package org.apache.syncope.sra.security.oauth2;

import java.util.Set;
import org.apache.syncope.sra.ApplicationContextUtils;
import org.apache.syncope.sra.SRAProperties;
import org.apache.syncope.sra.security.LogoutRouteMatcher;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.cache.CacheManager;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.http.MediaType;
import org.springframework.security.authentication.DelegatingReactiveAuthenticationManager;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.client.InMemoryReactiveOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.authentication.OAuth2LoginReactiveAuthenticationManager;
import org.springframework.security.oauth2.client.endpoint.WebClientReactiveAuthorizationCodeTokenResponseClient;
import org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeReactiveAuthenticationManager;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcReactiveOAuth2UserService;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.userinfo.DefaultReactiveOAuth2UserService;
import org.springframework.security.oauth2.client.web.server.AuthenticatedPrincipalServerOAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.server.OAuth2AuthorizationRequestRedirectWebFilter;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizationCodeAuthenticationTokenConverter;
import org.springframework.security.oauth2.client.web.server.authentication.OAuth2LoginAuthenticationWebFilter;
import org.springframework.security.web.server.DelegatingServerAuthenticationEntryPoint;
import org.springframework.security.web.server.authentication.RedirectServerAuthenticationEntryPoint;
import org.springframework.security.web.server.authentication.RedirectServerAuthenticationSuccessHandler;
import org.springframework.security.web.server.authentication.logout.LogoutWebFilter;
import org.springframework.security.web.server.context.WebSessionServerSecurityContextRepository;
import org.springframework.security.web.server.util.matcher.MediaTypeServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher;
import reactor.core.publisher.Mono;

/* loaded from: input_file:org/apache/syncope/sra/security/oauth2/OAuth2SecurityConfigUtils.class */
/**
 * Static helpers that wire OAuth2 / OIDC login and logout into a reactive {@link ServerHttpSecurity} chain.
 *
 * <p>All members are static; the class is not instantiable.
 */
public final class OAuth2SecurityConfigUtils {

    private static final Logger LOG = LoggerFactory.getLogger(OAuth2SecurityConfigUtils.class);

    /** Path pattern at which the authorization-code callback is accepted by the login filter. */
    private static final String CODE_CALLBACK_PATTERN = "/login/oauth2/code/{registrationId}";

    /** Prefix of the redirect target that starts the authorization-code flow for a registration id. */
    private static final String AUTHORIZATION_PATH_PREFIX = "/oauth2/authorization/";

    /**
     * Builds the authentication manager that completes the authorization-code exchange.
     *
     * <p>Both variants share one token response client. For {@code OIDC} an OIDC manager is placed in front of the
     * plain OAuth2 manager inside a {@link DelegatingReactiveAuthenticationManager} (delegates are tried in that
     * order); for any other type only the plain OAuth2 manager is returned.
     *
     * @param amType access management type
     * @return authentication manager for the login filter
     */
    private static ReactiveAuthenticationManager authenticationManager(final SRAProperties.AMType amType) {
        WebClientReactiveAuthorizationCodeTokenResponseClient tokenClient =
                new WebClientReactiveAuthorizationCodeTokenResponseClient();
        ReactiveAuthenticationManager oauth2Manager =
                new OAuth2LoginReactiveAuthenticationManager(tokenClient, new DefaultReactiveOAuth2UserService());

        if (SRAProperties.AMType.OIDC != amType) {
            return oauth2Manager;
        }

        ReactiveAuthenticationManager oidcManager =
                new OidcAuthorizationCodeReactiveAuthenticationManager(tokenClient, new OidcReactiveOAuth2UserService());
        return new DelegatingReactiveAuthenticationManager(oidcManager, oauth2Manager);
    }

    /**
     * Builds the filter that processes the authorization-code callback.
     *
     * <p>Successful logins are handled by a {@link RedirectServerAuthenticationSuccessHandler}; the resulting
     * security context is stored through a {@link WebSessionServerSecurityContextRepository}. Failures are surfaced
     * as an error signal rather than redirected, so whatever error handling sits downstream decides the response.
     *
     * @param amType access management type
     * @param registrations client registrations used to resolve {@code registrationId} from the callback path
     * @param authorizedClients repository receiving the authorized client after a successful exchange
     * @return configured login filter
     */
    private static OAuth2LoginAuthenticationWebFilter loginFilter(
            final SRAProperties.AMType amType,
            final ReactiveClientRegistrationRepository registrations,
            final AuthenticatedPrincipalServerOAuth2AuthorizedClientRepository authorizedClients) {

        OAuth2LoginAuthenticationWebFilter filter =
                new OAuth2LoginAuthenticationWebFilter(authenticationManager(amType), authorizedClients);
        filter.setRequiresAuthenticationMatcher(new PathPatternParserServerWebExchangeMatcher(CODE_CALLBACK_PATTERN));
        filter.setServerAuthenticationConverter(
                new ServerOAuth2AuthorizationCodeAuthenticationTokenConverter(registrations));
        filter.setAuthenticationSuccessHandler(new RedirectServerAuthenticationSuccessHandler());
        // propagate the failure instead of redirecting; the exception reaches the downstream error handling as-is
        filter.setAuthenticationFailureHandler((exchange, ex) -> Mono.error(ex));
        filter.setSecurityContextRepository(new WebSessionServerSecurityContextRepository());
        return filter;
    }

    /**
     * Registers OAuth2 / OIDC login on {@code http}.
     *
     * <ul>
     *   <li>an {@link OAuth2AuthorizationRequestRedirectWebFilter} at {@code HTTP_BASIC} order, which starts the
     *   authorization-code flow;</li>
     *   <li>an {@link OAuth2LoginAuthenticationWebFilter} at {@code AUTHENTICATION} order, accepting the callback at
     *   {@code /login/oauth2/code/{registrationId}};</li>
     *   <li>an authentication entry point redirecting unauthenticated requests to
     *   {@code /oauth2/authorization/<amType name>}.</li>
     * </ul>
     *
     * <p>Authorized clients are kept in an {@link InMemoryReactiveOAuth2AuthorizedClientService} and the security
     * context in the web session; unless the session store is external, login state is therefore local to this
     * JVM instance. NOTE(review): confirm this is acceptable when several SRA instances run without sticky sessions.
     *
     * @param http security builder to configure
     * @param amType access management type; its {@code name()} doubles as the client registration id in the
     * redirect target
     * @param ctx application context providing the {@link ReactiveClientRegistrationRepository} bean
     */
    public static void forLogin(
            final ServerHttpSecurity http,
            final SRAProperties.AMType amType,
            final ApplicationContext ctx) {

        ReactiveClientRegistrationRepository registrations = ctx.getBean(ReactiveClientRegistrationRepository.class);
        AuthenticatedPrincipalServerOAuth2AuthorizedClientRepository authorizedClients =
                new AuthenticatedPrincipalServerOAuth2AuthorizedClientRepository(
                        new InMemoryReactiveOAuth2AuthorizedClientService(registrations));

        // step 1: redirect to the provider's authorization endpoint
        http.addFilterAt(
                new OAuth2AuthorizationRequestRedirectWebFilter(registrations), SecurityWebFiltersOrder.HTTP_BASIC);

        // step 2: process the authorization-code callback
        http.addFilterAt(loginFilter(amType, registrations, authorizedClients), SecurityWebFiltersOrder.AUTHENTICATION);

        // step 3: unauthenticated requests are sent to start the flow
        MediaTypeServerWebExchangeMatcher htmlMatcher = new MediaTypeServerWebExchangeMatcher(MediaType.TEXT_HTML);
        htmlMatcher.setIgnoredMediaTypes(Set.of(MediaType.ALL));
        DelegatingServerAuthenticationEntryPoint.DelegateEntry htmlEntry =
                new DelegatingServerAuthenticationEntryPoint.DelegateEntry(
                        htmlMatcher,
                        new RedirectServerAuthenticationEntryPoint(AUTHORIZATION_PATH_PREFIX + amType.name()));
        // NOTE(review): only getEntryPoint() is used here, so htmlMatcher appears to have no effect and every
        // unauthenticated request, HTML or not, is redirected; confirm whether a DelegatingServerAuthenticationEntryPoint
        // built from htmlEntry was intended instead.
        http.exceptionHandling().authenticationEntryPoint(htmlEntry.getEntryPoint());
    }

    /**
     * Replaces the default logout support with a {@link LogoutWebFilter} driven by {@code logoutRouteMatcher}.
     *
     * <p>Session removal is always delegated to {@link OAuth2SessionRemovalServerLogoutHandler}. For {@code OIDC}
     * the success handler is the {@link OidcClientInitiatedServerLogoutSuccessHandler} bean, looked up or created
     * on demand; if that class cannot be loaded the error is logged and the filter is still registered without a
     * success handler, so logout then completes locally only (presumably without notifying the provider; confirm).
     *
     * @param spec authorize-exchange spec whose parent {@link ServerHttpSecurity} is configured
     * @param amType access management type
     * @param cacheManager cache manager handed to the session removal handler
     * @param logoutRouteMatcher matcher selecting the requests that trigger logout
     * @param ctx context used to look up or create the OIDC logout success handler bean
     */
    public static void forLogout(
            final ServerHttpSecurity.AuthorizeExchangeSpec spec,
            final SRAProperties.AMType amType,
            final CacheManager cacheManager,
            final LogoutRouteMatcher logoutRouteMatcher,
            final ConfigurableApplicationContext ctx) {

        LogoutWebFilter filter = new LogoutWebFilter();
        filter.setRequiresLogoutMatcher(logoutRouteMatcher);
        filter.setLogoutHandler(new OAuth2SessionRemovalServerLogoutHandler(cacheManager));

        if (SRAProperties.AMType.OIDC == amType) {
            String handlerName = OidcClientInitiatedServerLogoutSuccessHandler.class.getName();
            try {
                OidcClientInitiatedServerLogoutSuccessHandler successHandler =
                        (OidcClientInitiatedServerLogoutSuccessHandler) ApplicationContextUtils.getOrCreateBean(
                                ctx, handlerName, OidcClientInitiatedServerLogoutSuccessHandler.class);
                filter.setLogoutSuccessHandler(successHandler);
            } catch (ClassNotFoundException e) {
                // best effort: the filter is still installed below, just without the OIDC success handler
                LOG.error("While creating instance of {}", handlerName, e);
            }
        }

        spec.and().logout().disable().addFilterAt(filter, SecurityWebFiltersOrder.LOGOUT);
    }

    /** Utility class; not instantiable. */
    private OAuth2SecurityConfigUtils() {
        // empty
    }
}
