package pro.fessional.wings.warlock.spring.bean;

import jakarta.servlet.http.HttpServletRequest;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.concurrent.atomic.AtomicReference;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.boot.web.servlet.ServletRegistrationBean;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.StringUtils;
import org.springframework.web.servlet.DispatcherServlet;
import pro.fessional.mirana.data.Null;
import pro.fessional.wings.silencer.runner.ApplicationRunnerOrdered;
import pro.fessional.wings.silencer.spring.boot.ConditionalWingsEnabled;
import pro.fessional.wings.silencer.support.PropHelper;
import pro.fessional.wings.slardar.security.WingsAuthDetailsSource;
import pro.fessional.wings.slardar.servlet.response.ResponseHelper;
import pro.fessional.wings.slardar.spring.conf.WingsBindLoginConfigurer;
import pro.fessional.wings.slardar.spring.help.SecurityConfigHelper;
import pro.fessional.wings.warlock.security.loginpage.ListAllLoginPageCombo;
import pro.fessional.wings.warlock.spring.conf.HttpSecurityCustomizer;
import pro.fessional.wings.warlock.spring.prop.WarlockSecurityProp;

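/**
 * Spring Security wiring for the Warlock module.
 *
 * <p>Contributes a {@link WebSecurityCustomizer}, several ordered {@link HttpSecurityCustomizer}
 * beans, the {@link SecurityFilterChain} that applies them, and a startup runner that checks the
 * configured URL patterns for conflicts. Every bean is gated by its own
 * {@code wings.enabled.warlock.*} switch.
 *
 * <p>Security-relevant defaults visible in this class: CSRF protection and the request cache are
 * switched off unless a matching bean is present, CORS is taken from
 * {@code SecurityConfigHelper.corsPermitAll()}, and web-ignore patterns bypass the filter chain.
 */
@Configuration(proxyBeanMethods = false)
@ConditionalWingsEnabled
public class WarlockSecurityConfConfiguration {
    private static final Log log = LogFactory.getLog(WarlockSecurityConfConfiguration.class);

    /**
     * Applies the {@code WebSecurity}-level settings: debug mode, ignored paths and the firewall.
     *
     * <p>Paths registered through {@code ignoring()} bypass the Spring Security filter chain
     * completely, so none of the {@code HttpSecurity} settings below (authentication, CSRF,
     * response headers) apply to them. Keep the web-ignore list to static resources; anything that
     * only needs to be public belongs in the permit-all list instead.
     *
     * @param warlockSecurityProp bound security properties
     * @param objectProvider      optional {@link HttpFirewall}; the Spring default is kept when absent
     * @return the customizer Spring Security invokes while building {@code WebSecurity}
     */
    @Bean
    @ConditionalWingsEnabled(abs = "wings.enabled.warlock.sec-web-auto")
    public WebSecurityCustomizer warlockWebCustomizer(WarlockSecurityProp warlockSecurityProp, ObjectProvider<HttpFirewall> objectProvider) {
        log.info("WarlockShadow spring-bean warlockWebCustomizer");
        return webSecurity -> {
            if (warlockSecurityProp.isWebDebug()) {
                // Spring Security's debug mode logs request details and may include sensitive
                // data; it is meant for development, not production.
                log.info("WarlockShadow conf WebSecurity, WebDebug=true");
                webSecurity.debug(true);
            }
            Map<String, String> webIgnore = warlockSecurityProp.getWebIgnore();
            if (!webIgnore.isEmpty()) {
                LinkedHashSet onlyValid = PropHelper.onlyValid(webIgnore.values());
                log.info("WarlockShadow conf WebSecurity, ignoring=" + String.join("\n,", onlyValid));
                webSecurity.ignoring().requestMatchers((String[]) onlyValid.toArray(i -> new String[i]));
            }
            HttpFirewall httpFirewall = objectProvider.getIfAvailable();
            if (httpFirewall != null) {
                log.info("WarlockShadow conf WebSecurity, httpFirewall=" + String.valueOf(httpFirewall.getClass()));
                webSecurity.httpFirewall(httpFirewall);
            }
        };
    }

    /**
     * Configures login binding, logout, session concurrency, anonymous access and the
     * access-denied handler from the bound properties and whichever handler beans exist.
     *
     * @param warlockSecurityProp bound security properties (login/logout URLs, parameter names, session limits)
     * @param sessionRegistry     registry used for the maximum-sessions control
     * @param objectProvider      optional authentication success handler
     * @param objectProvider2     optional authentication failure handler
     * @param objectProvider3     optional authentication details source (may resolve to {@code null})
     * @param objectProvider4     optional logout success handler
     * @param objectProvider5     optional access-denied handler
     * @return the customizer applied by {@link #securityFilterChain}
     */
    @Bean
    @ConditionalWingsEnabled(abs = "wings.enabled.warlock.sec-http-bind")
    @Order(-29999800)
    public HttpSecurityCustomizer warlockSecurityBindHttpConfigure(WarlockSecurityProp warlockSecurityProp, SessionRegistry sessionRegistry, ObjectProvider<AuthenticationSuccessHandler> objectProvider, ObjectProvider<AuthenticationFailureHandler> objectProvider2, ObjectProvider<WingsAuthDetailsSource<?>> objectProvider3, ObjectProvider<LogoutSuccessHandler> objectProvider4, ObjectProvider<AccessDeniedHandler> objectProvider5) {
        log.info("WarlockShadow spring-bean warlockSecurityBindHttpConfigure");
        return httpSecurity -> {
            AuthenticationSuccessHandler successHandler = objectProvider.getIfAvailable();
            AuthenticationFailureHandler failureHandler = objectProvider2.getIfAvailable();
            // Kept as a raw type: the parameter type of authenticationDetailsSource(..) is not visible here.
            WingsAuthDetailsSource detailsSource = objectProvider3.getIfAvailable();
            LogoutSuccessHandler logoutSuccessHandler = objectProvider4.getIfAvailable();
            log.info("WarlockShadow conf HttpSecurity, authenticationDetailsSource=" + String.valueOf(detailsSource == null ? "null" : detailsSource.getClass()));
            httpSecurity.with(new WingsBindLoginConfigurer(), login -> {
                login.loginPage(warlockSecurityProp.getLoginPage())
                        .loginProcessingUrl(warlockSecurityProp.getLoginProcUrl(), warlockSecurityProp.getLoginProcMethod())
                        .loginForward(warlockSecurityProp.isLoginForward())
                        .usernameParameter(warlockSecurityProp.getUsernamePara())
                        .passwordParameter(warlockSecurityProp.getPasswordPara())
                        .authenticationDetailsSource(detailsSource)
                        .bindAuthTypeDefault(warlockSecurityProp.mapAuthTypeDefault())
                        .bindAuthTypeToEnums(warlockSecurityProp.mapAuthTypeEnum());
                if (successHandler != null) {
                    log.info("WarlockShadow conf HttpSecurity, successHandler=" + String.valueOf(successHandler.getClass()));
                    login.successHandler(successHandler);
                }
                if (failureHandler != null) {
                    log.info("WarlockShadow conf HttpSecurity, failureHandler=" + String.valueOf(failureHandler.getClass()));
                    login.failureHandler(failureHandler);
                }
            }).logout(logout -> {
                // Logout drops the authentication and invalidates the HTTP session.
                logout.logoutUrl(warlockSecurityProp.getLogoutUrl()).clearAuthentication(true).invalidateHttpSession(true);
                if (logoutSuccessHandler != null) {
                    log.info("WarlockShadow conf HttpSecurity, logoutSuccessHandler=" + String.valueOf(logoutSuccessHandler.getClass()));
                    logout.logoutSuccessHandler(logoutSuccessHandler);
                }
            }).sessionManagement(session -> {
                // A session expired by the concurrency limit gets the configured body as its response.
                session.maximumSessions(warlockSecurityProp.getSessionMaximum()).sessionRegistry(sessionRegistry).expiredSessionStrategy(expired -> {
                    ResponseHelper.writeBodyUtf8(expired.getResponse(), warlockSecurityProp.getSessionExpiredBody());
                });
            }).anonymous(anonymous -> {
                if (!warlockSecurityProp.isAnonymous()) {
                    log.info("WarlockShadow conf HttpSecurity, disable anonymous");
                    anonymous.disable();
                }
            });
            AccessDeniedHandler accessDeniedHandler = objectProvider5.getIfAvailable();
            if (accessDeniedHandler != null) {
                log.info("WarlockShadow conf exceptionHandling, accessDeniedHandler=" + String.valueOf(accessDeniedHandler.getClass()));
                httpSecurity.exceptionHandling(handling -> {
                    handling.accessDeniedHandler(accessDeniedHandler);
                });
            }
        };
    }

    /**
     * Registers the URL authorization rules from the bound properties.
     *
     * <p>Rules are registered in a fixed order: permit-all patterns, then authenticated patterns,
     * then per-URL authority rules. Spring Security evaluates request matchers in registration
     * order and the first match decides, so a URL that also matches a permit-all pattern is public
     * no matter what the later lists say.
     *
     * @param warlockSecurityProp bound security properties (permit-all, authenticated and authority maps)
     * @return the customizer applied by {@link #securityFilterChain}
     */
    @Bean
    @ConditionalWingsEnabled(abs = "wings.enabled.warlock.sec-http-auth")
    @Order(-29999700)
    public HttpSecurityCustomizer warlockSecurityAuthHttpConfigure(WarlockSecurityProp warlockSecurityProp) {
        log.info("WarlockShadow spring-bean warlockSecurityAuthHttpConfigure");
        return httpSecurity -> {
            httpSecurity.authorizeHttpRequests(registry -> {
                LinkedHashSet onlyValid = PropHelper.onlyValid(warlockSecurityProp.getPermitAll().values());
                if (!onlyValid.isEmpty()) {
                    log.info("WarlockShadow conf HttpSecurity, bind PermitAll=" + String.join("\n,", onlyValid));
                    ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) registry.requestMatchers((String[]) onlyValid.toArray(i -> new String[i]))).permitAll();
                }
                LinkedHashSet onlyValid2 = PropHelper.onlyValid(warlockSecurityProp.getAuthenticated().values());
                if (!onlyValid2.isEmpty()) {
                    log.info("WarlockShadow conf HttpSecurity, bind Authenticated=" + String.join("\n,", onlyValid2));
                    ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) registry.requestMatchers((String[]) onlyValid2.toArray(i2 -> new String[i2]))).authenticated();
                }
                if (warlockSecurityProp.getAuthority().isEmpty()) {
                    return;
                }
                // The property maps authority -> URLs; invert it to URL -> authorities so each URL
                // gets exactly one hasAnyAuthority rule.
                TreeMap<String, Set<String>> authoritiesByUrl = new TreeMap<>();
                for (Map.Entry<String, Set<String>> entry : warlockSecurityProp.getAuthority().entrySet()) {
                    String authority = entry.getKey();
                    for (String url : entry.getValue()) {
                        if (PropHelper.valid(url)) {
                            authoritiesByUrl.computeIfAbsent(url, ignored -> new HashSet<>()).add(authority);
                        }
                    }
                }
                // Descending lexicographic order registers "/a/b/**" before "/a/**". This is string
                // order, not path specificity, so overlapping patterns that do not share a prefix
                // still need a manual review.
                for (Map.Entry<String, Set<String>> entry2 : authoritiesByUrl.descendingMap().entrySet()) {
                    String url = entry2.getKey();
                    LinkedHashSet onlyValid3 = PropHelper.onlyValid(entry2.getValue());
                    log.info("WarlockShadow conf HttpSecurity, bind url=" + url + ", any-permit=[" + String.join(",", onlyValid3) + "]");
                    ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) registry.requestMatchers(new String[]{url})).hasAnyAuthority((String[]) onlyValid3.toArray(Null.StrArr));
                }
            });
        };
    }

    /**
     * Enables HTTP Basic authentication with Spring Security's defaults.
     *
     * <p>Basic authentication sends the credentials, merely Base64-encoded, with every request, so
     * it should only be reachable over TLS.
     *
     * @return the customizer applied by {@link #securityFilterChain}
     */
    @Bean
    @ConditionalWingsEnabled(abs = "wings.enabled.warlock.sec-http-base")
    @Order(ListAllLoginPageCombo.ORDER)
    public HttpSecurityCustomizer warlockSecurityHttpBaseConfigure() {
        log.info("WarlockShadow spring-bean warlockSecurityHttpBaseConfigure");
        return httpSecurity -> {
            httpSecurity.httpBasic(basic -> {
            });
        };
    }

    /**
     * Configures CORS, the request cache and CSRF protection.
     *
     * <p>The request cache and CSRF protection are both <em>disabled</em> unless a
     * {@link RequestCache} or {@link CsrfTokenRepository} bean is present. With cookie-based
     * sessions this leaves state-changing requests without CSRF protection until a repository
     * bean is supplied.
     *
     * @param objectProvider  optional CSRF token repository; CSRF is disabled when absent
     * @param objectProvider2 optional request cache; the cache is disabled when absent
     * @return the customizer applied by {@link #securityFilterChain}
     */
    @Bean
    @ConditionalWingsEnabled(abs = "wings.enabled.warlock.sec-http-auto")
    @Order(-29999600)
    public HttpSecurityCustomizer warlockSecurityAutoHttpConfigure(ObjectProvider<CsrfTokenRepository> objectProvider, ObjectProvider<RequestCache> objectProvider2) {
        log.info("WarlockShadow spring-bean warlockSecurityAutoHttpConfigure");
        return httpSecurity -> {
            // NOTE(review): corsPermitAll() is defined elsewhere; going by its name it allows
            // cross-origin requests broadly. Confirm which origins and credentials it permits,
            // all the more because CSRF is off by default below.
            httpSecurity.cors(cors -> {
                cors.configurationSource(SecurityConfigHelper.corsPermitAll());
            });
            RequestCache requestCache = objectProvider2.getIfAvailable();
            if (requestCache == null) {
                httpSecurity.requestCache(cache -> {
                    cache.disable();
                });
                log.info("WarlockShadow conf HttpSecurity, requestCache disable");
            } else {
                httpSecurity.requestCache(cache -> {
                    cache.requestCache(requestCache);
                });
                log.info("WarlockShadow conf HttpSecurity, requestCache " + requestCache.getClass().getName());
            }
            CsrfTokenRepository csrfTokenRepository = objectProvider.getIfAvailable();
            if (csrfTokenRepository == null) {
                httpSecurity.csrf(csrf -> {
                    csrf.disable();
                });
                log.info("WarlockShadow conf HttpSecurity, csrf disable");
            } else {
                httpSecurity.csrf(csrf -> {
                    csrf.csrfTokenRepository(csrfTokenRepository);
                });
                log.info("WarlockShadow conf HttpSecurity, csrf " + csrfTokenRepository.getClass().getName());
            }
        };
    }

    /**
     * Builds the {@link SecurityFilterChain}: applies every {@link HttpSecurityCustomizer} bean,
     * then adds the catch-all rule named by the any-request property.
     *
     * <p>Recognised any-request values (case-insensitive, trimmed) are {@code permitAll},
     * {@code authenticated}, {@code anonymous} and {@code fullyAuthenticated}. Any other non-blank
     * value is split on commas and whitespace and used as a list of authorities, so a misspelled
     * keyword becomes an authority name instead of raising an error. A blank value adds no
     * catch-all rule here.
     *
     * @param warlockSecurityProp bound security properties
     * @param httpSecurity        the builder to customise
     * @param map                 all customizer beans keyed by bean name
     * @return the built filter chain
     * @throws Exception if a customizer or the build itself fails
     */
    @Bean
    @ConditionalWingsEnabled(abs = "wings.enabled.warlock.sec-http-chain")
    @Order(-29999100)
    public SecurityFilterChain securityFilterChain(WarlockSecurityProp warlockSecurityProp, HttpSecurity httpSecurity, Map<String, HttpSecurityCustomizer> map) throws Exception {
        log.info("WarlockShadow conf securityFilterChain, begin");
        // NOTE(review): customizers run in the iteration order of the injected map; confirm that
        // this order follows the @Order values above, because authorization rules are
        // first-match-wins.
        for (Map.Entry<String, HttpSecurityCustomizer> entry : map.entrySet()) {
            log.info("WarlockShadow conf securityFilterChain, bean=" + entry.getKey());
            entry.getValue().customize(httpSecurity);
        }
        String anyRequest = warlockSecurityProp.getAnyRequest();
        if (StringUtils.hasText(anyRequest)) {
            log.info("WarlockShadow conf securityFilterChain, anyRequest=" + anyRequest);
            // hasText() guarantees that the trimmed rule is non-empty.
            String rule = anyRequest.trim();
            if ("permitAll".equalsIgnoreCase(rule)) {
                httpSecurity.authorizeHttpRequests(registry -> {
                    ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) registry.anyRequest()).permitAll();
                });
            } else if ("authenticated".equalsIgnoreCase(rule)) {
                httpSecurity.authorizeHttpRequests(registry -> {
                    ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) registry.anyRequest()).authenticated();
                });
            } else if ("anonymous".equalsIgnoreCase(rule)) {
                httpSecurity.authorizeHttpRequests(registry -> {
                    ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) registry.anyRequest()).anonymous();
                });
            } else if ("fullyAuthenticated".equalsIgnoreCase(rule)) {
                httpSecurity.authorizeHttpRequests(registry -> {
                    ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) registry.anyRequest()).fullyAuthenticated();
                });
            } else {
                httpSecurity.authorizeHttpRequests(registry -> {
                    ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) registry.anyRequest()).hasAnyAuthority(rule.split("[, \t\r\n]+"));
                });
            }
        }
        log.info("WarlockShadow conf securityFilterChain, done");
        return (SecurityFilterChain) httpSecurity.build();
    }

    /**
     * Creates the startup runner that validates the configured security URLs.
     *
     * <p>A failed check is logged together with the switch that disables it and then rethrown, so
     * the application does not start with a conflicting configuration.
     *
     * @param warlockSecurityProp bound security properties
     * @param applicationContext  context used to find the dispatcher servlet and to build matchers
     * @return the ordered runner
     */
    @Bean
    @ConditionalWingsEnabled(abs = "wings.enabled.warlock.sec-check-url")
    public ApplicationRunnerOrdered securityCheckUrlRunner(WarlockSecurityProp warlockSecurityProp, ApplicationContext applicationContext) {
        log.info("WarlockShadow spring-runs securityCheckUrlRunner");
        return new ApplicationRunnerOrdered(-90000000, applicationArguments -> {
            try {
                secCheckUrl(warlockSecurityProp, applicationContext);
            } catch (RuntimeException e) {
                log.error("set wings.enabled.warlock.sec-check-url=false to skip check", e);
                throw e;
            }
        });
    }

    /**
     * Checks the configured URL patterns for overlaps and for login URLs that would be unreachable.
     *
     * <ol>
     *   <li>Every web-ignore, permit-all, authenticated and authority pattern is matched against
     *       the patterns listed after it; an overlap is logged as a warning only.</li>
     *   <li>No web-ignore pattern may match the login page, logout URL or login-processing URL.</li>
     *   <li>When the any-request rule is blank, {@code permitAll} or {@code anonymous}, those three
     *       URLs must each be matched by some permit-all pattern.</li>
     * </ol>
     * Violations of the last two checks are collected and reported in one exception.
     *
     * @param warlockSecurityProp bound security properties
     * @param applicationContext  context used to find the dispatcher servlet and to build matchers
     * @throws IllegalStateException if a web-ignore pattern covers a login URL or a login URL is
     *                               missing from permit-all
     */
    private static void secCheckUrl(WarlockSecurityProp warlockSecurityProp, ApplicationContext applicationContext) {
        log.info("WarlockShadow check security url config");
        // Use the registered DispatcherServlet's name, falling back to Spring Boot's default name.
        String servletName = "dispatcherServlet";
        for (ServletRegistrationBean<?> registration : applicationContext.getBeanProvider(ServletRegistrationBean.class)) {
            if (registration.getServlet() instanceof DispatcherServlet) {
                servletName = registration.getServletName();
                break;
            }
        }

        // labelled: "Kind:key" -> pattern, in configuration order.
        // probes:   pattern    -> stand-in request built from that pattern (see dummyMatcherRequest).
        Map<String, String> labelled = new LinkedHashMap<>();
        Map<String, HttpServletRequest> probes = new LinkedHashMap<>();
        for (Map.Entry<String, String> entry : warlockSecurityProp.getWebIgnore().entrySet()) {
            String pattern = entry.getValue();
            if (StringUtils.hasText(pattern)) {
                labelled.put("WebIgnore:" + entry.getKey(), pattern);
                probes.put(pattern, SecurityConfigHelper.dummyMatcherRequest(pattern, servletName));
            }
        }
        for (Map.Entry<String, String> entry : warlockSecurityProp.getPermitAll().entrySet()) {
            String pattern = entry.getValue();
            if (StringUtils.hasText(pattern)) {
                labelled.put("PermitAll:" + entry.getKey(), pattern);
                probes.put(pattern, SecurityConfigHelper.dummyMatcherRequest(pattern, servletName));
            }
        }
        for (Map.Entry<String, String> entry : warlockSecurityProp.getAuthenticated().entrySet()) {
            String pattern = entry.getValue();
            if (StringUtils.hasText(pattern)) {
                labelled.put("Authenticated:" + entry.getKey(), pattern);
                probes.put(pattern, SecurityConfigHelper.dummyMatcherRequest(pattern, servletName));
            }
        }
        for (Map.Entry<String, Set<String>> entry : warlockSecurityProp.getAuthority().entrySet()) {
            int index = 0;
            String authority = entry.getKey();
            for (String pattern : entry.getValue()) {
                if (StringUtils.hasText(pattern)) {
                    labelled.put("Authority:" + authority + "[" + (index++) + "]", pattern);
                    probes.put(pattern, SecurityConfigHelper.dummyMatcherRequest(pattern, servletName));
                }
            }
        }

        // Left raw: the parameterization MatcherHelper.of(..) expects is not visible in this file.
        AtomicReference matcherRef = new AtomicReference();
        SecurityConfigHelper.MatcherHelper matcherHelper = SecurityConfigHelper.MatcherHelper.of(applicationContext, matcherRef);

        // Check 1: overlaps between rule patterns (warning only). A pattern's own probe is removed
        // before it is tested, so each pattern is compared only with the ones still remaining.
        for (Map.Entry<String, String> owner : labelled.entrySet()) {
            String pattern = owner.getValue();
            probes.remove(pattern);
            if (probes.isEmpty()) {
                break;
            }
            matcherHelper.requestMatchers(new String[]{pattern});
            RequestMatcher matcher = (RequestMatcher) matcherRef.get();
            for (Map.Entry<String, HttpServletRequest> probe : probes.entrySet()) {
                try {
                    if (matcher.matches(probe.getValue())) {
                        log.warn(owner.getKey() + "=" + pattern + " should not contain " + probe.getKey());
                    }
                } catch (RuntimeException e) {
                    log.error("failed to check " + owner.getKey() + "=" + pattern + " should not contain " + probe.getKey());
                    throw e;
                }
            }
        }

        // Checks 2 and 3 look only at the login page, the logout URL and the login-processing URL.
        labelled.clear();
        probes.clear();
        String loginPage = warlockSecurityProp.getLoginPage();
        if (StringUtils.hasText(loginPage)) {
            probes.put(loginPage, SecurityConfigHelper.dummyMatcherRequest(loginPage, servletName));
        }
        String logoutUrl = warlockSecurityProp.getLogoutUrl();
        if (StringUtils.hasText(logoutUrl)) {
            probes.put(logoutUrl, SecurityConfigHelper.dummyMatcherRequest(logoutUrl, servletName));
        }
        String loginProcUrl = warlockSecurityProp.getLoginProcUrl();
        if (StringUtils.hasText(loginProcUrl)) {
            probes.put(loginProcUrl, SecurityConfigHelper.dummyMatcherRequest(loginProcUrl, servletName));
        }

        // Check 2: ignored paths skip the security filter chain, so a web-ignore pattern that
        // covers a login or logout URL is reported as an error.
        StringBuilder problems = new StringBuilder();
        for (Map.Entry<String, String> ignore : warlockSecurityProp.getWebIgnore().entrySet()) {
            String pattern = ignore.getValue();
            if (StringUtils.hasText(pattern)) {
                if (probes.isEmpty()) {
                    break;
                }
                matcherHelper.requestMatchers(new String[]{pattern});
                RequestMatcher matcher = (RequestMatcher) matcherRef.get();
                for (Map.Entry<String, HttpServletRequest> probe : probes.entrySet()) {
                    try {
                        if (matcher.matches(probe.getValue())) {
                            problems.append("\nWebIgnore:").append(ignore.getKey()).append(" should exclude ").append(probe.getKey());
                        }
                    } catch (RuntimeException e2) {
                        log.error("failed to check " + ignore.getKey() + "=" + pattern + " should not contain " + probe.getKey());
                        throw e2;
                    }
                }
            }
        }

        // Check 3: trim the rule exactly as securityFilterChain does, so a padded value such as
        // " permitAll " is classified the same way in both places.
        // NOTE(review): the check runs for blank/permitAll/anonymous and is skipped for restrictive
        // rules such as "authenticated" - confirm that this is the intended condition.
        String anyRequest = warlockSecurityProp.getAnyRequest();
        String anyRule = StringUtils.hasText(anyRequest) ? anyRequest.trim() : "";
        if (anyRule.isEmpty() || "permitAll".equalsIgnoreCase(anyRule) || "anonymous".equalsIgnoreCase(anyRule)) {
            for (Map.Entry<String, String> permit : warlockSecurityProp.getPermitAll().entrySet()) {
                String pattern = permit.getValue();
                if (StringUtils.hasText(pattern)) {
                    if (probes.isEmpty()) {
                        break;
                    }
                    matcherHelper.requestMatchers(new String[]{pattern});
                    RequestMatcher matcher = (RequestMatcher) matcherRef.get();
                    // An explicit iterator is needed because covered URLs are removed while iterating.
                    Iterator<Map.Entry<String, HttpServletRequest>> remaining = probes.entrySet().iterator();
                    while (remaining.hasNext()) {
                        Map.Entry<String, HttpServletRequest> probe = remaining.next();
                        try {
                            if (matcher.matches(probe.getValue())) {
                                log.debug("WarlockShadow security url permit all include " + probe.getKey());
                                remaining.remove();
                            }
                        } catch (RuntimeException e3) {
                            log.error("failed to check " + permit.getKey() + "=" + pattern + " should not contain " + probe.getKey());
                            throw e3;
                        }
                    }
                }
            }
            if (!probes.isEmpty()) {
                problems.append("\nPermitAll should include urls: ").append(String.join(", ", probes.keySet()));
            }
        }
        if (problems.isEmpty()) {
            return;
        }
        String report = problems.toString();
        log.error(report);
        throw new IllegalStateException("\nWarlockSecurityConfConfiguration has security url conflict to fix.\nor disable checking by `wings.enabled.warlock.sec-check-url=false`" + report);
    }
}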
