package org.tailormap.api.security;

import jakarta.servlet.Filter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.solr.common.params.CommonParams;
import org.apache.solr.common.params.CoreAdminParams;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.server.Cookie;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationEventPublisher;
import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.tailormap.api.persistence.Group;
import org.tailormap.api.repository.GroupRepository;
import org.tailormap.api.repository.OIDCConfigurationRepository;
import org.tailormap.api.security.events.DefaultAuthenticationFailureEvent;
import org.tailormap.api.security.events.OAuth2AuthenticationFailureEvent;

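@Configuration
@EnableWebSecurity
@EnableMethodSecurity
/* loaded from: input_file:BOOT-INF/classes/org/tailormap/api/security/ApiSecurityConfiguration.class */
/**
 * Spring Security configuration for the API: CSRF policy, the security filter chain for
 * everything under the API base path (form login, OIDC login, anonymous access, logout), the
 * OIDC client registration source and the mapping of OIDC role claims to granted authorities.
 *
 * <p>Trust notes: the {@code redirectUrl} request parameter is only honoured when it is a plain
 * same-origin path (see {@link #isLocalPath(String)}), and every value of the ID token's
 * {@code roles} claim is granted verbatim as an authority, so whatever roles the identity
 * provider asserts decide access here — including {@link Group#ADMIN}.
 */
public class ApiSecurityConfiguration {

    private static final Logger LOG = Logger.getLogger(ApiSecurityConfiguration.class.getName());

    /** Request parameter on the authorization request and session attribute holding the post-login path. */
    private static final String REDIRECT_URL_ATTRIBUTE = "redirectUrl";

    /** ID-token claim from which SSO roles are read. */
    private static final String ROLES_CLAIM = "roles";

    /** Prefix under which all API endpoints secured by this chain live. */
    @Value("${tailormap-api.base-path}")
    private String apiBasePath;

    /** Prefix of the admin endpoints; these require the {@link Group#ADMIN} authority. */
    @Value("${tailormap-api.admin.base-path}")
    private String adminApiBasePath;

    /** Switches CSRF protection off entirely; defaults to {@code false}. */
    @Value("${tailormap-api.security.disable-csrf:false}")
    private boolean disableCsrf;

    /**
     * CSRF token repository backed by a cookie that is readable from JavaScript
     * ({@code HttpOnly=false}), so a browser client can echo the token back in a request header.
     *
     * @return the cookie-based repository, sending {@code SameSite=None} when the cookie is Secure
     *     (browsers only accept {@code SameSite=None} together with {@code Secure})
     */
    @Bean
    public CookieCsrfTokenRepository csrfTokenRepository() {
        CookieCsrfTokenRepository repository = CookieCsrfTokenRepository.withHttpOnlyFalse();
        repository.setCookieCustomizer(cookie -> {
            if (cookie.build().isSecure()) {
                cookie.sameSite(Cookie.SameSite.NONE.attributeValue());
            }
        });
        return repository;
    }

    /**
     * Publishes authentication events, mapping OAuth2 failures to
     * {@link OAuth2AuthenticationFailureEvent} and any other failure to
     * {@link DefaultAuthenticationFailureEvent}.
     *
     * @param applicationEventPublisher the Spring publisher the events are delivered through
     * @return the configured publisher
     */
    @Bean
    public AuthenticationEventPublisher authenticationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
        DefaultAuthenticationEventPublisher publisher = new DefaultAuthenticationEventPublisher(applicationEventPublisher);
        publisher.setAdditionalExceptionMappings(
                Collections.singletonMap(OAuth2AuthenticationException.class, OAuth2AuthenticationFailureEvent.class));
        publisher.setDefaultAuthenticationFailureEvent(DefaultAuthenticationFailureEvent.class);
        return publisher;
    }

    /**
     * Builds the security filter chain for requests under {@code apiBasePath}.
     *
     * @param httpSecurity the builder supplied by Spring Security
     * @param cookieCsrfTokenRepository the repository from {@link #csrfTokenRepository()}
     * @return the built chain
     * @throws Exception propagated from the {@link HttpSecurity} builder
     */
    @Bean
    public SecurityFilterChain apiFilterChain(HttpSecurity httpSecurity, CookieCsrfTokenRepository cookieCsrfTokenRepository) throws Exception {
        configureCsrf(httpSecurity, cookieCsrfTokenRepository);

        // Before redirecting the user to the identity provider, remember where to return them
        // afterwards. Only same-origin paths are stored so the parameter cannot turn the login
        // flow into an open redirect.
        DefaultRedirectStrategy rememberingRedirectStrategy = new DefaultRedirectStrategy() {
            @Override
            public void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url) throws IOException {
                String requested = request.getParameter(REDIRECT_URL_ATTRIBUTE);
                if (isLocalPath(requested)) {
                    request.getSession().setAttribute(REDIRECT_URL_ATTRIBUTE, requested);
                }
                super.sendRedirect(request, response, url);
            }
        };

        // After a successful OIDC login, go back to the stored path or to the site root.
        AuthenticationSuccessHandler redirectToStoredPath = (request, response, authentication) -> {
            HttpSession session = request.getSession(false);
            String target = session == null ? null : (String) session.getAttribute(REDIRECT_URL_ATTRIBUTE);
            response.sendRedirect(target == null ? "/" : target);
        };

        httpSecurity
                .securityMatchers(matchers -> matchers.requestMatchers(apiBasePath + "/**"))
                .addFilterAfter(new AuditInterceptor(), AnonymousAuthenticationFilter.class)
                .authorizeHttpRequests(authorize -> {
                    // The admin API needs the admin group; everything else under the API base
                    // path is open at this level (method security is enabled, so finer checks
                    // presumably live on the handlers).
                    authorize.requestMatchers(adminApiBasePath + "/**").hasAuthority(Group.ADMIN);
                    authorize.requestMatchers(apiBasePath + "/**").permitAll();
                })
                .formLogin(form -> form
                        .loginPage(apiBasePath + "/unauthorized")
                        .loginProcessingUrl(apiBasePath + "/login"))
                .oauth2Login(oauth2 -> oauth2
                        .authorizationEndpoint(endpoint -> endpoint
                                .baseUri(apiBasePath + "/oauth2/authorization")
                                .authorizationRedirectStrategy(rememberingRedirectStrategy))
                        .redirectionEndpoint(endpoint -> endpoint.baseUri(apiBasePath + "/oauth2/callback"))
                        .successHandler(redirectToStoredPath))
                .anonymous(anonymous -> anonymous.authorities("anonymous"))
                .logout(logout -> logout
                        .logoutUrl(apiBasePath + "/logout")
                        // Answer logout with a bare 200 instead of Spring's default redirect.
                        .logoutSuccessHandler((request, response, authentication) ->
                                response.sendError(HttpStatus.OK.value(), "OK")));
        return httpSecurity.build();
    }

    /**
     * Applies the CSRF policy: either disabled outright, or cookie-based with the token request
     * handler and a {@link CsrfCookieFilter} that writes the cookie after authentication.
     *
     * @throws Exception propagated from {@link HttpSecurity#csrf}
     */
    private void configureCsrf(HttpSecurity httpSecurity, CookieCsrfTokenRepository repository) throws Exception {
        if (disableCsrf) {
            httpSecurity.csrf(csrf -> csrf.disable());
            return;
        }
        httpSecurity.csrf(csrf -> csrf
                .csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler())
                .csrfTokenRepository(repository)
                // The layer features endpoint is exempt from the CSRF check; the reason is not
                // recorded here, so keep that in mind when extending this exemption.
                .ignoringRequestMatchers(apiBasePath + "/{viewerKind}/{viewerName}/layer/{appLayerId}/features"));
        httpSecurity.addFilterAfter(new CsrfCookieFilter(), BasicAuthenticationFilter.class);
    }

    /**
     * Returns whether {@code path} is a same-origin, path-only redirect target. It must start
     * with a single {@code /}; scheme-relative forms ({@code //host} and {@code /\host}) are
     * rejected because browsers resolve them to another origin.
     *
     * @param path the candidate path, may be {@code null}
     * @return {@code true} only for a local absolute path
     */
    static boolean isLocalPath(String path) {
        return path != null
                && path.startsWith("/")
                && !path.startsWith("//")
                && !path.startsWith("/\\");
    }

    /**
     * OIDC client registrations are read from the database-backed configuration repository.
     *
     * @param oidcConfigurationRepository source of the configured providers
     * @return the registration repository
     */
    @Bean
    public OIDCRepository clientRegistrationRepository(OIDCConfigurationRepository oidcConfigurationRepository) {
        return new OIDCRepository(oidcConfigurationRepository);
    }

    /**
     * Maps the authorities of an OIDC user: every value of the ID token's {@code roles} claim
     * becomes a {@link SimpleGrantedAuthority} with that exact name, and a {@link Group} with that
     * name is created when none exists yet. The original authorities are always kept.
     *
     * <p>Since the admin API is guarded by {@code hasAuthority(Group.ADMIN)}, a role claim equal to
     * that group name grants admin access; the claim is trusted as issued by the provider.
     *
     * @param groupRepository used to look up and persist groups for imported roles
     * @return the mapper
     */
    @Bean
    public GrantedAuthoritiesMapper userAuthoritiesMapper(GroupRepository groupRepository) {
        return authorities -> {
            Set<GrantedAuthority> mapped = new HashSet<>(authorities);
            Set<String> roles = new HashSet<>();
            try {
                for (GrantedAuthority authority : authorities) {
                    if (authority instanceof OidcUserAuthority) {
                        List<String> claimed =
                                ((OidcUserAuthority) authority).getIdToken().getClaimAsStringList(ROLES_CLAIM);
                        if (claimed != null) {
                            roles.addAll(claimed);
                        }
                    }
                }
                for (String role : roles) {
                    if (groupRepository.findById(role).isEmpty()) {
                        Group group = new Group();
                        group.setName(role);
                        group.setDescription("<imported from SSO>");
                        groupRepository.save(group);
                    }
                    mapped.add(new SimpleGrantedAuthority(role));
                }
            } catch (Exception e) {
                // Best effort: a failing claim lookup or group save must not block the login, but
                // it must be visible, since the user may end up with fewer authorities than claimed.
                LOG.log(Level.WARNING, "Could not map SSO roles to authorities; result may be incomplete", e);
            }
            return mapped;
        };
    }
}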
