package org.tailormap.api.security;

import jakarta.servlet.Filter;
import java.lang.invoke.MethodHandles;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.context.event.ApplicationReadyEvent;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn;
import org.springframework.context.event.EventListener;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.transaction.annotation.Transactional;
import org.tailormap.api.persistence.Group;
import org.tailormap.api.persistence.User;
import org.tailormap.api.repository.GroupRepository;
import org.tailormap.api.repository.UserRepository;

/**
 * Security configuration for the management (actuator) endpoints.
 *
 * <p>It does two things: on application start it optionally provisions a dedicated
 * account named {@code Group.ACTUATOR} from a pre-hashed password supplied through
 * configuration, and it registers a {@link SecurityFilterChain} that only applies to
 * requests below the management base path.
 *
 * <p>NOTE(review): {@code @Order(1)} presumably makes this chain take precedence over the
 * application's other filter chains; those are not visible in this file, so confirm.
 */
@Configuration
@Order(1)
/* loaded from: input_file:BOOT-INF/classes/org/tailormap/api/security/ActuatorSecurityConfiguration.class */
public class ActuatorSecurityConfiguration {
    private static final Logger logger = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());

    // Prefix of all management endpoints. Every matcher below is built by string
    // concatenation on this value.
    // NOTE(review): an empty base path would make the "/**" matcher cover every request
    // of the application - confirm the deployment never configures it that way.
    @Value("${management.endpoints.web.base-path}")
    private String basePath;

    // Pre-hashed password for the management account. It is stored as-is and never
    // written to the log by this class; blank means "do not provision an account".
    @Value("${tailormap-api.management.hashed-password}")
    private String hashedPassword;
    private final UserRepository userRepository;
    private final GroupRepository groupRepository;

    /**
     * Creates the configuration with the repositories used to look up and store the
     * management account.
     *
     * @param userRepository repository the actuator account is read from and saved to
     * @param groupRepository repository the actuator group is read from
     */
    public ActuatorSecurityConfiguration(UserRepository userRepository, GroupRepository groupRepository) {
        this.userRepository = userRepository;
        this.groupRepository = groupRepository;
    }

    /**
     * Provisions the management account once the application is ready.
     *
     * <p>Nothing happens when no hashed password is configured. When an account named
     * {@code Group.ACTUATOR} already exists it is left untouched: the method only logs
     * whether its stored password equals the configured hash, so changing the configured
     * value afterwards does not rotate the stored credential. A new account is created
     * only when the configured value starts with {@code {bcrypt}}; the remainder of the
     * value is not validated here.
     *
     * <p>NOTE(review): {@code @DependsOn} is normally honoured on bean definitions; confirm
     * it has the intended effect on this event-listener method.
     *
     * @throws java.util.NoSuchElementException if the {@code Group.ACTUATOR} group does not
     *     exist when a new account has to be created
     */
    @DependsOn({"tailormap-database-initialization"})
    @Transactional
    @EventListener({ApplicationReadyEvent.class})
    public void createActuatorAccount() {
        if (StringUtils.isBlank(this.hashedPassword)) {
            return;
        }
        // Project helper; presumably installs an internal admin identity so the repository
        // calls below are authorised - verify against InternalAdminAuthentication.
        InternalAdminAuthentication.setInSecurityContext();
        try {
            User existingAccount = this.userRepository.findById(Group.ACTUATOR).orElse(null);
            if (existingAccount != null) {
                // Report the match/mismatch only; neither hash is ever logged.
                String relation;
                if (this.hashedPassword.equals(existingAccount.getPassword())) {
                    relation = "with the hashed password in";
                } else {
                    relation = "with a different password from";
                }
                logger.info("Actuator account already exists {} the MANAGEMENT_HASHED_ACCOUNT environment variable", relation);
                return;
            }
            if (!this.hashedPassword.startsWith("{bcrypt}")) {
                // Refuse anything that is not tagged as a bcrypt hash, so a plaintext or
                // differently encoded value is never persisted as the account password.
                logger.error("Invalid password hash, must start with {bcrypt}");
                return;
            }
            User actuatorAccount = new User()
                    .setUsername(Group.ACTUATOR)
                    .setPassword(this.hashedPassword);
            actuatorAccount.getGroups().add(this.groupRepository.findById(Group.ACTUATOR).orElseThrow());
            this.userRepository.save(actuatorAccount);
            logger.info("Created {} account with hashed password for management", Group.ACTUATOR);
        } finally {
            // Always drop the temporary authentication, also on the early returns above
            // and when a repository call throws.
            InternalAdminAuthentication.clearSecurityContextAuthentication();
        }
    }

    /**
     * Builds the filter chain that guards everything below the management base path.
     *
     * <p>{@code <basePath>/health/**} and {@code <basePath>/info} are reachable without
     * authentication; every other path below the base path requires the
     * {@code Group.ADMIN} or {@code Group.ACTUATOR} authority. HTTP Basic is enabled with
     * its defaults and CSRF tokens are kept in the supplied cookie repository.
     *
     * @param httpSecurity builder the chain is configured on
     * @param cookieCsrfTokenRepository repository used to store CSRF tokens
     * @return the filter chain for the management endpoints
     * @throws Exception if the chain cannot be built
     */
    @Bean
    public SecurityFilterChain actuatorFilterChain(HttpSecurity httpSecurity, CookieCsrfTokenRepository cookieCsrfTokenRepository) throws Exception {
        final String everythingBelowBasePath = this.basePath + "/**";

        httpSecurity.csrf(csrf -> csrf.csrfTokenRepository(cookieCsrfTokenRepository));

        // Restrict this chain to the management endpoints only.
        httpSecurity.securityMatcher(everythingBelowBasePath);

        // Rules are evaluated in declaration order, so the two public exceptions must stay
        // ahead of the catch-all rule that demands an authority.
        httpSecurity.authorizeHttpRequests(requests -> requests
                .requestMatchers(this.basePath + "/health/**").permitAll()
                .requestMatchers(this.basePath + "/info").permitAll()
                .requestMatchers(everythingBelowBasePath).hasAnyAuthority(Group.ADMIN, Group.ACTUATOR));

        httpSecurity.httpBasic(Customizer.withDefaults());

        // Project filter placed after the anonymous-authentication filter.
        // NOTE(review): presumably records who called which management endpoint - confirm
        // against AuditInterceptor.
        httpSecurity.addFilterAfter((Filter) new AuditInterceptor(), AnonymousAuthenticationFilter.class);

        return httpSecurity.build();
    }
}
