package de.muenchen.oss.digiwf.spring.security;

import de.muenchen.oss.digiwf.spring.security.userinfo.UserInfoAuthoritiesConverter;
import io.muenchendigital.digiwf.spring.security.client.ClientParameters;
import jakarta.annotation.PostConstruct;
import java.util.Arrays;
import java.util.Collection;
import org.springdoc.core.Constants;
import org.springframework.boot.web.client.RestTemplateBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.core.convert.converter.Converter;
import org.springframework.core.env.Environment;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

/* loaded from: input_file:BOOT-INF/lib/digiwf-spring-security-core-1.4.3.jar:de/muenchen/oss/digiwf/spring/security/SecurityConfiguration.class */
/**
 * Spring Security setup for a JWT-protected resource server.
 *
 * <p>The configuration is bound to the profile expression {@link #SECURITY} ({@code "!no-security"}),
 * so it is only loaded while the {@code no-security} profile is <em>not</em> active. Nothing in this
 * class protects the application when that profile is switched on; whatever applies then is defined
 * elsewhere and should be reviewed before the profile is used outside local development.
 *
 * <p>Method-level security is enabled for {@code @PreAuthorize}/{@code @PostAuthorize},
 * {@code @Secured} and the JSR-250 annotations.
 */
@Configuration
@EnableWebSecurity
@EnableMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
@Profile({SecurityConfiguration.SECURITY})
public class SecurityConfiguration {
    /** Profile expression under which this configuration is active. */
    public static final String SECURITY = "!no-security";
    /** Order assigned to the main security filter chain bean. */
    public static final int DEFAULT_SECURITY_ORDER = 77;
    /** Prefix Spring Security conventionally puts in front of role names. */
    public static final String SPRING_ROLE_PREFIX = "ROLE_";

    private final RestTemplateBuilder restTemplateBuilder;
    private final SpringSecurityProperties springSecurityProperties;
    private final Environment environment;
    // Assigned in setupClientRegistration(); the @Bean methods below read it.
    private ClientParameters clientParameters;

    /**
     * Stores the collaborators; the client parameters are resolved later in
     * {@link #setupClientRegistration()}.
     *
     * @param restTemplateBuilder builder handed to the user-info authorities converter
     * @param springSecurityProperties source of the permitted URLs and the client registration name
     * @param environment environment the client parameters are read from
     */
    public SecurityConfiguration(RestTemplateBuilder restTemplateBuilder, SpringSecurityProperties springSecurityProperties, Environment environment) {
        this.restTemplateBuilder = restTemplateBuilder;
        this.springSecurityProperties = springSecurityProperties;
        this.environment = environment;
    }

    /**
     * Resolves the client parameters for the configured client registration from the environment.
     */
    @PostConstruct
    void setupClientRegistration() {
        String registration = this.springSecurityProperties.getClientRegistration();
        this.clientParameters = ClientParameters.fromEnvironment(this.environment, registration);
    }

    /**
     * Builds the main filter chain: OPTIONS requests and the configured permitted URLs are open,
     * every other request must be authenticated with a JWT.
     *
     * @param httpSecurity the builder to configure
     * @param jwtAuthenticationConverter converter that turns a validated JWT into an authentication
     * @return the built filter chain
     * @throws Exception if building the chain fails
     */
    @Bean
    @Order(DEFAULT_SECURITY_ORDER)
    public SecurityFilterChain mainSecurityFilterChain(HttpSecurity httpSecurity, JwtAuthenticationConverter jwtAuthenticationConverter) throws Exception {
        httpSecurity
                .authorizeHttpRequests(registry -> {
                    // OPTIONS is open on every path covered by springdoc's ALL_PATTERN constant.
                    // NOTE(review): a security rule depending on a springdoc constant is unusual — confirm the pattern.
                    registry.requestMatchers(AntPathRequestMatcher.antMatcher(HttpMethod.OPTIONS, Constants.ALL_PATTERN)).permitAll();
                    // Every configured entry bypasses authentication, so the permitted-URL property
                    // is security-relevant configuration and should be reviewed per deployment.
                    Arrays.stream(this.springSecurityProperties.getPermittedUrls())
                            .forEach(permittedUrl -> registry.requestMatchers(AntPathRequestMatcher.antMatcher(permittedUrl)).permitAll());
                    registry.anyRequest().authenticated();
                })
                // CSRF protection is switched off for this chain.
                // NOTE(review): that is only appropriate while requests are authenticated solely by a
                // bearer token and no cookie- or session-based authentication reaches this chain — confirm.
                .csrf(csrf -> csrf.disable())
                .oauth2ResourceServer(resourceServer -> resourceServer.jwt(jwt -> {
                    // NOTE(review): the decoder is built with default settings from the issuer location.
                    // Confirm that it validates the "iss" claim (and audience, if required); otherwise
                    // set an explicit validator, e.g. JwtValidators.createDefaultWithIssuer(...).
                    String issuerUrl = this.clientParameters.getProviderIssuerUrl();
                    jwt.jwtAuthenticationConverter(jwtAuthenticationConverter)
                            .decoder(NimbusJwtDecoder.withIssuerLocation(issuerUrl).build());
                }));
        return httpSecurity.build();
    }

    /**
     * Creates the JWT authentication converter and plugs in the given authorities converter.
     *
     * @param converter maps a JWT to the granted authorities of its subject
     * @return the configured authentication converter
     */
    @Bean
    public JwtAuthenticationConverter customCachingUserServiceConverter(Converter<Jwt, Collection<GrantedAuthority>> converter) {
        JwtAuthenticationConverter authenticationConverter = new JwtAuthenticationConverter();
        authenticationConverter.setJwtGrantedAuthoritiesConverter(converter);
        return authenticationConverter;
    }

    /**
     * Creates the authorities converter that is given the provider's user-info URI.
     *
     * <p>NOTE(review): authorities presumably come from the user-info endpoint rather than from
     * the token itself; how responses are cached and how failures are handled is decided in
     * {@code UserInfoAuthoritiesConverter} and is not visible here — verify.
     *
     * @return the user-info based authorities converter
     */
    @Bean
    public Converter<Jwt, Collection<GrantedAuthority>> userInfoAuthoritiesConverter() {
        String userInfoUri = this.clientParameters.getProviderUserInfoUri();
        return new UserInfoAuthoritiesConverter(userInfoUri, this.restTemplateBuilder);
    }
}
