package de.muenchen.oss.digiwf.gateway.configuration;

import java.time.Duration;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.WebFilterExchange;
import org.springframework.security.web.server.authentication.RedirectServerAuthenticationSuccessHandler;
import org.springframework.security.web.server.authentication.logout.HttpStatusReturningServerLogoutSuccessHandler;
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
import reactor.core.publisher.Mono;

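/**
 * WebFlux security configuration for the gateway: logout handling, path authorization, CORS,
 * CSRF and OAuth2 login.
 *
 * <p>Active whenever the {@code no-security} profile is NOT enabled. What protects the gateway
 * when that profile is enabled is not visible in this class.
 * NOTE(review): confirm that {@code no-security} cannot be activated in production deployments.
 */
@Profile({"!no-security"})
@Configuration
public class SecurityConfiguration {
    /** Path that triggers a logout; only POST requests to it are treated as logout requests. */
    private static final String LOGOUT_URL = "/logout";

    /** Page that is reachable without authentication (see the authorization rules below). */
    private static final String LOGOUT_SUCCESS_URL = "/loggedout.html";

    // Session idle timeout in seconds, read from spring.session.timeout; falls back to 36000 s
    // (10 hours) when the property is unset.
    // NOTE(review): 10 hours is a long idle window for an authenticated gateway session; confirm
    // it matches the session policy. The field is a long, so a value with a unit suffix
    // (e.g. "30m") would presumably fail to bind here - verify against the deployed config.
    @Value("${spring.session.timeout:36000}")
    private long springSessionTimeoutSeconds;

    /**
     * Builds the gateway's security filter chain.
     *
     * @param serverHttpSecurity the security builder to configure
     * @return the configured filter chain
     */
    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity serverHttpSecurity) {
        serverHttpSecurity
            // Logout answers with a plain HTTP status instead of a redirect, and is only
            // triggered by POST so a cross-site GET (link, image tag) cannot log a user out.
            .logout(logoutSpec -> logoutSpec
                .logoutSuccessHandler(new HttpStatusReturningServerLogoutSuccessHandler())
                .logoutUrl(LOGOUT_URL)
                .requiresLogout(ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, LOGOUT_URL)))
            .authorizeExchange(authorizeExchangeSpec -> authorizeExchangeSpec
                // OPTIONS on the API is open, presumably so CORS preflight requests (which
                // carry no credentials) are not rejected.
                .pathMatchers(HttpMethod.OPTIONS, "/api/**").permitAll()
                .pathMatchers(LOGOUT_SUCCESS_URL).permitAll()
                // NOTE(review): these endpoints are served WITHOUT authentication. Health and
                // info are commonly public, but /actuator/metrics can disclose runtime and
                // traffic details; confirm it is meant to be public or restrict it at the
                // network/management-port level.
                .pathMatchers("/api/*/info", "/actuator/health", "/actuator/info", "/actuator/metrics").permitAll()
                // Everything else requires an authenticated user.
                .anyExchange().authenticated())
            // Empty customizer: CORS keeps the framework defaults; the actual CORS policy is
            // not defined in this class.
            .cors(corsSpec -> {
            })
            // The CSRF token cookie is deliberately readable by JavaScript (HttpOnly=false) so a
            // browser client can copy it into a request header. The trade-off is that any script
            // running in the page, including injected script, can read the token too.
            .csrf(csrfSpec -> csrfSpec.csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse()))
            .oauth2Login(oAuth2LoginSpec -> oAuth2LoginSpec.authenticationSuccessHandler(
                new RedirectServerAuthenticationSuccessHandler() {
                    /**
                     * Applies the configured idle timeout to the session, then performs the
                     * default post-login redirect.
                     */
                    @Override
                    public Mono<Void> onAuthenticationSuccess(WebFilterExchange webFilterExchange, Authentication authentication) {
                        Duration maxIdleTime = Duration.ofSeconds(SecurityConfiguration.this.springSessionTimeoutSeconds);
                        // Set the timeout as part of the returned chain rather than in a detached
                        // subscribe(): the detached form gives no guarantee that the timeout is
                        // applied before the redirect is written, and silently drops any error
                        // raised while resolving the session.
                        return webFilterExchange.getExchange().getSession()
                            .doOnNext(webSession -> webSession.setMaxIdleTime(maxIdleTime))
                            .then(Mono.defer(() -> super.onAuthenticationSuccess(webFilterExchange, authentication)));
                    }
                }));
        return serverHttpSecurity.build();
    }
}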
