package io.github.icodegarden.commons.gateway.autoconfigure;

import io.github.icodegarden.commons.gateway.core.security.AppKeyAuthenticationWebFilter;
import io.github.icodegarden.commons.gateway.core.security.JWTAuthenticationWebFilter;
import io.github.icodegarden.commons.gateway.core.security.JWTConfig;
import io.github.icodegarden.commons.gateway.properties.CommonsGatewaySecurityProperties;
import io.github.icodegarden.commons.springboot.security.ApiResponseServerAccessDeniedHandler;
import io.github.icodegarden.commons.springboot.security.ApiResponseServerAuthenticationEntryPoint;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

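/**
 * Auto-configures the WebFlux security filter chain for the gateway.
 *
 * <p>The configuration is active unless {@code commons.gateway.security.support.enabled} is set
 * to something other than {@code true} ({@code matchIfMissing = true} makes it on by default).
 * When it is switched off, this class contributes no {@link SecurityWebFilterChain} at all;
 * whatever protects the gateway then is not decided here.
 *
 * <p>Authorization rules come from an {@link AuthorizeExchangeSpecConfigurer} bean when one is
 * present, otherwise from {@link AuthorizeExchangeSpecConfigurer#configDefault}. The
 * authentication filter is chosen from {@link CommonsGatewaySecurityProperties}: JWT first, then
 * app-key, then a pass-through filter that authenticates nothing.
 */
@EnableConfigurationProperties({CommonsGatewaySecurityProperties.class})
@Configuration
@EnableWebFluxSecurity
@ConditionalOnProperty(value = {"commons.gateway.security.support.enabled"}, havingValue = "true", matchIfMissing = true)
public class GatewaySecurityAutoConfiguration {
    private static final Logger log = LoggerFactory.getLogger(GatewaySecurityAutoConfiguration.class);

    @Autowired
    private CommonsGatewaySecurityProperties securityProperties;

    /** Optional application-supplied rule set; {@code null} when no such bean is defined. */
    @Autowired(required = false)
    private AuthorizeExchangeSpecConfigurer authorizeExchangeSpecConfigurer;

    /**
     * Hook that lets an application replace the default path authorization rules.
     *
     * <p>A custom implementation replaces the defaults entirely: {@link #configDefault} is not
     * applied in addition, so the implementation has to supply its own catch-all rule (for
     * example {@code anyExchange().authenticated()}) if unmatched paths must stay protected.
     */
    public interface AuthorizeExchangeSpecConfigurer {
        /**
         * Applies the built-in rule set. Rules are registered in order, so the first pattern that
         * matches a request path decides the outcome.
         *
         * @param authorizeExchangeSpec the spec to add the rules to
         */
        static void configDefault(ServerHttpSecurity.AuthorizeExchangeSpec authorizeExchangeSpec) {
            authorizeExchangeSpec
                    // API surfaces that always require an authenticated caller.
                    .pathMatchers("/openapi/**", "/*/api/**", "/*/internalapi/**").authenticated()
                    // Login and explicitly anonymous endpoints must be reachable without a credential.
                    .pathMatchers("/*/login/**", "/*/authenticate/**", "/anonymous/**", "/*/anonymous/**").permitAll()
                    // API documentation is served without authentication.
                    // NOTE(review): this publishes the API description of every routed service;
                    // confirm that is intended for production deployments.
                    .pathMatchers("/swagger*/**", "/*/swagger*/**", "/*/v3/api-docs/**").permitAll()
                    // NOTE(review): actuator endpoints are open to unauthenticated callers through
                    // this chain. Which endpoints are actually exposed depends on the application's
                    // management.endpoints.web.exposure.include setting; keep that list minimal or
                    // serve actuator on a separate management port that is not publicly routable.
                    .pathMatchers("/actuator/**").permitAll()
                    // Anything not listed above is closed by default.
                    .anyExchange().authenticated();
        }

        /**
         * Registers the application's own authorization rules.
         *
         * @param authorizeExchangeSpec the spec to add the rules to
         */
        void config(ServerHttpSecurity.AuthorizeExchangeSpec authorizeExchangeSpec);
    }

    /**
     * Filter that forwards every exchange unchanged. It is installed when neither JWT nor app-key
     * authentication is configured, so no request is ever authenticated by it.
     */
    private static final class NoOpWebFilter implements WebFilter {
        @Override
        public Mono<Void> filter(ServerWebExchange serverWebExchange, WebFilterChain webFilterChain) {
            return webFilterChain.filter(serverWebExchange);
        }
    }

    /**
     * Builds the gateway's security filter chain.
     *
     * @param serverHttpSecurity the builder provided by Spring Security
     * @return the assembled chain
     */
    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity serverHttpSecurity) {
        ApiResponseServerAuthenticationEntryPoint entryPoint = new ApiResponseServerAuthenticationEntryPoint();

        ServerHttpSecurity.AuthorizeExchangeSpec authorizeExchange = serverHttpSecurity
                .exceptionHandling()
                .authenticationEntryPoint(entryPoint)
                .accessDeniedHandler(new ApiResponseServerAccessDeniedHandler())
                .and()
                // CSRF protection is off for the whole gateway. That fits header-borne credentials
                // (JWT / app key); re-evaluate if any routed service relies on cookie sessions.
                .csrf().disable()
                // X-Frame-Options is no longer emitted, so framing protection for any HTML that
                // passes through the gateway has to come from the backend or a CSP frame-ancestors
                // policy.
                .headers().frameOptions().disable()
                .and()
                .authorizeExchange();

        if (this.authorizeExchangeSpecConfigurer != null) {
            log.info("gateway security AuthorizeExchangeSpecConfigurer is exist, do config custom");
            this.authorizeExchangeSpecConfigurer.config(authorizeExchange);
        } else {
            log.info("gateway security AuthorizeExchangeSpecConfigurer not exist, do config default");
            AuthorizeExchangeSpecConfigurer.configDefault(authorizeExchange);
        }

        final WebFilter authenticationFilter;
        CommonsGatewaySecurityProperties.Jwt jwt = this.securityProperties.getJwt();
        CommonsGatewaySecurityProperties.AppKey appKey = this.securityProperties.getAppKey();
        if (jwt != null) {
            // Log only non-secret fields. The Jwt properties object carries the signing key
            // (getSecretKey()); printing the object itself would put that key into the logs if
            // its toString() includes it.
            log.info("gateway security config Authentication WebFilter by jwt, issuer:{}, tokenExpireSeconds:{}",
                    jwt.getIssuer(), jwt.getTokenExpireSeconds());
            authenticationFilter = new JWTAuthenticationWebFilter(
                    new JWTConfig(jwt.getIssuer(), jwt.getSecretKey(), jwt.getTokenExpireSeconds()), entryPoint);
        } else if (appKey != null) {
            // Same reasoning: getApps() is what callers are authenticated against, so it is
            // kept out of the log line (presumably it holds per-app credentials; verify).
            log.info("gateway security config Authentication WebFilter by appKey, headerAppKey:{}",
                    appKey.getHeaderAppKey());
            // NOTE(review): booleanValue() throws NullPointerException when headerAppKey is
            // unset; confirm the properties class gives it a default.
            authenticationFilter = new AppKeyAuthenticationWebFilter(appKey.getApps(), entryPoint)
                    .setHeaderAppKey(appKey.getHeaderAppKey().booleanValue());
        } else {
            // No authentication mechanism is configured. Raised to WARN so a gateway that starts
            // in this state is visible in the startup log.
            log.warn("gateway security config Authentication WebFilter by NoOp");
            authenticationFilter = new NoOpWebFilter();
        }

        // The authentication filter must run before the authorization rules are evaluated.
        authorizeExchange.and().addFilterBefore(authenticationFilter, SecurityWebFiltersOrder.AUTHORIZATION);
        return serverHttpSecurity.build();
    }
}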
