package com.erudika.para.server.security;

import com.erudika.para.core.utils.Para;
import com.erudika.para.server.ParaServer;
import com.typesafe.config.ConfigList;
import com.typesafe.config.ConfigObject;
import com.typesafe.config.ConfigValue;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.annotation.security.DeclareRoles;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.firewall.DefaultHttpFirewall;
import org.springframework.security.web.util.matcher.RequestMatcher;

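/**
 * Spring Security configuration for the Para server.
 *
 * <p>Registers the HTTP firewall, builds the {@link SecurityFilterChain} (request authorization,
 * CSRF, session handling, logout, authentication providers) and turns the configured
 * "protected paths" into role-based authorization rules.
 */
@DeclareRoles({"ROLE_USER", "ROLE_MOD", "ROLE_ADMIN", "ROLE_APP"})
@Configuration
@EnableWebSecurity
/* loaded from: input_file:com/erudika/para/server/security/SecurityConfig.class */
public class SecurityConfig {
    private static final Logger logger = LoggerFactory.getLogger(SecurityConfig.class);

    /** Roles accepted for a protected-path group that does not name any role itself. */
    private static final String[] DEFAULT_ROLES = {"USER", "MOD", "ADMIN", "APP"};

    private final CachedCsrfTokenRepository csrfTokenRepository = (CachedCsrfTokenRepository) ParaServer.getInstance(CachedCsrfTokenRepository.class);

    /**
     * Installs a {@link DefaultHttpFirewall} that accepts URL-encoded slashes.
     *
     * <p>NOTE(review): this replaces the firewall Spring Security would otherwise use
     * (StrictHttpFirewall, which rejects encoded slashes) with the more lenient one. The path
     * patterns registered in {@link #filterChain} are matched against requests this firewall lets
     * through, so confirm that a path containing {@code %2F} is interpreted the same way by the
     * authorization rules and by the handler that finally serves it.
     *
     * @return the customizer that sets the firewall
     */
    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return webSecurity -> {
            DefaultHttpFirewall firewall = new DefaultHttpFirewall();
            firewall.setAllowUrlEncodedSlash(true);
            webSecurity.httpFirewall(firewall);
        };
    }

    /**
     * Builds the application's security filter chain.
     *
     * @param httpSecurity the builder supplied by Spring Security
     * @return the configured filter chain
     * @throws Exception if any configurer fails, or if the protected-paths configuration has an
     *     entry that is not a list
     */
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
        String signinPath = Para.getConfig().signinPath();
        String signoutPath = Para.getConfig().signoutPath();
        String accessDeniedPath = Para.getConfig().accessDeniedPath();
        String signoutSuccessPath = Para.getConfig().signoutSuccessPath();
        ConfigObject protectedPaths = Para.getConfig().protectedPaths();

        // Authorization rules are consulted in registration order and the first matching rule
        // decides, so the order below is significant: ignored requests, then REST requests, then
        // the configured protected paths.
        httpSecurity.authorizeHttpRequests().requestMatchers(IgnoredRequestMatcher.INSTANCE).permitAll();
        httpSecurity.authorizeHttpRequests().requestMatchers(RestRequestMatcher.INSTANCE).authenticated();
        parseProtectedResources(httpSecurity, protectedPaths);

        // CSRF protection is a configuration switch. When it is off, no CSRF check runs at all;
        // when it is on, it applies only to requests selected by CsrfProtectionRequestMatcher.
        if (Para.getConfig().csrfProtectionEnabled()) {
            httpSecurity.csrf().requireCsrfProtectionMatcher(CsrfProtectionRequestMatcher.INSTANCE).csrfTokenRepository(this.csrfTokenRepository);
        } else {
            httpSecurity.csrf().disable();
        }

        // Session ids never travel in URLs, Spring Security never creates a session on its own,
        // and no session-related action is taken when a request authenticates.
        httpSecurity.sessionManagement().enableSessionUrlRewriting(false);
        httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER);
        httpSecurity.sessionManagement().sessionAuthenticationStrategy(new NullAuthenticatedSessionStrategy());

        httpSecurity.exceptionHandling().authenticationEntryPoint(new SimpleAuthenticationEntryPoint(signinPath));
        httpSecurity.exceptionHandling().accessDeniedHandler(new SimpleAccessDeniedHandler(accessDeniedPath));
        httpSecurity.requestCache().requestCache(new SimpleRequestCache());

        // Sign-out removes the auth cookie and invalidates any existing HTTP session.
        httpSecurity.logout().deleteCookies(Para.getConfig().authCookieName()).invalidateHttpSession(true).logoutUrl(signoutPath).logoutSuccessUrl(signoutSuccessPath);
        httpSecurity.rememberMe().disable();

        httpSecurity.authenticationProvider(new JWTAuthenticationProvider());
        httpSecurity.authenticationProvider(new LDAPAuthenticationProvider());
        httpSecurity.apply(new JwtConfigurer());
        return httpSecurity.build();
    }

    /**
     * Registers one role-based authorization rule per protected-path group.
     *
     * <p>Each value of {@code configObject} is a list. Its plain string elements are path
     * patterns; a nested list holds role names and/or HTTP method names. A group with no roles
     * falls back to {@link #DEFAULT_ROLES}; a group with no HTTP methods applies to every method.
     *
     * @param httpSecurity the builder to add the rules to
     * @param configObject the protected-paths configuration; {@code null} or empty adds no rule
     * @throws Exception if a group is not a list, or if Spring Security rejects a rule
     */
    private void parseProtectedResources(HttpSecurity httpSecurity, ConfigObject configObject) throws Exception {
        if (configObject == null || configObject.isEmpty()) {
            return;
        }
        for (ConfigValue group : configObject.values()) {
            List<String> patterns = new LinkedList<>();
            List<String> roles = new LinkedList<>();
            Set<HttpMethod> methods = new HashSet<>();

            // A group that is not a list fails this cast and aborts the configuration.
            for (ConfigValue element : (ConfigList) group) {
                try {
                    if (element instanceof ConfigList) {
                        for (ConfigValue item : (ConfigList) element) {
                            // Locale.ROOT keeps the upper-casing independent of the JVM's default
                            // locale, so role and HTTP method names map the same way on every host.
                            String token = ((String) item.unwrapped()).toUpperCase(Locale.ROOT).trim();
                            HttpMethod method = HttpMethod.resolve(token);
                            if (method != null) {
                                methods.add(method);
                            } else {
                                roles.add(token);
                            }
                        }
                    } else {
                        patterns.add((String) element.unwrapped());
                    }
                } catch (Exception e) {
                    // NOTE(review): a malformed element is logged and skipped, and the rule for
                    // this group is then built from whatever did parse. A skipped path pattern
                    // gets no rule from this method, so this log line should be treated as a
                    // security-relevant configuration failure; confirm how such paths are
                    // handled by the remaining matchers.
                    logger.error("Invalid config syntax for protected resource: {}.", element.render(), e);
                }
            }

            String[] roleNames = roles.isEmpty() ? DEFAULT_ROLES : roles.toArray(new String[0]);
            String[] pathPatterns = patterns.toArray(new String[0]);
            if (methods.isEmpty()) {
                httpSecurity.authorizeHttpRequests().requestMatchers(pathPatterns).hasAnyRole(roleNames);
            } else {
                for (HttpMethod method : methods) {
                    httpSecurity.authorizeHttpRequests().requestMatchers(method, pathPatterns).hasAnyRole(roleNames);
                }
            }
        }
    }
}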
