package org.birchframework.security.oauth2;

import com.google.common.base.Throwables;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import javax.annotation.PostConstruct;
import javax.annotation.Resource;
import javax.servlet.Filter;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Path;
import org.apache.commons.lang3.StringUtils;
import org.apache.cxf.Bus;
import org.apache.cxf.feature.Feature;
import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustAllStrategy;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.birchframework.configuration.BirchProperties;
import org.birchframework.dto.BirchErrorCode;
import org.birchframework.framework.beans.Beans;
import org.birchframework.framework.cxf.JAXRSUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.actuate.autoconfigure.condition.ConditionsReportEndpoint;
import org.springframework.boot.actuate.autoconfigure.jolokia.JolokiaEndpoint;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.beans.BeansEndpoint;
import org.springframework.boot.actuate.env.EnvironmentEndpoint;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.boot.actuate.logging.LogFileWebEndpoint;
import org.springframework.boot.actuate.logging.LoggersEndpoint;
import org.springframework.boot.actuate.metrics.MetricsEndpoint;
import org.springframework.boot.actuate.metrics.export.prometheus.PrometheusScrapeEndpoint;
import org.springframework.boot.actuate.web.mappings.MappingsEndpoint;
import org.springframework.context.ApplicationContext;
import org.springframework.context.support.GenericApplicationContext;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.core.convert.converter.Converter;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.DefaultLoginPageConfigurer;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth2.core.DefaultOAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.stereotype.Service;
import org.springframework.util.CollectionUtils;
import org.springframework.web.client.RestOperations;
import org.springframework.web.client.RestTemplate;

/* loaded from: input_file:org/birchframework/security/oauth2/OAuth2SecurityFilterChain.class */
public class OAuth2SecurityFilterChain implements SecurityFilterChain, Ordered {
    private static final Logger log = LoggerFactory.getLogger(OAuth2SecurityFilterChain.class);
    public static final Pattern contextPathPattern = Pattern.compile("^/?(([a-zA-Z-_]+/?)+)$");
    protected static final AtomicInteger order = new AtomicInteger(-100);
    private static final String CXF_BUS_HTTP_TRASNPORT_ID = "http://cxf.apache.org/transports/http";
    protected final BirchProperties.IdPRealm properties;
    protected final Set<String> unsecureContextPaths;

    @Resource
    private GenericApplicationContext context;

    @Resource
    private Bus bus;

    @Resource
    private UserDetailsService userDetailsService;

    @Resource
    private ObjectPostProcessor<Object> objectPostProcessor;

    @Resource
    private GrantedAuthoritiesBuilder defaultGrantedAuthoritiesBuilder;

    @Resource
    private BearerTokenResolver defaultBearerTokenResolver;

    @Resource
    private JAXRSUtils jaxrsUtils;

    @Value("${cxf.path:/api}")
    private String cxfPath;

    @Value("${cxf.jaxrs.classes-scan-packages:}")
    private Set<String> classesScanPackages;
    private String contextPath;
    private SecurityFilterChain delegate;

    @PostConstruct
    void init() {
        String normalizePath = normalizePath(this.properties.getRealmContextPath());
        if (normalizePath == null) {
            log.warn("Realm: {} has specified the context path pattern: {} which has resulted in its removal from the effective context path", this.properties.getValue(), this.properties.getRealmContextPath());
            this.contextPath = this.cxfPath;
        } else {
            this.contextPath = String.format("/%s/%s", normalizePath(this.cxfPath), normalizePath);
            log.debug("Realm: {} effective context path: {}", this.properties.getValue(), this.contextPath);
        }
        try {
            createServices();
            this.delegate = (SecurityFilterChain) httpSecurity().build();
        } catch (Exception e) {
            throw new RuntimeException(String.format("Unable to create security filter chain for IdP config %s", this.properties.getValue()), e);
        }
    }

    public int getOrder() {
        return order.getAndSet(order.get() + 5);
    }

    public boolean matches(HttpServletRequest httpServletRequest) {
        return this.delegate.matches(httpServletRequest);
    }

    public List<Filter> getFilters() {
        return this.delegate.getFilters();
    }

    protected HttpSecurity httpSecurity() throws Exception {
        NimbusJwtDecoder build = StringUtils.isNotBlank(this.properties.getJwkSetUri()) ? NimbusJwtDecoder.withJwkSetUri(this.properties.getJwkSetUri()).restOperations(jwkSetRestOperations(this.properties.isDisableSSLValidation())).jwsAlgorithm(SignatureAlgorithm.RS256).build() : StringUtils.isNotBlank(this.properties.getIssuerUri()) ? new IssuerAwareJWTDecoderAdapter(this.properties.getIssuerUri(), this.properties.isDisableSSLValidation()) : new NimbusJwtDecoder(new DefaultJWTProcessor());
        AuthenticationManagerBuilder authenticationManagerBuilder = new AuthenticationManagerBuilder(this.objectPostProcessor);
        JwtAuthenticationProvider jwtAuthenticationProvider = new JwtAuthenticationProvider(build);
        Converter<Jwt, AbstractAuthenticationToken> jwtAuthConverter = jwtAuthConverter();
        jwtAuthenticationProvider.setJwtAuthenticationConverter(jwtAuthConverter);
        authenticationManagerBuilder.authenticationProvider(jwtAuthenticationProvider);
        authenticationManagerBuilder.userDetailsService(this.userDetailsService);
        HttpSecurity httpSecurity = httpSecurity(authenticationManagerBuilder);
        httpSecurity.authorizeRequests(expressionInterceptUrlRegistry -> {
            ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) expressionInterceptUrlRegistry.requestMatchers(new RequestMatcher[]{EndpointRequest.to(new Class[]{HealthEndpoint.class, InfoEndpoint.class, MappingsEndpoint.class, LoggersEndpoint.class, LogFileWebEndpoint.class, MetricsEndpoint.class, EnvironmentEndpoint.class, PrometheusScrapeEndpoint.class, BeansEndpoint.class, JolokiaEndpoint.class, ConditionsReportEndpoint.class})})).permitAll();
            ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) expressionInterceptUrlRegistry.antMatchers(new String[]{"/**/openapi.json"})).permitAll();
            if (!CollectionUtils.isEmpty(this.unsecureContextPaths)) {
                this.unsecureContextPaths.stream().filter(str -> {
                    return !StringUtils.equals(str, this.contextPath);
                }).forEach(str2 -> {
                    ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) expressionInterceptUrlRegistry.antMatchers(new String[]{String.format("/%s/%s/**", normalizePath(this.cxfPath), normalizePath(str2))})).permitAll();
                });
            }
            ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) expressionInterceptUrlRegistry.antMatchers(new String[]{String.format("/%s/**", normalizePath(this.contextPath))})).authenticated();
        });
        NimbusJwtDecoder nimbusJwtDecoder = build;
        httpSecurity.oauth2ResourceServer(oAuth2ResourceServerConfigurer -> {
            oAuth2ResourceServerConfigurer.bearerTokenResolver(this.defaultBearerTokenResolver);
            oAuth2ResourceServerConfigurer.jwt(jwtConfigurer -> {
                try {
                    jwtConfigurer.decoder(nimbusJwtDecoder).jwtAuthenticationConverter(jwtAuthConverter);
                    if (StringUtils.isNotBlank(this.properties.getJwkSetUri())) {
                        jwtConfigurer.jwkSetUri(this.properties.getJwkSetUri());
                    }
                } catch (Exception e) {
                    throw new OAuth2ConfigurationException(BirchErrorCode.B43000, e);
                }
            });
        });
        log.info("HttpSecurity created for realm with key {} and name {}", this.properties.getValue(), this.properties.getName());
        return httpSecurity;
    }

    protected void createServices() {
        this.classesScanPackages.add(getClass().getPackage().getName());
        List findProviders = this.jaxrsUtils.findProviders(this.classesScanPackages);
        List list = (List) this.jaxrsUtils.findJAXRSFilterBeans().values().stream().filter(obj -> {
            return findProviders.stream().noneMatch(obj -> {
                return obj.getClass() == obj.getClass();
            });
        }).collect(Collectors.toList());
        List list2 = (List) findProviders.stream().filter(obj2 -> {
            return obj2 instanceof Feature;
        }).map(obj3 -> {
            return (Feature) obj3;
        }).collect(Collectors.toList());
        findProviders.removeAll(list2);
        findProviders.addAll(list);
        List list3 = (List) this.context.getBeansWithAnnotation(Service.class).values().stream().filter(obj4 -> {
            return AnnotationUtils.findAnnotation(obj4.getClass(), Path.class) != null;
        }).collect(Collectors.toList());
        JAXRSServerFactoryBean jAXRSServerFactoryBean = new JAXRSServerFactoryBean();
        jAXRSServerFactoryBean.setBus(this.bus);
        jAXRSServerFactoryBean.setTransportId(CXF_BUS_HTTP_TRASNPORT_ID);
        jAXRSServerFactoryBean.setProviders(findProviders);
        jAXRSServerFactoryBean.setAddress(this.properties.getRealmContextPath());
        jAXRSServerFactoryBean.setServiceBeans(list3);
        jAXRSServerFactoryBean.setFeatures(list2);
        jAXRSServerFactoryBean.create();
        log.info("Configured services for IdP realm with key {} and name {}", this.properties.getValue(), this.properties.getName());
    }

    protected Converter<Jwt, AbstractAuthenticationToken> jwtAuthConverter() throws Exception {
        String userNameClaimName = this.properties.getUserNameClaimName();
        String groupsClaimName = this.properties.getGroupsClaimName();
        GrantedAuthoritiesBuilder grantedAuthoritiesBuilder = (GrantedAuthoritiesBuilder) Beans.instanceOrDefault(this.properties.getGrantedAuthoritiesBuilder(), this.defaultGrantedAuthoritiesBuilder);
        return jwt -> {
            OAuth2AccessToken oAuth2AccessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt());
            String str = (String) jwt.getClaim(userNameClaimName);
            Map claims = jwt.getClaims();
            Collection<GrantedAuthority> build = grantedAuthoritiesBuilder.build(groupsClaimName, jwt);
            BearerTokenOAuth2Authentication bearerTokenOAuth2Authentication = new BearerTokenOAuth2Authentication(new DefaultOAuth2AuthenticatedPrincipal(str, claims, build), oAuth2AccessToken, build, this.properties);
            SecurityContextHolder.getContext().setAuthentication(bearerTokenOAuth2Authentication);
            if (StringUtils.isBlank(str)) {
                log.error(BirchErrorCode.B43020.getDescription());
                throw new UsernameNotFoundException(BirchErrorCode.B43020.asString());
            }
            try {
                bearerTokenOAuth2Authentication.setUser(this.userDetailsService.loadUserByUsername(str));
                return bearerTokenOAuth2Authentication;
            } catch (UsernameNotFoundException e) {
                log.error("A user name not found error occurred; message: {}", Throwables.getRootCause(e).getMessage());
                throw e;
            }
        };
    }

    protected HttpSecurity httpSecurity(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        HttpSecurity httpSecurity = new HttpSecurity(this.objectPostProcessor, authenticationManagerBuilder, Map.of(ApplicationContext.class, this.context));
        httpSecurity.csrf(Customizer.withDefaults()).addFilter(new WebAsyncManagerIntegrationFilter()).exceptionHandling(Customizer.withDefaults()).headers(Customizer.withDefaults()).sessionManagement(Customizer.withDefaults()).securityContext(Customizer.withDefaults()).requestCache(Customizer.withDefaults()).anonymous(Customizer.withDefaults()).servletApi(Customizer.withDefaults()).logout(logoutConfigurer -> {
            logoutConfigurer.deleteCookies(new String[0]).invalidateHttpSession(true).logoutUrl(String.format("/%s/%s", normalizePath(this.contextPath), normalizePath(this.properties.getLogoutUri())));
            if (StringUtils.isNotBlank(this.properties.getLogoutRedirectUri())) {
                try {
                    logoutConfigurer.logoutSuccessUrl(StringUtils.isBlank(new URI(this.properties.getLogoutRedirectUri()).getScheme()) ? String.format("/%s/%s", normalizePath(this.contextPath), normalizePath(this.properties.getLogoutRedirectUri())) : this.properties.getLogoutRedirectUri());
                } catch (URISyntaxException e) {
                    log.error("logout-redirect-uri: {} is a malformed URI", this.properties.getLogoutRedirectUri());
                }
            }
        }).apply(new DefaultLoginPageConfigurer());
        return httpSecurity;
    }

    private RestOperations jwkSetRestOperations(boolean z) {
        if (!z) {
            return new RestTemplate();
        }
        try {
            return new RestTemplate(new HttpComponentsClientHttpRequestFactory(HttpClients.custom().setSSLSocketFactory(new SSLConnectionSocketFactory(SSLContexts.custom().loadTrustMaterial((KeyStore) null, TrustAllStrategy.INSTANCE).build())).build()));
        } catch (KeyManagementException | KeyStoreException | NoSuchAlgorithmException e) {
            throw new OAuth2ConfigurationException(BirchErrorCode.B43010, e);
        }
    }

    public static String normalizePath(String str) {
        if (StringUtils.isBlank(str)) {
            return null;
        }
        Matcher matcher = contextPathPattern.matcher(StringUtils.stripEnd(str.strip().replaceAll("(\\s*/\\s*\\s*)+", "/"), "/"));
        if (matcher.matches()) {
            return matcher.group(1);
        }
        return null;
    }

    public OAuth2SecurityFilterChain(BirchProperties.IdPRealm idPRealm, Set<String> set) {
        this.properties = idPRealm;
        this.unsecureContextPaths = set;
    }
}
