package com.vaadin.controlcenter.starter.security;

import com.vaadin.flow.spring.security.RequestUtil;
import com.vaadin.flow.spring.security.VaadinDefaultRequestCache;
import com.vaadin.flow.spring.security.VaadinWebSecurity;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer;
import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer;
import org.springframework.security.config.annotation.web.configurers.RequestCacheConfigurer;
import org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer;
import org.springframework.security.config.annotation.web.configurers.oauth2.client.OidcLogoutConfigurer;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.RequestMatcher;

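/**
 * Auto-configures the Control Center {@link SecurityFilterChain} on top of the Vaadin defaults.
 *
 * <p>When {@link ControlCenterSecurityProperties#isEnabled()} is {@code true}, the chain
 * requires OIDC login for everything except a short allow-list of paths (static resources and
 * {@code /actuator/**}) and wires both OIDC back-channel logout and RP-initiated logout.
 * When it is {@code false}, every request is permitted, CSRF checks are skipped only for
 * Vaadin's framework-internal requests, and the Vaadin defaults from
 * {@link VaadinWebSecurity#configure(HttpSecurity)} are not applied at all.
 *
 * <p>The filter chain and the client registration repository are {@link RefreshScope} beans,
 * so a configuration refresh rebuilds them from the updated properties.
 */
@EnableConfigurationProperties({ControlCenterSecurityProperties.class})
@AutoConfiguration
public class ControlCenterSecurity extends VaadinWebSecurity {

    /** Name under which the filter chain bean is registered. */
    private static final String FILTER_CHAIN_BEAN_NAME = "VaadinSecurityFilterChainBean";

    /**
     * Paths reachable without authentication while security is enabled.
     *
     * <p>NOTE(review): {@code /actuator/**} is fully unauthenticated through this chain, so what
     * is reachable is decided solely by which management endpoints are exposed elsewhere in the
     * configuration — keep that set minimal and confirm it against the deployment.
     */
    private static final String[] PUBLIC_PATHS = {
        "/styles/**", "/images/**", "/actuator/**", "/line-awesome/**"
    };

    private final ControlCenterSecurityProperties properties;
    private final ClientRegistrationRepository clientRegistrationRepository;
    private final RequestUtil requestUtil;
    private final VaadinDefaultRequestCache vaadinDefaultRequestCache;

    /**
     * Supplies the {@link ClientRegistrationRepository} for OIDC login, built from the Control
     * Center properties instead of the standard {@code spring.security.oauth2.client} settings.
     */
    @EnableConfigurationProperties({OAuth2ClientProperties.class})
    @Configuration
    static class ClientRegistrationRepositoryConfiguration {

        ClientRegistrationRepositoryConfiguration() {
        }

        /**
         * Creates a repository holding one registration named {@code oidc} discovered from the
         * configured issuer, or an empty repository when no issuer URI is configured.
         *
         * @param controlCenterSecurityProperties issuer location, client credentials and the
         *     issuer validation URI
         * @return a {@link DelegatingClientRegistrationRepository} wrapping an in-memory repository
         */
        @RefreshScope
        @Bean
        ClientRegistrationRepository clientRegistrationRepository(
                ControlCenterSecurityProperties controlCenterSecurityProperties) {
            Map<String, ClientRegistration> registrations = new HashMap<>();
            String issuerUri = controlCenterSecurityProperties.getIssuerUri();
            if (issuerUri != null) {
                // NOTE(review): the second argument is presumably the value the discovered
                // issuer is validated against — confirm in ClientRegistrations.
                ClientRegistration registration = ClientRegistrations
                        .fromOidcIssuerLocation(issuerUri, controlCenterSecurityProperties.getIssuerValidationUri())
                        .registrationId("oidc")
                        .clientId(controlCenterSecurityProperties.getClientId())
                        .clientSecret(controlCenterSecurityProperties.getClientSecret())
                        .scope("openid")
                        .build();
                registrations.put("oidc", registration);
            }
            return new DelegatingClientRegistrationRepository(
                    new InMemoryClientRegistrationRepository(registrations));
        }
    }

    /**
     * @param controlCenterSecurityProperties toggles security and supplies login/logout routes
     * @param clientRegistrationRepository registrations used for OIDC login and logout
     * @param requestUtil identifies Vaadin framework-internal requests
     * @param vaadinDefaultRequestCache request cache used when security is disabled
     * @throws NullPointerException if any argument is {@code null}
     */
    protected ControlCenterSecurity(ControlCenterSecurityProperties controlCenterSecurityProperties,
            ClientRegistrationRepository clientRegistrationRepository, RequestUtil requestUtil,
            VaadinDefaultRequestCache vaadinDefaultRequestCache) {
        this.properties = Objects.requireNonNull(controlCenterSecurityProperties,
                "controlCenterSecurityProperties");
        this.clientRegistrationRepository = Objects.requireNonNull(clientRegistrationRepository,
                "clientRegistrationRepository");
        this.requestUtil = Objects.requireNonNull(requestUtil, "requestUtil");
        this.vaadinDefaultRequestCache = Objects.requireNonNull(vaadinDefaultRequestCache,
                "vaadinDefaultRequestCache");
    }

    /**
     * Exposes the Vaadin filter chain as a refresh-scoped bean so it is rebuilt when the
     * security properties change.
     *
     * @param httpSecurity the builder to configure
     * @return the configured chain
     * @throws Exception propagated from {@link VaadinWebSecurity#filterChain(HttpSecurity)}
     */
    @Override
    @RefreshScope
    @Bean(name = {FILTER_CHAIN_BEAN_NAME})
    public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
        return super.filterChain(httpSecurity);
    }

    /**
     * Dispatches to the enabled or disabled configuration depending on
     * {@link ControlCenterSecurityProperties#isEnabled()}.
     *
     * @param httpSecurity the builder to configure
     * @throws Exception propagated from the selected configuration
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        if (properties.isEnabled()) {
            withSecurityEnabled(httpSecurity);
        } else {
            withSecurityDisabled(httpSecurity);
        }
    }

    /**
     * Configures OIDC login plus logout and then applies the Vaadin defaults.
     *
     * @param httpSecurity the builder to configure
     * @throws Exception propagated from {@link VaadinWebSecurity#configure(HttpSecurity)}
     */
    protected void withSecurityEnabled(HttpSecurity httpSecurity) throws Exception {
        // Registered before the Vaadin defaults so the allow-list is evaluated ahead of the
        // rules VaadinWebSecurity adds.
        httpSecurity.authorizeHttpRequests(this::requestWhitelist);
        httpSecurity.oauth2Login(this::configureOidcLogin);
        httpSecurity.oidcLogout(this::configureOidcLogout);
        httpSecurity.logout(this::configureLogout);
        super.configure(httpSecurity);
    }

    /**
     * Permits every request; CSRF protection stays on except for Vaadin framework-internal
     * requests. {@link VaadinWebSecurity#configure(HttpSecurity)} is deliberately not called here.
     *
     * <p>NOTE(review): in this mode no route of the application is authenticated; presumably
     * intended for deployments where access is controlled in front of the application — confirm.
     *
     * @param httpSecurity the builder to configure
     * @throws Exception propagated from the {@link HttpSecurity} configurers
     */
    protected void withSecurityDisabled(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.csrf(this::disableCsrf);
        httpSecurity.requestCache(this::useRequestCache);
        httpSecurity.authorizeHttpRequests(this::authorizeAnyRequest);
    }

    /** Marks {@link #PUBLIC_PATHS} as reachable without authentication. */
    private void requestWhitelist(
            AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry) {
        registry.requestMatchers(PUBLIC_PATHS).permitAll();
    }

    /** Points OIDC login at the configured login and post-login routes. */
    private void configureOidcLogin(OAuth2LoginConfigurer<HttpSecurity> oAuth2LoginConfigurer) {
        oAuth2LoginConfigurer.loginPage(properties.getLoginRoute());
        oAuth2LoginConfigurer.defaultSuccessUrl(properties.getLoginSuccessRoute());
    }

    /** Enables OIDC back-channel logout with Spring Security's defaults. */
    private void configureOidcLogout(OidcLogoutConfigurer<HttpSecurity> oidcLogoutConfigurer) {
        oidcLogoutConfigurer.backChannel(Customizer.withDefaults());
    }

    /** Propagates a local logout to the OIDC provider (RP-initiated logout). */
    private void configureLogout(LogoutConfigurer<HttpSecurity> logoutConfigurer) {
        logoutConfigurer.logoutSuccessHandler(
                new OidcClientInitiatedLogoutSuccessHandler(clientRegistrationRepository));
    }

    /**
     * Exempts Vaadin framework-internal requests from CSRF checks. Despite the name, CSRF
     * protection remains enabled for every other request.
     */
    private void disableCsrf(CsrfConfigurer<HttpSecurity> csrfConfigurer) {
        csrfConfigurer.ignoringRequestMatchers(requestUtil::isFrameworkInternalRequest);
    }

    /** Uses the Vaadin request cache so the originally requested view is restored. */
    private void useRequestCache(RequestCacheConfigurer<HttpSecurity> requestCacheConfigurer) {
        requestCacheConfigurer.requestCache(vaadinDefaultRequestCache);
    }

    /** Permits every request unconditionally. */
    private void authorizeAnyRequest(
            AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry) {
        registry.anyRequest().permitAll();
    }
}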
