package com.vaadin.controlcenter.starter.idm;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.vaadin.flow.spring.security.AuthenticationContext;
import com.vaadin.flow.spring.security.RequestUtil;
import com.vaadin.flow.spring.security.UidlRedirectStrategy;
import com.vaadin.flow.spring.security.VaadinWebSecurity;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Stream;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer;
import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer;
import org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer;
import org.springframework.security.config.annotation.web.configurers.oauth2.client.OidcLogoutConfigurer;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

@EnableConfigurationProperties({IdentityManagementProperties.class})
@AutoConfiguration
@EnableWebSecurity
@ConditionalOnMissingBean({IdentityManagementConfiguration.class})
/* loaded from: input_file:com/vaadin/controlcenter/starter/idm/IdentityManagementConfiguration.class */
public class IdentityManagementConfiguration extends VaadinWebSecurity {
    private static final String BACK_CHANNEL_LOGOUT_URI = "{baseScheme}://{baseHost}{basePort}/logout";
    private static final String REALM_ACCESS_CLAIM = "realm_access";
    private static final String RESOURCE_ACCESS_CLAIM = "resource_access";
    private static final String ROLES_CLAIM = "roles";
    private static final String ROLE_PREFIX = "ROLE_";
    private static final String SCOPE_PREFIX = "SCOPE_";
    private static final ObjectMapper MAPPER = new ObjectMapper();
    private IdentityManagementProperties properties;
    private ClientRegistrationRepository clientRegistrationRepository;
    private OAuth2AuthorizedClientService oAuth2AuthorizedClientService;
    private RequestUtil requestUtil;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/vaadin/controlcenter/starter/idm/IdentityManagementConfiguration$KeycloakClientRole.class */
    public static class KeycloakClientRole implements GrantedAuthority {
        private final String client;
        private final String role;

        public KeycloakClientRole(String str, String str2) {
            Assert.hasText(str, "Client must not be empty");
            Assert.hasText(str2, "Role must not be empty");
            this.client = str;
            this.role = str2;
        }

        public String getClient() {
            return this.client;
        }

        public String getRole() {
            return this.role;
        }

        public String getAuthority() {
            return "ROLE_" + this.role;
        }

        public int hashCode() {
            return Objects.hash(this.client, this.role);
        }

        public boolean equals(Object obj) {
            if (!(obj instanceof KeycloakClientRole)) {
                return false;
            }
            KeycloakClientRole keycloakClientRole = (KeycloakClientRole) obj;
            return Objects.equals(this.client, keycloakClientRole.client) && Objects.equals(this.role, keycloakClientRole.role);
        }
    }

    /* loaded from: input_file:com/vaadin/controlcenter/starter/idm/IdentityManagementConfiguration$KeycloakRealmRole.class */
    static class KeycloakRealmRole implements GrantedAuthority {
        private final String role;

        public KeycloakRealmRole(String str) {
            Assert.hasText(str, "Role must not be empty");
            this.role = str;
        }

        public String getRole() {
            return this.role;
        }

        public String getAuthority() {
            return "ROLE_" + this.role;
        }

        public int hashCode() {
            return Objects.hash(this.role);
        }

        public boolean equals(Object obj) {
            if (obj instanceof KeycloakRealmRole) {
                return Objects.equals(this.role, ((KeycloakRealmRole) obj).role);
            }
            return false;
        }
    }

    @Autowired
    void setProperties(IdentityManagementProperties identityManagementProperties) {
        this.properties = identityManagementProperties;
    }

    @Autowired
    void setClientRegistrationRepository(ClientRegistrationRepository clientRegistrationRepository) {
        this.clientRegistrationRepository = clientRegistrationRepository;
    }

    @Autowired
    void setOAuth2AuthorizedClientService(OAuth2AuthorizedClientService oAuth2AuthorizedClientService) {
        this.oAuth2AuthorizedClientService = oAuth2AuthorizedClientService;
    }

    @Autowired
    void setRequestUtil(RequestUtil requestUtil) {
        this.requestUtil = requestUtil;
    }

    @RefreshScope
    @Bean(name = {"VaadinSecurityFilterChainBean"})
    public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
        return super.filterChain(httpSecurity);
    }

    @RefreshScope
    @Bean(name = {"VaadinWebSecurityCustomizerBean"})
    public WebSecurityCustomizer webSecurityCustomizer() {
        return super.webSecurityCustomizer();
    }

    @RefreshScope
    @Bean(name = {"VaadinAuthenticationContext"})
    public AuthenticationContext getAuthenticationContext() {
        return super.getAuthenticationContext();
    }

    protected void configure(HttpSecurity httpSecurity) throws Exception {
        if (!this.properties.isEnabled()) {
            withIdentityManagementDisabled(httpSecurity);
        } else {
            withIdentityManagementEnabled(httpSecurity);
            super.configure(httpSecurity);
        }
    }

    protected void withIdentityManagementEnabled(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.addFilterBefore(new RefreshTokenFilter(this.oAuth2AuthorizedClientService), AnonymousAuthenticationFilter.class);
        httpSecurity.authorizeHttpRequests(this::requestWhitelist);
        httpSecurity.oauth2Login(this::configureOidcLogin);
        setOAuth2LoginPage(httpSecurity, this.properties.getLoginRoute());
        httpSecurity.oidcLogout(this::configureOidcLogout);
        httpSecurity.logout(this::configureLogout);
    }

    protected void withIdentityManagementDisabled(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.csrf(this::ignoreInternalRequests);
        httpSecurity.authorizeHttpRequests(this::authorizeAnyRequest);
    }

    protected void requestWhitelist(AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry authorizationManagerRequestMatcherRegistry) {
        ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) authorizationManagerRequestMatcherRegistry.requestMatchers(new String[]{"/actuator/**"})).permitAll();
    }

    protected void ignoreInternalRequests(CsrfConfigurer<HttpSecurity> csrfConfigurer) {
        RequestUtil requestUtil = this.requestUtil;
        Objects.requireNonNull(requestUtil);
        csrfConfigurer.ignoringRequestMatchers(new RequestMatcher[]{requestUtil::isFrameworkInternalRequest});
    }

    private void configureOidcLogin(OAuth2LoginConfigurer<HttpSecurity> oAuth2LoginConfigurer) {
        oAuth2LoginConfigurer.defaultSuccessUrl(this.properties.getLoginSuccessRoute());
        oAuth2LoginConfigurer.userInfoEndpoint(userInfoEndpointConfig -> {
            OidcUserService oidcUserService = new OidcUserService();
            oidcUserService.setOidcUserMapper(this::keycloakUserMapper);
            userInfoEndpointConfig.oidcUserService(oidcUserService);
        });
    }

    private void configureOidcLogout(OidcLogoutConfigurer<HttpSecurity> oidcLogoutConfigurer) {
        oidcLogoutConfigurer.backChannel(backChannelLogoutConfigurer -> {
            backChannelLogoutConfigurer.logoutUri(BACK_CHANNEL_LOGOUT_URI);
        });
    }

    private void configureLogout(LogoutConfigurer<HttpSecurity> logoutConfigurer) {
        OidcClientInitiatedLogoutSuccessHandler oidcClientInitiatedLogoutSuccessHandler = new OidcClientInitiatedLogoutSuccessHandler(this.clientRegistrationRepository);
        oidcClientInitiatedLogoutSuccessHandler.setPostLogoutRedirectUri(this.properties.getLogoutSuccessRoute());
        oidcClientInitiatedLogoutSuccessHandler.setRedirectStrategy(new UidlRedirectStrategy());
        logoutConfigurer.logoutSuccessHandler(oidcClientInitiatedLogoutSuccessHandler);
    }

    private void authorizeAnyRequest(AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry authorizationManagerRequestMatcherRegistry) {
        ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) authorizationManagerRequestMatcherRegistry.anyRequest()).permitAll();
    }

    private OidcUser keycloakUserMapper(OidcUserRequest oidcUserRequest, OidcUserInfo oidcUserInfo) {
        LinkedHashSet linkedHashSet = new LinkedHashSet();
        linkedHashSet.add(new OidcUserAuthority(oidcUserRequest.getIdToken(), oidcUserInfo));
        OAuth2AccessToken accessToken = oidcUserRequest.getAccessToken();
        Iterator it = accessToken.getScopes().iterator();
        while (it.hasNext()) {
            linkedHashSet.add(new SimpleGrantedAuthority("SCOPE_" + ((String) it.next())));
        }
        ClientRegistration clientRegistration = oidcUserRequest.getClientRegistration();
        String issuerUri = clientRegistration.getProviderDetails().getIssuerUri();
        NimbusJwtDecoder build = NimbusJwtDecoder.withJwkSetUri(clientRegistration.getProviderDetails().getJwkSetUri()).build();
        build.setJwtValidator(JwtValidators.createDefaultWithIssuer(issuerUri));
        Jwt decode = build.decode(accessToken.getTokenValue());
        if (decode.hasClaim(REALM_ACCESS_CLAIM)) {
            Stream stream = ((List) ((Map) MAPPER.convertValue(decode.getClaimAsMap(REALM_ACCESS_CLAIM), new TypeReference<Map<String, List<String>>>() { // from class: com.vaadin.controlcenter.starter.idm.IdentityManagementConfiguration.1
            })).getOrDefault(ROLES_CLAIM, List.of())).stream();
            Class<String> cls = String.class;
            Objects.requireNonNull(String.class);
            Stream map = stream.map((v1) -> {
                return r1.cast(v1);
            }).map(KeycloakRealmRole::new);
            Objects.requireNonNull(linkedHashSet);
            map.forEach((v1) -> {
                r1.add(v1);
            });
        }
        if (decode.hasClaim(RESOURCE_ACCESS_CLAIM)) {
            Map map2 = (Map) MAPPER.convertValue(decode.getClaimAsMap(RESOURCE_ACCESS_CLAIM), new TypeReference<Map<String, Map<String, List<String>>>>() { // from class: com.vaadin.controlcenter.starter.idm.IdentityManagementConfiguration.2
            });
            String clientId = clientRegistration.getClientId();
            Stream stream2 = ((List) ((Map) map2.getOrDefault(clientId, Map.of())).getOrDefault(ROLES_CLAIM, List.of())).stream();
            Class<String> cls2 = String.class;
            Objects.requireNonNull(String.class);
            Stream map3 = stream2.map((v1) -> {
                return r1.cast(v1);
            }).map(str -> {
                return new KeycloakClientRole(clientId, str);
            });
            Objects.requireNonNull(linkedHashSet);
            map3.forEach((v1) -> {
                r1.add(v1);
            });
        }
        String userNameAttributeName = oidcUserRequest.getClientRegistration().getProviderDetails().getUserInfoEndpoint().getUserNameAttributeName();
        return StringUtils.hasText(userNameAttributeName) ? new DefaultOidcUser(linkedHashSet, oidcUserRequest.getIdToken(), oidcUserInfo, userNameAttributeName) : new DefaultOidcUser(linkedHashSet, oidcUserRequest.getIdToken(), oidcUserInfo);
    }
}
