package com.gitlab.credit_reference_platform.crp.gateway.security.configuration;

import com.gitlab.credit_reference_platform.crp.gateway.constants.GatewayURL;
import com.gitlab.credit_reference_platform.crp.gateway.customize.cub.security.configuration.SsoAuthenticationFailureHandler;
import com.gitlab.credit_reference_platform.crp.gateway.customize.cub.security.configuration.SsoAuthenticationProvider;
import com.gitlab.credit_reference_platform.crp.gateway.customize.cub.security.configuration.SsoLoginConfigurer;
import com.gitlab.credit_reference_platform.crp.gateway.encryption.utils.PasswordEncryptionUtils;
import com.gitlab.credit_reference_platform.crp.gateway.ldap.configuration.LdapConfigurationDelegate;
import com.gitlab.credit_reference_platform.crp.gateway.oauth2.service.IOAuth2Service;
import com.gitlab.credit_reference_platform.crp.gateway.portal.constant.PortalConstants;
import com.gitlab.credit_reference_platform.crp.gateway.security.authority.CRPGatewayGrantedAuthorities;
import com.gitlab.credit_reference_platform.crp.gateway.security.authority.CRPGatewayRoles;
import jakarta.annotation.Resource;
import jakarta.servlet.Filter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.util.StringUtils;

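/**
 * Spring Security wiring for the CRP gateway.
 *
 * <p>Builds the single {@link SecurityFilterChain} (custom pre-authentication filters, CSRF,
 * URL authorization rules, logout, and either SSO or form login) and registers the
 * {@link AuthenticationProvider} used by the global authentication manager.
 *
 * <p>Two login modes exist and are selected by {@link #isSsoLoginActive()}: CUB SSO, or
 * form login backed by LDAP when the delegate supplies a provider, otherwise by the injected
 * {@link UserDetailsService}.
 */
@DependsOn({"crpPropertiesService"})
@Configuration
@EnableWebSecurity
// NOTE(review): @EnableGlobalMethodSecurity is deprecated in Spring Security 6 in favour of
// @EnableMethodSecurity; left unchanged here because the migration needs its own testing.
@EnableGlobalMethodSecurity(prePostEnabled = true)
/* loaded from: input_file:BOOT-INF/classes/com/gitlab/credit_reference_platform/crp/gateway/security/configuration/SecurityConfiguration.class */
public class SecurityConfiguration {

    @Autowired
    private IOAuth2Service oAuth2Service;

    @Resource
    private UserDetailsService userDetailsService;

    @Autowired
    private PortalAuthenticationSuccessHandler portalAuthenticationSuccessHandler;

    @Autowired
    private PortalAuthenticationFailureHandler portalAuthenticationFailureHandler;

    @Autowired
    private SsoAuthenticationFailureHandler ssoAuthenticationFailureHandler;

    @Autowired
    private PortalLogoutSuccessHandler portalLogoutSuccessHandler;

    @Autowired
    private LdapConfigurationDelegate ldapConfigurationDelegate;

    // Optional bean: may be null when the SSO customization is not on the classpath/context.
    @Autowired(required = false)
    private SsoAuthenticationProvider ssoAuthenticationProvider;

    // Integration API key; a blank value means no ApiKeyAuthFilter is installed.
    // Secret material: must never be written to logs or error messages.
    @Value("${crp.gateway.integration.api_key:}")
    private String apiKey;

    // Comma-separated subnet list; a blank value means no PortalAccessFilter is installed.
    @Value("${crp.gateway.integration.whitelisted_subnets:}")
    private String whitelistedIpSubnets;

    @Value("${crp.gateway.customize.cub.sso.enabled:false}")
    private boolean cubSsoEnabled;

    @Value("${crp.gateway.customize.cub.sso.auth-url:}")
    private String cubSsoAuthUrl;

    /**
     * Assembles the gateway's security filter chain.
     *
     * <p>Authorization rules are matched in declaration order and the chain ends with
     * {@code anyRequest().denyAll()}, so every URL that must be reachable needs an explicit
     * rule above that line.
     *
     * @param httpSecurity the builder supplied by Spring Security
     * @return the built filter chain
     * @throws Exception if the underlying builder fails to configure or build
     */
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
        // Optional source-address filter; absent when no subnet list is configured.
        // NOTE(review): with no list configured the portal is presumably reachable from any
        // address — confirm that default is intended for production deployments.
        PortalAccessFilter accessFilter = portalAccessFilter();
        if (accessFilter != null) {
            httpSecurity.addFilterBefore((Filter) accessFilter, UsernamePasswordAuthenticationFilter.class);
        }

        // Optional API-key filter; absent when no key is configured.
        ApiKeyAuthFilter keyFilter = apiKeyAuthFilter();
        if (keyFilter != null) {
            httpSecurity.addFilterBefore((Filter) keyFilter, UsernamePasswordAuthenticationFilter.class);
        }

        // The OAuth2 filter is always installed.
        httpSecurity.addFilterBefore((Filter) new OAuth2AuthFilter(this.oAuth2Service), UsernamePasswordAuthenticationFilter.class);

        httpSecurity
                .csrf(csrf -> {
                    // CSRF stays enabled; PortalCsrfRequestMatcher decides which requests need a token.
                    csrf.requireCsrfProtectionMatcher(new PortalCsrfRequestMatcher());
                })
                .authorizeHttpRequests(registry -> {
                    registry
                            .requestMatchers(GatewayURL.HEALTH_URL).permitAll()
                            // NOTE(review): both change-password endpoints are reachable without a
                            // session. Their handlers are not visible here — confirm they verify the
                            // current credential and throttle repeated attempts.
                            .requestMatchers("/change-password", "/api/v1/user/change-password").permitAll()
                            .requestMatchers(GatewayURL.RESTART_URL)
                            .hasAnyAuthority(
                                    CRPGatewayGrantedAuthorities.API.getAuthority(),
                                    CRPGatewayRoles.SYSTEM_SERVICES.getAuthorityName())
                            .requestMatchers(GatewayURL.OAUTH_URL).permitAll()
                            .requestMatchers(GatewayURL.CRP_URLS)
                            .hasAuthority(CRPGatewayGrantedAuthorities.CRP.getAuthority())
                            .requestMatchers(GatewayURL.RESOURCES_URLS).permitAll()
                            .requestMatchers(GatewayURL.ERROR_URL).permitAll();
                })
                .logout(logout -> {
                    logout.logoutSuccessHandler(this.portalLogoutSuccessHandler);
                });

        if (isSsoLoginActive()) {
            httpSecurity.with(new SsoLoginConfigurer(), sso -> {
                sso.loginProcessingUrl("/login")
                        .successHandler(this.portalAuthenticationSuccessHandler)
                        .failureHandler(this.ssoAuthenticationFailureHandler);
            });
        } else {
            // Only the form-login branch opens PortalConstants.getPermitAllUrls().
            httpSecurity
                    .formLogin(form -> {
                        form.loginPage("/login")
                                .successHandler(this.portalAuthenticationSuccessHandler)
                                .failureHandler(this.portalAuthenticationFailureHandler);
                    })
                    .authorizeHttpRequests(registry -> {
                        registry.requestMatchers(PortalConstants.getPermitAllUrls()).permitAll();
                    });
        }

        httpSecurity.authorizeHttpRequests(registry -> {
            registry
                    .requestMatchers("/", GatewayURL.PORTAL_URL)
                    .hasAuthority(CRPGatewayGrantedAuthorities.USER.getAuthority())
                    .requestMatchers(GatewayURL.API_URL)
                    .hasAnyAuthority(
                            CRPGatewayGrantedAuthorities.USER.getAuthority(),
                            CRPGatewayGrantedAuthorities.API.getAuthority())
                    // Default deny: anything not matched by an earlier rule is rejected.
                    .anyRequest().denyAll();
        });
        return httpSecurity.build();
    }

    /**
     * Registers the authentication provider for the active login mode.
     *
     * <p>SSO mode uses the {@link SsoAuthenticationProvider}. Otherwise the LDAP provider from
     * {@link LdapConfigurationDelegate} is used when one is returned, and the injected
     * {@link UserDetailsService} with the encoder from {@link PasswordEncryptionUtils} when not.
     *
     * @param authenticationManagerBuilder the global builder supplied by Spring Security
     * @throws IllegalStateException if SSO is enabled but no SSO provider bean was injected
     * @throws Exception if the builder rejects the configuration
     */
    @Autowired
    public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        if (isSsoLoginActive()) {
            // The provider is injected with required = false, so it can be null here.
            // Fail at startup with a clear message instead of registering a null provider.
            if (this.ssoAuthenticationProvider == null) {
                throw new IllegalStateException(
                        "crp.gateway.customize.cub.sso.enabled is true but no SsoAuthenticationProvider bean is available");
            }
            authenticationManagerBuilder.authenticationProvider((AuthenticationProvider) this.ssoAuthenticationProvider);
            return;
        }
        AuthenticationProvider ldapAuthenticationProvider = this.ldapConfigurationDelegate.getLdapAuthenticationProvider();
        if (ldapAuthenticationProvider != null) {
            authenticationManagerBuilder.authenticationProvider(ldapAuthenticationProvider);
        } else {
            authenticationManagerBuilder.userDetailsService(this.userDetailsService).passwordEncoder(PasswordEncryptionUtils.getPasswordEncoder());
        }
    }

    /**
     * Reports whether CUB SSO login is in effect: the feature flag is on and an auth URL is set.
     * Shared by {@link #filterChain} and {@link #configure} so both always pick the same mode.
     */
    private boolean isSsoLoginActive() {
        return this.cubSsoEnabled && StringUtils.hasText(this.cubSsoAuthUrl);
    }

    /**
     * Creates the API-key filter, or returns {@code null} when no key is configured.
     */
    private ApiKeyAuthFilter apiKeyAuthFilter() {
        // NOTE(review): ApiKeyAuthFilter is not visible here — confirm it compares the presented
        // key in constant time (e.g. MessageDigest.isEqual) and never logs it.
        if (!StringUtils.hasText(this.apiKey)) {
            return null;
        }
        return new ApiKeyAuthFilter(this.apiKey);
    }

    /**
     * Creates the source-address filter from the comma-separated subnet list, or returns
     * {@code null} when the list is blank.
     */
    private PortalAccessFilter portalAccessFilter() {
        if (!StringUtils.hasText(this.whitelistedIpSubnets)) {
            return null;
        }
        String[] subnets = this.whitelistedIpSubnets.split(",");
        // Strip whitespace around each entry so a value written as "a, b" does not hand the
        // filter an entry with a leading space.
        for (int i = 0; i < subnets.length; i++) {
            subnets[i] = subnets[i].trim();
        }
        return new PortalAccessFilter(subnets);
    }
}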
