package no.fintlabs.core.consumer.shared.config;

import no.fintlabs.core.consumer.shared.ConsumerProps;
import no.vigoiks.resourceserver.security.FintJwtCoreConverter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authorization.AuthorizationContext;
import reactor.core.publisher.Mono;

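/**
 * WebFlux security configuration for a consumer service.
 *
 * <p>Requests are authenticated as an OAuth2 resource server using bearer JWTs, and every
 * path is authorized by {@link #hasRequiredOrgIdAndRole}: the caller must hold both the
 * client role for this consumer's domain/package and the authority for this consumer's
 * organisation id.
 */
@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {
    // Source of the domain name, package name and org id that the expected authorities are built from.
    private final ConsumerProps consumerProps;

    /**
     * @param consumerProps consumer settings used to derive the required role and org-id authorities
     */
    public SecurityConfig(ConsumerProps consumerProps) {
        this.consumerProps = consumerProps;
    }

    /**
     * Builds the reactive security filter chain.
     *
     * <p>The {@code /**} matcher is registered first and is decided by
     * {@link #hasRequiredOrgIdAndRole}; {@code anyExchange().authenticated()} is kept as the
     * trailing rule for any exchange not decided by the first rule.
     *
     * @param serverHttpSecurity the builder supplied by Spring Security
     * @return the configured filter chain
     */
    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity serverHttpSecurity) {
        serverHttpSecurity
                .authorizeExchange(exchanges -> exchanges
                        .pathMatchers("/**").access(this::hasRequiredOrgIdAndRole)
                        .anyExchange().authenticated())
                // NOTE(review): FintJwtCoreConverter presumably maps token claims to the
                // ROLE_* / ORGID_* authorities checked below; confirm against that class.
                .oauth2ResourceServer(resourceServer -> resourceServer
                        .jwt().jwtAuthenticationConverter(new FintJwtCoreConverter()));
        return serverHttpSecurity.build();
    }

    /**
     * Grants access only when the caller is authenticated and holds both required authorities:
     * {@code ROLE_FINT_Client_<domain>_<package>} and {@code ORGID_<orgId>}.
     *
     * @param mono the current authentication, possibly empty
     * @param authorizationContext the exchange being authorized (not consulted)
     * @return a granted decision when both authorities are present, otherwise a denied decision
     */
    private Mono<AuthorizationDecision> hasRequiredOrgIdAndRole(Mono<Authentication> mono, AuthorizationContext authorizationContext) {
        // NOTE(review): if getDomainName(), getPackageName() or getOrgId() can return null, the
        // expected values contain the literal text "null" (e.g. "ORGID_null"). Confirm that
        // ConsumerProps rejects missing values at startup so a misconfigured instance cannot
        // be matched by a token carrying such an authority.
        String requiredRole = String.format("ROLE_FINT_Client_%s_%s", this.consumerProps.getDomainName(), this.consumerProps.getPackageName());
        String requiredOrgId = "ORGID_" + this.consumerProps.getOrgId();
        return mono
                // Authorities on a token that is not marked authenticated must not count.
                .filter(Authentication::isAuthenticated)
                .map(authentication -> {
                    // Compare from the expected value: getAuthority() may return null, and
                    // calling equals() on it would throw instead of denying.
                    boolean hasRole = authentication.getAuthorities().stream()
                            .anyMatch(authority -> requiredRole.equals(authority.getAuthority()));
                    boolean hasOrgId = authentication.getAuthorities().stream()
                            .anyMatch(authority -> requiredOrgId.equals(authority.getAuthority()));
                    return new AuthorizationDecision(hasRole && hasOrgId);
                })
                // Deny explicitly when there is no (authenticated) principal, so the outcome
                // does not depend on how the caller treats an empty result.
                .defaultIfEmpty(new AuthorizationDecision(false));
    }
}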
