package no.fintlabs.core.resource.server.security.config;

import java.util.Locale;
import java.util.Objects;
import no.fintlabs.core.resource.server.security.authentication.CorePrincipal;
import no.fintlabs.core.resource.server.security.converter.CorePrincipalConverter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authorization.AuthorizationContext;
import reactor.core.publisher.Mono;

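/**
 * Reactive (WebFlux) security configuration for the resource server.
 *
 * <p>When {@code FintSecurity#isEnabled()} is true, every exchange must carry a JWT that the
 * {@link CorePrincipalConverter} turns into a {@link CorePrincipal}; only the paths returned by
 * {@code fintSecurity.getOpenPaths()} bypass that requirement. Depending on the
 * {@code FintSecurity} flags the principal must additionally hold the component role, the
 * consumer's org id and the role-type scope. When security is disabled every exchange is permitted.
 */
@Configuration
@EnableWebFluxSecurity
public class SecurityConfiguration {
    private static final Logger log = LoggerFactory.getLogger(SecurityConfiguration.class);
    private final FintSecurity fintSecurity;
    private final SecurityConsumerConfig consumerConfig;

    /**
     * Creates the configuration.
     *
     * @param fintSecurity           feature flags, open paths and role type for this resource server
     * @param securityConsumerConfig the consumer's org id and component name
     * @throws NullPointerException if either argument is null
     */
    public SecurityConfiguration(FintSecurity fintSecurity, SecurityConsumerConfig securityConsumerConfig) {
        this.fintSecurity = Objects.requireNonNull(fintSecurity, "fintSecurity");
        this.consumerConfig = Objects.requireNonNull(securityConsumerConfig, "securityConsumerConfig");
    }

    /**
     * Builds the filter chain: JWT-protected when security is enabled, otherwise permit-all.
     *
     * @param serverHttpSecurity the builder supplied by Spring Security
     * @return the configured filter chain
     */
    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity serverHttpSecurity) {
        return fintSecurity.isEnabled() ? requireJwt(serverHttpSecurity) : permitAll(serverHttpSecurity);
    }

    /**
     * Configures JWT resource-server support, exempts the configured open paths and routes every
     * other exchange through {@link #checkCorePrincipalForAccess}.
     */
    private SecurityWebFilterChain requireJwt(ServerHttpSecurity serverHttpSecurity) {
        serverHttpSecurity
                .oauth2ResourceServer(resourceServer -> resourceServer.jwt(
                        jwt -> jwt.jwtAuthenticationConverter(new CorePrincipalConverter())))
                .authorizeExchange(exchanges -> {
                    // Open paths are served without any JWT; keep this list tight.
                    for (String openPath : fintSecurity.getOpenPaths()) {
                        exchanges.pathMatchers(openPath).permitAll();
                    }
                    exchanges.anyExchange().access(this::checkCorePrincipalForAccess);
                });
        return serverHttpSecurity.build();
    }

    /**
     * Authorization manager for protected exchanges.
     *
     * <p>An empty authentication (no usable JWT) yields an explicit deny instead of an empty
     * {@code Mono}, so the fail-closed outcome does not depend on how the caller treats emptiness.
     *
     * @param authentication the (possibly empty) authentication for the exchange
     * @param context        the exchange being authorized (unused)
     * @return a decision that is granted only for a {@link CorePrincipal} passing all enabled checks
     */
    private Mono<AuthorizationDecision> checkCorePrincipalForAccess(Mono<Authentication> authentication,
                                                                    AuthorizationContext context) {
        return authentication
                .map(this::decide)
                .defaultIfEmpty(new AuthorizationDecision(false));
    }

    /** Applies the component, org-id and scope checks that are switched on in {@code FintSecurity}. */
    private AuthorizationDecision decide(Authentication authentication) {
        if (!(authentication instanceof CorePrincipal)) {
            log.warn("Jwt is not a CorePrincipal! Denying Request!");
            return new AuthorizationDecision(false);
        }
        CorePrincipal corePrincipal = (CorePrincipal) authentication;
        // Each validator returns true when its check is disabled, so the conjunction covers the
        // "nothing required" case as well. Short-circuit means only the first failure is logged.
        boolean granted = validateComponent(corePrincipal, fintSecurity.isComponentRequired())
                && validateOrgId(corePrincipal, fintSecurity.isOrgIdRequired())
                && validateScope(corePrincipal, fintSecurity.isScopeRequired());
        return new AuthorizationDecision(granted);
    }

    /**
     * Logs a failed check at WARN level.
     *
     * @param username the principal's username
     * @param check    which check failed ("Scope", "Component" or "OrgId")
     * @param actual   what the principal carried (may be null)
     * @param expected the value the configuration demanded
     */
    private void logValidationFailure(String username, String check, Object actual, String expected) {
        log.warn("{}: {} Validation Failed! CorePrincipal value: {} compared to Security value: {}",
                username, check, String.valueOf(actual), expected);
    }

    /** True when the scope check is disabled or the principal holds the role-type scope. */
    private boolean validateScope(CorePrincipal corePrincipal, boolean required) {
        if (!required) {
            return true;
        }
        String expectedScope = getScope();
        if (corePrincipal.hasScope(expectedScope)) {
            return true;
        }
        logValidationFailure(corePrincipal.getUsername(), "Scope", corePrincipal.getScopes(), expectedScope);
        return false;
    }

    /** True when the component check is disabled or the principal holds the component role. */
    private boolean validateComponent(CorePrincipal corePrincipal, boolean required) {
        if (!required) {
            return true;
        }
        String expectedRole = getComponentRole();
        if (corePrincipal.hasRole(expectedRole)) {
            return true;
        }
        logValidationFailure(corePrincipal.getUsername(), "Component", corePrincipal.getRoles(), expectedRole);
        return false;
    }

    /** True when the org-id check is disabled or the principal's org id matches the consumer's. */
    private boolean validateOrgId(CorePrincipal corePrincipal, boolean required) {
        if (!required) {
            return true;
        }
        String expectedOrgId = consumerConfig.getOrgId();
        if (corePrincipal.hasMatchingOrgId(expectedOrgId)) {
            return true;
        }
        logValidationFailure(corePrincipal.getUsername(), "OrgId", corePrincipal.getOrgId(), expectedOrgId);
        return false;
    }

    /**
     * Scope name derived from the role type, e.g. {@code fint-<roletype>} (constructed example).
     * Lower-cased with {@link Locale#ROOT} so the comparison is not affected by the JVM's default
     * locale (the Turkish dotless-i problem would otherwise produce a scope that never matches).
     */
    private String getScope() {
        // NOTE(review): assumes getRoleType() is non-null — confirm against FintSecurity.
        return String.format("fint-%s", fintSecurity.getRoleType().toLowerCase(Locale.ROOT));
    }

    /** Role name derived from the role type and component, in the form {@code FINT_<roletype>_<component>}. */
    private String getComponentRole() {
        return String.format("FINT_%s_%s", fintSecurity.getRoleType(), consumerConfig.getComponent());
    }

    /** Filter chain used when security is disabled: every exchange is allowed through. */
    private SecurityWebFilterChain permitAll(ServerHttpSecurity serverHttpSecurity) {
        return permitAllExchanges(serverHttpSecurity).build();
    }

    private ServerHttpSecurity permitAllExchanges(ServerHttpSecurity serverHttpSecurity) {
        return serverHttpSecurity.authorizeExchange(exchanges -> exchanges.anyExchange().permitAll());
    }
}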
