package no.fintlabs.resourceserver.security;

import java.util.List;
import java.util.Objects;
import no.fintlabs.resourceserver.security.client.ClientAuthorizationUtil;
import no.fintlabs.resourceserver.security.client.ClientJwtConverter;
import no.fintlabs.resourceserver.security.properties.ExternalApiSecurityProperties;
import no.fintlabs.resourceserver.security.properties.InternalApiSecurityProperties;
import no.vigoiks.resourceserver.security.FintJwtUserConverter;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher;

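/**
 * WebFlux security configuration that registers three ordered filter chains.
 *
 * <ol>
 *   <li>{@code @Order(1)}: the internal API under {@code /api/intern/**}, authorized per
 *       organisation id.</li>
 *   <li>{@code @Order(2)}: the external API under {@code /api/**}, authorized per client id.</li>
 *   <li>{@code @Order(3)}: a catch-all chain that denies every remaining exchange.</li>
 * </ol>
 *
 * <p>The order is security-relevant. The external pattern {@code /api/**} also matches the
 * internal paths, and Spring Security applies the first chain whose matcher accepts the
 * exchange. The internal chain must therefore keep the lower order value, otherwise internal
 * endpoints would be evaluated against the external client-id rules.
 *
 * <p>A disabled API gets a deny-all chain for its own path pattern, so its requests are rejected
 * there and never reach a later chain.
 */
@EnableWebFluxSecurity
@EnableAutoConfiguration
public class SecurityConfiguration {
    private final ClientJwtConverter clientJwtConverter;

    /**
     * @param clientJwtConverter converter used by the external API chain to turn a validated JWT
     *     into an authentication carrying the client's authorities
     */
    public SecurityConfiguration(ClientJwtConverter clientJwtConverter) {
        this.clientJwtConverter = clientJwtConverter;
    }

    /**
     * Binds the {@code fint.flyt.resource-server.security.api.internal} properties.
     *
     * @return the properties object populated by Spring Boot
     */
    @ConfigurationProperties("fint.flyt.resource-server.security.api.internal")
    @Bean
    InternalApiSecurityProperties internalApiSecurityProperties() {
        return new InternalApiSecurityProperties();
    }

    /**
     * Binds the {@code fint.flyt.resource-server.security.api.external} properties.
     *
     * @return the properties object populated by Spring Boot
     */
    @ConfigurationProperties("fint.flyt.resource-server.security.api.external")
    @Bean
    ExternalApiSecurityProperties externalApiSecurityProperties() {
        return new ExternalApiSecurityProperties();
    }

    /**
     * Builds the chain guarding {@code /api/intern/**}.
     *
     * <p>Behaviour depends on configuration:
     * <ul>
     *   <li>not enabled: every exchange on the internal paths is denied;</li>
     *   <li>enabled with permit-all: every exchange is allowed and no resource server is
     *       configured, so bearer tokens are not validated at all;</li>
     *   <li>otherwise: a JWT is required and the caller needs one of the {@code ORGID_<id>}
     *       authorities derived from the configured organisation ids.</li>
     * </ul>
     *
     * @param internalApiSecurityProperties internal API settings
     * @param serverHttpSecurity builder for this chain
     * @return the internal API filter chain
     * @throws NullPointerException if the chain needs authorities but the authorized
     *     organisation id list is {@code null}
     */
    @Order(1)
    @Bean
    SecurityWebFilterChain internalApiFilterChain(InternalApiSecurityProperties internalApiSecurityProperties, ServerHttpSecurity serverHttpSecurity) {
        // NOTE(review): the log filter runs before authentication, so it sees the raw request.
        // Confirm that AuthorizationLogFilter never writes bearer tokens to the log.
        serverHttpSecurity
                .securityMatcher(new PathPatternParserServerWebExchangeMatcher("/api/intern/**"))
                .addFilterBefore(new AuthorizationLogFilter(), SecurityWebFiltersOrder.AUTHENTICATION);

        if (!internalApiSecurityProperties.isEnabled()) {
            // Fail closed: a disabled internal API still claims its paths and rejects them.
            return denyAll(serverHttpSecurity);
        }
        if (internalApiSecurityProperties.isPermitAll()) {
            // Unauthenticated access to the internal API; only appropriate where another layer
            // already restricts who can reach these paths.
            return permitAll(serverHttpSecurity);
        }

        // Resolve the authorities before touching the builder so that a missing list fails
        // before any resource-server configuration is applied.
        // NOTE(review): an empty list yields no authorities, which presumably rejects every
        // caller; confirm against the Spring Security version in use.
        String[] orgAuthorities =
                mapToAuthoritiesArray("ORGID_", internalApiSecurityProperties.getAuthorizedOrgIds());
        return serverHttpSecurity
                .oauth2ResourceServer(oauth2 -> oauth2.jwt().jwtAuthenticationConverter(new FintJwtUserConverter()))
                .authorizeExchange()
                .anyExchange()
                .hasAnyAuthority(orgAuthorities)
                .and()
                .build();
    }

    /**
     * Builds the chain guarding {@code /api/**}.
     *
     * <p>Mirrors the internal chain: denied when not enabled, open when permit-all is set, and
     * otherwise restricted to JWTs whose authorities (as produced by the injected
     * {@link ClientJwtConverter}) include one of the configured client ids prefixed with
     * {@link ClientAuthorizationUtil#SOURCE_APPLICATION_ID_PREFIX}.
     *
     * @param externalApiSecurityProperties external API settings
     * @param serverHttpSecurity builder for this chain
     * @return the external API filter chain
     * @throws NullPointerException if the chain needs authorities but the authorized client id
     *     list is {@code null}
     */
    @Order(2)
    @Bean
    SecurityWebFilterChain externalApiFilterChain(ExternalApiSecurityProperties externalApiSecurityProperties, ServerHttpSecurity serverHttpSecurity) {
        // NOTE(review): same caveat as the internal chain; confirm the log filter does not
        // record bearer tokens.
        serverHttpSecurity
                .securityMatcher(new PathPatternParserServerWebExchangeMatcher("/api/**"))
                .addFilterBefore(new AuthorizationLogFilter(), SecurityWebFiltersOrder.AUTHENTICATION);

        if (!externalApiSecurityProperties.isEnabled()) {
            // Fail closed for the whole external path space.
            return denyAll(serverHttpSecurity);
        }
        if (externalApiSecurityProperties.isPermitAll()) {
            // No resource server is configured on this branch: tokens are not validated.
            return permitAll(serverHttpSecurity);
        }

        String[] clientAuthorities = mapToAuthoritiesArray(
                ClientAuthorizationUtil.SOURCE_APPLICATION_ID_PREFIX,
                externalApiSecurityProperties.getAuthorizedClientIds());
        return serverHttpSecurity
                .oauth2ResourceServer(oauth2 -> oauth2.jwt().jwtAuthenticationConverter(this.clientJwtConverter))
                .authorizeExchange()
                .anyExchange()
                .hasAnyAuthority(clientAuthorities)
                .and()
                .build();
    }

    /**
     * Builds the lowest-priority chain. It has no security matcher, so it applies to every
     * exchange that neither API chain claimed, and it denies all of them.
     *
     * @param serverHttpSecurity builder for this chain
     * @return the deny-all fallback chain
     */
    @Order(3)
    @Bean
    SecurityWebFilterChain globalFilterChain(ServerHttpSecurity serverHttpSecurity) {
        serverHttpSecurity.addFilterBefore(new AuthorizationLogFilter(), SecurityWebFiltersOrder.AUTHENTICATION);
        return denyAll(serverHttpSecurity);
    }

    /** Finishes the given builder with a rule that allows every exchange. */
    private SecurityWebFilterChain permitAll(ServerHttpSecurity serverHttpSecurity) {
        return serverHttpSecurity.authorizeExchange().anyExchange().permitAll().and().build();
    }

    /** Finishes the given builder with a rule that rejects every exchange. */
    private SecurityWebFilterChain denyAll(ServerHttpSecurity serverHttpSecurity) {
        return serverHttpSecurity.authorizeExchange().anyExchange().denyAll().and().build();
    }

    /**
     * Prepends {@code prefix} to each id, producing the authority names handed to
     * {@code hasAnyAuthority}.
     *
     * @param prefix authority prefix such as {@code ORGID_}
     * @param ids configured ids; must not be {@code null}
     * @return one authority string per id, in list order
     * @throws NullPointerException if {@code ids} is {@code null}, with a message naming the
     *     prefix so the missing configuration can be identified
     */
    private String[] mapToAuthoritiesArray(String prefix, List<String> ids) {
        Objects.requireNonNull(
                ids, "authorized id list for authority prefix '" + prefix + "' is not configured");
        return ids.stream().map(id -> prefix + id).toArray(String[]::new);
    }
}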
