package no.fintlabs.resourceserver.security;

import no.fintlabs.cache.FintCacheConfiguration;
import no.fintlabs.resourceserver.security.client.ClientJwtConverter;
import no.fintlabs.resourceserver.security.client.sourceapplication.SourceApplicationJwtConverter;
import no.fintlabs.resourceserver.security.properties.ApiSecurityProperties;
import no.fintlabs.resourceserver.security.properties.ExternalApiSecurityProperties;
import no.fintlabs.resourceserver.security.properties.InternalApiSecurityProperties;
import no.fintlabs.resourceserver.security.properties.InternalClientApiSecurityProperties;
import no.fintlabs.resourceserver.security.user.UserClaimFormattingService;
import no.fintlabs.resourceserver.security.user.UserJwtConverter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Import;
import org.springframework.core.annotation.Order;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher;
import reactor.core.publisher.Mono;

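/**
 * Reactive Spring Security configuration for the resource server.
 *
 * <p>Four {@link SecurityWebFilterChain} beans are registered. Spring evaluates them in
 * {@link Order} and the first chain whose path pattern matches the exchange handles it, so the
 * patterns run from most to least specific:
 * <ol>
 *   <li>{@code /api/intern/**} — user JWTs via {@link UserJwtConverter} (order 1)</li>
 *   <li>{@code /api/intern-klient/**} — client JWTs via {@link ClientJwtConverter} (order 2)</li>
 *   <li>{@code /api/**} — source-application JWTs via {@link SourceApplicationJwtConverter} (order 3)</li>
 *   <li>every other path — denied (order 4)</li>
 * </ol>
 *
 * <p>Each API chain is driven by its own {@link ApiSecurityProperties}: a disabled chain denies
 * every exchange under its pattern, a {@code permitAll} chain permits every exchange without
 * configuring bearer-token validation at all, and otherwise a validated JWT carrying one of the
 * configured permitted authorities is required. The last chain is the fail-closed default for
 * paths that no API chain claims.
 */
@EnableWebFluxSecurity
@EnableAutoConfiguration
@Import({FintCacheConfiguration.class})
/* loaded from: input_file:no/fintlabs/resourceserver/security/SecurityConfiguration.class */
public class SecurityConfiguration {
    private static final Logger log = LoggerFactory.getLogger(SecurityConfiguration.class);
    private final UserClaimFormattingService userClaimFormattingService;

    /**
     * @param userClaimFormattingService formatter handed to the {@link UserJwtConverter} of the
     *                                   internal API chain
     */
    public SecurityConfiguration(UserClaimFormattingService userClaimFormattingService) {
        this.userClaimFormattingService = userClaimFormattingService;
    }

    /** Properties bound from {@code fint.flyt.resource-server.security.api.internal}. */
    @ConfigurationProperties("fint.flyt.resource-server.security.api.internal")
    @Bean
    InternalApiSecurityProperties internalApiSecurityProperties() {
        return new InternalApiSecurityProperties();
    }

    /** Properties bound from {@code fint.flyt.resource-server.security.api.internal-client}. */
    @ConfigurationProperties("fint.flyt.resource-server.security.api.internal-client")
    @Bean
    InternalClientApiSecurityProperties internalClientApiSecurityProperties() {
        return new InternalClientApiSecurityProperties();
    }

    /** Properties bound from {@code fint.flyt.resource-server.security.api.external}. */
    @ConfigurationProperties("fint.flyt.resource-server.security.api.external")
    @Bean
    ExternalApiSecurityProperties externalApiSecurityProperties() {
        return new ExternalApiSecurityProperties();
    }

    /**
     * Chain for {@code /api/intern/**}: user JWTs converted with a {@link UserJwtConverter}.
     * Ordered first so that it is not shadowed by the broader {@code /api/**} chain.
     */
    @Order(1)
    @Bean
    SecurityWebFilterChain internalApiFilterChain(ServerHttpSecurity serverHttpSecurity, InternalApiSecurityProperties internalApiSecurityProperties) {
        log.debug("Internal API Security Properties: {}", internalApiSecurityProperties.getPermittedAuthorities());
        return createFilterChain(
                serverHttpSecurity,
                "/api/intern/**",
                new UserJwtConverter(internalApiSecurityProperties, this.userClaimFormattingService),
                internalApiSecurityProperties
        );
    }

    /** Chain for {@code /api/intern-klient/**}: client JWTs converted with the injected {@link ClientJwtConverter}. */
    @Order(2)
    @Bean
    SecurityWebFilterChain internalClientApiFilterChain(ServerHttpSecurity serverHttpSecurity, InternalClientApiSecurityProperties internalClientApiSecurityProperties, ClientJwtConverter clientJwtConverter) {
        return createFilterChain(serverHttpSecurity, "/api/intern-klient/**", clientJwtConverter, internalClientApiSecurityProperties);
    }

    /**
     * Chain for {@code /api/**}: source-application JWTs converted with the injected
     * {@link SourceApplicationJwtConverter}. Ordered after the two narrower {@code /api/...} chains.
     */
    @Order(3)
    @Bean
    SecurityWebFilterChain externalApiFilterChain(ServerHttpSecurity serverHttpSecurity, ExternalApiSecurityProperties externalApiSecurityProperties, SourceApplicationJwtConverter sourceApplicationJwtConverter) {
        return createFilterChain(serverHttpSecurity, "/api/**", sourceApplicationJwtConverter, externalApiSecurityProperties);
    }

    /**
     * Catch-all chain: denies every exchange that none of the API chains claimed, so an
     * unanticipated path is never served unauthenticated. The log filter is still installed so
     * that such requests show up in the authorization log.
     */
    @Order(4)
    @Bean
    SecurityWebFilterChain globalFilterChain(ServerHttpSecurity serverHttpSecurity) {
        serverHttpSecurity.addFilterBefore(new AuthorizationLogFilter(), SecurityWebFiltersOrder.AUTHENTICATION);
        return denyAll(serverHttpSecurity);
    }

    /**
     * Builds one path-scoped filter chain from its security properties.
     *
     * <p>Decision order: {@code enabled=false} denies every exchange under the pattern;
     * {@code permitAll=true} permits every exchange without configuring bearer-token validation
     * (logged at WARN because it removes authentication for the whole pattern); otherwise the JWT is
     * decoded, turned into an authentication with {@code converter}, and the exchange must hold at
     * least one of the permitted authorities.
     *
     * @param serverHttpSecurity    the builder injected for this chain
     * @param pathPattern           the path pattern this chain claims
     * @param converter             converts a validated {@link Jwt} into an authentication token
     * @param apiSecurityProperties enabled / permit-all / permitted-authorities switches for the chain
     * @return the built chain
     */
    private SecurityWebFilterChain createFilterChain(
            ServerHttpSecurity serverHttpSecurity,
            String pathPattern,
            Converter<Jwt, Mono<AbstractAuthenticationToken>> converter,
            ApiSecurityProperties apiSecurityProperties
    ) {
        // The log filter runs before authentication so denied and permitted exchanges alike are logged.
        serverHttpSecurity
                .securityMatcher(new PathPatternParserServerWebExchangeMatcher(pathPattern))
                .addFilterBefore(new AuthorizationLogFilter(), SecurityWebFiltersOrder.AUTHENTICATION);

        if (!apiSecurityProperties.isEnabled()) {
            log.debug("Security filter chain for '{}' is disabled; denying all exchanges", pathPattern);
            return denyAll(serverHttpSecurity);
        }
        if (apiSecurityProperties.isPermitAll()) {
            // Visible at default log level: this setting disables authentication for the pattern.
            log.warn("Security filter chain for '{}' is configured with permitAll; no authentication is required", pathPattern);
            return permitAll(serverHttpSecurity);
        }

        log.debug("Security filter chain for '{}' requires any of the permitted authorities {}",
                pathPattern, apiSecurityProperties.getPermittedAuthorities());
        return serverHttpSecurity
                .oauth2ResourceServer(spec -> spec.jwt().jwtAuthenticationConverter(converter))
                .authorizeExchange()
                .anyExchange().hasAnyAuthority(apiSecurityProperties.getPermittedAuthorities())
                .and()
                .build();
    }

    /** Finishes the builder so that every exchange it matches is permitted. */
    private SecurityWebFilterChain permitAll(ServerHttpSecurity serverHttpSecurity) {
        return serverHttpSecurity.authorizeExchange().anyExchange().permitAll().and().build();
    }

    /** Finishes the builder so that every exchange it matches is denied. */
    private SecurityWebFilterChain denyAll(ServerHttpSecurity serverHttpSecurity) {
        return serverHttpSecurity.authorizeExchange().anyExchange().denyAll().and().build();
    }
}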
