package io.hawt.example.spring.boot;

import io.hawt.springboot.EndpointPathResolver;
import io.hawt.web.auth.AuthenticationConfiguration;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.function.Supplier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
import org.springframework.security.web.reactive.result.view.CsrfRequestDataValueProcessor;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;

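/**
 * Spring Security configuration for the Hawtio example application using OAuth2/OIDC login.
 *
 * <p>Everything except the static asset folders ({@code css}, {@code fonts}, {@code img})
 * under the resolved Hawtio path requires an authenticated session. CSRF protection is
 * configured for a single-page application: the token is published in a cookie that
 * JavaScript can read and is expected back in a request header.
 *
 * <p>NOTE(review): this listing is decompiler output. Two constant references
 * ({@code AuthenticationConfiguration.DEFAULT_REALM} and
 * {@code CsrfRequestDataValueProcessor.DEFAULT_CSRF_ATTR_NAME}) may be string literals in the
 * original source that the decompiler matched to a constant with the same value; confirm
 * against the original before relying on their names.
 */
@Configuration
@EnableWebSecurity
public class KeycloakConfiguration {
    private final EndpointPathResolver endpointPath;

    /**
     * Forces the CSRF token to be loaded on every request so that the configured token
     * repository can publish it to the client.
     *
     * <p>This filter does not enforce CSRF protection itself; it only reads the token that an
     * earlier filter stored as a request attribute.
     */
    static class CsrfCookieFilter extends OncePerRequestFilter {
        CsrfCookieFilter() {
        }

        /**
         * Touches the CSRF token, if one is present, and continues the filter chain.
         *
         * @param request the current request
         * @param response the current response
         * @param filterChain the remaining filters
         * @throws ServletException if a downstream filter fails
         * @throws IOException if a downstream filter fails on I/O
         */
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
            Object csrfAttribute = request.getAttribute(CsrfRequestDataValueProcessor.DEFAULT_CSRF_ATTR_NAME);
            // The attribute is absent when no CSRF token was stored for this request. Skipping
            // the lookup then avoids a NullPointerException (and an opaque HTTP 500) on the
            // unguarded cast-and-dereference; no protection is lost because enforcement does
            // not happen in this filter.
            if (csrfAttribute instanceof CsrfToken) {
                // Only the side effect matters: calling getToken() resolves the token.
                ((CsrfToken) csrfAttribute).getToken();
            }
            filterChain.doFilter(request, response);
        }
    }

    /**
     * CSRF request handler for a single-page application.
     *
     * <p>Tokens are always exposed to the request through
     * {@link XorCsrfTokenRequestAttributeHandler}. When validating, a token sent in the CSRF
     * header is resolved by the plain {@link CsrfTokenRequestAttributeHandler} logic, and any
     * other submission is resolved by the XOR handler.
     *
     * <p>The decompiler reports that this class was package-private in the compiled artifact.
     */
    public static class SpaCsrfTokenRequestHandler extends CsrfTokenRequestAttributeHandler {
        private final CsrfTokenRequestHandler delegate = new XorCsrfTokenRequestAttributeHandler();

        SpaCsrfTokenRequestHandler() {
        }

        /**
         * Makes the CSRF token available to the request via the XOR handler.
         *
         * @param request the current request
         * @param response the current response
         * @param csrfToken supplier of the (possibly deferred) token
         */
        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response, Supplier<CsrfToken> csrfToken) {
            this.delegate.handle(request, response, csrfToken);
        }

        /**
         * Resolves the token value the client submitted.
         *
         * @param request the current request
         * @param csrfToken the expected token, used here for its header name
         * @return the submitted value as resolved by the plain handler when the CSRF header
         *     carries text, otherwise as resolved by the XOR handler
         */
        @Override
        public String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfToken) {
            // A non-blank header is taken as-is (presumably the value the SPA copied from the
            // cookie; confirm against the client). Anything else goes through the XOR
            // handler, which matches how handle() exposed the token to rendered content.
            if (StringUtils.hasText(request.getHeader(csrfToken.getHeaderName()))) {
                return super.resolveCsrfTokenValue(request, csrfToken);
            }
            return this.delegate.resolveCsrfTokenValue(request, csrfToken);
        }
    }

    /**
     * Creates the configuration.
     *
     * @param endpointPathResolver resolver used to compute the path prefix of the static
     *     assets that are served without authentication
     */
    public KeycloakConfiguration(EndpointPathResolver endpointPathResolver) {
        this.endpointPath = endpointPathResolver;
    }

    /**
     * Builds the application's security filter chain.
     *
     * <p>Security-relevant choices made here:
     * <ul>
     *   <li>Only {@code /css/**}, {@code /fonts/**} and {@code /img/**} under the resolved
     *       path are public; every other request must be authenticated. Keep this list
     *       limited to static assets.</li>
     *   <li>The CSRF cookie is created with {@code withHttpOnlyFalse()}, so script running in
     *       the page can read it. That is required for the SPA to echo the token in a header,
     *       and it means the token is only as well protected as the page is against script
     *       injection.</li>
     *   <li>{@link CsrfCookieFilter} is registered after {@link BasicAuthenticationFilter}.</li>
     * </ul>
     *
     * @param httpSecurity the builder supplied by Spring Security
     * @return the configured filter chain
     * @throws Exception if the chain cannot be built
     */
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
        String basePath = this.endpointPath.resolve(AuthenticationConfiguration.DEFAULT_REALM);
        httpSecurity
            .authorizeHttpRequests(requests -> requests
                .requestMatchers(AntPathRequestMatcher.antMatcher(basePath + "/css/**")).permitAll()
                .requestMatchers(AntPathRequestMatcher.antMatcher(basePath + "/fonts/**")).permitAll()
                .requestMatchers(AntPathRequestMatcher.antMatcher(basePath + "/img/**")).permitAll()
                .anyRequest().authenticated())
            .oauth2Client(Customizer.withDefaults())
            .oauth2Login(Customizer.withDefaults())
            .csrf(csrf -> csrf
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler()))
            .addFilterAfter(new CsrfCookieFilter(), BasicAuthenticationFilter.class);
        return httpSecurity.build();
    }
}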
