package org.bremersee.security.authentication;

import java.util.Objects;
import java.util.Optional;
import org.bremersee.core.OrderedProxy;
import org.bremersee.security.FrameOptionsMode;
import org.bremersee.security.authentication.AuthProperties;
import org.bremersee.web.CorsProperties;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.core.env.Environment;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.UserDetailsRepositoryReactiveAuthenticationManager;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.header.XFrameOptionsServerHttpHeadersWriter;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
import org.springframework.util.Assert;
import org.springframework.util.ClassUtils;
import org.springframework.util.StringUtils;

/* loaded from: input_file:org/bremersee/security/authentication/AbstractReactiveResourceServerAutoConfiguration.class */
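/**
 * Base class for the reactive resource-server security auto-configuration.
 *
 * <p>Produces a single {@link SecurityWebFilterChain} whose shape is driven by
 * {@link AuthProperties} and {@link CorsProperties}:
 * <ul>
 *   <li>with {@code getResourceServer() == AutoSecurityMode.NONE} every exchange is permitted
 *       and HTTP basic authentication is switched off;</li>
 *   <li>otherwise the configured path matchers are applied (deny-all, permit-all or a
 *       role/IP based {@link RoleOrIpBasedAuthorizationManager}) and the authentication
 *       mechanism is selected: JWT bearer tokens when a {@link JsonPathReactiveJwtConverter}
 *       bean is available, HTTP basic backed by a {@link ReactiveUserDetailsService}
 *       otherwise.</li>
 * </ul>
 * CSRF protection is always disabled for this chain, the {@code X-Frame-Options} header follows
 * {@link AuthProperties#getFrameOptionsMode()}, and CORS handling is toggled by
 * {@link CorsProperties#isEnable()}. Subclasses contribute the initial authorization rules via
 * {@link #init(ServerHttpSecurity)}.
 *
 * <p>This listing is decompiler output; the decompiler notes that the constructor,
 * {@link #init()} and {@link #resourceServerFilterChain(ServerHttpSecurity)} were originally
 * declared {@code protected}. They are kept {@code public} here so existing callers still
 * compile.
 */
public abstract class AbstractReactiveResourceServerAutoConfiguration {
    private static final Logger log = LoggerFactory.getLogger(AbstractReactiveResourceServerAutoConfiguration.class);
    private final Environment environment;
    private final CorsProperties corsProperties;
    private final AuthProperties authProperties;
    // Optional collaborators; each is resolved lazily via ObjectProvider so a missing bean is tolerated.
    private final ObjectProvider<JsonPathReactiveJwtConverter> jwtConverterProvider;
    private final ObjectProvider<ReactiveUserDetailsService> userDetailsServiceProvider;
    private final ObjectProvider<PasswordEncoder> passwordEncoderProvider;

    /**
     * Creates the auto-configuration.
     *
     * @param environment the Spring environment (read for the JWK set URI property)
     * @param corsProperties the CORS properties
     * @param authProperties the authentication properties
     * @param jwtConverterProvider provider of the optional JWT converter bean
     * @param userDetailsServiceProvider provider of the optional user details service bean
     * @param passwordEncoderProvider provider of the optional password encoder bean
     */
    public AbstractReactiveResourceServerAutoConfiguration(
            Environment environment,
            CorsProperties corsProperties,
            AuthProperties authProperties,
            ObjectProvider<JsonPathReactiveJwtConverter> jwtConverterProvider,
            ObjectProvider<ReactiveUserDetailsService> userDetailsServiceProvider,
            ObjectProvider<PasswordEncoder> passwordEncoderProvider) {
        this.environment = environment;
        this.corsProperties = corsProperties;
        this.authProperties = authProperties;
        this.jwtConverterProvider = jwtConverterProvider;
        this.userDetailsServiceProvider = userDetailsServiceProvider;
        this.passwordEncoderProvider = passwordEncoderProvider;
    }

    /**
     * Logs a summary of the effective configuration.
     *
     * <p>Only whether a {@code spring.security.oauth2.resourceserver.jwt.jwk-set-uri} is set is
     * logged, never its value.
     */
    public void init() {
        log.info("\n*********************************************************************************\n* {}\n*********************************************************************************\n* enable = {}\n* order = {}\n* jwt = {}\n* cors = {}\n*********************************************************************************",
                ClassUtils.getUserClass(getClass()).getSimpleName(),
                this.authProperties.getResourceServer().name(),
                this.authProperties.getResourceServerOrder(),
                StringUtils.hasText(this.environment.getProperty("spring.security.oauth2.resourceserver.jwt.jwk-set-uri")),
                this.corsProperties.isEnable());
    }

    /**
     * Supplies the initial authorization rules for the chain.
     *
     * @param serverHttpSecurity the security builder to start from
     * @return the authorize-exchange spec the path matchers are appended to
     */
    protected abstract ServerHttpSecurity.AuthorizeExchangeSpec init(ServerHttpSecurity serverHttpSecurity);

    /**
     * Builds the resource-server {@link SecurityWebFilterChain}.
     *
     * @param serverHttpSecurity the security builder; must not be {@code null}
     * @return the filter chain wrapped in an {@link OrderedProxy} carrying
     *     {@link AuthProperties#getResourceServerOrder()}
     * @throws IllegalArgumentException if {@code serverHttpSecurity} is {@code null}
     */
    public SecurityWebFilterChain resourceServerFilterChain(ServerHttpSecurity serverHttpSecurity) {
        // Validate before touching the argument (the original dereferenced it first, so a null
        // argument surfaced as a NullPointerException instead of this message).
        Assert.notNull(serverHttpSecurity, "Server http security must be present.");
        ServerHttpSecurity.AuthorizeExchangeSpec authorize = init(serverHttpSecurity);

        ServerHttpSecurity http;
        if (this.authProperties.getResourceServer() == AutoSecurityMode.NONE) {
            // Security switched off: every exchange is permitted and no basic-auth challenge is issued.
            http = authorize.anyExchange().permitAll().and().httpBasic().disable();
        } else {
            http = configureAuthenticationManager(configurePathMatchers(authorize).and());
        }

        // The configured frame-options mode always wins; an unconditional SAMEORIGIN default that
        // was immediately overwritten here has been dropped.
        // CSRF is disabled for this chain: the JWT variant is stateless, but note the HTTP basic
        // fallback (see configureAuthenticationManager) runs without CSRF protection as well.
        http = http.headers()
                .frameOptions(frameOptions -> {
                    if (this.authProperties.getFrameOptionsMode() == FrameOptionsMode.DISABLE) {
                        frameOptions.disable();
                    } else {
                        frameOptions.mode(this.authProperties.getFrameOptionsMode().getMode());
                    }
                })
                .and()
                .csrf().disable();

        ServerHttpSecurity withCors = this.corsProperties.isEnable()
                ? http.cors().and()
                : http.cors().disable();
        return (SecurityWebFilterChain) OrderedProxy.create(withCors.build(), this.authProperties.getResourceServerOrder());
    }

    /**
     * Appends one authorization rule per configured path matcher.
     *
     * @param spec the spec to extend
     * @return the spec with all path matcher rules applied
     */
    private ServerHttpSecurity.AuthorizeExchangeSpec configurePathMatchers(ServerHttpSecurity.AuthorizeExchangeSpec spec) {
        for (AuthProperties.PathMatcherProperties pathMatcher : this.authProperties.preparePathMatchers(this.corsProperties)) {
            log.info("Securing requests to {}", pathMatcher);
            ServerHttpSecurity.AuthorizeExchangeSpec.Access access = spec.matchers(matcher(pathMatcher));
            switch (pathMatcher.getAccessMode()) {
                case DENY_ALL:
                    spec = access.denyAll();
                    break;
                case PERMIT_ALL:
                    spec = access.permitAll();
                    break;
                default:
                    // Role names are normalised through ensureRolePrefix before matching.
                    // NOTE(review): IP-based access is only as trustworthy as the remote address the
                    // server observes (e.g. behind a reverse proxy) — confirm the deployment topology.
                    spec = access.access(new RoleOrIpBasedAuthorizationManager(
                            pathMatcher.roles(this.authProperties::ensureRolePrefix),
                            pathMatcher.getIpAddresses()));
                    break;
            }
        }
        return spec;
    }

    /**
     * Builds the exchange matcher for a path matcher entry: ant pattern plus HTTP method when one is
     * configured, ant pattern only otherwise.
     *
     * @param pathMatcher the path matcher properties
     * @return the exchange matcher
     */
    private ServerWebExchangeMatcher matcher(AuthProperties.PathMatcherProperties pathMatcher) {
        String antPattern = pathMatcher.getAntPattern();
        return Optional.ofNullable(pathMatcher.httpMethod())
                .map(httpMethod -> ServerWebExchangeMatchers.pathMatchers(httpMethod, antPattern))
                .orElseGet(() -> ServerWebExchangeMatchers.pathMatchers(antPattern));
    }

    /**
     * Selects the authentication mechanism.
     *
     * @param http the security builder
     * @return the builder configured either as a JWT resource server (when a
     *     {@link JsonPathReactiveJwtConverter} bean is available) or for HTTP basic against the
     *     user-details based authentication manager (form login disabled)
     */
    private ServerHttpSecurity configureAuthenticationManager(ServerHttpSecurity http) {
        JsonPathReactiveJwtConverter jwtConverter = this.jwtConverterProvider.getIfAvailable();
        if (jwtConverter != null) {
            return http.oauth2ResourceServer(oauth2 -> oauth2.jwt().jwtAuthenticationConverter(jwtConverter));
        }
        // No JWT converter bean present: fall back to HTTP basic; the manager is only built in this branch.
        return http.authenticationManager(userDetailsAuthenticationManager())
                .httpBasic().and()
                .formLogin().disable();
    }

    /**
     * Creates the user-details based authentication manager, using the
     * {@link ReactiveUserDetailsService} bean if present and the in-memory default otherwise, and
     * applies the {@link PasswordEncoder} bean when one is available.
     *
     * @return the authentication manager
     */
    private ReactiveAuthenticationManager userDetailsAuthenticationManager() {
        ReactiveUserDetailsService userDetailsService =
                this.userDetailsServiceProvider.getIfAvailable(this::defaultReactiveUserDetailsService);
        log.info("Creating ReactiveAuthenticationManager with {}", ClassUtils.getUserClass(userDetailsService).getSimpleName());
        UserDetailsRepositoryReactiveAuthenticationManager manager =
                new UserDetailsRepositoryReactiveAuthenticationManager(userDetailsService);
        this.passwordEncoderProvider.ifAvailable(passwordEncoder -> {
            log.info("Setting {} to ReactiveAuthenticationManager", ClassUtils.getUserClass(passwordEncoder).getSimpleName());
            manager.setPasswordEncoder(passwordEncoder);
        });
        return manager;
    }

    /**
     * Default user details service: in-memory users built from the basic-auth entries of
     * {@link AuthProperties}.
     *
     * @return the in-memory user details service; {@code buildBasicAuthUserDetails} receives
     *     {@code null} as encoder when no {@link PasswordEncoder} bean is available
     */
    private ReactiveUserDetailsService defaultReactiveUserDetailsService() {
        return new MapReactiveUserDetailsService(
                this.authProperties.buildBasicAuthUserDetails(this.passwordEncoderProvider.getIfAvailable()));
    }
}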
