package org.activiti.cloud.security.authorization;

import jakarta.annotation.PostConstruct;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.function.Consumer;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.activiti.cloud.security.authorization.AuthorizationProperties;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.env.Environment;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.stereotype.Component;

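/**
 * Translates the configured {@link AuthorizationProperties} security constraints into Spring
 * Security request-authorization rules on an {@link HttpSecurity} builder.
 *
 * <p>Security-relevant behaviour implemented here:
 * <ul>
 *   <li>A constraint with neither roles nor permissions is treated as public: its patterns are
 *       registered with {@code permitAll()} and are also handed to the CSRF "ignore" matcher.</li>
 *   <li>Public constraints are registered before role/permission constraints. Request matchers
 *       are consulted in registration order, so a broad public pattern can take precedence over
 *       a narrower restricted one; overlapping patterns should be reviewed with that in mind.</li>
 *   <li>HTTP methods listed as "omitted" for a collection are registered with
 *       {@code denyAll()}.</li>
 * </ul>
 */
@Component
/* loaded from: input_file:org/activiti/cloud/security/authorization/AuthorizationConfigurer.class */
public class AuthorizationConfigurer {
    private static final Logger LOGGER = LoggerFactory.getLogger(AuthorizationConfigurer.class);

    /** Legacy Keycloak adapter property whose presence triggers the start-up warning. */
    private static final String KEYCLOAK_CONSTRAINT_PROPERTY =
        "keycloak.security-constraints[0].securityCollections[0].patterns[0]";

    private final AuthorizationProperties authorizationProperties;
    private final Environment environment;

    /**
     * @param authorizationProperties source of the security constraints to apply
     * @param environment environment used to detect legacy Keycloak constraint properties
     */
    @Autowired
    public AuthorizationConfigurer(AuthorizationProperties authorizationProperties, Environment environment) {
        this.authorizationProperties = authorizationProperties;
        this.environment = environment;
    }

    /**
     * Logs a warning at start-up when a Keycloak security-constraint property is defined.
     *
     * <p>Only the first pattern of the first collection of the first constraint is probed, so
     * this is a heuristic signal, not a full scan of {@code keycloak.security-constraints}.
     */
    @PostConstruct
    public void checkKeycloakConfig() {
        if (this.environment.getProperty(KEYCLOAK_CONSTRAINT_PROPERTY) != null) {
            LOGGER.warn("A Keycloak security configuration was found, it could override Spring Security configuration, please check if we have properties starting with \"keycloak.security-constraints\".");
        }
    }

    /**
     * Applies every configured security constraint to the given builder, excludes the patterns
     * of public constraints from CSRF protection, and enables anonymous authentication.
     *
     * @param httpSecurity the builder to configure
     * @throws Exception if the underlying Spring Security configuration fails
     */
    public void configure(HttpSecurity httpSecurity) throws Exception {
        List<AuthorizationProperties.SecurityConstraint> orderedConstraints =
            getOrderedList(this.authorizationProperties.getSecurityConstraints());
        List<String> publicUrlPatterns = new ArrayList<>();
        for (AuthorizationProperties.SecurityConstraint securityConstraint : orderedConstraints) {
            if (!hasRoleOrPermissionConstraint(securityConstraint)) {
                // Public constraint: remember its patterns so CSRF can be relaxed for them below.
                for (AuthorizationProperties.SecurityCollection securityCollection : securityConstraint.getSecurityCollections()) {
                    publicUrlPatterns.addAll(Arrays.asList(getPatterns(securityCollection.getPatterns())));
                }
            }
            configureAuthorization(httpSecurity, securityConstraint);
        }
        if (!publicUrlPatterns.isEmpty()) {
            // Every pattern that is permitAll() is also exempted from CSRF checks, including
            // state-changing methods. Keep public patterns as narrow as possible.
            // NOTE(review): CsrfIgnoreMatcher is not shown here; presumably it matches requests
            // against these patterns - confirm its matching rules.
            LOGGER.debug("Disabling CSRF protection for public URLs: {}", publicUrlPatterns);
            httpSecurity.csrf(csrfConfigurer ->
                csrfConfigurer.ignoringRequestMatchers(new RequestMatcher[] {new CsrfIgnoreMatcher(publicUrlPatterns)}));
        }
        httpSecurity.anonymous(Customizer.withDefaults());
    }

    /**
     * Registers the access rule for one constraint: a {@link CustomAuthorizationManager} built
     * from its roles and permissions when it has any, otherwise {@code permitAll()}.
     */
    private void configureAuthorization(HttpSecurity httpSecurity, AuthorizationProperties.SecurityConstraint securityConstraint) throws Exception {
        boolean restricted = hasRoleOrPermissionConstraint(securityConstraint);
        Consumer<AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizedUrl> accessRule;
        if (restricted) {
            accessRule = authorizedUrl -> authorizedUrl.access(
                new CustomAuthorizationManager(securityConstraint.getAuthRoles(), securityConstraint.getAuthPermissions()));
        } else {
            accessRule = authorizedUrl -> authorizedUrl.permitAll();
        }
        buildAntMatchers(httpSecurity, securityConstraint.getSecurityCollections(), accessRule);
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Setting access {} to {}", securityConstraint.getSecurityCollections(), restricted ? describeGrants(securityConstraint) : "anonymous");
        }
    }

    /**
     * Joins the roles and permissions of a constraint for log output.
     *
     * <p>A constraint counts as restricted when either array is non-empty, so the other one may
     * be {@code null}; both are streamed null-safely so that enabling debug logging cannot fail
     * the security configuration with a {@link NullPointerException}.
     */
    private static String describeGrants(AuthorizationProperties.SecurityConstraint securityConstraint) {
        return Stream.concat(nullSafeStream(securityConstraint.getAuthRoles()), nullSafeStream(securityConstraint.getAuthPermissions()))
            .collect(Collectors.joining(", "));
    }

    /** Returns a stream over {@code values}, or an empty stream when {@code values} is null. */
    private static Stream<String> nullSafeStream(String[] values) {
        return values == null ? Stream.empty() : Arrays.stream(values);
    }

    /**
     * Registers one request matcher per HTTP method and collection: omitted methods are denied,
     * every other method receives the supplied access rule.
     *
     * @param httpSecurity the builder to configure
     * @param securityCollectionArr collections whose patterns and omitted methods are applied
     * @param consumer access rule applied to the methods that are not omitted
     */
    private void buildAntMatchers(HttpSecurity httpSecurity, AuthorizationProperties.SecurityCollection[] securityCollectionArr, Consumer<AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizedUrl> consumer) throws Exception {
        for (AuthorizationProperties.SecurityCollection securityCollection : securityCollectionArr) {
            String[] patterns = getPatterns(securityCollection.getPatterns());
            // NOTE(review): method names are resolved exactly as configured. An entry that does
            // not equal one of HttpMethod.values() (for example a different letter case) would
            // produce no denyAll() rule and the method would receive the normal access rule -
            // confirm HttpMethod.valueOf semantics for the Spring version in use.
            List<HttpMethod> omittedMethods = Arrays.stream(securityCollection.getOmittedMethods())
                .map(HttpMethod::valueOf)
                .toList();
            for (HttpMethod httpMethod : HttpMethod.values()) {
                if (omittedMethods.contains(httpMethod)) {
                    httpSecurity.authorizeHttpRequests(registry ->
                        registry.requestMatchers(httpMethod, patterns).denyAll());
                } else {
                    httpSecurity.authorizeHttpRequests(registry ->
                        consumer.accept(registry.requestMatchers(httpMethod, patterns)));
                }
            }
        }
    }

    /**
     * Returns the constraints in registration order: public constraints first (in their
     * configured order), followed by role/permission constraints in reverse configured order.
     *
     * @param list the constraints as configured; not modified
     * @return a new list in registration order
     */
    private List<AuthorizationProperties.SecurityConstraint> getOrderedList(List<AuthorizationProperties.SecurityConstraint> list) {
        List<AuthorizationProperties.SecurityConstraint> reversed = new ArrayList<>(list);
        Collections.reverse(reversed);
        List<AuthorizationProperties.SecurityConstraint> ordered = new ArrayList<>();
        for (AuthorizationProperties.SecurityConstraint securityConstraint : reversed) {
            if (hasRoleOrPermissionConstraint(securityConstraint)) {
                ordered.add(securityConstraint);
            } else {
                // Public constraints are moved to the front so they are registered first.
                ordered.add(0, securityConstraint);
            }
        }
        return ordered;
    }

    /**
     * Rewrites patterns ending in {@code /*} to end in {@code /**}; other patterns are returned
     * unchanged.
     *
     * <p>This widens a single-segment trailing wildcard into the recursive form, so a
     * configured {@code /api/*} covers everything below {@code /api/}.
     */
    private String[] getPatterns(String[] strArr) {
        return Arrays.stream(strArr)
            .map(pattern -> pattern.endsWith("/*") ? pattern + "*" : pattern)
            .toArray(String[]::new);
    }

    /** Returns {@code true} when the array is non-null and has at least one element. */
    private boolean isNotEmpty(String[] strArr) {
        return strArr != null && strArr.length > 0;
    }

    /**
     * Returns {@code true} when the constraint names at least one role or permission; a
     * constraint for which this is {@code false} is treated as public.
     */
    private boolean hasRoleOrPermissionConstraint(AuthorizationProperties.SecurityConstraint securityConstraint) {
        return isNotEmpty(securityConstraint.getAuthRoles()) || isNotEmpty(securityConstraint.getAuthPermissions());
    }
}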
