package org.activiti.cloud.services.common.security.config;

import com.github.benmanes.caffeine.cache.Caffeine;
import feign.RequestInterceptor;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import org.activiti.api.runtime.shared.security.PrincipalGroupsProvider;
import org.activiti.api.runtime.shared.security.PrincipalIdentityProvider;
import org.activiti.api.runtime.shared.security.PrincipalRolesProvider;
import org.activiti.api.runtime.shared.security.SecurityContextPrincipalProvider;
import org.activiti.api.runtime.shared.security.SecurityContextTokenProvider;
import org.activiti.api.runtime.shared.security.SecurityManager;
import org.activiti.cloud.security.authorization.AuthorizationConfigurer;
import org.activiti.cloud.security.authorization.EnableAuthorizationConfiguration;
import org.activiti.cloud.security.feign.TokenRelayRequestInterceptor;
import org.activiti.cloud.services.common.security.CustomBearerTokenAccessDeniedHandler;
import org.activiti.cloud.services.common.security.SecurityManagerImpl;
import org.activiti.cloud.services.common.security.jwt.JtwAccessTokenPrincipalRolesProvider;
import org.activiti.cloud.services.common.security.jwt.JwtAccessTokenPrincipalGroupsProvider;
import org.activiti.cloud.services.common.security.jwt.JwtAccessTokenProvider;
import org.activiti.cloud.services.common.security.jwt.JwtAccessTokenValidator;
import org.activiti.cloud.services.common.security.jwt.JwtPrincipalGroupsProviderChain;
import org.activiti.cloud.services.common.security.jwt.JwtPrincipalIdentityProvider;
import org.activiti.cloud.services.common.security.jwt.JwtPrincipalRolesProviderChain;
import org.activiti.cloud.services.common.security.jwt.JwtSecurityContextPrincipalProvider;
import org.activiti.cloud.services.common.security.jwt.JwtSecurityContextTokenProvider;
import org.activiti.cloud.services.common.security.jwt.validator.ExpiredValidationCheck;
import org.activiti.cloud.services.common.security.jwt.validator.IsNotBeforeValidationCheck;
import org.activiti.cloud.services.common.security.jwt.validator.ValidationCheck;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.cache.Cache;
import org.springframework.cache.CacheManager;
import org.springframework.cache.caffeine.CaffeineCache;
import org.springframework.cache.support.SimpleCacheManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Import;
import org.springframework.core.annotation.Order;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.web.access.BearerTokenAccessDeniedHandler;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.cors.CorsConfiguration;

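/**
 * Auto-configures JWT resource-server security for an Activiti Cloud web service.
 *
 * <p>Everything declared here except {@link #filterChain} is {@code @ConditionalOnMissingBean},
 * so an application can replace any single piece:
 * <ul>
 *   <li>the JWT-backed principal / identity / groups / roles providers that
 *       {@link SecurityManagerImpl} is assembled from;</li>
 *   <li>the {@link JwtAccessTokenValidator} and its expiry and not-before checks, both
 *       parameterised by {@code authorization.validation.offset};</li>
 *   <li>a Feign {@link RequestInterceptor} built around the security-context token provider;</li>
 *   <li>a {@link CacheManager} that creates Caffeine caches on demand;</li>
 *   <li>the {@link SecurityFilterChain} itself, which applies the injected
 *       {@link AuthorizationConfigurer} first and then only protects non-public actuator
 *       endpoints, permitting every other request at this layer.</li>
 * </ul>
 *
 * <p>Security review notes:
 * <ul>
 *   <li>The filter chain ends with {@code anyRequest().permitAll()}. Any endpoint the
 *       {@link AuthorizationConfigurer} does not explicitly protect is reachable without a
 *       token as far as this chain is concerned — verify that configuration covers every
 *       business endpoint.</li>
 *   <li>{@code cors.allowedOrigins} defaults to {@code *}; set it to the concrete UI origins
 *       in production.</li>
 *   <li>CSRF and session-creation policy are not configured in this file. NOTE(review):
 *       presumably handled by {@link AuthorizationConfigurer} or left at Spring Security
 *       defaults — confirm.</li>
 * </ul>
 */
@EnableAuthorizationConfiguration
@AutoConfiguration
// The original listed SessionAuthenticationStrategy.class twice in this array; one entry is
// equivalent, so the duplicate is dropped.
@ConditionalOnMissingBean(SessionAuthenticationStrategy.class)
@ConditionalOnWebApplication
@Import({CommonJwtAuthenticationConverterConfiguration.class})
public class CommonSecurityAutoConfiguration {

    /** Endpoint authorization rules; applied to the {@link HttpSecurity} before the rules in {@link #filterChain}. */
    private final AuthorizationConfigurer authorizationConfigurer;

    /** Turns a validated {@link Jwt} into the {@link AbstractAuthenticationToken} stored in the security context. */
    private final Converter<Jwt, AbstractAuthenticationToken> jwtAuthenticationConverter;

    /**
     * Tolerance handed to {@link ExpiredValidationCheck} and {@link IsNotBeforeValidationCheck}.
     * Defaults to {@code 0}. NOTE(review): the unit and sign convention are defined by those two
     * classes — presumably seconds of clock-skew leeway around {@code exp}/{@code nbf}; confirm
     * there. Keep it small: every unit of leeway lengthens the window in which an already
     * expired (possibly stolen) token is still accepted.
     */
    @Value("${authorization.validation.offset:0}")
    private long offset;

    /**
     * Origins accepted by the CORS policy (comma-separated property). Defaults to the wildcard
     * {@code *}, i.e. any browser origin may call this service; production deployments should
     * list the concrete UI origins. These are passed to {@code setAllowedOrigins}, which takes
     * literal origins, not patterns.
     */
    @Value("${cors.allowedOrigins:*}")
    private List<String> allowedOrigins;

    /**
     * @param authorizationConfigurer supplies the application's endpoint authorization rules
     * @param converter               JWT-to-authentication converter used by the resource server
     */
    @Autowired
    public CommonSecurityAutoConfiguration(
            AuthorizationConfigurer authorizationConfigurer,
            Converter<Jwt, AbstractAuthenticationToken> converter) {
        this.authorizationConfigurer = authorizationConfigurer;
        this.jwtAuthenticationConverter = converter;
    }

    /** Reads the current principal from the Spring Security context (JWT-based implementation). */
    @ConditionalOnMissingBean
    @Bean
    public SecurityContextPrincipalProvider authenticatedPrincipalProvider() {
        return new JwtSecurityContextPrincipalProvider();
    }

    /**
     * Validator that runs every {@link ValidationCheck} bean in the context. Adding a
     * {@link ValidationCheck} bean is the extension point for extra claim checks (audience,
     * issuer, ...), none of which are declared in this file.
     *
     * @param checks all {@link ValidationCheck} beans, injected as a list
     */
    @ConditionalOnMissingBean
    @Bean
    public JwtAccessTokenValidator jwtAccessTokenValidator(List<ValidationCheck> checks) {
        return new JwtAccessTokenValidator(checks);
    }

    /** Expiry check, using {@link #offset} as tolerance. */
    @ConditionalOnMissingBean
    @Bean
    public ExpiredValidationCheck expiredValidationCheck() {
        return new ExpiredValidationCheck(this.offset);
    }

    /** Not-before check, using the same {@link #offset} tolerance as the expiry check. */
    @ConditionalOnMissingBean
    @Bean
    public IsNotBeforeValidationCheck isNotBeforeValidationCheck() {
        return new IsNotBeforeValidationCheck(this.offset);
    }

    /** Resolves the caller's identity from the access token, after it passes the validator. */
    @ConditionalOnMissingBean
    @Bean
    public PrincipalIdentityProvider principalIdentityProvider(
            JwtAccessTokenProvider jwtAccessTokenProvider,
            JwtAccessTokenValidator jwtAccessTokenValidator) {
        return new JwtPrincipalIdentityProvider(jwtAccessTokenProvider, jwtAccessTokenValidator);
    }

    /**
     * Groups provider that reads group membership from the access token. Ordered with the
     * highest precedence so that, in the ordered list handed to
     * {@link #principalGroupsProviderChain}, the token-backed provider comes first.
     */
    @ConditionalOnMissingBean
    @Bean
    @Order(Integer.MIN_VALUE)
    public JwtAccessTokenPrincipalGroupsProvider jwtAccessTokenPrincipalGroupsProvider(
            JwtAccessTokenProvider jwtAccessTokenProvider,
            JwtAccessTokenValidator jwtAccessTokenValidator) {
        return new JwtAccessTokenPrincipalGroupsProvider(jwtAccessTokenProvider, jwtAccessTokenValidator);
    }

    /**
     * Roles provider that reads roles from the access token; same precedence rule as the
     * groups provider. (The class name keeps the upstream "Jtw" spelling.)
     */
    @ConditionalOnMissingBean
    @Bean
    @Order(Integer.MIN_VALUE)
    public JtwAccessTokenPrincipalRolesProvider jtwAccessTokenPrincipalRolesProvider(
            JwtAccessTokenProvider jwtAccessTokenProvider,
            JwtAccessTokenValidator jwtAccessTokenValidator) {
        return new JtwAccessTokenPrincipalRolesProvider(jwtAccessTokenProvider, jwtAccessTokenValidator);
    }

    /** Chain over every {@link PrincipalGroupsProvider} bean, in bean order. */
    @ConditionalOnMissingBean
    @Bean
    public JwtPrincipalGroupsProviderChain principalGroupsProviderChain(List<PrincipalGroupsProvider> providers) {
        return new JwtPrincipalGroupsProviderChain(providers);
    }

    /** Chain over every {@link PrincipalRolesProvider} bean, in bean order. */
    @ConditionalOnMissingBean
    @Bean
    public JwtPrincipalRolesProviderChain principalRolesProviderChain(List<PrincipalRolesProvider> providers) {
        return new JwtPrincipalRolesProviderChain(providers);
    }

    /** The {@link SecurityManager} the runtime API consumes, assembled from the providers above. */
    @ConditionalOnMissingBean
    @Bean
    public SecurityManager securityManager(
            SecurityContextPrincipalProvider securityContextPrincipalProvider,
            PrincipalIdentityProvider principalIdentityProvider,
            JwtPrincipalGroupsProviderChain jwtPrincipalGroupsProviderChain,
            JwtPrincipalRolesProviderChain jwtPrincipalRolesProviderChain) {
        return new SecurityManagerImpl(
                securityContextPrincipalProvider,
                principalIdentityProvider,
                jwtPrincipalGroupsProviderChain,
                jwtPrincipalRolesProviderChain);
    }

    /** Exposes the raw token of the current security context (JWT-based implementation). */
    @ConditionalOnMissingBean
    @Bean
    public SecurityContextTokenProvider securityContextTokenProvider() {
        return new JwtSecurityContextTokenProvider();
    }

    /**
     * Registers every authenticated session in an in-memory {@link SessionRegistryImpl}.
     *
     * <p>NOTE(review): a bearer-token resource server is normally stateless; this file sets no
     * session-creation policy, so whether HTTP sessions are created at all depends on Spring
     * Security defaults and on {@link AuthorizationConfigurer} — confirm before relying on
     * this registry for anything (e.g. concurrent-session limits).
     */
    @ConditionalOnMissingBean
    @Bean
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    /**
     * Feign interceptor built on the security-context token provider. Per its name it relays
     * the caller's token to downstream calls (implementation not visible here); if so, every
     * Feign target receives the caller's full credential, so targets must be trusted internal
     * services only.
     */
    @ConditionalOnMissingBean
    @Bean
    public RequestInterceptor tokenRelayRequestInterceptor(SecurityContextTokenProvider securityContextTokenProvider) {
        return new TokenRelayRequestInterceptor(securityContextTokenProvider);
    }

    /**
     * Builds the service's {@link SecurityFilterChain}.
     *
     * <p>Order matters: {@link AuthorizationConfigurer#configure} runs first so its request
     * matchers are registered ahead of the two rules added here (Spring evaluates
     * {@code authorizeHttpRequests} matchers in registration order, first match wins):
     * <ol>
     *   <li>non-public actuator endpoints (see {@link #actuatorEndpointsMatcher()}) require an
     *       authenticated caller — any valid JWT, no role check, so restrict which management
     *       endpoints are exposed at all;</li>
     *   <li>everything else is {@code permitAll}.</li>
     * </ol>
     * HTTP Basic is disabled; bearer JWTs are the only credential configured here, and
     * access-denied responses are rendered by {@link CustomBearerTokenAccessDeniedHandler}.
     *
     * @param httpSecurity builder supplied by Spring Security
     * @return the built filter chain
     * @throws Exception propagated from the {@link HttpSecurity} DSL
     */
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
        this.authorizationConfigurer.configure(httpSecurity);
        httpSecurity
                .authorizeHttpRequests(authorize -> authorize
                        .requestMatchers(actuatorEndpointsMatcher()).authenticated()
                        .anyRequest().permitAll())
                .cors(cors -> cors.configurationSource(request -> buildCorsConfiguration()))
                .exceptionHandling(handling -> handling.accessDeniedHandler(
                        new CustomBearerTokenAccessDeniedHandler(new BearerTokenAccessDeniedHandler())))
                // Bearer tokens only: no username/password fallback.
                .httpBasic(basic -> basic.disable())
                .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt ->
                        jwt.jwtAuthenticationConverter(this.jwtAuthenticationConverter)));
        return httpSecurity.build();
    }

    /**
     * CORS policy used for every request: the configured origins, an explicit method list, and
     * Spring's permissive defaults for the rest ({@code applyPermitDefaultValues} fills in
     * allowed headers {@code *} and a max-age but leaves already-set origins and methods alone).
     * {@code allowCredentials} is not set; Spring's {@link CorsConfiguration} validation rejects
     * credentials combined with a {@code *} origin, so enabling it requires a concrete origin list.
     */
    private CorsConfiguration buildCorsConfiguration() {
        CorsConfiguration cors = new CorsConfiguration();
        // "OPTIONS" was misspelled "OPTION" in the original list, which is not an HTTP method.
        cors.setAllowedMethods(List.of("GET", "HEAD", "OPTIONS", "POST", "PUT", "DELETE"));
        cors.setAllowedOrigins(this.allowedOrigins);
        return cors.applyPermitDefaultValues();
    }

    /**
     * Matches every {@code /actuator/**} request except {@code /actuator/health/**} and
     * {@code /actuator/info/**}, which stay anonymous (liveness probes, version info).
     */
    private RequestMatcher actuatorEndpointsMatcher() {
        RequestMatcher anyActuator = new AntPathRequestMatcher("/actuator/**");
        List<RequestMatcher> publicActuator = List.of(
                new AntPathRequestMatcher("/actuator/health/**"),
                new AntPathRequestMatcher("/actuator/info/**"));
        return request -> anyActuator.matches(request)
                && publicActuator.stream().noneMatch(matcher -> matcher.matches(request));
    }

    /**
     * Cache manager backed by Caffeine. {@link Cache} beans are registered as-is; any other
     * cache name requested at runtime gets a fresh Caffeine cache created on demand.
     *
     * <p>NOTE(review): the on-demand caches use {@code Caffeine.newBuilder().build()}, i.e. no
     * maximum size and no expiry. If any of them is keyed by caller-controlled data (tokens,
     * user ids) it can grow without bound; consider {@code maximumSize}/{@code expireAfterWrite}
     * once the cached key space is known. Left unchanged here because the callers' eviction
     * expectations are not visible in this file.
     *
     * @param caches all {@link Cache} beans in the context
     */
    @ConditionalOnMissingBean
    @Bean
    public CacheManager cacheManager(Collection<Cache> caches) {
        SimpleCacheManager manager = new SimpleCacheManager() {
            @Override
            protected Cache getMissingCache(String name) {
                return new CaffeineCache(name, Caffeine.newBuilder().build());
            }
        };
        manager.setCaches(caches);
        return manager;
    }
}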
