package de.uniba.minf.auth.spring.config;

import com.github.scribejava.apis.GitHubApi;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import de.uniba.minf.auth.ProfileActionHandler;
import de.uniba.minf.auth.config.BaseSecurity;
import de.uniba.minf.auth.config.BaseSecurityConfig;
import de.uniba.minf.auth.config.OrderedClient;
import de.uniba.minf.auth.config.oauth.OAuthSecurity;
import de.uniba.minf.auth.config.openid.OpenIDSecurity;
import de.uniba.minf.auth.helpers.SAMLMetadataHelper;
import de.uniba.minf.auth.profile.AuthProfileDefinition;
import de.uniba.minf.auth.profile.creator.ExtendedOAuthProfileCreator;
import de.uniba.minf.auth.profile.creator.ExtendedOidcProfileCreator;
import de.uniba.minf.auth.profile.creator.JwtProfileCreator;
import de.uniba.minf.auth.profile.creator.LocalProfileCreator;
import de.uniba.minf.auth.profile.creator.SamlProfileCreator;
import de.uniba.minf.auth.saml.CustomSAML2Client;
import de.uniba.minf.auth.spring.authentication.CustomProfileManager;
import de.uniba.minf.auth.spring.authentication.LocalUsernamePasswordAuthenticator;
import de.uniba.minf.auth.spring.mvc.AuthInfoHelper;
import java.io.FileNotFoundException;
import java.net.URISyntaxException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Optional;
import java.util.stream.Collectors;
import org.pac4j.core.client.BaseClient;
import org.pac4j.core.client.Client;
import org.pac4j.core.client.Clients;
import org.pac4j.core.client.DirectClient;
import org.pac4j.core.client.IndirectClient;
import org.pac4j.core.config.Config;
import org.pac4j.http.client.direct.DirectBearerAuthClient;
import org.pac4j.http.client.direct.HeaderClient;
import org.pac4j.http.client.direct.ParameterClient;
import org.pac4j.http.client.indirect.FormClient;
import org.pac4j.jwt.profile.JwtGenerator;
import org.pac4j.oauth.client.OAuth20Client;
import org.pac4j.oauth.config.OAuth20Configuration;
import org.pac4j.oauth.profile.github.GitHubProfileDefinition;
import org.pac4j.oauth.profile.yahoo.YahooProfileDefinition;
import org.pac4j.oidc.client.OidcClient;
import org.pac4j.oidc.config.OidcConfiguration;
import org.pac4j.saml.config.SAML2Configuration;
import org.pac4j.springframework.web.CallbackController;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

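@Configuration
@ComponentScan
/**
 * Spring wiring of the pac4j security setup: builds the pac4j {@link Config}, the direct
 * (REST/JWT) clients and the indirect (form, OIDC, OAuth 2.0, SAML) clients from the
 * properties collected by {@link BaseSecurityConfig}.
 *
 * <p>Fixes over the previous revision: {@link #setBaseClientConfig} now checks the image
 * (not the text) before storing the image property, and {@link #getOauthClients()} no longer
 * registers an {@link OAuth20Client} whose API could not be resolved (the warning already
 * said "not configured", but the half-built client was still added).
 */
public class SecurityConfig extends BaseSecurityConfig {
    private static final Logger log = LoggerFactory.getLogger(SecurityConfig.class);

    /** The only OAuth 2.0 API value {@link #getOauthClients()} knows how to wire. */
    private static final String GITHUB_API = "github";

    // The three fields below are assigned by config() and exposed through the getters at the end.
    private boolean enabled;
    private String indirectStartClientName;
    private String directClientNames;

    @Bean
    public AuthInfoHelper authInfoHelper() {
        return new AuthInfoHelper();
    }

    /**
     * pac4j callback endpoint; after a successful indirect login it redirects to the
     * application base URL.
     */
    @Bean
    public CallbackController callbackController() {
        CallbackController controller = new CallbackController();
        controller.setDefaultUrl(baseUrl().getUrl());
        return controller;
    }

    /** Exposes the JWT generator configured in {@link BaseSecurityConfig} as a bean. */
    @Bean
    public JwtGenerator jwtGenerator() {
        return super.getJwtGenerator();
    }

    @Bean
    public SAMLMetadataHelper metadataHelper() {
        return new SAMLMetadataHelper();
    }

    /**
     * Assembles the pac4j {@link Config} from every client bean, registers the clients with
     * {@link BaseSecurityConfig}'s enabled-client maps and derives the start client for the
     * indirect login flow.
     *
     * @param optional optional handler passed to every {@link CustomProfileManager}
     * @param list     the indirect client lists produced by the {@code get*Clients()} beans
     * @param list2    the direct client beans; empty optionals mean "REST disabled"
     * @return the pac4j configuration with callback URL {@code <base>/callback}
     * @throws URISyntaxException if the base URL cannot be resolved
     * @throws java.util.NoSuchElementException if local login is disabled and no indirect
     *         client other than the form client is registered (see the comment in the body)
     */
    @Bean
    public Config config(Optional<ProfileActionHandler> optional, List<List<OrderedClient<IndirectClient>>> list, List<Optional<DirectClient>> list2) throws URISyntaxException {
        List<OrderedClient<? extends Client>> allClients = new ArrayList<>();
        allClients.addAll(list.stream().flatMap(List::stream).toList());
        // Direct clients have no configured order; they always sort after the indirect ones.
        for (Optional<DirectClient> candidate : list2) {
            candidate.ifPresent(client -> allClients.add(new OrderedClient<>(Integer.MAX_VALUE, client)));
        }
        // Natural (Comparable) order of OrderedClient, same as Collections.sort.
        allClients.sort(null);
        addClients(allClients);

        List<Client> clients = allClients.stream()
                .<Client>map(orderedClient -> orderedClient.getClient())
                .collect(Collectors.toList());
        Config config = new Config(new Clients(baseUrl().getAbsoluteUrl("/callback"), clients));
        ProfileActionHandler actionHandler = optional.orElse(null);
        config.setProfileManagerFactory((webContext, sessionStore) ->
                new CustomProfileManager(webContext, sessionStore, actionHandler));

        this.directClientNames = String.join(",", getEnabledDirectClients().keySet());

        boolean localEnabled = getLocal().isEnabled();
        int indirectCount = getEnabledIndirectClients().size();
        // getFormClients() registers the form client unconditionally, so a single indirect
        // client with local login disabled means no usable login method is configured.
        if (!localEnabled && indirectCount == 1) {
            log.warn("No indirect clients configured: security is DISABLED");
            this.enabled = false;
            return config;
        }
        if (localEnabled || indirectCount > 2) {
            // Start at the form client; its name is the local authorizer name (see setBaseClientConfig).
            this.indirectStartClientName = getLocal().getAuthorizerName();
        } else {
            // Exactly one external provider next to the form client: start there directly.
            // Throws NoSuchElementException when no such client exists (indirectCount == 0).
            this.indirectStartClientName = getEnabledIndirectClients().values().stream()
                    .filter(client -> !(client instanceof FormClient))
                    .map(client -> client.getName())
                    .findFirst()
                    .orElseThrow();
        }
        this.enabled = true;
        log.debug("Initialized security: \ndirectClients: {}\nindirectStartClient: {}", list2, this.indirectStartClientName);
        return config;
    }

    /**
     * Direct client reading a bearer token from the {@code Authorization} header.
     *
     * @return empty when the REST interface is disabled
     */
    @Bean
    public Optional<DirectClient> directBearerAuthClient() {
        if (!this.rest.isEnabled()) {
            return Optional.empty();
        }
        DirectBearerAuthClient client = new DirectBearerAuthClient(super.getJwtAuthenticator());
        client.setName("directBearerAuthClient");
        client.setProfileCreator(new JwtProfileCreator());
        return Optional.of(client);
    }

    /**
     * Direct client reading the JWT from the request header named {@link AuthProfileDefinition#TOKEN}.
     *
     * @return empty when the REST interface is disabled
     */
    @Bean
    public Optional<DirectClient> headerClient() {
        if (!this.rest.isEnabled()) {
            return Optional.empty();
        }
        HeaderClient client = new HeaderClient(AuthProfileDefinition.TOKEN, super.getJwtAuthenticator());
        client.setName("headerClient");
        client.setProfileCreator(new JwtProfileCreator());
        return Optional.of(client);
    }

    /**
     * Direct client reading the JWT from the request parameter named
     * {@link AuthProfileDefinition#TOKEN}. Only GET requests are accepted.
     *
     * @return empty when the REST interface is disabled
     */
    @Bean
    public Optional<DirectClient> parameterClient() {
        if (!this.rest.isEnabled()) {
            return Optional.empty();
        }
        ParameterClient client = new ParameterClient(AuthProfileDefinition.TOKEN, super.getJwtAuthenticator());
        client.setName("parameterClient");
        client.setProfileCreator(new JwtProfileCreator());
        // NOTE(review): a token in the query string is visible in access logs and Referer
        // headers; keep the accepted token lifetime short if this client is exposed.
        client.setSupportGetRequest(true);
        client.setSupportPostRequest(false);
        return Optional.of(client);
    }

    /**
     * The username/password form client. It is registered even when local login is
     * disabled (only the local user list is left empty then); {@link #config} relies on
     * this when counting indirect clients.
     *
     * @return a single-element list with the form client at the configured local order
     * @throws URISyntaxException if the login URL cannot be resolved
     */
    @Bean
    public List<OrderedClient<IndirectClient>> getFormClients() throws URISyntaxException {
        List<OrderedClient<IndirectClient>> clients = new ArrayList<>();
        LocalUsernamePasswordAuthenticator authenticator = new LocalUsernamePasswordAuthenticator();
        authenticator.setEncoder(new BCryptPasswordEncoder());
        if (this.local.isEnabled()) {
            authenticator.setLocalUserConfigurations(this.local.getUsers());
        }
        FormClient formClient = new FormClient(baseUrl().getAbsoluteUrl("/login"), authenticator);
        setBaseClientConfig(formClient, this.local);
        formClient.setProfileCreator(new LocalProfileCreator(formClient, this));
        clients.add(new OrderedClient<>(this.local.getOrder(), formClient));
        return clients;
    }

    /**
     * One {@link OidcClient} per enabled OpenID Connect entry.
     *
     * @return the enabled OIDC clients; empty when none is configured
     */
    @Bean
    public List<OrderedClient<IndirectClient>> getOpenIDClients() {
        List<OrderedClient<IndirectClient>> clients = new ArrayList<>();
        if (this.openid == null || this.openid.length == 0) {
            return clients;
        }
        for (OpenIDSecurity security : this.openid) {
            if (!security.isEnabled()) {
                continue;
            }
            OidcConfiguration oidcConfig = new OidcConfiguration();
            oidcConfig.setClientId(security.getClientId());
            oidcConfig.setSecret(security.getSecret());
            oidcConfig.setDiscoveryURI(security.getDiscoveryURI());
            oidcConfig.setResponseType(security.getResponseType());
            oidcConfig.setResponseMode(security.getResponseMode());
            oidcConfig.setScope(security.getScope());
            oidcConfig.setUseNonce(security.isUseNonce());
            oidcConfig.setClientAuthenticationMethod(new ClientAuthenticationMethod(security.getClientAuthenticationMethod()));
            oidcConfig.setMaxClockSkew(security.getMaxClockSkew());
            oidcConfig.setExpireSessionWithToken(security.isExpireSessionWithToken());
            oidcConfig.setTokenExpirationAdvance(security.getTokenExpirationAdvance());
            // Passed through from configuration: unsigned ID tokens carry no integrity
            // protection, so this should stay off outside of test setups.
            oidcConfig.setAllowUnsignedIdTokens(security.isAllowUnsignedIdTokens());
            OidcClient oidcClient = new OidcClient(oidcConfig);
            setBaseClientConfig(oidcClient, security);
            oidcClient.setProfileCreator(new ExtendedOidcProfileCreator(oidcConfig, oidcClient));
            clients.add(new OrderedClient<>(security.getOrder(), oidcClient));
        }
        return clients;
    }

    /**
     * One {@link OAuth20Client} per enabled OAuth 2.0 entry whose {@code api} is known.
     * Entries with a missing or unknown API are logged and skipped rather than registered
     * without an API.
     *
     * @return the enabled OAuth clients; empty when none is configured
     */
    @Bean
    public List<OrderedClient<IndirectClient>> getOauthClients() {
        List<OrderedClient<IndirectClient>> clients = new ArrayList<>();
        if (this.oauth == null || this.oauth.length == 0) {
            return clients;
        }
        for (OAuthSecurity security : this.oauth) {
            if (!security.isEnabled()) {
                continue;
            }
            String api = security.getApi();
            if (api == null || api.isBlank()) {
                log.warn("No OAuth API specified, security client not configured");
                continue;
            }
            if (!GITHUB_API.equals(api)) {
                log.warn("Unknown OAuth API: {}, security client not configured", api);
                continue;
            }
            OAuth20Configuration oauthConfig = new OAuth20Configuration();
            oauthConfig.setApi(GitHubApi.instance());
            oauthConfig.setProfileDefinition(new GitHubProfileDefinition());
            oauthConfig.setScope(security.getScope());
            oauthConfig.setKey(security.getClientId());
            oauthConfig.setSecret(security.getSecret());
            OAuth20Client oauthClient = new OAuth20Client();
            setBaseClientConfig(oauthClient, security);
            oauthClient.setConfiguration(oauthConfig);
            oauthClient.setProfileCreator(new ExtendedOAuthProfileCreator(oauthConfig, oauthClient));
            clients.add(new OrderedClient<>(security.getOrder(), oauthClient));
        }
        return clients;
    }

    /**
     * The SAML 2.0 service-provider client, when SAML is enabled.
     *
     * <p>SP metadata is read from {@code auth.saml.sp.metadataResource} when that path exists;
     * otherwise (not configured, or configured but missing) pac4j generates it. The SP entity
     * id falls back to the application base URL when none is configured.
     *
     * @return a single-element list, or an empty list when SAML is disabled
     * @throws URISyntaxException if the base URL cannot be resolved
     */
    @Bean
    public List<OrderedClient<IndirectClient>> getSamlClient() throws URISyntaxException {
        List<OrderedClient<IndirectClient>> clients = new ArrayList<>();
        if (!this.saml.isEnabled()) {
            return clients;
        }
        var keystore = this.saml.getKeystore();
        var sp = this.saml.getSp();

        SAML2Configuration samlConfig = new SAML2Configuration();
        samlConfig.setKeyStoreAlias(keystore.getAlias());
        samlConfig.setKeystorePath(keystore.getPath());
        samlConfig.setPrivateKeyPassword(keystore.getAliaspass());
        samlConfig.setKeystorePassword(keystore.getPass());
        samlConfig.setIdentityProviderMetadataPath(this.saml.getMetadata().getUrl());

        String spMetadataResource = sp.getMetadataResource();
        if (spMetadataResource == null) {
            log.info("SP metadata resource is not configured (auth.saml.sp.metadataResource); metadata will be generated and served in-memory");
        } else if (Files.exists(Paths.get(spMetadataResource))) {
            samlConfig.setServiceProviderMetadataPath(spMetadataResource);
        } else {
            // Same outcome as "not configured" (generated metadata), but the missing path is reported.
            log.warn("Configured SP metadata resource does not exist", new FileNotFoundException(spMetadataResource));
        }

        samlConfig.setMaximumAuthenticationLifetime(sp.getMaxAuthAge());
        samlConfig.setSignatureAlgorithms(sp.getSigningMethods());
        samlConfig.setSignatureReferenceDigestMethods(sp.getDigestMethods());
        if (sp.getEntityId() != null) {
            samlConfig.setServiceProviderEntityId(sp.getEntityId());
        } else {
            samlConfig.setServiceProviderEntityId(baseUrl().getUrl());
        }
        samlConfig.setSpLogoutRequestSigned(sp.isLogoutRequestSigned());
        samlConfig.setWantsAssertionsSigned(sp.isWantsAssertionsSigned());
        samlConfig.setWantsResponsesSigned(sp.isWantsResponsesSigned());
        samlConfig.setAuthnRequestSigned(sp.isAuthnRequestSigned());
        samlConfig.setSignMetadata(sp.isSignMetadata());
        samlConfig.setSupportedProtocols(sp.getSupportedProtocols());
        samlConfig.setHttpClient(sp.getHttpClient());
        samlConfig.setMappedAttributes(sp.getMappedAttributesNameMap());

        CustomSAML2Client samlClient = new CustomSAML2Client(samlConfig, this.saml);
        setBaseClientConfig(samlClient, this.saml);
        samlClient.setProfileCreator(new SamlProfileCreator(samlConfig, samlClient, this));
        clients.add(new OrderedClient<>(this.saml.getOrder(), samlClient));
        return clients;
    }

    /**
     * Applies the settings shared by every client: a fresh custom-property map holding the
     * optional display text and image, and the client name taken from the authorizer name.
     * The image is only stored when it is present (previously the text was checked instead).
     */
    private void setBaseClientConfig(BaseClient baseClient, BaseSecurity baseSecurity) {
        baseClient.setCustomProperties(new HashMap<>());
        String text = baseSecurity.getText();
        if (text != null) {
            baseClient.getCustomProperties().put("text", text);
        }
        String image = baseSecurity.getImage();
        if (image != null) {
            baseClient.getCustomProperties().put(YahooProfileDefinition.IMAGE, image);
        }
        baseClient.setName(baseSecurity.getAuthorizerName());
    }

    /**
     * Sorts the given clients by name into the inherited enabled-indirect / enabled-direct
     * maps; {@link IndirectClient}s go to the former, everything else to the latter.
     * A {@code null} list is ignored.
     */
    private void addClients(List<OrderedClient<? extends Client>> list) {
        if (list == null) {
            return;
        }
        for (OrderedClient<? extends Client> orderedClient : list) {
            Client client = orderedClient.getClient();
            if (IndirectClient.class.isAssignableFrom(client.getClass())) {
                this.enabledIndirectClients.put(client.getName(), client);
            } else {
                this.enabledDirectClients.put(client.getName(), client);
            }
        }
    }

    /** Whether {@link #config} found at least one usable indirect login method. */
    public boolean isEnabled() {
        return this.enabled;
    }

    /** Name of the indirect client the login flow starts with; {@code null} until {@link #config} ran. */
    public String getIndirectStartClientName() {
        return this.indirectStartClientName;
    }

    /** Comma-joined names of the enabled direct clients; {@code null} until {@link #config} ran. */
    public String getDirectClientNames() {
        return this.directClientNames;
    }
}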
