package eu.dariah.de.dariahsp.spring.config;

import eu.dariah.de.dariahsp.ProfileActionHandler;
import eu.dariah.de.dariahsp.authentication.SAMLRequiredAttributeAuthenticator;
import eu.dariah.de.dariahsp.authentication.SystemTokenAuthenticator;
import eu.dariah.de.dariahsp.authentication.UserTokenAuthenticator;
import eu.dariah.de.dariahsp.config.BaseSecurityConfig;
import eu.dariah.de.dariahsp.config.BaseUrl;
import eu.dariah.de.dariahsp.config.OrderedClient;
import eu.dariah.de.dariahsp.config.rest.SystemToken;
import eu.dariah.de.dariahsp.helpers.SAMLMetadataHelper;
import eu.dariah.de.dariahsp.profiles.LocalProfileCreator;
import eu.dariah.de.dariahsp.profiles.SamlProfileCreator;
import eu.dariah.de.dariahsp.spring.authentication.CustomizableProfileManager;
import eu.dariah.de.dariahsp.spring.authentication.LocalUsernamePasswordAuthenticator;
import java.io.FileNotFoundException;
import java.net.URISyntaxException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import java.util.stream.Collectors;
import org.pac4j.core.client.Client;
import org.pac4j.core.client.Clients;
import org.pac4j.core.client.DirectClient;
import org.pac4j.core.client.IndirectClient;
import org.pac4j.core.config.Config;
import org.pac4j.http.client.direct.DirectBasicAuthClient;
import org.pac4j.http.client.indirect.FormClient;
import org.pac4j.saml.client.SAML2Client;
import org.pac4j.saml.config.SAML2Configuration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.access.vote.RoleHierarchyVoter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;

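/**
 * Spring wiring of the pac4j authentication clients (local form login, SAML2 service provider,
 * HTTP Basic clients for the REST interface) and of the role hierarchy.
 * <p>
 * Every setting used here ({@code local}, {@code saml}, {@code rest}, {@code baseUrl},
 * {@code permissionHierarchy}, {@code permissionDefinitions}, the enabled-client name sets) is
 * inherited from {@link BaseSecurityConfig}; this class only turns them into beans. Client bean
 * methods return {@code null} when the corresponding mechanism is disabled in the configuration;
 * {@link #config} therefore tolerates absent lists and the sorted client list only contains
 * enabled clients.
 */
@Configuration
@ComponentScan
/* loaded from: input_file:BOOT-INF/lib/dariahsp-spring-4.1.2-SNAPSHOT.jar:eu/dariah/de/dariahsp/spring/config/SecurityConfig.class */
public class SecurityConfig extends BaseSecurityConfig {
    private static final Logger log = LoggerFactory.getLogger(SecurityConfig.class);

    /**
     * Authenticator for the statically configured local users.
     *
     * @return the authenticator, or {@link Optional#empty()} when local login is disabled
     */
    @Bean
    public Optional<LocalUsernamePasswordAuthenticator> localUsernamePasswordAuthenticator() {
        if (!this.local.isEnabled()) {
            return Optional.empty();
        }
        LocalUsernamePasswordAuthenticator authenticator = new LocalUsernamePasswordAuthenticator();
        // Passwords are verified through bcrypt, so the configured user entries are expected to
        // hold bcrypt hashes rather than plaintext — confirm against LocalUsernamePasswordAuthenticator.
        authenticator.setEncoder(new BCryptPasswordEncoder());
        authenticator.setLocalUserConfigurations(this.local.getUsers());
        return Optional.of(authenticator);
    }

    /**
     * Role hierarchy built from the configured permission hierarchy string.
     *
     * @return the hierarchy used by {@link #roleVoter()}
     */
    @Bean
    public RoleHierarchy roleHierarchy() {
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        hierarchy.setHierarchy(this.permissionHierarchy);
        log.info("PermissionHierarchy configured: {}", this.permissionHierarchy);
        return hierarchy;
    }

    /**
     * Access-decision voter that honours the configured role hierarchy.
     *
     * @return the voter wrapping {@link #roleHierarchy()}
     */
    @Bean
    public RoleHierarchyVoter roleVoter() {
        return new RoleHierarchyVoter(roleHierarchy());
    }

    /**
     * Redirect-based form login client backed by the local users.
     *
     * @return the ordered client, or {@code null} when local login is disabled
     * @throws URISyntaxException if the login page URL cannot be derived from the base URL
     */
    @Bean
    public OrderedClient<IndirectClient> getFormClient() throws URISyntaxException {
        Optional<LocalUsernamePasswordAuthenticator> authenticator = localUsernamePasswordAuthenticator();
        if (!authenticator.isPresent()) {
            return null;
        }
        FormClient formClient = new FormClient(
                baseUrl().getAbsoluteUrl(DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL),
                authenticator.get());
        formClient.setName(this.local.getAuthorizerName());
        formClient.setProfileCreator(localProfileCreator());
        return new OrderedClient<>(this.local.getOrder(), formClient);
    }

    /**
     * Authenticator for the configured system tokens (machine credentials for the REST interface).
     *
     * @return the authenticator, or {@link Optional#empty()} when REST is disabled or no token is configured
     */
    @Bean
    public Optional<SystemTokenAuthenticator> systemTokenAuthenticator() {
        SystemToken[] systemTokens = this.rest.getSystemTokens();
        if (!this.rest.isEnabled() || systemTokens == null || systemTokens.length == 0) {
            return Optional.empty();
        }
        SystemTokenAuthenticator authenticator = new SystemTokenAuthenticator();
        authenticator.setSystemTokenConfigurations(systemTokens);
        return Optional.of(authenticator);
    }

    /**
     * Base URL under which the application is reachable; all callback and login URLs derive from it.
     *
     * @return the base URL wrapper
     */
    @Bean
    public BaseUrl baseUrl() {
        log.info("Base URL for security: {}", this.baseUrl);
        return new BaseUrl(this.baseUrl);
    }

    /** @return helper for SAML metadata handling */
    @Bean
    public SAMLMetadataHelper metadataHelper() {
        return new SAMLMetadataHelper();
    }

    /**
     * Central pac4j configuration: merges all enabled indirect and direct clients, sorts them by
     * their order, records their names in the inherited enabled-client sets and installs the
     * customizable profile manager.
     *
     * @param optional optional handler invoked by the profile manager
     * @param list     enabled indirect (redirect-based) clients; may be {@code null}
     * @param list2    enabled direct (per-request credential) clients; may be {@code null}
     * @return the pac4j config
     * @throws URISyntaxException if the callback URL cannot be derived from the base URL
     */
    @Bean
    public Config config(Optional<ProfileActionHandler> optional, List<OrderedClient<IndirectClient>> list, List<OrderedClient<DirectClient>> list2) throws URISyntaxException {
        List<OrderedClient<? extends Client>> orderedClients = new ArrayList<>();
        if (list != null) {
            orderedClients.addAll(list);
        }
        if (list2 != null) {
            orderedClients.addAll(list2);
        }
        // Natural ordering, i.e. OrderedClient's own Comparable implementation (declared outside
        // this class); a null comparator is what Collections.sort(list) delegates to.
        orderedClients.sort(null);
        addClientNames(orderedClients);
        List<Client> clients = orderedClients.stream()
                .<Client>map(OrderedClient::getClient)
                .collect(Collectors.toList());
        Config config = new Config(new Clients(baseUrl().getAbsoluteUrl("/callback"), clients));
        config.setProfileManagerFactory((webContext, sessionStore) ->
                new CustomizableProfileManager(webContext, sessionStore, optional.orElse(null)));
        return config;
    }

    /**
     * SAML2 service-provider client. Keystore, IdP metadata, signature requirements and algorithm
     * choices all come from the {@code saml} configuration; the SP metadata is either read from
     * the configured resource or generated in memory when that resource is unset or missing.
     *
     * @return the ordered client, or {@code null} when SAML is disabled
     * @throws URISyntaxException declared for symmetry with the other client beans
     */
    @Bean
    public OrderedClient<IndirectClient> getSamlClient() throws URISyntaxException {
        if (!this.saml.isEnabled()) {
            return null;
        }
        SAML2Configuration samlConfig = new SAML2Configuration();
        samlConfig.setKeystoreAlias(this.saml.getKeystore().getAlias());
        samlConfig.setKeystorePath(this.saml.getKeystore().getPath());
        samlConfig.setPrivateKeyPassword(this.saml.getKeystore().getAliaspass());
        samlConfig.setKeystorePassword(this.saml.getKeystore().getPass());
        samlConfig.setIdentityProviderMetadataPath(this.saml.getMetadata().getUrl());
        String spMetadataResource = this.saml.getSp().getMetadataResource();
        if (spMetadataResource == null) {
            log.info("SP metadata resource is not configured (auth.saml.sp.metadataResource); metadata will be generated and served in-memory");
        } else if (Files.exists(Paths.get(spMetadataResource), new LinkOption[0])) {
            samlConfig.setServiceProviderMetadataPath(spMetadataResource);
        } else {
            // Missing file is not fatal: pac4j falls back to its own generated metadata.
            log.warn("Configured SP metadata resource does not exist", new FileNotFoundException(spMetadataResource));
        }
        samlConfig.setMaximumAuthenticationLifetime(this.saml.getSp().getMaxAuthAge());
        // Algorithms offered for signing and digesting SP-side messages.
        samlConfig.setSignatureAlgorithms(this.saml.getSp().getSigningMethods());
        samlConfig.setSignatureReferenceDigestMethods(this.saml.getSp().getDigestMethods());
        // Entity id defaults to the application's base URL when not configured explicitly.
        if (this.saml.getSp().getEntityId() != null) {
            samlConfig.setServiceProviderEntityId(this.saml.getSp().getEntityId());
        } else {
            samlConfig.setServiceProviderEntityId(this.baseUrl);
        }
        // These flags decide whether unsigned IdP responses/assertions are accepted and whether
        // SP-issued requests are signed; they are taken verbatim from the configuration.
        samlConfig.setSpLogoutRequestSigned(this.saml.getSp().isLogoutRequestSigned());
        samlConfig.setWantsAssertionsSigned(this.saml.getSp().isWantsAssertionsSigned());
        samlConfig.setWantsResponsesSigned(this.saml.getSp().isWantsResponsesSigned());
        samlConfig.setAuthnRequestSigned(this.saml.getSp().isAuthnRequestSigned());
        samlConfig.setSignMetadata(this.saml.getSp().isSignMetadata());
        samlConfig.setSupportedProtocols(this.saml.getSp().getSupportedProtocols());
        samlConfig.setHttpClient(this.saml.getSp().getHttpClient());
        samlConfig.setMappedAttributes(this.saml.getSp().getMappedAttributesNameMap());
        SAML2Client samlClient = new SAML2Client(samlConfig);
        samlClient.setName(this.saml.getAuthorizerName());
        samlClient.setProfileCreator(saml2ProfileCreator());
        // Presumably rejects assertions lacking the attributes the SP configuration marks as
        // required — see SAMLRequiredAttributeAuthenticator.
        samlClient.setAuthenticator(new SAMLRequiredAttributeAuthenticator(
                samlConfig.getAttributeAsId(), samlConfig.getMappedAttributes(), this.saml.getSp()));
        return new OrderedClient<>(this.saml.getOrder(), samlClient);
    }

    /**
     * HTTP Basic client that accepts the local users' credentials on REST calls.
     *
     * @return the ordered client, or {@code null} when local login or REST is disabled
     */
    @Bean
    public OrderedClient<DirectClient> getLocalUsernameBasicAuthClient() {
        Optional<LocalUsernamePasswordAuthenticator> authenticator = localUsernamePasswordAuthenticator();
        if (!authenticator.isPresent() || !this.rest.isEnabled()) {
            return null;
        }
        DirectBasicAuthClient basicAuthClient = new DirectBasicAuthClient(authenticator.get());
        basicAuthClient.setName(this.rest.getAuthorizerName() + "_localUsernamePassword");
        basicAuthClient.setProfileCreator(localProfileCreator());
        // Direct clients are given the largest order so they sort after the redirect-based ones.
        return new OrderedClient<>(Integer.MAX_VALUE, basicAuthClient);
    }

    /**
     * HTTP Basic client that accepts the configured system tokens on REST calls.
     *
     * @return the ordered client, or {@code null} when no system token authenticator exists
     */
    @Bean
    public OrderedClient<DirectClient> getSystemTokenBasicAuthClient() {
        Optional<SystemTokenAuthenticator> authenticator = systemTokenAuthenticator();
        if (!authenticator.isPresent()) {
            return null;
        }
        DirectBasicAuthClient basicAuthClient = new DirectBasicAuthClient(authenticator.get());
        basicAuthClient.setName(this.rest.getAuthorizerName() + "_systemToken");
        basicAuthClient.setProfileCreator(systemProfileCreator());
        return new OrderedClient<>(Integer.MAX_VALUE, basicAuthClient);
    }

    /**
     * HTTP Basic client for per-user tokens, available only when a {@link UserTokenAuthenticator}
     * bean is present. The injected authenticator is also given the permission definitions here.
     * Unlike the other direct clients no profile creator is set — presumably the authenticator
     * produces the profile itself; confirm before changing.
     *
     * @param optional the user token authenticator, if any
     * @return the ordered client, or {@code null} when no authenticator is present
     */
    @Bean
    public OrderedClient<DirectClient> getUserTokenBasicAuthClient(Optional<UserTokenAuthenticator> optional) {
        if (!optional.isPresent()) {
            return null;
        }
        UserTokenAuthenticator authenticator = optional.get();
        DirectBasicAuthClient basicAuthClient = new DirectBasicAuthClient(authenticator);
        authenticator.setPermissionDefinitions(this.permissionDefinitions);
        basicAuthClient.setName(this.rest.getAuthorizerName() + "_userToken");
        return new OrderedClient<>(Integer.MAX_VALUE, basicAuthClient);
    }

    /** Profile creator for SAML logins, carrying the permission definitions. */
    private SamlProfileCreator saml2ProfileCreator() {
        SamlProfileCreator creator = new SamlProfileCreator(this, this.saml.getAuthorizerName());
        creator.setPermissionDefinitions(this.permissionDefinitions);
        return creator;
    }

    /** Profile creator for local users, named after the local authorizer. */
    private LocalProfileCreator localProfileCreator() {
        LocalProfileCreator creator = new LocalProfileCreator(this.local.getAuthorizerName());
        creator.setPermissionDefinitions(this.permissionDefinitions);
        return creator;
    }

    /** Profile creator for system tokens, named after the REST authorizer. */
    private LocalProfileCreator systemProfileCreator() {
        LocalProfileCreator creator = new LocalProfileCreator(this.rest.getAuthorizerName());
        creator.setPermissionDefinitions(this.permissionDefinitions);
        return creator;
    }

    /**
     * Records each client's name in the inherited enabled-indirect or enabled-direct name set,
     * depending on whether the client is an {@link IndirectClient}.
     *
     * @param list the clients to register; {@code null} is ignored
     */
    private void addClientNames(List<OrderedClient<? extends Client>> list) {
        if (list == null) {
            return;
        }
        for (OrderedClient<? extends Client> orderedClient : list) {
            Client client = orderedClient.getClient();
            if (client instanceof IndirectClient) {
                this.enabledIndirectClientNames.add(client.getName());
            } else {
                this.enabledDirectClientNames.add(client.getName());
            }
        }
    }
}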
