package io.gardenerframework.camellia.authentication.server.configuration;

import io.gardenerframework.camellia.authentication.server.common.configuration.AuthenticationServerPathOption;
import io.gardenerframework.camellia.authentication.server.main.exception.AuthenticationServerAuthenticationExceptions;
import io.gardenerframework.camellia.authentication.server.main.spring.AuthenticationEndpointAuthenticationFailureHandler;
import io.gardenerframework.camellia.authentication.server.main.utils.AuthenticationEndpointMatcher;
import io.gardenerframework.camellia.authentication.server.main.utils.DefaultAuthenticationEndpointMatcher;
import io.gardenerframework.fragrans.api.standard.error.DefaultApiErrorConstants;
import io.gardenerframework.fragrans.api.standard.error.ServletApiErrorAttributes;
import io.gardenerframework.fragrans.api.standard.error.ServletApiErrorAttributesConfigurer;
import io.gardenerframework.fragrans.api.standard.error.configuration.RevealError;
import io.gardenerframework.fragrans.messages.EnhancedMessageSource;
import java.util.Arrays;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.i18n.LocaleContextHolder;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AccountStatusException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@RevealError(superClasses = {AuthenticationServerAuthenticationExceptions.ClientSideException.class, AuthenticationServerAuthenticationExceptions.ServerSideException.class, BadCredentialsException.class, AccountStatusException.class})
@Order(Integer.MIN_VALUE)
/* loaded from: input_file:io/gardenerframework/camellia/authentication/server/configuration/AuthenticationServerEngineSecurityConfiguration.class */
public class AuthenticationServerEngineSecurityConfiguration extends WebSecurityConfigurerAdapter implements ServletApiErrorAttributesConfigurer {
    /** Path layout of the authentication server (REST API root, web pages, logout endpoint). */
    private final AuthenticationServerPathOption authenticationServerPathOption;
    /** Installs the web authentication endpoint filter into the chain. */
    private final WebAuthenticationEndpointFilterConfigurer webAuthenticationEndpointFilterConfigurer;
    /** Installs the OAuth2 authorization server and exposes its request matchers. */
    private final OAuth2AuthorizationServerConfigurerProxy oAuth2AuthorizationServerConfigurerProxy;
    /** Optional matcher for authentication endpoints; applied to the chain when it is the default implementation. */
    private final AuthenticationEndpointMatcher authenticationEndpointMatcher;
    /** Renders authentication failures for OAuth2 endpoints instead of redirecting to the login page. */
    private final AuthenticationEndpointAuthenticationFailureHandler authenticationEndpointAuthenticationFailureHandler;
    /** Resolves localized error descriptions for the OAuth2 error response. */
    private final EnhancedMessageSource messageSource;
    /** Authorization server endpoint paths excluded from API error attribute handling. */
    private final AuthorizationServerSettings authorizationServerSettings;

    /**
     * Creates the security configuration with all collaborators injected.
     *
     * @param authenticationServerPathOption                    server path layout
     * @param webAuthenticationEndpointFilterConfigurer         web authentication endpoint filter configurer
     * @param oAuth2AuthorizationServerConfigurerProxy          OAuth2 authorization server configurer proxy
     * @param authenticationEndpointMatcher                     authentication endpoint matcher
     * @param authenticationEndpointAuthenticationFailureHandler failure handler for OAuth2 endpoints
     * @param enhancedMessageSource                             message source for localized error text
     * @param authorizationServerSettings                       authorization server endpoint settings
     */
    public AuthenticationServerEngineSecurityConfiguration(AuthenticationServerPathOption authenticationServerPathOption, WebAuthenticationEndpointFilterConfigurer webAuthenticationEndpointFilterConfigurer, OAuth2AuthorizationServerConfigurerProxy oAuth2AuthorizationServerConfigurerProxy, AuthenticationEndpointMatcher authenticationEndpointMatcher, AuthenticationEndpointAuthenticationFailureHandler authenticationEndpointAuthenticationFailureHandler, EnhancedMessageSource enhancedMessageSource, AuthorizationServerSettings authorizationServerSettings) {
        this.authenticationServerPathOption = authenticationServerPathOption;
        this.webAuthenticationEndpointFilterConfigurer = webAuthenticationEndpointFilterConfigurer;
        this.oAuth2AuthorizationServerConfigurerProxy = oAuth2AuthorizationServerConfigurerProxy;
        this.authenticationEndpointMatcher = authenticationEndpointMatcher;
        this.authenticationEndpointAuthenticationFailureHandler = authenticationEndpointAuthenticationFailureHandler;
        this.messageSource = enhancedMessageSource;
        this.authorizationServerSettings = authorizationServerSettings;
    }

    /**
     * Builds the engine's security filter chain.
     * <p>
     * The chain applies the web authentication endpoint filter and the OAuth2 authorization
     * server, disables CSRF protection only under the REST authentication API context path,
     * permits anonymous access to that API plus the error page and the MFA challenge page,
     * and requires authentication for every other request. Logout is bound to the configured
     * logout endpoint and redirects to the logout page. Unauthenticated requests are redirected
     * to the login page, except requests to OAuth2 endpoints other than the authorization
     * endpoint, which receive an {@code unauthorized} OAuth2 error through the failure handler.
     * The {@code @Order(Integer.MIN_VALUE)} annotation gives this chain the highest precedence.
     *
     * @param httpSecurity the builder to configure
     * @throws Exception propagated from the applied configurers
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.apply(this.webAuthenticationEndpointFilterConfigurer);
        httpSecurity.apply(this.oAuth2AuthorizationServerConfigurerProxy);

        // CSRF is bypassed for the REST authentication API only; all other paths keep the default protection.
        httpSecurity.csrf()
                .ignoringRequestMatchers(new AntPathRequestMatcher(restApiAntPattern()));

        // Anonymous access is limited to the REST API, the error page and the MFA challenge page.
        httpSecurity.authorizeRequests()
                .antMatchers(
                        restApiAntPattern(),
                        this.authenticationServerPathOption.getWebAuthenticationErrorPage(),
                        this.authenticationServerPathOption.getWebMfaChallengePage())
                .permitAll();

        httpSecurity.authorizeRequests()
                .anyRequest()
                .authenticated();

        httpSecurity.logout()
                .logoutRequestMatcher(new AntPathRequestMatcher(this.authenticationServerPathOption.getWebLogoutEndpoint()))
                .logoutSuccessUrl(this.authenticationServerPathOption.getWebLogoutPage());

        httpSecurity.exceptionHandling()
                .authenticationEntryPoint((request, response, failure) -> {
                    boolean isOAuth2Endpoint = this.oAuth2AuthorizationServerConfigurerProxy.getEndpointMatcher().matches(request);
                    // The authorization endpoint is browser-facing, so it still goes through the login page.
                    if (isOAuth2Endpoint && !this.oAuth2AuthorizationServerConfigurerProxy.getAuthorizationEndpointMatcher().matches(request)) {
                        // Fall back to the generic "unknown error" text when the exception has no message of its own.
                        String description = this.messageSource.getMessage(
                                failure,
                                this.messageSource.getMessage(DefaultApiErrorConstants.UNKNOWN_ERROR, LocaleContextHolder.getLocale()),
                                LocaleContextHolder.getLocale());
                        OAuth2Error error = new OAuth2Error("unauthorized", description, (String) null);
                        this.authenticationEndpointAuthenticationFailureHandler.onAuthenticationFailure(
                                request, response, new OAuth2AuthenticationException(error, failure));
                    } else {
                        response.sendRedirect(this.authenticationServerPathOption.getWebLoginPage());
                    }
                });

        // Only the default matcher implementation doubles as an HttpSecurity configurer.
        if (this.authenticationEndpointMatcher instanceof DefaultAuthenticationEndpointMatcher) {
            httpSecurity.apply((DefaultAuthenticationEndpointMatcher) this.authenticationEndpointMatcher);
        }
    }

    /**
     * Excludes the authorization server's own endpoints from API error attribute handling,
     * so their responses are not rewritten into the generic API error format.
     *
     * @param servletApiErrorAttributes the error attributes whose ignore list is extended
     */
    @Override
    public void accept(ServletApiErrorAttributes servletApiErrorAttributes) {
        AuthorizationServerSettings settings = this.authorizationServerSettings;
        servletApiErrorAttributes.getIgnoringUrlPatterns().addAll(Arrays.asList(
                settings.getAuthorizationEndpoint(),
                settings.getJwkSetEndpoint(),
                settings.getTokenEndpoint(),
                settings.getOidcUserInfoEndpoint(),
                settings.getTokenIntrospectionEndpoint(),
                settings.getTokenRevocationEndpoint(),
                settings.getOidcClientRegistrationEndpoint()));
    }

    /**
     * Ant pattern matching every request below the REST authentication API context path.
     *
     * @return {@code <context-path>/**}
     */
    private String restApiAntPattern() {
        return String.format("%s/**", this.authenticationServerPathOption.getAuthenticationRestApiContextPath());
    }
}
