package org.zowe.apiml.cloudgatewayservice.config;

import jakarta.annotation.PostConstruct;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import org.apache.commons.lang.StringUtils;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.authentication.preauth.x509.SubjectDnX509PrincipalExtractor;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.zowe.apiml.product.constants.CoreService;
import reactor.core.publisher.Mono;

/**
 * Reactive security configuration for the cloud gateway: X.509 client-certificate
 * authentication in front of the registry API, everything else open.
 *
 * <p>Decompiled from
 * {@code BOOT-INF/classes/org/zowe/apiml/cloudgatewayservice/config/WebSecurity.class}.
 *
 * <p>NOTE(review): as written in this class, the registry path matcher demands only
 * {@code authenticated()}, and the inline authentication manager marks every extracted
 * certificate principal as authenticated without consulting the allow-list. The
 * {@code REGISTRY} authority is attached solely by {@link #userDetailsService()}, which the
 * inline manager does not call. Confirm that the allow-list is enforced elsewhere (for
 * example an authority check on the registry endpoints) and that the authentication reaching
 * that check actually carries the authorities built here; otherwise
 * {@code apiml.security.x509.registry.allowedUsers} has no effect on this path.
 */
@Configuration
public class WebSecurity {

    /**
     * Raw allow-list from {@code apiml.security.x509.registry.allowedUsers}; entries are
     * separated by {@code ,} or {@code ;}. Resolves to {@code null} when the property is unset.
     */
    @Value("${apiml.security.x509.registry.allowedUsers:#{null}}")
    private String allowedUsers;

    /** Decides whether a user name is entitled to the {@code REGISTRY} authority. */
    private Predicate<String> usernameAuthorizationTester;

    /**
     * Builds {@link #usernameAuthorizationTester} from {@link #allowedUsers} once injection
     * is complete.
     *
     * <p>The value {@code "*"} (exact match on the whole property) admits every user name.
     * Otherwise the property is split on {@code ,} / {@code ;}, each entry is trimmed and
     * lower-cased, and a candidate matches when its lower-cased form is in that set. An unset
     * property yields an empty set, so nobody matches (fail-closed default).
     */
    @PostConstruct
    void initScopes() {
        final boolean allowEveryone = "*".equals(this.allowedUsers);

        final List<String> rawEntries = Optional.ofNullable(this.allowedUsers)
                .map(value -> value.split("[,;]"))
                .map(Arrays::asList)
                .orElse(Collections.emptyList());

        // Entries are trimmed here; the candidate name is only lower-cased, not trimmed.
        // Both sides fold case with the JVM default locale, so they stay consistent.
        final Set<String> permitted = rawEntries.stream()
                .map(String::trim)
                .map(String::toLowerCase)
                .collect(Collectors.toSet());

        this.usernameAuthorizationTester =
                candidate -> allowEveryone || permitted.contains(StringUtils.lowerCase(candidate));
    }

    /**
     * Assembles the web filter chain.
     *
     * <ul>
     *   <li>X.509: the principal is taken from the certificate subject DN by
     *       {@link SubjectDnX509PrincipalExtractor}; the authentication manager below then
     *       flags that token as authenticated unconditionally.</li>
     *   <li>{@code /<cloud-gateway-service-id>/api/v1/registry/**} requires an authenticated
     *       exchange; every other exchange is permitted.</li>
     *   <li>CSRF protection is switched off.</li>
     * </ul>
     *
     * <p>NOTE(review): nothing in this method validates the certificate itself; that is
     * presumably left to the TLS layer's trust store. Verify that client-certificate
     * verification is enforced there, because this manager trusts whatever principal arrives.
     *
     * @param serverHttpSecurity the builder supplied by Spring Security
     * @return the built filter chain
     */
    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity serverHttpSecurity) {
        final String registryPattern =
                "/" + CoreService.CLOUD_GATEWAY.getServiceId() + "/api/v1/registry/**";
        final SubjectDnX509PrincipalExtractor dnExtractor = new SubjectDnX509PrincipalExtractor();

        // Accepts every token handed over by the X.509 filter; no allow-list or authority
        // lookup happens at this point.
        final ReactiveAuthenticationManager acceptExtractedPrincipal = token -> {
            token.setAuthenticated(true);
            return Mono.just(token);
        };

        serverHttpSecurity
                .x509(x509 -> x509
                        .principalExtractor(dnExtractor)
                        .authenticationManager(acceptExtractedPrincipal))
                .authorizeExchange(exchanges -> exchanges.pathMatchers(registryPattern).authenticated())
                .authorizeExchange(exchanges -> exchanges.anyExchange().permitAll())
                .csrf(ServerHttpSecurity.CsrfSpec::disable);

        return serverHttpSecurity.build();
    }

    /**
     * Supplies user details for a certificate-derived user name.
     *
     * <p>The returned user carries the {@code REGISTRY} authority only when
     * {@link #usernameAuthorizationTester} accepts the name; otherwise it has no authorities.
     * The password is an empty placeholder: no password comparison appears in this class.
     *
     * @return a lookup that never fails for unknown names, it just grants them nothing
     */
    @Bean
    @Primary
    ReactiveUserDetailsService userDetailsService() {
        return username -> {
            final boolean registryAllowed = this.usernameAuthorizationTester.test(username);

            final List<SimpleGrantedAuthority> granted = new ArrayList<>();
            if (registryAllowed) {
                granted.add(new SimpleGrantedAuthority("REGISTRY"));
            }

            return Mono.just(
                    User.withUsername(username)
                            .authorities(granted)
                            .password("")
                            .build());
        };
    }
}
