package org.zowe.apiml.cloudgatewayservice.config;

import jakarta.annotation.PostConstruct;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.NoSuchBeanDefinitionException;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpCookie;
import org.springframework.http.HttpStatusCode;
import org.springframework.http.ResponseCookie;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.oauth2.client.AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.InMemoryReactiveOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.InMemoryReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.server.AuthenticatedPrincipalServerOAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.server.DefaultServerOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.server.ServerAuthorizationRequestRepository;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.web.authentication.preauth.x509.SubjectDnX509PrincipalExtractor;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.WebFilterExchange;
import org.springframework.security.web.server.context.NoOpServerSecurityContextRepository;
import org.springframework.security.web.server.savedrequest.CookieServerRequestCache;
import org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
import org.springframework.web.server.ServerWebExchange;
import org.zowe.apiml.cloudgatewayservice.config.oidc.ClientConfiguration;
import org.zowe.apiml.product.constants.CoreService;
import org.zowe.apiml.security.SecurityUtils;
import reactor.core.publisher.Mono;

@Configuration
/* loaded from: input_file:BOOT-INF/classes/org/zowe/apiml/cloudgatewayservice/config/WebSecurity.class */
public class WebSecurity {

    @Value("${apiml.security.oidc.cookie.sameSite:Lax}")
    public String sameSite;

    @Value("${apiml.security.x509.registry.allowedUsers:#{null}}")
    private String allowedUsers;
    private final ClientConfiguration clientConfiguration;
    private Predicate<String> usernameAuthorizationTester;
    public static final String CONTEXT_PATH = "/" + CoreService.CLOUD_GATEWAY.getServiceId();
    public static final String REGISTRY_PATH = CONTEXT_PATH + "/api/v1/registry/**";
    private static final Pattern CLIENT_REG_ID = Pattern.compile("^" + CONTEXT_PATH + "/login/oauth2/code/([^/]+)$");
    private static final Predicate<HttpCookie> HAS_NO_VALUE = httpCookie -> {
        return httpCookie == null || StringUtils.isEmpty(httpCookie.getValue());
    };
    public static final String COOKIE_NONCE = "oidc_nonce";
    public static final String COOKIE_STATE = "oidc_state";
    public static final String COOKIE_RETURN_URL = "oidc_return_url";
    private static final List<String> COOKIES = Arrays.asList(COOKIE_NONCE, COOKIE_STATE, COOKIE_RETURN_URL);
    public static final String OAUTH_2_AUTHORIZATION = CONTEXT_PATH + "/oauth2/authorization/**";
    public static final String OAUTH_2_AUTHORIZATION_BASE_URI = CONTEXT_PATH + "/oauth2/authorization/";
    public static final String OAUTH_2_AUTHORIZATION_URI = CONTEXT_PATH + "/oauth2/authorization/{registrationId}";
    public static final String OAUTH_2_REDIRECT_URI = CONTEXT_PATH + "/login/oauth2/code/**";
    public static final String OAUTH_2_REDIRECT_LOGIN_URI = CONTEXT_PATH + "/login/oauth2/code/{registrationId}";

    /* loaded from: input_file:BOOT-INF/classes/org/zowe/apiml/cloudgatewayservice/config/WebSecurity$ApimlServerAuthorizationRequestRepository.class */
    class ApimlServerAuthorizationRequestRepository implements ServerAuthorizationRequestRepository<OAuth2AuthorizationRequest> {
        final ServerOAuth2AuthorizationRequestResolver authorizationRequestResolver;

        @Override // org.springframework.security.oauth2.client.web.server.ServerAuthorizationRequestRepository
        public Mono<OAuth2AuthorizationRequest> loadAuthorizationRequest(ServerWebExchange serverWebExchange) {
            return this.authorizationRequestResolver.resolve(serverWebExchange, WebSecurity.getClientRegistrationId(serverWebExchange)).map(oAuth2AuthorizationRequest -> {
                return serverWebExchange.getRequest().getCookies().getFirst(WebSecurity.COOKIE_NONCE) != null ? createAuthorizationRequest(serverWebExchange, oAuth2AuthorizationRequest) : oAuth2AuthorizationRequest;
            });
        }

        public OAuth2AuthorizationRequest createAuthorizationRequest(ServerWebExchange serverWebExchange, OAuth2AuthorizationRequest oAuth2AuthorizationRequest) {
            HttpCookie first = serverWebExchange.getRequest().getCookies().getFirst(WebSecurity.COOKIE_NONCE);
            HttpCookie first2 = serverWebExchange.getRequest().getCookies().getFirst(WebSecurity.COOKIE_STATE);
            if (WebSecurity.HAS_NO_VALUE.test(first) || WebSecurity.HAS_NO_VALUE.test(first2)) {
                return oAuth2AuthorizationRequest;
            }
            String value = first.getValue();
            String createHash = createHash(value);
            return OAuth2AuthorizationRequest.authorizationCode().attributes(map -> {
                map.put(OAuth2ParameterNames.REGISTRATION_ID, oAuth2AuthorizationRequest.getAttributes().get(OAuth2ParameterNames.REGISTRATION_ID));
                map.put("nonce", value);
            }).additionalParameters(map2 -> {
                map2.put("nonce", createHash);
            }).clientId(oAuth2AuthorizationRequest.getClientId()).authorizationUri(oAuth2AuthorizationRequest.getAuthorizationUri()).redirectUri(oAuth2AuthorizationRequest.getRedirectUri()).scopes(oAuth2AuthorizationRequest.getScopes()).state(first2.getValue()).build();
        }

        private static String createHash(String str) {
            try {
                return Base64.getUrlEncoder().withoutPadding().encodeToString(MessageDigest.getInstance("SHA-256").digest(str.getBytes(StandardCharsets.US_ASCII)));
            } catch (NoSuchAlgorithmException e) {
                throw new IllegalStateException(e);
            }
        }

        @Override // org.springframework.security.oauth2.client.web.server.ServerAuthorizationRequestRepository
        public Mono<Void> saveAuthorizationRequest(OAuth2AuthorizationRequest oAuth2AuthorizationRequest, ServerWebExchange serverWebExchange) {
            serverWebExchange.getResponse().addCookie(WebSecurity.this.createCookie(WebSecurity.COOKIE_NONCE, String.valueOf(oAuth2AuthorizationRequest.getAttributes().get("nonce"))));
            serverWebExchange.getResponse().addCookie(WebSecurity.this.createCookie(WebSecurity.COOKIE_RETURN_URL, getReturnUrl(serverWebExchange)));
            serverWebExchange.getResponse().addCookie(WebSecurity.this.createCookie(WebSecurity.COOKIE_STATE, oAuth2AuthorizationRequest.getState()));
            return Mono.empty();
        }

        String getReturnUrl(ServerWebExchange serverWebExchange) {
            return (String) Optional.ofNullable(serverWebExchange.getRequest().getQueryParams().getFirst("returnUrl")).orElse(serverWebExchange.getRequest().getHeaders().getFirst("Origin"));
        }

        @Override // org.springframework.security.oauth2.client.web.server.ServerAuthorizationRequestRepository
        public Mono<OAuth2AuthorizationRequest> removeAuthorizationRequest(ServerWebExchange serverWebExchange) {
            Mono<OAuth2AuthorizationRequest> loadAuthorizationRequest = loadAuthorizationRequest(serverWebExchange);
            serverWebExchange.getResponse().getCookies().remove(WebSecurity.COOKIE_NONCE);
            return loadAuthorizationRequest;
        }

        @Generated
        public ApimlServerAuthorizationRequestRepository(ServerOAuth2AuthorizationRequestResolver serverOAuth2AuthorizationRequestResolver) {
            this.authorizationRequestResolver = serverOAuth2AuthorizationRequestResolver;
        }
    }

    @PostConstruct
    void initScopes() {
        boolean equals = "*".equals(this.allowedUsers);
        Set set = (Set) ((List) Optional.ofNullable(this.allowedUsers).map(str -> {
            return str.split("[,;]");
        }).map((v0) -> {
            return Arrays.asList(v0);
        }).orElse(Collections.emptyList())).stream().map((v0) -> {
            return v0.trim();
        }).map((v0) -> {
            return v0.toLowerCase();
        }).collect(Collectors.toSet());
        this.usernameAuthorizationTester = str2 -> {
            return equals || set.contains(StringUtils.lowerCase(str2));
        };
    }

    private ResponseCookie.ResponseCookieBuilder defaultCookieAttr(ResponseCookie.ResponseCookieBuilder responseCookieBuilder) {
        return responseCookieBuilder.path("/").sameSite(this.sameSite).httpOnly(true).secure(true);
    }

    private ResponseCookie createCookie(String str, String str2) {
        return defaultCookieAttr(ResponseCookie.from(str, str2)).build();
    }

    @Bean
    @Order(Integer.MIN_VALUE)
    public SecurityWebFilterChain oauth2WebFilterChain(ServerHttpSecurity serverHttpSecurity, Optional<ReactiveOAuth2AuthorizedClientService> optional, Optional<ApimlServerAuthorizationRequestRepository> optional2, Optional<ServerOAuth2AuthorizationRequestResolver> optional3) {
        if (this.clientConfiguration.isConfigured()) {
            return serverHttpSecurity.headers(headerSpec -> {
                headerSpec.frameOptions((v0) -> {
                    v0.disable();
                });
            }).securityContextRepository(NoOpServerSecurityContextRepository.getInstance()).securityMatcher(ServerWebExchangeMatchers.pathMatchers(OAUTH_2_AUTHORIZATION, OAUTH_2_REDIRECT_URI)).authorizeExchange(authorizeExchangeSpec -> {
                authorizeExchangeSpec.anyExchange().authenticated();
            }).oauth2Login(oAuth2LoginSpec -> {
                oAuth2LoginSpec.authenticationMatcher(new PathPatternParserServerWebExchangeMatcher(OAUTH_2_REDIRECT_LOGIN_URI)).authorizationRequestRepository((ServerAuthorizationRequestRepository) optional2.orElseThrow(() -> {
                    return new NoSuchBeanDefinitionException((Class<?>) ApimlServerAuthorizationRequestRepository.class);
                })).authorizationRequestResolver((ServerOAuth2AuthorizationRequestResolver) optional3.orElseThrow(() -> {
                    return new NoSuchBeanDefinitionException((Class<?>) ServerOAuth2AuthorizationRequestResolver.class);
                })).authenticationSuccessHandler((webFilterExchange, authentication) -> {
                    return ((ReactiveOAuth2AuthorizedClientService) optional.orElseThrow(() -> {
                        return new NoSuchBeanDefinitionException((Class<?>) ReactiveOAuth2AuthorizedClientService.class);
                    })).loadAuthorizedClient(getClientRegistrationId(webFilterExchange.getExchange()), authentication.getName()).map(oAuth2AuthorizedClient -> {
                        return updateCookies(webFilterExchange, oAuth2AuthorizedClient);
                    }).flatMap(mono -> {
                        return Mono.empty();
                    });
                }).authenticationFailureHandler((webFilterExchange2, authenticationException) -> {
                    String clientRegistrationId = getClientRegistrationId(webFilterExchange2.getExchange());
                    clearCookies(webFilterExchange2);
                    redirect(webFilterExchange2.getExchange().getResponse(), OAUTH_2_AUTHORIZATION_BASE_URI + clientRegistrationId);
                    return Mono.empty();
                });
            }).oauth2Client(oAuth2ClientSpec -> {
                oAuth2ClientSpec.authorizationRequestRepository((ServerAuthorizationRequestRepository) optional2.orElseThrow(() -> {
                    return new NoSuchBeanDefinitionException((Class<?>) ApimlServerAuthorizationRequestRepository.class);
                }));
            }).requestCache(requestCacheSpec -> {
                requestCacheSpec.requestCache(new CookieServerRequestCache());
            }).build();
        }
        return null;
    }

    public Mono<Object> updateCookies(WebFilterExchange webFilterExchange, OAuth2AuthorizedClient oAuth2AuthorizedClient) {
        webFilterExchange.getExchange().getResponse().addCookie(defaultCookieAttr(ResponseCookie.from(SecurityUtils.COOKIE_AUTH_NAME, oAuth2AuthorizedClient.getAccessToken().getTokenValue())).build());
        HttpCookie first = webFilterExchange.getExchange().getRequest().getCookies().getFirst(COOKIE_RETURN_URL);
        if (!HAS_NO_VALUE.test(first)) {
            redirect(webFilterExchange.getExchange().getResponse(), first.getValue());
        }
        clearCookies(webFilterExchange);
        return Mono.empty();
    }

    private void redirect(ServerHttpResponse serverHttpResponse, String str) {
        serverHttpResponse.getHeaders().set("Location", str);
        serverHttpResponse.setStatusCode(HttpStatusCode.valueOf(302));
    }

    private void clearCookies(WebFilterExchange webFilterExchange) {
        COOKIES.forEach(str -> {
            webFilterExchange.getExchange().getResponse().addCookie(defaultCookieAttr(ResponseCookie.from(str).maxAge(0L)).build());
        });
    }

    @Bean
    ReactiveOAuth2AuthorizedClientService authorizedClientService(Optional<ReactiveClientRegistrationRepository> optional) {
        if (this.clientConfiguration.isConfigured()) {
            return new InMemoryReactiveOAuth2AuthorizedClientService(optional.orElseThrow(() -> {
                return new NoSuchBeanDefinitionException((Class<?>) ReactiveClientRegistrationRepository.class);
            }));
        }
        return null;
    }

    @Bean
    public ServerOAuth2AuthorizationRequestResolver authorizationRequestResolver(Optional<InMemoryReactiveClientRegistrationRepository> optional) {
        if (this.clientConfiguration.isConfigured()) {
            return new DefaultServerOAuth2AuthorizationRequestResolver(optional.orElseThrow(() -> {
                return new NoSuchBeanDefinitionException((Class<?>) InMemoryReactiveClientRegistrationRepository.class);
            }), new PathPatternParserServerWebExchangeMatcher(OAUTH_2_AUTHORIZATION_URI));
        }
        return null;
    }

    @Bean
    public ApimlServerAuthorizationRequestRepository requestRepository(Optional<ServerOAuth2AuthorizationRequestResolver> optional) {
        if (this.clientConfiguration.isConfigured()) {
            return new ApimlServerAuthorizationRequestRepository(optional.orElseThrow(() -> {
                return new NoSuchBeanDefinitionException((Class<?>) ServerOAuth2AuthorizationRequestResolver.class);
            }));
        }
        return null;
    }

    @Bean
    public ReactiveClientRegistrationRepository clientRegistrationRepository() {
        if (this.clientConfiguration.isConfigured()) {
            return new InMemoryReactiveClientRegistrationRepository(getClientRegistrations());
        }
        return null;
    }

    @Bean
    public ServerOAuth2AuthorizedClientRepository serverOAuth2AuthorizedClientRepository(Optional<ReactiveOAuth2AuthorizedClientService> optional) {
        if (this.clientConfiguration.isConfigured()) {
            return new AuthenticatedPrincipalServerOAuth2AuthorizedClientRepository(optional.orElseThrow(() -> {
                return new NoSuchBeanDefinitionException((Class<?>) ReactiveOAuth2AuthorizedClientService.class);
            }));
        }
        return null;
    }

    @ConditionalOnBean({ReactiveClientRegistrationRepository.class})
    @Bean
    public ReactiveOAuth2AuthorizedClientManager gatewayReactiveOAuth2AuthorizedClientManager(Optional<ReactiveClientRegistrationRepository> optional, Optional<ReactiveOAuth2AuthorizedClientService> optional2) {
        if (!this.clientConfiguration.isConfigured()) {
            return null;
        }
        ReactiveOAuth2AuthorizedClientProvider build = ReactiveOAuth2AuthorizedClientProviderBuilder.builder().authorizationCode().refreshToken().build();
        AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager authorizedClientServiceReactiveOAuth2AuthorizedClientManager = new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(optional.orElseThrow(() -> {
            return new NoSuchBeanDefinitionException((Class<?>) ReactiveClientRegistrationRepository.class);
        }), optional2.orElseThrow(() -> {
            return new NoSuchBeanDefinitionException((Class<?>) ReactiveOAuth2AuthorizedClientService.class);
        }));
        authorizedClientServiceReactiveOAuth2AuthorizedClientManager.setAuthorizedClientProvider(build);
        return authorizedClientServiceReactiveOAuth2AuthorizedClientManager;
    }

    private List<ClientRegistration> getClientRegistrations() {
        return (List) this.clientConfiguration.getConfigurations().values().stream().map(config -> {
            return ClientRegistration.withRegistrationId(config.getId()).clientId(config.getRegistration().getClientId()).clientSecret(config.getRegistration().getClientSecret()).clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC).authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE).redirectUri(config.getRegistration().getRedirectUri()).scope(config.getRegistration().getScope()).authorizationUri(config.getProvider().getAuthorizationUri()).tokenUri(config.getProvider().getTokenUri()).userInfoUri(config.getProvider().getUserInfoUri()).userNameAttributeName(config.getProvider().getUserNameAttribute()).jwkSetUri(config.getProvider().getJwkSetUri()).clientName(config.getId()).build();
        }).collect(Collectors.toList());
    }

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity serverHttpSecurity) {
        return serverHttpSecurity.headers(headerSpec -> {
            headerSpec.frameOptions((v0) -> {
                v0.disable();
            });
        }).x509(x509Spec -> {
            x509Spec.principalExtractor(new SubjectDnX509PrincipalExtractor()).authenticationManager(authentication -> {
                authentication.setAuthenticated(true);
                return Mono.just(authentication);
            });
        }).authorizeExchange(authorizeExchangeSpec -> {
            authorizeExchangeSpec.pathMatchers(REGISTRY_PATH).authenticated().anyExchange().permitAll();
        }).csrf((v0) -> {
            v0.disable();
        }).build();
    }

    @Bean
    @Primary
    ReactiveUserDetailsService userDetailsService() {
        return str -> {
            ArrayList arrayList = new ArrayList();
            if (this.usernameAuthorizationTester.test(str)) {
                arrayList.add(new SimpleGrantedAuthority("REGISTRY"));
            }
            return Mono.just(User.withUsername(str).authorities(arrayList).password("").build());
        };
    }

    static String getClientRegistrationId(ServerWebExchange serverWebExchange) {
        String value = serverWebExchange.getRequest().getPath().value();
        Matcher matcher = CLIENT_REG_ID.matcher(value);
        if (matcher.matches()) {
            return matcher.group(1);
        }
        throw new IllegalStateException("Client registration ID was not found in the path: " + value);
    }

    @Generated
    public WebSecurity(ClientConfiguration clientConfiguration) {
        this.clientConfiguration = clientConfiguration;
    }
}
