package org.zowe.apiml.gateway.config;

import java.security.cert.CertificateEncodingException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.cloud.client.ServiceInstance;
import org.springframework.cloud.client.loadbalancer.reactive.ReactiveLoadBalancer;
import org.springframework.cloud.client.loadbalancer.reactive.ReactorLoadBalancerExchangeFilterFunction;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.server.reactive.SslInfo;
import org.springframework.web.reactive.function.BodyInserters;
import org.springframework.web.reactive.function.client.WebClient;
import org.springframework.web.reactive.function.server.HandlerFunction;
import org.springframework.web.reactive.function.server.RequestPredicates;
import org.springframework.web.reactive.function.server.RouterFunction;
import org.springframework.web.reactive.function.server.RouterFunctions;
import org.springframework.web.reactive.function.server.ServerRequest;
import org.springframework.web.reactive.function.server.ServerResponse;
import org.zowe.apiml.constants.ApimlConstants;
import org.zowe.apiml.gateway.x509.ForwardClientCertFilterFactory;
import org.zowe.apiml.gateway.x509.X509Util;
import reactor.core.publisher.Mono;

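@Configuration
/**
 * Registers the gateway's authentication endpoints and relays each call to the ZAAS service.
 *
 * <p>Every route listed in {@link #ZAAS_AUTH_PATHS} is exposed under {@code /gateway} and forwarded
 * to {@code lb://zaas/zaas} through a load-balanced {@link WebClient}. Security-relevant behaviour:
 * <ul>
 *   <li>All inbound request headers are copied to the outbound call, except that any
 *       caller-supplied client-certificate header is dropped and replaced by the certificate
 *       taken from the TLS session (see {@link #getWebclient}).</li>
 *   <li>Only the response headers named in {@link #HEADERS_TO_RESEND} are returned to the caller.</li>
 * </ul>
 */
public class AuthEndpointConfig {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(AuthEndpointConfig.class);

    /** Allow-list of ZAAS response headers that are copied back to the caller; all others are dropped. */
    private static final List<String> HEADERS_TO_RESEND = Collections.unmodifiableList(
        Arrays.asList("Set-Cookie", "Content-Type", ApimlConstants.AUTH_FAIL_HEADER));

    /** Load-balanced base URI of the ZAAS service; the ZAAS path is appended to it. */
    private static final String ZAAS_BASE_URI = "lb://zaas/zaas";

    /** Prefix under which the gateway exposes each ZAAS path. */
    private static final String GATEWAY_PREFIX = "/gateway";

    /**
     * ZAAS paths that are relayed. The gateway route for each entry is
     * {@code GATEWAY_PREFIX + path}; registration order follows this list.
     */
    private static final List<String> ZAAS_AUTH_PATHS = Collections.unmodifiableList(Arrays.asList(
        "/api/v1/auth/login",
        "/api/v1/auth/logout",
        "/api/v1/auth/query",
        "/api/v1/auth/refresh",
        "/api/v1/auth/ticket",
        "/api/v1/auth/access-token/revoke",
        "/api/v1/auth/access-token/validate",
        "/api/v1/auth/access-token/generate",
        "/api/v1/auth/access-token/revoke/tokens/user",
        "/api/v1/auth/access-token/revoke/tokens",
        "/api/v1/auth/access-token/revoke/tokens/scope",
        "/api/v1/auth/access-token/evict",
        "/api/v1/auth/keys/public",
        "/api/v1/auth/keys/public/all",
        "/api/v1/auth/keys/public/current",
        "/api/v1/auth/oidc-token/validate",
        "/api/v1/auth/oidc/webfinger",
        "/auth/check"));

    private final WebClient webClient;
    private final WebClient webClientClientCert;

    /**
     * Wraps both injected clients with the reactive load-balancer filter.
     *
     * @param webClient   client used when the inbound request carries no TLS session information
     * @param webClient2  client qualified as {@code webClientClientCert}, used when it does
     * @param factory     load-balancer factory used to resolve {@code lb://} URIs
     */
    public AuthEndpointConfig(WebClient webClient, @Qualifier("webClientClientCert") WebClient webClient2, ReactiveLoadBalancer.Factory<ServiceInstance> factory) {
        this.webClient = createLoadBalanced(webClient, factory);
        this.webClientClientCert = createLoadBalanced(webClient2, factory);
    }

    /** Returns a copy of {@code webClient} with the load-balancer exchange filter added. */
    private WebClient createLoadBalanced(WebClient webClient, ReactiveLoadBalancer.Factory<ServiceInstance> factory) {
        return webClient.mutate()
            .filter(new ReactorLoadBalancerExchangeFilterFunction(factory, Collections.emptyList()))
            .build();
    }

    /**
     * Prepares the outbound ZAAS request for the given inbound request.
     *
     * @param serverRequest inbound request whose method and headers are reused
     * @param path          ZAAS path appended to {@link #ZAAS_BASE_URI}
     * @return request spec with headers set; the body is attached by the caller
     * @throws IllegalStateException if the client certificate from the TLS session cannot be encoded
     */
    private WebClient.RequestBodySpec getWebclient(ServerRequest serverRequest, String path) {
        SslInfo sslInfo = serverRequest.exchange().getRequest().getSslInfo();
        WebClient client = sslInfo == null ? this.webClient : this.webClientClientCert;

        WebClient.RequestBodySpec spec = client
            .method(serverRequest.method())
            .uri(ZAAS_BASE_URI + path)
            .headers(outbound -> {
                // Inbound headers are forwarded unfiltered, so cookies and Authorization (if present) reach ZAAS.
                // NOTE(review): this also copies Host and Content-Length although the body is re-sent
                // from a decoded String; confirm that is intended.
                outbound.addAll(serverRequest.headers().asHttpHeaders());
                // Drop the client-certificate header unconditionally so a value supplied by the caller
                // is never forwarded; only the gateway sets it, below.
                outbound.remove(ForwardClientCertFilterFactory.CLIENT_CERT_HEADER);
            });

        if (sslInfo == null) {
            return spec;
        }

        // NOTE(review): a non-null SslInfo shows the request arrived over TLS, not that a peer
        // certificate was presented; confirm X509Util handles a session without one.
        return spec.headers(outbound -> {
            try {
                outbound.add(ForwardClientCertFilterFactory.CLIENT_CERT_HEADER, X509Util.getEncodedClientCertificate(sslInfo));
            } catch (CertificateEncodingException e) {
                throw new IllegalStateException("Cannot forward client certificate", e);
            }
        });
    }

    /**
     * Sends the request to ZAAS and maps the ZAAS response back to a {@link ServerResponse}.
     *
     * @param serverRequest inbound request
     * @param path          ZAAS path to call
     * @param body          inbound body as a String; empty or {@code null} sends no body
     * @return response carrying the ZAAS status code, the allow-listed headers and the body if non-empty
     */
    private Mono<ServerResponse> resend(ServerRequest serverRequest, String path, String body) {
        return getWebclient(serverRequest, path)
            .body(StringUtils.isNotEmpty(body) ? BodyInserters.fromValue(body) : BodyInserters.empty())
            .exchangeToMono(clientResponse -> {
                ServerResponse.BodyBuilder status = ServerResponse.status(clientResponse.statusCode());
                // Only allow-listed headers are returned; everything else from ZAAS is discarded.
                status.headers(httpHeaders -> {
                    for (String name : HEADERS_TO_RESEND) {
                        httpHeaders.addAll(name, clientResponse.headers().header(name));
                    }
                });
                return clientResponse.bodyToMono(String.class)
                    .flatMap(responseBody -> !responseBody.isEmpty() ? status.bodyValue(responseBody) : status.build())
                    .switchIfEmpty(status.build());
            });
    }

    /**
     * Builds the handler that relays a request to the given ZAAS path.
     *
     * @param path ZAAS path to call
     * @return handler that reads the inbound body as a String (empty when absent) and resends it
     */
    private HandlerFunction<ServerResponse> resendTo(String path) {
        return serverRequest -> serverRequest.bodyToMono(String.class)
            .switchIfEmpty(Mono.just(""))
            .flatMap(body -> resend(serverRequest, path, body))
            // NOTE(review): failures relaying authentication calls are only visible at debug level.
            .doOnError(th -> log.debug("Cannot resend authentication call to the ZAAS", th));
    }

    /**
     * Registers one route per entry of {@link #ZAAS_AUTH_PATHS}.
     *
     * @return router mapping {@code /gateway + path} to the relay handler for {@code path}
     */
    @Bean
    public RouterFunction<ServerResponse> routes() {
        RouterFunction<ServerResponse> router = null;
        for (String zaasPath : ZAAS_AUTH_PATHS) {
            String gatewayPath = GATEWAY_PREFIX + zaasPath;
            if (router == null) {
                router = RouterFunctions.route(RequestPredicates.path(gatewayPath), resendTo(zaasPath));
            } else {
                router = router.andRoute(RequestPredicates.path(gatewayPath), resendTo(zaasPath));
            }
        }
        return router;
    }
}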
