package in.hocg.boot.sso.client.autoconfigure.core.webflux;

import in.hocg.boot.sso.client.autoconfigure.core.AuthenticationResult;
import in.hocg.boot.sso.client.autoconfigure.core.webflux.bearer.ServerBearerTokenAuthenticationConverter;
import in.hocg.boot.sso.client.autoconfigure.properties.SsoClientProperties;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Lazy;
import org.springframework.core.ResolvableType;
import org.springframework.core.io.buffer.DataBuffer;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.web.server.DelegatingServerAuthenticationEntryPoint;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.AuthenticationWebFilter;
import org.springframework.security.web.server.authentication.RedirectServerAuthenticationEntryPoint;
import org.springframework.security.web.server.util.matcher.MediaTypeServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.util.StringUtils;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

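/**
 * Reactive (WebFlux) security auto-configuration for the SSO client.
 *
 * <p>Builds the {@link SecurityWebFilterChain} from {@link SsoClientProperties}: path rules for
 * denied, authenticated and ignored URLs, OAuth2 login, and an additional bearer-token
 * {@link AuthenticationWebFilter}. Unauthenticated requests are answered either with a redirect
 * to the login page (HTML requests) or with a 401 JSON body (XMLHttpRequest callers and failed
 * bearer-token authentication).
 *
 * <p>Security-relevant settings made here, which deployments should review:
 * <ul>
 *   <li>CSRF protection is disabled for the whole chain.</li>
 *   <li>Bearer tokens are accepted from the URI query string.</li>
 *   <li>The 401 JSON body carries a URL taken from client-supplied request headers.</li>
 * </ul>
 */
@Configuration
@EnableWebFluxSecurity
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.REACTIVE)
/* loaded from: input_file:in/hocg/boot/sso/client/autoconfigure/core/webflux/WebFluxSsoClientConfiguration.class */
public class WebFluxSsoClientConfiguration {
    private final SsoClientProperties properties;
    // Set by springSecurityFilterChain(); getBeanOrNull() returns null until then.
    private ApplicationContext context;

    /**
     * Builds the reactive security filter chain.
     *
     * <p>Path rules are registered in the order deny, authenticated, permit. Spring Security
     * applies the first matcher that matches, so a path listed under both the deny and the
     * ignore properties is denied, and one listed under both authenticated and ignore requires
     * authentication. Any exchange not matched by a configured rule requires authentication.
     *
     * @param serverHttpSecurity the security builder supplied by Spring
     * @param applicationContext the application context; stored so that the client registrations
     *     can be looked up when the login entry point is created
     * @return the assembled filter chain
     */
    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity serverHttpSecurity, ApplicationContext applicationContext) {
        // Must happen before getOAuthServerAuthenticationEntryPoint() is called below.
        this.context = applicationContext;
        String[] ignoreUrls = (String[]) this.properties.getIgnoreUrls().toArray(new String[0]);
        String[] denyUrls = (String[]) this.properties.getDenyUrls().toArray(new String[0]);
        String[] authenticatedUrls = (String[]) this.properties.getAuthenticatedUrls().toArray(new String[0]);

        ServerHttpSecurity.AuthorizeExchangeSpec authorizeExchange = serverHttpSecurity.authorizeExchange();
        // Order matters: first matching rule wins, so deny rules take precedence over the others.
        if (denyUrls.length > 0) {
            authorizeExchange.pathMatchers(denyUrls).denyAll();
        }
        if (authenticatedUrls.length > 0) {
            authorizeExchange.pathMatchers(authenticatedUrls).authenticated();
        }
        if (ignoreUrls.length > 0) {
            authorizeExchange.pathMatchers(ignoreUrls).permitAll();
        }
        authorizeExchange.anyExchange().authenticated().and();

        serverHttpSecurity.oauth2Login();
        // SECURITY NOTE(review): CSRF protection is switched off for every exchange, while
        // oauth2Login() is enabled on the same chain. If the login result is kept in a
        // cookie-backed session (the usual arrangement, not visible in this class),
        // state-changing endpoints need another CSRF defence, e.g. SameSite cookies or
        // bearer-only access. Confirm this is intended before relying on it.
        serverHttpSecurity.csrf().disable();
        // Delegates are tried in order: HTML requests are redirected to login, XMLHttpRequest
        // callers receive the 401 JSON body.
        serverHttpSecurity.exceptionHandling().authenticationEntryPoint(
                new DelegatingServerAuthenticationEntryPoint(
                        getOAuthServerAuthenticationEntryPoint(),
                        getAjaxServerAuthenticationEntryPoint()));

        AuthenticationWebFilter bearerFilter = new AuthenticationWebFilter(authenticationManager(applicationContext));
        bearerFilter.setAuthenticationFailureHandler(
                (webFilterExchange, authenticationException) -> handleAuthentication4Webflux(webFilterExchange.getExchange()));
        // SECURITY NOTE(review): accepting the bearer token as a URI query parameter means the
        // token can end up in access logs, proxy logs, browser history and Referer headers.
        // RFC 6750 section 2.3 discourages this transport. Left enabled because existing clients
        // may depend on it; if it must stay, keep tokens short-lived and scrub query strings
        // from logs.
        bearerFilter.setServerAuthenticationConverter(new ServerBearerTokenAuthenticationConverter().setAllowUriQueryParameter(true));
        serverHttpSecurity.addFilterAt(bearerFilter, SecurityWebFiltersOrder.AUTHENTICATION);
        return serverHttpSecurity.build();
    }

    /**
     * Provides the default authentication manager used by the bearer-token filter; applications
     * can replace it by declaring their own bean.
     *
     * @param applicationContext the application context handed to the manager
     * @return a new {@link WebFluxExpandAuthenticationManager}
     */
    @ConditionalOnMissingBean
    @Bean
    public WebFluxExpandAuthenticationManager authenticationManager(ApplicationContext applicationContext) {
        return new WebFluxExpandAuthenticationManager(applicationContext);
    }

    /**
     * Entry point for requests that identify themselves as XMLHttpRequest: they get the 401 JSON
     * body instead of a redirect.
     *
     * <p>The {@code X-Requested-With} header is set by the caller, so it only selects the
     * response format; it is not evidence of where the request came from.
     */
    private DelegatingServerAuthenticationEntryPoint.DelegateEntry getAjaxServerAuthenticationEntryPoint() {
        ServerWebExchangeMatcher isAjaxRequest = exchange -> {
            String requestedWith = exchange.getRequest().getHeaders().getFirst("X-Requested-With");
            return Objects.equals(requestedWith, "XMLHttpRequest")
                    ? ServerWebExchangeMatcher.MatchResult.match()
                    : ServerWebExchangeMatcher.MatchResult.notMatch();
        };
        return new DelegatingServerAuthenticationEntryPoint.DelegateEntry(
                isAjaxRequest,
                (exchange, authenticationException) -> handleAuthentication4Webflux(exchange));
    }

    /**
     * Writes a 401 response whose JSON body is built by {@link AuthenticationResult}.
     *
     * <p>The URL passed to {@code AuthenticationResult.create} is the first non-empty value of
     * the {@code X-Page-Url} and {@code Referer} request headers, or {@code null} when both are
     * missing or empty.
     *
     * @param serverWebExchange the current exchange
     * @return completion signal of the response write
     */
    private Mono<Void> handleAuthentication4Webflux(ServerWebExchange serverWebExchange) {
        ServerHttpRequest request = serverWebExchange.getRequest();
        ServerHttpResponse response = serverWebExchange.getResponse();
        HttpHeaders headers = request.getHeaders();

        // SECURITY NOTE(review): both headers are fully controlled by the caller and the value is
        // echoed back in the response body. A front end that uses it as a post-login redirect
        // target should validate it against the application's own origins first.
        String pageUrl = headers.getFirst("X-Page-Url");
        if (!StringUtils.hasLength(pageUrl)) {
            pageUrl = headers.getFirst("Referer");
        }
        if (!StringUtils.hasLength(pageUrl)) {
            pageUrl = null;
        }

        byte[] body = AuthenticationResult.create(pageUrl).toJSON().getBytes(StandardCharsets.UTF_8);
        DataBuffer buffer = response.bufferFactory().wrap(body);
        response.setStatusCode(HttpStatus.UNAUTHORIZED);
        response.getHeaders().setContentType(MediaType.APPLICATION_JSON);
        return response.writeWith(Mono.just(buffer));
    }

    /**
     * Entry point for requests that explicitly accept {@code text/html}: they are redirected to
     * the single client registration's authorization endpoint, or to {@code /login} when there
     * is not exactly one registration.
     */
    private DelegatingServerAuthenticationEntryPoint.DelegateEntry getOAuthServerAuthenticationEntryPoint() {
        MediaTypeServerWebExchangeMatcher acceptsHtml = new MediaTypeServerWebExchangeMatcher(MediaType.TEXT_HTML);
        // Ignore "*/*" so that only an explicit text/html Accept value selects the redirect.
        acceptsHtml.setIgnoredMediaTypes(Collections.singleton(MediaType.ALL));
        Map<String, String> links = getLinks();
        String loginLocation = links.size() == 1 ? links.keySet().iterator().next() : "/login";
        return new DelegatingServerAuthenticationEntryPoint.DelegateEntry(
                acceptsHtml, new RedirectServerAuthenticationEntryPoint(loginLocation));
    }

    /**
     * Collects the authorization links of the registered OAuth2 clients.
     *
     * @return a map from {@code /oauth2/authorization/{registrationId}} to the client name;
     *     empty when no single {@code Iterable<ClientRegistration>} bean is available
     */
    private Map<String, String> getLinks() {
        // Typed instead of raw Iterable so the registration accessors resolve at compile time.
        Iterable<ClientRegistration> registrations =
                getBeanOrNull(ResolvableType.forClassWithGenerics(Iterable.class, ClientRegistration.class));
        if (registrations == null) {
            return Collections.emptyMap();
        }
        Map<String, String> links = new HashMap<>();
        registrations.forEach(registration ->
                links.put("/oauth2/authorization/" + registration.getRegistrationId(), registration.getClientName()));
        return links;
    }

    /**
     * Looks up a bean by resolvable type.
     *
     * @param resolvableType the type to look up
     * @param <T> the type the caller expects; not checked at runtime
     * @return the bean when exactly one bean name matches, otherwise {@code null} (also when the
     *     application context has not been set yet)
     */
    @SuppressWarnings("unchecked") // the caller chooses T to match the requested ResolvableType
    private <T> T getBeanOrNull(ResolvableType resolvableType) {
        if (this.context == null) {
            return null;
        }
        String[] beanNames = this.context.getBeanNamesForType(resolvableType);
        if (beanNames.length != 1) {
            return null;
        }
        return (T) this.context.getBean(beanNames[0]);
    }

    /**
     * Creates the configuration.
     *
     * @param ssoClientProperties the SSO client settings providing the ignore, deny and
     *     authenticated URL lists
     */
    @Lazy
    public WebFluxSsoClientConfiguration(SsoClientProperties ssoClientProperties) {
        this.properties = ssoClientProperties;
    }
}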
