package io.nerv.core.auth.config;

import cn.hutool.core.collection.CollUtil;
import cn.hutool.core.util.ArrayUtil;
import io.nerv.core.auth.security.entrypoint.UnauthorizedHandler;
import io.nerv.core.auth.security.entrypoint.UrlAccessDeniedHandler;
import io.nerv.core.auth.security.entrypoint.UrlAuthenticationFailureHandler;
import io.nerv.core.auth.security.entrypoint.UrlAuthenticationSuccessHandler;
import io.nerv.core.auth.security.entrypoint.UrlLogoutSuccessHandler;
import io.nerv.core.auth.security.filter.JwtAuthFilter;
import io.nerv.core.auth.security.provider.DynamiclAccessDecisionManager;
import io.nerv.core.auth.security.provider.JwtUsernamePasswordAuthenticationFilter;
import io.nerv.core.properties.EvaConfig;
import java.util.Arrays;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

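/**
 * Spring Security wiring for the application: the CORS policy, the stateless
 * filter chain carrying the JWT filters, and the list of static paths that are
 * excluded from the filter chain.
 *
 * <p>Two property-driven lists widen access and should be reviewed together
 * with this class: {@code eva.security.anonymous} (paths granted
 * {@code permitAll}) and {@code eva.security.webstatic} (extra GET paths that
 * bypass the filter chain completely).
 */
@Configuration
@EnableWebSecurity
@EnableMethodSecurity
/* loaded from: input_file:io/nerv/core/auth/config/WebSecurityConfig.class */
public class WebSecurityConfig {

    // Path patterns that are reachable without authentication (permitAll).
    @Value("${eva.security.anonymous}")
    private String[] anonymous;

    // Additional GET path patterns excluded from the security filter chain.
    @Value("${eva.security.webstatic}")
    private String[] webstatic;
    private final EvaConfig evaConfig;
    private final UrlAuthenticationSuccessHandler urlAuthenticationSuccessHandler;
    private final DynamiclAccessDecisionManager urlAccessDecisionManager;
    private final UrlAuthenticationFailureHandler urlAuthenticationFailureHandler;
    private final UrlLogoutSuccessHandler urlLogoutSuccessHandler;
    private final UrlAccessDeniedHandler urlAccessDeniedHandler;
    private final UnauthorizedHandler unauthorizedHandler;
    private final AuthenticationConfiguration authenticationConfiguration;
    private final JwtAuthFilter jwtAuthFilter;

    /**
     * Creates the configuration with its collaborators supplied by constructor injection.
     */
    public WebSecurityConfig(EvaConfig evaConfig, UrlAuthenticationSuccessHandler urlAuthenticationSuccessHandler, DynamiclAccessDecisionManager dynamiclAccessDecisionManager, UrlAuthenticationFailureHandler urlAuthenticationFailureHandler, UrlLogoutSuccessHandler urlLogoutSuccessHandler, UrlAccessDeniedHandler urlAccessDeniedHandler, UnauthorizedHandler unauthorizedHandler, AuthenticationConfiguration authenticationConfiguration, JwtAuthFilter jwtAuthFilter) {
        this.evaConfig = evaConfig;
        this.urlAuthenticationSuccessHandler = urlAuthenticationSuccessHandler;
        this.urlAccessDecisionManager = dynamiclAccessDecisionManager;
        this.urlAuthenticationFailureHandler = urlAuthenticationFailureHandler;
        this.urlLogoutSuccessHandler = urlLogoutSuccessHandler;
        this.urlAccessDeniedHandler = urlAccessDeniedHandler;
        this.unauthorizedHandler = unauthorizedHandler;
        this.authenticationConfiguration = authenticationConfiguration;
        this.jwtAuthFilter = jwtAuthFilter;
    }

    /**
     * Builds the CORS policy applied to every path ({@code /**}).
     *
     * <p>Allowed origins come from the JWT section of {@link EvaConfig}
     * ({@code getCreditUrl()}); when that list is empty the policy falls back
     * to the wildcard origin.
     *
     * @return the CORS configuration source registered for all paths
     */
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration corsConfiguration = new CorsConfiguration();
        // SECURITY: an empty origin list silently becomes "*". With
        // allowCredentials(false) the browser attaches no cookies, but a token sent
        // in a request header is set by script and is not covered by that flag, so
        // the configured origin list is the only origin restriction on the API.
        // Production deployments should always set an explicit list.
        corsConfiguration.setAllowedOrigins(
                CollUtil.isEmpty(this.evaConfig.getJwt().getCreditUrl())
                        ? Arrays.asList("*")
                        : this.evaConfig.getJwt().getCreditUrl());
        // Must stay false while "*" is a possible origin value: the CORS protocol
        // does not permit a wildcard origin on credentialed requests.
        corsConfiguration.setAllowCredentials(false);
        corsConfiguration.setAllowedMethods(Arrays.asList("PUT", "DELETE", "GET", "POST", "OPTIONS"));
        corsConfiguration.setAllowedHeaders(Arrays.asList("*"));
        // Preflight responses may be cached by the browser for 30 minutes.
        corsConfiguration.setMaxAge(1800L);
        // Response headers that cross-origin scripts are allowed to read.
        corsConfiguration.setExposedHeaders(Arrays.asList("Access-Control-Allow-Headers", "Access-Control-Allow-Methods", "Access-Control-Expose-Headers", "Access-Control-Allow-Origin", "Access-Control-Max-Age", "authorization", "auth_token", "xsrf-token", "content-type", "X-Frame-Options", "Authorization"));
        UrlBasedCorsConfigurationSource urlBasedCorsConfigurationSource = new UrlBasedCorsConfigurationSource();
        urlBasedCorsConfigurationSource.registerCorsConfiguration("/**", corsConfiguration);
        return urlBasedCorsConfigurationSource;
    }

    /**
     * Builds the main security filter chain.
     *
     * <p>The chain is stateless, permits the {@code eva.security.anonymous}
     * paths, and sends every other request to the injected
     * {@link DynamiclAccessDecisionManager}. Login is handled at
     * {@code /auth/login} and logout at {@code /auth/logout}.
     *
     * @param httpSecurity the builder supplied by Spring Security
     * @return the assembled filter chain
     * @throws Exception if the builder or the authentication manager cannot be created
     */
    @Bean
    public SecurityFilterChain httpSecurityConfigure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                .cors().and()
                // SECURITY: CSRF protection is off. That is only sound while no
                // session is created (STATELESS below) and the token is never
                // accepted from a cookie. NOTE(review): confirm against
                // JwtAuthFilter, which is not visible here.
                .csrf().disable()
                .headers()
                // The original chain called frameOptions().disable() at this point and
                // re-enabled the header with sameOrigin() further down; only the later
                // call took effect, so the redundant disable is dropped.
                .xssProtection().and()
                .addHeaderWriter(new StaticHeadersWriter("P3P", "CP='CAO IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'"))
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .authorizeHttpRequests()
                // Every pattern in eva.security.anonymous is reachable without a
                // token; keep that list as short as possible.
                .requestMatchers(this.anonymous).permitAll()
                .anyRequest().access(this.urlAccessDecisionManager);
        httpSecurity.logout().logoutUrl("/auth/logout").logoutSuccessHandler(this.urlLogoutSuccessHandler);
        httpSecurity
                .exceptionHandling()
                .authenticationEntryPoint(this.unauthorizedHandler)
                .accessDeniedHandler(this.urlAccessDeniedHandler)
                .and()
                // Both custom filters are registered ahead of the stock form-login filter.
                .addFilterBefore(this.jwtAuthFilter, UsernamePasswordAuthenticationFilter.class)
                .addFilterBefore(new JwtUsernamePasswordAuthenticationFilter("/auth/login", this.authenticationConfiguration.getAuthenticationManager(), this.urlAuthenticationSuccessHandler, this.urlAuthenticationFailureHandler), UsernamePasswordAuthenticationFilter.class);
        httpSecurity.anonymous().authorities("ROLE_ANONYMOUS");
        // X-Frame-Options: SAMEORIGIN plus the default cache-control headers.
        httpSecurity.headers().frameOptions().sameOrigin().cacheControl();
        return httpSecurity.build();
    }

    /**
     * Excludes static resources from the security filter chain for GET requests.
     *
     * <p>The ignored set is the {@code eva.security.webstatic} patterns followed
     * by the built-in defaults, plus Spring Boot's common static locations. When
     * no extra patterns are configured the defaults alone are used.
     *
     * @return the customizer that registers the ignored request matchers
     */
    @Bean
    public WebSecurityCustomizer webSecurityConfigure() {
        return webSecurity -> {
            // SECURITY: ignored paths skip the whole filter chain, so they get no
            // authentication, no authorization and none of the response headers
            // configured in httpSecurityConfigure. The document patterns (*.xls,
            // *.xlsx, *.doc, *.docx, *.pdf) and the swagger/api-docs patterns are
            // therefore public to anyone who can reach the server. Confirm that no
            // generated or user-specific file is ever served from these paths, and
            // prefer permitAll() in the filter chain where headers are still wanted.
            String[] defaultPatterns = {"/", "/static/**", "/*.html", "/*.xls", "/*.xlsx", "/*.doc", "/*.docx", "/*.pdf", "/favicon.ico", "/*/*.html", "/*/*.css", "/*/*.js", "/*/swagger-resources/**", "/*/api-docs/**"};
            // Fix: the original passed a null array to requestMatchers when
            // webstatic was null, discarding the defaults. A null pattern list must
            // never reach the matcher registry; how it is interpreted is not
            // something this class should depend on.
            String[] ignoredPatterns = (this.webstatic == null)
                    ? defaultPatterns
                    : ArrayUtil.addAll(this.webstatic, defaultPatterns);
            webSecurity.ignoring()
                    .requestMatchers(HttpMethod.GET, ignoredPatterns)
                    .requestMatchers(PathRequest.toStaticResources().atCommonLocations());
        };
    }
}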
