package ch.admin.smclient2.web.application;

import ch.admin.smclient2.web.ApplicationUsers;
import jakarta.servlet.Filter;
import org.camunda.bpm.engine.history.UserOperationLogEntry;
import org.springframework.beans.factory.BeanCreationException;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@EnableConfigurationProperties({ApplicationUsers.class})
@Configuration
@EnableWebSecurity
/* loaded from: input_file:BOOT-INF/classes/ch/admin/smclient2/web/application/SecurityConfig.class */
public class SecurityConfig {
    @Bean
    SecurityFilterChain configure(HttpSecurity httpSecurity, AuthenticationManager authenticationManager) {
        try {
            httpSecurity.csrf((v0) -> {
                v0.disable();
            });
            httpSecurity.addFilterBefore((Filter) smcAuthenticationFilter(authenticationManager), UsernamePasswordAuthenticationFilter.class).authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> {
                authorizationManagerRequestMatcherRegistry.requestMatchers("/images/**").permitAll().requestMatchers("/").permitAll().requestMatchers("/logout").permitAll().requestMatchers("/login.xhtml").permitAll().requestMatchers(new AntPathRequestMatcher("/jakarta.faces.resource/**")).permitAll().requestMatchers("/audit/mandant.xhtml").hasRole("SuperUser").requestMatchers("testplatform/changepassword.xhtml").hasRole("SuperUser").requestMatchers("/audit/**").hasRole(UserOperationLogEntry.CATEGORY_ADMIN).requestMatchers("/compose/**").hasRole("ActiveUser").requestMatchers("/outlook/**").hasRole("PassiveUser").anyRequest().authenticated();
            }).formLogin(formLoginConfigurer -> {
                formLoginConfigurer.loginPage("/login.xhtml").permitAll();
            }).logout(logoutConfigurer -> {
                logoutConfigurer.logoutSuccessUrl("/login.xhtml").logoutUrl("/logout").deleteCookies("JSESSIONID");
            });
            return httpSecurity.build();
        } catch (Exception e) {
            throw new BeanCreationException("Wrong spring security configuration", e);
        }
    }

    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception {
        return authenticationConfiguration.getAuthenticationManager();
    }

    public SmcAuthenticationFilter smcAuthenticationFilter(AuthenticationManager authenticationManager) {
        SmcAuthenticationFilter smcAuthenticationFilter = new SmcAuthenticationFilter();
        smcAuthenticationFilter.setAuthenticationManager(authenticationManager);
        smcAuthenticationFilter.setAuthenticationSuccessHandler(smClientAuthenticationSuccessHandler());
        smcAuthenticationFilter.setAuthenticationFailureHandler((httpServletRequest, httpServletResponse, authenticationException) -> {
            new DefaultRedirectStrategy().sendRedirect(httpServletRequest, httpServletResponse, "/login.xhtml?error=true");
        });
        smcAuthenticationFilter.setSecurityContextRepository(new HttpSessionSecurityContextRepository());
        return smcAuthenticationFilter;
    }

    @Bean
    public AuthenticationSuccessHandler smClientAuthenticationSuccessHandler() {
        return new SmcAuthenticationSuccessHandler();
    }
}
