package com.jilongda.applet.config;

import com.jilongda.applet.security.AuthenticationProvider;
import com.jilongda.applet.security.SysUserDetailsService;
import com.jilongda.common.basic.Constant;
import com.jilongda.common.cache.CaffineCache;
import com.jilongda.common.redis.RedisAutoTemplate;
import com.jilongda.common.security.SecurityUtils;
import com.jilongda.common.security.filter.AuthenticationFilter;
import com.jilongda.common.security.hadler.SecurityAuthenticationEntryPoint;
import com.jilongda.common.swagger.SwaggerAutoConfiguration;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

/**
 * 细粒度的访问控制
 * <p>
 * 注：需要使用注解@EnableGlobalMethodSecurity(prePostEnabled=true) 开启
 *
 * @author xiaochen
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private SecurityAuthenticationEntryPoint securityAuthenticationEntryPoint;
    @Autowired
    private RedisAutoTemplate redisAutoTemplate;
    @Autowired
    private CaffineCache<String> accessTokenCache;
    @Autowired
    private CaffineCache<String> refreshTokenCache;
    @Autowired
    private PasswordEncoder passwordEncoder;
    @Autowired
    private  SysUserDetailsService loadUserDetailsService;


    /**
     * 应用重启token无效，可手动使令牌无效,管理了token的生命周期
     *
     * @return
     */
    @Bean
    public SecurityUtils securityUtils() {
        return new SecurityUtils(accessTokenCache, refreshTokenCache);
//        return new SecurityUtils();
    }


    /**
     * 不需要认证的在此处放行,比如系统的一些字典请求
     * 会包含Basic认证的请求。意思是如果请求在Basic中存在，在此处也存在，那么该请求的认证会被忽略
     * 这种方式的优势是不走 Spring Security 过滤器链
     *
     * @param web
     */
    @Override
    public void configure(WebSecurity web) {
        web.ignoring().antMatchers(SwaggerAutoConfiguration.DOC_LIST);
        web.ignoring().antMatchers(Constant.APPLET_AUTH_WHITELIST);
    }


    /**
     * 使用自定义登录身份认证组件，自实现rest登录请求，不适用于在过滤其中实现 在过滤其中无法提供接口文档，维护不方便
     *
     * @param auth
     */
    @Override
    public void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(new AuthenticationProvider(loadUserDetailsService,passwordEncoder));
    }



    /**
     * Security各项配置
     *
     * @param http
     * @throws Exception
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // 需要Basic认证的请求
        http
                .cors().disable()
                // 关闭登录，自定义接口实现
                .formLogin().disable()
                // 关闭httpBasic认证
                .httpBasic().disable()
                // 关闭退出，自定义接口实现
                .logout().disable()
                .csrf().disable()
                // 放在 Cookie 中返回前端，防止跨域伪造
                //.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and()
                //.and()
                .authorizeRequests()
                // 跨域预检请求
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                // 登录URL permitAll() 无需保护 ---> 此种方式配置忽略认证规则会走Spring Security 过滤器链，在过滤器链中，给请求放行
                // 不需要保护的请求,但需要经过过滤连
                //.antMatchers(HttpMethod.POST, "/login").permitAll()
                // 微信登录
                .antMatchers(HttpMethod.GET, "/**/openId-by-jscode2session/**").permitAll()
                .antMatchers(HttpMethod.POST, "/login").permitAll()
                .antMatchers(HttpMethod.POST, "/code/login").permitAll()
                .antMatchers(HttpMethod.POST, "/sendCode").permitAll()
                .antMatchers(HttpMethod.POST, "/sendPassCode").permitAll()
                .antMatchers(HttpMethod.POST, "/pageResetPassword").permitAll()
                // 其他都需要权限认证
                .anyRequest()
                .authenticated()
                // 其他所有请求需要身份认证
                .and()
                // 异常拦截
                .exceptionHandling()
                // 未授权用户访问无权限时的处理
                .authenticationEntryPoint(securityAuthenticationEntryPoint);
        // 此处存在session共享的问题，如要共享session，则需要管理
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        // 访问控制时登录状态检查过滤器
        http.addFilterBefore(new AuthenticationFilter(securityUtils()), UsernamePasswordAuthenticationFilter.class);
        // 异常捕捉过滤器，必须在AuthenticationFilter之前才能捕捉到异常信息
        http.addFilterBefore(new AuthenticationFilter(securityUtils()), AuthenticationFilter.class);
        //禁用缓存
        http.headers().cacheControl();
    }


    /**
     * 验证管理器，在登录接口时用到
     *
     * @return
     * @throws Exception
     */
    @Bean
    @Override
    public AuthenticationManager authenticationManager() throws Exception {
        return super.authenticationManager();
    }

}