package com.evolveum.midpoint.authentication.impl.module.configurer;

import com.evolveum.midpoint.authentication.api.AuthenticationChannel;
import com.evolveum.midpoint.authentication.api.util.AuthUtil;
import com.evolveum.midpoint.authentication.impl.MidpointAuthenticationTrustResolverImpl;
import com.evolveum.midpoint.authentication.impl.authorization.evaluator.MidpointHttpAuthorizationEvaluator;
import com.evolveum.midpoint.authentication.impl.entry.point.HttpAuthenticationEntryPoint;
import com.evolveum.midpoint.authentication.impl.filter.SequenceAuditFilter;
import com.evolveum.midpoint.authentication.impl.filter.configurers.MidpointExceptionHandlingConfigurer;
import com.evolveum.midpoint.authentication.impl.filter.oidc.OidcBearerTokenAuthenticationFilter;
import com.evolveum.midpoint.authentication.impl.module.configuration.JwtOidcResourceServerConfiguration;
import com.evolveum.midpoint.authentication.impl.module.configuration.OpaqueTokenOidcResourceServerConfiguration;
import com.evolveum.midpoint.authentication.impl.module.configuration.RemoteModuleWebSecurityConfiguration;
import com.evolveum.midpoint.authentication.impl.provider.OidcResourceServerProvider;
import com.evolveum.midpoint.model.api.ModelService;
import com.evolveum.midpoint.security.api.SecurityContextManager;
import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
import com.evolveum.midpoint.task.api.TaskManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractAuthenticationModuleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OidcAuthenticationModuleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OidcResourceServerAuthenticationModuleType;
import jakarta.servlet.Filter;
import jakarta.servlet.ServletRequest;
import java.util.Objects;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.RememberMeServices;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

/* loaded from: input_file:BOOT-INF/lib/authentication-impl-4.9.3.jar:com/evolveum/midpoint/authentication/impl/module/configurer/OidcResourceServerModuleWebSecurityConfigurer.class */
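/**
 * Spring Security configurer for the OIDC resource-server authentication module.
 *
 * <p>Two responsibilities:
 * <ul>
 *   <li>{@link #buildConfiguration} turns the module definition into a concrete configuration,
 *       choosing the opaque-token variant only when the module declares an opaque-token section
 *       and no JWT section; in every other case the JWT variant is used.</li>
 *   <li>{@link #configure(HttpSecurity)} wires the filter chain for the module's URL prefix:
 *       a bearer-token authentication filter (in the position of HTTP Basic), the midPoint
 *       authorization evaluator, a custom exception handling configurer, and a sequence audit
 *       filter placed after {@link FilterSecurityInterceptor}. Form login and CSRF protection are
 *       disabled on this chain.</li>
 * </ul>
 *
 * <p>Decompiler note: {@code buildConfiguration} and {@code configure} were reported as
 * {@code protected} in the compiled class; they are kept {@code public} here as widening an
 * override is source- and binary-compatible.
 *
 * @param <C> concrete configuration type produced for this module; both the JWT and the
 *            opaque-token configurations are expected to be assignable to it (see the
 *            unchecked casts in the private factories)
 */
public class OidcResourceServerModuleWebSecurityConfigurer<C extends RemoteModuleWebSecurityConfiguration> extends ModuleWebSecurityConfigurer<C, OidcAuthenticationModuleType> {

    @Autowired
    private ModelService model;

    @Autowired
    private SecurityEnforcer securityEnforcer;

    @Autowired
    private SecurityContextManager securityContextManager;

    // Package-private in the decompiled class (unlike its siblings); left unchanged so any
    // same-package access keeps working.
    @Autowired
    TaskManager taskManager;

    @Autowired
    private ApplicationContext applicationContext;

    /**
     * Creates the configurer; all arguments are forwarded to the parent.
     *
     * @param oidcAuthenticationModuleType the OIDC module definition being configured
     * @param str                          sequence suffix (forwarded later to the built configuration)
     * @param authenticationChannel        channel this module authenticates for
     * @param objectPostProcessor          Spring post-processor applied to every security object created here
     * @param servletRequest               request that triggered configuration
     * @param authenticationProvider       provider supplied by the caller
     */
    public OidcResourceServerModuleWebSecurityConfigurer(OidcAuthenticationModuleType oidcAuthenticationModuleType, String str, AuthenticationChannel authenticationChannel, ObjectPostProcessor<Object> objectPostProcessor, ServletRequest servletRequest, AuthenticationProvider authenticationProvider) {
        super(oidcAuthenticationModuleType, str, authenticationChannel, objectPostProcessor, servletRequest, authenticationProvider);
    }

    /**
     * Builds the configuration for this module.
     *
     * <p>The opaque-token configuration is selected only when the resource-server section has an
     * opaque-token part and no JWT part; otherwise the JWT configuration is used (also when neither
     * is present).
     *
     * @param oidcAuthenticationModuleType the module definition
     * @param str                          sequence suffix to set on the built configuration
     * @param authenticationChannel        unused here
     * @param servletRequest               unused here
     * @return the built configuration
     * @throws NullPointerException if the module has no {@code resourceServer} section; the message
     *                              names the missing element so a misconfigured module is diagnosable
     */
    @Override // com.evolveum.midpoint.authentication.impl.module.configurer.ModuleWebSecurityConfigurer
    public C buildConfiguration(OidcAuthenticationModuleType oidcAuthenticationModuleType, String str, AuthenticationChannel authenticationChannel, ServletRequest servletRequest) {
        OidcResourceServerAuthenticationModuleType resourceServer = Objects.requireNonNull(
                oidcAuthenticationModuleType.getResourceServer(),
                "OIDC resource server authentication module has no 'resourceServer' configuration");
        boolean opaqueTokenOnly = resourceServer.getJwt() == null && resourceServer.getOpaqueToken() != null;
        if (opaqueTokenOnly) {
            return createOpaqueTokenResourceServerConfiguration(oidcAuthenticationModuleType, str);
        }
        return createJwtResourceServerConfiguration(oidcAuthenticationModuleType, resourceServer, str);
    }

    /**
     * Builds the JWT-validating configuration and registers a post-processed
     * {@link OidcResourceServerProvider} backed by the configuration's decoder.
     *
     * @param moduleType     the module definition
     * @param resourceServer its resource-server section (source of the username claim name)
     * @param sequenceSuffix suffix set on the configuration
     * @return the JWT configuration, cast to {@code C}
     */
    @SuppressWarnings("unchecked") // C is the configuration type of this module; the JWT variant is one of its two forms
    private C createJwtResourceServerConfiguration(OidcAuthenticationModuleType moduleType, OidcResourceServerAuthenticationModuleType resourceServer, String sequenceSuffix) {
        JwtOidcResourceServerConfiguration configuration = JwtOidcResourceServerConfiguration.build(moduleType, sequenceSuffix);
        configuration.setSequenceSuffix(sequenceSuffix);

        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        String principalClaimName = resolvePrincipalClaimName(resourceServer);
        if (principalClaimName != null) {
            // Without a configured claim the converter keeps its own default principal claim.
            converter.setPrincipalClaimName(principalClaimName);
        }

        AuthenticationProvider provider = getObjectPostProcessor().postProcess(
                new OidcResourceServerProvider(configuration.getDecoder(), converter));
        configuration.addAuthenticationProvider(provider);
        return (C) configuration;
    }

    /**
     * Resolves which token claim carries the midPoint username: the JWT-specific setting wins over
     * the module-wide one.
     *
     * @param resourceServer resource-server section of the module
     * @return the claim name, or {@code null} when neither level configures one
     */
    private static String resolvePrincipalClaimName(OidcResourceServerAuthenticationModuleType resourceServer) {
        if (resourceServer.getJwt() != null && resourceServer.getJwt().getNameOfUsernameClaim() != null) {
            return resourceServer.getJwt().getNameOfUsernameClaim();
        }
        return resourceServer.getNameOfUsernameClaim();
    }

    /**
     * Builds the opaque-token (introspection) configuration and registers a post-processed
     * {@link OidcResourceServerProvider} backed by the configuration's introspector.
     *
     * @param moduleType     the module definition
     * @param sequenceSuffix suffix set on the configuration
     * @return the opaque-token configuration, cast to {@code C}
     */
    @SuppressWarnings("unchecked") // see createJwtResourceServerConfiguration
    private C createOpaqueTokenResourceServerConfiguration(OidcAuthenticationModuleType moduleType, String sequenceSuffix) {
        OpaqueTokenOidcResourceServerConfiguration configuration = OpaqueTokenOidcResourceServerConfiguration.build(moduleType, sequenceSuffix);
        configuration.setSequenceSuffix(sequenceSuffix);
        AuthenticationProvider provider = getObjectPostProcessor().postProcess(
                new OidcResourceServerProvider(configuration.getIntrospector()));
        configuration.addAuthenticationProvider(provider);
        return (C) configuration;
    }

    /**
     * Wires the security filter chain for this module's URL prefix.
     *
     * <p>Order of operations matters for Spring Security builders, so it is kept as is: the parent
     * configuration first, then the matcher restricting the chain to {@code <prefix>/**}, then the
     * bearer-token filter placed at the {@link BasicAuthenticationFilter} position, the midPoint
     * access decision manager, form login and CSRF disabled, the custom exception handling with the
     * HTTP entry point and trust resolver, and finally the audit filter after
     * {@link FilterSecurityInterceptor}.
     *
     * <p>CSRF protection is disabled on this chain; that is the usual choice for a chain that is
     * authenticated only by a bearer token presented in a request header, since browsers do not
     * attach such a header automatically. NOTE(review): confirm that nothing else on this chain
     * establishes a cookie-based session (remember-me services are attached when shared).
     *
     * @param httpSecurity the builder for this chain
     * @throws Exception propagated from the Spring Security builders
     */
    @Override // com.evolveum.midpoint.authentication.impl.module.configurer.ModuleWebSecurityConfigurer
    public void configure(HttpSecurity httpSecurity) throws Exception {
        super.configure(httpSecurity);

        HttpAuthenticationEntryPoint entryPoint = getObjectPostProcessor().postProcess(new HttpAuthenticationEntryPoint());
        httpSecurity.securityMatcher(AuthUtil.stripEndingSlashes(getPrefix()) + "/**");

        OidcBearerTokenAuthenticationFilter bearerTokenFilter = getObjectPostProcessor().postProcess(
                new OidcBearerTokenAuthenticationFilter(authenticationManager(), entryPoint));
        RememberMeServices rememberMeServices = httpSecurity.getSharedObject(RememberMeServices.class);
        if (rememberMeServices != null) {
            bearerTokenFilter.setRememberMeServices(rememberMeServices);
        }

        httpSecurity.authorizeRequests().accessDecisionManager(new MidpointHttpAuthorizationEvaluator(
                this.securityEnforcer, this.securityContextManager, this.taskManager, this.model, this.applicationContext));
        httpSecurity.addFilterAt(bearerTokenFilter, BasicAuthenticationFilter.class);
        httpSecurity.formLogin().disable();
        httpSecurity.csrf().disable();

        MidpointExceptionHandlingConfigurer exceptionHandling =
                (MidpointExceptionHandlingConfigurer) getOrApply(httpSecurity, new MidpointExceptionHandlingConfigurer());
        exceptionHandling.authenticationEntryPoint(entryPoint)
                .authenticationTrustResolver(new MidpointAuthenticationTrustResolverImpl());

        // recordOnEndOfChain=false: the audit record is not deferred to the end of the chain
        // (presumably it is written when this filter runs — confirm against SequenceAuditFilter).
        SequenceAuditFilter sequenceAuditFilter = new SequenceAuditFilter();
        sequenceAuditFilter.setRecordOnEndOfChain(false);
        Filter auditFilter = getObjectPostProcessor().postProcess(sequenceAuditFilter);
        httpSecurity.addFilterAfter(auditFilter, FilterSecurityInterceptor.class);
    }
}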
