package com.evolveum.midpoint.web.boot;

import com.evolveum.midpoint.security.api.SecurityContextManager;
import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
import com.evolveum.midpoint.task.api.TaskManager;
import com.evolveum.midpoint.web.security.AuditedLogoutHandler;
import com.evolveum.midpoint.web.security.MidPointAccessDeniedHandler;
import com.evolveum.midpoint.web.security.MidPointAuthenticationProvider;
import com.evolveum.midpoint.web.security.MidPointAuthenticationSuccessHandler;
import com.evolveum.midpoint.web.security.MidPointGuiAuthorizationEvaluator;
import com.evolveum.midpoint.web.security.WicketLoginUrlAuthenticationEntryPoint;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

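/**
 * Spring Security configuration for the midPoint GUI web application.
 *
 * <p>Note: this listing is decompiled bytecode
 * ({@code loaded from: input_file:com/evolveum/midpoint/web/boot/WebSecurityConfig.class}); the original
 * source comments are not available, so the documentation below describes only what the code demonstrably does.
 *
 * <p>Policy wired here:
 * <ul>
 *   <li>{@link #configure(WebSecurity)}: the path prefixes in {@link #IGNORED_PATHS} bypass the Spring Security
 *       filter chain entirely;</li>
 *   <li>{@link #configure(HttpSecurity)}: the paths in {@link #PERMIT_ALL_PATHS} are {@code permitAll}; every
 *       other request must be fully authenticated, with access decisions delegated to the injected
 *       {@link MidPointGuiAuthorizationEvaluator}. Form login, audited logout, one session per user and
 *       CSRF protection (unless {@code security.enable-csrf=false}) are configured there as well;</li>
 *   <li>{@link #configure(AuthenticationManagerBuilder)}: registers the injected {@link AuthenticationProvider}.</li>
 * </ul>
 *
 * <p>Thread-safety: a Spring singleton whose fields are assigned once by injection; no mutable state afterwards.
 */
@Configuration
@EnableWebSecurity
// Same value as the decompiled literal 2147483641: near-lowest precedence (presumably so that more specific
// security configurations are applied first — the intent is not documented in the decompiled source).
@Order(Integer.MAX_VALUE - 6)
@EnableGlobalMethodSecurity(securedEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Paths that are excluded from the security filter chain altogether (no authentication, no CSRF, no headers).
     * The first four are API/report endpoints, the rest static resources. Order is kept as decompiled.
     * NOTE(review): anything under {@code /model/**}, {@code /ws/**}, {@code /rest/**} and {@code /report} must
     * therefore be protected by its own mechanism; presumably the REST/WS layers authenticate requests
     * themselves — confirm, since this file cannot show it.
     */
    private static final String[] IGNORED_PATHS = {
            "/model/**", "/ws/**", "/rest/**", "/report",
            "/js/**", "/css/**", "/img/**", "/fonts/**", "/wro/**", "/static-web/**", "/less/**",
            "/wicket/resource/**"
    };

    /** Paths reachable without authentication: login processing, self-service registration/reset, error pages. */
    private static final String[] PERMIT_ALL_PATHS = {
            "/j_spring_security_check", "/spring_security_login", "/login", "/forgotpassword",
            "/registration", "/confirm/registration", "/confirm/reset", "/error", "/error/*", "/bootstrap"
    };

    /** Provider registered with the authentication manager; see {@link #authenticationProvider()} for the default. */
    @Autowired
    private AuthenticationProvider authenticationProvider;

    /** Access decision manager used for URL authorization; produced by {@link #accessDecisionManager}. */
    @Autowired
    private MidPointGuiAuthorizationEvaluator accessDecisionManager;

    /** {@code security.enable-csrf}; defaults to {@code true}, i.e. Spring's CSRF protection stays on. */
    @Value("${security.enable-csrf:true}")
    private boolean csrfEnabled;

    /** {@code auth.logout.url}; default target after logout, defaults to {@code /}. */
    @Value("${auth.logout.url:/}")
    private String authLogoutUrl;

    /**
     * Entry point that sends unauthenticated requests to the {@code /login} page.
     *
     * @return the Wicket-aware login entry point
     */
    @Bean
    public WicketLoginUrlAuthenticationEntryPoint wicketAuthenticationEntryPoint() {
        return new WicketLoginUrlAuthenticationEntryPoint("/login");
    }

    /**
     * Builds the GUI authorization evaluator used as access decision manager in {@link #configure(HttpSecurity)}.
     *
     * @param securityEnforcer       midPoint authorization enforcer
     * @param securityContextManager midPoint security context manager
     * @param taskManager            midPoint task manager
     * @return the evaluator wrapping the three collaborators
     */
    @Bean
    public MidPointGuiAuthorizationEvaluator accessDecisionManager(SecurityEnforcer securityEnforcer,
            SecurityContextManager securityContextManager, TaskManager taskManager) {
        return new MidPointGuiAuthorizationEvaluator(securityEnforcer, securityContextManager, taskManager);
    }

    /**
     * Pre-authentication filter, active only under the {@code sso} profile: the value of the {@code SM_USER}
     * request header is taken as the already-authenticated principal.
     *
     * <p>Because the header itself is the credential, this profile is only safe when every request reaching the
     * application has passed through the component that sets (and overwrites) that header; otherwise a
     * client-supplied value would be accepted as the user identity.
     * NOTE(review): the filter is not added to the {@link HttpSecurity} chain in this class; how it is registered
     * (e.g. container-level filter registration) is not visible here — confirm.
     *
     * @param authenticationManager manager the filter hands the pre-authenticated token to
     * @return the configured filter
     */
    @Profile("sso")
    @Bean
    public RequestHeaderAuthenticationFilter requestHeaderAuthenticationFilter(
            AuthenticationManager authenticationManager) {
        RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
        filter.setPrincipalRequestHeader("SM_USER");
        filter.setAuthenticationManager(authenticationManager);
        return filter;
    }

    /**
     * Excludes {@link #IGNORED_PATHS} from the security filter chain.
     * Equivalent to the decompiled sequence of one {@code ignoring().antMatchers(...)} call per path:
     * {@code ignoring()} returns the same registry each time, so one call with all matchers is identical.
     */
    @Override
    public void configure(WebSecurity webSecurity) throws Exception {
        webSecurity.ignoring().antMatchers(IGNORED_PATHS);
    }

    /**
     * HTTP security policy for everything that is not ignored: URL authorization, logout, session limits,
     * form login, exception handling, CSRF and response headers.
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        // Login/registration/error pages are open; everything else requires full (non-remember-me) authentication,
        // with the midPoint evaluator deciding access.
        httpSecurity.authorizeRequests()
                .accessDecisionManager(this.accessDecisionManager)
                .antMatchers(PERMIT_ALL_PATHS).permitAll()
                .anyRequest().fullyAuthenticated();

        // Logout invalidates the HTTP session and is recorded by the audited handler.
        httpSecurity.logout()
                .logoutUrl("/j_spring_security_logout")
                .invalidateHttpSession(true)
                .logoutSuccessHandler(logoutHandler());

        // Spring Security never creates a session itself; one session per principal, and a second concurrent
        // login is rejected rather than expiring the first session.
        httpSecurity.sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.NEVER)
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true);

        httpSecurity.formLogin()
                .loginPage("/login")
                .loginProcessingUrl("/spring_security_login")
                .successHandler(authenticationSuccessHandler())
                .permitAll();

        httpSecurity.exceptionHandling()
                .authenticationEntryPoint(wicketAuthenticationEntryPoint())
                .accessDeniedHandler(accessDeniedHandler());

        // CSRF protection is Spring's default; it is only switched off by an explicit security.enable-csrf=false.
        if (!this.csrfEnabled) {
            httpSecurity.csrf().disable();
        }

        // NOTE(review): headers().disable() removes the headers configurer (and with it the default
        // Cache-Control, X-Content-Type-Options, HSTS and X-XSS-Protection headers), while the immediately
        // following headers() call appears to register a fresh configurer with defaults before setting
        // X-Frame-Options to SAMEORIGIN. The two calls are kept in the decompiled order; confirm against the
        // running application's response headers which of the two outcomes is the intended one.
        httpSecurity.headers().disable();
        httpSecurity.headers().frameOptions().sameOrigin();
    }

    /**
     * Handler invoked when an authenticated user is denied access.
     *
     * @return the midPoint access-denied handler
     */
    @Bean
    public MidPointAccessDeniedHandler accessDeniedHandler() {
        return new MidPointAccessDeniedHandler();
    }

    /**
     * Default (internal) authentication provider, used unless the {@code ldap} or {@code cas} profile is active.
     *
     * @return the midPoint authentication provider
     */
    @Profile({"!ldap", "!cas"})
    @Bean
    public AuthenticationProvider authenticationProvider() {
        return new MidPointAuthenticationProvider();
    }

    /** Registers the injected provider as the only authentication provider. */
    @Override
    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        authenticationManagerBuilder.authenticationProvider(this.authenticationProvider);
    }

    /**
     * Post-login redirect handler. {@code setUseReferer(true)} lets the redirect fall back to the request's
     * {@code Referer} header, which is client-supplied; whether the midPoint handler validates that value
     * against the application's own URLs is not visible here — confirm. The default target is {@code /login}
     * (presumably the midPoint handler or Wicket then routes to the home page; not verifiable from this file).
     *
     * @return the configured success handler
     */
    @Bean
    public MidPointAuthenticationSuccessHandler authenticationSuccessHandler() {
        MidPointAuthenticationSuccessHandler handler = new MidPointAuthenticationSuccessHandler();
        handler.setUseReferer(true);
        handler.setDefaultTargetUrl("/login");
        return handler;
    }

    /**
     * Audited logout-success handler redirecting to {@code auth.logout.url} (default {@code /}).
     *
     * @return the configured logout handler
     */
    @Bean
    public AuditedLogoutHandler logoutHandler() {
        AuditedLogoutHandler handler = new AuditedLogoutHandler();
        handler.setDefaultTargetUrl(this.authLogoutUrl);
        return handler;
    }
}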
