package com.evolveum.midpoint.web.boot;

import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.security.api.SecurityContextManager;
import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
import com.evolveum.midpoint.task.api.TaskManager;
import com.evolveum.midpoint.web.security.AuditedLogoutHandler;
import com.evolveum.midpoint.web.security.MidPointAccessDeniedHandler;
import com.evolveum.midpoint.web.security.MidPointApplication;
import com.evolveum.midpoint.web.security.MidPointAuthenticationProvider;
import com.evolveum.midpoint.web.security.MidPointAuthenticationSuccessHandler;
import com.evolveum.midpoint.web.security.MidPointGuiAuthorizationEvaluator;
import com.evolveum.midpoint.web.security.WicketLoginUrlAuthenticationEntryPoint;
import java.util.Arrays;
import javax.servlet.Filter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.web.servlet.ServletListenerRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.core.env.Environment;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.security.web.authentication.preauth.RequestAttributeAuthenticationFilter;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
import org.springframework.security.web.session.HttpSessionEventPublisher;

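/**
 * Spring Security configuration for the midPoint web (Wicket GUI) layer.
 *
 * <p>It wires the GUI's authorization evaluator, form login, logout, session registry and CSRF
 * handling, excludes non-GUI and static paths from the security filter chain, and adds
 * pre-authentication filters when one of the {@code cas}, {@code sso} or {@code ssoenv} Spring
 * profiles is active.
 *
 * <p>Decompiler provenance: loaded from
 * {@code input_file:WEB-INF/classes/com/evolveum/midpoint/web/boot/WebSecurityConfig.class}.
 */
@Configuration
@EnableWebSecurity
// Integer.MAX_VALUE - 6: very low precedence. NOTE(review): presumably so that any other
// WebSecurityConfigurer in the context takes priority over this one -- confirm.
@Order(2147483641)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /** Used only to read the active profiles (see {@link #isProfileActive(String)}). */
    @Autowired
    private Environment environment;

    /** Provider registered with the authentication manager; by default {@link #midPointAuthenticationProvider()}. */
    @Autowired
    private AuthenticationProvider authenticationProvider;

    /** Handed to the pre-authentication filters created below. */
    @Autowired
    private AuthenticationManager authenticationManager;

    /** GUI authorization evaluator; see {@link #accessDecisionManager(SecurityEnforcer, SecurityContextManager, TaskManager)}. */
    @Autowired
    private MidPointGuiAuthorizationEvaluator accessDecisionManager;

    /** Registry that concurrent-session management records sessions into. */
    @Autowired
    private SessionRegistry sessionRegistry;

    /**
     * Name of the HTTP request header carrying the pre-authenticated principal in the {@code sso}
     * profile. Default {@code SM_USER}. The header value is trusted as an already authenticated
     * user name, so it must only be settable by the fronting SSO proxy, never by the client.
     */
    @Value("${auth.sso.header:SM_USER}")
    private String principalRequestHeader;

    /**
     * Name of the servlet request attribute carrying the pre-authenticated principal in the
     * {@code ssoenv} profile (despite the property name it is read as a request attribute by
     * {@link RequestAttributeAuthenticationFilter}). Default {@code REMOTE_USER}.
     */
    @Value("${auth.sso.env:REMOTE_USER}")
    private String principalRequestEnvVariable;

    /** Base URL of the CAS server; required when the {@code cas} profile is active. Default: empty. */
    @Value("${auth.cas.server.url:}")
    private String casServerUrl;

    /** CSRF protection is on unless {@code security.enable-csrf=false} is set. */
    @Value("${security.enable-csrf:true}")
    private boolean csrfEnabled;

    /** Where the browser is sent after a successful logout. Default {@code /}. */
    @Value("${auth.logout.url:/}")
    private String authLogoutUrl;

    /**
     * Entry point used when an unauthenticated request hits a protected page: redirects to the
     * default login page. Not registered under the {@code cas} profile, where CAS supplies its own.
     *
     * @return the Wicket-aware login redirect entry point
     */
    @Profile({"!cas"})
    @Bean
    public AuthenticationEntryPoint authenticationEntryPoint() {
        return new WicketLoginUrlAuthenticationEntryPoint(DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL);
    }

    /**
     * Creates the GUI authorization evaluator that {@link #configure(HttpSecurity)} installs as the
     * access decision manager.
     *
     * @param securityEnforcer       midPoint authorization enforcer
     * @param securityContextManager midPoint security context manager
     * @param taskManager            task manager used by the evaluator
     * @return the evaluator bean
     */
    @Bean
    public MidPointGuiAuthorizationEvaluator accessDecisionManager(SecurityEnforcer securityEnforcer, SecurityContextManager securityContextManager, TaskManager taskManager) {
        return new MidPointGuiAuthorizationEvaluator(securityEnforcer, securityContextManager, taskManager);
    }

    /**
     * Paths that bypass the Spring Security filter chain entirely (no authentication, no CSRF, no
     * security headers from this configuration).
     *
     * @param webSecurity builder to register the ignored patterns on
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(WebSecurity webSecurity) throws Exception {
        // Every ignoring() call returns the same registry, so a single varargs call is equivalent
        // to the original one-pattern-per-call form.
        webSecurity.ignoring().antMatchers(
                // Non-GUI endpoints. NOTE(review): nothing in this class protects them, so they are
                // presumably authenticated by their own (REST/WS) mechanisms -- confirm.
                "/model/**",
                "/ws/**",
                "/rest/**",
                "/report",
                // Static resources.
                "/js/**",
                "/css/**",
                "/img/**",
                "/fonts/**",
                "/wro/**",
                "/static-web/**",
                "/less/**",
                "/wicket/resource/**",
                // Only the actuator root and the health endpoint are exposed without authentication;
                // the patterns are exact, so other actuator paths fall under anyRequest() below.
                "/actuator",
                "/actuator/health");
    }

    /**
     * Main GUI security chain: authorization rules, logout, session handling, form login, error
     * handling, CSRF, headers and the profile-dependent pre-authentication filters.
     *
     * @param httpSecurity builder for the GUI filter chain
     * @throws Exception propagated from the builder and the bean methods called here
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        // Authorization: the midPoint evaluator decides; a fixed set of anonymous pages (login,
        // self registration, password reset, error pages) is open; everything else requires full
        // authentication (a remember-me authentication would not suffice).
        httpSecurity.authorizeRequests()
                .accessDecisionManager(this.accessDecisionManager)
                .antMatchers(
                        "/j_spring_security_check",
                        "/spring_security_login",
                        DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL,
                        "/forgotpassword",
                        "/registration",
                        SchemaConstants.REGISTRATION_CONFIRAMTION_PREFIX,
                        SchemaConstants.PASSWORD_RESET_CONFIRMATION_PREFIX,
                        MidPointApplication.MOUNT_INTERNAL_SERVER_ERROR,
                        "/error/*",
                        "/bootstrap")
                .permitAll()
                .anyRequest().fullyAuthenticated();

        // Logout: drop the authentication, invalidate the session, remove the session cookie and
        // let the audited handler redirect to authLogoutUrl.
        httpSecurity.logout()
                .clearAuthentication(true)
                .logoutUrl("/logout")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                .logoutSuccessHandler(logoutHandler());

        // NEVER: Spring Security does not create sessions itself but uses one if the container
        // already created it. maximumSessions(-1) means unlimited, so maxSessionsPreventsLogin(true)
        // has nothing to enforce; the session registry is still kept up to date.
        httpSecurity.sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.NEVER)
                .maximumSessions(-1)
                .sessionRegistry(this.sessionRegistry)
                .maxSessionsPreventsLogin(true);

        httpSecurity.formLogin()
                .loginPage(DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL)
                .loginProcessingUrl("/spring_security_login")
                .successHandler(authenticationSuccessHandler())
                .permitAll();

        httpSecurity.exceptionHandling()
                .authenticationEntryPoint(authenticationEntryPoint())
                .accessDeniedHandler(accessDeniedHandler());

        // CSRF stays enabled unless explicitly switched off by property.
        if (!this.csrfEnabled) {
            httpSecurity.csrf().disable();
        }

        // NOTE(review): headers().disable() removes the headers configurer, but the very next
        // headers() call re-creates it with Spring's defaults, so the disable() appears to be a
        // no-op and the default security headers plus X-Frame-Options SAMEORIGIN are emitted --
        // confirm against the Spring Security version in use. If the intent is to suppress the
        // default headers, they need to be turned off individually instead.
        httpSecurity.headers().disable();
        httpSecurity.headers().frameOptions().sameOrigin();

        // Profile-specific pre-authentication. The bean methods below are themselves guarded by
        // @Profile, so these checks must agree with them. NOTE(review): equalsIgnoreCase is more
        // lenient than Spring's @Profile matching; a differently-cased active profile would pass
        // the check here but find no matching bean -- confirm and consider exact matching.
        if (isProfileActive("cas")) {
            httpSecurity.addFilterAt(casFilter(), CasAuthenticationFilter.class);
            httpSecurity.addFilterBefore(requestSingleLogoutFilter(), LogoutFilter.class);
        }
        if (isProfileActive("sso")) {
            httpSecurity.addFilterBefore(requestHeaderAuthenticationFilter(), LogoutFilter.class);
        }
        if (isProfileActive("ssoenv")) {
            httpSecurity.addFilterBefore(requestAttributeAuthenticationFilter(), LogoutFilter.class);
        }
    }

    /**
     * Case-insensitive check whether {@code profile} is one of the environment's active profiles.
     *
     * @param profile profile name to look for
     * @return {@code true} if an active profile equals {@code profile} ignoring case
     */
    private boolean isProfileActive(String profile) {
        return Arrays.stream(this.environment.getActiveProfiles()).anyMatch(profile::equalsIgnoreCase);
    }

    /**
     * Exposes the adapter's authentication manager as a bean so the pre-authentication filters can
     * be injected with it. Decompiler note: the access modifier may have been widened from
     * {@code protected}.
     *
     * @return the authentication manager built from {@link #configure(AuthenticationManagerBuilder)}
     * @throws Exception propagated from the adapter
     */
    @Override
    @Bean
    public AuthenticationManager authenticationManager() throws Exception {
        return super.authenticationManager();
    }

    /**
     * Handler invoked when an authenticated user is denied access.
     *
     * @return midPoint's access-denied handler
     */
    @Bean
    public MidPointAccessDeniedHandler accessDeniedHandler() {
        return new MidPointAccessDeniedHandler();
    }

    /**
     * Default authentication provider; a deployment may replace it by defining its own bean named
     * {@code midPointAuthenticationProvider}.
     *
     * @return the midPoint authentication provider
     * @throws Exception declared for Spring's benefit; the constructor itself does not throw
     */
    @ConditionalOnMissingBean(name = {"midPointAuthenticationProvider"})
    @Bean
    public AuthenticationProvider midPointAuthenticationProvider() throws Exception {
        return new MidPointAuthenticationProvider();
    }

    /**
     * Registers the single injected provider with the authentication manager.
     *
     * @param authenticationManagerBuilder builder to register the provider on
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        authenticationManagerBuilder.authenticationProvider(this.authenticationProvider);
    }

    /**
     * Post-login redirect handler: honours the Referer header, otherwise falls back to the login
     * page URL.
     *
     * @return the configured success handler
     */
    @Bean
    public MidPointAuthenticationSuccessHandler authenticationSuccessHandler() {
        MidPointAuthenticationSuccessHandler handler = new MidPointAuthenticationSuccessHandler();
        handler.setUseReferer(true);
        handler.setDefaultTargetUrl(DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL);
        return handler;
    }

    /**
     * Logout success handler that audits the logout and redirects to {@code auth.logout.url}.
     *
     * @return the configured logout handler
     */
    @Bean
    public AuditedLogoutHandler logoutHandler() {
        AuditedLogoutHandler handler = new AuditedLogoutHandler();
        handler.setDefaultTargetUrl(this.authLogoutUrl);
        return handler;
    }

    /**
     * {@code sso} profile: authenticates from the {@code auth.sso.header} request header. A request
     * without the header is not rejected here; it simply continues down the chain unauthenticated
     * and ends up at form login.
     *
     * @return the header pre-authentication filter
     */
    @Profile({"sso"})
    @Bean
    public RequestHeaderAuthenticationFilter requestHeaderAuthenticationFilter() {
        RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
        filter.setPrincipalRequestHeader(this.principalRequestHeader);
        filter.setExceptionIfHeaderMissing(false);
        filter.setAuthenticationManager(this.authenticationManager);
        return filter;
    }

    /**
     * {@code ssoenv} profile: authenticates from the {@code auth.sso.env} servlet request attribute.
     * A request without the attribute continues down the chain unauthenticated.
     *
     * @return the request-attribute pre-authentication filter
     */
    @Profile({"ssoenv"})
    @Bean
    public RequestAttributeAuthenticationFilter requestAttributeAuthenticationFilter() {
        RequestAttributeAuthenticationFilter filter = new RequestAttributeAuthenticationFilter();
        filter.setPrincipalEnvironmentVariable(this.principalRequestEnvVariable);
        filter.setExceptionIfVariableMissing(false);
        filter.setAuthenticationManager(this.authenticationManager);
        return filter;
    }

    /**
     * {@code cas} profile: CAS ticket validation filter, placed at the standard
     * {@link CasAuthenticationFilter} position by {@link #configure(HttpSecurity)}.
     *
     * @return the CAS authentication filter
     */
    @Profile({"cas"})
    @Bean
    public CasAuthenticationFilter casFilter() {
        CasAuthenticationFilter filter = new CasAuthenticationFilter();
        filter.setAuthenticationManager(this.authenticationManager);
        return filter;
    }

    /**
     * {@code cas} profile: handles {@code /logout} before the standard logout filter and redirects
     * to the CAS server's logout endpoint so the single sign-on session is ended too.
     *
     * @return the CAS single-logout filter
     * @throws IllegalStateException if {@code auth.cas.server.url} is unset; without it the success
     *                               URL would be {@code /logout} itself, i.e. a redirect loop
     */
    @Profile({"cas"})
    @Bean
    public LogoutFilter requestSingleLogoutFilter() {
        if (this.casServerUrl == null || this.casServerUrl.trim().isEmpty()) {
            throw new IllegalStateException(
                    "auth.cas.server.url must be set when the 'cas' profile is active");
        }
        LogoutFilter filter = new LogoutFilter(this.casServerUrl + "/logout", new SecurityContextLogoutHandler());
        filter.setFilterProcessesUrl("/logout");
        return filter;
    }

    /**
     * Publishes session creation/destruction events so the {@link SessionRegistry} stays in sync
     * with the servlet container.
     *
     * @return listener registration for {@link HttpSessionEventPublisher}
     */
    @Bean
    public ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
        return new ServletListenerRegistrationBean<>(new HttpSessionEventPublisher());
    }
}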
