package com.evolveum.midpoint.web.security.module;

import com.evolveum.midpoint.model.api.authentication.ModuleAuthentication;
import com.evolveum.midpoint.model.api.authentication.ModuleWebSecurityConfiguration;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.security.api.AuthorizationConstants;
import com.evolveum.midpoint.web.security.AuditedAccessDeniedHandler;
import com.evolveum.midpoint.web.security.AuditedLogoutHandler;
import com.evolveum.midpoint.web.security.MidPointGuiAuthorizationEvaluator;
import com.evolveum.midpoint.web.security.MidpointAuthenticationManager;
import com.evolveum.midpoint.web.security.MidpointAuthenticationTrustResolverImpl;
import com.evolveum.midpoint.web.security.factory.channel.AuthChannelRegistryImpl;
import com.evolveum.midpoint.web.security.factory.module.AuthModuleRegistryImpl;
import com.evolveum.midpoint.web.security.filter.MidpointAnonymousAuthenticationFilter;
import com.evolveum.midpoint.web.security.filter.RedirectForLoginPagesWithAuthenticationFilter;
import com.evolveum.midpoint.web.security.filter.configurers.MidpointExceptionHandlingConfigurer;
import com.evolveum.midpoint.web.security.util.SecurityUtils;
import java.util.Iterator;
import java.util.UUID;
import javax.servlet.Filter;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/* loaded from: input_file:WEB-INF/classes/com/evolveum/midpoint/web/security/module/ModuleWebSecurityConfig.class */
/**
 * Spring Security web configuration that is built around one module configuration object
 * ({@code C}) and wires midPoint's own access-decision, audit and anonymous-authentication
 * components into the {@link HttpSecurity} filter chain.
 *
 * <p>This listing is decompiler output (see the JADX markers below): several casts, raw types
 * and widened access modifiers are artefacts of decompilation and should not be read as the
 * author's intent.
 *
 * <p>Security-relevant points for a reviewer:
 * <ul>
 *   <li>Spring Security defaults are switched off ({@code super(true)}), so every protection
 *       that applies is the one configured explicitly in {@link #configure(HttpSecurity)}.</li>
 *   <li>CSRF protection can be turned off with the {@code security.enable-csrf} property; doing
 *       so also widens the HTTP methods accepted for logout in {@link #getLogoutMatcher}.</li>
 *   <li>The post-logout redirect target in {@link #createLogoutHandler(String)} is accepted on a
 *       loose prefix test and may be an absolute URL.</li>
 * </ul>
 *
 * @param <C> type of the module configuration this instance is built from
 */
public class ModuleWebSecurityConfig<C extends ModuleWebSecurityConfiguration> extends WebSecurityConfigurerAdapter {

    // Handler invoked when an authenticated request is denied; registered in configure(HttpSecurity).
    @Autowired
    private AuditedAccessDeniedHandler accessDeniedHandler;

    // Injected but not referenced anywhere in this class as shown.
    @Autowired
    private SessionRegistry sessionRegistry;

    // Decides every authorization request; see authorizeRequests() in configure(HttpSecurity).
    @Autowired
    private MidPointGuiAuthorizationEvaluator accessDecisionManager;

    // Injected authentication manager; authenticationManager() adds this module's providers to it.
    @Autowired
    private MidpointAuthenticationManager authenticationManager;

    @Autowired
    AuthModuleRegistryImpl authRegistry;

    @Autowired
    AuthChannelRegistryImpl authChannelRegistry;

    @Autowired
    PrismContext prismContext;

    // CSRF protection stays enabled unless the property security.enable-csrf is set to false
    // (the ":true" suffix is the default used when the property is absent).
    @Value("${security.enable-csrf:true}")
    private boolean csrfEnabled;
    // Kept locally so createLogoutHandler(String) can post-process objects it creates itself.
    private ObjectPostProcessor<Object> objectPostProcessor;
    private C configuration;

    /**
     * Creates the configuration for the given module configuration.
     *
     * @param c module configuration; the methods below tolerate {@code null} only where they
     *          check for it explicitly ({@link #getPrefix()} does not)
     */
    public ModuleWebSecurityConfig(C c) {
        // true = disableDefaults: the adapter adds no default configurers, so everything that
        // should be active has to be set up in configure(HttpSecurity).
        super(true);
        this.configuration = c;
    }

    /** Returns the module configuration passed to the constructor. */
    public C getConfiguration() {
        return this.configuration;
    }

    /** Returns the prefix reported by the module configuration; fails with an NPE if it is null. */
    public String getPrefix() {
        return this.configuration.getPrefix();
    }

    /**
     * Stores the post-processor locally in addition to handing it to the superclass, so that it
     * can be retrieved via {@link #getObjectPostProcessor()} and used by
     * {@link #createLogoutHandler(String)}.
     */
    @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
    public void setObjectPostProcessor(ObjectPostProcessor<Object> objectPostProcessor) {
        this.objectPostProcessor = objectPostProcessor;
        super.setObjectPostProcessor(objectPostProcessor);
    }

    /** Returns the post-processor last set through {@link #setObjectPostProcessor}. */
    public ObjectPostProcessor<Object> getObjectPostProcessor() {
        return this.objectPostProcessor;
    }

    /**
     * Exposes the superclass's {@code getHttp()} result to callers outside the class.
     *
     * @throws Exception whatever {@code getHttp()} throws
     */
    public HttpSecurity getNewHttpSecurity() throws Exception {
        return getHttp();
    }

    /**
     * Configures the filter chain shared by all modules: authorization, access-denied handling,
     * anonymous authentication, CSRF and response headers. The order of the calls below is
     * significant and is left exactly as decompiled.
     *
     * @param httpSecurity builder for this module's filter chain
     * @throws Exception propagated from the Spring Security configurers
     */
    /* JADX INFO: Access modifiers changed from: protected */
    /* JADX WARN: Multi-variable type inference failed */
    @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
    public void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.setSharedObject(AuthenticationTrustResolver.class, new MidpointAuthenticationTrustResolverImpl());
        // Deny by default: every request must be fully authenticated, and the decision is
        // delegated to the injected MidPointGuiAuthorizationEvaluator.
        httpSecurity.authorizeRequests().accessDecisionManager(this.accessDecisionManager).anyRequest().fullyAuthenticated();
        // A second trust-resolver instance is created here; it is not the one registered as the
        // shared object above.
        ((MidpointExceptionHandlingConfigurer) getOrApply(httpSecurity, new MidpointExceptionHandlingConfigurer())).accessDeniedHandler(this.accessDeniedHandler).authenticationTrustResolver(new MidpointAuthenticationTrustResolverImpl());
        // Defaults are disabled in the constructor, so headers, request cache, anonymous
        // authentication and servlet-API integration are enabled explicitly. The casts are
        // decompiler artefacts.
        ((HttpSecurity) ((HttpSecurity) ((HttpSecurity) httpSecurity.headers().and()).requestCache().and()).anonymous().authenticationFilter(createAnonymousFilter()).and()).servletApi();
        httpSecurity.addFilterAfter((Filter) new RedirectForLoginPagesWithAuthenticationFilter(), CsrfFilter.class);
        // CSRF is registered first and then removed again when the property disables it.
        // With CSRF disabled no CsrfConfigurer remains, which getLogoutMatcher() uses to decide
        // whether logout is restricted to POST.
        httpSecurity.csrf();
        if (!this.csrfEnabled) {
            httpSecurity.csrf().disable();
        }
        // NOTE(review): headers are disabled and then immediately requested again to set
        // X-Frame-Options to SAMEORIGIN. Presumably the second headers() call registers a fresh
        // configurer, so which other security headers (HSTS, X-Content-Type-Options, cache
        // control) end up being sent depends on the Spring Security version - confirm against a
        // real response rather than assuming either "all" or "none".
        httpSecurity.headers().disable();
        httpSecurity.headers().frameOptions().sameOrigin();
    }

    /**
     * Builds the anonymous-authentication filter used by {@link #configure(HttpSecurity)}.
     *
     * @return a filter keyed with a fresh random UUID, using the anonymous-user principal
     *         constant and the single authority {@code ROLE_ANONYMOUS}
     */
    protected AnonymousAuthenticationFilter createAnonymousFilter() {
        // The key is generated per call, so each filter instance gets its own value.
        return new MidpointAnonymousAuthenticationFilter(this.authRegistry, this.authChannelRegistry, this.prismContext, UUID.randomUUID().toString(), AuthorizationConstants.ANONYMOUS_USER_PRINCIPAL, AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
    }

    /**
     * Returns the injected authentication manager after adding this module's providers to it.
     *
     * <p>Providers already present (by {@code List.contains}) are not added twice. The provider
     * list of the injected manager is modified in place; NOTE(review): whether that manager is
     * shared with other module configurations is not visible here - if it is, providers
     * accumulate across modules and are never removed by this class.
     *
     * @return the injected {@code MidpointAuthenticationManager}
     * @throws Exception declared by the overridden method
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
    public AuthenticationManager authenticationManager() throws Exception {
        if (this.configuration != null && !this.configuration.getAuthenticationProviders().isEmpty()) {
            for (AuthenticationProvider authenticationProvider : this.configuration.getAuthenticationProviders()) {
                if (!this.authenticationManager.getProviders().contains(authenticationProvider)) {
                    this.authenticationManager.getProviders().add(authenticationProvider);
                }
            }
        }
        return this.authenticationManager;
    }

    /**
     * Registers the module's authentication providers on the builder, or falls back to the
     * superclass behaviour when there is no configuration or it lists no providers.
     *
     * @param authenticationManagerBuilder builder to register the providers on
     * @throws Exception propagated from the superclass or the builder
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
    public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        if (this.configuration == null || this.configuration.getAuthenticationProviders().isEmpty()) {
            super.configure(authenticationManagerBuilder);
            return;
        }
        Iterator<AuthenticationProvider> it = this.configuration.getAuthenticationProviders().iterator();
        while (it.hasNext()) {
            authenticationManagerBuilder.authenticationProvider(it.next());
        }
    }

    /**
     * Builds the matcher that decides whether a request is a logout request.
     *
     * <p>Two paths exist:
     * <ul>
     *   <li>If the currently processing module is flagged for internal logout, the flag is
     *       cleared and the request matches regardless of its URL or HTTP method.</li>
     *   <li>Otherwise the request must match the path pattern {@code str}; the method must be
     *       POST when a {@code CsrfConfigurer} is registered, and may be GET, POST, PUT or
     *       DELETE when it is not.</li>
     * </ul>
     *
     * <p>Security note: with CSRF disabled a plain GET to the logout path ends the session, so a
     * link or image on another site can log a user out. Treat disabling CSRF as also accepting
     * that exposure.
     *
     * @param httpSecurity builder consulted on each request for a registered CsrfConfigurer
     * @param str Ant-style path pattern of the logout URL
     * @return matcher evaluated per request; calling {@code matches} can reset the module's
     *         internal-logout flag as a side effect
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public RequestMatcher getLogoutMatcher(final HttpSecurity httpSecurity, final String str) {
        return new RequestMatcher() { // from class: com.evolveum.midpoint.web.security.module.ModuleWebSecurityConfig.1
            @Override // org.springframework.security.web.util.matcher.RequestMatcher
            public boolean matches(HttpServletRequest httpServletRequest) {
                ModuleAuthentication processingModule = SecurityUtils.getProcessingModule(false);
                if (processingModule == null || !processingModule.isInternalLogout()) {
                    // Regular logout: POST only while CSRF is configured, otherwise any of the
                    // four listed methods. The matchers are rebuilt on every call.
                    return (httpSecurity.getConfigurer(CsrfConfigurer.class) != null ? new AntPathRequestMatcher(str, "POST") : new OrRequestMatcher(new AntPathRequestMatcher(str, "GET"), new AntPathRequestMatcher(str, "POST"), new AntPathRequestMatcher(str, "PUT"), new AntPathRequestMatcher(str, "DELETE"))).matches(httpServletRequest);
                }
                // Internal logout: consume the one-shot flag and match this request whatever
                // its path or method is.
                processingModule.setInternalLogout(false);
                return true;
            }
        };
    }

    /** Creates a logout success handler without a configured target URL. */
    /* JADX INFO: Access modifiers changed from: protected */
    public LogoutSuccessHandler createLogoutHandler() {
        return createLogoutHandler(null);
    }

    /**
     * Creates an audited logout success handler and, if the given value passes a prefix test,
     * uses it as the post-logout redirect target.
     *
     * <p>The value is applied only when it is non-blank and starts with {@code "/"},
     * {@code "http"} or {@code "https"}; anything else is ignored without an error from this
     * method.
     *
     * <p>NOTE(review): the test is a string prefix check, not a scheme check - the
     * {@code "https"} clause is already covered by {@code "http"}, and neither requires
     * {@code "://"}. An absolute URL sends users to another origin after logout, so this value
     * should only ever come from trusted configuration, never from a request parameter; where
     * callers obtain it is not visible in this class.
     *
     * @param str candidate redirect target, may be {@code null}
     * @return the post-processed {@code AuditedLogoutHandler}
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public LogoutSuccessHandler createLogoutHandler(String str) {
        // Requires setObjectPostProcessor() to have been called first; otherwise this is an NPE.
        AuditedLogoutHandler auditedLogoutHandler = (AuditedLogoutHandler) this.objectPostProcessor.postProcess(new AuditedLogoutHandler());
        if (StringUtils.isNotBlank(str) && (str.startsWith("/") || str.startsWith("http") || str.startsWith("https"))) {
            auditedLogoutHandler.setDefaultTargetUrl(str);
        }
        return auditedLogoutHandler;
    }

    /**
     * Returns the configurer of the same class that is already registered on the builder, or
     * applies the given one and returns the result of that call.
     *
     * <p>The raw types and the {@code (HttpSecurity)} cast in the return statement appear to be
     * decompiler artefacts: the JADX warning below records that the original signature was
     * generic in the configurer type.
     *
     * @param httpSecurity builder to look the configurer up on
     * @param securityConfigurerAdapter configurer to apply when none of its class is registered
     * @throws Exception propagated from {@code HttpSecurity.apply}
     */
    /* JADX INFO: Access modifiers changed from: protected */
    /* JADX WARN: Incorrect return type in method signature: <C:Lorg/springframework/security/config/annotation/SecurityConfigurerAdapter<Lorg/springframework/security/web/DefaultSecurityFilterChain;Lorg/springframework/security/config/annotation/web/builders/HttpSecurity;>;>(Lorg/springframework/security/config/annotation/web/builders/HttpSecurity;TC;)TC; */
    public SecurityConfigurerAdapter getOrApply(HttpSecurity httpSecurity, SecurityConfigurerAdapter securityConfigurerAdapter) throws Exception {
        SecurityConfigurerAdapter securityConfigurerAdapter2 = (SecurityConfigurerAdapter) httpSecurity.getConfigurer(securityConfigurerAdapter.getClass());
        return securityConfigurerAdapter2 != null ? securityConfigurerAdapter2 : httpSecurity.apply((HttpSecurity) securityConfigurerAdapter);
    }
}
