package com.evolveum.midpoint.authentication.impl.module.configurer;

import com.evolveum.midpoint.authentication.api.ModuleWebSecurityConfiguration;
import com.evolveum.midpoint.authentication.api.util.AuthUtil;
import com.evolveum.midpoint.authentication.impl.MidpointAuthenticationTrustResolverImpl;
import com.evolveum.midpoint.authentication.impl.MidpointProviderManager;
import com.evolveum.midpoint.authentication.impl.authorization.evaluator.MidPointGuiAuthorizationEvaluator;
import com.evolveum.midpoint.authentication.impl.factory.channel.AuthChannelRegistryImpl;
import com.evolveum.midpoint.authentication.impl.factory.module.AuthModuleRegistryImpl;
import com.evolveum.midpoint.authentication.impl.filter.MidpointAnonymousAuthenticationFilter;
import com.evolveum.midpoint.authentication.impl.filter.RedirectForLoginPagesWithAuthenticationFilter;
import com.evolveum.midpoint.authentication.impl.filter.configurers.MidpointExceptionHandlingConfigurer;
import com.evolveum.midpoint.authentication.impl.handler.AuditedAccessDeniedHandler;
import com.evolveum.midpoint.authentication.impl.handler.AuditedLogoutHandler;
import com.evolveum.midpoint.authentication.impl.module.authentication.ModuleAuthenticationImpl;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.security.api.AuthorizationConstants;
import java.util.Iterator;
import java.util.UUID;
import javax.servlet.Filter;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/* loaded from: input_file:com/evolveum/midpoint/authentication/impl/module/configurer/ModuleWebSecurityConfigurer.class */
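/**
 * Base Spring Security configurer for one midPoint authentication module.
 *
 * <p>Every module is described by a {@link ModuleWebSecurityConfiguration} and gets its own
 * {@link HttpSecurity} (see {@link #getNewHttpSecurity()}). This class wires the parts that are
 * common to all modules: the midPoint trust resolver, the GUI authorization evaluator as access
 * decision manager, the audited access-denied and logout handlers, the anonymous filter and the
 * CSRF / header settings. Module-specific configurers extend it.
 *
 * <p>Decompiled listing: the {@code configure(HttpSecurity)}, {@code authenticationManager()},
 * {@code getLogoutMatcher}, {@code createLogoutHandler} and {@code getOrApply} members were
 * {@code protected} in the original source (decompiler note); they are kept as listed here.
 *
 * @param <C> the module configuration type this configurer is built from
 */
public class ModuleWebSecurityConfigurer<C extends ModuleWebSecurityConfiguration> extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuditedAccessDeniedHandler accessDeniedHandler;

    @Autowired
    private SessionRegistry sessionRegistry;

    @Autowired
    private MidPointGuiAuthorizationEvaluator accessDecisionManager;

    /** Shared provider manager; {@link #authenticationManager()} appends this module's providers to it. */
    @Autowired
    private MidpointProviderManager authenticationManager;

    @Autowired
    private AuthModuleRegistryImpl authRegistry;

    @Autowired
    private AuthChannelRegistryImpl authChannelRegistry;

    @Autowired
    private PrismContext prismContext;

    /**
     * CSRF protection is on unless {@code security.enable-csrf=false} is configured. Turning it off
     * applies to every module built by this configurer, and it also widens the logout matcher to
     * non-POST requests (see {@link #getLogoutMatcher}).
     */
    @Value("${security.enable-csrf:true}")
    private boolean csrfEnabled;

    /** Post-processor captured from the parent so objects created here (e.g. logout handlers) are wired the same way. */
    private ObjectPostProcessor<Object> objectPostProcessor;

    /** Module configuration; may be {@code null}, which the authentication-manager methods tolerate. */
    private final C configuration;

    /**
     * Creates a configurer for the given module configuration.
     *
     * @param c module configuration (may be {@code null})
     */
    public ModuleWebSecurityConfigurer(C c) {
        // true = disableDefaults: the adapter's default HttpSecurity setup is skipped and built explicitly in configure().
        super(true);
        this.configuration = c;
    }

    /** @return the module configuration passed to the constructor (may be {@code null}) */
    public C getConfiguration() {
        return this.configuration;
    }

    /** @return the URL prefix of this module, taken from the configuration */
    public String getPrefix() {
        return this.configuration.getPrefixOfModule();
    }

    /**
     * Keeps a reference to the post-processor in addition to handing it to the parent, so that
     * {@link #createLogoutHandler(String)} can post-process the handlers it creates.
     */
    @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
    public void setObjectPostProcessor(ObjectPostProcessor<Object> objectPostProcessor) {
        this.objectPostProcessor = objectPostProcessor;
        super.setObjectPostProcessor(objectPostProcessor);
    }

    /** @return the post-processor set via {@link #setObjectPostProcessor}; {@code null} until then */
    public ObjectPostProcessor<Object> getObjectPostProcessor() {
        return this.objectPostProcessor;
    }

    /**
     * Exposes the adapter's {@code getHttp()} so the module factory can obtain the
     * {@link HttpSecurity} for this module.
     *
     * @throws Exception propagated from the adapter
     */
    public HttpSecurity getNewHttpSecurity() throws Exception {
        return getHttp();
    }

    /**
     * Common {@link HttpSecurity} setup for all modules.
     *
     * <p>Order matters for the builder calls below; it is preserved from the original source.
     *
     * @param httpSecurity the builder for this module's filter chain
     * @throws Exception propagated from the builder
     */
    // decompiler note: the original access modifier was protected
    @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
    public void configure(HttpSecurity httpSecurity) throws Exception {
        // Trust resolver that understands midPoint's module authentication tokens.
        httpSecurity.setSharedObject(AuthenticationTrustResolver.class, new MidpointAuthenticationTrustResolverImpl());

        // Every request must be fully authenticated; decisions go through the GUI authorization evaluator.
        httpSecurity.authorizeRequests()
                .accessDecisionManager(this.accessDecisionManager)
                .anyRequest()
                .fullyAuthenticated();

        // Reuse an exception-handling configurer if one was already applied to this builder.
        getOrApply(httpSecurity, new MidpointExceptionHandlingConfigurer())
                .accessDeniedHandler(this.accessDeniedHandler)
                .authenticationTrustResolver(new MidpointAuthenticationTrustResolverImpl());

        // Equivalent to the chained headers().and().requestCache().and().anonymous()...and().servletApi().
        httpSecurity.headers();
        httpSecurity.requestCache();
        httpSecurity.anonymous().authenticationFilter(createAnonymousFilter());
        httpSecurity.servletApi();

        httpSecurity.addFilterAfter(new RedirectForLoginPagesWithAuthenticationFilter(), CsrfFilter.class);

        // CSRF is registered first and only removed when explicitly disabled by configuration.
        httpSecurity.csrf();
        if (!this.csrfEnabled) {
            httpSecurity.csrf().disable();
        }

        // NOTE(review): the headers configurer is removed and immediately re-created with
        // frame options set to SAMEORIGIN; which other default headers are emitted after this
        // depends on the Spring Security version in use - confirm when reviewing header policy.
        httpSecurity.headers().disable();
        httpSecurity.headers().frameOptions().sameOrigin();
    }

    /**
     * Builds the anonymous filter for this module.
     *
     * <p>The filter key is a fresh random UUID per configurer instance, so anonymous tokens are tied
     * to the filter that issued them. The anonymous principal carries only {@code ROLE_ANONYMOUS}.
     *
     * @return the midPoint anonymous authentication filter
     */
    protected AnonymousAuthenticationFilter createAnonymousFilter() {
        String filterKey = UUID.randomUUID().toString();
        return new MidpointAnonymousAuthenticationFilter(
                this.authRegistry,
                this.authChannelRegistry,
                this.prismContext,
                filterKey,
                AuthorizationConstants.ANONYMOUS_USER_PRINCIPAL,
                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
    }

    /**
     * Returns the shared provider manager, after appending this module's authentication providers
     * to it. Providers already present are not added twice, so the method is safe to call more than once.
     *
     * @return the shared {@link MidpointProviderManager}
     * @throws Exception declared by the adapter; not thrown here
     */
    // decompiler note: the original access modifier was protected
    @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
    public AuthenticationManager authenticationManager() throws Exception {
        if (this.configuration != null) {
            for (AuthenticationProvider provider : this.configuration.getAuthenticationProviders()) {
                if (!this.authenticationManager.getProviders().contains(provider)) {
                    this.authenticationManager.getProviders().add(provider);
                }
            }
        }
        return this.authenticationManager;
    }

    /**
     * Registers this module's authentication providers with the builder; without any providers
     * the adapter's default configuration is used instead.
     *
     * @param authenticationManagerBuilder the builder to configure
     * @throws Exception propagated from the adapter
     */
    @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        if (this.configuration == null || this.configuration.getAuthenticationProviders().isEmpty()) {
            super.configure(authenticationManagerBuilder);
            return;
        }
        for (AuthenticationProvider provider : this.configuration.getAuthenticationProviders()) {
            authenticationManagerBuilder.authenticationProvider(provider);
        }
    }

    /**
     * Request matcher deciding whether a request is a logout for this module.
     *
     * <p>An internal logout (flag on the processing module authentication) matches unconditionally;
     * the flag is consumed (reset to {@code false}) on the first match. Otherwise the URL matcher
     * from {@link #logoutUrlMatcher} is evaluated per request, so a later change to the CSRF
     * configurer is still honoured.
     *
     * @param httpSecurity the builder, queried for the presence of a CSRF configurer
     * @param str the logout URL pattern
     * @return the matcher
     */
    // decompiler note: the original access modifier was protected
    public RequestMatcher getLogoutMatcher(HttpSecurity httpSecurity, String str) {
        return httpServletRequest -> {
            ModuleAuthenticationImpl moduleAuthentication = (ModuleAuthenticationImpl) AuthUtil.getProcessingModuleIfExist();
            boolean internalLogout = moduleAuthentication != null && moduleAuthentication.isInternalLogout();
            if (internalLogout) {
                // One-shot flag: clear it so the next request is matched by URL again.
                moduleAuthentication.setInternalLogout(false);
                return true;
            }
            return logoutUrlMatcher(httpSecurity, str).matches(httpServletRequest);
        };
    }

    /**
     * URL matcher for logout requests. With CSRF protection present only POST is accepted (a
     * cross-site GET cannot then log the user out); without it GET, POST, PUT and DELETE are all
     * accepted, mirroring Spring Security's own logout defaults.
     */
    private static RequestMatcher logoutUrlMatcher(HttpSecurity httpSecurity, String logoutUrl) {
        if (httpSecurity.getConfigurer(CsrfConfigurer.class) != null) {
            return new AntPathRequestMatcher(logoutUrl, "POST");
        }
        return new OrRequestMatcher(
                new AntPathRequestMatcher(logoutUrl, "GET"),
                new AntPathRequestMatcher(logoutUrl, "POST"),
                new AntPathRequestMatcher(logoutUrl, "PUT"),
                new AntPathRequestMatcher(logoutUrl, "DELETE"));
    }

    /**
     * Creates an audited logout handler without a default target URL.
     *
     * @return the post-processed handler
     */
    // decompiler note: the original access modifier was protected
    public LogoutSuccessHandler createLogoutHandler() {
        return createLogoutHandler(null);
    }

    /**
     * Creates an audited logout handler, optionally with a default redirect target after logout.
     *
     * <p>The target is only applied when it is a site-relative path or an absolute {@code http(s)}
     * URL. Since absolute URLs are accepted, the value is expected to come from module
     * configuration rather than from the request - callers should confirm this.
     *
     * @param str default target URL after logout; ignored when blank or not an accepted form
     * @return the post-processed handler
     */
    // decompiler note: the original access modifier was protected
    public LogoutSuccessHandler createLogoutHandler(String str) {
        // postProcess() is generic in its argument type, so no cast is needed.
        AuditedLogoutHandler logoutHandler = this.objectPostProcessor.postProcess(new AuditedLogoutHandler());
        if (isAcceptedLogoutTarget(str)) {
            logoutHandler.setDefaultTargetUrl(str);
        }
        return logoutHandler;
    }

    /** Accepts site-relative paths and absolute http/https URLs (the "http" prefix already covers "https"). */
    private static boolean isAcceptedLogoutTarget(String url) {
        return StringUtils.isNotBlank(url) && (url.startsWith("/") || url.startsWith("http"));
    }

    /**
     * Returns the configurer of {@code ca}'s class already applied to the builder, or applies
     * {@code ca} and returns it.
     *
     * @param httpSecurity the builder
     * @param ca the configurer to look up by class, or to apply
     * @param <CA> configurer type
     * @return the existing or newly applied configurer
     * @throws Exception propagated from {@link HttpSecurity#apply}
     */
    // decompiler note: the original access modifier was protected
    // getConfigurer() is looked up by runtime class, so the result is only known to be CA by construction.
    @SuppressWarnings("unchecked")
    public <CA extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity>> CA getOrApply(HttpSecurity httpSecurity, CA ca) throws Exception {
        CA existing = (CA) httpSecurity.getConfigurer(ca.getClass());
        if (existing != null) {
            return existing;
        }
        // The decompiled listing showed a cast of the configurer to HttpSecurity here; apply() takes the configurer itself.
        return httpSecurity.apply(ca);
    }
}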
