package com.evolveum.midpoint.authentication.impl.module.configurer;

import com.evolveum.midpoint.authentication.api.AuthenticationChannel;
import com.evolveum.midpoint.authentication.api.config.MidpointAuthentication;
import com.evolveum.midpoint.authentication.api.config.ModuleAuthentication;
import com.evolveum.midpoint.authentication.api.util.AuthUtil;
import com.evolveum.midpoint.authentication.impl.entry.point.RemoteAuthenticationEntryPoint;
import com.evolveum.midpoint.authentication.impl.factory.channel.AuthChannelRegistryImpl;
import com.evolveum.midpoint.authentication.impl.factory.module.AuthModuleRegistryImpl;
import com.evolveum.midpoint.authentication.impl.filter.MidpointAnonymousAuthenticationFilter;
import com.evolveum.midpoint.authentication.impl.filter.UseCsrfFilterOnlyForAuthenticatedRequest;
import com.evolveum.midpoint.authentication.impl.filter.configurers.MidpointExceptionHandlingConfigurer;
import com.evolveum.midpoint.authentication.impl.module.authentication.ModuleAuthenticationImpl;
import com.evolveum.midpoint.authentication.impl.module.configuration.RemoteModuleWebSecurityConfiguration;
import com.evolveum.midpoint.model.api.ModelAuditRecorder;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.repo.common.SystemObjectCache;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.util.SystemConfigurationTypeUtil;
import com.evolveum.midpoint.security.api.AuthorizationConstants;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractAuthenticationModuleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationSequenceChannelType;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.http.HttpServletRequest;
import java.util.Map;
import java.util.UUID;
import org.apache.wicket.util.cookies.CookieUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

/* loaded from: input_file:BOOT-INF/lib/authentication-impl-4.9.1-SNAPSHOT.jar:com/evolveum/midpoint/authentication/impl/module/configurer/RemoteModuleWebSecurityConfigurer.class */
/**
 * Common {@link HttpSecurity} wiring for authentication modules whose credentials are issued by a
 * remote party (the concrete token type is supplied by subclasses via {@link #getAuthTokenClass()}).
 *
 * <p>What this configurer sets up on top of {@link ModuleWebSecurityConfigurer}:
 * <ul>
 *   <li>a security matcher restricted to the module prefix ({@code <prefix>/**}),</li>
 *   <li>CSRF protection that is only enforced for already-authenticated requests,</li>
 *   <li>an exception-handling configurer that can turn a remote token carried in the details of an
 *       anonymous token back into a real {@link Authentication}, plus a remote entry point,</li>
 *   <li>a logout endpoint at {@code <prefix>/logout} that clears authentication, invalidates the
 *       session and deletes the session cookie,</li>
 *   <li>an anonymous filter that only (re)creates the anonymous token when the processing module has
 *       no authentication yet or holds one of the remote token type.</li>
 * </ul>
 *
 * @param <C>  the module web security configuration type
 * @param <MT> the schema type describing the module
 */
public abstract class RemoteModuleWebSecurityConfigurer<C extends RemoteModuleWebSecurityConfiguration, MT extends AbstractAuthenticationModuleType> extends ModuleWebSecurityConfigurer<C, MT> {

    private static final Trace LOGGER = TraceManager.getTrace(RemoteModuleWebSecurityConfigurer.class);

    @Autowired
    private ModelAuditRecorder auditProvider;

    @Autowired
    private AuthModuleRegistryImpl authRegistry;

    @Autowired
    private AuthChannelRegistryImpl authChannelRegistry;

    @Autowired
    SystemObjectCache systemObjectCache;

    /**
     * Details source used by the anonymous filter.
     *
     * <p>If the security context holds a {@link MidpointAuthentication} whose processing module already
     * carries an authentication of the configured remote token type, that authentication becomes the
     * details object (so it survives the anonymous token and can later be restored by
     * {@code createNewAuthentication} in {@link #configure(HttpSecurity)}). In every other case the
     * standard {@link WebAuthenticationDetailsSource} result is used.
     */
    private static class RemoteAuthenticationDetailsSource implements AuthenticationDetailsSource<HttpServletRequest, Object> {

        private final WebAuthenticationDetailsSource fallbackSource = new WebAuthenticationDetailsSource();
        private final Class<? extends Authentication> tokenClass;

        private RemoteAuthenticationDetailsSource(Class<? extends Authentication> tokenClass) {
            this.tokenClass = tokenClass;
        }

        /**
         * @param request the current request
         * @return the processing module's authentication when it is an instance of the remote token
         *         class, otherwise the default web authentication details
         */
        @Override
        public Object buildDetails(HttpServletRequest request) {
            Authentication current = SecurityContextHolder.getContext().getAuthentication();
            if (current instanceof MidpointAuthentication) {
                ModuleAuthentication module = ((MidpointAuthentication) current).getProcessingModuleAuthentication();
                if (module != null) {
                    Object moduleToken = module.getAuthentication();
                    if (moduleToken != null && tokenClass.isAssignableFrom(moduleToken.getClass())) {
                        return moduleToken;
                    }
                }
            }
            return fallbackSource.buildDetails(request);
        }
    }

    public RemoteModuleWebSecurityConfigurer(MT mt, String str, AuthenticationChannel authenticationChannel, ObjectPostProcessor<Object> objectPostProcessor, ServletRequest servletRequest, AuthenticationProvider authenticationProvider) {
        super(mt, str, authenticationChannel, objectPostProcessor, servletRequest, authenticationProvider);
    }

    /** @return the audit recorder injected into this configurer */
    protected ModelAuditRecorder getAuditProvider() {
        return this.auditProvider;
    }

    /**
     * Applies the remote-module specific security configuration (see the class documentation).
     *
     * @param http the builder to configure
     * @throws Exception propagated from the underlying Spring Security configurers
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        super.configure(http);

        http.securityMatcher(AuthUtil.stripEndingSlashes(getPrefix()) + "/**");
        // Unauthenticated requests (the remote login itself) carry no CSRF token; enforce CSRF only once authenticated.
        http.csrf().requireCsrfProtectionMatcher(new UseCsrfFilterOnlyForAuthenticatedRequest());

        MidpointExceptionHandlingConfigurer exceptionHandling =
                (MidpointExceptionHandlingConfigurer) getOrApply(http, new MidpointExceptionHandlingConfigurer() {
                    /**
                     * Restores the remote token that {@link RemoteAuthenticationDetailsSource} stashed in the
                     * anonymous token's details; returns {@code null} when the details are absent or of another type.
                     */
                    @Override
                    protected Authentication createNewAuthentication(AnonymousAuthenticationToken anonymousToken, AuthenticationSequenceChannelType channel) {
                        Object details = anonymousToken.getDetails();
                        boolean isRemoteToken = details != null
                                && RemoteModuleWebSecurityConfigurer.this.getAuthTokenClass().isAssignableFrom(details.getClass());
                        return isRemoteToken ? (Authentication) details : null;
                    }
                });
        exceptionHandling.authenticationEntryPoint(new RemoteAuthenticationEntryPoint(getAuthEntryPointUrl()));

        http.logout()
                .clearAuthentication(true)
                .logoutRequestMatcher(new AntPathRequestMatcher(getPrefix() + "/logout"))
                .invalidateHttpSession(true)
                .deleteCookies(CookieUtils.DEFAULT_SESSIONID_COOKIE_NAME)
                .logoutSuccessHandler(getLogoutRequestSuccessHandler());
    }

    /** @return the URL the {@link RemoteAuthenticationEntryPoint} redirects unauthenticated requests to */
    protected abstract String getAuthEntryPointUrl();

    /** @return the handler invoked after a successful logout on {@code <prefix>/logout} */
    protected abstract LogoutSuccessHandler getLogoutRequestSuccessHandler();

    /**
     * Creates the anonymous filter for this module.
     *
     * <p>The filter's {@code processAuthentication} only replaces the processing module's authentication
     * (and the principal of the enclosing {@link MidpointAuthentication}) when that module has no
     * authentication yet or holds one of the remote token type; any other authentication is left intact.
     *
     * @param map additional attributes passed through to {@link MidpointAnonymousAuthenticationFilter}
     * @return the configured filter, with {@link RemoteAuthenticationDetailsSource} as its details source
     */
    @Override
    protected AnonymousAuthenticationFilter createAnonymousFilter(Map<Class<?>, Object> map) {
        MidpointAnonymousAuthenticationFilter filter = new MidpointAnonymousAuthenticationFilter(
                this.authRegistry,
                this.authChannelRegistry,
                PrismContext.get(),
                UUID.randomUUID().toString(),  // per-instance anonymous key
                AuthorizationConstants.ANONYMOUS_USER_PRINCIPAL,
                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"),
                map) {

            @Override
            protected void processAuthentication(ServletRequest request) {
                Authentication current = SecurityContextHolder.getContext().getAuthentication();
                if (!(current instanceof MidpointAuthentication)) {
                    return;
                }
                MidpointAuthentication mpAuthentication = (MidpointAuthentication) current;
                ModuleAuthenticationImpl module = (ModuleAuthenticationImpl) mpAuthentication.getProcessingModuleAuthentication();
                if (module == null) {
                    return;
                }
                Object existing = module.getAuthentication();
                boolean replaceable = existing == null
                        || RemoteModuleWebSecurityConfigurer.this.getAuthTokenClass().isAssignableFrom(existing.getClass());
                if (!replaceable) {
                    return;
                }
                Authentication anonymous = createBasicAuthentication((HttpServletRequest) request);
                module.setAuthentication(anonymous);
                mpAuthentication.setPrincipal(anonymous.getPrincipal());
            }
        };
        filter.setAuthenticationDetailsSource(new RemoteAuthenticationDetailsSource(getAuthTokenClass()));
        return filter;
    }

    /** @return the {@link Authentication} subtype produced by this remote module */
    protected abstract Class<? extends Authentication> getAuthTokenClass();

    /**
     * Resolves the public HTTP URL pattern from the system configuration for the request's server name.
     *
     * @param servletRequest the current request; its server name is passed to the pattern lookup
     * @return the pattern, or {@code null} when the system configuration cannot be loaded
     *         (the failure is logged, callers must handle {@code null})
     */
    public String getPublicUrlPrefix(ServletRequest servletRequest) {
        try {
            OperationResult result = new OperationResult("load system configuration");
            // NOTE(review): the server name originates from the incoming request, so this relies on
            // SystemConfigurationTypeUtil matching it against configured patterns rather than using it verbatim — confirm.
            return SystemConfigurationTypeUtil.getPublicHttpUrlPattern(
                    this.systemObjectCache.getSystemConfiguration(result).asObjectable(),
                    servletRequest.getServerName());
        } catch (SchemaException e) {
            LOGGER.error("Couldn't load system configuration", e);
            return null;
        }
    }
}
