package com.erudika.para.security;

import com.erudika.para.Para;
import com.erudika.para.rest.Signer;
import com.erudika.para.security.filters.FacebookAuthFilter;
import com.erudika.para.security.filters.GenericOAuth2Filter;
import com.erudika.para.security.filters.GitHubAuthFilter;
import com.erudika.para.security.filters.GoogleAuthFilter;
import com.erudika.para.security.filters.LdapAuthFilter;
import com.erudika.para.security.filters.LinkedInAuthFilter;
import com.erudika.para.security.filters.MicrosoftAuthFilter;
import com.erudika.para.security.filters.OpenIDAuthFilter;
import com.erudika.para.security.filters.PasswordAuthFilter;
import com.erudika.para.security.filters.TwitterAuthFilter;
import com.erudika.para.utils.Config;
import com.typesafe.config.ConfigList;
import com.typesafe.config.ConfigObject;
import com.typesafe.config.ConfigValue;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.Locale;
import javax.annotation.security.DeclareRoles;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.RememberMeAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.openid.OpenIDAuthenticationProvider;
import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.firewall.DefaultHttpFirewall;
import org.springframework.security.web.util.matcher.RequestMatcher;

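/**
 * Spring Security configuration: authentication providers, the HTTP firewall,
 * URL authorization rules read from the {@code security.protected} config
 * object, CSRF and session policy, and the chain of authentication filters.
 *
 * <p>Settings with a direct security impact that are driven by configuration:
 * <ul>
 *   <li>{@code security.csrf_protection} (default {@code true}) - when false,
 *       CSRF protection is disabled for the whole application;</li>
 *   <li>{@code security.api_security} - when true, the JWT and request-signature
 *       filters are installed for REST requests;</li>
 *   <li>{@code security.protected} - path patterns and the roles / HTTP methods
 *       that guard them, see {@link #parseProtectedResources}.</li>
 * </ul>
 */
@DeclareRoles({"ROLE_USER", "ROLE_MOD", "ROLE_ADMIN", "ROLE_APP"})
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    private static final Logger logger = LoggerFactory.getLogger(SecurityConfig.class);

    // Roles applied to a protected resource that lists no roles of its own.
    private static final String[] DEFAULT_ROLES = {"USER", "MOD", "ADMIN", "APP"};

    // Collaborators are looked up through Para.getInstance(); every filter is
    // null-checked before use, so any of them may be absent at runtime.
    private final CachedCsrfTokenRepository csrfTokenRepository = (CachedCsrfTokenRepository) Para.getInstance(CachedCsrfTokenRepository.class);
    private final SimpleRememberMeServices rememberMeServices = (SimpleRememberMeServices) Para.getInstance(SimpleRememberMeServices.class);
    private final PasswordAuthFilter passwordFilter = (PasswordAuthFilter) Para.getInstance(PasswordAuthFilter.class);
    private final OpenIDAuthFilter openidFilter = (OpenIDAuthFilter) Para.getInstance(OpenIDAuthFilter.class);
    private final FacebookAuthFilter facebookFilter = (FacebookAuthFilter) Para.getInstance(FacebookAuthFilter.class);
    private final GoogleAuthFilter googleFilter = (GoogleAuthFilter) Para.getInstance(GoogleAuthFilter.class);
    private final LinkedInAuthFilter linkedinFilter = (LinkedInAuthFilter) Para.getInstance(LinkedInAuthFilter.class);
    private final TwitterAuthFilter twitterFilter = (TwitterAuthFilter) Para.getInstance(TwitterAuthFilter.class);
    private final GitHubAuthFilter githubFilter = (GitHubAuthFilter) Para.getInstance(GitHubAuthFilter.class);
    private final MicrosoftAuthFilter microsoftFilter = (MicrosoftAuthFilter) Para.getInstance(MicrosoftAuthFilter.class);
    private final GenericOAuth2Filter oauth2Filter = (GenericOAuth2Filter) Para.getInstance(GenericOAuth2Filter.class);
    private final LdapAuthFilter ldapFilter = (LdapAuthFilter) Para.getInstance(LdapAuthFilter.class);
    private final JWTRestfulAuthFilter jwtFilter = (JWTRestfulAuthFilter) Para.getInstance(JWTRestfulAuthFilter.class);

    /**
     * Registers the authentication providers, in order: OpenID, remember-me,
     * JWT and LDAP.
     *
     * @param authenticationManagerBuilder builder the providers are added to
     * @throws Exception declared by the overridden adapter method
     */
    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        OpenIDAuthenticationProvider openIdProvider = new OpenIDAuthenticationProvider();
        openIdProvider.setAuthenticationUserDetailsService(new SimpleUserService());
        authenticationManagerBuilder.authenticationProvider(openIdProvider);
        // The remember-me provider is keyed with the application secret, so the
        // validity of remember-me authentication depends on that key staying private.
        authenticationManagerBuilder.authenticationProvider(new RememberMeAuthenticationProvider(Config.APP_SECRET_KEY));
        authenticationManagerBuilder.authenticationProvider(new JWTAuthenticationProvider());
        authenticationManagerBuilder.authenticationProvider(new LDAPAuthenticationProvider());
    }

    /**
     * Excludes requests matched by {@code IgnoredRequestMatcher} from the security
     * filter chain and installs an HTTP firewall that accepts URL-encoded slashes.
     *
     * @param webSecurity the web security builder
     * @throws Exception declared by the overridden adapter method
     */
    public void configure(WebSecurity webSecurity) throws Exception {
        // Ignored requests bypass every filter registered in this class.
        webSecurity.ignoring().requestMatchers(IgnoredRequestMatcher.INSTANCE);
        DefaultHttpFirewall firewall = new DefaultHttpFirewall();
        // Relaxes the firewall default, which rejects "%2F" in the request path.
        // NOTE(review): confirm the patterns under security.protected cannot be
        // sidestepped by an encoded-slash form of the same path.
        firewall.setAllowUrlEncodedSlash(true);
        webSecurity.httpFirewall(firewall);
    }

    /**
     * Builds the HTTP security rules: protected resources, CSRF, session policy,
     * entry point and access-denied handling, logout, remember-me and the
     * authentication filters.
     *
     * @param httpSecurity the HTTP security builder
     * @throws Exception if a rule or filter cannot be configured
     */
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        ConfigObject protectedResources = Config.getConfig().getObject("security.protected");
        ConfigValue apiSecurity = Config.getConfig().getValue("security.api_security");
        // REST security is on only when the value is the boolean true.
        boolean restSecurityEnabled = apiSecurity != null && Boolean.TRUE.equals(apiSecurity.unwrapped());
        String signinPath = Config.getConfigParam("security.signin", "/signin");
        String signoutPath = Config.getConfigParam("security.signout", "/signout");
        String accessDeniedPath = Config.getConfigParam("security.access_denied", "/403");
        // After sign-out the user lands on the sign-in page unless configured otherwise.
        String signoutSuccessPath = Config.getConfigParam("security.signout_success", signinPath);

        if (restSecurityEnabled) {
            // NOTE(review): no access rule is attached to this matcher here; REST
            // authorization presumably relies on the filters added at the end of
            // this method - confirm.
            httpSecurity.authorizeRequests().requestMatchers(RestRequestMatcher.INSTANCE);
        }
        parseProtectedResources(httpSecurity, protectedResources);

        if (Config.getConfigBoolean("security.csrf_protection", true)) {
            httpSecurity.csrf().requireCsrfProtectionMatcher(CsrfProtectionRequestMatcher.INSTANCE).csrfTokenRepository(this.csrfTokenRepository);
        } else {
            // Operator opt-out: state-changing requests are no longer CSRF-checked.
            httpSecurity.csrf().disable();
        }

        // No session ids in URLs, and Spring Security never creates a session itself.
        httpSecurity.sessionManagement().enableSessionUrlRewriting(false);
        httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER);
        httpSecurity.sessionManagement().sessionAuthenticationStrategy(new NullAuthenticatedSessionStrategy());
        httpSecurity.exceptionHandling().authenticationEntryPoint(new SimpleAuthenticationEntryPoint(signinPath));
        httpSecurity.exceptionHandling().accessDeniedHandler(new SimpleAccessDeniedHandler(accessDeniedPath));
        httpSecurity.requestCache().requestCache(new SimpleRequestCache());
        httpSecurity.logout().logoutUrl(signoutPath).logoutSuccessUrl(signoutSuccessPath);
        httpSecurity.rememberMe().rememberMeServices(this.rememberMeServices);
        registerAuthFilters(httpSecurity);

        if (restSecurityEnabled) {
            if (this.jwtFilter != null) {
                this.jwtFilter.setAuthenticationManager(authenticationManager());
                httpSecurity.addFilterBefore(this.jwtFilter, RememberMeAuthenticationFilter.class);
            }
            // NOTE(review): this positions the signature filter relative to
            // JWTRestfulAuthFilter even when jwtFilter is null and was never
            // registered - verify that case is handled.
            httpSecurity.addFilterAfter(new RestAuthFilter(new Signer()), JWTRestfulAuthFilter.class);
        }
    }

    /**
     * Gives each available login filter the authentication manager and places it
     * after {@link BasicAuthenticationFilter}. Filters that are null are skipped.
     *
     * @param httpSecurity the HTTP security builder
     * @throws Exception if the authentication manager cannot be obtained
     */
    private void registerAuthFilters(HttpSecurity httpSecurity) throws Exception {
        if (this.passwordFilter != null) {
            this.passwordFilter.setAuthenticationManager(authenticationManager());
            httpSecurity.addFilterAfter(this.passwordFilter, BasicAuthenticationFilter.class);
        }
        if (this.openidFilter != null) {
            this.openidFilter.setAuthenticationManager(authenticationManager());
            httpSecurity.addFilterAfter(this.openidFilter, BasicAuthenticationFilter.class);
        }
        if (this.facebookFilter != null) {
            this.facebookFilter.setAuthenticationManager(authenticationManager());
            httpSecurity.addFilterAfter(this.facebookFilter, BasicAuthenticationFilter.class);
        }
        if (this.googleFilter != null) {
            this.googleFilter.setAuthenticationManager(authenticationManager());
            httpSecurity.addFilterAfter(this.googleFilter, BasicAuthenticationFilter.class);
        }
        if (this.linkedinFilter != null) {
            this.linkedinFilter.setAuthenticationManager(authenticationManager());
            httpSecurity.addFilterAfter(this.linkedinFilter, BasicAuthenticationFilter.class);
        }
        if (this.twitterFilter != null) {
            this.twitterFilter.setAuthenticationManager(authenticationManager());
            httpSecurity.addFilterAfter(this.twitterFilter, BasicAuthenticationFilter.class);
        }
        if (this.githubFilter != null) {
            this.githubFilter.setAuthenticationManager(authenticationManager());
            httpSecurity.addFilterAfter(this.githubFilter, BasicAuthenticationFilter.class);
        }
        if (this.microsoftFilter != null) {
            this.microsoftFilter.setAuthenticationManager(authenticationManager());
            httpSecurity.addFilterAfter(this.microsoftFilter, BasicAuthenticationFilter.class);
        }
        if (this.oauth2Filter != null) {
            this.oauth2Filter.setAuthenticationManager(authenticationManager());
            httpSecurity.addFilterAfter(this.oauth2Filter, BasicAuthenticationFilter.class);
        }
        if (this.ldapFilter != null) {
            this.ldapFilter.setAuthenticationManager(authenticationManager());
            httpSecurity.addFilterAfter(this.ldapFilter, BasicAuthenticationFilter.class);
        }
    }

    /**
     * Turns the {@code security.protected} config object into authorization rules.
     *
     * <p>Every value of the object is read as a list. String elements are Ant path
     * patterns; a nested list holds role names and/or HTTP method names. Names are
     * upper-cased and trimmed; a name that resolves to an {@link HttpMethod}
     * restricts the rule to that method, any other name is treated as a role.
     * A resource without roles is guarded by {@link #DEFAULT_ROLES}.
     *
     * <p>An element that cannot be parsed is logged and skipped; the remaining
     * elements of the same resource are still applied.
     *
     * @param httpSecurity the HTTP security builder the rules are added to
     * @param configObject the {@code security.protected} config object
     * @throws Exception if a rule cannot be registered
     */
    private void parseProtectedResources(HttpSecurity httpSecurity, ConfigObject configObject) throws Exception {
        for (ConfigValue resource : configObject.values()) {
            LinkedList<String> patterns = new LinkedList<>();
            LinkedList<String> roles = new LinkedList<>();
            HashSet<HttpMethod> methods = new HashSet<>();
            for (ConfigValue element : (ConfigList) resource) {
                try {
                    if (element instanceof ConfigList) {
                        for (ConfigValue token : (ConfigList) element) {
                            // Locale.ROOT keeps the upper-casing independent of the
                            // JVM default locale, so role and method names written
                            // in lower case map to the same value on every host.
                            String name = ((String) token.unwrapped()).toUpperCase(Locale.ROOT).trim();
                            HttpMethod method = HttpMethod.resolve(name);
                            if (method != null) {
                                methods.add(method);
                            } else {
                                roles.add(name);
                            }
                        }
                    } else {
                        patterns.add((String) element.unwrapped());
                    }
                } catch (Exception e) {
                    // NOTE(review): this fails open - a pattern that cannot be read is
                    // dropped and that path gets no rule from this entry. Consider
                    // refusing to start on a malformed entry instead.
                    logger.error("Invalid config syntax for protected resource: {}.", element.render(), e);
                }
            }
            String[] allowedRoles = roles.isEmpty() ? DEFAULT_ROLES : roles.toArray(new String[0]);
            String[] antPatterns = patterns.toArray(new String[0]);
            if (methods.isEmpty()) {
                // No method listed: the rule covers every HTTP method.
                httpSecurity.authorizeRequests().antMatchers(antPatterns).hasAnyRole(allowedRoles);
            } else {
                // Only the listed methods are restricted; other methods on the same
                // patterns get no rule from this entry.
                for (HttpMethod method : methods) {
                    httpSecurity.authorizeRequests().antMatchers(method, antPatterns).hasAnyRole(allowedRoles);
                }
            }
        }
    }
}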
