package pl.edu.icm.crpd.webapp;

import com.google.common.collect.Lists;
import java.util.Collections;
import javax.servlet.Filter;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.transport.http.HTTPConduit;
import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import pl.edu.icm.crpd.webapp.security.CrpdDaoAuthenticationProvider;
import pl.edu.icm.crpd.webapp.security.CrpdGrantedAuthority;
import pl.edu.icm.crpd.webapp.security.DepositBasicAuthenticationEntryPoint;
import pl.edu.icm.crpd.webapp.security.InstitutionTokenAuthenticationProvider;
import pl.edu.icm.crpd.webapp.security.RemoteAddrAuthenticationFilter;
import pl.edu.icm.crpd.webapp.security.Role;
import pl.edu.icm.crpd.webapp.security.opi.OpiAuthenticationProvider;
import pl.edu.icm.sedno.icmopi.auth.LoginSoap;

@EnableWebMvcSecurity
@Configuration
@ComponentScan(basePackages = {"pl.edu.icm.crpd.webapp.security"})
/**
 * Spring Security wiring for the CRPD web application (JADX-decompiled from
 * WEB-INF/classes/pl/edu/icm/crpd/webapp/SecurityConfiguration.class).
 *
 * <p>Three separate filter chains are declared as nested {@link WebSecurityConfigurerAdapter}s:
 * <ol>
 *   <li>{@link RestDepositSecurityConfiguration}, {@code @Order(1)}: PUT/POST thesis deposits,
 *       HTTP Basic, stateless, CSRF protection disabled;</li>
 *   <li>{@link DataSecurityConfiguration}, {@code @Order(2)}: the data export tree and the
 *       ResourceSync well-known resource, authenticated through a remote-address filter;</li>
 *   <li>{@link OpiSecurityConfiguration}, no {@code @Order} annotation in this file: every other
 *       path, form login, session-backed CSRF tokens, deny-by-default.</li>
 * </ol>
 *
 * <p>The {@code (HttpSecurity)} casts in the {@code configure} methods are decompiler residue
 * ("Multi-variable type inference failed") and are kept so the code matches the class file.
 */
public class SecurityConfiguration {
    /** Session attribute under which {@link OpiSecurityConfiguration#csrfTokenRepository()} keeps the CSRF token. */
    public static final String CSRF_TOKEN_SESSION_ATTR_NAME = "HTTP_CSRF_TOKEN";

    /**
     * Filter chain for machine clients reading the data tree and the ResourceSync resource.
     *
     * <p>The only authentication mechanism wired here is {@link RemoteAddrAuthenticationFilter};
     * whatever principal that filter produces is granted {@link Role#DATA_CLIENT} by
     * {@link #preAuthenticatedAuthenticationProvider()}, so the filter is the sole gate.
     * NOTE(review): the filter's implementation is not part of this file. Confirm which address
     * it trusts (socket peer vs. a forwarded header) if the application runs behind a proxy.
     */
    @Configuration
    @Order(2)
    public static class DataSecurityConfiguration extends WebSecurityConfigurerAdapter {
        /**
         * Restricts this chain to its two path patterns, requires DATA_CLIENT on every request in
         * it, disables session creation and registers the remote-address filter.
         */
        @Override
        protected void configure(HttpSecurity httpSecurity) throws Exception {
            // Chain scope plus the single authorization rule: everything here needs DATA_CLIENT.
            HttpSecurity authorized = (HttpSecurity) httpSecurity
                    .requestMatchers()
                        .antMatchers("/data/**", "/.well-known/resourcesync")
                        .and()
                    .authorizeRequests()
                        .anyRequest().hasAuthority(Role.DATA_CLIENT.name())
                        .and();

            // No HTTP session is created or used for these requests.
            HttpSecurity stateless = (HttpSecurity) authorized
                    .sessionManagement()
                        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                        .and();

            stateless.addFilter(remoteAddrAuthenticationFilter());
        }

        /** Registers the pre-authenticated provider as this chain's only authentication provider. */
        @Override
        protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
            authenticationManagerBuilder.authenticationProvider(preAuthenticatedAuthenticationProvider());
        }

        /**
         * Builds a provider that accepts any pre-authenticated token and maps it to a user holding
         * exactly {@link Role#DATA_CLIENT}.
         *
         * @return the configured {@link PreAuthenticatedAuthenticationProvider}
         */
        private AuthenticationProvider preAuthenticatedAuthenticationProvider() {
            PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
            AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> detailsService =
                    new AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken>() {
                        @Override
                        public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) {
                            // No lookup and no further check happens here: the token name becomes
                            // the username, "unused" is a placeholder password, and the authority
                            // set is fixed to DATA_CLIENT.
                            return new User(
                                    token.getName(),
                                    "unused",
                                    Collections.singleton(new CrpdGrantedAuthority(Role.DATA_CLIENT)));
                        }
                    };
            provider.setPreAuthenticatedUserDetailsService(detailsService);
            return provider;
        }

        /**
         * Creates the remote-address authentication filter bound to this chain's
         * authentication manager.
         *
         * @return the filter added to the chain in {@link #configure(HttpSecurity)}
         * @throws Exception if the authentication manager cannot be obtained
         */
        @Bean
        Filter remoteAddrAuthenticationFilter() throws Exception {
            RemoteAddrAuthenticationFilter filter = new RemoteAddrAuthenticationFilter();
            filter.setAuthenticationManager(authenticationManager());
            return filter;
        }
    }

    /**
     * Catch-all filter chain for the interactive web UI: form login, role-based URL rules,
     * session-stored CSRF tokens and a final deny-all rule.
     *
     * <p>Two authentication providers are consulted: a local one holding the single configured
     * admin account, and {@link OpiAuthenticationProvider}, registered next to a SOAP client bean
     * for the OPI login service.
     */
    @Configuration
    public static class OpiSecurityConfiguration extends WebSecurityConfigurerAdapter {

        // Encoder used by the local provider; the bean defined in this file is BCrypt.
        @Autowired
        private PasswordEncoder passwordEncoder;

        // Endpoint address of the OPI login SOAP service.
        // NOTE(review): nothing in this class checks the URL scheme; confirm the configured
        // value uses TLS, since the service name suggests credentials travel over it.
        @Value("${opi.auth.ws.url}")
        private String opiAuthWsUrl;

        // Applied to both the connection and the receive timeout of the SOAP client.
        @Value("${opi.auth.ws.timeout}")
        private long opiAuthWsTimeout;

        // Username of the built-in administrator account.
        @Value("${crpdAdmin.login}")
        private String crpdAdminLogin;

        // Stored password value of the built-in administrator account.
        // NOTE(review): presumably a BCrypt hash, given the encoder set on the local provider;
        // confirm against CrpdDaoAuthenticationProvider.
        @Value("${crpdAdmin.passwordHash}")
        private String crpdAdminPasswordHash;

        /** @return roles allowed to use the thesis search URLs */
        @Bean
        public Role[] thesisSearchRoles() {
            return new Role[] {
                Role.MINISTRY_OPERATOR, Role.PAKA, Role.UNIVERSITY_OPERATOR, Role.ADMIN
            };
        }

        /** @return roles allowed to view a thesis and its content files */
        @Bean
        public Role[] thesisShowRoles() {
            return new Role[] {
                Role.MINISTRY_OPERATOR, Role.PAKA, Role.UNIVERSITY_OPERATOR, Role.ADMIN
            };
        }

        /** @return roles allowed to add, edit or save a thesis */
        @Bean
        public Role[] thesisEditRoles() {
            return new Role[] {Role.UNIVERSITY_OPERATOR};
        }

        /** @return roles allowed to reach the institution token URLs */
        @Bean
        public Role[] instTokenGenerateRoles() {
            return new Role[] {Role.UNIVERSITY_REPOSITORY_ADMIN};
        }

        /**
         * Declares the URL authorization rules, the access-denied page, the authentication
         * providers, form login and the CSRF token repository for the web UI.
         *
         * <p>Rules are listed from specific to general and end in {@code denyAll()}, so a path
         * that no rule names is rejected. Keep that ordering when adding rules: a broader
         * pattern placed earlier would shadow a stricter one below it.
         */
        @Override
        protected void configure(HttpSecurity httpSecurity) throws Exception {
            HttpSecurity authorized = (HttpSecurity) httpSecurity
                    .antMatcher("/**")
                    .authorizeRequests()
                        .antMatchers("/console/**").hasAuthority(Role.ADMIN.name())
                        // Public endpoints.
                        // NOTE(review): "/testInstitutions" is reachable without authentication;
                        // confirm it is meant to be exposed in production deployments.
                        .antMatchers("/testInstitutions").permitAll()
                        .antMatchers("/login").permitAll()
                        .antMatchers("/static/**").permitAll()
                        .antMatchers("/errors/**").permitAll()
                        // Creating a temporary link needs a role. This rule has to stay above the
                        // public templink patterns, because "/theses/templink/new" also matches
                        // the single-segment wildcard in the next rule.
                        .antMatchers("/theses/templink/new/**").hasAuthority(Role.UNIVERSITY_OPERATOR.name())
                        // Following a temporary link (and fetching its content files) needs no login.
                        // NOTE(review): access control for these URLs rests entirely on the link
                        // segment itself; its generation and expiry are not visible in this file.
                        .antMatchers(
                                "/theses/templink/*",
                                "/theses/templink/*/*",
                                "/theses/templink/*/*/contentFiles/*").permitAll()
                        // Search and edit rules precede the generic "/theses/*" rule, which would
                        // otherwise also match paths such as "/theses/add".
                        .antMatchers("/theses/search/**")
                            .hasAnyAuthority(SecurityConfiguration.names(thesisSearchRoles()))
                        .antMatchers("/theses/add/**", "/theses/*/edit", "/theses/edit/**", "/theses/save*/**")
                            .hasAnyAuthority(SecurityConfiguration.names(thesisEditRoles()))
                        .antMatchers("/theses/*", "/theses/*/contentFiles/*")
                            .hasAnyAuthority(SecurityConfiguration.names(thesisShowRoles()))
                        .antMatchers("/institutions/tokens", "/institutions/*/token/*")
                            .hasAnyAuthority(SecurityConfiguration.names(instTokenGenerateRoles()))
                        // Read access only: PUT/POST on the deposit paths are claimed by the
                        // @Order(1) REST deposit chain.
                        .antMatchers(HttpMethod.GET, "/institutions/*/theses/*")
                            .hasAnyAuthority(SecurityConfiguration.names(thesisShowRoles()))
                        .antMatchers("/clients/**").hasAuthority(Role.MINISTRY_OPERATOR.name())
                        .antMatchers("/institutions/oaipmh").hasAuthority(Role.UNIVERSITY_REPOSITORY_ADMIN.name())
                        .antMatchers("/").authenticated()
                        // Default deny for anything not listed above.
                        .anyRequest().denyAll()
                        .and();

            HttpSecurity withDeniedPage = (HttpSecurity) authorized
                    .exceptionHandling()
                        .accessDeniedPage("/errors/accessDenied")
                        .and();

            // Providers are registered local-admin first, then OPI.
            HttpSecurity withLogin = (HttpSecurity) withDeniedPage
                    .authenticationProvider(crpdLocalAuthenticationProvider())
                    .authenticationProvider(opiAuthenticationProvider())
                    .formLogin()
                        .loginPage("/login")
                        .defaultSuccessUrl("/")
                        .and();

            // CSRF protection stays enabled for this chain; only the token storage is customised.
            withLogin.csrf().csrfTokenRepository(csrfTokenRepository());
        }

        /**
         * @return a session-backed CSRF token repository that stores the token under
         *     {@link SecurityConfiguration#CSRF_TOKEN_SESSION_ATTR_NAME}
         */
        @Bean
        public CsrfTokenRepository csrfTokenRepository() {
            HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
            repository.setSessionAttributeName(SecurityConfiguration.CSRF_TOKEN_SESSION_ATTR_NAME);
            return repository;
        }

        /** @return the authentication provider for OPI accounts */
        @Bean
        AuthenticationProvider opiAuthenticationProvider() {
            return new OpiAuthenticationProvider();
        }

        /**
         * Creates the CXF JAX-WS client proxy for the OPI login service and bounds its network
         * waits, so that an unresponsive remote service cannot hold a request thread forever.
         *
         * @return the {@link LoginSoap} client proxy
         */
        @Bean
        LoginSoap opiAuthService() {
            JaxWsProxyFactoryBean proxyFactory = new JaxWsProxyFactoryBean();
            proxyFactory.setAddress(this.opiAuthWsUrl);
            proxyFactory.setServiceClass(LoginSoap.class);
            LoginSoap client = (LoginSoap) proxyFactory.create();

            // The same configured value bounds both connecting and waiting for the response
            // (CXF reads these as milliseconds).
            HTTPConduit conduit = (HTTPConduit) ClientProxy.getClient(client).getConduit();
            HTTPClientPolicy policy = new HTTPClientPolicy();
            policy.setConnectionTimeout(this.opiAuthWsTimeout);
            policy.setReceiveTimeout(this.opiAuthWsTimeout);
            conduit.setClient(policy);
            return client;
        }

        /**
         * Builds the provider for the built-in administrator account, backed by the in-memory
         * user store and the injected password encoder.
         *
         * @return the local authentication provider
         */
        AuthenticationProvider crpdLocalAuthenticationProvider() {
            CrpdDaoAuthenticationProvider provider = new CrpdDaoAuthenticationProvider();
            provider.setUserDetailsService(crpdUserService());
            provider.setPasswordEncoder(this.passwordEncoder);
            return provider;
        }

        /**
         * Builds an in-memory user store containing one account: the configured admin login with
         * the configured password value and the {@link Role#ADMIN} authority.
         *
         * @return the in-memory user details manager
         */
        InMemoryUserDetailsManager crpdUserService() {
            User adminAccount = new User(
                    this.crpdAdminLogin,
                    this.crpdAdminPasswordHash,
                    Lists.newArrayList(new CrpdGrantedAuthority(Role.ADMIN)));
            return new InMemoryUserDetailsManager(Lists.newArrayList(adminAccount));
        }
    }

    /**
     * Filter chain for repository software depositing theses over REST (PUT and POST only).
     *
     * <p>Requests are authenticated per call with HTTP Basic against
     * {@link InstitutionTokenAuthenticationProvider}; no session is created and CSRF protection
     * is disabled for this chain.
     * NOTE(review): no channel-security rule is configured in this chain, so keeping the Basic
     * credentials confidential depends on TLS being enforced elsewhere; confirm.
     */
    @Configuration
    @Order(1)
    public static class RestDepositSecurityConfiguration extends WebSecurityConfigurerAdapter {
        /** @return roles allowed to deposit theses through the REST endpoints */
        @Bean
        public Role[] thesisDepositRoles() {
            return new Role[] {Role.UNIVERSITY_REPOSITORY};
        }

        /**
         * Scopes the chain to PUT/POST on the two deposit path patterns and requires one of the
         * deposit roles there, with HTTP Basic, a dedicated access-denied page, stateless
         * sessions and CSRF protection switched off.
         */
        @Override
        protected void configure(HttpSecurity httpSecurity) throws Exception {
            String[] depositPatterns = {"/institutions/*/theses/**", "/institutions/*/*/theses/**"};

            // Only PUT and POST on the deposit patterns enter this chain; any other method on the
            // same paths is left to the chains declared after it.
            HttpSecurity authorized = (HttpSecurity) httpSecurity
                    .requestMatchers()
                        .requestMatchers(new OrRequestMatcher(
                                new AntPathRequestMatcher(depositPatterns[0], HttpMethod.PUT.name()),
                                new AntPathRequestMatcher(depositPatterns[0], HttpMethod.POST.name()),
                                new AntPathRequestMatcher(depositPatterns[1], HttpMethod.PUT.name()),
                                new AntPathRequestMatcher(depositPatterns[1], HttpMethod.POST.name())))
                        .and()
                    .authorizeRequests()
                        .antMatchers(depositPatterns)
                            .hasAnyAuthority(SecurityConfiguration.names(thesisDepositRoles()))
                        .anyRequest().authenticated()
                        .and();

            HttpSecurity withBasicAuth = (HttpSecurity) authorized
                    .authenticationProvider(institutionTokenAuthenticationProvider())
                    .httpBasic()
                        .authenticationEntryPoint(depositBasicAuthenticationEntryPoint())
                        .and();

            HttpSecurity withDeniedPage = (HttpSecurity) withBasicAuth
                    .exceptionHandling()
                        .accessDeniedPage("/errors/deposit/accessDenied")
                        .and();

            HttpSecurity stateless = (HttpSecurity) withDeniedPage
                    .sessionManagement()
                        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                        .and();

            // CSRF tokens are off for this chain: it keeps no session and authenticates every
            // request with explicit Basic credentials.
            stateless.csrf().disable();
        }

        /** @return the entry point that answers unauthenticated deposit requests */
        @Bean
        AuthenticationEntryPoint depositBasicAuthenticationEntryPoint() {
            return new DepositBasicAuthenticationEntryPoint();
        }

        /** @return the provider that validates institution credentials for deposits */
        @Bean
        AuthenticationProvider institutionTokenAuthenticationProvider() {
            return new InstitutionTokenAuthenticationProvider();
        }
    }

    /** @return the application-wide password encoder (BCrypt with its default settings) */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * Converts roles to their enum constant names, in the same order, for use with
     * {@code hasAnyAuthority(...)}.
     *
     * <p>JADX reports that the access modifier was changed from {@code private}; the method is
     * therefore public only in this decompiled form.
     *
     * @param roleArr roles to convert; must not be null or contain null
     * @return a new array holding {@code name()} of each role
     */
    public static String[] names(Role[] roleArr) {
        String[] roleNames = new String[roleArr.length];
        int next = 0;
        for (Role role : roleArr) {
            roleNames[next++] = role.name();
        }
        return roleNames;
    }
}
