package org.apereo.cas.config;

import java.util.HashMap;
import org.apache.commons.lang3.BooleanUtils;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.AuthenticationServiceSelectionPlan;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.core.web.security.HttpCorsRequestProperties;
import org.apereo.cas.configuration.model.core.web.security.HttpHeadersRequestProperties;
import org.apereo.cas.configuration.model.core.web.security.HttpRequestProperties;
import org.apereo.cas.configuration.model.core.web.security.HttpWebRequestProperties;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.web.support.ArgumentExtractor;
import org.apereo.cas.web.support.AuthenticationCredentialsThreadLocalBinderClearingFilter;
import org.apereo.cas.web.support.filters.AbstractSecurityFilter;
import org.apereo.cas.web.support.filters.AddResponseHeadersFilter;
import org.apereo.cas.web.support.filters.RequestParameterPolicyEnforcementFilter;
import org.apereo.cas.web.support.filters.ResponseHeadersEnforcementFilter;
import org.pac4j.core.authorization.generator.SpringSecurityPropertiesAuthorizationGenerator;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.boot.web.servlet.ServletRegistrationBean;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.datasource.init.ScriptUtils;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CharacterEncodingFilter;
import org.springframework.web.filter.CorsFilter;

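/**
 * Registers the servlet filters that CAS places in front of every request:
 * character encoding, custom response headers, CORS, security response headers,
 * request-parameter policy enforcement and per-request credential clean-up.
 *
 * <p>All settings are read from {@link CasConfigurationProperties#getHttpWebRequest()}.
 * Several of these beans are security controls, so the per-bean notes call out which
 * ones can be switched off by configuration and which values deserve review.
 *
 * <p>This listing is decompiler output. The decompiler had replaced two string literals
 * with unrelated library constants of the same value; they are written out as literals
 * again here so the filter mappings do not depend on a JDBC or pac4j constant.
 */
@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration(value = "casFiltersConfiguration", proxyBeanMethods = false)
/* loaded from: input_file:WEB-INF/lib/cas-server-webapp-config-6.3.0-RC1.jar:org/apereo/cas/config/CasFiltersConfiguration.class */
public class CasFiltersConfiguration {

    /**
     * Servlet URL pattern that maps a filter to every request. The decompiled listing showed
     * {@code ScriptUtils.DEFAULT_BLOCK_COMMENT_START_DELIMITER} here, a SQL script comment
     * delimiter that merely has the same value.
     */
    private static final String ALL_REQUESTS_URL_PATTERN = "/*";

    @Autowired
    private CasConfigurationProperties casProperties;

    @Autowired
    @Qualifier("servicesManager")
    private ObjectProvider<ServicesManager> servicesManager;

    @Autowired
    @Qualifier("argumentExtractor")
    private ObjectProvider<ArgumentExtractor> argumentExtractor;

    @Autowired
    @Qualifier("authenticationServiceSelectionPlan")
    private ObjectProvider<AuthenticationServiceSelectionPlan> authenticationRequestServiceSelectionStrategies;

    /**
     * Applies the configured character encoding to every request.
     *
     * @return the registration for a {@link CharacterEncodingFilter} built from the
     *         configured encoding and force-encoding flag
     */
    @RefreshScope
    @Bean
    public FilterRegistrationBean<CharacterEncodingFilter> characterEncodingFilter() {
        HttpWebRequestProperties web = casProperties.getHttpWebRequest().getWeb();
        FilterRegistrationBean<CharacterEncodingFilter> registration = new FilterRegistrationBean<>();
        registration.setFilter(new CharacterEncodingFilter(web.getEncoding(), web.isForceEncoding()));
        registration.setUrlPatterns(CollectionUtils.wrap(ALL_REQUESTS_URL_PATTERN));
        registration.setName("characterEncodingFilter");
        registration.setAsyncSupported(true);
        return registration;
    }

    /**
     * Adds the operator-defined custom headers to every response.
     *
     * <p>The header map is passed through from configuration as-is; nothing in this method
     * validates the names or values.
     *
     * @return the registration for the {@link AddResponseHeadersFilter}
     */
    @RefreshScope
    @Bean
    public FilterRegistrationBean<AddResponseHeadersFilter> responseHeadersFilter() {
        AddResponseHeadersFilter headersFilter = new AddResponseHeadersFilter();
        headersFilter.setHeadersMap(casProperties.getHttpWebRequest().getCustomHeaders());
        FilterRegistrationBean<AddResponseHeadersFilter> registration = new FilterRegistrationBean<>();
        registration.setFilter(headersFilter);
        registration.setUrlPatterns(CollectionUtils.wrap(ALL_REQUESTS_URL_PATTERN));
        registration.setName("responseHeadersFilter");
        registration.setAsyncSupported(true);
        return registration;
    }

    /**
     * Registers a CORS filter for all paths. The bean exists only when
     * {@code cas.http-web-request.cors.enabled=true}.
     *
     * <p>Security review point: origins, methods, headers and the allow-credentials flag are
     * copied from configuration without any check in this method. With credentials allowed,
     * every configured origin can read authenticated CAS responses, so the origin list should
     * name specific trusted origins. How a wildcard origin combined with credentials is
     * handled depends on the Spring version on the classpath - NOTE(review): confirm for the
     * deployed version.
     *
     * @return the registration for the {@link CorsFilter}, ordered at position 0
     */
    @RefreshScope
    @ConditionalOnProperty(prefix = "cas.http-web-request.cors", name = "enabled", havingValue = "true")
    @Bean
    public FilterRegistrationBean<CorsFilter> casCorsFilter() {
        HttpCorsRequestProperties cors = casProperties.getHttpWebRequest().getCors();
        CorsConfiguration corsConfiguration = new CorsConfiguration();
        corsConfiguration.setAllowCredentials(cors.isAllowCredentials());
        corsConfiguration.setAllowedOrigins(cors.getAllowOrigins());
        corsConfiguration.setAllowedMethods(cors.getAllowMethods());
        corsConfiguration.setAllowedHeaders(cors.getAllowHeaders());
        corsConfiguration.setMaxAge(Long.valueOf(cors.getMaxAge()));
        corsConfiguration.setExposedHeaders(cors.getExposedHeaders());

        // "/**" is a Spring path pattern (not a servlet URL pattern): one policy for every path.
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", corsConfiguration);

        FilterRegistrationBean<CorsFilter> registration = new FilterRegistrationBean<>(new CorsFilter(source));
        registration.setName("casCorsFilter");
        registration.setAsyncSupported(true);
        registration.setOrder(0);
        return registration;
    }

    /**
     * Registers the filter that emits the security response headers (cache control,
     * X-Content-Type-Options, Strict-Transport-Security, X-Frame-Options, X-XSS-Protection and
     * Content-Security-Policy) according to configuration.
     *
     * <p>The bean is present unless {@code cas.http-web-request.header.enabled} is explicitly
     * set to something other than {@code true} ({@code matchIfMissing = true}). Setting it to
     * {@code false} removes the whole filter, not just individual headers.
     *
     * <p>The Content-Security-Policy init parameter is passed only when a non-blank policy is
     * configured; what the filter does without it is decided inside the filter class.
     *
     * @return the registration for the {@link RegisteredServiceResponseHeadersEnforcementFilter}
     */
    @RefreshScope
    @ConditionalOnProperty(prefix = "cas.http-web-request.header", name = "enabled", havingValue = "true", matchIfMissing = true)
    @Bean
    public FilterRegistrationBean<RegisteredServiceResponseHeadersEnforcementFilter> responseHeadersSecurityFilter() {
        HttpHeadersRequestProperties header = casProperties.getHttpWebRequest().getHeader();
        HashMap<String, String> initParams = new HashMap<>();
        initParams.put(ResponseHeadersEnforcementFilter.INIT_PARAM_ENABLE_CACHE_CONTROL, BooleanUtils.toStringTrueFalse(header.isCache()));
        initParams.put(ResponseHeadersEnforcementFilter.INIT_PARAM_ENABLE_XCONTENT_OPTIONS, BooleanUtils.toStringTrueFalse(header.isXcontent()));
        initParams.put(ResponseHeadersEnforcementFilter.INIT_PARAM_ENABLE_STRICT_TRANSPORT_SECURITY, BooleanUtils.toStringTrueFalse(header.isHsts()));
        initParams.put(ResponseHeadersEnforcementFilter.INIT_PARAM_ENABLE_STRICT_XFRAME_OPTIONS, BooleanUtils.toStringTrueFalse(header.isXframe()));
        initParams.put(ResponseHeadersEnforcementFilter.INIT_PARAM_STRICT_XFRAME_OPTIONS, header.getXframeOptions());
        initParams.put(ResponseHeadersEnforcementFilter.INIT_PARAM_ENABLE_XSS_PROTECTION, BooleanUtils.toStringTrueFalse(header.isXss()));
        initParams.put(ResponseHeadersEnforcementFilter.INIT_PARAM_XSS_PROTECTION, header.getXssOptions());
        if (StringUtils.isNotBlank(header.getContentSecurityPolicy())) {
            initParams.put(ResponseHeadersEnforcementFilter.INIT_PARAM_CONTENT_SECURITY_POLICY, header.getContentSecurityPolicy());
        }

        FilterRegistrationBean<RegisteredServiceResponseHeadersEnforcementFilter> registration = new FilterRegistrationBean<>();
        registration.setFilter(new RegisteredServiceResponseHeadersEnforcementFilter(
            servicesManager.getObject(),
            argumentExtractor.getObject(),
            authenticationRequestServiceSelectionStrategies.getObject()));
        registration.setUrlPatterns(CollectionUtils.wrap(ALL_REQUESTS_URL_PATTERN));
        registration.setInitParameters(initParams);
        registration.setName("responseHeadersSecurityFilter");
        registration.setAsyncSupported(true);
        return registration;
    }

    /**
     * Registers the request-parameter policy filter for every request. Unlike the CORS and
     * security-header filters it has no enabling property: it is always registered.
     *
     * <p>The parameters to check and the pattern to block are passed only when configured;
     * the forbidden characters, the multi-valued-parameter flag and the POST-only parameter
     * list are always passed.
     *
     * @return the registration for the {@link RequestParameterPolicyEnforcementFilter}
     */
    @RefreshScope
    @Bean
    public FilterRegistrationBean<RequestParameterPolicyEnforcementFilter> requestParameterSecurityFilter() {
        HttpRequestProperties httpWebRequest = casProperties.getHttpWebRequest();
        HashMap<String, String> initParams = new HashMap<>();
        if (StringUtils.isNotBlank(httpWebRequest.getParamsToCheck())) {
            initParams.put(RequestParameterPolicyEnforcementFilter.PARAMETERS_TO_CHECK, httpWebRequest.getParamsToCheck());
        }
        initParams.put(RequestParameterPolicyEnforcementFilter.CHARACTERS_TO_FORBID, httpWebRequest.getCharactersToForbid());
        initParams.put(RequestParameterPolicyEnforcementFilter.ALLOW_MULTI_VALUED_PARAMETERS, BooleanUtils.toStringTrueFalse(httpWebRequest.isAllowMultiValueParameters()));
        initParams.put(RequestParameterPolicyEnforcementFilter.ONLY_POST_PARAMETERS, httpWebRequest.getOnlyPostParams());
        // Hard-coded rather than configurable. Presumably makes the filter fail the request
        // instead of continuing when a check errors - confirm in AbstractSecurityFilter.
        initParams.put(AbstractSecurityFilter.THROW_ON_ERROR, Boolean.TRUE.toString());
        if (StringUtils.isNotBlank(httpWebRequest.getPatternToBlock())) {
            initParams.put(RequestParameterPolicyEnforcementFilter.PATTERN_TO_BLOCK, httpWebRequest.getPatternToBlock());
        }

        FilterRegistrationBean<RequestParameterPolicyEnforcementFilter> registration = new FilterRegistrationBean<>();
        registration.setFilter(new RequestParameterPolicyEnforcementFilter());
        registration.setUrlPatterns(CollectionUtils.wrap(ALL_REQUESTS_URL_PATTERN));
        registration.setName("requestParameterSecurityFilter");
        registration.setInitParameters(initParams);
        registration.setAsyncSupported(true);
        return registration;
    }

    /**
     * Registers the {@link AuthenticationCredentialsThreadLocalBinderClearingFilter} for every
     * request. This is the only filter bean here without {@code @RefreshScope} or a
     * configuration input.
     *
     * <p>NOTE(review): going by the class name, the filter clears thread-local credential and
     * authentication state so it cannot carry over to another request served by the same
     * pooled thread; the behaviour itself lives in the filter class.
     *
     * @return the registration for the clearing filter
     */
    @Bean
    public FilterRegistrationBean<AuthenticationCredentialsThreadLocalBinderClearingFilter> currentCredentialsAndAuthenticationClearingFilter() {
        FilterRegistrationBean<AuthenticationCredentialsThreadLocalBinderClearingFilter> registration = new FilterRegistrationBean<>();
        registration.setFilter(new AuthenticationCredentialsThreadLocalBinderClearingFilter());
        registration.setUrlPatterns(CollectionUtils.wrap(ALL_REQUESTS_URL_PATTERN));
        registration.setName("currentCredentialsAndAuthenticationClearingFilter");
        registration.setAsyncSupported(true);
        return registration;
    }
}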
