package org.apereo.cas.config;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import jakarta.annotation.Nonnull;
import java.io.InputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Objects;
import java.util.regex.Pattern;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.support.password.PasswordEncoderUtils;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.features.CasFeatureModule;
import org.apereo.cas.configuration.model.core.audit.AuditEngineProperties;
import org.apereo.cas.configuration.model.core.monitor.JdbcSecurityActuatorEndpointsMonitorProperties;
import org.apereo.cas.configuration.model.support.ldap.LdapAuthorizationProperties;
import org.apereo.cas.configuration.support.JpaBeans;
import org.apereo.cas.multitenancy.TenantExtractor;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.crypto.DefaultPasswordEncoder;
import org.apereo.cas.util.serialization.JacksonObjectMapperFactory;
import org.apereo.cas.util.spring.boot.ConditionalOnFeatureEnabled;
import org.apereo.cas.web.CasWebSecurityConfigurer;
import org.apereo.cas.web.flow.CasWebflowConstants;
import org.apereo.cas.web.security.CasWebSecurityConfigurerAdapter;
import org.apereo.cas.web.security.CasWebflowSecurityContextRepository;
import org.apereo.inspektr.common.web.ClientInfoExtractionOptions;
import org.apereo.inspektr.common.web.ClientInfoThreadLocalFilter;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointProperties;
import org.springframework.boot.actuate.autoconfigure.web.server.ManagementServerProperties;
import org.springframework.boot.actuate.endpoint.web.PathMappedEndpoints;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.autoconfigure.web.WebProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Lazy;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.jdbc.datasource.init.ScriptUtils;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.argon2.Argon2PasswordEncoder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.crypto.password.Pbkdf2PasswordEncoder;
import org.springframework.security.crypto.scrypt.SCryptPasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.provisioning.JdbcUserDetailsManager;
import org.springframework.security.provisioning.UserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.context.DelegatingSecurityContextRepository;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextHolderFilter;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.webflow.context.servlet.FlowUrlHandler;
import org.springframework.webflow.executor.FlowExecutor;

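/**
 * Spring Security wiring for the CAS web application (decompiled from
 * {@code cas-server-support-webconfig-7.3.0-RC2.jar}).
 *
 * <p>The nested configurations provide, in order: a JDBC-backed user store for the
 * actuator endpoints, a JSON-file-backed user store for the same endpoints, the
 * admin form-login view, and the core filter chain / security-context plumbing.
 * Each piece is guarded by {@code @ConditionalOnMissingBean} so a deployment can
 * override it by declaring a bean of the same name.
 */
@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration(value = "CasWebSecurityConfiguration", proxyBeanMethods = false)
@EnableWebSecurity
@ConditionalOnFeatureEnabled(feature = {CasFeatureModule.FeatureCatalog.WebApplication})
@EnableMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
class CasWebSecurityConfiguration {

    /** Servlet URL pattern under which the request-scoped filters below are registered: every request. */
    private static final String ALL_REQUESTS_URL_PATTERN = "/*";

    /**
     * Order shared by the client-info and security-context filters. One past
     * {@link Integer#MIN_VALUE}, i.e. they run ahead of practically every other filter
     * so that downstream filters already see the client info and security context.
     */
    private static final int EARLY_FILTER_ORDER = Integer.MIN_VALUE + 1;

    /**
     * Authenticates actuator-endpoint users against a JDBC user table.
     * Active only when {@code cas.monitor.endpoints.jdbc.query} is configured.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "CasWebAppSecurityJdbcConfiguration", proxyBeanMethods = false)
    @ConditionalOnProperty(name = {"cas.monitor.endpoints.jdbc.query"})
    static class CasWebAppSecurityJdbcConfiguration {

        /**
         * Password encoder for the JDBC user store, built from the
         * {@code cas.monitor.endpoints.jdbc.password-encoder} settings.
         *
         * @param casConfigurationProperties   CAS settings
         * @param configurableApplicationContext application context handed to the encoder factory
         * @return the configured encoder
         */
        @ConditionalOnMissingBean(name = {"jdbcUserDetailsPasswordEncoder"})
        @Bean
        public static PasswordEncoder jdbcUserDetailsPasswordEncoder(final CasConfigurationProperties casConfigurationProperties,
                                                                      final ConfigurableApplicationContext configurableApplicationContext) {
            final JdbcSecurityActuatorEndpointsMonitorProperties jdbc = casConfigurationProperties.getMonitor().getEndpoints().getJdbc();
            return PasswordEncoderUtils.newPasswordEncoder(jdbc.getPasswordEncoder(), configurableApplicationContext);
        }

        /**
         * User store that looks users up with the configured SQL query.
         *
         * <p>The query is executed by {@link JdbcUserDetailsManager} with the username
         * supplied as a bind parameter, so it is expected to contain a {@code ?}
         * placeholder rather than embedding the name in the SQL text.
         *
         * @param casConfigurationProperties CAS settings
         * @return the JDBC user manager
         */
        @ConditionalOnMissingBean(name = {"jdbcUserDetailsManager"})
        @Bean
        public UserDetailsManager jdbcUserDetailsManager(final CasConfigurationProperties casConfigurationProperties) {
            final JdbcSecurityActuatorEndpointsMonitorProperties jdbc = casConfigurationProperties.getMonitor().getEndpoints().getJdbc();
            final JdbcUserDetailsManager manager = new JdbcUserDetailsManager(JpaBeans.newDataSource(jdbc));
            manager.setRolePrefix(jdbc.getRolePrefix());
            manager.setUsersByUsernameQuery(jdbc.getQuery());
            return manager;
        }
    }

    /**
     * Authenticates actuator-endpoint users against an in-memory store loaded from a
     * JSON file. Active only when {@code cas.monitor.endpoints.json.location} is configured.
     *
     * <p>Passwords in the file are expected in Spring Security's {@code {id}encoded}
     * form, where {@code id} is one of the encoders registered by
     * {@link #jsonUserDetailsPasswordEncoder()}. An entry without an {@code {id}} prefix
     * is treated as plaintext (see {@link #normalizePassword(String, String)}).
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "CasWebAppSecurityJsonUsersConfiguration", proxyBeanMethods = false)
    @ConditionalOnProperty(name = {"cas.monitor.endpoints.json.location"})
    static class CasWebAppSecurityJsonUsersConfiguration {
        /**
         * Mapper for the users file. Default typing stays disabled so the file cannot
         * name arbitrary classes to instantiate; only {@link CasUserDetails} fields are bound.
         */
        private static final ObjectMapper MAPPER = JacksonObjectMapperFactory.builder()
            .defaultTypingEnabled(false)
            .build()
            .toObjectMapper();

        /** Matches a password that already carries a Spring Security {@code {id}} prefix. */
        private static final Pattern PATTERN_PASSWORD_ALG = Pattern.compile("^\\{.+\\}.*");

        /** Encoder id prepended to file entries that carry no {@code {id}} prefix. */
        private static final String NOOP_PREFIX = "{noop}";

        /**
         * One entry of the JSON users file: a username, its password and the names of
         * its authorities. Public no-arg constructor and setters are what the mapper binds to.
         */
        public static final class CasUserDetails implements Serializable {
            private static final long serialVersionUID = -741527534790033702L;
            private String username;
            private String password;
            private List<String> authorities = new ArrayList<>();

            public CasUserDetails() {
            }

            public String getUsername() {
                return this.username;
            }

            public String getPassword() {
                return this.password;
            }

            public List<String> getAuthorities() {
                return this.authorities;
            }

            public void setUsername(final String username) {
                this.username = username;
            }

            public void setPassword(final String password) {
                this.password = password;
            }

            public void setAuthorities(final List<String> authorities) {
                this.authorities = authorities;
            }
        }

        /**
         * Reads the users file and builds an in-memory user store from it.
         *
         * @param casConfigurationProperties CAS settings; supplies the file location
         * @return the in-memory user manager
         * @throws Exception if the file cannot be read or parsed
         */
        @ConditionalOnMissingBean(name = {"jsonUserDetailsService"})
        @Bean
        public UserDetailsService userDetailsService(final CasConfigurationProperties casConfigurationProperties) throws Exception {
            final var location = casConfigurationProperties.getMonitor().getEndpoints().getJson().getLocation();
            try (InputStream inputStream = location.getInputStream()) {
                final List<CasUserDetails> entries = MAPPER.readValue(inputStream, new TypeReference<List<CasUserDetails>>() {
                });
                final var users = entries.stream()
                    .map(entry -> User.builder()
                        .username(entry.getUsername())
                        .password(normalizePassword(entry.getUsername(), entry.getPassword()))
                        .authorities(toAuthorities(entry.getAuthorities()))
                        .build())
                    .toList();
                return new InMemoryUserDetailsManager(users);
            }
        }

        /**
         * Maps authority names from the file to granted authorities, prepending the
         * default role prefix to any name that lacks it.
         */
        private static List<SimpleGrantedAuthority> toAuthorities(final List<String> authorityNames) {
            return authorityNames.stream()
                .map(name -> StringUtils.prependIfMissing(name, LdapAuthorizationProperties.DEFAULT_ROLE_PREFIX))
                .map(SimpleGrantedAuthority::new)
                .toList();
        }

        /**
         * Returns the password in {@code {id}encoded} form. A value with no {@code {id}}
         * prefix is assumed to be plaintext and tagged {@code {noop}}; a file relying on
         * this therefore holds credentials in the clear and must be protected accordingly.
         * Prefer storing hashed values with an explicit prefix such as {@code {bcrypt}}.
         *
         * @throws NullPointerException if the entry has no password
         */
        private static String normalizePassword(final String username, final String password) {
            Objects.requireNonNull(password, () -> "No password is defined for user " + username);
            return PATTERN_PASSWORD_ALG.matcher(password).matches() ? password : NOOP_PREFIX + password;
        }

        /**
         * Delegating encoder that understands the {@code {id}} prefixes accepted in the
         * users file. {@code sha512} is the id used when encoding new passwords.
         *
         * <p>NOTE(review): {@code sha256}/{@code sha512} are backed by a plain digest
         * encoder rather than an adaptive KDF; for stored credentials prefer the
         * {@code bcrypt}, {@code scrypt}, {@code argon2} or {@code pbkdf2} prefixes.
         *
         * @return the delegating encoder
         */
        @ConditionalOnMissingBean(name = {"jsonUserDetailsPasswordEncoder"})
        @Bean
        public PasswordEncoder jsonUserDetailsPasswordEncoder() {
            final var encoders = new HashMap<String, PasswordEncoder>();
            encoders.put("pbkdf2", Pbkdf2PasswordEncoder.defaultsForSpringSecurity_v5_8());
            encoders.put("scrypt", SCryptPasswordEncoder.defaultsForSpringSecurity_v5_8());
            encoders.put("argon2", Argon2PasswordEncoder.defaultsForSpringSecurity_v5_8());
            encoders.put("bcrypt", new BCryptPasswordEncoder());
            encoders.put("sha256", new DefaultPasswordEncoder("SHA-256", StandardCharsets.UTF_8.name()));
            encoders.put("sha512", new DefaultPasswordEncoder("SHA-512", StandardCharsets.UTF_8.name()));
            // Plaintext comparison; only reachable for entries tagged (or defaulted to) {noop}.
            encoders.put("noop", NoOpPasswordEncoder.getInstance());
            return new DelegatingPasswordEncoder("sha512", encoders);
        }
    }

    /** Registers the admin form-login view when form login is enabled for the endpoints. */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "CasWebAppSecurityMvcConfiguration", proxyBeanMethods = false)
    static class CasWebAppSecurityMvcConfiguration {

        /**
         * MVC configurer that maps the admin form-login URL to its view, with the
         * lowest possible order so it wins over other view controllers.
         *
         * @param casConfigurationProperties CAS settings; decides whether form login is enabled
         * @return the configurer
         */
        @ConditionalOnMissingBean(name = {"casWebAppSecurityWebMvcConfigurer"})
        @Bean
        public WebMvcConfigurer casWebAppSecurityWebMvcConfigurer(final CasConfigurationProperties casConfigurationProperties) {
            return new WebMvcConfigurer() {
                @Override
                public void addViewControllers(@Nonnull final ViewControllerRegistry registry) {
                    if (!casConfigurationProperties.getMonitor().getEndpoints().isFormLoginEnabled()) {
                        return;
                    }
                    registry.addViewController(CasWebSecurityConfigurer.ENDPOINT_URL_ADMIN_FORM_LOGIN)
                        .setViewName(CasWebflowConstants.VIEW_ID_ENDPOINT_ADMIN_LOGIN_VIEW);
                    registry.setOrder(Integer.MIN_VALUE);
                }
            };
        }
    }

    /** Core security plumbing: security-context repository, early filters and the filter chain. */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "CasWebappCoreSecurityConfiguration", proxyBeanMethods = false)
    static class CasWebappCoreSecurityConfiguration {

        /**
         * Security-context repository that consults, in order, the request attributes,
         * the HTTP session and the CAS webflow conversation.
         *
         * @param configurableApplicationContext context handed to the webflow repository
         * @param flowUrlHandler                 login flow URL handler (not used directly)
         * @param flowExecutor                   login flow executor (not used directly)
         * @return the delegating repository
         */
        @ConditionalOnMissingBean(name = {"securityContextRepository"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public SecurityContextRepository securityContextRepository(final ConfigurableApplicationContext configurableApplicationContext,
                                                                   @Qualifier("loginFlowUrlHandler") final FlowUrlHandler flowUrlHandler,
                                                                   @Qualifier("loginFlowExecutor") final FlowExecutor flowExecutor) {
            // flowUrlHandler / flowExecutor are not referenced; presumably injected only so the
            // login webflow beans are created before this repository — confirm before removing.
            return new DelegatingSecurityContextRepository(
                new RequestAttributeSecurityContextRepository(),
                new HttpSessionSecurityContextRepository(),
                new CasWebflowSecurityContextRepository(configurableApplicationContext));
        }

        /**
         * Filter that captures client/server address details for auditing on every request.
         *
         * <p>When an alternate client-address header is configured, the recorded address
         * is presumably taken from that request header; such a header should only be
         * honoured behind a proxy that sets it, since otherwise a caller can supply it.
         *
         * @param tenantExtractor            tenant extractor passed to the filter
         * @param casConfigurationProperties CAS settings; supplies the audit-engine header names
         * @return the filter registration
         */
        @ConditionalOnMissingBean(name = {"casClientInfoLoggingFilter"})
        @Bean
        public FilterRegistrationBean<ClientInfoThreadLocalFilter> casClientInfoLoggingFilter(
            @Qualifier("tenantExtractor") final TenantExtractor tenantExtractor,
            final CasConfigurationProperties casConfigurationProperties) {
            final AuditEngineProperties engine = casConfigurationProperties.getAudit().getEngine();
            final var options = ClientInfoExtractionOptions.builder()
                .alternateLocalAddrHeaderName(engine.getAlternateClientAddrHeaderName())
                .alternateServerAddrHeaderName(engine.getAlternateServerAddrHeaderName())
                .useServerHostAddress(engine.isUseServerHostAddress())
                .httpRequestHeaders(engine.getHttpRequestHeaders())
                .build();
            final FilterRegistrationBean<ClientInfoThreadLocalFilter> registration = new FilterRegistrationBean<>();
            registration.setFilter(new ClientInfoThreadLocalFilter(options, tenantExtractor));
            registerForAllRequests(registration, "CAS Client Info Logging Filter");
            return registration;
        }

        /**
         * Filter that loads the security context from {@code securityContextRepository}
         * into the holder for every request.
         *
         * @param securityContextRepository repository to read the context from
         * @return the filter registration
         */
        @Bean
        public FilterRegistrationBean<SecurityContextHolderFilter> securityContextHolderFilter(
            @Qualifier("securityContextRepository") final SecurityContextRepository securityContextRepository) {
            final FilterRegistrationBean<SecurityContextHolderFilter> registration = new FilterRegistrationBean<>();
            registration.setFilter(new SecurityContextHolderFilter(securityContextRepository));
            registerForAllRequests(registration, "Spring Security Context Holder Filter");
            return registration;
        }

        /** Applies the settings shared by the two early filters: all URLs, async support, early order. */
        private static void registerForAllRequests(final FilterRegistrationBean<?> registration, final String name) {
            registration.setUrlPatterns(CollectionUtils.wrap(ALL_REQUESTS_URL_PATTERN));
            registration.setName(name);
            registration.setAsyncSupported(true);
            registration.setOrder(EARLY_FILTER_ORDER);
        }

        /**
         * Customizer that delegates {@code WebSecurity} configuration (e.g. ignored paths)
         * to a {@link CasWebSecurityConfigurerAdapter}.
         *
         * @return the customizer
         */
        @ConditionalOnMissingBean(name = {"casWebSecurityCustomizer"})
        @Bean
        public WebSecurityCustomizer casWebSecurityCustomizer(@Qualifier("securityContextRepository") final SecurityContextRepository securityContextRepository,
                                                              final ObjectProvider<PathMappedEndpoints> objectProvider,
                                                              final List<CasWebSecurityConfigurer> list,
                                                              final WebEndpointProperties webEndpointProperties,
                                                              final ManagementServerProperties managementServerProperties,
                                                              final CasConfigurationProperties casConfigurationProperties,
                                                              final WebProperties webProperties) {
            final CasWebSecurityConfigurerAdapter adapter = newConfigurerAdapter(casConfigurationProperties, webEndpointProperties,
                managementServerProperties, objectProvider, list, securityContextRepository, webProperties);
            return adapter::configureWebSecurity;
        }

        /**
         * The application's security filter chain, built by a
         * {@link CasWebSecurityConfigurerAdapter} over the provided {@link HttpSecurity}.
         *
         * @return the filter chain
         * @throws Exception if {@link HttpSecurity} fails to build
         */
        @ConditionalOnMissingBean(name = {"casWebSecurityConfigurerAdapter"})
        @Bean
        public SecurityFilterChain casWebSecurityConfigurerAdapter(final ConfigurableApplicationContext configurableApplicationContext,
                                                                   @Qualifier("securityContextRepository") final SecurityContextRepository securityContextRepository,
                                                                   final HttpSecurity httpSecurity,
                                                                   final ObjectProvider<PathMappedEndpoints> objectProvider,
                                                                   final List<CasWebSecurityConfigurer> list,
                                                                   final WebEndpointProperties webEndpointProperties,
                                                                   final ManagementServerProperties managementServerProperties,
                                                                   final SecurityProperties securityProperties,
                                                                   final CasConfigurationProperties casConfigurationProperties,
                                                                   final WebProperties webProperties) throws Exception {
            // securityProperties is accepted but not used by this bean.
            final CasWebSecurityConfigurerAdapter adapter = newConfigurerAdapter(casConfigurationProperties, webEndpointProperties,
                managementServerProperties, objectProvider, list, securityContextRepository, webProperties);
            return adapter.configureHttpSecurity(httpSecurity, configurableApplicationContext).build();
        }

        /** Builds the adapter shared by the customizer and filter-chain beans with identical arguments. */
        private static CasWebSecurityConfigurerAdapter newConfigurerAdapter(final CasConfigurationProperties casConfigurationProperties,
                                                                            final WebEndpointProperties webEndpointProperties,
                                                                            final ManagementServerProperties managementServerProperties,
                                                                            final ObjectProvider<PathMappedEndpoints> objectProvider,
                                                                            final List<CasWebSecurityConfigurer> configurers,
                                                                            final SecurityContextRepository securityContextRepository,
                                                                            final WebProperties webProperties) {
            return new CasWebSecurityConfigurerAdapter(casConfigurationProperties, webEndpointProperties, managementServerProperties,
                objectProvider, configurers, securityContextRepository, webProperties);
        }
    }

    /**
     * Eagerly-initialised bean that pins {@link SecurityContextHolder} to the
     * thread-local strategy at startup.
     *
     * @return the initializer
     */
    @Bean
    @Lazy(false)
    public InitializingBean securityContextHolderInitialization() {
        return () -> SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_THREADLOCAL);
    }
}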
