package org.interledger.connector.server.spring.settings.web;

import com.auth0.spring.security.api.JwtAuthenticationEntryPoint;
import com.google.common.eventbus.EventBus;
import io.prometheus.client.cache.caffeine.CacheMetricsCollector;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Objects;
import java.util.function.Supplier;
import org.interledger.connector.accounts.AccessTokenManager;
import org.interledger.connector.links.LinkSettingsFactory;
import org.interledger.connector.persistence.repositories.AccountSettingsRepository;
import org.interledger.connector.server.spring.auth.ilpoverhttp.AuthConstants;
import org.interledger.connector.server.spring.auth.ilpoverhttp.BearerTokenSecurityContextRepository;
import org.interledger.connector.server.spring.auth.ilpoverhttp.IlpOverHttpAuthenticationProvider;
import org.interledger.connector.server.spring.controllers.PathConstants;
import org.interledger.connector.server.spring.settings.metrics.MetricsConfiguration;
import org.interledger.connector.settings.ConnectorSettings;
import org.interledger.crypto.ByteArrayUtils;
import org.interledger.crypto.Decryptor;
import org.interledger.crypto.EncryptedSecret;
import org.interledger.crypto.EncryptionService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.zalando.problem.spring.web.advice.security.SecurityProblemSupport;

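/**
 * Spring Security configuration for the connector's HTTP endpoints.
 *
 * <p>{@link #configure(HttpSecurity)} layers two groups of authorization rules onto one
 * {@link HttpSecurity}: a bearer-token (ILP-over-HTTP) group for the per-account endpoints,
 * followed by an HTTP Basic group for the management and admin endpoints. Spring Security
 * evaluates {@code antMatchers} rules in registration order and the first match wins, so the
 * order of the rules is load-bearing; any request matched by no rule is denied.
 *
 * <p>The in-memory {@code admin}/{@code user} principals registered by
 * {@link #configureGlobal(AuthenticationManagerBuilder)} are deprecated together with the
 * {@code interledger.connector.adminPassword} property that backs them.
 */
@Configuration
@EnableWebSecurity
@Import({SecurityProblemSupport.class})
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Ant patterns that appear more than once in the rule-set; kept byte-identical to the
    // original literals so the matched URL space does not change.
    private static final String ACCOUNT_TOKENS_PATTERN = "/accounts/{accountId:.+}/tokens/**";
    private static final String ACCOUNT_PAYMENTS_PATTERN = "/accounts/{accountId:.+}/payments/**";
    private static final String ACCOUNT_PATTERN = "/accounts/{accountId:.+}";

    // Handed to IlpOverHttpAuthenticationProvider; the settings are resolved lazily via the supplier.
    @Autowired
    Supplier<ConnectorSettings> connectorSettingsSupplier;

    // Serves as both authentication entry point and access-denied handler (RFC 7807 problem responses).
    @Autowired
    SecurityProblemSupport problemSupport;

    @Autowired
    AccountSettingsRepository accountSettingsRepository;

    @Autowired
    EncryptionService encryptionService;

    @Autowired
    LinkSettingsFactory linkSettingsFactory;

    @Autowired
    CacheMetricsCollector cacheMetricsCollector;

    // Used only to decrypt an "enc"-prefixed adminPassword value.
    @Autowired
    Decryptor decryptor;

    @Autowired
    private AccessTokenManager accessTokenManager;

    // The authentication provider bean is registered on this bus (see ilpOverHttpAuthenticationProvider()).
    @Autowired
    private EventBus eventBus;

    // Plaintext, or an EncryptedSecret encoded value recognised by its "enc" prefix.
    @Value("${interledger.connector.adminPassword}")
    @Deprecated
    private String adminPassword;

    // Empty by default; passed to SpspRequestMatcher together with spspEnabled.
    @Value("${interledger.connector.spsp.urlPath:}")
    private String spspUrlPath;

    @Value("${interledger.connector.enabledProtocols.spspEnabled:false}")
    private boolean spspEnabled;

    /**
     * BCrypt encoder (cost factor 11) used for the in-memory admin/user credentials.
     *
     * @return a new {@link BCryptPasswordEncoder}.
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(11);
    }

    /**
     * Creates the ILP-over-HTTP authentication provider and registers it on the application
     * {@link EventBus} so it receives events published there.
     *
     * @return the provider, already subscribed to {@code eventBus}.
     */
    @Bean
    IlpOverHttpAuthenticationProvider ilpOverHttpAuthenticationProvider() {
        final IlpOverHttpAuthenticationProvider provider = new IlpOverHttpAuthenticationProvider(
            this.connectorSettingsSupplier,
            this.encryptionService,
            this.accountSettingsRepository,
            this.linkSettingsFactory,
            this.cacheMetricsCollector,
            this.accessTokenManager
        );
        this.eventBus.register(provider);
        return provider;
    }

    /**
     * Registers the deprecated in-memory {@code admin} and {@code user} principals that back HTTP
     * Basic authentication for the management and admin endpoints.
     *
     * <p>{@code interledger.connector.adminPassword} may be given in plaintext or as an
     * {@link EncryptedSecret} encoded value (recognised by its {@code enc} prefix), in which case it
     * is decrypted through the configured {@link Decryptor} before being BCrypt-hashed. The property
     * is treated as UTF-8 in both directions so the result does not depend on the JVM default charset.
     *
     * @param authenticationManagerBuilder the builder supplied by Spring Security.
     * @throws Exception propagated from {@link AuthenticationManagerBuilder}.
     * @throws NullPointerException if {@code interledger.connector.adminPassword} is not set.
     * @deprecated the shared admin password is a legacy mechanism kept only for compatibility.
     */
    @Autowired
    @Deprecated
    public void configureGlobal(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        // Fail fast with the property name instead of an anonymous NPE from getBytes()/decrypt().
        final String rawAdminPassword = Objects.requireNonNull(
            this.adminPassword, "interledger.connector.adminPassword must be set");

        // "enc" prefix marks an EncryptedSecret encoded value; anything else is plaintext.
        final byte[] passwordBytes = rawAdminPassword.startsWith("enc")
            ? this.decryptor.decrypt(EncryptedSecret.fromEncodedValue(rawAdminPassword))
            : rawAdminPassword.getBytes(StandardCharsets.UTF_8);

        // NOTE(review): assumes Decryptor.decrypt yields the UTF-8 bytes of the password -- confirm.
        // Hash once: both principals share the password, and a cost-11 BCrypt is not free at startup.
        final String encodedPassword =
            passwordEncoder().encode(new String(passwordBytes, StandardCharsets.UTF_8));

        authenticationManagerBuilder
            .inMemoryAuthentication()
            .withUser("admin")
            .password(encodedPassword)
            .authorities(AuthConstants.Authorities.CONNECTOR_ADMIN, "user")
            .and()
            .withUser("user")
            .password(encodedPassword)
            .authorities("user");
    }

    /**
     * Filter that exposes the Spring security context through the servlet request API.
     *
     * @return a new {@link SecurityContextHolderAwareRequestFilter}; added to the chain in {@link #configure(HttpSecurity)}.
     */
    @Bean
    public SecurityContextHolderAwareRequestFilter securityContextHolderAwareRequestFilter() {
        return new SecurityContextHolderAwareRequestFilter();
    }

    /**
     * CORS policy applied to every path: {@code POST} only, credentials allowed, and the
     * {@code Authorization} request header permitted.
     *
     * <p>NOTE(review): no allowed origins are registered here. With Spring's {@link CorsConfiguration}
     * that means cross-origin requests are rejected unless origins are contributed elsewhere -- confirm
     * that is the intended policy.
     *
     * @return the configuration source registered for {@code /**}.
     */
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        final CorsConfiguration policy = new CorsConfiguration();
        policy.setAllowedMethods(Arrays.asList("POST"));
        policy.setAllowCredentials(true);
        policy.addAllowedHeader("Authorization");

        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", policy);
        return source;
    }

    /**
     * Builds the HTTP security chain.
     *
     * <p>Rules are evaluated in registration order (first match wins). The bearer-token group is
     * registered first, then the HTTP Basic management/admin group, and
     * {@code anyRequest().denyAll()} closes the chain so a newly added endpoint is unreachable
     * until an explicit rule exists for it.
     *
     * <p>NOTE(review): {@link #configureBearerTokenSecurity} disables HTTP Basic, but the
     * {@code .httpBasic()} call below re-applies it to the same builder, so Basic auth is active for
     * the whole chain; likewise the {@code exceptionHandling().authenticationEntryPoint(problemSupport)}
     * call at the end appears to replace the {@link JwtAuthenticationEntryPoint} set by the helper.
     * Confirm both are intended.
     *
     * @param httpSecurity the builder supplied by Spring Security.
     * @throws Exception propagated from the {@link HttpSecurity} builder.
     */
    @Override
    public void configure(HttpSecurity httpSecurity) throws Exception {
        // Fresh key material per process for the bearer-token security-context repository.
        // NOTE(review): regenerated on every start, so anything keyed on it does not survive a restart -- confirm.
        final byte[] securityContextKey = ByteArrayUtils.generate32RandomBytes();
        final String connectorAdmin = AuthConstants.Authorities.CONNECTOR_ADMIN;

        // --- Bearer-token (ILP-over-HTTP) rules: per-account endpoints need an authenticated principal;
        // the metrics endpoint and the (optional) SPSP endpoint are open. ---
        configureBearerTokenSecurity(httpSecurity, securityContextKey)
            .authorizeRequests()
            .antMatchers(HttpMethod.HEAD, PathConstants.SLASH_ACCOUNTS_ILP_PATH).authenticated()
            .antMatchers(HttpMethod.POST, PathConstants.SLASH_ACCOUNTS_ILP_PATH).authenticated()
            .antMatchers(HttpMethod.GET, PathConstants.SLASH_ACCOUNTS_BALANCE_PATH).authenticated()
            .antMatchers(HttpMethod.GET, ACCOUNT_TOKENS_PATTERN).authenticated()
            .antMatchers(HttpMethod.POST, PathConstants.SLASH_ACCOUNTS_TOKENS_PATH).authenticated()
            .antMatchers(HttpMethod.DELETE, ACCOUNT_TOKENS_PATTERN).authenticated()
            .antMatchers(HttpMethod.GET, ACCOUNT_PAYMENTS_PATTERN).authenticated()
            .antMatchers(HttpMethod.POST, PathConstants.SLASH_ACCOUNTS_PAYMENTS_PATH).authenticated()
            // permitAll: metrics are served without credentials.
            .antMatchers(HttpMethod.GET, MetricsConfiguration.METRICS_ENDPOINT_URL_PATH).permitAll()
            // SPSP paths, gated by the spspEnabled/spspUrlPath properties handed to the matcher.
            .requestMatchers(new SpspRequestMatcher(this.spspEnabled, this.spspUrlPath)).permitAll();

        // --- HTTP Basic rules for management and admin endpoints, plus global chain settings. ---
        httpSecurity
            .headers(headersConfigurer -> headersConfigurer
                .contentSecurityPolicy(csp -> csp.policyDirectives("default-src 'self'")))
            .httpBasic()
            .and()
            .authorizeRequests()
            .antMatchers(HttpMethod.GET, PathConstants.SLASH).permitAll()
            // Settlement-engine and peer-messaging callbacks are not authenticated at this layer.
            .antMatchers(HttpMethod.POST, "/accounts/{accountId:.+}/settlements").permitAll()
            .antMatchers(HttpMethod.POST, "/accounts/{accountId:.+}/messages").permitAll()
            .antMatchers(HttpMethod.GET, PathConstants.SLASH_MANAGE).permitAll()
            .antMatchers(HttpMethod.GET, "/manage/health").permitAll()
            .antMatchers(HttpMethod.GET, "/manage/info").permitAll()
            // Must stay after the health/info rules: first match wins.
            .antMatchers(HttpMethod.GET, "/manage/**").hasAuthority(connectorAdmin)
            .antMatchers(HttpMethod.POST, PathConstants.SLASH_ACCOUNTS).hasAuthority(connectorAdmin)
            .antMatchers(HttpMethod.GET, PathConstants.SLASH_ACCOUNTS).hasAuthority(connectorAdmin)
            .antMatchers(HttpMethod.GET, ACCOUNT_PATTERN).hasAuthority(connectorAdmin)
            .antMatchers(HttpMethod.PUT, ACCOUNT_PATTERN).hasAuthority(connectorAdmin)
            .antMatchers(HttpMethod.DELETE, ACCOUNT_PATTERN).hasAuthority(connectorAdmin)
            .antMatchers(HttpMethod.GET, PathConstants.SLASH_ROUTES).hasAuthority(connectorAdmin)
            .antMatchers(HttpMethod.GET, PathConstants.SLASH_ROUTES_STATIC).hasAuthority(connectorAdmin)
            .antMatchers(HttpMethod.PUT, PathConstants.SLASH_ROUTES_STATIC_PREFIX).hasAuthority(connectorAdmin)
            .antMatchers(HttpMethod.DELETE, PathConstants.SLASH_ROUTES_STATIC_PREFIX).hasAuthority(connectorAdmin)
            .antMatchers(HttpMethod.POST, "/encryption/**").hasAuthority(connectorAdmin)
            // Default deny: everything not matched above is refused.
            .anyRequest().denyAll()
            .and()
            .addFilter(securityContextHolderAwareRequestFilter())
            .cors()
            .and()
            .formLogin().disable()
            .logout().disable()
            .jee().disable()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.NEVER)
            .enableSessionUrlRewriting(false)
            .and()
            .exceptionHandling()
            .authenticationEntryPoint(this.problemSupport)
            .accessDeniedHandler(this.problemSupport);
    }

    /**
     * Applies the stateless bearer-token (ILP-over-HTTP) settings to {@code httpSecurity}: registers
     * the {@link IlpOverHttpAuthenticationProvider}, installs a
     * {@link BearerTokenSecurityContextRepository} keyed on {@code securityContextKey}, routes
     * authentication failures to a {@link JwtAuthenticationEntryPoint}, and disables HTTP Basic,
     * CSRF and server-side sessions.
     *
     * <p>{@code csrf().disable()} removes the CSRF configurer from the whole builder, i.e. it also
     * applies to the Basic-auth admin endpoints configured afterwards in
     * {@link #configure(HttpSecurity)}.
     *
     * @param httpSecurity       the builder being configured.
     * @param securityContextKey key material handed to the security-context repository.
     * @return the same builder, for chaining.
     * @throws Exception propagated from the {@link HttpSecurity} builder.
     */
    private HttpSecurity configureBearerTokenSecurity(HttpSecurity httpSecurity, byte[] securityContextKey)
        throws Exception {
        return httpSecurity
            .authenticationProvider(ilpOverHttpAuthenticationProvider())
            .securityContext()
            .securityContextRepository(new BearerTokenSecurityContextRepository(securityContextKey))
            .and()
            .exceptionHandling()
            .authenticationEntryPoint(new JwtAuthenticationEntryPoint())
            .and()
            .httpBasic().disable()
            .csrf().disable()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and();
    }
}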
