package org.springframework.cloud.security.oauth2.sso;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.security.oauth2.resource.ResourceServerTokenServicesConfiguration;
import org.springframework.cloud.security.oauth2.sso.OAuth2SsoConfigurer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.AnnotationAwareOrderComparator;
import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.OAuth2RestOperations;
import org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter;
import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.util.ClassUtils;

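/**
 * Web security configuration that makes the application an OAuth2 single sign-on client.
 *
 * <p>It registers an {@link OAuth2ClientAuthenticationProcessingFilter} on the configured login
 * path, sends unauthenticated requests to that path, and configures logout. The configuration
 * only applies in a web application where {@code spring.oauth2.client.clientId} is non-empty and
 * the resource-server and Boot security classes are on the classpath.
 *
 * <p>Provenance: decompiled from
 * {@code lib/spring-cloud-security-1.0.2.RELEASE.jar}
 * ({@code org/springframework/cloud/security/oauth2/sso/OAuth2SsoConfiguration.class}).
 * Local variable names and some literals are decompiler output, not the original source.
 */
@EnableConfigurationProperties
@Configuration
@ConditionalOnClass({ResourceServerTokenServices.class, SecurityProperties.class})
@ConditionalOnExpression("'${spring.oauth2.client.clientId:}'!=''")
@ConditionalOnWebApplication
@Import({ResourceServerTokenServicesConfiguration.class})
public class OAuth2SsoConfiguration extends WebSecurityConfigurerAdapter implements Ordered {

    // SSO settings: login/logout paths, home page, filter order, logout redirect flag.
    @Autowired
    private OAuth2SsoProperties sso;

    // Used by the SSO filter to turn an access token into an Authentication.
    @Autowired
    private ResourceServerTokenServices tokenServices;

    // OAuth2 client whose context holds the current user's access token.
    @Autowired
    @Qualifier("userInfoRestTemplate")
    private OAuth2RestOperations restTemplate;

    // Optional application-supplied customizers; stays empty when none are defined.
    private List<OAuth2SsoConfigurer> configurers = Collections.emptyList();

    /**
     * Supplies a default {@link OAuth2SsoProperties} bean, built from the client's access token
     * URI, unless the application already defines one.
     */
    @Configuration
    protected static class ConfigurationProperties {

        @Autowired
        private AuthorizationCodeResourceDetails client;

        protected ConfigurationProperties() {
        }

        /**
         * @return SSO properties seeded with the OAuth2 client's access token URI
         */
        @ConditionalOnMissingBean
        @Bean
        public OAuth2SsoProperties ssoProperties() {
            return new OAuth2SsoProperties(this.client.getAccessTokenUri());
        }
    }

    /**
     * Security configurer that plugs the SSO authentication filter into the filter chain.
     */
    public static final class OAuth2ClientAuthenticationConfigurer extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
        private final OAuth2ClientAuthenticationProcessingFilter filter;

        /**
         * @param oAuth2ClientAuthenticationProcessingFilter the SSO filter to install
         */
        public OAuth2ClientAuthenticationConfigurer(OAuth2ClientAuthenticationProcessingFilter oAuth2ClientAuthenticationProcessingFilter) {
            this.filter = oAuth2ClientAuthenticationProcessingFilter;
        }

        /**
         * Hands the chain's shared {@link SessionAuthenticationStrategy} to the filter and places
         * the filter directly after {@link AbstractPreAuthenticatedProcessingFilter}.
         *
         * @param httpSecurity the builder for the chain being configured
         * @throws Exception if the builder rejects the filter
         */
        @Override
        public void configure(HttpSecurity httpSecurity) throws Exception {
            // The shared strategy is what applies session handling on a successful SSO login.
            // NOTE(review): getSharedObject returns null when nothing registered a strategy;
            // confirm session management is always configured before this configurer runs.
            SessionAuthenticationStrategy sessionStrategy =
                    httpSecurity.getSharedObject(SessionAuthenticationStrategy.class);
            this.filter.setSessionAuthenticationStrategy(sessionStrategy);
            httpSecurity.addFilterAfter(this.filter, AbstractPreAuthenticatedProcessingFilter.class);
        }
    }

    /**
     * Returns the order of this security configuration relative to other filter chains.
     *
     * @return the explicitly configured filter order if set; otherwise a fixed value when the
     *         Boot actuator's {@code ManagementServerProperties} class is present; otherwise
     *         {@link SecurityProperties#ACCESS_OVERRIDE_ORDER}
     */
    @Override
    public int getOrder() {
        if (this.sso.getFilterOrder() != null) {
            return this.sso.getFilterOrder().intValue();
        }
        if (ClassUtils.isPresent("org.springframework.boot.actuate.autoconfigure.ManagementServerProperties", null)) {
            // Same value as the decompiled literal 2147483638.
            // NOTE(review): presumably derived from a Boot ordering constant so this chain sorts
            // relative to the actuator's own security chain - confirm against the original source.
            return Integer.MAX_VALUE - 9;
        }
        return SecurityProperties.ACCESS_OVERRIDE_ORDER;
    }

    /**
     * Receives the application's {@link OAuth2SsoConfigurer} beans, if any, and keeps a private
     * copy sorted with {@link AnnotationAwareOrderComparator}.
     *
     * @param list the configurers found in the application context
     */
    @Autowired(required = false)
    public void setConfigurers(List<OAuth2SsoConfigurer> list) {
        // Typed copy (the decompiled code used a raw ArrayList); sorting must not touch the
        // caller's list.
        this.configurers = new ArrayList<>(list);
        AnnotationAwareOrderComparator.sort(this.configurers);
    }

    /**
     * Builds the SSO filter chain: installs the SSO filter, decides which requests the chain
     * covers, sets up logout and the login entry point, then lets the configurers customize it.
     *
     * <p>Scope of protection depends on whether configurers are present:
     * <ul>
     * <li>None: the chain matches every request and requires authentication for all of them,
     * apart from the home path when it is marked as not secure.</li>
     * <li>One or more: the chain matches only the login path plus whatever the configurers add,
     * and no catch-all authorization rule is installed here.</li>
     * </ul>
     *
     * @param httpSecurity the builder for this chain
     * @throws Exception if any part of the configuration fails
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.apply(new OAuth2ClientAuthenticationConfigurer(oauth2SsoFilter()));

        OAuth2SsoConfigurer.RequestMatchers requestMatchers = new OAuth2SsoConfigurer.RequestMatchers();
        if (this.configurers.isEmpty()) {
            requestMatchers.anyRequest();
        } else {
            // The login path must always reach this chain so the SSO filter can handle it.
            requestMatchers.antMatchers(this.sso.getLoginPath());
            for (OAuth2SsoConfigurer configurer : this.configurers) {
                configurer.match(requestMatchers);
            }
        }
        httpSecurity.requestMatchers().requestMatchers(requestMatchers.getRequestMatchers());

        ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry authorizeRequests = httpSecurity.authorizeRequests();
        if (!this.sso.getHome().isSecure()) {
            // Registered first, so it takes effect ahead of any later, broader rule.
            authorizeRequests.antMatchers(this.sso.getHome().getPath()).permitAll();
        }

        // The logout matcher is built from the path alone, so it is not limited to one HTTP
        // method: a plain GET to the logout path ends the session.
        // NOTE(review): restrict the matcher to POST if cross-site triggered logout matters.
        LogoutConfigurer<HttpSecurity> logout = httpSecurity.logout();
        logout.logoutSuccessUrl(this.sso.getHome().getRoot())
                .logoutRequestMatcher(new AntPathRequestMatcher(this.sso.getLogoutPath()))
                .permitAll(!this.sso.getHome().isSecure());
        addRedirectToLogout(logout);

        httpSecurity.exceptionHandling().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint(this.sso.getLoginPath()));

        for (OAuth2SsoConfigurer configurer : this.configurers) {
            configurer.configure(httpSecurity);
        }
        if (this.configurers.isEmpty()) {
            // Catch-all goes last so the more specific rules above are evaluated first.
            authorizeRequests.anyRequest().authenticated();
        }
        // NOTE(review): with configurers present there is no catch-all here, so a path that a
        // configurer matches but does not authorize falls to Spring Security's default for
        // unmapped requests - verify each configurer ends with an explicit rule.
    }

    /**
     * Adds the remote-logout redirect handler when {@code logoutRedirect} is enabled.
     *
     * @param logoutConfigurer the logout configuration to extend
     */
    private void addRedirectToLogout(LogoutConfigurer<HttpSecurity> logoutConfigurer) {
        if (this.sso.isLogoutRedirect()) {
            logoutConfigurer.addLogoutHandler(logoutHandler());
        }
    }

    /**
     * Creates the filter that completes the OAuth2 login on the configured login path.
     *
     * @return a new filter wired with the user-info rest template and the token services
     */
    protected OAuth2ClientAuthenticationProcessingFilter oauth2SsoFilter() {
        OAuth2ClientAuthenticationProcessingFilter ssoFilter =
                new OAuth2ClientAuthenticationProcessingFilter(this.sso.getLoginPath());
        ssoFilter.setRestTemplate(this.restTemplate);
        ssoFilter.setTokenServices(this.tokenServices);
        return ssoFilter;
    }

    /**
     * Creates the handler that drops the locally held access token and redirects the browser to
     * the URI returned by {@code OAuth2SsoProperties.getLogoutUri}.
     *
     * @return a logout handler bound to this configuration's rest template and SSO properties
     */
    private LogoutHandler logoutHandler() {
        return new LogoutHandler() {
            @Override
            public void logout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) {
                // Only the local client context is cleared; nothing here revokes the token at
                // the authorization server.
                restTemplate.getOAuth2ClientContext().setAccessToken(null);

                // The return URL is the current request URL with the logout path swapped for the
                // home root. getRequestURL() is rebuilt by the container from the incoming
                // request (scheme and host as the client or a proxy presented them), so this
                // value is client-influenced unless the container or a fronting proxy pins the
                // host name. String.replace also rewrites every occurrence of the logout path,
                // not just the trailing one.
                // NOTE(review): presumably getLogoutUri passes this as the post-logout redirect
                // to the authorization server - confirm that server validates it against an
                // allow-list, or build the base URL from configuration instead.
                String currentUrl = httpServletRequest.getRequestURL().toString();
                String returnUrl = currentUrl.replace(sso.getLogoutPath(), sso.getHome().getRoot());
                try {
                    httpServletResponse.sendRedirect(sso.getLogoutUri(returnUrl));
                } catch (IOException e) {
                    throw new IllegalStateException("Cannot logout remote server", e);
                }
            }
        };
    }
}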
