package org.frankframework.console.configuration;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.util.Supplier;
import org.frankframework.lifecycle.servlets.AuthenticatorUtils;
import org.frankframework.lifecycle.servlets.IAuthenticator;
import org.frankframework.lifecycle.servlets.NoOpAuthenticator;
import org.frankframework.lifecycle.servlets.SpaCsrfTokenRequestHandler;
import org.frankframework.security.config.ServletRegistration;
import org.frankframework.util.ClassUtils;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.context.EnvironmentAware;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.core.env.Environment;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.expression.WebExpressionAuthorizationManager;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Builds the Spring Security filter chain that protects the Frank!Framework Console.
 *
 * <p>The class reads its switches from the Spring {@link Environment}
 * ({@code csrf.enabled}, {@code csrf.cookie.path}, {@code cors.enforced} and
 * {@value #HEALTH_CHECK_EXPRESSION_KEY}), applies the console-wide hardening
 * (frame options, CSRF, session policy, logout, health-endpoint access) and then
 * hands the {@link HttpSecurity} builder to the configured {@link IAuthenticator},
 * which returns the final {@link SecurityFilterChain}.
 *
 * <p>Method security is limited to the JSR-250 annotations; the pre/post
 * expression annotations are switched off. The {@code @Order} value equals
 * {@code Integer.MIN_VALUE + 100}.
 */
@Configuration
@EnableWebSecurity
@EnableMethodSecurity(jsr250Enabled = true, prePostEnabled = false)
@Order(-2147483548)
public class SecurityChainConfigurer implements ApplicationContextAware, EnvironmentAware {
    /** Property that overrides the access expression guarding the health endpoints. */
    static final String HEALTH_CHECK_EXPRESSION_KEY = "iaf-api.healthCheckEndpointExpression";
    private static final Logger APPLICATION_LOG = LogManager.getLogger("APPLICATION");
    // Default health-endpoint rule: loopback callers (IPv4 or IPv6) or any authenticated caller.
    // NOTE(review): hasIpAddress presumably compares against the remote address the servlet
    // container reports; behind a reverse proxy on the same host every request may look
    // local, which would leave the health endpoints unauthenticated. Confirm per deployment.
    private static final String EXPRESSION_IS_LOCALHOST_OR_AUTHENTICATED = "hasIpAddress('127.0.0.1') or hasIpAddress('::1') or isAuthenticated()";
    private ApplicationContext applicationContext;
    private boolean csrfEnabled;
    private String csrfCookiePath;
    private boolean corsEnabled;
    private String healthCheckEndpointExpression;

    /**
     * Logout handler that answers with HTTP 401 and a {@code Location} header pointing at
     * the servlet root instead of issuing a redirect.
     */
    private static class RedirectToServletRoot implements LogoutSuccessHandler {
        private RedirectToServletRoot() {
        }

        /**
         * Writes the 401 status and the {@code Location} header; no body is written.
         *
         * @param httpServletRequest  the logout request, used to derive the servlet root
         * @param httpServletResponse the response that receives status and header
         * @param authentication      unused
         */
        public void onLogoutSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) {
            // 401 is not a redirect status, so browsers will not follow Location on their own;
            // presumably the console front end reads the header itself (TODO confirm).
            httpServletResponse.setStatus(HttpStatus.UNAUTHORIZED.value());
            httpServletResponse.setHeader("Location", determineTargetUrl(httpServletRequest));
        }

        /**
         * Returns the servlet path of the request, guaranteed to end with a slash.
         * The value comes from the container's servlet mapping, not from a request parameter.
         */
        private String determineTargetUrl(HttpServletRequest httpServletRequest) {
            final String root = httpServletRequest.getServletPath();
            return root.endsWith("/") ? root : root + "/";
        }
    }

    /**
     * Reads the security switches from the environment.
     *
     * <p>Defaults: CSRF protection on, no explicit CSRF cookie path, CORS configuration
     * off, and the localhost-or-authenticated rule for the health endpoints.
     *
     * @param environment the Spring environment holding the application properties
     */
    public void setEnvironment(Environment environment) {
        this.csrfEnabled = environment.getProperty("csrf.enabled", boolean.class, true);
        this.csrfCookiePath = environment.getProperty("csrf.cookie.path", String.class);
        this.corsEnabled = environment.getProperty("cors.enforced", boolean.class, false);
        this.healthCheckEndpointExpression = environment.getProperty(HEALTH_CHECK_EXPRESSION_KEY, EXPRESSION_IS_LOCALHOST_OR_AUTHENTICATED);
    }

    /**
     * Applies the console-wide settings to {@code httpSecurity} and lets the authenticator
     * finish the chain.
     *
     * @param iAuthenticator the authenticator that adds its own rules and builds the chain
     * @param httpSecurity   the builder to configure
     * @return the chain returned by {@link IAuthenticator#configureHttpSecurity(HttpSecurity)}
     * @throws Exception if any configurer or the authenticator fails
     */
    private SecurityFilterChain configureHttpSecurity(IAuthenticator iAuthenticator, HttpSecurity httpSecurity) throws Exception {
        // Framing is allowed from the same origin only.
        httpSecurity.headers(headers -> headers.frameOptions(frameOptions -> frameOptions.sameOrigin()));

        if (!this.csrfEnabled) {
            // csrf.enabled=false removes CSRF token validation for every request on this chain.
            httpSecurity.csrf(csrf -> csrf.disable());
        } else {
            // The token cookie is deliberately readable by script so the single-page front end
            // can send the token back; it carries the CSRF token, not the session.
            final CookieCsrfTokenRepository tokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse();
            if (StringUtils.isNotEmpty(this.csrfCookiePath)) {
                tokenRepository.setCookiePath(this.csrfCookiePath);
            }
            httpSecurity.csrf(csrf -> csrf.csrfTokenRepository(tokenRepository).csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler()));
        }

        httpSecurity.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED));
        httpSecurity.formLogin(form -> form.disable());

        if (!this.corsEnabled) {
            // Only cors.enforced=true keeps Spring Security's CORS support in the chain.
            httpSecurity.cors(cors -> cors.disable());
        }

        // Logout is matched by requestMatcher(..), i.e. a GET request. GET requests are not
        // subject to CSRF token validation, so this URL is not CSRF-protected; the effect of
        // an unwanted call is limited to ending the session.
        httpSecurity.logout(logout -> logout.logoutRequestMatcher(this::requestMatcher).logoutSuccessHandler(new RedirectToServletRoot()));

        // The health rule is registered before the authenticator adds its own rules.
        // With an empty expression, or with the NoOpAuthenticator, the health endpoints
        // are open to everyone.
        final boolean healthOpenToAll = StringUtils.isEmpty(this.healthCheckEndpointExpression) || iAuthenticator instanceof NoOpAuthenticator;
        if (healthOpenToAll) {
            httpSecurity.authorizeHttpRequests(requests -> requests.requestMatchers(new AntPathRequestMatcher("/**/health")).permitAll());
        } else {
            // The property value is parsed as a security expression, so it must only ever
            // come from trusted configuration.
            httpSecurity.authorizeHttpRequests(requests -> requests.requestMatchers(new AntPathRequestMatcher("/**/health")).access(new WebExpressionAuthorizationManager(this.healthCheckEndpointExpression)));
        }

        return iAuthenticator.configureHttpSecurity(httpSecurity);
    }

    /**
     * Tells whether a request is a logout request: method {@code GET} with path info
     * {@code /logout}. A request without path info never matches.
     */
    private boolean requestMatcher(HttpServletRequest httpServletRequest) {
        if (!"GET".equals(httpServletRequest.getMethod())) {
            return false;
        }
        return "/logout".equals(httpServletRequest.getPathInfo());
    }

    /**
     * Creates the console authenticator from the properties under
     * {@code application.security.console.authentication.}.
     */
    @Bean
    public IAuthenticator consoleAuthenticator() {
        return AuthenticatorUtils.createAuthenticator(this.applicationContext, "application.security.console.authentication.");
    }

    /**
     * Registers the backend and frontend servlets with the authenticator and builds the
     * console security chain.
     *
     * @param httpSecurity   the builder supplied by Spring Security
     * @param iAuthenticator the console authenticator bean
     * @return the configured security filter chain
     * @throws Exception if the chain cannot be configured
     */
    @Bean
    public SecurityFilterChain createConsoleSecurityChain(HttpSecurity httpSecurity, IAuthenticator iAuthenticator) throws Exception {
        // The authenticator's class name is resolved lazily, only when INFO is enabled.
        APPLICATION_LOG.info("Securing Frank!Framework Console using {}", () -> ClassUtils.classNameOf(iAuthenticator));

        // Backend first, then frontend: same registration order as before.
        final String[] servletBeanNames = {"backendServletBean", "frontendServletBean"};
        for (String servletBeanName : servletBeanNames) {
            ServletRegistration registration = this.applicationContext.getBean(servletBeanName, ServletRegistration.class);
            iAuthenticator.registerServlet(registration.getServletConfiguration());
        }
        return configureHttpSecurity(iAuthenticator, httpSecurity);
    }

    /** Stores the application context used to look up the servlet beans and the authenticator settings. */
    @Generated
    public void setApplicationContext(ApplicationContext applicationContext) {
        this.applicationContext = applicationContext;
    }
}
