package com.stormpath.spring.config;

import com.stormpath.sdk.authc.AuthenticationResult;
import com.stormpath.sdk.client.Client;
import com.stormpath.sdk.servlet.filter.ContentNegotiationResolver;
import com.stormpath.sdk.servlet.http.MediaType;
import com.stormpath.sdk.servlet.http.Saver;
import com.stormpath.sdk.servlet.http.UnresolvedMediaTypeException;
import com.stormpath.sdk.servlet.mvc.WebHandler;
import com.stormpath.spring.filter.ContentNegotiationAuthenticationFilter;
import com.stormpath.spring.filter.LoginHandlerFilter;
import com.stormpath.spring.filter.SpringSecurityResolvedAccountFilter;
import com.stormpath.spring.oauth.OAuthAuthenticationSpringSecurityProcessingFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Spring Security configurer that plugs the Stormpath filters, URL authorization rules,
 * logout handling and CSRF policy into an {@link HttpSecurity} builder.
 *
 * <p>Instances are normally obtained through {@link #stormpath()}, which uses {@code new};
 * the {@code @Autowired} and {@code @Value} fields are therefore only populated when
 * {@link #init(HttpSecurity)} asks the application context to autowire this object.
 *
 * <p>Every {@code @Value} field reads a {@code stormpath.*} environment property and falls
 * back to the default written in its SpEL expression.
 */
@EnableStormpathWebSecurity
@Configuration
/* loaded from: input_file:com/stormpath/spring/config/StormpathWebSecurityConfigurer.class */
public class StormpathWebSecurityConfigurer extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
    private static final Logger log = LoggerFactory.getLogger(StormpathWebSecurityConfigurer.class);

    // Filter registered before AnonymousAuthenticationFilter when the OAuth2 token endpoint is enabled.
    @Autowired
    OAuthAuthenticationSpringSecurityProcessingFilter oauthAuthenticationSpringSecurityProcessingFilter;

    // Filter always registered before AnonymousAuthenticationFilter by init().
    @Autowired
    SpringSecurityResolvedAccountFilter springSecurityResolvedAccountFilter;

    // Entry point installed for unauthenticated access when login is enabled.
    @Autowired
    AuthenticationEntryPoint stormpathAuthenticationEntryPoint;

    @Autowired
    protected Client client;

    @Autowired
    @Qualifier("stormpathLogoutHandler")
    protected LogoutHandler logoutHandler;

    @Autowired
    @Qualifier("stormpathAuthenticationSuccessHandler")
    protected AuthenticationSuccessHandler successHandler;

    // Token repository handed to Spring Security's CSRF support when CSRF stays enabled.
    @Autowired
    @Qualifier("stormpathCsrfTokenRepository")
    private CsrfTokenRepository csrfTokenRepository;

    @Autowired
    @Qualifier("stormpathAuthenticationFailureHandler")
    protected AuthenticationFailureHandler failureHandler;

    @Autowired
    @Qualifier("stormpathAuthenticationManager")
    AuthenticationManager stormpathAuthenticationManager;

    // Optional bean; not referenced by any method of this class.
    @Autowired(required = false)
    @Qualifier("stormpathAuthenticationResultSaver")
    protected Saver<AuthenticationResult> authenticationResultSaver;

    // Comma-separated media types; used for the login filter and for the CSRF matcher in init().
    @Value("#{ @environment['stormpath.web.produces'] ?: 'application/json, text/html' }")
    protected String produces;

    // NOTE(review): this flag is not read anywhere in this class, so setting
    // stormpath.spring.security.enabled=false does not change what init() configures here.
    @Value("#{ @environment['stormpath.spring.security.enabled'] ?: true }")
    protected boolean stormpathSecuritybEnabled;

    @Value("#{ @environment['stormpath.web.enabled'] ?: true }")
    protected boolean stormpathWebEnabled;

    @Value("#{ @environment['stormpath.web.login.enabled'] ?: true }")
    protected boolean loginEnabled;

    @Value("#{ @environment['stormpath.web.login.uri'] ?: '/login' }")
    protected String loginUri;

    @Value("#{ @environment['stormpath.web.logout.enabled'] ?: true }")
    protected boolean logoutEnabled;

    @Value("#{ @environment['stormpath.web.logout.uri'] ?: '/logout' }")
    protected String logoutUri;

    @Value("#{ @environment['stormpath.web.logout.nextUri'] ?: '/' }")
    protected String logoutNextUri;

    @Value("#{ @environment['stormpath.web.forgotPassword.enabled'] ?: true }")
    protected boolean forgotEnabled;

    @Value("#{ @environment['stormpath.web.forgotPassword.uri'] ?: '/forgot' }")
    protected String forgotUri;

    @Value("#{ @environment['stormpath.web.changePassword.enabled'] ?: true }")
    protected boolean changeEnabled;

    @Value("#{ @environment['stormpath.web.changePassword.uri'] ?: '/change' }")
    protected String changeUri;

    @Value("#{ @environment['stormpath.web.register.enabled'] ?: true }")
    protected boolean registerEnabled;

    @Value("#{ @environment['stormpath.web.register.uri'] ?: '/register' }")
    protected String registerUri;

    @Value("#{ @environment['stormpath.web.verifyEmail.enabled'] ?: true }")
    protected boolean verifyEnabled;

    @Value("#{ @environment['stormpath.web.verifyEmail.uri'] ?: '/verify' }")
    protected String verifyUri;

    @Value("#{ @environment['stormpath.web.oauth2.enabled'] ?: true }")
    protected boolean accessTokenEnabled;

    @Value("#{ @environment['stormpath.web.oauth2.uri'] ?: '/oauth/token' }")
    protected String accessTokenUri;

    @Value("#{ @environment['stormpath.web.oauth2.revokeOnLogout'] ?: true }")
    protected boolean accessTokenRevokeOnLogout;

    // When false, init() disables CSRF protection for the whole filter chain.
    @Value("#{ @environment['stormpath.web.csrf.token.enabled'] ?: true }")
    protected boolean csrfTokenEnabled;

    @Value("#{ @environment['stormpath.web.resendVerification.uri'] ?: '/resendVerification' }")
    protected String resendVerificationUri;

    // When true, init() adds a catch-all anyRequest().fullyAuthenticated() rule.
    @Value("#{ @environment['stormpath.spring.security.fullyAuthenticated.enabled'] ?: true }")
    protected boolean fullyAuthenticatedEnabled;

    @Value("#{ @environment['stormpath.web.idSite.enabled'] ?: false }")
    protected boolean idSiteEnabled;

    @Value("#{ @environment['stormpath.web.callback.enabled'] ?: true }")
    protected boolean callbackEnabled;

    @Value("#{ @environment['stormpath.web.idSite.resultUri'] ?: '/idSiteResult' }")
    protected String idSiteResultUri;

    // Bound to stormpath.web.callback.uri although the field name says "saml".
    @Value("#{ @environment['stormpath.web.callback.uri'] ?: '/stormpathCallback' }")
    protected String samlResultUri;

    @Value("#{ @environment['stormpath.web.social.google.uri'] ?: '/callbacks/google' }")
    protected String googleCallbackUri;

    @Value("#{ @environment['stormpath.web.social.facebook.uri'] ?: '/callbacks/facebook' }")
    protected String facebookCallbackUri;

    @Value("#{ @environment['stormpath.web.social.linkedin.uri'] ?: '/callbacks/linkedin' }")
    protected String linkedinCallbackUri;

    @Value("#{ @environment['stormpath.web.social.github.uri'] ?: '/callbacks/github' }")
    protected String githubCallbackUri;

    @Value("#{ @environment['stormpath.web.me.enabled'] ?: true }")
    protected boolean meEnabled;

    @Value("#{ @environment['stormpath.web.me.uri'] ?: '/me' }")
    protected String meUri;

    // Optional handler passed to the LoginHandlerFilter that runs before the login filter.
    @Autowired(required = false)
    @Qualifier("loginPreHandler")
    protected WebHandler loginPreHandler;

    // Optional handler; only consumed by postLoginHandlerFilter(), which init() never calls.
    @Autowired(required = false)
    @Qualifier("loginPostHandler")
    protected WebHandler loginPostHandler;

    /**
     * Creates a new configurer instance.
     *
     * <p>The instance is built with {@code new}, so none of its injected fields are set until
     * {@link #init(HttpSecurity)} autowires it.
     *
     * @return a fresh, not yet autowired configurer
     */
    public static StormpathWebSecurityConfigurer stormpath() {
        return new StormpathWebSecurityConfigurer();
    }

    /**
     * Applies the Stormpath security configuration to the given builder.
     *
     * <p>In order, the method autowires this instance, clears the servlet API role prefix,
     * registers the Stormpath filters, declares which URLs are open or need full
     * authentication, configures logout, and finally configures or disables CSRF protection.
     *
     * <p>Security-relevant points for reviewers:
     * <ul>
     *   <li>Spring Security evaluates URL rules in declaration order, so the catch-all
     *       {@code anyRequest().fullyAuthenticated()} rule must stay after every
     *       {@code permitAll()} rule added here.</li>
     *   <li>The logout, password, registration, OAuth2, catch-all and CSRF settings are only
     *       applied when at least one of {@code idSiteEnabled}, {@code callbackEnabled} or
     *       {@code stormpathWebEnabled} is true; otherwise this method leaves them
     *       untouched.</li>
     *   <li>With CSRF enabled, the token endpoint, the logout URI, all GET requests and every
     *       request that negotiates to {@code application/json} are exempt from CSRF
     *       checks.</li>
     * </ul>
     *
     * @param httpSecurity the builder to configure; must expose the {@link ApplicationContext}
     *                     as a shared object
     * @throws Exception if any of the Spring Security configuration calls fails
     */
    public void init(HttpSecurity httpSecurity) throws Exception {
        // Populate the @Autowired/@Value fields of this manually constructed instance.
        ((ApplicationContext) httpSecurity.getSharedObject(ApplicationContext.class)).getAutowireCapableBeanFactory().autowireBean(this);
        // Empty prefix: servlet API role checks use role names without a "ROLE_"-style prefix.
        httpSecurity.servletApi().rolePrefix("");
        httpSecurity.addFilterBefore(this.springSecurityResolvedAccountFilter, AnonymousAuthenticationFilter.class);
        if (this.loginEnabled) {
            // Login filter goes before the stock username/password filter; the pre-login
            // handler filter is then placed in front of the login filter.
            httpSecurity.addFilterBefore(setupContentNegotiationAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
            httpSecurity.addFilterBefore(preLoginHandlerFilter(), ContentNegotiationAuthenticationFilter.class);
        }
        if (this.idSiteEnabled && this.loginEnabled) {
            // ID Site mode: only the login URI and the result URI are opened; the social
            // callbacks and static assets of the else-branch are not.
            // NOTE(review): idSiteEnabled is already true in this branch, so the ternary always
            // yields idSiteResultUri and samlResultUri is never permitted here. Possibly the
            // outer condition was meant to cover callbackEnabled as well - confirm upstream.
            ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) httpSecurity.authorizeRequests().antMatchers(new String[]{this.loginUri})).permitAll().antMatchers(new String[]{this.idSiteEnabled ? this.idSiteResultUri : this.samlResultUri})).permitAll().and().exceptionHandling().authenticationEntryPoint(this.stormpathAuthenticationEntryPoint);
        } else if (this.stormpathWebEnabled) {
            if (this.loginEnabled) {
                // A trailing "*" is appended to the login URI, so the permitAll pattern also
                // matches any same-segment path that merely starts with it (with the default,
                // "/login*"). Keep protected endpoints from sharing that prefix.
                ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) httpSecurity.authorizeRequests().antMatchers(new String[]{this.loginUri.endsWith("*") ? this.loginUri : this.loginUri + "*"})).permitAll().antMatchers(new String[]{this.googleCallbackUri})).permitAll().antMatchers(new String[]{this.githubCallbackUri})).permitAll().antMatchers(new String[]{this.facebookCallbackUri})).permitAll().antMatchers(new String[]{this.linkedinCallbackUri})).permitAll().and().exceptionHandling().authenticationEntryPoint(this.stormpathAuthenticationEntryPoint);
            }
            if (this.meEnabled) {
                // The "me" endpoint always needs a fully authenticated user, independent of
                // fullyAuthenticatedEnabled.
                ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) httpSecurity.authorizeRequests().antMatchers(new String[]{this.meUri})).fullyAuthenticated();
            }
            // Static Stormpath assets and the bundled JSP views are open to everyone.
            // NOTE(review): the last pattern permits every path under /WEB-INF/jsp/stormpath/ at
            // the Spring Security layer - confirm that is intended for the deployment.
            ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) httpSecurity.authorizeRequests().antMatchers(new String[]{"/assets/css/stormpath.css"})).permitAll().antMatchers(new String[]{"/assets/css/custom.stormpath.css"})).permitAll().antMatchers(new String[]{"/assets/js/stormpath.js"})).permitAll().antMatchers(new String[]{"/WEB-INF/jsp/stormpath/**"})).permitAll();
        }
        if (this.idSiteEnabled || this.callbackEnabled || this.stormpathWebEnabled) {
            if (this.logoutEnabled) {
                // Logout invalidates the HTTP session; the success redirect is only set when
                // ID Site is not in use.
                LogoutConfigurer logoutUrl = httpSecurity.logout().invalidateHttpSession(true).logoutUrl(this.logoutUri);
                if (!this.idSiteEnabled) {
                    logoutUrl.logoutSuccessUrl(this.logoutNextUri);
                }
                ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) logoutUrl.addLogoutHandler(this.logoutHandler).and().authorizeRequests().antMatchers(new String[]{this.logoutUri})).permitAll();
            }
            // The account self-service endpoints below are reachable without authentication.
            if (this.forgotEnabled) {
                ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) httpSecurity.authorizeRequests().antMatchers(new String[]{this.forgotUri})).permitAll();
            }
            if (this.changeEnabled) {
                ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) httpSecurity.authorizeRequests().antMatchers(new String[]{this.changeUri})).permitAll();
            }
            if (this.registerEnabled) {
                ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) httpSecurity.authorizeRequests().antMatchers(new String[]{this.registerUri})).permitAll();
            }
            if (this.verifyEnabled) {
                ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) httpSecurity.authorizeRequests().antMatchers(new String[]{this.verifyUri})).permitAll();
            }
            if (this.accessTokenEnabled) {
                // With no interactive login path enabled, the OAuth filter is switched to
                // stateless mode.
                if (!this.callbackEnabled && !this.idSiteEnabled && !this.loginEnabled) {
                    this.oauthAuthenticationSpringSecurityProcessingFilter.setStateless(true);
                }
                ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) httpSecurity.authorizeRequests().antMatchers(new String[]{this.accessTokenUri})).permitAll();
                httpSecurity.addFilterBefore(this.oauthAuthenticationSpringSecurityProcessingFilter, AnonymousAuthenticationFilter.class);
                // NOTE(review): same permitAll rule as two statements above; it looks redundant.
                ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) httpSecurity.authorizeRequests().antMatchers(new String[]{this.accessTokenUri})).permitAll();
            }
            if (this.fullyAuthenticatedEnabled) {
                // Catch-all rule; it must remain the last authorization rule registered so the
                // permitAll entries above are matched first.
                ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) httpSecurity.authorizeRequests().anyRequest()).fullyAuthenticated();
            }
            if (!this.csrfTokenEnabled) {
                // CSRF protection is turned off for the entire chain, not only for the
                // Stormpath endpoints.
                httpSecurity.csrf().disable();
                return;
            }
            httpSecurity.csrf().csrfTokenRepository(this.csrfTokenRepository);
            if (this.accessTokenEnabled) {
                httpSecurity.csrf().ignoringAntMatchers(new String[]{this.accessTokenUri});
            }
            if (this.logoutEnabled) {
                // Logout is exempt from CSRF checks, so a cross-site request can end a user's
                // session; acceptable only if forced logout is a tolerated risk.
                httpSecurity.csrf().ignoringAntMatchers(new String[]{this.logoutUri});
            }
            // Custom matcher deciding which requests need a CSRF token:
            //  - GET never does; every other method (HEAD, OPTIONS and TRACE included) does,
            //  - unless the negotiated content type is application/json, which is exempt.
            // If the media type cannot be resolved the matcher fails closed and demands a token.
            // NOTE(review): the JSON exemption is only safe if JSON clients do not rely on
            // cookie-based sessions and if the resolver's decision cannot be steered by a
            // cross-site request - confirm how ContentNegotiationResolver derives the type.
            httpSecurity.csrf().requireCsrfProtectionMatcher(new RequestMatcher() { // from class: com.stormpath.spring.config.StormpathWebSecurityConfigurer.1
                public boolean matches(HttpServletRequest httpServletRequest) {
                    if ("GET".equals(httpServletRequest.getMethod())) {
                        return false;
                    }
                    try {
                        return !MediaType.APPLICATION_JSON.equals(ContentNegotiationResolver.INSTANCE.getContentType(httpServletRequest, (HttpServletResponse) null, MediaType.parseMediaTypes(StormpathWebSecurityConfigurer.this.produces)));
                    } catch (UnresolvedMediaTypeException e) {
                        StormpathWebSecurityConfigurer.log.error("Couldn't resolve media type: {}", e.getMessage(), e);
                        return true;
                    }
                }
            });
        }
    }

    /**
     * Builds the login filter that init() places before the stock username/password filter.
     *
     * <p>The filter accepts the media types listed in {@code produces}, authenticates through
     * the Stormpath authentication manager, reads the credentials from the {@code login} and
     * {@code password} request parameters and delegates to the injected success and failure
     * handlers.
     *
     * @return a newly created, fully configured filter
     */
    private ContentNegotiationAuthenticationFilter setupContentNegotiationAuthenticationFilter() {
        ContentNegotiationAuthenticationFilter contentNegotiationAuthenticationFilter = new ContentNegotiationAuthenticationFilter();
        contentNegotiationAuthenticationFilter.setSupportedMediaTypes(MediaType.parseMediaTypes(this.produces));
        contentNegotiationAuthenticationFilter.setAuthenticationManager(this.stormpathAuthenticationManager);
        contentNegotiationAuthenticationFilter.setUsernameParameter("login");
        contentNegotiationAuthenticationFilter.setPasswordParameter("password");
        contentNegotiationAuthenticationFilter.setAuthenticationSuccessHandler(this.successHandler);
        contentNegotiationAuthenticationFilter.setAuthenticationFailureHandler(this.failureHandler);
        return contentNegotiationAuthenticationFilter;
    }

    /**
     * Creates the filter that wraps the optional pre-login handler for the login URI.
     *
     * @return a new filter; the handler passed to it is null when no {@code loginPreHandler}
     *         bean exists
     */
    private LoginHandlerFilter preLoginHandlerFilter() {
        return new LoginHandlerFilter(this.loginPreHandler, this.loginUri);
    }

    /**
     * Creates the filter that wraps the optional post-login handler for the login URI.
     *
     * <p>NOTE(review): no method of this class calls this factory, so a configured
     * {@code loginPostHandler} is not added to the filter chain here - confirm whether it is
     * wired elsewhere.
     *
     * @return a new filter; the handler passed to it is null when no {@code loginPostHandler}
     *         bean exists
     */
    private LoginHandlerFilter postLoginHandlerFilter() {
        return new LoginHandlerFilter(this.loginPostHandler, this.loginUri);
    }
}
