package org.eclipse.hawkbit.ui.autoconfigure;

import java.util.Arrays;
import java.util.Collection;
import java.util.Objects;
import org.eclipse.hawkbit.im.authentication.TenantAwareAuthenticationDetails;
import org.eclipse.hawkbit.repository.SystemManagement;
import org.eclipse.hawkbit.security.DosFilter;
import org.eclipse.hawkbit.security.HawkbitSecurityProperties;
import org.eclipse.hawkbit.security.SystemSecurityContext;
import org.eclipse.hawkbit.ui.MgmtUiConfiguration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.boot.web.servlet.ServletListenerRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.core.annotation.Order;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.config.annotation.web.configurers.ChannelSecurityConfigurer;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.util.ObjectUtils;
import org.vaadin.spring.http.HttpService;
import org.vaadin.spring.security.annotation.EnableVaadinSharedSecurity;
import org.vaadin.spring.security.shared.VaadinAuthenticationSuccessHandler;
import org.vaadin.spring.security.shared.VaadinUrlAuthenticationSuccessHandler;
import org.vaadin.spring.security.web.VaadinRedirectStrategy;

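/**
 * Spring Security auto-configuration for the hawkBit management UI.
 *
 * <p>Only active when {@link MgmtUiConfiguration} is on the classpath. It registers:
 * <ul>
 *   <li>a {@link DosFilter} in front of the UI login and logout URLs,</li>
 *   <li>the Vaadin authentication success handler that touches the tenant metadata after login,</li>
 *   <li>the {@link SecurityFilterChain} for the UI (form login or, when the beans are present, OIDC login),</li>
 *   <li>the list of paths that are excluded from Spring Security altogether.</li>
 * </ul>
 */
@EnableVaadinSharedSecurity
@Configuration
@EnableWebSecurity
@ConditionalOnClass({MgmtUiConfiguration.class})
public class UISecurityConfigurationAdapter {
    private static final Logger LOG = LoggerFactory.getLogger(UISecurityConfigurationAdapter.class);

    // Registration order of the DoS filter. Spring Boot registers the Spring Security filter at -100 by
    // default, so -200 places this filter ahead of it.
    // NOTE(review): confirm the security filter order has not been overridden in this deployment.
    private static final int DOS_FILTER_ORDER = -200;

    @Autowired
    private HawkbitSecurityProperties hawkbitSecurityProperties;

    /**
     * Success handler that resolves the tenant metadata for the tenant of the freshly authenticated user
     * before delegating to the Vaadin URL redirect handling.
     *
     * <p>The instance is created with {@code new} in {@link #redirectSaveHandler}; the {@code @Autowired}
     * fields are expected to be populated by Spring when that method's return value is registered as a bean.
     */
    class TenantMetadataSavedRequestAwareVaadinAuthenticationSuccessHandler extends VaadinUrlAuthenticationSuccessHandler {

        @Autowired
        private SystemManagement systemManagement;

        @Autowired
        private SystemSecurityContext systemSecurityContext;

        public TenantMetadataSavedRequestAwareVaadinAuthenticationSuccessHandler(HttpService httpService, VaadinRedirectStrategy vaadinRedirectStrategy, String str) {
            super(httpService, vaadinRedirectStrategy, str);
        }

        /**
         * Calls {@code SystemManagement#getTenantMetadata} as the system user in the caller's tenant, then
         * continues with the inherited success handling.
         *
         * <p>The return value of the metadata call is discarded, so it is made for its side effects only.
         * NOTE(review): presumably this initialises the tenant on first login; confirm against
         * {@code SystemManagement}.
         *
         * <p>Security note: the call runs with system privileges and the tenant name is taken from the
         * authentication details, so it is only as trustworthy as the component that populated those details.
         *
         * @param authentication the successful authentication
         * @throws InsufficientAuthenticationException if the authentication carries no tenant information
         * @throws Exception whatever the inherited handler throws
         */
        @Override
        public void onAuthenticationSuccess(Authentication authentication) throws Exception {
            // Fail with a clear NPE if field injection did not happen, before any privileged call is made.
            Objects.requireNonNull(systemManagement);
            systemSecurityContext.runAsSystemAsTenant(systemManagement::getTenantMetadata, getTenantFrom(authentication));
            super.onAuthenticationSuccess(authentication);
        }

        /**
         * Extracts the tenant from the authentication details.
         *
         * @throws InsufficientAuthenticationException if the details are not tenant-aware (fail closed rather
         *         than falling back to a default tenant)
         */
        private static String getTenantFrom(Authentication authentication) {
            Object details = authentication.getDetails();
            if (details instanceof TenantAwareAuthenticationDetails) {
                return ((TenantAwareAuthenticationDetails) details).getTenant();
            }
            throw new InsufficientAuthenticationException("Authentication details/tenant info are not specified!");
        }
    }

    /**
     * Enables {@code @Secured} and {@code @PreAuthorize}/{@code @PostAuthorize} method security with
     * class-based proxies, and publishes the resulting {@link AccessDecisionManager} as a named bean.
     */
    @Configuration
    @ConditionalOnClass({MgmtUiConfiguration.class})
    @EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true, proxyTargetClass = true)
    static class UIMethodSecurity extends GlobalMethodSecurityConfiguration {
        UIMethodSecurity() {
        }

        /** Exposes the inherited access decision manager under the bean name {@code accessDecisionManager}. */
        @Override
        @Bean(name = {"accessDecisionManager"})
        protected AccessDecisionManager accessDecisionManager() {
            return super.accessDecisionManager();
        }
    }

    /**
     * Registers the DoS filter for the UI login and logout URLs.
     *
     * <p>The filter is active unless {@code hawkbit.server.security.dos.ui-filter.enabled} is explicitly set
     * to a non-true value ({@code matchIfMissing = true}). It is limited to the login/logout URL patterns;
     * other UI requests are not throttled by this registration.
     *
     * @param hawkbitSecurityProperties source of the read/write limits, whitelist, blacklist and remote-IP header
     * @return the filter registration named {@code dosMgmtUiFilter}
     */
    @ConditionalOnProperty(prefix = "hawkbit.server.security.dos.ui-filter", name = {"enabled"}, matchIfMissing = true)
    @Bean
    public FilterRegistrationBean<DosFilter> dosMgmtUiFilter(HawkbitSecurityProperties hawkbitSecurityProperties) {
        HawkbitSecurityProperties.Dos.Filter uiLimits = hawkbitSecurityProperties.getDos().getUiFilter();
        HawkbitSecurityProperties.Clients clientSettings = hawkbitSecurityProperties.getClients();

        // First argument is deliberately null; the typed null is kept from the original source.
        // NOTE(review): presumably an optional path restriction inside DosFilter that is not needed because
        // the URL patterns are set on the registration below; confirm against DosFilter.
        // NOTE(review): if DosFilter identifies clients by the configured remote-IP header, that header is
        // only reliable when a trusted reverse proxy sets or overwrites it; confirm the deployment does so.
        DosFilter dosFilter = new DosFilter(
                (Collection) null,
                uiLimits.getMaxRead(),
                uiLimits.getMaxWrite(),
                uiLimits.getWhitelist(),
                clientSettings.getBlacklist(),
                clientSettings.getRemoteIpHeader());

        FilterRegistrationBean<DosFilter> registration = new FilterRegistrationBean<>();
        registration.setFilter(dosFilter);
        registration.setUrlPatterns(Arrays.asList("/UI/login", "/UI/login/*", "/UI/logout", "/UI/logout/*"));
        registration.setOrder(DOS_FILTER_ORDER);
        registration.setName("dosMgmtUiFilter");
        return registration;
    }

    /** Publishes the {@link AuthenticationManager} built by Spring's {@link AuthenticationConfiguration}. */
    @Bean
    AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception {
        return authenticationConfiguration.getAuthenticationManager();
    }

    /**
     * Creates the primary Vaadin authentication success handler, with {@code /UI/} as the target URL passed
     * to the parent handler.
     *
     * <p>Security note: the handler is configured to read a target URL from the request parameter {@code r}.
     * NOTE(review): a request-supplied redirect target needs to be restricted to the application itself;
     * confirm that the handler or the {@link VaadinRedirectStrategy} enforces this.
     */
    @Primary
    @Bean(name = {"vaadinAuthenticationSuccessHandler"})
    public VaadinAuthenticationSuccessHandler redirectSaveHandler(HttpService httpService, VaadinRedirectStrategy vaadinRedirectStrategy) {
        TenantMetadataSavedRequestAwareVaadinAuthenticationSuccessHandler handler =
                new TenantMetadataSavedRequestAwareVaadinAuthenticationSuccessHandler(httpService, vaadinRedirectStrategy, "/UI/");
        handler.setTargetUrlParameter("r");
        return handler;
    }

    /**
     * Registers {@link HttpSessionEventPublisher} so that servlet session creation and destruction are
     * published as Spring application events.
     */
    @Bean
    public ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
        return new ServletListenerRegistrationBean<>(new HttpSessionEventPublisher());
    }

    /**
     * Builds the security filter chain for the management UI.
     *
     * <p>OIDC login is used only when both optional beans ({@code oAuth2UserService} and
     * {@code authenticationSuccessHandler}) are present; otherwise unauthenticated requests are sent to the
     * {@code /UI/login} entry point.
     *
     * @param httpSecurity the builder supplied by Spring Security
     * @param oAuth2UserService optional OIDC user service; may be {@code null}
     * @param authenticationSuccessHandler optional OIDC success handler; may be {@code null}
     * @param logoutHandler handler invoked on logout
     * @param logoutSuccessHandler handler invoked after a successful logout
     * @return the UI filter chain, ordered at 400 relative to other {@link SecurityFilterChain} beans
     * @throws Exception if the chain cannot be built
     */
    @Bean
    @Order(400)
    protected SecurityFilterChain filterChainUI(HttpSecurity httpSecurity, @Autowired(required = false) OAuth2UserService<OidcUserRequest, OidcUser> oAuth2UserService, @Autowired(required = false) AuthenticationSuccessHandler authenticationSuccessHandler, LogoutHandler logoutHandler, LogoutSuccessHandler logoutSuccessHandler) throws Exception {
        boolean oidcEnabled = oAuth2UserService != null && authenticationSuccessHandler != null;

        // With OIDC the chain must also see the OAuth2 redirect endpoints, not only the UI paths.
        HttpSecurity http = oidcEnabled
                ? httpSecurity.requestMatchers().antMatchers("/**/UI/**", "/**/oauth2/**").and()
                : httpSecurity.antMatcher("/**/UI/**");

        // Spring Security's CSRF protection is switched off for every request handled by this chain.
        // NOTE(review): Vaadin normally protects its UIDL requests with its own CSRF token; confirm that this
        // protection is enabled, because nothing else in this chain provides one.
        http.csrf(csrf -> csrf.disable());

        // Framing is allowed from the same origin only.
        http.headers().frameOptions().sameOrigin();

        if (this.hawkbitSecurityProperties.isRequireSsl()) {
            http = http.requiresChannel(channels -> channels.anyRequest().requiresSecure());
        } else {
            // Logged at WARN so that a UI running without enforced HTTPS stands out in production logs.
            LOG.warn("******************\n** Requires HTTPS Security has been disabled for UI, should only be used for developing purposes **\n******************");
        }

        // A Content-Security-Policy header is only sent when one is configured; there is no built-in default.
        if (!ObjectUtils.isEmpty(this.hawkbitSecurityProperties.getContentSecurityPolicy())) {
            http.headers().contentSecurityPolicy(this.hawkbitSecurityProperties.getContentSecurityPolicy());
        }

        // The login page and the Vaadin UIDL endpoint are reachable without authentication; everything else
        // matched by this chain requires an authenticated user.
        // NOTE(review): because /UI/UIDL/** is open at the HTTP layer, protection of UI operations depends on
        // the checks made behind it (for example the method security enabled in UIMethodSecurity); confirm.
        http.authorizeRequests()
                .antMatchers("/UI/login/**", "/UI/UIDL/**").permitAll()
                .anyRequest().authenticated();

        if (oidcEnabled) {
            http.oauth2Login().userInfoEndpoint().oidcUserService(oAuth2UserService).and().successHandler(authenticationSuccessHandler).and().oauth2Client();
        } else {
            http.exceptionHandling().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/UI/login"));
        }

        // With CSRF protection disabled, Spring Security accepts any HTTP method on the logout URL, so a
        // plain GET (including one triggered from another site) ends the session.
        http.logout().logoutUrl("/UI/logout*").addLogoutHandler(logoutHandler).logoutSuccessHandler(logoutSuccessHandler);
        return (SecurityFilterChain) http.build();
    }

    /**
     * Excludes documentation, Vaadin static resources and root-level files with an extension from Spring
     * Security.
     *
     * <p>Security note: ignored requests bypass the security filter chains completely, so they get neither
     * authentication nor the security response headers nor the HTTPS requirement configured in
     * {@link #filterChainUI}. The {@code "/*.*"} pattern makes every single-segment path containing a dot
     * public, so nothing sensitive should be served from the context root.
     */
    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return webSecurity -> webSecurity.ignoring().antMatchers("/documentation/**", "/VAADIN/**", "/*.*", "/docs/**");
    }
}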
