package org.dspace.app.rest.security;

import org.dspace.app.rest.exception.DSpaceAccessDeniedHandler;
import org.dspace.authenticate.service.AuthenticationService;
import org.dspace.services.RequestService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Lazy;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Spring Security configuration for the DSpace REST layer.
 * <p>
 * The single {@link SecurityFilterChain} built here is scoped to the {@code /api},
 * {@code /iiif} and {@code /signposting} trees plus the actuator base path. No HTTP
 * session is ever created ({@link SessionCreationPolicy#STATELESS}); authentication
 * state is carried per request by the stateless filters registered in
 * {@link #filterChain(HttpSecurity)}.
 */
@EnableConfigurationProperties({SecurityProperties.class})
@EnableWebSecurity
@Configuration
public class WebSecurityConfiguration {
    /** Authority name for administrators; the only authority accepted for the actuator {@code /info} endpoint. */
    public static final String ADMIN_GRANT = "ADMIN";
    /** Authority name for any logged-in user. */
    public static final String AUTHENTICATED_GRANT = "AUTHENTICATED";
    /** Authority name assigned to unauthenticated requests by the anonymous configurer below. */
    public static final String ANONYMOUS_GRANT = "ANONYMOUS";

    @Autowired
    private EPersonRestAuthenticationProvider ePersonRestAuthenticationProvider;

    @Autowired
    private RestAuthenticationService restAuthenticationService;

    @Autowired
    private RequestService requestService;

    @Autowired
    private CustomLogoutHandler customLogoutHandler;

    @Autowired
    private AuthenticationService authenticationService;

    @Autowired
    private DSpaceAccessDeniedHandler accessDeniedHandler;

    /** Actuator base path; defaults to {@code /actuator} when the property is not set. */
    @Value("${management.endpoints.web.base-path:/actuator}")
    private String actuatorBasePath;

    /**
     * Exposes the authentication manager used by every login/authentication filter.
     *
     * @return a {@link ProviderManager} backed solely by the EPerson REST provider
     */
    @Bean
    public AuthenticationManager authenticationManager() {
        return new ProviderManager(this.ePersonRestAuthenticationProvider);
    }

    /**
     * Builds the REST filter chain.
     * <p>
     * At this layer only {@code GET <actuatorBasePath>/info} is restricted (to
     * {@link #ADMIN_GRANT}); every other matched request is {@code permitAll}, so
     * authorization of individual resources must be enforced further down the
     * request path, not here. Note that other actuator endpoints under the base path
     * are also {@code permitAll} at this layer; whatever the management exposure
     * configuration publishes is therefore not gated by the ADMIN check above.
     * CSRF protection stays on despite the stateless session policy, using DSpace's
     * own token repository and strategy together with the plain
     * {@link CsrfTokenRequestAttributeHandler} (not the XOR-masking variant).
     *
     * @param httpSecurity the builder supplied by Spring Security
     * @return the built chain
     * @throws Exception propagated from {@link HttpSecurity#build()}
     */
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
        // Bean-method call: with the default proxyBeanMethods this yields the singleton manager.
        AuthenticationManager authenticationManager = authenticationManager();
        String actuatorInfoPath = this.actuatorBasePath + "/info";

        httpSecurity.securityMatcher("/api/**", "/iiif/**", this.actuatorBasePath + "/**", "/signposting/**");

        httpSecurity.authorizeHttpRequests(registry -> registry
                .requestMatchers(new AntPathRequestMatcher(actuatorInfoPath, HttpMethod.GET.name()))
                .hasAnyAuthority(ADMIN_GRANT)
                .anyRequest()
                .permitAll());
        httpSecurity.sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        // Unauthenticated callers are represented as an anonymous principal carrying ANONYMOUS_GRANT.
        httpSecurity.anonymous(anonymous -> anonymous.authorities(ANONYMOUS_GRANT));
        httpSecurity.servletApi(Customizer.withDefaults());
        httpSecurity.cors(Customizer.withDefaults());
        httpSecurity.csrf(csrf -> csrf
                .csrfTokenRepository(csrfTokenRepository())
                .sessionAuthenticationStrategy(dSpaceCsrfAuthenticationStrategy())
                .csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler()));
        // 401 for missing/invalid credentials, DSpace's own handler for 403.
        httpSecurity.exceptionHandling(exceptions -> exceptions
                .authenticationEntryPoint(new DSpace401AuthenticationEntryPoint(this.restAuthenticationService))
                .accessDeniedHandler(this.accessDeniedHandler));
        // Logout is POST-only and answers 204 with no body.
        httpSecurity.logout(logout -> logout
                .addLogoutHandler(this.customLogoutHandler)
                .logoutRequestMatcher(new AntPathRequestMatcher("/api/authn/logout", HttpMethod.POST.name()))
                .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler(HttpStatus.NO_CONTENT)));

        registerAuthenticationFilters(httpSecurity, authenticationManager);
        return httpSecurity.build();
    }

    /**
     * Registers DSpace's custom authentication filters. The registration order
     * determines each filter's relative position in the chain and must be kept:
     * the additional anonymous-authorization filter ahead of the stateless
     * authentication filter, the four login filters ahead of {@link LogoutFilter},
     * and the stateless authentication filter ahead of the stateless login filter.
     *
     * @param httpSecurity          the builder being configured
     * @param authenticationManager manager shared by all registered filters
     */
    private void registerAuthenticationFilters(HttpSecurity httpSecurity,
                                               AuthenticationManager authenticationManager) {
        httpSecurity.addFilterBefore(
                new AnonymousAdditionalAuthorizationFilter(authenticationManager, this.authenticationService),
                StatelessAuthenticationFilter.class);
        httpSecurity.addFilterBefore(
                new StatelessLoginFilter("/api/authn/login", HttpMethod.POST.name(),
                        authenticationManager, this.restAuthenticationService),
                LogoutFilter.class);
        httpSecurity.addFilterBefore(
                new ShibbolethLoginFilter("/api/authn/shibboleth", HttpMethod.GET.name(),
                        authenticationManager, this.restAuthenticationService),
                LogoutFilter.class);
        httpSecurity.addFilterBefore(
                new OrcidLoginFilter("/api/authn/orcid", HttpMethod.GET.name(),
                        authenticationManager, this.restAuthenticationService),
                LogoutFilter.class);
        httpSecurity.addFilterBefore(
                new OidcLoginFilter("/api/authn/oidc", HttpMethod.GET.name(),
                        authenticationManager, this.restAuthenticationService),
                LogoutFilter.class);
        httpSecurity.addFilterBefore(
                new StatelessAuthenticationFilter(authenticationManager, this.restAuthenticationService,
                        this.ePersonRestAuthenticationProvider, this.requestService),
                StatelessLoginFilter.class);
    }

    /**
     * CSRF token repository used by the {@code csrf} configurer above.
     *
     * @return DSpace's own {@link CsrfTokenRepository} implementation
     */
    @Lazy
    @Bean
    public CsrfTokenRepository csrfTokenRepository() {
        return new DSpaceCsrfTokenRepository();
    }

    /**
     * Session-authentication strategy wired into the {@code csrf} configurer; it is
     * given the same (singleton) token repository as {@link #csrfTokenRepository()}.
     *
     * @return the CSRF authentication strategy
     */
    @Lazy
    @Bean
    public DSpaceCsrfAuthenticationStrategy dSpaceCsrfAuthenticationStrategy() {
        return new DSpaceCsrfAuthenticationStrategy(csrfTokenRepository());
    }
}
