package org.eclipse.hawkbit.autoconfigure.security;

import com.rabbitmq.client.AMQP;
import java.io.IOException;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.eclipse.hawkbit.autoconfigure.security.OidcUserManagementAutoConfiguration;
import org.eclipse.hawkbit.cache.DownloadIdCache;
import org.eclipse.hawkbit.ddi.rest.resource.DdiApiConfiguration;
import org.eclipse.hawkbit.im.authentication.SpPermission;
import org.eclipse.hawkbit.im.authentication.UserAuthenticationFilter;
import org.eclipse.hawkbit.mgmt.rest.resource.MgmtApiConfiguration;
import org.eclipse.hawkbit.repository.ControllerManagement;
import org.eclipse.hawkbit.repository.SystemManagement;
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
import org.eclipse.hawkbit.security.ControllerTenantAwareAuthenticationDetailsSource;
import org.eclipse.hawkbit.security.DdiSecurityProperties;
import org.eclipse.hawkbit.security.DosFilter;
import org.eclipse.hawkbit.security.HawkbitSecurityProperties;
import org.eclipse.hawkbit.security.HttpControllerPreAuthenticateAnonymousDownloadFilter;
import org.eclipse.hawkbit.security.HttpControllerPreAuthenticateSecurityTokenFilter;
import org.eclipse.hawkbit.security.HttpControllerPreAuthenticatedGatewaySecurityTokenFilter;
import org.eclipse.hawkbit.security.HttpControllerPreAuthenticatedSecurityHeaderFilter;
import org.eclipse.hawkbit.security.HttpDownloadAuthenticationFilter;
import org.eclipse.hawkbit.security.PreAuthTokenSourceTrustAuthenticationProvider;
import org.eclipse.hawkbit.security.SystemSecurityContext;
import org.eclipse.hawkbit.tenancy.TenantAware;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.AdviceMode;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Lazy;
import org.springframework.context.annotation.PropertySource;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.Elements;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.firewall.FirewalledRequest;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;
import org.springframework.security.web.session.SessionManagementFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, mode = AdviceMode.ASPECTJ, proxyTargetClass = true, securedEnabled = true)
@Order(Integer.MIN_VALUE)
@PropertySource({"classpath:/hawkbit-security-defaults.properties"})
/* loaded from: input_file:BOOT-INF/lib/hawkbit-autoconfigure-0.4.1.jar:org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.class */
public class SecurityManagedConfiguration {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) SecurityManagedConfiguration.class);
    private static final int DOS_FILTER_ORDER = -200;

    /**
     * Filter chain and DoS filter for the DDI artifact download endpoint
     * (the single pattern held in {@code DDI_DL_ANT_MATCHER}).
     *
     * <p>Security-relevant behaviour visible in this class:
     * <ul>
     *   <li>CSRF protection is switched off for the matched path.</li>
     *   <li>HTTPS is enforced only when {@code securityProperties.isRequireSsl()} is true.</li>
     *   <li>When anonymous controller access is enabled, every request is given the
     *       {@code CONTROLLER_ROLE_ANONYMOUS} authority and no pre-authentication filter runs.</li>
     *   <li>Otherwise four pre-authentication filters are installed, every request must be
     *       authenticated, failures are answered with a bare 401 and no HTTP session is created.</li>
     * </ul>
     */
    @Configuration
    @ConditionalOnClass({DdiApiConfiguration.class})
    /* loaded from: input_file:BOOT-INF/lib/hawkbit-autoconfigure-0.4.1.jar:org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration$ControllerDownloadSecurityConfigurationAdapter.class */
    static class ControllerDownloadSecurityConfigurationAdapter {
        private static final String DDI_DL_ANT_MATCHER = "/{tenant}/controller/v1/{controllerId}/softwaremodules/{softwareModuleId}/artifacts/*";
        private final ControllerManagement controllerManagement;
        private final TenantConfigurationManagement tenantConfigurationManagement;
        private final TenantAware tenantAware;
        private final DdiSecurityProperties ddiSecurityConfiguration;
        private final HawkbitSecurityProperties securityProperties;
        private final SystemSecurityContext systemSecurityContext;

        /** Stores the injected collaborators; no other work is done here. */
        @Autowired
        ControllerDownloadSecurityConfigurationAdapter(ControllerManagement controllerManagement, TenantConfigurationManagement tenantConfigurationManagement, TenantAware tenantAware, DdiSecurityProperties ddiSecurityProperties, HawkbitSecurityProperties hawkbitSecurityProperties, SystemSecurityContext systemSecurityContext) {
            this.securityProperties = hawkbitSecurityProperties;
            this.ddiSecurityConfiguration = ddiSecurityProperties;
            this.systemSecurityContext = systemSecurityContext;
            this.tenantAware = tenantAware;
            this.tenantConfigurationManagement = tenantConfigurationManagement;
            this.controllerManagement = controllerManagement;
        }

        /**
         * Registers the DoS filter for the download path.
         *
         * <p>The bean exists unless {@code hawkbit.server.security.dos.filter.enabled} is
         * explicitly set to a non-matching value ({@code matchIfMissing = true}).
         *
         * @param hawkbitSecurityProperties source of the DoS limits and client settings
         * @return the registration, named {@code dosDDiDlFilter}
         */
        @ConditionalOnProperty(prefix = "hawkbit.server.security.dos.filter", name = {"enabled"}, matchIfMissing = true)
        @Bean
        public FilterRegistrationBean<DosFilter> dosFilterDDIDL(HawkbitSecurityProperties hawkbitSecurityProperties) {
            final FilterRegistrationBean<DosFilter> registration = SecurityManagedConfiguration.dosFilter(
                    List.of(DDI_DL_ANT_MATCHER),
                    hawkbitSecurityProperties.getDos().getFilter(),
                    hawkbitSecurityProperties.getClients());
            registration.setName("dosDDiDlFilter");
            registration.setOrder(SecurityManagedConfiguration.DOS_FILTER_ORDER);
            return registration;
        }

        /**
         * Builds the security filter chain for artifact downloads.
         *
         * @param httpSecurity the builder to configure
         * @return the chain restricted to {@code DDI_DL_ANT_MATCHER}
         * @throws Exception if the Spring Security builder fails
         */
        @Bean
        @Order(301)
        protected SecurityFilterChain filterChainDDIDL(HttpSecurity httpSecurity) throws Exception {
            final AuthenticationManager authManager = SecurityManagedConfiguration.setAuthenticationManager(httpSecurity, this.ddiSecurityConfiguration);
            httpSecurity.requestMatcher(new AntPathRequestMatcher(DDI_DL_ANT_MATCHER)).csrf(csrf -> csrf.disable());
            if (this.securityProperties.isRequireSsl()) {
                httpSecurity.requiresChannel(channel -> channel.anyRequest().requiresSecure());
            }
            final ControllerTenantAwareAuthenticationDetailsSource detailsSource = new ControllerTenantAwareAuthenticationDetailsSource();
            if (!this.ddiSecurityConfiguration.getAuthentication().getAnonymous().isEnabled()) {
                // Identity comes from the request headers named by getRp().getCnHeader() and
                // getRp().getSslIssuerHashHeader().
                // NOTE(review): presumably a TLS-terminating reverse proxy sets these; they are only
                // trustworthy if that proxy removes client-supplied copies — confirm for the deployment.
                final HttpControllerPreAuthenticatedSecurityHeaderFilter headerFilter = new HttpControllerPreAuthenticatedSecurityHeaderFilter(
                        this.ddiSecurityConfiguration.getRp().getCnHeader(),
                        this.ddiSecurityConfiguration.getRp().getSslIssuerHashHeader(),
                        this.tenantConfigurationManagement, this.tenantAware, this.systemSecurityContext);
                headerFilter.setAuthenticationManager(authManager);
                headerFilter.setCheckForPrincipalChanges(true);
                headerFilter.setAuthenticationDetailsSource(detailsSource);

                final HttpControllerPreAuthenticateSecurityTokenFilter targetTokenFilter = new HttpControllerPreAuthenticateSecurityTokenFilter(
                        this.tenantConfigurationManagement, this.tenantAware, this.controllerManagement, this.systemSecurityContext);
                targetTokenFilter.setAuthenticationManager(authManager);
                targetTokenFilter.setCheckForPrincipalChanges(true);
                targetTokenFilter.setAuthenticationDetailsSource(detailsSource);

                final HttpControllerPreAuthenticatedGatewaySecurityTokenFilter gatewayTokenFilter = new HttpControllerPreAuthenticatedGatewaySecurityTokenFilter(
                        this.tenantConfigurationManagement, this.tenantAware, this.systemSecurityContext);
                gatewayTokenFilter.setAuthenticationManager(authManager);
                gatewayTokenFilter.setCheckForPrincipalChanges(true);
                gatewayTokenFilter.setAuthenticationDetailsSource(detailsSource);

                // Only this download chain installs the anonymous-download filter.
                // NOTE(review): presumably it admits unauthenticated downloads when the tenant
                // configuration allows them — verify in HttpControllerPreAuthenticateAnonymousDownloadFilter.
                final HttpControllerPreAuthenticateAnonymousDownloadFilter anonymousDownloadFilter = new HttpControllerPreAuthenticateAnonymousDownloadFilter(
                        this.tenantConfigurationManagement, this.tenantAware, this.systemSecurityContext);
                anonymousDownloadFilter.setAuthenticationManager(authManager);
                anonymousDownloadFilter.setCheckForPrincipalChanges(true);
                anonymousDownloadFilter.setAuthenticationDetailsSource(detailsSource);

                httpSecurity
                        .authorizeHttpRequests(requests -> requests.anyRequest().authenticated())
                        .anonymous(anonymous -> anonymous.disable())
                        .addFilter((Filter) headerFilter)
                        .addFilter((Filter) targetTokenFilter)
                        .addFilter((Filter) gatewayTokenFilter)
                        .addFilter((Filter) anonymousDownloadFilter)
                        // Reply with a status-only 401: no body and no WWW-Authenticate challenge.
                        .exceptionHandling(handling -> handling.authenticationEntryPoint(
                                (request, response, failure) -> response.setStatus(HttpStatus.UNAUTHORIZED.value())))
                        .sessionManagement(sessions -> sessions.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
            } else {
                // This branch adds no authorizeHttpRequests rule and no session policy: the only
                // identity is the anonymous token created below. The message is logged at INFO.
                SecurityManagedConfiguration.LOG.info("******************\n** Anonymous controller security enabled, should only be used for developing purposes **\n******************");
                final AnonymousAuthenticationFilter anonymousFilter = new AnonymousAuthenticationFilter("controllerAnonymousFilter", Elements.ANONYMOUS, List.of(new SimpleGrantedAuthority(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS)));
                anonymousFilter.setAuthenticationDetailsSource(detailsSource);
                httpSecurity
                        .securityContext(context -> context.disable())
                        .anonymous(anonymous -> anonymous.authenticationFilter(anonymousFilter));
            }
            return httpSecurity.build();
        }
    }

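    /**
     * Filter chain and DoS filter for the DDI controller endpoints listed in
     * {@code DDI_ANT_MATCHERS}.
     *
     * <p>Security-relevant behaviour visible in this class:
     * <ul>
     *   <li>CSRF protection is switched off for the matched paths.</li>
     *   <li>HTTPS is enforced only when {@code securityProperties.isRequireSsl()} is true.</li>
     *   <li>When anonymous controller access is enabled, every request is given the
     *       {@code CONTROLLER_ROLE_ANONYMOUS} authority and no pre-authentication filter runs.</li>
     *   <li>Otherwise three pre-authentication filters are installed, every request must be
     *       authenticated, failures are answered with a bare 401 and no HTTP session is created.</li>
     * </ul>
     */
    @Configuration
    @EnableWebSecurity
    @ConditionalOnClass({DdiApiConfiguration.class})
    /* loaded from: input_file:BOOT-INF/lib/hawkbit-autoconfigure-0.4.1.jar:org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration$ControllerSecurityConfigurationAdapter.class */
    static class ControllerSecurityConfigurationAdapter {
        private static final String[] DDI_ANT_MATCHERS = {
            "/{tenant}/controller/v1/{controllerId}",
            "/{tenant}/controller/v1/{controllerId}/confirmationBase/**",
            "/{tenant}/controller/v1/{controllerId}/deploymentBase/**",
            "/{tenant}/controller/v1/{controllerId}/installedBase/**",
            "/{tenant}/controller/v1/{controllerId}/cancelAction/**",
            "/{tenant}/controller/v1/{controllerId}/configData",
            "/{tenant}/controller/v1/{controllerId}/softwaremodules/{softwareModuleId}/artifacts"
        };
        private final ControllerManagement controllerManagement;
        private final TenantConfigurationManagement tenantConfigurationManagement;
        private final TenantAware tenantAware;
        private final DdiSecurityProperties ddiSecurityConfiguration;
        private final HawkbitSecurityProperties securityProperties;
        private final SystemSecurityContext systemSecurityContext;

        /** Stores the injected collaborators; no other work is done here. */
        @Autowired
        ControllerSecurityConfigurationAdapter(ControllerManagement controllerManagement, TenantConfigurationManagement tenantConfigurationManagement, TenantAware tenantAware, DdiSecurityProperties ddiSecurityProperties, HawkbitSecurityProperties hawkbitSecurityProperties, SystemSecurityContext systemSecurityContext) {
            this.controllerManagement = controllerManagement;
            this.tenantConfigurationManagement = tenantConfigurationManagement;
            this.tenantAware = tenantAware;
            this.ddiSecurityConfiguration = ddiSecurityProperties;
            this.securityProperties = hawkbitSecurityProperties;
            this.systemSecurityContext = systemSecurityContext;
        }

        /**
         * Registers the DoS filter for the DDI controller paths.
         *
         * <p>The bean exists unless {@code hawkbit.server.security.dos.filter.enabled} is
         * explicitly set to a non-matching value ({@code matchIfMissing = true}).
         *
         * @param hawkbitSecurityProperties source of the DoS limits and client settings
         * @return the registration, named {@code dosDDiFilter}
         */
        @ConditionalOnProperty(prefix = "hawkbit.server.security.dos.filter", name = {"enabled"}, matchIfMissing = true)
        @Bean
        public FilterRegistrationBean<DosFilter> dosFilterDDI(HawkbitSecurityProperties hawkbitSecurityProperties) {
            // Pass the String[] straight to List.of so the result is a List<String>; an Object[]
            // cast here produces a List<Object> that does not fit the Collection<String> parameter.
            final FilterRegistrationBean<DosFilter> registration = SecurityManagedConfiguration.dosFilter(
                    List.of(DDI_ANT_MATCHERS),
                    hawkbitSecurityProperties.getDos().getFilter(),
                    hawkbitSecurityProperties.getClients());
            registration.setOrder(SecurityManagedConfiguration.DOS_FILTER_ORDER);
            registration.setName("dosDDiFilter");
            return registration;
        }

        /**
         * Builds the security filter chain for the DDI controller endpoints.
         *
         * @param httpSecurity the builder to configure
         * @return the chain restricted to {@code DDI_ANT_MATCHERS}
         * @throws Exception if the Spring Security builder fails
         */
        @Bean
        @Order(300)
        protected SecurityFilterChain filterChainDDI(HttpSecurity httpSecurity) throws Exception {
            final AuthenticationManager authManager = SecurityManagedConfiguration.setAuthenticationManager(httpSecurity, this.ddiSecurityConfiguration);
            httpSecurity
                    .requestMatchers(matchers -> matchers.antMatchers(DDI_ANT_MATCHERS))
                    .csrf(csrf -> csrf.disable());
            if (this.securityProperties.isRequireSsl()) {
                httpSecurity.requiresChannel(channel -> channel.anyRequest().requiresSecure());
            }
            final ControllerTenantAwareAuthenticationDetailsSource detailsSource = new ControllerTenantAwareAuthenticationDetailsSource();
            if (this.ddiSecurityConfiguration.getAuthentication().getAnonymous().isEnabled()) {
                // This branch adds no authorizeHttpRequests rule and no session policy: the only
                // identity is the anonymous token created below. The message is logged at INFO.
                SecurityManagedConfiguration.LOG.info("******************\n** Anonymous controller security enabled, should only be used for developing purposes **\n******************");
                final AnonymousAuthenticationFilter anonymousFilter = new AnonymousAuthenticationFilter("controllerAnonymousFilter", Elements.ANONYMOUS, List.of(new SimpleGrantedAuthority(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS)));
                anonymousFilter.setAuthenticationDetailsSource(detailsSource);
                httpSecurity
                        .securityContext(context -> context.disable())
                        .anonymous(anonymous -> anonymous.authenticationFilter(anonymousFilter));
            } else {
                // Identity comes from the request headers named by getRp().getCnHeader() and
                // getRp().getSslIssuerHashHeader().
                // NOTE(review): presumably a TLS-terminating reverse proxy sets these; they are only
                // trustworthy if that proxy removes client-supplied copies — confirm for the deployment.
                final HttpControllerPreAuthenticatedSecurityHeaderFilter headerFilter = new HttpControllerPreAuthenticatedSecurityHeaderFilter(
                        this.ddiSecurityConfiguration.getRp().getCnHeader(),
                        this.ddiSecurityConfiguration.getRp().getSslIssuerHashHeader(),
                        this.tenantConfigurationManagement, this.tenantAware, this.systemSecurityContext);
                headerFilter.setAuthenticationManager(authManager);
                headerFilter.setCheckForPrincipalChanges(true);
                headerFilter.setAuthenticationDetailsSource(detailsSource);

                final HttpControllerPreAuthenticateSecurityTokenFilter targetTokenFilter = new HttpControllerPreAuthenticateSecurityTokenFilter(
                        this.tenantConfigurationManagement, this.tenantAware, this.controllerManagement, this.systemSecurityContext);
                targetTokenFilter.setAuthenticationManager(authManager);
                targetTokenFilter.setCheckForPrincipalChanges(true);
                targetTokenFilter.setAuthenticationDetailsSource(detailsSource);

                final HttpControllerPreAuthenticatedGatewaySecurityTokenFilter gatewayTokenFilter = new HttpControllerPreAuthenticatedGatewaySecurityTokenFilter(
                        this.tenantConfigurationManagement, this.tenantAware, this.systemSecurityContext);
                gatewayTokenFilter.setAuthenticationManager(authManager);
                gatewayTokenFilter.setCheckForPrincipalChanges(true);
                gatewayTokenFilter.setAuthenticationDetailsSource(detailsSource);

                httpSecurity
                        .authorizeHttpRequests(requests -> requests.anyRequest().authenticated())
                        .anonymous(anonymous -> anonymous.disable())
                        .addFilter((Filter) headerFilter)
                        .addFilter((Filter) targetTokenFilter)
                        .addFilter((Filter) gatewayTokenFilter)
                        // Reply with a status-only 401: no body and no WWW-Authenticate challenge.
                        .exceptionHandling(handling -> handling.authenticationEntryPoint(
                                (request, response, failure) -> response.setStatus(HttpStatus.UNAUTHORIZED.value())))
                        .sessionManagement(sessions -> sessions.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
            }
            return httpSecurity.build();
        }
    }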

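    /**
     * Filter chain for download-id based artifact downloads (any path containing a
     * {@code downloadId} segment).
     *
     * <p>CSRF and anonymous access are disabled, every request must be authenticated and no
     * HTTP session is created. Authentication is delegated to
     * {@link HttpDownloadAuthenticationFilter}, which is built from the {@link DownloadIdCache}.
     * NOTE(review): presumably the download id in the URL acts as the credential; if so it will
     * appear in access logs and proxies, so its lifetime in the cache matters — confirm in
     * HttpDownloadAuthenticationFilter.
     */
    @Configuration
    @EnableWebSecurity
    @ConditionalOnClass({MgmtApiConfiguration.class})
    /* loaded from: input_file:BOOT-INF/lib/hawkbit-autoconfigure-0.4.1.jar:org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration$IdRestSecurityConfigurationAdapter.class */
    public static class IdRestSecurityConfigurationAdapter {
        /**
         * Builds the security filter chain for download-id requests.
         *
         * @param httpSecurity the builder to configure
         * @param ddiSecurityProperties DDI settings used to build the authentication manager
         * @param downloadIdCache cache handed to the download authentication filter
         * @return the configured chain
         * @throws Exception if the Spring Security builder fails
         */
        @Bean
        // Plain literal instead of the unrelated AMQP.CONNECTION_FORCED constant, whose value is
        // also 320: the number is a chain order that sits between the DDI chains (300, 301) and
        // the management REST chain (350), not an AMQP reply code.
        @Order(320)
        protected SecurityFilterChain filterChainDLID(HttpSecurity httpSecurity, DdiSecurityProperties ddiSecurityProperties, DownloadIdCache downloadIdCache) throws Exception {
            final AuthenticationManager authManager = SecurityManagedConfiguration.setAuthenticationManager(httpSecurity, ddiSecurityProperties);
            final HttpDownloadAuthenticationFilter downloadIdFilter = new HttpDownloadAuthenticationFilter(downloadIdCache);
            downloadIdFilter.setAuthenticationManager(authManager);
            httpSecurity
                    .requestMatcher(new AntPathRequestMatcher("/**/downloadId/**"))
                    .authorizeHttpRequests(requests -> requests.anyRequest().authenticated())
                    .csrf(csrf -> csrf.disable())
                    .anonymous(anonymous -> anonymous.disable())
                    // Must run before the authorization interceptor so the request is already
                    // authenticated when the anyRequest().authenticated() rule is evaluated.
                    .addFilterBefore((Filter) downloadIdFilter, FilterSecurityInterceptor.class)
                    .sessionManagement(sessions -> sessions.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
            return httpSecurity.build();
        }
    }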

    /* loaded from: input_file:BOOT-INF/lib/hawkbit-autoconfigure-0.4.1.jar:org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration$IgnorePathsStrictHttpFirewall.class */
    /**
     * {@link StrictHttpFirewall} variant that lets a configured set of request URIs through
     * without any firewall validation.
     *
     * <p>A request is exempt when {@code getRequestURI()} is contained in {@code pathsToIgnore};
     * the test is {@link Collection#contains}, so it is an exact match on the URI string as the
     * container reports it. For an exempt request none of the checks in
     * {@code StrictHttpFirewall.getFirewalledRequest} run, including any allowed-hostname
     * predicate configured on this firewall, so the list should be kept as short as possible.
     */
    private static class IgnorePathsStrictHttpFirewall extends StrictHttpFirewall {
        // Held by reference, not copied: later changes to the caller's collection are visible here.
        private final Collection<String> pathsToIgnore;

        /**
         * @param collection request URIs that bypass the firewall; may be {@code null}, in which
         *        case every request is validated
         */
        public IgnorePathsStrictHttpFirewall(Collection<String> collection) {
            this.pathsToIgnore = collection;
        }

        /**
         * Validates the request with the strict firewall unless its URI is on the ignore list.
         *
         * @param httpServletRequest the incoming request
         * @return the strict firewall's wrapper, or a pass-through wrapper for ignored URIs
         */
        @Override // org.springframework.security.web.firewall.StrictHttpFirewall, org.springframework.security.web.firewall.HttpFirewall
        public FirewalledRequest getFirewalledRequest(HttpServletRequest httpServletRequest) {
            final boolean bypass = this.pathsToIgnore != null
                    && this.pathsToIgnore.contains(httpServletRequest.getRequestURI());
            if (!bypass) {
                return super.getFirewalledRequest(httpServletRequest);
            }
            // Pass-through wrapper: the request is handed on unchanged and unvalidated.
            return new FirewalledRequest(httpServletRequest) { // from class: org.eclipse.hawkbit.autoconfigure.security.SecurityManagedConfiguration.IgnorePathsStrictHttpFirewall.1
                @Override // org.springframework.security.web.firewall.FirewalledRequest
                public void reset() {
                    // Nothing to undo, because nothing was altered.
                }
            };
        }
    }

    /**
     * Filter chain, DoS filter and CORS configuration for the management REST API.
     *
     * <p>Security-relevant behaviour visible in this class:
     * <ul>
     *   <li>The chain matches {@code /rest/**} and {@code /system/admin/**}; the admin paths
     *       additionally require {@code SpPermission.SYSTEM_ADMIN}.</li>
     *   <li>CSRF and anonymous access are disabled and no HTTP session is created.</li>
     *   <li>Authentication is OIDC bearer token when an OIDC filter bean is present, HTTP Basic
     *       otherwise.</li>
     *   <li>CORS and the HTTPS requirement are opt-in through {@code securityProperties}.</li>
     * </ul>
     */
    @Configuration
    @EnableWebSecurity
    @ConditionalOnClass({MgmtApiConfiguration.class})
    /* loaded from: input_file:BOOT-INF/lib/hawkbit-autoconfigure-0.4.1.jar:org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration$RestSecurityConfigurationAdapter.class */
    public static class RestSecurityConfigurationAdapter {
        private final HawkbitSecurityProperties securityProperties;

        /**
         * @param hawkbitSecurityProperties security settings used by every bean in this class
         */
        public RestSecurityConfigurationAdapter(HawkbitSecurityProperties hawkbitSecurityProperties) {
            this.securityProperties = hawkbitSecurityProperties;
        }

        /**
         * Registers the DoS filter for the management API.
         *
         * <p>No path list is given to the filter itself ({@code null}); the scope comes from the
         * servlet URL patterns {@code /rest/*} and {@code /api/*} set on the registration.
         *
         * @return the registration, named {@code dosMgmtFilter}
         */
        @ConditionalOnProperty(prefix = "hawkbit.server.security.dos.filter", name = {"enabled"}, matchIfMissing = true)
        @Bean
        public FilterRegistrationBean<DosFilter> dosFilterREST() {
            final FilterRegistrationBean<DosFilter> registration = SecurityManagedConfiguration.dosFilter(
                    null, this.securityProperties.getDos().getFilter(), this.securityProperties.getClients());
            registration.setUrlPatterns(List.of("/rest/*", "/api/*"));
            registration.setName("dosMgmtFilter");
            registration.setOrder(SecurityManagedConfiguration.DOS_FILTER_ORDER);
            return registration;
        }

        /**
         * Builds the security filter chain for the management REST API.
         *
         * @param httpSecurity the builder to configure
         * @param userAuthenticationFilter lazily resolved filter used on the HTTP Basic path
         * @param oidcBearerTokenAuthenticationFilter optional; when present the OIDC path is used
         * @param inMemoryClientRegistrationRepository optional source of the OIDC client registration
         * @param systemManagement used to load tenant metadata for authenticated requests
         * @param systemSecurityContext used to run that lookup with system privileges
         * @return the configured chain
         * @throws Exception if the Spring Security builder fails
         * @throws IllegalArgumentException if the OIDC filter is present but no client
         *         registration is available
         */
        @Bean
        @Order(350)
        SecurityFilterChain filterChainREST(HttpSecurity httpSecurity, @Lazy final UserAuthenticationFilter userAuthenticationFilter, @Autowired(required = false) OidcUserManagementAutoConfiguration.OidcBearerTokenAuthenticationFilter oidcBearerTokenAuthenticationFilter, @Autowired(required = false) InMemoryClientRegistrationRepository inMemoryClientRegistrationRepository, SystemManagement systemManagement, SystemSecurityContext systemSecurityContext) throws Exception {
            // Runs for every request that reached this point authenticated and calls
            // getTenantMetadata() as the system user; the result is discarded.
            // NOTE(review): presumably this makes sure tenant metadata exists before the request
            // is handled — confirm against SystemManagement.
            final Filter tenantMetadataFilter = (request, response, chain) -> {
                final Authentication current = SecurityContextHolder.getContext().getAuthentication();
                if (current != null && current.isAuthenticated()) {
                    Objects.requireNonNull(systemManagement);
                    systemSecurityContext.runAsSystem(systemManagement::getTenantMetadata);
                }
                chain.doFilter(request, response);
            };

            httpSecurity
                    .requestMatchers(matchers -> matchers.antMatchers("/rest/**", "/system/admin/**"))
                    .csrf(csrf -> csrf.disable())
                    .authorizeHttpRequests(requests -> requests
                            .antMatchers("/system/admin/**").hasAnyAuthority(SpPermission.SYSTEM_ADMIN)
                            .anyRequest().authenticated())
                    .addFilterAfter(tenantMetadataFilter, SessionManagementFilter.class)
                    .anonymous(anonymous -> anonymous.disable())
                    .sessionManagement(sessions -> sessions.sessionCreationPolicy(SessionCreationPolicy.STATELESS));

            if (this.securityProperties.getCors().isEnabled()) {
                httpSecurity.cors(cors -> cors.configurationSource(corsConfigurationSource()));
            }
            if (this.securityProperties.isRequireSsl()) {
                httpSecurity.requiresChannel(channel -> channel.anyRequest().requiresSecure());
            }

            if (oidcBearerTokenAuthenticationFilter == null) {
                // HTTP Basic path.
                final BasicAuthenticationEntryPoint basicEntryPoint = new BasicAuthenticationEntryPoint();
                basicEntryPoint.setRealmName(this.securityProperties.getBasicRealm());
                // Adapter that forwards the servlet Filter calls to the UserAuthenticationFilter.
                httpSecurity.addFilterBefore(new Filter() { // from class: org.eclipse.hawkbit.autoconfigure.security.SecurityManagedConfiguration.RestSecurityConfigurationAdapter.1
                    @Override // javax.servlet.Filter
                    public void init(FilterConfig config) throws ServletException {
                        userAuthenticationFilter.init(config);
                    }

                    @Override // javax.servlet.Filter
                    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
                        userAuthenticationFilter.doFilter(request, response, chain);
                    }

                    @Override // javax.servlet.Filter
                    public void destroy() {
                        userAuthenticationFilter.destroy();
                    }
                }, RequestHeaderAuthenticationFilter.class);
                httpSecurity
                        .httpBasic(Customizer.withDefaults())
                        .exceptionHandling(handling -> handling.authenticationEntryPoint(basicEntryPoint));
            } else {
                // OIDC path: only the first client registration of the repository is used; JWTs
                // are verified against that provider's JWK set URI.
                final ClientRegistration registration = (inMemoryClientRegistrationRepository != null && inMemoryClientRegistrationRepository.iterator().hasNext())
                        ? inMemoryClientRegistrationRepository.iterator().next()
                        : null;
                Assert.notNull(registration, "There must be a valid client registration");
                httpSecurity.oauth2ResourceServer(resourceServer ->
                        resourceServer.jwt().jwkSetUri(registration.getProviderDetails().getJwkSetUri()));
                oidcBearerTokenAuthenticationFilter.setClientRegistration(registration);
                httpSecurity.addFilterAfter((Filter) oidcBearerTokenAuthenticationFilter, BearerTokenAuthenticationFilter.class);
            }
            return httpSecurity.build();
        }

        /**
         * Exposes one CORS configuration, built once, for every request.
         *
         * @return a source that always returns the same {@link CorsConfiguration} instance
         */
        @ConditionalOnProperty(prefix = "hawkbit.server.security.cors", name = {"enabled"})
        @Bean
        CorsConfigurationSource corsConfigurationSource() {
            final CorsConfiguration shared = corsConfiguration();
            return request -> shared;
        }

        /**
         * Builds the CORS policy from {@code securityProperties.getCors()}.
         *
         * <p>Credentials are always allowed, so the configured origin list decides which sites
         * may make credentialed cross-origin calls to the management API: it should name
         * explicit origins only. Recent Spring versions reject the {@code "*"} origin when it is
         * combined with allowed credentials.
         *
         * @return a new configuration instance
         */
        private CorsConfiguration corsConfiguration() {
            final CorsConfiguration policy = new CorsConfiguration();
            policy.setAllowedOrigins(this.securityProperties.getCors().getAllowedOrigins());
            policy.setAllowCredentials(true);
            policy.setAllowedHeaders(this.securityProperties.getCors().getAllowedHeaders());
            policy.setAllowedMethods(this.securityProperties.getCors().getAllowedMethods());
            policy.setExposedHeaders(this.securityProperties.getCors().getExposedHeaders());
            return policy;
        }
    }

    /* loaded from: input_file:BOOT-INF/lib/hawkbit-autoconfigure-0.4.1.jar:org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration$UserAuthenticationFilterBasicAuth.class */
    /**
     * Default {@link UserAuthenticationFilter}: Spring's {@link BasicAuthenticationFilter}
     * tagged with the hawkBit marker interface, adding no behaviour of its own.
     */
    private static final class UserAuthenticationFilterBasicAuth extends BasicAuthenticationFilter implements UserAuthenticationFilter {
        /**
         * @param manager authentication manager that verifies the Basic credentials
         */
        private UserAuthenticationFilterBasicAuth(AuthenticationManager manager) {
            super(manager);
        }
    }

    /**
     * Provides the HTTP Basic user authentication filter unless the application context already
     * defines a {@link UserAuthenticationFilter} bean.
     *
     * @param authenticationConfiguration source of the application's authentication manager
     * @return a Basic authentication filter bound to that manager
     * @throws Exception if the authentication manager cannot be obtained
     */
    @ConditionalOnMissingBean
    @Bean
    UserAuthenticationFilter userAuthenticationFilter(AuthenticationConfiguration authenticationConfiguration) throws Exception {
        final AuthenticationManager globalManager = authenticationConfiguration.getAuthenticationManager();
        return new UserAuthenticationFilterBasicAuth(globalManager);
    }

    /**
     * Registers the DoS filter for the {@code /system/*} servlet paths.
     *
     * <p>The filter receives an empty path list; its scope comes from the URL pattern set on
     * the registration. The bean exists unless
     * {@code hawkbit.server.security.dos.filter.enabled} is explicitly set to a non-matching
     * value ({@code matchIfMissing = true}).
     *
     * @param hawkbitSecurityProperties source of the DoS limits and client settings
     * @return the registration, named {@code dosSystemFilter}
     */
    @ConditionalOnProperty(prefix = "hawkbit.server.security.dos.filter", name = {"enabled"}, matchIfMissing = true)
    @Bean
    public FilterRegistrationBean<DosFilter> dosSystemFilter(HawkbitSecurityProperties hawkbitSecurityProperties) {
        final FilterRegistrationBean<DosFilter> registration = dosFilter(
                Collections.emptyList(),
                hawkbitSecurityProperties.getDos().getFilter(),
                hawkbitSecurityProperties.getClients());
        registration.setUrlPatterns(List.of("/system/*"));
        registration.setName("dosSystemFilter");
        registration.setOrder(DOS_FILTER_ORDER);
        return registration;
    }

    /**
     * Creates an unnamed, unordered registration wrapping a new {@link DosFilter}.
     *
     * <p>NOTE(review): the filter is given {@code clients.getRemoteIpHeader()}; presumably the
     * client address used for rate limiting and for the white/black lists is read from that
     * header. That is only reliable when a front proxy overwrites the header on every request —
     * confirm in DosFilter and in the deployment.
     *
     * @param collection paths handed to the filter; callers in this class pass a list, an empty
     *        list or {@code null}
     * @param filter read/write limits and whitelist
     * @param clients blacklist and remote-IP header name
     * @return the registration holding the new filter
     */
    private static FilterRegistrationBean<DosFilter> dosFilter(Collection<String> collection, HawkbitSecurityProperties.Dos.Filter filter, HawkbitSecurityProperties.Clients clients) {
        final FilterRegistrationBean<DosFilter> registration = new FilterRegistrationBean<>();
        final DosFilter throttle = new DosFilter(
                collection,
                filter.getMaxRead(),
                filter.getMaxWrite(),
                filter.getWhitelist(),
                clients.getBlacklist(),
                clients.getRemoteIpHeader());
        registration.setFilter(throttle);
        return registration;
    }

    /**
     * Creates the application-wide HTTP firewall.
     *
     * <p>The firewall skips validation for the URIs returned by
     * {@code getHttpFirewallIgnoredPaths()}. A host-name allow list is installed only when
     * {@code getAllowedHostNames()} is non-empty; with an empty or missing list no host
     * predicate is set here, so the firewall's default host handling applies.
     *
     * @param hawkbitSecurityProperties source of the allowed host names and ignored paths
     * @return the configured firewall
     */
    @Bean
    public HttpFirewall httpFirewall(HawkbitSecurityProperties hawkbitSecurityProperties) {
        final List<String> allowedHostNames = hawkbitSecurityProperties.getAllowedHostNames();
        final IgnorePathsStrictHttpFirewall firewall = new IgnorePathsStrictHttpFirewall(hawkbitSecurityProperties.getHttpFirewallIgnoredPaths());
        if (CollectionUtils.isEmpty(allowedHostNames)) {
            return firewall;
        }
        firewall.setAllowedHostnames(host -> {
            // Exact, case-sensitive list membership; the client-supplied host is logged at DEBUG.
            final boolean allowed = allowedHostNames.contains(host);
            LOG.debug("Firewall check host: {}, allowed: {}", host, allowed);
            return allowed;
        });
        return firewall;
    }

    /**
     * Builds an authentication manager for the given {@link HttpSecurity} and installs it there.
     *
     * <p>A {@link PreAuthTokenSourceTrustAuthenticationProvider} created from
     * {@code ddiSecurityProperties.getRp().getTrustedIPs()} is added to the builder shared by
     * {@code httpSecurity}.
     * NOTE(review): how a {@code null} or empty trusted-IP list is treated is decided inside the
     * provider — confirm that it does not amount to trusting every source address when
     * header-based controller authentication is in use.
     *
     * @param httpSecurity the builder whose shared {@link AuthenticationManagerBuilder} is used
     * @param ddiSecurityProperties source of the reverse-proxy trusted IP list
     * @return the manager that was built and set on {@code httpSecurity}
     * @throws Exception if the manager cannot be built
     */
    private static AuthenticationManager setAuthenticationManager(HttpSecurity httpSecurity, DdiSecurityProperties ddiSecurityProperties) throws Exception {
        final AuthenticationManagerBuilder builder = httpSecurity.getSharedObject(AuthenticationManagerBuilder.class);
        final AuthenticationManager manager = builder
                .authenticationProvider(new PreAuthTokenSourceTrustAuthenticationProvider(ddiSecurityProperties.getRp().getTrustedIPs()))
                .build();
        httpSecurity.authenticationManager(manager);
        return manager;
    }
}
