package org.apereo.cas.web.security;

import com.google.common.net.HttpHeaders;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import lombok.Generated;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.support.password.PasswordEncoderUtils;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.core.monitor.ActuatorEndpointProperties;
import org.apereo.cas.configuration.model.core.monitor.MonitorProperties;
import org.apereo.cas.configuration.model.support.ldap.LdapAuthorizationProperties;
import org.apereo.cas.configuration.support.JpaBeans;
import org.apereo.cas.web.security.authentication.MonitorEndpointLdapAuthenticationProvider;
import org.jooq.lambda.Unchecked;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointProperties;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.endpoint.web.PathMappedEndpoints;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.jaas.JaasAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.provisioning.JdbcUserDetailsManagerConfigurer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;

/* loaded from: input_file:WEB-INF/lib/cas-server-webapp-config-6.0.4.jar:org/apereo/cas/web/security/CasWebSecurityConfigurerAdapter.class */
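/**
 * Spring Security configuration for the CAS actuator endpoints.
 *
 * <p>Every endpoint listed under the monitor endpoint properties receives one authorization rule per
 * configured {@link ActuatorEndpointProperties.EndpointAccessLevel}; endpoints that are mapped by
 * Spring Boot but not listed fall back to the default endpoint properties. Authentication for the
 * basic-auth / form-login access levels can come from a JAAS login configuration, an LDAP directory
 * or a JDBC user query, depending on which of the monitor security blocks is populated. If none of
 * them is, the adapter defers to the parent configuration (Spring Boot's default user).
 *
 * <p>Note that CSRF protection, the default response security headers and logout handling are
 * disabled for the requests handled by this adapter (see {@link #configure(HttpSecurity)}).
 */
public class CasWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(CasWebSecurityConfigurerAdapter.class);
    /** Path of the form-login page used by the authority/role/authenticated access levels. */
    public static final String ENDPOINT_URL_ADMIN_FORM_LOGIN = "/adminlogin";
    private final CasConfigurationProperties casProperties;
    private final SecurityProperties securityProperties;
    private final WebEndpointProperties webEndpointProperties;
    private final PathMappedEndpoints pathMappedEndpoints;

    /**
     * Builds the authorization rules for the actuator endpoints.
     *
     * <p>Rules are registered in this order: explicitly configured endpoints first, then the default
     * rule for every mapped-but-unconfigured endpoint, then the permit-all rule for static resources.
     * Spring Security applies the first matching rule, so explicit endpoint settings win over the
     * default.
     *
     * @param httpSecurity the security builder to configure
     * @throws Exception if any of the underlying configurers fails
     */
    @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        // CSRF, default security headers and logout handling are switched off for the endpoints
        // covered here; they are accessed with basic auth, IP rules or the admin form login.
        httpSecurity.csrf().disable()
            .headers().disable()
            .logout().disable()
            .requiresChannel()
            // Any request carrying X-Forwarded-Proto must be secure. This only carries meaning
            // when a trusted reverse proxy sets the header and strips client-supplied copies
            // of it — NOTE(review): confirm that assumption in the deployment.
            .requestMatchers(request -> request.getHeader(HttpHeaders.X_FORWARDED_PROTO) != null)
            .requiresSecure();

        ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry = httpSecurity.authorizeRequests();
        this.casProperties.getMonitor().getEndpoints().getEndpoint().forEach(Unchecked.biConsumer((endpointId, endpointProperties) -> {
            EndpointRequest.EndpointRequestMatcher matcher = EndpointRequest.to(endpointId);
            endpointProperties.getAccess().forEach(Unchecked.consumer(accessLevel -> {
                configureEndpointAccess(httpSecurity, registry, accessLevel, endpointProperties, matcher);
            }));
        }));
        configureEndpointAccessToDenyUndefined(httpSecurity, registry);
        configureEndpointAccessForStaticResources(registry);
    }

    /**
     * Registers the authentication providers used to protect the endpoints.
     *
     * <p>JAAS, LDAP and JDBC are each registered only when their monitor security block is populated;
     * when no provider was registered at all, the parent implementation is invoked so Spring Boot's
     * default user (from {@link SecurityProperties}) remains available.
     *
     * @param authenticationManagerBuilder the builder that collects the providers
     * @throws Exception if a provider cannot be initialized
     */
    @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
    public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        MonitorProperties.Endpoints.JaasSecurity jaas = this.casProperties.getMonitor().getEndpoints().getJaas();
        if (jaas.getLoginConfig() != null) {
            configureJaasAuthenticationProvider(authenticationManagerBuilder, jaas);
        }
        MonitorProperties.Endpoints.LdapSecurity ldap = this.casProperties.getMonitor().getEndpoints().getLdap();
        if (StringUtils.isNotBlank(ldap.getLdapUrl()) && StringUtils.isNotBlank(ldap.getSearchFilter())) {
            configureLdapAuthenticationProvider(authenticationManagerBuilder, ldap);
        }
        MonitorProperties.Endpoints.JdbcSecurity jdbc = this.casProperties.getMonitor().getEndpoints().getJdbc();
        if (StringUtils.isNotBlank(jdbc.getQuery())) {
            configureJdbcAuthenticationProvider(authenticationManagerBuilder, jdbc);
        }
        if (!authenticationManagerBuilder.isConfigured()) {
            super.configure(authenticationManagerBuilder);
        }
    }

    /**
     * Applies the default endpoint properties to every mapped actuator endpoint that has no explicit
     * security configuration.
     *
     * <p>Despite the method name, the rule applied is whatever the default endpoint properties
     * specify; links ({@code excludingLinks()}) are left out of the matcher.
     *
     * @param httpSecurity                  the security builder
     * @param expressionInterceptUrlRegistry the registry receiving the rules
     */
    protected void configureEndpointAccessToDenyUndefined(HttpSecurity httpSecurity, ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry expressionInterceptUrlRegistry) {
        Set<String> configuredEndpoints = this.casProperties.getMonitor().getEndpoints().getEndpoint().keySet();
        ActuatorEndpointProperties defaults = this.casProperties.getMonitor().getEndpoints().getDefaultEndpointProperties();
        this.pathMappedEndpoints.forEach(mappedEndpoint -> {
            String rootPath = mappedEndpoint.getRootPath();
            if (configuredEndpoints.contains(rootPath)) {
                LOGGER.trace("Endpoint security is defined for endpoint [{}]", rootPath);
                return;
            }
            List<ActuatorEndpointProperties.EndpointAccessLevel> defaultAccess = defaults.getAccess();
            LOGGER.debug("Endpoint security is NOT defined for endpoint [{}]. Using default security rules [{}]", rootPath, defaults);
            EndpointRequest.EndpointRequestMatcher matcher = EndpointRequest.to(rootPath).excludingLinks();
            defaultAccess.forEach(Unchecked.consumer(accessLevel -> {
                configureEndpointAccess(httpSecurity, expressionInterceptUrlRegistry, accessLevel, defaults, matcher);
            }));
        });
    }

    /**
     * Registers JDBC-backed authentication using the configured user query, role prefix, data source
     * and password encoder.
     *
     * @param authenticationManagerBuilder the builder receiving the configuration
     * @param jdbcSecurity                 JDBC settings from the monitor properties
     * @throws Exception if the JDBC configurer fails
     */
    protected void configureJdbcAuthenticationProvider(AuthenticationManagerBuilder authenticationManagerBuilder, MonitorProperties.Endpoints.JdbcSecurity jdbcSecurity) throws Exception {
        JdbcUserDetailsManagerConfigurer<AuthenticationManagerBuilder> jdbcAuthentication = authenticationManagerBuilder.jdbcAuthentication();
        jdbcAuthentication.usersByUsernameQuery(jdbcSecurity.getQuery());
        jdbcAuthentication.rolePrefix(jdbcSecurity.getRolePrefix());
        jdbcAuthentication.dataSource(JpaBeans.newDataSource(jdbcSecurity));
        // The encoder is chosen from the configured password-encoder settings; which algorithm is
        // used is decided inside PasswordEncoderUtils.
        jdbcAuthentication.passwordEncoder(PasswordEncoderUtils.newPasswordEncoder(jdbcSecurity.getPasswordEncoder()));
    }

    /**
     * Registers the LDAP authentication provider, but only when the LDAP authorization settings
     * (base DN plus a role or group attribute) are complete; otherwise a warning is logged and
     * nothing is registered.
     *
     * @param authenticationManagerBuilder the builder receiving the provider
     * @param ldapSecurity                 LDAP settings from the monitor properties
     */
    protected void configureLdapAuthenticationProvider(AuthenticationManagerBuilder authenticationManagerBuilder, MonitorProperties.Endpoints.LdapSecurity ldapSecurity) {
        if (isLdapAuthorizationActive()) {
            authenticationManagerBuilder.authenticationProvider(new MonitorEndpointLdapAuthenticationProvider(ldapSecurity, this.securityProperties));
        } else {
            // Without this warning a partially configured LDAP block silently falls back to the
            // parent configuration, which is easy to miss when reviewing endpoint security.
            LOGGER.warn("LDAP URL and search filter are defined for endpoint security, but the base DN or the role/group attribute is missing; no LDAP authentication provider will be registered");
        }
    }

    /**
     * Registers a JAAS authentication provider built from the configured login configuration.
     *
     * @param authenticationManagerBuilder the builder receiving the provider
     * @param jaasSecurity                 JAAS settings from the monitor properties
     * @throws Exception if the provider fails its initialization
     */
    protected void configureJaasAuthenticationProvider(AuthenticationManagerBuilder authenticationManagerBuilder, MonitorProperties.Endpoints.JaasSecurity jaasSecurity) throws Exception {
        JaasAuthenticationProvider provider = new JaasAuthenticationProvider();
        provider.setLoginConfig(jaasSecurity.getLoginConfig());
        provider.setLoginContextName(jaasSecurity.getLoginContextName());
        provider.setRefreshConfigurationOnStartup(jaasSecurity.isRefreshConfigurationOnStartup());
        provider.afterPropertiesSet();
        authenticationManagerBuilder.authenticationProvider(provider);
    }

    /**
     * Permits unauthenticated access to static resources at the common Spring Boot locations as well
     * as {@code /resources/**} and {@code /static/**}.
     *
     * @param expressionInterceptUrlRegistry the registry receiving the rules
     */
    protected void configureEndpointAccessForStaticResources(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry expressionInterceptUrlRegistry) {
        expressionInterceptUrlRegistry.requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll();
        expressionInterceptUrlRegistry.antMatchers("/resources/**").permitAll().antMatchers("/static/**").permitAll();
    }

    /**
     * Enables the admin form login page and permits access to it. Invoked once per endpoint that
     * requires an authenticated user; re-invocation is expected to reuse the same form-login
     * configurer.
     *
     * @param expressionInterceptUrlRegistry the registry whose builder is configured
     * @throws Exception if the form-login configurer fails
     */
    protected void configureEndpointAccessByFormLogin(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry expressionInterceptUrlRegistry) throws Exception {
        expressionInterceptUrlRegistry.and().formLogin().loginPage(ENDPOINT_URL_ADMIN_FORM_LOGIN).permitAll();
    }

    /**
     * Dispatches to the rule builder for a single access level of a single endpoint.
     *
     * <p>Unknown access levels are treated like {@code DENY}, so the endpoint fails closed.
     *
     * @param httpSecurity                  the security builder
     * @param expressionInterceptUrlRegistry the registry receiving the rule
     * @param endpointAccessLevel           the access level to apply
     * @param actuatorEndpointProperties    the endpoint's security properties (roles, authorities, IPs)
     * @param endpointRequestMatcher        matcher selecting the endpoint's requests
     * @throws Exception if a configurer fails
     */
    protected void configureEndpointAccess(HttpSecurity httpSecurity, ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry expressionInterceptUrlRegistry, ActuatorEndpointProperties.EndpointAccessLevel endpointAccessLevel, ActuatorEndpointProperties actuatorEndpointProperties, EndpointRequest.EndpointRequestMatcher endpointRequestMatcher) throws Exception {
        switch (endpointAccessLevel) {
            case AUTHORITY:
                configureEndpointAccessByAuthority(expressionInterceptUrlRegistry, actuatorEndpointProperties, endpointRequestMatcher);
                configureEndpointAccessByFormLogin(expressionInterceptUrlRegistry);
                break;
            case ROLE:
                configureEndpointAccessByRole(expressionInterceptUrlRegistry, actuatorEndpointProperties, endpointRequestMatcher);
                configureEndpointAccessByFormLogin(expressionInterceptUrlRegistry);
                break;
            case AUTHENTICATED:
                configureEndpointAccessAuthenticated(expressionInterceptUrlRegistry, endpointRequestMatcher);
                configureEndpointAccessByFormLogin(expressionInterceptUrlRegistry);
                break;
            case IP_ADDRESS:
                configureEndpointAccessByIpAddress(expressionInterceptUrlRegistry, actuatorEndpointProperties, endpointRequestMatcher);
                break;
            case PERMIT:
                configureEndpointAccessPermitAll(expressionInterceptUrlRegistry, endpointRequestMatcher);
                break;
            case ANONYMOUS:
                configureEndpointAccessAnonymously(expressionInterceptUrlRegistry, endpointRequestMatcher);
                break;
            case DENY:
            default:
                // Fail closed: anything not explicitly handled above is denied.
                configureEndpointAccessToDenyAll(expressionInterceptUrlRegistry, endpointRequestMatcher);
                break;
        }
    }

    /** Permits every request to the matched endpoint. */
    private void configureEndpointAccessPermitAll(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry expressionInterceptUrlRegistry, EndpointRequest.EndpointRequestMatcher endpointRequestMatcher) {
        expressionInterceptUrlRegistry.requestMatchers(endpointRequestMatcher).permitAll();
    }

    /** Denies every request to the matched endpoint. */
    private void configureEndpointAccessToDenyAll(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry expressionInterceptUrlRegistry, EndpointRequest.EndpointRequestMatcher endpointRequestMatcher) {
        expressionInterceptUrlRegistry.requestMatchers(endpointRequestMatcher).denyAll();
    }

    /** Allows only anonymous (not authenticated) requests to the matched endpoint. */
    private void configureEndpointAccessAnonymously(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry expressionInterceptUrlRegistry, EndpointRequest.EndpointRequestMatcher endpointRequestMatcher) {
        expressionInterceptUrlRegistry.requestMatchers(endpointRequestMatcher).anonymous();
    }

    /**
     * Restricts the matched endpoint to the configured client IP addresses.
     *
     * <p>The addresses are joined into a single SpEL expression ({@code hasIpAddress('a') or
     * hasIpAddress('b')}). They come from CAS configuration, not from the request, but a value
     * containing a quote would still break the expression. An empty address list denies the
     * endpoint outright instead of producing an empty expression.
     */
    private void configureEndpointAccessByIpAddress(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry expressionInterceptUrlRegistry, ActuatorEndpointProperties actuatorEndpointProperties, EndpointRequest.EndpointRequestMatcher endpointRequestMatcher) {
        if (actuatorEndpointProperties.getRequiredIpAddresses() == null || actuatorEndpointProperties.getRequiredIpAddresses().isEmpty()) {
            LOGGER.warn("Endpoint access level IP_ADDRESS is configured without any required IP addresses; denying all access to the endpoint");
            expressionInterceptUrlRegistry.requestMatchers(endpointRequestMatcher).denyAll();
            return;
        }
        String expression = actuatorEndpointProperties.getRequiredIpAddresses().stream()
            .map(address -> "hasIpAddress('" + address + "')")
            .collect(Collectors.joining(" or "));
        expressionInterceptUrlRegistry.requestMatchers(endpointRequestMatcher).access(expression);
    }

    /** Requires an authenticated user for the matched endpoint and enables HTTP basic authentication. */
    private void configureEndpointAccessAuthenticated(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry expressionInterceptUrlRegistry, EndpointRequest.EndpointRequestMatcher endpointRequestMatcher) throws Exception {
        expressionInterceptUrlRegistry.requestMatchers(endpointRequestMatcher).authenticated().and().httpBasic();
    }

    /**
     * Requires one of the configured roles for the matched endpoint and enables HTTP basic
     * authentication. With no roles configured, {@code hasAnyRole()} is expected to match nobody.
     */
    private void configureEndpointAccessByRole(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry expressionInterceptUrlRegistry, ActuatorEndpointProperties actuatorEndpointProperties, EndpointRequest.EndpointRequestMatcher endpointRequestMatcher) throws Exception {
        String[] roles = actuatorEndpointProperties.getRequiredRoles().toArray(ArrayUtils.EMPTY_STRING_ARRAY);
        expressionInterceptUrlRegistry.requestMatchers(endpointRequestMatcher).hasAnyRole(roles).and().httpBasic();
    }

    /**
     * Requires one of the configured authorities for the matched endpoint and enables HTTP basic
     * authentication. With no authorities configured, {@code hasAnyAuthority()} is expected to match nobody.
     */
    private void configureEndpointAccessByAuthority(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry expressionInterceptUrlRegistry, ActuatorEndpointProperties actuatorEndpointProperties, EndpointRequest.EndpointRequestMatcher endpointRequestMatcher) throws Exception {
        String[] authorities = actuatorEndpointProperties.getRequiredAuthorities().toArray(ArrayUtils.EMPTY_STRING_ARRAY);
        expressionInterceptUrlRegistry.requestMatchers(endpointRequestMatcher).hasAnyAuthority(authorities).and().httpBasic();
    }

    /**
     * Whether the LDAP settings are complete enough to both authenticate and authorize: URL, base DN
     * and search filter must be present, plus either a role attribute or a group attribute.
     *
     * @return {@code true} when the LDAP provider can be registered
     */
    private boolean isLdapAuthorizationActive() {
        MonitorProperties.Endpoints.LdapSecurity ldap = this.casProperties.getMonitor().getEndpoints().getLdap();
        LdapAuthorizationProperties ldapAuthz = ldap.getLdapAuthz();
        boolean connectionDefined = StringUtils.isNotBlank(ldap.getBaseDn())
            && StringUtils.isNotBlank(ldap.getLdapUrl())
            && StringUtils.isNotBlank(ldap.getSearchFilter());
        boolean authorizationDefined = StringUtils.isNotBlank(ldapAuthz.getRoleAttribute())
            || StringUtils.isNotBlank(ldapAuthz.getGroupAttribute());
        return connectionDefined && authorizationDefined;
    }

    /**
     * Creates the adapter.
     *
     * @param casConfigurationProperties CAS configuration (monitor endpoint security is read from it)
     * @param securityProperties         Spring Boot security properties, passed on to the LDAP provider
     * @param webEndpointProperties      actuator web endpoint properties (retained, not used here)
     * @param pathMappedEndpoints        the actuator endpoints mapped by Spring Boot
     */
    @Generated
    public CasWebSecurityConfigurerAdapter(CasConfigurationProperties casConfigurationProperties, SecurityProperties securityProperties, WebEndpointProperties webEndpointProperties, PathMappedEndpoints pathMappedEndpoints) {
        this.casProperties = casConfigurationProperties;
        this.securityProperties = securityProperties;
        this.webEndpointProperties = webEndpointProperties;
        this.pathMappedEndpoints = pathMappedEndpoints;
    }
}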
