package org.apache.nifi.web.security.configuration;

import java.util.List;
import java.util.stream.Collectors;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.web.security.StandardAuthenticationEntryPoint;
import org.apache.nifi.web.security.anonymous.NiFiAnonymousAuthenticationFilter;
import org.apache.nifi.web.security.csrf.CsrfCookieFilter;
import org.apache.nifi.web.security.csrf.CsrfCookieRequestMatcher;
import org.apache.nifi.web.security.csrf.SkipReplicatedCsrfFilter;
import org.apache.nifi.web.security.csrf.StandardCookieCsrfTokenRepository;
import org.apache.nifi.web.security.csrf.StandardCsrfTokenRequestAttributeHandler;
import org.apache.nifi.web.security.log.AuthenticationUserFilter;
import org.apache.nifi.web.security.oidc.client.web.OidcBearerTokenRefreshFilter;
import org.apache.nifi.web.security.oidc.logout.OidcLogoutFilter;
import org.apache.nifi.web.security.saml2.web.authentication.logout.Saml2LocalLogoutFilter;
import org.apache.nifi.web.security.saml2.web.authentication.logout.Saml2SingleLogoutFilter;
import org.apache.nifi.web.security.x509.X509AuthenticationFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationCodeGrantFilter;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
import org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter;
import org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter;
import org.springframework.security.saml2.provider.service.web.Saml2MetadataFilter;
import org.springframework.security.saml2.provider.service.web.Saml2WebSsoAuthenticationRequestFilter;
import org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestFilter;
import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutResponseFilter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.ExceptionTranslationFilter;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatchers;

/**
 * Spring Security configuration that exposes the application {@link AuthenticationManager} and the
 * {@link SecurityFilterChain} guarding the web API.
 *
 * <p>The chain applies to every request except those matching {@code UNFILTERED_PATHS}, requires an
 * authenticated caller for anything it handles, and registers the X.509, bearer-token, SAML 2 and
 * OIDC filters according to {@link NiFiProperties}.
 */
@Configuration
@EnableWebSecurity
@EnableMethodSecurity
@Import({AuthenticationSecurityConfiguration.class})
public class WebSecurityConfiguration {
    /**
     * Ant-style path patterns excluded from the filter chain. Requests matching one of these
     * patterns pass through none of the authentication, CSRF or authorization filters configured in
     * {@link #securityFilterChain}.
     */
    // NOTE(review): whatever serves these paths has to enforce its own access rules; confirm that
    // before adding an entry here.
    private static final List<String> UNFILTERED_PATHS = List.of(
            "/access/token",
            "/access/logout/complete",
            "/authentication/configuration");

    /** Matches a request when any of the {@code UNFILTERED_PATHS} patterns matches it. */
    private static final RequestMatcher UNFILTERED_PATHS_REQUEST_MATCHER = new OrRequestMatcher(
            UNFILTERED_PATHS.stream()
                    .<RequestMatcher>map(AntPathRequestMatcher::new)
                    .collect(Collectors.toList()));

    /**
     * Builds the authentication manager from the configured providers.
     *
     * @param list authentication providers handed to the {@link ProviderManager}
     * @return provider manager delegating to the supplied providers
     */
    @Bean
    public AuthenticationManager authenticationManager(List<AuthenticationProvider> list) {
        final ProviderManager providerManager = new ProviderManager(list);
        return providerManager;
    }

    /**
     * Assembles the security filter chain.
     *
     * <p>The relative order of the {@code addFilterBefore}/{@code addFilterAfter} calls is
     * significant: filters registered against the same reference filter keep their registration
     * order, so statements in this method should not be reordered casually.
     *
     * @return the built filter chain
     * @throws Exception if configuring or building {@link HttpSecurity} fails
     */
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity, NiFiProperties niFiProperties, StandardAuthenticationEntryPoint standardAuthenticationEntryPoint, X509AuthenticationFilter x509AuthenticationFilter, BearerTokenAuthenticationFilter bearerTokenAuthenticationFilter, NiFiAnonymousAuthenticationFilter niFiAnonymousAuthenticationFilter, OAuth2LoginAuthenticationFilter oAuth2LoginAuthenticationFilter, OAuth2AuthorizationCodeGrantFilter oAuth2AuthorizationCodeGrantFilter, OAuth2AuthorizationRequestRedirectFilter oAuth2AuthorizationRequestRedirectFilter, OidcBearerTokenRefreshFilter oidcBearerTokenRefreshFilter, OidcLogoutFilter oidcLogoutFilter, Saml2WebSsoAuthenticationFilter saml2WebSsoAuthenticationFilter, Saml2WebSsoAuthenticationRequestFilter saml2WebSsoAuthenticationRequestFilter, Saml2MetadataFilter saml2MetadataFilter, Saml2LogoutRequestFilter saml2LogoutRequestFilter, Saml2LogoutResponseFilter saml2LogoutResponseFilter, Saml2SingleLogoutFilter saml2SingleLogoutFilter, Saml2LocalLogoutFilter saml2LocalLogoutFilter) throws Exception {
        // Built-in configurers switched off. With securityContext and sessionManagement disabled,
        // Spring Security keeps no authenticated context between requests in this chain, so every
        // request has to be authenticated by one of the filters registered below.
        httpSecurity.logout(logout -> logout.disable());
        httpSecurity.rememberMe(rememberMe -> rememberMe.disable());
        httpSecurity.requestCache(requestCache -> requestCache.disable());
        httpSecurity.servletApi(servletApi -> servletApi.disable());
        httpSecurity.securityContext(securityContext -> securityContext.disable());
        httpSecurity.sessionManagement(sessionManagement -> sessionManagement.disable());
        // NOTE(review): disabling headers() means this chain writes none of Spring Security's
        // default response headers; presumably they are set elsewhere in the application - confirm.
        httpSecurity.headers(headers -> headers.disable());

        // The chain handles everything except the unfiltered paths, and demands authentication for
        // every request it handles.
        httpSecurity.securityMatchers(matchers ->
                matchers.requestMatchers(RequestMatchers.not(UNFILTERED_PATHS_REQUEST_MATCHER)));
        httpSecurity.authorizeHttpRequests(requests -> requests.anyRequest().authenticated());

        // CSRF: the token lives in a cookie repository, and protection is required only when both
        // Spring's default matcher (methods other than GET, HEAD, TRACE and OPTIONS) and
        // CsrfCookieRequestMatcher match.
        // NOTE(review): CsrfCookieRequestMatcher and SkipReplicatedCsrfFilter are defined elsewhere;
        // which requests they exempt from CSRF checks should be confirmed against those classes.
        httpSecurity.addFilterBefore(new SkipReplicatedCsrfFilter(), CsrfFilter.class);
        httpSecurity.addFilterAfter(new CsrfCookieFilter(), BasicAuthenticationFilter.class);
        httpSecurity.csrf(csrf -> {
            final RequestMatcher csrfRequired = new AndRequestMatcher(
                    CsrfFilter.DEFAULT_CSRF_MATCHER,
                    new CsrfCookieRequestMatcher());
            csrf.csrfTokenRepository(new StandardCookieCsrfTokenRepository())
                    .requireCsrfProtectionMatcher(csrfRequired)
                    .csrfTokenRequestHandler(new StandardCsrfTokenRequestAttributeHandler());
        });

        // Unauthenticated requests are answered by the application's own entry point.
        httpSecurity.exceptionHandling(exceptions ->
                exceptions.authenticationEntryPoint(standardAuthenticationEntryPoint));

        // Credential-based authentication runs ahead of the anonymous filter slot.
        httpSecurity.addFilterBefore(x509AuthenticationFilter, AnonymousAuthenticationFilter.class);
        httpSecurity.addFilterBefore(bearerTokenAuthenticationFilter, AnonymousAuthenticationFilter.class);
        httpSecurity.addFilterBefore(new AuthenticationUserFilter(), ExceptionTranslationFilter.class);

        // Anonymous access is wired in only when explicitly allowed or when HTTP is enabled.
        // NOTE(review): the HTTP-enabled branch grants the anonymous filter regardless of the
        // anonymous-authentication property; confirm this is intended for every deployment mode.
        if (niFiProperties.isAnonymousAuthenticationAllowed().booleanValue() || niFiProperties.isHttpEnabled()) {
            httpSecurity.addFilterAfter(niFiAnonymousAuthenticationFilter, AnonymousAuthenticationFilter.class);
        }

        if (niFiProperties.isSamlEnabled()) {
            // SAML login filters sit with the other authentication filters; the metadata and
            // logout filters are placed ahead of the CSRF filter.
            httpSecurity.addFilterBefore(saml2WebSsoAuthenticationFilter, AnonymousAuthenticationFilter.class);
            httpSecurity.addFilterBefore(saml2WebSsoAuthenticationRequestFilter, AnonymousAuthenticationFilter.class);
            httpSecurity.addFilterBefore(saml2MetadataFilter, CsrfFilter.class);
            httpSecurity.addFilterBefore(saml2LocalLogoutFilter, CsrfFilter.class);

            if (niFiProperties.isSamlSingleLogoutEnabled()) {
                httpSecurity.addFilterBefore(saml2SingleLogoutFilter, CsrfFilter.class);
                httpSecurity.addFilterBefore(saml2LogoutRequestFilter, CsrfFilter.class);
                httpSecurity.addFilterBefore(saml2LogoutResponseFilter, CsrfFilter.class);
            }
        }

        if (niFiProperties.isOidcEnabled()) {
            // OIDC login, code-grant, redirect and token-refresh filters precede the anonymous
            // filter slot; the OIDC logout filter is placed ahead of the CSRF filter.
            httpSecurity.addFilterBefore(oAuth2LoginAuthenticationFilter, AnonymousAuthenticationFilter.class);
            httpSecurity.addFilterBefore(oAuth2AuthorizationCodeGrantFilter, AnonymousAuthenticationFilter.class);
            httpSecurity.addFilterBefore(oAuth2AuthorizationRequestRedirectFilter, AnonymousAuthenticationFilter.class);
            httpSecurity.addFilterBefore(oidcBearerTokenRefreshFilter, AnonymousAuthenticationFilter.class);
            httpSecurity.addFilterBefore(oidcLogoutFilter, CsrfFilter.class);
        }

        return httpSecurity.build();
    }
}
