package org.apereo.cas.web.security;

import jakarta.servlet.http.HttpServletRequest;
import java.io.File;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;
import lombok.Generated;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.core.monitor.ActuatorEndpointProperties;
import org.apereo.cas.configuration.model.core.monitor.JaasSecurityActuatorEndpointsMonitorProperties;
import org.apereo.cas.util.function.FunctionUtils;
import org.apereo.cas.util.spring.beans.BeanSupplier;
import org.apereo.cas.web.CasWebSecurityConfigurer;
import org.apereo.cas.web.security.authentication.IpAddressAuthorizationManager;
import org.jooq.lambda.Unchecked;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointProperties;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.endpoint.Access;
import org.springframework.boot.actuate.endpoint.web.PathMappedEndpoints;
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.boot.autoconfigure.web.WebProperties;
import org.springframework.context.ApplicationContext;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.jaas.JaasAuthenticationProvider;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.ObjectPostProcessor;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.config.annotation.web.configurers.ChannelSecurityConfigurer;
import org.springframework.security.web.authentication.www.BasicAuthenticationConverter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

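/**
 * Assembles the Spring Security {@link HttpSecurity} chain that guards CAS actuator endpoints
 * and static web resources.
 *
 * <p>In order, {@link #configureHttpSecurity} applies CORS defaults, disables CSRF, response
 * headers and logout handling, demands a secure channel for requests carrying an
 * {@code X-Forwarded-Proto} header, permits every pattern returned by
 * {@link #getAllowedPatternsToIgnore()}, then registers one authorization rule per configured
 * actuator endpoint and access level. Endpoints with no CAS-level configuration fall back to
 * {@code management.endpoint.<id>.access} or to the default endpoint properties. Spring Security
 * evaluates authorization rules in registration order, so the ignore patterns and explicit
 * endpoint rules take precedence over the static-resource rules registered afterwards.
 *
 * <p>This class is decompiled output; the synthetic switch-map holder it carried has been
 * replaced by direct enum switches with identical mappings.
 */
@Order(1000)
public class CasWebSecurityConfigurerAdapter {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(CasWebSecurityConfigurerAdapter.class);

    private final CasConfigurationProperties casProperties;
    private final WebEndpointProperties webEndpointProperties;
    private final ObjectProvider<PathMappedEndpoints> pathMappedEndpoints;
    private final List<CasWebSecurityConfigurer> webSecurityConfigurers;
    private final SecurityContextRepository securityContextRepository;
    private final WebProperties webProperties;

    /**
     * Post-processor installed on every {@link BasicAuthenticationFilter} this adapter registers.
     * It swaps in a converter that refuses to parse an {@code Authorization: Basic} header for
     * requests matching any ignored pattern, so those paths are never authenticated (or
     * challenged) via HTTP Basic even though the filter sits on the chain.
     */
    private final ObjectPostProcessor<BasicAuthenticationFilter> basicAuthFilterPostProcessor = new ObjectPostProcessor<>() {
        @Override
        public <O extends BasicAuthenticationFilter> O postProcess(final O filter) {
            final Set<AntPathRequestMatcher> ignoredMatchers = getAllowedPatternsToIgnore().stream()
                .map(AntPathRequestMatcher::new)
                .collect(Collectors.toSet());
            filter.setAuthenticationConverter(new BasicAuthenticationConverter() {
                @Override
                public UsernamePasswordAuthenticationToken convert(final HttpServletRequest request) {
                    final boolean ignored = ignoredMatchers.stream().anyMatch(matcher -> matcher.matches(request));
                    // null tells the filter there are no credentials to process for this request.
                    return ignored ? null : super.convert(request);
                }
            });
            return filter;
        }
    };

    /**
     * Creates the adapter.
     *
     * @param casProperties             CAS settings; the monitor/endpoint section drives the rules
     * @param webEndpointProperties     actuator web settings; its base path is added to the ignore list
     * @param pathMappedEndpoints       provider of all path-mapped actuator endpoints
     * @param webSecurityConfigurers    additional CAS configurers applied before and after the rules here
     * @param securityContextRepository repository installed on the chain's security context
     * @param webProperties             Spring web settings; {@code file:} static locations are inspected
     */
    @Generated
    public CasWebSecurityConfigurerAdapter(final CasConfigurationProperties casProperties,
                                           final WebEndpointProperties webEndpointProperties,
                                           final ObjectProvider<PathMappedEndpoints> pathMappedEndpoints,
                                           final List<CasWebSecurityConfigurer> webSecurityConfigurers,
                                           final SecurityContextRepository securityContextRepository,
                                           final WebProperties webProperties) {
        this.casProperties = casProperties;
        this.webEndpointProperties = webEndpointProperties;
        this.pathMappedEndpoints = pathMappedEndpoints;
        this.webSecurityConfigurers = webSecurityConfigurers;
        this.securityContextRepository = securityContextRepository;
        this.webProperties = webProperties;
    }

    /**
     * Expands a protocol endpoint into the two Ant patterns used to ignore it.
     *
     * @param endpoint endpoint path, with or without leading/trailing slash
     * @return {@code /<endpoint>**} and {@code <endpoint>/**}
     */
    private static List<String> prepareProtocolEndpoint(final String endpoint) {
        final String withLeadingSlash = StringUtils.prependIfMissing(endpoint, "/").concat("**");
        final String withTrailingSlash = StringUtils.appendIfMissing(endpoint, "/").concat("**");
        return List.of(withLeadingSlash, withTrailingSlash);
    }

    /**
     * Registers a JAAS {@link JaasAuthenticationProvider} built from the given settings.
     *
     * @param http the security builder to register the provider on
     * @param jaas JAAS settings (login config, context name, refresh flag)
     * @throws Exception if the provider fails validation in {@code afterPropertiesSet()}
     */
    public static void configureJaasAuthenticationProvider(final HttpSecurity http,
                                                           final JaasSecurityActuatorEndpointsMonitorProperties jaas) throws Exception {
        final JaasAuthenticationProvider provider = new JaasAuthenticationProvider();
        provider.setLoginConfig(jaas.getLoginConfig());
        provider.setLoginContextName(jaas.getLoginContextName());
        provider.setRefreshConfigurationOnStartup(jaas.isRefreshConfigurationOnStartup());
        provider.afterPropertiesSet();
        http.authenticationProvider(provider);
    }

    /**
     * Hook for {@link WebSecurity} customization; nothing is configured here by default.
     *
     * @param webSecurity the web security builder
     */
    public void configureWebSecurity(final WebSecurity webSecurity) {
    }

    /**
     * Builds the full authorization chain; see the class description for the rule order.
     *
     * @param http               the security builder to configure
     * @param applicationContext used to read {@code management.endpoint.<id>.access} properties
     * @return the same builder, for chaining
     * @throws Exception propagated from Spring Security configurers
     */
    public HttpSecurity configureHttpSecurity(final HttpSecurity http, final ApplicationContext applicationContext) throws Exception {
        // CSRF, security response headers and logout are disabled for this chain; the CAS
        // configurers applied below are expected to own those concerns — NOTE(review): confirm.
        http.cors(Customizer.withDefaults())
            .csrf(csrf -> csrf.disable())
            .headers(headers -> headers.disable())
            .logout(logout -> logout.disable())
            // Only the presence of X-Forwarded-Proto is checked, not its value: any request that
            // arrived through a proxy setting that header must be served over a secure channel.
            .requiresChannel(channel -> channel
                .requestMatchers(request -> request.getHeader("X-Forwarded-Proto") != null)
                .requiresSecure());

        final List<String> allowedPatternsToIgnore = getAllowedPatternsToIgnore();
        LOGGER.debug("Configuring protocol endpoints [{}] to exclude/ignore from http security", allowedPatternsToIgnore);
        final RequestMatcher[] ignoredMatchers = allowedPatternsToIgnore.stream()
            .map(AntPathRequestMatcher::new)
            .toArray(RequestMatcher[]::new);
        // Registered first so ignored paths win over every rule added later.
        http.authorizeHttpRequests(customizer -> customizer.requestMatchers(ignoredMatchers).permitAll());

        activeWebSecurityConfigurers().forEach(Unchecked.consumer(configurer -> configurer.configure(http)));

        // One rule per (endpoint, access level) pair declared in the CAS monitor settings.
        casProperties.getMonitor().getEndpoints().getEndpoint().forEach(Unchecked.biConsumer((endpointId, endpointProperties) -> {
            final EndpointRequest.EndpointRequestMatcher matcher = EndpointRequest.to(endpointId);
            endpointProperties.getAccess().forEach(Unchecked.consumer(level ->
                configureEndpointAccess(http, level, endpointProperties, matcher)));
        }));

        configureEndpointAccessToDenyUndefined(http, applicationContext);
        configureEndpointAccessForStaticResources(http);
        configureEndpointAccessByFormLogin(http);

        final JaasSecurityActuatorEndpointsMonitorProperties jaas = casProperties.getMonitor().getEndpoints().getJaas();
        // JAAS is only wired when a login configuration resource has been supplied.
        FunctionUtils.doIfNotNull(jaas.getLoginConfig(), loginConfig -> configureJaasAuthenticationProvider(http, jaas));

        http.securityContext(context -> context.securityContextRepository(securityContextRepository));
        activeWebSecurityConfigurers().forEach(Unchecked.consumer(configurer -> configurer.finish(http)));
        return http;
    }

    /**
     * Collects every path pattern that bypasses security entirely: the ignored endpoints of all
     * active {@link CasWebSecurityConfigurer}s (expanded by {@link #prepareProtocolEndpoint}),
     * a fixed set of static/UI paths, the actuator base path itself (exact match, no wildcard)
     * and the ignored endpoints from the CAS monitor settings.
     *
     * @return a mutable list of Ant patterns
     */
    protected List<String> getAllowedPatternsToIgnore() {
        // Collectors.toList() makes no mutability guarantee; collect into an ArrayList explicitly
        // because the list is appended to below.
        final List<String> patterns = activeWebSecurityConfigurers().stream()
            .map(CasWebSecurityConfigurer::getIgnoredEndpoints)
            .flatMap(endpoints -> endpoints.stream())
            .map(CasWebSecurityConfigurerAdapter::prepareProtocolEndpoint)
            .flatMap(List::stream)
            .collect(Collectors.toCollection(ArrayList::new));
        patterns.addAll(List.of(
            "/webjars/**",
            "/themes/**",
            "/js/**",
            "/css/**",
            "/images/**",
            "/static/**",
            "/public/**",
            "/error",
            "/favicon.ico",
            "/adminlogin",
            "/"));
        patterns.add(webEndpointProperties.getBasePath());
        patterns.addAll(casProperties.getMonitor().getEndpoints().getIgnoredEndpoints());
        return patterns;
    }

    /**
     * Applies a rule to every path-mapped actuator endpoint that has no entry in the CAS monitor
     * endpoint settings. If {@code management.endpoint.<id>.access} is set, {@code UNRESTRICTED}
     * and {@code READ_ONLY} permit all and {@code NONE} denies all; otherwise the default endpoint
     * properties' access levels are applied. Links (the discovery page) are excluded from the match.
     *
     * @param http               the security builder to configure
     * @param applicationContext source of the {@code management.endpoint.*} properties
     * @throws IllegalArgumentException if the configured access value is not an {@link Access} constant
     */
    protected void configureEndpointAccessToDenyUndefined(final HttpSecurity http, final ApplicationContext applicationContext) {
        final Set<String> explicitlyConfigured = casProperties.getMonitor().getEndpoints().getEndpoint().keySet();
        pathMappedEndpoints.getObject().stream()
            .filter(BeanSupplier::isNotProxy)
            .forEach(Unchecked.consumer(endpoint -> {
                final String rootPath = endpoint.getRootPath();
                if (explicitlyConfigured.contains(rootPath)) {
                    LOGGER.trace("Endpoint security is defined for endpoint [{}]", rootPath);
                    return;
                }
                final EndpointRequest.EndpointRequestMatcher matcher = EndpointRequest.to(rootPath).excludingLinks();
                final String configuredAccess = applicationContext.getEnvironment()
                    .getProperty("management.endpoint.%s.access".formatted(rootPath));
                if (StringUtils.isBlank(configuredAccess)) {
                    final ActuatorEndpointProperties defaults = casProperties.getMonitor().getEndpoints().getDefaultEndpointProperties();
                    LOGGER.trace("Endpoint security is NOT defined for endpoint [{}]. Using default security rules [{}]", rootPath, defaults);
                    defaults.getAccess().forEach(Unchecked.consumer(level -> configureEndpointAccess(http, level, defaults, matcher)));
                    return;
                }
                switch (Access.valueOf(configuredAccess.toUpperCase(Locale.ENGLISH))) {
                    case UNRESTRICTED, READ_ONLY -> configureEndpointAccessPermitAll(http, matcher);
                    case NONE -> configureEndpointAccessToDenyAll(http, matcher);
                    default -> {
                        // Any other access value leaves the endpoint to the remaining rules.
                    }
                }
            }));
    }

    /**
     * Permits Spring Boot's common static-resource locations plus {@code /resources/**},
     * {@code /static/**} and {@code /public/**}. For every configured {@code file:} static
     * location that is an existing directory, each immediate subdirectory is also permitted as
     * {@code /<name>/**}; anything placed in such a subdirectory is therefore publicly reachable.
     *
     * @param http the security builder to configure
     * @throws Exception propagated from Spring Security configurers
     */
    protected void configureEndpointAccessForStaticResources(final HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(customizer -> {
            customizer.requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll();
            customizer.requestMatchers(new AntPathRequestMatcher("/resources/**")).permitAll();
            customizer.requestMatchers(new AntPathRequestMatcher("/static/**")).permitAll();
            customizer.requestMatchers(new AntPathRequestMatcher("/public/**")).permitAll();
            Arrays.stream(webProperties.getResources().getStaticLocations())
                .filter(location -> location.startsWith("file:"))
                .map(location -> new File(StringUtils.remove(location, "file:")))
                .filter(File::isDirectory)
                .forEach(root -> {
                    // listFiles() returns null on I/O failure; treat that as "no subdirectories"
                    // rather than failing the whole security configuration.
                    final File[] subdirectories = root.listFiles(File::isDirectory);
                    if (subdirectories == null) {
                        LOGGER.warn("Unable to list subdirectories of static resource location [{}]", root);
                        return;
                    }
                    final List<File> directories = Arrays.stream(subdirectories).toList();
                    LOGGER.info("Directories to authorize for static public resources are [{}]", directories);
                    directories.forEach(directory ->
                        customizer.requestMatchers(new AntPathRequestMatcher("/" + directory.getName() + "/**")).permitAll());
                });
        });
    }

    /**
     * Enables form login at {@code /adminlogin} when the monitor settings ask for it; otherwise
     * disables form login on the chain.
     *
     * @param http the security builder to configure
     * @throws Exception propagated from Spring Security configurers
     */
    protected void configureEndpointAccessByFormLogin(final HttpSecurity http) throws Exception {
        if (casProperties.getMonitor().getEndpoints().isFormLoginEnabled()) {
            http.formLogin(form -> form.loginPage("/adminlogin"));
        } else {
            http.formLogin(form -> form.disable());
        }
    }

    /**
     * Dispatches a single access level to the matching rule; any level not listed here denies all.
     *
     * @param http               the security builder to configure
     * @param level              access level to apply
     * @param endpointProperties endpoint settings (roles, authorities, IP rules)
     * @param matcher            matcher selecting the endpoint's requests
     * @throws Exception propagated from Spring Security configurers
     */
    protected void configureEndpointAccess(final HttpSecurity http,
                                           final ActuatorEndpointProperties.EndpointAccessLevel level,
                                           final ActuatorEndpointProperties endpointProperties,
                                           final EndpointRequest.EndpointRequestMatcher matcher) throws Exception {
        switch (level) {
            case AUTHORITY -> configureEndpointAccessByAuthority(http, endpointProperties, matcher);
            case ROLE -> configureEndpointAccessByRole(http, endpointProperties, matcher);
            case AUTHENTICATED -> configureEndpointAccessAuthenticated(http, matcher);
            case IP_ADDRESS -> configureEndpointAccessByIpAddress(http, endpointProperties, matcher);
            case PERMIT -> configureEndpointAccessPermitAll(http, matcher);
            case ANONYMOUS -> configureEndpointAccessAnonymously(http, matcher);
            default -> configureEndpointAccessToDenyAll(http, matcher);
        }
    }

    /**
     * Permits all requests selected by the matcher.
     *
     * @param http    the security builder to configure
     * @param matcher matcher selecting the endpoint's requests
     * @throws Exception propagated from Spring Security configurers
     */
    protected void configureEndpointAccessPermitAll(final HttpSecurity http, final EndpointRequest.EndpointRequestMatcher matcher) throws Exception {
        http.authorizeHttpRequests(customizer -> customizer.requestMatchers(matcher).permitAll());
    }

    /**
     * Denies all requests selected by the matcher.
     *
     * @param http    the security builder to configure
     * @param matcher matcher selecting the endpoint's requests
     * @throws Exception propagated from Spring Security configurers
     */
    protected void configureEndpointAccessToDenyAll(final HttpSecurity http, final EndpointRequest.EndpointRequestMatcher matcher) throws Exception {
        http.authorizeHttpRequests(customizer -> customizer.requestMatchers(matcher).denyAll());
    }

    /**
     * Handles the {@code ANONYMOUS} level. Note this is implemented as {@code permitAll()}, so it
     * is effectively identical to {@code PERMIT}: authenticated callers are not turned away.
     *
     * @param http    the security builder to configure
     * @param matcher matcher selecting the endpoint's requests
     * @throws Exception propagated from Spring Security configurers
     */
    protected void configureEndpointAccessAnonymously(final HttpSecurity http, final EndpointRequest.EndpointRequestMatcher matcher) throws Exception {
        http.authorizeHttpRequests(customizer -> customizer.requestMatchers(matcher).permitAll());
    }

    /**
     * Restricts the matched requests by client IP via {@link IpAddressAuthorizationManager}.
     *
     * @param http               the security builder to configure
     * @param endpointProperties endpoint settings consulted by the manager
     * @param matcher            matcher selecting the endpoint's requests
     * @throws Exception propagated from Spring Security configurers
     */
    protected void configureEndpointAccessByIpAddress(final HttpSecurity http,
                                                      final ActuatorEndpointProperties endpointProperties,
                                                      final EndpointRequest.EndpointRequestMatcher matcher) throws Exception {
        http.authorizeHttpRequests(customizer -> customizer.requestMatchers(matcher)
            .access(new IpAddressAuthorizationManager(casProperties, endpointProperties)));
    }

    /**
     * Requires any authenticated principal and enables HTTP Basic with the ignore-aware converter.
     *
     * @param http    the security builder to configure
     * @param matcher matcher selecting the endpoint's requests
     * @throws Exception propagated from Spring Security configurers
     */
    protected void configureEndpointAccessAuthenticated(final HttpSecurity http, final EndpointRequest.EndpointRequestMatcher matcher) throws Exception {
        http.authorizeHttpRequests(customizer -> customizer.requestMatchers(matcher).authenticated())
            .httpBasic(basic -> basic.addObjectPostProcessor(basicAuthFilterPostProcessor));
    }

    /**
     * Requires any of the endpoint's configured roles and enables HTTP Basic with the
     * ignore-aware converter.
     *
     * @param http               the security builder to configure
     * @param endpointProperties endpoint settings providing the required roles
     * @param matcher            matcher selecting the endpoint's requests
     * @throws Exception propagated from Spring Security configurers
     */
    protected void configureEndpointAccessByRole(final HttpSecurity http,
                                                 final ActuatorEndpointProperties endpointProperties,
                                                 final EndpointRequest.EndpointRequestMatcher matcher) throws Exception {
        final String[] roles = endpointProperties.getRequiredRoles().toArray(ArrayUtils.EMPTY_STRING_ARRAY);
        http.authorizeHttpRequests(customizer -> customizer.requestMatchers(matcher).hasAnyRole(roles))
            .httpBasic(basic -> basic.addObjectPostProcessor(basicAuthFilterPostProcessor));
    }

    /**
     * Requires any of the endpoint's configured authorities and enables HTTP Basic with the
     * ignore-aware converter.
     *
     * @param http               the security builder to configure
     * @param endpointProperties endpoint settings providing the required authorities
     * @param matcher            matcher selecting the endpoint's requests
     * @throws Exception propagated from Spring Security configurers
     */
    protected void configureEndpointAccessByAuthority(final HttpSecurity http,
                                                      final ActuatorEndpointProperties endpointProperties,
                                                      final EndpointRequest.EndpointRequestMatcher matcher) throws Exception {
        final String[] authorities = endpointProperties.getRequiredAuthorities().toArray(ArrayUtils.EMPTY_STRING_ARRAY);
        http.authorizeHttpRequests(customizer -> customizer.requestMatchers(matcher).hasAnyAuthority(authorities))
            .httpBasic(basic -> basic.addObjectPostProcessor(basicAuthFilterPostProcessor));
    }

    /**
     * Returns the configurers that are real beans, skipping proxies as {@link BeanSupplier#isNotProxy} decides.
     */
    private List<CasWebSecurityConfigurer> activeWebSecurityConfigurers() {
        return webSecurityConfigurers.stream().filter(BeanSupplier::isNotProxy).toList();
    }
}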
