package net.oneandone.stool.overview.config;

import java.io.IOException;
import net.oneandone.stool.Overview;
import net.oneandone.stool.stage.Stage;
import net.oneandone.stool.util.Session;
import org.jasig.cas.client.validation.Cas20ServiceTicketValidator;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.authentication.CasAuthenticationProvider;
import org.springframework.security.cas.web.CasAuthenticationEntryPoint;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
import org.springframework.security.ldap.userdetails.InetOrgPersonContextMapper;
import org.springframework.security.ldap.userdetails.LdapUserDetailsService;

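/**
 * Spring Security wiring for the Stool overview web application.
 *
 * <p>Authentication is delegated to a CAS single-sign-on server
 * ({@code session.configuration.ldapSso}); once a service ticket has been validated,
 * the user's details and roles are looked up in LDAP ({@code session.configuration.ldapUrl}).
 * When no LDAP url is configured the whole site is served to anonymous users instead.
 *
 * <p>Decompiled class; original marker:
 * loaded from: input_file:net/oneandone/stool/overview/config/SecurityConfiguration.class
 */
@EnableWebSecurity
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    /** Supplies the stool configuration (sso url, ldap url and bind credentials) and stage loading. */
    @Autowired
    private Session session;

    /**
     * Registers the CAS authentication provider: tickets are validated against the sso server
     * and the authenticated user name is resolved through {@link #userDetailsService()}.
     *
     * @param authenticationManagerBuilder builder the provider is added to
     * @throws Exception propagated from {@link #serviceProperties()} (loading the overview stage)
     */
    @Override
    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        CasAuthenticationProvider provider = new CasAuthenticationProvider();
        provider.setServiceProperties(serviceProperties());
        // CAS 2.0 protocol validation of service tickets against the configured sso server
        provider.setTicketValidator(new Cas20ServiceTicketValidator(this.session.configuration.ldapSso));
        // key that identifies tokens produced by this provider (required by CasAuthenticationProvider)
        provider.setKey("cas");
        // after ticket validation, load the user (and its roles) from ldap by the asserted user name
        provider.setAuthenticationUserDetailsService(new UserDetailsByNameServiceWrapper(userDetailsService()));
        authenticationManagerBuilder.authenticationProvider(provider);
    }

    /**
     * Paths excluded from the security filter chain altogether: static resources (path spelled
     * {@code /ressources} as deployed), the favicon and the system page. No security filter runs
     * for these requests, so they are served without authentication.
     *
     * @param webSecurity web security builder to register the ignored paths with
     * @throws Exception declared by the adapter's contract
     */
    @Override
    public void configure(WebSecurity webSecurity) throws Exception {
        webSecurity.ignoring().antMatchers("/ressources/**", "/favicon.ico", "/system");
    }

    /**
     * Http security: CAS filter and entry point, and the url authorization rules.
     *
     * <p>With an ldap url configured, {@code /whoami} requires a fully authenticated user and
     * everything else the {@code LOGIN} role; without one, every request is served as anonymous.
     *
     * @param httpSecurity http security builder to configure
     * @throws Exception propagated from {@link #authenticationManager()} and {@link #serviceProperties()}
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        CasAuthenticationFilter casFilter = new CasAuthenticationFilter();
        casFilter.setAuthenticationManager(authenticationManager());

        CasAuthenticationEntryPoint entryPoint = new CasAuthenticationEntryPoint();
        // unauthenticated requests are redirected to the sso login page
        entryPoint.setLoginUrl(this.session.configuration.ldapSso + "/login/");
        entryPoint.setServiceProperties(serviceProperties());

        // NOTE(review): csrf protection is switched off for the whole application, not only for
        // the CAS ticket callback; any state-changing form or ajax endpoint of the overview is
        // therefore not protected against cross-site requests — confirm this is intended.
        httpSecurity
            .csrf().disable()
            .exceptionHandling().authenticationEntryPoint(entryPoint)
            .and()
            .addFilter(casFilter);

        if (this.session.configuration.ldapUrl.isEmpty()) {
            // no ldap configured: the whole site is open, requests carry the anonymous role only
            httpSecurity.authorizeRequests().antMatchers("/**").hasRole("ANONYMOUS");
        } else {
            // /whoami: fully authenticated (neither anonymous nor remembered);
            // everything else: LOGIN role as resolved from the ldap groups
            httpSecurity.authorizeRequests()
                .antMatchers("/whoami").fullyAuthenticated()
                .antMatchers("/**").hasRole("LOGIN");
        }
    }

    /**
     * CAS service properties: the service url the sso server redirects back to after login,
     * derived from the overview stage's main hostname and its first https port.
     *
     * @return the service properties
     * @throws IOException declared by {@code Session.load} and {@code Stage.loadPorts}
     */
    @Bean
    public ServiceProperties serviceProperties() throws IOException {
        Stage overview = this.session.load(Overview.OVERVIEW_NAME);
        ServiceProperties properties = new ServiceProperties();
        properties.setService("https://" + overview.mainHostname() + ":" + overview.loadPorts().https(0) + "/j_spring_cas_security_check");
        // renew=false: an existing sso session on the cas server is accepted, no re-login is forced
        properties.setSendRenew(false);
        return properties;
    }

    /**
     * LDAP connection used for user and group lookups, bound with the principal and
     * credentials from the stool configuration.
     *
     * <p>NOTE(review): this bean is created even when {@code ldapUrl} is empty (the anonymous
     * mode of {@link #configure(HttpSecurity)}) — confirm an empty url does not fail at startup.
     *
     * @return the ldap context source
     */
    @Bean
    public DefaultSpringSecurityContextSource contextSource() {
        DefaultSpringSecurityContextSource source = new DefaultSpringSecurityContextSource(this.session.configuration.ldapUrl);
        source.setUserDn(this.session.configuration.ldapPrincipal);
        source.setPassword(this.session.configuration.ldapCredentials);
        return source;
    }

    /**
     * Resolves the CAS user name to an ldap user: the user entry is searched under
     * {@code ou=cisostages} by uid; its roles are the {@code ou} attribute of the groups
     * directly under {@code ou=roles,ou=cisostages} that list the user as member.
     *
     * <p>Both search bases are hard-coded here. The user name reaches the filters only as
     * the {@code {0}}/{@code {1}} search argument, which Spring LDAP escapes — keep it that
     * way rather than concatenating it into the filter string.
     *
     * @return the ldap backed user details service
     */
    public UserDetailsService userDetailsService() {
        FilterBasedLdapUserSearch userSearch = new FilterBasedLdapUserSearch("ou=cisostages", "(uid={0})", contextSource());
        DefaultLdapAuthoritiesPopulator authoritiesPopulator = new DefaultLdapAuthoritiesPopulator(contextSource(), "ou=roles,ou=cisostages");
        authoritiesPopulator.setGroupSearchFilter("(member=uid={1})");
        // the group's ou becomes the role name; by default the populator prefixes ROLE_ and
        // upper-cases it, so a group ou=login satisfies hasRole("LOGIN")
        authoritiesPopulator.setGroupRoleAttribute("ou");
        // only direct children of the group base are considered
        authoritiesPopulator.setSearchSubtree(false);
        // presumably set for servers that return referrals as partial results — verify against the ldap server in use
        authoritiesPopulator.setIgnorePartialResultException(true);
        LdapUserDetailsService userDetailsService = new LdapUserDetailsService(userSearch, authoritiesPopulator);
        userDetailsService.setUserDetailsMapper(new InetOrgPersonContextMapper());
        return userDetailsService;
    }
}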
