package org.apache.atlas.web.security;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.LinkedHashMap;
import javax.inject.Inject;
import org.apache.atlas.web.filters.ActiveServerFilter;
import org.apache.atlas.web.filters.AtlasAuthenticationEntryPoint;
import org.apache.atlas.web.filters.AtlasAuthenticationFilter;
import org.apache.atlas.web.filters.AtlasCSRFPreventionFilter;
import org.apache.atlas.web.filters.AtlasDelegatingAuthenticationEntryPoint;
import org.apache.atlas.web.filters.AtlasKnoxSSOAuthenticationFilter;
import org.apache.atlas.web.filters.HeadersUtil;
import org.apache.atlas.web.filters.RestUtil;
import org.apache.atlas.web.filters.StaleTransactionCleanupFilter;
import org.apache.commons.configuration.Configuration;
import org.apache.commons.lang.StringUtils;
import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.springsecurity.AdapterDeploymentContextFactoryBean;
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint;
import org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticatedActionsFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakSecurityContextRequestFilter;
import org.keycloak.adapters.springsecurity.filter.QueryParamPresenceRequestMatcher;
import org.keycloak.adapters.springsecurity.management.HttpSessionManager;
import org.keycloak.representations.adapters.config.AdapterConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.core.io.FileSystemResource;
import org.springframework.core.io.Resource;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

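/**
 * Spring Security configuration for the Atlas web application.
 *
 * <p>Wires the Atlas authentication provider, the Knox SSO filter, the Atlas authentication and
 * CSRF-prevention filters and, when the {@link AtlasAuthenticationProvider#KEYCLOAK_AUTH_METHOD}
 * flag is set, the Keycloak adapter filters into a single filter chain.
 *
 * <p>Security-relevant choices made here, for reviewers:
 * <ul>
 *   <li>every request outside the ignore list in {@link #configure(WebSecurity)} must be
 *       authenticated;</li>
 *   <li>Spring Security's built-in CSRF protection is disabled; {@code csrfPreventionFilter} is
 *       registered in its place;</li>
 *   <li>a session is always created, and a new one is issued on authentication;</li>
 *   <li>the Keycloak adapter falls back to placeholder values, including a placeholder client
 *       secret, when its configuration keys are absent.</li>
 * </ul>
 */
@EnableWebSecurity
@KeycloakConfiguration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class AtlasSecurityConfig extends WebSecurityConfigurerAdapter {
    private static final Logger LOG = LoggerFactory.getLogger(AtlasSecurityConfig.class);

    /**
     * Requests handed to the Keycloak authentication filter: the login page, any request that
     * carries an {@code Authorization} header, and any request with an {@code access_token}
     * query parameter.
     *
     * <p>NOTE(review): a token passed as a query parameter is part of the URL, so it can end up
     * in access logs, proxy logs and browser history. Make sure request logging for this
     * application does not record full query strings, or prefer the header form.
     */
    public static final RequestMatcher KEYCLOAK_REQUEST_MATCHER = new OrRequestMatcher(
            new AntPathRequestMatcher("/login.jsp"),
            new RequestHeaderRequestMatcher("Authorization"),
            new QueryParamPresenceRequestMatcher("access_token"));

    private final AtlasAuthenticationProvider authenticationProvider;
    private final AtlasAuthenticationSuccessHandler successHandler;
    private final AtlasAuthenticationFailureHandler failureHandler;
    private final AtlasKnoxSSOAuthenticationFilter ssoAuthenticationFilter;
    private final AtlasAuthenticationFilter atlasAuthenticationFilter;
    private final AtlasCSRFPreventionFilter csrfPreventionFilter;
    private final AtlasAuthenticationEntryPoint atlasAuthenticationEntryPoint;
    private final Configuration configuration;
    private final StaleTransactionCleanupFilter staleTransactionCleanupFilter;
    private final ActiveServerFilter activeServerFilter;

    // Injected default location of the Keycloak adapter file; replaced in
    // adapterDeploymentContext() when "atlas.authentication.method.keycloak.file" is set.
    @Value("${keycloak.configurationFile:WEB-INF/keycloak.json}")
    private Resource keycloakConfigFileResource;

    // Optional resolver bean; not read anywhere in this class.
    @Autowired(required = false)
    private KeycloakConfigResolver keycloakConfigResolver;

    // Read once at construction time from the Keycloak auth-method flag (default: false).
    private final boolean keycloakEnabled;

    /**
     * Stores the injected collaborators and reads the Keycloak on/off flag from configuration.
     */
    @Inject
    public AtlasSecurityConfig(AtlasKnoxSSOAuthenticationFilter atlasKnoxSSOAuthenticationFilter, AtlasCSRFPreventionFilter atlasCSRFPreventionFilter, AtlasAuthenticationFilter atlasAuthenticationFilter, AtlasAuthenticationProvider atlasAuthenticationProvider, AtlasAuthenticationSuccessHandler atlasAuthenticationSuccessHandler, AtlasAuthenticationFailureHandler atlasAuthenticationFailureHandler, AtlasAuthenticationEntryPoint atlasAuthenticationEntryPoint, Configuration configuration, StaleTransactionCleanupFilter staleTransactionCleanupFilter, ActiveServerFilter activeServerFilter) {
        this.ssoAuthenticationFilter = atlasKnoxSSOAuthenticationFilter;
        this.csrfPreventionFilter = atlasCSRFPreventionFilter;
        this.atlasAuthenticationFilter = atlasAuthenticationFilter;
        this.authenticationProvider = atlasAuthenticationProvider;
        this.successHandler = atlasAuthenticationSuccessHandler;
        this.failureHandler = atlasAuthenticationFailureHandler;
        this.atlasAuthenticationEntryPoint = atlasAuthenticationEntryPoint;
        this.configuration = configuration;
        this.staleTransactionCleanupFilter = staleTransactionCleanupFilter;
        this.activeServerFilter = activeServerFilter;
        this.keycloakEnabled = configuration.getBoolean(AtlasAuthenticationProvider.KEYCLOAK_AUTH_METHOD, false);
    }

    /**
     * Builds the entry point used as the default challenge for unauthenticated requests.
     *
     * @return a Keycloak entry point (login URI {@code /login.jsp}) when Keycloak is enabled,
     *         otherwise an Atlas delegating entry point keyed on the {@code User-Agent} header
     * @throws Exception if the Keycloak deployment context cannot be created
     */
    public AuthenticationEntryPoint getAuthenticationEntryPoint() throws Exception {
        // Declared as the common interface: the two branches produce unrelated concrete types.
        final AuthenticationEntryPoint entryPoint;
        if (this.keycloakEnabled) {
            KeycloakAuthenticationEntryPoint keycloakEntryPoint = new KeycloakAuthenticationEntryPoint(adapterDeploymentContext());
            // NOTE(review): this realm is hard-coded and is not taken from the "realm" key that
            // adapterDeploymentContext() reads; confirm the two are meant to differ.
            keycloakEntryPoint.setRealm("atlas.com");
            keycloakEntryPoint.setLoginUri("/login.jsp");
            entryPoint = keycloakEntryPoint;
        } else {
            // User-Agent is supplied by the client. Here it only selects which entry point
            // issues the challenge; it must never be used to decide whether one is issued.
            LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> entryPoints = new LinkedHashMap<>();
            entryPoints.put(new RequestHeaderRequestMatcher("User-Agent", HeadersUtil.USER_AGENT_VALUE), this.atlasAuthenticationEntryPoint);
            entryPoint = new AtlasDelegatingAuthenticationEntryPoint(entryPoints);
        }
        return entryPoint;
    }

    /**
     * Builds the entry point installed on HTTP Basic: requests whose {@code User-Agent} matches
     * {@code HeadersUtil.USER_AGENT_VALUE} go to the Atlas entry point, everything else to
     * {@link #getAuthenticationEntryPoint()}.
     *
     * @throws Exception if the default entry point cannot be created
     */
    public DelegatingAuthenticationEntryPoint getDelegatingAuthenticationEntryPoint() throws Exception {
        LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> entryPoints = new LinkedHashMap<>();
        entryPoints.put(new RequestHeaderRequestMatcher("User-Agent", HeadersUtil.USER_AGENT_VALUE), this.atlasAuthenticationEntryPoint);
        DelegatingAuthenticationEntryPoint delegating = new DelegatingAuthenticationEntryPoint(entryPoints);
        delegating.setDefaultEntryPoint(getAuthenticationEntryPoint());
        return delegating;
    }

    /**
     * Registers the Atlas authentication provider with the authentication manager.
     */
    @Inject
    @Override
    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) {
        authenticationManagerBuilder.authenticationProvider(this.authenticationProvider);
    }

    /**
     * Declares the paths that bypass the security filter chain entirely.
     *
     * <p>Ignored paths get no authentication and none of the filters or response headers
     * configured in {@link #configure(HttpSecurity)}. Besides static assets this list exposes
     * {@code /api/atlas/admin/status} without authentication, so that endpoint should return
     * nothing sensitive. {@code /login.jsp} is ignored only when Keycloak is disabled; with
     * Keycloak enabled it stays in the chain so {@link #KEYCLOAK_REQUEST_MATCHER} can see it.
     */
    @Override
    public void configure(WebSecurity webSecurity) throws Exception {
        ArrayList<String> ignoredPaths = new ArrayList<>(Arrays.asList(
                "/css/**", "/n/css/**",
                "/img/**", "/n/img/**",
                "/libs/**", "/n/libs/**",
                "/js/**", "/n/js/**",
                "/ieerror.html",
                "/migration-status.html",
                "/api/atlas/admin/status"));
        if (!this.keycloakEnabled) {
            ignoredPaths.add("/login.jsp");
        }
        webSecurity.ignoring().antMatchers(ignoredPaths.toArray(new String[0]));
    }

    /**
     * Configures authorization, response headers, session handling, login/logout and the
     * custom filters of the Atlas filter chain.
     *
     * @throws Exception if an entry point or a Keycloak component cannot be created
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                // Deny by default: anything not ignored in configure(WebSecurity) needs a login.
                .authorizeRequests().anyRequest().authenticated()
                .and()
                .headers()
                    // Header values come from HeadersUtil.headerMap; this class does not show them.
                    .addHeaderWriter(new StaticHeadersWriter(HeadersUtil.CONTENT_SEC_POLICY_KEY, HeadersUtil.headerMap.get(HeadersUtil.CONTENT_SEC_POLICY_KEY)))
                    .addHeaderWriter(new StaticHeadersWriter(HeadersUtil.SERVER_KEY, HeadersUtil.headerMap.get(HeadersUtil.SERVER_KEY)))
                .and()
                .servletApi()
                .and()
                // Spring Security's own CSRF protection is switched off. Forgery protection then
                // rests on csrfPreventionFilter, registered below.
                // NOTE(review): confirm that filter is enabled in the deployed configuration;
                // this class cannot tell.
                .csrf().disable()
                .sessionManagement()
                    // Keep the session id out of URLs.
                    .enableSessionUrlRewriting(false)
                    .sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
                    // Issue a fresh session on authentication (session-fixation defence).
                    .sessionFixation().newSession()
                .and()
                .httpBasic().authenticationEntryPoint(getDelegatingAuthenticationEntryPoint())
                .and()
                .formLogin()
                    .loginPage("/login.jsp")
                    .loginProcessingUrl("/j_spring_security_check")
                    .successHandler(this.successHandler)
                    .failureHandler(this.failureHandler)
                    .usernameParameter("j_username")
                    .passwordParameter("j_password")
                .and()
                .logout()
                    .logoutSuccessUrl("/login.jsp")
                    .deleteCookies("ATLASSESSIONID")
                    .logoutUrl(RestUtil.LOGOUT_URL);

        // A non-empty migration file name puts the server in migration mode.
        boolean migrationMode = !StringUtils.isEmpty(this.configuration.getString("atlas.migration.data.filename"));
        if (this.configuration.getBoolean("atlas.server.ha.enabled", false) || migrationMode) {
            if (migrationMode) {
                LOG.info("Atlas is in Migration Mode, enabling ActiveServerFilter");
            } else {
                LOG.info("Atlas is in HA Mode, enabling ActiveServerFilter");
            }
            httpSecurity.addFilterAfter(this.activeServerFilter, BasicAuthenticationFilter.class);
        }

        // Registration order is kept exactly as is: several filters share the same anchor class,
        // and their relative position in the chain may depend on the order of these calls.
        httpSecurity
                .addFilterAfter(this.staleTransactionCleanupFilter, BasicAuthenticationFilter.class)
                .addFilterBefore(this.ssoAuthenticationFilter, BasicAuthenticationFilter.class)
                .addFilterAfter(this.atlasAuthenticationFilter, SecurityContextHolderAwareRequestFilter.class)
                .addFilterAfter(this.csrfPreventionFilter, AtlasAuthenticationFilter.class);

        if (this.keycloakEnabled) {
            httpSecurity
                    .logout().addLogoutHandler(keycloakLogoutHandler())
                    .and()
                    .addFilterBefore(keycloakAuthenticationProcessingFilter(), BasicAuthenticationFilter.class)
                    .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
                    .addFilterAfter(keycloakSecurityContextRequestFilter(), SecurityContextHolderAwareRequestFilter.class)
                    .addFilterAfter(keycloakAuthenticatedActionsRequestFilter(), KeycloakSecurityContextRequestFilter.class);
        }
    }

    /**
     * Session strategy that records authenticated sessions in a new in-memory registry.
     */
    @Bean
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    /**
     * Creates the Keycloak adapter deployment context.
     *
     * <p>When {@code atlas.authentication.method.keycloak.file} is set, the adapter is loaded
     * from that file (an operator-supplied path, not request input). Otherwise it is built from
     * the {@code realm}, {@code auth-server-url}, {@code resource} and
     * {@code credentials-secret} keys under the Keycloak configuration subset.
     *
     * <p>NOTE(review): the fallbacks {@code "atlas.com"}, {@code "https://localhost/auth"},
     * {@code "none"} and {@code "nosecret"} are placeholders. If Keycloak is enabled and a key
     * is missing, the adapter is built with the placeholder, including a publicly known client
     * secret, instead of failing at startup. Deployments should set all four keys explicitly;
     * rejecting missing values here would make a misconfiguration visible. The client secret is
     * read from the application configuration, so that file needs restrictive permissions.
     *
     * @throws Exception if the adapter configuration cannot be loaded or built
     */
    @Bean
    protected AdapterDeploymentContext adapterDeploymentContext() throws Exception {
        final AdapterDeploymentContextFactoryBean factoryBean;
        String keycloakFile = this.configuration.getString("atlas.authentication.method.keycloak.file");
        if (keycloakFile == null || keycloakFile.isEmpty()) {
            Configuration keycloakSettings = this.configuration.subset(AtlasAuthenticationProvider.KEYCLOAK_AUTH_METHOD);
            AdapterConfig adapterConfig = new AdapterConfig();
            adapterConfig.setRealm(keycloakSettings.getString("realm", "atlas.com"));
            adapterConfig.setAuthServerUrl(keycloakSettings.getString("auth-server-url", "https://localhost/auth"));
            adapterConfig.setResource(keycloakSettings.getString("resource", "none"));
            HashMap<String, Object> credentials = new HashMap<>();
            credentials.put("secret", keycloakSettings.getString("credentials-secret", "nosecret"));
            adapterConfig.setCredentials(credentials);
            final KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(adapterConfig);
            // Single fixed deployment: every request resolves to the same configuration.
            factoryBean = new AdapterDeploymentContextFactoryBean(new KeycloakConfigResolver() {
                @Override
                public KeycloakDeployment resolve(HttpFacade.Request request) {
                    return deployment;
                }
            });
        } else {
            // Overrides the @Value-injected default resource with the configured file.
            this.keycloakConfigFileResource = new FileSystemResource(keycloakFile);
            factoryBean = new AdapterDeploymentContextFactoryBean(this.keycloakConfigFileResource);
        }
        factoryBean.afterPropertiesSet();
        return factoryBean.getObject();
    }

    /** Keycloak filter for pre-authentication actions, backed by {@link #httpSessionManager()}. */
    @Bean
    protected KeycloakPreAuthActionsFilter keycloakPreAuthActionsFilter() {
        return new KeycloakPreAuthActionsFilter(httpSessionManager());
    }

    /** Session manager used by the Keycloak pre-auth actions filter. */
    @Bean
    protected HttpSessionManager httpSessionManager() {
        return new HttpSessionManager();
    }

    /**
     * Logout handler bound to the Keycloak deployment context. Not a bean: a new handler is
     * created on each call.
     *
     * @throws Exception if the deployment context cannot be created
     */
    protected KeycloakLogoutHandler keycloakLogoutHandler() throws Exception {
        return new KeycloakLogoutHandler(adapterDeploymentContext());
    }

    /** Keycloak filter registered after {@link SecurityContextHolderAwareRequestFilter}. */
    @Bean
    protected KeycloakSecurityContextRequestFilter keycloakSecurityContextRequestFilter() {
        return new KeycloakSecurityContextRequestFilter();
    }

    /** Keycloak filter registered after {@link KeycloakSecurityContextRequestFilter}. */
    @Bean
    protected KeycloakAuthenticatedActionsFilter keycloakAuthenticatedActionsRequestFilter() {
        return new KeycloakAuthenticatedActionsFilter();
    }

    /**
     * Keycloak authentication filter, limited to requests matching
     * {@link #KEYCLOAK_REQUEST_MATCHER} and sharing the session strategy bean above.
     *
     * @throws Exception if the authentication manager cannot be obtained
     */
    @Bean
    protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessingFilter() throws Exception {
        KeycloakAuthenticationProcessingFilter processingFilter = new KeycloakAuthenticationProcessingFilter(authenticationManagerBean(), KEYCLOAK_REQUEST_MATCHER);
        processingFilter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy());
        return processingFilter;
    }
}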
