package org.apache.geode.tools.pulse.internal.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

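/**
 * Spring Security configuration for Pulse that is active only under the
 * {@code pulse.authentication.oauth} profile.
 *
 * <p>It sets up OAuth 2.0 / OIDC login, URL-level authorization based on the
 * {@code SCOPE_*} authorities, logout handling and a small set of response
 * security headers. {@code prePostEnabled = true} additionally switches on
 * {@code @PreAuthorize}/{@code @PostAuthorize} method security.
 */
@Configuration
@EnableWebSecurity
@Profile({"pulse.authentication.oauth"})
@EnableGlobalMethodSecurity(prePostEnabled = true)
/* loaded from: input_file:WEB-INF/classes/org/apache/geode/tools/pulse/internal/security/OAuthSecurityConfig.class */
public class OAuthSecurityConfig extends WebSecurityConfigurerAdapter {
    /** Runs during logout, before the success handler; presumably clears Pulse's repository state (verify in RepositoryLogoutHandler). */
    private final LogoutHandler repositoryLogoutHandler;

    /** Invoked after local logout; the injected bean is an OIDC client-initiated logout success handler. */
    private final LogoutSuccessHandler oidcLogoutHandler;

    /**
     * Creates the configuration from the two injected logout collaborators.
     *
     * @param repositoryLogoutHandler handler added to the logout chain
     * @param oidcClientInitiatedLogoutSuccessHandler handler run once local logout has succeeded
     */
    @Autowired
    public OAuthSecurityConfig(RepositoryLogoutHandler repositoryLogoutHandler, OidcClientInitiatedLogoutSuccessHandler oidcClientInitiatedLogoutSuccessHandler) {
        this.repositoryLogoutHandler = repositoryLogoutHandler;
        this.oidcLogoutHandler = oidcClientInitiatedLogoutSuccessHandler;
    }

    /**
     * Builds the HTTP security filter chain for the OAuth profile.
     *
     * <p>The decompiled listing called {@code mvcMatchers2(...)}, a decompiler rename
     * that does not exist in Spring Security; the real method is {@code mvcMatchers(...)}.
     *
     * @param httpSecurity the builder to configure
     * @throws Exception if the underlying configurers fail
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            // Rules are evaluated in declaration order and the first match decides,
            // so the specific patterns must stay ahead of "/*" and anyRequest().
            .authorizeRequests(authorize -> authorize
                // Static assets and the version endpoint are served without authentication.
                // NOTE(review): "/properties/**" is public too - confirm nothing sensitive lives there.
                .mvcMatchers("/pulseVersion", "/scripts/**", "/images/**", "/css/**", "/properties/**")
                .permitAll()
                // Data browser endpoints need both the cluster and the data read scope.
                .mvcMatchers("/dataBrowser*", "/getQueryStatisticsGridModel*")
                .access("hasAuthority('SCOPE_CLUSTER:READ') and hasAuthority('SCOPE_DATA:READ')")
                // NOTE(review): "/*" matches a single path segment only; nested paths not
                // listed above fall through to authenticated() with no scope check.
                // Confirm that is intended.
                .mvcMatchers("/*")
                .hasAuthority("SCOPE_CLUSTER:READ")
                .anyRequest()
                .authenticated())
            // alwaysUse = true: always land on the cluster page after login rather than
            // on the originally requested URL.
            .oauth2Login(login -> login.defaultSuccessUrl("/clusterDetail.html", true))
            .exceptionHandling(errors -> errors.accessDeniedPage("/accessDenied.html"))
            .logout(logout -> logout
                .logoutUrl("/clusterLogout")
                .addLogoutHandler(this.repositoryLogoutHandler)
                .logoutSuccessHandler(this.oidcLogoutHandler))
            // Response headers: forbid framing, enable X-XSS-Protection in block mode and
            // send X-Content-Type-Options. No Content-Security-Policy is configured here.
            .headers(headers -> headers
                .frameOptions().deny()
                .xssProtection(xss -> xss.xssProtectionEnabled(true).block(true))
                .contentTypeOptions())
            // NOTE(review): CSRF protection is switched off while login is browser and
            // session based, so state-changing requests carry no CSRF token check.
            // Left unchanged because the front end may not send tokens; confirm a
            // compensating control exists (for example SameSite session cookies) or
            // re-enable it together with the UI.
            .csrf().disable();
    }
}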
