package org.apereo.cas.web.security;

import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import lombok.Generated;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.support.password.PasswordEncoderUtils;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.core.monitor.ActuatorEndpointProperties;
import org.apereo.cas.configuration.model.core.monitor.MonitorProperties;
import org.apereo.cas.configuration.support.JpaBeans;
import org.apereo.cas.web.security.authentication.MonitorEndpointLdapAuthenticationProvider;
import org.jooq.lambda.Unchecked;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointProperties;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.endpoint.web.PathMappedEndpoints;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.security.authentication.jaas.JaasAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.provisioning.JdbcUserDetailsManagerConfigurer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ChannelSecurityConfigurer;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.web.util.matcher.RequestMatcher;

/* loaded from: input_file:org/apereo/cas/web/security/CasWebSecurityConfigurerAdapter.class */
/**
 * Spring Security configuration for the CAS actuator (monitoring) endpoints.
 * <p>
 * Each endpoint listed under {@code cas.monitor.endpoints.endpoint} is secured according to
 * its configured access levels; every other path-mapped endpoint falls back to the default
 * endpoint properties. Authentication for those endpoints can be backed by JAAS, LDAP and/or
 * JDBC depending on which of the corresponding monitor settings are populated.
 * <p>
 * CSRF protection, the security-headers writer and logout handling are all switched off for
 * this filter chain, and a secure channel is demanded for requests carrying an
 * {@code X-Forwarded-Proto} header (i.e. requests relayed through a reverse proxy).
 */
public class CasWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(CasWebSecurityConfigurerAdapter.class);

    /** Login page wired in whenever an endpoint is protected by authority, role or plain authentication. */
    public static final String ENDPOINT_URL_ADMIN_FORM_LOGIN = "/adminlogin";

    private final CasConfigurationProperties casProperties;
    private final SecurityProperties securityProperties;
    private final CasWebSecurityExpressionHandler casWebSecurityExpressionHandler;
    // Injected for completeness; no method of this class currently reads it.
    private final WebEndpointProperties webEndpointProperties;
    private final PathMappedEndpoints pathMappedEndpoints;

    /**
     * Creates the adapter.
     *
     * @param casConfigurationProperties     CAS settings, read for {@code cas.monitor.endpoints.*}
     * @param securityProperties             Spring Boot security settings handed to the LDAP provider
     * @param casWebSecurityExpressionHandler expression handler used by the URL authorization registry
     * @param webEndpointProperties          actuator web-endpoint settings (currently unused here)
     * @param pathMappedEndpoints            every actuator endpoint exposed over HTTP
     */
    @Generated
    public CasWebSecurityConfigurerAdapter(CasConfigurationProperties casConfigurationProperties, SecurityProperties securityProperties, CasWebSecurityExpressionHandler casWebSecurityExpressionHandler, WebEndpointProperties webEndpointProperties, PathMappedEndpoints pathMappedEndpoints) {
        this.casProperties = casConfigurationProperties;
        this.securityProperties = securityProperties;
        this.casWebSecurityExpressionHandler = casWebSecurityExpressionHandler;
        this.webEndpointProperties = webEndpointProperties;
        this.pathMappedEndpoints = pathMappedEndpoints;
    }

    /** Shortcut to the {@code cas.monitor.endpoints} configuration subtree. */
    private MonitorProperties.Endpoints endpointsConfig() {
        return this.casProperties.getMonitor().getEndpoints();
    }

    /**
     * Builds the HTTP security rules for the actuator endpoints.
     * <p>
     * Explicitly configured endpoints are handled first, then every remaining path-mapped
     * endpoint receives the default rules, and finally common static-resource locations are
     * opened up.
     *
     * @param httpSecurity the builder to configure
     * @throws Exception propagated from the Spring Security DSL
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        // Only the presence of the header is inspected, not its value: a request that
        // arrived through a proxy announcing the original scheme must be served over TLS.
        final RequestMatcher relayedByProxy = request -> request.getHeader("X-Forwarded-Proto") != null;

        httpSecurity.csrf().disable()
            .headers().disable()
            .logout().disable()
            .requiresChannel()
            .requestMatchers(relayedByProxy)
            .requiresSecure();

        final ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry =
            httpSecurity.authorizeRequests().expressionHandler(this.casWebSecurityExpressionHandler);

        // Checked exceptions thrown by configureEndpointAccess are surfaced through jOOλ's Unchecked wrapper.
        endpointsConfig().getEndpoint().forEach(Unchecked.biConsumer((endpointId, endpointProperties) -> {
            final EndpointRequest.EndpointRequestMatcher endpointMatcher = EndpointRequest.to(endpointId);
            for (final ActuatorEndpointProperties.EndpointAccessLevel level : endpointProperties.getAccess()) {
                configureEndpointAccess(httpSecurity, registry, level, endpointProperties, endpointMatcher);
            }
        }));

        configureEndpointAccessToDenyUndefined(httpSecurity, registry);
        configureEndpointAccessForStaticResources(registry);
    }

    /**
     * Registers the JAAS, LDAP and JDBC authentication providers that are enabled by configuration.
     * Falls back to the parent's default configuration when none of them applies.
     *
     * @param authenticationManagerBuilder the builder to populate
     * @throws Exception propagated from provider initialisation
     */
    @Override
    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        final MonitorProperties.Endpoints endpoints = endpointsConfig();

        final MonitorProperties.Endpoints.JaasSecurity jaasSettings = endpoints.getJaas();
        if (jaasSettings.getLoginConfig() == null) {
            LOGGER.trace("No JAAS login config is defined to enable JAAS authentication");
        } else {
            configureJaasAuthenticationProvider(authenticationManagerBuilder, jaasSettings);
        }

        final MonitorProperties.Endpoints.LdapSecurity ldapSettings = endpoints.getLdap();
        final boolean ldapDefined = StringUtils.isNotBlank(ldapSettings.getLdapUrl())
            && StringUtils.isNotBlank(ldapSettings.getSearchFilter());
        if (ldapDefined) {
            configureLdapAuthenticationProvider(authenticationManagerBuilder, ldapSettings);
        } else {
            LOGGER.trace("No LDAP url or search filter is defined to enable LDAP authentication");
        }

        final MonitorProperties.Endpoints.JdbcSecurity jdbcSettings = endpoints.getJdbc();
        if (StringUtils.isNotBlank(jdbcSettings.getQuery())) {
            configureJdbcAuthenticationProvider(authenticationManagerBuilder, jdbcSettings);
        } else {
            LOGGER.trace("No JDBC query is defined to enable JDBC authentication");
        }

        if (!authenticationManagerBuilder.isConfigured()) {
            super.configure(authenticationManagerBuilder);
        }
    }

    /**
     * Applies the default endpoint rules to every path-mapped actuator endpoint that has no
     * explicit entry under {@code cas.monitor.endpoints.endpoint}. The endpoint's links
     * (discovery) page is excluded from the default matcher.
     *
     * @param httpSecurity                   the builder being configured
     * @param expressionInterceptUrlRegistry the URL authorization registry to add rules to
     */
    protected void configureEndpointAccessToDenyUndefined(HttpSecurity httpSecurity, ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry expressionInterceptUrlRegistry) {
        final ActuatorEndpointProperties defaults = endpointsConfig().getDefaultEndpointProperties();
        final Set<String> explicitlySecured = endpointsConfig().getEndpoint().keySet();

        this.pathMappedEndpoints.forEach(Unchecked.consumer(endpoint -> {
            final String rootPath = endpoint.getRootPath();
            if (explicitlySecured.contains(rootPath)) {
                LOGGER.trace("Endpoint security is defined for endpoint [{}]", rootPath);
            } else {
                LOGGER.trace("Endpoint security is NOT defined for endpoint [{}]. Using default security rules [{}]", rootPath, defaults);
                final EndpointRequest.EndpointRequestMatcher matcher = EndpointRequest.to(rootPath).excludingLinks();
                for (final ActuatorEndpointProperties.EndpointAccessLevel level : defaults.getAccess()) {
                    configureEndpointAccess(httpSecurity, expressionInterceptUrlRegistry, level, defaults, matcher);
                }
            }
        }));
    }

    /**
     * Enables JDBC-backed authentication using the configured users-by-username query,
     * role prefix, data source and password encoder.
     *
     * @param authenticationManagerBuilder the builder to populate
     * @param jdbcSecurity                 JDBC monitor settings
     * @throws Exception propagated from the Spring Security DSL
     */
    protected void configureJdbcAuthenticationProvider(AuthenticationManagerBuilder authenticationManagerBuilder, MonitorProperties.Endpoints.JdbcSecurity jdbcSecurity) throws Exception {
        final JdbcUserDetailsManagerConfigurer<AuthenticationManagerBuilder> jdbc = authenticationManagerBuilder.jdbcAuthentication();
        jdbc.usersByUsernameQuery(jdbcSecurity.getQuery())
            .rolePrefix(jdbcSecurity.getRolePrefix())
            .dataSource(JpaBeans.newDataSource(jdbcSecurity))
            .passwordEncoder(PasswordEncoderUtils.newPasswordEncoder(jdbcSecurity.getPasswordEncoder()));
    }

    /**
     * Registers the LDAP authentication provider, but only when enough LDAP authorization
     * settings exist for it to be meaningful (see {@link #isLdapAuthorizationActive()}).
     *
     * @param authenticationManagerBuilder the builder to populate
     * @param ldapSecurity                 LDAP monitor settings
     */
    protected void configureLdapAuthenticationProvider(AuthenticationManagerBuilder authenticationManagerBuilder, MonitorProperties.Endpoints.LdapSecurity ldapSecurity) {
        if (!isLdapAuthorizationActive()) {
            LOGGER.trace("LDAP authorization is undefined, given no LDAP url, base-dn, search filter or role/group filter is configured");
            return;
        }
        final MonitorEndpointLdapAuthenticationProvider provider =
            new MonitorEndpointLdapAuthenticationProvider(ldapSecurity, this.securityProperties);
        authenticationManagerBuilder.authenticationProvider(provider);
    }

    /**
     * Registers a {@link JaasAuthenticationProvider} built from the JAAS monitor settings.
     *
     * @param authenticationManagerBuilder the builder to populate
     * @param jaasSecurity                 JAAS monitor settings
     * @throws Exception if the provider fails to initialise
     */
    protected void configureJaasAuthenticationProvider(AuthenticationManagerBuilder authenticationManagerBuilder, MonitorProperties.Endpoints.JaasSecurity jaasSecurity) throws Exception {
        final JaasAuthenticationProvider provider = new JaasAuthenticationProvider();
        provider.setLoginConfig(jaasSecurity.getLoginConfig());
        provider.setLoginContextName(jaasSecurity.getLoginContextName());
        provider.setRefreshConfigurationOnStartup(jaasSecurity.isRefreshConfigurationOnStartup());
        // Validate and load the login configuration eagerly, before the provider is handed to the builder.
        provider.afterPropertiesSet();
        authenticationManagerBuilder.authenticationProvider(provider);
    }

    /**
     * Permits unauthenticated access to the common static-resource locations plus
     * {@code /resources/**} and {@code /static/**}.
     *
     * @param expressionInterceptUrlRegistry the URL authorization registry to add rules to
     */
    protected void configureEndpointAccessForStaticResources(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry expressionInterceptUrlRegistry) {
        urlsMatching(expressionInterceptUrlRegistry, PathRequest.toStaticResources().atCommonLocations()).permitAll();
        expressionInterceptUrlRegistry
            .antMatchers("/resources/**").permitAll()
            .antMatchers("/static/**").permitAll();
    }

    /**
     * Enables form login on {@link #ENDPOINT_URL_ADMIN_FORM_LOGIN}; the login page itself is open to everyone.
     *
     * @param expressionInterceptUrlRegistry the URL authorization registry whose {@code HttpSecurity} is configured
     * @throws Exception propagated from the Spring Security DSL
     */
    protected void configureEndpointAccessByFormLogin(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry expressionInterceptUrlRegistry) throws Exception {
        expressionInterceptUrlRegistry.and()
            .formLogin()
            .loginPage(ENDPOINT_URL_ADMIN_FORM_LOGIN)
            .permitAll();
    }

    /**
     * Applies one access level to one endpoint matcher. Authority-, role- and
     * authentication-based levels also wire in the admin form login; any level that is not
     * recognised is treated as {@code DENY}, so unknown values fail closed.
     *
     * @param httpSecurity                   the builder being configured (unused by the dispatch itself)
     * @param expressionInterceptUrlRegistry the URL authorization registry to add rules to
     * @param endpointAccessLevel            the access level to apply
     * @param actuatorEndpointProperties     settings supplying roles, authorities or IP addresses
     * @param endpointRequestMatcher         the endpoint the rule applies to
     * @throws Exception propagated from the Spring Security DSL
     */
    protected void configureEndpointAccess(HttpSecurity httpSecurity, ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry expressionInterceptUrlRegistry, ActuatorEndpointProperties.EndpointAccessLevel endpointAccessLevel, ActuatorEndpointProperties actuatorEndpointProperties, EndpointRequest.EndpointRequestMatcher endpointRequestMatcher) throws Exception {
        switch (endpointAccessLevel) {
            case AUTHORITY:
                configureEndpointAccessByAuthority(expressionInterceptUrlRegistry, actuatorEndpointProperties, endpointRequestMatcher);
                configureEndpointAccessByFormLogin(expressionInterceptUrlRegistry);
                break;
            case ROLE:
                configureEndpointAccessByRole(expressionInterceptUrlRegistry, actuatorEndpointProperties, endpointRequestMatcher);
                configureEndpointAccessByFormLogin(expressionInterceptUrlRegistry);
                break;
            case AUTHENTICATED:
                configureEndpointAccessAuthenticated(expressionInterceptUrlRegistry, endpointRequestMatcher);
                configureEndpointAccessByFormLogin(expressionInterceptUrlRegistry);
                break;
            case IP_ADDRESS:
                configureEndpointAccessByIpAddress(expressionInterceptUrlRegistry, actuatorEndpointProperties, endpointRequestMatcher);
                break;
            case PERMIT:
                configureEndpointAccessPermitAll(expressionInterceptUrlRegistry, endpointRequestMatcher);
                break;
            case ANONYMOUS:
                configureEndpointAccessAnonymously(expressionInterceptUrlRegistry, endpointRequestMatcher);
                break;
            case DENY:
            default:
                configureEndpointAccessToDenyAll(expressionInterceptUrlRegistry, endpointRequestMatcher);
                break;
        }
    }

    /** Selects the authorization rule target for a single request matcher. */
    private static ExpressionUrlAuthorizationConfigurer<HttpSecurity>.AuthorizedUrl urlsMatching(
        final ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry,
        final RequestMatcher matcher) {
        return registry.requestMatchers(matcher);
    }

    /** Opens the endpoint to every request. */
    private void configureEndpointAccessPermitAll(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry, EndpointRequest.EndpointRequestMatcher endpoint) {
        urlsMatching(registry, endpoint).permitAll();
    }

    /** Rejects every request to the endpoint. */
    private void configureEndpointAccessToDenyAll(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry, EndpointRequest.EndpointRequestMatcher endpoint) {
        urlsMatching(registry, endpoint).denyAll();
    }

    /** Restricts the endpoint to anonymous (not authenticated) requests. */
    private void configureEndpointAccessAnonymously(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry, EndpointRequest.EndpointRequestMatcher endpoint) {
        urlsMatching(registry, endpoint).anonymous();
    }

    /**
     * Restricts the endpoint to the configured client IP addresses by building a
     * {@code hasIpAddress('…') or hasIpAddress('…')} expression. The operands come from
     * configuration, not from the request.
     * NOTE(review): with an empty address list the joined expression is empty — confirm how the
     * expression handler treats that before relying on it to fail closed.
     */
    private void configureEndpointAccessByIpAddress(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry, ActuatorEndpointProperties properties, EndpointRequest.EndpointRequestMatcher endpoint) {
        final String ipExpression = properties.getRequiredIpAddresses()
            .stream()
            .map(address -> "hasIpAddress('" + address + "')")
            .collect(Collectors.joining(" or "));
        urlsMatching(registry, endpoint).access(ipExpression);
    }

    /** Requires any authenticated principal and enables HTTP Basic on the chain. */
    private void configureEndpointAccessAuthenticated(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry, EndpointRequest.EndpointRequestMatcher endpoint) throws Exception {
        urlsMatching(registry, endpoint)
            .authenticated()
            .and()
            .httpBasic();
    }

    /** Requires one of the configured roles and enables HTTP Basic on the chain. */
    private void configureEndpointAccessByRole(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry, ActuatorEndpointProperties properties, EndpointRequest.EndpointRequestMatcher endpoint) throws Exception {
        final String[] roles = properties.getRequiredRoles().toArray(ArrayUtils.EMPTY_STRING_ARRAY);
        urlsMatching(registry, endpoint)
            .hasAnyRole(roles)
            .and()
            .httpBasic();
    }

    /** Requires one of the configured authorities and enables HTTP Basic on the chain. */
    private void configureEndpointAccessByAuthority(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry, ActuatorEndpointProperties properties, EndpointRequest.EndpointRequestMatcher endpoint) throws Exception {
        final String[] authorities = properties.getRequiredAuthorities().toArray(ArrayUtils.EMPTY_STRING_ARRAY);
        urlsMatching(registry, endpoint)
            .hasAnyAuthority(authorities)
            .and()
            .httpBasic();
    }

    /**
     * LDAP authorization is considered active only when the base DN, URL and search filter are
     * all set and at least one of the role or group attributes is configured.
     */
    private boolean isLdapAuthorizationActive() {
        final MonitorProperties.Endpoints.LdapSecurity ldap = endpointsConfig().getLdap();
        final boolean connectionDefined = StringUtils.isNotBlank(ldap.getBaseDn())
            && StringUtils.isNotBlank(ldap.getLdapUrl())
            && StringUtils.isNotBlank(ldap.getSearchFilter());
        final boolean authzAttributeDefined = StringUtils.isNotBlank(ldap.getLdapAuthz().getRoleAttribute())
            || StringUtils.isNotBlank(ldap.getLdapAuthz().getGroupAttribute());
        return connectionDefined && authzAttributeDefined;
    }
}
