package org.apereo.cas.config;

import java.util.HashMap;
import org.apache.commons.lang3.BooleanUtils;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.audit.AuditableExecution;
import org.apereo.cas.authentication.AuthenticationServiceSelectionPlan;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.core.web.security.HttpHeadersRequestProperties;
import org.apereo.cas.configuration.model.core.web.security.HttpRequestProperties;
import org.apereo.cas.configuration.model.core.web.security.HttpWebRequestProperties;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.web.support.RegisteredServiceCorsConfigurationSource;
import org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.web.support.ArgumentExtractor;
import org.apereo.cas.web.support.AuthenticationCredentialsThreadLocalBinderClearingFilter;
import org.apereo.cas.web.support.filters.AddResponseHeadersFilter;
import org.apereo.cas.web.support.filters.RequestParameterPolicyEnforcementFilter;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.AutoConfigureAfter;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.boot.web.servlet.ServletRegistrationBean;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.filter.CharacterEncodingFilter;
import org.springframework.web.filter.CorsFilter;

@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration(value = "CasFiltersConfiguration", proxyBeanMethods = false)
/* loaded from: input_file:org/apereo/cas/config/CasFiltersConfiguration.class */
public class CasFiltersConfiguration {

    /**
     * Registers the servlet filters that are always installed: this nested configuration
     * carries no {@code @ConditionalOnProperty}, so both filters below are active in every
     * deployment that loads it.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "CasFiltersEncodingConfiguration", proxyBeanMethods = false)
    public static class CasFiltersBaseConfiguration {
        /**
         * Registers Spring's {@link CharacterEncodingFilter} on every URL ({@code /*}).
         *
         * <p>The encoding name and the force flag both come from the {@code web} section of the
         * HTTP web request properties. No explicit order is set on the registration, so this
         * method alone does not guarantee that the encoding is applied before other filters
         * read request parameters.
         *
         * @param casConfigurationProperties CAS settings; only {@code getHttpWebRequest().getWeb()} is read
         * @return the filter registration named {@code characterEncodingFilter}
         */
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public FilterRegistrationBean<CharacterEncodingFilter> characterEncodingFilter(CasConfigurationProperties casConfigurationProperties) {
            HttpWebRequestProperties webSettings = casConfigurationProperties.getHttpWebRequest().getWeb();
            CharacterEncodingFilter encodingFilter =
                new CharacterEncodingFilter(webSettings.getEncoding(), webSettings.isForceEncoding());

            FilterRegistrationBean<CharacterEncodingFilter> registration = new FilterRegistrationBean<>();
            registration.setName("characterEncodingFilter");
            registration.setFilter(encodingFilter);
            registration.setUrlPatterns(CollectionUtils.wrap("/*"));
            registration.setAsyncSupported(true);
            return registration;
        }

        /**
         * Registers {@link AuthenticationCredentialsThreadLocalBinderClearingFilter} on every URL.
         *
         * <p>NOTE(review): judging by its name, the filter clears credentials and authentication
         * objects bound to the request thread, which keeps one request's identity from leaking
         * into the next request served by the same pooled thread. The filter's implementation is
         * not part of this file, so confirm there.
         *
         * @return the filter registration named {@code currentCredentialsAndAuthenticationClearingFilter}
         */
        @Bean
        public FilterRegistrationBean<AuthenticationCredentialsThreadLocalBinderClearingFilter> currentCredentialsAndAuthenticationClearingFilter() {
            FilterRegistrationBean<AuthenticationCredentialsThreadLocalBinderClearingFilter> registration =
                new FilterRegistrationBean<>();
            registration.setName("currentCredentialsAndAuthenticationClearingFilter");
            registration.setFilter(new AuthenticationCredentialsThreadLocalBinderClearingFilter());
            registration.setUrlPatterns(CollectionUtils.wrap("/*"));
            registration.setAsyncSupported(true);
            return registration;
        }
    }

    /**
     * Opt-in CORS support. Nothing in this nested configuration is registered unless
     * {@code cas.http-web-request.cors.enabled} is explicitly set to {@code true}.
     */
    @Configuration(value = "CasFiltersCorsConfiguration", proxyBeanMethods = false)
    @ConditionalOnProperty(prefix = "cas.http-web-request.cors", name = {"enabled"}, havingValue = "true")
    public static class CasFiltersCorsConfiguration {
        /**
         * Supplies the CORS policy source used by {@link #casCorsFilter}.
         *
         * <p>The bean is skipped when the application context already holds a bean named
         * {@code corsConfigurationSource}. Such a deployment-supplied bean replaces the
         * CAS-provided source entirely, so its allowed origins and credential settings deserve
         * the same review as the CAS properties would.
         *
         * @param casConfigurationProperties CAS settings handed to the source
         * @param argumentExtractor extractor handed to the source
         * @param servicesManager service registry handed to the source
         * @return a {@link RegisteredServiceCorsConfigurationSource} built from the three arguments
         */
        @ConditionalOnMissingBean(name = {"corsConfigurationSource"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public CorsConfigurationSource corsConfigurationSource(
                CasConfigurationProperties casConfigurationProperties,
                @Qualifier("argumentExtractor") ArgumentExtractor argumentExtractor,
                @Qualifier("servicesManager") ServicesManager servicesManager) {
            CorsConfigurationSource source =
                new RegisteredServiceCorsConfigurationSource(casConfigurationProperties, servicesManager, argumentExtractor);
            return source;
        }

        /**
         * Registers Spring's {@link CorsFilter} backed by the given policy source.
         *
         * <p>This is the only registration in the file with an explicit order ({@code 0}). No URL
         * pattern is set here, so the registration bean's own default mapping applies.
         *
         * @param corsConfigurationSource the policy source bean named {@code corsConfigurationSource}
         * @return the filter registration named {@code casCorsFilter}
         */
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public FilterRegistrationBean<CorsFilter> casCorsFilter(
                @Qualifier("corsConfigurationSource") CorsConfigurationSource corsConfigurationSource) {
            CorsFilter corsFilter = new CorsFilter(corsConfigurationSource);
            // The trailing servlet-registration varargs are left empty, as in the original call.
            FilterRegistrationBean<CorsFilter> registration = new FilterRegistrationBean<>(corsFilter);
            registration.setOrder(0);
            registration.setName("casCorsFilter");
            registration.setAsyncSupported(true);
            return registration;
        }
    }

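    /**
     * Registers the filters that shape response headers and police request parameters.
     *
     * <p>None of the three registrations sets an explicit order, so this class does not fix
     * which of the header-writing filters runs last for a given response.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "CasFiltersResponseHeadersConfiguration", proxyBeanMethods = false)
    @AutoConfigureAfter({CasCoreServicesConfiguration.class})
    public static class CasFiltersResponseHeadersConfiguration {
        /**
         * Registers a filter that adds the operator-configured custom headers to every response.
         *
         * <p>The header map is taken as-is from {@code getHttpWebRequest().getCustomHeaders()} and
         * applied to all paths ({@code /*}). NOTE(review): whether a custom header can override one
         * written by {@code responseHeadersSecurityFilter} depends on filter ordering and on the
         * filter implementations, neither of which is visible in this file.
         *
         * @param casConfigurationProperties CAS settings; only the custom headers map is read
         * @return the filter registration named {@code responseHeadersFilter}
         */
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public FilterRegistrationBean<AddResponseHeadersFilter> responseHeadersFilter(CasConfigurationProperties casConfigurationProperties) {
            FilterRegistrationBean<AddResponseHeadersFilter> filterRegistrationBean = new FilterRegistrationBean<>();
            AddResponseHeadersFilter addResponseHeadersFilter = new AddResponseHeadersFilter();
            addResponseHeadersFilter.setHeadersMap(casConfigurationProperties.getHttpWebRequest().getCustomHeaders());
            filterRegistrationBean.setFilter(addResponseHeadersFilter);
            filterRegistrationBean.setUrlPatterns(CollectionUtils.wrap("/*"));
            filterRegistrationBean.setName("responseHeadersFilter");
            filterRegistrationBean.setAsyncSupported(true);
            return filterRegistrationBean;
        }

        /**
         * Registers the filter that enforces the browser-facing security headers on every response.
         *
         * <p>The registration is on by default: {@code matchIfMissing = true} means it is only
         * skipped when {@code cas.http-web-request.header.enabled} is set to something other than
         * {@code true}. Each header toggle from the {@code header} properties is passed to the
         * filter as a {@code "true"}/{@code "false"} init parameter, alongside the configured
         * X-Frame-Options and X-XSS-Protection values.
         *
         * @param casConfigurationProperties CAS settings; only {@code getHttpWebRequest().getHeader()} is read
         * @param argumentExtractor passed to the enforcement filter
         * @param servicesManager passed to the enforcement filter
         * @param auditableExecution the {@code registeredServiceAccessStrategyEnforcer} bean, passed to the filter
         * @param authenticationServiceSelectionPlan passed to the enforcement filter
         * @return the filter registration named {@code responseHeadersSecurityFilter}
         */
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnProperty(prefix = "cas.http-web-request.header", name = {"enabled"}, havingValue = "true", matchIfMissing = true)
        @Bean
        public FilterRegistrationBean<RegisteredServiceResponseHeadersEnforcementFilter> responseHeadersSecurityFilter(CasConfigurationProperties casConfigurationProperties, @Qualifier("argumentExtractor") ArgumentExtractor argumentExtractor, @Qualifier("servicesManager") ServicesManager servicesManager, @Qualifier("registeredServiceAccessStrategyEnforcer") AuditableExecution auditableExecution, @Qualifier("authenticationServiceSelectionPlan") AuthenticationServiceSelectionPlan authenticationServiceSelectionPlan) {
            HttpHeadersRequestProperties header = casConfigurationProperties.getHttpWebRequest().getHeader();
            // Typed map instead of a raw HashMap: servlet init parameters are String-to-String,
            // so a non-String value is now rejected at compile time.
            HashMap<String, String> initParams = new HashMap<>();
            initParams.put("enableCacheControl", BooleanUtils.toStringTrueFalse(header.isCache()));
            initParams.put("enableXContentTypeOptions", BooleanUtils.toStringTrueFalse(header.isXcontent()));
            initParams.put("enableStrictTransportSecurity", BooleanUtils.toStringTrueFalse(header.isHsts()));
            initParams.put("enableXFrameOptions", BooleanUtils.toStringTrueFalse(header.isXframe()));
            initParams.put("XFrameOptions", header.getXframeOptions());
            // X-XSS-Protection is a legacy header that current browsers largely ignore;
            // the Content-Security-Policy below is the control that matters for script injection.
            initParams.put("enableXSSProtection", BooleanUtils.toStringTrueFalse(header.isXss()));
            initParams.put("XSSProtection", header.getXssOptions());
            // The CSP parameter is only passed when a policy is configured. NOTE(review): whether
            // the filter falls back to a default policy when it is absent is not visible here.
            if (StringUtils.isNotBlank(header.getContentSecurityPolicy())) {
                initParams.put("contentSecurityPolicy", header.getContentSecurityPolicy());
            }
            FilterRegistrationBean<RegisteredServiceResponseHeadersEnforcementFilter> filterRegistrationBean = new FilterRegistrationBean<>();
            filterRegistrationBean.setFilter(new RegisteredServiceResponseHeadersEnforcementFilter(servicesManager, argumentExtractor, authenticationServiceSelectionPlan, auditableExecution));
            filterRegistrationBean.setUrlPatterns(CollectionUtils.wrap("/*"));
            filterRegistrationBean.setInitParameters(initParams);
            filterRegistrationBean.setName("responseHeadersSecurityFilter");
            filterRegistrationBean.setAsyncSupported(true);
            return filterRegistrationBean;
        }

        /**
         * Registers the filter that checks incoming request parameters against the configured policy.
         *
         * <p>The policy comes from the HTTP web request properties: which parameters to inspect,
         * which characters to forbid, whether multi-valued parameters are allowed, which parameters
         * are accepted on POST only, and an optional pattern to block. {@code throwOnError} is
         * hard-coded to {@code "true"} and is not operator-configurable from this method.
         *
         * @param casConfigurationProperties CAS settings; only {@code getHttpWebRequest()} is read
         * @return the filter registration named {@code requestParameterSecurityFilter}
         */
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public FilterRegistrationBean<RequestParameterPolicyEnforcementFilter> requestParameterSecurityFilter(CasConfigurationProperties casConfigurationProperties) {
            HttpRequestProperties httpWebRequest = casConfigurationProperties.getHttpWebRequest();
            // Typed map instead of a raw HashMap, matching the String-to-String init-parameter contract.
            HashMap<String, String> initParams = new HashMap<>();
            // Optional settings are omitted when blank so the filter applies its own defaults;
            // NOTE(review): what those defaults are is defined by the filter, not by this file.
            if (StringUtils.isNotBlank(httpWebRequest.getParamsToCheck())) {
                initParams.put("parametersToCheck", httpWebRequest.getParamsToCheck());
            }
            initParams.put("charactersToForbid", httpWebRequest.getCharactersToForbid());
            initParams.put("allowMultiValuedParameters", BooleanUtils.toStringTrueFalse(httpWebRequest.isAllowMultiValueParameters()));
            initParams.put("onlyPostParameters", httpWebRequest.getOnlyPostParams());
            initParams.put("throwOnError", Boolean.TRUE.toString());
            if (StringUtils.isNotBlank(httpWebRequest.getPatternToBlock())) {
                initParams.put("patternToBlock", httpWebRequest.getPatternToBlock());
            }
            FilterRegistrationBean<RequestParameterPolicyEnforcementFilter> filterRegistrationBean = new FilterRegistrationBean<>();
            filterRegistrationBean.setFilter(new RequestParameterPolicyEnforcementFilter());
            filterRegistrationBean.setUrlPatterns(CollectionUtils.wrap("/*"));
            filterRegistrationBean.setName("requestParameterSecurityFilter");
            filterRegistrationBean.setInitParameters(initParams);
            filterRegistrationBean.setAsyncSupported(true);
            return filterRegistrationBean;
        }
    }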
}
