package org.apereo.cas.web.security;

import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import lombok.Generated;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.core.monitor.ActuatorEndpointProperties;
import org.apereo.cas.configuration.model.core.monitor.JaasSecurityActuatorEndpointsMonitorProperties;
import org.apereo.cas.configuration.model.core.monitor.LdapSecurityActuatorEndpointsMonitorProperties;
import org.apereo.cas.util.LdapUtils;
import org.apereo.cas.util.RegexUtils;
import org.apereo.cas.util.function.FunctionUtils;
import org.apereo.cas.web.ProtocolEndpointWebSecurityConfigurer;
import org.apereo.cas.web.security.authentication.EndpointLdapAuthenticationProvider;
import org.jooq.lambda.Unchecked;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.DisposableBean;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.endpoint.web.PathMappedEndpoints;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.jaas.JaasAuthenticationProvider;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.config.annotation.web.configurers.ChannelSecurityConfigurer;
import org.springframework.security.web.util.matcher.RequestMatcher;

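/**
 * Spring Security configuration for the CAS actuator / admin endpoints.
 *
 * <p>Two things are set up here:
 * <ul>
 * <li>Paths that bypass the security filter chain entirely: the endpoints contributed by each
 * {@link ProtocolEndpointWebSecurityConfigurer}, common static-resource locations, {@code /error}
 * and {@code /favicon.ico}.</li>
 * <li>Per-endpoint authorization rules for Spring Boot actuator endpoints, driven by the
 * {@code access} levels configured for each endpoint under {@code cas.monitor.endpoints.endpoint};
 * endpoints with no explicit entry fall back to the default endpoint properties.</li>
 * </ul>
 *
 * <p>Security notes for reviewers and operators:
 * <ul>
 * <li>Authorization rules are registered in configuration order and Spring Security applies the
 * first rule whose request matcher matches. Listing several access levels for one endpoint does
 * not AND them together; in practice only the first level listed decides.</li>
 * <li>{@code IP_ADDRESS} access prefers the client address taken from the audit engine's alternate
 * client-address header over the socket peer address. This is only safe when a trusted reverse proxy
 * overwrites (or strips) that header on every request; otherwise a client can supply the header and
 * satisfy the rule itself.</li>
 * <li>CSRF protection, Spring's default security-header writers and the logout filter are disabled
 * on this chain, and neither an HTTP session nor a security context is persisted between requests:
 * every call authenticates on its own (HTTP basic, or the optional form login at
 * {@link #ENDPOINT_URL_ADMIN_FORM_LOGIN}).</li>
 * <li>HTTPS is only <em>required</em> for requests that carry an {@code X-Forwarded-Proto} header;
 * transport security for direct connections has to be enforced by the container or proxy.</li>
 * </ul>
 */
@Order(1000)
public class CasWebSecurityConfigurerAdapter implements DisposableBean {

    private static final Logger LOGGER = LoggerFactory.getLogger(CasWebSecurityConfigurerAdapter.class);

    /** Login page used when form login is enabled for the actuator endpoints. */
    public static final String ENDPOINT_URL_ADMIN_FORM_LOGIN = "/adminlogin";

    private final CasConfigurationProperties casProperties;

    private final SecurityProperties securityProperties;

    private final ObjectProvider<PathMappedEndpoints> pathMappedEndpoints;

    private final List<ProtocolEndpointWebSecurityConfigurer> protocolEndpointWebSecurityConfigurers;

    /**
     * Created on demand by {@link #configureLdapAuthenticationProvider}; it is handed the LDAP
     * connection factory built for it, which is why {@link #destroy()} has to release it.
     */
    private EndpointLdapAuthenticationProvider endpointLdapAuthenticationProvider;

    public CasWebSecurityConfigurerAdapter(final CasConfigurationProperties casConfigurationProperties,
                                           final SecurityProperties securityProperties,
                                           final ObjectProvider<PathMappedEndpoints> objectProvider,
                                           final List<ProtocolEndpointWebSecurityConfigurer> list) {
        this.casProperties = casConfigurationProperties;
        this.securityProperties = securityProperties;
        this.pathMappedEndpoints = objectProvider;
        this.protocolEndpointWebSecurityConfigurers = list;
    }

    /**
     * Releases the LDAP authentication provider (and the connection factory it holds), if one was created.
     */
    @Override
    public void destroy() {
        FunctionUtils.doIfNotNull(this.endpointLdapAuthenticationProvider, EndpointLdapAuthenticationProvider::destroy);
    }

    /**
     * Registers the paths that are excluded from the security filter chain altogether.
     * Requests to these paths never pass through any filter configured by this class,
     * so none of the endpoint rules below can apply to them.
     *
     * @param webSecurity the web security builder
     */
    public void configureWebSecurity(final WebSecurity webSecurity) {
        final List<String> ignoredPatterns = getPatternsToIgnore();
        webSecurity.debug(LOGGER.isDebugEnabled())
            .ignoring()
            .antMatchers(ignoredPatterns.toArray(ArrayUtils.EMPTY_STRING_ARRAY));
    }

    /**
     * Builds the security filter chain for the actuator endpoints.
     *
     * <p>The order of the steps matters: authorization rules are matched first-wins, so the
     * permit-all rules for ignored paths and the per-endpoint rules are registered before the
     * default rules for endpoints that have no explicit configuration.
     *
     * @param httpSecurity the http security builder
     * @return the same builder, for chaining
     * @throws Exception propagated from the Spring Security configurers
     */
    public HttpSecurity configureHttpSecurity(final HttpSecurity httpSecurity) throws Exception {
        // CSRF, default header writers and logout are switched off for this chain. The HTTPS
        // requirement only kicks in when X-Forwarded-Proto is present, i.e. behind a proxy; Spring
        // must also be told to honour forwarded headers for that redirect not to loop.
        httpSecurity.cors(Customizer.withDefaults())
            .csrf().disable()
            .headers().disable()
            .logout().disable()
            .requiresChannel()
            .requestMatchers(request -> request.getHeader("X-Forwarded-Proto") != null)
            .requiresSecure();

        final AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry =
            httpSecurity.authorizeHttpRequests();

        // Same pattern list as configureWebSecurity(), permitted here as well in case the chain
        // is reached for them; the chain is stateless (no persisted context, no session, no request cache).
        final List<String> ignoredPatterns = getPatternsToIgnore();
        registry.antMatchers(ignoredPatterns.toArray(ArrayUtils.EMPTY_STRING_ARRAY))
            .permitAll()
            .and()
            .securityContext().disable()
            .sessionManagement().disable()
            .requestCache().disable();

        this.protocolEndpointWebSecurityConfigurers.forEach(configurer -> configurer.configure(httpSecurity));

        // Explicitly configured endpoints first. Several access levels for one endpoint register
        // several rules on the same matcher; only the first one listed is ever consulted.
        this.casProperties.getMonitor().getEndpoints().getEndpoint().forEach(Unchecked.biConsumer((endpointName, endpointProperties) -> {
            final EndpointRequest.EndpointRequestMatcher matcher = EndpointRequest.to(endpointName);
            endpointProperties.getAccess().forEach(Unchecked.consumer(level ->
                configureEndpointAccess(httpSecurity, registry, level, endpointProperties, matcher)));
        }));

        configureEndpointAccessToDenyUndefined(httpSecurity, registry);
        configureEndpointAccessForStaticResources(registry);
        configureEndpointAccessByFormLogin(httpSecurity);

        final JaasSecurityActuatorEndpointsMonitorProperties jaas = this.casProperties.getMonitor().getEndpoints().getJaas();
        if (jaas.getLoginConfig() != null) {
            configureJaasAuthenticationProvider(httpSecurity, jaas);
        } else {
            LOGGER.trace("No JAAS login config is defined to enable JAAS authentication");
        }

        final LdapSecurityActuatorEndpointsMonitorProperties ldap = this.casProperties.getMonitor().getEndpoints().getLdap();
        if (StringUtils.isNotBlank(ldap.getLdapUrl()) && StringUtils.isNotBlank(ldap.getSearchFilter())) {
            configureLdapAuthenticationProvider(httpSecurity, ldap);
        } else {
            LOGGER.trace("No LDAP url or search filter is defined to enable LDAP authentication");
        }
        return httpSecurity;
    }

    /**
     * Collects the ant patterns that are exempt from security: every ignored endpoint reported by
     * the protocol configurers (normalised to {@code /path/**}) plus static resources and the error page.
     * The returned list is mutable and freshly built on every call.
     */
    private List<String> getPatternsToIgnore() {
        final List<String> patterns = this.protocolEndpointWebSecurityConfigurers.stream()
            .map(ProtocolEndpointWebSecurityConfigurer::getIgnoredEndpoints)
            .flatMap(endpoints -> endpoints.stream())
            .map(endpoint -> StringUtils.prependIfMissing(endpoint, "/").concat("/**"))
            .collect(Collectors.toList());
        patterns.add("/webjars/**");
        patterns.add("/js/**");
        patterns.add("/css/**");
        patterns.add("/images/**");
        patterns.add("/static/**");
        patterns.add("/error");
        patterns.add("/favicon.ico");
        LOGGER.debug("Configuring protocol endpoints [{}] to exclude/ignore from web security", patterns);
        return patterns;
    }

    /**
     * Applies the default endpoint access levels to every path-mapped actuator endpoint that has no
     * explicit configuration. Despite the name, the effective access is whatever the default endpoint
     * properties specify; it is only "deny" when those are left at a deny level.
     *
     * @param httpSecurity the http security builder
     * @param registry     the authorization registry rules are added to
     */
    protected void configureEndpointAccessToDenyUndefined(final HttpSecurity httpSecurity,
                                                           final AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry) {
        final Set<String> configuredEndpoints = this.casProperties.getMonitor().getEndpoints().getEndpoint().keySet();
        final ActuatorEndpointProperties defaults = this.casProperties.getMonitor().getEndpoints().getDefaultEndpointProperties();
        this.pathMappedEndpoints.getObject().forEach(endpoint -> {
            final String rootPath = endpoint.getRootPath();
            if (configuredEndpoints.contains(rootPath)) {
                LOGGER.trace("Endpoint security is defined for endpoint [{}]", rootPath);
                return;
            }
            LOGGER.trace("Endpoint security is NOT defined for endpoint [{}]. Using default security rules [{}]", rootPath, defaults);
            // excludingLinks() keeps the actuator discovery/links page out of this endpoint's rule.
            final EndpointRequest.EndpointRequestMatcher matcher = EndpointRequest.to(rootPath).excludingLinks();
            defaults.getAccess().forEach(Unchecked.consumer(level ->
                configureEndpointAccess(httpSecurity, registry, level, defaults, matcher)));
        });
    }

    /**
     * Permits Spring Boot's common static-resource locations plus {@code /resources/**} and {@code /static/**}.
     *
     * @param registry the authorization registry rules are added to
     */
    protected void configureEndpointAccessForStaticResources(final AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry) {
        registry.requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll();
        registry.antMatchers("/resources/**").permitAll()
            .antMatchers("/static/**").permitAll();
    }

    /**
     * Enables the admin form login page when configured, otherwise disables form login entirely.
     *
     * @param httpSecurity the http security builder
     * @throws Exception propagated from the form-login configurer
     */
    protected void configureEndpointAccessByFormLogin(final HttpSecurity httpSecurity) throws Exception {
        if (this.casProperties.getMonitor().getEndpoints().isFormLoginEnabled()) {
            httpSecurity.formLogin().loginPage(ENDPOINT_URL_ADMIN_FORM_LOGIN).permitAll();
        } else {
            httpSecurity.formLogin().disable();
        }
    }

    /**
     * Dispatches one access level to the matching rule builder. {@code DENY} and any level this
     * class does not know about fall through to deny-all, so an unrecognised level never opens an endpoint.
     *
     * @param httpSecurity               the http security builder
     * @param registry                   the authorization registry rules are added to
     * @param endpointAccessLevel        the access level to apply
     * @param actuatorEndpointProperties the endpoint's properties (roles, authorities, IP addresses)
     * @param endpointRequestMatcher     matcher selecting the endpoint's requests
     * @throws Exception propagated from the Spring Security configurers
     */
    protected void configureEndpointAccess(final HttpSecurity httpSecurity,
                                           final AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry,
                                           final ActuatorEndpointProperties.EndpointAccessLevel endpointAccessLevel,
                                           final ActuatorEndpointProperties actuatorEndpointProperties,
                                           final EndpointRequest.EndpointRequestMatcher endpointRequestMatcher) throws Exception {
        switch (endpointAccessLevel) {
            case AUTHORITY:
                configureEndpointAccessByAuthority(httpSecurity, registry, actuatorEndpointProperties, endpointRequestMatcher);
                break;
            case ROLE:
                configureEndpointAccessByRole(httpSecurity, registry, actuatorEndpointProperties, endpointRequestMatcher);
                break;
            case AUTHENTICATED:
                configureEndpointAccessAuthenticated(httpSecurity, registry, endpointRequestMatcher);
                break;
            case IP_ADDRESS:
                configureEndpointAccessByIpAddress(registry, actuatorEndpointProperties, endpointRequestMatcher);
                break;
            case PERMIT:
                configureEndpointAccessPermitAll(registry, endpointRequestMatcher);
                break;
            case ANONYMOUS:
                configureEndpointAccessAnonymously(registry, endpointRequestMatcher);
                break;
            case DENY:
            default:
                configureEndpointAccessToDenyAll(registry, endpointRequestMatcher);
                break;
        }
    }

    /** Opens the endpoint to everyone. */
    protected void configureEndpointAccessPermitAll(final AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry,
                                                    final EndpointRequest.EndpointRequestMatcher endpointRequestMatcher) {
        registry.requestMatchers(endpointRequestMatcher).permitAll();
    }

    /** Rejects every request to the endpoint. */
    protected void configureEndpointAccessToDenyAll(final AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry,
                                                    final EndpointRequest.EndpointRequestMatcher endpointRequestMatcher) {
        registry.requestMatchers(endpointRequestMatcher).denyAll();
    }

    /**
     * {@code ANONYMOUS} is implemented as permit-all, exactly like {@code PERMIT}: it does not
     * restrict the endpoint to unauthenticated callers the way Spring's {@code anonymous()} would.
     */
    protected void configureEndpointAccessAnonymously(final AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry,
                                                      final EndpointRequest.EndpointRequestMatcher endpointRequestMatcher) {
        registry.requestMatchers(endpointRequestMatcher).permitAll();
    }

    /**
     * Allows the endpoint only when the client address matches one of the configured regular
     * expressions (case-insensitive, whole-string match).
     *
     * <p>The address is taken from the audit engine's alternate client-address header when present
     * and otherwise from the socket peer address. The header is trusted as-is: only deploy this level
     * behind a proxy that always overwrites it. NOTE(review): a multi-hop, comma-separated header
     * value (X-Forwarded-For style) will not satisfy the whole-string match; confirm what the
     * proxy in front of CAS emits before relying on this.
     *
     * @param registry                   the authorization registry rules are added to
     * @param actuatorEndpointProperties supplies the required IP address patterns
     * @param endpointRequestMatcher     matcher selecting the endpoint's requests
     */
    protected void configureEndpointAccessByIpAddress(final AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry,
                                                      final ActuatorEndpointProperties actuatorEndpointProperties,
                                                      final EndpointRequest.EndpointRequestMatcher endpointRequestMatcher) {
        // The entries are regular expressions (not CIDR blocks) OR-ed into one alternation. It is
        // compiled once here instead of on every request. An empty list yields the pattern "",
        // which cannot match a non-empty address, so the endpoint is effectively denied.
        final String allowedAddresses = actuatorEndpointProperties.getRequiredIpAddresses()
            .stream()
            .map(address -> "(" + address + ")")
            .collect(Collectors.joining("|"));
        final Pattern allowedPattern = RegexUtils.createPattern(allowedAddresses, Pattern.CASE_INSENSITIVE);

        registry.requestMatchers(endpointRequestMatcher).access((authentication, context) -> {
            final String headerName = this.casProperties.getAudit().getEngine().getAlternateClientAddrHeaderName();
            final String clientAddress = StringUtils.defaultIfBlank(
                context.getRequest().getHeader(headerName),
                context.getRequest().getRemoteAddr());
            LOGGER.trace("Attempting to match [{}] against [{}] as a regular expression", clientAddress, allowedAddresses);
            final boolean matches = allowedPattern.matcher(clientAddress).matches();
            if (!matches) {
                LOGGER.warn("Provided regular expression pattern [{}] does not match [{}]", allowedAddresses, clientAddress);
            }
            return new AuthorizationDecision(matches);
        });
    }

    /**
     * Requires any authenticated principal. Also turns on HTTP basic authentication for the whole chain,
     * which is how the JAAS/LDAP providers below receive credentials.
     */
    protected void configureEndpointAccessAuthenticated(final HttpSecurity httpSecurity,
                                                        final AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry,
                                                        final EndpointRequest.EndpointRequestMatcher endpointRequestMatcher) throws Exception {
        registry.requestMatchers(endpointRequestMatcher)
            .authenticated()
            .and()
            .httpBasic();
    }

    /**
     * Requires any of the endpoint's configured roles (Spring adds the {@code ROLE_} prefix) and
     * enables HTTP basic authentication for the chain.
     */
    protected void configureEndpointAccessByRole(final HttpSecurity httpSecurity,
                                                 final AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry,
                                                 final ActuatorEndpointProperties actuatorEndpointProperties,
                                                 final EndpointRequest.EndpointRequestMatcher endpointRequestMatcher) throws Exception {
        final String[] roles = actuatorEndpointProperties.getRequiredRoles().toArray(ArrayUtils.EMPTY_STRING_ARRAY);
        registry.requestMatchers(endpointRequestMatcher)
            .hasAnyRole(roles)
            .and()
            .httpBasic();
    }

    /**
     * Requires any of the endpoint's configured authorities (matched verbatim, no prefix) and
     * enables HTTP basic authentication for the chain.
     */
    protected void configureEndpointAccessByAuthority(final HttpSecurity httpSecurity,
                                                      final AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry,
                                                      final ActuatorEndpointProperties actuatorEndpointProperties,
                                                      final EndpointRequest.EndpointRequestMatcher endpointRequestMatcher) throws Exception {
        final String[] authorities = actuatorEndpointProperties.getRequiredAuthorities().toArray(ArrayUtils.EMPTY_STRING_ARRAY);
        registry.requestMatchers(endpointRequestMatcher)
            .hasAnyAuthority(authorities)
            .and()
            .httpBasic();
    }

    /**
     * LDAP is only usable for endpoint security when, besides url and search filter, a base DN and
     * at least one of the role or group attributes are configured; without them there is nothing
     * to derive authorities from.
     */
    private boolean isLdapAuthorizationActive() {
        final LdapSecurityActuatorEndpointsMonitorProperties ldap = this.casProperties.getMonitor().getEndpoints().getLdap();
        final boolean hasAuthzAttribute = StringUtils.isNotBlank(ldap.getLdapAuthz().getRoleAttribute())
            || StringUtils.isNotBlank(ldap.getLdapAuthz().getGroupAttribute());
        return StringUtils.isNotBlank(ldap.getBaseDn())
            && StringUtils.isNotBlank(ldap.getLdapUrl())
            && StringUtils.isNotBlank(ldap.getSearchFilter())
            && hasAuthzAttribute;
    }

    /**
     * Registers a JAAS authentication provider built from the configured login config.
     * {@code afterPropertiesSet()} is invoked explicitly because the provider is created here
     * rather than as a Spring bean.
     */
    private static void configureJaasAuthenticationProvider(final HttpSecurity httpSecurity,
                                                            final JaasSecurityActuatorEndpointsMonitorProperties jaas) throws Exception {
        final JaasAuthenticationProvider provider = new JaasAuthenticationProvider();
        provider.setLoginConfig(jaas.getLoginConfig());
        provider.setLoginContextName(jaas.getLoginContextName());
        provider.setRefreshConfigurationOnStartup(jaas.isRefreshConfigurationOnStartup());
        provider.afterPropertiesSet();
        httpSecurity.authenticationProvider(provider);
    }

    /**
     * Registers the LDAP authentication provider. The caller has already verified url and search
     * filter; if the authorization settings are incomplete the provider is deliberately not
     * registered, and that is now logged at WARN instead of silently leaving the endpoints without LDAP.
     */
    private void configureLdapAuthenticationProvider(final HttpSecurity httpSecurity,
                                                     final LdapSecurityActuatorEndpointsMonitorProperties ldap) {
        if (isLdapAuthorizationActive()) {
            this.endpointLdapAuthenticationProvider = new EndpointLdapAuthenticationProvider(ldap,
                this.securityProperties,
                LdapUtils.newLdaptiveConnectionFactory(ldap),
                LdapUtils.newLdaptiveAuthenticator(ldap));
            httpSecurity.authenticationProvider(this.endpointLdapAuthenticationProvider);
        } else {
            LOGGER.warn("LDAP endpoint security has an LDAP url and search filter but is missing a base DN "
                + "or a role/group attribute; the LDAP authentication provider for actuator endpoints is NOT registered");
        }
    }
}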
