package org.flowable.ui.common.security;

import java.util.Arrays;
import java.util.Objects;
import java.util.regex.Pattern;
import org.flowable.idm.api.IdmIdentityService;
import org.flowable.spring.boot.FlowableSecurityAutoConfiguration;
import org.flowable.spring.boot.idm.IdmEngineServicesAutoConfiguration;
import org.flowable.ui.common.properties.FlowableCommonAppProperties;
import org.flowable.ui.common.rest.idm.CurrentUserProvider;
import org.flowable.ui.common.rest.idm.OAuth2CurrentUserProvider;
import org.flowable.ui.common.service.idm.RemoteIdmService;
import org.flowable.ui.common.service.idm.RemoteIdmServiceImpl;
import org.flowable.ui.common.service.idm.cache.RemoteIdmUserCache;
import org.flowable.ui.common.service.idm.cache.UserCache;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.boot.autoconfigure.AutoConfigureAfter;
import org.springframework.boot.autoconfigure.AutoConfigureBefore;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientAutoConfiguration;
import org.springframework.boot.context.properties.PropertyMapper;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.authentication.RememberMeServices;
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
import org.springframework.security.web.context.NullSecurityContextRepository;
import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;
import org.springframework.security.web.util.matcher.RequestMatcher;

@AutoConfigureBefore({FlowableSecurityAutoConfiguration.class, OAuth2ClientAutoConfiguration.class})
@Configuration(proxyBeanMethods = false)
@AutoConfigureAfter({IdmEngineServicesAutoConfiguration.class})
/* loaded from: input_file:org/flowable/ui/common/security/FlowableUiSecurityAutoConfiguration.class */
public class FlowableUiSecurityAutoConfiguration {
    private static final Customizer<ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry> DEFAULT_AUTHORIZE_REQUESTS = expressionInterceptUrlRegistry -> {
        ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) expressionInterceptUrlRegistry.antMatchers(new String[]{"/app/rest/account"})).authenticated().antMatchers(new String[]{"/app/rest/runtime/app-definitions"})).authenticated().antMatchers(new String[]{"/idm-app/rest/authenticate"})).authenticated().antMatchers(new String[]{"/idm-app/rest/account"})).authenticated().antMatchers(new String[]{"/app/rest/**", "/workflow/"})).hasAuthority(DefaultPrivileges.ACCESS_TASK).antMatchers(new String[]{"/admin-app/**", "/admin/"})).hasAuthority(DefaultPrivileges.ACCESS_ADMIN).antMatchers(new String[]{"/idm-app/**"})).hasAuthority(DefaultPrivileges.ACCESS_IDM).antMatchers(new String[]{"/modeler-app/**", "/modeler/"})).hasAuthority(DefaultPrivileges.ACCESS_MODELER).antMatchers(new String[]{"/"})).authenticated().antMatchers(new String[]{"/app/authentication"})).permitAll().antMatchers(new String[]{"/idm"})).permitAll();
    };
    private static final Customizer<LogoutConfigurer<HttpSecurity>> DEFAULT_LOGOUT = logoutConfigurer -> {
        logoutConfigurer.logoutUrl("/app/logout");
    };
    private static final Customizer<HeadersConfigurer<HttpSecurity>> DEFAULT_HEADERS = headersConfigurer -> {
        headersConfigurer.frameOptions().sameOrigin().addHeaderWriter(new XXssProtectionHeaderWriter());
    };

    @Configuration(proxyBeanMethods = false)
    @ConditionalOnClass({EndpointRequest.class})
    @Order(SecurityConstants.ACTUATOR_SECURITY_ORDER)
    /* loaded from: input_file:org/flowable/ui/common/security/FlowableUiSecurityAutoConfiguration$ActuatorWebSecurityConfigurationAdapter.class */
    public static class ActuatorWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        protected final ApiHttpSecurityCustomizer apiHttpSecurityCustomizer;

        public ActuatorWebSecurityConfigurationAdapter(ApiHttpSecurityCustomizer apiHttpSecurityCustomizer) {
            this.apiHttpSecurityCustomizer = apiHttpSecurityCustomizer;
        }

        protected void configure(HttpSecurity httpSecurity) throws Exception {
            httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().csrf().disable();
            ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) httpSecurity.requestMatcher(new ActuatorRequestMatcher()).authorizeRequests().requestMatchers(new RequestMatcher[]{EndpointRequest.to(new Class[]{InfoEndpoint.class, HealthEndpoint.class})})).authenticated().requestMatchers(new RequestMatcher[]{EndpointRequest.toAnyEndpoint()})).hasAnyAuthority(new String[]{DefaultPrivileges.ACCESS_ADMIN});
            this.apiHttpSecurityCustomizer.customize(httpSecurity);
        }
    }

    @Configuration(proxyBeanMethods = false)
    @ConditionalOnProperty(prefix = "flowable.common.app.security", name = {"type"}, havingValue = "idm", matchIfMissing = true)
    @Order(SecurityConstants.FORM_LOGIN_SECURITY_ORDER)
    /* loaded from: input_file:org/flowable/ui/common/security/FlowableUiSecurityAutoConfiguration$FormLoginWebSecurityConfigurerAdapter.class */
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        @Autowired
        protected ObjectProvider<RememberMeServices> rememberMeServicesObjectProvider;

        @Autowired
        protected FlowableCommonAppProperties commonAppProperties;

        protected void configure(HttpSecurity httpSecurity) throws Exception {
            AbstractRememberMeServices abstractRememberMeServices = (RememberMeServices) this.rememberMeServicesObjectProvider.getIfAvailable();
            String str = null;
            if (abstractRememberMeServices instanceof AbstractRememberMeServices) {
                str = abstractRememberMeServices.getKey();
            }
            if (abstractRememberMeServices != null) {
                httpSecurity.rememberMe().key(str).rememberMeServices(abstractRememberMeServices);
            }
            httpSecurity.exceptionHandling().and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().logout(logoutConfigurer -> {
                FlowableUiSecurityAutoConfiguration.DEFAULT_LOGOUT.customize(logoutConfigurer);
                logoutConfigurer.logoutSuccessUrl("/");
                logoutConfigurer.addLogoutHandler(new ClearFlowableCookieLogoutHandler());
            }).csrf().disable().headers(FlowableUiSecurityAutoConfiguration.DEFAULT_HEADERS).securityContext().securityContextRepository(new NullSecurityContextRepository()).and().authorizeRequests(FlowableUiSecurityAutoConfiguration.DEFAULT_AUTHORIZE_REQUESTS);
            httpSecurity.formLogin().disable();
            httpSecurity.apply(new FlowableUiCustomFormLoginConfigurer());
        }
    }

    @Configuration(proxyBeanMethods = false)
    @ConditionalOnClass(name = {"org.flowable.ui.idm.service.GroupServiceImpl"})
    /* loaded from: input_file:org/flowable/ui/common/security/FlowableUiSecurityAutoConfiguration$LocalIdmConfiguration.class */
    public static class LocalIdmConfiguration {
        @ConditionalOnMissingBean
        @Bean
        public PersistentTokenService flowableUiPersistentTokenService(IdmIdentityService idmIdentityService) {
            return new IdmEnginePersistentTokenService(idmIdentityService);
        }
    }

    @Configuration(proxyBeanMethods = false)
    @ConditionalOnProperty(prefix = "flowable.common.app.security", name = {"type"}, havingValue = "oauth2")
    @Order(SecurityConstants.FORM_LOGIN_SECURITY_ORDER)
    /* loaded from: input_file:org/flowable/ui/common/security/FlowableUiSecurityAutoConfiguration$OAuthWebSecurityConfigurerAdapter.class */
    public static class OAuthWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
        private static final Pattern PASSWORD_ALGORITHM_PATTERN = Pattern.compile("^\\{.+}.*$");
        protected final FlowableCommonAppProperties commonAppProperties;
        protected final ObjectProvider<PasswordEncoder> passwordEncoder;

        public OAuthWebSecurityConfigurerAdapter(FlowableCommonAppProperties flowableCommonAppProperties, ObjectProvider<PasswordEncoder> objectProvider) {
            this.commonAppProperties = flowableCommonAppProperties;
            this.passwordEncoder = objectProvider;
        }

        protected void configure(HttpSecurity httpSecurity) throws Exception {
            httpSecurity.logout(logoutConfigurer -> {
                FlowableUiSecurityAutoConfiguration.DEFAULT_LOGOUT.customize(logoutConfigurer);
                OidcClientInitiatedLogoutSuccessHandler oidcClientInitiatedLogoutSuccessHandler = new OidcClientInitiatedLogoutSuccessHandler((ClientRegistrationRepository) getApplicationContext().getBean(ClientRegistrationRepository.class));
                oidcClientInitiatedLogoutSuccessHandler.setPostLogoutRedirectUri("{baseUrl}");
                logoutConfigurer.logoutSuccessHandler(oidcClientInitiatedLogoutSuccessHandler);
            }).csrf().disable().headers(FlowableUiSecurityAutoConfiguration.DEFAULT_HEADERS).authorizeRequests(FlowableUiSecurityAutoConfiguration.DEFAULT_AUTHORIZE_REQUESTS);
            httpSecurity.oauth2Login();
            httpSecurity.oauth2Client();
        }

        @Bean
        public GrantedAuthoritiesMapper keycloakAuthoritiesMapper() {
            FlowableCommonAppProperties.OAuth2 oAuth2 = this.commonAppProperties.getSecurity().getOAuth2();
            return new FlowableOAuth2GrantedAuthoritiesMapper(oAuth2.getAuthoritiesAttribute(), oAuth2.getGroupsAttribute(), oAuth2.getDefaultAuthorities(), oAuth2.getDefaultGroups());
        }

        @ConditionalOnMissingBean
        @ConditionalOnClass({Jwt.class})
        @Bean
        public ApiHttpSecurityCustomizer delegatingApiHttpSecurityCustomizer() {
            JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
            FlowableCommonAppProperties.OAuth2 oAuth2 = this.commonAppProperties.getSecurity().getOAuth2();
            jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(new FlowableJwtGrantedAuthoritiesMapper(oAuth2.getAuthoritiesAttribute(), oAuth2.getGroupsAttribute(), oAuth2.getDefaultAuthorities(), oAuth2.getDefaultGroups()));
            return new DelegatingApiHttpSecurityCustomizer(Arrays.asList(new FixUserApiHttpSecurityCustomizer(this.commonAppProperties.getIdmAdmin().getUser(), deducePassword(this.commonAppProperties.getIdmAdmin().getPassword())), new JwtApiHttpSecurityCustomizer(jwtAuthenticationConverter)));
        }

        @ConditionalOnMissingBean
        @ConditionalOnMissingClass({"org.springframework.security.oauth2.jwt.Jwt"})
        @Bean
        public ApiHttpSecurityCustomizer fixUserApiHttpSecurityCustomizer() {
            return new FixUserApiHttpSecurityCustomizer(this.commonAppProperties.getIdmAdmin().getUser(), deducePassword(this.commonAppProperties.getIdmAdmin().getPassword()));
        }

        @ConditionalOnMissingBean(name = {"oauth2CurrentUserProvider"})
        @Bean
        public CurrentUserProvider oauth2CurrentUserProvider() {
            FlowableCommonAppProperties.OAuth2 oAuth2 = this.commonAppProperties.getSecurity().getOAuth2();
            OAuth2CurrentUserProvider oAuth2CurrentUserProvider = new OAuth2CurrentUserProvider();
            PropertyMapper alwaysApplyingWhenNonNull = PropertyMapper.get().alwaysApplyingWhenNonNull();
            PropertyMapper.Source from = alwaysApplyingWhenNonNull.from(oAuth2.getFirstNameAttribute());
            Objects.requireNonNull(oAuth2CurrentUserProvider);
            from.to(oAuth2CurrentUserProvider::setFirstNameKey);
            PropertyMapper.Source from2 = alwaysApplyingWhenNonNull.from(oAuth2.getLastNameAttribute());
            Objects.requireNonNull(oAuth2CurrentUserProvider);
            from2.to(oAuth2CurrentUserProvider::setLastNameKey);
            PropertyMapper.Source from3 = alwaysApplyingWhenNonNull.from(oAuth2.getFullNameAttribute());
            Objects.requireNonNull(oAuth2CurrentUserProvider);
            from3.to(oAuth2CurrentUserProvider::setFullNameKey);
            PropertyMapper.Source from4 = alwaysApplyingWhenNonNull.from(oAuth2.getEmailAttribute());
            Objects.requireNonNull(oAuth2CurrentUserProvider);
            from4.to(oAuth2CurrentUserProvider::setEmailKey);
            return oAuth2CurrentUserProvider;
        }

        protected String deducePassword(String str) {
            PasswordEncoder passwordEncoder = (PasswordEncoder) this.passwordEncoder.getIfAvailable();
            if (!PASSWORD_ALGORITHM_PATTERN.matcher(str).matches() && passwordEncoder != null) {
                return passwordEncoder.encode(str);
            }
            return str;
        }
    }

    @ConditionalOnMissingClass({"org.flowable.ui.idm.service.GroupServiceImpl"})
    @Configuration(proxyBeanMethods = false)
    /* loaded from: input_file:org/flowable/ui/common/security/FlowableUiSecurityAutoConfiguration$RemoteIdmConfiguration.class */
    public static class RemoteIdmConfiguration {
        @Bean
        public RemoteIdmService remoteIdmService(FlowableCommonAppProperties flowableCommonAppProperties) {
            return new RemoteIdmServiceImpl(flowableCommonAppProperties);
        }

        @Bean
        public UserCache remoteIdmUserCache(FlowableCommonAppProperties flowableCommonAppProperties, RemoteIdmService remoteIdmService) {
            return new RemoteIdmUserCache(flowableCommonAppProperties, remoteIdmService);
        }

        @ConditionalOnMissingBean
        @Bean
        public UserDetailsService flowableUiUserDetailsService(RemoteIdmService remoteIdmService) {
            return new RemoteIdmUserDetailsService(remoteIdmService);
        }

        @ConditionalOnMissingBean
        @Bean
        public PersistentTokenService flowableUiPersistentTokenService(RemoteIdmService remoteIdmService) {
            return new RemoteIdmPersistentTokenService(remoteIdmService);
        }

        @Bean
        public RemoteIdmAuthenticationProvider remoteIdmAuthenticationProvider(RemoteIdmService remoteIdmService) {
            return new RemoteIdmAuthenticationProvider(remoteIdmService);
        }
    }

    public FlowableUiSecurityAutoConfiguration(ObjectProvider<SecurityScopeProvider> objectProvider) {
        SecurityUtils.setSecurityScopeProvider((SecurityScopeProvider) objectProvider.getIfAvailable(FlowableSecurityScopeProvider::new));
    }

    @ConditionalOnMissingBean
    @Bean
    public RememberMeServices flowableUiRememberMeService(FlowableCommonAppProperties flowableCommonAppProperties, UserDetailsService userDetailsService, PersistentTokenService persistentTokenService) {
        return new CustomPersistentRememberMeServices(flowableCommonAppProperties, userDetailsService, persistentTokenService);
    }

    @ConditionalOnMissingBean
    @ConditionalOnProperty(prefix = "flowable.common.app.security", name = {"type"}, havingValue = "idm", matchIfMissing = true)
    @Bean
    public ApiHttpSecurityCustomizer defaultApiHttpSecurityCustomizer() {
        return new DefaultApiHttpSecurityCustomizer();
    }
}
