package pro.taskana.rest.security;

import java.util.List;
import java.util.function.Function;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.boot.web.servlet.ServletRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
import org.springframework.security.web.jaasapi.JaasApiIntegrationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

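/**
 * Spring Security configuration for the {@code pro.taskana.rest} module: LDAP-backed
 * authentication, URL authorization rules, CORS handling and the JAAS bridge filters.
 *
 * <p>Security-relevant behaviour visible in this class:
 *
 * <ul>
 *   <li>CORS is opened to every origin twice: through {@link #corsConfigurer()} (Spring MVC)
 *       and through {@link #corsFilter()} (servlet filter, credentials allowed).
 *   <li>CSRF protection is disabled for all requests in {@link #configure(HttpSecurity)}.
 *   <li>With {@code devMode=true} no {@code anyRequest()} rule is registered here, so this class
 *       does not force authentication on any URL and the H2 console path is explicitly public.
 *   <li>The LDAP defaults target a local test directory over unencrypted {@code ldap://}.
 * </ul>
 *
 * <p>Every externally tunable value is injected with {@code @Value}; the defaults are meant for
 * a local setup and should be overridden per environment.
 */
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Default is plain ldap:// on localhost. NOTE(review): a deployed instance should point this
    // at an ldaps:// (or otherwise TLS-protected) endpoint, because user passwords travel over
    // this connection during authentication.
    @Value("${taskana.ldap.serverUrl:ldap://localhost:10389}")
    private String ldapServerUrl;

    // Base DN appended to the server URL when the LDAP context source is built.
    @Value("${taskana.ldap.baseDn:OU=Test,O=TASKANA}")
    private String ldapBaseDn;

    // Search base (relative to the base DN) under which group entries are looked up.
    @Value("${taskana.ldap.groupSearchBase:cn=groups}")
    private String ldapGroupSearchBase;

    // Pattern used to derive a user's DN from the login name; {0} is the user name.
    @Value("${taskana.ldap.userDnPatterns:uid={0},cn=users}")
    private String ldapUserDnPatterns;

    // Filter used to find the groups a user belongs to; {0} is the user's DN.
    @Value("${taskana.ldap.groupSearchFilter:uniqueMember={0}}")
    private String ldapGroupSearchFilter;

    // Switches the HTTP rules to the development profile (see configure(HttpSecurity)).
    // Defaults to false; it must stay false outside of local development.
    @Value("${devMode:false}")
    private boolean devMode;

    /** Spring MVC level CORS mapping that accepts every origin on every path. */
    private static class CorsWebMvcConfigurer implements WebMvcConfigurer {

        @Override
        public void addCorsMappings(CorsRegistry corsRegistry) {
            // NOTE(review): wildcard origin on "/**". Restrict to the known UI origins if the
            // API is not meant to be callable from arbitrary web pages.
            corsRegistry.addMapping("/**").allowedOrigins("*");
        }
    }

    /**
     * Registers the MVC-level CORS mapping.
     *
     * @return a configurer that allows all origins on all paths
     */
    @Bean
    public WebMvcConfigurer corsConfigurer() {
        return new CorsWebMvcConfigurer();
    }

    /**
     * Registers a servlet {@link CorsFilter} with order 0 that applies one permissive policy to
     * every path: any origin, any header, any method, credentials allowed.
     *
     * @return the filter registration for the CORS filter
     */
    @Bean
    public FilterRegistrationBean<CorsFilter> corsFilter() {
        CorsConfiguration policy = new CorsConfiguration();
        // NOTE(review): allowCredentials(true) combined with the "*" origin is the riskiest
        // setting in this class. Depending on the Spring Framework version, the framework either
        // echoes the caller's Origin back together with Access-Control-Allow-Credentials: true
        // (so any web page can issue authenticated cross-origin calls with the user's session),
        // or rejects the combination when a CORS request is processed -- TODO confirm against the
        // version in use. Preferred fix: list the trusted origins explicitly, driven by
        // configuration, and keep credentials enabled only for those.
        policy.setAllowCredentials(true);
        policy.addAllowedOrigin("*");
        policy.addAllowedHeader("*");
        // The wildcard already covers every HTTP method, so the former extra "POST" entry was
        // redundant and has been dropped.
        policy.addAllowedMethod("*");

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", policy);

        FilterRegistrationBean<CorsFilter> registration =
                new FilterRegistrationBean<>(new CorsFilter(source));
        registration.setOrder(0);
        return registration;
    }

    /**
     * Builds the LDAP context source from the configured server URL and base DN.
     *
     * @return context source pointing at {@code <serverUrl>/<baseDn>}
     */
    @Bean
    public DefaultSpringSecurityContextSource defaultSpringSecurityContextSource() {
        return new DefaultSpringSecurityContextSource(this.ldapServerUrl + "/" + this.ldapBaseDn);
    }

    /**
     * Creates the populator that turns a user's LDAP group memberships into granted authorities.
     *
     * <p>Groups are searched in the whole subtree below the configured group search base. Each
     * group is mapped to an authority whose name is the group's full DN, with no role prefix.
     *
     * @return the configured authorities populator
     */
    @Bean
    public LdapAuthoritiesPopulator authoritiesPopulator() {
        DefaultLdapAuthoritiesPopulator populator =
                new DefaultLdapAuthoritiesPopulator(
                        defaultSpringSecurityContextSource(), this.ldapGroupSearchBase);
        populator.setGroupSearchFilter(this.ldapGroupSearchFilter);
        populator.setSearchSubtree(true);
        populator.setRolePrefix("");
        // Passing the lambda directly lets the compiler infer the mapper's generic type, which
        // replaces the raw Function and the unchecked casts of the previous version.
        // The authority name is the first value stored under the "spring.security.ldap.dn" key;
        // a record without that key would fail here with a NullPointerException.
        populator.setAuthorityMapper(
                groupRecord ->
                        new SimpleGrantedAuthority(
                                groupRecord.get("spring.security.ldap.dn").get(0)));
        return populator;
    }

    /**
     * Creates an authority mapper with an empty prefix, so authority names are not decorated
     * with the usual {@code ROLE_} prefix.
     *
     * @return the authorities mapper
     */
    @Bean
    public GrantedAuthoritiesMapper grantedAuthoritiesMapper() {
        SimpleAuthorityMapper mapper = new SimpleAuthorityMapper();
        mapper.setPrefix("");
        return mapper;
    }

    /**
     * Configures LDAP authentication: user DN pattern, group lookup, authority mapping, the
     * directory URL and password comparison against the {@code userPassword} attribute.
     *
     * @param authenticationManagerBuilder builder supplied by Spring Security
     * @throws Exception if the LDAP authentication setup fails
     */
    @Override
    public void configure(AuthenticationManagerBuilder authenticationManagerBuilder)
            throws Exception {
        // NOTE(review): passwordCompare() checks the submitted password against the stored
        // userPassword attribute instead of binding as the user. Confirm how that attribute is
        // encoded in the directory and that the LDAP connection is TLS-protected.
        authenticationManagerBuilder
                .ldapAuthentication()
                .userDnPatterns(this.ldapUserDnPatterns)
                .groupSearchBase(this.ldapGroupSearchBase)
                .ldapAuthoritiesPopulator(authoritiesPopulator())
                .authoritiesMapper(grantedAuthoritiesMapper())
                .contextSource()
                .url(this.ldapServerUrl + "/" + this.ldapBaseDn)
                .and()
                .passwordCompare()
                .passwordAttribute("userPassword");
    }

    /**
     * Configures the HTTP security rules.
     *
     * <p>Static resources ({@code /css/**}, {@code /img/**}) and {@code GET /docs/**} are public,
     * HTTP Basic is enabled, CSRF protection is disabled, and the JAAS filters are installed.
     * In dev mode the H2 console is made public and framing is allowed from the same origin;
     * otherwise the form-login rules from {@link #addLoginPageConfiguration(HttpSecurity)} apply.
     *
     * @param httpSecurity the security builder supplied by Spring Security
     * @throws Exception if the configuration cannot be applied
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        // NOTE(review): CSRF protection is switched off globally although the non-dev branch
        // uses a cookie-based session (form login, JSESSIONID). Together with the credentialed
        // wildcard CORS policy this leaves state-changing endpoints without a cross-site request
        // defence in this class; re-enable CSRF for browser sessions or restrict CORS origins.
        httpSecurity
                .authorizeRequests()
                .antMatchers("/css/**", "/img/**")
                .permitAll()
                .and()
                .csrf()
                .disable()
                .httpBasic()
                .and()
                .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/docs/**")
                .permitAll()
                .and()
                .addFilter(jaasApiIntegrationFilter())
                .addFilterAfter(new SpringSecurityToJaasFilter(), JaasApiIntegrationFilter.class);

        if (this.devMode) {
            // NOTE(review): this branch registers no anyRequest() rule, so URL-level
            // authentication is not enforced by this class, and /h2-console/** (a database
            // console) is reachable without login. Keep devMode off on any reachable host.
            httpSecurity
                    .headers()
                    .frameOptions()
                    .sameOrigin()
                    .and()
                    .authorizeRequests()
                    .antMatchers("/h2-console/**")
                    .permitAll();
        } else {
            addLoginPageConfiguration(httpSecurity);
        }
    }

    /**
     * Requires full authentication for every request and sets up form login and logout.
     *
     * <p>Login page is {@code /login}; logout is triggered by {@code /logout}, invalidates the
     * HTTP session, clears the authentication and deletes the {@code JSESSIONID} cookie.
     *
     * @param httpSecurity the security builder to extend
     * @throws Exception if the configuration cannot be applied
     */
    protected void addLoginPageConfiguration(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                .authorizeRequests()
                .anyRequest()
                .fullyAuthenticated()
                .and()
                .formLogin()
                .loginPage("/login")
                .failureUrl("/login?error")
                .defaultSuccessUrl("/")
                .permitAll()
                .and()
                .logout()
                .invalidateHttpSession(true)
                .clearAuthentication(true)
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessUrl("/login?logout")
                .deleteCookies("JSESSIONID")
                .permitAll();
    }

    /**
     * Creates the JAAS integration filter with {@code createEmptySubject} enabled, so that a
     * subject is available to downstream code even when none could be derived from the request.
     *
     * @return the configured filter
     */
    protected JaasApiIntegrationFilter jaasApiIntegrationFilter() {
        JaasApiIntegrationFilter filter = new JaasApiIntegrationFilter();
        filter.setCreateEmptySubject(true);
        return filter;
    }
}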
