package org.molgenis.security;

import java.util.List;
import javax.servlet.Filter;
import javax.sql.DataSource;
import org.molgenis.data.DataService;
import org.molgenis.framework.ui.ResourcePathPatterns;
import org.molgenis.security.account.AccountController;
import org.molgenis.security.core.MolgenisPasswordEncoder;
import org.molgenis.security.core.MolgenisPermissionService;
import org.molgenis.security.permission.MolgenisPermissionServiceImpl;
import org.molgenis.security.token.DataServiceTokenService;
import org.molgenis.security.token.TokenAuthenticationFilter;
import org.molgenis.security.token.TokenAuthenticationProvider;
import org.molgenis.security.token.TokenGenerator;
import org.molgenis.security.token.TokenService;
import org.molgenis.security.user.MolgenisUserDetailsChecker;
import org.molgenis.security.user.MolgenisUserDetailsService;
import org.molgenis.security.user.MolgenisUserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyAuthoritiesMapper;
import org.springframework.security.access.vote.RoleHierarchyVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.AnonymousAuthenticationProvider;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.core.userdetails.UserDetailsChecker;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.authentication.switchuser.SwitchUserFilter;
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
import org.springframework.security.web.header.writers.CacheControlHeadersWriter;
import org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;

/* loaded from: input_file:WEB-INF/lib/molgenis-security-1.9.0-SNAPSHOT.jar:org/molgenis/security/MolgenisWebAppSecurityConfig.class */
/**
 * Base Spring Security configuration for a MOLGENIS web application.
 *
 * <p>Wires the filter chain (anonymous, token and change-password filters), the URL
 * authorization table, response security headers and the authentication providers.
 * Concrete subclasses supply the role hierarchy, the anonymous user's authorities and any
 * additional URL rules.
 *
 * <p>Security-relevant choices made here that a reviewer should be aware of:
 * <ul>
 *   <li>CSRF protection is disabled while session-based form login is enabled.</li>
 *   <li>Several path families are open at the URL layer ({@code permitAll}); any access
 *       control for them has to be enforced further down the stack.</li>
 *   <li>Everything not matched explicitly is denied ({@code anyRequest().denyAll()}).</li>
 *   <li>The anonymous-authentication key is a compile-time constant.</li>
 * </ul>
 */
public abstract class MolgenisWebAppSecurityConfig extends WebSecurityConfigurerAdapter {
    // Shared by the anonymous filter and the anonymous provider below; both must use the same key.
    // NOTE(review): this is a fixed, publicly visible value rather than a per-deployment secret.
    private static final String ANONYMOUS_AUTHENTICATION_KEY = "anonymousAuthenticationKey";

    @Autowired
    private DataService dataService;

    // Injected but not referenced anywhere in this class.
    @Autowired
    private DataSource dataSource;

    @Autowired
    private MolgenisUserService molgenisUserService;

    /**
     * Configures response headers, custom filters, URL authorization and login/logout handling.
     *
     * <p>The order of the statements and of the matcher rules is significant: filters are
     * positioned relative to each other, and URL rules are evaluated in registration order.
     *
     * @param httpSecurity the builder to configure
     * @throws Exception if any of the underlying configurers fails
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        // Static resources are excluded from the no-cache headers so that browsers may cache them.
        OrRequestMatcher staticResources = new OrRequestMatcher(
                new AntPathRequestMatcher(ResourcePathPatterns.PATTERN_CSS),
                new AntPathRequestMatcher(ResourcePathPatterns.PATTERN_JS),
                new AntPathRequestMatcher(ResourcePathPatterns.PATTERN_IMG),
                new AntPathRequestMatcher(ResourcePathPatterns.PATTERN_FONTS));
        DelegatingRequestMatcherHeaderWriter noCacheForDynamicContent =
                new DelegatingRequestMatcherHeaderWriter(
                        new NegatedRequestMatcher(staticResources), new CacheControlHeadersWriter());

        // Content-type sniffing, XSS filter, HSTS and frame-options headers, plus cache control.
        httpSecurity.headers()
                .contentTypeOptions().and()
                .xssProtection().and()
                .httpStrictTransportSecurity().and()
                .frameOptions().and()
                .addHeaderWriter(noCacheForDynamicContent);

        // The project's anonymous filter is placed ahead of Spring's stock anonymous filter.
        httpSecurity.addFilterBefore(anonymousAuthFilter(), AnonymousAuthenticationFilter.class);
        httpSecurity.authenticationProvider(anonymousAuthenticationProvider());

        // Token authentication runs before the anonymous filter registered just above.
        httpSecurity.addFilterBefore(tokenAuthenticationFilter(), MolgenisAnonymousAuthenticationFilter.class);
        httpSecurity.authenticationProvider(tokenAuthenticationProvider());

        httpSecurity.addFilterAfter(changePasswordFilter(), SwitchUserFilter.class);

        ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry urlRules =
                httpSecurity.authorizeRequests();

        // Subclass rules are registered first, so they are matched before the rules below.
        configureUrlAuthorization(urlRules);

        // NOTE(review): "/api/**", "/permission/**/write/**", "/files/**" and "/account/**" are
        // permitAll at this layer; presumably authorization is enforced by the handlers or the
        // data layer. Verify that, since this table will not stop an unauthenticated request.
        // NOTE(review): CHANGE_PASSWORD_URI is registered before "/account/**" so that the
        // authenticated() rule is reached first; presumably that URI lives under /account.
        urlRules
                .antMatchers(DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL).permitAll()
                .antMatchers("/logo/**").permitAll()
                .antMatchers("/molgenis.R").permitAll()
                .antMatchers(AccountController.CHANGE_PASSWORD_URI).authenticated()
                .antMatchers("/account/**").permitAll()
                .antMatchers(ResourcePathPatterns.PATTERN_CSS).permitAll()
                .antMatchers(ResourcePathPatterns.PATTERN_IMG).permitAll()
                .antMatchers(ResourcePathPatterns.PATTERN_JS).permitAll()
                .antMatchers(ResourcePathPatterns.PATTERN_FONTS).permitAll()
                .antMatchers("/html/**").permitAll()
                .antMatchers("/plugin/void/**").permitAll()
                .antMatchers("/api/**").permitAll()
                .antMatchers("/search").permitAll()
                .antMatchers("/captcha").permitAll()
                .antMatchers("/dataindexerstatus").authenticated()
                .antMatchers("/permission/**/write/**").permitAll()
                .antMatchers("/scripts/**/run").authenticated()
                .antMatchers("/files/**").permitAll()
                // Default deny: anything not listed above (or by the subclass) is rejected.
                .anyRequest().denyAll()
                .and()
                .httpBasic()
                .authenticationEntryPoint(authenticationEntryPoint())
                .and()
                .formLogin()
                .loginPage(DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL)
                .failureUrl("/login?error")
                .and()
                .logout()
                .logoutSuccessUrl("/")
                .and()
                // NOTE(review): CSRF protection is switched off although form login (cookie
                // session) is enabled above. Confirm that state-changing endpoints are protected
                // by another mechanism, or re-enable CSRF for browser-facing routes.
                .csrf()
                .disable();
    }

    /**
     * Hook for subclasses to register application-specific URL rules. Called before the
     * rules defined in this class are added.
     *
     * @param expressionInterceptUrlRegistry registry to add matcher rules to
     */
    protected abstract void configureUrlAuthorization(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry expressionInterceptUrlRegistry);

    /**
     * Supplies the role hierarchy used by the voter and the authorities mapper beans.
     *
     * @return the role hierarchy of the concrete application
     */
    protected abstract RoleHierarchy roleHierarchy();

    /**
     * Creates the anonymous authentication filter, keyed with the shared anonymous key and
     * using "anonymous" as the principal.
     *
     * @return the anonymous authentication filter
     */
    @Bean
    public MolgenisAnonymousAuthenticationFilter anonymousAuthFilter() {
        UserDetailsService userLookup = userDetailsService();
        return new MolgenisAnonymousAuthenticationFilter(ANONYMOUS_AUTHENTICATION_KEY, "anonymous", userLookup);
    }

    /**
     * Supplies the authorities granted to the anonymous user. Not called from this class.
     *
     * @return authorities for anonymous access
     */
    protected abstract List<GrantedAuthority> createAnonymousUserAuthorities();

    /**
     * Creates the provider that accepts anonymous tokens carrying the shared anonymous key.
     *
     * @return the anonymous authentication provider
     */
    @Bean
    public AnonymousAuthenticationProvider anonymousAuthenticationProvider() {
        return new AnonymousAuthenticationProvider(ANONYMOUS_AUTHENTICATION_KEY);
    }

    /**
     * Creates the token service backed by the data service and a fresh token generator.
     *
     * @return the token service
     */
    @Bean
    public TokenService tokenService() {
        TokenGenerator generator = new TokenGenerator();
        return new DataServiceTokenService(generator, this.dataService, userDetailsService());
    }

    /**
     * Creates the authentication provider that validates tokens through {@link #tokenService()}.
     *
     * @return the token authentication provider
     */
    @Bean
    public AuthenticationProvider tokenAuthenticationProvider() {
        TokenService tokens = tokenService();
        return new TokenAuthenticationProvider(tokens);
    }

    /**
     * Creates the servlet filter that performs token authentication.
     *
     * @return the token authentication filter
     */
    @Bean
    public Filter tokenAuthenticationFilter() {
        AuthenticationProvider tokenProvider = tokenAuthenticationProvider();
        return new TokenAuthenticationFilter(tokenProvider);
    }

    /**
     * Creates the change-password filter, which is given the user service and a redirect strategy.
     *
     * @return the change-password filter
     */
    @Bean
    public Filter changePasswordFilter() {
        RedirectStrategy redirects = redirectStrategy();
        return new MolgenisChangePasswordFilter(this.molgenisUserService, redirects);
    }

    /**
     * Creates the redirect strategy used by the change-password filter.
     *
     * @return a {@link DefaultRedirectStrategy}
     */
    @Bean
    public RedirectStrategy redirectStrategy() {
        return new DefaultRedirectStrategy();
    }

    /**
     * Exposes the subclass-provided role hierarchy as a bean.
     *
     * @return the role hierarchy
     */
    @Bean
    public RoleHierarchy roleHierarchyBean() {
        return roleHierarchy();
    }

    /**
     * Creates a role voter that takes the role hierarchy into account.
     *
     * @return a {@link RoleHierarchyVoter}
     */
    @Bean
    public RoleVoter roleVoter() {
        RoleHierarchy hierarchy = roleHierarchy();
        return new RoleHierarchyVoter(hierarchy);
    }

    /**
     * Creates the authorities mapper that applies the role hierarchy to granted authorities.
     *
     * @return a {@link RoleHierarchyAuthoritiesMapper}
     */
    @Bean
    public GrantedAuthoritiesMapper roleHierarchyAuthoritiesMapper() {
        RoleHierarchy hierarchy = roleHierarchy();
        return new RoleHierarchyAuthoritiesMapper(hierarchy);
    }

    /**
     * Creates the password encoder: a {@link MolgenisPasswordEncoder} wrapping BCrypt.
     * No strength argument is passed, so BCrypt runs with the library default work factor.
     *
     * @return the password encoder
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        BCryptPasswordEncoder bcrypt = new BCryptPasswordEncoder();
        return new MolgenisPasswordEncoder(bcrypt);
    }

    /**
     * Builds a user details service on top of the data service and the hierarchy-aware
     * authorities mapper. This method is not a bean method; each direct call constructs a
     * new instance.
     *
     * @return a new {@link MolgenisUserDetailsService}
     */
    @Override
    protected UserDetailsService userDetailsService() {
        GrantedAuthoritiesMapper mapper = roleHierarchyAuthoritiesMapper();
        return new MolgenisUserDetailsService(this.dataService, mapper);
    }

    /**
     * Exposes the user details service as a bean.
     *
     * @return the user details service
     * @throws Exception declared by the overridden method
     */
    @Override
    @Bean
    public UserDetailsService userDetailsServiceBean() throws Exception {
        return userDetailsService();
    }

    /**
     * Creates the checker used as pre-authentication check by the DAO provider.
     *
     * @return a {@link MolgenisUserDetailsChecker}
     */
    @Bean
    public UserDetailsChecker userDetailsChecker() {
        return new MolgenisUserDetailsChecker();
    }

    /**
     * Registers username/password authentication: the user details service on the builder
     * and an explicit DAO provider with the password encoder and pre-authentication checks.
     *
     * @param authenticationManagerBuilder the builder to configure
     * @throws RuntimeException wrapping any exception raised while configuring
     */
    @Override
    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) {
        try {
            // NOTE(review): registering the user details service on the builder may itself add
            // a DAO provider that uses the library's default password encoder and none of the
            // pre-authentication checks set below. Confirm against the Spring Security version
            // in use that only the explicitly configured provider is effective.
            authenticationManagerBuilder.userDetailsService(userDetailsServiceBean());

            DaoAuthenticationProvider passwordProvider = new DaoAuthenticationProvider();
            passwordProvider.setPasswordEncoder(passwordEncoder());
            passwordProvider.setUserDetailsService(userDetailsServiceBean());
            passwordProvider.setPreAuthenticationChecks(userDetailsChecker());
            authenticationManagerBuilder.authenticationProvider(passwordProvider);
        } catch (Exception ex) {
            // The overridden signature here declares no checked exception, so rethrow unchecked.
            throw new RuntimeException(ex);
        }
    }

    /**
     * Exposes the authentication manager built by the parent class as a bean.
     *
     * @return the authentication manager
     * @throws Exception if the parent class cannot provide it
     */
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Creates the permission service bean.
     *
     * @return a {@link MolgenisPermissionServiceImpl}
     */
    @Bean
    public MolgenisPermissionService molgenisPermissionService() {
        return new MolgenisPermissionServiceImpl();
    }

    /**
     * Creates the authentication entry point, pointed at the default login page URL. It is
     * also installed as the entry point for HTTP Basic in {@link #configure(HttpSecurity)}.
     *
     * @return an {@link AjaxAwareLoginUrlAuthenticationEntryPoint}
     */
    @Bean
    public LoginUrlAuthenticationEntryPoint authenticationEntryPoint() {
        return new AjaxAwareLoginUrlAuthenticationEntryPoint(DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL);
    }
}
