package org.molgenis.security;

import com.google.api.client.googleapis.auth.oauth2.GooglePublicKeysManager;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;
import java.util.List;
import javax.servlet.Filter;
import org.molgenis.core.framework.ui.ResourcePathPatterns;
import org.molgenis.data.DataService;
import org.molgenis.data.security.auth.GroupMemberFactory;
import org.molgenis.data.security.auth.TokenFactory;
import org.molgenis.data.security.auth.UserFactory;
import org.molgenis.data.security.user.UserService;
import org.molgenis.security.account.AccountController;
import org.molgenis.security.core.MolgenisPasswordEncoder;
import org.molgenis.security.core.token.TokenService;
import org.molgenis.security.google.GoogleAuthenticationProcessingFilter;
import org.molgenis.security.settings.AuthenticationSettings;
import org.molgenis.security.token.DataServiceTokenService;
import org.molgenis.security.token.TokenAuthenticationFilter;
import org.molgenis.security.token.TokenAuthenticationProvider;
import org.molgenis.security.token.TokenGenerator;
import org.molgenis.security.twofactor.auth.RecoveryAuthenticationProvider;
import org.molgenis.security.twofactor.auth.RecoveryAuthenticationProviderImpl;
import org.molgenis.security.twofactor.auth.TwoFactorAuthenticationFilter;
import org.molgenis.security.twofactor.auth.TwoFactorAuthenticationProvider;
import org.molgenis.security.twofactor.auth.TwoFactorAuthenticationProviderImpl;
import org.molgenis.security.twofactor.service.OtpService;
import org.molgenis.security.twofactor.service.RecoveryService;
import org.molgenis.security.twofactor.service.TwoFactorAuthenticationService;
import org.molgenis.security.user.MolgenisUserDetailsChecker;
import org.molgenis.security.user.UserAccountService;
import org.molgenis.security.user.UserDetailsService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyAuthoritiesMapper;
import org.springframework.security.access.intercept.RunAsImplAuthenticationProvider;
import org.springframework.security.access.vote.RoleHierarchyVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.AnonymousAuthenticationProvider;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.core.userdetails.UserDetailsChecker;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
import org.springframework.security.web.authentication.switchuser.SwitchUserFilter;
import org.springframework.security.web.header.writers.CacheControlHeadersWriter;
import org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.security.web.session.InvalidSessionStrategy;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;

/* loaded from: input_file:WEB-INF/lib/molgenis-security-6.1.0.jar:org/molgenis/security/MolgenisWebAppSecurityConfig.class */
/**
 * Base Spring Security configuration for the MOLGENIS web application.
 *
 * <p>Wires the HTTP security filter chain (anonymous, token, Google, change-password and
 * two-factor filters), the authentication providers backing it, the URL authorization rules and
 * the form-login / HTTP-basic / logout setup. Concrete applications subclass this and supply
 * their own URL rules, role hierarchy and anonymous authorities through the abstract hooks.
 *
 * <p>Security notes a reviewer should be aware of (see the inline comments for details):
 * <ul>
 *   <li>CSRF protection is disabled for the whole application ({@code csrf().disable()}), while
 *       cookie-based sessions (JSESSIONID) and form login are in use.</li>
 *   <li>Large URL spaces such as {@code /api/**}, {@code /permission/**}, {@code /files/**} and
 *       {@code /apps/**} are {@code permitAll} at this layer, so authorization for them has to be
 *       enforced further down (not visible in this file).</li>
 *   <li>Static resources are excluded from the filter chain entirely, so none of the headers
 *       configured here are written on those responses.</li>
 * </ul>
 */
public abstract class MolgenisWebAppSecurityConfig extends WebSecurityConfigurerAdapter {
    /**
     * Shared secret that ties the anonymous tokens minted by {@link MolgenisAnonymousAuthenticationFilter}
     * to {@link AnonymousAuthenticationProvider}. It never leaves the JVM, so a fixed literal is
     * acceptable here; it must simply be the same on both sides.
     */
    private static final String ANONYMOUS_AUTHENTICATION_KEY = "anonymousAuthenticationKey";

    @Autowired
    private DataService dataService;

    @Autowired
    private UserService userService;

    @Autowired
    private AuthenticationSettings authenticationSettings;

    @Autowired
    private TokenFactory tokenFactory;

    @Autowired
    private UserFactory userFactory;

    @Autowired
    private GroupMemberFactory groupMemberFactory;

    @Autowired
    private OtpService otpService;

    @Autowired
    private TwoFactorAuthenticationService twoFactorAuthenticationService;

    @Autowired
    private RecoveryService recoveryService;

    @Autowired
    private UserAccountService userAccountService;

    /**
     * Builds the HTTP security filter chain: response headers, custom filters and providers,
     * URL authorization, login/logout handling.
     *
     * @param http the builder for the single filter chain of this application
     * @throws Exception propagated from the Spring Security builder API
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Cache-Control headers are written for everything except static resources. Note that the
        // same patterns are excluded from the filter chain altogether in configure(WebSecurity),
        // so within this chain the negation never actually matches a static resource.
        OrRequestMatcher staticResources = new OrRequestMatcher(
                new AntPathRequestMatcher(ResourcePathPatterns.PATTERN_CSS),
                new AntPathRequestMatcher(ResourcePathPatterns.PATTERN_JS),
                new AntPathRequestMatcher(ResourcePathPatterns.PATTERN_IMG),
                new AntPathRequestMatcher(ResourcePathPatterns.PATTERN_FONTS));
        DelegatingRequestMatcherHeaderWriter cacheControlForDynamicContent =
                new DelegatingRequestMatcherHeaderWriter(
                        new NegatedRequestMatcher(staticResources), new CacheControlHeadersWriter());

        // Expired/invalid sessions are redirected (or answered with an AJAX-aware response) to /login?expired.
        http.sessionManagement().invalidSessionStrategy(invalidSessionStrategy());

        // X-Content-Type-Options, X-XSS-Protection (legacy header, ignored by modern browsers),
        // Strict-Transport-Security (only meaningful when the app is served over TLS) and
        // X-Frame-Options, plus the conditional Cache-Control writer above.
        http.headers()
                .contentTypeOptions().and()
                .xssProtection().and()
                .httpStrictTransportSecurity().and()
                .frameOptions().and()
                .addHeaderWriter(cacheControlForDynamicContent);

        // Custom filters, placed relative to each other: Google -> token -> MOLGENIS anonymous
        // (which replaces the stock anonymous filter), then change-password and 2FA after
        // SwitchUserFilter so they see the fully established Authentication.
        http.addFilterBefore(anonymousAuthFilter(), AnonymousAuthenticationFilter.class);
        http.authenticationProvider(anonymousAuthenticationProvider());
        http.authenticationProvider(tokenAuthenticationProvider());
        http.authenticationProvider(runAsAuthenticationProvider());
        http.addFilterBefore(tokenAuthenticationFilter(), MolgenisAnonymousAuthenticationFilter.class);
        http.addFilterBefore(googleAuthenticationProcessingFilter(), TokenAuthenticationFilter.class);
        http.addFilterAfter(changePasswordFilter(), SwitchUserFilter.class);
        http.addFilterAfter(twoFactorAuthenticationFilter(), MolgenisChangePasswordFilter.class);
        http.authenticationProvider(twoFactorAuthenticationProvider());
        http.authenticationProvider(recoveryAuthenticationProvider());

        // URL authorization. Rules are evaluated in registration order and the first match wins,
        // so the subclass hook runs first and can take precedence over the defaults below.
        ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry rules =
                http.authorizeRequests();
        configureUrlAuthorization(rules);

        rules.antMatchers("/login").permitAll();
        rules.antMatchers("/2fa/**").permitAll();
        rules.antMatchers(GoogleAuthenticationProcessingFilter.GOOGLE_AUTHENTICATION_URL).permitAll();
        rules.antMatchers("/beacon/**").permitAll();
        rules.antMatchers("/logo/**").permitAll();
        rules.antMatchers("/molgenis.py").permitAll();
        rules.antMatchers("/molgenis.R").permitAll();
        // Must stay ahead of the broader /account/** permitAll rule; presumably the change-password
        // URI lives under /account/ and would otherwise become anonymously reachable.
        rules.antMatchers(AccountController.CHANGE_PASSWORD_URI).authenticated();
        rules.antMatchers("/account/**").permitAll();
        rules.antMatchers(ResourcePathPatterns.PATTERN_SWAGGER).permitAll();
        rules.antMatchers(ResourcePathPatterns.PATTERN_CSS).permitAll();
        rules.antMatchers(ResourcePathPatterns.PATTERN_IMG).permitAll();
        rules.antMatchers(ResourcePathPatterns.PATTERN_JS).permitAll();
        rules.antMatchers(ResourcePathPatterns.PATTERN_FONTS).permitAll();
        rules.antMatchers("/html/**").permitAll();
        rules.antMatchers("/plugin/void/**").permitAll();
        // NOTE(review): permitAll here only means no authentication is required to reach these
        // endpoints; row/entity-level authorization for /api/**, /permission/**, /files/** and
        // /apps/** is presumably enforced in the data/service layer - confirm, this file does not show it.
        rules.antMatchers("/api/**").permitAll();
        rules.antMatchers("/webjars/**").permitAll();
        rules.antMatchers("/search").permitAll();
        rules.antMatchers("/captcha").permitAll();
        rules.antMatchers("/dataindexerstatus").authenticated();
        rules.antMatchers("/permission/**/read/**").permitAll();
        rules.antMatchers("/permission/**/write/**").permitAll();
        rules.antMatchers("/scripts/**/run").authenticated();
        rules.antMatchers("/scripts/**/start").authenticated();
        rules.antMatchers("/files/**").permitAll();
        rules.antMatchers("/apps/**").permitAll();
        // Deny-by-default: any URL not matched above (by the subclass or here) is rejected.
        rules.anyRequest().denyAll();

        // HTTP Basic is enabled next to form login; Basic credentials travel with every request,
        // which is only acceptable over TLS (HSTS above helps, but cannot enforce the first hop).
        http.httpBasic().authenticationEntryPoint(authenticationEntryPoint());
        http.formLogin().loginPage("/login").failureUrl("/login?error");

        http.logout()
                .deleteCookies("JSESSIONID")
                .addLogoutHandler((request, response, authentication) -> {
                    // The session is about to be invalidated; carry the "unsupported browser"
                    // flag over to the request so the success handler can still see it.
                    boolean hasSession = request.getSession(false) != null;
                    if (hasSession
                            && request.getSession().getAttribute("continueWithUnsupportedBrowser") != null) {
                        request.setAttribute("continueWithUnsupportedBrowser", true);
                    }
                })
                .logoutSuccessHandler((request, response, authentication) -> {
                    // Fixed target (root), optionally preserving the unsupported-browser flag;
                    // no user-controlled redirect target is involved.
                    String target = "/";
                    if (request.getAttribute("continueWithUnsupportedBrowser") != null) {
                        target += "?continueWithUnsupportedBrowser=true";
                    }
                    SimpleUrlLogoutSuccessHandler delegate = new SimpleUrlLogoutSuccessHandler();
                    delegate.setDefaultTargetUrl(target);
                    delegate.onLogoutSuccess(request, response, authentication);
                });

        // NOTE(review): CSRF protection is switched off for the entire application even though
        // browser clients authenticate with a JSESSIONID cookie via form login. State-changing
        // browser requests are therefore exposed to cross-site request forgery, and Spring
        // Security will accept the logout request on any HTTP method (GET included). The usual
        // remedy is to keep csrf() enabled and exempt only the token-authenticated (non-cookie)
        // endpoints; which paths those are is not visible from this file.
        http.csrf().disable();
    }

    /**
     * Excludes static resources from the security filter chain completely. Requests for these
     * patterns therefore get no security headers, no session handling and no authorization.
     *
     * @param web the web security builder
     * @throws Exception propagated from the Spring Security builder API
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers(
                ResourcePathPatterns.PATTERN_CSS,
                ResourcePathPatterns.PATTERN_IMG,
                ResourcePathPatterns.PATTERN_JS,
                ResourcePathPatterns.PATTERN_FONTS);
    }

    /**
     * Provider that accepts run-as tokens (e.g. for background job execution).
     *
     * <p>The key must match the one used by the RunAsManager that mints the tokens (configured
     * elsewhere); run-as tokens are process-internal and never exposed to clients, so the fixed
     * literal is a coupling concern rather than a secret.
     *
     * @return the run-as authentication provider
     */
    @Bean
    public AuthenticationProvider runAsAuthenticationProvider() {
        RunAsImplAuthenticationProvider runAsProvider = new RunAsImplAuthenticationProvider();
        runAsProvider.setKey("Job Execution");
        return runAsProvider;
    }

    /**
     * Hook for application-specific URL rules; these are registered before the defaults in
     * {@link #configure(HttpSecurity)} and thus take precedence over them.
     *
     * @param expressionInterceptUrlRegistry the registry to add rules to
     */
    protected abstract void configureUrlAuthorization(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry expressionInterceptUrlRegistry);

    /**
     * Hook for the application's role hierarchy, used by the voter and the authorities mapper.
     *
     * @return the role hierarchy
     */
    protected abstract RoleHierarchy roleHierarchy();

    /**
     * MOLGENIS replacement for Spring's anonymous filter; populates the context with the
     * "anonymous" user loaded through the user details service.
     *
     * @return the anonymous authentication filter
     */
    @Bean
    public MolgenisAnonymousAuthenticationFilter anonymousAuthFilter() {
        return new MolgenisAnonymousAuthenticationFilter(
                ANONYMOUS_AUTHENTICATION_KEY, "anonymous", userDetailsService());
    }

    /**
     * Hook for the authorities granted to the anonymous user.
     *
     * @return the anonymous user's authorities
     */
    protected abstract List<GrantedAuthority> createAnonymousUserAuthorities();

    /**
     * Provider that validates anonymous tokens created by {@link #anonymousAuthFilter()}
     * (same key on both sides).
     *
     * @return the anonymous authentication provider
     */
    @Bean
    public AnonymousAuthenticationProvider anonymousAuthenticationProvider() {
        return new AnonymousAuthenticationProvider(ANONYMOUS_AUTHENTICATION_KEY);
    }

    /**
     * API token service backed by the data service; tokens are produced by {@link TokenGenerator}.
     *
     * @return the token service
     */
    @Bean
    public TokenService tokenService() {
        TokenGenerator generator = new TokenGenerator();
        return new DataServiceTokenService(generator, this.dataService, userDetailsService(), this.tokenFactory);
    }

    /**
     * Provider that authenticates requests carrying an API token.
     *
     * @return the token authentication provider
     */
    @Bean
    public AuthenticationProvider tokenAuthenticationProvider() {
        return new TokenAuthenticationProvider(tokenService());
    }

    /**
     * Filter that extracts an API token from the request and authenticates it.
     *
     * @return the token authentication filter
     */
    @Bean
    public Filter tokenAuthenticationFilter() {
        return new TokenAuthenticationFilter(tokenAuthenticationProvider());
    }

    /**
     * Manager for Google's public keys, used by the Google filter (presumably to verify ID-token
     * signatures); fetches over the default HTTP transport.
     *
     * @return the Google public keys manager
     */
    @Bean
    public GooglePublicKeysManager googlePublicKeysManager() {
        NetHttpTransport transport = new NetHttpTransport();
        return new GooglePublicKeysManager(transport, new JacksonFactory());
    }

    /**
     * Filter handling Google sign-in; can create users and group memberships (it receives the
     * corresponding factories) according to {@link AuthenticationSettings}.
     *
     * @return the Google authentication processing filter
     * @throws Exception if the authentication manager bean cannot be obtained
     */
    @Bean
    public Filter googleAuthenticationProcessingFilter() throws Exception {
        GoogleAuthenticationProcessingFilter googleFilter = new GoogleAuthenticationProcessingFilter(
                googlePublicKeysManager(),
                this.dataService,
                (UserDetailsService) userDetailsService(),
                this.authenticationSettings,
                this.userFactory,
                this.groupMemberFactory);
        googleFilter.setAuthenticationManager(authenticationManagerBean());
        return googleFilter;
    }

    /**
     * Filter redirecting users who must change their password.
     *
     * @return the change-password filter
     */
    @Bean
    public Filter changePasswordFilter() {
        return new MolgenisChangePasswordFilter(this.userService, redirectStrategy());
    }

    /**
     * Filter redirecting authenticated users to the second-factor step when 2FA applies.
     *
     * @return the two-factor authentication filter
     */
    @Bean
    public TwoFactorAuthenticationFilter twoFactorAuthenticationFilter() {
        return new TwoFactorAuthenticationFilter(
                this.authenticationSettings,
                this.twoFactorAuthenticationService,
                redirectStrategy(),
                this.userAccountService);
    }

    /**
     * Provider verifying one-time passwords (and recovery codes) for the second factor.
     *
     * @return the two-factor authentication provider
     */
    @Bean
    public TwoFactorAuthenticationProvider twoFactorAuthenticationProvider() {
        return new TwoFactorAuthenticationProviderImpl(
                this.twoFactorAuthenticationService, this.otpService, this.recoveryService);
    }

    /**
     * Provider verifying 2FA recovery codes.
     *
     * @return the recovery authentication provider
     */
    @Bean
    public RecoveryAuthenticationProvider recoveryAuthenticationProvider() {
        return new RecoveryAuthenticationProviderImpl(this.recoveryService);
    }

    /**
     * Redirect strategy shared by the change-password and 2FA filters.
     *
     * @return Spring's default redirect strategy
     */
    @Bean
    public RedirectStrategy redirectStrategy() {
        return new DefaultRedirectStrategy();
    }

    /**
     * Exposes the subclass-provided role hierarchy as a bean.
     *
     * @return the role hierarchy
     */
    @Bean
    public RoleHierarchy roleHierarchyBean() {
        return roleHierarchy();
    }

    /**
     * Role voter that honours the role hierarchy.
     *
     * @return the role voter
     */
    @Bean
    public RoleVoter roleVoter() {
        return new RoleHierarchyVoter(roleHierarchy());
    }

    /**
     * Expands granted authorities along the role hierarchy when users are loaded.
     *
     * @return the authorities mapper
     */
    @Bean
    public GrantedAuthoritiesMapper roleHierarchyAuthoritiesMapper() {
        return new RoleHierarchyAuthoritiesMapper(roleHierarchy());
    }

    /**
     * Password encoder: bcrypt, wrapped in the MOLGENIS encoder.
     *
     * @return the password encoder
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        BCryptPasswordEncoder bcrypt = new BCryptPasswordEncoder();
        return new MolgenisPasswordEncoder(bcrypt);
    }

    /**
     * User details service reading users from the data service. Note this is not a bean method,
     * so every caller (anonymous filter, token service, Google filter, the bean below) receives
     * its own instance.
     *
     * @return a new user details service
     */
    @Override
    protected org.springframework.security.core.userdetails.UserDetailsService userDetailsService() {
        return new UserDetailsService(this.dataService, roleHierarchyAuthoritiesMapper());
    }

    /**
     * Bean-exposed user details service.
     *
     * @return the user details service
     * @throws Exception never thrown by this implementation; declared by the overridden method
     */
    @Override
    @Bean
    public org.springframework.security.core.userdetails.UserDetailsService userDetailsServiceBean() throws Exception {
        return userDetailsService();
    }

    /**
     * Pre-authentication checks applied by the DAO provider. This replaces Spring's default
     * account-status checks (locked/disabled/expired), so MolgenisUserDetailsChecker has to
     * cover whatever of those the deployment relies on - not visible from this file.
     *
     * @return the user details checker
     */
    @Bean
    public UserDetailsChecker userDetailsChecker() {
        return new MolgenisUserDetailsChecker();
    }

    /**
     * Registers the username/password provider (bcrypt-verified, data-service backed).
     *
     * @param auth the authentication manager builder
     * @throws RuntimeException wrapping any checked exception from obtaining the user details service bean
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        DaoAuthenticationProvider daoProvider = new DaoAuthenticationProvider();
        daoProvider.setPasswordEncoder(passwordEncoder());
        try {
            daoProvider.setUserDetailsService(userDetailsServiceBean());
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
        daoProvider.setPreAuthenticationChecks(userDetailsChecker());
        auth.authenticationProvider(daoProvider);
    }

    /**
     * Exposes the authentication manager as a bean (used by the Google filter).
     *
     * @return the authentication manager
     * @throws Exception propagated from the superclass
     */
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Entry point for unauthenticated requests: redirects to /login, AJAX-aware.
     *
     * @return the login entry point
     */
    @Bean
    public LoginUrlAuthenticationEntryPoint authenticationEntryPoint() {
        return new AjaxAwareLoginUrlAuthenticationEntryPoint("/login");
    }

    /**
     * Strategy for requests carrying an invalid/expired session id: redirect to /login?expired, AJAX-aware.
     *
     * @return the invalid session strategy
     */
    @Bean
    public InvalidSessionStrategy invalidSessionStrategy() {
        return new AjaxAwareInvalidSessionStrategy("/login?expired");
    }

    /**
     * Publishes HttpSession lifecycle events to the Spring context (required for session-registry
     * based features such as concurrency control).
     *
     * @return the session event publisher
     */
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
