package org.zowe.apiml.apicatalog.security;

import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.Collections;
import java.util.Set;
import javax.servlet.Filter;
import lombok.Generated;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.zowe.apiml.filter.AttlsFilter;
import org.zowe.apiml.filter.SecureConnectionFilter;
import org.zowe.apiml.security.client.EnableApimlAuth;
import org.zowe.apiml.security.client.login.GatewayLoginProvider;
import org.zowe.apiml.security.client.token.GatewayTokenProvider;
import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
import org.zowe.apiml.security.common.config.CertificateAuthenticationProvider;
import org.zowe.apiml.security.common.config.HandlerInitializer;
import org.zowe.apiml.security.common.content.BasicContentFilter;
import org.zowe.apiml.security.common.content.CookieContentFilter;
import org.zowe.apiml.security.common.filter.ApimlX509Filter;
import org.zowe.apiml.security.common.login.LoginFilter;
import org.zowe.apiml.security.common.login.ShouldBeAlreadyAuthenticatedFilter;

/**
 * Spring Security configuration of the API Catalog (decompiled listing; the JADX markers are kept).
 *
 * <p>Two filter chains are registered:
 * <ul>
 *   <li>{@link FilterChainBasicAuthOrTokenOrCertForApiDoc} &ndash; {@code @Order(1)} and bound to
 *       {@value #APIDOC_ROUTES}; accepts basic credentials, a token, or an X.509 client certificate.</li>
 *   <li>{@link FilterChainBasicAuthOrTokenAllEndpoints} &ndash; default order, no path restriction;
 *       accepts basic credentials or a token for everything the first chain does not claim.</li>
 * </ul>
 * Both chains are stateless (no HTTP session) and share the baseline from
 * {@link #baseConfiguration(HttpSecurity)}, where CSRF, HSTS and X-Frame-Options are disabled
 * (see the notes there) and the credential filters from
 * {@link #mainframeCredentialsConfiguration(HttpSecurity, AuthenticationManager)}.
 *
 * <p>NOTE(review): {@code WebSecurityConfigurerAdapter} is deprecated since Spring Security 5.7 and
 * removed in 6.x; confirm the targeted Spring Security version before reusing this layout.
 */
@Configuration
@EnableWebSecurity
@EnableApimlAuth
/* loaded from: input_file:BOOT-INF/classes/org/zowe/apiml/apicatalog/security/SecurityConfiguration.class */
public class SecurityConfiguration {
    /** Path pattern claimed by the {@code @Order(1)} chain and marked {@code authenticated()} in both chains. */
    private static final String APIDOC_ROUTES = "/apidoc/**";
    /** Mapper handed to {@link LoginFilter}, presumably to parse the JSON login body (not visible here). */
    private final ObjectMapper securityObjectMapper;
    /** Source of the service login/logout endpoint paths used below; also passed to the cookie filter. */
    private final AuthConfigurationProperties authConfigurationProperties;
    /** Supplies the success/failure/unauthorized handlers wired into the filters and entry points. */
    private final HandlerInitializer handlerInitializer;
    /** Authentication providers registered in both chains (Gateway-backed, judging by their names). */
    private final GatewayLoginProvider gatewayLoginProvider;
    private final GatewayTokenProvider gatewayTokenProvider;

    /**
     * Base64-encoded public keys the AT-TLS X.509 filter compares client certificates against
     * (see {@link FilterChainBasicAuthOrTokenOrCertForApiDoc#apimlX509Filter}).
     * NOTE(review): the {@code @Qualifier} sits on the field while the constructor is Lombok-generated;
     * it only reaches the constructor parameter if lombok.config copies it
     * ({@code lombok.copyableAnnotations}). Confirm the intended bean is the one injected, since a
     * wrong key set silently changes which certificates are treated as client-auth.
     */
    @Qualifier("publicKeyCertificatesBase64")
    private final Set<String> publicKeyCertificatesBase64;

    /**
     * {@code server.attls.enabled}, default {@code false}. When true, {@link SecureConnectionFilter}
     * (and, for /apidoc, {@link AttlsFilter}) are inserted into the chains &ndash; presumably to reject
     * requests that did not arrive over an AT-TLS protected connection; confirm against
     * {@code org.zowe.apiml.filter.SecureConnectionFilter}.
     */
    @Value("${server.attls.enabled:false}")
    private boolean isAttlsEnabled;

    /**
     * Default-order chain: handles every request not claimed by the {@code @Order(1)} /apidoc chain.
     * Authenticates with basic credentials or a token and requires {@code authenticated()} on the
     * catalog's own endpoints; no certificate authentication is configured in this chain.
     */
    @Configuration
    /* loaded from: input_file:BOOT-INF/classes/org/zowe/apiml/apicatalog/security/SecurityConfiguration$FilterChainBasicAuthOrTokenAllEndpoints.class */
    public class FilterChainBasicAuthOrTokenAllEndpoints extends WebSecurityConfigurerAdapter {
        public FilterChainBasicAuthOrTokenAllEndpoints() {
        }

        /** Registers the two Gateway-backed providers only (login and token). */
        @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
        protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) {
            authenticationManagerBuilder.authenticationProvider((AuthenticationProvider) SecurityConfiguration.this.gatewayLoginProvider);
            authenticationManagerBuilder.authenticationProvider((AuthenticationProvider) SecurityConfiguration.this.gatewayTokenProvider);
        }

        /**
         * Paths removed from the security filter chain entirely: the UI root, static assets, the
         * favicon and the catalog's own {@code /api-doc}. Nothing on these paths is authenticated and
         * none of the entry points, headers or AT-TLS filters configured below apply to them.
         * {@code WebSecurity} ignore rules are global, so this also affects the {@code @Order(1)} chain.
         */
        @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter, org.springframework.security.config.annotation.SecurityConfigurer
        public void configure(WebSecurity webSecurity) {
            webSecurity.ignoring().antMatchers("/", "/static/**", "/favicon.ico", "/api-doc");
        }

        /**
         * Applies the shared baseline and credential filters, then the authorization rules. The first
         * matching {@code antMatchers} wins, which is why {@code /application/health} and
         * {@code /application/info} (permitAll) are listed before the {@code /application/**}
         * catch-all. The {@value SecurityConfiguration#APIDOC_ROUTES} rule is effectively shadowed by
         * the {@code @Order(1)} chain, which claims that pattern first.
         * NOTE(review): there is no {@code anyRequest()} rule, so a path matched by none of these
         * patterns carries no authorization requirement in this chain; confirm that is intended.
         * With AT-TLS enabled, {@link SecureConnectionFilter} is placed ahead of {@link BasicContentFilter}
         * so the connection check runs before any credential is evaluated.
         */
        @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
        protected void configure(HttpSecurity httpSecurity) throws Exception {
            SecurityConfiguration.this.mainframeCredentialsConfiguration(SecurityConfiguration.this.baseConfiguration(httpSecurity), authenticationManager()).authorizeRequests().antMatchers("/static-api/**").authenticated().antMatchers("/containers/**").authenticated().antMatchers(SecurityConfiguration.APIDOC_ROUTES).authenticated().antMatchers("/application/health", "/application/info").permitAll().antMatchers("/application/**").authenticated();
            if (SecurityConfiguration.this.isAttlsEnabled) {
                httpSecurity.addFilterBefore((Filter) new SecureConnectionFilter(), BasicContentFilter.class);
            }
        }
    }

    /**
     * Chain for {@value SecurityConfiguration#APIDOC_ROUTES} only: {@code @Order(1)} plus
     * {@code antMatcher} means it is consulted before the default chain and owns that path. Besides
     * basic credentials and tokens it accepts an X.509 client certificate whenever certificate
     * verification of services is enabled (strict or non-strict).
     */
    @Configuration
    @Order(1)
    /* loaded from: input_file:BOOT-INF/classes/org/zowe/apiml/apicatalog/security/SecurityConfiguration$FilterChainBasicAuthOrTokenOrCertForApiDoc.class */
    public class FilterChainBasicAuthOrTokenOrCertForApiDoc extends WebSecurityConfigurerAdapter {

        /** {@code apiml.security.ssl.verifySslCertificatesOfServices}, default {@code true}. */
        @Value("${apiml.security.ssl.verifySslCertificatesOfServices:true}")
        private boolean verifySslCertificatesOfServices;

        /** {@code apiml.security.ssl.nonStrictVerifySslCertificatesOfServices}, default {@code false}. */
        @Value("${apiml.security.ssl.nonStrictVerifySslCertificatesOfServices:false}")
        private boolean nonStrictVerifySslCertificatesOfServices;

        public FilterChainBasicAuthOrTokenOrCertForApiDoc() {
        }

        /**
         * Same Gateway-backed providers as the default chain, plus a fresh
         * {@link CertificateAuthenticationProvider} for principals produced by the X.509 filter.
         */
        @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
        protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) {
            authenticationManagerBuilder.authenticationProvider((AuthenticationProvider) SecurityConfiguration.this.gatewayLoginProvider);
            authenticationManagerBuilder.authenticationProvider((AuthenticationProvider) SecurityConfiguration.this.gatewayTokenProvider);
            authenticationManagerBuilder.authenticationProvider((AuthenticationProvider) new CertificateAuthenticationProvider());
        }

        /**
         * Protects /apidoc/** with the shared baseline and credential filters, then enables X.509
         * authentication when either verification flag is on:
         * <ul>
         *   <li>AT-TLS: {@link ApimlX509Filter} (with the public-key predicates from
         *       {@link #apimlX509Filter}) replaces Spring's default X.509 filter; {@link AttlsFilter}
         *       is placed in front of it and {@link SecureConnectionFilter} in front of that, so the
         *       connection checks run before any certificate is evaluated.</li>
         *   <li>otherwise: Spring's stock {@code x509()} support, i.e. the TLS client certificate
         *       presented to the container, with Spring's default principal extraction.</li>
         * </ul>
         * Both variants map the principal through {@link #x509UserDetailsService()}. With both flags
         * false no certificate authentication is configured at all, even though the provider is registered.
         * NOTE(review): the non-strict flag enables exactly the same X.509 path as the strict one;
         * whatever "non-strict" relaxes is decided outside this class.
         */
        /* JADX WARN: Multi-variable type inference failed */
        @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
        protected void configure(HttpSecurity httpSecurity) throws Exception {
            SecurityConfiguration.this.mainframeCredentialsConfiguration(SecurityConfiguration.this.baseConfiguration(httpSecurity.antMatcher(SecurityConfiguration.APIDOC_ROUTES)), authenticationManager()).authorizeRequests().antMatchers(SecurityConfiguration.APIDOC_ROUTES).authenticated();
            if (this.verifySslCertificatesOfServices || this.nonStrictVerifySslCertificatesOfServices) {
                if (SecurityConfiguration.this.isAttlsEnabled) {
                    ((HttpSecurity) httpSecurity.x509().x509AuthenticationFilter(apimlX509Filter(authenticationManager())).userDetailsService(x509UserDetailsService()).and()).addFilterBefore((Filter) new AttlsFilter(), X509AuthenticationFilter.class).addFilterBefore((Filter) new SecureConnectionFilter(), AttlsFilter.class);
                } else {
                    httpSecurity.x509().userDetailsService(x509UserDetailsService());
                }
            }
        }

        /**
         * Maps any X.509 principal name to a {@link User} with an empty password and no authorities.
         * There is no lookup or allow-list here: whether a certificate is accepted rests entirely on
         * TLS-layer validation (and, on the AT-TLS path, on the {@link ApimlX509Filter} predicates),
         * and authorization downstream can only ever be "is authenticated", never role based.
         */
        private UserDetailsService x509UserDetailsService() {
            return str -> {
                return new User(str, "", Collections.emptyList());
            };
        }

        /**
         * Builds the {@link ApimlX509Filter} used on the AT-TLS path. The two predicates are exact
         * complements: a certificate counts as "for client auth" iff the Base64 form of its public
         * key ({@code base64EncodePublicKey}) is contained in {@code publicKeyCertificatesBase64}.
         * NOTE(review): matching appears to be on the public key only, not on the full certificate,
         * and what the filter does with a "client auth" versus "not client auth" certificate is
         * defined inside {@link ApimlX509Filter}; confirm the membership direction is the intended one.
         *
         * @param authenticationManager manager the filter authenticates extracted principals with
         */
        private ApimlX509Filter apimlX509Filter(AuthenticationManager authenticationManager) {
            ApimlX509Filter apimlX509Filter = new ApimlX509Filter(SecurityConfiguration.this.publicKeyCertificatesBase64);
            apimlX509Filter.setCertificateForClientAuth(x509Certificate -> {
                return apimlX509Filter.getPublicKeyCertificatesBase64().contains(apimlX509Filter.base64EncodePublicKey(x509Certificate));
            });
            apimlX509Filter.setNotCertificateForClientAuth(x509Certificate2 -> {
                return !apimlX509Filter.getPublicKeyCertificatesBase64().contains(apimlX509Filter.base64EncodePublicKey(x509Certificate2));
            });
            apimlX509Filter.setAuthenticationManager(authenticationManager);
            return apimlX509Filter;
        }
    }

    /**
     * Shared baseline applied by both chains (mutates and returns the same {@code httpSecurity}):
     * <ul>
     *   <li>CSRF disabled. Fine for header-borne credentials, but {@link CookieContentFilter} also
     *       accepts a cookie-borne token, so cookie-authenticated state-changing requests get no
     *       CSRF defence from this configuration. NOTE(review): confirm cookie/SameSite handling
     *       elsewhere compensates.</li>
     *   <li>HSTS and X-Frame-Options disabled: the headers are simply not emitted, so framing of
     *       the catalog UI is not restricted here (presumably intended for an embedding desktop;
     *       confirm) and TLS-upgrade policy must come from somewhere else.</li>
     *   <li>Entry points: {@code /application/**} and {@value #APIDOC_ROUTES} get the basic-auth
     *       unauthorized handler, every other path the generic one; matchers are consulted in the
     *       order registered, so the {@code /**} fallback must stay last.</li>
     *   <li>{@code STATELESS}: no HttpSession is created or consulted; every request must carry its
     *       own credentials.</li>
     * </ul>
     *
     * @param httpSecurity the builder to configure
     * @return the same builder, for chaining
     * @throws Exception propagated from the Spring Security DSL
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Multi-variable type inference failed */
    public HttpSecurity baseConfiguration(HttpSecurity httpSecurity) throws Exception {
        ((HttpSecurity) ((HttpSecurity) ((HttpSecurity) httpSecurity.csrf().disable()).headers().httpStrictTransportSecurity().disable().frameOptions().disable().and()).exceptionHandling().defaultAuthenticationEntryPointFor(this.handlerInitializer.getBasicAuthUnauthorizedHandler(), new AntPathRequestMatcher("/application/**")).defaultAuthenticationEntryPointFor(this.handlerInitializer.getBasicAuthUnauthorizedHandler(), new AntPathRequestMatcher(APIDOC_ROUTES)).defaultAuthenticationEntryPointFor(this.handlerInitializer.getUnAuthorizedHandler(), new AntPathRequestMatcher("/**")).and()).sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        return httpSecurity;
    }

    /**
     * Installs the credential filters and the login/logout endpoints. Registration order is
     * significant: {@link LoginFilter} (POST on the service login endpoint, which is permitAll) is
     * anchored before {@link ShouldBeAlreadyAuthenticatedFilter}, which in turn sits before Spring's
     * {@link UsernamePasswordAuthenticationFilter}; {@link BasicContentFilter} and
     * {@link CookieContentFilter} are both anchored before {@link UsernamePasswordAuthenticationFilter}
     * and keep their relative registration order. Keep this sequence when editing.
     * NOTE(review): only POST is permitted on the login endpoint, but with CSRF disabled Spring's
     * {@code LogoutConfigurer} matches the logout URL for any HTTP method, including GET; confirm
     * that is acceptable for the catalog.
     *
     * @param httpSecurity          builder already passed through {@link #baseConfiguration(HttpSecurity)}
     * @param authenticationManager manager shared by the login, basic and cookie filters
     * @return the same builder, for chaining
     * @throws Exception propagated from the Spring Security DSL
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Multi-variable type inference failed */
    public HttpSecurity mainframeCredentialsConfiguration(HttpSecurity httpSecurity, AuthenticationManager authenticationManager) throws Exception {
        ((HttpSecurity) ((HttpSecurity) httpSecurity.addFilterBefore((Filter) new ShouldBeAlreadyAuthenticatedFilter(this.authConfigurationProperties.getServiceLoginEndpoint(), this.handlerInitializer.getAuthenticationFailureHandler()), UsernamePasswordAuthenticationFilter.class).addFilterBefore((Filter) loginFilter(this.authConfigurationProperties.getServiceLoginEndpoint(), authenticationManager), ShouldBeAlreadyAuthenticatedFilter.class).authorizeRequests().antMatchers(HttpMethod.POST, this.authConfigurationProperties.getServiceLoginEndpoint()).permitAll().and()).logout().logoutUrl(this.authConfigurationProperties.getServiceLogoutEndpoint()).logoutSuccessHandler(logoutSuccessHandler()).and()).addFilterBefore((Filter) basicFilter(authenticationManager), UsernamePasswordAuthenticationFilter.class).addFilterBefore((Filter) cookieFilter(authenticationManager), UsernamePasswordAuthenticationFilter.class);
        return httpSecurity;
    }

    /**
     * Login filter for the given endpoint, wired with the shared success/failure/resource-access
     * handlers and the security {@link ObjectMapper}.
     *
     * @param str                   login endpoint path (from {@link AuthConfigurationProperties})
     * @param authenticationManager manager the submitted credentials are authenticated with
     */
    private LoginFilter loginFilter(String str, AuthenticationManager authenticationManager) {
        return new LoginFilter(str, this.handlerInitializer.getSuccessfulLoginHandler(), this.handlerInitializer.getAuthenticationFailureHandler(), this.securityObjectMapper, authenticationManager, this.handlerInitializer.getResourceAccessExceptionHandler());
    }

    /** Filter that authenticates basic (Authorization header) credentials via the shared handlers. */
    private BasicContentFilter basicFilter(AuthenticationManager authenticationManager) {
        return new BasicContentFilter(authenticationManager, this.handlerInitializer.getAuthenticationFailureHandler(), this.handlerInitializer.getResourceAccessExceptionHandler());
    }

    /**
     * Filter that authenticates a cookie-borne token; the cookie name presumably comes from
     * {@link AuthConfigurationProperties} (not visible here).
     */
    private CookieContentFilter cookieFilter(AuthenticationManager authenticationManager) {
        return new CookieContentFilter(authenticationManager, this.handlerInitializer.getAuthenticationFailureHandler(), this.handlerInitializer.getResourceAccessExceptionHandler(), this.authConfigurationProperties);
    }

    /**
     * Logout success handler used by both chains; exposed as a bean. {@code ApiCatalogLogoutSuccessHandler}
     * is not imported, so it lives in this package.
     */
    @Bean
    public LogoutSuccessHandler logoutSuccessHandler() {
        return new ApiCatalogLogoutSuccessHandler(this.authConfigurationProperties);
    }

    /**
     * Lombok-generated all-args constructor ({@code @Generated}). See the note on
     * {@link #publicKeyCertificatesBase64} about the field-level {@code @Qualifier} and whether it
     * reaches the {@code set} parameter.
     */
    @Generated
    public SecurityConfiguration(ObjectMapper objectMapper, AuthConfigurationProperties authConfigurationProperties, HandlerInitializer handlerInitializer, GatewayLoginProvider gatewayLoginProvider, GatewayTokenProvider gatewayTokenProvider, Set<String> set) {
        this.securityObjectMapper = objectMapper;
        this.authConfigurationProperties = authConfigurationProperties;
        this.handlerInitializer = handlerInitializer;
        this.gatewayLoginProvider = gatewayLoginProvider;
        this.gatewayTokenProvider = gatewayTokenProvider;
        this.publicKeyCertificatesBase64 = set;
    }
}
