package org.zowe.apiml.gateway.security.config;

import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import lombok.Generated;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.cloud.netflix.zuul.filters.ZuulProperties;
import org.springframework.cloud.netflix.zuul.filters.discovery.DiscoveryClientRouteLocator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.firewall.StrictHttpFirewall;
import org.springframework.security.web.util.matcher.RegexRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.zowe.apiml.gateway.controllers.CacheServiceController;
import org.zowe.apiml.gateway.security.login.x509.X509AuthenticationProvider;
import org.zowe.apiml.gateway.security.query.QueryFilter;
import org.zowe.apiml.gateway.security.query.SuccessfulQueryHandler;
import org.zowe.apiml.gateway.security.service.AuthenticationService;
import org.zowe.apiml.gateway.security.ticket.SuccessfulTicketHandler;
import org.zowe.apiml.gateway.services.ServicesInfoController;
import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
import org.zowe.apiml.security.common.config.HandlerInitializer;
import org.zowe.apiml.security.common.content.BasicContentFilter;
import org.zowe.apiml.security.common.content.CookieContentFilter;
import org.zowe.apiml.security.common.login.LoginFilter;

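/**
 * Spring Security wiring for the API Mediation Layer gateway.
 *
 * <p>The chain is stateless: no HTTP session is created and every request has to
 * carry its own proof of identity. Identity can arrive as a username/password
 * login, as a trusted client certificate, as Basic credentials, as the
 * authentication cookie, or as a token presented to the query / ticket endpoints.
 * CORS is only opened up when {@code apiml.service.corsEnabled} is {@code true}.
 *
 * <p>Points a security reviewer should be aware of (each is explained at the
 * place where it is configured): CSRF protection is disabled, HSTS and
 * X-Frame-Options are not emitted by this chain, the HTTP firewall is relaxed
 * for several encoded characters, the public-key endpoints bypass the security
 * chain entirely, and every accepted client certificate maps to one fixed
 * principal.
 */
@Configuration
@EnableWebSecurity
/* loaded from: input_file:BOOT-INF/classes/org/zowe/apiml/gateway/security/config/SecurityConfiguration.class */
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Generated
    private static final Logger log = LoggerFactory.getLogger((Class<?>) SecurityConfiguration.class);

    /** Path prefixes on which the Basic and cookie content filters try to authenticate. */
    private static final String[] PROTECTED_ENDPOINTS = {
        "/gateway/api/v1",
        "/api/v1/gateway",
        "/application",
        ServicesInfoController.SERVICES_URL
    };

    /** Patterns that receive the permissive CORS configuration when CORS is enabled. */
    private static final List<String> CORS_ENABLED_ENDPOINTS = Arrays.asList("/api/v1/gateway/**", "/gateway/version");

    /**
     * Extracts the principal from the certificate subject: the text after {@code CN=}
     * up to the next comma or the end of the DN. A CN that itself contains an
     * (escaped) comma is therefore truncated at that comma.
     */
    private static final String EXTRACT_USER_PRINCIPAL_FROM_COMMON_NAME = "CN=(.*?)(?:,|$)";

    @Value("${apiml.service.corsEnabled:false}")
    private boolean corsEnabled;

    /** Comma-separated header names Zuul must stop stripping once CORS is on. No default: the property must exist. */
    @Value("${apiml.service.ignoredHeadersWhenCorsEnabled}")
    private String ignoredHeadersWhenCorsEnabled;

    private final ObjectMapper securityObjectMapper;
    private final AuthenticationService authenticationService;
    private final AuthConfigurationProperties authConfigurationProperties;
    private final HandlerInitializer handlerInitializer;
    private final SuccessfulQueryHandler successfulQueryHandler;
    private final SuccessfulTicketHandler successfulTicketHandler;
    private final AuthProviderInitializer authProviderInitializer;
    /** Base64 certificates that {@link ApimlX509Filter} accepts as trusted clients. */
    private final Set<String> publicKeyCertificatesBase64;
    private final ZuulProperties zuulProperties;
    private final X509AuthenticationProvider x509AuthenticationProvider;

    /** Delegates provider registration to {@link AuthProviderInitializer}. */
    @Override
    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) {
        this.authProviderInitializer.configure(authenticationManagerBuilder);
    }

    /**
     * Builds the gateway filter chain.
     *
     * <p>Order matters twice here: the {@code antMatchers} rules are evaluated
     * first-match-wins in the order they are declared, and the
     * {@code addFilterBefore} calls fix where each custom filter sits relative to
     * {@link UsernamePasswordAuthenticationFilter} / {@link LoginFilter}.
     *
     * <p>Reviewer notes:
     * <ul>
     *   <li>CSRF is disabled although {@link #cookieFilter()} authenticates requests
     *       from a cookie. Whether that is safe depends on the cookie's SameSite
     *       attribute, which is not set in this class — confirm where the cookie is issued.</li>
     *   <li>HSTS and X-Frame-Options are switched off; unless a front proxy adds them,
     *       gateway responses carry neither header.</li>
     *   <li>{@code subjectPrincipalRegex} is, as far as the Spring configurer is
     *       concerned, only used when it creates the default X509 filter itself. A
     *       custom filter is supplied here, so confirm {@link ApimlX509Filter} applies
     *       its own principal extractor.</li>
     * </ul>
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        String loginEndpoint = authConfigurationProperties.getGatewayLoginEndpoint();
        String loginEndpointOldFormat = authConfigurationProperties.getGatewayLoginEndpointOldFormat();
        String ticketEndpoint = authConfigurationProperties.getGatewayTicketEndpoint();
        String ticketEndpointOldFormat = authConfigurationProperties.getGatewayTicketEndpointOldFormat();
        String queryEndpoint = authConfigurationProperties.getGatewayQueryEndpoint();
        String queryEndpointOldFormat = authConfigurationProperties.getGatewayQueryEndpointOldFormat();

        httpSecurity
            .cors().and()
            .csrf().disable()
            .headers()
                .httpStrictTransportSecurity().disable()
                .frameOptions().disable()
                .and()
            .exceptionHandling()
                .authenticationEntryPoint(handlerInitializer.getBasicAuthUnauthorizedHandler())
                .and()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()

            // Client-certificate authentication for trusted (allow-listed) certificates.
            // The configurer is a singleton per chain, so one declaration is enough.
            .x509()
                .x509AuthenticationFilter(apimlX509Filter())
                .subjectPrincipalRegex(EXTRACT_USER_PRINCIPAL_FROM_COMMON_NAME)
                .userDetailsService(x509UserDetailsService())
                .and()

            // Logout: POST to either logout path, JWT invalidated, 204 on success.
            .logout()
                .logoutRequestMatcher(logoutRequestMatcher())
                .addLogoutHandler(logoutHandler())
                .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler(HttpStatus.NO_CONTENT))
                .permitAll()
                .and()

            // Authorization rules, first match wins. Anything not listed falls through
            // to the framework default (authenticated for these configurers' defaults is
            // not assumed — unmatched paths are left to the downstream filters).
            .authorizeRequests()
                .antMatchers(HttpMethod.POST, loginEndpoint).permitAll()
                .antMatchers(HttpMethod.POST, loginEndpointOldFormat).permitAll()
                .antMatchers(HttpMethod.POST, ticketEndpoint).authenticated()
                .antMatchers(HttpMethod.POST, ticketEndpointOldFormat).authenticated()
                .antMatchers("/application/health", "/application/info", "/application/version").permitAll()
                .antMatchers("/application/**").authenticated()
                .antMatchers("/gateway/services/**").authenticated()
                // Redundant with configure(WebSecurity), which ignores /gateway/auth/keys/public/** altogether.
                .antMatchers("/gateway/auth/keys/public/all", "/gateway/auth/keys/public/current").permitAll()
                .antMatchers("/gateway/auth/invalidate/**", "/gateway/auth/distribute/**").authenticated()
                .antMatchers(HttpMethod.DELETE, CacheServiceController.CONTROLLER_PATH, "/gateway/cache/services/**").authenticated()
                .and()

            // Custom authentication filters. Each login path gets a credential filter and,
            // in front of it, a client-certificate filter; query/ticket/basic/cookie filters
            // all sit before the (unused) form-login filter.
            .addFilterBefore(loginFilter(loginEndpoint), UsernamePasswordAuthenticationFilter.class)
            .addFilterBefore(x509Filter(loginEndpoint), LoginFilter.class)
            .addFilterBefore(loginFilter(loginEndpointOldFormat), UsernamePasswordAuthenticationFilter.class)
            .addFilterBefore(x509Filter(loginEndpointOldFormat), LoginFilter.class)
            .addFilterBefore(queryFilter(queryEndpoint), UsernamePasswordAuthenticationFilter.class)
            .addFilterBefore(queryFilter(queryEndpointOldFormat), UsernamePasswordAuthenticationFilter.class)
            .addFilterBefore(ticketFilter(ticketEndpoint), UsernamePasswordAuthenticationFilter.class)
            .addFilterBefore(ticketFilter(ticketEndpointOldFormat), UsernamePasswordAuthenticationFilter.class)
            .addFilterBefore(basicFilter(), UsernamePasswordAuthenticationFilter.class)
            .addFilterBefore(cookieFilter(), UsernamePasswordAuthenticationFilter.class);
    }

    /**
     * Matches a POST to either configured logout path.
     *
     * <p>The paths are configuration values, not regular expressions, so they are
     * quoted before being spliced into the pattern; otherwise a path containing a
     * regex metacharacter (e.g. {@code .}) would match more — or less — than the
     * literal path.
     */
    private RequestMatcher logoutRequestMatcher() {
        String pattern = String.format("(%s|%s)",
            Pattern.quote(authConfigurationProperties.getGatewayLogoutEndpoint()),
            Pattern.quote(authConfigurationProperties.getGatewayLogoutEndpointOldFormat()));
        return new RegexRequestMatcher(pattern, HttpMethod.POST.name());
    }

    /**
     * CORS policy source.
     *
     * <p>With CORS disabled an empty {@link CorsConfiguration} (no allowed origin)
     * is registered on the catch-all route, so cross-origin requests are refused.
     * With CORS enabled the selected endpoints accept credentialed requests from
     * any origin with any header and the methods from {@link #allowedCorsHttpMethods()}.
     *
     * <p>NOTE(review): {@code allowCredentials=true} together with origin {@code "*"}
     * is the riskiest CORS shape — on older Spring Framework versions the request's
     * Origin is reflected back, which lets any site make credentialed calls to the
     * listed paths; on Spring 5.3+ this combination is rejected at request time.
     * A configurable origin allow-list would be the fix; it is not available in
     * this class, so the behaviour is left unchanged here.
     */
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration corsConfiguration = new CorsConfiguration();
        List<String> pathPatterns;

        if (corsEnabled) {
            addCorsRelatedIgnoredHeaders();
            corsConfiguration.setAllowCredentials(true);
            corsConfiguration.addAllowedOrigin("*");
            corsConfiguration.setAllowedHeaders(Collections.singletonList("*"));
            corsConfiguration.setAllowedMethods(allowedCorsHttpMethods());
            pathPatterns = CORS_ENABLED_ENDPOINTS;
        } else {
            pathPatterns = Collections.singletonList(DiscoveryClientRouteLocator.DEFAULT_ROUTE);
        }

        for (String pathPattern : pathPatterns) {
            source.registerCorsConfiguration(pathPattern, corsConfiguration);
        }
        return source;
    }

    /**
     * Replaces Zuul's ignored-header set with the names from
     * {@code apiml.service.ignoredHeadersWhenCorsEnabled}. Entries are trimmed and
     * blanks dropped so that {@code "Origin, Access-Control-Request-Method"} behaves
     * like the unspaced form. A mutable set is passed because Zuul may add to it.
     */
    private void addCorsRelatedIgnoredHeaders() {
        Set<String> ignoredHeaders = new HashSet<>();
        for (String header : ignoredHeadersWhenCorsEnabled.split(",")) {
            String trimmed = header.trim();
            if (!trimmed.isEmpty()) {
                ignoredHeaders.add(trimmed);
            }
        }
        zuulProperties.setIgnoredHeaders(ignoredHeaders);
    }

    /** HTTP methods permitted cross-origin when CORS is enabled (PATCH is not included). */
    @Bean
    List<String> allowedCorsHttpMethods() {
        return Collections.unmodifiableList(Arrays.asList(
            HttpMethod.GET.name(),
            HttpMethod.HEAD.name(),
            HttpMethod.POST.name(),
            HttpMethod.DELETE.name(),
            HttpMethod.PUT.name(),
            HttpMethod.OPTIONS.name()));
    }

    /** Username/password login filter bound to one login path. */
    private LoginFilter loginFilter(String loginEndpoint) throws Exception {
        return new LoginFilter(
            loginEndpoint,
            handlerInitializer.getSuccessfulLoginHandler(),
            handlerInitializer.getAuthenticationFailureHandler(),
            securityObjectMapper,
            authenticationManager(),
            handlerInitializer.getResourceAccessExceptionHandler());
    }

    /** Client-certificate login filter bound to one login path. */
    private X509AuthenticationFilter x509Filter(String loginEndpoint) {
        return new X509AuthenticationFilter(
            loginEndpoint,
            handlerInitializer.getSuccessfulLoginHandler(),
            x509AuthenticationProvider);
    }

    /** GET token-query filter; the {@code false} flag is passed through unchanged from the original wiring. */
    private QueryFilter queryFilter(String queryEndpoint) throws Exception {
        return new QueryFilter(
            queryEndpoint,
            successfulQueryHandler,
            handlerInitializer.getAuthenticationFailureHandler(),
            authenticationService,
            HttpMethod.GET,
            false,
            authenticationManager());
    }

    /** POST ticket filter; same class as the query filter with the flag set to {@code true}. */
    private QueryFilter ticketFilter(String ticketEndpoint) throws Exception {
        return new QueryFilter(
            ticketEndpoint,
            successfulTicketHandler,
            handlerInitializer.getAuthenticationFailureHandler(),
            authenticationService,
            HttpMethod.POST,
            true,
            authenticationManager());
    }

    /** Authenticates Basic credentials on {@link #PROTECTED_ENDPOINTS}. */
    private BasicContentFilter basicFilter() throws Exception {
        return new BasicContentFilter(
            authenticationManager(),
            handlerInitializer.getAuthenticationFailureHandler(),
            handlerInitializer.getResourceAccessExceptionHandler(),
            PROTECTED_ENDPOINTS);
    }

    /** Authenticates the auth cookie on {@link #PROTECTED_ENDPOINTS}. */
    private CookieContentFilter cookieFilter() throws Exception {
        return new CookieContentFilter(
            authenticationManager(),
            handlerInitializer.getAuthenticationFailureHandler(),
            handlerInitializer.getResourceAccessExceptionHandler(),
            authConfigurationProperties,
            PROTECTED_ENDPOINTS);
    }

    /** Invalidates the JWT on logout. */
    private LogoutHandler logoutHandler() {
        return new JWTLogoutHandler(authenticationService, handlerInitializer.getAuthenticationFailureHandler());
    }

    /** X509 filter restricted to the allow-listed client certificates. */
    private ApimlX509Filter apimlX509Filter() throws Exception {
        ApimlX509Filter filter = new ApimlX509Filter(publicKeyCertificatesBase64);
        filter.setAuthenticationManager(authenticationManager());
        return filter;
    }

    /**
     * Maps every accepted client certificate to the same principal.
     *
     * <p>The extracted CN is ignored: whichever trusted certificate is presented,
     * the resulting user is {@code "gatewayClient"} with no authorities. Access
     * control for these callers therefore rests entirely on the certificate
     * allow-list in {@link ApimlX509Filter}, not on who the certificate names.
     */
    private UserDetailsService x509UserDetailsService() {
        return ignoredCommonName -> new User("gatewayClient", "", Collections.emptyList());
    }

    /**
     * Firewall and ignore rules.
     *
     * <p>{@link StrictHttpFirewall} is relaxed to accept URL-encoded slashes,
     * backslashes, encoded percent signs, encoded periods and semicolons. Each of
     * these is something a gateway forwards to a backend that may normalise the
     * path differently, so path-matching here and path-resolution there can
     * disagree; keep this list as short as the routed services allow.
     *
     * <p>{@code /gateway/auth/keys/public/**} is excluded from the security chain
     * altogether — broader than the two {@code permitAll} paths in
     * {@link #configure(HttpSecurity)}.
     */
    @Override
    public void configure(WebSecurity webSecurity) {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowUrlEncodedSlash(true);
        firewall.setAllowBackSlash(true);
        firewall.setAllowUrlEncodedPercent(true);
        firewall.setAllowUrlEncodedPeriod(true);
        firewall.setAllowSemicolon(true);
        webSecurity.httpFirewall(firewall);
        webSecurity.ignoring().antMatchers("/gateway/auth/keys/public/**");
    }

    /**
     * Constructor injection. The qualifier for the certificate set is placed on the
     * parameter, where Spring reads it for constructor injection; a qualifier on the
     * field alone is not consulted when the field is set through the constructor.
     */
    @Generated
    public SecurityConfiguration(
            ObjectMapper objectMapper,
            AuthenticationService authenticationService,
            AuthConfigurationProperties authConfigurationProperties,
            HandlerInitializer handlerInitializer,
            SuccessfulQueryHandler successfulQueryHandler,
            SuccessfulTicketHandler successfulTicketHandler,
            AuthProviderInitializer authProviderInitializer,
            @Qualifier("publicKeyCertificatesBase64") Set<String> publicKeyCertificatesBase64,
            ZuulProperties zuulProperties,
            X509AuthenticationProvider x509AuthenticationProvider) {
        this.securityObjectMapper = objectMapper;
        this.authenticationService = authenticationService;
        this.authConfigurationProperties = authConfigurationProperties;
        this.handlerInitializer = handlerInitializer;
        this.successfulQueryHandler = successfulQueryHandler;
        this.successfulTicketHandler = successfulTicketHandler;
        this.authProviderInitializer = authProviderInitializer;
        this.publicKeyCertificatesBase64 = publicKeyCertificatesBase64;
        this.zuulProperties = zuulProperties;
        this.x509AuthenticationProvider = x509AuthenticationProvider;
    }
}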
