package org.zowe.apiml.discovery.config;

import java.util.Collections;
import lombok.Generated;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
import org.zowe.apiml.filter.AttlsFilter;
import org.zowe.apiml.filter.SecureConnectionFilter;
import org.zowe.apiml.security.client.EnableApimlAuth;
import org.zowe.apiml.security.client.login.GatewayLoginProvider;
import org.zowe.apiml.security.client.token.GatewayTokenProvider;
import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
import org.zowe.apiml.security.common.config.HandlerInitializer;
import org.zowe.apiml.security.common.content.BasicContentFilter;
import org.zowe.apiml.security.common.content.BearerContentFilter;
import org.zowe.apiml.security.common.content.CookieContentFilter;

/**
 * Spring Security wiring for the Discovery Service when it is reached over TLS
 * ({@code https} profile) or z/OS AT-TLS ({@code attls} profile).
 *
 * <p>Three {@link SecurityFilterChain} beans are registered and consulted in
 * {@code @Order} sequence:
 * <ol>
 *   <li>{@code /discovery/**} &mdash; client certificate, HTTP basic or API ML token</li>
 *   <li>{@code /eureka/**} &mdash; client certificate only, or fully open in non-strict mode</li>
 *   <li>everything else &mdash; HTTP basic or API ML token</li>
 * </ol>
 * A {@link WebSecurityCustomizer} additionally removes the static Eureka UI resources
 * (and, depending on properties, the health and Hystrix stream endpoints) from the
 * security filter chains altogether.
 *
 * <p>{@code baseConfigure(...)} is inherited from {@link AbstractWebSecurityConfigurer}
 * and is not visible in this file; whatever it enables or disables on the builder
 * (CSRF, sessions, headers, ...) is not documented here.
 *
 * <p>The {@code loaded from} comments and the redundant casts suggest this listing
 * was produced by a decompiler rather than taken from the original source.
 */
@Configuration
@EnableWebSecurity
@EnableApimlAuth
@Profile({"https", "attls"})
/* loaded from: input_file:org/zowe/apiml/discovery/config/HttpsWebSecurityConfig.class */
public class HttpsWebSecurityConfig extends AbstractWebSecurityConfigurer {
    // Source of the authentication-failure and resource-access-exception handlers
    // shared by all three content filters in CustomSecurityFilters.
    private final HandlerInitializer handlerInitializer;
    // Only consumed by the cookie content filter (see CustomSecurityFilters.cookieFilter).
    private final AuthConfigurationProperties securityConfigurationProperties;
    // Authentication providers registered on the /discovery/** and catch-all chains.
    // From their names they delegate login and token validation to the Gateway;
    // their behaviour is not visible in this file.
    private final GatewayLoginProvider gatewayLoginProvider;
    private final GatewayTokenProvider gatewayTokenProvider;
    // Realm name sent in the HTTP basic challenge on the /discovery/** and catch-all chains.
    private static final String DISCOVERY_REALM = "API Mediation Discovery Service realm";

    // When true, every chain gains a SecureConnectionFilter and the certificate-based
    // chains also gain an AttlsFilter (see the three SecurityFilterChain beans below).
    // From the property name, TLS is terminated by AT-TLS in that case - not verifiable here.
    @Value("${server.attls.enabled:false}")
    private boolean isAttlsEnabled;

    // Together these two flags select the "strict" mode of the certificate chains:
    // client-certificate authentication is enforced on /eureka/** and /discovery/**
    // unless verifySslCertificatesOfServices is false AND
    // nonStrictVerifySslCertificatesOfServices is true.
    @Value("${apiml.security.ssl.verifySslCertificatesOfServices:true}")
    private boolean verifySslCertificatesOfServices;

    @Value("${apiml.security.ssl.nonStrictVerifySslCertificatesOfServices:false}")
    private boolean nonStrictVerifySslCertificatesOfServices;

    // When true, /application/hystrixstream is excluded from security entirely.
    @Value("${apiml.metrics.enabled:false}")
    private boolean isMetricsEnabled;

    // Defaults to false, i.e. /application/health is served without authentication
    // unless an operator opts in.
    @Value("${apiml.health.protected:false}")
    private boolean isHealthEndpointProtected;

    /**
     * Adds the API ML content filters (HTTP basic, cookie token, bearer token) to a chain.
     *
     * <p>Deliberately a non-static inner class: the filter factories need the enclosing
     * configuration's {@code handlerInitializer} and {@code securityConfigurationProperties}.
     */
    /* loaded from: input_file:org/zowe/apiml/discovery/config/HttpsWebSecurityConfig$CustomSecurityFilters.class */
    private class CustomSecurityFilters extends AbstractHttpConfigurer<CustomSecurityFilters, HttpSecurity> {
        private CustomSecurityFilters() {
        }

        /**
         * Inserts the basic, cookie and bearer content filters ahead of
         * {@link UsernamePasswordAuthenticationFilter}, all bound to the
         * {@link AuthenticationManager} the builder already shares. Each filter gets
         * the same anchor, so their mutual order follows registration order only if
         * Spring keeps insertion order for equal positions - confirm if it matters.
         *
         * @param httpSecurity the builder of the chain being assembled
         */
        public void configure(HttpSecurity httpSecurity) {
            AuthenticationManager authenticationManager = (AuthenticationManager) httpSecurity.getSharedObject(AuthenticationManager.class);
            httpSecurity.addFilterBefore(basicFilter(authenticationManager), UsernamePasswordAuthenticationFilter.class).addFilterBefore(cookieFilter(authenticationManager), UsernamePasswordAuthenticationFilter.class).addFilterBefore(bearerContentFilter(authenticationManager), UsernamePasswordAuthenticationFilter.class);
        }

        /** Filter for {@code Authorization: Basic} credentials, using the shared failure handlers. */
        private BasicContentFilter basicFilter(AuthenticationManager authenticationManager) {
            return new BasicContentFilter(authenticationManager, HttpsWebSecurityConfig.this.handlerInitializer.getAuthenticationFailureHandler(), HttpsWebSecurityConfig.this.handlerInitializer.getResourceAccessExceptionHandler());
        }

        /**
         * Filter for the token cookie; the only one that also receives the auth properties
         * (presumably for the cookie name - not visible here).
         */
        private CookieContentFilter cookieFilter(AuthenticationManager authenticationManager) {
            return new CookieContentFilter(authenticationManager, HttpsWebSecurityConfig.this.handlerInitializer.getAuthenticationFailureHandler(), HttpsWebSecurityConfig.this.handlerInitializer.getResourceAccessExceptionHandler(), HttpsWebSecurityConfig.this.securityConfigurationProperties);
        }

        /** Filter for {@code Authorization: Bearer} tokens, using the shared failure handlers. */
        private BearerContentFilter bearerContentFilter(AuthenticationManager authenticationManager) {
            return new BearerContentFilter(authenticationManager, HttpsWebSecurityConfig.this.handlerInitializer.getAuthenticationFailureHandler(), HttpsWebSecurityConfig.this.handlerInitializer.getResourceAccessExceptionHandler());
        }
    }

    /**
     * Declares the paths that bypass every security filter chain.
     *
     * <p>{@code WebSecurity.ignoring()} removes the matched requests from Spring Security
     * completely, so none of the chains below (and none of their AT-TLS checks) run for
     * them. The static Eureka UI assets, {@code /application/info} and the favicon are
     * always exempt; {@code /application/health} is exempt unless
     * {@code apiml.health.protected=true}; {@code /application/hystrixstream} is exempt
     * when metrics are enabled.
     *
     * @return the customizer applied by Spring Security at startup
     */
    @Bean
    public WebSecurityCustomizer httpsWebSecurityCustomizer() {
        String[] strArr = {"/eureka/css/**", "/eureka/js/**", "/eureka/fonts/**", "/eureka/images/**", "/application/info", "/favicon.ico"};
        return webSecurity -> {
            webSecurity.ignoring().requestMatchers(strArr);
            if (!this.isHealthEndpointProtected) {
                webSecurity.ignoring().requestMatchers(new String[]{"/application/health"});
            }
            if (this.isMetricsEnabled) {
                webSecurity.ignoring().requestMatchers(new String[]{"/application/hystrixstream"});
            }
        };
    }

    /**
     * Catch-all chain ({@code @Order(3)}): HTTP basic or API ML token for everything
     * not claimed by the two lower-ordered chains.
     *
     * <p>{@code securityMatchers} is called with a customizer that registers nothing, so
     * no path restriction is added - presumably the intent is "match any request", which
     * is why this chain carries the highest order value; confirm against the Spring
     * Security version in use. Every request ({@code /**}) must be authenticated; the
     * basic challenge uses {@link #DISCOVERY_REALM}. With AT-TLS enabled a
     * {@link SecureConnectionFilter} runs before the username/password filter.
     *
     * @param httpSecurity builder supplied by Spring Security
     * @return the assembled chain
     * @throws Exception propagated from {@code HttpSecurity.build()}
     */
    @Bean
    @Order(3)
    public SecurityFilterChain basicAuthOrTokenFilterChain(HttpSecurity httpSecurity) throws Exception {
        baseConfigure(httpSecurity.securityMatchers(requestMatcherConfigurer -> {
        })).authenticationProvider(this.gatewayLoginProvider).authenticationProvider(this.gatewayTokenProvider).authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> {
            ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) authorizationManagerRequestMatcherRegistry.requestMatchers(new String[]{"/**"})).authenticated();
        }).httpBasic(httpBasicConfigurer -> {
            httpBasicConfigurer.realmName(DISCOVERY_REALM);
        });
        if (this.isAttlsEnabled) {
            httpSecurity.addFilterBefore(new SecureConnectionFilter(), UsernamePasswordAuthenticationFilter.class);
        }
        return (SecurityFilterChain) httpSecurity.apply(new CustomSecurityFilters()).and().build();
    }

    /**
     * Chain for the Eureka registry API ({@code /eureka/**}, {@code @Order(2)}).
     *
     * <p>In strict mode (see the two {@code verifySslCertificates...} flags) every request
     * must be authenticated and the only mechanism is X.509, resolved through
     * {@link #x509UserDetailsService()}. With AT-TLS enabled an {@link AttlsFilter} is
     * placed before the X.509 filter and a {@link SecureConnectionFilter} before that.
     *
     * <p>In non-strict mode the chain is {@code permitAll()}: the registry can be read
     * and modified under {@code /eureka/**} without any credentials. That mode should be
     * confined to development setups.
     *
     * @param httpSecurity builder supplied by Spring Security
     * @return the assembled chain
     * @throws Exception propagated from {@code HttpSecurity.build()}
     */
    @Bean
    @Order(2)
    public SecurityFilterChain clientCertificateFilterChain(HttpSecurity httpSecurity) throws Exception {
        baseConfigure(httpSecurity.securityMatcher(new String[]{"/eureka/**"}));
        if (this.verifySslCertificatesOfServices || !this.nonStrictVerifySslCertificatesOfServices) {
            httpSecurity.authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> {
                ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) authorizationManagerRequestMatcherRegistry.anyRequest()).authenticated();
            }).x509(x509Configurer -> {
                x509Configurer.userDetailsService(x509UserDetailsService());
            });
            if (this.isAttlsEnabled) {
                httpSecurity.addFilterBefore(new AttlsFilter(), X509AuthenticationFilter.class);
                httpSecurity.addFilterBefore(new SecureConnectionFilter(), AttlsFilter.class);
            }
        } else {
            httpSecurity.authorizeHttpRequests(authorizationManagerRequestMatcherRegistry2 -> {
                ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) authorizationManagerRequestMatcherRegistry2.anyRequest()).permitAll();
            });
        }
        return (SecurityFilterChain) httpSecurity.build();
    }

    /**
     * Chain for the discovery endpoints ({@code /discovery/**}, {@code @Order(1)}).
     *
     * <p>Always registers the Gateway login/token providers and HTTP basic with
     * {@link #DISCOVERY_REALM}, and applies {@link CustomSecurityFilters}. In strict mode
     * it additionally requires authentication and enables X.509 (plus the AT-TLS filters
     * when enabled), mirroring {@link #clientCertificateFilterChain(HttpSecurity)}.
     *
     * <p>NOTE(review): unlike the {@code /eureka/**} chain there is no {@code else}
     * branch, so in non-strict mode no {@code authorizeHttpRequests(...)} rule is
     * registered for {@code /discovery/**} at all. Whether that is meant to behave like
     * an explicit {@code permitAll()} should be confirmed and, if so, spelled out.
     *
     * @param httpSecurity builder supplied by Spring Security
     * @return the assembled chain
     * @throws Exception propagated from {@code HttpSecurity.build()}
     */
    @Bean
    @Order(1)
    public SecurityFilterChain basicAuthOrTokenOrCertFilterChain(HttpSecurity httpSecurity) throws Exception {
        baseConfigure(httpSecurity.securityMatcher(new String[]{"/discovery/**"})).authenticationProvider(this.gatewayLoginProvider).authenticationProvider(this.gatewayTokenProvider).httpBasic(httpBasicConfigurer -> {
            httpBasicConfigurer.realmName(DISCOVERY_REALM);
        });
        if (this.verifySslCertificatesOfServices || !this.nonStrictVerifySslCertificatesOfServices) {
            httpSecurity.authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> {
                ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) authorizationManagerRequestMatcherRegistry.anyRequest()).authenticated();
            }).x509(x509Configurer -> {
                x509Configurer.userDetailsService(x509UserDetailsService());
            });
            if (this.isAttlsEnabled) {
                httpSecurity.addFilterBefore(new AttlsFilter(), X509AuthenticationFilter.class);
                httpSecurity.addFilterBefore(new SecureConnectionFilter(), AttlsFilter.class);
            }
        }
        return (SecurityFilterChain) httpSecurity.apply(new CustomSecurityFilters()).and().build();
    }

    /**
     * Maps any client certificate to the fixed principal {@code eurekaClient}.
     *
     * <p>The subject string handed over by the X.509 filter ({@code str}) is ignored:
     * every certificate that reaches this point becomes the same user with an empty
     * password and no granted authorities. Consequently the chains above can only
     * distinguish "presented an accepted certificate" from "did not"; which service is
     * calling is not established here, and the trust decision rests entirely on
     * certificate validation performed before this lookup (TLS / AT-TLS layer,
     * configured outside this file - confirm).
     *
     * @return a service returning the constant {@code eurekaClient} user
     */
    private UserDetailsService x509UserDetailsService() {
        return str -> {
            return new User("eurekaClient", "", Collections.emptyList());
        };
    }

    /**
     * Constructor-injects the collaborators; the Lombok {@code @Generated} marker
     * indicates it was produced from a generated-constructor annotation.
     *
     * @param handlerInitializer source of failure / exception handlers for the content filters
     * @param authConfigurationProperties stored as {@code securityConfigurationProperties}
     * @param gatewayLoginProvider provider for username/password authentication
     * @param gatewayTokenProvider provider for API ML token authentication
     */
    @Generated
    public HttpsWebSecurityConfig(HandlerInitializer handlerInitializer, AuthConfigurationProperties authConfigurationProperties, GatewayLoginProvider gatewayLoginProvider, GatewayTokenProvider gatewayTokenProvider) {
        this.handlerInitializer = handlerInitializer;
        this.securityConfigurationProperties = authConfigurationProperties;
        this.gatewayLoginProvider = gatewayLoginProvider;
        this.gatewayTokenProvider = gatewayTokenProvider;
    }
}
