package org.zowe.apiml.gateway.security.config;

import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.Set;
import lombok.Generated;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
import org.springframework.security.web.firewall.StrictHttpFirewall;
import org.springframework.security.web.util.matcher.RegexRequestMatcher;
import org.zowe.apiml.filter.AttlsFilter;
import org.zowe.apiml.filter.SecureConnectionFilter;
import org.zowe.apiml.gateway.controllers.SafResourceAccessController;
import org.zowe.apiml.gateway.error.controllers.InternalServerErrorController;
import org.zowe.apiml.gateway.security.login.FailedAccessTokenHandler;
import org.zowe.apiml.gateway.security.login.SuccessfulAccessTokenHandler;
import org.zowe.apiml.gateway.security.login.x509.X509AuthenticationProvider;
import org.zowe.apiml.gateway.security.query.QueryFilter;
import org.zowe.apiml.gateway.security.query.SuccessfulQueryHandler;
import org.zowe.apiml.gateway.security.query.TokenAuthenticationProvider;
import org.zowe.apiml.gateway.security.refresh.SuccessfulRefreshHandler;
import org.zowe.apiml.gateway.security.service.AuthenticationService;
import org.zowe.apiml.gateway.security.ticket.SuccessfulTicketHandler;
import org.zowe.apiml.gateway.services.ServicesInfoController;
import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
import org.zowe.apiml.security.common.config.CertificateAuthenticationProvider;
import org.zowe.apiml.security.common.config.HandlerInitializer;
import org.zowe.apiml.security.common.config.SimpleUserDetailService;
import org.zowe.apiml.security.common.content.BasicContentFilter;
import org.zowe.apiml.security.common.content.BearerContentFilter;
import org.zowe.apiml.security.common.content.CookieContentFilter;
import org.zowe.apiml.security.common.filter.CategorizeCertsFilter;
import org.zowe.apiml.security.common.filter.StoreAccessTokenInfoFilter;
import org.zowe.apiml.security.common.login.BasicAuthFilter;
import org.zowe.apiml.security.common.login.LoginFilter;
import org.zowe.apiml.security.common.login.NonCompulsoryAuthenticationProcessingFilter;
import org.zowe.apiml.security.common.login.ShouldBeAlreadyAuthenticatedFilter;
import org.zowe.apiml.security.common.login.X509AuthAwareFilter;

@ConditionalOnProperty(name = {"apiml.security.filterChainConfiguration"}, havingValue = "new", matchIfMissing = false)
@Configuration
@EnableWebSecurity
/* loaded from: input_file:org/zowe/apiml/gateway/security/config/NewSecurityConfiguration.class */
public class NewSecurityConfiguration {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(NewSecurityConfiguration.class);
    private final ObjectMapper securityObjectMapper;
    private final AuthenticationService authenticationService;
    private final AuthConfigurationProperties authConfigurationProperties;
    private final HandlerInitializer handlerInitializer;
    private final SuccessfulAccessTokenHandler successfulAuthAccessTokenHandler;
    private final SuccessfulQueryHandler successfulQueryHandler;
    private final SuccessfulTicketHandler successfulTicketHandler;
    private final SuccessfulRefreshHandler successfulRefreshHandler;
    private final FailedAccessTokenHandler failedAccessTokenHandler;

    @Qualifier("publicKeyCertificatesBase64")
    private final Set<String> publicKeyCertificatesBase64;
    private final X509AuthenticationProvider x509AuthenticationProvider;

    @Value("${server.attls.enabled:false}")
    private boolean isAttlsEnabled;

    @Value("${apiml.metrics.enabled:false}")
    private boolean isMetricsEnabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    @Configuration
    @Order(7)
    /* loaded from: input_file:org/zowe/apiml/gateway/security/config/NewSecurityConfiguration$AccessToken.class */
    public class AccessToken {
        private final CompoundAuthProvider compoundAuthProvider;
        private final AuthenticationProvider tokenAuthenticationProvider;

        /* JADX INFO: Access modifiers changed from: package-private */
        /**
         * Filter chain configuration for the access-token management endpoints that require an
         * authenticated caller: everything under the path returned by
         * {@code getRevokeMultipleAccessTokens()} and the exact path returned by
         * {@code getEvictAccessTokensAndRules()}.
         */
        @Configuration
        @Order(8)
        /* loaded from: input_file:org/zowe/apiml/gateway/security/config/NewSecurityConfiguration$AccessToken$AuthenticationProtectedEndpoints.class */
        public class AuthenticationProtectedEndpoints {
            // Authentication provider registered on this chain; supplied through the constructor.
            private final CompoundAuthProvider compoundAuthProvider;

            /* loaded from: input_file:org/zowe/apiml/gateway/security/config/NewSecurityConfiguration$AccessToken$AuthenticationProtectedEndpoints$CustomSecurityFilters.class */
            /** Configurer that places this chain's custom filters around Spring's X509AuthenticationFilter slot. */
            private class CustomSecurityFilters extends AbstractHttpConfigurer<CustomSecurityFilters, HttpSecurity> {
                private CustomSecurityFilters() {
                }

                /**
                 * Registers a CategorizeCertsFilter (built from the configured public-key set) and the
                 * Basic-auth login filter before X509AuthenticationFilter, and the X509-aware filter after it.
                 */
                public void configure(HttpSecurity httpSecurity) {
                    httpSecurity.addFilterBefore(new CategorizeCertsFilter(NewSecurityConfiguration.this.publicKeyCertificatesBase64), X509AuthenticationFilter.class).addFilterBefore(AuthenticationProtectedEndpoints.this.loginFilter(httpSecurity), X509AuthenticationFilter.class).addFilterAfter(AuthenticationProtectedEndpoints.this.x509AuthenticationFilter(), X509AuthenticationFilter.class);
                }
            }

            /**
             * Builds the chain for the revoke/evict endpoints.
             *
             * <p>Every request matched here must be authenticated ({@code anyRequest().authenticated()}).
             * Client-certificate support is switched on with {@code x509()}, credentials are checked by
             * {@code compoundAuthProvider}, and the filters from {@link CustomSecurityFilters} are applied.
             *
             * @param httpSecurity builder for this chain
             * @return the built chain
             * @throws Exception propagated from the Spring Security builder
             */
            @Bean
            public SecurityFilterChain authProtectedEndpointsFilterChain(HttpSecurity httpSecurity) throws Exception {
                // Decompiler output: the casts are artefacts of erased generics and are kept as emitted.
                ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) NewSecurityConfiguration.this.baseConfigure(((HttpSecurity.RequestMatcherConfigurer) httpSecurity.requestMatchers().antMatchers(new String[]{NewSecurityConfiguration.this.authConfigurationProperties.getRevokeMultipleAccessTokens() + "/**", NewSecurityConfiguration.this.authConfigurationProperties.getEvictAccessTokensAndRules()})).and()).authorizeRequests().anyRequest()).authenticated().and().x509().and().authenticationProvider(this.compoundAuthProvider).apply(new CustomSecurityFilters());
                return (SecurityFilterChain) httpSecurity.build();
            }

            /* JADX INFO: Access modifiers changed from: private */
            /**
             * Creates the BasicAuthFilter for pattern "/**", wired with the shared failure handler,
             * the security ObjectMapper, this chain's AuthenticationManager and the
             * resource-access exception handler.
             */
            // NOTE(review): the return type name suggests requests without Basic credentials are
            // passed on rather than rejected; confirm against BasicAuthFilter.
            public NonCompulsoryAuthenticationProcessingFilter loginFilter(HttpSecurity httpSecurity) {
                return new BasicAuthFilter("/**", NewSecurityConfiguration.this.handlerInitializer.getAuthenticationFailureHandler(), NewSecurityConfiguration.this.securityObjectMapper, (AuthenticationManager) httpSecurity.getSharedObject(AuthenticationManager.class), NewSecurityConfiguration.this.handlerInitializer.getResourceAccessExceptionHandler());
            }

            /* JADX INFO: Access modifiers changed from: private */
            /**
             * Creates the X509AuthAwareFilter for pattern "/**", constructed with the shared failure
             * handler and the gateway's X509AuthenticationProvider.
             */
            public org.zowe.apiml.security.common.login.X509AuthenticationFilter x509AuthenticationFilter() {
                return new X509AuthAwareFilter("/**", NewSecurityConfiguration.this.handlerInitializer.getAuthenticationFailureHandler(), NewSecurityConfiguration.this.x509AuthenticationProvider);
            }

            /** Stores the injected authentication provider. */
            @Generated
            public AuthenticationProtectedEndpoints(CompoundAuthProvider compoundAuthProvider) {
                this.compoundAuthProvider = compoundAuthProvider;
            }
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        /**
         * Filter chain configuration for endpoints that accept either a client certificate or
         * request-borne credentials: {@code /application/**}, POST to
         * {@code SafResourceAccessController.FULL_CONTEXT_PATH}, and {@code /gateway/services/**}.
         */
        @Configuration
        @Order(5)
        /* loaded from: input_file:org/zowe/apiml/gateway/security/config/NewSecurityConfiguration$AccessToken$CertificateOrAuthProtectedEndpoints.class */
        public class CertificateOrAuthProtectedEndpoints {
            private final CompoundAuthProvider compoundAuthProvider;
            private final AuthenticationProvider tokenAuthenticationProvider;
            // Handed to each content filter below. This list is maintained separately from the
            // antMatchers in certificateOrAuthEndpointsFilterChain.
            // NOTE(review): presumably the two lists have to stay in step; confirm how the
            // content filters use this array.
            private final String[] protectedEndpoints = {"/application", SafResourceAccessController.FULL_CONTEXT_PATH, ServicesInfoController.SERVICES_URL};

            /* loaded from: input_file:org/zowe/apiml/gateway/security/config/NewSecurityConfiguration$AccessToken$CertificateOrAuthProtectedEndpoints$CustomSecurityFilters.class */
            /**
             * Configurer that adds the Basic, cookie and bearer content filters ahead of
             * Spring's X509AuthenticationFilter.
             */
            private class CustomSecurityFilters extends AbstractHttpConfigurer<CustomSecurityFilters, HttpSecurity> {
                private CustomSecurityFilters() {
                }

                /** Registers the three content filters, all sharing this chain's AuthenticationManager. */
                public void configure(HttpSecurity httpSecurity) throws Exception {
                    AuthenticationManager authenticationManager = (AuthenticationManager) httpSecurity.getSharedObject(AuthenticationManager.class);
                    httpSecurity.addFilterBefore(basicFilter(authenticationManager), X509AuthenticationFilter.class).addFilterBefore(cookieFilter(authenticationManager), X509AuthenticationFilter.class).addFilterBefore(bearerContentFilter(authenticationManager), X509AuthenticationFilter.class);
                }

                /** Builds the BasicContentFilter for the protected endpoints. */
                private BasicContentFilter basicFilter(AuthenticationManager authenticationManager) {
                    return new BasicContentFilter(authenticationManager, NewSecurityConfiguration.this.handlerInitializer.getAuthenticationFailureHandler(), NewSecurityConfiguration.this.handlerInitializer.getResourceAccessExceptionHandler(), CertificateOrAuthProtectedEndpoints.this.protectedEndpoints);
                }

                /** Builds the CookieContentFilter; unlike its siblings it also receives the auth configuration properties. */
                // NOTE(review): baseConfigure() disables CSRF protection, so state-changing requests
                // on this chain (e.g. the POST matcher) that authenticate by cookie rely on the
                // cookie's own attributes; confirm the cookie is issued with a restrictive SameSite.
                private CookieContentFilter cookieFilter(AuthenticationManager authenticationManager) {
                    return new CookieContentFilter(authenticationManager, NewSecurityConfiguration.this.handlerInitializer.getAuthenticationFailureHandler(), NewSecurityConfiguration.this.handlerInitializer.getResourceAccessExceptionHandler(), NewSecurityConfiguration.this.authConfigurationProperties, CertificateOrAuthProtectedEndpoints.this.protectedEndpoints);
                }

                /** Builds the BearerContentFilter for the protected endpoints. */
                private BearerContentFilter bearerContentFilter(AuthenticationManager authenticationManager) {
                    return new BearerContentFilter(authenticationManager, NewSecurityConfiguration.this.handlerInitializer.getAuthenticationFailureHandler(), NewSecurityConfiguration.this.handlerInitializer.getResourceAccessExceptionHandler(), CertificateOrAuthProtectedEndpoints.this.protectedEndpoints);
                }
            }

            /**
             * Builds the chain for the certificate-or-credentials endpoints.
             *
             * <p>All matched requests must be authenticated and logout handling is disabled.
             * {@code x509()} is always enabled; when AT-TLS is on, the reversed
             * CategorizeCertsFilter is additionally placed before X509AuthenticationFilter.
             * Three providers are registered: the compound provider, the token provider and a
             * new CertificateAuthenticationProvider.
             *
             * <p>{@code /application/health}, {@code /application/info} and
             * {@code /application/version} are listed in the {@code ignoring()} set of
             * {@code webSecurityCustomizer()}, so they are never evaluated by this chain even
             * though {@code /application/**} matches them.
             *
             * @param httpSecurity builder for this chain
             * @return the built chain
             * @throws Exception propagated from the Spring Security builder
             */
            @Bean
            public SecurityFilterChain certificateOrAuthEndpointsFilterChain(HttpSecurity httpSecurity) throws Exception {
                // Decompiler output: the casts are artefacts of erased generics and are kept as emitted.
                ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) NewSecurityConfiguration.this.baseConfigure(((HttpSecurity.RequestMatcherConfigurer) ((HttpSecurity.RequestMatcherConfigurer) ((HttpSecurity.RequestMatcherConfigurer) httpSecurity.requestMatchers().antMatchers(new String[]{"/application/**"})).antMatchers(HttpMethod.POST, new String[]{SafResourceAccessController.FULL_CONTEXT_PATH})).antMatchers(new String[]{"/gateway/services/**"})).and()).authorizeRequests().anyRequest()).authenticated().and().logout().disable();
                if (NewSecurityConfiguration.this.isAttlsEnabled) {
                    httpSecurity.x509().and().addFilterBefore(reversedCategorizeCertFilter(), X509AuthenticationFilter.class);
                } else {
                    // Without AT-TLS no CategorizeCertsFilter is installed on this chain.
                    httpSecurity.x509();
                }
                return (SecurityFilterChain) httpSecurity.authenticationProvider(this.compoundAuthProvider).authenticationProvider(this.tokenAuthenticationProvider).authenticationProvider(new CertificateAuthenticationProvider()).apply(new CustomSecurityFilters()).and().build();
            }

            /**
             * Creates a CategorizeCertsFilter with both predicates overridden: a certificate counts
             * as "for client auth" only when its Base64-encoded public key is in the filter's
             * configured set, and as "not for client auth" in exactly the opposite case.
             */
            // NOTE(review): "reversed" is presumably relative to the filter's default predicates;
            // confirm against CategorizeCertsFilter that the allow-list semantics here are the
            // intended ones for AT-TLS deployments.
            private CategorizeCertsFilter reversedCategorizeCertFilter() {
                CategorizeCertsFilter categorizeCertsFilter = new CategorizeCertsFilter(NewSecurityConfiguration.this.publicKeyCertificatesBase64);
                categorizeCertsFilter.setCertificateForClientAuth(x509Certificate -> {
                    return categorizeCertsFilter.getPublicKeyCertificatesBase64().contains(categorizeCertsFilter.base64EncodePublicKey(x509Certificate));
                });
                categorizeCertsFilter.setNotCertificateForClientAuth(x509Certificate2 -> {
                    return !categorizeCertsFilter.getPublicKeyCertificatesBase64().contains(categorizeCertsFilter.base64EncodePublicKey(x509Certificate2));
                });
                return categorizeCertsFilter;
            }

            /** Stores the injected compound and token authentication providers. */
            @Generated
            public CertificateOrAuthProtectedEndpoints(CompoundAuthProvider compoundAuthProvider, AuthenticationProvider authenticationProvider) {
                this.compoundAuthProvider = compoundAuthProvider;
                this.tokenAuthenticationProvider = authenticationProvider;
            }
        }

        /**
         * Filter chain configuration for endpoints that are reachable with a client certificate
         * only: DELETE on {@code /gateway/cache/services/**}, and any method on
         * {@code /gateway/auth/invalidate/**} and {@code /gateway/auth/distribute/**}.
         */
        @Configuration
        @Order(4)
        /* loaded from: input_file:org/zowe/apiml/gateway/security/config/NewSecurityConfiguration$AccessToken$CertificateProtectedEndpoints.class */
        class CertificateProtectedEndpoints {
            /**
             * Builds the certificate-only chain: every matched request must be authenticated,
             * logout handling is disabled, and authentication is Spring's stock {@code x509()}
             * backed by a new SimpleUserDetailService. No other authentication provider or custom
             * filter is registered here.
             *
             * @param httpSecurity builder for this chain
             * @return the built chain
             * @throws Exception propagated from the Spring Security builder
             */
            // NOTE(review): the only authorization rule is authenticated(), so what
            // SimpleUserDetailService accepts decides who may call these cache, invalidate and
            // distribute endpoints; confirm it is restrictive enough. No CategorizeCertsFilter is
            // installed on this chain (several sibling chains add one before
            // X509AuthenticationFilter); confirm that is intentional.
            @Bean
            public SecurityFilterChain certificateEndpointsFilterChain(HttpSecurity httpSecurity) throws Exception {
                return (SecurityFilterChain) ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) NewSecurityConfiguration.this.baseConfigure(((HttpSecurity.RequestMatcherConfigurer) ((HttpSecurity.RequestMatcherConfigurer) httpSecurity.requestMatchers().antMatchers(HttpMethod.DELETE, new String[]{"/gateway/cache/services/**"})).antMatchers(new String[]{"/gateway/auth/invalidate/**", "/gateway/auth/distribute/**"})).and()).authorizeRequests().anyRequest()).authenticated().and().logout().disable().x509().userDetailsService(new SimpleUserDetailService()).and().build();
            }

            /** No state to initialise. */
            @Generated
            public CertificateProtectedEndpoints() {
            }
        }

        /* loaded from: input_file:org/zowe/apiml/gateway/security/config/NewSecurityConfiguration$AccessToken$CustomSecurityFilters.class */
        /**
         * Configurer for the access-token endpoint chain. It places the certificate
         * categorisation, token-info storage and login filters before Spring's
         * X509AuthenticationFilter, and the gateway's X509 filter plus the
         * ShouldBeAlreadyAuthenticatedFilter after it.
         */
        private class CustomSecurityFilters extends AbstractHttpConfigurer<CustomSecurityFilters, HttpSecurity> {
            private CustomSecurityFilters() {
            }

            /** Registers the five filters described on the class, all for pattern "/**". */
            // NOTE(review): accessTokenFilterChain() authorizes with permitAll(), so rejecting
            // unauthenticated callers presumably falls to ShouldBeAlreadyAuthenticatedFilter at the
            // end of this sequence; confirm that filter fails closed.
            public void configure(HttpSecurity httpSecurity) throws Exception {
                httpSecurity.addFilterBefore(new CategorizeCertsFilter(NewSecurityConfiguration.this.publicKeyCertificatesBase64), X509AuthenticationFilter.class).addFilterBefore(new StoreAccessTokenInfoFilter(NewSecurityConfiguration.this.handlerInitializer.getUnAuthorizedHandler().getHandler()), X509AuthenticationFilter.class).addFilterBefore(accessTokenFilter("/**", (AuthenticationManager) httpSecurity.getSharedObject(AuthenticationManager.class)), X509AuthenticationFilter.class).addFilterAfter(x509AuthenticationFilter("/**"), X509AuthenticationFilter.class).addFilterAfter(new ShouldBeAlreadyAuthenticatedFilter("/**", NewSecurityConfiguration.this.handlerInitializer.getAuthenticationFailureHandler()), X509AuthenticationFilter.class);
            }

            /** Builds a LoginFilter whose success and failure handlers are the access-token specific ones. */
            private LoginFilter accessTokenFilter(String str, AuthenticationManager authenticationManager) {
                return new LoginFilter(str, NewSecurityConfiguration.this.successfulAuthAccessTokenHandler, NewSecurityConfiguration.this.failedAccessTokenHandler, NewSecurityConfiguration.this.securityObjectMapper, authenticationManager, NewSecurityConfiguration.this.handlerInitializer.getResourceAccessExceptionHandler());
            }

            /** Builds the gateway X509 filter that reports success through the access-token success handler. */
            private org.zowe.apiml.security.common.login.X509AuthenticationFilter x509AuthenticationFilter(String str) {
                return new org.zowe.apiml.security.common.login.X509AuthenticationFilter(str, NewSecurityConfiguration.this.successfulAuthAccessTokenHandler, NewSecurityConfiguration.this.x509AuthenticationProvider);
            }
        }

        /**
         * Web-level settings that apply to every chain: the HTTP firewall and the paths that
         * Spring Security does not process at all.
         */
        @Configuration
        @Order(100)
        /* loaded from: input_file:org/zowe/apiml/gateway/security/config/NewSecurityConfiguration$AccessToken$DefaultSecurity.class */
        class DefaultSecurity {
            /**
             * Installs a relaxed {@link StrictHttpFirewall} and declares the ignored paths.
             *
             * <p>Five of the firewall's rejections are switched off: semicolons, backslashes and
             * URL-encoded slash, percent and period are all allowed through. Paths carrying those
             * sequences therefore reach the ant matchers of every chain in this configuration.
             *
             * <p>Paths passed to {@code ignoring()} skip the Spring Security filter chain
             * entirely, so none of the settings from {@code baseConfigure} (for example the HSTS
             * header) are applied to them.
             *
             * @return customizer applied to the application's WebSecurity
             */
            // NOTE(review): with these relaxations, confirm that the path-based rules above and
            // the services behind the gateway decode and normalise request paths the same way.
            @Bean
            public WebSecurityCustomizer webSecurityCustomizer() {
                StrictHttpFirewall firewall = new StrictHttpFirewall();
                firewall.setAllowSemicolon(true);
                firewall.setAllowBackSlash(true);
                firewall.setAllowUrlEncodedSlash(true);
                firewall.setAllowUrlEncodedPercent(true);
                firewall.setAllowUrlEncodedPeriod(true);
                return web -> {
                    web.httpFirewall(firewall);
                    // Error pages, health/info/version and the public-key endpoints are served
                    // without any security filter.
                    web.ignoring().antMatchers(
                        InternalServerErrorController.ERROR_ENDPOINT,
                        "/error",
                        "/application/health",
                        "/application/info",
                        "/application/version",
                        "/gateway/auth/keys/public/all",
                        "/gateway/auth/keys/public/current");
                    if (NewSecurityConfiguration.this.isMetricsEnabled) {
                        // The metrics stream is exposed unauthenticated only when metrics are enabled.
                        web.ignoring().antMatchers("/application/hystrix.stream");
                    }
                };
            }

            /** No state to initialise. */
            @Generated
            public DefaultSecurity() {
            }
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        /**
         * Filter chain configuration for the token query endpoint, in both its current and its
         * old-format path.
         */
        @Configuration
        @Order(2)
        /* loaded from: input_file:org/zowe/apiml/gateway/security/config/NewSecurityConfiguration$AccessToken$Query.class */
        public class Query {
            private final TokenAuthenticationProvider tokenAuthenticationProvider;

            /* loaded from: input_file:org/zowe/apiml/gateway/security/config/NewSecurityConfiguration$AccessToken$Query$CustomSecurityFilters.class */
            /** Configurer that adds the query filter ahead of UsernamePasswordAuthenticationFilter. */
            private class CustomSecurityFilters extends AbstractHttpConfigurer<CustomSecurityFilters, HttpSecurity> {
                private CustomSecurityFilters() {
                }

                /** Registers the query filter for pattern "/**" with this chain's AuthenticationManager. */
                public void configure(HttpSecurity httpSecurity) throws Exception {
                    httpSecurity.addFilterBefore(queryFilter("/**", (AuthenticationManager) httpSecurity.getSharedObject(AuthenticationManager.class)), UsernamePasswordAuthenticationFilter.class);
                }

                /**
                 * Builds a QueryFilter for HTTP GET with the query success handler. The boolean
                 * argument is passed as {@code false}; its meaning is defined by QueryFilter and
                 * is not visible in this file.
                 */
                private QueryFilter queryFilter(String str, AuthenticationManager authenticationManager) {
                    return new QueryFilter(str, NewSecurityConfiguration.this.successfulQueryHandler, NewSecurityConfiguration.this.handlerInitializer.getAuthenticationFailureHandler(), NewSecurityConfiguration.this.authenticationService, HttpMethod.GET, false, authenticationManager);
                }
            }

            /**
             * Builds the query chain: matched requests must be authenticated, the token provider is
             * the only authentication provider, logout handling is disabled, and
             * {@link CustomSecurityFilters} is applied. {@code x509()} is not enabled on this chain.
             *
             * @param httpSecurity builder for this chain
             * @return the built chain
             * @throws Exception propagated from the Spring Security builder
             */
            @Bean
            public SecurityFilterChain queryFilterChain(HttpSecurity httpSecurity) throws Exception {
                // Decompiler output: the casts are artefacts of erased generics and are kept as emitted.
                ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) NewSecurityConfiguration.this.baseConfigure(((HttpSecurity.RequestMatcherConfigurer) httpSecurity.requestMatchers().antMatchers(new String[]{NewSecurityConfiguration.this.authConfigurationProperties.getGatewayQueryEndpoint(), NewSecurityConfiguration.this.authConfigurationProperties.getGatewayQueryEndpointOldFormat()})).and()).authorizeRequests().anyRequest()).authenticated().and().authenticationProvider(this.tokenAuthenticationProvider).logout().disable().apply(new CustomSecurityFilters());
                return (SecurityFilterChain) httpSecurity.build();
            }

            /** Stores the injected token authentication provider. */
            @Generated
            public Query(TokenAuthenticationProvider tokenAuthenticationProvider) {
                this.tokenAuthenticationProvider = tokenAuthenticationProvider;
            }
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        /**
         * Filter chain configuration for the token refresh endpoint (current and old-format
         * path). The whole configuration is active only when
         * {@code apiml.security.allowTokenRefresh} is {@code true}.
         */
        @Configuration
        @ConditionalOnProperty(name = {"apiml.security.allowTokenRefresh"}, havingValue = "true")
        @Order(6)
        /* loaded from: input_file:org/zowe/apiml/gateway/security/config/NewSecurityConfiguration$AccessToken$Refresh.class */
        public class Refresh {
            private final AuthenticationProvider tokenAuthenticationProvider;

            /* loaded from: input_file:org/zowe/apiml/gateway/security/config/NewSecurityConfiguration$AccessToken$Refresh$CustomSecurityFilters.class */
            /** Configurer that adds the refresh filter ahead of UsernamePasswordAuthenticationFilter. */
            private class CustomSecurityFilters extends AbstractHttpConfigurer<CustomSecurityFilters, HttpSecurity> {
                private CustomSecurityFilters() {
                }

                /** Registers the refresh filter for pattern "/**" with this chain's AuthenticationManager. */
                public void configure(HttpSecurity httpSecurity) throws Exception {
                    httpSecurity.addFilterBefore(refreshFilter("/**", (AuthenticationManager) httpSecurity.getSharedObject(AuthenticationManager.class)), UsernamePasswordAuthenticationFilter.class);
                }

                /**
                 * Builds a QueryFilter for HTTP POST with the refresh success handler. The boolean
                 * argument is passed as {@code true}; its meaning is defined by QueryFilter and is
                 * not visible in this file.
                 */
                private QueryFilter refreshFilter(String str, AuthenticationManager authenticationManager) {
                    return new QueryFilter(str, NewSecurityConfiguration.this.successfulRefreshHandler, NewSecurityConfiguration.this.handlerInitializer.getAuthenticationFailureHandler(), NewSecurityConfiguration.this.authenticationService, HttpMethod.POST, true, authenticationManager);
                }
            }

            /**
             * Builds the refresh chain: matched requests must be authenticated, the token provider
             * is registered, logout handling is disabled, and {@code x509()} is enabled with a new
             * SimpleUserDetailService before {@link CustomSecurityFilters} is applied.
             *
             * @param httpSecurity builder for this chain
             * @return the built chain
             * @throws Exception propagated from the Spring Security builder
             */
            // NOTE(review): because x509() is enabled next to the token provider, confirm whether a
            // client certificate alone is meant to satisfy authenticated() on this endpoint or
            // whether QueryFilter additionally demands a valid token.
            @Bean
            public SecurityFilterChain refreshFilterChain(HttpSecurity httpSecurity) throws Exception {
                ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) NewSecurityConfiguration.this.baseConfigure(((HttpSecurity.RequestMatcherConfigurer) httpSecurity.requestMatchers().antMatchers(new String[]{NewSecurityConfiguration.this.authConfigurationProperties.getGatewayRefreshEndpoint(), NewSecurityConfiguration.this.authConfigurationProperties.getGatewayRefreshEndpointOldFormat()})).and()).authorizeRequests().anyRequest()).authenticated().and().authenticationProvider(this.tokenAuthenticationProvider).logout().disable().x509().userDetailsService(new SimpleUserDetailService()).and().apply(new CustomSecurityFilters());
                return (SecurityFilterChain) httpSecurity.build();
            }

            /** Stores the injected token authentication provider. */
            @Generated
            public Refresh(AuthenticationProvider authenticationProvider) {
                this.tokenAuthenticationProvider = authenticationProvider;
            }
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        /**
         * Filter chain configuration for the ticket endpoint, in both its current and its
         * old-format path.
         */
        @Configuration
        @Order(3)
        /* loaded from: input_file:org/zowe/apiml/gateway/security/config/NewSecurityConfiguration$AccessToken$Ticket.class */
        public class Ticket {
            private final AuthenticationProvider tokenAuthenticationProvider;

            /* loaded from: input_file:org/zowe/apiml/gateway/security/config/NewSecurityConfiguration$AccessToken$Ticket$CustomSecurityFilters.class */
            /** Configurer that adds the ticket filter ahead of UsernamePasswordAuthenticationFilter. */
            private class CustomSecurityFilters extends AbstractHttpConfigurer<CustomSecurityFilters, HttpSecurity> {
                private CustomSecurityFilters() {
                }

                /** Registers the ticket filter for pattern "/**" with this chain's AuthenticationManager. */
                public void configure(HttpSecurity httpSecurity) throws Exception {
                    httpSecurity.addFilterBefore(ticketFilter("/**", (AuthenticationManager) httpSecurity.getSharedObject(AuthenticationManager.class)), UsernamePasswordAuthenticationFilter.class);
                }

                /**
                 * Builds a QueryFilter for HTTP POST with the ticket success handler. The boolean
                 * argument is passed as {@code true}; its meaning is defined by QueryFilter and is
                 * not visible in this file.
                 */
                private QueryFilter ticketFilter(String str, AuthenticationManager authenticationManager) {
                    return new QueryFilter(str, NewSecurityConfiguration.this.successfulTicketHandler, NewSecurityConfiguration.this.handlerInitializer.getAuthenticationFailureHandler(), NewSecurityConfiguration.this.authenticationService, HttpMethod.POST, true, authenticationManager);
                }
            }

            /**
             * Builds the ticket chain: matched requests must be authenticated, the token provider
             * is registered, logout handling is disabled, and {@code x509()} is enabled with a new
             * SimpleUserDetailService before {@link CustomSecurityFilters} is applied.
             *
             * @param httpSecurity builder for this chain
             * @return the built chain
             * @throws Exception propagated from the Spring Security builder
             */
            // NOTE(review): this endpoint issues tickets, so confirm which credential is actually
            // required here: x509() is enabled alongside the token provider, and the listing does
            // not show whether a certificate alone is sufficient.
            @Bean
            public SecurityFilterChain ticketFilterChain(HttpSecurity httpSecurity) throws Exception {
                ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) NewSecurityConfiguration.this.baseConfigure(((HttpSecurity.RequestMatcherConfigurer) httpSecurity.requestMatchers().antMatchers(new String[]{NewSecurityConfiguration.this.authConfigurationProperties.getGatewayTicketEndpoint(), NewSecurityConfiguration.this.authConfigurationProperties.getGatewayTicketEndpointOldFormat()})).and()).authorizeRequests().anyRequest()).authenticated().and().authenticationProvider(this.tokenAuthenticationProvider).logout().disable().x509().userDetailsService(new SimpleUserDetailService()).and().apply(new CustomSecurityFilters());
                return (SecurityFilterChain) httpSecurity.build();
            }

            /** Stores the injected token authentication provider. */
            @Generated
            public Ticket(AuthenticationProvider authenticationProvider) {
                this.tokenAuthenticationProvider = authenticationProvider;
            }
        }

        /**
         * Builds the chain for the access-token generation endpoint
         * ({@code getGatewayAccessTokenEndpoint()}).
         *
         * <p>The authorization rule is {@code permitAll()}, so Spring's authorization layer
         * rejects nothing here; any enforcement comes from the filters that
         * {@link CustomSecurityFilters} installs. {@code x509()} is enabled and three providers
         * are registered: compound, token, and a new CertificateAuthenticationProvider.
         *
         * @param httpSecurity builder for this chain
         * @return the built chain
         * @throws Exception propagated from the Spring Security builder
         */
        @Bean
        public SecurityFilterChain accessTokenFilterChain(HttpSecurity httpSecurity) throws Exception {
            // Decompiler output: the casts are artefacts of erased generics and are kept as emitted.
            ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) NewSecurityConfiguration.this.baseConfigure(((HttpSecurity.RequestMatcherConfigurer) httpSecurity.requestMatchers().antMatchers(new String[]{NewSecurityConfiguration.this.authConfigurationProperties.getGatewayAccessTokenEndpoint()})).and()).authorizeRequests().anyRequest()).permitAll().and().x509().and().authenticationProvider(this.compoundAuthProvider).authenticationProvider(this.tokenAuthenticationProvider).authenticationProvider(new CertificateAuthenticationProvider()).apply(new CustomSecurityFilters());
            return (SecurityFilterChain) httpSecurity.build();
        }

        /**
         * Builds the catch-all chain: it matches {@code /**} (the additional
         * {@code /gateway/version} pattern is already covered by it), permits every request,
         * disables logout handling and adds a CategorizeCertsFilter before
         * AnonymousAuthenticationFilter. No authentication provider is registered.
         *
         * <p>Because it matches every path and permits everything, this chain is only safe if
         * all the more specific chains are consulted before it.
         *
         * @param httpSecurity builder for this chain
         * @return the built chain
         * @throws Exception propagated from the Spring Security builder
         */
        // NOTE(review): in this listing the bean lives in the class annotated @Order(7), while
        // AuthenticationProtectedEndpoints carries @Order(8). Confirm how these class-level
        // orders translate into SecurityFilterChain precedence, and that the revoke/evict
        // endpoints are not matched by this permitAll chain first.
        @Bean
        public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
            return (SecurityFilterChain) ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) NewSecurityConfiguration.this.baseConfigure(((HttpSecurity.RequestMatcherConfigurer) httpSecurity.requestMatchers().antMatchers(new String[]{"/**", "/gateway/version"})).and()).authorizeRequests().anyRequest()).permitAll().and().logout().disable().addFilterBefore(new CategorizeCertsFilter(NewSecurityConfiguration.this.publicKeyCertificatesBase64), AnonymousAuthenticationFilter.class).build();
        }

        /**
         * Stores the two injected providers used by {@code accessTokenFilterChain}.
         *
         * @param compoundAuthProvider provider registered first on the access-token chain
         * @param authenticationProvider stored as the token authentication provider
         */
        @Generated
        public AccessToken(CompoundAuthProvider compoundAuthProvider, AuthenticationProvider authenticationProvider) {
            this.compoundAuthProvider = compoundAuthProvider;
            this.tokenAuthenticationProvider = authenticationProvider;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Filter chain configuration for the login and logout endpoints, each in its current and
     * old-format path.
     */
    @Configuration
    @Order(1)
    /* loaded from: input_file:org/zowe/apiml/gateway/security/config/NewSecurityConfiguration$AuthenticationFunctionality.class */
    public class AuthenticationFunctionality {
        private final CompoundAuthProvider compoundAuthProvider;

        /* loaded from: input_file:org/zowe/apiml/gateway/security/config/NewSecurityConfiguration$AuthenticationFunctionality$CustomSecurityFilters.class */
        /**
         * Configurer for the login/logout chain. It places the certificate categorisation and
         * login filters before Spring's X509AuthenticationFilter, and the gateway's X509 filter
         * plus the ShouldBeAlreadyAuthenticatedFilter after it.
         */
        private class CustomSecurityFilters extends AbstractHttpConfigurer<CustomSecurityFilters, HttpSecurity> {
            private CustomSecurityFilters() {
            }

            /** Registers the four filters described on the class, all for pattern "/**". */
            public void configure(HttpSecurity httpSecurity) throws Exception {
                httpSecurity.addFilterBefore(new CategorizeCertsFilter(NewSecurityConfiguration.this.publicKeyCertificatesBase64), X509AuthenticationFilter.class).addFilterBefore(loginFilter("/**", (AuthenticationManager) httpSecurity.getSharedObject(AuthenticationManager.class)), X509AuthenticationFilter.class).addFilterAfter(x509AuthenticationFilter("/**"), X509AuthenticationFilter.class).addFilterAfter(new ShouldBeAlreadyAuthenticatedFilter("/**", NewSecurityConfiguration.this.handlerInitializer.getAuthenticationFailureHandler()), X509AuthenticationFilter.class);
            }

            /** Builds the LoginFilter with the shared successful-login and failure handlers. */
            private LoginFilter loginFilter(String str, AuthenticationManager authenticationManager) {
                return new LoginFilter(str, NewSecurityConfiguration.this.handlerInitializer.getSuccessfulLoginHandler(), NewSecurityConfiguration.this.handlerInitializer.getAuthenticationFailureHandler(), NewSecurityConfiguration.this.securityObjectMapper, authenticationManager, NewSecurityConfiguration.this.handlerInitializer.getResourceAccessExceptionHandler());
            }

            /** Builds the gateway X509 filter that reports success through the successful-login handler. */
            private org.zowe.apiml.security.common.login.X509AuthenticationFilter x509AuthenticationFilter(String str) {
                return new org.zowe.apiml.security.common.login.X509AuthenticationFilter(str, NewSecurityConfiguration.this.handlerInitializer.getSuccessfulLoginHandler(), NewSecurityConfiguration.this.x509AuthenticationProvider);
            }
        }

        /**
         * Builds the login/logout chain.
         *
         * <p>Authorization is {@code permitAll()}; {@code x509()} is enabled; the compound
         * provider and a new CertificateAuthenticationProvider are registered. Logout is
         * triggered by a POST that matches either logout path, runs the JWT logout handler and
         * answers with HTTP 204 (No Content).
         *
         * @param httpSecurity builder for this chain
         * @return the built chain
         * @throws Exception propagated from the Spring Security builder
         */
        // NOTE(review): the two logout paths are interpolated into a regular expression without
        // escaping, so a regex metacharacter in a configured path (for example '.') is read as
        // pattern syntax and widens the match. Consider quoting the values, bearing in mind that
        // the same getters also feed antMatchers in this statement.
        @Bean
        public SecurityFilterChain authenticationFunctionalityFilterChain(HttpSecurity httpSecurity) throws Exception {
            ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) NewSecurityConfiguration.this.baseConfigure(((HttpSecurity.RequestMatcherConfigurer) httpSecurity.requestMatchers().antMatchers(new String[]{NewSecurityConfiguration.this.authConfigurationProperties.getGatewayLoginEndpoint(), NewSecurityConfiguration.this.authConfigurationProperties.getGatewayLoginEndpointOldFormat(), NewSecurityConfiguration.this.authConfigurationProperties.getGatewayLogoutEndpoint(), NewSecurityConfiguration.this.authConfigurationProperties.getGatewayLogoutEndpointOldFormat()})).and()).authorizeRequests().anyRequest()).permitAll().and().x509().and().logout().logoutRequestMatcher(new RegexRequestMatcher(String.format("(%s|%s)", NewSecurityConfiguration.this.authConfigurationProperties.getGatewayLogoutEndpoint(), NewSecurityConfiguration.this.authConfigurationProperties.getGatewayLogoutEndpointOldFormat()), HttpMethod.POST.name())).addLogoutHandler(logoutHandler()).logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler(HttpStatus.NO_CONTENT)).and().authenticationProvider(this.compoundAuthProvider).authenticationProvider(new CertificateAuthenticationProvider()).apply(new CustomSecurityFilters());
            return (SecurityFilterChain) httpSecurity.build();
        }

        /** Creates the JWTLogoutHandler from the authentication service and the shared failure handler. */
        private LogoutHandler logoutHandler() {
            return new JWTLogoutHandler(NewSecurityConfiguration.this.authenticationService, NewSecurityConfiguration.this.handlerInitializer.getAuthenticationFailureHandler());
        }

        /** Stores the injected authentication provider. */
        @Generated
        public AuthenticationFunctionality(CompoundAuthProvider compoundAuthProvider) {
            this.compoundAuthProvider = compoundAuthProvider;
        }
    }

    /**
     * Applies the settings shared by every filter chain in this configuration and returns the
     * same builder for further chaining.
     *
     * <p>With AT-TLS enabled, an AttlsFilter is placed before X509AuthenticationFilter and a
     * SecureConnectionFilter before the AttlsFilter. Independently of AT-TLS the builder gets:
     * CORS support, CSRF protection disabled, the HSTS header enabled, the X-Frame-Options
     * header disabled, stateless session management, and the Basic-auth "unauthorized" handler
     * as authentication entry point.
     *
     * @param httpSecurity builder of the chain being configured
     * @return the configured builder
     * @throws Exception propagated from the Spring Security builder
     */
    // NOTE(review): CSRF protection is off while at least one chain accepts cookie credentials
    // (CookieContentFilter), and framing protection is off as well; confirm both are covered
    // elsewhere (cookie attributes, a frame-ancestors policy) for endpoints served to browsers.
    protected HttpSecurity baseConfigure(HttpSecurity httpSecurity) throws Exception {
        if (this.isAttlsEnabled) {
            // AttlsFilter goes in first because SecureConnectionFilter is positioned relative to it.
            httpSecurity
                .addFilterBefore(new AttlsFilter(), X509AuthenticationFilter.class)
                .addFilterBefore(new SecureConnectionFilter(), AttlsFilter.class);
        }
        return httpSecurity
            .cors()
            .and()
            .csrf().disable()
            .headers()
                .httpStrictTransportSecurity()
                .and()
                .frameOptions().disable()
            .and()
            .exceptionHandling()
                .authenticationEntryPoint(this.handlerInitializer.getBasicAuthUnauthorizedHandler())
            .and()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // The entry point is set a second time here, exactly as in the original chain.
            .exceptionHandling()
                .authenticationEntryPoint(this.handlerInitializer.getBasicAuthUnauthorizedHandler())
            .and();
    }

    /**
     * Stores the collaborators shared by all nested filter chain configurations.
     *
     * @param objectMapper stored as the security ObjectMapper handed to the login filters
     * @param authenticationService service passed to the query/refresh/ticket filters and the logout handler
     * @param authConfigurationProperties source of the endpoint paths used in the request matchers
     * @param handlerInitializer source of the shared success, failure and exception handlers
     * @param successfulAccessTokenHandler success handler for the access-token endpoint
     * @param successfulQueryHandler success handler for the query endpoint
     * @param successfulTicketHandler success handler for the ticket endpoint
     * @param successfulRefreshHandler success handler for the refresh endpoint
     * @param failedAccessTokenHandler failure handler for the access-token endpoint
     * @param set Base64-encoded public keys given to every CategorizeCertsFilter
     * @param x509AuthenticationProvider provider given to the gateway's X509 filters
     */
    // NOTE(review): in this listing @Qualifier("publicKeyCertificatesBase64") appears on the
    // field only, not on the constructor parameter. Confirm the built class qualifies the
    // parameter too (for Lombok-generated constructors the annotation has to be listed in
    // lombok.copyableAnnotations); otherwise Spring resolves the Set<String> by type alone.
    @Generated
    public NewSecurityConfiguration(ObjectMapper objectMapper, AuthenticationService authenticationService, AuthConfigurationProperties authConfigurationProperties, HandlerInitializer handlerInitializer, SuccessfulAccessTokenHandler successfulAccessTokenHandler, SuccessfulQueryHandler successfulQueryHandler, SuccessfulTicketHandler successfulTicketHandler, SuccessfulRefreshHandler successfulRefreshHandler, FailedAccessTokenHandler failedAccessTokenHandler, Set<String> set, X509AuthenticationProvider x509AuthenticationProvider) {
        this.securityObjectMapper = objectMapper;
        this.authenticationService = authenticationService;
        this.authConfigurationProperties = authConfigurationProperties;
        this.handlerInitializer = handlerInitializer;
        this.successfulAuthAccessTokenHandler = successfulAccessTokenHandler;
        this.successfulQueryHandler = successfulQueryHandler;
        this.successfulTicketHandler = successfulTicketHandler;
        this.successfulRefreshHandler = successfulRefreshHandler;
        this.failedAccessTokenHandler = failedAccessTokenHandler;
        this.publicKeyCertificatesBase64 = set;
        this.x509AuthenticationProvider = x509AuthenticationProvider;
    }
}
