package com.hazelcast.webmonitor.config;

import com.hazelcast.internal.auditlog.AuditlogService;
import com.hazelcast.webmonitor.auditlog.impl.EventLogTypeIds;
import com.hazelcast.webmonitor.configreplacer.SystemProperties;
import com.hazelcast.webmonitor.security.CustomAccessDeniedHandler;
import com.hazelcast.webmonitor.security.CustomAuthenticationFailureHandler;
import com.hazelcast.webmonitor.security.CustomAuthenticationSuccessHandler;
import com.hazelcast.webmonitor.security.DevModeAuthenticationFilter;
import com.hazelcast.webmonitor.security.LoginListener;
import com.hazelcast.webmonitor.security.spi.impl.AuthenticationManagerImpl;
import com.hazelcast.webmonitor.security.spi.impl.builtin.TokenBasedAuthenticationToken;
import com.hazelcast.webmonitor.service.AuthTokenManager;
import com.hazelcast.webmonitor.session.SessionControlAuthenticationStrategy;
import com.hazelcast.webmonitor.utils.StringUtil;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationListener;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.session.SessionDestroyedEvent;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
import org.springframework.security.web.firewall.StrictHttpFirewall;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
import org.springframework.security.web.session.ConcurrentSessionFilter;
import org.springframework.security.web.session.SimpleRedirectSessionInformationExpiredStrategy;
import org.springframework.security.web.util.matcher.RequestMatcher;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/classes/com/hazelcast/webmonitor/config/SecurityConfig.class
 */
/**
 * Spring Security wiring for the web application (decompiled listing).
 *
 * <p>Two filter chains are declared as inner {@code WebSecurityConfigurerAdapter}s:
 * <ul>
 *   <li>{@link BasicAuthSecurityConfiguration} ({@code @Order(1)}) handles requests that carry an
 *       {@code Authorization: Basic...} header: stateless, CSRF disabled, every request needs a role.</li>
 *   <li>{@link DefaultSecurityConfiguration} ({@code @Order(2)}) handles everything else: session-based
 *       login through {@link LoginAuthenticationFilter}, CSRF enabled unless switched off by a
 *       system property, and role checks on {@code /main*} and {@code /api/**}.</li>
 * </ul>
 *
 * <p>The outer class also exposes the session registry, session authentication strategy, login filter,
 * concurrent-session filter and logout audit listener as beans.
 */
@EnableWebSecurity
/* loaded from: input_file:com/hazelcast/webmonitor/config/SecurityConfig.class */
public class SecurityConfig {
    // System property checked in DefaultSecurityConfiguration.configure(HttpSecurity); when it reads
    // as true, CSRF protection is disabled for the whole session-based chain.
    public static final String MC_DISABLE_CSRF_SYS_PROP = "hazelcast.mc.disable.csrf";
    // Same value as the HSTS max-age literal used in BasicAuthSecurityConfiguration.
    public static final int ONE_YEAR_IN_SECONDS = 31536000;
    private final CustomAuthenticationSuccessHandler successHandler;
    private final CustomAuthenticationFailureHandler failureHandler;
    // Notified by LoginAuthenticationFilter after an authenticated login attempt.
    private final List<LoginListener> loginListeners;
    // Used to look up the user name that belongs to a login token.
    private final AuthTokenManager authTokenManager;
    // Shared by both filter chains and by the login filter.
    private final AuthenticationManagerImpl authenticationManager;
    // Receives the "user logged out" audit event from SessionDestroyedListener.
    private final AuditlogService auditService;
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) SecurityConfig.class);
    // Role names accepted by both chains; hasAnyRole(...) is given this array unchanged.
    private static final String[] ALL_ROLES = {"ADMIN", "USER", "READONLY_USER", "METRICS_ONLY"};

    /* JADX WARN: Classes with same name are omitted:
      input_file:WEB-INF/classes/com/hazelcast/webmonitor/config/SecurityConfig$BasicAuthRequestMatcher.class
     */
    /* loaded from: input_file:com/hazelcast/webmonitor/config/SecurityConfig$BasicAuthRequestMatcher.class */
    /**
     * Selects the requests that are routed to the HTTP Basic filter chain.
     */
    private static class BasicAuthRequestMatcher implements RequestMatcher {
        private BasicAuthRequestMatcher() {
        }

        /**
         * Returns {@code true} when the request has an {@code Authorization} header whose value
         * starts with the literal {@code "Basic"}.
         *
         * <p>NOTE(review): the comparison is case-sensitive and has no trailing-space check. A header
         * using a differently-cased scheme (e.g. {@code basic}) is not selected and falls through to
         * the {@code @Order(2)} chain, while any scheme name that merely begins with {@code Basic} is
         * selected.
         */
        @Override // org.springframework.security.web.util.matcher.RequestMatcher
        public boolean matches(HttpServletRequest httpServletRequest) {
            String header = httpServletRequest.getHeader("Authorization");
            return header != null && header.startsWith("Basic");
        }
    }

    /* JADX WARN: Classes with same name are omitted:
      input_file:WEB-INF/classes/com/hazelcast/webmonitor/config/SecurityConfig$BasicAuthSecurityConfiguration.class
     */
    /**
     * First-priority chain: applies only to requests accepted by {@link BasicAuthRequestMatcher}.
     */
    @Configuration
    @Order(1)
    /* loaded from: input_file:com/hazelcast/webmonitor/config/SecurityConfig$BasicAuthSecurityConfiguration.class */
    public class BasicAuthSecurityConfiguration extends WebSecurityConfigurerAdapter {
        public BasicAuthSecurityConfiguration() {
        }

        /**
         * Configures the HTTP Basic chain, in the order written below:
         * HSTS with a max-age of 31536000 seconds; restriction to Basic-auth requests; CSRF disabled;
         * every request requires one of {@code ALL_ROLES}; HTTP Basic authentication;
         * {@code STATELESS} session policy; and a plain 401 entry point.
         *
         * <p>CSRF is off on this chain and credentials arrive in the {@code Authorization} header on
         * each request, so the confidentiality of this endpoint depends on the transport.
         * NOTE(review): whether TLS is enforced is not visible in this class.
         *
         * @param httpSecurity builder for this chain
         * @throws Exception propagated from the Spring Security configurers
         */
        /* JADX WARN: Multi-variable type inference failed */
        @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
        protected void configure(HttpSecurity httpSecurity) throws Exception {
            // The nested (HttpSecurity) casts are decompiler output around each .and() call.
            ((HttpSecurity) ((HttpSecurity) ((HttpSecurity) ((HttpSecurity) ((HttpSecurity) httpSecurity.headers().httpStrictTransportSecurity().maxAgeInSeconds(31536000L).and().and()).requestMatcher(new BasicAuthRequestMatcher()).csrf().disable()).authorizeRequests().anyRequest().hasAnyRole(SecurityConfig.ALL_ROLES).and()).httpBasic().and()).sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()).exceptionHandling().authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
        }

        /**
         * Uses the outer class's authentication manager instead of the adapter's default.
         */
        @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
        protected AuthenticationManager authenticationManager() {
            return SecurityConfig.this.authenticationManager;
        }
    }

    /* JADX WARN: Classes with same name are omitted:
      input_file:WEB-INF/classes/com/hazelcast/webmonitor/config/SecurityConfig$DefaultSecurityConfiguration.class
     */
    /**
     * Second-priority chain: has no request matcher of its own, so it handles the requests that the
     * {@code @Order(1)} chain did not select.
     */
    @Configuration
    @Order(2)
    /* loaded from: input_file:com/hazelcast/webmonitor/config/SecurityConfig$DefaultSecurityConfiguration.class */
    public class DefaultSecurityConfiguration extends WebSecurityConfigurerAdapter {
        public DefaultSecurityConfiguration() {
        }

        /**
         * Web-level settings: installs a firewall that accepts URL-encoded slashes and excludes
         * {@code /rest/**} and {@code /api/buildInfo} from Spring Security.
         *
         * <p>Paths listed under {@code ignoring()} bypass the security filter chain entirely, so none
         * of the authentication, CSRF or header rules in this class apply to them.
         * NOTE(review): any access control for {@code /rest/**} has to be enforced elsewhere; it is
         * not visible here.
         *
         * @param webSecurity builder for web-level security settings
         */
        @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter, org.springframework.security.config.annotation.SecurityConfigurer
        public void configure(WebSecurity webSecurity) {
            StrictHttpFirewall strictHttpFirewall = new StrictHttpFirewall();
            // Relaxes the firewall default, which rejects an encoded "/" (%2F) in the request path.
            strictHttpFirewall.setAllowUrlEncodedSlash(true);
            webSecurity.ignoring().antMatchers("/rest/**").antMatchers("/api/buildInfo").and().httpFirewall(strictHttpFirewall);
        }

        /**
         * Configures the session-based chain, in the order written below:
         * <ol>
         *   <li>CSRF protection, with {@code /saml/sso**} and {@code /oidc/sso**} exempted;</li>
         *   <li>{@code WebAsyncManagerIntegrationFilter}, session management, security context and
         *       servlet API integration;</li>
         *   <li>logout redirecting to {@code /login.html};</li>
         *   <li>{@code CustomAccessDeniedHandler} for denied access and a plain 401 entry point;</li>
         *   <li>the login filter from {@code authenticationFilter()} at the
         *       {@code BasicAuthenticationFilter} position;</li>
         *   <li>{@code X-Frame-Options: SAMEORIGIN} and a Content-Security-Policy header;</li>
         *   <li>the concurrent-session filter and {@code DevModeAuthenticationFilter} (placed before
         *       {@code AnonymousAuthenticationFilter});</li>
         *   <li>{@code /main*} and {@code /api/**} require one of {@code ALL_ROLES}.</li>
         * </ol>
         * No authorization rule is declared here for any other path.
         *
         * <p>The CSP value sets only {@code script-src} and includes {@code 'unsafe-inline'} and
         * {@code 'unsafe-eval'}, so it does not stop inline or eval-based script execution.
         *
         * @param httpSecurity builder for this chain
         * @throws Exception propagated from the Spring Security configurers
         */
        /* JADX WARN: Multi-variable type inference failed */
        @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
        protected void configure(HttpSecurity httpSecurity) throws Exception {
            AuthenticationManagerImpl authenticationManagerImpl = SecurityConfig.this.authenticationManager;
            // Most likely the compiler's implicit null check for the bound method reference
            // authenticationManagerImpl::isDevModeActive used below; the result is discarded.
            authenticationManagerImpl.getClass();
            // NOTE(review): DevModeAuthenticationFilter is driven by isDevModeActive; what it grants
            // when dev mode is active is defined in that class, not here.
            ((HttpSecurity) ((HttpSecurity) ((HttpSecurity) ((HttpSecurity) ((HttpSecurity) ((HttpSecurity) ((HttpSecurity) httpSecurity.csrf().ignoringAntMatchers("/saml/sso**").ignoringAntMatchers("/oidc/sso**").and()).addFilter((Filter) new WebAsyncManagerIntegrationFilter()).sessionManagement().and()).securityContext().and()).servletApi().and()).logout().logoutSuccessUrl("/login.html").and()).exceptionHandling().accessDeniedHandler(new CustomAccessDeniedHandler()).authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)).and()).addFilterAt(SecurityConfig.this.authenticationFilter(), BasicAuthenticationFilter.class).headers().addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN)).contentSecurityPolicy("script-src 'self' 'unsafe-inline' 'unsafe-eval'").and().and()).addFilterAt(SecurityConfig.this.concurrencyFilter(), ConcurrentSessionFilter.class).addFilterBefore((Filter) new DevModeAuthenticationFilter(authenticationManagerImpl::isDevModeActive), AnonymousAuthenticationFilter.class).authorizeRequests().antMatchers("/main*", "/api/**").hasAnyRole(SecurityConfig.ALL_ROLES);
            // Operator opt-out: removes CSRF protection from this whole chain, not only the SSO paths.
            // The second argument is passed as the default, so CSRF stays on unless the property is set
            // (presumably read from JVM system properties; confirm in SystemProperties).
            if (SystemProperties.getBoolean(SecurityConfig.MC_DISABLE_CSRF_SYS_PROP, false)) {
                httpSecurity.csrf().disable();
            }
        }

        /**
         * Uses the outer class's authentication manager instead of the adapter's default.
         */
        @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
        protected AuthenticationManager authenticationManager() {
            return SecurityConfig.this.authenticationManager;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:WEB-INF/classes/com/hazelcast/webmonitor/config/SecurityConfig$LoginAuthenticationFilter.class
     */
    /* loaded from: input_file:com/hazelcast/webmonitor/config/SecurityConfig$LoginAuthenticationFilter.class */
    /**
     * Login filter that tries token authentication first and falls back to the inherited
     * username/password handling.
     */
    public final class LoginAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
        private LoginAuthenticationFilter() {
        }

        /**
         * Authenticates a login request and notifies the registered {@code LoginListener}s when the
         * result reports itself as authenticated.
         *
         * @param httpServletRequest  the login request
         * @param httpServletResponse the response, passed through to the superclass
         * @return the authentication produced by the token path or, if that path did not apply, by
         *         the superclass
         * @throws AuthenticationException if either authentication path rejects the request
         */
        @Override // org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter, org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
        public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException {
            Authentication attemptTokenAuthentication = attemptTokenAuthentication(httpServletRequest);
            // null means "no token supplied" (see attemptTokenAuthentication), not "token rejected".
            if (attemptTokenAuthentication == null) {
                attemptTokenAuthentication = super.attemptAuthentication(httpServletRequest, httpServletResponse);
            }
            // NOTE(review): dereferenced without a null check; assumes neither path returns null.
            if (attemptTokenAuthentication.isAuthenticated()) {
                Iterator it = SecurityConfig.this.loginListeners.iterator();
                while (it.hasNext()) {
                    ((LoginListener) it.next()).userLoggedIn(httpServletRequest);
                }
            }
            return attemptTokenAuthentication;
        }

        /**
         * Attempts authentication with the {@code token} request parameter.
         *
         * <p>Returns {@code null} for non-POST requests and when the parameter is null or blank, which
         * lets the caller fall back to username/password. Otherwise the token's user name is looked up
         * through {@code authTokenManager} (an empty string is used when the lookup finds nothing) and
         * both values are handed to the authentication manager.
         *
         * <p>NOTE(review): {@code getParameter} also reads the query string, so a token sent in the
         * URL of a POST can end up in access or proxy logs; confirm clients send it in the body.
         *
         * @param httpServletRequest the login request
         * @return the authentication result, or {@code null} if token authentication does not apply
         * @throws AuthenticationException rethrown as-is from the authentication manager, or an
         *         {@code AuthenticationServiceException} wrapping any other failure
         */
        private Authentication attemptTokenAuthentication(HttpServletRequest httpServletRequest) throws AuthenticationException {
            if (!httpServletRequest.getMethod().equals("POST")) {
                return null;
            }
            String parameter = httpServletRequest.getParameter("token");
            if (StringUtil.isNullOrEmptyAfterTrim(parameter)) {
                return null;
            }
            try {
                // An unknown token is still submitted, with "" as the user name; rejecting it is left
                // to the authentication manager (behaviour not visible in this file).
                return getAuthenticationManager().authenticate(new TokenBasedAuthenticationToken((String) SecurityConfig.this.authTokenManager.find(parameter).map((v0) -> {
                    return v0.getUsername();
                }).orElse(""), parameter));
            } catch (AuthenticationException e) {
                throw e;
            } catch (Exception e2) {
                // The log message is fixed text plus the exception; the token value is not logged here.
                SecurityConfig.LOGGER.error("Token authentication failed: could not read token data", (Throwable) e2);
                throw new AuthenticationServiceException("Token authentication failed", e2);
            }
        }
    }

    /* JADX WARN: Classes with same name are omitted:
      input_file:WEB-INF/classes/com/hazelcast/webmonitor/config/SecurityConfig$SessionDestroyedListener.class
     */
    /* loaded from: input_file:com/hazelcast/webmonitor/config/SecurityConfig$SessionDestroyedListener.class */
    /**
     * Writes an audit-log entry when a session that held a security context is destroyed.
     */
    private class SessionDestroyedListener implements ApplicationListener<SessionDestroyedEvent> {
        private SessionDestroyedListener() {
        }

        /**
         * Logs a {@code USER_LOGGED_OUT} audit event with the user name taken from the first security
         * context of the destroyed session, or {@code "N/A"} when no name can be resolved. Sessions
         * without any security context are ignored.
         *
         * <p>The same event is used for explicit logout and for session expiry; the message text does
         * not distinguish the two.
         *
         * @param sessionDestroyedEvent the session-destroyed event published by Spring Security
         */
        /* JADX WARN: Type inference failed for: r0v15, types: [com.hazelcast.internal.auditlog.EventBuilder] */
        @Override // org.springframework.context.ApplicationListener
        public void onApplicationEvent(SessionDestroyedEvent sessionDestroyedEvent) {
            List<SecurityContext> securityContexts = sessionDestroyedEvent.getSecurityContexts();
            if (securityContexts.isEmpty()) {
                return;
            }
            // Only the first context is reported, even if the session held more than one.
            SecurityConfig.this.auditService.eventBuilder(EventLogTypeIds.USER_LOGGED_OUT).message("User logged out or user session expired").addParameter("username", (String) securityContexts.stream().findFirst().map((v0) -> {
                return v0.getAuthentication();
            }).map((v0) -> {
                return v0.getName();
            }).orElse("N/A")).log();
        }
    }

    /**
     * Stores the injected collaborators; no other work is done here.
     */
    @Autowired
    public SecurityConfig(CustomAuthenticationSuccessHandler customAuthenticationSuccessHandler, CustomAuthenticationFailureHandler customAuthenticationFailureHandler, List<LoginListener> list, AuthTokenManager authTokenManager, AuthenticationManagerImpl authenticationManagerImpl, AuditlogService auditlogService) {
        this.successHandler = customAuthenticationSuccessHandler;
        this.failureHandler = customAuthenticationFailureHandler;
        this.loginListeners = list;
        this.authTokenManager = authTokenManager;
        this.authenticationManager = authenticationManagerImpl;
        this.auditService = auditlogService;
    }

    /**
     * Session registry used by the session strategies and the concurrent-session filter.
     */
    @Bean
    public SessionRegistryImpl sessionRegistry() {
        return new SessionRegistryImpl();
    }

    /**
     * Strategy chain run on successful login, in this order: session control, session-fixation
     * protection, then registration of the new session in the registry.
     *
     * <p>NOTE(review): {@code sessionRegistry()} is called twice here and again in
     * {@code concurrencyFilter()}; all of them seeing the same registry relies on Spring proxying
     * {@code @Bean} methods of this class. Confirm for the Spring Security version in use.
     */
    @Bean
    public CompositeSessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new CompositeSessionAuthenticationStrategy(Arrays.asList(new SessionControlAuthenticationStrategy(sessionRegistry()), new SessionFixationProtectionStrategy(), new RegisterSessionAuthenticationStrategy(sessionRegistry())));
    }

    /**
     * Builds the login filter and wires it to the authentication manager, the success and failure
     * handlers and the session authentication strategy.
     */
    @Bean
    public UsernamePasswordAuthenticationFilter authenticationFilter() {
        LoginAuthenticationFilter loginAuthenticationFilter = new LoginAuthenticationFilter();
        loginAuthenticationFilter.setAuthenticationManager(this.authenticationManager);
        loginAuthenticationFilter.setAuthenticationSuccessHandler(this.successHandler);
        loginAuthenticationFilter.setAuthenticationFailureHandler(this.failureHandler);
        loginAuthenticationFilter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy());
        return loginAuthenticationFilter;
    }

    /**
     * Default expression handler for web security expressions.
     */
    @Bean
    public DefaultWebSecurityExpressionHandler securityExpressionHandler() {
        return new DefaultWebSecurityExpressionHandler();
    }

    /**
     * Filter that redirects requests on an expired session to {@code /expireSession}.
     */
    @Bean
    public ConcurrentSessionFilter concurrencyFilter() {
        return new ConcurrentSessionFilter(sessionRegistry(), new SimpleRedirectSessionInformationExpiredStrategy("/expireSession"));
    }

    /**
     * Registers the logout audit listener.
     *
     * <p>NOTE(review): the listener only fires if {@code SessionDestroyedEvent}s are published to the
     * application context; the publisher registration is not visible in this class.
     */
    @Bean
    public SessionDestroyedListener sessionDestroyedListener() {
        return new SessionDestroyedListener();
    }
}
