package io.camunda.operate.webapp.security;

import io.camunda.operate.OperateProfileService;
import io.camunda.operate.property.OperateProperties;
import io.camunda.operate.property.WebSecurityProperties;
import io.camunda.operate.webapp.api.v1.entities.Incident;
import io.camunda.webapps.util.HttpUtils;
import jakarta.json.Json;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import java.io.IOException;
import java.io.PrintWriter;
import org.apache.http.entity.ContentType;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.logging.LoggersEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:io/camunda/operate/webapp/security/BaseWebConfigurer.class */
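public abstract class BaseWebConfigurer {

    /**
     * Default Content-Security-Policy used when no policy is configured in
     * {@link WebSecurityProperties} and no cloud cluster id is set. Note the deliberately loose
     * parts: {@code style-src} allows {@code 'unsafe-inline'} and {@code img-src} allows any origin.
     */
    private static final String DEFAULT_CONTENT_SECURITY_POLICY =
            "default-src 'self'; base-uri 'self'; script-src 'self'; script-src-elem 'self' cdn.jsdelivr.net; connect-src 'self' cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' cdn.jsdelivr.net; img-src * data:; block-all-mixed-content; form-action 'self'; frame-ancestors 'none'; frame-src 'self' https:; object-src 'none'; font-src 'self' fonts.camunda.io cdn.jsdelivr.net; worker-src 'self' blob:; sandbox allow-forms allow-scripts allow-same-origin allow-popups";

    /**
     * Default Content-Security-Policy used when no policy is configured and a cloud cluster id is
     * set. Same as {@link #DEFAULT_CONTENT_SECURITY_POLICY} plus the third-party analytics and
     * onboarding origins (mixpanel, osano, appcues).
     */
    private static final String DEFAULT_CLOUD_CONTENT_SECURITY_POLICY =
            "default-src 'self'; base-uri 'self'; script-src 'self'; script-src-elem 'self' cdn.jsdelivr.net *.mixpanel.com *.osano.com *.appcues.com; connect-src 'self' cdn.jsdelivr.net *.appcues.net wss://api.appcues.net *.osano.com *.mixpanel.com; style-src 'self' 'unsafe-inline' cdn.jsdelivr.net *.appcues.com *.osano.com *.mixpanel.com; img-src * data:; block-all-mixed-content; form-action 'self'; frame-ancestors 'none'; frame-src 'self' https: *.osano.com *.mixpanel.com; object-src 'none'; font-src 'self' fonts.camunda.io cdn.jsdelivr.net; worker-src 'self' *.osano.com *.mixpanel.com blob:; sandbox allow-forms allow-scripts allow-same-origin allow-popups";

    /** Session attribute holding the URL that was requested before the redirect to login. */
    private static final String REQUESTED_URL_SESSION_ATTRIBUTE = "requestedUrl";

    /** Context-relative path an unauthenticated browser request is redirected to. */
    private static final String LOGIN_REDIRECT_PATH = "/api/login";

    // Left non-final on purpose: both are visible to subclasses (protected / package-private) and
    // making them final could break subclasses that reassign them.
    protected OperateProperties operateProperties;
    OperateProfileService errorMessageService;
    private final WebSecurityProperties webSecurityProperties;
    protected final Logger logger = LoggerFactory.getLogger(getClass());
    // Shared by configureCSRF() and the CSRF header filter; configured lazily in configureCSRF().
    final CookieCsrfTokenRepository cookieCsrfTokenRepository = new CookieCsrfTokenRepository();

    /**
     * Creates the configurer.
     *
     * @param operateProperties application properties; its web-security section is cached
     * @param operateProfileService resolves profile-specific error messages for auth failures
     */
    public BaseWebConfigurer(OperateProperties operateProperties, OperateProfileService operateProfileService) {
        this.operateProperties = operateProperties;
        this.errorMessageService = operateProfileService;
        this.webSecurityProperties = operateProperties.getWebSecurity();
    }

    /**
     * Resets the response and writes {@code {"<MESSAGE_FIELD>": str}} as a 401 JSON body.
     *
     * @param httpServletResponse response to overwrite; must not be committed yet
     * @param str message placed under {@link Incident#MESSAGE_FIELD}
     * @throws IOException if the response writer cannot be obtained or written
     */
    public static void sendJSONErrorMessage(HttpServletResponse httpServletResponse, String str) throws IOException {
        httpServletResponse.reset();
        // Status and content type are fixed before anything is written: once the body is
        // committed they can no longer change, so setting the status after writing (as the
        // previous order did) could leak a 200 for a message larger than the response buffer.
        httpServletResponse.setStatus(HttpStatus.UNAUTHORIZED.value());
        httpServletResponse.setContentType(ContentType.APPLICATION_JSON.getMimeType());
        httpServletResponse.setCharacterEncoding(OperateURIs.RESPONSE_CHARACTER_ENCODING);
        String body = Json.createObjectBuilder().add(Incident.MESSAGE_FIELD, str).build().toString();
        httpServletResponse.getWriter().write(body);
    }

    /**
     * Filter chain for Spring Boot actuator endpoints and {@code /error}.
     *
     * <p>It runs at the highest possible precedence so it claims these requests before
     * {@link #filterChain(HttpSecurity)}, and it permits every matched request with CSRF, CORS,
     * logout, form login, HTTP basic and anonymous auth all disabled. NOTE(review): this makes
     * every exposed actuator endpoint reachable without authentication; the deployment is expected
     * to limit endpoint exposure / management port reachability elsewhere — confirm.
     *
     * @param httpSecurity builder provided by Spring Security
     * @return the actuator chain
     * @throws Exception propagated from the {@link HttpSecurity} builder
     */
    @Bean
    @Order(Integer.MIN_VALUE)
    public SecurityFilterChain actuatorFilterChain(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.securityMatchers(matchers -> matchers
                .requestMatchers(EndpointRequest.toAnyEndpoint())
                .requestMatchers("/error"));
        return configureActuatorSecurity(httpSecurity)
                .authorizeHttpRequests(registry -> registry.anyRequest().permitAll())
                .build();
    }

    /**
     * Disables every opt-in security feature for the actuator chain.
     *
     * @param httpSecurity builder to configure
     * @return the same builder, for chaining
     * @throws Exception propagated from the {@link HttpSecurity} builder
     */
    private HttpSecurity configureActuatorSecurity(HttpSecurity httpSecurity) throws Exception {
        return httpSecurity
                .csrf(csrf -> csrf.disable())
                .cors(cors -> cors.disable())
                .logout(logout -> logout.disable())
                .formLogin(formLogin -> formLogin.disable())
                .httpBasic(httpBasic -> httpBasic.disable())
                .anonymous(anonymous -> anonymous.disable());
    }

    /**
     * Main application filter chain: security headers, CSRF/authorization/login/logout filters,
     * authentication manager settings and the subclass-specific OAuth2 settings, in that order.
     *
     * @param httpSecurity builder provided by Spring Security
     * @return the application chain
     * @throws Exception propagated from the {@link HttpSecurity} builder
     */
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
        AuthenticationManagerBuilder authenticationManagerBuilder =
                httpSecurity.getSharedObject(AuthenticationManagerBuilder.class);
        applySecurityHeadersSettings(httpSecurity);
        applySecurityFilterSettings(httpSecurity);
        applyAuthenticationSettings(authenticationManagerBuilder);
        applyOAuth2Settings(httpSecurity);
        return httpSecurity.build();
    }

    /**
     * Configures the Content-Security-Policy and HSTS response headers from
     * {@link #getContentSecurityPolicy()} and the web-security properties.
     *
     * @param httpSecurity builder to configure
     * @throws Exception propagated from the {@link HttpSecurity} builder
     */
    protected void applySecurityHeadersSettings(HttpSecurity httpSecurity) throws Exception {
        WebSecurityProperties webSecurity = this.operateProperties.getWebSecurity();
        String contentSecurityPolicy = getContentSecurityPolicy();
        httpSecurity.headers(headers -> headers
                .contentSecurityPolicy(csp -> csp.policyDirectives(contentSecurityPolicy))
                .httpStrictTransportSecurity(hsts -> hsts
                        .maxAgeInSeconds(webSecurity.getHttpStrictTransportSecurityMaxAgeInSeconds())
                        .includeSubDomains(webSecurity.getHttpStrictTransportSecurityIncludeSubDomains())));
    }

    /**
     * Returns the Content-Security-Policy to send: the explicitly configured one if present,
     * otherwise the cloud default when a cloud cluster id is set, else the plain default.
     *
     * @return the CSP directive string, never {@code null}
     */
    protected String getContentSecurityPolicy() {
        // Read the cluster id first so a missing cloud section fails in the same place as before.
        boolean cloudClusterConfigured = this.operateProperties.getCloud().getClusterId() != null;
        String configuredPolicy = this.webSecurityProperties.getContentSecurityPolicy();
        if (configuredPolicy != null) {
            return configuredPolicy;
        }
        return cloudClusterConfigured ? DEFAULT_CLOUD_CONTENT_SECURITY_POLICY : DEFAULT_CONTENT_SECURITY_POLICY;
    }

    /**
     * Hook for subclasses; by default applies {@link #defaultFilterSettings(HttpSecurity)}.
     *
     * @param httpSecurity builder to configure
     * @throws Exception propagated from the {@link HttpSecurity} builder
     */
    protected void applySecurityFilterSettings(HttpSecurity httpSecurity) throws Exception {
        defaultFilterSettings(httpSecurity);
    }

    /**
     * CSRF (on/off by property), URL authorization, form login, logout and the unauthenticated
     * entry point for the main chain.
     *
     * @param httpSecurity builder to configure
     * @throws Exception propagated from the {@link HttpSecurity} builder
     */
    private void defaultFilterSettings(HttpSecurity httpSecurity) throws Exception {
        if (this.operateProperties.isCsrfPreventionEnabled()) {
            this.logger.info("CSRF Protection is enabled");
            configureCSRF(httpSecurity);
        } else {
            httpSecurity.csrf(csrf -> csrf.disable());
        }
        // authorizeRequests() is kept on purpose even though the actuator chain uses
        // authorizeHttpRequests(): there is no anyRequest() rule here, so requests matching neither
        // AUTH_WHITELIST nor API/PUBLIC_API pass through. authorizeHttpRequests() denies unmatched
        // requests by default, so migrating needs an explicit rule for those paths.
        httpSecurity
                .authorizeRequests(registry -> registry
                        .requestMatchers(OperateURIs.AUTH_WHITELIST).permitAll()
                        .requestMatchers(OperateURIs.API, OperateURIs.PUBLIC_API).authenticated())
                .formLogin(formLogin -> formLogin
                        .loginProcessingUrl(OperateURIs.LOGIN_RESOURCE)
                        .successHandler(this::successHandler)
                        .failureHandler(this::failureHandler)
                        .permitAll())
                .logout(logout -> logout
                        .logoutUrl(OperateURIs.LOGOUT_RESOURCE)
                        .logoutSuccessHandler(this::logoutSuccessHandler)
                        .permitAll()
                        .deleteCookies(OperateURIs.COOKIE_JSESSIONID, OperateURIs.X_CSRF_TOKEN)
                        .clearAuthentication(true)
                        .invalidateHttpSession(true))
                // Unauthenticated access to a protected resource goes through failureHandler too.
                .exceptionHandling(exceptions -> exceptions.authenticationEntryPoint(this::failureHandler));
    }

    /**
     * Hook for subclasses to register authentication providers; no-op by default.
     *
     * @param authenticationManagerBuilder builder shared with the main chain
     * @throws Exception if a subclass fails to configure authentication
     */
    protected void applyAuthenticationSettings(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
    }

    /**
     * Subclass-specific OAuth2 configuration for the main chain.
     *
     * @param httpSecurity builder to configure
     * @throws Exception if configuration fails
     */
    protected abstract void applyOAuth2Settings(HttpSecurity httpSecurity) throws Exception;

    /**
     * Logout success: answer 204 with no body.
     *
     * @param httpServletRequest current request (unused)
     * @param httpServletResponse response to set the status on
     * @param authentication the authentication that was logged out (unused)
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void logoutSuccessHandler(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) {
        httpServletResponse.setStatus(HttpStatus.NO_CONTENT.value());
    }

    /**
     * Authentication failure / missing authentication: API-style requests get a JSON 401, all
     * other requests are redirected to the login page with the requested URL remembered.
     *
     * <p>The API check is a plain substring test on the requested URL, so it matches these
     * segments anywhere in the URL, not only at the path start.
     *
     * @param httpServletRequest request that failed authentication
     * @param httpServletResponse response to write to
     * @param authenticationException cause, used to pick the error message
     * @throws IOException if writing or redirecting fails
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void failureHandler(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException {
        String requestedUrl = HttpUtils.getRequestedUrl(httpServletRequest);
        boolean isApiRequest = requestedUrl.contains("/api/")
                || requestedUrl.contains("/v1/")
                || requestedUrl.contains("/v2/");
        if (isApiRequest) {
            sendError(httpServletRequest, httpServletResponse, authenticationException);
        } else {
            storeRequestedUrlAndRedirectToLogin(httpServletRequest, httpServletResponse, requestedUrl);
        }
    }

    /**
     * Remembers the requested URL in the (possibly newly created) session and redirects to login.
     *
     * <p>NOTE(review): the code that later redirects to the stored URL is not in this file; it
     * should accept only context-relative paths so the stored value cannot redirect off-site.
     *
     * @param httpServletRequest request whose session stores the URL
     * @param httpServletResponse response to redirect
     * @param str the URL originally requested
     * @throws IOException if the redirect cannot be sent
     */
    private void storeRequestedUrlAndRedirectToLogin(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) throws IOException {
        this.logger.warn("Try to access protected resource {}. Save it for later redirect", str);
        httpServletRequest.getSession(true).setAttribute(REQUESTED_URL_SESSION_ATTRIBUTE, str);
        httpServletResponse.sendRedirect(httpServletRequest.getContextPath() + LOGIN_REDIRECT_PATH);
    }

    /**
     * Login success: expose the CSRF token header when applicable and answer 204 with no body.
     *
     * @param httpServletRequest the login request
     * @param httpServletResponse response to decorate
     * @param authentication the established authentication (unused)
     */
    private void successHandler(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) {
        addCSRFTokenWhenAvailable(httpServletRequest, httpServletResponse).setStatus(HttpStatus.NO_CONTENT.value());
    }

    /**
     * Enables CSRF protection with a cookie token repository and a header-based token hand-off.
     *
     * <p>The cookie is HttpOnly (not readable by scripts); clients instead read the token from the
     * {@code X_CSRF_TOKEN} response header that {@link #getCSRFHeaderFilter()} adds, and send it
     * back in the header of the same name. Which requests require the token is decided by
     * {@link CsrfRequireMatcher}. The loggers actuator endpoint is excluded; since the actuator
     * chain claims actuator requests first, this exclusion appears to be redundant here.
     *
     * @param httpSecurity builder to configure
     * @throws Exception propagated from the {@link HttpSecurity} builder
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void configureCSRF(HttpSecurity httpSecurity) throws Exception {
        this.cookieCsrfTokenRepository.setHeaderName(OperateURIs.X_CSRF_TOKEN);
        this.cookieCsrfTokenRepository.setCookieHttpOnly(true);
        this.cookieCsrfTokenRepository.setCookieName(OperateURIs.X_CSRF_TOKEN);
        httpSecurity
                .csrf(csrf -> csrf
                        .csrfTokenRepository(this.cookieCsrfTokenRepository)
                        .requireCsrfProtectionMatcher(new CsrfRequireMatcher())
                        .ignoringRequestMatchers(EndpointRequest.to(LoggersEndpoint.class)))
                .addFilterAfter(getCSRFHeaderFilter(), CsrfFilter.class);
    }

    /**
     * Filter placed after {@link CsrfFilter} that copies the current CSRF token into a response
     * header via {@link #addCSRFTokenWhenAvailable(HttpServletRequest, HttpServletResponse)}.
     *
     * @return a new filter instance bound to this configurer
     */
    protected OncePerRequestFilter getCSRFHeaderFilter() {
        return new OncePerRequestFilter() { // from class: io.camunda.operate.webapp.security.BaseWebConfigurer.1
            @Override
            protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
                filterChain.doFilter(httpServletRequest, BaseWebConfigurer.this.addCSRFTokenWhenAvailable(httpServletRequest, httpServletResponse));
            }
        };
    }

    /**
     * Sets the {@code X_CSRF_TOKEN} response header to the request's CSRF token when
     * {@link #shouldAddCSRF(HttpServletRequest)} says so and a token attribute is present.
     *
     * @param httpServletRequest request carrying the {@link CsrfToken} attribute (if any)
     * @param httpServletResponse response to add the header to
     * @return the same response, for chaining
     */
    protected HttpServletResponse addCSRFTokenWhenAvailable(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (shouldAddCSRF(httpServletRequest)) {
            CsrfToken csrfToken = (CsrfToken) httpServletRequest.getAttribute(CsrfToken.class.getName());
            if (csrfToken != null) {
                httpServletResponse.setHeader(OperateURIs.X_CSRF_TOKEN, csrfToken.getToken());
            }
        }
        return httpServletResponse;
    }

    /**
     * Decides whether the CSRF token may be handed out on this request: only to an authenticated
     * principal, never on a URI containing "logout", and only for GET requests or URIs containing
     * "login". Both URI checks are substring matches, not path comparisons.
     *
     * @param httpServletRequest current request
     * @return {@code true} if the token header should be added
     */
    boolean shouldAddCSRF(HttpServletRequest httpServletRequest) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null || !authentication.isAuthenticated()) {
            return false;
        }
        String requestURI = httpServletRequest.getRequestURI();
        boolean isLogout = requestURI != null && requestURI.contains("logout");
        if (isLogout) {
            return false;
        }
        boolean isGet = "GET".equalsIgnoreCase(httpServletRequest.getMethod());
        boolean isLogin = requestURI != null && requestURI.contains("login");
        return isGet || isLogin;
    }

    /**
     * Invalidates the session (if one exists) and writes the profile-specific JSON 401.
     *
     * @param httpServletRequest request whose session is invalidated
     * @param httpServletResponse response to write to
     * @param authenticationException cause, translated into a message by the profile service
     * @throws IOException if the response cannot be written
     */
    protected void sendError(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException {
        // getSession(false): do not create a fresh session only to invalidate it immediately.
        HttpSession session = httpServletRequest.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        sendJSONErrorMessage(httpServletResponse, this.errorMessageService.getMessageByProfileFor(authenticationException));
    }
}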
