package io.camunda.tasklist.webapp.security.identity;

import io.camunda.tasklist.webapp.security.BaseWebConfigurer;
import io.camunda.tasklist.webapp.security.TasklistProfileService;
import io.camunda.tasklist.webapp.security.TasklistURIs;
import io.camunda.tasklist.webapp.security.oauth.IdentityOAuth2WebConfigurer;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Locale;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;

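/**
 * Web security configuration that is active only under
 * {@link TasklistProfileService#IDENTITY_AUTH_PROFILE}.
 *
 * <p>It delegates the OAuth2 setup to {@link IdentityOAuth2WebConfigurer}, toggles CSRF
 * protection from the Tasklist properties, declares which URLs need an authenticated caller,
 * and installs the entry point that answers unauthenticated requests.
 */
@Profile({TasklistProfileService.IDENTITY_AUTH_PROFILE})
@EnableWebSecurity
@Component("webSecurityConfig")
/* loaded from: input_file:io/camunda/tasklist/webapp/security/identity/IdentityWebSecurityConfig.class */
public class IdentityWebSecurityConfig extends BaseWebConfigurer {
    protected final Logger logger = LoggerFactory.getLogger(getClass());

    @Autowired
    protected IdentityOAuth2WebConfigurer oAuth2WebConfigurer;

    /**
     * Hands the {@link HttpSecurity} builder to the injected OAuth2 configurer.
     *
     * @param httpSecurity the security builder being assembled
     * @throws Exception if the OAuth2 configurer fails
     */
    @Override // io.camunda.tasklist.webapp.security.BaseWebConfigurer
    protected void applyOAuth2Settings(HttpSecurity httpSecurity) throws Exception {
        this.oAuth2WebConfigurer.configure(httpSecurity);
    }

    /**
     * Configures CSRF handling, URL authorization rules and the authentication entry point.
     *
     * @param httpSecurity the security builder being assembled
     * @param handlerMappingIntrospector passed to {@link TasklistURIs#getAuthWhitelist} to build
     *     the list of publicly reachable URLs
     * @throws Exception if any of the Spring Security configurers fails
     */
    @Override // io.camunda.tasklist.webapp.security.BaseWebConfigurer
    protected void applySecurityFilterSettings(HttpSecurity httpSecurity, HandlerMappingIntrospector handlerMappingIntrospector) throws Exception {
        // tasklistProperties and configureCSRF are not declared in this class; presumably both
        // come from BaseWebConfigurer.
        if (this.tasklistProperties.isCsrfPreventionEnabled()) {
            this.logger.info("CSRF Protection Enabled");
            configureCSRF(httpSecurity);
        } else {
            // NOTE(review): with CSRF protection switched off, every state-changing endpoint that
            // authenticates through the session cookie relies on other defences (for example
            // SameSite cookies). Nothing is logged on this branch, so a deployment running without
            // CSRF protection is not visible in the logs.
            httpSecurity.csrf(csrfConfigurer -> csrfConfigurer.disable());
        }
        httpSecurity.authorizeRequests(registry -> {
            // Rules are evaluated in declaration order and the first match wins, so a whitelist
            // entry that overlaps an API path would make that path public.
            // NOTE(review): there is no catch-all rule here. Unless BaseWebConfigurer adds one,
            // requests that match none of these patterns are not subject to an authorization rule;
            // confirm that this default-allow behaviour is intended.
            registry
                .requestMatchers(TasklistURIs.getAuthWhitelist(handlerMappingIntrospector))
                .permitAll()
                .requestMatchers(
                    AntPathRequestMatcher.antMatcher(TasklistURIs.GRAPHQL_URL),
                    AntPathRequestMatcher.antMatcher(TasklistURIs.ALL_REST_V1_API),
                    AntPathRequestMatcher.antMatcher(TasklistURIs.ERROR_URL))
                .authenticated()
                .requestMatchers(AntPathRequestMatcher.antMatcher("/tasklist"))
                .authenticated();
        }).exceptionHandling(exceptionHandlingConfigurer -> exceptionHandlingConfigurer.authenticationEntryPoint(this::authenticationEntry));
    }

    /**
     * Answers a request that reached a protected resource without authentication.
     *
     * <p>Requests whose path contains the GraphQL or REST v1 prefix get a JSON error and have any
     * existing session invalidated. Every other request has its URL (path plus query string)
     * stored in the session under {@link TasklistURIs#REQUESTED_URL} and is redirected to the
     * login endpoint.
     *
     * @param httpServletRequest the unauthenticated request
     * @param httpServletResponse the response to write the error or redirect to
     * @param authenticationException the failure that triggered the entry point
     * @throws IOException if writing the response fails
     */
    protected void authenticationEntry(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException {
        final String requestPath = httpServletRequest.getRequestURI();
        final String queryString = httpServletRequest.getQueryString();
        final String requestURI = (queryString == null || queryString.isEmpty()) ? requestPath : requestPath + "?" + queryString;

        // Classify on the path only: the query string is caller-controlled and must not be able to
        // turn a browser navigation into an "API" request. Locale.ROOT keeps the lower-casing
        // independent of the JVM's default locale.
        if (StringUtils.containsAny(requestPath.toLowerCase(Locale.ROOT), TasklistURIs.GRAPHQL_URL, TasklistURIs.REST_V1_API)) {
            // getSession(false) avoids allocating a session (and its cookie) for every
            // unauthenticated API call just to invalidate it straight away.
            final var session = httpServletRequest.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            // NOTE(review): the exception message is returned to an unauthenticated caller; confirm
            // that it never carries internal detail. sendJSONErrorMessage is not declared in this
            // class, presumably it is inherited.
            sendJSONErrorMessage(httpServletResponse, authenticationException.getMessage());
        } else {
            this.logger.debug("Try to access protected resource {}. Save it for later redirect", requestURI);
            // NOTE(review): the stored value is derived from the request. The code that later
            // redirects to REQUESTED_URL is not visible here; confirm that it only follows
            // same-origin relative paths.
            httpServletRequest.getSession().setAttribute(TasklistURIs.REQUESTED_URL, requestURI);
            httpServletResponse.sendRedirect(httpServletRequest.getContextPath() + "/api/login");
        }
    }
}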
