package io.camunda.tasklist.webapp.security;

import io.camunda.tasklist.property.TasklistProperties;
import jakarta.json.Json;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import org.apache.hc.core5.http.ContentType;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.logging.LoggersEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;

/* loaded from: input_file:io/camunda/tasklist/webapp/security/BaseWebConfigurer.class */
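/**
 * Common Spring Security setup for the Tasklist web application.
 *
 * <p>Subclasses supply the OAuth2 part via {@link #applyOAuth2Settings(HttpSecurity)} and may
 * override the header, filter and authentication hooks. The class registers:
 * <ul>
 *   <li>security headers (frame options disabled, CSP taken from {@link TasklistProperties}),</li>
 *   <li>optional CSRF protection backed by a cookie + {@code X-CSRF-TOKEN} header,</li>
 *   <li>URL authorization rules, form login/logout and JSON error responses.</li>
 * </ul>
 *
 * <p>Note: this source was recovered by a decompiler; access modifiers are kept as found so
 * existing subclasses keep compiling.
 */
public abstract class BaseWebConfigurer {

    @Autowired
    protected TasklistProperties tasklistProperties;

    // Not referenced in this class. Kept because same-package subclasses may rely on it —
    // TODO confirm before removing.
    @Autowired
    TasklistProfileService errorMessageService;

    /** Produces the profile-specific error message returned on authentication failure. */
    @Autowired
    private TasklistProfileService profileService;

    protected final Logger logger = LoggerFactory.getLogger(getClass());

    /** CSRF token store; header/cookie names are set in {@link #configureCSRF(HttpSecurity)}. */
    final CookieCsrfTokenRepository cookieCsrfTokenRepository = new CookieCsrfTokenRepository();

    /**
     * Builds the application's {@link SecurityFilterChain} by applying, in order, the header,
     * filter, authentication and OAuth2 hooks.
     *
     * @param httpSecurity the builder provided by Spring Security
     * @param handlerMappingIntrospector used to build MVC-aware request matchers for the whitelist
     * @return the built filter chain
     * @throws Exception propagated from the configuration hooks or {@code HttpSecurity.build()}
     */
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity httpSecurity, HandlerMappingIntrospector handlerMappingIntrospector) throws Exception {
        // getSharedObject is generic, so no cast is needed.
        final AuthenticationManagerBuilder authenticationManagerBuilder =
                httpSecurity.getSharedObject(AuthenticationManagerBuilder.class);
        applySecurityHeadersSettings(httpSecurity);
        applySecurityFilterSettings(httpSecurity, handlerMappingIntrospector);
        applyAuthenticationSettings(authenticationManagerBuilder);
        applyOAuth2Settings(httpSecurity);
        return httpSecurity.build();
    }

    /**
     * Hook for OAuth2/OIDC configuration; invoked last by {@link #filterChain}.
     *
     * @param httpSecurity the builder to configure
     * @throws Exception on configuration errors
     */
    protected abstract void applyOAuth2Settings(HttpSecurity httpSecurity) throws Exception;

    /**
     * Configures response security headers.
     *
     * <p>{@code X-Frame-Options} is disabled, so clickjacking protection rests entirely on the
     * Content-Security-Policy string configured in {@link TasklistProperties} — confirm that value
     * contains a {@code frame-ancestors} directive in deployments that need it.
     *
     * @param httpSecurity the builder to configure
     * @throws Exception on configuration errors
     */
    protected void applySecurityHeadersSettings(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.headers()
                .frameOptions().disable()
                .contentSecurityPolicy(this.tasklistProperties.getSecurityProperties().getContentSecurityPolicy());
    }

    /**
     * Hook for request filter / authorization settings; defaults to {@link #defaultFilterSettings}.
     *
     * @param httpSecurity the builder to configure
     * @param handlerMappingIntrospector used for the auth whitelist matchers
     * @throws Exception on configuration errors
     */
    protected void applySecurityFilterSettings(HttpSecurity httpSecurity, HandlerMappingIntrospector handlerMappingIntrospector) throws Exception {
        defaultFilterSettings(httpSecurity, handlerMappingIntrospector);
    }

    /**
     * Applies the default CSRF, URL authorization, form login, logout and exception handling.
     *
     * <p>CSRF protection is only enabled when {@code tasklistProperties.isCsrfPreventionEnabled()}
     * is true; otherwise it is explicitly disabled.
     *
     * @param httpSecurity the builder to configure
     * @param handlerMappingIntrospector used for the auth whitelist matchers
     * @throws Exception on configuration errors
     */
    private void defaultFilterSettings(HttpSecurity httpSecurity, HandlerMappingIntrospector handlerMappingIntrospector) throws Exception {
        if (this.tasklistProperties.isCsrfPreventionEnabled()) {
            this.logger.info("CSRF Protection Enabled");
            configureCSRF(httpSecurity);
        } else {
            httpSecurity.csrf(csrfConfigurer -> csrfConfigurer.disable());
        }

        // authorizeRequests() is deprecated in Spring Security 6; authorizeHttpRequests() uses a
        // different authorization mechanism, so the migration is deliberately not done here.
        httpSecurity
                .authorizeRequests(registry -> registry
                        .requestMatchers(TasklistURIs.getAuthWhitelist(handlerMappingIntrospector)).permitAll()
                        .requestMatchers(
                                AntPathRequestMatcher.antMatcher(TasklistURIs.GRAPHQL_URL),
                                AntPathRequestMatcher.antMatcher(TasklistURIs.ALL_REST_VERSION_API),
                                AntPathRequestMatcher.antMatcher(TasklistURIs.ERROR_URL))
                        .authenticated()
                        .requestMatchers(AntPathRequestMatcher.antMatcher("/login")).authenticated())
                .formLogin(formLogin -> formLogin
                        .loginProcessingUrl(TasklistURIs.LOGIN_RESOURCE)
                        .successHandler(this::successHandler)
                        .failureHandler(this::failureHandler)
                        .permitAll())
                .logout(logout -> logout
                        .logoutUrl(TasklistURIs.LOGOUT_RESOURCE)
                        .logoutSuccessHandler(this::logoutSuccessHandler)
                        .permitAll()
                        .invalidateHttpSession(true)
                        // Clear both the session cookie and the CSRF cookie on logout.
                        .deleteCookies(TasklistURIs.COOKIE_JSESSIONID, TasklistURIs.X_CSRF_TOKEN))
                // Unauthenticated access to protected URLs gets the same JSON error as a failed login.
                .exceptionHandling(exceptions -> exceptions.authenticationEntryPoint(this::failureHandler));
    }

    /**
     * Hook for authentication provider setup; no-op by default.
     *
     * @param authenticationManagerBuilder the shared builder from {@link HttpSecurity}
     * @throws Exception on configuration errors
     */
    protected void applyAuthenticationSettings(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
    }

    /**
     * Logout success handler: responds with {@code 204 No Content} and no body.
     */
    private void logoutSuccessHandler(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) {
        httpServletResponse.setStatus(HttpStatus.NO_CONTENT.value());
    }

    /**
     * Login failure handler and authentication entry point.
     *
     * <p>Invalidates the current session, if any, and responds with a JSON error whose message is
     * chosen per profile by {@link #profileService}.
     *
     * @throws IOException if the response body cannot be written
     */
    private void failureHandler(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException {
        // getSession(false) avoids creating a brand-new session only to invalidate it.
        final var session = httpServletRequest.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        sendJSONErrorMessage(httpServletResponse, this.profileService.getMessageByProfileFor(authenticationException));
    }

    /**
     * Access-denied handler installed by {@link #configureCSRF(HttpSecurity)}; answers a missing or
     * invalid CSRF token with {@code 403} and a fixed JSON body.
     *
     * @throws IOException if the response body cannot be written
     */
    private void csrfHandler(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AccessDeniedException accessDeniedException) throws IOException {
        httpServletResponse.setStatus(HttpStatus.FORBIDDEN.value());
        httpServletResponse.setContentType(ContentType.APPLICATION_JSON.getMimeType());
        httpServletResponse.setCharacterEncoding(TasklistURIs.RESPONSE_CHARACTER_ENCODING);
        httpServletResponse.getWriter().write("{\"error\": \"Access denied due to invalid CSRF token.\"}");
    }

    /**
     * Resets the response and writes {@code {"message": str}} with status {@code 401 Unauthorized}.
     *
     * <p>{@code reset()} discards any buffered body and all headers (including cookies and any
     * CSRF header already added), so callers must not rely on previously set headers. Status and
     * content type are set before the writer is obtained, because the servlet API ignores
     * character-encoding changes made after {@code getWriter()}.
     *
     * @param httpServletResponse the response to write to; must not be committed yet
     * @param str the message to embed (JSON-escaped by the builder)
     * @throws IOException if the response body cannot be written
     */
    public static void sendJSONErrorMessage(HttpServletResponse httpServletResponse, String str) throws IOException {
        httpServletResponse.reset();
        httpServletResponse.setStatus(HttpStatus.UNAUTHORIZED.value());
        httpServletResponse.setContentType(ContentType.APPLICATION_JSON.getMimeType());
        httpServletResponse.setCharacterEncoding(TasklistURIs.RESPONSE_CHARACTER_ENCODING);
        final String body = Json.createObjectBuilder().add("message", str).build().toString();
        httpServletResponse.getWriter().write(body);
    }

    /**
     * Login success handler: exposes the CSRF token header when applicable and responds with
     * {@code 204 No Content}.
     */
    private void successHandler(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) {
        // addCSRFTokenWhenAvailable returns the same response instance, so one setStatus suffices.
        addCSRFTokenWhenAvailable(httpServletRequest, httpServletResponse);
        httpServletResponse.setStatus(HttpStatus.NO_CONTENT.value());
    }

    /**
     * Enables CSRF protection with a cookie-based token repository.
     *
     * <p>The cookie and header share the name {@code TasklistURIs.X_CSRF_TOKEN}; the cookie is
     * {@code HttpOnly}, so clients obtain the token from the response header added by
     * {@link #getCSRFHeaderFilter()} rather than from the cookie. The {@code Secure} flag is not set
     * here — the repository's default decides it; confirm the cookie is only sent over HTTPS in
     * production. Requests to the actuator loggers endpoint are exempt from the CSRF check; that
     * endpoint changes server state, so it should be protected by other means — TODO confirm.
     *
     * <p>Decompiler note: the original access modifier was {@code protected}; kept {@code public}
     * as recovered so callers keep compiling.
     *
     * @param httpSecurity the builder to configure
     * @throws Exception on configuration errors
     */
    public void configureCSRF(HttpSecurity httpSecurity) throws Exception {
        this.cookieCsrfTokenRepository.setHeaderName(TasklistURIs.X_CSRF_TOKEN);
        this.cookieCsrfTokenRepository.setCookieCustomizer(cookie -> cookie.httpOnly(true));
        this.cookieCsrfTokenRepository.setCookieName(TasklistURIs.X_CSRF_TOKEN);
        httpSecurity
                .csrf(csrf -> csrf
                        .csrfTokenRepository(this.cookieCsrfTokenRepository)
                        // CsrfRequireMatcher is project-specific; it decides which requests are checked.
                        .requireCsrfProtectionMatcher(new CsrfRequireMatcher())
                        .ignoringRequestMatchers(EndpointRequest.to(LoggersEndpoint.class)))
                // Runs after CsrfFilter so the token request attribute is already populated.
                .addFilterAfter(getCSRFHeaderFilter(), CsrfFilter.class)
                .exceptionHandling(exceptions -> exceptions.accessDeniedHandler(this::csrfHandler));
    }

    /**
     * Filter that copies the current CSRF token into the {@code X-CSRF-TOKEN} response header
     * (see {@link #addCSRFTokenWhenAvailable}) before continuing the chain.
     *
     * @return the header-adding filter
     */
    protected OncePerRequestFilter getCSRFHeaderFilter() {
        return new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
                filterChain.doFilter(httpServletRequest, BaseWebConfigurer.this.addCSRFTokenWhenAvailable(httpServletRequest, httpServletResponse));
            }
        };
    }

    /**
     * Adds the CSRF token as the {@code X-CSRF-TOKEN} response header when
     * {@link #shouldAddCSRF(HttpServletRequest)} allows it and a token is present on the request.
     *
     * <p>The token is read from the request attribute keyed by {@code CsrfToken.class.getName()},
     * which {@link CsrfFilter} populates.
     *
     * @return the same response instance, for chaining
     */
    protected HttpServletResponse addCSRFTokenWhenAvailable(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (shouldAddCSRF(httpServletRequest)) {
            final CsrfToken csrfToken = (CsrfToken) httpServletRequest.getAttribute(CsrfToken.class.getName());
            if (csrfToken != null) {
                httpServletResponse.setHeader(TasklistURIs.X_CSRF_TOKEN, csrfToken.getToken());
            }
        }
        return httpServletResponse;
    }

    /**
     * Decides whether the CSRF token header may be exposed on this request: only for an
     * authenticated principal, never on the logout resource, and only for GET requests or the
     * login resource. Limiting exposure this way keeps the token from being handed to
     * unauthenticated callers.
     *
     * @return {@code true} if the token header should be added
     */
    boolean shouldAddCSRF(HttpServletRequest httpServletRequest) {
        final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        final String requestURI = httpServletRequest.getRequestURI();
        if (authentication == null || !authentication.isAuthenticated()) {
            return false;
        }
        final boolean isLogout = requestURI != null && requestURI.contains(TasklistURIs.LOGOUT_RESOURCE);
        if (isLogout) {
            return false;
        }
        final boolean isLogin = requestURI != null && requestURI.contains(TasklistURIs.LOGIN_RESOURCE);
        return "GET".equalsIgnoreCase(httpServletRequest.getMethod()) || isLogin;
    }
}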
