package org.mitre.springboot.config.oauth2;

import java.util.Collections;
import java.util.HashSet;
import org.mitre.oauth2.web.CorsFilter;
import org.mitre.openid.connect.assertion.JWTBearerAuthenticationProvider;
import org.mitre.openid.connect.assertion.JWTBearerClientAssertionTokenEndpointFilter;
import org.mitre.openid.connect.filter.MultiUrlRequestMatcher;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Lazy;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter;
import org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler;
import org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;

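/**
 * Spring Security filter chain for the OAuth2 client-facing endpoints
 * ({@code /token}, {@code /introspect**} and {@code /revoke**}).
 *
 * <p>Requests on these paths are handled statelessly. Three client-authentication
 * mechanisms are wired into the chain: HTTP Basic, the
 * {@link ClientCredentialsTokenEndpointFilter}, and the
 * {@link JWTBearerClientAssertionTokenEndpointFilter}.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Only {@code /token} has an explicit authorization rule in
 *       {@link #configure(HttpSecurity)}. The introspection and revocation paths are
 *       matched by this chain but have no rule here, so their access control has to be
 *       enforced elsewhere (endpoint code or method security) -- TODO confirm.</li>
 *   <li>The chain matches {@code /introspect**} and {@code /revoke**}, while
 *       {@link #clientAuthenticationMatcher()} registers the exact paths
 *       {@code /introspect} and {@code /revoke}. Whether both match the same set of
 *       request URLs depends on {@link MultiUrlRequestMatcher}, which is not visible
 *       here -- TODO confirm.</li>
 *   <li>CSRF handling is not configured in this class and is left at whatever the
 *       adapter applies by default -- confirm this is intended for these stateless
 *       endpoints.</li>
 * </ul>
 */
@Configuration
@Order(110)
public class TokenWebSecurityConfig extends WebSecurityConfigurerAdapter {

    // CORS filter; placed after SecurityContextPersistenceFilter in configure(HttpSecurity).
    @Autowired
    protected CorsFilter corsFilter;

    // Entry point used both for HTTP Basic and for the chain's exception handling.
    @Autowired
    protected OAuth2AuthenticationEntryPoint authenticationEntryPoint;

    // Client lookup backing client authentication on this chain.
    @Autowired
    @Qualifier("clientUserDetailsService")
    protected UserDetailsService clientUserDetailsService;

    // Second client lookup; presumably resolves URI-encoded client credentials
    // (inferred from the qualifier name only) -- TODO confirm.
    @Autowired
    @Qualifier("uriEncodedClientUserDetailsService")
    protected UserDetailsService uriEncodedClientUserDetailsService;

    // Handler invoked when an authenticated caller is denied access.
    @Autowired
    protected OAuth2AccessDeniedHandler oAuth2AccessDeniedHandler;

    // @Lazy: this bean is produced by a @Bean method of this same class.
    @Autowired
    @Lazy
    protected ClientCredentialsTokenEndpointFilter clientCredentialsTokenEndpointFilter;

    // @Lazy: this bean is produced by a @Bean method of this same class.
    @Autowired
    @Lazy
    protected JWTBearerClientAssertionTokenEndpointFilter jwtBearerClientAssertionTokenEndpointFilter;

    /**
     * Registers both client {@link UserDetailsService} beans with the authentication
     * manager builder used by this chain.
     *
     * @param authenticationManagerBuilder builder for this adapter's authentication manager
     * @throws Exception if the builder rejects either service
     */
    @Override
    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        authenticationManagerBuilder.userDetailsService(this.clientUserDetailsService);
        authenticationManagerBuilder.userDetailsService(this.uriEncodedClientUserDetailsService);
    }

    /**
     * Builds the default client-credentials filter unless the application already
     * defines one.
     *
     * @param multiUrlRequestMatcher matcher selecting the requests the filter authenticates
     * @return the filter, bound to this adapter's authentication manager
     * @throws Exception if the authentication manager cannot be built
     */
    @ConditionalOnMissingBean({ClientCredentialsTokenEndpointFilter.class})
    @Autowired
    @Bean
    public ClientCredentialsTokenEndpointFilter clientCredentialsTokenEndpointFilter(@Qualifier("clientAuthenticationMatcher") MultiUrlRequestMatcher multiUrlRequestMatcher) throws Exception {
        ClientCredentialsTokenEndpointFilter filter = new ClientCredentialsTokenEndpointFilter();
        filter.setRequiresAuthenticationRequestMatcher(multiUrlRequestMatcher);
        filter.setAuthenticationManager(authenticationManager());
        return filter;
    }

    /**
     * Builds the default JWT-bearer client-assertion filter unless the application
     * already defines one.
     *
     * <p>The filter gets its own {@link ProviderManager} holding only the JWT bearer
     * provider, so assertions are never checked against the client user-details services
     * registered in {@link #configure(AuthenticationManagerBuilder)}.
     *
     * @param multiUrlRequestMatcher matcher selecting the requests the filter authenticates
     * @param jWTBearerAuthenticationProvider provider that validates the client assertion
     * @return the configured filter
     */
    @ConditionalOnMissingBean({JWTBearerClientAssertionTokenEndpointFilter.class})
    @Autowired
    @Bean
    public JWTBearerClientAssertionTokenEndpointFilter jwtBearerClientAssertionTokenEndpointFilter(@Qualifier("clientAuthenticationMatcher") MultiUrlRequestMatcher multiUrlRequestMatcher, JWTBearerAuthenticationProvider jWTBearerAuthenticationProvider) {
        JWTBearerClientAssertionTokenEndpointFilter filter = new JWTBearerClientAssertionTokenEndpointFilter(multiUrlRequestMatcher);
        filter.setAuthenticationManager(new ProviderManager(Collections.singletonList(jWTBearerAuthenticationProvider)));
        return filter;
    }

    /**
     * Supplies the default JWT bearer authentication provider unless the application
     * already defines one.
     *
     * @return a new provider instance
     */
    @ConditionalOnMissingBean({JWTBearerAuthenticationProvider.class})
    @Bean
    public JWTBearerAuthenticationProvider jwtBearerAuthenticationProvider() {
        return new JWTBearerAuthenticationProvider();
    }

    /**
     * Supplies the matcher that tells the client-authentication filters which endpoints
     * they apply to: {@code /introspect}, {@code /revoke} and {@code /token}.
     *
     * @return matcher over the three client-authenticated endpoint paths
     */
    // NOTE(review): the "type" string below does not look like a real class name
    // (MultiUrlRequestMatcher is imported from org.mitre.openid.connect.filter), so the
    // condition most likely only ever takes effect through "name". Left unchanged because
    // altering the condition changes when this bean is registered -- confirm and clean up.
    @ConditionalOnMissingBean(type = {"javax.servlet.http.HttpServletRequest.MultiUrlRequestMatcher"}, name = {"clientAuthenticationMatcher"})
    @Bean(name = {"clientAuthenticationMatcher"})
    public MultiUrlRequestMatcher clientAuthenticationMatcher() {
        // Typed set instead of a raw HashSet so the paths are checked as strings at compile time.
        HashSet<String> clientAuthenticatedPaths = new HashSet<>();
        clientAuthenticatedPaths.add("/introspect");
        clientAuthenticatedPaths.add("/revoke");
        clientAuthenticatedPaths.add("/token");
        return new MultiUrlRequestMatcher(clientAuthenticatedPaths);
    }

    /**
     * Configures the stateless filter chain for the token, introspection and revocation
     * endpoints.
     *
     * @param httpSecurity the chain builder supplied by Spring Security
     * @throws Exception if the chain cannot be configured
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            // Scope: this chain applies to these three path patterns only.
            .requestMatchers()
                .antMatchers("/token", "/introspect**", "/revoke**")
                .and()
            .httpBasic()
                .authenticationEntryPoint(this.authenticationEntryPoint)
                .and()
            .authorizeRequests()
                // The OPTIONS rule is declared first so unauthenticated OPTIONS requests to
                // /token (CORS preflight) are allowed before the general rule applies.
                .antMatchers(HttpMethod.OPTIONS, "/token").permitAll()
                .antMatchers("/token").authenticated()
                // NOTE(review): no rule is declared here for /introspect** or /revoke**;
                // confirm they are protected by the endpoints themselves.
                .and()
            .addFilterAfter(this.jwtBearerClientAssertionTokenEndpointFilter, AbstractPreAuthenticatedProcessingFilter.class)
            .addFilterAfter(this.clientCredentialsTokenEndpointFilter, BasicAuthenticationFilter.class)
            .addFilterAfter(this.corsFilter, SecurityContextPersistenceFilter.class)
            .exceptionHandling()
                .authenticationEntryPoint(this.authenticationEntryPoint)
                .accessDeniedHandler(this.oAuth2AccessDeniedHandler)
                .and()
            // No HTTP session is created or used for these endpoints.
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}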
