package org.apache.atlas.web.security;

import java.util.LinkedHashMap;
import javax.inject.Inject;
import org.apache.atlas.web.filters.ActiveServerFilter;
import org.apache.atlas.web.filters.AtlasAuthenticationEntryPoint;
import org.apache.atlas.web.filters.AtlasAuthenticationFilter;
import org.apache.atlas.web.filters.AtlasCSRFPreventionFilter;
import org.apache.atlas.web.filters.AtlasKnoxSSOAuthenticationFilter;
import org.apache.atlas.web.filters.StaleTransactionCleanupFilter;
import org.apache.commons.configuration.Configuration;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;

/**
 * Spring Security configuration for the Atlas web application.
 *
 * <p>Registers the Atlas authentication provider, lists the URL patterns that are
 * excluded from the security filter chain, and builds the HTTP security policy:
 * response headers, session handling, HTTP Basic and form login, logout, and the
 * position of the Atlas servlet filters relative to Spring's own filters.
 *
 * <p>{@code prePostEnabled = true} turns on {@code @PreAuthorize}/{@code @PostAuthorize}
 * method security. Spring's built-in CSRF protection is disabled in
 * {@link #configure(HttpSecurity)}; an {@link AtlasCSRFPreventionFilter} is added to
 * the chain instead. What that filter enforces is not visible in this class.
 *
 * <p>The raw {@code LinkedHashMap} and the raw {@code AuthorizedUrl} cast are kept
 * exactly as they appear in this listing.
 */
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class AtlasSecurityConfig extends WebSecurityConfigurerAdapter {
    private static final Logger LOG = LoggerFactory.getLogger(AtlasSecurityConfig.class);

    // Collaborators, all supplied through the injected constructor.
    private final AtlasAuthenticationProvider authenticationProvider;
    private final AtlasAuthenticationSuccessHandler successHandler;
    private final AtlasAuthenticationFailureHandler failureHandler;
    private final AtlasKnoxSSOAuthenticationFilter ssoAuthenticationFilter;
    private final AtlasAuthenticationFilter atlasAuthenticationFilter;
    private final AtlasCSRFPreventionFilter csrfPreventionFilter;
    private final AtlasAuthenticationEntryPoint atlasAuthenticationEntryPoint;
    private final Configuration configuration;
    private final StaleTransactionCleanupFilter staleTransactionCleanupFilter;
    private final ActiveServerFilter activeServerFilter;

    /**
     * Stores the injected filters, handlers, provider and configuration for use by
     * the {@code configure(...)} methods.
     */
    @Inject
    public AtlasSecurityConfig(
            AtlasKnoxSSOAuthenticationFilter atlasKnoxSSOAuthenticationFilter,
            AtlasCSRFPreventionFilter atlasCSRFPreventionFilter,
            AtlasAuthenticationFilter atlasAuthenticationFilter,
            AtlasAuthenticationProvider atlasAuthenticationProvider,
            AtlasAuthenticationSuccessHandler atlasAuthenticationSuccessHandler,
            AtlasAuthenticationFailureHandler atlasAuthenticationFailureHandler,
            AtlasAuthenticationEntryPoint atlasAuthenticationEntryPoint,
            Configuration configuration,
            StaleTransactionCleanupFilter staleTransactionCleanupFilter,
            ActiveServerFilter activeServerFilter) {
        this.ssoAuthenticationFilter = atlasKnoxSSOAuthenticationFilter;
        this.csrfPreventionFilter = atlasCSRFPreventionFilter;
        this.atlasAuthenticationFilter = atlasAuthenticationFilter;
        this.authenticationProvider = atlasAuthenticationProvider;
        this.successHandler = atlasAuthenticationSuccessHandler;
        this.failureHandler = atlasAuthenticationFailureHandler;
        this.atlasAuthenticationEntryPoint = atlasAuthenticationEntryPoint;
        this.configuration = configuration;
        this.staleTransactionCleanupFilter = staleTransactionCleanupFilter;
        this.activeServerFilter = activeServerFilter;
    }

    /**
     * Creates the HTTP Basic entry point used as the fallback challenge.
     *
     * @return a new entry point whose realm name is {@code atlas.com}
     */
    public BasicAuthenticationEntryPoint getAuthenticationEntryPoint() {
        BasicAuthenticationEntryPoint basicEntryPoint = new BasicAuthenticationEntryPoint();
        basicEntryPoint.setRealmName("atlas.com");
        return basicEntryPoint;
    }

    /**
     * Builds the entry point that picks a challenge style from the request's
     * user-agent header: a match on {@code "Mozilla"} is routed to the Atlas entry
     * point, everything else gets the HTTP Basic challenge.
     *
     * <p>The header is client-controlled, so this choice only shapes the
     * unauthenticated response; it is not an access decision.
     *
     * @return the delegating entry point with the Basic entry point as default
     */
    public DelegatingAuthenticationEntryPoint getDelegatingAuthenticationEntryPoint() {
        // NOTE(review): RequestHeaderRequestMatcher appears to compare the header value
        // for equality, in which case a full browser User-Agent ("Mozilla/5.0 ...") would
        // not match and the Basic default would be used — confirm against the Spring
        // Security version in use.
        LinkedHashMap entryPointsByMatcher = new LinkedHashMap();
        entryPointsByMatcher.put(
                new RequestHeaderRequestMatcher(AtlasCSRFPreventionFilter.HEADER_USER_AGENT, "Mozilla"),
                this.atlasAuthenticationEntryPoint);

        DelegatingAuthenticationEntryPoint delegating = new DelegatingAuthenticationEntryPoint(entryPointsByMatcher);
        delegating.setDefaultEntryPoint(getAuthenticationEntryPoint());
        return delegating;
    }

    /**
     * Registers the Atlas authentication provider with the authentication manager.
     *
     * @param authenticationManagerBuilder builder that receives the provider
     */
    @Inject
    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) {
        authenticationManagerBuilder.authenticationProvider(this.authenticationProvider);
    }

    /**
     * Declares the URL patterns that bypass the Spring Security filter chain.
     *
     * <p>Ignored requests are not authenticated and do not receive the response
     * headers configured in {@link #configure(HttpSecurity)}.
     *
     * @param webSecurity web security builder to configure
     * @throws Exception declared by the overridden configuration hook
     */
    public void configure(WebSecurity webSecurity) throws Exception {
        // NOTE(review): besides static assets, /api/atlas/admin/status and
        // /api/atlas/admin/metrics are on this list and so are served without
        // authentication — confirm what the metrics response contains and restrict
        // exposure at the network edge if it is more than liveness data.
        webSecurity.ignoring().antMatchers(
                "/login.jsp",
                "/css/**",
                "/img/**",
                "/libs/**",
                "/js/**",
                "/ieerror.html",
                "/api/atlas/admin/status",
                "/api/atlas/admin/metrics");
    }

    /**
     * Builds the HTTP security policy and inserts the Atlas filters.
     *
     * <p>Every request not ignored by {@link #configure(WebSecurity)} must be
     * authenticated. The {@link ActiveServerFilter} is only added when
     * {@code atlas.server.ha.enabled} is true or {@code atlas.migration.data.filename}
     * is non-empty.
     *
     * @param httpSecurity HTTP security builder to configure
     * @throws Exception declared by the overridden configuration hook
     */
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        // The script-src directive permits 'unsafe-inline' and 'unsafe-eval', so this
        // policy does not block injected inline script; output encoding remains the
        // primary XSS defence for pages served under it.
        String contentSecurityPolicy = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data:; connect-src 'self'; img-src 'self' blob: data:; style-src 'self' 'unsafe-inline';font-src 'self' data:";

        ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) httpSecurity.authorizeRequests().anyRequest())
                .authenticated()
            .and()
                .headers()
                .addHeaderWriter(new StaticHeadersWriter("Content-Security-Policy", contentSecurityPolicy))
                .addHeaderWriter(new StaticHeadersWriter("Server", "Apache Atlas"))
            .and()
                .servletApi()
            .and()
                // Spring's CSRF support is switched off here; the custom
                // csrfPreventionFilter added at the end of this method is the only
                // CSRF control visible in this class.
                .csrf().disable()
                // No session ids in URLs, a session for every request, and a new
                // session on authentication (session-fixation protection).
                .sessionManagement()
                .enableSessionUrlRewriting(false)
                .sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
                .sessionFixation().newSession()
            .and()
                .httpBasic()
                .authenticationEntryPoint(getDelegatingAuthenticationEntryPoint())
            .and()
                .formLogin()
                .loginPage("/login.jsp")
                .loginProcessingUrl("/j_spring_security_check")
                .successHandler(this.successHandler)
                .failureHandler(this.failureHandler)
                .usernameParameter("j_username")
                .passwordParameter("j_password")
            .and()
                .logout()
                .logoutSuccessUrl("/login.jsp")
                .deleteCookies("ATLASSESSIONID")
                .logoutUrl("/logout.html");

        // Read in the same order as before: migration setting first, then the HA flag.
        boolean migrationMode = StringUtils.isNotEmpty(this.configuration.getString("atlas.migration.data.filename"));
        boolean haEnabled = this.configuration.getBoolean("atlas.server.ha.enabled", false);
        if (haEnabled || migrationMode) {
            LOG.info(migrationMode
                    ? "Atlas is in Migration Mode, enabling ActiveServerFilter"
                    : "Atlas is in HA Mode, enabling ActiveServerFilter");
            httpSecurity.addFilterAfter(this.activeServerFilter, BasicAuthenticationFilter.class);
        }

        // Filter placement: SSO runs before HTTP Basic; the Atlas authentication
        // filter follows SecurityContextHolderAwareRequestFilter and the CSRF filter
        // follows the Atlas authentication filter.
        httpSecurity
                .addFilterAfter(this.staleTransactionCleanupFilter, BasicAuthenticationFilter.class)
                .addFilterBefore(this.ssoAuthenticationFilter, BasicAuthenticationFilter.class)
                .addFilterAfter(this.atlasAuthenticationFilter, SecurityContextHolderAwareRequestFilter.class)
                .addFilterAfter(this.csrfPreventionFilter, AtlasAuthenticationFilter.class);
    }
}
