package org.apache.syncope.sra;

import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.text.ParseException;
import java.util.Map;
import org.apache.commons.lang3.StringUtils;
import org.apache.syncope.common.lib.types.SAML2BindingType;
import org.apache.syncope.sra.SRAProperties;
import org.apache.syncope.sra.security.CsrfRouteMatcher;
import org.apache.syncope.sra.security.LogoutRouteMatcher;
import org.apache.syncope.sra.security.PublicRouteMatcher;
import org.apache.syncope.sra.security.cas.CASSecurityConfigUtils;
import org.apache.syncope.sra.security.oauth2.OAuth2SecurityConfigUtils;
import org.apache.syncope.sra.security.pac4j.NoOpLogoutHandler;
import org.apache.syncope.sra.security.saml2.SAML2MetadataEndpoint;
import org.apache.syncope.sra.security.saml2.SAML2SecurityConfigUtils;
import org.pac4j.core.http.callback.NoParameterCallbackUrlResolver;
import org.pac4j.saml.client.SAML2Client;
import org.pac4j.saml.config.SAML2Configuration;
import org.pac4j.saml.metadata.keystore.BaseSAML2KeystoreGenerator;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.cache.CacheManager;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.core.convert.converter.Converter;
import org.springframework.core.io.FileUrlResource;
import org.springframework.core.io.support.ResourcePatternResolver;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrations;
import org.springframework.security.oauth2.client.registration.InMemoryReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.MappedJwtClaimSetConverter;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.util.matcher.NegatedServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
import reactor.core.publisher.Mono;

/**
 * Reactive security configuration of the Syncope Secure Remote Access (SRA) gateway.
 *
 * <p>Three ordered {@link SecurityWebFilterChain}s are declared: the SAML2 SP metadata endpoint
 * (order 0, SAML2 only), the actuator endpoints (order 1, HTTP Basic) and the proxied routes
 * (order 2). The remaining beans assemble the client for whichever access manager type is set via
 * {@code SRAProperties.AM_TYPE} (OIDC, OAUTH2, SAML2 or CAS); most of them are
 * {@code @ConditionalOnMissingBean} so a deployment can supply its own.
 */
@EnableWebFluxSecurity
@Configuration(proxyBeanMethods = false)
public class SecurityConfig {

    /**
     * Publishes the SAML2 SP metadata without authentication.
     *
     * <p>The chain only matches {@code GET} on {@link SAML2MetadataEndpoint#METADATA_URL}; since the
     * CSRF protection matcher is the negation of that same matcher, CSRF checks never apply here.
     *
     * @param serverHttpSecurity builder supplied by Spring Security
     * @return filter chain guarding the metadata URL
     */
    @ConditionalOnProperty(prefix = SRAProperties.PREFIX, name = { SRAProperties.AM_TYPE }, havingValue = "SAML2")
    @Bean
    @Order(0)
    public SecurityWebFilterChain saml2SecurityFilterChain(final ServerHttpSecurity serverHttpSecurity) {
        ServerWebExchangeMatcher metadataMatcher =
                ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, SAML2MetadataEndpoint.METADATA_URL);

        serverHttpSecurity.securityMatcher(metadataMatcher);
        serverHttpSecurity.authorizeExchange().anyExchange().permitAll();
        serverHttpSecurity.csrf().requireCsrfProtectionMatcher(new NegatedServerWebExchangeMatcher(metadataMatcher));
        return serverHttpSecurity.build();
    }

    /**
     * Protects every actuator endpoint with HTTP Basic authentication.
     *
     * <p>Credentials are resolved through {@link #actuatorUserDetailsService(SRAProperties)} unless a
     * different {@link ReactiveUserDetailsService} bean is present. CSRF protection is switched off
     * for the actuator paths (negated matcher), which is what allows non-browser clients to call them.
     *
     * @param serverHttpSecurity builder supplied by Spring Security
     * @return filter chain guarding the actuator endpoints
     */
    @ConditionalOnMissingBean
    @Bean
    @Order(1)
    public SecurityWebFilterChain actuatorSecurityFilterChain(final ServerHttpSecurity serverHttpSecurity) {
        EndpointRequest.EndpointServerWebExchangeMatcher actuatorMatcher = EndpointRequest.toAnyEndpoint();

        serverHttpSecurity.securityMatcher(actuatorMatcher);
        serverHttpSecurity.authorizeExchange().anyExchange().authenticated();
        serverHttpSecurity.httpBasic();
        serverHttpSecurity.csrf().requireCsrfProtectionMatcher(new NegatedServerWebExchangeMatcher(actuatorMatcher));
        return serverHttpSecurity.build();
    }

    /**
     * Single-user in-memory store backing the actuator HTTP Basic chain.
     *
     * <p>The user is the SRA anonymous user and the password is the anonymous key. The
     * {@code {noop}} prefix selects Spring's plain-text password encoder, i.e. the key is kept and
     * compared verbatim rather than hashed.
     *
     * @param sRAProperties SRA configuration properties
     * @return user details service holding the anonymous user with role {@code ANONYMOUS}
     */
    @ConditionalOnMissingBean
    @Bean
    public ReactiveUserDetailsService actuatorUserDetailsService(final SRAProperties sRAProperties) {
        UserDetails anonymous = User.builder()
                .username(sRAProperties.getAnonymousUser())
                .password("{noop}" + sRAProperties.getAnonymousKey())
                .roles("ANONYMOUS")
                .build();
        return new MapReactiveUserDetailsService(anonymous);
    }

    /**
     * Builds the OIDC client registration from the issuer's discovery document.
     *
     * <p>{@link ClientRegistrations#fromOidcIssuerLocation(String)} contacts the configured OIDC
     * configuration URL at startup to resolve the provider endpoints and JWK set URI.
     *
     * @param sRAProperties SRA configuration properties
     * @return registration identified by {@code SRAProperties.AMType.OIDC.name()}
     */
    @ConditionalOnProperty(prefix = SRAProperties.PREFIX, name = { SRAProperties.AM_TYPE }, havingValue = "OIDC")
    @Bean
    public ClientRegistration oidcClientRegistration(final SRAProperties sRAProperties) {
        var oidc = sRAProperties.getOidc();
        return ClientRegistrations.fromOidcIssuerLocation(oidc.getConfiguration())
                .registrationId(SRAProperties.AMType.OIDC.name())
                .clientId(oidc.getClientId())
                .clientSecret(oidc.getClientSecret())
                .scope(oidc.getScopes().toArray(String[]::new))
                .build();
    }

    /**
     * Repository exposing only the OIDC registration.
     *
     * @param clientRegistration the bean produced by {@link #oidcClientRegistration(SRAProperties)}
     * @return in-memory repository with that single registration
     */
    @ConditionalOnProperty(prefix = SRAProperties.PREFIX, name = { SRAProperties.AM_TYPE }, havingValue = "OIDC")
    @Bean
    public ReactiveClientRegistrationRepository oidcClientRegistrationRepository(
            @Qualifier("oidcClientRegistration") final ClientRegistration clientRegistration) {

        return new InMemoryReactiveClientRegistrationRepository(clientRegistration);
    }

    /**
     * Default OIDC token validation: timestamp checks plus an issuer match against the configured
     * OIDC configuration URL.
     *
     * @param sRAProperties SRA configuration properties
     * @return validator applied by {@link #oidcJWTDecoder}
     */
    @ConditionalOnMissingBean
    @ConditionalOnProperty(prefix = SRAProperties.PREFIX, name = { SRAProperties.AM_TYPE }, havingValue = "OIDC")
    @Bean
    public OAuth2TokenValidator<Jwt> oidcJWTValidator(final SRAProperties sRAProperties) {
        return JwtValidators.createDefaultWithIssuer(sRAProperties.getOidc().getConfiguration());
    }

    /**
     * Claim conversion shared by the OIDC and OAUTH2 decoders: Spring's defaults with no overrides.
     *
     * @return claim set converter
     */
    @ConditionalOnMissingBean
    @Bean
    public Converter<Map<String, Object>, Map<String, Object>> jwtClaimSetConverter() {
        Map<String, Converter<Object, ?>> noOverrides = Map.of();
        return MappedJwtClaimSetConverter.withDefaults(noOverrides);
    }

    /**
     * JWT decoder for OIDC access tokens, keyed from the provider's JWK set URI.
     *
     * <p>Only RS256 and RS512 signatures are accepted; the injected validator and claim converter
     * are applied to every decoded token.
     *
     * @param clientRegistration OIDC registration carrying the JWK set URI
     * @param oAuth2TokenValidator validator to run after signature verification
     * @param converter claim set converter
     * @return configured decoder
     */
    @ConditionalOnMissingBean
    @ConditionalOnProperty(prefix = SRAProperties.PREFIX, name = { SRAProperties.AM_TYPE }, havingValue = "OIDC")
    @Bean
    public ReactiveJwtDecoder oidcJWTDecoder(
            @Qualifier("oidcClientRegistration") final ClientRegistration clientRegistration,
            @Qualifier("oidcJWTValidator") final OAuth2TokenValidator<Jwt> oAuth2TokenValidator,
            @Qualifier("jwtClaimSetConverter") final Converter<Map<String, Object>, Map<String, Object>> converter) {

        String jwkSetUri = clientRegistration.getProviderDetails().getJwkSetUri();
        NimbusReactiveJwtDecoder decoder = NimbusReactiveJwtDecoder.withJwkSetUri(jwkSetUri)
                .jwsAlgorithm(SignatureAlgorithm.RS256)
                .jwsAlgorithm(SignatureAlgorithm.RS512)
                .build();
        decoder.setJwtValidator(oAuth2TokenValidator);
        decoder.setClaimSetConverter(converter);
        return decoder;
    }

    /**
     * Builds the plain OAuth2 (authorization code) client registration from explicit endpoint
     * properties; no discovery is performed.
     *
     * @param sRAProperties SRA configuration properties
     * @return registration identified by {@code SRAProperties.AMType.OAUTH2.name()}
     */
    @ConditionalOnProperty(prefix = SRAProperties.PREFIX, name = { SRAProperties.AM_TYPE }, havingValue = "OAUTH2")
    @Bean
    public ClientRegistration oauth2ClientRegistration(final SRAProperties sRAProperties) {
        var oauth2 = sRAProperties.getOauth2();
        return ClientRegistration.withRegistrationId(SRAProperties.AMType.OAUTH2.name())
                .redirectUri("{baseUrl}/{action}/oauth2/code/{registrationId}")
                .tokenUri(oauth2.getTokenUri())
                .authorizationUri(oauth2.getAuthorizationUri())
                .userInfoUri(oauth2.getUserInfoUri())
                .userNameAttributeName(oauth2.getUserNameAttributeName())
                .clientId(oauth2.getClientId())
                .clientSecret(oauth2.getClientSecret())
                .scope(oauth2.getScopes().toArray(String[]::new))
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .jwkSetUri(oauth2.getJwkSetUri())
                .build();
    }

    /**
     * Repository exposing only the OAUTH2 registration.
     *
     * @param clientRegistration the bean produced by {@link #oauth2ClientRegistration(SRAProperties)}
     * @return in-memory repository with that single registration
     */
    @ConditionalOnProperty(prefix = SRAProperties.PREFIX, name = { SRAProperties.AM_TYPE }, havingValue = "OAUTH2")
    @Bean
    public ReactiveClientRegistrationRepository oauth2ClientRegistrationRepository(
            @Qualifier("oauth2ClientRegistration") final ClientRegistration clientRegistration) {

        return new InMemoryReactiveClientRegistrationRepository(clientRegistration);
    }

    /**
     * Token validation for OAUTH2: timestamp checks always, issuer match only when an issuer is
     * configured.
     *
     * @param sRAProperties SRA configuration properties
     * @return validator applied by {@link #oauth2JWTDecoder}
     */
    @ConditionalOnMissingBean
    @ConditionalOnProperty(prefix = SRAProperties.PREFIX, name = { SRAProperties.AM_TYPE }, havingValue = "OAUTH2")
    @Bean
    public OAuth2TokenValidator<Jwt> oauth2JWTValidator(final SRAProperties sRAProperties) {
        String issuer = sRAProperties.getOauth2().getIssuer();
        if (issuer == null) {
            return JwtValidators.createDefault();
        }
        return JwtValidators.createDefaultWithIssuer(issuer);
    }

    /**
     * JWT decoder for OAUTH2 access tokens.
     *
     * <p>When the registration carries a JWK set URI the token signature is verified against those
     * keys. When it is blank, the decoder is built with a processor that merely parses the claim set
     * out of the token: no signature verification happens in that branch, and the injected validator
     * is the only check applied afterwards.
     *
     * @param clientRegistration OAUTH2 registration (JWK set URI may be empty)
     * @param oAuth2TokenValidator validator to run on every decoded token
     * @param converter claim set converter
     * @return configured decoder
     */
    @ConditionalOnMissingBean
    @ConditionalOnProperty(prefix = SRAProperties.PREFIX, name = { SRAProperties.AM_TYPE }, havingValue = "OAUTH2")
    @Bean
    public ReactiveJwtDecoder oauth2JWTDecoder(
            @Qualifier("oauth2ClientRegistration") final ClientRegistration clientRegistration,
            @Qualifier("oauth2JWTValidator") final OAuth2TokenValidator<Jwt> oAuth2TokenValidator,
            @Qualifier("jwtClaimSetConverter") final Converter<Map<String, Object>, Map<String, Object>> converter) {

        String jwkSetUri = clientRegistration.getProviderDetails().getJwkSetUri();

        NimbusReactiveJwtDecoder decoder;
        if (StringUtils.isBlank(jwkSetUri)) {
            // NOTE(review): claims are read straight from the parsed token here, so a token's
            // signature is never checked on this path; only the validator set below applies.
            // Confirm this matches what the configured OAuth2 provider is expected to issue.
            decoder = new NimbusReactiveJwtDecoder(jwt -> {
                try {
                    return Mono.just(jwt.getJWTClaimsSet());
                } catch (ParseException e) {
                    return Mono.error(e);
                }
            });
        } else {
            decoder = NimbusReactiveJwtDecoder.withJwkSetUri(jwkSetUri).build();
        }

        decoder.setJwtValidator(oAuth2TokenValidator);
        decoder.setClaimSetConverter(converter);
        return decoder;
    }

    /**
     * Assembles and initialises the pac4j SAML2 SP client.
     *
     * <p>Signing requirements are fixed: assertions must be signed, and both authentication and
     * logout requests sent by the SP are signed. Bindings and the SP entity id come from the
     * {@code saml2} properties; the response binding is always {@code POST}.
     *
     * @param resourcePatternResolver resolver used to load the keystore and IdP metadata
     * @param sRAProperties SRA configuration properties
     * @return initialised client named {@code SRAProperties.AMType.SAML2.name()}
     */
    @ConditionalOnMissingBean
    @ConditionalOnProperty(prefix = SRAProperties.PREFIX, name = { SRAProperties.AM_TYPE }, havingValue = "SAML2")
    @Bean
    public SAML2Client saml2Client(
            final ResourcePatternResolver resourcePatternResolver,
            final SRAProperties sRAProperties) {

        var saml2 = sRAProperties.getSaml2();

        final SAML2Configuration cfg = new SAML2Configuration(
                resourcePatternResolver.getResource(saml2.getKeystore()),
                saml2.getKeystoreStorePass(),
                saml2.getKeystoreKeypass(),
                resourcePatternResolver.getResource(saml2.getIdpMetadata()));
        cfg.setKeystoreType(saml2.getKeystoreType());

        // A file-backed keystore is used read-only: the generator below never writes anything and
        // simply streams the configured resource back to pac4j.
        if (cfg.getKeystoreResource() instanceof FileUrlResource) {
            cfg.setKeystoreGenerator(new BaseSAML2KeystoreGenerator(cfg) {

                @Override
                protected void store(
                        final KeyStore keyStore,
                        final X509Certificate certificate,
                        final PrivateKey privateKey) throws Exception {
                    // intentionally empty: nothing is ever persisted
                }

                @Override
                public InputStream retrieve() throws Exception {
                    return cfg.getKeystoreResource().getInputStream();
                }
            });
        }

        cfg.setAuthnRequestBindingType(saml2.getAuthnRequestBinding().getUri());
        cfg.setResponseBindingType(SAML2BindingType.POST.getUri());
        cfg.setSpLogoutRequestBindingType(saml2.getLogoutRequestBinding().getUri());
        cfg.setSpLogoutResponseBindingType(saml2.getLogoutResponseBinding().getUri());
        cfg.setServiceProviderEntityId(saml2.getEntityId());

        cfg.setWantsAssertionsSigned(true);
        cfg.setAuthnRequestSigned(true);
        cfg.setSpLogoutRequestSigned(true);

        cfg.setServiceProviderMetadataResourceFilepath(saml2.getSpMetadataFilePath());
        cfg.setAcceptedSkew(saml2.getSkew());
        // Logout handling is delegated elsewhere; pac4j's own session handling is a no-op here.
        cfg.setLogoutHandler(new NoOpLogoutHandler());

        SAML2Client client = new SAML2Client(cfg);
        client.setName(SRAProperties.AMType.SAML2.name());
        // The ACS URL is derived from the SP entity id; the resolver keeps it free of extra parameters.
        client.setCallbackUrl(saml2.getEntityId() + "/login/saml2/sso");
        client.setCallbackUrlResolver(new NoParameterCallbackUrlResolver());
        client.init();
        return client;
    }

    /**
     * Main filter chain for the proxied routes.
     *
     * <p>Routes matched by {@code publicRouteMatcher} are open; every other exchange requires an
     * authenticated user. Login and logout handling is wired according to the configured access
     * manager type; for OIDC and OAUTH2 the chain additionally acts as a JWT resource server using
     * the {@link ReactiveJwtDecoder} bean from the context. CSRF protection is enforced on the
     * exchanges selected by {@code csrfRouteMatcher}.
     *
     * @param objectProvider lazily provides the SAML2 client (only defined when AM type is SAML2)
     * @param sRAProperties SRA configuration properties
     * @param serverHttpSecurity builder supplied by Spring Security
     * @param cacheManager cache manager handed to the logout helpers
     * @param logoutRouteMatcher matcher selecting logout requests
     * @param publicRouteMatcher matcher selecting unauthenticated routes
     * @param csrfRouteMatcher matcher selecting exchanges subject to CSRF checks
     * @param configurableApplicationContext application context used by the helper utilities
     * @return filter chain guarding the routes
     */
    @ConditionalOnProperty(prefix = SRAProperties.PREFIX, name = { SRAProperties.AM_TYPE })
    @Bean
    @Order(2)
    public SecurityWebFilterChain routesSecurityFilterChain(
            @Qualifier("saml2Client") final ObjectProvider<SAML2Client> objectProvider,
            final SRAProperties sRAProperties,
            final ServerHttpSecurity serverHttpSecurity,
            final CacheManager cacheManager,
            final LogoutRouteMatcher logoutRouteMatcher,
            final PublicRouteMatcher publicRouteMatcher,
            final CsrfRouteMatcher csrfRouteMatcher,
            final ConfigurableApplicationContext configurableApplicationContext) {

        ServerHttpSecurity.AuthorizeExchangeSpec exchanges = serverHttpSecurity.authorizeExchange()
                .matchers(publicRouteMatcher).permitAll()
                .anyExchange().authenticated();

        // No default branch: an AM type outside these four leaves only the authorization rules above.
        switch (sRAProperties.getAmType()) {
            case OIDC:
            case OAUTH2:
                OAuth2SecurityConfigUtils.forLogin(
                        serverHttpSecurity, sRAProperties.getAmType(), configurableApplicationContext);
                OAuth2SecurityConfigUtils.forLogout(
                        exchanges, sRAProperties.getAmType(), cacheManager, logoutRouteMatcher,
                        configurableApplicationContext);
                serverHttpSecurity.oauth2ResourceServer().jwt()
                        .jwtDecoder(configurableApplicationContext.getBean(ReactiveJwtDecoder.class));
                break;

            case SAML2:
                objectProvider.ifAvailable(client -> {
                    SAML2SecurityConfigUtils.forLogin(serverHttpSecurity, client, publicRouteMatcher);
                    SAML2SecurityConfigUtils.forLogout(
                            exchanges, client, cacheManager, logoutRouteMatcher, configurableApplicationContext);
                });
                break;

            case CAS:
                var cas = sRAProperties.getCas();
                CASSecurityConfigUtils.forLogin(
                        serverHttpSecurity, cas.getProtocol(), cas.getServerPrefix(), publicRouteMatcher);
                CASSecurityConfigUtils.forLogout(
                        exchanges, cacheManager, cas.getServerPrefix(), logoutRouteMatcher,
                        configurableApplicationContext);
                break;
        }

        serverHttpSecurity.csrf().requireCsrfProtectionMatcher(csrfRouteMatcher);
        return serverHttpSecurity.build();
    }
}
