package org.flowable.rest.conf;

import org.apache.commons.lang3.StringUtils;
import org.flowable.rest.app.properties.RestAppProperties;
import org.flowable.rest.security.BasicAuthenticationProvider;
import org.flowable.rest.security.SecurityConstants;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

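/**
 * Spring Security configuration for the REST application.
 *
 * <p>Every request is authenticated with HTTP Basic against the
 * {@link AuthenticationProvider} bean declared here, and no HTTP session is
 * created. Authorization rules are registered in a fixed order (docs, actuator
 * endpoints, then everything else); Spring Security applies the first rule
 * whose matcher fits a request, so the order below is significant.
 *
 * <p>NOTE(review): HTTP Basic sends the credentials with every request.
 * Transport security is not configured in this class, so confirm that the
 * deployment only exposes this application over TLS.
 */
@Configuration(proxyBeanMethods = false)
@EnableWebSecurity
/* loaded from: input_file:WEB-INF/classes/org/flowable/rest/conf/SecurityConfiguration.class */
public class SecurityConfiguration {
    /** Application properties that drive CORS, docs exposure and the authentication mode. */
    protected final RestAppProperties restAppProperties;

    /**
     * @param restAppProperties properties read when the security beans are built
     */
    public SecurityConfiguration(RestAppProperties restAppProperties) {
        this.restAppProperties = restAppProperties;
    }

    /**
     * Creates the provider used for HTTP Basic authentication.
     *
     * <p>The provider receives the same privilege-verification flag that
     * {@link #restApiSecurity} uses for its catch-all rule. What the provider
     * does with the flag is not visible in this class.
     *
     * @return the configured {@link BasicAuthenticationProvider}
     */
    @Bean
    public AuthenticationProvider authenticationProvider() {
        BasicAuthenticationProvider provider = new BasicAuthenticationProvider();
        provider.setVerifyRestApiPrivilege(isVerifyRestApiPrivilege());
        return provider;
    }

    /**
     * Builds the filter chain that protects the REST API, the actuator
     * endpoints and the API documentation.
     *
     * @param httpSecurity the builder supplied by Spring Security
     * @param authenticationProvider the provider that validates Basic credentials
     * @return the assembled filter chain
     * @throws Exception if the builder rejects the configuration
     */
    @Bean
    public SecurityFilterChain restApiSecurity(HttpSecurity httpSecurity, AuthenticationProvider authenticationProvider) throws Exception {
        // No session is created, so there is no session cookie for a forged
        // cross-site request to ride on; CSRF protection is switched off on that basis.
        httpSecurity
            .authenticationProvider(authenticationProvider)
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrfConfigurer -> csrfConfigurer.disable());

        if (this.restAppProperties.getCors().isEnabled()) {
            // The configurer is passed as-is. The decompiled listing cast it to
            // HttpSecurity, which is a final class and can never be the
            // configurer's type, so that cast could not compile.
            httpSecurity.apply(new PropertyBasedCorsFilter(this.restAppProperties));
        }

        // Rule 1: API documentation. When enabled it is reachable WITHOUT
        // authentication; when disabled the path is denied for everyone.
        if (isSwaggerDocsEnabled()) {
            httpSecurity.authorizeHttpRequests(registry ->
                registry.requestMatchers(AntPathRequestMatcher.antMatcher("/docs/**")).permitAll());
        } else {
            httpSecurity.authorizeHttpRequests(registry ->
                registry.requestMatchers(AntPathRequestMatcher.antMatcher("/docs/**")).denyAll());
        }

        // Rule 2: actuator. Info and health need any authenticated caller;
        // every other actuator endpoint needs the ACCESS_ADMIN authority.
        httpSecurity.authorizeHttpRequests(registry ->
            registry
                .requestMatchers(EndpointRequest.to(InfoEndpoint.class, HealthEndpoint.class)).authenticated()
                .requestMatchers(EndpointRequest.toAnyEndpoint()).hasAnyAuthority(SecurityConstants.ACCESS_ADMIN));

        // Rule 3: catch-all. Must stay last, because anyRequest() matches
        // everything the earlier rules did not claim.
        if (isVerifyRestApiPrivilege()) {
            httpSecurity.authorizeHttpRequests(registry ->
                registry.anyRequest().hasAuthority(SecurityConstants.PRIVILEGE_ACCESS_REST_API));
        } else {
            httpSecurity.authorizeHttpRequests(registry -> registry.anyRequest().authenticated());
        }

        httpSecurity.httpBasic(Customizer.withDefaults());
        return httpSecurity.build();
    }

    /**
     * Decides whether callers must hold the REST API privilege.
     *
     * <p>An unset or empty authentication mode selects the strict behaviour.
     * Any non-empty value other than {@code "verify-privilege"} turns the
     * privilege check off, leaving "any authenticated user" as the rule.
     *
     * <p>NOTE(review): a mistyped mode therefore silently selects the weaker
     * rule. Consider validating the property at startup against the set of
     * supported values so that a typo fails loudly instead.
     *
     * @return {@code true} when the REST API privilege must be verified
     */
    protected boolean isVerifyRestApiPrivilege() {
        String mode = this.restAppProperties.getAuthenticationMode();
        if (StringUtils.isEmpty(mode)) {
            return true;
        }
        return "verify-privilege".equals(mode);
    }

    /**
     * @return {@code true} when the {@code /docs} paths should be served
     */
    protected boolean isSwaggerDocsEnabled() {
        return this.restAppProperties.isSwaggerDocsEnabled();
    }
}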
