package org.flowable.ui.idm.conf;

import org.apache.catalina.authenticator.Constants;
import org.flowable.idm.api.IdmIdentityService;
import org.flowable.ui.common.properties.FlowableRestAppProperties;
import org.flowable.ui.common.security.ActuatorRequestMatcher;
import org.flowable.ui.common.security.ClearFlowableCookieLogoutHandler;
import org.flowable.ui.common.security.DefaultPrivileges;
import org.flowable.ui.idm.properties.FlowableIdmAppProperties;
import org.flowable.ui.idm.security.AjaxAuthenticationFailureHandler;
import org.flowable.ui.idm.security.AjaxAuthenticationSuccessHandler;
import org.flowable.ui.idm.security.AjaxLogoutSuccessHandler;
import org.flowable.ui.idm.security.CustomDaoAuthenticationProvider;
import org.flowable.ui.idm.security.CustomLdapAuthenticationProvider;
import org.flowable.ui.idm.security.CustomPersistentRememberMeServices;
import org.flowable.ui.idm.security.Http401UnauthorizedEntryPoint;
import org.flowable.ui.idm.security.UserDetailsService;
import org.flowable.ui.idm.web.CustomFormLoginConfig;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.jdbc.datasource.init.ScriptUtils;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.RememberMeServices;
import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;

/**
 * Spring Security wiring for the Flowable IDM UI application (decompiled source).
 *
 * <p>Declares three nested {@link WebSecurityConfigurerAdapter} configurations, ordered by
 * {@code @Order} (lower value is consulted first):
 * <ol>
 *   <li>{@code @Order(1)} {@link ApiWebSecurityConfigurationAdapter}: the REST API paths.</li>
 *   <li>{@code @Order(5)} {@link ActuatorWebSecurityConfigurationAdapter}: actuator endpoints.</li>
 *   <li>{@code @Order(10)} {@link FormLoginWebSecurityConfigurerAdapter}: the UI paths with
 *       form login, remember-me and logout.</li>
 * </ol>
 *
 * <p>It also exposes the beans for the user details service, the database or LDAP
 * authentication provider, and the remember-me services. Method-level security
 * ({@code @PreAuthorize}/{@code @PostAuthorize} and JSR-250 annotations) is switched on by
 * {@code @EnableGlobalMethodSecurity}.
 *
 * <p>NOTE(review): all three chains call {@code csrf().disable()} and none of them calls
 * {@code requiresChannel()}, so CSRF protection and HTTPS enforcement are not provided by this
 * class. Confirm both are handled elsewhere in the deployment.
 */
@Configuration(proxyBeanMethods = false)
@EnableGlobalMethodSecurity(prePostEnabled = true, jsr250Enabled = true)
/* loaded from: input_file:WEB-INF/lib/flowable-ui-idm-conf-6.5.0.jar:org/flowable/ui/idm/conf/SecurityConfiguration.class */
public class SecurityConfiguration {

    // Passed to the LDAP authentication provider bean below.
    @Autowired
    protected IdmIdentityService identityService;

    // Source of the user validity period and of the remember-me services configuration.
    @Autowired
    protected FlowableIdmAppProperties idmAppProperties;

    /**
     * Filter chain for Spring Boot actuator endpoints.
     *
     * <p>Only registered when {@link EndpointRequest} is on the classpath. The chain is limited
     * to requests accepted by {@link ActuatorRequestMatcher} (its matching logic is not visible
     * in this file).
     */
    @ConditionalOnClass({EndpointRequest.class})
    @Configuration
    @Order(5)
    /* loaded from: input_file:WEB-INF/lib/flowable-ui-idm-conf-6.5.0.jar:org/flowable/ui/idm/conf/SecurityConfiguration$ActuatorWebSecurityConfigurationAdapter.class */
    public static class ActuatorWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        /**
         * Configures stateless HTTP Basic access to the actuator endpoints.
         *
         * @param httpSecurity the builder for this filter chain
         * @throws Exception if the Spring Security configurers fail
         */
        /* JADX WARN: Multi-variable type inference failed */
        @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
        protected void configure(HttpSecurity httpSecurity) throws Exception {
            // No HTTP session is created for this chain, and CSRF protection is turned off.
            ((HttpSecurity) httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()).csrf().disable();
            // Rule order matters: the info and health endpoints hit the first rule and need any
            // authenticated user; every other actuator endpoint falls through to the second rule
            // and needs the DefaultPrivileges.ACCESS_ADMIN authority. Credentials arrive via
            // HTTP Basic.
            ((HttpSecurity) httpSecurity.requestMatcher(new ActuatorRequestMatcher()).authorizeRequests().requestMatchers(EndpointRequest.to((Class<?>[]) new Class[]{InfoEndpoint.class, HealthEndpoint.class})).authenticated().requestMatchers(EndpointRequest.toAnyEndpoint()).hasAnyAuthority(DefaultPrivileges.ACCESS_ADMIN).and()).httpBasic();
        }
    }

    /**
     * Filter chain for the REST API under {@code /api/}.
     *
     * <p>Has the lowest {@code @Order} value of the three adapters, so it is consulted first.
     */
    @Configuration
    @Order(1)
    /* loaded from: input_file:WEB-INF/lib/flowable-ui-idm-conf-6.5.0.jar:org/flowable/ui/idm/conf/SecurityConfiguration$ApiWebSecurityConfigurationAdapter.class */
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        // Supplies isVerifyRestApiPrivilege(), read in configure().
        protected final FlowableRestAppProperties restAppProperties;
        // Supplies isRestEnabled(), read in configure().
        protected final FlowableIdmAppProperties idmAppProperties;

        /**
         * Stores the two property holders that decide how the API paths are protected.
         *
         * @param flowableRestAppProperties REST application properties
         * @param flowableIdmAppProperties IDM application properties
         */
        public ApiWebSecurityConfigurationAdapter(FlowableRestAppProperties flowableRestAppProperties, FlowableIdmAppProperties flowableIdmAppProperties) {
            this.restAppProperties = flowableRestAppProperties;
            this.idmAppProperties = flowableIdmAppProperties;
        }

        /**
         * Applies one of three access policies to the API paths, depending on configuration.
         *
         * @param httpSecurity the builder for this filter chain
         * @throws Exception if the Spring Security configurers fail
         */
        /* JADX WARN: Multi-variable type inference failed */
        @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
        protected void configure(HttpSecurity httpSecurity) throws Exception {
            // No HTTP session is created for this chain, and CSRF protection is turned off.
            ((HttpSecurity) httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()).csrf().disable();
            if (!this.idmAppProperties.isRestEnabled()) {
                // REST disabled: every API request is rejected, and no authentication mechanism
                // is configured in this branch.
                httpSecurity.antMatcher("/api/**").authorizeRequests().antMatchers("/api/**").denyAll();
            } else if (this.restAppProperties.isVerifyRestApiPrivilege()) {
                // Privilege check on: the caller needs DefaultPrivileges.ACCESS_REST_API.
                ((HttpSecurity) httpSecurity.antMatcher("/api/**").authorizeRequests().antMatchers("/api/**").hasAuthority(DefaultPrivileges.ACCESS_REST_API).and()).httpBasic();
            } else {
                // Privilege check off: any authenticated user may call the API.
                // NOTE(review): this is the broadest of the three policies; confirm it is only
                // used where every account is meant to have API access.
                ((HttpSecurity) httpSecurity.antMatcher("/api/**").authorizeRequests().antMatchers("/api/**").authenticated().and()).httpBasic();
            }
            // HTTP Basic sends the username and password on every request. Nothing visible in
            // this class enforces HTTPS, so transport protection has to come from the
            // deployment (TODO confirm).
        }
    }

    /**
     * Filter chain for the browser-facing UI: form login, remember-me and logout.
     *
     * <p>{@code configure} sets no request matcher on the builder, and this adapter has the
     * highest {@code @Order} value, so it handles requests the other two chains do not claim.
     */
    @Configuration
    @Order(10)
    /* loaded from: input_file:WEB-INF/lib/flowable-ui-idm-conf-6.5.0.jar:org/flowable/ui/idm/conf/SecurityConfiguration$FormLoginWebSecurityConfigurerAdapter.class */
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        // Provides getSecurity().getRememberMeKey() for the remember-me configuration.
        @Autowired
        private FlowableIdmAppProperties idmAppProperties;

        // Invoked after a successful login at /app/authentication.
        @Autowired
        private AjaxAuthenticationSuccessHandler ajaxAuthenticationSuccessHandler;

        // Invoked after a failed login at /app/authentication.
        @Autowired
        private AjaxAuthenticationFailureHandler ajaxAuthenticationFailureHandler;

        // Invoked after logout at /app/logout.
        @Autowired
        private AjaxLogoutSuccessHandler ajaxLogoutSuccessHandler;

        // Entry point used when an unauthenticated request needs authentication.
        @Autowired
        private Http401UnauthorizedEntryPoint authenticationEntryPoint;

        // Remember-me implementation plugged into rememberMe().
        @Autowired
        private RememberMeServices rememberMeServices;

        /**
         * Configures the UI filter chain and registers the custom form login configurer.
         *
         * @param httpSecurity the builder for this filter chain
         * @throws Exception if the Spring Security configurers fail
         */
        /* JADX WARN: Multi-variable type inference failed */
        @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
        protected void configure(HttpSecurity httpSecurity) throws Exception {
            // The single chained statement below configures, in order:
            //  - the authentication entry point for unauthenticated requests;
            //  - stateless session management, so authentication across requests rests on the
            //    remember-me services rather than an HTTP session;
            //  - remember-me, keyed with the value from idmAppProperties.getSecurity().
            //    NOTE(review): confirm that key is a deployment-specific secret and not a
            //    shipped default;
            //  - logout at "/app/logout", open to everyone, with ClearFlowableCookieLogoutHandler
            //    and the Ajax logout success handler;
            //  - CSRF protection disabled. NOTE(review): if the remember-me services
            //    authenticate through a cookie (implementation not visible here), state-changing
            //    requests under "/app/**" have no CSRF token check; confirm another control
            //    covers this;
            //  - X-Frame-Options set to same-origin plus an X-XSS-Protection header writer;
            //  - access rules: the pattern held in ScriptUtils.DEFAULT_BLOCK_COMMENT_START_DELIMITER
            //    is open to everyone (the constant is the string "/*", so this is presumably a
            //    decompiler substitution for the literal Ant pattern; verify against the original
            //    source), "/app/rest/authenticate" is open to everyone, and "/app/**" requires
            //    DefaultPrivileges.ACCESS_IDM.
            // No anyRequest() rule is declared, so a path matching none of the three patterns has
            // no access rule in this chain. NOTE(review): confirm that is intended.
            ((HttpSecurity) ((HttpSecurity) ((HttpSecurity) ((HttpSecurity) ((HttpSecurity) ((HttpSecurity) httpSecurity.exceptionHandling().authenticationEntryPoint(this.authenticationEntryPoint).and()).sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()).rememberMe().rememberMeServices(this.rememberMeServices).key(this.idmAppProperties.getSecurity().getRememberMeKey()).and()).logout().logoutUrl("/app/logout").logoutSuccessHandler(this.ajaxLogoutSuccessHandler).addLogoutHandler(new ClearFlowableCookieLogoutHandler()).permitAll().and()).csrf().disable()).headers().frameOptions().sameOrigin().addHeaderWriter(new XXssProtectionHeaderWriter()).and()).authorizeRequests().antMatchers(ScriptUtils.DEFAULT_BLOCK_COMMENT_START_DELIMITER).permitAll().antMatchers("/app/rest/authenticate").permitAll().antMatchers("/app/**").hasAuthority(DefaultPrivileges.ACCESS_IDM);
            // Custom form login: credentials are posted to "/app/authentication". The parameter
            // names come from Catalina's Constants.FORM_USERNAME / FORM_PASSWORD ("j_username" /
            // "j_password"), presumably another decompiler substitution for string literals.
            CustomFormLoginConfig customFormLoginConfig = new CustomFormLoginConfig();
            customFormLoginConfig.loginProcessingUrl("/app/authentication").successHandler(this.ajaxAuthenticationSuccessHandler).failureHandler(this.ajaxAuthenticationFailureHandler).usernameParameter(Constants.FORM_USERNAME).passwordParameter(Constants.FORM_PASSWORD).permitAll();
            // NOTE(review): the (HttpSecurity) cast on the configurer looks like a decompiler
            // artifact (see the JADX warning above); verify against the original source.
            httpSecurity.apply((HttpSecurity) customFormLoginConfig);
        }
    }

    /**
     * Creates the Flowable user details service and sets its user validity period from the
     * IDM application properties.
     *
     * @return the configured user details service
     */
    @Bean
    public UserDetailsService userDetailsService() {
        UserDetailsService userDetailsService = new UserDetailsService();
        userDetailsService.setUserValidityPeriod(this.idmAppProperties.getSecurity().getUserValidityPeriod());
        return userDetailsService;
    }

    /**
     * Creates the database-backed authentication provider.
     *
     * <p>Only registered when no other {@link AuthenticationProvider} bean exists and
     * {@code flowable.idm.ldap.enabled} is {@code false} or not set.
     *
     * @param passwordEncoder encoder handed to the provider for password checks
     * @param userDetailsService service the provider uses to load users
     * @return the configured provider
     */
    @ConditionalOnMissingBean({AuthenticationProvider.class})
    @ConditionalOnProperty(prefix = "flowable.idm.ldap", name = {"enabled"}, havingValue = "false", matchIfMissing = true)
    @Bean(name = {"dbAuthenticationProvider"})
    public AuthenticationProvider dbAuthenticationProvider(PasswordEncoder passwordEncoder, org.springframework.security.core.userdetails.UserDetailsService userDetailsService) {
        CustomDaoAuthenticationProvider customDaoAuthenticationProvider = new CustomDaoAuthenticationProvider();
        customDaoAuthenticationProvider.setUserDetailsService(userDetailsService);
        customDaoAuthenticationProvider.setPasswordEncoder(passwordEncoder);
        return customDaoAuthenticationProvider;
    }

    /**
     * Creates the LDAP authentication provider.
     *
     * <p>Only registered when {@code flowable.idm.ldap.enabled} is {@code true}.
     *
     * @param userDetailsService service passed to the provider
     * @return the LDAP provider, built with the injected identity service
     */
    @ConditionalOnProperty(prefix = "flowable.idm.ldap", name = {"enabled"}, havingValue = "true")
    @Bean(name = {"ldapAuthenticationProvider"})
    public AuthenticationProvider ldapAuthenticationProvider(org.springframework.security.core.userdetails.UserDetailsService userDetailsService) {
        return new CustomLdapAuthenticationProvider(userDetailsService, this.identityService);
    }

    /**
     * Creates the remember-me services from the IDM application properties and the user
     * details service.
     *
     * @param userDetailsService service passed to the remember-me implementation
     * @return the remember-me services bean
     */
    @Bean
    public CustomPersistentRememberMeServices rememberMeServices(org.springframework.security.core.userdetails.UserDetailsService userDetailsService) {
        return new CustomPersistentRememberMeServices(this.idmAppProperties, userDetailsService);
    }
}
