package org.flowable.ui.task.conf;

import java.util.Collections;
import org.flowable.ui.common.filter.FlowableCookieFilterRegistrationBean;
import org.flowable.ui.common.properties.FlowableCommonAppProperties;
import org.flowable.ui.common.properties.FlowableRestAppProperties;
import org.flowable.ui.common.security.ActuatorRequestMatcher;
import org.flowable.ui.common.security.ClearFlowableCookieLogoutHandler;
import org.flowable.ui.common.security.DefaultPrivileges;
import org.flowable.ui.common.service.idm.RemoteIdmService;
import org.flowable.ui.task.properties.FlowableTaskAppProperties;
import org.flowable.ui.task.security.AjaxLogoutSuccessHandler;
import org.flowable.ui.task.security.RemoteIdmAuthenticationProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;

/**
 * Spring Security wiring for the Flowable Task UI.
 *
 * <p>Declares three separately ordered filter chains (REST API, actuator, UI), the
 * Flowable cookie filter bean and the registration of the authentication provider.
 * Spring Security consults the adapters in ascending {@code @Order} (1, 5, 10) and the
 * first chain whose request matcher accepts a request handles it. The {@code @Order(10)}
 * chain sets no matcher of its own, so it receives everything the other two do not claim.
 *
 * <p>Provenance: decompiled from
 * {@code WEB-INF/lib/flowable-ui-task-conf-6.5.0.jar}; layout and the absence of
 * redundant casts are reconstructed, the calls and their order are as decompiled.
 */
@Configuration(proxyBeanMethods = false)
public class SecurityConfiguration {
    private static final Logger LOGGER = LoggerFactory.getLogger(SecurityConfiguration.class);

    /** Provider handed to the global {@link AuthenticationManagerBuilder} in {@link #configureGlobal}. */
    @Autowired
    protected RemoteIdmAuthenticationProvider authenticationProvider;

    /**
     * Filter chain for actuator endpoints; only created when {@link EndpointRequest} is on
     * the classpath.
     */
    @ConditionalOnClass({EndpointRequest.class})
    @Configuration
    @Order(5)
    public static class ActuatorWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

        /**
         * Requires authentication for the info and health endpoints and the
         * {@code access-admin} authority for every other endpoint, over HTTP Basic.
         *
         * @param httpSecurity builder for this chain
         * @throws Exception propagated from the Spring Security configurers
         */
        @Override
        protected void configure(HttpSecurity httpSecurity) throws Exception {
            // No HTTP session is created; every request has to carry its own credentials.
            httpSecurity
                    .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                    .csrf()
                    .disable();

            // ActuatorRequestMatcher is project code not shown here; presumably it limits
            // this chain to the actuator paths (confirm against its source).
            // Rule order matters: the info/health rule is declared before the
            // any-endpoint rule, so those two need authentication but not access-admin.
            // HTTP Basic sends the credentials with each request, so expose this only
            // behind TLS.
            httpSecurity
                    .requestMatcher(new ActuatorRequestMatcher())
                    .authorizeRequests()
                    .requestMatchers(EndpointRequest.to(InfoEndpoint.class, HealthEndpoint.class))
                    .authenticated()
                    .requestMatchers(EndpointRequest.toAnyEndpoint())
                    .hasAnyAuthority("access-admin")
                    .and()
                    .httpBasic();
        }
    }

    /**
     * Filter chain for the REST API paths matching {@code /*-api/**}. It has the lowest
     * order value of the three adapters, so it is consulted first.
     */
    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        protected final FlowableRestAppProperties restAppProperties;
        protected final FlowableTaskAppProperties taskAppProperties;

        /**
         * @param flowableRestAppProperties source of the verify-REST-API-privilege switch
         * @param flowableTaskAppProperties source of the REST-enabled switch
         */
        public ApiWebSecurityConfigurationAdapter(FlowableRestAppProperties flowableRestAppProperties, FlowableTaskAppProperties flowableTaskAppProperties) {
            this.restAppProperties = flowableRestAppProperties;
            this.taskAppProperties = flowableTaskAppProperties;
        }

        /**
         * Applies one of three policies to {@code /*-api/**}: deny everything when REST is
         * disabled, require the {@code access-rest-api} authority when privilege
         * verification is on, otherwise accept any authenticated caller.
         *
         * @param httpSecurity builder for this chain
         * @throws Exception propagated from the Spring Security configurers
         */
        @Override
        protected void configure(HttpSecurity httpSecurity) throws Exception {
            final String apiPattern = "/*-api/**";

            httpSecurity
                    .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                    .csrf()
                    .disable();

            if (!this.taskAppProperties.isRestEnabled()) {
                // REST switched off: the paths stay matched by this chain and are rejected,
                // so they never fall through to the less specific UI chain.
                httpSecurity
                        .antMatcher(apiPattern)
                        .authorizeRequests()
                        .antMatchers(apiPattern)
                        .denyAll();
                return;
            }

            if (this.restAppProperties.isVerifyRestApiPrivilege()) {
                httpSecurity
                        .antMatcher(apiPattern)
                        .authorizeRequests()
                        .antMatchers(apiPattern)
                        .hasAuthority("access-rest-api")
                        .and()
                        .httpBasic();
            } else {
                // Weaker branch: any account that can authenticate reaches the REST API,
                // whatever its privileges.
                httpSecurity
                        .antMatcher(apiPattern)
                        .authorizeRequests()
                        .antMatchers(apiPattern)
                        .authenticated()
                        .and()
                        .httpBasic();
            }
        }
    }

    /**
     * Filter chain for the UI. With no request matcher configured it handles every request
     * that the API and actuator chains did not claim.
     */
    @Configuration
    @Order(10)
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        /** Registration whose filter is inserted ahead of the username/password filter. */
        @Autowired
        protected FilterRegistrationBean flowableCookieFilterRegistration;

        /** Invoked after a successful logout at {@code /app/logout}. */
        @Autowired
        protected AjaxLogoutSuccessHandler ajaxLogoutSuccessHandler;

        /**
         * Installs the Flowable cookie filter, logout handling and response headers, and
         * requires {@link DefaultPrivileges#ACCESS_TASK} for {@code /app/rest/**} and
         * {@code /rest/**}.
         *
         * @param httpSecurity builder for this chain
         * @throws Exception propagated from the Spring Security configurers
         */
        @Override
        protected void configure(HttpSecurity httpSecurity) throws Exception {
            httpSecurity
                    .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

            httpSecurity.addFilterBefore(
                    this.flowableCookieFilterRegistration.getFilter(),
                    UsernamePasswordAuthenticationFilter.class);

            httpSecurity
                    .logout()
                    .logoutUrl("/app/logout")
                    .logoutSuccessHandler(this.ajaxLogoutSuccessHandler)
                    .addLogoutHandler(new ClearFlowableCookieLogoutHandler());

            // NOTE(review): CSRF protection is off in a chain that, judging by the filter
            // and logout-handler names, authenticates from a cookie (confirm in the filter
            // source). If so, state-changing UI requests depend on other defenses such as
            // SameSite cookie attributes or origin checks.
            httpSecurity.csrf().disable();

            // Same-origin framing only (clickjacking defense). X-XSS-Protection is a
            // legacy header that current browsers ignore; it does not replace output
            // encoding or a content security policy.
            httpSecurity
                    .headers()
                    .frameOptions()
                    .sameOrigin()
                    .addHeaderWriter(new XXssProtectionHeaderWriter());

            // Only these two path families get an authorization rule; no anyRequest()
            // rule is declared, so this chain sets no authorization requirement for
            // any other path it serves.
            httpSecurity
                    .authorizeRequests()
                    .antMatchers("/app/rest/**")
                    .hasAuthority(DefaultPrivileges.ACCESS_TASK)
                    .antMatchers("/rest/**")
                    .hasAuthority(DefaultPrivileges.ACCESS_TASK);
        }
    }

    /**
     * Builds the cookie filter registration for the servlet pattern {@code /app/*} and
     * sets {@link DefaultPrivileges#ACCESS_TASK} as its only required privilege.
     *
     * @param remoteIdmService passed to the registration bean's constructor
     * @param flowableCommonAppProperties passed to the registration bean's constructor
     * @return the configured registration bean
     */
    @Bean
    public FlowableCookieFilterRegistrationBean flowableCookieFilterRegistration(RemoteIdmService remoteIdmService, FlowableCommonAppProperties flowableCommonAppProperties) {
        FlowableCookieFilterRegistrationBean registration =
                new FlowableCookieFilterRegistrationBean(remoteIdmService, flowableCommonAppProperties);
        registration.addUrlPatterns("/app/*");
        registration.setRequiredPrivileges(Collections.singletonList(DefaultPrivileges.ACCESS_TASK));
        return registration;
    }

    /**
     * Registers {@link #authenticationProvider} with the global authentication manager
     * builder.
     *
     * @param authenticationManagerBuilder builder injected by Spring
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder authenticationManagerBuilder) {
        AuthenticationProvider provider = this.authenticationProvider;
        try {
            authenticationManagerBuilder.authenticationProvider(provider);
        } catch (Exception e) {
            // NOTE(review): a failure here is only logged, so the application context
            // keeps starting without this provider registered. Monitor for this message,
            // or consider failing startup instead.
            LOGGER.error("Could not configure authentication mechanism:", e);
        }
    }
}
