package org.eclipse.pass.main.security;

import jakarta.servlet.http.Cookie;
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.authentication.OpenSaml4AuthenticationRequestResolver;
import org.springframework.security.saml2.provider.service.web.authentication.Saml2AuthenticationRequestResolver;
import org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.header.writers.ContentSecurityPolicyHeaderWriter;
import org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

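/**
 * Spring Security configuration: builds the application's {@link SecurityFilterChain}
 * and customizes the SAML2 authentication request sent to the identity provider.
 *
 * <p>All URLs, the Content-Security-Policy and the list of cookies cleared on logout come
 * from {@code pass.*} configuration properties injected below.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfiguration {

    // Project filter (defined elsewhere) registered after the SAML2 web SSO filter.
    @Autowired
    private PassAuthenticationFilter passAuthFilter;

    // Redirect target after a successful logout.
    @Value("${pass.logout-success-url}")
    private String logoutSuccessUrl;

    // Redirect target after a successful SAML2 login.
    @Value("${pass.default-login-success-url}")
    private String defaultLoginSuccessUrl;

    // Path on which the SAML2 login response is processed.
    @Value("${pass.login-processing-path}")
    private String loginProcessingPath;

    // Content-Security-Policy directives written on responses under /app/**.
    @Value("${pass.csp}")
    private String contentSecurityPolicy;

    // Cookies to expire on logout; each entry is "<name> <path>" separated by whitespace.
    @Value("${pass.logout-delete-cookies}")
    private List<String> logoutDeleteCookies;

    /**
     * Builds the security filter chain.
     *
     * <p>Form login and anonymous authentication are disabled; every request other than
     * {@code /error}, {@code /favicon.ico} and {@code /app/favicon.ico} must be authenticated,
     * through either SAML2 login or HTTP Basic.
     *
     * @param httpSecurity the builder supplied by Spring Security
     * @return the configured filter chain
     * @throws IllegalArgumentException if a {@code pass.logout-delete-cookies} entry does not
     *         contain both a cookie name and a path
     * @throws Exception if the chain cannot be built
     */
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.formLogin(form -> form.disable());
        httpSecurity.anonymous(anonymous -> anonymous.disable());

        // The CSRF token cookie is created with HttpOnly=false, so page scripts can read it
        // (presumably so the browser client can send it back; SpaCsrfTokenRequestHandler is
        // defined elsewhere). Any script running on this origin can therefore read the token,
        // which makes the CSP configured below part of the CSRF defence.
        // Adding /doi/** to the default matcher requires a token on those paths for every
        // HTTP method, including GET, which the default matcher alone would exempt.
        httpSecurity.csrf(csrf -> csrf
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .requireCsrfProtectionMatcher(new OrRequestMatcher(
                        CsrfFilter.DEFAULT_CSRF_MATCHER,
                        new AntPathRequestMatcher("/doi/**")))
                .csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler()));

        // The configured CSP is written only for /app/**; responses on other paths get no
        // CSP header from this writer.
        ContentSecurityPolicyHeaderWriter cspWriter = new ContentSecurityPolicyHeaderWriter();
        cspWriter.setPolicyDirectives(this.contentSecurityPolicy);
        DelegatingRequestMatcherHeaderWriter appCspWriter =
                new DelegatingRequestMatcherHeaderWriter(new AntPathRequestMatcher("/app/**"), cspWriter);
        httpSecurity.headers(headers -> headers.addHeaderWriter(appCspWriter));

        // Only the error page and the favicons are public; everything else needs authentication.
        httpSecurity.authorizeHttpRequests(authorize -> authorize
                .requestMatchers("/error", "/favicon.ico", "/app/favicon.ico").permitAll()
                .anyRequest().authenticated());

        // A null matching parameter name means no marker query parameter is needed for a
        // saved request to be matched.
        HttpSessionRequestCache sessionRequestCache = new HttpSessionRequestCache();
        sessionRequestCache.setMatchingRequestParameterName(null);
        httpSecurity.requestCache(cache -> cache.requestCache(sessionRequestCache));

        // The entry point answers with a bare 401 and sets no WWW-Authenticate header.
        // NOTE(review): presumably this keeps browsers from showing the native basic-auth
        // prompt. Which credential store backs HTTP Basic is not visible in this class; confirm.
        httpSecurity.httpBasic(basic -> basic.authenticationEntryPoint(
                (request, response, authException) -> response.sendError(
                        HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase())));

        httpSecurity.saml2Login(saml2 -> saml2
                .defaultSuccessUrl(this.defaultLoginSuccessUrl)
                .loginProcessingUrl(this.loginProcessingPath));
        httpSecurity.saml2Metadata(Customizer.withDefaults());

        // On logout, expire every cookie listed in pass.logout-delete-cookies.
        Cookie[] cookiesToClear = this.logoutDeleteCookies.stream()
                .map(SecurityConfiguration::expiredCookie)
                .toArray(Cookie[]::new);
        CookieClearingLogoutHandler cookieClearingLogoutHandler = new CookieClearingLogoutHandler(cookiesToClear);
        httpSecurity.logout(logout -> logout
                .logoutSuccessUrl(this.logoutSuccessUrl)
                .addLogoutHandler(cookieClearingLogoutHandler));

        // Both project filters are registered relative to the SAML2 web SSO filter.
        httpSecurity.addFilterAfter(this.passAuthFilter, Saml2WebSsoAuthenticationFilter.class);
        httpSecurity.addFilterAfter(new CsrfCookieFilter(), Saml2WebSsoAuthenticationFilter.class);
        return httpSecurity.build();
    }

    /**
     * Turns one {@code "<name> <path>"} configuration entry into a cookie with a null value
     * and max-age 0, which tells the browser to delete it.
     *
     * <p>Tokens after the path are ignored. An entry without a path is rejected with a
     * descriptive error instead of an {@link ArrayIndexOutOfBoundsException}; otherwise a
     * typo in the property is hard to trace back to the setting that caused it.
     */
    private static Cookie expiredCookie(String spec) {
        String[] parts = spec.trim().split("\\s+");
        if (parts.length < 2) {
            throw new IllegalArgumentException(
                    "pass.logout-delete-cookies entry must be '<name> <path>', got: '" + spec + "'");
        }
        Cookie cookie = new Cookie(parts[0], null);
        cookie.setPath(parts[1]);
        cookie.setMaxAge(0);
        return cookie;
    }

    /**
     * Creates the resolver that builds SAML2 authentication requests.
     *
     * <p>Every request is sent with {@code ForceAuthn=true}, which asks the identity provider
     * to authenticate the user again rather than reuse an existing identity-provider session.
     *
     * @param relyingPartyRegistrationRepository source of the relying-party registrations
     * @return the customized request resolver
     */
    @Bean
    Saml2AuthenticationRequestResolver authenticationRequestResolver(RelyingPartyRegistrationRepository relyingPartyRegistrationRepository) {
        OpenSaml4AuthenticationRequestResolver resolver = new OpenSaml4AuthenticationRequestResolver(
                new DefaultRelyingPartyRegistrationResolver(relyingPartyRegistrationRepository));
        resolver.setAuthnRequestCustomizer(context -> context.getAuthnRequest().setForceAuthn(true));
        return resolver;
    }
}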
