package org.springframework.cloud.common.security;

import java.net.URI;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.servlet.Filter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.autoconfigure.security.oauth2.OAuth2ClientProperties;
import org.springframework.boot.autoconfigure.security.oauth2.resource.PrincipalExtractor;
import org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerProperties;
import org.springframework.cloud.common.security.support.DataflowPrincipalExtractor;
import org.springframework.cloud.common.security.support.DefaultAuthoritiesExtractor;
import org.springframework.cloud.common.security.support.ExternalOauth2ResourceAuthoritiesExtractor;
import org.springframework.cloud.common.security.support.OnOAuth2SecurityEnabled;
import org.springframework.cloud.common.security.support.SecurityConfigUtils;
import org.springframework.cloud.common.security.support.SecurityStateBean;
import org.springframework.cloud.common.security.support.TokenStoreClearingLogoutSuccessHandler;
import org.springframework.cloud.common.security.support.TokenValidatingUserInfoTokenServices;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Conditional;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.event.EventListener;
import org.springframework.http.MediaType;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.filter.OAuth2AuthenticationFailureEvent;
import org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter;
import org.springframework.security.oauth2.client.resource.BaseOAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.client.token.AccessTokenProvider;
import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;
import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordAccessTokenProvider;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;
import org.springframework.util.StringUtils;
import org.springframework.web.HttpMediaTypeNotAcceptableException;
import org.springframework.web.accept.HeaderContentNegotiationStrategy;
import org.springframework.web.context.request.NativeWebRequest;

/**
 * Spring Security configuration that wires OAuth2-based authentication for a web application.
 *
 * <p>The class is only considered when {@link OnOAuth2SecurityEnabled} matches, the application is
 * a web application, and no other {@link WebSecurityConfigurerAdapter} bean is already defined.
 * It registers three authentication filters (bearer token, HTTP Basic, OAuth2 login), builds the
 * URL authorization rules from {@link AuthorizationProperties}, and exposes the supporting beans
 * (token store, token services, REST template, authentication managers).
 *
 * <p>This listing is decompiler output (JADX); the explicit casts and raw types are artifacts of
 * decompilation and are left untouched.
 */
@EnableWebSecurity
@ConditionalOnMissingBean({WebSecurityConfigurerAdapter.class})
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.ANY)
@EnableOAuth2Client
@Configuration
@ConditionalOnClass({WebSecurityConfigurerAdapter.class})
@Conditional({OnOAuth2SecurityEnabled.class})
/* loaded from: input_file:BOOT-INF/lib/spring-cloud-common-security-config-web-1.1.4.RELEASE.jar:org/springframework/cloud/common/security/OAuthSecurityConfiguration.class */
public class OAuthSecurityConfiguration extends WebSecurityConfigurerAdapter {
    private static final Logger logger = LoggerFactory.getLogger((Class<?>) OAuthSecurityConfiguration.class);

    // Flag holder that configure(HttpSecurity) switches to "authentication enabled".
    @Autowired
    protected SecurityStateBean securityStateBean;

    // Injected but not read anywhere in this class.
    @Autowired
    protected SecurityProperties securityProperties;

    // Per-client OAuth2 context shared by the REST template and the manual authentication provider.
    @Autowired
    protected OAuth2ClientContext oauth2ClientContext;

    // Source of the client id and client secret handed to the token services, and of the
    // resource details used by the OAuth2 REST template.
    @Autowired
    protected AuthorizationCodeResourceDetails authorizationCodeResourceDetails;

    // Source of the user-info and token-info endpoint URIs.
    @Autowired
    protected ResourceServerProperties resourceServerProperties;

    // Passed to the logout success handler.
    @Autowired
    protected OAuth2ClientProperties oAuth2ClientProperties;

    // Given to the OAuth2 login filter so that it can publish authentication events.
    @Autowired
    protected ApplicationEventPublisher applicationEventPublisher;

    // Path lists, dashboard URL, login URL and role-mapping settings that drive the access rules.
    @Autowired
    protected AuthorizationProperties authorizationProperties;

    // Injected but not read anywhere in this class.
    @Autowired
    protected BaseOAuth2ProtectedResourceDetails clientCredentialsResourceDetails;

    // Optional override; when absent, resourceServerTokenServices() uses DataflowPrincipalExtractor.
    @Autowired(required = false)
    private PrincipalExtractor principalExtractor;

    /* loaded from: input_file:BOOT-INF/lib/spring-cloud-common-security-config-web-1.1.4.RELEASE.jar:org/springframework/cloud/common/security/OAuthSecurityConfiguration$BrowserDetectingContentNegotiationStrategy.class */
    /**
     * Content negotiation strategy that classifies a request as "browser" (HTML) or "API" (JSON).
     *
     * <p>In this file it is only used by {@code configure(HttpSecurity)} to choose which
     * authentication entry point answers an unauthenticated request. The {@code User-Agent}
     * header it inspects is supplied by the client, so the result should not be treated as a
     * trust signal.
     */
    protected static class BrowserDetectingContentNegotiationStrategy extends HeaderContentNegotiationStrategy {
        protected BrowserDetectingContentNegotiationStrategy() {
        }

        /**
         * Resolves the request to exactly one media type.
         *
         * @param nativeWebRequest the current request
         * @return a single-element list holding {@code text/html} when the {@code User-Agent}
         *     header is present, contains {@code "Mozilla/5.0"}, and the media types resolved by
         *     the superclass do not contain {@code application/json}; otherwise a single-element
         *     list holding {@code application/json}
         * @throws HttpMediaTypeNotAcceptableException propagated from the superclass resolution
         */
        @Override // org.springframework.web.accept.HeaderContentNegotiationStrategy, org.springframework.web.accept.ContentNegotiationStrategy
        public List<MediaType> resolveMediaTypes(NativeWebRequest nativeWebRequest) throws HttpMediaTypeNotAcceptableException {
            List<MediaType> resolveMediaTypes = super.resolveMediaTypes(nativeWebRequest);
            String header = nativeWebRequest.getHeader("User-Agent");
            // JSON is the default; HTML is chosen only for a browser-like User-Agent that did not ask for JSON.
            return (header == null || !header.contains("Mozilla/5.0") || resolveMediaTypes.contains(MediaType.APPLICATION_JSON)) ? Collections.singletonList(MediaType.APPLICATION_JSON) : Collections.singletonList(MediaType.TEXT_HTML);
        }
    }

    /**
     * Resource-server configuration that plugs the shared token services bean into the
     * resource-server security configurer.
     */
    @Configuration
    /* loaded from: input_file:BOOT-INF/lib/spring-cloud-common-security-config-web-1.1.4.RELEASE.jar:org/springframework/cloud/common/security/OAuthSecurityConfiguration$ResourceServerConfiguration.class */
    protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

        // Token services used to validate incoming access tokens.
        @Autowired
        ResourceServerTokenServices resourceServerTokenServices;

        protected ResourceServerConfiguration() {
        }

        /**
         * Applies the superclass configuration and then sets the injected token services.
         *
         * @param resourceServerSecurityConfigurer the configurer to customize
         * @throws Exception propagated from the superclass
         */
        @Override // org.springframework.security.config.annotation.web.configuration.ResourceServerConfigurerAdapter, org.springframework.security.config.annotation.web.configuration.ResourceServerConfigurer
        public void configure(ResourceServerSecurityConfigurer resourceServerSecurityConfigurer) throws Exception {
            super.configure(resourceServerSecurityConfigurer);
            resourceServerSecurityConfigurer.tokenServices(this.resourceServerTokenServices);
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    /**
     * Builds the HTTP security chain: authentication filters, URL access rules, logout handling
     * and the entry points used for unauthenticated requests.
     *
     * <p>Statement order matters here. The filter registrations refer to each other's classes,
     * and the {@code permitAll} matchers are registered before the {@code authenticated} ones.
     *
     * @param httpSecurity the builder to configure
     * @throws Exception propagated from the Spring Security builders
     */
    @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        // Matches requests that the browser-detecting strategy resolves to text/html.
        MediaTypeRequestMatcher mediaTypeRequestMatcher = new MediaTypeRequestMatcher(new BrowserDetectingContentNegotiationStrategy(), MediaType.TEXT_HTML);
        BasicAuthenticationEntryPoint basicAuthenticationEntryPoint = new BasicAuthenticationEntryPoint();
        basicAuthenticationEntryPoint.setRealmName(SecurityConfigUtils.BASIC_AUTH_REALM_NAME);
        basicAuthenticationEntryPoint.afterPropertiesSet();
        Filter oauthFilter = oauthFilter();
        BasicAuthenticationFilter basicAuthenticationFilter = new BasicAuthenticationFilter(providerManager(), basicAuthenticationEntryPoint);
        // The three registrations below request this relative order:
        // bearer-token filter, then HTTP Basic filter, then the OAuth2 login filter.
        httpSecurity.addFilterAfter(oauthFilter, (Class<? extends Filter>) basicAuthenticationFilter.getClass());
        httpSecurity.addFilterBefore((Filter) basicAuthenticationFilter, (Class<? extends Filter>) oauthFilter.getClass());
        httpSecurity.addFilterBefore((Filter) oAuth2AuthenticationProcessingFilter(), (Class<? extends Filter>) basicAuthenticationFilter.getClass());
        // These calls append to the lists held by the injected properties bean.
        // NOTE(review): assuming the getters return the live lists, repeated invocations of this
        // method would append duplicates — confirm.
        this.authorizationProperties.getAuthenticatedPaths().add("/");
        this.authorizationProperties.getAuthenticatedPaths().add(dashboard("/**"));
        this.authorizationProperties.getAuthenticatedPaths().add(this.authorizationProperties.getDashboardUrl());
        // NOTE(review): the dashboard URL and dashboard/** are added to BOTH lists. The permitAll
        // matchers are registered first below and Spring Security applies the first matching rule,
        // so these paths look effectively unauthenticated — confirm that only static UI assets
        // live under the dashboard URL.
        this.authorizationProperties.getPermitAllPaths().add(this.authorizationProperties.getDashboardUrl());
        this.authorizationProperties.getPermitAllPaths().add(dashboard("/**"));
        // Rule order: permitAll paths, authenticated paths, whatever configureSimpleSecurity adds
        // (helper not visible here), and finally deny every request that matched nothing.
        SecurityConfigUtils.configureSimpleSecurity(httpSecurity.authorizeRequests().antMatchers((String[]) this.authorizationProperties.getPermitAllPaths().toArray(new String[0])).permitAll().antMatchers((String[]) this.authorizationProperties.getAuthenticatedPaths().toArray(new String[0])).authenticated(), this.authorizationProperties).anyRequest().denyAll();
        // Enables HTTP Basic and logout, disables CSRF protection, and selects the entry point:
        // requests resolved as text/html are redirected to the login processing URL, all other
        // requests receive the Basic challenge.
        // NOTE(review): CSRF protection is disabled while the bearer-token filter is configured as
        // non-stateless and browser login is supported — confirm that state-changing endpoints
        // reached with a session are protected by other means.
        ((HttpSecurity) ((HttpSecurity) ((HttpSecurity) httpSecurity.httpBasic().and()).logout().logoutSuccessHandler(logoutSuccessHandler()).and()).csrf().disable()).exceptionHandling().defaultAuthenticationEntryPointFor(new LoginUrlAuthenticationEntryPoint(this.authorizationProperties.getLoginProcessingUrl()), mediaTypeRequestMatcher).defaultAuthenticationEntryPointFor(basicAuthenticationEntryPoint, AnyRequestMatcher.INSTANCE);
        this.securityStateBean.setAuthenticationEnabled(true);
    }

    /**
     * Creates the logout success handler, constructed with the token store and the OAuth2 client
     * properties.
     *
     * @return a handler whose default target URL is the dashboard's
     *     {@code /logout-success-oauth.html} page
     */
    @Bean
    LogoutSuccessHandler logoutSuccessHandler() {
        TokenStoreClearingLogoutSuccessHandler tokenStoreClearingLogoutSuccessHandler = new TokenStoreClearingLogoutSuccessHandler(tokenStore(), this.oAuth2ClientProperties);
        tokenStoreClearingLogoutSuccessHandler.setDefaultTargetUrl(dashboard("/logout-success-oauth.html"));
        return tokenStoreClearingLogoutSuccessHandler;
    }

    /**
     * Creates the token store.
     *
     * <p>{@link InMemoryTokenStore} keeps tokens in the memory of this process, so they are not
     * shared between application instances and do not survive a restart.
     *
     * @return a new in-memory token store
     */
    @Bean
    TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    /**
     * Creates the token services used by every authentication path in this configuration.
     *
     * <p>The services are built from the user-info URI, the token-info URI, and the client id and
     * client secret of the authorization-code resource details. Authorities come from
     * {@link ExternalOauth2ResourceAuthoritiesExtractor} when an external authorities URL is
     * configured, otherwise from {@link DefaultAuthoritiesExtractor}.
     *
     * @return the configured token services
     * @throws IllegalArgumentException if the configured external authorities URL is not a valid
     *     URI (thrown by {@link URI#create(String)})
     */
    @Bean
    protected TokenValidatingUserInfoTokenServices resourceServerTokenServices() {
        TokenValidatingUserInfoTokenServices tokenValidatingUserInfoTokenServices = new TokenValidatingUserInfoTokenServices(this.resourceServerProperties.getUserInfoUri(), this.resourceServerProperties.getTokenInfoUri(), this.authorizationCodeResourceDetails.getClientId(), this.authorizationCodeResourceDetails.getClientSecret());
        tokenValidatingUserInfoTokenServices.setTokenStore(tokenStore());
        tokenValidatingUserInfoTokenServices.setSupportRefreshToken(true);
        tokenValidatingUserInfoTokenServices.setRestTemplate(oAuth2RestTemplate());
        // An empty external authorities URL selects the default extractor (scope/role mapping);
        // a non-empty one delegates authority lookup to that URL.
        tokenValidatingUserInfoTokenServices.setAuthoritiesExtractor(StringUtils.isEmpty(this.authorizationProperties.getExternalAuthoritiesUrl()) ? new DefaultAuthoritiesExtractor(this.authorizationProperties.isMapOauthScopes(), this.authorizationProperties.getRoleMappings(), oAuth2RestTemplate()) : new ExternalOauth2ResourceAuthoritiesExtractor(oAuth2RestTemplate(), URI.create(this.authorizationProperties.getExternalAuthoritiesUrl())));
        // Prefer an application-supplied PrincipalExtractor; fall back to the Data Flow one.
        if (this.principalExtractor == null) {
            tokenValidatingUserInfoTokenServices.setPrincipalExtractor(new DataflowPrincipalExtractor());
        } else {
            tokenValidatingUserInfoTokenServices.setPrincipalExtractor(this.principalExtractor);
        }
        return tokenValidatingUserInfoTokenServices;
    }

    /**
     * Creates the OAuth2 REST template from the authorization-code resource details and the
     * injected client context.
     *
     * @return the OAuth2 REST template
     */
    @Bean
    protected OAuth2RestTemplate oAuth2RestTemplate() {
        return new OAuth2RestTemplate(this.authorizationCodeResourceDetails, this.oauth2ClientContext);
    }

    /**
     * Returns a new resource-owner-password access token provider.
     *
     * <p>This method is not annotated with {@code @Bean} and is not called within this class.
     *
     * @return a new {@link ResourceOwnerPasswordAccessTokenProvider}
     */
    public AccessTokenProvider userAccessTokenProvider() {
        return new ResourceOwnerPasswordAccessTokenProvider();
    }

    /**
     * Creates the authentication provider that backs HTTP Basic authentication, built from the
     * token services and the OAuth2 client context.
     *
     * @return the manual OAuth authentication provider
     */
    @Bean
    protected AuthenticationProvider authenticationProvider() {
        return new ManualOAuthAuthenticationProvider(resourceServerTokenServices(), this.oauth2ClientContext);
    }

    /**
     * Creates the provider manager used by the HTTP Basic filter.
     *
     * @return a manager whose only provider is {@link #authenticationProvider()}
     */
    @Bean
    protected ProviderManager providerManager() {
        // Raw ArrayList is a decompiler artifact; the list holds the single AuthenticationProvider.
        ArrayList arrayList = new ArrayList();
        arrayList.add(authenticationProvider());
        return new ProviderManager(arrayList);
    }

    /**
     * Creates the OAuth2 login filter, which processes requests to {@code /login}.
     *
     * <p>Not a bean: each call returns a new filter instance.
     *
     * @return the configured OAuth2 client authentication filter
     */
    protected Filter oauthFilter() {
        // NOTE(review): the path is hard-coded to "/login", while the login entry point in
        // configure(HttpSecurity) redirects to authorizationProperties.getLoginProcessingUrl().
        // The two need to agree for the redirect to reach this filter — confirm the configured value.
        OAuth2ClientAuthenticationProcessingFilter oAuth2ClientAuthenticationProcessingFilter = new OAuth2ClientAuthenticationProcessingFilter("/login");
        oAuth2ClientAuthenticationProcessingFilter.setRestTemplate(oAuth2RestTemplate());
        oAuth2ClientAuthenticationProcessingFilter.setTokenServices(resourceServerTokenServices());
        oAuth2ClientAuthenticationProcessingFilter.setApplicationEventPublisher(this.applicationEventPublisher);
        return oAuth2ClientAuthenticationProcessingFilter;
    }

    /**
     * Creates the bearer-token filter that authenticates requests through
     * {@link #oauthAuthenticationManager()}.
     *
     * <p>Not a bean: each call returns a new filter instance.
     *
     * @return the configured bearer-token processing filter
     */
    protected OAuth2AuthenticationProcessingFilter oAuth2AuthenticationProcessingFilter() {
        OAuth2AuthenticationProcessingFilter oAuth2AuthenticationProcessingFilter = new OAuth2AuthenticationProcessingFilter();
        oAuth2AuthenticationProcessingFilter.setAuthenticationManager(oauthAuthenticationManager());
        // Non-stateless mode: presumably lets an existing session authentication stand when a
        // request carries no bearer token — confirm against the Spring Security OAuth version in use.
        oAuth2AuthenticationProcessingFilter.setStateless(false);
        return oAuth2AuthenticationProcessingFilter;
    }

    /**
     * Creates the authentication manager for bearer tokens, backed by the shared token services.
     *
     * @return the OAuth2 authentication manager
     */
    @Bean
    public AuthenticationManager oauthAuthenticationManager() {
        OAuth2AuthenticationManager oAuth2AuthenticationManager = new OAuth2AuthenticationManager();
        oAuth2AuthenticationManager.setTokenServices(resourceServerTokenServices());
        return oAuth2AuthenticationManager;
    }

    /**
     * Logs an OAuth2 authentication failure at ERROR level together with its exception.
     *
     * @param oAuth2AuthenticationFailureEvent the published failure event
     */
    @EventListener
    public void handleOAuth2AuthenticationFailureEvent(OAuth2AuthenticationFailureEvent oAuth2AuthenticationFailureEvent) {
        // NOTE(review): the exception is logged with its stack trace; failed logins can be caused
        // by unauthenticated clients, so log volume and the content of exception messages deserve
        // a check — confirm that no token or credential values end up in them.
        logger.error("An error occurred while accessing an authentication REST resource.", (Throwable) oAuth2AuthenticationFailureEvent.getException());
    }

    /**
     * Prefixes a path with the configured dashboard URL.
     *
     * @param str the path or pattern to append; concatenated as-is, without normalization
     * @return the dashboard URL followed by {@code str}
     */
    protected String dashboard(String str) {
        return this.authorizationProperties.getDashboardUrl() + str;
    }
}
