package net.oneandone.stool.server.users;

import java.util.LinkedHashMap;
import javax.servlet.Filter;
import net.oneandone.stool.server.Server;
import org.jasig.cas.client.validation.Cas20ServiceTicketValidator;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.authentication.CasAuthenticationProvider;
import org.springframework.security.cas.web.CasAuthenticationEntryPoint;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.authentication.LdapAuthenticator;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.security.ldap.search.LdapUserSearch;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
import org.springframework.security.ldap.userdetails.LdapUserDetailsService;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

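/**
 * Spring Security setup for the stool server.
 *
 * <p>Behaviour is switched by {@code server.configuration.auth()}:
 * <ul>
 *   <li>authentication off: every request bypasses the security filter chain
 *       (see {@link #configure(WebSecurity)});</li>
 *   <li>authentication on: requests are authenticated by HTTP Basic against LDAP
 *       ({@link #ldapAuthenticationProvider()}), by {@code TokenAuthenticationFilter},
 *       or by CAS single sign-on. Unauthenticated requests below {@code /api/**} get a
 *       plain 401, all others are redirected to the CAS login page
 *       (see {@link #entryPoints()}).</li>
 * </ul>
 *
 * <p>In the enabled mode CSRF protection and the HSTS response header are switched off;
 * see the notes in {@link #configure(HttpSecurity)}.
 */
@Configuration
@EnableWebSecurity
/* loaded from: input_file:net/oneandone/stool/server/users/SecurityConfiguration.class */
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    /** Supplies the runtime configuration (auth switch, LDAP and SSO settings) and the user manager. */
    @Autowired
    private Server server;

    /** @return whether authentication is turned on in the server configuration */
    protected boolean enabled() {
        return this.server.configuration.auth();
    }

    /**
     * Decides which requests never enter the security filter chain.
     *
     * <p>With authentication off, all requests are ignored. With authentication on, only
     * {@code OPTIONS} requests are ignored (presumably for CORS pre-flight; they are
     * served without any authentication check).
     *
     * @param webSecurity the web security builder
     */
    @Override
    public void configure(WebSecurity webSecurity) {
        if (enabled()) {
            webSecurity.ignoring().antMatchers(HttpMethod.OPTIONS, "/**");
        } else {
            webSecurity.ignoring().anyRequest();
        }
    }

    /**
     * Builds the HTTP security filter chain.
     *
     * <p>With authentication off every URL is marked anonymous (the chain is not reached
     * anyway, because {@link #configure(WebSecurity)} ignores all requests). With
     * authentication on the chain carries, in filter order, HTTP Basic, the token filter
     * and the CAS ticket filter; {@code /webjars/**} is public, everything else requires
     * an authenticated user.
     *
     * @param httpSecurity the http security builder
     * @throws Exception propagated from the builder / authentication manager
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        if (!enabled()) {
            httpSecurity.authorizeRequests().antMatchers("/**").anonymous();
            return;
        }
        // CSRF tokens are not issued or checked for this chain.
        // NOTE(review): Basic/token calls carry their own credential per request, but the
        // CAS login establishes a browser session; confirm that no state-changing endpoint
        // relies on that session alone.
        httpSecurity.csrf().disable();
        httpSecurity
                .addFilter(basicAuthenticationFilter())
                // The Strict-Transport-Security header is not emitted by this application;
                // NOTE(review): if TLS is terminated in front of it, that component has to set it.
                .headers().httpStrictTransportSecurity().disable().and()
                .addFilterAfter(new TokenAuthenticationFilter(this.server.userManager), BasicAuthenticationFilter.class)
                .addFilter(casAuthenticationFilter())
                .exceptionHandling().authenticationEntryPoint(entryPoints()).and()
                .authorizeRequests()
                    .antMatchers("/webjars/**").permitAll()
                    .anyRequest().authenticated();
    }

    /**
     * Entry point consulted when an unauthenticated request hits a protected URL.
     *
     * <p>Requests below {@code /api/**} receive a bare {@code 401 Unauthorized} (presumably
     * because API clients authenticate per request and cannot follow a login redirect);
     * every other request is redirected to the CAS login page. The map is ordered, so the
     * API rule is matched before the catch-all.
     *
     * @return the delegating entry point
     */
    private AuthenticationEntryPoint entryPoints() {
        LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> byPath = new LinkedHashMap<>();
        byPath.put(new AntPathRequestMatcher("/api/**"), new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
        byPath.put(new AntPathRequestMatcher("/**"), casAuthenticationEntryPoint());
        return new DelegatingAuthenticationEntryPoint(byPath);
    }

    /**
     * Registers the two authentication providers: LDAP bind (used by HTTP Basic) and CAS
     * ticket validation.
     *
     * @param authenticationManagerBuilder the builder to register with
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        authenticationManagerBuilder.authenticationProvider(ldapAuthenticationProvider());
        authenticationManagerBuilder.authenticationProvider(casAuthenticationProvider());
    }

    /**
     * HTTP Basic filter backed by the adapter's authentication manager.
     *
     * @return the filter
     * @throws Exception propagated from {@link #authenticationManager()}
     */
    @Bean
    public Filter basicAuthenticationFilter() throws Exception {
        return new BasicAuthenticationFilter(authenticationManager());
    }

    /**
     * LDAP connection used for user search and group lookup. Searches bind with the
     * service principal and credentials from the configuration; the user's own password is
     * only used by {@link #ldapAuthenticator()}. With authentication off a placeholder URL
     * is configured so the bean can still be created without an LDAP server.
     *
     * @return the context source
     */
    @Bean
    public DefaultSpringSecurityContextSource ldapContextSource() {
        String url = enabled() ? this.server.configuration.ldapUrl : "ldap://will-no-be-used";
        DefaultSpringSecurityContextSource contextSource = new DefaultSpringSecurityContextSource(url);
        contextSource.setUserDn(this.server.configuration.ldapPrincipal);
        contextSource.setPassword(this.server.configuration.ldapCredentials);
        return contextSource;
    }

    /**
     * Looks up a user entry by {@code uid} below {@code ou=users,ou=&lt;ldapUnit&gt;}.
     * The login name is passed as filter argument {@code {0}}, not concatenated into the
     * filter string; only the search base is built from (trusted) configuration.
     *
     * @return the user search
     */
    @Bean
    public LdapUserSearch ldapUserSearch() {
        String searchBase = "ou=users,ou=" + this.server.configuration.ldapUnit;
        return new FilterBasedLdapUserSearch(searchBase, "(uid={0})", ldapContextSource());
    }

    /**
     * Authenticates a user by binding to LDAP as the entry found by {@link #ldapUserSearch()}.
     *
     * @return the authenticator
     */
    @Bean
    public LdapAuthenticator ldapAuthenticator() {
        BindAuthenticator authenticator = new BindAuthenticator(ldapContextSource());
        authenticator.setUserSearch(ldapUserSearch());
        return authenticator;
    }

    /**
     * Resolves a user's roles from the groups below {@code ou=roles,ou=&lt;ldapUnit&gt;}
     * whose {@code member} attribute contains {@code uid=&lt;login name&gt;} ({@code {1}} is
     * the user name); the group's {@code ou} attribute becomes the role name. Only the
     * immediate children of the base are searched.
     *
     * @return the authorities populator
     */
    @Bean
    public LdapAuthoritiesPopulator ldapAuthoritiesPopulator() {
        String groupBase = "ou=roles,ou=" + this.server.configuration.ldapUnit;
        DefaultLdapAuthoritiesPopulator populator = new DefaultLdapAuthoritiesPopulator(ldapContextSource(), groupBase);
        populator.setGroupSearchFilter("(member=uid={1})");
        populator.setGroupRoleAttribute("ou");
        populator.setSearchSubtree(false);
        // NOTE(review): partial results are tolerated (typically needed for directories that
        // answer with referrals); confirm this matches the directory in use.
        populator.setIgnorePartialResultException(true);
        return populator;
    }

    /**
     * LDAP bind provider for HTTP Basic. Every successfully authenticated user gets the
     * default authority {@code ROLE_LOGIN} in addition to the mapped LDAP groups.
     *
     * @return the provider
     */
    @Bean
    public AuthenticationProvider ldapAuthenticationProvider() {
        SimpleAuthorityMapper authorityMapper = new SimpleAuthorityMapper();
        authorityMapper.setDefaultAuthority("ROLE_LOGIN");
        LdapAuthenticationProvider provider = new LdapAuthenticationProvider(ldapAuthenticator(), ldapAuthoritiesPopulator());
        provider.setAuthoritiesMapper(authorityMapper);
        provider.setUserDetailsContextMapper(userDetailsContextMapper());
        return provider;
    }

    /** @return mapper turning an LDAP entry into this application's user details */
    @Bean
    public UserDetailsContextMapper userDetailsContextMapper() {
        return new UserDetailsMapper();
    }

    /**
     * User lookup by name, used after a CAS ticket has been validated. With authentication
     * off an empty in-memory manager is returned, so no user can be resolved.
     *
     * @return the user details service
     */
    @Bean
    public UserDetailsService userDetailsServiceBean() {
        if (!enabled()) {
            return new InMemoryUserDetailsManager();
        }
        LdapUserDetailsService service = new LdapUserDetailsService(ldapUserSearch(), ldapAuthoritiesPopulator());
        service.setUserDetailsMapper(userDetailsContextMapper());
        return service;
    }

    /**
     * CAS provider: validates service tickets against the SSO server from the configuration
     * and then loads the user from {@link #userDetailsServiceBean()} by the name CAS returned.
     * The key only tags the authentication objects this provider creates.
     *
     * @return the provider
     */
    @Bean
    public CasAuthenticationProvider casAuthenticationProvider() {
        CasAuthenticationProvider provider = new CasAuthenticationProvider();
        provider.setServiceProperties(serviceProperties());
        provider.setTicketValidator(new Cas20ServiceTicketValidator(this.server.configuration.ldapSso));
        provider.setKey("cas");
        provider.setAuthenticationUserDetailsService(new UserDetailsByNameServiceWrapper(userDetailsServiceBean()));
        return provider;
    }

    /**
     * Filter that picks up the CAS ticket on the service URL and hands it to the
     * authentication manager. Not a bean; a new instance is created per call.
     *
     * @return the filter
     * @throws Exception propagated from {@link #authenticationManager()}
     */
    private CasAuthenticationFilter casAuthenticationFilter() throws Exception {
        CasAuthenticationFilter filter = new CasAuthenticationFilter();
        filter.setServiceProperties(serviceProperties());
        filter.setAuthenticationManager(authenticationManager());
        return filter;
    }

    /**
     * Redirects an unauthenticated browser request to the CAS login page of the configured
     * SSO server.
     *
     * @return the entry point
     */
    private CasAuthenticationEntryPoint casAuthenticationEntryPoint() {
        CasAuthenticationEntryPoint entryPoint = new CasAuthenticationEntryPoint();
        entryPoint.setLoginUrl(this.server.configuration.ldapSso + "/login/");
        entryPoint.setServiceProperties(serviceProperties());
        return entryPoint;
    }

    /**
     * The CAS service URL of this server, i.e. where CAS redirects back with the ticket and
     * what the ticket is validated against. The scheme is chosen by the mere presence of the
     * {@code security.require-ssl} system property, host and port come from the configuration.
     * {@code sendRenew} is off, so an existing CAS SSO session is accepted without a fresh login.
     *
     * <p>NOTE(review): the URL is derived from JVM/config state, not from the incoming request;
     * if the server is reached under a different scheme, host or port, ticket validation will
     * not match. The URL is logged at info level (it contains no credentials).
     *
     * @return the service properties
     */
    @Bean
    public ServiceProperties serviceProperties() {
        String scheme = System.getProperty("security.require-ssl") != null ? "https" : "http";
        String service = scheme + "://" + this.server.configuration.dockerHost + ":" + this.server.configuration.portFirst + "/login/cas";
        Server.LOGGER.info("sso service: " + service);
        ServiceProperties properties = new ServiceProperties();
        properties.setService(service);
        properties.setSendRenew(false);
        return properties;
    }
}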
