package com.vaadin.flow.spring.security;

import com.vaadin.flow.component.Component;
import com.vaadin.flow.internal.AnnotationReader;
import com.vaadin.flow.router.Route;
import com.vaadin.flow.router.internal.RouteUtil;
import com.vaadin.flow.server.HandlerHelper;
import com.vaadin.flow.server.auth.ViewAccessChecker;
import com.vaadin.flow.spring.security.stateless.VaadinStatelessSecurityConfigurer;
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.crypto.SecretKey;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Import;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer;
import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.annotation.web.configurers.FormLoginConfigurer;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;
import org.springframework.security.web.access.DelegatingAccessDeniedHandler;
import org.springframework.security.web.access.RequestMatcherDelegatingAccessDeniedHandler;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.csrf.CsrfException;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

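/**
 * Base class for the Spring Security setup of a Vaadin application.
 *
 * <p>It publishes a {@link SecurityFilterChain} bean and a
 * {@link WebSecurityCustomizer} bean, both built by the overridable
 * {@code configure} hooks below. The defaults permit framework-internal
 * requests, anonymous endpoints, anonymous routes and the public resources
 * reported by {@link HandlerHelper}; every other request requires authentication.
 *
 * <p>This listing is decompiler output. Generic type arguments and method
 * references the decompiler lost have been restored; behaviour is unchanged.
 */
@Import({VaadinAwareSecurityContextHolderStrategyConfiguration.class})
/* loaded from: input_file:com/vaadin/flow/spring/security/VaadinWebSecurity.class */
public abstract class VaadinWebSecurity {

    @Autowired
    private VaadinDefaultRequestCache vaadinDefaultRequestCache;

    @Autowired
    private RequestUtil requestUtil;

    @Autowired
    private ViewAccessChecker viewAccessChecker;

    // Resolved from the servlet context; only used to prefix the OAuth2 login page.
    @Value("#{servletContext.contextPath}")
    private String servletContextPath;

    /**
     * Access-denied handler that answers with HTTP 401 instead of the default 403.
     *
     * <p>Only the status code is set; no response body is written here.
     */
    // The decompiler reported "Access modifiers changed from: private" and had
    // widened this class to public; it is restored to private so the handler
    // is not part of the class's visible surface.
    /* loaded from: input_file:com/vaadin/flow/spring/security/VaadinWebSecurity$Http401UnauthorizedAccessDeniedHandler.class */
    private static class Http401UnauthorizedAccessDeniedHandler implements AccessDeniedHandler {
        private Http401UnauthorizedAccessDeniedHandler() {
        }

        @Override
        public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AccessDeniedException accessDeniedException) throws IOException, ServletException {
            httpServletResponse.setStatus(HttpStatus.UNAUTHORIZED.value());
        }
    }

    /**
     * Builds the security filter chain after applying {@link #configure(HttpSecurity)}.
     *
     * @param httpSecurity the builder supplied by Spring Security
     * @return the built filter chain
     * @throws Exception if configuring or building the chain fails
     */
    @Bean(name = {"VaadinSecurityFilterChainBean"})
    public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
        configure(httpSecurity);
        return httpSecurity.build();
    }

    /**
     * Applies the default HTTP security rules.
     *
     * <p>The last rule registered is {@code anyRequest().authenticated()}, so an
     * overriding subclass has to register its own URL rules <em>before</em>
     * delegating to this method; Spring Security rejects request matchers that
     * are added after {@code anyRequest()}.
     *
     * @param httpSecurity the builder to configure
     * @throws Exception if a configurer fails
     */
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        // Static, JVM-wide setting: it affects every SecurityContextHolder user in
        // the process, not only this filter chain.
        SecurityContextHolder.setStrategyName(VaadinAwareSecurityContextHolderStrategy.class.getName());

        // Endpoint requests get a plain 401 instead of a redirect to a login page.
        httpSecurity.exceptionHandling()
                .accessDeniedHandler(createAccessDeniedHandler())
                .defaultAuthenticationEntryPointFor(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED), requestUtil::isEndpointRequest);

        // Spring's CSRF check is skipped for whatever isFrameworkInternalRequest
        // matches, so that predicate has to stay narrow.
        // NOTE(review): presumably the framework validates its own CSRF token on
        // those requests; confirm against RequestUtil / the Vaadin servlet.
        CsrfConfigurer<HttpSecurity> csrf = httpSecurity.csrf();
        csrf.ignoringRequestMatchers(requestUtil::isFrameworkInternalRequest);

        httpSecurity.requestCache().requestCache(this.vaadinDefaultRequestCache);

        // Rules are evaluated in registration order; the catch-all comes last.
        ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry urlRegistry = httpSecurity.authorizeRequests();
        urlRegistry.requestMatchers(requestUtil::isFrameworkInternalRequest).permitAll();
        urlRegistry.requestMatchers(requestUtil::isAnonymousEndpoint).permitAll();
        urlRegistry.requestMatchers(requestUtil::isAnonymousRoute).permitAll();
        urlRegistry.requestMatchers(getDefaultHttpSecurityPermitMatcher(this.requestUtil.getUrlMapping())).permitAll();
        // The "ignore" resources are permitted inside the filter chain here, not
        // excluded from it: configure(WebSecurity) is empty by default.
        urlRegistry.requestMatchers(getDefaultWebSecurityIgnoreMatcher(this.requestUtil.getUrlMapping())).permitAll();
        urlRegistry.anyRequest().authenticated();

        this.viewAccessChecker.enable();
    }

    /**
     * Exposes {@link #configure(WebSecurity)} as a {@link WebSecurityCustomizer} bean.
     *
     * @return a customizer that delegates to {@link #configure(WebSecurity)}
     */
    @Bean(name = {"VaadinWebSecurityCustomizerBean"})
    public WebSecurityCustomizer webSecurityCustomizer() {
        return webSecurity -> {
            try {
                configure(webSecurity);
            } catch (Exception e) {
                // The customizer callback cannot throw checked exceptions; the
                // original failure is kept as the cause.
                throw new RuntimeException(e);
            }
        };
    }

    /**
     * Hook for {@link WebSecurity} customisation; does nothing by default.
     *
     * <p>Requests ignored at this level bypass the security filter chain entirely,
     * so anything added here is served without authentication, CSRF checks or
     * security headers.
     *
     * @param webSecurity the builder to configure
     * @throws Exception if the customisation fails
     */
    protected void configure(WebSecurity webSecurity) throws Exception {
    }

    /**
     * Same as {@link #getDefaultHttpSecurityPermitMatcher(String)} with the
     * URL mapping {@code "/*"}.
     *
     * @return a matcher for the public resources that need a security context
     */
    public static RequestMatcher getDefaultHttpSecurityPermitMatcher() {
        return getDefaultHttpSecurityPermitMatcher("/*");
    }

    /**
     * Matches the paths returned by
     * {@link HandlerHelper#getPublicResourcesRequiringSecurityContext()}, each
     * adjusted to the given servlet URL mapping.
     *
     * @param str the Vaadin servlet URL mapping; must not be {@code null}
     * @return a matcher that accepts any of those paths
     * @throws NullPointerException if {@code str} is {@code null}
     */
    public static RequestMatcher getDefaultHttpSecurityPermitMatcher(String str) {
        Objects.requireNonNull(str, "Vaadin servlet url mapping is required");
        // The decompiled body copied the paths through a Stream.Builder using an
        // undeclared variable (r1.add(v1)) and did not compile; the copy added
        // nothing, so the paths are mapped directly.
        return orMatcherFor(str, HandlerHelper.getPublicResourcesRequiringSecurityContext());
    }

    /**
     * Same as {@link #getDefaultWebSecurityIgnoreMatcher(String)} with the
     * URL mapping {@code "/*"}.
     *
     * @return a matcher for the public resources
     */
    public static RequestMatcher getDefaultWebSecurityIgnoreMatcher() {
        return getDefaultWebSecurityIgnoreMatcher("/*");
    }

    /**
     * Matches the paths returned by {@link HandlerHelper#getPublicResources()},
     * each adjusted to the given servlet URL mapping.
     *
     * @param str the Vaadin servlet URL mapping; must not be {@code null}
     * @return a matcher that accepts any of those paths
     * @throws NullPointerException if {@code str} is {@code null}
     */
    public static RequestMatcher getDefaultWebSecurityIgnoreMatcher(String str) {
        Objects.requireNonNull(str, "Vaadin servlet url mapping is required");
        return orMatcherFor(str, HandlerHelper.getPublicResources());
    }

    /** Applies the URL mapping to every path and ORs the resulting Ant-pattern matchers. */
    private static RequestMatcher orMatcherFor(String urlMapping, String[] paths) {
        List<RequestMatcher> matchers = Stream.of(paths)
                .map(path -> RequestUtil.applyUrlMapping(urlMapping, path))
                .<RequestMatcher>map(AntPathRequestMatcher::new)
                .collect(Collectors.toList());
        return new OrRequestMatcher(matchers);
    }

    /**
     * Registers a login view by path, redirecting to {@code "/"} after logout.
     *
     * @param httpSecurity the builder to configure
     * @param str the login view path, before URL mapping is applied
     * @throws Exception if a configurer fails
     */
    protected void setLoginView(HttpSecurity httpSecurity, String str) throws Exception {
        setLoginView(httpSecurity, str, "/");
    }

    /**
     * Registers a login view by path.
     *
     * <p>Unlike the {@code Class}-based overload, this variant leaves Spring's CSRF
     * check active on the login path.
     *
     * @param httpSecurity the builder to configure
     * @param str the login view path, before URL mapping is applied
     * @param str2 the logout success URL; passed to Spring as given, without URL
     *        mapping applied
     * @throws Exception if a configurer fails
     */
    protected void setLoginView(HttpSecurity httpSecurity, String str, String str2) throws Exception {
        String loginPath = applyUrlMapping(str);
        FormLoginConfigurer<HttpSecurity> formLogin = httpSecurity.formLogin();
        formLogin.loginPage(loginPath).permitAll();
        formLogin.successHandler(getVaadinSavedRequestAwareAuthenticationSuccessHandler(httpSecurity));
        httpSecurity.logout().logoutSuccessUrl(str2);
        // Unauthenticated requests are sent to the login page unless an earlier
        // entry point (the endpoint 401 in configure) matches first.
        httpSecurity.exceptionHandling().defaultAuthenticationEntryPointFor(new LoginUrlAuthenticationEntryPoint(loginPath), AnyRequestMatcher.INSTANCE);
        this.viewAccessChecker.setLoginView(loginPath);
    }

    /**
     * Registers a login view by component class, redirecting to {@code "/"} after logout.
     *
     * @param httpSecurity the builder to configure
     * @param cls the login view; must carry a {@link Route} annotation
     * @throws Exception if a configurer fails
     */
    protected void setLoginView(HttpSecurity httpSecurity, Class<? extends Component> cls) throws Exception {
        setLoginView(httpSecurity, cls, "/");
    }

    /**
     * Registers a login view by component class.
     *
     * <p>This variant additionally exempts the login path from Spring's CSRF check.
     *
     * @param httpSecurity the builder to configure
     * @param cls the login view; must carry a {@link Route} annotation
     * @param str the logout success URL; passed to Spring as given, without URL
     *        mapping applied
     * @throws IllegalArgumentException if {@code cls} has no {@link Route} annotation
     * @throws Exception if a configurer fails
     */
    protected void setLoginView(HttpSecurity httpSecurity, Class<? extends Component> cls, String str) throws Exception {
        Route route = AnnotationReader.getAnnotationFor(cls, Route.class)
                .orElseThrow(() -> new IllegalArgumentException("Unable find a @Route annotation on the login view " + cls.getName()));
        String routePath = RouteUtil.getRoutePath(cls, route);
        String absoluteRoute = routePath.startsWith("/") ? routePath : "/" + routePath;
        String loginPath = applyUrlMapping(absoluteRoute);

        FormLoginConfigurer<HttpSecurity> formLogin = httpSecurity.formLogin();
        formLogin.loginPage(loginPath).permitAll();
        formLogin.successHandler(getVaadinSavedRequestAwareAuthenticationSuccessHandler(httpSecurity));
        // NOTE(review): the login POST on this path is not covered by Spring's
        // CSRF token check; confirm that is intended for Flow login views.
        httpSecurity.csrf().ignoringAntMatchers(loginPath);
        httpSecurity.logout().logoutSuccessUrl(str);
        httpSecurity.exceptionHandling().defaultAuthenticationEntryPointFor(new LoginUrlAuthenticationEntryPoint(loginPath), AnyRequestMatcher.INSTANCE);
        this.viewAccessChecker.setLoginView(cls);
    }

    /**
     * Enables OAuth2 login with the given login page.
     *
     * <p>The page is handed to Spring Security as given; the view access checker
     * receives it prefixed with the servlet context path.
     *
     * @param httpSecurity the builder to configure
     * @param str the OAuth2 login page
     * @throws Exception if a configurer fails
     */
    protected void setOAuth2LoginPage(HttpSecurity httpSecurity, String str) throws Exception {
        httpSecurity.oauth2Login().loginPage(str).successHandler(getVaadinSavedRequestAwareAuthenticationSuccessHandler(httpSecurity)).permitAll();
        this.viewAccessChecker.setLoginView(this.servletContextPath + str);
    }

    /**
     * Enables stateless authentication with an expiry value of {@code 1800}.
     *
     * @param httpSecurity the builder to configure
     * @param secretKey the key handed to the stateless configurer
     * @param str the issuer
     * @throws Exception if a configurer fails
     */
    protected void setStatelessAuthentication(HttpSecurity httpSecurity, SecretKey secretKey, String str) throws Exception {
        // NOTE(review): 1800 is presumably seconds (30 minutes); confirm the unit
        // against VaadinStatelessSecurityConfigurer.expiresIn.
        setStatelessAuthentication(httpSecurity, secretKey, str, 1800L);
    }

    /**
     * Enables stateless authentication through {@link VaadinStatelessSecurityConfigurer}.
     *
     * <p>The key is used as supplied. Callers should load it from secret storage
     * rather than from source or configuration checked into version control, and
     * size it for the algorithm the configurer uses.
     *
     * @param httpSecurity the builder to configure
     * @param secretKey the key handed to the stateless configurer
     * @param str the issuer
     * @param j the expiry value passed to {@code expiresIn}
     * @throws Exception if a configurer fails
     */
    protected void setStatelessAuthentication(HttpSecurity httpSecurity, SecretKey secretKey, String str, long j) throws Exception {
        VaadinStatelessSecurityConfigurer<HttpSecurity> statelessConfigurer = new VaadinStatelessSecurityConfigurer<>();
        httpSecurity.apply(statelessConfigurer);
        statelessConfigurer.withSecretKey().secretKey(secretKey).and().issuer(str).expiresIn(j);
    }

    /**
     * Adjusts a path to the Vaadin servlet URL mapping.
     *
     * @param str the path to adjust
     * @return the result of {@code RequestUtil.applyUrlMapping}
     */
    protected String applyUrlMapping(String str) {
        return this.requestUtil.applyUrlMapping(str);
    }

    /**
     * Returns the injected view access checker.
     *
     * @return the view access checker used by this configuration
     */
    protected ViewAccessChecker getViewAccessChecker() {
        return this.viewAccessChecker;
    }

    /**
     * Creates the post-login success handler, targeting the mapped root path by
     * default and reusing the builder's shared {@link RequestCache} when one is set.
     */
    private VaadinSavedRequestAwareAuthenticationSuccessHandler getVaadinSavedRequestAwareAuthenticationSuccessHandler(HttpSecurity httpSecurity) {
        VaadinSavedRequestAwareAuthenticationSuccessHandler successHandler = new VaadinSavedRequestAwareAuthenticationSuccessHandler();
        successHandler.setDefaultTargetUrl(applyUrlMapping(""));
        RequestCache requestCache = httpSecurity.getSharedObject(RequestCache.class);
        if (requestCache != null) {
            successHandler.setRequestCache(requestCache);
        }
        return successHandler;
    }

    /**
     * Builds the access-denied handling: on endpoint requests a
     * {@link CsrfException} yields 401 and any other denial uses
     * {@link AccessDeniedHandlerImpl}; non-endpoint requests always use
     * {@link AccessDeniedHandlerImpl}.
     */
    private AccessDeniedHandler createAccessDeniedHandler() {
        AccessDeniedHandler defaultHandler = new AccessDeniedHandlerImpl();

        LinkedHashMap<Class<? extends AccessDeniedException>, AccessDeniedHandler> byException = new LinkedHashMap<>();
        byException.put(CsrfException.class, new Http401UnauthorizedAccessDeniedHandler());

        LinkedHashMap<RequestMatcher, AccessDeniedHandler> byRequest = new LinkedHashMap<>();
        byRequest.put(requestUtil::isEndpointRequest, new DelegatingAccessDeniedHandler(byException, new AccessDeniedHandlerImpl()));

        return new RequestMatcherDelegatingAccessDeniedHandler(byRequest, defaultHandler);
    }
}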
