package com.vaadin.flow.spring.security;

import com.vaadin.flow.component.Component;
import com.vaadin.flow.internal.AnnotationReader;
import com.vaadin.flow.internal.hilla.EndpointRequestUtil;
import com.vaadin.flow.router.Route;
import com.vaadin.flow.router.internal.RouteUtil;
import com.vaadin.flow.server.VaadinServletContext;
import com.vaadin.flow.server.auth.NavigationAccessControl;
import jakarta.servlet.ServletContext;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Consumer;
import java.util.stream.Stream;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationContext;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.ObjectPostProcessor;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer;
import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer;
import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer;
import org.springframework.security.config.annotation.web.configurers.RequestCacheConfigurer;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;
import org.springframework.security.web.access.DelegatingAccessDeniedHandler;
import org.springframework.security.web.access.RequestMatcherDelegatingAccessDeniedHandler;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.csrf.CsrfException;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatchers;
import org.springframework.web.context.WebApplicationContext;

/* loaded from: input_file:com/vaadin/flow/spring/security/VaadinSecurityConfigurer.class */
public final class VaadinSecurityConfigurer extends AbstractHttpConfigurer<VaadinSecurityConfigurer, HttpSecurity> {
    private static final Logger LOGGER = LoggerFactory.getLogger(VaadinSecurityConfigurer.class);
    private Class<? extends Component> loginView;
    private String formLoginPage;
    private String oauth2LoginPage;
    private String logoutSuccessUrl;
    private String postLogoutRedirectUri;
    private final List<LogoutHandler> logoutHandlers = new ArrayList();
    private boolean enableCsrfConfiguration = true;
    private boolean enableLogoutConfiguration = true;
    private boolean enableRequestCacheConfiguration = true;
    private boolean enableExceptionHandlingConfiguration = true;
    private boolean enableAuthorizedRequestsConfiguration = true;
    private Consumer<AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizedUrl> anyRequestAuthorizeRule = (v0) -> {
        v0.authenticated();
    };
    private boolean enableNavigationAccessControl = true;
    private boolean alreadyInitializedOnce = false;

    public static VaadinSecurityConfigurer vaadin() {
        return new VaadinSecurityConfigurer();
    }

    private VaadinSecurityConfigurer() {
    }

    public VaadinSecurityConfigurer loginView(Class<? extends Component> cls) {
        return loginView(cls, getDefaultLogoutSuccessUrl());
    }

    public VaadinSecurityConfigurer loginView(Class<? extends Component> cls, String str) {
        this.loginView = cls;
        this.formLoginPage = getRequestUtil().applyUrlMapping(getLoginViewPath(cls));
        this.logoutSuccessUrl = str;
        return this;
    }

    public VaadinSecurityConfigurer loginView(String str) {
        return loginView(str, getDefaultLogoutSuccessUrl());
    }

    public VaadinSecurityConfigurer loginView(String str, String str2) {
        this.formLoginPage = getRequestUtil().applyUrlMapping(str);
        this.logoutSuccessUrl = str2;
        return this;
    }

    public VaadinSecurityConfigurer oauth2LoginPage(String str) {
        return oauth2LoginPage(str, "{baseUrl}");
    }

    public VaadinSecurityConfigurer oauth2LoginPage(String str, String str2) {
        this.oauth2LoginPage = str;
        this.postLogoutRedirectUri = str2;
        return this;
    }

    public VaadinSecurityConfigurer logoutSuccessHandler(LogoutSuccessHandler logoutSuccessHandler) {
        setSharedObject(LogoutSuccessHandler.class, logoutSuccessHandler);
        return this;
    }

    public VaadinSecurityConfigurer addLogoutHandler(LogoutHandler logoutHandler) {
        this.logoutHandlers.add(logoutHandler);
        return this;
    }

    public VaadinSecurityConfigurer enableCsrfConfiguration(boolean z) {
        this.enableCsrfConfiguration = z;
        return this;
    }

    public VaadinSecurityConfigurer enableLogoutConfiguration(boolean z) {
        this.enableLogoutConfiguration = z;
        return this;
    }

    public VaadinSecurityConfigurer enableRequestCacheConfiguration(boolean z) {
        this.enableRequestCacheConfiguration = z;
        return this;
    }

    public VaadinSecurityConfigurer enableExceptionHandlingConfiguration(boolean z) {
        this.enableExceptionHandlingConfiguration = z;
        return this;
    }

    public VaadinSecurityConfigurer enableAuthorizedRequestsConfiguration(boolean z) {
        this.enableAuthorizedRequestsConfiguration = z;
        return this;
    }

    public VaadinSecurityConfigurer anyRequest(Consumer<AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizedUrl> consumer) {
        this.anyRequestAuthorizeRule = consumer;
        return this;
    }

    public VaadinSecurityConfigurer enableNavigationAccessControl(boolean z) {
        this.enableNavigationAccessControl = z;
        return this;
    }

    public RequestMatcher defaultPermitMatcher() {
        String urlMapping = getRequestUtil().getUrlMapping();
        RequestUtil requestUtil = getRequestUtil();
        Objects.requireNonNull(requestUtil);
        RequestUtil requestUtil2 = getRequestUtil();
        Objects.requireNonNull(requestUtil2);
        RequestUtil requestUtil3 = getRequestUtil();
        Objects.requireNonNull(requestUtil3);
        RequestMatcher anyOf = RequestMatchers.anyOf(new RequestMatcher[]{requestUtil::isFrameworkInternalRequest, requestUtil2::isAnonymousRoute, requestUtil3::isCustomWebIcon, VaadinWebSecurity.getDefaultHttpSecurityPermitMatcher(urlMapping), VaadinWebSecurity.getDefaultWebSecurityIgnoreMatcher(urlMapping)});
        if (!EndpointRequestUtil.isHillaAvailable()) {
            return anyOf;
        }
        RequestUtil requestUtil4 = getRequestUtil();
        Objects.requireNonNull(requestUtil4);
        RequestUtil requestUtil5 = getRequestUtil();
        Objects.requireNonNull(requestUtil5);
        return RequestMatchers.anyOf(new RequestMatcher[]{anyOf, requestUtil4::isAllowedHillaView, requestUtil5::isAnonymousEndpoint});
    }

    public void init(HttpSecurity httpSecurity) throws Exception {
        if (this.formLoginPage != null) {
            httpSecurity.formLogin(formLoginConfigurer -> {
                formLoginConfigurer.loginPage(this.formLoginPage).permitAll();
                formLoginConfigurer.successHandler(getAuthenticationSuccessHandler());
            });
        } else if (this.oauth2LoginPage != null) {
            httpSecurity.oauth2Login(oAuth2LoginConfigurer -> {
                oAuth2LoginConfigurer.loginPage(this.oauth2LoginPage).permitAll();
                oAuth2LoginConfigurer.successHandler(getAuthenticationSuccessHandler());
            });
        }
        if (this.enableCsrfConfiguration) {
            httpSecurity.csrf(this::customizeCsrf);
        }
        if (this.enableLogoutConfiguration) {
            httpSecurity.logout(this::customizeLogout);
        }
        if (this.enableRequestCacheConfiguration) {
            httpSecurity.requestCache(this::customizeRequestCache);
        }
        if (this.enableExceptionHandlingConfiguration) {
            httpSecurity.exceptionHandling(this::customizeExceptionHandling);
        }
        if (this.enableAuthorizedRequestsConfiguration && !this.alreadyInitializedOnce) {
            httpSecurity.authorizeHttpRequests(this::customizeAuthorizeHttpRequests);
        }
        this.alreadyInitializedOnce = true;
    }

    public void configure(HttpSecurity httpSecurity) throws Exception {
        VaadinRolePrefixHolder vaadinRolePrefixHolder = getVaadinRolePrefixHolder();
        if (vaadinRolePrefixHolder != null) {
            getAuthenticationContext().setRolePrefixHolder(vaadinRolePrefixHolder);
            Optional sharedObject = getSharedObject(SecurityContextHolderAwareRequestFilter.class);
            Objects.requireNonNull(vaadinRolePrefixHolder);
            sharedObject.ifPresent(vaadinRolePrefixHolder::resetRolePrefix);
        }
        getNavigationAccessControl().setEnabled(this.enableNavigationAccessControl);
        if (this.enableNavigationAccessControl) {
            if (this.loginView != null) {
                getNavigationAccessControl().setLoginView(this.loginView);
            } else if (this.formLoginPage != null) {
                getNavigationAccessControl().setLoginView(this.formLoginPage);
            } else if (this.oauth2LoginPage != null) {
                getNavigationAccessControl().setLoginView(this.oauth2LoginPage);
            }
        }
        if (!this.enableAuthorizedRequestsConfiguration || this.anyRequestAuthorizeRule == null) {
            return;
        }
        httpSecurity.authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> {
            this.anyRequestAuthorizeRule.accept((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) authorizationManagerRequestMatcherRegistry.anyRequest());
        });
    }

    private String getLoginViewPath(Class<? extends Component> cls) {
        if (AnnotationReader.getAnnotationFor(cls, Route.class).isEmpty()) {
            throw new IllegalArgumentException("Unable find a @Route annotation on the login view " + cls.getName());
        }
        WebApplicationContext applicationContext = getApplicationContext();
        if (!(applicationContext instanceof WebApplicationContext)) {
            throw new IllegalStateException("VaadinWebSecurityConfigurer cannot be used without WebApplicationContext.");
        }
        String routePath = RouteUtil.getRoutePath(new VaadinServletContext(applicationContext.getServletContext()), cls);
        if (!routePath.startsWith("/")) {
            routePath = "/" + routePath;
        }
        return routePath;
    }

    private String getServletContextPath() {
        return ((ServletContext) getSharedObjectOrBean(ServletContext.class)).getContextPath();
    }

    private String getDefaultLogoutSuccessUrl() {
        String servletContextPath = getServletContextPath();
        if (!servletContextPath.startsWith("/")) {
            servletContextPath = "/" + servletContextPath;
        }
        return servletContextPath;
    }

    private RequestUtil getRequestUtil() {
        return (RequestUtil) getSharedObjectOrBean(RequestUtil.class);
    }

    private AuthenticationContext getAuthenticationContext() {
        return (AuthenticationContext) getSharedObjectOrBean(AuthenticationContext.class);
    }

    private NavigationAccessControl getNavigationAccessControl() {
        return (NavigationAccessControl) getSharedObjectOrBean(NavigationAccessControl.class);
    }

    private VaadinRolePrefixHolder getVaadinRolePrefixHolder() {
        return (VaadinRolePrefixHolder) getSharedObjectOrBean(VaadinRolePrefixHolder.class);
    }

    private VaadinDefaultRequestCache getVaadinDefaultRequestCache() {
        return (VaadinDefaultRequestCache) getSharedObjectOrBean(VaadinDefaultRequestCache.class);
    }

    private VaadinSavedRequestAwareAuthenticationSuccessHandler getAuthenticationSuccessHandler() {
        return (VaadinSavedRequestAwareAuthenticationSuccessHandler) getSharedObject(VaadinSavedRequestAwareAuthenticationSuccessHandler.class).orElseGet(this::createAuthenticationSuccessHandler);
    }

    private VaadinSavedRequestAwareAuthenticationSuccessHandler createAuthenticationSuccessHandler() {
        VaadinSavedRequestAwareAuthenticationSuccessHandler vaadinSavedRequestAwareAuthenticationSuccessHandler = new VaadinSavedRequestAwareAuthenticationSuccessHandler();
        vaadinSavedRequestAwareAuthenticationSuccessHandler.setDefaultTargetUrl(getRequestUtil().applyUrlMapping(""));
        Optional sharedObject = getSharedObject(RequestCache.class);
        Objects.requireNonNull(vaadinSavedRequestAwareAuthenticationSuccessHandler);
        sharedObject.ifPresent(vaadinSavedRequestAwareAuthenticationSuccessHandler::setRequestCache);
        getBuilder().setSharedObject(VaadinSavedRequestAwareAuthenticationSuccessHandler.class, vaadinSavedRequestAwareAuthenticationSuccessHandler);
        return vaadinSavedRequestAwareAuthenticationSuccessHandler;
    }

    private void customizeCsrf(CsrfConfigurer<HttpSecurity> csrfConfigurer) {
        if (!this.alreadyInitializedOnce) {
            RequestUtil requestUtil = getRequestUtil();
            Objects.requireNonNull(requestUtil);
            csrfConfigurer.ignoringRequestMatchers(new RequestMatcher[]{requestUtil::isFrameworkInternalRequest});
        }
        if (this.formLoginPage != null) {
            csrfConfigurer.ignoringRequestMatchers(new RequestMatcher[]{new AntPathRequestMatcher(this.formLoginPage)});
        }
    }

    private void customizeLogout(final LogoutConfigurer<HttpSecurity> logoutConfigurer) {
        Optional or = getSharedObject(LogoutSuccessHandler.class).or(() -> {
            return this.logoutSuccessUrl != null ? createSimpleUrlLogoutSuccessHandler(this.logoutSuccessUrl) : this.postLogoutRedirectUri != null ? createOidcLogoutSuccessHandler(this.postLogoutRedirectUri) : Optional.empty();
        });
        Objects.requireNonNull(logoutConfigurer);
        or.ifPresent(logoutConfigurer::logoutSuccessHandler);
        List logoutHandlers = logoutConfigurer.getLogoutHandlers();
        Stream<LogoutHandler> filter = this.logoutHandlers.stream().filter(logoutHandler -> {
            return !logoutHandlers.contains(logoutHandler);
        });
        Objects.requireNonNull(logoutConfigurer);
        filter.forEach(logoutConfigurer::addLogoutHandler);
        if (this.alreadyInitializedOnce) {
            return;
        }
        logoutConfigurer.withObjectPostProcessor(new ObjectPostProcessor<LogoutFilter>() { // from class: com.vaadin.flow.spring.security.VaadinSecurityConfigurer.1
            public <O extends LogoutFilter> O postProcess(O o) {
                VaadinSecurityConfigurer.this.getAuthenticationContext().setLogoutHandlers(logoutConfigurer.getLogoutSuccessHandler(), logoutConfigurer.getLogoutHandlers());
                return o;
            }
        });
    }

    private Optional<LogoutSuccessHandler> createSimpleUrlLogoutSuccessHandler(String str) {
        VaadinSimpleUrlLogoutSuccessHandler vaadinSimpleUrlLogoutSuccessHandler = new VaadinSimpleUrlLogoutSuccessHandler();
        vaadinSimpleUrlLogoutSuccessHandler.setRedirectStrategy(new UidlRedirectStrategy());
        vaadinSimpleUrlLogoutSuccessHandler.setDefaultTargetUrl(str);
        return Optional.of(vaadinSimpleUrlLogoutSuccessHandler);
    }

    private Optional<LogoutSuccessHandler> createOidcLogoutSuccessHandler(String str) {
        ClientRegistrationRepository clientRegistrationRepository = (ClientRegistrationRepository) getSharedObjectOrBean(ClientRegistrationRepository.class);
        if (clientRegistrationRepository == null) {
            LOGGER.warn("Cannot create OidcClientInitiatedLogoutSuccessHandler because ClientRegistrationRepository bean is not available.");
            return Optional.empty();
        }
        OidcClientInitiatedLogoutSuccessHandler oidcClientInitiatedLogoutSuccessHandler = new OidcClientInitiatedLogoutSuccessHandler(clientRegistrationRepository);
        oidcClientInitiatedLogoutSuccessHandler.setRedirectStrategy(new UidlRedirectStrategy());
        oidcClientInitiatedLogoutSuccessHandler.setPostLogoutRedirectUri(str);
        return Optional.of(oidcClientInitiatedLogoutSuccessHandler);
    }

    private void customizeRequestCache(RequestCacheConfigurer<HttpSecurity> requestCacheConfigurer) {
        VaadinDefaultRequestCache vaadinDefaultRequestCache = getVaadinDefaultRequestCache();
        if (vaadinDefaultRequestCache == null) {
            throw new IllegalStateException("No VaadinDefaultRequestCache bean or shared object found. Please make sure that either a bean or shared object of type VaadinDefaultRequestCache is available.");
        }
        Optional filter = getSharedObject(RequestCache.class).filter(requestCache -> {
            return !(requestCache instanceof VaadinDefaultRequestCache);
        });
        Objects.requireNonNull(vaadinDefaultRequestCache);
        filter.ifPresent(vaadinDefaultRequestCache::setDelegateRequestCache);
        requestCacheConfigurer.requestCache(vaadinDefaultRequestCache);
    }

    private void customizeExceptionHandling(ExceptionHandlingConfigurer<HttpSecurity> exceptionHandlingConfigurer) {
        if (EndpointRequestUtil.isHillaAvailable()) {
            ExceptionHandlingConfigurer accessDeniedHandler = exceptionHandlingConfigurer.accessDeniedHandler(createAccessDeniedHandler());
            HttpStatusEntryPoint httpStatusEntryPoint = new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED);
            RequestUtil requestUtil = getRequestUtil();
            Objects.requireNonNull(requestUtil);
            accessDeniedHandler.defaultAuthenticationEntryPointFor(httpStatusEntryPoint, requestUtil::isEndpointRequest);
        }
        if (this.formLoginPage != null) {
            exceptionHandlingConfigurer.defaultAuthenticationEntryPointFor(new LoginUrlAuthenticationEntryPoint(this.formLoginPage), AnyRequestMatcher.INSTANCE);
        }
    }

    private AccessDeniedHandler createAccessDeniedHandler() {
        LinkedHashMap linkedHashMap = new LinkedHashMap();
        linkedHashMap.put(CsrfException.class, (httpServletRequest, httpServletResponse, accessDeniedException) -> {
            httpServletResponse.setStatus(HttpStatus.UNAUTHORIZED.value());
        });
        LinkedHashMap linkedHashMap2 = new LinkedHashMap();
        RequestUtil requestUtil = getRequestUtil();
        Objects.requireNonNull(requestUtil);
        linkedHashMap2.put(requestUtil::isEndpointRequest, new DelegatingAccessDeniedHandler(linkedHashMap, new AccessDeniedHandlerImpl()));
        return new RequestMatcherDelegatingAccessDeniedHandler(linkedHashMap2, new AccessDeniedHandlerImpl());
    }

    private void customizeAuthorizeHttpRequests(AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry authorizationManagerRequestMatcherRegistry) {
        ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) authorizationManagerRequestMatcherRegistry.requestMatchers(new RequestMatcher[]{defaultPermitMatcher()})).permitAll();
    }

    private ApplicationContext getApplicationContext() {
        return (ApplicationContext) getBuilder().getSharedObject(ApplicationContext.class);
    }

    private <T> void setSharedObject(Class<T> cls, T t) {
        getBuilder().setSharedObject(cls, t);
    }

    private <T> Optional<T> getSharedObject(Class<T> cls) {
        return Optional.ofNullable(getBuilder().getSharedObject(cls));
    }

    private <T> T getSharedObjectOrBean(Class<T> cls) {
        return getSharedObject(cls).orElseGet(() -> {
            Object ifAvailable = getApplicationContext().getBeanProvider(cls).getIfAvailable();
            if (ifAvailable != null) {
                getBuilder().setSharedObject(cls, ifAvailable);
            }
            return ifAvailable;
        });
    }
}
