package de.ingrid.ibus;

import de.ingrid.codelists.CodeListService;
import de.ingrid.codelists.comm.HttpCLCommunication;
import de.ingrid.codelists.comm.ICodeListCommunication;
import de.ingrid.codelists.persistency.XmlCodeListPersistency;
import de.ingrid.ibus.config.CodelistConfiguration;
import de.ingrid.ibus.config.ElasticsearchConfiguration;
import de.ingrid.ibus.config.IBusConfiguration;
import de.ingrid.ibus.service.SecurityService;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.util.ArrayList;
import java.util.function.Supplier;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
import org.springframework.util.StringUtils;

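/**
 * Spring Security configuration for the iBus backend.
 *
 * <p>Builds the {@link SecurityFilterChain}, wires a {@link DaoAuthenticationProvider} backed by an
 * in-memory user store holding a single {@code admin} account, and exposes the
 * {@link CodeListService} bean.
 *
 * <p>Security-relevant switches read from configuration:
 * <ul>
 *   <li>{@code development} (default {@code false}): when {@code true}, every request is permitted
 *       without authentication and CSRF protection is off.</li>
 *   <li>{@code app.enable.csrf} (default {@code true}): cookie-based CSRF protection.</li>
 *   <li>{@code app.enable.cors} (default {@code false}): CORS handling with Spring defaults.</li>
 * </ul>
 */
@EnableConfigurationProperties({CodelistConfiguration.class, ElasticsearchConfiguration.class, IBusConfiguration.class})
@Configuration
/* loaded from: input_file:ingrid-ibus-7.5.0/lib/ingrid-ibus-backend-7.5.0.jar:de/ingrid/ibus/WebSecurityConfig.class */
public class WebSecurityConfig {
    private static final Logger log = LogManager.getLogger(WebSecurityConfig.class);

    // Disables authentication and CSRF entirely when true; see securityFilterChain().
    @Value("${development:false}")
    private boolean developmentMode;

    @Value("${app.enable.cors:false}")
    private boolean enableCors;

    @Value("${app.enable.csrf:true}")
    private boolean enableCsrf;

    // NOTE(review): the default and any configured http:// URL mean the code list credentials below
    // are presumably sent without transport protection; confirm how HttpCLCommunication
    // authenticates and prefer an https:// endpoint.
    @Value("${codelistrepo.url:http://not-configured}")
    private String codelistUrl;

    @Value("${codelistrepo.username:}")
    private String codelistUsername;

    @Value("${codelistrepo.password:}")
    private String codelistPassword;

    // Stored unchanged as the admin password in authProvider(). Because verification uses
    // BCryptPasswordEncoder, login can only succeed if this value is already a BCrypt hash.
    // NOTE(review): confirm that the property is written as a hash and never as plaintext.
    @Value("${spring.security.user.password:}")
    private String ibusPassword;
    private final SecurityService securityService;
    private final InMemoryUserDetailsManager userDetailsService = new InMemoryUserDetailsManager();
    private final BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:ingrid-ibus-7.5.0/lib/ingrid-ibus-backend-7.5.0.jar:de/ingrid/ibus/WebSecurityConfig$SpaCsrfTokenRequestHandler.class */
    /**
     * CSRF token handler for a single-page front end that reads the token from a cookie and sends
     * it back in a request header.
     *
     * <p>Tokens written into responses go through the XOR handler; tokens arriving in the CSRF
     * header are resolved as the raw value, all other submissions as the XOR-masked value.
     */
    public static final class SpaCsrfTokenRequestHandler implements CsrfTokenRequestHandler {
        private final CsrfTokenRequestHandler plain = new CsrfTokenRequestAttributeHandler();
        private final CsrfTokenRequestHandler xor = new XorCsrfTokenRequestAttributeHandler();

        SpaCsrfTokenRequestHandler() {
        }

        /**
         * Delegates to the XOR handler and then forces the deferred token to load.
         *
         * @param httpServletRequest current request
         * @param httpServletResponse current response
         * @param supplier deferred CSRF token
         */
        @Override // org.springframework.security.web.csrf.CsrfTokenRequestHandler
        public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Supplier<CsrfToken> supplier) {
            this.xor.handle(httpServletRequest, httpServletResponse, supplier);
            // Loading the token here is what makes the repository emit the cookie on this response.
            supplier.get();
        }

        /**
         * Resolves the token value submitted by the client.
         *
         * @param httpServletRequest current request
         * @param csrfToken expected token, used for its header name
         * @return the value resolved by the plain handler when the CSRF header carries text,
         *     otherwise the value resolved by the XOR handler
         */
        @Override // org.springframework.security.web.csrf.CsrfTokenRequestHandler, org.springframework.security.web.csrf.CsrfTokenRequestResolver
        public String resolveCsrfTokenValue(HttpServletRequest httpServletRequest, CsrfToken csrfToken) {
            boolean headerPresent = StringUtils.hasText(httpServletRequest.getHeader(csrfToken.getHeaderName()));
            CsrfTokenRequestHandler delegate = headerPresent ? this.plain : this.xor;
            return delegate.resolveCsrfTokenValue(httpServletRequest, csrfToken);
        }
    }

    public WebSecurityConfig(SecurityService securityService) {
        this.securityService = securityService;
    }

    /** Exposes the shared BCrypt encoder that the authentication provider also uses. */
    @Bean
    PasswordEncoder passwordEncoder() {
        return this.passwordEncoder;
    }

    /**
     * Creates the authentication provider backed by the in-memory user store.
     *
     * <p>When {@code securityService.isPasswordDefined} is set, the {@code admin} user is created
     * with the configured password value and the {@code admin} role.
     *
     * @return the configured provider
     */
    @Bean
    public DaoAuthenticationProvider authProvider() {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(this.userDetailsService);
        provider.setPasswordEncoder(this.passwordEncoder);
        if (this.securityService.isPasswordDefined) {
            // The value is stored as given; no encoding happens here (see the field comment).
            this.userDetailsService.createUser(User.withUsername("admin").password(this.ibusPassword).roles("admin").build());
        }
        return provider;
    }

    /**
     * Builds the HTTP security filter chain.
     *
     * <p>In development mode the chain permits every request and disables CSRF. Otherwise CSRF and
     * CORS follow their properties, {@code /css/**} and {@code /login*} are public, and every
     * other request is decided by {@code securityService.hasPermission}.
     *
     * @param httpSecurity builder supplied by Spring Security
     * @param securityService service that makes the per-request authorization decision
     * @return the built filter chain
     * @throws Exception if the chain cannot be built
     */
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity, SecurityService securityService) throws Exception {
        if (this.developmentMode) {
            // Make the unauthenticated configuration visible in the logs so it cannot go unnoticed
            // on a deployment that is reachable by others.
            log.warn("Development mode is enabled: all requests are permitted without authentication and CSRF protection is disabled");
            return httpSecurity.cors(Customizer.withDefaults())
                    .authorizeHttpRequests(registry -> registry.anyRequest().permitAll())
                    .csrf(csrf -> csrf.disable())
                    .build();
        }
        if (this.enableCsrf) {
            // withHttpOnlyFalse() lets the browser script read the token cookie, which the
            // header-based flow in SpaCsrfTokenRequestHandler depends on.
            httpSecurity.csrf(csrf -> csrf
                    .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                    .csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler()));
        } else {
            log.warn("CSRF protection is disabled (app.enable.csrf=false)");
            httpSecurity.csrf(csrf -> csrf.disable());
        }
        if (this.enableCors) {
            httpSecurity.cors(Customizer.withDefaults());
        } else {
            httpSecurity.cors(cors -> cors.disable());
        }
        return httpSecurity.authorizeHttpRequests(registry -> {
            registry.requestMatchers("/css/**").permitAll().requestMatchers("/login*").permitAll().anyRequest().access((supplier, requestAuthorizationContext) -> {
                return new AuthorizationDecision(securityService.hasPermission((Authentication) supplier.get()));
            });
        }).formLogin(formLogin -> {
            formLogin.loginPage(DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL).permitAll();
        }).logout(logout -> {
            logout.permitAll();
        }).build();
    }

    /**
     * Creates the code list service with HTTP communication and a single XML persistency rooted at
     * {@code data/codelists}, selected as the default persistency (index 0).
     *
     * @return the configured service
     */
    @Bean
    CodeListService codelistService() {
        CodeListService codeListService = new CodeListService();
        codeListService.setComm(codelistCommunication());
        ArrayList arrayList = new ArrayList();
        XmlCodeListPersistency xmlCodeListPersistency = new XmlCodeListPersistency();
        xmlCodeListPersistency.setPathToXml("data/codelists");
        arrayList.add(xmlCodeListPersistency);
        codeListService.setPersistencies(arrayList);
        codeListService.setDefaultPersistency(0);
        return codeListService;
    }

    /**
     * Sets or replaces the {@code admin} account's password and marks the password as defined.
     *
     * @param str password value stored for {@code admin}; it is stored as given and not encoded
     *     here, so it must already be in the form the BCrypt encoder can verify
     */
    public void secureWebapp(String str) {
        this.securityService.isPasswordDefined = true;
        // NOTE(review): this user gets no roles, while authProvider() creates admin with the
        // "admin" role; confirm whether SecurityService.hasPermission depends on that role.
        UserDetails adminUser = User.withUsername("admin").password(str).roles().build();
        if (this.userDetailsService.userExists("admin")) {
            this.userDetailsService.updateUser(adminUser);
        } else {
            this.userDetailsService.createUser(adminUser);
        }
    }

    /**
     * Builds the HTTP client for the code list repository from the {@code codelistrepo.*}
     * properties; the request URL is the configured base URL plus {@code /rest/getCodelists}.
     */
    private ICodeListCommunication codelistCommunication() {
        HttpCLCommunication communication = new HttpCLCommunication();
        communication.setRequestUrl(this.codelistUrl + "/rest/getCodelists");
        communication.setUsername(this.codelistUsername);
        communication.setPassword(this.codelistPassword);
        return communication;
    }
}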
