package eu.openanalytics.shinyproxy;

import eu.openanalytics.containerproxy.auth.IAuthenticationBackend;
import eu.openanalytics.containerproxy.security.ICustomSecurityConfig;
import eu.openanalytics.containerproxy.service.ProxyAccessControlService;
import eu.openanalytics.containerproxy.service.UserService;
import eu.openanalytics.containerproxy.ui.AuthController;
import jakarta.servlet.Filter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import javax.inject.Inject;
import org.springframework.context.annotation.Lazy;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.access.ExceptionTranslationFilter;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
import org.springframework.web.servlet.support.ServletUriComponentsBuilder;

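/**
 * Security customisation for the UI routes.
 *
 * <p>Contributes three things to the shared {@link HttpSecurity} configuration:
 * <ul>
 *   <li>per-app access decisions for the {@code /app*} routes, delegated to
 *       {@link ProxyAccessControlService};</li>
 *   <li>when the authentication backend reports {@code hasAuthorization()}, an
 *       {@code AuthenticationRequiredFilter} plus a post-login redirect strategy;</li>
 *   <li>an admin-only rule for {@code /admin}, {@code /admin/**} and {@code /grafana/**},
 *       delegated to {@link UserService#isAdmin}.</li>
 * </ul>
 */
@Component
/* loaded from: input_file:BOOT-INF/classes/eu/openanalytics/shinyproxy/UISecurityConfig.class */
public class UISecurityConfig implements ICustomSecurityConfig {

    @Inject
    private IAuthenticationBackend auth;

    @Inject
    private UserService userService;

    // Injected lazily; this class only replaces the redirect strategy of the shared handler.
    @Inject
    @Lazy
    private SavedRequestAwareAuthenticationSuccessHandler savedRequestAwareAuthenticationSuccessHandler;

    @Inject
    private ProxyAccessControlService proxyAccessControlService;

    @Inject
    private HandlerMappingIntrospector handlerMappingIntrospector;

    /**
     * Registers the UI authorization rules and, when applicable, the login redirect handling.
     *
     * <p>NOTE(review): the rules are added through two separate {@code authorizeHttpRequests}
     * calls; how they order against rules registered elsewhere is not visible from this class.
     *
     * @param httpSecurity the security builder being configured
     * @throws Exception if the builder rejects the configuration
     */
    @Override // eu.openanalytics.containerproxy.security.ICustomSecurityConfig
    public void apply(HttpSecurity httpSecurity) throws Exception {
        // App routes: the decision is made per request by the access-control service.
        httpSecurity.authorizeHttpRequests(registry -> registry
                .requestMatchers(
                        new MvcRequestMatcher(this.handlerMappingIntrospector, "/app/{specId}/**"),
                        new MvcRequestMatcher(this.handlerMappingIntrospector, "/app_i/{specId}/**"),
                        new MvcRequestMatcher(this.handlerMappingIntrospector, "/app_direct/{specId}/**"),
                        new MvcRequestMatcher(this.handlerMappingIntrospector, "/app_direct_i/{specId}/**"))
                .access((authentication, context) -> new AuthorizationDecision(
                        this.proxyAccessControlService.canAccessOrHasExistingProxy(authentication.get(), context))));

        if (this.auth.hasAuthorization()) {
            httpSecurity.addFilterAfter(new AuthenticationRequiredFilter(), ExceptionTranslationFilter.class);

            // The decompiler rendered the captured outer instance as a constructor argument
            // ("new DefaultRedirectStrategy(this)"); DefaultRedirectStrategy has no such
            // constructor, so the no-arg form is used here.
            this.savedRequestAwareAuthenticationSuccessHandler.setRedirectStrategy(new DefaultRedirectStrategy() {
                /**
                 * Always redirects to the auth-success page under the current context path.
                 * The originally requested URL is only remembered in the session when
                 * {@code AppRequestInfo.fromURI} recognises it.
                 */
                @Override // org.springframework.security.web.DefaultRedirectStrategy, org.springframework.security.web.RedirectStrategy
                public void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url) throws IOException {
                    String redirectUrl = calculateRedirectUrl(request.getContextPath(), url);
                    if (AppRequestInfo.fromURI(redirectUrl) != null) {
                        // Only targets that parse as an app URL are stored; anything else is dropped,
                        // so an arbitrary saved-request URL is not carried past login from here.
                        // NOTE(review): the check runs on the computed redirect URL, while the stored
                        // value is rebuilt from the raw argument - confirm the consumer of this
                        // session attribute validates the target again before redirecting.
                        String target = ServletUriComponentsBuilder.fromUriString(url)
                                .replaceQueryParam("continue") // no values given: removes the parameter
                                .build()
                                .toUriString();
                        request.getSession().setAttribute(AuthController.AUTH_SUCCESS_URL_SESSION_ATTR, target);
                    }
                    // The Location header is a fixed application path, never the caller-supplied URL.
                    response.sendRedirect(ServletUriComponentsBuilder.fromCurrentContextPath()
                            .path(AuthController.AUTH_SUCCESS_URL)
                            .build()
                            .toUriString());
                }
            });
        }

        // Admin and Grafana routes: allowed only when the user service reports an admin.
        httpSecurity.authorizeHttpRequests(registry -> registry
                .requestMatchers(
                        new MvcRequestMatcher(this.handlerMappingIntrospector, "/admin"),
                        new MvcRequestMatcher(this.handlerMappingIntrospector, "/admin/**"),
                        new MvcRequestMatcher(this.handlerMappingIntrospector, "/grafana/**"))
                .access((authentication, context) -> new AuthorizationDecision(
                        this.userService.isAdmin(authentication.get()))));
    }
}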
