package eu.openanalytics.containerproxy.security;

import eu.openanalytics.containerproxy.ContainerProxyApplication;
import eu.openanalytics.containerproxy.auth.IAuthenticationBackend;
import eu.openanalytics.containerproxy.auth.UserLogoutHandler;
import eu.openanalytics.containerproxy.auth.impl.OpenIDAuthenticationBackend;
import eu.openanalytics.containerproxy.auth.impl.saml.SAMLConfiguration;
import eu.openanalytics.containerproxy.service.IdentifierService;
import eu.openanalytics.containerproxy.ui.AuthController;
import eu.openanalytics.containerproxy.ui.TemplateResolverConfig;
import eu.openanalytics.containerproxy.util.AppRecoveryFilter;
import eu.openanalytics.containerproxy.util.EnvironmentUtils;
import eu.openanalytics.containerproxy.util.OverridingHeaderWriter;
import jakarta.servlet.Filter;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import javax.inject.Inject;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Lazy;
import org.springframework.core.convert.converter.Converter;
import org.springframework.core.env.Environment;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.Elements;
import org.springframework.security.config.ObjectPostProcessor;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.csrf.MissingCsrfTokenException;
import org.springframework.security.web.header.Header;
import org.springframework.security.web.header.writers.StaticHeadersWriter;
import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
import org.springframework.web.servlet.support.ServletUriComponentsBuilder;

@Configuration
@EnableWebSecurity
/* loaded from: input_file:BOOT-INF/lib/containerproxy-1.2.0.jar:eu/openanalytics/containerproxy/security/WebSecurityConfig.class */
public class WebSecurityConfig {
    public static final String PROP_DISABLE_NO_SNIFF_HEADER = "proxy.api-security.disable-no-sniff-header";
    public static final String PROP_DISABLE_HSTS_HEADER = "proxy.api-security.disable-hsts-header";
    public static final String PROP_DISABLE_XSS_PROTECTION_HEADER = "proxy.api-security.disable-xss-protection-header";
    public static final String PROP_CUSTOM_HEADERS = "proxy.api-security.custom-headers";
    public static final String PROP_OAUTH2_RESOURCE_ID = "proxy.oauth2.resource-id";
    public static final String PROP_OAUTH2_JWKS_URL = "proxy.oauth2.jwks-url";
    public static final String PROP_OAUTH2_ROLES_CLAIM = "proxy.oauth2.roles-claim";
    public static final String PROP_OAUTH2_USERNAME_ATTRIBUTE = "proxy.oauth2.username-attribute";
    private final Logger logger = LogManager.getLogger(getClass());

    @Inject
    private UserLogoutHandler logoutHandler;

    @Inject
    private IAuthenticationBackend auth;

    @Inject
    private Environment environment;

    @Inject
    private AppRecoveryFilter appRecoveryFilter;

    @Inject
    private IdentifierService identifierService;

    @Autowired(required = false)
    private List<ICustomSecurityConfig> customConfigs;

    @Inject
    private HandlerMappingIntrospector handlerMappingIntrospector;

    @Inject
    @Lazy
    private SavedRequestAwareAuthenticationSuccessHandler successHandler;

    private void checkForIncorrectConfiguration(HttpServletRequest httpServletRequest) {
        if (httpServletRequest.getScheme().equals("http") && ContainerProxyApplication.secureCookiesEnabled.booleanValue()) {
            this.logger.warn("WARNING: Invalid configuration detected: ShinyProxy is accessed over HTTP but secure-cookies is enabled. Secure-cookies only work when accessing ShinyProxy over HTTPS. Ensure that ShinyProxy is accessed over HTTPS or disable secure-cookies");
        }
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
        if (EnvironmentUtils.readList(this.environment, TemplateResolverConfig.PROP_CORS_ALLOWED_ORIGINS) != null) {
            httpSecurity.cors(Customizer.withDefaults());
        }
        httpSecurity.addFilterAfter((Filter) this.appRecoveryFilter, BasicAuthenticationFilter.class);
        httpSecurity.addFilterAfter((Filter) new UserAgentFilter(), BasicAuthenticationFilter.class);
        httpSecurity.csrf(csrfConfigurer -> {
            csrfConfigurer.requireCsrfProtectionMatcher(new AntPathRequestMatcher(DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL, "POST"));
        });
        httpSecurity.exceptionHandling(exceptionHandlingConfigurer -> {
            exceptionHandlingConfigurer.accessDeniedHandler(new AccessDeniedHandler() { // from class: eu.openanalytics.containerproxy.security.WebSecurityConfig.1
                final AntPathRequestMatcher matcher = new AntPathRequestMatcher(DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL, "POST");
                final AccessDeniedHandler defaultAccessDeniedHandler = new AccessDeniedHandlerImpl();

                @Override // org.springframework.security.web.access.AccessDeniedHandler
                public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AccessDeniedException accessDeniedException) throws IOException, ServletException {
                    WebSecurityConfig.this.checkForIncorrectConfiguration(httpServletRequest);
                    if (this.matcher.matcher(httpServletRequest).isMatch() && (accessDeniedException instanceof MissingCsrfTokenException)) {
                        httpServletResponse.sendRedirect(ServletUriComponentsBuilder.fromCurrentContextPath().path(DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL).queryParam("error", "expired").build().toUriString());
                    } else {
                        this.defaultAccessDeniedHandler.handle(httpServletRequest, httpServletResponse, accessDeniedException);
                    }
                }
            });
        });
        httpSecurity.headers(headersConfigurer -> {
            if (((Boolean) this.environment.getProperty(PROP_DISABLE_NO_SNIFF_HEADER, Boolean.class, false)).booleanValue()) {
                headersConfigurer.contentTypeOptions((v0) -> {
                    v0.disable();
                });
            } else {
                headersConfigurer.contentTypeOptions(Customizer.withDefaults());
            }
            if (((Boolean) this.environment.getProperty(PROP_DISABLE_XSS_PROTECTION_HEADER, Boolean.class, false)).booleanValue()) {
                headersConfigurer.xssProtection((v0) -> {
                    v0.disable();
                });
            } else {
                headersConfigurer.xssProtection(Customizer.withDefaults());
            }
            if (((Boolean) this.environment.getProperty(PROP_DISABLE_HSTS_HEADER, Boolean.class, false)).booleanValue()) {
                headersConfigurer.httpStrictTransportSecurity((v0) -> {
                    v0.disable();
                });
            } else {
                headersConfigurer.httpStrictTransportSecurity(Customizer.withDefaults());
            }
            String property = this.environment.getProperty("server.frame-options", "disable");
            String upperCase = property.toUpperCase();
            boolean z = -1;
            switch (upperCase.hashCode()) {
                case -1905676600:
                    if (upperCase.equals("DISABLE")) {
                        z = false;
                        break;
                    }
                    break;
                case -445843700:
                    if (upperCase.equals("SAMEORIGIN")) {
                        z = 2;
                        break;
                    }
                    break;
                case 2094604:
                    if (upperCase.equals("DENY")) {
                        z = true;
                        break;
                    }
                    break;
            }
            switch (z) {
                case false:
                    headersConfigurer.frameOptions((v0) -> {
                        v0.disable();
                    });
                    break;
                case true:
                    headersConfigurer.frameOptions((v0) -> {
                        v0.deny();
                    });
                    break;
                case true:
                    headersConfigurer.frameOptions((v0) -> {
                        v0.sameOrigin();
                    });
                    break;
                default:
                    if (property.toUpperCase().startsWith("ALLOW-FROM")) {
                        headersConfigurer.frameOptions((v0) -> {
                            v0.disable();
                        }).addHeaderWriter(new StaticHeadersWriter("X-Frame-Options", property));
                        break;
                    }
                    break;
            }
            List<Header> customHeaders = getCustomHeaders();
            if (!customHeaders.isEmpty()) {
                headersConfigurer.addHeaderWriter(new OverridingHeaderWriter(customHeaders));
            }
            headersConfigurer.cacheControl((v0) -> {
                v0.disable();
            });
            headersConfigurer.addHeaderWriter(new CustomCacheControlHeadersWriter());
        });
        httpSecurity.authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> {
            authorizationManagerRequestMatcherRegistry.requestMatchers(new MvcRequestMatcher(this.handlerMappingIntrospector, "/actuator/health"), new MvcRequestMatcher(this.handlerMappingIntrospector, "/actuator/health/readiness"), new MvcRequestMatcher(this.handlerMappingIntrospector, "/actuator/health/liveness"), new MvcRequestMatcher(this.handlerMappingIntrospector, "/actuator/prometheus"), new MvcRequestMatcher(this.handlerMappingIntrospector, "/actuator/recyclable")).permitAll().requestMatchers(new MvcRequestMatcher(this.handlerMappingIntrospector, SAMLConfiguration.SAML_METADATA_PATH)).permitAll().requestMatchers(new MvcRequestMatcher(this.handlerMappingIntrospector, DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL), new MvcRequestMatcher(this.handlerMappingIntrospector, "/signin/**"), new MvcRequestMatcher(this.handlerMappingIntrospector, "/auth-error"), new MvcRequestMatcher(this.handlerMappingIntrospector, "/error"), new MvcRequestMatcher(this.handlerMappingIntrospector, "/app-access-denied"), new MvcRequestMatcher(this.handlerMappingIntrospector, "/logout-success"), new MvcRequestMatcher(this.handlerMappingIntrospector, "/favicon.ico"), new MvcRequestMatcher(this.handlerMappingIntrospector, "/" + this.identifierService.instanceId + "/favicon"), new MvcRequestMatcher(this.handlerMappingIntrospector, "/css/**"), new MvcRequestMatcher(this.handlerMappingIntrospector, "/" + this.identifierService.instanceId + "/css/**"), new MvcRequestMatcher(this.handlerMappingIntrospector, "/img/**"), new MvcRequestMatcher(this.handlerMappingIntrospector, "/" + this.identifierService.instanceId + "/img/**"), new MvcRequestMatcher(this.handlerMappingIntrospector, "/js/**"), new MvcRequestMatcher(this.handlerMappingIntrospector, "/" + this.identifierService.instanceId + "/js/**"), new MvcRequestMatcher(this.handlerMappingIntrospector, "/assets/**"), new MvcRequestMatcher(this.handlerMappingIntrospector, "/" + this.identifierService.instanceId + "/assets/**"), new MvcRequestMatcher(this.handlerMappingIntrospector, "/webjars/**"), new MvcRequestMatcher(this.handlerMappingIntrospector, "/" + this.identifierService.instanceId + "/webjars/**")).permitAll();
        });
        if (this.customConfigs != null) {
            Iterator<ICustomSecurityConfig> it = this.customConfigs.iterator();
            while (it.hasNext()) {
                it.next().apply(httpSecurity);
            }
        }
        if (this.auth.hasAuthorization()) {
            httpSecurity.formLogin(formLoginConfigurer -> {
                formLoginConfigurer.loginPage(DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL).successHandler(this.successHandler);
            });
            httpSecurity.logout(logoutConfigurer -> {
                logoutConfigurer.logoutUrl(this.auth.getLogoutURL()).logoutRequestMatcher(new AntPathRequestMatcher("/logout")).addLogoutHandler(this.logoutHandler).logoutSuccessHandler(this.auth.getLogoutSuccessHandler());
            });
            httpSecurity.httpBasic(httpBasicConfigurer -> {
                httpBasicConfigurer.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint(DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL));
            });
        }
        if (this.auth.hasAuthorization()) {
            httpSecurity.authorizeHttpRequests(authorizationManagerRequestMatcherRegistry2 -> {
                authorizationManagerRequestMatcherRegistry2.anyRequest().fullyAuthenticated();
            });
        } else {
            httpSecurity.authorizeHttpRequests(authorizationManagerRequestMatcherRegistry3 -> {
                authorizationManagerRequestMatcherRegistry3.anyRequest().anonymous();
            });
        }
        this.auth.configureHttpSecurity(httpSecurity);
        httpSecurity.sessionManagement(sessionManagementConfigurer -> {
            sessionManagementConfigurer.sessionCreationPolicy(SessionCreationPolicy.ALWAYS);
        });
        String property = this.environment.getProperty(PROP_OAUTH2_JWKS_URL);
        String property2 = this.environment.getProperty(PROP_OAUTH2_RESOURCE_ID);
        if (property != null && property2 != null) {
            httpSecurity.oauth2ResourceServer(oAuth2ResourceServerConfigurer -> {
                oAuth2ResourceServerConfigurer.jwt(jwtConfigurer -> {
                    jwtConfigurer.decoder(jwtDecoder(property, property2)).jwtAuthenticationConverter(jwtAuthenticationConverter());
                });
            });
        }
        httpSecurity.requestCache(requestCacheConfigurer -> {
            requestCacheConfigurer.addObjectPostProcessor(new ObjectPostProcessor<RequestCacheAwareFilter>(this) { // from class: eu.openanalytics.containerproxy.security.WebSecurityConfig.2
                @Override // org.springframework.security.config.ObjectPostProcessor
                public <O extends RequestCacheAwareFilter> O postProcess(O o) {
                    return new FixedRequestCacheAwareFilter(o);
                }
            });
        });
        return httpSecurity.build();
    }

    private NimbusJwtDecoder jwtDecoder(String str, String str2) {
        String property = this.environment.getProperty(PROP_OAUTH2_USERNAME_ATTRIBUTE, "sub");
        DelegatingOAuth2TokenValidator delegatingOAuth2TokenValidator = new DelegatingOAuth2TokenValidator(Arrays.asList(new JwtTimestampValidator(), jwt -> {
            return jwt.getAudience().contains(str2) ? OAuth2TokenValidatorResult.success() : OAuth2TokenValidatorResult.failure(new OAuth2Error("custom_code", "Invalid audience", null));
        }, jwt2 -> {
            return jwt2.hasClaim(property) ? OAuth2TokenValidatorResult.success() : OAuth2TokenValidatorResult.failure(new OAuth2Error("custom_code", "Username claim missing", null));
        }));
        NimbusJwtDecoder build = NimbusJwtDecoder.withJwkSetUri(str).build();
        build.setJwtValidator(delegatingOAuth2TokenValidator);
        return build;
    }

    private Converter<Jwt, AbstractAuthenticationToken> jwtAuthenticationConverter() {
        String property = this.environment.getProperty(PROP_OAUTH2_ROLES_CLAIM);
        String property2 = this.environment.getProperty(PROP_OAUTH2_USERNAME_ATTRIBUTE, "sub");
        return jwt -> {
            HashSet hashSet = new HashSet();
            if (property != null) {
                for (String str : OpenIDAuthenticationBackend.parseRolesClaim(this.logger, Elements.JWT, property, jwt.getClaim(property))) {
                    hashSet.add(new SimpleGrantedAuthority((str.toUpperCase().startsWith("ROLE_") ? str : "ROLE_" + str).toUpperCase()));
                }
            }
            String claimAsString = jwt.getClaimAsString(property2);
            if (claimAsString == null) {
                throw new IllegalArgumentException(String.format("Cannot extract username from OAuth token, no claim %s found", property2));
            }
            return new JwtAuthenticationToken(jwt, hashSet, claimAsString);
        };
    }

    @Bean
    public SavedRequestAwareAuthenticationSuccessHandler SavedRequestAwareAuthenticationSuccessHandler() {
        SavedRequestAwareAuthenticationSuccessHandler savedRequestAwareAuthenticationSuccessHandler = new SavedRequestAwareAuthenticationSuccessHandler();
        savedRequestAwareAuthenticationSuccessHandler.setDefaultTargetUrl(AuthController.AUTH_SUCCESS_URL);
        return savedRequestAwareAuthenticationSuccessHandler;
    }

    private List<Header> getCustomHeaders() {
        ArrayList arrayList = new ArrayList();
        int i = 0;
        String property = this.environment.getProperty(String.format("proxy.api-security.custom-headers[%d].name", 0));
        while (property != null) {
            String property2 = this.environment.getProperty(String.format("proxy.api-security.custom-headers[%d].value", Integer.valueOf(i)));
            if (property2 == null) {
                this.logger.warn("Missing header value for header {}", property);
                i++;
            } else {
                arrayList.add(new Header(property, property2));
                i++;
                property = this.environment.getProperty(String.format("proxy.api-security.custom-headers[%d].name", Integer.valueOf(i)));
            }
        }
        return arrayList;
    }
}
