package org.squashtest.tm.service;

import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import javax.inject.Inject;
import javax.inject.Named;
import javax.sql.DataSource;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.cache.CacheManager;
import org.springframework.context.annotation.AdviceMode;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Lazy;
import org.springframework.context.annotation.Primary;
import org.springframework.context.annotation.Role;
import org.springframework.core.LocalVariableTableParameterNameDiscoverer;
import org.springframework.core.annotation.Order;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.acls.domain.AclAuthorizationStrategy;
import org.springframework.security.acls.domain.AclAuthorizationStrategyImpl;
import org.springframework.security.acls.domain.DefaultPermissionGrantingStrategy;
import org.springframework.security.acls.domain.PermissionFactory;
import org.springframework.security.acls.domain.SpringCacheBasedAclCache;
import org.springframework.security.acls.jdbc.BasicLookupStrategy;
import org.springframework.security.acls.model.AclCache;
import org.springframework.security.acls.model.AclService;
import org.springframework.security.acls.model.ObjectIdentityGenerator;
import org.springframework.security.acls.model.ObjectIdentityRetrievalStrategy;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configuration.GlobalAuthenticationConfigurerAdapter;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.crypto.password.MessageDigestPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.squashtest.tm.api.security.authentication.ConditionalOnAuthProviderProperty;
import org.squashtest.tm.security.acls.CustomPermissionFactory;
import org.squashtest.tm.security.acls.Slf4jAuditLogger;
import org.squashtest.tm.service.feature.FeatureManager;
import org.squashtest.tm.service.internal.chart.engine.QuerydslToolbox;
import org.squashtest.tm.service.internal.security.AffirmativeBasedCompositePermissionEvaluator;
import org.squashtest.tm.service.internal.security.SquashDaoAuthenticationProvider;
import org.squashtest.tm.service.internal.security.SquashUserDetailsManager;
import org.squashtest.tm.service.internal.security.SquashUserDetailsManagerImpl;
import org.squashtest.tm.service.internal.security.SquashUserDetailsManagerProxyFactory;
import org.squashtest.tm.service.internal.spring.ArgumentPositionParameterNameDiscoverer;
import org.squashtest.tm.service.internal.spring.CompositeDelegatingParameterNameDiscoverer;
import org.squashtest.tm.service.security.Authorizations;
import org.squashtest.tm.service.security.acls.ExtraPermissionEvaluator;
import org.squashtest.tm.service.security.acls.domain.DatabaseBackedObjectIdentityGeneratorStrategy;
import org.squashtest.tm.service.security.acls.domain.InheritableAclsObjectIdentityRetrievalStrategy;

@Configuration
/* loaded from: input_file:org/squashtest/tm/service/SecurityConfig.class */
public class SecurityConfig {
    private static final String DBTYPE_POSTGRES = "POSTGRES";
    private static final Logger LOGGER = LoggerFactory.getLogger(SecurityConfig.class);

    @Inject
    @Lazy
    private FeatureManager featureManager;

    @Autowired(required = false)
    private Collection<ExtraPermissionEvaluator> extraPermissionEvaluators = Collections.emptyList();

    @Value("${jooq.sql.dialect:'MYSQL'}")
    private String dbType;

    @ConditionalOnAuthProviderProperty(value = "internal", matchIfMissing = true)
    @Configuration
    @Order(QuerydslToolbox.BY_DAY_SUBSTRING_SIZE)
    /* loaded from: input_file:org/squashtest/tm/service/SecurityConfig$InternalAuthenticationConfig.class */
    public static class InternalAuthenticationConfig extends GlobalAuthenticationConfigurerAdapter {

        @Inject
        private SquashUserDetailsManager squashUserDetailsManager;

        @Inject
        private PasswordEncoder passwordEncoder;

        public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
            authenticationManagerBuilder.authenticationProvider(daoAuthenticationProvider());
            authenticationManagerBuilder.eraseCredentials(false);
        }

        @Bean
        public DaoAuthenticationProvider daoAuthenticationProvider() {
            SecurityConfig.LOGGER.info("initializing : daoAuthenticationProvider");
            SquashDaoAuthenticationProvider squashDaoAuthenticationProvider = new SquashDaoAuthenticationProvider();
            squashDaoAuthenticationProvider.setUserDetailsService(this.squashUserDetailsManager);
            squashDaoAuthenticationProvider.setPasswordEncoder(this.passwordEncoder);
            return squashDaoAuthenticationProvider;
        }
    }

    @Configuration
    @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, order = -2147483548, mode = AdviceMode.PROXY, proxyTargetClass = false)
    /* loaded from: input_file:org/squashtest/tm/service/SecurityConfig$SquashMethodSecurityConfiguration.class */
    public static class SquashMethodSecurityConfiguration extends GlobalMethodSecurityConfiguration {

        @Inject
        @Named("userDetailsManager.caseSensitive")
        private SquashUserDetailsManager caseSensitive;

        @Inject
        @Named("userDetailsManager.caseInsensitive")
        private SquashUserDetailsManager caseInsensitive;

        protected MethodSecurityExpressionHandler createExpressionHandler() {
            DefaultMethodSecurityExpressionHandler createExpressionHandler = super.createExpressionHandler();
            if (createExpressionHandler instanceof DefaultMethodSecurityExpressionHandler) {
                createExpressionHandler.setParameterNameDiscoverer(new CompositeDelegatingParameterNameDiscoverer(Arrays.asList(new LocalVariableTableParameterNameDiscoverer(), new ArgumentPositionParameterNameDiscoverer())));
            } else {
                SecurityConfig.LOGGER.error("Programmatic error : MethodSecurityExpressionHandler is not an instance of DefaultMethodSecurityExpressionHandler ! Check Spring Security source and fix " + getClass().getSimpleName() + " accordingly");
            }
            return createExpressionHandler;
        }

        protected AccessDecisionManager accessDecisionManager() {
            AffirmativeBased accessDecisionManager = super.accessDecisionManager();
            if (accessDecisionManager instanceof AffirmativeBased) {
                accessDecisionManager.setAllowIfAllAbstainDecisions(true);
            } else {
                SecurityConfig.LOGGER.error("Programmatic error : AccesDecisionManager is not an instance of AffirmativeBased ! Check Spring Security source and fix " + getClass().getSimpleName() + " accordingly");
            }
            return accessDecisionManager;
        }

        protected AuthenticationManager authenticationManager() throws Exception {
            AuthenticationManager authenticationManager = super.authenticationManager();
            ((SquashUserDetailsManagerImpl) this.caseSensitive).setAuthenticationManager(authenticationManager);
            ((SquashUserDetailsManagerImpl) this.caseInsensitive).setAuthenticationManager(authenticationManager);
            return authenticationManager;
        }
    }

    @Bean
    public PermissionFactory permissionFactory() {
        return new CustomPermissionFactory();
    }

    @Bean
    public GrantedAuthority aclAdminAuthority() {
        return new SimpleGrantedAuthority(Authorizations.ROLE_ADMIN);
    }

    @Bean({"squashtest.core.security.ObjectIdentityRetrievalStrategy"})
    public ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy() {
        return new InheritableAclsObjectIdentityRetrievalStrategy();
    }

    @Bean({"squashtest.core.security.ObjectIdentityGeneratorStrategy"})
    public ObjectIdentityGenerator objectIdentityGenerator() {
        return new DatabaseBackedObjectIdentityGeneratorStrategy(objectIdentityRetrievalStrategy());
    }

    @Bean
    public BasicLookupStrategy lookupStrategy(DataSource dataSource, CacheManager cacheManager) {
        BasicLookupStrategy basicLookupStrategy = new BasicLookupStrategy(dataSource, aclCache(cacheManager), aclAuthorizationStrategy(), grantingStrategy());
        basicLookupStrategy.setSelectClause("select oid.IDENTITY as object_id_identity,\n  gp.PERMISSION_ORDER,\n  oid.ID as acl_id,\n  null as parent_object, /* oid.parent */\n  true as entries_inheriting, /* oid.entries_inheriting*/\n  rse.ID as ace_id,\n  gp.PERMISSION_MASK as mask,\n  gp.GRANTING as granting,\n  true as audit_success, /* audit success */\n  false as audit_failure, /* audit failure */\n  true as ace_principal, /* sid is principal */\n  u.LOGIN as ace_sid,\n  true as acl_principal, /* owner is prinipal */\n  u.LOGIN as acl_sid, /* owner sid */\n  ocl.CLASSNAME as class\nfrom ACL_OBJECT_IDENTITY oid\n  left join ACL_CLASS ocl on ocl.ID = oid.CLASS_ID\n  left join ACL_GROUP_PERMISSION gp on gp.CLASS_ID = ocl.ID\n  left join ACL_GROUP g on g.ID = gp.ACL_GROUP_ID\n  left join ACL_RESPONSIBILITY_SCOPE_ENTRY rse on rse.ACL_GROUP_ID = g.ID and rse.OBJECT_IDENTITY_ID = oid.ID\n  inner join CORE_PARTY party on party.PARTY_ID = rse.PARTY_ID\n  left join CORE_TEAM team on team.PARTY_ID = party.PARTY_ID\n  left join CORE_TEAM_MEMBER tmemb on tmemb.TEAM_ID = team.PARTY_ID,\n  CORE_USER u \nwhere((u.PARTY_ID = tmemb.USER_ID) or (u.PARTY_ID = party.PARTY_ID)) and u.ACTIVE = true and (\n");
        basicLookupStrategy.setLookupObjectIdentitiesWhereClause(DBTYPE_POSTGRES.equals(this.dbType) ? "(oid.IDENTITY::varchar(36) = ? and ocl.CLASSNAME = ?)" : "(oid.IDENTITY = ? and ocl.CLASSNAME = ?)");
        basicLookupStrategy.setLookupPrimaryKeysWhereClause("(oid.ID = ?)");
        basicLookupStrategy.setOrderByClause(") order by oid.IDENTITY asc, gp.PERMISSION_ORDER asc");
        basicLookupStrategy.setPermissionFactory(permissionFactory());
        return basicLookupStrategy;
    }

    @Bean
    public DefaultPermissionGrantingStrategy grantingStrategy() {
        return new DefaultPermissionGrantingStrategy(new Slf4jAuditLogger());
    }

    @Bean
    public AclAuthorizationStrategy aclAuthorizationStrategy() {
        return new AclAuthorizationStrategyImpl(new GrantedAuthority[]{aclAdminAuthority(), aclAdminAuthority(), aclAdminAuthority()});
    }

    @Bean(name = {"squashtest.core.security.JdbcUserDetailsManager"})
    @Primary
    public SquashUserDetailsManagerProxyFactory userDetailsManager(DataSource dataSource) {
        SquashUserDetailsManagerProxyFactory squashUserDetailsManagerProxyFactory = new SquashUserDetailsManagerProxyFactory();
        squashUserDetailsManagerProxyFactory.setCaseInsensitiveManager(caseInensitiveUserDetailsManager(dataSource));
        squashUserDetailsManagerProxyFactory.setCaseSensitiveManager(caseSensitiveUserDetailsManager(dataSource));
        squashUserDetailsManagerProxyFactory.setFeatures(this.featureManager);
        return squashUserDetailsManagerProxyFactory;
    }

    @Bean
    @Role(2)
    @Order(0)
    public PasswordEncoder shaPasswordEncoder() {
        return new MessageDigestPasswordEncoder("SHA-1");
    }

    @Bean(name = {"userDetailsManager.caseSensitive"})
    public SquashUserDetailsManager caseSensitiveUserDetailsManager(DataSource dataSource) {
        SquashUserDetailsManagerImpl newSquashUserDetailsManager = newSquashUserDetailsManager(dataSource);
        newSquashUserDetailsManager.setUsersByUsernameQuery("select LOGIN, PASSWORD, ACTIVE from AUTH_USER where LOGIN = ?");
        newSquashUserDetailsManager.setUserExistsSql("select LOGIN from AUTH_USER where LOGIN = ?");
        newSquashUserDetailsManager.setGroupAuthoritiesByUsernameQuery("select g.ID, g.QUALIFIED_NAME, ga.AUTHORITY \nfrom CORE_GROUP g \n  inner join CORE_GROUP_AUTHORITY ga on ga.GROUP_ID = g.ID\n  inner join CORE_GROUP_MEMBER gm on gm.GROUP_ID = g.ID\n  inner join CORE_PARTY party on party.PARTY_ID = gm.PARTY_ID\n  left join CORE_TEAM team on team.PARTY_ID = party.PARTY_ID\n  left join CORE_TEAM_MEMBER tmemb on tmemb.TEAM_ID = team.PARTY_ID,\n  CORE_USER u \nwhere( (u.PARTY_ID = tmemb.USER_ID AND u.ACTIVE = true) or (u.PARTY_ID = party.PARTY_ID) ) and ( u.LOGIN = ?)");
        newSquashUserDetailsManager.setAuthoritiesByUsernameQuery("select cpa.PARTY_ID,  cpa.AUTHORITY from CORE_PARTY_AUTHORITY cpa\n  inner join CORE_PARTY party on party.PARTY_ID = cpa.PARTY_ID\n  left join CORE_TEAM team on team.PARTY_ID = party.PARTY_ID\n  left join CORE_TEAM_MEMBER tmemb on tmemb.TEAM_ID = team.PARTY_ID,\n  CORE_USER u \nwhere( (u.PARTY_ID = tmemb.USER_ID AND u.ACTIVE = true) or (u.PARTY_ID = party.PARTY_ID) ) and ( u.LOGIN = ?)");
        return newSquashUserDetailsManager;
    }

    @Bean(name = {"userDetailsManager.caseInsensitive"})
    public SquashUserDetailsManager caseInensitiveUserDetailsManager(DataSource dataSource) {
        SquashUserDetailsManagerImpl newSquashUserDetailsManager = newSquashUserDetailsManager(dataSource);
        newSquashUserDetailsManager.setUsersByUsernameQuery("select LOGIN, PASSWORD, ACTIVE from AUTH_USER where lower(LOGIN) = lower(?)");
        newSquashUserDetailsManager.setUserExistsSql("select LOGIN from AUTH_USER where lower(LOGIN) = lower(?)");
        newSquashUserDetailsManager.setGroupAuthoritiesByUsernameQuery("select g.ID, g.QUALIFIED_NAME, ga.AUTHORITY \nfrom CORE_GROUP g \n  inner join CORE_GROUP_AUTHORITY ga on ga.GROUP_ID = g.ID\n  inner join CORE_GROUP_MEMBER gm on gm.GROUP_ID = g.ID\n  inner join CORE_PARTY party on party.PARTY_ID = gm.PARTY_ID\n  left join CORE_TEAM team on team.PARTY_ID = party.PARTY_ID\n  left join CORE_TEAM_MEMBER tmemb on tmemb.TEAM_ID = team.PARTY_ID,\n  CORE_USER u \nwhere ((u.PARTY_ID = tmemb.USER_ID AND u.ACTIVE = true) or (u.PARTY_ID = party.PARTY_ID)) \n  and (lower(u.LOGIN) = lower(?))");
        newSquashUserDetailsManager.setAuthoritiesByUsernameQuery("select cpa.PARTY_ID,  cpa.AUTHORITY \nfrom CORE_PARTY_AUTHORITY cpa\n  inner join CORE_PARTY party on party.PARTY_ID = cpa.PARTY_ID\n  left join CORE_TEAM team on team.PARTY_ID = party.PARTY_ID\n  left join CORE_TEAM_MEMBER tmemb on tmemb.TEAM_ID = team.PARTY_ID,\n  CORE_USER u \nwhere ((u.PARTY_ID = tmemb.USER_ID AND u.ACTIVE = true) or (u.PARTY_ID = party.PARTY_ID) ) \n  and (lower(u.LOGIN) = lower(?))");
        return newSquashUserDetailsManager;
    }

    private SquashUserDetailsManagerImpl newSquashUserDetailsManager(DataSource dataSource) {
        SquashUserDetailsManagerImpl squashUserDetailsManagerImpl = new SquashUserDetailsManagerImpl();
        squashUserDetailsManagerImpl.setDataSource(dataSource);
        squashUserDetailsManagerImpl.setChangePasswordSql("update AUTH_USER set PASSWORD = ? where LOGIN = ?");
        squashUserDetailsManagerImpl.setUpdateUserSql("update AUTH_USER set PASSWORD = ?, ACTIVE = ? where LOGIN = ?");
        squashUserDetailsManagerImpl.setDeleteUserSql("delete from AUTH_USER where LOGIN = ?");
        squashUserDetailsManagerImpl.setCreateUserSql("insert into AUTH_USER (LOGIN, PASSWORD, ACTIVE) values (?,?,?)");
        squashUserDetailsManagerImpl.setCreateAuthoritySql("insert into CORE_PARTY_AUTHORITY (PARTY_ID, AUTHORITY) values ((select cu.PARTY_ID from CORE_USER cu where cu.LOGIN = ?), ?)");
        squashUserDetailsManagerImpl.setDeleteUserAuthoritiesSql("delete from CORE_PARTY_AUTHORITY\nwhere PARTY_ID in (\n  select cu.PARTY_ID from CORE_USER cu\n  where cu.LOGIN = ?\n)");
        squashUserDetailsManagerImpl.setEnableAuthorities(true);
        squashUserDetailsManagerImpl.setEnableGroups(true);
        return squashUserDetailsManagerImpl;
    }

    @Bean
    public AffirmativeBasedCompositePermissionEvaluator permissionEvaluator(@Named("squashtest.core.security.AclService") AclService aclService, ObjectIdentityGenerator objectIdentityGenerator) {
        AffirmativeBasedCompositePermissionEvaluator affirmativeBasedCompositePermissionEvaluator = new AffirmativeBasedCompositePermissionEvaluator(aclService, this.extraPermissionEvaluators);
        affirmativeBasedCompositePermissionEvaluator.setObjectIdentityRetrievalStrategy(objectIdentityRetrievalStrategy());
        affirmativeBasedCompositePermissionEvaluator.setObjectIdentityGenerator(objectIdentityGenerator);
        affirmativeBasedCompositePermissionEvaluator.setPermissionFactory(permissionFactory());
        return affirmativeBasedCompositePermissionEvaluator;
    }

    @Bean
    public AclCache aclCache(CacheManager cacheManager) {
        return new SpringCacheBasedAclCache(cacheManager.getCache("aclCache"), grantingStrategy(), aclAuthorizationStrategy());
    }
}
