package org.squashtest.tm.web.config;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.squashtest.tm.api.security.authentication.ApiSecurityExemptionEndPoint;
import org.squashtest.tm.api.security.authentication.SecurityExemptionEndPoint;
import org.squashtest.tm.service.security.Authorizations;
import org.squashtest.tm.web.security.authentication.SinglePageAppAuthenticationFailureHandler;
import org.squashtest.tm.web.security.authentication.SinglePageAppAuthenticationSuccessHandler;

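/**
 * Spring Security configuration of the Squash TM web application.
 *
 * <p>Three independent filter chains are registered, each as a nested
 * {@link WebSecurityConfigurerAdapter}. Spring evaluates them by {@link Order} (lowest
 * value first) and the first chain whose request matcher accepts a request handles it:
 * <ol>
 *   <li>{@code @Order(10)} {@link SquashTAWebSecurityConfigurationAdapter} –
 *       {@code /automated-executions/**}: HTTP Basic, CSRF disabled, restricted to
 *       {@code ROLE_TA_API_CLIENT}.</li>
 *   <li>{@code @Order(20)} {@link ApiWebSecurityConfigurationAdapter} –
 *       {@code /api/**}: HTTP Basic, CSRF disabled, plugin-contributed exemptions.</li>
 *   <li>{@code @Order(30)} {@link StandardWebSecurityConfigurerAdapter} – everything
 *       else (the single-page application): form login plus HTTP Basic, cookie-based
 *       CSRF protection, role-based access to the {@code /backend} controllers.</li>
 * </ol>
 */
@Configuration
public class WebSecurityConfig {
    private static final String ALTERNATE_AUTH_PATH = "/auth/**";
    private static final String LOGIN = "/login";
    private static final String LOGOUT = "/logout";
    private static final String ROOT_PATH = "/";
    private static final String CONTROLLERS_ROOT_URL = "/backend";
    /** URL the SPA posts the login form to; handled by Spring's form-login filter. */
    private static final String LOGIN_PROCESSING_URL = CONTROLLERS_ROOT_URL + LOGIN;

    /**
     * Realm advertised in the {@code WWW-Authenticate} challenge of the REST API chain.
     * Shared between {@code httpBasic().realmName(..)} and the custom entry point so the
     * two can never drift apart again (the entry point used to spell it "squah-api").
     */
    private static final String API_REALM = "squash-api";

    /** Backend controllers reachable by project managers as well as administrators. */
    private static final String[] ADMIN_OR_PROJECT_MANAGER_URLS = {
        "/backend/project-view/**",
        "/backend/generic-projects/**",
        "/backend/custom-field-binding/**",
        "/backend/milestones/**",
        "/backend/milestone-view/**",
        "/backend/milestone-binding/**",
        "/backend/scm-repositories/**",
        "/backend/info-list-binding/**",
        "/backend/referential/admin"
    };

    /** Backend controllers reserved to administrators. */
    private static final String[] ADMIN_ONLY_URLS = {
        "/backend/project-templates/**",
        "/backend/projects/**",
        "/backend/bugtracker/**",
        "/backend/bugtrackers/**",
        "/backend/users/**",
        "/backend/custom-field-view/**",
        "/backend/environment-variables/**",
        "/backend/environment-variable-view/**",
        "/backend/info-lists/**",
        "/backend/info-list-items/**",
        "/backend/info-list-view/**",
        "/backend/requirements-links/**",
        "/backend/requirement-link-type/**",
        "/backend/scm-server-view/**",
        "/backend/scm-servers/**",
        "/backend/system/**",
        "/backend/system-view/**",
        "/backend/teams/**",
        "/backend/team-view/**",
        "/backend/test-automation-servers/**",
        "/backend/user-view/**"
    };

    /**
     * Filter chain for the REST API ({@code /api/**}).
     *
     * <p>Stateless clients authenticate with HTTP Basic, so CSRF protection is disabled on
     * this chain. Plugins may contribute {@link ApiSecurityExemptionEndPoint} beans whose
     * patterns are both permitted here and removed from the security filter chain
     * altogether in {@link #configure(WebSecurity)}.
     */
    @Configuration
    @Order(20)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

        // NOTE(review): the placeholder has no ":default", so a missing property fails
        // context startup and the field initializer is never used — confirm intended.
        /** Charset used to decode the Base64 Basic credentials token. */
        @Value("${squash.security.basic.token-charset}")
        private String basicAuthCharset = "ISO-8859-1";

        /**
         * Plugin-contributed endpoints exempt from authentication. Not {@code final}: the
         * initializer is only the fallback kept when no such bean exists
         * ({@code required = false}).
         */
        @Autowired(required = false)
        private Collection<ApiSecurityExemptionEndPoint> apiSecurityExemptionEndPoints = Collections.emptyList();

        /**
         * Removes the exempted patterns from the security filter chain entirely: requests
         * matching them get no authentication, no CSRF check and no security headers.
         *
         * @param webSecurity the builder to configure
         */
        @Override
        public void configure(WebSecurity webSecurity) {
            webSecurity.ignoring().antMatchers(gatherIgnoringAuthUrlPatterns());
        }

        /**
         * Scopes this chain to {@code /api/**}, requires authentication for everything in it
         * except the plugin exemptions, and challenges with HTTP Basic.
         *
         * @param http the builder to configure
         * @throws Exception propagated from the Spring Security builder
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()
                .authorizeRequests()
                    .antMatchers(gatherIgnoringAuthUrlPatterns()).permitAll()
                    .and()
                // antMatcher() restricts the whole chain (not just the rule above) to /api/**
                .antMatcher("/api/**")
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .httpBasic()
                    .withObjectPostProcessor(new BasicAuthCharsetConfigurer(basicAuthCharset))
                    .realmName(API_REALM)
                    .authenticationEntryPoint(new ApiAuthenticationEntryPoint())
                    .and()
                // NOTE(review): this chain only sees /api/** requests, so a /logout matcher
                // registered here is only reachable within that scope — confirm intended.
                .logout()
                    .permitAll()
                    .logoutRequestMatcher(new AntPathRequestMatcher(LOGOUT))
                    .invalidateHttpSession(true)
                    .logoutSuccessUrl(ROOT_PATH);
        }

        /**
         * Concatenates the authentication-exempt URL patterns of every contributed
         * {@link ApiSecurityExemptionEndPoint}.
         *
         * @return the patterns, possibly empty, never {@code null}
         */
        private String[] gatherIgnoringAuthUrlPatterns() {
            List<String> patterns = new ArrayList<>();
            for (ApiSecurityExemptionEndPoint endPoint : apiSecurityExemptionEndPoints) {
                patterns.addAll(endPoint.getIgnoreAuthUrlPatterns());
            }
            return patterns.toArray(new String[0]);
        }
    }

    /**
     * Entry point used by the REST API chain: answers an unauthenticated call with a 401
     * and a Basic challenge, and hints at the two supported ways to authenticate.
     *
     * <p>Because a custom entry point replaces Spring's {@code BasicAuthenticationEntryPoint},
     * the {@code WWW-Authenticate} header has to be written here, using the same
     * {@link #API_REALM} as {@code httpBasic().realmName(..)}.
     */
    private static final class ApiAuthenticationEntryPoint implements AuthenticationEntryPoint {

        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response,
                AuthenticationException authException) throws IOException {
            response.addHeader("WWW-Authenticate", "Basic realm=\"" + API_REALM + "\"");
            // NOTE(review): sendError() hands over to the container's error page, which may
            // override this Content-Type — confirm API clients really receive JSON.
            response.addHeader("Content-Type", "application/json");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    authException.getMessage()
                    + ". You may authenticate using 1/ basic authentication or 2/ fetching a cookie JSESSIONID from /login");
        }
    }

    /**
     * Applies the configured credentials charset to the {@link BasicAuthenticationFilter}
     * that Spring builds for {@code httpBasic()}, since the builder exposes no setter for it.
     */
    private static final class BasicAuthCharsetConfigurer implements ObjectPostProcessor<BasicAuthenticationFilter> {
        private final String charset;

        /**
         * @param charset name of the charset used to decode the Basic credentials token
         */
        public BasicAuthCharsetConfigurer(String charset) {
            this.charset = charset;
        }

        /**
         * Sets the credentials charset on the freshly built filter and returns it unchanged
         * otherwise.
         *
         * @param filter the filter created by the builder
         * @return the same filter instance
         */
        @Override
        public <O extends BasicAuthenticationFilter> O postProcess(O filter) {
            filter.setCredentialsCharset(charset);
            return filter;
        }
    }

    /**
     * Filter chain for the test-automation (Squash TA) callbacks
     * ({@code /automated-executions/**}).
     *
     * <p>Machine-to-machine traffic: HTTP Basic only, CSRF disabled, and every request must
     * carry {@code ROLE_TA_API_CLIENT}.
     */
    @Configuration
    @Order(10)
    public static class SquashTAWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

        // NOTE(review): same placeholder without default as in the API adapter — a missing
        // property fails startup rather than falling back to the initializer.
        /** Charset used to decode the Base64 Basic credentials token. */
        @Value("${squash.security.basic.token-charset}")
        private String basicAuthCharset = "ISO-8859-1";

        /**
         * Exposes the shared {@link AuthenticationManager} as a bean for the rest of the
         * application.
         *
         * @return the authentication manager built by the adapter
         * @throws Exception propagated from the Spring Security builder
         */
        @Override
        @Bean
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }

        /**
         * Scopes this chain to {@code /automated-executions/**} and restricts it to the
         * TA client role over HTTP Basic.
         *
         * @param http the builder to configure
         * @throws Exception propagated from the Spring Security builder
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()
                .antMatcher("/automated-executions/**")
                .authorizeRequests()
                    .anyRequest().access("hasRole('ROLE_TA_API_CLIENT')")
                    .and()
                .httpBasic()
                    .withObjectPostProcessor(new BasicAuthCharsetConfigurer(basicAuthCharset));
        }
    }

    /**
     * Default filter chain, serving the single-page application and its {@code /backend}
     * controllers.
     *
     * <p>Form login (processed at {@link #LOGIN_PROCESSING_URL}) and HTTP Basic are both
     * accepted. CSRF protection uses the double-submit cookie pattern, and session
     * concurrency is tracked but not limited.
     */
    @Configuration
    @Order(30)
    public static class StandardWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        /** Paths that are always reachable without authentication. */
        private static final List<String> DEFAULT_IGNORE_AUTH_URLS = Collections.unmodifiableList(
                Arrays.asList(ROOT_PATH, LOGIN, ALTERNATE_AUTH_PATH, LOGOUT, "/logged-out"));

        /** Public SPA entry points and the backend endpoints needed before logging in. */
        private static final String[] PUBLIC_SPA_URLS = {
            "/backend/login",
            "/backend/logout",
            "/backend/login-page",
            "/backend/version",
            "/index.html",
            LOGIN,
            "/favicon.ico"
        };

        /**
         * Static assets of the SPA. NOTE(review): these rules run before the role-restricted
         * {@code /backend} rules, so any backend URL ending in {@code .js}, {@code .json} or
         * {@code .js.map} would be permitted to everyone — confirm no controller path does.
         */
        private static final String[] STATIC_RESOURCE_URLS = {
            "/*.js",
            "/**/*.js",
            "/**/*.json",
            "/*.js.map",
            "/**/*.js.map",
            "/resources/**",
            "/*.css",
            "/*.ts",
            "/*.ttf",
            "/assets/**"
        };

        /** Enables Spring Security's verbose filter-chain debugging; off by default. */
        @Value("${squash.security.filter.debug.enabled:false}")
        private boolean debugSecurityFilter;

        /** Patterns removed from the security filter chain entirely (no headers, no auth). */
        @Value("${squash.security.ignored:/scripts/**}")
        private String[] securityIgnoredPatterns;

        /** Plugin-contributed auth/CSRF exemptions; empty when no plugin provides any. */
        @Autowired(required = false)
        private Collection<SecurityExemptionEndPoint> securityExemptionEndPoints = Collections.emptyList();

        /** URL unauthenticated browsers are sent to by {@link #mainEntryPoint()}. */
        @Value("${squash.security.preferred-auth-url:/login}")
        private String entryPointUrl = LOGIN;

        /**
         * Registry of live sessions, fed by {@link #httpSessionEventPublisher()}.
         *
         * @return a new in-memory session registry
         */
        @Bean
        public SessionRegistry sessionRegistry() {
            return new SessionRegistryImpl();
        }

        /**
         * Publishes session created/destroyed events so the registry drops dead sessions.
         *
         * @return the servlet listener bean
         */
        @Bean
        public HttpSessionEventPublisher httpSessionEventPublisher() {
            return new HttpSessionEventPublisher();
        }

        /**
         * Applies the debug flag and the configured ignored patterns.
         *
         * @param webSecurity the builder to configure
         * @throws Exception propagated from the Spring Security builder
         */
        @Override
        public void configure(WebSecurity webSecurity) throws Exception {
            webSecurity.debug(debugSecurityFilter).ignoring().antMatchers(securityIgnoredPatterns);
        }

        /**
         * Builds the SPA chain. Authorization rules are evaluated in declaration order and
         * the first match wins, so the public and static-asset rules deliberately precede
         * the role-restricted backend rules.
         *
         * @param http the builder to configure
         * @throws Exception propagated from the Spring Security builder
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.headers()
                    // allow framing by our own origin only
                    .frameOptions().sameOrigin()
                    .and()
                .csrf()
                    // double-submit cookie: the SPA must read XSRF-TOKEN from JS, hence not httpOnly
                    .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                    .ignoringAntMatchers(gatherIgnoringCsrfUrlPatterns())
                    .and()
                // Basic credentials are accepted on the SPA chain too, not only on /api/**
                .httpBasic()
                    .and()
                .authorizeRequests()
                    .antMatchers(gatherIgnoringAuthUrlPatterns()).permitAll()
                    .antMatchers(PUBLIC_SPA_URLS).permitAll()
                    .antMatchers("/plugin/**", "/index").permitAll()
                    .antMatchers(AngularAppPageUrls.getAllUrlsPatterns()).permitAll()
                    .antMatchers(STATIC_RESOURCE_URLS).permitAll()
                    .antMatchers(ADMIN_OR_PROJECT_MANAGER_URLS).access(Authorizations.HAS_ROLE_ADMIN_OR_PROJECT_MANAGER)
                    .antMatchers(ADMIN_ONLY_URLS).access(Authorizations.HAS_ROLE_ADMIN)
                    .anyRequest().authenticated()
                    .and()
                .exceptionHandling()
                    .authenticationEntryPoint(mainEntryPoint())
                    .and()
                .formLogin()
                    .loginProcessingUrl(LOGIN_PROCESSING_URL)
                    .successHandler(singlePageAppAuthenticationSuccessHandler())
                    .failureHandler(singlePageAppAuthenticationFailureHandler())
                    .and()
                .sessionManagement()
                    // -1: sessions are tracked in the registry but never capped per user
                    .maximumSessions(-1)
                    .sessionRegistry(sessionRegistry());
        }

        /**
         * @return handler answering a successful SPA login
         */
        @Bean
        public SinglePageAppAuthenticationSuccessHandler singlePageAppAuthenticationSuccessHandler() {
            return new SinglePageAppAuthenticationSuccessHandler();
        }

        /**
         * @return handler answering a failed SPA login
         */
        @Bean
        public SinglePageAppAuthenticationFailureHandler singlePageAppAuthenticationFailureHandler() {
            return new SinglePageAppAuthenticationFailureHandler();
        }

        /**
         * @return entry point redirecting unauthenticated requests to {@code entryPointUrl}
         */
        @Bean
        public AuthenticationEntryPoint mainEntryPoint() {
            return new MainEntryPoint(entryPointUrl);
        }

        /**
         * CSRF-exempt patterns: the alternate authentication path plus whatever the plugins
         * contribute.
         *
         * @return the patterns, never {@code null}
         */
        private String[] gatherIgnoringCsrfUrlPatterns() {
            List<String> patterns = new ArrayList<>();
            patterns.add(ALTERNATE_AUTH_PATH);
            for (SecurityExemptionEndPoint endPoint : securityExemptionEndPoints) {
                patterns.addAll(endPoint.getIgnoreCsrfUrlPatterns());
            }
            return patterns.toArray(new String[0]);
        }

        /**
         * Authentication-exempt patterns: {@link #DEFAULT_IGNORE_AUTH_URLS} plus whatever the
         * plugins contribute.
         *
         * @return the patterns, never {@code null}
         */
        private String[] gatherIgnoringAuthUrlPatterns() {
            List<String> patterns = new ArrayList<>(DEFAULT_IGNORE_AUTH_URLS);
            for (SecurityExemptionEndPoint endPoint : securityExemptionEndPoints) {
                patterns.addAll(endPoint.getIgnoreAuthUrlPatterns());
            }
            return patterns.toArray(new String[0]);
        }
    }
}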
