package org.squashtest.tm.web.config;

import jakarta.inject.Inject;
import jakarta.inject.Named;
import jakarta.servlet.Filter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.function.Supplier;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.core.env.Environment;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.authorization.AuthenticatedAuthorizationManager;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.AuthorizationFilter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.util.StringUtils;
import org.squashtest.tm.api.security.acls.Roles;
import org.squashtest.tm.api.security.authentication.ConditionalOnAuthProviderProperty;
import org.squashtest.tm.api.security.authentication.SecurityExemptionEndPoint;
import org.squashtest.tm.service.internal.security.InternalAuthenticationProviderFeatures;
import org.squashtest.tm.service.internal.security.SquashDaoAuthenticationProvider;
import org.squashtest.tm.service.internal.security.SquashUserDetailsManager;
import org.squashtest.tm.service.internal.security.SquashUserDetailsManagerImpl;
import org.squashtest.tm.web.security.authentication.SinglePageAppAuthenticationFailureHandler;
import org.squashtest.tm.web.security.authentication.SinglePageAppAuthenticationSuccessHandler;

@Configuration
/* loaded from: input_file:WEB-INF/classes/org/squashtest/tm/web/config/WebSecurityConfig.class */
public class WebSecurityConfig {
    private static final String ALTERNATE_AUTH_PATH = "/auth/**";
    private static final String LOGIN = "/login";
    private static final String LOGOUT = "/logout";
    private static final String ROOT_PATH = "/";
    private static final String CONTROLLERS_ROOT_URL = "/backend";
    private static final String[] ADMIN_ONLY_URLS = {"/backend/ai-servers/**", "/backend/bugtracker/**", "/backend/bugtrackers/**", "/backend/custom-field-view/**", "/backend/environment-variable-view/**", "/backend/info-list-items/**", "/backend/info-list-view/**", "/backend/info-lists/**", "/backend/profile-view/**", "/backend/project-templates/**", "/backend/projects/**", "/backend/requirement-link-type/**", "/backend/requirements-links/**", "/backend/scm-server-view/**", "/backend/scm-servers/**", "/backend/system/**", "/backend/team-view/**", "/backend/teams/**", "/backend/test-automation-servers/**", "/backend/user-view/**", "/backend/users/**", "/backend/users/**"};

    @Value("${squash.security.basic.token-charset}")
    private static String basicAuthCharset = "ISO-8859-1";

    @Configuration
    /* loaded from: input_file:WEB-INF/classes/org/squashtest/tm/web/config/WebSecurityConfig$ActuatorWebSecurityConfigurationAdapter.class */
    public static class ActuatorWebSecurityConfigurationAdapter {

        @Value("${squash.cloud-mode-enabled:false}")
        private boolean needsInfrastructureAdmin;

        @Bean
        @Order(15)
        protected SecurityFilterChain actuatorFilterChain(HttpSecurity httpSecurity, JwtTokenFilter jwtTokenFilter, CustomAccessDeniedHandler customAccessDeniedHandler) throws Exception {
            String str = this.needsInfrastructureAdmin ? Roles.ROLE_INFRASTRUCTURE_ADMIN : Roles.ROLE_ADMIN;
            httpSecurity.csrf((v0) -> {
                v0.disable();
            }).securityMatcher("/actuator/**").authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> {
                authorizationManagerRequestMatcherRegistry.anyRequest().hasAuthority(str);
            }).exceptionHandling(exceptionHandlingConfigurer -> {
                exceptionHandlingConfigurer.accessDeniedHandler(customAccessDeniedHandler);
            }).httpBasic(httpBasicConfigurer -> {
                httpBasicConfigurer.withObjectPostProcessor(new BasicAuthCharsetConfigurer(WebSecurityConfig.basicAuthCharset));
            });
            httpSecurity.addFilterBefore((Filter) jwtTokenFilter, UsernamePasswordAuthenticationFilter.class);
            return httpSecurity.build();
        }
    }

    @Configuration
    /* loaded from: input_file:WEB-INF/classes/org/squashtest/tm/web/config/WebSecurityConfig$ApiWebSecurityConfigurationAdapter.class */
    public static class ApiWebSecurityConfigurationAdapter {
        @Bean
        CustomRestApiBasicAuthFilter customRestApiBasicAuthFilter() {
            return new CustomRestApiBasicAuthFilter();
        }

        @Bean
        @Order(20)
        protected SecurityFilterChain apiFilterChain(HttpSecurity httpSecurity, JwtTokenFilter jwtTokenFilter, CustomAccessDeniedHandler customAccessDeniedHandler, DenyInfrastructureAdminFilter denyInfrastructureAdminFilter) throws Exception {
            httpSecurity.csrf((v0) -> {
                v0.disable();
            }).securityMatcher("/api/**").authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> {
                authorizationManagerRequestMatcherRegistry.anyRequest().authenticated();
            }).httpBasic(httpBasicConfigurer -> {
                httpBasicConfigurer.withObjectPostProcessor(new BasicAuthCharsetConfigurer(WebSecurityConfig.basicAuthCharset)).realmName("squash-api").authenticationEntryPoint((httpServletRequest, httpServletResponse, authenticationException) -> {
                    httpServletResponse.addHeader("WWW-Authenticate", "Basic realm=\"squah-api\"");
                    httpServletResponse.addHeader("Content-Type", "application/json");
                    httpServletResponse.sendError(401, authenticationException.getMessage() + ". You may authenticate using 1/ basic authentication or 2/ fetching a cookie JSESSIONID from /login");
                });
            }).exceptionHandling(exceptionHandlingConfigurer -> {
                exceptionHandlingConfigurer.accessDeniedHandler(customAccessDeniedHandler);
            }).logout(logoutConfigurer -> {
                logoutConfigurer.logoutUrl(WebSecurityConfig.LOGOUT).invalidateHttpSession(true).logoutSuccessUrl("/").permitAll();
            });
            httpSecurity.addFilterBefore((Filter) customRestApiBasicAuthFilter(), BasicAuthenticationFilter.class);
            httpSecurity.addFilterBefore((Filter) jwtTokenFilter, UsernamePasswordAuthenticationFilter.class);
            httpSecurity.addFilterAfter((Filter) denyInfrastructureAdminFilter, AuthorizationFilter.class);
            return httpSecurity.build();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/classes/org/squashtest/tm/web/config/WebSecurityConfig$BasicAuthCharsetConfigurer.class */
    public static final class BasicAuthCharsetConfigurer extends Record implements ObjectPostProcessor<BasicAuthenticationFilter> {
        private final String charset;

        private BasicAuthCharsetConfigurer(String str) {
            this.charset = str;
        }

        @Override // org.springframework.security.config.annotation.ObjectPostProcessor
        public <O extends BasicAuthenticationFilter> O postProcess(O o) {
            o.setCredentialsCharset(this.charset);
            return o;
        }

        public String charset() {
            return this.charset;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, BasicAuthCharsetConfigurer.class), BasicAuthCharsetConfigurer.class, "charset", "FIELD:Lorg/squashtest/tm/web/config/WebSecurityConfig$BasicAuthCharsetConfigurer;->charset:Ljava/lang/String;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, BasicAuthCharsetConfigurer.class), BasicAuthCharsetConfigurer.class, "charset", "FIELD:Lorg/squashtest/tm/web/config/WebSecurityConfig$BasicAuthCharsetConfigurer;->charset:Ljava/lang/String;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, BasicAuthCharsetConfigurer.class, Object.class), BasicAuthCharsetConfigurer.class, "charset", "FIELD:Lorg/squashtest/tm/web/config/WebSecurityConfig$BasicAuthCharsetConfigurer;->charset:Ljava/lang/String;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }
    }

    @Configuration
    /* loaded from: input_file:WEB-INF/classes/org/squashtest/tm/web/config/WebSecurityConfig$SquashTAWebSecurityConfigurationAdapter.class */
    public static class SquashTAWebSecurityConfigurationAdapter {
        @Bean
        @Order(10)
        protected SecurityFilterChain squashTaFilterChain(HttpSecurity httpSecurity) throws Exception {
            httpSecurity.csrf((v0) -> {
                v0.disable();
            }).securityMatcher("/automated-executions/**").authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> {
                authorizationManagerRequestMatcherRegistry.anyRequest().hasRole("TA_API_CLIENT");
            }).httpBasic(httpBasicConfigurer -> {
                httpBasicConfigurer.withObjectPostProcessor(new BasicAuthCharsetConfigurer(WebSecurityConfig.basicAuthCharset));
            });
            return httpSecurity.build();
        }
    }

    @Configuration
    /* loaded from: input_file:WEB-INF/classes/org/squashtest/tm/web/config/WebSecurityConfig$StandardWebSecurityConfigurerAdapter.class */
    public static class StandardWebSecurityConfigurerAdapter {
        private static final List<String> DEFAULT_IGNORE_AUTH_URLS = Arrays.asList("/", "/login", WebSecurityConfig.ALTERNATE_AUTH_PATH, WebSecurityConfig.LOGOUT, "/logged-out");

        @Value("${squash.security.filter.debug.enabled:false}")
        private boolean debugSecurityFilter;

        @Value("${squash.security.ignored:/scripts/**}")
        private String[] secIngored;

        @Autowired
        private Environment environment;

        @Value("${authentication.provider:internal}")
        private String authenticationProvider;

        @Inject
        @Named("userDetailsManager.caseSensitive")
        private SquashUserDetailsManager caseSensitive;

        @Inject
        @Named("userDetailsManager.caseInsensitive")
        private SquashUserDetailsManager caseInsensitive;

        @Autowired(required = false)
        private Collection<SecurityExemptionEndPoint> securityExemptionEndPoints = Collections.emptyList();

        @Value("${squash.security.preferred-auth-url:/login}")
        private String entryPointUrl = "/login";

        /* loaded from: input_file:WEB-INF/classes/org/squashtest/tm/web/config/WebSecurityConfig$StandardWebSecurityConfigurerAdapter$SpaCsrfTokenRequestHandler.class */
        static final class SpaCsrfTokenRequestHandler implements CsrfTokenRequestHandler {
            private final CsrfTokenRequestHandler plain = new CsrfTokenRequestAttributeHandler();
            private final CsrfTokenRequestHandler xor = new XorCsrfTokenRequestAttributeHandler();

            SpaCsrfTokenRequestHandler() {
            }

            @Override // org.springframework.security.web.csrf.CsrfTokenRequestHandler
            public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Supplier<CsrfToken> supplier) {
                this.xor.handle(httpServletRequest, httpServletResponse, supplier);
                supplier.get();
            }

            @Override // org.springframework.security.web.csrf.CsrfTokenRequestHandler, org.springframework.security.web.csrf.CsrfTokenRequestResolver
            public String resolveCsrfTokenValue(HttpServletRequest httpServletRequest, CsrfToken csrfToken) {
                return (StringUtils.hasText(httpServletRequest.getHeader(csrfToken.getHeaderName())) ? this.plain : this.xor).resolveCsrfTokenValue(httpServletRequest, csrfToken);
            }
        }

        @Bean
        public SessionRegistry sessionRegistry() {
            return new SessionRegistryImpl();
        }

        @Bean
        public HttpSessionEventPublisher httpSessionEventPublisher() {
            return new HttpSessionEventPublisher();
        }

        @Bean
        public WebSecurityCustomizer standardWebSecurityCustomizer() {
            return webSecurity -> {
                webSecurity.debug(this.debugSecurityFilter).ignoring().requestMatchers(this.secIngored);
            };
        }

        @ConditionalOnAuthProviderProperty(value = InternalAuthenticationProviderFeatures.NAME, matchIfMissing = true)
        @Bean
        public DaoAuthenticationProvider internalDaoAuthenticationProvider(SquashUserDetailsManager squashUserDetailsManager, PasswordEncoder passwordEncoder) {
            SquashDaoAuthenticationProvider squashDaoAuthenticationProvider = new SquashDaoAuthenticationProvider();
            squashDaoAuthenticationProvider.setUserDetailsService(squashUserDetailsManager);
            squashDaoAuthenticationProvider.setPasswordEncoder(passwordEncoder);
            return squashDaoAuthenticationProvider;
        }

        @Bean
        @Order(30)
        protected SecurityFilterChain standardFilterChain(HttpSecurity httpSecurity, SquashUserDetailsManager squashUserDetailsManager, PasswordEncoder passwordEncoder) throws Exception {
            configureInternalAuthenticationProvider(httpSecurity, squashUserDetailsManager, passwordEncoder);
            configureCsrf(httpSecurity).headers(headersConfigurer -> {
                headersConfigurer.frameOptions((v0) -> {
                    v0.sameOrigin();
                });
            }).httpBasic(Customizer.withDefaults()).authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> {
                authorizationManagerRequestMatcherRegistry.requestMatchers(gatherIgnoringAuthUrlPatterns()).permitAll().requestMatchers("/backend/login", "/backend/logout", "/backend/login-page", "/backend/version", "/index.html", "/login", "/favicon.ico").permitAll().requestMatchers("/plugin/**", "/index").permitAll().requestMatchers(AngularAppPageUrls.getAllUrlsPatterns()).permitAll().requestMatchers("/*.js", "/**.js", "/**.json", "/*.js.map", "/**.js.map", "/resources/**", "/*.css", "/*.ts", "/*.ttf", "/assets/**").permitAll().requestMatchers(WebSecurityConfig.ADMIN_ONLY_URLS).hasAuthority(Roles.ROLE_ADMIN).anyRequest().access((supplier, requestAuthorizationContext) -> {
                    return checkAccess((Authentication) supplier.get());
                });
            }).exceptionHandling(exceptionHandlingConfigurer -> {
                exceptionHandlingConfigurer.authenticationEntryPoint(mainEntryPoint());
            }).formLogin(formLoginConfigurer -> {
                formLoginConfigurer.loginProcessingUrl("/backend/login").successHandler(singlePageAppAuthenticationSuccessHandler()).failureHandler(singlePageAppAuthenticationFailureHandler());
            }).sessionManagement(sessionManagementConfigurer -> {
                sessionManagementConfigurer.maximumSessions(-1).sessionRegistry(sessionRegistry());
            });
            DefaultSecurityFilterChain build = httpSecurity.build();
            AuthenticationManager authenticationManager = (AuthenticationManager) httpSecurity.getSharedObject(AuthenticationManager.class);
            ((SquashUserDetailsManagerImpl) this.caseSensitive).setAuthenticationManager(authenticationManager);
            ((SquashUserDetailsManagerImpl) this.caseInsensitive).setAuthenticationManager(authenticationManager);
            return build;
        }

        private AuthorizationDecision checkAccess(Authentication authentication) {
            AuthorizationDecision check = AuthenticatedAuthorizationManager.authenticated().check(() -> {
                return authentication;
            }, null);
            return check.isGranted() ? new AuthorizationDecision(authentication.getAuthorities().stream().noneMatch(grantedAuthority -> {
                return Roles.ROLE_INFRASTRUCTURE_ADMIN.equals(grantedAuthority.getAuthority()) || Roles.ROLE_TA_API_CLIENT.equals(grantedAuthority.getAuthority());
            })) : check;
        }

        private void configureInternalAuthenticationProvider(HttpSecurity httpSecurity, SquashUserDetailsManager squashUserDetailsManager, PasswordEncoder passwordEncoder) {
            if (this.authenticationProvider.contains(InternalAuthenticationProviderFeatures.NAME)) {
                httpSecurity.authenticationProvider((AuthenticationProvider) internalDaoAuthenticationProvider(squashUserDetailsManager, passwordEncoder));
            }
        }

        private HttpSecurity configureCsrf(HttpSecurity httpSecurity) throws Exception {
            if (isTestProfileActive()) {
                httpSecurity.csrf((v0) -> {
                    v0.disable();
                });
            } else {
                httpSecurity.csrf(csrfConfigurer -> {
                    csrfConfigurer.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler()).ignoringRequestMatchers(gatherIgnoringCsrfUrlPatterns());
                });
            }
            return httpSecurity;
        }

        private boolean isTestProfileActive() {
            return Arrays.asList(this.environment.getActiveProfiles()).contains("test");
        }

        @Bean
        public SinglePageAppAuthenticationSuccessHandler singlePageAppAuthenticationSuccessHandler() {
            return new SinglePageAppAuthenticationSuccessHandler();
        }

        @Bean
        public SinglePageAppAuthenticationFailureHandler singlePageAppAuthenticationFailureHandler() {
            return new SinglePageAppAuthenticationFailureHandler();
        }

        @Bean
        public AuthenticationEntryPoint mainEntryPoint() {
            return new MainEntryPoint(this.entryPointUrl);
        }

        private String[] gatherIgnoringCsrfUrlPatterns() {
            ArrayList arrayList = new ArrayList(Collections.singletonList(WebSecurityConfig.ALTERNATE_AUTH_PATH));
            Iterator<SecurityExemptionEndPoint> it = this.securityExemptionEndPoints.iterator();
            while (it.hasNext()) {
                arrayList.addAll(it.next().getIgnoreCsrfUrlPatterns());
            }
            return (String[]) arrayList.toArray(new String[0]);
        }

        @Bean
        public HttpFirewall customHttpFirewall() {
            StrictHttpFirewall strictHttpFirewall = new StrictHttpFirewall();
            strictHttpFirewall.setAllowSemicolon(true);
            strictHttpFirewall.setAllowUrlEncodedPercent(true);
            return strictHttpFirewall;
        }

        private String[] gatherIgnoringAuthUrlPatterns() {
            ArrayList arrayList = new ArrayList(DEFAULT_IGNORE_AUTH_URLS);
            Iterator<SecurityExemptionEndPoint> it = this.securityExemptionEndPoints.iterator();
            while (it.hasNext()) {
                arrayList.addAll(it.next().getIgnoreAuthUrlPatterns());
            }
            return (String[]) arrayList.toArray(new String[0]);
        }
    }
}
