package de.rtb.pcon.config.security;

import de.rtb.pcon.config.DevelopmentProperties;
import de.rtb.pcon.model.UserRole;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import javax.sql.DataSource;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springdoc.core.utils.Constants;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.JdbcUserDetailsManager;
import org.springframework.security.provisioning.UserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

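/**
 * Web security configuration: JDBC-backed user store, URL authorization rules,
 * form and HTTP Basic login, and cookie-based CSRF protection.
 *
 * <p>Authorization rules are evaluated in declaration order and the first
 * matching rule wins. No {@code anyRequest()} rule is declared, so a path that
 * matches none of the rules falls back to the framework default (Spring
 * Security 6's {@code AuthorizationFilter} denies unmatched requests; confirm
 * for the version in use, or add an explicit {@code anyRequest().denyAll()}).
 */
@EnableWebSecurity
@Configuration
@EnableMethodSecurity(prePostEnabled = true, jsr250Enabled = true)
public class HttpSecurityConfig {
    private static final Logger log = LoggerFactory.getLogger(HttpSecurityConfig.class);

    /**
     * Request path exempted from CSRF token validation in {@link #web}.
     * NOTE(review): if this endpoint changes state and is reachable with the
     * session cookie alone, the exemption leaves it open to cross-site requests;
     * confirm it is read-only or authenticated by a non-cookie credential.
     */
    private static final String CSRF_EXEMPT_PATH = "/api/pcon/ui/zones/*/bonus/disposable/codes/list";

    /**
     * Resolves the deferred CSRF token on every request so that the
     * {@link CookieCsrfTokenRepository} emits the token cookie in the response
     * (the token is otherwise only loaded when a protected request is checked).
     * Runs after {@link BasicAuthenticationFilter}, i.e. after the CsrfFilter
     * has stored the token under the {@code CsrfToken} request attribute.
     */
    private static final class CsrfCookieFilter extends OncePerRequestFilter {
        private CsrfCookieFilter() {
        }

        /**
         * Touches the CSRF token attribute, then continues the chain.
         *
         * @param request  current request; the token is read from its
         *                 {@code CsrfToken.class.getName()} attribute
         * @param response current response
         * @param chain    remaining filter chain, always continued
         */
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
                throws ServletException, IOException {
            CsrfToken csrfToken = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
            // The attribute is absent only when the CsrfFilter did not run for this
            // request; skipping is safer than failing the request with an NPE.
            if (csrfToken != null) {
                // getToken() is what forces the deferred token to be loaded and the cookie written.
                csrfToken.getToken();
            }
            chain.doFilter(request, response);
        }
    }

    /**
     * JDBC user store reading credentials and authorities from the
     * {@code control} schema. Both lookups are parameterized queries.
     *
     * @param passwordEncoder not used by this bean (the authentication provider
     *                        resolves the encoder bean itself); presumably kept
     *                        to pin bean creation order - confirm before removing
     * @param dataSource      database the user and role tables live in
     * @return the configured user details manager
     */
    @Bean
    UserDetailsManager userDetailManager(PasswordEncoder passwordEncoder, DataSource dataSource) {
        // The constructor already installs the data source; no separate setter call needed.
        JdbcUserDetailsManager manager = new JdbcUserDetailsManager(dataSource);
        manager.setUsersByUsernameQuery(
                "select usa_login, usa_password, usa_enabled from control.user_authentication where usa_login=?");
        manager.setAuthoritiesByUsernameQuery(
                "select usa_login, usr_role from control.user_authentication left join control.user_role on usa_id = usr_user_id where usa_login=?");
        return manager;
    }

    /**
     * Builds the single security filter chain.
     *
     * @param httpSecurity          builder supplied by Spring Security
     * @param developmentProperties development switches; {@code disableCsrf}
     *                              turns CSRF protection off entirely
     * @param wanSecurityProps      {@code freeActuators} makes {@code /actuator/**}
     *                              reachable without authentication
     * @return the built filter chain
     * @throws Exception propagated from {@link HttpSecurity#build()}
     */
    @Bean
    SecurityFilterChain web(HttpSecurity httpSecurity, DevelopmentProperties developmentProperties,
            WanSecurityProps wanSecurityProps) throws Exception {
        httpSecurity.authorizeHttpRequests(auth -> {
            auth.requestMatchers("/", DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL, "/login.html",
                            "/logout", "/logout.html", "/error", "/error.html").permitAll()
                    .requestMatchers("/file/download/job/**").authenticated()
                    .requestMatchers("/api/export/v1/**").hasAuthority(UserRole.ROLE_PCON_VIEW.name())
                    .requestMatchers("/api/enforcement/v1/**").hasAuthority(UserRole.ROLE_ENFORCEMENT_VIEW.name())
                    .requestMatchers("/api/enforcement/aims2/**").hasAuthority(UserRole.ROLE_ENFORCEMENT_VIEW.name())
                    .requestMatchers("/api/pcon/ui/**").hasAuthority(UserRole.ROLE_PCON_VIEW.name())
                    .requestMatchers("/control/**").authenticated()
                    .requestMatchers(Constants.DEFAULT_SWAGGER_UI_PATH, "/swagger-ui/**", "/api-docs/v3/**")
                            .hasAuthority(UserRole.ROLE_GENERAL_VIEW_API_DOC.name())
                    .requestMatchers("/welcome.html").hasAuthority(UserRole.ROLE_PCON_VIEW.name());
            // Actuator exposure is an operator decision: when "free", every exposed
            // actuator endpoint is anonymous, so keep the exposed set minimal there.
            if (wanSecurityProps.isFreeActuators()) {
                auth.requestMatchers("/actuator/**").permitAll();
            } else {
                auth.requestMatchers("/actuator/**").hasAuthority(UserRole.ROLE_GENERAL_SERVER_MONITOR.name());
            }
        })
                // Custom login page, but credentials are still posted to the default "/login" URL.
                .formLogin(form -> form
                        .loginProcessingUrl(DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL)
                        .loginPage("/login.html"))
                // The original lambda only evaluated Customizer.withDefaults() without
                // applying it, which is equivalent to the defaults; say so directly.
                .logout(Customizer.withDefaults())
                .httpBasic(Customizer.withDefaults());

        if (developmentProperties.isDisableCsrf()) {
            httpSecurity.csrf(csrf -> csrf.disable());
            log.warn("CSRF token is disabled. Do not use in production!");
        } else {
            // httpOnly=false on purpose: the browser client reads the cookie and echoes
            // the token in a header. That makes the token readable by any script on the
            // page, so the XSS posture of the front end matters for CSRF as well.
            CookieCsrfTokenRepository tokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse();
            // Plain (non-XOR) handler: the raw token value travels in the request.
            CsrfTokenRequestAttributeHandler requestHandler = new CsrfTokenRequestAttributeHandler();
            httpSecurity.csrf(csrf -> csrf
                            .csrfTokenRepository(tokenRepository)
                            .csrfTokenRequestHandler(requestHandler)
                            .ignoringRequestMatchers(new AntPathRequestMatcher(CSRF_EXEMPT_PATH)))
                    .addFilterAfter(new CsrfCookieFilter(), BasicAuthenticationFilter.class);
        }
        return httpSecurity.build();
    }
}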
