package org.apereo.cas.mgmt.config;

import java.util.List;
import javax.servlet.Filter;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.CasManagementConfigurationProperties;
import org.pac4j.core.authorization.authorizer.Authorizer;
import org.pac4j.core.client.Client;
import org.pac4j.core.client.Clients;
import org.pac4j.core.config.Config;
import org.pac4j.core.matching.matcher.PathMatcher;
import org.pac4j.springframework.security.web.CallbackFilter;
import org.pac4j.springframework.security.web.SecurityFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.web.ServerProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

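/**
 * Spring Security wiring for the CAS management web application.
 *
 * <p>Builds the pac4j {@link Config} (clients, the {@code mgmtAuthorizer} authorizer and the
 * {@code excludedPath} matcher) and registers a {@link WebSecurityConfigurerAdapter} that installs
 * the pac4j callback filter plus, depending on configuration, a CAS SSO and/or static-IP
 * {@link SecurityFilter} in front of {@link BasicAuthenticationFilter}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The callback URL is built from configured properties, not from request data.</li>
 *   <li>A {@link SecurityFilter} is installed only when {@code isCasSso()} is true or
 *       {@code getAuthzIpRegex()} is non-blank. NOTE(review): when neither is set this adapter only
 *       adds the callback filter on {@code /callback/**}; confirm how the remaining paths are
 *       protected in that deployment mode.</li>
 *   <li>When both are set, both filters are added to the same chain.</li>
 * </ul>
 */
@EnableConfigurationProperties({CasConfigurationProperties.class, ServerProperties.class, CasManagementConfigurationProperties.class})
@Configuration(value = "casManagementSecurityConfiguration", proxyBeanMethods = false)
@EnableWebSecurity
/* loaded from: input_file:WEB-INF/lib/cas-mgmt-webapp-config-6.6.0.jar:org/apereo/cas/mgmt/config/CasManagementSecurityConfiguration.class */
public class CasManagementSecurityConfiguration {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(CasManagementSecurityConfiguration.class);

    /**
     * Builds the absolute pac4j callback URL as {@code serverName + contextPath + callback suffix}.
     *
     * @param serverProperties source of the servlet context path
     * @param casManagementConfigurationProperties source of the externally visible server name
     * @return the callback URL handed to every pac4j client
     * @throws NullPointerException if the configured server name is {@code null}
     */
    private static String getDefaultCallbackUrl(ServerProperties serverProperties, CasManagementConfigurationProperties casManagementConfigurationProperties) {
        // The context path may be null when the application is deployed at the root; String.concat(null)
        // would throw, so treat an unset context path as empty.
        String contextPath = StringUtils.defaultString(serverProperties.getServlet().getContextPath());
        // concat (not '+') is kept on purpose: a missing server name still fails fast instead of
        // silently producing a callback URL that starts with the text "null".
        return casManagementConfigurationProperties.getServerName()
                .concat(contextPath)
                .concat(CallbackFilter.DEFAULT_CALLBACK_SUFFIX);
    }

    /**
     * Adds {@code securityFilter} ahead of {@link BasicAuthenticationFilter} on {@code /**} and applies
     * the session, CSRF, framing and transport settings shared by the CAS SSO and static-IP modes.
     *
     * @param httpSecurity the chain being configured
     * @param securityFilter the pac4j filter that authenticates and authorizes requests
     * @throws Exception propagated from the Spring Security builders
     */
    private static void secureAllRequests(HttpSecurity httpSecurity, SecurityFilter securityFilter) throws Exception {
        // antMatcher sets the chain's request matcher; after this call the chain applies to every path.
        httpSecurity.antMatcher("/**")
                .addFilterBefore(securityFilter, BasicAuthenticationFilter.class)
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.ALWAYS);
        // The CSRF token cookie is issued without HttpOnly so that page script can read it and send it
        // back with state-changing requests. Any script running in the page can read it as well, so
        // CSRF protection here depends on the application being free of script injection.
        httpSecurity.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
        // Framing is allowed for same-origin pages only.
        httpSecurity.headers().frameOptions().sameOrigin();
        // Every request must arrive over a secure channel.
        // NOTE(review): behind a TLS-terminating proxy this relies on forwarded-scheme handling being
        // configured; confirm for the deployment.
        httpSecurity.requiresChannel().anyRequest().requiresSecure();
    }

    /**
     * Creates the pac4j configuration used by the callback and security filters.
     *
     * @param serverProperties used to derive the callback URL
     * @param list the pac4j clients to register
     * @param authorizer registered under the name {@code mgmtAuthorizer}
     * @param casManagementConfigurationProperties used to derive the callback URL
     * @return the populated pac4j {@link Config}
     */
    @ConditionalOnMissingBean(name = {"pac4jClientConfiguration"})
    @Bean
    public Config pac4jClientConfiguration(ServerProperties serverProperties, List<Client> list, @Qualifier("managementWebappAuthorizer") Authorizer authorizer, CasManagementConfigurationProperties casManagementConfigurationProperties) {
        String callbackUrl = getDefaultCallbackUrl(serverProperties, casManagementConfigurationProperties);
        Config config = new Config(new Clients(callbackUrl, list));
        config.addAuthorizer("mgmtAuthorizer", authorizer);
        // Paths ending in .css, .png or .ico are excluded from any SecurityFilter that references this
        // matcher. NOTE(review): the exclusion is by suffix anywhere under "/", not by static-resource
        // directory; confirm that no non-static handler can be reached through a path with one of
        // these suffixes.
        config.addMatcher("excludedPath", new PathMatcher().excludeRegex("^/.*\\.(css|png|ico)$"));
        return config;
    }

    /**
     * Creates the adapter that attaches the pac4j filters to the Spring Security chain.
     *
     * @param casManagementConfigurationProperties decides which security filters are installed
     * @param config the pac4j configuration shared by all filters
     * @return the configurer adapter
     */
    @Bean
    public WebSecurityConfigurerAdapter callbackFilterAdapter(final CasManagementConfigurationProperties casManagementConfigurationProperties, @Qualifier("pac4jClientConfiguration") final Config config) {
        return new WebSecurityConfigurerAdapter() { // from class: org.apereo.cas.mgmt.config.CasManagementSecurityConfiguration.1
            @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
            protected void configure(HttpSecurity httpSecurity) throws Exception {
                LOGGER.debug("Configuring Callback security filter");
                httpSecurity.antMatcher("/callback/**").addFilterBefore(new CallbackFilter(config), BasicAuthenticationFilter.class);

                if (casManagementConfigurationProperties.isCasSso()) {
                    LOGGER.debug("Configuring CAS security filter");
                    SecurityFilter casFilter = new SecurityFilter(config, "CasClient", "mgmtAuthorizer");
                    // Static assets matched by "excludedPath" skip CAS authentication.
                    casFilter.setMatchers("excludedPath");
                    secureAllRequests(httpSecurity, casFilter);
                }

                if (StringUtils.isNotBlank(casManagementConfigurationProperties.getAuthzIpRegex())) {
                    LOGGER.debug("Configuring Static IP security filter.");
                    // NOTE(review): unlike the CAS filter, no "excludedPath" matcher is set here, so the
                    // IP check also covers static assets; confirm the difference is intended.
                    secureAllRequests(httpSecurity, new SecurityFilter(config, "IpClient", "mgmtAuthorizer"));
                }
            }
        };
    }
}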
