package org.apereo.cas.config;

import java.io.InputStream;
import java.util.Properties;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.core.web.security.AdminPagesSecurityProperties;
import org.apereo.cas.util.ResourceUtils;
import org.apereo.cas.web.pac4j.CasSecurityInterceptor;
import org.pac4j.cas.authorization.DefaultCasAuthorizationGenerator;
import org.pac4j.cas.client.direct.DirectCasClient;
import org.pac4j.cas.config.CasConfiguration;
import org.pac4j.core.authorization.authorizer.IsAuthenticatedAuthorizer;
import org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer;
import org.pac4j.core.authorization.generator.SpringSecurityPropertiesAuthorizationGenerator;
import org.pac4j.core.config.Config;
import org.pac4j.http.client.direct.IpClient;
import org.pac4j.http.credentials.authenticator.IpRegexpAuthenticator;
import org.pac4j.springframework.web.SecurityInterceptor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.actuate.endpoint.mvc.EndpointHandlerMappingCustomizer;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.Resource;
import org.springframework.jdbc.datasource.init.ScriptUtils;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
import org.springframework.web.servlet.mvc.WebContentInterceptor;

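/**
 * Spring MVC configuration that wires the interceptors guarding {@code /status/**}
 * and the actuator endpoint mappings.
 *
 * <p>Two access-control paths are built here:
 * <ul>
 *   <li>an IP-based check, where the client address is matched against the regular
 *       expression configured under the admin pages security properties;</li>
 *   <li>a CAS-login based check, used only when both a login URL and a service are
 *       configured, optionally restricted to users/roles loaded from a properties
 *       resource.</li>
 * </ul>
 *
 * <p>When the CAS-login configuration is absent or fails to build, the admin
 * endpoints fall back to the IP-based check alone (see
 * {@link #requiresAuthenticationStatusAdminEndpointsInterceptor()}).
 */
@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration("casSecurityContextConfiguration")
/* loaded from: input_file:WEB-INF/lib/cas-server-webapp-config-5.2.5.jar:org/apereo/cas/config/CasSecurityContextConfiguration.class */
public class CasSecurityContextConfiguration extends WebMvcConfigurerAdapter {
    private static final Logger LOGGER = LoggerFactory.getLogger(CasSecurityContextConfiguration.class);
    private static final String CAS_CLIENT_NAME = "CasClient";

    /**
     * Matches a request URI that ends in {@code /status}, optionally followed by slashes.
     * Compiled once instead of on every request.
     */
    private static final Pattern STATUS_ROOT_PATTERN = Pattern.compile("/status(/)*$");

    @Autowired
    private CasConfigurationProperties casProperties;

    /**
     * Dispatches requests under {@code /status/**} to one of the two security interceptors.
     *
     * <p>NOTE(review): the routing decision is made on {@code getRequestURI()}, which the
     * servlet API returns undecoded, and the pattern is only anchored at the end. Any
     * URI that ends in {@code /status} is therefore sent to the IP-based check rather
     * than the admin-endpoints check; confirm that no endpoint path other than the
     * status root can end that way.
     */
    /* loaded from: input_file:WEB-INF/lib/cas-server-webapp-config-5.2.5.jar:org/apereo/cas/config/CasSecurityContextConfiguration$CasAdminStatusInterceptor.class */
    public class CasAdminStatusInterceptor extends HandlerInterceptorAdapter {
        public CasAdminStatusInterceptor() {
        }

        /**
         * Applies the IP-based interceptor to the status root and the admin-endpoints
         * interceptor to every other path.
         *
         * @return the result of the delegate's {@code preHandle}
         */
        @Override
        public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
            if (isStatusRoot(request)) {
                return requiresAuthenticationStatusInterceptor().preHandle(request, response, handler);
            }
            return requiresAuthenticationStatusAdminEndpointsInterceptor().preHandle(request, response, handler);
        }

        /**
         * Forwards {@code postHandle} to the delegates.
         *
         * <p>NOTE(review): unlike {@code preHandle}, the admin-endpoints delegate is
         * invoked for every request, including the status root. Kept as found; confirm
         * whether the asymmetry is intended.
         */
        @Override
        public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
            if (isStatusRoot(request)) {
                requiresAuthenticationStatusInterceptor().postHandle(request, response, handler, modelAndView);
            }
            requiresAuthenticationStatusAdminEndpointsInterceptor().postHandle(request, response, handler, modelAndView);
        }

        /** Tells whether the request URI ends in {@code /status} (trailing slashes allowed). */
        private boolean isStatusRoot(HttpServletRequest request) {
            return STATUS_ROOT_PATTERN.matcher(request.getRequestURI()).find();
        }
    }

    /**
     * Builds the interceptor that sets cache seconds to zero and matches on the full path.
     */
    @Bean
    public WebContentInterceptor webContentInterceptor() {
        WebContentInterceptor interceptor = new WebContentInterceptor();
        interceptor.setCacheSeconds(0);
        interceptor.setAlwaysUseFullPath(true);
        return interceptor;
    }

    /**
     * Builds the IP-based security interceptor from the configured address pattern.
     *
     * <p>NOTE(review): this check rests solely on the client address as seen by the
     * application. Behind a reverse proxy or load balancer, confirm which address is
     * reported and that the configured pattern is as narrow as intended.
     */
    @RefreshScope
    @Bean
    public SecurityInterceptor requiresAuthenticationStatusInterceptor() {
        String ipPattern = this.casProperties.getAdminPagesSecurity().getIp();
        Config ipConfig = new Config(new IpClient(new IpRegexpAuthenticator(ipPattern)));
        return new CasSecurityInterceptor(ipConfig, "IpClient");
    }

    /**
     * Builds the pac4j configuration for CAS-login protection of the admin pages.
     *
     * <p>A populated configuration is returned only when both the login URL and the
     * service are non-blank. Otherwise, or when building fails, an empty
     * {@link Config} is returned, which
     * {@link #requiresAuthenticationStatusAdminEndpointsInterceptor()} treats as
     * "fall back to the IP-based check".
     *
     * @return the CAS-login configuration, or an empty configuration
     */
    @RefreshScope
    @Bean
    public Config casAdminPagesPac4jConfig() {
        try {
            AdminPagesSecurityProperties adminPagesSecurity = this.casProperties.getAdminPagesSecurity();
            if (StringUtils.isNotBlank(adminPagesSecurity.getLoginUrl()) && StringUtils.isNotBlank(adminPagesSecurity.getService())) {
                DirectCasClient casClient = new DirectCasClient(new CasConfiguration(adminPagesSecurity.getLoginUrl()));
                casClient.setName(CAS_CLIENT_NAME);
                Config config = new Config(adminPagesSecurity.getService(), casClient);
                if (adminPagesSecurity.getUsers() == null) {
                    // No users resource: every authenticated CAS user is let through.
                    LOGGER.warn("List of authorized users for admin pages security is not defined. Allowing access for all authenticated users");
                    casClient.setAuthorizationGenerator(new DefaultCasAuthorizationGenerator());
                    config.setAuthorizer(new IsAuthenticatedAuthorizer());
                } else {
                    Resource usersResource = ResourceUtils.prepareClasspathResourceIfNeeded(adminPagesSecurity.getUsers());
                    if (usersResource != null && usersResource.exists()) {
                        LOGGER.debug("Loading list of authorized users from [{}]", usersResource);
                        Properties userRoles = new Properties();
                        // Close the stream once loaded; the original left it open.
                        try (InputStream in = usersResource.getInputStream()) {
                            userRoles.load(in);
                        }
                        casClient.setAuthorizationGenerator(new SpringSecurityPropertiesAuthorizationGenerator(userRoles));
                        config.setAuthorizer(new RequireAnyRoleAuthorizer(adminPagesSecurity.getAdminRoles()));
                    } else {
                        // The config is still returned with the CAS client but without any
                        // authorizer. NOTE(review): the interceptor built from it names
                        // RequireAnyRoleAuthorizer; confirm pac4j rejects the request when
                        // that authorizer is not registered rather than skipping the check.
                        LOGGER.warn("Authorized users resource [{}] for admin pages security could not be found; no authorizer is registered",
                            adminPagesSecurity.getUsers());
                    }
                }
                return config;
            }
        } catch (Exception e) {
            // Falling through returns an empty Config, so the admin endpoints end up
            // protected by the IP-based check only. Operators should treat this log
            // line as a sign that the intended CAS-login protection is not active.
            LOGGER.warn(e.getMessage(), e);
        }
        return new Config();
    }

    /**
     * Builds the interceptor for the admin endpoints.
     *
     * @return the CAS-login interceptor when {@link #casAdminPagesPac4jConfig()} holds
     *     clients, otherwise the IP-based interceptor
     */
    @RefreshScope
    @Bean
    public SecurityInterceptor requiresAuthenticationStatusAdminEndpointsInterceptor() {
        Config adminConfig = casAdminPagesPac4jConfig();
        if (adminConfig.getClients() == null) {
            return requiresAuthenticationStatusInterceptor();
        }
        String authorizers = "securityHeaders,csrfToken," + getAuthorizerName();
        return new CasSecurityInterceptor(adminConfig, CAS_CLIENT_NAME, authorizers);
    }

    /**
     * Registers the status interceptor on {@code /status/**} and the web content
     * interceptor on single-segment paths.
     */
    @Override
    public void addInterceptors(InterceptorRegistry interceptorRegistry) {
        interceptorRegistry.addInterceptor(statusInterceptor()).addPathPatterns("/status/**");
        // The decompiler rendered this literal as ScriptUtils.DEFAULT_BLOCK_COMMENT_START_DELIMITER,
        // an unrelated constant with the same value; the path pattern is what is meant.
        interceptorRegistry.addInterceptor(webContentInterceptor()).addPathPatterns("/*");
    }

    /** Exposes the dispatching status interceptor as a bean. */
    @Bean
    public HandlerInterceptorAdapter statusInterceptor() {
        return new CasAdminStatusInterceptor();
    }

    /**
     * Installs the status interceptor on the actuator endpoint handler mapping.
     */
    @RefreshScope
    @Bean
    public EndpointHandlerMappingCustomizer mappingCustomizer() {
        return endpointHandlerMapping -> endpointHandlerMapping.setInterceptors(statusInterceptor());
    }

    /**
     * Names the authorizer that matches the branch taken in
     * {@link #casAdminPagesPac4jConfig()}: authenticated-only when no users resource is
     * configured, role-based otherwise.
     */
    private String getAuthorizerName() {
        if (this.casProperties.getAdminPagesSecurity().getUsers() == null) {
            return IsAuthenticatedAuthorizer.class.getSimpleName();
        }
        return RequireAnyRoleAuthorizer.class.getSimpleName();
    }
}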
