package org.openthinclient.web;

import com.vaadin.spring.annotation.EnableVaadin;
import java.io.IOException;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.openthinclient.service.apacheds.DirectoryServiceConfiguration;
import org.openthinclient.service.common.home.ManagerHome;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.ldap.core.support.BaseLdapPathContextSource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.config.Elements;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.ldap.LdapAuthenticationProviderConfigurer;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.security.ldap.search.LdapUserSearch;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
import org.springframework.security.ldap.userdetails.LdapUserDetailsService;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.authentication.RememberMeServices;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
import org.springframework.web.filter.OncePerRequestFilter;
import org.vaadin.spring.http.HttpService;
import org.vaadin.spring.security.annotation.EnableVaadinSharedSecurity;
import org.vaadin.spring.security.config.VaadinSharedSecurityConfiguration;
import org.vaadin.spring.security.shared.VaadinAuthenticationSuccessHandler;
import org.vaadin.spring.security.shared.VaadinRedirectLogoutHandler;
import org.vaadin.spring.security.shared.VaadinSessionClosingLogoutHandler;
import org.vaadin.spring.security.shared.VaadinUrlAuthenticationSuccessHandler;
import org.vaadin.spring.security.web.VaadinRedirectStrategy;

/**
 * Spring Security configuration for the manager web console.
 *
 * <p>Authentication is performed against the embedded ApacheDS directory on
 * {@code localhost} (see {@link #createLdapURL}); connection details and the
 * manager bind credentials come from the {@link DirectoryServiceConfiguration}
 * held by {@link ManagerHome}. Users are looked up under {@code ou=users} and
 * may only log in if they are members of
 * {@code cn=administrators,ou=RealmConfiguration} (enforced in
 * {@link #defaultLdapAuthoritiesPopulator()}). Login/logout itself is handled
 * by the Vaadin shared-security integration; HTTP Basic and Spring form login
 * are disabled here.
 *
 * <p>All URL prefixes are derived from {@code ${vaadin.servlet.urlMapping}}
 * via {@code WebUtil.getServletMappingRoot}.
 */
@EnableVaadinSharedSecurity
@Configuration
@EnableWebSecurity
@EnableVaadin
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true, proxyTargetClass = true)
/* loaded from: input_file:BOOT-INF/lib/manager-console-web-webapp-2021.2-BETA.jar:org/openthinclient/web/WebApplicationSecurityConfiguration.class */
public class WebApplicationSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Source of the DirectoryServiceConfiguration (LDAP port, partition, bind credentials).
    @Autowired
    private ManagerHome managerHome;

    // Servlet mapping of the Vaadin UI; every path below is built relative to it.
    @Value("${vaadin.servlet.urlMapping}")
    private String vaadinServletUrlMapping;

    // Injected but not referenced by any method in this class; the handler beans
    // below receive their VaadinRedirectStrategy as a method parameter instead.
    @Autowired
    private VaadinRedirectStrategy redirectStrategy;

    /**
     * LDAP-backed user lookup used by {@link #rememberMeServices()} to re-load a
     * user from a remember-me cookie. Authorities are resolved by
     * {@link #defaultLdapAuthoritiesPopulator()}, so the administrators-only
     * check also applies to remember-me logins.
     */
    @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
    protected UserDetailsService userDetailsService() {
        return new LdapUserDetailsService(userSearch(), defaultLdapAuthoritiesPopulator());
    }

    /**
     * Configures LDAP bind authentication against the embedded directory.
     *
     * <p>The context source binds with the manager principal/credentials from the
     * directory-service configuration; the user's own bind DN is formed from the
     * pattern {@code cn={0},ou=users} relative to the URL's base DN. Authorities
     * come from {@link #defaultLdapAuthoritiesPopulator()}.
     *
     * @param authenticationManagerBuilder builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
    public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        DirectoryServiceConfiguration directoryServiceConfiguration = (DirectoryServiceConfiguration) this.managerHome.getConfiguration(DirectoryServiceConfiguration.class);
        String createLdapURL = createLdapURL(directoryServiceConfiguration);
        LdapAuthenticationProviderConfigurer<AuthenticationManagerBuilder> ldapAuthentication = authenticationManagerBuilder.ldapAuthentication();
        ldapAuthentication.contextSource().url(createLdapURL).managerDn(directoryServiceConfiguration.getContextSecurityPrincipal()).managerPassword(directoryServiceConfiguration.getContextSecurityCredentials());
        // The trailing contextSource() call only returns the builder; its result is discarded.
        ldapAuthentication.userDnPatterns("cn={0},ou=users").ldapAuthoritiesPopulator(defaultLdapAuthoritiesPopulator()).contextSource();
    }

    /**
     * Resolves group memberships and gates login on administrator membership.
     *
     * <p>Groups are searched (subtree) below {@code cn=administrators,ou=RealmConfiguration}
     * with the filter {@code uniquemember={0}}, and the group's {@code cn} becomes the
     * role name. With the populator's default role prefix and upper-casing the
     * administrators group maps to {@code ROLE_ADMINISTRATORS}; any user whose
     * resolved roles lack that authority is rejected with
     * {@link BadCredentialsException}, i.e. "not an administrator" is reported to
     * the client the same way as a wrong password.
     *
     * @return the configured, administrator-only authorities populator
     */
    @Bean
    public DefaultLdapAuthoritiesPopulator defaultLdapAuthoritiesPopulator() {
        DefaultLdapAuthoritiesPopulator defaultLdapAuthoritiesPopulator = new DefaultLdapAuthoritiesPopulator(contextSource(), "cn=administrators,ou=RealmConfiguration") { // from class: org.openthinclient.web.WebApplicationSecurityConfiguration.1
            /**
             * Returns the roles from the superclass lookup, or throws if they do not
             * include {@code ROLE_ADMINISTRATORS}. This is the only place the
             * administrators-only policy is enforced.
             *
             * @param str  the user's DN
             * @param str2 the user's login name
             * @throws BadCredentialsException if the user is not an administrator
             */
            @Override // org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator
            public Set<GrantedAuthority> getGroupMembershipRoles(String str, String str2) {
                Set<GrantedAuthority> groupMembershipRoles = super.getGroupMembershipRoles(str, str2);
                if (groupMembershipRoles.stream().filter(grantedAuthority -> {
                    return "ROLE_ADMINISTRATORS".equals(grantedAuthority.getAuthority());
                }).findFirst().isPresent()) {
                    return groupMembershipRoles;
                }
                throw new BadCredentialsException("User is not allowed to login as an administrator");
            }
        };
        defaultLdapAuthoritiesPopulator.setGroupRoleAttribute("cn");
        defaultLdapAuthoritiesPopulator.setGroupSearchFilter("uniquemember={0}");
        defaultLdapAuthoritiesPopulator.setSearchSubtree(true);
        return defaultLdapAuthoritiesPopulator;
    }

    /**
     * User lookup by {@code cn} below {@code ou=users}, relative to the context
     * source's base DN.
     *
     * @return the filter-based user search
     */
    @Bean
    public LdapUserSearch userSearch() {
        return new FilterBasedLdapUserSearch("ou=users", "(cn={0})", contextSource());
    }

    /**
     * Context source for the embedded directory, bound with the manager
     * principal/credentials from the directory-service configuration.
     *
     * @return the configured context source
     */
    @Bean
    public BaseLdapPathContextSource contextSource() {
        DirectoryServiceConfiguration directoryServiceConfiguration = (DirectoryServiceConfiguration) this.managerHome.getConfiguration(DirectoryServiceConfiguration.class);
        DefaultSpringSecurityContextSource defaultSpringSecurityContextSource = new DefaultSpringSecurityContextSource(createLdapURL(directoryServiceConfiguration));
        defaultSpringSecurityContextSource.setUserDn(directoryServiceConfiguration.getContextSecurityPrincipal());
        defaultSpringSecurityContextSource.setPassword(directoryServiceConfiguration.getContextSecurityCredentials());
        return defaultSpringSecurityContextSource;
    }

    /**
     * Builds {@code ldap://localhost:<embeddedPort>/ou=<primaryOU>,<rootPartition>}.
     *
     * <p>The connection is plain {@code ldap://} (no TLS) but only ever targets the
     * embedded directory on the loopback interface.
     *
     * @param directoryServiceConfiguration source of port, primary OU and root partition
     * @return the LDAP URL including the base DN
     */
    private String createLdapURL(DirectoryServiceConfiguration directoryServiceConfiguration) {
        return "ldap://localhost:" + directoryServiceConfiguration.getEmbeddedLdapPort() + "/ou=" + directoryServiceConfiguration.getPrimaryOU() + "," + directoryServiceConfiguration.getEmbeddedCustomRootPartitionName();
    }

    /**
     * Servlet filter that redirects {@code /} and {@code <root>first-start} to the
     * Vaadin servlet root. The filter never continues the chain: every matched
     * request is answered with the redirect.
     *
     * @return the filter registration
     */
    @Bean
    public FilterRegistrationBean redirectToDashboardUIFilter() {
        FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
        filterRegistrationBean.addUrlPatterns("/");
        filterRegistrationBean.addUrlPatterns(WebUtil.getServletMappingRoot(this.vaadinServletUrlMapping) + "first-start");
        filterRegistrationBean.setFilter(new OncePerRequestFilter() { // from class: org.openthinclient.web.WebApplicationSecurityConfiguration.2
            // Redirect target is derived from configuration only, never from the request.
            @Override // org.springframework.web.filter.OncePerRequestFilter
            protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException {
                httpServletResponse.sendRedirect(WebUtil.getServletMappingRoot(WebApplicationSecurityConfiguration.this.vaadinServletUrlMapping));
            }
        });
        return filterRegistrationBean;
    }

    /**
     * Web security rules for the Vaadin UI.
     *
     * <ul>
     *   <li>Spring CSRF protection is disabled. NOTE(review): this relies on
     *       Vaadin's own request-token check for UIDL traffic — confirm nothing
     *       non-Vaadin and state-changing is served under this chain.</li>
     *   <li>{@code <root>login/**} is anonymous-only; {@code <root>UIDL/**} and
     *       {@code <root>HEARTBEAT/**} are permitted to everyone; every other
     *       request requires an authenticated session.</li>
     *   <li>HTTP Basic and form login are disabled; the Vaadin login view drives
     *       authentication through the shared-security handlers below.</li>
     *   <li>Logout at {@code <root>logout} closes the Vaadin session and lands on
     *       {@code <root>login?logout}; unauthenticated access is redirected to
     *       {@code <root>login}.</li>
     *   <li>Remember-me uses {@link #rememberMeServices()} and session fixation
     *       protection uses {@link #sessionAuthenticationStrategy()}.</li>
     * </ul>
     *
     * @param httpSecurity builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.csrf().disable();
        httpSecurity.authorizeRequests().antMatchers(WebUtil.getServletMappingRoot(this.vaadinServletUrlMapping) + "login/**").anonymous().antMatchers(WebUtil.getServletMappingRoot(this.vaadinServletUrlMapping) + "UIDL/**").permitAll().antMatchers(WebUtil.getServletMappingRoot(this.vaadinServletUrlMapping) + "HEARTBEAT/**").permitAll().anyRequest().authenticated();
        httpSecurity.httpBasic().disable();
        httpSecurity.formLogin().disable();
        httpSecurity.logout().addLogoutHandler(new VaadinSessionClosingLogoutHandler()).logoutUrl(WebUtil.getServletMappingRoot(this.vaadinServletUrlMapping) + Elements.LOGOUT).logoutSuccessUrl(WebUtil.getServletMappingRoot(this.vaadinServletUrlMapping) + "login?logout").permitAll();
        httpSecurity.exceptionHandling().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint(WebUtil.getServletMappingRoot(this.vaadinServletUrlMapping) + "login"));
        // The key must match the one passed to TokenBasedRememberMeServices in rememberMeServices().
        // NOTE(review): it is a fixed literal in the source, so every installation signs
        // remember-me tokens with the same, jar-visible value; an externalized per-install
        // secret would be preferable.
        httpSecurity.rememberMe().rememberMeServices(rememberMeServices()).key("openthinclient-manager");
        httpSecurity.sessionManagement().sessionAuthenticationStrategy(sessionAuthenticationStrategy());
    }

    /**
     * Paths excluded from the Spring Security filter chain altogether: Vaadin
     * static resources, the health endpoint, the REST API, file/download
     * serving and websockets.
     *
     * <p>NOTE(review): {@code ignoring()} means these requests receive no
     * authentication or authorization from this configuration; access control
     * for {@code /api/v1/**}, {@code /openthinclient/files/**}, {@code /download/**}
     * and {@code /ws/**} must be enforced elsewhere — confirm.
     *
     * @param webSecurity builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter, org.springframework.security.config.annotation.SecurityConfigurer
    public void configure(WebSecurity webSecurity) throws Exception {
        webSecurity.ignoring().antMatchers("/VAADIN/**").antMatchers("/actuator/health").antMatchers("/api/v1/**").antMatchers("/openthinclient/files/**").antMatchers("/download/**").antMatchers("/ws/**");
    }

    /**
     * Exposes the {@link AuthenticationManager} built by
     * {@link #configure(AuthenticationManagerBuilder)} as a bean so the Vaadin
     * login view can authenticate through it.
     *
     * @return the shared authentication manager
     * @throws Exception propagated from the superclass
     */
    @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Cookie-token remember-me services backed by {@link #userDetailsService()}.
     * The key literal must stay identical to the one set in
     * {@link #configure(HttpSecurity)}.
     *
     * @return the remember-me services
     */
    @Bean
    public RememberMeServices rememberMeServices() {
        return new TokenBasedRememberMeServices("openthinclient-manager", userDetailsService());
    }

    /**
     * Session fixation protection applied on successful authentication.
     *
     * @return the session authentication strategy
     */
    @Bean
    public SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new SessionFixationProtectionStrategy();
    }

    /**
     * Vaadin shared-security success handler: redirects to the Vaadin servlet
     * root after a successful login.
     *
     * @param httpService            Vaadin HTTP service
     * @param vaadinRedirectStrategy redirect strategy used for the post-login redirect
     * @return the success handler bean expected by {@link VaadinSharedSecurityConfiguration}
     */
    @Bean(name = {VaadinSharedSecurityConfiguration.VAADIN_AUTHENTICATION_SUCCESS_HANDLER_BEAN})
    public VaadinAuthenticationSuccessHandler vaadinAuthenticationSuccessHandler(HttpService httpService, VaadinRedirectStrategy vaadinRedirectStrategy) {
        return new VaadinUrlAuthenticationSuccessHandler(httpService, vaadinRedirectStrategy, WebUtil.getServletMappingRoot(this.vaadinServletUrlMapping));
    }

    /**
     * Vaadin shared-security logout handler: redirects to {@code <root>logout},
     * the logout URL registered in {@link #configure(HttpSecurity)}.
     *
     * @param vaadinRedirectStrategy redirect strategy used for the logout redirect
     * @return the logout handler bean expected by {@link VaadinSharedSecurityConfiguration}
     */
    @Bean(name = {VaadinSharedSecurityConfiguration.VAADIN_LOGOUT_HANDLER_BEAN})
    public VaadinRedirectLogoutHandler vaadinRedirectLogoutHandler(VaadinRedirectStrategy vaadinRedirectStrategy) {
        return new VaadinRedirectLogoutHandler(vaadinRedirectStrategy, WebUtil.getServletMappingRoot(this.vaadinServletUrlMapping) + Elements.LOGOUT);
    }
}
