package org.frankframework.lifecycle.servlets;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Properties;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.HttpMethod;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.MapPropertySource;
import org.springframework.core.env.PropertySource;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AndRequestMatcher;

/* loaded from: input_file:WEB-INF/lib/frankframework-security-8.1.0.jar:org/frankframework/lifecycle/servlets/ServletAuthenticatorBase.class */
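/**
 * Base class for authenticators that collect the URL mappings and security roles of registered
 * servlets and turn them into a Spring Security {@link SecurityFilterChain}.
 *
 * <p>URL mappings are split into two sets. A mapping that starts with {@code '!'}, or that belongs
 * to a servlet without security roles, is stored (without the {@code '!'}) as a public endpoint;
 * every other mapping is stored as a private endpoint. The filter chain built by
 * {@link #configureHttpSecurity(HttpSecurity)} is scoped to the private endpoints, permits the
 * public ones and requires authentication for the rest.
 */
public abstract class ServletAuthenticatorBase implements IAuthenticator, ApplicationContextAware {
    private static final String HTTP_SECURITY_BEAN_NAME = "org.springframework.security.config.annotation.web.configuration.HttpSecurityConfiguration.httpSecurity";

    /** Roles applied when a registered servlet declares no security roles of its own. */
    public static final List<String> DEFAULT_IBIS_ROLES = Collections.unmodifiableList(Arrays.asList("IbisObserver", "IbisAdmin", "IbisDataAdmin", "IbisTester", "IbisWebService"));

    /** Environment property that, when {@code true}, exempts OPTIONS requests from the authenticated rule. */
    public static final String ALLOW_OPTIONS_REQUESTS_KEY = "application.security.http.allowUnsecureOptionsRequests";

    private ApplicationContext applicationContext;
    protected final Logger log = LogManager.getLogger(this);
    private final Set<String> publicEndpoints = new HashSet<>();
    private final Set<String> privateEndpoints = new HashSet<>();
    private Set<String> securityRoles = new HashSet<>();
    private Properties applicationConstants = null;
    private boolean allowUnsecureOptionsRequest = false;

    /**
     * Stores the application context and reads {@link #ALLOW_OPTIONS_REQUESTS_KEY} from its
     * environment (default {@code false}).
     *
     * @param applicationContext the context this authenticator is wired into
     */
    @Override // org.springframework.context.ApplicationContextAware
    public final void setApplicationContext(ApplicationContext applicationContext) {
        this.applicationContext = applicationContext;
        this.allowUnsecureOptionsRequest = applicationContext.getEnvironment().getProperty(ALLOW_OPTIONS_REQUESTS_KEY, boolean.class, false);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Returns the entries of every {@link MapPropertySource} in the environment, merged into one
     * {@link Properties} object that is built on first use and cached.
     *
     * <p>The returned object is the cached instance itself, not a copy.
     * NOTE(review): sources are merged with {@code putAll} in iteration order, so for a key present
     * in several sources the value of the last source iterated is kept; confirm this matches the
     * precedence the callers expect.
     * NOTE(review): the result can hold any value present in the environment, presumably including
     * credentials; avoid logging it wholesale.
     *
     * @return the merged environment properties
     */
    public final synchronized Properties getEnvironmentProperties() {
        if (this.applicationConstants == null) {
            Properties merged = new Properties();
            ConfigurableEnvironment environment = (ConfigurableEnvironment) this.applicationContext.getEnvironment();
            for (PropertySource<?> propertySource : environment.getPropertySources()) {
                if (propertySource instanceof MapPropertySource) {
                    merged.putAll(((MapPropertySource) propertySource).getSource());
                }
            }
            this.applicationConstants = merged;
        }
        return this.applicationConstants;
    }

    /**
     * Registers the URL mappings and security roles of one servlet with this authenticator.
     *
     * @param servletConfiguration the servlet whose mappings and roles are added
     * @throws IllegalStateException if one of its URL mappings was registered before
     */
    @Override // org.frankframework.lifecycle.servlets.IAuthenticator
    public final void registerServlet(ServletConfiguration servletConfiguration) {
        addEndpoints(servletConfiguration);
        addSecurityRoles(servletConfiguration.getSecurityRoles());
    }

    /** Adds the given roles, or {@link #DEFAULT_IBIS_ROLES} when the list is empty. */
    private void addSecurityRoles(List<String> list) {
        this.securityRoles.addAll(list.isEmpty() ? DEFAULT_IBIS_ROLES : list);
    }

    /**
     * Sorts each URL mapping of the servlet into the public or the private endpoint set.
     *
     * <p>The duplicate check is done on the mapping with its leading {@code '!'} removed, because
     * that is the form stored in {@code publicEndpoints}. Checking the raw mapping would let
     * {@code "!/x"} be registered after a private {@code "/x"}, leaving the same URL in both sets;
     * the permit-all rule for public endpoints is added to the chain before the authenticated rule,
     * so such a URL would end up listed under permit-all as well.
     *
     * @throws IllegalStateException if a mapping is already registered as public or private
     */
    private void addEndpoints(ServletConfiguration servletConfiguration) {
        for (String url : servletConfiguration.getUrlMapping()) {
            // charAt(0) throws StringIndexOutOfBoundsException on an empty mapping.
            boolean markedPublic = url.charAt(0) == '!';
            String endpoint = markedPublic ? url.substring(1) : url;
            if (this.publicEndpoints.contains(endpoint) || this.privateEndpoints.contains(endpoint)) {
                throw new IllegalStateException("endpoint already configured");
            }
            if (markedPublic || servletConfiguration.getSecurityRoles().isEmpty()) {
                this.log.info("registering public endpoint with url [{}]", endpoint);
                this.publicEndpoints.add(endpoint);
            } else {
                this.log.info("registering private endpoint with url pattern [{}]", url);
                this.privateEndpoints.add(url);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** Returns a read-only view of the private endpoint patterns. */
    public Set<String> getPrivateEndpoints() {
        return Collections.unmodifiableSet(this.privateEndpoints);
    }

    /**
     * Creates the security filter chain and registers it as a singleton bean, unless no private
     * endpoints were registered, in which case this authenticator is skipped.
     *
     * @throws IllegalStateException if no application context has been set
     */
    @Override // org.frankframework.lifecycle.servlets.IAuthenticator
    public void build() {
        if (this.applicationContext == null) {
            throw new IllegalStateException("Authenticator is not wired through local BeanFactory");
        }
        if (this.privateEndpoints.isEmpty()) {
            this.log.info("no url matchers found, ignoring Authenticator [{}]", this::getClass);
            return;
        }
        String beanName = "HttpSecurityChain-" + getClass().getSimpleName() + "-" + hashCode();
        ((ConfigurableApplicationContext) this.applicationContext).getBeanFactory().registerSingleton(beanName, createSecurityFilterChain());
    }

    /** Fetches the {@link HttpSecurity} bean from the context and configures it. */
    private SecurityFilterChain createSecurityFilterChain() {
        return configureHttpSecurity((HttpSecurity) this.applicationContext.getBean(HTTP_SECURITY_BEAN_NAME, HttpSecurity.class));
    }

    /**
     * Applies the settings shared by all authenticators and then delegates to
     * {@link #configure(HttpSecurity)}.
     *
     * @param httpSecurity the builder to configure
     * @return the chain produced by {@link #configure(HttpSecurity)}
     * @throws IllegalStateException wrapping any exception raised while configuring
     */
    @Override // org.frankframework.lifecycle.servlets.IAuthenticator
    public SecurityFilterChain configureHttpSecurity(HttpSecurity httpSecurity) {
        try {
            // X-Frame-Options: SAMEORIGIN, so pages can only be framed by the same origin.
            httpSecurity.headers().frameOptions().sameOrigin();
            // CSRF protection is switched off for this chain.
            // NOTE(review): that is only safe when the concrete authenticator does not rely on
            // credentials a browser attaches automatically; confirm per subclass.
            httpSecurity.csrf().disable();
            // The chain only handles requests that match a private endpoint pattern.
            URLRequestMatcher privateMatcher = new URLRequestMatcher(this.privateEndpoints);
            httpSecurity.securityMatcher(privateMatcher);
            httpSecurity.formLogin().disable();
            httpSecurity.logout().disable();
            if (this.publicEndpoints.isEmpty()) {
                httpSecurity.anonymous().disable();
            } else {
                // Registered before the authenticated rule below, so it is evaluated first.
                httpSecurity.authorizeHttpRequests().requestMatchers(new URLRequestMatcher(this.publicEndpoints)).permitAll();
                httpSecurity.anonymous();
            }
            // Authentication is required for private endpoints, except for requests that
            // authorizationRequestMatcher excludes.
            httpSecurity.authorizeHttpRequests().requestMatchers(new AndRequestMatcher(privateMatcher, this::authorizationRequestMatcher)).authenticated();
            return configure(httpSecurity);
        } catch (Exception e) {
            throw new IllegalStateException("unable to configure Spring Security", e);
        }
    }

    /**
     * Decides whether the authenticated rule applies to a request.
     *
     * <p>Returns {@code false} only for OPTIONS requests while {@link #ALLOW_OPTIONS_REQUESTS_KEY}
     * is enabled; such requests are then not covered by the authenticated rule. How they are
     * handled afterwards depends on the rest of the chain, which is not decided here.
     *
     * @param httpServletRequest the incoming request
     * @return {@code true} if the request must match the authenticated rule
     */
    protected boolean authorizationRequestMatcher(HttpServletRequest httpServletRequest) {
        boolean exemptOptions = this.allowUnsecureOptionsRequest && HttpMethod.OPTIONS.equals(httpServletRequest.getMethod());
        return !exemptOptions;
    }

    /**
     * Adds the authentication mechanism of the concrete authenticator and builds the chain.
     *
     * @param httpSecurity the builder, already carrying the shared settings
     * @return the finished filter chain
     * @throws Exception if the chain cannot be built
     */
    protected abstract SecurityFilterChain configure(HttpSecurity httpSecurity) throws Exception;

    /** Returns the application context, or {@code null} if none has been set yet. */
    public ApplicationContext getApplicationContext() {
        return this.applicationContext;
    }

    /** Returns the live, mutable set of collected security roles (not a copy). */
    public Set<String> getSecurityRoles() {
        return this.securityRoles;
    }
}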
