package eu.openanalytics;

import eu.openanalytics.components.LogoutHandler;
import eu.openanalytics.services.AppService;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.inject.Inject;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.directory.shared.ldap.constants.SchemaConstants;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.ldap.core.ContextSource;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.ldap.LdapUserServiceBeanDefinitionParser;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

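/**
 * Spring Security configuration for the proxy.
 *
 * <p>When the {@code shiny.proxy.authentication} property is set to anything other than an empty
 * value or {@code none}, users are authenticated against LDAP and every request except the login
 * page and the static resources requires a fully authenticated session. Apps that declare roles
 * additionally require one of those roles. When authentication is switched off, no authorization
 * rule is registered at all and every URL is reachable anonymously.
 */
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Inject
    LogoutHandler logoutHandler;

    @Inject
    Environment environment;

    @Inject
    AppService appService;

    /**
     * Registers the LDAP authentication provider, built from the {@code shiny.proxy.ldap.*}
     * properties, when authentication is enabled.
     */
    @Configuration
    protected static class AuthenticationConfiguration extends GlobalAuthenticationConfigurerAdapter {

        @Inject
        private Environment environment;

        protected AuthenticationConfiguration() {
        }

        /**
         * Configures LDAP bind authentication and group-based role lookup.
         *
         * @param authenticationManagerBuilder builder that receives the LDAP provider
         * @throws Exception if the LDAP context source or the provider cannot be set up
         */
        @Override
        public void init(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
            if (!WebSecurityConfig.hasAuth(this.environment)) {
                return;
            }

            // An unset or empty DN pattern means "no patterns"; the user search filter is then the
            // only way a user entry is located.
            String userDnPattern = this.environment.getProperty("shiny.proxy.ldap.user-dn-pattern");
            String[] userDnPatterns = (userDnPattern == null || userDnPattern.isEmpty())
                    ? new String[0]
                    : new String[] {userDnPattern};

            // An empty manager DN is treated exactly like a missing one.
            String managerDn = this.environment.getProperty("shiny.proxy.ldap.manager-dn");
            if (managerDn != null && managerDn.isEmpty()) {
                managerDn = null;
            }

            // NOTE(review): the scheme of this URL decides transport security. With a plain
            // ldap:// URL the manager password and every user's bind password cross the network
            // unencrypted; deployments should point this at an ldaps:// endpoint.
            DefaultSpringSecurityContextSource contextSource =
                    new DefaultSpringSecurityContextSource(this.environment.getProperty("shiny.proxy.ldap.url"));
            if (managerDn != null) {
                contextSource.setUserDn(managerDn);
                // The manager password is a secret read from configuration; it must never be logged.
                contextSource.setPassword(this.environment.getProperty("shiny.proxy.ldap.manager-password"));
            }
            // Without a manager DN no bind credentials are set here, so group searches presumably
            // run as an anonymous bind -- confirm the directory permits that.
            contextSource.afterPropertiesSet();

            CNLdapAuthoritiesPopulator authoritiesPopulator = new CNLdapAuthoritiesPopulator(
                    contextSource, this.environment.getProperty("shiny.proxy.ldap.group-search-base", ""));
            authoritiesPopulator.setGroupRoleAttribute(SchemaConstants.CN_AT);
            authoritiesPopulator.setGroupSearchFilter(this.environment.getProperty(
                    "shiny.proxy.ldap.group-search-filter",
                    LdapUserServiceBeanDefinitionParser.DEF_GROUP_SEARCH_FILTER));

            authenticationManagerBuilder.ldapAuthentication()
                    .userDnPatterns(userDnPatterns)
                    .userSearchBase(this.environment.getProperty("shiny.proxy.ldap.user-search-base", ""))
                    .userSearchFilter(this.environment.getProperty("shiny.proxy.ldap.user-search-filter"))
                    .ldapAuthoritiesPopulator(authoritiesPopulator)
                    .contextSource(contextSource);
        }
    }

    /**
     * Authorities populator that offers the user's CN as a third group-search filter argument,
     * next to the full DN and the username that the search already receives.
     */
    public static class CNLdapAuthoritiesPopulator extends DefaultLdapAuthoritiesPopulator {
        // Logs under the parent class's category, so debug output is switched on through
        // DefaultLdapAuthoritiesPopulator's logger name rather than this class's.
        private static final Log logger = LogFactory.getLog(DefaultLdapAuthoritiesPopulator.class);

        /**
         * @param contextSource LDAP context used for the group search
         * @param groupSearchBase base under which group entries are searched
         */
        public CNLdapAuthoritiesPopulator(ContextSource contextSource, String groupSearchBase) {
            super(contextSource, groupSearchBase);
        }

        /**
         * Looks up the groups the user belongs to and maps each one to a granted authority.
         *
         * <p>The group search filter may reference {@code {0}} (user DN), {@code {1}} (username)
         * and {@code {2}} (CN taken from the user DN, or an empty string if none is found).
         *
         * @param userDn distinguished name of the authenticated user
         * @param username login name of the authenticated user
         * @return one authority per group found, each carrying the configured role prefix; empty
         *     when no group search base is configured
         */
        @Override
        public Set<GrantedAuthority> getGroupMembershipRoles(String userDn, String username) {
            Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();
            if (getGroupSearchBase() == null) {
                return authorities;
            }

            // The username and DN originate from the login attempt and are written verbatim.
            // NOTE(review): if debug logging can be enabled in production, consider neutralising
            // CR/LF in these values so a crafted username cannot forge log lines.
            if (logger.isDebugEnabled()) {
                logger.debug("Searching for roles for user '" + username + "', DN = '" + userDn + "', with filter " + getGroupSearchFilter() + " in search base '" + getGroupSearchBase() + "'");
            }

            // The three values are passed as filter arguments, not concatenated into the filter
            // string. Presumably the template escapes them before substitution -- confirm for the
            // Spring Security version in use, since the username is user-supplied.
            Set<String> groupNames = getLdapTemplate().searchForSingleAttributeValues(
                    getGroupSearchBase(),
                    getGroupSearchFilter(),
                    new String[] {userDn, username, getCn(userDn)},
                    getGroupRoleAttribute());

            if (logger.isDebugEnabled()) {
                logger.debug("Roles from search: " + groupNames);
            }

            for (String groupName : groupNames) {
                // Locale.ROOT keeps role names stable whatever the JVM default locale is; a
                // locale-sensitive upper-casing (e.g. Turkish dotted I) would yield authorities
                // that never match the role names configured for the apps.
                String role = isConvertToUpperCase() ? groupName.toUpperCase(Locale.ROOT) : groupName;
                authorities.add(new SimpleGrantedAuthority(getRolePrefix() + role));
            }
            return authorities;
        }

        /**
         * Extracts the value of the first CN component found in a distinguished name.
         *
         * @param userDn distinguished name to inspect
         * @return the CN value, or an empty string when the DN has no CN or cannot be parsed
         */
        private String getCn(String userDn) {
            try {
                for (Rdn rdn : new LdapName(userDn).getRdns()) {
                    if (rdn.getType().equalsIgnoreCase("CN")) {
                        return rdn.getValue().toString();
                    }
                }
                return "";
            } catch (InvalidNameException e) {
                // Best effort: an unparsable DN only means the {2} filter argument stays empty.
                // Record the cause instead of dropping it so a failing group lookup can be traced.
                if (logger.isDebugEnabled()) {
                    logger.debug("Could not parse the user DN to extract its CN", e);
                }
                return "";
            }
        }
    }

    /**
     * Excludes static resources from the security filter chain.
     *
     * @param webSecurity web security builder
     * @throws Exception if the configuration fails
     */
    @Override
    public void configure(WebSecurity webSecurity) throws Exception {
        // Ignored paths bypass the whole filter chain: no authentication, and no security headers
        // either. Only static, non-sensitive assets belong under these prefixes.
        webSecurity.ignoring().antMatchers("/css/**").and().ignoring().antMatchers("/webjars/**");
    }

    /**
     * Configures request authorization, form login and logout.
     *
     * @param httpSecurity HTTP security builder
     * @throws Exception if the configuration fails
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        // NOTE(review): CSRF protection is switched off for every endpoint, including /login and
        // /logout, so state-changing requests are not protected by a token. Confirm this is
        // intentional and compensated elsewhere (for example by the proxied apps or by cookie
        // SameSite settings).
        httpSecurity.csrf().disable();
        // Framing is allowed from the same origin only; other origins cannot embed these pages.
        httpSecurity.headers().frameOptions().sameOrigin();

        if (!hasAuth(this.environment)) {
            // No authorization rule is registered: every URL is reachable without logging in.
            return;
        }

        httpSecurity.authorizeRequests().antMatchers("/login").permitAll();

        for (AppService.ShinyApp shinyApp : this.appService.getApps()) {
            String[] appRoles = this.appService.getAppRoles(shinyApp.getName());
            if (appRoles != null && appRoles.length > 0) {
                // NOTE(review): this pattern covers the exact path "/app/<name>" only. Confirm that
                // no other URL form (a trailing slash or a sub-path) is routed to the same app;
                // such a request would fall through to the catch-all rule below, which checks
                // authentication but not roles.
                httpSecurity.authorizeRequests().antMatchers("/app/" + shinyApp.getName()).hasAnyRole(appRoles);
            }
            // Apps without configured roles get no rule of their own and are therefore open to
            // every authenticated user.
        }

        httpSecurity.authorizeRequests().anyRequest().fullyAuthenticated();

        // The logout matcher is path-only, so it accepts any HTTP method on /logout.
        // NOTE(review): both a success handler and a success URL are set; confirm which of the
        // two takes effect in the Spring Security version in use.
        httpSecurity.formLogin().loginPage("/login").and()
                .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessHandler(this.logoutHandler)
                .logoutSuccessUrl("/login");
    }

    /**
     * Tells whether authentication is enabled.
     *
     * @param environment source of the {@code shiny.proxy.authentication} property
     * @return {@code false} when the property is missing, empty or {@code none} in any letter
     *     case; {@code true} for every other value
     */
    public static boolean hasAuth(Environment environment) {
        // Locale.ROOT makes the comparison independent of the JVM default locale.
        String mode = environment.getProperty("shiny.proxy.authentication", "").toLowerCase(Locale.ROOT);
        return !(mode.isEmpty() || mode.equals("none"));
    }
}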
