package org.thingsboard.server.config;

import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.ArrayList;
import java.util.Arrays;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;
import org.thingsboard.server.dao.audit.AuditLogLevelFilter;
import org.thingsboard.server.exception.ThingsboardErrorResponseHandler;
import org.thingsboard.server.service.security.auth.jwt.JwtAuthenticationProvider;
import org.thingsboard.server.service.security.auth.jwt.JwtTokenAuthenticationProcessingFilter;
import org.thingsboard.server.service.security.auth.jwt.RefreshTokenAuthenticationProvider;
import org.thingsboard.server.service.security.auth.jwt.RefreshTokenProcessingFilter;
import org.thingsboard.server.service.security.auth.jwt.SkipPathRequestMatcher;
import org.thingsboard.server.service.security.auth.jwt.extractor.TokenExtractor;
import org.thingsboard.server.service.security.auth.rest.RestAuthenticationProvider;
import org.thingsboard.server.service.security.auth.rest.RestLoginProcessingFilter;
import org.thingsboard.server.service.security.auth.rest.RestPublicLoginProcessingFilter;

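/**
 * Spring Security configuration for the HTTP and WebSocket API.
 *
 * <p>The class wires five authentication filters (form login, public login, JWT for
 * {@code /api/**}, refresh token, JWT for {@code /api/ws/**}) in front of
 * {@link UsernamePasswordAuthenticationFilter}, registers the three matching
 * authentication providers, and declares which URL patterns are reachable without a token.
 *
 * <p>Security-relevant properties of this configuration, all visible in
 * {@link #configure(HttpSecurity)}:
 * <ul>
 *   <li>sessions are {@link SessionCreationPolicy#STATELESS};</li>
 *   <li>CSRF protection and the frame-options header are disabled;</li>
 *   <li>{@code /api/v1/**}, the login and refresh endpoints, {@code /api/noauth/**} and the
 *       static resources are {@code permitAll()}; any access control for them has to be
 *       enforced by the handlers behind them.</li>
 * </ul>
 *
 * <p>This listing was recovered from
 * {@code org/thingsboard/server/config/ThingsboardSecurityConfiguration.class}.
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
// 2147483642 == Integer.MAX_VALUE - 5, i.e. close to the lowest precedence.
@Order(2147483642)
public class ThingsboardSecurityConfiguration extends WebSecurityConfigurerAdapter {
    // Header and query-parameter names for the JWT; not referenced in this class,
    // presumably consumed by the two TokenExtractor beans injected below.
    public static final String JWT_TOKEN_HEADER_PARAM = "X-Authorization";
    public static final String JWT_TOKEN_QUERY_PARAM = "token";

    // URL patterns used by the filters and by the authorization rules.
    public static final String DEVICE_API_ENTRY_POINT = "/api/v1/**";
    public static final String FORM_BASED_LOGIN_ENTRY_POINT = "/api/auth/login";
    public static final String PUBLIC_LOGIN_ENTRY_POINT = "/api/auth/login/public";
    public static final String TOKEN_REFRESH_ENTRY_POINT = "/api/auth/token";
    public static final String TOKEN_BASED_AUTH_ENTRY_POINT = "/api/**";
    public static final String WS_TOKEN_BASED_AUTH_ENTRY_POINT = "/api/ws/**";
    public static final String WEBJARS_ENTRY_POINT = "/webjars/**";

    // Patterns that are permitted without a token. The array itself is mutable and visible
    // to subclasses and the package: treat it as read-only, because a write would change
    // both the permitAll() rules and the JWT filter's skip list.
    protected static final String[] NON_TOKEN_BASED_AUTH_ENTRY_POINTS = {"/index.html", "/static/**", "/api/noauth/**", WEBJARS_ENTRY_POINT};

    @Autowired
    private ThingsboardErrorResponseHandler restAccessDeniedHandler;

    @Autowired
    private AuthenticationSuccessHandler successHandler;

    @Autowired
    private AuthenticationFailureHandler failureHandler;

    @Autowired
    private RestAuthenticationProvider restAuthenticationProvider;

    @Autowired
    private JwtAuthenticationProvider jwtAuthenticationProvider;

    @Autowired
    private RefreshTokenAuthenticationProvider refreshTokenAuthenticationProvider;

    @Autowired
    @Qualifier("jwtHeaderTokenExtractor")
    private TokenExtractor jwtHeaderTokenExtractor;

    @Autowired
    @Qualifier("jwtQueryTokenExtractor")
    private TokenExtractor jwtQueryTokenExtractor;

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private ObjectMapper objectMapper;

    @Autowired
    private RateLimitProcessingFilter rateLimitProcessingFilter;

    /**
     * Builds the filter that handles credential login on {@link #FORM_BASED_LOGIN_ENTRY_POINT}.
     *
     * @return the login filter, bound to the shared authentication manager
     * @throws Exception declared for subclasses; nothing in this body throws a checked exception
     */
    @Bean
    protected RestLoginProcessingFilter buildRestLoginProcessingFilter() throws Exception {
        RestLoginProcessingFilter loginFilter = new RestLoginProcessingFilter(
                FORM_BASED_LOGIN_ENTRY_POINT, this.successHandler, this.failureHandler, this.objectMapper);
        loginFilter.setAuthenticationManager(this.authenticationManager);
        return loginFilter;
    }

    /**
     * Builds the filter that handles public login on {@link #PUBLIC_LOGIN_ENTRY_POINT}.
     *
     * @return the public-login filter, bound to the shared authentication manager
     * @throws Exception declared for subclasses; nothing in this body throws a checked exception
     */
    @Bean
    protected RestPublicLoginProcessingFilter buildRestPublicLoginProcessingFilter() throws Exception {
        RestPublicLoginProcessingFilter publicLoginFilter = new RestPublicLoginProcessingFilter(
                PUBLIC_LOGIN_ENTRY_POINT, this.successHandler, this.failureHandler, this.objectMapper);
        publicLoginFilter.setAuthenticationManager(this.authenticationManager);
        return publicLoginFilter;
    }

    /**
     * Builds the JWT filter for {@link #TOKEN_BASED_AUTH_ENTRY_POINT}, reading the token with
     * the header extractor.
     *
     * <p>Every pattern in the skip list is excluded from JWT processing, so a path added to
     * that list is reachable without this filter ever looking at a token. Keep the list in
     * step with the {@code permitAll()} rules in {@link #configure(HttpSecurity)}.
     *
     * @return the JWT filter, bound to the shared authentication manager
     * @throws Exception declared for subclasses; nothing in this body throws a checked exception
     */
    @Bean
    protected JwtTokenAuthenticationProcessingFilter buildJwtTokenAuthenticationProcessingFilter() throws Exception {
        // Typed list instead of the raw ArrayList the decompiler produced.
        ArrayList<String> pathsToSkip = new ArrayList<>(Arrays.asList(NON_TOKEN_BASED_AUTH_ENTRY_POINTS));
        // WEBJARS_ENTRY_POINT is already part of NON_TOKEN_BASED_AUTH_ENTRY_POINTS; the
        // duplicate entry is kept as in the original list.
        pathsToSkip.addAll(Arrays.asList(WS_TOKEN_BASED_AUTH_ENTRY_POINT, TOKEN_REFRESH_ENTRY_POINT,
                FORM_BASED_LOGIN_ENTRY_POINT, PUBLIC_LOGIN_ENTRY_POINT, DEVICE_API_ENTRY_POINT, WEBJARS_ENTRY_POINT));
        // NOTE(review): SkipPathRequestMatcher presumably matches TOKEN_BASED_AUTH_ENTRY_POINT
        // minus the skipped patterns - confirm against its implementation.
        SkipPathRequestMatcher matcher = new SkipPathRequestMatcher(pathsToSkip, TOKEN_BASED_AUTH_ENTRY_POINT);
        JwtTokenAuthenticationProcessingFilter jwtFilter =
                new JwtTokenAuthenticationProcessingFilter(this.failureHandler, this.jwtHeaderTokenExtractor, matcher);
        jwtFilter.setAuthenticationManager(this.authenticationManager);
        return jwtFilter;
    }

    /**
     * Builds the filter that handles token refresh on {@link #TOKEN_REFRESH_ENTRY_POINT}.
     *
     * @return the refresh-token filter, bound to the shared authentication manager
     * @throws Exception declared for subclasses; nothing in this body throws a checked exception
     */
    @Bean
    protected RefreshTokenProcessingFilter buildRefreshTokenProcessingFilter() throws Exception {
        RefreshTokenProcessingFilter refreshFilter = new RefreshTokenProcessingFilter(
                TOKEN_REFRESH_ENTRY_POINT, this.successHandler, this.failureHandler, this.objectMapper);
        refreshFilter.setAuthenticationManager(this.authenticationManager);
        return refreshFilter;
    }

    /**
     * Builds the JWT filter for {@link #WS_TOKEN_BASED_AUTH_ENTRY_POINT}, reading the token
     * with the query extractor.
     *
     * <p>NOTE(review): a token carried in the URL can end up in access logs and proxy logs;
     * presumably the parameter is {@link #JWT_TOKEN_QUERY_PARAM} - confirm, and make sure
     * those logs are treated as sensitive.
     *
     * @return the WebSocket JWT filter, bound to the shared authentication manager
     * @throws Exception declared for subclasses; nothing in this body throws a checked exception
     */
    @Bean
    protected JwtTokenAuthenticationProcessingFilter buildWsJwtTokenAuthenticationProcessingFilter() throws Exception {
        JwtTokenAuthenticationProcessingFilter wsJwtFilter = new JwtTokenAuthenticationProcessingFilter(
                this.failureHandler, this.jwtQueryTokenExtractor, new AntPathRequestMatcher(WS_TOKEN_BASED_AUTH_ENTRY_POINT));
        wsJwtFilter.setAuthenticationManager(this.authenticationManager);
        return wsJwtFilter;
    }

    /**
     * Exposes the adapter's {@link AuthenticationManager} as a bean so the filters above can
     * have it injected.
     *
     * @return the authentication manager built by the adapter
     * @throws Exception if the adapter fails to build it
     */
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Registers the REST, JWT and refresh-token authentication providers, in that order.
     *
     * @param authenticationManagerBuilder builder supplied by the adapter
     */
    @Override
    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) {
        authenticationManagerBuilder.authenticationProvider(this.restAuthenticationProvider);
        authenticationManagerBuilder.authenticationProvider(this.jwtAuthenticationProvider);
        authenticationManagerBuilder.authenticationProvider(this.refreshTokenAuthenticationProvider);
    }

    /**
     * Provides the password encoder bean.
     *
     * @return a {@link BCryptPasswordEncoder} created with its default settings
     */
    @Bean
    protected BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * Excludes {@code /static/**} from the security filter chain.
     *
     * <p>Ignored requests bypass every filter configured in {@link #configure(HttpSecurity)},
     * including the header settings, so nothing that needs protection should be served
     * from that path.
     *
     * @param webSecurity web security builder supplied by the adapter
     * @throws Exception declared by the overridden method
     */
    @Override
    public void configure(WebSecurity webSecurity) throws Exception {
        webSecurity.ignoring().antMatchers("/static/**");
    }

    /**
     * Declares headers, session policy, URL authorization rules and the filter order.
     *
     * <p>The redundant {@code AuthorizedUrl} casts left by the decompiler are removed; the
     * call sequence is unchanged.
     *
     * @param httpSecurity HTTP security builder supplied by the adapter
     * @throws Exception if the builder or one of the filter factory methods fails
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                .headers()
                    .cacheControl()
                    .and()
                    // NOTE(review): with frame options disabled no X-Frame-Options header is
                    // sent; confirm that framing is restricted another way if the UI needs it.
                    .frameOptions().disable()
                .and()
                // Uses the CorsFilter bean declared in corsFilter(...).
                .cors()
                .and()
                // CSRF protection is off and sessions are stateless. That is sound only while
                // the browser never attaches the credential automatically (no auth cookie);
                // assumes tokens travel in the header or query parameter - confirm.
                .csrf().disable()
                .exceptionHandling()
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                // Rules are evaluated in declaration order and the first match decides, so
                // these permitAll() entries must stay ahead of the broad "/api/**" rule.
                .authorizeRequests()
                    .antMatchers(WEBJARS_ENTRY_POINT).permitAll()
                    // NOTE(review): the device API is open at this layer and is also skipped
                    // by the JWT filter; its handlers must authenticate the caller themselves.
                    .antMatchers(DEVICE_API_ENTRY_POINT).permitAll()
                    .antMatchers(FORM_BASED_LOGIN_ENTRY_POINT).permitAll()
                    .antMatchers(PUBLIC_LOGIN_ENTRY_POINT).permitAll()
                    .antMatchers(TOKEN_REFRESH_ENTRY_POINT).permitAll()
                    .antMatchers(NON_TOKEN_BASED_AUTH_ENTRY_POINTS).permitAll()
                .and()
                .authorizeRequests()
                    .antMatchers(WS_TOKEN_BASED_AUTH_ENTRY_POINT).authenticated()
                    .antMatchers(TOKEN_BASED_AUTH_ENTRY_POINT).authenticated()
                .and()
                .exceptionHandling().accessDeniedHandler(this.restAccessDeniedHandler)
                .and()
                .addFilterBefore(buildRestLoginProcessingFilter(), UsernamePasswordAuthenticationFilter.class)
                .addFilterBefore(buildRestPublicLoginProcessingFilter(), UsernamePasswordAuthenticationFilter.class)
                .addFilterBefore(buildJwtTokenAuthenticationProcessingFilter(), UsernamePasswordAuthenticationFilter.class)
                .addFilterBefore(buildRefreshTokenProcessingFilter(), UsernamePasswordAuthenticationFilter.class)
                .addFilterBefore(buildWsJwtTokenAuthenticationProcessingFilter(), UsernamePasswordAuthenticationFilter.class)
                // NOTE(review): the rate limiter sits after the authentication filters, so a
                // request that one of them answers itself (for example a rejected login)
                // likely never reaches it - confirm that login throttling is handled elsewhere.
                .addFilterAfter(this.rateLimitProcessingFilter, UsernamePasswordAuthenticationFilter.class);
    }

    /**
     * Provides the {@link CorsFilter} when no other bean of that type exists.
     *
     * <p>When the configured mappings are empty the source stays empty, so no CORS
     * configuration is registered for any path.
     *
     * @param mvcCorsProperties CORS mappings taken from the application configuration
     * @return a CORS filter backed by the configured mappings
     */
    @ConditionalOnMissingBean({CorsFilter.class})
    @Bean
    public CorsFilter corsFilter(@Autowired MvcCorsProperties mvcCorsProperties) {
        UrlBasedCorsConfigurationSource corsSource = new UrlBasedCorsConfigurationSource();
        if (!mvcCorsProperties.getMappings().isEmpty()) {
            corsSource.setCorsConfigurations(mvcCorsProperties.getMappings());
        }
        return new CorsFilter(corsSource);
    }

    /**
     * Provides the audit log level filter built from the configured mask.
     *
     * @param auditLogLevelProperties audit log settings taken from the application configuration
     * @return the audit log level filter
     */
    @Bean
    public AuditLogLevelFilter auditLogLevelFilter(@Autowired AuditLogLevelProperties auditLogLevelProperties) {
        return new AuditLogLevelFilter(auditLogLevelProperties.getMask());
    }
}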
