package org.thingsboard.server.config;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.boot.web.servlet.ServletRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;
import org.springframework.web.filter.ShallowEtagHeaderFilter;
import org.thingsboard.server.dao.oauth2.OAuth2Configuration;
import org.thingsboard.server.exception.ThingsboardErrorResponseHandler;
import org.thingsboard.server.queue.util.TbCoreComponent;
import org.thingsboard.server.service.security.auth.jwt.JwtAuthenticationProvider;
import org.thingsboard.server.service.security.auth.jwt.JwtTokenAuthenticationProcessingFilter;
import org.thingsboard.server.service.security.auth.jwt.RefreshTokenAuthenticationProvider;
import org.thingsboard.server.service.security.auth.jwt.RefreshTokenProcessingFilter;
import org.thingsboard.server.service.security.auth.jwt.SkipPathRequestMatcher;
import org.thingsboard.server.service.security.auth.jwt.extractor.TokenExtractor;
import org.thingsboard.server.service.security.auth.oauth2.HttpCookieOAuth2AuthorizationRequestRepository;
import org.thingsboard.server.service.security.auth.rest.RestAuthenticationProvider;
import org.thingsboard.server.service.security.auth.rest.RestLoginProcessingFilter;
import org.thingsboard.server.service.security.auth.rest.RestPublicLoginProcessingFilter;
import org.thingsboard.server.transport.http.config.PayloadSizeFilter;

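/**
 * Spring Security wiring for the ThingsBoard REST API.
 *
 * <p>Two filter chains are registered: a minimal one (order 0) for static resources, and the main
 * stateless chain for everything else. The main chain authenticates {@code /api/**} with a JWT
 * carried in a request header, exposes the login / token-refresh / public-login endpoints to
 * unauthenticated callers, and optionally enables OAuth2 login when an {@link OAuth2Configuration}
 * bean is present. It also defines the {@link AuthenticationManager} and the CORS filter.
 */
@Configuration
@EnableWebSecurity
@EnableMethodSecurity
@TbCoreComponent
// Ordered.LOWEST_PRECEDENCE - 5: leaves room for other modules to register filter chains ahead of this one.
@Order(Integer.MAX_VALUE - 5)
public class ThingsboardSecurityConfiguration {
    /** Legacy header that carries the JWT ("Bearer ..."). */
    public static final String JWT_TOKEN_HEADER_PARAM = "X-Authorization";
    /** Standard header that carries the JWT ("Bearer ..."). */
    public static final String JWT_TOKEN_HEADER_PARAM_V2 = "Authorization";
    /**
     * Query-parameter name for the JWT. Not consumed in this class; any consumer should keep in mind
     * that query strings end up in access logs, proxies and Referer headers.
     */
    public static final String JWT_TOKEN_QUERY_PARAM = "token";
    public static final String DEVICE_API_ENTRY_POINT = "/api/v1/**";
    public static final String FORM_BASED_LOGIN_ENTRY_POINT = "/api/auth/login";
    public static final String PUBLIC_LOGIN_ENTRY_POINT = "/api/auth/login/public";
    public static final String TOKEN_REFRESH_ENTRY_POINT = "/api/auth/token";
    /** Paths served without any token: UI assets, no-auth API, license, public images, well-known. */
    protected static final String[] NON_TOKEN_BASED_AUTH_ENTRY_POINTS = {"/index.html", "/assets/**", "/static/**", "/api/noauth/**", "/webjars/**", "/api/license/**", "/api/images/public/**", "/.well-known/**"};
    /** Everything under this prefix requires an authenticated principal unless listed as an exception. */
    public static final String TOKEN_BASED_AUTH_ENTRY_POINT = "/api/**";
    public static final String WS_ENTRY_POINT = "/api/ws/**";
    public static final String MAIL_OAUTH2_PROCESSING_ENTRY_POINT = "/api/admin/mail/oauth2/code";
    public static final String DEVICE_CONNECTIVITY_CERTIFICATE_DOWNLOAD_ENTRY_POINT = "/api/device-connectivity/*/certificate/download";

    /** Per-path request body limits, "pattern=bytes;pattern=bytes;..." (parsed by {@link PayloadSizeFilter}). */
    @Value("${server.http.max_payload_size:/api/image*/**=52428800;/api/resource/**=52428800;/api/**=16777216}")
    private String maxPayloadSizeConfig;

    @Autowired
    private ThingsboardErrorResponseHandler restAccessDeniedHandler;

    // The OAuth2 collaborators are optional: they are only used when an OAuth2Configuration bean exists.
    @Autowired(required = false)
    @Qualifier("oauth2AuthenticationSuccessHandler")
    private AuthenticationSuccessHandler oauth2AuthenticationSuccessHandler;

    @Autowired(required = false)
    @Qualifier("oauth2AuthenticationFailureHandler")
    private AuthenticationFailureHandler oauth2AuthenticationFailureHandler;

    @Autowired(required = false)
    private HttpCookieOAuth2AuthorizationRequestRepository httpCookieOAuth2AuthorizationRequestRepository;

    @Autowired
    @Qualifier("defaultAuthenticationSuccessHandler")
    private AuthenticationSuccessHandler successHandler;

    @Autowired
    @Qualifier("defaultAuthenticationFailureHandler")
    private AuthenticationFailureHandler failureHandler;

    @Autowired
    private RestAuthenticationProvider restAuthenticationProvider;

    @Autowired
    private JwtAuthenticationProvider jwtAuthenticationProvider;

    @Autowired
    private RefreshTokenAuthenticationProvider refreshTokenAuthenticationProvider;

    /** Present only when OAuth2 login is configured; gates the oauth2Login() block in {@link #filterChain}. */
    @Autowired(required = false)
    OAuth2Configuration oauth2Configuration;

    @Autowired
    @Qualifier("jwtHeaderTokenExtractor")
    private TokenExtractor jwtHeaderTokenExtractor;

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private RateLimitProcessingFilter rateLimitProcessingFilter;

    @Autowired
    private OAuth2AuthorizationRequestResolver oAuth2AuthorizationRequestResolver;

    /** Rejects request bodies larger than the configured per-path limits before they reach controllers. */
    @Bean
    protected PayloadSizeFilter payloadSizeFilter() {
        return new PayloadSizeFilter(this.maxPayloadSizeConfig);
    }

    /**
     * Registers a weak-ETag filter for UI assets only (scripts, styles, icons and the asset folders),
     * so browsers can revalidate them cheaply. API responses are deliberately not covered.
     */
    @Bean
    protected FilterRegistrationBean<ShallowEtagHeaderFilter> buildEtagFilter() throws Exception {
        ShallowEtagHeaderFilter etagFilter = new ShallowEtagHeaderFilter();
        etagFilter.setWriteWeakETag(true);
        FilterRegistrationBean<ShallowEtagHeaderFilter> registration = new FilterRegistrationBean<>(etagFilter);
        registration.addUrlPatterns("*.js", "*.css", "*.ico", "/assets/*", "/static/*");
        registration.setName("etagFilter");
        return registration;
    }

    // NOTE(review): the filters below are exposed as beans. Spring Boot registers every Filter bean with
    // the servlet container as well, so unless a FilterRegistrationBean disables that registration they
    // may also run outside the security chain — confirm this is intended.

    /** Username/password login at {@link #FORM_BASED_LOGIN_ENTRY_POINT}; issues tokens via the default success handler. */
    @Bean
    protected RestLoginProcessingFilter buildRestLoginProcessingFilter() throws Exception {
        RestLoginProcessingFilter filter = new RestLoginProcessingFilter(FORM_BASED_LOGIN_ENTRY_POINT, this.successHandler, this.failureHandler);
        filter.setAuthenticationManager(this.authenticationManager);
        return filter;
    }

    /** Public-dashboard login at {@link #PUBLIC_LOGIN_ENTRY_POINT}. */
    @Bean
    protected RestPublicLoginProcessingFilter buildRestPublicLoginProcessingFilter() throws Exception {
        RestPublicLoginProcessingFilter filter = new RestPublicLoginProcessingFilter(PUBLIC_LOGIN_ENTRY_POINT, this.successHandler, this.failureHandler);
        filter.setAuthenticationManager(this.authenticationManager);
        return filter;
    }

    /**
     * Builds the filter that extracts a JWT from the request header and authenticates it for every
     * {@link #TOKEN_BASED_AUTH_ENTRY_POINT} request except the paths that carry their own credentials
     * (login, refresh, public login), the public entry points, the WebSocket and device API paths.
     */
    protected JwtTokenAuthenticationProcessingFilter buildJwtTokenAuthenticationProcessingFilter() throws Exception {
        List<String> pathsToSkip = new ArrayList<>(Arrays.asList(NON_TOKEN_BASED_AUTH_ENTRY_POINTS));
        pathsToSkip.addAll(Arrays.asList(WS_ENTRY_POINT, TOKEN_REFRESH_ENTRY_POINT, FORM_BASED_LOGIN_ENTRY_POINT,
                PUBLIC_LOGIN_ENTRY_POINT, DEVICE_API_ENTRY_POINT, MAIL_OAUTH2_PROCESSING_ENTRY_POINT,
                DEVICE_CONNECTIVITY_CERTIFICATE_DOWNLOAD_ENTRY_POINT));
        // NOTE(review): DEVICE_API_ENTRY_POINT (/api/v1/**) is skipped here but is not permitAll'd in
        // filterChain(), so it would be rejected by the "/api/**" authenticated() rule unless another
        // chain registered ahead of this one (see the class-level @Order) handles it — confirm.
        // WS_ENTRY_POINT is skipped and permitAll'd; WebSocket sessions are presumably authenticated
        // elsewhere (handshake/session handler) — confirm.
        SkipPathRequestMatcher matcher = new SkipPathRequestMatcher(pathsToSkip, TOKEN_BASED_AUTH_ENTRY_POINT);
        JwtTokenAuthenticationProcessingFilter filter = new JwtTokenAuthenticationProcessingFilter(this.failureHandler, this.jwtHeaderTokenExtractor, matcher);
        filter.setAuthenticationManager(this.authenticationManager);
        return filter;
    }

    /** Exchanges a refresh token for a new token pair at {@link #TOKEN_REFRESH_ENTRY_POINT}. */
    @Bean
    protected RefreshTokenProcessingFilter buildRefreshTokenProcessingFilter() throws Exception {
        RefreshTokenProcessingFilter filter = new RefreshTokenProcessingFilter(TOKEN_REFRESH_ENTRY_POINT, this.successHandler, this.failureHandler);
        filter.setAuthenticationManager(this.authenticationManager);
        return filter;
    }

    /**
     * The single {@link AuthenticationManager} shared by all processing filters. It tries, in order,
     * the REST (username/password), JWT and refresh-token providers and publishes authentication
     * events through the default publisher so listeners (audit, lockout) see every attempt.
     */
    @Bean
    public AuthenticationManager authenticationManager(ObjectPostProcessor<Object> objectPostProcessor) throws Exception {
        DefaultAuthenticationEventPublisher eventPublisher = objectPostProcessor.postProcess(new DefaultAuthenticationEventPublisher());
        AuthenticationManagerBuilder builder = new AuthenticationManagerBuilder(objectPostProcessor);
        builder.authenticationEventPublisher(eventPublisher);
        builder.authenticationProvider(this.restAuthenticationProvider);
        builder.authenticationProvider(this.jwtAuthenticationProvider);
        builder.authenticationProvider(this.refreshTokenAuthenticationProvider);
        return builder.build();
    }

    /**
     * Order-0 chain for static UI resources: no security context, no session, no request cache,
     * everything permitted, and the default security headers replaced by a single public
     * Cache-Control so the ETag filter can do its job. Nothing sensitive is served on these paths.
     */
    @Bean
    @Order(0)
    SecurityFilterChain resources(HttpSecurity http) throws Exception {
        http.securityMatchers(matchers -> matchers
                        .requestMatchers("/*.js", "/*.css", "/*.ico", "/assets/**", "/static/**"))
                .headers(headers -> headers
                        .defaultsDisabled()
                        .addHeaderWriter(new StaticHeadersWriter("Cache-Control", "max-age=0, public")))
                .authorizeHttpRequests(auth -> auth.anyRequest().permitAll())
                .requestCache(requestCache -> requestCache.disable())
                .securityContext(securityContext -> securityContext.disable())
                .sessionManagement(sessionManagement -> sessionManagement.disable());
        return http.build();
    }

    /**
     * Main stateless chain.
     *
     * <ul>
     *   <li>Keeps Spring Security's default response headers (Cache-Control no-store, X-Content-Type-Options,
     *       HSTS on HTTPS, ...) and switches off only X-Frame-Options. Previously {@code disable()} was
     *       called on the {@code HeadersConfigurer} itself after the frame-options customizer, which in the
     *       lambda DSL removes the whole HeaderWriterFilter — and made the preceding cacheControl()
     *       customization a no-op. The old pre-lambda form {@code frameOptions().disable()} only disabled
     *       frame options; this restores that behaviour.</li>
     *   <li>CSRF is disabled because the API is stateless and the JWT is read from a request header, not
     *       a cookie, so the browser never attaches it automatically.</li>
     *   <li>{@code /api/**} requires an authenticated principal except for the listed public endpoints;
     *       anything outside {@code /api/**} (the SPA routes) is permitted.</li>
     *   <li>The custom login/refresh/JWT/payload-size filters run before the (unused) form-login filter;
     *       rate limiting runs after authentication so it can key on the principal.</li>
     * </ul>
     */
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.headers(headers -> headers
                        .cacheControl(cacheControl -> {})
                        // Disable only X-Frame-Options; disable() on the HeadersConfigurer would drop every header writer.
                        .frameOptions(frameOptions -> frameOptions.disable()))
                .cors(cors -> {})
                .csrf(csrf -> csrf.disable())
                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .authorizeHttpRequests(auth -> auth
                        .requestMatchers(NON_TOKEN_BASED_AUTH_ENTRY_POINTS).permitAll()
                        .requestMatchers(FORM_BASED_LOGIN_ENTRY_POINT, PUBLIC_LOGIN_ENTRY_POINT, TOKEN_REFRESH_ENTRY_POINT,
                                MAIL_OAUTH2_PROCESSING_ENTRY_POINT, DEVICE_CONNECTIVITY_CERTIFICATE_DOWNLOAD_ENTRY_POINT,
                                WS_ENTRY_POINT).permitAll()
                        .requestMatchers(TOKEN_BASED_AUTH_ENTRY_POINT).authenticated()
                        .anyRequest().permitAll())
                // Render access-denied as the standard ThingsBoard error body instead of the servlet default.
                .exceptionHandling(exceptions -> exceptions.accessDeniedHandler(this.restAccessDeniedHandler))
                .addFilterBefore(buildRestLoginProcessingFilter(), UsernamePasswordAuthenticationFilter.class)
                .addFilterBefore(buildRestPublicLoginProcessingFilter(), UsernamePasswordAuthenticationFilter.class)
                .addFilterBefore(buildJwtTokenAuthenticationProcessingFilter(), UsernamePasswordAuthenticationFilter.class)
                .addFilterBefore(buildRefreshTokenProcessingFilter(), UsernamePasswordAuthenticationFilter.class)
                .addFilterBefore(payloadSizeFilter(), UsernamePasswordAuthenticationFilter.class)
                .addFilterAfter(this.rateLimitProcessingFilter, UsernamePasswordAuthenticationFilter.class);
        if (this.oauth2Configuration != null) {
            // The authorization request is kept in a cookie (no server-side session in a stateless chain).
            // The oauth2 handlers/repository are optional beans; Spring asserts them non-null here, so a
            // missing one fails at startup rather than silently falling back.
            http.oauth2Login(oauth2 -> oauth2
                    .authorizationEndpoint(endpoint -> endpoint
                            .authorizationRequestRepository(this.httpCookieOAuth2AuthorizationRequestRepository)
                            .authorizationRequestResolver(this.oAuth2AuthorizationRequestResolver))
                    .loginPage("/oauth2Login")
                    .loginProcessingUrl(this.oauth2Configuration.getLoginProcessingUrl())
                    .successHandler(this.oauth2AuthenticationSuccessHandler)
                    .failureHandler(this.oauth2AuthenticationFailureHandler));
        }
        return http.build();
    }

    /**
     * CORS filter driven by the configured MVC CORS mappings. With no mappings the source has no
     * configuration for any path, so cross-origin preflights are rejected and no CORS headers are
     * emitted — closed by default.
     */
    @ConditionalOnMissingBean({CorsFilter.class})
    @Bean
    public CorsFilter corsFilter(MvcCorsProperties mvcCorsProperties) {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        if (!mvcCorsProperties.getMappings().isEmpty()) {
            source.setCorsConfigurations(mvcCorsProperties.getMappings());
        }
        return new CorsFilter(source);
    }
}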
