package com.mapr.admin.security;

import com.mapr.admin.model.oidc.SsoConf;
import com.mapr.admin.service.impl.MapRAdminService;
import com.mapr.admin.util.Oauth2Util;
import java.util.Arrays;
import org.apache.commons.lang.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.eclipse.jetty.server.session.SessionHandler;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.ImportResource;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.config.oauth2.client.CommonOAuth2Provider;
import org.springframework.security.oauth2.client.InMemoryOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.ClientRegistrations;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

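/**
 * Spring Security configuration for the OAuth2 / OIDC single sign-on endpoints under
 * {@code /oauth/**}.
 *
 * <p>The beans are built from an {@link SsoConf} (issuer endpoint, provider name, client id and
 * client secret). When no usable SSO configuration is found, the bean methods return {@code null}
 * rather than throwing, and the {@code isSsoProviderRunning} system property records whether a
 * client registration could be created.
 *
 * <p>NOTE(review): when {@link #configure(HttpSecurity)} returns {@code null}, this class
 * registers no filter chain for {@code /oauth/**}. Whether those paths then fail closed depends
 * on {@code spring-security.xml}, which is not visible here. Confirm.
 */
@ImportResource({"classpath:applicationContext.xml", "classpath:spring-security.xml"})
@Configuration
@EnableWebSecurity
/* loaded from: input_file:com/mapr/admin/security/GlobalSecurityConfig.class */
public class GlobalSecurityConfig {
    private static final Logger log = LogManager.getLogger(GlobalSecurityConfig.class);

    // Issuer endpoint taken from the SSO configuration; assigned as a side effect of
    // clientRegistrationRepository() and read by the provider-specific registration builders.
    String issuer;

    /**
     * Builds the filter chain that protects {@code /oauth/**}, the OAuth2 authorization redirect
     * path and the default OAuth2 login callback path.
     *
     * @param httpSecurity the builder supplied by Spring Security
     * @return the built chain, or {@code null} when SSO is not configured or the chain cannot be
     *     built
     */
    @Bean
    public SecurityFilterChain configure(HttpSecurity httpSecurity) {
        ClientRegistrationRepository clientRegistrationRepository = clientRegistrationRepository();
        if (clientRegistrationRepository == null) {
            return null;
        }
        // Resolve the service once so the instance that is null-checked is the one that is wired in.
        OAuth2AuthorizedClientService clientService = authorizedClientService(clientRegistrationRepository);
        if (clientService == null) {
            return null;
        }
        try {
            httpSecurity
                    .antMatcher("/oauth/**")
                    .requestMatchers()
                    .antMatchers("/oauth/**", "/oauth2/authorization/*", OAuth2LoginAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI)
                    .and()
                    .authorizeRequests()
                    .anyRequest()
                    .authenticated()
                    .and()
                    // NOTE(review): CSRF protection is off for this chain, and the logout matcher
                    // below is not bound to an HTTP method, so a cross-site GET to /oauth/logout
                    // ends the user's session. Confirm that this is an accepted trade-off.
                    .csrf()
                    .disable()
                    .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                    // A fresh session id is issued on login so a pre-login id cannot be reused.
                    .sessionFixation()
                    .migrateSession()
                    .and()
                    .oauth2Login()
                    .clientRegistrationRepository(clientRegistrationRepository)
                    .authorizedClientService(clientService)
                    .successHandler(new Oauth2AuthenticationSuccessHandler())
                    .and()
                    .logout()
                    .invalidateHttpSession(true)
                    .clearAuthentication(true)
                    // Remove both the Jetty session cookie and the application's "token" cookie.
                    .deleteCookies(SessionHandler.__DefaultSessionCookie, "token")
                    .logoutRequestMatcher(new AntPathRequestMatcher("/oauth/logout"))
                    .logoutSuccessHandler(new Oauth2LogoutSuccessHandler(clientRegistrationRepository));
            return httpSecurity.build();
        } catch (Exception e) {
            // The throwable is passed as well so the stack trace and cause reach the log.
            log.error("Exception during configure oauth2 login: {}", e.getMessage(), e);
            return null;
        }
    }

    /**
     * Creates the in-memory client registration for the configured SSO provider. Only the
     * providers {@code okta} and {@code keycloak} (case-insensitive) are recognised.
     *
     * <p>Side effects: assigns {@link #issuer}, and sets the {@code isSsoProviderRunning} system
     * property to {@code "true"} on success or {@code "false"} when registration fails.
     *
     * @return the repository holding the single registration, or {@code null} when SSO is not
     *     configured, the provider is missing or unsupported, or registration fails
     */
    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        SsoConf ssoConf = getSsoConf();
        if (ssoConf == null) {
            return null;
        }
        this.issuer = ssoConf.getIssuerEndPoint();
        // SsoConf carries the client secret (see getClientSecret()), so the object itself is not
        // handed to the logger; whether its toString() prints the secret is not visible here.
        log.debug("SSO configuration loaded: provider={}, issuer={}", ssoConf.getProviderName(), this.issuer);
        if (StringUtils.isBlank(this.issuer)) {
            return null;
        }
        // NOTE(review): the issuer URL scheme is not checked in this class; confirm that the
        // configuration source only supplies https issuers.
        try {
            String providerName = ssoConf.getProviderName();
            String clientId = ssoConf.getClientId();
            String clientSecret = ssoConf.getClientSecret();
            if (providerName == null) {
                // Handled explicitly instead of relying on a NullPointerException reaching the
                // catch block; the outcome (flag set to "false", null returned) is unchanged.
                log.error("SSO provider name is missing; OAuth2 login is not configured");
                System.setProperty("isSsoProviderRunning", "false");
                return null;
            }
            ClientRegistration clientRegistration = null;
            if ("okta".equalsIgnoreCase(providerName)) {
                clientRegistration = getOktaRegistration(clientId, clientSecret);
            } else if ("keycloak".equalsIgnoreCase(providerName)) {
                clientRegistration = getKeyCloakRegistration(clientId, clientSecret);
            }
            if (clientRegistration == null) {
                log.warn("Unsupported SSO provider: {}", providerName);
                return null;
            }
            System.setProperty("isSsoProviderRunning", "true");
            return new InMemoryClientRegistrationRepository(clientRegistration);
        } catch (Exception e) {
            log.error("Exception during clientRegistration: {}", e.getMessage(), e);
            System.setProperty("isSsoProviderRunning", "false");
            return null;
        }
    }

    /**
     * Builds the Keycloak registration from the issuer's published provider metadata
     * ({@code fromIssuerLocation} queries the issuer), requesting only the {@code openid} scope.
     */
    private ClientRegistration getKeyCloakRegistration(String clientId, String clientSecret) {
        return ClientRegistrations.fromIssuerLocation(this.issuer)
                .clientId(clientId)
                .clientSecret(clientSecret)
                .scope(OidcScopes.OPENID)
                .build();
    }

    /**
     * Builds the Okta registration with endpoints derived from the issuer by appending
     * {@code /v1/authorize}, {@code /v1/token} and {@code /v1/keys}.
     */
    private ClientRegistration getOktaRegistration(String clientId, String clientSecret) {
        // assumes the configured issuer has no trailing slash; one would yield "//v1/..." paths
        return CommonOAuth2Provider.OKTA.getBuilder("okta")
                .issuerUri(this.issuer)
                .authorizationUri(this.issuer + "/v1/authorize")
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .tokenUri(this.issuer + "/v1/token")
                .jwkSetUri(this.issuer + "/v1/keys")
                .scope(Arrays.asList(OidcScopes.OPENID, "offline_access", "email", "profile"))
                .clientId(clientId)
                .clientSecret(clientSecret)
                .build();
    }

    /**
     * Creates the in-memory store of authorized OAuth2 clients.
     *
     * @param clientRegistrationRepository the registrations the service may hold clients for
     * @return the service, or {@code null} when it cannot be created
     */
    @Bean
    public OAuth2AuthorizedClientService authorizedClientService(ClientRegistrationRepository clientRegistrationRepository) {
        try {
            return new InMemoryOAuth2AuthorizedClientService(clientRegistrationRepository);
        } catch (Exception e) {
            log.error("Exception during authorizedClientService: {}", e.getMessage(), e);
            return null;
        }
    }

    /**
     * Loads the SSO configuration: from the cluster startup resources when
     * {@code MapRAdminService.isKsEnabled()} is true, otherwise from {@link Oauth2Util}.
     *
     * <p>Only the {@code Oauth2Util} path validates the issuer endpoint and provider name here;
     * the other path returns whatever the cluster startup resources hold.
     *
     * @return the configuration, or {@code null} when it is absent, incomplete or cannot be read
     */
    private SsoConf getSsoConf() {
        SsoConf ssoConf;
        MapRAdminService mapRAdminService = new MapRAdminService();
        if (mapRAdminService.isKsEnabled()) {
            ssoConf = mapRAdminService.getClusterStartupResources().getSsoConf();
            // Log presence only: the object holds the client secret.
            log.debug("ssoconf from ks: present={}", ssoConf != null);
        } else {
            try {
                ssoConf = Oauth2Util.getInstance().getSsoConf();
                if (ssoConf == null) {
                    log.info("SSO configuration not found");
                    System.setProperty("isSsoProviderRunning", "false");
                    return null;
                }
                if (StringUtils.isBlank(ssoConf.getIssuerEndPoint()) || StringUtils.isBlank(ssoConf.getProviderName())) {
                    return null;
                }
            } catch (Exception e) {
                log.error("Exception caught when getting ssoconf in clientRegistrationRepository, error is: {}", e.getCause(), e);
                return null;
            }
        }
        return ssoConf;
    }
}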
