package cn.home1.oss.environment.configserver;

import com.google.common.base.Preconditions;
import com.google.common.collect.Lists;
import java.util.ArrayList;
import java.util.List;
import java.util.UUID;
import java.util.stream.Collectors;
import javax.sql.DataSource;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.core.env.Environment;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.datasource.DataSourceTransactionManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.provisioning.JdbcUserDetailsManagerConfigurer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.JdbcUserDetailsManager;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.transaction.PlatformTransactionManager;

/**
 * Spring Security setup for the config server: JDBC-backed accounts hashed with BCrypt, HTTP Basic
 * authentication, and two custom filters placed ahead of {@link BasicAuthenticationFilter}.
 *
 * <p>Account provisioning runs whenever the authentication manager is configured. The three role
 * groups are created if missing, every current member of the admin group is deleted before the admin
 * account is registered again from {@link SecurityProperties}, and the webhook account is registered
 * again with the password generated for this instance. When the datasource driver is H2, three demo
 * accounts are recreated as well.
 *
 * <p>Review notes for operators:
 * <ul>
 *   <li>CSRF protection is disabled, and {@code /encrypt} plus the monitor endpoint are reachable
 *       without authentication (see {@link #configure(HttpSecurity)}).</li>
 *   <li>With an H2 driver, {@code /h2-console/**} bypasses Spring Security entirely and the demo
 *       accounts fall back to a fixed password. Treat an H2-backed instance as development-only.</li>
 * </ul>
 */
@Configuration
@EnableWebSecurity
@Order(2147483640) // NOTE(review): equals SecurityProperties.ACCESS_OVERRIDE_ORDER in Spring Boot 1.x - confirm
/* loaded from: input_file:cn/home1/oss/environment/configserver/WebSecurityConfiguration.class */
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
    private static final Logger log = LoggerFactory.getLogger(WebSecurityConfiguration.class);

    // URL prefix prepended to every path matcher below; empty when the property is unset.
    @Value("${spring.cloud.config.server.prefix:}")
    private String configServerPrefix;

    // Handed to UsernameModifyFilter; the same path is opened with permitAll() in configure(HttpSecurity).
    @Value("${spring.cloud.config.server.prefix:}/users/login")
    private String loginEndpoint;

    @Value("${management.context-path:}")
    private String managementContextPath;

    // Already ends in "/monitor"; configure(HttpSecurity) prepends configServerPrefix to it.
    @Value("${spring.cloud.config.monitor.endpoint.path:}/monitor")
    private String monitorEndpoint;

    // Raw whitelist value passed to MonitorWhitelistFilter; its format is defined by that filter.
    @Value("${spring.cloud.config.server.monitor.whitelist:}")
    private String monitorWhitelist;

    // Generated once per instance. It becomes the webhook account's password and is also handed to
    // MonitorWhitelistFilter, so it is a live credential and must be kept out of logs.
    private String webhookPassword = UUID.randomUUID().toString();

    @Autowired
    private Environment environment;

    @Autowired
    private DataSource dataSource;

    @Autowired
    private JdbcTemplate jdbcTemplate;

    @Autowired
    private SecurityProperties securityProperties;

    @Autowired
    private UserService userService;

    /**
     * Excludes the H2 console and static assets from the security filter chain when the datasource
     * driver is H2, then delegates to the adapter.
     *
     * <p>{@code ignoring()} takes the listed paths out of Spring Security altogether, so the console
     * is served without authentication. The console presumably has access to the same database that
     * stores the accounts; keep H2-backed instances off untrusted networks.
     *
     * @param webSecurity the web security builder supplied by Spring
     * @throws Exception if the parent initialisation fails
     */
    @Override
    public void init(WebSecurity webSecurity) throws Exception {
        if (isH2DataSource()) {
            webSecurity.ignoring().antMatchers("/h2-console/**", "/index.html", "/webjars/**");
        }
        super.init(webSecurity);
    }

    /**
     * Wires JDBC authentication and provisions the groups, admin, webhook and (H2 only) demo accounts.
     *
     * @param authenticationManagerBuilder builder supplied by Spring
     * @throws Exception propagated from the user service or the JDBC user manager
     */
    @Override
    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        JdbcUserDetailsManagerConfigurer<AuthenticationManagerBuilder> jdbcAuth =
            authenticationManagerBuilder.jdbcAuthentication();
        jdbcAuth.passwordEncoder(passwordEncoder());
        jdbcAuth.dataSource(this.dataSource);

        JdbcUserDetailsManager userManager = jdbcAuth.getUserDetailsService();
        userManager.setJdbcTemplate(this.jdbcTemplate);

        // Order matters: the groups must exist before accounts are added to them.
        createGroups(jdbcAuth);
        createAdminUser(jdbcAuth);
        createWebhookUser(jdbcAuth);

        this.userService.setPasswordEncoder(passwordEncoder());
        this.userService.setUserDetailsManager(userManager);

        if (!isH2DataSource()) {
            return;
        }

        // Demo accounts, recreated on every start. Without -DdefaultPassword they all share the
        // fixed fallback below, so this branch is only acceptable on throwaway instances.
        String demoPassword = System.getProperty("defaultPassword", "user_pass");
        String[] demoApps = {"oss-todomvc-app", "oss-todomvc-thymeleaf", "oss-todomvc-gateway"};
        for (String demoApp : demoApps) {
            this.userService.deleteUser(demoApp, Security.USER_USER, Boolean.FALSE);
            this.userService.createUser(demoApp, Security.USER_USER, demoPassword);
        }
    }

    /**
     * Declares the HTTP authorization rules and installs the two custom filters.
     *
     * <p>Matchers are evaluated in declaration order, so the {@code /users/login} rule has to stay
     * ahead of the broader {@code /users/*} rule.
     *
     * @param httpSecurity the HTTP security builder supplied by Spring
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        String prefix = this.configServerPrefix;
        httpSecurity
            // CSRF protection is off for the whole application. NOTE(review): confirm that no
            // browser session ever carries admin credentials to this server.
            .csrf().disable()
            .addFilterBefore(usernameModifyFilter(), BasicAuthenticationFilter.class)
            .addFilterBefore(monitorWhitelistFilter(), BasicAuthenticationFilter.class)
            .authorizeRequests()
                // Unauthenticated: any client that can reach the server may call /encrypt. The
                // monitor endpoint is open here too; restricting it is presumably left to
                // MonitorWhitelistFilter (not shown) - verify.
                .antMatchers(prefix + "/encrypt", prefix + this.monitorEndpoint).permitAll()
                .antMatchers(prefix + "/decrypt").hasRole(Security.ADMIN)
                .antMatchers(prefix + "/users/login").permitAll()
                .antMatchers(prefix + "/users/*").hasRole(Security.ADMIN)
                .anyRequest().authenticated()
            .and()
            .httpBasic();
    }

    /**
     * Creates the admin, user and webhook groups when they are absent; each group carries the single
     * authority named after it.
     */
    private void createGroups(JdbcUserDetailsManagerConfigurer<AuthenticationManagerBuilder> jdbcUserDetailsManagerConfigurer) {
        JdbcUserDetailsManager groupManager = jdbcUserDetailsManagerConfigurer.getUserDetailsService();
        List<String> existingGroups = groupManager.findAllGroups();
        String[] requiredGroups = {Security.ROLE_ADMIN, Security.ROLE_USER, Security.ROLE_WEBHOOK};
        for (String group : requiredGroups) {
            if (!existingGroups.contains(group)) {
                groupManager.createGroup(group, Lists.<GrantedAuthority>newArrayList(new SimpleGrantedAuthority(group)));
            }
        }
    }

    /**
     * Replaces whatever is in the admin group with the single admin account from
     * {@link SecurityProperties}.
     *
     * <p>The configured name must not collide with the reserved user/webhook names and the configured
     * roles must include ADMIN. If the clean-up raises {@link UsernameNotFoundException}, the account
     * is still registered, but the remaining clean-up steps are skipped.
     */
    private void createAdminUser(JdbcUserDetailsManagerConfigurer<AuthenticationManagerBuilder> jdbcUserDetailsManagerConfigurer) {
        JdbcUserDetailsManager userManager = jdbcUserDetailsManagerConfigurer.getUserDetailsService();
        String adminName = this.securityProperties.getUser().getName();
        String adminPassword = this.securityProperties.getUser().getPassword();
        List<String> adminRoles = this.securityProperties.getUser().getRole().stream()
            .sorted()
            .distinct()
            .collect(Collectors.toList());

        Preconditions.checkArgument(!Security.USER_USER.equals(adminName), "can not use user as admin username.");
        Preconditions.checkArgument(!Security.USER_WEBHOOK.equals(adminName), "can not use webhook as admin username.");
        Preconditions.checkArgument(adminRoles.contains(Security.ADMIN), "user must has role 'ADMIN'");

        try {
            // Drop every account currently in the admin group so that stale admins do not survive
            // a change of the configured admin name.
            for (String staleAdmin : userManager.findUsersInGroup(Security.ROLE_ADMIN)) {
                userManager.removeUserFromGroup(staleAdmin, Security.ROLE_ADMIN);
                userManager.deleteUser(staleAdmin);
            }
            jdbcUserDetailsManagerConfigurer.getUserDetailsService().deleteUser(adminName);
            registerUser(jdbcUserDetailsManagerConfigurer, userManager, adminName, adminPassword, adminRoles, Security.ROLE_ADMIN);
        } catch (UsernameNotFoundException e) {
            log.debug("username '{}' not found", adminName, e);
            registerUser(jdbcUserDetailsManagerConfigurer, userManager, adminName, adminPassword, adminRoles, Security.ROLE_ADMIN);
        }
    }

    /**
     * Registers the webhook account again with this instance's generated password, after removing any
     * previous one.
     */
    private void createWebhookUser(JdbcUserDetailsManagerConfigurer<AuthenticationManagerBuilder> jdbcUserDetailsManagerConfigurer) {
        JdbcUserDetailsManager userManager = jdbcUserDetailsManagerConfigurer.getUserDetailsService();
        String generatedPassword = this.webhookPassword;
        List<String> webhookRoles = Lists.newArrayList(Security.WEBHOOK);

        try {
            userManager.removeUserFromGroup(Security.USER_WEBHOOK, Security.ROLE_WEBHOOK);
            userManager.deleteUser(Security.USER_WEBHOOK);
            registerUser(jdbcUserDetailsManagerConfigurer, userManager, Security.USER_WEBHOOK, generatedPassword, webhookRoles, Security.ROLE_WEBHOOK);
        } catch (UsernameNotFoundException e) {
            log.debug("username '{}' not found", Security.USER_WEBHOOK, e);
            registerUser(jdbcUserDetailsManagerConfigurer, userManager, Security.USER_WEBHOOK, generatedPassword, webhookRoles, Security.ROLE_WEBHOOK);
        }
    }

    /**
     * Queues {@code username} on the configurer with a BCrypt-encoded password and the given roles,
     * then adds it to {@code group}.
     */
    private void registerUser(
            JdbcUserDetailsManagerConfigurer<AuthenticationManagerBuilder> configurer,
            JdbcUserDetailsManager userManager,
            String username,
            String rawPassword,
            List<String> roles,
            String group) {
        configurer.withUser(username)
            .password(passwordEncoder().encode(rawPassword))
            .roles(roles.toArray(new String[0]));
        userManager.addUserToGroup(username, group);
    }

    /**
     * Password hashing used for every stored account.
     *
     * @return a BCrypt encoder with the library's default strength
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * Builds the monitor whitelist filter. This method is not a {@code @Bean}, so every call creates
     * a new instance.
     *
     * @return a filter configured with the monitor endpoint, the whitelist and the webhook password
     */
    public MonitorWhitelistFilter monitorWhitelistFilter() {
        MonitorWhitelistFilter filter = new MonitorWhitelistFilter();
        filter.setEnvironment(this.environment);
        filter.setMonitorEndpoint(this.monitorEndpoint);
        filter.setMonitorWhitelist(this.monitorWhitelist);
        // The filter receives the live webhook credential; its use is defined in MonitorWhitelistFilter.
        filter.setWebhookPassword(this.webhookPassword);
        return filter;
    }

    /**
     * Builds the username-rewriting filter. This method is not a {@code @Bean}, so every call creates
     * a new instance.
     *
     * @return a filter configured with the admin username and the endpoint paths it needs
     */
    public UsernameModifyFilter usernameModifyFilter() {
        UsernameModifyFilter filter = new UsernameModifyFilter();
        filter.setAdminUsername(this.securityProperties.getUser().getName());
        filter.setConfigServerPrefix(this.configServerPrefix);
        filter.setEnvironment(this.environment);
        filter.setLoginEndpoint(this.loginEndpoint);
        filter.setManagementContextPath(this.managementContextPath);
        return filter;
    }

    /**
     * Transaction manager bound to the same datasource that stores the accounts.
     *
     * @return a {@link DataSourceTransactionManager} over the injected datasource
     */
    @Bean
    public PlatformTransactionManager transactionManager() {
        return new DataSourceTransactionManager(this.dataSource);
    }

    /**
     * Reports whether the datasource driver class is {@code org.h2.Driver}. This single check enables
     * both the console bypass in {@code init} and the demo accounts.
     */
    private boolean isH2DataSource() {
        // NOTE(review): javax.sql.DataSource declares no getDriverClassName(); the original source
        // presumably used a pool-specific DataSource type here - confirm before building.
        return "org.h2.Driver".equals(this.dataSource.getDriverClassName());
    }
}
