package com.alibaba.nacos.console.security.nacos;

import com.alibaba.nacos.auth.common.AuthConfigs;
import com.alibaba.nacos.auth.common.AuthSystemTypes;
import com.alibaba.nacos.console.filter.JwtAuthenticationTokenFilter;
import com.alibaba.nacos.console.security.nacos.users.NacosUserDetailsServiceImpl;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.core.env.Environment;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.cors.CorsUtils;

/**
 * Spring Security configuration for the Nacos console.
 *
 * <p>This listing is decompiler output; its provenance marker names
 * {@code com/alibaba/nacos/console/security/nacos/NacosAuthConfig.class} as the origin.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@link #configure(WebSecurity)} registers URL patterns that Spring Security skips
 *       entirely. The pattern is {@code "/**"} when the auth system type is {@code NACOS}, and
 *       {@code "/**"} is also the default when the type is blank.</li>
 *   <li>{@link #configure(HttpSecurity)} adds the JWT filter and URL rules only when the auth
 *       system type is blank.</li>
 *   <li>Passwords are verified with {@link BCryptPasswordEncoder}.</li>
 * </ul>
 *
 * <p>NOTE(review): because ignored patterns never reach the Spring Security filter chain, access
 * control for those requests has to be enforced by some other component. That component is not
 * visible in this file. Confirm it exists and is enabled before relying on this configuration.
 */
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class NacosAuthConfig extends WebSecurityConfigurerAdapter {

    /** Name of the HTTP header that carries the credential. */
    public static final String AUTHORIZATION_HEADER = "Authorization";

    /** Separator between patterns in the {@code nacos.security.ignore.urls} property. */
    public static final String SECURITY_IGNORE_URLS_SPILT_CHAR = ",";

    /** Login endpoint; reachable without authentication in {@link #configure(HttpSecurity)}. */
    public static final String LOGIN_ENTRY_POINT = "/v1/auth/login";

    /** Ant pattern that {@link #configure(HttpSecurity)} restricts to authenticated callers. */
    public static final String TOKEN_BASED_AUTH_ENTRY_POINT = "/v1/auth/**";

    /** Scheme prefix expected in front of the token value. */
    public static final String TOKEN_PREFIX = "Bearer ";

    public static final String CONSOLE_RESOURCE_NAME_PREFIX = "console/";

    public static final String UPDATE_PASSWORD_ENTRY_POINT = "console/user/password";

    @Autowired
    private Environment env;

    @Autowired
    private JwtTokenManager tokenProvider;

    @Autowired
    private AuthConfigs authConfigs;

    @Autowired
    private NacosUserDetailsServiceImpl userDetailsService;

    /**
     * Publishes the adapter's {@link AuthenticationManager} as a bean under the explicit name
     * {@code org.springframework.security.authenticationManager}.
     *
     * @return the authentication manager built by the parent adapter
     * @throws Exception if the parent adapter fails to build it
     */
    @Bean(name = {"org.springframework.security.authenticationManager"})
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Registers the URL patterns that Spring Security ignores completely.
     *
     * <p>Pattern selection:
     * <ul>
     *   <li>auth system type equals {@code NACOS} (case-insensitive): {@code "/**"};</li>
     *   <li>auth system type blank: the comma-separated value of
     *       {@code nacos.security.ignore.urls}, defaulting to {@code "/**"};</li>
     *   <li>any other type: nothing is registered here.</li>
     * </ul>
     *
     * <p>Requests matching an {@code ignoring()} pattern get no Spring Security filters at all.
     * With {@code "/**"}, the rules and the JWT filter set up in
     * {@link #configure(HttpSecurity)} are therefore not consulted for any request. Operators who
     * want those rules to apply must set {@code nacos.security.ignore.urls} to a narrower list.
     *
     * @param webSecurity builder that receives the ignore patterns
     */
    public void configure(WebSecurity webSecurity) {
        String ignorePatterns = null;
        if (AuthSystemTypes.NACOS.name().equalsIgnoreCase(authConfigs.getNacosAuthSystemType())) {
            ignorePatterns = "/**";
        }
        if (StringUtils.isBlank(authConfigs.getNacosAuthSystemType())) {
            // Blank type: the ignore list is operator-controlled and defaults to every path.
            ignorePatterns = env.getProperty("nacos.security.ignore.urls", "/**");
        }
        if (StringUtils.isBlank(ignorePatterns)) {
            return;
        }
        for (String pattern : ignorePatterns.trim().split(SECURITY_IGNORE_URLS_SPILT_CHAR)) {
            // Each entry is trimmed so "a, b" and "a,b" configure the same matchers.
            webSecurity.ignoring().antMatchers(pattern.trim());
        }
    }

    /**
     * Wires the Nacos user store and the password encoder into the authentication manager.
     *
     * @param authenticationManagerBuilder builder for the authentication manager
     * @throws Exception if the builder rejects the configuration
     */
    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        authenticationManagerBuilder
                .userDetailsService(userDetailsService)
                .passwordEncoder(passwordEncoder());
    }

    /**
     * Configures the HTTP filter chain. It does so only when the auth system type is blank; for
     * any other value this method adds nothing.
     *
     * <p>The chain is stateless (no HTTP session is created) and has CSRF protection disabled.
     * NOTE(review): disabling CSRF is sound only while the credential travels in a request header
     * rather than a cookie. The filter that reads it is not shown here; confirm against
     * {@code JwtAuthenticationTokenFilter}.
     *
     * <p>Rule order matters. CORS preflight requests and {@link #LOGIN_ENTRY_POINT} are permitted
     * first, then {@link #TOKEN_BASED_AUTH_ENTRY_POINT} requires authentication. No rule is
     * declared for paths outside {@code /v1/auth/**}.
     *
     * @param httpSecurity builder for the HTTP security chain
     * @throws Exception if the chain cannot be configured
     */
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        if (StringUtils.isNotBlank(authConfigs.getNacosAuthSystemType())) {
            return;
        }

        httpSecurity
                .csrf().disable()
                .cors()
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                // Preflight requests carry no credentials, so they must pass unauthenticated.
                .requestMatchers(new RequestMatcher[]{CorsUtils::isPreFlightRequest}).permitAll()
                // Declared before the broader /v1/auth/** rule so login stays reachable.
                .antMatchers(LOGIN_ENTRY_POINT).permitAll()
                .and()
                .authorizeRequests()
                .antMatchers(TOKEN_BASED_AUTH_ENTRY_POINT).authenticated()
                .and()
                .exceptionHandling().authenticationEntryPoint(new JwtAuthenticationEntryPoint());

        httpSecurity.headers().cacheControl();

        // The token filter runs ahead of the form-login filter.
        httpSecurity.addFilterBefore(
                new JwtAuthenticationTokenFilter(tokenProvider),
                UsernamePasswordAuthenticationFilter.class);
    }

    /**
     * Supplies the encoder used to hash and verify user passwords.
     *
     * @return a {@link BCryptPasswordEncoder} created with its no-argument constructor, i.e. the
     *         library's default strength
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
