package com.alibaba.nacos.plugin.auth.impl;

import com.alibaba.nacos.auth.config.AuthConfigs;
import com.alibaba.nacos.common.utils.StringUtils;
import com.alibaba.nacos.core.code.ControllerMethodsCache;
import com.alibaba.nacos.plugin.auth.impl.constant.AuthConstants;
import com.alibaba.nacos.plugin.auth.impl.constant.AuthSystemTypes;
import com.alibaba.nacos.plugin.auth.impl.filter.JwtAuthenticationTokenFilter;
import com.alibaba.nacos.plugin.auth.impl.users.NacosUserDetailsServiceImpl;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.io.DecodingException;
import java.nio.charset.StandardCharsets;
import java.util.Properties;
import javax.annotation.PostConstruct;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.core.env.Environment;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.cors.CorsUtils;

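/**
 * Spring Security configuration for the built-in Nacos auth plugin.
 *
 * <p>The class wires the authentication manager (local user store or LDAP, chosen by
 * {@code AuthConfigs#getNacosAuthSystemType()}), decides which URL patterns bypass the Spring
 * Security filter chain, and exposes the token secret and token lifetime read from the auth
 * plugin properties.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>For the {@code NACOS} and {@code LDAP} auth system types, {@code /**} is registered as an
 *       ignored pattern, so no request passes through the Spring Security filter chain.
 *       NOTE(review): request authentication must then be enforced by a component outside this
 *       file; confirm which one before relying on this configuration.</li>
 *   <li>The token secret falls back to {@code AuthConstants.DEFAULT_TOKEN_SECRET_KEY} when the
 *       operator has not configured one. A value compiled into the distribution is not a secret;
 *       deployments should always set their own key and audit for the default.</li>
 * </ul>
 */
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class NacosAuthConfig extends WebSecurityConfigurerAdapter {
    /** Separator between entries of the {@code nacos.security.ignore.urls} property. */
    private static final String SECURITY_IGNORE_URLS_SPILT_CHAR = ",";
    private static final String LOGIN_ENTRY_POINT = "/v1/auth/login";
    private static final String TOKEN_BASED_AUTH_ENTRY_POINT = "/v1/auth/**";
    private static final String DEFAULT_ALL_PATH_PATTERN = "/**";
    private static final String PROPERTY_IGNORE_URLS = "nacos.security.ignore.urls";

    @Autowired
    private Environment env;

    @Autowired
    private JwtTokenManager tokenProvider;

    @Autowired
    private AuthConfigs authConfigs;

    @Autowired
    private NacosUserDetailsServiceImpl userDetailsService;

    @Autowired
    private LdapAuthenticationProvider ldapAuthenticationProvider;

    @Autowired
    private ControllerMethodsCache methodsCache;

    /** Token secret exactly as configured (Base64 text or a plain string). */
    private String secretKey;

    /** Decoded form of {@link #secretKey}; computed on first use by {@link #getSecretKeyBytes()}. */
    private byte[] secretKeyBytes;

    private long tokenValidityInSeconds;

    /**
     * Registers the auth plugin's controller package with the method cache and loads the token
     * settings. Runs once after dependency injection.
     */
    @PostConstruct
    public void init() {
        this.methodsCache.initClassMethod("com.alibaba.nacos.plugin.auth.impl.controller");
        initProperties();
    }

    /**
     * Reads the token lifetime and the token secret from the auth plugin properties.
     *
     * @throws NumberFormatException if the configured token lifetime is not a valid {@code long}
     */
    private void initProperties() {
        Properties pluginProperties = this.authConfigs.getAuthPluginProperties(AuthConstants.AUTH_PLUGIN_TYPE);
        this.tokenValidityInSeconds = Long.parseLong(
                pluginProperties.getProperty(AuthConstants.TOKEN_EXPIRE_SECONDS, AuthConstants.DEFAULT_TOKEN_EXPIRE_SECONDS));
        // SECURITY: when no secret is configured this silently uses the built-in default. Every
        // installation that keeps the default shares the same key material, so tokens from such an
        // installation cannot be trusted to have been issued by it.
        // NOTE(review): consider refusing to start (or at least logging loudly) when the effective
        // value equals AuthConstants.DEFAULT_TOKEN_SECRET_KEY while authentication is enabled.
        this.secretKey = pluginProperties.getProperty(AuthConstants.TOKEN_SECRET_KEY, AuthConstants.DEFAULT_TOKEN_SECRET_KEY);
    }

    /**
     * Exposes the adapter's {@link AuthenticationManager} as a bean under the name Spring Security
     * conventionally uses for it.
     *
     * @return the authentication manager built by the parent adapter
     * @throws Exception if the parent adapter fails to build the manager
     */
    @Bean(name = {"org.springframework.security.authenticationManager"})
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Registers the URL patterns that bypass the Spring Security filter chain entirely.
     *
     * <p>For the {@code NACOS} and {@code LDAP} auth system types every path ({@code /**}) is
     * ignored. When no auth system type is set, the comma-separated list in
     * {@code nacos.security.ignore.urls} is used, defaulting to {@code /**}. Any other type
     * registers nothing.
     *
     * @param webSecurity the builder that receives the ignored patterns
     */
    public void configure(WebSecurity webSecurity) {
        String authSystemType = this.authConfigs.getNacosAuthSystemType();
        String ignoreUrls = null;
        if (AuthSystemTypes.NACOS.name().equalsIgnoreCase(authSystemType)
                || AuthSystemTypes.LDAP.name().equalsIgnoreCase(authSystemType)) {
            ignoreUrls = DEFAULT_ALL_PATH_PATTERN;
        } else if (StringUtils.isBlank(authSystemType)) {
            ignoreUrls = this.env.getProperty(PROPERTY_IGNORE_URLS, DEFAULT_ALL_PATH_PATTERN);
        }
        if (StringUtils.isBlank(ignoreUrls)) {
            return;
        }
        for (String entry : ignoreUrls.trim().split(SECURITY_IGNORE_URLS_SPILT_CHAR)) {
            String pattern = entry.trim();
            // A doubled comma or stray whitespace yields an entry with no pattern; skipping it
            // never widens the ignored set and keeps a sloppy list from producing an empty matcher.
            if (pattern.isEmpty()) {
                continue;
            }
            webSecurity.ignoring().antMatchers(pattern);
        }
    }

    /**
     * Selects the credential source: the local user store with the BCrypt encoder for
     * {@code NACOS}, the LDAP provider for {@code LDAP}. Other types configure nothing here.
     *
     * @param authenticationManagerBuilder the builder to configure
     * @throws Exception if registering the user details service fails
     */
    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        String authSystemType = this.authConfigs.getNacosAuthSystemType();
        if (AuthSystemTypes.NACOS.name().equalsIgnoreCase(authSystemType)) {
            authenticationManagerBuilder.userDetailsService(this.userDetailsService).passwordEncoder(passwordEncoder());
        } else if (AuthSystemTypes.LDAP.name().equalsIgnoreCase(authSystemType)) {
            authenticationManagerBuilder.authenticationProvider(this.ldapAuthenticationProvider);
        }
    }

    /**
     * Configures the HTTP filter chain, but only when no auth system type is set.
     *
     * <p>In that case: CSRF protection is disabled and sessions are stateless; CORS pre-flight
     * requests and the login endpoint are open; everything else under {@code /v1/auth/**} requires
     * authentication; and the JWT filter runs ahead of the username/password filter. Paths outside
     * {@code /v1/auth/**} get no authorization rule from this method.
     *
     * @param httpSecurity the builder to configure
     * @throws Exception if Spring Security rejects the configuration
     */
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        if (!StringUtils.isBlank(this.authConfigs.getNacosAuthSystemType())) {
            return;
        }
        httpSecurity
                .csrf().disable()
                .cors()
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                .requestMatchers(CorsUtils::isPreFlightRequest).permitAll()
                .antMatchers(LOGIN_ENTRY_POINT).permitAll()
                .and()
                .authorizeRequests()
                .antMatchers(TOKEN_BASED_AUTH_ENTRY_POINT).authenticated()
                .and()
                .exceptionHandling().authenticationEntryPoint(new JwtAuthenticationEntryPoint());
        httpSecurity.headers().cacheControl();
        httpSecurity.addFilterBefore(new JwtAuthenticationTokenFilter(this.tokenProvider), UsernamePasswordAuthenticationFilter.class);
    }

    /**
     * Provides the password encoder used for the local user store.
     *
     * @return a BCrypt encoder with the library's default settings
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * Returns the token secret as raw key bytes.
     *
     * <p>The configured secret is decoded as Base64; if that fails it is used as its UTF-8 bytes
     * instead. The decoded value is cached after the first call.
     *
     * @return a copy of the key bytes, so callers cannot alter the cached key
     */
    public byte[] getSecretKeyBytes() {
        if (this.secretKeyBytes == null) {
            try {
                this.secretKeyBytes = Decoders.BASE64.decode(this.secretKey);
            } catch (DecodingException e) {
                // SECURITY: a secret that is not valid Base64 is accepted as plain text without
                // any signal to the operator, so a typo in a Base64 key quietly changes the
                // effective key material. NOTE(review): consider surfacing this at startup.
                this.secretKeyBytes = this.secretKey.getBytes(StandardCharsets.UTF_8);
            }
        }
        return this.secretKeyBytes.clone();
    }

    /**
     * Returns the configured token lifetime.
     *
     * @return token validity in seconds
     */
    public long getTokenValidityInSeconds() {
        return this.tokenValidityInSeconds;
    }
}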
