package org.apache.ambari.infra.conf.security;

import java.util.Arrays;
import java.util.Optional;
import javax.inject.Inject;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
/* loaded from: input_file:org/apache/ambari/infra/conf/security/WebSecurityConfig.class */
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Value("${infra-manager.admin-user.username:admin}")
    private String adminUserName;

    @Value("${infra-manager.admin-user.password:@null}")
    private String adminUserPassword;

    protected void configure(HttpSecurity httpSecurity) throws Exception {
        ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) httpSecurity.csrf().disable().authorizeRequests().requestMatchers(new RequestMatcher[]{publicEndpoints()})).permitAll().antMatchers(new String[]{"/**"})).hasRole("ADMIN").and().httpBasic();
    }

    private RequestMatcher publicEndpoints() {
        return new OrRequestMatcher(Arrays.asList(new AntPathRequestMatcher("/docs/**"), new AntPathRequestMatcher("/swagger-ui/**"), new AntPathRequestMatcher("/api/v1/swagger.yaml")));
    }

    @Inject
    public void configureGlobal(AuthenticationManagerBuilder authenticationManagerBuilder, PasswordEncoder passwordEncoder, HadoopCredentialStore hadoopCredentialStore) throws Exception {
        authenticationManagerBuilder.inMemoryAuthentication().passwordEncoder(passwordEncoder).withUser(this.adminUserName).password(passwordEncoder.encode(new CompositeSecret(hadoopCredentialStore.getSecret("infra_manager_admin_user_password"), () -> {
            return Optional.ofNullable(this.adminUserPassword);
        }).get().orElseThrow(() -> {
            return new IllegalStateException("Password for admin not set!");
        }))).roles(new String[]{"ADMIN"});
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
