package org.springframework.security.config.websocket;

import java.util.Comparator;
import java.util.Map;
import java.util.function.Supplier;
import org.springframework.beans.BeansException;
import org.springframework.beans.PropertyValue;
import org.springframework.beans.factory.FactoryBean;
import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.beans.factory.config.BeanReference;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.beans.factory.config.RuntimeBeanReference;
import org.springframework.beans.factory.support.BeanDefinitionBuilder;
import org.springframework.beans.factory.support.BeanDefinitionRegistry;
import org.springframework.beans.factory.support.BeanDefinitionRegistryPostProcessor;
import org.springframework.beans.factory.support.ManagedList;
import org.springframework.beans.factory.support.ManagedMap;
import org.springframework.beans.factory.support.RootBeanDefinition;
import org.springframework.beans.factory.xml.BeanDefinitionParser;
import org.springframework.beans.factory.xml.ParserContext;
import org.springframework.beans.factory.xml.XmlReaderContext;
import org.springframework.expression.Expression;
import org.springframework.messaging.Message;
import org.springframework.messaging.simp.SimpMessageType;
import org.springframework.messaging.simp.annotation.support.SimpAnnotationMethodMessageHandler;
import org.springframework.security.access.expression.ExpressionUtils;
import org.springframework.security.access.expression.SecurityExpressionHandler;
import org.springframework.security.access.vote.ConsensusBased;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.config.Elements;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.messaging.access.expression.ExpressionBasedMessageSecurityMetadataSourceFactory;
import org.springframework.security.messaging.access.expression.MessageAuthorizationContextSecurityExpressionHandler;
import org.springframework.security.messaging.access.expression.MessageExpressionVoter;
import org.springframework.security.messaging.access.intercept.AuthorizationChannelInterceptor;
import org.springframework.security.messaging.access.intercept.ChannelSecurityInterceptor;
import org.springframework.security.messaging.access.intercept.MessageAuthorizationContext;
import org.springframework.security.messaging.access.intercept.MessageMatcherDelegatingAuthorizationManager;
import org.springframework.security.messaging.context.AuthenticationPrincipalArgumentResolver;
import org.springframework.security.messaging.context.SecurityContextChannelInterceptor;
import org.springframework.security.messaging.util.matcher.MessageMatcher;
import org.springframework.security.messaging.util.matcher.SimpDestinationMessageMatcher;
import org.springframework.security.messaging.util.matcher.SimpMessageTypeMatcher;
import org.springframework.security.messaging.web.csrf.CsrfChannelInterceptor;
import org.springframework.security.messaging.web.socket.server.CsrfTokenHandshakeInterceptor;
import org.springframework.util.AntPathMatcher;
import org.springframework.util.Assert;
import org.springframework.util.PathMatcher;
import org.springframework.util.StringUtils;
import org.springframework.util.xml.DomUtils;
import org.w3c.dom.Element;

/* loaded from: input_file:org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.class */
public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements BeanDefinitionParser {
    private static final String ID_ATTR = "id";
    private static final String DISABLED_ATTR = "same-origin-disabled";
    private static final String USE_AUTHORIZATION_MANAGER_ATTR = "use-authorization-manager";
    private static final String AUTHORIZATION_MANAGER_REF_ATTR = "authorization-manager-ref";
    private static final String SECURITY_CONTEXT_HOLDER_STRATEGY_REF_ATTR = "security-context-holder-strategy-ref";
    private static final String PATTERN_ATTR = "pattern";
    private static final String ACCESS_ATTR = "access";
    private static final String TYPE_ATTR = "type";
    private static final String PATH_MATCHER_BEAN_NAME = "springSecurityMessagePathMatcher";

    /* loaded from: input_file:org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser$DelegatingPathMatcher.class */
    static class DelegatingPathMatcher implements PathMatcher {
        private PathMatcher delegate = new AntPathMatcher();

        DelegatingPathMatcher() {
        }

        public boolean isPattern(String str) {
            return this.delegate.isPattern(str);
        }

        public boolean match(String str, String str2) {
            return this.delegate.match(str, str2);
        }

        public boolean matchStart(String str, String str2) {
            return this.delegate.matchStart(str, str2);
        }

        public String extractPathWithinPattern(String str, String str2) {
            return this.delegate.extractPathWithinPattern(str, str2);
        }

        public Map<String, String> extractUriTemplateVariables(String str, String str2) {
            return this.delegate.extractUriTemplateVariables(str, str2);
        }

        public Comparator<String> getPatternComparator(String str) {
            return this.delegate.getPatternComparator(str);
        }

        public String combine(String str, String str2) {
            return this.delegate.combine(str, str2);
        }

        void setPathMatcher(PathMatcher pathMatcher) {
            this.delegate = pathMatcher;
        }
    }

    /* loaded from: input_file:org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser$ExpressionBasedAuthorizationManager.class */
    private static final class ExpressionBasedAuthorizationManager implements AuthorizationManager<MessageAuthorizationContext<?>> {
        private final SecurityExpressionHandler<MessageAuthorizationContext<?>> expressionHandler;
        private final Expression expression;

        private ExpressionBasedAuthorizationManager(String str) {
            this(new MessageAuthorizationContextSecurityExpressionHandler(), str);
        }

        private ExpressionBasedAuthorizationManager(SecurityExpressionHandler<MessageAuthorizationContext<?>> securityExpressionHandler, String str) {
            Assert.notNull(securityExpressionHandler, "expressionHandler cannot be null");
            Assert.notNull(str, "expression cannot be null");
            this.expressionHandler = securityExpressionHandler;
            this.expression = this.expressionHandler.getExpressionParser().parseExpression(str);
        }

        public AuthorizationDecision check(Supplier<Authentication> supplier, MessageAuthorizationContext<?> messageAuthorizationContext) {
            return new AuthorizationDecision(ExpressionUtils.evaluateAsBoolean(this.expression, this.expressionHandler.createEvaluationContext(supplier, messageAuthorizationContext)));
        }

        public /* bridge */ /* synthetic */ AuthorizationDecision check(Supplier supplier, Object obj) {
            return check((Supplier<Authentication>) supplier, (MessageAuthorizationContext<?>) obj);
        }
    }

    /* loaded from: input_file:org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser$MessageMatcherDelegatingAuthorizationManagerFactory.class */
    private static class MessageMatcherDelegatingAuthorizationManagerFactory {
        private MessageMatcherDelegatingAuthorizationManagerFactory() {
        }

        private static AuthorizationManager<Message<?>> createMessageMatcherDelegatingAuthorizationManager(Map<MessageMatcher<?>, AuthorizationManager<MessageAuthorizationContext<?>>> map) {
            MessageMatcherDelegatingAuthorizationManager.Builder builder = MessageMatcherDelegatingAuthorizationManager.builder();
            for (Map.Entry<MessageMatcher<?>, AuthorizationManager<MessageAuthorizationContext<?>>> entry : map.entrySet()) {
                builder.matchers(new MessageMatcher[]{entry.getKey()}).access(entry.getValue());
            }
            return builder.anyMessage().permitAll().build();
        }
    }

    /* loaded from: input_file:org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser$MessageSecurityPostProcessor.class */
    static class MessageSecurityPostProcessor implements BeanDefinitionRegistryPostProcessor {
        private static final String WEB_SOCKET_AMMH_CLASS_NAME = "org.springframework.web.socket.messaging.WebSocketAnnotationMethodMessageHandler";
        private static final String CLIENT_INBOUND_CHANNEL_BEAN_ID = "clientInboundChannel";
        private static final String INTERCEPTORS_PROP = "interceptors";
        private static final String CUSTOM_ARG_RESOLVERS_PROP = "customArgumentResolvers";
        private static final String TEMPLATE_EXPRESSION_BEAN_ID = "annotationExpressionTemplateDefaults";
        private final String inboundSecurityInterceptorId;
        private final boolean sameOriginDisabled;

        MessageSecurityPostProcessor(String str, boolean z) {
            this.inboundSecurityInterceptorId = str;
            this.sameOriginDisabled = z;
        }

        public void postProcessBeanDefinitionRegistry(BeanDefinitionRegistry beanDefinitionRegistry) throws BeansException {
            for (String str : beanDefinitionRegistry.getBeanDefinitionNames()) {
                BeanDefinition beanDefinition = beanDefinitionRegistry.getBeanDefinition(str);
                String beanClassName = beanDefinition.getBeanClassName();
                if (SimpAnnotationMethodMessageHandler.class.getName().equals(beanClassName) || WEB_SOCKET_AMMH_CLASS_NAME.equals(beanClassName)) {
                    PropertyValue propertyValue = beanDefinition.getPropertyValues().getPropertyValue(CUSTOM_ARG_RESOLVERS_PROP);
                    ManagedList managedList = new ManagedList();
                    if (propertyValue != null) {
                        managedList.addAll((ManagedList) propertyValue.getValue());
                    }
                    RootBeanDefinition rootBeanDefinition = new RootBeanDefinition(AuthenticationPrincipalArgumentResolver.class);
                    if (beanDefinitionRegistry.containsBeanDefinition(TEMPLATE_EXPRESSION_BEAN_ID)) {
                        rootBeanDefinition.getPropertyValues().add("templateDefaults", new RuntimeBeanReference(TEMPLATE_EXPRESSION_BEAN_ID));
                    }
                    managedList.add(rootBeanDefinition);
                    beanDefinition.getPropertyValues().add(CUSTOM_ARG_RESOLVERS_PROP, managedList);
                    if (!beanDefinitionRegistry.containsBeanDefinition(WebSocketMessageBrokerSecurityBeanDefinitionParser.PATH_MATCHER_BEAN_NAME)) {
                        PropertyValue propertyValue2 = beanDefinition.getPropertyValues().getPropertyValue("pathMatcher");
                        Object value = propertyValue2 != null ? propertyValue2.getValue() : null;
                        if (value instanceof BeanReference) {
                            beanDefinitionRegistry.registerAlias(((BeanReference) value).getBeanName(), WebSocketMessageBrokerSecurityBeanDefinitionParser.PATH_MATCHER_BEAN_NAME);
                        }
                    }
                } else if ("org.springframework.web.socket.server.support.WebSocketHttpRequestHandler".equals(beanClassName)) {
                    addCsrfTokenHandshakeInterceptor(beanDefinition);
                } else if ("org.springframework.web.socket.sockjs.transport.TransportHandlingSockJsService".equals(beanClassName)) {
                    addCsrfTokenHandshakeInterceptor(beanDefinition);
                } else if ("org.springframework.web.socket.sockjs.transport.handler.DefaultSockJsService".equals(beanClassName)) {
                    addCsrfTokenHandshakeInterceptor(beanDefinition);
                }
            }
            if (beanDefinitionRegistry.containsBeanDefinition(CLIENT_INBOUND_CHANNEL_BEAN_ID)) {
                ManagedList managedList2 = new ManagedList();
                managedList2.add(new RootBeanDefinition(SecurityContextChannelInterceptor.class));
                if (!this.sameOriginDisabled) {
                    managedList2.add(new RootBeanDefinition(CsrfChannelInterceptor.class));
                }
                managedList2.add(beanDefinitionRegistry.getBeanDefinition(this.inboundSecurityInterceptorId));
                BeanDefinition beanDefinition2 = beanDefinitionRegistry.getBeanDefinition(CLIENT_INBOUND_CHANNEL_BEAN_ID);
                PropertyValue propertyValue3 = beanDefinition2.getPropertyValues().getPropertyValue(INTERCEPTORS_PROP);
                if (propertyValue3 != null) {
                    managedList2.addAll((ManagedList) propertyValue3.getValue());
                }
                beanDefinition2.getPropertyValues().add(INTERCEPTORS_PROP, managedList2);
                if (beanDefinitionRegistry.containsBeanDefinition(WebSocketMessageBrokerSecurityBeanDefinitionParser.PATH_MATCHER_BEAN_NAME)) {
                    return;
                }
                beanDefinitionRegistry.registerBeanDefinition(WebSocketMessageBrokerSecurityBeanDefinitionParser.PATH_MATCHER_BEAN_NAME, new RootBeanDefinition(AntPathMatcher.class));
            }
        }

        private void addCsrfTokenHandshakeInterceptor(BeanDefinition beanDefinition) {
            if (this.sameOriginDisabled) {
                return;
            }
            ManagedList managedList = new ManagedList();
            managedList.add(new RootBeanDefinition(CsrfTokenHandshakeInterceptor.class));
            managedList.addAll((ManagedList) beanDefinition.getPropertyValues().get("handshakeInterceptors"));
            beanDefinition.getPropertyValues().add("handshakeInterceptors", managedList);
        }

        public void postProcessBeanFactory(ConfigurableListableBeanFactory configurableListableBeanFactory) throws BeansException {
        }
    }

    /* loaded from: input_file:org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser$SecurityContextHolderStrategyFactory.class */
    static class SecurityContextHolderStrategyFactory implements FactoryBean<SecurityContextHolderStrategy> {
        SecurityContextHolderStrategyFactory() {
        }

        /* renamed from: getObject, reason: merged with bridge method [inline-methods] */
        public SecurityContextHolderStrategy m105getObject() throws Exception {
            return SecurityContextHolder.getContextHolderStrategy();
        }

        public Class<?> getObjectType() {
            return SecurityContextHolderStrategy.class;
        }
    }

    public BeanDefinition parse(Element element, ParserContext parserContext) {
        String attribute = element.getAttribute(ID_ATTR);
        String parseAuthorization = parseAuthorization(element, parserContext);
        BeanDefinitionRegistry registry = parserContext.getRegistry();
        if (StringUtils.hasText(attribute)) {
            registry.registerAlias(parseAuthorization, attribute);
            if (registry.containsBeanDefinition(PATH_MATCHER_BEAN_NAME)) {
                return null;
            }
            registry.registerBeanDefinition(PATH_MATCHER_BEAN_NAME, new RootBeanDefinition(AntPathMatcher.class));
            return null;
        }
        boolean parseBoolean = Boolean.parseBoolean(element.getAttribute(DISABLED_ATTR));
        XmlReaderContext readerContext = parserContext.getReaderContext();
        BeanDefinitionBuilder rootBeanDefinition = BeanDefinitionBuilder.rootBeanDefinition(MessageSecurityPostProcessor.class);
        rootBeanDefinition.addConstructorArgValue(parseAuthorization);
        rootBeanDefinition.addConstructorArgValue(Boolean.valueOf(parseBoolean));
        readerContext.registerWithGeneratedName(rootBeanDefinition.getBeanDefinition());
        return null;
    }

    private String parseAuthorization(Element element, ParserContext parserContext) {
        boolean z = true;
        if (StringUtils.hasText(element.getAttribute(USE_AUTHORIZATION_MANAGER_ATTR))) {
            z = Boolean.parseBoolean(element.getAttribute(USE_AUTHORIZATION_MANAGER_ATTR));
        }
        if (!z && !StringUtils.hasText(element.getAttribute(AUTHORIZATION_MANAGER_REF_ATTR))) {
            return parseSecurityMetadataSource(element, parserContext);
        }
        return parseAuthorizationManager(element, parserContext);
    }

    private String parseAuthorizationManager(Element element, ParserContext parserContext) {
        XmlReaderContext readerContext = parserContext.getReaderContext();
        String createAuthorizationManager = createAuthorizationManager(element, parserContext);
        BeanDefinitionBuilder rootBeanDefinition = BeanDefinitionBuilder.rootBeanDefinition(AuthorizationChannelInterceptor.class);
        rootBeanDefinition.addConstructorArgReference(createAuthorizationManager);
        String attribute = element.getAttribute(SECURITY_CONTEXT_HOLDER_STRATEGY_REF_ATTR);
        if (StringUtils.hasText(attribute)) {
            rootBeanDefinition.addPropertyValue("securityContextHolderStrategy", new RuntimeBeanReference(attribute));
        } else {
            rootBeanDefinition.addPropertyValue("securityContextHolderStrategy", BeanDefinitionBuilder.rootBeanDefinition(SecurityContextHolderStrategyFactory.class).getBeanDefinition());
        }
        return readerContext.registerWithGeneratedName(rootBeanDefinition.getBeanDefinition());
    }

    private String createAuthorizationManager(Element element, ParserContext parserContext) {
        XmlReaderContext readerContext = parserContext.getReaderContext();
        String attribute = element.getAttribute(AUTHORIZATION_MANAGER_REF_ATTR);
        if (StringUtils.hasText(attribute)) {
            return attribute;
        }
        Element childElementByTagName = DomUtils.getChildElementByTagName(element, Elements.EXPRESSION_HANDLER);
        String attribute2 = childElementByTagName != null ? childElementByTagName.getAttribute("ref") : null;
        ManagedMap managedMap = new ManagedMap();
        for (Element element2 : DomUtils.getChildElementsByTagName(element, Elements.INTERCEPT_MESSAGE)) {
            String attribute3 = element2.getAttribute(PATTERN_ATTR);
            String attribute4 = element2.getAttribute(ACCESS_ATTR);
            BeanDefinition createMatcher = createMatcher(attribute3, element2.getAttribute(TYPE_ATTR), parserContext, element2);
            BeanDefinitionBuilder rootBeanDefinition = BeanDefinitionBuilder.rootBeanDefinition(ExpressionBasedAuthorizationManager.class);
            if (StringUtils.hasText(attribute2)) {
                rootBeanDefinition.addConstructorArgReference(attribute2);
            }
            rootBeanDefinition.addConstructorArgValue(attribute4);
            managedMap.put(createMatcher, rootBeanDefinition.getBeanDefinition());
        }
        BeanDefinitionBuilder rootBeanDefinition2 = BeanDefinitionBuilder.rootBeanDefinition(MessageMatcherDelegatingAuthorizationManagerFactory.class);
        rootBeanDefinition2.setFactoryMethod("createMessageMatcherDelegatingAuthorizationManager");
        rootBeanDefinition2.addConstructorArgValue(managedMap);
        return readerContext.registerWithGeneratedName(rootBeanDefinition2.getBeanDefinition());
    }

    private String parseSecurityMetadataSource(Element element, ParserContext parserContext) {
        BeanDefinitionRegistry registry = parserContext.getRegistry();
        XmlReaderContext readerContext = parserContext.getReaderContext();
        ManagedMap managedMap = new ManagedMap();
        Element childElementByTagName = DomUtils.getChildElementByTagName(element, Elements.EXPRESSION_HANDLER);
        String attribute = childElementByTagName != null ? childElementByTagName.getAttribute("ref") : null;
        boolean hasText = StringUtils.hasText(attribute);
        for (Element element2 : DomUtils.getChildElementsByTagName(element, Elements.INTERCEPT_MESSAGE)) {
            managedMap.put(createMatcher(element2.getAttribute(PATTERN_ATTR), element2.getAttribute(TYPE_ATTR), parserContext, element2), element2.getAttribute(ACCESS_ATTR));
        }
        BeanDefinitionBuilder rootBeanDefinition = BeanDefinitionBuilder.rootBeanDefinition(ExpressionBasedMessageSecurityMetadataSourceFactory.class);
        rootBeanDefinition.setFactoryMethod("createExpressionMessageMetadataSource");
        rootBeanDefinition.addConstructorArgValue(managedMap);
        if (hasText) {
            rootBeanDefinition.addConstructorArgReference(attribute);
        }
        String registerWithGeneratedName = readerContext.registerWithGeneratedName(rootBeanDefinition.getBeanDefinition());
        ManagedList managedList = new ManagedList();
        BeanDefinitionBuilder rootBeanDefinition2 = BeanDefinitionBuilder.rootBeanDefinition(MessageExpressionVoter.class);
        if (hasText) {
            rootBeanDefinition2.addPropertyReference("expressionHandler", attribute);
        }
        managedList.add(rootBeanDefinition2.getBeanDefinition());
        BeanDefinitionBuilder rootBeanDefinition3 = BeanDefinitionBuilder.rootBeanDefinition(ConsensusBased.class);
        rootBeanDefinition3.addConstructorArgValue(managedList);
        BeanDefinitionBuilder rootBeanDefinition4 = BeanDefinitionBuilder.rootBeanDefinition(ChannelSecurityInterceptor.class);
        rootBeanDefinition4.addConstructorArgValue(registry.getBeanDefinition(registerWithGeneratedName));
        rootBeanDefinition4.addPropertyValue("accessDecisionManager", rootBeanDefinition3.getBeanDefinition());
        return readerContext.registerWithGeneratedName(rootBeanDefinition4.getBeanDefinition());
    }

    private BeanDefinition createMatcher(String str, String str2, ParserContext parserContext, Element element) {
        boolean hasText = StringUtils.hasText(str);
        boolean hasText2 = StringUtils.hasText(str2);
        if (!hasText) {
            BeanDefinitionBuilder rootBeanDefinition = BeanDefinitionBuilder.rootBeanDefinition(SimpMessageTypeMatcher.class);
            rootBeanDefinition.addConstructorArgValue(str2);
            return rootBeanDefinition.getBeanDefinition();
        }
        String str3 = null;
        if (hasText && hasText2) {
            SimpMessageType valueOf = SimpMessageType.valueOf(str2);
            if (SimpMessageType.MESSAGE == valueOf) {
                str3 = "createMessageMatcher";
            } else if (SimpMessageType.SUBSCRIBE == valueOf) {
                str3 = "createSubscribeMatcher";
            } else {
                parserContext.getReaderContext().error("Cannot use intercept-websocket@message-type=" + str2 + " with a pattern because the type does not have a destination.", element);
            }
        }
        BeanDefinitionBuilder rootBeanDefinition2 = BeanDefinitionBuilder.rootBeanDefinition(SimpDestinationMessageMatcher.class);
        rootBeanDefinition2.setFactoryMethod(str3);
        rootBeanDefinition2.addConstructorArgValue(str);
        rootBeanDefinition2.addConstructorArgValue(new RuntimeBeanReference(PATH_MATCHER_BEAN_NAME));
        return rootBeanDefinition2.getBeanDefinition();
    }
}
