package eu.openanalytics.containerproxy.auth.impl.saml;

import eu.openanalytics.containerproxy.auth.impl.SAMLAuthenticationBackend;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Timer;
import javax.inject.Inject;
import org.apache.commons.httpclient.HttpClient;
import org.apache.velocity.app.VelocityEngine;
import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.util.resource.ResourceException;
import org.opensaml.xml.parse.StaticBasicParserPool;
import org.opensaml.xml.parse.XMLParserException;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Lazy;
import org.springframework.core.env.Environment;
import org.springframework.core.io.FileSystemResource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLAuthenticationProvider;
import org.springframework.security.saml.SAMLBootstrap;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.SAMLEntryPoint;
import org.springframework.security.saml.SAMLProcessingFilter;
import org.springframework.security.saml.context.SAMLContextProviderImpl;
import org.springframework.security.saml.key.EmptyKeyManager;
import org.springframework.security.saml.key.JKSKeyManager;
import org.springframework.security.saml.key.KeyManager;
import org.springframework.security.saml.log.SAMLDefaultLogger;
import org.springframework.security.saml.metadata.CachingMetadataManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;
import org.springframework.security.saml.metadata.MetadataGenerator;
import org.springframework.security.saml.metadata.MetadataGeneratorFilter;
import org.springframework.security.saml.parser.ParserPoolHolder;
import org.springframework.security.saml.processor.HTTPPostBinding;
import org.springframework.security.saml.processor.HTTPRedirectDeflateBinding;
import org.springframework.security.saml.processor.SAMLProcessorImpl;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;
import org.springframework.security.saml.util.VelocityFactory;
import org.springframework.security.saml.websso.WebSSOProfile;
import org.springframework.security.saml.websso.WebSSOProfileConsumer;
import org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl;
import org.springframework.security.saml.websso.WebSSOProfileConsumerImpl;
import org.springframework.security.saml.websso.WebSSOProfileImpl;
import org.springframework.security.saml.websso.WebSSOProfileOptions;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

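/**
 * Spring configuration for the SAML 2.0 web-browser-SSO authentication backend.
 *
 * <p>Only active when {@code proxy.authentication} equals {@link SAMLAuthenticationBackend#NAME}.
 * It wires the Spring Security SAML extension: the service-provider key material, the identity
 * provider metadata downloaded from {@code proxy.saml.idp-metadata-url}, the HTTP bindings, the
 * login / SSO filter chains and the authentication provider that turns a SAML assertion into a
 * Spring Security {@link User} with {@code ROLE_*} authorities.
 *
 * <p>Properties read by this class: {@code proxy.saml.keystore}, {@code proxy.saml.keystore-password},
 * {@code proxy.saml.encryption-cert-name}, {@code proxy.saml.encryption-cert-password},
 * {@code proxy.saml.app-entity-id}, {@code proxy.saml.app-base-url},
 * {@code proxy.saml.idp-metadata-url}, {@code proxy.saml.name-attribute} and
 * {@code proxy.saml.roles-attribute}.
 *
 * <p>Bean methods call each other directly (e.g. {@code parserPool()} from several beans); under
 * {@code @Configuration} Spring proxies those calls so each bean is still a singleton.
 */
@Configuration
@ConditionalOnProperty(name = {"proxy.authentication"}, havingValue = SAMLAuthenticationBackend.NAME)
public class SAMLConfiguration {

    /** Assertion attribute used as the user name when {@code proxy.saml.name-attribute} is not set. */
    private static final String DEFAULT_NAME_ATTRIBUTE =
            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress";

    /** Prefix prepended to every value of the roles attribute to form a granted authority. */
    private static final String ROLE_PREFIX = "ROLE_";

    @Inject
    private Environment environment;

    /** Resolved lazily, so the manager bean does not have to exist when this configuration is built. */
    @Inject
    @Lazy
    private AuthenticationManager authenticationManager;

    /**
     * Marker subclass of {@link FilterChainProxy} so the SAML filter chain can be injected by type
     * and distinguished from the application's main filter chain proxy.
     */
    public static class SAMLFilterSet extends FilterChainProxy {
        /**
         * @param chains the security filter chains handled by this proxy
         */
        public SAMLFilterSet(List<SecurityFilterChain> chains) {
            super(chains);
        }
    }

    /**
     * Entry point that starts the SP-initiated login by redirecting the browser to the IdP.
     *
     * @return the entry point, configured with {@link #defaultWebSSOProfileOptions()}
     */
    @Bean
    public SAMLEntryPoint samlEntryPoint() {
        SAMLEntryPoint entryPoint = new SAMLEntryPoint();
        entryPoint.setDefaultProfileOptions(defaultWebSSOProfileOptions());
        return entryPoint;
    }

    /**
     * Options for outgoing authentication requests; scoping is not included.
     *
     * @return the profile options used by {@link #samlEntryPoint()}
     */
    @Bean
    public WebSSOProfileOptions defaultWebSSOProfileOptions() {
        WebSSOProfileOptions options = new WebSSOProfileOptions();
        options.setIncludeScoping(false);
        return options;
    }

    /**
     * Initialises the OpenSAML library; static so it runs before the other beans are created.
     *
     * @return the bootstrap post-processor
     */
    @Bean
    public static SAMLBootstrap samlBootstrap() {
        return new SAMLBootstrap();
    }

    /**
     * @return the web-SSO profile that builds authentication requests
     */
    @Bean
    public WebSSOProfile webSSOprofile() {
        return new WebSSOProfileImpl();
    }

    /**
     * Service-provider key material.
     *
     * <p>When {@code proxy.saml.keystore} is unset or empty the SP holds no keys at all
     * ({@link EmptyKeyManager}). Otherwise the JKS keystore at that path is opened with
     * {@code proxy.saml.keystore-password} (falling back to
     * {@code proxy.saml.encryption-cert-password}), and the entry named by
     * {@code proxy.saml.encryption-cert-name}, unlocked with
     * {@code proxy.saml.encryption-cert-password}, becomes the default key.
     *
     * @return the key manager for this service provider
     */
    @Bean
    public KeyManager keyManager() {
        String keystorePath = environment.getProperty("proxy.saml.keystore");
        if (keystorePath == null || keystorePath.isEmpty()) {
            return new EmptyKeyManager();
        }
        String certName = environment.getProperty("proxy.saml.encryption-cert-name");
        String certPassword = environment.getProperty("proxy.saml.encryption-cert-password");
        String keystorePassword = environment.getProperty("proxy.saml.keystore-password", certPassword);
        // HashMap on purpose: certName may be unset (null), which the original accepted as a key.
        Map<String, String> keyPasswords = new HashMap<>();
        keyPasswords.put(certName, certPassword);
        return new JKSKeyManager(new FileSystemResource(keystorePath), keystorePassword, keyPasswords, certName);
    }

    /**
     * Shared, pre-initialised XML parser pool used by the bindings and the metadata provider.
     *
     * @return the initialised pool
     * @throws IllegalStateException if the pool cannot be initialised; an uninitialised pool would
     *         only fail on the first SAML message, so the application fails at startup instead
     */
    @Bean
    public StaticBasicParserPool parserPool() {
        StaticBasicParserPool pool = new StaticBasicParserPool();
        try {
            pool.initialize();
        } catch (XMLParserException e) {
            throw new IllegalStateException("Could not initialize the SAML XML parser pool", e);
        }
        return pool;
    }

    /**
     * @return the holder through which the SAML extension looks up the parser pool
     */
    @Bean(name = {"parserPoolHolder"})
    public ParserPoolHolder parserPoolHolder() {
        return new ParserPoolHolder();
    }

    /**
     * @return the Velocity engine used by {@link #httpPostBinding()} to render the POST form
     */
    @Bean
    public VelocityEngine velocityEngine() {
        return VelocityFactory.getEngine();
    }

    /**
     * @return the HTTP-POST binding
     */
    @Bean
    public HTTPPostBinding httpPostBinding() {
        return new HTTPPostBinding(parserPool(), velocityEngine());
    }

    /**
     * @return the HTTP-Redirect (DEFLATE) binding
     */
    @Bean
    public HTTPRedirectDeflateBinding httpRedirectDeflateBinding() {
        return new HTTPRedirectDeflateBinding(parserPool());
    }

    /**
     * SAML message processor supporting the redirect and POST bindings, in that order.
     *
     * @return the processor
     */
    @Bean
    public SAMLProcessorImpl processor() {
        // Arrays.asList is target-typed to the processor's binding collection, so no raw list is needed.
        return new SAMLProcessorImpl(Arrays.asList(httpRedirectDeflateBinding(), httpPostBinding()));
    }

    /**
     * @return the filter that serves this service provider's generated metadata
     */
    @Bean
    public MetadataGeneratorFilter metadataGeneratorFilter() {
        return new MetadataGeneratorFilter(metadataGenerator());
    }

    /**
     * Generator for this service provider's own metadata.
     *
     * <p>Entity id and base URL come from {@code proxy.saml.app-entity-id} and
     * {@code proxy.saml.app-base-url}. Discovery is not advertised and authentication requests are
     * declared unsigned ({@code setRequestSigned(false)}), so the IdP cannot verify that a login
     * request originated from this SP.
     *
     * @return the metadata generator
     */
    @Bean
    public MetadataGenerator metadataGenerator() {
        String entityId = environment.getProperty("proxy.saml.app-entity-id");
        String baseUrl = environment.getProperty("proxy.saml.app-base-url");
        MetadataGenerator generator = new MetadataGenerator();
        generator.setEntityId(entityId);
        generator.setEntityBaseURL(baseUrl);
        generator.setExtendedMetadata(extendedMetadata());
        generator.setIncludeDiscoveryExtension(false);
        generator.setRequestSigned(false);
        return generator;
    }

    /**
     * Extended (non-standard) metadata settings: no IdP discovery, metadata not signed.
     *
     * @return the extended metadata shared by the SP generator and the IdP delegate
     */
    @Bean
    public ExtendedMetadata extendedMetadata() {
        ExtendedMetadata extended = new ExtendedMetadata();
        extended.setIdpDiscoveryEnabled(false);
        extended.setSignMetadata(false);
        return extended;
    }

    /**
     * Identity-provider metadata, downloaded over HTTP from {@code proxy.saml.idp-metadata-url}.
     *
     * <p>The metadata trust check and the signature requirement are both switched off, so the
     * downloaded document (the IdP's signing certificates and endpoints) is accepted without any
     * signature validation. The transport used to fetch it is therefore the only integrity
     * guarantee; the URL should point to a trusted host over HTTPS.
     *
     * @return the delegate wrapping the HTTP metadata provider
     * @throws MetadataProviderException if the provider cannot be created
     * @throws ResourceException if the metadata resource cannot be accessed
     */
    @Bean
    public ExtendedMetadataDelegate idpMetadata() throws MetadataProviderException, ResourceException {
        String metadataUrl = environment.getProperty("proxy.saml.idp-metadata-url");
        // Daemon timer: the provider's timer thread must not keep the JVM alive on shutdown.
        HTTPMetadataProvider provider = new HTTPMetadataProvider(new Timer(true), new HttpClient(), metadataUrl);
        provider.setParserPool(parserPool());
        ExtendedMetadataDelegate delegate = new ExtendedMetadataDelegate(provider, extendedMetadata());
        delegate.setMetadataTrustCheck(false);
        delegate.setMetadataRequireSignature(false);
        return delegate;
    }

    /**
     * Metadata manager holding the single IdP from {@link #idpMetadata()}.
     *
     * @return the caching manager
     * @throws MetadataProviderException propagated from {@link #idpMetadata()}
     * @throws ResourceException propagated from {@link #idpMetadata()}
     */
    @Bean
    @Qualifier("metadata")
    public CachingMetadataManager metadata() throws MetadataProviderException, ResourceException {
        // Arrays.asList is target-typed to the manager's provider list.
        return new CachingMetadataManager(Arrays.asList(idpMetadata()));
    }

    /**
     * @return the default SAML event logger
     */
    @Bean
    public SAMLDefaultLogger samlLogger() {
        return new SAMLDefaultLogger();
    }

    /**
     * @return the provider that builds the SAML message context for each request
     */
    @Bean
    public SAMLContextProviderImpl contextProvider() {
        return new SAMLContextProviderImpl();
    }

    /**
     * Success handler that returns the user to the request saved before login, falling back to
     * {@code /}.
     *
     * @return the success handler
     */
    @Bean
    public SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler() {
        SavedRequestAwareAuthenticationSuccessHandler handler = new SavedRequestAwareAuthenticationSuccessHandler();
        handler.setDefaultTargetUrl("/");
        return handler;
    }

    /**
     * Failure handler that forwards (rather than redirects) to {@code /error}.
     *
     * @return the failure handler
     */
    @Bean
    public SimpleUrlAuthenticationFailureHandler authenticationFailureHandler() {
        SimpleUrlAuthenticationFailureHandler handler = new SimpleUrlAuthenticationFailureHandler();
        handler.setUseForward(true);
        handler.setDefaultFailureUrl("/error");
        return handler;
    }

    /**
     * Filter that consumes the SAML response posted back by the IdP and authenticates the user
     * through the injected {@link AuthenticationManager}.
     *
     * @return the SSO processing filter
     * @throws Exception declared for compatibility with the filter's setters
     */
    @Bean
    public SAMLProcessingFilter samlWebSSOProcessingFilter() throws Exception {
        SAMLProcessingFilter filter = new SAMLProcessingFilter();
        filter.setAuthenticationManager(authenticationManager);
        filter.setAuthenticationSuccessHandler(successRedirectHandler());
        filter.setAuthenticationFailureHandler(authenticationFailureHandler());
        return filter;
    }

    /**
     * @return the consumer that validates incoming web-SSO assertions
     */
    @Bean
    public WebSSOProfileConsumer webSSOprofileConsumer() {
        return new WebSSOProfileConsumerImpl();
    }

    /**
     * @return the holder-of-key variant of the web-SSO consumer
     */
    @Bean
    public WebSSOProfileConsumerHoKImpl hokWebSSOprofileConsumer() {
        return new WebSSOProfileConsumerHoKImpl();
    }

    /**
     * The SAML-specific filter chains: {@code /saml/login/**} starts a login via
     * {@link #samlEntryPoint()}, {@code /saml/SSO/**} receives the IdP response via
     * {@link #samlWebSSOProcessingFilter()}.
     *
     * @return the filter chain proxy for the SAML endpoints
     * @throws Exception propagated from {@link #samlWebSSOProcessingFilter()}
     */
    @Bean
    public SAMLFilterSet samlFilter() throws Exception {
        List<SecurityFilterChain> chains = new ArrayList<>();
        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/login/**"), samlEntryPoint()));
        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSO/**"), samlWebSSOProcessingFilter()));
        return new SAMLFilterSet(chains);
    }

    /**
     * Authentication provider that maps a validated SAML credential to a {@link User}.
     *
     * <p>The user name is the assertion attribute named by {@code proxy.saml.name-attribute}
     * (default {@link #DEFAULT_NAME_ATTRIBUTE}); a missing attribute rejects the login. Authorities
     * are derived by {@link #authoritiesFrom(SAMLCredential)}. The principal is kept as the
     * {@link User} object rather than flattened to a string.
     *
     * @return the authentication provider
     */
    @Bean
    public SAMLAuthenticationProvider samlAuthenticationProvider() {
        SAMLAuthenticationProvider provider = new SAMLAuthenticationProvider();
        provider.setUserDetails(new SAMLUserDetailsService() {
            @Override
            public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
                String nameAttribute = environment.getProperty("proxy.saml.name-attribute", DEFAULT_NAME_ATTRIBUTE);
                String userName = credential.getAttributeAsString(nameAttribute);
                if (userName == null) {
                    throw new UsernameNotFoundException("Name attribute missing from SAML assertion: " + nameAttribute);
                }
                // The password is unused for SAML logins; an empty string satisfies User's constructor.
                return new User(userName, "", authoritiesFrom(credential));
            }
        });
        provider.setForcePrincipalAsString(false);
        return provider;
    }

    /**
     * Derives the granted authorities from the assertion attribute named by
     * {@code proxy.saml.roles-attribute}.
     *
     * <p>Each attribute value becomes {@code ROLE_} followed by the value in upper case. An unset or
     * blank property, or an absent attribute, yields no authorities.
     *
     * @param credential the validated SAML credential
     * @return the authorities, possibly empty, never {@code null}
     */
    private List<SimpleGrantedAuthority> authoritiesFrom(SAMLCredential credential) {
        List<SimpleGrantedAuthority> authorities = new ArrayList<>();
        String rolesAttribute = environment.getProperty("proxy.saml.roles-attribute");
        if (rolesAttribute == null || rolesAttribute.trim().isEmpty()) {
            return authorities;
        }
        String[] roles = credential.getAttributeAsStringArray(rolesAttribute);
        if (roles == null) {
            return authorities;
        }
        for (String role : roles) {
            // Locale.ROOT: a role name must not depend on the JVM's default locale
            // (e.g. under a Turkish locale "admin" would upper-case to "ADMİN").
            authorities.add(new SimpleGrantedAuthority(ROLE_PREFIX + role.toUpperCase(Locale.ROOT)));
        }
        return authorities;
    }
}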
