package com.evolveum.midpoint.web.security.factory.module;

import com.evolveum.midpoint.model.api.authentication.AuthModule;
import com.evolveum.midpoint.model.api.authentication.AuthenticationChannel;
import com.evolveum.midpoint.model.api.authentication.ModuleAuthentication;
import com.evolveum.midpoint.model.common.SystemObjectCache;
import com.evolveum.midpoint.prism.crypto.Protector;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.util.SystemConfigurationTypeUtil;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.web.security.module.SamlModuleWebSecurityConfig;
import com.evolveum.midpoint.web.security.module.authentication.Saml2ModuleAuthentication;
import com.evolveum.midpoint.web.security.module.configuration.SamlModuleWebSecurityConfiguration;
import com.evolveum.midpoint.web.security.provider.Saml2Provider;
import com.evolveum.midpoint.web.security.util.AuthModuleImpl;
import com.evolveum.midpoint.web.security.util.IdentityProvider;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractAuthenticationModuleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationModuleSaml2Type;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationModulesType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsPolicyType;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.servlet.ServletRequest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.saml.provider.config.ExternalProviderConfiguration;
import org.springframework.security.saml.provider.service.ServiceProviderService;
import org.springframework.security.saml.provider.service.config.LocalServiceProviderConfiguration;
import org.springframework.security.saml.provider.service.config.SamlServiceProviderServerBeanConfiguration;
import org.springframework.security.saml.util.StringUtils;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Component;
import org.springframework.web.util.UriComponentsBuilder;
import org.springframework.web.util.UriUtils;

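/**
 * Module factory for the SAML 2.0 authentication module ({@link AuthenticationModuleSaml2Type}).
 * <p>
 * Builds the module-specific web security configuration and filter chain, and pre-populates a
 * not-yet-authenticated {@link Saml2ModuleAuthentication} with the identity providers the login
 * page can offer (link text plus discovery redirect for each configured remote IdP).
 */
@Component
public class Saml2ModuleFactory extends AbstractModuleFactory {

    private static final Trace LOGGER = TraceManager.getTrace(Saml2ModuleFactory.class);

    @Autowired
    private Protector protector;

    @Autowired
    private SystemObjectCache systemObjectCache;

    /**
     * Matches only {@link AuthenticationModuleSaml2Type} module definitions.
     *
     * @param abstractAuthenticationModuleType module definition to test
     * @return {@code true} if this factory can build the given module
     */
    @Override
    public boolean match(AbstractAuthenticationModuleType abstractAuthenticationModuleType) {
        return abstractAuthenticationModuleType instanceof AuthenticationModuleSaml2Type;
    }

    /**
     * Creates the SAML 2.0 authentication module: its security configuration, the Spring Security
     * filter chain and an empty (unauthenticated) module authentication object.
     *
     * @param abstractAuthenticationModuleType module definition; must be an {@link AuthenticationModuleSaml2Type}
     * @param str prefix of the authentication sequence the module belongs to
     * @param servletRequest current request; used to resolve the public URL prefix
     * @param map shared objects propagated to the newly created {@link HttpSecurity}
     * @param authenticationModulesType all configured modules (not used by this factory, part of the contract)
     * @param credentialsPolicyType credentials policy (not used by this factory, part of the contract)
     * @param authenticationChannel channel the module is created for, checked via {@code isSupportedChannel}
     * @return the assembled module, or {@code null} (after logging an error) when the definition is not a SAML 2.0 module
     * @throws Exception if the filter chain or the module configuration cannot be built
     */
    @Override
    public AuthModule createModuleFilter(AbstractAuthenticationModuleType abstractAuthenticationModuleType, String str, ServletRequest servletRequest, Map<Class<? extends Object>, Object> map, AuthenticationModulesType authenticationModulesType, CredentialsPolicyType credentialsPolicyType, AuthenticationChannel authenticationChannel) throws Exception {
        if (!(abstractAuthenticationModuleType instanceof AuthenticationModuleSaml2Type)) {
            LOGGER.error("This factory support only AuthenticationModuleSaml2Type, but modelType is " + abstractAuthenticationModuleType);
            return null;
        }
        // Inherited check; its return value is not used here, so it is presumably expected to
        // throw for an unsupported channel — TODO confirm against AbstractModuleFactory.
        isSupportedChannel(authenticationChannel);

        // The protector is held as static state on the configuration class, i.e. it is shared by
        // every SAML module created in this JVM, not scoped to this module instance.
        SamlModuleWebSecurityConfiguration.setProtector(this.protector);
        AuthenticationModuleSaml2Type saml2ModuleType = (AuthenticationModuleSaml2Type) abstractAuthenticationModuleType;
        SamlModuleWebSecurityConfiguration configuration = SamlModuleWebSecurityConfiguration.build(
                saml2ModuleType, str, getPublicUrlPrefix(servletRequest), servletRequest);
        configuration.setPrefixOfSequence(str);
        configuration.addAuthenticationProvider(
                (AuthenticationProvider) getObjectObjectPostProcessor().postProcess(new Saml2Provider()));

        SamlModuleWebSecurityConfig securityConfig = (SamlModuleWebSecurityConfig) getObjectObjectPostProcessor()
                .postProcess(new SamlModuleWebSecurityConfig(configuration));
        securityConfig.setObjectPostProcessor(getObjectObjectPostProcessor());

        HttpSecurity http = securityConfig.getNewHttpSecurity();
        setSharedObjects(http, map);

        ModuleAuthentication moduleAuthentication =
                createEmptyModuleAuthentication(securityConfig.getBeanConfiguration(), configuration);
        moduleAuthentication.setFocusType(abstractAuthenticationModuleType.getFocusType());
        return AuthModuleImpl.build((SecurityFilterChain) http.build(), configuration, moduleAuthentication);
    }

    /**
     * Creates a not-yet-authenticated {@link Saml2ModuleAuthentication} carrying what the login page
     * needs: one {@link IdentityProvider} (link text and discovery redirect) per remote IdP configured
     * on the hosted service provider, plus the username attribute names, module name and prefix from
     * the module configuration.
     * <p>
     * Building the redirect is best effort: a provider whose redirect cannot be computed is skipped
     * and logged at debug level so that the remaining providers stay usable.
     *
     * @param samlServiceProviderServerBeanConfiguration bean configuration giving access to the hosted SP
     * @param samlModuleWebSecurityConfiguration module configuration (username attributes, module name, prefix)
     * @return the populated, unauthenticated module authentication
     */
    public ModuleAuthentication createEmptyModuleAuthentication(SamlServiceProviderServerBeanConfiguration samlServiceProviderServerBeanConfiguration, SamlModuleWebSecurityConfiguration samlModuleWebSecurityConfiguration) {
        Saml2ModuleAuthentication moduleAuthentication = new Saml2ModuleAuthentication();
        ServiceProviderService hostedProvider =
                samlServiceProviderServerBeanConfiguration.getSamlProvisioning().getHostedProvider();
        LocalServiceProviderConfiguration spConfiguration = hostedProvider.getConfiguration();

        List<IdentityProvider> providers = new ArrayList<>();
        spConfiguration.getProviders().forEach(idpConfiguration -> {
            try {
                providers.add(new IdentityProvider()
                        .setLinkText(idpConfiguration.getLinktext())
                        .setRedirectLink(getDiscoveryRedirect(hostedProvider, idpConfiguration)));
            } catch (Exception e) {
                // Keep the exception attached so the stack trace is available when debug logging is on.
                LOGGER.debug("Unable to retrieve metadata for provider:" + idpConfiguration.getMetadata()
                        + " with message:" + e.getMessage(), e);
            }
        });
        moduleAuthentication.setProviders(providers);
        moduleAuthentication.setNamesOfUsernameAttributes(samlModuleWebSecurityConfiguration.getNamesOfUsernameAttributes());
        moduleAuthentication.setNameOfModule(samlModuleWebSecurityConfiguration.getNameOfModule());
        moduleAuthentication.setPrefix(samlModuleWebSecurityConfiguration.getPrefix());
        return moduleAuthentication;
    }

    /**
     * Builds the SP-initiated discovery URL for one remote identity provider, of the form
     * {@code <basePath>/<prefix>/discovery?idp=<url-encoded entityId>}.
     *
     * @param serviceProviderService hosted service provider supplying base path, prefix and remote metadata
     * @param externalProviderConfiguration configuration of the remote IdP
     * @return the redirect link to use on the login page
     * @throws UnsupportedEncodingException declared for the encoding call; UTF-8 is always available
     */
    private String getDiscoveryRedirect(ServiceProviderService serviceProviderService, ExternalProviderConfiguration externalProviderConfiguration) throws UnsupportedEncodingException {
        LocalServiceProviderConfiguration spConfiguration = serviceProviderService.getConfiguration();
        UriComponentsBuilder builder = UriComponentsBuilder.fromUriString(spConfiguration.getBasePath());
        builder.pathSegment(StringUtils.stripSlashes(spConfiguration.getPrefix()) + "/discovery");
        // The entity id comes from remote IdP metadata, so it is URL-encoded before becoming a
        // query value; this keeps it from adding further parameters to the redirect link.
        String entityId = serviceProviderService.getRemoteProvider(externalProviderConfiguration).getEntityId();
        builder.queryParam("idp", UriUtils.encode(entityId, StandardCharsets.UTF_8.toString()));
        return builder.build().toUriString();
    }

    /**
     * Resolves the public URL prefix from the system configuration's public HTTP URL pattern.
     *
     * @param servletRequest current request; its server name is passed to the pattern resolution
     * @return the resolved prefix, or {@code null} (after logging) when the system configuration cannot be loaded;
     *         the caller then builds the module configuration without a prefix
     */
    private String getPublicUrlPrefix(ServletRequest servletRequest) {
        try {
            // NOTE(review): getServerName() derives from the client-supplied Host header. How
            // getPublicHttpUrlPattern combines it with the configured pattern is outside this file —
            // confirm that the configured pattern, not the request header, decides the SAML base URL.
            return SystemConfigurationTypeUtil.getPublicHttpUrlPattern(
                    this.systemObjectCache.getSystemConfiguration(new OperationResult("load system configuration")).asObjectable(),
                    servletRequest.getServerName());
        } catch (SchemaException e) {
            LOGGER.error("Couldn't load system configuration", e);
            return null;
        }
    }
}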
