package com.evolveum.midpoint.web.security.provider;

import com.evolveum.midpoint.model.api.AuthenticationEvaluator;
import com.evolveum.midpoint.model.api.authentication.AuthenticationChannel;
import com.evolveum.midpoint.model.api.authentication.GuiProfiledPrincipal;
import com.evolveum.midpoint.model.api.authentication.MidpointAuthentication;
import com.evolveum.midpoint.model.api.authentication.ModuleAuthentication;
import com.evolveum.midpoint.model.api.context.PasswordAuthenticationContext;
import com.evolveum.midpoint.model.api.context.PreAuthenticationContext;
import com.evolveum.midpoint.security.api.ConnectionEnvironment;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.web.security.module.authentication.Saml2ModuleAuthentication;
import com.evolveum.midpoint.web.security.util.SecurityUtils;
import java.util.Collection;
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.saml.saml2.attribute.Attribute;
import org.springframework.security.saml.spi.DefaultSamlAuthentication;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/* loaded from: input_file:WEB-INF/classes/com/evolveum/midpoint/web/security/provider/Saml2Provider.class */
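public class Saml2Provider extends MidPointAbstractAuthenticationProvider {
    private static final Trace LOGGER = TraceManager.getTrace((Class<?>) Saml2Provider.class);

    @Autowired
    private transient AuthenticationEvaluator<PasswordAuthenticationContext> authenticationEvaluator;

    /**
     * Returns the evaluator used to perform the pre-authenticated login of the
     * username taken from the SAML assertion.
     */
    @Override
    public AuthenticationEvaluator getEvaluator() {
        return this.authenticationEvaluator;
    }

    /**
     * Records a successful authentication: the principal of {@code authentication2}
     * is stored in the midPoint-level authentication (only when it is a
     * {@link GuiProfiledPrincipal}), and {@code authentication} is stored in the
     * module-level authentication.
     *
     * @param authentication token stored into the module authentication
     * @param midpointAuthentication aggregate authentication receiving the principal
     * @param moduleAuthentication per-module authentication receiving the token
     * @param authentication2 authentication whose principal is copied
     */
    @Override
    protected void writeAutentication(Authentication authentication, MidpointAuthentication midpointAuthentication, ModuleAuthentication moduleAuthentication, Authentication authentication2) {
        Object principal = authentication2.getPrincipal();
        // instanceof is false for null, so no separate null check is required
        if (principal instanceof GuiProfiledPrincipal) {
            midpointAuthentication.setPrincipal((GuiProfiledPrincipal) principal);
        }
        moduleAuthentication.setAuthentication(authentication);
    }

    /**
     * Authenticates a user based on an already processed SAML response.
     * <p>
     * The username is read from the assertion attribute configured for the
     * asserting entity (see {@link Saml2ModuleAuthentication#getNamesOfUsernameAttributes()})
     * and then handed to the evaluator as a pre-authenticated login. The assertion
     * itself is presumably already validated by the SAML layer that produced the
     * {@link DefaultSamlAuthentication} — confirm before relying on this provider
     * for anything but username extraction.
     *
     * @param authentication must be a {@link DefaultSamlAuthentication}
     * @param list requirements passed through to the pre-authentication context
     * @param authenticationChannel channel of the login, may be null
     * @param cls focus type passed through to the pre-authentication context
     * @return the pre-authenticated token produced by the evaluator
     * @throws AuthenticationException when the token type is unsupported, no SAML2
     *         module is being processed, or no single non-empty username can be
     *         determined from the assertion
     */
    @Override
    protected Authentication internalAuthentication(Authentication authentication, List list, AuthenticationChannel authenticationChannel, Class cls) throws AuthenticationException {
        ConnectionEnvironment connEnv = createEnviroment(authenticationChannel);
        try {
            if (!(authentication instanceof DefaultSamlAuthentication)) {
                LOGGER.error("Unsupported authentication {}", authentication);
                throw new AuthenticationServiceException("web.security.provider.unavailable");
            }
            DefaultSamlAuthentication samlAuthentication = (DefaultSamlAuthentication) authentication;
            Saml2ModuleAuthentication moduleAuthentication = (Saml2ModuleAuthentication) SecurityUtils.getProcessingModule(true);
            if (moduleAuthentication == null) {
                // Without the module configuration we cannot know which attribute holds the username;
                // fail as an authentication error instead of an NPE further down.
                LOGGER.error("No SAML2 module authentication is being processed");
                throw new AuthenticationServiceException("web.security.provider.unavailable");
            }

            String username = extractUsername(samlAuthentication, moduleAuthentication);

            PreAuthenticationContext preAuthenticationContext = new PreAuthenticationContext(username, cls, list);
            if (authenticationChannel != null) {
                preAuthenticationContext.setSupportActivationByChannel(authenticationChannel.isSupportActivationByChannel());
            }
            PreAuthenticatedAuthenticationToken token = this.authenticationEvaluator.authenticateUserPreAuthenticated(connEnv, preAuthenticationContext);
            LOGGER.debug("User '{}' authenticated ({}), authorities: {}", authentication.getPrincipal(), authentication.getClass().getSimpleName(), ((MidPointPrincipal) token.getPrincipal()).getAuthorities());
            return token;
        } catch (AuthenticationException e) {
            LOGGER.info("Authentication with saml module failed: {}", e.getMessage());
            throw e;
        }
    }

    /**
     * Determines the username from the assertion attributes.
     * <p>
     * Exactly one non-empty username is required: a missing or unconfigured
     * attribute, an empty value, several values, or several matching attributes
     * with different values all reject the login. Previously an unmatched
     * attribute silently produced an empty username.
     *
     * @throws AuthenticationServiceException when no single non-empty username is found
     */
    private static String extractUsername(DefaultSamlAuthentication samlAuthentication, Saml2ModuleAuthentication moduleAuthentication) {
        // The username attribute is configured per asserting entity (the IdP that issued the assertion).
        Object usernameAttributeName = moduleAuthentication.getNamesOfUsernameAttributes().get(samlAuthentication.getAssertingEntityId());
        if (usernameAttributeName == null) {
            LOGGER.error("No username attribute is configured for asserting entity {}", samlAuthentication.getAssertingEntityId());
            throw new AuthenticationServiceException("web.security.auth.saml2.username.null");
        }

        String username = null;
        for (Attribute attribute : samlAuthentication.getAssertion().getAttributes()) {
            if (attribute == null || !matchesName(attribute, usernameAttributeName)) {
                continue;
            }
            String candidate = singleStringValue(attribute.getValues());
            // Two matching attributes (e.g. by name and by friendly name) are accepted
            // only when they agree; otherwise the username is ambiguous.
            if (username != null && !username.equals(candidate)) {
                LOGGER.error("Saml assertion contains several username attributes with different values");
                throw new AuthenticationServiceException("web.security.auth.saml2.username.more.values");
            }
            username = candidate;
        }

        if (username == null || username.trim().isEmpty()) {
            LOGGER.error("Saml attribute, which define username don't contains value");
            throw new AuthenticationServiceException("web.security.auth.saml2.username.null");
        }
        return username;
    }

    /** True when the attribute's friendly name or name equals the configured username attribute name. */
    private static boolean matchesName(Attribute attribute, Object expectedName) {
        String friendlyName = attribute.getFriendlyName();
        if (friendlyName != null && friendlyName.equals(expectedName)) {
            return true;
        }
        String name = attribute.getName();
        return name != null && name.equals(expectedName);
    }

    /**
     * Returns the single value of a username attribute.
     *
     * @throws AuthenticationServiceException when there is no value or more than one
     */
    private static String singleStringValue(List<Object> values) {
        if (values == null || values.isEmpty()) {
            LOGGER.error("Saml attribute, which define username don't contains value");
            throw new AuthenticationServiceException("web.security.auth.saml2.username.null");
        }
        if (values.size() != 1) {
            LOGGER.error("Saml attribute, which define username contains more values {}", values);
            throw new AuthenticationServiceException("web.security.auth.saml2.username.more.values");
        }
        // NOTE(review): the value is assumed to be a String, as in the original cast — confirm
        // against the attribute value types the SAML library produces.
        return (String) values.get(0);
    }

    /**
     * Re-creates the pre-authenticated token with the given authorities; any other
     * token type is returned unchanged.
     *
     * @param authentication token to copy
     * @param collection authorities for the new token
     * @return a new {@link PreAuthenticatedAuthenticationToken} or {@code authentication} itself
     */
    @Override
    protected Authentication createNewAuthenticationToken(Authentication authentication, Collection collection) {
        if (authentication instanceof PreAuthenticatedAuthenticationToken) {
            return new PreAuthenticatedAuthenticationToken(authentication.getPrincipal(), authentication.getCredentials(), collection);
        }
        return authentication;
    }

    /** This provider handles only {@link DefaultSamlAuthentication} tokens. */
    @Override
    public boolean supports(Class cls) {
        return DefaultSamlAuthentication.class.equals(cls);
    }
}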
