package com.evolveum.midpoint.web.security.module.configuration;

import com.evolveum.midpoint.prism.crypto.EncryptionException;
import com.evolveum.midpoint.prism.crypto.Protector;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.web.security.util.KeyStoreKey;
import com.evolveum.midpoint.web.security.util.MidpointSamlLocalServiceProviderConfiguration;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationModuleSaml2KeyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationModuleSaml2NameIdType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationModuleSaml2NetworkType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationModuleSaml2ProviderMetadataType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationModuleSaml2ProviderType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationModuleSaml2ServiceProviderType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationModuleSaml2Type;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ModuleSaml2KeyStoreKeyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ModuleSaml2SimpleKeyType;
import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils;
import org.springframework.security.saml.key.KeyType;
import org.springframework.security.saml.key.SimpleKey;
import org.springframework.security.saml.provider.SamlServerConfiguration;
import org.springframework.security.saml.provider.config.NetworkConfiguration;
import org.springframework.security.saml.provider.config.RotatingKeys;
import org.springframework.security.saml.provider.service.config.ExternalIdentityProviderConfiguration;
import org.springframework.security.saml.saml2.signature.AlgorithmMethod;
import org.springframework.security.saml.saml2.signature.DigestMethod;

/* loaded from: input_file:WEB-INF/classes/com/evolveum/midpoint/web/security/module/configuration/SamlModuleWebSecurityConfiguration.class */
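/**
 * Translates one midPoint SAML2 authentication-module definition
 * ({@link AuthenticationModuleSaml2Type}) into the Spring Security SAML
 * {@link SamlServerConfiguration} used by the web security module.
 * <p>
 * Secrets in the module definition (private keys, passphrases, key store and
 * key passwords, verification keys) are stored as {@link ProtectedStringType}
 * and are decrypted here with the statically injected {@link Protector};
 * {@link #setProtector(Protector)} must therefore be called before
 * {@link #build(AuthenticationModuleSaml2Type, String, String, ServletRequest)}.
 * <p>
 * Decryption and metadata-loading failures are logged and the affected key or
 * metadata is left out of the resulting configuration rather than aborting the
 * build; the resulting service provider may then have no active signing key or
 * an identity provider may have no metadata. Operators should treat the ERROR
 * log lines emitted here as configuration failures.
 */
public class SamlModuleWebSecurityConfiguration extends ModuleWebSecurityConfigurationImpl {
    private static final Trace LOGGER = TraceManager.getTrace((Class<?>) SamlModuleWebSecurityConfiguration.class);
    /** Decrypts the {@link ProtectedStringType} values of the module definition; shared by all instances. */
    private static Protector protector;
    private SamlServerConfiguration samlConfiguration;
    /** Identity-provider entityId -> name of the SAML attribute that carries the midPoint username. */
    private Map<String, String> namesOfUsernameAttributes = new HashMap<>();

    private SamlModuleWebSecurityConfiguration() {
    }

    /**
     * Injects the protector used to decrypt secrets of the module definition.
     *
     * @param protector2 protector to use for all subsequent {@link #build} calls
     */
    public static void setProtector(Protector protector2) {
        protector = protector2;
    }

    /**
     * Builds and validates the configuration for one SAML2 authentication module.
     *
     * @param authenticationModuleSaml2Type module definition from the security policy
     * @param str passed unchanged to the parent
     *            {@code ModuleWebSecurityConfigurationImpl.build} (presumably the module prefix/identifier)
     * @param str2 explicit public base path of the service provider; when blank the base
     *             path is derived from {@code servletRequest} instead (see {@link #getBasePath})
     * @param servletRequest request used to derive the base path when {@code str2} is blank;
     *                       must be an {@link HttpServletRequest} in that case
     * @return the validated configuration
     * @throws IllegalArgumentException when the definition is unusable (no service provider
     *                                  section, missing request binding or username attribute, ...)
     */
    public static SamlModuleWebSecurityConfiguration build(AuthenticationModuleSaml2Type authenticationModuleSaml2Type, String str, String str2, ServletRequest servletRequest) {
        SamlModuleWebSecurityConfiguration configuration = buildInternal(authenticationModuleSaml2Type, str, str2, servletRequest);
        configuration.validate();
        return configuration;
    }

    /** Builds the configuration without validating it; see {@link #build} for the parameters. */
    private static SamlModuleWebSecurityConfiguration buildInternal(AuthenticationModuleSaml2Type moduleType, String str, String str2, ServletRequest servletRequest) {
        SamlModuleWebSecurityConfiguration configuration = new SamlModuleWebSecurityConfiguration();
        build(configuration, moduleType, str);

        SamlServerConfiguration samlServerConfiguration = new SamlServerConfiguration();
        NetworkConfiguration network = createNetwork(moduleType.getNetwork());
        if (network != null) {
            samlServerConfiguration.setNetwork(network);
        }

        AuthenticationModuleSaml2ServiceProviderType serviceProviderType = moduleType.getServiceProvider();
        if (serviceProviderType == null) {
            throw new IllegalArgumentException("SAML2 authentication module has no serviceProvider configuration");
        }
        MidpointSamlLocalServiceProviderConfiguration serviceProvider = createServiceProvider(serviceProviderType, str2, servletRequest);

        List<ExternalIdentityProviderConfiguration> providers = new ArrayList<>();
        for (AuthenticationModuleSaml2ProviderType providerType : serviceProviderType.getProvider()) {
            providers.add(createProvider(providerType));
            // Throws IllegalArgumentException when entityId or the attribute name is blank.
            configuration.addNameOfUsernameAttributeOfIP(providerType.getEntityId(), providerType.getNameOfUsernameAttribute());
        }
        serviceProvider.setProviders(providers);

        try {
            // Service-provider metadata is optional (required=false): null leaves it unset.
            serviceProvider.setMetadata(createMetadata(serviceProviderType.getMetadata(), false));
        } catch (Exception e) {
            LOGGER.error("Couldn't obtain metadata as string from " + serviceProviderType.getMetadata(), e);
        }
        serviceProvider.setPrefix(configuration.getPrefix());
        samlServerConfiguration.setServiceProvider(serviceProvider);
        configuration.setSamlConfiguration(samlServerConfiguration);
        return configuration;
    }

    /**
     * Maps the optional network section to the library's network configuration.
     * A missing or zero timeout leaves the library default in place.
     *
     * @return the network configuration, or {@code null} when no network section is present
     */
    private static NetworkConfiguration createNetwork(AuthenticationModuleSaml2NetworkType networkType) {
        if (networkType == null) {
            return null;
        }
        NetworkConfiguration network = new NetworkConfiguration();
        Integer connectTimeout = networkType.getConnectTimeout();
        if (connectTimeout != null && connectTimeout != 0) {
            network.setConnectTimeout(connectTimeout);
        }
        Integer readTimeout = networkType.getReadTimeout();
        if (readTimeout != null && readTimeout != 0) {
            network.setReadTimeout(readTimeout);
        }
        return network;
    }

    /**
     * Maps the local service-provider section: entity id, signing flags, base path,
     * NameID formats, default algorithms, signing keys and alias.
     *
     * @param serviceProviderType service-provider section of the module definition
     * @param basePath explicit public base path, or blank to derive it from the request
     * @param servletRequest request used when {@code basePath} is blank
     */
    private static MidpointSamlLocalServiceProviderConfiguration createServiceProvider(AuthenticationModuleSaml2ServiceProviderType serviceProviderType, String basePath, ServletRequest servletRequest) {
        MidpointSamlLocalServiceProviderConfiguration serviceProvider = new MidpointSamlLocalServiceProviderConfiguration();
        boolean signRequests = Boolean.TRUE.equals(serviceProviderType.isSignRequests());
        serviceProvider.setEntityId(serviceProviderType.getEntityId())
                // NOTE(review): metadata signing follows the signRequests flag because the
                // module schema exposes no separate signMetadata setting here - confirm intended.
                .setSignMetadata(signRequests)
                .setSignRequests(signRequests)
                .setWantAssertionsSigned(Boolean.TRUE.equals(serviceProviderType.isWantAssertionsSigned()))
                .setSingleLogoutEnabled(Boolean.TRUE.equals(serviceProviderType.isSingleLogoutEnabled()));

        if (StringUtils.isNotBlank(basePath)) {
            serviceProvider.setBasePath(basePath);
        } else {
            serviceProvider.setBasePath(getBasePath((HttpServletRequest) servletRequest));
        }

        List<Object> nameIds = new ArrayList<>();
        for (AuthenticationModuleSaml2NameIdType nameIdType : serviceProviderType.getNameId()) {
            nameIds.add(nameIdType.value());
        }
        serviceProvider.setNameIds(nameIds);

        if (serviceProviderType.getDefaultDigest() != null) {
            serviceProvider.setDefaultDigest(DigestMethod.fromUrn(serviceProviderType.getDefaultDigest().value()));
        }
        if (serviceProviderType.getDefaultSigningAlgorithm() != null) {
            serviceProvider.setDefaultSigningAlgorithm(AlgorithmMethod.fromUrn(serviceProviderType.getDefaultSigningAlgorithm().value()));
        }

        serviceProvider.setKeys(createRotatingKeys(serviceProviderType.getKeys()));
        serviceProvider.setAlias(serviceProviderType.getAlias());
        serviceProvider.setAliasForPath(serviceProviderType.getAliasForPath());
        return serviceProvider;
    }

    /**
     * Builds the service provider's signing key set. When both an active simple key and an
     * active key-store key are configured the key-store key wins (it is applied last).
     * A key whose secrets cannot be decrypted is logged and skipped.
     *
     * @param keys keys section of the module definition, may be {@code null}
     * @return the (possibly empty) rotating key set
     */
    private static RotatingKeys createRotatingKeys(AuthenticationModuleSaml2KeyType keys) {
        RotatingKeys rotatingKeys = new RotatingKeys();
        if (keys == null) {
            return rotatingKeys;
        }
        ModuleSaml2SimpleKeyType activeSimpleKey = keys.getActiveSimpleKey();
        if (activeSimpleKey != null) {
            try {
                rotatingKeys.setActive(createSimpleKey(activeSimpleKey));
            } catch (EncryptionException e) {
                // Log only the key name, not the key definition, so no key material can end up in the log.
                LOGGER.error("Couldn't obtain clear string for configuration of active SimpleKey '{}'; the service provider may have no active signing key",
                        activeSimpleKey.getName(), e);
            }
        }
        ModuleSaml2KeyStoreKeyType activeKeyStoreKey = keys.getActiveKeyStoreKey();
        if (activeKeyStoreKey != null) {
            try {
                rotatingKeys.setActive(createKeyStoreKey(activeKeyStoreKey));
            } catch (EncryptionException e) {
                LOGGER.error("Couldn't obtain clear string for configuration of active KeyStoreKey '{}'; the service provider may have no active signing key",
                        activeKeyStoreKey.getKeyAlias(), e);
            }
        }
        if (keys.getStandBySimpleKey() != null) {
            for (ModuleSaml2SimpleKeyType standBy : keys.getStandBySimpleKey()) {
                try {
                    rotatingKeys.getStandBy().add(createSimpleKey(standBy));
                } catch (EncryptionException e) {
                    LOGGER.error("Couldn't obtain clear string for configuration of stand-by SimpleKey '{}'", standBy.getName(), e);
                }
            }
        }
        if (keys.getStandByKeyStoreKey() != null) {
            for (ModuleSaml2KeyStoreKeyType standBy : keys.getStandByKeyStoreKey()) {
                try {
                    rotatingKeys.getStandBy().add(createKeyStoreKey(standBy));
                } catch (EncryptionException e) {
                    LOGGER.error("Couldn't obtain clear string for configuration of stand-by KeyStoreKey '{}'", standBy.getKeyAlias(), e);
                }
            }
        }
        return rotatingKeys;
    }

    /**
     * Maps one external identity provider: alias, TLS/metadata trust flags, request binding,
     * link text, decrypted verification keys and metadata.
     *
     * @throws IllegalArgumentException when no authentication request binding is configured
     */
    private static ExternalIdentityProviderConfiguration createProvider(AuthenticationModuleSaml2ProviderType providerType) {
        boolean skipSslValidation = Boolean.TRUE.equals(providerType.isSkipSslValidation());
        if (skipSslValidation) {
            // Disabling certificate validation exposes metadata retrieval to man-in-the-middle attacks.
            LOGGER.warn("SAML2 identity provider '{}' is configured with skipSslValidation=true; TLS certificate validation for it is disabled",
                    providerType.getAlias());
        }
        String binding = providerType.getAuthenticationRequestBinding();
        if (binding == null) {
            throw new IllegalArgumentException("Missing authenticationRequestBinding for SAML2 identity provider '" + providerType.getAlias() + "'");
        }

        ExternalIdentityProviderConfiguration provider = new ExternalIdentityProviderConfiguration();
        provider.setAlias(providerType.getAlias())
                .setSkipSslValidation(skipSslValidation)
                .setMetadataTrustCheck(Boolean.TRUE.equals(providerType.isMetadataTrustCheck()))
                .setAuthenticationRequestBinding(URI.create(binding));
        if (StringUtils.isNotBlank(providerType.getLinkText())) {
            provider.setLinktext(providerType.getLinkText());
        }

        List<String> verificationKeys = new ArrayList<>();
        for (ProtectedStringType protectedKey : providerType.getVerificationKeys()) {
            try {
                // The decrypted key must be collected; previously it was discarded, so configured
                // verification keys never reached the provider configuration.
                verificationKeys.add(protector.decryptString(protectedKey));
            } catch (EncryptionException e) {
                LOGGER.error("Couldn't obtain clear string for verification key of SAML2 identity provider '{}'", providerType.getAlias(), e);
            }
        }
        if (!verificationKeys.isEmpty()) {
            provider.setVerificationKeys(verificationKeys);
        }

        try {
            // Identity-provider metadata is mandatory (required=true).
            provider.setMetadata(createMetadata(providerType.getMetadata(), true));
        } catch (Exception e) {
            LOGGER.error("Couldn't obtain metadata as string from " + providerType.getMetadata(), e);
        }
        return provider;
    }

    /**
     * Resolves the metadata source of a provider to the value the library expects:
     * a metadata URL as-is, the UTF-8 content of a file, or the inline XML as UTF-8 text,
     * checked in that order.
     *
     * @param metadataType metadata section, may be {@code null}
     * @param required whether absent metadata is an error
     * @return the metadata URL or XML text, or {@code null} when absent and not required
     * @throws IOException when the configured file cannot be read
     * @throws IllegalArgumentException when no metadata is configured and {@code required} is set
     */
    private static String createMetadata(AuthenticationModuleSaml2ProviderMetadataType metadataType, boolean required) throws IOException {
        if (metadataType != null) {
            String metadataUrl = metadataType.getMetadataUrl();
            if (StringUtils.isNotBlank(metadataUrl)) {
                return metadataUrl;
            }
            String pathToFile = metadataType.getPathToFile();
            if (StringUtils.isNotBlank(pathToFile)) {
                return readFile(pathToFile);
            }
            byte[] xml = metadataType.getXml();
            if (xml != null && xml.length != 0) {
                return new String(xml, StandardCharsets.UTF_8);
            }
        }
        if (required) {
            throw new IllegalArgumentException("Metadata is not present");
        }
        return null;
    }

    /**
     * Reads the whole file at the administrator-configured path as UTF-8 text
     * (SAML metadata is XML; the platform default charset must not decide how it is decoded).
     */
    private static String readFile(String path) throws IOException {
        return new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.UTF_8);
    }

    /** Decrypts the PEM-style private key, passphrase and certificate of a simple key definition. */
    private static SimpleKey createSimpleKey(ModuleSaml2SimpleKeyType keyType) throws EncryptionException {
        SimpleKey simpleKey = new SimpleKey();
        simpleKey.setName(keyType.getName());
        simpleKey.setPrivateKey(protector.decryptString(keyType.getPrivateKey()));
        simpleKey.setPassphrase(protector.decryptString(keyType.getPassphrase()));
        simpleKey.setCertificate(protector.decryptString(keyType.getCertificate()));
        if (keyType.getType() != null) {
            simpleKey.setType(KeyType.fromTypeName(keyType.getType().name()));
        }
        return simpleKey;
    }

    /** Decrypts the key and key-store passwords of a key-store key definition. */
    private static KeyStoreKey createKeyStoreKey(ModuleSaml2KeyStoreKeyType keyType) throws EncryptionException {
        KeyStoreKey keyStoreKey = new KeyStoreKey();
        keyStoreKey.setKeyAlias(keyType.getKeyAlias());
        keyStoreKey.setKeyPassword(protector.decryptString(keyType.getKeyPassword()));
        keyStoreKey.setKeyStorePath(keyType.getKeyStorePath());
        keyStoreKey.setKeyStorePassword(protector.decryptString(keyType.getKeyStorePassword()));
        if (keyType.getType() != null) {
            keyStoreKey.setType(KeyType.fromTypeName(keyType.getType().name()));
        }
        return keyStoreKey;
    }

    /**
     * Derives the service provider's base URL ({@code scheme://host[:port]/context}) from the
     * request, omitting the port when it is the scheme's default (443 for https, 80 for http).
     * <p>
     * Security note: scheme, server name and port are whatever the servlet container reports for
     * the request, i.e. ultimately the client's Host header unless the container or a reverse proxy
     * normalises it. Because the SAML SP base URL flows into the SP's own endpoints, prefer configuring
     * an explicit base path (the {@code str2} argument of {@link #build}) in production so this
     * fallback is not used.
     */
    private static String getBasePath(HttpServletRequest request) {
        String scheme = request.getScheme();
        int port = request.getServerPort();
        boolean defaultPort = (443 == port && "https".equals(scheme)) || (80 == port && "http".equals(scheme));
        return scheme + "://" + request.getServerName() + (defaultPort ? "" : ":" + port) + request.getContextPath();
    }

    public SamlServerConfiguration getSamlConfiguration() {
        return this.samlConfiguration;
    }

    public void setSamlConfiguration(SamlServerConfiguration samlServerConfiguration) {
        this.samlConfiguration = samlServerConfiguration;
    }

    /** @return the live (mutable) map of identity-provider entityId to username attribute name */
    public Map<String, String> getNamesOfUsernameAttributes() {
        return this.namesOfUsernameAttributes;
    }

    /**
     * Registers which SAML attribute carries the username for one identity provider.
     *
     * @param str identity-provider entityId
     * @param str2 name of the attribute carrying the midPoint username
     * @throws IllegalArgumentException when either value is blank
     */
    public void addNameOfUsernameAttributeOfIP(String str, String str2) {
        if (StringUtils.isBlank(str) || StringUtils.isBlank(str2)) {
            throw new IllegalArgumentException("Couldn't use attribute name '" + str2 + "' for alias '" + str + "'");
        }
        getNamesOfUsernameAttributes().put(str, str2);
    }

    public void setNamesOfUsernameAttributes(Map<String, String> map) {
        this.namesOfUsernameAttributes = map;
    }

    /**
     * Validates the parent configuration and requires the SAML configuration to be present.
     * It does not check that an active signing key or any identity provider was built.
     *
     * @throws IllegalArgumentException when the SAML configuration is missing
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // com.evolveum.midpoint.web.security.module.configuration.ModuleWebSecurityConfigurationImpl
    public void validate() {
        super.validate();
        if (getSamlConfiguration() == null) {
            throw new IllegalArgumentException("Saml configuration is null");
        }
    }
}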
