package com.evolveum.midpoint.web.security.module;

import com.evolveum.midpoint.model.api.ModelAuditRecorder;
import com.evolveum.midpoint.model.api.authentication.MidpointAuthentication;
import com.evolveum.midpoint.model.api.authentication.ModuleAuthentication;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.web.security.MidPointAuthenticationSuccessHandler;
import com.evolveum.midpoint.web.security.MidpointAuthenticationFailureHandler;
import com.evolveum.midpoint.web.security.MidpointHostBasedSamlServiceProviderProvisioning;
import com.evolveum.midpoint.web.security.MidpointOpenSamlImplementation;
import com.evolveum.midpoint.web.security.MidpointSamlKeyStoreProvider;
import com.evolveum.midpoint.web.security.MidpointServiceProviderLogoutHandler;
import com.evolveum.midpoint.web.security.SamlAuthenticationEntryPoint;
import com.evolveum.midpoint.web.security.filter.MidpointAnonymousAuthenticationFilter;
import com.evolveum.midpoint.web.security.filter.MidpointSamlAuthenticationRequestFilter;
import com.evolveum.midpoint.web.security.filter.MidpointSamlAuthenticationResponseFilter;
import com.evolveum.midpoint.web.security.filter.configurers.MidpointExceptionHandlingConfigurer;
import com.evolveum.midpoint.web.security.module.configuration.SamlModuleWebSecurityConfiguration;
import com.evolveum.midpoint.web.security.util.SecurityUtils;
import java.util.ArrayList;
import java.util.Collections;
import java.util.UUID;
import javax.servlet.Filter;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.saml.SamlAuthentication;
import org.springframework.security.saml.SamlRequestMatcher;
import org.springframework.security.saml.provider.SamlProviderLogoutFilter;
import org.springframework.security.saml.provider.SamlServerConfiguration;
import org.springframework.security.saml.provider.provisioning.SamlProviderProvisioning;
import org.springframework.security.saml.provider.service.ServiceProviderService;
import org.springframework.security.saml.provider.service.config.SamlServiceProviderServerBeanConfiguration;
import org.springframework.security.saml.spi.SpringSecuritySaml;
import org.springframework.security.saml.spi.opensaml.OpenSamlImplementation;
import org.springframework.security.saml.util.StringUtils;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.authentication.logout.CompositeLogoutHandler;
import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

/* loaded from: input_file:com/evolveum/midpoint/web/security/module/SamlModuleWebSecurityConfig.class */
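/**
 * Spring Security configuration for one midPoint SAML2 authentication module.
 *
 * <p>What it does (all visible below): limits the {@link HttpSecurity} to the module prefix,
 * disables CSRF on that prefix, installs the spring-security-saml service-provider filter chain
 * (configuration, metadata, authn request, authn response, logout) after
 * {@link BasicAuthenticationFilter}, and replaces the stock anonymous filter / entry point with
 * SAML-aware variants so that a {@link SamlAuthentication} that is still in flight is carried
 * through the anonymous step instead of being dropped.
 *
 * @param <C> the module configuration type
 */
public class SamlModuleWebSecurityConfig<C extends SamlModuleWebSecurityConfiguration> extends ModuleWebSecurityConfig<C> {
    private static final Trace LOGGER = TraceManager.getTrace(SamlModuleWebSecurityConfig.class);

    /** Path the authentication entry point sends unauthenticated requests to (IdP selection page). */
    public static final String SAML_LOGIN_PATH = "/saml2/select";

    @Autowired
    private ModelAuditRecorder auditProvider;

    /** spring-security-saml bean configuration for this module; created once in the constructor. */
    private final SamlModuleWebSecurityConfig<C>.MidpointSamlProviderServerBeanConfiguration beanConfiguration;

    /**
     * midPoint flavour of the spring-security-saml service-provider bean configuration.
     * Supplies the SP provisioning, the OpenSAML implementation with midPoint's key store
     * provider, and the three request-handling filters wired in {@link #configure(HttpSecurity)}.
     */
    public class MidpointSamlProviderServerBeanConfiguration extends SamlServiceProviderServerBeanConfiguration {
        private final SamlModuleWebSecurityConfiguration configuration;
        private final SamlServerConfiguration saml2Config;

        /**
         * Pass-through manager: it performs NO credential validation of its own. It merely publishes
         * a token that is already marked authenticated and carries a {@link MidPointPrincipal} into the
         * security context and returns the token unchanged. Feed it only tokens that were verified
         * elsewhere. Not referenced anywhere in this file; retained for compatibility.
         */
        private class MidpointSimpleAuthenticationManager implements AuthenticationManager {
            private MidpointSimpleAuthenticationManager() {
            }

            @Override
            public Authentication authenticate(Authentication authentication) throws AuthenticationException {
                boolean verifiedMidpointUser = authentication.isAuthenticated()
                        && authentication.getPrincipal() instanceof MidPointPrincipal;
                if (verifiedMidpointUser) {
                    SecurityContextHolder.getContext().setAuthentication(authentication);
                }
                return authentication;
            }
        }

        /**
         * @param samlModuleWebSecurityConfiguration module configuration; its SAML server
         *        configuration becomes the default host configuration
         */
        public MidpointSamlProviderServerBeanConfiguration(SamlModuleWebSecurityConfiguration samlModuleWebSecurityConfiguration) {
            this.configuration = samlModuleWebSecurityConfiguration;
            this.saml2Config = samlModuleWebSecurityConfiguration.getSamlConfiguration();
        }

        /** Host-based SP provisioning built from the shared repository, transformer, validator and cache. */
        @Bean(name = {"samlServiceProviderProvisioning"})
        public SamlProviderProvisioning<ServiceProviderService> getSamlProvisioning() {
            return new MidpointHostBasedSamlServiceProviderProvisioning(
                    samlConfigurationRepository(),
                    samlTransformer(),
                    samlValidator(),
                    samlMetadataCache(),
                    authenticationRequestEnhancer());
        }

        /** OpenSAML implementation that loads signing/encryption keys through midPoint's key store provider. */
        @Bean
        public SpringSecuritySaml samlImplementation() {
            OpenSamlImplementation implementation = new MidpointOpenSamlImplementation(samlTime()).init();
            implementation.setSamlKeyStoreProvider(new MidpointSamlKeyStoreProvider());
            return implementation;
        }

        protected SamlServerConfiguration getDefaultHostSamlServerConfiguration() {
            return this.saml2Config;
        }

        /** Filter that builds and sends the AuthnRequest to the selected IdP. */
        @Override
        public Filter spAuthenticationRequestFilter() {
            return new MidpointSamlAuthenticationRequestFilter(getSamlProvisioning());
        }

        /**
         * Filter that consumes the IdP's SAMLResponse. Authentication is delegated to a
         * {@link ProviderManager} with no providers of its own, i.e. entirely to the module's
         * parent authentication manager; success/failure go to midPoint's handlers.
         */
        @Override
        public Filter spAuthenticationResponseFilter() {
            MidpointSamlAuthenticationResponseFilter responseFilter = new MidpointSamlAuthenticationResponseFilter(
                    SamlModuleWebSecurityConfig.this.auditProvider, getSamlProvisioning());
            try {
                responseFilter.setAuthenticationManager(new ProviderManager(
                        Collections.emptyList(), SamlModuleWebSecurityConfig.this.authenticationManager()));
            } catch (Exception e) {
                // Keep the cause; the previous version logged only the message, which hid why the
                // manager was missing. The filter is still registered without a manager here —
                // whether it then fails closed depends on MidpointSamlAuthenticationResponseFilter
                // (TODO(review): confirm, or consider propagating instead of continuing).
                LOGGER.error("Couldn't initialize authentication manager for saml2 module", e);
            }
            AuthenticationSuccessHandler successHandler = (AuthenticationSuccessHandler) SamlModuleWebSecurityConfig.this
                    .getObjectPostProcessor()
                    .postProcess(new MidPointAuthenticationSuccessHandler().setPrefix(this.configuration.getPrefix()));
            responseFilter.setAuthenticationSuccessHandler(successHandler);
            responseFilter.setAuthenticationFailureHandler(new MidpointAuthenticationFailureHandler());
            return responseFilter;
        }

        /**
         * SP logout filter. Handlers run in order: clear the security context, clear the JSESSIONID
         * cookie, then the SP-side SAML logout. The request matcher additionally treats the current
         * request as a logout when the processing module has its "internal logout" flag set; the
         * flag is consumed (reset to false) the first time it is seen.
         */
        @Override
        public Filter spSamlLogoutFilter() {
            ArrayList<LogoutHandler> logoutHandlers = new ArrayList<>();
            logoutHandlers.add(new SecurityContextLogoutHandler());
            logoutHandlers.add(new CookieClearingLogoutHandler("JSESSIONID"));
            logoutHandlers.add(new MidpointServiceProviderLogoutHandler(getSamlProvisioning()));

            SamlRequestMatcher logoutMatcher = new SamlRequestMatcher(getSamlProvisioning(), "logout") {
                @Override
                public boolean matches(HttpServletRequest request) {
                    ModuleAuthentication processingModule = SecurityUtils.getProcessingModule(false);
                    boolean internalLogout = processingModule != null && processingModule.isInternalLogout();
                    if (!internalLogout) {
                        return super.matches(request);
                    }
                    // One-shot flag: consume it so the next request is matched normally.
                    processingModule.setInternalLogout(false);
                    return true;
                }
            };

            return new SamlProviderLogoutFilter(
                    getSamlProvisioning(),
                    new CompositeLogoutHandler(logoutHandlers),
                    logoutMatcher,
                    SamlModuleWebSecurityConfig.this.createLogoutHandler());
        }
    }

    /**
     * Details source for the anonymous filter: when the current {@link MidpointAuthentication} has a
     * processing module whose authentication is a {@link SamlAuthentication}, that object becomes the
     * token's details (so it can be recovered later, see createNewAuthentication in configure());
     * otherwise the standard web details are built.
     */
    private static class SamlAuthenticationDetailsSource implements AuthenticationDetailsSource<HttpServletRequest, Object> {
        private final WebAuthenticationDetailsSource detailsSource = new WebAuthenticationDetailsSource();

        private SamlAuthenticationDetailsSource() {
        }

        @Override
        public Object buildDetails(HttpServletRequest request) {
            Authentication current = SecurityContextHolder.getContext().getAuthentication();
            if (current instanceof MidpointAuthentication) {
                ModuleAuthentication processingModule = ((MidpointAuthentication) current).getProcessingModuleAuthentication();
                if (processingModule != null && processingModule.getAuthentication() instanceof SamlAuthentication) {
                    return processingModule.getAuthentication();
                }
            }
            return this.detailsSource.buildDetails(request);
        }
    }

    /**
     * @param c module configuration; also used to build the SAML bean configuration
     */
    public SamlModuleWebSecurityConfig(C c) {
        super(c);
        this.beanConfiguration = new MidpointSamlProviderServerBeanConfiguration(c);
    }

    /**
     * Configures the module's HTTP security: scope to the prefix, CSRF off, SAML-aware exception
     * handling / entry point, and the SP filter chain after {@link BasicAuthenticationFilter}.
     *
     * @param httpSecurity builder for this module
     * @throws Exception propagated from the Spring Security builder
     */
    @Override
    public void configure(HttpSecurity httpSecurity) throws Exception {
        getObjectPostProcessor().postProcess(getBeanConfiguration());
        super.configure(httpSecurity);
        httpSecurity.antMatcher(StringUtils.stripEndingSlases(getPrefix()) + "/**");

        // CSRF is disabled for the whole module prefix — presumably because the IdP delivers the
        // SAMLResponse by a cross-site POST that cannot carry an application CSRF token. Note this
        // also removes CSRF protection from every other endpoint under the prefix (metadata, logout);
        // TODO(review): check whether the exemption can be narrowed to the response endpoint.
        httpSecurity.csrf().disable();

        MidpointExceptionHandlingConfigurer exceptionHandling = new MidpointExceptionHandlingConfigurer() {
            @Override
            protected Authentication createNewAuthentication(AnonymousAuthenticationToken anonymousAuthenticationToken) {
                // The anonymous filter stashed the in-flight SamlAuthentication in the token details
                // (SamlAuthenticationDetailsSource); restore it, otherwise there is nothing to restore.
                Object details = anonymousAuthenticationToken.getDetails();
                return details instanceof SamlAuthentication ? (SamlAuthentication) details : null;
            }
        };
        ((MidpointExceptionHandlingConfigurer) getOrApply(httpSecurity, exceptionHandling))
                .authenticationEntryPoint(new SamlAuthenticationEntryPoint(SAML_LOGIN_PATH));

        // Build each filter once; the original called every factory twice (once for the instance,
        // once only to read its class), constructing throw-away filters and auth managers.
        SamlServiceProviderServerBeanConfiguration beans = getBeanConfiguration();
        Filter configurationFilter = beans.samlConfigurationFilter();
        Filter metadataFilter = beans.spMetadataFilter();
        Filter authnRequestFilter = beans.spAuthenticationRequestFilter();
        Filter authnResponseFilter = beans.spAuthenticationResponseFilter();
        Filter logoutFilter = beans.spSamlLogoutFilter();
        httpSecurity
                .addFilterAfter(configurationFilter, BasicAuthenticationFilter.class)
                .addFilterAfter(metadataFilter, configurationFilter.getClass())
                .addFilterAfter(authnRequestFilter, metadataFilter.getClass())
                .addFilterAfter(authnResponseFilter, authnRequestFilter.getClass())
                .addFilterAfter(logoutFilter, authnResponseFilter.getClass());
    }

    /** @return the SAML bean configuration built for this module */
    public SamlServiceProviderServerBeanConfiguration getBeanConfiguration() {
        return this.beanConfiguration;
    }

    /**
     * Anonymous filter keyed with a fresh random UUID per configuration instance. Its
     * processAuthentication hook replaces the processing module's authentication with a new
     * anonymous one only when that authentication is absent or is a {@link SamlAuthentication},
     * keeping the principal of the surrounding {@link MidpointAuthentication} in sync.
     *
     * @return the configured anonymous filter
     */
    @Override
    protected AnonymousAuthenticationFilter createAnonymousFilter() {
        MidpointAnonymousAuthenticationFilter anonymousFilter = new MidpointAnonymousAuthenticationFilter(
                this.authRegistry,
                this.authChannelRegistry,
                this.prismContext,
                UUID.randomUUID().toString(),
                "anonymousUser",
                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS")) {
            @Override
            protected void processAuthentication(ServletRequest servletRequest) {
                Authentication current = SecurityContextHolder.getContext().getAuthentication();
                if (!(current instanceof MidpointAuthentication)) {
                    return;
                }
                MidpointAuthentication midpointAuthentication = (MidpointAuthentication) current;
                ModuleAuthentication processingModule = midpointAuthentication.getProcessingModuleAuthentication();
                if (processingModule == null) {
                    return;
                }
                Authentication moduleAuthentication = processingModule.getAuthentication();
                if (moduleAuthentication == null || moduleAuthentication instanceof SamlAuthentication) {
                    Authentication anonymous = createBasicAuthentication((HttpServletRequest) servletRequest);
                    processingModule.setAuthentication(anonymous);
                    midpointAuthentication.setPrincipal(anonymous.getPrincipal());
                }
            }
        };
        anonymousFilter.setAuthenticationDetailsSource(new SamlAuthenticationDetailsSource());
        return anonymousFilter;
    }
}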
