package com.evolveum.midpoint.web.security.provider;

import com.evolveum.midpoint.model.api.AuthenticationEvaluator;
import com.evolveum.midpoint.model.api.authentication.AuthenticationChannel;
import com.evolveum.midpoint.model.api.authentication.GuiProfiledPrincipal;
import com.evolveum.midpoint.model.api.authentication.MidpointAuthentication;
import com.evolveum.midpoint.model.api.authentication.ModuleAuthentication;
import com.evolveum.midpoint.model.api.context.PasswordAuthenticationContext;
import com.evolveum.midpoint.model.api.context.PreAuthenticationContext;
import com.evolveum.midpoint.security.api.ConnectionEnvironment;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.web.security.module.authentication.Saml2ModuleAuthentication;
import com.evolveum.midpoint.web.security.util.SecurityUtils;
import java.util.Collection;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import org.apache.commons.lang3.StringUtils;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml.saml2.core.NameID;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.util.CollectionUtils;

/* loaded from: input_file:WEB-INF/classes/com/evolveum/midpoint/web/security/provider/Saml2Provider.class */
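/**
 * Authentication provider backing the SAML 2.0 login module.
 *
 * <p>Validation of the SAML response is delegated to Spring Security's
 * {@link OpenSaml4AuthenticationProvider}. The converter installed in the constructor then
 * re-keys the asserted attributes (by name and, when present, friendly name) and wraps the
 * subject's {@link NameID} into a {@link MidpointSaml2AuthenticatedPrincipal}. Finally,
 * {@link #internalAuthentication} reads the configured username attribute and resolves the
 * midPoint user through the pre-authenticated path of the password
 * {@link AuthenticationEvaluator}, i.e. no password is checked at that stage.
 *
 * <p>This source was recovered from a decompiled class. The overridden methods keep their raw
 * generic parameters on purpose so that the signatures still match the superclass.
 */
public class Saml2Provider extends MidPointAbstractAuthenticationProvider {
    private static final Trace LOGGER = TraceManager.getTrace((Class<?>) Saml2Provider.class);
    private final OpenSaml4AuthenticationProvider openSamlProvider = new OpenSaml4AuthenticationProvider();
    private final Converter<OpenSaml4AuthenticationProvider.ResponseToken, Saml2Authentication> defaultConverter =
            OpenSaml4AuthenticationProvider.createDefaultResponseAuthenticationConverter();

    /** Evaluator used for the pre-authenticated lookup of the user named by the SAML attribute. */
    @Autowired
    @Qualifier("passwordAuthenticationEvaluator")
    private AuthenticationEvaluator<PasswordAuthenticationContext> authenticationEvaluator;

    /**
     * SAML principal extended with the subject's name-ID format and SP name qualifier.
     *
     * <p>Declared {@code static}: an instance becomes the principal of the resulting
     * {@link Saml2Authentication} and therefore outlives this call; it must not capture a
     * hidden reference to the provider that built it.
     */
    public static class MidpointSaml2AuthenticatedPrincipal extends DefaultSaml2AuthenticatedPrincipal {
        private final String spNameQualifier;
        private final String nameIdFormat;

        /**
         * @param name principal name as produced by the default response converter
         * @param attributes attribute values keyed by attribute name (and friendly name when present)
         * @param nameID subject name ID; when {@code null}, both extra fields stay {@code null}
         */
        public MidpointSaml2AuthenticatedPrincipal(String name, Map<String, List<Object>> attributes, NameID nameID) {
            super(name, attributes);
            this.spNameQualifier = nameID != null ? nameID.getSPNameQualifier() : null;
            this.nameIdFormat = nameID != null ? nameID.getFormat() : null;
        }

        /** @return the {@code Format} of the subject name ID, or {@code null} when it was absent */
        public String getNameIdFormat() {
            return this.nameIdFormat;
        }

        /** @return the {@code SPNameQualifier} of the subject name ID, or {@code null} when it was absent */
        public String getSpNameQualifier() {
            return this.spNameQualifier;
        }
    }

    /** Installs the midPoint-specific response converter on the delegate OpenSAML provider. */
    public Saml2Provider() {
        this.openSamlProvider.setResponseAuthenticationConverter(this::convertResponse);
    }

    /**
     * Builds the {@link Saml2Authentication} for a response the delegate provider has already validated.
     *
     * <p>The default converter produces the principal name, authorities and the attribute map
     * keyed by attribute name. This method re-keys that map so each attribute is reachable by its
     * name and also by its friendly name, and attaches the subject name ID both to the principal and
     * as the token details.
     *
     * @param responseToken the validated response together with the originating token
     * @return the enriched authentication; its principal is a {@link MidpointSaml2AuthenticatedPrincipal}
     * @throws AuthenticationServiceException when the response carries no assertion
     */
    private Saml2Authentication convertResponse(OpenSaml4AuthenticationProvider.ResponseToken responseToken) {
        Saml2Authentication converted = this.defaultConverter.convert(responseToken);
        DefaultSaml2AuthenticatedPrincipal defaultPrincipal = (DefaultSaml2AuthenticatedPrincipal) converted.getPrincipal();
        Map<String, List<Object>> attributes = defaultPrincipal.getAttributes();
        Assertion assertion = (Assertion) CollectionUtils.firstElement(responseToken.getResponse().getAssertions());
        if (assertion == null) {
            // Defensive: the delegate is expected to reject assertion-less responses before this converter
            // runs, but a plain NPE here would be hard to diagnose.
            LOGGER.error("Saml response doesn't contain any assertion");
            throw new AuthenticationServiceException("Saml response doesn't contain any assertion");
        }
        Map<String, List<Object>> byNameAndFriendlyName = new LinkedHashMap<>();
        for (AttributeStatement statement : assertion.getAttributeStatements()) {
            for (Attribute attribute : statement.getAttributes()) {
                // Only attributes the default converter already parsed are carried over.
                if (!attributes.containsKey(attribute.getName())) {
                    continue;
                }
                List<Object> values = attributes.get(attribute.getName());
                byNameAndFriendlyName.put(attribute.getName(), values);
                // Friendly names share the key space with attribute names; a later attribute with the
                // same name or friendly name overwrites an earlier entry (original behaviour, kept as-is).
                if (StringUtils.isNotEmpty(attribute.getFriendlyName())) {
                    byNameAndFriendlyName.put(attribute.getFriendlyName(), values);
                }
            }
        }
        // Subject may legitimately be absent on the object model; keep the name ID null in that case.
        NameID nameId = assertion.getSubject() != null ? assertion.getSubject().getNameID() : null;
        MidpointSaml2AuthenticatedPrincipal principal = new MidpointSaml2AuthenticatedPrincipal(
                defaultPrincipal.getName(), byNameAndFriendlyName, nameId);
        principal.setRelyingPartyRegistrationId(
                responseToken.getToken().getRelyingPartyRegistration().getRegistrationId());
        Saml2Authentication result = new Saml2Authentication(
                principal, converted.getSaml2Response(), converted.getAuthorities());
        result.setDetails(nameId);
        return result;
    }

    /**
     * @return the password evaluator injected into this provider (used in pre-authenticated mode)
     */
    @Override
    public AuthenticationEvaluator getEvaluator() {
        return this.authenticationEvaluator;
    }

    /**
     * Stores the outcome of a successful authentication.
     *
     * @param originalAuthentication the token this provider was asked to authenticate
     * @param midpointAuthentication overall authentication whose principal is updated when the result
     *        carries a {@link GuiProfiledPrincipal}
     * @param moduleAuthentication the module state that receives the result token
     * @param resultAuthentication the token produced by {@link #internalAuthentication}
     */
    @Override
    protected void writeAuthentication(Authentication originalAuthentication, MidpointAuthentication midpointAuthentication,
            ModuleAuthentication moduleAuthentication, Authentication resultAuthentication) {
        Object principal = resultAuthentication.getPrincipal();
        // instanceof is false for null, so no separate null check is needed
        if (principal instanceof GuiProfiledPrincipal) {
            midpointAuthentication.setPrincipal(principal);
        }
        if (resultAuthentication instanceof PreAuthenticatedAuthenticationToken) {
            // Keep the original SAML token reachable from the result for later inspection
            ((PreAuthenticatedAuthenticationToken) resultAuthentication).setDetails(originalAuthentication);
        }
        moduleAuthentication.setAuthentication(resultAuthentication);
    }

    /**
     * Authenticates a {@link Saml2AuthenticationToken}.
     *
     * <p>Order of operations: (1) reject anything but a SAML token, (2) let the delegate provider
     * validate the response — an exception thrown there propagates without touching the module
     * state, (3) resolve the username from the configured attribute and look the user up through
     * the evaluator's pre-authenticated path. Failures in step 3 that are
     * {@link AuthenticationException}s are recorded on the module and rethrown.
     *
     * @param authentication the token to authenticate; must be a {@link Saml2AuthenticationToken}
     * @param list passed through to {@link PreAuthenticationContext} unchanged (semantics defined by the
     *        superclass contract, not visible here)
     * @param authenticationChannel channel the login arrives on; may be {@code null}
     * @param cls passed through to {@link PreAuthenticationContext} unchanged
     * @return the pre-authenticated token for the resolved user
     * @throws AuthenticationException when the token type is unsupported, the username attribute is
     *         missing/empty/multi-valued, or the evaluator rejects the user
     */
    @Override
    protected Authentication internalAuthentication(Authentication authentication, List list,
            AuthenticationChannel authenticationChannel, Class cls) throws AuthenticationException {
        ConnectionEnvironment connectionEnvironment = createEnvironment(authenticationChannel);
        if (!(authentication instanceof Saml2AuthenticationToken)) {
            LOGGER.error("Unsupported authentication {}", authentication);
            throw new AuthenticationServiceException("web.security.provider.unavailable");
        }
        Saml2AuthenticationToken samlToken = (Saml2AuthenticationToken) authentication;
        // Response validation happens here; it is intentionally outside the try below, so a
        // validation failure is not recorded on the module as a midPoint authentication attempt.
        Saml2Authentication samlAuthentication = (Saml2Authentication) this.openSamlProvider.authenticate(samlToken);
        Saml2ModuleAuthentication moduleAuthentication = (Saml2ModuleAuthentication) SecurityUtils.getProcessingModule(true);
        try {
            DefaultSaml2AuthenticatedPrincipal samlPrincipal = (DefaultSaml2AuthenticatedPrincipal) samlAuthentication.getPrincipal();
            samlToken.setDetails(samlPrincipal);
            String username = resolveUsername(samlPrincipal.getAttributes(), moduleAuthentication,
                    samlToken.getRelyingPartyRegistration().getRegistrationId());
            PreAuthenticationContext preAuthenticationContext = new PreAuthenticationContext(username, cls, list);
            if (authenticationChannel != null) {
                preAuthenticationContext.setSupportActivationByChannel(authenticationChannel.isSupportActivationByChannel());
            }
            PreAuthenticatedAuthenticationToken result =
                    this.authenticationEvaluator.authenticateUserPreAuthenticated(connectionEnvironment, preAuthenticationContext);
            LOGGER.debug("User '{}' authenticated ({}), authorities: {}", authentication.getPrincipal(),
                    authentication.getClass().getSimpleName(), ((MidPointPrincipal) result.getPrincipal()).getAuthorities());
            return result;
        } catch (AuthenticationException e) {
            moduleAuthentication.setAuthentication(samlToken);
            LOGGER.info("Authentication with saml module failed: {}", e.getMessage());
            throw e;
        }
    }

    /**
     * Picks the single username value out of the asserted attributes.
     *
     * @param attributes attribute values as exposed by the SAML principal
     * @param moduleAuthentication module state holding the per-registration configuration
     * @param registrationId relying-party registration the response belongs to
     * @return the username to look up
     * @throws AuthenticationServiceException when the configured attribute is absent, has no value, or has
     *         more than one value
     */
    private static String resolveUsername(Map<String, List<Object>> attributes,
            Saml2ModuleAuthentication moduleAuthentication, String registrationId) {
        // NOTE(review): a registration without additional configuration would surface as a
        // NullPointerException here rather than an AuthenticationException — confirm whether that can happen.
        String nameOfUsernameAttribute = moduleAuthentication.getAdditionalConfiguration()
                .get(registrationId).getNameOfUsernameAttribute();
        if (!attributes.containsKey(nameOfUsernameAttribute)) {
            LOGGER.error("Couldn't find attribute for username in saml response");
            throw new AuthenticationServiceException("web.security.auth.saml2.username.null");
        }
        List<Object> values = attributes.get(nameOfUsernameAttribute);
        if (values == null || values.isEmpty() || values.get(0) == null) {
            LOGGER.error("Saml attribute, which define username don't contains value");
            throw new AuthenticationServiceException("web.security.auth.saml2.username.null");
        }
        // Exactly one value is required: a multi-valued username attribute is ambiguous and must not be
        // silently reduced to its first element.
        if (values.size() != 1) {
            LOGGER.error("Saml attribute, which define username contains more values {}", values);
            throw new AuthenticationServiceException("web.security.auth.saml2.username.more.values");
        }
        Object value = values.get(0);
        // The attribute map is typed List<Object>, so the value is not guaranteed to be a String; a blind
        // cast would fail with a ClassCastException that bypasses the AuthenticationException handling.
        return value instanceof String ? (String) value : String.valueOf(value);
    }

    /**
     * Re-creates the result token with the given authorities; other token types are returned unchanged.
     *
     * @param authentication token produced by the authentication step
     * @param collection authorities to attach
     * @return a fresh {@link PreAuthenticatedAuthenticationToken} carrying {@code collection}, or
     *         {@code authentication} itself when it is not a pre-authenticated token
     */
    @Override
    protected Authentication createNewAuthenticationToken(Authentication authentication, Collection collection) {
        if (authentication instanceof PreAuthenticatedAuthenticationToken) {
            return new PreAuthenticatedAuthenticationToken(
                    authentication.getPrincipal(), authentication.getCredentials(), collection);
        }
        return authentication;
    }

    /** Delegates to the OpenSAML provider; effectively only {@link Saml2AuthenticationToken} is supported. */
    @Override
    public boolean supports(Class cls) {
        return this.openSamlProvider.supports(cls);
    }
}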
