package com.evolveum.midpoint.authentication.impl.provider;

import com.evolveum.midpoint.authentication.api.AuthenticationChannel;
import com.evolveum.midpoint.authentication.api.util.AuthUtil;
import com.evolveum.midpoint.authentication.impl.module.authentication.Saml2ModuleAuthenticationImpl;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import org.apache.commons.lang3.StringUtils;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml.saml2.core.NameID;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.util.CollectionUtils;

/* loaded from: input_file:BOOT-INF/lib/authentication-impl-4.7.5-SNAPSHOT.jar:com/evolveum/midpoint/authentication/impl/provider/Saml2Provider.class */
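/**
 * SAML 2.0 authentication provider for midPoint.
 *
 * Validation of the SAML response is delegated to Spring's {@link OpenSaml4AuthenticationProvider};
 * this class only re-wraps the resulting principal (adding NameID details and friendly-name aliases
 * for attributes) and then resolves the midPoint user from the configured username attribute.
 */
public class Saml2Provider extends RemoteModuleProvider {
    private static final Trace LOGGER = TraceManager.getTrace((Class<?>) Saml2Provider.class);

    /** Delegate that validates the SAML response; {@code initSamlProvider()} installs the custom converter on it. */
    private final OpenSaml4AuthenticationProvider openSamlProvider = new OpenSaml4AuthenticationProvider();

    /** Spring's stock response converter; the custom converter delegates to it and only re-wraps the principal. */
    private final Converter<OpenSaml4AuthenticationProvider.ResponseToken, Saml2Authentication> defaultConverter =
            OpenSaml4AuthenticationProvider.createDefaultResponseAuthenticationConverter();

    /**
     * SAML principal that additionally remembers the {@code Format} and {@code SPNameQualifier} of the
     * assertion subject's {@code NameID}, next to the attributes kept by the Spring superclass.
     */
    public static class MidpointSaml2AuthenticatedPrincipal extends DefaultSaml2AuthenticatedPrincipal {
        private final String spNameQualifier;
        private final String nameIdFormat;

        /**
         * @param str    principal name
         * @param map    SAML attributes, keyed by attribute name (and by friendly name, see {@code initSamlProvider()})
         * @param nameID subject {@code NameID} whose format and SP name qualifier are copied; must not be null
         */
        public MidpointSaml2AuthenticatedPrincipal(String str, Map<String, List<Object>> map, NameID nameID) {
            super(str, map);
            this.spNameQualifier = nameID.getSPNameQualifier();
            this.nameIdFormat = nameID.getFormat();
        }

        /** @return the {@code Format} attribute of the subject {@code NameID}; null when the IdP omitted it */
        public String getNameIdFormat() {
            return this.nameIdFormat;
        }

        /** @return the {@code SPNameQualifier} attribute of the subject {@code NameID}; null when the IdP omitted it */
        public String getSpNameQualifier() {
            return this.spNameQualifier;
        }
    }

    public Saml2Provider() {
        initSamlProvider();
    }

    /**
     * Installs a response converter that runs Spring's default conversion and then replaces the principal
     * with a {@link MidpointSaml2AuthenticatedPrincipal}. The replacement principal carries the attributes of the
     * first assertion keyed both by {@code Name} and, when present, by {@code FriendlyName}, so that the
     * username attribute can be configured by either.
     */
    private void initSamlProvider() {
        this.openSamlProvider.setResponseAuthenticationConverter(responseToken -> {
            Saml2Authentication defaultAuthentication = this.defaultConverter.convert(responseToken);
            if (defaultAuthentication == null) {
                return null;
            }
            DefaultSaml2AuthenticatedPrincipal defaultPrincipal =
                    (DefaultSaml2AuthenticatedPrincipal) defaultAuthentication.getPrincipal();
            Map<String, List<Object>> attributesByName = defaultPrincipal.getAttributes();
            // Only the first assertion of the response is consulted, mirroring the default converter's result.
            Assertion assertion = CollectionUtils.firstElement(responseToken.getResponse().getAssertions());
            if (assertion == null) {
                return defaultAuthentication;
            }
            Map<String, List<Object>> aliasedAttributes = collectAliasedAttributes(assertion, attributesByName);
            NameID nameId = assertion.getSubject().getNameID();
            MidpointSaml2AuthenticatedPrincipal principal =
                    new MidpointSaml2AuthenticatedPrincipal(defaultPrincipal.getName(), aliasedAttributes, nameId);
            principal.setRelyingPartyRegistrationId(
                    responseToken.getToken().getRelyingPartyRegistration().getRegistrationId());
            Saml2Authentication authentication = new Saml2Authentication(
                    principal, defaultAuthentication.getSaml2Response(), defaultAuthentication.getAuthorities());
            authentication.setDetails(nameId);
            return authentication;
        });
    }

    /**
     * Builds the attribute map exposed on the principal: every attribute of the assertion that the default
     * converter already knows (by {@code Name}) is stored under its name and, if non-empty, under its friendly name.
     *
     * Note that {@code FriendlyName} is not namespace-qualified: if an IdP sends a friendly name equal to
     * another attribute's {@code Name}, the entry put later silently wins. Configuring the username attribute
     * by its full {@code Name} avoids that ambiguity.
     *
     * @param assertion        first assertion of the response
     * @param attributesByName attributes as resolved by Spring's default converter, keyed by attribute name
     * @return insertion-ordered map of attribute values keyed by name and friendly name
     */
    private static Map<String, List<Object>> collectAliasedAttributes(
            Assertion assertion, Map<String, List<Object>> attributesByName) {
        Map<String, List<Object>> result = new LinkedHashMap<>();
        for (AttributeStatement statement : assertion.getAttributeStatements()) {
            for (Attribute attribute : statement.getAttributes()) {
                String name = attribute.getName();
                if (!attributesByName.containsKey(name)) {
                    continue;
                }
                List<Object> values = attributesByName.get(name);
                result.put(name, values);
                if (StringUtils.isNotEmpty(attribute.getFriendlyName())) {
                    result.put(attribute.getFriendlyName(), values);
                }
            }
        }
        return result;
    }

    /**
     * Authenticates a {@link Saml2AuthenticationToken}: validates it through the OpenSAML provider, resolves the
     * midPoint user from the configured username attribute and wraps the result in a
     * {@link PreAuthenticatedAuthenticationToken}. Every {@link AuthenticationException} raised on the way is
     * audited as a login failure before it propagates.
     *
     * @param authentication        incoming token; anything other than a {@link Saml2AuthenticationToken} is rejected
     * @param list                  passed through to {@code getPreAuthenticationToken} (presumably required assignments;
     *                              see the superclass)
     * @param authenticationChannel channel the request arrived on
     * @param cls                   passed through to {@code getPreAuthenticationToken} (presumably the focus type)
     * @throws AuthenticationServiceException when the token type is unsupported or the username attribute is
     *                                        missing, empty, ambiguous or not a string
     */
    @Override
    protected Authentication internalAuthentication(Authentication authentication, List list,
            AuthenticationChannel authenticationChannel, Class cls) throws AuthenticationException {
        if (!(authentication instanceof Saml2AuthenticationToken)) {
            LOGGER.error("Unsupported authentication {}", authentication);
            throw new AuthenticationServiceException("web.security.provider.unavailable");
        }
        Saml2AuthenticationToken samlToken = (Saml2AuthenticationToken) authentication;
        try {
            // Response validation (as configured on OpenSaml4AuthenticationProvider) happens here;
            // attributes are read only after this call has returned.
            Saml2Authentication samlAuthentication = (Saml2Authentication) this.openSamlProvider.authenticate(samlToken);
            Saml2ModuleAuthenticationImpl moduleAuthentication =
                    (Saml2ModuleAuthenticationImpl) AuthUtil.getProcessingModule();
            try {
                DefaultSaml2AuthenticatedPrincipal samlPrincipal =
                        (DefaultSaml2AuthenticatedPrincipal) samlAuthentication.getPrincipal();
                samlToken.setDetails(samlPrincipal);
                String registrationId = samlToken.getRelyingPartyRegistration().getRegistrationId();
                // NOTE(review): a relying-party registration without additional configuration surfaces as an NPE
                // here rather than as an audited failure; the configuration type is not visible in this file,
                // so no typed guard is added.
                String usernameAttribute = moduleAuthentication.getAdditionalConfiguration()
                        .get(registrationId).getNameOfUsernameAttribute();
                String enteredUsername = defineEnteredUsername(samlPrincipal.getAttributes(), usernameAttribute);
                PreAuthenticatedAuthenticationToken preAuthenticationToken =
                        getPreAuthenticationToken(authentication, enteredUsername, cls, list, authenticationChannel);
                LOGGER.debug("User '{}' authenticated ({}), authorities: {}", authentication.getPrincipal(),
                        authentication.getClass().getSimpleName(),
                        ((MidPointPrincipal) preAuthenticationToken.getPrincipal()).getAuthorities());
                return preAuthenticationToken;
            } catch (AuthenticationException e) {
                // Keep the validated token on the module so the failure can be reported against it.
                moduleAuthentication.setAuthentication(samlToken);
                LOGGER.info("Authentication with saml module failed: {}", e.getMessage());
                throw e;
            }
        } catch (AuthenticationException e2) {
            getAuditProvider().auditLoginFailure(null, null, createConnectEnvironment(getChannel()), e2.getMessage());
            throw e2;
        }
    }

    /**
     * Extracts the login name from the SAML attributes.
     *
     * @param map SAML attributes of the authenticated principal, keyed by attribute name (and friendly name)
     * @param str name of the attribute that carries the username, taken from the module configuration
     * @return the single string value of that attribute
     * @throws AuthenticationServiceException when the attribute is absent, has no value, has more than one value,
     *                                        or its value is not a string
     */
    private String defineEnteredUsername(Map<String, List<Object>> map, String str) {
        if (!map.containsKey(str)) {
            LOGGER.error("Couldn't find attribute for username in saml response");
            throw new AuthenticationServiceException("web.security.provider.invalid");
        }
        List<Object> values = map.get(str);
        if (values == null || values.isEmpty() || values.get(0) == null) {
            LOGGER.error("Saml attribute, which define username don't contains value");
            throw new AuthenticationServiceException("web.security.provider.invalid");
        }
        if (values.size() != 1) {
            LOGGER.error("Saml attribute, which define username contains more values {}", values);
            throw new AuthenticationServiceException("web.security.provider.invalid");
        }
        Object value = values.get(0);
        // Spring maps typed attribute values (xs:integer, xs:boolean, ...) to non-String objects. Reject those
        // as an authentication failure instead of letting a ClassCastException bypass the audit path above.
        if (!(value instanceof String)) {
            LOGGER.error("Saml attribute, which define username has unexpected value type {}",
                    value.getClass().getName());
            throw new AuthenticationServiceException("web.security.provider.invalid");
        }
        return (String) value;
    }

    /** Delegates to the OpenSAML provider, which accepts {@link Saml2AuthenticationToken} and its subclasses. */
    @Override
    public boolean supports(Class cls) {
        return this.openSamlProvider.supports(cls);
    }
}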
