package com.evolveum.midpoint.authentication.impl.filter.saml;

import com.evolveum.midpoint.model.api.ModelAuditRecorder;
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
import org.springframework.security.config.annotation.web.configurers.AbstractAuthenticationFilterConfigurer;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationTokenConverter;
import org.springframework.security.saml2.provider.service.web.authentication.OpenSaml4AuthenticationRequestResolver;
import org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;

/* loaded from: input_file:BOOT-INF/lib/authentication-impl-4.8.9-SNAPSHOT.jar:com/evolveum/midpoint/authentication/impl/filter/saml/MidpointSaml2LoginConfigurer.class */
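/**
 * Spring Security configurer that installs midPoint's SAML2 web SSO filters into a filter chain.
 *
 * <p>Two filters are registered:
 * <ul>
 *   <li>a {@code MidpointSaml2WebSsoAuthenticationFilter}, bound to {@link #loginProcessingUrl(String)},
 *       which receives the token converter, the processing URL and the audit recorder;</li>
 *   <li>a {@code MidpointSaml2WebSsoAuthenticationRequestFilter}, bound to
 *       {@value #FILTER_PROCESSING_URL}, which is handed the authentication request resolver.</li>
 * </ul>
 *
 * <p>Trust decisions (which identity providers are accepted, which keys verify their assertions)
 * come entirely from the {@link RelyingPartyRegistrationRepository} supplied by the caller; this
 * class only wires it into the filters. The repository must be set before {@link #init} runs.
 *
 * @param <B> the type of security builder being configured
 */
public class MidpointSaml2LoginConfigurer<B extends HttpSecurityBuilder<B>> extends AbstractAuthenticationFilterConfigurer<B, MidpointSaml2LoginConfigurer<B>, Saml2WebSsoAuthenticationFilter> {
    // Path on which an authentication request towards an identity provider is initiated.
    // Despite its name this is not the URL on which SAML responses are processed (see loginProcessingUrl).
    private static final String FILTER_PROCESSING_URL = "/saml2/authenticate/{registrationId}";
    // Path on which the SSO filter processes the identity provider's response.
    private String loginProcessingUrl = Saml2WebSsoAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI;
    private RelyingPartyRegistrationRepository relyingPartyRegistrationRepository;
    // Optional; when null the manager assigned by the parent configurer stays in effect.
    private AuthenticationManager authenticationManager;
    private Saml2WebSsoAuthenticationFilter saml2WebSsoAuthenticationFilter;
    private final ModelAuditRecorder auditProvider;

    /**
     * Creates the configurer.
     *
     * @param modelAuditRecorder audit recorder passed on to the SSO authentication filter
     */
    public MidpointSaml2LoginConfigurer(ModelAuditRecorder modelAuditRecorder) {
        this.auditProvider = modelAuditRecorder;
    }

    /**
     * Sets the {@link AuthenticationManager} the SSO filter must use instead of the one assigned
     * by the parent configurer.
     *
     * @param authenticationManager the manager to use, never {@code null}
     * @return this configurer, for chaining
     * @throws IllegalArgumentException if {@code authenticationManager} is {@code null}
     */
    public MidpointSaml2LoginConfigurer<B> authenticationManager(AuthenticationManager authenticationManager) {
        Assert.notNull(authenticationManager, "authenticationManager cannot be null");
        this.authenticationManager = authenticationManager;
        return this;
    }

    /**
     * Sets the repository of relying party registrations, i.e. the set of identity providers
     * this service provider trusts.
     *
     * @param relyingPartyRegistrationRepository the repository; required by the time {@link #init} runs
     * @return this configurer, for chaining
     */
    public MidpointSaml2LoginConfigurer<B> relyingPartyRegistrationRepository(RelyingPartyRegistrationRepository relyingPartyRegistrationRepository) {
        this.relyingPartyRegistrationRepository = relyingPartyRegistrationRepository;
        return this;
    }

    /**
     * Sets the URL pattern on which SAML responses are processed.
     *
     * @param str the pattern; must contain the {@code {registrationId}} path variable
     * @return this configurer, for chaining
     * @throws IllegalArgumentException if {@code str} is empty or blank
     * @throws IllegalStateException if {@code str} lacks the {@code {registrationId}} variable
     */
    @Override
    public MidpointSaml2LoginConfigurer<B> loginProcessingUrl(String str) {
        Assert.hasText(str, "loginProcessingUrl cannot be empty");
        // Without the variable the registration for an incoming response could not be
        // selected from the request path.
        Assert.state(str.contains("{registrationId}"), "{registrationId} path variable is required");
        this.loginProcessingUrl = str;
        return this;
    }

    /**
     * Builds the matcher for the login processing URL.
     *
     * <p>The matcher is created from the pattern alone, so it is not limited to a particular
     * HTTP method; any restriction to the binding's method has to be enforced by the filter
     * itself or elsewhere in the chain.
     *
     * @param str the Ant-style path pattern
     * @return a matcher for {@code str}
     */
    @Override
    protected RequestMatcher createLoginProcessingUrlMatcher(String str) {
        return new AntPathRequestMatcher(str);
    }

    /**
     * Creates the SSO authentication filter and selects the authentication entry point.
     *
     * <p>When the repository exposes exactly one registration, unauthenticated requests are sent
     * straight to that registration's authentication-request URL. In every other case (no
     * registration, several registrations, or a repository that cannot be iterated) the parent's
     * default initialization is used.
     *
     * @param b the security builder being configured
     * @throws IllegalArgumentException if no relying party registration repository was set
     * @throws Exception if the parent initialization fails
     */
    @Override
    public void init(B b) throws Exception {
        // Fail with an explicit message instead of a failure from deep inside the resolver.
        Assert.notNull(this.relyingPartyRegistrationRepository, "relyingPartyRegistrationRepository cannot be null");
        this.saml2WebSsoAuthenticationFilter = new MidpointSaml2WebSsoAuthenticationFilter(new Saml2AuthenticationTokenConverter(new DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository)), this.loginProcessingUrl, this.auditProvider);
        setAuthenticationFilter(this.saml2WebSsoAuthenticationFilter);
        super.loginProcessingUrl(this.loginProcessingUrl);
        Map<String, String> identityProviderUrlMap = getIdentityProviderUrlMap(this.relyingPartyRegistrationRepository);
        if (identityProviderUrlMap.size() != 1) {
            super.init(b);
            return;
        }
        updateAuthenticationDefaults();
        updateAccessDefaults(b);
        // Single identity provider: the entry point redirects directly to its request URL.
        String singleProviderUrl = identityProviderUrlMap.keySet().iterator().next();
        registerAuthenticationEntryPoint(b, new LoginUrlAuthenticationEntryPoint(singleProviderUrl));
    }

    /**
     * Adds the authentication-request filter and finishes configuration of the SSO filter.
     *
     * @param b the security builder being configured
     * @throws Exception if the parent configuration fails
     */
    @Override
    public void configure(B b) throws Exception {
        OpenSaml4AuthenticationRequestResolver requestResolver = new OpenSaml4AuthenticationRequestResolver(new DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository));
        requestResolver.setRequestMatcher(new AntPathRequestMatcher(FILTER_PROCESSING_URL));
        // NOTE(review): getSharedObject returns null when no SecurityContextRepository was shared
        // on the builder; confirm the request filter tolerates that.
        b.addFilter(new MidpointSaml2WebSsoAuthenticationRequestFilter(requestResolver, b.getSharedObject(SecurityContextRepository.class)));
        super.configure(b);
        // Applied after the parent configuration so an explicitly supplied manager takes precedence.
        if (this.authenticationManager != null) {
            this.saml2WebSsoAuthenticationFilter.setAuthenticationManager(this.authenticationManager);
        }
    }

    /**
     * Maps each registration's authentication-request URL to its registration id, in the
     * repository's iteration order.
     *
     * <p>The registration id is substituted into the path as-is, without URL encoding, so ids
     * are expected to be URL-safe configuration values.
     *
     * @param relyingPartyRegistrationRepository the repository to enumerate
     * @return URL to registration id; empty when the repository is not {@link Iterable}
     */
    private Map<String, String> getIdentityProviderUrlMap(RelyingPartyRegistrationRepository relyingPartyRegistrationRepository) {
        Map<String, String> urlToRegistrationId = new LinkedHashMap<>();
        if (relyingPartyRegistrationRepository instanceof Iterable) {
            // The repository interface does not expose its element type, so this cast cannot be
            // checked statically; a foreign element type fails with ClassCastException below.
            @SuppressWarnings("unchecked")
            Iterable<RelyingPartyRegistration> registrations = (Iterable<RelyingPartyRegistration>) relyingPartyRegistrationRepository;
            for (RelyingPartyRegistration registration : registrations) {
                String registrationId = registration.getRegistrationId();
                urlToRegistrationId.put(FILTER_PROCESSING_URL.replace("{registrationId}", registrationId), registrationId);
            }
        }
        return urlToRegistrationId;
    }
}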
