package com.evolveum.midpoint.authentication.impl.filter.saml;

import com.evolveum.midpoint.authentication.api.config.MidpointAuthentication;
import com.evolveum.midpoint.authentication.api.config.ModuleAuthentication;
import com.evolveum.midpoint.authentication.impl.module.authentication.Saml2ModuleAuthenticationImpl;
import com.evolveum.midpoint.authentication.impl.provider.Saml2Provider;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import jakarta.servlet.http.HttpServletRequest;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateCrtKey;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Date;
import java.util.List;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.jetbrains.annotations.NotNull;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.security.crypto.JCAConstants;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.AuthenticatedPrincipal;
import org.springframework.security.core.Authentication;
import org.springframework.security.saml2.Saml2Exception;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken;
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSaml4LogoutRequestResolver;
import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestResolver;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/* loaded from: input_file:BOOT-INF/lib/authentication-impl-4.9.1-SNAPSHOT.jar:com/evolveum/midpoint/authentication/impl/filter/saml/MidpointSaml2LogoutRequestResolver.class */
public class MidpointSaml2LogoutRequestResolver implements Saml2LogoutRequestResolver {
    private static final Trace LOGGER = TraceManager.getTrace((Class<?>) MidpointSaml2LogoutRequestResolver.class);
    private final OpenSaml4LogoutRequestResolver resolver;
    private final RelyingPartyRegistrationRepository relyingPartyRegistrations;

    public MidpointSaml2LogoutRequestResolver(InMemoryRelyingPartyRegistrationRepository inMemoryRelyingPartyRegistrationRepository) {
        this.relyingPartyRegistrations = new InMemoryRelyingPartyRegistrationRepository(createRegistrationsWithFakeKeys(inMemoryRelyingPartyRegistrationRepository));
        this.resolver = new OpenSaml4LogoutRequestResolver(new DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrations));
        this.resolver.setParametersConsumer(this::resolveParameters);
    }

    private List<RelyingPartyRegistration> createRegistrationsWithFakeKeys(InMemoryRelyingPartyRegistrationRepository inMemoryRelyingPartyRegistrationRepository) {
        ArrayList arrayList = new ArrayList();
        inMemoryRelyingPartyRegistrationRepository.forEach(relyingPartyRegistration -> {
            if (relyingPartyRegistration.getAssertingPartyDetails() != null && !relyingPartyRegistration.getAssertingPartyDetails().getWantAuthnRequestsSigned() && relyingPartyRegistration.getSigningX509Credentials().isEmpty()) {
                LOGGER.debug("Relying party registration with id: " + relyingPartyRegistration.getRegistrationId() + " doesn't contain any singing key. Logout request need sign key for signing of logout request, so we try creating fake key and certificate.");
                RelyingPartyRegistration.Builder withRelyingPartyRegistration = RelyingPartyRegistration.withRelyingPartyRegistration(relyingPartyRegistration);
                try {
                    createFakeKeyForSign(withRelyingPartyRegistration);
                    arrayList.add(withRelyingPartyRegistration.build());
                    LOGGER.debug("We add fake key and certificate to relying party registration with id: " + relyingPartyRegistration.getRegistrationId());
                    return;
                } catch (IOException | NoSuchAlgorithmException | CertificateException | OperatorCreationException e) {
                    LOGGER.debug("Couldn't generate fake key pair for logout.", e);
                }
            }
            LOGGER.debug("We use original saml relying party registration without fake key and certificate");
            arrayList.add(relyingPartyRegistration);
        });
        return arrayList;
    }

    private void resolveParameters(OpenSaml4LogoutRequestResolver.LogoutRequestParameters logoutRequestParameters) {
        if (logoutRequestParameters.getLogoutRequest() == null || logoutRequestParameters.getAuthentication() == null || !(logoutRequestParameters.getAuthentication().getPrincipal() instanceof Saml2Provider.MidpointSaml2AuthenticatedPrincipal)) {
            return;
        }
        LogoutRequest logoutRequest = logoutRequestParameters.getLogoutRequest();
        Saml2Provider.MidpointSaml2AuthenticatedPrincipal midpointSaml2AuthenticatedPrincipal = (Saml2Provider.MidpointSaml2AuthenticatedPrincipal) logoutRequestParameters.getAuthentication().getPrincipal();
        logoutRequest.getNameID().setSPNameQualifier(midpointSaml2AuthenticatedPrincipal.getSpNameQualifier());
        logoutRequest.getNameID().setFormat(midpointSaml2AuthenticatedPrincipal.getNameIdFormat());
    }

    @Override // org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestResolver
    public Saml2LogoutRequest resolve(HttpServletRequest httpServletRequest, Authentication authentication) {
        try {
            Saml2AuthenticationToken saml2AuthenticationToken = null;
            if (authentication instanceof MidpointAuthentication) {
                ModuleAuthentication processingModuleAuthentication = ((MidpointAuthentication) authentication).getProcessingModuleAuthentication();
                if (processingModuleAuthentication instanceof Saml2ModuleAuthenticationImpl) {
                    if (processingModuleAuthentication.getAuthentication() instanceof Saml2AuthenticationToken) {
                        saml2AuthenticationToken = (Saml2AuthenticationToken) processingModuleAuthentication.getAuthentication();
                    } else if (((processingModuleAuthentication.getAuthentication() instanceof PreAuthenticatedAuthenticationToken) || (processingModuleAuthentication.getAuthentication() instanceof AnonymousAuthenticationToken)) && (processingModuleAuthentication.getAuthentication().getDetails() instanceof Saml2AuthenticationToken)) {
                        saml2AuthenticationToken = (Saml2AuthenticationToken) processingModuleAuthentication.getAuthentication().getDetails();
                    }
                }
            } else if ((authentication instanceof AnonymousAuthenticationToken) && (authentication.getDetails() instanceof Saml2AuthenticationToken)) {
                saml2AuthenticationToken = (Saml2AuthenticationToken) authentication.getDetails();
            }
            if (saml2AuthenticationToken == null) {
                return this.resolver.resolve(httpServletRequest, authentication);
            }
            AuthenticatedPrincipal authenticatedPrincipal = saml2AuthenticationToken.getDetails() instanceof AuthenticatedPrincipal ? (AuthenticatedPrincipal) saml2AuthenticationToken.getDetails() : null;
            if (!(authenticatedPrincipal instanceof Saml2AuthenticatedPrincipal)) {
                final String entityId = saml2AuthenticationToken.getRelyingPartyRegistration().getEntityId();
                final String registrationId = saml2AuthenticationToken.getRelyingPartyRegistration().getRegistrationId();
                authenticatedPrincipal = new Saml2AuthenticatedPrincipal() { // from class: com.evolveum.midpoint.authentication.impl.filter.saml.MidpointSaml2LogoutRequestResolver.1
                    @Override // org.springframework.security.core.AuthenticatedPrincipal
                    public String getName() {
                        return entityId;
                    }

                    @Override // org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal
                    public String getRelyingPartyRegistrationId() {
                        return registrationId;
                    }
                };
            }
            return this.resolver.resolve(httpServletRequest, new Saml2Authentication(authenticatedPrincipal, saml2AuthenticationToken.getSaml2Response(), null));
        } catch (Saml2Exception e) {
            LOGGER.debug("Couldn't create logout request.", (Throwable) e);
            return null;
        }
    }

    private void createFakeKeyForSign(RelyingPartyRegistration.Builder builder) throws NoSuchAlgorithmException, CertificateException, OperatorCreationException, IOException {
        KeyPair generateKeyPair = KeyPairGenerator.getInstance(JCAConstants.KEY_ALGO_RSA).generateKeyPair();
        RSAPrivateCrtKey rSAPrivateCrtKey = (RSAPrivateCrtKey) generateKeyPair.getPrivate();
        X509Certificate x509Certificate = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(getX509v3CertificateBuilder(rSAPrivateCrtKey, SubjectPublicKeyInfo.getInstance(generateKeyPair.getPublic().getEncoded())).build(new JcaContentSignerBuilder("SHA256WithRSA").setProvider(new BouncyCastleProvider()).build(generateKeyPair.getPrivate())).getEncoded()));
        builder.signingX509Credentials(collection -> {
            collection.add(Saml2X509Credential.signing(rSAPrivateCrtKey, x509Certificate));
        });
    }

    @NotNull
    private X509v3CertificateBuilder getX509v3CertificateBuilder(RSAPrivateCrtKey rSAPrivateCrtKey, SubjectPublicKeyInfo subjectPublicKeyInfo) {
        Calendar calendar = Calendar.getInstance();
        Date time = calendar.getTime();
        calendar.add(12, 10);
        return new X509v3CertificateBuilder(new X500Name("CN=MidPoint,O=Evolveum,L=,C="), rSAPrivateCrtKey.getCrtCoefficient(), time, calendar.getTime(), new X500Name("CN=MidPoint,O=Evolveum,L=,C="), subjectPublicKeyInfo);
    }
}
