package com.evolveum.midpoint.authentication.impl.module.configuration;

import com.evolveum.midpoint.authentication.api.util.AuthUtil;
import com.evolveum.midpoint.authentication.impl.filter.saml.MidpointAssertingPartyMetadataConverter;
import com.evolveum.midpoint.authentication.impl.module.configuration.SamlAdditionalConfiguration;
import com.evolveum.midpoint.authentication.impl.util.AuthSequenceUtil;
import com.evolveum.midpoint.prism.crypto.EncryptionException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ModuleSaml2KeyStoreKeyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ModuleSaml2KeyTypeType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ModuleSaml2SimpleKeyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.Saml2AuthenticationModuleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.Saml2KeyAuthenticationModuleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.Saml2ProviderAuthenticationModuleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.Saml2ProviderMetadataAuthenticationModuleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.Saml2ServiceProviderAuthenticationModuleType;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.http.HttpServletRequest;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.commons.lang3.StringUtils;
import org.apache.cxf.common.util.Base64Exception;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.pkcs.PKCSException;
import org.springframework.core.io.DefaultResourceLoader;
import org.springframework.core.io.ResourceLoader;
import org.springframework.security.saml2.Saml2Exception;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.web.util.UriComponentsBuilder;

/* loaded from: input_file:BOOT-INF/lib/authentication-impl-4.9.2-SNAPSHOT.jar:com/evolveum/midpoint/authentication/impl/module/configuration/SamlModuleWebSecurityConfiguration.class */
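public class SamlModuleWebSecurityConfiguration extends RemoteModuleWebSecurityConfiguration {

    /** Path suffix (appended to the module prefix) of the assertion consumer service endpoint. */
    public static final String SSO_LOCATION_URL_SUFFIX = "/SSO/alias/{registrationId}";

    /** Path suffix (appended to the module prefix) of the single logout endpoint. */
    public static final String LOGOUT_LOCATION_URL_SUFFIX = "/logout/alias/{registrationId}";

    private static final Trace LOGGER = TraceManager.getTrace(SamlModuleWebSecurityConfiguration.class);

    /**
     * Resolves {@code metadataUrl}. A {@link DefaultResourceLoader} accepts {@code file:} and {@code classpath:}
     * locations as well as remote URLs, so the configured value is treated as trusted administrator input.
     */
    private static final ResourceLoader RESOURCE_LOADER = new DefaultResourceLoader();

    private static final MidpointAssertingPartyMetadataConverter ASSERTING_PARTY_METADATA_CONVERTER =
            new MidpointAssertingPartyMetadataConverter();

    /** Certificate factory type used to parse the identity provider's verification certificates. */
    private static final String X509_CERTIFICATE_TYPE = "X.509";

    /** Placeholder registration id; the real one is assigned in {@link #createRelyingPartyRegistration}. */
    private static final String PLACEHOLDER_REGISTRATION_ID = "builder";

    private InMemoryRelyingPartyRegistrationRepository relyingPartyRegistrationRepository;

    /** Extra per-registration settings (username attribute, link text), keyed by relying-party registration id. */
    private final Map<String, SamlAdditionalConfiguration> additionalConfiguration = new HashMap<>();

    private SamlModuleWebSecurityConfiguration() {
        // instances are created through build(...) only
    }

    /**
     * Builds the SAML configuration of one authentication module and validates it.
     *
     * @param saml2AuthenticationModuleType module definition (service providers, their identity providers and keys)
     * @param str value handed to the inherited {@code build(configuration, module, str)} step; presumably the
     *            sequence/module suffix behind {@code getPrefixOfModule()} — confirm in the superclass
     * @param str2 public base URL of this deployment; when blank, the base path is derived from
     *             {@code servletRequest} instead (see {@link #createRelyingPartyRegistration})
     * @param servletRequest current request; cast to {@link HttpServletRequest} when the base path is derived from it
     * @return validated configuration with one relying-party registration per configured service provider
     * @throws IllegalArgumentException when validation fails (no relying-party repository), or when
     *         {@code InMemoryRelyingPartyRegistrationRepository} rejects the registration list
     *         (presumably when it is empty — verify against the Spring Security version in use)
     */
    public static SamlModuleWebSecurityConfiguration build(Saml2AuthenticationModuleType saml2AuthenticationModuleType,
            String str, String str2, ServletRequest servletRequest) {
        SamlModuleWebSecurityConfiguration configuration =
                buildInternal(saml2AuthenticationModuleType, str, str2, servletRequest);
        configuration.validate();
        return configuration;
    }

    /**
     * Creates the configuration without validating it: one {@link RelyingPartyRegistration} and one
     * {@link SamlAdditionalConfiguration} per configured service provider.
     */
    private static SamlModuleWebSecurityConfiguration buildInternal(Saml2AuthenticationModuleType moduleType,
            String str, String publicUrlPrefix, ServletRequest servletRequest) {
        SamlModuleWebSecurityConfiguration configuration = new SamlModuleWebSecurityConfiguration();
        // inherited step: fills the generic module settings (module prefix etc.)
        build(configuration, moduleType, str);

        List<RelyingPartyRegistration> registrations = new ArrayList<>();
        for (Saml2ServiceProviderAuthenticationModuleType serviceProvider : moduleType.getServiceProvider()) {
            Saml2ProviderAuthenticationModuleType identityProvider = serviceProvider.getIdentityProvider();
            RelyingPartyRegistration.Builder registrationBuilder =
                    getRelyingPartyFromMetadata(identityProvider.getMetadata(), identityProvider);
            SamlAdditionalConfiguration.Builder additionalBuilder = SamlAdditionalConfiguration.builder();
            createRelyingPartyRegistration(registrationBuilder, additionalBuilder, identityProvider, publicUrlPrefix,
                    configuration, serviceProvider.getKeys(), serviceProvider, servletRequest);
            RelyingPartyRegistration registration = registrationBuilder.build();
            registrations.add(registration);
            // a later service provider with the same registration id silently replaces the earlier entry here;
            // the repository below presumably rejects such duplicates — confirm
            configuration.additionalConfiguration.put(registration.getRegistrationId(), additionalBuilder.build());
        }
        configuration.setRelyingPartyRegistrationRepository(new InMemoryRelyingPartyRegistrationRepository(registrations));
        return configuration;
    }

    /**
     * Fills the relying-party registration (ids, endpoint locations, asserting-party details, SP credentials)
     * and the additional configuration for one service provider.
     *
     * @param registrationBuilder builder pre-populated from the identity provider metadata
     * @param additionalBuilder collects the non-Spring settings of this registration
     * @param identityProvider identity-provider part of the service-provider definition
     * @param publicUrlPrefix public base URL; when blank the base path is taken from {@code servletRequest}
     * @param configuration configuration being built (supplies the module prefix)
     * @param keys SP signing/decryption keys; may be {@code null}
     * @param serviceProvider service-provider definition
     * @param servletRequest current request, used only when {@code publicUrlPrefix} is blank
     */
    private static void createRelyingPartyRegistration(RelyingPartyRegistration.Builder registrationBuilder,
            SamlAdditionalConfiguration.Builder additionalBuilder,
            Saml2ProviderAuthenticationModuleType identityProvider, String publicUrlPrefix,
            SamlModuleWebSecurityConfiguration configuration, Saml2KeyAuthenticationModuleType keys,
            Saml2ServiceProviderAuthenticationModuleType serviceProvider, ServletRequest servletRequest) {
        // link text defaults to the IdP entity id when none is configured
        String linkText = identityProvider.getLinkText() == null
                ? identityProvider.getEntityId()
                : identityProvider.getLinkText();
        additionalBuilder.nameOfUsernameAttribute(identityProvider.getNameOfUsernameAttribute()).linkText(linkText);

        // Without a configured public prefix the ACS/SLO locations are built from the request's base path,
        // i.e. from request-supplied data (presumably the Host header — see AuthSequenceUtil.getBasePath);
        // behind a proxy a fixed public prefix is the safer choice.
        String baseUrl = StringUtils.isNotBlank(publicUrlPrefix)
                ? publicUrlPrefix
                : AuthSequenceUtil.getBasePath((HttpServletRequest) servletRequest);
        UriComponentsBuilder baseUri = UriComponentsBuilder.fromUriString(baseUrl);
        String modulePrefix = AuthUtil.stripSlashes(configuration.getPrefixOfModule());
        String ssoLocation = baseUri.cloneBuilder()
                .pathSegment(modulePrefix + SSO_LOCATION_URL_SUFFIX)
                .build()
                .toUriString();
        String logoutLocation = baseUri.cloneBuilder()
                .pathSegment(modulePrefix + LOGOUT_LOCATION_URL_SUFFIX)
                .build()
                .toUriString();

        registrationBuilder.registrationId(resolveRegistrationId(serviceProvider))
                .entityId(serviceProvider.getEntityId())
                .assertionConsumerServiceLocation(ssoLocation)
                .singleLogoutServiceLocation(logoutLocation)
                .assertingPartyDetails(details -> configureAssertingParty(details, identityProvider, serviceProvider));

        if (keys == null) {
            return;
        }
        List<Saml2X509Credential> credentials = collectServiceProviderCredentials(keys);
        if (credentials.isEmpty()) {
            return;
        }
        registrationBuilder.decryptionX509Credentials(collection -> credentials.stream()
                .filter(c -> c.getCredentialTypes().contains(Saml2X509Credential.Saml2X509CredentialType.DECRYPTION))
                .forEach(collection::add));
        registrationBuilder.signingX509Credentials(collection -> credentials.stream()
                .filter(c -> c.getCredentialTypes().contains(Saml2X509Credential.Saml2X509CredentialType.SIGNING))
                .forEach(collection::add));
    }

    /** Registration id of a service provider: {@code aliasForPath}, else {@code alias}, else the entity id. */
    private static String resolveRegistrationId(Saml2ServiceProviderAuthenticationModuleType serviceProvider) {
        if (StringUtils.isNotEmpty(serviceProvider.getAliasForPath())) {
            return serviceProvider.getAliasForPath();
        }
        if (StringUtils.isNotEmpty(serviceProvider.getAlias())) {
            return serviceProvider.getAlias();
        }
        return serviceProvider.getEntityId();
    }

    /**
     * Copies the identity-provider settings (entity id, request-signing flag, verification certificates)
     * into the asserting-party details. A verification key that cannot be decrypted or parsed is logged and
     * skipped, so the registration may end up with fewer verification certificates than configured.
     */
    private static void configureAssertingParty(RelyingPartyRegistration.AssertingPartyDetails.Builder details,
            Saml2ProviderAuthenticationModuleType identityProvider,
            Saml2ServiceProviderAuthenticationModuleType serviceProvider) {
        details.entityId(identityProvider.getEntityId());
        // only an explicit setting overrides Spring's default for wantAuthnRequestsSigned
        if (serviceProvider.isSignRequests() != null) {
            details.wantAuthnRequestsSigned(Boolean.TRUE.equals(serviceProvider.isSignRequests()));
        }
        var verificationKeys = identityProvider.getVerificationKeys();
        if (verificationKeys == null || verificationKeys.isEmpty()) {
            return;
        }
        details.verificationX509Credentials(collection -> verificationKeys.forEach(encryptedKey -> {
            String clearText;
            try {
                clearText = protector.decryptString(encryptedKey);
            } catch (EncryptionException e) {
                LOGGER.error("Couldn't obtain clear string for provider verification key", e);
                return; // skip this key; parsing an empty buffer would only log a second, misleading error
            }
            try {
                // the decrypted value is expected to be PEM/DER text, hence the explicit charset
                Certificate certificate = CertificateFactory.getInstance(X509_CERTIFICATE_TYPE)
                        .generateCertificate(new ByteArrayInputStream(clearText.getBytes(StandardCharsets.UTF_8)));
                collection.add(new Saml2X509Credential((X509Certificate) certificate,
                        Saml2X509Credential.Saml2X509CredentialType.VERIFICATION));
            } catch (CertificateException e) {
                LOGGER.error("Couldn't obtain certificate from " + encryptedKey, e);
            }
        }));
    }

    /**
     * Collects the service provider's own credentials: the active key first (a key-store key overrides a
     * simple key when both are set; the simple key is still resolved so a broken one keeps failing loudly),
     * then every stand-by key.
     *
     * @return possibly empty list; never {@code null}
     */
    private static List<Saml2X509Credential> collectServiceProviderCredentials(Saml2KeyAuthenticationModuleType keys) {
        List<Saml2X509Credential> credentials = new ArrayList<>();

        Saml2X509Credential active = getSaml2Credential(keys.getActiveSimpleKey(), true);
        Saml2X509Credential activeFromKeyStore = getSaml2Credential(keys.getActiveKeyStoreKey(), true);
        if (activeFromKeyStore != null) {
            active = activeFromKeyStore;
        }
        if (active != null) {
            credentials.add(active);
        }

        if (keys.getStandBySimpleKey() != null) {
            for (ModuleSaml2SimpleKeyType standBy : keys.getStandBySimpleKey()) {
                Saml2X509Credential credential = getSaml2Credential(standBy, false);
                if (credential != null) {
                    credentials.add(credential);
                }
            }
        }
        if (keys.getStandByKeyStoreKey() != null) {
            for (ModuleSaml2KeyStoreKeyType standBy : keys.getStandByKeyStoreKey()) {
                Saml2X509Credential credential = getSaml2Credential(standBy, false);
                if (credential != null) {
                    credentials.add(credential);
                }
            }
        }
        return credentials;
    }

    /**
     * Builds the registration from the identity-provider metadata, if any. Inline XML or a file is handled
     * first; a {@code metadataUrl} is handled afterwards and overrides whatever the inline source produced.
     *
     * @return builder populated from the metadata, or a bare builder with a placeholder id when no metadata is configured
     * @throws Saml2Exception when the metadata URL cannot be read or parsed
     */
    private static RelyingPartyRegistration.Builder getRelyingPartyFromMetadata(
            Saml2ProviderMetadataAuthenticationModuleType metadata,
            Saml2ProviderAuthenticationModuleType identityProvider) {
        RelyingPartyRegistration.Builder builder = RelyingPartyRegistration.withRegistrationId(PLACEHOLDER_REGISTRATION_ID);
        if (metadata == null) {
            return builder;
        }
        if (metadata.getXml() != null || metadata.getPathToFile() != null) {
            String metadataXml = null;
            try {
                metadataXml = createMetadata(metadata);
            } catch (IOException e) {
                LOGGER.error("Couldn't obtain metadata as string from " + metadata, e);
            }
            if (StringUtils.isNotEmpty(metadataXml)) {
                builder = ASSERTING_PARTY_METADATA_CONVERTER.convert(
                        new ByteArrayInputStream(metadataXml.getBytes(StandardCharsets.UTF_8)), identityProvider);
            }
        }
        if (metadata.getMetadataUrl() != null) {
            // try-with-resources: the stream is closed even when the converter throws.
            // The IdP's signing certificates are taken from this document, so the source should be
            // authenticated (https or a signed/locally stored document).
            try (InputStream metadataStream = RESOURCE_LOADER.getResource(metadata.getMetadataUrl()).getInputStream()) {
                builder = ASSERTING_PARTY_METADATA_CONVERTER.convert(metadataStream, identityProvider);
            } catch (IOException e) {
                if (e.getCause() instanceof Saml2Exception) {
                    throw (Saml2Exception) e.getCause();
                }
                throw new Saml2Exception(e);
            }
        }
        return builder;
    }

    /**
     * Returns the metadata document as text.
     *
     * @throws IOException when the configured file cannot be read
     * @throws IllegalArgumentException when none of url, file path or inline XML is configured
     */
    private static String createMetadata(Saml2ProviderMetadataAuthenticationModuleType metadata) throws IOException {
        if (metadata != null) {
            String metadataUrl = metadata.getMetadataUrl();
            // NOTE(review): the caller only reaches this method when xml/pathToFile is set, yet a configured
            // metadataUrl takes precedence here and is returned verbatim (not fetched), so it would be parsed
            // as XML by the caller; confirm this precedence is intended.
            if (StringUtils.isNotBlank(metadataUrl)) {
                return metadataUrl;
            }
            String pathToFile = metadata.getPathToFile();
            if (StringUtils.isNotBlank(pathToFile)) {
                return readFile(pathToFile);
            }
            byte[] xml = metadata.getXml();
            if (xml != null && xml.length != 0) {
                // explicit charset; the platform default is not portable across deployments
                return new String(xml, StandardCharsets.UTF_8);
            }
        }
        throw new IllegalArgumentException("Metadata is not present");
    }

    /** Reads the whole file at {@code path} as UTF-8 text. The path comes from the security policy (admin input). */
    private static String readFile(String path) throws IOException {
        return new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.UTF_8);
    }

    public InMemoryRelyingPartyRegistrationRepository getRelyingPartyRegistrationRepository() {
        return this.relyingPartyRegistrationRepository;
    }

    public void setRelyingPartyRegistrationRepository(
            InMemoryRelyingPartyRegistrationRepository inMemoryRelyingPartyRegistrationRepository) {
        this.relyingPartyRegistrationRepository = inMemoryRelyingPartyRegistrationRepository;
    }

    /** Returns the live (mutable) map of additional settings keyed by registration id. */
    public Map<String, SamlAdditionalConfiguration> getAdditionalConfiguration() {
        return this.additionalConfiguration;
    }

    /**
     * Validates the configuration.
     *
     * @throws IllegalArgumentException when no relying-party registration repository was set
     */
    @Override // declared in ModuleWebSecurityConfigurationImpl (decompiler reports it as protected there)
    public void validate() {
        super.validate();
        if (getRelyingPartyRegistrationRepository() == null) {
            throw new IllegalArgumentException("Saml configuration is null");
        }
    }

    /**
     * Resolves a simple (PEM-style) key definition into a Spring credential.
     *
     * @param simpleKey key definition; {@code null} yields {@code null}
     * @param active whether this is the active key (gets both SIGNING and DECRYPTION regardless of its type)
     * @return credential, or {@code null} when {@code simpleKey} is {@code null}
     * @throws Saml2Exception when the private key or the certificate cannot be obtained, or the certificate is not X.509
     */
    public static Saml2X509Credential getSaml2Credential(ModuleSaml2SimpleKeyType simpleKey, boolean active) {
        if (simpleKey == null) {
            return null;
        }
        try {
            PrivateKey privateKey = getPrivateKey(simpleKey, protector);
            try {
                Certificate certificate = getCertificate(simpleKey, protector);
                if (certificate instanceof X509Certificate) {
                    return new Saml2X509Credential(privateKey, (X509Certificate) certificate,
                            toTypeArray(getTypesForKey(active, simpleKey.getType())));
                }
                throw new Saml2Exception("Certificate of " + simpleKey + " is not of X509Certificate type.");
            } catch (EncryptionException | CertificateException | Base64Exception e) {
                throw new Saml2Exception("Unable get certificate from " + simpleKey, e);
            }
        } catch (EncryptionException | IOException | OperatorCreationException | PKCSException e) {
            // NOTE(review): the message embeds the key bean's toString(); if that rendering ever includes
            // clear-text ProtectedString values, key material would reach the logs — prefer an identifier.
            throw new Saml2Exception("Unable get key from " + simpleKey, e);
        }
    }

    /**
     * Credential types a key is registered for.
     *
     * @param active the active key is always usable for SIGNING and DECRYPTION
     * @param keyType configured type; {@code null} or UNSPECIFIED means both
     * @return SIGNING and/or DECRYPTION; empty when the configured type maps to neither
     * @throws IllegalArgumentException when {@code keyType.name()} is not a {@code Saml2X509CredentialType} constant
     */
    private static List<Saml2X509Credential.Saml2X509CredentialType> getTypesForKey(boolean active,
            ModuleSaml2KeyTypeType keyType) {
        if (active || keyType == null || ModuleSaml2KeyTypeType.UNSPECIFIED.equals(keyType)) {
            return List.of(Saml2X509Credential.Saml2X509CredentialType.SIGNING,
                    Saml2X509Credential.Saml2X509CredentialType.DECRYPTION);
        }
        Saml2X509Credential.Saml2X509CredentialType type =
                Saml2X509Credential.Saml2X509CredentialType.valueOf(keyType.name());
        if (type == Saml2X509Credential.Saml2X509CredentialType.SIGNING
                || type == Saml2X509Credential.Saml2X509CredentialType.DECRYPTION) {
            return List.of(type);
        }
        return List.of();
    }

    /** Array form expected by the {@link Saml2X509Credential} varargs constructor. */
    private static Saml2X509Credential.Saml2X509CredentialType[] toTypeArray(
            List<Saml2X509Credential.Saml2X509CredentialType> types) {
        return types.toArray(new Saml2X509Credential.Saml2X509CredentialType[0]);
    }

    /**
     * Resolves a key-store key definition into a Spring credential.
     *
     * @param keyStoreKey key definition; {@code null} yields {@code null}
     * @param active whether this is the active key (gets both SIGNING and DECRYPTION regardless of its type)
     * @return credential, or {@code null} when {@code keyStoreKey} is {@code null}
     * @throws Saml2Exception when the key or certificate cannot be read from the key store, or the certificate is not X.509
     */
    public static Saml2X509Credential getSaml2Credential(ModuleSaml2KeyStoreKeyType keyStoreKey, boolean active) {
        if (keyStoreKey == null) {
            return null;
        }
        try {
            PrivateKey privateKey = getPrivateKey(keyStoreKey, protector);
            try {
                Certificate certificate = getCertificate(keyStoreKey, protector);
                if (certificate instanceof X509Certificate) {
                    return new Saml2X509Credential(privateKey, (X509Certificate) certificate,
                            toTypeArray(getTypesForKey(active, keyStoreKey.getType())));
                }
                throw new Saml2Exception("Alias " + keyStoreKey.getKeyAlias()
                        + " don't return certificate of X509Certificate type.");
            } catch (EncryptionException | IOException | KeyStoreException | NoSuchAlgorithmException
                    | CertificateException e) {
                throw new Saml2Exception("Unable get certificate from " + keyStoreKey, e);
            }
        } catch (EncryptionException | IOException | KeyStoreException | NoSuchAlgorithmException
                | UnrecoverableKeyException | CertificateException e) {
            // NOTE(review): same caveat as for simple keys — the message embeds the key bean's toString()
            throw new Saml2Exception("Unable get key from " + keyStoreKey, e);
        }
    }
}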
