package io.datarouter.web.user.authenticate.saml;

import io.datarouter.auth.authenticate.saml.AuthnRequestMessageConfig;
import io.datarouter.auth.authenticate.saml.RandomSamlKeyPair;
import io.datarouter.auth.authenticate.saml.SamlRegistrar;
import io.datarouter.auth.authenticate.saml.SamlTool;
import io.datarouter.auth.model.dto.InterpretedSamlAssertion;
import io.datarouter.auth.session.Session;
import io.datarouter.auth.session.UserSessionService;
import io.datarouter.auth.storage.user.saml.BaseDatarouterSamlDao;
import io.datarouter.auth.storage.user.saml.SamlAuthnRequestRedirectUrl;
import io.datarouter.auth.storage.user.saml.SamlAuthnRequestRedirectUrlKey;
import io.datarouter.scanner.Scanner;
import io.datarouter.util.string.StringTool;
import io.datarouter.util.timer.PhaseTimer;
import io.datarouter.web.exception.ExceptionRecorder;
import io.datarouter.web.handler.mav.Mav;
import io.datarouter.web.handler.mav.imp.GlobalRedirectMav;
import jakarta.inject.Inject;
import jakarta.inject.Singleton;
import java.io.IOException;
import java.security.KeyPair;
import java.security.Security;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.opensaml.core.config.InitializationException;
import org.opensaml.core.config.InitializationService;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.common.messaging.context.SAMLBindingContext;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.xmlsec.config.impl.JavaCryptoValidationInitializer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Singleton
/* loaded from: input_file:io/datarouter/web/user/authenticate/saml/SamlService.class */
public class SamlService {
    private static final Logger logger = LoggerFactory.getLogger(SamlService.class);
    private static final String SAML_RESPONSE = "SAMLResponse";
    private final DatarouterSamlSettings samlSettings;
    private final UserSessionService userSessionService;
    private final Optional<SamlRegistrar> samlRegistrar;
    private final KeyPair signingKeyPair;
    private final BaseDatarouterSamlDao samlDao;
    private final ExceptionRecorder exceptionRecorder;
    private final SamlConfigService samlConfigService;

    @Inject
    public SamlService(DatarouterSamlSettings datarouterSamlSettings, UserSessionService userSessionService, Optional<SamlRegistrar> optional, BaseDatarouterSamlDao baseDatarouterSamlDao, ExceptionRecorder exceptionRecorder, SamlConfigService samlConfigService) {
        this.samlSettings = datarouterSamlSettings;
        this.userSessionService = userSessionService;
        this.samlRegistrar = optional;
        this.samlDao = baseDatarouterSamlDao;
        this.exceptionRecorder = exceptionRecorder;
        this.samlConfigService = samlConfigService;
        PhaseTimer phaseTimer = new PhaseTimer();
        if (logger.isDebugEnabled()) {
            logger.debug((String) Arrays.stream(Security.getProviders()).map((v0) -> {
                return v0.getInfo();
            }).collect(Collectors.joining(", ", "Security providers: ", "")));
            phaseTimer.add("log");
        }
        try {
            new JavaCryptoValidationInitializer().init();
            phaseTimer.add("JavaCryptoValidationInitializer");
            InitializationService.initialize();
            phaseTimer.add("InitializationService");
            this.signingKeyPair = RandomSamlKeyPair.getKeyPair();
            phaseTimer.add("RandomSamlKeyPair");
            logger.warn("{}", phaseTimer);
        } catch (InitializationException e) {
            throw new RuntimeException("Initialization failed", e);
        }
    }

    public Mav mavSignout(HttpServletResponse httpServletResponse) {
        this.userSessionService.clearSessionCookies(httpServletResponse);
        return new GlobalRedirectMav((String) this.samlSettings.idpHomeUrl.get());
    }

    public void redirectToIdentityProvider(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (!this.samlSettings.getShouldProcess().booleanValue()) {
            throw new RuntimeException("SAML Configuration error");
        }
        SamlTool.throwUnlessHttps(httpServletRequest);
        this.exceptionRecorder.recordHttpRequest(httpServletRequest);
        if (httpServletRequest.getMethod().equals("OPTIONS")) {
            logger.warn("received OPTIONS request URL={}", httpServletRequest.getRequestURL());
        }
        try {
            this.samlRegistrar.ifPresent((v0) -> {
                v0.register();
            });
        } catch (RuntimeException e) {
            if (!((Boolean) this.samlSettings.ignoreServiceProviderRegistrationFailures.get()).booleanValue()) {
                throw e;
            }
            logger.warn("Ignoring failure to register with IdP.", e);
        }
        MessageContext buildAuthnRequestAndContext = SamlTool.buildAuthnRequestAndContext(new AuthnRequestMessageConfig((String) this.samlSettings.entityId.get(), SamlTool.getUrlInRequestContext(httpServletRequest, (String) this.samlSettings.assertionConsumerServicePath.get()), (String) this.samlSettings.idpSamlUrl.get(), "", Optional.empty(), Optional.of(this.signingKeyPair)));
        persistAuthnRequestIdRedirectUrl(buildAuthnRequestAndContext, httpServletRequest);
        SamlTool.redirectWithAuthnRequestContext(httpServletResponse, buildAuthnRequestAndContext);
    }

    private void persistAuthnRequestIdRedirectUrl(MessageContext messageContext, HttpServletRequest httpServletRequest) {
        String requestUrl = this.samlConfigService.getRequestUrl(httpServletRequest);
        if (!isUrlOkForRedirect(requestUrl)) {
            logger.info("URL is not OK for redirect: {}", requestUrl);
        } else {
            this.samlDao.put(new SamlAuthnRequestRedirectUrl(((AuthnRequest) messageContext.getMessage()).getID(), requestUrl));
        }
    }

    public void consumeAssertion(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (!this.samlSettings.getShouldProcess().booleanValue() || httpServletRequest.getParameter(SAML_RESPONSE) == null) {
            send403(httpServletResponse);
            return;
        }
        SamlTool.throwUnlessHttps(httpServletRequest);
        MessageContext andValidateResponseMessageContext = SamlTool.getAndValidateResponseMessageContext(httpServletRequest, this.samlSettings.getSignatureCredential());
        Response response = (Response) andValidateResponseMessageContext.getMessage();
        SamlTool.logSamlObject("SamlService.consumeAssertion", response);
        Iterator it = response.getAssertions().iterator();
        while (it.hasNext()) {
            if (createAndSetSession(httpServletRequest, httpServletResponse, (Assertion) it.next()) != null) {
                redirectAfterAuthentication(httpServletRequest, httpServletResponse, andValidateResponseMessageContext);
                return;
            }
        }
        send403(httpServletResponse);
    }

    private void send403(HttpServletResponse httpServletResponse) {
        try {
            httpServletResponse.sendError(403);
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    private Session createAndSetSession(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Assertion assertion) {
        InterpretedSamlAssertion interpretSamlAssertion = interpretSamlAssertion(assertion);
        logger.warn("login in user from okta username={}", interpretSamlAssertion.username());
        Session signInUserFromSamlResponse = this.userSessionService.signInUserFromSamlResponse(httpServletRequest, interpretSamlAssertion);
        this.userSessionService.setSessionCookies(httpServletResponse, signInUserFromSamlResponse);
        return signInUserFromSamlResponse;
    }

    private InterpretedSamlAssertion interpretSamlAssertion(Assertion assertion) {
        Set set = (Set) SamlTool.streamAttributeValuesByName("groupAttributes", assertion).collect(Collectors.toSet());
        Scanner of = Scanner.of(set);
        Map<String, String> attributeToRoleGroupIdMap = this.samlSettings.getAttributeToRoleGroupIdMap();
        attributeToRoleGroupIdMap.getClass();
        return new InterpretedSamlAssertion(assertion.getSubject().getNameID().getValue(), (Set) Scanner.concat(new Iterable[]{set, (Set) of.map((v1) -> {
            return r1.get(v1);
        }).collect(HashSet::new)}).exclude((v0) -> {
            return Objects.isNull(v0);
        }).collect(HashSet::new), (Set) SamlTool.streamAttributeValuesByName("roleAttributes", assertion).collect(Collectors.toSet()));
    }

    private void redirectAfterAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, MessageContext messageContext) {
        String redirectUrl = getRedirectUrl(httpServletRequest, messageContext);
        logger.debug("Redirecting to requested URL: " + redirectUrl);
        try {
            httpServletResponse.sendRedirect(redirectUrl);
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    private String getRedirectUrl(HttpServletRequest httpServletRequest, MessageContext messageContext) {
        SamlAuthnRequestRedirectUrl samlAuthnRequestRedirectUrl = this.samlDao.get(new SamlAuthnRequestRedirectUrlKey(((Response) messageContext.getMessage()).getInResponseTo()));
        return samlAuthnRequestRedirectUrl != null ? samlAuthnRequestRedirectUrl.getRedirectUrl() : getRedirectUrlFromResponseContext(messageContext, httpServletRequest);
    }

    private static boolean isUrlOkForRedirect(String str) {
        String str2 = StringTool.nullSafe(str).toLowerCase().split("\\?")[0];
        return (StringTool.isEmptyOrWhitespace(str2) || str2.endsWith("signin") || str2.endsWith("login")) ? false : true;
    }

    private static String getRedirectUrlFromResponseContext(MessageContext messageContext, HttpServletRequest httpServletRequest) {
        String relayState = messageContext.getSubcontext(SAMLBindingContext.class, true).getRelayState();
        if (isUrlOkForRedirect(relayState)) {
            return relayState;
        }
        logger.info("URL is not OK for redirect: {}", relayState);
        return SamlTool.getUrlInRequestContext(httpServletRequest, "/");
    }
}
