package pl.edu.icm.unity.saml.sp;

import eu.emi.security.authn.x509.X509Credential;
import java.security.PublicKey;
import java.time.Duration;
import java.time.temporal.ChronoUnit;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import org.apache.logging.log4j.Logger;
import org.eclipse.jetty.servlet.ServletHolder;
import org.springframework.beans.factory.ObjectFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.authn.AbstractCredentialVerificatorFactory;
import pl.edu.icm.unity.engine.api.authn.AuthenticationResult;
import pl.edu.icm.unity.engine.api.authn.AuthenticationStepContext;
import pl.edu.icm.unity.engine.api.authn.CredentialVerificator;
import pl.edu.icm.unity.engine.api.authn.RememberMeToken;
import pl.edu.icm.unity.engine.api.authn.remote.AbstractRemoteVerificator;
import pl.edu.icm.unity.engine.api.authn.remote.AuthenticationTriggeringContext;
import pl.edu.icm.unity.engine.api.authn.remote.RedirectedAuthnState;
import pl.edu.icm.unity.engine.api.authn.remote.RemoteAuthnResultTranslator;
import pl.edu.icm.unity.engine.api.authn.remote.SharedRemoteAuthenticationContextStore;
import pl.edu.icm.unity.engine.api.endpoint.SharedEndpointManagement;
import pl.edu.icm.unity.engine.api.files.URIAccessService;
import pl.edu.icm.unity.engine.api.server.AdvertisedAddressProvider;
import pl.edu.icm.unity.engine.api.utils.ExecutorsService;
import pl.edu.icm.unity.engine.api.utils.PrototypeComponent;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.exceptions.InternalException;
import pl.edu.icm.unity.saml.SAMLEndpointDefinition;
import pl.edu.icm.unity.saml.SAMLHelper;
import pl.edu.icm.unity.saml.idp.IdentityTypeMapper;
import pl.edu.icm.unity.saml.metadata.LocalSPMetadataManager;
import pl.edu.icm.unity.saml.metadata.MultiMetadataServlet;
import pl.edu.icm.unity.saml.metadata.cfg.SPRemoteMetaManager;
import pl.edu.icm.unity.saml.slo.SAMLLogoutProcessor;
import pl.edu.icm.unity.saml.slo.SLOReplyInstaller;
import pl.edu.icm.unity.saml.sp.config.SAMLSPConfiguration;
import pl.edu.icm.unity.saml.sp.config.SAMLSPConfigurationParser;
import pl.edu.icm.unity.saml.sp.config.TrustedIdPConfiguration;
import pl.edu.icm.unity.saml.sp.config.TrustedIdPKey;
import pl.edu.icm.unity.saml.sp.config.TrustedIdPs;
import pl.edu.icm.unity.saml.sp.web.IdPVisalSettings;
import pl.edu.icm.unity.types.authn.IdPInfo;
import xmlbeans.org.oasis.saml2.assertion.NameIDType;
import xmlbeans.org.oasis.saml2.protocol.AuthnRequestDocument;

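@PrototypeComponent
/**
 * SAML 2 SP-side credential verificator: builds AuthnRequests for a trusted IdP, hands the
 * returned Response to {@link SAMLResponseVerificator}, and wires the Single Logout (SLO)
 * servlets for this authenticator instance.
 *
 * Each authenticator instance keeps its own {@link SAMLSPConfiguration}; the remote-metadata
 * and local-SP-metadata managers live in maps shared by every instance (owned by
 * {@link Factory}) and are keyed by the authenticator's {@code instanceName}.
 */
public class SAMLVerificator extends AbstractRemoteVerificator implements SAMLExchange {
    public static final String NAME = "saml2";
    public static final String METADATA_SERVLET_PATH = "/saml-sp-metadata";
    public static final String DESC = "Handles SAML assertions obtained from remote IdPs";
    private static final Logger log = Log.getLogger("unity.server.saml", SAMLVerificator.class);
    /**
     * Validity window handed to the SLO servlets in {@link #initSLO()} (10 minutes; the previous
     * spelling was 600000 ms). NOTE(review): presumably bounds how old an incoming logout request
     * may be before it is rejected - confirm against SLOSPManager.
     */
    public static final Duration REQUEST_VALIDITY = Duration.ofMinutes(10);

    private final SPRemoteMetaManager.Factory remoteMetadataManagerFactory;
    private final ExecutorsService executorsService;
    private final String responseConsumerAddress;
    private final SLOSPManager sloManager;
    private final SLOReplyInstaller sloReplyInstaller;
    private final URIAccessService uriAccessService;
    private final SAMLResponseVerificator responseVerificator;
    private final SAMLSPConfigurationParser configurationParser;

    // Factory-owned state, injected through init() right after the bean is created.
    private MultiMetadataServlet metadataServlet;
    private Map<String, SPRemoteMetaManager> remoteMetadataManagers;
    private Map<String, LocalSPMetadataManager> localMetadataManagers;

    // Per-instance state, established by setSerializedConfiguration().
    private SPRemoteMetaManager myMetadataManager;
    private SAMLSPConfiguration spConfiguration;

    /**
     * Creates {@link SAMLVerificator} instances and owns the state shared between them:
     * the response-consumer (ACS) servlet, the metadata servlet and the two manager maps.
     */
    @Component
    public static class Factory extends AbstractCredentialVerificatorFactory {
        private final MultiMetadataServlet metadataServlet;
        private final Map<String, SPRemoteMetaManager> remoteMetadataManagers;
        private final Map<String, LocalSPMetadataManager> localSPMetadataManagers;

        @Autowired
        public Factory(ObjectFactory<SAMLVerificator> objectFactory, SamlContextManagement samlContextManagement,
                SharedEndpointManagement sharedEndpointManagement,
                SharedRemoteAuthenticationContextStore sharedRemoteAuthenticationContextStore) throws EngineException {
            super(SAMLVerificator.NAME, SAMLVerificator.DESC, objectFactory);
            // One ACS servlet serves every SAML authenticator instance; the trailing 'false' flag's
            // meaning is not visible here - see SharedEndpointManagement.
            sharedEndpointManagement.deployInternalEndpointServlet(SAMLResponseConsumerServlet.PATH,
                    new ServletHolder(new SAMLResponseConsumerServlet(samlContextManagement,
                            sharedRemoteAuthenticationContextStore)),
                    false);
            this.metadataServlet = new MultiMetadataServlet(SAMLVerificator.METADATA_SERVLET_PATH);
            sharedEndpointManagement.deployInternalEndpointServlet(SAMLVerificator.METADATA_SERVLET_PATH,
                    new ServletHolder(this.metadataServlet), false);
            // Shared across verificator instances, so they must be thread-safe.
            this.remoteMetadataManagers = Collections.synchronizedMap(new HashMap<>());
            this.localSPMetadataManagers = Collections.synchronizedMap(new HashMap<>());
        }

        public CredentialVerificator newInstance() {
            SAMLVerificator verificator = (SAMLVerificator) this.factory.getObject();
            verificator.init(this.remoteMetadataManagers, this.localSPMetadataManagers, this.metadataServlet);
            return verificator;
        }
    }

    @Autowired
    public SAMLVerificator(RemoteAuthnResultTranslator remoteAuthnResultTranslator, ExecutorsService executorsService,
            SLOSPManager sLOSPManager, SLOReplyInstaller sLOReplyInstaller,
            SharedEndpointManagement sharedEndpointManagement, AdvertisedAddressProvider advertisedAddressProvider,
            URIAccessService uRIAccessService, SAMLResponseVerificator sAMLResponseVerificator,
            SAMLSPConfigurationParser sAMLSPConfigurationParser, SPRemoteMetaManager.Factory factory) {
        super(NAME, DESC, SAMLExchange.ID, remoteAuthnResultTranslator);
        this.executorsService = executorsService;
        this.sloManager = sLOSPManager;
        this.sloReplyInstaller = sLOReplyInstaller;
        this.uriAccessService = uRIAccessService;
        this.responseVerificator = sAMLResponseVerificator;
        this.configurationParser = sAMLSPConfigurationParser;
        this.remoteMetadataManagerFactory = factory;
        // The AssertionConsumerService URL advertised in every AuthnRequest and in the SP metadata.
        // It is derived from the configured advertised address, not from any incoming request.
        this.responseConsumerAddress = advertisedAddressProvider.get()
                + sharedEndpointManagement.getBaseContextPath() + "/spSAMLResponseConsumer";
    }

    /** Attaches the factory-owned shared state; called by {@link Factory#newInstance()}. */
    private void init(Map<String, SPRemoteMetaManager> sharedRemoteManagers,
            Map<String, LocalSPMetadataManager> sharedLocalManagers, MultiMetadataServlet sharedMetadataServlet) {
        this.remoteMetadataManagers = sharedRemoteManagers;
        this.localMetadataManagers = sharedLocalManagers;
        this.metadataServlet = sharedMetadataServlet;
    }

    /** Serialization of the live configuration is not supported by this verificator. */
    public String getSerializedConfiguration() throws InternalException {
        throw new UnsupportedOperationException("Not implemented");
    }

    /**
     * Parses the authenticator configuration, (re)binds this instance's local and remote
     * metadata managers under {@code instanceName}, and sets up Single Logout.
     *
     * @throws InternalException if the SLO subsystem cannot be initialised
     */
    public void setSerializedConfiguration(String str) {
        this.spConfiguration = this.configurationParser.parse(str);

        // The manager maps are shared between all verificator instances; computeIfAbsent keeps the
        // lookup-or-create atomic on the synchronized map, where a containsKey/put pair is not.
        LocalSPMetadataManager localManager = this.localMetadataManagers.computeIfAbsent(this.instanceName,
                key -> new LocalSPMetadataManager(this.executorsService, this.responseConsumerAddress,
                        this.sloManager, this.sloReplyInstaller, this.metadataServlet, this.uriAccessService));
        localManager.updateConfiguration(this.spConfiguration);

        this.myMetadataManager = this.remoteMetadataManagers.computeIfAbsent(this.instanceName,
                key -> this.remoteMetadataManagerFactory.getInstance());
        this.myMetadataManager.setBaseConfiguration(this.spConfiguration);

        try {
            initSLO();
        } catch (EngineException e) {
            throw new InternalException("Can't initialize Single Logout subsystem for the authenticator "
                    + getName(), e);
        }
    }

    @Override // pl.edu.icm.unity.saml.sp.SAMLExchange
    public void destroy() {
        // myMetadataManager is only set by setSerializedConfiguration(); a destroy-before-configure
        // lifecycle has nothing to unregister.
        if (this.myMetadataManager != null) {
            this.myMetadataManager.unregisterAll();
        }
    }

    /**
     * Trust source for the SLO processor: the logout endpoints and signing keys of the IdP that
     * issued a logout request are looked up by its SAML NameID among the web-binding trusted IdPs.
     * Both lookups yield {@code null} for an unknown issuer; NOTE(review): the SLO processor is
     * expected to treat a {@code null} key list as "not trusted" rather than "unsigned allowed" -
     * confirm in SAMLLogoutProcessor.
     */
    private SAMLLogoutProcessor.SamlTrustProvider createSloTrustProvider() {
        return new SAMLLogoutProcessor.SamlTrustProvider() {
            @Override // pl.edu.icm.unity.saml.slo.SAMLLogoutProcessor.SamlTrustProvider
            public Collection<SAMLEndpointDefinition> getSLOEndpoints(NameIDType nameIDType) {
                Optional<TrustedIdPConfiguration> idp = SAMLVerificator.this.getTrustedIdPs()
                        .getIdPBySamlRequester(nameIDType, TrustedIdPs.EndpointBindingCategory.WEB);
                return (Collection) idp.map(cfg -> cfg.logoutEndpoints).orElse(null);
            }

            @Override // pl.edu.icm.unity.saml.slo.SAMLLogoutProcessor.SamlTrustProvider
            public List<PublicKey> getTrustedKeys(NameIDType nameIDType) {
                Optional<TrustedIdPConfiguration> idp = SAMLVerificator.this.getTrustedIdPs()
                        .getIdPBySamlRequester(nameIDType, TrustedIdPs.EndpointBindingCategory.WEB);
                return (List) idp.map(cfg -> cfg.publicKeys).orElse(null);
            }
        };
    }

    /**
     * Deploys the asynchronous and synchronous SLO servlets for this authenticator, if both
     * {@code sloPath} and {@code sloRealm} are configured; otherwise SLO stays disabled.
     * Requests/responses are signed with the SP's {@code requesterCredential}.
     */
    private void initSLO() throws EngineException {
        String sloPath = this.spConfiguration.sloPath;
        String sloRealm = this.spConfiguration.sloRealm;
        if (sloPath == null || sloRealm == null) {
            log.debug("Single Logout functionality will be disabled for SAML authenticator " + getName()
                    + " as its path and/or realm are/is undefined.");
            return;
        }
        SAMLLogoutProcessor.SamlTrustProvider trustProvider = createSloTrustProvider();
        String spSamlId = this.spConfiguration.requesterSamlId;
        X509Credential spCredential = this.spConfiguration.requesterCredential;
        IdentityTypeMapper identityTypeMapper = new IdentityTypeMapper(this.spConfiguration.effectiveMappings);
        this.sloManager.deployAsyncServlet(sloPath, identityTypeMapper, REQUEST_VALIDITY, spSamlId, spCredential,
                trustProvider, sloRealm);
        this.sloManager.deploySyncServlet(sloPath, identityTypeMapper, REQUEST_VALIDITY, spSamlId, spCredential,
                trustProvider, sloRealm);
        this.sloReplyInstaller.enable();
    }

    /**
     * Builds the AuthnRequest for the selected trusted IdP and the remote-authn context that will
     * route the IdP's Response back to {@link #processResponse}.
     *
     * @throws IllegalArgumentException if {@code trustedIdPKey} is not a trusted IdP with a web
     *         binding (previously this surfaced as a NullPointerException)
     */
    @Override // pl.edu.icm.unity.saml.sp.SAMLExchange
    public RemoteAuthnContext createSAMLRequest(TrustedIdPKey trustedIdPKey, String str,
            AuthenticationStepContext authenticationStepContext, RememberMeToken.LoginMachineDetails loginMachineDetails,
            String str2, AuthenticationTriggeringContext authenticationTriggeringContext) {
        RedirectedAuthnState redirectedAuthnState = new RedirectedAuthnState(authenticationStepContext,
                this::processResponse, loginMachineDetails, str2, authenticationTriggeringContext);
        // Only IdPs with a web binding are eligible; anything else is rejected here, up front.
        TrustedIdPConfiguration idp = getTrustedIdPs().get(trustedIdPKey);
        if (idp == null) {
            throw new IllegalArgumentException("There is no IdP with key " + trustedIdPKey);
        }
        boolean signRequest = idp.signRequest;
        // The SP credential is handed over only when signing is enabled for this IdP. The literal
        // 'true' argument's meaning is not visible from here - see SAMLHelper.createSAMLRequest.
        AuthnRequestDocument request = SAMLHelper.createSAMLRequest(this.responseConsumerAddress, signRequest,
                this.spConfiguration.requesterSamlId, idp.idpEndpointURL, idp.requestedNameFormat, true,
                signRequest ? this.spConfiguration.requesterCredential : null);
        return new RemoteAuthnContext(idp, this.spConfiguration, redirectedAuthnState, request.xmlText(),
                request.getAuthnRequest().getID(), str);
    }

    /** Verifies the IdP Response and translates it with the IdP's configured translation profile. */
    private AuthenticationResult processResponse(RedirectedAuthnState redirectedAuthnState) {
        RemoteAuthnContext context = (RemoteAuthnContext) redirectedAuthnState;
        return this.responseVerificator.processResponse(redirectedAuthnState, context.getIdp().translationProfile);
    }

    @Override // pl.edu.icm.unity.saml.sp.SAMLExchange
    public Set<TrustedIdPKey> getTrustedIdpKeysWithWebBindings() {
        return getTrustedIdPs().getKeys();
    }

    /** Trusted IdPs of this instance, restricted to those exposing a web (browser) binding. */
    @Override // pl.edu.icm.unity.saml.sp.SAMLExchange
    public TrustedIdPs getTrustedIdPs() {
        return this.myMetadataManager.getTrustedIdPs().withWebBinding();
    }

    /**
     * Localised logo, tags, display name and federation of a trusted IdP (any binding).
     *
     * @throws IllegalArgumentException if the key is unknown
     */
    @Override // pl.edu.icm.unity.saml.sp.SAMLExchange
    public IdPVisalSettings getVisualSettings(TrustedIdPKey trustedIdPKey, Locale locale) {
        TrustedIdPConfiguration idp = this.myMetadataManager.getTrustedIdPs().get(trustedIdPKey);
        if (idp == null) {
            throw new IllegalArgumentException("There is no IdP with key " + trustedIdPKey);
        }
        String languageTag = locale.toLanguageTag();
        return new IdPVisalSettings(idp.logoURI.getValue(languageTag), idp.tags, idp.name.getValue(languageTag),
                idp.federationId);
    }

    public CredentialVerificator.VerificatorType getType() {
        return CredentialVerificator.VerificatorType.Remote;
    }

    /** All trusted IdPs of this instance (not filtered by binding), as generic IdP descriptors. */
    public List<IdPInfo> getIdPs() {
        List<IdPInfo> idps = new ArrayList<>();
        this.myMetadataManager.getTrustedIdPs().getAll().forEach(idp -> idps.add(toIdPInfo(idp)));
        return idps;
    }

    /** Maps one trusted IdP to its {@link IdPInfo}; the federation becomes the IdP group when present. */
    private static IdPInfo toIdPInfo(TrustedIdPConfiguration idp) {
        IdPInfo.IdpGroup group = idp.federationId != null
                ? new IdPInfo.IdpGroup(idp.federationId, Optional.ofNullable(idp.federationName))
                : null;
        return IdPInfo.builder()
                .withId(idp.samlId)
                .withConfigId(idp.key.asString())
                .withDisplayedName(idp.name)
                .withGroup(group)
                .build();
    }
}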
