package pl.edu.icm.unity.saml.sp;

import eu.emi.security.authn.x509.X509Credential;
import eu.unicore.samly2.SAMLBindings;
import eu.unicore.samly2.trust.SamlTrustChecker;
import eu.unicore.samly2.validators.ReplayAttackChecker;
import eu.unicore.util.configuration.ConfigurationException;
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import org.apache.logging.log4j.Logger;
import org.apache.xmlbeans.XmlException;
import org.eclipse.jetty.servlet.ServletHolder;
import org.springframework.beans.factory.ObjectFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.MessageSource;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.PKIManagement;
import pl.edu.icm.unity.engine.api.authn.AbstractCredentialVerificatorFactory;
import pl.edu.icm.unity.engine.api.authn.AuthenticationException;
import pl.edu.icm.unity.engine.api.authn.AuthenticationResult;
import pl.edu.icm.unity.engine.api.authn.CredentialVerificator;
import pl.edu.icm.unity.engine.api.authn.remote.AbstractRemoteVerificator;
import pl.edu.icm.unity.engine.api.authn.remote.RemoteAuthnResultProcessor;
import pl.edu.icm.unity.engine.api.authn.remote.RemotelyAuthenticatedInput;
import pl.edu.icm.unity.engine.api.endpoint.SharedEndpointManagement;
import pl.edu.icm.unity.engine.api.files.URIAccessService;
import pl.edu.icm.unity.engine.api.server.AdvertisedAddressProvider;
import pl.edu.icm.unity.engine.api.utils.ExecutorsService;
import pl.edu.icm.unity.engine.api.utils.PrototypeComponent;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.exceptions.InternalException;
import pl.edu.icm.unity.saml.SAMLEndpointDefinition;
import pl.edu.icm.unity.saml.SAMLHelper;
import pl.edu.icm.unity.saml.SAMLResponseValidatorUtil;
import pl.edu.icm.unity.saml.idp.IdentityTypeMapper;
import pl.edu.icm.unity.saml.metadata.LocalSPMetadataManager;
import pl.edu.icm.unity.saml.metadata.MultiMetadataServlet;
import pl.edu.icm.unity.saml.metadata.cfg.MetaToSPConfigConverter;
import pl.edu.icm.unity.saml.metadata.cfg.RemoteMetaManager;
import pl.edu.icm.unity.saml.metadata.srv.RemoteMetadataService;
import pl.edu.icm.unity.saml.slo.SAMLLogoutProcessor;
import pl.edu.icm.unity.saml.slo.SLOReplyInstaller;
import pl.edu.icm.unity.saml.sp.web.IdPVisalSettings;
import xmlbeans.org.oasis.saml2.assertion.NameIDType;
import xmlbeans.org.oasis.saml2.protocol.AuthnRequestDocument;
import xmlbeans.org.oasis.saml2.protocol.ResponseDocument;

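/**
 * Credential verificator for SAML 2 authentication against remote IdPs (the
 * Unity "SP side"). One prototype instance exists per configured authenticator;
 * {@link #setSerializedConfiguration(String)} is what binds an instance to its
 * configuration. The per-authenticator metadata managers and the shared SP
 * metadata servlet are owned by the {@link Factory} and handed over in
 * {@link #init(Map, Map, MultiMetadataServlet)}, so instances sharing a name
 * reuse the same managers.
 *
 * <p>Security-relevant plumbing visible in this class:
 * <ul>
 *   <li>{@code responseConsumerAddress} is derived from the advertised server
 *       address. It is placed into every outgoing AuthnRequest
 *       ({@link #createSAMLRequest(String, String)}) and also handed to
 *       {@link SAMLResponseValidatorUtil} when responses are checked, so the
 *       advertised address must match what IdPs actually post back to.</li>
 *   <li>Responses are validated by {@link SAMLResponseValidatorUtil} together
 *       with the injected {@link ReplayAttackChecker}; this class does not
 *       perform any signature or freshness checks itself.</li>
 *   <li>The {@link PKIManagement} injected here carries the {@code "insecure"}
 *       qualifier. What that variant relaxes is not visible in this file —
 *       NOTE(review): confirm it is the intended variant for the SP-side
 *       credential and trust lookups done by {@code SAMLSPProperties} and
 *       {@code RemoteMetaManager}.</li>
 * </ul>
 */
@PrototypeComponent
public class SAMLVerificator extends AbstractRemoteVerificator implements SAMLExchange {
    private static final Logger log = Log.getLogger("unity.server.saml", SAMLVerificator.class);
    public static final String NAME = "saml2";
    public static final String METADATA_SERVLET_PATH = "/saml-sp-metadata";
    public static final String DESC = "Handles SAML assertions obtained from remote IdPs";
    /**
     * Value passed as the timeout/validity argument to both SLO servlet
     * deployments. 600000 is presumably milliseconds (10 minutes); the exact
     * semantics belong to {@link SLOSPManager} and are not visible here.
     */
    private static final long SLO_SERVLET_TIMEOUT = 600000L;

    /** Parsed configuration of this authenticator; null until {@link #setSerializedConfiguration(String)} ran. */
    private SAMLSPProperties samlProperties;
    private PKIManagement pkiMan;
    private MultiMetadataServlet metadataServlet;
    private ExecutorsService executorsService;
    /** Absolute URL of the response consumer servlet, advertised to IdPs and used during response validation. */
    private String responseConsumerAddress;
    /** Shared (across instances) registry of remote-metadata managers, keyed by authenticator instance name. */
    private Map<String, RemoteMetaManager> remoteMetadataManagers;
    /** The remote-metadata manager of this instance; null until configured. */
    private RemoteMetaManager myMetadataManager;
    private ReplayAttackChecker replayAttackChecker;
    private SLOSPManager sloManager;
    private SLOReplyInstaller sloReplyInstaller;
    private RemoteMetadataService metadataService;
    private URIAccessService uriAccessService;
    private MessageSource msg;
    /** Shared (across instances) registry of local SP metadata managers, keyed by authenticator instance name. */
    private Map<String, LocalSPMetadataManager> localMetadataManagers;

    /**
     * Spring-registered factory. Deploys the two internal servlets shared by all
     * SAML verificator instances exactly once (the response consumer and the SP
     * metadata servlet) and gives every new instance access to the shared
     * metadata-manager registries.
     */
    @Component
    public static class Factory extends AbstractCredentialVerificatorFactory {
        private final MultiMetadataServlet metadataServlet;
        private final Map<String, RemoteMetaManager> remoteMetadataManagers;
        private final Map<String, LocalSPMetadataManager> localSPMetadataManagers;

        /**
         * @param objectFactory            Spring prototype factory producing {@link SAMLVerificator} beans
         * @param samlContextManagement    context store handed to the response consumer servlet
         * @param sharedEndpointManagement used to deploy the two shared internal servlets
         * @throws EngineException if either servlet cannot be deployed
         */
        @Autowired
        public Factory(ObjectFactory<SAMLVerificator> objectFactory, SamlContextManagement samlContextManagement,
                SharedEndpointManagement sharedEndpointManagement) throws EngineException {
            super(SAMLVerificator.NAME, SAMLVerificator.DESC, objectFactory);
            // Both servlets are deployed with the last flag false; its meaning is defined by
            // SharedEndpointManagement and is not visible in this file.
            sharedEndpointManagement.deployInternalEndpointServlet(SAMLResponseConsumerServlet.PATH,
                    new ServletHolder(new SAMLResponseConsumerServlet(samlContextManagement)), false);
            this.metadataServlet = new MultiMetadataServlet(SAMLVerificator.METADATA_SERVLET_PATH);
            sharedEndpointManagement.deployInternalEndpointServlet(SAMLVerificator.METADATA_SERVLET_PATH,
                    new ServletHolder(this.metadataServlet), false);
            // Registries are touched from several verificator instances; keep them synchronized.
            this.remoteMetadataManagers = Collections.synchronizedMap(new HashMap<>());
            this.localSPMetadataManagers = Collections.synchronizedMap(new HashMap<>());
        }

        /** Creates a fresh prototype instance and wires the shared registries and servlet into it. */
        public CredentialVerificator newInstance() {
            SAMLVerificator verificator = (SAMLVerificator) this.factory.getObject();
            verificator.init(this.remoteMetadataManagers, this.localSPMetadataManagers, this.metadataServlet);
            return verificator;
        }
    }

    /**
     * Constructor-injected dependencies. Nothing configuration-dependent happens
     * here; see {@link #setSerializedConfiguration(String)}.
     *
     * @param pkiManagement the {@code "insecure"}-qualified PKI management bean (see class comment)
     */
    @Autowired
    public SAMLVerificator(RemoteAuthnResultProcessor remoteAuthnResultProcessor,
            @Qualifier("insecure") PKIManagement pkiManagement, ReplayAttackChecker replayAttackChecker,
            ExecutorsService executorsService, RemoteMetadataService remoteMetadataService,
            SLOSPManager sloManager, SLOReplyInstaller sloReplyInstaller, MessageSource messageSource,
            SharedEndpointManagement sharedEndpointManagement, AdvertisedAddressProvider advertisedAddressProvider,
            URIAccessService uriAccessService) {
        super(NAME, DESC, SAMLExchange.ID, remoteAuthnResultProcessor);
        this.metadataService = remoteMetadataService;
        this.pkiMan = pkiManagement;
        this.executorsService = executorsService;
        this.msg = messageSource;
        this.replayAttackChecker = replayAttackChecker;
        this.sloManager = sloManager;
        this.sloReplyInstaller = sloReplyInstaller;
        this.uriAccessService = uriAccessService;
        // Advertised address + shared context path + consumer servlet path. This is the
        // AssertionConsumerService URL IdPs will see, so the advertised address must be the
        // externally reachable one.
        this.responseConsumerAddress = advertisedAddressProvider.get()
                + sharedEndpointManagement.getBaseContextPath() + SAMLResponseConsumerServlet.PATH;
    }

    /**
     * Second-stage wiring performed by {@link Factory#newInstance()} right after
     * construction: hands over the registries and servlet shared between all
     * instances. Public only because the decompiled nested-class access requires
     * it; not meant to be called by anyone else.
     */
    public void init(Map<String, RemoteMetaManager> remoteManagers,
            Map<String, LocalSPMetadataManager> localManagers, MultiMetadataServlet sharedMetadataServlet) {
        this.remoteMetadataManagers = remoteManagers;
        this.localMetadataManagers = localManagers;
        this.metadataServlet = sharedMetadataServlet;
    }

    /**
     * Serializes the current configuration in {@link Properties} text format.
     * The properties are written out verbatim; whether they contain secrets
     * (credential passwords etc.) depends on {@code SAMLSPProperties} and is not
     * visible here — treat the output as sensitive.
     *
     * @throws InternalException if the properties cannot be written
     */
    public String getSerializedConfiguration() throws InternalException {
        StringWriter out = new StringWriter();
        try {
            this.samlProperties.getProperties().store(out, "");
        } catch (IOException e) {
            throw new InternalException("Can't serialize SAML verificator configuration", e);
        }
        return out.toString();
    }

    /**
     * Parses the configuration, (re)binds this instance's local and remote
     * metadata managers (reusing the ones already registered under this
     * instance name, otherwise creating and registering new ones) and finally
     * initializes Single Logout.
     *
     * @param serializedConfig configuration in {@link Properties} text format
     * @throws InternalException on malformed text, invalid configuration or an SLO setup failure
     */
    public void setSerializedConfiguration(String serializedConfig) {
        try {
            Properties parsed = new Properties();
            parsed.load(new StringReader(serializedConfig));
            this.samlProperties = new SAMLSPProperties(parsed, this.pkiMan);

            // Local SP metadata: reuse the manager registered for this instance name if any.
            LocalSPMetadataManager localManager = this.localMetadataManagers.get(this.instanceName);
            if (localManager != null) {
                localManager.updateConfiguration(this.samlProperties);
            } else {
                localManager = new LocalSPMetadataManager(this.executorsService, this.responseConsumerAddress,
                        this.sloManager, this.sloReplyInstaller, this.metadataServlet, this.uriAccessService);
                localManager.updateConfiguration(this.samlProperties);
                this.localMetadataManagers.put(this.instanceName, localManager);
            }

            // Remote IdP metadata: same reuse-or-create pattern.
            RemoteMetaManager remoteManager = this.remoteMetadataManagers.get(this.instanceName);
            if (remoteManager != null) {
                this.myMetadataManager = remoteManager;
                this.myMetadataManager.setBaseConfiguration(this.samlProperties);
            } else {
                this.myMetadataManager = new RemoteMetaManager(this.samlProperties, this.pkiMan,
                        new MetaToSPConfigConverter(this.pkiMan, this.msg), this.metadataService,
                        SAMLSPProperties.IDPMETA_PREFIX);
                this.remoteMetadataManagers.put(this.instanceName, this.myMetadataManager);
            }

            try {
                initSLO();
            } catch (EngineException e) {
                throw new InternalException(
                        "Can't initialize Single Logout subsystem for the authenticator " + getName(), e);
            }
        } catch (IOException e) {
            throw new InternalException("Invalid configuration of the SAML verificator(?)", e);
        } catch (ConfigurationException e) {
            throw new InternalException("Invalid configuration of the SAML verificator", e);
        }
    }

    /**
     * Unregisters everything this instance's remote metadata manager registered.
     * Safe to call on an instance that was never configured (the manager is then
     * still null and there is nothing to undo).
     */
    @Override
    public void destroy() {
        if (this.myMetadataManager != null) {
            this.myMetadataManager.unregisterAll();
        }
    }

    /**
     * Deploys the Single Logout servlets if both the SLO path and realm are
     * configured; otherwise SLO stays disabled for this authenticator. Trust
     * decisions and per-IdP SLO endpoints are resolved lazily through the current
     * validator settings, so they follow remote metadata refreshes.
     */
    private void initSLO() throws EngineException {
        SAMLLogoutProcessor.SamlTrustProvider trustProvider = new SAMLLogoutProcessor.SamlTrustProvider() {
            @Override
            public SamlTrustChecker getTrustChecker() {
                return SAMLVerificator.this.getSamlValidatorSettings().getTrustChecker();
            }

            @Override
            public Collection<SAMLEndpointDefinition> getSLOEndpoints(NameIDType idpIdentity) {
                SAMLSPProperties settings = SAMLVerificator.this.getSamlValidatorSettings();
                String idpKey = settings.getIdPConfigKey(idpIdentity);
                // Unknown IdP: report "no endpoints" the way the callers expect (null).
                if (idpKey == null) {
                    return null;
                }
                return settings.getLogoutEndpointsFromStructuredList(idpKey);
            }
        };

        String sloPath = this.samlProperties.getValue(SAMLSPProperties.SLO_PATH);
        String sloRealm = this.samlProperties.getValue(SAMLSPProperties.SLO_REALM);
        if (sloPath == null || sloRealm == null) {
            log.debug("Single Logout functionality will be disabled for SAML authenticator " + getName()
                    + " as its path and/or realm are/is undefined.");
            return;
        }

        String requesterId = this.samlProperties.getValue(SAMLSPProperties.REQUESTER_ID);
        X509Credential requesterCredential = this.samlProperties.getRequesterCredential();
        IdentityTypeMapper identityMapper = new IdentityTypeMapper(this.samlProperties);
        this.sloManager.deployAsyncServlet(sloPath, identityMapper, SLO_SERVLET_TIMEOUT, requesterId,
                requesterCredential, trustProvider, sloRealm);
        this.sloManager.deploySyncServlet(sloPath, identityMapper, SLO_SERVLET_TIMEOUT, requesterId,
                requesterCredential, trustProvider, sloRealm);
        this.sloReplyInstaller.enable();
    }

    /**
     * Builds an AuthnRequest for the selected IdP and a context remembering it.
     * The request is signed only when the IdP configuration asks for it; in that
     * case the SP credential is passed along, otherwise no credential is exposed
     * to the request builder at all.
     *
     * @param idpKey     configuration key of the IdP to authenticate against
     * @param requestArg opaque value forwarded as the third argument of
     *                   {@code RemoteAuthnContext.setRequest}; its meaning is not visible here
     * @throws IllegalStateException if the IdP definition is no longer complete (e.g. it was disabled)
     */
    @Override
    public RemoteAuthnContext createSAMLRequest(String idpKey, String requestArg) {
        RemoteAuthnContext context = new RemoteAuthnContext(getSamlValidatorSettings(), idpKey);
        SAMLSPProperties config = context.getContextConfig();
        if (!config.isIdPDefinitionComplete(idpKey)) {
            throw new IllegalStateException("The selected IdP is not valid anymore, seems it was disabled");
        }
        boolean signRequest = config.isSignRequest(idpKey);
        X509Credential signingCredential = signRequest ? config.getRequesterCredential() : null;
        AuthnRequestDocument request = SAMLHelper.createSAMLRequest(this.responseConsumerAddress, signRequest,
                config.getValue(SAMLSPProperties.REQUESTER_ID), config.getValue(idpKey + SAMLSPProperties.IDP_ADDRESS),
                config.getRequestedNameFormat(idpKey), true, signingCredential);
        context.setRequest(request.xmlText(), request.getAuthnRequest().getID(), requestArg);
        return context;
    }

    /**
     * Validates the SAML response stored in the context and maps it through the
     * IdP's translation profile into an {@link AuthenticationResult}. Processing
     * state is always finished on failure so the sandbox callback sees the error.
     *
     * @throws AuthenticationException if the response is malformed or fails validation
     */
    @Override
    public AuthenticationResult verifySAMLResponse(RemoteAuthnContext context) throws AuthenticationException {
        AbstractRemoteVerificator.RemoteAuthnState state = startAuthnResponseProcessing(context.getSandboxCallback(),
                new String[]{"unity.server.externaltranslation", "unity.server.saml"});
        try {
            RemotelyAuthenticatedInput input = getRemotelyAuthenticatedInput(context);
            SAMLSPProperties config = context.getContextConfig();
            String idpKey = context.getContextIdpKey();
            return getResult(input,
                    getTranslationProfile(config, idpKey + "translationProfile", idpKey + "embeddedTranslationProfile"),
                    state);
        } catch (Exception e) {
            finishAuthnResponseProcessing(state, e);
            throw e;
        }
    }

    /**
     * Parses the raw response XML and runs the full validation (signature/trust,
     * replay, expected request id, binding, consumer address) via
     * {@link SAMLResponseValidatorUtil}.
     *
     * <p>NOTE(review): the response text is attacker-supplied and is parsed with
     * XmlBeans' default options here; whether external entity resolution is
     * disabled depends on the XmlBeans version/configuration, which is not
     * visible in this file — confirm XXE is not possible.
     *
     * @throws AuthenticationException if the XML cannot be parsed or validation fails
     */
    private RemotelyAuthenticatedInput getRemotelyAuthenticatedInput(RemoteAuthnContext context)
            throws AuthenticationException {
        ResponseDocument response;
        try {
            response = ResponseDocument.Factory.parse(context.getResponse());
        } catch (XmlException e) {
            throw new AuthenticationException("The SAML response can not be parsed - XML data is corrupted", e);
        }
        SAMLResponseValidatorUtil validator = new SAMLResponseValidatorUtil(getSamlValidatorSettings(),
                this.replayAttackChecker, this.responseConsumerAddress);
        return validator.verifySAMLResponse(response, context.getRequestId(),
                SAMLBindings.valueOf(context.getResponseBinding().toString()), context.getGroupAttribute(),
                context.getContextIdpKey());
    }

    /**
     * Effective SP settings: the static configuration merged with whatever the
     * remote metadata manager currently provides.
     */
    @Override
    public SAMLSPProperties getSamlValidatorSettings() {
        return (SAMLSPProperties) this.myMetadataManager.getVirtualConfiguration();
    }

    /** Localized visual (display) settings for the given key, as resolved by the remote metadata manager. */
    @Override
    public IdPVisalSettings getVisualSettings(String key, Locale locale) {
        return this.myMetadataManager.getVisualSettings(key, locale);
    }

    public CredentialVerificator.VerificatorType getType() {
        return CredentialVerificator.VerificatorType.Remote;
    }
}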
