package org.springframework.security.saml;

import java.io.IOException;
import java.util.List;
import java.util.Locale;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.opensaml.common.SAMLException;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.util.URLBuilder;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.ws.transport.http.HTTPInTransport;
import org.opensaml.ws.transport.http.HTTPOutTransport;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.xml.util.Pair;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.BeanFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.saml.context.SAMLContextProvider;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.log.SAMLLogger;
import org.springframework.security.saml.metadata.MetadataManager;
import org.springframework.security.saml.util.SAMLUtil;
import org.springframework.security.saml.websso.WebSSOProfile;
import org.springframework.security.saml.websso.WebSSOProfileOptions;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.FilterInvocation;
import org.springframework.util.Assert;
import org.springframework.web.filter.GenericFilterBean;

/* loaded from: input_file:WEB-INF/lib/spring-security-saml2-core-1.0.10.RELEASE.jar:org/springframework/security/saml/SAMLEntryPoint.class */
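/**
 * Entry point that starts a SAML 2.0 Web SSO exchange on behalf of the local service provider.
 *
 * <p>It acts in two roles: as a servlet filter it intercepts requests whose path matches
 * {@link #getFilterProcessesUrl()} (default {@value #FILTER_URL}) and starts SSO instead of
 * continuing the chain; as an {@link AuthenticationEntryPoint} it is invoked by Spring Security
 * when an unauthenticated principal hits a protected resource.
 *
 * <p>Per request the entry point picks one of three flows, in this order: ECP (when enabled in the
 * local extended metadata, the request looks like an ECP request and an ECP profile is wired),
 * IDP discovery (when enabled, no peer was selected yet and the request is not already a
 * discovery response), or a plain WebSSO / Holder-of-Key authentication request.
 *
 * <p>Note: the method name {@code m17886clone()} on {@link WebSSOProfileOptions} is a
 * decompiler-assigned name; it appears to correspond to {@code clone()} in the upstream source.
 */
public class SAMLEntryPoint extends GenericFilterBean implements AuthenticationEntryPoint {

    /** Default URL (relative to the servlet context) on which this filter reacts. */
    public static final String FILTER_URL = "/saml/login";
    /** Request parameter carrying the IDP chosen by the discovery service. */
    public static final String IDP_PARAMETER = "idp";
    /** Request parameter set to {@code true} when the request is a response from IDP discovery. */
    public static final String DISCOVERY_RESPONSE_PARAMETER = "disco";

    protected static final Logger log = LoggerFactory.getLogger(SAMLEntryPoint.class);

    // Template for the per-request profile options; cloned on every use so callers cannot
    // mutate the shared instance (see getProfileOptions / setDefaultProfileOptions).
    protected WebSSOProfileOptions defaultOptions;
    // Mandatory profile used for plain WebSSO.
    protected WebSSOProfile webSSOprofile;
    // Optional profiles; when absent the corresponding flow is skipped with a warning.
    protected WebSSOProfile webSSOprofileECP;
    protected WebSSOProfile webSSOprofileHoK;
    protected MetadataManager metadata;
    protected SAMLLogger samlLogger;
    protected SAMLContextProvider contextProvider;
    // Optional; only used to learn the local discovery filter URL.
    protected SAMLDiscovery samlDiscovery;
    protected String filterProcessesUrl = FILTER_URL;

    /**
     * Starts SSO when the request path matches {@link #getFilterProcessesUrl()}; otherwise
     * passes the request down the chain untouched.
     *
     * @param servletRequest current request
     * @param servletResponse current response
     * @param filterChain remaining chain, invoked only for non-matching requests
     * @throws IOException propagated from the chain or the SSO initialization
     * @throws ServletException propagated from the chain or the SSO initialization
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        FilterInvocation invocation = new FilterInvocation(servletRequest, servletResponse, filterChain);
        if (!processFilter(invocation.getRequest())) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        // No AuthenticationException is available here: the user asked for login explicitly.
        commence(invocation.getRequest(), invocation.getResponse(), null);
    }

    /**
     * Decides whether this filter should handle the request.
     *
     * @param httpServletRequest current request
     * @return {@code true} when the request path matches {@link #getFilterProcessesUrl()}
     */
    protected boolean processFilter(HttpServletRequest httpServletRequest) {
        return SAMLUtil.processFilter(this.filterProcessesUrl, httpServletRequest);
    }

    /**
     * Builds the SAML message context for the request and dispatches to the ECP, discovery or
     * WebSSO flow (checked in that order).
     *
     * <p>All SAML-level failures are logged at debug level and surfaced as a
     * {@link ServletException} wrapping the original cause.
     *
     * @param httpServletRequest current request
     * @param httpServletResponse current response
     * @param authenticationException exception that triggered the entry point, or {@code null}
     *        when invoked from {@link #doFilter}; passed through to {@link #getProfileOptions}
     * @throws IOException propagated from the selected flow
     * @throws ServletException on any SAML, metadata or message-encoding failure
     */
    @Override
    public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException, ServletException {
        try {
            SAMLMessageContext context = this.contextProvider.getLocalAndPeerEntity(httpServletRequest, httpServletResponse);
            if (isECP(context)) {
                initializeECP(context, authenticationException);
            } else if (isDiscovery(context)) {
                initializeDiscovery(context);
            } else {
                initializeSSO(context, authenticationException);
            }
        } catch (SAMLException | MetadataProviderException | MessageEncodingException e) {
            // Same handling for every SAML-level failure: keep the cause, let the container report it.
            log.debug("Error initializing entry point", e);
            throw new ServletException(e);
        }
    }

    /**
     * Sends an authentication request using the ECP profile and records the outcome with the
     * SAML logger.
     *
     * @param sAMLMessageContext context describing the local and peer entities
     * @param authenticationException exception that triggered the entry point, may be {@code null}
     * @throws MetadataProviderException when metadata needed for the request is unavailable
     * @throws SAMLException when the request cannot be created
     * @throws MessageEncodingException when the request cannot be encoded
     */
    protected void initializeECP(SAMLMessageContext sAMLMessageContext, AuthenticationException authenticationException) throws MetadataProviderException, SAMLException, MessageEncodingException {
        WebSSOProfileOptions options = getProfileOptions(sAMLMessageContext, authenticationException);
        log.debug("Processing SSO using ECP profile");
        this.webSSOprofileECP.sendAuthenticationRequest(sAMLMessageContext, options);
        this.samlLogger.log(SAMLConstants.AUTH_N_REQUEST, SAMLConstants.SUCCESS, sAMLMessageContext);
    }

    /**
     * Sends a WebSSO authentication request. When the assertion consumer service selected by the
     * profile options is bound to the Holder-of-Key profile and a HoK profile is configured, the
     * HoK profile is used; otherwise (including when HoK is requested but not wired, which is
     * logged as a warning) the plain WebSSO profile is used.
     *
     * @param sAMLMessageContext context describing the local and peer entities
     * @param authenticationException exception that triggered the entry point, may be {@code null}
     * @throws MetadataProviderException when metadata needed for the request is unavailable
     * @throws SAMLException when the request cannot be created
     * @throws MessageEncodingException when the request cannot be encoded
     */
    protected void initializeSSO(SAMLMessageContext sAMLMessageContext, AuthenticationException authenticationException) throws MetadataProviderException, SAMLException, MessageEncodingException {
        WebSSOProfileOptions options = getProfileOptions(sAMLMessageContext, authenticationException);
        SPSSODescriptor spDescriptor = (SPSSODescriptor) sAMLMessageContext.getLocalEntityRoleMetadata();
        String consumerBinding = SAMLUtil.getConsumerService(spDescriptor, options.getAssertionConsumerIndex()).getBinding();

        if (SAMLConstants.SAML2_HOK_WEBSSO_PROFILE_URI.equals(consumerBinding)) {
            if (this.webSSOprofileHoK != null) {
                log.debug("Processing SSO using WebSSO HolderOfKey profile");
                this.webSSOprofileHoK.sendAuthenticationRequest(sAMLMessageContext, options);
                this.samlLogger.log(SAMLConstants.AUTH_N_REQUEST, SAMLConstants.SUCCESS, sAMLMessageContext);
                return;
            }
            // Metadata asks for HoK but no HoK profile is wired: fall back to plain WebSSO.
            log.warn("WebSSO HoK profile was specified to be used, but profile is not configured in the EntryPoint, HoK will be skipped");
        }

        log.debug("Processing SSO using WebSSO profile");
        this.webSSOprofile.sendAuthenticationRequest(sAMLMessageContext, options);
        this.samlLogger.log(SAMLConstants.AUTH_N_REQUEST, SAMLConstants.SUCCESS, sAMLMessageContext);
    }

    /**
     * Redirects the user agent to the IDP discovery service.
     *
     * <p>The target is taken from the local extended metadata when an {@code idpDiscoveryURL} is
     * configured there; otherwise a URL on the local application is built from the
     * {@code LOCAL_CONTEXT_PATH} transport attribute and the discovery filter URL. In both cases
     * the redirect target is derived from configuration, not from request parameters. The local
     * entity ID is added as {@code entityID}; in the locally built URL it is concatenated without
     * URL encoding, so an entity ID containing reserved characters such as {@code &} or {@code #}
     * would produce a malformed query string.
     *
     * @param sAMLMessageContext context describing the local entity and the transports
     * @throws ServletException declared for subclasses; not thrown by this implementation
     * @throws IOException when the redirect cannot be sent
     * @throws MetadataProviderException when extended metadata cannot be read
     */
    protected void initializeDiscovery(SAMLMessageContext sAMLMessageContext) throws ServletException, IOException, MetadataProviderException {
        String configuredDiscoveryUrl = sAMLMessageContext.getLocalExtendedMetadata().getIdpDiscoveryURL();
        String redirectTarget;

        if (configuredDiscoveryUrl != null) {
            // URLBuilder is expected to take care of query-parameter encoding on buildURL() — verify against OpenSAML.
            URLBuilder builder = new URLBuilder(configuredDiscoveryUrl);
            List<Pair<String, String>> query = builder.getQueryParams();
            query.add(new Pair<>("entityID", sAMLMessageContext.getLocalEntityId()));
            query.add(new Pair<>(SAMLDiscovery.RETURN_ID_PARAM, IDP_PARAMETER));
            redirectTarget = builder.buildURL();
            log.debug("Using discovery URL from extended metadata");
        } else {
            String discoveryPath = this.samlDiscovery != null
                    ? this.samlDiscovery.getFilterProcessesUrl()
                    : SAMLDiscovery.FILTER_URL;
            // NOTE(review): LOCAL_CONTEXT_PATH is presumably populated server-side by the context provider — confirm.
            String contextPath = (String) sAMLMessageContext.getInboundMessageTransport().getAttribute(SAMLConstants.LOCAL_CONTEXT_PATH);
            redirectTarget = contextPath + discoveryPath
                    + "?" + SAMLDiscovery.RETURN_ID_PARAM + "=" + IDP_PARAMETER
                    + "&entityID=" + sAMLMessageContext.getLocalEntityId();
            log.debug("Using local discovery URL");
        }

        log.debug("Redirecting to discovery URL {}", redirectTarget);
        ((HTTPOutTransport) sAMLMessageContext.getOutboundMessageTransport()).sendRedirect(redirectTarget);
    }

    /**
     * Returns the profile options for the current request: a fresh copy of the configured
     * defaults, or new defaults when none were configured. Subclasses may override this to
     * derive options from the context or the triggering exception; both parameters are unused
     * here.
     *
     * @param sAMLMessageContext context describing the local and peer entities (unused)
     * @param authenticationException exception that triggered the entry point, may be {@code null} (unused)
     * @return options instance the caller may freely modify
     * @throws MetadataProviderException declared for subclasses; not thrown by this implementation
     */
    protected WebSSOProfileOptions getProfileOptions(SAMLMessageContext sAMLMessageContext, AuthenticationException authenticationException) throws MetadataProviderException {
        if (this.defaultOptions == null) {
            return new WebSSOProfileOptions();
        }
        // Clone so that per-request mutation never leaks into the shared defaults.
        return this.defaultOptions.m17886clone();
    }

    /**
     * Sets the default profile options; a copy is stored so later changes by the caller do not
     * affect this entry point. {@code null} clears the defaults.
     *
     * @param webSSOProfileOptions options to copy, may be {@code null}
     */
    public void setDefaultProfileOptions(WebSSOProfileOptions webSSOProfileOptions) {
        this.defaultOptions = webSSOProfileOptions == null ? null : webSSOProfileOptions.m17886clone();
    }

    /**
     * Decides whether IDP discovery should be started: no peer has been selected yet, discovery
     * is enabled in the local extended metadata, and the request is not itself a discovery
     * response.
     *
     * @param sAMLMessageContext context describing the local entity and the inbound transport
     * @return {@code true} when discovery should run
     */
    protected boolean isDiscovery(SAMLMessageContext sAMLMessageContext) {
        return !sAMLMessageContext.isPeerUserSelected()
                && sAMLMessageContext.getLocalExtendedMetadata().isIdpDiscoveryEnabled()
                && !isDiscoResponse(sAMLMessageContext);
    }

    /**
     * Decides whether the ECP profile should be used: ECP is enabled in the local extended
     * metadata, the wrapped request is recognised as an ECP request, and an ECP profile is
     * configured. An ECP request without a configured profile is logged as a warning and falls
     * through to the other flows.
     *
     * @param sAMLMessageContext context whose inbound transport wraps the servlet request
     * @return {@code true} when the ECP flow should run
     */
    protected boolean isECP(SAMLMessageContext sAMLMessageContext) {
        HttpServletRequest wrapped = ((HttpServletRequestAdapter) sAMLMessageContext.getInboundMessageTransport()).getWrappedRequest();
        boolean ecpRequested = sAMLMessageContext.getLocalExtendedMetadata().isEcpEnabled() && SAMLUtil.isECPRequest(wrapped);
        if (!ecpRequested) {
            return false;
        }
        if (this.webSSOprofileECP == null) {
            log.warn("ECP profile was specified to be used, but profile is not configured in the EntryPoint, ECP will be skipped");
            return false;
        }
        return true;
    }

    /**
     * Checks the client-supplied {@value #DISCOVERY_RESPONSE_PARAMETER} request parameter. A
     * value of {@code true} (case-insensitive, surrounding whitespace ignored) marks the request
     * as a response from discovery; its only effect is to skip starting discovery again.
     *
     * @param sAMLMessageContext context whose inbound transport exposes request parameters
     * @return {@code true} when the parameter is present and reads {@code true}
     */
    private boolean isDiscoResponse(SAMLMessageContext sAMLMessageContext) {
        String value = ((HTTPInTransport) sAMLMessageContext.getInboundMessageTransport()).getParameterValue(DISCOVERY_RESPONSE_PARAMETER);
        // Locale.ROOT keeps the comparison independent of the JVM default locale.
        return value != null && "true".equals(value.toLowerCase(Locale.ROOT).trim());
    }

    /**
     * Sets the mandatory WebSSO profile.
     *
     * @param webSSOProfile profile to use, must not be {@code null}
     * @throws IllegalArgumentException when {@code webSSOProfile} is {@code null}
     */
    @Autowired
    @Qualifier("webSSOprofile")
    public void setWebSSOprofile(WebSSOProfile webSSOProfile) {
        Assert.notNull(webSSOProfile, "WebSSOPRofile can't be null");
        this.webSSOprofile = webSSOProfile;
    }

    /**
     * Sets the optional ECP profile; when {@code null} ECP requests fall back to WebSSO.
     *
     * @param webSSOProfile ECP profile, may be {@code null}
     */
    @Autowired(required = false)
    @Qualifier("ecpprofile")
    public void setWebSSOprofileECP(WebSSOProfile webSSOProfile) {
        this.webSSOprofileECP = webSSOProfile;
    }

    /**
     * Sets the optional Holder-of-Key profile; when {@code null} HoK bindings fall back to WebSSO.
     *
     * @param webSSOProfile HoK profile, may be {@code null}
     */
    @Autowired(required = false)
    @Qualifier("hokWebSSOProfile")
    public void setWebSSOprofileHoK(WebSSOProfile webSSOProfile) {
        this.webSSOprofileHoK = webSSOProfile;
    }

    /**
     * Sets the logger that records every sent authentication request.
     *
     * @param sAMLLogger logger, must not be {@code null}
     * @throws IllegalArgumentException when {@code sAMLLogger} is {@code null}
     */
    @Autowired
    public void setSamlLogger(SAMLLogger sAMLLogger) {
        Assert.notNull(sAMLLogger, "SAML Logger can't be null");
        this.samlLogger = sAMLLogger;
    }

    /**
     * Sets the optional discovery filter, used only to learn its processing URL.
     *
     * @param sAMLDiscovery discovery filter, may be {@code null}
     */
    @Autowired(required = false)
    public void setSamlDiscovery(SAMLDiscovery sAMLDiscovery) {
        this.samlDiscovery = sAMLDiscovery;
    }

    /**
     * Sets the provider that builds the {@link SAMLMessageContext} for each request.
     *
     * @param sAMLContextProvider provider, must not be {@code null}
     * @throws IllegalArgumentException when {@code sAMLContextProvider} is {@code null}
     */
    @Autowired
    public void setContextProvider(SAMLContextProvider sAMLContextProvider) {
        Assert.notNull(sAMLContextProvider, "Context provider can't be null");
        this.contextProvider = sAMLContextProvider;
    }

    /**
     * Sets the metadata manager. It is validated in {@link #afterPropertiesSet()} but not read
     * by this class otherwise; subclasses may use it.
     *
     * @param metadataManager metadata manager, must not be {@code null}
     * @throws IllegalArgumentException when {@code metadataManager} is {@code null}
     */
    @Autowired
    public void setMetadata(MetadataManager metadataManager) {
        Assert.notNull(metadataManager, "MetadataManager can't be null");
        this.metadata = metadataManager;
    }

    /**
     * @return URL (relative to the servlet context) on which this filter reacts
     */
    public String getFilterProcessesUrl() {
        return this.filterProcessesUrl;
    }

    /**
     * @param str URL (relative to the servlet context) on which this filter should react
     */
    public void setFilterProcessesUrl(String str) {
        this.filterProcessesUrl = str;
    }

    /**
     * Verifies that all mandatory collaborators were injected.
     *
     * @throws ServletException propagated from {@link GenericFilterBean#afterPropertiesSet()}
     * @throws IllegalArgumentException when a mandatory collaborator is missing
     */
    @Override
    public void afterPropertiesSet() throws ServletException {
        super.afterPropertiesSet();
        Assert.notNull(this.webSSOprofile, "WebSSO profile must be set");
        Assert.notNull(this.metadata, "Metadata must be set");
        Assert.notNull(this.samlLogger, "Logger must be set");
        Assert.notNull(this.contextProvider, "Context provider must be set");
    }
}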
