package org.webswing.security.modules.saml2;

import java.io.File;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import main.Main;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.NameValuePair;
import org.apache.http.client.utils.URIBuilder;
import org.pac4j.core.context.J2EContext;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.exception.HttpAction;
import org.pac4j.core.logout.handler.LogoutHandler;
import org.pac4j.core.profile.definition.CommonProfileDefinition;
import org.pac4j.saml.client.SAML2Client;
import org.pac4j.saml.config.SAML2Configuration;
import org.pac4j.saml.credentials.authenticator.SAML2Authenticator;
import org.pac4j.saml.profile.SAML2Profile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.webswing.server.services.security.api.AbstractWebswingUser;
import org.webswing.server.services.security.api.WebswingAuthenticationException;
import org.webswing.server.services.security.modules.AbstractExtendableSecurityModule;

/* loaded from: input_file:org/webswing/security/modules/saml2/Saml2SecurityModule.class */
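/**
 * Webswing security module that authenticates users against a SAML2 identity provider
 * through a pac4j {@link SAML2Client}.
 *
 * <p>The module is built from a {@link Saml2SecurityModuleConfig}: the IdP metadata (a local
 * path or a URL), the SP consumer URL and entity id, and the keystore holding the SP signing /
 * decryption key. Login redirects the browser to the IdP using the HTTP-Redirect binding; the
 * IdP's {@code SAMLResponse} on the callback is validated by pac4j in {@link #authenticate}.
 * The SP metadata XML is served when the {@code metadata} request parameter is present.
 *
 * <p>Not thread-safe during {@link #init()}; afterwards the mutable fields are only read.
 */
public class Saml2SecurityModule extends AbstractExtendableSecurityModule<Saml2SecurityModuleConfig> {
    private static final Logger log = LoggerFactory.getLogger(Saml2SecurityModule.class);
    /** Request parameter that asks for the SP metadata XML instead of a login. */
    private static final String SP_METADATA = "metadata";
    /** Request parameter carrying the IdP's SAML response on the callback. */
    private static final String SAML_PARAMETER = "SAMLResponse";
    /** SAML2 HTTP-Redirect binding, used for authn requests and SP-initiated logout. */
    private static final String HTTP_REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";
    /** Maximum age (seconds) of the IdP authentication instant pac4j accepts: 8 hours. */
    private static final int MAX_AUTHN_LIFETIME_SECONDS = 28800;
    /** Query parameters that carry the redirect signature; dropped when signing is disabled. */
    private static final String SIG_ALG_PARAM = "SigAlg";
    private static final String SIGNATURE_PARAM = "Signature";
    /** Connect / read timeout (ms) for downloading IdP metadata from a URL. */
    private static final int METADATA_DOWNLOAD_TIMEOUT_MS = 30000;

    // All of these are assigned once in init() and read afterwards.
    private SAML2Client client;
    private SessionStore store;
    // Attribute names handed to Saml2User; presumably the profile attributes that supply the
    // user name and the roles — verify against Saml2User.
    private String userAttributeName;
    private String rolesAttributeName;

    public Saml2SecurityModule(Saml2SecurityModuleConfig saml2SecurityModuleConfig) {
        super(saml2SecurityModuleConfig);
    }

    /**
     * Builds the pac4j {@link SAML2Client} from the module configuration.
     *
     * <p>String values pass through {@code replaceVariables} so the configuration may reference
     * variables. Missing IdP metadata, an empty consumer URL or an empty entity id abort the
     * initialization.
     *
     * @throws RuntimeException wrapping the underlying {@code SAMLException} when any part of
     *         the setup fails
     */
    @Override
    public void init() {
        super.init();
        try {
            SAML2Configuration cfg = new SAML2Configuration();

            String metadataLocation = getConfig().getIdentityProviderMetadataFile();
            File metadataFile = getFile(metadataLocation);
            if (metadataFile == null || !metadataFile.isFile()) {
                throw new SAMLException("The SAML2 Identity provider metadata file " + metadataLocation + " does not exist.");
            }
            cfg.setIdentityProviderMetadataResourceFilepath(metadataFile.getAbsolutePath());

            String consumerUrl = expand(getConfig().getServiceProviderConsumerUrl());
            if (StringUtils.isEmpty(consumerUrl)) {
                throw new SAMLException("The SAML2 serviceProviderConsumerUrl property must not be empty.");
            }
            String entityId = expand(getConfig().getServiceProviderEntityId());
            if (StringUtils.isEmpty(entityId)) {
                // Same exception type as the other configuration checks so the outer catch
                // adds the module context to the message.
                throw new SAMLException("The SAML2 Service provider entityId property must not be empty.");
            }
            cfg.setServiceProviderEntityId(entityId);

            cfg.setKeystoreResourceFilepath(expand(getConfig().getKeyStore()));
            cfg.setKeystorePassword(expand(getConfig().getKeyStorePwd()));
            cfg.setKeystoreAlias(expand(getConfig().getDecryptionKeyAlias()));
            cfg.setPrivateKeyPassword(expand(getConfig().getKeyPwd()));

            cfg.setAuthnRequestSigned(getConfig().isAuthnRequestSigned());
            cfg.setNameIdPolicyFormat(getConfig().getNameIdPolicyFormat());
            cfg.setAuthnRequestBindingType(HTTP_REDIRECT_BINDING);
            cfg.setSpLogoutRequestBindingType(HTTP_REDIRECT_BINDING);
            cfg.setSpLogoutResponseBindingType(HTTP_REDIRECT_BINDING);
            // Both callbacks are no-ops: a logout notification coming from the IdP (front or back
            // channel) does not end the Webswing session here. Logout is only SP-initiated, see
            // doLogout().
            cfg.setLogoutHandler(new LogoutHandler<WebContext>() {
                @Override
                public void destroySessionFront(WebContext webContext, String key) {
                }

                @Override
                public void destroySessionBack(WebContext webContext, String key) {
                }
            });
            cfg.setMaximumAuthenticationLifetime(MAX_AUTHN_LIFETIME_SECONDS);
            cfg.setUseNameQualifier(false);

            this.store = new Saml2SessionStore(getConfig().getContext());
            try {
                this.client = new SAML2Client(cfg);
                SAML2Authenticator authenticator = new SAML2Authenticator(cfg.getAttributeAsId());
                authenticator.setProfileDefinition(new CommonProfileDefinition(params -> new SAML2Profile(true)));
                this.client.setAuthenticator(authenticator);
                this.client.setCallbackUrl(consumerUrl);
                this.client.init();
                this.userAttributeName = expand(getConfig().getUserAttributeName());
                this.rolesAttributeName = expand(getConfig().getRolesAttributeName());
            } catch (Exception e) {
                throw new SAMLException("The SAML2 client initialization failed.", e);
            }
        } catch (SAMLException e) {
            throw new RuntimeException("Failed to initialize SAML2 webswing security module. ", e);
        }
    }

    /** Expands variable references in a configuration value through the module context. */
    private String expand(String value) {
        return getConfig().getContext().replaceVariables(value);
    }

    /**
     * Resolves the IdP metadata location from the configuration to a local file.
     *
     * <p>A value the context can resolve as a file is returned as-is. Otherwise it is treated as
     * a URL, downloaded into a file in the temp dir named by the URL-safe Base64 of the URL, and
     * that file is returned. A value that is neither resolvable nor a valid URL yields
     * {@code null}, which {@link #init()} reports as a missing metadata file.
     *
     * @param str metadata file path or URL from the module configuration
     * @return the local file, or {@code null} if the value is not a path and not a URL
     * @throws SAMLException if the download fails
     */
    private File getFile(String str) throws SAMLException {
        File resolved = getConfig().getContext().resolveFile(str);
        if (resolved != null) {
            return resolved;
        }
        URL source;
        try {
            source = new URL(str);
        } catch (MalformedURLException e) {
            return null;
        }
        // Fixed charset: with the platform default the temp-file name (and so the cache
        // location) would depend on the host, and it is not UTF-8 before Java 18.
        File target = new File(Main.getTempDir(), Base64.encodeBase64URLSafeString(str.getBytes(StandardCharsets.UTF_8)));
        try {
            // NOTE(review): the downloaded metadata is trusted as fetched — only the transport
            // protects its integrity, so the configured URL should be https. The timeouts keep
            // an unresponsive metadata host from blocking module initialization indefinitely.
            FileUtils.copyURLToFile(source, target, METADATA_DOWNLOAD_TIMEOUT_MS, METADATA_DOWNLOAD_TIMEOUT_MS);
            return target;
        } catch (IOException e) {
            throw new SAMLException("Invalid SAML2 configuration. Failed to load file '" + str + "'", e);
        }
    }

    /**
     * Serves the login step: an error partial when a previous attempt failed, otherwise a
     * redirect to the IdP built by pac4j.
     *
     * <p>When authn request signing is disabled, the {@code SigAlg} and {@code Signature} query
     * parameters are removed from the redirect before it is sent; every other parameter is kept
     * in order. If the redirect URL cannot be parsed, it is sent unmodified.
     *
     * @param httpServletRequest  current request
     * @param httpServletResponse response to write the partial or redirect to
     * @param webswingAuthenticationException failure of a previous attempt, or {@code null}
     * @throws IOException if writing the response fails
     */
    protected void serveLoginPartial(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, WebswingAuthenticationException webswingAuthenticationException) throws IOException {
        if (webswingAuthenticationException != null) {
            sendPartialHtml(httpServletRequest, httpServletResponse, "errorPartial.html", webswingAuthenticationException);
            return;
        }
        Saml2WebContext context = new Saml2WebContext(httpServletRequest, httpServletResponse, this.store);
        String location = this.client.getRedirectActionBuilder().redirect(context).getLocation();
        try {
            sendRedirect(httpServletRequest, httpServletResponse, stripSignatureIfUnsigned(location));
        } catch (URISyntaxException e) {
            // Best effort: fall back to the URL exactly as pac4j produced it.
            log.error("failed to parse SAML2 redirect url: {}", location, e);
            sendRedirect(httpServletRequest, httpServletResponse, location);
        }
    }

    /**
     * Rebuilds {@code location} without the {@code SigAlg}/{@code Signature} query parameters
     * unless authn request signing is enabled, in which case all parameters are kept.
     */
    private String stripSignatureIfUnsigned(String location) throws URISyntaxException {
        URIBuilder builder = new URIBuilder(location);
        List<NameValuePair> params = builder.getQueryParams();
        builder.clearParameters();
        boolean keepSignature = getConfig().isAuthnRequestSigned();
        for (NameValuePair param : params) {
            String name = param.getName();
            boolean isSignatureParam = SIG_ALG_PARAM.equals(name) || SIGNATURE_PARAM.equals(name);
            if (keepSignature || !isSignatureParam) {
                builder.addParameter(name, param.getValue());
            }
        }
        return builder.build().toString();
    }

    /**
     * Validates the {@code SAMLResponse} on the callback request and maps it to a user.
     *
     * @param httpServletRequest callback request
     * @return the authenticated {@link Saml2User}, or {@code null} if the request carries no
     *         {@code SAMLResponse} or pac4j reports an {@link HttpAction} with status 200
     * @throws WebswingAuthenticationException if validation fails
     */
    protected AbstractWebswingUser authenticate(HttpServletRequest httpServletRequest) throws WebswingAuthenticationException {
        if (StringUtils.isEmpty(httpServletRequest.getParameter(SAML_PARAMETER))) {
            return null;
        }
        try {
            Saml2WebContext context = new Saml2WebContext(httpServletRequest, this.store);
            SAML2Profile profile = this.client.getUserProfile(this.client.getCredentials(context), context);
            logSuccess(httpServletRequest, profile.getId());
            return new Saml2User(profile, profile.getId(), profile.getAttributes(), this.userAttributeName, this.rolesAttributeName);
        } catch (Exception e) {
            // pac4j signals "I already produced a response" as an HttpAction; status 200 is
            // treated as no authenticated user rather than as a failure.
            if (e instanceof HttpAction && ((HttpAction) e).getCode() == 200) {
                return null;
            }
            // NOTE(review): the raw exception message is passed on to the login page through the
            // thrown exception; a generic message would expose less about the SAML validation.
            logFailure(httpServletRequest, null, "Failed to authenticate. " + e.getMessage());
            log.error("Failed to authenticate", e);
            throw new WebswingAuthenticationException("Failed to authenticate. " + e.getMessage(), "login.failedToAuthenticate", e);
        }
    }

    /**
     * Serves the SP metadata XML when the {@code metadata} parameter is present; otherwise
     * runs the regular login flow.
     *
     * @return the user from the regular login flow, or {@code null} when metadata was served
     */
    @Override
    public AbstractWebswingUser doLogin(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        if (httpServletRequest.getParameter(SP_METADATA) != null) {
            serveSpMetadata(httpServletRequest, httpServletResponse);
            return null;
        }
        return super.doLogin(httpServletRequest, httpServletResponse);
    }

    /**
     * Serves the SP metadata XML when the {@code metadata} parameter is present, then continues
     * with the regular authenticated response.
     */
    @Override
    public void doServeAuthenticated(AbstractWebswingUser abstractWebswingUser, String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        if (httpServletRequest.getParameter(SP_METADATA) != null) {
            serveSpMetadata(httpServletRequest, httpServletResponse);
            // NOTE(review): unlike doLogin(), this does not return after serving the metadata, so
            // the superclass still gets the same response — confirm that is intended.
        }
        super.doServeAuthenticated(abstractWebswingUser, str, httpServletRequest, httpServletResponse);
    }

    /**
     * Writes the SP metadata XML produced by pac4j with status 200, or a plain-text 500 if the
     * metadata cannot be generated.
     */
    private void serveSpMetadata(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        J2EContext context = new J2EContext(httpServletRequest, httpServletResponse);
        try {
            String metadata = this.client.getServiceProviderMetadataResolver().getMetadata();
            context.setResponseStatus(HttpServletResponse.SC_OK);
            context.setResponseContentType("application/xml");
            context.writeResponseContent(metadata);
        } catch (IOException e) {
            context.setResponseStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            context.writeResponseContent("Failed to generate SP metadata xml");
            log.error("Failed to generate SP metadata xml", e);
        }
    }

    /**
     * Logs the user out. With single logout enabled and a {@link Saml2User}, the browser is
     * redirected to the IdP logout URL built by pac4j; otherwise to the configured logout URL.
     */
    public void doLogout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AbstractWebswingUser abstractWebswingUser) throws ServletException, IOException {
        boolean singleLogout = getConfig().isSingleLogout() && abstractWebswingUser instanceof Saml2User;
        if (!singleLogout) {
            logoutRedirect(httpServletRequest, httpServletResponse, replaceVar(getConfig().getLogoutUrl()));
            return;
        }
        Saml2WebContext context = new Saml2WebContext(httpServletRequest, httpServletResponse, this.store);
        SAML2Profile profile = ((Saml2User) abstractWebswingUser).getProfile();
        String idpLogoutUrl = this.client.getLogoutActionBuilder()
                .getLogoutAction(context, profile, (String) null)
                .getLocation();
        sendRedirect(httpServletRequest, httpServletResponse, idpLogoutUrl);
    }
}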
