package org.squashtest.tm.plugin.saml;

import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.time.Duration;
import java.util.Iterator;
import java.util.Map;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.assertion.impl.AuthnStatementValidator;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.core.io.Resource;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.converter.RsaKeyConverters;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.saml2.Saml2Exception;
import org.springframework.security.saml2.core.Saml2Error;
import org.springframework.security.saml2.core.Saml2ResponseValidatorResult;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.authentication.OpenSaml4AuthenticationRequestResolver;
import org.springframework.security.saml2.provider.service.web.authentication.Saml2AuthenticationRequestResolver;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.squashtest.tm.plugin.saml.beans.FeatureAwareSAMLExpirationToken;
import org.squashtest.tm.plugin.saml.config.SamlLoginRedirectFilter;
import org.squashtest.tm.plugin.saml.controller.SquashSAMLAuthFailureController;
import org.squashtest.tm.plugin.saml.properties.DefaultWebSSOProfileOptions;
import org.squashtest.tm.plugin.saml.properties.MetadataProperties;
import org.squashtest.tm.plugin.saml.properties.ReverseProxyProperties;
import org.squashtest.tm.plugin.saml.properties.SAMLProperties;
import org.squashtest.tm.plugin.saml.properties.SPProperties;
import org.squashtest.tm.plugin.saml.properties.SessionProperties;

@EnableConfigurationProperties({SAMLProperties.class})
@SAMLActivationSwitch
@Configuration
/* loaded from: input_file:org/squashtest/tm/plugin/saml/SAMLConfig.class */
public class SAMLConfig {
    private static final Logger LOGGER = LoggerFactory.getLogger(SAMLConfig.class);
    public static final String SAML_PROVIDER_NAME = "saml";
    private static final String METADATA_URL = "/auth/saml/metadata/{registrationId}";
    private static final String LOGIN_PROCESSING_URL = "/auth/saml/sso/{registrationId}";
    private static final String SINGLE_LOGOUT_PROCESSING_URL = "/auth/saml/SingleLogout";
    private static final String AUTHENTICATION_REQUEST_URI = "/auth/saml/login/{registrationId}";
    private final SAMLProperties samlProperties;
    private final UserDetailsService userDetailsService;

    public SAMLConfig(SAMLProperties sAMLProperties, UserDetailsService userDetailsService) {
        this.samlProperties = sAMLProperties;
        this.userDetailsService = userDetailsService;
    }

    @Bean
    @Order(28)
    public SecurityFilterChain samlSecurityFilterChain(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.securityMatcher(new String[]{"/auth/saml/**"}).authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> {
            ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) authorizationManagerRequestMatcherRegistry.requestMatchers(new String[]{SquashSAMLAuthFailureController.FAIL_URL})).permitAll().anyRequest()).authenticated();
        }).authenticationProvider(samlAuthenticationProvider()).saml2Login(saml2LoginConfigurer -> {
            saml2LoginConfigurer.loginProcessingUrl(LOGIN_PROCESSING_URL).authenticationRequestUri(AUTHENTICATION_REQUEST_URI).successHandler(samlSuccessRedirectHandler()).failureHandler(samlAuthenticationFailureHandler());
        }).saml2Metadata(saml2MetadataConfigurer -> {
            saml2MetadataConfigurer.metadataUrl(METADATA_URL);
        }).saml2Logout(saml2LogoutConfigurer -> {
            saml2LogoutConfigurer.logoutRequest(logoutRequestConfigurer -> {
                logoutRequestConfigurer.logoutUrl(SINGLE_LOGOUT_PROCESSING_URL);
            });
        });
        return (SecurityFilterChain) httpSecurity.build();
    }

    @Bean
    public Saml2AuthenticationRequestResolver authenticationRequestResolver(RelyingPartyRegistrationRepository relyingPartyRegistrationRepository) {
        OpenSaml4AuthenticationRequestResolver openSaml4AuthenticationRequestResolver = new OpenSaml4AuthenticationRequestResolver(new DefaultRelyingPartyRegistrationResolver(relyingPartyRegistrationRepository));
        openSaml4AuthenticationRequestResolver.setRequestMatcher(new AntPathRequestMatcher(AUTHENTICATION_REQUEST_URI));
        DefaultWebSSOProfileOptions sso = this.samlProperties.getSso();
        openSaml4AuthenticationRequestResolver.setAuthnRequestCustomizer(authnRequestContext -> {
            sso.configureAuthnRequest(authnRequestContext.getAuthnRequest());
        });
        if (sso.containRelayState()) {
            openSaml4AuthenticationRequestResolver.setRelayStateResolver(httpServletRequest -> {
                return httpServletRequest.getParameter(sso.getRelayState());
            });
        }
        return openSaml4AuthenticationRequestResolver;
    }

    @Bean
    public OpenSaml4AuthenticationProvider samlAuthenticationProvider() {
        OpenSaml4AuthenticationProvider openSaml4AuthenticationProvider = new OpenSaml4AuthenticationProvider();
        openSaml4AuthenticationProvider.setResponseAuthenticationConverter(this::authenticationConverter);
        openSaml4AuthenticationProvider.setAssertionValidator(this::buildValidator);
        return openSaml4AuthenticationProvider;
    }

    private FeatureAwareSAMLExpirationToken authenticationConverter(OpenSaml4AuthenticationProvider.ResponseToken responseToken) {
        Saml2Authentication saml2Authentication = (Saml2Authentication) OpenSaml4AuthenticationProvider.createDefaultResponseAuthenticationConverter().convert(responseToken);
        return new SquashSAMLAuthProvider(samlProviderFeatures()).authenticate(saml2Authentication, samlUserDetailsService().loadUserBySAML((DefaultSaml2AuthenticatedPrincipal) saml2Authentication.getPrincipal()));
    }

    @Bean
    public SquashSAMLUserDetailsService samlUserDetailsService() {
        return new SquashSAMLUserDetailsService(this.samlProperties.getUserMapping(), this.userDetailsService);
    }

    private Saml2ResponseValidatorResult buildValidator(OpenSaml4AuthenticationProvider.AssertionToken assertionToken) {
        SessionProperties session = this.samlProperties.getSession();
        Saml2ResponseValidatorResult saml2ResponseValidatorResult = (Saml2ResponseValidatorResult) OpenSaml4AuthenticationProvider.createDefaultAssertionValidatorWithParameters(map -> {
            map.put("saml2.ClockSkew", Duration.ofSeconds(session.getClockSkew()));
            map.put("saml2.Lifetime", Duration.ofSeconds(session.getMaxAssertionTime()));
        }).convert(assertionToken);
        if (saml2ResponseValidatorResult.hasErrors()) {
            return saml2ResponseValidatorResult;
        }
        Assertion assertion = assertionToken.getAssertion();
        AuthnStatementValidator authnStatementValidator = new AuthnStatementValidator();
        ValidationContext validationContext = new ValidationContext(Map.of("saml2.Statement.Authn.MaxTimeSinceAuthn", Duration.ofSeconds(session.getMaxAuthTime())));
        Iterator it = assertion.getAuthnStatements().iterator();
        while (it.hasNext()) {
            try {
                if (authnStatementValidator.validate((AuthnStatement) it.next(), assertion, validationContext) != ValidationResult.VALID) {
                    return Saml2ResponseValidatorResult.failure(new Saml2Error[]{new Saml2Error("invalid_assertion", "Invalid assertion for SAML response: Authentication statement is too old")});
                }
            } catch (Exception e) {
                LOGGER.error("Error validating authentication statement assertion", e);
                return Saml2ResponseValidatorResult.failure(new Saml2Error[]{new Saml2Error("invalid_assertion", String.format("Invalid assertion for SAML response : %s", e.getMessage()))});
            }
        }
        return saml2ResponseValidatorResult;
    }

    @Bean
    public RelyingPartyRegistrationRepository relyingPartyRegistrations() {
        LOGGER.info("initializing : relyingPartyRegistrationRepository");
        String metadataUrl = this.samlProperties.getIdp().getMetadataUrl();
        SPProperties sp = this.samlProperties.getSp();
        MetadataProperties metadata = sp.getMetadata();
        String buildBaseUrl = buildBaseUrl();
        RelyingPartyRegistration.Builder singleLogoutServiceLocation = RelyingPartyRegistrations.fromMetadataLocation(metadataUrl).registrationId(sp.getRegistrationId()).entityId(sp.getEntityId()).assertionConsumerServiceLocation(buildBaseUrl + "/auth/saml/sso/{registrationId}").singleLogoutServiceLocation(buildBaseUrl + "/auth/saml/SingleLogout");
        configureCredentials(singleLogoutServiceLocation);
        metadata.configureAdditionalProperties(singleLogoutServiceLocation);
        return new InMemoryRelyingPartyRegistrationRepository(new RelyingPartyRegistration[]{singleLogoutServiceLocation.build()});
    }

    private String buildBaseUrl() {
        ReverseProxyProperties proxy = this.samlProperties.getProxy();
        if (!proxy.isEnabled()) {
            return "{baseUrl}";
        }
        LOGGER.trace("Building base URL with proxy settings");
        StringBuilder sb = new StringBuilder();
        sb.append(proxy.getScheme()).append("://").append(proxy.getServerName());
        if (proxy.isIncludePortInUrl()) {
            sb.append(":").append(proxy.getServerPort());
        }
        sb.append(proxy.getContextPath());
        return sb.toString();
    }

    private void configureCredentials(RelyingPartyRegistration.Builder builder) {
        MetadataProperties metadata = this.samlProperties.getSp().getMetadata();
        try {
            RSAPrivateKey readPrivateKey = readPrivateKey(metadata.getPrivateKey());
            X509Certificate readCertificate = readCertificate(metadata.getCertificate());
            Saml2X509Credential signing = Saml2X509Credential.signing(readPrivateKey, readCertificate);
            Saml2X509Credential decryption = Saml2X509Credential.decryption(readPrivateKey, readCertificate);
            builder.signingX509Credentials(collection -> {
                collection.add(signing);
            });
            builder.decryptionX509Credentials(collection2 -> {
                collection2.add(decryption);
            });
        } catch (Exception e) {
            throw new Saml2Exception("Error loading credentials", e);
        }
    }

    private RSAPrivateKey readPrivateKey(Resource resource) {
        Throwable th = null;
        try {
            try {
                InputStream inputStream = resource.getInputStream();
                try {
                    RSAPrivateKey rSAPrivateKey = (RSAPrivateKey) RsaKeyConverters.pkcs8().convert(inputStream);
                    if (inputStream != null) {
                        inputStream.close();
                    }
                    return rSAPrivateKey;
                } catch (Throwable th2) {
                    if (inputStream != null) {
                        inputStream.close();
                    }
                    throw th2;
                }
            } catch (Throwable th3) {
                if (0 == 0) {
                    th = th3;
                } else if (null != th3) {
                    th.addSuppressed(th3);
                }
                throw th;
            }
        } catch (Exception e) {
            throw new IllegalArgumentException(e);
        }
    }

    private X509Certificate readCertificate(Resource resource) {
        Throwable th = null;
        try {
            try {
                InputStream inputStream = resource.getInputStream();
                try {
                    X509Certificate x509Certificate = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(inputStream);
                    if (inputStream != null) {
                        inputStream.close();
                    }
                    return x509Certificate;
                } catch (Throwable th2) {
                    if (inputStream != null) {
                        inputStream.close();
                    }
                    throw th2;
                }
            } catch (Throwable th3) {
                if (0 == 0) {
                    th = th3;
                } else if (null != th3) {
                    th.addSuppressed(th3);
                }
                throw th;
            }
        } catch (Exception e) {
            throw new IllegalArgumentException(e);
        }
    }

    @ConditionalOnProperty(value = {"authentication.provider"}, havingValue = SAML_PROVIDER_NAME)
    @Bean
    public SamlLoginRedirectFilter samlLoginRedirectFilter() {
        LOGGER.info("initializing : samlLoginRedirectFilter");
        return new SamlLoginRedirectFilter(this.samlProperties.getSp().getRegistrationId());
    }

    @Bean
    public SavedRequestAwareAuthenticationSuccessHandler samlSuccessRedirectHandler() {
        LOGGER.info("initializing : samlSuccessRedirectHandler");
        SavedRequestAwareAuthenticationSuccessHandler savedRequestAwareAuthenticationSuccessHandler = new SavedRequestAwareAuthenticationSuccessHandler();
        savedRequestAwareAuthenticationSuccessHandler.setDefaultTargetUrl("/home-workspace");
        return savedRequestAwareAuthenticationSuccessHandler;
    }

    @Bean
    public SimpleUrlAuthenticationFailureHandler samlAuthenticationFailureHandler() {
        LOGGER.info("initializing : samlAuthenticationFailureHandler");
        SimpleUrlAuthenticationFailureHandler simpleUrlAuthenticationFailureHandler = new SimpleUrlAuthenticationFailureHandler();
        simpleUrlAuthenticationFailureHandler.setDefaultFailureUrl(SquashSAMLAuthFailureController.FAIL_URL);
        return simpleUrlAuthenticationFailureHandler;
    }

    @Bean
    public SAMLProviderFeatures samlProviderFeatures() {
        return new SAMLProviderFeatures();
    }
}
