package eu.openanalytics.containerproxy.auth.impl.saml;

import eu.openanalytics.containerproxy.auth.impl.SAMLAuthenticationBackend;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.annotation.Nonnull;
import javax.annotation.PostConstruct;
import javax.inject.Inject;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.impl.AuthnRequestMarshaller;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.security.saml2.core.OpenSamlInitializationService;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationTokenConverter;
import org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSaml4LogoutRequestResolver;
import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestResolver;
import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

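/**
 * Spring Security SAML 2.0 wiring for the {@code saml} authentication backend.
 *
 * <p>Only active when {@code proxy.authentication} equals {@link SAMLAuthenticationBackend#NAME}.
 * Builds a single {@link RelyingPartyRegistration} (id {@value #REG_ID}) from the IdP metadata and
 * the {@code proxy.saml.*} properties, optionally attaches a signing credential loaded from a
 * PKCS#12 keystore, and provides the OpenSAML 4 authentication provider and logout resolver.
 *
 * <p>Recovered from containerproxy-1.2.0.jar (BOOT-INF/lib); decompiler artifacts were cleaned up.
 */
@Configuration
@ConditionalOnProperty(name = {"proxy.authentication"}, havingValue = SAMLAuthenticationBackend.NAME)
public class SAMLConfiguration {
    /** Attribute used as the user name when {@link #PROP_NAME_ATTRIBUTE} is not configured (consumed outside this class). */
    public static final String DEFAULT_NAME_ATTRIBUTE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress";
    /** Sentinel value for {@link #PROP_NAME_ATTRIBUTE} (interpreted by the response converter, not here). */
    public static final String NAME_ATTRIBUTE_NAME_ID_VALUE = "https://shinyproxy.io/nameid";
    public static final String PROP_LOG_ATTRIBUTES = "proxy.saml.log-attributes";
    /** When {@code true}, every outgoing AuthnRequest carries {@code ForceAuthn="true"} (see {@link #init()}). */
    public static final String PROP_FORCE_AUTHN = "proxy.saml.force-authn";
    public static final String PROP_NAME_ATTRIBUTE = "proxy.saml.name-attribute";
    public static final String PROP_ROLES_ATTRIBUTE = "proxy.saml.roles-attribute";
    /** Path of the PKCS#12 keystore holding the SP key pair. */
    public static final String PROP_KEYSTORE = "proxy.saml.keystore";
    /** Keystore alias of the SP key pair. Despite the "encryption" naming, this key is used for signing. */
    public static final String PROP_ENCRYPTION_CERT_NAME = "proxy.saml.encryption-cert-name";
    /** Password protecting the private key entry; also the keystore password unless {@link #PROP_ENCRYPTION_KEYSTORE_PASSWORD} is set. */
    public static final String PROP_ENCRYPTION_CERT_PASSWORD = "proxy.saml.encryption-cert-password";
    public static final String PROP_ENCRYPTION_KEYSTORE_PASSWORD = "proxy.saml.keystore-password";
    /** SP entity id advertised to the IdP. */
    public static final String PROP_APP_ENTITY_ID = "proxy.saml.app-entity-id";
    /** Public base URL of this deployment; the SAML endpoint paths below are appended to it. */
    public static final String PROP_BASE_URL = "proxy.saml.app-base-url";
    /** Location (URL or file) of the IdP metadata; the IdP's verification certificates are taken from it. */
    public static final String PROP_METADATA_URL = "proxy.saml.idp-metadata-url";
    public static final String PROP_SUCCESS_LOGOUT_URL = "proxy.saml.logout-url";
    public static final String PROP_SAML_LOGOUT_METHOD = "proxy.saml.logout-method";
    /** Id of the single relying-party registration created by this configuration. */
    public static final String REG_ID = "shinyproxy";
    public static final String SAML_SERVICE_LOCATION_PATH = "/saml/SSO";
    public static final String SAML_LOGOUT_SERVICE_LOCATION_PATH = "/saml/logout";
    public static final String SAML_LOGOUT_SERVICE_RESPONSE_LOCATION_PATH = "/saml/SingleLogout";
    public static final String SAML_METADATA_PATH = "/saml/metadata";

    private static final String MISSING_PROPERTY_PREFIX = "[SAML] Configuration error, missing property ";

    @Inject
    private Environment environment;

    /**
     * Installs a custom {@link AuthnRequest} marshaller that forces {@code ForceAuthn="true"} when
     * {@link #PROP_FORCE_AUTHN} is enabled.
     *
     * <p>The marshaller is registered in OpenSAML's global provider registry, so the flag applies to
     * every AuthnRequest marshalled in this JVM, not only to this registration.
     */
    @PostConstruct
    public void init() {
        if (!isForceAuthnEnabled()) {
            return;
        }
        OpenSamlInitializationService.requireInitialize(registry ->
                registry.getMarshallerFactory()
                        .registerMarshaller(AuthnRequest.DEFAULT_ELEMENT_NAME, new ForceAuthnMarshaller()));
    }

    /**
     * Creates the single relying-party registration from the IdP metadata and the
     * {@code proxy.saml.*} properties.
     *
     * <p>Security note: the metadata location must be trusted (https with a valid certificate, or a
     * local file). The IdP verification certificates are read from it at startup, so a tampered
     * metadata document would let an attacker substitute the signing key that assertions are
     * validated against.
     *
     * @return repository holding the {@value #REG_ID} registration
     * @throws IllegalArgumentException if a required property is missing or the signing keystore
     *     does not contain the configured key pair
     * @throws IOException if the keystore cannot be read
     * @throws GeneralSecurityException if the keystore cannot be opened or the key cannot be recovered
     */
    @Bean
    public RelyingPartyRegistrationRepository relyingPartyRegistration() throws IOException, GeneralSecurityException {
        // Validation order is kept: base URL, metadata location, entity id.
        String baseUrl = requireProperty(PROP_BASE_URL);
        String metadataLocation = requireProperty(PROP_METADATA_URL);
        String entityId = requireProperty(PROP_APP_ENTITY_ID);

        RelyingPartyRegistration.Builder builder = RelyingPartyRegistrations.fromMetadataLocation(metadataLocation)
                .registrationId(REG_ID)
                .entityId(entityId)
                .assertionConsumerServiceLocation(absoluteUrl(baseUrl, SAML_SERVICE_LOCATION_PATH))
                .singleLogoutServiceBinding(Saml2MessageBinding.POST)
                .singleLogoutServiceLocation(absoluteUrl(baseUrl, SAML_LOGOUT_SERVICE_LOCATION_PATH))
                .singleLogoutServiceResponseLocation(absoluteUrl(baseUrl, SAML_LOGOUT_SERVICE_RESPONSE_LOCATION_PATH));

        // Signing is optional: without a credential, Spring Security cannot sign outgoing messages.
        Saml2X509Credential signingCredential = loadSigningCredential();
        if (signingCredential != null) {
            builder.signingX509Credentials(credentials -> credentials.add(signingCredential));
        }
        return new InMemoryRelyingPartyRegistrationRepository(builder.build());
    }

    /**
     * Converter that always resolves the {@value #REG_ID} registration, ignoring the id found in
     * the request path, since exactly one registration exists.
     */
    @Bean
    public Saml2AuthenticationTokenConverter saml2AuthenticationTokenConverter(RelyingPartyRegistrationRepository relyingPartyRegistrationRepository) {
        return new Saml2AuthenticationTokenConverter(
                (request, ignoredRegistrationId) -> relyingPartyRegistrationRepository.findByRegistrationId(REG_ID));
    }

    /** Logout request resolver bound to the {@value #REG_ID} registration (request path id ignored). */
    @Bean
    public Saml2LogoutRequestResolver saml2LogoutRequestResolver(RelyingPartyRegistrationRepository relyingPartyRegistrationRepository) {
        return new OpenSaml4LogoutRequestResolver(
                (request, ignoredRegistrationId) -> relyingPartyRegistrationRepository.findByRegistrationId(REG_ID));
    }

    /**
     * OpenSAML 4 provider with the project's {@link ResponseAuthenticationConverter}, which maps the
     * validated response to an authenticated principal using the {@code proxy.saml.*} properties.
     */
    @Bean
    public OpenSaml4AuthenticationProvider openSamlAuthenticationProvider() {
        OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
        provider.setResponseAuthenticationConverter(new ResponseAuthenticationConverter(this.environment));
        return provider;
    }

    /** Whether {@link #PROP_FORCE_AUTHN} is set to {@code true} (defaults to {@code false}). */
    private boolean isForceAuthnEnabled() {
        return Boolean.TRUE.equals(this.environment.getProperty(PROP_FORCE_AUTHN, Boolean.class, false));
    }

    /** Reads a required property, failing with a message that names the missing key. */
    private String requireProperty(String name) {
        String value = this.environment.getProperty(name);
        if (value == null) {
            throw new IllegalArgumentException(MISSING_PROPERTY_PREFIX + name);
        }
        return value;
    }

    /** Appends {@code path} to the configured base URL. */
    private static String absoluteUrl(String baseUrl, String path) {
        return ServletUriComponentsBuilder.fromUriString(baseUrl).path(path).toUriString();
    }

    /**
     * Loads the SP signing credential from the configured PKCS#12 keystore.
     *
     * @return the signing credential, or {@code null} when alias, key password or keystore path is
     *     not configured (signing is then disabled)
     * @throws IllegalArgumentException if the alias has no private key / X.509 certificate
     * @throws IOException if the keystore file cannot be read
     * @throws GeneralSecurityException if the keystore cannot be opened or the key cannot be recovered
     */
    private Saml2X509Credential loadSigningCredential() throws GeneralSecurityException, IOException {
        String alias = this.environment.getProperty(PROP_ENCRYPTION_CERT_NAME);
        String keyPassword = this.environment.getProperty(PROP_ENCRYPTION_CERT_PASSWORD);
        String keystorePath = this.environment.getProperty(PROP_KEYSTORE);
        if (alias == null || keyPassword == null || keystorePath == null) {
            return null;
        }
        // Keystore password falls back to the key password when not configured separately.
        String keystorePassword = this.environment.getProperty(PROP_ENCRYPTION_KEYSTORE_PASSWORD, keyPassword);

        KeyStore keyStore = KeyStore.getInstance("pkcs12");
        // try-with-resources: the original leaked this stream.
        try (InputStream in = Files.newInputStream(Paths.get(keystorePath))) {
            keyStore.load(in, keystorePassword.toCharArray());
        }

        // Fail with a message naming the alias and property instead of a bare NPE/ClassCastException
        // from the credential constructor. Passwords are deliberately not included in the message.
        Key key = keyStore.getKey(alias, keyPassword.toCharArray());
        if (!(key instanceof PrivateKey)) {
            throw new IllegalArgumentException("[SAML] Configuration error, keystore " + keystorePath
                    + " contains no private key for alias '" + alias + "' (" + PROP_ENCRYPTION_CERT_NAME + ")");
        }
        Certificate certificate = keyStore.getCertificate(alias);
        if (!(certificate instanceof X509Certificate)) {
            throw new IllegalArgumentException("[SAML] Configuration error, keystore " + keystorePath
                    + " contains no X.509 certificate for alias '" + alias + "' (" + PROP_ENCRYPTION_CERT_NAME + ")");
        }
        return Saml2X509Credential.signing((PrivateKey) key, (X509Certificate) certificate);
    }

    /**
     * {@link AuthnRequestMarshaller} that sets {@code ForceAuthn="true"} on each request before it is
     * marshalled. Static so it does not retain a reference to the configuration instance.
     */
    private static final class ForceAuthnMarshaller extends AuthnRequestMarshaller {
        @Override
        @Nonnull
        public Element marshall(XMLObject xmlObject, Element parentElement) throws MarshallingException {
            forceAuthn(xmlObject);
            return super.marshall(xmlObject, parentElement);
        }

        @Override
        @Nonnull
        public Element marshall(XMLObject xmlObject, Document document) throws MarshallingException {
            forceAuthn(xmlObject);
            return super.marshall(xmlObject, document);
        }

        // Registered only for AuthnRequest.DEFAULT_ELEMENT_NAME, but guard the cast anyway.
        private static void forceAuthn(XMLObject xmlObject) {
            if (xmlObject instanceof AuthnRequest) {
                ((AuthnRequest) xmlObject).setForceAuthn(Boolean.TRUE);
            }
        }
    }
}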
