package eu.openanalytics.containerproxy.auth.impl;

import eu.openanalytics.containerproxy.auth.IAuthenticationBackend;
import eu.openanalytics.containerproxy.auth.impl.saml.AuthenticationFailureHandler;
import eu.openanalytics.containerproxy.auth.impl.saml.DisableSaml2LogoutRequestFilterFilter;
import eu.openanalytics.containerproxy.auth.impl.saml.SAMLConfiguration;
import eu.openanalytics.containerproxy.auth.impl.saml.Saml2MetadataFilter;
import eu.openanalytics.containerproxy.util.ContextPathHelper;
import jakarta.servlet.Filter;
import jakarta.servlet.http.HttpServletRequest;
import javax.inject.Inject;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Lazy;
import org.springframework.core.env.Environment;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.ObjectPostProcessor;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
import org.springframework.security.saml2.provider.service.metadata.OpenSamlMetadataResolver;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestFilter;
import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestResolver;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.CorsFilter;

/**
 * Authentication backend that hands login and logout over to a SAML 2.0 identity
 * provider. It is activated only when {@code proxy.authentication} equals {@link #NAME}.
 *
 * <p>Responsibilities visible in this class:
 * <ul>
 *   <li>wire Spring Security's {@code saml2Login} / {@code saml2Logout} DSL for the single
 *       relying-party registration {@value #RELYING_PARTY_REGISTRATION_ID};</li>
 *   <li>expose SP metadata through a {@link Saml2MetadataFilter};</li>
 *   <li>restrict the GET variant of the SAML logout endpoint to sessions that were
 *       actually authenticated through SAML (see {@link Saml2RequestMatcher});</li>
 *   <li>choose between a local logout and a SAML single-logout URL based on configuration.</li>
 * </ul>
 *
 * <p>Note: this listing was recovered by a decompiler; {@link Saml2RequestMatcher} is shown
 * as {@code public} although the decompiler reports it was {@code private} in the original source.
 */
@ConditionalOnProperty(name = {"proxy.authentication"}, havingValue = SAMLAuthenticationBackend.NAME)
@Component
public class SAMLAuthenticationBackend implements IAuthenticationBackend {

    /** Value of {@code proxy.authentication} that selects this backend. */
    public static final String NAME = "saml";

    /** Registration id of the one relying party this backend configures and links to. */
    private static final String RELYING_PARTY_REGISTRATION_ID = "shinyproxy";

    /** Logout URL returned when the configured logout method is {@link LogoutMethod#LOCAL}. */
    private static final String LOCAL_LOGOUT_URL = "/logout";

    /** Post-logout landing page used when no success URL is configured. */
    private static final String DEFAULT_LOGOUT_SUCCESS_URL = "/";

    /** Spring Security's SAML authentication-request endpoint for our registration. */
    private static final String SAML_AUTHENTICATE_PATH = "/saml2/authenticate/" + RELYING_PARTY_REGISTRATION_ID;

    // Field names are kept as-is: with @Inject/@Autowired they act as a fallback qualifier
    // when several beans of the same type exist, so renaming them could change wiring.

    @Inject
    private Environment environment;

    @Inject
    private OpenSaml4AuthenticationProvider samlAuthenticationProvider;

    @Autowired
    private RelyingPartyRegistrationRepository relyingPartyRegistrationRepository;

    @Inject
    private Saml2LogoutRequestResolver saml2LogoutRequestResolver;

    // Resolved lazily (Spring injects a proxy); presumably to avoid a bean cycle - TODO confirm.
    @Inject
    @Lazy
    private SavedRequestAwareAuthenticationSuccessHandler successHandler;

    @Inject
    private ContextPathHelper contextPathHelper;

    /** How a logout is performed, read from {@link SAMLConfiguration#PROP_SAML_LOGOUT_METHOD}. */
    private enum LogoutMethod {
        /** Terminate only the local session; the IdP session is left untouched. */
        LOCAL,
        /** Initiate SAML single logout through the IdP. */
        SAML
    }

    /**
     * Matches a request only when the current security context holds an authentication
     * whose principal is a {@link Saml2AuthenticatedPrincipal}. Used to make sure the
     * GET logout endpoint is not applied to sessions that did not log in via SAML.
     */
    public static class Saml2RequestMatcher implements RequestMatcher {

        private Saml2RequestMatcher() {
        }

        /**
         * @param request the incoming request (not inspected; the decision is based on the
         *                thread-bound security context only)
         * @return {@code true} iff an authentication is present and its principal is SAML-based
         */
        @Override
        public boolean matches(HttpServletRequest request) {
            Authentication current = SecurityContextHolder.getContext().getAuthentication();
            return current != null && current.getPrincipal() instanceof Saml2AuthenticatedPrincipal;
        }
    }

    /**
     * Resolves the page to show after a successful logout.
     *
     * @param environment source of {@link SAMLConfiguration#PROP_SUCCESS_LOGOUT_URL}
     * @return the configured URL, or {@code "/"} when the property is absent or only whitespace
     */
    public static String determineLogoutSuccessURL(Environment environment) {
        String configured = environment.getProperty(SAMLConfiguration.PROP_SUCCESS_LOGOUT_URL);
        // trim() (not strip()) on purpose: keeps the exact whitespace semantics of the original.
        boolean unset = configured == null || configured.trim().isEmpty();
        return unset ? DEFAULT_LOGOUT_SUCCESS_URL : configured;
    }

    @Override
    public String getName() {
        return NAME;
    }

    /** SAML assertions carry group/role attributes, so this backend supports authorization. */
    @Override
    public boolean hasAuthorization() {
        return true;
    }

    /**
     * Configures SAML login, SAML logout and the SP metadata endpoint on the given builder.
     *
     * @param httpSecurity the security DSL to extend
     * @throws Exception propagated from the Spring Security configurers
     */
    @Override
    public void configureHttpSecurity(HttpSecurity httpSecurity) throws Exception {
        Saml2MetadataFilter metadataFilter = buildMetadataFilter();
        AuthenticationFailureHandler failureHandler = new AuthenticationFailureHandler();

        httpSecurity
                .saml2Login(login -> login
                        .loginPage(DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL)
                        .relyingPartyRegistrationRepository(this.relyingPartyRegistrationRepository)
                        .loginProcessingUrl(SAMLConfiguration.SAML_SERVICE_LOCATION_PATH)
                        // Dedicated manager so only the SAML provider can authenticate SAML responses.
                        .authenticationManager(new ProviderManager(this.samlAuthenticationProvider))
                        .failureHandler(failureHandler)
                        .successHandler(this.successHandler))
                .saml2Logout(logout -> {
                    logout
                            .logoutUrl(SAMLConfiguration.SAML_LOGOUT_SERVICE_LOCATION_PATH)
                            .logoutResponse(response -> response
                                    .logoutUrl(SAMLConfiguration.SAML_LOGOUT_SERVICE_RESPONSE_LOCATION_PATH))
                            .logoutRequest(request -> request
                                    .logoutRequestResolver(this.saml2LogoutRequestResolver));
                    logout.addObjectPostProcessor(restrictLogoutFilterToSamlSessions());
                    logout.addObjectPostProcessor(nameLogoutRequestFilter());
                })
                // Metadata must be served before the SSO filter gets a chance to treat the request as a login.
                .addFilterBefore((Filter) metadataFilter, Saml2WebSsoAuthenticationFilter.class)
                .addFilterAfter((Filter) new DisableSaml2LogoutRequestFilterFilter(), CorsFilter.class);
    }

    /** Builds the filter that publishes SP metadata for our relying-party registration. */
    private Saml2MetadataFilter buildMetadataFilter() {
        // findByRegistrationId may yield null for an unknown id; how Saml2MetadataFilter
        // handles that is not visible here - TODO confirm it fails clearly at startup.
        return new Saml2MetadataFilter(
                this.relyingPartyRegistrationRepository.findByRegistrationId(RELYING_PARTY_REGISTRATION_ID),
                new OpenSamlMetadataResolver());
    }

    /**
     * Post-processor that narrows the {@link LogoutFilter} so that a GET on the SAML logout
     * path only triggers logout for sessions authenticated via SAML.
     */
    private static ObjectPostProcessor<LogoutFilter> restrictLogoutFilterToSamlSessions() {
        return new ObjectPostProcessor<LogoutFilter>() {
            @Override
            public <O extends LogoutFilter> O postProcess(O filter) {
                RequestMatcher samlLogoutViaGet = new AndRequestMatcher(
                        new AntPathRequestMatcher(SAMLConfiguration.SAML_LOGOUT_SERVICE_LOCATION_PATH, "GET"),
                        new Saml2RequestMatcher());
                filter.setLogoutRequestMatcher(samlLogoutViaGet);
                return filter;
            }
        };
    }

    /**
     * Post-processor that gives the {@link Saml2LogoutRequestFilter} a fixed bean name;
     * presumably so {@link DisableSaml2LogoutRequestFilterFilter} can find it - TODO confirm.
     */
    private static ObjectPostProcessor<Saml2LogoutRequestFilter> nameLogoutRequestFilter() {
        return new ObjectPostProcessor<Saml2LogoutRequestFilter>() {
            @Override
            public <O extends Saml2LogoutRequestFilter> O postProcess(O filter) {
                filter.setBeanName("Saml2LogoutRequestFilter");
                return filter;
            }
        };
    }

    /** No-op: authentication is handled entirely by the SAML provider wired in {@link #configureHttpSecurity}. */
    @Override
    public void configureAuthenticationManagerBuilder(AuthenticationManagerBuilder authenticationManagerBuilder) {
    }

    /**
     * @return {@code "/logout"} for a local logout, otherwise the SAML single-logout path;
     *         the method defaults to {@link LogoutMethod#LOCAL} when the property is unset
     */
    @Override
    public String getLogoutURL() {
        LogoutMethod method = this.environment.getProperty(
                SAMLConfiguration.PROP_SAML_LOGOUT_METHOD, LogoutMethod.class, LogoutMethod.LOCAL);
        if (method == LogoutMethod.LOCAL) {
            return LOCAL_LOGOUT_URL;
        }
        return SAMLConfiguration.SAML_LOGOUT_SERVICE_LOCATION_PATH;
    }

    @Override
    public String getLogoutSuccessURL() {
        return determineLogoutSuccessURL(this.environment);
    }

    /** @return the context-path-aware URI that starts a SAML authentication request. */
    public String getLoginRedirectURI() {
        return this.contextPathHelper.withoutEndingSlash() + SAML_AUTHENTICATE_PATH;
    }
}
