package pl.edu.icm.sedno.web.security.authentication.provider;

import org.apache.commons.lang.StringUtils;
import org.opensaml.common.SAMLException;
import org.opensaml.common.SAMLRuntimeException;
import org.opensaml.saml2.core.impl.NameIDImpl;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.validation.ValidationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.saml.SAMLAuthenticationToken;
import org.springframework.security.saml.SAMLConstants;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.log.SAMLDefaultLogger;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;
import org.springframework.security.saml.websso.WebSSOProfileConsumer;
import org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl;
import org.springframework.security.saml.websso.WebSSOProfileConsumerImpl;
import pl.edu.icm.sedno.model.authentication.SamlServer;
import pl.edu.icm.sedno.model.users.FederativeIdentity;
import pl.edu.icm.sedno.services.dict.DynamicDictRepository;
import pl.edu.icm.sedno.web.security.authentication.token.ExternalAuthentication;

/* loaded from: input_file:WEB-INF/classes/pl/edu/icm/sedno/web/security/authentication/provider/SednoSamlAuthenticationProvider.class */
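/**
 * Authenticates a {@link SAMLAuthenticationToken} by running the SAML 2.0 Web SSO (or
 * Holder-of-Key) profile consumer over the inbound message context and mapping the NameID of
 * the validated assertion onto a {@link FederativeIdentity} for the matching {@link SamlServer}.
 *
 * <p>All validation (signature, decryption, conditions, profile) happens in
 * {@link #validateResponse(SAMLMessageContext)} before any value from the response is used.
 * Validation failures are recorded through the SAML logger and reported to the caller as a
 * generic {@link AuthenticationServiceException}; the original cause is kept for diagnostics.
 */
public class SednoSamlAuthenticationProvider extends AbstractExternalAuthenticationProvider {
    private static final Logger logger = LoggerFactory.getLogger(SednoSamlAuthenticationProvider.class);
    private static final SAMLDefaultLogger samlLogger = new SAMLDefaultLogger();
    /** Consumer for the plain SAML 2.0 Web SSO profile (bearer assertions). */
    protected WebSSOProfileConsumer consumer = new WebSSOProfileConsumerImpl();
    /** Consumer for the Holder-of-Key Web SSO profile. */
    protected WebSSOProfileConsumer hokConsumer = new WebSSOProfileConsumerHoKImpl();
    // Only consulted by getPrincipal(); the federated identity is always built from the NameID.
    private boolean forcePrincipalAsString = false;
    // Optional; only consulted by getUserDetails().
    protected SAMLUserDetailsService userDetails;

    @Autowired
    private DynamicDictRepository dynamicDictRepository;

    /**
     * Validates the SAML response carried by {@code authentication} and turns its NameID into an
     * {@link ExternalAuthentication}.
     *
     * <p>The {@link SamlServer} is resolved from the NameID's {@code NameQualifier}, falling back
     * to the issuer of the inbound message when the assertion carries none. An IdP that is not
     * registered as a {@link SamlServer} is rejected (fail closed).
     *
     * @param authentication must be a {@link SAMLAuthenticationToken}
     * @return the external authentication describing the federated identity
     * @throws IllegalArgumentException if the token type is not supported
     * @throws AuthenticationServiceException if the response fails validation or names an
     *         unknown identity provider
     */
    @Override
    protected ExternalAuthentication authenticateExternal(Authentication authentication) throws AuthenticationException {
        if (!supports(authentication.getClass())) {
            throw new IllegalArgumentException("Only SAMLAuthenticationToken is supported, " + authentication.getClass() + " was attempted");
        }
        SAMLMessageContext context = ((SAMLAuthenticationToken) authentication).getCredentials();
        // Nothing below may read from the response before the profile consumer has validated it.
        SAMLCredential credential = validateResponse(context);
        logger.info("InboundMessageIssuer {}", context.getInboundMessageIssuer());

        // NOTE(review): NameQualifier is content of the assertion, i.e. chosen by the asserting IdP;
        // confirm that the dictionary cannot map one trusted IdP's qualifier onto another SamlServer.
        String nameQualifier = credential.getNameID().getNameQualifier();
        if (StringUtils.isEmpty(nameQualifier)) {
            nameQualifier = context.getInboundMessageIssuer();
        }
        SamlServer samlServer = (SamlServer) this.dynamicDictRepository.getByCode(SamlServer.class, nameQualifier);
        if (samlServer == null) {
            // Fail closed if the repository answers null for an unregistered code: no SamlServer, no identity.
            // The qualifier is logged server-side only; the client gets a generic message.
            logger.warn("SAML response references an unknown identity provider: {}", nameQualifier);
            samlLogger.log(SAMLConstants.AUTH_N_RESPONSE, SAMLConstants.FAILURE, context);
            throw new AuthenticationServiceException("Unknown SAML identity provider");
        }
        ExternalAuthentication result = ExternalAuthentication.createInstance(
                FederativeIdentity.createSamlIdentity(samlServer, credential.getNameID().getValue()));
        samlLogger.log(SAMLConstants.AUTH_N_RESPONSE, SAMLConstants.SUCCESS, context, result, null);
        return result;
    }

    /**
     * Runs the profile consumer matching the context's communication profile and returns the
     * validated credential.
     *
     * <p>Previously the result of {@link #getPrincipal} was cast to {@code NameIDImpl}, which
     * throws {@link ClassCastException} as soon as a {@link SAMLUserDetailsService} is wired or
     * {@code forcePrincipalAsString} is set, because the hook then returns a user-details object
     * or a {@link String}. The federated identity only needs the assertion's NameID, so callers
     * now read it from the credential directly; the hooks remain as overridable API.
     *
     * @param context inbound message context; its communication profile selects the consumer
     * @return the credential produced by the consumer
     * @throws AuthenticationServiceException on any validation, decryption or signature failure,
     *         and for an unsupported communication profile
     */
    private SAMLCredential validateResponse(SAMLMessageContext context) throws AuthenticationException {
        String profile = context.getCommunicationProfileId();
        try {
            if (SAMLConstants.SAML2_WEBSSO_PROFILE_URI.equals(profile)) {
                return this.consumer.processAuthenticationResponse(context);
            }
            if (SAMLConstants.SAML2_HOK_WEBSSO_PROFILE_URI.equals(profile)) {
                return this.hokConsumer.processAuthenticationResponse(context);
            }
            throw new SAMLException("Unsupported profile encountered in the context " + profile);
        } catch (SAMLException e) {
            samlLogger.log(SAMLConstants.AUTH_N_RESPONSE, SAMLConstants.FAILURE, context, e);
            throw new AuthenticationServiceException("Error validating SAML message", e);
        } catch (SAMLRuntimeException e) {
            samlLogger.log(SAMLConstants.AUTH_N_RESPONSE, SAMLConstants.FAILURE, context, e);
            throw new AuthenticationServiceException("Error validating SAML message", e);
        } catch (DecryptionException e) {
            logger.debug("Error decrypting SAML message", (Throwable) e);
            samlLogger.log(SAMLConstants.AUTH_N_RESPONSE, SAMLConstants.FAILURE, context);
            throw new AuthenticationServiceException("Error decrypting SAML message", e);
        } catch (SecurityException e) {
            // org.opensaml.xml.security.SecurityException (signature trust failure), not java.lang.SecurityException.
            logger.debug("Error validating signature", (Throwable) e);
            samlLogger.log(SAMLConstants.AUTH_N_RESPONSE, SAMLConstants.FAILURE, context);
            throw new AuthenticationServiceException("Error validating SAML message signature", e);
        } catch (ValidationException e) {
            logger.debug("Error validating signature", (Throwable) e);
            samlLogger.log(SAMLConstants.AUTH_N_RESPONSE, SAMLConstants.FAILURE, context);
            throw new AuthenticationServiceException("Error validating SAML message signature", e);
        }
    }

    /**
     * Loads user details for the credential through the configured {@link SAMLUserDetailsService}.
     *
     * @param sAMLCredential validated credential
     * @return the loaded user details, or {@code null} when no service is configured
     */
    protected Object getUserDetails(SAMLCredential sAMLCredential) {
        if (this.userDetails == null) {
            return null;
        }
        return this.userDetails.loadUserBySAML(sAMLCredential);
    }

    /**
     * Chooses the principal object for a credential: the NameID value as a {@link String} when
     * {@link #isForcePrincipalAsString()} is set, otherwise {@code obj} when present, otherwise
     * the NameID itself.
     *
     * @param sAMLCredential validated credential
     * @param obj user details as returned by {@link #getUserDetails(SAMLCredential)}, may be null
     * @return the principal
     */
    protected Object getPrincipal(SAMLCredential sAMLCredential, Object obj) {
        if (isForcePrincipalAsString()) {
            return sAMLCredential.getNameID().getValue();
        }
        if (obj != null) {
            return obj;
        }
        return sAMLCredential.getNameID();
    }

    /** @return whether {@link #getPrincipal} should yield the NameID value as a plain string */
    public boolean isForcePrincipalAsString() {
        return this.forcePrincipalAsString;
    }

    /**
     * Accepts exactly {@link SAMLAuthenticationToken}; subclasses of the token are not matched.
     *
     * @param cls authentication class offered by the authentication manager
     * @return {@code true} only for {@code SAMLAuthenticationToken.class}
     */
    @Override
    public boolean supports(Class<? extends Object> cls) {
        return cls.equals(SAMLAuthenticationToken.class);
    }
}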
