package org.springframework.security.saml;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import javax.servlet.ServletException;
import org.joda.time.DateTime;
import org.opensaml.common.SAMLException;
import org.opensaml.common.SAMLRuntimeException;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.validation.ValidationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.providers.ExpiringUsernameAuthenticationToken;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.log.SAMLLogger;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;
import org.springframework.security.saml.websso.WebSSOProfileConsumer;
import org.springframework.util.Assert;

/* loaded from: input_file:WEB-INF/lib/spring-security-saml2-core-1.0.1.RELEASE.jar:org/springframework/security/saml/SAMLAuthenticationProvider.class */
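/**
 * {@link AuthenticationProvider} that completes a SAML 2.0 Web SSO login.
 *
 * <p>It accepts a {@link SAMLAuthenticationToken} whose credentials are the
 * {@link SAMLMessageContext} built from the incoming response, hands that context to
 * the consumer matching the context's communication profile (plain Web SSO or
 * Holder-of-Key Web SSO) and turns the resulting {@link SAMLCredential} into an
 * {@link ExpiringUsernameAuthenticationToken}. Every outcome, success or failure, is
 * recorded through the configured {@link SAMLLogger}; validation, decryption and
 * signature failures are rethrown as {@link AuthenticationServiceException}.
 *
 * <p>Security notes for deployers:
 * <ul>
 * <li>All message validation (signature, conditions, subject confirmation, decryption)
 *     is the responsibility of the {@link WebSSOProfileConsumer}; this class only
 *     dispatches to it and converts the result. Do not treat it as a second line of
 *     defence.</li>
 * <li>By default ({@code excludeCredential=false}) the complete {@link SAMLCredential},
 *     including the parsed assertion, is kept as the token's credentials and therefore
 *     lives wherever the {@code Authentication} is stored (typically the HTTP session).
 *     See {@link #setExcludeCredential(boolean)}.</li>
 * <li>Authorities are granted only when a {@link SAMLUserDetailsService} returns a
 *     {@link UserDetails}; without one the token carries no authorities.</li>
 * <li>Failures are logged at DEBUG on the class logger; the {@link SAMLLogger} FAILURE
 *     record is the intended audit trail.</li>
 * </ul>
 */
public class SAMLAuthenticationProvider implements AuthenticationProvider, InitializingBean {
    private static final Logger log = LoggerFactory.getLogger(SAMLAuthenticationProvider.class);
    /** When true the principal is the NameID value as a String (see {@link #getPrincipal}). */
    private boolean forcePrincipalAsString = true;
    /** When true the SAMLCredential is not stored as the token's credentials (they are null). */
    private boolean excludeCredential = false;
    /** Consumer for the plain SAML 2.0 Web SSO profile; required. */
    protected WebSSOProfileConsumer consumer;
    /** Consumer for the Holder-of-Key Web SSO profile; required (checked in afterPropertiesSet). */
    protected WebSSOProfileConsumer hokConsumer;
    /** Audit logger receiving one record per processed response; required. */
    protected SAMLLogger samlLogger;
    /** Optional hook that maps a SAMLCredential to a local user (principal/details/authorities). */
    protected SAMLUserDetailsService userDetails;

    /**
     * Processes a SAML authentication response carried by a {@link SAMLAuthenticationToken}.
     *
     * @param authentication a {@link SAMLAuthenticationToken}; any other type is rejected
     * @return a fully authenticated {@link ExpiringUsernameAuthenticationToken} whose expiry
     *         is the earliest SessionNotOnOrAfter of the assertion (or none), whose principal
     *         comes from {@link #getPrincipal}, whose details are the object returned by the
     *         {@link SAMLUserDetailsService} (may be null) and whose authorities come from
     *         {@link #getEntitlements}
     * @throws IllegalArgumentException if the token type is not supported
     * @throws AuthenticationServiceException if the consumer rejects the message (unsupported
     *         profile, validation, decryption or signature error); the cause is preserved
     */
    @Override // org.springframework.security.authentication.AuthenticationProvider
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        if (!supports(authentication.getClass())) {
            throw new IllegalArgumentException("Only SAMLAuthenticationToken is supported, " + authentication.getClass() + " was attempted");
        }
        SAMLMessageContext context = ((SAMLAuthenticationToken) authentication).getCredentials();
        try {
            // An unsupported profile surfaces as a SAMLException and is reported below like
            // any other validation failure; the consumer does the actual message validation.
            SAMLCredential credential = selectConsumer(context).processAuthenticationResponse(context);
            Object userDetail = getUserDetails(credential);
            Date expiration = getExpirationDate(credential);
            Object principal = getPrincipal(credential, userDetail);
            // excludeCredential=true keeps the assertion out of the Authentication object.
            Object storedCredential = this.excludeCredential ? null : credential;
            Collection<? extends GrantedAuthority> authorities = getEntitlements(credential, userDetail);
            ExpiringUsernameAuthenticationToken result = new ExpiringUsernameAuthenticationToken(expiration, principal, storedCredential, authorities);
            result.setDetails(userDetail);
            this.samlLogger.log(SAMLConstants.AUTH_N_RESPONSE, SAMLConstants.SUCCESS, context, result, null);
            return result;
        } catch (SAMLException e) {
            log.debug("Error validating SAML message", (Throwable) e);
            this.samlLogger.log(SAMLConstants.AUTH_N_RESPONSE, SAMLConstants.FAILURE, context, e);
            throw new AuthenticationServiceException("Error validating SAML message", e);
        } catch (SAMLRuntimeException e) {
            log.debug("Error validating SAML message", (Throwable) e);
            this.samlLogger.log(SAMLConstants.AUTH_N_RESPONSE, SAMLConstants.FAILURE, context, e);
            throw new AuthenticationServiceException("Error validating SAML message", e);
        } catch (DecryptionException e) {
            log.debug("Error decrypting SAML message", (Throwable) e);
            this.samlLogger.log(SAMLConstants.AUTH_N_RESPONSE, SAMLConstants.FAILURE, context, e);
            throw new AuthenticationServiceException("Error decrypting SAML message", e);
        } catch (SecurityException e) {
            log.debug("Error validating signature", (Throwable) e);
            this.samlLogger.log(SAMLConstants.AUTH_N_RESPONSE, SAMLConstants.FAILURE, context, e);
            throw new AuthenticationServiceException("Error validating SAML message signature", e);
        } catch (ValidationException e) {
            log.debug("Error validating signature", (Throwable) e);
            this.samlLogger.log(SAMLConstants.AUTH_N_RESPONSE, SAMLConstants.FAILURE, context, e);
            throw new AuthenticationServiceException("Error validating SAML message signature", e);
        }
    }

    /**
     * Chooses the consumer for the context's communication profile.
     *
     * @param context message context of the incoming response
     * @return the plain Web SSO consumer or the Holder-of-Key consumer
     * @throws SAMLException if the profile is neither of the two supported ones
     */
    private WebSSOProfileConsumer selectConsumer(SAMLMessageContext context) throws SAMLException {
        String profileId = context.getCommunicationProfileId();
        if (SAMLConstants.SAML2_WEBSSO_PROFILE_URI.equals(profileId)) {
            return this.consumer;
        }
        if (SAMLConstants.SAML2_HOK_WEBSSO_PROFILE_URI.equals(profileId)) {
            return this.hokConsumer;
        }
        throw new SAMLException("Unsupported profile encountered in the context " + profileId);
    }

    /**
     * Resolves the local user for a validated credential through the optional
     * {@link SAMLUserDetailsService}.
     *
     * @param credential validated SAML credential
     * @return whatever the service returns, or null when no service is configured
     */
    protected Object getUserDetails(SAMLCredential credential) {
        SAMLUserDetailsService service = getUserDetails();
        if (service == null) {
            return null;
        }
        return service.loadUserBySAML(credential);
    }

    /**
     * Determines the principal stored in the resulting token.
     *
     * @param credential validated SAML credential
     * @param userDetail object returned by {@link #getUserDetails(SAMLCredential)}, may be null
     * @return the NameID value as a String when {@code forcePrincipalAsString} is set;
     *         otherwise {@code userDetail} if non-null, else the NameID element itself
     */
    protected Object getPrincipal(SAMLCredential credential, Object userDetail) {
        if (isForcePrincipalAsString()) {
            return credential.getNameID().getValue();
        }
        if (userDetail != null) {
            return userDetail;
        }
        return credential.getNameID();
    }

    /**
     * Collects the authorities for the resulting token.
     *
     * @param credential validated SAML credential (unused here; available to subclasses)
     * @param userDetail object returned by {@link #getUserDetails(SAMLCredential)}, may be null
     * @return a copy of the {@link UserDetails#getAuthorities()} when {@code userDetail} is a
     *         {@link UserDetails}; an empty list otherwise
     */
    protected Collection<? extends GrantedAuthority> getEntitlements(SAMLCredential credential, Object userDetail) {
        if (!(userDetail instanceof UserDetails)) {
            return Collections.emptyList();
        }
        // Copy so later changes to the UserDetails do not leak into the issued token.
        List<GrantedAuthority> entitlements = new ArrayList<GrantedAuthority>();
        entitlements.addAll(((UserDetails) userDetail).getAuthorities());
        return entitlements;
    }

    /**
     * Computes when the local session created from this assertion should expire.
     *
     * @param credential validated SAML credential
     * @return the earliest non-null SessionNotOnOrAfter across the assertion's
     *         AuthnStatements, or null when none carries one (no expiry enforced here)
     */
    protected Date getExpirationDate(SAMLCredential credential) {
        DateTime earliest = null;
        for (AuthnStatement statement : credential.getAuthenticationAssertion().getAuthnStatements()) {
            DateTime notOnOrAfter = statement.getSessionNotOnOrAfter();
            // Keep the strictest (earliest) bound when several statements are present.
            if (notOnOrAfter != null && (earliest == null || earliest.isAfter(notOnOrAfter))) {
                earliest = notOnOrAfter;
            }
        }
        if (earliest == null) {
            return null;
        }
        return earliest.toDate();
    }

    /** @return the configured user details service, or null */
    public SAMLUserDetailsService getUserDetails() {
        return this.userDetails;
    }

    /**
     * @param authentication token class offered by the {@code ProviderManager}
     * @return true for {@link SAMLAuthenticationToken} and its subclasses
     */
    @Override // org.springframework.security.authentication.AuthenticationProvider
    public boolean supports(Class<?> authentication) {
        return SAMLAuthenticationToken.class.isAssignableFrom(authentication);
    }

    /** Optional service mapping SAML credentials to local users; null disables the mapping. */
    @Autowired(required = false)
    public void setUserDetails(SAMLUserDetailsService userDetailsService) {
        this.userDetails = userDetailsService;
    }

    /** Audit logger; must not be null. */
    @Autowired
    public void setSamlLogger(SAMLLogger logger) {
        Assert.notNull(logger, "SAMLLogger can't be null");
        this.samlLogger = logger;
    }

    /** Consumer for the plain Web SSO profile; must not be null. */
    @Autowired
    @Qualifier("webSSOprofileConsumer")
    public void setConsumer(WebSSOProfileConsumer webSSOProfileConsumer) {
        Assert.notNull(webSSOProfileConsumer, "WebSSO Profile Consumer can't be null");
        this.consumer = webSSOProfileConsumer;
    }

    /** Consumer for the Holder-of-Key Web SSO profile; presence is verified in afterPropertiesSet. */
    @Autowired
    @Qualifier("hokWebSSOprofileConsumer")
    public void setHokConsumer(WebSSOProfileConsumer hokWebSSOProfileConsumer) {
        this.hokConsumer = hokWebSSOProfileConsumer;
    }

    /** @return whether the principal is exposed as the NameID String (default true) */
    public boolean isForcePrincipalAsString() {
        return this.forcePrincipalAsString;
    }

    /** @param forcePrincipalAsString true to use the NameID value as principal, false to prefer the user details object */
    public void setForcePrincipalAsString(boolean forcePrincipalAsString) {
        this.forcePrincipalAsString = forcePrincipalAsString;
    }

    /** @return whether the SAMLCredential is withheld from the issued token (default false) */
    public boolean isExcludeCredential() {
        return this.excludeCredential;
    }

    /**
     * @param excludeCredential true to issue tokens with null credentials instead of the full
     *        SAMLCredential, keeping the assertion out of whatever stores the Authentication
     */
    public void setExcludeCredential(boolean excludeCredential) {
        this.excludeCredential = excludeCredential;
    }

    /**
     * Verifies the required collaborators are wired.
     *
     * @throws IllegalArgumentException if either consumer or the logger is missing
     */
    @Override // org.springframework.beans.factory.InitializingBean
    public void afterPropertiesSet() throws ServletException {
        Assert.notNull(this.consumer, "WebSSO Profile Consumer can't be null");
        Assert.notNull(this.hokConsumer, "WebSSO Profile HoK Consumer can't be null");
        Assert.notNull(this.samlLogger, "SAMLLogger can't be null");
    }
}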
