package com.hazelcast.webmonitor.controller.internal;

import com.coveo.saml.SamlClient;
import com.coveo.saml.SamlException;
import com.coveo.saml.SamlResponse;
import com.hazelcast.webmonitor.controller.dto.SamlFormDTO;
import com.hazelcast.webmonitor.model.SamlConfig;
import com.hazelcast.webmonitor.security.InvalidSamlResponseException;
import com.hazelcast.webmonitor.security.UserHasNoRolesException;
import com.hazelcast.webmonitor.security.spi.SecurityConfigApiException;
import com.hazelcast.webmonitor.security.spi.SecurityProvider;
import com.hazelcast.webmonitor.security.spi.impl.AuthenticationManagerImpl;
import com.hazelcast.webmonitor.security.spi.impl.saml.SamlSecurityProvider;
import com.hazelcast.webmonitor.utils.StringUtil;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Objects;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.schema.XSString;
import org.opensaml.core.xml.schema.impl.XSAnyImpl;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.thymeleaf.context.Context;
import org.thymeleaf.spring4.SpringTemplateEngine;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/classes/com/hazelcast/webmonitor/controller/internal/SamlController.class
 */
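@Controller
/* loaded from: input_file:com/hazelcast/webmonitor/controller/internal/SamlController.class */
public class SamlController {
    private static final Logger LOGGER = LoggerFactory.getLogger(SamlController.class);
    // Resolves the currently configured SecurityProvider; must be a SamlSecurityProvider for this controller to work.
    private final AuthenticationManagerImpl authenticationManager;
    // Renders the SP metadata XML from the "saml-sp-metadata-template" template.
    private final SpringTemplateEngine springTemplateEngine;
    // Invoked on every failed SAML login (invalid response, or a user that maps to no role).
    private final AuthenticationFailureHandler authenticationFailureHandler;

    /**
     * Creates the SAML controller.
     *
     * @param authenticationManagerImpl   manager that exposes the current security provider
     * @param springTemplateEngine        engine used to render the SP metadata template
     * @param authenticationFailureHandler handler that writes the failure response to the client
     */
    public SamlController(AuthenticationManagerImpl authenticationManagerImpl, SpringTemplateEngine springTemplateEngine, AuthenticationFailureHandler authenticationFailureHandler) {
        this.authenticationManager = authenticationManagerImpl;
        this.springTemplateEngine = springTemplateEngine;
        this.authenticationFailureHandler = authenticationFailureHandler;
    }

    /**
     * Builds the data the login page needs to start the SP-initiated flow: the identity provider URL and
     * the encoded SAML authentication request, both taken from a freshly created {@link SamlClient}.
     *
     * @return the IdP URL and SAML request for the login form
     * @throws SamlException          if the client cannot build the request
     * @throws SecurityConfigApiException if no security provider is configured, or it is not the SAML provider
     */
    @GetMapping({"/saml"})
    @ResponseBody
    public SamlFormDTO saml() throws SamlException {
        SamlClient client = getSamlClient();
        return new SamlFormDTO(client.getIdentityProviderUrl(), client.getSamlRequest());
    }

    /**
     * Renders the service-provider metadata document. The only template variable is
     * {@code saml_postback_url}, filled from the configured post-back URL.
     *
     * @return the metadata XML
     * @throws SecurityConfigApiException if no security provider is configured, or it is not the SAML provider
     */
    @GetMapping(value = {"/saml/metadata"}, produces = {"text/xml; charset=utf-8"})
    @ResponseBody
    public String samlMetadata() {
        Context templateContext = new Context();
        templateContext.setVariable("saml_postback_url", getSamlConfig().getPostBackUrl());
        return this.springTemplateEngine.process("saml-sp-metadata-template", templateContext);
    }

    /**
     * Assertion consumer endpoint: decodes and validates the posted {@code SAMLResponse}, maps the
     * configured group attribute to exactly one authority, and either establishes the authentication
     * in the {@link SecurityContextHolder} and redirects to the application root, or hands the
     * failure to the {@link AuthenticationFailureHandler}.
     *
     * <p>Failure cases: a {@link SamlException} from decoding/validation is reported as
     * {@link InvalidSamlResponseException}; a valid response whose groups map to no authority is
     * reported as {@link UserHasNoRolesException}.
     *
     * @param str                 the base64-encoded SAML response posted by the identity provider
     * @param httpServletRequest  the current request
     * @param httpServletResponse the current response
     * @throws IOException      if the redirect or the failure handler fails to write the response
     * @throws ServletException if the failure handler fails
     * @throws SecurityConfigApiException if no security provider is configured, or it is not the SAML provider
     */
    @PostMapping(value = {"/saml/sso"}, produces = {"text/html; charset=utf-8"})
    public void sso(@RequestParam(name = "SAMLResponse") String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        // The whole encoded response - i.e. the assertion with NameID and attribute values - goes to the
        // log at DEBUG. Treat DEBUG logs of this class as identity data and keep the level off where the
        // log destination is less protected than the session store.
        LOGGER.debug("Received SAML response: {}", str);
        SamlClient client = getSamlClient();
        SamlConfig config = getSamlConfig();
        try {
            // Decoding and validation (signature, conditions, ...) are delegated entirely to SamlClient -
            // presumably according to the library's defaults; confirm against the coveo saml-client version in use.
            SamlResponse validated = client.decodeAndValidateSamlResponse(str);
            String principal = validated.getNameID();
            Collection<? extends GrantedAuthority> authorities = getAuthorities(validated, config);
            if (authorities.isEmpty()) {
                // Valid assertion, but none of the configured groups matched: refuse rather than log in role-less.
                this.authenticationFailureHandler.onAuthenticationFailure(httpServletRequest, httpServletResponse, new UserHasNoRolesException());
                return;
            }
            LOGGER.debug("Authenticating user via SAML - username={}, authorities={}", principal, authorities);
            // NOTE(review): the existing HttpSession is not invalidated or renewed here; any session-fixation
            // protection has to come from the surrounding filter-chain configuration - confirm.
            SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(principal, null, authorities));
            // The redirect target is derived from the servlet context path only (no RelayState or other
            // request-supplied value), so it cannot be steered by the caller.
            String contextPath = httpServletRequest.getContextPath();
            httpServletResponse.sendRedirect(StringUtil.isNullOrEmptyAfterTrim(contextPath) ? "/" : contextPath);
        } catch (SamlException e) {
            this.authenticationFailureHandler.onAuthenticationFailure(httpServletRequest, httpServletResponse, new InvalidSamlResponseException(e));
        }
    }

    /**
     * Maps the values of the configured group attribute to a single authority.
     *
     * <p>All attribute statements of the assertion are scanned; attributes whose name equals the configured
     * group attribute (case-insensitively) contribute their values, each value is split on the configured
     * separator (treated literally, not as a regex), and {@code null} values are dropped. Precedence is
     * admin, then user, then read-only user, then metrics-only; a user in several groups receives only the
     * highest one. An empty collection means no configured group matched.
     *
     * @param samlResponse the validated response whose assertion is inspected
     * @param samlConfig   group attribute name, separator and group-to-role mapping
     * @return a single-element collection with the resolved authority, or an empty collection
     */
    private Collection<? extends GrantedAuthority> getAuthorities(SamlResponse samlResponse, SamlConfig samlConfig) {
        String groupAttribute = samlConfig.getGroupAttribute();
        // Pattern.quote: the separator is configuration, but it is still used as a literal, never as a regex.
        String separator = Pattern.quote(samlConfig.getGroupNameSeparator());
        Set<String> groups = samlResponse.getAssertion().getAttributeStatements().stream()
                .flatMap(statement -> statement.getAttributes().stream())
                .filter(attribute -> groupAttribute.equalsIgnoreCase(attribute.getName()))
                .flatMap(attribute -> attribute.getAttributeValues().stream())
                .map(SamlController::getAttributeValue)
                .filter(Objects::nonNull)
                .flatMap(value -> Arrays.stream(value.split(separator)))
                .collect(Collectors.toSet());
        LOGGER.debug("Values for the configured group attribute [{}] are: {}", groupAttribute, groups);
        if (groups.contains(samlConfig.getAdminGroup())) {
            return Collections.singleton(SecurityProvider.ADMIN_AUTHORITY);
        }
        if (groups.contains(samlConfig.getUserGroup())) {
            return Collections.singleton(SecurityProvider.USER_AUTHORITY);
        }
        if (groups.contains(samlConfig.getReadonlyUserGroup())) {
            return Collections.singleton(SecurityProvider.READONLY_USER_AUTHORITY);
        }
        if (groups.contains(samlConfig.getMetricsOnlyGroup())) {
            return Collections.singleton(SecurityProvider.METRICS_ONLY_AUTHORITY);
        }
        return Collections.emptySet();
    }

    /** Reads the SAML configuration from the current SAML security provider. */
    private SamlConfig getSamlConfig() {
        return getSamlSecurityProvider().readConfig();
    }

    /** Creates a new {@link SamlClient} from the current SAML security provider. */
    private SamlClient getSamlClient() {
        return getSamlSecurityProvider().newSamlClient();
    }

    /**
     * Returns the active security provider as a {@link SamlSecurityProvider}.
     *
     * @throws SecurityConfigApiException if no provider is configured, or the configured one is not SAML
     */
    private SamlSecurityProvider getSamlSecurityProvider() {
        if (!this.authenticationManager.isSecurityProviderConfigured()) {
            throw new SecurityConfigApiException("Security provider needs to be configured for SAML authentication to work.");
        }
        SecurityProvider current = this.authenticationManager.getCurrentSecurityProvider();
        if (current instanceof SamlSecurityProvider) {
            return (SamlSecurityProvider) current;
        }
        throw new SecurityConfigApiException("Current security provider needs to be SAML for SAML authentication to work.");
    }

    /**
     * Extracts the textual value of an attribute value element.
     *
     * <p>{@code xs:string} values yield their string, {@code xs:any} values their text content. Any other
     * element type falls back to {@code toString()}, which is unlikely to equal a configured group name -
     * review this if the identity provider emits other value types.
     *
     * @param xmlObject the attribute value element, may be {@code null}
     * @return the value text, or {@code null} when the element is {@code null}
     */
    private static String getAttributeValue(XMLObject xmlObject) {
        if (xmlObject == null) {
            return null;
        }
        if (xmlObject instanceof XSString) {
            return getStringAttributeValue((XSString) xmlObject);
        }
        if (xmlObject instanceof XSAnyImpl) {
            return getAnyAttributeValue((XSAnyImpl) xmlObject);
        }
        return xmlObject.toString();
    }

    /** Value of an {@code xs:string} attribute value. */
    private static String getStringAttributeValue(XSString xsString) {
        return xsString.getValue();
    }

    /** Text content of an {@code xs:any} attribute value. */
    private static String getAnyAttributeValue(XSAnyImpl xsAny) {
        return xsAny.getTextContent();
    }
}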
