package com.hazelcast.webmonitor.security.spi.impl.saml;

import com.coveo.saml.SamlClient;
import com.coveo.saml.SamlException;
import com.hazelcast.webmonitor.configreplacer.ConfigReplacerHelper;
import com.hazelcast.webmonitor.model.SamlConfig;
import com.hazelcast.webmonitor.security.spi.SecurityConfigApiException;
import com.hazelcast.webmonitor.security.spi.SecurityConfigParameter;
import com.hazelcast.webmonitor.security.spi.SecurityProvider;
import com.hazelcast.webmonitor.service.HomeDirectoryProvider;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Properties;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.client.methods.RequestBuilder;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.message.BasicNameValuePair;
import org.opensaml.core.config.InitializationException;
import org.opensaml.core.config.Initializer;
import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider;
import org.springframework.core.type.filter.AssignableTypeFilter;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/classes/com/hazelcast/webmonitor/security/spi/impl/saml/SamlSecurityProvider.class
 */
/* loaded from: input_file:com/hazelcast/webmonitor/security/spi/impl/saml/SamlSecurityProvider.class */
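public class SamlSecurityProvider implements SecurityProvider {
    /** Configuration parameters this provider accepts, in the order they are presented. */
    private static final List<SecurityConfigParameter> CONFIG_PARAMETERS = Collections.unmodifiableList(Arrays.asList(
            SecurityConfigParameter.stringParam("relyingPartyId", "Relying Party Identifier"),
            SecurityConfigParameter.stringParam("postBackUrl", "Post Back URL"),
            SecurityConfigParameter.stringParam("groupAttribute", "Group Attribute"),
            SecurityConfigParameter.stringParam("idpMetadata", "Identity Provider Metadata"),
            SecurityConfigParameter.stringParam("groupNameSeparator", "Group Name Separator", ","),
            SecurityConfigParameter.stringParam("adminGroup", "Admin Group", "MancenterAdmin"),
            SecurityConfigParameter.stringParam("userGroup", "User Group", "MancenterUser"),
            SecurityConfigParameter.stringParam("readonlyUserGroup", "Read-only User Group", "MancenterReadonlyUser"),
            SecurityConfigParameter.stringParam("metricsOnlyGroup", "Metrics-only Group", "MancenterMetricsOnlyUser")));
    /** Header comment written into the properties file by {@link #writeConfig(SamlConfig)}. */
    private static final String COMMENT = "Management Center SAML Configuration";
    /** Connect and socket timeout applied to the outbound request made by {@link #testConfig}. */
    private static final int TEST_CONFIG_IDP_CONNECTION_TIMEOUT_MILLIS = 5000;
    /** Lowest HTTP status code accepted from the IdP in {@link #testConfig} (2xx). */
    private static final int MIN_ACCEPTED_STATUS = 200;
    /** First HTTP status code rejected by {@link #testConfig}; 3xx replies are still accepted. */
    private static final int MIN_REJECTED_STATUS = 400;

    private final AuthenticationProvider authenticationProvider = new NoOpAuthenticationProvider();
    /** The {@code saml.properties} file under the home directory that holds the persisted configuration. */
    private final File file;

    /**
     * Authentication provider that refuses every username/password authentication attempt.
     * When SAML is configured, interactive credential login is not available through this provider.
     */
    private static final class NoOpAuthenticationProvider implements AuthenticationProvider {
        private NoOpAuthenticationProvider() {
        }

        /**
         * Always rejects the request.
         *
         * @throws UnsupportedOperationException on every call
         */
        @Override // org.springframework.security.authentication.AuthenticationProvider
        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            throw new UnsupportedOperationException("SAML is configured. Username/password authentication is disabled.");
        }

        /** Supports no authentication token type, so Spring never routes a token here. */
        @Override // org.springframework.security.authentication.AuthenticationProvider
        public boolean supports(Class<?> cls) {
            return false;
        }
    }

    /**
     * Creates a provider whose configuration lives in {@code saml.properties} inside the supplied home directory.
     *
     * @param homeDirectoryProvider source of the home directory path
     */
    public SamlSecurityProvider(HomeDirectoryProvider homeDirectoryProvider) {
        this.file = homeDirectoryProvider.get().resolve("saml.properties").toFile();
    }

    @Override // com.hazelcast.webmonitor.security.spi.SecurityProvider
    public String getName() {
        return "SAML";
    }

    @Override // com.hazelcast.webmonitor.security.spi.SecurityProvider
    public List<SecurityConfigParameter> getConfigParameters() {
        return CONFIG_PARAMETERS;
    }

    /**
     * Persists the supplied parameter map as the SAML configuration file.
     *
     * @param map parameter values keyed by the names in {@link #CONFIG_PARAMETERS}
     * @throws SecurityConfigApiException if the file cannot be written
     */
    @Override // com.hazelcast.webmonitor.security.spi.SecurityProvider
    public void saveConfig(Map<String, String> map) {
        writeConfig(newSamlConfig(map));
    }

    @Override // com.hazelcast.webmonitor.security.spi.SecurityProvider
    public AuthenticationProvider getAuthenticationProvider() {
        return this.authenticationProvider;
    }

    /**
     * Verifies the supplied configuration by building a SAML client from it and POSTing a SAML request to the
     * Identity Provider URL found in the metadata. A 2xx or 3xx reply counts as success.
     * <p>
     * The first two parameters are not used by this provider. The target of the outbound request is taken from the
     * IdP metadata supplied in {@code map}.
     * NOTE(review): this method makes an outbound HTTP request to a user-supplied URL; it should only be reachable
     * from the administrative configuration flow — confirm at the caller.
     *
     * @param str    unused
     * @param str2   unused
     * @param map    parameter values keyed by the names in {@link #CONFIG_PARAMETERS}
     * @return {@link Optional#empty()} on success; failures are reported by exception
     * @throws SecurityConfigApiException if the client cannot be built, the request fails, or the IdP replies with a
     *                                    status outside 2xx/3xx
     */
    @Override // com.hazelcast.webmonitor.security.spi.SecurityProvider
    public Optional<String> testConfig(String str, String str2, Map<String, String> map) {
        SamlClient samlClient = newSamlClient(newSamlConfig(map));
        RequestConfig requestConfig = RequestConfig.custom()
                .setConnectTimeout(TEST_CONFIG_IDP_CONNECTION_TIMEOUT_MILLIS)
                .setSocketTimeout(TEST_CONFIG_IDP_CONNECTION_TIMEOUT_MILLIS)
                .build();
        try {
            UrlEncodedFormEntity entity = new UrlEncodedFormEntity(
                    Collections.singletonList(new BasicNameValuePair("SAMLRequest", samlClient.getSamlRequest())),
                    StandardCharsets.UTF_8);
            String identityProviderUrl = samlClient.getIdentityProviderUrl();
            HttpUriRequest request = RequestBuilder.post(identityProviderUrl)
                    .setConfig(requestConfig)
                    .setEntity(entity)
                    .build();
            // try-with-resources closes the response and then the client on every exit path, including when
            // execute() itself throws (the hand-rolled close logic previously left the client open in that case).
            try (CloseableHttpClient client = HttpClientBuilder.create().build();
                 CloseableHttpResponse response = client.execute(request)) {
                int statusCode = response.getStatusLine().getStatusCode();
                // Compare on the raw code: HttpStatus.valueOf(int) throws IllegalArgumentException for codes it does
                // not enumerate, which would turn an unusual IdP reply into an unrelated failure instead of the
                // message below.
                if (statusCode < MIN_ACCEPTED_STATUS || statusCode >= MIN_REJECTED_STATUS) {
                    throw new SecurityConfigApiException("POST request to SAML Identity Provider located at "
                            + identityProviderUrl + " returned " + statusCode + " "
                            + response.getStatusLine().getReasonPhrase());
                }
                return Optional.empty();
            } catch (IOException e) {
                throw new SecurityConfigApiException(
                        "Failed to make a POST request to SAML Identity Provider located at " + identityProviderUrl, e);
            }
        } catch (SamlException e) {
            throw new SecurityConfigApiException("Failed to get SAML request: " + e.getMessage(), e);
        }
    }

    /**
     * Builds a SAML client from the persisted configuration file.
     *
     * @throws SecurityConfigApiException if the file cannot be read or the client cannot be built
     */
    public SamlClient newSamlClient() {
        return newSamlClient(readConfig());
    }

    /**
     * Builds a SAML client from the given configuration, initializing OpenSAML first.
     *
     * @param samlConfig relying party id, post-back URL and IdP metadata to use
     * @throws SecurityConfigApiException if OpenSAML initialization or metadata parsing fails
     */
    public static SamlClient newSamlClient(SamlConfig samlConfig) {
        try {
            initializeOpenSAML();
            return SamlClient.fromMetadata(samlConfig.getRelyingPartyId(), samlConfig.getPostBackUrl(),
                    new StringReader(samlConfig.getIdpMetadata()));
        } catch (SamlException | ReflectiveOperationException | InitializationException e) {
            throw new SecurityConfigApiException("Failed to create SAML client: " + e.getMessage(), e);
        }
    }

    /**
     * Scans the {@code org.opensaml} package for {@link Initializer} implementations and runs each one.
     * Scanning is repeated on every call; OpenSAML initializers are expected to tolerate that — confirm if a
     * new initializer is added.
     */
    private static void initializeOpenSAML() throws ReflectiveOperationException, InitializationException {
        ClassPathScanningCandidateComponentProvider scanner = new ClassPathScanningCandidateComponentProvider(false);
        scanner.addIncludeFilter(new AssignableTypeFilter(Initializer.class));
        for (BeanDefinition candidate : scanner.findCandidateComponents("org/opensaml")) {
            // getDeclaredConstructor().newInstance() replaces the deprecated Class.newInstance(), which
            // propagated checked constructor exceptions without declaring them.
            Initializer initializer = (Initializer) Class.forName(candidate.getBeanClassName())
                    .getDeclaredConstructor()
                    .newInstance();
            initializer.init();
        }
    }

    /**
     * Loads the SAML configuration from {@code saml.properties}, applying configuration replacers first.
     *
     * @throws SecurityConfigApiException if the file is missing or cannot be read
     */
    public SamlConfig readConfig() {
        Properties properties = new Properties();
        try (InputStreamReader reader = new InputStreamReader(new FileInputStream(this.file), StandardCharsets.UTF_8)) {
            properties.load(reader);
            return SamlConfig.fromProperties(ConfigReplacerHelper.replace(properties));
        } catch (IOException e) {
            // Keep the cause so the underlying I/O problem (permissions, missing file, ...) is not lost.
            throw new SecurityConfigApiException(
                    "SAML configuration couldn't be read from file [" + this.file.getAbsolutePath() + "]", e);
        }
    }

    /**
     * Writes the given configuration to {@code saml.properties}, replacing any previous contents.
     *
     * @throws SecurityConfigApiException if the file cannot be written
     */
    private void writeConfig(SamlConfig samlConfig) {
        Properties properties = new Properties();
        properties.putAll(samlConfig.toProperties());
        try (OutputStreamWriter writer = new OutputStreamWriter(new FileOutputStream(this.file), StandardCharsets.UTF_8)) {
            properties.store(writer, COMMENT);
        } catch (IOException e) {
            // Keep the cause so the underlying I/O problem is not lost.
            throw new SecurityConfigApiException(
                    "SAML configuration couldn't be written to file [" + this.file.getAbsolutePath() + "]", e);
        }
    }

    /**
     * Maps the parameter values keyed by the names in {@link #CONFIG_PARAMETERS} onto a {@link SamlConfig}.
     * Missing keys are passed through as {@code null}; defaults are not applied here.
     */
    private static SamlConfig newSamlConfig(Map<String, String> map) {
        return SamlConfig.builder()
                .relyingPartyId(map.get("relyingPartyId"))
                .postBackUrl(map.get("postBackUrl"))
                .groupAttribute(map.get("groupAttribute"))
                .idpMetadata(map.get("idpMetadata"))
                .groupNameSeparator(map.get("groupNameSeparator"))
                .adminGroup(map.get("adminGroup"))
                .userGroup(map.get("userGroup"))
                .readonlyUserGroup(map.get("readonlyUserGroup"))
                .metricsOnlyGroup(map.get("metricsOnlyGroup"))
                .build();
    }
}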
