package io.datarouter.web.user.authenticate.saml;

import io.datarouter.util.collection.SetTool;
import io.datarouter.util.string.StringTool;
import io.datarouter.web.handler.mav.Mav;
import io.datarouter.web.handler.mav.imp.GlobalRedirectMav;
import io.datarouter.web.user.session.service.Role;
import io.datarouter.web.user.session.service.RoleManager;
import io.datarouter.web.user.session.service.Session;
import io.datarouter.web.user.session.service.UserSessionService;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.KeyPair;
import java.security.Security;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.inject.Inject;
import javax.inject.Singleton;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.opensaml.core.config.InitializationException;
import org.opensaml.core.config.InitializationService;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.messaging.context.SAMLBindingContext;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.xmlsec.config.JavaCryptoValidationInitializer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

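/**
 * Service-provider side of the SAML web SSO flow.
 *
 * <p>{@link #redirectToIdentityProvider} sends the browser to the IdP with a signed AuthnRequest;
 * {@link #consumeAssertion} handles the Response the IdP posts back to the assertion consumer
 * service, signs the user in and redirects to the originally requested page.
 *
 * <p>All fields are final and assigned in the constructor, so the instance carries no mutable
 * state of its own after construction.
 */
@Singleton
public class SamlService {
    private static final Logger logger = LoggerFactory.getLogger(SamlService.class);
    /** Request parameter carrying the base64 SAML Response in the HTTP-POST binding. */
    private static final String SAML_RESPONSE = "SAMLResponse";

    private final SamlSettings samlSettings;
    private final UserSessionService userSessionService;
    private final RoleManager roleManager;
    private final Optional<SamlRegistrar> samlRegistrar;
    private final KeyPair signingKeyPair;

    /**
     * Initializes OpenSAML and generates the key pair used to sign AuthnRequests.
     *
     * @param optional registrar that announces this service provider to the IdP, if one is configured
     * @throws IllegalStateException if OpenSAML or its crypto validation cannot be initialized
     */
    @Inject
    public SamlService(SamlSettings samlSettings, UserSessionService userSessionService, RoleManager roleManager, Optional<SamlRegistrar> optional) {
        this.samlSettings = samlSettings;
        this.userSessionService = userSessionService;
        this.roleManager = roleManager;
        this.samlRegistrar = optional;
        if (logger.isDebugEnabled()) {
            String providerInfo = Arrays.stream(Security.getProviders())
                    .map(provider -> provider.getInfo())
                    .collect(Collectors.joining(", ", "Security providers: ", ""));
            logger.debug(providerInfo);
        }
        try {
            // Fail fast if the installed JCE providers cannot satisfy OpenSAML's crypto requirements.
            new JavaCryptoValidationInitializer().init();
            InitializationService.initialize();
            this.signingKeyPair = RandomSamlKeyPair.getKeyPair();
        } catch (InitializationException e) {
            throw new IllegalStateException("Initialization failed", e);
        }
    }

    /**
     * Clears the session cookies and sends the browser to the IdP's home page.
     *
     * @return a redirect to the configured IdP home URL
     */
    public Mav mavSignout(HttpServletResponse httpServletResponse) {
        this.userSessionService.clearSessionCookies(httpServletResponse);
        String idpHomeUrl = (String) this.samlSettings.idpHomeUrl.getValue();
        return new GlobalRedirectMav(idpHomeUrl);
    }

    /**
     * Starts an SP-initiated login: optionally registers with the IdP, then redirects the browser
     * to the IdP with a signed AuthnRequest.
     *
     * @throws IllegalStateException if SAML processing is disabled in the settings
     * @throws RuntimeException      if registration with the IdP fails and failures are not ignored
     */
    public void redirectToIdentityProvider(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (!this.samlSettings.getShouldProcess()) {
            throw new IllegalStateException("SAML Configuration error");
        }
        registerWithIdentityProvider();
        String entityId = (String) this.samlSettings.entityId.getValue();
        String assertionConsumerServiceUrl = SamlTool.getUrlInRequestContext(httpServletRequest,
                (String) this.samlSettings.assertionConsumerServicePath.getValue());
        String idpSamlUrl = (String) this.samlSettings.idpSamlUrl.getValue();
        // The page the user asked for; presumably carried to the IdP as RelayState and echoed
        // back to the ACS, where getRedirectUrlFromResponse() re-validates it (it is not signed).
        String requestedUrl = getUrlWithQueryString(httpServletRequest);
        AuthnRequestMessageConfig config = new AuthnRequestMessageConfig(entityId, assertionConsumerServiceUrl,
                idpSamlUrl, requestedUrl, null, this.signingKeyPair);
        SamlTool.redirectWithAuthnRequestContext(httpServletResponse, SamlTool.buildAuthnRequestAndContext(config));
    }

    /**
     * Registers this service provider with the IdP when a registrar is configured.
     * A failure is rethrown unless the settings say to ignore registration failures, in which
     * case it is only logged.
     */
    private void registerWithIdentityProvider() {
        try {
            this.samlRegistrar.ifPresent(registrar -> registrar.register());
        } catch (RuntimeException e) {
            boolean ignoreFailures = (Boolean) this.samlSettings.ignoreServiceProviderRegistrationFailures.getValue();
            if (!ignoreFailures) {
                throw e;
            }
            logger.warn("Ignoring failure to register with IdP.", e);
        }
    }

    /** Reconstructs the absolute request URL, including the query string when one is present. */
    private static String getUrlWithQueryString(HttpServletRequest httpServletRequest) {
        String url = httpServletRequest.getRequestURL().toString();
        String queryString = httpServletRequest.getQueryString();
        return queryString == null ? url : url + "?" + queryString;
    }

    /**
     * Assertion consumer service endpoint: validates the posted SAML Response, signs the user in
     * from the first assertion that yields a session, and redirects to the requested page.
     * Responds with 403 when SAML processing is disabled, no {@code SAMLResponse} parameter is
     * present, or no assertion produces a session.
     */
    public void consumeAssertion(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (!this.samlSettings.getShouldProcess() || httpServletRequest.getParameter(SAML_RESPONSE) == null) {
            send403(httpServletResponse);
            return;
        }
        // Presumably verifies the Response signature against the configured credential; the
        // assertions below are only trusted because of this step.
        MessageContext<SAMLObject> responseContext = SamlTool.getAndValidateResponseMessageContext(
                httpServletRequest, this.samlSettings.getSignatureCredential());
        Response response = (Response) responseContext.getMessage();
        for (Assertion assertion : response.getAssertions()) {
            if (createAndSetSession(httpServletRequest, httpServletResponse, assertion) != null) {
                String redirectUrl = getRedirectUrlFromResponse(responseContext, httpServletRequest);
                redirect(httpServletRequest, httpServletResponse, redirectUrl);
                return;
            }
        }
        // No assertion yielded a session.
        send403(httpServletResponse);
    }

    /** Sends an HTTP 403; an I/O failure while writing the error is rethrown unchecked. */
    private void send403(HttpServletResponse httpServletResponse) {
        try {
            httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    /**
     * Signs in the user named by the assertion's subject NameID (creating the user if needed),
     * sets the session cookies and returns the session.
     *
     * @return the session from the session service, which may be null when sign-in did not happen
     */
    private Session createAndSetSession(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Assertion assertion) {
        String username = assertion.getSubject().getNameID().getValue();
        Set<Role> roles = determineRoles(assertion, this.samlSettings.getAttributeToRoleGroupIdMap());
        Session session = this.userSessionService.signInUserWithCreateIfNecessary(httpServletRequest, username, roles, "SAML User");
        this.userSessionService.setSessionCookies(httpServletResponse, session);
        return session;
    }

    /**
     * Computes the roles for a signed-in user: the default roles, plus, when role groups are
     * allowed, the roles of every group whose attribute value is mapped in {@code attributeToRoleGroupId}.
     *
     * @param attributeToRoleGroupId maps a group attribute value from the assertion to a role group id;
     *                               unmapped values are ignored
     */
    private Set<Role> determineRoles(Assertion assertion, Map<String, String> attributeToRoleGroupId) {
        Set<Role> defaultRoles = this.roleManager.getDefaultRoles();
        boolean allowRoleGroups = (Boolean) this.samlSettings.shouldAllowRoleGroups.getValue();
        if (!allowRoleGroups) {
            return defaultRoles;
        }
        Set<Role> groupRoles = SamlTool.streamGroupNameValues(assertion)
                .map(attributeToRoleGroupId::get)
                .filter(Objects::nonNull)
                .map(this.roleManager::getRolesForGroup)
                .flatMap(Collection::stream)
                .collect(Collectors.toSet());
        return SetTool.union(defaultRoles, groupRoles);
    }

    /**
     * Redirects to {@code redirectUrl}, or to the application root when it is null.
     */
    private void redirect(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String redirectUrl) {
        String target = redirectUrl == null ? SamlTool.getUrlInRequestContext(httpServletRequest, "/") : redirectUrl;
        logger.debug("Redirecting to requested URL: {}", target);
        try {
            httpServletResponse.sendRedirect(target);
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    /**
     * Chooses the post-login redirect target from the RelayState the IdP echoed back.
     *
     * <p>RelayState is a separate form field, not part of the signed Response, so it is treated
     * as untrusted input: only a relative reference or an absolute URL on this request's host is
     * honoured, and a target that looks like the sign-in page itself is skipped so the user is
     * not bounced back into the login flow. Anything else falls back to the context root.
     */
    private static String getRedirectUrlFromResponse(MessageContext<SAMLObject> messageContext, HttpServletRequest httpServletRequest) {
        String contextRoot = httpServletRequest.getContextPath() + "/";
        String relayState = StringTool.nullSafe(messageContext.getSubcontext(SAMLBindingContext.class, true).getRelayState());
        String pathPart = relayState.toLowerCase().split("\\?")[0];
        if (StringTool.isEmptyOrWhitespace(pathPart) || pathPart.endsWith("signin") || pathPart.endsWith("login")) {
            return contextRoot;
        }
        if (!isSameSiteTarget(relayState, httpServletRequest)) {
            logger.warn("Ignoring RelayState that does not point at this host: {}", relayState);
            return contextRoot;
        }
        return relayState;
    }

    /**
     * Returns true when {@code target} cannot lead off this site: a relative reference with no
     * scheme and no authority (so {@code //other-host} forms are rejected), or an absolute URL
     * whose host equals the current request's server name. Unparseable targets are rejected.
     */
    private static boolean isSameSiteTarget(String target, HttpServletRequest httpServletRequest) {
        URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return false;
        }
        if (uri.getScheme() == null && uri.getRawAuthority() == null) {
            return true;
        }
        return uri.getHost() != null && uri.getHost().equalsIgnoreCase(httpServletRequest.getServerName());
    }
}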
