package org.apache.syncope.sra.security.saml2;

import java.net.URI;
import java.util.Objects;
import org.apache.syncope.sra.security.pac4j.NoOpSessionStore;
import org.apache.syncope.sra.security.pac4j.ServerWebExchangeContext;
import org.apache.syncope.sra.security.web.server.DoNothingIfCommittedServerRedirectStrategy;
import org.apache.syncope.sra.session.SessionUtils;
import org.pac4j.saml.client.SAML2Client;
import org.pac4j.saml.credentials.SAML2Credentials;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.server.ServerRedirectStrategy;
import org.springframework.security.web.server.WebFilterExchange;
import org.springframework.security.web.server.authentication.AuthenticationWebFilter;
import org.springframework.security.web.server.authentication.ServerAuthenticationConverter;
import org.springframework.security.web.server.authentication.ServerAuthenticationSuccessHandler;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

/* loaded from: input_file:org/apache/syncope/sra/security/saml2/SAML2WebSsoAuthenticationWebFilter.class */
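/**
 * Authentication filter that consumes a SAML 2.0 response posted as the {@code SAMLResponse}
 * form parameter, validates it through the configured pac4j {@link SAML2Client} and, on success,
 * redirects to the URI stored in the web session under {@link SessionUtils#INITIAL_REQUEST_URI}.
 *
 * <p>The {@code SAMLResponse} value is attacker-controllable input: nothing in this class trusts
 * it before {@code saml2Client.getAuthenticator().validate(...)} has returned normally.
 */
public class SAML2WebSsoAuthenticationWebFilter extends AuthenticationWebFilter {
    /** Path of the endpoint on which SAML responses are accepted. */
    public static final String FILTER_PROCESSES_URI = "/login/saml2/sso";

    private static final ServerWebExchangeMatcher MATCHER =
            ServerWebExchangeMatchers.pathMatchers(FILTER_PROCESSES_URI);

    private final SAML2Client saml2Client;

    /**
     * Creates the filter and installs its request matcher, authentication converter and success handler.
     *
     * @param reactiveAuthenticationManager manager that authenticates the token built from the SAML response
     * @param sAML2Client pac4j client used to extract and validate the SAML credentials
     */
    public SAML2WebSsoAuthenticationWebFilter(ReactiveAuthenticationManager reactiveAuthenticationManager, SAML2Client sAML2Client) {
        super(reactiveAuthenticationManager);
        this.saml2Client = sAML2Client;
        setRequiresAuthenticationMatcher(matchSamlResponse());
        setServerAuthenticationConverter(convertSamlResponse());
        setAuthenticationSuccessHandler(redirectToInitialRequestURI());
    }

    /**
     * Runs the inherited authentication filter, then completes the response.
     *
     * @param serverWebExchange current exchange
     * @param webFilterChain remaining filter chain
     * @return completion signal emitted after the response has been completed
     */
    @Override
    public Mono<Void> filter(ServerWebExchange serverWebExchange, WebFilterChain webFilterChain) {
        return super.filter(serverWebExchange, webFilterChain)
                .then(Mono.defer(serverWebExchange.getResponse()::setComplete));
    }

    /**
     * Builds the matcher that decides whether an exchange carries a SAML response.
     *
     * <p>Only the presence of the {@code SAMLResponse} form key is tested here; the request path
     * is checked separately in {@link #convertSamlResponse()}.
     *
     * @return matcher that matches when the form data contains {@code SAMLResponse}
     */
    private ServerWebExchangeMatcher matchSamlResponse() {
        return exchange -> exchange.getFormData()
                .filter(form -> form.containsKey("SAMLResponse"))
                .flatMap(form -> ServerWebExchangeMatcher.MatchResult.match())
                .switchIfEmpty(ServerWebExchangeMatcher.MatchResult.notMatch());
    }

    /**
     * Builds the converter that turns a posted SAML response into a {@link SAML2AuthenticationToken}.
     *
     * <p>The converter yields nothing unless the request path is {@link #FILTER_PROCESSES_URI},
     * so a {@code SAMLResponse} field posted to any other path is not parsed or validated here
     * and the request continues down the filter chain.
     *
     * @return converter emitting a token only for validated responses on the SSO endpoint
     */
    private ServerAuthenticationConverter convertSamlResponse() {
        return exchange -> exchange.getFormData().flatMap(form -> MATCHER.matches(exchange)
                // pathMatchers always emits a MatchResult (match or notMatch), so the result has
                // to be inspected explicitly; without this filter every path would be accepted.
                .filter(ServerWebExchangeMatcher.MatchResult::isMatch)
                .flatMap(matchResult -> {
                    ServerWebExchangeContext context = new ServerWebExchangeContext(exchange).setForm(form);

                    // NOTE(review): IllegalStateException is not an AuthenticationException, so this
                    // failure bypasses the filter's authentication-failure handling - confirm that the
                    // generic error path is the intended response for a missing/undecodable assertion.
                    SAML2Credentials credentials = (SAML2Credentials) this.saml2Client.getCredentialsExtractor()
                            .extract(context, NoOpSessionStore.INSTANCE)
                            .orElseThrow(() -> new IllegalStateException("No AuthnResponse found"));

                    // Validation must succeed before a token is created from the credentials.
                    this.saml2Client.getAuthenticator().validate(credentials, context, NoOpSessionStore.INSTANCE);

                    return Mono.just(new SAML2AuthenticationToken(credentials));
                }));
    }

    /**
     * Builds the success handler that sends the browser back to the originally requested URI.
     *
     * @return handler redirecting to the session attribute {@link SessionUtils#INITIAL_REQUEST_URI}
     */
    private ServerAuthenticationSuccessHandler redirectToInitialRequestURI() {
        return new ServerAuthenticationSuccessHandler() {
            private final ServerRedirectStrategy redirectStrategy = new DoNothingIfCommittedServerRedirectStrategy();

            @Override
            public Mono<Void> onAuthenticationSuccess(WebFilterExchange webFilterExchange, Authentication authentication) {
                return webFilterExchange.getExchange().getSession().flatMap(webSession -> {
                    // getRequiredAttribute fails when the attribute is absent, e.g. a response that
                    // arrives on a session that never recorded an initial request.
                    // NOTE(review): the redirect target is whatever was stored in the session; where
                    // it is written is outside this class - confirm it is only ever set from the
                    // gateway's own request URI and never from a request parameter.
                    URI initialRequestUri = webSession.getRequiredAttribute(SessionUtils.INITIAL_REQUEST_URI);
                    return this.redirectStrategy.sendRedirect(webFilterExchange.getExchange(), initialRequestUri);
                });
            }
        };
    }
}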
