package eu.unicore.security.wsutil.client.authn;

import eu.emi.security.authn.x509.impl.X500NameUtils;
import eu.unicore.samly2.SAMLConstants;
import eu.unicore.samly2.assertion.Assertion;
import eu.unicore.samly2.assertion.AssertionParser;
import eu.unicore.samly2.assertion.AttributeAssertionParser;
import eu.unicore.samly2.elements.NameID;
import eu.unicore.samly2.exceptions.SAMLValidationException;
import eu.unicore.security.canl.PasswordCallback;
import eu.unicore.security.canl.TruststoreProperties;
import eu.unicore.security.etd.TrustDelegation;
import eu.unicore.security.wsutil.client.SAMLAttributePushOutHandler;
import eu.unicore.security.wsutil.samlclient.AuthnResponseAssertions;
import eu.unicore.security.wsutil.samlclient.SAMLAuthnClient;
import eu.unicore.util.httpclient.DefaultClientConfiguration;
import eu.unicore.util.httpclient.ETDClientSettings;
import eu.unicore.util.httpclient.SessionIDProviderImpl;
import java.io.IOException;
import java.net.MalformedURLException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Properties;
import org.apache.log4j.spi.LoggingEventFieldResolver;
import xmlbeans.org.oasis.saml2.assertion.AssertionDocument;

/* loaded from: input_file:eu/unicore/security/wsutil/client/authn/SAMLAuthN.class */
public class SAMLAuthN extends PropertiesBasedAuthenticationProvider {
    public static final String NAME = "unity";
    protected UsernameCallback usernameCallback;
    protected AssertionsCache assertionsCache;

    public SAMLAuthN(Properties properties, PasswordCallback passwordCallback, UsernameCallback usernameCallback, AssertionsCache assertionsCache) {
        super(properties, passwordCallback);
        this.assertionsCache = new InMemoryAssertionCache();
        this.usernameCallback = usernameCallback;
        this.assertionsCache = assertionsCache;
    }

    protected SAMLAuthN() {
        this.assertionsCache = new InMemoryAssertionCache();
    }

    @Override // eu.unicore.security.wsutil.client.authn.AuthenticationProvider
    public String getName() {
        return NAME;
    }

    @Override // eu.unicore.security.wsutil.client.authn.AuthenticationProvider
    public String getDescription() {
        return "Authenticate with login and password to a Unity service. The obtained SAML credentials are locally stored and used until they expire. For this method, a truststore must be properly configured, but no keystore/certificate credential is required.";
    }

    @Override // eu.unicore.security.wsutil.client.authn.AuthenticationProvider
    public DefaultClientConfiguration getClientConfiguration(String str, String str2, DelegationSpecification delegationSpecification) throws Exception {
        SAMLAuthNProperties sAMLAuthNProperties = new SAMLAuthNProperties(this.properties);
        DefaultClientConfiguration anonymousClientConfiguration = getAnonymousClientConfiguration();
        if (str == null) {
            throw new IllegalArgumentException("SAMLAuthN always require target service address");
        }
        String value = sAMLAuthNProperties.getValue(SAMLAuthNProperties.ADDRESS);
        String extractServerID = SessionIDProviderImpl.extractServerID(str);
        AuthnResponseAssertions authnResponseAssertions = this.assertionsCache.get(getKey(extractServerID, str2));
        if (authnResponseAssertions == null) {
            authnResponseAssertions = doSAMLAuthn(getUsername(sAMLAuthNProperties), getPassword(sAMLAuthNProperties), value, str2, extractServerID, anonymousClientConfiguration);
            this.assertionsCache.store(getKey(extractServerID, str2), authnResponseAssertions);
        }
        return buildFinalSettings(authnResponseAssertions, anonymousClientConfiguration, delegationSpecification);
    }

    @Override // eu.unicore.security.wsutil.client.authn.AuthenticationProvider
    public String getUsage() {
        return "The following properties can be used in the UCC preference file to configure the Unity/SAML authentication. Many of these are optional. Refer to the manual and/or the example files.\n" + getMeta(SAMLAuthNProperties.class, SAMLAuthNProperties.PREFIX) + "\nFor configuring your trusted CAs:\n" + getMeta(TruststoreProperties.class, TruststoreProperties.DEFAULT_PREFIX);
    }

    private AuthnResponseAssertions doSAMLAuthn(String str, char[] cArr, String str2, String str3, String str4, DefaultClientConfiguration defaultClientConfiguration) throws MalformedURLException, SAMLValidationException {
        defaultClientConfiguration.setHttpAuthn(true);
        defaultClientConfiguration.setHttpPassword(String.valueOf(cArr));
        defaultClientConfiguration.setHttpUser(str);
        return new SAMLAuthnClient(str2, defaultClientConfiguration).authenticate(SAMLConstants.NFORMAT_DN, str3 != null ? new NameID(str3, SAMLConstants.NFORMAT_DN) : new NameID(str4, SAMLConstants.NFORMAT_ENTITY), str4);
    }

    private String getKey(String str, String str2) {
        return str2 == null ? LoggingEventFieldResolver.EMPTY_STRING : X500NameUtils.getComparableForm(str2) + "|||||" + str;
    }

    private DefaultClientConfiguration buildFinalSettings(AuthnResponseAssertions authnResponseAssertions, DefaultClientConfiguration defaultClientConfiguration, DelegationSpecification delegationSpecification) throws IOException {
        List<AssertionParser> authNAssertions = authnResponseAssertions.getAuthNAssertions();
        List<AssertionDocument> otherAssertions = authnResponseAssertions.getOtherAssertions();
        List<AttributeAssertionParser> attributeAssertions = authnResponseAssertions.getAttributeAssertions();
        DefaultClientConfiguration mo276clone = defaultClientConfiguration.mo276clone();
        ArrayList arrayList = new ArrayList();
        ArrayList arrayList2 = new ArrayList();
        if (authNAssertions.size() != 1) {
            throw new IOException("SAML service returned " + authNAssertions.size() + " authentication assertions. We need exactly one - this service is unsupported.");
        }
        arrayList.add(new Assertion(authNAssertions.get(0).getXMLBeanDoc()));
        Iterator<AttributeAssertionParser> it = attributeAssertions.iterator();
        while (it.hasNext()) {
            AssertionDocument xMLBeanDoc = it.next().getXMLBeanDoc();
            try {
                arrayList2.add(new TrustDelegation(xMLBeanDoc));
            } catch (Exception e) {
                arrayList.add(new Assertion(xMLBeanDoc));
            }
        }
        if (otherAssertions.size() > 0) {
            System.out.println("SAML service returned some unknown assertions which are neither attribute nor authentication assertions. Those assertions will be ignored.");
        }
        mo276clone.getExtraSecurityTokens().put(SAMLAttributePushOutHandler.PUSHED_ASSERTIONS, arrayList);
        if (delegationSpecification.isDelegate()) {
            if (arrayList2.isEmpty()) {
                throw new IOException("Trust delegation was not found in the received assertions. Probably you are using a UNICORE unaware SAML service.");
            }
            if (arrayList2.size() > 1) {
                throw new IOException("Multiple trust delegations were found in the received assertions. This is unsupported.");
            }
            ETDClientSettings eTDSettings = mo276clone.getETDSettings();
            eTDSettings.setTrustDelegationTokens(Collections.singletonList(arrayList2.get(0)));
            eTDSettings.setRequestedUser(((TrustDelegation) arrayList2.get(0)).getCustodianDN());
        }
        return mo276clone;
    }

    private String getUsername(SAMLAuthNProperties sAMLAuthNProperties) throws IOException {
        String value = sAMLAuthNProperties.getValue("username");
        return value == null ? this.usernameCallback.getUsername() : value;
    }

    private char[] getPassword(SAMLAuthNProperties sAMLAuthNProperties) {
        String value = sAMLAuthNProperties.getValue("password");
        return value == null ? this.truststorePasswordCallback.getPassword("login", "Unity password") : value.toCharArray();
    }

    protected void setAssertionsCache(AssertionsCache assertionsCache) {
        this.assertionsCache = assertionsCache;
    }
}
