package org.apache.nifi.web.security.configuration;

import com.github.benmanes.caffeine.cache.Caffeine;
import java.time.Duration;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import org.apache.nifi.authorization.util.IdentityMappingUtil;
import org.apache.nifi.util.FormatUtils;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.util.StringUtils;
import org.apache.nifi.web.security.jwt.provider.BearerTokenProvider;
import org.apache.nifi.web.security.logout.LogoutRequestManager;
import org.apache.nifi.web.security.saml2.SamlUrlPath;
import org.apache.nifi.web.security.saml2.registration.EntityDescriptorCustomizer;
import org.apache.nifi.web.security.saml2.registration.Saml2RegistrationProperty;
import org.apache.nifi.web.security.saml2.registration.StandardRelyingPartyRegistrationRepository;
import org.apache.nifi.web.security.saml2.service.authentication.ResponseAuthenticationConverter;
import org.apache.nifi.web.security.saml2.service.web.StandardRelyingPartyRegistrationResolver;
import org.apache.nifi.web.security.saml2.service.web.StandardSaml2AuthenticationRequestRepository;
import org.apache.nifi.web.security.saml2.web.authentication.Saml2AuthenticationSuccessHandler;
import org.apache.nifi.web.security.saml2.web.authentication.identity.AttributeNameIdentityConverter;
import org.apache.nifi.web.security.saml2.web.authentication.logout.Saml2LocalLogoutFilter;
import org.apache.nifi.web.security.saml2.web.authentication.logout.Saml2LogoutSuccessHandler;
import org.apache.nifi.web.security.saml2.web.authentication.logout.Saml2SingleLogoutFilter;
import org.apache.nifi.web.security.saml2.web.authentication.logout.Saml2SingleLogoutHandler;
import org.apache.nifi.web.security.saml2.web.authentication.logout.StandardSaml2LogoutRequestRepository;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.cache.caffeine.CaffeineCache;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider;
import org.springframework.security.saml2.provider.service.authentication.logout.OpenSamlLogoutRequestValidator;
import org.springframework.security.saml2.provider.service.authentication.logout.OpenSamlLogoutResponseValidator;
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequestValidator;
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponseValidator;
import org.springframework.security.saml2.provider.service.metadata.OpenSamlMetadataResolver;
import org.springframework.security.saml2.provider.service.metadata.Saml2MetadataResolver;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationRequestRepository;
import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationTokenConverter;
import org.springframework.security.saml2.provider.service.web.Saml2MetadataFilter;
import org.springframework.security.saml2.provider.service.web.authentication.OpenSaml3AuthenticationRequestResolver;
import org.springframework.security.saml2.provider.service.web.authentication.Saml2AuthenticationRequestResolver;
import org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSaml3LogoutRequestResolver;
import org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSaml3LogoutResponseResolver;
import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestFilter;
import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestRepository;
import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestResolver;
import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutResponseFilter;
import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutResponseResolver;
import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2RelyingPartyInitiatedLogoutSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

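/**
 * Spring configuration assembling the SAML 2.0 login and logout pipeline: the metadata,
 * web-SSO and logout filters, the OpenSAML provider, resolvers and validators behind them,
 * and the cache-backed repositories that hold outstanding authentication and logout requests.
 * All settings come from {@link NiFiProperties}; when SAML is not enabled a placeholder
 * relying-party registration is installed so the remaining beans still wire up.
 */
@Configuration
public class SamlAuthenticationSecurityConfiguration {
    /** Entries in the request caches are evicted this long after they were written. */
    private static final Duration REQUEST_EXPIRATION = Duration.ofSeconds(60);
    /** Upper bound on entries in each request cache, so the cache size stays bounded. */
    private static final long REQUEST_MAXIMUM_CACHE_SIZE = 1000;
    private final NiFiProperties properties;
    private final BearerTokenProvider bearerTokenProvider;
    private final LogoutRequestManager logoutRequestManager;

    /**
     * @param niFiProperties application properties supplying the SAML settings
     * @param bearerTokenProvider handed to the authentication success handler
     * @param logoutRequestManager shared by the local/single logout filters and the logout success handler
     * @throws NullPointerException if any argument is null
     */
    @Autowired
    public SamlAuthenticationSecurityConfiguration(NiFiProperties niFiProperties, BearerTokenProvider bearerTokenProvider, LogoutRequestManager logoutRequestManager) {
        this.properties = Objects.requireNonNull(niFiProperties, "Properties required");
        this.bearerTokenProvider = Objects.requireNonNull(bearerTokenProvider, "Bearer Token Provider required");
        this.logoutRequestManager = Objects.requireNonNull(logoutRequestManager, "Logout Request Manager required");
    }

    /** Serves service-provider metadata on the {@link SamlUrlPath#METADATA} path. */
    @Bean
    public Saml2MetadataFilter saml2MetadataFilter() {
        final Saml2MetadataFilter filter = new Saml2MetadataFilter(relyingPartyRegistrationResolver(), saml2MetadataResolver());
        filter.setRequestMatcher(new AntPathRequestMatcher(SamlUrlPath.METADATA.getPath()));
        return filter;
    }

    /** Builds outbound authentication requests and stores them in the cache-backed request repository. */
    @Bean
    public Saml2WebSsoAuthenticationRequestFilter saml2WebSsoAuthenticationRequestFilter() {
        final Saml2WebSsoAuthenticationRequestFilter filter = new Saml2WebSsoAuthenticationRequestFilter(saml2AuthenticationRequestResolver());
        filter.setAuthenticationRequestRepository(saml2AuthenticationRequestRepository());
        return filter;
    }

    /**
     * Processes the SAML response posted back by the identity provider.
     *
     * @param authenticationManager manager used to authenticate the converted SAML token
     */
    @Bean
    public Saml2WebSsoAuthenticationFilter saml2WebSsoAuthenticationFilter(AuthenticationManager authenticationManager) {
        final Saml2WebSsoAuthenticationFilter filter = new Saml2WebSsoAuthenticationFilter(
                new Saml2AuthenticationTokenConverter(relyingPartyRegistrationResolver()),
                SamlUrlPath.LOGIN_RESPONSE_REGISTRATION_ID.getPath());
        filter.setAuthenticationManager(authenticationManager);
        filter.setAuthenticationSuccessHandler(getAuthenticationSuccessHandler());
        // Same repository the request filter writes to, so the response can be matched to its request
        filter.setAuthenticationRequestRepository(saml2AuthenticationRequestRepository());
        // No HTTP session is created or migrated on login; presumably the success handler
        // carries the result in a bearer token instead (it receives the BearerTokenProvider)
        filter.setAllowSessionCreation(false);
        filter.setSessionAuthenticationStrategy(new NullAuthenticatedSessionStrategy());
        return filter;
    }

    /** Handles a locally initiated single logout and redirects through the relying-party-initiated handler. */
    @Bean
    public Saml2SingleLogoutFilter saml2SingleLogoutFilter() {
        return new Saml2SingleLogoutFilter(this.logoutRequestManager, saml2SingleLogoutSuccessHandler());
    }

    /**
     * Handles identity-provider-initiated LogoutRequest messages. It matches the same path as
     * {@link #saml2LogoutResponseFilter()}; presumably the two are told apart by whether a
     * SAMLRequest or SAMLResponse parameter is present — confirm against the filter implementations.
     */
    @Bean
    public Saml2LogoutRequestFilter saml2LogoutRequestFilter() {
        final Saml2LogoutRequestFilter filter = new Saml2LogoutRequestFilter(
                relyingPartyRegistrationResolver(), saml2LogoutRequestValidator(), saml2LogoutResponseResolver(),
                saml2SingleLogoutHandler());
        filter.setLogoutRequestMatcher(new AntPathRequestMatcher(SamlUrlPath.SINGLE_LOGOUT_RESPONSE.getPath()));
        return filter;
    }

    /** Handles LogoutResponse messages, correlating them with requests held in the logout request repository. */
    @Bean
    public Saml2LogoutResponseFilter saml2LogoutResponseFilter() {
        final Saml2LogoutResponseFilter filter = new Saml2LogoutResponseFilter(
                relyingPartyRegistrationResolver(), saml2LogoutResponseValidator(), saml2LogoutSuccessHandler());
        filter.setLogoutRequestRepository(saml2LogoutRequestRepository());
        filter.setLogoutRequestMatcher(new AntPathRequestMatcher(SamlUrlPath.SINGLE_LOGOUT_RESPONSE.getPath()));
        return filter;
    }

    @Bean
    public Saml2SingleLogoutHandler saml2SingleLogoutHandler() {
        return new Saml2SingleLogoutHandler();
    }

    @Bean
    public Saml2LocalLogoutFilter saml2LocalLogoutFilter() {
        return new Saml2LocalLogoutFilter(saml2LogoutSuccessHandler());
    }

    /** OpenSAML provider whose response converter maps the configured group attribute onto the authentication. */
    @Bean
    public OpenSamlAuthenticationProvider openSamlAuthenticationProvider() {
        final OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
        provider.setResponseAuthenticationConverter(new ResponseAuthenticationConverter(this.properties.getSamlGroupAttributeName()));
        return provider;
    }

    @Bean
    public Saml2AuthenticationRequestResolver saml2AuthenticationRequestResolver() {
        return new OpenSaml3AuthenticationRequestResolver(relyingPartyRegistrationResolver());
    }

    @Bean
    public Saml2LogoutRequestValidator saml2LogoutRequestValidator() {
        return new OpenSamlLogoutRequestValidator();
    }

    @Bean
    public Saml2LogoutResponseValidator saml2LogoutResponseValidator() {
        return new OpenSamlLogoutResponseValidator();
    }

    @Bean
    public Saml2LogoutRequestResolver saml2LogoutRequestResolver() {
        return new OpenSaml3LogoutRequestResolver(relyingPartyRegistrationResolver());
    }

    @Bean
    public Saml2LogoutResponseResolver saml2LogoutResponseResolver() {
        return new OpenSaml3LogoutResponseResolver(relyingPartyRegistrationResolver());
    }

    /** Outstanding authentication requests, kept in a bounded cache that expires entries after {@link #REQUEST_EXPIRATION}. */
    @Bean
    public Saml2AuthenticationRequestRepository<AbstractSaml2AuthenticationRequest> saml2AuthenticationRequestRepository() {
        return new StandardSaml2AuthenticationRequestRepository(newRequestCache(Saml2AuthenticationRequestRepository.class));
    }

    @Bean
    public RelyingPartyRegistrationResolver relyingPartyRegistrationResolver() {
        return new StandardRelyingPartyRegistrationResolver(relyingPartyRegistrationRepository(), this.properties.getAllowedContextPathsAsList());
    }

    /** Property-backed registrations when SAML is enabled, otherwise a single placeholder registration. */
    @Bean
    public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
        if (this.properties.isSamlEnabled()) {
            return new StandardRelyingPartyRegistrationRepository(this.properties);
        }
        return getDisabledRelyingPartyRegistrationRepository();
    }

    /** Metadata resolver whose entity descriptor reflects the signed-assertion and request-signing settings. */
    @Bean
    public Saml2MetadataResolver saml2MetadataResolver() {
        final OpenSamlMetadataResolver resolver = new OpenSamlMetadataResolver();
        resolver.setEntityDescriptorCustomizer(new EntityDescriptorCustomizer(
                this.properties.isSamlWantAssertionsSigned(), this.properties.isSamlRequestSigningEnabled()));
        return resolver;
    }

    @Bean
    public Saml2LogoutSuccessHandler saml2LogoutSuccessHandler() {
        return new Saml2LogoutSuccessHandler(this.logoutRequestManager);
    }

    /** Sends the relying-party-initiated LogoutRequest and records it in the logout request repository. */
    @Bean
    public Saml2RelyingPartyInitiatedLogoutSuccessHandler saml2SingleLogoutSuccessHandler() {
        final Saml2RelyingPartyInitiatedLogoutSuccessHandler handler = new Saml2RelyingPartyInitiatedLogoutSuccessHandler(saml2LogoutRequestResolver());
        handler.setLogoutRequestRepository(saml2LogoutRequestRepository());
        return handler;
    }

    /** Outstanding logout requests, kept in a bounded cache that expires entries after {@link #REQUEST_EXPIRATION}. */
    @Bean
    public Saml2LogoutRequestRepository saml2LogoutRequestRepository() {
        return new StandardSaml2LogoutRequestRepository(newRequestCache(Saml2LogoutRequestRepository.class));
    }

    /**
     * Builds the cache shared in shape by both request repositories: named after the repository
     * type, capped at {@link #REQUEST_MAXIMUM_CACHE_SIZE} entries and expiring entries
     * {@link #REQUEST_EXPIRATION} after they are written.
     *
     * @param repositoryType repository interface whose simple name becomes the cache name
     */
    private static CaffeineCache newRequestCache(final Class<?> repositoryType) {
        return new CaffeineCache(repositoryType.getSimpleName(),
                Caffeine.newBuilder()
                        .maximumSize(REQUEST_MAXIMUM_CACHE_SIZE)
                        .expireAfterWrite(REQUEST_EXPIRATION)
                        .build());
    }

    /**
     * Success handler wired with the bearer token provider, identity and group mappings, the
     * configured authentication expiration and the service-provider entity id; an identity
     * attribute name, when configured, selects the attribute used as the user identity.
     */
    private Saml2AuthenticationSuccessHandler getAuthenticationSuccessHandler() {
        // Configured duration string converted to whole milliseconds (fraction truncated by the cast)
        final Duration authenticationExpiration = Duration.ofMillis(
                (long) FormatUtils.getPreciseTimeDuration(this.properties.getSamlAuthenticationExpiration(), TimeUnit.MILLISECONDS));
        final Saml2AuthenticationSuccessHandler handler = new Saml2AuthenticationSuccessHandler(
                this.bearerTokenProvider,
                IdentityMappingUtil.getIdentityMappings(this.properties),
                IdentityMappingUtil.getGroupMappings(this.properties),
                authenticationExpiration,
                getServiceProviderEntityId());
        final String identityAttributeName = this.properties.getSamlIdentityAttributeName();
        if (StringUtils.isNotBlank(identityAttributeName)) {
            handler.setIdentityConverter(new AttributeNameIdentityConverter(identityAttributeName));
        }
        return handler;
    }

    /**
     * Configured service-provider entity id, falling back to the registration id when unset.
     * NOTE(review): only a null value falls back; a blank string is passed through as-is — confirm
     * that is intended, given the identity attribute name above is checked with isNotBlank.
     */
    private String getServiceProviderEntityId() {
        final String configured = this.properties.getSamlServiceProviderEntityId();
        return configured == null ? Saml2RegistrationProperty.REGISTRATION_ID.getProperty() : configured;
    }

    /**
     * Placeholder registration used when SAML is disabled: registration id, entity id and asserting
     * party entity id all reuse the registration id property, and the single sign-on location points
     * at the local login response path, so nothing refers to an external identity provider.
     */
    private RelyingPartyRegistrationRepository getDisabledRelyingPartyRegistrationRepository() {
        final String registrationId = Saml2RegistrationProperty.REGISTRATION_ID.getProperty();
        final RelyingPartyRegistration placeholder = RelyingPartyRegistration.withRegistrationId(registrationId)
                .entityId(registrationId)
                .assertingPartyDetails(builder -> {
                    builder.entityId(registrationId);
                    builder.singleSignOnServiceLocation(SamlUrlPath.LOGIN_RESPONSE_REGISTRATION_ID.getPath());
                })
                .build();
        return new InMemoryRelyingPartyRegistrationRepository(placeholder);
    }
}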
