package org.codelibs.fess.sso.saml;

import com.onelogin.saml2.Auth;
import com.onelogin.saml2.authn.AuthnRequestParams;
import com.onelogin.saml2.logout.LogoutRequestParams;
import com.onelogin.saml2.settings.Saml2Settings;
import com.onelogin.saml2.settings.SettingsBuilder;
import java.io.OutputStreamWriter;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import javax.annotation.PostConstruct;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.codelibs.core.lang.StringUtil;
import org.codelibs.core.net.UuidUtil;
import org.codelibs.fess.Constants;
import org.codelibs.fess.app.web.base.login.ActionResponseCredential;
import org.codelibs.fess.app.web.base.login.FessLoginAssist;
import org.codelibs.fess.app.web.base.login.SamlCredential;
import org.codelibs.fess.exception.SsoLoginException;
import org.codelibs.fess.exception.SsoMessageException;
import org.codelibs.fess.exception.SsoProcessException;
import org.codelibs.fess.mylasta.action.FessUserBean;
import org.codelibs.fess.sso.SsoAuthenticator;
import org.codelibs.fess.sso.SsoResponseType;
import org.codelibs.fess.util.ComponentUtil;
import org.dbflute.optional.OptionalEntity;
import org.lastaflute.web.login.credential.LoginCredential;
import org.lastaflute.web.response.ActionResponse;
import org.lastaflute.web.response.HtmlResponse;
import org.lastaflute.web.response.StreamResponse;
import org.lastaflute.web.util.LaRequestUtil;
import org.lastaflute.web.util.LaResponseUtil;

/* loaded from: input_file:org/codelibs/fess/sso/saml/SamlAuthenticator.class */
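/**
 * SP-initiated SAML 2.0 single sign-on for Fess, built on java-saml ({@code com.onelogin.saml2}).
 * <p>
 * Flow: the first request without a login in progress builds an AuthnRequest and redirects the
 * browser to the IdP; the IdP posts the SAMLResponse back to the assertion consumer service, where
 * it is validated and turned into a {@link SamlCredential}. The class also serves the SP metadata
 * document and handles single logout (SLO) in both directions.
 * <p>
 * Configuration: every Fess system property starting with {@value #SAML_PREFIX} is forwarded to
 * java-saml with the {@code onelogin.saml2.} prefix (e.g. {@code saml.idp.x509cert} becomes
 * {@code onelogin.saml2.idp.x509cert}) on top of the defaults set in {@link #init()}.
 * <p>
 * Security notes for operators (see {@link #init()}): the defaults do <em>not</em> require the IdP
 * to sign messages or assertions, so an unsigned SAMLResponse is accepted unless
 * {@code saml.security.want_assertions_signed} (or {@code want_messages_signed}) is set to true;
 * a warning is logged once when neither is enabled. The default signature algorithm for
 * SP-side signing is RSA-SHA1; set {@code saml.security.signature_algorithm} to an RSA-SHA256 URI
 * when enabling request/logout signing.
 */
public class SamlAuthenticator implements SsoAuthenticator {
    private static final Logger logger = LogManager.getLogger(SamlAuthenticator.class);

    /** Prefix of Fess system properties that are forwarded to java-saml as {@code onelogin.saml2.*} settings. */
    protected static final String SAML_PREFIX = "saml.";

    /**
     * Session attribute holding the ID of the AuthnRequest this SP last sent. Its presence marks a
     * login in progress; its value is handed to java-saml so that the {@code InResponseTo} of the
     * returned SAMLResponse must match the request we actually issued.
     */
    protected static final String SAML_STATE = "SAML_STATE";

    private Map<String, Object> defaultSettings;

    /** Set once the "signatures not required" warning has been logged, so it is not repeated on every request. */
    private volatile boolean unsignedResponseWarningLogged;

    /**
     * Registers this authenticator with the SSO manager and populates the default java-saml settings.
     * Anything here can be overridden per deployment through {@code saml.*} system properties.
     */
    @PostConstruct
    public void init() {
        if (logger.isDebugEnabled()) {
            logger.debug("Initialize {}", getClass().getSimpleName());
        }
        ComponentUtil.getSsoManager().register(this);

        final Map<String, Object> settings = new HashMap<>();
        // strict=true makes java-saml reject responses that fail schema/Destination/Issuer/time checks.
        settings.put("onelogin.saml2.strict", Constants.TRUE);
        settings.put("onelogin.saml2.debug", Constants.FALSE);

        // SP endpoints: placeholders that must be overridden with the public URL of this Fess instance.
        settings.put("onelogin.saml2.sp.entityid", "http://localhost:8080/sso/metadata");
        settings.put("onelogin.saml2.sp.assertion_consumer_service.url", "http://localhost:8080/sso/");
        settings.put("onelogin.saml2.sp.assertion_consumer_service.binding", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
        settings.put("onelogin.saml2.sp.single_logout_service.url", "http://localhost:8080/sso/logout");
        settings.put("onelogin.saml2.sp.single_logout_service.binding", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect");
        settings.put("onelogin.saml2.sp.nameidformat", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
        // NOTE(review): the decompiler folded a string literal into a Fess constant with the same value here
        // (presumably the empty string, i.e. "no SP key material by default") — confirm against the source.
        settings.put("onelogin.saml2.sp.x509cert", Constants.DEFAULT_IGNORE_FAILURE_TYPE);
        settings.put("onelogin.saml2.sp.privatekey", Constants.DEFAULT_IGNORE_FAILURE_TYPE);

        // IdP bindings; the IdP entity ID, SSO URL and certificate have no default and must be configured.
        settings.put("onelogin.saml2.idp.single_sign_on_service.binding", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect");
        settings.put("onelogin.saml2.idp.single_logout_service.response.url", Constants.DEFAULT_IGNORE_FAILURE_TYPE);
        settings.put("onelogin.saml2.idp.single_logout_service.binding", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect");

        // Security defaults. want_messages_signed / want_assertions_signed both false means an unsigned
        // response is accepted; getSettings() warns once when a deployment leaves both disabled.
        settings.put("onelogin.saml2.security.nameid_encrypted", Constants.FALSE);
        settings.put("onelogin.saml2.security.authnrequest_signed", Constants.FALSE);
        settings.put("onelogin.saml2.security.logoutrequest_signed", Constants.FALSE);
        settings.put("onelogin.saml2.security.logoutresponse_signed", Constants.FALSE);
        settings.put("onelogin.saml2.security.want_messages_signed", Constants.FALSE);
        settings.put("onelogin.saml2.security.want_assertions_signed", Constants.FALSE);
        settings.put("onelogin.saml2.security.sign_metadata", Constants.DEFAULT_IGNORE_FAILURE_TYPE);
        settings.put("onelogin.saml2.security.want_assertions_encrypted", Constants.FALSE);
        settings.put("onelogin.saml2.security.want_nameid_encrypted", Constants.FALSE);
        settings.put("onelogin.saml2.security.requested_authncontext", "urn:oasis:names:tc:SAML:2.0:ac:classes:Password");
        // Key was previously "onelogin.saml2.security.onelogin.saml2.security.requested_authncontextcomparison",
        // which java-saml ignores; the corrected key carries the same value the library falls back to.
        settings.put("onelogin.saml2.security.requested_authncontextcomparison", "exact");
        settings.put("onelogin.saml2.security.want_xml_validation", Constants.TRUE);
        // Only used when this SP signs requests/logout messages. SHA-1 is deprecated for signatures;
        // override with http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 when enabling signing.
        settings.put("onelogin.saml2.security.signature_algorithm", "http://www.w3.org/2000/09/xmldsig#rsa-sha1");

        // Organization / contact details published in the SP metadata.
        settings.put("onelogin.saml2.organization.name", "CodeLibs");
        settings.put("onelogin.saml2.organization.displayname", "Fess");
        settings.put("onelogin.saml2.organization.url", "https://fess.codelibs.org/");
        settings.put("onelogin.saml2.organization.lang", Constants.DEFAULT_IGNORE_FAILURE_TYPE);
        settings.put("onelogin.saml2.contacts.technical.given_name", "Technical Guy");
        settings.put("onelogin.saml2.contacts.technical.email_address", "technical@example.com");
        settings.put("onelogin.saml2.contacts.support.given_name", "Support Guy");
        // was "support@@example.com" (double '@'), which produced a malformed address in the metadata
        settings.put("onelogin.saml2.contacts.support.email_address", "support@example.com");

        this.defaultSettings = settings;
    }

    /**
     * Builds the effective java-saml settings: the defaults from {@link #init()} overlaid with every
     * {@code saml.*} system property, re-prefixed as {@code onelogin.saml2.*}. Rebuilt on each call
     * so property changes take effect without a restart.
     *
     * @return validated settings ready for {@link Auth}
     */
    protected Saml2Settings getSettings() {
        final Map<String, Object> values = new HashMap<>(defaultSettings);
        ComponentUtil.getSystemProperties().entrySet().forEach(entry -> {
            final String key = entry.getKey().toString();
            if (key.startsWith(SAML_PREFIX)) {
                values.put("onelogin.saml2." + key.substring(SAML_PREFIX.length()), entry.getValue());
            }
        });
        final Saml2Settings settings = new SettingsBuilder().fromValues(values).build();
        warnIfSignaturesNotRequired(settings);
        return settings;
    }

    /**
     * Logs (once) when the effective settings would accept a SAMLResponse that carries no signature
     * at all; with neither flag set the IdP certificate is never required to vouch for the assertion.
     */
    private void warnIfSignaturesNotRequired(final Saml2Settings settings) {
        if (unsignedResponseWarningLogged) {
            return;
        }
        if (!settings.getWantAssertionsSigned() && !settings.getWantMessagesSigned()) {
            unsignedResponseWarningLogged = true;
            logger.warn("Neither saml.security.want_assertions_signed nor saml.security.want_messages_signed is enabled: "
                    + "unsigned SAML responses will be accepted. Enable at least one of them.");
        }
    }

    /**
     * Entry point called by the login framework on every request to the SSO endpoint.
     * <p>
     * Without a pending AuthnRequest ID in the session this starts a login (returns a credential
     * that redirects to the IdP); with one it consumes the pending ID and validates the posted
     * SAMLResponse against it.
     *
     * @return a redirect credential, the authenticated {@link SamlCredential}, or {@code null} when
     *         there is no request or the response did not validate
     * @throws SsoLoginException when the redirect to the IdP cannot be built
     */
    @Override
    public LoginCredential getLoginCredential() {
        return LaRequestUtil.getOptionalRequest().map(request -> {
            if (logger.isDebugEnabled()) {
                logger.debug("Logging in with SAML Authenticator");
            }
            final HttpServletResponse response = LaResponseUtil.getResponse();
            final HttpSession session = request.getSession(false);
            final String pendingRequestId = session == null ? null : (String) session.getAttribute(SAML_STATE);
            if (StringUtil.isBlank(pendingRequestId)) {
                return startLogin(request, response);
            }
            // One-shot: whatever the outcome, the same AuthnRequest ID is never accepted twice.
            session.removeAttribute(SAML_STATE);
            return finishLogin(request, response, pendingRequestId);
        }).orElse(null);
    }

    /**
     * Builds an AuthnRequest, remembers its ID in the session and returns a credential that redirects
     * the browser to the IdP.
     *
     * @throws SsoLoginException when java-saml cannot build the redirect
     */
    protected LoginCredential startLogin(final HttpServletRequest request, final HttpServletResponse response) {
        try {
            final Auth auth = new Auth(getSettings(), request, response);
            // stay=true returns the redirect URL instead of letting java-saml send the redirect itself.
            // AuthnRequestParams args are presumably (forceAuthn, isPassive, setNameIdPolicy) — confirm with java-saml.
            final String redirectUrl = auth.login((String) null, new AuthnRequestParams(false, false, true), true);
            final String requestId = auth.getLastRequestId();
            if (StringUtil.isBlank(requestId)) {
                // Without the ID the response could not be bound to this request; refuse rather than accept anything.
                throw new SsoProcessException("AuthnRequest ID is not available.");
            }
            request.getSession().setAttribute(SAML_STATE, requestId);
            return new ActionResponseCredential(() -> HtmlResponse.fromRedirectPathAsIs(redirectUrl));
        } catch (final Exception e) {
            throw new SsoLoginException("Invalid SAML redirect URL.", e);
        }
    }

    /**
     * Validates the posted SAMLResponse (strict mode, bound to {@code requestId} via InResponseTo)
     * and converts it into a credential.
     *
     * @return the credential, or {@code null} on any validation failure (details are logged at WARN)
     */
    protected LoginCredential finishLogin(final HttpServletRequest request, final HttpServletResponse response,
            final String requestId) {
        try {
            final Auth auth = new Auth(getSettings(), request, response);
            auth.processResponse(requestId);
            // Validation errors are checked before the authenticated flag so that a rejected response
            // (bad signature, wrong audience, ...) is visible in the log at WARN, not only at DEBUG.
            final List<String> errors = auth.getErrors();
            if (!errors.isEmpty()) {
                final String joined = String.join(", ", errors);
                if (auth.isDebugActive() && StringUtil.isNotBlank(auth.getLastErrorReason())) {
                    logger.warn("Authentication Failure: {} - Reason: {}", joined, auth.getLastErrorReason());
                } else {
                    logger.warn("Authentication Failure: {}", joined);
                }
                return null;
            }
            if (!auth.isAuthenticated()) {
                if (logger.isDebugEnabled()) {
                    logger.debug("Authentication is failed.");
                }
                return null;
            }
            return createLoginCredential(request, response, auth);
        } catch (final Exception e) {
            logger.warn("Authentication is failed.", e);
            return null;
        }
    }

    /**
     * Wraps a validated {@link Auth} in the credential the login framework resolves.
     * Hook for subclasses that need a different credential type.
     */
    protected LoginCredential createLoginCredential(final HttpServletRequest httpServletRequest,
            final HttpServletResponse httpServletResponse, final Auth auth) {
        final SamlCredential samlCredential = new SamlCredential(auth);
        if (logger.isDebugEnabled()) {
            // Debug only: the credential's toString may include the NameID and attributes released by the IdP.
            logger.debug("SamlCredential: {}", samlCredential);
        }
        return samlCredential;
    }

    /** Registers how a {@link SamlCredential} is turned into the Fess user it carries. */
    @Override
    public void resolveCredential(final FessLoginAssist.LoginCredentialResolver loginCredentialResolver) {
        loginCredentialResolver.resolve(SamlCredential.class, samlCredential -> OptionalEntity.of(samlCredential.getUser()));
    }

    /**
     * Starts SP-initiated single logout for a SAML user.
     *
     * @return the IdP logout redirect URL, or {@code null} when the user did not log in via SAML,
     *         there is no request, or the LogoutRequest could not be built (logged at WARN)
     */
    @Override
    public String logout(final FessUserBean fessUserBean) {
        if (!(fessUserBean.getFessUser() instanceof SamlCredential.SamlUser)) {
            return null;
        }
        final SamlCredential.SamlUser samlUser = (SamlCredential.SamlUser) fessUserBean.getFessUser();
        return LaRequestUtil.getOptionalRequest().map(request -> {
            if (logger.isDebugEnabled()) {
                logger.debug("Logging out with SAML Authenticator");
            }
            final HttpServletResponse response = LaResponseUtil.getResponse();
            try {
                final LogoutRequestParams params = new LogoutRequestParams(samlUser.getSessionIndex(), samlUser.getName(),
                        samlUser.getNameIdFormat(), samlUser.getNameidNameQualifier(), samlUser.getNameidSPNameQualifier());
                // stay=true: hand the redirect URL back to the caller instead of redirecting here.
                return new Auth(getSettings(), request, response).logout((String) null, params, true);
            } catch (final Exception e) {
                logger.warn("Failed to logout from IdP: {}", samlUser, e);
                return null;
            }
        }).orElse(null);
    }

    /** Dispatches the non-login SSO endpoints (metadata, logout); other types are not handled here. */
    @Override
    public ActionResponse getResponse(final SsoResponseType ssoResponseType) {
        switch (ssoResponseType) {
        case METADATA:
            return getMetadataResponse();
        case LOGOUT:
            return getLogoutResponse();
        default:
            return null;
        }
    }

    /**
     * Serves the SP metadata document generated from the effective settings.
     *
     * @throws SsoMessageException when there is no request, the metadata fails java-saml's
     *         validation, or it cannot be generated
     */
    protected ActionResponse getMetadataResponse() {
        return LaRequestUtil.getOptionalRequest().map(request -> {
            if (logger.isDebugEnabled()) {
                logger.debug("Accessing metadata with SAML Authenticator");
            }
            try {
                final Saml2Settings settings = new Auth(getSettings(), request, LaResponseUtil.getResponse()).getSettings();
                // Only SP-side settings need to be complete to publish metadata (IdP settings may be absent).
                settings.setSPValidationOnly(true);
                final String metadata = settings.getSPMetadata();
                final List<String> errors = Saml2Settings.validateMetadata(metadata);
                if (!errors.isEmpty()) {
                    final String joined = String.join(", ", errors);
                    // Message was "Failed to log out." before — copied from the logout path.
                    throw processFailure(joined, "Failed to process metadata.", new SsoProcessException(joined));
                }
                return metadataStream(metadata);
            } catch (final SsoMessageException e) {
                throw e;
            } catch (final Exception e) {
                throw processFailure(e.getMessage(), "Failed to process metadata.", e);
            }
        }).orElseThrow(() -> processFailure("Invalid state.", "Failed to process metadata.", new SsoProcessException("Invalid state.")));
    }

    /** Streams the metadata XML as UTF-8. */
    private static ActionResponse metadataStream(final String metadata) {
        // NOTE(review): served as application/xhtml+xml so browsers render it inline; the registered media type
        // for SAML metadata is application/samlmetadata+xml. Kept as-is because changing it alters browser behavior.
        return new StreamResponse("metadata").contentType("application/xhtml+xml").stream(out -> {
            try (OutputStreamWriter writer = new OutputStreamWriter(out.stream(), StandardCharsets.UTF_8)) {
                writer.write(metadata);
            }
        });
    }

    /**
     * Handles an incoming single-logout message (LogoutRequest from the IdP, or the LogoutResponse
     * to our own LogoutRequest). java-saml may itself send the redirect back to the IdP.
     * <p>
     * The outcome is always reported by throwing {@link SsoMessageException} (success or failure),
     * which the caller translates into a user-visible message; the method never returns normally
     * with a value, hence the unconditional {@code null}.
     *
     * @throws SsoMessageException always — carrying a success message when SLO completed, an error otherwise
     */
    protected ActionResponse getLogoutResponse() {
        LaRequestUtil.getOptionalRequest().map(request -> {
            if (logger.isDebugEnabled()) {
                logger.debug("Logging out with SAML Authenticator");
            }
            try {
                final Auth auth = new Auth(getSettings(), request, LaResponseUtil.getResponse());
                auth.processSLO();
                final List<String> errors = auth.getErrors();
                if (!errors.isEmpty()) {
                    final String joined = String.join(", ", errors);
                    throw processFailure(joined, "Failed to log out.", new SsoProcessException(joined));
                }
                throw new SsoMessageException(fessMessages -> fessMessages.addSuccessSsoLogout("_global"), "Logged out");
            } catch (final SsoMessageException e) {
                throw e;
            } catch (final Exception e) {
                throw processFailure(e.getMessage(), "Failed to log out.", e);
            }
        }).orElseThrow(() -> processFailure("Invalid state.", "Failed to log out.", new SsoProcessException("Invalid state.")));
        return null;
    }

    /**
     * Builds the exception that reports an SSO processing failure: {@code detail} goes into the
     * global UI message, {@code message} and {@code cause} into the exception itself.
     */
    private static SsoMessageException processFailure(final String detail, final String message, final Exception cause) {
        return new SsoMessageException(fessMessages -> fessMessages.addErrorsFailedToProcessSsoRequest("_global", detail), message,
                cause);
    }
}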
