package org.springframework.security.saml.provider.service.authentication;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.saml.SamlRequestMatcher;
import org.springframework.security.saml.provider.provisioning.SamlProviderProvisioning;
import org.springframework.security.saml.provider.service.ServiceProviderService;
import org.springframework.security.saml.saml2.authentication.Response;
import org.springframework.security.saml.saml2.metadata.IdentityProviderMetadata;
import org.springframework.security.saml.saml2.metadata.ServiceProviderMetadata;
import org.springframework.security.saml.spi.DefaultSamlAuthentication;
import org.springframework.security.saml.validation.ValidationResult;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.StringUtils;

/* loaded from: input_file:org/springframework/security/saml/provider/service/authentication/SamlAuthenticationResponseFilter.class */
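/**
 * Service-provider side filter that consumes a SAML {@code SAMLResponse} posted (or redirected)
 * to the "SSO" endpoint and turns it into a Spring Security {@link Authentication}.
 *
 * <p>Processing order in {@link #attemptAuthentication}: read the {@code SAMLResponse} request
 * parameter, parse it through the hosted provider, resolve the remote identity provider,
 * validate the response, then hand a {@link DefaultSamlAuthentication} built from the first
 * assertion to the authentication manager.
 *
 * <p>Every value read from the request ({@code SAMLResponse}, {@code RelayState}) is
 * attacker-controllable until {@code hostedProvider.validate(response)} has succeeded;
 * {@code RelayState} is never validated by this class.
 */
public class SamlAuthenticationResponseFilter extends AbstractAuthenticationProcessingFilter {
    // Final so the logger reference cannot be swapped at runtime.
    private static final Log logger = LogFactory.getLog(SamlAuthenticationResponseFilter.class);
    private final SamlProviderProvisioning<ServiceProviderService> provisioning;

    /**
     * Creates a filter that matches requests for the hosted provider's "SSO" endpoint.
     *
     * @param samlProviderProvisioning source of the hosted service provider
     */
    public SamlAuthenticationResponseFilter(SamlProviderProvisioning<ServiceProviderService> samlProviderProvisioning) {
        this(new SamlRequestMatcher(samlProviderProvisioning, "SSO"), samlProviderProvisioning);
    }

    private SamlAuthenticationResponseFilter(RequestMatcher requestMatcher, SamlProviderProvisioning<ServiceProviderService> samlProviderProvisioning) {
        super(requestMatcher);
        this.provisioning = samlProviderProvisioning;
        // Issue a new session id on successful authentication (session-fixation defence).
        setSessionAuthenticationStrategy(new ChangeSessionIdAuthenticationStrategy());
    }

    /**
     * Only claims the request when it both carries a non-blank {@code SAMLResponse} parameter
     * and matches the configured request matcher.
     */
    protected boolean requiresAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return StringUtils.hasText(getSamlResponseData(httpServletRequest)) && super.requiresAuthentication(httpServletRequest, httpServletResponse);
    }

    /**
     * Parses and validates the incoming SAML response and delegates to the authentication manager.
     *
     * @param httpServletRequest request carrying the {@code SAMLResponse} (and optional {@code RelayState}) parameter
     * @param httpServletResponse unused here
     * @return the result of {@code getAuthenticationManager().authenticate(...)}
     * @throws AuthenticationCredentialsNotFoundException if the {@code SAMLResponse} parameter is missing or blank
     * @throws InsufficientAuthenticationException if validation reports errors, the issuing identity
     *         provider cannot be resolved, or the response contains no assertion
     */
    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException {
        String samlResponseData = getSamlResponseData(httpServletRequest);
        if (!StringUtils.hasText(samlResponseData)) {
            throw new AuthenticationCredentialsNotFoundException("SAMLResponse parameter missing");
        }
        ServiceProviderService hostedProvider = getProvisioning().getHostedProvider();
        // The third argument is true only for GET requests.
        // NOTE(review): presumably selects redirect-binding (deflated) decoding - confirm against fromXml.
        boolean viaGet = HttpMethod.GET.matches(httpServletRequest.getMethod());
        Response response = (Response) hostedProvider.fromXml(samlResponseData, true, viaGet, Response.class);
        if (logger.isTraceEnabled()) {
            // SECURITY: this writes the complete response XML, including its assertions, to the log.
            // Keep trace logging for this class off in production or restrict access to the log sink.
            logger.trace("Received SAMLResponse XML:" + response.getOriginalXML());
        }
        IdentityProviderMetadata identityProviderMetadata = (IdentityProviderMetadata) hostedProvider.getRemoteProvider(response);
        ValidationResult validate = hostedProvider.validate(response);
        if (validate.hasErrors()) {
            // NOTE(review): the full validation result becomes the exception message; make sure the
            // configured failure handler does not echo it back to the client.
            throw new InsufficientAuthenticationException(validate.toString());
        }
        // Defensive: whether getRemoteProvider can return null is not visible from this class.
        // Fail as an authentication error instead of a NullPointerException.
        if (identityProviderMetadata == null) {
            throw new InsufficientAuthenticationException("Unable to resolve the identity provider for the SAML response");
        }
        // A response without assertions would otherwise surface as an IndexOutOfBoundsException
        // (not an AuthenticationException) and bypass the normal failure handling.
        if (response.getAssertions() == null || response.getAssertions().isEmpty()) {
            throw new InsufficientAuthenticationException("SAML response contains no assertion");
        }
        // Only the first assertion is used to build the authentication.
        // NOTE(review): confirm that validate(response) verifies exactly this assertion
        // (signature and conditions), not merely some assertion in the response.
        // RelayState is copied from the request unvalidated; consumers must treat it as untrusted
        // (e.g. never use it as a redirect target without an allow-list check).
        DefaultSamlAuthentication defaultSamlAuthentication = new DefaultSamlAuthentication(
            true,
            response.getAssertions().get(0),
            identityProviderMetadata.getEntityId(),
            ((ServiceProviderMetadata) hostedProvider.getMetadata()).getEntityId(),
            httpServletRequest.getParameter("RelayState"));
        defaultSamlAuthentication.setResponseXml(response.getOriginalXML());
        return getAuthenticationManager().authenticate(defaultSamlAuthentication);
    }

    private SamlProviderProvisioning<ServiceProviderService> getProvisioning() {
        return this.provisioning;
    }

    /** Returns the raw {@code SAMLResponse} request parameter, or {@code null} when absent. */
    private String getSamlResponseData(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getParameter("SAMLResponse");
    }
}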
