package org.cloudfoundry.identity.uaa.provider.saml;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import javax.xml.namespace.QName;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
import org.cloudfoundry.identity.uaa.authentication.event.IdentityProviderAuthenticationSuccessEvent;
import org.cloudfoundry.identity.uaa.authentication.manager.ExternalGroupAuthorizationEvent;
import org.cloudfoundry.identity.uaa.authentication.manager.InvitedUserAuthenticatedEvent;
import org.cloudfoundry.identity.uaa.authentication.manager.NewUserAuthenticatedEvent;
import org.cloudfoundry.identity.uaa.provider.IdentityProvider;
import org.cloudfoundry.identity.uaa.provider.IdentityProviderProvisioning;
import org.cloudfoundry.identity.uaa.provider.SamlIdentityProviderDefinition;
import org.cloudfoundry.identity.uaa.scim.ScimGroupExternalMember;
import org.cloudfoundry.identity.uaa.scim.ScimGroupExternalMembershipManager;
import org.cloudfoundry.identity.uaa.user.UaaUser;
import org.cloudfoundry.identity.uaa.user.UaaUserDatabase;
import org.cloudfoundry.identity.uaa.user.UaaUserPrototype;
import org.cloudfoundry.identity.uaa.user.UserInfo;
import org.cloudfoundry.identity.uaa.util.UaaHttpRequestUtils;
import org.cloudfoundry.identity.uaa.util.UaaStringUtils;
import org.cloudfoundry.identity.uaa.util.UaaUrlUtils;
import org.cloudfoundry.identity.uaa.web.UaaSavedRequestAwareAuthenticationSuccessHandler;
import org.cloudfoundry.identity.uaa.zone.IdentityZone;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.joda.time.DateTime;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.schema.XSAny;
import org.opensaml.xml.schema.XSBase64Binary;
import org.opensaml.xml.schema.XSBoolean;
import org.opensaml.xml.schema.XSBooleanValue;
import org.opensaml.xml.schema.XSDateTime;
import org.opensaml.xml.schema.XSInteger;
import org.opensaml.xml.schema.XSQName;
import org.opensaml.xml.schema.XSString;
import org.opensaml.xml.schema.XSURI;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderNotFoundException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.providers.ExpiringUsernameAuthenticationToken;
import org.springframework.security.saml.SAMLAuthenticationProvider;
import org.springframework.security.saml.SAMLAuthenticationToken;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.context.request.RequestContextHolder;

/* loaded from: input_file:org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationProvider.class */
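/**
 * Authenticates SAML responses for UAA.
 *
 * <p>The flow in {@link #authenticate(Authentication)} is: resolve the identity provider by the
 * peer alias within the current identity zone and require it to be active, let the superclass
 * validate the SAML assertion, collect and map the asserted groups, enforce the configured
 * AuthnContext, then create or update the shadow {@link UaaUser} and publish the matching
 * application events.
 *
 * <p>Every provider and user lookup is scoped to {@code IdentityZoneHolder.get().getId()}, so an
 * alias only resolves to a provider of the zone handling the request.
 *
 * <p>Collaborators are injected through setters; {@link #publish(ApplicationEvent)} is a no-op
 * until an {@link ApplicationEventPublisher} has been set.
 */
public class LoginSamlAuthenticationProvider extends SAMLAuthenticationProvider implements ApplicationEventPublisherAware {
    private static final Log logger = LogFactory.getLog(LoginSamlAuthenticationProvider.class);
    private UaaUserDatabase userDatabase;
    private ApplicationEventPublisher eventPublisher;
    private IdentityProviderProvisioning identityProviderProvisioning;
    private ScimGroupExternalMembershipManager externalMembershipManager;

    /** Sets the store used to resolve the identity provider for a SAML alias. */
    public void setIdentityProviderProvisioning(IdentityProviderProvisioning identityProviderProvisioning) {
        this.identityProviderProvisioning = identityProviderProvisioning;
    }

    /** Sets the user store used to look up, create and update shadow users. */
    public void setUserDatabase(UaaUserDatabase uaaUserDatabase) {
        this.userDatabase = uaaUserDatabase;
    }

    /** Sets the manager that maps external (SAML) group names to internal scim groups. */
    public void setExternalMembershipManager(ScimGroupExternalMembershipManager scimGroupExternalMembershipManager) {
        this.externalMembershipManager = scimGroupExternalMembershipManager;
    }

    /** Delegates to the superclass; kept public so the bean definition can wire it. */
    @Override
    public void setUserDetails(SAMLUserDetailsService sAMLUserDetailsService) {
        super.setUserDetails(sAMLUserDetailsService);
    }

    /** Sets the publisher for the authentication events raised by this provider. */
    @Override
    public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
        this.eventPublisher = applicationEventPublisher;
    }

    /**
     * Authenticates a {@link SAMLAuthenticationToken} and returns the resulting {@link UaaAuthentication}.
     *
     * <p>Order of checks: the provider for the peer alias must exist in the current zone and be
     * active; the assertion is validated by the superclass; when the provider definition lists
     * required AuthnContext class references, the asserted one must be among them. Only then is
     * the shadow user created or updated and the success event published.
     *
     * <p>Note that the {@code try} spans the user lookups as well, so an
     * {@link EmptyResultDataAccessException} raised by any of them is also reported as a missing
     * provider.
     *
     * @param authentication a {@link SAMLAuthenticationToken}
     * @return the populated {@link UaaAuthentication}
     * @throws IllegalArgumentException  for any other token type
     * @throws ProviderNotFoundException if no provider matches the alias in this zone, or it is disabled
     * @throws BadCredentialsException   if the asserted AuthnContext is not one of those required
     * @throws AuthenticationException   propagated from the superclass assertion validation
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        if (!supports(authentication.getClass())) {
            throw new IllegalArgumentException("Only SAMLAuthenticationToken is supported, " + authentication.getClass() + " was attempted");
        }
        IdentityZone identityZone = IdentityZoneHolder.get();
        logger.debug(String.format("Initiating SAML authentication in zone '%s' domain '%s'", identityZone.getId(), identityZone.getSubdomain()));
        SAMLMessageContext credentials = ((SAMLAuthenticationToken) authentication).getCredentials();
        String alias = credentials.getPeerExtendedMetadata().getAlias();
        String relayState = credentials.getRelayState();
        try {
            IdentityProvider retrieveByOrigin = this.identityProviderProvisioning.retrieveByOrigin(alias, identityZone.getId());
            SamlIdentityProviderDefinition samlIdentityProviderDefinition = (SamlIdentityProviderDefinition) retrieveByOrigin.getConfig();
            boolean isAddShadowUserOnLogin = samlIdentityProviderDefinition.isAddShadowUserOnLogin();
            // A disabled provider is rejected before any assertion processing happens.
            if (!retrieveByOrigin.isActive()) {
                throw new ProviderNotFoundException("Identity Provider has been disabled by administrator for alias:" + alias);
            }
            // The superclass validates the SAML response; the token's name is the asserted subject.
            ExpiringUsernameAuthenticationToken expiringUsernameAuthenticationToken = getExpiringUsernameAuthenticationToken(authentication);
            // "NaN" is a placeholder id; the persisted user with its real id is resolved in createIfMissing.
            UaaPrincipal uaaPrincipal = new UaaPrincipal("NaN", expiringUsernameAuthenticationToken.getName(), expiringUsernameAuthenticationToken.getName(), alias, expiringUsernameAuthenticationToken.getName(), identityZone.getId());
            logger.debug(String.format("Mapped SAML authentication to IDP with origin '%s' and username '%s'", retrieveByOrigin.getOriginKey(), uaaPrincipal.getName()));
            SAMLCredential samlCredential = (SAMLCredential) expiringUsernameAuthenticationToken.getCredentials();
            Collection<? extends GrantedAuthority> samlAuthorities = retrieveSamlAuthorities(samlIdentityProviderDefinition, samlCredential);
            // Stays null for any mapping mode other than the two handled here (unchanged behavior).
            Collection<? extends GrantedAuthority> mappedAuthorities = null;
            switch (samlIdentityProviderDefinition.getGroupMappingMode()) {
                case EXPLICITLY_MAPPED:
                    mappedAuthorities = mapAuthorities(retrieveByOrigin.getOriginKey(), samlAuthorities);
                    break;
                case AS_SCOPES:
                    mappedAuthorities = new LinkedList<>(samlAuthorities);
                    break;
                default:
                    break;
            }
            Set<String> filterSamlAuthorities = filterSamlAuthorities(samlIdentityProviderDefinition, samlAuthorities);
            MultiValueMap<String, String> userAttributes = retrieveUserAttributes(samlIdentityProviderDefinition, samlCredential);
            // FIX: an assertion carrying no AuthnContextClassRef leaves this key absent, and the
            // previous Collections.disjoint(null, ...) threw NullPointerException. Treat "nothing
            // asserted" as a mismatch so the request is rejected with BadCredentialsException.
            if (samlIdentityProviderDefinition.getAuthnContext() != null) {
                List<String> assertedAuthnContext = userAttributes.get(LoginSamlAuthenticationToken.AUTHENTICATION_CONTEXT_CLASS_REFERENCE);
                if (assertedAuthnContext == null || Collections.disjoint(assertedAuthnContext, samlIdentityProviderDefinition.getAuthnContext())) {
                    throw new BadCredentialsException("Identity Provider did not authenticate with the requested AuthnContext.");
                }
            }
            UaaUser user = createIfMissing(uaaPrincipal, isAddShadowUserOnLogin, mappedAuthorities, userAttributes);
            UaaAuthentication uaaAuthentication = new LoginSamlAuthenticationToken(new UaaPrincipal(user), expiringUsernameAuthenticationToken).getUaaAuthentication(user.getAuthorities(), filterSamlAuthorities, userAttributes);
            publish(new IdentityProviderAuthenticationSuccessEvent(user, uaaAuthentication, "saml"));
            if (samlIdentityProviderDefinition.isStoreCustomAttributes()) {
                this.userDatabase.storeUserInfo(user.getId(), new UserInfo().setUserAttributes(uaaAuthentication.getUserAttributes()).setRoles(new LinkedList<>(uaaAuthentication.getExternalGroups())));
            }
            configureRelayRedirect(relayState);
            return uaaAuthentication;
        } catch (EmptyResultDataAccessException e) {
            throw new ProviderNotFoundException("No SAML identity provider found in zone for alias:" + alias);
        }
    }

    /**
     * Uses the RelayState of the SAML response as the post-login redirect target, but only when
     * {@link UaaUrlUtils#isUrl(String)} accepts it. The value is stored under
     * {@code URI_OVERRIDE_ATTRIBUTE} in request scope (scope code {@code 0} is
     * {@code RequestAttributes.SCOPE_REQUEST}).
     *
     * <p>NOTE(review): RelayState is supplied by the peer, so the strictness of {@code isUrl}
     * decides whether this can redirect outside the deployment — confirm the override is
     * validated against the allowed redirect URIs downstream.
     *
     * @param str the RelayState received with the SAML response; may be null
     */
    public void configureRelayRedirect(String str) {
        if (UaaUrlUtils.isUrl(str)) {
            RequestContextHolder.currentRequestAttributes().setAttribute(UaaSavedRequestAwareAuthenticationSuccessHandler.URI_OVERRIDE_ATTRIBUTE, str, 0);
        }
    }

    /**
     * Runs the superclass SAML validation and returns its token.
     *
     * @param authentication the incoming {@link SAMLAuthenticationToken}
     * @return the validated token; its name is the asserted subject and its credentials the {@link SAMLCredential}
     */
    protected ExpiringUsernameAuthenticationToken getExpiringUsernameAuthenticationToken(Authentication authentication) {
        // super.authenticate is declared as returning Authentication; the cast restores the static
        // type the decompiler dropped.
        return (ExpiringUsernameAuthenticationToken) super.authenticate(authentication);
    }

    /**
     * Publishes {@code applicationEvent} when a publisher has been injected; silently does
     * nothing otherwise.
     */
    protected void publish(ApplicationEvent applicationEvent) {
        if (this.eventPublisher != null) {
            this.eventPublisher.publishEvent(applicationEvent);
        }
    }

    /**
     * Returns the asserted group names that are on the provider's external-groups whitelist.
     *
     * <p>Only whitelisted names are exposed as external groups on the resulting authentication,
     * so the whitelist is what limits which IdP-asserted groups become visible to clients.
     *
     * @param samlIdentityProviderDefinition provider definition carrying the whitelist (may be null)
     * @param collection                     authorities built from the SAML group attributes
     * @return the whitelisted subset of the authority names
     */
    protected Set<String> filterSamlAuthorities(SamlIdentityProviderDefinition samlIdentityProviderDefinition, Collection<? extends GrantedAuthority> collection) {
        // FIX: Optional.of threw NullPointerException on a null whitelist, so the orElse branch
        // was unreachable; a missing whitelist now means no external group is passed through.
        Set<String> retainAllMatches = UaaStringUtils.retainAllMatches(
                collection.stream().map(GrantedAuthority::getAuthority).collect(Collectors.toSet()),
                Optional.ofNullable(samlIdentityProviderDefinition.getExternalGroupsWhitelist()).orElse(Collections.emptyList()));
        logger.debug(String.format("White listed external SAML groups:'%s'", retainAllMatches));
        return retainAllMatches;
    }

    /**
     * Maps external group names to the internal scim groups registered for this origin in the
     * current zone. External groups without a registered mapping contribute nothing.
     *
     * @param str        the origin key of the identity provider
     * @param collection authorities whose names are the external group names
     * @return one {@link SimpleGrantedAuthority} per mapped internal group display name
     */
    protected Collection<? extends GrantedAuthority> mapAuthorities(String str, Collection<? extends GrantedAuthority> collection) {
        List<GrantedAuthority> mappedAuthorities = new LinkedList<>();
        logger.debug("Mapping SAML authorities:" + collection);
        String zoneId = IdentityZoneHolder.get().getId();
        for (GrantedAuthority externalAuthority : collection) {
            String externalGroup = externalAuthority.getAuthority();
            logger.debug("Attempting to map external group: " + externalGroup);
            for (ScimGroupExternalMember member : this.externalMembershipManager.getExternalGroupMapsByExternalGroup(externalGroup, str, zoneId)) {
                String displayName = member.getDisplayName();
                logger.debug(String.format("Mapped external: '%s' to internal: '%s'", externalGroup, displayName));
                mappedAuthorities.add(new SimpleGrantedAuthority(displayName));
            }
        }
        return mappedAuthorities;
    }

    /**
     * Builds one {@link SamlUserAuthority} per value of every SAML attribute that the provider's
     * {@code external_groups} mapping names (by attribute name or friendly name).
     *
     * <p>The mapping value may be a single attribute name or a collection of names. A value
     * that {@link #getStringValue} cannot convert yields a null authority name, as before.
     *
     * @param samlIdentityProviderDefinition provider definition carrying the attribute mappings
     * @param sAMLCredential                 the validated SAML credential
     * @return the group authorities; empty when no {@code external_groups} mapping is configured
     */
    public Collection<? extends GrantedAuthority> retrieveSamlAuthorities(SamlIdentityProviderDefinition samlIdentityProviderDefinition, SAMLCredential sAMLCredential) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        Object groupsMapping = samlIdentityProviderDefinition.getAttributeMappings().get("external_groups");
        if (groupsMapping != null) {
            // Element type is left as Object: a collection mapping is copied as-is and matched via contains().
            List<Object> groupAttributeNames = new LinkedList<>();
            if (groupsMapping instanceof String) {
                groupAttributeNames.add(groupsMapping);
            } else if (groupsMapping instanceof Collection) {
                groupAttributeNames.addAll((Collection<?>) groupsMapping);
            }
            for (Attribute attribute : sAMLCredential.getAttributes()) {
                boolean isGroupAttribute = groupAttributeNames.contains(attribute.getName()) || groupAttributeNames.contains(attribute.getFriendlyName());
                if (!isGroupAttribute || attribute.getAttributeValues() == null) {
                    continue;
                }
                for (XMLObject value : attribute.getAttributeValues()) {
                    authorities.add(new SamlUserAuthority(getStringValue(attribute.getName(), samlIdentityProviderDefinition, value)));
                }
            }
        }
        // The previous "arrayList == null ? EMPTY_LIST : arrayList" was dead code: the list is never null.
        return authorities;
    }

    /**
     * Collects the user attributes the provider definition maps from SAML attributes, plus the
     * AuthnContext class references of the assertion's AuthnStatements under
     * {@code LoginSamlAuthenticationToken.AUTHENTICATION_CONTEXT_CLASS_REFERENCE}.
     *
     * <p>Only mappings whose value is a single attribute name (a {@code String}) are honored;
     * attribute values that cannot be converted to a string are skipped.
     *
     * @param samlIdentityProviderDefinition provider definition carrying the attribute mappings
     * @param sAMLCredential                 the validated SAML credential
     * @return UAA attribute name to asserted values; never null
     */
    public MultiValueMap<String, String> retrieveUserAttributes(SamlIdentityProviderDefinition samlIdentityProviderDefinition, SAMLCredential sAMLCredential) {
        logger.debug(String.format("Retrieving SAML user attributes [zone:%s, origin:%s]", samlIdentityProviderDefinition.getZoneId(), samlIdentityProviderDefinition.getIdpEntityAlias()));
        MultiValueMap<String, String> userAttributes = new LinkedMultiValueMap<>();
        if (samlIdentityProviderDefinition.getAttributeMappings() != null) {
            for (Map.Entry<?, ?> entry : samlIdentityProviderDefinition.getAttributeMappings().entrySet()) {
                if (!(entry.getValue() instanceof String)) {
                    continue;
                }
                Attribute samlAttribute = sAMLCredential.getAttribute((String) entry.getValue());
                if (samlAttribute == null) {
                    continue;
                }
                String uaaAttributeName = (String) entry.getKey();
                for (XMLObject value : samlAttribute.getAttributeValues()) {
                    String stringValue = getStringValue(uaaAttributeName, samlIdentityProviderDefinition, value);
                    if (stringValue != null) {
                        userAttributes.add(uaaAttributeName, stringValue);
                    }
                }
            }
        }
        if (sAMLCredential.getAuthenticationAssertion() != null && sAMLCredential.getAuthenticationAssertion().getAuthnStatements() != null) {
            for (AuthnStatement authnStatement : sAMLCredential.getAuthenticationAssertion().getAuthnStatements()) {
                if (authnStatement.getAuthnContext() != null && authnStatement.getAuthnContext().getAuthnContextClassRef() != null) {
                    userAttributes.add(LoginSamlAuthenticationToken.AUTHENTICATION_CONTEXT_CLASS_REFERENCE, authnStatement.getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef());
                }
            }
        }
        return userAttributes;
    }

    /**
     * Converts a SAML attribute value to a string.
     *
     * <p>Supported schema types are XSString, XSAny (text content), XSInteger, XSBoolean,
     * XSDateTime, XSQName, XSURI and XSBase64Binary. Any other type, a null wrapped value, or a
     * null {@code xMLObject} yields null.
     *
     * <p>The debug log line includes the attribute value itself; keep that in mind before
     * enabling debug logging where assertions carry personal data.
     *
     * @param str                            the UAA attribute name, used only for logging
     * @param samlIdentityProviderDefinition provider definition, used only for logging
     * @param xMLObject                      the attribute value; may be null
     * @return the string form, or null when the value is absent or unrecognized
     */
    protected String getStringValue(String str, SamlIdentityProviderDefinition samlIdentityProviderDefinition, XMLObject xMLObject) {
        String str2 = null;
        if (xMLObject instanceof XSString) {
            str2 = ((XSString) xMLObject).getValue();
        } else if (xMLObject instanceof XSAny) {
            str2 = ((XSAny) xMLObject).getTextContent();
        } else if (xMLObject instanceof XSInteger) {
            Integer value = ((XSInteger) xMLObject).getValue();
            str2 = value != null ? value.toString() : null;
        } else if (xMLObject instanceof XSBoolean) {
            XSBooleanValue value2 = ((XSBoolean) xMLObject).getValue();
            str2 = (value2 == null || value2.getValue() == null) ? null : value2.getValue().toString();
        } else if (xMLObject instanceof XSDateTime) {
            DateTime value3 = ((XSDateTime) xMLObject).getValue();
            str2 = value3 != null ? value3.toString() : null;
        } else if (xMLObject instanceof XSQName) {
            QName value4 = ((XSQName) xMLObject).getValue();
            str2 = value4 != null ? value4.toString() : null;
        } else if (xMLObject instanceof XSURI) {
            str2 = ((XSURI) xMLObject).getValue();
        } else if (xMLObject instanceof XSBase64Binary) {
            str2 = ((XSBase64Binary) xMLObject).getValue();
        }
        if (str2 != null) {
            logger.debug(String.format("Found SAML user attribute %s of value %s [zone:%s, origin:%s]", str, str2, samlIdentityProviderDefinition.getZoneId(), samlIdentityProviderDefinition.getIdpEntityAlias()));
            return str2;
        }
        if (xMLObject == null) {
            return null;
        }
        logger.debug(String.format("SAML user attribute %s at is not of type XSString or other recognizable type, %s [zone:%s, origin:%s]", str, xMLObject.getClass().getName(), samlIdentityProviderDefinition.getZoneId(), samlIdentityProviderDefinition.getIdpEntityAlias()));
        return null;
    }

    /**
     * Resolves the persisted {@link UaaUser} for the asserted principal, creating or updating
     * it as needed, and publishes the corresponding events.
     *
     * <p>Resolution order:
     * <ol>
     *   <li>If this is an accepted-invitation login, the invited user (id taken from session
     *       scope; scope code {@code 1} is {@code RequestAttributes.SCOPE_SESSION}) is used. An
     *       asserted email that differs from the invited email is rejected; a missing one is
     *       filled in from the invitation. Shadow-user creation is disabled on this path.</li>
     *   <li>Otherwise the user is looked up by name and origin, then by the asserted email and
     *       origin (renaming that user to the asserted name).</li>
     *   <li>Failing both, a shadow user is created via {@link NewUserAuthenticatedEvent} only
     *       when {@code z} is true; otherwise a {@link LoginSAMLException} is thrown.</li>
     * </ol>
     * Changed profile attributes are written back, and {@link ExternalGroupAuthorizationEvent}
     * is published with the mapped authorities ({@code collection} may be null).
     *
     * @param uaaPrincipal  the asserted principal (placeholder id)
     * @param z             whether a missing user may be created as a shadow user
     * @param collection    authorities mapped from the SAML groups; may be null
     * @param multiValueMap asserted user attributes
     * @return the user as re-read from the database after all updates
     * @throws BadCredentialsException if the invited email does not match, or the shadow user cannot be read back
     * @throws LoginSAMLException      if the user does not exist and shadow users are disabled
     */
    protected UaaUser createIfMissing(UaaPrincipal uaaPrincipal, boolean z, Collection<? extends GrantedAuthority> collection, MultiValueMap<String, String> multiValueMap) {
        boolean addShadowUser = z;
        MultiValueMap<String, String> userAttributes = multiValueMap;
        UaaUser uaaUser = null;
        if (UaaHttpRequestUtils.isAcceptedInvitationAuthentication()) {
            String invitedUserId = (String) RequestContextHolder.currentRequestAttributes().getAttribute("user_id", 1);
            UaaUser invitedUser = this.userDatabase.retrieveUserById(invitedUserId);
            String assertedEmail = userAttributes.getFirst("email");
            if (assertedEmail == null) {
                // Copy before mutating so the caller's map is not changed.
                userAttributes = new LinkedMultiValueMap<>(userAttributes);
                userAttributes.add("email", invitedUser.getEmail());
            } else if (!assertedEmail.equalsIgnoreCase(invitedUser.getEmail())) {
                // The invitation is bound to an address; an assertion for a different address must not claim it.
                throw new BadCredentialsException("SAML User email mismatch. Authenticated email doesn't match invited email.");
            }
            addShadowUser = false;
            if (invitedUser.getUsername().equals(invitedUser.getEmail()) && !invitedUser.getUsername().equals(uaaPrincipal.getName())) {
                invitedUser = invitedUser.modifyUsername(uaaPrincipal.getName());
            }
            publish(new InvitedUserAuthenticatedEvent(invitedUser));
            uaaUser = this.userDatabase.retrieveUserById(invitedUserId);
        }
        boolean userModified = false;
        UaaUser assertedUser = getUser(uaaPrincipal, userAttributes);
        if (uaaUser == null) {
            try {
                uaaUser = this.userDatabase.retrieveUserByName(uaaPrincipal.getName(), uaaPrincipal.getOrigin());
            } catch (UsernameNotFoundException e) {
                UaaUser userByEmail = this.userDatabase.retrieveUserByEmail(assertedUser.getEmail(), uaaPrincipal.getOrigin());
                if (userByEmail != null) {
                    userModified = true;
                    uaaUser = userByEmail.modifyUsername(uaaPrincipal.getName());
                } else {
                    if (!addShadowUser) {
                        throw new LoginSAMLException("SAML user does not exist. You can correct this by creating a shadow user for the SAML user.", e);
                    }
                    // The event listener is expected to persist the user; it is read back below.
                    publish(new NewUserAuthenticatedEvent(assertedUser));
                    try {
                        uaaUser = this.userDatabase.retrieveUserByName(uaaPrincipal.getName(), uaaPrincipal.getOrigin());
                    } catch (UsernameNotFoundException e2) {
                        throw new BadCredentialsException("Unable to establish shadow user for SAML user:" + uaaPrincipal.getName(), e2);
                    }
                }
            }
        }
        if (haveUserAttributesChanged(uaaUser, assertedUser)) {
            userModified = true;
            // A user verified on either side stays verified.
            uaaUser = uaaUser.modifyAttributes(assertedUser.getEmail(), assertedUser.getGivenName(), assertedUser.getFamilyName(), assertedUser.getPhoneNumber(), uaaUser.isVerified() || assertedUser.isVerified());
        }
        publish(new ExternalGroupAuthorizationEvent(uaaUser, userModified, collection, true));
        return this.userDatabase.retrieveUserById(uaaUser.getId());
    }

    /**
     * Builds the transient {@link UaaUser} described by the assertion, filling in defaults for
     * missing attributes: the email is derived from the username, given/family name from the
     * email, the origin falls back to {@code "login-server"}.
     *
     * <p>The returned user carries the placeholder id {@code "NaN"}, an empty password and no
     * authorities; it is only used to create the shadow user or to compare profile attributes.
     *
     * @param uaaPrincipal  the asserted principal
     * @param multiValueMap asserted user attributes ({@code email}, {@code given_name},
     *                      {@code family_name}, {@code phone_number}, {@code email_verified})
     * @return the transient user
     * @throws BadCredentialsException if neither a username nor an email was asserted
     */
    protected UaaUser getUser(UaaPrincipal uaaPrincipal, MultiValueMap<String, String> multiValueMap) {
        String name = uaaPrincipal.getName();
        String email = multiValueMap.getFirst("email");
        String givenName = multiValueMap.getFirst("given_name");
        String familyName = multiValueMap.getFirst("family_name");
        String phoneNumber = multiValueMap.getFirst("phone_number");
        String emailVerified = multiValueMap.getFirst("email_verified");
        String origin = uaaPrincipal.getOrigin() != null ? uaaPrincipal.getOrigin() : "login-server";
        String zoneId = uaaPrincipal.getZoneId();
        if (name == null && email != null) {
            name = email;
        }
        // The decompiled form guarded this with the tautology "NaN".equals("NaN"), which made the
        // later name = "unknown" fallback unreachable; the throw is unconditional.
        if (name == null) {
            throw new BadCredentialsException("Cannot determine username from credentials supplied");
        }
        if (email == null) {
            email = deriveEmailFromUsername(name);
        }
        // FIX: an asserted email without a domain part (no "@", or trailing "@") made
        // split("@")[1] throw ArrayIndexOutOfBoundsException; the name now stays unset instead.
        String[] emailParts = email.split("@");
        if (givenName == null) {
            givenName = emailParts[0];
        }
        if (familyName == null && emailParts.length > 1) {
            familyName = emailParts[1];
        }
        return new UaaUser(new UaaUserPrototype()
                .withVerified(Boolean.parseBoolean(emailVerified))
                .withEmail(email)
                .withGivenName(givenName)
                .withFamilyName(familyName)
                .withPhoneNumber(phoneNumber)
                .withModified(new Date())
                .withId("NaN")
                .withUsername(name)
                .withPassword("")
                .withAuthorities(Collections.emptyList())
                .withCreated(new Date())
                .withOrigin(origin)
                .withExternalId(name)
                .withZoneId(zoneId)
                .withSalt(null)
                .withPasswordLastModified(null));
    }

    /**
     * Derives a placeholder email from a username when the assertion carried none.
     *
     * <p>A name with exactly one interior {@code "@"} is used as-is; a name without {@code "@"}
     * gets {@code "@unknown.org"} appended; any other shape has all {@code "@"} removed before
     * the suffix is appended.
     */
    private static String deriveEmailFromUsername(String name) {
        if (!name.contains("@")) {
            return name + "@unknown.org";
        }
        boolean malformed = name.split("@").length != 2 || name.startsWith("@") || name.endsWith("@");
        return malformed ? name.replaceAll("@", "") + "@unknown.org" : name;
    }

    /**
     * Returns true when verified flag, given name, family name, phone number or email differ
     * between the two users (null-safe string comparison).
     */
    protected boolean haveUserAttributesChanged(UaaUser uaaUser, UaaUser uaaUser2) {
        boolean unchanged = uaaUser.isVerified() == uaaUser2.isVerified()
                && StringUtils.equals(uaaUser.getGivenName(), uaaUser2.getGivenName())
                && StringUtils.equals(uaaUser.getFamilyName(), uaaUser2.getFamilyName())
                && StringUtils.equals(uaaUser.getPhoneNumber(), uaaUser2.getPhoneNumber())
                && StringUtils.equals(uaaUser.getEmail(), uaaUser2.getEmail());
        return !unchanged;
    }
}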
