package cronapp.framework.security;

import cronapp.framework.CronappFrameworkException;
import cronapp.framework.api.ApiManager;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.OffsetDateTime;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.stream.Collectors;
import lombok.Generated;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.core.convert.converter.Converter;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.Customizer;
import org.springframework.security.saml2.core.Saml2Error;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
import org.springframework.security.saml2.provider.service.web.HttpSessionSaml2AuthenticationRequestRepository;
import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationRequestRepository;
import org.springframework.stereotype.Component;

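@ConditionalOnProperty(prefix = "cronapp.security.saml", name = {"enabled"}, havingValue = "true")
@Component
/* loaded from: input_file:cronapp/framework/security/SamlConfiguration.class */
/**
 * Wires SAML 2.0 (Web SSO) login into the framework's Spring Security setup.
 *
 * <p>Only active when {@code cronapp.security.saml.enabled=true}. For every configured
 * registration it loads the SP signing key from a classpath keystore, pulls the IdP
 * metadata from the configured location, and exposes the registration as a selectable
 * authentication method. On a successful assertion it maps the IdP's {@code memberOf}
 * attribute to local granted authorities and provisions a local user record on first
 * login (see {@link #responseAuthenticationConverter()} for the trust caveats).
 */
public class SamlConfiguration {
    /**
     * Spring's stock response converter. It is wrapped, not replaced, so signature,
     * audience, recipient and validity checks on the response stay upstream's.
     */
    private final Converter<OpenSaml4AuthenticationProvider.ResponseToken, Saml2Authentication> defaultConverter =
            OpenSaml4AuthenticationProvider.createDefaultResponseAuthenticationConverter();
    private final SamlProperties properties;
    private final GrantedAuthorityRepository grantedAuthorityRepository;
    private final AuthenticationProviders authenticationProviders;
    private final ApiAuthenticationFailureHandler authenticationFailureHandler;
    private final ApiAuthenticationSuccessHandler authenticationSuccessHandler;
    private final ApiUserDetailsManager userDetailsManager;

    /**
     * Enables SAML login, SP metadata publication and SAML single logout on the shared
     * {@code HttpSecurity}, routing success/failure through the framework's API handlers.
     *
     * <p>Metadata and logout use Spring's defaults; the metadata endpoint publishes the
     * SP's signing certificate, which is public information by design.
     */
    @Bean
    public HttpSecurityCustomizer samlCustomizer() {
        return httpSecurity -> httpSecurity
                .saml2Login(login -> {
                    login.failureHandler(this.authenticationFailureHandler);
                    login.successHandler(this.authenticationSuccessHandler);
                })
                .saml2Metadata(Customizer.withDefaults())
                .saml2Logout(Customizer.withDefaults());
    }

    /**
     * The authentication provider that validates SAML responses, with the framework's
     * converter installed to map assertions to local users and authorities.
     */
    @Bean
    public OpenSaml4AuthenticationProvider samlAuthenticationProvider() {
        OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
        provider.setResponseAuthenticationConverter(responseAuthenticationConverter());
        return provider;
    }

    /**
     * Builds the converter that turns a validated SAML response into a framework-aware
     * {@link Saml2Authentication}.
     *
     * <p>Trust notes for reviewers:
     * <ul>
     *   <li>Authorities are derived solely from the IdP's {@code memberOf} attribute, resolved
     *       through {@code grantedAuthorityRepository.findAll} — presumably only names that
     *       already exist locally are honoured; verify against that repository.</li>
     *   <li>The local account is selected by the assertion's subject name alone
     *       ({@code userExists}/{@code loadUserByUsername}). An IdP subject that equals an
     *       existing local username is logged in as that local user — make sure the IdP's
     *       NameID namespace cannot collide with locally created accounts.</li>
     *   <li>Unknown subjects are auto-provisioned via {@link #createCronappUserDetails}
     *       with email/phone marked confirmed and no lockout or 2FA.</li>
     * </ul>
     *
     * @return converter yielding {@code null} when the default converter yields {@code null}
     * @throws Saml2AuthenticationException if the principal is not a {@link Saml2AuthenticatedPrincipal}
     */
    private Converter<OpenSaml4AuthenticationProvider.ResponseToken, ? extends AbstractAuthenticationToken> responseAuthenticationConverter() {
        return responseToken -> {
            Saml2Authentication upstream = this.defaultConverter.convert(responseToken);
            if (upstream == null) {
                return null;
            }
            if (!(upstream.getPrincipal() instanceof Saml2AuthenticatedPrincipal principal)) {
                throw new Saml2AuthenticationException(new Saml2Error("internal_validation_error", "Invalid principal"));
            }
            // Group names as asserted by the IdP; absent attribute means "no groups", not an error.
            List<Object> memberOf = principal.getAttribute("memberOf");
            List<String> groupNames = memberOf == null
                    ? List.of()
                    : memberOf.stream().map(Object::toString).toList();
            Saml2Authentication authentication = new Saml2Authentication(
                    principal,
                    upstream.getSaml2Response(),
                    this.grantedAuthorityRepository.findAll(groupNames));
            String username = authentication.getName();
            // Just-in-time provisioning: first login creates the local record.
            if (!this.userDetailsManager.userExists(username)) {
                this.userDetailsManager.createUser(createCronappUserDetails(authentication));
            }
            authentication.setDetails(this.userDetailsManager.loadUserByUsername(username));
            return authentication;
        };
    }

    /**
     * Registers every configured IdP as a relying-party registration and advertises each
     * one as a selectable login method at {@code /saml2/authenticate/{name}}.
     */
    @Bean
    public RelyingPartyRegistrationRepository samlRegistrationRepository() {
        Set<RelyingPartyRegistration> registrations = this.properties.getRegistrations().stream()
                .map(this::getSamlRegistration)
                .collect(Collectors.toSet());
        this.properties.getRegistrations().forEach(registration ->
                this.authenticationProviders.addMethod(new AuthenticationMethod(
                        registration.getName(),
                        "/saml2/authenticate/" + registration.getName(),
                        registration.getIcon(),
                        registration.getDisplayName(),
                        "saml")));
        return new InMemoryRelyingPartyRegistrationRepository(registrations);
    }

    /**
     * Builds one relying-party registration from its properties.
     *
     * <p>The IdP's entity id, SSO endpoints and signing certificates all come from
     * {@code getMetadataUrl()}; that location is therefore the trust root for the whole
     * registration and should be an authenticated (https) or local source — the code does
     * not enforce this. Only a signing credential is registered here, so no decryption
     * credential is available for encrypted assertions.
     *
     * @throws CronappFrameworkException if the keystore entry is not a private key or has no certificate
     * @throws IllegalStateException     if the keystore cannot be read or opened
     */
    private RelyingPartyRegistration getSamlRegistration(SamlRegistrationProperties registration) {
        Saml2X509Credential signing = loadSigningCredential(registration);
        RelyingPartyRegistration.Builder builder = RelyingPartyRegistrations
                .fromMetadataLocation(registration.getMetadataUrl())
                .registrationId(registration.getName())
                .signingX509Credentials(credentials -> credentials.add(signing))
                .singleLogoutServiceBinding(Saml2MessageBinding.POST);
        // Optional override of the SP entity id derived by Spring.
        if (registration.getEntityId() != null) {
            builder.entityId(registration.getEntityId());
        }
        return builder.build();
    }

    /**
     * Loads the SP signing key pair from the registration's classpath keystore.
     *
     * <p>The stream is closed on every path (the previous version leaked it when
     * {@code KeyStore.load} failed). Keystore and key passwords never appear in messages.
     */
    private static Saml2X509Credential loadSigningCredential(SamlRegistrationProperties registration) {
        try (InputStream keystoreStream = new ClassPathResource(registration.getKeystoreFile()).getInputStream()) {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(keystoreStream, registration.getKeystorePass().toCharArray());
            String alias = registration.getPrivateKeyAlias();
            Key key = keyStore.getKey(alias, registration.getPrivateKeyPass().toCharArray());
            if (!(key instanceof PrivateKey privateKey)) {
                throw new CronappFrameworkException("Key is not a private key");
            }
            Certificate certificate = keyStore.getCertificate(alias);
            if (certificate == null) {
                throw new CronappFrameworkException("Certificate not found");
            }
            // Explicit check instead of an unchecked cast: a non-X.509 entry is a config error, not a CCE.
            if (!(certificate instanceof X509Certificate x509Certificate)) {
                throw new CronappFrameworkException("Certificate is not an X.509 certificate");
            }
            return Saml2X509Credential.signing(privateKey, x509Certificate);
        } catch (IOException | GeneralSecurityException e) {
            throw new IllegalStateException(
                    "Unable to load SAML signing credential for registration '" + registration.getName() + "'", e);
        }
    }

    /**
     * Keeps the outgoing AuthnRequest in the HTTP session so the response can be matched
     * back to it (Spring's InResponseTo correlation).
     */
    @Bean
    public Saml2AuthenticationRequestRepository<AbstractSaml2AuthenticationRequest> samlAuthenticationRequestRepository() {
        return new HttpSessionSaml2AuthenticationRequestRepository();
    }

    /**
     * Creates the local user record for a subject seen for the first time.
     *
     * <p>The record carries a synthetic {@code <name>@no-email} address that is marked
     * confirmed, phone marked confirmed, 2FA off and lockout disabled — i.e. the IdP is
     * fully trusted for this identity. If the application offers any email-driven flow
     * (password reset, notifications), confirm it treats these placeholder addresses
     * appropriately. Authorities are snapshotted from the current assertion.
     *
     * @param saml2Authentication the authenticated SAML token (name and authorities are read)
     * @return a fully populated {@link CronappUserDetails}
     */
    public static CronappUserDetails createCronappUserDetails(Saml2Authentication saml2Authentication) {
        String name = saml2Authentication.getName();
        String normalizedName = ApiManager.normalize(name);
        String placeholderEmail = normalizedName + "@no-email";
        return CronappUserDetails.newBuilder()
                .setName(name)
                .setUserName(name)
                .setNormalizedUserName(normalizedName)
                .setEmail(placeholderEmail)
                .setNormalizedEmail(ApiManager.normalize(placeholderEmail))
                .setEmailConfirmed(true)
                .setSecurityStamp(UUID.randomUUID().toString())
                .setPhoneNumberConfirmed(true)
                .setTwoFactorEnabled(false)
                .setLockoutEnd(OffsetDateTime.MIN)
                .setLockoutEnabled(false)
                .setAccessFailedCount(0)
                .setAuthorities(new HashSet<>(saml2Authentication.getAuthorities()))
                .setPayload(Map.of())
                .build();
    }

    @Generated
    public SamlConfiguration(SamlProperties samlProperties, GrantedAuthorityRepository grantedAuthorityRepository, AuthenticationProviders authenticationProviders, ApiAuthenticationFailureHandler apiAuthenticationFailureHandler, ApiAuthenticationSuccessHandler apiAuthenticationSuccessHandler, ApiUserDetailsManager apiUserDetailsManager) {
        this.properties = samlProperties;
        this.grantedAuthorityRepository = grantedAuthorityRepository;
        this.authenticationProviders = authenticationProviders;
        this.authenticationFailureHandler = apiAuthenticationFailureHandler;
        this.authenticationSuccessHandler = apiAuthenticationSuccessHandler;
        this.userDetailsManager = apiUserDetailsManager;
    }
}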
