package org.springframework.security.config.annotation.web.configurers.saml2;

import de.ingrid.ibus.comm.processor.UdkMetaclassPreProcessor;
import jakarta.servlet.Filter;
import jakarta.servlet.http.HttpServletRequest;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.log4j.spi.LocationInfo;
import org.opensaml.core.Version;
import org.springframework.context.ApplicationContext;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
import org.springframework.security.config.annotation.web.configurers.AbstractAuthenticationFilterConfigurer;
import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer;
import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml5AuthenticationProvider;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.web.HttpSessionSaml2AuthenticationRequestRepository;
import org.springframework.security.saml2.provider.service.web.OpenSaml4AuthenticationTokenConverter;
import org.springframework.security.saml2.provider.service.web.OpenSaml5AuthenticationTokenConverter;
import org.springframework.security.saml2.provider.service.web.OpenSamlAuthenticationTokenConverter;
import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationRequestRepository;
import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationTokenConverter;
import org.springframework.security.saml2.provider.service.web.Saml2WebSsoAuthenticationRequestFilter;
import org.springframework.security.saml2.provider.service.web.authentication.OpenSaml4AuthenticationRequestResolver;
import org.springframework.security.saml2.provider.service.web.authentication.OpenSaml5AuthenticationRequestResolver;
import org.springframework.security.saml2.provider.service.web.authentication.Saml2AuthenticationRequestResolver;
import org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.AuthenticationConverter;
import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.ParameterRequestMatcher;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatchers;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

/* loaded from: input_file:ingrid-ibus-7.5.0/lib/spring-security-config-6.4.3.jar:org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.class */
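/**
 * Configures SAML 2.0 Web SSO login for an {@link HttpSecurityBuilder}.
 *
 * <p>During {@link #init(HttpSecurityBuilder)} it creates the
 * {@link Saml2WebSsoAuthenticationFilter} that processes responses on the login-processing URL,
 * and during {@link #configure(HttpSecurityBuilder)} it adds the
 * {@link Saml2WebSsoAuthenticationRequestFilter} that starts the login with an identity provider.
 *
 * <p>Security-relevant defaults visible in this class:
 * <ul>
 * <li>The login-processing URL is exempted from CSRF protection when a {@link CsrfConfigurer} is
 * present (see {@code registerDefaultCsrfOverride}).</li>
 * <li>Authentication requests are kept in the HTTP session unless a unique
 * {@link Saml2AuthenticationRequestRepository} bean exists.</li>
 * <li>Collaborators are looked up with "if unique" semantics, so an ambiguous bean definition
 * silently falls back to the built-in default (see {@code getBeanOrNull}).</li>
 * </ul>
 *
 * <p>This listing is decompiler output; casts of the builder to the configurer type that the
 * decompiler had inserted were removed because they are not valid for the declared types.
 */
public final class Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>> extends AbstractAuthenticationFilterConfigurer<B, Saml2LoginConfigurer<B>, Saml2WebSsoAuthenticationFilter> {
    // Selects the OpenSAML 5 or OpenSAML 4 based defaults for resolver, converter and provider.
    // NOTE(review): the prefix constant below is a decompiler artifact. A string literal was
    // attributed to an unrelated class that holds an equal compile-time constant. Presumably it
    // is the OpenSAML major version; confirm the literal and inline it so that the choice of
    // the response-validating implementation does not depend on an unrelated class.
    private static final boolean USE_OPENSAML_5 = Version.getVersion().startsWith(UdkMetaclassPreProcessor.UDK_METACLASS_DATABASE);
    private String loginPage;
    private Saml2AuthenticationRequestResolver authenticationRequestResolver;
    private RelyingPartyRegistrationRepository relyingPartyRegistrationRepository;
    private AuthenticationConverter authenticationConverter;
    private AuthenticationManager authenticationManager;
    private Saml2WebSsoAuthenticationFilter saml2WebSsoAuthenticationFilter;
    private String authenticationRequestUri = "/saml2/authenticate";
    private String[] authenticationRequestParams = {"registrationId={registrationId}"};
    // Declared after the URI and parameter fields on purpose: the initializer reads both.
    private RequestMatcher authenticationRequestMatcher = RequestMatchers.anyOf(new AntPathRequestMatcher("/saml2/authenticate/{registrationId}"), new AntPathQueryRequestMatcher(this.authenticationRequestUri, this.authenticationRequestParams));
    // This matcher is also what gets exempted from CSRF protection in init().
    private RequestMatcher loginProcessingUrl = RequestMatchers.anyOf(new AntPathRequestMatcher("/login/saml2/sso/{registrationId}"), new AntPathRequestMatcher("/login/saml2/sso"));

    /**
     * Matches a request by Ant path and by a set of query parameters, all of which must match.
     *
     * <p>Each parameter specification is either {@code name} (the parameter must be present) or
     * {@code name=value}. The specification is split on every {@code '='}, so only the text
     * between the first and second {@code '='} is used as the value.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:ingrid-ibus-7.5.0/lib/spring-security-config-6.4.3.jar:org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer$AntPathQueryRequestMatcher.class */
    public static class AntPathQueryRequestMatcher implements RequestMatcher {
        private final RequestMatcher matcher;

        AntPathQueryRequestMatcher(String str, String... strArr) {
            ArrayList<RequestMatcher> matchers = new ArrayList<>();
            matchers.add(new AntPathRequestMatcher(str));
            for (String spec : strArr) {
                String[] nameAndValue = spec.split("=");
                if (nameAndValue.length == 1) {
                    matchers.add(new ParameterRequestMatcher(nameAndValue[0]));
                } else {
                    matchers.add(new ParameterRequestMatcher(nameAndValue[0], nameAndValue[1]));
                }
            }
            this.matcher = new AndRequestMatcher(matchers);
        }

        @Override
        public boolean matches(HttpServletRequest httpServletRequest) {
            return matcher(httpServletRequest).isMatch();
        }

        @Override
        public RequestMatcher.MatchResult matcher(HttpServletRequest httpServletRequest) {
            return this.matcher.matcher(httpServletRequest);
        }
    }

    /**
     * Sets the converter that turns the incoming request into an authentication token.
     *
     * @param authenticationConverter the converter to use, never {@code null}
     * @return this configurer
     */
    public Saml2LoginConfigurer<B> authenticationConverter(AuthenticationConverter authenticationConverter) {
        Assert.notNull(authenticationConverter, "authenticationConverter cannot be null");
        this.authenticationConverter = authenticationConverter;
        return this;
    }

    /**
     * Sets the manager used by the Web SSO filter. When one is set, no default SAML
     * authentication provider is registered by {@link #init(HttpSecurityBuilder)}, so validating
     * the response is entirely up to the supplied manager.
     *
     * @param authenticationManager the manager to use, never {@code null}
     * @return this configurer
     */
    public Saml2LoginConfigurer<B> authenticationManager(AuthenticationManager authenticationManager) {
        Assert.notNull(authenticationManager, "authenticationManager cannot be null");
        this.authenticationManager = authenticationManager;
        return this;
    }

    /**
     * Sets the repository of relying-party registrations. A {@code null} value is accepted and
     * means the repository is looked up from the builder or the application context later.
     *
     * @param relyingPartyRegistrationRepository the repository, may be {@code null}
     * @return this configurer
     */
    public Saml2LoginConfigurer<B> relyingPartyRegistrationRepository(RelyingPartyRegistrationRepository relyingPartyRegistrationRepository) {
        this.relyingPartyRegistrationRepository = relyingPartyRegistrationRepository;
        return this;
    }

    /**
     * Sets a custom login page, which disables the single-provider redirect and the generated
     * login page.
     *
     * @param str the login page URL, must contain text
     * @return this configurer
     */
    @Override
    public Saml2LoginConfigurer<B> loginPage(String str) {
        Assert.hasText(str, "loginPage cannot be empty");
        this.loginPage = str;
        return this;
    }

    /**
     * Sets the resolver that builds the authentication request sent to the identity provider.
     *
     * @param saml2AuthenticationRequestResolver the resolver to use, never {@code null}
     * @return this configurer
     */
    public Saml2LoginConfigurer<B> authenticationRequestResolver(Saml2AuthenticationRequestResolver saml2AuthenticationRequestResolver) {
        Assert.notNull(saml2AuthenticationRequestResolver, "authenticationRequestResolver cannot be null");
        this.authenticationRequestResolver = saml2AuthenticationRequestResolver;
        return this;
    }

    /**
     * Delegates to {@link #authenticationRequestUriQuery(String)}.
     *
     * @param str the authentication request URI
     * @return this configurer
     * @deprecated use {@link #authenticationRequestUriQuery(String)}
     */
    @Deprecated
    public Saml2LoginConfigurer<B> authenticationRequestUri(String str) {
        return authenticationRequestUriQuery(str);
    }

    /**
     * Sets the URI, optionally with query parameters, that starts a login.
     *
     * <p>The value is split on {@code '?'} and {@code '&'}: the first part becomes the path and
     * the remaining parts become the required query parameters. This replaces the default
     * request matcher, including the default path-variable form.
     *
     * @param str the URI, must contain the {@code {registrationId}} placeholder
     * @return this configurer
     * @throws IllegalArgumentException if {@code str} is {@code null}
     * @throws IllegalStateException if the placeholder is missing
     */
    public Saml2LoginConfigurer<B> authenticationRequestUriQuery(String str) {
        // Fail with a clear message, like the other setters, instead of a bare NullPointerException.
        Assert.notNull(str, "authenticationRequestUri cannot be null");
        Assert.state(str.contains("{registrationId}"), "authenticationRequestUri must contain {registrationId} path variable or query value");
        String[] parts = str.split("[?&]");
        this.authenticationRequestUri = parts[0];
        this.authenticationRequestParams = new String[parts.length - 1];
        System.arraycopy(parts, 1, this.authenticationRequestParams, 0, parts.length - 1);
        this.authenticationRequestMatcher = new AntPathQueryRequestMatcher(this.authenticationRequestUri, this.authenticationRequestParams);
        return this;
    }

    /**
     * Sets the URL pattern on which SAML responses are processed.
     *
     * <p>The resulting matcher is also the one exempted from CSRF protection during
     * {@link #init(HttpSecurityBuilder)}, so keep the pattern as narrow as possible.
     *
     * @param str the Ant pattern, must contain text
     * @return this configurer
     */
    @Override
    public Saml2LoginConfigurer<B> loginProcessingUrl(String str) {
        Assert.hasText(str, "loginProcessingUrl cannot be empty");
        this.loginProcessingUrl = new AntPathRequestMatcher(str);
        return this;
    }

    /**
     * Creates the matcher for the given login-processing URL.
     *
     * @param str the Ant pattern
     * @return an Ant path matcher for {@code str}
     */
    @Override
    protected RequestMatcher createLoginProcessingUrlMatcher(String str) {
        return new AntPathRequestMatcher(str);
    }

    /**
     * Creates the Web SSO filter and decides how unauthenticated users reach an identity provider.
     *
     * <p>With a custom login page the superclass handling is used. Without one, exactly one
     * known registration makes unauthenticated requests redirect straight to that provider;
     * otherwise the superclass handling applies. A default authentication provider is registered
     * only when no {@link AuthenticationManager} was supplied.
     *
     * @param b the builder being configured
     * @throws Exception if the superclass initialization fails
     */
    @Override
    public void init(B b) throws Exception {
        registerDefaultCsrfOverride(b);
        // Populate the repository field first: the default converter and the provider URL map read it.
        relyingPartyRegistrationRepository(b);
        this.saml2WebSsoAuthenticationFilter = new Saml2WebSsoAuthenticationFilter(getAuthenticationConverter(b));
        this.saml2WebSsoAuthenticationFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
        this.saml2WebSsoAuthenticationFilter.setRequiresAuthenticationRequestMatcher(this.loginProcessingUrl);
        setAuthenticationRequestRepository(b, this.saml2WebSsoAuthenticationFilter);
        setAuthenticationFilter(this.saml2WebSsoAuthenticationFilter);
        if (StringUtils.hasText(this.loginPage)) {
            super.loginPage(this.loginPage);
            super.init(b);
        } else {
            Map<String, String> providerUrls = getIdentityProviderUrlMap(this.authenticationRequestUri, this.authenticationRequestParams, this.relyingPartyRegistrationRepository);
            if (providerUrls.size() == 1) {
                updateAuthenticationDefaults();
                updateAccessDefaults(b);
                // The map key is the login URL of the only registration.
                registerAuthenticationEntryPoint(b, getLoginEntryPoint(b, providerUrls.keySet().iterator().next()));
            } else {
                super.init(b);
            }
        }
        initDefaultLoginFilter(b);
        if (this.authenticationManager == null) {
            registerDefaultAuthenticationProvider(b);
        }
    }

    /**
     * Adds the filter that starts the login and applies an explicitly configured
     * {@link AuthenticationManager} to the Web SSO filter.
     *
     * @param b the builder being configured
     * @throws Exception if the superclass configuration fails
     */
    @Override
    public void configure(B b) throws Exception {
        Saml2WebSsoAuthenticationRequestFilter requestFilter = getAuthenticationRequestFilter(b);
        requestFilter.setAuthenticationRequestRepository(getAuthenticationRequestRepository(b));
        b.addFilter(postProcess(requestFilter));
        super.configure(b);
        // Applied after super.configure(b) so the explicitly configured manager is the one left on the filter.
        if (this.authenticationManager != null) {
            this.saml2WebSsoAuthenticationFilter.setAuthenticationManager(this.authenticationManager);
        }
    }

    /**
     * Returns the configured repository, resolving and caching it from the builder's shared
     * objects or the application context when none was set.
     *
     * @param b the builder being configured
     * @return the repository, or {@code null} if none could be resolved
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository(B b) {
        if (this.relyingPartyRegistrationRepository == null) {
            this.relyingPartyRegistrationRepository = getSharedOrBean(b, RelyingPartyRegistrationRepository.class);
        }
        return this.relyingPartyRegistrationRepository;
    }

    /**
     * Builds the entry point used when exactly one registration is known.
     *
     * <p>The redirect to {@code str} applies to requests that do not carry
     * {@code X-Requested-With: XMLHttpRequest} and that are not login-page or favicon requests
     * matched by the configured entry-point matcher. Everything else gets the default entry point.
     */
    private AuthenticationEntryPoint getLoginEntryPoint(B b, String str) {
        RequestMatcher loginPageOrFavicon = new OrRequestMatcher(new AntPathRequestMatcher(getLoginPage()), new AntPathRequestMatcher("/favicon.ico"));
        RequestMatcher excluded = new AndRequestMatcher(loginPageOrFavicon, getAuthenticationEntryPointMatcher(b));
        RequestMatcher notXhr = new NegatedRequestMatcher(new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest"));
        LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> entryPoints = new LinkedHashMap<>();
        entryPoints.put(new AndRequestMatcher(notXhr, new NegatedRequestMatcher(excluded)), new LoginUrlAuthenticationEntryPoint(str));
        DelegatingAuthenticationEntryPoint delegating = new DelegatingAuthenticationEntryPoint(entryPoints);
        delegating.setDefaultEntryPoint(getAuthenticationEntryPoint());
        return delegating;
    }

    /** Gives the Web SSO filter the same request repository that is resolved for the request filter. */
    private void setAuthenticationRequestRepository(B b, Saml2WebSsoAuthenticationFilter saml2WebSsoAuthenticationFilter) {
        saml2WebSsoAuthenticationFilter.setAuthenticationRequestRepository(getAuthenticationRequestRepository(b));
    }

    /** Creates the filter that starts a login using the resolved request resolver. */
    private Saml2WebSsoAuthenticationRequestFilter getAuthenticationRequestFilter(B b) {
        return new Saml2WebSsoAuthenticationRequestFilter(getAuthenticationRequestResolver(b));
    }

    /**
     * Resolves the request resolver: the explicitly configured one, else a unique bean, else an
     * OpenSAML 5 or 4 default bound to the configured authentication request matcher.
     */
    private Saml2AuthenticationRequestResolver getAuthenticationRequestResolver(B b) {
        if (this.authenticationRequestResolver != null) {
            return this.authenticationRequestResolver;
        }
        Saml2AuthenticationRequestResolver fromContext = getBeanOrNull(b, Saml2AuthenticationRequestResolver.class);
        if (fromContext != null) {
            return fromContext;
        }
        if (USE_OPENSAML_5) {
            OpenSaml5AuthenticationRequestResolver resolver = new OpenSaml5AuthenticationRequestResolver(relyingPartyRegistrationRepository(b));
            resolver.setRequestMatcher(this.authenticationRequestMatcher);
            return resolver;
        }
        OpenSaml4AuthenticationRequestResolver resolver = new OpenSaml4AuthenticationRequestResolver(relyingPartyRegistrationRepository(b));
        resolver.setRequestMatcher(this.authenticationRequestMatcher);
        return resolver;
    }

    /**
     * Resolves the converter for incoming responses.
     *
     * <p>Lookup order: the explicitly configured converter, a unique
     * {@link Saml2AuthenticationTokenConverter} bean, a unique
     * {@link OpenSamlAuthenticationTokenConverter} bean, a unique version-specific bean, and
     * finally a new version-specific default. The default reads the repository field directly,
     * so {@link #init(HttpSecurityBuilder)} resolves the repository before calling this method.
     */
    private AuthenticationConverter getAuthenticationConverter(B b) {
        if (this.authenticationConverter != null) {
            return this.authenticationConverter;
        }
        AuthenticationConverter fromContext = getBeanOrNull(b, Saml2AuthenticationTokenConverter.class);
        if (fromContext == null) {
            fromContext = getBeanOrNull(b, OpenSamlAuthenticationTokenConverter.class);
        }
        if (fromContext != null) {
            return fromContext;
        }
        if (USE_OPENSAML_5) {
            AuthenticationConverter versionBean = getBeanOrNull(b, OpenSaml5AuthenticationTokenConverter.class);
            if (versionBean != null) {
                return versionBean;
            }
            OpenSaml5AuthenticationTokenConverter converter = new OpenSaml5AuthenticationTokenConverter(this.relyingPartyRegistrationRepository);
            converter.setAuthenticationRequestRepository(getAuthenticationRequestRepository(b));
            converter.setRequestMatcher(this.loginProcessingUrl);
            return converter;
        }
        AuthenticationConverter versionBean = getBeanOrNull(b, OpenSaml4AuthenticationTokenConverter.class);
        if (versionBean != null) {
            return versionBean;
        }
        OpenSaml4AuthenticationTokenConverter converter = new OpenSaml4AuthenticationTokenConverter(this.relyingPartyRegistrationRepository);
        converter.setAuthenticationRequestRepository(getAuthenticationRequestRepository(b));
        converter.setRequestMatcher(this.loginProcessingUrl);
        return converter;
    }

    /**
     * Registers a default OpenSAML authentication provider unless a unique bean of the matching
     * version-specific type exists. Because the lookup is "if unique", two such beans also cause
     * a fresh default instance to be registered.
     */
    private void registerDefaultAuthenticationProvider(B b) {
        if (USE_OPENSAML_5) {
            if (getBeanOrNull(b, OpenSaml5AuthenticationProvider.class) == null) {
                b.authenticationProvider(postProcess(new OpenSaml5AuthenticationProvider()));
            }
        } else if (getBeanOrNull(b, OpenSaml4AuthenticationProvider.class) == null) {
            b.authenticationProvider(postProcess(new OpenSaml4AuthenticationProvider()));
        }
    }

    /**
     * Exempts the login-processing matcher from CSRF protection when CSRF is configured.
     *
     * <p>NOTE(review): presumably needed because the identity provider's POST of the SAML
     * response cannot carry the application's CSRF token; requests on this endpoint are then
     * protected only by the validation of the response itself. The matcher in effect at init
     * time is exempted as a whole, so a broad loginProcessingUrl pattern widens the exemption.
     */
    private void registerDefaultCsrfOverride(B b) {
        @SuppressWarnings("unchecked")
        CsrfConfigurer<B> csrf = (CsrfConfigurer<B>) b.getConfigurer(CsrfConfigurer.class);
        if (csrf == null) {
            return;
        }
        csrf.ignoringRequestMatchers(this.loginProcessingUrl);
    }

    /** Enables the SAML section of the generated login page unless a custom login page is used. */
    private void initDefaultLoginFilter(B b) {
        DefaultLoginPageGeneratingFilter loginPageFilter = b.getSharedObject(DefaultLoginPageGeneratingFilter.class);
        if (loginPageFilter == null || isCustomLoginPage()) {
            return;
        }
        loginPageFilter.setSaml2LoginEnabled(true);
        loginPageFilter.setSaml2AuthenticationUrlToProviderName(getIdentityProviderUrlMap(this.authenticationRequestUri, this.authenticationRequestParams, this.relyingPartyRegistrationRepository));
        loginPageFilter.setLoginPageUrl(getLoginPage());
        loginPageFilter.setFailureUrl(getFailureUrl());
    }

    /**
     * Maps the login URL of every known registration to its registration id.
     *
     * <p>Registrations can only be enumerated when the repository is {@link Iterable}; otherwise
     * (including a {@code null} repository) the map is empty. The registration id replaces the
     * {@code {registrationId}} placeholder verbatim, without URL encoding.
     * NOTE(review): presumably registration ids come from trusted configuration and are
     * URL-safe; confirm before these URLs are rendered or used as redirect targets.
     */
    private Map<String, String> getIdentityProviderUrlMap(String str, String[] strArr, RelyingPartyRegistrationRepository relyingPartyRegistrationRepository) {
        Map<String, String> urlToRegistrationId = new LinkedHashMap<>();
        if (!(relyingPartyRegistrationRepository instanceof Iterable)) {
            return urlToRegistrationId;
        }
        @SuppressWarnings("unchecked")
        Iterable<org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration> registrations =
                (Iterable<org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration>) relyingPartyRegistrationRepository;
        // The decompiler had replaced this query delimiter with an equal constant from an
        // unrelated logging class; the literal keeps URL building independent of that library.
        StringBuilder query = new StringBuilder("?");
        for (String param : strArr) {
            query.append(param).append('&');
        }
        // Removes the trailing '&', or the lone '?' when there are no parameters.
        query.deleteCharAt(query.length() - 1);
        String urlTemplate = str + query;
        for (org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration registration : registrations) {
            urlToRegistrationId.put(urlTemplate.replace("{registrationId}", registration.getRegistrationId()), registration.getRegistrationId());
        }
        return urlToRegistrationId;
    }

    /**
     * Returns the unique {@link Saml2AuthenticationRequestRepository} bean, or a new HTTP-session
     * backed repository when there is none. A new default instance is created on every call.
     */
    private Saml2AuthenticationRequestRepository<AbstractSaml2AuthenticationRequest> getAuthenticationRequestRepository(B b) {
        @SuppressWarnings("unchecked")
        Saml2AuthenticationRequestRepository<AbstractSaml2AuthenticationRequest> repository = getBeanOrNull(b, Saml2AuthenticationRequestRepository.class);
        if (repository != null) {
            return repository;
        }
        return new HttpSessionSaml2AuthenticationRequestRepository();
    }

    /** Returns the builder's shared object of the given type, falling back to a unique bean. */
    private <C> C getSharedOrBean(B b, Class<C> cls) {
        C shared = b.getSharedObject(cls);
        return shared != null ? shared : getBeanOrNull(b, cls);
    }

    /**
     * Returns the bean of the given type if the application context holds exactly one candidate.
     *
     * <p>The result is {@code null} when there is no application context, no such bean, or more
     * than one candidate. Callers treat {@code null} as "use the default", so an ambiguous
     * definition of a security component is silently replaced by the built-in one.
     */
    private <C> C getBeanOrNull(B b, Class<C> cls) {
        ApplicationContext context = b.getSharedObject(ApplicationContext.class);
        if (context == null) {
            return null;
        }
        return context.getBeanProvider(cls).getIfUnique();
    }

    /** Stores a shared object on the builder unless one of that type is already present. */
    private <C> void setSharedObject(B b, Class<C> cls, C c) {
        if (b.getSharedObject(cls) == null) {
            b.setSharedObject(cls, c);
        }
    }
}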
