package org.appng.application.authentication.saml;

import com.coveo.saml.SamlClient;
import com.coveo.saml.SamlException;
import com.coveo.saml.SamlResponse;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.appng.api.BusinessException;
import org.appng.api.Environment;
import org.appng.api.Scope;
import org.appng.api.model.Application;
import org.appng.api.model.AuthSubject;
import org.appng.api.model.Site;
import org.appng.api.model.Subject;
import org.appng.api.model.UserType;
import org.appng.api.support.ElementHelper;
import org.appng.application.authentication.AbstractLogon;
import org.appng.application.authentication.AuthenticationSettings;
import org.appng.application.authentication.MessageConstants;
import org.appng.core.domain.SubjectImpl;
import org.appng.core.service.CoreService;
import org.appng.tools.ui.StringNormalizer;
import org.appng.xml.platform.Message;
import org.appng.xml.platform.MessageType;
import org.appng.xml.platform.Messages;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml.saml2.core.AttributeValue;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.MessageSource;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
/* loaded from: input_file:org/appng/application/authentication/saml/SamlController.class */
public class SamlController implements InitializingBean {
    private final Site site;
    private final Application application;
    private final CoreService coreService;
    private final MessageSource messageSource;

    @Value("${samlEnabled}")
    private boolean samlEnabled;

    @Value("${samlClientId}")
    private String clientId;

    @Value("${samlForwardTarget}")
    private String forwardTarget;
    private List<String> userGroups;
    private SamlClient samlClient;
    private static final Logger LOGGER = LoggerFactory.getLogger(SamlController.class);
    private static String SAML_LOGIN = "SamlLogin";
    private static final ResponseEntity NOT_IMPLEMENTED = ResponseEntity.status(HttpStatus.NOT_IMPLEMENTED).build();
    public static String CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/";

    public void afterPropertiesSet() throws Exception {
        if (!this.samlEnabled) {
            LOGGER.debug("SAML is disabled");
            return;
        }
        byte[] bytes = this.application.getProperties().getClob(AuthenticationSettings.SAML_DESCRIPTOR).getBytes(StandardCharsets.UTF_8);
        this.userGroups = this.application.getProperties().getList(AuthenticationSettings.SAML_CREATE_NEW_USER_WITH_GROUPS, ",");
        String endpoint = getEndpoint();
        this.samlClient = SamlClient.fromMetadata(this.clientId, endpoint, new InputStreamReader(new ByteArrayInputStream(bytes)), SamlClient.SamlIdpBinding.POST);
        LOGGER.info("Created SAML client '{}' with endpoint {} and IDP", new Object[]{this.clientId, endpoint, this.samlClient.getIdentityProviderUrl()});
    }

    @GetMapping(path = {"/saml", "/saml/login"}, produces = {"text/html"})
    public void login(HttpServletResponse httpServletResponse) throws IOException, SamlException {
        if (this.samlEnabled) {
            this.samlClient.redirectToIdentityProvider(httpServletResponse, (String) null);
        } else {
            httpServletResponse.setStatus(NOT_IMPLEMENTED.getStatusCodeValue());
        }
    }

    @PostMapping(path = {"/saml"}, produces = {"text/plain"}, consumes = {"application/x-www-form-urlencoded"})
    public ResponseEntity<Void> reply(HttpServletRequest httpServletRequest, Environment environment) {
        if (!this.samlEnabled) {
            return NOT_IMPLEMENTED;
        }
        String str = MessageConstants.USER_LOGIN_FAIL;
        MessageType messageType = MessageType.ERROR;
        String str2 = this.forwardTarget;
        try {
            SamlResponse decodeAndValidateSamlResponse = this.samlClient.decodeAndValidateSamlResponse(httpServletRequest.getParameter("SAMLResponse"), httpServletRequest.getMethod());
            String nameID = decodeAndValidateSamlResponse.getNameID();
            LOGGER.debug("Received SAMLResponse for {}", nameID);
            Assertion assertion = decodeAndValidateSamlResponse.getAssertion();
            HashMap hashMap = new HashMap();
            Iterator it = assertion.getAttributeStatements().iterator();
            while (it.hasNext()) {
                for (Attribute attribute : ((AttributeStatement) it.next()).getAttributes()) {
                    String name = attribute.getName();
                    Stream filter = attribute.getAttributeValues().stream().filter(xMLObject -> {
                        return xMLObject instanceof AttributeValue;
                    });
                    Class<AttributeValue> cls = AttributeValue.class;
                    Objects.requireNonNull(AttributeValue.class);
                    List<String> list = (List) filter.map((v1) -> {
                        return r1.cast(v1);
                    }).map((v0) -> {
                        return v0.getTextContent();
                    }).collect(Collectors.toList());
                    hashMap.put(name, list);
                    LOGGER.debug("Attribute {} with values {}", name, StringUtils.join(list, ", "));
                }
            }
            Subject subjectByEmail = this.coreService.getSubjectByEmail(nameID);
            if (null == subjectByEmail && !this.userGroups.isEmpty()) {
                subjectByEmail = createUser(environment, nameID, hashMap);
            }
            if (null == subjectByEmail) {
                str = MessageConstants.USER_UNKNOWN;
                messageType = MessageType.INVALID;
            } else if (subjectByEmail.isLocked()) {
                str = MessageConstants.USER_IS_LOCKED;
            } else {
                boolean loginByUserName = this.coreService.loginByUserName(environment, subjectByEmail.getAuthName());
                LOGGER.info("Logged in {} : {}", subjectByEmail.getAuthName(), Boolean.valueOf(loginByUserName));
                if (loginByUserName) {
                    str = MessageConstants.USER_AUTHENTICATED;
                    messageType = MessageType.OK;
                    str2 = AbstractLogon.getSuccessPage(this.application.getProperties(), loginByUserName, (List) environment.getSubject().getGroups().stream().map((v0) -> {
                        return v0.getName();
                    }).collect(Collectors.toList()));
                    environment.setAttribute(Scope.SESSION, SAML_LOGIN, Boolean.TRUE);
                }
            }
        } catch (SamlException e) {
            LOGGER.error("Error processing SAML Response", e);
        }
        Messages messages = new Messages();
        Message message = new Message();
        message.setClazz(messageType);
        message.setContent(this.messageSource.getMessage(str, new Object[0], environment.getLocale()));
        messages.getMessageList().add(message);
        ElementHelper.addMessages(environment, messages);
        HttpHeaders httpHeaders = new HttpHeaders();
        httpHeaders.set("Location", str2);
        LOGGER.info("Forwarding to {}", str2);
        return new ResponseEntity<>(httpHeaders, HttpStatus.FOUND);
    }

    private Subject createUser(Environment environment, String str, Map<String, List<String>> map) {
        String str2 = map.get(CLAIM + "givenname").get(0);
        String str3 = map.get(CLAIM + "surname").get(0);
        String lowerCase = StringUtils.lowerCase(StringNormalizer.normalize(str2 + "." + str3));
        try {
            SubjectImpl subjectImpl = new SubjectImpl();
            subjectImpl.setEmail(str);
            subjectImpl.setLanguage(environment.getLocale().getLanguage());
            subjectImpl.setName(lowerCase);
            subjectImpl.setTimeZone(environment.getTimeZone().getID());
            subjectImpl.setPasswordChangePolicy(AuthSubject.PasswordChangePolicy.MUST_NOT);
            subjectImpl.setRealname(str2 + " " + str3);
            subjectImpl.setDescription("automatically created from SAML login at " + new Date());
            subjectImpl.setUserType(UserType.LOCAL_USER);
            Subject createSubject = this.coreService.createSubject(subjectImpl);
            this.coreService.addGroupsToSubject(subjectImpl.getName(), this.userGroups, true);
            LOGGER.info("Created user {} with group(s)", lowerCase, StringUtils.join(this.userGroups, ", "));
            return createSubject;
        } catch (BusinessException e) {
            LOGGER.error("Error creating new user " + lowerCase, e);
            return null;
        }
    }

    @PostMapping(path = {"/saml/sign-on"}, produces = {"text/plain"}, consumes = {"text/plain", "application/xml"})
    public ResponseEntity<String> signOn(@RequestBody String str) {
        return !this.samlEnabled ? NOT_IMPLEMENTED : new ResponseEntity<>(str, HttpStatus.OK);
    }

    @PostMapping(path = {"/saml/logout"}, consumes = {"application/x-www-form-urlencoded"})
    public ResponseEntity<String> logout(HttpServletRequest httpServletRequest, Environment environment) {
        if (!this.samlEnabled) {
            return NOT_IMPLEMENTED;
        }
        LOGGER.debug("logout request: {}", httpServletRequest.getParameterMap());
        try {
            LOGGER.debug("logout response: {}", this.samlClient.decodeAndValidateSamlLogoutResponse(httpServletRequest.getParameter("SAMLResponse"), httpServletRequest.getMethod()));
        } catch (SamlException e) {
            e.printStackTrace();
        }
        return new ResponseEntity<>(HttpStatus.OK);
    }

    @GetMapping(path = {"/saml/logout"})
    public void logout(HttpServletResponse httpServletResponse) {
        if (!this.samlEnabled) {
            httpServletResponse.setStatus(NOT_IMPLEMENTED.getStatusCodeValue());
            return;
        }
        try {
            this.samlClient.redirectToIdentityProviderLogout(httpServletResponse, "status", "statustext");
        } catch (IOException | SamlException e) {
            e.printStackTrace();
        }
    }

    public boolean isEnabled() {
        return this.samlEnabled;
    }

    public boolean isSamlLogin(Environment environment) {
        return Boolean.TRUE.equals(environment.getAttribute(Scope.SESSION, SAML_LOGIN));
    }

    public String getEndpoint() {
        return String.format("%s/service/%s/%s/rest/saml", this.site.getDomain(), this.site.getName(), this.application.getName());
    }

    public String getLogoutPath() {
        return String.format("%s/service/%s/%s/rest/saml/logout", this.site.getDomain(), this.site.getName(), this.application.getName());
    }

    public SamlController(Site site, Application application, CoreService coreService, MessageSource messageSource) {
        this.site = site;
        this.application = application;
        this.coreService = coreService;
        this.messageSource = messageSource;
    }
}
