package com.netflix.genie.web.security.saml;

import com.google.common.collect.Lists;
import com.netflix.genie.web.security.saml.SAMLProperties;
import com.netflix.genie.web.security.x509.X509UserDetailsService;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Timer;
import javax.servlet.Filter;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.MultiThreadedHttpConnectionManager;
import org.apache.velocity.app.VelocityEngine;
import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.parse.ParserPool;
import org.opensaml.xml.parse.StaticBasicParserPool;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.cloud.netflix.zuul.filters.discovery.DiscoveryClientRouteLocator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.core.io.Resource;
import org.springframework.core.io.ResourceLoader;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.saml.SAMLAuthenticationProvider;
import org.springframework.security.saml.SAMLBootstrap;
import org.springframework.security.saml.SAMLDiscovery;
import org.springframework.security.saml.SAMLEntryPoint;
import org.springframework.security.saml.SAMLLogoutFilter;
import org.springframework.security.saml.SAMLLogoutProcessingFilter;
import org.springframework.security.saml.SAMLProcessingFilter;
import org.springframework.security.saml.SAMLWebSSOHoKProcessingFilter;
import org.springframework.security.saml.context.SAMLContextProviderImpl;
import org.springframework.security.saml.context.SAMLContextProviderLB;
import org.springframework.security.saml.key.JKSKeyManager;
import org.springframework.security.saml.key.KeyManager;
import org.springframework.security.saml.log.SAMLDefaultLogger;
import org.springframework.security.saml.metadata.CachingMetadataManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;
import org.springframework.security.saml.metadata.MetadataDisplayFilter;
import org.springframework.security.saml.metadata.MetadataGenerator;
import org.springframework.security.saml.metadata.MetadataGeneratorFilter;
import org.springframework.security.saml.parser.ParserPoolHolder;
import org.springframework.security.saml.processor.HTTPArtifactBinding;
import org.springframework.security.saml.processor.HTTPPAOS11Binding;
import org.springframework.security.saml.processor.HTTPPostBinding;
import org.springframework.security.saml.processor.HTTPRedirectDeflateBinding;
import org.springframework.security.saml.processor.HTTPSOAP11Binding;
import org.springframework.security.saml.processor.SAMLProcessorImpl;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;
import org.springframework.security.saml.util.VelocityFactory;
import org.springframework.security.saml.websso.ArtifactResolutionProfile;
import org.springframework.security.saml.websso.ArtifactResolutionProfileImpl;
import org.springframework.security.saml.websso.SingleLogoutProfile;
import org.springframework.security.saml.websso.SingleLogoutProfileImpl;
import org.springframework.security.saml.websso.WebSSOProfile;
import org.springframework.security.saml.websso.WebSSOProfileConsumer;
import org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl;
import org.springframework.security.saml.websso.WebSSOProfileConsumerImpl;
import org.springframework.security.saml.websso.WebSSOProfileECPImpl;
import org.springframework.security.saml.websso.WebSSOProfileImpl;
import org.springframework.security.saml.websso.WebSSOProfileOptions;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@ConditionalOnProperty({"genie.security.saml.enabled"})
@Configuration
@Order(5)
/* loaded from: input_file:WEB-INF/lib/genie-web-3.3.5.jar:com/netflix/genie/web/security/saml/SAMLConfig.class */
public class SAMLConfig extends WebSecurityConfigurerAdapter {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) SAMLConfig.class);

    @Autowired
    private ResourceLoader resourceLoader;

    @Autowired
    private X509UserDetailsService x509UserDetailsService;

    @Autowired
    private SAMLProperties samlProperties;

    @Bean
    public static SAMLBootstrap samlBootstrap() {
        return new SAMLBootstrap();
    }

    @Bean
    public VelocityEngine velocityEngine() {
        return VelocityFactory.getEngine();
    }

    @Bean(initMethod = "initialize")
    public StaticBasicParserPool parserPool() {
        return new StaticBasicParserPool();
    }

    @Bean(name = {"parserPoolHolder"})
    public ParserPoolHolder parserPoolHolder() {
        return new ParserPoolHolder();
    }

    @Bean
    public MultiThreadedHttpConnectionManager multiThreadedHttpConnectionManager() {
        return new MultiThreadedHttpConnectionManager();
    }

    @Bean
    public HttpClient httpClient() {
        return new HttpClient(multiThreadedHttpConnectionManager());
    }

    @Bean
    public SAMLAuthenticationProvider samlAuthenticationProvider(SAMLUserDetailsService sAMLUserDetailsService) {
        SAMLAuthenticationProvider sAMLAuthenticationProvider = new SAMLAuthenticationProvider();
        sAMLAuthenticationProvider.setUserDetails(sAMLUserDetailsService);
        sAMLAuthenticationProvider.setForcePrincipalAsString(false);
        return sAMLAuthenticationProvider;
    }

    @Bean
    public SAMLContextProviderImpl contextProvider(SAMLProperties sAMLProperties) {
        if (sAMLProperties.getLoadBalancer() == null) {
            log.info("Using SAMLContextProviderImpl implementation of SAMLContextProvider for context provider bean.");
            return new SAMLContextProviderImpl();
        }
        log.info("Using SAMLContextProviderLB implementation of SAMLContextProvider for context provider bean.");
        SAMLContextProviderLB sAMLContextProviderLB = new SAMLContextProviderLB();
        SAMLProperties.LoadBalancer loadBalancer = sAMLProperties.getLoadBalancer();
        String scheme = loadBalancer.getScheme();
        log.info("Setting the load balancer scheme to {}", scheme);
        sAMLContextProviderLB.setScheme(scheme);
        String serverName = loadBalancer.getServerName();
        log.info("Setting the load balancer server name to {}", serverName);
        sAMLContextProviderLB.setServerName(serverName);
        String contextPath = loadBalancer.getContextPath();
        log.info("Setting the load balancer context path to {}", contextPath);
        sAMLContextProviderLB.setContextPath(contextPath);
        int serverPort = loadBalancer.getServerPort();
        log.info("Setting the load balancer port to {}", Integer.valueOf(serverPort));
        sAMLContextProviderLB.setServerPort(serverPort);
        boolean isIncludeServerPortInRequestURL = loadBalancer.isIncludeServerPortInRequestURL();
        log.info("Setting whether to include the server port in the request URL to {}", Boolean.valueOf(isIncludeServerPortInRequestURL));
        sAMLContextProviderLB.setIncludeServerPortInRequestURL(isIncludeServerPortInRequestURL);
        return sAMLContextProviderLB;
    }

    @Bean
    public SAMLDefaultLogger samlLogger() {
        return new SAMLDefaultLogger();
    }

    @Bean
    public WebSSOProfileConsumer webSSOprofileConsumer() {
        return new WebSSOProfileConsumerImpl();
    }

    @Bean
    public WebSSOProfileConsumerHoKImpl hokWebSSOprofileConsumer() {
        return new WebSSOProfileConsumerHoKImpl();
    }

    @Bean
    public WebSSOProfile webSSOprofile() {
        return new WebSSOProfileImpl();
    }

    @Bean
    public WebSSOProfileConsumerHoKImpl hokWebSSOProfile() {
        return new WebSSOProfileConsumerHoKImpl();
    }

    @Bean
    public WebSSOProfileECPImpl ecpprofile() {
        return new WebSSOProfileECPImpl();
    }

    @Bean
    public SingleLogoutProfile logoutProfile() {
        return new SingleLogoutProfileImpl();
    }

    @Bean
    public KeyManager keyManager() {
        Resource resource = this.resourceLoader.getResource("classpath:" + this.samlProperties.getKeystore().getName());
        HashMap hashMap = new HashMap();
        hashMap.put(this.samlProperties.getKeystore().getDefaultKey().getName(), this.samlProperties.getKeystore().getDefaultKey().getPassword());
        return new JKSKeyManager(resource, this.samlProperties.getKeystore().getPassword(), hashMap, this.samlProperties.getKeystore().getDefaultKey().getName());
    }

    @Bean
    public WebSSOProfileOptions defaultWebSSOProfileOptions() {
        WebSSOProfileOptions webSSOProfileOptions = new WebSSOProfileOptions();
        webSSOProfileOptions.setIncludeScoping(false);
        return webSSOProfileOptions;
    }

    @Bean
    public SAMLEntryPoint samlEntryPoint() {
        SAMLEntryPoint sAMLEntryPoint = new SAMLEntryPoint();
        sAMLEntryPoint.setDefaultProfileOptions(defaultWebSSOProfileOptions());
        return sAMLEntryPoint;
    }

    @Bean
    public ExtendedMetadata extendedMetadata() {
        return new ExtendedMetadata();
    }

    @Bean
    public SAMLDiscovery samlIDPDiscovery() {
        return new SAMLDiscovery();
    }

    @Bean
    @Qualifier("idp-ssocircle")
    public ExtendedMetadataDelegate ssoCircleExtendedMetadataProvider(SAMLProperties sAMLProperties) throws MetadataProviderException {
        HTTPMetadataProvider hTTPMetadataProvider = new HTTPMetadataProvider(new Timer(true), httpClient(), sAMLProperties.getIdp().getServiceProviderMetadataURL());
        hTTPMetadataProvider.setParserPool(parserPool());
        ExtendedMetadataDelegate extendedMetadataDelegate = new ExtendedMetadataDelegate(hTTPMetadataProvider, extendedMetadata());
        extendedMetadataDelegate.setMetadataTrustCheck(true);
        extendedMetadataDelegate.setMetadataRequireSignature(false);
        return extendedMetadataDelegate;
    }

    @Bean
    @Qualifier("metadata")
    public CachingMetadataManager metadata(ExtendedMetadataDelegate extendedMetadataDelegate) throws MetadataProviderException {
        return new CachingMetadataManager(Lists.newArrayList(extendedMetadataDelegate));
    }

    @Bean
    public MetadataGenerator metadataGenerator() {
        MetadataGenerator metadataGenerator = new MetadataGenerator();
        metadataGenerator.setEntityId(this.samlProperties.getSp().getEntityId());
        metadataGenerator.setExtendedMetadata(extendedMetadata());
        metadataGenerator.setIncludeDiscoveryExtension(false);
        metadataGenerator.setKeyManager(keyManager());
        if (this.samlProperties.getSp().getEntityBaseURL() != null) {
            metadataGenerator.setEntityBaseURL(this.samlProperties.getSp().getEntityBaseURL());
        }
        return metadataGenerator;
    }

    @Bean
    public MetadataDisplayFilter metadataDisplayFilter() {
        return new MetadataDisplayFilter();
    }

    @Bean
    public SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler() {
        return new SavedRequestAwareAuthenticationSuccessHandler();
    }

    @Bean
    public SimpleUrlAuthenticationFailureHandler authenticationFailureHandler() {
        SimpleUrlAuthenticationFailureHandler simpleUrlAuthenticationFailureHandler = new SimpleUrlAuthenticationFailureHandler();
        simpleUrlAuthenticationFailureHandler.setUseForward(true);
        simpleUrlAuthenticationFailureHandler.setDefaultFailureUrl("/error");
        return simpleUrlAuthenticationFailureHandler;
    }

    @Bean
    public SAMLWebSSOHoKProcessingFilter samlWebSSOHoKProcessingFilter() throws Exception {
        SAMLWebSSOHoKProcessingFilter sAMLWebSSOHoKProcessingFilter = new SAMLWebSSOHoKProcessingFilter();
        sAMLWebSSOHoKProcessingFilter.setAuthenticationSuccessHandler(successRedirectHandler());
        sAMLWebSSOHoKProcessingFilter.setAuthenticationManager(authenticationManager());
        sAMLWebSSOHoKProcessingFilter.setAuthenticationFailureHandler(authenticationFailureHandler());
        return sAMLWebSSOHoKProcessingFilter;
    }

    @Bean
    public SAMLProcessingFilter samlWebSSOProcessingFilter() throws Exception {
        SAMLProcessingFilter sAMLProcessingFilter = new SAMLProcessingFilter();
        sAMLProcessingFilter.setAuthenticationManager(authenticationManager());
        sAMLProcessingFilter.setAuthenticationSuccessHandler(successRedirectHandler());
        sAMLProcessingFilter.setAuthenticationFailureHandler(authenticationFailureHandler());
        return sAMLProcessingFilter;
    }

    @Bean
    public MetadataGeneratorFilter metadataGeneratorFilter() {
        return new MetadataGeneratorFilter(metadataGenerator());
    }

    @Bean
    public SimpleUrlLogoutSuccessHandler successLogoutHandler() {
        SimpleUrlLogoutSuccessHandler simpleUrlLogoutSuccessHandler = new SimpleUrlLogoutSuccessHandler();
        simpleUrlLogoutSuccessHandler.setDefaultTargetUrl("/");
        return simpleUrlLogoutSuccessHandler;
    }

    @Bean
    public SecurityContextLogoutHandler logoutHandler() {
        SecurityContextLogoutHandler securityContextLogoutHandler = new SecurityContextLogoutHandler();
        securityContextLogoutHandler.setInvalidateHttpSession(true);
        securityContextLogoutHandler.setClearAuthentication(true);
        return securityContextLogoutHandler;
    }

    @Bean
    public SAMLLogoutProcessingFilter samlLogoutProcessingFilter() {
        return new SAMLLogoutProcessingFilter(successLogoutHandler(), logoutHandler());
    }

    @Bean
    public SAMLLogoutFilter samlLogoutFilter() {
        return new SAMLLogoutFilter(successLogoutHandler(), new LogoutHandler[]{logoutHandler()}, new LogoutHandler[]{logoutHandler()});
    }

    private ArtifactResolutionProfile artifactResolutionProfile() {
        ArtifactResolutionProfileImpl artifactResolutionProfileImpl = new ArtifactResolutionProfileImpl(httpClient());
        artifactResolutionProfileImpl.setProcessor(new SAMLProcessorImpl(soapBinding()));
        return artifactResolutionProfileImpl;
    }

    @Bean
    public HTTPArtifactBinding artifactBinding(ParserPool parserPool, VelocityEngine velocityEngine) {
        return new HTTPArtifactBinding(parserPool, velocityEngine, artifactResolutionProfile());
    }

    @Bean
    public HTTPSOAP11Binding soapBinding() {
        return new HTTPSOAP11Binding(parserPool());
    }

    @Bean
    public HTTPPostBinding httpPostBinding() {
        return new HTTPPostBinding(parserPool(), velocityEngine());
    }

    @Bean
    public HTTPRedirectDeflateBinding httpRedirectDeflateBinding() {
        return new HTTPRedirectDeflateBinding(parserPool());
    }

    @Bean
    public HTTPSOAP11Binding httpSOAP11Binding() {
        return new HTTPSOAP11Binding(parserPool());
    }

    @Bean
    public HTTPPAOS11Binding httpPAOS11Binding() {
        return new HTTPPAOS11Binding(parserPool());
    }

    @Bean
    public SAMLProcessorImpl processor() {
        return new SAMLProcessorImpl(Lists.newArrayList(httpRedirectDeflateBinding(), httpPostBinding(), artifactBinding(parserPool(), velocityEngine()), httpSOAP11Binding(), httpPAOS11Binding()));
    }

    @Bean
    public FilterChainProxy samlFilter() throws Exception {
        ArrayList arrayList = new ArrayList();
        arrayList.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/login/**"), samlEntryPoint()));
        arrayList.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/logout/**"), samlLogoutFilter()));
        arrayList.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/metadata/**"), metadataDisplayFilter()));
        arrayList.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSO/**"), samlWebSSOProcessingFilter()));
        arrayList.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSOHoK/**"), samlWebSSOHoKProcessingFilter()));
        arrayList.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SingleLogout/**"), samlLogoutProcessingFilter()));
        arrayList.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/discovery/**"), samlIDPDiscovery()));
        return new FilterChainProxy(arrayList);
    }

    /* JADX WARN: Multi-variable type inference failed */
    @Override // org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.httpBasic().authenticationEntryPoint(samlEntryPoint());
        httpSecurity.csrf().disable();
        httpSecurity.addFilterBefore((Filter) metadataGeneratorFilter(), ChannelProcessingFilter.class).addFilterAfter((Filter) samlFilter(), BasicAuthenticationFilter.class);
        ((HttpSecurity) httpSecurity.antMatcher(DiscoveryClientRouteLocator.DEFAULT_ROUTE).authorizeRequests().antMatchers("/actuator/**").permitAll().antMatchers("/api/**").permitAll().antMatchers("/error").permitAll().antMatchers("/saml/**").permitAll().anyRequest().authenticated().and()).x509().authenticationUserDetailsService(this.x509UserDetailsService);
        httpSecurity.logout().logoutSuccessUrl("/");
    }

    void setSamlProperties(SAMLProperties sAMLProperties) {
        this.samlProperties = sAMLProperties;
    }

    void setResourceLoader(ResourceLoader resourceLoader) {
        this.resourceLoader = resourceLoader;
    }
}
