package dk.digitalidentity.saml.service;

import com.fasterxml.jackson.databind.ObjectMapper;
import dk.digitalidentity.saml.extension.SamlIdentityProviderProvider;
import dk.digitalidentity.saml.extension.SamlLoginPostProcessor;
import dk.digitalidentity.saml.model.CompactToken;
import dk.digitalidentity.saml.model.IdentityProvider;
import dk.digitalidentity.saml.model.TokenUser;
import dk.digitalidentity.saml.oiobpp.PrivilegeList;
import java.io.ByteArrayInputStream;
import java.io.InputStreamReader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.StringJoiner;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.apache.log4j.Logger;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.xml.XMLObject;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;
import org.springframework.stereotype.Component;

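/**
 * Builds the application's {@link TokenUser} from a validated SAML assertion.
 *
 * <p>The username is the NameID value. The CVR comes from the configured
 * {@link SamlIdentityProviderProvider} when one is wired, otherwise from the
 * {@code O} component of an X.509 subject-name NameID. Authorities are read from
 * the OIO-BPP {@code Privileges_intermediate} attribute and, when
 * {@code saml.roles.claimname} is set, from that claim as well.
 *
 * <p>Extraction failures are logged and do not abort the login: the returned user
 * carries whatever was extracted before the failure (possibly an empty CVR and no
 * authorities), so downstream code must not treat "has a TokenUser" as "has roles".
 */
@Component
public class TokenUserDetailsService implements SAMLUserDetailsService {
    private static final Logger log = Logger.getLogger(TokenUserDetailsService.class);

    /** NameID format whose value is an X.509 subject DN such as {@code CN=..., O=..., C=DK}. */
    private static final String X509_SUBJECT_NAME_FORMAT =
            "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName";

    /** SAML attribute carrying the Base64-encoded OIO-BPP privilege list XML. */
    private static final String PRIVILEGES_ATTRIBUTE = "dk:gov:saml:attribute:Privileges_intermediate";

    /** Prefix Spring Security expects on role authorities. */
    private static final String ROLE_PREFIX = "ROLE_";

    /** ObjectMapper is thread-safe once configured; reused for the compact token log line. */
    private static final ObjectMapper MAPPER = new ObjectMapper();

    @Autowired(required = false)
    private SamlLoginPostProcessor postProcesser;

    @Autowired(required = false)
    private SamlIdentityProviderProvider identityProviderProvider;

    /**
     * Token logging mode from {@code saml.log.token}: {@code full}/{@code true} writes the
     * whole assertion (every attribute it carries) to the log, {@code compact} writes a
     * NameID/CVR/roles summary, anything else logs nothing.
     */
    @Value("${saml.log.token}")
    private String logTokenValue;

    /** Optional attribute name whose values are mapped to {@code ROLE_*} authorities. */
    @Value("${saml.roles.claimname}")
    private String roleClaimName;

    /**
     * Maps a validated SAML credential to a {@link TokenUser}.
     *
     * @param sAMLCredential the credential produced by the SAML filter chain
     * @return the populated {@link TokenUser}, after the optional post-processor has run
     * @throws UsernameNotFoundException declared by the interface; not thrown here
     */
    @Override
    public Object loadUserBySAML(SAMLCredential sAMLCredential) throws UsernameNotFoundException {
        // Concrete types kept for the builder call, whose parameter types are not visible here.
        ArrayList<GrantedAuthority> authorities = new ArrayList<>();
        HashMap<String, Object> attributes = new HashMap<>();
        String username = sAMLCredential.getNameID().getValue();
        String cvr = "";
        try {
            logToken(sAMLCredential);
            cvr = extractCvr(sAMLCredential);
            extractAttributes(sAMLCredential, attributes);
            extractRolesFromOioBpp(sAMLCredential, authorities);
            extractRolesFromClaim(sAMLCredential, authorities);
        } catch (Exception e) {
            // Deliberate best-effort: a malformed privilege list or claim must not break
            // the login, but it does leave the user with partial (or no) authorities.
            log.error("Bad or missing token", e);
        }
        TokenUser user = TokenUser.builder()
                .authorities(authorities)
                .cvr(cvr)
                .attributes(attributes)
                .username(username)
                .build();
        if (this.postProcesser != null) {
            this.postProcesser.process(user);
        }
        return user;
    }

    /**
     * Copies the {@code CN} and {@code Serial} components of an X.509 subject-name NameID
     * into the user's attribute map. Other NameID formats contribute no attributes.
     *
     * @param credential source credential
     * @param attributes destination map; receives {@link TokenUser#ATTRIBUTE_NAME} and
     *                   {@link TokenUser#ATTRIBUTE_UUID}
     */
    private static void extractAttributes(SAMLCredential credential, Map<String, Object> attributes) {
        if (!X509_SUBJECT_NAME_FORMAT.equals(credential.getNameID().getFormat())) {
            return;
        }
        String subject = credential.getNameID().getValue();
        attributes.put(TokenUser.ATTRIBUTE_NAME, getNameIdValue("CN", subject));
        attributes.put(TokenUser.ATTRIBUTE_UUID, getNameIdValue("Serial", subject));
    }

    /**
     * Resolves the CVR for the credential.
     *
     * <p>When an {@link SamlIdentityProviderProvider} is wired, the CVR is looked up by the
     * remote entity id and an unknown entity id yields {@code ""} (the subject-name
     * fallback is <em>not</em> tried). Without a provider, the {@code O} component of an
     * X.509 subject-name NameID is used.
     *
     * @param credential source credential
     * @return the CVR, {@code ""} when it cannot be determined (or whatever the provider's
     *         {@code getCvr()} returns, which may be {@code null})
     */
    private String extractCvr(SAMLCredential credential) {
        if (this.identityProviderProvider != null) {
            String entityId = credential.getRemoteEntityID();
            IdentityProvider idp = this.identityProviderProvider.getByEntityId(entityId);
            if (idp == null) {
                log.error("Failed to extract CVR from Identity Provider - EntityId unknown: " + entityId);
                return "";
            }
            return idp.getCvr();
        }
        if (X509_SUBJECT_NAME_FORMAT.equals(credential.getNameID().getFormat())) {
            return getNameIdValue("O", credential.getNameID().getValue());
        }
        return "";
    }

    /**
     * Adds one {@code ROLE_<privilege>} authority per privilege group in the OIO-BPP
     * privilege list attribute. Absent attribute means no authorities are added.
     *
     * <p>The attribute payload is Base64-encoded XML coming from the identity provider; it
     * is parsed with DTD processing and external entity resolution disabled so the XML
     * cannot pull in local files or remote resources.
     *
     * @param credential  source credential
     * @param authorities destination list
     * @throws JAXBException      if the decoded XML is not a valid privilege list
     * @throws XMLStreamException if the decoded bytes are not well-formed XML
     */
    private static void extractRolesFromOioBpp(SAMLCredential credential, List<GrantedAuthority> authorities)
            throws JAXBException, XMLStreamException {
        String encoded = credential.getAttributeAsString(PRIVILEGES_ATTRIBUTE);
        if (encoded == null) {
            return;
        }
        byte[] xml = Base64.getDecoder().decode(encoded);
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        // Let the StAX parser honour the XML encoding declaration instead of decoding with
        // the platform charset via InputStreamReader.
        XMLStreamReader reader = factory.createXMLStreamReader(new ByteArrayInputStream(xml));
        try {
            PrivilegeList privileges = (PrivilegeList) JAXBContext.newInstance(PrivilegeList.class)
                    .createUnmarshaller()
                    .unmarshal(reader);
            for (PrivilegeList.PrivilegeGroup group : privileges.getPrivilegeGroup()) {
                authorities.add(new SimpleGrantedAuthority(ROLE_PREFIX + group.getPrivilege()));
            }
        } finally {
            reader.close();
        }
    }

    /**
     * Adds one {@code ROLE_<value>} authority per value of the configured role claim.
     * Does nothing when {@code saml.roles.claimname} is unset or empty. The claim name is
     * matched case-insensitively against every attribute in the credential.
     *
     * @param credential  source credential
     * @param authorities destination list
     */
    private void extractRolesFromClaim(SAMLCredential credential, List<GrantedAuthority> authorities) {
        if (!hasRoleClaimName()) {
            return;
        }
        for (Attribute attribute : credential.getAttributes()) {
            if (!this.roleClaimName.equalsIgnoreCase(attribute.getName())) {
                continue;
            }
            for (XMLObject value : attribute.getAttributeValues()) {
                // getDOM() is assumed non-null for values built from the received assertion;
                // a null here surfaces as the "Bad or missing token" error in the caller.
                authorities.add(new SimpleGrantedAuthority(ROLE_PREFIX + value.getDOM().getTextContent()));
            }
        }
    }

    /** @return whether a non-empty role claim name is configured. */
    private boolean hasRoleClaimName() {
        return this.roleClaimName != null && !this.roleClaimName.isEmpty();
    }

    /**
     * Returns the value of {@code key} in a string-form subject DN.
     *
     * <p>The {@code key=} marker must start an attribute, i.e. be at the beginning of the
     * string or follow a non-alphanumeric separator; this keeps {@code O=} from matching
     * inside {@code DO=...} or inside another attribute's value. The value runs up to the
     * next {@code ','} (escaped commas are not handled).
     *
     * @param key    attribute type, e.g. {@code "CN"}; matched case-sensitively
     * @param nameId the subject DN string
     * @return the value, or {@code ""} when the key is not present
     */
    private static String getNameIdValue(String key, String nameId) {
        String marker = key + "=";
        int searchFrom = 0;
        while (true) {
            int idx = nameId.indexOf(marker, searchFrom);
            if (idx < 0) {
                return "";
            }
            if (idx == 0 || !Character.isLetterOrDigit(nameId.charAt(idx - 1))) {
                int start = idx + marker.length();
                int end = nameId.indexOf(',', start);
                return end < 0 ? nameId.substring(start) : nameId.substring(start, end);
            }
            searchFrom = idx + 1;
        }
    }

    /**
     * Writes the token to the log according to {@code saml.log.token}. Any failure while
     * serializing is logged and otherwise ignored, since logging must never block login.
     *
     * @param credential source credential
     */
    private void logToken(SAMLCredential credential) {
        try {
            if ("full".equals(this.logTokenValue) || "true".equals(this.logTokenValue)) {
                log.info("Full token = " + serializeAssertion(credential));
            } else if ("compact".equals(this.logTokenValue)) {
                log.info("Compact token = " + MAPPER.writeValueAsString(buildCompactToken(credential)));
            }
        } catch (Exception e) {
            log.error("Failed to log token", e);
        }
    }

    /**
     * Pretty-prints the authentication assertion's DOM as XML without an XML declaration.
     *
     * @param credential source credential
     * @return the indented assertion XML
     * @throws TransformerException if the transformer cannot be created or fails
     */
    private static String serializeAssertion(SAMLCredential credential) throws TransformerException {
        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        transformer.setOutputProperty(OutputKeys.METHOD, "xml");
        transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
        transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        transformer.setOutputProperty(OutputKeys.INDENT, "yes");
        transformer.setOutputProperty(OutputKeys.ENCODING, "UTF-8");
        StringWriter out = new StringWriter();
        transformer.transform(new DOMSource(credential.getAuthenticationAssertion().getDOM()), new StreamResult(out));
        return out.toString();
    }

    /**
     * Builds the NameID/CVR/roles summary used by the {@code compact} log mode.
     *
     * <p>With a role claim configured, roles are the comma-joined values of that attribute
     * (looked up by exact name here, unlike the case-insensitive match used for
     * authorities). Otherwise roles are the decoded OIO-BPP privilege XML. A missing
     * attribute leaves roles unset rather than failing the log line.
     *
     * @param credential source credential
     * @return the summary token
     */
    private CompactToken buildCompactToken(SAMLCredential credential) {
        CompactToken token = new CompactToken();
        token.setNameId(credential.getNameID().getValue());
        token.setCvr(extractCvr(credential));
        if (hasRoleClaimName()) {
            Attribute attribute = credential.getAttribute(this.roleClaimName);
            if (attribute != null) {
                token.setRoles(joinTextValues(attribute));
            }
        } else {
            String encoded = credential.getAttributeAsString(PRIVILEGES_ATTRIBUTE);
            if (encoded != null) {
                token.setRoles(new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8));
            }
        }
        return token;
    }

    /**
     * Joins the text content of every value of {@code attribute} with {@code ","}.
     *
     * @param attribute the SAML attribute
     * @return the joined values, {@code ""} for an attribute without values
     */
    private static String joinTextValues(Attribute attribute) {
        StringJoiner joiner = new StringJoiner(",");
        for (XMLObject value : attribute.getAttributeValues()) {
            joiner.add(value.getDOM().getTextContent());
        }
        return joiner.toString();
    }
}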
