package dk.digitalidentity.saml.configuration;

import dk.digitalidentity.saml.extension.SamlIdentityProviderProvider;
import dk.digitalidentity.saml.filter.CsrfHeaderFilter;
import dk.digitalidentity.saml.io.ADFSResource;
import dk.digitalidentity.saml.io.MemoryResource;
import dk.digitalidentity.saml.io.WarnOnlyMetadataProvider;
import dk.digitalidentity.saml.model.IdentityProvider;
import dk.digitalidentity.saml.security.PfxKeyManager;
import dk.digitalidentity.saml.service.TokenUserDetailsService;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Timer;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import javax.servlet.Filter;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.MultiThreadedHttpConnectionManager;
import org.apache.log4j.Logger;
import org.apache.velocity.app.VelocityEngine;
import org.opensaml.util.resource.FilesystemResource;
import org.opensaml.xml.parse.StaticBasicParserPool;
import org.springframework.beans.factory.BeanInitializationException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.PropertySource;
import org.springframework.core.io.DefaultResourceLoader;
import org.springframework.core.io.Resource;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.saml.SAMLAuthenticationProvider;
import org.springframework.security.saml.SAMLBootstrap;
import org.springframework.security.saml.SAMLDiscovery;
import org.springframework.security.saml.SAMLEntryPoint;
import org.springframework.security.saml.SAMLLogoutFilter;
import org.springframework.security.saml.SAMLLogoutProcessingFilter;
import org.springframework.security.saml.SAMLProcessingFilter;
import org.springframework.security.saml.SAMLWebSSOHoKProcessingFilter;
import org.springframework.security.saml.context.SAMLContextProviderImpl;
import org.springframework.security.saml.context.SAMLContextProviderLB;
import org.springframework.security.saml.key.JKSKeyManager;
import org.springframework.security.saml.key.KeyManager;
import org.springframework.security.saml.log.SAMLDefaultLogger;
import org.springframework.security.saml.metadata.CachingMetadataManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;
import org.springframework.security.saml.metadata.MetadataDisplayFilter;
import org.springframework.security.saml.metadata.MetadataGenerator;
import org.springframework.security.saml.metadata.MetadataGeneratorFilter;
import org.springframework.security.saml.parser.ParserPoolHolder;
import org.springframework.security.saml.processor.HTTPPostBinding;
import org.springframework.security.saml.processor.HTTPRedirectDeflateBinding;
import org.springframework.security.saml.processor.SAMLProcessorImpl;
import org.springframework.security.saml.util.VelocityFactory;
import org.springframework.security.saml.websso.SingleLogoutProfile;
import org.springframework.security.saml.websso.SingleLogoutProfileImpl;
import org.springframework.security.saml.websso.WebSSOProfile;
import org.springframework.security.saml.websso.WebSSOProfileConsumer;
import org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl;
import org.springframework.security.saml.websso.WebSSOProfileConsumerImpl;
import org.springframework.security.saml.websso.WebSSOProfileHoKImpl;
import org.springframework.security.saml.websso.WebSSOProfileImpl;
import org.springframework.security.saml.websso.WebSSOProfileOptions;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

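@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@PropertySource("classpath:saml-default.properties")
/* loaded from: input_file:dk/digitalidentity/saml/configuration/SamlConfiguration.class */
/**
 * Spring Security wiring for SAML 2.0 web SSO on top of the spring-security-saml extension.
 * <p>
 * Every {@code @Bean} method below gets its method name as the default bean name, and the SAML
 * extension resolves several of them by name ({@code parserPoolHolder}, {@code metadata}), so
 * the method names are part of the contract and must not be changed. All tunables are read from
 * {@code saml.*} properties, with defaults supplied by {@code saml-default.properties}.
 * <p>
 * Two settings lower trust and should be reviewed before deployment:
 * {@code saml.idp.selfsigned=true} disables TLS server-certificate validation for the whole JVM
 * (see {@link #allowUntrustedCert()}), and IdP metadata is always loaded with its signature trust
 * check switched off (see {@link #metadata()}), so the metadata is only as trustworthy as the
 * channel or file it came from.
 */
public class SamlConfiguration extends WebSecurityConfigurerAdapter {
    private static final Logger log = Logger.getLogger(SamlConfiguration.class);

    /** Keystore format holding the SP signing/encryption key; {@code PKCS12} (default) or a JKS store. */
    @Value("${saml.keystore.type:PKCS12}")
    private String keystoreType;

    /** Spring resource location of the keystore (e.g. {@code classpath:} or {@code file:} prefix). */
    @Value("${saml.keystore.location}")
    private String keystore;

    /** Keystore password; also used as the key password for JKS stores (see {@link #keyManager()}). */
    @Value("${saml.keystore.password}")
    private String password;

    /** Key alias inside a JKS store; unused for PKCS12 stores. */
    @Value("${saml.keystore.alias:}")
    private String alias;

    /** Fixed post-login redirect; when blank the originally requested page is used instead. */
    @Value("${saml.page.success}")
    private String successUrl;

    /** Page forwarded to when SAML authentication fails. */
    @Value("${saml.page.error}")
    private String errorUrl;

    /** Page redirected to after logout. */
    @Value("${saml.page.logout}")
    private String logoutUrl;

    /** Public base URL of this SP; doubles as the SAML entity ID and drives the LB context provider. */
    @Value("${saml.baseUrl}")
    private String baseUrl;

    /** When true, TLS certificate validation is disabled JVM-wide before IdP metadata is fetched. */
    @Value("${saml.idp.selfsigned}")
    private boolean allowUntrustedCertificates;

    /** Whether the port from {@code saml.baseUrl} is included in reconstructed request URLs. */
    @Value("${saml.proxy.includeport}")
    private boolean proxyIncludePort;

    /** Whether every AuthnRequest asks the IdP to re-authenticate the user. */
    @Value("${saml.forceAuthn}")
    private boolean forceAuthn;

    /** Context path as seen by the client (behind a reverse proxy it may differ from the container's). */
    @Value("${saml.proxy.contextpath}")
    private String proxyContextPath;

    /** IdP metadata location, prefixed with {@code file:} or {@code url:}; ignored when discovery is on. */
    @Value("${saml.idp.metadatafile}")
    private String idpMetadataFile;

    /** Ant patterns that are reachable without authentication. */
    @Value("${saml.nonsecured.pages}")
    private String[] nonSecuredPages;

    /** Master switch for CSRF protection on non-SAML endpoints. */
    @Value("${saml.csrf.enabled}")
    private boolean csrfEnabled;

    /** Ant patterns exempt from CSRF protection in addition to {@code /saml/**}. */
    @Value("${saml.csrf.bypass}")
    private String[] nonCsrfPages;

    /** Multi-IdP mode: metadata comes from {@link #identityProviderProvider} and a discovery page. */
    @Value("${saml.idp.discovery}")
    private boolean idpDiscovery;

    /** Path of the IdP selection page used when discovery is enabled. */
    @Value("${saml.idp.discovery.path}")
    private String idpDiscoveryPath;

    /** Allowed clock skew, in seconds, when checking SAML timestamps. */
    @Value("${saml.timestamp.skew}")
    private int timestampSkew;

    /** Maximum age, in seconds, of an IdP authentication (and of an assertion) that is still accepted. */
    @Value("${saml.timestamp.validity}")
    private int timestampValidity;

    /** Supplies the IdP list in discovery mode; optional because single-IdP setups do not need it. */
    @Autowired(required = false)
    private SamlIdentityProviderProvider identityProviderProvider;

    @Autowired
    private TokenUserDetailsService tokenUserDetailsService;

    /** Velocity engine used to render the HTTP-POST binding form. */
    @Bean
    public VelocityEngine velocityEngine() {
        return VelocityFactory.getEngine();
    }

    /** XML parser pool shared by the bindings and metadata providers; Spring calls {@code initialize()}. */
    @Bean(initMethod = "initialize")
    public StaticBasicParserPool parserPool() {
        return new StaticBasicParserPool();
    }

    /** Holder the SAML extension uses to locate {@link #parserPool()}; the bean name is required. */
    @Bean(name = "parserPoolHolder")
    public ParserPoolHolder parserPoolHolder() {
        return new ParserPoolHolder();
    }

    /** Connection manager backing {@link #httpClient()}. */
    @Bean
    public MultiThreadedHttpConnectionManager multiThreadedHttpConnectionManager() {
        return new MultiThreadedHttpConnectionManager();
    }

    /** HTTP client used by the SAML extension (artifact resolution, remote metadata). */
    @Bean
    public HttpClient httpClient() {
        return new HttpClient(multiThreadedHttpConnectionManager());
    }

    /** Authentication provider that maps a validated SAML credential to a local user via the token service. */
    @Bean
    public SAMLAuthenticationProvider samlAuthenticationProvider() {
        SAMLAuthenticationProvider provider = new SAMLAuthenticationProvider();
        provider.setUserDetails(this.tokenUserDetailsService);
        return provider;
    }

    /**
     * Context provider for deployments behind a reverse proxy / load balancer.
     * <p>
     * The scheme, host and port are taken from {@code saml.baseUrl} rather than from the incoming
     * request, so that the URLs used in SAML messages (and checked against Destination attributes)
     * match what the IdP sees rather than the internal container address.
     *
     * @throws BeanInitializationException if {@code saml.baseUrl} is not a well-formed URL
     */
    @Bean
    public SAMLContextProviderImpl contextProvider() {
        SAMLContextProviderLB provider = new SAMLContextProviderLB();
        URL base;
        try {
            base = new URL(this.baseUrl);
        } catch (MalformedURLException e) {
            throw new BeanInitializationException("Invalid saml.baseUrl '" + this.baseUrl + "': " + e.getMessage(), e);
        }
        provider.setScheme(base.getProtocol());
        provider.setServerName(base.getHost());
        // NOTE(review): URL.getPort() is -1 when saml.baseUrl carries no explicit port; confirm
        // SAMLContextProviderLB handles that before enabling saml.proxy.includeport.
        provider.setServerPort(base.getPort());
        provider.setIncludeServerPortInRequestURL(this.proxyIncludePort);
        provider.setContextPath(this.proxyContextPath);
        return provider;
    }

    /** Bootstraps OpenSAML; static so it runs before the other beans of this configuration. */
    @Bean
    public static SAMLBootstrap sAMLBootstrap() {
        return new CustomSamlBootstrap();
    }

    /** Logger for SAML message exchanges. */
    @Bean
    public SAMLDefaultLogger samlLogger() {
        return new SAMLDefaultLogger();
    }

    /**
     * Validates incoming SAML Responses / Assertions.
     * <p>
     * {@code releaseDOM} is left false so the assertion XML stays available after processing.
     */
    @Bean
    public WebSSOProfileConsumer webSSOprofileConsumer() {
        WebSSOProfileConsumerImpl consumer = new WebSSOProfileConsumerImpl();
        consumer.setResponseSkew(this.timestampSkew);
        consumer.setMaxAuthenticationAge(this.timestampValidity);
        consumer.setReleaseDOM(false);
        return consumer;
    }

    /** Builds outgoing AuthnRequests, using the same skew and validity window as the consumer. */
    @Bean
    public WebSSOProfile webSSOprofile() {
        WebSSOProfileImpl profile = new WebSSOProfileImpl();
        profile.setResponseSkew(this.timestampSkew);
        profile.setMaxAssertionTime(this.timestampValidity);
        return profile;
    }

    /** Holder-of-Key consumer, required by the extension even when HoK is not used. */
    @Bean
    public WebSSOProfileConsumerHoKImpl hokWebSSOprofileConsumer() {
        return new WebSSOProfileConsumerHoKImpl();
    }

    /** Holder-of-Key profile, required by the extension even when HoK is not used. */
    @Bean
    public WebSSOProfileHoKImpl hokWebSSOProfile() {
        return new WebSSOProfileHoKImpl();
    }

    /** Single logout profile with the configured timestamp skew. */
    @Bean
    public SingleLogoutProfile logoutprofile() {
        SingleLogoutProfileImpl profile = new SingleLogoutProfileImpl();
        profile.setResponseSkew(this.timestampSkew);
        return profile;
    }

    /**
     * Key manager holding the SP's signing/decryption key.
     * <p>
     * PKCS12 stores are handled by {@link PfxKeyManager}; anything else is treated as a JKS store
     * whose key password is assumed to equal the store password.
     */
    @Bean
    public KeyManager keyManager() {
        Resource store = new DefaultResourceLoader().getResource(this.keystore);
        if ("PKCS12".equals(this.keystoreType)) {
            return new PfxKeyManager(store, this.password);
        }
        HashMap<String, String> keyPasswords = new HashMap<String, String>();
        keyPasswords.put(this.alias, this.password);
        return new JKSKeyManager(store, this.password, keyPasswords, this.alias);
    }

    /** Default options for AuthnRequests: no scoping element, ForceAuthn per {@code saml.forceAuthn}. */
    @Bean
    public WebSSOProfileOptions defaultWebSSOProfileOptions() {
        WebSSOProfileOptions options = new WebSSOProfileOptions();
        options.setIncludeScoping(false);
        options.setForceAuthN(this.forceAuthn);
        return options;
    }

    /** Entry point that starts the SSO flow for unauthenticated requests. */
    @Bean
    public SAMLEntryPoint samlEntryPoint() {
        SAMLEntryPoint entryPoint = new SAMLEntryPoint();
        entryPoint.setDefaultProfileOptions(defaultWebSSOProfileOptions());
        return entryPoint;
    }

    /** SP metadata settings: discovery flag mirrors {@code saml.idp.discovery}; metadata is not signed. */
    @Bean
    public ExtendedMetadata extendedMetadata() {
        ExtendedMetadata metadata = new ExtendedMetadata();
        metadata.setIdpDiscoveryEnabled(this.idpDiscovery);
        metadata.setSignMetadata(false);
        return metadata;
    }

    /**
     * Loads IdP metadata and exposes it through a caching manager.
     * <p>
     * Sources, in order of precedence: in discovery mode every {@link IdentityProvider} from
     * {@link #identityProviderProvider} (inline XML, or fetched when the value starts with
     * {@code http}); otherwise {@code saml.idp.metadatafile} with a {@code file:} or {@code url:}
     * prefix. Remote fetches go through {@link ADFSResource}, honouring {@code saml.idp.selfsigned}.
     * <p>
     * All providers are registered with {@code metadataTrustCheck=false}, i.e. the metadata's own
     * signature is not verified: a {@code file:} source is trusted as a local file and a remote
     * source only as far as its transport is. Note that the {@code http} prefix check also admits
     * plain {@code http://} locations, which offer no transport authenticity at all. In discovery
     * mode a single IdP that fails to load is logged and skipped; in single-IdP mode a failure
     * aborts startup.
     *
     * @throws BeanInitializationException if discovery is enabled without a provider bean, the
     *         metadata location prefix is unknown, or a {@code url:} source cannot be loaded
     */
    @Bean
    @Qualifier("metadata")
    public CachingMetadataManager metadata() throws Exception {
        if (this.allowUntrustedCertificates) {
            allowUntrustedCert();
        }
        // Raw list on purpose: CachingMetadataManager takes List<MetadataProvider>, a type not imported here.
        ArrayList providers = new ArrayList();
        if (this.idpDiscovery) {
            if (this.identityProviderProvider == null) {
                throw new BeanInitializationException("saml.idp.discovery is enabled but no SamlIdentityProviderProvider bean is available");
            }
            for (IdentityProvider idp : this.identityProviderProvider.getIdentityProviders()) {
                try {
                    String metadata = idp.getMetadata();
                    WarnOnlyMetadataProvider provider;
                    if (metadata != null && metadata.startsWith("http")) {
                        provider = new WarnOnlyMetadataProvider(new Timer(), new ADFSResource(metadata, this.allowUntrustedCertificates));
                    } else {
                        provider = new WarnOnlyMetadataProvider(new Timer(), new MemoryResource(metadata));
                    }
                    providers.add(untrustedDelegate(provider));
                } catch (Exception e) {
                    log.warn("Failed to load metadata for: " + idp.getEntityId(), e);
                }
            }
        } else if (this.idpMetadataFile.startsWith("file:")) {
            String path = this.idpMetadataFile.substring("file:".length());
            WarnOnlyMetadataProvider provider = new WarnOnlyMetadataProvider(new Timer(), new FilesystemResource(path));
            providers.add(untrustedDelegate(provider));
        } else if (this.idpMetadataFile.startsWith("url:")) {
            String location = this.idpMetadataFile.substring("url:".length());
            try {
                WarnOnlyMetadataProvider provider = new WarnOnlyMetadataProvider(new Timer(), new ADFSResource(location, this.allowUntrustedCertificates));
                providers.add(untrustedDelegate(provider));
            } catch (Exception e) {
                throw new BeanInitializationException("Failed to load metadata at: " + this.idpMetadataFile, e);
            }
        } else {
            throw new BeanInitializationException("idpMetadataFile location type unknown: " + this.idpMetadataFile);
        }
        return new CachingMetadataManager(providers);
    }

    /**
     * Wires a metadata provider to the shared parser pool and wraps it in a delegate whose
     * metadata signature check is disabled (the common setup for all sources in {@link #metadata()}).
     *
     * @param provider freshly constructed provider, not yet initialised
     * @return delegate ready to be handed to the metadata manager
     */
    private ExtendedMetadataDelegate untrustedDelegate(WarnOnlyMetadataProvider provider) {
        provider.setParserPool(parserPool());
        ExtendedMetadataDelegate delegate = new ExtendedMetadataDelegate(provider);
        delegate.setMetadataTrustCheck(false);
        return delegate;
    }

    /** Generates this SP's metadata; the entity ID and base URL are both {@code saml.baseUrl}. */
    @Bean
    public MetadataGenerator metadataGenerator() {
        MetadataGenerator generator = new MetadataGenerator();
        generator.setEntityId(this.baseUrl);
        generator.setEntityBaseURL(this.baseUrl);
        generator.setExtendedMetadata(extendedMetadata());
        generator.setKeyManager(keyManager());
        generator.setIncludeDiscoveryExtension(this.idpDiscovery);
        return generator;
    }

    /** Serves the SP metadata at {@code /saml/metadata}. */
    @Bean
    public MetadataDisplayFilter metadataDisplayFilter() {
        return new MetadataDisplayFilter();
    }

    /**
     * Post-login redirect handler.
     * <p>
     * With {@code saml.page.success} blank the user is sent back to the page that triggered login
     * (falling back to {@code /}); otherwise always to the configured page.
     */
    @Bean
    public SimpleUrlAuthenticationSuccessHandler successRedirectHandler() {
        SimpleUrlAuthenticationSuccessHandler handler;
        if (this.successUrl == null || this.successUrl.isEmpty()) {
            handler = new SavedRequestAwareAuthenticationSuccessHandler();
            handler.setDefaultTargetUrl("/");
        } else {
            handler = new SimpleUrlAuthenticationSuccessHandler();
            handler.setDefaultTargetUrl(this.successUrl);
        }
        return handler;
    }

    /** Forwards (not redirects) to {@code saml.page.error} when authentication fails. */
    @Bean
    public SimpleUrlAuthenticationFailureHandler authenticationFailureHandler() {
        SimpleUrlAuthenticationFailureHandler handler = new SimpleUrlAuthenticationFailureHandler();
        handler.setUseForward(true);
        handler.setDefaultFailureUrl(this.errorUrl);
        return handler;
    }

    /** Processes Holder-of-Key SSO responses with the same handlers as the plain SSO filter. */
    @Bean
    public SAMLWebSSOHoKProcessingFilter samlWebSSOHoKProcessingFilter() throws Exception {
        SAMLWebSSOHoKProcessingFilter filter = new SAMLWebSSOHoKProcessingFilter();
        filter.setAuthenticationSuccessHandler(successRedirectHandler());
        filter.setAuthenticationManager(authenticationManager());
        filter.setAuthenticationFailureHandler(authenticationFailureHandler());
        return filter;
    }

    /** Processes SAML Responses posted to {@code /saml/SSO}. */
    @Bean
    public SAMLProcessingFilter samlWebSSOProcessingFilter() throws Exception {
        SAMLProcessingFilter filter = new SAMLProcessingFilter();
        filter.setAuthenticationManager(authenticationManager());
        filter.setAuthenticationSuccessHandler(successRedirectHandler());
        filter.setAuthenticationFailureHandler(authenticationFailureHandler());
        return filter;
    }

    /** Filter that lazily generates SP metadata on the first request. */
    @Bean
    public MetadataGeneratorFilter metadataGeneratorFilter() {
        return new MetadataGeneratorFilter(metadataGenerator());
    }

    /** Redirects to {@code saml.page.logout} once logout completes. */
    @Bean
    public SimpleUrlLogoutSuccessHandler successLogoutHandler() {
        SimpleUrlLogoutSuccessHandler handler = new SimpleUrlLogoutSuccessHandler();
        handler.setDefaultTargetUrl(this.logoutUrl);
        return handler;
    }

    /** Local logout: invalidates the HTTP session and clears the security context. */
    @Bean
    public SecurityContextLogoutHandler logoutHandler() {
        SecurityContextLogoutHandler handler = new SecurityContextLogoutHandler();
        handler.setInvalidateHttpSession(true);
        handler.setClearAuthentication(true);
        return handler;
    }

    /** Handles IdP-initiated single logout requests at {@code /saml/SingleLogout}. */
    @Bean
    public SAMLLogoutProcessingFilter samlLogoutProcessingFilter() {
        return new SAMLLogoutProcessingFilter(successLogoutHandler(), new LogoutHandler[]{logoutHandler()});
    }

    /** Handles SP-initiated logout at {@code /saml/logout}; local and global logout share the same handler. */
    @Bean
    public SAMLLogoutFilter samlLogoutFilter() {
        LogoutHandler[] handlers = {logoutHandler()};
        return new SAMLLogoutFilter(successLogoutHandler(), handlers, handlers);
    }

    /** HTTP-POST binding. */
    @Bean
    public HTTPPostBinding httpPostBinding() {
        return new HTTPPostBinding(parserPool(), velocityEngine());
    }

    /** HTTP-Redirect (DEFLATE) binding. */
    @Bean
    public HTTPRedirectDeflateBinding httpRedirectDeflateBinding() {
        return new HTTPRedirectDeflateBinding(parserPool());
    }

    /** SAML processor supporting the redirect and POST bindings only. */
    @Bean
    public SAMLProcessorImpl processor() {
        // Raw list on purpose: SAMLProcessorImpl takes Collection<SAMLBinding>, a type not imported here.
        ArrayList bindings = new ArrayList();
        bindings.add(httpRedirectDeflateBinding());
        bindings.add(httpPostBinding());
        return new SAMLProcessorImpl(bindings);
    }

    /** IdP discovery filter that sends the user to {@code saml.idp.discovery.path} to pick an IdP. */
    @Bean
    public SAMLDiscovery samlIdPDiscovery() {
        SAMLDiscovery discovery = new SAMLDiscovery();
        discovery.setIdpSelectionPath(this.idpDiscoveryPath);
        return discovery;
    }

    /**
     * Filter chain proxy mapping each {@code /saml/*} endpoint to its SAML filter.
     * <p>
     * The discovery endpoint is only registered when {@code saml.idp.discovery} is on.
     */
    @Bean
    public FilterChainProxy samlFilter() throws Exception {
        // Raw list on purpose: FilterChainProxy takes List<SecurityFilterChain>, a type not imported here.
        ArrayList chains = new ArrayList();
        chains.add(chain("/saml/login/**", samlEntryPoint()));
        chains.add(chain("/saml/logout/**", samlLogoutFilter()));
        chains.add(chain("/saml/metadata/**", metadataDisplayFilter()));
        chains.add(chain("/saml/SSO/**", samlWebSSOProcessingFilter()));
        chains.add(chain("/saml/SingleLogout/**", samlLogoutProcessingFilter()));
        if (this.idpDiscovery) {
            chains.add(chain("/saml/discovery/**", samlIdPDiscovery()));
        }
        return new FilterChainProxy(chains);
    }

    /** Builds a single-filter chain for the given Ant pattern. */
    private static DefaultSecurityFilterChain chain(String pattern, Filter filter) {
        return new DefaultSecurityFilterChain(new AntPathRequestMatcher(pattern), new Filter[]{filter});
    }

    /** Exposes the adapter's authentication manager as a bean for the SAML filters. */
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * HTTP security rules (overrides {@code WebSecurityConfigurerAdapter#configure(HttpSecurity)}).
     * <p>
     * CSRF: {@code /saml/**} is always exempt because the IdP posts SAML Responses cross-site by
     * design, and every {@code saml.csrf.bypass} pattern is exempt as well; with CSRF disabled
     * entirely via {@code saml.csrf.enabled=false}, all state-changing endpoints lose that protection.
     * Authorisation: {@code /saml/**}, all {@code OPTIONS} requests and {@code saml.nonsecured.pages}
     * are open; everything else requires an authenticated user.
     */
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.httpBasic().authenticationEntryPoint(samlEntryPoint());
        if (this.csrfEnabled) {
            httpSecurity.csrf().ignoringAntMatchers("/saml/**");
            httpSecurity.csrf().ignoringAntMatchers(this.nonCsrfPages);
            httpSecurity.addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class);
        } else {
            httpSecurity.csrf().disable();
        }
        httpSecurity.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
                .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);
        httpSecurity.authorizeRequests().antMatchers("/saml/**").permitAll();
        httpSecurity.authorizeRequests().antMatchers(HttpMethod.OPTIONS).permitAll();
        httpSecurity.authorizeRequests().antMatchers(this.nonSecuredPages).permitAll();
        httpSecurity.authorizeRequests().anyRequest().authenticated();
        httpSecurity.logout().logoutSuccessUrl(this.logoutUrl);
    }

    /** Registers the SAML provider (overrides {@code WebSecurityConfigurerAdapter#configure(AuthenticationManagerBuilder)}). */
    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        authenticationManagerBuilder.authenticationProvider(samlAuthenticationProvider());
    }

    /**
     * Installs a trust-all {@link X509TrustManager} as the JVM-wide default {@link SSLContext}.
     * <p>
     * Only called when {@code saml.idp.selfsigned=true}. Because it goes through
     * {@link SSLContext#setDefault}, server-certificate validation is switched off for every HTTPS
     * client in this process that relies on the default context, not just for the IdP metadata
     * download, so any party on the network path can stand in for the IdP (or any other TLS peer).
     * Intended for local development against a self-signed IdP only; in other environments import
     * the IdP certificate into a trust store instead. Failures are logged, not thrown.
     */
    private static void allowUntrustedCert() {
        TrustManager[] trustAll = {new X509TrustManager() {
            @Override
            public X509Certificate[] getAcceptedIssuers() {
                // The X509TrustManager contract calls for a non-null array; empty means "no issuers".
                return new X509Certificate[0];
            }

            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                // Intentionally empty: every server certificate is accepted.
            }

            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                // Intentionally empty: every client certificate is accepted.
            }
        }};
        try {
            SSLContext context = SSLContext.getInstance("TLS");
            context.init(null, trustAll, new SecureRandom());
            SSLContext.setDefault(context);
        } catch (GeneralSecurityException e) {
            log.error("Failed to flag all certificates as trusted!", e);
        }
    }
}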
