package com.atlassian.plugins.authentication.sso.web.saml;

import com.atlassian.plugin.spring.scanner.annotation.imports.ComponentImport;
import com.atlassian.plugins.authentication.api.config.IdpConfig;
import com.atlassian.plugins.authentication.api.config.IdpConfigService;
import com.atlassian.plugins.authentication.api.config.IdpSearchParameters;
import com.atlassian.plugins.authentication.api.config.SsoType;
import com.atlassian.plugins.authentication.api.config.saml.SamlConfig;
import com.atlassian.plugins.authentication.sso.util.ApplicationStateValidator;
import com.atlassian.plugins.authentication.sso.web.AbstractConsumerServlet;
import com.atlassian.plugins.authentication.sso.web.AuthenticationHandler;
import com.atlassian.plugins.authentication.sso.web.AuthenticationHandlerNotConfiguredException;
import com.atlassian.plugins.authentication.sso.web.AuthenticationHandlerProvider;
import com.atlassian.plugins.authentication.sso.web.SessionData;
import com.atlassian.plugins.authentication.sso.web.SessionDataService;
import com.atlassian.plugins.authentication.sso.web.saml.provider.InvalidSamlResponse;
import com.atlassian.plugins.authentication.sso.web.saml.provider.SamlProvider;
import com.atlassian.plugins.authentication.sso.web.saml.provider.SamlRequest;
import com.atlassian.plugins.authentication.sso.web.saml.provider.SamlResponse;
import com.atlassian.plugins.authentication.sso.web.usercontext.AuthenticationFailedException;
import com.atlassian.plugins.authentication.sso.web.usercontext.PrincipalResolver;
import com.atlassian.plugins.authentication.sso.web.usercontext.impl.jit.ProvisioningService;
import com.atlassian.plugins.authentication.sso.web.usercontext.impl.jit.mapping.MappingExpression;
import com.atlassian.plugins.authentication.sso.web.usercontext.impl.jit.mapping.SamlUserDataFromIdpMapper;
import com.atlassian.plugins.authentication.sso.web.usercontext.rememberme.RememberMeCookieHandler;
import com.atlassian.sal.api.ApplicationProperties;
import com.atlassian.sal.api.auth.AuthenticationListener;
import com.atlassian.sal.api.auth.Authenticator;
import com.atlassian.sal.api.message.I18nResolver;
import com.google.common.base.Strings;
import com.google.common.collect.Iterables;
import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.StreamSupport;
import javax.annotation.Nonnull;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/atlassian/plugins/authentication/sso/web/saml/SamlConsumerServlet.class */
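/**
 * Assertion Consumer Service endpoint: receives the SAML response the Identity Provider posts
 * back and turns it into an application login.
 *
 * <p>Two flows arrive here. In the SP-initiated flow a pending {@link SessionData} entry is found
 * via the {@code RelayState} parameter and supplies the IDP config and the original request. In the
 * IDP-initiated flow there is no session entry and the IDP config is selected by the issuer named
 * in the response. In both cases nothing read from the response is trusted until
 * {@link SamlProvider#extractSamlResponse} has returned a {@link SamlResponse}.
 */
public class SamlConsumerServlet extends AbstractConsumerServlet {
    private static final Logger log = LoggerFactory.getLogger(SamlConsumerServlet.class);
    /** Path under which this servlet is reachable. */
    public static final String URL = "/plugins/servlet/samlconsumer";
    /** Form parameter that carries the SAML response; consumed by the SAML provider, not read directly here. */
    public static final String SAML_RESPONSE_PARAM = "SAMLResponse";
    /** Parameter used to look up the session entry created when an SP-initiated flow was started. */
    public static final String RELAY_STATE_QUERY_PARAM = "RelayState";
    private final SamlProvider samlProvider;
    private final SamlAssertionValidationService samlAssertionValidationService;
    private final AuthenticationHandlerProvider authenticationHandlerProvider;
    private final SamlUserDataFromIdpMapper mapper;

    /**
     * Creates the servlet; all collaborators are injected.
     *
     * <p>The first nine collaborators are handed to {@link AbstractConsumerServlet}; the remaining
     * four are SAML specific and kept here.
     */
    @Inject
    public SamlConsumerServlet(@ComponentImport ApplicationProperties applicationProperties, IdpConfigService idpConfigService, PrincipalResolver principalResolver, SamlProvider samlProvider, SessionDataService sessionDataService, SamlAssertionValidationService samlAssertionValidationService, @ComponentImport AuthenticationListener authenticationListener, @ComponentImport I18nResolver i18nResolver, RememberMeCookieHandler rememberMeCookieHandler, ApplicationStateValidator applicationStateValidator, AuthenticationHandlerProvider authenticationHandlerProvider, ProvisioningService provisioningService, SamlUserDataFromIdpMapper samlUserDataFromIdpMapper) {
        super(applicationProperties, principalResolver, sessionDataService, authenticationListener, i18nResolver, rememberMeCookieHandler, applicationStateValidator, idpConfigService, provisioningService);
        this.samlProvider = samlProvider;
        this.samlAssertionValidationService = samlAssertionValidationService;
        this.authenticationHandlerProvider = authenticationHandlerProvider;
        this.mapper = samlUserDataFromIdpMapper;
    }

    /**
     * Handles the SAML callback.
     *
     * <p>The order of the steps is security relevant: the IDP config is resolved first (from the
     * session, else by issuer), the provider then extracts and validates the response against that
     * config, the assertion ID is checked, and only after that are attributes from the response used
     * to determine the user and, when enabled, provision it. Both failure paths notify the
     * {@code authenticationListener} before re-throwing.
     *
     * @param httpServletRequest the callback request from the browser
     * @param httpServletResponse the response used for the final redirect
     * @throws IOException if the redirect cannot be written
     * @throws InvalidSamlResponse if the provider rejects the response (re-thrown after the failure listener ran)
     * @throws AuthenticationFailedException if the user is unknown, not permitted to log in, or the
     *         username attribute is unusable (re-thrown after the failure listener ran)
     */
    @Override
    protected void doPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        log.debug("Received SAML callback request");
        // RelayState is client supplied; the session service decides whether it maps to a pending request.
        Optional<SessionData> sessionData = this.sessionDataService.getSessionData(httpServletRequest, httpServletResponse, httpServletRequest.getParameter(RELAY_STATE_QUERY_PARAM));
        try {
            // SP-initiated: the session names the IDP. IDP-initiated: pick it by the issuer in the message.
            SamlConfig samlConfig = sessionData.map(this::fetchSamlConfigFromSession)
                    .orElseGet(() -> fetchSamlConfigByIssuer(httpServletRequest));
            this.applicationStateValidator.checkCanProcessAuthenticationRequest(samlConfig);
            // The original request is null in the IDP-initiated flow; presumably the provider uses it to
            // correlate the response with the request that started the flow.
            SamlRequest originalRequest = sessionData
                    .map(data -> (SamlRequest) data.getAuthenticationRequest())
                    .orElse(null);
            SamlResponse samlResponse = this.samlProvider.extractSamlResponse(httpServletRequest, httpServletResponse, getServiceProviderInfo(), samlConfig, originalRequest);
            this.applicationStateValidator.checkHasAppropriateLicenseForSamlResponse(samlResponse);
            this.samlAssertionValidationService.validateAssertionId(samlResponse);
            String username = getUsername(samlResponse, samlConfig);
            if (samlConfig.getJustInTimeConfig().isEnabled().orElse(false)) {
                this.provisioningService.handleJustInTimeProvisioning(this.mapper.mapUser(samlResponse, username, samlConfig), httpServletRequest);
            }
            Principal principal = this.principalResolver.resolvePrincipal(username, httpServletRequest)
                    .orElseThrow(() -> new AuthenticationFailedException("Received SSO request for user " + username + ", but the user does not exist"));
            if (!this.principalResolver.isAllowedToAuthenticate(principal, httpServletRequest)) {
                throw new AuthenticationFailedException("Received SSO request for user " + username + ", but the user is not permitted to log in");
            }
            authenticationSuccess(httpServletRequest, httpServletResponse, principal, "saml.authentication.successful");
            String targetUrl = this.sessionDataService.extractTargetUrlOrReturnBaseUrl(sessionData);
            log.debug("Authenticated user {} from IDP with ID '{}', redirecting to {}", principal.getName(), samlConfig.getId(), targetUrl);
            refreshRememberMeCookieIfNeeded(samlConfig, httpServletRequest, httpServletResponse, samlResponse, principal);
            httpServletResponse.sendRedirect(targetUrl);
        } catch (InvalidSamlResponse e) {
            log.warn("Received an invalid SamlResponse: {}", e.toString());
            // Carry the intended target (if a session exists) so the error handling can offer a way back.
            e.setTargetUrl(sessionData.flatMap(SessionData::getTargetUrl).map(Object::toString).orElse(null));
            // A never-taken "if (0 != 0) e.setIdpConfigId(...)" branch from the decompiled original was
            // dropped here; the IDP config id is not attached to the exception.
            this.authenticationListener.authenticationFailure(new Authenticator.Result.Failure(this.i18nResolver.createMessage("saml.authentication.invalidsamlresponse", new Serializable[]{httpServletRequest.getRemoteAddr()})), httpServletRequest, httpServletResponse);
            throw e;
        } catch (AuthenticationFailedException e2) {
            log.debug("Failed to authenticate: {}", e2.toString());
            this.authenticationListener.authenticationFailure(new Authenticator.Result.Failure(this.i18nResolver.createMessage("saml.authentication.authenticationfailed", new Serializable[]{null})), httpServletRequest, httpServletResponse);
            throw e2;
        }
    }

    /**
     * Resolves the IDP config named in the session entry of an SP-initiated flow.
     *
     * @throws AuthenticationHandlerNotConfiguredException if that config is not a SAML config
     */
    private SamlConfig fetchSamlConfigFromSession(SessionData sessionData) {
        IdpConfig idpConfig = this.idpConfigService.getIdpConfig(Long.valueOf(sessionData.getIdpConfigId()));
        return SamlConfig.from(idpConfig)
                .orElseThrow(() -> new AuthenticationHandlerNotConfiguredException("SP initiated SAML flow: session IDP Config is not SAML in SAML callback"));
    }

    /**
     * Selects the IDP config for an IDP-initiated flow by matching the issuer(s) the provider reads
     * from the request against all enabled SAML configs.
     *
     * <p>The issuer values come from a message that has not been validated yet, so they are only used
     * to choose which config the subsequent validation runs against. Exactly one match is required;
     * zero or several matches are rejected rather than guessed at.
     *
     * @throws AuthenticationHandlerNotConfiguredException if there is not exactly one matching config
     */
    private SamlConfig fetchSamlConfigByIssuer(HttpServletRequest httpServletRequest) {
        List<String> issuers = this.samlProvider.getIssuers(httpServletRequest);
        List<SamlConfig> matches = this.idpConfigService.getIdpConfigs(IdpSearchParameters.allEnabledOfType(SsoType.SAML)).stream()
                .map(idpConfig -> (SamlConfig) idpConfig)
                .filter(samlConfig -> issuers.stream().anyMatch(issuer -> Objects.equals(issuer, samlConfig.getIssuer())))
                .collect(Collectors.toList());
        if (matches.size() == 1) {
            return matches.get(0);
        }
        log.error("IDP initiated SAML flow: could not retrieve IDP config for issuers {}", issuers);
        throw new AuthenticationHandlerNotConfiguredException("Could not log in from Identity Provider");
    }

    /**
     * Issues/refreshes the "remember me" cookie when the IDP config enables it or the (already
     * validated) response carries the Crowd remember-me attribute.
     */
    private void refreshRememberMeCookieIfNeeded(SamlConfig samlConfig, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SamlResponse samlResponse, Principal principal) {
        boolean rememberMe = samlConfig.isEnableRememberMe() || hasRememberMeFlagFromCrowd(samlResponse);
        if (!rememberMe) {
            return;
        }
        this.rememberMeCookieHandler.refreshRememberMeCookie(httpServletRequest, httpServletResponse, principal);
        log.debug("Refreshed 'remember me' cookie for {}", principal.getName());
    }

    /**
     * Returns whether any value of the {@code atl.crowd.properties.remember_me} attribute parses as
     * {@code true}. An absent attribute (null) counts as false.
     */
    private boolean hasRememberMeFlagFromCrowd(SamlResponse samlResponse) {
        Iterable<String> values = samlResponse.getAttribute("atl.crowd.properties.remember_me");
        if (values == null) {
            return false;
        }
        return StreamSupport.stream(values.spliterator(), false).anyMatch(Boolean::parseBoolean);
    }

    /**
     * Derives the application username from the response using the configured mapping expression,
     * defaulting to {@code ${NameID}} when no username attribute is configured.
     *
     * @throws AuthenticationFailedException if a referenced attribute is missing or not single-valued
     */
    private String getUsername(@Nonnull SamlResponse samlResponse, @Nonnull SamlConfig samlConfig) {
        String configured = samlConfig.getUsernameAttribute();
        String expression = Strings.isNullOrEmpty(configured) ? "${NameID}" : configured;
        return new MappingExpression(expression).evaluateWithValues(name -> getAttributeOrNameId(samlResponse, name));
    }

    /**
     * Resolves one placeholder of the username expression: {@code NameID} (case-insensitive) maps to
     * the subject's NameID, anything else to the single value of the attribute of that name.
     *
     * <p>{@link SamlResponse#getAttribute} returns null for an absent attribute (the null check in
     * {@link #hasRememberMeFlagFromCrowd} relies on that). Previously this method handed the result
     * straight to {@code Iterables.getOnlyElement}, so an absent, empty or multi-valued attribute
     * surfaced as an unchecked exception that {@link #doPost} does not catch and the failure listener
     * never ran. Those cases are now reported as an {@link AuthenticationFailedException}.
     *
     * @throws AuthenticationFailedException if the attribute is absent or does not have exactly one value
     */
    private String getAttributeOrNameId(SamlResponse samlResponse, String attributeName) {
        if ("NameID".equalsIgnoreCase(attributeName)) {
            return samlResponse.getNameId();
        }
        Iterable<String> values = samlResponse.getAttribute(attributeName);
        if (values == null) {
            throw new AuthenticationFailedException("SAML response does not contain the attribute '" + attributeName + "' required to determine the username");
        }
        List<String> valueList = StreamSupport.stream(values.spliterator(), false).collect(Collectors.toList());
        if (valueList.size() != 1) {
            throw new AuthenticationFailedException("SAML attribute '" + attributeName + "' must have exactly one value to determine the username, but had " + valueList.size());
        }
        return valueList.get(0);
    }

    /** Builds the SP identity (issuer URL and consumer URL) from the configured SAML authentication handler. */
    private SamlProvider.ServiceProviderInfo getServiceProviderInfo() {
        AuthenticationHandler handler = this.authenticationHandlerProvider.getAuthenticationHandler(SsoType.SAML);
        return new SamlProvider.ServiceProviderInfo(handler.getIssuerUrl(), handler.getConsumerServletUrl());
    }
}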
