package org.springframework.security.config.http;

import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import org.springframework.beans.BeanMetadataElement;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.beans.factory.config.BeanReference;
import org.springframework.beans.factory.config.RuntimeBeanReference;
import org.springframework.beans.factory.parsing.BeanComponentDefinition;
import org.springframework.beans.factory.support.AbstractBeanDefinition;
import org.springframework.beans.factory.support.BeanDefinitionBuilder;
import org.springframework.beans.factory.xml.BeanDefinitionParser;
import org.springframework.beans.factory.xml.ParserContext;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.core.ResolvableType;
import org.springframework.security.config.Elements;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.web.Saml2WebSsoAuthenticationRequestFilter;
import org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.util.StringUtils;
import org.springframework.util.xml.DomUtils;
import org.w3c.dom.Element;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:BOOT-INF/lib/spring-security-config-6.1.1.jar:org/springframework/security/config/http/Saml2LoginBeanDefinitionParser.class */
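/**
 * {@link BeanDefinitionParser} that turns the SAML 2.0 login configuration element passed to
 * {@link #parse(Element, ParserContext)} into bean definitions for the SAML 2.0 Web SSO filters.
 *
 * <p>One {@code parse} call produces:
 * <ul>
 *   <li>the returned {@link Saml2WebSsoAuthenticationFilter} definition, bound to the login processing URL;</li>
 *   <li>a {@link Saml2WebSsoAuthenticationRequestFilter} definition (see
 *       {@link #getSaml2WebSsoAuthenticationRequestFilter()});</li>
 *   <li>a factory-method {@link Map} definition of authentication URL to registration id (see
 *       {@link #getSaml2AuthenticationUrlToProviderName()});</li>
 *   <li>side effects on the collections handed to the constructor: a request matcher appended to the
 *       CSRF-ignore list, an authentication provider reference appended to the provider list, and
 *       optionally an entry point added to the entry-point map.</li>
 * </ul>
 *
 * <p>Security note: the login processing URL is added to the CSRF-ignore matchers without any HTTP
 * method restriction, so whatever pattern is configured in {@code login-processing-url} is exempted
 * as a whole. Keep that pattern as narrow as the deployment allows.
 *
 * <p>The instance is stateful ({@code loginProcessingUrl} and the two filter definitions are written by
 * {@code parse}); nothing here synchronizes access.
 */
public final class Saml2LoginBeanDefinitionParser implements BeanDefinitionParser {
    private static final String DEFAULT_LOGIN_URI = "/login";
    private static final String DEFAULT_AUTHENTICATION_REQUEST_PROCESSING_URL = "/saml2/authenticate/{registrationId}";
    private static final String ATT_LOGIN_PROCESSING_URL = "login-processing-url";
    private static final String ATT_LOGIN_PAGE = "login-page";
    private static final String ELT_RELYING_PARTY_REGISTRATION = "relying-party-registration";
    // Despite the ELT_ prefix this is read with getAttribute(), i.e. it names an attribute.
    private static final String ELT_REGISTRATION_ID = "registration-id";
    private static final String ATT_AUTHENTICATION_FAILURE_HANDLER_REF = "authentication-failure-handler-ref";
    private static final String ATT_AUTHENTICATION_SUCCESS_HANDLER_REF = "authentication-success-handler-ref";
    private static final String ATT_AUTHENTICATION_MANAGER_REF = "authentication-manager-ref";
    // Caller-owned list; parse() appends the matcher for the login processing URL to it.
    private final List<BeanDefinition> csrfIgnoreRequestMatchers;
    private final BeanReference portMapper;
    private final BeanReference portResolver;
    private final BeanReference requestCache;
    private final boolean allowSessionCreation;
    // Fallback used when the element carries no authentication-manager-ref.
    private final BeanReference authenticationManager;
    // May be null, in which case no securityContextRepository property is set on the filter.
    private final BeanReference authenticationFilterSecurityContextRepositoryRef;
    // Caller-owned list; parse() appends a reference to the generated authentication provider bean.
    private final List<BeanReference> authenticationProviders;
    // Caller-owned map of request matcher definition -> entry point definition.
    private final Map<BeanDefinition, BeanMetadataElement> entryPoints;
    // Default endpoint; replaced in parse() when login-processing-url has text.
    private String loginProcessingUrl = "/login/saml2/sso/{registrationId}";
    private BeanDefinition saml2WebSsoAuthenticationRequestFilter;
    private BeanDefinition saml2AuthenticationUrlToProviderName;

    /* loaded from: input_file:BOOT-INF/lib/spring-security-config-6.1.1.jar:org/springframework/security/config/http/Saml2LoginBeanDefinitionParser$Saml2LoginBeanConfig.class */
    /**
     * Helper bean registered by {@link Saml2LoginBeanDefinitionParser#parse(Element, ParserContext)}.
     * It is looked up at runtime so that the URL-to-registration map can be computed from the
     * {@link RelyingPartyRegistrationRepository} present in the application context.
     */
    public static class Saml2LoginBeanConfig implements ApplicationContextAware {
        private ApplicationContext context;

        /**
         * Builds a map from authentication request URL to registration id for every registration
         * exposed by the context's {@link RelyingPartyRegistrationRepository}.
         *
         * <p>The method name is referenced as a string factory-method in
         * {@link Saml2LoginBeanDefinitionParser#parse(Element, ParserContext)}; renaming it breaks
         * that bean definition.
         *
         * @return the URL-to-registration-id map, or an empty map when the repository is not an
         *         {@link Iterable} whose element type resolves to {@link RelyingPartyRegistration}
         */
        Map<String, String> getAuthenticationUrlToProviderName() {
            RelyingPartyRegistrationRepository repository = this.context.getBean(RelyingPartyRegistrationRepository.class);
            ResolvableType iterableType = ResolvableType.forInstance(repository).as(Iterable.class);
            if (iterableType == ResolvableType.NONE) {
                return Collections.emptyMap();
            }
            // resolveGeneric yields null when the element type cannot be resolved (for example a raw
            // Iterable); Class.isAssignableFrom(null) would throw, so treat that as "not iterable".
            Class<?> elementType = iterableType.resolveGeneric(0);
            if (elementType == null || !RelyingPartyRegistration.class.isAssignableFrom(elementType)) {
                return Collections.emptyMap();
            }
            // Safe: the element type was verified against RelyingPartyRegistration just above.
            @SuppressWarnings("unchecked")
            Iterable<RelyingPartyRegistration> registrations = (Iterable<RelyingPartyRegistration>) repository;
            Map<String, String> urlToProviderName = new HashMap<>();
            for (RelyingPartyRegistration registration : registrations) {
                String registrationId = registration.getRegistrationId();
                urlToProviderName.put(
                        Saml2LoginBeanDefinitionParser.DEFAULT_AUTHENTICATION_REQUEST_PROCESSING_URL.replace("{registrationId}", registrationId),
                        registrationId);
            }
            return urlToProviderName;
        }

        @Override // org.springframework.context.ApplicationContextAware
        public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
            this.context = applicationContext;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Stores the collaborators and the caller-owned collections that {@code parse} later mutates.
     * Parameter names are decompiler output; each maps to the field it is assigned to.
     *
     * @param list           CSRF-ignore request matcher definitions (appended to by {@code parse})
     * @param beanReference  port mapper reference
     * @param beanReference2 port resolver reference
     * @param beanReference3 request cache reference
     * @param z              whether the default failure handler may create a session
     * @param beanReference4 default authentication manager reference
     * @param beanReference5 security context repository reference for the filter, may be {@code null}
     * @param list2          authentication provider references (appended to by {@code parse})
     * @param map            entry points keyed by request matcher definition (added to by {@code parse})
     */
    public Saml2LoginBeanDefinitionParser(List<BeanDefinition> list, BeanReference beanReference, BeanReference beanReference2, BeanReference beanReference3, boolean z, BeanReference beanReference4, BeanReference beanReference5, List<BeanReference> list2, Map<BeanDefinition, BeanMetadataElement> map) {
        this.csrfIgnoreRequestMatchers = list;
        this.portMapper = beanReference;
        this.portResolver = beanReference2;
        this.requestCache = beanReference3;
        this.allowSessionCreation = z;
        this.authenticationManager = beanReference4;
        this.authenticationFilterSecurityContextRepositoryRef = beanReference5;
        this.authenticationProviders = list2;
        this.entryPoints = map;
    }

    /**
     * Builds the {@link Saml2WebSsoAuthenticationFilter} definition for the given element and, as side
     * effects, registers the helper bean, the CSRF exemption, the authentication provider and the
     * request-filter / URL-map definitions exposed by the getters.
     *
     * @param element       the SAML 2.0 login configuration element
     * @param parserContext the current parser context, used for bean registration and error reporting
     * @return the bean definition of the SAML 2.0 Web SSO authentication filter
     */
    @Override // org.springframework.beans.factory.xml.BeanDefinitionParser
    public BeanDefinition parse(Element element, ParserContext parserContext) {
        String configuredProcessingUrl = element.getAttribute(ATT_LOGIN_PROCESSING_URL);
        if (StringUtils.hasText(configuredProcessingUrl)) {
            this.loginProcessingUrl = configuredProcessingUrl;
        }
        AbstractBeanDefinition loginBeanConfig = BeanDefinitionBuilder.rootBeanDefinition(Saml2LoginBeanConfig.class).getBeanDefinition();
        String loginBeanConfigId = parserContext.getReaderContext().generateBeanName(loginBeanConfig);
        parserContext.registerBeanComponent(new BeanComponentDefinition(loginBeanConfig, loginBeanConfigId));
        // Runs after the override above so the CSRF exemption tracks the effective processing URL.
        registerDefaultCsrfOverride();
        BeanMetadataElement registrationRepository = Saml2LoginBeanDefinitionParserUtils.getRelyingPartyRegistrationRepository(element);
        BeanMetadataElement requestRepository = Saml2LoginBeanDefinitionParserUtils.getAuthenticationRequestRepository(element);
        BeanMetadataElement requestResolver = Saml2LoginBeanDefinitionParserUtils.getAuthenticationRequestResolver(element);
        if (requestResolver == null) {
            requestResolver = Saml2LoginBeanDefinitionParserUtils.createDefaultAuthenticationRequestResolver(registrationRepository);
        }
        BeanMetadataElement authenticationConverter = Saml2LoginBeanDefinitionParserUtils.getAuthenticationConverter(element);
        if (authenticationConverter == null) {
            // The placeholder is only demanded when the default converter is used.
            // NOTE(review): execution continues past error() here; whether parsing aborts depends
            // on the reader context's problem reporting - confirm.
            if (!this.loginProcessingUrl.contains("{registrationId}")) {
                parserContext.getReaderContext().error("loginProcessingUrl must contain {registrationId} path variable", element);
            }
            authenticationConverter = Saml2LoginBeanDefinitionParserUtils.createDefaultAuthenticationConverter(registrationRepository);
        }
        BeanDefinitionBuilder filterBuilder = BeanDefinitionBuilder.rootBeanDefinition(Saml2WebSsoAuthenticationFilter.class)
                .addConstructorArgValue(authenticationConverter)
                .addConstructorArgValue(this.loginProcessingUrl)
                .addPropertyValue("authenticationRequestRepository", requestRepository);
        resolveLoginPage(element, parserContext);
        resolveAuthenticationSuccessHandler(element, filterBuilder);
        resolveAuthenticationFailureHandler(element, filterBuilder);
        resolveAuthenticationManager(element, filterBuilder);
        resolveSecurityContextRepository(element, filterBuilder);
        // Both filters share the same authentication request repository definition.
        this.saml2WebSsoAuthenticationRequestFilter = BeanDefinitionBuilder.rootBeanDefinition(Saml2WebSsoAuthenticationRequestFilter.class)
                .addConstructorArgValue(requestResolver)
                .addPropertyValue("authenticationRequestRepository", requestRepository)
                .getBeanDefinition();
        String providerBeanName = parserContext.getReaderContext().registerWithGeneratedName(Saml2LoginBeanDefinitionParserUtils.createAuthenticationProvider());
        this.authenticationProviders.add(new RuntimeBeanReference(providerBeanName));
        // Resolved lazily through Saml2LoginBeanConfig#getAuthenticationUrlToProviderName on the helper bean.
        this.saml2AuthenticationUrlToProviderName = BeanDefinitionBuilder.rootBeanDefinition(Map.class)
                .setFactoryMethodOnBean("getAuthenticationUrlToProviderName", loginBeanConfigId)
                .getBeanDefinition();
        return filterBuilder.getBeanDefinition();
    }

    /**
     * Wires the filter's authentication manager: the bean named by {@code authentication-manager-ref}
     * when present, otherwise the reference supplied to the constructor.
     */
    private void resolveAuthenticationManager(Element element, BeanDefinitionBuilder beanDefinitionBuilder) {
        String managerRef = element.getAttribute(ATT_AUTHENTICATION_MANAGER_REF);
        if (StringUtils.hasText(managerRef)) {
            beanDefinitionBuilder.addPropertyReference("authenticationManager", managerRef);
            return;
        }
        beanDefinitionBuilder.addPropertyValue("authenticationManager", this.authenticationManager);
    }

    /**
     * Sets the filter's security context repository when one was supplied to the constructor.
     * The {@code element} argument is not consulted.
     */
    private void resolveSecurityContextRepository(Element element, BeanDefinitionBuilder beanDefinitionBuilder) {
        if (this.authenticationFilterSecurityContextRepositoryRef == null) {
            return;
        }
        beanDefinitionBuilder.addPropertyValue("securityContextRepository", this.authenticationFilterSecurityContextRepositoryRef);
    }

    /**
     * Registers an authentication entry point for the login processing URL.
     *
     * <p>An explicit {@code login-page} is passed through {@code WebConfigUtils.validateHttpRedirect}
     * and used as the entry point URL. Without it, an entry point is only created when the XML
     * declares exactly one relying party registration, in which case its authentication request URL
     * is used. With zero or several registrations no entry point is added here.
     */
    private void resolveLoginPage(Element element, ParserContext parserContext) {
        String loginPage = element.getAttribute(ATT_LOGIN_PAGE);
        Object source = parserContext.extractSource(element);
        AbstractBeanDefinition entryPoint = null;
        if (StringUtils.hasText(loginPage)) {
            WebConfigUtils.validateHttpRedirect(loginPage, parserContext, source);
            entryPoint = BeanDefinitionBuilder.rootBeanDefinition(LoginUrlAuthenticationEntryPoint.class)
                    .addConstructorArgValue(loginPage)
                    .addPropertyValue("portMapper", this.portMapper)
                    .addPropertyValue("portResolver", this.portResolver)
                    .getBeanDefinition();
        } else {
            Map<String, String> identityProviderUrlMap = getIdentityProviderUrlMap(element);
            if (identityProviderUrlMap.size() == 1) {
                String onlyAuthenticationUrl = identityProviderUrlMap.keySet().iterator().next();
                entryPoint = BeanDefinitionBuilder.rootBeanDefinition(LoginUrlAuthenticationEntryPoint.class)
                        .addConstructorArgValue(onlyAuthenticationUrl)
                        .addPropertyValue("portMapper", this.portMapper)
                        .addPropertyValue("portResolver", this.portResolver)
                        .getBeanDefinition();
            }
        }
        if (entryPoint == null) {
            return;
        }
        BeanDefinitionBuilder matcherBuilder = BeanDefinitionBuilder.rootBeanDefinition(AntPathRequestMatcher.class);
        matcherBuilder.addConstructorArgValue(this.loginProcessingUrl);
        this.entryPoints.put(matcherBuilder.getBeanDefinition(), entryPoint);
    }

    /**
     * Wires the filter's failure handler: the bean named by
     * {@code authentication-failure-handler-ref} when present, otherwise a
     * {@code SimpleUrlAuthenticationFailureHandler} targeting {@code /login?error} that honours the
     * {@code allowSessionCreation} flag given to the constructor.
     */
    private void resolveAuthenticationFailureHandler(Element element, BeanDefinitionBuilder beanDefinitionBuilder) {
        String failureHandlerRef = element.getAttribute(ATT_AUTHENTICATION_FAILURE_HANDLER_REF);
        if (StringUtils.hasText(failureHandlerRef)) {
            beanDefinitionBuilder.addPropertyReference("authenticationFailureHandler", failureHandlerRef);
            return;
        }
        BeanDefinitionBuilder defaultHandler = BeanDefinitionBuilder.rootBeanDefinition("org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler");
        defaultHandler.addConstructorArgValue("/login?error");
        defaultHandler.addPropertyValue("allowSessionCreation", this.allowSessionCreation);
        beanDefinitionBuilder.addPropertyValue("authenticationFailureHandler", defaultHandler.getBeanDefinition());
    }

    /**
     * Wires the filter's success handler: the bean named by
     * {@code authentication-success-handler-ref} when present, otherwise a
     * {@code SavedRequestAwareAuthenticationSuccessHandler} using the configured request cache.
     */
    private void resolveAuthenticationSuccessHandler(Element element, BeanDefinitionBuilder beanDefinitionBuilder) {
        String successHandlerRef = element.getAttribute(ATT_AUTHENTICATION_SUCCESS_HANDLER_REF);
        if (StringUtils.hasText(successHandlerRef)) {
            beanDefinitionBuilder.addPropertyReference("authenticationSuccessHandler", successHandlerRef);
            return;
        }
        AbstractBeanDefinition defaultHandler = BeanDefinitionBuilder.rootBeanDefinition("org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler")
                .addPropertyValue("requestCache", this.requestCache)
                .getBeanDefinition();
        beanDefinitionBuilder.addPropertyValue("authenticationSuccessHandler", defaultHandler);
    }

    /**
     * Appends an {@link AntPathRequestMatcher} for the current login processing URL to the CSRF-ignore
     * list supplied by the caller.
     *
     * <p>The matcher is built from the pattern alone (no HTTP method argument), so every request whose
     * path matches {@code login-processing-url} is covered by the exemption. Presumably the list is
     * consumed by the CSRF configuration elsewhere in the package - verify against the caller. A broad
     * custom pattern therefore widens the set of endpoints that skip CSRF checks.
     */
    private void registerDefaultCsrfOverride() {
        BeanDefinitionBuilder matcherBuilder = BeanDefinitionBuilder.rootBeanDefinition(AntPathRequestMatcher.class);
        matcherBuilder.addConstructorArgValue(this.loginProcessingUrl);
        this.csrfIgnoreRequestMatchers.add(matcherBuilder.getBeanDefinition());
    }

    /**
     * Collects the relying party registrations declared in the same XML document.
     *
     * <p>Looks for the {@code Elements.RELYING_PARTY_REGISTRATIONS} child of the document root and maps
     * each {@code relying-party-registration} child's authentication request URL to its
     * {@code registration-id}. The id is substituted into the URL template as-is; a missing attribute
     * reads as an empty string from the DOM and is not rejected here.
     *
     * @return an insertion-ordered map of authentication request URL to registration id, empty when the
     *         document declares no registrations
     */
    private Map<String, String> getIdentityProviderUrlMap(Element element) {
        Map<String, String> urlToRegistrationId = new LinkedHashMap<>();
        Element registrations = DomUtils.getChildElementByTagName(element.getOwnerDocument().getDocumentElement(), Elements.RELYING_PARTY_REGISTRATIONS);
        if (registrations == null) {
            return urlToRegistrationId;
        }
        for (Element registration : DomUtils.getChildElementsByTagName(registrations, ELT_RELYING_PARTY_REGISTRATION)) {
            String registrationId = registration.getAttribute(ELT_REGISTRATION_ID);
            urlToRegistrationId.put(DEFAULT_AUTHENTICATION_REQUEST_PROCESSING_URL.replace("{registrationId}", registrationId), registrationId);
        }
        return urlToRegistrationId;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * @return the {@link Saml2WebSsoAuthenticationRequestFilter} definition built by the last
     *         {@code parse} call, or {@code null} if {@code parse} has not run
     */
    public BeanDefinition getSaml2WebSsoAuthenticationRequestFilter() {
        return this.saml2WebSsoAuthenticationRequestFilter;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * @return the factory-method {@link Map} definition (authentication URL to registration id) built
     *         by the last {@code parse} call, or {@code null} if {@code parse} has not run
     */
    public BeanDefinition getSaml2AuthenticationUrlToProviderName() {
        return this.saml2AuthenticationUrlToProviderName;
    }
}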
