package org.cloudfoundry.identity.uaa.login.saml;

import java.util.Date;
import org.cloudfoundry.identity.uaa.authentication.Origin;
import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
import org.cloudfoundry.identity.uaa.authentication.event.UserAuthenticationSuccessEvent;
import org.cloudfoundry.identity.uaa.authentication.manager.InvitedUserAuthenticatedEvent;
import org.cloudfoundry.identity.uaa.authentication.manager.NewUserAuthenticatedEvent;
import org.cloudfoundry.identity.uaa.user.UaaAuthority;
import org.cloudfoundry.identity.uaa.user.UaaUser;
import org.cloudfoundry.identity.uaa.user.UaaUserDatabase;
import org.cloudfoundry.identity.uaa.zone.IdentityProvider;
import org.cloudfoundry.identity.uaa.zone.IdentityProviderProvisioning;
import org.cloudfoundry.identity.uaa.zone.IdentityZone;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderNotFoundException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.providers.ExpiringUsernameAuthenticationToken;
import org.springframework.security.saml.SAMLAuthenticationProvider;
import org.springframework.security.saml.SAMLAuthenticationToken;

/* loaded from: input_file:org/cloudfoundry/identity/uaa/login/saml/LoginSamlAuthenticationProvider.class */
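/**
 * Authentication provider that turns a validated SAML assertion into a UAA principal.
 *
 * <p>On top of the SAML validation performed by {@link SAMLAuthenticationProvider#authenticate},
 * this provider resolves the identity provider configured for the asserting party's alias in the
 * current zone, refuses disabled providers, and then looks up (or, when the provider allows it,
 * creates) the shadow {@link UaaUser} that represents the SAML subject. If the current security
 * context already holds an invited user (a {@link UaaPrincipal} with origin
 * {@link Origin#UNKNOWN}), the SAML identity is bound to that invitation only when the e-mail
 * addresses match; otherwise authentication fails.
 *
 * <p>Authentication lifecycle events are published through the injected
 * {@link ApplicationEventPublisher}; publishing is skipped when none is set.
 */
public class LoginSamlAuthenticationProvider extends SAMLAuthenticationProvider implements ApplicationEventPublisherAware {
    /** Placeholder id for users/principals that have not been persisted yet. */
    private static final String NOT_A_NUMBER = "NaN";
    /** Domain appended when the SAML subject name does not yield a usable e-mail address. */
    private static final String UNKNOWN_DOMAIN = "@unknown.org";

    private UaaUserDatabase userDatabase;
    private ApplicationEventPublisher eventPublisher;
    private IdentityProviderProvisioning identityProviderProvisioning;

    /**
     * Sets the provisioning service used to look up the identity provider for a SAML alias.
     *
     * @param identityProviderProvisioning provider lookup, keyed by origin and zone
     */
    public void setIdentityProviderProvisioning(IdentityProviderProvisioning identityProviderProvisioning) {
        this.identityProviderProvisioning = identityProviderProvisioning;
    }

    /**
     * Sets the user store used to resolve shadow users.
     *
     * @param uaaUserDatabase user database queried by id or by name/origin
     */
    public void setUserDatabase(UaaUserDatabase uaaUserDatabase) {
        this.userDatabase = uaaUserDatabase;
    }

    /**
     * Receives the application event publisher (Spring callback).
     *
     * @param applicationEventPublisher publisher for authentication events; may be {@code null}
     */
    public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
        this.eventPublisher = applicationEventPublisher;
    }

    /**
     * @return the configured event publisher, or {@code null} if none was injected
     */
    public ApplicationEventPublisher getApplicationEventPublisher() {
        return this.eventPublisher;
    }

    /**
     * Authenticates a {@link SAMLAuthenticationToken} and maps it onto a UAA principal.
     *
     * @param authentication the SAML token to authenticate
     * @return a {@link LoginSamlAuthenticationToken} wrapping the resolved {@link UaaPrincipal}
     *         and the token returned by the SAML validation
     * @throws IllegalArgumentException if the token type is not supported by this provider
     * @throws ProviderNotFoundException if no provider exists for the alias in the current zone,
     *         or the provider has been disabled
     * @throws AuthenticationException if SAML validation fails or the user cannot be resolved
     */
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        if (!supports(authentication.getClass())) {
            throw new IllegalArgumentException("Only SAMLAuthenticationToken is supported, " + authentication.getClass() + " was attempted");
        }
        IdentityZone identityZone = IdentityZoneHolder.get();
        // The asserting party's metadata alias doubles as the UAA origin of the identity provider.
        String alias = ((SAMLAuthenticationToken) authentication).getCredentials().getPeerExtendedMetadata().getAlias();
        try {
            IdentityProvider identityProvider = this.identityProviderProvisioning.retrieveByOrigin(alias, identityZone.getId());
            // Refuse disabled providers before touching their configuration or validating the assertion.
            if (!identityProvider.isActive()) {
                throw new ProviderNotFoundException("Identity Provider has been disabled by administrator.");
            }
            boolean addShadowUserOnLogin = ((SamlIdentityProviderDefinition) identityProvider.getConfigValue(SamlIdentityProviderDefinition.class)).isAddShadowUserOnLogin();
            ExpiringUsernameAuthenticationToken samlToken = getExpiringUsernameAuthenticationToken(authentication);
            String subjectName = samlToken.getName();
            // The SAML subject name is used as username, e-mail and external id of the candidate principal.
            UaaPrincipal samlPrincipal = new UaaPrincipal(NOT_A_NUMBER, subjectName, subjectName, alias, subjectName, identityZone.getId());
            UaaPrincipal resolved = createIfMissing(samlPrincipal, currentUaaPrincipal(), addShadowUserOnLogin);
            return new LoginSamlAuthenticationToken(resolved, samlToken);
        } catch (EmptyResultDataAccessException e) {
            throw new ProviderNotFoundException("Not identity provider found in zone.");
        }
    }

    /**
     * Returns the {@link UaaPrincipal} already present in the security context, if any.
     *
     * <p>This is how an invitation-acceptance flow hands the invited user to this provider;
     * {@link #evaluateInvitiationPrincipal} decides whether it may be used.
     *
     * @return the principal of the current authentication, or {@code null} if there is no
     *         authentication or its principal is not a {@link UaaPrincipal}
     */
    private static UaaPrincipal currentUaaPrincipal() {
        Authentication existing = SecurityContextHolder.getContext().getAuthentication();
        if (existing == null || !(existing.getPrincipal() instanceof UaaPrincipal)) {
            return null;
        }
        return (UaaPrincipal) existing.getPrincipal();
    }

    /**
     * Performs the actual SAML validation; separated so tests can override it.
     *
     * @param authentication the SAML token
     * @return the token produced by the superclass validation
     */
    protected ExpiringUsernameAuthenticationToken getExpiringUsernameAuthenticationToken(Authentication authentication) {
        return super.authenticate(authentication);
    }

    /**
     * Publishes an event if a publisher has been injected; a no-op otherwise.
     *
     * @param applicationEvent the event to publish
     */
    protected void publish(ApplicationEvent applicationEvent) {
        if (this.eventPublisher != null) {
            this.eventPublisher.publishEvent(applicationEvent);
        }
    }

    /**
     * Decides which principal the SAML login applies to.
     *
     * <p>If {@code uaaPrincipal2} is an invited user (origin {@link Origin#UNKNOWN}), the SAML
     * identity may only be bound to that invitation when both e-mail addresses match
     * (case-insensitively). A missing e-mail on either side is treated as a mismatch rather
     * than a match, so the check fails closed instead of throwing a NullPointerException.
     *
     * @param uaaPrincipal  the principal derived from the SAML assertion
     * @param uaaPrincipal2 the principal found in the security context, or {@code null}
     * @return {@code uaaPrincipal2} when it is an invited user with a matching e-mail,
     *         otherwise {@code uaaPrincipal}
     * @throws BadCredentialsException if an invited user is present but the e-mails differ
     */
    protected UaaPrincipal evaluateInvitiationPrincipal(UaaPrincipal uaaPrincipal, UaaPrincipal uaaPrincipal2) {
        if (uaaPrincipal2 == null || !Origin.UNKNOWN.equals(uaaPrincipal2.getOrigin())) {
            return uaaPrincipal;
        }
        String samlEmail = uaaPrincipal.getEmail();
        String invitedEmail = uaaPrincipal2.getEmail();
        // equalsIgnoreCase(null) is false, so a null invited e-mail also ends up here.
        if (samlEmail == null || !samlEmail.equalsIgnoreCase(invitedEmail)) {
            throw new BadCredentialsException("SAML User email mismatch. Authenticated email doesn't match invited email.");
        }
        return uaaPrincipal2;
    }

    /**
     * Resolves the stored user for a SAML login, creating a shadow user when permitted.
     *
     * @param uaaPrincipal  the principal derived from the SAML assertion
     * @param uaaPrincipal2 the principal from the security context (possible invited user), or {@code null}
     * @param z             whether the identity provider allows creating a shadow user on first login;
     *                      ignored (treated as {@code false}) when an invited user is being bound
     * @return a principal built from the stored user
     * @throws LoginSAMLException      if the user does not exist and shadow-user creation is not allowed
     * @throws BadCredentialsException if the shadow user could not be established after creation
     */
    protected UaaPrincipal createIfMissing(UaaPrincipal uaaPrincipal, UaaPrincipal uaaPrincipal2, boolean z) {
        UaaPrincipal resolved = evaluateInvitiationPrincipal(uaaPrincipal, uaaPrincipal2);
        boolean invited = resolved == uaaPrincipal2;
        // An invited user already has an account; never auto-create a second one for them.
        boolean allowShadowUser = z && !invited;
        UaaUser user;
        try {
            if (invited) {
                // Re-home the invited account under the SAML origin that just authenticated it.
                user = this.userDatabase.retrieveUserById(resolved.getId()).modifyOrigin(uaaPrincipal.getOrigin());
                publish(new InvitedUserAuthenticatedEvent(user));
            } else {
                user = this.userDatabase.retrieveUserByName(resolved.getName(), resolved.getOrigin());
            }
        } catch (UsernameNotFoundException e) {
            if (!allowShadowUser) {
                throw new LoginSAMLException("SAML user does not exist. You can correct this by creating a shadow user for the SAML user.", e);
            }
            user = createShadowUser(resolved);
        }
        UaaPrincipal result = new UaaPrincipal(user);
        publish(new UserAuthenticationSuccessEvent(user, new UaaAuthentication(result, user.getAuthorities(), null)));
        return result;
    }

    /**
     * Announces a new SAML user and re-reads it from the user store.
     *
     * <p>The user is persisted by whatever handles {@link NewUserAuthenticatedEvent}
     * (presumably elsewhere in the application); this method only publishes the event and
     * then expects the lookup by name/origin to succeed.
     *
     * @param principal the principal describing the user to create
     * @return the stored shadow user
     * @throws BadCredentialsException if the user is still absent after the event was published
     */
    private UaaUser createShadowUser(UaaPrincipal principal) {
        publish(new NewUserAuthenticatedEvent(getUser(principal)));
        try {
            return this.userDatabase.retrieveUserByName(principal.getName(), principal.getOrigin());
        } catch (UsernameNotFoundException e) {
            throw new BadCredentialsException("Unable to establish shadow user for SAML user:" + principal.getName(), e);
        }
    }

    /**
     * Builds the {@link UaaUser} template for a shadow user from a SAML principal.
     *
     * <p>The user gets the placeholder id {@code "NaN"}, an empty password, the default
     * {@link UaaAuthority#USER_AUTHORITIES}, an e-mail derived from the subject name (see
     * {@link #deriveEmail}), and given/family names taken from the local and domain parts of
     * that e-mail. The origin defaults to {@link Origin#LOGIN_SERVER} when the principal has none.
     *
     * @param uaaPrincipal the principal derived from the SAML assertion
     * @return a not-yet-persisted user populated from the principal
     * @throws BadCredentialsException if the principal carries no username
     */
    protected UaaUser getUser(UaaPrincipal uaaPrincipal) {
        String name = uaaPrincipal.getName();
        if (name == null) {
            throw new BadCredentialsException("Cannot determine username from credentials supplied");
        }
        String origin = uaaPrincipal.getOrigin() != null ? uaaPrincipal.getOrigin() : Origin.LOGIN_SERVER;
        String zoneId = uaaPrincipal.getZoneId();
        String email = deriveEmail(name);
        // deriveEmail always yields exactly one '@' with a non-empty domain, so both parts exist.
        String[] emailParts = email.split("@");
        String givenName = emailParts[0];
        String familyName = emailParts[1];
        return new UaaUser(NOT_A_NUMBER, name, "", email, UaaAuthority.USER_AUTHORITIES, givenName, familyName, new Date(), new Date(), origin, name, false, zoneId, null, null);
    }

    /**
     * Derives an e-mail address from a SAML subject name.
     *
     * <p>A name of the form {@code local@domain} (exactly one '@', neither part empty) is used
     * as-is; any other name has all '@' characters stripped and {@code @unknown.org} appended.
     *
     * @param name the non-null subject name
     * @return an e-mail address containing exactly one '@'
     */
    private static String deriveEmail(String name) {
        if (!name.contains("@")) {
            return name + UNKNOWN_DOMAIN;
        }
        boolean wellFormed = name.split("@").length == 2 && !name.startsWith("@") && !name.endsWith("@");
        return wellFormed ? name : name.replace("@", "") + UNKNOWN_DOMAIN;
    }
}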
