package org.springframework.security.saml2.provider.service.servlet.filter;

import java.nio.charset.StandardCharsets;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpMethod;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken;
import org.springframework.security.saml2.provider.service.authentication.Saml2Error;
import org.springframework.security.saml2.provider.service.authentication.Saml2ErrorCodes;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

/* loaded from: input_file:org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationFilter.class */
public class Saml2WebSsoAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
    public static final String DEFAULT_FILTER_PROCESSES_URI = "/login/saml2/sso/{registrationId}";
    private final RequestMatcher matcher;
    private final RelyingPartyRegistrationRepository relyingPartyRegistrationRepository;

    public Saml2WebSsoAuthenticationFilter(RelyingPartyRegistrationRepository relyingPartyRegistrationRepository) {
        this(relyingPartyRegistrationRepository, DEFAULT_FILTER_PROCESSES_URI);
    }

    public Saml2WebSsoAuthenticationFilter(RelyingPartyRegistrationRepository relyingPartyRegistrationRepository, String str) {
        super(str);
        Assert.notNull(relyingPartyRegistrationRepository, "relyingPartyRegistrationRepository cannot be null");
        Assert.hasText(str, "filterProcessesUrl must contain a URL pattern");
        Assert.isTrue(str.contains("{registrationId}"), "filterProcessesUrl must contain a {registrationId} match variable");
        this.matcher = new AntPathRequestMatcher(str);
        setRequiresAuthenticationRequestMatcher(this.matcher);
        this.relyingPartyRegistrationRepository = relyingPartyRegistrationRepository;
        setAllowSessionCreation(true);
        setSessionAuthenticationStrategy(new ChangeSessionIdAuthenticationStrategy());
    }

    protected boolean requiresAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return super.requiresAuthentication(httpServletRequest, httpServletResponse) && StringUtils.hasText(httpServletRequest.getParameter("SAMLResponse"));
    }

    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException {
        String inflateIfRequired = inflateIfRequired(httpServletRequest, Saml2Utils.decode(httpServletRequest.getParameter("SAMLResponse")));
        String str = (String) this.matcher.matcher(httpServletRequest).getVariables().get("registrationId");
        RelyingPartyRegistration findByRegistrationId = this.relyingPartyRegistrationRepository.findByRegistrationId(str);
        if (findByRegistrationId == null) {
            throw new Saml2AuthenticationException(new Saml2Error(Saml2ErrorCodes.RELYING_PARTY_REGISTRATION_NOT_FOUND, "Relying Party Registration not found with ID: " + str));
        }
        return getAuthenticationManager().authenticate(new Saml2AuthenticationToken(inflateIfRequired, httpServletRequest.getRequestURL().toString(), findByRegistrationId.getRemoteIdpEntityId(), Saml2Utils.getServiceProviderEntityId(findByRegistrationId, httpServletRequest), findByRegistrationId.getCredentials()));
    }

    private String inflateIfRequired(HttpServletRequest httpServletRequest, byte[] bArr) {
        return HttpMethod.GET.matches(httpServletRequest.getMethod()) ? Saml2Utils.inflate(bArr) : new String(bArr, StandardCharsets.UTF_8);
    }
}
