package dk.digitalidentity.security;

import dk.digitalidentity.security.model.IdentityProvider;
import dk.digitalidentity.security.model.PrivilegeList;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.StringWriter;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Iterator;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.apache.log4j.Logger;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.xml.XMLObject;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.providers.ExpiringUsernameAuthenticationToken;
import org.springframework.security.saml.SAMLCredential;
import org.w3c.dom.Element;

/* loaded from: input_file:dk/digitalidentity/security/RoleFilter.class */
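/**
 * Servlet filter that converts a freshly completed SAML login into an
 * {@link AuthenticationTokenWithRoles} carrying the caller's CVR and role authorities.
 *
 * <p>It only acts when the security context holds an authenticated
 * {@link ExpiringUsernameAuthenticationToken} (exact class) whose credentials are a
 * {@link SAMLCredential}. From that credential it derives:
 * <ul>
 *   <li>the CVR — either from the configured {@link SamlIdentityProviderProvider} (looked up by
 *       the assertion's remote entity id) or, when no provider is configured and the NameID is in
 *       X509SubjectName format, from the {@code O=} RDN of the subject name;</li>
 *   <li>{@code ROLE_*} authorities from the base64/XML {@code Privileges_intermediate} attribute
 *       and from every value of the optional role-claim attribute.</li>
 * </ul>
 * The optional {@link SamlLoginPostProcessor} sees principal, CVR and the collected roles before
 * the new authentication is installed in the security context.
 *
 * <p>Trust boundary: everything read here comes out of the SAML assertion. Whether that assertion
 * was signature-verified and issued by a trusted IdP is decided upstream by the SAML provider that
 * produced the {@link SAMLCredential}; this filter does not re-validate it and maps attribute
 * values to authorities verbatim. The privilege XML is parsed with DTDs and external entities
 * disabled so a malformed or hostile attribute cannot trigger XXE or entity expansion.
 */
public class RoleFilter implements Filter {
    private static final Logger logger = Logger.getLogger(RoleFilter.class);

    /** SAML attribute whose value is the base64-encoded, JAXB-mapped {@link PrivilegeList} XML. */
    private static final String PRIVILEGES_ATTRIBUTE = "dk:gov:saml:attribute:Privileges_intermediate";
    /** NameID format under which the CVR is read from the {@code O=} RDN of the subject name. */
    private static final String X509_SUBJECT_NAME_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName";
    /** Prefix prepended to every granted authority. */
    private static final String ROLE_PREFIX = "ROLE_";

    private final boolean shouldLogToken;
    private final SamlLoginPostProcessor postProcesser;
    private final SamlIdentityProviderProvider identityProviderProvider;
    private final String roleClaimName;

    /**
     * @param samlLoginPostProcessor optional hook invoked with principal, CVR and roles; may be null
     * @param shouldLogToken when true the full assertion XML is written to the log at INFO level
     *                       (contains personal data — intended for debugging only)
     * @param roleClaimName name of the SAML attribute whose values become {@code ROLE_*}
     *                      authorities; null or empty disables that mapping
     * @param samlIdentityProviderProvider optional CVR lookup by IdP entity id; when null the CVR
     *                                     is taken from an X509SubjectName NameID instead
     */
    public RoleFilter(SamlLoginPostProcessor samlLoginPostProcessor, boolean shouldLogToken, String roleClaimName, SamlIdentityProviderProvider samlIdentityProviderProvider) {
        this.postProcesser = samlLoginPostProcessor;
        this.shouldLogToken = shouldLogToken;
        this.roleClaimName = roleClaimName;
        this.identityProviderProvider = samlIdentityProviderProvider;
    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (isFreshSamlLogin(authentication)) {
            SAMLCredential credential = (SAMLCredential) authentication.getCredentials();
            ArrayList<GrantedAuthority> roles = new ArrayList<>();
            String cvr = "";
            try {
                if (shouldLogToken) {
                    logToken(credential);
                }
                cvr = resolveCvr(credential);
                addPrivilegeRoles(credential, roles);
                addClaimRoles(credential, roles);
            } catch (Exception e) {
                // Best effort, deliberately not fatal: the login itself is already established
                // upstream. Whatever was resolved before the failure (possibly an empty CVR and a
                // partial role list) is still passed on, so a parse failure degrades to fewer roles.
                logger.error("Bad or missing token", e);
            }
            if (postProcesser != null) {
                postProcesser.process(authentication.getPrincipal(), cvr, roles);
            }
            SecurityContextHolder.getContext().setAuthentication(
                    new AuthenticationTokenWithRoles(authentication.getPrincipal(), authentication.getCredentials(), roles, cvr));
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // no configuration beyond the constructor arguments
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /**
     * True only for an authenticated token of exactly {@link ExpiringUsernameAuthenticationToken}
     * backed by a {@link SAMLCredential}. The exact-class check means the
     * {@link AuthenticationTokenWithRoles} this filter installs is not processed again on later
     * requests.
     */
    private static boolean isFreshSamlLogin(Authentication authentication) {
        return authentication != null
                && authentication.isAuthenticated()
                && authentication.getClass().equals(ExpiringUsernameAuthenticationToken.class)
                && authentication.getCredentials() instanceof SAMLCredential;
    }

    /**
     * Resolves the CVR for this login.
     *
     * <p>With an identity-provider provider configured the CVR is whatever the provider returns for
     * the assertion's remote entity id (may be null if the provider stores none); an unknown entity
     * id is logged and yields {@code ""}. Without a provider the CVR is read from the {@code O=}
     * RDN of an X509SubjectName-formatted NameID, or {@code ""} for any other format.
     *
     * @throws NullPointerException if the credential carries no NameID in the subject-name path;
     *                              the caller's catch-all treats that as "" (as before)
     */
    private String resolveCvr(SAMLCredential credential) {
        if (identityProviderProvider != null) {
            String entityId = credential.getRemoteEntityID();
            IdentityProvider idp = identityProviderProvider.getByEntityId(entityId);
            if (idp == null) {
                logger.error("Failed to extract CVR from Identity Provider - EntityId unknown: " + entityId);
                return "";
            }
            return idp.getCvr();
        }
        if (X509_SUBJECT_NAME_FORMAT.equals(credential.getNameID().getFormat())) {
            return getNameIdValue("O", credential.getNameID().getValue());
        }
        return "";
    }

    /**
     * Adds one {@code ROLE_<privilege>} authority per privilege group found in the
     * base64-encoded {@link PrivilegeList} attribute. Absent attribute: no-op.
     *
     * @throws IllegalArgumentException on invalid base64
     * @throws JAXBException, XMLStreamException on malformed privilege XML
     */
    private static void addPrivilegeRoles(SAMLCredential credential, List<GrantedAuthority> roles) throws JAXBException, XMLStreamException {
        String encoded = credential.getAttributeAsString(PRIVILEGES_ATTRIBUTE);
        if (encoded == null) {
            return;
        }
        PrivilegeList privileges = parsePrivilegeList(Base64.getDecoder().decode(encoded));
        for (PrivilegeList.PrivilegeGroup group : privileges.getPrivilegeGroup()) {
            addRole(roles, group.getPrivilege());
        }
    }

    /**
     * Unmarshals the privilege XML through a hardened StAX reader.
     *
     * <p>The bytes are handed to the parser directly (rather than through a platform-charset
     * Reader) so the document's own encoding declaration is honoured. DTD support and external
     * entity resolution are switched off: the privilege document needs neither, and leaving them on
     * would expose the unmarshaller to XXE / entity-expansion payloads.
     */
    private static PrivilegeList parsePrivilegeList(byte[] xml) throws JAXBException, XMLStreamException {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        XMLStreamReader reader = factory.createXMLStreamReader(new ByteArrayInputStream(xml));
        try {
            // JAXBContext creation per request mirrors the previous behaviour; it is cacheable
            // (the context is thread-safe) should this become a hot path.
            return (PrivilegeList) JAXBContext.newInstance(PrivilegeList.class).createUnmarshaller().unmarshal(reader);
        } finally {
            reader.close();
        }
    }

    /**
     * Adds one {@code ROLE_<value>} authority per value of the configured role-claim attribute.
     * No-op when no claim name is configured or the attribute is absent. Values are taken as the
     * raw text content of each attribute value element, untrimmed.
     */
    private void addClaimRoles(SAMLCredential credential, List<GrantedAuthority> roles) {
        if (roleClaimName == null || roleClaimName.isEmpty()) {
            return;
        }
        Attribute attribute = credential.getAttribute(roleClaimName);
        if (attribute == null) {
            return;
        }
        for (XMLObject value : attribute.getAttributeValues()) {
            Element dom = value.getDOM();
            addRole(roles, dom == null ? null : dom.getTextContent());
        }
    }

    /**
     * Appends {@code ROLE_<name>}. Null or empty names are skipped rather than producing the
     * meaningless authorities {@code ROLE_null} / {@code ROLE_}.
     */
    private static void addRole(List<GrantedAuthority> roles, String name) {
        if (name == null || name.isEmpty()) {
            return;
        }
        roles.add(new SimpleGrantedAuthority(ROLE_PREFIX + name));
    }

    /**
     * Extracts the value of the RDN {@code <attributeType>=} from a subject-name string.
     *
     * <p>The match must sit at the start of the string or directly after a {@code ','}, {@code ' '}
     * or {@code '+'} so that e.g. {@code O=} is not picked out of the middle of another RDN's
     * value. The value ends at the first {@code ' '} or {@code ','} (no escaping or quoting is
     * understood), so a value containing spaces is truncated at its first space. Returns
     * {@code ""} when no such RDN is present.
     */
    private static String getNameIdValue(String attributeType, String subjectName) {
        String needle = attributeType + "=";
        int from = 0;
        while (true) {
            int at = subjectName.indexOf(needle, from);
            if (at < 0) {
                return "";
            }
            if (at == 0 || isRdnSeparator(subjectName.charAt(at - 1))) {
                int start = at + needle.length();
                int end = start;
                while (end < subjectName.length() && subjectName.charAt(end) != ' ' && subjectName.charAt(end) != ',') {
                    end++;
                }
                return subjectName.substring(start, end);
            }
            from = at + 1;
        }
    }

    /** Characters that can precede an RDN type in the subject-name forms handled here. */
    private static boolean isRdnSeparator(char c) {
        return c == ',' || c == ' ' || c == '+';
    }

    /**
     * Serialises the authentication assertion to the log at INFO level.
     *
     * <p>The assertion contains the subject's identity and every attribute the IdP released —
     * personal data — so this must stay disabled outside debugging. The identity transform runs
     * on an already-parsed DOM, so no entity resolution is involved; secure processing is still
     * enabled as a defensive default.
     */
    private static void logToken(SAMLCredential credential) {
        try {
            DOMSource source = new DOMSource(credential.getAuthenticationAssertion().getDOM());
            TransformerFactory factory = TransformerFactory.newInstance();
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            Transformer transformer = factory.newTransformer();
            transformer.setOutputProperty("method", "xml");
            transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
            transformer.setOutputProperty("omit-xml-declaration", "yes");
            transformer.setOutputProperty("indent", "yes");
            transformer.setOutputProperty("encoding", "UTF-8");
            StringWriter out = new StringWriter();
            transformer.transform(source, new StreamResult(out));
            logger.info(out.toString());
        } catch (Exception e) {
            logger.error("Failed to log token", e);
        }
    }
}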
