package com.linecorp.armeria.server.saml;

import com.google.common.annotations.VisibleForTesting;
import com.linecorp.armeria.common.AggregatedHttpMessage;
import com.linecorp.armeria.common.HttpHeaderNames;
import com.linecorp.armeria.common.HttpHeaders;
import com.linecorp.armeria.common.HttpResponse;
import com.linecorp.armeria.common.HttpStatus;
import com.linecorp.armeria.server.saml.SamlService;
import io.netty.handler.codec.http.HttpHeaderValues;
import io.netty.handler.codec.http.QueryStringEncoder;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import java.util.Objects;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;
import java.util.zip.Inflater;
import java.util.zip.InflaterOutputStream;
import javax.annotation.Nullable;
import net.shibboleth.utilities.java.support.xml.SerializeSupport;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.messaging.context.SAMLBindingContext;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.opensaml.saml.saml2.core.StatusResponseType;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.Credential;
import org.opensaml.xmlsec.crypto.XMLSigningUtil;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/linecorp/armeria/server/saml/HttpRedirectBindingUtil.class */
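/**
 * Helpers for the SAML 2.0 HTTP-Redirect binding: building a signed redirect URL for an outbound
 * message ({@link #toRedirectionUrl}) and decoding plus signature-checking an inbound one
 * ({@link #toSamlObject}).
 *
 * <p>This listing is decompiler output; the synthetic {@code $closeResource}/{@code $assertionsDisabled}
 * members have been folded back into try-with-resources and {@code assert}.
 */
public final class HttpRedirectBindingUtil {

    /** Cache-Control sent with every redirect so the signed URL is not kept by caches. */
    private static final String DEFAULT_CACHE_CONTROL =
            String.join(",", HttpHeaderValues.NO_CACHE, HttpHeaderValues.NO_STORE);

    /** Pragma equivalent of {@link #DEFAULT_CACHE_CONTROL} for HTTP/1.0 caches. */
    private static final String DEFAULT_PRAGMA = HttpHeaderValues.NO_CACHE.toString();

    /**
     * Longest RelayState accepted by {@link #toRedirectionUrl}. The HTTP-Redirect binding limits
     * RelayState to 80 bytes; this check counts {@code String.length()} (UTF-16 units), so a
     * non-ASCII value may pass here and still exceed the byte limit — TODO confirm intended measure.
     */
    private static final int MAX_RELAY_STATE_LENGTH = 80;

    /**
     * Builds the headers of a {@code 302 Found} redirect to {@code location} with no-cache directives.
     *
     * @param location the value of the {@code Location} header
     * @return the response headers
     */
    static HttpHeaders headersWithLocation(String location) {
        return HttpHeaders.of(HttpStatus.FOUND)
                          .add(HttpHeaderNames.LOCATION, location)
                          .add(HttpHeaderNames.CACHE_CONTROL, DEFAULT_CACHE_CONTROL)
                          .add(HttpHeaderNames.PRAGMA, DEFAULT_PRAGMA);
    }

    /**
     * Builds a {@code 302 Found} redirect response to {@code location}.
     *
     * @param location the value of the {@code Location} header
     * @return the redirect response
     */
    public static HttpResponse responseWithLocation(String location) {
        return HttpResponse.of(headersWithLocation(location));
    }

    /**
     * Builds the redirect URL that carries {@code msg} to {@code endpointUrl} using the HTTP-Redirect
     * binding: the message is deflated and base64-encoded into {@code messageParamName}, followed by
     * the optional {@code RelayState}, {@code SigAlg} and a {@code Signature} over the query string
     * built so far.
     *
     * @param msg the SAML message to send
     * @param endpointUrl the URL the query string is appended to (a {@code ?} is inserted by the encoder)
     * @param messageParamName the query parameter that carries the message
     * @param signingCredential the credential used to sign the query string
     * @param signatureAlgorithm the signature algorithm URI, also sent as {@code SigAlg}
     * @param relayState the optional RelayState value
     * @return the complete redirect URL
     * @throws SamlException if the message cannot be serialized, deflated or signed
     * @throws IllegalArgumentException if {@code relayState} is longer than {@link #MAX_RELAY_STATE_LENGTH}
     */
    public static String toRedirectionUrl(SAMLObject msg, String endpointUrl, String messageParamName,
                                          Credential signingCredential, String signatureAlgorithm,
                                          @Nullable String relayState) throws SamlException {
        Objects.requireNonNull(msg, "msg");
        Objects.requireNonNull(endpointUrl, "endpointUrl");
        Objects.requireNonNull(messageParamName, "messageParamName");
        Objects.requireNonNull(signingCredential, "signingCredential");
        Objects.requireNonNull(signatureAlgorithm, "signatureAlgorithm");

        final QueryStringEncoder encoder = new QueryStringEncoder("");
        encoder.addParam(messageParamName, toDeflatedBase64(msg));
        if (relayState != null) {
            if (relayState.length() > MAX_RELAY_STATE_LENGTH) {
                throw new IllegalArgumentException("too long relayState string: " + relayState.length());
            }
            encoder.addParam("RelayState", relayState);
        }
        encoder.addParam("SigAlg", signatureAlgorithm);
        // The signature covers exactly the parameters added so far, in this order:
        // message, [RelayState], SigAlg. validateSignature() rebuilds the same string on receipt.
        encoder.addParam("Signature",
                         generateSignature(signingCredential, signatureAlgorithm, signedPart(encoder)));
        return endpointUrl + encoder;
    }

    /**
     * Verifies the {@code Signature} query parameter of an inbound redirect-bound message against
     * the rebuilt {@code message[&RelayState]&SigAlg} query string.
     *
     * <p>NOTE(review): the signed string is rebuilt from the already-decoded parameter values, so
     * verification depends on {@link QueryStringEncoder} producing the same percent-encoding the
     * sender used; how {@code SamlParameters} decodes values is not visible here — confirm against
     * senders that encode differently. {@code SigAlg} is taken from the request; whether weak
     * algorithms are rejected is decided inside {@link XMLSigningUtil}, not here.
     *
     * @param validationCredential the credential of the identity provider the message claims to be from
     * @param parameters the decoded query/form parameters of the request
     * @param messageParamName the parameter that carries the SAML message
     * @throws SamlException if the signature is missing, malformed or does not verify
     */
    private static void validateSignature(Credential validationCredential,
                                          SamlService.SamlParameters parameters,
                                          String messageParamName) throws SamlException {
        Objects.requireNonNull(validationCredential, "validationCredential");
        Objects.requireNonNull(parameters, "parameters");
        Objects.requireNonNull(messageParamName, "messageParamName");

        final String signature = parameters.getFirstValue("Signature");
        final String sigAlg = parameters.getFirstValue("SigAlg");

        final QueryStringEncoder encoder = new QueryStringEncoder("");
        encoder.addParam(messageParamName, parameters.getFirstValue(messageParamName));
        final String relayState = parameters.getFirstValueOrNull("RelayState");
        if (relayState != null) {
            encoder.addParam("RelayState", relayState);
        }
        encoder.addParam("SigAlg", sigAlg);

        try {
            // MIME decoder: tolerant of line breaks/whitespace in the transmitted signature.
            final byte[] signatureBytes = Base64.getMimeDecoder().decode(signature);
            final byte[] signedBytes = signedPart(encoder).getBytes(StandardCharsets.UTF_8);
            if (!XMLSigningUtil.verifyWithURI(validationCredential, sigAlg, signatureBytes, signedBytes)) {
                throw new SamlException("failed to validate a signature");
            }
        } catch (SecurityException e) {
            throw new SamlException("failed to validate a signature", e);
        } catch (IllegalArgumentException e) {
            throw new SamlException("failed to decode a base64 signature string", e);
        }
    }

    /**
     * Signs {@code input} with {@code credential} using the algorithm identified by {@code algorithmUri}.
     *
     * @param credential the signing credential
     * @param algorithmUri the signature algorithm URI
     * @param input the text to sign (encoded as UTF-8)
     * @return the base64-encoded signature
     * @throws SamlException if signing fails
     */
    @VisibleForTesting
    static String generateSignature(Credential credential, String algorithmUri, String input)
            throws SamlException {
        try {
            final byte[] signature =
                    XMLSigningUtil.signWithURI(credential, algorithmUri, input.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(signature);
        } catch (SecurityException e) {
            throw new SamlException("failed to generate a signature", e);
        }
    }

    /**
     * Serializes {@code message} to XML, raw-deflates it and base64-encodes the result, as required
     * for the message parameter of the HTTP-Redirect binding.
     *
     * @param message the SAML message
     * @return the deflated, base64-encoded message
     * @throws SamlException if the message cannot be marshalled or deflated
     */
    static String toDeflatedBase64(SAMLObject message) throws SamlException {
        Objects.requireNonNull(message, "message");

        final String xml;
        try {
            xml = SerializeSupport.nodeToString(XMLObjectSupport.marshall(message));
        } catch (MarshallingException e) {
            throw new SamlException("failed to serialize a SAML message", e);
        }

        final ByteArrayOutputStream out = new ByteArrayOutputStream();
        // nowrap=true: raw DEFLATE without the zlib header/trailer. Closing the deflater stream
        // also closes the wrapped base64 stream, which writes the final padding.
        try (DeflaterOutputStream deflater = new DeflaterOutputStream(Base64.getEncoder().wrap(out),
                                                                    new Deflater(8, true))) {
            deflater.write(xml.getBytes(StandardCharsets.UTF_8));
        } catch (IOException e) {
            throw new SamlException("failed to deflate a SAML message", e);
        }
        // Base64 output is pure ASCII, so the charset is fixed rather than platform-dependent.
        return new String(out.toByteArray(), StandardCharsets.US_ASCII);
    }

    /**
     * Reverses {@link #toDeflatedBase64}: base64-decodes, raw-inflates and deserializes a message.
     *
     * <p>NOTE(review): the inflated size is not bounded here, and the input originates from the
     * request's query string, so a small parameter can expand into a large buffer before
     * deserialization; consider capping the inflated length upstream or in this method.
     *
     * @param base64Encoded the deflated, base64-encoded message
     * @return the deserialized XML object
     * @throws SamlException if decoding or inflating fails
     */
    static XMLObject fromDeflatedBase64(String base64Encoded) throws SamlException {
        Objects.requireNonNull(base64Encoded, "base64Encoded");
        try {
            // MIME decoder: ignores line breaks/whitespace that may have been introduced in transit.
            final byte[] deflated = Base64.getMimeDecoder().decode(base64Encoded);
            final ByteArrayOutputStream out = new ByteArrayOutputStream();
            // nowrap=true matches the raw DEFLATE produced by toDeflatedBase64().
            try (InflaterOutputStream inflater = new InflaterOutputStream(out, new Inflater(true))) {
                inflater.write(deflated);
            } catch (IOException e) {
                throw new SamlException("failed to inflate a SAML message", e);
            }
            return SamlMessageUtil.deserialize(out.toByteArray());
        } catch (IllegalArgumentException e) {
            throw new SamlException("failed to decode a deflated base64 string", e);
        }
    }

    /**
     * Decodes the SAML message carried in parameter {@code name} of {@code msg}, selects the identity
     * provider configuration by the message's {@code Issuer} (or {@code defaultIdpConfig} when the
     * message has none), verifies the query-string signature with that provider's credential and
     * wraps the message in a {@link MessageContext} carrying any {@code RelayState}.
     *
     * <p>The {@code Issuer} is read from the not-yet-verified message. It only chooses which
     * configured credential is used; the message is not trusted until {@link #validateSignature}
     * succeeds against that credential.
     *
     * @param msg the aggregated HTTP request
     * @param name the parameter that carries the SAML message
     * @param idpConfigs the configured identity providers, keyed by issuer
     * @param defaultIdpConfig the provider to assume when the message carries no {@code Issuer}
     * @param <T> the expected message type; the cast is unchecked
     * @return the message context holding the decoded message
     * @throws SamlException if the message cannot be decoded, is of an unexpected type, names an
     *         unknown issuer, has no issuer and no default is configured, or its signature is invalid
     */
    public static <T extends SAMLObject> MessageContext<T> toSamlObject(
            AggregatedHttpMessage msg, String name, Map<String, SamlIdentityProviderConfig> idpConfigs,
            @Nullable SamlIdentityProviderConfig defaultIdpConfig) throws SamlException {
        Objects.requireNonNull(msg, "msg");
        Objects.requireNonNull(name, "name");
        Objects.requireNonNull(idpConfigs, "idpConfigs");

        final SamlService.SamlParameters parameters = new SamlService.SamlParameters(msg);
        // Unchecked: the wire format cannot prove the caller's T; a mismatch surfaces on first use.
        @SuppressWarnings("unchecked")
        final T message = (T) fromDeflatedBase64(parameters.getFirstValue(name));
        final MessageContext<T> messageContext = new MessageContext<>();
        messageContext.setMessage(message);

        final Issuer issuer = issuerOf(message);
        final SamlIdentityProviderConfig idpConfig;
        if (issuer != null) {
            final String issuerValue = issuer.getValue();
            idpConfig = idpConfigs.get(issuerValue);
            if (idpConfig == null) {
                throw new SamlException("a message from unknown identity provider: " + issuerValue);
            }
        } else {
            if (defaultIdpConfig == null) {
                throw new SamlException("failed to get an Issuer element");
            }
            idpConfig = defaultIdpConfig;
        }

        validateSignature(idpConfig.signingCredential(), parameters, name);

        final String relayState = parameters.getFirstValueOrNull("RelayState");
        if (relayState != null) {
            final SAMLBindingContext bindingContext =
                    messageContext.getSubcontext(SAMLBindingContext.class, true);
            assert bindingContext != null;
            bindingContext.setRelayState(relayState);
        }
        return messageContext;
    }

    /** Returns the Issuer of a request or response message, or {@code null} if it has none. */
    @Nullable
    private static Issuer issuerOf(SAMLObject message) throws SamlException {
        if (message instanceof RequestAbstractType) {
            return ((RequestAbstractType) message).getIssuer();
        }
        if (message instanceof StatusResponseType) {
            return ((StatusResponseType) message).getIssuer();
        }
        throw new SamlException("invalid message type: " + message.getClass().getSimpleName());
    }

    /** Returns the encoder's query string without its leading {@code ?}: the part that gets signed. */
    private static String signedPart(QueryStringEncoder encoder) {
        return encoder.toString().substring(1);
    }

    private HttpRedirectBindingUtil() {}
}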
