package com.linecorp.armeria.server.saml;

import com.linecorp.armeria.common.HttpRequest;
import com.linecorp.armeria.common.HttpResponse;
import com.linecorp.armeria.common.HttpStatus;
import com.linecorp.armeria.common.MediaType;
import com.linecorp.armeria.common.util.Exceptions;
import com.linecorp.armeria.internal.shaded.guava.base.MoreObjects;
import com.linecorp.armeria.server.HttpService;
import com.linecorp.armeria.server.Server;
import com.linecorp.armeria.server.ServiceConfig;
import com.linecorp.armeria.server.ServiceRequestContext;
import com.linecorp.armeria.server.SimpleDecoratingHttpService;
import com.linecorp.armeria.server.auth.Authorizer;
import java.util.Objects;
import java.util.concurrent.CompletionStage;
import javax.annotation.Nullable;
import org.joda.time.DateTime;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.common.messaging.context.SAMLBindingContext;
import org.opensaml.saml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml.saml2.core.AuthnContextComparisonTypeEnumeration;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.NameIDPolicy;
import org.opensaml.saml.saml2.core.RequestedAuthnContext;
import org.opensaml.security.credential.Credential;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/linecorp/armeria/server/saml/SamlDecorator.class */
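/**
 * Decorates an {@link HttpService} so that a request the configured {@link Authorizer} does not accept is
 * answered with the start of SP-initiated SAML single sign-on: an identity provider is selected, a signed
 * {@link AuthnRequest} is created and it is sent to the identity provider's SSO endpoint using either the
 * HTTP-Redirect or the HTTP-POST binding. Requests the authorizer accepts are passed to the delegate.
 *
 * <p>This instance can be added to exactly one {@link Server}, because it registers a listener on it that
 * fills in the port configuration used for the assertion consumer service URL.
 */
final class SamlDecorator extends SimpleDecoratingHttpService {
    private static final Logger logger = LoggerFactory.getLogger(SamlDecorator.class);

    /** Name of the parameter that carries the request in both the redirect URL and the POST form. */
    private static final String SAML_REQUEST_PARAM = "SAMLRequest";

    /** The authentication context class requested from the identity provider (the SAML 2.0 Password class). */
    private static final String PASSWORD_AUTHN_CTX_CLASS_REF =
            "urn:oasis:names:tc:SAML:2.0:ac:classes:Password";

    private final SamlServiceProvider sp;
    private final SamlPortConfigAutoFiller portConfigHolder;
    private final String myEntityId;
    private final Credential signingCredential;
    private final Authorizer<HttpRequest> authorizer;
    private final SamlRequestIdManager requestIdManager;
    private final SamlSingleSignOnHandler ssoHandler;

    /** The server this decorator was added to; {@code null} until {@link #serviceAdded} runs. */
    @Nullable
    private Server server;

    /** Pairs the message context holding an outgoing {@link AuthnRequest} with the identity provider it targets. */
    private static final class MessageContextAndIdpConfig {
        private final MessageContext<AuthnRequest> messageContext;
        private final SamlIdentityProviderConfig idpConfig;

        private MessageContextAndIdpConfig(MessageContext<AuthnRequest> messageContext,
                                           SamlIdentityProviderConfig idpConfig) {
            this.messageContext = messageContext;
            this.idpConfig = idpConfig;
        }
    }

    /**
     * Creates a new decorator.
     *
     * @param sp the service provider configuration everything else is taken from
     * @param delegate the service that handles requests once they are authorized
     */
    SamlDecorator(SamlServiceProvider sp, HttpService delegate) {
        super(delegate);
        this.sp = sp;
        portConfigHolder = sp.portConfigAutoFiller();
        myEntityId = sp.entityId();
        signingCredential = sp.signingCredential();
        authorizer = sp.authorizer();
        ssoHandler = sp.ssoHandler();
        requestIdManager = sp.requestIdManager();
    }

    /**
     * Remembers the {@link Server} this decorator belongs to and registers the port configuration holder as
     * a server listener, so that it can complete once the server is up (presumably from the bound ports;
     * see {@code SamlPortConfigAutoFiller}).
     *
     * @throws IllegalStateException if this decorator is added to a second, different server
     */
    @Override
    public void serviceAdded(ServiceConfig cfg) throws Exception {
        super.serviceAdded(cfg);
        if (server == null) {
            server = cfg.server();
            server.addListener(portConfigHolder);
            return;
        }
        if (server != cfg.server()) {
            throw new IllegalStateException("cannot be added to more than one server");
        }
    }

    /**
     * Serves the request from the delegate when the authorizer accepts it; otherwise starts SP-initiated SSO.
     * An authorizer that fails exceptionally is treated exactly like one that returns {@code false}
     * (fail closed), so the request never reaches the delegate in that case.
     */
    @Override
    public HttpResponse serve(ServiceRequestContext ctx, HttpRequest req) throws Exception {
        final CompletionStage<HttpResponse> response = authorizer.authorize(ctx, req).handle((authorized, cause) -> {
            if (cause == null && authorized) {
                try {
                    return unwrap().serve(ctx, req);
                } catch (Exception e) {
                    // Rethrow the checked exception from inside the lambda without wrapping it.
                    return (HttpResponse) Exceptions.throwUnsafely(e);
                }
            }
            return HttpResponse.from(initiateSso(ctx, req));
        });
        return HttpResponse.from(response);
    }

    /**
     * Builds the response that starts SP-initiated SSO: select an identity provider, wrap a fresh
     * {@link AuthnRequest} in a message context, give the SSO handler a chance to act, then render the
     * request with the identity provider's binding. Every failure on the way ends in {@link #fail}.
     */
    private CompletionStage<HttpResponse> initiateSso(ServiceRequestContext ctx, HttpRequest req) {
        return selectIdpConfig(ctx, req)
                .thenApply(idpConfig -> newMessageContext(ctx, idpConfig))
                .thenCompose(pair -> ssoHandler.beforeInitiatingSso(ctx, req, pair.messageContext, pair.idpConfig)
                                               .thenApply(unused -> pair))
                .thenApply(pair -> {
                    try {
                        return renderAuthnRequest(pair);
                    } catch (SamlException e) {
                        return fail(ctx, e);
                    }
                })
                .exceptionally(cause -> fail(ctx, cause));
    }

    /**
     * Asks the selector for the identity provider to use. The selector is consulted only after the port
     * configuration has been filled in, because {@link #createAuthRequest} reads it for the ACS URL.
     */
    private CompletionStage<SamlIdentityProviderConfig> selectIdpConfig(ServiceRequestContext ctx,
                                                                        HttpRequest req) {
        if (portConfigHolder.isDone()) {
            return sp.idpConfigSelector().select(sp, ctx, req);
        }
        return portConfigHolder.future().thenCompose(unused -> sp.idpConfigSelector().select(sp, ctx, req));
    }

    /**
     * Wraps a new {@link AuthnRequest} for {@code idpConfig} in a message context.
     *
     * @throws RuntimeException if the selector produced no identity provider ({@code null})
     */
    private MessageContextAndIdpConfig newMessageContext(ServiceRequestContext ctx,
                                                         @Nullable SamlIdentityProviderConfig idpConfig) {
        if (idpConfig == null) {
            throw new RuntimeException("cannot find a suitable identity provider from configurations");
        }
        // The explicitly configured hostname wins; otherwise the virtual host's default hostname is used.
        final String hostname = MoreObjects.firstNonNull(sp.hostname(),
                                                         ctx.config().virtualHost().defaultHostname());
        final MessageContext<AuthnRequest> messageContext = new MessageContext<>();
        messageContext.setMessage(createAuthRequest(idpConfig, hostname));
        return new MessageContextAndIdpConfig(messageContext, idpConfig);
    }

    /**
     * Renders the {@link AuthnRequest} for the identity provider's SSO endpoint: a redirect whose location is
     * built and signed with the SP credential for the HTTP-Redirect binding, or an HTML page carrying the
     * signed, Base64-encoded request in a form for every other binding.
     */
    private HttpResponse renderAuthnRequest(MessageContextAndIdpConfig pair) {
        final MessageContext<AuthnRequest> messageContext = pair.messageContext;
        // The relay state is taken from the binding sub-context if one was attached to the message
        // context (presumably by the SSO handler); there is none otherwise.
        final SAMLBindingContext bindingContext = messageContext.getSubcontext(SAMLBindingContext.class);
        final String relayState = bindingContext != null ? bindingContext.getRelayState() : null;
        final SamlEndpoint ssoEndpoint = pair.idpConfig.ssoEndpoint();
        final AuthnRequest authnRequest = messageContext.getMessage();

        if (ssoEndpoint.bindingProtocol() == SamlBindingProtocol.HTTP_REDIRECT) {
            final String location = HttpRedirectBindingUtil.toRedirectionUrl(
                    authnRequest, ssoEndpoint.toUriString(), SAML_REQUEST_PARAM,
                    signingCredential, sp.signatureAlgorithm(), relayState);
            return HttpRedirectBindingUtil.responseWithLocation(location);
        }
        final String signedRequest = HttpPostBindingUtil.toSignedBase64(
                authnRequest, signingCredential, sp.signatureAlgorithm());
        final String form = HttpPostBindingUtil.getSsoForm(
                ssoEndpoint.toUriString(), SAML_REQUEST_PARAM, signedRequest, relayState);
        return HttpResponse.of(HttpStatus.OK, MediaType.HTML_UTF_8, form);
    }

    /**
     * Answers {@code 401 Unauthorized} when SSO could not be initiated. The client gets no detail about the
     * failure; the cause is only logged at trace level, so enable trace logging for this class to diagnose it.
     */
    private static HttpResponse fail(ServiceRequestContext ctx, Throwable cause) {
        logger.trace("{} Cannot initiate SAML authentication", ctx, cause);
        return HttpResponse.of(HttpStatus.UNAUTHORIZED);
    }

    /**
     * Creates the {@link AuthnRequest} addressed to {@code idp}.
     *
     * @param idp the identity provider the request is sent to
     * @param hostname the hostname placed in the assertion consumer service URL the identity provider
     *                 answers to
     * @throws NullPointerException if {@code idp} is {@code null}
     */
    private AuthnRequest createAuthRequest(SamlIdentityProviderConfig idp, String hostname) {
        Objects.requireNonNull(idp, "idp");

        final AuthnRequest authnRequest = SamlMessageUtil.build(AuthnRequest.DEFAULT_ELEMENT_NAME);

        final Issuer issuer = SamlMessageUtil.build(Issuer.DEFAULT_ELEMENT_NAME);
        issuer.setValue(myEntityId);
        authnRequest.setIssuer(issuer);
        authnRequest.setIssueInstant(DateTime.now());
        authnRequest.setDestination(idp.ssoEndpoint().toUriString());
        // A new ID per request; the response's InResponseTo is presumably checked against it by the
        // ACS handling, which is not part of this class.
        authnRequest.setID(requestIdManager.newId());

        // Scheme and port of the ACS URL come from the server's port configuration, which must be
        // complete by now (see selectIdpConfig). The IdP-specific ACS endpoint overrides the default one.
        final SamlPortConfig portConfig = portConfigHolder.config();
        final SamlEndpoint acsEndpoint = idp.acsEndpoint() != null ? idp.acsEndpoint()
                                                                   : sp.defaultAcsConfig().endpoint();
        authnRequest.setAssertionConsumerServiceURL(
                acsEndpoint.toUriString(portConfig.scheme().uriText(), hostname, portConfig.port()));
        authnRequest.setProtocolBinding(acsEndpoint.bindingProtocol().urn());

        final SamlNameIdPolicy policy = idp.nameIdPolicy();
        final NameIDPolicy nameIdPolicy = SamlMessageUtil.build(NameIDPolicy.DEFAULT_ELEMENT_NAME);
        nameIdPolicy.setFormat(policy.format().urn());
        nameIdPolicy.setAllowCreate(policy.isCreatable());
        authnRequest.setNameIDPolicy(nameIdPolicy);

        // Ask for an exact match on the password authentication context class.
        final AuthnContextClassRef passwordAuthnCtxRef =
                SamlMessageUtil.build(AuthnContextClassRef.DEFAULT_ELEMENT_NAME);
        passwordAuthnCtxRef.setAuthnContextClassRef(PASSWORD_AUTHN_CTX_CLASS_REF);
        final RequestedAuthnContext requestedAuthnContext =
                SamlMessageUtil.build(RequestedAuthnContext.DEFAULT_ELEMENT_NAME);
        requestedAuthnContext.setComparison(AuthnContextComparisonTypeEnumeration.EXACT);
        requestedAuthnContext.getAuthnContextClassRefs().add(passwordAuthnCtxRef);
        authnRequest.setRequestedAuthnContext(requestedAuthnContext);
        return authnRequest;
    }
}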
