package org.apache.cxf.rs.security.saml.sso;

import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.logging.Level;
import javax.security.auth.callback.CallbackHandler;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.apache.cxf.common.util.Base64Utility;
import org.apache.cxf.jaxrs.utils.ExceptionUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.rs.security.saml.DeflateEncoderDecoder;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoType;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.util.DOM2Writer;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.security.crypto.JCAConstants;
import org.springframework.beans.factory.BeanFactory;
import org.w3c.dom.Element;

/* loaded from: input_file:BOOT-INF/lib/cxf-rt-rs-security-sso-saml-3.2.4.jar:org/apache/cxf/rs/security/saml/sso/SamlRedirectBindingFilter.class */
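/**
 * Service-provider side of the SAML 2.0 HTTP-Redirect binding.
 *
 * <p>Requests without an established security context are aborted with a 303 redirect to
 * the IdP; the deflated, base64- and URL-encoded {@code AuthnRequest} travels in the
 * {@code SAMLRequest} query parameter together with {@code RelayState}. When request
 * signing is enabled, the query string itself is signed ({@code SigAlg}/{@code Signature}
 * parameters) rather than the XML document, which is why {@link #signAuthnRequest} is a
 * no-op here.
 *
 * <p>NOTE(review): {@code RelayState} is placed in the signed string verbatim but handed to
 * {@link UriBuilder#queryParam}, which percent-encodes characters that are not allowed in a
 * query string. The two only agree if the RelayState value produced by
 * {@code createSamlRequestInfo} contains no such characters - confirm against the caller.
 */
public class SamlRedirectBindingFilter extends AbstractServiceProviderFilter {

    // XML-DSig algorithm URIs advertised to the IdP in the SigAlg query parameter.
    private static final String RSA_SHA1_URI = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    private static final String DSA_SHA1_URI = "http://www.w3.org/2000/09/xmldsig#dsa-sha1";

    /**
     * Lets authenticated requests through and redirects all others to the IdP.
     *
     * <p>Any failure while building the redirect is logged at FINE and surfaced to the
     * client as a 500 via {@link ExceptionUtils#toInternalServerErrorException}.
     *
     * @param containerRequestContext the JAX-RS request being filtered; aborted with the
     *        redirect response when no security context is present
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) {
        Message message = JAXRSUtils.getCurrentMessage();
        if (checkSecurityContext(message)) {
            return;
        }
        try {
            SamlRequestInfo info = createSamlRequestInfo(message);
            String relayState = info.getRelayState();
            String encodedRequest =
                URLEncoder.encode(info.getSamlRequest(), StandardCharsets.UTF_8.name());

            UriBuilder idpUri = UriBuilder.fromUri(getIdpServiceAddress())
                .queryParam("SAMLRequest", encodedRequest)
                .queryParam("RelayState", relayState);
            if (isSignRequest()) {
                // Must run after SAMLRequest and RelayState are set: the signature covers both.
                signRequest(encodedRequest, relayState, idpUri);
            }

            Response redirect = Response.seeOther(idpUri.build())
                // The redirect carries a one-shot AuthnRequest; keep it out of caches.
                .header("Cache-Control", "no-cache, no-store")
                .header("Pragma", "no-cache")
                // RelayState is stored client-side so the IdP response can be matched to it.
                .header("Set-Cookie",
                        createCookie("RelayState", relayState,
                                     info.getWebAppContext(), info.getWebAppDomain()))
                .build();
            containerRequestContext.abortWith(redirect);
        } catch (Exception e) {
            LOG.log(Level.FINE, e.getMessage(), e);
            throw ExceptionUtils.toInternalServerErrorException(e, null);
        }
    }

    /**
     * Intentionally a no-op. With the HTTP-Redirect binding the XML is not signed in
     * place; the encoded request is signed as part of the query string in
     * {@link #signRequest} instead.
     *
     * @param authnRequest the request that would be signed under other bindings
     * @throws Exception never thrown by this implementation
     */
    @Override
    protected void signAuthnRequest(AuthnRequest authnRequest) throws Exception {
        // Signing happens at the query-string level, see signRequest.
    }

    /**
     * Serialises the AuthnRequest element, DEFLATE-compresses it and base64-encodes the
     * result, as required for the {@code SAMLRequest} parameter of the redirect binding.
     *
     * @param element the AuthnRequest DOM element
     * @return the base64-encoded deflated XML (not yet URL-encoded)
     * @throws IOException if compression fails
     */
    @Override
    protected String encodeAuthnRequest(Element element) throws IOException {
        byte[] xml = DOM2Writer.nodeToString(element).getBytes(StandardCharsets.UTF_8);
        byte[] deflated = new DeflateEncoderDecoder().deflateToken(xml);
        return Base64Utility.encode(deflated);
    }

    /**
     * Appends the {@code SigAlg} and {@code Signature} query parameters to the redirect URI.
     *
     * <p>The signed data is the URL-encoded query string in the order mandated by the
     * binding: {@code SAMLRequest=...&RelayState=...&SigAlg=...}. The algorithm is chosen
     * from the signing certificate's key type (DSA or, otherwise, RSA).
     *
     * <p>NOTE(review): both selectable algorithms are SHA-1 based and the choice is not
     * configurable in this class; the IdP must accept them.
     *
     * @param encodedSamlRequest the URL-encoded SAMLRequest value already present in the URI
     * @param relayState the RelayState value already present in the URI
     * @param uriBuilder the redirect URI under construction; receives SigAlg and Signature
     * @throws Exception if signing material is not configured, no certificate is found for
     *         the configured user, or the JCA signing operation fails
     */
    private void signRequest(String encodedSamlRequest, String relayState, UriBuilder uriBuilder)
        throws Exception {
        Crypto crypto = getSignatureCrypto();
        if (crypto == null) {
            LOG.fine("No crypto instance of properties file configured for signature");
            throw ExceptionUtils.toInternalServerErrorException(null, null);
        }
        String signatureUser = getSignatureUsername();
        if (signatureUser == null) {
            LOG.fine("No user configured for signature");
            throw ExceptionUtils.toInternalServerErrorException(null, null);
        }
        CallbackHandler handler = getCallbackHandler();
        if (handler == null) {
            LOG.fine("No CallbackHandler configured to supply a password for signature");
            throw ExceptionUtils.toInternalServerErrorException(null, null);
        }

        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
        cryptoType.setAlias(signatureUser);
        X509Certificate[] issuerCerts = crypto.getX509Certificates(cryptoType);
        // An empty array would otherwise surface as an ArrayIndexOutOfBoundsException below.
        if (issuerCerts == null || issuerCerts.length == 0) {
            throw new Exception("No issuer certs were found to sign the request using name: "
                                + signatureUser);
        }

        String keyAlgorithm = issuerCerts[0].getPublicKey().getAlgorithm();
        LOG.fine("automatic sig algo detection: " + keyAlgorithm);
        String sigAlgUri = RSA_SHA1_URI;
        String jcaSigAlg = JCAConstants.SIGNATURE_RSA_SHA1;
        if (keyAlgorithm.equalsIgnoreCase(JCAConstants.KEY_ALGO_DSA)) {
            sigAlgUri = DSA_SHA1_URI;
            jcaSigAlg = JCAConstants.SIGNATURE_DSA_SHA1;
        }
        LOG.fine("Using Signature algorithm " + sigAlgUri);
        // Encoded once and reused so the signed string and the query parameter cannot diverge.
        String encodedSigAlg = URLEncoder.encode(sigAlgUri, StandardCharsets.UTF_8.name());
        uriBuilder.queryParam("SigAlg", encodedSigAlg);

        WSPasswordCallback[] callbacks = {
            new WSPasswordCallback(signatureUser, WSPasswordCallback.SIGNATURE)
        };
        handler.handle(callbacks);
        PrivateKey signingKey = crypto.getPrivateKey(signatureUser, callbacks[0].getPassword());

        // Parameter order is fixed by the binding; the IdP reconstructs exactly this string.
        String signedData = "SAMLRequest=" + encodedSamlRequest
                            + "&RelayState=" + relayState
                            + "&SigAlg=" + encodedSigAlg;
        Signature signature = Signature.getInstance(jcaSigAlg);
        signature.initSign(signingKey);
        signature.update(signedData.getBytes(StandardCharsets.UTF_8));

        String encodedSignature = Base64.getEncoder().encodeToString(signature.sign());
        uriBuilder.queryParam("Signature",
                              URLEncoder.encode(encodedSignature, StandardCharsets.UTF_8.name()));
    }
}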
