package org.keycloak.saml;

import java.io.IOException;
import java.net.URI;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.namespace.QName;
import org.jboss.logging.Logger;
import org.keycloak.common.util.HtmlUtils;
import org.keycloak.common.util.KeycloakUriBuilder;
import org.keycloak.saml.BaseSAML2BindingBuilder;
import org.keycloak.saml.common.constants.GeneralConstants;
import org.keycloak.saml.common.constants.JBossSAMLConstants;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.saml.common.exceptions.ConfigurationException;
import org.keycloak.saml.common.exceptions.ProcessingException;
import org.keycloak.saml.common.util.StringUtil;
import org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature;
import org.keycloak.saml.processing.core.saml.v2.util.DocumentUtil;
import org.keycloak.saml.processing.core.util.XMLEncryptionUtil;
import org.keycloak.saml.processing.web.util.PostBindingUtil;
import org.keycloak.saml.processing.web.util.RedirectBindingUtil;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/* loaded from: input_file:org/keycloak/saml/BaseSAML2BindingBuilder.class */
public class BaseSAML2BindingBuilder<T extends BaseSAML2BindingBuilder> {
    protected static final Logger logger = Logger.getLogger(BaseSAML2BindingBuilder.class);
    protected String signingKeyName;
    protected KeyPair signingKeyPair;
    protected X509Certificate signingCertificate;
    protected boolean sign;
    protected boolean signAssertions;
    protected String relayState;
    protected PublicKey encryptionPublicKey;
    protected boolean encrypt;
    protected SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.RSA_SHA1;
    protected int encryptionKeySize = 128;
    protected String encryptionAlgorithm = "AES";
    protected String canonicalizationMethodType = "http://www.w3.org/2001/10/xml-exc-c14n#";

    /* loaded from: input_file:org/keycloak/saml/BaseSAML2BindingBuilder$BasePostBindingBuilder.class */
    public class BasePostBindingBuilder {
        protected Document document;
        protected BaseSAML2BindingBuilder builder;

        public BasePostBindingBuilder(BaseSAML2BindingBuilder baseSAML2BindingBuilder, Document document) throws ProcessingException {
            this.builder = baseSAML2BindingBuilder;
            this.document = document;
            if (baseSAML2BindingBuilder.signAssertions) {
                baseSAML2BindingBuilder.signAssertion(document);
            }
            if (baseSAML2BindingBuilder.encrypt) {
                baseSAML2BindingBuilder.encryptDocument(document);
            }
            if (baseSAML2BindingBuilder.sign) {
                baseSAML2BindingBuilder.signDocument(document);
            }
        }

        public String encoded() throws ProcessingException, ConfigurationException, IOException {
            return PostBindingUtil.base64Encode(new String(DocumentUtil.getDocumentAsString(this.document).getBytes(GeneralConstants.SAML_CHARSET), GeneralConstants.SAML_CHARSET));
        }

        public Document getDocument() {
            return this.document;
        }

        public String getHtmlResponse(String str) throws ProcessingException, ConfigurationException, IOException {
            return this.builder.buildHtmlPostResponse(this.document, str, false);
        }

        public String getHtmlRequest(String str) throws ProcessingException, ConfigurationException, IOException {
            return this.builder.buildHtmlPostResponse(this.document, str, true);
        }

        public String getRelayState() {
            return BaseSAML2BindingBuilder.this.relayState;
        }
    }

    /* loaded from: input_file:org/keycloak/saml/BaseSAML2BindingBuilder$BaseRedirectBindingBuilder.class */
    public static class BaseRedirectBindingBuilder {
        protected Document document;
        protected BaseSAML2BindingBuilder builder;

        public BaseRedirectBindingBuilder(BaseSAML2BindingBuilder baseSAML2BindingBuilder, Document document) throws ProcessingException {
            this.builder = baseSAML2BindingBuilder;
            this.document = document;
            if (baseSAML2BindingBuilder.encrypt) {
                baseSAML2BindingBuilder.encryptDocument(document);
            }
            if (baseSAML2BindingBuilder.signAssertions) {
                baseSAML2BindingBuilder.signAssertion(document);
            }
        }

        public Document getDocument() {
            return this.document;
        }

        public URI generateURI(String str, boolean z) throws ConfigurationException, ProcessingException, IOException {
            return this.builder.generateRedirectUri(z ? "SAMLRequest" : "SAMLResponse", str, this.document);
        }

        public URI requestURI(String str) throws ConfigurationException, ProcessingException, IOException {
            return this.builder.generateRedirectUri("SAMLRequest", str, this.document);
        }

        public URI responseURI(String str) throws ConfigurationException, ProcessingException, IOException {
            return this.builder.generateRedirectUri("SAMLResponse", str, this.document);
        }
    }

    public T canonicalizationMethod(String str) {
        this.canonicalizationMethodType = str;
        return this;
    }

    public T signDocument() {
        this.sign = true;
        return this;
    }

    public T signAssertions() {
        this.signAssertions = true;
        return this;
    }

    public T signWith(String str, KeyPair keyPair) {
        this.signingKeyName = str;
        this.signingKeyPair = keyPair;
        return this;
    }

    public T signWith(String str, PrivateKey privateKey, PublicKey publicKey) {
        this.signingKeyName = str;
        this.signingKeyPair = new KeyPair(publicKey, privateKey);
        return this;
    }

    public T signWith(String str, KeyPair keyPair, X509Certificate x509Certificate) {
        this.signingKeyName = str;
        this.signingKeyPair = keyPair;
        this.signingCertificate = x509Certificate;
        return this;
    }

    public T signWith(String str, PrivateKey privateKey, PublicKey publicKey, X509Certificate x509Certificate) {
        this.signingKeyName = str;
        this.signingKeyPair = new KeyPair(publicKey, privateKey);
        this.signingCertificate = x509Certificate;
        return this;
    }

    public T signatureAlgorithm(SignatureAlgorithm signatureAlgorithm) {
        this.signatureAlgorithm = signatureAlgorithm;
        return this;
    }

    public T encrypt(PublicKey publicKey) {
        this.encrypt = true;
        this.encryptionPublicKey = publicKey;
        return this;
    }

    public T encryptionAlgorithm(String str) {
        this.encryptionAlgorithm = str;
        return this;
    }

    public T encryptionKeySize(int i) {
        this.encryptionKeySize = i;
        return this;
    }

    public T relayState(String str) {
        this.relayState = str;
        return this;
    }

    public BaseRedirectBindingBuilder redirectBinding(Document document) throws ProcessingException {
        return new BaseRedirectBindingBuilder(this, document);
    }

    public BaseSAML2BindingBuilder<T>.BasePostBindingBuilder postBinding(Document document) throws ProcessingException {
        return new BasePostBindingBuilder(this, document);
    }

    public String getSAMLNSPrefix(Document document) {
        Node item = document.getDocumentElement().getElementsByTagNameNS(JBossSAMLURIConstants.ASSERTION_NSURI.get(), JBossSAMLConstants.ASSERTION.get()).item(0);
        if (item == null) {
            throw new IllegalStateException("Unable to find assertion in saml response document");
        }
        return item.getPrefix();
    }

    public void encryptDocument(Document document) throws ProcessingException {
        String sAMLNSPrefix = getSAMLNSPrefix(document);
        try {
            QName qName = new QName(JBossSAMLURIConstants.ASSERTION_NSURI.get(), JBossSAMLConstants.ENCRYPTED_ASSERTION.get(), sAMLNSPrefix);
            XMLEncryptionUtil.encryptElement(new QName(JBossSAMLURIConstants.ASSERTION_NSURI.get(), JBossSAMLConstants.ASSERTION.get(), sAMLNSPrefix), document, this.encryptionPublicKey, new SecretKeySpec(RandomSecret.createRandomSecret(this.encryptionKeySize / 8), this.encryptionAlgorithm), this.encryptionKeySize, qName, true);
        } catch (Exception e) {
            throw new ProcessingException("failed to encrypt", e);
        }
    }

    public void signDocument(Document document) throws ProcessingException {
        String xmlSignatureMethod = this.signatureAlgorithm.getXmlSignatureMethod();
        String xmlSignatureDigestMethod = this.signatureAlgorithm.getXmlSignatureDigestMethod();
        SAML2Signature sAML2Signature = new SAML2Signature();
        if (xmlSignatureMethod != null) {
            sAML2Signature.setSignatureMethod(xmlSignatureMethod);
        }
        if (xmlSignatureDigestMethod != null) {
            sAML2Signature.setDigestMethod(xmlSignatureDigestMethod);
        }
        sAML2Signature.setNextSibling(sAML2Signature.getNextSiblingOfIssuer(document));
        if (this.signingCertificate != null) {
            sAML2Signature.setX509Certificate(this.signingCertificate);
        }
        sAML2Signature.signSAMLDocument(document, this.signingKeyName, this.signingKeyPair, this.canonicalizationMethodType);
    }

    public void signAssertion(Document document) throws ProcessingException {
        Element childElement = org.keycloak.saml.common.util.DocumentUtil.getChildElement(document.getDocumentElement(), new QName(JBossSAMLURIConstants.ASSERTION_NSURI.get(), JBossSAMLConstants.ASSERTION.get()));
        if (childElement == null) {
            return;
        }
        Node cloneNode = childElement.cloneNode(true);
        try {
            Document createDocument = org.keycloak.saml.common.util.DocumentUtil.createDocument();
            createDocument.adoptNode(cloneNode);
            createDocument.appendChild(cloneNode);
            signDocument(createDocument);
            document.adoptNode(cloneNode);
            ((Element) childElement.getParentNode()).replaceChild(cloneNode, childElement);
        } catch (ConfigurationException e) {
            throw new ProcessingException(e);
        }
    }

    public String buildHtmlPostResponse(Document document, String str, boolean z) throws ProcessingException, ConfigurationException, IOException {
        return buildHtml(getSAMLResponse(document), str, z);
    }

    public static String getSAMLResponse(Document document) throws ProcessingException, ConfigurationException, IOException {
        return PostBindingUtil.base64Encode(new String(org.keycloak.saml.common.util.DocumentUtil.getDocumentAsString(document).getBytes(GeneralConstants.SAML_CHARSET), GeneralConstants.SAML_CHARSET));
    }

    public String buildHtml(String str, String str2, boolean z) {
        String str3 = z ? "SAMLRequest" : "SAMLResponse";
        HashMap hashMap = new HashMap();
        hashMap.put(str3, str);
        if (StringUtil.isNotNull(this.relayState)) {
            hashMap.put("RelayState", this.relayState);
        }
        return buildHtmlForm(str2, hashMap);
    }

    public String buildHtmlForm(String str, Map<String, String> map) {
        StringBuilder sb = new StringBuilder();
        sb.append("<HTML>").append("<HEAD>").append("<TITLE>Authentication Redirect</TITLE>").append("</HEAD>").append("<BODY Onload=\"document.forms[0].submit()\">").append("<FORM METHOD=\"POST\" ACTION=\"").append(str).append("\">");
        sb.append("<p>Redirecting, please wait.</p>");
        for (String str2 : map.keySet()) {
            sb.append("<INPUT TYPE=\"HIDDEN\" NAME=\"").append(str2).append("\"").append(" VALUE=\"").append(HtmlUtils.escapeAttribute(map.get(str2))).append("\"/>");
        }
        sb.append("<NOSCRIPT>").append("<P>JavaScript is disabled. We strongly recommend to enable it. Click the button below to continue.</P>").append("<INPUT TYPE=\"SUBMIT\" VALUE=\"CONTINUE\" />").append("</NOSCRIPT>").append("</FORM></BODY></HTML>");
        return sb.toString();
    }

    public String base64Encoded(Document document) throws ConfigurationException, ProcessingException, IOException {
        String documentAsString = DocumentUtil.getDocumentAsString(document);
        logger.debugv("saml document: {0}", documentAsString);
        return RedirectBindingUtil.deflateBase64Encode(documentAsString.getBytes(GeneralConstants.SAML_CHARSET));
    }

    public URI generateRedirectUri(String str, String str2, Document document) throws ConfigurationException, ProcessingException, IOException {
        KeycloakUriBuilder fromUri = KeycloakUriBuilder.fromUri(str2);
        int length = fromUri.getQuery() == null ? 0 : fromUri.getQuery().length();
        fromUri.queryParam(str, new Object[]{base64Encoded(document)});
        if (this.relayState != null) {
            fromUri.queryParam("RelayState", new Object[]{this.relayState});
        }
        if (this.sign) {
            fromUri.queryParam("SigAlg", new Object[]{this.signatureAlgorithm.getXmlSignatureMethod()});
            String rawQuery = fromUri.build(new Object[0]).getRawQuery();
            if (length > 0) {
                rawQuery = rawQuery.substring(length + 1);
            }
            Signature createSignature = this.signatureAlgorithm.createSignature();
            byte[] bArr = new byte[0];
            try {
                createSignature.initSign(this.signingKeyPair.getPrivate());
                createSignature.update(rawQuery.getBytes(GeneralConstants.SAML_CHARSET));
                fromUri.queryParam("Signature", new Object[]{RedirectBindingUtil.base64Encode(createSignature.sign())});
            } catch (InvalidKeyException | SignatureException e) {
                throw new ProcessingException(e);
            }
        }
        return fromUri.build(new Object[0]);
    }
}
