package org.opensaml.saml.saml2.binding.decoding.impl;

import io.asgardeo.java.saml.sdk.util.SSOAgentConstants;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.servlet.http.HttpServletRequest;
import javax.xml.namespace.QName;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.codec.Base64Support;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import net.shibboleth.utilities.java.support.security.IdentifierGenerationStrategy;
import net.shibboleth.utilities.java.support.security.SecureRandomIdentifierGenerationStrategy;
import org.joda.time.Chronology;
import org.joda.time.DateTime;
import org.joda.time.chrono.ISOChronology;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.messaging.context.InOutOperationContext;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.decoder.MessageDecodingException;
import org.opensaml.messaging.decoder.servlet.BaseHttpServletRequestXMLMessageDecoder;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.binding.BindingDescriptor;
import org.opensaml.saml.common.binding.EndpointResolver;
import org.opensaml.saml.common.binding.SAMLBindingSupport;
import org.opensaml.saml.common.binding.artifact.SAMLSourceLocationArtifact;
import org.opensaml.saml.common.binding.decoding.SAMLMessageDecoder;
import org.opensaml.saml.common.binding.impl.DefaultEndpointResolver;
import org.opensaml.saml.common.messaging.context.SAMLBindingContext;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.config.SAMLConfigurationSupport;
import org.opensaml.saml.criterion.ArtifactCriterion;
import org.opensaml.saml.criterion.EndpointCriterion;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.criterion.ProtocolCriterion;
import org.opensaml.saml.criterion.RoleDescriptorCriterion;
import org.opensaml.saml.metadata.resolver.RoleDescriptorResolver;
import org.opensaml.saml.saml2.binding.artifact.SAML2Artifact;
import org.opensaml.saml.saml2.binding.artifact.SAML2ArtifactBuilderFactory;
import org.opensaml.saml.saml2.core.Artifact;
import org.opensaml.saml.saml2.core.ArtifactResolve;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.ecp.RelayState;
import org.opensaml.saml.saml2.metadata.ArtifactResolutionService;
import org.opensaml.saml.saml2.metadata.RoleDescriptor;
import org.opensaml.security.SecurityException;
import org.opensaml.soap.client.SOAPClient;
import org.opensaml.soap.common.SOAPException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/opensaml-saml-impl-3.3.1.jar:org/opensaml/saml/saml2/binding/decoding/impl/HTTPArtifactDecoder.class */
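/**
 * Message decoder for the SAML 2.0 HTTP Artifact binding.
 *
 * <p>Decoding reads the relay state and the artifact from the servlet request, resolves the
 * peer's role descriptor and its artifact resolution endpoint, sends an {@code ArtifactResolve}
 * through the configured {@link SOAPClient}, and stores the message returned on the back channel
 * in a new {@link MessageContext}.</p>
 *
 * <p>Security-relevant behaviour visible in this class:</p>
 * <ul>
 *   <li>Both request parameters are caller-controlled. The relay state is stored unvalidated;
 *       anything that later uses it (for example as a redirect target) has to validate it.</li>
 *   <li>The binding context is marked as having no binding signature and as not requiring an
 *       intended destination endpoint URI (see {@link #populateBindingContext}).</li>
 *   <li>This class does not verify signatures, status, issuer or {@code InResponseTo} on the
 *       message obtained from the back channel. NOTE(review): confirm that downstream message
 *       handlers and the configured SOAP client pipeline enforce those checks.</li>
 * </ul>
 */
public class HTTPArtifactDecoder extends BaseHttpServletRequestXMLMessageDecoder<SAMLObject> implements SAMLMessageDecoder {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(HTTPArtifactDecoder.class);

    /** Optional binding descriptor copied into the binding context after decoding. */
    @Nullable
    private BindingDescriptor bindingDescriptor;

    /** Factory used to parse the encoded artifact; defaulted from global configuration on init. */
    @NonnullAfterInit
    private SAML2ArtifactBuilderFactory artifactBuilderFactory;

    /** Resolver for the peer's artifact resolution endpoint; defaulted on init. */
    @NonnullAfterInit
    private EndpointResolver<ArtifactResolutionService> artifactEndpointResolver;

    /** Resolver for the peer's role descriptor; required. */
    @NonnullAfterInit
    private RoleDescriptorResolver roleDescriptorResolver;

    /** Role the artifact-issuing peer is expected to have; required. */
    @NonnullAfterInit
    private QName peerEntityRole;

    /** Client used for the back-channel ArtifactResolve exchange; required. */
    private SOAPClient soapClient;

    /** Strategy for generating the ArtifactResolve ID; defaulted on init. */
    private IdentifierGenerationStrategy idStrategy;

    /**
     * Validates required collaborators and installs defaults for the optional ones.
     *
     * <p>Decompiler note: the access modifier of this method was changed from protected.</p>
     *
     * @throws ComponentInitializationException if the role descriptor resolver, peer entity role
     *         or SOAP client is unset, or if no artifact builder factory can be obtained
     */
    @Override // org.opensaml.messaging.decoder.servlet.BaseHttpServletRequestXMLMessageDecoder, org.opensaml.messaging.decoder.servlet.AbstractHttpServletRequestMessageDecoder, net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
    public void doInitialize() throws ComponentInitializationException {
        super.doInitialize();

        // Required collaborators: fail fast rather than hitting a null during decode.
        if (roleDescriptorResolver == null) {
            throw new ComponentInitializationException("RoleDescriptorResolver cannot be null");
        }
        if (peerEntityRole == null) {
            throw new ComponentInitializationException("Peer entity role cannot be null");
        }
        if (soapClient == null) {
            throw new ComponentInitializationException("SOAPClient cannot be null");
        }

        // Optional collaborators: fall back to defaults.
        if (idStrategy == null) {
            idStrategy = new SecureRandomIdentifierGenerationStrategy();
        }
        if (artifactBuilderFactory == null) {
            artifactBuilderFactory = SAMLConfigurationSupport.getSAML2ArtifactBuilderFactory();
            if (artifactBuilderFactory == null) {
                throw new ComponentInitializationException("Could not obtain a required instance of SAML2ArtifactBuilderFactory");
            }
        }
        if (artifactEndpointResolver == null) {
            artifactEndpointResolver = new DefaultEndpointResolver<>();
        }
    }

    /**
     * Releases every collaborator reference held by this decoder.
     *
     * <p>Decompiler note: the access modifier of this method was changed from protected.</p>
     */
    @Override // org.opensaml.messaging.decoder.servlet.BaseHttpServletRequestXMLMessageDecoder, org.opensaml.messaging.decoder.servlet.AbstractHttpServletRequestMessageDecoder, org.opensaml.messaging.decoder.AbstractMessageDecoder, net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
    public void doDestroy() {
        super.doDestroy();
        bindingDescriptor = null;
        artifactBuilderFactory = null;
        artifactEndpointResolver = null;
        roleDescriptorResolver = null;
        peerEntityRole = null;
        soapClient = null;
        idStrategy = null;
    }

    /**
     * Returns the strategy used to generate the ArtifactResolve ID.
     *
     * @return the identifier generation strategy
     */
    @NonnullAfterInit
    public IdentifierGenerationStrategy getIdentifierGenerationStrategy() {
        return idStrategy;
    }

    /**
     * Sets the strategy used to generate the ArtifactResolve ID. Guarded by the
     * {@link ComponentSupport} initialized/destroyed checks.
     *
     * @param identifierGenerationStrategy the strategy, or null to get the default on init
     */
    public void setIdentifierGenerationStrategy(@Nullable IdentifierGenerationStrategy identifierGenerationStrategy) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        idStrategy = identifierGenerationStrategy;
    }

    /**
     * Returns the role used when resolving the peer's role descriptor.
     *
     * @return the peer entity role
     */
    @NonnullAfterInit
    public QName getPeerEntityRole() {
        return peerEntityRole;
    }

    /**
     * Sets the role used when resolving the peer's role descriptor. Guarded by the
     * {@link ComponentSupport} initialized/destroyed checks.
     *
     * @param qName the peer entity role
     */
    public void setPeerEntityRole(@Nonnull QName qName) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        peerEntityRole = qName;
    }

    /**
     * Returns the resolver for the peer's artifact resolution endpoint.
     *
     * @return the endpoint resolver
     */
    @NonnullAfterInit
    public EndpointResolver<ArtifactResolutionService> getArtifactEndpointResolver() {
        return artifactEndpointResolver;
    }

    /**
     * Sets the resolver for the peer's artifact resolution endpoint. Guarded by the
     * {@link ComponentSupport} initialized/destroyed checks.
     *
     * @param endpointResolver the resolver, or null to get the default on init
     */
    public void setArtifactEndpointResolver(@Nullable EndpointResolver<ArtifactResolutionService> endpointResolver) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        artifactEndpointResolver = endpointResolver;
    }

    /**
     * Returns the resolver for the peer's role descriptor.
     *
     * @return the role descriptor resolver
     */
    @NonnullAfterInit
    public RoleDescriptorResolver getRoleDescriptorResolver() {
        return roleDescriptorResolver;
    }

    /**
     * Sets the resolver for the peer's role descriptor. Guarded by the
     * {@link ComponentSupport} initialized/destroyed checks; initialization fails if it is
     * still null.
     *
     * @param roleDescriptorResolver the resolver
     */
    public void setRoleDescriptorResolver(@Nullable RoleDescriptorResolver roleDescriptorResolver) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        this.roleDescriptorResolver = roleDescriptorResolver;
    }

    /**
     * Returns the factory used to parse encoded artifacts.
     *
     * @return the artifact builder factory
     */
    @NonnullAfterInit
    public SAML2ArtifactBuilderFactory getArtifactBuilderFactory() {
        return artifactBuilderFactory;
    }

    /**
     * Sets the factory used to parse encoded artifacts. Guarded by the
     * {@link ComponentSupport} initialized/destroyed checks.
     *
     * @param sAML2ArtifactBuilderFactory the factory, or null to use the globally configured one
     */
    public void setArtifactBuilderFactory(@Nullable SAML2ArtifactBuilderFactory sAML2ArtifactBuilderFactory) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        artifactBuilderFactory = sAML2ArtifactBuilderFactory;
    }

    /**
     * Returns the client used for the back-channel ArtifactResolve exchange.
     *
     * @return the SOAP client
     */
    @NonnullAfterInit
    public SOAPClient getSOAPClient() {
        return soapClient;
    }

    /**
     * Sets the client used for the back-channel ArtifactResolve exchange. Guarded by the
     * {@link ComponentSupport} initialized/destroyed checks.
     *
     * <p>NOTE(review): this class adds no transport protection of its own, so TLS and peer
     * authentication on the back channel depend on how this client is configured - confirm.</p>
     *
     * @param sOAPClient the SOAP client
     */
    public void setSOAPClient(@Nonnull SOAPClient sOAPClient) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        soapClient = sOAPClient;
    }

    /**
     * Returns the URI of the binding this decoder implements.
     *
     * @return the SAML 2 artifact binding URI constant
     */
    @Override // org.opensaml.saml.common.binding.decoding.SAMLMessageDecoder
    @NotEmpty
    @Nonnull
    public String getBindingURI() {
        return SAMLConstants.SAML2_ARTIFACT_BINDING_URI;
    }

    /**
     * Returns the optional binding descriptor.
     *
     * @return the binding descriptor, possibly null
     */
    @Nullable
    public BindingDescriptor getBindingDescriptor() {
        return bindingDescriptor;
    }

    /**
     * Sets the optional binding descriptor. Guarded by the {@link ComponentSupport}
     * initialized/destroyed checks.
     *
     * @param bindingDescriptor the binding descriptor, possibly null
     */
    public void setBindingDescriptor(@Nullable BindingDescriptor bindingDescriptor) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        this.bindingDescriptor = bindingDescriptor;
    }

    /**
     * Decodes the current servlet request into a new message context and publishes it.
     *
     * @throws MessageDecodingException if the artifact is missing or cannot be resolved
     */
    @Override // org.opensaml.messaging.decoder.AbstractMessageDecoder
    protected void doDecode() throws MessageDecodingException {
        MessageContext<SAMLObject> messageContext = new MessageContext<>();
        HttpServletRequest request = getHttpServletRequest();

        // The relay state is request-supplied and is stored and logged as received; it is
        // not validated here, so consumers must treat it as untrusted.
        String relayState = StringSupport.trim(request.getParameter(RelayState.DEFAULT_ELEMENT_LOCAL_NAME));
        log.debug("Decoded SAML relay state of: {}", relayState);
        SAMLBindingSupport.setRelayState(messageContext, relayState);

        processArtifact(messageContext, request);
        populateBindingContext(messageContext);
        setMessageContext(messageContext);
    }

    /**
     * Reads the artifact request parameter, dereferences it over the back channel and stores
     * the resulting message in the supplied context.
     *
     * @param messageContext context that receives the dereferenced message
     * @param httpServletRequest request carrying the artifact parameter
     * @throws MessageDecodingException if the parameter is missing or empty, the peer role
     *         descriptor cannot be resolved, or any other failure occurs while resolving
     */
    private void processArtifact(MessageContext<SAMLObject> messageContext, HttpServletRequest httpServletRequest) throws MessageDecodingException {
        // NOTE(review): the parameter name is taken from a constant in an unrelated SDK package,
        // which looks like a decompiler constant substitution; the messages below imply its
        // value is "SAMLart" - confirm.
        String encodedArtifact = StringSupport.trimOrNull(httpServletRequest.getParameter(SSOAgentConstants.SAML2SSO.SAML2_ARTIFACT_RESP));
        if (encodedArtifact == null) {
            log.error("URL SAMLart parameter was missing or did not contain a value.");
            throw new MessageDecodingException("URL SAMLart parameter was missing or did not contain a value.");
        }

        try {
            SAML2Artifact artifact = parseArtifact(encodedArtifact);
            RoleDescriptor peerRoleDescriptor = resolvePeerRoleDescriptor(artifact);
            if (peerRoleDescriptor == null) {
                throw new MessageDecodingException("Failed to resolve peer RoleDescriptor based on inbound artifact");
            }
            ArtifactResolutionService endpoint = resolveArtifactEndpoint(artifact, peerRoleDescriptor);
            messageContext.setMessage(dereferenceArtifact(artifact, peerRoleDescriptor, endpoint));
        } catch (MessageDecodingException e) {
            // Already the contract exception type: propagate without re-wrapping.
            throw e;
        } catch (Exception e2) {
            // Boundary catch: runtime failures on attacker-supplied artifacts surface as a
            // decoding error with the cause preserved.
            throw new MessageDecodingException("Fatal error decoding or resolving inbound artifact", e2);
        }
    }

    /**
     * Sends an ArtifactResolve for the artifact to the given endpoint and returns the message
     * found in the inbound message context afterwards.
     *
     * <p>NOTE(review): the returned object is cast to {@link SAMLObject} without inspecting its
     * concrete type, status or signature - confirm those checks happen elsewhere.</p>
     *
     * @param sAML2Artifact the parsed artifact
     * @param roleDescriptor the peer's role descriptor
     * @param artifactResolutionService the endpoint to send the request to
     * @return the message received on the back channel
     * @throws MessageDecodingException if the SOAP exchange fails or produces no inbound
     *         message context
     */
    private SAMLObject dereferenceArtifact(SAML2Artifact sAML2Artifact, RoleDescriptor roleDescriptor, ArtifactResolutionService artifactResolutionService) throws MessageDecodingException {
        String endpointLocation = artifactResolutionService.getLocation();

        MessageContext outboundContext = new MessageContext();
        outboundContext.setMessage(buildArtifactResolveRequestMessage(sAML2Artifact, endpointLocation, roleDescriptor));
        InOutOperationContext operationContext = new InOutOperationContext(null, outboundContext);

        try {
            log.trace("Executing ArtifactResolve over SOAP 1.1 binding to endpoint: {}", endpointLocation);
            soapClient.send(endpointLocation, operationContext);
        } catch (SecurityException | SOAPException e) {
            throw new MessageDecodingException("Error dereferencing artifact", e);
        }

        // Report a missing response explicitly instead of failing with a NullPointerException.
        MessageContext inboundContext = operationContext.getInboundMessageContext();
        if (inboundContext == null) {
            throw new MessageDecodingException("Error dereferencing artifact: no inbound message context was produced");
        }
        return (SAMLObject) inboundContext.getMessage();
    }

    /**
     * Builds the ArtifactResolve request for the given artifact.
     *
     * @param sAML2Artifact the artifact whose bytes are base64-encoded into the request
     * @param str the destination URL set on the request
     * @param roleDescriptor the peer's role descriptor, passed through to {@link #buildIssuer}
     * @return the populated ArtifactResolve
     */
    private ArtifactResolve buildArtifactResolveRequestMessage(SAML2Artifact sAML2Artifact, String str, RoleDescriptor roleDescriptor) {
        Artifact artifactElement = (Artifact) XMLObjectSupport.buildXMLObject(Artifact.DEFAULT_ELEMENT_NAME);
        artifactElement.setArtifact(Base64Support.encode(sAML2Artifact.getArtifactBytes(), false));

        ArtifactResolve request = (ArtifactResolve) XMLObjectSupport.buildXMLObject(ArtifactResolve.DEFAULT_ELEMENT_NAME);
        request.setArtifact(artifactElement);
        request.setID(idStrategy.generateIdentifier(true));
        request.setDestination(str);
        request.setIssueInstant(new DateTime((Chronology) ISOChronology.getInstanceUTC()));
        request.setIssuer(buildIssuer(roleDescriptor));
        return request;
    }

    /**
     * Builds the Issuer element for the ArtifactResolve request.
     *
     * <p>NOTE(review): no value is set on the element and {@code roleDescriptor} is unused, so
     * the request carries an empty Issuer unless something later fills it in. Confirm where the
     * requester's entityID is populated; a peer may reject a request it cannot attribute.</p>
     *
     * @param roleDescriptor the peer's role descriptor (currently unused)
     * @return a new Issuer element with no value
     */
    private Issuer buildIssuer(RoleDescriptor roleDescriptor) {
        return (Issuer) XMLObjectSupport.buildXMLObject(Issuer.DEFAULT_ELEMENT_NAME);
    }

    /**
     * Resolves the peer's artifact resolution endpoint for the given artifact.
     *
     * <p>A template endpoint (SOAP 1.1 binding, the artifact's endpoint index, and the source
     * location when the artifact carries one) is used only as resolution criteria; the endpoint
     * that is returned is whatever the configured resolver yields for the role descriptor.</p>
     *
     * @param sAML2Artifact the parsed artifact
     * @param roleDescriptor the peer's role descriptor
     * @return the resolved endpoint, never null
     * @throws MessageDecodingException if resolution fails or yields no endpoint
     */
    private ArtifactResolutionService resolveArtifactEndpoint(SAML2Artifact sAML2Artifact, RoleDescriptor roleDescriptor) throws MessageDecodingException {
        ArtifactResolutionService template = (ArtifactResolutionService) XMLObjectSupport.buildXMLObject(ArtifactResolutionService.DEFAULT_ELEMENT_NAME);
        template.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI);
        if (sAML2Artifact instanceof SAMLSourceLocationArtifact) {
            // The source location is read from the request-supplied artifact.
            template.setLocation(((SAMLSourceLocationArtifact) sAML2Artifact).getSourceLocation());
        }
        template.setIndex(Integer.valueOf(SAMLBindingSupport.convertSAML2ArtifactEndpointIndex(sAML2Artifact.getEndpointIndex())));

        CriteriaSet criteria = new CriteriaSet(new RoleDescriptorCriterion(roleDescriptor), new EndpointCriterion<>(template, false));

        ArtifactResolutionService resolved;
        try {
            resolved = artifactEndpointResolver.resolveSingle(criteria);
        } catch (ResolverException e) {
            // Keep the cause so resolver failures stay diagnosable.
            throw new MessageDecodingException("Unable to resolve ArtifactResolutionService endpoint", e);
        }
        if (resolved == null) {
            throw new MessageDecodingException("Unable to resolve ArtifactResolutionService endpoint");
        }
        return resolved;
    }

    /**
     * Resolves the role descriptor of the peer that issued the artifact, using the artifact,
     * the SAML 2.0 protocol namespace and the configured peer entity role as criteria.
     *
     * @param sAML2Artifact the parsed artifact
     * @return the resolver's result; the caller treats null as a failure
     * @throws MessageDecodingException if the resolver reports an error
     */
    private RoleDescriptor resolvePeerRoleDescriptor(SAML2Artifact sAML2Artifact) throws MessageDecodingException {
        CriteriaSet criteria = new CriteriaSet(
                new ArtifactCriterion(sAML2Artifact),
                new ProtocolCriterion(SAMLConstants.SAML20P_NS),
                new EntityRoleCriterion(getPeerEntityRole()));
        try {
            return roleDescriptorResolver.resolveSingle(criteria);
        } catch (ResolverException e) {
            throw new MessageDecodingException("Error resolving peer entity RoleDescriptor", e);
        }
    }

    /**
     * Parses the encoded artifact string with the configured builder factory.
     *
     * @param str the encoded artifact taken from the request
     * @return the parsed artifact
     * @throws MessageDecodingException declared for callers; parsing failures raised as runtime
     *         exceptions are wrapped by {@link #processArtifact}
     */
    private SAML2Artifact parseArtifact(String str) throws MessageDecodingException {
        return artifactBuilderFactory.buildArtifact(str);
    }

    /**
     * Records binding information on the message context's {@link SAMLBindingContext},
     * creating that subcontext if needed.
     *
     * <p>The context is marked as having no binding-level signature and as not requiring an
     * intended destination endpoint URI, so message authenticity has to be established by
     * other means.</p>
     *
     * @param messageContext the context being populated
     */
    protected void populateBindingContext(MessageContext<SAMLObject> messageContext) {
        SAMLBindingContext bindingContext = messageContext.getSubcontext(SAMLBindingContext.class, true);
        bindingContext.setBindingUri(getBindingURI());
        bindingContext.setBindingDescriptor(bindingDescriptor);
        bindingContext.setHasBindingSignature(false);
        bindingContext.setIntendedDestinationEndpointURIRequired(false);
    }
}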
