package com.linecorp.centraldogma.server.auth.saml;

import com.linecorp.armeria.common.AggregatedHttpRequest;
import com.linecorp.armeria.common.HttpRequest;
import com.linecorp.armeria.common.HttpResponse;
import com.linecorp.armeria.common.HttpStatus;
import com.linecorp.armeria.common.MediaType;
import com.linecorp.armeria.server.ServiceRequestContext;
import com.linecorp.armeria.server.saml.InvalidSamlRequestException;
import com.linecorp.armeria.server.saml.SamlBindingProtocol;
import com.linecorp.armeria.server.saml.SamlIdentityProviderConfig;
import com.linecorp.armeria.server.saml.SamlSingleSignOnHandler;
import com.linecorp.centraldogma.internal.shaded.guava.base.Preconditions;
import com.linecorp.centraldogma.internal.shaded.guava.base.Strings;
import com.linecorp.centraldogma.server.auth.Session;
import com.linecorp.centraldogma.server.internal.api.HttpApiUtil;
import io.netty.handler.codec.http.QueryStringDecoder;
import java.time.Duration;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.function.Function;
import java.util.function.Supplier;
import javax.annotation.Nullable;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.schema.XSString;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.common.messaging.context.SAMLBindingContext;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Response;

/* loaded from: input_file:com/linecorp/centraldogma/server/auth/saml/SamlAuthSsoHandler.class */
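/**
 * Single-sign-on callback handler for the SAML login flow.
 *
 * <p>On the way out ({@link #beforeInitiatingSso}) it stashes the in-app location the user was
 * trying to reach (the {@code ref} query parameter) as the SAML RelayState. On the way back
 * ({@link #loginSucceeded}) it derives a login name from the IdP's {@code Response}, creates and
 * propagates a {@link Session}, and answers with a small HTML page whose onload script stores the
 * session ID in {@code localStorage} and navigates to {@code /#<relayState>}.
 *
 * <p>NOTE(review): this class performs no signature, audience or validity-window checks on the
 * {@code Response}; it assumes the enclosing Armeria SAML service provider has already validated
 * the message before invoking {@link #loginSucceeded}. RelayState is <em>not</em> covered by the
 * SAML signature and originates from a user-supplied query parameter, so it is treated as
 * attacker-controlled when echoed into the response page.
 */
final class SamlAuthSsoHandler implements SamlSingleSignOnHandler {

    /**
     * Upper bound applied to RelayState when the IdP uses the HTTP-Redirect binding. The SAML
     * bindings specification caps RelayState at 80 bytes on that binding; like the original code
     * this is approximated with a character count.
     */
    private static final int MAX_REDIRECT_RELAY_STATE_LENGTH = 80;

    private final Supplier<String> sessionIdGenerator;
    private final Function<Session, CompletableFuture<Void>> loginSessionPropagator;
    private final Duration sessionValidDuration;
    private final Function<String, String> loginNameNormalizer;

    /** NameID format whose value is used as the login name, or {@code null} to skip subjects. */
    @Nullable
    private final String subjectLoginNameIdFormat;

    /** Attribute name whose first value is used as the login name, or {@code null} to skip attributes. */
    @Nullable
    private final String attributeLoginName;

    /**
     * Creates a new handler.
     *
     * @param sessionIdGenerator supplies a fresh session ID per successful login
     * @param loginSessionPropagator persists/replicates the new {@link Session}; the response is
     *                               sent only after the returned future completes
     * @param sessionValidDuration lifetime of each created {@link Session}
     * @param loginNameNormalizer applied to the raw login name taken from the SAML response
     * @param subjectLoginNameIdFormat NameID format to look for in assertion subjects (may be {@code null})
     * @param attributeLoginName attribute name to look for in attribute statements (may be {@code null})
     * @throws IllegalArgumentException if both {@code subjectLoginNameIdFormat} and
     *                                  {@code attributeLoginName} are null or empty
     */
    public SamlAuthSsoHandler(Supplier<String> sessionIdGenerator,
                              Function<Session, CompletableFuture<Void>> loginSessionPropagator,
                              Duration sessionValidDuration,
                              Function<String, String> loginNameNormalizer,
                              @Nullable String subjectLoginNameIdFormat,
                              @Nullable String attributeLoginName) {
        this.sessionIdGenerator = Objects.requireNonNull(sessionIdGenerator, "sessionIdGenerator");
        this.loginSessionPropagator = Objects.requireNonNull(loginSessionPropagator, "loginSessionPropagator");
        this.sessionValidDuration = Objects.requireNonNull(sessionValidDuration, "sessionValidDuration");
        this.loginNameNormalizer = Objects.requireNonNull(loginNameNormalizer, "loginNameNormalizer");
        // At least one lookup strategy is required, otherwise every login would fail.
        Preconditions.checkArgument(
                !(Strings.isNullOrEmpty(subjectLoginNameIdFormat) && Strings.isNullOrEmpty(attributeLoginName)),
                "a name ID format of a subject or an attribute name should be specified for finding a login name");
        this.subjectLoginNameIdFormat = subjectLoginNameIdFormat;
        this.attributeLoginName = attributeLoginName;
    }

    /**
     * Copies the {@code ref} query parameter of the login request into the SAML RelayState so the
     * user can be returned to that in-app location after the IdP round trip.
     *
     * @return an already-completed future; this hook never fails
     */
    public CompletionStage<Void> beforeInitiatingSso(ServiceRequestContext ctx, HttpRequest req,
                                                     MessageContext<AuthnRequest> message,
                                                     SamlIdentityProviderConfig idpConfig) {
        final List<String> refs = new QueryStringDecoder(req.path(), true).parameters().get("ref");
        if (refs == null || refs.isEmpty()) {
            return CompletableFuture.completedFuture(null);
        }
        final String ref = refs.get(0);
        // With HTTP-Redirect the RelayState travels in the query string, where the binding spec
        // limits it to 80 bytes; an over-long value is dropped rather than risk IdP rejection.
        if (idpConfig.ssoEndpoint().bindingProtocol() == SamlBindingProtocol.HTTP_REDIRECT &&
            ref.length() > MAX_REDIRECT_RELAY_STATE_LENGTH) {
            return CompletableFuture.completedFuture(null);
        }
        // autoCreate=true, so the sub-context is never null.
        final SAMLBindingContext bindingContext = message.getSubcontext(SAMLBindingContext.class, true);
        assert bindingContext != null : SAMLBindingContext.class.getName();
        bindingContext.setRelayState(ref);
        return CompletableFuture.completedFuture(null);
    }

    /**
     * Completes the login: resolves the login name, creates and propagates a {@link Session}, and
     * returns an HTML page that stores the session ID in {@code localStorage} and navigates to
     * {@code /#<relayState>} (or {@code /} when there is no RelayState).
     *
     * @param sessionIndex the IdP session index; unused here
     * @param relayState the RelayState echoed by the IdP; untrusted, see class Javadoc
     * @return the response, or a {@link #loginFailed} response when no login name can be found
     */
    public HttpResponse loginSucceeded(ServiceRequestContext ctx, AggregatedHttpRequest req,
                                       MessageContext<Response> message,
                                       @Nullable String sessionIndex, @Nullable String relayState) {
        final Response response = Objects.requireNonNull(message, "message").getMessage();
        // Subject NameID is preferred; attributes are only consulted when it yields nothing.
        final String loginName = Optional.ofNullable(findLoginNameFromSubjects(response))
                                         .orElseGet(() -> findLoginNameFromAttributes(response));
        if (Strings.isNullOrEmpty(loginName)) {
            return loginFailed(ctx, req, message,
                               new IllegalStateException("Cannot get a username from the response"));
        }
        final String sessionId = sessionIdGenerator.get();
        final Session session = new Session(sessionId, loginNameNormalizer.apply(loginName), sessionValidDuration);

        // RelayState is attacker-influenced (it is the unsigned echo of the 'ref' query parameter),
        // so it must not be concatenated into the inline script verbatim: a single quote or
        // '</script>' would otherwise break out of the JS string literal (reflected XSS). It is
        // escaped for a JS string literal and only ever used as a fragment of the local root URL,
        // so the navigation cannot leave this origin.
        final String redirectScript = Strings.isNullOrEmpty(relayState)
                                      ? "window.location.href='/'"
                                      : "window.location.href='/#" + escapeForJsString(relayState) + '\'';
        // The session ID is generated locally, but escaping it too costs nothing and keeps the
        // page safe should the generator ever produce a quote or backslash.
        final String storeSessionScript =
                "localStorage.setItem('sessionId','" + escapeForJsString(sessionId) + "')";

        return HttpResponse.from(loginSessionPropagator.apply(session).thenApply(unused ->
                HttpResponse.of(HttpStatus.OK, MediaType.HTML_UTF_8,
                                HtmlUtil.getHtmlWithOnload(storeSessionScript, redirectScript))));
    }

    /**
     * Escapes {@code s} for embedding inside a single- or double-quoted JavaScript string literal
     * that is itself placed in HTML. Every character outside a conservative safe set is emitted as
     * a {@code \\uXXXX} escape, so quotes, backslashes, {@code <}, {@code >}, {@code &} and the JS
     * line terminators U+2028/U+2029 can neither terminate the literal nor the surrounding markup.
     * The value seen by JavaScript after decoding is identical to {@code s}.
     */
    private static String escapeForJsString(String s) {
        final StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            final char c = s.charAt(i);
            final boolean safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') ||
                                 c == '/' || c == '-' || c == '_' || c == '.' || c == '~' ||
                                 c == '=' || c == '?' || c == ':';
            if (safe) {
                sb.append(c);
                continue;
            }
            final String hex = Integer.toHexString(c);
            sb.append("\\u");
            for (int pad = hex.length(); pad < 4; pad++) {
                sb.append('0');
            }
            sb.append(hex);
        }
        return sb.toString();
    }

    /**
     * Returns the value of the first assertion subject NameID whose format equals
     * {@link #subjectLoginNameIdFormat}, or {@code null} if that lookup is disabled or nothing
     * matches. Assertions without a Subject/NameID, NameIDs without a Format, and NameIDs without
     * a value are skipped rather than raising a {@link NullPointerException}.
     */
    @Nullable
    private String findLoginNameFromSubjects(Response response) {
        if (Strings.isNullOrEmpty(subjectLoginNameIdFormat)) {
            return null;
        }
        return response.getAssertions().stream()
                       .map(assertion -> assertion.getSubject())
                       .filter(Objects::nonNull)
                       .map(subject -> subject.getNameID())
                       .filter(nameId -> nameId != null && subjectLoginNameIdFormat.equals(nameId.getFormat()))
                       .map(nameId -> nameId.getValue())
                       .filter(Objects::nonNull)
                       .findFirst()
                       .orElse(null);
    }

    /**
     * Returns the first value of the first attribute named {@link #attributeLoginName} across all
     * attribute statements, or {@code null} if that lookup is disabled, no such attribute exists,
     * the attribute has no values, or its first value is not an {@link XSString}.
     */
    @Nullable
    private String findLoginNameFromAttributes(Response response) {
        if (Strings.isNullOrEmpty(attributeLoginName)) {
            return null;
        }
        return response.getAssertions().stream()
                       .flatMap(assertion -> assertion.getAttributeStatements().stream())
                       .flatMap(statement -> statement.getAttributes().stream())
                       .filter(attribute -> attributeLoginName.equals(attribute.getName()))
                       .findFirst()
                       .map(attribute -> firstStringValue(attribute.getAttributeValues()))
                       .orElse(null);
    }

    /**
     * Returns the first element of {@code values} as a string if it is an {@link XSString};
     * {@code null} for an empty list or a non-string first value. Guards the
     * {@code get(0)} the original code performed unconditionally.
     */
    @Nullable
    private static String firstStringValue(@Nullable List<XMLObject> values) {
        if (values == null || values.isEmpty()) {
            return null;
        }
        final XMLObject first = values.get(0);
        return first instanceof XSString ? ((XSString) first).getValue() : null;
    }

    /**
     * Maps a failed login to an error response: an {@link InvalidSamlRequestException} is the
     * client's fault (400); anything else is reported as a server error (500).
     *
     * <p>NOTE(review): the {@link Throwable} itself is handed to {@code HttpApiUtil.newResponse};
     * if that helper renders the exception message to the client, internal details may be
     * disclosed to an unauthenticated caller — confirm what it emits.
     */
    public HttpResponse loginFailed(ServiceRequestContext ctx, AggregatedHttpRequest req,
                                    @Nullable MessageContext<Response> message, Throwable cause) {
        final HttpStatus status = cause instanceof InvalidSamlRequestException
                                  ? HttpStatus.BAD_REQUEST
                                  : HttpStatus.INTERNAL_SERVER_ERROR;
        return HttpApiUtil.newResponse(ctx, status, cause);
    }
}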
