package org.wso2.carbon.identity.sso.saml.builders.assertion;

import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.joda.time.DateTime;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.schema.XSString;
import org.opensaml.core.xml.schema.impl.XSStringBuilder;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml.saml2.core.AttributeValue;
import org.opensaml.saml.saml2.core.Audience;
import org.opensaml.saml.saml2.core.AudienceRestriction;
import org.opensaml.saml.saml2.core.AuthnContext;
import org.opensaml.saml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.opensaml.saml.saml2.core.Conditions;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.saml2.core.SubjectConfirmationData;
import org.opensaml.saml.saml2.core.impl.AssertionBuilder;
import org.opensaml.saml.saml2.core.impl.AttributeBuilder;
import org.opensaml.saml.saml2.core.impl.AttributeStatementBuilder;
import org.opensaml.saml.saml2.core.impl.AudienceBuilder;
import org.opensaml.saml.saml2.core.impl.AudienceRestrictionBuilder;
import org.opensaml.saml.saml2.core.impl.AuthnContextBuilder;
import org.opensaml.saml.saml2.core.impl.AuthnContextClassRefBuilder;
import org.opensaml.saml.saml2.core.impl.AuthnStatementBuilder;
import org.opensaml.saml.saml2.core.impl.ConditionsBuilder;
import org.opensaml.saml.saml2.core.impl.NameIDBuilder;
import org.opensaml.saml.saml2.core.impl.SubjectBuilder;
import org.opensaml.saml.saml2.core.impl.SubjectConfirmationBuilder;
import org.opensaml.saml.saml2.core.impl.SubjectConfirmationDataBuilder;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationContextProperty;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.sso.saml.SAMLSSOConstants;
import org.wso2.carbon.identity.sso.saml.builders.AuthenticatingAuthorityImpl;
import org.wso2.carbon.identity.sso.saml.builders.SignKeyDataHolder;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOAuthnReqDTO;
import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;

/* loaded from: input_file:org/wso2/carbon/identity/sso/saml/builders/assertion/DefaultSAMLAssertionBuilder.class */
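/**
 * Default {@link SAMLAssertionBuilder}: assembles a SAML 2.0 {@link Assertion} for an
 * authenticated request described by a {@link SAMLSSOAuthnReqDTO}.
 *
 * <p>The assertion is built in this order: basic info (ID, version, issuer, issue
 * instant), subject (NameID plus bearer subject confirmations), authentication
 * statements, attribute statement, conditions (audiences and validity window) and,
 * only when the service-provider configuration requests it, an enveloped signature.
 * Signing is the last step so that every element added before it is covered.
 */
public class DefaultSAMLAssertionBuilder implements SAMLAssertionBuilder {
    private static final Log log = LogFactory.getLog(DefaultSAMLAssertionBuilder.class);

    /** No initialisation is required by the default builder. */
    @Override
    public void init() throws IdentityException {
    }

    /**
     * Builds the complete assertion.
     *
     * @param sAMLSSOAuthnReqDTO the authenticated request (user, SP settings, requested audiences/recipients)
     * @param dateTime           the instant used as Conditions/@NotOnOrAfter and as the expiry
     *                           (NotOnOrAfter) of every bearer subject confirmation
     * @param str                the session index placed in the AuthnStatement when single logout is enabled
     * @return the populated (and, if configured, signed) assertion
     * @throws IdentityException if any step of the assembly fails; the cause is preserved
     */
    @Override
    public Assertion buildAssertion(SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO, DateTime dateTime, String str)
            throws IdentityException {
        try {
            // The issue instant doubles as Conditions/@NotBefore (see setConditions).
            DateTime issueInstant = new DateTime();
            Assertion assertion = new AssertionBuilder().buildObject();
            setBasicInfo(assertion, issueInstant);
            setSubject(sAMLSSOAuthnReqDTO, dateTime, assertion);
            addAuthStatement(sAMLSSOAuthnReqDTO, str, assertion);
            addAttributeStatements(sAMLSSOAuthnReqDTO, assertion);
            setConditions(sAMLSSOAuthnReqDTO, issueInstant, dateTime, assertion);
            // Applied last: all content the signature should cover has been added by now.
            setSignature(sAMLSSOAuthnReqDTO, assertion);
            return assertion;
        } catch (Exception e) {
            log.error("Error when reading claim values for generating SAML Response", e);
            throw IdentityException.error("Error when reading claim values for generating SAML Response", e);
        }
    }

    /**
     * Sets ID, SAML version, issuer and issue instant on the assertion.
     *
     * @param assertion the assertion being built
     * @param dateTime  the issue instant
     * @throws IdentityException if the issuer cannot be resolved
     */
    protected void setBasicInfo(Assertion assertion, DateTime dateTime) throws IdentityException {
        assertion.setID(SAMLSSOUtil.createID());
        assertion.setVersion(SAMLVersion.VERSION_20);
        assertion.setIssuer(SAMLSSOUtil.getIssuer());
        assertion.setIssueInstant(dateTime);
    }

    /**
     * Attaches the NameID of the authenticated subject to the subject element. The
     * format requested by the SP is used when present; otherwise the SAML 1.1
     * "unspecified" format is emitted.
     *
     * @param sAMLSSOAuthnReqDTO the request carrying the authenticated user and the requested NameID format
     * @param subject            the subject element to populate
     */
    protected void setNameId(SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO, Subject subject) {
        NameID nameId = new NameIDBuilder().buildObject();
        nameId.setValue(sAMLSSOAuthnReqDTO.getUser().getAuthenticatedSubjectIdentifier());
        String requestedFormat = sAMLSSOAuthnReqDTO.getNameIDFormat();
        nameId.setFormat(requestedFormat != null
                ? requestedFormat
                : "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
        subject.setNameID(nameId);
    }

    /**
     * Adds one bearer subject confirmation for the assertion consumer URL and one for
     * each additionally requested recipient, all expiring at {@code dateTime}.
     *
     * @param sAMLSSOAuthnReqDTO the request (ACS URL, requested recipients, request ID, IdP-init flag)
     * @param dateTime           NotOnOrAfter of every confirmation
     * @param subject            the subject element to populate
     */
    protected void addSubjectConfirmation(SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO, DateTime dateTime, Subject subject) {
        subject.getSubjectConfirmations().add(
                buildBearerConfirmation(sAMLSSOAuthnReqDTO, sAMLSSOAuthnReqDTO.getAssertionConsumerURL(), dateTime));
        String[] requestedRecipients = sAMLSSOAuthnReqDTO.getRequestedRecipients();
        if (requestedRecipients == null) {
            return;
        }
        for (String recipient : requestedRecipients) {
            subject.getSubjectConfirmations().add(buildBearerConfirmation(sAMLSSOAuthnReqDTO, recipient, dateTime));
        }
    }

    /**
     * Builds a single bearer SubjectConfirmation for the given recipient.
     *
     * @param dto          the request; supplies the request ID and the IdP-initiated flag
     * @param recipient    value of SubjectConfirmationData/@Recipient
     * @param notOnOrAfter value of SubjectConfirmationData/@NotOnOrAfter
     * @return the confirmation element
     */
    private SubjectConfirmation buildBearerConfirmation(SAMLSSOAuthnReqDTO dto, String recipient,
                                                        DateTime notOnOrAfter) {
        SubjectConfirmationData data = new SubjectConfirmationDataBuilder().buildObject();
        data.setRecipient(recipient);
        data.setNotOnOrAfter(notOnOrAfter);
        // IdP-initiated SSO has no AuthnRequest to refer back to, so InResponseTo is omitted.
        if (!dto.isIdPInitSSOEnabled()) {
            data.setInResponseTo(dto.getId());
        }
        SubjectConfirmation confirmation = new SubjectConfirmationBuilder().buildObject();
        confirmation.setMethod(SAMLSSOConstants.SUBJECT_CONFIRM_BEARER);
        confirmation.setSubjectConfirmationData(data);
        return confirmation;
    }

    /**
     * Creates the subject element (NameID plus bearer confirmations) and sets it on the assertion.
     *
     * @param sAMLSSOAuthnReqDTO the request
     * @param dateTime           expiry of the bearer confirmations
     * @param assertion          the assertion being built
     */
    protected void setSubject(SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO, DateTime dateTime, Assertion assertion) {
        Subject subject = new SubjectBuilder().buildObject();
        setNameId(sAMLSSOAuthnReqDTO, subject);
        addSubjectConfirmation(sAMLSSOAuthnReqDTO, dateTime, subject);
        assertion.setSubject(subject);
    }

    /**
     * Signs the assertion with the configured signing and digest algorithms. Nothing is
     * done when the SP configuration has assertion signing disabled, i.e. the assertion
     * is then emitted unsigned.
     *
     * @param sAMLSSOAuthnReqDTO the request (signing flag, algorithm URIs, authenticated user)
     * @param assertion          the fully built assertion
     * @throws IdentityException if signing fails
     */
    protected void setSignature(SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO, Assertion assertion) throws IdentityException {
        if (!sAMLSSOAuthnReqDTO.getDoSignAssertions()) {
            return;
        }
        SAMLSSOUtil.setSignature(assertion,
                sAMLSSOAuthnReqDTO.getSigningAlgorithmUri(),
                sAMLSSOAuthnReqDTO.getDigestAlgorithmUri(),
                new SignKeyDataHolder(sAMLSSOAuthnReqDTO.getUser().getAuthenticatedSubjectIdentifier()));
    }

    /**
     * Sets the Conditions element: validity window plus an AudienceRestriction holding
     * the SP issuer (with domain), the issuer without qualifier when a qualifier is
     * configured, and every additionally requested audience.
     *
     * @param sAMLSSOAuthnReqDTO the request
     * @param dateTime           Conditions/@NotBefore
     * @param dateTime2          Conditions/@NotOnOrAfter
     * @param assertion          the assertion being built
     */
    protected void setConditions(SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO, DateTime dateTime, DateTime dateTime2,
                                 Assertion assertion) {
        AudienceRestriction audienceRestriction = new AudienceRestrictionBuilder().buildObject();
        addAudience(audienceRestriction, sAMLSSOAuthnReqDTO.getIssuerWithDomain());
        if (StringUtils.isNotEmpty(sAMLSSOAuthnReqDTO.getIssuerQualifier())) {
            addAudience(audienceRestriction, SAMLSSOUtil.getIssuerWithoutQualifier(sAMLSSOAuthnReqDTO.getIssuer()));
        }
        String[] requestedAudiences = sAMLSSOAuthnReqDTO.getRequestedAudiences();
        if (requestedAudiences != null) {
            for (String audience : requestedAudiences) {
                addAudience(audienceRestriction, audience);
            }
        }
        Conditions conditions = new ConditionsBuilder().buildObject();
        conditions.setNotBefore(dateTime);
        conditions.setNotOnOrAfter(dateTime2);
        conditions.getAudienceRestrictions().add(audienceRestriction);
        assertion.setConditions(conditions);
    }

    /**
     * Appends one Audience with the given URI to the restriction.
     *
     * @param audienceRestriction the restriction to extend
     * @param str                 the audience URI
     */
    private void addAudience(AudienceRestriction audienceRestriction, String str) {
        Audience audience = new AudienceBuilder().buildObject();
        audience.setAudienceURI(str);
        audienceRestriction.getAudiences().add(audience);
    }

    /**
     * Resolves the user's attributes, adds the IdP session identifier to them on a
     * best-effort basis, and attaches the resulting AttributeStatement when it is non-empty.
     * A {@code null} attribute map yields no statement (the check now precedes the
     * {@code put}, which previously ran first and could only fail with an NPE).
     *
     * @param sAMLSSOAuthnReqDTO the request
     * @param assertion          the assertion being built
     * @throws IdentityException if the attributes cannot be resolved
     */
    protected void addAttributeStatements(SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO, Assertion assertion)
            throws IdentityException {
        Map<String, String> attributes = SAMLSSOUtil.getAttributes(sAMLSSOAuthnReqDTO);
        if (attributes == null) {
            return;
        }
        try {
            attributes.put(SAMLSSOConstants.IDP_SESSION_KEY, sAMLSSOAuthnReqDTO.getIdpSessionIdentifier());
            if (log.isDebugEnabled()) {
                log.debug("IDP session key is added to user attributes");
            }
        } catch (UnsupportedOperationException ignored) {
            // Best effort: an unmodifiable attribute map simply does not carry the session key.
            if (log.isDebugEnabled()) {
                log.debug("User attribute map is unmodifiable; IDP session key is not added");
            }
        }
        if (attributes.isEmpty()) {
            return;
        }
        AttributeStatement attributeStatement = buildAttributeStatement(attributes);
        if (attributeStatement != null) {
            assertion.getAttributeStatements().add(attributeStatement);
        }
    }

    /**
     * Adds AuthnStatements. When the IdP authentication context properties carry
     * AuthnContextClassRef pass-through data, one statement per non-blank class
     * reference is emitted (with AuthnInstant and AuthenticatingAuthority taken from the
     * same pass-through map where present). If that produced no statement, a single
     * Password-class statement is added as a fallback. A {@code null} property map is
     * tolerated and treated like an empty one.
     *
     * @param sAMLSSOAuthnReqDTO the request
     * @param str                the session index (used when single logout is enabled)
     * @param assertion          the assertion being built
     */
    protected void addAuthStatement(SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO, String str, Assertion assertion) {
        long createdTimeStamp = sAMLSSOAuthnReqDTO.getCreatedTimeStamp();
        // Default AuthnInstant: the request creation time, or "now" when it was never recorded.
        DateTime defaultAuthnInstant = createdTimeStamp != 0 ? new DateTime(createdTimeStamp) : new DateTime();

        List<AuthenticationContextProperty> classRefProperties = null;
        if (sAMLSSOAuthnReqDTO.getIdpAuthenticationContextProperties() != null) {
            classRefProperties = sAMLSSOAuthnReqDTO.getIdpAuthenticationContextProperties()
                    .get(SAMLSSOConstants.AUTHN_CONTEXT_CLASS_REF);
        }
        if (classRefProperties != null) {
            for (AuthenticationContextProperty property : classRefProperties) {
                addPassThroughAuthnStatements(sAMLSSOAuthnReqDTO, str, assertion, property, defaultAuthnInstant);
            }
        }
        if (assertion.getAuthnStatements().isEmpty()) {
            assertion.getAuthnStatements().add(getAuthnStatement(sAMLSSOAuthnReqDTO, str,
                    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password", defaultAuthnInstant, null));
        }
    }

    /**
     * Emits one AuthnStatement per non-blank class reference found in the pass-through
     * data of a single context property. Properties without pass-through data or without
     * a class-reference list are skipped.
     *
     * @param dto                the request
     * @param sessionIndex       the session index (used when single logout is enabled)
     * @param assertion          the assertion being built
     * @param property           the IdP authentication context property to read
     * @param defaultAuthnInstant AuthnInstant used when the pass-through data carries none
     */
    private void addPassThroughAuthnStatements(SAMLSSOAuthnReqDTO dto, String sessionIndex, Assertion assertion,
                                               AuthenticationContextProperty property,
                                               DateTime defaultAuthnInstant) {
        Object passThroughData = property.getPassThroughData();
        if (passThroughData == null) {
            return;
        }
        Map<?, ?> passThrough = (Map<?, ?>) passThroughData;
        Object classRefs = passThrough.get(SAMLSSOConstants.AUTHN_CONTEXT_CLASS_REF);
        if (classRefs == null) {
            return;
        }
        @SuppressWarnings("unchecked") // pass-through data is populated by the framework as List<String>
        List<String> classRefList = (List<String>) classRefs;
        String authenticatingAuthority = (String) passThrough.get("IdPEntityId");
        DateTime authnInstant = (DateTime) passThrough.get(SAMLSSOConstants.AUTHN_INSTANT);
        if (authnInstant == null) {
            if (log.isDebugEnabled()) {
                log.debug("Treating AuthnInstant as current time, as it is not found in the pass-through data");
            }
            authnInstant = defaultAuthnInstant;
        }
        for (String classRef : classRefList) {
            if (!StringUtils.isNotBlank(classRef)) {
                continue;
            }
            if (log.isDebugEnabled()) {
                log.debug("Passing AuthnContextClassRef: " + classRef + " and AuthenticatingAuthority:"
                        + authenticatingAuthority + " in the AuthnStatement");
            }
            assertion.getAuthnStatements().add(
                    getAuthnStatement(dto, sessionIndex, classRef, authnInstant, authenticatingAuthority));
        }
    }

    /**
     * Builds a single AuthnStatement.
     *
     * @param sAMLSSOAuthnReqDTO the request (single-logout flag)
     * @param str                the session index, set only when single logout is enabled
     * @param str2               the AuthnContextClassRef URI
     * @param dateTime           the AuthnInstant; SessionNotOnOrAfter is derived from it when the
     *                           {@code SSOService.SAMLSessionNotOnOrAfterPeriod} property is defined
     * @param str3               the AuthenticatingAuthority URI, or {@code null}/blank for none
     * @return the statement
     */
    private AuthnStatement getAuthnStatement(SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO, String str, String str2,
                                             DateTime dateTime, String str3) {
        AuthnStatement authnStatement = new AuthnStatementBuilder().buildObject();
        authnStatement.setAuthnInstant(dateTime);
        // Read the property once and reuse it for both the check and the period lookup.
        String sessionNotOnOrAfterPeriod = IdentityUtil.getProperty("SSOService.SAMLSessionNotOnOrAfterPeriod");
        if (SAMLSSOUtil.isSAMLNotOnOrAfterPeriodDefined(sessionNotOnOrAfterPeriod)) {
            long periodSeconds = SAMLSSOUtil.getSAMLSessionNotOnOrAfterPeriod(sessionNotOnOrAfterPeriod);
            authnStatement.setSessionNotOnOrAfter(
                    new DateTime(dateTime.getMillis() + TimeUnit.SECONDS.toMillis(periodSeconds)));
        }
        AuthnContextClassRef classRef = new AuthnContextClassRefBuilder().buildObject();
        classRef.setAuthnContextClassRef(str2);
        AuthnContext authnContext = new AuthnContextBuilder().buildObject();
        authnContext.setAuthnContextClassRef(classRef);
        if (StringUtils.isNotBlank(str3)) {
            AuthenticatingAuthorityImpl authenticatingAuthority = new AuthenticatingAuthorityImpl();
            authenticatingAuthority.setURI(str3);
            authnContext.getAuthenticatingAuthorities().add(authenticatingAuthority);
        }
        authnStatement.setAuthnContext(authnContext);
        if (sAMLSSOAuthnReqDTO.isDoSingleLogout()) {
            authnStatement.setSessionIndex(str);
        }
        return authnStatement;
    }

    /**
     * Builds an AttributeStatement from the given attribute map.
     *
     * <p>The {@code MultiAttributeSeparator} entry selects the separator used to split
     * multi-valued attributes (falling back to the framework default) and is removed from
     * the map, as is {@code identityProviderMappedUserRoles}; neither is emitted as an
     * attribute. Note that the caller's map is mutated. Entries whose name or value is
     * null/blank are skipped; values containing the separator are split into one
     * xs:string AttributeValue per non-blank part.
     *
     * @param map the attributes to emit (mutated: control entries are removed)
     * @return the statement, or {@code null} when no attribute was emitted
     */
    protected AttributeStatement buildAttributeStatement(Map<String, String> map) {
        String configuredSeparator = map.get("MultiAttributeSeparator");
        String multiAttributeSeparator = StringUtils.isNotBlank(configuredSeparator)
                ? configuredSeparator
                : FrameworkUtils.getMultiAttributeSeparator();
        map.remove("MultiAttributeSeparator");
        map.remove("identityProviderMappedUserRoles");

        AttributeStatement attributeStatement = new AttributeStatementBuilder().buildObject();
        boolean hasAttribute = false;
        for (Map.Entry<String, String> entry : map.entrySet()) {
            String name = entry.getKey();
            String value = entry.getValue();
            if (!hasText(name) || !hasText(value)) {
                continue;
            }
            hasAttribute = true;
            Attribute attribute = new AttributeBuilder().buildObject();
            attribute.setName(name);
            attribute.setNameFormat(SAMLSSOConstants.NAME_FORMAT_BASIC);
            XSStringBuilder valueBuilder =
                    XMLObjectProviderRegistrySupport.getBuilderFactory().getBuilder(XSString.TYPE_NAME);
            if (multiAttributeSeparator != null && value.contains(multiAttributeSeparator)) {
                // Pattern.quote: the separator is configuration text, not a regular expression.
                for (String part : value.split(Pattern.quote(multiAttributeSeparator))) {
                    if (hasText(part)) {
                        attribute.getAttributeValues().add(buildStringValue(valueBuilder, part));
                    }
                }
            } else {
                attribute.getAttributeValues().add(buildStringValue(valueBuilder, value));
            }
            attributeStatement.getAttributes().add(attribute);
        }
        return hasAttribute ? attributeStatement : null;
    }

    /**
     * Wraps a string as an xs:string AttributeValue.
     *
     * @param builder the XSString builder obtained from the provider registry
     * @param value   the attribute value text
     * @return the value element
     */
    private static XSString buildStringValue(XSStringBuilder builder, String value) {
        XSString attributeValue = builder.buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSString.TYPE_NAME);
        attributeValue.setValue(value);
        return attributeValue;
    }

    /**
     * @param s the string to test
     * @return {@code true} when {@code s} is non-null and not empty after {@link String#trim()}
     */
    private static boolean hasText(String s) {
        return s != null && !s.trim().isEmpty();
    }
}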
