package org.springframework.security.saml.context;

import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.namespace.QName;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.RoleDescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.ws.security.ServletRequestX509CredentialAdapter;
import org.opensaml.ws.transport.http.HTTPInTransport;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.security.trust.ExplicitX509CertificateTrustEngine;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.security.x509.BasicX509CredentialNameEvaluator;
import org.opensaml.xml.security.x509.PKIXTrustEvaluator;
import org.opensaml.xml.security.x509.PKIXValidationInformationResolver;
import org.opensaml.xml.security.x509.PKIXX509CredentialTrustEngine;
import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.saml.SAMLConstants;
import org.springframework.security.saml.SAMLEntryPoint;
import org.springframework.security.saml.key.KeyManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.MetadataManager;
import org.springframework.security.saml.storage.HttpSessionStorageFactory;
import org.springframework.security.saml.storage.SAMLMessageStorageFactory;
import org.springframework.security.saml.trust.CertPathPKIXTrustEvaluator;
import org.springframework.security.saml.trust.PKIXInformationResolver;
import org.springframework.security.saml.util.SAMLUtil;
import org.springframework.util.Assert;

/* loaded from: input_file:WEB-INF/lib/spring-security-saml2-core-1.0.4.RELEASE.jar:org/springframework/security/saml/context/SAMLContextProviderImpl.class */
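/**
 * Default {@link SAMLContextProvider}: builds a {@link SAMLMessageContext} for the current
 * request, resolving the local (hosted) entity, optionally the peer (IDP) entity, and the
 * credentials and trust engines used to sign, decrypt and verify messages for that pair.
 *
 * <p>Which local and peer entities are used is taken from the request in a fixed order of
 * precedence: a request attribute set by the protocol flow, then a request parameter or the
 * {@code /alias/<alias>[/<role>]} part of the request URI, then the configured default. Every
 * request-supplied identifier is resolved through {@link MetadataManager}; a value with no
 * matching metadata is rejected with a {@link MetadataProviderException} rather than used.
 *
 * <p>Trust configuration comes from the local entity's {@link ExtendedMetadata}: the
 * {@code securityProfile} and {@code sslSecurityProfile} values select between a PKIX trust
 * engine (backed by {@link #pkixResolver} / {@link #pkixTrustEvaluator}) and an explicit-key
 * trust engine (backed by {@link #metadataResolver}).
 *
 * <p>The class is a Spring bean; {@link #afterPropertiesSet()} checks the required
 * collaborators and supplies defaults for the optional resolvers.
 */
public class SAMLContextProviderImpl implements SAMLContextProvider, InitializingBean {

    protected static final Logger log = LoggerFactory.getLogger(SAMLContextProviderImpl.class);

    /** Path marker that introduces the local-entity alias inside the request URI. */
    private static final String ALIAS_PATH_MARKER = "/alias/";

    /** Value of the extended-metadata security profiles that selects PKIX trust evaluation. */
    private static final String SECURITY_PROFILE_PKIX = "pkix";

    /**
     * Resolver chain handed to every {@link Decrypter} created by this provider. It holds no
     * per-request state, so a single immutable instance is shared by all contexts.
     */
    private static final ChainingEncryptedKeyResolver encryptedKeyResolver = buildEncryptedKeyResolver();

    protected KeyManager keyManager;
    protected MetadataManager metadata;
    protected MetadataCredentialResolver metadataResolver;
    protected PKIXValidationInformationResolver pkixResolver;
    protected PKIXTrustEvaluator pkixTrustEvaluator;
    protected SAMLMessageStorageFactory storageFactory = new HttpSessionStorageFactory();

    /**
     * Builds the shared encrypted-key resolver chain: inline keys, keys carried inside the
     * encrypted element type, then keys referenced by a retrieval method (order preserved from
     * the original static initializer).
     */
    private static ChainingEncryptedKeyResolver buildEncryptedKeyResolver() {
        ChainingEncryptedKeyResolver chain = new ChainingEncryptedKeyResolver();
        chain.getResolverChain().add(new InlineEncryptedKeyResolver());
        chain.getResolverChain().add(new EncryptedElementTypeEncryptedKeyResolver());
        chain.getResolverChain().add(new SimpleRetrievalMethodEncryptedKeyResolver());
        return chain;
    }

    /**
     * Creates a context describing only the local entity for the given request.
     *
     * @param request  current request; its URI may carry an {@code /alias/} selector
     * @param response current response, wrapped as the outbound transport
     * @return context with generic transports, local entity id/role and local trust material set
     * @throws MetadataProviderException when the selected local entity has no metadata
     */
    @Override // org.springframework.security.saml.context.SAMLContextProvider
    public SAMLMessageContext getLocalEntity(HttpServletRequest request, HttpServletResponse response) throws MetadataProviderException {
        SAMLMessageContext context = new SAMLMessageContext();
        populateGenericContext(request, response, context);
        populateLocalEntityId(context, request.getRequestURI());
        populateLocalContext(context);
        return context;
    }

    /**
     * Creates a context describing both the local entity and the peer IDP for the given request.
     *
     * @param request  current request; may carry an {@code /alias/} selector and an IDP parameter
     * @param response current response, wrapped as the outbound transport
     * @return context with local and peer entity metadata and local trust material set
     * @throws MetadataProviderException when either entity cannot be found in metadata
     */
    @Override // org.springframework.security.saml.context.SAMLContextProvider
    public SAMLMessageContext getLocalAndPeerEntity(HttpServletRequest request, HttpServletResponse response) throws MetadataProviderException {
        SAMLMessageContext context = new SAMLMessageContext();
        populateGenericContext(request, response, context);
        populateLocalEntityId(context, request.getRequestURI());
        populateLocalContext(context);
        populatePeerEntityId(context);
        populatePeerContext(context);
        return context;
    }

    /**
     * Decides which IDP is the peer of this exchange and records it in the context. The peer
     * role is always {@link IDPSSODescriptor#DEFAULT_ELEMENT_NAME}.
     *
     * <p>Precedence: the {@link SAMLConstants#PEER_ENTITY_ID} transport attribute, then the
     * {@link SAMLEntryPoint#IDP_PARAMETER} request parameter (marked as user-selected), then
     * {@link MetadataManager#getDefaultIDP()}. The request parameter is caller-controlled input;
     * it is only accepted once {@link #populatePeerContext} finds metadata for it.
     *
     * @param context context whose inbound transport is an {@link HTTPInTransport}
     * @throws MetadataProviderException propagated from the default-IDP lookup
     */
    protected void populatePeerEntityId(SAMLMessageContext context) throws MetadataProviderException {
        HTTPInTransport inTransport = (HTTPInTransport) context.getInboundMessageTransport();
        String peerEntityId = (String) inTransport.getAttribute(SAMLConstants.PEER_ENTITY_ID);
        if (peerEntityId != null) {
            // the protocol flow already fixed the peer; the user-selected flag is left untouched
            log.debug("Using protocol specified IDP {}", peerEntityId);
        } else {
            peerEntityId = inTransport.getParameterValue(SAMLEntryPoint.IDP_PARAMETER);
            if (peerEntityId != null) {
                log.debug("Using user specified IDP {} from request", peerEntityId);
                context.setPeerUserSelected(true);
            } else {
                peerEntityId = this.metadata.getDefaultIDP();
                log.debug("No IDP specified, using default {}", peerEntityId);
                context.setPeerUserSelected(false);
            }
        }
        context.setPeerEntityId(peerEntityId);
        context.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
    }

    /**
     * Loads entity, role and extended metadata for the peer selected by
     * {@link #populatePeerEntityId}. This is the check that turns a request-supplied IDP id into
     * a trusted one: an id without an entity descriptor and matching role is rejected.
     *
     * @param context context with peer entity id and role already set
     * @throws MetadataProviderException when no peer id is set or its metadata is missing
     */
    protected void populatePeerContext(SAMLMessageContext context) throws MetadataProviderException {
        String peerEntityId = context.getPeerEntityId();
        QName peerRole = context.getPeerEntityRole();
        if (peerEntityId == null) {
            throw new MetadataProviderException("Peer entity ID wasn't specified, but is requested");
        }
        EntityDescriptor descriptor = this.metadata.getEntityDescriptor(peerEntityId);
        RoleDescriptor roleDescriptor = this.metadata.getRole(peerEntityId, peerRole, org.opensaml.common.xml.SAMLConstants.SAML20P_NS);
        ExtendedMetadata extended = this.metadata.getExtendedMetadata(peerEntityId);
        if (descriptor == null || roleDescriptor == null) {
            throw missingMetadata(peerEntityId, peerRole);
        }
        context.setPeerEntityMetadata(descriptor);
        context.setPeerEntityRoleMetadata(roleDescriptor);
        context.setPeerExtendedMetadata(extended);
    }

    /**
     * Wraps the servlet request/response as OpenSAML transports and attaches the metadata
     * provider and message storage to the context. The request's context path is also exposed
     * as the {@link SAMLConstants#LOCAL_CONTEXT_PATH} request attribute.
     *
     * <p>Decompiler note: the original source declared this method {@code protected}; it is kept
     * {@code public} to match the interface of the decompiled class.
     *
     * @param request  request to wrap as the inbound transport
     * @param response response to wrap as the outbound transport (told whether the request was secure)
     * @param context  context to populate
     * @throws MetadataProviderException declared for subclasses; not thrown by this implementation
     */
    public void populateGenericContext(HttpServletRequest request, HttpServletResponse response, SAMLMessageContext context) throws MetadataProviderException {
        HttpServletRequestAdapter inTransport = new HttpServletRequestAdapter(request);
        HttpServletResponseAdapter outTransport = new HttpServletResponseAdapter(response, request.isSecure());
        request.setAttribute(SAMLConstants.LOCAL_CONTEXT_PATH, request.getContextPath());
        context.setMetadataProvider(this.metadata);
        context.setInboundMessageTransport(inTransport);
        context.setOutboundMessageTransport(outTransport);
        context.setMessageStorage(this.storageFactory.getMessageStorage(request));
    }

    /**
     * Fills in everything derived from the local entity. {@link #populateLocalEntity} must run
     * first because the remaining steps read {@code context.getLocalExtendedMetadata()}.
     *
     * @param context context with local entity id and role already set
     * @throws MetadataProviderException when the local entity's metadata is missing
     */
    protected void populateLocalContext(SAMLMessageContext context) throws MetadataProviderException {
        populateLocalEntity(context);
        populateDecrypter(context);
        populateSSLCredential(context);
        populatePeerSSLCredential(context);
        populateTrustEngine(context);
        populateSSLTrustEngine(context);
        populateSSLHostnameVerifier(context);
    }

    /**
     * Determines the local entity id and role for the request.
     *
     * <p>Precedence: the {@link SAMLConstants#LOCAL_ENTITY_ID} transport attribute (SP role);
     * otherwise an {@code /alias/<alias>} segment of the request URI, where a trailing
     * {@code /<segment>} equal to {@link SAMLEntryPoint#IDP_PARAMETER} (case-insensitive) selects
     * the IDP role and any other trailing segment is dropped with the SP role assumed; otherwise
     * the defaults from {@link #getDefaultLocalEntityId} / {@link #getDefaultLocalEntityRole}.
     * An alias unknown to {@link MetadataManager#getEntityIdForAlias} is rejected.
     *
     * @param context    context whose inbound transport is an {@link HTTPInTransport}
     * @param requestURI request URI to inspect for an alias; {@code null} is treated as empty
     * @throws MetadataProviderException when the alias does not map to a local entity
     */
    protected void populateLocalEntityId(SAMLMessageContext context, String requestURI) throws MetadataProviderException {
        HTTPInTransport inTransport = (HTTPInTransport) context.getInboundMessageTransport();
        String protocolEntityId = (String) inTransport.getAttribute(SAMLConstants.LOCAL_ENTITY_ID);
        if (protocolEntityId != null) {
            log.debug("Using protocol specified SP {}", protocolEntityId);
            context.setLocalEntityId(protocolEntityId);
            context.setLocalEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
            return;
        }
        String uri = requestURI == null ? "" : requestURI;
        int markerIndex = uri.indexOf(ALIAS_PATH_MARKER);
        if (markerIndex == -1) {
            context.setLocalEntityId(getDefaultLocalEntityId(context, uri));
            context.setLocalEntityRole(getDefaultLocalEntityRole(context, uri));
            return;
        }
        String alias = uri.substring(markerIndex + ALIAS_PATH_MARKER.length());
        QName role = SPSSODescriptor.DEFAULT_ELEMENT_NAME;
        int roleSeparator = alias.lastIndexOf('/');
        if (roleSeparator != -1) {
            String roleSegment = alias.substring(roleSeparator + 1);
            if (SAMLEntryPoint.IDP_PARAMETER.equalsIgnoreCase(roleSegment)) {
                role = IDPSSODescriptor.DEFAULT_ELEMENT_NAME;
            }
            alias = alias.substring(0, roleSeparator);
        }
        String entityId = this.metadata.getEntityIdForAlias(alias);
        if (entityId == null) {
            throw new MetadataProviderException("No local entity found for alias " + alias + ", verify your configuration.");
        }
        log.debug("Using SP {} specified in request with alias {}", entityId, alias);
        context.setLocalEntityId(entityId);
        context.setLocalEntityRole(role);
    }

    /**
     * Local entity used when the request names none; subclasses may override to derive it
     * from the context or URI.
     *
     * @param context    context being populated (unused here)
     * @param requestURI request URI (unused here)
     * @return the hosted SP name from {@link MetadataManager}
     * @throws MetadataProviderException declared for subclasses; not thrown here
     */
    protected String getDefaultLocalEntityId(SAMLMessageContext context, String requestURI) throws MetadataProviderException {
        return this.metadata.getHostedSPName();
    }

    /**
     * Local role used when the request names none; subclasses may override.
     *
     * @param context    context being populated (unused here)
     * @param requestURI request URI (unused here)
     * @return {@link SPSSODescriptor#DEFAULT_ELEMENT_NAME}
     * @throws MetadataProviderException declared for subclasses; not thrown here
     */
    protected QName getDefaultLocalEntityRole(SAMLMessageContext context, String requestURI) throws MetadataProviderException {
        return SPSSODescriptor.DEFAULT_ELEMENT_NAME;
    }

    /**
     * Loads entity, role and extended metadata for the local entity and picks its signing
     * credential: the key named by {@link ExtendedMetadata#getSigningKey()} if set, otherwise
     * the key manager's default credential.
     *
     * @param context context with local entity id and role already set
     * @throws MetadataProviderException when no local id is set or its metadata is missing
     */
    protected void populateLocalEntity(SAMLMessageContext context) throws MetadataProviderException {
        String entityId = context.getLocalEntityId();
        QName role = context.getLocalEntityRole();
        if (entityId == null) {
            throw new MetadataProviderException("No hosted service provider is configured and no alias was selected");
        }
        EntityDescriptor descriptor = this.metadata.getEntityDescriptor(entityId);
        RoleDescriptor roleDescriptor = this.metadata.getRole(entityId, role, org.opensaml.common.xml.SAMLConstants.SAML20P_NS);
        ExtendedMetadata extended = this.metadata.getExtendedMetadata(entityId);
        if (descriptor == null || roleDescriptor == null) {
            throw missingMetadata(entityId, role);
        }
        context.setLocalEntityMetadata(descriptor);
        context.setLocalEntityRoleMetadata(roleDescriptor);
        context.setLocalExtendedMetadata(extended);
        // NOTE(review): extended is dereferenced without a null check, as in the original;
        // confirm MetadataManager.getExtendedMetadata never returns null for a known entity
        String signingKey = extended.getSigningKey();
        if (signingKey != null) {
            context.setLocalSigningCredential(this.keyManager.getCredential(signingKey));
        } else {
            context.setLocalSigningCredential(this.keyManager.getDefaultCredential());
        }
    }

    /**
     * Sets the credential used for client TLS when the local extended metadata names a TLS key;
     * leaves the local SSL credential {@code null} otherwise.
     *
     * @param context context with local extended metadata already set
     */
    protected void populateSSLCredential(SAMLMessageContext context) {
        String tlsKey = context.getLocalExtendedMetadata().getTlsKey();
        X509Credential sslCredential = tlsKey != null ? (X509Credential) this.keyManager.getCredential(tlsKey) : null;
        context.setLocalSSLCredential(sslCredential);
    }

    /**
     * Installs the hostname verifier selected by the local extended metadata's
     * {@code sslHostnameVerification} setting (resolved through {@link SAMLUtil}).
     *
     * @param context context with local extended metadata already set
     */
    protected void populateSSLHostnameVerifier(SAMLMessageContext context) {
        context.setGetLocalSSLHostnameVerifier(SAMLUtil.getHostnameVerifier(context.getLocalExtendedMetadata().getSslHostnameVerification()));
    }

    /**
     * Records the peer's TLS client certificate chain, when the inbound transport exposes one
     * under {@link ServletRequestX509CredentialAdapter#X509_CERT_REQUEST_ATTRIBUTE}, as the peer
     * SSL credential. The first certificate in the chain is taken as the entity certificate.
     * Nothing is set when the attribute is absent or the chain is empty; the attribute is
     * presumably filled by the servlet container from the TLS handshake — confirm for the
     * deployment in use.
     *
     * @param context context with the inbound transport already set
     */
    protected void populatePeerSSLCredential(SAMLMessageContext context) {
        X509Certificate[] chain = (X509Certificate[]) context.getInboundMessageTransport().getAttribute(ServletRequestX509CredentialAdapter.X509_CERT_REQUEST_ATTRIBUTE);
        if (chain == null || chain.length <= 0) {
            return;
        }
        log.debug("Found certificate chain from request {}", chain[0]);
        BasicX509Credential peerCredential = new BasicX509Credential();
        peerCredential.setEntityCertificate(chain[0]);
        peerCredential.setEntityCertificateChain(Arrays.asList(chain));
        context.setPeerSSLCredential(peerCredential);
    }

    /**
     * Creates the {@link Decrypter} for inbound encrypted elements. The local encryption
     * credential (the key named by {@link ExtendedMetadata#getEncryptionKey()}, else the key
     * manager's default) is supplied through a static key-info resolver together with the shared
     * encrypted-key resolver chain; the first constructor argument is left {@code null} as in
     * the original.
     *
     * @param context context with local extended metadata already set
     */
    protected void populateDecrypter(SAMLMessageContext context) {
        String encryptionKey = context.getLocalExtendedMetadata().getEncryptionKey();
        StaticKeyInfoCredentialResolver localKeyResolver = new StaticKeyInfoCredentialResolver(
                encryptionKey != null ? this.keyManager.getCredential(encryptionKey) : this.keyManager.getDefaultCredential());
        Decrypter decrypter = new Decrypter(null, localKeyResolver, encryptedKeyResolver);
        decrypter.setRootInNewDocument(true);
        context.setLocalDecrypter(decrypter);
    }

    /**
     * Selects the signature trust engine from the local extended metadata's
     * {@code securityProfile}: {@code "pkix"} (case-insensitive) yields a
     * {@link PKIXSignatureTrustEngine} driven by {@link #pkixResolver} and
     * {@link #pkixTrustEvaluator}; any other value yields an
     * {@link ExplicitKeySignatureTrustEngine} that accepts only keys resolved from metadata by
     * {@link #metadataResolver}.
     *
     * @param context context with local extended metadata already set
     */
    protected void populateTrustEngine(SAMLMessageContext context) {
        String profile = context.getLocalExtendedMetadata().getSecurityProfile();
        if (SECURITY_PROFILE_PKIX.equalsIgnoreCase(profile)) {
            context.setLocalTrustEngine(new PKIXSignatureTrustEngine(
                    this.pkixResolver,
                    Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver(),
                    this.pkixTrustEvaluator,
                    new BasicX509CredentialNameEvaluator()));
        } else {
            context.setLocalTrustEngine(new ExplicitKeySignatureTrustEngine(
                    this.metadataResolver,
                    Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver()));
        }
    }

    /**
     * Selects the TLS trust engine from the local extended metadata's
     * {@code sslSecurityProfile}: {@code "pkix"} (case-insensitive) yields a
     * {@link PKIXX509CredentialTrustEngine}; any other value yields an
     * {@link ExplicitX509CertificateTrustEngine} over {@link #metadataResolver}.
     *
     * @param context context with local extended metadata already set
     */
    protected void populateSSLTrustEngine(SAMLMessageContext context) {
        String profile = context.getLocalExtendedMetadata().getSslSecurityProfile();
        if (SECURITY_PROFILE_PKIX.equalsIgnoreCase(profile)) {
            context.setLocalSSLTrustEngine(new PKIXX509CredentialTrustEngine(
                    this.pkixResolver, this.pkixTrustEvaluator, new BasicX509CredentialNameEvaluator()));
        } else {
            context.setLocalSSLTrustEngine(new ExplicitX509CertificateTrustEngine(this.metadataResolver));
        }
    }

    /** Builds the exception raised when an entity/role pair has no metadata. */
    private static MetadataProviderException missingMetadata(String entityId, QName role) {
        return new MetadataProviderException("Metadata for entity " + entityId + " and role " + role + " wasn't found");
    }

    /** @param metadataManager metadata manager used for all entity lookups (required) */
    @Autowired
    public void setMetadata(MetadataManager metadataManager) {
        this.metadata = metadataManager;
    }

    /** @param keyManager key manager supplying signing, encryption and TLS credentials (required) */
    @Autowired
    public void setKeyManager(KeyManager keyManager) {
        this.keyManager = keyManager;
    }

    /** @param pKIXValidationInformationResolver PKIX information source; defaulted in {@link #afterPropertiesSet()} when {@code null} */
    public void setPkixResolver(PKIXValidationInformationResolver pKIXValidationInformationResolver) {
        this.pkixResolver = pKIXValidationInformationResolver;
    }

    /** @param pKIXTrustEvaluator PKIX path evaluator; defaulted in {@link #afterPropertiesSet()} when {@code null} */
    public void setPkixTrustEvaluator(PKIXTrustEvaluator pKIXTrustEvaluator) {
        this.pkixTrustEvaluator = pKIXTrustEvaluator;
    }

    /** @param metadataCredentialResolver resolver of credentials from metadata; defaulted in {@link #afterPropertiesSet()} when {@code null} */
    public void setMetadataResolver(MetadataCredentialResolver metadataCredentialResolver) {
        this.metadataResolver = metadataCredentialResolver;
    }

    /** @param sAMLMessageStorageFactory message storage factory; defaults to {@link HttpSessionStorageFactory} */
    @Autowired(required = false)
    public void setStorageFactory(SAMLMessageStorageFactory sAMLMessageStorageFactory) {
        this.storageFactory = sAMLMessageStorageFactory;
    }

    /**
     * Verifies required collaborators and fills in defaults for the optional ones: a
     * metadata-backed credential resolver (with the criteria-matching options preserved from the
     * original), a {@link PKIXInformationResolver} built on it, and a
     * {@link CertPathPKIXTrustEvaluator}.
     *
     * @throws ServletException declared by the original contract; nothing in this body throws it
     * @throws IllegalArgumentException when key manager, metadata or storage factory is unset
     */
    @Override // org.springframework.beans.factory.InitializingBean
    public void afterPropertiesSet() throws ServletException {
        Assert.notNull(this.keyManager, "Key manager must be set");
        Assert.notNull(this.metadata, "Metadata must be set");
        Assert.notNull(this.storageFactory, "MessageStorageFactory must be set");
        if (this.metadataResolver == null) {
            org.springframework.security.saml.trust.MetadataCredentialResolver resolver =
                    new org.springframework.security.saml.trust.MetadataCredentialResolver(this.metadata, this.keyManager);
            resolver.setMeetAllCriteria(false);
            resolver.setUnevaluableSatisfies(true);
            this.metadataResolver = resolver;
        }
        if (this.pkixResolver == null) {
            this.pkixResolver = new PKIXInformationResolver(this.metadataResolver, this.metadata, this.keyManager);
        }
        if (this.pkixTrustEvaluator == null) {
            this.pkixTrustEvaluator = new CertPathPKIXTrustEvaluator();
        }
    }
}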
