package org.apache.cxf.rs.security.saml.sso;

import java.io.IOException;
import java.io.StringReader;
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.ResourceBundle;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.PreDestroy;
import javax.annotation.Priority;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.apache.cxf.common.i18n.BundleUtils;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.security.SimplePrincipal;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.jaxrs.impl.HttpHeadersImpl;
import org.apache.cxf.jaxrs.impl.UriInfoImpl;
import org.apache.cxf.jaxrs.utils.ExceptionUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.rs.security.saml.SAMLUtils;
import org.apache.cxf.rs.security.saml.sso.state.RequestState;
import org.apache.cxf.rs.security.saml.sso.state.ResponseState;
import org.apache.cxf.rt.security.claims.ClaimCollection;
import org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext;
import org.apache.cxf.rt.security.utils.SecurityUtils;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.staxutils.StaxUtils;
import org.apache.wss4j.common.saml.OpenSAMLUtil;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

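/**
 * Base JAX-RS pre-matching filter for a SAML 2.0 Web SSO service provider (SP).
 *
 * <p>Concrete subclasses decide how an unauthenticated request is turned into an
 * {@link AuthnRequest} for the IdP by implementing {@link #encodeAuthnRequest(Element)}
 * and {@link #signAuthnRequest(AuthnRequest)}. This class supplies the shared pieces:
 * deciding whether the request already carries a valid SSO session (security-context-token
 * and relay-state cookies bound to a stored {@link ResponseState}), building the
 * {@link SamlRequestInfo} and {@link RequestState} for a new round trip, and populating
 * the CXF {@link SecurityContext} from the stored assertion.
 *
 * <p>Security-relevant defaults: AuthnRequests are not signed ({@link #isSignRequest()}
 * is {@code false}) and the signature algorithm defaults to {@link SSOConstants#RSA_SHA1}.
 * SHA-1 based XML signatures are deprecated, so deployments that enable request signing
 * should configure a SHA-2 based algorithm through {@link #setSignatureAlgorithm(String)}.
 */
@Priority(1001)
@PreMatching
// Decompiled from input_file:org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.class
public abstract class AbstractServiceProviderFilter extends AbstractSSOSpHandler implements ContainerRequestFilter {
    protected static final Logger LOG = LogUtils.getL7dLogger(AbstractServiceProviderFilter.class);
    protected static final ResourceBundle BUNDLE = BundleUtils.getBundle(AbstractServiceProviderFilter.class);

    // Message property naming the assertion attribute that carries the subject's roles.
    private static final String ROLE_ATTRIBUTE_NAME_PROPERTY = "security.saml-role-attributename";
    // Role claim URI used when the property above is absent or empty.
    private static final String DEFAULT_ROLE_ATTRIBUTE_NAME =
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";
    // Message property holding the HTTP base path of this endpoint.
    private static final String HTTP_BASE_PATH = "http.base.path";

    // Where the IdP sends the SAML Response. If unset it is derived from the first request
    // that needs it, but only when the RACS is collocated (see getAbsoluteAssertionServiceAddress).
    private String assertionConsumerServiceAddress;
    // Whether outgoing AuthnRequests are signed; off unless configured.
    private boolean signRequest;
    // Optional web application domain a stored response state must be bound to.
    private String webAppDomain;
    // When true, the endpoint base URI (not the servlet base path) identifies the web-app context.
    private boolean addEndpointAddressToContext;
    private AuthnRequestBuilder authnRequestBuilder = new DefaultAuthnRequestBuilder();
    // When false every stored state is bound to the context "/".
    private boolean addWebAppContext = true;
    // Default kept for compatibility; see the class comment regarding SHA-1.
    private String signatureAlgorithm = SSOConstants.RSA_SHA1;

    /** Sets whether the endpoint base URI, rather than the HTTP base path, forms the web-app context. */
    public void setAddEndpointAddressToContext(boolean z) {
        this.addEndpointAddressToContext = z;
    }

    /** Enables or disables signing of outgoing AuthnRequests. */
    public void setSignRequest(boolean z) {
        this.signRequest = z;
    }

    /** @return {@code true} if outgoing AuthnRequests are signed */
    public boolean isSignRequest() {
        return this.signRequest;
    }

    /** Replaces the builder used to create the AuthnRequest for a new SSO round trip. */
    public void setAuthnRequestBuilder(AuthnRequestBuilder authnRequestBuilder) {
        this.authnRequestBuilder = authnRequestBuilder;
    }

    /**
     * Sets the AssertionConsumerService address. An absolute {@code http...} URL is used
     * as-is; any other value is resolved against the HTTP base path of the request.
     */
    public void setAssertionConsumerServiceAddress(String str) {
        this.assertionConsumerServiceAddress = str;
    }

    /** Releases resources held by the SP handler when the container destroys the filter. */
    @Override
    @PreDestroy
    public void close() {
        super.close();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Checks whether the request already belongs to an authenticated SSO session.
     *
     * <p>The security-context-token cookie selects a stored {@link ResponseState}. Unless
     * unsolicited responses are supported, the relay-state cookie must also equal the relay
     * state recorded in that response state, which binds the session cookie to the browser
     * that started the SSO round trip. On success the stored assertion is parsed again and
     * installed as the message {@link SecurityContext}.
     *
     * @param message the current inbound message
     * @return {@code true} if a valid security context was established, {@code false}
     *         otherwise (the reason is logged through {@link #reportError(String)})
     */
    public boolean checkSecurityContext(Message message) {
        Map<String, Cookie> cookies = new HttpHeadersImpl(message).getCookies();
        ResponseState responseState =
            getValidResponseState(cookies.get(SSOConstants.SECURITY_CONTEXT_TOKEN), message);
        if (responseState == null) {
            return false;
        }
        if (!isSupportUnsolicited()) {
            Cookie relayStateCookie = cookies.get(SSOConstants.RELAY_STATE);
            if (relayStateCookie == null) {
                reportError("MISSING_RELAY_COOKIE");
                return false;
            }
            // A stored state without a relay state can never match; reject it instead of
            // failing with a NullPointerException.
            String expectedRelayState = responseState.getRelayState();
            if (expectedRelayState == null || !expectedRelayState.equals(relayStateCookie.getValue())) {
                reportError("INVALID_RELAY_STATE");
                return false;
            }
        }
        try {
            Element assertionElement =
                StaxUtils.read(new StringReader(responseState.getAssertion())).getDocumentElement();
            setSecurityContext(message, new SamlAssertionWrapper(assertionElement));
            return true;
        } catch (Exception e) {
            reportError("INVALID_RESPONSE_STATE");
            // Keep the cause for troubleshooting; the client only sees the generic failure.
            LOG.log(Level.FINE, "Unable to restore the SAML assertion from the stored response state", e);
            return false;
        }
    }

    /**
     * Builds a {@link SAMLSecurityContext} from the assertion and stores it on the message.
     *
     * <p>The principal is the assertion subject name. Roles are read from the claim whose
     * name is given by the {@code security.saml-role-attributename} message property,
     * falling back to the standard role claim URI. Nothing is set when the subject has no
     * name.
     *
     * @param message               the current inbound message
     * @param samlAssertionWrapper  the assertion restored from the stored response state
     */
    protected void setSecurityContext(Message message, SamlAssertionWrapper samlAssertionWrapper) {
        String subjectName = SAMLUtils.getSubject(message, samlAssertionWrapper).getName();
        if (subjectName == null) {
            return;
        }
        String roleAttributeName =
            (String) SecurityUtils.getSecurityPropertyValue(ROLE_ATTRIBUTE_NAME_PROPERTY, message);
        if (roleAttributeName == null || roleAttributeName.isEmpty()) {
            roleAttributeName = DEFAULT_ROLE_ATTRIBUTE_NAME;
        }
        ClaimCollection claims =
            org.apache.cxf.rt.security.saml.utils.SAMLUtils.getClaims(samlAssertionWrapper);
        SAMLSecurityContext securityContext = new SAMLSecurityContext(
            new SimplePrincipal(subjectName),
            org.apache.cxf.rt.security.saml.utils.SAMLUtils.parseRolesFromClaims(claims, roleAttributeName, (String) null),
            claims);
        securityContext.setIssuer(
            org.apache.cxf.rt.security.saml.utils.SAMLUtils.getIssuer(samlAssertionWrapper));
        securityContext.setAssertionElement(
            org.apache.cxf.rt.security.saml.utils.SAMLUtils.getAssertionElement(samlAssertionWrapper));
        message.put(SecurityContext.class, securityContext);
    }

    /**
     * Resolves and validates the response state referenced by the security-context-token cookie.
     *
     * <p>A state is rejected when it is unknown, expired, bound to a different web
     * application domain/context, or carries no assertion. Expired and mis-bound states
     * are also removed from the state provider.
     *
     * @param cookie  the security-context-token cookie, may be {@code null}
     * @param message the current inbound message
     * @return the valid state, or {@code null} if none could be established
     */
    protected ResponseState getValidResponseState(Cookie cookie, Message message) {
        if (cookie == null) {
            reportTrace("MISSING_RESPONSE_STATE");
            return null;
        }
        String contextKey = cookie.getValue();
        ResponseState responseState = getStateProvider().getResponseState(contextKey);
        if (responseState == null) {
            reportError("MISSING_RESPONSE_STATE");
            return null;
        }
        if (isStateExpired(responseState.getCreatedAt(), responseState.getExpiresAt())) {
            reportError("EXPIRED_RESPONSE_STATE");
            getStateProvider().removeResponseState(contextKey);
            return null;
        }
        if (!isBoundToThisApplication(responseState, getWebAppContext(message))) {
            getStateProvider().removeResponseState(contextKey);
            reportError("INVALID_RESPONSE_STATE");
            return null;
        }
        if (responseState.getAssertion() == null) {
            reportError("INVALID_RESPONSE_STATE");
            return null;
        }
        return responseState;
    }

    // A stored state is only usable by the application (domain, if configured, and context) that created it.
    private boolean isBoundToThisApplication(ResponseState state, String webAppContext) {
        // equals(null) is false, so a missing stored domain or context fails the check.
        if (this.webAppDomain != null && !this.webAppDomain.equals(state.getWebAppDomain())) {
            return false;
        }
        return webAppContext.equals(state.getWebAppContext());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds the AuthnRequest for a new SSO round trip and records its {@link RequestState}.
     *
     * <p>The relay state is a fresh random UUID; the request state (original request URI,
     * IdP address, AuthnRequest ID, issuer, web-app context/domain and creation time) is
     * stored under it so the later response can be correlated with this request.
     *
     * @param message the current inbound message
     * @return the encoded request together with its relay state and web-app binding
     * @throws Exception if the request cannot be built, signed or encoded
     */
    public SamlRequestInfo createSamlRequestInfo(Message message) throws Exception {
        Document doc = DOMUtils.createDocument();
        doc.appendChild(doc.createElement("root"));
        AuthnRequest authnRequest = this.authnRequestBuilder.createAuthnRequest(
            message, getIssuerId(message), getAbsoluteAssertionServiceAddress(message));
        if (isSignRequest()) {
            // SAML 2.0 requires the Destination attribute on signed protocol messages.
            authnRequest.setDestination(getIdpServiceAddress());
            signAuthnRequest(authnRequest);
        }
        String encodedRequest = encodeAuthnRequest(OpenSAMLUtil.toDom(authnRequest, doc));

        String webAppContext = getWebAppContext(message);
        RequestState requestState = new RequestState(
            new UriInfoImpl(message).getRequestUri().toString(),
            getIdpServiceAddress(),
            authnRequest.getID(),
            getIssuerId(message),
            webAppContext,
            getWebAppDomain(),
            System.currentTimeMillis());
        // A UUID string contains only hex digits and hyphens, so the encoding is a
        // safety measure rather than a transformation.
        String relayState = URLEncoder.encode(UUID.randomUUID().toString(), StandardCharsets.UTF_8.name());
        getStateProvider().setRequestState(relayState, requestState);

        SamlRequestInfo info = new SamlRequestInfo();
        info.setSamlRequest(encodedRequest);
        info.setRelayState(relayState);
        info.setWebAppContext(webAppContext);
        info.setWebAppDomain(getWebAppDomain());
        return info;
    }

    /**
     * Encodes the DOM form of the AuthnRequest for the binding the subclass implements.
     *
     * @param element the AuthnRequest as a DOM element
     * @return the encoded request value to send to the IdP
     * @throws IOException if encoding fails
     */
    protected abstract String encodeAuthnRequest(Element element) throws IOException;

    /**
     * Signs the AuthnRequest; called only when {@link #isSignRequest()} is {@code true}.
     *
     * @param authnRequest the request to sign, with its Destination already set
     * @throws Exception if signing fails
     */
    protected abstract void signAuthnRequest(AuthnRequest authnRequest) throws Exception;

    /**
     * Returns the absolute AssertionConsumerService URL to place in the AuthnRequest.
     *
     * <p>If no address was configured, the request's own absolute path is used, but only
     * when the RACS is collocated with this SP ({@link SSOConstants#RACS_IS_COLLOCATED});
     * otherwise an internal-server-error exception is thrown, because an AuthnRequest
     * without a consumer URL cannot be completed. A configured address that does not start
     * with {@code http} is resolved against the HTTP base path.
     *
     * @param message the current inbound message
     * @return the absolute consumer service URL
     */
    private String getAbsoluteAssertionServiceAddress(Message message) {
        if (this.assertionConsumerServiceAddress == null) {
            // NOTE(review): the collocation flag is read from the thread's current message
            // rather than the parameter; presumably the same object, left as-is.
            if (!Boolean.TRUE.equals(JAXRSUtils.getCurrentMessage().get(SSOConstants.RACS_IS_COLLOCATED))) {
                reportError("MISSING_ASSERTION_SERVICE_URL");
                throw ExceptionUtils.toInternalServerErrorException((Throwable) null, (Response) null);
            }
            // Derived from the first request that gets here and cached; the write is not synchronized.
            this.assertionConsumerServiceAddress = new UriInfoImpl(message).getAbsolutePath().toString();
        }
        if (this.assertionConsumerServiceAddress.startsWith("http")) {
            return this.assertionConsumerServiceAddress;
        }
        String basePath = (String) message.get(HTTP_BASE_PATH);
        return UriBuilder.fromUri(basePath).path(this.assertionConsumerServiceAddress).build().toString();
    }

    /**
     * Logs the localized message for {@code str} at WARNING level.
     *
     * @param str the key of the message in {@link #BUNDLE}
     */
    protected void reportError(String str) {
        LOG.warning(new org.apache.cxf.common.i18n.Message(str, BUNDLE, new Object[0]).toString());
    }

    /**
     * Logs the localized message for {@code str} at FINE level, if enabled.
     *
     * @param str the key of the message in {@link #BUNDLE}
     */
    protected void reportTrace(String str) {
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine(new org.apache.cxf.common.i18n.Message(str, BUNDLE, new Object[0]).toString());
        }
    }

    /**
     * Computes the web application context a state is bound to: {@code "/"} when contexts
     * are disabled, otherwise the raw path of the endpoint base URI (if
     * {@code addEndpointAddressToContext} is set) or of the HTTP base path.
     */
    private String getWebAppContext(Message message) {
        if (!this.addWebAppContext) {
            return "/";
        }
        if (this.addEndpointAddressToContext) {
            return new UriInfoImpl(message).getBaseUri().getRawPath();
        }
        return URI.create((String) message.get(HTTP_BASE_PATH)).getRawPath();
    }

    /** @return the configured web application domain, or {@code null} if none */
    public String getWebAppDomain() {
        return this.webAppDomain;
    }

    /** Sets the web application domain that stored states must be bound to. */
    public void setWebAppDomain(String str) {
        this.webAppDomain = str;
    }

    /** Sets whether stored states are bound to the web-app context (otherwise to "/"). */
    public void setAddWebAppContext(boolean z) {
        this.addWebAppContext = z;
    }

    /** @return the XML signature algorithm URI used when signing AuthnRequests */
    public String getSignatureAlgorithm() {
        return this.signatureAlgorithm;
    }

    /** Sets the XML signature algorithm URI used when signing AuthnRequests. */
    public void setSignatureAlgorithm(String str) {
        this.signatureAlgorithm = str;
    }
}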
