package org.pac4j.saml.transport;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.util.List;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;
import net.shibboleth.utilities.java.support.codec.Base64Support;
import net.shibboleth.utilities.java.support.collection.Pair;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.net.URLBuilder;
import net.shibboleth.utilities.java.support.xml.SerializeSupport;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.encoder.AbstractMessageEncoder;
import org.opensaml.messaging.encoder.MessageEncodingException;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.common.binding.BindingException;
import org.opensaml.saml.common.binding.SAMLBindingSupport;
import org.opensaml.saml.common.messaging.SAMLMessageSecuritySupport;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.opensaml.saml.saml2.core.StatusResponseType;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialSupport;
import org.opensaml.xmlsec.SignatureSigningParameters;
import org.opensaml.xmlsec.crypto.XMLSigningUtil;
import org.pac4j.core.exception.TechnicalException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;

/* loaded from: input_file:BOOT-INF/lib/pac4j-saml-2.1.0.jar:org/pac4j/saml/transport/Pac4jHTTPRedirectDeflateEncoder.class */
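/**
 * Encodes an outbound SAML message for the HTTP-Redirect binding: the message is marshalled,
 * DEFLATE-compressed, Base64-encoded and placed in the query string of the endpoint URL, and the
 * resulting URL is handed to the {@link Pac4jSAMLResponse} adapter as the redirect target.
 *
 * <p>Signing behaviour a reviewer should be aware of:
 * <ul>
 *   <li>Unless {@code forceSignRedirectBindingAuthnRequest} is set, any XML signature on the
 *       message is removed before encoding; integrity then rests only on the query-string
 *       signature ({@code SigAlg} / {@code Signature} parameters).</li>
 *   <li>The query-string signature is added only when the message context carries signing
 *       parameters with a signing credential. Otherwise the redirect URL is emitted unsigned
 *       and the only trace is a debug log line.</li>
 *   <li>The signature algorithm URI is used exactly as configured in the signing parameters;
 *       this class applies no allow-list, so rejecting weak algorithms has to happen where the
 *       signing parameters are built.</li>
 * </ul>
 */
public class Pac4jHTTPRedirectDeflateEncoder extends AbstractMessageEncoder<SAMLObject> {
    // Fixed: the logger was registered under Pac4jHTTPPostEncoder, so this encoder's output was
    // filed under (and filtered by) the POST encoder's logging category.
    private static final Logger log = LoggerFactory.getLogger(Pac4jHTTPRedirectDeflateEncoder.class);
    private final Pac4jSAMLResponse responseAdapter;
    private final boolean forceSignRedirectBindingAuthnRequest;

    /**
     * @param pac4jSAMLResponse adapter that receives the computed redirect URL
     * @param z                 value of {@code forceSignRedirectBindingAuthnRequest}: when
     *                          {@code true} the message's XML signature is kept inside the
     *                          encoded payload; when {@code false} it is stripped first
     */
    public Pac4jHTTPRedirectDeflateEncoder(Pac4jSAMLResponse pac4jSAMLResponse, boolean z) {
        this.responseAdapter = pac4jSAMLResponse;
        this.forceSignRedirectBindingAuthnRequest = z;
    }

    /**
     * Builds the redirect URL for the message in the current context and stores it on the
     * response adapter.
     *
     * @throws MessageEncodingException if the endpoint URL cannot be resolved or the message
     *                                  cannot be marshalled, compressed or signed
     */
    @Override
    protected void doEncode() throws MessageEncodingException {
        MessageContext<SAMLObject> messageContext = getMessageContext();
        SAMLObject message = messageContext.getMessage();
        String uri = getEndpointURL(messageContext).toString();
        // NOTE(review): the SAML 2.0 HTTP-Redirect binding expects the XML signature to be
        // removed and the query string to be signed instead. Keeping it (flag set) looks like an
        // interoperability accommodation; confirm the peer actually requires it, since it also
        // lengthens the URL.
        if (!this.forceSignRedirectBindingAuthnRequest) {
            removeSignature(message);
        }
        String buildRedirectURL = buildRedirectURL(messageContext, uri, deflateAndBase64Encode(message));
        this.responseAdapter.init();
        this.responseAdapter.setRedirectUrl(buildRedirectURL);
    }

    /**
     * Initialization hook; only logs that the encoder is ready.
     * (The decompiler reports that this override was widened from {@code protected} to
     * {@code public}; the visibility is kept as found.)
     */
    @Override
    public void doInitialize() throws ComponentInitializationException {
        log.debug("Initialized {}", getClass().getSimpleName());
    }

    /**
     * Resolves the destination endpoint for the message in the given context.
     *
     * @param messageContext current message context
     * @return the endpoint URL reported by {@link SAMLBindingSupport}
     * @throws MessageEncodingException if the binding support cannot determine the endpoint
     */
    protected URI getEndpointURL(MessageContext<SAMLObject> messageContext) throws MessageEncodingException {
        try {
            return SAMLBindingSupport.getEndpointURL(messageContext);
        } catch (BindingException e) {
            throw new MessageEncodingException("Could not obtain message endpoint URL", e);
        }
    }

    /**
     * Clears the XML signature from the message if it is signable and currently signed.
     * Messages that are not {@link SignableSAMLObject}s are left untouched.
     *
     * @param sAMLObject message to strip
     */
    protected void removeSignature(SAMLObject sAMLObject) {
        if (sAMLObject instanceof SignableSAMLObject) {
            SignableSAMLObject signableSAMLObject = (SignableSAMLObject) sAMLObject;
            if (signableSAMLObject.isSigned()) {
                log.debug("Removing SAML protocol message signature");
                signableSAMLObject.setSignature(null);
            }
        }
    }

    /**
     * Serializes the message to XML, compresses it as a raw DEFLATE stream and Base64-encodes
     * the result without line breaks.
     *
     * @param sAMLObject message to encode
     * @return Base64 text of the deflated XML
     * @throws MessageEncodingException if marshalling or compression fails
     */
    protected String deflateAndBase64Encode(SAMLObject sAMLObject) throws MessageEncodingException {
        log.debug("Deflating and Base64 encoding SAML message");
        String nodeToString = SerializeSupport.nodeToString(marshallMessage(sAMLObject));
        // The full protocol message is written at TRACE level; keep that level off wherever
        // logs are broadly readable.
        log.trace("Output XML message: {}", nodeToString);
        // nowrap=true produces a raw DEFLATE stream without the zlib header and checksum. The
        // first argument is a compression level; 8 is the value the original passes.
        Deflater deflater = new Deflater(8, true);
        try {
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            try (DeflaterOutputStream deflaterOutputStream = new DeflaterOutputStream(byteArrayOutputStream, deflater)) {
                deflaterOutputStream.write(nodeToString.getBytes(StandardCharsets.UTF_8));
                deflaterOutputStream.finish();
            }
            return Base64Support.encode(byteArrayOutputStream.toByteArray(), false);
        } catch (IOException e) {
            throw new MessageEncodingException("Unable to DEFLATE and Base64 encode SAML message", e);
        } finally {
            // A caller-supplied Deflater is not released when the stream is closed, so its
            // native buffers must be freed explicitly; previously they leaked until GC.
            deflater.end();
        }
    }

    /**
     * Marshals the object into a DOM element.
     *
     * @param xMLObject object to marshal
     * @return the marshalled DOM element
     * @throws MessageEncodingException if marshalling fails
     */
    protected Element marshallMessage(XMLObject xMLObject) throws MessageEncodingException {
        log.debug("Marshalling message");
        try {
            return XMLObjectSupport.marshall(xMLObject);
        } catch (MarshallingException e) {
            throw new MessageEncodingException("Error marshalling message", e);
        }
    }

    /**
     * Assembles the redirect URL: endpoint plus {@code SAMLRequest} or {@code SAMLResponse},
     * optional {@code RelayState}, and, when a signing credential is available, {@code SigAlg}
     * and {@code Signature}.
     *
     * @param messageContext context holding the message, relay state and signing parameters
     * @param str            endpoint URL as a string
     * @param str2           deflated, Base64-encoded message
     * @return the complete redirect URL
     * @throws MessageEncodingException if the endpoint is not a valid URL, the message is
     *                                  neither a request nor a status response, or signing fails
     */
    protected String buildRedirectURL(MessageContext<SAMLObject> messageContext, String str, String str2) throws MessageEncodingException {
        log.debug("Building URL to redirect client to");
        try {
            URLBuilder uRLBuilder = new URLBuilder(str);
            List<Pair<String, String>> queryParams = uRLBuilder.getQueryParams();
            // Any query parameters already present on the endpoint URL are discarded, so the
            // signed query string contains only the parameters added below.
            queryParams.clear();
            SAMLObject message = messageContext.getMessage();
            if (message instanceof RequestAbstractType) {
                queryParams.add(new Pair<>("SAMLRequest", str2));
            } else if (message instanceof StatusResponseType) {
                queryParams.add(new Pair<>("SAMLResponse", str2));
            } else {
                throw new MessageEncodingException("SAML message is neither a SAML RequestAbstractType or StatusResponseType");
            }
            String relayState = SAMLBindingSupport.getRelayState(messageContext);
            if (SAMLBindingSupport.checkRelayState(relayState)) {
                queryParams.add(new Pair<>("RelayState", relayState));
            }
            SignatureSigningParameters contextSigningParameters = SAMLMessageSecuritySupport.getContextSigningParameters(messageContext);
            if (contextSigningParameters == null || contextSigningParameters.getSigningCredential() == null) {
                // The URL goes out unsigned in this case. Deployments that rely on signed
                // redirects should verify the signing configuration, since nothing above DEBUG
                // reports it.
                log.debug("No signing credential was supplied, skipping HTTP-Redirect DEFLATE signing");
            } else {
                String signatureAlgorithmURI = getSignatureAlgorithmURI(contextSigningParameters);
                // Order matters: SigAlg must be in the query string before it is signed, and
                // Signature is appended only afterwards so it is not part of the signed input.
                queryParams.add(new Pair<>("SigAlg", signatureAlgorithmURI));
                queryParams.add(new Pair<>("Signature", generateSignature(contextSigningParameters.getSigningCredential(), signatureAlgorithmURI, uRLBuilder.buildQueryString())));
            }
            return uRLBuilder.buildURL();
        } catch (MalformedURLException e) {
            throw new MessageEncodingException("Endpoint URL " + str + " is not a valid URL", e);
        }
    }

    /**
     * Returns the signature algorithm URI configured in the signing parameters.
     *
     * @param signatureSigningParameters signing parameters from the message context
     * @return the configured algorithm URI, unmodified
     * @throws MessageEncodingException if no algorithm is configured
     */
    protected String getSignatureAlgorithmURI(SignatureSigningParameters signatureSigningParameters) throws MessageEncodingException {
        String signatureAlgorithm = signatureSigningParameters.getSignatureAlgorithm();
        if (signatureAlgorithm != null) {
            return signatureAlgorithm;
        }
        throw new MessageEncodingException("The signing algorithm URI could not be determined");
    }

    /**
     * Signs the UTF-8 bytes of the query string and returns the Base64-encoded signature.
     *
     * @param credential signing credential
     * @param str        signature algorithm URI
     * @param str2       query string to sign
     * @return Base64 signature value without line breaks
     * @throws MessageEncodingException if the signing operation fails
     */
    protected String generateSignature(Credential credential, String str, String str2) throws MessageEncodingException {
        // Previously the message was built eagerly with String.format, dereferencing the
        // signing key even with DEBUG off; a credential without a signing key then failed with
        // a NullPointerException from the log statement instead of a signing error.
        if (log.isDebugEnabled()) {
            log.debug("Generating signature with key type '{}', algorithm URI '{}' over query string '{}'", signingKeyAlgorithm(credential), str, str2);
        }
        try {
            String encode = Base64Support.encode(XMLSigningUtil.signWithURI(credential, str, str2.getBytes(StandardCharsets.UTF_8)), false);
            log.debug("Generated digital signature value (base64-encoded) {}", encode);
            return encode;
        } catch (SecurityException e) {
            throw new MessageEncodingException("Unable to sign URL query string", e);
        }
    }

    /** Returns the signing key's algorithm name for logging, tolerating a missing key. */
    private static String signingKeyAlgorithm(Credential credential) {
        Key signingKey = CredentialSupport.extractSigningKey(credential);
        return signingKey == null ? "<no signing key>" : signingKey.getAlgorithm();
    }
}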
