package org.cloudfoundry.identity.uaa.provider.saml.idp;

import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;
import javax.xml.namespace.QName;
import org.cloudfoundry.identity.uaa.authentication.UaaAuthenticationJsonBase;
import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
import org.cloudfoundry.identity.uaa.scim.ScimUser;
import org.cloudfoundry.identity.uaa.scim.jdbc.JdbcScimUserProvisioning;
import org.cloudfoundry.identity.uaa.util.log.SyslogAppender;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.common.SAMLException;
import org.opensaml.common.SAMLVersion;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.AttributeValue;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.AuthnContext;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.Status;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.saml2.core.SubjectConfirmationData;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.Endpoint;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.xml.XMLObjectBuilder;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.schema.XSString;
import org.opensaml.xml.security.SecurityConfiguration;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureException;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.signature.impl.SignatureImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.websso.WebSSOProfileImpl;
import org.springframework.util.StringUtils;

/* loaded from: input_file:org/cloudfoundry/identity/uaa/provider/saml/idp/IdpWebSsoProfileImpl.class */
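/**
 * IdP-side Web SSO profile: turns an authenticated UAA {@link Authentication} into a SAML 2.0
 * {@link Response} carrying one bearer {@link Assertion} for the requesting service provider, signs
 * the assertion when either side requires it, and sends the response to the SP's assertion consumer
 * service.
 *
 * <p>The OpenSAML {@code builderFactory} and the {@code generateID}/{@code getIssuer}/
 * {@code getAssertionConsumerService}/{@code sendMessage} helpers are inherited from
 * {@link WebSSOProfileImpl}. The two provisioning collaborators are injected through the setters at
 * the bottom of the class and must be set before {@link #sendResponse} is used.
 */
public class IdpWebSsoProfileImpl extends WebSSOProfileImpl implements IdpWebSsoProfile {

    // NameID formats this IdP can honour when the SP's AuthnRequest asks for a specific one.
    private static final String NAMEID_FORMAT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
    private static final String NAMEID_FORMAT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";
    private static final String NAMEID_FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";

    private static final String AUTHN_CONTEXT_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password";
    private static final String SUBJECT_CONFIRMATION_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer";
    private static final String STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";

    // Keys of SamlServiceProviderDefinition#getAttributeMappings that this profile honours.
    private static final String MAPPING_GIVEN_NAME = "given_name";
    private static final String MAPPING_FAMILY_NAME = "family_name";
    private static final String MAPPING_PHONE_NUMBER = "phone_number";

    private JdbcSamlServiceProviderProvisioning samlServiceProviderProvisioning;
    private JdbcScimUserProvisioning scimUserProvisioning;

    /**
     * Builds the SAML Response for {@code authentication} and sends it to the peer SP.
     *
     * <p>The second argument to {@code sendMessage} is {@code false}; presumably that is the
     * inherited profile's "sign the outbound message" flag (confirm against {@code WebSSOProfileImpl}),
     * in which case the Response envelope leaves unsigned and only the embedded Assertion is signed,
     * and only when {@link #buildResponse} decides it must be.
     *
     * @param authentication the authenticated UAA user; its principal must be a {@link UaaPrincipal}
     * @param sAMLMessageContext context holding the inbound AuthnRequest, both entities' metadata and
     *     the local signing credential; the outbound Response is stored on it
     * @param idpWebSSOProfileOptions assertion TTL and signing preference for this exchange
     * @throws SAMLException if the requested NameID format is not supported
     * @throws MetadataProviderException if the SP's assertion consumer service cannot be resolved
     * @throws MessageEncodingException if the response cannot be encoded for transport
     * @throws SecurityException if signature parameters cannot be prepared
     * @throws MarshallingException if the assertion cannot be marshalled before signing
     * @throws SignatureException if signing the assertion fails
     */
    @Override // org.cloudfoundry.identity.uaa.provider.saml.idp.IdpWebSsoProfile
    public void sendResponse(Authentication authentication, SAMLMessageContext sAMLMessageContext, IdpWebSSOProfileOptions idpWebSSOProfileOptions) throws SAMLException, MetadataProviderException, MessageEncodingException, SecurityException, MarshallingException, SignatureException {
        buildResponse(authentication, sAMLMessageContext, idpWebSSOProfileOptions);
        sendMessage(sAMLMessageContext, false);
    }

    /**
     * Builds a synthetic AuthnRequest for an IdP-initiated login, so that the rest of the profile can
     * run the same code path it uses for SP-initiated requests.
     *
     * <p>No request ID is assigned: the request is never sent to an SP, and a null ID means the
     * resulting Response and SubjectConfirmationData carry no {@code InResponseTo}.
     *
     * @param str the NameID format to request, or {@code null} to leave the Subject unset
     * @param str2 the SP entity id, used as the request issuer
     * @param str3 the SP's assertion consumer service URL
     * @return a new, unsigned AuthnRequest
     */
    @Override // org.cloudfoundry.identity.uaa.provider.saml.idp.IdpWebSsoProfile
    public AuthnRequest buildIdpInitiatedAuthnRequest(String str, String str2, String str3) {
        AuthnRequest request = newSamlObject(AuthnRequest.DEFAULT_ELEMENT_NAME);
        request.setVersion(SAMLVersion.VERSION_20);
        request.setIssuer(getIssuer(str2));
        request.setIssueInstant(new DateTime());
        request.setID(null);
        request.setAssertionConsumerServiceURL(str3);
        if (str != null) {
            NameID nameId = newSamlObject(NameID.DEFAULT_ELEMENT_NAME);
            nameId.setFormat(str);
            Subject subject = newSamlObject(Subject.DEFAULT_ELEMENT_NAME);
            subject.setNameID(nameId);
            request.setSubject(subject);
        }
        return request;
    }

    /**
     * Assembles the outbound Response (with its single Assertion) and stores it on the context.
     *
     * <p>The assertion consumer service is resolved from metadata, not taken from the inbound request,
     * and becomes both the peer endpoint and the Response {@code Destination}.
     *
     * @throws SAMLException if the requested NameID format is not supported
     * @throws MetadataProviderException if the assertion consumer service cannot be resolved
     * @throws SecurityException if signature parameters cannot be prepared
     * @throws MarshallingException if the assertion cannot be marshalled before signing
     * @throws SignatureException if signing the assertion fails
     */
    protected void buildResponse(Authentication authentication, SAMLMessageContext sAMLMessageContext, IdpWebSSOProfileOptions idpWebSSOProfileOptions) throws MetadataProviderException, SecurityException, MarshallingException, SignatureException, SAMLException {
        IDPSSODescriptor idpDescriptor = (IDPSSODescriptor) sAMLMessageContext.getLocalEntityRoleMetadata();
        SPSSODescriptor spDescriptor = (SPSSODescriptor) sAMLMessageContext.getPeerEntityRoleMetadata();
        AuthnRequest authnRequest = (AuthnRequest) sAMLMessageContext.getInboundSAMLMessage();

        AssertionConsumerService consumerService = getAssertionConsumerService(idpWebSSOProfileOptions, idpDescriptor, spDescriptor);
        sAMLMessageContext.setPeerEntityEndpoint(consumerService);

        Assertion assertion = buildAssertion(authentication, authnRequest, idpWebSSOProfileOptions,
                sAMLMessageContext.getPeerEntityId(), sAMLMessageContext.getLocalEntityId());

        // Sign when either our own options or the SP's metadata ask for it. WantAssertionsSigned is
        // optional in SP metadata, so a missing value is treated as "not required" instead of
        // failing with an NPE on unboxing.
        if (idpWebSSOProfileOptions.isAssertionsSigned() || Boolean.TRUE.equals(spDescriptor.getWantAssertionsSigned())) {
            signAssertion(assertion, sAMLMessageContext.getLocalSigningCredential());
        }

        Response response = createResponse(sAMLMessageContext, consumerService, assertion, authnRequest);
        sAMLMessageContext.setOutboundMessage(response);
        sAMLMessageContext.setOutboundSAMLMessage(response);
    }

    /** Wraps {@code assertion} in a Response addressed to {@code consumerService} with status Success. */
    private Response createResponse(SAMLMessageContext context, AssertionConsumerService consumerService, Assertion assertion, AuthnRequest authnRequest) {
        Response response = newSamlObject(Response.DEFAULT_ELEMENT_NAME);
        buildCommonAttributes(context.getLocalEntityId(), response, consumerService, authnRequest);
        response.getAssertions().add(assertion);
        buildStatusSuccess(response);
        return response;
    }

    /**
     * Sets the Response header fields: fresh ID, issuer, InResponseTo (the request ID, which may be
     * null for IdP-initiated flows), version, issue instant and, when an endpoint is known, Destination.
     */
    private void buildCommonAttributes(String issuerEntityId, Response response, Endpoint endpoint, AuthnRequest authnRequest) {
        response.setID(generateID());
        response.setIssuer(getIssuer(issuerEntityId));
        response.setInResponseTo(authnRequest.getID());
        response.setVersion(SAMLVersion.VERSION_20);
        response.setIssueInstant(new DateTime());
        if (endpoint != null) {
            response.setDestination(endpoint.getLocation());
        }
    }

    /**
     * Builds the (not yet signed) Assertion: authentication statement, conditions, subject and
     * attribute statement.
     *
     * @param spEntityId the audience and the SP whose attribute configuration applies
     * @param idpEntityId the assertion issuer
     * @throws SAMLException if the requested NameID format is not supported
     */
    private Assertion buildAssertion(Authentication authentication, AuthnRequest authnRequest, IdpWebSSOProfileOptions options, String spEntityId, String idpEntityId) throws SAMLException {
        int ttlSeconds = options.getAssertionTimeToLiveSeconds();
        Assertion assertion = newSamlObject(Assertion.DEFAULT_ELEMENT_NAME);
        assertion.setID(generateID());
        assertion.setIssueInstant(new DateTime());
        assertion.setVersion(SAMLVersion.VERSION_20);
        assertion.setIssuer(getIssuer(idpEntityId));
        buildAssertionAuthnStatement(assertion);
        buildAssertionConditions(assertion, ttlSeconds, spEntityId);
        buildAssertionSubject(assertion, authnRequest, ttlSeconds, (UaaPrincipal) authentication.getPrincipal());
        buildAttributeStatement(assertion, authentication, spEntityId);
        return assertion;
    }

    /**
     * Adds an AuthnStatement with a fresh SessionIndex.
     *
     * <p>NOTE(review): the AuthnContextClassRef is fixed to the Password class regardless of how the
     * user actually authenticated at UAA, so an SP cannot use it to reason about authentication
     * strength.
     */
    private void buildAssertionAuthnStatement(Assertion assertion) {
        AuthnContextClassRef classRef = newSamlObject(AuthnContextClassRef.DEFAULT_ELEMENT_NAME);
        classRef.setAuthnContextClassRef(AUTHN_CONTEXT_PASSWORD);
        AuthnContext authnContext = newSamlObject(AuthnContext.DEFAULT_ELEMENT_NAME);
        authnContext.setAuthnContextClassRef(classRef);

        AuthnStatement statement = newSamlObject(AuthnStatement.DEFAULT_ELEMENT_NAME);
        statement.setAuthnInstant(new DateTime());
        statement.setSessionIndex(generateID());
        statement.setAuthnContext(authnContext);
        assertion.getAuthnStatements().add(statement);
    }

    /**
     * Restricts the assertion to the window [now, now + ttlSeconds) and to the single audience
     * {@code audienceUri} (the SP entity id). NotBefore is exactly "now", with no clock-skew allowance.
     */
    private void buildAssertionConditions(Assertion assertion, int ttlSeconds, String audienceUri) {
        Audience audience = newSamlObject(Audience.DEFAULT_ELEMENT_NAME);
        audience.setAudienceURI(audienceUri);
        AudienceRestriction restriction = newSamlObject(AudienceRestriction.DEFAULT_ELEMENT_NAME);
        restriction.getAudiences().add(audience);

        Conditions conditions = newSamlObject(Conditions.DEFAULT_ELEMENT_NAME);
        conditions.setNotBefore(new DateTime());
        conditions.setNotOnOrAfter(new DateTime().plusSeconds(ttlSeconds));
        conditions.getAudienceRestrictions().add(restriction);
        assertion.setConditions(conditions);
    }

    /**
     * Builds the Subject: a NameID in the format the SP requested (defaulting to "unspecified",
     * carrying the user name) plus one bearer SubjectConfirmation valid for {@code ttlSeconds}.
     *
     * <p>NOTE(review): the confirmation's {@code Recipient} is copied from the inbound AuthnRequest's
     * AssertionConsumerServiceURL, while the Response {@code Destination} set in
     * {@link #buildResponse} is the metadata-resolved endpoint. The two can differ, and the request
     * value should have been validated against SP metadata before reaching this point — confirm where
     * that validation happens.
     *
     * @throws SAMLException if the request names a NameID format this IdP does not support
     */
    private void buildAssertionSubject(Assertion assertion, AuthnRequest authnRequest, int ttlSeconds, UaaPrincipal principal) throws SAMLException {
        String format = NAMEID_FORMAT_UNSPECIFIED;
        String value = principal.getName();
        String requestedFormat = requestedNameIdFormat(authnRequest);
        if (requestedFormat != null) {
            format = requestedFormat;
            value = resolveNameIdValue(requestedFormat, principal);
        }

        NameID nameId = newSamlObject(NameID.DEFAULT_ELEMENT_NAME);
        nameId.setValue(value);
        nameId.setFormat(format);
        Subject subject = newSamlObject(Subject.DEFAULT_ELEMENT_NAME);
        subject.setNameID(nameId);

        SubjectConfirmationData confirmationData = newSamlObject(SubjectConfirmationData.DEFAULT_ELEMENT_NAME);
        confirmationData.setNotOnOrAfter(new DateTime().plusSeconds(ttlSeconds));
        confirmationData.setInResponseTo(authnRequest.getID());
        confirmationData.setRecipient(authnRequest.getAssertionConsumerServiceURL());
        SubjectConfirmation confirmation = newSamlObject(SubjectConfirmation.DEFAULT_ELEMENT_NAME);
        confirmation.setMethod(SUBJECT_CONFIRMATION_BEARER);
        confirmation.setSubjectConfirmationData(confirmationData);
        subject.getSubjectConfirmations().add(confirmation);
        assertion.setSubject(subject);
    }

    /** Returns the NameID format the request asks for, or {@code null} if it asks for none. */
    private static String requestedNameIdFormat(AuthnRequest authnRequest) {
        Subject requestedSubject = authnRequest.getSubject();
        if (requestedSubject == null || requestedSubject.getNameID() == null) {
            return null;
        }
        return requestedSubject.getNameID().getFormat();
    }

    /**
     * Maps a supported NameID format to the principal attribute that serves as the identifier.
     *
     * @throws SAMLException for any format other than emailAddress, persistent or unspecified
     */
    private static String resolveNameIdValue(String format, UaaPrincipal principal) throws SAMLException {
        switch (format) {
            case NAMEID_FORMAT_EMAIL:
                return principal.getEmail();
            case NAMEID_FORMAT_PERSISTENT:
                return principal.getId();
            case NAMEID_FORMAT_UNSPECIFIED:
                return principal.getName();
            default:
                throw new SAMLException("The NameIDType '" + format + "' is not supported.");
        }
    }

    /**
     * Adds the AttributeStatement: the user's authorities and core principal fields, the SP's static
     * custom attributes, and any SCIM name/phone fields the SP has mapped.
     *
     * @param assertion the assertion to extend
     * @param authentication the authenticated user; its principal must be a {@link UaaPrincipal}
     * @param str the SP entity id whose {@code SamlServiceProviderDefinition} drives the custom and
     *     mapped attributes; it is looked up in the current identity zone
     */
    protected void buildAttributeStatement(Assertion assertion, Authentication authentication, String str) {
        AttributeStatement statement = newSamlObject(AttributeStatement.DEFAULT_ELEMENT_NAME);
        List<Attribute> attributes = statement.getAttributes();

        List<String> authorities = authentication.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toList());
        attributes.add(buildStringAttribute(UaaAuthenticationJsonBase.AUTHORITIES, authorities));

        UaaPrincipal principal = (UaaPrincipal) authentication.getPrincipal();
        attributes.add(singleValuedAttribute("email", principal.getEmail()));
        attributes.add(singleValuedAttribute("id", principal.getId()));
        attributes.add(singleValuedAttribute("name", principal.getName()));
        attributes.add(singleValuedAttribute("origin", principal.getOrigin()));
        attributes.add(singleValuedAttribute("zoneId", principal.getZoneId()));

        String zoneId = IdentityZoneHolder.get().getId();
        SamlServiceProviderDefinition config = this.samlServiceProviderProvisioning.retrieveByEntityId(str, zoneId).getConfig();
        addStaticCustomAttributes(attributes, config);
        addMappedUserAttributes(attributes, config, principal.getId(), zoneId);

        assertion.getAttributeStatements().add(statement);
    }

    /** Builds an attribute with exactly one value (the value may be null, yielding an empty element). */
    private Attribute singleValuedAttribute(String name, String value) {
        return buildStringAttribute(name, Collections.singletonList(value));
    }

    /**
     * Adds each non-null static custom attribute from the SP definition. A List value becomes a
     * multi-valued attribute; any other value becomes a single-valued one. Null list elements are
     * emitted as {@link UaaAuthenticationJsonBase#NULL_STRING}, everything else via {@code toString()}.
     */
    private void addStaticCustomAttributes(List<Attribute> attributes, SamlServiceProviderDefinition config) {
        Map<?, ?> staticAttributes = config.getStaticCustomAttributes();
        if (staticAttributes == null) {
            return;
        }
        for (Map.Entry<?, ?> entry : staticAttributes.entrySet()) {
            Object rawValue = entry.getValue();
            if (rawValue == null) {
                continue;
            }
            List<?> rawValues = rawValue instanceof List ? (List<?>) rawValue : Collections.singletonList(rawValue);
            List<String> values = rawValues.stream()
                    .map(IdpWebSsoProfileImpl::stringifyAttributeValue)
                    .collect(Collectors.toList());
            attributes.add(buildStringAttribute((String) entry.getKey(), values));
        }
    }

    /** Renders one custom attribute element, substituting the NULL_STRING marker for null. */
    private static String stringifyAttributeValue(Object value) {
        return value == null ? UaaAuthenticationJsonBase.NULL_STRING : value.toString();
    }

    /**
     * Adds the SCIM given name, family name and phone number under the SP's mapped attribute names.
     * The SCIM user is only loaded when at least one mapping is configured.
     */
    private void addMappedUserAttributes(List<Attribute> attributes, SamlServiceProviderDefinition config, String userId, String zoneId) {
        Map<?, ?> mappings = config.getAttributeMappings();
        if (mappings == null || mappings.isEmpty()) {
            return;
        }
        ScimUser user = this.scimUserProvisioning.retrieve(userId, zoneId);
        addMappedAttribute(attributes, mappings, MAPPING_GIVEN_NAME, user.getGivenName());
        addMappedAttribute(attributes, mappings, MAPPING_FAMILY_NAME, user.getFamilyName());
        addMappedAttribute(attributes, mappings, MAPPING_PHONE_NUMBER, this.scimUserProvisioning.extractPhoneNumber(user));
    }

    /** Adds {@code value} under the mapped name for {@code mappingKey}, if the value is non-blank and a mapping exists. */
    private void addMappedAttribute(List<Attribute> attributes, Map<?, ?> mappings, String mappingKey, String value) {
        if (StringUtils.hasText(value) && mappings.containsKey(mappingKey)) {
            attributes.add(buildStringAttribute(mappings.get(mappingKey).toString(), Collections.singletonList(value)));
        }
    }

    /**
     * Builds a SAML Attribute named {@code str} whose values are xs:string elements, one per entry of
     * {@code list} (in order).
     *
     * @param str the attribute name
     * @param list the values; must be non-null, may be empty, entries may be null
     * @return the populated attribute
     */
    public Attribute buildStringAttribute(String str, List<String> list) {
        Attribute attribute = newSamlObject(Attribute.DEFAULT_ELEMENT_NAME);
        attribute.setName(str);
        XMLObjectBuilder<?> stringBuilder = this.builderFactory.getBuilder(XSString.TYPE_NAME);
        for (String value : list) {
            XSString attributeValue = (XSString) stringBuilder.buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSString.TYPE_NAME);
            attributeValue.setValue(value);
            attribute.getAttributeValues().add(attributeValue);
        }
        return attribute;
    }

    /** Sets the top-level status code to Success. */
    private void buildStatusSuccess(Response response) {
        buildStatus(response, STATUS_SUCCESS);
    }

    /** Sets the response Status to a single StatusCode with the given value URI. */
    private void buildStatus(Response response, String statusCodeUri) {
        StatusCode statusCode = newSamlObject(StatusCode.DEFAULT_ELEMENT_NAME);
        statusCode.setValue(statusCodeUri);
        Status status = newSamlObject(Status.DEFAULT_ELEMENT_NAME);
        status.setStatusCode(statusCode);
        response.setStatus(status);
    }

    /**
     * Signs the assertion with the IdP's local signing credential, using OpenSAML's default signature
     * parameters (no explicit security configuration or key-info generator is passed).
     *
     * <p>The assertion is marshalled to DOM before {@link Signer#signObject} runs, since the signature
     * is computed over the serialized form.
     *
     * @throws SecurityException if signature parameters cannot be derived from the credential
     * @throws MarshallingException if the assertion cannot be marshalled
     * @throws SignatureException if signing fails
     */
    private void signAssertion(Assertion assertion, Credential credential) throws SecurityException, MarshallingException, SignatureException {
        Signature signature = newSamlObject(Signature.DEFAULT_ELEMENT_NAME);
        signature.setSigningCredential(credential);
        SecurityHelper.prepareSignatureParams(signature, credential, (SecurityConfiguration) null, (String) null);
        assertion.setSignature(signature);
        Configuration.getMarshallerFactory().getMarshaller(assertion).marshall(assertion);
        Signer.signObject(signature);
    }

    /**
     * Creates a fresh SAML object for {@code elementName} through the inherited builder factory.
     * The cast is unchecked because the factory only exposes the raw builder; callers pass the
     * {@code DEFAULT_ELEMENT_NAME} of the type they assign the result to.
     */
    @SuppressWarnings("unchecked")
    private <T> T newSamlObject(QName elementName) {
        return (T) this.builderFactory.getBuilder(elementName).buildObject(elementName);
    }

    public void setSamlServiceProviderProvisioning(JdbcSamlServiceProviderProvisioning jdbcSamlServiceProviderProvisioning) {
        this.samlServiceProviderProvisioning = jdbcSamlServiceProviderProvisioning;
    }

    public void setScimUserProvisioning(JdbcScimUserProvisioning jdbcScimUserProvisioning) {
        this.scimUserProvisioning = jdbcScimUserProvisioning;
    }
}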
