package org.cloudfoundry.identity.uaa.provider.saml.idp;

import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;
import javax.xml.namespace.QName;
import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
import org.cloudfoundry.identity.uaa.scim.ScimUser;
import org.cloudfoundry.identity.uaa.scim.jdbc.JdbcScimUserProvisioning;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.common.SAMLException;
import org.opensaml.common.SAMLObjectBuilder;
import org.opensaml.common.SAMLVersion;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.AttributeValue;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.AuthnContext;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.NameIDType;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.Status;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.saml2.core.SubjectConfirmationData;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.Endpoint;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.xml.XMLObjectBuilder;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.schema.XSString;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureException;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.signature.impl.SignatureBuilder;
import org.opensaml.xml.signature.impl.SignatureImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.websso.WebSSOProfileImpl;
import org.springframework.util.StringUtils;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.24.0.jar:org/cloudfoundry/identity/uaa/provider/saml/idp/IdpWebSsoProfileImpl.class */
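/**
 * IdP side of the SAML 2.0 Web SSO profile.
 *
 * <p>Builds a {@link Response} carrying exactly one {@link Assertion} for the
 * authenticated user (authn statement, conditions, bearer subject and an attribute
 * statement), optionally signs the assertion, and hands the response to the
 * inherited sender. It also synthesises the {@link AuthnRequest} an IdP-initiated
 * login needs so that both flows share the same response-building path.
 *
 * <p>No per-request state is kept in fields; the only mutable state is the two
 * provisioning collaborators injected through the setters.
 */
public class IdpWebSsoProfileImpl extends WebSSOProfileImpl implements IdpWebSsoProfile {

    /** SAML 1.1 NameID formats the IdP honours besides {@link NameIDType#PERSISTENT}. */
    private static final String NAMEID_FORMAT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
    private static final String NAMEID_FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";

    /** Keys of the SP definition's attribute mappings; each maps a SCIM user field to the SAML attribute name to emit it under. */
    private static final String MAPPING_GIVEN_NAME = "given_name";
    private static final String MAPPING_FAMILY_NAME = "family_name";
    private static final String MAPPING_PHONE_NUMBER = "phone_number";
    private static final String MAPPING_EMAIL = "email";

    // Resolves the SP definition (static attributes, attribute mappings) by entity ID and zone.
    private JdbcSamlServiceProviderProvisioning samlServiceProviderProvisioning;
    // Only consulted when the SP has attribute mappings configured (see addMappedScimAttributes).
    private JdbcScimUserProvisioning scimUserProvisioning;

    /**
     * Builds the SAML Response for {@code authentication} into {@code context} and sends it.
     *
     * @param authentication completed local authentication; its principal must be a {@link UaaPrincipal}
     * @param context        message context holding local/peer metadata and the inbound {@link AuthnRequest}
     * @param options        per-request options (assertion lifetime, whether to sign the assertion)
     * @throws SAMLException             if the requested NameID format is not supported
     * @throws MetadataProviderException if the SP's assertion consumer service cannot be resolved
     * @throws MessageEncodingException  if the outbound message cannot be encoded
     * @throws SecurityException         if signature parameters cannot be prepared
     * @throws MarshallingException      if the assertion cannot be marshalled for signing
     * @throws SignatureException        if signing the assertion fails
     */
    @Override
    public void sendResponse(Authentication authentication, SAMLMessageContext context, IdpWebSSOProfileOptions options)
            throws SAMLException, MetadataProviderException, MessageEncodingException, SecurityException,
            MarshallingException, SignatureException {
        buildResponse(authentication, context, options);
        // NOTE(review): the boolean is presumably the inherited "sign the message" flag — confirm.
        // The assertion itself is signed (or not) in buildResponse; this call does not sign the Response envelope.
        sendMessage(context, false);
    }

    /**
     * Synthesises the AuthnRequest an SP would have sent, so an IdP-initiated login can be
     * processed exactly like an SP-initiated one.
     *
     * @param nameIdFormat         NameID format to request, or {@code null} to omit the Subject
     * @param spEntityId           entity ID written as the request Issuer
     * @param assertionConsumerUrl SP endpoint the eventual response is addressed to
     * @return the unsigned request; its ID is deliberately {@code null}
     */
    @Override
    public AuthnRequest buildIdpInitiatedAuthnRequest(String nameIdFormat, String spEntityId, String assertionConsumerUrl) {
        AuthnRequest request = buildSamlObject(AuthnRequest.DEFAULT_ELEMENT_NAME);
        request.setVersion(SAMLVersion.VERSION_20);
        request.setIssuer(getIssuer(spEntityId));
        request.setIssueInstant(new DateTime());
        // No real request exists, so there is nothing for InResponseTo to reference:
        // buildCommonAttributes and buildAssertionSubject copy this ID verbatim.
        request.setID(null);
        request.setAssertionConsumerServiceURL(assertionConsumerUrl);
        if (nameIdFormat != null) {
            NameID nameId = buildSamlObject(NameID.DEFAULT_ELEMENT_NAME);
            nameId.setFormat(nameIdFormat);
            Subject subject = buildSamlObject(Subject.DEFAULT_ELEMENT_NAME);
            subject.setNameID(nameId);
            request.setSubject(subject);
        }
        return request;
    }

    /**
     * Assembles the outbound Response on {@code context}: resolves the SP endpoint, builds the
     * assertion, signs it when either the options or the SP metadata ask for it, and stores the
     * result as both the outbound message and the outbound SAML message.
     *
     * @param authentication completed local authentication
     * @param context        message context; updated with the peer endpoint and the outbound response
     * @param options        per-request options
     * @throws MetadataProviderException if the assertion consumer service cannot be resolved
     * @throws SecurityException         if signature parameters cannot be prepared
     * @throws MarshallingException      if the assertion cannot be marshalled for signing
     * @throws SignatureException        if signing fails
     * @throws SAMLException             if the requested NameID format is not supported
     */
    protected void buildResponse(Authentication authentication, SAMLMessageContext context, IdpWebSSOProfileOptions options)
            throws MetadataProviderException, SecurityException, MarshallingException, SignatureException, SAMLException {
        IDPSSODescriptor idpDescriptor = (IDPSSODescriptor) context.getLocalEntityRoleMetadata();
        SPSSODescriptor spDescriptor = (SPSSODescriptor) context.getPeerEntityRoleMetadata();
        AuthnRequest authnRequest = (AuthnRequest) context.getInboundSAMLMessage();

        // The endpoint comes from the inherited lookup against the SP descriptor, not from the request body.
        AssertionConsumerService acs = getAssertionConsumerService(options, idpDescriptor, spDescriptor);
        context.setPeerEntityEndpoint(acs);

        Assertion assertion = buildAssertion(authentication, authnRequest, options,
                context.getPeerEntityId(), context.getLocalEntityId());
        // Sign whenever either side requires it; an absent WantAssertionsSigned counts as "not required".
        if (options.isAssertionsSigned() || Boolean.TRUE.equals(spDescriptor.getWantAssertionsSigned())) {
            signAssertion(assertion, context.getLocalSigningCredential());
        }

        Response response = createResponse(context, acs, assertion, authnRequest);
        context.setOutboundMessage(response);
        context.setOutboundSAMLMessage(response);
    }

    /** Wraps {@code assertion} in a success Response addressed to {@code acs}. */
    private Response createResponse(SAMLMessageContext context, AssertionConsumerService acs,
                                    Assertion assertion, AuthnRequest authnRequest) {
        Response response = buildSamlObject(Response.DEFAULT_ELEMENT_NAME);
        buildCommonAttributes(context.getLocalEntityId(), response, acs, authnRequest);
        response.getAssertions().add(assertion);
        buildStatusSuccess(response);
        return response;
    }

    /**
     * Sets ID, Issuer, InResponseTo, Version, IssueInstant and (when an endpoint is known) Destination.
     * InResponseTo mirrors the request ID, so it is empty for IdP-initiated requests.
     */
    private void buildCommonAttributes(String localEntityId, Response response, Endpoint endpoint, AuthnRequest authnRequest) {
        response.setID(generateID());
        response.setIssuer(getIssuer(localEntityId));
        response.setInResponseTo(authnRequest.getID());
        response.setVersion(SAMLVersion.VERSION_20);
        response.setIssueInstant(new DateTime());
        if (endpoint != null) {
            response.setDestination(endpoint.getLocation());
        }
    }

    /**
     * Builds the single assertion: authn statement, conditions (audience = SP, lifetime from options),
     * bearer subject and attribute statement.
     *
     * @param spEntityId    audience of the assertion and key for the SP definition lookup
     * @param localEntityId written as the assertion Issuer
     * @throws SAMLException if the requested NameID format is not supported
     */
    private Assertion buildAssertion(Authentication authentication, AuthnRequest authnRequest,
                                     IdpWebSSOProfileOptions options, String spEntityId, String localEntityId)
            throws SAMLException {
        Assertion assertion = buildSamlObject(Assertion.DEFAULT_ELEMENT_NAME);
        assertion.setID(generateID());
        assertion.setIssueInstant(new DateTime());
        assertion.setVersion(SAMLVersion.VERSION_20);
        assertion.setIssuer(getIssuer(localEntityId));
        int timeToLiveSeconds = options.getAssertionTimeToLiveSeconds();
        buildAssertionAuthnStatement(assertion);
        buildAssertionConditions(assertion, timeToLiveSeconds, spEntityId);
        buildAssertionSubject(assertion, authnRequest, timeToLiveSeconds, (UaaPrincipal) authentication.getPrincipal());
        buildAttributeStatement(assertion, authentication, spEntityId);
        return assertion;
    }

    /**
     * Adds an AuthnStatement stamped "now" with a fresh session index.
     * The AuthnContext is always reported as the password context, regardless of how the
     * user actually authenticated; SPs that make decisions on AuthnContext should not rely on it here.
     */
    private void buildAssertionAuthnStatement(Assertion assertion) {
        AuthnStatement authnStatement = buildSamlObject(AuthnStatement.DEFAULT_ELEMENT_NAME);
        authnStatement.setAuthnInstant(new DateTime());
        authnStatement.setSessionIndex(generateID());

        AuthnContextClassRef classRef = buildSamlObject(AuthnContextClassRef.DEFAULT_ELEMENT_NAME);
        classRef.setAuthnContextClassRef(AuthnContext.PASSWORD_AUTHN_CTX);
        AuthnContext authnContext = buildSamlObject(AuthnContext.DEFAULT_ELEMENT_NAME);
        authnContext.setAuthnContextClassRef(classRef);

        authnStatement.setAuthnContext(authnContext);
        assertion.getAuthnStatements().add(authnStatement);
    }

    /**
     * Adds Conditions restricting the assertion to {@code audienceUri} and to the window
     * [now, now + {@code timeToLiveSeconds}). NotBefore is exactly "now": no clock-skew allowance
     * is built in, so an SP whose clock runs behind may reject the assertion.
     */
    private void buildAssertionConditions(Assertion assertion, int timeToLiveSeconds, String audienceUri) {
        Conditions conditions = buildSamlObject(Conditions.DEFAULT_ELEMENT_NAME);
        conditions.setNotBefore(new DateTime());
        conditions.setNotOnOrAfter(new DateTime().plusSeconds(timeToLiveSeconds));

        Audience audience = buildSamlObject(Audience.DEFAULT_ELEMENT_NAME);
        audience.setAudienceURI(audienceUri);
        AudienceRestriction restriction = buildSamlObject(AudienceRestriction.DEFAULT_ELEMENT_NAME);
        restriction.getAudiences().add(audience);

        conditions.getAudienceRestrictions().add(restriction);
        assertion.setConditions(conditions);
    }

    /**
     * Adds the bearer Subject. The NameID format is the one the SP requested (or "unspecified"),
     * and the value is the matching principal field.
     *
     * @throws SAMLException if the requested NameID format is not one this IdP supports
     */
    private void buildAssertionSubject(Assertion assertion, AuthnRequest authnRequest, int timeToLiveSeconds, UaaPrincipal principal)
            throws SAMLException {
        String format = requestedNameIdFormat(authnRequest);
        NameID nameId = buildSamlObject(NameID.DEFAULT_ELEMENT_NAME);
        nameId.setValue(nameIdValueFor(format, principal));
        nameId.setFormat(format);
        Subject subject = buildSamlObject(Subject.DEFAULT_ELEMENT_NAME);
        subject.setNameID(nameId);

        SubjectConfirmation confirmation = buildSamlObject(SubjectConfirmation.DEFAULT_ELEMENT_NAME);
        confirmation.setMethod(SubjectConfirmation.METHOD_BEARER);
        SubjectConfirmationData confirmationData = buildSamlObject(SubjectConfirmationData.DEFAULT_ELEMENT_NAME);
        confirmationData.setNotOnOrAfter(new DateTime().plusSeconds(timeToLiveSeconds));
        confirmationData.setInResponseTo(authnRequest.getID());
        // Recipient is copied from the request's ACS URL, whereas Destination (buildCommonAttributes)
        // comes from the metadata-resolved endpoint. NOTE(review): confirm the request's ACS URL is
        // validated against SP metadata before this point; nothing here checks it.
        confirmationData.setRecipient(authnRequest.getAssertionConsumerServiceURL());
        confirmation.setSubjectConfirmationData(confirmationData);

        subject.getSubjectConfirmations().add(confirmation);
        assertion.setSubject(subject);
    }

    /** Returns the NameID format named in the request's Subject, or the SAML 1.1 "unspecified" format when it names none. */
    private static String requestedNameIdFormat(AuthnRequest authnRequest) {
        Subject requestedSubject = authnRequest.getSubject();
        if (requestedSubject != null
                && requestedSubject.getNameID() != null
                && requestedSubject.getNameID().getFormat() != null) {
            return requestedSubject.getNameID().getFormat();
        }
        return NAMEID_FORMAT_UNSPECIFIED;
    }

    /**
     * Picks the principal field that serves as the NameID value for {@code format}:
     * emailAddress → email, persistent → user ID, unspecified → user name.
     *
     * @throws SAMLException for any other format
     */
    private static String nameIdValueFor(String format, UaaPrincipal principal) throws SAMLException {
        switch (format) {
            case NAMEID_FORMAT_EMAIL:
                return principal.getEmail();
            case NameIDType.PERSISTENT:
                return principal.getId();
            case NAMEID_FORMAT_UNSPECIFIED:
                return principal.getName();
            default:
                throw new SAMLException("The NameIDType '" + format + "' is not supported.");
        }
    }

    /**
     * Adds the AttributeStatement: the user's authorities and core identity fields, then the SP's
     * configured static attributes and, when attribute mappings exist, selected SCIM profile fields
     * under the SP-configured attribute names.
     *
     * @param assertion      assertion to attach the statement to
     * @param authentication source of authorities and the {@link UaaPrincipal}
     * @param spEntityId     entity ID of the SP whose definition is looked up in the current identity zone
     */
    protected void buildAttributeStatement(Assertion assertion, Authentication authentication, String spEntityId) {
        AttributeStatement statement = buildSamlObject(AttributeStatement.DEFAULT_ELEMENT_NAME);
        List<Attribute> attributes = statement.getAttributes();

        List<String> authorities = authentication.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toList());
        attributes.add(buildStringAttribute("authorities", authorities));

        UaaPrincipal principal = (UaaPrincipal) authentication.getPrincipal();
        attributes.add(buildStringAttribute("email", Collections.singletonList(principal.getEmail())));
        attributes.add(buildStringAttribute("id", Collections.singletonList(principal.getId())));
        attributes.add(buildStringAttribute("name", Collections.singletonList(principal.getName())));
        attributes.add(buildStringAttribute("origin", Collections.singletonList(principal.getOrigin())));
        attributes.add(buildStringAttribute("zoneId", Collections.singletonList(principal.getZoneId())));

        SamlServiceProviderDefinition config = samlServiceProviderProvisioning
                .retrieveByEntityId(spEntityId, IdentityZoneHolder.get().getId())
                .getConfig();
        addStaticCustomAttributes(attributes, config);
        addMappedScimAttributes(attributes, config, principal);

        assertion.getAttributeStatements().add(statement);
    }

    /**
     * Emits the SP definition's static custom attributes. A List value becomes a multi-valued
     * attribute, any other value a single-valued one; a null value is skipped entirely, while a
     * null element inside a List is emitted as the literal string {@code "null"}.
     */
    private void addStaticCustomAttributes(List<Attribute> attributes, SamlServiceProviderDefinition config) {
        Map<String, Object> staticAttributes =
                Optional.ofNullable(config.getStaticCustomAttributes()).orElse(Collections.emptyMap());
        for (Map.Entry<String, Object> entry : staticAttributes.entrySet()) {
            Object value = entry.getValue();
            if (value == null) {
                continue;
            }
            List<?> values = value instanceof List ? (List<?>) value : Collections.singletonList(value);
            List<String> rendered = values.stream()
                    .map(element -> element == null ? "null" : element.toString())
                    .collect(Collectors.toList());
            attributes.add(buildStringAttribute(entry.getKey(), rendered));
        }
    }

    /**
     * Emits SCIM profile fields under the attribute names the SP definition maps them to.
     * The SCIM record is fetched only when at least one mapping is configured; a missing or
     * empty mapping table emits nothing.
     */
    private void addMappedScimAttributes(List<Attribute> attributes, SamlServiceProviderDefinition config, UaaPrincipal principal) {
        Map<String, Object> mappings = config.getAttributeMappings();
        if (mappings == null || mappings.isEmpty()) {
            return;
        }
        ScimUser user = scimUserProvisioning.retrieve(principal.getId(), IdentityZoneHolder.get().getId());
        addMappedAttribute(attributes, mappings, MAPPING_GIVEN_NAME, user.getGivenName());
        addMappedAttribute(attributes, mappings, MAPPING_FAMILY_NAME, user.getFamilyName());
        addMappedAttribute(attributes, mappings, MAPPING_PHONE_NUMBER, scimUserProvisioning.extractPhoneNumber(user));
        addMappedAttribute(attributes, mappings, MAPPING_EMAIL, user.getPrimaryEmail());
    }

    /** Emits {@code value} under the attribute name mapped for {@code key}, if the value is non-blank and the mapping exists. */
    private void addMappedAttribute(List<Attribute> attributes, Map<String, Object> mappings, String key, String value) {
        if (StringUtils.hasText(value) && mappings.containsKey(key)) {
            // The mapping value (config-controlled) is the SAML attribute name the SP expects.
            attributes.add(buildStringAttribute(mappings.get(key).toString(), Collections.singletonList(value)));
        }
    }

    /**
     * Builds a SAML Attribute whose values are xs:string AttributeValue elements.
     *
     * @param name   attribute name
     * @param values one AttributeValue per element; {@code null} yields an attribute with no values
     * @return the populated attribute
     */
    public Attribute buildStringAttribute(String name, List<String> values) {
        Attribute attribute = buildSamlObject(Attribute.DEFAULT_ELEMENT_NAME);
        attribute.setName(name);
        @SuppressWarnings("unchecked") // builder factory is keyed by QName; XSString.TYPE_NAME yields the xs:string builder
        XMLObjectBuilder<XSString> stringBuilder = (XMLObjectBuilder<XSString>) builderFactory.getBuilder(XSString.TYPE_NAME);
        if (values != null) {
            for (String value : values) {
                XSString attributeValue = stringBuilder.buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSString.TYPE_NAME);
                attributeValue.setValue(value);
                attribute.getAttributeValues().add(attributeValue);
            }
        }
        return attribute;
    }

    /** Marks {@code response} with the SAML "Success" status code. */
    private void buildStatusSuccess(Response response) {
        buildStatus(response, StatusCode.SUCCESS_URI);
    }

    /** Sets a Status with the given top-level status code URI on {@code response}. */
    private void buildStatus(Response response, String statusCodeUri) {
        StatusCode statusCode = buildSamlObject(StatusCode.DEFAULT_ELEMENT_NAME);
        statusCode.setValue(statusCodeUri);
        Status status = buildSamlObject(Status.DEFAULT_ELEMENT_NAME);
        status.setStatusCode(statusCode);
        response.setStatus(status);
    }

    /**
     * Attaches an enveloped XML signature to {@code assertion} using {@code credential}.
     * The assertion must be marshalled before {@link Signer#signObject} so the signature covers
     * the final DOM.
     *
     * @throws SecurityException    if signature parameters cannot be derived from the credential
     * @throws MarshallingException if the assertion cannot be marshalled
     * @throws SignatureException   if signing fails
     */
    private void signAssertion(Assertion assertion, Credential credential)
            throws SecurityException, MarshallingException, SignatureException {
        SignatureBuilder signatureBuilder = (SignatureBuilder) builderFactory.getBuilder(Signature.DEFAULT_ELEMENT_NAME);
        Signature signature = signatureBuilder.buildObject();
        signature.setSigningCredential(credential);
        // null config / null key-info generator name: OpenSAML's global security configuration applies.
        SecurityHelper.prepareSignatureParams(signature, credential, null, null);
        assertion.setSignature(signature);
        Configuration.getMarshallerFactory().getMarshaller(assertion).marshall(assertion);
        Signer.signObject(signature);
    }

    /**
     * Builds the SAML object registered for {@code elementName} in the inherited builder factory.
     * The cast is unchecked by nature: the factory is keyed by QName and returns an untyped builder.
     */
    @SuppressWarnings("unchecked")
    private <T> T buildSamlObject(QName elementName) {
        SAMLObjectBuilder<?> builder = (SAMLObjectBuilder<?>) builderFactory.getBuilder(elementName);
        return (T) builder.buildObject();
    }

    /** Injects the SP definition lookup used by {@link #buildAttributeStatement}. */
    public void setSamlServiceProviderProvisioning(JdbcSamlServiceProviderProvisioning samlServiceProviderProvisioning) {
        this.samlServiceProviderProvisioning = samlServiceProviderProvisioning;
    }

    /** Injects the SCIM user lookup used when the SP defines attribute mappings. */
    public void setScimUserProvisioning(JdbcScimUserProvisioning scimUserProvisioning) {
        this.scimUserProvisioning = scimUserProvisioning;
    }
}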
