package org.keycloak.broker.saml;

import java.security.KeyPair;
import java.util.TreeSet;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.keycloak.broker.provider.AbstractIdentityProvider;
import org.keycloak.broker.provider.AuthenticationRequest;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.broker.provider.IdentityProvider;
import org.keycloak.broker.provider.IdentityProviderDataMarshaller;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.common.util.PemUtils;
import org.keycloak.dom.saml.v2.assertion.AssertionType;
import org.keycloak.dom.saml.v2.assertion.AuthnStatementType;
import org.keycloak.dom.saml.v2.assertion.NameIDType;
import org.keycloak.dom.saml.v2.metadata.KeyTypes;
import org.keycloak.events.EventBuilder;
import org.keycloak.keys.KeyMetadata;
import org.keycloak.keys.RsaKeyMetadata;
import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.KeyManager;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.saml.JaxrsSAML2BindingBuilder;
import org.keycloak.saml.SAML2AuthnRequestBuilder;
import org.keycloak.saml.SAML2LogoutRequestBuilder;
import org.keycloak.saml.SAML2NameIDPolicyBuilder;
import org.keycloak.saml.SPMetadataDescriptor;
import org.keycloak.saml.SignatureAlgorithm;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.saml.processing.core.util.KeycloakKeySamlExtensionGenerator;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.social.stackoverflow.StackoverflowIdentityProvider;

/* loaded from: input_file:org/keycloak/broker/saml/SAMLIdentityProvider.class */
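/**
 * SAML 2.0 identity-provider broker.
 * <p>
 * This class only builds the <em>outgoing</em> messages (AuthnRequest, LogoutRequest),
 * records the federated subject in the user session once a login succeeded, and exports
 * this realm's SP metadata. Everything inbound — response/assertion validation, signature
 * and encryption checks — is handled by {@link SAMLEndpoint}, which {@link #callback}
 * instantiates; none of that validation lives here. The "want assertions signed/encrypted"
 * flags are therefore only <em>advertised</em> by {@link #export}; they are not enforced
 * in this class.
 * <p>
 * NOTE(review): this listing is decompiled. The decompiler-mangled
 * {@code m262postBinding}/{@code m263redirectBinding} names were restored to
 * {@code postBinding}/{@code redirectBinding}, and the comparison against
 * {@code StackoverflowIdentityProvider.DEFAULT_SCOPE} (an empty-string literal the
 * decompiler resolved to an unrelated class) was restored to an empty-string check.
 * Confirm both against the real {@code JaxrsSAML2BindingBuilder} / original source.
 */
public class SAMLIdentityProvider extends AbstractIdentityProvider<SAMLIdentityProviderConfig> {
    protected static final Logger logger = Logger.getLogger(SAMLIdentityProvider.class);

    public SAMLIdentityProvider(KeycloakSession session, SAMLIdentityProviderConfig config) {
        super(session, config);
    }

    /**
     * Creates the JAX-RS resource that receives the IdP's responses for this broker.
     * All inbound SAML validation happens inside {@link SAMLEndpoint}.
     */
    public Object callback(RealmModel realm, IdentityProvider.AuthenticationCallback callback, EventBuilder event) {
        return new SAMLEndpoint(realm, this, getConfig(), callback);
    }

    /**
     * Builds the SAML AuthnRequest that sends the browser to the IdP's single sign-on
     * service, via HTTP-Redirect or HTTP-POST depending on configuration.
     * <p>
     * The request is signed with the realm's active RSA key only when the provider is
     * configured with "want AuthnRequests signed"; the algorithm comes from
     * {@link #getSignatureAlgorithm()} (RSA-SHA256 unless configured otherwise).
     * When no NameID policy format is configured the persistent format is requested.
     *
     * @param request carries the realm, URI info, the redirect URI used as
     *                AssertionConsumerServiceURL, and the encoded state used as RelayState
     * @return the redirect or self-submitting POST form response targeting the IdP
     * @throws IdentityBrokerException if the request cannot be built
     */
    public Response performLogin(AuthenticationRequest request) {
        try {
            UriInfo uriInfo = request.getUriInfo();
            RealmModel realm = request.getRealm();
            SAMLIdentityProviderConfig config = getConfig();

            String issuerURL = getEntityId(uriInfo, realm);
            String destinationUrl = config.getSingleSignOnServiceUrl();
            String nameIDPolicyFormat = config.getNameIDPolicyFormat();
            if (nameIDPolicyFormat == null) {
                nameIDPolicyFormat = JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get();
            }
            // ProtocolBinding tells the IdP how to deliver the *response* back to us; it is
            // independent of how the AuthnRequest itself is sent (see postBinding below).
            String protocolBinding = config.isPostBindingResponse()
                    ? JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get()
                    : JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get();
            String assertionConsumerServiceUrl = request.getRedirectUri();

            SAML2AuthnRequestBuilder authnRequestBuilder = new SAML2AuthnRequestBuilder()
                    .assertionConsumerUrl(assertionConsumerServiceUrl)
                    .destination(destinationUrl)
                    .issuer(issuerURL)
                    .forceAuthn(config.isForceAuthn())
                    .protocolBinding(protocolBinding)
                    .nameIdPolicy(SAML2NameIDPolicyBuilder.format(nameIDPolicyFormat));

            JaxrsSAML2BindingBuilder binding = (JaxrsSAML2BindingBuilder) new JaxrsSAML2BindingBuilder()
                    .relayState(request.getState().getEncoded());

            boolean postBinding = config.isPostBindingAuthnRequest();
            if (config.isWantAuthnRequestsSigned()) {
                KeyManager.ActiveRsaKey keys = this.session.keys().getActiveRsaKey(realm);
                KeyPair keypair = new KeyPair(keys.getPublicKey(), keys.getPrivateKey());
                String keyName = config.getXmlSigKeyInfoKeyNameTransformer().getKeyName(keys.getKid(), keys.getCertificate());
                // Login requests are signed with the key pair only; the certificate is not
                // handed to the binding here (compare buildLogoutBinding, which passes it).
                binding.signWith(keyName, keypair);
                binding.signatureAlgorithm(getSignatureAlgorithm());
                binding.signDocument();
                // Only for the redirect binding, and only when configured, the signing key's
                // name is additionally advertised in an <Extensions> element.
                if (!postBinding && config.isAddExtensionsElementWithKeyInfo()) {
                    authnRequestBuilder.addExtension(new KeycloakKeySamlExtensionGenerator(keyName));
                }
            }

            if (postBinding) {
                return binding.postBinding(authnRequestBuilder.toDocument()).request(destinationUrl);
            }
            return binding.redirectBinding(authnRequestBuilder.toDocument()).request(destinationUrl);
        } catch (Exception e) {
            throw new IdentityBrokerException("Could not create authentication request.", e);
        }
    }

    /**
     * The SP entity ID this realm presents to the IdP: {@code <base-uri>/realms/<realm>}.
     * Used as the Issuer of every outgoing request and as entityID in the exported metadata.
     */
    private String getEntityId(UriInfo uriInfo, RealmModel realm) {
        return UriBuilder.fromUri(uriInfo.getBaseUri())
                .path("realms")
                .path(realm.getName())
                .build()
                .toString();
    }

    /**
     * Records the federated subject (NameID value and, when present, its format) and the
     * IdP's SessionIndex as user-session notes after {@link SAMLEndpoint} has accepted the
     * assertion. {@link #buildLogoutRequest} later reads exactly these notes to address the
     * LogoutRequest to the IdP.
     *
     * @throws IdentityBrokerException if the assertion carries no subject NameID; the login
     *         fails closed with a clear error instead of a NullPointerException
     */
    public void authenticationFinished(AuthenticationSessionModel authSession, BrokeredIdentityContext context) {
        AssertionType assertion = (AssertionType) context.getContextData().get(SAMLEndpoint.SAML_ASSERTION);
        NameIDType subjectNameID = subjectNameIdOf(assertion);

        authSession.setUserSessionNote(SAMLEndpoint.SAML_FEDERATED_SUBJECT, subjectNameID.getValue());
        if (subjectNameID.getFormat() != null) {
            authSession.setUserSessionNote(SAMLEndpoint.SAML_FEDERATED_SUBJECT_NAMEFORMAT, subjectNameID.getFormat().toString());
        }

        AuthnStatementType authn = (AuthnStatementType) context.getContextData().get(SAMLEndpoint.SAML_AUTHN_STATEMENT);
        if (authn != null && authn.getSessionIndex() != null) {
            authSession.setUserSessionNote(SAMLEndpoint.SAML_FEDERATED_SESSION_INDEX, authn.getSessionIndex());
        }
    }

    /**
     * Walks assertion → subject → subtype → base ID and fails with a descriptive
     * {@link IdentityBrokerException} if any link is missing.
     */
    private static NameIDType subjectNameIdOf(AssertionType assertion) {
        if (assertion == null
                || assertion.getSubject() == null
                || assertion.getSubject().getSubType() == null
                || assertion.getSubject().getSubType().getBaseID() == null) {
            throw new IdentityBrokerException("SAML assertion does not carry a subject NameID.");
        }
        return (NameIDType) assertion.getSubject().getSubType().getBaseID();
    }

    /**
     * Returns the stored federated token as-is in a 200 response. No content type is set
     * here; what the token contains is decided by the marshaller/endpoint, not this class.
     */
    public Response retrieveToken(KeycloakSession session, FederatedIdentityModel identity) {
        return Response.ok(identity.getToken()).build();
    }

    /**
     * Sends a signed (if configured) LogoutRequest server-to-server to the IdP's single
     * logout URL using the POST binding. Best effort: a failure on the IdP side is logged
     * and never aborts the local logout. Note that any 2xx or 3xx status is treated as
     * success. The target URL is the admin-configured IdP endpoint.
     * <p>
     * Does nothing when no single-logout URL is configured or back-channel logout is
     * disabled for this provider.
     */
    public void backchannelLogout(KeycloakSession session, UserSessionModel userSession, UriInfo uriInfo, RealmModel realm) {
        String singleLogoutServiceUrl = getConfig().getSingleLogoutServiceUrl();
        if (!hasLogoutUrl(singleLogoutServiceUrl) || !getConfig().isBackchannelSupported()) {
            return;
        }
        try {
            String samlRequest = buildLogoutBinding(session, userSession, realm)
                    .postBinding(buildLogoutRequest(userSession, uriInfo, realm, singleLogoutServiceUrl).buildDocument())
                    .encoded();
            int status = SimpleHttp.doPost(singleLogoutServiceUrl, session)
                    .param("SAMLRequest", samlRequest)
                    .param("RelayState", userSession.getId())
                    .asStatus();
            if (status < 200 || status >= 400) {
                logger.warn("Failed saml backchannel broker logout to: " + singleLogoutServiceUrl);
            }
        } catch (Exception e) {
            logger.warn("Failed saml backchannel broker logout to: " + singleLogoutServiceUrl, e);
        }
    }

    /**
     * Logout initiated from Keycloak's side. With back-channel support enabled the
     * request is sent server-to-server (see {@link #backchannelLogout}) and {@code null}
     * is returned; otherwise a browser redirect/POST to the IdP's single logout URL is
     * returned. Returns {@code null} when no single-logout URL is configured.
     *
     * @throws IdentityBrokerException if the logout request cannot be built
     */
    public Response keycloakInitiatedBrowserLogout(KeycloakSession session, UserSessionModel userSession, UriInfo uriInfo, RealmModel realm) {
        String singleLogoutServiceUrl = getConfig().getSingleLogoutServiceUrl();
        if (!hasLogoutUrl(singleLogoutServiceUrl)) {
            return null;
        }
        if (getConfig().isBackchannelSupported()) {
            backchannelLogout(session, userSession, uriInfo, realm);
            return null;
        }
        try {
            SAML2LogoutRequestBuilder logoutBuilder = buildLogoutRequest(userSession, uriInfo, realm, singleLogoutServiceUrl);
            JaxrsSAML2BindingBuilder binding = buildLogoutBinding(session, userSession, realm);
            if (getConfig().isPostBindingLogout()) {
                return binding.postBinding(logoutBuilder.buildDocument()).request(singleLogoutServiceUrl);
            }
            return binding.redirectBinding(logoutBuilder.buildDocument()).request(singleLogoutServiceUrl);
        } catch (Exception e) {
            throw new IdentityBrokerException("Could not create logout request.", e);
        }
    }

    /** True when a single-logout URL is configured and is not blank. */
    private static boolean hasLogoutUrl(String url) {
        return url != null && !url.trim().isEmpty();
    }

    /**
     * Builds the LogoutRequest for the IdP. Subject, NameID format and SessionIndex are
     * taken from the user-session notes written by {@link #authenticationFinished}; the
     * request's expiration is the realm's access-code lifespan.
     *
     * @param destination the IdP single logout URL the request is addressed to
     */
    protected SAML2LogoutRequestBuilder buildLogoutRequest(UserSessionModel userSession, UriInfo uriInfo, RealmModel realm, String destination) {
        return new SAML2LogoutRequestBuilder()
                .assertionExpiration(realm.getAccessCodeLifespan())
                .issuer(getEntityId(uriInfo, realm))
                .sessionIndex(userSession.getNote(SAMLEndpoint.SAML_FEDERATED_SESSION_INDEX))
                .userPrincipal(userSession.getNote(SAMLEndpoint.SAML_FEDERATED_SUBJECT),
                        userSession.getNote(SAMLEndpoint.SAML_FEDERATED_SUBJECT_NAMEFORMAT))
                .destination(destination);
    }

    /**
     * Binding builder for logout requests, using the user-session id as RelayState. When
     * "want AuthnRequests signed" is on, the document is signed with the realm's active
     * RSA key (private key, public key and certificate are all passed to the binding) and
     * the configured signature algorithm.
     */
    private JaxrsSAML2BindingBuilder buildLogoutBinding(KeycloakSession session, UserSessionModel userSession, RealmModel realm) {
        JaxrsSAML2BindingBuilder binding = (JaxrsSAML2BindingBuilder) new JaxrsSAML2BindingBuilder()
                .relayState(userSession.getId());
        if (getConfig().isWantAuthnRequestsSigned()) {
            KeyManager.ActiveRsaKey keys = session.keys().getActiveRsaKey(realm);
            String keyName = getConfig().getXmlSigKeyInfoKeyNameTransformer().getKeyName(keys.getKid(), keys.getCertificate());
            binding.signWith(keyName, keys.getPrivateKey(), keys.getPublicKey(), keys.getCertificate());
            binding.signatureAlgorithm(getSignatureAlgorithm());
            binding.signDocument();
        }
        return binding;
    }

    /**
     * Exports this realm's SP metadata for the IdP. Every non-disabled RSA key is listed
     * as a signing key (active first, then passive); only ACTIVE keys are additionally
     * listed as encryption keys. The "want ... signed/encrypted" booleans are advertised
     * from configuration only — enforcement is not done in this class.
     *
     * @param format unused by this provider (kept for the interface)
     * @return the SP descriptor XML as {@code application/xml}
     */
    public Response export(UriInfo uriInfo, RealmModel realm, String format) {
        SAMLIdentityProviderConfig config = getConfig();
        String authnBinding = config.isPostBindingAuthnRequest()
                ? JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get()
                : JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get();
        String endpoint = uriInfo.getBaseUriBuilder()
                .path("realms").path(realm.getName())
                .path("broker").path(config.getAlias())
                .path("endpoint")
                .build()
                .toString();
        boolean wantAuthnRequestsSigned = config.isWantAuthnRequestsSigned();
        boolean wantAssertionsSigned = config.isWantAssertionsSigned();
        boolean wantAssertionsEncrypted = config.isWantAssertionsEncrypted();
        String entityId = getEntityId(uriInfo, realm);
        String nameIDPolicyFormat = config.getNameIDPolicyFormat();

        StringBuilder signingKeys = new StringBuilder();
        StringBuilder encryptionKeys = new StringBuilder();
        TreeSet<RsaKeyMetadata> keys = new TreeSet<>(SAMLIdentityProvider::compareKeysForMetadata);
        keys.addAll(this.session.keys().getRsaKeys(realm, false));
        for (RsaKeyMetadata key : keys) {
            addKeyInfo(signingKeys, key, KeyTypes.SIGNING.value());
            if (key.getStatus() == KeyMetadata.Status.ACTIVE) {
                addKeyInfo(encryptionKeys, key, KeyTypes.ENCRYPTION.value());
            }
        }

        String descriptor = SPMetadataDescriptor.getSPDescriptor(authnBinding, endpoint, endpoint,
                wantAuthnRequestsSigned, wantAssertionsSigned, wantAssertionsEncrypted,
                entityId, nameIDPolicyFormat, signingKeys.toString(), encryptionKeys.toString());
        return Response.ok(descriptor, MediaType.APPLICATION_XML_TYPE).build();
    }

    /**
     * Ordering for the exported key list: ACTIVE keys first, then PASSIVE, then any other
     * status; within a status, higher provider priority first. Ties are broken on the kid
     * so that two keys with the same status and priority are both kept — a comparator
     * returning 0 makes the TreeSet drop one of them, which would leave a valid signing
     * key out of the published metadata. Priorities are compared with
     * {@link Long#compare} rather than a subtraction cast to int, which can overflow.
     */
    private static int compareKeysForMetadata(RsaKeyMetadata a, RsaKeyMetadata b) {
        int byStatus = Integer.compare(statusRank(a.getStatus()), statusRank(b.getStatus()));
        if (byStatus != 0) {
            return byStatus;
        }
        int byPriority = Long.compare(b.getProviderPriority(), a.getProviderPriority());
        if (byPriority != 0) {
            return byPriority;
        }
        return compareKids(a.getKid(), b.getKid());
    }

    /** ACTIVE sorts before PASSIVE, which sorts before anything else (including null). */
    private static int statusRank(KeyMetadata.Status status) {
        if (status == KeyMetadata.Status.ACTIVE) {
            return 0;
        }
        if (status == KeyMetadata.Status.PASSIVE) {
            return 1;
        }
        return 2;
    }

    /** Natural String order with nulls last; used only as a stable tie-breaker. */
    private static int compareKids(String a, String b) {
        if (a == null) {
            return b == null ? 0 : 1;
        }
        if (b == null) {
            return -1;
        }
        return a.compareTo(b);
    }

    /**
     * Appends one KeyDescriptor (kid, PEM certificate, use) to {@code sb}. The trailing
     * {@code true} flag is passed through to {@link SPMetadataDescriptor#xmlKeyInfo};
     * its meaning is not visible from this class.
     */
    private static void addKeyInfo(StringBuilder sb, RsaKeyMetadata key, String use) {
        if (key == null) {
            return;
        }
        sb.append(SPMetadataDescriptor.xmlKeyInfo("        ", key.getKid(), PemUtils.encodeCertificate(key.getCertificate()), use, true));
    }

    /**
     * Signature algorithm for outgoing requests: the configured one, or RSA-SHA256 when
     * none is configured. {@link SignatureAlgorithm#valueOf} throws
     * {@link IllegalArgumentException} for an unknown name — that is intentional; a
     * misconfigured algorithm must not silently degrade to the default. (valueOf never
     * returns null, so no null check on its result is needed.)
     */
    public SignatureAlgorithm getSignatureAlgorithm() {
        String configured = getConfig().getSignatureAlgorithm();
        if (configured == null) {
            return SignatureAlgorithm.RSA_SHA256;
        }
        return SignatureAlgorithm.valueOf(configured);
    }

    /** Marshaller used to persist/restore the SAML-specific broker context data. */
    public IdentityProviderDataMarshaller getMarshaller() {
        return new SAMLDataMarshaller();
    }
}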
