package org.springframework.security.saml2.provider.service.servlet.filter;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.function.Function;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationRequestFactory;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestContext;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestFactory;
import org.springframework.security.saml2.provider.service.authentication.Saml2PostAuthenticationRequest;
import org.springframework.security.saml2.provider.service.authentication.Saml2RedirectAuthenticationRequest;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.HtmlUtils;
import org.springframework.web.util.UriComponentsBuilder;
import org.springframework.web.util.UriUtils;

/* loaded from: input_file:org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationRequestFilter.class */
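/**
 * Servlet filter that starts a SAML 2.0 Web SSO login by sending an
 * authentication request to the identity provider of a relying-party registration.
 *
 * <p>Requests are handled only when they match {@code redirectMatcher}, which
 * defaults to {@code /saml2/authenticate/{registrationId}}; everything else is
 * passed down the filter chain untouched. Depending on the binding configured for
 * the registration, the request is delivered either as an HTTP redirect or as a
 * self-submitting HTML form.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>{@code RelayState} is copied verbatim from the inbound request parameter,
 *       so it is caller-controlled. It is URL-encoded on the redirect path and
 *       HTML-escaped on the POST path here; whatever consumes it after the
 *       round-trip through the identity provider should still treat it as
 *       untrusted input.</li>
 *   <li>Every value interpolated into the generated HTML form, including the
 *       form {@code action} URI, is HTML-escaped before being written.</li>
 * </ul>
 */
public class Saml2WebSsoAuthenticationRequestFilter extends OncePerRequestFilter {
    private final RelyingPartyRegistrationRepository relyingPartyRegistrationRepository;
    private RequestMatcher redirectMatcher = new AntPathRequestMatcher("/saml2/authenticate/{registrationId}");
    private Saml2AuthenticationRequestFactory authenticationRequestFactory = new OpenSamlAuthenticationRequestFactory();

    /**
     * Creates the filter.
     *
     * @param relyingPartyRegistrationRepository source of relying-party registrations, looked up
     *        by the {@code registrationId} path variable; must not be {@code null}
     * @throws IllegalArgumentException if the repository is {@code null}
     */
    public Saml2WebSsoAuthenticationRequestFilter(RelyingPartyRegistrationRepository relyingPartyRegistrationRepository) {
        Assert.notNull(relyingPartyRegistrationRepository, "relyingPartyRegistrationRepository cannot be null");
        this.relyingPartyRegistrationRepository = relyingPartyRegistrationRepository;
    }

    /**
     * Replaces the factory used to build redirect and POST authentication requests.
     *
     * @param saml2AuthenticationRequestFactory the factory to use; must not be {@code null}
     * @throws IllegalArgumentException if the factory is {@code null}
     */
    public void setAuthenticationRequestFactory(Saml2AuthenticationRequestFactory saml2AuthenticationRequestFactory) {
        Assert.notNull(saml2AuthenticationRequestFactory, "authenticationRequestFactory cannot be null");
        this.authenticationRequestFactory = saml2AuthenticationRequestFactory;
    }

    /**
     * Replaces the matcher that decides which requests this filter handles. The matcher is
     * expected to expose a {@code registrationId} variable, which is what
     * {@link #doFilterInternal} reads to find the registration.
     *
     * @param requestMatcher the matcher to use; must not be {@code null}
     * @throws IllegalArgumentException if the matcher is {@code null}
     */
    public void setRedirectMatcher(RequestMatcher requestMatcher) {
        Assert.notNull(requestMatcher, "redirectMatcher cannot be null");
        this.redirectMatcher = requestMatcher;
    }

    /**
     * Handles a matching request by emitting the SAML authentication request; non-matching
     * requests continue down the chain. An unknown {@code registrationId} is answered with
     * HTTP 401 and the chain is not invoked.
     */
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        RequestMatcher.MatchResult match = this.redirectMatcher.matcher(httpServletRequest);
        if (!match.isMatch()) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }

        // The registration id comes straight from the request path; it is only used as a
        // repository lookup key, and an unknown id ends the request here.
        String registrationId = (String) match.getVariables().get("registrationId");
        RelyingPartyRegistration registration = this.relyingPartyRegistrationRepository.findByRegistrationId(registrationId);
        if (registration == null) {
            httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        if (this.logger.isDebugEnabled()) {
            // Logs the id stored on the registration, not the raw path variable.
            this.logger.debug(String.format("Creating SAML2 SP Authentication Request for IDP[%s]", registration.getRegistrationId()));
        }

        Saml2AuthenticationRequestContext context = createRedirectAuthenticationRequestContext(registration, httpServletRequest);
        if (registration.getProviderDetails().getBinding() == Saml2MessageBinding.REDIRECT) {
            sendRedirect(httpServletResponse, context);
        } else {
            sendPost(httpServletResponse, context);
        }
    }

    /** Delivers the authentication request through an HTTP redirect. */
    private void sendRedirect(HttpServletResponse httpServletResponse, Saml2AuthenticationRequestContext saml2AuthenticationRequestContext) throws IOException {
        String location = createSamlRequestRedirectUrl(saml2AuthenticationRequestContext);
        httpServletResponse.sendRedirect(location);
    }

    /** Delivers the authentication request as an HTML page containing a self-submitting form. */
    private void sendPost(HttpServletResponse httpServletResponse, Saml2AuthenticationRequestContext saml2AuthenticationRequestContext) throws IOException {
        Saml2PostAuthenticationRequest postRequest = this.authenticationRequestFactory.createPostAuthenticationRequest(saml2AuthenticationRequestContext);
        String page = createSamlPostRequestFormData(postRequest);
        // NOTE(review): no charset is set on the response although the page declares utf-8 in
        // its meta tag; confirm the container's writer encoding is acceptable for RelayState.
        httpServletResponse.setContentType("text/html");
        httpServletResponse.getWriter().write(page);
    }

    /**
     * Builds the redirect URL: the identity provider's request URI plus the SAML query
     * parameters. Parameters without text are omitted.
     */
    private String createSamlRequestRedirectUrl(Saml2AuthenticationRequestContext saml2AuthenticationRequestContext) {
        Saml2RedirectAuthenticationRequest redirectRequest = this.authenticationRequestFactory.createRedirectAuthenticationRequest(saml2AuthenticationRequestContext);
        UriComponentsBuilder uri = UriComponentsBuilder.fromUriString(redirectRequest.getAuthenticationRequestUri());
        addParameter("SAMLRequest", redirectRequest.getSamlRequest(), uri);
        addParameter("RelayState", redirectRequest.getRelayState(), uri);
        addParameter("SigAlg", redirectRequest.getSigAlg(), uri);
        addParameter("Signature", redirectRequest.getSignature(), uri);
        // build(true): components are already encoded by addParameter, so do not encode again.
        return uri.build(true).toUriString();
    }

    /**
     * Adds a URL-encoded query parameter when {@code str2} (the value) has text.
     *
     * @param str parameter name; must have text
     * @param str2 parameter value; skipped when {@code null}, empty or blank
     * @param uriComponentsBuilder builder receiving the parameter
     */
    private void addParameter(String str, String str2, UriComponentsBuilder uriComponentsBuilder) {
        Assert.hasText(str, "name cannot be empty or null");
        if (!StringUtils.hasText(str2)) {
            return;
        }
        String encodedName = UriUtils.encode(str, StandardCharsets.ISO_8859_1);
        String encodedValue = UriUtils.encode(str2, StandardCharsets.ISO_8859_1);
        uriComponentsBuilder.queryParam(encodedName, encodedValue);
    }

    /**
     * Assembles the context handed to the request factory: issuer and assertion consumer
     * service URL are resolved from the registration's templates against the application URI,
     * and RelayState is taken from the inbound request parameter as-is.
     */
    private Saml2AuthenticationRequestContext createRedirectAuthenticationRequestContext(RelyingPartyRegistration relyingPartyRegistration, HttpServletRequest httpServletRequest) {
        String applicationUri = Saml2ServletUtils.getApplicationUri(httpServletRequest);
        Function<String, String> resolver = templateResolver(applicationUri, relyingPartyRegistration);
        String issuer = resolver.apply(relyingPartyRegistration.getLocalEntityIdTemplate());
        String assertionConsumerServiceUrl = resolver.apply(relyingPartyRegistration.getAssertionConsumerServiceUrlTemplate());
        return Saml2AuthenticationRequestContext.builder()
                .issuer(issuer)
                .relyingPartyRegistration(relyingPartyRegistration)
                .assertionConsumerServiceUrl(assertionConsumerServiceUrl)
                // Caller-controlled value; see the class-level security notes.
                .relayState(httpServletRequest.getParameter("RelayState"))
                .build();
    }

    /** Returns a function that resolves a URL template for the given application URI and registration. */
    private Function<String, String> templateResolver(String str, RelyingPartyRegistration relyingPartyRegistration) {
        return template -> Saml2ServletUtils.resolveUrlTemplate(template, str, relyingPartyRegistration);
    }

    /** HTML-escapes {@code str} when it has text; otherwise returns it unchanged (including {@code null}). */
    private String htmlEscape(String str) {
        if (!StringUtils.hasText(str)) {
            return str;
        }
        return HtmlUtils.htmlEscape(str);
    }

    /**
     * Renders the HTML page whose form posts the SAML request to the identity provider.
     * The form submits itself on load; a Continue button is offered inside
     * {@code <noscript>} for browsers without JavaScript.
     *
     * <p>The {@code action} URI, the SAML request and RelayState are all HTML-escaped, so a
     * quote or angle bracket in any of them cannot terminate the attribute it is written into.
     */
    private String createSamlPostRequestFormData(Saml2PostAuthenticationRequest saml2PostAuthenticationRequest) {
        // Escaping the action URI is safe for well-formed URLs: the browser decodes the
        // entities (for example &amp;) back to the original characters before submitting.
        String action = htmlEscape(saml2PostAuthenticationRequest.getAuthenticationRequestUri());
        String relayState = htmlEscape(saml2PostAuthenticationRequest.getRelayState());
        String samlRequest = htmlEscape(saml2PostAuthenticationRequest.getSamlRequest());

        StringBuilder html = new StringBuilder();
        html.append("<!DOCTYPE html>\n");
        html.append("<html>\n");
        html.append("    <head>\n");
        html.append("        <meta charset=\"utf-8\" />\n");
        html.append("    </head>\n");
        html.append("    <body onload=\"document.forms[0].submit()\">\n");
        html.append("        <noscript>\n");
        html.append("            <p>\n");
        html.append("                <strong>Note:</strong> Since your browser does not support JavaScript,\n");
        html.append("                you must press the Continue button once to proceed.\n");
        html.append("            </p>\n");
        html.append("        </noscript>\n");
        html.append("        \n");
        html.append("        <form action=\"").append(action).append("\" method=\"post\">\n");
        html.append("            <div>\n");
        html.append("                <input type=\"hidden\" name=\"SAMLRequest\" value=\"").append(samlRequest).append("\"/>\n");
        if (StringUtils.hasText(relayState)) {
            html.append("                <input type=\"hidden\" name=\"RelayState\" value=\"").append(relayState).append("\"/>\n");
        }
        html.append("            </div>\n");
        html.append("            <noscript>\n");
        html.append("                <div>\n");
        html.append("                    <input type=\"submit\" value=\"Continue\"/>\n");
        html.append("                </div>\n");
        html.append("            </noscript>\n");
        html.append("        </form>\n");
        html.append("        \n");
        html.append("    </body>\n");
        html.append("</html>");
        return html.toString();
    }
}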
