package org.apereo.cas.support.saml.web.idp.profile.builders.subject;

import java.time.Clock;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.support.saml.OpenSamlConfigBean;
import org.apereo.cas.support.saml.SamlException;
import org.apereo.cas.support.saml.SamlIdPUtils;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade;
import org.apereo.cas.support.saml.util.AbstractSaml20ObjectBuilder;
import org.apereo.cas.support.saml.web.idp.profile.builders.SamlProfileObjectBuilder;
import org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectEncrypter;
import org.jasig.cas.client.validation.Assertion;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.saml2.core.EncryptedID;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.NameIDType;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.metadata.Endpoint;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-saml-idp-web-6.3.7.4.jar:org/apereo/cas/support/saml/web/idp/profile/builders/subject/SamlProfileSamlSubjectBuilder.class */
/**
 * Builds the SAML2 {@link Subject} that goes into a response for a registered SAML service provider.
 *
 * <p>The subject is assembled from a {@link NameID} produced by the injected NameID builder plus the
 * subject-confirmation values computed here (recipient, NotOnOrAfter, InResponseTo, NotBefore). Each
 * of those values can be suppressed through a {@code isSkipGenerating...} flag on the
 * {@link SamlRegisteredService}. When the NameID format is {@link NameIDType#ENCRYPTED}, the plaintext
 * identifiers are removed and replaced by {@link EncryptedID} elements.
 *
 * <p>NOTE(review): Recipient, NotOnOrAfter and InResponseTo are the values a relying party normally
 * checks to tie an assertion to one endpoint, one time window and one request. Service definitions
 * that switch any of them off deserve a closer look during configuration review.
 */
public class SamlProfileSamlSubjectBuilder extends AbstractSaml20ObjectBuilder implements SamlProfileObjectBuilder<Subject> {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(SamlProfileSamlSubjectBuilder.class);
    private static final long serialVersionUID = 4782621942035583007L;

    // Produces the NameID used for the subject and for the subject confirmation.
    private final transient SamlProfileObjectBuilder<NameID> ssoPostProfileSamlNameIdBuilder;
    // Source of the global SAML IdP response skew allowance used as a fallback.
    private final CasConfigurationProperties casProperties;
    // Turns a NameID into an EncryptedID for the target service provider.
    private final transient SamlIdPObjectEncrypter samlObjectEncrypter;

    /**
     * Creates the builder with its collaborators.
     *
     * @param openSamlConfigBean         OpenSAML configuration handed to the superclass
     * @param samlProfileObjectBuilder   builder that creates the {@link NameID}
     * @param casConfigurationProperties CAS settings, read for the default skew allowance
     * @param samlIdPObjectEncrypter     encrypter used when the NameID format is encrypted
     */
    public SamlProfileSamlSubjectBuilder(OpenSamlConfigBean openSamlConfigBean, SamlProfileObjectBuilder<NameID> samlProfileObjectBuilder, CasConfigurationProperties casConfigurationProperties, SamlIdPObjectEncrypter samlIdPObjectEncrypter) {
        super(openSamlConfigBean);
        this.casProperties = casConfigurationProperties;
        this.samlObjectEncrypter = samlIdPObjectEncrypter;
        this.ssoPostProfileSamlNameIdBuilder = samlProfileObjectBuilder;
    }

    /**
     * Builds the subject for the given request; delegates to {@code buildSubject}.
     *
     * @param requestAbstractType the incoming SAML request; its ID becomes InResponseTo unless suppressed
     * @param httpServletRequest  current HTTP request, passed through to the NameID builder
     * @param httpServletResponse current HTTP response, passed through to the NameID builder
     * @param obj                 the CAS {@link Assertion}; anything else fails the cast
     * @param samlRegisteredService the registered service whose flags drive what is emitted
     * @param samlRegisteredServiceServiceProviderMetadataFacade service provider metadata facade
     * @param str                 the binding used to locate the response endpoint
     * @param messageContext      OpenSAML message context used for endpoint resolution
     * @return the assembled subject
     * @throws SamlException as declared by the builder contract
     */
    @Override
    public Subject build(RequestAbstractType requestAbstractType, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object obj, SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade, String str, MessageContext messageContext) throws SamlException {
        return buildSubject(httpServletRequest, httpServletResponse, requestAbstractType, obj, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade, str, messageContext);
    }

    /**
     * Resolves the recipient endpoint, builds the NameIDs, computes the confirmation values and
     * creates the subject, encrypting the identifiers when the NameID format asks for it.
     */
    private Subject buildSubject(HttpServletRequest request, HttpServletResponse response, RequestAbstractType authnRequest, Object casAssertion, SamlRegisteredService service, SamlRegisteredServiceServiceProviderMetadataFacade adaptor, String binding, MessageContext messageContext) throws SamlException {
        Assertion assertion = Assertion.class.cast(casAssertion);
        ZonedDateTime now = ZonedDateTime.now(Clock.systemUTC());

        LOGGER.trace("Locating the assertion consumer service url for binding [{}]", binding);
        // NOTE(review): the endpoint is dereferenced without a null check; presumably
        // determineEndpointForRequest never returns null - confirm against SamlIdPUtils.
        Endpoint acsEndpoint = SamlIdPUtils.determineEndpointForRequest(authnRequest, adaptor, binding, messageContext);

        // The endpoint's ResponseLocation wins; Location is the fallback.
        String responseLocation = acsEndpoint.getResponseLocation();
        String recipient = StringUtils.isBlank(responseLocation) ? acsEndpoint.getLocation() : responseLocation;
        if (StringUtils.isBlank(recipient)) {
            // Only a warning: the subject is still built, with a blank recipient.
            LOGGER.warn("Subject recipient is not defined from either authentication request or metadata for [{}]", adaptor.getEntityId());
        }

        NameID subjectNameId = getNameIdForService(request, response, authnRequest, service, adaptor, binding, assertion, messageContext);

        // The NameID builder runs a second time instead of reusing the first result.
        // NOTE(review): if the configured builder is not deterministic, the subject and the
        // subject confirmation may end up with different identifiers - confirm.
        final NameID confirmationNameId;
        if (service.isSkipGeneratingSubjectConfirmationNameId()) {
            confirmationNameId = null;
        } else {
            confirmationNameId = getNameIdForService(request, response, authnRequest, service, adaptor, binding, assertion, messageContext);
        }

        // NotOnOrAfter is "now + skew allowance": the service's own value when positive,
        // otherwise the global SAML IdP response setting.
        final ZonedDateTime notOnOrAfter;
        if (service.isSkipGeneratingSubjectConfirmationNotOnOrAfter()) {
            notOnOrAfter = null;
        } else {
            notOnOrAfter = service.getSkewAllowance() > 0
                ? now.plusSeconds(service.getSkewAllowance())
                : now.plusSeconds(this.casProperties.getAuthn().getSamlIdp().getResponse().getSkewAllowance());
        }

        // Every remaining confirmation value is passed as null when its skip flag is set.
        String confirmationRecipient = service.isSkipGeneratingSubjectConfirmationRecipient() ? null : recipient;
        String inResponseTo = service.isSkipGeneratingSubjectConfirmationInResponseTo() ? null : authnRequest.getID();
        ZonedDateTime notBefore = service.isSkipGeneratingSubjectConfirmationNotBefore() ? null : ZonedDateTime.now(ZoneOffset.UTC);

        Subject subject = newSubject(subjectNameId, confirmationNameId, confirmationRecipient, notOnOrAfter, inResponseTo, notBefore);

        if (subjectNameId != null && NameIDType.ENCRYPTED.equalsIgnoreCase(subjectNameId.getFormat())) {
            encryptSubjectIdentifiers(subject, subjectNameId, confirmationNameId, service, adaptor);
        }

        LOGGER.debug("Created SAML subject [{}]", subject);
        return subject;
    }

    /**
     * Replaces the plaintext NameIDs on the subject and its confirmations with encrypted ones.
     *
     * <p>The plaintext values are cleared before encryption is attempted, so a failed encryption
     * cannot leave them in the subject. When the encrypter returns {@code null} the affected element
     * keeps no identifier at all and the failure is reported at debug level only.
     * NOTE(review): consider whether that failure should be visible at a level operators monitor.
     */
    private void encryptSubjectIdentifiers(Subject subject, NameID subjectNameId, NameID confirmationNameId, SamlRegisteredService service, SamlRegisteredServiceServiceProviderMetadataFacade adaptor) throws SamlException {
        subject.setNameID(null);
        subject.getSubjectConfirmations().forEach(confirmation -> confirmation.setNameID(null));

        EncryptedID encryptedSubjectId = this.samlObjectEncrypter.encode(subjectNameId, service, adaptor);
        if (encryptedSubjectId == null) {
            LOGGER.debug("Unable to encrypt subject Name ID for [{}]", adaptor.getEntityId());
        } else {
            subject.setEncryptedID(encryptedSubjectId);
        }

        if (confirmationNameId == null) {
            return;
        }
        EncryptedID encryptedConfirmationId = this.samlObjectEncrypter.encode(confirmationNameId, service, adaptor);
        if (encryptedConfirmationId == null) {
            LOGGER.debug("Unable to encrypt subject confirmation Name ID for [{}]", adaptor.getEntityId());
            return;
        }
        subject.getSubjectConfirmations().forEach(confirmation -> confirmation.setEncryptedID(encryptedConfirmationId));
    }

    /**
     * Asks the NameID builder for the identifier to release to the service.
     *
     * @return the built NameID, or {@code null} when the service is flagged to skip NameID generation
     */
    private NameID getNameIdForService(HttpServletRequest request, HttpServletResponse response, RequestAbstractType authnRequest, SamlRegisteredService service, SamlRegisteredServiceServiceProviderMetadataFacade adaptor, String binding, Assertion assertion, MessageContext messageContext) {
        if (service.isSkipGeneratingAssertionNameId()) {
            LOGGER.warn("Assertion will skip assigning/generating a nameId based on service [{}]", service);
            return null;
        }
        return this.ssoPostProfileSamlNameIdBuilder.build(authnRequest, request, response, assertion, service, adaptor, binding, messageContext);
    }
}
