package org.apereo.cas.support.saml;

import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import java.util.zip.Inflater;
import java.util.zip.InflaterInputStream;
import lombok.Generated;
import net.shibboleth.utilities.java.support.codec.Base64Support;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.saml.authentication.SamlIdPAuthenticationContext;
import org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPSamlRegisteredServiceCriterion;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade;
import org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceCachingMetadataResolver;
import org.apereo.cas.util.EncodingUtils;
import org.apereo.cas.util.function.FunctionUtils;
import org.jooq.lambda.Unchecked;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.common.binding.SAMLBindingSupport;
import org.opensaml.saml.common.messaging.context.SAMLEndpointContext;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.metadata.criteria.entity.impl.EvaluableEntityRoleEntityDescriptorCriterion;
import org.opensaml.saml.metadata.resolver.ChainingMetadataResolver;
import org.opensaml.saml.metadata.resolver.MetadataResolver;
import org.opensaml.saml.metadata.resolver.RoleDescriptorResolver;
import org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.NameIDPolicy;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.opensaml.saml.saml2.core.StatusResponseType;
import org.opensaml.saml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml.saml2.metadata.Endpoint;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.saml2.metadata.impl.AssertionConsumerServiceBuilder;
import org.pac4j.core.context.JEEContext;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.context.session.SessionStore;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-saml-idp-core-6.5.4.jar:org/apereo/cas/support/saml/SamlIdPUtils.class */
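public final class SamlIdPUtils {

    private static final Logger LOGGER = LoggerFactory.getLogger(SamlIdPUtils.class);

    /** Session attribute holding the Base64-encoded XML of the parked SAML request. */
    private static final String SESSION_ATTR_SAML_REQUEST = "SAMLRequest";

    /** Session attribute holding the relay state that accompanied the parked request. */
    private static final String SESSION_ATTR_RELAY_STATE = "RelayState";

    private SamlIdPUtils() {
        throw new UnsupportedOperationException("This is a utility class and cannot be instantiated");
    }

    /**
     * Rebuild the SAML request previously parked in the session by {@link #storeSamlRequest}.
     * <p>
     * Both the encoded request ({@code SAMLRequest}) and the serialized message context
     * (keyed by {@code MessageContext.class.getName()}) must be present; otherwise the result
     * is empty. The request is decoded with
     * {@link #retrieveSamlRequest(OpenSamlConfigBean, Class, String)} and the message context
     * is rehydrated through {@link SamlIdPAuthenticationContext#decode}.
     *
     * @param webContext         web context used to address the session
     * @param sessionStore       session store to read from
     * @param openSamlConfigBean OpenSAML configuration supplying the parser pool
     * @param clazz              expected request type; the message held by the rebuilt context is cast to it
     * @return the request paired with its message context, or empty when either half is missing
     * @throws ClassCastException if a stored attribute is not a {@link String}, or the stored message is not a {@code clazz}
     */
    public static Optional<Pair<? extends RequestAbstractType, MessageContext>> retrieveSamlRequest(
        final WebContext webContext,
        final SessionStore sessionStore,
        final OpenSamlConfigBean openSamlConfigBean,
        final Class<? extends RequestAbstractType> clazz) {
        LOGGER.trace("Retrieving authentication request from scope");
        return sessionStore.get(webContext, SESSION_ATTR_SAML_REQUEST)
            .map(String.class::cast)
            .map(encodedRequest -> retrieveSamlRequest(openSamlConfigBean, clazz, encodedRequest))
            .flatMap(request -> sessionStore.get(webContext, MessageContext.class.getName())
                .map(String.class::cast)
                .map(encodedContext -> SamlIdPAuthenticationContext.decode(encodedContext).toMessageContext(request)))
            // The context was rebuilt around a request of type clazz, so enforce that type rather
            // than hard-coding AuthnRequest and silently breaking any other RequestAbstractType.
            .map(messageContext -> Pair.of(clazz.cast(messageContext.getMessage()), messageContext));
    }

    /**
     * Decode a Base64-encoded SAML request into an OpenSAML object.
     * <p>
     * The value is first treated as Base64 over raw DEFLATE (the HTTP-Redirect encoding,
     * {@code new Inflater(true)} meaning no zlib header). If that fails for any reason the
     * value is retried as plain Base64 (the HTTP-POST encoding). When both attempts fail, the
     * failure of the second attempt is thrown with the first attached as a suppressed exception,
     * so neither cause is lost.
     * <p>
     * NOTE(review): the input is the unauthenticated {@code SAMLRequest} parameter and nothing
     * here bounds the inflated size before the XML parser sees it; a hostile request can expand
     * far beyond its encoded length. Whether the parser pool enforces its own limits is not
     * visible from this class — confirm, or wrap the inflater in a size-bounded stream.
     *
     * @param openSamlConfigBean OpenSAML configuration supplying the parser pool
     * @param clazz              type the unmarshalled object is cast to
     * @param requestValue       the Base64 (optionally deflated) request
     * @param <T>                request type
     * @return the decoded request
     * @throws ClassCastException if the decoded object is not a {@code clazz}
     */
    public static <T extends RequestAbstractType> T retrieveSamlRequest(final OpenSamlConfigBean openSamlConfigBean,
                                                                        final Class<T> clazz,
                                                                        final String requestValue) {
        LOGGER.trace("Retrieving SAML request from [{}]", requestValue);
        try {
            try (InputStream inflated = new InflaterInputStream(
                new ByteArrayInputStream(Base64Support.decode(requestValue)), new Inflater(true))) {
                return clazz.cast(XMLObjectSupport.unmarshallFromInputStream(openSamlConfigBean.getParserPool(), inflated));
            }
        } catch (final Exception inflateFailure) {
            LOGGER.trace("Unable to inflate SAML request; retrying as plain Base64", inflateFailure);
            try (InputStream plain = new ByteArrayInputStream(
                EncodingUtils.decodeBase64(requestValue.getBytes(StandardCharsets.UTF_8)))) {
                return clazz.cast(XMLObjectSupport.unmarshallFromInputStream(openSamlConfigBean.getParserPool(), plain));
            } catch (final Exception plainFailure) {
                plainFailure.addSuppressed(inflateFailure);
                // Propagate the original (possibly checked) exception type unchanged, as callers have always seen it.
                throw sneakyThrow(plainFailure);
            }
        }
    }

    /**
     * Rethrow any throwable without declaring it; the caller writes {@code throw sneakyThrow(t);}.
     * Preserves the exception type exactly instead of wrapping it.
     */
    @SuppressWarnings("unchecked")
    private static <E extends Throwable> RuntimeException sneakyThrow(final Throwable throwable) throws E {
        throw (E) throwable;
    }

    /**
     * Populate the outbound message context's peer-entity and endpoint sub-contexts for the
     * service provider described by {@code adaptor}.
     *
     * @param requestAndContext the inbound request and its message context
     * @param messageContext    the outbound message context to populate
     * @param adaptor           metadata facade for the service provider
     * @param binding           binding the endpoint must support
     * @throws SamlException if the SP metadata defines no assertion consumer service, or no usable endpoint
     *                       can be determined (see {@link #determineEndpointForRequest(Pair, SamlRegisteredServiceServiceProviderMetadataFacade, String)})
     */
    public static void preparePeerEntitySamlEndpointContext(final Pair<? extends RequestAbstractType, MessageContext> requestAndContext,
                                                            final MessageContext messageContext,
                                                            final SamlRegisteredServiceServiceProviderMetadataFacade adaptor,
                                                            final String binding) throws SamlException {
        final String entityId = adaptor.getEntityId();
        if (!adaptor.containsAssertionConsumerServices()) {
            throw new SamlException("No assertion consumer service could be found for entity " + entityId);
        }
        final SAMLPeerEntityContext peerEntityContext = messageContext.getSubcontext(SAMLPeerEntityContext.class, true);
        peerEntityContext.setEntityId(entityId);
        final SAMLEndpointContext endpointContext = peerEntityContext.getSubcontext(SAMLEndpointContext.class, true);
        final Endpoint endpoint = determineEndpointForRequest(requestAndContext, adaptor, binding);
        LOGGER.debug("Configured peer entity endpoint to be [{}] with binding [{}]", endpoint.getLocation(), endpoint.getBinding());
        endpointContext.setEndpoint(endpoint);
    }

    /**
     * Resolve the endpoint the response to this request must be delivered to.
     * <p>
     * A {@link LogoutRequest} is answered at the SP's single-logout service for the binding.
     * Any other request is answered at an assertion consumer service chosen by
     * {@link #determineEndpointForRequest(RequestAbstractType, SamlRegisteredServiceServiceProviderMetadataFacade,
     * String, AssertionConsumerService, AssertionConsumerService, MessageContext)}, which weighs the
     * ACS named in the request against the ACS published in metadata.
     *
     * @param requestAndContext the inbound request and its message context
     * @param adaptor           metadata facade for the service provider
     * @param binding           binding the endpoint must support
     * @return the resolved endpoint, never {@code null}
     * @throws SamlException if no endpoint exists for the binding, or the endpoint lacks a binding or any location
     */
    public static Endpoint determineEndpointForRequest(final Pair<? extends RequestAbstractType, MessageContext> requestAndContext,
                                                       final SamlRegisteredServiceServiceProviderMetadataFacade adaptor,
                                                       final String binding) {
        final RequestAbstractType request = requestAndContext.getLeft();
        final Endpoint endpoint;
        if (request instanceof LogoutRequest) {
            endpoint = adaptor.getSingleLogoutService(binding);
        } else {
            final AssertionConsumerService acsFromRequest = getAssertionConsumerServiceFromRequest(request, binding, adaptor);
            final AssertionConsumerService acsFromMetadata = adaptor.getAssertionConsumerService(binding);
            endpoint = determineEndpointForRequest(request, adaptor, binding, acsFromRequest, acsFromMetadata, requestAndContext.getRight());
        }
        if (endpoint == null) {
            throw new SamlException("Endpoint for " + request.getSchemaType() + " is not available or does not define a binding for " + binding);
        }
        final boolean noLocation = StringUtils.isBlank(endpoint.getResponseLocation()) && StringUtils.isBlank(endpoint.getLocation());
        if (StringUtils.isBlank(endpoint.getBinding()) || noLocation) {
            throw new SamlException("Endpoint for " + request.getSchemaType() + " does not define a binding or location for binding " + binding);
        }
        return endpoint;
    }

    /**
     * Pick the assertion consumer service for a request, given the ACS the request asked for
     * (if any) and the ACS published in SP metadata for the binding.
     * <ol>
     *   <li>No ACS in the request: use the metadata ACS.</li>
     *   <li>The request carries a signature (either on the XML or via the binding): the requested ACS is
     *       returned as-is, without being cross-checked against metadata.</li>
     *   <li>Otherwise the requested location (response location, else location) must be one of the
     *       metadata ACS locations for the binding, or the request's ACS index must resolve in metadata;
     *       the matching metadata location is used.</li>
     * </ol>
     * NOTE(review): in step 2, {@code isSigned()} only reports that a {@code <ds:Signature>} element is
     * present and {@code isMessageSigned()} that the binding carried a signature; neither shows the
     * signature was <em>verified</em>. Trusting a request-supplied ACS URL is only safe if the caller has
     * already validated that signature against the SP's metadata — confirm that is the case for every
     * path that reaches this method.
     *
     * @param request         the inbound request
     * @param adaptor         metadata facade for the service provider
     * @param binding         binding the ACS must support
     * @param acsFromRequest  ACS built from the request, or {@code null} if it named none
     * @param acsFromMetadata ACS published in metadata for the binding
     * @param messageContext  inbound message context (consulted for a binding-level signature)
     * @return the ACS to respond to
     * @throws SamlException if an unsigned request names an ACS that metadata does not publish
     */
    private static AssertionConsumerService determineEndpointForRequest(final RequestAbstractType request,
                                                                        final SamlRegisteredServiceServiceProviderMetadataFacade adaptor,
                                                                        final String binding,
                                                                        final AssertionConsumerService acsFromRequest,
                                                                        final AssertionConsumerService acsFromMetadata,
                                                                        final MessageContext messageContext) {
        LOGGER.trace("ACS from authentication request is [{}], ACS from metadata is [{}] with binding [{}]", acsFromRequest, acsFromMetadata, binding);
        if (acsFromRequest == null) {
            return acsFromMetadata;
        }
        if (request.isSigned() || SAMLBindingSupport.isMessageSigned(messageContext)) {
            return acsFromRequest;
        }
        // Unsigned request: the ACS it names is attacker-controllable, so it must match metadata.
        final List<String> knownLocations = StringUtils.isNotBlank(binding)
            ? adaptor.getAssertionConsumerServiceLocations(binding)
            : adaptor.getAssertionConsumerServiceLocations();
        final String requestedLocation = StringUtils.defaultIfBlank(acsFromRequest.getResponseLocation(), acsFromRequest.getLocation());
        final Integer requestedIndex = request instanceof AuthnRequest
            ? ((AuthnRequest) request).getAssertionConsumerServiceIndex()
            : null;
        if (StringUtils.isNotBlank(requestedLocation) && knownLocations.contains(requestedLocation)) {
            return buildAssertionConsumerService(binding, requestedLocation, requestedIndex);
        }
        if (requestedIndex != null) {
            final Optional<String> locationForIndex = adaptor.getAssertionConsumerServiceFor(binding, requestedIndex);
            if (locationForIndex.isPresent()) {
                return buildAssertionConsumerService(binding, locationForIndex.get(), requestedIndex);
            }
        }
        throw new SamlException(String.format("Assertion consumer service [%s] cannot be located in metadata [%s]", requestedLocation, knownLocations));
    }

    /**
     * Build an ACS marked as the default, with location and response location both set to {@code location}.
     *
     * @param binding  ACS binding
     * @param location ACS location (also used as the response location)
     * @param index    ACS index, may be {@code null}
     * @return the new ACS
     */
    private static AssertionConsumerService buildAssertionConsumerService(final String binding, final String location, final Integer index) {
        final AssertionConsumerService acs = newAssertionConsumerService(binding, location, index);
        acs.setIsDefault(Boolean.TRUE);
        return acs;
    }

    /**
     * Build a bare ACS element; location and response location are both set to {@code location}.
     *
     * @param binding  ACS binding
     * @param location ACS location (also used as the response location)
     * @param index    ACS index, may be {@code null}
     * @return the new ACS, not flagged as default
     */
    private static AssertionConsumerService newAssertionConsumerService(final String binding, final String location, final Integer index) {
        final AssertionConsumerService acs = (AssertionConsumerService) new AssertionConsumerServiceBuilder()
            .buildObject(AssertionConsumerService.DEFAULT_ELEMENT_NAME);
        acs.setBinding(binding);
        acs.setLocation(location);
        acs.setResponseLocation(location);
        acs.setIndex(index);
        return acs;
    }

    /**
     * Build one chaining metadata resolver over the metadata of every registered SAML service
     * whose metadata facade can be obtained for {@code entityId}.
     *
     * @param servicesManager the services manager to enumerate registered services from
     * @param entityId        value handed to the metadata facade lookup and used as the id of the returned resolver
     * @param resolver        caching metadata resolver the facades are built from
     * @return an initialized {@link ChainingMetadataResolver}
     */
    public static MetadataResolver getMetadataResolverForAllSamlServices(final ServicesManager servicesManager,
                                                                         final String entityId,
                                                                         final SamlRegisteredServiceCachingMetadataResolver resolver) {
        final Collection<RegisteredService> samlServices = servicesManager.findServiceBy(SamlRegisteredService.class::isInstance);
        // The instance filter is repeated before the cast so the cast cannot fail regardless of what the manager returns.
        final List<MetadataResolver> resolvers = samlServices.stream()
            .filter(SamlRegisteredService.class::isInstance)
            .map(SamlRegisteredService.class::cast)
            .map(service -> SamlRegisteredServiceServiceProviderMetadataFacade.get(resolver, service, entityId))
            .filter(Optional::isPresent)
            .map(Optional::get)
            .map(SamlRegisteredServiceServiceProviderMetadataFacade::getMetadataResolver)
            .collect(Collectors.toList());
        LOGGER.debug("Located [{}] metadata resolvers to match against [{}]", resolvers, entityId);
        final ChainingMetadataResolver chainingMetadataResolver = new ChainingMetadataResolver();
        chainingMetadataResolver.setResolvers(resolvers);
        chainingMetadataResolver.setId(entityId);
        chainingMetadataResolver.initialize();
        return chainingMetadataResolver;
    }

    /**
     * Extract the issuer value from a request, status response or assertion.
     *
     * @param samlObject the SAML object
     * @return the issuer value, or {@code null} if the object is of another type or carries no issuer
     */
    public static String getIssuerFromSamlObject(final SAMLObject samlObject) {
        if (samlObject instanceof RequestAbstractType) {
            return Optional.ofNullable(((RequestAbstractType) samlObject).getIssuer()).map(issuer -> issuer.getValue()).orElse(null);
        }
        if (samlObject instanceof StatusResponseType) {
            return Optional.ofNullable(((StatusResponseType) samlObject).getIssuer()).map(issuer -> issuer.getValue()).orElse(null);
        }
        if (samlObject instanceof Assertion) {
            return Optional.ofNullable(((Assertion) samlObject).getIssuer()).map(issuer -> issuer.getValue()).orElse(null);
        }
        return null;
    }

    /**
     * Build a role descriptor resolver over the metadata of the given service provider.
     *
     * @param adaptor              metadata facade for the service provider
     * @param requireValidMetadata whether only valid (non-expired) metadata may be returned
     * @return an initialized role descriptor resolver
     * @throws Exception if the resolver cannot be initialized
     */
    public static RoleDescriptorResolver getRoleDescriptorResolver(final SamlRegisteredServiceServiceProviderMetadataFacade adaptor,
                                                                   final boolean requireValidMetadata) throws Exception {
        return getRoleDescriptorResolver(adaptor.getMetadataResolver(), requireValidMetadata);
    }

    /**
     * Build a role descriptor resolver over an arbitrary metadata resolver. Predicates are
     * evaluated with "satisfy any" semantics and the default predicate registry is enabled.
     *
     * @param metadataResolver     the underlying metadata resolver
     * @param requireValidMetadata whether only valid (non-expired) metadata may be returned
     * @return an initialized role descriptor resolver
     * @throws Exception if the resolver cannot be initialized
     */
    public static RoleDescriptorResolver getRoleDescriptorResolver(final MetadataResolver metadataResolver,
                                                                   final boolean requireValidMetadata) throws Exception {
        final PredicateRoleDescriptorResolver roleDescriptorResolver = new PredicateRoleDescriptorResolver(metadataResolver);
        roleDescriptorResolver.setSatisfyAnyPredicates(true);
        roleDescriptorResolver.setUseDefaultPredicateRegistry(true);
        roleDescriptorResolver.setRequireValidMetadata(requireValidMetadata);
        roleDescriptorResolver.initialize();
        return roleDescriptorResolver;
    }

    /**
     * Return the {@link NameIDPolicy} of an authentication request.
     *
     * @param request the request
     * @return the policy, or empty if the request is not an {@link AuthnRequest} or declares none
     */
    public static Optional<NameIDPolicy> getNameIDPolicy(final RequestAbstractType request) {
        if (!(request instanceof AuthnRequest)) {
            return Optional.empty();
        }
        return Optional.ofNullable(((AuthnRequest) request).getNameIDPolicy());
    }

    /**
     * Build an ACS from what the authentication request itself asks for.
     * <p>
     * If the request carries an ACS URL it is used directly. If it carries only an index, the
     * URL is looked up in metadata for that binding and index. The returned ACS has both location
     * and response location set to that URL and is not flagged as default.
     * <p>
     * The URL comes straight from the (possibly unauthenticated) request; whether it may be trusted
     * is decided by the caller, which cross-checks it against metadata for unsigned requests.
     *
     * @param request the inbound request
     * @param binding binding to record on the ACS and to use for the index lookup
     * @param adaptor metadata facade for the service provider
     * @return the ACS, or {@code null} if the request is not an {@link AuthnRequest}, names neither URL
     * nor index, or its index does not resolve to a non-blank location
     */
    private static AssertionConsumerService getAssertionConsumerServiceFromRequest(final RequestAbstractType request,
                                                                                   final String binding,
                                                                                   final SamlRegisteredServiceServiceProviderMetadataFacade adaptor) {
        if (!(request instanceof AuthnRequest)) {
            return null;
        }
        final AuthnRequest authnRequest = (AuthnRequest) request;
        String acsUrl = authnRequest.getAssertionConsumerServiceURL();
        final Integer acsIndex = authnRequest.getAssertionConsumerServiceIndex();
        if (StringUtils.isBlank(acsUrl)) {
            if (acsIndex == null) {
                LOGGER.debug("No assertion consumer service url or index is supplied in the authentication request");
                return null;
            }
            LOGGER.debug("Locating assertion consumer service url for binding [{}] and index [{}]", binding, acsIndex);
            final Optional<String> locationForIndex = adaptor.getAssertionConsumerServiceFor(binding, acsIndex);
            if (!locationForIndex.isPresent()) {
                LOGGER.warn("Unable to locate acs url in for entity [{}] and binding [{}] with index [{}]", adaptor.getEntityId(), binding, acsIndex);
                return null;
            }
            acsUrl = locationForIndex.get();
        }
        if (StringUtils.isBlank(acsUrl)) {
            return null;
        }
        LOGGER.debug("Fetched assertion consumer service url [{}] with binding [{}] from authentication request", acsUrl, binding);
        return newAssertionConsumerService(binding, acsUrl, acsIndex);
    }

    /**
     * Park an authentication request in the session so it can be recovered later by
     * {@link #retrieveSamlRequest(WebContext, SessionStore, OpenSamlConfigBean, Class)}.
     * Stores the Base64-encoded request XML, the relay state from the message context, and
     * the serialized message context.
     * <p>
     * Despite the wider signature, the left side of {@code requestAndContext} must be an
     * {@link AuthnRequest}.
     *
     * @param webContext         web context used to address the session
     * @param openSamlConfigBean OpenSAML configuration used to serialize the request
     * @param sessionStore       session store to write to
     * @param requestAndContext  the request and its message context
     * @throws Exception         if serialization or storage fails
     * @throws ClassCastException if the left side is not an {@link AuthnRequest}
     */
    public static void storeSamlRequest(final JEEContext webContext,
                                        final OpenSamlConfigBean openSamlConfigBean,
                                        final SessionStore sessionStore,
                                        final Pair<? extends SignableSAMLObject, MessageContext> requestAndContext) throws Exception {
        final AuthnRequest authnRequest = (AuthnRequest) requestAndContext.getLeft();
        final MessageContext messageContext = requestAndContext.getValue();
        try (StringWriter requestXml = SamlUtils.transformSamlObject(openSamlConfigBean, authnRequest)) {
            sessionStore.set(webContext, SESSION_ATTR_SAML_REQUEST,
                EncodingUtils.encodeBase64(requestXml.toString().getBytes(StandardCharsets.UTF_8)));
            sessionStore.set(webContext, SESSION_ATTR_RELAY_STATE, SAMLBindingSupport.getRelayState(messageContext));
            sessionStore.set(webContext, MessageContext.class.getName(), SamlIdPAuthenticationContext.from(messageContext).encode());
        }
    }

    /**
     * Determine the NameQualifier for a NameID issued to the given service.
     * <p>
     * Precedence: the service's explicit name-id qualifier; else its configured issuer entity id;
     * else the entity id of the IdP descriptor resolved from metadata for this service.
     *
     * @param registeredService the SAML registered service
     * @param metadataResolver  resolver used for the IdP-metadata fallback
     * @return the qualifier
     * @throws NullPointerException if the metadata fallback resolves no entity descriptor
     */
    public static String determineNameIdNameQualifier(final SamlRegisteredService registeredService,
                                                      final MetadataResolver metadataResolver) {
        if (StringUtils.isNotBlank(registeredService.getNameIdQualifier())) {
            return registeredService.getNameIdQualifier();
        }
        final String qualifier;
        if (StringUtils.isNotBlank(registeredService.getIssuerEntityId())) {
            qualifier = registeredService.getIssuerEntityId();
        } else {
            // Unchecked.supplier turns the resolver's checked exception into an unchecked one.
            qualifier = Unchecked.supplier(() -> {
                final CriteriaSet criteria = new CriteriaSet(
                    new EvaluableEntityRoleEntityDescriptorCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME),
                    new SamlIdPSamlRegisteredServiceCriterion(registeredService));
                LOGGER.trace("Resolving entity id from SAML2 IdP metadata to determine issuer for [{}]", registeredService.getName());
                final EntityDescriptor descriptor = Objects.requireNonNull(metadataResolver.resolveSingle(criteria));
                return descriptor.getEntityID();
            }).get();
        }
        LOGGER.debug("Using name qualifier [{}] for the Name ID", qualifier);
        return qualifier;
    }
}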
