package org.apereo.cas.support.saml.web.idp.profile.builders.assertion;

import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.ArrayList;
import java.util.Objects;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.support.saml.OpenSamlConfigBean;
import org.apereo.cas.support.saml.SamlException;
import org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPSamlRegisteredServiceCriterion;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade;
import org.apereo.cas.support.saml.util.AbstractSaml20ObjectBuilder;
import org.apereo.cas.support.saml.web.idp.profile.builders.AuthenticatedAssertionContext;
import org.apereo.cas.support.saml.web.idp.profile.builders.SamlProfileObjectBuilder;
import org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner;
import org.apereo.cas.util.RandomUtils;
import org.apereo.cas.util.function.FunctionUtils;
import org.apereo.cas.util.model.TriStateBoolean;
import org.jooq.lambda.Unchecked;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.metadata.criteria.entity.impl.EvaluableEntityRoleEntityDescriptorCriterion;
import org.opensaml.saml.metadata.resolver.MetadataResolver;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.opensaml.saml.saml2.core.Conditions;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-saml-idp-web-6.5.4.jar:org/apereo/cas/support/saml/web/idp/profile/builders/assertion/SamlProfileSamlAssertionBuilder.class */
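/**
 * Builds the SAML2 {@link Assertion} that the identity provider issues for a registered SAML
 * service.
 *
 * <p>The assertion is assembled from an authentication statement, an attribute statement (only
 * when it carries at least one plain or encrypted attribute), a subject and a conditions element.
 * Each part comes from a dedicated delegate builder. Once fully populated, the assertion is handed
 * to the signer if the signing policy in {@link #signAssertion} asks for it.
 *
 * <p>Security-relevant points visible in this class:
 * <ul>
 *   <li>The issuer is the per-service issuer entity id when one is configured; otherwise it is the
 *       entity id resolved from the IdP metadata for that service.</li>
 *   <li>An explicit per-service signing setting takes precedence over the {@code
 *       WantAssertionsSigned} hint read from the service provider metadata.</li>
 *   <li>The assertion ID is derived from a single {@code long}.</li>
 * </ul>
 */
public class SamlProfileSamlAssertionBuilder extends AbstractSaml20ObjectBuilder implements SamlProfileObjectBuilder<Assertion> {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(SamlProfileSamlAssertionBuilder.class);
    private static final long serialVersionUID = -3945938960014421135L;

    // Delegates that each produce one part of the assertion.
    private final SamlProfileObjectBuilder<AuthnStatement> samlProfileSamlAuthNStatementBuilder;
    private final SamlProfileObjectBuilder<AttributeStatement> samlProfileSamlAttributeStatementBuilder;
    private final SamlProfileObjectBuilder<Subject> samlProfileSamlSubjectBuilder;
    private final SamlProfileObjectBuilder<Conditions> samlProfileSamlConditionsBuilder;

    // Signs the finished assertion when the signing policy requires it.
    private final SamlIdPObjectSigner samlObjectSigner;

    // Source of the IdP entity id used as issuer when the service does not override it.
    private final MetadataResolver samlIdPMetadataResolver;

    /**
     * Creates the builder with its delegates.
     *
     * @param openSamlConfigBean OpenSAML configuration passed to the parent builder
     * @param samlProfileObjectBuilder builder for the authentication statement
     * @param samlProfileObjectBuilder2 builder for the attribute statement
     * @param samlProfileObjectBuilder3 builder for the subject
     * @param samlProfileObjectBuilder4 builder for the conditions
     * @param samlIdPObjectSigner signer applied to the finished assertion
     * @param metadataResolver resolver for the IdP metadata, used to look up the issuer entity id
     */
    public SamlProfileSamlAssertionBuilder(OpenSamlConfigBean openSamlConfigBean, SamlProfileObjectBuilder<AuthnStatement> samlProfileObjectBuilder, SamlProfileObjectBuilder<AttributeStatement> samlProfileObjectBuilder2, SamlProfileObjectBuilder<Subject> samlProfileObjectBuilder3, SamlProfileObjectBuilder<Conditions> samlProfileObjectBuilder4, SamlIdPObjectSigner samlIdPObjectSigner, MetadataResolver metadataResolver) {
        super(openSamlConfigBean);
        this.samlProfileSamlAuthNStatementBuilder = samlProfileObjectBuilder;
        this.samlProfileSamlAttributeStatementBuilder = samlProfileObjectBuilder2;
        this.samlProfileSamlSubjectBuilder = samlProfileObjectBuilder3;
        this.samlProfileSamlConditionsBuilder = samlProfileObjectBuilder4;
        this.samlObjectSigner = samlIdPObjectSigner;
        this.samlIdPMetadataResolver = metadataResolver;
    }

    /**
     * Assembles the assertion for the given service and signs it when the policy requires it.
     *
     * @param requestAbstractType the SAML request being answered; forwarded to every delegate
     * @param httpServletRequest the current HTTP request; forwarded to every delegate
     * @param httpServletResponse the current HTTP response; forwarded to every delegate
     * @param authenticatedAssertionContext the authenticated principal context; forwarded to the
     *     delegates
     * @param samlRegisteredService the registered service the assertion is issued for; must not be
     *     {@code null}
     * @param samlRegisteredServiceServiceProviderMetadataFacade view of the service provider
     *     metadata
     * @param str forwarded unchanged to the delegates and the signer (presumably the SAML binding;
     *     confirm against the interface)
     * @param messageContext the OpenSAML message context; forwarded to every delegate
     * @return the populated assertion, signed if the signing policy asked for it
     * @throws SamlException declared by the builder interface
     * @throws NullPointerException if {@code samlRegisteredService} is {@code null}, or if no
     *     issuer is configured on the service and the IdP metadata yields no entity descriptor
     */
    @Override
    public Assertion build(RequestAbstractType requestAbstractType, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticatedAssertionContext authenticatedAssertionContext, SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade, String str, MessageContext messageContext) throws SamlException {
        // Fail before any delegate runs: every step below dereferences the service definition.
        Objects.requireNonNull(samlRegisteredService, "samlRegisteredService must not be null");

        // Raw type kept as found in this listing; the elements are the statements of the assertion.
        ArrayList statements = new ArrayList();
        statements.add(this.samlProfileSamlAuthNStatementBuilder.build(requestAbstractType, httpServletRequest, httpServletResponse, authenticatedAssertionContext, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade, str, messageContext));

        AttributeStatement attributeStatement = this.samlProfileSamlAttributeStatementBuilder.build(requestAbstractType, httpServletRequest, httpServletResponse, authenticatedAssertionContext, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade, str, messageContext);
        // Leave out an attribute statement that carries neither plain nor encrypted attributes.
        boolean hasAttributes = !attributeStatement.getAttributes().isEmpty() || !attributeStatement.getEncryptedAttributes().isEmpty();
        if (hasAttributes) {
            statements.add(attributeStatement);
        }

        // Issuer: the per-service override wins; otherwise fall back to the entity id from the IdP
        // metadata resolved for this service.
        boolean hasIssuerOverride = StringUtils.isNotBlank(samlRegisteredService.getIssuerEntityId());
        String issuer = FunctionUtils.doIf(hasIssuerOverride, samlRegisteredService::getIssuerEntityId, Unchecked.supplier(() -> {
            CriteriaSet criteriaSet = new CriteriaSet(new EvaluableEntityRoleEntityDescriptorCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME), new SamlIdPSamlRegisteredServiceCriterion(samlRegisteredService));
            LOGGER.trace("Resolving entity id from SAML2 IdP metadata to determine issuer for [{}]", samlRegisteredService.getName());
            EntityDescriptor idpDescriptor = this.samlIdPMetadataResolver.resolveSingle(criteriaSet);
            // Same exception type as before, now with a message that names the failing service.
            return Objects.requireNonNull(idpDescriptor, () -> "No SAML2 IdP entity descriptor resolved to determine issuer for [" + samlRegisteredService.getName() + "]").getEntityID();
        })).get();

        // NOTE(review): the ID is "_" plus one long, so it carries at most 64 bits. SAML Core
        // (section 1.3.4) asks for a collision probability of 2^-128 or less for randomly chosen
        // identifiers. RandomUtils is not visible here; confirm it is backed by a CSPRNG and
        // consider a wider identifier if service providers rely on ID uniqueness for replay checks.
        String assertionId = "_" + RandomUtils.nextLong();

        Assertion assertion = newAssertion(statements, issuer, ZonedDateTime.now(ZoneOffset.UTC), assertionId);
        assertion.setSubject(this.samlProfileSamlSubjectBuilder.build(requestAbstractType, httpServletRequest, httpServletResponse, authenticatedAssertionContext, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade, str, messageContext));
        assertion.setConditions(this.samlProfileSamlConditionsBuilder.build(requestAbstractType, httpServletRequest, httpServletResponse, authenticatedAssertionContext, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade, str, messageContext));

        // Signing is the last step so that subject and conditions are already in place when the
        // assertion reaches the signer; do not mutate the assertion after this call.
        signAssertion(assertion, httpServletRequest, httpServletResponse, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade, str, requestAbstractType, messageContext);
        return assertion;
    }

    /**
     * Hands the assertion to the signer when the signing policy requires it.
     *
     * <p>The assertion is signed when the service setting is true, or when the setting is
     * {@link TriStateBoolean#UNDEFINED} and the service provider metadata reports that it wants
     * signed assertions. Any other explicit setting leaves the assertion unsigned even if the
     * metadata asks for signed assertions.
     *
     * <p>NOTE(review): when the assertion is left unsigned, its integrity depends on protection
     * applied elsewhere (for example a signature on the enclosing response). That decision is not
     * made in this class; verify it for services that disable assertion signing.
     *
     * @param assertion the fully populated assertion
     * @param httpServletRequest the current HTTP request
     * @param httpServletResponse the current HTTP response
     * @param samlRegisteredService the registered service whose signing setting is consulted
     * @param samlRegisteredServiceServiceProviderMetadataFacade view of the service provider
     *     metadata, consulted only when the service setting is undefined
     * @param str forwarded unchanged to the signer
     * @param requestAbstractType the SAML request being answered
     * @param messageContext the OpenSAML message context
     */
    protected void signAssertion(Assertion assertion, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade, String str, RequestAbstractType requestAbstractType, MessageContext messageContext) {
        TriStateBoolean signingSetting = samlRegisteredService.getSignAssertions();
        // The metadata hint is consulted only when the service leaves the setting undefined.
        boolean requestedByMetadata = signingSetting == TriStateBoolean.UNDEFINED && samlRegisteredServiceServiceProviderMetadataFacade.isWantAssertionsSigned();
        if (!requestedByMetadata && !signingSetting.isTrue()) {
            LOGGER.debug("SAML registered service [{}] does not require assertions to be signed", samlRegisteredServiceServiceProviderMetadataFacade.getEntityId());
            return;
        }
        LOGGER.debug("SAML registered service [{}] requires assertions to be signed", samlRegisteredServiceServiceProviderMetadataFacade.getEntityId());
        this.samlObjectSigner.encode(assertion, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade, httpServletResponse, httpServletRequest, str, requestAbstractType, messageContext);
    }
}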
