package org.apache.cxf.rs.security.saml.sso;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.logging.Level;
import javax.security.auth.DestroyFailedException;
import javax.security.auth.callback.CallbackHandler;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.core.Response;
import org.apache.cxf.common.util.Base64Utility;
import org.apache.cxf.jaxrs.ext.MessageContextImpl;
import org.apache.cxf.jaxrs.utils.ExceptionUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.rs.security.saml.DeflateEncoderDecoder;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoType;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.saml.OpenSAMLUtil;
import org.apache.wss4j.common.util.DOM2Writer;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.security.SecurityException;
import org.opensaml.security.crypto.JCAConstants;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory;
import org.opensaml.xmlsec.signature.Signature;
import org.springframework.security.web.server.header.CacheControlServerHttpHeadersWriter;
import org.w3c.dom.Element;

/* loaded from: input_file:WEB-INF/lib/cxf-rt-rs-security-sso-saml-3.5.3.jar:org/apache/cxf/rs/security/saml/sso/SamlPostBindingFilter.class */
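/**
 * Service-provider side request filter for the SAML HTTP-POST binding.
 *
 * <p>When the current message carries no accepted security context, the filter builds the
 * SAML request info (via the inherited {@code createSamlRequestInfo}), sets a {@code RelayState}
 * cookie on the servlet response and aborts the JAX-RS request with a non-cacheable
 * {@code text/html} entity. The AuthnRequest is optionally DEFLATE-compressed, always Base64
 * encoded, and signed with the key resolved from the configured WSS4J {@link Crypto}.
 *
 * <p>Thread-safety: the only mutable state is the {@code useDeflateEncoding} flag, which is
 * expected to be set once at configuration time.
 */
public class SamlPostBindingFilter extends AbstractServiceProviderFilter {
    /** Exclusive XML canonicalization URI applied to the AuthnRequest signature. */
    private static final String EXC_C14N_ALGORITHM = "http://www.w3.org/2001/10/xml-exc-c14n#";
    /** Signature algorithm substituted when the signing certificate carries a DSA key. */
    private static final String DSA_SHA1_ALGORITHM = "http://www.w3.org/2000/09/xmldsig#dsa-sha1";
    /**
     * Value of the {@code Pragma} response header. The decompiled source resolved this
     * through a Spring Security constant; the literal is used so the class does not
     * depend on Spring for a fixed HTTP/1.0 cache-suppression token.
     */
    private static final String PRAGMA_NO_CACHE = "no-cache";

    /** Whether the serialized AuthnRequest is deflated before Base64 encoding. */
    private boolean useDeflateEncoding;

    /**
     * Enables or disables DEFLATE compression of the AuthnRequest before Base64 encoding.
     *
     * @param z {@code true} to deflate; the field defaults to {@code false} (plain Base64)
     */
    public void setUseDeflateEncoding(boolean z) {
        this.useDeflateEncoding = z;
    }

    /**
     * Redirects an unauthenticated request to the IdP by aborting it with the POST-binding entity.
     *
     * @param containerRequestContext the JAX-RS request being filtered
     * @throws javax.ws.rs.InternalServerErrorException (via {@link ExceptionUtils}) if building
     *         the SAML request info or writing the response fails
     */
    @Override // javax.ws.rs.container.ContainerRequestFilter
    public void filter(ContainerRequestContext containerRequestContext) {
        Message currentMessage = JAXRSUtils.getCurrentMessage();
        // A request that already carries an accepted security context passes straight through.
        if (checkSecurityContext(currentMessage)) {
            return;
        }
        try {
            SamlRequestInfo requestInfo = createSamlRequestInfo(currentMessage);
            requestInfo.setIdpServiceAddress(getIdpServiceAddress());

            // The RelayState cookie is what later correlates the IdP response with this request.
            // Path, domain and any Secure/HttpOnly attributes are decided by the inherited
            // createCookie(); they are not visible here.
            String relayStateCookie = createCookie("RelayState", requestInfo.getRelayState(),
                    requestInfo.getWebAppContext(), requestInfo.getWebAppDomain());
            new MessageContextImpl(currentMessage).getHttpServletResponse()
                    .addHeader("Set-Cookie", relayStateCookie);

            // The entity is served as text/html (presumably rendered as the auto-submit form by a
            // message body writer elsewhere). Both cache headers are set so the form, which
            // embeds the SAMLRequest and RelayState, is never served from an intermediate cache.
            Response postForm = Response.ok(requestInfo)
                    .type("text/html")
                    .header("Cache-Control", "no-cache, no-store")
                    .header("Pragma", PRAGMA_NO_CACHE)
                    .build();
            containerRequestContext.abortWith(postForm);
        } catch (Exception e) {
            // Filter-chain boundary: any failure becomes a 500 instead of letting the request
            // continue without the SSO round trip.
            throw ExceptionUtils.toInternalServerErrorException(e, null);
        }
    }

    /**
     * Serializes the AuthnRequest element and Base64-encodes it, deflating first if configured.
     *
     * @param element the DOM element of the (already signed) AuthnRequest
     * @return the Base64 string to place in the SAMLRequest form field
     * @throws IOException if DEFLATE compression fails
     */
    @Override // org.apache.cxf.rs.security.saml.sso.AbstractServiceProviderFilter
    protected String encodeAuthnRequest(Element element) throws IOException {
        byte[] xml = DOM2Writer.nodeToString(element).getBytes(StandardCharsets.UTF_8);
        byte[] payload = this.useDeflateEncoding ? new DeflateEncoderDecoder().deflateToken(xml) : xml;
        return Base64Utility.encode(payload);
    }

    /**
     * Attaches an enveloped XML signature (exclusive C14N, configured or key-derived algorithm,
     * KeyInfo carrying the entity certificate) to the AuthnRequest.
     *
     * @param authnRequest the request to sign; its DOM is released so the signature is
     *        (re)marshalled with the rest of the object
     * @throws Exception if no signing certificate is found for the configured alias or the
     *         KeyInfo cannot be generated; an internal-server-error exception is thrown when
     *         the crypto instance, signature user or callback handler is not configured
     */
    @Override // org.apache.cxf.rs.security.saml.sso.AbstractServiceProviderFilter
    protected void signAuthnRequest(AuthnRequest authnRequest) throws Exception {
        Crypto signatureCrypto = getSignatureCrypto();
        if (signatureCrypto == null) {
            LOG.warning("No crypto instance of properties file configured for signature");
            throw ExceptionUtils.toInternalServerErrorException(null, null);
        }
        String signatureUsername = getSignatureUsername();
        if (signatureUsername == null) {
            LOG.warning("No user configured for signature");
            throw ExceptionUtils.toInternalServerErrorException(null, null);
        }
        CallbackHandler callbackHandler = getCallbackHandler();
        if (callbackHandler == null) {
            LOG.warning("No CallbackHandler configured to supply a password for signature");
            throw ExceptionUtils.toInternalServerErrorException(null, null);
        }

        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
        cryptoType.setAlias(signatureUsername);
        X509Certificate[] issuerCerts = signatureCrypto.getX509Certificates(cryptoType);
        // An empty array is rejected as well: the original checked only for null and would have
        // failed with ArrayIndexOutOfBoundsException on issuerCerts[0].
        if (issuerCerts == null || issuerCerts.length == 0) {
            throw new Exception("No issuer certs were found to sign the request using name: " + signatureUsername);
        }

        String signatureAlgorithm = getSignatureAlgorithm();
        String keyAlgorithm = issuerCerts[0].getPublicKey().getAlgorithm();
        LOG.fine("automatic sig algo detection: " + keyAlgorithm);
        if (JCAConstants.KEY_ALGO_DSA.equalsIgnoreCase(keyAlgorithm)) {
            // NOTE(review): a DSA key overrides the configured algorithm with DSA-SHA1, i.e. a
            // SHA-1 based signature. Preserved as-is because callers may rely on it; the
            // configured algorithm is not consulted for DSA keys.
            signatureAlgorithm = DSA_SHA1_ALGORITHM;
        }
        LOG.fine("Using Signature algorithm " + signatureAlgorithm);

        // The key-store password is obtained through the configured callback, never from config here.
        WSPasswordCallback[] callbacks = {
            new WSPasswordCallback(signatureUsername, WSPasswordCallback.SIGNATURE)
        };
        callbackHandler.handle(callbacks);
        PrivateKey privateKey = signatureCrypto.getPrivateKey(signatureUsername, callbacks[0].getPassword());

        Signature signature = OpenSAMLUtil.buildSignature();
        signature.setCanonicalizationAlgorithm(EXC_C14N_ALGORITHM);
        signature.setSignatureAlgorithm(signatureAlgorithm);
        BasicX509Credential signingCredential = new BasicX509Credential(issuerCerts[0], privateKey);
        signature.setSigningCredential(signingCredential);

        X509KeyInfoGeneratorFactory keyInfoFactory = new X509KeyInfoGeneratorFactory();
        // Emit the entity certificate itself in KeyInfo rather than only a name or key value.
        keyInfoFactory.setEmitEntityCertificate(true);
        try {
            signature.setKeyInfo(keyInfoFactory.newInstance().generate(signingCredential));
            authnRequest.setSignature(signature);
            authnRequest.releaseDOM();
            authnRequest.releaseChildrenDOM(true);
        } catch (SecurityException e) {
            throw new Exception("Error generating KeyInfo from signing credential", e);
        } finally {
            // Runs on the error path too; the original only destroyed the key after success.
            destroyQuietly(privateKey);
        }
    }

    /**
     * Best-effort destruction of the private key handle once it has been attached to the
     * credential. Many JCA key implementations do not support destroy() and throw
     * {@link DestroyFailedException}; that is logged at FINE instead of being swallowed silently.
     *
     * @param privateKey the key to destroy; {@code null} is ignored
     */
    private void destroyQuietly(PrivateKey privateKey) {
        if (privateKey == null) {
            return;
        }
        try {
            privateKey.destroy();
        } catch (DestroyFailedException e) {
            LOG.log(Level.FINE, "Private key could not be destroyed", e);
        }
    }
}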
