package org.springframework.security.saml2.provider.service.authentication;

import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.time.Clock;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.xml.SerializeSupport;
import org.joda.time.DateTime;
import org.opensaml.core.config.ConfigurationService;
import org.opensaml.core.xml.config.XMLObjectProviderRegistry;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.impl.AuthnRequestBuilder;
import org.opensaml.saml.saml2.core.impl.AuthnRequestMarshaller;
import org.opensaml.saml.saml2.core.impl.IssuerBuilder;
import org.opensaml.saml.security.impl.SAMLMetadataSignatureSigningParametersResolver;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialSupport;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.SignatureSigningConfiguration;
import org.opensaml.xmlsec.SignatureSigningParameters;
import org.opensaml.xmlsec.criterion.SignatureSigningConfigurationCriterion;
import org.opensaml.xmlsec.crypto.XMLSigningUtil;
import org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration;
import org.opensaml.xmlsec.signature.support.SignatureSupport;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.saml2.Saml2Exception;
import org.springframework.security.saml2.core.OpenSamlInitializationService;
import org.springframework.security.saml2.credentials.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.authentication.Saml2RedirectAuthenticationRequest;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.util.UriComponentsBuilder;
import org.springframework.web.util.UriUtils;

/* loaded from: input_file:org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationRequestFactory.class */
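/**
 * {@link Saml2AuthenticationRequestFactory} backed by OpenSAML.
 *
 * <p>Produces a SAML 2.0 {@code AuthnRequest} for a relying party and serializes it
 * for either the HTTP-POST binding (XML signature embedded in the request, then
 * base64) or the HTTP-Redirect binding (DEFLATE + base64, with a detached
 * signature over the {@code SAMLRequest}, {@code RelayState} and {@code SigAlg}
 * query parameters). Signing is only performed when the asserting party's
 * metadata says it wants signed requests, and always uses RSA-SHA256, a SHA-256
 * reference digest and exclusive canonicalization.
 *
 * <p>The configuration setters simply assign fields and are not synchronized;
 * call them before the factory is shared across threads.
 */
public class OpenSamlAuthenticationRequestFactory implements Saml2AuthenticationRequestFactory {

    static {
        // OpenSAML must be bootstrapped before ConfigurationService.get(...) in the constructor
        // can return a populated registry.
        OpenSamlInitializationService.initialize();
    }

    private static final String HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";

    private static final String HTTP_REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";

    private static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    private static final String SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256";

    private static final String EXCLUSIVE_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#";

    private final AuthnRequestMarshaller marshaller;

    private final AuthnRequestBuilder authnRequestBuilder;

    private final IssuerBuilder issuerBuilder;

    // Injectable so that IssueInstant is deterministic in tests.
    private Clock clock = Clock.systemUTC();

    // Resolves the ProtocolBinding attribute of the AuthnRequest. A null context (only passed by the
    // deprecated createAuthenticationRequest) falls back to HTTP-POST; otherwise the relying party's
    // assertion consumer service binding is used.
    private Converter<Saml2AuthenticationRequestContext, String> protocolBindingResolver = (context) -> {
        if (context == null) {
            return HTTP_POST_BINDING;
        }
        return context.getRelyingPartyRegistration().getAssertionConsumerServiceBinding().getUrn();
    };

    private Converter<Saml2AuthenticationRequestContext, AuthnRequest> authenticationRequestContextConverter = this::createAuthnRequest;

    /**
     * Creates a factory that obtains its marshaller and builders from the global OpenSAML
     * {@link XMLObjectProviderRegistry}.
     */
    public OpenSamlAuthenticationRequestFactory() {
        XMLObjectProviderRegistry registry = ConfigurationService.get(XMLObjectProviderRegistry.class);
        this.marshaller = registry.getMarshallerFactory().getMarshaller(AuthnRequest.DEFAULT_ELEMENT_NAME);
        this.authnRequestBuilder = registry.getBuilderFactory().getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME);
        this.issuerBuilder = registry.getBuilderFactory().getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
    }

    /**
     * Creates and signs a serialized {@code AuthnRequest} using the first signing credential
     * found on the request.
     *
     * <p>Unlike the context-based methods, signing is unconditional here and the protocol
     * binding comes from {@link #setProtocolBinding(String)} (defaulting to HTTP-POST).
     * @param saml2AuthenticationRequest the request parameters, including the credentials
     * @return the signed AuthnRequest as an XML string (not encoded)
     * @throws IllegalArgumentException if no credential is marked as a signing credential
     * @throws Saml2Exception if signing or marshalling fails
     * @deprecated use {@link #createPostAuthenticationRequest} or
     * {@link #createRedirectAuthenticationRequest}
     */
    @Override
    @Deprecated
    public String createAuthenticationRequest(Saml2AuthenticationRequest saml2AuthenticationRequest) {
        String protocolBinding = this.protocolBindingResolver.convert(null);
        AuthnRequest authnRequest = createAuthnRequest(saml2AuthenticationRequest.getIssuer(),
                saml2AuthenticationRequest.getDestination(),
                saml2AuthenticationRequest.getAssertionConsumerServiceUrl(), protocolBinding);
        for (Saml2X509Credential credential : saml2AuthenticationRequest.getCredentials()) {
            if (!credential.isSigningCredential()) {
                continue;
            }
            BasicX509Credential signingCredential = toSigningCredential(credential.getCertificate(),
                    credential.getPrivateKey(), saml2AuthenticationRequest.getIssuer());
            SignatureSigningParameters parameters = new SignatureSigningParameters();
            parameters.setSigningCredential(signingCredential);
            parameters.setSignatureAlgorithm(RSA_SHA256);
            parameters.setSignatureReferenceDigestMethod(SHA256_DIGEST);
            parameters.setSignatureCanonicalizationAlgorithm(EXCLUSIVE_C14N);
            return serialize(sign(authnRequest, parameters));
        }
        throw new IllegalArgumentException("No signing credential provided");
    }

    /**
     * Creates an {@code AuthnRequest} for the HTTP-POST binding.
     *
     * <p>If the asserting party wants signed requests, the XML signature is embedded in the
     * request before serialization; the result is then base64 encoded.
     * @param saml2AuthenticationRequestContext the context describing the relying party and
     * request
     * @return the POST request carrying the encoded {@code SAMLRequest}
     * @throws Saml2Exception if signing or marshalling fails
     */
    @Override
    public Saml2PostAuthenticationRequest createPostAuthenticationRequest(
            Saml2AuthenticationRequestContext saml2AuthenticationRequestContext) {
        AuthnRequest authnRequest = this.authenticationRequestContextConverter.convert(saml2AuthenticationRequestContext);
        RelyingPartyRegistration registration = saml2AuthenticationRequestContext.getRelyingPartyRegistration();
        // POST binding: the signature lives inside the XML, so sign first, then serialize.
        String xml = registration.getAssertingPartyDetails().getWantAuthnRequestsSigned()
                ? serialize(sign(authnRequest, registration))
                : serialize(authnRequest);
        String encoded = Saml2Utils.samlEncode(xml.getBytes(StandardCharsets.UTF_8));
        return Saml2PostAuthenticationRequest.withAuthenticationRequestContext(saml2AuthenticationRequestContext)
                .samlRequest(encoded)
                .build();
    }

    /**
     * Creates an {@code AuthnRequest} for the HTTP-Redirect binding.
     *
     * <p>The request is DEFLATE-compressed and base64 encoded. If the asserting party wants
     * signed requests, a detached signature is computed over the {@code SAMLRequest},
     * {@code RelayState} (when present) and {@code SigAlg} query parameters and returned via
     * {@code sigAlg} and {@code signature}.
     * @param saml2AuthenticationRequestContext the context describing the relying party and
     * request
     * @return the redirect request
     * @throws Saml2Exception if signing or marshalling fails
     */
    @Override
    public Saml2RedirectAuthenticationRequest createRedirectAuthenticationRequest(
            Saml2AuthenticationRequestContext saml2AuthenticationRequestContext) {
        AuthnRequest authnRequest = this.authenticationRequestContextConverter.convert(saml2AuthenticationRequestContext);
        String xml = serialize(authnRequest);
        String deflatedAndEncoded = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(xml));
        Saml2RedirectAuthenticationRequest.Builder result = Saml2RedirectAuthenticationRequest
                .withAuthenticationRequestContext(saml2AuthenticationRequestContext);
        result.samlRequest(deflatedAndEncoded).relayState(saml2AuthenticationRequestContext.getRelayState());
        RelyingPartyRegistration registration = saml2AuthenticationRequestContext.getRelyingPartyRegistration();
        if (!registration.getAssertingPartyDetails().getWantAuthnRequestsSigned()) {
            return result.build();
        }
        Map<String, String> parameters = signedRedirectParameters(deflatedAndEncoded,
                saml2AuthenticationRequestContext.getRelayState(), registration);
        return result.sigAlg(parameters.get("SigAlg")).signature(parameters.get("Signature")).build();
    }

    /**
     * Assembles the redirect-binding query parameters in signing order and signs them.
     * @param samlRequest the deflated and base64-encoded request
     * @param relayState the relay state, omitted from the map when blank
     * @param registration the relying party whose signing credentials are used
     * @return the parameters including the added {@code SigAlg} and {@code Signature}
     */
    private Map<String, String> signedRedirectParameters(String samlRequest, String relayState,
            RelyingPartyRegistration registration) {
        // Insertion order matters: the signature covers the query string in exactly this order
        // (SAMLRequest, RelayState, SigAlg), which is what the receiving party will reconstruct.
        Map<String, String> parameters = new LinkedHashMap<>();
        parameters.put("SAMLRequest", samlRequest);
        if (StringUtils.hasText(relayState)) {
            parameters.put("RelayState", relayState);
        }
        sign(parameters, registration);
        return parameters;
    }

    /**
     * Default {@code authenticationRequestContextConverter}: derives the AuthnRequest fields
     * from the context and the configured protocol binding resolver.
     */
    private AuthnRequest createAuthnRequest(Saml2AuthenticationRequestContext context) {
        return createAuthnRequest(context.getIssuer(), context.getDestination(),
                context.getAssertionConsumerServiceUrl(), this.protocolBindingResolver.convert(context));
    }

    /**
     * Builds an unsigned {@code AuthnRequest} with a random ID and the current issue instant.
     * @param issuer the relying party entity id placed in {@code Issuer}
     * @param destination the asserting party endpoint placed in {@code Destination}
     * @param assertionConsumerServiceUrl the relying party ACS URL
     * @param protocolBinding the URN placed in {@code ProtocolBinding}
     * @return the populated request, with ForceAuthn and IsPassive set to false
     */
    private AuthnRequest createAuthnRequest(String issuer, String destination, String assertionConsumerServiceUrl,
            String protocolBinding) {
        AuthnRequest authnRequest = this.authnRequestBuilder.buildObject();
        // The "ARQ" prefix keeps the ID a valid xsd:ID (an NCName may not start with a digit);
        // the random UUID makes the ID unguessable for InResponseTo matching.
        authnRequest.setID("ARQ" + UUID.randomUUID().toString().substring(1));
        authnRequest.setIssueInstant(new DateTime(this.clock.millis()));
        authnRequest.setForceAuthn(Boolean.FALSE);
        authnRequest.setIsPassive(Boolean.FALSE);
        authnRequest.setProtocolBinding(protocolBinding);
        Issuer issuerElement = this.issuerBuilder.buildObject();
        issuerElement.setValue(issuer);
        authnRequest.setIssuer(issuerElement);
        authnRequest.setDestination(destination);
        authnRequest.setAssertionConsumerServiceURL(assertionConsumerServiceUrl);
        return authnRequest;
    }

    /**
     * Replaces the strategy that turns a context into an {@code AuthnRequest}.
     * @param converter the converter; must not be null
     */
    public void setAuthenticationRequestContextConverter(
            Converter<Saml2AuthenticationRequestContext, AuthnRequest> converter) {
        Assert.notNull(converter, "authenticationRequestContextConverter cannot be null");
        this.authenticationRequestContextConverter = converter;
    }

    /**
     * Sets the clock used for {@code IssueInstant}; defaults to {@link Clock#systemUTC()}.
     * @param clock the clock; must not be null
     */
    public void setClock(Clock clock) {
        Assert.notNull(clock, "clock cannot be null");
        this.clock = clock;
    }

    /**
     * Forces a fixed {@code ProtocolBinding} regardless of the relying party registration.
     * @param protocolBinding either the HTTP-POST or the HTTP-Redirect binding URN
     * @throws IllegalArgumentException for any other value
     * @deprecated the binding is now taken from the relying party's assertion consumer service
     */
    @Deprecated
    public void setProtocolBinding(String protocolBinding) {
        boolean supported = HTTP_POST_BINDING.equals(protocolBinding) || HTTP_REDIRECT_BINDING.equals(protocolBinding);
        if (!supported) {
            throw new IllegalArgumentException("Invalid protocol binding: " + protocolBinding);
        }
        this.protocolBindingResolver = (context) -> protocolBinding;
    }

    /** Signs the request with parameters resolved from the relying party's signing credentials. */
    private AuthnRequest sign(AuthnRequest authnRequest, RelyingPartyRegistration relyingPartyRegistration) {
        return sign(authnRequest, resolveSigningParameters(relyingPartyRegistration));
    }

    /**
     * Embeds an XML signature in the request.
     * @return the same (now signed) request instance
     * @throws Saml2Exception wrapping any OpenSAML failure
     */
    private AuthnRequest sign(AuthnRequest authnRequest, SignatureSigningParameters parameters) {
        try {
            SignatureSupport.signObject(authnRequest, parameters);
            return authnRequest;
        }
        catch (Exception ex) {
            throw new Saml2Exception(ex);
        }
    }

    /** Signs redirect-binding parameters with parameters resolved from the relying party. */
    private void sign(Map<String, String> parameters, RelyingPartyRegistration relyingPartyRegistration) {
        sign(parameters, resolveSigningParameters(relyingPartyRegistration));
    }

    /**
     * Computes the detached redirect-binding signature, adding {@code SigAlg} and then
     * {@code Signature} to the given (ordered) parameter map.
     * @param parameters the query parameters to sign, in the order they will appear
     * @param signingParameters supplies the credential and signature algorithm URI
     * @throws Saml2Exception if the signing operation fails
     */
    private void sign(Map<String, String> parameters, SignatureSigningParameters signingParameters) {
        Credential credential = signingParameters.getSigningCredential();
        String algorithmUri = signingParameters.getSignatureAlgorithm();
        parameters.put("SigAlg", algorithmUri);
        UriComponentsBuilder builder = UriComponentsBuilder.newInstance();
        for (Map.Entry<String, String> entry : parameters.entrySet()) {
            // Values are URL-encoded here so the signed bytes match the encoded query string the
            // receiver verifies; the encoding must stay consistent with the emitted redirect URL.
            builder.queryParam(entry.getKey(), UriUtils.encode(entry.getValue(), StandardCharsets.ISO_8859_1));
        }
        // build(true) treats the components as already encoded; substring(1) drops the leading '?'.
        String queryString = builder.build(true).toString().substring(1);
        try {
            byte[] signature = XMLSigningUtil.signWithURI(credential, algorithmUri,
                    queryString.getBytes(StandardCharsets.UTF_8));
            parameters.put("Signature", Saml2Utils.samlEncode(signature));
        }
        catch (SecurityException ex) {
            throw new Saml2Exception(ex);
        }
    }

    /**
     * Marshals the request to its XML string form.
     * @throws Saml2Exception if marshalling fails
     */
    private String serialize(AuthnRequest authnRequest) {
        try {
            return SerializeSupport.nodeToString(this.marshaller.marshall(authnRequest));
        }
        catch (MarshallingException ex) {
            throw new Saml2Exception(ex);
        }
    }

    /**
     * Resolves signing parameters (credential, RSA-SHA256, SHA-256 digest, exclusive c14n)
     * from the relying party's signing credentials.
     * @throws Saml2Exception if resolution fails or yields no parameters
     */
    private SignatureSigningParameters resolveSigningParameters(RelyingPartyRegistration relyingPartyRegistration) {
        List<Credential> credentials = resolveSigningCredentials(relyingPartyRegistration);
        List<String> algorithms = Collections.singletonList(RSA_SHA256);
        List<String> digests = Collections.singletonList(SHA256_DIGEST);
        BasicSignatureSigningConfiguration configuration = new BasicSignatureSigningConfiguration();
        configuration.setSigningCredentials(credentials);
        configuration.setSignatureAlgorithms(algorithms);
        configuration.setSignatureReferenceDigestMethods(digests);
        configuration.setSignatureCanonicalizationAlgorithm(EXCLUSIVE_C14N);
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new SignatureSigningConfigurationCriterion(configuration));
        SAMLMetadataSignatureSigningParametersResolver resolver = new SAMLMetadataSignatureSigningParametersResolver();
        try {
            SignatureSigningParameters parameters = resolver.resolveSingle(criteria);
            // Kept inside the try so a missing credential surfaces as Saml2Exception, like other failures.
            Assert.notNull(parameters, "Failed to resolve any signing credential");
            return parameters;
        }
        catch (Exception ex) {
            throw new Saml2Exception(ex);
        }
    }

    /**
     * Converts the relying party's X.509 signing credentials into OpenSAML credentials tagged
     * with the relying party entity id and {@link UsageType#SIGNING}.
     * @return the credentials, possibly empty
     */
    private List<Credential> resolveSigningCredentials(RelyingPartyRegistration relyingPartyRegistration) {
        List<Credential> credentials = new ArrayList<>();
        String entityId = relyingPartyRegistration.getEntityId();
        for (org.springframework.security.saml2.core.Saml2X509Credential credential : relyingPartyRegistration
                .getSigningX509Credentials()) {
            credentials.add(toSigningCredential(credential.getCertificate(), credential.getPrivateKey(), entityId));
        }
        return credentials;
    }

    /**
     * Wraps a certificate/private key pair as an OpenSAML signing credential.
     * @param certificate the certificate matching the private key
     * @param privateKey the key used to sign
     * @param entityId the entity id recorded on the credential
     * @return the credential with usage set to signing
     */
    private static BasicX509Credential toSigningCredential(X509Certificate certificate, PrivateKey privateKey,
            String entityId) {
        BasicX509Credential credential = CredentialSupport.getSimpleCredential(certificate, privateKey);
        credential.setEntityId(entityId);
        credential.setUsageType(UsageType.SIGNING);
        return credential;
    }

}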
