package org.pac4j.saml.client;

import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Timer;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.saml2.binding.encoding.HTTPPostEncoder;
import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.EncryptedAttribute;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.metadata.EntitiesDescriptor;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.provider.AbstractMetadataProvider;
import org.opensaml.saml2.metadata.provider.ChainingMetadataProvider;
import org.opensaml.saml2.metadata.provider.DOMMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider;
import org.opensaml.util.resource.ClasspathResource;
import org.opensaml.util.resource.FilesystemResource;
import org.opensaml.util.resource.Resource;
import org.opensaml.util.resource.ResourceException;
import org.opensaml.ws.message.encoder.MessageEncoder;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.parse.ParserPool;
import org.opensaml.xml.parse.StaticBasicParserPool;
import org.opensaml.xml.parse.XMLParserException;
import org.opensaml.xml.security.keyinfo.NamedKeyInfoGeneratorManager;
import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.pac4j.core.client.BaseClient;
import org.pac4j.core.client.Mechanism;
import org.pac4j.core.client.RedirectAction;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.exception.RequiresHttpAction;
import org.pac4j.core.exception.TechnicalException;
import org.pac4j.core.util.CommonHelper;
import org.pac4j.saml.context.ExtendedSAMLMessageContext;
import org.pac4j.saml.context.Saml2ContextProvider;
import org.pac4j.saml.credentials.Saml2Credentials;
import org.pac4j.saml.crypto.CredentialProvider;
import org.pac4j.saml.crypto.EncryptionProvider;
import org.pac4j.saml.crypto.SignatureTrustEngineProvider;
import org.pac4j.saml.exceptions.SamlException;
import org.pac4j.saml.metadata.Saml2MetadataGenerator;
import org.pac4j.saml.profile.Saml2Profile;
import org.pac4j.saml.sso.Saml2AuthnRequestBuilder;
import org.pac4j.saml.sso.Saml2ResponseValidator;
import org.pac4j.saml.sso.Saml2WebSSOProfileHandler;
import org.pac4j.saml.transport.Pac4jHTTPPostDecoder;
import org.pac4j.saml.util.VelocityEngineFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

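/**
 * pac4j client implementing the service-provider side of the SAML 2.0 Web SSO profile.
 *
 * <p>On {@link #internalInit()} the client bootstraps OpenSAML, loads the IdP metadata (inline
 * XML or a {@code resource:}/filesystem path), generates its own SP metadata and wires the
 * request builder, profile handler, signature trust engine and response validator. When a
 * keystore is configured, AuthnRequests are signed and encrypted assertion attributes can be
 * decrypted; without one, encrypted attributes are only logged and skipped.
 *
 * <p>Configuration is supplied through the setters and must be complete before the first call
 * that triggers {@code init()}. Keystore and private-key passwords are held as plain
 * {@link String}s because of the setter API; they are never logged by this class.
 */
public class Saml2Client extends BaseClient<Saml2Credentials, Saml2Profile> {

    protected static final Logger logger = LoggerFactory.getLogger(Saml2Client.class);

    /** Name under which the SP X509 KeyInfo generator is registered with OpenSAML. */
    public static final String SAML_METADATA_KEY_INFO_GENERATOR = "MetadataKeyInfoGenerator";

    /** Session attribute holding the RelayState to send with the AuthnRequest. */
    public static final String SAML_RELAY_STATE_ATTRIBUTE = "samlRelayState";

    /** SAML 2.0 binding URIs this client can use to deliver the AuthnRequest. */
    private static final String HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
    private static final String HTTP_REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";

    /** Prefix selecting a classpath resource in {@link #setIdpMetadataPath(String)}. */
    private static final String RESOURCE_PREFIX = "resource:";

    /** Velocity template rendering the auto-submitting form for the HTTP-POST binding. */
    private static final String POST_BINDING_TEMPLATE = "/templates/saml2-post-binding.vm";

    private String keystorePath;
    private String keystorePassword;
    private String privateKeyPassword;
    private String idpMetadata;
    private String idpMetadataPath;
    private String idpEntityId;
    private String spEntityId;
    private Integer maximumAuthenticationLifetime;
    private CredentialProvider credentialProvider;
    private Saml2ContextProvider contextProvider;
    private Saml2AuthnRequestBuilder authnRequestBuilder;
    private Saml2WebSSOProfileHandler handler;
    private Saml2ResponseValidator responseValidator;
    private SignatureTrustEngineProvider signatureTrustEngineProvider;
    // null when no keystore is configured; encrypted attributes are then skipped
    private Decrypter decrypter;
    private String spMetadata;
    private boolean forceAuth = false;
    private String comparisonType = null;
    private String destinationBindingType = HTTP_POST_BINDING;
    private String authnContextClassRef = null;
    private String nameIdPolicyFormat = null;

    /**
     * Validates the configuration and builds every collaborator used at request time.
     *
     * @throws TechnicalException if the callback URL is not absolute, the SP metadata provider
     *     cannot be initialized, or the IdP/SP providers cannot be chained
     * @throws SamlException if OpenSAML cannot be bootstrapped or the IdP metadata cannot be read
     * @throws UnsupportedOperationException if {@code destinationBindingType} is neither the
     *     HTTP-POST nor the HTTP-Redirect binding URI
     */
    @Override
    protected void internalInit() {
        CommonHelper.assertTrue(
                CommonHelper.isNotBlank(this.idpMetadata) || CommonHelper.isNotBlank(this.idpMetadataPath),
                "Either idpMetadata or idpMetadataPath must be provided");
        CommonHelper.assertNotBlank("callbackUrl", this.callbackUrl);
        // The callback URL is published as the AssertionConsumerService in SP metadata and sent to
        // the IdP, so it must be absolute. NOTE(review): this prefix test accepts any scheme that
        // merely begins with "http"; a strict "http://" / "https://" check would be tighter.
        if (!this.callbackUrl.startsWith("http")) {
            throw new TechnicalException("SAML callbackUrl must be absolute");
        }
        initCredentialProvider();
        try {
            DefaultBootstrap.bootstrap();
            registerMetadataKeyInfoGenerator();
            final StaticBasicParserPool parserPool = newStaticBasicParserPool();
            final AbstractMetadataProvider idpProvider = idpMetadataProvider(parserPool);
            if (this.idpEntityId == null) {
                this.idpEntityId = getIdpEntityId(getXmlObject(idpProvider));
            }
            final AbstractMetadataProvider spProvider = initSpMetadataProvider();
            final ChainingMetadataProvider chain = new ChainingMetadataProvider();
            try {
                chain.addMetadataProvider(idpProvider);
                chain.addMetadataProvider(spProvider);
            } catch (MetadataProviderException e) {
                throw new TechnicalException("Error adding idp or sp metadatas to manager", e);
            }
            this.contextProvider = new Saml2ContextProvider(chain, this.idpEntityId, this.spEntityId);
            this.authnRequestBuilder = new Saml2AuthnRequestBuilder(this.forceAuth, this.comparisonType,
                    this.destinationBindingType, this.authnContextClassRef, this.nameIdPolicyFormat);
            this.handler = new Saml2WebSSOProfileHandler(this.credentialProvider, newMessageEncoder(),
                    new Pac4jHTTPPostDecoder(parserPool), parserPool, this.destinationBindingType);
            // Signatures on inbound messages are verified against the certificates in the chained
            // (IdP + SP) metadata, so the IdP metadata source is the trust anchor of this client.
            this.signatureTrustEngineProvider = new SignatureTrustEngineProvider(chain);
            this.responseValidator = new Saml2ResponseValidator();
            if (this.maximumAuthenticationLifetime != null) {
                this.responseValidator.setMaximumAuthenticationLifetime(this.maximumAuthenticationLifetime.intValue());
            }
        } catch (ConfigurationException e) {
            throw new SamlException("Error bootstrapping OpenSAML", e);
        }
    }

    /**
     * Builds the credential provider and decrypter when any keystore property is set.
     * All three keystore properties must then be present; none of them is logged.
     */
    private void initCredentialProvider() {
        if (CommonHelper.isNotBlank(this.keystorePath) || CommonHelper.isNotBlank(this.keystorePassword)
                || CommonHelper.isNotBlank(this.privateKeyPassword)) {
            CommonHelper.assertNotBlank("keystorePath", this.keystorePath);
            CommonHelper.assertNotBlank("keystorePassword", this.keystorePassword);
            CommonHelper.assertNotBlank("privateKeyPassword", this.privateKeyPassword);
            this.credentialProvider = new CredentialProvider(this.keystorePath, this.keystorePassword,
                    this.privateKeyPassword);
            this.decrypter = new EncryptionProvider(this.credentialProvider).buildDecrypter();
        }
    }

    /** Registers a KeyInfo generator that emits the SP certificate (and chain) into SP metadata. */
    private void registerMetadataKeyInfoGenerator() {
        final NamedKeyInfoGeneratorManager manager =
                Configuration.getGlobalSecurityConfiguration().getKeyInfoGeneratorManager();
        final X509KeyInfoGeneratorFactory factory = new X509KeyInfoGeneratorFactory();
        factory.setEmitEntityCertificate(true);
        factory.setEmitEntityCertificateChain(true);
        manager.registerFactory(SAML_METADATA_KEY_INFO_GENERATOR, factory);
    }

    /**
     * Generates and initializes the SP metadata provider, caching the printed metadata in
     * {@code spMetadata}. Defaults {@code spEntityId} to the callback URL when blank.
     *
     * @return the initialized SP metadata provider
     * @throws TechnicalException if the provider cannot be initialized; a failure to print the
     *     metadata is only logged
     */
    private AbstractMetadataProvider initSpMetadataProvider() {
        final Saml2MetadataGenerator generator = new Saml2MetadataGenerator();
        if (this.credentialProvider != null) {
            // With a keystore the AuthnRequest is signed and the certificate is advertised.
            generator.setCredentialProvider(this.credentialProvider);
            generator.setAuthnRequestSigned(true);
        }
        if (CommonHelper.isBlank(this.spEntityId)) {
            this.spEntityId = getCallbackUrl();
        }
        generator.setEntityId(this.spEntityId);
        generator.setAssertionConsumerServiceUrl(getCallbackUrl());
        generator.setSingleLogoutServiceUrl(getCallbackUrl());
        final AbstractMetadataProvider spProvider = generator.buildMetadataProvider();
        try {
            spProvider.initialize();
            this.spMetadata = generator.printMetadata();
        } catch (MetadataProviderException e) {
            throw new TechnicalException("Error initializing spMetadataProvider", e);
        } catch (MarshallingException e) {
            logger.warn("Unable to print SP metadata", e);
        }
        return spProvider;
    }

    /**
     * Creates the outbound encoder matching {@code destinationBindingType}.
     *
     * @return an HTTP-POST or HTTP-Redirect (DEFLATE) encoder
     * @throws UnsupportedOperationException for any other binding URI
     */
    private MessageEncoder newMessageEncoder() {
        if (HTTP_POST_BINDING.equals(this.destinationBindingType)) {
            return new HTTPPostEncoder(VelocityEngineFactory.getEngine(), POST_BINDING_TEMPLATE);
        }
        if (HTTP_REDIRECT_BINDING.equals(this.destinationBindingType)) {
            return new HTTPRedirectDeflateEncoder();
        }
        throw new UnsupportedOperationException("Binding type - " + this.destinationBindingType + " is not supported");
    }

    /**
     * Returns a fresh, uninitialized client carrying this client's configuration.
     * Every user-settable property is copied, including {@code forceAuth}, which the
     * previous implementation dropped.
     */
    @Override
    protected BaseClient<Saml2Credentials, Saml2Profile> newClient() {
        final Saml2Client copy = new Saml2Client();
        copy.setKeystorePath(this.keystorePath);
        copy.setKeystorePassword(this.keystorePassword);
        copy.setPrivateKeyPassword(this.privateKeyPassword);
        copy.setIdpMetadata(this.idpMetadata);
        copy.setIdpMetadataPath(this.idpMetadataPath);
        copy.setIdpEntityId(this.idpEntityId);
        copy.setSpEntityId(this.spEntityId);
        copy.setMaximumAuthenticationLifetime(this.maximumAuthenticationLifetime);
        copy.setCallbackUrl(this.callbackUrl);
        copy.setDestinationBindingType(this.destinationBindingType);
        copy.setComparisonType(this.comparisonType);
        copy.setAuthnContextClassRef(this.authnContextClassRef);
        copy.setNameIdPolicyFormat(this.nameIdPolicyFormat);
        copy.setForceAuth(this.forceAuth);
        return copy;
    }

    /** The redirect is an encoded SAML message, never a plain location. */
    @Override
    protected boolean isDirectRedirection() {
        return false;
    }

    /**
     * Builds and encodes the AuthnRequest for the IdP.
     *
     * @param webContext the current web context
     * @return the rendered POST form for the HTTP-POST binding, otherwise a redirect to the
     *     DEFLATE-encoded request URL
     */
    @Override
    protected RedirectAction retrieveRedirectAction(final WebContext webContext) {
        final SAMLMessageContext context = this.contextProvider.buildSpAndIdpContext(webContext);
        this.handler.sendMessage(context, this.authnRequestBuilder.build(context), getStateParameter(webContext));
        if (this.destinationBindingType.equalsIgnoreCase(HTTP_POST_BINDING)) {
            return RedirectAction.success(context.getOutboundMessageTransport().getOutgoingContent());
        }
        return RedirectAction.redirect(context.getOutboundMessageTransport().getRedirectUrl());
    }

    /**
     * Decodes and validates the SAML response carried by the callback request.
     *
     * <p>The trust engine is built from metadata on every call; validation (signature, conditions,
     * authentication lifetime) is delegated to {@code responseValidator}. The decrypter may be
     * null when no keystore is configured.
     *
     * @param webContext the callback web context
     * @return credentials holding the subject NameID, attributes and assertion conditions
     * @throws RequiresHttpAction if the handler needs to interrupt the flow with an HTTP action
     */
    // The decompiled listing showed this method as m1retrieveCredentials (bridge-method artifact);
    // the override of BaseClient.retrieveCredentials is restored here.
    @Override
    public Saml2Credentials retrieveCredentials(final WebContext webContext) throws RequiresHttpAction {
        final ExtendedSAMLMessageContext context = this.contextProvider.buildSpContext(webContext);
        context.setAssertionConsumerUrl(getCallbackUrl());
        final SignatureTrustEngine trustEngine = this.signatureTrustEngineProvider.build();
        this.handler.receiveMessage(context, trustEngine);
        this.responseValidator.validateSamlResponse(context, trustEngine, this.decrypter);
        return buildSaml2Credentials(context);
    }

    /**
     * Creates and initializes the parser pool shared by metadata loading and message decoding.
     * NOTE(review): the pool is used with its default settings; XML hardening (DTD / external
     * entity handling) is whatever StaticBasicParserPool defaults to — confirm for untrusted input.
     *
     * @throws SamlException if the pool fails to initialize
     */
    protected StaticBasicParserPool newStaticBasicParserPool() {
        final StaticBasicParserPool pool = new StaticBasicParserPool();
        try {
            pool.initialize();
        } catch (XMLParserException e) {
            throw new SamlException("Error initializing parserPool", e);
        }
        return pool;
    }

    /**
     * Builds and initializes the IdP metadata provider from {@code idpMetadataPath} (preferred)
     * or the inline {@code idpMetadata} XML.
     *
     * @param parserPool the pool used to parse the metadata document
     * @return the initialized provider
     * @throws TechnicalException if the resource cannot be opened or the XML cannot be parsed
     * @throws SamlException if the provider cannot be initialized
     */
    protected AbstractMetadataProvider idpMetadataProvider(final ParserPool parserPool) {
        try {
            final AbstractMetadataProvider provider;
            if (this.idpMetadataPath != null) {
                // daemon timer so a background refresh never blocks JVM shutdown
                provider = new ResourceBackedMetadataProvider(new Timer(true), idpMetadataResource());
            } else {
                // Decode the inline XML as UTF-8 explicitly; the previous call used the platform
                // default charset and could corrupt non-ASCII metadata on some hosts.
                final ByteArrayInputStream in =
                        new ByteArrayInputStream(this.idpMetadata.getBytes(StandardCharsets.UTF_8));
                provider = new DOMMetadataProvider(parserPool.parse(in).getDocumentElement());
            }
            provider.setParserPool(parserPool);
            provider.initialize();
            return provider;
        } catch (ResourceException e) {
            throw new TechnicalException("Error getting idp Metadata resource", e);
        } catch (XMLParserException e) {
            throw new TechnicalException("Error parsing idp Metadata", e);
        } catch (MetadataProviderException e) {
            throw new SamlException("Error initializing idpMetadataProvider", e);
        }
    }

    /**
     * Resolves {@code idpMetadataPath} to a classpath resource ({@code resource:} prefix,
     * normalized to a leading slash) or a filesystem resource.
     */
    private Resource idpMetadataResource() throws ResourceException {
        if (this.idpMetadataPath.startsWith(RESOURCE_PREFIX)) {
            String path = this.idpMetadataPath.substring(RESOURCE_PREFIX.length());
            if (!path.startsWith("/")) {
                path = "/" + path;
            }
            return new ClasspathResource(path);
        }
        return new FilesystemResource(this.idpMetadataPath);
    }

    /**
     * Reads the metadata root object from an initialized provider.
     *
     * @throws SamlException wrapping any {@link MetadataProviderException}
     */
    protected XMLObject getXmlObject(final AbstractMetadataProvider provider) {
        try {
            return provider.getMetadata();
        } catch (MetadataProviderException e) {
            throw new SamlException("Error initializing idpMetadataProvider", e);
        }
    }

    /**
     * Extracts the IdP entity ID from the metadata root.
     *
     * <p>For an {@link EntitiesDescriptor} aggregate only the FIRST entity is used; when the
     * metadata lists several entities, set {@code idpEntityId} explicitly so the intended IdP
     * is trusted.
     *
     * @throws SamlException if no entity ID can be found
     */
    protected String getIdpEntityId(final XMLObject metadata) {
        if (metadata instanceof EntitiesDescriptor) {
            final List<EntityDescriptor> descriptors = ((EntitiesDescriptor) metadata).getEntityDescriptors();
            if (!descriptors.isEmpty()) {
                return descriptors.get(0).getEntityID();
            }
        } else if (metadata instanceof EntityDescriptor) {
            return ((EntityDescriptor) metadata).getEntityID();
        }
        throw new SamlException("No idp entityId found");
    }

    /**
     * Collects the subject NameID, conditions and all attributes of the validated assertion.
     * Encrypted attributes are decrypted when a keystore is configured; an attribute that fails
     * to decrypt is logged and skipped rather than failing the whole login.
     */
    private Saml2Credentials buildSaml2Credentials(final ExtendedSAMLMessageContext context) {
        final NameID nameId = context.getSubjectNameIdentifier();
        final Assertion assertion = context.getSubjectAssertion();
        final List<Attribute> attributes = new ArrayList<Attribute>();
        for (final AttributeStatement statement : assertion.getAttributeStatements()) {
            attributes.addAll(statement.getAttributes());
            final List<EncryptedAttribute> encrypted = statement.getEncryptedAttributes();
            if (encrypted.isEmpty()) {
                continue;
            }
            if (this.decrypter == null) {
                logger.warn("Encrypted attributes returned, but no keystore was provided.");
                continue;
            }
            for (final EncryptedAttribute encryptedAttribute : encrypted) {
                try {
                    attributes.add(this.decrypter.decrypt(encryptedAttribute));
                } catch (DecryptionException e) {
                    logger.warn("Decryption of attribute failed, continue with the next one", e);
                }
            }
        }
        return new Saml2Credentials(nameId, attributes, assertion.getConditions(), getName());
    }

    /**
     * Maps the credentials to a profile: the NameID value becomes the profile id and each
     * attribute's values are copied as the text content of their DOM elements.
     */
    @Override
    public Saml2Profile retrieveUserProfile(final Saml2Credentials credentials, final WebContext webContext) {
        final Saml2Profile profile = new Saml2Profile();
        profile.setId(credentials.getNameId().getValue());
        for (final Attribute attribute : credentials.getAttributes()) {
            final List<String> values = new ArrayList<String>();
            for (final XMLObject value : attribute.getAttributeValues()) {
                values.add(value.getDOM().getTextContent());
            }
            profile.addAttribute(attribute.getName(), values);
        }
        return profile;
    }

    /**
     * Returns the RelayState to send: the session attribute {@link #SAML_RELAY_STATE_ATTRIBUTE}
     * when present, otherwise the contextual callback URL.
     */
    protected String getStateParameter(final WebContext webContext) {
        final String relayState = (String) webContext.getSessionAttribute(SAML_RELAY_STATE_ATTRIBUTE);
        return relayState == null ? getContextualCallbackUrl(webContext) : relayState;
    }

    @Override
    public Mechanism getMechanism() {
        return Mechanism.SAML_PROTOCOL;
    }

    /** Inline IdP metadata XML; used only when no {@code idpMetadataPath} is set. */
    public void setIdpMetadata(final String idpMetadata) {
        this.idpMetadata = idpMetadata;
    }

    /** Path to IdP metadata: {@code resource:} for the classpath, otherwise a filesystem path. */
    public void setIdpMetadataPath(final String idpMetadataPath) {
        this.idpMetadataPath = idpMetadataPath;
    }

    /** IdP entity ID; derived from the metadata when null. */
    public void setIdpEntityId(final String idpEntityId) {
        this.idpEntityId = idpEntityId;
    }

    /** SP entity ID; defaults to the callback URL when blank. */
    public void setSpEntityId(final String spEntityId) {
        this.spEntityId = spEntityId;
    }

    public void setKeystorePath(final String keystorePath) {
        this.keystorePath = keystorePath;
    }

    public void setKeystorePassword(final String keystorePassword) {
        this.keystorePassword = keystorePassword;
    }

    public void setPrivateKeyPassword(final String privateKeyPassword) {
        this.privateKeyPassword = privateKeyPassword;
    }

    /** Maximum accepted age of the IdP authentication, forwarded to the response validator. */
    public void setMaximumAuthenticationLifetime(final Integer maximumAuthenticationLifetime) {
        this.maximumAuthenticationLifetime = maximumAuthenticationLifetime;
    }

    /** Initializes the client if needed and returns the generated SP metadata XML. */
    public String printClientMetadata() {
        init();
        return this.spMetadata;
    }

    public boolean isForceAuth() {
        return this.forceAuth;
    }

    public void setForceAuth(final boolean forceAuth) {
        this.forceAuth = forceAuth;
    }

    public String getComparisonType() {
        return this.comparisonType;
    }

    public void setComparisonType(final String comparisonType) {
        this.comparisonType = comparisonType;
    }

    public String getDestinationBindingType() {
        return this.destinationBindingType;
    }

    /** HTTP-POST (default) or HTTP-Redirect binding URI; validated at init. */
    public void setDestinationBindingType(final String destinationBindingType) {
        this.destinationBindingType = destinationBindingType;
    }

    public String getAuthnContextClassRef() {
        return this.authnContextClassRef;
    }

    public void setAuthnContextClassRef(final String authnContextClassRef) {
        this.authnContextClassRef = authnContextClassRef;
    }

    public String getNameIdPolicyFormat() {
        return this.nameIdPolicyFormat;
    }

    public void setNameIdPolicyFormat(final String nameIdPolicyFormat) {
        this.nameIdPolicyFormat = nameIdPolicyFormat;
    }
}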
