package org.springframework.security.saml2.provider.service.authentication;

import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.time.Clock;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.UUID;
import java.util.function.Consumer;
import java.util.function.Function;
import net.shibboleth.utilities.java.support.xml.SerializeSupport;
import org.joda.time.DateTime;
import org.opensaml.core.config.ConfigurationService;
import org.opensaml.core.xml.config.XMLObjectProviderRegistry;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.impl.AuthnRequestBuilder;
import org.opensaml.saml.saml2.core.impl.AuthnRequestMarshaller;
import org.opensaml.saml.saml2.core.impl.IssuerBuilder;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialSupport;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.SignatureSigningParameters;
import org.opensaml.xmlsec.crypto.XMLSigningUtil;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureSupport;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.saml2.Saml2Exception;
import org.springframework.security.saml2.core.OpenSamlInitializationService;
import org.springframework.security.saml2.credentials.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.authentication.Saml2RedirectAuthenticationRequest;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.util.UriUtils;

/* loaded from: input_file:org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationRequestFactory.class */
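/**
 * Builds SAML 2.0 {@code AuthnRequest} messages with OpenSAML and packages them for the
 * HTTP-POST and HTTP-Redirect bindings, signing them when the asserting party requires it
 * ({@code getWantAuthnRequestsSigned()}).
 *
 * <p>All signing uses RSA-SHA256 with SHA-256 reference digests and exclusive C14N, and always
 * takes the first signing credential of the {@link RelyingPartyRegistration}. The setters
 * replace the clock and the resolvers with plain, unsynchronized writes.
 */
public class OpenSamlAuthenticationRequestFactory implements Saml2AuthenticationRequestFactory {

    private static final String POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";

    private static final String REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";

    private static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    private static final String SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256";

    private static final String EXCLUSIVE_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#";

    private static final String NO_SIGNING_CREDENTIAL = "No signing credential provided";

    static {
        // OpenSAML must be bootstrapped before the registry lookups in the constructor
        OpenSamlInitializationService.initialize();
    }

    private final AuthnRequestMarshaller marshaller;

    private final AuthnRequestBuilder authnRequestBuilder;

    private final IssuerBuilder issuerBuilder;

    // Source of the IssueInstant attribute; replaceable via setClock (e.g. for tests)
    private Clock clock = Clock.systemUTC();

    // Resolves the ProtocolBinding attribute. A null context (legacy API) falls back to HTTP-POST,
    // otherwise the registration's assertion consumer service binding is used.
    private Converter<Saml2AuthenticationRequestContext, String> protocolBindingResolver = (context) -> {
        if (context == null) {
            return POST_BINDING;
        }
        return context.getRelyingPartyRegistration().getAssertionConsumerServiceBinding().getUrn();
    };

    // Hook applied to every AuthnRequest after it is built and before it is signed; no-op by default
    private Function<Saml2AuthenticationRequestContext, Consumer<AuthnRequest>> authnRequestConsumerResolver = (context) -> (authnRequest) -> {
    };

    /**
     * Looks up the OpenSAML marshaller and builders for {@code AuthnRequest} and {@code Issuer}
     * from the global {@link XMLObjectProviderRegistry}.
     */
    public OpenSamlAuthenticationRequestFactory() {
        XMLObjectProviderRegistry registry = ConfigurationService.get(XMLObjectProviderRegistry.class);
        this.marshaller = (AuthnRequestMarshaller) registry.getMarshallerFactory()
                .getMarshaller(AuthnRequest.DEFAULT_ELEMENT_NAME);
        this.authnRequestBuilder = registry.getBuilderFactory().getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME);
        this.issuerBuilder = registry.getBuilderFactory().getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
    }

    /**
     * Creates a signed, serialized {@code AuthnRequest} from the legacy request model.
     *
     * @param request the request description, including the candidate credentials
     * @return the signed request as an XML string
     * @throws IllegalArgumentException if none of the supplied credentials is a signing credential
     * @throws Saml2Exception if signing or serialization fails
     * @deprecated use {@link #createPostAuthenticationRequest} or
     * {@link #createRedirectAuthenticationRequest}
     */
    @Override
    @Deprecated
    public String createAuthenticationRequest(Saml2AuthenticationRequest request) {
        // No context is available here, so the binding resolver's null branch (HTTP-POST) applies
        AuthnRequest authnRequest = createAuthnRequest(request.getIssuer(), request.getDestination(),
                request.getAssertionConsumerServiceUrl(), this.protocolBindingResolver.convert(null));
        for (Saml2X509Credential candidate : request.getCredentials()) {
            if (candidate.isSigningCredential()) {
                Credential signingCredential = getSigningCredential(candidate.getCertificate(),
                        candidate.getPrivateKey(), request.getIssuer());
                return serialize(sign(authnRequest, signingCredential));
            }
        }
        throw new IllegalArgumentException(NO_SIGNING_CREDENTIAL);
    }

    /**
     * Creates an {@code AuthnRequest} for the HTTP-POST binding.
     *
     * <p>When the asserting party wants signed requests, the XML is signed with the first signing
     * credential of the registration before it is encoded; otherwise it is sent unsigned.
     *
     * @param context the request context
     * @return the encoded request
     * @throws IllegalArgumentException if signing is required but the registration has no signing credential
     * @throws Saml2Exception if signing or serialization fails
     */
    @Override
    public Saml2PostAuthenticationRequest createPostAuthenticationRequest(Saml2AuthenticationRequestContext context) {
        AuthnRequest authnRequest = createAuthnRequest(context);
        RelyingPartyRegistration registration = context.getRelyingPartyRegistration();
        String xml;
        if (registration.getAssertingPartyDetails().getWantAuthnRequestsSigned()) {
            xml = serialize(sign(authnRequest, registration));
        }
        else {
            xml = serialize(authnRequest);
        }
        String samlRequest = Saml2Utils.samlEncode(xml.getBytes(StandardCharsets.UTF_8));
        return Saml2PostAuthenticationRequest.withAuthenticationRequestContext(context)
                .samlRequest(samlRequest)
                .build();
    }

    /**
     * Creates an {@code AuthnRequest} for the HTTP-Redirect binding.
     *
     * <p>The XML is deflated and encoded by {@link Saml2Utils}. When the asserting party wants
     * signed requests, the query parameters (not the XML) are signed with the first signing
     * credential of the registration and the {@code SigAlg}/{@code Signature} parameters are added.
     *
     * @param context the request context
     * @return the encoded request, with signature parameters when required
     * @throws Saml2Exception if signing is required but the registration has no signing credential,
     * or if signing or serialization fails
     */
    @Override
    public Saml2RedirectAuthenticationRequest createRedirectAuthenticationRequest(Saml2AuthenticationRequestContext context) {
        String xml = serialize(createAuthnRequest(context));
        Saml2RedirectAuthenticationRequest.Builder builder = Saml2RedirectAuthenticationRequest
                .withAuthenticationRequestContext(context);
        String samlRequest = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(xml));
        builder.samlRequest(samlRequest).relayState(context.getRelayState());
        RelyingPartyRegistration registration = context.getRelyingPartyRegistration();
        if (!registration.getAssertingPartyDetails().getWantAuthnRequestsSigned()) {
            return builder.build();
        }
        org.springframework.security.saml2.core.Saml2X509Credential credential = firstOrNull(
                registration.getSigningX509Credentials());
        if (credential == null) {
            throw new Saml2Exception(NO_SIGNING_CREDENTIAL);
        }
        // NOTE(review): the redirect path registers the credential with an empty entity id, whereas
        // the POST path uses the registration's entity id; preserved as is.
        Credential signingCredential = getSigningCredential(credential.getCertificate(), credential.getPrivateKey(), "");
        Map<String, String> parameters = signQueryParameters(signingCredential, samlRequest, context.getRelayState());
        return builder.samlRequest(parameters.get("SAMLRequest"))
                .relayState(parameters.get("RelayState"))
                .sigAlg(parameters.get("SigAlg"))
                .signature(parameters.get("Signature"))
                .build();
    }

    /**
     * Builds the {@code AuthnRequest} for a context and applies the configured consumer hook.
     *
     * @param context the request context
     * @return the unsigned request
     */
    private AuthnRequest createAuthnRequest(Saml2AuthenticationRequestContext context) {
        AuthnRequest authnRequest = createAuthnRequest(context.getIssuer(), context.getDestination(),
                context.getAssertionConsumerServiceUrl(), this.protocolBindingResolver.convert(context));
        // Customization hook runs before any signing so its changes are covered by the signature
        this.authnRequestConsumerResolver.apply(context).accept(authnRequest);
        return authnRequest;
    }

    /**
     * Builds an unsigned {@code AuthnRequest} with a fresh random ID and the current instant.
     *
     * @param issuer the issuer entity id
     * @param destination the destination URL
     * @param assertionConsumerServiceUrl the ACS URL the response should go to
     * @param protocolBinding the ProtocolBinding URN
     * @return the populated request; ForceAuthn and IsPassive are both set to false
     */
    private AuthnRequest createAuthnRequest(String issuer, String destination, String assertionConsumerServiceUrl,
            String protocolBinding) {
        AuthnRequest authnRequest = this.authnRequestBuilder.buildObject();
        // "ARQ" replaces the UUID's first character, presumably so the xs:ID value starts with a letter
        authnRequest.setID("ARQ" + UUID.randomUUID().toString().substring(1));
        authnRequest.setIssueInstant(new DateTime(this.clock.millis()));
        authnRequest.setForceAuthn(Boolean.FALSE);
        authnRequest.setIsPassive(Boolean.FALSE);
        authnRequest.setProtocolBinding(protocolBinding);
        Issuer issuerElement = this.issuerBuilder.buildObject();
        issuerElement.setValue(issuer);
        authnRequest.setIssuer(issuerElement);
        authnRequest.setDestination(destination);
        authnRequest.setAssertionConsumerServiceURL(assertionConsumerServiceUrl);
        return authnRequest;
    }

    /**
     * Sets the hook that customizes each {@code AuthnRequest} after it is built and before it is signed.
     *
     * @param authnRequestConsumerResolver resolves the consumer for a given context
     * @throws IllegalArgumentException if {@code authnRequestConsumerResolver} is null
     */
    public void setAuthnRequestConsumerResolver(
            Function<Saml2AuthenticationRequestContext, Consumer<AuthnRequest>> authnRequestConsumerResolver) {
        Assert.notNull(authnRequestConsumerResolver, "authnRequestConsumerResolver cannot be null");
        this.authnRequestConsumerResolver = authnRequestConsumerResolver;
    }

    /**
     * Sets the clock used for the {@code IssueInstant} attribute.
     *
     * @param clock the clock
     * @throws IllegalArgumentException if {@code clock} is null
     */
    public void setClock(Clock clock) {
        Assert.notNull(clock, "clock cannot be null");
        this.clock = clock;
    }

    /**
     * Fixes the {@code ProtocolBinding} attribute to one value for every request, overriding the
     * per-registration resolution.
     *
     * @param protocolBinding the HTTP-POST or HTTP-Redirect binding URN
     * @throws IllegalArgumentException if the URN is neither of the two supported bindings
     * @deprecated the binding is taken from the registration's assertion consumer service by default
     */
    @Deprecated
    public void setProtocolBinding(String protocolBinding) {
        boolean supported = POST_BINDING.equals(protocolBinding) || REDIRECT_BINDING.equals(protocolBinding);
        if (!supported) {
            throw new IllegalArgumentException("Invalid protocol binding: " + protocolBinding);
        }
        this.protocolBindingResolver = (context) -> protocolBinding;
    }

    /**
     * Signs the request with the first signing credential of the registration.
     *
     * @param authnRequest the request to sign
     * @param registration the registration supplying credentials and the entity id
     * @return the same request, now signed
     * @throws IllegalArgumentException if the registration has no signing credential
     */
    private AuthnRequest sign(AuthnRequest authnRequest, RelyingPartyRegistration registration) {
        org.springframework.security.saml2.core.Saml2X509Credential credential = firstOrNull(
                registration.getSigningX509Credentials());
        if (credential == null) {
            throw new IllegalArgumentException(NO_SIGNING_CREDENTIAL);
        }
        Credential signingCredential = getSigningCredential(credential.getCertificate(), credential.getPrivateKey(),
                registration.getEntityId());
        return sign(authnRequest, signingCredential);
    }

    /**
     * Signs the request XML with RSA-SHA256, SHA-256 reference digests and exclusive C14N.
     *
     * @param authnRequest the request to sign
     * @param credential the signing credential
     * @return the same request, now signed
     * @throws Saml2Exception wrapping any OpenSAML marshalling, signature or security failure
     */
    private AuthnRequest sign(AuthnRequest authnRequest, Credential credential) {
        SignatureSigningParameters parameters = new SignatureSigningParameters();
        parameters.setSigningCredential(credential);
        parameters.setSignatureAlgorithm(RSA_SHA256);
        parameters.setSignatureReferenceDigestMethod(SHA256_DIGEST);
        parameters.setSignatureCanonicalizationAlgorithm(EXCLUSIVE_C14N);
        try {
            SignatureSupport.signObject(authnRequest, parameters);
            return authnRequest;
        }
        catch (MarshallingException | SignatureException | SecurityException ex) {
            throw new Saml2Exception(ex);
        }
    }

    /**
     * Wraps a certificate and private key as an OpenSAML signing credential.
     *
     * @param certificate the certificate
     * @param privateKey the private key
     * @param entityId the entity id to attach (may be empty)
     * @return the credential, marked for {@link UsageType#SIGNING}
     */
    private Credential getSigningCredential(X509Certificate certificate, PrivateKey privateKey, String entityId) {
        BasicX509Credential credential = CredentialSupport.getSimpleCredential(certificate, privateKey);
        credential.setEntityId(entityId);
        credential.setUsageType(UsageType.SIGNING);
        return credential;
    }

    /**
     * Signs the HTTP-Redirect query parameters and returns them, in order, with the signature appended.
     *
     * <p>The signed input is the query string {@code SAMLRequest=...[&RelayState=...]&SigAlg=...}
     * with each value URL-encoded as ISO-8859-1 and the whole string taken as UTF-8 bytes. The
     * parameter order and encoding must stay exactly this, since the recipient rebuilds the same
     * bytes to verify the signature. The returned values are the un-encoded inputs.
     *
     * @param credential the signing credential
     * @param samlRequest the already deflated and encoded request
     * @param relayState the relay state; omitted from both the signed input and the result when blank
     * @return {@code SAMLRequest}, optional {@code RelayState}, {@code SigAlg} and {@code Signature}, in that order
     * @throws IllegalArgumentException if {@code samlRequest} is null
     * @throws Saml2Exception wrapping an OpenSAML security failure
     */
    private Map<String, String> signQueryParameters(Credential credential, String samlRequest, String relayState) {
        Assert.notNull(samlRequest, "samlRequest cannot be null");
        boolean hasRelayState = StringUtils.hasText(relayState);
        StringBuilder query = new StringBuilder();
        query.append("SAMLRequest").append("=")
                .append(UriUtils.encode(samlRequest, StandardCharsets.ISO_8859_1)).append("&");
        if (hasRelayState) {
            query.append("RelayState").append("=")
                    .append(UriUtils.encode(relayState, StandardCharsets.ISO_8859_1)).append("&");
        }
        query.append("SigAlg").append("=").append(UriUtils.encode(RSA_SHA256, StandardCharsets.ISO_8859_1));
        try {
            String signature = Saml2Utils.samlEncode(XMLSigningUtil.signWithURI(credential, RSA_SHA256,
                    query.toString().getBytes(StandardCharsets.UTF_8)));
            Map<String, String> parameters = new LinkedHashMap<>();
            parameters.put("SAMLRequest", samlRequest);
            if (hasRelayState) {
                parameters.put("RelayState", relayState);
            }
            parameters.put("SigAlg", RSA_SHA256);
            parameters.put("Signature", signature);
            return parameters;
        }
        catch (SecurityException ex) {
            throw new Saml2Exception(ex);
        }
    }

    /**
     * Marshals the request to its XML string form.
     *
     * @param authnRequest the request
     * @return the XML
     * @throws Saml2Exception wrapping a marshalling failure
     */
    private String serialize(AuthnRequest authnRequest) {
        try {
            return SerializeSupport.nodeToString(this.marshaller.marshall(authnRequest));
        }
        catch (MarshallingException ex) {
            throw new Saml2Exception(ex);
        }
    }

    /**
     * Returns the first element of {@code items}, or null when there is none.
     */
    private static <T> T firstOrNull(Iterable<T> items) {
        Iterator<T> iterator = items.iterator();
        return iterator.hasNext() ? iterator.next() : null;
    }
}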
