package otoroshi.auth;

import akka.http.scaladsl.util.FastFuture$;
import com.nimbusds.jose.util.X509CertUtils;
import java.io.ByteArrayInputStream;
import java.io.InputStreamReader;
import java.io.Reader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.ZonedDateTime;
import java.util.ArrayList;
import java.util.List;
import java.util.UUID;
import java.util.zip.Deflater;
import java.util.zip.Inflater;
import java.util.zip.InflaterInputStream;
import javax.xml.namespace.QName;
import net.shibboleth.utilities.java.support.xml.BasicParserPool;
import org.apache.commons.codec.binary.Base64;
import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.NameIDPolicy;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.SignatureSigningParameters;
import org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.ChainingKeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.impl.SignatureBuilder;
import org.opensaml.xmlsec.signature.impl.SignatureImpl;
import org.opensaml.xmlsec.signature.support.SignatureSupport;
import org.w3c.dom.Document;
import otoroshi.env.Env;
import otoroshi.security.IdGenerator$;
import otoroshi.ssl.DynamicSSLEngineProvider$;
import otoroshi.ssl.PemHeaders$;
import play.api.Logger;
import play.api.Logger$;
import play.api.MarkerContext$;
import scala.Array$;
import scala.Function1;
import scala.MatchError;
import scala.None$;
import scala.Option;
import scala.Predef$;
import scala.Serializable;
import scala.Some;
import scala.collection.Seq;
import scala.collection.immutable.List$;
import scala.collection.immutable.Map;
import scala.collection.immutable.Nil$;
import scala.collection.mutable.ArrayOps;
import scala.collection.mutable.Set;
import scala.concurrent.ExecutionContext;
import scala.concurrent.Future;
import scala.jdk.CollectionConverters$;
import scala.package$;
import scala.reflect.ClassTag$;
import scala.runtime.BoxedUnit;
import scala.runtime.BoxesRunTime;
import scala.util.Either;
import scala.util.Left;
import scala.util.Right;
import scala.util.Try$;

/* compiled from: SAMLClient.scala */
/* loaded from: input_file:otoroshi/auth/SAMLModule$.class */
/**
 * Companion object of {@code SAMLModule} (JADX decompilation of Scala code, hence
 * {@code MODULE$}, {@code $lzycompute}, {@code BoxedUnit} and the {@code Left}/{@code Right}
 * {@code instanceof} chains that stand in for Scala pattern matches).
 *
 * <p>Groups the SAML helpers used by the auth module: building and optionally signing
 * {@code AuthnRequest}/{@code LogoutRequest} documents, encoding them for transport,
 * and parsing, decrypting and validating an incoming SAML {@code Response}.
 *
 * <p>Security-relevant entry points are {@link #decodeAndValidateSamlResponse},
 * {@link #decodeAndInflate}, {@link #createDOMParser} and {@link #signSAMLObject};
 * see the notes on each.
 */
public final class SAMLModule$ implements Serializable {
    // Scala singleton instance, assigned in the private constructor.
    public static SAMLModule$ MODULE$;
    // Backing field of the Scala `lazy val logger`.
    private Logger logger;
    // Initialization flag for the lazy val (Scala bitmap encoding).
    private volatile boolean bitmap$0;

    static {
        new SAMLModule$();
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v0 */
    /* JADX WARN: Type inference failed for: r0v1, types: [java.lang.Throwable] */
    /* JADX WARN: Type inference failed for: r0v8, types: [otoroshi.auth.SAMLModule$] */
    /**
     * Lazily creates the "SAMLModule" logger under the instance monitor and sets
     * {@code bitmap$0}. The {@code ??} type is a decompiler artifact (this is not
     * compilable Java as written); it is the generated Scala lazy-val initializer.
     */
    private Logger logger$lzycompute() {
        ?? r0 = this;
        synchronized (r0) {
            if (!this.bitmap$0) {
                this.logger = Logger$.MODULE$.apply("SAMLModule");
                r0 = this;
                r0.bitmap$0 = true;
            }
        }
        return this.logger;
    }

    /** Returns the module logger, computing it on first access. */
    public Logger logger() {
        return !this.bitmap$0 ? logger$lzycompute() : this.logger;
    }

    /**
     * Builds a fresh {@code SamlAuthModuleConfig} with a generated id
     * ({@code auth_mod_<uuid>}), placeholder name/description, an empty certificate
     * list and an empty metadata map; every other field takes the case-class default.
     */
    public SamlAuthModuleConfig defaultConfig() {
        String namedId = IdGenerator$.MODULE$.namedId("auth_mod", IdGenerator$.MODULE$.uuid());
        Seq seq = Nil$.MODULE$;
        Map empty = Predef$.MODULE$.Map().empty();
        return new SamlAuthModuleConfig(namedId, "New auth. module", "New auth. module", true, SamlAuthModuleConfig$.MODULE$.apply$default$5(), SamlAuthModuleConfig$.MODULE$.apply$default$6(), "", None$.MODULE$, SamlAuthModuleConfig$.MODULE$.apply$default$9(), SamlAuthModuleConfig$.MODULE$.apply$default$10(), SamlAuthModuleConfig$.MODULE$.apply$default$11(), SamlAuthModuleConfig$.MODULE$.apply$default$12(), SamlAuthModuleConfig$.MODULE$.apply$default$13(), seq, empty, "", SamlAuthModuleConfig$.MODULE$.apply$default$17(), SamlAuthModuleConfig$.MODULE$.apply$default$18(), SamlAuthModuleConfig$.MODULE$.apply$default$19(), SamlAuthModuleConfig$.MODULE$.apply$default$20(), SamlAuthModuleConfig$.MODULE$.apply$default$21(), SamlAuthModuleConfig$.MODULE$.apply$default$22(), new SessionCookieValues(SessionCookieValues$.MODULE$.apply$default$1(), SessionCookieValues$.MODULE$.apply$default$2()), SamlAuthModuleConfig$.MODULE$.apply$default$24());
    }

    /**
     * Builds a SAML {@code AuthnRequest} for the configured IdP, signs it when the
     * module is configured to do so, and returns it deflated + base64url encoded.
     *
     * <p>The request carries the configured protocol binding, destination (SSO URL),
     * NameID format, issuer, a random subject NameID and the current issue instant.
     * The request ID is a random UUID prefixed with {@code "z"} (presumably so the
     * XML ID never starts with a digit — not verified here).
     *
     * @param env the Otoroshi environment (execution context, datastores)
     * @param samlAuthModuleConfig the SAML auth module configuration
     * @return {@code Right(encodedRequest)} or {@code Left(error)} if signing failed
     */
    public Future<Either<String, String>> getRequest(Env env, SamlAuthModuleConfig samlAuthModuleConfig) {
        ExecutionContext otoroshiExecutionContext = env.otoroshiExecutionContext();
        // OpenSAML is (re-)initialized on every call here; getLogoutRequest below does not do this.
        InitializationService.initialize();
        AuthnRequest buildObject = XMLObjectProviderRegistrySupport.getBuilderFactory().getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME).buildObject();
        buildObject.setProtocolBinding(samlAuthModuleConfig.ssoProtocolBinding().value());
        buildObject.setDestination(samlAuthModuleConfig.singleSignOnUrl());
        NameIDPolicy buildObject2 = buildObject(NameIDPolicy.DEFAULT_ELEMENT_NAME);
        buildObject2.setFormat(samlAuthModuleConfig.nameIDFormat().value());
        buildObject.setNameIDPolicy(buildObject2);
        buildObject.setID(new StringBuilder(1).append("z").append(UUID.randomUUID().toString()).toString());
        Issuer buildObject3 = buildObject(Issuer.DEFAULT_ELEMENT_NAME);
        buildObject3.setValue(samlAuthModuleConfig.issuer());
        buildObject.setIssuer(buildObject3);
        Subject buildObject4 = buildObject(Subject.DEFAULT_ELEMENT_NAME);
        NameID buildObject5 = buildObject(NameID.DEFAULT_ELEMENT_NAME);
        buildObject5.setValue(new StringBuilder(1).append("z").append(UUID.randomUUID().toString()).toString());
        buildObject4.setNameID(buildObject5);
        buildObject.setSubject(buildObject4);
        buildObject.setIssueInstant(Instant.now());
        // Scala `match` on Either: propagate the signing error, otherwise encode the signed request.
        return signSAMLObject(env, samlAuthModuleConfig, buildObject).map(either -> {
            if (either instanceof Left) {
                return package$.MODULE$.Left().apply((String) ((Left) either).value());
            }
            if (!(either instanceof Right)) {
                throw new MatchError(either);
            }
            return package$.MODULE$.Right().apply(MODULE$.xmlToBase64Encoded((RequestAbstractType) ((Right) either).value()));
        }, otoroshiExecutionContext);
    }

    /**
     * Builds a SAML 2.0 {@code LogoutRequest}, signs it when configured, and returns it
     * deflated + base64url encoded.
     *
     * <p>The NameID value is only set when {@code option} is defined. Note that the
     * {@code Issuer} element is attached without a value (unlike {@link #getRequest},
     * which sets the configured issuer) — NOTE(review): verify whether the IdP
     * accepts an empty issuer on logout.
     *
     * @param env the Otoroshi environment
     * @param samlAuthModuleConfig the SAML auth module configuration
     * @param option the NameID of the session being terminated, if known
     * @return {@code Right(encodedRequest)} or {@code Left(error)} if signing failed
     */
    public Future<Either<String, String>> getLogoutRequest(Env env, SamlAuthModuleConfig samlAuthModuleConfig, Option<String> option) {
        ExecutionContext otoroshiExecutionContext = env.otoroshiExecutionContext();
        LogoutRequest buildObject = buildObject(LogoutRequest.DEFAULT_ELEMENT_NAME);
        buildObject.setID(new StringBuilder(1).append("z").append(UUID.randomUUID().toString()).toString());
        buildObject.setVersion(SAMLVersion.VERSION_20);
        buildObject.setIssueInstant(ZonedDateTime.now().toInstant());
        // Issuer element created but never given a value.
        buildObject.setIssuer(buildObject(Issuer.DEFAULT_ELEMENT_NAME));
        NameID buildObject2 = buildObject(NameID.DEFAULT_ELEMENT_NAME);
        buildObject2.setFormat(samlAuthModuleConfig.nameIDFormat().value());
        option.foreach(str -> {
            buildObject2.setValue(str);
            return BoxedUnit.UNIT;
        });
        buildObject.setNameID(buildObject2);
        return signSAMLObject(env, samlAuthModuleConfig, buildObject).map(either -> {
            if (either instanceof Left) {
                return package$.MODULE$.Left().apply((String) ((Left) either).value());
            }
            if (!(either instanceof Right)) {
                throw new MatchError(either);
            }
            return package$.MODULE$.Right().apply(MODULE$.xmlToBase64Encoded((RequestAbstractType) ((Right) either).value()));
        }, otoroshiExecutionContext);
    }

    /**
     * Marshals the SAML request to XML text (UTF-8), raw-deflates it via
     * {@link #doDeflate} and base64url-encodes the result (commons-codec URL-safe
     * form, which omits padding).
     *
     * @param requestAbstractType the marshalled (and possibly signed) request
     * @return the transport-encoded request
     */
    public String xmlToBase64Encoded(RequestAbstractType requestAbstractType) {
        StringWriter stringWriter = new StringWriter();
        XMLHelper$.MODULE$.writeNode(XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(requestAbstractType).marshall(requestAbstractType), stringWriter);
        return Base64.encodeBase64URLSafeString(doDeflate(stringWriter.toString().getBytes(StandardCharsets.UTF_8)));
    }

    /**
     * Parses an encoded SAML {@code Response}, decrypts its encrypted assertions when the
     * module is configured for that, then validates it (issuer, signature, assertions)
     * with the configured validating certificates.
     *
     * <p>NOTE(review): the {@code Future} returned by {@link #decodeEncryptedAssertion}
     * is discarded on the next line. In the "certificate from the Otoroshi store" branch
     * the decryption runs asynchronously inside a {@code map} on the datastore lookup, so
     * {@code validate} and {@code response.getAssertions()} can execute before any
     * assertion has been decrypted. Confirm whether callers depend on the decrypted
     * assertions being present.
     *
     * @param env the Otoroshi environment
     * @param samlAuthModuleConfig the SAML auth module configuration
     * @param str the encoded SAML response
     * @param str2 the HTTP method of the binding ({@code "GET"} selects inflate, see {@link #decodeAndInflate})
     * @return {@code Right(assertions)} on successful validation, {@code Left(error)} otherwise
     */
    public Either<String, List<Assertion>> decodeAndValidateSamlResponse(Env env, SamlAuthModuleConfig samlAuthModuleConfig, String str, String str2) {
        Response response = (Response) parseResponse(str, str2);
        // Return value (a Future in two of three branches) is intentionally-or-accidentally ignored here.
        decodeEncryptedAssertion(env, samlAuthModuleConfig, response);
        // Declared type `Left` is a decompiler artifact; the value is matched as an Either below.
        Left validate = ValidatorUtils$.MODULE$.validate(response, samlAuthModuleConfig.issuer(), (scala.collection.immutable.List) samlAuthModuleConfig.validatingCertificates().map(str3 -> {
            return new BasicX509Credential(MODULE$.encodedCertToX509Certificate(str3));
        }, List$.MODULE$.canBuildFrom()), samlAuthModuleConfig.validateSignature(), samlAuthModuleConfig.validateAssertions());
        if (validate instanceof Left) {
            return package$.MODULE$.Left().apply((String) validate.value());
        }
        if (validate instanceof Right) {
            return package$.MODULE$.Right().apply(response.getAssertions());
        }
        throw new MatchError(validate);
    }

    /**
     * Reads a private key from PEM text. If {@code str} does not match the PEM private-key
     * pattern it is assumed to be a bare base64 body and is wrapped in
     * {@code BEGIN/END PRIVATE KEY} headers before being parsed.
     *
     * @param str PEM-encoded private key, with or without headers
     * @return {@code Right(key)} or {@code Left(error)}
     */
    public Either<String, PrivateKey> getPrivateKey(String str) {
        return !DynamicSSLEngineProvider$.MODULE$.PRIVATE_KEY_PATTERN().matcher(str).find() ? DynamicSSLEngineProvider$.MODULE$.readPrivateKeyUniversal("id", new StringBuilder(2).append(PemHeaders$.MODULE$.BeginPrivateKey()).append("\n").append(str).append("\n").append(PemHeaders$.MODULE$.EndPrivateKey()).toString(), None$.MODULE$, DynamicSSLEngineProvider$.MODULE$.readPrivateKeyUniversal$default$4()) : DynamicSSLEngineProvider$.MODULE$.readPrivateKeyUniversal("id", str, None$.MODULE$, DynamicSSLEngineProvider$.MODULE$.readPrivateKeyUniversal$default$4());
    }

    /**
     * Lists the algorithm names of every {@code KeyPairGenerator} service offered by the
     * installed JCA providers (Scala array ops, decompiled: flatMap services → filter by
     * type → map to algorithm).
     */
    public Seq<String> supportedKeyPairAlgorithms() {
        return new ArrayOps.ofRef(Predef$.MODULE$.refArrayOps((Object[]) new ArrayOps.ofRef(Predef$.MODULE$.refArrayOps((Object[]) new ArrayOps.ofRef(Predef$.MODULE$.refArrayOps((Object[]) new ArrayOps.ofRef(Predef$.MODULE$.refArrayOps(Security.getProviders())).flatMap(provider -> {
            return (Set) CollectionConverters$.MODULE$.asScalaSetConverter(provider.getServices()).asScala();
        }, Array$.MODULE$.canBuildFrom(ClassTag$.MODULE$.apply(Provider.Service.class))))).filter(service -> {
            return BoxesRunTime.boxToBoolean($anonfun$supportedKeyPairAlgorithms$2(service));
        }))).map(service2 -> {
            return service2.getAlgorithm();
        }, Array$.MODULE$.canBuildFrom(ClassTag$.MODULE$.apply(String.class))))).toSeq();
    }

    /**
     * Parses a certificate given either as (PEM-)base64 or as raw bytes.
     *
     * <p>When commons-codec considers {@code str} base64, the PEM header/footer and
     * newlines are stripped and the body is decoded with the strict
     * {@code java.util.Base64} decoder. Otherwise the string's bytes are passed as-is —
     * note the charset-less {@code getBytes()}, which uses the platform default.
     * {@code X509CertUtils.parse} yields {@code null} rather than throwing on
     * unparseable input (per the nimbus API docs), so callers wrapping the result in a
     * {@code BasicX509Credential} should expect that.
     *
     * @param str certificate text
     * @return the parsed certificate, or {@code null} if parsing failed
     */
    public X509Certificate encodedCertToX509Certificate(String str) {
        return X509CertUtils.parse(Base64.isBase64(str) ? java.util.Base64.getDecoder().decode(str.replace(PemHeaders$.MODULE$.BeginCertificate(), "").replace(PemHeaders$.MODULE$.EndCertificate(), "").replaceAll("\n", "")) : str.getBytes());
    }

    /**
     * Resolves a signing/encryption {@code Credential} to an OpenSAML credential.
     *
     * <p>Decompiled Scala match with two cases:
     * <ul>
     *   <li>{@code certId = Some(id), useOtoroshiCertificate = true}: load the certificate
     *       from the Otoroshi certificate store; {@code Left("Certificate not found")}
     *       if absent, {@code Left(error)} if its private key cannot be read.</li>
     *   <li>{@code certificate = Some(c), privateKey = Some(k), useOtoroshiCertificate = false}:
     *       parse the inline PEM certificate and key.</li>
     * </ul>
     * Any other shape yields {@code Right(None)} (no credential).
     *
     * <p>{@code cert.certificate().get()} in the store branch is an unchecked
     * {@code Option.get} — NOTE(review): confirm the datastore never returns a cert
     * entry without a parsed certificate.
     *
     * @param env the Otoroshi environment
     * @param credential the credential reference from the module configuration
     * @return {@code Right(Some(credential))}, {@code Right(None)} or {@code Left(error)}
     */
    public Future<Either<String, Option<BasicX509Credential>>> credentialToCertificate(Env env, Credential credential) {
        Left apply;
        ExecutionContext otoroshiExecutionContext = env.otoroshiExecutionContext();
        if (credential != null) {
            Some certId = credential.certId();
            boolean useOtoroshiCertificate = credential.useOtoroshiCertificate();
            if (certId instanceof Some) {
                String str = (String) certId.value();
                if (true == useOtoroshiCertificate) {
                    return env.datastores().certificatesDataStore().findById(str, otoroshiExecutionContext, env).map(option -> {
                        return (Either) option.map(cert -> {
                            if (MODULE$.logger().isDebugEnabled(MarkerContext$.MODULE$.NoMarker())) {
                                MODULE$.logger().debug(() -> {
                                    return "Using certificate from store";
                                }, MarkerContext$.MODULE$.NoMarker());
                            }
                            Left privateKey = MODULE$.getPrivateKey(cert.privateKey());
                            if (privateKey instanceof Left) {
                                return package$.MODULE$.Left().apply((String) privateKey.value());
                            }
                            if (!(privateKey instanceof Right)) {
                                throw new MatchError(privateKey);
                            }
                            return package$.MODULE$.Right().apply(new Some(new BasicX509Credential((X509Certificate) cert.certificate().get(), (PrivateKey) ((Right) privateKey).value())));
                        }).getOrElse(() -> {
                            return package$.MODULE$.Left().apply("Certificate not found");
                        });
                    }, otoroshiExecutionContext);
                }
            }
        }
        if (credential != null) {
            Some certificate = credential.certificate();
            Some privateKey = credential.privateKey();
            boolean useOtoroshiCertificate2 = credential.useOtoroshiCertificate();
            if (certificate instanceof Some) {
                String str2 = (String) certificate.value();
                if (privateKey instanceof Some) {
                    String str3 = (String) privateKey.value();
                    if (false == useOtoroshiCertificate2) {
                        Function1 successful = FastFuture$.MODULE$.successful();
                        Left privateKey2 = getPrivateKey(str3);
                        if (privateKey2 instanceof Left) {
                            apply = package$.MODULE$.Left().apply((String) privateKey2.value());
                        } else {
                            if (!(privateKey2 instanceof Right)) {
                                throw new MatchError(privateKey2);
                            }
                            apply = package$.MODULE$.Right().apply(new Some(new BasicX509Credential(encodedCertToX509Certificate(str2), (PrivateKey) ((Right) privateKey2).value())));
                        }
                        return (Future) successful.apply(apply);
                    }
                }
            }
        }
        // No usable credential configured: not an error, simply unsigned/unencrypted.
        return (Future) FastFuture$.MODULE$.successful().apply(package$.MODULE$.Right().apply(None$.MODULE$));
    }

    /**
     * Enveloped-signs the request when {@code credentials.signedDocuments} is enabled.
     *
     * <p>Builds a {@code Signature} element (X509 KeyInfo, configured canonicalization
     * and signature algorithms, signing credential), attaches it to the request and
     * signs via {@code SignatureSupport.signObject}. Failures are recovered by the
     * generated {@code SAMLModule$$anonfun$...} class, which is not visible in this file.
     *
     * <p>NOTE(review): when signing is enabled but {@link #credentialToCertificate}
     * resolves to {@code None} (e.g. no key configured), the request is returned
     * unsigned as a {@code Right} rather than as an error — confirm that is intended,
     * since the IdP may then receive an unsigned request despite the "signed" setting.
     *
     * @param env the Otoroshi environment
     * @param samlAuthModuleConfig the SAML auth module configuration
     * @param requestAbstractType the request to sign (mutated in place)
     * @return {@code Right(request)} (signed or not) or {@code Left(error)}
     */
    public Future<Either<String, RequestAbstractType>> signSAMLObject(Env env, SamlAuthModuleConfig samlAuthModuleConfig, RequestAbstractType requestAbstractType) {
        return samlAuthModuleConfig.credentials().signedDocuments() ? credentialToCertificate(env, samlAuthModuleConfig.credentials().signingKey()).map(either -> {
            if (either instanceof Left) {
                return package$.MODULE$.Left().apply((String) ((Left) either).value());
            }
            if (!(either instanceof Right)) {
                throw new MatchError(either);
            }
            Some some = (Option) ((Right) either).value();
            if (some instanceof Some) {
                BasicX509Credential basicX509Credential = (BasicX509Credential) some.value();
                return (Either) Try$.MODULE$.apply(() -> {
                    SignatureImpl buildObject = new SignatureBuilder().buildObject(Signature.DEFAULT_ELEMENT_NAME);
                    buildObject.setKeyInfo(new X509KeyInfoGeneratorFactory().newInstance().generate(basicX509Credential));
                    buildObject.setCanonicalizationAlgorithm(samlAuthModuleConfig.signature().canocalizationMethod().value());
                    buildObject.setSignatureAlgorithm(samlAuthModuleConfig.signature().algorithm().value());
                    buildObject.setSigningCredential(basicX509Credential);
                    requestAbstractType.setSignature(buildObject);
                    SignatureSigningParameters signatureSigningParameters = new SignatureSigningParameters();
                    signatureSigningParameters.setSigningCredential(basicX509Credential);
                    signatureSigningParameters.setSignatureCanonicalizationAlgorithm(samlAuthModuleConfig.signature().canocalizationMethod().value());
                    signatureSigningParameters.setKeyInfoGenerator(new X509KeyInfoGeneratorFactory().newInstance());
                    signatureSigningParameters.setSignatureAlgorithm(samlAuthModuleConfig.signature().algorithm().value());
                    SignatureSupport.signObject(requestAbstractType, signatureSigningParameters);
                    return package$.MODULE$.Right().apply(requestAbstractType);
                }).recover(new SAMLModule$$anonfun$$nestedInanonfun$signSAMLObject$1$1()).get();
            }
            if (None$.MODULE$.equals(some)) {
                // Signing requested but no credential resolved: request goes out unsigned.
                return package$.MODULE$.Right().apply(requestAbstractType);
            }
            throw new MatchError(some);
        }, env.otoroshiExecutionContext()) : (Future) FastFuture$.MODULE$.successful().apply(package$.MODULE$.Right().apply(requestAbstractType));
    }

    /**
     * Builds an empty OpenSAML object for the given element name via the registered
     * builder factory (callers cast to the concrete type).
     */
    public XMLObject buildObject(QName qName) {
        return XMLObjectProviderRegistrySupport.getBuilderFactory().getBuilder(qName).buildObject(qName);
    }

    /**
     * Decodes (and, for {@code "GET"}, inflates) the encoded response, parses it with
     * {@link #createDOMParser} and unmarshals the document element into an OpenSAML object.
     *
     * @param str the encoded SAML response
     * @param str2 the HTTP method of the binding
     * @return the unmarshalled root object (expected to be a {@code Response})
     */
    public XMLObject parseResponse(String str, String str2) {
        Document parse = createDOMParser().parse(decodeAndInflate(str, str2));
        return XMLObjectProviderRegistrySupport.getUnmarshallerFactory().getUnmarshaller(parse.getDocumentElement()).unmarshall(parse.getDocumentElement());
    }

    /**
     * Decrypts the response's {@code EncryptedAssertion}s in place when
     * {@code credentials.encryptedAssertions} is enabled and at least one is present.
     *
     * <p>Return type is {@code Object} because the branches return either
     * {@code BoxedUnit.UNIT} or a {@code Future<BoxedUnit>}.
     *
     * <p>Two credential shapes are handled (decompiled Scala match):
     * <ul>
     *   <li>inline certificate + private key ({@code useOtoroshiCertificate = false}):
     *       certificate decoded via {@code CertificateFactory}, key via
     *       {@link #getPrivateKey}. If the key cannot be read, the error is
     *       <em>silently dropped</em> and a completed future is returned — no log,
     *       no error to the caller, assertions stay encrypted.</li>
     *   <li>certificate from the Otoroshi store ({@code useOtoroshiCertificate = true}):
     *       asynchronous; a key-read failure is logged at error level and otherwise
     *       ignored. The alias passed to {@code readPrivateKeyUniversal} is the
     *       literal {@code "test"}.</li>
     * </ul>
     * Any other shape returns a completed future without decrypting.
     *
     * @param env the Otoroshi environment
     * @param samlAuthModuleConfig the SAML auth module configuration
     * @param response the parsed response, whose assertion list is appended to
     * @return {@code BoxedUnit.UNIT} or a {@code Future<BoxedUnit>}
     */
    public Object decodeEncryptedAssertion(Env env, SamlAuthModuleConfig samlAuthModuleConfig, Response response) {
        ExecutionContext otoroshiExecutionContext = env.otoroshiExecutionContext();
        if (!samlAuthModuleConfig.credentials().encryptedAssertions() || response.getEncryptedAssertions().size() <= 0) {
            return BoxedUnit.UNIT;
        }
        Credential encryptionKey = samlAuthModuleConfig.credentials().encryptionKey();
        if (encryptionKey != null) {
            Some certificate = encryptionKey.certificate();
            Some privateKey = encryptionKey.privateKey();
            boolean useOtoroshiCertificate = encryptionKey.useOtoroshiCertificate();
            if (certificate instanceof Some) {
                String str = (String) certificate.value();
                if (privateKey instanceof Some) {
                    String str2 = (String) privateKey.value();
                    if (false == useOtoroshiCertificate) {
                        X509Certificate x509Certificate = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(DynamicSSLEngineProvider$.MODULE$.base64Decode(str)));
                        // Declared type `Right` is a decompiler artifact; both sides are matched below.
                        Right privateKey2 = getPrivateKey(str2);
                        if (privateKey2 instanceof Right) {
                            return decodeAssertionWithCertificate(response, new BasicX509Credential(x509Certificate, (PrivateKey) privateKey2.value()));
                        }
                        if (privateKey2 instanceof Left) {
                            // Key parse error swallowed: nothing is logged and the caller sees success.
                            return (Future) FastFuture$.MODULE$.successful().apply(BoxedUnit.UNIT);
                        }
                        throw new MatchError(privateKey2);
                    }
                }
            }
        }
        if (encryptionKey != null) {
            Some certId = encryptionKey.certId();
            boolean useOtoroshiCertificate2 = encryptionKey.useOtoroshiCertificate();
            if (certId instanceof Some) {
                String str3 = (String) certId.value();
                if (true == useOtoroshiCertificate2) {
                    return env.datastores().certificatesDataStore().findById(str3, otoroshiExecutionContext, env).map(option -> {
                        return option.map(cert -> {
                            Left readPrivateKeyUniversal = DynamicSSLEngineProvider$.MODULE$.readPrivateKeyUniversal("test", cert.privateKey(), cert.password(), DynamicSSLEngineProvider$.MODULE$.readPrivateKeyUniversal$default$4());
                            if (readPrivateKeyUniversal instanceof Left) {
                                String str4 = (String) readPrivateKeyUniversal.value();
                                MODULE$.logger().error(() -> {
                                    return str4;
                                }, MarkerContext$.MODULE$.NoMarker());
                                return BoxedUnit.UNIT;
                            }
                            if (!(readPrivateKeyUniversal instanceof Right)) {
                                throw new MatchError(readPrivateKeyUniversal);
                            }
                            return MODULE$.decodeAssertionWithCertificate(response, new BasicX509Credential((X509Certificate) cert.certificate().get(), (PrivateKey) ((Right) readPrivateKeyUniversal).value()));
                        });
                    }, otoroshiExecutionContext);
                }
            }
        }
        return (Future) FastFuture$.MODULE$.successful().apply(BoxedUnit.UNIT);
    }

    /**
     * Raw-deflates {@code bArr} (zlib {@code nowrap = true}, level 9) in a single
     * {@code deflate} call into a buffer of {@code max(655316, length + 5)} bytes and
     * returns a trimmed copy of the produced bytes.
     *
     * <p>NOTE(review): {@code deflater.finished()} is not checked, so if the compressed
     * output does not fit the buffer in one call (possible for large, incompressible
     * input) the result is silently truncated. The {@code Deflater} is also never
     * {@code end()}ed, leaving native memory release to the cleaner.
     *
     * @param bArr the bytes to compress
     * @return the raw-deflated bytes
     */
    public byte[] doDeflate(byte[] bArr) {
        int i = 655316;
        if (655316 < bArr.length + 5) {
            i = bArr.length + 5;
        }
        byte[] bArr2 = new byte[i];
        Deflater deflater = new Deflater(9, true);
        deflater.setInput(bArr);
        deflater.finish();
        int deflate = deflater.deflate(bArr2);
        byte[] bArr3 = new byte[deflate];
        System.arraycopy(bArr2, 0, bArr3, 0, deflate);
        return bArr3;
    }

    /**
     * Decrypts every {@code EncryptedAssertion} of the response with the given credential
     * and appends the plaintext assertions to {@code response.getAssertions()}.
     *
     * <p>A new {@code Decrypter} is built per assertion: no KeyInfo credential resolver
     * for the data key, a static resolver for the key-encryption key, and an inline
     * {@code EncryptedKey} resolver. Decryption exceptions are not caught here and
     * propagate out of the {@code forEach}. The returned future is always already
     * completed.
     *
     * @param response the response to decrypt into (mutated)
     * @param basicX509Credential the decryption credential (certificate + private key)
     * @return a completed {@code Future<BoxedUnit>}
     */
    public Future<BoxedUnit> decodeAssertionWithCertificate(Response response, BasicX509Credential basicX509Credential) {
        ArrayList arrayList = new ArrayList();
        arrayList.add(new StaticKeyInfoCredentialResolver(basicX509Credential));
        response.getEncryptedAssertions().forEach(encryptedAssertion -> {
            Decrypter decrypter = new Decrypter((KeyInfoCredentialResolver) null, new ChainingKeyInfoCredentialResolver(arrayList), new InlineEncryptedKeyResolver());
            decrypter.setRootInNewDocument(true);
            response.getAssertions().add(decrypter.decrypt(encryptedAssertion));
        });
        return (Future) FastFuture$.MODULE$.successful().apply(BoxedUnit.UNIT);
    }

    /**
     * Creates and initializes a Shibboleth {@code BasicParserPool} with its default
     * settings; a new pool is created on every call.
     *
     * <p>NOTE(review): the parser is used on untrusted response XML and no features are
     * set explicitly here, so XXE/DTD hardening rests entirely on the library defaults
     * of the deployed java-support version — confirm that DOCTYPE declarations and
     * external entities are disabled by default in that version.
     */
    public BasicParserPool createDOMParser() {
        BasicParserPool basicParserPool = new BasicParserPool();
        basicParserPool.initialize();
        return basicParserPool;
    }

    /**
     * Base64-decodes the encoded response and wraps it in a UTF-8 reader; for the
     * {@code "GET"} binding the payload is additionally raw-inflated
     * ({@code Inflater(nowrap = true)}).
     *
     * <p>NOTE(review): no upper bound is enforced on the inflated size, so a small
     * crafted payload could expand to an arbitrarily large document before the parser
     * sees it (decompression-bomb exposure). Consider a size-limited stream wrapper.
     *
     * @param str the base64 (lenient, commons-codec) encoded response
     * @param str2 the HTTP method of the binding
     * @return a reader over the decoded XML
     */
    public Reader decodeAndInflate(String str, String str2) {
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(Base64.decodeBase64(str));
        return "GET".equals(str2) ? new InputStreamReader(new InflaterInputStream(byteArrayInputStream, new Inflater(true)), StandardCharsets.UTF_8) : new InputStreamReader(byteArrayInputStream, StandardCharsets.UTF_8);
    }

    /** Scala case-class companion {@code apply}. */
    public SAMLModule apply(SamlAuthModuleConfig samlAuthModuleConfig) {
        return new SAMLModule(samlAuthModuleConfig);
    }

    /** Scala case-class companion {@code unapply}: extracts the module's auth config. */
    public Option<SamlAuthModuleConfig> unapply(SAMLModule sAMLModule) {
        return sAMLModule == null ? None$.MODULE$ : new Some(sAMLModule.authConfig());
    }

    /** Preserves the singleton across Java serialization. */
    private Object readResolve() {
        return MODULE$;
    }

    /** Predicate used by {@link #supportedKeyPairAlgorithms}: keeps KeyPairGenerator services. */
    public static final /* synthetic */ boolean $anonfun$supportedKeyPairAlgorithms$2(Provider.Service service) {
        return service.getType().equals("KeyPairGenerator");
    }

    /** Scala object constructor: publishes the singleton instance. */
    private SAMLModule$() {
        MODULE$ = this;
    }
}
