package org.apereo.cas.support.saml.authentication.principal;

import java.io.StringWriter;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.HashMap;
import org.apereo.cas.authentication.principal.AbstractWebApplicationServiceResponseBuilder;
import org.apereo.cas.authentication.principal.Response;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.support.saml.util.GoogleSaml20ObjectBuilder;
import org.apereo.cas.util.ApplicationContextProvider;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml.saml2.core.Assertion;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.Assert;

/* loaded from: input_file:org/apereo/cas/support/saml/authentication/principal/GoogleAccountsServiceResponseBuilder.class */
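/**
 * Builds the signed SAML 2.0 response that is POSTed back to a Google Accounts
 * service provider after authentication.
 *
 * <p>Security-relevant points for reviewers:
 * <ul>
 *   <li>The response is only issued after the target service is found in the
 *       service registry and its access strategy allows access.</li>
 *   <li>The instance holds the signing {@link PrivateKey} in a non-transient field and
 *       declares a {@code serialVersionUID}. NOTE(review): if the superclass is
 *       {@code Serializable}, the key would be part of any serialized form - confirm
 *       and restrict where instances can be serialized to.</li>
 *   <li>The upper validity bounds are derived from {@code skewAllowance}; with the
 *       field default of 0 they equal the issue time.</li>
 * </ul>
 */
public class GoogleAccountsServiceResponseBuilder extends AbstractWebApplicationServiceResponseBuilder {
    private static final long serialVersionUID = -4584732364007702423L;
    private static final Logger LOGGER = LoggerFactory.getLogger(GoogleAccountsServiceResponseBuilder.class);

    // Signing material; assigned once in the constructor and never replaced.
    private final PrivateKey privateKey;
    private final PublicKey publicKey;
    private final GoogleSaml20ObjectBuilder samlObjectBuilder;

    // Seconds added to "now" for the validity bounds passed to newConditions/newSubject.
    private int skewAllowance;

    /**
     * Creates a builder bound to one signing key pair.
     *
     * @param privateKey key handed to the SAML object builder for signing; must not be null
     * @param publicKey public half handed to the SAML object builder; must not be null
     * @param googleSaml20ObjectBuilder factory for the SAML objects; must not be null
     * @throws IllegalArgumentException if any argument is null
     */
    public GoogleAccountsServiceResponseBuilder(PrivateKey privateKey, PublicKey publicKey, GoogleSaml20ObjectBuilder googleSaml20ObjectBuilder) {
        Assert.notNull(privateKey, "privateKey must not be null");
        Assert.notNull(publicKey, "publicKey must not be null");
        Assert.notNull(googleSaml20ObjectBuilder, "googleSaml20ObjectBuilder must not be null");
        this.privateKey = privateKey;
        this.publicKey = publicKey;
        this.samlObjectBuilder = googleSaml20ObjectBuilder;
    }

    /**
     * Builds the POST response carrying the signed SAML response and the relay state.
     *
     * @param webApplicationService the target service; must be a {@link GoogleAccountsService},
     *                              otherwise the cast below throws {@link ClassCastException}
     * @param str not used by this implementation
     * @return a POST response with the {@code SAMLResponse} and {@code RelayState} parameters
     */
    public Response build(WebApplicationService webApplicationService, String str) {
        GoogleAccountsService service = (GoogleAccountsService) webApplicationService;

        // The response is marshalled first and signed afterwards, so the text written to
        // the debug log in constructSamlResponse is the unsigned form.
        String samlResponse = constructSamlResponse(service);
        String signedResponse = this.samlObjectBuilder.signSamlResponse(samlResponse, this.privateKey, this.publicKey);

        HashMap<String, String> parameters = new HashMap<>();
        parameters.put("SAMLResponse", signedResponse);
        // RelayState is taken from the service object and echoed back unchanged.
        parameters.put("RelayState", service.getRelayState());
        return buildPost(service, parameters);
    }

    /**
     * Constructs the (unsigned) SAML response XML for the given service.
     *
     * @param googleAccountsService the service the response is issued for
     * @return the marshalled SAML response
     * @throws UnauthorizedServiceException if the service is not registered or its
     *                                      access strategy denies access
     */
    protected String constructSamlResponse(GoogleAccountsService googleAccountsService) {
        ZonedDateTime currentDateTime = ZonedDateTime.now(ZoneOffset.UTC);
        // Fixed instant from 2003, passed to newAssertion and as the first bound of
        // newConditions. NOTE(review): presumably the assertion issue instant and the
        // Conditions NotBefore - if so there is effectively no lower validity bound;
        // confirm against GoogleSaml20ObjectBuilder.
        ZonedDateTime notBeforeIssueInstant = ZonedDateTime.parse("2003-04-17T00:46:02Z");

        // Authorization gate: nothing is issued for unknown or disabled services.
        ServicesManager servicesManager = ApplicationContextProvider.getApplicationContext()
                .getBean("servicesManager", ServicesManager.class);
        RegisteredService registeredService = servicesManager.findServiceBy(googleAccountsService);
        if (registeredService == null || !registeredService.getAccessStrategy().isServiceAccessAllowed()) {
            throw new UnauthorizedServiceException("screen.service.error.message");
        }

        // The subject identifier comes from the service's configured username attribute provider.
        String userId = registeredService.getUsernameAttributeProvider()
                .resolveUsername(googleAccountsService.getPrincipal(), googleAccountsService);

        XMLObject response = this.samlObjectBuilder.newResponse(
                this.samlObjectBuilder.generateSecureRandomId(),
                currentDateTime,
                googleAccountsService.getId(),
                googleAccountsService);
        response.setStatus(this.samlObjectBuilder.newStatus("urn:oasis:names:tc:SAML:2.0:status:Success", null));

        // NOTE(review): the second argument is a hard-coded "https://www.opensaml.org/IDP"
        // (presumably the Issuer) rather than a deployment-specific value - confirm the
        // relying party does not rely on it to identify this IdP.
        Assertion assertion = this.samlObjectBuilder.newAssertion(
                this.samlObjectBuilder.newAuthnStatement("urn:oasis:names:tc:SAML:2.0:ac:classes:Password", currentDateTime),
                "https://www.opensaml.org/IDP",
                notBeforeIssueInstant,
                this.samlObjectBuilder.generateSecureRandomId());

        // Upper validity bound = now + skewAllowance seconds, scoped to the service id.
        assertion.setConditions(this.samlObjectBuilder.newConditions(
                notBeforeIssueInstant,
                currentDateTime.plusSeconds(this.skewAllowance),
                googleAccountsService.getId()));
        // The subject also carries the request id of the originating request.
        assertion.setSubject(this.samlObjectBuilder.newSubject(
                "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
                userId,
                googleAccountsService.getId(),
                currentDateTime.plusSeconds(this.skewAllowance),
                googleAccountsService.getRequestId()));

        response.getAssertions().add(assertion);

        StringWriter writer = new StringWriter();
        this.samlObjectBuilder.marshalSamlXmlObject(response, writer);
        String result = writer.toString();
        // The marshalled response contains the resolved username; keep DEBUG output for
        // this logger out of broadly readable log sinks.
        LOGGER.debug("Generated Google SAML response: {}", result);
        return result;
    }

    /**
     * Sets the number of seconds added to the issue time for the validity bounds.
     *
     * <p>A negative value is accepted for backward compatibility but logged as a
     * warning, because every bound computed from it lies before the issue time.
     *
     * @param i skew allowance in seconds
     */
    public void setSkewAllowance(int i) {
        if (i < 0) {
            LOGGER.warn("Negative skew allowance [{}] configured; validity bounds derived from it will precede the issue time.", i);
        }
        LOGGER.debug("Using {} seconds as skew allowance.", i);
        this.skewAllowance = i;
    }
}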
