package org.apereo.cas.support.saml.web.idp.profile.builders.nameid;

import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.principal.PersistentIdGenerator;
import org.apereo.cas.support.saml.OpenSamlConfigBean;
import org.apereo.cas.support.saml.SamlException;
import org.apereo.cas.support.saml.SamlIdPUtils;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.support.saml.util.AbstractSaml20ObjectBuilder;
import org.apereo.cas.support.saml.web.idp.profile.builders.SamlProfileBuilderContext;
import org.apereo.cas.support.saml.web.idp.profile.builders.SamlProfileObjectBuilder;
import org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectEncrypter;
import org.apereo.cas.util.LoggingUtils;
import org.apereo.cas.util.function.FunctionUtils;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.metadata.resolver.MetadataResolver;
import org.opensaml.saml.saml2.core.AttributeQuery;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.profile.SAML2NameIDGenerator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/support/saml/web/idp/profile/builders/nameid/SamlProfileSamlNameIdBuilder.class */
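/**
 * Builds the SAML2 {@link NameID} placed in responses issued by the CAS SAML identity provider.
 *
 * <p>For an {@link AttributeQuery} the NameID is taken from the query's Subject (decrypting an
 * EncryptedID when no plain NameID is present). For every other request the builder walks the
 * candidate NameID formats in order and returns the first NameID that can be generated.
 *
 * <p>Operational note: at DEBUG level this class logs principal names and final NameID values,
 * so debug logs from this logger contain user identifiers and should be handled accordingly.
 */
public class SamlProfileSamlNameIdBuilder extends AbstractSaml20ObjectBuilder implements SamlProfileObjectBuilder<SAMLObject> {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(SamlProfileSamlNameIdBuilder.class);
    private static final long serialVersionUID = -6231886395225437320L;

    private static final String FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";
    private static final String FORMAT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient";

    /**
     * Formats a service's required NameID format may resolve to, in matching priority order.
     * The order matters: the first entry that contains the configured text wins.
     */
    private static final String[] KNOWN_NAME_ID_FORMATS = {
        "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        FORMAT_TRANSIENT,
        "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
        "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
        "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
        "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
        "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
        "urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted",
    };

    private final PersistentIdGenerator persistentIdGenerator;
    private final MetadataResolver samlIdPMetadataResolver;
    private final SamlIdPObjectEncrypter samlIdPObjectEncrypter;

    /**
     * Creates the builder.
     *
     * @param openSamlConfigBean     OpenSAML configuration handed to the parent builder
     * @param persistentIdGenerator  generator used to derive the value of transient NameIDs
     * @param metadataResolver       identity provider metadata resolver, used for the NameQualifier
     * @param samlIdPObjectEncrypter used to decode an EncryptedID found in an attribute query
     */
    public SamlProfileSamlNameIdBuilder(OpenSamlConfigBean openSamlConfigBean, PersistentIdGenerator persistentIdGenerator, MetadataResolver metadataResolver, SamlIdPObjectEncrypter samlIdPObjectEncrypter) {
        super(openSamlConfigBean);
        this.persistentIdGenerator = persistentIdGenerator;
        this.samlIdPMetadataResolver = metadataResolver;
        this.samlIdPObjectEncrypter = samlIdPObjectEncrypter;
    }

    /**
     * Collects the NameID formats to try, in priority order.
     *
     * <p>The list starts from the formats declared in the service provider metadata, falls back
     * to the transient format when the metadata declares none, and is then prefixed with the
     * format required by the registered service, if one is configured. The service-level
     * setting therefore takes precedence over whatever the metadata declares.
     *
     * @param samlProfileBuilderContext the current build context
     * @return a mutable, ordered list of candidate formats; never empty
     */
    protected static List<String> getSupportedNameIdFormats(SamlProfileBuilderContext samlProfileBuilderContext) {
        List<String> formats = new ArrayList<>(samlProfileBuilderContext.getAdaptor().getSupportedNameIdFormats());
        LOGGER.debug("Metadata for [{}] declares the following NameIDs [{}]", samlProfileBuilderContext.getAdaptor().getEntityId(), formats);
        if (formats.isEmpty()) {
            formats.add(FORMAT_TRANSIENT);
            LOGGER.debug("No supported nameId formats could be determined from metadata. Added default [{}]", FORMAT_TRANSIENT);
        }
        if (StringUtils.isNotBlank(samlProfileBuilderContext.getRegisteredService().getRequiredNameIdFormat())) {
            String requiredFormat = parseAndBuildRequiredNameIdFormat(samlProfileBuilderContext.getRegisteredService());
            formats.add(0, requiredFormat);
            LOGGER.debug("Added required nameId format [{}] based on saml service configuration for [{}]", requiredFormat, samlProfileBuilderContext.getRegisteredService().getServiceId());
        }
        return formats;
    }

    /**
     * Resolves the NameID format configured on the service to one of the known format URNs.
     *
     * <p>Matching is case-insensitive and tests whether a known URN <em>contains</em> the
     * configured text, which is what lets a short form of a format name be configured.
     * Two consequences follow from that:
     * <ul>
     *   <li>text that occurs in more than one URN resolves to the first match in
     *       {@link #KNOWN_NAME_ID_FORMATS}, which is the emailAddress format;</li>
     *   <li>text that matches no URN silently resolves to the unspecified format.</li>
     * </ul>
     * NOTE(review): neither case is reported to the operator beyond the debug line below, so a
     * mistyped or overly short setting can release a different identifier than intended.
     *
     * @param samlRegisteredService the service whose required format is read
     * @return the resolved format URN
     */
    private static String parseAndBuildRequiredNameIdFormat(SamlRegisteredService samlRegisteredService) {
        String configured = StringUtils.defaultString(samlRegisteredService.getRequiredNameIdFormat(), FORMAT_UNSPECIFIED).trim();
        LOGGER.debug("Required NameID format assigned to service [{}] is [{}]", samlRegisteredService.getName(), configured);
        for (String knownFormat : KNOWN_NAME_ID_FORMATS) {
            if (StringUtils.containsIgnoreCase(knownFormat, configured)) {
                return knownFormat;
            }
        }
        return FORMAT_UNSPECIFIED;
    }

    /**
     * Reads the NameID format asked for by the NameIDPolicy of the request.
     *
     * @param samlProfileBuilderContext the current build context
     * @return the requested format, or {@code null} when the request carries no NameIDPolicy
     */
    protected static String getRequiredNameIdFormatIfAny(SamlProfileBuilderContext samlProfileBuilderContext) {
        String requestedFormat = SamlIdPUtils.getNameIDPolicy(samlProfileBuilderContext.getSamlRequest())
            .map(policy -> policy.getFormat())
            .orElse(null);
        LOGGER.debug("AuthN request indicates [{}] is the required NameID format", requestedFormat);
        return requestedFormat;
    }

    /**
     * Builds the NameID for the request held by the context.
     *
     * @param samlProfileBuilderContext the current build context
     * @return the NameID, or {@code null} when no candidate format produced one
     * @throws SamlException declared by the builder contract
     */
    @Override // org.apereo.cas.support.saml.web.idp.profile.builders.SamlProfileObjectBuilder
    /* renamed from: build, reason: avoid collision after fix types in other method and merged with bridge method [inline-methods] */
    public SAMLObject mo25build(SamlProfileBuilderContext samlProfileBuilderContext) throws SamlException {
        if (samlProfileBuilderContext.getSamlRequest() instanceof AttributeQuery) {
            return determineNameIdForAttributeQuery(samlProfileBuilderContext);
        }
        return buildNameId(samlProfileBuilderContext);
    }

    /**
     * Builds a NameID for a request that is not an attribute query.
     *
     * @param samlProfileBuilderContext the current build context
     * @return the finalized NameID, or {@code null} when none could be determined
     * @throws SamlException declared for overriding implementations
     */
    protected NameID buildNameId(SamlProfileBuilderContext samlProfileBuilderContext) throws SamlException {
        List<String> supportedNameIdFormats = getSupportedNameIdFormats(samlProfileBuilderContext);
        String requestedFormat = getRequiredNameIdFormatIfAny(samlProfileBuilderContext);
        validateRequiredNameIdFormatIfAny(supportedNameIdFormats, requestedFormat, samlProfileBuilderContext);
        NameID nameId = determineNameId(supportedNameIdFormats, samlProfileBuilderContext);
        return finalizeNameId(nameId, samlProfileBuilderContext);
    }

    /**
     * Sets the qualifiers on a generated NameID.
     *
     * <p>When the service configures a NameID qualifier it is used as NameQualifier and the
     * SPNameQualifier is left untouched. Otherwise the NameQualifier is derived from the
     * identity provider metadata and the SPNameQualifier is the service-configured value or,
     * failing that, the entity ID of the service provider.
     *
     * @param nameID                    the NameID to adjust; may be {@code null}
     * @param samlProfileBuilderContext the current build context
     * @return the same {@code nameID} instance, possibly {@code null}
     */
    protected NameID finalizeNameId(NameID nameID, SamlProfileBuilderContext samlProfileBuilderContext) {
        if (nameID == null) {
            return null;
        }
        if (StringUtils.isNotBlank(samlProfileBuilderContext.getRegisteredService().getNameIdQualifier())) {
            nameID.setNameQualifier(samlProfileBuilderContext.getRegisteredService().getNameIdQualifier());
            return nameID;
        }
        nameID.setNameQualifier(SamlIdPUtils.determineNameIdNameQualifier(samlProfileBuilderContext.getRegisteredService(), this.samlIdPMetadataResolver));
        FunctionUtils.doIf(StringUtils.isNotBlank(samlProfileBuilderContext.getRegisteredService().getServiceProviderNameIdQualifier()), obj -> {
            nameID.setSPNameQualifier(samlProfileBuilderContext.getRegisteredService().getServiceProviderNameIdQualifier());
        }, obj2 -> {
            nameID.setSPNameQualifier(samlProfileBuilderContext.getAdaptor().getEntityId());
        }).accept(samlProfileBuilderContext.getRegisteredService());
        return nameID;
    }

    /**
     * Warns when the request asks for a NameID format that is not among the candidates.
     *
     * <p>Despite the name this method only logs: it neither rejects the request nor changes the
     * candidate list, so processing continues with the formats already collected.
     *
     * @param list                      the candidate formats
     * @param str                       the format requested by the NameIDPolicy; may be blank
     * @param samlProfileBuilderContext the current build context
     */
    protected void validateRequiredNameIdFormatIfAny(List<String> list, String str, SamlProfileBuilderContext samlProfileBuilderContext) {
        if (StringUtils.isBlank(str) || list.contains(str)) {
            return;
        }
        LOGGER.warn("Required NameID format [{}] in the AuthN request issued by [{}] is not supported based on the metadata for [{}]. The requested NameID format may not be honored. You should consult the metadata for this service and ensure the requested NameID format is present in the collection of supported metadata formats in the metadata, which are the following: [{}]",
            str,
            SamlIdPUtils.getIssuerFromSamlObject(samlProfileBuilderContext.getSamlRequest()),
            samlProfileBuilderContext.getAdaptor().getEntityId(),
            samlProfileBuilderContext.getAdaptor().getSupportedNameIdFormats());
    }

    /**
     * Tries each candidate format in order and returns the first NameID that can be encoded.
     *
     * @param list                      the candidate formats, highest priority first
     * @param samlProfileBuilderContext the current build context
     * @return the first NameID produced, or {@code null} when every format failed
     */
    protected NameID determineNameId(List<String> list, SamlProfileBuilderContext samlProfileBuilderContext) {
        for (String format : list) {
            LOGGER.debug("Evaluating NameID format [{}]", format);
            NameID candidate = encodeNameIdBasedOnNameFormat(samlProfileBuilderContext, format);
            if (candidate != null) {
                LOGGER.debug("Determined NameID based on format [{}] to be [{}]", format, candidate.getValue());
                return candidate;
            }
        }
        LOGGER.warn("No NameID could be determined based on the supported formats [{}]", list);
        return null;
    }

    /**
     * Generates a NameID for one format.
     *
     * <p>The computed NameID value is also stored on the HTTP request under the
     * {@link NameID} class name before generation is attempted.
     *
     * @param samlProfileBuilderContext the current build context
     * @param str                       the NameID format to encode with
     * @return the generated NameID, or {@code null} when generation failed for any reason
     */
    protected NameID encodeNameIdBasedOnNameFormat(SamlProfileBuilderContext samlProfileBuilderContext, String str) {
        try {
            String nameIdValue = prepareNameIdAttribute(samlProfileBuilderContext, str);
            SAML2NameIDGenerator generator = SamlAttributeBasedNameIdGenerator.get(Optional.of(samlProfileBuilderContext.getSamlRequest()), str, samlProfileBuilderContext.getRegisteredService(), nameIdValue);
            samlProfileBuilderContext.getHttpRequest().setAttribute(NameID.class.getName(), nameIdValue);
            LOGGER.debug("Encoding NameID based on [{}]", str);
            NameID nameID = (NameID) Objects.requireNonNull(generator.generate(new ProfileRequestContext(), str));
            LOGGER.debug("Final NameID encoded with format [{}] has value [{}]", nameID.getFormat(), nameID.getValue());
            return nameID;
        } catch (Exception e) {
            // Deliberate best effort: a failure for this format is logged and reported as null
            // so that determineNameId can move on to the next candidate format.
            LoggingUtils.error(LOGGER, e);
            return null;
        }
    }

    /**
     * Computes the value that will be placed in the NameID for the given format.
     *
     * @param samlProfileBuilderContext the current build context
     * @param str                       the NameID format
     * @return the NameID value
     */
    protected String prepareNameIdAttribute(SamlProfileBuilderContext samlProfileBuilderContext, String str) {
        LOGGER.debug("Preparing NameID attribute for principal [{}]", samlProfileBuilderContext.getAuthenticatedAssertion().getName());
        String nameIdValue = getNameIdValueFromNameFormat(str, samlProfileBuilderContext);
        LOGGER.debug("NameID attribute value is set to [{}]", nameIdValue);
        return nameIdValue;
    }

    /**
     * Chooses the NameID value for a format.
     *
     * <p>For the transient format the value comes from the {@link PersistentIdGenerator}, fed
     * with the principal name and the service provider entity ID. NOTE(review): whether that
     * value differs between sessions depends on the generator implementation, which is not
     * visible here; confirm it if unlinkable transient identifiers are expected.
     *
     * <p>When the service sets {@code skipGeneratingTransientNameId}, or for any other format,
     * the principal name itself is returned, so the service provider receives the real
     * principal identifier.
     *
     * @param str                       the NameID format
     * @param samlProfileBuilderContext the current build context
     * @return the NameID value
     */
    private String getNameIdValueFromNameFormat(String str, SamlProfileBuilderContext samlProfileBuilderContext) {
        String principalName = samlProfileBuilderContext.getAuthenticatedAssertion().getName();
        if (!str.trim().equalsIgnoreCase(FORMAT_TRANSIENT)) {
            return principalName;
        }
        String entityId = samlProfileBuilderContext.getAdaptor().getEntityId();
        if (samlProfileBuilderContext.getRegisteredService().isSkipGeneratingTransientNameId()) {
            LOGGER.debug("Generation of transient NameID value is skipped for [{}] and [{}] will be used instead", entityId, principalName);
            return principalName;
        }
        LOGGER.debug("Generating transient NameID value for principal [{}] and entity id [{}]", principalName, entityId);
        return this.persistentIdGenerator.generate(principalName, entityId);
    }

    /**
     * Returns the NameID carried by the Subject of an attribute query, detached from the request.
     *
     * <p>A plain NameID is used as is; otherwise the Subject's EncryptedID is handed to the
     * {@link SamlIdPObjectEncrypter} for decoding. The query content is supplied by the
     * requester, so a missing Subject or an undecodable identifier is reported with an explicit
     * message instead of an anonymous null dereference.
     *
     * @param samlProfileBuilderContext the current build context; its request must be an {@link AttributeQuery}
     * @return the detached NameID
     * @throws NullPointerException when the query has no Subject or no NameID could be obtained
     */
    private SAMLObject determineNameIdForAttributeQuery(SamlProfileBuilderContext samlProfileBuilderContext) {
        // The caller has already checked the runtime type with instanceof.
        AttributeQuery query = (AttributeQuery) samlProfileBuilderContext.getSamlRequest();
        Objects.requireNonNull(query.getSubject(), "Attribute query does not contain a Subject");
        NameID nameId = query.getSubject().getNameID();
        if (nameId == null) {
            nameId = this.samlIdPObjectEncrypter.decode(query.getSubject().getEncryptedID(), samlProfileBuilderContext.getRegisteredService(), samlProfileBuilderContext.getAdaptor());
        }
        Objects.requireNonNull(nameId, "Attribute query Subject carries neither a NameID nor a decodable EncryptedID");
        // Detach so the NameID can be attached to the response being built.
        nameId.detach();
        return nameId;
    }
}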
