package org.apereo.cas.support.saml.web.idp.profile.builders.subject;

import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.support.Beans;
import org.apereo.cas.support.saml.OpenSamlConfigBean;
import org.apereo.cas.support.saml.SamlIdPUtils;
import org.apereo.cas.support.saml.util.AbstractSaml20ObjectBuilder;
import org.apereo.cas.support.saml.web.idp.profile.builders.SamlProfileBuilderContext;
import org.apereo.cas.support.saml.web.idp.profile.builders.SamlProfileObjectBuilder;
import org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectEncrypter;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.saml2.core.EncryptedID;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.metadata.Endpoint;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/support/saml/web/idp/profile/builders/subject/SamlProfileSamlSubjectBuilder.class */
/**
 * Builds the SAML 2.0 {@link Subject} (NameID plus subject confirmation data) that the
 * identity provider places in a response for a registered service.
 *
 * <p>Security review note: every {@code isSkipGenerating...} flag read from the registered
 * service makes this builder pass {@code null} for the matching value. Recipient,
 * NotOnOrAfter and InResponseTo are the values a relying party uses to bind a bearer
 * assertion to its consumer endpoint, a validity window and the originating request, so
 * service definitions that enable those flags deserve a closer look. How {@code newSubject}
 * treats a {@code null} argument is defined in the superclass and is not visible here.
 */
public class SamlProfileSamlSubjectBuilder extends AbstractSaml20ObjectBuilder implements SamlProfileObjectBuilder<Subject> {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(SamlProfileSamlSubjectBuilder.class);
    private static final long serialVersionUID = 4782621942035583007L;

    /** NameID format URN that requests an encrypted identifier. */
    private static final String ENCRYPTED_NAME_ID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted";

    /** Delegate that produces the NameID object for the subject. */
    private final SamlProfileObjectBuilder<SAMLObject> ssoPostProfileSamlNameIdBuilder;
    /** CAS settings; read here only for the IdP-wide response skew allowance. */
    private final CasConfigurationProperties casProperties;
    // Marked transient, so Java serialization does not carry it.
    // NOTE(review): a deserialized instance would presumably hold null here - confirm against the superclass.
    private final transient SamlIdPObjectEncrypter samlObjectEncrypter;

    /**
     * Creates the builder with its collaborators.
     *
     * @param openSamlConfigBean         OpenSAML configuration handed to the superclass
     * @param samlProfileObjectBuilder   builder used to produce NameID objects
     * @param casConfigurationProperties CAS configuration properties
     * @param samlIdPObjectEncrypter     encrypter applied to NameIDs whose format requests encryption
     */
    public SamlProfileSamlSubjectBuilder(OpenSamlConfigBean openSamlConfigBean, SamlProfileObjectBuilder<SAMLObject> samlProfileObjectBuilder, CasConfigurationProperties casConfigurationProperties, SamlIdPObjectEncrypter samlIdPObjectEncrypter) {
        super(openSamlConfigBean);
        this.casProperties = casConfigurationProperties;
        this.samlObjectEncrypter = samlIdPObjectEncrypter;
        this.ssoPostProfileSamlNameIdBuilder = samlProfileObjectBuilder;
    }

    /**
     * Builds the subject for the given context by delegating to {@link #buildSubject}.
     * The method name is the decompiler's rename of the interface's {@code build} method.
     *
     * @param samlProfileBuilderContext request, service, adaptor and binding for this response
     * @return the constructed subject
     * @throws Exception if building the subject fails
     */
    @Override
    public Subject mo25build(SamlProfileBuilderContext samlProfileBuilderContext) throws Exception {
        return buildSubject(samlProfileBuilderContext);
    }

    /**
     * Assembles the subject: resolves the endpoint for the request, produces the NameID(s),
     * computes the confirmation time bounds and hands everything to {@code newSubject}.
     *
     * <p>NotOnOrAfter is the start-of-method timestamp plus the service's skew allowance when
     * that is positive, otherwise plus the IdP-wide response skew allowance from configuration.
     * Recipient, NotOnOrAfter, InResponseTo, NotBefore and the confirmation NameID are each
     * replaced by {@code null} when the service's corresponding skip flag is set.
     *
     * @param context request, service, adaptor and binding for this response
     * @return the constructed subject
     * @throws Exception if endpoint resolution or NameID building fails
     */
    private Subject buildSubject(SamlProfileBuilderContext context) throws Exception {
        final ZonedDateTime issuedAt = ZonedDateTime.now(ZoneOffset.UTC);
        LOGGER.trace("Locating the assertion consumer service url for binding [{}]", context.getBinding());
        final Endpoint acsEndpoint = SamlIdPUtils.determineEndpointForRequest(
            Pair.of(context.getSamlRequest(), context.getMessageContext()),
            context.getAdaptor(),
            context.getBinding());

        // Prefer the endpoint's response location; fall back to its location when that is blank.
        final String acsLocation;
        if (StringUtils.isBlank(acsEndpoint.getResponseLocation())) {
            acsLocation = acsEndpoint.getLocation();
        } else {
            acsLocation = acsEndpoint.getResponseLocation();
        }

        // The NameID is built once for the subject and, unless skipped, a second time for the confirmation.
        final SAMLObject subjectNameId = getNameIdForService(context);
        SAMLObject confirmationNameId = null;
        if (!context.getRegisteredService().isSkipGeneratingSubjectConfirmationNameId()) {
            confirmationNameId = getNameIdForService(context);
        }

        ZonedDateTime notOnOrAfter = null;
        if (!context.getRegisteredService().isSkipGeneratingSubjectConfirmationNotOnOrAfter()) {
            final long validitySeconds;
            if (context.getRegisteredService().getSkewAllowance() > 0) {
                validitySeconds = context.getRegisteredService().getSkewAllowance();
            } else {
                validitySeconds = Beans.newDuration(this.casProperties.getAuthn().getSamlIdp().getResponse().getSkewAllowance()).toSeconds();
            }
            notOnOrAfter = issuedAt.plusSeconds(validitySeconds);
        }

        final SAMLObject finalSubjectNameId = encryptNameIdIfNecessary(subjectNameId, context);
        final SAMLObject finalConfirmationNameId = encryptNameIdIfNecessary(confirmationNameId, context);

        String recipient = null;
        if (!context.getRegisteredService().isSkipGeneratingSubjectConfirmationRecipient()) {
            recipient = acsLocation;
        }

        // The request is only dereferenced for its ID when InResponseTo is not skipped.
        String inResponseTo = null;
        if (!context.getRegisteredService().isSkipGeneratingSubjectConfirmationInResponseTo()) {
            inResponseTo = context.getSamlRequest().getID();
        }

        // NotBefore takes a fresh timestamp rather than reusing issuedAt.
        ZonedDateTime notBefore = null;
        if (!context.getRegisteredService().isSkipGeneratingSubjectConfirmationNotBefore()) {
            notBefore = ZonedDateTime.now(ZoneOffset.UTC);
        }

        final Subject subject = newSubject(finalSubjectNameId, finalConfirmationNameId, recipient, notOnOrAfter, inResponseTo, notBefore);
        LOGGER.debug("Created SAML subject [{}]", subject);
        return subject;
    }

    /**
     * Produces the NameID for the service through the delegate builder, or {@code null}
     * (with a warning logged) when the service opts out of assertion NameID generation.
     *
     * @param context request, service, adaptor and binding for this response
     * @return the NameID object, or {@code null} when generation is skipped
     * @throws Exception if the delegate builder fails
     */
    private SAMLObject getNameIdForService(SamlProfileBuilderContext context) throws Exception {
        if (context.getRegisteredService().isSkipGeneratingAssertionNameId()) {
            LOGGER.warn("Assertion will skip assigning/generating a nameId based on service [{}]", context.getRegisteredService());
            return null;
        }
        return this.ssoPostProfileSamlNameIdBuilder.mo25build(context);
    }

    /**
     * Encrypts the given object when it is a plain {@link NameID} whose format is the
     * encrypted NameID format (compared case-insensitively). Anything else, including
     * {@code null} and objects that are already an {@link EncryptedID}, is returned unchanged.
     *
     * @param candidate the NameID object to inspect; may be {@code null}
     * @param context   supplies the registered service and adaptor passed to the encrypter
     * @return the encrypter's result, or {@code candidate} itself when no encryption applies
     */
    private SAMLObject encryptNameIdIfNecessary(SAMLObject candidate, SamlProfileBuilderContext context) {
        if (candidate instanceof EncryptedID || !(candidate instanceof NameID)) {
            return candidate;
        }
        final NameID nameId = (NameID) candidate;
        if (!ENCRYPTED_NAME_ID_FORMAT.equalsIgnoreCase(nameId.getFormat())) {
            return candidate;
        }
        return this.samlObjectEncrypter.encode(nameId, context.getRegisteredService(), context.getAdaptor());
    }
}
