package org.apereo.cas.support.saml.web.idp.profile.sso;

import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.Parameter;
import io.swagger.v3.oas.annotations.media.Schema;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.Serializable;
import java.time.Clock;
import java.time.Instant;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.UUID;
import lombok.Generated;
import net.shibboleth.shared.resolver.CriteriaSet;
import org.apache.commons.beanutils.BeanUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.text.StringEscapeUtils;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.AuthenticationSystemSupport;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.DefaultAuthenticationBuilder;
import org.apereo.cas.authentication.credential.BasicIdentifiableCredential;
import org.apereo.cas.authentication.credential.UsernamePasswordCredential;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.PrincipalResolver;
import org.apereo.cas.authentication.principal.ServiceFactory;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.services.RegisteredServiceAccessStrategyUtils;
import org.apereo.cas.services.RegisteredServiceAttributeReleasePolicyContext;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.saml.SamlException;
import org.apereo.cas.support.saml.SamlUtils;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor;
import org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceCachingMetadataResolver;
import org.apereo.cas.support.saml.util.AbstractSaml20ObjectBuilder;
import org.apereo.cas.support.saml.web.idp.profile.builders.AuthenticatedAssertionContext;
import org.apereo.cas.support.saml.web.idp.profile.builders.SamlProfileBuilderContext;
import org.apereo.cas.support.saml.web.idp.profile.builders.SamlProfileObjectBuilder;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.LoggingUtils;
import org.apereo.cas.util.RandomUtils;
import org.apereo.cas.web.BaseCasRestActuatorEndpoint;
import org.jooq.lambda.Unchecked;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.context.ScratchContext;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.binding.SAMLBindingSupport;
import org.opensaml.saml.common.messaging.context.SAMLEndpointContext;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.criterion.BindingCriterion;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.metadata.resolver.MetadataResolver;
import org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.impl.AuthnRequestBuilder;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml.saml2.metadata.SingleLogoutService;
import org.opensaml.saml.saml2.metadata.SingleSignOnService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.actuate.endpoint.annotation.Endpoint;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

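/**
 * Actuator endpoint ({@code samlPostProfileResponse}, disabled by default) that lets an operator mint
 * SAML2 artifacts for a registered service provider without going through the browser SSO flow:
 * a {@code POST} to the endpoint root produces a SAML2 Response for a given username and SP entity id,
 * and {@code POST /logout/post} emits a SAML2 LogoutRequest, issued as the SP, to the IdP's own
 * HTTP-POST single-logout endpoint.
 * <p>
 * When no password is supplied the principal is resolved without any credential verification
 * (see {@link #authenticateRequest}), so whoever can reach this endpoint can obtain an assertion
 * for any username; the endpoint shares the access controls of every other actuator endpoint.
 */
@Endpoint(id = "samlPostProfileResponse", enableByDefault = false)
public class SSOSamlIdPPostProfileHandlerEndpoint extends BaseCasRestActuatorEndpoint {

    private static final Logger LOGGER = LoggerFactory.getLogger(SSOSamlIdPPostProfileHandlerEndpoint.class);

    /** SAML 2.0 HTTP-POST binding URI; selects the IdP SLO endpoint and tags the produced response. */
    private static final String SAML2_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";

    /** SAML 2.0 protocol namespace; selects the IDPSSODescriptor in the IdP's metadata. */
    private static final String SAML2_PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol";

    /** Scratch-context key set to {@code FALSE}; presumably tells the response builder to skip binding-encoding — confirm. */
    private static final String SCRATCH_ENCODE_SAML_RESPONSE = "encodeSamlResponse";

    /**
     * Number of random letters in the generated LogoutRequest ID. SAML message IDs are expected to be
     * unique and unpredictable; letters only also keeps the value a valid {@code xs:ID}.
     */
    private static final int LOGOUT_REQUEST_ID_LENGTH = 32;

    private final ServicesManager servicesManager;
    private final AuthenticationSystemSupport authenticationSystemSupport;
    private final ServiceFactory<WebApplicationService> serviceFactory;
    private final PrincipalFactory principalFactory;
    private final SamlProfileObjectBuilder<? extends SAMLObject> responseBuilder;
    private final SamlRegisteredServiceCachingMetadataResolver defaultSamlRegisteredServiceCachingMetadataResolver;
    private final AbstractSaml20ObjectBuilder saml20ObjectBuilder;
    private final PrincipalResolver principalResolver;
    private final MetadataResolver samlIdPMetadataResolver;

    /**
     * Form-bound input of the response endpoint: the subject to assert, an optional password,
     * the SP entity id to build the response for, and whether assertions/attributes are encrypted.
     * Mutable JavaBean so Spring's {@code @ModelAttribute} binding can populate it; the
     * {@code withX} methods return a copy when the value actually changes.
     */
    public static class SamlRequest implements Serializable {
        private static final long serialVersionUID = 9132411807103771828L;

        // Username of the subject the SAML response is produced for.
        private String username;
        // Optional; when blank the principal is resolved without credential verification.
        private String password;
        // Entity id of the registered SAML service provider.
        private String entityId;
        // Applied to both encryptAssertions and encryptAttributes of the (cloned) service.
        private boolean encrypt;

        public String getUsername() {
            return this.username;
        }

        public String getPassword() {
            return this.password;
        }

        public String getEntityId() {
            return this.entityId;
        }

        public boolean isEncrypt() {
            return this.encrypt;
        }

        public void setUsername(String username) {
            this.username = username;
        }

        public void setPassword(String password) {
            this.password = password;
        }

        public void setEntityId(String entityId) {
            this.entityId = entityId;
        }

        public void setEncrypt(boolean encrypt) {
            this.encrypt = encrypt;
        }

        /**
         * All-args constructor.
         *
         * @param username username of the subject
         * @param password password, may be blank
         * @param entityId SP entity id
         * @param encrypt  whether to encrypt assertions and attributes
         */
        public SamlRequest(String username, String password, String entityId, boolean encrypt) {
            this.username = username;
            this.password = password;
            this.entityId = entityId;
            this.encrypt = encrypt;
        }

        /** No-args constructor for bean binding. */
        public SamlRequest() {
        }

        /** @return this instance when the reference is unchanged, otherwise a copy with the new username. */
        public SamlRequest withUsername(String username) {
            // Identity comparison is intentional: only allocate when the reference differs.
            return this.username == username ? this : new SamlRequest(username, this.password, this.entityId, this.encrypt);
        }

        /** @return this instance when the reference is unchanged, otherwise a copy with the new password. */
        public SamlRequest withPassword(String password) {
            return this.password == password ? this : new SamlRequest(this.username, password, this.entityId, this.encrypt);
        }

        /** @return this instance when the reference is unchanged, otherwise a copy with the new entity id. */
        public SamlRequest withEntityId(String entityId) {
            return this.entityId == entityId ? this : new SamlRequest(this.username, this.password, entityId, this.encrypt);
        }

        /** @return this instance when the flag is unchanged, otherwise a copy with the new flag. */
        public SamlRequest withEncrypt(boolean encrypt) {
            return this.encrypt == encrypt ? this : new SamlRequest(this.username, this.password, this.entityId, encrypt);
        }
    }

    /**
     * Creates the endpoint with its collaborators.
     *
     * @param casConfigurationProperties            CAS settings; the IdP entity id is read from them
     * @param configurableApplicationContext        application context handed to the base endpoint
     * @param servicesManager                       looks up the registered SAML service
     * @param authenticationSystemSupport           runs the authentication transaction when a password is given
     * @param serviceFactory                        turns an entity id into a web application service
     * @param principalFactory                      creates principals for the password-less path
     * @param samlProfileObjectBuilder              builds the SAML2 response object
     * @param samlRegisteredServiceCachingMetadataResolver resolves SP metadata
     * @param abstractSaml20ObjectBuilder           creates OpenSAML objects and exposes the OpenSAML config bean
     * @param principalResolver                     resolves the principal for the password-less path
     * @param metadataResolver                      resolves the IdP's own metadata
     */
    public SSOSamlIdPPostProfileHandlerEndpoint(CasConfigurationProperties casConfigurationProperties, ConfigurableApplicationContext configurableApplicationContext, ServicesManager servicesManager, AuthenticationSystemSupport authenticationSystemSupport, ServiceFactory<WebApplicationService> serviceFactory, PrincipalFactory principalFactory, SamlProfileObjectBuilder<? extends SAMLObject> samlProfileObjectBuilder, SamlRegisteredServiceCachingMetadataResolver samlRegisteredServiceCachingMetadataResolver, AbstractSaml20ObjectBuilder abstractSaml20ObjectBuilder, PrincipalResolver principalResolver, MetadataResolver metadataResolver) {
        super(casConfigurationProperties, configurableApplicationContext);
        this.servicesManager = servicesManager;
        this.authenticationSystemSupport = authenticationSystemSupport;
        this.serviceFactory = serviceFactory;
        this.principalFactory = principalFactory;
        this.responseBuilder = samlProfileObjectBuilder;
        this.defaultSamlRegisteredServiceCachingMetadataResolver = samlRegisteredServiceCachingMetadataResolver;
        this.saml20ObjectBuilder = abstractSaml20ObjectBuilder;
        this.principalResolver = principalResolver;
        this.samlIdPMetadataResolver = metadataResolver;
    }

    /**
     * Produces a SAML2 Response (as XML) for the user and SP named in the request body.
     *
     * @param httpServletRequest  current request
     * @param httpServletResponse current response
     * @param samlRequest         form-bound username, optional password, entity id and encrypt flag
     * @return {@code 200} with the response XML, or {@code 400} with the HTML-escaped error message
     */
    @PostMapping(produces = {"application/xml"})
    @ResponseBody
    @Operation(summary = "Produce SAML2 response entity", parameters = {@Parameter(name = "username", required = true, description = "The username to authenticate"), @Parameter(name = "password", required = false, description = "The password to authenticate"), @Parameter(name = "entityId", required = true, description = "The entity id"), @Parameter(name = "encrypt", schema = @Schema(type = "boolean"), description = "Whether to encrypt the response")})
    public ResponseEntity<Object> producePost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, @ModelAttribute SamlRequest samlRequest) {
        return produce(httpServletRequest, httpServletResponse, samlRequest);
    }

    /**
     * Emits a SAML2 LogoutRequest, issued as the given SP, to the IdP's own HTTP-POST single-logout
     * endpoint. The HTTP-POST encoder writes the auto-submitting form straight into the servlet
     * response, which is why the returned entity carries no body.
     *
     * @param entityId            entity id of the registered SP the request is issued for
     * @param httpServletResponse response the encoder writes to
     * @return an empty {@code 200}
     * @throws Exception if the SP is not allowed, the IdP metadata cannot be resolved, or encoding fails
     */
    @PostMapping(value = {"/logout/post"}, produces = {"text/html"})
    @Operation(summary = "Produce SAML2 logout request for the given SAML2 SP", parameters = {@Parameter(name = "entityId", required = true, description = "The entity id")})
    public ResponseEntity<Object> produceLogoutRequestPost(@RequestParam("entityId") String entityId, HttpServletResponse httpServletResponse) throws Exception {
        WebApplicationService service = this.serviceFactory.createService(entityId);
        SamlRegisteredService registeredService = this.servicesManager.findServiceBy(service, SamlRegisteredService.class);
        // Refuse early when the SP is unknown or its access strategy denies it.
        RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(service, registeredService);

        String sloLocation = resolveIdPSingleLogoutPostLocation();
        LogoutRequest logoutRequest = buildLogoutRequest(entityId, sloLocation);
        encodeViaHttpPost(logoutRequest, sloLocation, httpServletResponse);
        return ResponseEntity.ok().build();
    }

    /**
     * Looks up the IdP's own metadata and returns the location of its SingleLogoutService
     * endpoint for the HTTP-POST binding.
     *
     * @return the SLO endpoint location
     * @throws Exception if metadata resolution fails; {@link SamlException} if no matching endpoint exists
     */
    private String resolveIdPSingleLogoutPostLocation() throws Exception {
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIdCriterion(this.casProperties.getAuthn().getSamlIdp().getCore().getEntityId()));
        // NOTE(review): the role criterion names SPSSODescriptor while the IDPSSODescriptor is read below;
        // kept as-is — confirm the IdP metadata resolver does not filter on the role.
        criteria.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
        criteria.add(new BindingCriterion(List.of(SAML2_POST_BINDING)));

        EntityDescriptor idpMetadata = Objects.requireNonNull(this.samlIdPMetadataResolver.resolveSingle(criteria),
            "Unable to resolve SAML2 IdP metadata");
        var idpDescriptor = Objects.requireNonNull(idpMetadata.getIDPSSODescriptor(SAML2_PROTOCOL_NS),
            "SAML2 IdP metadata has no IDPSSODescriptor");
        return idpDescriptor.getEndpoints(SingleLogoutService.DEFAULT_ELEMENT_NAME).stream()
            .filter(endpoint -> SAML2_POST_BINDING.equals(endpoint.getBinding()))
            .findFirst()
            .orElseThrow(() -> new SamlException("SAML2 IdP metadata has no SingleLogoutService endpoint for the HTTP-POST binding"))
            .getLocation();
    }

    /**
     * Builds a LogoutRequest whose issuer is the SP entity id and whose destination is the IdP SLO endpoint.
     *
     * @param spEntityId  entity id placed in the Issuer element
     * @param destination SLO endpoint location placed in the Destination attribute
     * @return the populated, unsigned LogoutRequest
     */
    private LogoutRequest buildLogoutRequest(String spEntityId, String destination) {
        LogoutRequest logoutRequest = this.saml20ObjectBuilder.newSamlObject(LogoutRequest.class);
        // Assumes RandomUtils draws from a CSPRNG — confirm; the length is sized so the ID is not guessable.
        logoutRequest.setID(RandomUtils.randomAlphabetic(LOGOUT_REQUEST_ID_LENGTH));

        Issuer issuer = this.saml20ObjectBuilder.newSamlObject(Issuer.class);
        issuer.setValue(spEntityId);

        // The NameID is a throwaway random value; the request does not target a real session subject.
        NameID nameId = this.saml20ObjectBuilder.newSamlObject(NameID.class);
        nameId.setValue(UUID.randomUUID().toString());

        logoutRequest.setNameID(nameId);
        logoutRequest.setIssuer(issuer);
        logoutRequest.setDestination(destination);
        // Backdated by ten seconds, presumably to tolerate clock skew at the receiver — confirm.
        logoutRequest.setIssueInstant(Instant.now(Clock.systemUTC()).minusSeconds(10L));
        return logoutRequest;
    }

    /**
     * Encodes the message with the SAML2 HTTP-POST binding directly into the servlet response.
     *
     * @param logoutRequest       message to encode
     * @param location            endpoint location the auto-submit form posts to
     * @param httpServletResponse response the encoder writes to
     * @throws Exception if the encoder cannot be initialized or encoding fails
     */
    private void encodeViaHttpPost(LogoutRequest logoutRequest, String location, HttpServletResponse httpServletResponse) throws Exception {
        MessageContext messageContext = new MessageContext();
        SAMLBindingSupport.setRelayState(messageContext, UUID.randomUUID().toString());
        SAMLEndpointContext endpointContext = messageContext.ensureSubcontext(SAMLPeerEntityContext.class).ensureSubcontext(SAMLEndpointContext.class);
        // The peer endpoint is modelled as a SingleSignOnService element, as in the original code;
        // only its location is set, so presumably the encoder reads nothing else from it — confirm.
        SingleSignOnService peerEndpoint = this.saml20ObjectBuilder.newSamlObject(SingleSignOnService.class);
        peerEndpoint.setLocation(location);
        endpointContext.setEndpoint(peerEndpoint);
        messageContext.setMessage(logoutRequest);

        HTTPPostEncoder encoder = new HTTPPostEncoder();
        encoder.setVelocityEngine(this.saml20ObjectBuilder.getOpenSamlConfigBean().getVelocityEngine());
        encoder.setHttpServletResponseSupplier(() -> httpServletResponse);
        encoder.setMessageContext(messageContext);
        encoder.initialize();
        encoder.encode();
    }

    /**
     * Validates SP access, authenticates (or merely resolves) the subject and builds the SAML2 response.
     *
     * @param httpServletRequest  current request
     * @param httpServletResponse current response
     * @param samlRequest         form-bound input
     * @return {@code 200} with the response XML, or {@code 400} carrying the HTML-escaped message of any failure
     */
    private ResponseEntity<Object> produce(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SamlRequest samlRequest) {
        try {
            String entityId = samlRequest.getEntityId();
            WebApplicationService service = this.serviceFactory.createService(entityId);
            SamlRegisteredService registeredService = this.servicesManager.findServiceBy(service, SamlRegisteredService.class);
            RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(service, registeredService);

            // Work on a clone so the caller's encrypt flag never mutates the stored service definition.
            SamlRegisteredService effectiveService = (SamlRegisteredService) BeanUtils.cloneBean(registeredService);
            effectiveService.setEncryptAssertions(samlRequest.isEncrypt());
            effectiveService.setEncryptAttributes(samlRequest.isEncrypt());

            // A synthetic AuthnRequest stands in for the one an SP would normally send.
            AuthnRequest authnRequest = new AuthnRequestBuilder().buildObject();
            authnRequest.setIssuer(this.saml20ObjectBuilder.newIssuer(entityId));

            Optional<ResponseEntity<Object>> response = SamlRegisteredServiceMetadataAdaptor
                .get(this.defaultSamlRegisteredServiceCachingMetadataResolver, effectiveService, entityId)
                .map(Unchecked.function(adaptor -> buildSamlResponse(httpServletRequest, httpServletResponse, samlRequest, effectiveService, adaptor, authnRequest)));
            return response.orElseThrow(() -> new SamlException("Unable to locate " + entityId));
        } catch (Throwable th) {
            LoggingUtils.error(LOGGER, th);
            // The exception message is echoed back to the actuator caller, HTML-escaped.
            return new ResponseEntity<>(StringEscapeUtils.escapeHtml4(th.getMessage()), HttpStatus.BAD_REQUEST);
        }
    }

    /**
     * Runs the response builder for the resolved SP metadata and renders the result as XML.
     *
     * @param httpServletRequest  current request
     * @param httpServletResponse current response
     * @param samlRequest         form-bound input; the subject is authenticated here via {@link #getAssertion}
     * @param registeredService   the (cloned) SP definition carrying the effective encrypt flags
     * @param adaptor             resolved SP metadata
     * @param authnRequest        synthetic AuthnRequest the response answers
     * @return {@code 200} with the response XML
     * @throws Throwable from authentication or response building
     */
    private ResponseEntity<Object> buildSamlResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SamlRequest samlRequest,
                                                     SamlRegisteredService registeredService, SamlRegisteredServiceMetadataAdaptor adaptor, AuthnRequest authnRequest) throws Throwable {
        MessageContext messageContext = new MessageContext();
        ScratchContext scratch = Objects.requireNonNull(messageContext.ensureSubcontext(ScratchContext.class));
        scratch.getMap().put(SCRATCH_ENCODE_SAML_RESPONSE, Boolean.FALSE);

        SamlProfileBuilderContext context = SamlProfileBuilderContext.builder()
            .samlRequest(authnRequest)
            .httpRequest(httpServletRequest)
            .httpResponse(httpServletResponse)
            .authenticatedAssertion(Optional.of(getAssertion(samlRequest)))
            .registeredService(registeredService)
            .adaptor(adaptor)
            .binding(SAML2_POST_BINDING)
            .messageContext(messageContext)
            .build();
        SAMLObject samlResponse = this.responseBuilder.build(context);
        String xml = SamlUtils.transformSamlObject(this.saml20ObjectBuilder.getOpenSamlConfigBean(), samlResponse, true).toString();
        return new ResponseEntity<>(xml, HttpStatus.OK);
    }

    /**
     * Authenticates the subject and applies the SP's attribute release policy.
     *
     * @param samlRequest form-bound input
     * @return assertion context whose name is the principal id and whose attributes are the merge of
     *         the released principal attributes and the authentication attributes
     * @throws Throwable from authentication, principal resolution or attribute release
     */
    private AuthenticatedAssertionContext getAssertion(SamlRequest samlRequest) throws Throwable {
        WebApplicationService service = this.serviceFactory.createService(samlRequest.getEntityId());
        SamlRegisteredService registeredService = this.servicesManager.findServiceBy(service, SamlRegisteredService.class);
        Authentication authentication = authenticateRequest(samlRequest, service);

        RegisteredServiceAttributeReleasePolicyContext releaseContext = RegisteredServiceAttributeReleasePolicyContext.builder()
            .registeredService(registeredService)
            .applicationContext(this.saml20ObjectBuilder.getOpenSamlConfigBean().getApplicationContext())
            .service(service)
            .principal(authentication.getPrincipal())
            .build();
        // Rebuild the authentication so the principal only carries attributes the release policy allows.
        Authentication releasedAuthentication = DefaultAuthenticationBuilder.of(
            releaseContext.getApplicationContext(),
            authentication.getPrincipal(),
            this.principalFactory,
            registeredService.getAttributeReleasePolicy().getAttributes(releaseContext),
            service,
            registeredService,
            authentication).build();

        Principal principal = releasedAuthentication.getPrincipal();
        return AuthenticatedAssertionContext.builder()
            .name(principal.getId())
            .attributes(CollectionUtils.merge(new Map[]{principal.getAttributes(), releasedAuthentication.getAttributes()}))
            .build();
    }

    /**
     * Authenticates the request subject. With a non-blank password a full authentication transaction
     * is run; with a blank password the principal is only resolved for the given username and no
     * credential is verified.
     *
     * @param samlRequest form-bound username and optional password
     * @param service     service the authentication is for
     * @return the resulting authentication
     * @throws Throwable from the authentication system or principal resolution
     */
    private Authentication authenticateRequest(SamlRequest samlRequest, WebApplicationService service) throws Throwable {
        String username = samlRequest.getUsername();
        if (StringUtils.isBlank(samlRequest.getPassword())) {
            // No password: resolve the principal directly; nothing is verified.
            Principal resolved = this.principalResolver.resolve(
                new BasicIdentifiableCredential(username),
                Optional.of(this.principalFactory.createPrincipal(username)),
                Optional.empty(),
                Optional.of(service));
            return DefaultAuthenticationBuilder.newInstance().setPrincipal(resolved).build();
        }
        Credential credential = new UsernamePasswordCredential(username, samlRequest.getPassword());
        return this.authenticationSystemSupport
            .finalizeAuthenticationTransaction(service, new Credential[]{credential})
            .getAuthentication();
    }
}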
