package org.apereo.cas.support.saml.web.idp.profile.builders;

import java.security.SecureRandom;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apereo.cas.support.saml.SamlException;
import org.apereo.cas.support.saml.SamlIdPUtils;
import org.apereo.cas.support.saml.SamlUtils;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade;
import org.apereo.cas.support.saml.util.AbstractSaml20ObjectBuilder;
import org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectEncrypter;
import org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSigner;
import org.apereo.inspektr.aspect.TraceLogAspect;
import org.aspectj.lang.JoinPoint;
import org.aspectj.runtime.internal.AroundClosure;
import org.aspectj.runtime.reflect.Factory;
import org.jasig.cas.client.validation.Assertion;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.Response;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.stereotype.Component;
import org.springframework.ui.velocity.VelocityEngineFactory;

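/**
 * Builds the SAML 2.0 {@link Response} that the identity provider returns for an
 * {@link AuthnRequest} and posts it to the service provider.
 *
 * <p>The flow, as visible in this class: {@link #build} is routed through the woven
 * {@code TraceLogAspect} advice into {@link #build_aroundBody0}, which asks
 * {@code samlProfileSamlAssertionBuilder} for the assertion, wraps it with
 * {@link #buildResponse} (optional encryption, then optional signing) and finally hands the
 * message to {@link #encode}, which writes it to the servlet response via the HTTP-POST binding.
 *
 * <p>This listing is decompiled, AspectJ-woven code; the {@code ajc$...} members and
 * {@code AjcClosure1} are weaver output rather than hand-written logic.
 */
@RefreshScope
@Component("samlProfileSamlResponseBuilder")
/* loaded from: input_file:org/apereo/cas/support/saml/web/idp/profile/builders/SamlProfileSamlResponseBuilder.class */
public class SamlProfileSamlResponseBuilder extends AbstractSaml20ObjectBuilder implements SamlProfileObjectBuilder<Response> {
    private static final long serialVersionUID = -1891703354216174875L;

    /** Shared generator for response identifiers; {@link SecureRandom} is safe to share across threads. */
    private static final SecureRandom RESPONSE_ID_RANDOM = new SecureRandom();

    /** Random bytes per response identifier (160 bits, the length SAML 2.0 Core 1.3.4 recommends). */
    private static final int RESPONSE_ID_BYTES = 20;

    @Autowired
    @Qualifier("samlObjectSigner")
    protected SamlObjectSigner samlObjectSigner;

    @Autowired
    protected VelocityEngineFactory velocityEngineFactory;

    // IdP entity id used as the Issuer; the property default is the empty string, so an
    // unconfigured deployment issues responses with an empty Issuer value.
    @Value("${cas.samlidp.entityid:}")
    private String entityId;

    @Autowired
    @Qualifier("samlProfileSamlAssertionBuilder")
    private SamlProfileSamlAssertionBuilder samlProfileSamlAssertionBuilder;

    @Autowired
    @Qualifier("samlObjectEncrypter")
    private SamlObjectEncrypter samlObjectEncrypter;

    // Static join point for build(); populated by ajc$preClinit() from the static initializer.
    // The decompiler rendered this as "final ... = null", which cannot be assigned afterwards,
    // so it is declared non-final here to keep the listing compilable.
    private static JoinPoint.StaticPart ajc$tjp_0;

    /* loaded from: input_file:org/apereo/cas/support/saml/web/idp/profile/builders/SamlProfileSamlResponseBuilder$AjcClosure1.class */
    /**
     * Weaver-generated closure that carries the arguments of {@link #build} through the
     * around advice and then invokes {@link #build_aroundBody0} with them.
     */
    public class AjcClosure1 extends AroundClosure {
        public AjcClosure1(Object[] objArr) {
            super(objArr);
        }

        public Object run(Object[] objArr) {
            // The captured state array holds, in order: the builder, the six build() arguments
            // and the join point, exactly as packed in build().
            Object[] objArr2 = ((AroundClosure) this).state;
            return SamlProfileSamlResponseBuilder.build_aroundBody0((SamlProfileSamlResponseBuilder) objArr2[0], (AuthnRequest) objArr2[1], (HttpServletRequest) objArr2[2], (HttpServletResponse) objArr2[3], (Assertion) objArr2[4], (SamlRegisteredService) objArr2[5], (SamlRegisteredServiceServiceProviderMetadataFacade) objArr2[6], (JoinPoint) objArr2[7]);
        }
    }

    /**
     * Builds, optionally encrypts and signs, and posts the SAML response for the given request.
     *
     * <p>The body is weaver output: it packs the arguments into {@link AjcClosure1} and lets
     * {@code TraceLogAspect.traceMethod} run the real logic in {@link #build_aroundBody0}.
     *
     * @return the response that was written to {@code httpServletResponse}
     * @throws SamlException declared by the interface; see the individual steps for what is thrown
     */
    @Override // org.apereo.cas.support.saml.web.idp.profile.builders.SamlProfileObjectBuilder
    public Response build(AuthnRequest authnRequest, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Assertion assertion, SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade) throws SamlException {
        // 69648 is the flags value emitted by the weaver for linkClosureAndJoinPoint; left as generated.
        return (Response) TraceLogAspect.aspectOf().traceMethod(new AjcClosure1(new Object[]{this, authnRequest, httpServletRequest, httpServletResponse, assertion, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade, Factory.makeJP(ajc$tjp_0, this, this, new Object[]{authnRequest, httpServletRequest, httpServletResponse, assertion, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade})}).linkClosureAndJoinPoint(69648));
    }

    /**
     * Wraps the assertion in a SAML 2.0 response with status {@code Success}.
     *
     * <p>The assertion is encrypted first when the registered service asks for it, and the
     * finished response is signed only when {@code samlRegisteredService.isSignResponses()} is
     * true. Nothing in this method signs the message otherwise; whether the assertion itself
     * carries a signature is decided by the assertion builder, which is not shown here.
     *
     * @param assertion the SAML assertion produced for the authenticated subject
     * @param authnRequest the request being answered; its ID is passed on to {@code newResponse}
     * @return the response, replaced by the signer's result when signing is enabled
     * @throws SamlException if encrypting the assertion fails
     */
    protected Response buildResponse(org.opensaml.saml.saml2.core.Assertion assertion, AuthnRequest authnRequest, SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws SamlException {
        // NOTE(review): the first argument is taken to be the Response ID and the third the
        // InResponseTo value; newResponse is inherited and not visible here - confirm.
        Response newResponse = newResponse(newResponseId(), ZonedDateTime.now(ZoneOffset.UTC), authnRequest.getID(), null);
        newResponse.setVersion(SAMLVersion.VERSION_20);
        newResponse.setIssuer(buildEntityIssuer());
        newResponse.setConsent("urn:oasis:names:tc:SAML:2.0:consent:unspecified");
        SAMLObject encryptAssertion = encryptAssertion(assertion, httpServletRequest, httpServletResponse, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade);
        if (encryptAssertion instanceof EncryptedAssertion) {
            this.logger.debug("Built assertion is encrypted, so the response will add it to the encrypted assertions collection");
            newResponse.getEncryptedAssertions().add((EncryptedAssertion) encryptAssertion);
        } else {
            this.logger.debug("Built assertion is not encrypted, so the response will add it to the assertions collection");
            newResponse.getAssertions().add((org.opensaml.saml.saml2.core.Assertion) encryptAssertion);
        }
        newResponse.setStatus(newStatus("urn:oasis:names:tc:SAML:2.0:status:Success", "urn:oasis:names:tc:SAML:2.0:status:Success"));
        // The response handed to the logger holds the plaintext assertion whenever the service
        // does not request encryption. NOTE(review): what logSamlObject writes, and at which
        // level, is not visible here - treat that log as containing subject attributes.
        SamlUtils.logSamlObject(this.configBean, newResponse);
        if (samlRegisteredService.isSignResponses()) {
            this.logger.debug("SAML entity id [{}] indicates that SAML responses should be signed", samlRegisteredServiceServiceProviderMetadataFacade.getEntityId());
            newResponse = (Response) this.samlObjectSigner.encode(newResponse, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade, httpServletResponse, httpServletRequest);
        }
        return newResponse;
    }

    /**
     * Generates the identifier for a new response.
     *
     * <p>The previous form, {@code String.valueOf(Math.abs(new SecureRandom().nextLong()))}, had
     * three problems: the value started with a digit (or with {@code '-'} when the draw was
     * {@code Long.MIN_VALUE}, which {@code Math.abs} leaves negative), so it was not a valid
     * {@code xs:ID}/NCName and schema-validating service providers could reject the message;
     * and it carried at most 63 bits of randomness, below the 128-bit minimum SAML 2.0 Core
     * 1.3.4 sets for randomly chosen identifiers.
     *
     * @return {@code '_'} followed by 40 lowercase hex digits (160 random bits)
     */
    private static String newResponseId() {
        byte[] raw = new byte[RESPONSE_ID_BYTES];
        RESPONSE_ID_RANDOM.nextBytes(raw);
        StringBuilder id = new StringBuilder(1 + raw.length * 2).append('_');
        for (byte b : raw) {
            id.append(Character.forDigit((b >> 4) & 0xF, 16)).append(Character.forDigit(b & 0xF, 16));
        }
        return id.toString();
    }

    /**
     * Creates the Issuer element for this identity provider from the configured entity id,
     * marked with the SAML 2.0 {@code entity} name-id format.
     */
    protected Issuer buildEntityIssuer() {
        Issuer newIssuer = newIssuer(this.entityId);
        newIssuer.setFormat("urn:oasis:names:tc:SAML:2.0:nameid-format:entity");
        return newIssuer;
    }

    /**
     * Writes the response to the servlet response using the SAML HTTP-POST binding.
     *
     * <p>The peer endpoint is set up by {@code SamlIdPUtils.preparePeerEntitySamlEndpointContext}
     * from the service provider metadata facade. NOTE(review): how that helper chooses the
     * endpoint is not visible here; confirm the destination is taken from trusted metadata.
     *
     * @return the same {@code response} instance that was passed in
     * @throws RuntimeException wrapping any failure from the encoder or its setup
     */
    protected Response encode(SamlRegisteredService samlRegisteredService, Response response, HttpServletResponse httpServletResponse, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade) throws SamlException {
        try {
            HTTPPostEncoder hTTPPostEncoder = new HTTPPostEncoder();
            hTTPPostEncoder.setHttpServletResponse(httpServletResponse);
            hTTPPostEncoder.setVelocityEngine(this.velocityEngineFactory.createVelocityEngine());
            MessageContext messageContext = new MessageContext();
            SamlIdPUtils.preparePeerEntitySamlEndpointContext(messageContext, samlRegisteredServiceServiceProviderMetadataFacade);
            messageContext.setMessage(response);
            hTTPPostEncoder.setMessageContext(messageContext);
            hTTPPostEncoder.initialize();
            hTTPPostEncoder.encode();
            return response;
        } catch (Exception e) {
            // Kept as RuntimeException so existing callers see the same type; unlike
            // encryptAssertion this path does not wrap the cause in SamlException.
            throw new RuntimeException(e);
        }
    }

    /**
     * Encrypts the assertion when the registered service requires it.
     *
     * @return the encrypter's result when {@code isEncryptAssertions()} is true, otherwise the
     *         original assertion unchanged (it is then sent in plaintext inside the response)
     * @throws SamlException wrapping any failure raised while checking or encrypting
     */
    protected SAMLObject encryptAssertion(org.opensaml.saml.saml2.core.Assertion assertion, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade) throws SamlException {
        try {
            if (samlRegisteredService.isEncryptAssertions()) {
                this.logger.info("SAML service [{}] requires assertions to be encrypted", samlRegisteredServiceServiceProviderMetadataFacade.getEntityId());
                return this.samlObjectEncrypter.encode(assertion, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade, httpServletResponse, httpServletRequest);
            }
            this.logger.info("SAML registered service [{}] does not require assertions to be encrypted", samlRegisteredServiceServiceProviderMetadataFacade.getEntityId());
            return assertion;
        } catch (Exception e) {
            throw new SamlException("Unable to marshall assertion for encryption", e);
        }
    }

    static {
        ajc$preClinit();
    }

    /**
     * The original body of {@link #build} as relocated by the weaver: build the assertion,
     * wrap it in a response, then post the response to the service provider.
     */
    static final Response build_aroundBody0(SamlProfileSamlResponseBuilder samlProfileSamlResponseBuilder, AuthnRequest authnRequest, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Assertion assertion, SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade, JoinPoint joinPoint) {
        org.opensaml.saml.saml2.core.Assertion samlAssertion = samlProfileSamlResponseBuilder.samlProfileSamlAssertionBuilder.build(authnRequest, httpServletRequest, httpServletResponse, assertion, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade);
        Response samlResponse = samlProfileSamlResponseBuilder.buildResponse(samlAssertion, authnRequest, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade, httpServletRequest, httpServletResponse);
        return samlProfileSamlResponseBuilder.encode(samlRegisteredService, samlResponse, httpServletResponse, samlRegisteredServiceServiceProviderMetadataFacade);
    }

    /** Registers the static join point describing {@link #build} for the tracing aspect. */
    private static void ajc$preClinit() {
        Factory factory = new Factory("SamlProfileSamlResponseBuilder.java", SamlProfileSamlResponseBuilder.class);
        ajc$tjp_0 = factory.makeSJP("method-execution", factory.makeMethodSig("1", "build", "org.apereo.cas.support.saml.web.idp.profile.builders.SamlProfileSamlResponseBuilder", "org.opensaml.saml.saml2.core.AuthnRequest:javax.servlet.http.HttpServletRequest:javax.servlet.http.HttpServletResponse:org.jasig.cas.client.validation.Assertion:org.apereo.cas.support.saml.services.SamlRegisteredService:org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade", "authnRequest:request:response:casAssertion:service:adaptor", "org.apereo.cas.support.saml.SamlException", "org.opensaml.saml.saml2.core.Response"), 73);
    }
}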
