package org.apereo.cas.support.saml.web.idp.profile.builders;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.shibboleth.idp.attribute.IdPAttribute;
import net.shibboleth.idp.attribute.StringAttributeValue;
import net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringNameIDEncoder;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.support.saml.OpenSamlConfigBean;
import org.apereo.cas.support.saml.SamlException;
import org.apereo.cas.support.saml.SamlIdPUtils;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade;
import org.apereo.cas.support.saml.util.AbstractSaml20ObjectBuilder;
import org.jasig.cas.client.authentication.AttributePrincipal;
import org.jasig.cas.client.validation.Assertion;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.NameID;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/support/saml/web/idp/profile/builders/SamlProfileSamlNameIdBuilder.class */
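/**
 * Builds the SAML2 {@link NameID} that identifies the authenticated principal to a service provider.
 *
 * <p>Candidate NameID formats are collected from the service provider's metadata, with the
 * transient format as the default when the metadata declares none and the format required by the
 * registered service (if any) placed first. The first candidate that encodes successfully wins.
 */
public class SamlProfileSamlNameIdBuilder extends AbstractSaml20ObjectBuilder implements SamlProfileObjectBuilder<NameID> {
    private static final long serialVersionUID = -6231886395225437320L;
    private static final Logger LOGGER = LoggerFactory.getLogger(SamlProfileSamlNameIdBuilder.class);

    /** Format used when the service provider metadata declares no NameID format at all. */
    private static final String NAMEID_FORMAT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient";

    /** Format that this builder refuses to honour when it is requested through the AuthnRequest. */
    private static final String NAMEID_FORMAT_ENCRYPTED = "urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted";

    /**
     * Formats recognised when expanding a service's configured required format.
     * The order is significant: the first entry that contains the configured text is chosen.
     */
    private static final String[] KNOWN_NAMEID_FORMATS = {
        "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        NAMEID_FORMAT_TRANSIENT,
        "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
        "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
        "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
        "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
        "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
        "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
        NAMEID_FORMAT_ENCRYPTED
    };

    public SamlProfileSamlNameIdBuilder(OpenSamlConfigBean openSamlConfigBean) {
        super(openSamlConfigBean);
    }

    /**
     * Builds the NameID for the given authentication request.
     *
     * <p>The method name is a decompiler artifact: it was renamed from {@code build} to avoid a
     * collision with the merged bridge method. The servlet request and response are not used.
     *
     * @param authnRequest the SAML authentication request; its NameIDPolicy is consulted when present
     * @param httpServletRequest unused
     * @param httpServletResponse unused
     * @param assertion the CAS assertion whose principal name becomes the NameID value
     * @param samlRegisteredService the registered service, consulted for a required NameID format
     * @param samlRegisteredServiceServiceProviderMetadataFacade the service provider metadata
     * @return the encoded NameID, or {@code null} when no candidate format could be encoded
     * @throws SamlException if the request requires a format that is not among the candidates
     */
    @Override // org.apereo.cas.support.saml.web.idp.profile.builders.SamlProfileObjectBuilder
    public NameID mo25build(AuthnRequest authnRequest, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Assertion assertion, SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade) throws SamlException {
        return buildNameId(authnRequest, assertion, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade);
    }

    /**
     * Selects a NameID format and encodes the principal name with it.
     *
     * @return the first NameID that encodes successfully, or {@code null} if every candidate fails
     * @throws SamlException if the AuthnRequest names a format outside the candidate list
     */
    private NameID buildNameId(AuthnRequest authnRequest, Assertion assertion, SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade) throws SamlException {
        List<String> declaredFormats = samlRegisteredServiceServiceProviderMetadataFacade.getSupportedNameIdFormats();
        // Work on a private copy: the entries added below must not leak into a list that the
        // metadata facade may share, cache or expose as unmodifiable.
        List<String> supportedNameIdFormats = new ArrayList<>();
        if (declaredFormats != null) {
            supportedNameIdFormats.addAll(declaredFormats);
        }
        LOGGER.debug("Metadata for [{}] declares support for the following NameIDs [{}]", samlRegisteredServiceServiceProviderMetadataFacade.getEntityId(), supportedNameIdFormats);
        if (supportedNameIdFormats.isEmpty()) {
            supportedNameIdFormats.add(NAMEID_FORMAT_TRANSIENT);
            LOGGER.debug("No supported nameId formats could be determined from metadata. Added default [{}]", NAMEID_FORMAT_TRANSIENT);
        }
        if (StringUtils.isNotBlank(samlRegisteredService.getRequiredNameIdFormat())) {
            // The service's own requirement goes first so that it is tried before the metadata formats.
            String serviceRequiredFormat = parseAndBuildRequiredNameIdFormat(samlRegisteredService);
            supportedNameIdFormats.add(0, serviceRequiredFormat);
            LOGGER.debug("Added required nameId format [{}] based on saml service configuration for [{}]", serviceRequiredFormat, samlRegisteredService.getServiceId());
        }

        String requestedFormat = null;
        if (authnRequest.getNameIDPolicy() != null) {
            requestedFormat = authnRequest.getNameIDPolicy().getFormat();
            LOGGER.debug("AuthN request indicates [{}] is the required NameID format", requestedFormat);
            if (NAMEID_FORMAT_ENCRYPTED.equals(requestedFormat)) {
                // NOTE(review): a request for an encrypted NameID is dropped with a warning and the
                // build continues with the other candidates, so the requester receives an
                // unencrypted NameID instead of an error. Confirm that this downgrade is intended.
                // Only the request-supplied value is filtered here; the encrypted format can still
                // reach the candidate list through service configuration or metadata.
                LOGGER.warn("Encrypted NameID formats are not supported");
                requestedFormat = null;
            }
        }
        if (StringUtils.isNotBlank(requestedFormat) && !supportedNameIdFormats.contains(requestedFormat)) {
            LOGGER.warn("Required NameID format [{}] in the AuthN request issued by [{}] is not supported based on the metadata for [{}]", requestedFormat, SamlIdPUtils.getIssuerFromSamlRequest(authnRequest), samlRegisteredServiceServiceProviderMetadataFacade.getEntityId());
            throw new SamlException("Required NameID format cannot be provided because it is not supported");
        }

        // NOTE(review): the requested format is only validated above; it does not select or
        // reorder the candidates. The loop returns the first candidate that encodes, which may
        // differ from the format named in the request's NameIDPolicy.
        for (String candidateFormat : supportedNameIdFormats) {
            try {
                LOGGER.debug("Evaluating NameID format [{}]", candidateFormat);
                SAML2StringNameIDEncoder encoder = new SAML2StringNameIDEncoder();
                encoder.setNameFormat(candidateFormat);
                if (authnRequest.getNameIDPolicy() != null) {
                    // The SPNameQualifier is taken from the AuthnRequest as-is and applied as the
                    // encoder's name qualifier. NOTE(review): no check against the registered
                    // service or its metadata is visible here; verify it happens upstream.
                    String sPNameQualifier = authnRequest.getNameIDPolicy().getSPNameQualifier();
                    LOGGER.debug("NameID qualifier is set to [{}]", sPNameQualifier);
                    encoder.setNameQualifier(sPNameQualifier);
                }
                IdPAttribute principalAttribute = new IdPAttribute(AttributePrincipal.class.getName());
                StringAttributeValue principalValue = new StringAttributeValue(assertion.getPrincipal().getName());
                LOGGER.debug("NameID attribute value is set to [{}]", assertion.getPrincipal().getName());
                principalAttribute.setValues(Collections.singletonList(principalValue));
                LOGGER.debug("Encoding NameID based on [{}]", candidateFormat);
                NameID encoded = encoder.encode(principalAttribute);
                LOGGER.debug("Final NameID encoded is [{}] with value [{}]", encoded.getFormat(), encoded.getValue());
                return encoded;
            } catch (Exception e) {
                // Deliberate best effort: a failure with one format is logged and the next
                // candidate is tried, so a failing preferred format falls through to a later one.
                LOGGER.error(e.getMessage(), e);
            }
        }
        // Every candidate failed; callers must handle the absence of a NameID.
        return null;
    }

    /**
     * Expands the service's configured required NameID format to a full format URN.
     *
     * <p>The match is a case-insensitive substring test of the configured text against each known
     * URN, in declaration order, so a short or generic value resolves to the first URN that
     * happens to contain it. Text that matches no known URN is returned unchanged (trimmed).
     *
     * @param samlRegisteredService the service whose required format is expanded; the caller has
     *     already checked that the format is not blank
     * @return the matching known format URN, or the trimmed configured value
     */
    private String parseAndBuildRequiredNameIdFormat(SamlRegisteredService samlRegisteredService) {
        String configuredFormat = samlRegisteredService.getRequiredNameIdFormat().trim();
        for (String knownFormat : KNOWN_NAMEID_FORMATS) {
            if (StringUtils.containsIgnoreCase(knownFormat, configuredFormat)) {
                return knownFormat;
            }
        }
        return configuredFormat;
    }
}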
