package org.apache.syncope.core.logic;

import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.lang.reflect.Method;
import java.text.ParseException;
import java.time.OffsetDateTime;
import java.util.Base64;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.syncope.common.lib.Attr;
import org.apache.syncope.common.lib.SyncopeClientException;
import org.apache.syncope.common.lib.saml2.SAML2LoginResponse;
import org.apache.syncope.common.lib.saml2.SAML2Request;
import org.apache.syncope.common.lib.saml2.SAML2Response;
import org.apache.syncope.common.lib.to.EntityTO;
import org.apache.syncope.common.lib.to.Item;
import org.apache.syncope.common.lib.to.UserTO;
import org.apache.syncope.common.lib.types.CipherAlgorithm;
import org.apache.syncope.common.lib.types.ClientExceptionType;
import org.apache.syncope.common.lib.types.SAML2BindingType;
import org.apache.syncope.core.logic.init.SAML2SP4UILoader;
import org.apache.syncope.core.logic.saml2.NoOpSessionStore;
import org.apache.syncope.core.logic.saml2.SAML2ClientCache;
import org.apache.syncope.core.logic.saml2.SAML2SP4UIContext;
import org.apache.syncope.core.logic.saml2.SAML2SP4UIUserManager;
import org.apache.syncope.core.persistence.api.dao.NotFoundException;
import org.apache.syncope.core.persistence.api.dao.SAML2SP4UIIdPDAO;
import org.apache.syncope.core.persistence.api.entity.SAML2SP4UIIdP;
import org.apache.syncope.core.provisioning.api.RequestedAuthnContextProvider;
import org.apache.syncope.core.provisioning.api.data.AccessTokenDataBinder;
import org.apache.syncope.core.provisioning.api.serialization.POJOHelper;
import org.apache.syncope.core.spring.ImplementationManager;
import org.apache.syncope.core.spring.security.AuthContextUtils;
import org.apache.syncope.core.spring.security.AuthDataAccessor;
import org.apache.syncope.core.spring.security.Encryptor;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.LogoutResponse;
import org.opensaml.saml.saml2.core.RequestedAuthnContext;
import org.opensaml.saml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.impl.AssertionConsumerServiceBuilder;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.exception.http.RedirectionAction;
import org.pac4j.core.exception.http.WithContentAction;
import org.pac4j.core.exception.http.WithLocationAction;
import org.pac4j.core.logout.NoLogoutActionBuilder;
import org.pac4j.saml.client.SAML2Client;
import org.pac4j.saml.config.SAML2Configuration;
import org.pac4j.saml.context.SAML2MessageContext;
import org.pac4j.saml.credentials.SAML2Credentials;
import org.pac4j.saml.metadata.SAML2ServiceProviderMetadataResolver;
import org.pac4j.saml.profile.SAML2Profile;
import org.pac4j.saml.redirect.SAML2RedirectionActionBuilder;
import org.pac4j.saml.sso.impl.SAML2AuthnRequestBuilder;
import org.springframework.beans.BeanUtils;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.util.ResourceUtils;

/* loaded from: input_file:org/apache/syncope/core/logic/SAML2SP4UILogic.class */
public class SAML2SP4UILogic extends AbstractTransactionalLogic<EntityTO> {
    protected static final String JWT_CLAIM_IDP_ENTITYID = "IDP_ENTITYID";
    protected static final String JWT_CLAIM_NAMEID_FORMAT = "NAMEID_FORMAT";
    protected static final String JWT_CLAIM_NAMEID_VALUE = "NAMEID_VALUE";
    protected static final String JWT_CLAIM_SESSIONINDEX = "SESSIONINDEX";
    protected static final Encryptor ENCRYPTOR = Encryptor.getInstance();
    protected final SAML2SP4UILoader loader;
    protected final AccessTokenDataBinder accessTokenDataBinder;
    protected final SAML2ClientCache saml2ClientCache;
    protected final SAML2SP4UIUserManager userManager;
    protected final SAML2SP4UIIdPDAO idpDAO;
    protected final AuthDataAccessor authDataAccessor;
    protected final Map<String, String> metadataCache = new ConcurrentHashMap();

    public SAML2SP4UILogic(SAML2SP4UILoader sAML2SP4UILoader, AccessTokenDataBinder accessTokenDataBinder, SAML2ClientCache sAML2ClientCache, SAML2SP4UIUserManager sAML2SP4UIUserManager, SAML2SP4UIIdPDAO sAML2SP4UIIdPDAO, AuthDataAccessor authDataAccessor) {
        this.loader = sAML2SP4UILoader;
        this.accessTokenDataBinder = accessTokenDataBinder;
        this.saml2ClientCache = sAML2ClientCache;
        this.userManager = sAML2SP4UIUserManager;
        this.idpDAO = sAML2SP4UIIdPDAO;
        this.authDataAccessor = authDataAccessor;
    }

    protected static String validateUrl(String str) {
        boolean z = true;
        if (str.contains("..")) {
            z = false;
        }
        if (z) {
            z = ResourceUtils.isUrl(str);
        }
        if (z) {
            return str;
        }
        SyncopeClientException build = SyncopeClientException.build(ClientExceptionType.Unknown);
        build.getElements().add("Invalid URL: " + str);
        throw build;
    }

    protected static String getCallbackUrl(String str, String str2) {
        return validateUrl(str + str2 + "/assertion-consumer");
    }

    @PreAuthorize("isAuthenticated()")
    public void getMetadata(String str, String str2, OutputStream outputStream) {
        String str3 = this.metadataCache.get(str + str2);
        if (str3 == null) {
            SAML2Configuration newSAML2Configuration = this.loader.newSAML2Configuration();
            newSAML2Configuration.setServiceProviderEntityId(str);
            newSAML2Configuration.setCallbackUrl(getCallbackUrl(str, str2));
            Optional<String> sPMetadataPath = SAML2ClientCache.getSPMetadataPath(str);
            Objects.requireNonNull(newSAML2Configuration);
            sPMetadataPath.ifPresent(newSAML2Configuration::setServiceProviderMetadataResourceFilepath);
            EntityDescriptor entityDescriptorElement = new SAML2ServiceProviderMetadataResolver(newSAML2Configuration).getEntityDescriptorElement();
            AssertionConsumerService assertionConsumerService = (AssertionConsumerService) entityDescriptorElement.getSPSSODescriptor("urn:oasis:names:tc:SAML:2.0:protocol").getAssertionConsumerServices().get(0);
            AssertionConsumerService buildObject = new AssertionConsumerServiceBuilder().buildObject();
            BeanUtils.copyProperties(assertionConsumerService, buildObject);
            assertionConsumerService.setBinding(SAML2BindingType.REDIRECT.getUri());
            assertionConsumerService.setIndex(1);
            entityDescriptorElement.getSPSSODescriptor("urn:oasis:names:tc:SAML:2.0:protocol").getAssertionConsumerServices().add(buildObject);
            entityDescriptorElement.getSPSSODescriptor("urn:oasis:names:tc:SAML:2.0:protocol").getSingleLogoutServices().removeIf(singleLogoutService -> {
                return (SAML2BindingType.POST.getUri().equals(singleLogoutService.getBinding()) || SAML2BindingType.REDIRECT.getUri().equals(singleLogoutService.getBinding())) ? false : true;
            });
            entityDescriptorElement.getSPSSODescriptor("urn:oasis:names:tc:SAML:2.0:protocol").getSingleLogoutServices().forEach(singleLogoutService2 -> {
                singleLogoutService2.setLocation(getCallbackUrl(str, str2).replace("/assertion-consumer", "/logout"));
            });
            try {
                str3 = newSAML2Configuration.toMetadataGenerator().getMetadata(entityDescriptorElement);
                this.metadataCache.put(str + str2, str3);
            } catch (Exception e) {
                LOG.error("While generating SP metadata", e);
                SyncopeClientException build = SyncopeClientException.build(ClientExceptionType.Unknown);
                build.getElements().add(e.getMessage());
                throw build;
            }
        }
        try {
            OutputStreamWriter outputStreamWriter = new OutputStreamWriter(outputStream);
            try {
                outputStreamWriter.write(str3);
                outputStreamWriter.close();
            } finally {
            }
        } catch (Exception e2) {
            LOG.error("While getting SP metadata", e2);
            SyncopeClientException build2 = SyncopeClientException.build(ClientExceptionType.Unknown);
            build2.getElements().add(e2.getMessage());
            throw build2;
        }
    }

    protected SAML2Client getSAML2Client(SAML2SP4UIIdP sAML2SP4UIIdP, String str, String str2) {
        return this.saml2ClientCache.get(sAML2SP4UIIdP.getEntityID(), str).orElseGet(() -> {
            return this.saml2ClientCache.add(sAML2SP4UIIdP, this.loader.newSAML2Configuration(), str, getCallbackUrl(str, str2));
        });
    }

    protected SAML2Client getSAML2Client(String str, String str2, String str3) {
        SAML2SP4UIIdP findByEntityID = this.idpDAO.findByEntityID(str);
        if (findByEntityID == null) {
            throw new NotFoundException("SAML 2.0 IdP '" + str + "'");
        }
        return getSAML2Client(findByEntityID, str2, str3);
    }

    protected static SAML2Request buildRequest(String str, RedirectionAction redirectionAction) {
        SAML2Request sAML2Request = new SAML2Request();
        sAML2Request.setIdpEntityID(str);
        if (redirectionAction instanceof WithLocationAction) {
            sAML2Request.setBindingType(SAML2BindingType.REDIRECT);
            sAML2Request.setContent(((WithLocationAction) redirectionAction).getLocation());
        } else if (redirectionAction instanceof WithContentAction) {
            sAML2Request.setBindingType(SAML2BindingType.POST);
            sAML2Request.setContent(Base64.getMimeEncoder().encodeToString(((WithContentAction) redirectionAction).getContent().getBytes()));
        }
        return sAML2Request;
    }

    @PreAuthorize("hasRole('ANONYMOUS')")
    public SAML2Request createLoginRequest(String str, String str2, String str3) {
        SAML2SP4UIIdP findByEntityID = this.idpDAO.findByEntityID(str3);
        if (findByEntityID == null) {
            throw new NotFoundException("SAML 2.0 IdP '" + str3 + "'");
        }
        SAML2Client sAML2Client = getSAML2Client(findByEntityID, str, str2);
        if (findByEntityID.getRequestedAuthnContextProvider() != null) {
            RequestedAuthnContextProvider requestedAuthnContextProvider = null;
            try {
                requestedAuthnContextProvider = (RequestedAuthnContextProvider) ImplementationManager.build(findByEntityID.getRequestedAuthnContextProvider());
            } catch (Exception e) {
                LOG.warn("Cannot instantiate '{}', reverting to default behavior", findByEntityID.getRequestedAuthnContextProvider(), e);
            }
            if (requestedAuthnContextProvider != null) {
                final RequestedAuthnContext requestedAuthnContext = (RequestedAuthnContext) requestedAuthnContextProvider.get();
                sAML2Client.setRedirectionActionBuilder(new SAML2RedirectionActionBuilder(sAML2Client) { // from class: org.apache.syncope.core.logic.SAML2SP4UILogic.1
                    public Optional<RedirectionAction> getRedirectionAction(WebContext webContext, SessionStore sessionStore) {
                        this.saml2ObjectBuilder = new SAML2AuthnRequestBuilder() { // from class: org.apache.syncope.core.logic.SAML2SP4UILogic.1.1
                            /* renamed from: build, reason: merged with bridge method [inline-methods] */
                            public AuthnRequest m2build(SAML2MessageContext sAML2MessageContext) {
                                AuthnRequest build = super.build(sAML2MessageContext);
                                build.setRequestedAuthnContext(requestedAuthnContext);
                                return build;
                            }
                        };
                        return super.getRedirectionAction(webContext, sessionStore);
                    }
                });
            }
        }
        return buildRequest(str3, (RedirectionAction) sAML2Client.getRedirectionAction(new SAML2SP4UIContext(sAML2Client.getConfiguration().getAuthnRequestBindingType(), null), NoOpSessionStore.INSTANCE).orElseThrow(() -> {
            SyncopeClientException build = SyncopeClientException.build(ClientExceptionType.Unknown);
            build.getElements().add("No RedirectionAction generated for AuthnRequest");
            return build;
        }));
    }

    @PreAuthorize("hasRole('ANONYMOUS')")
    public SAML2LoginResponse validateLoginResponse(SAML2Response sAML2Response) {
        String str;
        SAML2SP4UIIdP findByEntityID = this.idpDAO.findByEntityID(sAML2Response.getIdpEntityID());
        if (findByEntityID == null) {
            throw new NotFoundException("SAML 2.0 IdP '" + sAML2Response.getIdpEntityID() + "'");
        }
        SAML2Client sAML2Client = getSAML2Client(findByEntityID, sAML2Response.getSpEntityID(), sAML2Response.getUrlContext());
        try {
            SAML2SP4UIContext sAML2SP4UIContext = new SAML2SP4UIContext(sAML2Client.getConfiguration().getAuthnRequestBindingType(), sAML2Response);
            SAML2Credentials sAML2Credentials = (SAML2Credentials) sAML2Client.getCredentialsExtractor().extract(sAML2SP4UIContext, NoOpSessionStore.INSTANCE).orElseThrow(() -> {
                return new IllegalStateException("No AuthnResponse found");
            });
            sAML2Client.getAuthenticator().validate(sAML2Credentials, sAML2SP4UIContext, NoOpSessionStore.INSTANCE);
            SAML2LoginResponse sAML2LoginResponse = new SAML2LoginResponse();
            sAML2LoginResponse.setIdp(sAML2Client.getIdentityProviderResolvedEntityId());
            sAML2LoginResponse.setSloSupported(!(sAML2Client.getLogoutActionBuilder() instanceof NoLogoutActionBuilder));
            SAML2Credentials.SAMLNameID nameId = sAML2Credentials.getNameId();
            Item item = (Item) findByEntityID.getConnObjectKeyItem().orElse(null);
            String str2 = null;
            if (StringUtils.isNotBlank(nameId.getValue()) && item != null && item.getExtAttrName().equals("NameID")) {
                str2 = nameId.getValue();
            }
            sAML2LoginResponse.setNotOnOrAfter(new Date(sAML2Credentials.getConditions().getNotOnOrAfter().toInstant().toEpochMilli()));
            sAML2LoginResponse.setSessionIndex(sAML2Credentials.getSessionIndex());
            for (SAML2Credentials.SAMLAttribute sAMLAttribute : sAML2Credentials.getAttributes()) {
                if (!sAMLAttribute.getAttributeValues().isEmpty()) {
                    String name = sAMLAttribute.getFriendlyName() == null ? sAMLAttribute.getName() : sAMLAttribute.getFriendlyName();
                    if (item != null && name.equals(item.getExtAttrName())) {
                        str2 = (String) sAMLAttribute.getAttributeValues().get(0);
                    }
                    sAML2LoginResponse.getAttrs().add(new Attr.Builder(name).values(sAMLAttribute.getAttributeValues()).build());
                }
            }
            List<String> of = str2 == null ? List.of() : this.userManager.findMatchingUser(str2, findByEntityID.getKey());
            LOG.debug("Found {} matching users for {}", Integer.valueOf(of.size()), str2);
            if (of.isEmpty()) {
                if (!findByEntityID.isCreateUnmatching()) {
                    if (!findByEntityID.isSelfRegUnmatching()) {
                        throw new NotFoundException("User matching the provided value " + str2);
                    }
                    sAML2LoginResponse.setNameID(nameId.getValue());
                    UserTO userTO = new UserTO();
                    this.userManager.fill(findByEntityID.getKey(), sAML2LoginResponse, userTO);
                    sAML2LoginResponse.getAttrs().clear();
                    sAML2LoginResponse.getAttrs().addAll(userTO.getPlainAttrs());
                    if (StringUtils.isNotBlank(userTO.getUsername())) {
                        sAML2LoginResponse.setUsername(userTO.getUsername());
                    } else {
                        sAML2LoginResponse.setUsername(str2);
                    }
                    sAML2LoginResponse.setSelfReg(true);
                    return sAML2LoginResponse;
                }
                LOG.debug("No user matching {}, about to create", str2);
                str = (String) AuthContextUtils.callAsAdmin(AuthContextUtils.getDomain(), () -> {
                    return this.userManager.create(findByEntityID, sAML2LoginResponse, nameId.getValue());
                });
            } else {
                if (of.size() > 1) {
                    throw new IllegalArgumentException("Several users match the provided value " + str2);
                }
                if (findByEntityID.isUpdateMatching()) {
                    LOG.debug("About to update {} for {}", of.get(0), str2);
                    str = (String) AuthContextUtils.callAsAdmin(AuthContextUtils.getDomain(), () -> {
                        return this.userManager.update((String) of.get(0), findByEntityID, sAML2LoginResponse);
                    });
                } else {
                    str = of.get(0);
                }
            }
            sAML2LoginResponse.setUsername(str);
            sAML2LoginResponse.setNameID(nameId.getValue());
            HashMap hashMap = new HashMap();
            hashMap.put(JWT_CLAIM_IDP_ENTITYID, findByEntityID.getEntityID());
            hashMap.put(JWT_CLAIM_NAMEID_FORMAT, nameId.getFormat());
            hashMap.put(JWT_CLAIM_NAMEID_VALUE, nameId.getValue());
            hashMap.put(JWT_CLAIM_SESSIONINDEX, sAML2LoginResponse.getSessionIndex());
            byte[] bArr = null;
            try {
                bArr = ENCRYPTOR.encode(POJOHelper.serialize(this.authDataAccessor.getAuthorities(sAML2LoginResponse.getUsername(), (String) null)), CipherAlgorithm.AES).getBytes();
            } catch (Exception e) {
                LOG.error("Could not fetch authorities", e);
            }
            Pair create = this.accessTokenDataBinder.create(sAML2LoginResponse.getUsername(), hashMap, bArr, true);
            sAML2LoginResponse.setAccessToken((String) create.getLeft());
            sAML2LoginResponse.setAccessTokenExpiryTime((OffsetDateTime) create.getRight());
            return sAML2LoginResponse;
        } catch (Exception e2) {
            LOG.error("While validating AuthnResponse", e2);
            SyncopeClientException build = SyncopeClientException.build(ClientExceptionType.Unknown);
            build.getElements().add(e2.getMessage());
            throw build;
        }
    }

    @PreAuthorize("isAuthenticated() and not(hasRole('ANONYMOUS'))")
    public SAML2Request createLogoutRequest(String str, String str2, String str3) {
        try {
            JWTClaimsSet jWTClaimsSet = SignedJWT.parse(str).getJWTClaimsSet();
            String str4 = (String) jWTClaimsSet.getClaim(JWT_CLAIM_IDP_ENTITYID);
            if (str4 == null) {
                throw new NotFoundException("No SAML 2.0 IdP information found in the access token");
            }
            SAML2Client sAML2Client = getSAML2Client(str4, str2, str3);
            if (sAML2Client.getLogoutActionBuilder() instanceof NoLogoutActionBuilder) {
                throw new IllegalArgumentException("No SingleLogoutService available for " + sAML2Client.getIdentityProviderResolvedEntityId());
            }
            SAML2Profile sAML2Profile = new SAML2Profile();
            sAML2Profile.setId((String) jWTClaimsSet.getClaim(JWT_CLAIM_NAMEID_VALUE));
            sAML2Profile.addAuthenticationAttribute("samlNameIdFormat", jWTClaimsSet.getClaim(JWT_CLAIM_NAMEID_FORMAT));
            sAML2Profile.addAuthenticationAttribute("sessionindex", jWTClaimsSet.getClaim(JWT_CLAIM_SESSIONINDEX));
            return buildRequest(str4, (RedirectionAction) sAML2Client.getLogoutAction(new SAML2SP4UIContext(sAML2Client.getConfiguration().getSpLogoutRequestBindingType(), null), NoOpSessionStore.INSTANCE, sAML2Profile, (String) null).orElseThrow(() -> {
                SyncopeClientException build = SyncopeClientException.build(ClientExceptionType.Unknown);
                build.getElements().add("No RedirectionAction generated for LogoutRequest");
                return build;
            }));
        } catch (ParseException e) {
            SyncopeClientException build = SyncopeClientException.build(ClientExceptionType.InvalidAccessToken);
            build.getElements().add(e.getMessage());
            throw build;
        }
    }

    @PreAuthorize("hasRole('ANONYMOUS')")
    public void validateLogoutResponse(SAML2Response sAML2Response) {
        if (sAML2Response.getIdpEntityID() == null) {
            LOG.error("No SAML 2.0 IdP entityID provided, ignoring");
            return;
        }
        SAML2Client sAML2Client = getSAML2Client(sAML2Response.getIdpEntityID(), sAML2Response.getSpEntityID(), sAML2Response.getUrlContext());
        if (this.idpDAO.findByEntityID(sAML2Client.getIdentityProviderResolvedEntityId()) == null) {
            throw new NotFoundException("SAML 2.0 IdP '" + sAML2Client.getIdentityProviderResolvedEntityId() + "'");
        }
        try {
            SAML2MessageContext buildContext = sAML2Client.getContextProvider().buildContext(sAML2Client, new SAML2SP4UIContext(sAML2Client.getConfiguration().getSpLogoutRequestBindingType(), sAML2Response), NoOpSessionStore.INSTANCE);
            sAML2Client.getLogoutProfileHandler().receive(buildContext);
            if ("urn:oasis:names:tc:SAML:2.0:status:Success".equals(((LogoutResponse) buildContext.getMessageContext().getMessage()).getStatus().getStatusCode().getValue())) {
                return;
            }
            LOG.warn("Logout from SAML 2.0 IdP '{}' was not successful", sAML2Client.getIdentityProviderResolvedEntityId());
        } catch (Exception e) {
            LOG.error("Could not validate LogoutResponse", e);
        }
    }

    protected EntityTO resolveReference(Method method, Object... objArr) throws UnresolvedReferenceException {
        throw new UnresolvedReferenceException();
    }
}
