package org.springframework.security.saml.websso;

import java.util.Collection;
import java.util.List;
import java.util.Set;
import org.opensaml.common.SAMLException;
import org.opensaml.common.SAMLObjectBuilder;
import org.opensaml.common.SAMLVersion;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.IDPEntry;
import org.opensaml.saml2.core.IDPList;
import org.opensaml.saml2.core.NameIDPolicy;
import org.opensaml.saml2.core.RequestedAuthnContext;
import org.opensaml.saml2.core.RequesterID;
import org.opensaml.saml2.core.Scoping;
import org.opensaml.saml2.core.impl.RequesterIDBuilder;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.springframework.security.saml.SAMLConstants;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.MetadataManager;
import org.springframework.security.saml.processor.SAMLProcessor;
import org.springframework.security.saml.storage.SAMLMessageStorage;
import org.springframework.util.CollectionUtils;

/* loaded from: input_file:org/springframework/security/saml/websso/WebSSOProfileImpl.class */
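/**
 * SP-side implementation of the SAML 2.0 Web Browser SSO profile: builds an
 * {@link AuthnRequest} from the local SP metadata, the selected IdP metadata and
 * the caller-supplied {@link WebSSOProfileOptions}, and hands it to the inherited
 * {@code sendMessage} for encoding and delivery.
 *
 * <p>Security-relevant properties of the request built here:
 * <ul>
 *   <li>The AssertionConsumerServiceURL is always taken from the SP's <em>own</em>
 *       metadata (never from user input), so a conforming IdP can verify it against
 *       the registered SP endpoints.</li>
 *   <li>The request is signed whenever either the SP metadata declares
 *       {@code AuthnRequestsSigned} or the IdP metadata declares
 *       {@code WantAuthnRequestsSigned}.</li>
 *   <li>RelayState is forwarded from the options as-is; it is not validated here,
 *       so callers are responsible for not accepting attacker-controlled values.</li>
 * </ul>
 * Fields {@code log} and {@code builderFactory}, and the helpers
 * {@code buildCommonAttributes}, {@code isEndpointMatching}, {@code getEndpointBinding}
 * and {@code sendMessage}, are inherited from {@link AbstractProfileBase}.
 */
public class WebSSOProfileImpl extends AbstractProfileBase implements WebSSOProfile {

    /** SAML 2.0 binding URIs accepted by this profile; values must stay byte-identical to the spec. */
    private static final String HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
    private static final String HTTP_ARTIFACT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact";
    private static final String HTTP_REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";

    /** No-arg constructor; collaborators are expected to be injected later by the base class setup. */
    public WebSSOProfileImpl() {
    }

    /**
     * Creates the profile with its collaborators.
     *
     * @param sAMLProcessor   processor used to encode and send messages
     * @param metadataManager source of SP and IdP metadata
     */
    public WebSSOProfileImpl(SAMLProcessor sAMLProcessor, MetadataManager metadataManager) {
        super(sAMLProcessor, metadataManager);
    }

    /**
     * @return the Web SSO profile URI that identifies this communication profile
     */
    @Override // org.springframework.security.saml.websso.AbstractProfileBase
    public String getProfileIdentifier() {
        return SAMLConstants.SAML2_WEBSSO_PROFILE_URI;
    }

    /**
     * Builds an AuthnRequest for the peer IdP in the context and sends it.
     *
     * <p>The context must describe the local entity as an SP and carry the peer
     * IdP role metadata and extended metadata. After a successful send the request
     * is stored under its ID in the context's message storage (if any), presumably
     * so the IdP response's InResponseTo can be matched later — confirm against the
     * response consumer.
     *
     * @param sAMLMessageContext    context holding local SP and peer IdP metadata
     * @param webSSOProfileOptions  caller preferences (binding, ACS index, NameID policy, scoping, ...)
     * @throws SAMLException             if the local role is not SP or required metadata is missing
     * @throws MetadataProviderException if no usable SSO or ACS endpoint can be selected
     * @throws MessageEncodingException  if the outbound message cannot be encoded
     */
    public void sendAuthenticationRequest(SAMLMessageContext sAMLMessageContext, WebSSOProfileOptions webSSOProfileOptions) throws SAMLException, MetadataProviderException, MessageEncodingException {
        if (!SPSSODescriptor.DEFAULT_ELEMENT_NAME.equals(sAMLMessageContext.getLocalEntityRole())) {
            throw new SAMLException("WebSSO can only be initialized for local SP, but localEntityRole is: " + sAMLMessageContext.getLocalEntityRole());
        }

        SPSSODescriptor spDescriptor = (SPSSODescriptor) sAMLMessageContext.getLocalEntityRoleMetadata();
        IDPSSODescriptor idpDescriptor = sAMLMessageContext.getPeerEntityRoleMetadata();
        ExtendedMetadata idpExtendedMetadata = sAMLMessageContext.getPeerExtendedMetadata();
        if (spDescriptor == null || idpDescriptor == null || idpExtendedMetadata == null) {
            throw new SAMLException("SPSSODescriptor, IDPSSODescriptor or IDPExtendedMetadata are not present in the SAMLContext");
        }

        // Endpoint selection happens before the request is built so both URLs end up inside it.
        SingleSignOnService ssoEndpoint = getSingleSignOnService(webSSOProfileOptions, idpDescriptor, spDescriptor);
        AssertionConsumerService consumerEndpoint = getAssertionConsumerService(webSSOProfileOptions, idpDescriptor, spDescriptor);
        AuthnRequest authnRequest = getAuthnRequest(sAMLMessageContext, webSSOProfileOptions, consumerEndpoint, ssoEndpoint);

        sAMLMessageContext.setCommunicationProfileId(getProfileIdentifier());
        sAMLMessageContext.setOutboundMessage(authnRequest);
        sAMLMessageContext.setOutboundSAMLMessage(authnRequest);
        sAMLMessageContext.setPeerEntityEndpoint(ssoEndpoint);
        sAMLMessageContext.setPeerEntityRoleMetadata(idpDescriptor);
        sAMLMessageContext.setPeerExtendedMetadata(idpExtendedMetadata);

        // RelayState is passed through untouched; no validation is performed at this layer.
        if (webSSOProfileOptions.getRelayState() != null) {
            sAMLMessageContext.setRelayState(webSSOProfileOptions.getRelayState());
        }

        sendMessage(sAMLMessageContext, isSigningRequired(spDescriptor, idpDescriptor));

        SAMLMessageStorage messageStorage = sAMLMessageContext.getMessageStorage();
        if (messageStorage != null) {
            messageStorage.storeMessage(authnRequest.getID(), authnRequest);
        }
    }

    /**
     * Decides whether the outbound AuthnRequest must be signed: either side's
     * metadata asking for it is sufficient. Null flags are treated as "not
     * requested" instead of unboxing to a NullPointerException.
     *
     * @param spDescriptor  local SP role metadata
     * @param idpDescriptor peer IdP role metadata
     * @return true when the SP signs its requests or the IdP wants them signed
     */
    private static boolean isSigningRequired(SPSSODescriptor spDescriptor, IDPSSODescriptor idpDescriptor) {
        return Boolean.TRUE.equals(spDescriptor.isAuthnRequestsSigned())
                || Boolean.TRUE.equals(idpDescriptor.getWantAuthnRequestsSigned());
    }

    /**
     * Picks the IdP SingleSignOnService endpoint to send the request to.
     *
     * <p>With no binding preference in the options, the first endpoint with a
     * supported binding wins; with a preference, the first supported endpoint whose
     * binding matches it (via the inherited {@code isEndpointMatching}).
     *
     * @param webSSOProfileOptions options, possibly naming a preferred binding
     * @param iDPSSODescriptor     peer IdP role metadata
     * @param sPSSODescriptor      local SP role metadata (unused here, kept for overriders)
     * @return the selected SSO endpoint
     * @throws MetadataProviderException if no supported (or no matching) endpoint exists
     */
    protected SingleSignOnService getSingleSignOnService(WebSSOProfileOptions webSSOProfileOptions, IDPSSODescriptor iDPSSODescriptor, SPSSODescriptor sPSSODescriptor) throws MetadataProviderException {
        String requestedBinding = webSSOProfileOptions.getBinding();
        for (SingleSignOnService candidate : iDPSSODescriptor.getSingleSignOnServices()) {
            if (!isEndpointSupported(candidate)) {
                continue;
            }
            if (requestedBinding == null) {
                return candidate;
            }
            if (isEndpointMatching(candidate, requestedBinding)) {
                this.log.debug("Found user specified binding {}", requestedBinding);
                return candidate;
            }
        }
        if (requestedBinding != null) {
            throw new MetadataProviderException("User specified binding " + requestedBinding + " is not supported by the IDP using profile " + getProfileIdentifier());
        }
        // requestedBinding is known to be null on this path, so it is left out of the message.
        throw new MetadataProviderException("No supported binding was found for profile " + getProfileIdentifier());
    }

    /**
     * Selects the SP AssertionConsumerService the IdP should return the response to.
     *
     * <p>Resolution order: the ACS with the index named in the options (must have a
     * supported binding); otherwise the SP's default ACS if its binding is
     * supported; otherwise the first ACS with a supported binding. All candidates
     * come from the SP's own metadata.
     *
     * @param webSSOProfileOptions options, possibly naming an ACS index
     * @param iDPSSODescriptor     peer IdP role metadata (unused here, kept for overriders)
     * @param sPSSODescriptor      local SP role metadata listing the ACS endpoints
     * @return the selected ACS endpoint
     * @throws MetadataProviderException if the named index is missing/unsupported or no usable ACS exists
     */
    public AssertionConsumerService getAssertionConsumerService(WebSSOProfileOptions webSSOProfileOptions, IDPSSODescriptor iDPSSODescriptor, SPSSODescriptor sPSSODescriptor) throws MetadataProviderException {
        List<AssertionConsumerService> consumerServices = sPSSODescriptor.getAssertionConsumerServices();
        Integer requestedIndex = webSSOProfileOptions.getAssertionConsumerIndex();

        if (requestedIndex != null) {
            for (AssertionConsumerService candidate : consumerServices) {
                if (!requestedIndex.equals(candidate.getIndex())) {
                    continue;
                }
                if (!isEndpointSupported(candidate)) {
                    throw new MetadataProviderException("Endpoint designated by the value in the WebSSOProfileOptions is not supported by this profile");
                }
                this.log.debug("Using consumer service determined by user preference with binding {}", candidate.getBinding());
                return candidate;
            }
            throw new MetadataProviderException("AssertionConsumerIndex " + requestedIndex + " not found for spDescriptor " + sPSSODescriptor);
        }

        AssertionConsumerService defaultService = sPSSODescriptor.getDefaultAssertionConsumerService();
        if (defaultService != null && isEndpointSupported(defaultService)) {
            this.log.debug("Using default consumer service with binding {}", defaultService.getBinding());
            return defaultService;
        }

        for (AssertionConsumerService candidate : consumerServices) {
            if (isEndpointSupported(candidate)) {
                this.log.debug("Using first available consumer service with binding {}", candidate.getBinding());
                return candidate;
            }
        }
        throw new MetadataProviderException("Service provider has no assertion consumer service available for the selected profile " + sPSSODescriptor);
    }

    /**
     * @param singleSignOnService IdP SSO endpoint
     * @return true if the endpoint uses HTTP-POST, HTTP-Artifact or HTTP-Redirect
     * @throws MetadataProviderException never thrown here; declared for overriders
     */
    protected boolean isEndpointSupported(SingleSignOnService singleSignOnService) throws MetadataProviderException {
        String binding = singleSignOnService.getBinding();
        return HTTP_POST_BINDING.equals(binding)
                || HTTP_ARTIFACT_BINDING.equals(binding)
                || HTTP_REDIRECT_BINDING.equals(binding);
    }

    /**
     * @param assertionConsumerService SP ACS endpoint
     * @return true if the endpoint uses HTTP-POST or HTTP-Artifact (HTTP-Redirect
     *         is not a valid response binding for this profile)
     * @throws MetadataProviderException never thrown here; declared for overriders
     */
    protected boolean isEndpointSupported(AssertionConsumerService assertionConsumerService) throws MetadataProviderException {
        String binding = assertionConsumerService.getBinding();
        // Short-circuit '||' rather than the bitwise '|' the original used; same result for pure operands.
        return HTTP_POST_BINDING.equals(binding) || HTTP_ARTIFACT_BINDING.equals(binding);
    }

    /**
     * Assembles the AuthnRequest. Common attributes (ID, issuer, destination, ...)
     * are delegated to the inherited {@code buildCommonAttributes}; the optional
     * Scoping, NameIDPolicy, RequestedAuthnContext and return-address parts are
     * added by the dedicated builders below, in that order.
     *
     * @param sAMLMessageContext       context supplying the local entity ID
     * @param webSSOProfileOptions     caller preferences
     * @param assertionConsumerService ACS the response should be sent to (may be null)
     * @param singleSignOnService      IdP endpoint the request is destined for
     * @return the populated, not yet signed, request
     * @throws SAMLException             propagated from the base builders
     * @throws MetadataProviderException propagated from the base builders
     */
    public AuthnRequest getAuthnRequest(SAMLMessageContext sAMLMessageContext, WebSSOProfileOptions webSSOProfileOptions, AssertionConsumerService assertionConsumerService, SingleSignOnService singleSignOnService) throws SAMLException, MetadataProviderException {
        AuthnRequest request = this.builderFactory.getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME).buildObject();
        request.setIsPassive(webSSOProfileOptions.getPassive());
        request.setForceAuthn(webSSOProfileOptions.getForceAuthN());
        request.setProviderName(webSSOProfileOptions.getProviderName());
        request.setVersion(SAMLVersion.VERSION_20);
        buildCommonAttributes(sAMLMessageContext.getLocalEntityId(), request, singleSignOnService);
        buildScoping(request, singleSignOnService, webSSOProfileOptions);
        builNameIDPolicy(request, webSSOProfileOptions);
        buildAuthnContext(request, webSSOProfileOptions);
        buildReturnAddress(request, assertionConsumerService);
        return request;
    }

    /**
     * Adds a NameIDPolicy when the options request a NameID format. The
     * SPNameQualifier comes from {@link #getSPNameQualifier()} (null by default).
     * (Method name keeps its historical spelling so existing overriders keep working.)
     *
     * @param authnRequest         request to extend
     * @param webSSOProfileOptions options holding the NameID format and allowCreate flag
     */
    protected void builNameIDPolicy(AuthnRequest authnRequest, WebSSOProfileOptions webSSOProfileOptions) {
        String nameIdFormat = webSSOProfileOptions.getNameID();
        if (nameIdFormat == null) {
            return;
        }
        NameIDPolicy policy = this.builderFactory.getBuilder(NameIDPolicy.DEFAULT_ELEMENT_NAME).buildObject();
        policy.setFormat(nameIdFormat);
        policy.setAllowCreate(webSSOProfileOptions.isAllowCreate());
        policy.setSPNameQualifier(getSPNameQualifier());
        authnRequest.setNameIDPolicy(policy);
    }

    /**
     * @return the SPNameQualifier to put into the NameIDPolicy; null (omitted) by default
     */
    protected String getSPNameQualifier() {
        return null;
    }

    /**
     * Adds a RequestedAuthnContext listing each class ref from the options,
     * with the comparison mode from the options. Nothing is added when no
     * contexts are configured.
     *
     * @param authnRequest         request to extend
     * @param webSSOProfileOptions options holding the context class refs and comparison
     */
    protected void buildAuthnContext(AuthnRequest authnRequest, WebSSOProfileOptions webSSOProfileOptions) {
        Collection<String> classRefs = webSSOProfileOptions.getAuthnContexts();
        if (classRefs == null || classRefs.isEmpty()) {
            return;
        }
        RequestedAuthnContext requested = this.builderFactory.getBuilder(RequestedAuthnContext.DEFAULT_ELEMENT_NAME).buildObject();
        requested.setComparison(webSSOProfileOptions.getAuthnContextComparison());
        for (String classRef : classRefs) {
            AuthnContextClassRef ref = this.builderFactory.getBuilder(AuthnContextClassRef.DEFAULT_ELEMENT_NAME).buildObject();
            ref.setAuthnContextClassRef(classRef);
            requested.getAuthnContextClassRefs().add(ref);
        }
        authnRequest.setRequestedAuthnContext(requested);
    }

    /**
     * Sets AssertionConsumerServiceURL and ProtocolBinding from the chosen SP
     * endpoint. The ResponseLocation is preferred over Location when present.
     * Both values originate from SP metadata, which is what lets the IdP validate
     * the return address against what it has registered.
     *
     * @param authnRequest             request to extend
     * @param assertionConsumerService selected ACS; when null nothing is set
     * @throws MetadataProviderException propagated from the inherited {@code getEndpointBinding}
     */
    protected void buildReturnAddress(AuthnRequest authnRequest, AssertionConsumerService assertionConsumerService) throws MetadataProviderException {
        if (assertionConsumerService == null) {
            return;
        }
        String responseLocation = assertionConsumerService.getResponseLocation();
        String returnUrl = responseLocation != null ? responseLocation : assertionConsumerService.getLocation();
        authnRequest.setAssertionConsumerServiceURL(returnUrl);
        authnRequest.setProtocolBinding(getEndpointBinding(assertionConsumerService));
    }

    /**
     * Adds a Scoping element (IDPList, ProxyCount, RequesterIDs) when the options
     * enable it. An unset or false includeScoping flag leaves the request untouched.
     *
     * @param authnRequest         request to extend
     * @param singleSignOnService  IdP endpoint whose location is recorded on each IDPEntry
     * @param webSSOProfileOptions options holding allowed IdPs, proxy count and requester IDs
     */
    protected void buildScoping(AuthnRequest authnRequest, SingleSignOnService singleSignOnService, WebSSOProfileOptions webSSOProfileOptions) {
        if (!Boolean.TRUE.equals(webSSOProfileOptions.isIncludeScoping())) {
            return;
        }
        Scoping scoping = this.builderFactory.getBuilder(Scoping.DEFAULT_ELEMENT_NAME).buildObject();
        scoping.setIDPList(buildIDPList(webSSOProfileOptions.getAllowedIDPs(), singleSignOnService));
        scoping.setProxyCount(webSSOProfileOptions.getProxyCount());
        if (!CollectionUtils.isEmpty(webSSOProfileOptions.getRequesterIds())) {
            RequesterIDBuilder requesterIdBuilder = new RequesterIDBuilder();
            for (String requesterId : webSSOProfileOptions.getRequesterIds()) {
                RequesterID entry = requesterIdBuilder.buildObject();
                entry.setRequesterID(requesterId);
                scoping.getRequesterIDs().add(entry);
            }
        }
        authnRequest.setScoping(scoping);
    }

    /**
     * Builds the IDPList for Scoping: one IDPEntry per allowed provider ID. When an
     * SSO endpoint is given, its Location is set as the Loc of every entry
     * (the same URL for all of them, as in the original implementation).
     *
     * @param set                 allowed IdP entity IDs; null yields a null list
     * @param singleSignOnService endpoint whose location is copied to each entry, may be null
     * @return the populated IDPList, or null when {@code set} is null
     */
    public IDPList buildIDPList(Set<String> set, SingleSignOnService singleSignOnService) {
        if (set == null) {
            return null;
        }
        SAMLObjectBuilder entryBuilder = this.builderFactory.getBuilder(IDPEntry.DEFAULT_ELEMENT_NAME);
        IDPList idpList = this.builderFactory.getBuilder(IDPList.DEFAULT_ELEMENT_NAME).buildObject();
        for (String providerId : set) {
            IDPEntry entry = entryBuilder.buildObject();
            entry.setProviderID(providerId);
            if (singleSignOnService != null) {
                entry.setLoc(singleSignOnService.getLocation());
            }
            idpList.getIDPEntrys().add(entry);
        }
        return idpList;
    }
}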
