package org.springframework.security.saml2.provider.service.web;

import jakarta.servlet.http.HttpServletRequest;
import org.springframework.http.HttpMethod;
import org.springframework.security.saml2.core.OpenSamlInitializationService;
import org.springframework.security.saml2.core.Saml2Error;
import org.springframework.security.saml2.core.Saml2ErrorCodes;
import org.springframework.security.saml2.core.Saml2ParameterNames;
import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationPlaceholderResolvers;
import org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.web.authentication.AuthenticationConverter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;

/* loaded from: input_file:org/springframework/security/saml2/provider/service/web/BaseOpenSamlAuthenticationTokenConverter.class */
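/**
 * Turns a request carrying a {@link Saml2ParameterNames#SAML_RESPONSE} parameter into a
 * {@link Saml2AuthenticationToken}.
 *
 * <p>The relying-party registration is selected in three steps, stopping at the first hit:
 * the authentication request stored for this browser session, the {@code registrationId}
 * variable extracted by the request matcher, and finally the Issuer of the deserialized
 * response.
 *
 * <p>Nothing in this class verifies the response. The decoded payload and every value read
 * from it are attacker-controlled at this point; the token only transports them.
 * NOTE(review): signature, issuer and condition checks are presumably performed by the
 * component that authenticates the token - confirm, it is not visible in this file.
 */
final class BaseOpenSamlAuthenticationTokenConverter implements AuthenticationConverter {
    private final OpenSamlOperations saml;
    private final RelyingPartyRegistrationRepository registrations;
    // Default endpoints: the filter's processing URI plus the bare "/login/saml2/sso" path.
    // tokenByRegistrationId reads a "registrationId" variable from the match result, so the
    // first pattern is presumably the one that declares it - confirm against the filter constant.
    private RequestMatcher requestMatcher = new OrRequestMatcher(new AntPathRequestMatcher(Saml2WebSsoAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI), new AntPathRequestMatcher("/login/saml2/sso"));
    private Saml2AuthenticationRequestRepository<?> authenticationRequests = new HttpSessionSaml2AuthenticationRequestRepository();

    /**
     * Creates a converter backed by the given registrations and OpenSAML operations.
     *
     * <p>Decompiler note: the constructor was package-private in the compiled class.
     *
     * @param relyingPartyRegistrationRepository source of relying-party registrations; never null
     * @param openSamlOperations used to deserialize the response for the Issuer lookup; never null
     */
    public BaseOpenSamlAuthenticationTokenConverter(RelyingPartyRegistrationRepository relyingPartyRegistrationRepository, OpenSamlOperations openSamlOperations) {
        Assert.notNull(relyingPartyRegistrationRepository, "relyingPartyRegistrationRepository cannot be null");
        // Fail at wiring time: a null here would otherwise surface as a NullPointerException
        // only when a request reaches the Issuer-based lookup.
        Assert.notNull(openSamlOperations, "openSamlOperations cannot be null");
        this.registrations = relyingPartyRegistrationRepository;
        this.saml = openSamlOperations;
    }

    /**
     * Builds the token for a SAML response request.
     *
     * <p>Decompiler note: renamed from {@code convert} (merged with its bridge method); the
     * name is kept here exactly as the decompiler emitted it.
     *
     * @param httpServletRequest the incoming request
     * @return the token, or {@code null} when the request has no SAML response parameter, does
     * not match the configured request matcher, or no registration could be found
     * @throws Saml2AuthenticationException if the response cannot be decoded or carries no Issuer
     * when the Issuer is needed to select a registration
     */
    public Saml2AuthenticationToken m55convert(HttpServletRequest httpServletRequest) {
        if (httpServletRequest.getParameter(Saml2ParameterNames.SAML_RESPONSE) == null) {
            return null;
        }
        RequestMatcher.MatchResult matcher = this.requestMatcher.matcher(httpServletRequest);
        if (!matcher.isMatch()) {
            return null;
        }
        // Lookup order matters: a stored authentication request wins over the registrationId
        // in the URL, and the Issuer inside the response is only consulted last.
        Saml2AuthenticationToken saml2AuthenticationToken = tokenByAuthenticationRequest(httpServletRequest);
        if (saml2AuthenticationToken == null) {
            saml2AuthenticationToken = tokenByRegistrationId(httpServletRequest, matcher);
        }
        if (saml2AuthenticationToken == null) {
            saml2AuthenticationToken = tokenByEntityId(httpServletRequest);
        }
        return saml2AuthenticationToken;
    }

    /**
     * Selects the registration named by the authentication request stored for this request,
     * and attaches that stored request to the token.
     *
     * @return the token, or {@code null} when no request is stored or its registration is unknown
     */
    private Saml2AuthenticationToken tokenByAuthenticationRequest(HttpServletRequest httpServletRequest) {
        AbstractSaml2AuthenticationRequest loadAuthenticationRequest = this.authenticationRequests.loadAuthenticationRequest(httpServletRequest);
        if (loadAuthenticationRequest == null) {
            return null;
        }
        return tokenByRegistration(httpServletRequest, this.registrations.findByRegistrationId(loadAuthenticationRequest.getRelyingPartyRegistrationId()), loadAuthenticationRequest);
    }

    /**
     * Selects the registration named by the {@code registrationId} variable of the match result.
     *
     * @return the token, or {@code null} when the variable is absent or names no registration
     */
    private Saml2AuthenticationToken tokenByRegistrationId(HttpServletRequest httpServletRequest, RequestMatcher.MatchResult matchResult) {
        String str = (String) matchResult.getVariables().get("registrationId");
        if (str == null) {
            return null;
        }
        return tokenByRegistration(httpServletRequest, this.registrations.findByRegistrationId(str), null);
    }

    /**
     * Selects the registration whose asserting party entity id equals the response's Issuer.
     *
     * <p>The Issuer is read from a response that nothing has verified yet, so it serves only as
     * a lookup key and must not be treated as proof of who sent the response.
     *
     * @return the token, or {@code null} when no unique registration matches the Issuer
     * @throws Saml2AuthenticationException if the response cannot be decoded or has no Issuer value
     */
    private Saml2AuthenticationToken tokenByEntityId(HttpServletRequest httpServletRequest) {
        var issuer = this.saml.deserialize(decode(httpServletRequest)).getIssuer();
        String entityId = (issuer != null) ? issuer.getValue() : null;
        if (entityId == null) {
            // A response without an Issuer is unauthenticated input that previously ended in a
            // NullPointerException; reject it the same way decode() rejects an unreadable response.
            throw new Saml2AuthenticationException(new Saml2Error(Saml2ErrorCodes.INVALID_RESPONSE, "SAML response does not contain an Issuer, so no relying party registration can be selected"));
        }
        return tokenByRegistration(httpServletRequest, this.registrations.findUniqueByAssertingPartyEntityId(entityId), null);
    }

    /**
     * Builds the token for an already selected registration.
     *
     * <p>The registration's entity id and assertion consumer service location are passed
     * through the request-based URI resolver before the token is created, so the token carries
     * a mutated copy of the registration rather than the repository's instance.
     *
     * @param relyingPartyRegistration the selected registration, may be {@code null}
     * @param abstractSaml2AuthenticationRequest the stored authentication request, may be {@code null}
     * @return the token, or {@code null} when {@code relyingPartyRegistration} is {@code null}
     */
    private Saml2AuthenticationToken tokenByRegistration(HttpServletRequest httpServletRequest, RelyingPartyRegistration relyingPartyRegistration, AbstractSaml2AuthenticationRequest abstractSaml2AuthenticationRequest) {
        if (relyingPartyRegistration == null) {
            return null;
        }
        String decode = decode(httpServletRequest);
        RelyingPartyRegistrationPlaceholderResolvers.UriResolver uriResolver = RelyingPartyRegistrationPlaceholderResolvers.uriResolver(httpServletRequest, relyingPartyRegistration);
        return new Saml2AuthenticationToken(relyingPartyRegistration.mutate().entityId(uriResolver.resolve(relyingPartyRegistration.getEntityId())).assertionConsumerServiceLocation(uriResolver.resolve(relyingPartyRegistration.getAssertionConsumerServiceLocation())).build(), decode, abstractSaml2AuthenticationRequest);
    }

    /**
     * Replaces the repository from which stored authentication requests are loaded.
     *
     * <p>Decompiler note: the method was package-private in the compiled class.
     *
     * @param saml2AuthenticationRequestRepository the repository to use; never null
     */
    public void setAuthenticationRequestRepository(Saml2AuthenticationRequestRepository<AbstractSaml2AuthenticationRequest> saml2AuthenticationRequestRepository) {
        Assert.notNull(saml2AuthenticationRequestRepository, "authenticationRequestRepository cannot be null");
        this.authenticationRequests = saml2AuthenticationRequestRepository;
    }

    /**
     * Replaces the matcher that decides which requests this converter handles.
     *
     * <p>Decompiler note: the method was package-private in the compiled class.
     *
     * @param requestMatcher the matcher to use; never null
     */
    public void setRequestMatcher(RequestMatcher requestMatcher) {
        Assert.notNull(requestMatcher, "requestMatcher cannot be null");
        this.requestMatcher = requestMatcher;
    }

    /**
     * Decodes the SAML response parameter: strict Base64, inflated only for GET requests.
     *
     * @return the decoded response
     * @throws Saml2AuthenticationException with {@link Saml2ErrorCodes#INVALID_RESPONSE} if
     * decoding fails for any reason
     */
    private String decode(HttpServletRequest httpServletRequest) {
        try {
            return Saml2Utils.withEncoded(httpServletRequest.getParameter(Saml2ParameterNames.SAML_RESPONSE)).requireBase64(true).inflate(HttpMethod.GET.matches(httpServletRequest.getMethod())).decode();
        } catch (Exception e) {
            // NOTE(review): the error description is the underlying exception's message; confirm
            // where Saml2Error descriptions end up (client-facing page vs. server log only).
            throw new Saml2AuthenticationException(new Saml2Error(Saml2ErrorCodes.INVALID_RESPONSE, e.getMessage()), e);
        }
    }

    // Runs the OpenSAML initialization service once, when this class is loaded.
    static {
        OpenSamlInitializationService.initialize();
    }
}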
