package org.springframework.security.saml2.provider.service.web.authentication;

import jakarta.servlet.http.HttpServletRequest;
import java.time.Clock;
import java.time.Instant;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import java.util.function.Consumer;
import org.jgroups.protocols.INJECT_VIEW;
import org.opensaml.core.config.ConfigurationService;
import org.opensaml.core.xml.config.XMLObjectProviderRegistry;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.NameIDPolicy;
import org.opensaml.saml.saml2.core.impl.AuthnRequestBuilder;
import org.opensaml.saml.saml2.core.impl.AuthnRequestMarshaller;
import org.opensaml.saml.saml2.core.impl.IssuerBuilder;
import org.opensaml.saml.saml2.core.impl.NameIDBuilder;
import org.opensaml.saml.saml2.core.impl.NameIDPolicyBuilder;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.oauth2.client.web.server.DefaultServerOAuth2AuthorizationRequestResolver;
import org.springframework.security.saml2.core.OpenSamlInitializationService;
import org.springframework.security.saml2.core.Saml2ParameterNames;
import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
import org.springframework.security.saml2.provider.service.authentication.Saml2PostAuthenticationRequest;
import org.springframework.security.saml2.provider.service.authentication.Saml2RedirectAuthenticationRequest;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationPlaceholderResolvers;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.ParameterRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatchers;
import org.springframework.util.Assert;

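/**
 * Builds the SAML 2.0 {@code <AuthnRequest>} that starts an SP-initiated login.
 * <p>
 * A request is handled when it matches {@code /saml2/authenticate/{registrationId}}
 * or {@code /saml2/authenticate?registrationId=...}; the matched registration id is
 * handed to the {@link RelyingPartyRegistrationResolver}. The resulting XML is then
 * either base64-encoded (POST binding, signed inside the XML when required) or
 * deflated and base64-encoded (Redirect binding, signed as query parameters when
 * required) and wrapped in the matching {@link AbstractSaml2AuthenticationRequest}.
 * <p>
 * Security-relevant defaults, all overridable through the package-private setters:
 * <ul>
 * <li>the request {@code ID} is {@code "ARQ" + random UUID}, so it is unguessable and
 * starts with a letter as an XML {@code xs:ID} requires; callers that correlate the
 * IdP's {@code InResponseTo} are expected to persist it via the returned request;</li>
 * <li>{@code RelayState} is a fresh random UUID that ignores the incoming request, so
 * nothing attacker-controlled is reflected into it;</li>
 * <li>the request is signed only if the asserting party's metadata asks for signed
 * requests or this relying party is configured to always sign.</li>
 * </ul>
 * <p>
 * This listing was recovered from the decompiled spring-security-saml2-service-provider
 * 6.5.0 jar; the decompiler's inlined constants (a JGroups separator and an OAuth2
 * variable name, both spurious cross-module references) have been replaced by the
 * literal values they stand for, and the dropped {@code (T)} casts restored.
 */
public class BaseOpenSamlAuthenticationRequestResolver implements Saml2AuthenticationRequestResolver {

    /** Name of the path/query variable carrying the relying party registration id. */
    private static final String REGISTRATION_ID_VARIABLE = "registrationId";

    /** Separator between a query parameter name and its expected value in matcher specs. */
    private static final String PARAM_VALUE_SEPARATOR = "=";

    /** Prefix that guarantees the generated ID begins with a letter (xs:ID may not start with a digit). */
    private static final String ID_PREFIX = "ARQ";

    private final OpenSamlOperations saml;
    private final RelyingPartyRegistrationResolver relyingPartyRegistrationResolver;
    private final AuthnRequestBuilder authnRequestBuilder;
    private final AuthnRequestMarshaller marshaller;
    private final IssuerBuilder issuerBuilder;
    private final NameIDBuilder nameIdBuilder;
    private final NameIDPolicyBuilder nameIdPolicyBuilder;

    private RequestMatcher requestMatcher = RequestMatchers.anyOf(
            PathPatternRequestMatcher.withDefaults().matcher(Saml2AuthenticationRequestResolver.DEFAULT_AUTHENTICATION_REQUEST_URI),
            new PathPatternQueryRequestMatcher("/saml2/authenticate", REGISTRATION_ID_VARIABLE + "={" + REGISTRATION_ID_VARIABLE + "}"));

    private Clock clock = Clock.systemUTC();

    // The JDK documents randomUUID() as backed by a cryptographically strong PRNG, so the
    // default RelayState is unguessable and independent of the incoming request.
    private Converter<HttpServletRequest, String> relayStateResolver = (request) -> UUID.randomUUID().toString();

    private Consumer<AuthnRequestParameters> parametersConsumer = (parameters) -> {
    };

    static {
        // OpenSAML must be bootstrapped before any builder/marshaller lookup in the constructor.
        OpenSamlInitializationService.initialize();
    }

    /**
     * Everything a {@link #setParametersConsumer(Consumer) parameters consumer} may
     * inspect or mutate before the request is signed and encoded.
     */
    public static final class AuthnRequestParameters {

        private final HttpServletRequest request;
        private final RelyingPartyRegistration registration;
        private final AuthnRequest authnRequest;

        AuthnRequestParameters(HttpServletRequest request, RelyingPartyRegistration registration, AuthnRequest authnRequest) {
            this.request = request;
            this.registration = registration;
            this.authnRequest = authnRequest;
        }

        /** @return the servlet request that triggered this authentication request */
        public HttpServletRequest getRequest() {
            return this.request;
        }

        /** @return the relying party registration the request is being built for */
        public RelyingPartyRegistration getRelyingPartyRegistration() {
            return this.registration;
        }

        /**
         * @return the mutable, not-yet-signed {@code AuthnRequest}; setting its ID here
         * suppresses the default random ID
         */
        public AuthnRequest getAuthnRequest() {
            return this.authnRequest;
        }

    }

    /**
     * Matches a path pattern AND a set of query parameters, each given as
     * {@code name} (present with any value) or {@code name=value}; a value of the form
     * {@code {var}} is delegated to {@link ParameterRequestMatcher} as a placeholder.
     */
    private static final class PathPatternQueryRequestMatcher implements RequestMatcher {

        private final RequestMatcher delegate;

        PathPatternQueryRequestMatcher(String pattern, String... params) {
            List<RequestMatcher> matchers = new ArrayList<>();
            matchers.add(PathPatternRequestMatcher.withDefaults().matcher(pattern));
            for (String param : params) {
                String[] parts = param.split(PARAM_VALUE_SEPARATOR);
                if (parts.length == 1) {
                    matchers.add(new ParameterRequestMatcher(parts[0]));
                }
                else {
                    matchers.add(new ParameterRequestMatcher(parts[0], parts[1]));
                }
            }
            this.delegate = new AndRequestMatcher(matchers);
        }

        @Override
        public boolean matches(HttpServletRequest request) {
            return matcher(request).isMatch();
        }

        @Override
        public RequestMatcher.MatchResult matcher(HttpServletRequest request) {
            return this.delegate.matcher(request);
        }

    }

    /**
     * @param relyingPartyRegistrationResolver looks up the registration for the matched id
     * @param openSamlOperations serializes and signs OpenSAML objects
     * @throws IllegalArgumentException if either argument is null or OpenSAML is missing a
     * builder/marshaller for the SAML core types used here
     */
    public BaseOpenSamlAuthenticationRequestResolver(RelyingPartyRegistrationResolver relyingPartyRegistrationResolver, OpenSamlOperations openSamlOperations) {
        Assert.notNull(relyingPartyRegistrationResolver, "relyingPartyRegistrationResolver cannot be null");
        Assert.notNull(openSamlOperations, "openSamlOperations cannot be null");
        this.saml = openSamlOperations;
        this.relyingPartyRegistrationResolver = relyingPartyRegistrationResolver;
        XMLObjectProviderRegistry registry = ConfigurationService.get(XMLObjectProviderRegistry.class);
        this.marshaller = (AuthnRequestMarshaller) registry.getMarshallerFactory().getMarshaller(AuthnRequest.DEFAULT_ELEMENT_NAME);
        Assert.notNull(this.marshaller, "authnRequestMarshaller must be configured in OpenSAML");
        this.authnRequestBuilder = (AuthnRequestBuilder) XMLObjectProviderRegistrySupport.getBuilderFactory().getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME);
        Assert.notNull(this.authnRequestBuilder, "authnRequestBuilder must be configured in OpenSAML");
        this.issuerBuilder = (IssuerBuilder) registry.getBuilderFactory().getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
        Assert.notNull(this.issuerBuilder, "issuerBuilder must be configured in OpenSAML");
        this.nameIdBuilder = (NameIDBuilder) registry.getBuilderFactory().getBuilder(NameID.DEFAULT_ELEMENT_NAME);
        Assert.notNull(this.nameIdBuilder, "nameIdBuilder must be configured in OpenSAML");
        this.nameIdPolicyBuilder = (NameIDPolicyBuilder) registry.getBuilderFactory().getBuilder(NameIDPolicy.DEFAULT_ELEMENT_NAME);
        Assert.notNull(this.nameIdPolicyBuilder, "nameIdPolicyBuilder must be configured in OpenSAML");
    }

    /**
     * Clock used for {@code IssueInstant}; inject a fixed clock in tests.
     * @throws IllegalArgumentException if null (the original NPE'd on the first request instead)
     */
    public void setClock(Clock clock) {
        Assert.notNull(clock, "clock cannot be null");
        this.clock = clock;
    }

    /**
     * Strategy for the {@code RelayState} sent alongside the request. A null result is
     * allowed and simply omits RelayState. The IdP echoes this value back verbatim, so a
     * custom resolver that derives it from request parameters (e.g. a return URL) must
     * validate that input; nothing here does so.
     * @throws IllegalArgumentException if null
     */
    public void setRelayStateResolver(Converter<HttpServletRequest, String> relayStateResolver) {
        Assert.notNull(relayStateResolver, "relayStateResolver cannot be null");
        this.relayStateResolver = relayStateResolver;
    }

    /**
     * Request matcher that decides which requests produce an AuthnRequest; its
     * {@code registrationId} match variable, when present, selects the registration.
     * @throws IllegalArgumentException if null
     */
    public void setRequestMatcher(RequestMatcher requestMatcher) {
        Assert.notNull(requestMatcher, "requestMatcher cannot be null");
        this.requestMatcher = requestMatcher;
    }

    /**
     * Hook invoked with the fully populated but unsigned {@code AuthnRequest}; runs
     * before the default ID is assigned so it may supply its own.
     * @throws IllegalArgumentException if null
     */
    public void setParametersConsumer(Consumer<AuthnRequestParameters> parametersConsumer) {
        Assert.notNull(parametersConsumer, "parametersConsumer cannot be null");
        this.parametersConsumer = parametersConsumer;
    }

    /**
     * Resolves {@code request} into a POST or Redirect authentication request.
     * @return the encoded (and, when required, signed) request, or {@code null} when the
     * request does not match or no {@link RelyingPartyRegistration} is found
     */
    @Override
    @SuppressWarnings("unchecked") // the binding-specific subtype is what T resolves to for every caller
    public <T extends AbstractSaml2AuthenticationRequest> T resolve(HttpServletRequest request) {
        RequestMatcher.MatchResult match = this.requestMatcher.matcher(request);
        if (!match.isMatch()) {
            return null;
        }
        String registrationId = match.getVariables().get(REGISTRATION_ID_VARIABLE);
        RelyingPartyRegistration registration = this.relyingPartyRegistrationResolver.resolve(request, registrationId);
        if (registration == null) {
            return null;
        }
        AuthnRequest authnRequest = buildAuthnRequest(request, registration);
        String relayState = this.relayStateResolver.convert(request);
        if (registration.getAssertingPartyMetadata().getSingleSignOnServiceBinding() == Saml2MessageBinding.POST) {
            return (T) postRequest(registration, authnRequest, relayState);
        }
        return (T) redirectRequest(registration, authnRequest, relayState);
    }

    /**
     * Populates the {@code AuthnRequest} fields, runs the parameters consumer and
     * assigns a random ID if the consumer did not set one. Signing happens later,
     * per binding, so the consumer's changes are covered by the signature.
     */
    private AuthnRequest buildAuthnRequest(HttpServletRequest request, RelyingPartyRegistration registration) {
        // Our entity id and ACS location are templates; resolve their placeholders against this request.
        RelyingPartyRegistrationPlaceholderResolvers.UriResolver uriResolver = RelyingPartyRegistrationPlaceholderResolvers.uriResolver(request, registration);
        String issuerValue = uriResolver.resolve(registration.getEntityId());
        String acsLocation = uriResolver.resolve(registration.getAssertionConsumerServiceLocation());
        AuthnRequest authnRequest = this.authnRequestBuilder.buildObject();
        authnRequest.setForceAuthn(Boolean.FALSE);
        authnRequest.setIsPassive(Boolean.FALSE);
        authnRequest.setProtocolBinding(registration.getAssertionConsumerServiceBinding().getUrn());
        Issuer issuer = this.issuerBuilder.buildObject();
        issuer.setValue(issuerValue);
        authnRequest.setIssuer(issuer);
        // Destination comes from the asserting party's metadata, never from the incoming request.
        authnRequest.setDestination(registration.getAssertingPartyMetadata().getSingleSignOnServiceLocation());
        authnRequest.setAssertionConsumerServiceURL(acsLocation);
        String nameIdFormat = registration.getNameIdFormat();
        if (nameIdFormat != null) {
            NameIDPolicy nameIdPolicy = this.nameIdPolicyBuilder.buildObject();
            nameIdPolicy.setFormat(nameIdFormat);
            authnRequest.setNameIDPolicy(nameIdPolicy);
        }
        authnRequest.setIssueInstant(Instant.now(this.clock));
        this.parametersConsumer.accept(new AuthnRequestParameters(request, registration, authnRequest));
        if (authnRequest.getID() == null) {
            authnRequest.setID(generateId());
        }
        return authnRequest;
    }

    /**
     * Default request ID: a letter prefix (xs:ID is an NCName and may not begin with a
     * digit) followed by a random UUID minus its first character, as the original did.
     */
    private static String generateId() {
        return ID_PREFIX + UUID.randomUUID().toString().substring(1);
    }

    /**
     * POST binding: when signing is required the OpenSAML object itself is signed, then
     * the XML is serialized and base64-encoded without deflation.
     */
    private Saml2PostAuthenticationRequest postRequest(RelyingPartyRegistration registration, AuthnRequest authnRequest, String relayState) {
        if (shouldSign(registration)) {
            this.saml.withSigningKeys(registration.getSigningX509Credentials())
                    .algorithms(registration.getAssertingPartyMetadata().getSigningAlgorithms())
                    .sign(authnRequest);
        }
        String samlRequest = Saml2Utils.withDecoded(serialize(authnRequest)).encode();
        return Saml2PostAuthenticationRequest.withRelyingPartyRegistration(registration)
                .samlRequest(samlRequest)
                .relayState(relayState)
                .id(authnRequest.getID())
                .build();
    }

    /**
     * Redirect binding: the XML is deflated and base64-encoded first; when signing is
     * required the signature covers the encoded {@code SAMLRequest} and, only if
     * present, {@code RelayState} (the {@code SigAlg} handling is inside
     * {@link OpenSamlOperations}), exactly as they will appear in the query string.
     */
    private Saml2RedirectAuthenticationRequest redirectRequest(RelyingPartyRegistration registration, AuthnRequest authnRequest, String relayState) {
        String samlRequest = Saml2Utils.withDecoded(serialize(authnRequest)).deflate(true).encode();
        Saml2RedirectAuthenticationRequest.Builder builder = Saml2RedirectAuthenticationRequest.withRelyingPartyRegistration(registration)
                .samlRequest(samlRequest)
                .relayState(relayState)
                .id(authnRequest.getID());
        if (shouldSign(registration)) {
            Map<String, String> toSign = new HashMap<>();
            toSign.put(Saml2ParameterNames.SAML_REQUEST, samlRequest);
            if (relayState != null) {
                toSign.put(Saml2ParameterNames.RELAY_STATE, relayState);
            }
            Map<String, String> signed = this.saml.withSigningKeys(registration.getSigningX509Credentials())
                    .algorithms(registration.getAssertingPartyMetadata().getSigningAlgorithms())
                    .sign(toSign);
            builder.sigAlg(signed.get(Saml2ParameterNames.SIG_ALG)).signature(signed.get(Saml2ParameterNames.SIGNATURE));
        }
        return builder.build();
    }

    /**
     * Sign when the asserting party's metadata requires signed requests or this relying
     * party is configured to always sign. What happens if signing is required but
     * {@code getSigningX509Credentials()} is empty is decided inside
     * {@link OpenSamlOperations}, not here.
     */
    private static boolean shouldSign(RelyingPartyRegistration registration) {
        return registration.getAssertingPartyMetadata().getWantAuthnRequestsSigned() || registration.isAuthnRequestsSigned();
    }

    private String serialize(AuthnRequest authnRequest) {
        return this.saml.serialize(authnRequest).serialize();
    }

}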
