package org.springframework.security.saml2.provider.service.authentication;

import java.nio.charset.StandardCharsets;
import java.time.Clock;
import java.util.Map;
import java.util.UUID;
import org.joda.time.DateTime;
import org.opensaml.core.config.ConfigurationService;
import org.opensaml.core.xml.config.XMLObjectProviderRegistry;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.impl.AuthnRequestBuilder;
import org.opensaml.saml.saml2.core.impl.IssuerBuilder;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.saml2.core.OpenSamlInitializationService;
import org.springframework.security.saml2.core.Saml2ParameterNames;
import org.springframework.security.saml2.provider.service.authentication.OpenSamlSigningUtils;
import org.springframework.security.saml2.provider.service.authentication.Saml2RedirectAuthenticationRequest;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

/* loaded from: input_file:WEB-INF/lib/spring-security-saml2-service-provider-5.6.6.jar:org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationRequestFactory.class */
/**
 * Builds SAML 2.0 {@code <AuthnRequest>} messages with OpenSAML and wraps them in the
 * binding-specific request types.
 *
 * <p>Signing policy as implemented here: the deprecated {@link #createAuthenticationRequest}
 * always signs the XML, while {@link #createPostAuthenticationRequest} and
 * {@link #createRedirectAuthenticationRequest} sign only when the asserting party's metadata
 * sets {@code WantAuthnRequestsSigned}. For the Redirect binding the signature is carried in
 * the {@code SigAlg}/{@code Signature} query parameters rather than inside the XML.
 *
 * <p>The OpenSAML builders are looked up once in the constructor; the static initializer
 * bootstraps OpenSAML beforehand.
 */
public class OpenSamlAuthenticationRequestFactory implements Saml2AuthenticationRequestFactory {

    static {
        // OpenSAML must be bootstrapped before any builder can be resolved from the registry.
        OpenSamlInitializationService.initialize();
    }

    private final AuthnRequestBuilder authnRequestBuilder;

    private final IssuerBuilder issuerBuilder;

    // Source of IssueInstant; replaceable through setClock for deterministic tests.
    private Clock clock = Clock.systemUTC();

    // Binding placed into <AuthnRequest ProtocolBinding="...">. Defaults to the registration's
    // ACS binding; a null context (only passed by the deprecated path) yields POST.
    private Converter<Saml2AuthenticationRequestContext, Saml2MessageBinding> protocolBindingResolver = context -> {
        if (context == null) {
            return Saml2MessageBinding.POST;
        }
        return context.getRelyingPartyRegistration().getAssertionConsumerServiceBinding();
    };

    // Turns a context into the OpenSAML AuthnRequest; overridable via the setter.
    private Converter<Saml2AuthenticationRequestContext, AuthnRequest> authenticationRequestContextConverter = this::createAuthnRequest;

    /**
     * Resolves the {@code AuthnRequest} and {@code Issuer} builders from the OpenSAML
     * XML object provider registry.
     */
    public OpenSamlAuthenticationRequestFactory() {
        XMLObjectProviderRegistry registry = (XMLObjectProviderRegistry) ConfigurationService.get(XMLObjectProviderRegistry.class);
        this.authnRequestBuilder = (AuthnRequestBuilder) registry.getBuilderFactory().getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME);
        this.issuerBuilder = (IssuerBuilder) registry.getBuilderFactory().getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
    }

    /**
     * Creates and signs an {@code AuthnRequest} from the legacy request object.
     *
     * <p>A throw-away {@link RelyingPartyRegistration} is assembled from the request's issuer,
     * ACS URL and credentials (with placeholder IdP values), the request is converted and then
     * unconditionally signed with the request's credentials.
     *
     * @param saml2AuthenticationRequest the legacy request description
     * @return the signed request serialized to XML
     * @deprecated use the binding-specific factory methods
     */
    @Override // org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestFactory
    @Deprecated
    public String createAuthenticationRequest(Saml2AuthenticationRequest saml2AuthenticationRequest) {
        String issuer = saml2AuthenticationRequest.getIssuer();
        String acsUrl = saml2AuthenticationRequest.getAssertionConsumerServiceUrl();
        Saml2MessageBinding binding = this.protocolBindingResolver.convert(null);
        RelyingPartyRegistration registration = RelyingPartyRegistration.withRegistrationId("noId")
                .assertionConsumerServiceBinding(binding)
                .assertionConsumerServiceLocation(acsUrl)
                .entityId(issuer)
                .remoteIdpEntityId("noIssuer")
                .idpWebSsoUrl("noUrl")
                .credentials(credentials -> credentials.addAll(saml2AuthenticationRequest.getCredentials()))
                .build();
        Saml2AuthenticationRequestContext context = Saml2AuthenticationRequestContext.builder()
                .relyingPartyRegistration(registration)
                .issuer(issuer)
                .assertionConsumerServiceUrl(acsUrl)
                .build();
        AuthnRequest authnRequest = this.authenticationRequestContextConverter.convert(context);
        // Always signed on this path, regardless of the asserting party's WantAuthnRequestsSigned.
        return OpenSamlSigningUtils.serialize(OpenSamlSigningUtils.sign(authnRequest, registration));
    }

    /**
     * Creates an {@code AuthnRequest} for the HTTP-POST binding.
     *
     * <p>The XML is signed (enveloped signature) only when the asserting party's metadata sets
     * {@code WantAuthnRequestsSigned}; it is then serialized and base64-encoded.
     *
     * @param saml2AuthenticationRequestContext the request context
     * @return the POST request carrying the encoded {@code SAMLRequest}
     */
    @Override // org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestFactory
    public Saml2PostAuthenticationRequest createPostAuthenticationRequest(Saml2AuthenticationRequestContext saml2AuthenticationRequestContext) {
        AuthnRequest authnRequest = this.authenticationRequestContextConverter.convert(saml2AuthenticationRequestContext);
        RelyingPartyRegistration registration = saml2AuthenticationRequestContext.getRelyingPartyRegistration();
        if (registration.getAssertingPartyDetails().getWantAuthnRequestsSigned()) {
            OpenSamlSigningUtils.sign(authnRequest, registration);
        }
        String xml = OpenSamlSigningUtils.serialize(authnRequest);
        String encoded = Saml2Utils.samlEncode(xml.getBytes(StandardCharsets.UTF_8));
        return Saml2PostAuthenticationRequest.withAuthenticationRequestContext(saml2AuthenticationRequestContext)
                .samlRequest(encoded)
                .build();
    }

    /**
     * Creates an {@code AuthnRequest} for the HTTP-Redirect binding.
     *
     * <p>The XML is deflated and base64-encoded. When the asserting party's metadata sets
     * {@code WantAuthnRequestsSigned}, a query-string signature is computed by
     * {@link OpenSamlSigningUtils} over the {@code SAMLRequest} and, if present, the
     * {@code RelayState} parameter, and the resulting {@code SigAlg} and {@code Signature}
     * values are attached to the request; otherwise both are left unset.
     *
     * @param saml2AuthenticationRequestContext the request context
     * @return the redirect request with {@code SAMLRequest}, {@code RelayState} and, when
     * signed, {@code SigAlg}/{@code Signature}
     */
    @Override // org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestFactory
    public Saml2RedirectAuthenticationRequest createRedirectAuthenticationRequest(Saml2AuthenticationRequestContext saml2AuthenticationRequestContext) {
        AuthnRequest authnRequest = this.authenticationRequestContextConverter.convert(saml2AuthenticationRequestContext);
        RelyingPartyRegistration registration = saml2AuthenticationRequestContext.getRelyingPartyRegistration();
        String relayState = saml2AuthenticationRequestContext.getRelayState();
        String xml = OpenSamlSigningUtils.serialize(authnRequest);
        String encoded = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(xml));
        Saml2RedirectAuthenticationRequest.Builder builder = Saml2RedirectAuthenticationRequest.withAuthenticationRequestContext(saml2AuthenticationRequestContext);
        builder.samlRequest(encoded).relayState(relayState);
        boolean signRequest = registration.getAssertingPartyDetails().getWantAuthnRequestsSigned();
        if (!signRequest) {
            return builder.build();
        }
        OpenSamlSigningUtils.QueryParametersPartial partial = OpenSamlSigningUtils.sign(registration)
                .param(Saml2ParameterNames.SAML_REQUEST, encoded);
        if (StringUtils.hasText(relayState)) {
            // RelayState is only added (and thereby covered by the signature) when non-blank.
            partial.param("RelayState", relayState);
        }
        Map<String, String> signedParameters = partial.parameters();
        return builder.sigAlg(signedParameters.get(Saml2ParameterNames.SIG_ALG))
                .signature(signedParameters.get("Signature"))
                .build();
    }

    /**
     * Default conversion from a context to an OpenSAML {@code AuthnRequest}.
     *
     * <p>ID, IssueInstant, ForceAuthn, IsPassive and ProtocolBinding are only set when the
     * builder left them null, so a pre-populated builder keeps its values. Issuer, Destination
     * and AssertionConsumerServiceURL are always taken from the context.
     *
     * @param context the request context
     * @return the populated, unsigned request
     */
    private AuthnRequest createAuthnRequest(Saml2AuthenticationRequestContext context) {
        String issuer = context.getIssuer();
        String destination = context.getDestination();
        String acsUrl = context.getAssertionConsumerServiceUrl();
        Saml2MessageBinding binding = this.protocolBindingResolver.convert(context);
        // mo14705buildObject is the decompiler's rendering of the builder's build method —
        // confirm against the OpenSAML API before editing.
        AuthnRequest authnRequest = this.authnRequestBuilder.mo14705buildObject();
        if (authnRequest.getID() == null) {
            // Random prefixed ID; the prefix presumably keeps the value a valid XML NCName
            // (which cannot start with a digit) — not stated in the original.
            authnRequest.setID("ARQ" + UUID.randomUUID().toString().substring(1));
        }
        if (authnRequest.getIssueInstant() == null) {
            authnRequest.setIssueInstant(new DateTime(this.clock.millis()));
        }
        if (authnRequest.isForceAuthn() == null) {
            authnRequest.setForceAuthn(Boolean.FALSE);
        }
        if (authnRequest.isPassive() == null) {
            authnRequest.setIsPassive(Boolean.FALSE);
        }
        if (authnRequest.getProtocolBinding() == null) {
            authnRequest.setProtocolBinding(binding.getUrn());
        }
        Issuer issuerElement = this.issuerBuilder.mo14705buildObject();
        issuerElement.setValue(issuer);
        authnRequest.setIssuer(issuerElement);
        authnRequest.setDestination(destination);
        authnRequest.setAssertionConsumerServiceURL(acsUrl);
        return authnRequest;
    }

    /**
     * Replaces the context-to-{@code AuthnRequest} converter.
     *
     * @param converter the converter to use
     * @throws IllegalArgumentException if {@code converter} is null
     */
    public void setAuthenticationRequestContextConverter(Converter<Saml2AuthenticationRequestContext, AuthnRequest> converter) {
        Assert.notNull(converter, "authenticationRequestContextConverter cannot be null");
        this.authenticationRequestContextConverter = converter;
    }

    /**
     * Replaces the clock used for {@code IssueInstant}.
     *
     * @param clock the clock to use
     * @throws IllegalArgumentException if {@code clock} is null
     */
    public void setClock(Clock clock) {
        Assert.notNull(clock, "clock cannot be null");
        this.clock = clock;
    }

    /**
     * Pins the {@code ProtocolBinding} to a fixed value instead of the registration's ACS binding.
     *
     * @param str the binding URN or name understood by {@link Saml2MessageBinding#from}
     * @throws IllegalArgumentException if {@code str} does not map to a known binding
     * @deprecated configure the binding on the {@link RelyingPartyRegistration} instead
     */
    @Deprecated
    public void setProtocolBinding(String str) {
        Saml2MessageBinding fixedBinding = Saml2MessageBinding.from(str);
        Assert.notNull(fixedBinding, "Invalid protocol binding: " + str);
        this.protocolBindingResolver = context -> fixedBinding;
    }
}
