package org.springframework.security.saml2.provider.service.web.authentication;

import jakarta.servlet.http.HttpServletRequest;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.UUID;
import java.util.function.BiConsumer;
import net.shibboleth.utilities.java.support.xml.SerializeSupport;
import org.opensaml.core.config.ConfigurationService;
import org.opensaml.core.xml.config.XMLObjectProviderRegistry;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.NameIDPolicy;
import org.opensaml.saml.saml2.core.impl.AuthnRequestBuilder;
import org.opensaml.saml.saml2.core.impl.AuthnRequestMarshaller;
import org.opensaml.saml.saml2.core.impl.IssuerBuilder;
import org.opensaml.saml.saml2.core.impl.NameIDBuilder;
import org.opensaml.saml.saml2.core.impl.NameIDPolicyBuilder;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.oauth2.client.web.server.DefaultServerOAuth2AuthorizationRequestResolver;
import org.springframework.security.saml2.Saml2Exception;
import org.springframework.security.saml2.core.OpenSamlInitializationService;
import org.springframework.security.saml2.core.Saml2ParameterNames;
import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
import org.springframework.security.saml2.provider.service.authentication.Saml2PostAuthenticationRequest;
import org.springframework.security.saml2.provider.service.authentication.Saml2RedirectAuthenticationRequest;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationPlaceholderResolvers;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.authentication.OpenSamlSigningUtils;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:BOOT-INF/lib/spring-security-saml2-service-provider-6.3.7.jar:org/springframework/security/saml2/provider/service/web/authentication/OpenSamlAuthenticationRequestResolver.class */
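/**
 * Builds a SAML 2.0 {@code AuthnRequest} for the relying party that the incoming
 * HTTP request maps to, and packages it for the asserting party's single-sign-on
 * binding (HTTP-POST or HTTP-Redirect), signing it when the registration asks for it.
 *
 * <p>Listing note: this is a decompiled (JADX) view of the class. The builder calls
 * appear as {@code mo18719buildObject()} because the decompiler renamed covariant
 * overrides; they are kept verbatim here rather than guessed at.
 *
 * <p>Changes over the decompiled original: the two setters now reject {@code null}
 * at configuration time (the original stored it and failed with an NPE on the first
 * request), the request-building, signing and packaging steps are split into private
 * helpers, and the duplicated "does this registration want a signature" predicate is
 * shared. Externally observable behaviour for non-null inputs is unchanged.
 */
public class OpenSamlAuthenticationRequestResolver {

    /**
     * Prefix for generated AuthnRequest IDs. The UUID's first character is dropped and
     * replaced by this prefix, presumably so the ID never starts with a digit (xs:ID is
     * an NCName) — confirm against the SAML/XML schema if you change this.
     */
    private static final String AUTHN_REQUEST_ID_PREFIX = "ARQ";

    private final RelyingPartyRegistrationResolver relyingPartyRegistrationResolver;
    private final AuthnRequestBuilder authnRequestBuilder;
    private final AuthnRequestMarshaller marshaller;
    private final IssuerBuilder issuerBuilder;
    /** Resolved and asserted at construction, but not used by any visible method of this class. */
    private final NameIDBuilder nameIdBuilder;
    private final NameIDPolicyBuilder nameIdPolicyBuilder;

    /** Which incoming requests this resolver handles; a path variable names the registration. */
    private RequestMatcher requestMatcher = new AntPathRequestMatcher(
            Saml2AuthenticationRequestResolver.DEFAULT_AUTHENTICATION_REQUEST_URI);

    /**
     * Produces the RelayState sent to the asserting party. The default is a fresh random
     * UUID per request, which carries no attacker-controlled data.
     */
    private Converter<HttpServletRequest, String> relayStateResolver = request -> UUID.randomUUID().toString();

    /**
     * Creates a resolver backed by the given registration resolver and the OpenSAML
     * builder/marshaller registry.
     *
     * @param relyingPartyRegistrationResolver looks up the {@link RelyingPartyRegistration}
     *        for an incoming request; must not be {@code null}
     * @throws IllegalArgumentException if the resolver is {@code null} or OpenSAML has not
     *         registered the required builders/marshaller
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public OpenSamlAuthenticationRequestResolver(RelyingPartyRegistrationResolver relyingPartyRegistrationResolver) {
        Assert.notNull(relyingPartyRegistrationResolver, "relyingPartyRegistrationResolver cannot be null");
        this.relyingPartyRegistrationResolver = relyingPartyRegistrationResolver;
        XMLObjectProviderRegistry registry = (XMLObjectProviderRegistry) ConfigurationService
                .get(XMLObjectProviderRegistry.class);
        this.marshaller = (AuthnRequestMarshaller) registry.getMarshallerFactory()
                .getMarshaller(AuthnRequest.DEFAULT_ELEMENT_NAME);
        Assert.notNull(this.marshaller, "authnRequestMarshaller must be configured in OpenSAML");
        // The original resolves this one builder through the static support class rather than
        // the registry instance obtained above; both are kept as-is.
        this.authnRequestBuilder = (AuthnRequestBuilder) XMLObjectProviderRegistrySupport.getBuilderFactory()
                .getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME);
        Assert.notNull(this.authnRequestBuilder, "authnRequestBuilder must be configured in OpenSAML");
        this.issuerBuilder = (IssuerBuilder) registry.getBuilderFactory().getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
        Assert.notNull(this.issuerBuilder, "issuerBuilder must be configured in OpenSAML");
        this.nameIdBuilder = (NameIDBuilder) registry.getBuilderFactory().getBuilder(NameID.DEFAULT_ELEMENT_NAME);
        Assert.notNull(this.nameIdBuilder, "nameIdBuilder must be configured in OpenSAML");
        this.nameIdPolicyBuilder = (NameIDPolicyBuilder) registry.getBuilderFactory()
                .getBuilder(NameIDPolicy.DEFAULT_ELEMENT_NAME);
        Assert.notNull(this.nameIdPolicyBuilder, "nameIdPolicyBuilder must be configured in OpenSAML");
    }

    /**
     * Replaces the RelayState producer.
     *
     * <p>NOTE(review): the converter receives the live {@link HttpServletRequest}, and its
     * output is sent to the IdP and echoed back unmodified. A resolver that copies an
     * unvalidated request parameter (for example a return URL) into RelayState turns the
     * post-login redirect into attacker-controlled data — validate or allow-list it.
     *
     * @param converter produces the RelayState for a request; must not be {@code null}
     * @throws IllegalArgumentException if {@code converter} is {@code null}
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public void setRelayStateResolver(Converter<HttpServletRequest, String> converter) {
        Assert.notNull(converter, "relayStateResolver cannot be null");
        this.relayStateResolver = converter;
    }

    /**
     * Replaces the matcher that decides which requests this resolver handles. The match's
     * {@code registrationId} path variable is passed to the registration resolver.
     *
     * @param requestMatcher must not be {@code null}
     * @throws IllegalArgumentException if {@code requestMatcher} is {@code null}
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public void setRequestMatcher(RequestMatcher requestMatcher) {
        Assert.notNull(requestMatcher, "requestMatcher cannot be null");
        this.requestMatcher = requestMatcher;
    }

    /**
     * Resolves an authentication request with no caller customisation of the
     * {@code AuthnRequest}.
     *
     * @param httpServletRequest the incoming request
     * @return the packaged request, or {@code null} if the request does not match or no
     *         registration is found
     */
    <T extends AbstractSaml2AuthenticationRequest> T resolve(HttpServletRequest httpServletRequest) {
        return resolve(httpServletRequest, (registration, authnRequest) -> {
        });
    }

    /**
     * Resolves an authentication request, letting {@code authnRequestConsumer} adjust the
     * OpenSAML {@code AuthnRequest} before it is given an ID, signed and encoded.
     *
     * <p>Ordering the consumer can rely on: it runs after the issuer, destination, ACS URL,
     * protocol binding and NameIDPolicy are set, and before the ID is assigned (so it may
     * set its own ID) and before any signature is computed (so its edits are covered by it).
     *
     * @param httpServletRequest the incoming request
     * @param authnRequestConsumer customisation hook; must not be {@code null}
     * @return a {@link Saml2PostAuthenticationRequest} when the asserting party's SSO binding
     *         is POST, otherwise a {@link Saml2RedirectAuthenticationRequest}; {@code null}
     *         when the request does not match or no registration resolves
     * @throws Saml2Exception if the {@code AuthnRequest} cannot be marshalled
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    @SuppressWarnings("unchecked")
    public <T extends AbstractSaml2AuthenticationRequest> T resolve(HttpServletRequest httpServletRequest,
            BiConsumer<RelyingPartyRegistration, AuthnRequest> authnRequestConsumer) {
        RequestMatcher.MatchResult match = this.requestMatcher.matcher(httpServletRequest);
        if (!match.isMatch()) {
            return null;
        }
        // The constant lives on an OAuth2 class only because the decompiler re-attached an
        // inlined compile-time constant to a class with the same value; it is the
        // "registrationId" URI variable name.
        String registrationId = match.getVariables()
                .get(DefaultServerOAuth2AuthorizationRequestResolver.DEFAULT_REGISTRATION_ID_URI_VARIABLE_NAME);
        RelyingPartyRegistration registration = this.relyingPartyRegistrationResolver.resolve(httpServletRequest,
                registrationId);
        if (registration == null) {
            return null;
        }

        AuthnRequest authnRequest = buildAuthnRequest(httpServletRequest, registration);
        authnRequestConsumer.accept(registration, authnRequest);
        if (authnRequest.getID() == null) {
            authnRequest.setID(AUTHN_REQUEST_ID_PREFIX + UUID.randomUUID().toString().substring(1));
        }
        // Computed before signing so the redirect signature can cover it when present.
        String relayState = this.relayStateResolver.convert(httpServletRequest);

        Saml2MessageBinding ssoBinding = registration.getAssertingPartyDetails().getSingleSignOnServiceBinding();
        if (ssoBinding == Saml2MessageBinding.POST) {
            return (T) buildPostRequest(registration, authnRequest, relayState);
        }
        return (T) buildRedirectRequest(registration, authnRequest, relayState);
    }

    /**
     * Populates a fresh {@code AuthnRequest} from the registration.
     *
     * <p>The Destination is taken from configuration (the IdP's SSO location) and is not run
     * through the placeholder resolver. The Issuer and ACS URL are placeholder-resolved
     * against the live request. NOTE(review): if that resolver derives {@code {baseUrl}}-style
     * placeholders from request headers, the ACS URL advertised to the IdP depends on
     * trusted Host / forwarded-header handling further up the stack — confirm.
     */
    private AuthnRequest buildAuthnRequest(HttpServletRequest request, RelyingPartyRegistration registration) {
        RelyingPartyRegistrationPlaceholderResolvers.UriResolver uriResolver =
                RelyingPartyRegistrationPlaceholderResolvers.uriResolver(request, registration);
        String entityId = uriResolver.resolve(registration.getEntityId());
        String acsLocation = uriResolver.resolve(registration.getAssertionConsumerServiceLocation());

        AuthnRequest authnRequest = this.authnRequestBuilder.mo18719buildObject();
        authnRequest.setForceAuthn(Boolean.FALSE);
        authnRequest.setIsPassive(Boolean.FALSE);
        authnRequest.setProtocolBinding(registration.getAssertionConsumerServiceBinding().getUrn());

        Issuer issuer = this.issuerBuilder.mo18719buildObject();
        issuer.setValue(entityId);
        authnRequest.setIssuer(issuer);

        authnRequest.setDestination(registration.getAssertingPartyDetails().getSingleSignOnServiceLocation());
        authnRequest.setAssertionConsumerServiceURL(acsLocation);

        String nameIdFormat = registration.getNameIdFormat();
        if (nameIdFormat != null) {
            NameIDPolicy policy = this.nameIdPolicyBuilder.mo18719buildObject();
            policy.setFormat(nameIdFormat);
            authnRequest.setNameIDPolicy(policy);
        }
        return authnRequest;
    }

    /**
     * HTTP-POST packaging: an enveloped XML signature is applied to the {@code AuthnRequest}
     * itself (when required) before it is serialised and base64-encoded.
     */
    private Saml2PostAuthenticationRequest buildPostRequest(RelyingPartyRegistration registration,
            AuthnRequest authnRequest, String relayState) {
        if (requiresSignature(registration)) {
            OpenSamlSigningUtils.sign(authnRequest, registration);
        }
        String encoded = Saml2Utils.samlEncode(serialize(authnRequest).getBytes(StandardCharsets.UTF_8));
        return Saml2PostAuthenticationRequest.withRelyingPartyRegistration(registration)
                .samlRequest(encoded)
                .relayState(relayState)
                .id(authnRequest.getID())
                .build();
    }

    /**
     * HTTP-Redirect packaging: the XML is deflated and base64-encoded, and when a signature
     * is required it is computed over the query parameters (the exact {@code SAMLRequest}
     * value that will be sent, plus {@code RelayState} when non-null) rather than embedded
     * in the XML. How the signed string is ordered is up to {@link OpenSamlSigningUtils}.
     */
    private Saml2RedirectAuthenticationRequest buildRedirectRequest(RelyingPartyRegistration registration,
            AuthnRequest authnRequest, String relayState) {
        String encoded = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(serialize(authnRequest)));
        Saml2RedirectAuthenticationRequest.Builder builder = Saml2RedirectAuthenticationRequest
                .withRelyingPartyRegistration(registration)
                .samlRequest(encoded)
                .relayState(relayState)
                .id(authnRequest.getID());
        if (requiresSignature(registration)) {
            OpenSamlSigningUtils.QueryParametersPartial partial = OpenSamlSigningUtils.sign(registration)
                    .param(Saml2ParameterNames.SAML_REQUEST, encoded);
            if (relayState != null) {
                // Literal parameter names are kept as the decompiler emitted them.
                partial = partial.param("RelayState", relayState);
            }
            Map<String, String> signedParams = partial.parameters();
            builder.sigAlg(signedParams.get(Saml2ParameterNames.SIG_ALG))
                    .signature(signedParams.get("Signature"));
        }
        return builder.build();
    }

    /**
     * A signature is required when either the asserting party demands signed requests or the
     * relying party is configured to always sign them.
     */
    private static boolean requiresSignature(RelyingPartyRegistration registration) {
        return registration.getAssertingPartyDetails().getWantAuthnRequestsSigned()
                || registration.isAuthnRequestsSigned();
    }

    /**
     * Marshals the {@code AuthnRequest} to its XML string form.
     *
     * @throws Saml2Exception wrapping the underlying {@link MarshallingException}
     */
    private String serialize(AuthnRequest authnRequest) {
        try {
            return SerializeSupport.nodeToString(this.marshaller.marshall(authnRequest));
        } catch (MarshallingException ex) {
            throw new Saml2Exception(ex);
        }
    }

    static {
        // Ensure the OpenSAML registry consulted by the constructor is populated.
        OpenSamlInitializationService.initialize();
    }
}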
