package org.opensaml.saml.saml2.binding.encoding.impl;

import com.google.common.collect.Lists;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;
import javax.annotation.Nonnull;
import javax.servlet.http.HttpServletResponse;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.codec.Base64Support;
import net.shibboleth.utilities.java.support.codec.EncodingException;
import net.shibboleth.utilities.java.support.collection.Pair;
import net.shibboleth.utilities.java.support.net.HttpServletSupport;
import net.shibboleth.utilities.java.support.net.URLBuilder;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import net.shibboleth.utilities.java.support.xml.SerializeSupport;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.encoder.MessageEncodingException;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.common.binding.SAMLBindingSupport;
import org.opensaml.saml.common.messaging.SAMLMessageSecuritySupport;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.opensaml.saml.saml2.core.StatusResponseType;
import org.opensaml.saml.saml2.ecp.RelayState;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialSupport;
import org.opensaml.xmlsec.SignatureSigningParameters;
import org.opensaml.xmlsec.crypto.XMLSigningUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/opensaml/saml/saml2/binding/encoding/impl/HTTPRedirectDeflateEncoder.class */
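public class HTTPRedirectDeflateEncoder extends BaseSAML2MessageEncoder {

    /**
     * Query parameter names that are never carried over from the configured endpoint URL, because this binding
     * sets them itself; any such parameter found on the endpoint is stripped before the message is attached.
     * Matching is exact and case-sensitive, as HTTP query parameter names are.
     */
    @NonnullElements
    @Nonnull
    private static final Set<String> DISALLOWED_ENDPOINT_QUERY_PARAMS = Set.of("SAMLEncoding", "SAMLRequest",
            "SAMLResponse", RelayState.DEFAULT_ELEMENT_LOCAL_NAME, "SigAlg", "Signature");

    /** Compression level handed to the {@link Deflater} that compresses the serialized message. */
    private static final int DEFLATE_LEVEL = 8;

    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(HTTPRedirectDeflateEncoder.class);

    /**
     * A {@link DeflaterOutputStream} that emits a raw DEFLATE stream (the {@code nowrap} flag suppresses the zlib
     * header and trailer) and that releases the native {@link Deflater} resources on {@link #close()}.
     *
     * <p>{@code DeflaterOutputStream} only ends a {@code Deflater} it created itself; since this class supplies
     * its own, {@code close()} has to end it explicitly. The class captures no state from the enclosing encoder,
     * so it is static and does not pin the encoder instance for the life of the stream.</p>
     */
    public static class NoWrapAutoEndDeflaterOutputStream extends DeflaterOutputStream {

        /**
         * Constructor.
         *
         * @param outputStream the stream that receives the compressed bytes
         * @param level the {@link Deflater} compression level
         */
        public NoWrapAutoEndDeflaterOutputStream(final OutputStream outputStream, final int level) {
            super(outputStream, new Deflater(level, true));
        }

        /**
         * Closes the stream and then ends the {@link Deflater}.
         *
         * <p>The superclass {@code close()} finishes any pending compressed output, so it must run before the
         * Deflater is ended; ending first would make a close without a prior {@link #finish()} (the error path)
         * drive an already-ended Deflater. The Deflater is ended in {@code finally} so its native memory is
         * released even if closing the underlying stream fails.</p>
         *
         * @throws IOException if closing the underlying stream fails
         */
        @Override
        public void close() throws IOException {
            try {
                super.close();
            } finally {
                if (def != null) {
                    def.end();
                }
            }
        }
    }

    /**
     * Gets the URI of the binding implemented by this encoder.
     *
     * @return the SAML 2 HTTP-Redirect binding URI
     */
    @Override
    public String getBindingURI() {
        return SAMLConstants.SAML2_REDIRECT_BINDING_URI;
    }

    /**
     * Encodes the outbound SAML message as a DEFLATE/Base64 query parameter on the endpoint URL, signs the query
     * string when signing parameters are present, and sends the client an HTTP redirect to the resulting URL.
     *
     * @throws MessageEncodingException if the context holds no SAML message, the endpoint URL is invalid, encoding
     *             or signing fails, or the redirect cannot be sent
     */
    protected void doEncode() throws MessageEncodingException {
        final MessageContext messageContext = getMessageContext();
        final Object outboundMessage = messageContext.getMessage();
        // instanceof is false for null, so no separate null check is needed.
        if (!(outboundMessage instanceof SAMLObject)) {
            throw new MessageEncodingException("No outbound SAML message contained in message context");
        }
        final SAMLObject samlMessage = (SAMLObject) outboundMessage;
        final String endpointURL = getEndpointURL(messageContext).toString();

        // Any enveloped XML signature is dropped before serialization: with this binding the message is protected
        // by the URL signature (SigAlg/Signature) built in buildRedirectURL, not by an XML signature.
        removeSignature(samlMessage);
        final String encodedMessage = deflateAndBase64Encode(samlMessage);
        final String redirectURL = buildRedirectURL(messageContext, endpointURL, encodedMessage);

        final HttpServletResponse response = getHttpServletResponse();
        HttpServletSupport.addNoCacheHeaders(response);
        HttpServletSupport.setUTF8Encoding(response);
        try {
            response.sendRedirect(redirectURL);
        } catch (final IOException e) {
            throw new MessageEncodingException("Problem sending HTTP redirect", e);
        }
    }

    /**
     * Removes the XML signature from the message, if it is signable and currently signed.
     *
     * @param message the SAML message
     */
    protected void removeSignature(final SAMLObject message) {
        if (!(message instanceof SignableSAMLObject)) {
            return;
        }
        final SignableSAMLObject signableMessage = (SignableSAMLObject) message;
        if (signableMessage.isSigned()) {
            log.debug("Removing SAML protocol message signature");
            signableMessage.setSignature(null);
        }
    }

    /**
     * Serializes the message, DEFLATE-compresses it (raw stream, no zlib wrapper) and Base64-encodes the result as
     * a single unchunked line suitable for a query parameter value.
     *
     * @param message the SAML message to encode
     * @return the Base64 encoded, deflated serialization of the message
     * @throws MessageEncodingException if marshalling, compression or encoding fails
     */
    protected String deflateAndBase64Encode(final SAMLObject message) throws MessageEncodingException {
        log.debug("Deflating and Base64 encoding SAML message");
        final String messageXML = SerializeSupport.nodeToString(marshallMessage(message));
        try (ByteArrayOutputStream bytesOut = new ByteArrayOutputStream();
                NoWrapAutoEndDeflaterOutputStream deflaterStream =
                        new NoWrapAutoEndDeflaterOutputStream(bytesOut, DEFLATE_LEVEL)) {
            deflaterStream.write(messageXML.getBytes(StandardCharsets.UTF_8));
            // finish() pushes the compressed tail into bytesOut before the byte array is read; relying on close()
            // would be too late, as the array is taken inside the try block.
            deflaterStream.finish();
            // false = unchunked output: no line breaks in the Base64 text.
            return Base64Support.encode(bytesOut.toByteArray(), false);
        } catch (final IOException | EncodingException e) {
            throw new MessageEncodingException("Unable to DEFLATE and Base64 encode SAML message", e);
        }
    }

    /**
     * Builds the URL the client is redirected to: the endpoint URL carrying the encoded message (as SAMLRequest or
     * SAMLResponse), the RelayState if one is set, and, when signing parameters are available, SigAlg and Signature.
     *
     * <p>The URL signature covers only the query string made of the binding's own parameters, in the order
     * SAMLRequest/SAMLResponse, RelayState, SigAlg. Parameters already present on the endpoint URL are excluded
     * from the signed data and re-attached in front of the binding parameters afterwards (in the unsigned case
     * they are appended after them, as before).</p>
     *
     * @param messageContext current message context
     * @param endpoint the endpoint URL to redirect to
     * @param message the DEFLATE/Base64 encoded SAML message
     * @return the complete redirect URL
     * @throws MessageEncodingException if the endpoint URL is malformed, the message is neither a request nor a
     *             response, or signing fails
     */
    protected String buildRedirectURL(final MessageContext messageContext, final String endpoint,
            final String message) throws MessageEncodingException {
        log.debug("Building URL to redirect client to");
        try {
            final URLBuilder urlBuilder = new URLBuilder(endpoint);
            final List<Pair<String, String>> queryParams = urlBuilder.getQueryParams();
            removeDisallowedQueryParams(queryParams);

            // Set aside what the endpoint already carried and empty the live list, so that while the signature is
            // computed the builder's query string holds exactly the parameters that must be signed.
            final List<Pair<String, String>> endpointParams = new ArrayList<>(queryParams);
            queryParams.clear();

            queryParams.add(new Pair<>(messageParamName(messageContext), message));

            final String relayState = SAMLBindingSupport.getRelayState(messageContext);
            if (SAMLBindingSupport.checkRelayState(relayState)) {
                queryParams.add(new Pair<>(RelayState.DEFAULT_ELEMENT_LOCAL_NAME, relayState));
            }

            final SignatureSigningParameters signingParameters =
                    SAMLMessageSecuritySupport.getContextSigningParameters(messageContext);
            if (signingParameters == null || signingParameters.getSigningCredential() == null) {
                log.debug("No signing credential was supplied, skipping HTTP-Redirect DEFLATE signing");
                queryParams.addAll(endpointParams);
            } else {
                final String sigAlgURI = getSignatureAlgorithmURI(signingParameters);
                queryParams.add(new Pair<>("SigAlg", sigAlgURI));
                // The signed data is the query string as it stands now: message, optional RelayState, SigAlg.
                final String signedQueryString = urlBuilder.buildQueryString();
                queryParams.add(new Pair<>("Signature",
                        generateSignature(signingParameters.getSigningCredential(), sigAlgURI, signedQueryString)));
                // Endpoint parameters go back in front, in their original order; they are not part of the signed data.
                queryParams.addAll(0, endpointParams);
            }
            return urlBuilder.buildURL();
        } catch (final MalformedURLException e) {
            throw new MessageEncodingException("Endpoint URL " + endpoint + " is not a valid URL", e);
        }
    }

    /**
     * Determines the query parameter name that carries the message.
     *
     * @param messageContext current message context
     * @return "SAMLRequest" for a {@link RequestAbstractType}, "SAMLResponse" for a {@link StatusResponseType}
     * @throws MessageEncodingException if the message is neither
     */
    private static String messageParamName(final MessageContext messageContext) throws MessageEncodingException {
        final Object samlMessage = messageContext.getMessage();
        if (samlMessage instanceof RequestAbstractType) {
            return "SAMLRequest";
        } else if (samlMessage instanceof StatusResponseType) {
            return "SAMLResponse";
        }
        throw new MessageEncodingException("SAML message is neither a SAML RequestAbstractType or StatusResponseType");
    }

    /**
     * Removes from the endpoint's query parameters every one whose trimmed name is in
     * {@link #DISALLOWED_ENDPOINT_QUERY_PARAMS}, so it cannot collide with the parameters this binding sets.
     *
     * @param queryParams the endpoint's query parameters, modified in place
     */
    protected void removeDisallowedQueryParams(@Nonnull final List<Pair<String, String>> queryParams) {
        final Iterator<Pair<String, String>> iter = queryParams.iterator();
        while (iter.hasNext()) {
            final String paramName = StringSupport.trimOrNull(iter.next().getFirst());
            // Set.of() rejects null lookups with NullPointerException, so a nameless parameter (empty or blank
            // name) is skipped explicitly instead of crashing the encoder.
            if (paramName != null && DISALLOWED_ENDPOINT_QUERY_PARAMS.contains(paramName)) {
                log.debug("Removing disallowed query param '{}' from endpoint URL", paramName);
                iter.remove();
            }
        }
    }

    /**
     * Gets the signature algorithm URI to sign the query string with.
     *
     * @param signingParameters the signing parameters from the message context
     * @return the signature algorithm URI
     * @throws MessageEncodingException if the parameters carry no algorithm
     */
    protected String getSignatureAlgorithmURI(final SignatureSigningParameters signingParameters)
            throws MessageEncodingException {
        final String algorithmURI = signingParameters.getSignatureAlgorithm();
        if (algorithmURI == null) {
            throw new MessageEncodingException("The signing algorithm URI could not be determined");
        }
        return algorithmURI;
    }

    /**
     * Signs the query string with the given credential and algorithm and returns the signature Base64-encoded
     * (unchunked).
     *
     * @param signingCredential the credential holding the signing key
     * @param algorithmURI the signature algorithm URI
     * @param queryString the exact query string to sign (UTF-8 bytes are signed)
     * @return the Base64 encoded signature value; never null
     * @throws MessageEncodingException if signing or Base64 encoding fails
     */
    protected String generateSignature(final Credential signingCredential, final String algorithmURI,
            final String queryString) throws MessageEncodingException {
        if (log.isDebugEnabled()) {
            log.debug("Generating signature with key type '{}', algorithm URI '{}' over query string '{}'",
                    CredentialSupport.extractSigningKey(signingCredential).getAlgorithm(), algorithmURI, queryString);
        }
        try {
            // StandardCharsets.UTF_8 replaces getBytes("UTF-8"): same bytes, but no checked
            // UnsupportedEncodingException, so there is no longer a path that silently returns null.
            final byte[] rawSignature = XMLSigningUtil.signWithURI(signingCredential, algorithmURI,
                    queryString.getBytes(StandardCharsets.UTF_8));
            final String b64Signature = Base64Support.encode(rawSignature, false);
            log.debug("Generated digital signature value (base64-encoded) {}", b64Signature);
            return b64Signature;
        } catch (final EncodingException e) {
            log.error("Error during URL signing process: {}", e.getMessage());
            throw new MessageEncodingException("Unable to base64 encode signature of URL query string", e);
        } catch (final SecurityException e) {
            log.error("Error during URL signing process: {}", e.getMessage());
            throw new MessageEncodingException("Unable to sign URL query string", e);
        }
    }
}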
