package org.springframework.security.saml.websso;

import java.util.Collection;
import java.util.List;
import java.util.Set;
import org.opensaml.common.SAMLException;
import org.opensaml.common.SAMLObjectBuilder;
import org.opensaml.common.SAMLVersion;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.IDPEntry;
import org.opensaml.saml2.core.IDPList;
import org.opensaml.saml2.core.NameIDPolicy;
import org.opensaml.saml2.core.RequestedAuthnContext;
import org.opensaml.saml2.core.RequesterID;
import org.opensaml.saml2.core.Scoping;
import org.opensaml.saml2.core.impl.RequesterIDBuilder;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.springframework.security.saml.SAMLConstants;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.MetadataManager;
import org.springframework.security.saml.processor.SAMLProcessor;
import org.springframework.security.saml.storage.SAMLMessageStorage;
import org.springframework.util.CollectionUtils;

/* loaded from: input_file:WEB-INF/lib/spring-security-saml2-core-1.0.9.RELEASE.jar:org/springframework/security/saml/websso/WebSSOProfileImpl.class */
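public class WebSSOProfileImpl extends AbstractProfileBase implements WebSSOProfile {

    /** No-argument constructor; relies on the superclass default constructor. */
    public WebSSOProfileImpl() {
    }

    /**
     * Creates the profile with its collaborators.
     *
     * @param sAMLProcessor processor handed to {@link AbstractProfileBase}
     * @param metadataManager metadata manager handed to {@link AbstractProfileBase}
     */
    public WebSSOProfileImpl(SAMLProcessor sAMLProcessor, MetadataManager metadataManager) {
        super(sAMLProcessor, metadataManager);
    }

    /**
     * Identifies this profile as the SAML 2.0 Web SSO profile.
     *
     * @return {@link SAMLConstants#SAML2_WEBSSO_PROFILE_URI}
     */
    @Override // org.springframework.security.saml.websso.AbstractProfileBase
    public String getProfileIdentifier() {
        return SAMLConstants.SAML2_WEBSSO_PROFILE_URI;
    }

    /**
     * Builds an {@link AuthnRequest} for the peer IDP described in the context and sends it to the
     * selected single sign-on endpoint.
     *
     * <p>The request is signed when the local SP metadata declares {@code AuthnRequestsSigned} or the
     * peer IDP metadata declares {@code WantAuthnRequestsSigned}. After sending, the request is stored
     * under its ID when the context provides a {@link SAMLMessageStorage} (presumably so the later
     * response can be correlated with it — confirm in the consumer).
     *
     * @param sAMLMessageContext context holding the local SP and peer IDP metadata; updated in place with
     *        the outbound message, peer endpoint, peer metadata and relay state
     * @param webSSOProfileOptions caller preferences (binding, consumer index, relay state, scoping, ...)
     * @throws SAMLException if the local entity role is not an SP, or SP/IDP/extended metadata is missing
     * @throws MetadataProviderException if no usable SSO or assertion consumer endpoint can be selected
     * @throws MessageEncodingException propagated from {@code sendMessage}
     */
    public void sendAuthenticationRequest(SAMLMessageContext sAMLMessageContext, WebSSOProfileOptions webSSOProfileOptions) throws SAMLException, MetadataProviderException, MessageEncodingException {
        // Only a local SP may initiate Web SSO.
        if (!SPSSODescriptor.DEFAULT_ELEMENT_NAME.equals(sAMLMessageContext.getLocalEntityRole())) {
            throw new SAMLException("WebSSO can only be initialized for local SP, but localEntityRole is: " + sAMLMessageContext.getLocalEntityRole());
        }
        SPSSODescriptor sPSSODescriptor = (SPSSODescriptor) sAMLMessageContext.getLocalEntityRoleMetadata();
        IDPSSODescriptor iDPSSODescriptor = (IDPSSODescriptor) sAMLMessageContext.getPeerEntityRoleMetadata();
        ExtendedMetadata peerExtendedMetadata = sAMLMessageContext.getPeerExtendedMetadata();
        if (sPSSODescriptor == null || iDPSSODescriptor == null || peerExtendedMetadata == null) {
            throw new SAMLException("SPSSODescriptor, IDPSSODescriptor or IDPExtendedMetadata are not present in the SAMLContext");
        }

        // Endpoint selection happens before the request is built: the SSO endpoint determines the
        // destination, the consumer endpoint determines the return address carried in the request.
        SingleSignOnService ssoService = getSingleSignOnService(webSSOProfileOptions, iDPSSODescriptor, sPSSODescriptor);
        AssertionConsumerService consumerService = getAssertionConsumerService(webSSOProfileOptions, iDPSSODescriptor, sPSSODescriptor);
        AuthnRequest authnRequest = getAuthnRequest(sAMLMessageContext, webSSOProfileOptions, consumerService, ssoService);

        sAMLMessageContext.setCommunicationProfileId(getProfileIdentifier());
        sAMLMessageContext.setOutboundMessage(authnRequest);
        sAMLMessageContext.setOutboundSAMLMessage(authnRequest);
        sAMLMessageContext.setPeerEntityEndpoint(ssoService);
        sAMLMessageContext.setPeerEntityRoleMetadata(iDPSSODescriptor);
        sAMLMessageContext.setPeerExtendedMetadata(peerExtendedMetadata);
        if (webSSOProfileOptions.getRelayState() != null) {
            sAMLMessageContext.setRelayState(webSSOProfileOptions.getRelayState());
        }

        // Sign whenever either side's metadata asks for it.
        boolean signRequest = sPSSODescriptor.isAuthnRequestsSigned().booleanValue()
                || iDPSSODescriptor.getWantAuthnRequestsSigned().booleanValue();
        sendMessage(sAMLMessageContext, signRequest);

        SAMLMessageStorage messageStorage = sAMLMessageContext.getMessageStorage();
        if (messageStorage != null) {
            messageStorage.storeMessage(authnRequest.getID(), authnRequest);
        }
    }

    /**
     * Picks the IDP single sign-on endpoint to send the request to.
     *
     * <p>Without a user-specified binding the first endpoint with a supported binding wins; with one,
     * the first supported endpoint whose binding matches it.
     *
     * @param webSSOProfileOptions options whose {@code binding}, when non-null, restricts the choice
     * @param iDPSSODescriptor peer IDP metadata providing the candidate endpoints
     * @param sPSSODescriptor local SP metadata (not consulted here; available for overriding subclasses)
     * @return the selected endpoint, never {@code null}
     * @throws MetadataProviderException if no endpoint satisfies the selection
     */
    protected SingleSignOnService getSingleSignOnService(WebSSOProfileOptions webSSOProfileOptions, IDPSSODescriptor iDPSSODescriptor, SPSSODescriptor sPSSODescriptor) throws MetadataProviderException {
        String binding = webSSOProfileOptions.getBinding();
        for (SingleSignOnService candidate : iDPSSODescriptor.getSingleSignOnServices()) {
            if (!isEndpointSupported(candidate)) {
                continue;
            }
            if (binding == null) {
                return candidate;
            }
            if (isEndpointMatching(candidate, binding)) {
                this.log.debug("Found user specified binding {}", binding);
                return candidate;
            }
        }
        if (binding != null) {
            throw new MetadataProviderException("User specified binding " + binding + " is not supported by the IDP using profile " + getProfileIdentifier());
        }
        // binding is null on this path, so it is not interpolated into the message.
        throw new MetadataProviderException("No supported binding was found for profile " + getProfileIdentifier());
    }

    /**
     * Picks the local assertion consumer endpoint the IDP should respond to.
     *
     * <p>Precedence: the endpoint with the index requested in the options (which must use a supported
     * binding), then the SP's default endpoint if it uses a supported binding, then the first endpoint
     * with a supported binding.
     *
     * @param webSSOProfileOptions options whose {@code assertionConsumerIndex}, when non-null, pins the endpoint
     * @param iDPSSODescriptor peer IDP metadata (not consulted here; available for overriding subclasses)
     * @param sPSSODescriptor local SP metadata providing the candidate endpoints
     * @return the selected endpoint, never {@code null}
     * @throws MetadataProviderException if the requested index is unknown or unsupported, or no supported endpoint exists
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public AssertionConsumerService getAssertionConsumerService(WebSSOProfileOptions webSSOProfileOptions, IDPSSODescriptor iDPSSODescriptor, SPSSODescriptor sPSSODescriptor) throws MetadataProviderException {
        List<AssertionConsumerService> assertionConsumerServices = sPSSODescriptor.getAssertionConsumerServices();

        // 1. explicit index from the options
        if (webSSOProfileOptions.getAssertionConsumerIndex() != null) {
            for (AssertionConsumerService candidate : assertionConsumerServices) {
                if (webSSOProfileOptions.getAssertionConsumerIndex().equals(candidate.getIndex())) {
                    if (!isEndpointSupported(candidate)) {
                        throw new MetadataProviderException("Endpoint designated by the value in the WebSSOProfileOptions is not supported by this profile");
                    }
                    this.log.debug("Using consumer service determined by user preference with binding {}", candidate.getBinding());
                    return candidate;
                }
            }
            throw new MetadataProviderException("AssertionConsumerIndex " + webSSOProfileOptions.getAssertionConsumerIndex() + " not found for spDescriptor " + sPSSODescriptor);
        }

        // 2. metadata default, when its binding is acceptable
        AssertionConsumerService defaultService = sPSSODescriptor.getDefaultAssertionConsumerService();
        if (defaultService != null && isEndpointSupported(defaultService)) {
            this.log.debug("Using default consumer service with binding {}", defaultService.getBinding());
            return defaultService;
        }

        // 3. first acceptable endpoint (an empty list simply falls through)
        for (AssertionConsumerService candidate : assertionConsumerServices) {
            if (isEndpointSupported(candidate)) {
                this.log.debug("Using first available consumer service with binding {}", candidate.getBinding());
                return candidate;
            }
        }
        throw new MetadataProviderException("Service provider has no assertion consumer service available for the selected profile " + sPSSODescriptor);
    }

    /**
     * Tells whether an IDP SSO endpoint uses a binding this profile can send to:
     * HTTP-POST, HTTP-Artifact or HTTP-Redirect.
     *
     * @param singleSignOnService endpoint to check
     * @return {@code true} for the three bindings above
     * @throws MetadataProviderException never here; kept for overriding subclasses
     */
    protected boolean isEndpointSupported(SingleSignOnService singleSignOnService) throws MetadataProviderException {
        String binding = singleSignOnService.getBinding();
        return org.opensaml.common.xml.SAMLConstants.SAML2_POST_BINDING_URI.equals(binding)
                || org.opensaml.common.xml.SAMLConstants.SAML2_ARTIFACT_BINDING_URI.equals(binding)
                || org.opensaml.common.xml.SAMLConstants.SAML2_REDIRECT_BINDING_URI.equals(binding);
    }

    /**
     * Tells whether a local assertion consumer endpoint uses a binding this profile accepts responses on:
     * HTTP-POST or HTTP-Artifact. Unlike the SSO endpoint check, HTTP-Redirect is not accepted here.
     *
     * @param assertionConsumerService endpoint to check
     * @return {@code true} for the two bindings above
     * @throws MetadataProviderException never here; kept for overriding subclasses
     */
    protected boolean isEndpointSupported(AssertionConsumerService assertionConsumerService) throws MetadataProviderException {
        String binding = assertionConsumerService.getBinding();
        // Logical OR (the decompiled form used a non-short-circuit '|'); the result is the same.
        return org.opensaml.common.xml.SAMLConstants.SAML2_POST_BINDING_URI.equals(binding)
                || org.opensaml.common.xml.SAMLConstants.SAML2_ARTIFACT_BINDING_URI.equals(binding);
    }

    /**
     * Assembles the {@link AuthnRequest}: passive/force flags and provider name from the options, SAML 2.0
     * version, then the common attributes, scoping, NameID policy, requested authn context and return
     * address via the {@code build*} hooks below.
     *
     * @param sAMLMessageContext context supplying the local entity ID
     * @param webSSOProfileOptions caller preferences copied into the request
     * @param assertionConsumerService endpoint the IDP should respond to; may be {@code null}
     * @param singleSignOnService destination endpoint
     * @return the populated request
     * @throws SAMLException propagated from the build hooks
     * @throws MetadataProviderException propagated from the build hooks
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public AuthnRequest getAuthnRequest(SAMLMessageContext sAMLMessageContext, WebSSOProfileOptions webSSOProfileOptions, AssertionConsumerService assertionConsumerService, SingleSignOnService singleSignOnService) throws SAMLException, MetadataProviderException {
        // mo15387buildObject is the decompiler's name for the builder's buildObject() method.
        AuthnRequest authnRequest = (AuthnRequest) ((SAMLObjectBuilder) this.builderFactory.getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME)).mo15387buildObject();
        authnRequest.setIsPassive(webSSOProfileOptions.getPassive());
        authnRequest.setForceAuthn(webSSOProfileOptions.getForceAuthN());
        authnRequest.setProviderName(webSSOProfileOptions.getProviderName());
        authnRequest.setVersion(SAMLVersion.VERSION_20);
        buildCommonAttributes(sAMLMessageContext.getLocalEntityId(), authnRequest, singleSignOnService);
        buildScoping(authnRequest, singleSignOnService, webSSOProfileOptions);
        builNameIDPolicy(authnRequest, webSSOProfileOptions);
        buildAuthnContext(authnRequest, webSSOProfileOptions);
        buildReturnAddress(authnRequest, assertionConsumerService);
        return authnRequest;
    }

    /**
     * Adds a {@code NameIDPolicy} when the options name a NameID format. The policy carries the format,
     * the {@code allowCreate} flag and the {@link #getSPNameQualifier()} value.
     * (The method name keeps its original spelling because subclasses may override it.)
     *
     * @param authnRequest request to extend
     * @param webSSOProfileOptions source of the format and allowCreate flag
     */
    protected void builNameIDPolicy(AuthnRequest authnRequest, WebSSOProfileOptions webSSOProfileOptions) {
        if (webSSOProfileOptions.getNameID() == null) {
            return;
        }
        NameIDPolicy nameIDPolicy = (NameIDPolicy) ((SAMLObjectBuilder) this.builderFactory.getBuilder(NameIDPolicy.DEFAULT_ELEMENT_NAME)).mo15387buildObject();
        nameIDPolicy.setFormat(webSSOProfileOptions.getNameID());
        nameIDPolicy.setAllowCreate(webSSOProfileOptions.isAllowCreate());
        nameIDPolicy.setSPNameQualifier(getSPNameQualifier());
        authnRequest.setNameIDPolicy(nameIDPolicy);
    }

    /**
     * SPNameQualifier placed in the NameID policy; {@code null} here, meaning none is set.
     *
     * @return {@code null}; subclasses may override
     */
    protected String getSPNameQualifier() {
        return null;
    }

    /**
     * Adds a {@code RequestedAuthnContext} listing one class reference per entry in the options'
     * authn contexts, with the configured comparison. Nothing is added for a null or empty collection.
     *
     * @param authnRequest request to extend
     * @param webSSOProfileOptions source of the context class references and comparison
     */
    protected void buildAuthnContext(AuthnRequest authnRequest, WebSSOProfileOptions webSSOProfileOptions) {
        Collection<String> authnContexts = webSSOProfileOptions.getAuthnContexts();
        if (authnContexts == null || authnContexts.isEmpty()) {
            return;
        }
        RequestedAuthnContext requestedAuthnContext = (RequestedAuthnContext) ((SAMLObjectBuilder) this.builderFactory.getBuilder(RequestedAuthnContext.DEFAULT_ELEMENT_NAME)).mo15387buildObject();
        requestedAuthnContext.setComparison(webSSOProfileOptions.getAuthnContextComparison());
        for (String contextClass : authnContexts) {
            AuthnContextClassRef classRef = (AuthnContextClassRef) ((SAMLObjectBuilder) this.builderFactory.getBuilder(AuthnContextClassRef.DEFAULT_ELEMENT_NAME)).mo15387buildObject();
            classRef.setAuthnContextClassRef(contextClass);
            requestedAuthnContext.getAuthnContextClassRefs().add(classRef);
        }
        authnRequest.setRequestedAuthnContext(requestedAuthnContext);
    }

    /**
     * Sets the request's {@code AssertionConsumerServiceURL} and {@code ProtocolBinding} from the chosen
     * consumer endpoint. The endpoint's ResponseLocation is preferred over its Location. No-op for a
     * {@code null} endpoint.
     *
     * @param authnRequest request to extend
     * @param assertionConsumerService endpoint the IDP should respond to; may be {@code null}
     * @throws MetadataProviderException propagated from {@code getEndpointBinding}
     */
    protected void buildReturnAddress(AuthnRequest authnRequest, AssertionConsumerService assertionConsumerService) throws MetadataProviderException {
        if (assertionConsumerService == null) {
            return;
        }
        String responseLocation = assertionConsumerService.getResponseLocation();
        authnRequest.setAssertionConsumerServiceURL(responseLocation != null ? responseLocation : assertionConsumerService.getLocation());
        authnRequest.setProtocolBinding(getEndpointBinding(assertionConsumerService));
    }

    /**
     * Adds a {@code Scoping} element when the options enable it: the IDP list built from the allowed IDPs,
     * the proxy count, and one {@code RequesterID} per configured requester ID.
     *
     * @param authnRequest request to extend
     * @param singleSignOnService destination endpoint, forwarded to {@link #buildIDPList}
     * @param webSSOProfileOptions source of the scoping settings
     */
    protected void buildScoping(AuthnRequest authnRequest, SingleSignOnService singleSignOnService, WebSSOProfileOptions webSSOProfileOptions) {
        if (webSSOProfileOptions.isIncludeScoping() == null || !webSSOProfileOptions.isIncludeScoping().booleanValue()) {
            return;
        }
        IDPList idpList = buildIDPList(webSSOProfileOptions.getAllowedIDPs(), singleSignOnService);
        Scoping scoping = (Scoping) ((SAMLObjectBuilder) this.builderFactory.getBuilder(Scoping.DEFAULT_ELEMENT_NAME)).mo15387buildObject();
        scoping.setIDPList(idpList);
        scoping.setProxyCount(webSSOProfileOptions.getProxyCount());
        if (!CollectionUtils.isEmpty(webSSOProfileOptions.getRequesterIds())) {
            RequesterIDBuilder requesterIDBuilder = new RequesterIDBuilder();
            for (String requesterId : webSSOProfileOptions.getRequesterIds()) {
                RequesterID requesterID = requesterIDBuilder.mo15387buildObject();
                requesterID.setRequesterID(requesterId);
                scoping.getRequesterIDs().add(requesterID);
            }
        }
        authnRequest.setScoping(scoping);
    }

    /**
     * Builds an {@code IDPList} with one {@code IDPEntry} per provider ID. When an SSO endpoint is given,
     * every entry's {@code Loc} is set to that endpoint's location.
     *
     * @param set provider IDs; {@code null} yields {@code null} (an empty set yields an empty list)
     * @param singleSignOnService endpoint whose location is copied into each entry; may be {@code null}
     * @return the list, or {@code null} when {@code set} is {@code null}
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public IDPList buildIDPList(Set<String> set, SingleSignOnService singleSignOnService) {
        if (set == null) {
            return null;
        }
        SAMLObjectBuilder entryBuilder = (SAMLObjectBuilder) this.builderFactory.getBuilder(IDPEntry.DEFAULT_ELEMENT_NAME);
        IDPList idpList = (IDPList) ((SAMLObjectBuilder) this.builderFactory.getBuilder(IDPList.DEFAULT_ELEMENT_NAME)).mo15387buildObject();
        for (String providerId : set) {
            IDPEntry entry = (IDPEntry) entryBuilder.mo15387buildObject();
            entry.setProviderID(providerId);
            idpList.getIDPEntrys().add(entry);
            if (singleSignOnService != null) {
                entry.setLoc(singleSignOnService.getLocation());
            }
        }
        return idpList;
    }
}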
