package org.keycloak.protocol.saml;

import java.io.InputStream;
import java.net.URI;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.Objects;
import java.util.TreeSet;
import javax.ws.rs.Consumes;
import javax.ws.rs.FormParam;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.keycloak.common.VerificationException;
import org.keycloak.common.util.PemUtils;
import org.keycloak.crypto.KeyStatus;
import org.keycloak.crypto.KeyUse;
import org.keycloak.crypto.KeyWrapper;
import org.keycloak.dom.saml.v2.SAML2Object;
import org.keycloak.dom.saml.v2.assertion.BaseIDAbstractType;
import org.keycloak.dom.saml.v2.assertion.NameIDType;
import org.keycloak.dom.saml.v2.assertion.SubjectType;
import org.keycloak.dom.saml.v2.protocol.AuthnRequestType;
import org.keycloak.dom.saml.v2.protocol.LogoutRequestType;
import org.keycloak.dom.saml.v2.protocol.NameIDPolicyType;
import org.keycloak.dom.saml.v2.protocol.RequestAbstractType;
import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
import org.keycloak.events.Errors;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeyManager;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.AuthorizationEndpointBase;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.utils.RedirectUtils;
import org.keycloak.protocol.saml.preprocessor.SamlAuthenticationPreprocessor;
import org.keycloak.protocol.saml.profile.ecp.SamlEcpProfileService;
import org.keycloak.rotation.HardcodedKeyLocator;
import org.keycloak.saml.SAML2LogoutResponseBuilder;
import org.keycloak.saml.SAMLRequestParser;
import org.keycloak.saml.SamlProtocolExtensionsAwareBuilder;
import org.keycloak.saml.SignatureAlgorithm;
import org.keycloak.saml.common.constants.GeneralConstants;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
import org.keycloak.saml.processing.core.util.KeycloakKeySamlExtensionGenerator;
import org.keycloak.saml.validators.DestinationValidator;
import org.keycloak.services.ErrorPage;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.RealmsResource;
import org.keycloak.services.util.CacheControlUtil;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.sessions.CommonClientSessionModel;
import org.keycloak.utils.MediaType;
import org.w3c.dom.NodeList;
import org.wildfly.security.http.HttpConstants;

/* loaded from: input_file:BOOT-INF/lib/keycloak-services-11.0.2.jar:org/keycloak/protocol/saml/SamlService.class */
public class SamlService extends AuthorizationEndpointBase {
    // Class-wide logger shared with the nested binding protocols (they reference SamlService.logger).
    protected static final Logger logger = Logger.getLogger((Class<?>) SamlService.class);
    // Validates the Destination attribute of incoming SAML requests/responses against this realm's SAML
    // endpoint (see BindingProtocol.getExpectedDestinationUri); injected through the constructor.
    private final DestinationValidator destinationValidator;

    /* loaded from: input_file:BOOT-INF/lib/keycloak-services-11.0.2.jar:org/keycloak/protocol/saml/SamlService$BindingProtocol.class */
    /**
     * Shared processing pipeline for the SAML HTTP-POST and HTTP-Redirect bindings.
     * {@link #execute} runs {@link #basicChecks} and then dispatches to
     * {@link #handleSamlRequest} (a SAMLRequest is present) or {@link #handleSamlResponse}.
     * Subclasses supply document parsing, signature verification, the "contains a plaintext
     * signature" test and the binding name; everything else (client lookup, destination
     * validation, session bookkeeping) lives here.
     */
    public abstract class BindingProtocol {
        // Forwarded to newBrowserAuthentication; the POST endpoint sets it to true (see postBinding),
        // the GET endpoint leaves the default false.
        protected boolean redirectToAuthentication;

        public BindingProtocol() {
        }

        /**
         * Preconditions that apply to every SAML message regardless of type.
         *
         * @param str  the raw SAMLRequest parameter, may be null
         * @param str2 the raw SAMLResponse parameter, may be null
         * @return an error page response, or null when processing may continue
         */
        protected Response basicChecks(String str, String str2) {
            // Realm SSL policy: see checkSsl() for what counts as acceptable.
            if (!checkSsl()) {
                SamlService.this.event.event(EventType.LOGIN);
                SamlService.this.event.error(Errors.SSL_REQUIRED);
                return ErrorPage.error(SamlService.this.session, null, Response.Status.BAD_REQUEST, Messages.HTTPS_REQUIRED, new Object[0]);
            }
            if (!SamlService.this.realm.isEnabled()) {
                SamlService.this.event.event(EventType.LOGIN_ERROR);
                SamlService.this.event.error(Errors.REALM_DISABLED);
                return ErrorPage.error(SamlService.this.session, null, Response.Status.BAD_REQUEST, Messages.REALM_NOT_ENABLED, new Object[0]);
            }
            // At least one of SAMLRequest / SAMLResponse must be present; execute() prefers the request.
            if (str != null || str2 != null) {
                return null;
            }
            SamlService.this.event.event(EventType.LOGIN);
            SamlService.this.event.error(Errors.SAML_TOKEN_NOT_FOUND);
            return ErrorPage.error(SamlService.this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST, new Object[0]);
        }

        /**
         * Handles an inbound SAMLResponse. This endpoint only expects logout responses: the event
         * is LOGOUT and the response is honoured solely to continue a browser logout whose user
         * session is already in state LOGGING_OUT.
         *
         * NOTE(review): unlike handleSamlRequest, this method never calls verifySignature on the
         * response; the only binding to a principal is the identity cookie plus the LOGGING_OUT
         * state check below. Confirm that this is the intended trust model for logout responses.
         *
         * @param str  the encoded SAMLResponse
         * @param str2 the RelayState (not used by this method)
         * @return the next step of the browser logout, or an error page
         */
        protected Response handleSamlResponse(String str, String str2) {
            SamlService.this.event.event(EventType.LOGOUT);
            SAMLDocumentHolder extractResponseDocument = extractResponseDocument(str);
            if (!(extractResponseDocument.getSamlObject() instanceof StatusResponseType)) {
                SamlService.this.event.detail("reason", Errors.INVALID_SAML_RESPONSE);
                SamlService.this.event.error(Errors.INVALID_SAML_RESPONSE);
                return ErrorPage.error(SamlService.this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST, new Object[0]);
            }
            StatusResponseType statusResponseType = (StatusResponseType) extractResponseDocument.getSamlObject();
            // A Destination is mandatory only when the document carries a plaintext signature.
            if (statusResponseType.getDestination() == null && containsUnencryptedSignature(extractResponseDocument)) {
                SamlService.this.event.detail("reason", "missing_required_destination");
                SamlService.this.event.error(Errors.INVALID_SAML_LOGOUT_RESPONSE);
                return ErrorPage.error(SamlService.this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST, new Object[0]);
            }
            // The destination (possibly null for an unsigned response) must match this realm's SAML
            // endpoint; how a null destination is treated is up to DestinationValidator.
            if (!SamlService.this.destinationValidator.validate(getExpectedDestinationUri(SamlService.this.session), statusResponseType.getDestination())) {
                SamlService.this.event.detail("reason", "invalid_destination");
                SamlService.this.event.error(Errors.INVALID_SAML_LOGOUT_RESPONSE);
                return ErrorPage.error(SamlService.this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST, new Object[0]);
            }
            // Decompiler artifact: a static method was invoked through the instance field; no effect.
            AuthenticationManager unused = SamlService.this.authManager;
            // Only a browser holding a valid identity cookie may advance a logout.
            AuthenticationManager.AuthResult authenticateIdentityCookie = AuthenticationManager.authenticateIdentityCookie(SamlService.this.session, SamlService.this.realm, false);
            if (authenticateIdentityCookie == null) {
                SamlService.logger.warn("Unknown saml response.");
                SamlService.this.event.event(EventType.LOGOUT);
                SamlService.this.event.error("invalid_token");
                return ErrorPage.error(SamlService.this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST, new Object[0]);
            }
            UserSessionModel session = authenticateIdentityCookie.getSession();
            // Unsolicited logout responses are rejected: the user session must already be logging out.
            if (session.getState() != UserSessionModel.State.LOGGING_OUT) {
                SamlService.logger.warn("Unknown saml response.");
                SamlService.logger.warn("UserSession is not tagged as logging out.");
                SamlService.this.event.event(EventType.LOGOUT);
                SamlService.this.event.error(Errors.INVALID_SAML_LOGOUT_RESPONSE);
                return ErrorPage.error(SamlService.this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST, new Object[0]);
            }
            // The Issuer value is used directly as the client id; a null Issuer would NPE here.
            String value = statusResponseType.getIssuer().getValue();
            ClientModel clientByClientId = SamlService.this.realm.getClientByClientId(value);
            if (clientByClientId == null) {
                SamlService.this.event.event(EventType.LOGOUT);
                SamlService.this.event.client(value);
                SamlService.this.event.error(Errors.CLIENT_NOT_FOUND);
                return ErrorPage.error(SamlService.this.session, null, Response.Status.BAD_REQUEST, Messages.CLIENT_NOT_FOUND, new Object[0]);
            }
            if (!SamlService.this.isClientProtocolCorrect(clientByClientId)) {
                SamlService.this.event.event(EventType.LOGOUT);
                SamlService.this.event.error("invalid_client");
                return ErrorPage.error(SamlService.this.session, null, Response.Status.BAD_REQUEST, "Wrong client protocol.", new Object[0]);
            }
            SamlService.this.session.getContext().setClient(clientByClientId);
            SamlService.logger.debug("logout response");
            // Decompiler artifact, see above.
            AuthenticationManager unused2 = SamlService.this.authManager;
            // Continue the browser logout with the remaining clients of this user session.
            Response browserLogout = AuthenticationManager.browserLogout(SamlService.this.session, SamlService.this.realm, session, SamlService.this.session.getContext().getUri(), SamlService.this.clientConnection, SamlService.this.headers, null);
            SamlService.this.event.success();
            return browserLogout;
        }

        /**
         * Handles an inbound SAMLRequest: parses it, resolves and checks the issuing client,
         * verifies the signature when the client requires one, and dispatches to
         * {@link #loginRequest} or {@link #logoutRequest}.
         *
         * Ordering worth knowing: client lookup and enablement checks run before any signature
         * verification, so those error pages are produced for unsigned requests as well.
         *
         * @param str  the encoded SAMLRequest
         * @param str2 the RelayState, may be null
         * @return the response of the dispatched handler, or an error page
         */
        protected Response handleSamlRequest(String str, String str2) {
            SAMLDocumentHolder extractRequestDocument = extractRequestDocument(str);
            if (extractRequestDocument == null) {
                SamlService.this.event.event(EventType.LOGIN);
                SamlService.this.event.error("invalid_token");
                return ErrorPage.error(SamlService.this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST, new Object[0]);
            }
            SAML2Object samlObject = extractRequestDocument.getSamlObject();
            // Only AuthnRequest and LogoutRequest are accepted; anything else is rejected with the type name recorded.
            if (samlObject instanceof AuthnRequestType) {
                SamlService.logger.debug("** login request");
                SamlService.this.event.event(EventType.LOGIN);
            } else {
                if (!(samlObject instanceof LogoutRequestType)) {
                    SamlService.this.event.event(EventType.LOGIN);
                    SamlService.this.event.error("invalid_token");
                    SamlService.this.event.detail("reason", "Unhandled SAML document type: " + (samlObject == null ? "<null>" : samlObject.getClass().getSimpleName()));
                    return ErrorPage.error(SamlService.this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST, new Object[0]);
                }
                SamlService.logger.debug("** logout request");
                SamlService.this.event.event(EventType.LOGOUT);
            }
            RequestAbstractType requestAbstractType = (RequestAbstractType) samlObject;
            // The Issuer identifies the client; a missing Issuer yields a null id and therefore CLIENT_NOT_FOUND.
            String value = requestAbstractType.getIssuer() == null ? null : requestAbstractType.getIssuer().getValue();
            ClientModel clientByClientId = SamlService.this.realm.getClientByClientId(value);
            if (clientByClientId == null) {
                SamlService.this.event.client(value);
                SamlService.this.event.error(Errors.CLIENT_NOT_FOUND);
                return ErrorPage.error(SamlService.this.session, null, Response.Status.BAD_REQUEST, Messages.UNKNOWN_LOGIN_REQUESTER, new Object[0]);
            }
            if (!clientByClientId.isEnabled()) {
                SamlService.this.event.error(Errors.CLIENT_DISABLED);
                return ErrorPage.error(SamlService.this.session, null, Response.Status.BAD_REQUEST, Messages.LOGIN_REQUESTER_NOT_ENABLED, new Object[0]);
            }
            if (clientByClientId.isBearerOnly()) {
                SamlService.this.event.error(Errors.NOT_ALLOWED);
                return ErrorPage.error(SamlService.this.session, null, Response.Status.BAD_REQUEST, Messages.BEARER_ONLY, new Object[0]);
            }
            if (!clientByClientId.isStandardFlowEnabled()) {
                SamlService.this.event.error(Errors.NOT_ALLOWED);
                return ErrorPage.error(SamlService.this.session, null, Response.Status.BAD_REQUEST, Messages.STANDARD_FLOW_DISABLED, new Object[0]);
            }
            if (!SamlService.this.isClientProtocolCorrect(clientByClientId)) {
                SamlService.this.event.error("invalid_client");
                return ErrorPage.error(SamlService.this.session, null, Response.Status.BAD_REQUEST, "Wrong client protocol.", new Object[0]);
            }
            SamlService.this.session.getContext().setClient(clientByClientId);
            try {
                // Signature verification is enforced only for clients configured to require it;
                // other clients' requests are accepted unsigned.
                if (new SamlClient(clientByClientId).requiresClientSignature()) {
                    verifySignature(extractRequestDocument, clientByClientId);
                }
                SamlService.logger.debug("verified request");
                // A request carrying a plaintext signature must name its Destination; the value itself
                // is checked later by validateDestination in loginRequest/logoutRequest.
                if (requestAbstractType.getDestination() == null && containsUnencryptedSignature(extractRequestDocument)) {
                    SamlService.this.event.detail("reason", "missing_required_destination");
                    SamlService.this.event.error("invalid_request");
                    return ErrorPage.error(SamlService.this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST, new Object[0]);
                }
                if (samlObject instanceof AuthnRequestType) {
                    return loginRequest(str2, (AuthnRequestType) samlObject, clientByClientId);
                }
                if (samlObject instanceof LogoutRequestType) {
                    return logoutRequest((LogoutRequestType) samlObject, clientByClientId, str2);
                }
                // Unreachable given the type check above; kept as a guard.
                throw new IllegalStateException("Invalid SAML object");
            } catch (VerificationException e) {
                // Signature failures are logged with the cause and reported as INVALID_SIGNATURE.
                SamlService.logger.error("request validation failed", e);
                SamlService.this.event.error(Errors.INVALID_SIGNATURE);
                return ErrorPage.error(SamlService.this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUESTER, new Object[0]);
            }
        }

        /**
         * Verifies the signature of the parsed request for the given client.
         *
         * @throws VerificationException when the signature is missing or does not verify
         */
        protected abstract void verifySignature(SAMLDocumentHolder sAMLDocumentHolder, ClientModel clientModel) throws VerificationException;

        /** Whether the message carries a signature in the clear (binding-specific representation). */
        protected abstract boolean containsUnencryptedSignature(SAMLDocumentHolder sAMLDocumentHolder);

        /** Decodes the SAMLRequest parameter as sent over this binding. */
        protected abstract SAMLDocumentHolder extractRequestDocument(String str);

        /** Decodes the SAMLResponse parameter as sent over this binding. */
        protected abstract SAMLDocumentHolder extractResponseDocument(String str);

        /* JADX INFO: Access modifiers changed from: protected */
        /**
         * Starts a browser login for an AuthnRequest: validates the Destination, resolves the
         * assertion consumer URL, records the request details on a new authentication session
         * and hands over to the authentication flow.
         *
         * @param str              the RelayState, echoed back to the client
         * @param authnRequestType the parsed AuthnRequest (may be replaced by preprocessors)
         * @param clientModel      the issuing client, already checked by handleSamlRequest
         * @return the first response of the authentication flow, or an error page
         */
        public Response loginRequest(String str, AuthnRequestType authnRequestType, ClientModel clientModel) {
            String attribute;
            SamlClient samlClient = new SamlClient(clientModel);
            if (!validateDestination(authnRequestType, samlClient, Errors.INVALID_SAML_AUTHN_REQUEST)) {
                return ErrorPage.error(SamlService.this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST, new Object[0]);
            }
            // Response binding: requested ProtocolBinding, overridden by the client's force-POST setting.
            String bindingType = getBindingType(authnRequestType);
            if (samlClient.forcePostBinding()) {
                bindingType = SamlProtocol.SAML_POST_BINDING;
            }
            URI assertionConsumerServiceURL = authnRequestType.getAssertionConsumerServiceURL();
            // No ACS URL in the request (the literal string "null" is treated the same): fall back to the
            // client's configured URL for the chosen binding, then to its management URL.
            if (assertionConsumerServiceURL == null || "null".equals(assertionConsumerServiceURL.toString())) {
                attribute = bindingType.equals(SamlProtocol.SAML_POST_BINDING) ? clientModel.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE) : clientModel.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE);
                if (attribute == null || attribute.trim().isEmpty()) {
                    attribute = clientModel.getManagementUrl();
                }
            } else {
                // An ACS URL supplied by the requester is never used as-is: verifyRedirectUri
                // (presumably against the client's registered redirect URIs) returns null when it is not acceptable.
                attribute = RedirectUtils.verifyRedirectUri(SamlService.this.session, assertionConsumerServiceURL.toString(), clientModel);
            }
            if (attribute == null) {
                SamlService.this.event.error("invalid_redirect_uri");
                return ErrorPage.error(SamlService.this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REDIRECT_URI, new Object[0]);
            }
            AuthenticationSessionModel createAuthenticationSession = SamlService.this.createAuthenticationSession(clientModel, str);
            createAuthenticationSession.setProtocol("saml");
            createAuthenticationSession.setRedirectUri(attribute);
            createAuthenticationSession.setAction(CommonClientSessionModel.Action.AUTHENTICATE.name());
            createAuthenticationSession.setClientNote(SamlProtocol.SAML_BINDING, bindingType);
            createAuthenticationSession.setClientNote(GeneralConstants.RELAY_STATE, str);
            // The request ID is kept so the response can carry it as InResponseTo.
            createAuthenticationSession.setClientNote(SamlProtocol.SAML_REQUEST_ID, authnRequestType.getID());
            NameIDPolicyType nameIDPolicy = authnRequestType.getNameIDPolicy();
            URI format = nameIDPolicy == null ? null : nameIDPolicy.getFormat();
            // A requested NameID format is honoured only when the client does not force its own,
            // and only if it is one of the supported formats.
            if (format != null && !samlClient.forceNameIDFormat()) {
                String uri = format.toString();
                if (!isSupportedNameIdFormat(uri)) {
                    SamlService.this.event.detail("reason", "unsupported_nameid_format");
                    SamlService.this.event.error(Errors.INVALID_SAML_AUTHN_REQUEST);
                    return ErrorPage.error(SamlService.this.session, null, Response.Status.BAD_REQUEST, Messages.UNSUPPORTED_NAME_ID_FORMAT, new Object[0]);
                }
                createAuthenticationSession.setClientNote(GeneralConstants.NAMEID_FORMAT, uri);
            }
            // A NameID subject in the request is stored as the login hint note.
            SubjectType subject = authnRequestType.getSubject();
            if (subject != null && subject.getSubType() != null) {
                BaseIDAbstractType baseID = subject.getSubType().getBaseID();
                if (baseID instanceof NameIDType) {
                    createAuthenticationSession.setClientNote(OIDCLoginProtocol.LOGIN_HINT_PARAM, ((NameIDType) baseID).getValue());
                }
            }
            // ForceAuthn is a nullable Boolean; only an explicit true is recorded.
            if (null != authnRequestType.isForceAuthn() && authnRequestType.isForceAuthn().booleanValue()) {
                createAuthenticationSession.setAuthNote(SamlProtocol.SAML_LOGIN_REQUEST_FORCEAUTHN, "true");
            }
            // Preprocessors may return a replacement request object; the last one wins.
            Iterator<SamlAuthenticationPreprocessor> samlAuthenticationPreprocessorIterator = SamlSessionUtils.getSamlAuthenticationPreprocessorIterator(SamlService.this.session);
            while (samlAuthenticationPreprocessorIterator.hasNext()) {
                authnRequestType = samlAuthenticationPreprocessorIterator.next().beforeProcessingLoginRequest(authnRequestType, createAuthenticationSession);
            }
            return SamlService.this.newBrowserAuthentication(createAuthenticationSession, null != authnRequestType.isIsPassive() && authnRequestType.isIsPassive().booleanValue(), this.redirectToAuthentication);
        }

        /**
         * Binding to use for the response: HTTP-POST when the request asks for it, "get" for any
         * other ProtocolBinding value, and the subclass default when none is given.
         */
        protected String getBindingType(AuthnRequestType authnRequestType) {
            URI protocolBinding = authnRequestType.getProtocolBinding();
            return protocolBinding != null ? JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get().equals(protocolBinding.toString()) ? SamlProtocol.SAML_POST_BINDING : "get" : getBindingType();
        }

        /** True for the four NameID formats this IdP can issue: email, transient, persistent, unspecified. */
        private boolean isSupportedNameIdFormat(String str) {
            return str.equals(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get()) || str.equals(JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get()) || str.equals(JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get()) || str.equals(JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get());
        }

        /** The binding this protocol instance represents (used when the request names none). */
        protected abstract String getBindingType();

        /**
         * Handles a LogoutRequest in one of two modes.
         * With an identity cookie (front channel) the user session is annotated with everything
         * needed to build the final LogoutResponse and the browser logout is started.
         * Without a cookie the SessionIndex values are resolved to client sessions, their user
         * sessions are logged out via the back channel, and a LogoutResponse is returned directly.
         *
         * @param logoutRequestType the parsed LogoutRequest (may be replaced by preprocessors)
         * @param clientModel       the issuing client, already checked by handleSamlRequest
         * @param str               the RelayState, may be null
         * @return the browser logout continuation or the built LogoutResponse
         */
        protected Response logoutRequest(LogoutRequestType logoutRequestType, ClientModel clientModel, String str) {
            SamlClient samlClient = new SamlClient(clientModel);
            if (!validateDestination(logoutRequestType, samlClient, Errors.INVALID_SAML_LOGOUT_REQUEST)) {
                return ErrorPage.error(SamlService.this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST, new Object[0]);
            }
            // Decompiler artifact: a static method was invoked through the instance field; no effect.
            AuthenticationManager unused = SamlService.this.authManager;
            AuthenticationManager.AuthResult authenticateIdentityCookie = AuthenticationManager.authenticateIdentityCookie(SamlService.this.session, SamlService.this.realm, false);
            if (authenticateIdentityCookie != null) {
                String bindingType = getBindingType();
                // Force-POST only takes effect if the client actually has a POST logout URL configured.
                String logoutServiceUrl = SamlProtocol.getLogoutServiceUrl(SamlService.this.session, clientModel, SamlProtocol.SAML_POST_BINDING);
                if (samlClient.forcePostBinding() && logoutServiceUrl != null && !logoutServiceUrl.trim().isEmpty()) {
                    bindingType = SamlProtocol.SAML_POST_BINDING;
                }
                boolean equals = Objects.equals(SamlProtocol.SAML_POST_BINDING, bindingType);
                String logoutServiceUrl2 = SamlProtocol.getLogoutServiceUrl(SamlService.this.session, clientModel, bindingType);
                UserSessionModel session = authenticateIdentityCookie.getSession();
                // Everything the later LogoutResponse needs is stored as user-session notes,
                // since it is built after the other clients have been logged out.
                session.setNote(SamlProtocol.SAML_LOGOUT_BINDING_URI, logoutServiceUrl2);
                if (samlClient.requiresRealmSignature()) {
                    session.setNote(SamlProtocol.SAML_LOGOUT_SIGNATURE_ALGORITHM, samlClient.getSignatureAlgorithm().toString());
                }
                if (str != null) {
                    session.setNote(SamlProtocol.SAML_LOGOUT_RELAY_STATE, str);
                }
                session.setNote(SamlProtocol.SAML_LOGOUT_REQUEST_ID, logoutRequestType.getID());
                session.setNote(SamlProtocol.SAML_LOGOUT_BINDING, bindingType);
                // The KeyInfo extension is only added for the non-POST (redirect) binding.
                session.setNote(SamlProtocol.SAML_LOGOUT_ADD_EXTENSIONS_ELEMENT_WITH_KEY_INFO, Boolean.toString(!equals && samlClient.addExtensionsElementWithKeyInfo()));
                session.setNote(SamlProtocol.SAML_SERVER_SIGNATURE_KEYINFO_KEY_NAME_TRANSFORMER, samlClient.getXmlSigKeyInfoKeyNameTransformer().name());
                session.setNote(SamlProtocol.SAML_LOGOUT_CANONICALIZATION, samlClient.getCanonicalizationMethod());
                session.setNote(AuthenticationManager.KEYCLOAK_LOGOUT_PROTOCOL, "saml");
                // The requesting client is already logged out; mark its client session accordingly.
                AuthenticatedClientSessionModel authenticatedClientSessionByClient = session.getAuthenticatedClientSessionByClient(clientModel.getId());
                if (authenticatedClientSessionByClient != null) {
                    authenticatedClientSessionByClient.setAction(CommonClientSessionModel.Action.LOGGED_OUT.name());
                }
                Iterator<SamlAuthenticationPreprocessor> samlAuthenticationPreprocessorIterator = SamlSessionUtils.getSamlAuthenticationPreprocessorIterator(SamlService.this.session);
                while (samlAuthenticationPreprocessorIterator.hasNext()) {
                    logoutRequestType = samlAuthenticationPreprocessorIterator.next().beforeProcessingLogoutRequest(logoutRequestType, session, authenticatedClientSessionByClient);
                }
                SamlService.logger.debug("browser Logout");
                // Decompiler artifact, see above.
                AuthenticationManager unused2 = SamlService.this.authManager;
                return AuthenticationManager.browserLogout(SamlService.this.session, SamlService.this.realm, session, SamlService.this.session.getContext().getUri(), SamlService.this.clientConnection, SamlService.this.headers, null);
            }
            // No identity cookie: back-channel style logout driven by the SessionIndex elements.
            if (logoutRequestType.getSessionIndex() != null) {
                Iterator<String> it = logoutRequestType.getSessionIndex().iterator();
                while (it.hasNext()) {
                    AuthenticatedClientSessionModel clientSession = SamlSessionUtils.getClientSession(SamlService.this.session, SamlService.this.realm, it.next());
                    if (clientSession != null) {
                        UserSessionModel userSession = clientSession.getUserSession();
                        // NOTE(review): the client-id comparison only gates the LOGGED_OUT marker; the
                        // backchannelLogout below runs for the owning user session even when the
                        // SessionIndex belongs to a different client's session. Confirm this is intended.
                        if (clientSession.getClient().getClientId().equals(clientModel.getClientId())) {
                            clientSession.setAction(CommonClientSessionModel.Action.LOGGED_OUT.name());
                        }
                        Iterator<SamlAuthenticationPreprocessor> samlAuthenticationPreprocessorIterator2 = SamlSessionUtils.getSamlAuthenticationPreprocessorIterator(SamlService.this.session);
                        while (samlAuthenticationPreprocessorIterator2.hasNext()) {
                            logoutRequestType = samlAuthenticationPreprocessorIterator2.next().beforeProcessingLogoutRequest(logoutRequestType, userSession, clientSession);
                        }
                        try {
                            // Decompiler artifact, see above.
                            AuthenticationManager unused3 = SamlService.this.authManager;
                            AuthenticationManager.backchannelLogout(SamlService.this.session, SamlService.this.realm, userSession, SamlService.this.session.getContext().getUri(), SamlService.this.clientConnection, SamlService.this.headers, true);
                        } catch (Exception e) {
                            // Best effort: a failure for one session is logged and the remaining indexes are still processed.
                            SamlService.logger.warn("Failure with backchannel logout", e);
                        }
                    }
                }
            }
            // Build the LogoutResponse for the requester over this binding's default transport.
            String bindingType2 = getBindingType();
            String logoutServiceUrl3 = SamlProtocol.getLogoutServiceUrl(SamlService.this.session, clientModel, bindingType2);
            SAML2LogoutResponseBuilder sAML2LogoutResponseBuilder = new SAML2LogoutResponseBuilder();
            sAML2LogoutResponseBuilder.logoutRequestID(logoutRequestType.getID());
            sAML2LogoutResponseBuilder.destination(logoutServiceUrl3);
            sAML2LogoutResponseBuilder.issuer(RealmsResource.realmBaseUrl(SamlService.this.session.getContext().getUri()).build(SamlService.this.realm.getName()).toString());
            JaxrsSAML2BindingBuilder relayState = new JaxrsSAML2BindingBuilder(SamlService.this.session).relayState(str);
            boolean equals2 = SamlProtocol.SAML_POST_BINDING.equals(bindingType2);
            // Sign with the realm's active RSA key when the client expects realm signatures.
            if (samlClient.requiresRealmSignature()) {
                SignatureAlgorithm signatureAlgorithm = samlClient.getSignatureAlgorithm();
                KeyManager.ActiveRsaKey activeRsaKey = SamlService.this.session.keys().getActiveRsaKey(SamlService.this.realm);
                relayState.signatureAlgorithm(signatureAlgorithm).signWith(activeRsaKey.getKid(), activeRsaKey.getPrivateKey(), activeRsaKey.getPublicKey(), activeRsaKey.getCertificate()).signDocument();
                if (!equals2 && samlClient.addExtensionsElementWithKeyInfo()) {
                    sAML2LogoutResponseBuilder.addExtension((SamlProtocolExtensionsAwareBuilder.NodeGenerator) new KeycloakKeySamlExtensionGenerator(activeRsaKey.getKid()));
                }
            }
            try {
                return equals2 ? relayState.postBinding(sAML2LogoutResponseBuilder.buildDocument()).response(logoutServiceUrl3) : relayState.redirectBinding(sAML2LogoutResponseBuilder.buildDocument()).response(logoutServiceUrl3);
            } catch (Exception e2) {
                // Document building declares checked exceptions; wrap them with the cause preserved.
                throw new RuntimeException(e2);
            }
        }

        /**
         * Checks the request's Destination. A missing Destination is only an error when the client
         * requires signed requests; otherwise the (possibly null) value is handed to the
         * DestinationValidator together with this realm's SAML endpoint.
         *
         * @param requestAbstractType the request whose Destination is checked
         * @param samlClient          client configuration (for requiresClientSignature)
         * @param str                 the error code to record on failure
         * @return true when the destination is acceptable; false after recording the error
         */
        private boolean validateDestination(RequestAbstractType requestAbstractType, SamlClient samlClient, String str) {
            if (requestAbstractType.getDestination() == null && samlClient.requiresClientSignature()) {
                SamlService.this.event.detail("reason", "missing_destination_required");
                SamlService.this.event.error(str);
                return false;
            }
            if (SamlService.this.destinationValidator.validate(getExpectedDestinationUri(SamlService.this.session), requestAbstractType.getDestination())) {
                return true;
            }
            SamlService.this.event.detail("reason", "invalid_destination");
            SamlService.this.event.error(str);
            return false;
        }

        /**
         * True when the request base URI is https, or when the realm's SSL-required policy does
         * not apply to this client connection.
         */
        private boolean checkSsl() {
            return SamlService.this.session.getContext().getUri().getBaseUri().getScheme().equals(HttpConstants.HTTPS) || !SamlService.this.realm.getSslRequired().isRequired(SamlService.this.clientConnection);
        }

        /**
         * Entry point used by the GET and POST endpoints.
         *
         * @param str  SAMLRequest parameter, may be null
         * @param str2 SAMLResponse parameter, may be null
         * @param str3 RelayState parameter, may be null
         * @return the error page from basicChecks, else the result of request or response handling
         *         (a request takes precedence when both parameters are present)
         */
        public Response execute(String str, String str2, String str3) {
            Response basicChecks = basicChecks(str, str2);
            return basicChecks != null ? basicChecks : str != null ? handleSamlRequest(str, str3) : handleSamlResponse(str2, str3);
        }

        /** The URI a requester must name as Destination: this realm's SAML endpoint under the request base URI. */
        protected URI getExpectedDestinationUri(KeycloakSession keycloakSession) {
            return Urls.samlRequestEndpoint(keycloakSession.getContext().getUri().getBaseUri(), keycloakSession.getContext().getRealm().getName());
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:BOOT-INF/lib/keycloak-services-11.0.2.jar:org/keycloak/protocol/saml/SamlService$PostBindingProtocol.class */
    /**
     * HTTP-POST binding: the SAML document arrives as a form field and any XML signature
     * is carried inside the document itself, so signature checks work on the parsed DOM.
     */
    public class PostBindingProtocol extends BindingProtocol {
        public PostBindingProtocol() {
            super();
        }

        /** Always the POST binding. */
        @Override // org.keycloak.protocol.saml.SamlService.BindingProtocol
        protected String getBindingType() {
            return SamlProtocol.SAML_POST_BINDING;
        }

        /** Verifies the enveloped XML signature against the client's configured key. */
        @Override // org.keycloak.protocol.saml.SamlService.BindingProtocol
        protected void verifySignature(SAMLDocumentHolder holder, ClientModel client) throws VerificationException {
            SamlProtocolUtils.verifyDocumentSignature(client, holder.getSamlDocument());
        }

        /** True when the document contains at least one ds:Signature element. */
        @Override // org.keycloak.protocol.saml.SamlService.BindingProtocol
        protected boolean containsUnencryptedSignature(SAMLDocumentHolder holder) {
            NodeList signatureNodes = holder.getSamlDocument().getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature");
            if (signatureNodes == null) {
                return false;
            }
            return signatureNodes.getLength() > 0;
        }

        /** Decodes a POST-binding SAMLRequest form value. */
        @Override // org.keycloak.protocol.saml.SamlService.BindingProtocol
        protected SAMLDocumentHolder extractRequestDocument(String encodedRequest) {
            SAMLDocumentHolder parsed = SAMLRequestParser.parseRequestPostBinding(encodedRequest);
            return parsed;
        }

        /** Decodes a POST-binding SAMLResponse form value. */
        @Override // org.keycloak.protocol.saml.SamlService.BindingProtocol
        protected SAMLDocumentHolder extractResponseDocument(String encodedResponse) {
            SAMLDocumentHolder parsed = SAMLRequestParser.parseResponsePostBinding(encodedResponse);
            return parsed;
        }
    }

    /* loaded from: input_file:BOOT-INF/lib/keycloak-services-11.0.2.jar:org/keycloak/protocol/saml/SamlService$RedirectBindingProtocol.class */
    /**
     * HTTP-Redirect binding: the SAML document is deflated into a query parameter and the
     * signature, when present, is a separate query parameter over the query string
     * rather than an element inside the document.
     */
    protected class RedirectBindingProtocol extends BindingProtocol {
        protected RedirectBindingProtocol() {
            super();
        }

        /** Always the redirect ("get") binding. */
        @Override // org.keycloak.protocol.saml.SamlService.BindingProtocol
        protected String getBindingType() {
            return "get";
        }

        /** Verifies the query-string signature of the SAMLRequest parameter with the client's key. */
        @Override // org.keycloak.protocol.saml.SamlService.BindingProtocol
        protected void verifySignature(SAMLDocumentHolder holder, ClientModel client) throws VerificationException {
            HardcodedKeyLocator keyLocator = new HardcodedKeyLocator(SamlProtocolUtils.getSignatureValidationKey(client));
            SamlProtocolUtils.verifyRedirectSignature(holder, keyLocator, SamlService.this.session.getContext().getUri(), GeneralConstants.SAML_REQUEST_KEY);
        }

        /** True when the request query string carries a SigAlg parameter (the redirect-binding signature marker). */
        @Override // org.keycloak.protocol.saml.SamlService.BindingProtocol
        protected boolean containsUnencryptedSignature(SAMLDocumentHolder holder) {
            String signatureAlgorithmParam = SamlService.this.session.getContext().getUri().getQueryParameters(false).getFirst(GeneralConstants.SAML_SIG_ALG_REQUEST_KEY);
            return signatureAlgorithmParam != null;
        }

        /** Decodes a redirect-binding SAMLRequest query value. */
        @Override // org.keycloak.protocol.saml.SamlService.BindingProtocol
        protected SAMLDocumentHolder extractRequestDocument(String encodedRequest) {
            SAMLDocumentHolder parsed = SAMLRequestParser.parseRequestRedirectBinding(encodedRequest);
            return parsed;
        }

        /** Decodes a redirect-binding SAMLResponse query value. */
        @Override // org.keycloak.protocol.saml.SamlService.BindingProtocol
        protected SAMLDocumentHolder extractResponseDocument(String encodedResponse) {
            SAMLDocumentHolder parsed = SAMLRequestParser.parseResponseRedirectBinding(encodedResponse);
            return parsed;
        }
    }

    /**
     * Creates the SAML protocol endpoint for one realm.
     *
     * @param realmModel           the realm this endpoint serves
     * @param eventBuilder         event sink for login/error events
     * @param destinationValidator validator handed on to the ECP profile service
     *                             (see {@code soapBinding}); not used directly here
     */
    public SamlService(RealmModel realmModel, EventBuilder eventBuilder, DestinationValidator destinationValidator) {
        super(realmModel, eventBuilder);
        this.destinationValidator = destinationValidator;
    }

    /**
     * Starts browser-based authentication using a freshly configured {@link SamlProtocol}
     * bound to this endpoint's event builder, headers, realm, session and request URI.
     *
     * @param authenticationSessionModel the login session to authenticate
     * @param z  first flag passed through to the four-argument overload
     * @param z2 second flag passed through to the four-argument overload
     * @return the response produced by the browser authentication flow
     */
    protected Response newBrowserAuthentication(AuthenticationSessionModel authenticationSessionModel, boolean z, boolean z2) {
        UriInfo requestUri = (UriInfo) this.session.getContext().getUri();
        SamlProtocol protocol = new SamlProtocol()
                .setEventBuilder(this.event)
                .setHttpHeaders(this.headers)
                .setRealm(this.realm)
                .setSession(this.session)
                .setUriInfo(requestUri);
        return newBrowserAuthentication(authenticationSessionModel, z, z2, protocol);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Hands the login session to the browser authentication flow with the given protocol
     * instance. (Declared {@code protected} in the original source; the decompiler widened it.)
     *
     * @param authenticationSessionModel the login session to authenticate
     * @param z            first flag, forwarded as the third argument of
     *                     {@code handleBrowserAuthenticationRequest}
     * @param z2           second flag, forwarded as the fourth argument
     * @param samlProtocol the protocol instance that will build the SAML response
     * @return the response produced by the browser authentication flow
     */
    public Response newBrowserAuthentication(AuthenticationSessionModel authenticationSessionModel, boolean z, boolean z2, SamlProtocol samlProtocol) {
        Response flowResponse = handleBrowserAuthenticationRequest(authenticationSessionModel, samlProtocol, z, z2);
        return flowResponse;
    }

    /**
     * Entry point for the HTTP-Redirect binding (GET with query parameters).
     *
     * Sets the no-back-button cache-control header before delegating, so the browser does
     * not replay the SAML message from cache.
     *
     * @param str  the {@code SAMLRequest} query parameter, may be {@code null}
     * @param str2 the {@code SAMLResponse} query parameter, may be {@code null}
     * @param str3 the {@code RelayState} query parameter, may be {@code null}
     * @return the response of the binding protocol
     */
    @GET
    public Response redirectBinding(@QueryParam("SAMLRequest") String str, @QueryParam("SAMLResponse") String str2, @QueryParam("RelayState") String str3) {
        logger.debug("SAML GET");
        CacheControlUtil.noBackButtonCacheControlHeader();
        RedirectBindingProtocol redirect = new RedirectBindingProtocol();
        return redirect.execute(str, str2, str3);
    }

    /**
     * Entry point for the HTTP-POST binding (form-encoded body).
     *
     * Unlike the redirect binding, the POST protocol is told to redirect to the
     * authentication flow ({@code redirectToAuthentication = true}) rather than render it
     * directly.
     *
     * @param str  the {@code SAMLRequest} form field, may be {@code null}
     * @param str2 the {@code SAMLResponse} form field, may be {@code null}
     * @param str3 the {@code RelayState} form field, may be {@code null}
     * @return the response of the binding protocol
     */
    @POST
    @NoCache
    @Consumes({"application/x-www-form-urlencoded"})
    public Response postBinding(@FormParam("SAMLRequest") String str, @FormParam("SAMLResponse") String str2, @FormParam("RelayState") String str3) {
        logger.debug("SAML POST");
        PostBindingProtocol post = new PostBindingProtocol();
        post.redirectToAuthentication = true;
        Response result = post.execute(str, str2, str3);
        return result;
    }

    /**
     * Serves the realm's IdP metadata descriptor as XML.
     *
     * @return the descriptor document; an empty string if generation failed
     *         (see {@link #getIDPMetadataDescriptor})
     * @throws Exception declared for compatibility; the delegate catches its own errors
     */
    @GET
    @Path("descriptor")
    @NoCache
    @Produces({"application/xml"})
    public String getDescriptor() throws Exception {
        UriInfo requestUri = this.session.getContext().getUri();
        String descriptor = getIDPMetadataDescriptor(requestUri, this.session, this.realm);
        return descriptor;
    }

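    /**
     * Builds the realm's SAML IdP metadata descriptor, publishing every RS256 signing key
     * returned by the key manager as a {@code KeyInfo} element.
     *
     * Key ordering: active keys first, then passive ones, each group in descending provider
     * priority, then by kid. The original comparator cast a {@code long} priority difference
     * to {@code int} (overflow-prone) and had no tie-break, so two keys with the same status
     * and priority collapsed into a single {@link TreeSet} entry and one of them silently
     * vanished from the published metadata — a relying party would then reject assertions
     * signed with the missing key.
     *
     * @param uriInfo         request URI used to derive the realm's endpoint URLs
     * @param keycloakSession session giving access to the realm's key manager
     * @param realmModel      the realm whose descriptor is built
     * @return the descriptor XML, or {@code ""} if it could not be generated (the error is logged)
     */
    public static String getIDPMetadataDescriptor(UriInfo uriInfo, KeycloakSession keycloakSession, RealmModel realmModel) {
        TreeSet<KeyWrapper> keys = new TreeSet<>((a, b) -> {
            // NOTE(review): only ACTIVE and PASSIVE are distinguished here; confirm that
            // keys().getKeys(...) never returns DISABLED keys, otherwise they are ranked like ACTIVE.
            boolean aPassive = a.getStatus() == KeyStatus.PASSIVE;
            boolean bPassive = b.getStatus() == KeyStatus.PASSIVE;
            if (aPassive != bPassive) {
                return aPassive ? 1 : -1;
            }
            // Long.compare instead of (int)(b - a): no overflow, and a proper total order.
            int byPriority = Long.compare(b.getProviderPriority(), a.getProviderPriority());
            if (byPriority != 0) {
                return byPriority;
            }
            // Tie-break on kid so equal-priority keys are both kept by the TreeSet.
            String aKid = a.getKid() == null ? "" : a.getKid();
            String bKid = b.getKid() == null ? "" : b.getKid();
            return aKid.compareTo(bKid);
        });
        keys.addAll(keycloakSession.keys().getKeys(realmModel, KeyUse.SIG, "RS256"));
        try {
            // Raw type kept on purpose: the element type is declared by IDPMetadataDescriptor,
            // whose import is not visible here.
            ArrayList keyInfoElements = new ArrayList(keys.size());
            for (KeyWrapper key : keys) {
                if (key.getCertificate() == null) {
                    // A key without a certificate cannot be published for signature validation;
                    // skip it rather than let the whole descriptor fail with an empty body.
                    logger.debugf("Skipping signing key without certificate: kid=%s", key.getKid());
                    continue;
                }
                keyInfoElements.add(IDPMetadataDescriptor.buildKeyInfoElement(
                        key.getKid(), PemUtils.encodeCertificate(key.getCertificate())));
            }
            // The same SAML endpoint URL serves SSO (POST/redirect) and logout, hence three
            // identical arguments; compute it once.
            URI samlEndpoint = RealmsResource.protocolUrl(uriInfo).build(realmModel.getName(), SamlProtocol.LOGIN_PROTOCOL);
            String entityId = RealmsResource.realmBaseUrl(uriInfo).build(realmModel.getName()).toString();
            return IDPMetadataDescriptor.getIDPDescriptor(samlEndpoint, samlEndpoint, samlEndpoint, entityId, true, keyInfoElements, null);
        } catch (Exception e) {
            // Caller (getDescriptor) returns this empty body with a success status; callers
            // polling metadata should treat "" as a failure.
            logger.error("Cannot generate IdP metadata", e);
            return "";
        }
    }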

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Checks that the client is registered for the SAML protocol, so that an OIDC client
     * cannot be driven through the SAML endpoints. (Originally {@code private}; the
     * decompiler widened it.)
     *
     * @param clientModel the client to check
     * @return {@code true} iff the client's protocol is {@code "saml"}
     */
    public boolean isClientProtocolCorrect(ClientModel clientModel) {
        String protocol = clientModel.getProtocol();
        return Objects.equals(SamlProtocol.LOGIN_PROTOCOL, protocol);
    }

    /**
     * IdP-initiated SSO: {@code GET clients/{client}} starts a login for the client whose
     * configured IdP-initiated SSO URL name equals the path segment.
     *
     * The segment is matched against a client attribute, not the client id, so the realm's
     * clients are scanned linearly. The client must exist, be enabled and use the SAML
     * protocol; each failure is recorded as an event and answered with a 400 error page.
     * Absence of a usable assertion consumer URL is also a 400 (INVALID_REDIRECT_URI).
     *
     * @param str  the {@code client} path segment (IdP-initiated SSO URL name)
     * @param str2 optional {@code RelayState}; forwarded into the login session
     * @return the browser authentication response, or an error page
     */
    @GET
    @Produces({MediaType.TEXT_HTML_UTF_8})
    @Path("clients/{client}")
    public Response idpInitiatedSSO(@PathParam("client") String str, @QueryParam("RelayState") String str2) {
        this.event.event(EventType.LOGIN);
        CacheControlUtil.noBackButtonCacheControlHeader();

        ClientModel target = null;
        for (ClientModel candidate : this.realm.getClients()) {
            String ssoUrlName = candidate.getAttribute(SamlProtocol.SAML_IDP_INITIATED_SSO_URL_NAME);
            if (ssoUrlName != null && ssoUrlName.equals(str)) {
                target = candidate;
                break;
            }
        }

        if (target == null) {
            this.event.error(Errors.CLIENT_NOT_FOUND);
            return ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, Messages.CLIENT_NOT_FOUND, new Object[0]);
        }
        if (!target.isEnabled()) {
            this.event.error(Errors.CLIENT_DISABLED);
            return ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, Messages.CLIENT_DISABLED, new Object[0]);
        }
        if (!isClientProtocolCorrect(target)) {
            this.event.error(Errors.INVALID_CLIENT);
            return ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, "Wrong client protocol.", new Object[0]);
        }

        this.session.getContext().setClient(target);
        AuthenticationSessionModel loginSession =
                getOrCreateLoginSessionForIdpInitiatedSso(this.session, this.realm, target, str2);
        if (loginSession == null) {
            // No POST/redirect ACS URL and no management URL configured for the client.
            logger.error("SAML assertion consumer url not set up");
            this.event.error(Errors.INVALID_REDIRECT_URI);
            return ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REDIRECT_URI, new Object[0]);
        }
        return newBrowserAuthentication(loginSession, false, false);
    }

    /**
     * Picks the assertion consumer URL and binding for an IdP-initiated login.
     *
     * Precedence: the client's POST ACS attribute, then its management URL (still with the
     * POST binding), then its redirect ACS attribute. All values are trimmed; blank values are
     * treated as unset. These come from client configuration, not from the request.
     *
     * @param clientModel the client being logged into
     * @return {@code {url, binding}}, or {@code null} when none of the three is configured
     */
    private String[] getUrlAndBindingForIdpInitiatedSso(ClientModel clientModel) {
        String postAcs = clientModel.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE);
        String redirectAcs = clientModel.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE);

        if (postAcs != null && !postAcs.trim().isEmpty()) {
            return new String[]{postAcs.trim(), SamlProtocol.SAML_POST_BINDING};
        }
        String managementUrl = clientModel.getManagementUrl();
        if (managementUrl != null && !managementUrl.trim().isEmpty()) {
            return new String[]{managementUrl.trim(), SamlProtocol.SAML_POST_BINDING};
        }
        if (redirectAcs != null && !redirectAcs.trim().isEmpty()) {
            return new String[]{redirectAcs.trim(), SamlProtocol.SAML_REDIRECT_BINDING};
        }
        return null;
    }

    /**
     * Prepares the login session for an IdP-initiated SAML login.
     *
     * Despite the name, this visible implementation always calls
     * {@code createAuthenticationSession}; any reuse of an existing session would happen
     * inside that call (not shown here). The redirect URI is taken verbatim from the
     * client's configured ACS/management URL (admin-controlled, not request-controlled).
     * The request's {@code RelayState} wins over the client's configured default
     * ({@code SAML_IDP_INITIATED_SSO_RELAY_STATE}); blank values are not stored.
     *
     * @param keycloakSession unused here; kept for the public signature
     * @param realmModel      unused here; kept for the public signature
     * @param clientModel     the client being logged into
     * @param str             the {@code RelayState} from the request, may be {@code null}
     * @return the new login session, or {@code null} if the client has no usable ACS URL
     */
    public AuthenticationSessionModel getOrCreateLoginSessionForIdpInitiatedSso(KeycloakSession keycloakSession, RealmModel realmModel, ClientModel clientModel, String str) {
        String[] urlAndBinding = getUrlAndBindingForIdpInitiatedSso(clientModel);
        if (urlAndBinding == null) {
            return null;
        }
        final String acsUrl = urlAndBinding[0];
        final String binding = urlAndBinding[1];

        AuthenticationSessionModel loginSession = createAuthenticationSession(clientModel, null);
        loginSession.setProtocol(SamlProtocol.LOGIN_PROTOCOL);
        loginSession.setAction(CommonClientSessionModel.Action.AUTHENTICATE.name());
        loginSession.setClientNote(SamlProtocol.SAML_BINDING, binding);
        loginSession.setClientNote(SamlProtocol.SAML_IDP_INITIATED_LOGIN, "true");
        loginSession.setRedirectUri(acsUrl);

        String relayState = str != null ? str : clientModel.getAttribute(SamlProtocol.SAML_IDP_INITIATED_SSO_RELAY_STATE);
        if (relayState != null && !relayState.trim().isEmpty()) {
            loginSession.setClientNote(GeneralConstants.RELAY_STATE, relayState);
        }
        return loginSession;
    }

    /**
     * Entry point for the SAML ECP (SOAP) profile.
     *
     * A fresh {@link SamlEcpProfileService} is created per request and has its RESTEasy
     * context properties injected before the body is handed to it; the destination
     * validator passed in the constructor is forwarded here.
     *
     * @param inputStream the raw SOAP request body
     * @return the ECP service's authentication response
     */
    @POST
    @NoCache
    @Consumes({"application/soap+xml", "text/xml"})
    public Response soapBinding(InputStream inputStream) {
        SamlEcpProfileService ecp = new SamlEcpProfileService(this.realm, this.event, this.destinationValidator);
        ResteasyProviderFactory.getInstance().injectProperties(ecp);
        Response result = ecp.authenticate(inputStream);
        return result;
    }
}
