package io.jans.saml;

import io.jans.configapi.plugin.keycloak.idp.broker.util.Constants;
import io.jans.zip.CompressionHelper;
import jakarta.xml.bind.DatatypeConverter;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.Signature;
import java.text.SimpleDateFormat;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.Date;
import java.util.Objects;
import java.util.TimeZone;
import java.util.UUID;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLOutputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamWriter;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.apache.commons.codec.binary.Base64;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.saml.ext.OpenSAMLUtil;
import org.keycloak.representations.docker.DockerAccess;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.core.AuthnContext;
import org.opensaml.saml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.NameIDPolicy;
import org.opensaml.saml.saml2.core.RequestedAuthnContext;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.signature.SignatureException;
import org.opensaml.xml.signature.Signer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/* loaded from: input_file:io/jans/saml/AuthRequest.class */
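/**
 * Builds a SAML 2.0 {@code AuthnRequest} for a service provider and produces the
 * encoded / signed forms needed by the HTTP-Redirect and HTTP-POST bindings.
 *
 * <p>One instance corresponds to one request: the request {@code ID} and the
 * {@code IssueInstant} are fixed when the instance is created, so every
 * {@code getRequest}/{@code getStreamedRequest} call on the same instance yields
 * the same identifiers. Create a new instance per authentication attempt.
 *
 * <p>Signing and verification parameters (algorithm, key material, signature
 * algorithm URI) always come from the injected {@link SamlConfiguration}, never
 * from request data, so a peer cannot steer algorithm selection.
 */
public class AuthRequest {
    private static final Logger LOG = LoggerFactory.getLogger(AuthRequest.class);

    /**
     * Formatter for the {@code IssueInstant} attribute.
     *
     * <p>SAML requires an {@code xs:dateTime} expressed in UTC. The previous
     * {@code SimpleDateFormat} pattern used an unpadded hour ({@code H}) and no
     * {@code Z} designator, which is not schema-valid, and {@code SimpleDateFormat}
     * is not safe to share across threads; {@link DateTimeFormatter} is immutable.
     */
    private static final DateTimeFormatter ISSUE_INSTANT_FORMAT =
            DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ss'Z'").withZone(ZoneOffset.UTC);

    /** Namespace prefixes used for the protocol and assertion namespaces. */
    private static final String SAMLP_PREFIX = "samlp";
    private static final String SAML_PREFIX = "saml";

    /** Exclusive XML canonicalisation, used for the enveloped (POST binding) signature. */
    private static final String EXC_C14N_ALGORITHM = "http://www.w3.org/2001/10/xml-exc-c14n#";

    /** Xerces feature that rejects any DOCTYPE, which closes the XXE / entity-expansion class. */
    private static final String DISALLOW_DOCTYPE_FEATURE =
            "http://apache.org/xml/features/disallow-doctype-decl";

    /** Request ID; an xs:ID must not start with a digit, hence the underscore prefix. */
    private final String id = "_" + UUID.randomUUID();
    private final String issueInstant = ISSUE_INSTANT_FORMAT.format(Instant.now());
    private final SamlConfiguration samlSettings;

    /**
     * @param samlConfiguration provider settings (issuer, IdP SSO URL, ACS URL,
     *                          NameID format, signing key / certificate); must not be null
     */
    public AuthRequest(SamlConfiguration samlConfiguration) {
        this.samlSettings = Objects.requireNonNull(samlConfiguration, "samlConfiguration");
    }

    /**
     * Builds the {@code AuthnRequest} via the DOM API.
     *
     * @param deflateAndUrlEncode when {@code true} the XML is DEFLATE-compressed,
     *                            Base64-encoded and URL-encoded (HTTP-Redirect form);
     *                            when {@code false} the plain XML text is returned
     * @param assertionConsumerServiceUrl value of the {@code AssertionConsumerServiceURL} attribute
     * @return the encoded or plain request
     * @throws ParserConfigurationException if no DOM builder is available
     * @throws XMLStreamException           declared for API compatibility; not thrown by this path
     * @throws IOException                  if compression or URL encoding fails
     * @throws TransformerException         if the DOM cannot be serialised
     */
    public String getRequest(boolean deflateAndUrlEncode, String assertionConsumerServiceUrl)
            throws ParserConfigurationException, XMLStreamException, IOException, TransformerException {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();

        Element authnRequest = doc.createElementNS(SAMLConstants.SAML20P_NS, SAMLP_PREFIX + ":AuthnRequest");
        authnRequest.setAttribute("ID", this.id);
        authnRequest.setAttribute("Version", "2.0");
        authnRequest.setAttribute("IssueInstant", this.issueInstant);
        authnRequest.setAttribute(AuthnRequest.PROTOCOL_BINDING_ATTRIB_NAME, SAMLConstants.SAML2_POST_BINDING_URI);
        authnRequest.setAttribute("Destination", this.samlSettings.getIdpSsoTargetUrl());
        authnRequest.setAttribute("AssertionConsumerServiceURL", assertionConsumerServiceUrl);
        doc.appendChild(authnRequest);

        Element issuer = doc.createElementNS(SAMLConstants.SAML20_NS, SAML_PREFIX + ":Issuer");
        issuer.appendChild(doc.createTextNode(this.samlSettings.getIssuer()));
        authnRequest.appendChild(issuer);

        Element nameIdPolicy = doc.createElementNS(SAMLConstants.SAML20P_NS, SAMLP_PREFIX + ":NameIDPolicy");
        nameIdPolicy.setAttribute("Format", this.samlSettings.getNameIdentifierFormat());
        nameIdPolicy.setAttribute(NameIDPolicy.ALLOW_CREATE_ATTRIB_NAME, "true");
        authnRequest.appendChild(nameIdPolicy);

        // Only the DOM path honours the configuration switch; see getStreamedRequest.
        if (this.samlSettings.isUseRequestedAuthnContext()) {
            Element requestedCtx = doc.createElementNS(SAMLConstants.SAML20P_NS, SAMLP_PREFIX + ":RequestedAuthnContext");
            requestedCtx.setAttribute(RequestedAuthnContext.COMPARISON_ATTRIB_NAME, "exact");
            authnRequest.appendChild(requestedCtx);

            Element classRef = doc.createElementNS(SAMLConstants.SAML20_NS, SAML_PREFIX + ":AuthnContextClassRef");
            classRef.appendChild(doc.createTextNode(AuthnContext.PPT_AUTHN_CTX));
            requestedCtx.appendChild(classRef);
        }

        byte[] xml = serialize(doc);
        logGeneratedRequest(xml);
        return encodeRequest(deflateAndUrlEncode, xml);
    }

    /**
     * Same as {@link #getRequest(boolean, String)} using the configured
     * assertion consumer service URL.
     */
    public String getRequest(boolean deflateAndUrlEncode)
            throws ParserConfigurationException, XMLStreamException, IOException, TransformerException {
        return getRequest(deflateAndUrlEncode, this.samlSettings.getAssertionConsumerServiceUrl());
    }

    /**
     * Builds the {@code AuthnRequest} via StAX instead of DOM.
     *
     * <p>NOTE(review): unlike {@link #getRequest(boolean, String)} this path always
     * emits {@code RequestedAuthnContext}, regardless of
     * {@code isUseRequestedAuthnContext()}, and always uses the configured ACS URL.
     * Kept as-is to preserve existing output; confirm with the owners whether the
     * divergence is intentional.
     *
     * @param deflateAndUrlEncode see {@link #getRequest(boolean, String)}
     * @return the encoded or plain request
     * @throws XMLStreamException if the StAX writer fails
     * @throws IOException        if compression or URL encoding fails
     */
    public String getStreamedRequest(boolean deflateAndUrlEncode) throws XMLStreamException, IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        XMLStreamWriter writer = XMLOutputFactory.newInstance()
                .createXMLStreamWriter(out, StandardCharsets.UTF_8.name());
        // XMLStreamWriter is not AutoCloseable; close explicitly so the writer's
        // buffers are released even when an element write fails part-way.
        try {
            writer.writeStartElement(SAMLP_PREFIX, AuthnRequest.DEFAULT_ELEMENT_LOCAL_NAME, SAMLConstants.SAML20P_NS);
            writer.writeNamespace(SAMLP_PREFIX, SAMLConstants.SAML20P_NS);
            writer.writeAttribute("ID", this.id);
            writer.writeAttribute("Version", "2.0");
            writer.writeAttribute("IssueInstant", this.issueInstant);
            writer.writeAttribute(AuthnRequest.PROTOCOL_BINDING_ATTRIB_NAME, SAMLConstants.SAML2_POST_BINDING_URI);
            writer.writeAttribute("AssertionConsumerServiceURL", this.samlSettings.getAssertionConsumerServiceUrl());

            writer.writeStartElement(SAML_PREFIX, "Issuer", SAMLConstants.SAML20_NS);
            writer.writeNamespace(SAML_PREFIX, SAMLConstants.SAML20_NS);
            writer.writeCharacters(this.samlSettings.getIssuer());
            writer.writeEndElement();

            writer.writeStartElement(SAMLP_PREFIX, NameIDPolicy.DEFAULT_ELEMENT_LOCAL_NAME, SAMLConstants.SAML20P_NS);
            writer.writeNamespace(SAMLP_PREFIX, SAMLConstants.SAML20P_NS);
            writer.writeAttribute("Format", this.samlSettings.getNameIdentifierFormat());
            writer.writeAttribute(NameIDPolicy.ALLOW_CREATE_ATTRIB_NAME, "true");
            writer.writeEndElement();

            writer.writeStartElement(SAMLP_PREFIX, RequestedAuthnContext.DEFAULT_ELEMENT_LOCAL_NAME, SAMLConstants.SAML20P_NS);
            writer.writeNamespace(SAMLP_PREFIX, SAMLConstants.SAML20P_NS);
            writer.writeAttribute(RequestedAuthnContext.COMPARISON_ATTRIB_NAME, "exact");
            writer.writeStartElement(SAML_PREFIX, AuthnContextClassRef.DEFAULT_ELEMENT_LOCAL_NAME, SAMLConstants.SAML20_NS);
            writer.writeNamespace(SAML_PREFIX, SAMLConstants.SAML20_NS);
            writer.writeCharacters(AuthnContext.PPT_AUTHN_CTX);
            writer.writeEndElement(); // AuthnContextClassRef
            writer.writeEndElement(); // RequestedAuthnContext

            writer.writeEndElement(); // AuthnRequest
            writer.flush();
        } finally {
            writer.close();
        }

        byte[] xml = out.toByteArray();
        logGeneratedRequest(xml);
        return encodeRequest(deflateAndUrlEncode, xml);
    }

    /**
     * Builds the HTTP-Redirect binding query string that is covered by the
     * signature: {@code SAMLRequest=...[&RelayState=...]&SigAlg=...}, in exactly
     * that order.
     *
     * @param samlRequest the already DEFLATE/Base64/URL-encoded request value; it
     *                    is appended verbatim (not re-encoded), so callers must pass
     *                    the value as it appears on the wire
     * @param relayState  optional relay state; URL-encoded here; omitted when null or empty
     * @return the query string without the {@code Signature} parameter
     * @throws IllegalArgumentException     if the request or the configured SigAlg URL is null
     * @throws UnsupportedEncodingException never in practice (UTF-8 is always available)
     */
    private String generateQueryString(String samlRequest, String relayState) throws UnsupportedEncodingException {
        if (samlRequest == null || this.samlSettings.getSigAlgUrl() == null) {
            throw new IllegalArgumentException("SAMLRequest or sigAlgUrl cannot be null");
        }
        StringBuilder query = new StringBuilder("SAMLRequest=").append(samlRequest);
        if (relayState != null && !relayState.isEmpty()) {
            query.append("&RelayState=").append(urlEncode(relayState));
        }
        query.append("&SigAlg=").append(urlEncode(this.samlSettings.getSigAlgUrl()).trim());
        String result = query.toString();
        if (LOG.isDebugEnabled()) {
            LOG.debug("Generated Query: {}", result);
        }
        return result;
    }

    /**
     * Signs the redirect-binding query string for the given request and relay state
     * with the configured private key and JCA algorithm.
     *
     * @param samlRequest the encoded request value (see {@link #generateQueryString})
     * @param relayState  optional relay state
     * @return the Base64-encoded signature (no line breaks), not yet URL-encoded
     * @throws Exception on key / algorithm / encoding failures
     */
    public String signRequest(String samlRequest, String relayState) throws Exception {
        return signQuery(generateQueryString(samlRequest, relayState));
    }

    /**
     * Produces the complete signed query string for the HTTP-Redirect binding:
     * {@code SAMLRequest=...[&RelayState=...]&SigAlg=...&Signature=...}.
     *
     * @param assertionConsumerServiceUrl ACS URL to embed in the request
     * @param relayState                  optional relay state
     * @return the signed query string (without a leading {@code ?})
     * @throws Exception if request generation or signing fails
     */
    public String getRedirectRequestSignedQueryParams(String assertionConsumerServiceUrl, String relayState)
            throws Exception {
        String samlRequest = getRequest(true, assertionConsumerServiceUrl);
        // Sign the exact byte sequence that is appended, so the query is built once.
        String query = generateQueryString(samlRequest, relayState);
        String signature = urlEncode(signQuery(query)).trim();
        return query + "&Signature=" + signature;
    }

    /**
     * Verifies a redirect-binding signature against the configured certificate.
     *
     * <p>The signed input is rebuilt from the individual parameters, so the caller
     * must pass {@code samlRequest} exactly as received (still URL-encoded) and the
     * raw (URL-decoded) relay state; any difference in encoding or parameter order
     * from the sender's query string makes verification fail. The algorithm is taken
     * from local configuration rather than from the request's {@code SigAlg}
     * parameter, which prevents a sender from choosing a weaker algorithm.
     *
     * @param samlRequest the received {@code SAMLRequest} value
     * @param relayState  the received {@code RelayState} value, or null
     * @param signature   the received Base64 {@code Signature} value
     * @return {@code true} only if the signature is present and valid
     * @throws Exception on key / algorithm / encoding failures
     */
    public boolean verifyRedirectSignature(String samlRequest, String relayState, String signature)
            throws Exception {
        if (signature == null || signature.isEmpty()) {
            return false;
        }
        byte[] signatureBytes = DatatypeConverter.parseBase64Binary(signature);
        String query = generateQueryString(samlRequest, relayState);
        Signature verifier = Signature.getInstance(this.samlSettings.getSigAlg());
        verifier.initVerify(this.samlSettings.getCertificate().getPublicKey());
        verifier.update(query.getBytes(StandardCharsets.UTF_8));
        return verifier.verify(signatureBytes);
    }

    /**
     * Builds the request and adds an enveloped XML signature (HTTP-POST binding).
     *
     * @param assertionConsumerServiceUrl ACS URL to embed in the request
     * @param relayState                  unused by this method; kept for API compatibility
     * @return the signed {@code AuthnRequest} XML as a string
     */
    public String getEnvelopedSignatureRequest(String assertionConsumerServiceUrl, String relayState)
            throws WSSecurityException, SecurityException, MarshallingException, SignatureException, IOException,
            TransformerException, XMLStreamException, ParserConfigurationException {
        // The plain (non-deflated) XML is parsed back into an OpenSAML object so the
        // signature can be attached with the library's marshaller.
        org.opensaml.saml2.core.AuthnRequest authnRequest =
                (org.opensaml.saml2.core.AuthnRequest) string2XMLObject(getRequest(false, assertionConsumerServiceUrl));
        Credential credential = this.samlSettings.getCredential();

        org.opensaml.xml.signature.Signature signature = (org.opensaml.xml.signature.Signature) Configuration
                .getBuilderFactory()
                .getBuilder(org.opensaml.xml.signature.Signature.DEFAULT_ELEMENT_NAME)
                .buildObject(org.opensaml.xml.signature.Signature.DEFAULT_ELEMENT_NAME);
        signature.setSigningCredential(credential);
        signature.setSignatureAlgorithm(this.samlSettings.getSigAlgUrl());
        signature.setCanonicalizationAlgorithm(EXC_C14N_ALGORITHM);
        SecurityHelper.prepareSignatureParams(signature, credential, Configuration.getGlobalSecurityConfiguration(), null);

        // Marshalling must happen before signing so the signature covers the final DOM.
        authnRequest.setSignature(signature);
        Configuration.getMarshallerFactory().getMarshaller(authnRequest).marshall(authnRequest);
        Signer.signObject(signature);

        String signed = convertDocumentToString(authnRequest.getDOM().getOwnerDocument());
        LOG.info("\n\n**************************\nSigned Post AuthnRequest:\n{}\n**************************\n\n", signed);
        return signed;
    }

    /**
     * Parses XML text into an OpenSAML {@link XMLObject}.
     *
     * @param xml the XML document text
     * @return the unmarshalled object
     * @throws WSSecurityException if OpenSAML cannot unmarshal the element
     */
    protected static XMLObject string2XMLObject(String xml) throws WSSecurityException {
        Document document = convertStringToDocument(xml);
        Element root = document == null ? null : document.getDocumentElement();
        if (root == null) {
            LOG.error("XML Object element is null!");
        } else if (LOG.isDebugEnabled()) {
            LOG.debug("AuthnRequest: \n{}", convertDocumentToString(document));
        }
        return OpenSAMLUtil.fromDom(root);
    }

    /**
     * Serialises a DOM document to text without an XML declaration.
     *
     * @return the document text, or {@code null} if the transform fails (logged with cause)
     */
    protected static String convertDocumentToString(Document document) {
        try {
            StringWriter writer = new StringWriter();
            newTransformer().transform(new DOMSource(document), new StreamResult(writer));
            return writer.toString();
        } catch (TransformerException e) {
            LOG.error("Failed to serialize XML document", e);
            return null;
        }
    }

    /**
     * Parses XML text into a namespace-aware DOM document.
     *
     * <p>The parser is hardened against XXE: DOCTYPE declarations are rejected,
     * XInclude is disabled, entity references are not expanded and JAXP secure
     * processing is on. This method is {@code protected static} and may be reached
     * with input that did not originate here, so the hardening is not optional.
     *
     * @return the parsed document, or {@code null} if parsing fails (logged with cause)
     */
    protected static Document convertStringToDocument(String xml) {
        try {
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            factory.setNamespaceAware(true);
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            factory.setFeature(DISALLOW_DOCTYPE_FEATURE, true);
            factory.setXIncludeAware(false);
            factory.setExpandEntityReferences(false);
            return factory.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        } catch (ParserConfigurationException | SAXException | IOException e) {
            LOG.error("Failed to parse XML document", e);
            return null;
        }
    }

    /**
     * Base64-encodes the bytes, DEFLATE-compressing them first when requested.
     *
     * @param compress whether to DEFLATE before encoding
     * @param data     the bytes to encode
     * @return Base64 text (no line breaks)
     * @throws IOException if compression fails
     */
    protected static String b64compressed(boolean compress, byte[] data) throws IOException {
        byte[] payload = compress ? CompressionHelper.deflate(data, true) : data;
        return Base64.encodeBase64String(payload);
    }

    /** Signs the query string bytes (UTF-8) and returns Base64 without line breaks. */
    private String signQuery(String query) throws Exception {
        Signature signer = Signature.getInstance(this.samlSettings.getSigAlg());
        signer.initSign(this.samlSettings.getPrivateKey());
        // Charset is fixed: the default-charset getBytes() made the signed bytes
        // depend on the JVM's platform encoding.
        signer.update(query.getBytes(StandardCharsets.UTF_8));
        return java.util.Base64.getEncoder().encodeToString(signer.sign());
    }

    /** Redirect form (DEFLATE, Base64, URL-encode) when requested, else the plain XML text. */
    private static String encodeRequest(boolean deflateAndUrlEncode, byte[] xml) throws IOException {
        if (!deflateAndUrlEncode) {
            return new String(xml, StandardCharsets.UTF_8);
        }
        return urlEncode(b64compressed(true, xml));
    }

    /** Serialises the DOM to UTF-8 bytes without an XML declaration. */
    private static byte[] serialize(Document doc) throws TransformerException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toByteArray();
    }

    /** Transformer with secure processing enabled and the XML declaration suppressed. */
    private static Transformer newTransformer() throws TransformerException {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Transformer transformer = factory.newTransformer();
        transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        return transformer;
    }

    /** URL-encodes with UTF-8 (application/x-www-form-urlencoded rules). */
    private static String urlEncode(String value) throws UnsupportedEncodingException {
        return URLEncoder.encode(value, StandardCharsets.UTF_8.name());
    }

    private static void logGeneratedRequest(byte[] xml) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Genereated Saml Request {}", new String(xml, StandardCharsets.UTF_8));
        }
    }
}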
