package com.atlassian.crowd.sso.saml;

import com.atlassian.crowd.embedded.spi.DcLicenseChecker;
import com.atlassian.crowd.exception.FeatureInaccessibleException;
import com.atlassian.crowd.manager.application.ApplicationService;
import com.atlassian.crowd.manager.authentication.AuthenticatedUserProvider;
import com.atlassian.crowd.manager.sso.ApplicationSamlConfigurationService;
import com.atlassian.crowd.manager.sso.CrowdSamlConfigurationServiceInternal;
import com.atlassian.crowd.service.CrowdRememberMeService;
import com.atlassian.crowd.sso.saml.impl.opensaml.action.AddAssertionAction;
import com.atlassian.crowd.sso.saml.impl.opensaml.action.AddAttributesAction;
import com.atlassian.crowd.sso.saml.impl.opensaml.action.AddAudienceRestrictionToAssertions;
import com.atlassian.crowd.sso.saml.impl.opensaml.action.AddNameIdAction;
import com.atlassian.crowd.sso.saml.impl.opensaml.action.AddNotBeforeConditionToAssertionsWithTimeSkew;
import com.atlassian.crowd.sso.saml.impl.opensaml.action.AddSubjectConfirmationAction;
import com.atlassian.crowd.sso.saml.impl.opensaml.action.CreateResponseShellAction;
import com.atlassian.crowd.sso.saml.impl.opensaml.action.PrepareApplicationContextAction;
import com.atlassian.crowd.sso.saml.impl.opensaml.action.PrepareAuthorizationContextAction;
import com.atlassian.crowd.sso.saml.impl.opensaml.action.PrepareConfigContextAction;
import com.atlassian.crowd.sso.saml.impl.opensaml.action.PrepareResponseEndpointContextAction;
import com.atlassian.crowd.sso.saml.impl.opensaml.action.PrepareSecurityContextAction;
import com.atlassian.crowd.sso.saml.impl.opensaml.action.ResponseEncoderAction;
import com.atlassian.crowd.sso.saml.impl.opensaml.action.SignAssertionsAction;
import com.atlassian.crowd.sso.saml.impl.opensaml.action.email.EmailIdentifierProvider;
import com.atlassian.crowd.sso.saml.impl.opensaml.util.InitalizableUtils;
import com.atlassian.crowd.sso.saml.impl.opensaml.util.SecureXMLParserPool;
import com.atlassian.event.api.EventPublisher;
import com.atlassian.sal.api.ApplicationProperties;
import com.atlassian.sal.api.UrlMode;
import java.time.Duration;
import java.util.stream.Stream;
import javax.annotation.PostConstruct;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import org.opensaml.core.config.ConfigurationService;
import org.opensaml.core.config.InitializationException;
import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.config.XMLObjectProviderRegistry;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.decoder.MessageDecodingException;
import org.opensaml.messaging.encoder.MessageEncodingException;
import org.opensaml.messaging.handler.MessageHandlerException;
import org.opensaml.profile.action.AbstractProfileAction;
import org.opensaml.profile.context.EventContext;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.profile.impl.AddInResponseToToResponse;
import org.opensaml.saml.common.profile.impl.AddNotOnOrAfterConditionToAssertions;
import org.opensaml.saml.saml2.binding.decoding.impl.HTTPRedirectDeflateDecoder;
import org.opensaml.saml.saml2.core.AuthnRequest;

/* loaded from: input_file:com/atlassian/crowd/sso/saml/SamlService.class */
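/**
 * Crowd's SAML identity-provider entry point for SP-initiated login.
 *
 * <p>{@link #init()} bootstraps OpenSAML and installs a {@link SecureXMLParserPool} on the global
 * {@link XMLObjectProviderRegistry}; {@link #handleAuthnRequest} decodes an HTTP-Redirect-bound
 * {@code AuthnRequest} from the servlet request and runs the ordered profile-action pipeline that
 * builds, signs and encodes the SAML response.
 *
 * <p>Thread-safety: all collaborators are injected and final; the only mutable field is the
 * registry reference assigned once in {@link #init()}, so instances are safe to share once
 * initialised. {@link #handleAuthnRequest} must not be called before {@link #init()}.
 */
public class SamlService {
    /**
     * Session attribute flagging that the Crowd login page has been rendered for this session.
     * It is read and cleared by every {@link #handleAuthnRequest} call and gates
     * {@code ForceAuthn} requests (see {@link ForceAuthnException}).
     */
    public static final String RENDERED_LOGIN_PAGE_ATTRIBUTE = "SPRING_SECURITY_CROWD_RENDERED_LOGIN_PAGE";

    private final ApplicationProperties applicationProperties;
    private final AuthenticatedUserProvider authenticatedUserProvider;
    private final ApplicationService applicationService;
    private final ApplicationSamlConfigurationService applicationSamlConfigurationService;
    private final CrowdSamlConfigurationServiceInternal crowdSamlConfigurationService;
    private final CrowdRememberMeService rememberMeService;
    private final DcLicenseChecker dcLicenseChecker;
    private final EventPublisher eventPublisher;
    private final SamlProperties samlProperties;
    private final EmailIdentifierProvider emailIdentifierProvider;
    // Assigned once in init(); null until then.
    private XMLObjectProviderRegistry xmlObjectProviderRegistry;

    /**
     * Thrown by {@link #handleAuthnRequest} when the {@code AuthnRequest} carries
     * {@code ForceAuthn="true"} but the login page has not been rendered for the current session,
     * i.e. the caller must re-authenticate the user before the request can be answered.
     */
    public static class ForceAuthnException extends Exception {
    }

    /**
     * Creates the service with its collaborators.
     *
     * @param applicationProperties source of the canonical base URL used as issuer/response origin
     * @param authenticatedUserProvider resolves the currently authenticated Crowd user
     * @param applicationService Crowd application service used during authorisation
     * @param applicationSamlConfigurationService per-application (service provider) SAML settings
     * @param crowdSamlConfigurationServiceInternal Crowd-wide SAML (IdP) settings, including signing material
     * @param crowdRememberMeService remember-me service consulted during authorisation
     * @param dcLicenseChecker Data Center licence gate for the SSO feature
     * @param eventPublisher event bus notified by the authorisation action
     * @param samlProperties timing properties (assertion lifetime and clock-skew tolerance)
     * @param emailIdentifierProvider resolves the email-based NameID value
     */
    public SamlService(ApplicationProperties applicationProperties, AuthenticatedUserProvider authenticatedUserProvider, ApplicationService applicationService, ApplicationSamlConfigurationService applicationSamlConfigurationService, CrowdSamlConfigurationServiceInternal crowdSamlConfigurationServiceInternal, CrowdRememberMeService crowdRememberMeService, DcLicenseChecker dcLicenseChecker, EventPublisher eventPublisher, SamlProperties samlProperties, EmailIdentifierProvider emailIdentifierProvider) {
        this.applicationProperties = applicationProperties;
        this.authenticatedUserProvider = authenticatedUserProvider;
        this.applicationService = applicationService;
        this.applicationSamlConfigurationService = applicationSamlConfigurationService;
        this.crowdSamlConfigurationService = crowdSamlConfigurationServiceInternal;
        this.rememberMeService = crowdRememberMeService;
        this.dcLicenseChecker = dcLicenseChecker;
        this.eventPublisher = eventPublisher;
        this.samlProperties = samlProperties;
        this.emailIdentifierProvider = emailIdentifierProvider;
    }

    /**
     * Initialises OpenSAML and replaces the registry's default parser pool with a
     * {@link SecureXMLParserPool}, so every XML object decoded through the registry (including the
     * inbound {@code AuthnRequest}) goes through the hardened parser configuration.
     *
     * @throws InitializationException if OpenSAML or the parser pool fails to initialise
     */
    @PostConstruct
    public void init() throws InitializationException {
        InitializationService.initialize();
        this.xmlObjectProviderRegistry = ConfigurationService.get(XMLObjectProviderRegistry.class);
        this.xmlObjectProviderRegistry.setParserPool(createAndInitializeSecureXMLParserPool());
    }

    /**
     * Builds and initialises a fresh {@link SecureXMLParserPool}.
     *
     * @return an initialised pool ready to be installed on a registry or decoder
     * @throws InitializationException wrapping the {@link ComponentInitializationException} if the
     *         pool cannot be initialised; the cause is preserved
     */
    public SecureXMLParserPool createAndInitializeSecureXMLParserPool() throws InitializationException {
        SecureXMLParserPool pool = new SecureXMLParserPool();
        try {
            pool.initialize();
        } catch (ComponentInitializationException e) {
            throw new InitializationException("Error while initializing parser pool", e);
        }
        return pool;
    }

    /**
     * Decodes the HTTP-Redirect (DEFLATE) bound SAML message carried by {@code httpServletRequest}.
     *
     * <p>The decoder is parameterised with the registry's parser pool, i.e. the secure pool
     * installed by {@link #init()}, and is always destroyed after use.
     *
     * @param httpServletRequest the incoming request carrying the {@code SAMLRequest} parameter
     * @return the decoded inbound message context
     * @throws ComponentInitializationException if the decoder fails to initialise
     * @throws MessageDecodingException if the request does not carry a decodable SAML message
     * @throws IllegalStateException if {@link #init()} has not run yet
     */
    private MessageContext<SAMLObject> decodeRequest(HttpServletRequest httpServletRequest) throws ComponentInitializationException, MessageDecodingException {
        if (this.xmlObjectProviderRegistry == null) {
            throw new IllegalStateException("SamlService.init() must run before decoding SAML requests");
        }
        HTTPRedirectDeflateDecoder decoder = new HTTPRedirectDeflateDecoder();
        decoder.setParserPool(this.xmlObjectProviderRegistry.getParserPool());
        decoder.setHttpServletRequest(httpServletRequest);
        try {
            decoder.initialize();
            decoder.decode();
            return decoder.getMessageContext();
        } finally {
            // Release the per-request decoder on both the success and the failure path.
            decoder.destroy();
        }
    }

    /**
     * Wraps the decoded inbound message in a {@link ProfileRequestContext} with an empty outbound
     * context for the actions to populate.
     *
     * @param httpServletRequest the incoming request
     * @return a profile context whose inbound side holds the decoded message
     * @throws ComponentInitializationException propagated from {@link #decodeRequest}
     * @throws MessageDecodingException propagated from {@link #decodeRequest}
     * @throws MessageHandlerException declared for API compatibility; not raised here
     */
    private ProfileRequestContext<SAMLObject, SAMLObject> prepareProfileRequestContext(HttpServletRequest httpServletRequest) throws ComponentInitializationException, MessageDecodingException, MessageHandlerException {
        MessageContext<SAMLObject> inbound = decodeRequest(httpServletRequest);
        ProfileRequestContext<SAMLObject, SAMLObject> context = new ProfileRequestContext<>();
        context.setInboundMessageContext(inbound);
        context.setOutboundMessageContext(new MessageContext<>());
        return context;
    }

    /**
     * Handles an SP-initiated {@code AuthnRequest}: decodes it, enforces the Data Center licence and
     * {@code ForceAuthn} rules, then runs the response-building pipeline which writes the encoded
     * SAML response to {@code httpServletResponse}.
     *
     * <p>The {@link #RENDERED_LOGIN_PAGE_ATTRIBUTE} session flag is consumed (read and cleared) on
     * every call, regardless of whether the request asks for {@code ForceAuthn}.
     *
     * @param httpServletRequest the request carrying the redirect-bound {@code AuthnRequest}
     * @param httpServletResponse the response the encoded SAML response is written to
     * @throws FeatureInaccessibleException if no Data Center licence is present
     * @throws MessageDecodingException if the request cannot be decoded, or decodes to something
     *         other than an {@code AuthnRequest}
     * @throws ForceAuthnException if {@code ForceAuthn} is requested and the login page has not been
     *         rendered for this session
     * @throws IllegalStateException if any action recorded an {@link EventContext}, i.e. the
     *         pipeline failed to build the assertion
     */
    public void handleAuthnRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws MessageDecodingException, ComponentInitializationException, MarshallingException, MessageHandlerException, MessageEncodingException, ForceAuthnException {
        requireDcLicense();
        ProfileRequestContext<SAMLObject, SAMLObject> context = prepareProfileRequestContext(httpServletRequest);
        AuthnRequest authnRequest = extractAuthnRequest(context);
        // Always consume the flag so a rendered login page only ever satisfies one request.
        boolean loginPageRendered = getAndClearRenderedLoginPage(httpServletRequest);
        if (Boolean.TRUE.equals(authnRequest.isForceAuthn()) && !loginPageRendered) {
            throw new ForceAuthnException();
        }
        String baseUrl = this.applicationProperties.getBaseUrl(UrlMode.CANONICAL);
        for (AbstractProfileAction action : buildAuthnResponseActions(baseUrl)) {
            runAction(action, context, httpServletRequest, httpServletResponse);
        }
        if (context.containsSubcontext(EventContext.class)) {
            throw new IllegalStateException("Failed to build assertion: " + context.getSubcontext(EventContext.class).getEvent());
        }
    }

    /** Rejects the call unless a Data Center licence is installed. */
    private void requireDcLicense() {
        if (!this.dcLicenseChecker.isDcLicense()) {
            throw new FeatureInaccessibleException("This feature is only available under Data Center License");
        }
    }

    /**
     * Returns the decoded inbound message as an {@link AuthnRequest}.
     *
     * @throws MessageDecodingException if the message is absent or is a different SAML message type
     *         (reported as a decoding error rather than a {@link ClassCastException})
     */
    private static AuthnRequest extractAuthnRequest(ProfileRequestContext<SAMLObject, SAMLObject> context) throws MessageDecodingException {
        SAMLObject message = context.getInboundMessageContext().getMessage();
        if (!(message instanceof AuthnRequest)) {
            throw new MessageDecodingException("Expected a SAML AuthnRequest but decoded "
                    + (message == null ? "no message" : message.getClass().getName()));
        }
        return (AuthnRequest) message;
    }

    /**
     * Assembles the ordered response-building pipeline. Order matters: contexts are prepared
     * first, the response shell and assertion are created, conditions/NameID/subject confirmation
     * are attached, then the assertions are signed and finally the response is encoded.
     *
     * @param baseUrl canonical base URL used as issuer and response origin
     * @return the actions in execution order
     */
    private AbstractProfileAction[] buildAuthnResponseActions(String baseUrl) {
        AddNotOnOrAfterConditionToAssertions notOnOrAfter = new AddNotOnOrAfterConditionToAssertions();
        notOnOrAfter.setDefaultAssertionLifetime(this.samlProperties.getNotAfterDurationInMillis());
        return new AbstractProfileAction[]{
                new PrepareConfigContextAction(),
                new PrepareApplicationContextAction(this.applicationSamlConfigurationService),
                new PrepareSecurityContextAction(this.crowdSamlConfigurationService),
                new PrepareAuthorizationContextAction(this.authenticatedUserProvider, this.applicationService, this.rememberMeService, this.eventPublisher),
                new PrepareResponseEndpointContextAction(),
                new CreateResponseShellAction(baseUrl),
                new AddInResponseToToResponse(),
                new AddAssertionAction(baseUrl),
                new AddAttributesAction(this.samlProperties, this.applicationSamlConfigurationService),
                new AddAudienceRestrictionToAssertions(),
                new AddNotBeforeConditionToAssertionsWithTimeSkew(Duration.ofMillis(this.samlProperties.getSlopToleranceInMillis())),
                notOnOrAfter,
                new AddNameIdAction(this.applicationSamlConfigurationService, this.emailIdentifierProvider),
                new AddSubjectConfirmationAction(),
                new SignAssertionsAction(),
                new ResponseEncoderAction()
        };
    }

    /**
     * Binds the servlet request/response to one action and executes it within its
     * initialise/destroy lifecycle.
     */
    private static void runAction(AbstractProfileAction action, ProfileRequestContext<SAMLObject, SAMLObject> context, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        action.setHttpServletRequest(httpServletRequest);
        action.setHttpServletResponse(httpServletResponse);
        InitalizableUtils.runWithinLifecycle(action, () -> action.execute(context));
    }

    /**
     * Reads and removes the {@link #RENDERED_LOGIN_PAGE_ATTRIBUTE} session flag.
     *
     * @param httpServletRequest the current request (its session is created if absent)
     * @return {@code true} only if the attribute was present and equal to {@link Boolean#TRUE}
     */
    private boolean getAndClearRenderedLoginPage(HttpServletRequest httpServletRequest) {
        Object flag = httpServletRequest.getSession().getAttribute(RENDERED_LOGIN_PAGE_ATTRIBUTE);
        httpServletRequest.getSession().removeAttribute(RENDERED_LOGIN_PAGE_ATTRIBUTE);
        // Tolerates both a missing attribute and an unexpected attribute type.
        return Boolean.TRUE.equals(flag);
    }
}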
