package org.apereo.cas.support.saml.web.idp.profile.builders.subject;

import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.support.saml.OpenSamlConfigBean;
import org.apereo.cas.support.saml.SamlException;
import org.apereo.cas.support.saml.SamlIdPUtils;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade;
import org.apereo.cas.support.saml.util.AbstractSaml20ObjectBuilder;
import org.apereo.cas.support.saml.web.idp.profile.builders.SamlProfileObjectBuilder;
import org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectEncrypter;
import org.jasig.cas.client.validation.Assertion;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.saml2.core.EncryptedID;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.metadata.Endpoint;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/support/saml/web/idp/profile/builders/subject/SamlProfileSamlSubjectBuilder.class */
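/**
 * Builds the SAML 2.0 {@link Subject} (NameID plus subject confirmation data) that the
 * identity provider places in an assertion for a registered SAML service provider.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Each {@code isSkipGeneratingSubjectConfirmation*} flag on the registered service makes
 *       this builder pass {@code null} for the matching confirmation attribute (Recipient,
 *       NotOnOrAfter, InResponseTo, NotBefore). Relying parties use those attributes to bind a
 *       bearer assertion to one endpoint, one request and a short time window, so every flag
 *       that is enabled removes one replay/redirection check on the receiving side.</li>
 *   <li>When the subject NameID format is the SAML "encrypted" format, the plaintext NameID is
 *       removed from the subject and from every subject confirmation and replaced by an
 *       {@link EncryptedID}.</li>
 * </ul>
 */
public class SamlProfileSamlSubjectBuilder extends AbstractSaml20ObjectBuilder implements SamlProfileObjectBuilder<Subject> {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(SamlProfileSamlSubjectBuilder.class);
    private static final long serialVersionUID = 4782621942035583007L;

    /** Delegate that produces the NameID for the service. */
    private final transient SamlProfileObjectBuilder<NameID> ssoPostProfileSamlNameIdBuilder;

    /** Seconds added to the assertion's valid-from instant to obtain NotOnOrAfter. */
    private final int skewAllowance;

    /** Encrypts NameIDs for the service provider when the encrypted NameID format is in use. */
    private final transient SamlIdPObjectEncrypter samlObjectEncrypter;

    /**
     * Creates the builder.
     *
     * @param openSamlConfigBean OpenSAML configuration handed to the parent builder
     * @param samlProfileObjectBuilder builder used to produce NameIDs
     * @param i skew allowance in seconds (added to the valid-from instant for NotOnOrAfter)
     * @param samlIdPObjectEncrypter encrypter used for encrypted NameIDs
     */
    public SamlProfileSamlSubjectBuilder(OpenSamlConfigBean openSamlConfigBean, SamlProfileObjectBuilder<NameID> samlProfileObjectBuilder, int i, SamlIdPObjectEncrypter samlIdPObjectEncrypter) {
        super(openSamlConfigBean);
        this.ssoPostProfileSamlNameIdBuilder = samlProfileObjectBuilder;
        this.skewAllowance = i;
        this.samlObjectEncrypter = samlIdPObjectEncrypter;
    }

    /**
     * Builds the subject for the given request and service.
     *
     * <p>The method name {@code mo19build} is a decompiler rename of {@code build} (the original
     * was merged with its bridge method); it is kept so existing callers still resolve.
     *
     * @param obj the CAS {@link Assertion}; any other type fails with {@link ClassCastException}
     * @param str the SAML binding used to locate the assertion consumer service endpoint
     * @return the constructed subject
     * @throws SamlException declared by the builder contract
     */
    @Override // org.apereo.cas.support.saml.web.idp.profile.builders.SamlProfileObjectBuilder
    public Subject mo19build(RequestAbstractType requestAbstractType, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object obj, SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade, String str, MessageContext messageContext) throws SamlException {
        return buildSubject(httpServletRequest, httpServletResponse, requestAbstractType, obj, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade, str, messageContext);
    }

    /**
     * Assembles the subject: resolves the recipient endpoint, builds the NameIDs, applies the
     * per-service "skip" switches to the confirmation data and, if required, swaps the plaintext
     * NameIDs for encrypted ones.
     */
    private Subject buildSubject(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, RequestAbstractType requestAbstractType, Object obj, SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade, String str, MessageContext messageContext) throws SamlException {
        Assertion assertion = Assertion.class.cast(obj);
        ZonedDateTime validFrom = ZonedDateTime.ofInstant(assertion.getValidFromDate().toInstant(), ZoneOffset.UTC);

        LOGGER.debug("Locating the assertion consumer service url for binding [{}]", str);
        Endpoint endpoint = SamlIdPUtils.determineEndpointForRequest(requestAbstractType, samlRegisteredServiceServiceProviderMetadataFacade, str);
        // Prefer the endpoint's response location; fall back to its location.
        String location = StringUtils.isBlank(endpoint.getResponseLocation()) ? endpoint.getLocation() : endpoint.getResponseLocation();
        if (StringUtils.isBlank(location)) {
            // NOTE(review): a blank recipient is only logged; the subject is still issued, so the
            // SP cannot verify that the assertion was addressed to it. Confirm this is acceptable.
            LOGGER.warn("Subject recipient is not defined from either authentication request or metadata for [{}]", samlRegisteredServiceServiceProviderMetadataFacade.getEntityId());
        }

        NameID subjectNameId = getNameIdForService(httpServletRequest, httpServletResponse, requestAbstractType, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade, str, assertion, messageContext);
        // The confirmation gets its own NameID from a second build call rather than sharing the
        // subject's instance (presumably because an OpenSAML object has a single parent - confirm).
        NameID confirmationNameId = samlRegisteredService.isSkipGeneratingSubjectConfirmationNameId() ? null : getNameIdForService(httpServletRequest, httpServletResponse, requestAbstractType, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade, str, assertion, messageContext);

        // Each skip flag below drops one constraint the SP would otherwise check on a bearer
        // assertion; evaluated in the same order as the original argument list.
        String recipient = samlRegisteredService.isSkipGeneratingSubjectConfirmationRecipient() ? null : location;
        ZonedDateTime notOnOrAfter = samlRegisteredService.isSkipGeneratingSubjectConfirmationNotOnOrAfter() ? null : validFrom.plusSeconds(this.skewAllowance);
        String inResponseTo = samlRegisteredService.isSkipGeneratingSubjectConfirmationInResponseTo() ? null : requestAbstractType.getID();
        ZonedDateTime notBefore = samlRegisteredService.isSkipGeneratingSubjectConfirmationNotBefore() ? null : ZonedDateTime.now();
        Subject subject = newSubject(subjectNameId, confirmationNameId, recipient, notOnOrAfter, inResponseTo, notBefore);

        // getNameIdForService returns null when the service skips NameID generation; the original
        // dereferenced it unconditionally here and failed with a NullPointerException.
        if (subjectNameId != null && "urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted".equalsIgnoreCase(subjectNameId.getFormat())) {
            // Strip every plaintext NameID before attaching the encrypted form so the identifier
            // is never emitted in the clear alongside its EncryptedID.
            subject.setNameID((NameID) null);
            subject.getSubjectConfirmations().forEach(confirmation -> confirmation.setNameID((NameID) null));
            subject.setEncryptedID(this.samlObjectEncrypter.encode(subjectNameId, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade));
            if (confirmationNameId != null) {
                EncryptedID encryptedConfirmationId = this.samlObjectEncrypter.encode(confirmationNameId, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade);
                subject.getSubjectConfirmations().forEach(confirmation -> confirmation.setEncryptedID(encryptedConfirmationId));
            }
        }
        LOGGER.debug("Created SAML subject [{}]", subject);
        return subject;
    }

    /**
     * Builds a NameID for the service through the configured NameID builder.
     *
     * @return the NameID, or {@code null} when the service is configured to skip NameID
     *         generation for the assertion (a warning is logged in that case)
     */
    private NameID getNameIdForService(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, RequestAbstractType requestAbstractType, SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade, String str, Assertion assertion, MessageContext messageContext) {
        if (samlRegisteredService.isSkipGeneratingAssertionNameId()) {
            LOGGER.warn("Assertion will skip assigning/generating a nameId based on service [{}]", samlRegisteredService);
            return null;
        }
        return this.ssoPostProfileSamlNameIdBuilder.mo19build(requestAbstractType, httpServletRequest, httpServletResponse, assertion, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade, str, messageContext);
    }
}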
