package org.apereo.cas.support.saml.web.idp.profile.builders.enc;

import com.google.common.collect.Sets;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.support.saml.idp.SamlIdPAlgorithmsProperties;
import org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties;
import org.apereo.cas.configuration.model.support.saml.idp.SamlIdPResponseProperties;
import org.apereo.cas.support.saml.SamlException;
import org.apereo.cas.support.saml.SamlIdPUtils;
import org.apereo.cas.support.saml.SamlUtils;
import org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataLocator;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade;
import org.apereo.cas.util.DigestUtils;
import org.apereo.cas.util.RegexUtils;
import org.apereo.cas.util.crypto.CertUtils;
import org.apereo.cas.util.crypto.PrivateKeyFactoryBean;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.binding.impl.SAMLOutboundDestinationHandler;
import org.opensaml.saml.common.binding.security.impl.EndpointURLSchemeSecurityHandler;
import org.opensaml.saml.common.binding.security.impl.SAMLOutboundProtocolMessageSigningHandler;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.criterion.RoleDescriptorCriterion;
import org.opensaml.saml.metadata.resolver.MetadataResolver;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.saml2.metadata.RoleDescriptor;
import org.opensaml.saml.security.impl.MetadataCredentialResolver;
import org.opensaml.saml.security.impl.SAMLMetadataSignatureSigningParametersResolver;
import org.opensaml.security.credential.AbstractCredential;
import org.opensaml.security.credential.BasicCredential;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.MutableCredential;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.SignatureSigningConfiguration;
import org.opensaml.xmlsec.SignatureSigningParameters;
import org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap;
import org.opensaml.xmlsec.context.SecurityParametersContext;
import org.opensaml.xmlsec.criterion.SignatureSigningConfigurationCriterion;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.io.Resource;

/* loaded from: input_file:org/apereo/cas/support/saml/web/idp/profile/builders/enc/SamlIdPObjectSigner.class */
/**
 * Prepares an outbound SAML object for signing and runs the OpenSAML
 * outbound message handlers (endpoint URL scheme check, destination
 * stamping, protocol message signing) against it.
 *
 * <p>The signing key is loaded from the IdP metadata locator and paired
 * with the signing credential(s) published in the IdP's own metadata;
 * per-service overrides (credential type, fingerprint filter) and global
 * algorithm overrides come from {@link CasConfigurationProperties}.
 *
 * <p>NOTE(review): this listing is decompiler output (JADX). Several
 * methods called below declare {@code throws Exception} while their
 * callers declare a narrower clause or none at all; the original source
 * presumably carries a Lombok {@code @SneakyThrows} that the decompiler
 * dropped -- confirm against the upstream source before treating the
 * throws clauses here as the real contract.
 */
public class SamlIdPObjectSigner {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(SamlIdPObjectSigner.class);
    /** Resolver for the IdP's own metadata; used to look up the IdP signing credential(s). */
    private final MetadataResolver casSamlIdPMetadataResolver;
    /** Global CAS settings; the SAML IdP algorithm/response/metadata sections are read here. */
    private final CasConfigurationProperties casProperties;
    /** Locates the IdP signing key and signing certificate resources. */
    private final SamlIdPMetadataLocator samlIdPMetadataLocator;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner$1, reason: invalid class name */
    /* loaded from: input_file:org/apereo/cas/support/saml/web/idp/profile/builders/enc/SamlIdPObjectSigner$1.class */
    /*
     * Synthetic switch-map that javac generates for an enum {@code switch};
     * the decompiler surfaced it as a named class. The static initializer
     * maps BASIC -> 1 and X509 -> 2, which is what the {@code case} labels in
     * getResolvedSigningCredential refer to. The empty catch blocks are part
     * of that generated pattern (guarding against a constant missing at
     * runtime), not hand-written swallowing.
     */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$apereo$cas$configuration$model$support$saml$idp$SamlIdPResponseProperties$SignatureCredentialTypes = new int[SamlIdPResponseProperties.SignatureCredentialTypes.values().length];

        static {
            try {
                $SwitchMap$org$apereo$cas$configuration$model$support$saml$idp$SamlIdPResponseProperties$SignatureCredentialTypes[SamlIdPResponseProperties.SignatureCredentialTypes.BASIC.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$apereo$cas$configuration$model$support$saml$idp$SamlIdPResponseProperties$SignatureCredentialTypes[SamlIdPResponseProperties.SignatureCredentialTypes.X509.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
        }
    }

    /**
     * Builds an outbound {@link MessageContext} for {@code t}, attaches the
     * signing parameters for the target service provider and runs the
     * outbound handler chain, ending with the protocol message signing handler.
     *
     * <p>Handler order matters: the security-parameters context must exist
     * before the signing handler runs, and the destination handler stamps the
     * message before it is signed.
     *
     * @param t the SAML object to sign (returned unchanged as the same instance)
     * @param samlRegisteredService the registered service the object is for
     * @param samlRegisteredServiceServiceProviderMetadataFacade the SP metadata facade
     * @param httpServletResponse the servlet response (not used directly here)
     * @param httpServletRequest the servlet request (not used directly here)
     * @param str binding URI passed through to the peer endpoint context preparation
     * @param requestAbstractType the inbound authn request this object answers
     * @return {@code t}
     * @throws SamlException from the outbound context preparation
     */
    public <T extends SAMLObject> T encode(T t, SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade, HttpServletResponse httpServletResponse, HttpServletRequest httpServletRequest, String str, RequestAbstractType requestAbstractType) throws SamlException {
        LOGGER.trace("Attempting to encode [{}] for [{}]", t.getClass().getName(), samlRegisteredServiceServiceProviderMetadataFacade.getEntityId());
        MessageContext<T> messageContext = new MessageContext<>();
        prepareOutboundContext(t, samlRegisteredServiceServiceProviderMetadataFacade, messageContext, str, requestAbstractType);
        prepareSecurityParametersContext(samlRegisteredServiceServiceProviderMetadataFacade, messageContext, samlRegisteredService);
        prepareEndpointURLSchemeSecurityHandler(messageContext);
        prepareSamlOutboundDestinationHandler(messageContext);
        // Signing runs last so that everything the handlers above stamped on the message is covered.
        prepareSamlOutboundProtocolMessageSigningHandler(messageContext);
        return t;
    }

    /**
     * Signs the outbound protocol message using the signing parameters found
     * in the context's {@link SecurityParametersContext}.
     *
     * <p>Whether error responses are signed is driven by
     * {@code cas.authn.samlIdp.response.signError}.
     *
     * <p>NOTE(review): unlike the two handlers below, this one is invoked
     * without a prior {@code initialize()} call -- confirm the handler does
     * not require initialization, or add it for consistency.
     *
     * @param messageContext the outbound message context
     * @throws Exception if the handler fails (e.g. no signing parameters resolved)
     */
    protected <T extends SAMLObject> void prepareSamlOutboundProtocolMessageSigningHandler(MessageContext<T> messageContext) throws Exception {
        LOGGER.trace("Attempting to sign the outbound SAML message...");
        SAMLOutboundProtocolMessageSigningHandler sAMLOutboundProtocolMessageSigningHandler = new SAMLOutboundProtocolMessageSigningHandler();
        sAMLOutboundProtocolMessageSigningHandler.setSignErrorResponses(this.casProperties.getAuthn().getSamlIdp().getResponse().isSignError());
        sAMLOutboundProtocolMessageSigningHandler.invoke(messageContext);
        LOGGER.debug("Signed SAML message successfully");
    }

    /**
     * Runs the OpenSAML outbound destination handler, which populates the
     * message's destination from the peer endpoint context.
     *
     * @param messageContext the outbound message context
     * @throws Exception if initialization or invocation fails
     */
    protected <T extends SAMLObject> void prepareSamlOutboundDestinationHandler(MessageContext<T> messageContext) throws Exception {
        SAMLOutboundDestinationHandler sAMLOutboundDestinationHandler = new SAMLOutboundDestinationHandler();
        sAMLOutboundDestinationHandler.initialize();
        sAMLOutboundDestinationHandler.invoke(messageContext);
    }

    /**
     * Runs the OpenSAML endpoint URL scheme security handler against the
     * peer endpoint selected for this message.
     *
     * @param messageContext the outbound message context
     * @throws Exception if initialization or invocation fails
     */
    protected <T extends SAMLObject> void prepareEndpointURLSchemeSecurityHandler(MessageContext<T> messageContext) throws Exception {
        EndpointURLSchemeSecurityHandler endpointURLSchemeSecurityHandler = new EndpointURLSchemeSecurityHandler();
        endpointURLSchemeSecurityHandler.initialize();
        endpointURLSchemeSecurityHandler.invoke(messageContext);
    }

    /**
     * Creates (if absent) the {@link SecurityParametersContext} subcontext and
     * stores the signing parameters resolved for the SP's SSO descriptor.
     *
     * <p>If {@link #buildSignatureSigningParameters} returns {@code null}, a
     * {@code null} is stored here and the signing handler will fail later.
     *
     * @param samlRegisteredServiceServiceProviderMetadataFacade the SP metadata facade
     * @param messageContext the outbound message context
     * @param samlRegisteredService the registered service
     */
    protected <T extends SAMLObject> void prepareSecurityParametersContext(SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade, MessageContext<T> messageContext, SamlRegisteredService samlRegisteredService) {
        messageContext.getSubcontext(SecurityParametersContext.class, true).setSignatureSigningParameters(buildSignatureSigningParameters(samlRegisteredServiceServiceProviderMetadataFacade.getSsoDescriptor(), samlRegisteredService));
    }

    /**
     * Sets {@code t} as the context message and prepares the peer entity /
     * endpoint context for the SP via {@link SamlIdPUtils}.
     *
     * @param t the outbound SAML object
     * @param samlRegisteredServiceServiceProviderMetadataFacade the SP metadata facade
     * @param messageContext the outbound message context
     * @param str binding URI used to select the SP endpoint
     * @param requestAbstractType the inbound request being answered
     * @throws SamlException if the peer endpoint cannot be prepared
     */
    protected <T extends SAMLObject> void prepareOutboundContext(T t, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade, MessageContext<T> messageContext, String str, RequestAbstractType requestAbstractType) throws SamlException {
        LOGGER.trace("Outbound saml object to use is [{}]", t.getClass().getName());
        messageContext.setMessage(t);
        SamlIdPUtils.preparePeerEntitySamlEndpointContext(requestAbstractType, messageContext, samlRegisteredServiceServiceProviderMetadataFacade, str);
    }

    /**
     * Resolves the {@link SignatureSigningParameters} to use for the given SP
     * role descriptor, combining the IdP signing configuration with whatever
     * the SP metadata declares.
     *
     * <p>Returns {@code null} when nothing could be resolved; this is only
     * logged as a warning here and surfaces as a signing failure downstream.
     *
     * @param roleDescriptor the SP role descriptor (its metadata may constrain algorithms)
     * @param samlRegisteredService the registered service
     * @return the resolved parameters, or {@code null} if resolution failed
     */
    protected SignatureSigningParameters buildSignatureSigningParameters(RoleDescriptor roleDescriptor, SamlRegisteredService samlRegisteredService) {
        CriteriaSet criteriaSet = new CriteriaSet();
        criteriaSet.add(new SignatureSigningConfigurationCriterion(new SignatureSigningConfiguration[]{getSignatureSigningConfiguration(roleDescriptor, samlRegisteredService)}));
        criteriaSet.add(new RoleDescriptorCriterion(roleDescriptor));
        SAMLMetadataSignatureSigningParametersResolver sAMLMetadataSignatureSigningParametersResolver = new SAMLMetadataSignatureSigningParametersResolver();
        LOGGER.trace("Resolving signature signing parameters for [{}]", roleDescriptor.getElementQName().getLocalPart());
        SignatureSigningParameters resolveSingle = sAMLMetadataSignatureSigningParametersResolver.resolveSingle(criteriaSet);
        if (resolveSingle != null) {
            LOGGER.trace("Created signature signing parameters.\nSignature algorithm: [{}]\nSignature canonicalization algorithm: [{}]\nSignature reference digest methods: [{}]", new Object[]{resolveSingle.getSignatureAlgorithm(), resolveSingle.getSignatureCanonicalizationAlgorithm(), resolveSingle.getSignatureReferenceDigestMethod()});
        } else {
            LOGGER.warn("Unable to resolve SignatureSigningParameters, response signing will fail. Make sure domain names in IDP metadata URLs and certificates match CAS domain name");
        }
        return resolveSingle;
    }

    /**
     * Builds the IdP-side {@link SignatureSigningConfiguration}: OpenSAML
     * defaults, overlaid with the configured algorithm overrides, plus the
     * signing credential(s) assembled from the IdP metadata and private key.
     *
     * <p>Each override is applied only when non-null and non-empty (blank for
     * the canonicalization algorithm). The overrides are applied through
     * setters, so a configured blacklist/whitelist presumably replaces the
     * OpenSAML default list rather than extending it -- verify before relying
     * on the defaults still being in effect alongside an override.
     *
     * @param roleDescriptor the SP role descriptor (not consulted here; passed for subclasses)
     * @param samlRegisteredService the registered service, used for credential type/fingerprint filtering
     * @return the signing configuration with at least one signing credential
     * @throws IllegalArgumentException if no usable signing credential is found
     * @throws Exception if the private key or metadata credential resolution fails
     */
    protected SignatureSigningConfiguration getSignatureSigningConfiguration(RoleDescriptor roleDescriptor, SamlRegisteredService samlRegisteredService) throws Exception {
        SignatureSigningConfiguration buildDefaultSignatureSigningConfiguration = DefaultSecurityConfigurationBootstrap.buildDefaultSignatureSigningConfiguration();
        SamlIdPProperties samlIdp = this.casProperties.getAuthn().getSamlIdp();
        SamlIdPAlgorithmsProperties algs = samlIdp.getAlgs();
        // Raw List types are a decompiler artifact; the element type is not visible here.
        List overrideSignatureReferenceDigestMethods = algs.getOverrideSignatureReferenceDigestMethods();
        List overrideSignatureAlgorithms = algs.getOverrideSignatureAlgorithms();
        List overrideBlackListedSignatureSigningAlgorithms = algs.getOverrideBlackListedSignatureSigningAlgorithms();
        List overrideWhiteListedSignatureSigningAlgorithms = algs.getOverrideWhiteListedSignatureSigningAlgorithms();
        if (overrideBlackListedSignatureSigningAlgorithms != null && !overrideBlackListedSignatureSigningAlgorithms.isEmpty()) {
            buildDefaultSignatureSigningConfiguration.setBlacklistedAlgorithms(overrideBlackListedSignatureSigningAlgorithms);
        }
        if (overrideSignatureAlgorithms != null && !overrideSignatureAlgorithms.isEmpty()) {
            buildDefaultSignatureSigningConfiguration.setSignatureAlgorithms(overrideSignatureAlgorithms);
        }
        if (overrideSignatureReferenceDigestMethods != null && !overrideSignatureReferenceDigestMethods.isEmpty()) {
            buildDefaultSignatureSigningConfiguration.setSignatureReferenceDigestMethods(overrideSignatureReferenceDigestMethods);
        }
        if (overrideWhiteListedSignatureSigningAlgorithms != null && !overrideWhiteListedSignatureSigningAlgorithms.isEmpty()) {
            buildDefaultSignatureSigningConfiguration.setWhitelistedAlgorithms(overrideWhiteListedSignatureSigningAlgorithms);
        }
        if (StringUtils.isNotBlank(algs.getOverrideSignatureCanonicalizationAlgorithm())) {
            buildDefaultSignatureSigningConfiguration.setSignatureCanonicalizationAlgorithm(algs.getOverrideSignatureCanonicalizationAlgorithm());
        }
        LOGGER.trace("Signature signing blacklisted algorithms: [{}]", buildDefaultSignatureSigningConfiguration.getBlacklistedAlgorithms());
        LOGGER.trace("Signature signing signature algorithms: [{}]", buildDefaultSignatureSigningConfiguration.getSignatureAlgorithms());
        LOGGER.trace("Signature signing signature canonicalization algorithm: [{}]", buildDefaultSignatureSigningConfiguration.getSignatureCanonicalizationAlgorithm());
        LOGGER.trace("Signature signing whitelisted algorithms: [{}]", buildDefaultSignatureSigningConfiguration.getWhitelistedAlgorithms());
        LOGGER.trace("Signature signing reference digest methods: [{}]", buildDefaultSignatureSigningConfiguration.getSignatureReferenceDigestMethods());
        PrivateKey signingPrivateKey = getSigningPrivateKey();
        // Public half of the signing credential comes from the IdP's own metadata (SIGNING usage, IDPSSODescriptor role).
        MetadataCredentialResolver metadataCredentialResolver = new MetadataCredentialResolver();
        metadataCredentialResolver.setRoleDescriptorResolver(SamlIdPUtils.getRoleDescriptorResolver(this.casSamlIdPMetadataResolver, samlIdp.getMetadata().isRequireValidMetadata()));
        metadataCredentialResolver.setKeyInfoCredentialResolver(DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());
        metadataCredentialResolver.initialize();
        CriteriaSet criteriaSet = new CriteriaSet();
        criteriaSet.add(new SignatureSigningConfigurationCriterion(new SignatureSigningConfiguration[]{buildDefaultSignatureSigningConfiguration}));
        criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
        criteriaSet.add(new EntityIdCriterion(samlIdp.getEntityId()));
        criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
        // LinkedHashSet keeps metadata order while dropping duplicate credentials.
        LinkedHashSet newLinkedHashSet = Sets.newLinkedHashSet(metadataCredentialResolver.resolve(criteriaSet));
        ArrayList arrayList = new ArrayList();
        newLinkedHashSet.forEach(credential -> {
            // A credential that fails to resolve (null) or does not match the service's fingerprint filter is skipped.
            AbstractCredential resolvedSigningCredential = getResolvedSigningCredential(credential, signingPrivateKey, samlRegisteredService);
            if (resolvedSigningCredential == null || !doesCredentialFingerprintMatch(resolvedSigningCredential, samlRegisteredService)) {
                return;
            }
            arrayList.add(resolvedSigningCredential);
        });
        if (arrayList.isEmpty()) {
            // Fail closed: without a signing credential the response must not be produced.
            LOGGER.error("Unable to locate any signing credentials for service [{}]", samlRegisteredService.getName());
            throw new IllegalArgumentException("Unable to locate signing credentials");
        }
        buildDefaultSignatureSigningConfiguration.setSigningCredentials(arrayList);
        LOGGER.trace("Signature signing credentials configured with [{}] credentials", Integer.valueOf(arrayList.size()));
        return buildDefaultSignatureSigningConfiguration;
    }

    /**
     * Pairs a metadata-resolved (public) credential with the IdP private key,
     * producing either a {@link BasicCredential} or a {@link BasicX509Credential}
     * depending on the requested credential type.
     *
     * <p>The type is the service's {@code signingCredentialType} if set,
     * otherwise the global {@code response.credentialType}; it is upper-cased
     * and parsed with {@code valueOf}, so an unrecognised value throws and is
     * handled by the catch-all below.
     *
     * <p>Any exception is logged and turned into a {@code null} return, which
     * the caller treats as "skip this credential". This is deliberate
     * best-effort over the set of metadata credentials; the caller still fails
     * if none survive.
     *
     * @param credential the credential resolved from IdP metadata
     * @param privateKey the IdP signing private key
     * @param samlRegisteredService the registered service (type override, name for logging)
     * @return the combined signing credential, or {@code null} if it could not be built
     */
    private AbstractCredential getResolvedSigningCredential(Credential credential, PrivateKey privateKey, SamlRegisteredService samlRegisteredService) {
        try {
            SamlIdPResponseProperties.SignatureCredentialTypes valueOf = SamlIdPResponseProperties.SignatureCredentialTypes.valueOf(((String) StringUtils.defaultIfBlank(samlRegisteredService.getSigningCredentialType(), this.casProperties.getAuthn().getSamlIdp().getResponse().getCredentialType().name())).toUpperCase());
            LOGGER.trace("Requested credential type [{}] is found for service [{}]", valueOf, samlRegisteredService.getName());
            // Ordinal-indexed switch map (see AnonymousClass1): 1 == BASIC, 2 == X509.
            switch (AnonymousClass1.$SwitchMap$org$apereo$cas$configuration$model$support$saml$idp$SamlIdPResponseProperties$SignatureCredentialTypes[valueOf.ordinal()]) {
                case 1:
                    LOGGER.debug("Building credential signing key [{}] based on requested credential type", valueOf);
                    if (credential.getPublicKey() == null) {
                        throw new IllegalArgumentException("Unable to identify the public key from the signing credential");
                    }
                    return finalizeSigningCredential(new BasicCredential(credential.getPublicKey(), privateKey), credential);
                case 2:
                default:
                    // X509: prefer the certificate carried by the metadata credential, else fall back to the locator's signing certificate file.
                    if (credential instanceof BasicX509Credential) {
                        X509Certificate entityCertificate = ((BasicX509Credential) BasicX509Credential.class.cast(credential)).getEntityCertificate();
                        LOGGER.debug("Locating signature signing certificate from credential [{}]", CertUtils.toString(entityCertificate));
                        return finalizeSigningCredential(new BasicX509Credential(entityCertificate, privateKey), credential);
                    }
                    Resource signingCertificate = this.samlIdPMetadataLocator.getSigningCertificate();
                    LOGGER.debug("Locating signature signing certificate file from [{}]", signingCertificate);
                    return finalizeSigningCredential(new BasicX509Credential(SamlUtils.readCertificate(signingCertificate), privateKey), credential);
            }
        } catch (Exception e) {
            LOGGER.error(e.getMessage(), e);
            return null;
        }
    }

    /**
     * Applies the service's optional {@code signingCredentialFingerprint}
     * filter to a candidate credential.
     *
     * <p>With no fingerprint configured every credential passes. Otherwise the
     * SHA-1 digest of the encoded public key is matched against the configured
     * value compiled as a regular expression with flag {@code 2}
     * ({@link Pattern#CASE_INSENSITIVE}) using {@code find()}, i.e. the
     * pattern only has to match a substring of the digest. A pattern that is
     * meant to select exactly one key should therefore be anchored
     * ({@code ^...$}) or be the full digest.
     *
     * <p>The fingerprint value is service configuration, not request input.
     *
     * @param abstractCredential the candidate credential; assumed to carry a public key
     * @param samlRegisteredService the registered service holding the filter
     * @return {@code true} if no filter is configured or the digest matches it
     */
    private static boolean doesCredentialFingerprintMatch(AbstractCredential abstractCredential, SamlRegisteredService samlRegisteredService) {
        String signingCredentialFingerprint = samlRegisteredService.getSigningCredentialFingerprint();
        if (!StringUtils.isNotBlank(signingCredentialFingerprint)) {
            return true;
        }
        String digest = DigestUtils.digest("SHA-1", abstractCredential.getPublicKey().getEncoded());
        Pattern createPattern = RegexUtils.createPattern(signingCredentialFingerprint, 2);
        LOGGER.debug("Matching credential fingerprint [{}] against filter [{}] for service [{}]", new Object[]{digest, signingCredentialFingerprint, samlRegisteredService.getName()});
        return createPattern.matcher(digest).find();
    }

    /**
     * Copies entity id, usage type and credential contexts from the
     * metadata-resolved credential onto the newly built signing credential.
     *
     * @param mutableCredential the freshly built credential (holds the private key)
     * @param credential the source credential from metadata
     * @return {@code mutableCredential} cast to {@link AbstractCredential}
     */
    private static AbstractCredential finalizeSigningCredential(MutableCredential mutableCredential, Credential credential) {
        mutableCredential.setEntityId(credential.getEntityId());
        mutableCredential.setUsageType(credential.getUsageType());
        credential.getCredentialContextSet().forEach(credentialContext -> {
            mutableCredential.getCredentialContextSet().add(credentialContext);
        });
        return (AbstractCredential) mutableCredential;
    }

    /**
     * Loads the IdP signing private key from the resource provided by the
     * metadata locator, using the key algorithm configured under
     * {@code metadata.privateKeyAlgName}.
     *
     * <p>The factory bean is non-singleton, so each call re-reads the key
     * resource rather than caching it.
     *
     * @return the signing private key
     * @throws Exception if the key resource cannot be read or parsed
     */
    protected PrivateKey getSigningPrivateKey() throws Exception {
        SamlIdPProperties samlIdp = this.casProperties.getAuthn().getSamlIdp();
        Resource signingKey = this.samlIdPMetadataLocator.getSigningKey();
        PrivateKeyFactoryBean privateKeyFactoryBean = new PrivateKeyFactoryBean();
        privateKeyFactoryBean.setLocation(signingKey);
        privateKeyFactoryBean.setAlgorithm(samlIdp.getMetadata().getPrivateKeyAlgName());
        privateKeyFactoryBean.setSingleton(false);
        LOGGER.debug("Locating signature signing key from [{}]", signingKey);
        return (PrivateKey) privateKeyFactoryBean.getObject();
    }

    /**
     * Creates the signer.
     *
     * @param metadataResolver resolver for the IdP's own metadata
     * @param casConfigurationProperties global CAS settings
     * @param samlIdPMetadataLocator locator for the IdP signing key/certificate resources
     */
    @Generated
    public SamlIdPObjectSigner(MetadataResolver metadataResolver, CasConfigurationProperties casConfigurationProperties, SamlIdPMetadataLocator samlIdPMetadataLocator) {
        this.casSamlIdPMetadataResolver = metadataResolver;
        this.casProperties = casConfigurationProperties;
        this.samlIdPMetadataLocator = samlIdPMetadataLocator;
    }
}
