package edu.internet2.middleware.shibboleth.idp.profile.saml2;

import edu.internet2.middleware.shibboleth.common.attribute.provider.BasicAttribute;
import edu.internet2.middleware.shibboleth.common.profile.ProfileException;
import edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext;
import edu.internet2.middleware.shibboleth.common.relyingparty.provider.saml2.AttributeQueryConfiguration;
import edu.internet2.middleware.shibboleth.idp.session.AuthenticationMethodInformation;
import edu.internet2.middleware.shibboleth.idp.session.Session;
import java.util.ArrayList;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.SAMLObjectBuilder;
import org.opensaml.common.binding.BasicEndpointSelector;
import org.opensaml.common.binding.decoding.SAMLMessageDecoder;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeQuery;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.AttributeAuthorityDescriptor;
import org.opensaml.saml2.metadata.Endpoint;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.ws.transport.http.HTTPInTransport;
import org.opensaml.ws.transport.http.HTTPOutTransport;
import org.opensaml.xml.security.SecurityException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:edu/internet2/middleware/shibboleth/idp/profile/saml2/AttributeQueryProfileHandler.class */
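/**
 * SAML 2.0 attribute query profile handler.
 *
 * <p>Decodes an inbound {@link AttributeQuery}, resolves the principal named by the query
 * subject, resolves and filters that principal's attributes, and answers with a
 * {@link Response} carrying at most one attribute statement. Every failure path records a
 * SAML status on the request context first and then falls through to an error response, so
 * the relying party always receives a well-formed reply.
 *
 * <p>The NameID written into the outbound assertion is a copy of the NameID supplied in the
 * query subject (see {@link #buildNameId}); the handler does not mint a new identifier.
 */
public class AttributeQueryProfileHandler extends AbstractSAML2ProfileHandler {

    private static final Logger log = LoggerFactory.getLogger(AttributeQueryProfileHandler.class);

    /** SAML 2.0 protocol URI used for both the inbound and the outbound message. */
    private static final String SAML2_PROTOCOL_URI = "urn:oasis:names:tc:SAML:2.0:protocol";

    /** SOAP binding URI; a query received over SOAP is answered on the same connection. */
    private static final String SOAP_BINDING_URI = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP";

    /** Subject confirmation method placed on the issued assertion. */
    private static final String SENDER_VOUCHES_URI = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches";

    private static final String STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester";
    private static final String STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder";
    private static final String STATUS_REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied";
    private static final String STATUS_REQUEST_UNSUPPORTED = "urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported";

    /** Builder for the NameID copied from the query subject into the outbound assertion. */
    private SAMLObjectBuilder<NameID> nameIDBuilder = getBuilderFactory().getBuilder(NameID.DEFAULT_ELEMENT_NAME);

    /** Builder for the synthetic SOAP endpoint returned by {@link #selectEndpoint} for SOAP queries. */
    private SAMLObjectBuilder<AssertionConsumerService> acsEndpointBuilder = getBuilderFactory().getBuilder(AssertionConsumerService.DEFAULT_ELEMENT_NAME);

    /** Request context for a single attribute query exchange. */
    public class AttributeQueryContext extends BaseSAML2ProfileRequestContext<AttributeQuery, Response, AttributeQueryConfiguration> {
        protected AttributeQueryContext() {
        }
    }

    /**
     * Returns the profile identifier this handler implements.
     *
     * @return the SAML 2 attribute query profile URI
     */
    public String getProfileId() {
        return "urn:mace:shibboleth:2.0:profiles:saml2:query:attribute";
    }

    /**
     * Processes one attribute query: decode, validate, resolve principal and attributes, then
     * encode either a success response or an error response.
     *
     * <p>Any {@link ProfileException} raised while handling the query is turned into an error
     * response built from the failure status already set on the context; the response is then
     * encoded and audit-logged exactly as a success response would be.
     *
     * @param inTransport  inbound HTTP transport carrying the query
     * @param outTransport outbound HTTP transport the response is written to
     * @throws ProfileException if the response cannot be encoded
     */
    public void processRequest(HTTPInTransport inTransport, HTTPOutTransport outTransport) throws ProfileException {
        AttributeQueryContext requestContext = new AttributeQueryContext();
        Response samlResponse;
        try {
            decodeRequest(requestContext, inTransport, outTransport);
            if (requestContext.getProfileConfiguration() == null) {
                String msg = "SAML 2 Attribute Query profile is not configured for relying party " + requestContext.getInboundMessageIssuer();
                requestContext.setFailureStatus(buildStatus(STATUS_RESPONDER, STATUS_REQUEST_DENIED, msg));
                log.warn(msg);
                samlResponse = buildErrorResponse(requestContext);
            } else {
                checkSamlVersion(requestContext);
                rejectAttributeValueRequests(requestContext);
                resolvePrincipal(requestContext);
                attachUserSession(requestContext);
                resolveAttributes(requestContext);
                samlResponse = buildQueryResponse(requestContext);
            }
        } catch (ProfileException e) {
            // The failure status was recorded by whichever step threw; surface the cause at
            // debug level so the warn-level entry written at the throw site is not duplicated.
            log.debug("Attribute query processing failed, returning error response", e);
            samlResponse = buildErrorResponse(requestContext);
        }

        requestContext.setOutboundSAMLMessage(samlResponse);
        requestContext.setOutboundSAMLMessageId(samlResponse.getID());
        requestContext.setOutboundSAMLMessageIssueInstant(samlResponse.getIssueInstant());
        encodeResponse(requestContext);
        writeAuditLogEntry(requestContext);
    }

    /**
     * Rejects queries that request specific attribute values. Only whole-attribute requests are
     * supported, so such a query is answered with a RequestUnsupported status.
     *
     * @param requestContext context whose inbound message is the decoded query
     * @throws ProfileException if any requested attribute carries one or more values
     */
    private void rejectAttributeValueRequests(AttributeQueryContext requestContext) throws ProfileException {
        AttributeQuery query = (AttributeQuery) requestContext.getInboundSAMLMessage();
        if (query.getAttributes() == null) {
            return;
        }
        for (Attribute requested : query.getAttributes()) {
            if (requested.getAttributeValues() != null && !requested.getAttributeValues().isEmpty()) {
                log.warn("Specific attribute values requested in query from '{}'. This functionality is not supported", requestContext.getInboundMessageIssuer());
                requestContext.setFailureStatus(buildStatus(STATUS_RESPONDER, STATUS_REQUEST_UNSUPPORTED, "Request of specific attribute values during an attribute query is not supported"));
                throw new ProfileException();
            }
        }
    }

    /**
     * Attaches the principal's existing IdP session, if one is known, and records the
     * authentication method that principal used with the querying relying party. The
     * principal name must already have been resolved on the context.
     *
     * @param requestContext context carrying the resolved principal name
     */
    private void attachUserSession(AttributeQueryContext requestContext) {
        Session session = (Session) getSessionManager().getSession(requestContext.getPrincipalName());
        if (session == null) {
            return;
        }
        requestContext.setUserSession(session);
        AuthenticationMethodInformation authnInfo = session.getAuthenticationMethods().get(requestContext.getInboundMessageIssuer());
        if (authnInfo != null) {
            requestContext.setPrincipalAuthenticationMethod(authnInfo.getAuthenticationMethod());
        }
    }

    /**
     * Builds the success response. The attribute statement is included only when the filtered
     * attribute set produced one; in that case the released attribute IDs are recorded on the
     * context for the audit log.
     *
     * @param requestContext context carrying the resolved attributes
     * @return the response, with zero or one attribute statement
     * @throws ProfileException if the statement or response cannot be built
     */
    private Response buildQueryResponse(AttributeQueryContext requestContext) throws ProfileException {
        // Raw type kept on purpose: the element type is fixed by the superclass signature.
        ArrayList statements = new ArrayList();
        AttributeStatement attributeStatement = buildAttributeStatement(requestContext);
        if (attributeStatement != null) {
            requestContext.setReleasedAttributes(requestContext.getAttributes().keySet());
            statements.add(attributeStatement);
        }
        return buildResponse(requestContext, SENDER_VOUCHES_URI, statements);
    }

    /**
     * Decodes the inbound message into the request context and verifies it is an
     * {@link AttributeQuery}. Security-policy and decoding failures are recorded as a failure
     * status and rethrown as {@link ProfileException} with the original cause preserved.
     *
     * <p>{@link #populateRequestContext} always runs, even on failure, so that the error
     * response can still be routed to the relying party.
     *
     * @param requestContext context to populate
     * @param inTransport    inbound HTTP transport
     * @param outTransport   outbound HTTP transport
     * @throws ProfileException if decoding fails, the security policy rejects the message, or
     *                          the message is not an attribute query
     */
    protected void decodeRequest(AttributeQueryContext requestContext, HTTPInTransport inTransport, HTTPOutTransport outTransport) throws ProfileException {
        if (log.isDebugEnabled()) {
            log.debug("Decoding message with decoder binding '{}'", getInboundMessageDecoder(requestContext).getBindingURI());
        }

        requestContext.setCommunicationProfileId(getProfileId());
        requestContext.setMetadataProvider(getMetadataProvider());
        requestContext.setInboundMessageTransport(inTransport);
        requestContext.setInboundSAMLProtocol(SAML2_PROTOCOL_URI);
        requestContext.setSecurityPolicyResolver(getSecurityPolicyResolver());
        requestContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
        requestContext.setOutboundMessageTransport(outTransport);
        requestContext.setOutboundSAMLProtocol(SAML2_PROTOCOL_URI);

        try {
            SAMLMessageDecoder decoder = getInboundMessageDecoder(requestContext);
            requestContext.setMessageDecoder(decoder);
            decoder.decode(requestContext);
            log.debug("Decoded request from relying party '{}'", requestContext.getInboundMessageIssuer());

            Object inbound = requestContext.getInboundSAMLMessage();
            if (!(inbound instanceof AttributeQuery)) {
                // The decoder may leave no message at all; report that without dereferencing null.
                String actualType = inbound == null ? "null" : inbound.getClass().getName();
                log.warn("Incoming message was not a AttributeQuery, it was a {}", actualType);
                requestContext.setFailureStatus(buildStatus(STATUS_REQUESTER, null, "Invalid SAML AttributeQuery message."));
                throw new ProfileException("Invalid SAML AttributeQuery message.");
            }
        } catch (MessageDecodingException e) {
            log.warn("Error decoding attribute query message", e);
            requestContext.setFailureStatus(buildStatus(STATUS_RESPONDER, null, "Error decoding attribute query message"));
            throw new ProfileException("Error decoding attribute query message", e);
        } catch (SecurityException e) {
            log.warn("Message did not meet security requirements", e);
            requestContext.setFailureStatus(buildStatus(STATUS_RESPONDER, STATUS_REQUEST_DENIED, "Message did not meet security requirements"));
            throw new ProfileException("Message did not meet security requirements", e);
        } finally {
            populateRequestContext(requestContext);
        }
    }

    /**
     * Resolves the querying relying party's SAML 2 SP role metadata once its entity metadata
     * is known.
     *
     * @param requestContext context to populate
     * @throws ProfileException propagated from the superclass lookup
     */
    @Override
    public void populateRelyingPartyInformation(BaseSAMLProfileRequestContext requestContext) throws ProfileException {
        super.populateRelyingPartyInformation(requestContext);
        EntityDescriptor peerMetadata = requestContext.getPeerEntityMetadata();
        if (peerMetadata == null) {
            return;
        }
        requestContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
        requestContext.setPeerEntityRoleMetadata(peerMetadata.getSPSSODescriptor(SAML2_PROTOCOL_URI));
    }

    /**
     * Resolves this IdP's SAML 2 attribute authority role metadata once its entity metadata
     * is known.
     *
     * @param requestContext context to populate
     * @throws ProfileException propagated from the superclass lookup
     */
    @Override
    public void populateAssertingPartyInformation(BaseSAMLProfileRequestContext requestContext) throws ProfileException {
        super.populateAssertingPartyInformation(requestContext);
        EntityDescriptor localMetadata = requestContext.getLocalEntityMetadata();
        if (localMetadata == null) {
            return;
        }
        requestContext.setLocalEntityRole(AttributeAuthorityDescriptor.DEFAULT_ELEMENT_NAME);
        requestContext.setLocalEntityRoleMetadata(localMetadata.getAttributeAuthorityDescriptor(SAML2_PROTOCOL_URI));
    }

    /**
     * Copies the query subject's NameID onto the context. A query without a subject cannot
     * name a principal and is rejected with a Requester status.
     *
     * @param requestContext context whose inbound message is the decoded query
     * @throws ProfileException if the query has no subject
     */
    @Override
    protected void populateSAMLMessageInformation(BaseSAMLProfileRequestContext requestContext) throws ProfileException {
        AttributeQuery query = requestContext.getInboundSAMLMessage();
        if (query == null) {
            return;
        }
        Subject subject = query.getSubject();
        if (subject == null) {
            log.warn("Attribute query did not contain a proper subject");
            ((AttributeQueryContext) requestContext).setFailureStatus(buildStatus(STATUS_REQUESTER, null, "Attribute query did not contain a proper subject"));
            throw new ProfileException("Attribute query did not contain a proper subject");
        }
        requestContext.setSubjectNameIdentifier(subject.getNameID());
    }

    /**
     * Selects where the response goes. A query received over SOAP is answered on the same
     * connection, so a synthetic SOAP endpoint is returned; otherwise an assertion consumer
     * service is picked from the relying party's metadata, constrained to the outbound
     * bindings this handler supports.
     *
     * @param requestContext context carrying the peer metadata and the inbound message
     * @return the endpoint the response is sent to
     */
    @Override
    protected Endpoint selectEndpoint(BaseSAMLProfileRequestContext requestContext) {
        if (getInboundBinding().equals(SOAP_BINDING_URI)) {
            Endpoint soapEndpoint = (Endpoint) this.acsEndpointBuilder.buildObject();
            soapEndpoint.setBinding(SOAP_BINDING_URI);
            return soapEndpoint;
        }

        BasicEndpointSelector selector = new BasicEndpointSelector();
        selector.setEndpointType(AssertionConsumerService.DEFAULT_ELEMENT_NAME);
        selector.setMetadataProvider(getMetadataProvider());
        selector.setEntityMetadata(requestContext.getPeerEntityMetadata());
        selector.setEntityRoleMetadata(requestContext.getPeerEntityRoleMetadata());
        selector.setSamlRequest(requestContext.getInboundSAMLMessage());
        selector.getSupportedIssuerBindings().addAll(getSupportedOutboundBindings());
        return selector.selectEndpoint();
    }

    /**
     * Builds the outbound NameID by copying every field of the NameID supplied in the query
     * subject. When the copied value is non-null it is also exposed to the attribute layer as
     * the {@code outboundQueryNameID} attribute.
     *
     * @param requestContext context carrying the subject NameID taken from the query
     * @return a fresh NameID mirroring the query subject, or null if the query supplied none
     * @throws ProfileException never thrown here; declared for the overridden signature
     */
    @Override
    public NameID buildNameId(BaseSAML2ProfileRequestContext<?, ?, ?> requestContext) throws ProfileException {
        log.debug("Reusing NameID supplied in query");
        NameID queryNameId = requestContext.getSubjectNameIdentifier();
        if (queryNameId == null) {
            return null;
        }

        NameID nameId = this.nameIDBuilder.buildObject();
        nameId.setValue(queryNameId.getValue());
        nameId.setNameQualifier(queryNameId.getNameQualifier());
        nameId.setSPNameQualifier(queryNameId.getSPNameQualifier());
        nameId.setFormat(queryNameId.getFormat());
        nameId.setSPProvidedID(queryNameId.getSPProvidedID());

        if (nameId.getValue() != null) {
            BasicAttribute nameIdAttribute = new BasicAttribute();
            nameIdAttribute.setId("outboundQueryNameID");
            nameIdAttribute.getValues().add(nameId.getValue());
            requestContext.setNameIdentifierAttribute(nameIdAttribute);
        }
        return nameId;
    }
}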
