package org.keycloak.protocol.saml;

import java.util.Iterator;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.jboss.resteasy.client.ClientRequest;
import org.jboss.resteasy.client.ClientResponse;
import org.jboss.resteasy.client.core.executors.ApacheHttpClient4Executor;
import org.keycloak.models.ApplicationModel;
import org.keycloak.models.ClaimMask;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.LoginProtocol;
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.managers.ResourceAdminManager;
import org.keycloak.services.resources.RealmsResource;
import org.keycloak.services.resources.flows.Flows;
import org.picketlink.common.constants.GeneralConstants;
import org.picketlink.common.constants.JBossSAMLURIConstants;
import org.picketlink.identity.federation.core.saml.v1.SAML11Constants;
import org.picketlink.identity.federation.core.saml.v2.constants.X500SAMLProfileConstants;
import org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler;
import org.picketlink.idm.model.basic.Group;

/* loaded from: input_file:WEB-INF/lib/keycloak-saml-protocol-1.1.0.Beta1.jar:org/keycloak/protocol/saml/SamlProtocol.class */
public class SamlProtocol implements LoginProtocol {
    protected static final Logger logger = Logger.getLogger((Class<?>) SamlProtocol.class);
    public static final String ATTRIBUTE_TRUE_VALUE = "true";
    public static final String ATTRIBUTE_FALSE_VALUE = "false";
    public static final String SAML_SIGNING_CERTIFICATE_ATTRIBUTE = "saml.signing.certificate";
    public static final String SAML_ENCRYPTION_CERTIFICATE_ATTRIBUTE = "saml.encryption.certificate";
    public static final String SAML_CLIENT_SIGNATURE_ATTRIBUTE = "saml.client.signature";
    public static final String LOGIN_PROTOCOL = "saml";
    public static final String SAML_BINDING = "saml_binding";
    public static final String SAML_POST_BINDING = "post";
    public static final String SAML_GET_BINDING = "get";
    public static final String SAML_SERVER_SIGNATURE = "saml.server.signature";
    public static final String SAML_ASSERTION_SIGNATURE = "saml.assertion.signature";
    public static final String SAML_AUTHNSTATEMENT = "saml.authnstatement";
    public static final String SAML_MULTIVALUED_ROLES = "saml.multivalued.roles";
    public static final String SAML_SIGNATURE_ALGORITHM = "saml.signature.algorithm";
    public static final String SAML_ENCRYPT = "saml.encrypt";
    public static final String SAML_FORCE_POST_BINDING = "saml.force.post.binding";
    public static final String SAML_REQUEST_ID = "SAML_REQUEST_ID";
    protected KeycloakSession session;
    protected RealmModel realm;
    protected UriInfo uriInfo;

    @Override // org.keycloak.protocol.LoginProtocol
    public SamlProtocol setSession(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
        return this;
    }

    @Override // org.keycloak.protocol.LoginProtocol
    public SamlProtocol setRealm(RealmModel realmModel) {
        this.realm = realmModel;
        return this;
    }

    @Override // org.keycloak.protocol.LoginProtocol
    public SamlProtocol setUriInfo(UriInfo uriInfo) {
        this.uriInfo = uriInfo;
        return this;
    }

    @Override // org.keycloak.protocol.LoginProtocol
    public Response cancelLogin(ClientSessionModel clientSessionModel) {
        return getErrorResponse(clientSessionModel, JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get());
    }

    @Override // org.keycloak.protocol.LoginProtocol
    public Response invalidSessionError(ClientSessionModel clientSessionModel) {
        return getErrorResponse(clientSessionModel, JBossSAMLURIConstants.STATUS_AUTHNFAILED.get());
    }

    protected String getResponseIssuer(RealmModel realmModel) {
        return RealmsResource.realmBaseUrl(this.uriInfo).build(new Object[]{realmModel.getName()}).toString();
    }

    protected Response getErrorResponse(ClientSessionModel clientSessionModel, String str) {
        SAML2ErrorResponseBuilder status = new SAML2ErrorResponseBuilder().relayState(clientSessionModel.getNote("RelayState")).destination(clientSessionModel.getRedirectUri()).responseIssuer(getResponseIssuer(this.realm)).status(str);
        try {
            return isPostBinding(clientSessionModel) ? status.postBinding().response() : status.redirectBinding().response();
        } catch (Exception e) {
            return Flows.forwardToSecurityFailurePage(this.session, this.realm, this.uriInfo, "Failed to process response");
        }
    }

    protected boolean isPostBinding(ClientSessionModel clientSessionModel) {
        return SAML_POST_BINDING.equals(clientSessionModel.getNote(SAML_BINDING)) || ATTRIBUTE_TRUE_VALUE.equals(clientSessionModel.getClient().getAttribute(SAML_FORCE_POST_BINDING));
    }

    @Override // org.keycloak.protocol.LoginProtocol
    public Response authenticated(UserSessionModel userSessionModel, ClientSessionCode clientSessionCode) {
        ClientSessionModel clientSession = clientSessionCode.getClientSession();
        ClientModel client = clientSession.getClient();
        String note = clientSession.getNote(SAML_REQUEST_ID);
        String note2 = clientSession.getNote("RelayState");
        String redirectUri = clientSession.getRedirectUri();
        String responseIssuer = getResponseIssuer(this.realm);
        SALM2LoginResponseBuilder sALM2LoginResponseBuilder = new SALM2LoginResponseBuilder();
        sALM2LoginResponseBuilder.requestID(note).relayState(note2).destination(redirectUri).responseIssuer(responseIssuer).requestIssuer(clientSession.getClient().getClientId()).userPrincipal(userSessionModel.getUser().getUsername()).attribute(X500SAMLProfileConstants.USERID.getFriendlyName(), userSessionModel.getUser().getId()).authMethod(JBossSAMLURIConstants.AC_UNSPECIFIED.get());
        initClaims(sALM2LoginResponseBuilder, clientSession.getClient(), userSessionModel.getUser());
        if (clientSession.getRoles() != null) {
            if (multivaluedRoles(client)) {
                sALM2LoginResponseBuilder.multiValuedRoles(true);
            }
            Iterator<String> it = clientSession.getRoles().iterator();
            while (it.hasNext()) {
                sALM2LoginResponseBuilder.roles(clientSession.getRealm().getRoleById(it.next()).getName());
            }
        }
        if (requiresRealmSignature(client)) {
            sALM2LoginResponseBuilder.signatureAlgorithm(getSignatureAlgorithm(client)).signWith(this.realm.getPrivateKey(), this.realm.getPublicKey()).signDocument();
        }
        if (requiresAssertionSignature(client)) {
            sALM2LoginResponseBuilder.signatureAlgorithm(getSignatureAlgorithm(client)).signWith(this.realm.getPrivateKey(), this.realm.getPublicKey()).signAssertions();
        }
        if (!includeAuthnStatement(client)) {
            sALM2LoginResponseBuilder.disableAuthnStatement(true);
        }
        if (requiresEncryption(client)) {
            try {
                sALM2LoginResponseBuilder.encrypt(SamlProtocolUtils.getEncryptionValidationKey(client));
            } catch (Exception e) {
                logger.error("failed", e);
                return Flows.forwardToSecurityFailurePage(this.session, this.realm, this.uriInfo, "Failed to process response");
            }
        }
        try {
            return isPostBinding(clientSession) ? sALM2LoginResponseBuilder.postBinding().response() : sALM2LoginResponseBuilder.redirectBinding().response();
        } catch (Exception e2) {
            logger.error("failed", e2);
            return Flows.forwardToSecurityFailurePage(this.session, this.realm, this.uriInfo, "Failed to process response");
        }
    }

    private boolean requiresRealmSignature(ClientModel clientModel) {
        return ATTRIBUTE_TRUE_VALUE.equals(clientModel.getAttribute(SAML_SERVER_SIGNATURE));
    }

    private boolean requiresAssertionSignature(ClientModel clientModel) {
        return ATTRIBUTE_TRUE_VALUE.equals(clientModel.getAttribute(SAML_ASSERTION_SIGNATURE));
    }

    private boolean includeAuthnStatement(ClientModel clientModel) {
        return ATTRIBUTE_TRUE_VALUE.equals(clientModel.getAttribute(SAML_AUTHNSTATEMENT));
    }

    private boolean multivaluedRoles(ClientModel clientModel) {
        return ATTRIBUTE_TRUE_VALUE.equals(clientModel.getAttribute(SAML_MULTIVALUED_ROLES));
    }

    public static SignatureAlgorithm getSignatureAlgorithm(ClientModel clientModel) {
        SignatureAlgorithm valueOf;
        String attribute = clientModel.getAttribute(SAML_SIGNATURE_ALGORITHM);
        return (attribute == null || (valueOf = SignatureAlgorithm.valueOf(attribute)) == null) ? SignatureAlgorithm.RSA_SHA256 : valueOf;
    }

    private boolean requiresEncryption(ClientModel clientModel) {
        return ATTRIBUTE_TRUE_VALUE.equals(clientModel.getAttribute(SAML_ENCRYPT));
    }

    public void initClaims(SALM2LoginResponseBuilder sALM2LoginResponseBuilder, ClientModel clientModel, UserModel userModel) {
        if (ClaimMask.hasEmail(clientModel.getAllowedClaimsMask())) {
            sALM2LoginResponseBuilder.attribute(X500SAMLProfileConstants.EMAIL_ADDRESS.getFriendlyName(), userModel.getEmail());
        }
        if (ClaimMask.hasName(clientModel.getAllowedClaimsMask())) {
            sALM2LoginResponseBuilder.attribute(X500SAMLProfileConstants.GIVEN_NAME.getFriendlyName(), userModel.getFirstName());
            sALM2LoginResponseBuilder.attribute(X500SAMLProfileConstants.SURNAME.getFriendlyName(), userModel.getLastName());
        }
    }

    @Override // org.keycloak.protocol.LoginProtocol
    public Response consentDenied(ClientSessionModel clientSessionModel) {
        return getErrorResponse(clientSessionModel, JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get());
    }

    @Override // org.keycloak.protocol.LoginProtocol
    public void backchannelLogout(UserSessionModel userSessionModel, ClientSessionModel clientSessionModel) {
        ClientModel client = clientSessionModel.getClient();
        if (client instanceof ApplicationModel) {
            ApplicationModel applicationModel = (ApplicationModel) client;
            if (applicationModel.getManagementUrl() == null) {
                return;
            }
            SAML2LogoutRequestBuilder destination = new SAML2LogoutRequestBuilder().userPrincipal(userSessionModel.getUser().getUsername()).destination(client.getClientId());
            if (requiresRealmSignature(client)) {
                destination.signatureAlgorithm(getSignatureAlgorithm(client)).signWith(this.realm.getPrivateKey(), this.realm.getPublicKey()).signDocument();
            }
            try {
                String encoded = destination.postBinding().encoded();
                String managementUrl = ResourceAdminManager.getManagementUrl(this.uriInfo.getRequestUri(), applicationModel);
                ApacheHttpClient4Executor createExecutor = ResourceAdminManager.createExecutor();
                try {
                    ClientRequest createRequest = createExecutor.createRequest(managementUrl);
                    createRequest.formParameter(GeneralConstants.SAML_REQUEST_KEY, encoded);
                    createRequest.formParameter(SAML2LogOutHandler.BACK_CHANNEL_LOGOUT, SAML2LogOutHandler.BACK_CHANNEL_LOGOUT);
                    try {
                        ClientResponse post = createRequest.post();
                        post.releaseConnection();
                        if (post.getStatus() == 302 && !managementUrl.endsWith(Group.PATH_SEPARATOR)) {
                            String str = (String) post.getHeaders().getFirst(SAML11Constants.LOCATION);
                            String str2 = managementUrl + Group.PATH_SEPARATOR;
                            if (str2.equals(str)) {
                                ClientRequest createRequest2 = createExecutor.createRequest(str2);
                                createRequest2.formParameter(GeneralConstants.SAML_REQUEST_KEY, encoded);
                                createRequest2.formParameter(SAML2LogOutHandler.BACK_CHANNEL_LOGOUT, SAML2LogOutHandler.BACK_CHANNEL_LOGOUT);
                                createRequest2.post().releaseConnection();
                            }
                        }
                    } catch (Exception e) {
                        logger.warn("failed to send saml logout", e);
                    }
                } finally {
                    createExecutor.getHttpClient().getConnectionManager().shutdown();
                }
            } catch (Exception e2) {
                logger.warn("failed to send saml logout", e2);
            }
        }
    }

    @Override // org.keycloak.provider.Provider
    public void close() {
    }
}
