package org.keycloak.protocol.saml;

import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Properties;
import java.util.TreeSet;
import javax.ws.rs.Consumes;
import javax.ws.rs.FormParam;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.keycloak.common.VerificationException;
import org.keycloak.common.util.PemUtils;
import org.keycloak.common.util.StreamUtil;
import org.keycloak.common.util.StringPropertyReplacer;
import org.keycloak.dom.saml.v2.assertion.NameIDType;
import org.keycloak.dom.saml.v2.assertion.SubjectType;
import org.keycloak.dom.saml.v2.metadata.KeyTypes;
import org.keycloak.dom.saml.v2.protocol.AuthnRequestType;
import org.keycloak.dom.saml.v2.protocol.LogoutRequestType;
import org.keycloak.dom.saml.v2.protocol.NameIDPolicyType;
import org.keycloak.dom.saml.v2.protocol.RequestAbstractType;
import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.keys.KeyMetadata;
import org.keycloak.keys.RsaKeyMetadata;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeyManager;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.AuthorizationEndpointBase;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.utils.RedirectUtils;
import org.keycloak.protocol.saml.profile.ecp.SamlEcpProfileService;
import org.keycloak.rotation.HardcodedKeyLocator;
import org.keycloak.saml.SAML2LogoutResponseBuilder;
import org.keycloak.saml.SAMLRequestParser;
import org.keycloak.saml.SPMetadataDescriptor;
import org.keycloak.saml.SignatureAlgorithm;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
import org.keycloak.saml.processing.core.util.KeycloakKeySamlExtensionGenerator;
import org.keycloak.services.ErrorPage;
import org.keycloak.services.clientregistration.ErrorCodes;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.RealmsResource;
import org.keycloak.services.util.CacheControlUtil;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.sessions.CommonClientSessionModel;
import org.keycloak.social.stackoverflow.StackoverflowIdentityProvider;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:org/keycloak/protocol/saml/SamlService.class */
public class SamlService extends AuthorizationEndpointBase {
    protected static final Logger logger = Logger.getLogger(SamlService.class);
    private final Map<String, Integer> knownPorts;
    private final Map<Integer, String> knownProtocols;

    /* loaded from: input_file:org/keycloak/protocol/saml/SamlService$BindingProtocol.class */
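    /**
     * Binding-independent handling of inbound SAML messages: AuthnRequest,
     * LogoutRequest and the logout StatusResponse. Subclasses supply the
     * binding-specific document parsing and signature verification.
     * <p>
     * Deliberately a non-static inner class: it reads the enclosing
     * {@code SamlService}'s session, realm, event builder, uriInfo, headers
     * and clientConnection.
     */
    public abstract class BindingProtocol {
        // When true the login flow redirects the browser to the authentication
        // endpoint instead of rendering it directly; set by postBinding().
        protected boolean redirectToAuthentication;

        public BindingProtocol() {
        }

        /**
         * Builds the standard 400 error page for this endpoint.
         *
         * @param message one of the {@link Messages} keys
         * @return the error page response
         */
        private Response badRequest(String message) {
            return ErrorPage.error(SamlService.this.session, null, Response.Status.BAD_REQUEST, message, new Object[0]);
        }

        /**
         * Preconditions shared by every SAML message: the SSL policy must be
         * satisfied, the realm must be enabled, and at least one of
         * SAMLRequest / SAMLResponse must have been supplied.
         *
         * @param samlRequest  raw SAMLRequest parameter, may be null
         * @param samlResponse raw SAMLResponse parameter, may be null
         * @return an error page when a check fails, otherwise null
         */
        protected Response basicChecks(String samlRequest, String samlResponse) {
            if (!checkSsl()) {
                SamlService.this.event.event(EventType.LOGIN);
                SamlService.this.event.error("ssl_required");
                return badRequest(Messages.HTTPS_REQUIRED);
            }
            if (!SamlService.this.realm.isEnabled()) {
                SamlService.this.event.event(EventType.LOGIN_ERROR);
                SamlService.this.event.error("realm_disabled");
                return badRequest(Messages.REALM_NOT_ENABLED);
            }
            if (samlRequest == null && samlResponse == null) {
                SamlService.this.event.event(EventType.LOGIN);
                SamlService.this.event.error("invalid_token");
                return badRequest(Messages.INVALID_REQUEST);
            }
            return null;
        }

        /**
         * Handles a SAMLResponse, which on this endpoint is the StatusResponse an
         * SP returns at the end of a logout round-trip. The user session is located
         * through the identity cookie and must already be in state LOGGING_OUT;
         * anything else is rejected.
         *
         * @param samlResponse raw SAMLResponse parameter
         * @param relayState   RelayState parameter; not used for responses, kept for
         *                     symmetry with {@link #handleSamlRequest(String, String)}
         * @return the browser logout continuation, or an error page
         */
        protected Response handleSamlResponse(String samlResponse, String relayState) {
            SamlService.this.event.event(EventType.LOGOUT);
            SAMLDocumentHolder holder = extractResponseDocument(samlResponse);
            // The null guard mirrors handleSamlRequest: a parser failure is a 400, not an NPE.
            if (holder == null || !(holder.getSamlObject() instanceof StatusResponseType)) {
                SamlService.this.event.detail("reason", "invalid_saml_response");
                SamlService.this.event.error("invalid_saml_response");
                return badRequest(Messages.INVALID_REQUEST);
            }
            StatusResponseType statusResponse = (StatusResponseType) holder.getSamlObject();
            // A Destination, when present, must name exactly this endpoint.
            if (statusResponse.getDestination() != null && !SamlService.this.uriInfo.getAbsolutePath().toString().equals(statusResponse.getDestination())) {
                SamlService.this.event.detail("reason", "invalid_destination");
                SamlService.this.event.error("invalid_logout_response");
                return badRequest(Messages.INVALID_REQUEST);
            }
            AuthenticationManager.AuthResult authResult = AuthenticationManager.authenticateIdentityCookie(SamlService.this.session, SamlService.this.realm, false);
            if (authResult == null) {
                SamlService.logger.warn("Unknown saml response.");
                SamlService.this.event.event(EventType.LOGOUT);
                SamlService.this.event.error("invalid_token");
                return badRequest(Messages.INVALID_REQUEST);
            }
            UserSessionModel userSession = authResult.getSession();
            if (userSession.getState() != UserSessionModel.State.LOGGING_OUT) {
                SamlService.logger.warn("Unknown saml response.");
                SamlService.logger.warn("UserSession is not tagged as logging out.");
                SamlService.this.event.event(EventType.LOGOUT);
                SamlService.this.event.error("invalid_logout_response");
                return badRequest(Messages.INVALID_REQUEST);
            }
            // A missing Issuer is treated like an unknown client instead of dereferencing null.
            String issuer = statusResponse.getIssuer() == null ? null : statusResponse.getIssuer().getValue();
            ClientModel client = SamlService.this.realm.getClientByClientId(issuer);
            if (client == null) {
                SamlService.this.event.event(EventType.LOGOUT);
                SamlService.this.event.client(issuer);
                SamlService.this.event.error("client_not_found");
                return badRequest(Messages.CLIENT_NOT_FOUND);
            }
            SamlService.this.session.getContext().setClient(client);
            SamlService.logger.debug("logout response");
            Response logoutResponse = AuthenticationManager.browserLogout(SamlService.this.session, SamlService.this.realm, userSession, SamlService.this.uriInfo, SamlService.this.clientConnection, SamlService.this.headers);
            SamlService.this.event.success();
            return logoutResponse;
        }

        /**
         * Handles a SAMLRequest: parses it, resolves and validates the issuing
         * client, verifies the signature according to the binding's rules and
         * dispatches to {@link #loginRequest} or {@link #logoutRequest}.
         *
         * @param samlRequest raw SAMLRequest parameter
         * @param relayState  RelayState parameter, may be null
         * @return the next response in the flow, or an error page
         */
        protected Response handleSamlRequest(String samlRequest, String relayState) {
            SAMLDocumentHolder holder = extractRequestDocument(samlRequest);
            if (holder == null) {
                SamlService.this.event.event(EventType.LOGIN);
                SamlService.this.event.error("invalid_token");
                return badRequest(Messages.INVALID_REQUEST);
            }
            // Hold the parsed object as Object until the instanceof check below, so a
            // non-request document is rejected with a 400 rather than failing on a cast.
            Object samlObject = holder.getSamlObject();
            if (!(samlObject instanceof RequestAbstractType)) {
                SamlService.this.event.event(EventType.LOGIN);
                SamlService.this.event.error("invalid_authn_request");
                return badRequest(Messages.INVALID_REQUEST);
            }
            RequestAbstractType request = (RequestAbstractType) samlObject;
            // A missing Issuer is treated like an unknown requester instead of dereferencing null.
            String issuer = request.getIssuer() == null ? null : request.getIssuer().getValue();
            ClientModel client = SamlService.this.realm.getClientByClientId(issuer);
            if (client == null) {
                SamlService.this.event.event(EventType.LOGIN);
                SamlService.this.event.client(issuer);
                SamlService.this.event.error("client_not_found");
                return badRequest(Messages.UNKNOWN_LOGIN_REQUESTER);
            }
            if (!client.isEnabled()) {
                SamlService.this.event.event(EventType.LOGIN);
                SamlService.this.event.error("client_disabled");
                return badRequest(Messages.LOGIN_REQUESTER_NOT_ENABLED);
            }
            if (client.isBearerOnly()) {
                SamlService.this.event.event(EventType.LOGIN);
                SamlService.this.event.error("not_allowed");
                return badRequest(Messages.BEARER_ONLY);
            }
            if (!client.isStandardFlowEnabled()) {
                SamlService.this.event.event(EventType.LOGIN);
                SamlService.this.event.error("not_allowed");
                return badRequest(Messages.STANDARD_FLOW_DISABLED);
            }
            SamlService.this.session.getContext().setClient(client);
            try {
                // Binding-specific: POST always verifies the document signature, Redirect
                // verifies the query signature only when the client requires it.
                verifySignature(holder, client);
                SamlService.logger.debug("verified request");
                if (request instanceof AuthnRequestType) {
                    SamlService.logger.debug("** login request");
                    SamlService.this.event.event(EventType.LOGIN);
                    return loginRequest(relayState, (AuthnRequestType) request, client);
                }
                if (request instanceof LogoutRequestType) {
                    SamlService.logger.debug("** logout request");
                    SamlService.this.event.event(EventType.LOGOUT);
                    return logoutRequest((LogoutRequestType) request, client, relayState);
                }
                SamlService.this.event.event(EventType.LOGIN);
                SamlService.this.event.error("invalid_token");
                return badRequest(Messages.INVALID_REQUEST);
            } catch (VerificationException e) {
                SamlService.logger.error("request validation failed", e);
                SamlService.this.event.event(EventType.LOGIN);
                SamlService.this.event.error("invalid_signature");
                return badRequest(Messages.INVALID_REQUESTER);
            }
        }

        /**
         * Verifies the request signature according to the binding's rules.
         *
         * @throws VerificationException when the signature is missing or invalid
         */
        protected abstract void verifySignature(SAMLDocumentHolder sAMLDocumentHolder, ClientModel clientModel) throws VerificationException;

        /** Parses the raw SAMLRequest parameter for this binding; may return null on failure. */
        protected abstract SAMLDocumentHolder extractRequestDocument(String str);

        /** Parses the raw SAMLResponse parameter for this binding. */
        protected abstract SAMLDocumentHolder extractResponseDocument(String str);

        /**
         * Processes a verified AuthnRequest: validates the Destination and the
         * assertion consumer URL, records the SAML-specific notes on a new
         * authentication session and hands off to the browser login flow.
         *
         * @param relayState   RelayState to echo back to the SP, may be null
         * @param authnRequest the parsed request
         * @param client       the requesting SP
         * @return the next response in the login flow, or an error page
         */
        public Response loginRequest(String relayState, AuthnRequestType authnRequest, ClientModel client) {
            SamlClient samlClient = new SamlClient(client);
            // Signed requests must carry a Destination so the signature binds the target.
            if (authnRequest.getDestination() == null && samlClient.requiresClientSignature()) {
                SamlService.this.event.detail("reason", "invalid_destination");
                SamlService.this.event.error("invalid_authn_request");
                return badRequest(Messages.INVALID_REQUEST);
            }
            if (!SamlService.this.isValidDestination(authnRequest.getDestination())) {
                SamlService.this.event.detail("reason", "invalid_destination");
                SamlService.this.event.error("invalid_authn_request");
                return badRequest(Messages.INVALID_REQUEST);
            }
            String bindingType = getBindingType(authnRequest);
            if (samlClient.forcePostBinding()) {
                bindingType = SamlProtocol.SAML_POST_BINDING;
            }
            String redirectUri;
            URI acsUrl = authnRequest.getAssertionConsumerServiceURL();
            if (acsUrl == null || "null".equals(acsUrl.toString())) {
                // No ACS URL in the request: fall back to the URL configured on the client for this binding.
                redirectUri = SamlProtocol.SAML_POST_BINDING.equals(bindingType)
                        ? client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE)
                        : client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE);
                if (redirectUri == null) {
                    redirectUri = client.getManagementUrl();
                }
            } else {
                // An SP-supplied ACS URL is only honoured when it matches the client's registered redirect URIs.
                redirectUri = RedirectUtils.verifyRedirectUri(SamlService.this.uriInfo, acsUrl.toString(), SamlService.this.realm, client);
            }
            if (redirectUri == null) {
                SamlService.this.event.error(ErrorCodes.INVALID_REDIRECT_URI);
                return badRequest(Messages.INVALID_REDIRECT_URI);
            }
            AuthenticationSessionModel authSession = SamlService.this.createAuthenticationSession(client, relayState);
            authSession.setProtocol("saml");
            authSession.setRedirectUri(redirectUri);
            authSession.setAction(CommonClientSessionModel.Action.AUTHENTICATE.name());
            authSession.setClientNote(SamlProtocol.SAML_BINDING, bindingType);
            authSession.setClientNote("RelayState", relayState);
            authSession.setClientNote(SamlProtocol.SAML_REQUEST_ID, authnRequest.getID());
            NameIDPolicyType nameIdPolicy = authnRequest.getNameIDPolicy();
            URI nameIdFormat = nameIdPolicy == null ? null : nameIdPolicy.getFormat();
            // The requested NameID format is honoured unless the client forces its own.
            if (nameIdFormat != null && !samlClient.forceNameIDFormat()) {
                String formatUri = nameIdFormat.toString();
                if (!isSupportedNameIdFormat(formatUri)) {
                    SamlService.this.event.detail("reason", "unsupported_nameid_format");
                    SamlService.this.event.error("invalid_authn_request");
                    return badRequest(Messages.UNSUPPORTED_NAME_ID_FORMAT);
                }
                authSession.setClientNote("NAMEID_FORMAT", formatUri);
            }
            // A NameID in the Subject is passed on as a login hint only.
            SubjectType subject = authnRequest.getSubject();
            if (subject != null && subject.getSubType() != null) {
                Object baseId = subject.getSubType().getBaseID();
                if (baseId instanceof NameIDType) {
                    authSession.setClientNote(OIDCLoginProtocol.LOGIN_HINT_PARAM, ((NameIDType) baseId).getValue());
                }
            }
            // isIsPassive() is boxed; an absent IsPassive attribute counts as false.
            boolean isPassive = Boolean.TRUE.equals(authnRequest.isIsPassive());
            return SamlService.this.newBrowserAuthentication(authSession, isPassive, this.redirectToAuthentication);
        }

        /**
         * Resolves the response binding from the request's ProtocolBinding,
         * defaulting to the binding the request arrived on.
         *
         * @param authnRequest the parsed request
         * @return SamlProtocol.SAML_POST_BINDING or SamlProtocol.SAML_REDIRECT_BINDING
         */
        protected String getBindingType(AuthnRequestType authnRequest) {
            URI protocolBinding = authnRequest.getProtocolBinding();
            if (protocolBinding == null) {
                return getBindingType();
            }
            return JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get().equals(protocolBinding.toString())
                    ? SamlProtocol.SAML_POST_BINDING
                    : SamlProtocol.SAML_REDIRECT_BINDING;
        }

        /**
         * @param formatUri NameID format URI from the request
         * @return true for the email, transient, persistent and unspecified formats
         */
        private boolean isSupportedNameIdFormat(String formatUri) {
            return formatUri.equals(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get())
                    || formatUri.equals(JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get())
                    || formatUri.equals(JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get())
                    || formatUri.equals(JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get());
        }

        /** @return the binding this protocol instance serves. */
        protected abstract String getBindingType();

        /**
         * Processes a verified LogoutRequest. With a valid identity cookie the
         * browser logout flow is started and the logout parameters are recorded
         * on the user session; without one, the SessionIndex values are logged
         * out through the back channel and a LogoutResponse is returned directly.
         *
         * @param request    the parsed logout request
         * @param client     the requesting SP
         * @param relayState RelayState to echo back, may be null
         * @return the logout continuation or LogoutResponse, or an error page
         */
        protected Response logoutRequest(LogoutRequestType request, ClientModel client, String relayState) {
            SamlClient samlClient = new SamlClient(client);
            if (request.getDestination() == null && samlClient.requiresClientSignature()) {
                SamlService.this.event.detail("reason", "invalid_destination");
                SamlService.this.event.error("invalid_logout_request");
                return badRequest(Messages.INVALID_REQUEST);
            }
            if (!SamlService.this.isValidDestination(request.getDestination())) {
                SamlService.this.event.detail("reason", "invalid_destination");
                SamlService.this.event.error("invalid_logout_request");
                return badRequest(Messages.INVALID_REQUEST);
            }
            AuthenticationManager.AuthResult authResult = AuthenticationManager.authenticateIdentityCookie(SamlService.this.session, SamlService.this.realm, false);
            if (authResult != null) {
                String bindingType = getBindingType();
                String postLogoutUrl = SamlProtocol.getLogoutServiceUrl(SamlService.this.uriInfo, client, SamlProtocol.SAML_POST_BINDING);
                // Forcing POST only makes sense when the client has a POST logout URL configured.
                if (samlClient.forcePostBinding() && postLogoutUrl != null && !postLogoutUrl.trim().isEmpty()) {
                    bindingType = SamlProtocol.SAML_POST_BINDING;
                }
                boolean postBinding = Objects.equals(SamlProtocol.SAML_POST_BINDING, bindingType);
                String logoutBindingUri = SamlProtocol.getLogoutServiceUrl(SamlService.this.uriInfo, client, bindingType);
                UserSessionModel userSession = authResult.getSession();
                // These notes drive the LogoutResponse that is built once the browser logout completes.
                userSession.setNote(SamlProtocol.SAML_LOGOUT_BINDING_URI, logoutBindingUri);
                if (samlClient.requiresRealmSignature()) {
                    userSession.setNote(SamlProtocol.SAML_LOGOUT_SIGNATURE_ALGORITHM, samlClient.getSignatureAlgorithm().toString());
                }
                if (relayState != null) {
                    userSession.setNote(SamlProtocol.SAML_LOGOUT_RELAY_STATE, relayState);
                }
                userSession.setNote(SamlProtocol.SAML_LOGOUT_REQUEST_ID, request.getID());
                userSession.setNote(SamlProtocol.SAML_LOGOUT_BINDING, bindingType);
                userSession.setNote(SamlProtocol.SAML_LOGOUT_ADD_EXTENSIONS_ELEMENT_WITH_KEY_INFO, Boolean.toString(!postBinding && samlClient.addExtensionsElementWithKeyInfo()));
                userSession.setNote(SamlProtocol.SAML_SERVER_SIGNATURE_KEYINFO_KEY_NAME_TRANSFORMER, samlClient.getXmlSigKeyInfoKeyNameTransformer().name());
                userSession.setNote(SamlProtocol.SAML_LOGOUT_CANONICALIZATION, samlClient.getCanonicalizationMethod());
                userSession.setNote(AuthenticationManager.KEYCLOAK_LOGOUT_PROTOCOL, "saml");
                AuthenticatedClientSessionModel clientSession = userSession.getAuthenticatedClientSessionByClient(client.getId());
                if (clientSession != null) {
                    clientSession.setAction(CommonClientSessionModel.Action.LOGGED_OUT.name());
                }
                SamlService.logger.debug("browser Logout");
                return AuthenticationManager.browserLogout(SamlService.this.session, SamlService.this.realm, userSession, SamlService.this.uriInfo, SamlService.this.clientConnection, SamlService.this.headers);
            }
            // No browser session: log out every session named by SessionIndex over the back channel.
            if (request.getSessionIndex() != null) {
                for (String sessionIndex : request.getSessionIndex()) {
                    AuthenticatedClientSessionModel clientSession = SamlSessionUtils.getClientSession(SamlService.this.session, SamlService.this.realm, sessionIndex);
                    if (clientSession == null) {
                        continue;
                    }
                    UserSessionModel userSession = clientSession.getUserSession();
                    if (clientSession.getClient().getClientId().equals(client.getClientId())) {
                        clientSession.setAction(CommonClientSessionModel.Action.LOGGED_OUT.name());
                    }
                    try {
                        AuthenticationManager.backchannelLogout(SamlService.this.session, SamlService.this.realm, userSession, SamlService.this.uriInfo, SamlService.this.clientConnection, SamlService.this.headers, true);
                    } catch (Exception e) {
                        // Best effort: one failing participant must not abort the remaining logouts.
                        SamlService.logger.warn("Failure with backchannel logout", e);
                    }
                }
            }
            String bindingType = getBindingType();
            String logoutServiceUrl = SamlProtocol.getLogoutServiceUrl(SamlService.this.uriInfo, client, bindingType);
            SAML2LogoutResponseBuilder responseBuilder = new SAML2LogoutResponseBuilder();
            responseBuilder.logoutRequestID(request.getID());
            responseBuilder.destination(logoutServiceUrl);
            responseBuilder.issuer(RealmsResource.realmBaseUrl(SamlService.this.uriInfo).build(new Object[]{SamlService.this.realm.getName()}).toString());
            JaxrsSAML2BindingBuilder bindingBuilder = (JaxrsSAML2BindingBuilder) new JaxrsSAML2BindingBuilder().relayState(relayState);
            boolean postBinding = SamlProtocol.SAML_POST_BINDING.equals(bindingType);
            if (samlClient.requiresRealmSignature()) {
                SignatureAlgorithm signatureAlgorithm = samlClient.getSignatureAlgorithm();
                KeyManager.ActiveRsaKey activeRsaKey = SamlService.this.session.keys().getActiveRsaKey(SamlService.this.realm);
                ((JaxrsSAML2BindingBuilder) ((JaxrsSAML2BindingBuilder) bindingBuilder.signatureAlgorithm(signatureAlgorithm)).signWith(activeRsaKey.getKid(), activeRsaKey.getPrivateKey(), activeRsaKey.getPublicKey(), activeRsaKey.getCertificate())).signDocument();
                // Redirect binding has no KeyInfo in the signature; the key id goes into an Extensions element instead.
                if (!postBinding && samlClient.addExtensionsElementWithKeyInfo()) {
                    responseBuilder.addExtension(new KeycloakKeySamlExtensionGenerator(activeRsaKey.getKid()));
                }
            }
            try {
                if (postBinding) {
                    return bindingBuilder.m249postBinding(responseBuilder.buildDocument()).response(logoutServiceUrl);
                }
                return bindingBuilder.m250redirectBinding(responseBuilder.buildDocument()).response(logoutServiceUrl);
            } catch (Exception e) {
                throw new RuntimeException("Failed to build SAML logout response", e);
            }
        }

        /**
         * @return true when the request arrived over https or the realm's SSL
         *         policy does not require it for this connection
         */
        private boolean checkSsl() {
            return SamlService.this.uriInfo.getBaseUri().getScheme().equals("https")
                    || !SamlService.this.realm.getSslRequired().isRequired(SamlService.this.clientConnection);
        }

        /**
         * Entry point for the binding endpoints: runs the basic checks and then
         * dispatches on whether a SAMLRequest or a SAMLResponse was supplied.
         *
         * @param samlRequest  raw SAMLRequest parameter, may be null
         * @param samlResponse raw SAMLResponse parameter, may be null
         * @param relayState   RelayState parameter, may be null
         * @return the resulting response
         */
        public Response execute(String samlRequest, String samlResponse, String relayState) {
            Response failure = basicChecks(samlRequest, samlResponse);
            if (failure != null) {
                return failure;
            }
            if (samlRequest != null) {
                return handleSamlRequest(samlRequest, relayState);
            }
            return handleSamlResponse(samlResponse, relayState);
        }
    }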

    /* loaded from: input_file:org/keycloak/protocol/saml/SamlService$PostBindingProtocol.class */
    /**
     * HTTP-POST binding: the message arrives in a form parameter and the XML
     * document itself carries the signature, which is always verified.
     */
    protected class PostBindingProtocol extends BindingProtocol {
        public PostBindingProtocol() {
            super();
        }

        /** Verifies the enveloped XML signature against the client's key. */
        @Override // org.keycloak.protocol.saml.SamlService.BindingProtocol
        protected void verifySignature(SAMLDocumentHolder documentHolder, ClientModel client) throws VerificationException {
            SamlProtocolUtils.verifyDocumentSignature(client, documentHolder.getSamlDocument());
        }

        /** Decodes a POST-binding SAMLRequest parameter. */
        @Override // org.keycloak.protocol.saml.SamlService.BindingProtocol
        protected SAMLDocumentHolder extractRequestDocument(String encoded) {
            return SAMLRequestParser.parseRequestPostBinding(encoded);
        }

        /** Decodes a POST-binding SAMLResponse parameter. */
        @Override // org.keycloak.protocol.saml.SamlService.BindingProtocol
        protected SAMLDocumentHolder extractResponseDocument(String encoded) {
            return SAMLRequestParser.parseResponsePostBinding(encoded);
        }

        /** @return SamlProtocol.SAML_POST_BINDING */
        @Override // org.keycloak.protocol.saml.SamlService.BindingProtocol
        protected String getBindingType() {
            return SamlProtocol.SAML_POST_BINDING;
        }
    }

    /* loaded from: input_file:org/keycloak/protocol/saml/SamlService$RedirectBindingProtocol.class */
    /**
     * HTTP-Redirect binding: the message is deflated into the query string and
     * the signature, if any, covers the query parameters rather than the XML.
     */
    protected class RedirectBindingProtocol extends BindingProtocol {
        protected RedirectBindingProtocol() {
            super();
        }

        /**
         * Verifies the query-string signature over the SAMLRequest parameter,
         * but only for clients configured to require client signatures; other
         * clients' redirect requests are accepted unsigned.
         */
        @Override // org.keycloak.protocol.saml.SamlService.BindingProtocol
        protected void verifySignature(SAMLDocumentHolder documentHolder, ClientModel client) throws VerificationException {
            SamlClient samlClient = new SamlClient(client);
            if (!samlClient.requiresClientSignature()) {
                return;
            }
            HardcodedKeyLocator keyLocator = new HardcodedKeyLocator(SamlProtocolUtils.getSignatureValidationKey(client));
            SamlProtocolUtils.verifyRedirectSignature(documentHolder, keyLocator, SamlService.this.uriInfo, "SAMLRequest");
        }

        /** Inflates a Redirect-binding SAMLRequest parameter. */
        @Override // org.keycloak.protocol.saml.SamlService.BindingProtocol
        protected SAMLDocumentHolder extractRequestDocument(String encoded) {
            return SAMLRequestParser.parseRequestRedirectBinding(encoded);
        }

        /** Inflates a Redirect-binding SAMLResponse parameter. */
        @Override // org.keycloak.protocol.saml.SamlService.BindingProtocol
        protected SAMLDocumentHolder extractResponseDocument(String encoded) {
            return SAMLRequestParser.parseResponseRedirectBinding(encoded);
        }

        /** @return SamlProtocol.SAML_REDIRECT_BINDING */
        @Override // org.keycloak.protocol.saml.SamlService.BindingProtocol
        protected String getBindingType() {
            return SamlProtocol.SAML_REDIRECT_BINDING;
        }
    }

    /**
     * Creates the SAML protocol endpoint for one realm.
     *
     * @param realmModel     realm this endpoint serves
     * @param eventBuilder   audit event builder for this request
     * @param knownPorts     protocol-name to default-port lookup; presumably used by
     *                       isValidDestination (defined outside this view) — confirm
     * @param knownProtocols port to protocol-name lookup, the inverse of knownPorts
     */
    public SamlService(RealmModel realmModel, EventBuilder eventBuilder, Map<String, Integer> knownPorts, Map<Integer, String> knownProtocols) {
        super(realmModel, eventBuilder);
        this.knownPorts = knownPorts;
        this.knownProtocols = knownProtocols;
    }

    /**
     * Starts the browser login flow with a freshly wired SamlProtocol instance.
     *
     * @param authenticationSessionModel the authentication session prepared by the caller
     * @param isPassive                  whether the request asked for a passive (no-UI) login
     * @param redirectToAuthentication   whether to redirect the browser to the auth endpoint
     *                                   instead of rendering the login page directly
     * @return the next response in the login flow
     */
    protected Response newBrowserAuthentication(AuthenticationSessionModel authenticationSessionModel, boolean isPassive, boolean redirectToAuthentication) {
        SamlProtocol samlProtocol = new SamlProtocol()
                .m253setEventBuilder(this.event)
                .m254setHttpHeaders(this.headers)
                .m256setRealm(this.realm)
                .m257setSession(this.session)
                .m255setUriInfo(this.uriInfo);
        return newBrowserAuthentication(authenticationSessionModel, isPassive, redirectToAuthentication, samlProtocol);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Hands the authentication session to the generic browser login handling,
     * using the supplied protocol instance to render the eventual SAML response.
     *
     * @param authenticationSessionModel the authentication session prepared by the caller
     * @param isPassive                  whether the request asked for a passive (no-UI) login
     * @param redirectToAuthentication   whether to redirect to the auth endpoint rather than render inline
     * @param samlProtocol               protocol instance already bound to this request's context
     * @return the next response in the login flow
     */
    public Response newBrowserAuthentication(AuthenticationSessionModel authenticationSessionModel, boolean isPassive, boolean redirectToAuthentication, SamlProtocol samlProtocol) {
        Response next = handleBrowserAuthenticationRequest(authenticationSessionModel, samlProtocol, isPassive, redirectToAuthentication);
        return next;
    }

    /**
     * HTTP-Redirect binding endpoint (GET with SAMLRequest / SAMLResponse in the query).
     *
     * @param samlRequest  deflated, base64-encoded request, may be null
     * @param samlResponse deflated, base64-encoded response, may be null
     * @param relayState   opaque SP state, may be null
     * @return the resulting response
     */
    @GET
    public Response redirectBinding(@QueryParam("SAMLRequest") String samlRequest, @QueryParam("SAMLResponse") String samlResponse, @QueryParam("RelayState") String relayState) {
        logger.debug("SAML GET");
        CacheControlUtil.noBackButtonCacheControlHeader();
        RedirectBindingProtocol protocol = new RedirectBindingProtocol();
        return protocol.execute(samlRequest, samlResponse, relayState);
    }

    /**
     * HTTP-POST binding endpoint (form-encoded SAMLRequest / SAMLResponse).
     * Unlike the redirect binding, the login page is reached through a
     * redirect so the browser does not stay on the POSTed URL.
     *
     * @param samlRequest  base64-encoded request, may be null
     * @param samlResponse base64-encoded response, may be null
     * @param relayState   opaque SP state, may be null
     * @return the resulting response
     */
    @POST
    @NoCache
    @Consumes({MediaType.APPLICATION_FORM_URLENCODED})
    public Response postBinding(@FormParam("SAMLRequest") String samlRequest, @FormParam("SAMLResponse") String samlResponse, @FormParam("RelayState") String relayState) {
        logger.debug("SAML POST");
        PostBindingProtocol protocol = new PostBindingProtocol();
        protocol.redirectToAuthentication = true;
        return protocol.execute(samlRequest, samlResponse, relayState);
    }

    /**
     * Serves this realm's IdP metadata descriptor as XML.
     *
     * @return the rendered metadata document
     * @throws Exception propagated from metadata generation
     */
    @GET
    @Path("descriptor")
    @NoCache
    @Produces({MediaType.APPLICATION_XML})
    public String getDescriptor() throws Exception {
        String descriptor = getIDPMetadataDescriptor(this.uriInfo, this.session, this.realm);
        return descriptor;
    }

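    /**
     * Renders the realm's IdP metadata from the bundled template, filling in
     * the entity id, the SSO/SLO endpoint URLs and one signing KeyDescriptor
     * per realm RSA key (active keys first, then passive; highest provider
     * priority first within each group).
     *
     * @param uriInfo         request URI context used to build absolute URLs
     * @param keycloakSession session used to look up the realm's RSA keys
     * @param realmModel      realm whose metadata is rendered
     * @return the rendered metadata XML
     * @throws IOException if the template resource is missing or cannot be read
     */
    public static String getIDPMetadataDescriptor(UriInfo uriInfo, KeycloakSession keycloakSession, RealmModel realmModel) throws IOException {
        String template;
        // Close the classpath stream ourselves; it is a resource regardless of what readString does with it.
        try (InputStream in = SamlService.class.getResourceAsStream("/idp-metadata-template.xml")) {
            if (in == null) {
                throw new IOException("IdP metadata template /idp-metadata-template.xml not found on classpath");
            }
            template = StreamUtil.readString(in);
        }
        String realmName = realmModel.getName();
        String entityId = RealmsResource.realmBaseUrl(uriInfo).build(new Object[]{realmName}).toString();
        // All three SAML endpoints are the same URL; the binding is chosen by HTTP method.
        String samlEndpoint = RealmsResource.protocolUrl(uriInfo).build(new Object[]{realmName, "saml"}).toString();
        Properties properties = new Properties();
        properties.put("idp.entityID", entityId);
        properties.put("idp.sso.HTTP-POST", samlEndpoint);
        properties.put("idp.sso.HTTP-Redirect", samlEndpoint);
        properties.put("idp.sls.HTTP-POST", samlEndpoint);
        TreeSet<RsaKeyMetadata> keys = new TreeSet<>((a, b) -> {
            // Status is ACTIVE or PASSIVE; passive keys sort after active ones.
            if (a.getStatus() != b.getStatus()) {
                return a.getStatus() == KeyMetadata.Status.PASSIVE ? 1 : -1;
            }
            int byPriority = Long.compare(b.getProviderPriority(), a.getProviderPriority());
            if (byPriority != 0) {
                return byPriority;
            }
            // Tie-break on kid: a TreeSet drops elements that compare equal, which
            // would silently omit a key of equal status and priority from the metadata.
            return String.valueOf(a.getKid()).compareTo(String.valueOf(b.getKid()));
        });
        keys.addAll(keycloakSession.keys().getRsaKeys(realmModel, false));
        StringBuilder keyInfos = new StringBuilder();
        for (RsaKeyMetadata key : keys) {
            addKeyInfo(keyInfos, key, KeyTypes.SIGNING.value());
        }
        properties.put("idp.signing.certificates", keyInfos.toString());
        return StringPropertyReplacer.replaceProperties(template, properties);
    }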

    /**
     * Appends a KeyDescriptor fragment for the given key to the metadata buffer;
     * a null key is silently skipped.
     *
     * @param sb  buffer receiving the XML fragment
     * @param key key to describe, may be null
     * @param use KeyDescriptor "use" value, e.g. KeyTypes.SIGNING.value()
     */
    private static void addKeyInfo(StringBuilder sb, RsaKeyMetadata key, String use) {
        if (key != null) {
            String pemCertificate = PemUtils.encodeCertificate(key.getCertificate());
            sb.append(SPMetadataDescriptor.xmlKeyInfo("                        ", key.getKid(), pemCertificate, use, false));
        }
    }

    /**
     * IdP-initiated SSO entry point. The target SP is chosen by matching the
     * path segment against each client's configured IdP-initiated SSO URL name,
     * so no AuthnRequest is involved; the SP must therefore have an assertion
     * consumer URL configured on the client.
     *
     * @param clientUrlName value of the client's SAML_IDP_INITIATED_SSO_URL_NAME attribute
     * @param relayState    optional RelayState forwarded to the SP
     * @return the login flow response, or an error page
     */
    @GET
    @Produces({MediaType.TEXT_HTML_UTF_8})
    @Path("clients/{client}")
    public Response idpInitiatedSSO(@PathParam("client") String clientUrlName, @QueryParam("RelayState") String relayState) {
        this.event.event(EventType.LOGIN);
        CacheControlUtil.noBackButtonCacheControlHeader();
        ClientModel client = null;
        for (ClientModel candidate : this.realm.getClients()) {
            String urlName = candidate.getAttribute(SamlProtocol.SAML_IDP_INITIATED_SSO_URL_NAME);
            if (urlName != null && urlName.equals(clientUrlName)) {
                client = candidate;
                break;
            }
        }
        if (client == null) {
            this.event.error("client_not_found");
            return ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, Messages.CLIENT_NOT_FOUND, new Object[0]);
        }
        if (!client.isEnabled()) {
            this.event.error("client_disabled");
            return ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, Messages.CLIENT_DISABLED, new Object[0]);
        }
        boolean hasConsumerUrl = client.getManagementUrl() != null
                || client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE) != null
                || client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE) != null;
        if (!hasConsumerUrl) {
            logger.error("SAML assertion consumer url not set up");
            this.event.error(ErrorCodes.INVALID_REDIRECT_URI);
            return ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REDIRECT_URI, new Object[0]);
        }
        AuthenticationSessionModel authSession = getOrCreateLoginSessionForIdpInitiatedSso(this.session, this.realm, client, relayState);
        return newBrowserAuthentication(authSession, false, false);
    }

    /**
     * Creates the authentication session for an IdP-initiated SAML login to {@code clientModel}.
     * <p>
     * Response target selection: the POST ACS attribute is preferred; the Redirect ACS attribute is
     * used only when it is the sole ACS configured (no management URL, no POST ACS); if the selected
     * attribute is unset the client's management URL is used. All of these are admin configuration.
     * <p>
     * NOTE(review): the {@code SAML_BINDING} client note is always POST here, even when the Redirect
     * ACS URL was selected as the target — confirm that the response-sending side tolerates this.
     * NOTE(review): the comparison against {@code StackoverflowIdentityProvider.DEFAULT_SCOPE} looks
     * like a decompiler constant-inlining artifact for the empty string; verify before relying on it.
     *
     * @param keycloakSession not read by this method; part of the public signature
     * @param realmModel      not read by this method; part of the public signature
     * @param clientModel     client that will receive the unsolicited response
     * @param str             request RelayState, or {@code null} to fall back to the client's
     *                        configured {@code SAML_IDP_INITIATED_SSO_RELAY_STATE}
     * @return a new session for protocol {@code saml} in action {@code AUTHENTICATE}
     */
    public AuthenticationSessionModel getOrCreateLoginSessionForIdpInitiatedSso(KeycloakSession keycloakSession, RealmModel realmModel, ClientModel clientModel, String str) {
        String postAcs = clientModel.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE);
        String redirectAcs = clientModel.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE);
        boolean redirectOnly = clientModel.getManagementUrl() == null && postAcs == null && redirectAcs != null;

        String target = redirectOnly ? redirectAcs : postAcs;
        if (target == null) {
            target = clientModel.getManagementUrl();
        }

        AuthenticationSessionModel authSession = createAuthenticationSession(clientModel, null);
        authSession.setProtocol("saml");
        authSession.setAction(CommonClientSessionModel.Action.AUTHENTICATE.name());
        // Binding note is fixed to POST regardless of which ACS attribute supplied the target.
        authSession.setClientNote(SamlProtocol.SAML_BINDING, SamlProtocol.SAML_POST_BINDING);
        authSession.setClientNote(SamlProtocol.SAML_IDP_INITIATED_LOGIN, SamlProtocol.ATTRIBUTE_TRUE_VALUE);
        authSession.setRedirectUri(target);

        // Request-supplied RelayState wins; otherwise the client's configured default, if any.
        String relayState = str != null ? str : clientModel.getAttribute(SamlProtocol.SAML_IDP_INITIATED_SSO_RELAY_STATE);
        if (relayState != null && !relayState.trim().equals(StackoverflowIdentityProvider.DEFAULT_SCOPE)) {
            authSession.setClientNote("RelayState", relayState);
        }
        return authSession;
    }

    /**
     * SAML ECP (SOAP) binding endpoint: {@code POST} with a SOAP/XML body.
     * <p>
     * Everything security-relevant — parsing the untrusted XML body, signature and destination
     * handling — is delegated to {@link SamlEcpProfileService}; this method only constructs it with
     * the realm, event builder and port/protocol tables, runs RESTEasy property injection on the
     * hand-built instance, and returns its result. XML parser hardening (DTD/external entities)
     * therefore has to live in the delegate and cannot be checked from here.
     *
     * @param inputStream raw request body; not closed by this method
     * @return the response produced by the ECP profile service
     */
    @POST
    @NoCache
    @Consumes({"application/soap+xml", MediaType.TEXT_XML})
    public Response soapBinding(InputStream inputStream) {
        SamlEcpProfileService ecp = new SamlEcpProfileService(this.realm, this.event, this.knownPorts, this.knownProtocols);
        // Not a container-managed resource, so context injection must be triggered explicitly.
        ResteasyProviderFactory.getInstance().injectProperties(ecp);
        return ecp.authenticate(inputStream);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Checks that a SAML {@code Destination} attribute names this endpoint.
     * <p>
     * Accepted when the destination equals the request's absolute path, or differs from it only by
     * a default port that {@code knownPorts} (scheme to port) / {@code knownProtocols} (port to
     * scheme) declare for the request scheme — i.e. explicit default port on one side, no port on
     * the other.
     * <p>
     * NOTE(review): a {@code null} destination is accepted unconditionally; callers that require a
     * bound destination (e.g. for signed messages) must enforce its presence themselves.
     * NOTE(review): both port-normalised fallbacks build from {@code getRequestUriBuilder()}, which
     * may carry the request query string, whereas the exact match uses the absolute path — confirm
     * this is intended for the Redirect binding.
     *
     * @param uri the {@code Destination} from the incoming message, or {@code null} when absent
     * @return {@code true} when the destination is accepted for this endpoint
     */
    public boolean isValidDestination(URI uri) {
        if (uri == null) {
            return true;
        }
        URI here = this.uriInfo.getAbsolutePath();
        if (Objects.equals(here, uri)) {
            return true;
        }
        int port = here.getPort();
        String scheme = here.getScheme();
        if (port < 0) {
            // No explicit port on the request: compare against the scheme's configured default port.
            Integer defaultPort = this.knownPorts.get(scheme);
            return defaultPort != null
                    && Objects.equals(this.uriInfo.getRequestUriBuilder().port(defaultPort.intValue()).build(new Object[0]), uri);
        }
        // Explicit port on the request: a port-less destination matches only if that port is the scheme's default.
        String schemeForPort = this.knownProtocols.get(Integer.valueOf(port));
        return Objects.equals(schemeForPort, scheme)
                && Objects.equals(this.uriInfo.getRequestUriBuilder().port(-1).build(new Object[0]), uri);
    }
}
