package org.keycloak.broker.saml;

import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import org.keycloak.broker.provider.AbstractIdentityProvider;
import org.keycloak.broker.provider.AuthenticationRequest;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.broker.provider.IdentityProvider;
import org.keycloak.events.EventBuilder;
import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.saml.SAML2AuthnRequestBuilder;
import org.keycloak.protocol.saml.SAML2LogoutRequestBuilder;
import org.keycloak.protocol.saml.SAML2NameIDPolicyBuilder;
import org.picketlink.common.constants.JBossSAMLURIConstants;

/* loaded from: input_file:org/keycloak/broker/saml/SAMLIdentityProvider.class */
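/**
 * Brokers logins to an external SAML 2.0 Identity Provider.
 *
 * <p>This class only builds outbound messages (AuthnRequest, LogoutRequest,
 * SP metadata); inbound responses are handled by {@link SAMLEndpoint}, which
 * {@link #callback} returns. The realm's key pair is used to sign outbound
 * requests when the provider configuration asks for it.
 */
public class SAMLIdentityProvider extends AbstractIdentityProvider<SAMLIdentityProviderConfig> {

    public SAMLIdentityProvider(SAMLIdentityProviderConfig config) {
        super(config);
    }

    /**
     * Returns the JAX-RS resource that receives the IdP's responses for this
     * broker instance.
     */
    public Object callback(RealmModel realm, IdentityProvider.AuthenticationCallback callback, EventBuilder event) {
        return new SAMLEndpoint(realm, (SAMLIdentityProviderConfig) getConfig(), callback);
    }

    /**
     * Builds the SAML AuthnRequest that redirects/posts the browser to the IdP.
     *
     * <p>The request's AssertionConsumerServiceURL is the broker redirect URI
     * supplied in {@code request}, the RelayState is the broker state, and the
     * ProtocolBinding advertises how the IdP should deliver its response
     * (POST if {@code isPostBindingResponse()}, otherwise Redirect). When the
     * provider requires signed requests, both realm keys must be present; a
     * missing key is a configuration error and is reported as
     * {@link IdentityBrokerException} rather than as a signing failure.
     *
     * @throws IdentityBrokerException if the request cannot be built or signed
     */
    public Response handleRequest(AuthenticationRequest request) {
        try {
            SAMLIdentityProviderConfig config = (SAMLIdentityProviderConfig) getConfig();
            UriInfo uriInfo = request.getUriInfo();
            RealmModel realm = request.getRealm();

            String issuer = getEntityId(uriInfo, realm);
            String destination = config.getSingleSignOnServiceUrl();
            String nameIdFormat = config.getNameIDPolicyFormat();
            if (nameIdFormat == null) {
                // No explicit policy configured: ask for a persistent identifier.
                nameIdFormat = JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get();
            }

            // The binding we want the IdP to use when sending its Response back.
            String responseBinding = config.isPostBindingResponse()
                    ? JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get()
                    : JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get();

            SAML2AuthnRequestBuilder authnRequest = new SAML2AuthnRequestBuilder()
                    .assertionConsumerUrl(request.getRedirectUri())
                    .destination(destination)
                    .issuer(issuer)
                    .forceAuthn(config.isForceAuthn())
                    .protocolBinding(responseBinding)
                    .nameIdPolicy(SAML2NameIDPolicyBuilder.format(nameIdFormat))
                    .relayState(request.getState());

            if (config.isWantAuthnRequestsSigned()) {
                PrivateKey privateKey = realm.getPrivateKey();
                PublicKey publicKey = realm.getPublicKey();
                if (privateKey == null) {
                    throw new IdentityBrokerException("Identity Provider [" + config.getAlias()
                            + "] wants a signed authentication request. But the Realm ["
                            + realm.getName() + "] does not have a private key.");
                }
                if (publicKey == null) {
                    throw new IdentityBrokerException("Identity Provider [" + config.getAlias()
                            + "] wants a signed authentication request. But the Realm ["
                            + realm.getName() + "] does not have a public key.");
                }
                authnRequest.signWith(new KeyPair(publicKey, privateKey));
                authnRequest.signDocument();
            }

            // How we deliver the AuthnRequest itself (independent of responseBinding).
            if (config.isPostBindingAuthnRequest()) {
                return authnRequest.postBinding().request();
            }
            return authnRequest.redirectBinding().request();
        } catch (IdentityBrokerException e) {
            // Already carries a precise message (e.g. missing realm key); don't
            // bury it under a generic wrapper.
            throw e;
        } catch (Exception e) {
            throw new IdentityBrokerException("Could not create authentication request.", e);
        }
    }

    /**
     * The SP entity ID this broker presents to the IdP: {@code <base>/realms/<realm>}.
     * UriBuilder.path encodes the realm name, so no manual escaping is needed here.
     */
    private String getEntityId(UriInfo uriInfo, RealmModel realm) {
        return UriBuilder.fromUri(uriInfo.getBaseUri())
                .path("realms")
                .path(realm.getName())
                .build(new Object[0])
                .toString();
    }

    /**
     * Returns the token stored for the federated identity verbatim, with no
     * explicit media type (the stored token's format is not visible here).
     */
    public Response retrieveToken(FederatedIdentityModel identity) {
        return Response.ok(identity.getToken()).build();
    }

    /**
     * Builds a SAML LogoutRequest for a Keycloak-initiated browser logout.
     *
     * <p>Returns {@code null} when no SingleLogoutService URL is configured,
     * which tells the caller there is nothing to send to the IdP. The
     * SessionIndex and subject come from notes that {@link SAMLEndpoint} stored
     * on the user session at login; the RelayState is the Keycloak session id,
     * presumably so the LogoutResponse can be matched back to this session.
     * The request is always sent with the POST binding.
     *
     * @throws IdentityBrokerException if signing is required but the realm has no
     *         key pair, or the request cannot be built
     */
    public Response keycloakInitiatedBrowserLogout(UserSessionModel userSession, UriInfo uriInfo, RealmModel realm) {
        SAMLIdentityProviderConfig config = (SAMLIdentityProviderConfig) getConfig();
        String singleLogoutServiceUrl = config.getSingleLogoutServiceUrl();
        if (singleLogoutServiceUrl == null || singleLogoutServiceUrl.trim().equals("")) {
            return null;
        }

        SAML2LogoutRequestBuilder logoutRequest = new SAML2LogoutRequestBuilder()
                .issuer(getEntityId(uriInfo, realm))
                .sessionIndex(userSession.getNote(SAMLEndpoint.SAML_FEDERATED_SESSION_INDEX))
                .userPrincipal(userSession.getNote(SAMLEndpoint.SAML_FEDERATED_SUBJECT),
                        userSession.getNote(SAMLEndpoint.SAML_FEDERATED_SUBJECT_NAMEFORMAT))
                .destination(singleLogoutServiceUrl);

        if (config.isWantAuthnRequestsSigned()) {
            // Same precondition as handleRequest: fail with a clear configuration
            // error instead of letting the signer hit a null key.
            PrivateKey privateKey = realm.getPrivateKey();
            PublicKey publicKey = realm.getPublicKey();
            if (privateKey == null || publicKey == null) {
                throw new IdentityBrokerException("Identity Provider [" + config.getAlias()
                        + "] wants a signed logout request. But the Realm ["
                        + realm.getName() + "] does not have a key pair.");
            }
            logoutRequest.signWith(privateKey, publicKey, realm.getCertificate()).signDocument();
        }

        try {
            return logoutRequest.relayState(userSession.getId()).postBinding().request();
        } catch (Exception e) {
            // IdentityBrokerException is a RuntimeException, so existing callers
            // that caught RuntimeException still work; this just matches handleRequest.
            throw new IdentityBrokerException("Could not create logout request.", e);
        }
    }

    /**
     * Renders SP metadata describing this broker endpoint for the IdP.
     *
     * <p>All configuration-derived values are XML-escaped before being placed
     * in the document: they are admin-controlled, but a value containing
     * {@code "}, {@code &} or {@code <} would otherwise produce malformed
     * metadata. NameIDFormat falls back to the same persistent default that
     * handleRequest uses, so the metadata and the live requests agree. When
     * signed requests are enabled the realm certificate is embedded; if the
     * realm has none this is a configuration error (the original would have
     * emitted the literal string "null" inside the X509Certificate element).
     *
     * <p>Note: the advertised SingleLogoutService binding mirrors the AuthnRequest
     * binding setting, whereas keycloakInitiatedBrowserLogout always uses POST;
     * that asymmetry is preserved here as-is.
     *
     * @param format unused; kept for interface compatibility
     * @throws IdentityBrokerException if signing is enabled but the realm has no certificate
     */
    public Response export(UriInfo uriInfo, RealmModel realm, String format) {
        SAMLIdentityProviderConfig config = (SAMLIdentityProviderConfig) getConfig();

        String binding = config.isPostBindingAuthnRequest()
                ? JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get()
                : JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get();

        String endpointUri = uriInfo.getBaseUriBuilder()
                .path("realms")
                .path(realm.getName())
                .path("broker")
                .path(config.getAlias())
                .path("endpoint")
                .build(new Object[0])
                .toString();

        String nameIdFormat = config.getNameIDPolicyFormat();
        if (nameIdFormat == null) {
            nameIdFormat = JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get();
        }

        boolean signed = config.isWantAuthnRequestsSigned();

        StringBuilder xml = new StringBuilder();
        xml.append("<EntityDescriptor entityID=\"").append(escapeXml(getEntityId(uriInfo, realm))).append("\">\n");
        xml.append("    <SPSSODescriptor AuthnRequestsSigned=\"").append(signed).append("\"\n");
        xml.append("            protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext\">\n");
        xml.append("        <NameIDFormat>").append(escapeXml(nameIdFormat)).append("\n");
        xml.append("        </NameIDFormat>\n");
        xml.append("        <SingleLogoutService Binding=\"").append(escapeXml(binding))
                .append("\" Location=\"").append(escapeXml(endpointUri)).append("\"/>\n");
        xml.append("        <AssertionConsumerService\n");
        xml.append("                Binding=\"").append(escapeXml(binding))
                .append("\" Location=\"").append(escapeXml(endpointUri)).append("\"\n");
        xml.append("                index=\"1\" isDefault=\"true\" />\n");

        if (signed) {
            String certificatePem = realm.getCertificatePem();
            if (certificatePem == null) {
                throw new IdentityBrokerException("Identity Provider [" + config.getAlias()
                        + "] wants signed requests. But the Realm [" + realm.getName()
                        + "] does not have a certificate to publish in its metadata.");
            }
            xml.append("        <KeyDescriptor use=\"signing\">\n");
            xml.append("            <dsig:KeyInfo xmlns:dsig=\"http://www.w3.org/2000/09/xmldsig#\">\n");
            xml.append("                <dsig:X509Data>\n");
            xml.append("                    <dsig:X509Certificate>\n");
            xml.append(escapeXml(certificatePem)).append("\n");
            xml.append("                    </dsig:X509Certificate>\n");
            xml.append("                </dsig:X509Data>\n");
            xml.append("            </dsig:KeyInfo>\n");
            xml.append("        </KeyDescriptor>\n");
        }

        xml.append("    </SPSSODescriptor>\n");
        xml.append("</EntityDescriptor>\n");

        return Response.ok(xml.toString(), MediaType.APPLICATION_XML_TYPE).build();
    }

    /**
     * Minimal XML escaping for text and attribute values (the five predefined
     * entities). Null is rendered as an empty string.
     */
    private static String escapeXml(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':
                    out.append("&amp;");
                    break;
                case '<':
                    out.append("&lt;");
                    break;
                case '>':
                    out.append("&gt;");
                    break;
                case '"':
                    out.append("&quot;");
                    break;
                case '\'':
                    out.append("&apos;");
                    break;
                default:
                    out.append(c);
            }
        }
        return out.toString();
    }
}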
