package org.keycloak.protocol.saml;

import java.net.URI;
import java.util.Iterator;
import javax.ws.rs.Consumes;
import javax.ws.rs.FormParam;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.core.UriInfo;
import javax.ws.rs.ext.Providers;
import org.jboss.logging.Logger;
import org.jboss.resteasy.spi.HttpRequest;
import org.jboss.resteasy.spi.HttpResponse;
import org.keycloak.ClientConnection;
import org.keycloak.VerificationException;
import org.keycloak.authentication.AuthenticationProcessor;
import org.keycloak.dom.saml.v2.protocol.AuthnRequestType;
import org.keycloak.dom.saml.v2.protocol.LogoutRequestType;
import org.keycloak.dom.saml.v2.protocol.NameIDPolicyType;
import org.keycloak.dom.saml.v2.protocol.RequestAbstractType;
import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.RestartLoginCookie;
import org.keycloak.protocol.oidc.utils.RedirectUtils;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
import org.keycloak.services.ErrorPage;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.resources.RealmsResource;
import org.keycloak.util.StreamUtil;

/* loaded from: input_file:org/keycloak/protocol/saml/SamlService.class */
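/**
 * JAX-RS endpoint implementing the SAML 2.0 IdP side of Keycloak for one realm:
 * SP-initiated login (AuthnRequest), single logout (LogoutRequest / LogoutResponse),
 * IdP-initiated SSO and the IdP metadata descriptor.
 *
 * <p>Both HTTP bindings are served by the same methods; the binding-specific parts
 * (how the message is decoded and how its signature is verified) live in the two
 * {@link BindingProtocol} subclasses. Request validation order matters for security:
 * SSL / realm checks, then message parsing, then client lookup and status checks,
 * then signature verification, and only after that any state is created.
 */
public class SamlService {
    protected static final Logger logger = Logger.getLogger(SamlService.class);
    protected RealmModel realm;
    private EventBuilder event;
    protected AuthenticationManager authManager;

    @Context
    protected Providers providers;

    @Context
    protected SecurityContext securityContext;

    @Context
    protected UriInfo uriInfo;

    @Context
    protected HttpHeaders headers;

    @Context
    protected HttpRequest request;

    @Context
    protected HttpResponse response;

    @Context
    protected KeycloakSession session;

    @Context
    protected ClientConnection clientConnection;

    /**
     * Binding-independent handling of inbound SAML messages. Subclasses supply the
     * decoding of the raw parameter value and the signature check appropriate for
     * their binding (enveloped XML signature for POST, query-string signature for Redirect).
     */
    public abstract class BindingProtocol {
        public BindingProtocol() {
        }

        /**
         * Preconditions shared by every inbound message.
         *
         * @param samlRequest  raw SAMLRequest parameter, may be null
         * @param samlResponse raw SAMLResponse parameter, may be null
         * @return an error {@link Response} if a precondition fails, otherwise null
         */
        protected Response basicChecks(String samlRequest, String samlResponse) {
            if (!checkSsl()) {
                event.event(EventType.LOGIN);
                event.error("ssl_required");
                return ErrorPage.error(session, "httpsRequiredMessage");
            }
            if (!realm.isEnabled()) {
                event.event(EventType.LOGIN_ERROR);
                event.error("realm_disabled");
                return ErrorPage.error(session, "realmNotEnabledMessage");
            }
            // At least one of the two SAML parameters must be present.
            if (samlRequest == null && samlResponse == null) {
                event.event(EventType.LOGIN);
                event.error("invalid_token");
                return ErrorPage.error(session, "invalidRequestMessage");
            }
            return null;
        }

        /**
         * Handles a LogoutResponse sent back by a client during browser single logout.
         *
         * <p>The caller must already hold a Keycloak identity cookie whose user session
         * is in the LOGGING_OUT state; otherwise the response is rejected.
         *
         * @param samlResponse raw SAMLResponse parameter (non-null, see {@link #basicChecks})
         * @param relayState   RelayState parameter, currently unused here
         * @return continuation of the browser logout, or an error page
         */
        protected Response handleSamlResponse(String samlResponse, String relayState) {
            event.event(EventType.LOGOUT);
            // The parser may fail and yield null (mirrors handleSamlRequest); do not NPE on it.
            SAMLDocumentHolder holder = extractResponseDocument(samlResponse);
            if (holder == null) {
                event.error("invalid_token");
                return ErrorPage.error(session, "invalidRequestMessage");
            }
            StatusResponseType statusResponse = holder.getSamlObject();
            // Destination on a StatusResponseType is compared as a string here, unlike the
            // URI comparison used for requests — presumably the type differs; verify against the DOM class.
            if (statusResponse.getDestination() != null
                    && !uriInfo.getAbsolutePath().toString().equals(statusResponse.getDestination())) {
                event.detail("reason", "invalid_destination");
                event.error("invalid_logout_response");
                return ErrorPage.error(session, "invalidRequestMessage");
            }
            // NOTE(review): no signature check is applied to the logout response and its
            // InResponseTo is not compared with SAML_LOGOUT_REQUEST_ID stored on the user
            // session; acceptance rests solely on the identity cookie and the LOGGING_OUT state.
            AuthenticationManager.AuthResult authResult =
                    AuthenticationManager.authenticateIdentityCookie(session, realm, false);
            if (authResult == null) {
                logger.warn("Unknown saml response.");
                event.event(EventType.LOGOUT);
                event.error("invalid_token");
                return ErrorPage.error(session, "invalidRequestMessage");
            }
            UserSessionModel userSession = authResult.getSession();
            if (userSession.getState() != UserSessionModel.State.LOGGING_OUT) {
                logger.warn("Unknown saml response.");
                logger.warn("UserSession is not tagged as logging out.");
                event.event(EventType.LOGOUT);
                event.error("invalid_logout_response");
                return ErrorPage.error(session, "invalidRequestMessage");
            }
            logger.debug("logout response");
            Response logoutContinuation = AuthenticationManager.browserLogout(
                    session, realm, userSession, uriInfo, clientConnection, headers);
            event.success();
            return logoutContinuation;
        }

        /**
         * Parses, validates and dispatches an inbound AuthnRequest or LogoutRequest.
         *
         * <p>Order of checks: parse, resolve client by Issuer, client enabled / not
         * bearer-only / not direct-grants-only, then signature verification, then dispatch.
         * No session state is created before the signature has been verified.
         *
         * @param samlRequest raw SAMLRequest parameter
         * @param relayState  RelayState parameter, echoed back to the client later
         */
        protected Response handleSamlRequest(String samlRequest, String relayState) {
            SAMLDocumentHolder holder = extractRequestDocument(samlRequest);
            if (holder == null) {
                event.event(EventType.LOGIN);
                event.error("invalid_token");
                return ErrorPage.error(session, "invalidRequestMessage");
            }
            RequestAbstractType requestAbstractType = holder.getSamlObject();
            // Issuer is optional in the schema; treat a missing one like an unknown client.
            String issuer = requestAbstractType.getIssuer() == null ? null : requestAbstractType.getIssuer().getValue();
            ClientModel client = issuer == null ? null : realm.getClientByClientId(issuer);
            if (client == null) {
                event.event(EventType.LOGIN);
                event.error("client_not_found");
                return ErrorPage.error(session, "unknownLoginRequesterMessage");
            }
            if (!client.isEnabled()) {
                event.event(EventType.LOGIN);
                event.error("client_disabled");
                return ErrorPage.error(session, "loginRequesterNotEnabledMessage");
            }
            if (client.isBearerOnly()) {
                event.event(EventType.LOGIN);
                event.error("not_allowed");
                return ErrorPage.error(session, "bearerOnlyMessage");
            }
            if (client.isDirectGrantsOnly()) {
                event.event(EventType.LOGIN);
                event.error("not_allowed");
                return ErrorPage.error(session, "directGrantsOnlyMessage");
            }
            session.getContext().setClient(client);
            try {
                verifySignature(holder, client);
                logger.debug("verified request");
                if (requestAbstractType instanceof AuthnRequestType) {
                    logger.debug("** login request");
                    event.event(EventType.LOGIN);
                    return loginRequest(relayState, (AuthnRequestType) requestAbstractType, client);
                }
                if (requestAbstractType instanceof LogoutRequestType) {
                    logger.debug("** logout request");
                    event.event(EventType.LOGOUT);
                    return logoutRequest((LogoutRequestType) requestAbstractType, client, relayState);
                }
                event.event(EventType.LOGIN);
                event.error("invalid_token");
                return ErrorPage.error(session, "invalidRequestMessage");
            } catch (VerificationException e) {
                logger.error("request validation failed", e);
                event.event(EventType.LOGIN);
                event.error("invalid_signature");
                return ErrorPage.error(session, "invalidRequesterMessage");
            }
        }

        /** Verifies the message signature in the way this binding carries it. */
        protected abstract void verifySignature(SAMLDocumentHolder documentHolder, ClientModel client) throws VerificationException;

        /** Decodes a raw SAMLRequest value; returns null when it cannot be parsed. */
        protected abstract SAMLDocumentHolder extractRequestDocument(String samlRequest);

        /** Decodes a raw SAMLResponse value; returns null when it cannot be parsed. */
        protected abstract SAMLDocumentHolder extractResponseDocument(String samlResponse);

        /**
         * Starts browser authentication for an already signature-verified AuthnRequest.
         *
         * <p>The AssertionConsumerServiceURL from the request is only honoured if it passes
         * the client's registered redirect-URI check; otherwise the client's configured
         * ACS / management URL is used. NameIDPolicy is validated before any client
         * session is created so a rejected request leaves no state behind.
         *
         * @param relayState   RelayState to echo in the eventual response
         * @param authnRequest the verified request
         * @param client       the resolved requester
         */
        protected Response loginRequest(String relayState, AuthnRequestType authnRequest, ClientModel client) {
            if (authnRequest.getDestination() != null && !uriInfo.getAbsolutePath().equals(authnRequest.getDestination())) {
                event.detail("reason", "invalid_destination");
                event.error("invalid_authn_request");
                return ErrorPage.error(session, "invalidRequestMessage");
            }
            String bindingType = getBindingType(authnRequest);
            if (SamlProtocol.ATTRIBUTE_TRUE_VALUE.equals(client.getAttribute(SamlProtocol.SAML_FORCE_POST_BINDING))) {
                bindingType = SamlProtocol.SAML_POST_BINDING;
            }

            String redirect;
            URI acsUrl = authnRequest.getAssertionConsumerServiceURL();
            if (acsUrl == null) {
                redirect = bindingType.equals(SamlProtocol.SAML_POST_BINDING)
                        ? client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE)
                        : client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE);
                if (redirect == null) {
                    redirect = client.getManagementUrl();
                }
            } else {
                // Untrusted value from the request: must match a registered redirect URI.
                redirect = RedirectUtils.verifyRedirectUri(uriInfo, acsUrl.toString(), realm, client);
            }
            if (redirect == null) {
                event.error("invalid_redirect_uri");
                return ErrorPage.error(session, "invalidRedirectUriMessage");
            }

            // Validate NameIDPolicy before creating the client session. Format is optional
            // in the schema; a policy element without a Format is ignored rather than NPE'd on.
            String nameIdFormat = null;
            NameIDPolicyType nameIdPolicy = authnRequest.getNameIDPolicy();
            if (nameIdPolicy != null && nameIdPolicy.getFormat() != null && !SamlProtocol.forceNameIdFormat(client)) {
                nameIdFormat = nameIdPolicy.getFormat().toString();
                if (!isSupportedNameIdFormat(nameIdFormat)) {
                    event.detail("reason", "unsupported_nameid_format");
                    event.error("invalid_authn_request");
                    return ErrorPage.error(session, "unsupportedNameIdFormatMessage");
                }
            }

            ClientSessionModel clientSession = session.sessions().createClientSession(realm, client);
            clientSession.setAuthMethod(SamlProtocol.LOGIN_PROTOCOL);
            clientSession.setRedirectUri(redirect);
            clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name());
            clientSession.setNote("action_key", KeycloakModelUtils.generateCodeSecret());
            clientSession.setNote(SamlProtocol.SAML_BINDING, bindingType);
            clientSession.setNote(SAML2BindingBuilder.RELAY_STATE, relayState);
            clientSession.setNote(SamlProtocol.SAML_REQUEST_ID, authnRequest.getID());
            if (nameIdFormat != null) {
                clientSession.setNote("NAMEID_FORMAT", nameIdFormat);
            }
            return SamlService.this.newBrowserAuthentication(clientSession);
        }

        /**
         * Binding requested by the AuthnRequest's ProtocolBinding attribute; anything that is
         * not HTTP-POST maps to Redirect, and an absent attribute means "same as inbound".
         */
        private String getBindingType(AuthnRequestType authnRequest) {
            URI protocolBinding = authnRequest.getProtocolBinding();
            if (protocolBinding == null) {
                return getBindingType();
            }
            boolean isPost = JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get().equals(protocolBinding.toString());
            return isPost ? SamlProtocol.SAML_POST_BINDING : SamlProtocol.SAML_REDIRECT_BINDING;
        }

        /** Only the email, transient, persistent and unspecified NameID formats are issued. */
        private boolean isSupportedNameIdFormat(String format) {
            return format.equals(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get())
                    || format.equals(JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get())
                    || format.equals(JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get())
                    || format.equals(JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get());
        }

        /** The binding this protocol instance serves. */
        protected abstract String getBindingType();

        /**
         * Handles a signature-verified LogoutRequest.
         *
         * <p>With a valid identity cookie the whole browser logout is driven from here
         * (front-channel). Without one, each SessionIndex is looked up as a client session,
         * the requesting client is marked logged out, the owning user session is
         * back-channel logged out, and a LogoutResponse is returned to the client.
         *
         * @param logoutRequest the verified request
         * @param client        the resolved requester
         * @param relayState    RelayState to echo in the LogoutResponse
         */
        protected Response logoutRequest(LogoutRequestType logoutRequest, ClientModel client, String relayState) {
            if (logoutRequest.getDestination() != null && !uriInfo.getAbsolutePath().equals(logoutRequest.getDestination())) {
                event.detail("reason", "invalid_destination");
                event.error("invalid_logout_request");
                return ErrorPage.error(session, "invalidRequestMessage");
            }
            AuthenticationManager.AuthResult authResult =
                    AuthenticationManager.authenticateIdentityCookie(session, realm, false);
            if (authResult != null) {
                String bindingType = getBindingType();
                if (SamlProtocol.ATTRIBUTE_TRUE_VALUE.equals(client.getAttribute(SamlProtocol.SAML_FORCE_POST_BINDING))) {
                    bindingType = SamlProtocol.SAML_POST_BINDING;
                }
                String logoutServiceUrl = SamlProtocol.getLogoutServiceUrl(uriInfo, client, bindingType);
                UserSessionModel userSession = authResult.getSession();
                // Everything browserLogout needs to build the final LogoutResponse is parked on the user session.
                userSession.setNote(SamlProtocol.SAML_LOGOUT_BINDING_URI, logoutServiceUrl);
                if (SamlProtocol.requiresRealmSignature(client)) {
                    userSession.setNote(SamlProtocol.SAML_LOGOUT_SIGNATURE_ALGORITHM, SamlProtocol.getSignatureAlgorithm(client).toString());
                }
                if (relayState != null) {
                    userSession.setNote(SamlProtocol.SAML_LOGOUT_RELAY_STATE, relayState);
                }
                userSession.setNote(SamlProtocol.SAML_LOGOUT_REQUEST_ID, logoutRequest.getID());
                userSession.setNote(SamlProtocol.SAML_LOGOUT_BINDING, bindingType);
                userSession.setNote(SamlProtocol.SAML_LOGOUT_CANONICALIZATION, client.getAttribute(SamlProtocol.SAML_CANONICALIZATION_METHOD_ATTRIBUTE));
                userSession.setNote("KEYCLOAK_LOGOUT_PROTOCOL", SamlProtocol.LOGIN_PROTOCOL);
                // The requester is already logging itself out; don't send it another LogoutRequest.
                for (ClientSessionModel clientSession : userSession.getClientSessions()) {
                    if (clientSession.getClient().getId().equals(client.getId())) {
                        clientSession.setAction(ClientSessionModel.Action.LOGGED_OUT.name());
                    }
                }
                logger.debug("browser Logout");
                return AuthenticationManager.browserLogout(session, realm, userSession, uriInfo, clientConnection, headers);
            }

            if (logoutRequest.getSessionIndex() != null) {
                for (String sessionIndex : logoutRequest.getSessionIndex()) {
                    ClientSessionModel clientSession = session.sessions().getClientSession(realm, sessionIndex);
                    if (clientSession == null) {
                        continue;
                    }
                    UserSessionModel userSession = clientSession.getUserSession();
                    if (clientSession.getClient().getClientId().equals(client.getClientId())) {
                        clientSession.setAction(ClientSessionModel.Action.LOGGED_OUT.name());
                        if (userSession != null) {
                            for (ClientSessionModel sibling : userSession.getClientSessions()) {
                                if (sibling.getClient().getId().equals(client.getId())) {
                                    sibling.setAction(ClientSessionModel.Action.LOGGED_OUT.name());
                                }
                            }
                        }
                    }
                    // NOTE(review): the back-channel logout of the owning user session runs even
                    // when the SessionIndex resolves to a client session of a *different* client
                    // (the match above only suppresses the requester's own callback), and also
                    // when userSession is null — presumably intended as full SLO; confirm.
                    try {
                        AuthenticationManager.backchannelLogout(session, realm, userSession, uriInfo, clientConnection, headers, true);
                    } catch (Exception e) {
                        logger.warn("Failure with backchannel logout", e);
                    }
                }
            }

            String responseBinding = getBindingType();
            String logoutServiceUrl = SamlProtocol.getLogoutServiceUrl(uriInfo, client, responseBinding);
            SAML2LogoutResponseBuilder builder = new SAML2LogoutResponseBuilder();
            builder.logoutRequestID(logoutRequest.getID());
            builder.destination(logoutServiceUrl);
            builder.issuer(RealmsResource.realmBaseUrl(uriInfo).build(realm.getName()).toString());
            builder.relayState(relayState);
            if (SamlProtocol.requiresRealmSignature(client)) {
                builder.signatureAlgorithm(SamlProtocol.getSignatureAlgorithm(client))
                        .signWith(realm.getPrivateKey(), realm.getPublicKey(), realm.getCertificate())
                        .signDocument();
            }
            try {
                return SamlProtocol.SAML_POST_BINDING.equals(responseBinding)
                        ? builder.postBinding().response(logoutServiceUrl)
                        : builder.redirectBinding().response(logoutServiceUrl);
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }

        /** True when the request arrived over https or the realm's SSL policy does not require it for this connection. */
        private boolean checkSsl() {
            if (uriInfo.getBaseUri().getScheme().equals("https")) {
                return true;
            }
            return !realm.getSslRequired().isRequired(clientConnection);
        }
    }

    /** HTTP-POST binding: messages are form parameters carrying base64 XML with an enveloped signature. */
    protected class PostBindingProtocol extends BindingProtocol {
        protected PostBindingProtocol() {
            super();
        }

        @Override
        protected void verifySignature(SAMLDocumentHolder documentHolder, ClientModel client) throws VerificationException {
            // Whether a signature is required for this client is decided inside the helper.
            SamlProtocolUtils.verifyDocumentSignature(client, documentHolder.getSamlDocument());
        }

        @Override
        protected SAMLDocumentHolder extractRequestDocument(String samlRequest) {
            return SAMLRequestParser.parseRequestPostBinding(samlRequest);
        }

        @Override
        protected SAMLDocumentHolder extractResponseDocument(String samlResponse) {
            return SAMLRequestParser.parseResponsePostBinding(samlResponse);
        }

        @Override
        protected String getBindingType() {
            return SamlProtocol.SAML_POST_BINDING;
        }

        /** Entry point: precondition checks, then request or response handling depending on which parameter is present. */
        public Response execute(String samlRequest, String samlResponse, String relayState) {
            Response failure = basicChecks(samlRequest, samlResponse);
            if (failure != null) {
                return failure;
            }
            if (samlRequest != null) {
                return handleSamlRequest(samlRequest, relayState);
            }
            return handleSamlResponse(samlResponse, relayState);
        }
    }

    /** HTTP-Redirect binding: messages are deflated query parameters; the signature covers the query string. */
    protected class RedirectBindingProtocol extends BindingProtocol {
        protected RedirectBindingProtocol() {
            super();
        }

        @Override
        protected void verifySignature(SAMLDocumentHolder documentHolder, ClientModel client) throws VerificationException {
            // Only enforced for clients configured to sign; an unsigned redirect request from such a client fails here.
            if (SamlProtocol.ATTRIBUTE_TRUE_VALUE.equals(client.getAttribute(SamlProtocol.SAML_CLIENT_SIGNATURE_ATTRIBUTE))) {
                SamlProtocolUtils.verifyRedirectSignature(SamlProtocolUtils.getSignatureValidationKey(client), uriInfo);
            }
        }

        @Override
        protected SAMLDocumentHolder extractRequestDocument(String samlRequest) {
            return SAMLRequestParser.parseRequestRedirectBinding(samlRequest);
        }

        @Override
        protected SAMLDocumentHolder extractResponseDocument(String samlResponse) {
            // Same decoding as for requests: the redirect payload format does not differ.
            return SAMLRequestParser.parseRequestRedirectBinding(samlResponse);
        }

        @Override
        protected String getBindingType() {
            return SamlProtocol.SAML_REDIRECT_BINDING;
        }

        /** Entry point: precondition checks, then request or response handling depending on which parameter is present. */
        public Response execute(String samlRequest, String samlResponse, String relayState) {
            Response failure = basicChecks(samlRequest, samlResponse);
            if (failure != null) {
                return failure;
            }
            if (samlRequest != null) {
                return handleSamlRequest(samlRequest, relayState);
            }
            return handleSamlResponse(samlResponse, relayState);
        }
    }

    public SamlService(RealmModel realmModel, EventBuilder eventBuilder, AuthenticationManager authenticationManager) {
        this.realm = realmModel;
        this.event = eventBuilder;
        this.authManager = authenticationManager;
    }

    /** 307 to the realm's broker endpoint for the given identity provider, carrying the client session code. */
    private Response buildRedirectToIdentityProvider(String providerAlias, String clientSessionCode) {
        logger.debug("Automatically redirect to identity provider: " + providerAlias);
        URI target = Urls.identityProviderAuthnRequest(uriInfo.getBaseUri(), providerAlias, realm.getName(), clientSessionCode);
        return Response.temporaryRedirect(target).build();
    }

    /**
     * Kicks off the realm's browser authentication flow for a freshly created client session,
     * or redirects straight to an identity provider marked "authenticate by default".
     */
    protected Response newBrowserAuthentication(ClientSessionModel clientSession) {
        for (IdentityProviderModel identityProvider : realm.getIdentityProviders()) {
            if (identityProvider.isAuthenticateByDefault()) {
                String code = new ClientSessionCode(realm, clientSession).getCode();
                return buildRedirectToIdentityProvider(identityProvider.getAlias(), code);
            }
        }
        String flowId = realm.getBrowserFlow().getId();
        AuthenticationProcessor processor = new AuthenticationProcessor();
        processor.setClientSession(clientSession)
                .setFlowPath("authenticate")
                .setFlowId(flowId)
                .setConnection(clientConnection)
                .setEventBuilder(event)
                .setProtector(authManager.getProtector())
                .setRealm(realm)
                .setSession(session)
                .setUriInfo(uriInfo)
                .setRequest(request);
        try {
            RestartLoginCookie.setRestartCookie(realm, clientConnection, uriInfo, clientSession);
            return processor.authenticate();
        } catch (Exception e) {
            return processor.handleBrowserException(e);
        }
    }

    /** HTTP-Redirect binding endpoint. */
    @GET
    public Response redirectBinding(@QueryParam("SAMLRequest") String samlRequest,
                                    @QueryParam("SAMLResponse") String samlResponse,
                                    @QueryParam("RelayState") String relayState) {
        logger.debug("SAML GET");
        return new RedirectBindingProtocol().execute(samlRequest, samlResponse, relayState);
    }

    /** HTTP-POST binding endpoint. */
    @POST
    @Consumes({"application/x-www-form-urlencoded"})
    public Response postBinding(@FormParam("SAMLRequest") String samlRequest,
                                @FormParam("SAMLResponse") String samlResponse,
                                @FormParam("RelayState") String relayState) {
        logger.debug("SAML POST");
        return new PostBindingProtocol().execute(samlRequest, samlResponse, relayState);
    }

    /**
     * IdP metadata built from a classpath template. Note that every SSO/SLO placeholder is
     * filled with the same protocol URL (this endpoint serves all bindings), and the
     * realm's signing certificate is published so SPs can verify our signatures.
     */
    @GET
    @Produces({"application/xml"})
    @Path("descriptor")
    public String getDescriptor() throws Exception {
        String entityId = RealmsResource.realmBaseUrl(uriInfo).build(realm.getName()).toString();
        String protocolUrl = RealmsResource.protocolUrl(uriInfo).build(realm.getName(), SamlProtocol.LOGIN_PROTOCOL).toString();
        String template = StreamUtil.readString(getClass().getResourceAsStream("/idp-metadata-template.xml"));
        return template
                .replace("${idp.entityID}", entityId)
                .replace("${idp.sso.HTTP-POST}", protocolUrl)
                .replace("${idp.sso.HTTP-Redirect}", protocolUrl)
                .replace("${idp.sls.HTTP-POST}", protocolUrl)
                .replace("${idp.signing.certificate}", realm.getCertificatePem());
    }

    /**
     * IdP-initiated SSO: {@code clients/{client}} where the path segment is the client's
     * configured IdP-initiated SSO URL name (not its client id).
     *
     * <p>Applies the same "client enabled" check as SP-initiated login. The response binding
     * recorded on the client session matches the ACS URL chosen (POST unless only a
     * Redirect ACS URL is configured). A RelayState may be supplied by the caller, else
     * the client's configured default is used.
     */
    @GET
    @Produces({"text/html"})
    @Path("clients/{client}")
    public Response idpInitiatedSSO(@PathParam("client") String clientUrlName, @QueryParam("RelayState") String relayState) {
        event.event(EventType.LOGIN);
        ClientModel client = null;
        for (ClientModel candidate : realm.getClients()) {
            String urlName = candidate.getAttribute(SamlProtocol.SAML_IDP_INITIATED_SSO_URL_NAME);
            if (urlName != null && urlName.equals(clientUrlName)) {
                client = candidate;
                break;
            }
        }
        if (client == null) {
            event.error("client_not_found");
            return ErrorPage.error(session, "clientNotFoundMessage");
        }
        // Consistent with handleSamlRequest: a disabled client must not be able to obtain assertions.
        if (!client.isEnabled()) {
            event.error("client_disabled");
            return ErrorPage.error(session, "loginRequesterNotEnabledMessage");
        }

        String postAcs = client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE);
        String redirectAcs = client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE);
        if (client.getManagementUrl() == null && postAcs == null && redirectAcs == null) {
            logger.error("SAML assertion consumer url not set up");
            event.error("invalid_redirect_uri");
            return ErrorPage.error(session, "invalidRedirectUriMessage");
        }
        String bindingType = SamlProtocol.SAML_POST_BINDING;
        if (client.getManagementUrl() == null && postAcs == null && redirectAcs != null) {
            bindingType = SamlProtocol.SAML_REDIRECT_BINDING;
        }
        String redirect = bindingType.equals(SamlProtocol.SAML_REDIRECT_BINDING) ? redirectAcs : postAcs;
        if (redirect == null) {
            redirect = client.getManagementUrl();
        }

        ClientSessionModel clientSession = session.sessions().createClientSession(realm, client);
        clientSession.setAuthMethod(SamlProtocol.LOGIN_PROTOCOL);
        clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name());
        clientSession.setNote("action_key", KeycloakModelUtils.generateCodeSecret());
        // Bug fix: previously hard-coded to POST even when the Redirect ACS URL had been selected above.
        clientSession.setNote(SamlProtocol.SAML_BINDING, bindingType);
        clientSession.setNote(SamlProtocol.SAML_IDP_INITIATED_LOGIN, SamlProtocol.ATTRIBUTE_TRUE_VALUE);
        clientSession.setRedirectUri(redirect);
        if (relayState == null) {
            relayState = client.getAttribute(SamlProtocol.SAML_IDP_INITIATED_SSO_RELAY_STATE);
        }
        // The query-supplied RelayState is caller-controlled and is passed through to the client unchanged.
        if (relayState != null && !relayState.trim().equals("")) {
            clientSession.setNote(SAML2BindingBuilder.RELAY_STATE, relayState);
        }
        return newBrowserAuthentication(clientSession);
    }
}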
