package net.shibboleth.idp.saml.saml2.profile.impl;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.authn.ExternalAuthentication;
import net.shibboleth.idp.authn.ExternalAuthenticationException;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.collection.CollectionSupport;
import net.shibboleth.shared.component.AbstractInitializableComponent;
import net.shibboleth.shared.component.ComponentInitializationException;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.LoggerFactory;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.messaging.decoder.MessageDecoder;
import org.opensaml.messaging.decoder.MessageDecodingException;
import org.opensaml.messaging.handler.MessageHandler;
import org.opensaml.messaging.handler.MessageHandlerException;
import org.opensaml.profile.action.EventIds;
import org.opensaml.profile.context.EventContext;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.saml.common.binding.BindingDescriptor;
import org.opensaml.saml.common.binding.SAMLBindingSupport;
import org.opensaml.saml.common.messaging.context.SAMLMessageReceivedEndpointContext;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.ecp.RelayState;
import org.slf4j.Logger;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;

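/**
 * Spring MVC controller that runs a SAML 2.0 authentication exchange with an upstream IdP as a
 * Shibboleth "external authentication" step.
 *
 * <p>{@link #startSAML} is entered from the authentication flow: it locates the nested
 * {@link ProfileRequestContext} and the {@link SAMLAuthnContext}, completes the outbound
 * {@link AuthnRequest} (RelayState, AssertionConsumerServiceURL, ProtocolBinding) and encodes it
 * to the remote IdP. {@link #finishSAML} receives the response on the ACS endpoint, decodes it with
 * the binding-specific {@link MessageDecoder}, stores the inbound {@link MessageContext} on the
 * nested {@link ProfileRequestContext} and resumes the flow. Nothing in this class validates the
 * decoded response; that is left to whatever the flow runs after it resumes (not visible here).</p>
 *
 * <p>This listing was decompiled from {@code idp-saml-impl-5.0.0.jar}; the synthetic
 * {@code $assertionsDisabled} scaffolding has been folded back into plain {@code assert}
 * statements and the decoder error handling in {@link #finishSAML}, which the decompiler left
 * with an uninitialised local and unhandled checked exceptions, has been restored to a single
 * catch that falls through to the normal "finish" call.</p>
 */
@RequestMapping({"%{idp.authn.SAML.externalAuthnPath:/Authn/SAML2}"})
@Controller
public class SAMLAuthnController extends AbstractInitializableComponent {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(SAMLAuthnController.class);

    /** Locates the nested {@link ProfileRequestContext} carrying the SAML message contexts. */
    @Nonnull
    private Function<ProfileRequestContext, ProfileRequestContext> profileRequestContextLookupStrategy;

    /** Locates the {@link SAMLAuthnContext} holding the encoder/decoder machinery. */
    @Nonnull
    private Function<ProfileRequestContext, SAMLAuthnContext> samlContextLookupStrategy;

    /** Inbound bindings keyed by {@link BindingDescriptor#getShortName()}; consulted by {@link #startSAML}. */
    @Nonnull
    private Map<String, BindingDescriptor> bindingMap;

    /**
     * Constructor.
     *
     * <p>Both lookup strategies default to "the {@link AuthenticationContext} child of the outer
     * {@link ProfileRequestContext}, then its child of the wanted type"; the binding map defaults
     * to empty.</p>
     */
    public SAMLAuthnController() {
        final Function<ProfileRequestContext, ProfileRequestContext> prcLookup =
                new ChildContextLookup<>(ProfileRequestContext.class).compose(
                        new ChildContextLookup<>(AuthenticationContext.class));
        assert prcLookup != null;
        profileRequestContextLookupStrategy = prcLookup;

        final Function<ProfileRequestContext, SAMLAuthnContext> samlLookup =
                new ChildContextLookup<>(SAMLAuthnContext.class).compose(
                        new ChildContextLookup<>(AuthenticationContext.class));
        assert samlLookup != null;
        samlContextLookupStrategy = samlLookup;

        bindingMap = CollectionSupport.emptyMap();
    }

    /**
     * Sets the lookup strategy for the nested {@link ProfileRequestContext}.
     *
     * @param strategy lookup strategy, applied to the outer {@link ProfileRequestContext}
     * @throws net.shibboleth.shared.logic.ConstraintViolationException if {@code strategy} is null
     */
    public void setProfileRequestContextLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, ProfileRequestContext> strategy) {
        checkSetterPreconditions();
        profileRequestContextLookupStrategy =
                Constraint.isNotNull(strategy, "ProfileRequestContext lookup strategy cannot be null");
    }

    /**
     * Sets the lookup strategy for the {@link SAMLAuthnContext}.
     *
     * @param strategy lookup strategy, applied to the outer {@link ProfileRequestContext}
     * @throws net.shibboleth.shared.logic.ConstraintViolationException if {@code strategy} is null
     */
    public void setSAMLAuthnContextLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, SAMLAuthnContext> strategy) {
        checkSetterPreconditions();
        samlContextLookupStrategy =
                Constraint.isNotNull(strategy, "SAMLAuthnContext lookup strategy cannot be null");
    }

    /**
     * Sets the inbound bindings the controller knows about, indexed by short name.
     *
     * @param bindings binding descriptors, or null to clear the map
     */
    public void setInboundBindings(@Nullable final Collection<BindingDescriptor> bindings) {
        checkSetterPreconditions();
        if (bindings == null) {
            bindingMap = CollectionSupport.emptyMap();
            return;
        }
        final Map<String, BindingDescriptor> map = new HashMap<>(bindings.size());
        for (final BindingDescriptor descriptor : bindings) {
            // Later descriptors with the same short name win, as with the original forEach/put.
            map.put(descriptor.getShortName(), descriptor);
        }
        bindingMap = map;
    }

    /**
     * Starts the exchange: finalises the outbound {@link AuthnRequest} and encodes it to the remote IdP.
     *
     * <p>On any failure the event ID is stored under
     * {@link ExternalAuthentication#AUTHENTICATION_ERROR_KEY} and the flow is resumed immediately.
     * On success nothing further happens here: the encoder has written the response and the flow
     * resumes when the IdP calls back into {@link #finishSAML}.</p>
     *
     * @param request servlet request
     * @param response servlet response
     * @param binding path variable selecting the outbound binding (short name in the binding map)
     * @throws ExternalAuthenticationException if the external-authentication conversation cannot be started or resumed
     * @throws IOException if resuming the flow fails
     */
    @GetMapping({"/{binding}/SSO/start"})
    public void startSAML(@Nonnull final HttpServletRequest request,
            @Nonnull final HttpServletResponse response,
            @PathVariable("binding") @Nonnull @NotEmpty final String binding)
            throws ExternalAuthenticationException, IOException {

        final String key = ExternalAuthentication.startExternalAuthentication(request);
        final ProfileRequestContext outerPrc = ExternalAuthentication.getProfileRequestContext(key, request);

        final SAMLAuthnContext samlContext = samlContextLookupStrategy.apply(outerPrc);
        if (samlContext == null) {
            log.error("SAMLAuthnContext not found");
            failExternalAuthentication(key, request, response, EventIds.INVALID_PROFILE_CTX);
            return;
        }

        final ProfileRequestContext nestedPrc = profileRequestContextLookupStrategy.apply(outerPrc);
        if (nestedPrc == null) {
            log.error("Nested ProfileRequestContext not found");
            failExternalAuthentication(key, request, response, EventIds.INVALID_PROFILE_CTX);
            return;
        }

        final MessageContext outboundMessageContext = nestedPrc.getOutboundMessageContext();
        if (outboundMessageContext == null || !(outboundMessageContext.getMessage() instanceof AuthnRequest)) {
            log.error("Outbound AuthnContext message not found");
            failExternalAuthentication(key, request, response, EventIds.INVALID_MESSAGE);
            return;
        }
        final AuthnRequest authnRequest = (AuthnRequest) outboundMessageContext.getMessage();

        // The RelayState round-trips the external-authentication key so finishSAML can resume the conversation.
        SAMLBindingSupport.setRelayState(outboundMessageContext, key);

        // The ACS URL is this controller's "/{binding}/SSO" endpoint, i.e. the request URL minus "/start".
        // It is derived from the request URL, and hence from the host the container believes it was
        // addressed by; a fronting proxy has to present the canonical host for the value to be right.
        // The GetMapping guarantees the "/start" suffix; a URL without it would throw from substring().
        final String requestUrl = request.getRequestURL().toString();
        authnRequest.setAssertionConsumerServiceURL(requestUrl.substring(0, requestUrl.lastIndexOf("/start")));

        // Unknown binding short names are tolerated: the request then carries no ProtocolBinding.
        final BindingDescriptor descriptor = bindingMap.get(binding);
        if (descriptor != null) {
            authnRequest.setProtocolBinding(descriptor.ensureId());
        }

        try {
            final MessageHandler handler = samlContext.getOutboundMessageHandler();
            if (handler != null) {
                handler.invoke(outboundMessageContext);
            }
            samlContext.getEncodeMessageAction().execute(nestedPrc);
        } catch (final MessageHandlerException e) {
            log.error("Caught message handling exception", e);
            failExternalAuthentication(key, request, response, EventIds.MESSAGE_PROC_ERROR);
            return;
        }

        // The encode action reports failure through an EventContext rather than an exception.
        final EventContext eventContext = nestedPrc.getSubcontext(EventContext.class);
        final Object event = eventContext != null ? eventContext.getEvent() : null;
        if (event != null && !EventIds.PROCEED_EVENT_ID.equals(event)) {
            log.error("Message encoding action signaled non-proceed event {}", event);
            failExternalAuthentication(key, request, response, event.toString());
        }
    }

    /**
     * Finishes the exchange: decodes the SAML response from the remote IdP, attaches it as the
     * inbound message context of the nested {@link ProfileRequestContext} and resumes the flow.
     *
     * <p>Decoding failures do not abort the request: the event ID is recorded under
     * {@link ExternalAuthentication#AUTHENTICATION_ERROR_KEY} and the flow is resumed anyway, so
     * the flow sees the error. The decoder is always destroyed, whether decoding succeeded or not.</p>
     *
     * @param request servlet request
     * @param response servlet response
     * @param binding path variable selecting the inbound binding, passed to the decoder factory
     * @throws ExternalAuthenticationException if the RelayState parameter is missing or does not
     *      identify a resumable conversation, or if resuming the flow fails
     * @throws IOException if resuming the flow fails
     */
    @RequestMapping({"/{binding}/SSO"})
    public void finishSAML(@Nonnull final HttpServletRequest request,
            @Nonnull final HttpServletResponse response,
            @PathVariable("binding") @Nonnull @NotEmpty final String binding)
            throws ExternalAuthenticationException, IOException {

        // The RelayState is client-supplied input carrying the key set in startSAML; this code relies on
        // getProfileRequestContext to reject anything that does not identify a live conversation.
        final String key = request.getParameter(RelayState.DEFAULT_ELEMENT_LOCAL_NAME);
        if (key == null) {
            throw new ExternalAuthenticationException("No RelayState parameter, unable to resume flow execution");
        }
        final ProfileRequestContext outerPrc = ExternalAuthentication.getProfileRequestContext(key, request);

        final SAMLAuthnContext samlContext = samlContextLookupStrategy.apply(outerPrc);
        if (samlContext == null) {
            log.error("SAMLAuthnContext not found");
            failExternalAuthentication(key, request, response, EventIds.INVALID_PROFILE_CTX);
            return;
        }

        final ProfileRequestContext nestedPrc = profileRequestContextLookupStrategy.apply(outerPrc);
        if (nestedPrc == null) {
            log.error("Nested ProfileRequestContext not found");
            failExternalAuthentication(key, request, response, EventIds.INVALID_PROFILE_CTX);
            return;
        }

        try {
            final MessageDecoder decoder = samlContext.getMessageDecoderFactory().apply(binding);
            if (decoder == null) {
                throw new MessageDecodingException("Unable to obtain MessageDecoder for binding key: " + binding);
            }
            try {
                decoder.initialize();
                decoder.decode();
                final MessageContext messageContext = decoder.getMessageContext();
                assert messageContext != null;
                // Records which endpoint the response arrived at; presumably consumed by the
                // endpoint checks the flow performs after resuming (not visible here).
                messageContext.addSubcontext(new SAMLMessageReceivedEndpointContext(request));
                nestedPrc.setInboundMessageContext(messageContext);
            } finally {
                decoder.destroy();
            }
        } catch (final ComponentInitializationException | MessageDecodingException e) {
            log.error("Unable to decode SAML response", e);
            request.setAttribute(ExternalAuthentication.AUTHENTICATION_ERROR_KEY, EventIds.UNABLE_TO_DECODE);
        }

        ExternalAuthentication.finishExternalAuthentication(key, request, response);
    }

    /**
     * Records {@code eventId} as the authentication error and hands control back to the flow.
     *
     * @param key external-authentication conversation key
     * @param request servlet request
     * @param response servlet response
     * @param eventId event ID the flow should see as the outcome
     * @throws ExternalAuthenticationException if the conversation cannot be resumed
     * @throws IOException if resuming the flow fails
     */
    private static void failExternalAuthentication(@Nonnull final String key,
            @Nonnull final HttpServletRequest request, @Nonnull final HttpServletResponse response,
            @Nonnull final String eventId) throws ExternalAuthenticationException, IOException {
        request.setAttribute(ExternalAuthentication.AUTHENTICATION_ERROR_KEY, eventId);
        ExternalAuthentication.finishExternalAuthentication(key, request, response);
    }
}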
