package org.keycloak.protocol.saml.profile.ecp;

import java.io.IOException;
import java.io.InputStream;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPHeaderElement;
import org.keycloak.dom.saml.v2.protocol.AuthnRequestType;
import org.keycloak.events.EventBuilder;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.AuthenticationFlowModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.saml.JaxrsSAML2BindingBuilder;
import org.keycloak.protocol.saml.SamlConfigAttributes;
import org.keycloak.protocol.saml.SamlProtocol;
import org.keycloak.protocol.saml.SamlService;
import org.keycloak.protocol.saml.profile.ecp.util.Soap;
import org.keycloak.saml.SAML2LogoutResponseBuilder;
import org.keycloak.saml.common.constants.JBossSAMLConstants;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.saml.common.exceptions.ConfigurationException;
import org.keycloak.saml.common.exceptions.ProcessingException;
import org.keycloak.saml.validators.DestinationValidator;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.w3c.dom.Document;

/* loaded from: input_file:org/keycloak/protocol/saml/profile/ecp/SamlEcpProfileService.class */
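/**
 * SAML ECP (Enhanced Client or Proxy) profile endpoint.
 *
 * Accepts an AuthnRequest wrapped in a SOAP envelope, runs it through the
 * base class's POST-binding request handling, and answers with the SAML
 * Response wrapped in a SOAP envelope that carries the ECP headers
 * ({@code ecp:Response}, optionally {@code ecp:RequestAuthenticated}).
 *
 * NOTE(review): this listing is decompiler output. The {@code mNNN}-prefixed
 * builder method names (e.g. {@code m264postBinding}, {@code m268setEventBuilder})
 * are renaming artifacts, and the boolean parameter names {@code z}/{@code z2}
 * were lost; both are kept as-is so the listing stays self-consistent.
 */
public class SamlEcpProfileService extends SamlService {
    private static final String NS_PREFIX_PROFILE_ECP = "ecp";
    private static final String NS_PREFIX_SAML_PROTOCOL = "samlp";
    private static final String NS_PREFIX_SAML_ASSERTION = "saml";

    /** SOAP 1.1 "next" actor: the first node on the path (the ECP client) must process the header. */
    private static final String SOAP_ACTOR_NEXT = "http://schemas.xmlsoap.org/soap/actor/next";

    /** Alias of the realm authentication flow that ECP logins are routed through. */
    private static final String ECP_FLOW_ALIAS = "saml ecp";

    /** Generic fault text returned to the ECP client; deliberately carries no diagnostic detail. */
    private static final String AUTHN_REQUEST_FAULT_REASON = "Some error occurred while processing the AuthnRequest.";

    public SamlEcpProfileService(RealmModel realmModel, EventBuilder eventBuilder, DestinationValidator destinationValidator) {
        super(realmModel, eventBuilder, destinationValidator);
    }

    /**
     * Handles an ECP AuthnRequest delivered as a SOAP message (SAML SOAP binding).
     *
     * @param inputStream raw HTTP request body from the ECP client; untrusted
     *                    XML, parsed by {@link Soap#toSamlHttpPostMessage}
     * @return the SOAP-wrapped SAML response produced by the base-class
     *         request handling, or a SOAP fault if anything fails
     */
    public Response authenticate(InputStream inputStream) {
        try {
            return new SamlService.PostBindingProtocol() {
                @Override
                protected String getBindingType(AuthnRequestType authnRequestType) {
                    // Reported binding type; the request arrived over SOAP, not an HTML form POST.
                    return SamlProtocol.SAML_SOAP_BINDING;
                }

                @Override
                public Response loginRequest(String str, AuthnRequestType authnRequestType, ClientModel clientModel) {
                    // ECP has no browser to redirect, so the request is always treated as passive.
                    authnRequestType.setIsPassive(true);
                    // The Destination is overwritten with this endpoint's own URI before the
                    // base class sees it. NOTE(review): presumably because an ECP AuthnRequest
                    // is built by the SP without knowing which IdP will answer it - but it also
                    // means any Destination the client did send is not checked here; confirm
                    // that is the intended behaviour.
                    authnRequestType.setDestination(SamlEcpProfileService.this.session.getContext().getUri().getAbsolutePath());
                    return super.loginRequest(str, authnRequestType, clientModel);
                }
            }.execute(Soap.toSamlHttpPostMessage(inputStream), null, null);
        } catch (Exception e) {
            // The request body is attacker-controlled XML, so the exception message may
            // contain parser internals, class names or fragments of the offending input.
            // Do not echo it back to the caller (CWE-209): the fault stays generic.
            // TODO(review): no logger is in scope in this listing; route e to server-side
            // logging/events so failed ECP logins remain diagnosable.
            return Soap.createFault()
                    .reason(AUTHN_REQUEST_FAULT_REASON)
                    .detail(AUTHN_REQUEST_FAULT_REASON)
                    .build();
        }
    }

    /**
     * Delegates to the base class but substitutes the ECP-aware {@link SamlProtocol}
     * so that the eventual response is rendered as a SOAP envelope.
     *
     * @param z  boolean flag passed through untouched (name lost in decompilation)
     * @param z2 boolean flag passed through untouched (name lost in decompilation)
     * @param samlProtocol ignored; replaced by {@link #createEcpSamlProtocol()}
     */
    @Override
    public Response newBrowserAuthentication(AuthenticationSessionModel authenticationSessionModel, boolean z, boolean z2, SamlProtocol samlProtocol) {
        return super.newBrowserAuthentication(authenticationSessionModel, z, z2, createEcpSamlProtocol());
    }

    /**
     * Builds a {@link SamlProtocol} whose success, error and logout responses are
     * rendered for the SOAP/ECP transport instead of an HTML POST form or redirect.
     */
    private SamlProtocol createEcpSamlProtocol() {
        return new SamlProtocol() {
            /**
             * Wraps the successful SAML Response in a SOAP envelope with the ECP headers.
             *
             * @param str the assertion consumer service URL the ECP client must
             *            deliver the response to (copied into the ecp:Response header)
             * @param document the SAML Response document; it is first passed through
             *            the binding builder (which is where signing/encryption is
             *            expected to be applied) before being placed in the SOAP body
             */
            @Override
            protected Response buildAuthenticatedResponse(AuthenticatedClientSessionModel authenticatedClientSessionModel, String str, Document document, JaxrsSAML2BindingBuilder jaxrsSAML2BindingBuilder) throws ConfigurationException, ProcessingException, IOException {
                Document boundResponse = jaxrsSAML2BindingBuilder.m264postBinding(document).getDocument();
                try {
                    Soap.SoapMessageBuilder envelope = Soap.createMessage()
                            .addNamespace(SamlEcpProfileService.NS_PREFIX_SAML_ASSERTION, JBossSAMLURIConstants.ASSERTION_NSURI.get())
                            .addNamespace(SamlEcpProfileService.NS_PREFIX_SAML_PROTOCOL, JBossSAMLURIConstants.PROTOCOL_NSURI.get())
                            .addNamespace(SamlEcpProfileService.NS_PREFIX_PROFILE_ECP, JBossSAMLURIConstants.ECP_PROFILE.get());
                    createEcpResponseHeader(str, envelope);
                    createRequestAuthenticatedHeader(authenticatedClientSessionModel, envelope);
                    envelope.addToBody(boundResponse);
                    return envelope.build();
                } catch (Exception e) {
                    throw new RuntimeException("Error while creating SAML response.", e);
                }
            }

            /**
             * Adds the {@code ecp:RequestAuthenticated} header, but only for clients
             * configured to sign their AuthnRequests. In the ECP profile this header
             * tells the ECP client that the IdP authenticated the SP's request.
             *
             * NOTE(review): the decision is driven purely by the client's configuration
             * attribute, not by a verification result computed here; it relies on the
             * base-class request handling having already rejected unsigned or badly
             * signed requests for such clients before this point - confirm.
             */
            private void createRequestAuthenticatedHeader(AuthenticatedClientSessionModel authenticatedClientSessionModel, Soap.SoapMessageBuilder soapMessageBuilder) {
                String requiresClientSignature = authenticatedClientSessionModel.getClient()
                        .getAttribute(SamlConfigAttributes.SAML_CLIENT_SIGNATURE_ATTRIBUTE);
                if (!SamlProtocol.ATTRIBUTE_TRUE_VALUE.equals(requiresClientSignature)) {
                    return;
                }
                SOAPHeaderElement header = soapMessageBuilder.addHeader(JBossSAMLConstants.REQUEST_AUTHENTICATED.get(), SamlEcpProfileService.NS_PREFIX_PROFILE_ECP);
                // mustUnderstand forces a client that does not implement ECP to fault instead of ignoring the header.
                header.setMustUnderstand(true);
                header.setActor(SOAP_ACTOR_NEXT);
            }

            /**
             * Adds the mandatory {@code ecp:Response} header carrying the
             * AssertionConsumerServiceURL the client must deliver the response to.
             *
             * @param str the assertion consumer service URL
             */
            private void createEcpResponseHeader(String str, Soap.SoapMessageBuilder soapMessageBuilder) throws SOAPException {
                SOAPHeaderElement header = soapMessageBuilder.addHeader(JBossSAMLConstants.RESPONSE__ECP.get(), SamlEcpProfileService.NS_PREFIX_PROFILE_ECP);
                header.setMustUnderstand(true);
                header.setActor(SOAP_ACTOR_NEXT);
                header.addAttribute(soapMessageBuilder.createName(JBossSAMLConstants.ASSERTION_CONSUMER_SERVICE_URL.get()), str);
            }

            /**
             * Renders a SAML error Response as a bare SOAP body.
             *
             * NOTE(review): unlike buildAuthenticatedResponse, the document is placed in
             * the body without going through jaxrsSAML2BindingBuilder. If that builder is
             * what applies the realm signature, error responses leave this endpoint
             * unsigned - confirm whether that is intended. The z flag and the binding
             * builder are ignored here.
             */
            @Override
            protected Response buildErrorResponse(boolean z, String str, JaxrsSAML2BindingBuilder jaxrsSAML2BindingBuilder, Document document) throws ConfigurationException, ProcessingException, IOException {
                return Soap.createMessage().addToBody(document).build();
            }

            /** Logout over ECP is not implemented; every logout attempt yields a SOAP fault. */
            @Override
            protected Response buildLogoutResponse(UserSessionModel userSessionModel, String str, SAML2LogoutResponseBuilder sAML2LogoutResponseBuilder, JaxrsSAML2BindingBuilder jaxrsSAML2BindingBuilder) throws ConfigurationException, ProcessingException, IOException {
                return Soap.createFault().reason("Logout not supported.").build();
            }
        }.m268setEventBuilder(this.event).m269setHttpHeaders(this.headers).m271setRealm(this.realm).m272setSession(this.session).m270setUriInfo((UriInfo) this.session.getContext().getUri());
    }

    /**
     * Resolves the realm authentication flow used for ECP by its fixed alias
     * ("saml ecp"); the authentication session argument is not consulted.
     *
     * @throws RuntimeException if the realm has no flow with that alias
     */
    @Override
    protected AuthenticationFlowModel getAuthenticationFlow(AuthenticationSessionModel authenticationSessionModel) {
        for (AuthenticationFlowModel flow : this.realm.getAuthenticationFlows()) {
            // Constant-first equals: a flow with a null alias must not NPE the lookup.
            if (ECP_FLOW_ALIAS.equals(flow.getAlias())) {
                return flow;
            }
        }
        throw new RuntimeException("Could not resolve authentication flow for SAML ECP Profile.");
    }
}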
