package org.keycloak.protocol.saml;

import java.security.PublicKey;
import java.security.Signature;
import javax.ws.rs.Consumes;
import javax.ws.rs.FormParam;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import javax.ws.rs.ext.Providers;
import org.jboss.logging.Logger;
import org.jboss.resteasy.specimpl.MultivaluedMapImpl;
import org.jboss.resteasy.spi.HttpRequest;
import org.jboss.resteasy.spi.HttpResponse;
import org.keycloak.ClientConnection;
import org.keycloak.VerificationException;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.login.LoginFormsProvider;
import org.keycloak.models.ApplicationModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oidc.OpenIDConnectService;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.resources.RealmsResource;
import org.keycloak.services.resources.flows.Flows;
import org.keycloak.util.StreamUtil;
import org.picketlink.identity.federation.core.saml.v2.common.SAMLDocumentHolder;
import org.picketlink.identity.federation.saml.v2.protocol.AuthnRequestType;
import org.picketlink.identity.federation.saml.v2.protocol.LogoutRequestType;
import org.picketlink.identity.federation.saml.v2.protocol.RequestAbstractType;
import org.picketlink.identity.federation.web.util.RedirectBindingUtil;

/* loaded from: input_file:org/keycloak/protocol/saml/SamlService.class */
public class SamlService {
    protected static final Logger logger = Logger.getLogger(SamlService.class);
    protected RealmModel realm;
    private EventBuilder event;
    protected AuthenticationManager authManager;

    @Context
    protected Providers providers;

    @Context
    protected SecurityContext securityContext;

    @Context
    protected UriInfo uriInfo;

    @Context
    protected HttpHeaders headers;

    @Context
    protected HttpRequest request;

    @Context
    protected HttpResponse response;

    @Context
    protected KeycloakSession session;

    @Context
    protected ClientConnection clientConnection;

    /* loaded from: input_file:org/keycloak/protocol/saml/SamlService$BindingProtocol.class */
    public abstract class BindingProtocol {
        public BindingProtocol() {
        }

        protected Response basicChecks(String str, String str2) {
            if (!checkSsl()) {
                SamlService.this.event.event(EventType.LOGIN);
                SamlService.this.event.error("ssl_required");
                return Flows.forwardToSecurityFailurePage(SamlService.this.session, SamlService.this.realm, SamlService.this.uriInfo, "HTTPS required");
            }
            if (!SamlService.this.realm.isEnabled()) {
                SamlService.this.event.event(EventType.LOGIN_ERROR);
                SamlService.this.event.error("realm_disabled");
                return Flows.forwardToSecurityFailurePage(SamlService.this.session, SamlService.this.realm, SamlService.this.uriInfo, "Realm not enabled");
            }
            if (str != null || str2 != null) {
                return null;
            }
            SamlService.this.event.event(EventType.LOGIN);
            SamlService.this.event.error("invalid_token");
            return Flows.forwardToSecurityFailurePage(SamlService.this.session, SamlService.this.realm, SamlService.this.uriInfo, "Invalid Request");
        }

        protected Response handleSamlResponse(String str, String str2) {
            SamlService.this.event.event(EventType.LOGIN);
            SamlService.this.event.error("invalid_token");
            return Flows.forwardToSecurityFailurePage(SamlService.this.session, SamlService.this.realm, SamlService.this.uriInfo, "Invalid Request");
        }

        protected Response handleSamlRequest(String str, String str2) {
            SAMLDocumentHolder extractDocument = extractDocument(str);
            if (extractDocument == null) {
                SamlService.this.event.event(EventType.LOGIN);
                SamlService.this.event.error("invalid_token");
                return Flows.forwardToSecurityFailurePage(SamlService.this.session, SamlService.this.realm, SamlService.this.uriInfo, "Invalid Request");
            }
            RequestAbstractType samlObject = extractDocument.getSamlObject();
            ApplicationModel findClient = SamlService.this.realm.findClient(samlObject.getIssuer().getValue());
            if (findClient == null) {
                SamlService.this.event.event(EventType.LOGIN);
                SamlService.this.event.error("client_not_found");
                return Flows.forwardToSecurityFailurePage(SamlService.this.session, SamlService.this.realm, SamlService.this.uriInfo, "Unknown login requester.");
            }
            if (!findClient.isEnabled()) {
                SamlService.this.event.event(EventType.LOGIN);
                SamlService.this.event.error("client_disabled");
                return Flows.forwardToSecurityFailurePage(SamlService.this.session, SamlService.this.realm, SamlService.this.uriInfo, "Login requester not enabled.");
            }
            if ((findClient instanceof ApplicationModel) && findClient.isBearerOnly()) {
                SamlService.this.event.event(EventType.LOGIN);
                SamlService.this.event.error("not_allowed");
                return Flows.forwardToSecurityFailurePage(SamlService.this.session, SamlService.this.realm, SamlService.this.uriInfo, "Bearer-only applications are not allowed to initiate browser login");
            }
            if (findClient.isDirectGrantsOnly()) {
                SamlService.this.event.event(EventType.LOGIN);
                SamlService.this.event.error("not_allowed");
                return Flows.forwardToSecurityFailurePage(SamlService.this.session, SamlService.this.realm, SamlService.this.uriInfo, "direct-grants-only clients are not allowed to initiate browser login");
            }
            try {
                verifySignature(extractDocument, findClient);
                if (samlObject instanceof AuthnRequestType) {
                    SamlService.this.event.event(EventType.LOGIN);
                    return loginRequest(str2, (AuthnRequestType) samlObject, findClient);
                }
                if (samlObject instanceof LogoutRequestType) {
                    SamlService.this.event.event(EventType.LOGOUT);
                    return logoutRequest((LogoutRequestType) samlObject, findClient);
                }
                SamlService.this.event.event(EventType.LOGIN);
                SamlService.this.event.error("invalid_token");
                return Flows.forwardToSecurityFailurePage(SamlService.this.session, SamlService.this.realm, SamlService.this.uriInfo, "Invalid Request");
            } catch (VerificationException e) {
                SamlService.logger.error("request validation failed", e);
                SamlService.this.event.event(EventType.LOGIN);
                SamlService.this.event.error("invalid_signature");
                return Flows.forwardToSecurityFailurePage(SamlService.this.session, SamlService.this.realm, SamlService.this.uriInfo, "Invalid requester.");
            }
        }

        protected abstract void verifySignature(SAMLDocumentHolder sAMLDocumentHolder, ClientModel clientModel) throws VerificationException;

        protected abstract SAMLDocumentHolder extractDocument(String str);

        protected Response loginRequest(String str, AuthnRequestType authnRequestType, ClientModel clientModel) {
            String verifyRedirectUri = OpenIDConnectService.verifyRedirectUri(SamlService.this.uriInfo, authnRequestType.getAssertionConsumerServiceURL().toString(), SamlService.this.realm, clientModel);
            if (verifyRedirectUri == null) {
                SamlService.this.event.error("invalid_redirect_uri");
                return Flows.forwardToSecurityFailurePage(SamlService.this.session, SamlService.this.realm, SamlService.this.uriInfo, "Invalid redirect_uri.");
            }
            ClientSessionModel createClientSession = SamlService.this.session.sessions().createClientSession(SamlService.this.realm, clientModel);
            createClientSession.setAuthMethod(SamlProtocol.LOGIN_PROTOCOL);
            createClientSession.setRedirectUri(verifyRedirectUri);
            createClientSession.setAction(ClientSessionModel.Action.AUTHENTICATE);
            createClientSession.setNote("action_key", KeycloakModelUtils.generateCodeSecret());
            createClientSession.setNote(SamlProtocol.SAML_BINDING, getBindingType());
            createClientSession.setNote("RelayState", str);
            createClientSession.setNote(SamlProtocol.SAML_REQUEST_ID, authnRequestType.getID());
            Response checkNonFormAuthentication = SamlService.this.authManager.checkNonFormAuthentication(SamlService.this.session, createClientSession, SamlService.this.realm, SamlService.this.uriInfo, SamlService.this.request, SamlService.this.clientConnection, SamlService.this.headers, SamlService.this.event);
            if (checkNonFormAuthentication != null) {
                return checkNonFormAuthentication;
            }
            LoginFormsProvider clientSessionCode = Flows.forms(SamlService.this.session, SamlService.this.realm, createClientSession.getClient(), SamlService.this.uriInfo).setClientSessionCode(new ClientSessionCode(SamlService.this.realm, createClientSession).getCode());
            String rememberMeUsername = AuthenticationManager.getRememberMeUsername(SamlService.this.realm, SamlService.this.headers);
            if (rememberMeUsername != null) {
                MultivaluedMapImpl multivaluedMapImpl = new MultivaluedMapImpl();
                multivaluedMapImpl.add("username", rememberMeUsername);
                multivaluedMapImpl.add("rememberMe", "on");
                clientSessionCode.setFormData(multivaluedMapImpl);
            }
            return clientSessionCode.createLogin();
        }

        protected abstract String getBindingType();

        protected Response logoutRequest(LogoutRequestType logoutRequestType, ClientModel clientModel) {
            AuthenticationManager.AuthResult authenticateIdentityCookie = SamlService.this.authManager.authenticateIdentityCookie(SamlService.this.session, SamlService.this.realm, SamlService.this.uriInfo, SamlService.this.clientConnection, SamlService.this.headers, false);
            if (authenticateIdentityCookie != null) {
                logout(authenticateIdentityCookie.getSession());
            }
            String str = null;
            if (clientModel instanceof ApplicationModel) {
                str = ((ApplicationModel) clientModel).getBaseUrl();
            }
            if (str == null) {
                return Response.ok().build();
            }
            String verifyRedirectUri = OpenIDConnectService.verifyRedirectUri(SamlService.this.uriInfo, str, SamlService.this.realm, clientModel);
            return verifyRedirectUri == null ? Flows.forwardToSecurityFailurePage(SamlService.this.session, SamlService.this.realm, SamlService.this.uriInfo, "Invalid redirect uri.") : Response.status(302).location(UriBuilder.fromUri(verifyRedirectUri).build(new Object[0])).build();
        }

        private void logout(UserSessionModel userSessionModel) {
            AuthenticationManager authenticationManager = SamlService.this.authManager;
            AuthenticationManager.logout(SamlService.this.session, SamlService.this.realm, userSessionModel, SamlService.this.uriInfo, SamlService.this.clientConnection);
            SamlService.this.event.user(userSessionModel.getUser()).session(userSessionModel).success();
        }

        private boolean checkSsl() {
            return SamlService.this.uriInfo.getBaseUri().getScheme().equals("https") || !SamlService.this.realm.getSslRequired().isRequired(SamlService.this.clientConnection);
        }
    }

    /* loaded from: input_file:org/keycloak/protocol/saml/SamlService$PostBindingProtocol.class */
    protected class PostBindingProtocol extends BindingProtocol {
        protected PostBindingProtocol() {
            super();
        }

        @Override // org.keycloak.protocol.saml.SamlService.BindingProtocol
        protected void verifySignature(SAMLDocumentHolder sAMLDocumentHolder, ClientModel clientModel) throws VerificationException {
            SamlProtocolUtils.verifyDocumentSignature(clientModel, sAMLDocumentHolder.getSamlDocument());
        }

        @Override // org.keycloak.protocol.saml.SamlService.BindingProtocol
        protected SAMLDocumentHolder extractDocument(String str) {
            return SAMLRequestParser.parsePostBinding(str);
        }

        @Override // org.keycloak.protocol.saml.SamlService.BindingProtocol
        protected String getBindingType() {
            return SamlProtocol.SAML_POST_BINDING;
        }

        public Response execute(String str, String str2, String str3) {
            Response basicChecks = basicChecks(str, str2);
            return basicChecks != null ? basicChecks : str != null ? handleSamlRequest(str, str3) : handleSamlResponse(str2, str3);
        }
    }

    /* loaded from: input_file:org/keycloak/protocol/saml/SamlService$RedirectBindingProtocol.class */
    protected class RedirectBindingProtocol extends BindingProtocol {
        protected RedirectBindingProtocol() {
            super();
        }

        @Override // org.keycloak.protocol.saml.SamlService.BindingProtocol
        protected void verifySignature(SAMLDocumentHolder sAMLDocumentHolder, ClientModel clientModel) throws VerificationException {
            if (SamlProtocol.ATTRIBUTE_TRUE_VALUE.equals(clientModel.getAttribute(SamlProtocol.SAML_CLIENT_SIGNATURE_ATTRIBUTE))) {
                MultivaluedMap queryParameters = SamlService.this.uriInfo.getQueryParameters(false);
                String str = (String) queryParameters.getFirst("SAMLRequest");
                String str2 = (String) queryParameters.getFirst("SigAlg");
                String str3 = (String) queryParameters.getFirst("Signature");
                if (str == null) {
                    throw new VerificationException("SAMLRequest as null");
                }
                if (str2 == null) {
                    throw new VerificationException("SigAlg as null");
                }
                if (str3 == null) {
                    throw new VerificationException("Signature as null");
                }
                PublicKey signatureValidationKey = SamlProtocolUtils.getSignatureValidationKey(clientModel);
                UriBuilder queryParam = UriBuilder.fromPath("/").queryParam("SAMLRequest", new Object[]{str});
                if (queryParameters.containsKey("RelayState")) {
                    queryParam.queryParam("RelayState", new Object[]{queryParameters.getFirst("RelayState")});
                }
                queryParam.queryParam("SigAlg", new Object[]{str2});
                String rawQuery = queryParam.build(new Object[0]).getRawQuery();
                try {
                    byte[] urlBase64Decode = RedirectBindingUtil.urlBase64Decode(str3);
                    Signature createSignature = SamlProtocol.getSignatureAlgorithm(clientModel).createSignature();
                    createSignature.initVerify(signatureValidationKey);
                    createSignature.update(rawQuery.getBytes("UTF-8"));
                    if (createSignature.verify(urlBase64Decode)) {
                    } else {
                        throw new VerificationException("Invalid query param signature");
                    }
                } catch (Exception e) {
                    throw new VerificationException(e);
                }
            }
        }

        @Override // org.keycloak.protocol.saml.SamlService.BindingProtocol
        protected SAMLDocumentHolder extractDocument(String str) {
            return SAMLRequestParser.parseRedirectBinding(str);
        }

        @Override // org.keycloak.protocol.saml.SamlService.BindingProtocol
        protected String getBindingType() {
            return SamlProtocol.SAML_GET_BINDING;
        }

        public Response execute(String str, String str2, String str3) {
            Response basicChecks = basicChecks(str, str2);
            return basicChecks != null ? basicChecks : str != null ? handleSamlRequest(str, str3) : handleSamlResponse(str2, str3);
        }
    }

    public SamlService(RealmModel realmModel, EventBuilder eventBuilder, AuthenticationManager authenticationManager) {
        this.realm = realmModel;
        this.event = eventBuilder;
        this.authManager = authenticationManager;
    }

    @GET
    @Consumes({"application/x-www-form-urlencoded"})
    public Response redirectBinding(@QueryParam("SAMLRequest") String str, @QueryParam("SAMLResponse") String str2, @QueryParam("RelayState") String str3) {
        return new RedirectBindingProtocol().execute(str, str2, str3);
    }

    @POST
    @Consumes({"application/x-www-form-urlencoded"})
    public Response postBinding(@FormParam("SAMLRequest") String str, @FormParam("SAMLResponse") String str2, @FormParam("RelayState") String str3) {
        return new PostBindingProtocol().execute(str, str2, str3);
    }

    @GET
    @Produces({"application/xml"})
    @Path("descriptor")
    public String getDescriptor() throws Exception {
        return StreamUtil.readString(getClass().getResourceAsStream("/idp-metadata-template.xml")).replace("${idp.entityID}", RealmsResource.realmBaseUrl(this.uriInfo).build(new Object[]{this.realm.getName()}).toString()).replace("${idp.sso.HTTP-POST}", RealmsResource.protocolUrl(this.uriInfo).build(new Object[]{this.realm.getName(), SamlProtocol.LOGIN_PROTOCOL}).toString()).replace("${idp.sso.HTTP-Redirect}", RealmsResource.protocolUrl(this.uriInfo).build(new Object[]{this.realm.getName(), SamlProtocol.LOGIN_PROTOCOL}).toString()).replace("${idp.sls.HTTP-POST}", RealmsResource.protocolUrl(this.uriInfo).build(new Object[]{this.realm.getName(), SamlProtocol.LOGIN_PROTOCOL}).toString()).replace("${idp.signing.certificate}", this.realm.getCertificatePem());
    }
}
