package org.keycloak.broker.saml;

import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Consumer;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import javax.ws.rs.Consumes;
import javax.ws.rs.FormParam;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.QueryParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.keycloak.broker.provider.IdentityProvider;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.VerificationException;
import org.keycloak.dom.saml.v2.assertion.AssertionType;
import org.keycloak.dom.saml.v2.assertion.AttributeType;
import org.keycloak.dom.saml.v2.assertion.NameIDType;
import org.keycloak.dom.saml.v2.assertion.SubjectType;
import org.keycloak.dom.saml.v2.protocol.LogoutRequestType;
import org.keycloak.dom.saml.v2.protocol.RequestAbstractType;
import org.keycloak.dom.saml.v2.protocol.ResponseType;
import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeyManager;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.LoginProtocol;
import org.keycloak.protocol.saml.JaxrsSAML2BindingBuilder;
import org.keycloak.protocol.saml.SamlPrincipalType;
import org.keycloak.protocol.saml.SamlProtocol;
import org.keycloak.protocol.saml.SamlProtocolUtils;
import org.keycloak.protocol.saml.SamlService;
import org.keycloak.protocol.saml.SamlSessionUtils;
import org.keycloak.protocol.saml.preprocessor.SamlAuthenticationPreprocessor;
import org.keycloak.rotation.HardcodedKeyLocator;
import org.keycloak.rotation.KeyLocator;
import org.keycloak.saml.SAML2LogoutResponseBuilder;
import org.keycloak.saml.SAMLRequestParser;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.saml.common.exceptions.ConfigurationException;
import org.keycloak.saml.common.exceptions.ProcessingException;
import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
import org.keycloak.saml.processing.core.saml.v2.constants.X500SAMLProfileConstants;
import org.keycloak.saml.processing.core.util.KeycloakKeySamlExtensionGenerator;
import org.keycloak.saml.processing.core.util.XMLSignatureUtil;
import org.keycloak.saml.processing.web.util.PostBindingUtil;
import org.keycloak.saml.validators.DestinationValidator;
import org.keycloak.services.ErrorPage;
import org.keycloak.services.Urls;
import org.keycloak.services.clientregistration.ErrorCodes;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.util.CacheControlUtil;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.utils.MediaType;
import org.w3c.dom.NodeList;

/* loaded from: input_file:org/keycloak/broker/saml/SAMLEndpoint.class */
public class SAMLEndpoint {
    protected static final Logger logger = Logger.getLogger(SAMLEndpoint.class);
    // Note names for SAML data attached to a user/auth session. The code that reads and writes
    // them is handleLoginResponse, which JADX could not decompile in this dump — confirm against
    // the original source before relying on their semantics.
    public static final String SAML_FEDERATED_SESSION_INDEX = "SAML_FEDERATED_SESSION_INDEX";

    // Deprecated in favour of SAML_FEDERATED_SUBJECT_NAMEID, presumably; the reason is not stated here.
    @Deprecated
    public static final String SAML_FEDERATED_SUBJECT = "SAML_FEDERATED_SUBJECT";

    @Deprecated
    public static final String SAML_FEDERATED_SUBJECT_NAMEFORMAT = "SAML_FEDERATED_SUBJECT_NAMEFORMAT";
    public static final String SAML_FEDERATED_SUBJECT_NAMEID = "SAML_FEDERATED_SUBJECT_NAME_ID";
    public static final String SAML_LOGIN_RESPONSE = "SAML_LOGIN_RESPONSE";
    public static final String SAML_ASSERTION = "SAML_ASSERTION";
    public static final String SAML_AUTHN_STATEMENT = "SAML_AUTHN_STATEMENT";
    // Set by the constructor.
    protected RealmModel realm;
    // Replaced with a fresh EventBuilder at the start of every Binding.execute() call.
    protected EventBuilder event;
    // Set by the constructor.
    protected SAMLIdentityProviderConfig config;
    protected IdentityProvider.AuthenticationCallback callback;
    protected SAMLIdentityProvider provider;
    private final DestinationValidator destinationValidator;

    // The three fields below are injected by JAX-RS (@Context), not by the constructor.
    @Context
    private KeycloakSession session;

    @Context
    private ClientConnection clientConnection;

    @Context
    private HttpHeaders headers;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.keycloak.broker.saml.SAMLEndpoint$1, reason: invalid class name */
    /* loaded from: input_file:org/keycloak/broker/saml/SAMLEndpoint$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        // JADX-recovered synthetic switch map: maps SamlPrincipalType.ordinal() to the case label
        // (1 = SUBJECT, 2 = ATTRIBUTE, 3 = FRIENDLY_ATTRIBUTE) of a switch over SamlPrincipalType
        // somewhere in this class; the switch itself is not visible in this excerpt.
        static final /* synthetic */ int[] $SwitchMap$org$keycloak$protocol$saml$SamlPrincipalType = new int[SamlPrincipalType.values().length];

        static {
            // The empty NoSuchFieldError catches are javac boilerplate: they tolerate an enum that
            // lost a constant between compilations. They are intentionally empty.
            try {
                $SwitchMap$org$keycloak$protocol$saml$SamlPrincipalType[SamlPrincipalType.SUBJECT.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$keycloak$protocol$saml$SamlPrincipalType[SamlPrincipalType.ATTRIBUTE.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$keycloak$protocol$saml$SamlPrincipalType[SamlPrincipalType.FRIENDLY_ATTRIBUTE.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
        }
    }

    /* loaded from: input_file:org/keycloak/broker/saml/SAMLEndpoint$Binding.class */
    protected abstract class Binding {
        protected Binding() {
        }

        /**
         * True when the request came in over HTTPS (judged by the base URI scheme) or the realm's
         * SSL-required policy does not demand TLS for this client connection.
         */
        private boolean checkSsl() {
            return SAMLEndpoint.this.session.getContext().getUri().getBaseUri().getScheme().equals("https") || !SAMLEndpoint.this.realm.getSslRequired().isRequired(SAMLEndpoint.this.clientConnection);
        }

        /**
         * Pre-conditions shared by every inbound SAML message: TLS as required by the realm, an
         * enabled realm, and at least one of SAMLRequest / SAMLResponse present.
         *
         * @param str  raw SAMLRequest parameter, may be null
         * @param str2 raw SAMLResponse parameter, may be null
         * @return an error page {@link Response} when a check fails, otherwise {@code null}
         */
        protected Response basicChecks(String str, String str2) {
            if (!checkSsl()) {
                SAMLEndpoint.this.event.event(EventType.LOGIN);
                SAMLEndpoint.this.event.error("ssl_required");
                return ErrorPage.error(SAMLEndpoint.this.session, null, Response.Status.BAD_REQUEST, Messages.HTTPS_REQUIRED, new Object[0]);
            }
            if (!SAMLEndpoint.this.realm.isEnabled()) {
                // Note: this failure is recorded as LOGIN_ERROR, the other two as LOGIN.
                SAMLEndpoint.this.event.event(EventType.LOGIN_ERROR);
                SAMLEndpoint.this.event.error("realm_disabled");
                return ErrorPage.error(SAMLEndpoint.this.session, null, Response.Status.BAD_REQUEST, Messages.REALM_NOT_ENABLED, new Object[0]);
            }
            if (str != null || str2 != null) {
                return null;
            }
            SAMLEndpoint.this.event.event(EventType.LOGIN);
            SAMLEndpoint.this.event.error("invalid_request");
            return ErrorPage.error(SAMLEndpoint.this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST, new Object[0]);
        }

        /** Binding identifier reported to the protocol layer (see {@link SamlProtocol}). */
        protected abstract String getBindingType();

        /** Whether the message carries a signature that is visible without decryption. */
        protected abstract boolean containsUnencryptedSignature(SAMLDocumentHolder sAMLDocumentHolder);

        /**
         * Verifies the message signature against the IdP keys from {@link #getIDPKeyLocator()}.
         *
         * @param str the parameter name being verified ("SAMLRequest" or "SAMLResponse")
         * @throws VerificationException when the signature is absent where required or invalid
         */
        protected abstract void verifySignature(String str, SAMLDocumentHolder sAMLDocumentHolder) throws VerificationException;

        /** Parses the raw SAMLRequest parameter for this binding. */
        protected abstract SAMLDocumentHolder extractRequestDocument(String str);

        /** Parses the raw SAMLResponse parameter for this binding. */
        protected abstract SAMLDocumentHolder extractResponseDocument(String str);

        /** Whether a signed message must carry a Destination attribute; defaults to yes. */
        protected boolean isDestinationRequired() {
            return true;
        }

        /**
         * Builds a {@link KeyLocator} over the public keys of the configured IdP signing
         * certificates. Certificates that fail to parse or are outside their validity period are
         * skipped with a warning, so they never become part of the trust set; a
         * {@link ProcessingException} from the parser aborts with a RuntimeException.
         */
        protected KeyLocator getIDPKeyLocator() {
            LinkedList linkedList = new LinkedList();
            for (String str : SAMLEndpoint.this.config.getSigningCertificates()) {
                X509Certificate x509Certificate = null;
                try {
                    // Configured certificate strings may contain whitespace; strip it before parsing.
                    x509Certificate = XMLSignatureUtil.getX509CertificateFromKeyInfoString(str.replaceAll("\\s", ""));
                    // Expired / not-yet-valid certificates are excluded rather than failing the request.
                    x509Certificate.checkValidity();
                    linkedList.add(x509Certificate.getPublicKey());
                } catch (CertificateException e) {
                    // When the parse itself threw, x509Certificate is still null and the log line
                    // reads "Ignoring invalid certificate: null".
                    SAMLEndpoint.logger.warnf("Ignoring invalid certificate: %s", x509Certificate);
                } catch (ProcessingException e2) {
                    throw new RuntimeException((Throwable) e2);
                }
            }
            return new HardcodedKeyLocator(linkedList);
        }

        /**
         * Entry point for one binding: starts a fresh event, runs {@link #basicChecks}, then
         * dispatches to request handling when SAMLRequest is present, else to response handling.
         *
         * @param str  SAMLRequest, may be null
         * @param str2 SAMLResponse, may be null
         * @param str3 RelayState, may be null
         * @param str4 client id from the {@code clients/{client_id}} path, or null
         */
        public Response execute(String str, String str2, String str3, String str4) {
            SAMLEndpoint.this.event = new EventBuilder(SAMLEndpoint.this.realm, SAMLEndpoint.this.session, SAMLEndpoint.this.clientConnection);
            Response basicChecks = basicChecks(str, str2);
            return basicChecks != null ? basicChecks : str != null ? handleSamlRequest(str, str3) : handleSamlResponse(str2, str3, str4);
        }

        /**
         * Handles an inbound SAMLRequest; only a {@link LogoutRequestType} is accepted.
         * Checks, in order: a signed document without a Destination is rejected (when the
         * binding requires one), the Destination must pass the destination validator against the
         * broker endpoint URL, and the signature is verified when the provider config enables it.
         *
         * @param str  raw SAMLRequest parameter
         * @param str2 RelayState, echoed back in the logout response
         */
        protected Response handleSamlRequest(String str, String str2) {
            // NOTE(review): unlike handleSamlResponse, the parsed document is not null-checked
            // before use; whether extractRequestDocument can return null is not visible here.
            SAMLDocumentHolder extractRequestDocument = extractRequestDocument(str);
            RequestAbstractType samlObject = extractRequestDocument.getSamlObject();
            // Only a document carrying an unencrypted signature is required to name a destination;
            // an unsigned one without Destination reaches the validator below with null.
            if (isDestinationRequired() && samlObject.getDestination() == null && containsUnencryptedSignature(extractRequestDocument)) {
                SAMLEndpoint.this.event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
                SAMLEndpoint.this.event.detail("reason", "missing_required_destination");
                SAMLEndpoint.this.event.error("invalid_request");
                return ErrorPage.error(SAMLEndpoint.this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST, new Object[0]);
            }
            if (!SAMLEndpoint.this.destinationValidator.validate(getExpectedDestination(SAMLEndpoint.this.config.getAlias(), null), samlObject.getDestination())) {
                SAMLEndpoint.this.event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
                SAMLEndpoint.this.event.detail("reason", "invalid_destination");
                SAMLEndpoint.this.event.error("invalid_saml_response");
                return ErrorPage.error(SAMLEndpoint.this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST, new Object[0]);
            }
            // Signature validation is opt-in per provider configuration.
            if (SAMLEndpoint.this.config.isValidateSignature()) {
                try {
                    verifySignature("SAMLRequest", extractRequestDocument);
                } catch (VerificationException e) {
                    SAMLEndpoint.logger.error("validation failed", e);
                    SAMLEndpoint.this.event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
                    SAMLEndpoint.this.event.error("invalid_signature");
                    return ErrorPage.error(SAMLEndpoint.this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUESTER, new Object[0]);
                }
            }
            if (samlObject instanceof LogoutRequestType) {
                SAMLEndpoint.logger.debug("** logout request");
                SAMLEndpoint.this.event.event(EventType.LOGOUT);
                return logoutRequest((LogoutRequestType) samlObject, str2);
            }
            // Any other request type (e.g. an AuthnRequest) is not supported at this endpoint.
            SAMLEndpoint.this.event.event(EventType.LOGIN);
            SAMLEndpoint.this.event.error("invalid_token");
            return ErrorPage.error(SAMLEndpoint.this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST, new Object[0]);
        }

        /**
         * Performs back-channel logout of the local user sessions federated from this IdP and
         * replies with a LogoutResponse sent to the configured single-logout URL.
         * Sessions are found by broker user id ({@code alias + "." + NameID}) when the request
         * carries no SessionIndex, otherwise by broker session id for each SessionIndex; sessions
         * already LOGGING_OUT / LOGGED_OUT are skipped. Registered
         * {@link SamlAuthenticationPreprocessor}s may rewrite the request before each logout.
         * A failing back-channel logout is logged and does not stop processing of the others.
         *
         * @param logoutRequestType the parsed, already validated LogoutRequest
         * @param str the RelayState to echo back
         * @return the LogoutResponse rendered for the configured logout binding
         */
        protected Response logoutRequest(LogoutRequestType logoutRequestType, String str) {
            String str2 = SAMLEndpoint.this.config.getAlias() + "." + logoutRequestType.getNameID().getValue();
            if (logoutRequestType.getSessionIndex() == null || logoutRequestType.getSessionIndex().isEmpty()) {
                // No SessionIndex: log out every active session of this broker user. The request
                // is threaded through the preprocessors via an AtomicReference so the lambda can
                // update it.
                AtomicReference<LogoutRequestType> atomicReference = new AtomicReference<>(logoutRequestType);
                ((List) SAMLEndpoint.this.session.sessions().getUserSessionByBrokerUserIdStream(SAMLEndpoint.this.realm, str2).filter(userSessionModel -> {
                    return (userSessionModel.getState() == UserSessionModel.State.LOGGING_OUT || userSessionModel.getState() == UserSessionModel.State.LOGGED_OUT) ? false : true;
                }).collect(Collectors.toList())).forEach(processLogout(atomicReference));
                logoutRequestType = atomicReference.get();
            } else {
                Iterator it = logoutRequestType.getSessionIndex().iterator();
                while (it.hasNext()) {
                    // Broker session id is brokerUserId + "." + SessionIndex.
                    UserSessionModel userSessionByBrokerSessionId = SAMLEndpoint.this.session.sessions().getUserSessionByBrokerSessionId(SAMLEndpoint.this.realm, str2 + "." + ((String) it.next()));
                    if (userSessionByBrokerSessionId != null && userSessionByBrokerSessionId.getState() != UserSessionModel.State.LOGGING_OUT && userSessionByBrokerSessionId.getState() != UserSessionModel.State.LOGGED_OUT) {
                        Iterator<SamlAuthenticationPreprocessor> samlAuthenticationPreprocessorIterator = SamlSessionUtils.getSamlAuthenticationPreprocessorIterator(SAMLEndpoint.this.session);
                        while (samlAuthenticationPreprocessorIterator.hasNext()) {
                            logoutRequestType = samlAuthenticationPreprocessorIterator.next().beforeProcessingLogoutRequest(logoutRequestType, userSessionByBrokerSessionId, null);
                        }
                        try {
                            AuthenticationManager.backchannelLogout(SAMLEndpoint.this.session, SAMLEndpoint.this.realm, userSessionByBrokerSessionId, SAMLEndpoint.this.session.getContext().getUri(), SAMLEndpoint.this.clientConnection, SAMLEndpoint.this.headers, false);
                        } catch (Exception e) {
                            // Best effort: a failure for one session must not prevent the others.
                            SAMLEndpoint.logger.warn("failed to do backchannel logout for userSession", e);
                        }
                    }
                }
            }
            String entityId = getEntityId(SAMLEndpoint.this.session.getContext().getUri(), SAMLEndpoint.this.realm);
            SAML2LogoutResponseBuilder sAML2LogoutResponseBuilder = new SAML2LogoutResponseBuilder();
            sAML2LogoutResponseBuilder.logoutRequestID(logoutRequestType.getID());
            sAML2LogoutResponseBuilder.destination(SAMLEndpoint.this.config.getSingleLogoutServiceUrl());
            sAML2LogoutResponseBuilder.issuer(entityId);
            JaxrsSAML2BindingBuilder jaxrsSAML2BindingBuilder = (JaxrsSAML2BindingBuilder) new JaxrsSAML2BindingBuilder(SAMLEndpoint.this.session).relayState(str);
            boolean isPostBindingLogout = SAMLEndpoint.this.config.isPostBindingLogout();
            // The logout response is signed with the realm's active RSA key when the provider is
            // configured to sign AuthnRequests (the same flag governs both).
            if (SAMLEndpoint.this.config.isWantAuthnRequestsSigned()) {
                KeyManager.ActiveRsaKey activeRsaKey = SAMLEndpoint.this.session.keys().getActiveRsaKey(SAMLEndpoint.this.realm);
                String keyName = SAMLEndpoint.this.config.getXmlSigKeyInfoKeyNameTransformer().getKeyName(activeRsaKey.getKid(), activeRsaKey.getCertificate());
                ((JaxrsSAML2BindingBuilder) ((JaxrsSAML2BindingBuilder) jaxrsSAML2BindingBuilder.signWith(keyName, activeRsaKey.getPrivateKey(), activeRsaKey.getPublicKey(), activeRsaKey.getCertificate())).signatureAlgorithm(SAMLEndpoint.this.provider.getSignatureAlgorithm())).signDocument();
                // The KeyInfo extension is only attached for the redirect binding, and only if configured.
                if (!isPostBindingLogout && SAMLEndpoint.this.config.isAddExtensionsElementWithKeyInfo()) {
                    sAML2LogoutResponseBuilder.addExtension(new KeycloakKeySamlExtensionGenerator(keyName));
                }
            }
            try {
                return isPostBindingLogout ? jaxrsSAML2BindingBuilder.m393postBinding(sAML2LogoutResponseBuilder.buildDocument()).response(SAMLEndpoint.this.config.getSingleLogoutServiceUrl()) : jaxrsSAML2BindingBuilder.m394redirectBinding(sAML2LogoutResponseBuilder.buildDocument()).response(SAMLEndpoint.this.config.getSingleLogoutServiceUrl());
            } catch (IOException e2) {
                throw new RuntimeException(e2);
            } catch (ProcessingException e3) {
                throw new RuntimeException((Throwable) e3);
            } catch (ConfigurationException e4) {
                throw new RuntimeException((Throwable) e4);
            }
        }

        /**
         * Per-session logout action used by {@link #logoutRequest} in the no-SessionIndex case:
         * runs the preprocessors (updating the request held in {@code atomicReference}) and then
         * performs a best-effort back-channel logout, logging any failure.
         */
        private Consumer<UserSessionModel> processLogout(AtomicReference<LogoutRequestType> atomicReference) {
            return userSessionModel -> {
                Iterator<SamlAuthenticationPreprocessor> samlAuthenticationPreprocessorIterator = SamlSessionUtils.getSamlAuthenticationPreprocessorIterator(SAMLEndpoint.this.session);
                while (samlAuthenticationPreprocessorIterator.hasNext()) {
                    atomicReference.set(samlAuthenticationPreprocessorIterator.next().beforeProcessingLogoutRequest((LogoutRequestType) atomicReference.get(), userSessionModel, null));
                }
                try {
                    AuthenticationManager.backchannelLogout(SAMLEndpoint.this.session, SAMLEndpoint.this.realm, userSessionModel, SAMLEndpoint.this.session.getContext().getUri(), SAMLEndpoint.this.clientConnection, SAMLEndpoint.this.headers, false);
                } catch (Exception e) {
                    SAMLEndpoint.logger.warn("failed to do backchannel logout for userSession", e);
                }
            };
        }

        /**
         * Issuer used in outgoing messages: the configured entity id, or
         * {@code <baseUri>/realms/<realmName>} when none is configured.
         */
        private String getEntityId(UriInfo uriInfo, RealmModel realmModel) {
            String entityId = SAMLEndpoint.this.config.getEntityId();
            return (entityId == null || entityId.isEmpty()) ? UriBuilder.fromUri(uriInfo.getBaseUri()).path("realms").path(realmModel.getName()).build(new Object[0]).toString() : entityId;
        }

        /* JADX WARN: Removed duplicated region for block: B:13:0x0084 A[Catch: WebApplicationException -> 0x0455, Exception -> 0x045d, TRY_ENTER, TryCatch #3 {Exception -> 0x045d, WebApplicationException -> 0x0455, blocks: (B:107:0x0005, B:109:0x0010, B:4:0x002b, B:6:0x0060, B:9:0x0073, B:12:0x006c, B:13:0x0084, B:15:0x008b, B:17:0x00a6, B:21:0x00be, B:25:0x00fb, B:26:0x0120, B:33:0x0145, B:35:0x0152, B:40:0x016a, B:42:0x0177, B:51:0x01cd, B:53:0x01fa, B:55:0x0239, B:57:0x0274, B:59:0x027c, B:61:0x0290, B:62:0x029a, B:64:0x02a7, B:65:0x02ad, B:67:0x02d8, B:69:0x030f, B:72:0x0328, B:74:0x0333, B:76:0x036b, B:77:0x037a, B:79:0x0384, B:83:0x0395, B:84:0x03b1, B:86:0x03b9, B:88:0x03cc, B:89:0x03d3, B:91:0x041a, B:93:0x0422, B:94:0x0446, B:98:0x0195, B:103:0x010a, B:104:0x0097, B:3:0x001b), top: B:106:0x0005 }] */
        /* JADX WARN: Removed duplicated region for block: B:6:0x0060 A[Catch: WebApplicationException -> 0x0455, Exception -> 0x045d, TryCatch #3 {Exception -> 0x045d, WebApplicationException -> 0x0455, blocks: (B:107:0x0005, B:109:0x0010, B:4:0x002b, B:6:0x0060, B:9:0x0073, B:12:0x006c, B:13:0x0084, B:15:0x008b, B:17:0x00a6, B:21:0x00be, B:25:0x00fb, B:26:0x0120, B:33:0x0145, B:35:0x0152, B:40:0x016a, B:42:0x0177, B:51:0x01cd, B:53:0x01fa, B:55:0x0239, B:57:0x0274, B:59:0x027c, B:61:0x0290, B:62:0x029a, B:64:0x02a7, B:65:0x02ad, B:67:0x02d8, B:69:0x030f, B:72:0x0328, B:74:0x0333, B:76:0x036b, B:77:0x037a, B:79:0x0384, B:83:0x0395, B:84:0x03b1, B:86:0x03b9, B:88:0x03cc, B:89:0x03d3, B:91:0x041a, B:93:0x0422, B:94:0x0446, B:98:0x0195, B:103:0x010a, B:104:0x0097, B:3:0x001b), top: B:106:0x0005 }] */
        /*
            Code decompiled incorrectly, please refer to instructions dump.
            To view partially-correct add '--show-bad-code' argument
        */
        /**
         * Processes a login {@link ResponseType}. The real implementation is MISSING from this
         * dump (JADX could not decompile it); the stub below only throws. Do not read the stub as
         * the endpoint's behaviour — consult the original source for how the response status,
         * assertion signature/encryption and subject are handled.
         *
         * @param r7  raw SAMLResponse parameter
         * @param r8  parsed document
         * @param r9  the typed login response
         * @param r10 RelayState
         * @param r11 client id for the IdP-initiated flow, or null
         */
        protected javax.ws.rs.core.Response handleLoginResponse(java.lang.String r7, org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder r8, org.keycloak.dom.saml.v2.protocol.ResponseType r9, java.lang.String r10, java.lang.String r11) {
            /*
                Method dump skipped, instructions count: 1131
                To view this dump add '--comments-level debug' option
            */
            throw new UnsupportedOperationException("Method not decompiled: org.keycloak.broker.saml.SAMLEndpoint.Binding.handleLoginResponse(java.lang.String, org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder, org.keycloak.dom.saml.v2.protocol.ResponseType, java.lang.String, java.lang.String):javax.ws.rs.core.Response");
        }

        /**
         * IdP-initiated SSO: resolves the realm client whose
         * {@link SamlProtocol#SAML_IDP_INITIATED_SSO_URL_NAME} attribute equals {@code str}
         * (the {@code client_id} path segment) and obtains/creates the login session for it.
         *
         * @throws WebApplicationException wrapping an error page when no client matches or the
         *         SAML service returns no session (reported as an invalid redirect URI)
         */
        private AuthenticationSessionModel samlIdpInitiatedSSO(String str) {
            SAMLEndpoint.this.event.event(EventType.LOGIN);
            CacheControlUtil.noBackButtonCacheControlHeader();
            Optional findFirst = SAMLEndpoint.this.realm.getClientsStream().filter(clientModel -> {
                return Objects.equals(clientModel.getAttribute(SamlProtocol.SAML_IDP_INITIATED_SSO_URL_NAME), str);
            }).findFirst();
            if (!findFirst.isPresent()) {
                SAMLEndpoint.this.event.error("client_not_found");
                throw new WebApplicationException(ErrorPage.error(SAMLEndpoint.this.session, null, Response.Status.BAD_REQUEST, Messages.CLIENT_NOT_FOUND, new Object[0]));
            }
            SamlService samlService = (SamlService) SAMLEndpoint.this.session.getKeycloakSessionFactory().getProviderFactory(LoginProtocol.class, "saml").createProtocolEndpoint(SAMLEndpoint.this.realm, SAMLEndpoint.this.event);
            // The freshly created endpoint is not a JAX-RS resource, so inject its @Context fields by hand.
            ResteasyProviderFactory.getInstance().injectProperties(samlService);
            AuthenticationSessionModel orCreateLoginSessionForIdpInitiatedSso = samlService.getOrCreateLoginSessionForIdpInitiatedSso(SAMLEndpoint.this.session, SAMLEndpoint.this.realm, (ClientModel) findFirst.get(), null);
            if (orCreateLoginSessionForIdpInitiatedSso != null) {
                return orCreateLoginSessionForIdpInitiatedSso;
            }
            SAMLEndpoint.this.event.error(ErrorCodes.INVALID_REDIRECT_URI);
            throw new WebApplicationException(ErrorPage.error(SAMLEndpoint.this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REDIRECT_URI, new Object[0]));
        }

        /**
         * Null-safe check that the response's top-level StatusCode equals
         * {@code urn:oasis:names:tc:SAML:2.0:status:Success}.
         */
        private boolean isSuccessfulSamlResponse(ResponseType responseType) {
            return (responseType == null || responseType.getStatus() == null || responseType.getStatus().getStatusCode() == null || responseType.getStatus().getStatusCode().getValue() == null || !Objects.equals(responseType.getStatus().getStatusCode().getValue().toString(), JBossSAMLURIConstants.STATUS_SUCCESS.get())) ? false : true;
        }

        /**
         * Handles an inbound SAMLResponse: parse, destination checks, optional signature
         * verification, then dispatch to {@link #handleLoginResponse} for a {@link ResponseType}
         * and to {@link #handleLogoutResponse} for any other status response.
         *
         * @param str  raw SAMLResponse parameter
         * @param str2 RelayState (for logout responses this is the local user session id)
         * @param str3 client id of the IdP-initiated flow, or null
         */
        public Response handleSamlResponse(String str, String str2, String str3) {
            SAMLDocumentHolder extractResponseDocument = extractResponseDocument(str);
            if (extractResponseDocument == null) {
                SAMLEndpoint.this.event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
                SAMLEndpoint.this.event.detail("reason", "invalid_saml_document");
                SAMLEndpoint.this.event.error("invalid_saml_response");
                return ErrorPage.error(SAMLEndpoint.this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_FEDERATED_IDENTITY_ACTION, new Object[0]);
            }
            StatusResponseType samlObject = extractResponseDocument.getSamlObject();
            // As in handleSamlRequest, a missing Destination is only fatal for a signed document.
            // Note the error code says "invalid_logout_response" even though the document may be
            // a login response.
            if (isDestinationRequired() && samlObject.getDestination() == null && containsUnencryptedSignature(extractResponseDocument)) {
                SAMLEndpoint.this.event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
                SAMLEndpoint.this.event.detail("reason", "missing_required_destination");
                SAMLEndpoint.this.event.error("invalid_logout_response");
                return ErrorPage.error(SAMLEndpoint.this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST, new Object[0]);
            }
            // With a client id the expected destination is this request's absolute path
            // (IdP-initiated flow); otherwise the broker's response endpoint URL.
            if (!SAMLEndpoint.this.destinationValidator.validate(getExpectedDestination(SAMLEndpoint.this.config.getAlias(), str3), samlObject.getDestination())) {
                SAMLEndpoint.this.event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
                SAMLEndpoint.this.event.detail("reason", "invalid_destination");
                SAMLEndpoint.this.event.error("invalid_saml_response");
                return ErrorPage.error(SAMLEndpoint.this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST, new Object[0]);
            }
            if (SAMLEndpoint.this.config.isValidateSignature()) {
                try {
                    verifySignature("SAMLResponse", extractResponseDocument);
                } catch (VerificationException e) {
                    SAMLEndpoint.logger.error("validation failed", e);
                    SAMLEndpoint.this.event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
                    SAMLEndpoint.this.event.error("invalid_signature");
                    return ErrorPage.error(SAMLEndpoint.this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_FEDERATED_IDENTITY_ACTION, new Object[0]);
                }
            }
            return samlObject instanceof ResponseType ? handleLoginResponse(str, extractResponseDocument, (ResponseType) samlObject, str2, str3) : handleLogoutResponse(extractResponseDocument, samlObject, str2);
        }

        /**
         * Completes a browser logout that this realm initiated: the RelayState ({@code str}) must
         * name a local user session that is currently in state LOGGING_OUT; anything else is an
         * error. The status of the IdP's logout response itself is not inspected here.
         *
         * @param sAMLDocumentHolder the parsed document (unused in the visible code)
         * @param statusResponseType the parsed logout response (unused in the visible code)
         * @param str RelayState carrying the local user session id, may be null
         */
        protected Response handleLogoutResponse(SAMLDocumentHolder sAMLDocumentHolder, StatusResponseType statusResponseType, String str) {
            if (str == null) {
                SAMLEndpoint.logger.error("no valid user session");
                SAMLEndpoint.this.event.event(EventType.LOGOUT);
                SAMLEndpoint.this.event.error("user_session_not_found");
                return ErrorPage.error(SAMLEndpoint.this.session, null, Response.Status.BAD_REQUEST, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, new Object[0]);
            }
            UserSessionModel userSession = SAMLEndpoint.this.session.sessions().getUserSession(SAMLEndpoint.this.realm, str);
            if (userSession == null) {
                SAMLEndpoint.logger.error("no valid user session");
                SAMLEndpoint.this.event.event(EventType.LOGOUT);
                SAMLEndpoint.this.event.error("user_session_not_found");
                return ErrorPage.error(SAMLEndpoint.this.session, null, Response.Status.BAD_REQUEST, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, new Object[0]);
            }
            if (userSession.getState() == UserSessionModel.State.LOGGING_OUT) {
                return AuthenticationManager.finishBrowserLogout(SAMLEndpoint.this.session, SAMLEndpoint.this.realm, userSession, SAMLEndpoint.this.session.getContext().getUri(), SAMLEndpoint.this.clientConnection, SAMLEndpoint.this.headers);
            }
            SAMLEndpoint.logger.error("usersession in different state");
            SAMLEndpoint.this.event.event(EventType.LOGOUT);
            SAMLEndpoint.this.event.error("user_session_not_found");
            return ErrorPage.error(SAMLEndpoint.this.session, null, Response.Status.BAD_REQUEST, Messages.SESSION_NOT_ACTIVE, new Object[0]);
        }

        /**
         * Destination this endpoint expects inbound messages to carry.
         *
         * @param str  the identity provider alias
         * @param str2 client id of the IdP-initiated flow; only its presence matters — when
         *             non-null the current request's absolute path is expected, otherwise the
         *             broker's authn-response URL for the alias
         */
        private String getExpectedDestination(String str, String str2) {
            return str2 != null ? SAMLEndpoint.this.session.getContext().getUri().getAbsolutePath().toString() : Urls.identityProviderAuthnResponse(SAMLEndpoint.this.session.getContext().getUri().getBaseUri(), str, SAMLEndpoint.this.realm.getName()).toString();
        }
    }

    /* loaded from: input_file:org/keycloak/broker/saml/SAMLEndpoint$PostBinding.class */
    protected class PostBinding extends Binding {
        protected PostBinding() {
            super();
        }

        /**
         * Reports whether the POST-bound document contains a {@code ds:Signature} element
         * anywhere in the XML.
         */
        @Override
        protected boolean containsUnencryptedSignature(SAMLDocumentHolder holder) {
            NodeList signatureElements = holder.getSamlDocument()
                    .getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature");
            if (signatureElements == null) {
                return false;
            }
            return signatureElements.getLength() > 0;
        }

        /**
         * Verifies the document-level signature against the IdP keys, except for a login
         * response that carries assertions but no document signature. In that case nothing is
         * verified here; presumably the assertion signatures are checked later in
         * handleLoginResponse, which is not visible in this dump — confirm.
         *
         * @param key ignored for the POST binding; the signature is embedded in the XML
         */
        @Override
        protected void verifySignature(String key, SAMLDocumentHolder holder) throws VerificationException {
            boolean documentSigned = containsUnencryptedSignature(holder);
            Object samlObject = holder.getSamlObject();
            boolean responseWithAssertions = samlObject instanceof ResponseType
                    && !((ResponseType) samlObject).getAssertions().isEmpty();
            if (!documentSigned && responseWithAssertions) {
                return;
            }
            SamlProtocolUtils.verifyDocumentSignature(holder.getSamlDocument(), getIDPKeyLocator());
        }

        /** Parses a POST-bound SAMLRequest (base64 form value). */
        @Override
        protected SAMLDocumentHolder extractRequestDocument(String samlRequest) {
            return SAMLRequestParser.parseRequestPostBinding(samlRequest);
        }

        /** Base64-decodes the SAMLResponse form value and parses it as a response document. */
        @Override
        protected SAMLDocumentHolder extractResponseDocument(String samlResponse) {
            byte[] decoded = PostBindingUtil.base64Decode(samlResponse);
            return SAMLRequestParser.parseResponseDocument(decoded);
        }

        @Override
        protected String getBindingType() {
            return SamlProtocol.SAML_POST_BINDING;
        }
    }

    /* loaded from: input_file:org/keycloak/broker/saml/SAMLEndpoint$RedirectBinding.class */
    protected class RedirectBinding extends Binding {
        protected RedirectBinding() {
            super();
        }

        /**
         * For the redirect binding the signature travels in the query string, so a message is
         * considered signed when both {@code SigAlg} and {@code Signature} query parameters are
         * present (the XML itself is never signed).
         */
        @Override
        protected boolean containsUnencryptedSignature(SAMLDocumentHolder holder) {
            MultivaluedMap<String, String> query =
                    SAMLEndpoint.this.session.getContext().getUri().getQueryParameters(false);
            String sigAlg = query.getFirst("SigAlg");
            String signature = query.getFirst("Signature");
            return sigAlg != null && signature != null;
        }

        /**
         * Verifies the query-string signature over the named parameter.
         *
         * @param key the signed query parameter ("SAMLRequest" or "SAMLResponse")
         */
        @Override
        protected void verifySignature(String key, SAMLDocumentHolder holder) throws VerificationException {
            UriInfo uriInfo = SAMLEndpoint.this.session.getContext().getUri();
            KeyLocator idpKeys = getIDPKeyLocator();
            SamlProtocolUtils.verifyRedirectSignature(holder, idpKeys, uriInfo, key);
        }

        /** Parses a redirect-bound (deflated, base64, URL-encoded) SAMLRequest. */
        @Override
        protected SAMLDocumentHolder extractRequestDocument(String samlRequest) {
            return SAMLRequestParser.parseRequestRedirectBinding(samlRequest);
        }

        /** Parses a redirect-bound SAMLResponse. */
        @Override
        protected SAMLDocumentHolder extractResponseDocument(String samlResponse) {
            return SAMLRequestParser.parseResponseRedirectBinding(samlResponse);
        }

        @Override
        protected String getBindingType() {
            return SamlProtocol.SAML_REDIRECT_BINDING;
        }
    }

    /**
     * Creates the broker endpoint for one SAML identity provider. The JAX-RS context fields
     * ({@code session}, {@code clientConnection}, {@code headers}) are injected separately via
     * {@code @Context}, not set here; {@code event} is created per request in
     * {@link Binding#execute}.
     *
     * @param realmModel                 realm the provider belongs to
     * @param sAMLIdentityProvider       the provider instance (used for export and signing algorithm)
     * @param sAMLIdentityProviderConfig the provider configuration
     * @param authenticationCallback     callback into the broker login flow
     * @param destinationValidator       validator for the SAML Destination attribute
     */
    public SAMLEndpoint(RealmModel realmModel, SAMLIdentityProvider sAMLIdentityProvider, SAMLIdentityProviderConfig sAMLIdentityProviderConfig, IdentityProvider.AuthenticationCallback authenticationCallback, DestinationValidator destinationValidator) {
        this.destinationValidator = destinationValidator;
        this.provider = sAMLIdentityProvider;
        this.config = sAMLIdentityProviderConfig;
        this.callback = authenticationCallback;
        this.realm = realmModel;
    }

    /**
     * Serves the SP metadata descriptor for this provider, built for the current request's URI
     * context. Responses are marked non-cacheable.
     */
    @GET
    @NoCache
    @Path("descriptor")
    public Response getSPDescriptor() {
        UriInfo uriInfo = this.session.getContext().getUri();
        return this.provider.export(uriInfo, this.realm, null);
    }

    /**
     * HTTP-Redirect binding endpoint (no client id): dispatches the query parameters to a
     * {@link RedirectBinding}.
     */
    @GET
    public Response redirectBinding(@QueryParam("SAMLRequest") String samlRequest, @QueryParam("SAMLResponse") String samlResponse, @QueryParam("RelayState") String relayState) {
        Binding binding = new RedirectBinding();
        return binding.execute(samlRequest, samlResponse, relayState, null);
    }

    /**
     * HTTP-POST binding endpoint (no client id): dispatches the form parameters to a
     * {@link PostBinding}.
     */
    @POST
    @Consumes({MediaType.APPLICATION_FORM_URLENCODED})
    public Response postBinding(@FormParam("SAMLRequest") String samlRequest, @FormParam("SAMLResponse") String samlResponse, @FormParam("RelayState") String relayState) {
        Binding binding = new PostBinding();
        return binding.execute(samlRequest, samlResponse, relayState, null);
    }

    /**
     * HTTP-Redirect binding entry point scoped to a client ({@code GET .../clients/{client_id}}).
     *
     * Behaves like the client-less variant except that the {@code client_id} path segment is
     * forwarded as the fourth argument. It is used as received — no validation or lookup is
     * performed here — so whatever {@code RedirectBinding.execute} does with it (not visible
     * in this chunk) must treat it as untrusted.
     */
    @GET
    @Path("clients/{client_id}")
    public Response redirectBinding(@QueryParam("SAMLRequest") String str, @QueryParam("SAMLResponse") String str2, @QueryParam("RelayState") String str3, @PathParam("client_id") String str4) {
        RedirectBinding binding = new RedirectBinding();
        return binding.execute(str, str2, str3, str4);
    }

    /**
     * HTTP-POST binding entry point scoped to a client ({@code POST .../clients/{client_id}}).
     *
     * Same contract as the client-less POST variant (cross-site form post, no CSRF defence
     * possible, authenticity comes from message checks inside {@code PostBinding.execute}),
     * with the {@code client_id} path segment forwarded unvalidated as the fourth argument.
     */
    @POST
    @Path("clients/{client_id}")
    @Consumes({MediaType.APPLICATION_FORM_URLENCODED})
    public Response postBinding(@FormParam("SAMLRequest") String str, @FormParam("SAMLResponse") String str2, @FormParam("RelayState") String str3, @PathParam("client_id") String str4) {
        PostBinding binding = new PostBinding();
        return binding.execute(str, str2, str3, str4);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Returns the first value of the first attribute that the given X.500 profile constant
     * recognises, or {@code null} if the assertion carries no such attribute.
     *
     * Matching is delegated to {@code X500SAMLProfileConstants.correspondsTo}; what it
     * compares is not visible in this file. A {@code null} constant fails immediately with a
     * {@link NullPointerException} when the bound method reference is created — the same
     * behaviour the decompiled {@code getClass()} null-check expressed.
     *
     * @param assertionType             assertion to search
     * @param x500SAMLProfileConstants  profile attribute to look for (must not be {@code null})
     */
    public String getX500Attribute(AssertionType assertionType, X500SAMLProfileConstants x500SAMLProfileConstants) {
        Predicate<AttributeType> matchesProfileAttribute = x500SAMLProfileConstants::correspondsTo;
        return getFirstMatchingAttribute(assertionType, matchesProfileAttribute);
    }

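    /**
     * Returns the first value of the first attribute whose {@code Name} equals {@code str},
     * or {@code null} if there is none.
     *
     * A {@code null} {@code str} now yields {@code null} instead of matching attributes that
     * have no name: with {@code Objects.equals} an unset principal-attribute setting would
     * otherwise silently select an unnamed attribute as the user's identity. SAML 2.0 makes
     * {@code Attribute/@Name} mandatory, so this is mainly defensive here; the same guard is
     * more significant for the optional {@code FriendlyName}.
     *
     * @param assertionType assertion to search
     * @param str           attribute name to match exactly; {@code null} matches nothing
     */
    private String getAttributeByName(AssertionType assertionType, String str) {
        if (str == null) {
            // Fail closed: no configured name means no attribute may serve as the principal.
            return null;
        }
        return getFirstMatchingAttribute(assertionType, attribute -> str.equals(attribute.getName()));
    }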

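    /**
     * Returns the first value of the first attribute whose {@code FriendlyName} equals
     * {@code str}, or {@code null} if there is none.
     *
     * {@code FriendlyName} is optional in SAML 2.0, so many attributes legitimately have none.
     * With the previous {@code Objects.equals} comparison, a {@code null} {@code str} (an
     * unset principal-attribute setting) would have matched the first attribute lacking a
     * {@code FriendlyName} and bound the login to a value chosen purely by attribute order.
     * A {@code null} name now matches nothing, which {@link #getPrincipal(AssertionType)}
     * passes through as "no principal". Whether configuration validation already prevents an
     * unset name is not visible here, hence the guard.
     *
     * @param assertionType assertion to search
     * @param str           friendly name to match exactly; {@code null} matches nothing
     */
    private String getAttributeByFriendlyName(AssertionType assertionType, String str) {
        if (str == null) {
            // Fail closed rather than let an unnamed attribute become the principal.
            return null;
        }
        return getFirstMatchingAttribute(assertionType, attribute -> str.equals(attribute.getFriendlyName()));
    }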

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Extracts the value that identifies the user, according to the configured principal type.
     *
     * <ul>
     *   <li>{@code SUBJECT}, or no type configured: the subject {@code NameID} value.</li>
     *   <li>{@code ATTRIBUTE}: first value of the attribute whose {@code Name} is the configured
     *       principal attribute.</li>
     *   <li>any other type: the same lookup keyed on {@code FriendlyName}.</li>
     * </ul>
     * Returns {@code null} when the selected source is absent.
     *
     * NOTE(review): this method trusts the assertion content. It must only be applied to an
     * assertion whose signature (or that of the enclosing response) has already been verified;
     * otherwise the identity it returns is chosen by whoever crafted the message.
     *
     * @param assertionType verified assertion to read the principal from
     */
    public String getPrincipal(AssertionType assertionType) {
        SamlPrincipalType principalType = this.config.getPrincipalType();
        boolean useSubject = principalType == null || principalType == SamlPrincipalType.SUBJECT;
        if (useSubject) {
            NameIDType nameId = getSubjectNameID(assertionType);
            return nameId == null ? null : nameId.getValue();
        }
        String principalAttribute = this.config.getPrincipalAttribute();
        if (principalType == SamlPrincipalType.ATTRIBUTE) {
            return getAttributeByName(assertionType, principalAttribute);
        }
        return getAttributeByFriendlyName(assertionType, principalAttribute);
    }

    /**
     * Finds the first attribute, across all {@code AttributeStatement}s, that {@code predicate}
     * accepts and returns its first value as a string; {@code null} if no attribute matches or
     * the matching one has no values.
     *
     * "First" follows list order (presumably document order). If the IdP emits the same
     * attribute more than once, only the earliest occurrence is ever consulted — later
     * duplicates are silently ignored, which matters when this feeds principal selection.
     * Values are rendered with {@code toString()}, whatever their runtime type.
     *
     * @param assertionType assertion to search
     * @param predicate     selects the attribute of interest
     */
    private String getFirstMatchingAttribute(AssertionType assertionType, Predicate<AttributeType> predicate) {
        Optional<?> firstValue = assertionType.getAttributeStatements().stream()
                .flatMap(statement -> statement.getAttributes().stream())
                .map(choice -> choice.getAttribute())
                .filter(predicate)
                .flatMap(attribute -> attribute.getAttributeValue().stream())
                .findFirst();
        return firstValue.map(Object::toString).orElse(null);
    }

    /* JADX INFO: Access modifiers changed from: private */
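    /**
     * Describes which principal source the configuration expects, for diagnostics:
     * {@code SUBJECT}, or {@code TYPE(attributeName)} for the attribute-based types.
     *
     * Its caller is not in this chunk, but a method like this is typically reached on the
     * failure path, so it must not be able to throw on its own. The decompiled switch
     * dereferenced the configured type unconditionally and would have raised a
     * {@link NullPointerException} when no type was set, even though
     * {@link #getPrincipal(AssertionType)} treats that case as {@code SUBJECT}; the two are
     * now consistent. The synthetic {@code $SwitchMap} indices and the unrelated
     * {@code AUTH_SESSION_LIMIT} constant were decompiler artefacts standing for enum cases.
     *
     * @return a human-readable description of the expected principal source
     */
    public String expectedPrincipalType() {
        SamlPrincipalType principalType = this.config.getPrincipalType();
        // Mirror getPrincipal(): an unset type is handled as SUBJECT.
        if (principalType == null || principalType == SamlPrincipalType.SUBJECT) {
            return SamlPrincipalType.SUBJECT.name();
        }
        // Every non-SUBJECT type resolves the principal from an attribute (by Name or
        // FriendlyName), so report the configured attribute alongside the type.
        return String.format("%s(%s)", principalType.name(), this.config.getPrincipalAttribute());
    }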

    /* JADX INFO: Access modifiers changed from: private */
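    /**
     * Returns the {@code NameID} from the assertion's subject, or {@code null} when the
     * assertion has no subject, the subject has no sub-type element, or the identifier
     * present is not a plain {@code NameID}.
     *
     * The original dereferenced {@code getSubject()} unconditionally; an assertion without a
     * subject (which the SAML 2.0 schema permits) would have ended in a
     * {@link NullPointerException} instead of the {@code null} that
     * {@link #getPrincipal(AssertionType)} already handles as "no principal".
     *
     * NOTE(review): the decompiled line returned {@code getBaseID()} directly. The real
     * declaration may be the abstract base-identifier type with the cast dropped by the
     * decompiler, so the result is checked with {@code instanceof} rather than cast blindly.
     *
     * @param assertionType assertion whose subject is inspected
     */
    public NameIDType getSubjectNameID(AssertionType assertionType) {
        SubjectType subject = assertionType.getSubject();
        if (subject == null) {
            return null;
        }
        SubjectType.STSubType subType = subject.getSubType();
        if (subType == null) {
            return null;
        }
        Object baseId = subType.getBaseID();
        return baseId instanceof NameIDType ? (NameIDType) baseId : null;
    }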
}
