package net.shibboleth.idp.saml.saml2.profile.delegation.impl;

import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.servlet.http.HttpServletRequest;
import net.shibboleth.idp.profile.AbstractProfileAction;
import net.shibboleth.idp.profile.context.RelyingPartyContext;
import net.shibboleth.idp.saml.saml2.profile.delegation.DelegationContext;
import net.shibboleth.utilities.java.support.collection.Pair;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import org.openliberty.xmltooling.disco.MetadataAbstract;
import org.openliberty.xmltooling.disco.ProviderID;
import org.openliberty.xmltooling.disco.SecurityContext;
import org.openliberty.xmltooling.disco.SecurityMechID;
import org.openliberty.xmltooling.disco.ServiceType;
import org.openliberty.xmltooling.security.Token;
import org.openliberty.xmltooling.soapbinding.Framework;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.schema.XSAny;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.action.EventException;
import org.opensaml.profile.action.EventIds;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml.saml2.core.AttributeValue;
import org.opensaml.saml.saml2.core.Audience;
import org.opensaml.saml.saml2.core.AudienceRestriction;
import org.opensaml.saml.saml2.core.KeyInfoConfirmationDataType;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.NameIDType;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.saml2.core.SubjectConfirmationData;
import org.opensaml.saml.saml2.profile.SAML2ActionSupport;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.Credential;
import org.opensaml.soap.wsaddressing.Address;
import org.opensaml.soap.wsaddressing.EndpointReference;
import org.opensaml.soap.wsaddressing.Metadata;
import org.opensaml.xmlsec.keyinfo.KeyInfoGeneratorFactory;
import org.opensaml.xmlsec.keyinfo.KeyInfoGeneratorManager;
import org.opensaml.xmlsec.keyinfo.NamedKeyInfoGeneratorManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/idp-saml-impl-4.0.0.jar:net/shibboleth/idp/saml/saml2/profile/delegation/impl/DecorateDelegatedAssertion.class */
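/**
 * Profile action that decorates an outbound SAML 2 {@link Assertion} so it can be used as a
 * delegated token with the Liberty ID-WSF SSOS profile.
 *
 * <p>For every assertion returned by the assertion lookup strategy, the action (in this order):</p>
 * <ol>
 *   <li>adds a holder-of-key {@link SubjectConfirmation} naming the relying party, carrying one
 *       KeyInfo per subject confirmation credential found in the {@link DelegationContext};</li>
 *   <li>adds the IdP's responder ID to the assertion's {@link AudienceRestriction} (once);</li>
 *   <li>adds an attribute holding the Liberty SSOS endpoint reference (EPR).</li>
 * </ol>
 *
 * <p>The SSOS endpoint URL is either configured explicitly or resolved through a lookup strategy;
 * at least one of the two must be set before initialization. If none can be resolved at request
 * time, or the relying party / delegation state is missing, the action emits
 * {@link EventIds#INVALID_PROFILE_CTX} and does nothing else. Failures while building KeyInfo are
 * reported as {@link EventIds#MESSAGE_PROC_ERROR}.</p>
 *
 * <p>This listing is decompiler output (see the {@code loaded from} markers); the per-request
 * fields below are populated in {@code doPreExecute} and consumed in {@code doExecute}.
 * NOTE(review): that assumes one action instance is not shared across concurrent requests —
 * confirm the bean scope where this action is wired.</p>
 */
public class DecorateDelegatedAssertion extends AbstractProfileAction {

    /** Service type URI of the Liberty SSOS service; also used as the EPR attribute name. */
    @Nonnull private static final String SSOS_SERVICE_TYPE = "urn:liberty:ssos:2006-08";

    /** SOAP binding framework version advertised in the EPR metadata. */
    @Nonnull private static final String SOAP_FRAMEWORK_VERSION = "2.0";

    /** Class logger. */
    @Nonnull private final Logger log = LoggerFactory.getLogger(DecorateDelegatedAssertion.class);

    /** Explicitly configured SSOS endpoint URL; when null the lookup strategy is consulted. */
    @Nullable private String libertySSOSEndpointURL;

    /** Strategy used to resolve the SSOS endpoint URL when none is configured explicitly. */
    @Nullable private Function<Pair<ProfileRequestContext, HttpServletRequest>, String>
            libertySSOSEndpointURLLookupStrategy = new LibertySSOSEndpointURLStrategy();

    /** Manager supplying the KeyInfo generators used for the holder-of-key confirmation. */
    @Nonnull private NamedKeyInfoGeneratorManager keyInfoGeneratorManager;

    /** Strategy used to locate the {@link RelyingPartyContext}. */
    @Nonnull private Function<ProfileRequestContext, RelyingPartyContext> relyingPartyContextLookupStrategy =
            new ChildContextLookup<>(RelyingPartyContext.class);

    /** Strategy used to locate the {@link DelegationContext}. */
    @Nonnull private Function<ProfileRequestContext, DelegationContext> delegationContextLookupStrategy =
            new ChildContextLookup<>(DelegationContext.class);

    /** Strategy used to select the assertions to decorate. */
    @Nonnull private Function<ProfileRequestContext, List<Assertion>> assertionLookupStrategy =
            new AssertionStrategy();

    // ---- per-request state, set in doPreExecute ----

    /** Delegation context located for the current request. */
    private DelegationContext delegationContext;

    /** Assertions selected for decoration in the current request. */
    private List<Assertion> assertions;

    /** Relying party context located for the current request. */
    private RelyingPartyContext relyingPartyContext;

    /** Entity ID this IdP responds as for the current relying party. */
    private String responderId;

    /** Entity ID of the relying party receiving the assertion. */
    private String relyingPartyId;

    /* loaded from: input_file:WEB-INF/lib/idp-saml-impl-4.0.0.jar:net/shibboleth/idp/saml/saml2/profile/delegation/impl/DecorateDelegatedAssertion$AssertionStrategy.class */
    /**
     * Default assertion selection: the outbound message itself if it is an {@link Assertion},
     * otherwise the first assertion of an outbound {@link Response} that carries an
     * AuthnStatement, falling back to the response's first assertion.
     */
    private class AssertionStrategy implements Function<ProfileRequestContext, List<Assertion>> {

        /**
         * {@inheritDoc}
         *
         * @return a single-element list, an empty list when there is nothing to decorate, or
         *         null when the input or outbound message is unusable
         */
        @Override
        @Nullable public List<Assertion> apply(@Nullable final ProfileRequestContext input) {
            if (input == null || input.getOutboundMessageContext() == null) {
                log.debug("Input ProfileRequestContext or outbound MessageContext was null");
                return null;
            }

            final Object message = input.getOutboundMessageContext().getMessage();
            if (message == null) {
                log.debug("No outbound message found, nothing to decorate");
                return Collections.emptyList();
            } else if (message instanceof Assertion) {
                log.debug("Found Assertion to decorate as outbound message");
                return Collections.singletonList((Assertion) message);
            } else if (message instanceof Response) {
                return selectFromResponse((Response) message);
            }

            log.debug("Found no Assertion to decorate");
            return null;
        }

        /**
         * Picks the assertion to decorate out of an outbound response.
         *
         * @param response the outbound response
         * @return a single-element list, or an empty list if the response holds no assertions
         */
        @Nonnull private List<Assertion> selectFromResponse(@Nonnull final Response response) {
            final List<Assertion> candidates = response.getAssertions();
            if (candidates.isEmpty()) {
                log.debug("Outbound Response contained no Assertions, nothing to decorate");
                return Collections.emptyList();
            }

            // Prefer the assertion that actually documents the authentication event.
            for (final Assertion candidate : candidates) {
                if (!candidate.getAuthnStatements().isEmpty()) {
                    log.debug("Found Assertion with AuthnStatement to decorate in outbound Response");
                    return Collections.singletonList(candidate);
                }
            }

            log.debug("Found no Assertion with AuthnStatement in outbound Response, returning first");
            return Collections.singletonList(candidates.get(0));
        }
    }

    /* loaded from: input_file:WEB-INF/lib/idp-saml-impl-4.0.0.jar:net/shibboleth/idp/saml/saml2/profile/delegation/impl/DecorateDelegatedAssertion$LibertySSOSEndpointURLStrategy.class */
    /**
     * Default SSOS endpoint URL strategy: derives an https URL from the current servlet
     * request's server name, the default SSOS port and the context path.
     */
    public static class LibertySSOSEndpointURLStrategy
            implements Function<Pair<ProfileRequestContext, HttpServletRequest>, String> {

        /** Path of the SSOS profile endpoint, relative to the servlet context root. */
        @Nonnull private static final String SSOS_PATH = "/profile/IDWSF/SSOS";

        /** Class logger. */
        @Nonnull private final Logger log = LoggerFactory.getLogger(LibertySSOSEndpointURLStrategy.class);

        /**
         * {@inheritDoc}
         *
         * @return the derived URL, or null if no servlet request is available
         */
        @Override
        @Nullable public String apply(@Nullable final Pair<ProfileRequestContext, HttpServletRequest> input) {
            if (input == null) {
                log.debug("Input Pair<ProfileRequestContext,HttpServletRequest> was null");
                return null;
            }

            final HttpServletRequest request = input.getSecond();
            if (request == null) {
                log.debug("Input HttpServletRequest was null");
                return null;
            }

            // NOTE(review): getServerName() is whatever the container reports for this request
            // (the host part of the Host header unless the container canonicalizes it), so the
            // minted URL follows the accepted Host; setting libertySSOSEndpointURL explicitly
            // removes that dependency.
            return String.format("https://%s:%s%s",
                    request.getServerName(),
                    LibertyConstants.DEFAULT_SSOS_ENDPOINT_URL_PORT,
                    request.getServletContext().getContextPath() + SSOS_PATH);
        }
    }

    /**
     * Sets an explicit Liberty SSOS endpoint URL, taking precedence over the lookup strategy.
     *
     * @param url the endpoint URL; trimmed, and an empty value is treated as unset
     */
    public void setLibertySSOSEndpointURL(@Nullable final String url) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        libertySSOSEndpointURL = StringSupport.trimOrNull(url);
    }

    /**
     * Sets the strategy used to resolve the Liberty SSOS endpoint URL.
     *
     * @param strategy the lookup strategy, or null to rely solely on the explicit URL
     */
    public void setLibertySSOSEndpointURLLookupStrategy(
            @Nullable final Function<Pair<ProfileRequestContext, HttpServletRequest>, String> strategy) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        libertySSOSEndpointURLLookupStrategy = strategy;
    }

    /**
     * Sets the strategy used to locate the {@link RelyingPartyContext}.
     *
     * @param strategy the lookup strategy
     */
    public void setRelyingPartyContextLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, RelyingPartyContext> strategy) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        relyingPartyContextLookupStrategy =
                Constraint.isNotNull(strategy, "RelyingPartyContext lookup strategy may not be null");
    }

    /**
     * Sets the strategy used to locate the {@link DelegationContext}.
     *
     * @param strategy the lookup strategy
     */
    public void setDelegationContextLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, DelegationContext> strategy) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        delegationContextLookupStrategy =
                Constraint.isNotNull(strategy, "DelegationContext lookup strategy may not be null");
    }

    /**
     * Sets the strategy used to select the assertions to decorate.
     *
     * @param strategy the lookup strategy
     */
    public void setAssertionLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, List<Assertion>> strategy) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        assertionLookupStrategy = Constraint.isNotNull(strategy, "Assertion lookup strategy may not be null");
    }

    /**
     * Sets the manager supplying KeyInfo generators for the holder-of-key confirmation.
     *
     * @param manager the manager
     */
    public void setKeyInfoGeneratorManager(@Nonnull final NamedKeyInfoGeneratorManager manager) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        keyInfoGeneratorManager = Constraint.isNotNull(manager, "NamedKeyInfoGeneratorManager may not be null");
    }

    /**
     * {@inheritDoc}
     *
     * @throws ComponentInitializationException if no KeyInfo generator manager is set, or if
     *         neither an explicit SSOS endpoint URL nor a lookup strategy is available
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override
    public void doInitialize() throws ComponentInitializationException {
        super.doInitialize();

        if (keyInfoGeneratorManager == null) {
            throw new ComponentInitializationException("KeyInfoGeneratorManager may not be null");
        }
        if (libertySSOSEndpointURL == null && libertySSOSEndpointURLLookupStrategy == null) {
            throw new ComponentInitializationException(
                    "Either Liberty SSOS endpoint URL or its lookup strategy must be non-null");
        }
    }

    /**
     * {@inheritDoc}
     *
     * <p>Locates the assertions to decorate and, only if there are any, the delegation and
     * relying party state needed to decorate them.</p>
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override
    public boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        ComponentSupport.ifNotInitializedThrowUninitializedComponentException(this);
        if (!super.doPreExecute(profileRequestContext)) {
            return false;
        }

        assertions = assertionLookupStrategy.apply(profileRequestContext);
        if (assertions == null || assertions.isEmpty()) {
            log.debug("No Assertions found to decorate, skipping further processing");
            return false;
        }

        return doPreExecuteDelegationInfo(profileRequestContext) && doPreExecuteRelyingParty(profileRequestContext);
    }

    /**
     * Resolves the delegation context, the subject confirmation credentials and the SSOS
     * endpoint URL.
     *
     * @param profileRequestContext current profile request context
     * @return true iff delegation was requested and all required delegation inputs are present;
     *         a missing input (other than delegation simply not being requested) also signals
     *         {@link EventIds#INVALID_PROFILE_CTX}
     */
    protected boolean doPreExecuteDelegationInfo(@Nonnull final ProfileRequestContext profileRequestContext) {
        delegationContext = delegationContextLookupStrategy.apply(profileRequestContext);
        if (delegationContext == null || !delegationContext.isIssuingDelegatedAssertion()) {
            // Not an error: decoration is simply not wanted for this request.
            log.debug("Issuance of delegated was not indicated, skipping assertion decoration");
            return false;
        }

        final List<Credential> credentials = delegationContext.getSubjectConfirmationCredentials();
        if (credentials == null || credentials.isEmpty()) {
            log.warn("No subject confirmation credentials available in delegation context");
            ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);
            return false;
        }

        resolveLibertySSOSEndpointURL(profileRequestContext);
        if (libertySSOSEndpointURL == null) {
            log.warn("No Liberty SSOS endpoint URL was available");
            ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);
            return false;
        }

        return true;
    }

    /**
     * Resolves the relying party context, its entity ID and the IdP's responder ID.
     *
     * @param profileRequestContext current profile request context
     * @return true iff all relying party inputs are present; otherwise signals
     *         {@link EventIds#INVALID_PROFILE_CTX}
     */
    protected boolean doPreExecuteRelyingParty(@Nonnull final ProfileRequestContext profileRequestContext) {
        relyingPartyContext = relyingPartyContextLookupStrategy.apply(profileRequestContext);
        if (relyingPartyContext == null) {
            log.warn("No RelyingPartyContext was available");
            ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);
            return false;
        }

        relyingPartyId = relyingPartyContext.getRelyingPartyId();
        if (relyingPartyId == null) {
            log.warn("No relying party ID was available");
            ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);
            return false;
        }

        // Guard the configuration lookup explicitly rather than letting a missing
        // configuration surface as an NPE from getResponderId().
        if (relyingPartyContext.getConfiguration() == null) {
            log.warn("No RelyingPartyConfiguration was available");
            ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);
            return false;
        }

        responderId = relyingPartyContext.getConfiguration().getResponderId(profileRequestContext);
        return true;
    }

    /**
     * {@inheritDoc}
     *
     * <p>An {@link EventException} carrying the proceed event ends decoration quietly; any
     * other event ID is propagated as the action's result event.</p>
     */
    @Override
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        ComponentSupport.ifNotInitializedThrowUninitializedComponentException(this);

        try {
            log.debug("Decorating assertion for use as delegated token");
            decorateDelegatedAssertion(profileRequestContext);
        } catch (final EventException e) {
            if (Objects.equals(EventIds.PROCEED_EVENT_ID, e.getEventID())) {
                log.debug("Decoration of Assertion for delegation terminated with explicit proceed signal");
            } else {
                log.warn("Decoration of Assertion for delegation terminated with explicit non-proceed signal", e);
                ActionSupport.buildEvent(profileRequestContext, e.getEventID());
            }
        }
    }

    /**
     * Populates {@link #libertySSOSEndpointURL} from the lookup strategy unless an explicit
     * value is configured. Leaves it null if nothing could be resolved.
     *
     * @param profileRequestContext current profile request context
     */
    private void resolveLibertySSOSEndpointURL(@Nonnull final ProfileRequestContext profileRequestContext) {
        if (libertySSOSEndpointURL != null) {
            log.debug("Using explicitly configured Liberty SSOS endpoint URL: {}", libertySSOSEndpointURL);
            return;
        }

        if (libertySSOSEndpointURLLookupStrategy != null) {
            libertySSOSEndpointURL = libertySSOSEndpointURLLookupStrategy.apply(
                    new Pair<>(profileRequestContext, getHttpServletRequest()));
            if (libertySSOSEndpointURL != null) {
                log.debug("Using Liberty SSOS endpoint URL resolved via strategy: {}", libertySSOSEndpointURL);
                return;
            }
            log.debug("Liberty SSOS endpoint URL strategy was unable to resolve a value");
        }

        log.debug("No effective Liberty SSOS endpoint URL could be determined");
    }

    /**
     * Applies all three decorations to every selected assertion, in order.
     *
     * @param profileRequestContext current profile request context
     * @throws EventException if KeyInfo generation fails for a subject confirmation credential
     */
    private void decorateDelegatedAssertion(@Nonnull final ProfileRequestContext profileRequestContext)
            throws EventException {
        for (final Assertion assertion : assertions) {
            addSAMLPeerSubjectConfirmation(profileRequestContext, assertion);
            addIdPAudienceRestriction(profileRequestContext, assertion);
            addLibertySSOSEPRAttribute(profileRequestContext, assertion);
        }
    }

    /**
     * Adds the SSOS EPR attribute to the assertion's first AttributeStatement, creating the
     * statement if the assertion has none.
     *
     * @param profileRequestContext current profile request context
     * @param assertion the assertion to decorate
     */
    private void addLibertySSOSEPRAttribute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final Assertion assertion) {
        final Attribute eprAttribute = (Attribute) XMLObjectSupport.buildXMLObject(Attribute.DEFAULT_ELEMENT_NAME);
        eprAttribute.setName(SSOS_SERVICE_TYPE);
        eprAttribute.setNameFormat(Attribute.URI_REFERENCE);
        eprAttribute.getAttributeValues().add(buildLibertySSOSEPRAttributeValue(profileRequestContext, assertion));

        final List<AttributeStatement> statements = assertion.getAttributeStatements();
        final AttributeStatement target;
        if (statements.isEmpty()) {
            target = (AttributeStatement) XMLObjectSupport.buildXMLObject(AttributeStatement.DEFAULT_ELEMENT_NAME);
            statements.add(target);
        } else {
            target = statements.get(0);
        }
        target.getAttributes().add(eprAttribute);
    }

    /**
     * Builds the AttributeValue holding the WS-Addressing EndpointReference for the SSOS
     * service. The EPR carries the endpoint address plus disco metadata (abstract, service type,
     * provider ID, SOAP framework version) and a security context that references this very
     * assertion by ID as the security token to present.
     *
     * @param profileRequestContext current profile request context
     * @param assertion the assertion being decorated; its ID is referenced from the token element
     * @return the attribute value element
     */
    @Nonnull private XMLObject buildLibertySSOSEPRAttributeValue(
            @Nonnull final ProfileRequestContext profileRequestContext, @Nonnull final Assertion assertion) {
        final Address address = (Address) XMLObjectSupport.buildXMLObject(Address.ELEMENT_NAME);
        address.setURI(libertySSOSEndpointURL);

        final MetadataAbstract metadataAbstract =
                (MetadataAbstract) XMLObjectSupport.buildXMLObject(LibertyConstants.DISCO_ABSTRACT_ELEMENT_NAME);
        metadataAbstract.setValue(LibertyConstants.SSOS_EPR_METADATA_ABSTRACT);

        final ServiceType serviceType =
                (ServiceType) XMLObjectSupport.buildXMLObject(LibertyConstants.DISCO_SERVICE_TYPE_ELEMENT_NAME);
        serviceType.setValue(SSOS_SERVICE_TYPE);

        final ProviderID providerID =
                (ProviderID) XMLObjectSupport.buildXMLObject(LibertyConstants.DISCO_PROVIDERID_ELEMENT_NAME);
        providerID.setValue(responderId);

        final Framework framework = (Framework) XMLObjectSupport.buildXMLObject(Framework.DEFAULT_ELEMENT_NAME);
        framework.setVersion(SOAP_FRAMEWORK_VERSION);

        final SecurityMechID securityMechID =
                (SecurityMechID) XMLObjectSupport.buildXMLObject(LibertyConstants.DISCO_SECURITY_MECH_ID_ELEMENT_NAME);
        securityMechID.setValue(LibertyConstants.SECURITY_MECH_ID_CLIENT_TLS_PEER_SAML_V2);

        // The token to present at the SSOS endpoint is the decorated assertion itself.
        final Token token = (Token) XMLObjectSupport.buildXMLObject(LibertyConstants.SECURITY_TOKEN_ELEMENT_NAME);
        token.setUsage(LibertyConstants.TOKEN_USAGE_SECURITY_TOKEN);
        token.setRef("#" + assertion.getID());

        final SecurityContext securityContext =
                (SecurityContext) XMLObjectSupport.buildXMLObject(LibertyConstants.DISCO_SECURITY_CONTEXT_ELEMENT_NAME);
        securityContext.getSecurityMechIDs().add(securityMechID);
        securityContext.getTokens().add(token);

        // Child order is preserved on serialization, so keep it as the original emitted it.
        final Metadata metadata = (Metadata) XMLObjectSupport.buildXMLObject(Metadata.ELEMENT_NAME);
        final List<XMLObject> metadataChildren = metadata.getUnknownXMLObjects();
        metadataChildren.add(metadataAbstract);
        metadataChildren.add(serviceType);
        metadataChildren.add(providerID);
        metadataChildren.add(framework);
        metadataChildren.add(securityContext);

        final EndpointReference epr =
                (EndpointReference) XMLObjectSupport.buildXMLObject(EndpointReference.ELEMENT_NAME);
        epr.setAddress(address);
        epr.setMetadata(metadata);

        final XSAny attributeValue =
                (XSAny) XMLObjectSupport.getBuilder(XSAny.TYPE_NAME).buildObject(AttributeValue.DEFAULT_ELEMENT_NAME);
        attributeValue.getUnknownXMLObjects().add(epr);
        return attributeValue;
    }

    /**
     * Adds the IdP's responder ID as an Audience to the assertion's first AudienceRestriction
     * (creating Conditions and the restriction as needed), unless it is already present.
     *
     * @param profileRequestContext current profile request context
     * @param assertion the assertion to decorate
     */
    private void addIdPAudienceRestriction(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final Assertion assertion) {
        SAML2ActionSupport.addConditionsToAssertion(this, assertion);

        final List<AudienceRestriction> restrictions = assertion.getConditions().getAudienceRestrictions();
        final AudienceRestriction restriction;
        if (restrictions.isEmpty()) {
            restriction = (AudienceRestriction) XMLObjectSupport.buildXMLObject(AudienceRestriction.DEFAULT_ELEMENT_NAME);
            restrictions.add(restriction);
        } else {
            restriction = restrictions.get(0);
        }

        for (final Audience existing : restriction.getAudiences()) {
            if (Objects.equals(responderId, StringSupport.trimOrNull(existing.getURI()))) {
                log.debug("Local entity ID '{}' already present in assertion AudienceRestriction set, skipping",
                        responderId);
                return;
            }
        }

        final Audience audience = (Audience) XMLObjectSupport.buildXMLObject(Audience.DEFAULT_ELEMENT_NAME);
        audience.setURI(responderId);
        restriction.getAudiences().add(audience);
    }

    /**
     * Adds a holder-of-key SubjectConfirmation for the relying party, whose confirmation data
     * carries a KeyInfo for each subject confirmation credential in the delegation context.
     *
     * @param profileRequestContext current profile request context
     * @param assertion the assertion to decorate
     * @throws EventException with {@link EventIds#MESSAGE_PROC_ERROR} if no KeyInfo generator
     *         factory matches a credential, or KeyInfo generation fails
     */
    private void addSAMLPeerSubjectConfirmation(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final Assertion assertion) throws EventException {
        final KeyInfoConfirmationDataType confirmationData = (KeyInfoConfirmationDataType) XMLObjectSupport
                .getBuilder(KeyInfoConfirmationDataType.TYPE_NAME)
                .buildObject(SubjectConfirmationData.DEFAULT_ELEMENT_NAME, KeyInfoConfirmationDataType.TYPE_NAME);

        final KeyInfoGeneratorManager manager = keyInfoGeneratorManager.getDefaultManager();
        for (final Credential credential : delegationContext.getSubjectConfirmationCredentials()) {
            // A missing factory is a configuration gap, not a crypto failure; report it as a
            // processing error instead of letting it surface as an NPE.
            final KeyInfoGeneratorFactory factory = manager.getFactory(credential);
            if (factory == null) {
                log.warn("No KeyInfoGeneratorFactory available for peer credential of type {}",
                        credential.getClass().getName());
                throw new EventException(EventIds.MESSAGE_PROC_ERROR,
                        "No KeyInfoGeneratorFactory available for credential");
            }
            try {
                confirmationData.getKeyInfos().add(factory.newInstance().generate(credential));
            } catch (final SecurityException e) {
                log.warn("Error generating KeyInfo from peer credential: {}", e.getMessage());
                throw new EventException(EventIds.MESSAGE_PROC_ERROR, "Error generating KeyInfo from credential", e);
            }
        }

        final NameID nameID = (NameID) XMLObjectSupport.buildXMLObject(NameID.DEFAULT_ELEMENT_NAME);
        nameID.setValue(relyingPartyId);
        nameID.setFormat(NameIDType.ENTITY);

        final SubjectConfirmation confirmation =
                (SubjectConfirmation) XMLObjectSupport.buildXMLObject(SubjectConfirmation.DEFAULT_ELEMENT_NAME);
        confirmation.setMethod(SubjectConfirmation.METHOD_HOLDER_OF_KEY);
        confirmation.setNameID(nameID);
        confirmation.setSubjectConfirmationData(confirmationData);

        Subject subject = assertion.getSubject();
        if (subject == null) {
            subject = (Subject) XMLObjectSupport.buildXMLObject(Subject.DEFAULT_ELEMENT_NAME);
            assertion.setSubject(subject);
        }
        subject.getSubjectConfirmations().add(confirmation);
    }
}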
