package edu.internet2.middleware.shibboleth.idp.profile.saml2;

import edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler;
import org.joda.time.DateTime;
import org.joda.time.chrono.ISOChronology;
import org.opensaml.Configuration;
import org.opensaml.common.IdentifierGenerator;
import org.opensaml.common.SAMLObjectBuilder;
import org.opensaml.common.binding.BasicEndpointSelector;
import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.common.binding.decoding.SAMLMessageDecoder;
import org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.NameIDPolicy;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.Endpoint;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.ws.message.MessageContext;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.ws.transport.http.HTTPInTransport;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.opensaml.xml.util.DatatypeHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:edu/internet2/middleware/shibboleth/idp/profile/saml2/UnsolicitedSSODecoder.class */
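/**
 * Message decoder for the Shibboleth "unsolicited" (IdP-initiated) SAML 2 SSO profile.
 *
 * <p>No real SAML message arrives on the wire for this profile. Instead the decoder reads a handful of
 * plain HTTP request parameters and synthesizes an {@link AuthnRequest} from them so the rest of the SSO
 * profile handler can run unchanged:</p>
 * <ul>
 *   <li>{@code providerId} (required) – becomes the {@code Issuer} of the synthesized request;</li>
 *   <li>{@code shire} (optional) – becomes {@code AssertionConsumerServiceURL}; if absent the ACS URL is
 *       looked up in the SP's metadata for {@link #getDefaultBinding()};</li>
 *   <li>{@code target} (optional) – becomes the relay state;</li>
 *   <li>{@code time} (optional) – seconds since the epoch, becomes {@code IssueInstant}.</li>
 * </ul>
 *
 * <p><b>Security note.</b> Every value placed into the synthesized request comes from an unauthenticated
 * query string: the {@code providerId} is simply asserted by the client and the {@code shire} URL is used
 * verbatim when supplied. This class performs no check that {@code shire} belongs to the named SP; the
 * downstream endpoint selection / response handling is relied on for that, so it must not be weakened.
 * When {@code time} is supplied together with a requested servlet session id, the request ID is built from
 * those two client-supplied values rather than from the {@link IdentifierGenerator}.</p>
 */
public class UnsolicitedSSODecoder extends BaseSAML2MessageDecoder implements SAMLMessageDecoder {

    /** Name of the request parameter carrying the SP entityID. */
    private static final String PROVIDER_ID_PARAM = "providerId";

    /** Name of the request parameter carrying the relay state. */
    private static final String TARGET_PARAM = "target";

    /** Name of the request parameter carrying the issue instant in seconds since the epoch. */
    private static final String TIME_PARAM = "time";

    /** Name of the request parameter carrying an explicit assertion consumer service URL. */
    private static final String SHIRE_PARAM = "shire";

    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(UnsolicitedSSODecoder.class);

    /** Binding assumed for the ACS endpoint when the request carries no "shire" parameter. */
    private String defaultBinding;

    /** Builder for the synthesized AuthnRequest. */
    private SAMLObjectBuilder<AuthnRequest> authnRequestBuilder;

    /** Builder for the Issuer element of the synthesized request. */
    private SAMLObjectBuilder<Issuer> issuerBuilder;

    /** Builder for the NameIDPolicy element of the synthesized request. */
    private SAMLObjectBuilder<NameIDPolicy> nipBuilder;

    /** Generator used for the request ID when no client-supplied time/session pair is available. */
    private IdentifierGenerator idGenerator;

    /**
     * Constructor.
     *
     * @param identifierGenerator generator for AuthnRequest IDs
     */
    public UnsolicitedSSODecoder(IdentifierGenerator identifierGenerator) {
        XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();
        this.authnRequestBuilder = builderFactory.getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME);
        this.issuerBuilder = builderFactory.getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
        this.nipBuilder = builderFactory.getBuilder(NameIDPolicy.DEFAULT_ELEMENT_NAME);
        this.idGenerator = identifierGenerator;
        this.defaultBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
    }

    /** {@inheritDoc} */
    public String getBindingURI() {
        return "urn:mace:shibboleth:2.0:profiles:AuthnRequest";
    }

    /**
     * {@inheritDoc}
     *
     * <p>Always {@code false}: there is no inbound SAML message and therefore no {@code Destination}
     * attribute to compare against the receiving endpoint.</p>
     */
    protected boolean isIntendedDestinationEndpointURIRequired(SAMLMessageContext sAMLMessageContext) {
        return false;
    }

    /**
     * {@inheritDoc}
     *
     * @return always {@code null}, since the synthesized request carries no destination
     */
    protected String getIntendedDestinationEndpointURI(SAMLMessageContext sAMLMessageContext) throws MessageDecodingException {
        return null;
    }

    /**
     * Gets the binding used to pick an ACS endpoint from metadata when no "shire" parameter is given.
     *
     * @return the default ACS binding URI
     */
    public String getDefaultBinding() {
        return this.defaultBinding;
    }

    /**
     * Sets the binding used to pick an ACS endpoint from metadata when no "shire" parameter is given.
     *
     * @param str the default ACS binding URI
     */
    public void setDefaultBinding(String str) {
        this.defaultBinding = str;
    }

    /**
     * Reads the unsolicited-SSO request parameters, synthesizes an {@link AuthnRequest} from them and
     * installs it as the inbound message of the context.
     *
     * @param messageContext must be an {@link SSOProfileHandler.SSORequestContext} whose inbound transport
     *            is an {@link HttpServletRequestAdapter}
     *
     * @throws MessageDecodingException if the context or transport has the wrong type, the
     *             {@code providerId} parameter is missing, the {@code time} parameter is not a number,
     *             or no ACS URL can be determined for the SP
     */
    protected void doDecode(MessageContext messageContext) throws MessageDecodingException {
        if (!(messageContext instanceof SSOProfileHandler.SSORequestContext)) {
            this.log.warn("Invalid message context type, this decoder only supports SSORequestContext");
            throw new MessageDecodingException("Invalid message context type, this decoder only supports SSORequestContext");
        }
        if (!(messageContext.getInboundMessageTransport() instanceof HTTPInTransport)) {
            this.log.warn("Invalid inbound message transport type, this decoder only support HTTPInTransport");
            throw new MessageDecodingException("Invalid inbound message transport type, this decoder only support HTTPInTransport");
        }
        SSOProfileHandler.SSORequestContext requestContext = (SSOProfileHandler.SSORequestContext) messageContext;
        // getWrappedRequest() below needs the servlet adapter, not just the HTTPInTransport interface.
        HttpServletRequestAdapter transport = (HttpServletRequestAdapter) messageContext.getInboundMessageTransport();

        // Client-asserted SP entityID; nothing here authenticates the SP.
        String spEntityId = DatatypeHelper.safeTrimOrNullString(transport.getParameterValue(PROVIDER_ID_PARAM));
        if (spEntityId == null) {
            this.log.warn("No providerId parameter given in unsolicited SSO authentication request.");
            throw new MessageDecodingException("No providerId parameter given in unsolicited SSO authentication request.");
        }

        requestContext.setRelayState(DatatypeHelper.safeTrimOrNullString(transport.getParameterValue(TARGET_PARAM)));
        String time = DatatypeHelper.safeTrimOrNullString(transport.getParameterValue(TIME_PARAM));
        // The session id the client *claims*; may be null or not correspond to a live session.
        String requestedSessionId = transport.getWrappedRequest().getRequestedSessionId();

        String binding = null;
        String acsUrl = DatatypeHelper.safeTrimOrNullString(transport.getParameterValue(SHIRE_PARAM));
        if (acsUrl == null) {
            acsUrl = lookupACSURL(requestContext.getMetadataProvider(), spEntityId);
            if (acsUrl == null) {
                this.log.warn("Unable to resolve SP ACS URL for AuthnRequest construction for entityID: {}", spEntityId);
                throw new MessageDecodingException("Unable to resolve SP ACS URL for AuthnRequest construction");
            }
            // Only set a ProtocolBinding when we picked the endpoint ourselves; a client-supplied
            // "shire" URL is passed through without a binding, exactly as given.
            binding = this.defaultBinding;
        }

        AuthnRequest authnRequest = buildAuthnRequest(spEntityId, acsUrl, binding, time, requestedSessionId);
        requestContext.setInboundMessage(authnRequest);
        requestContext.setInboundSAMLMessage(authnRequest);
        this.log.debug("Mocked up SAML message");
        populateMessageContext(requestContext);
        requestContext.setUnsolicited(true);
    }

    /**
     * Builds the synthetic AuthnRequest.
     *
     * @param spEntityId entityID placed in the Issuer element
     * @param acsUrl value for AssertionConsumerServiceURL
     * @param binding value for ProtocolBinding, or null to leave it unset
     * @param time optional issue instant in seconds since the epoch (decimal string), or null for "now"
     * @param sessionId optional requested servlet session id; combined with {@code time} to form the
     *            request ID when both are present
     *
     * @return the populated request
     *
     * @throws MessageDecodingException if {@code time} is present but is not a parseable long; without
     *             this the raw NumberFormatException would escape the decoder as a server error
     */
    private AuthnRequest buildAuthnRequest(String spEntityId, String acsUrl, String binding, String time, String sessionId)
            throws MessageDecodingException {
        AuthnRequest request = this.authnRequestBuilder.buildObject();
        request.setAssertionConsumerServiceURL(acsUrl);
        if (binding != null) {
            request.setProtocolBinding(binding);
        }

        Issuer issuer = this.issuerBuilder.buildObject();
        issuer.setValue(spEntityId);
        request.setIssuer(issuer);

        NameIDPolicy nameIdPolicy = this.nipBuilder.buildObject();
        nameIdPolicy.setAllowCreate(true);
        request.setNameIDPolicy(nameIdPolicy);

        if (time == null) {
            request.setID(this.idGenerator.generateIdentifier());
            request.setIssueInstant(new DateTime());
            return request;
        }

        long seconds;
        try {
            seconds = Long.parseLong(time);
        } catch (NumberFormatException e) {
            this.log.warn("Invalid time parameter given in unsolicited SSO authentication request: {}", time);
            throw new MessageDecodingException("Invalid time parameter given in unsolicited SSO authentication request", e);
        }
        // "time" is seconds; DateTime wants milliseconds.
        request.setIssueInstant(new DateTime(seconds * 1000, ISOChronology.getInstanceUTC()));

        if (sessionId != null) {
            // Deterministic ID derived from the client's session id and timestamp; both values are
            // client-controlled and this ID will be echoed back by the profile (e.g. in InResponseTo).
            request.setID('_' + sessionId + '!' + time);
        } else {
            request.setID(this.idGenerator.generateIdentifier());
        }
        return request;
    }

    /**
     * Resolves the SP's assertion consumer service URL from metadata for the default binding.
     *
     * @param metadataProvider provider used to look up the SP's SAML 2 SPSSODescriptor
     * @param spEntityId entityID of the SP
     *
     * @return the ACS location, never null
     *
     * @throws MessageDecodingException if the SP has no SAML 2 SP role in metadata, no ACS endpoint for the
     *             default binding, or the metadata provider fails
     */
    private String lookupACSURL(MetadataProvider metadataProvider, String spEntityId) throws MessageDecodingException {
        try {
            SPSSODescriptor spRole = metadataProvider.getRole(spEntityId, SPSSODescriptor.DEFAULT_ELEMENT_NAME,
                    "urn:oasis:names:tc:SAML:2.0:protocol");
            if (spRole == null) {
                throw new MessageDecodingException("SAML 2 SPSSODescriptor could not be resolved from metadata for SP entityID: " + spEntityId);
            }

            BasicEndpointSelector selector = new BasicEndpointSelector();
            selector.setEntityRoleMetadata(spRole);
            selector.setEndpointType(AssertionConsumerService.DEFAULT_ELEMENT_NAME);
            selector.getSupportedIssuerBindings().add(this.defaultBinding);

            Endpoint acsEndpoint = selector.selectEndpoint();
            if (acsEndpoint == null || acsEndpoint.getLocation() == null) {
                throw new MessageDecodingException("SAML 2 ACS endpoint could not be resolved from metadata for SP entityID and binding: " + spEntityId + " -- " + this.defaultBinding);
            }
            return acsEndpoint.getLocation();
        } catch (MetadataProviderException e) {
            throw new MessageDecodingException("Error resolving metadata role for SP entityId: " + spEntityId, e);
        }
    }
}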
