package org.springframework.security.saml;

import java.io.IOException;
import java.util.Iterator;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.spi.LocationInfo;
import org.opensaml.common.SAMLException;
import org.opensaml.saml2.metadata.RoleDescriptor;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.samlext.idpdisco.DiscoveryResponse;
import org.opensaml.util.URLBuilder;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.util.Pair;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.saml.context.SAMLContextProvider;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.MetadataManager;
import org.springframework.security.saml.util.SAMLUtil;
import org.springframework.security.web.FilterInvocation;
import org.springframework.util.Assert;
import org.springframework.web.filter.GenericFilterBean;

/* loaded from: input_file:WEB-INF/lib/spring-security-saml2-core-1.0.1.RELEASE.jar:org/springframework/security/saml/SAMLDiscovery.class */
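/**
 * Servlet filter implementing the service-provider side of the SAML IDP Discovery profile.
 *
 * <p>Requests whose URL matches {@link #getFilterProcessesUrl()} are handled here; all others are
 * passed down the filter chain. A handled request either forwards to the configured IDP selection
 * page or redirects the browser back to a return URL, optionally carrying the default IDP.
 *
 * <p>Security-relevant inputs read from the request: {@code entityID}, {@code return},
 * {@code returnIDParam}, {@code policy} and {@code isPassive}. A request-supplied {@code return}
 * URL becomes a redirect target, so it is checked by
 * {@link #isResponseURLValid(String, SAMLMessageContext)} before use.
 */
public class SAMLDiscovery extends GenericFilterBean {
    protected static final Logger logger = LoggerFactory.getLogger(SAMLDiscovery.class);

    /** Request attribute under which the return URL is handed to the IDP selection page. */
    public static final String RETURN_URL = "idpDiscoReturnURL";
    /** Request attribute under which the return parameter name is handed to the IDP selection page. */
    public static final String RETURN_PARAM = "idpDiscoReturnParam";
    /** Request parameter carrying the entity ID of the requesting local entity. */
    public static final String ENTITY_ID_PARAM = "entityID";
    /** Request parameter carrying the URL to return to after discovery. */
    public static final String RETURN_URL_PARAM = "return";
    /** Request parameter naming the query parameter in which the selected IDP is returned. */
    public static final String RETURN_ID_PARAM = "returnIDParam";
    /** Request parameter carrying the requested discovery policy. */
    public static final String POLICY_PARAM = "policy";
    /** Request parameter requesting a passive (non-interactive) response. */
    public static final String PASSIVE_PARAM = "isPassive";
    /** Default URL suffix this filter reacts to. */
    public static final String FILTER_URL = "/saml/discovery";
    /** The only discovery policy accepted by {@link #processDiscoveryRequest}. */
    public static final String IDP_DISCO_PROTOCOL_SINGLE = "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol:single";

    protected String idpSelectionPath;
    protected MetadataManager metadata;
    protected SAMLContextProvider contextProvider;
    protected SAMLEntryPoint samlEntryPoint;
    protected String filterProcessesUrl = FILTER_URL;

    /**
     * Handles the request as an IDP Discovery request when {@link #processFilter} accepts it,
     * otherwise delegates to the rest of the chain.
     *
     * @param servletRequest incoming request
     * @param servletResponse outgoing response
     * @param filterChain remaining filters
     * @throws IOException on I/O failure while responding
     * @throws ServletException when the discovery request is rejected
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        FilterInvocation invocation = new FilterInvocation(servletRequest, servletResponse, filterChain);
        if (!processFilter(invocation.getRequest())) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        processDiscoveryRequest(invocation.getRequest(), invocation.getResponse());
    }

    /**
     * Decides whether this filter should handle the request, by delegating to
     * {@link SAMLUtil#processFilter} with the configured filter URL.
     *
     * @param httpServletRequest request to test
     * @return {@code true} when the request is to be processed by this filter
     */
    protected boolean processFilter(HttpServletRequest httpServletRequest) {
        return SAMLUtil.processFilter(this.filterProcessesUrl, httpServletRequest);
    }

    /**
     * Validates the discovery request parameters and sends either the IDP selection page or a
     * passive redirect.
     *
     * <p>Checks performed, in order: {@code entityID} must be present; a supplied {@code return}
     * URL must pass {@link #isResponseURLValid}, otherwise the default return URL is used; a
     * supplied {@code policy} must equal {@link #IDP_DISCO_PROTOCOL_SINGLE}.
     *
     * @param httpServletRequest discovery request
     * @param httpServletResponse response used for the redirect or forward
     * @throws IOException on I/O failure while responding
     * @throws ServletException wrapping a {@link SAMLException} when a parameter is missing or
     *         invalid, no return URL can be determined, or metadata cannot be loaded
     */
    protected void processDiscoveryRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        logger.debug("Processing IDP Discovery Service request");
        String entityId = httpServletRequest.getParameter(ENTITY_ID_PARAM);
        if (entityId == null) {
            logger.debug("Received IDP Discovery request without entityId");
            throw new ServletException(new SAMLException("Entity ID parameter must be specified"));
        }
        try {
            // The context provider resolves the local entity from this request attribute.
            httpServletRequest.setAttribute(SAMLConstants.LOCAL_ENTITY_ID, entityId);
            SAMLMessageContext localEntity = this.contextProvider.getLocalEntity(httpServletRequest, httpServletResponse);

            // Request-supplied return URL: reject it unless it validates against the configured one.
            String returnUrl = httpServletRequest.getParameter(RETURN_URL_PARAM);
            if (returnUrl == null) {
                returnUrl = getDefaultReturnURL(localEntity);
            } else if (!isResponseURLValid(returnUrl, localEntity)) {
                logger.debug("Return URL {} designated in IDP Discovery request for entity {} is not valid", returnUrl, entityId);
                throw new ServletException(new SAMLException("Return URL designated in IDP Discovery request for entity is not valid"));
            }
            if (returnUrl == null) {
                throw new ServletException(new SAMLException("Can't determine IDP Discovery return URL for entity " + localEntity.getLocalEntityRoleMetadata().getID()));
            }

            String policy = httpServletRequest.getParameter(POLICY_PARAM);
            if (policy != null && !policy.equals(IDP_DISCO_PROTOCOL_SINGLE)) {
                logger.debug("Received IDP Discovery with unsupported policy {}", policy);
                throw new ServletException(new SAMLException("Unsupported IDP discovery profile was requested"));
            }

            // Request-supplied name of the query parameter that will carry the IDP entity ID.
            String returnParam = httpServletRequest.getParameter(RETURN_ID_PARAM);
            if (returnParam == null) {
                returnParam = ENTITY_ID_PARAM;
            }

            boolean passive = "true".equals(httpServletRequest.getParameter(PASSIVE_PARAM));
            if (!passive) {
                if (getIdpSelectionPath() != null) {
                    sendIDPSelection(httpServletRequest, httpServletResponse, returnUrl, returnParam);
                    return;
                }
                logger.debug("No IDP selection path configured, sending passive response");
            }
            sendPassiveResponse(httpServletRequest, httpServletResponse, returnUrl, returnParam, getPassiveIDP(httpServletRequest));
        } catch (MetadataProviderException e) {
            logger.debug("Error loading metadata", e);
            throw new ServletException(new SAMLException("Error loading metadata", e));
        }
    }

    /**
     * Redirects the browser to the return URL, appending the IDP entity ID when one is given.
     *
     * @param httpServletRequest current request (not read here)
     * @param httpServletResponse response on which the redirect is sent
     * @param str return URL to redirect to; validated by the caller in this class
     * @param str2 name of the query parameter carrying the IDP entity ID; in this class it
     *        originates from the {@code returnIDParam} request parameter
     * @param str3 IDP entity ID to append, or {@code null} to redirect without one
     * @throws IOException when the redirect cannot be sent
     * @throws ServletException declared for overriding implementations
     */
    protected void sendPassiveResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2, String str3) throws IOException, ServletException {
        String redirectUrl = str;
        if (str3 != null) {
            // NOTE(review): str2 is request-controlled; confirm URLBuilder encodes parameter
            // names and values when building the URL.
            URLBuilder builder = new URLBuilder(str);
            builder.getQueryParams().add(new Pair<>(str2, str3));
            redirectUrl = builder.buildURL();
        }
        logger.debug("Responding to a passive IDP Discovery request with URL {}", redirectUrl);
        httpServletResponse.sendRedirect(redirectUrl);
    }

    /**
     * Forwards to the configured IDP selection page, exposing the return URL and return parameter
     * name as the request attributes {@link #RETURN_URL} and {@link #RETURN_PARAM}.
     *
     * @param httpServletRequest current request
     * @param httpServletResponse current response
     * @param str return URL handed to the selection page
     * @param str2 return parameter name handed to the selection page
     * @throws IOException when the forward fails with an I/O error
     * @throws ServletException when the forward target fails
     */
    protected void sendIDPSelection(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2) throws IOException, ServletException {
        httpServletRequest.setAttribute(RETURN_URL, str);
        httpServletRequest.setAttribute(RETURN_PARAM, str2);
        String selectionPath = getIdpSelectionPath();
        logger.debug("Initializing IDP Discovery selection page at {} with return url {}", selectionPath, str);
        httpServletRequest.getRequestDispatcher(selectionPath).forward(httpServletRequest, httpServletResponse);
    }

    /**
     * Determines the return URL to use when the request does not supply one.
     *
     * <p>Sources, in order: the discovery response URL from extended metadata of a local entity;
     * a {@link DiscoveryResponse} extension in the role metadata whose binding is
     * {@link DiscoveryResponse#IDP_DISCO_NS}; for a local entity, a URL built from the local
     * context path, the entry point filter URL and the entity alias.
     *
     * @param sAMLMessageContext context populated with the local entity
     * @return the return URL, or {@code null} when none is found and the entity is not local
     */
    protected String getDefaultReturnURL(SAMLMessageContext sAMLMessageContext) {
        RoleDescriptor roleMetadata = sAMLMessageContext.getLocalEntityRoleMetadata();
        ExtendedMetadata extendedMetadata = sAMLMessageContext.getLocalExtendedMetadata();

        if (extendedMetadata.isLocal() && extendedMetadata.getIdpDiscoveryResponseURL() != null) {
            return extendedMetadata.getIdpDiscoveryResponseURL();
        }

        if (roleMetadata.getExtensions() != null) {
            for (XMLObject extension : roleMetadata.getExtensions().getUnknownXMLObjects(DiscoveryResponse.DEFAULT_ELEMENT_NAME)) {
                DiscoveryResponse discoveryResponse = (DiscoveryResponse) extension;
                // Constant-first comparison: an extension without a binding is skipped, not an NPE.
                if (DiscoveryResponse.IDP_DISCO_NS.equals(discoveryResponse.getBinding())) {
                    logger.debug("Using IDP Discovery response URL from metadata {}", discoveryResponse.getLocation());
                    return discoveryResponse.getLocation();
                }
            }
        }

        if (!extendedMetadata.isLocal()) {
            return null;
        }

        String entryPointUrl = this.samlEntryPoint != null ? this.samlEntryPoint.getFilterProcessesUrl() : SAMLEntryPoint.FILTER_URL;
        String contextPath = (String) sAMLMessageContext.getInboundMessageTransport().getAttribute(SAMLConstants.LOCAL_CONTEXT_PATH);
        String aliasPart = extendedMetadata.getAlias() != null ? "/alias/" + extendedMetadata.getAlias() : "";
        // The literal "?" replaces a log4j constant with the same value that the decompiler
        // substituted for the query separator; the produced URL is unchanged.
        String calculated = contextPath + entryPointUrl + aliasPart + "?" + SAMLEntryPoint.DISCOVERY_RESPONSE_PARAMETER + "=true";
        logger.debug("Using IDP Discovery response URL calculated for local entity {}", calculated);
        return calculated;
    }

    /**
     * Checks a request-supplied return URL against the default return URL of the local entity.
     *
     * <p>The URL is accepted only when both URLs parse and their host components are equal. A
     * missing default URL, an unparsable URL or a missing host results in rejection rather than
     * an unchecked exception, so the caller always reaches its "not valid" error path.
     *
     * <p>NOTE(review): only the host is compared; scheme, port and path of the supplied URL are
     * not checked. Deployments that need a stricter redirect policy should override this method,
     * for example to match the full URL against the configured discovery response locations.
     *
     * @param str return URL taken from the request
     * @param sAMLMessageContext context populated with the local entity
     * @return {@code true} when the supplied URL has the same host as the default return URL
     */
    protected boolean isResponseURLValid(String str, SAMLMessageContext sAMLMessageContext) {
        String defaultReturnUrl = getDefaultReturnURL(sAMLMessageContext);
        if (str == null || defaultReturnUrl == null) {
            return false;
        }
        try {
            String expectedHost = new URLBuilder(defaultReturnUrl).getHost();
            String requestedHost = new URLBuilder(str).getHost();
            // Fail closed: two URLs without a host must not count as a match.
            return expectedHost != null && expectedHost.equals(requestedHost);
        } catch (IllegalArgumentException e) {
            // Presumably what URLBuilder throws for a malformed URL; verify against the
            // OpenSAML version in use.
            logger.debug("Rejecting IDP Discovery return URL that could not be parsed", e);
            return false;
        }
    }

    /**
     * Returns the IDP to report in a passive response, taken from
     * {@link MetadataManager#getDefaultIDP()}.
     *
     * <p>The decompiler reports that the access modifier of this method was changed from
     * {@code protected}.
     *
     * @param httpServletRequest current request (not read here)
     * @return entity ID of the default IDP, or {@code null} when it cannot be determined
     */
    public String getPassiveIDP(HttpServletRequest httpServletRequest) {
        try {
            return this.metadata.getDefaultIDP();
        } catch (MetadataProviderException e) {
            // Best effort: the passive response is then sent without an IDP.
            logger.debug("No default IDP available for passive IDP Discovery response", e);
            return null;
        }
    }

    /**
     * @return path of the IDP selection page, or {@code null} when only passive responses are sent
     */
    public String getIdpSelectionPath() {
        return this.idpSelectionPath;
    }

    /**
     * @param str path the request is forwarded to for interactive IDP selection
     */
    public void setIdpSelectionPath(String str) {
        this.idpSelectionPath = str;
    }

    /**
     * @param metadataManager metadata manager used to look up the default IDP; must not be null
     */
    @Autowired
    public void setMetadata(MetadataManager metadataManager) {
        Assert.notNull(metadataManager, "MetadataManager can't be null");
        this.metadata = metadataManager;
    }

    /**
     * @param sAMLEntryPoint optional entry point whose filter URL is used when calculating the
     *        default return URL
     */
    @Autowired(required = false)
    public void setSamlEntryPoint(SAMLEntryPoint sAMLEntryPoint) {
        this.samlEntryPoint = sAMLEntryPoint;
    }

    /**
     * @param sAMLContextProvider provider used to populate the local entity; must not be null
     */
    @Autowired
    public void setContextProvider(SAMLContextProvider sAMLContextProvider) {
        Assert.notNull(sAMLContextProvider, "Context provider can't be null");
        this.contextProvider = sAMLContextProvider;
    }

    /**
     * @return URL this filter reacts to
     */
    public String getFilterProcessesUrl() {
        return this.filterProcessesUrl;
    }

    /**
     * @param str URL this filter should react to
     */
    public void setFilterProcessesUrl(String str) {
        this.filterProcessesUrl = str;
    }

    /**
     * Verifies that the mandatory collaborators were injected.
     *
     * @throws ServletException when the superclass initialization fails
     */
    @Override // org.springframework.web.filter.GenericFilterBean, org.springframework.beans.factory.InitializingBean
    public void afterPropertiesSet() throws ServletException {
        super.afterPropertiesSet();
        Assert.notNull(this.metadata, "Metadata must be set");
        Assert.notNull(this.contextProvider, "Context provider must be set");
    }
}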
