package org.cloudfoundry.identity.uaa.provider.saml.idp;

import java.util.List;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.namespace.QName;
import org.opensaml.common.SAMLException;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.signature.SignatureException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.ProviderNotFoundException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.saml.context.SAMLContextProvider;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.metadata.MetadataManager;
import org.springframework.stereotype.Controller;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;

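/**
 * Handles IdP-initiated SAML 2.0 Web SSO via {@code /saml/idp/initiate?sp=<entityId>}.
 *
 * <p>The {@code sp} request parameter is untrusted input. It is only acted on after it has been
 * matched against the service providers registered with the {@link SamlServiceProviderConfigurator},
 * and the assertion consumer URL is taken from that SP's own metadata rather than from the request,
 * so a caller cannot steer an assertion to an endpoint that is not part of a configured SP.
 *
 * <p>Every rejection (missing/unknown/inactive SP, IdP-initiated SSO disabled, SAML processing
 * failure) is raised as a {@link ProviderNotFoundException} and rendered by {@link #handleException}
 * with HTTP 400; the messages are fixed strings from this class and never echo request data.
 *
 * <p>Collaborators are injected through the setters below (Spring bean wiring); the class is
 * not safe to use before all five have been set.
 */
@Controller
/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.8.3.jar:org/cloudfoundry/identity/uaa/provider/saml/idp/IdpInitiatedLoginController.class */
public class IdpInitiatedLoginController {
    private static final Logger log = LoggerFactory.getLogger(IdpInitiatedLoginController.class);

    /** NameID format placed in the synthetic AuthnRequest that stands in for the SP's request. */
    private static final String UNSPECIFIED_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";

    private IdpWebSsoProfile idpWebSsoProfile;
    private MetadataManager metadataManager;
    private SamlServiceProviderConfigurator configurator;
    private SAMLContextProvider contextProvider;
    private IdpSamlAuthenticationSuccessHandler idpSamlAuthenticationSuccessHandler;

    /**
     * Starts an IdP-initiated login for the service provider identified by {@code sp}.
     *
     * <p>Order of checks: the parameter must be non-blank, must name a configured SP, that SP must be
     * active, and the SP's config must allow IdP-initiated SSO. Only then is the SP's metadata
     * consulted and a response sent for the authentication currently held in the security context.
     *
     * @param str                 the {@code sp} request parameter (entity ID of the target SP); may be null/blank
     * @param httpServletRequest  current request, used to build the SAML message context
     * @param httpServletResponse current response, which the SSO profile writes the SAML response to
     * @throws ProviderNotFoundException if the SP is missing, unknown, disabled, has IdP-initiated SSO
     *                                   disabled, or the SAML response could not be built/sent
     */
    @RequestMapping({"/saml/idp/initiate"})
    public void initiate(@RequestParam(value = "sp", required = false) String str,
                         HttpServletRequest httpServletRequest,
                         HttpServletResponse httpServletResponse) {
        if (!StringUtils.hasText(str)) {
            throw new ProviderNotFoundException("Missing sp request parameter. sp parameter must be a valid and configured entity ID");
        }
        log.debug("IDP is initiating authentication request to SP[{}]", str);

        // Resolve the requested entity ID strictly against the configured SP set; anything else is rejected
        // before any metadata lookup or response building happens.
        Optional<SamlServiceProviderHolder> match = this.configurator.getSamlServiceProviders().stream()
                .filter(holder -> str.equals(holder.getSamlServiceProvider().getEntityId()))
                .findFirst();
        if (!match.isPresent()) {
            log.debug("SP[{}] was not found, aborting saml response", str);
            throw new ProviderNotFoundException("Invalid sp entity ID. sp parameter must be a valid and configured entity ID");
        }
        SamlServiceProviderHolder holder = match.get();
        if (!holder.getSamlServiceProvider().isActive()) {
            log.debug("SP[{}] is disabled, aborting saml response", str);
            throw new ProviderNotFoundException("Service provider is disabled.");
        }
        if (!holder.getSamlServiceProvider().getConfig().isEnableIdpInitiatedSso()) {
            log.debug("SP[{}] initiated login is disabled, aborting saml response", str);
            throw new ProviderNotFoundException("IDP initiated login is disabled for this service provider.");
        }

        try {
            // The destination comes from the SP's metadata, never from the request.
            String assertionConsumerURL = getAssertionConsumerURL(str);
            log.debug("IDP is sending assertion for SP[{}] to {}", str, assertionConsumerURL);

            // NOTE(review): the authentication is taken from the security context without a null check;
            // this relies on the filter chain requiring an authenticated user on this endpoint — confirm.
            AuthnRequest authnRequest = this.idpWebSsoProfile.buildIdpInitiatedAuthnRequest(
                    UNSPECIFIED_NAMEID_FORMAT, str, assertionConsumerURL);
            SAMLMessageContext context = getSamlContext(str, authnRequest, httpServletRequest, httpServletResponse);
            this.idpWebSsoProfile.sendResponse(
                    SecurityContextHolder.getContext().getAuthentication(), context, getIdpIniatedOptions());
            log.debug("IDP initiated authentication and responded to SP[{}]", str);
        } catch (SAMLException | MetadataProviderException | MessageEncodingException | MarshallingException
                 | SecurityException | SignatureException e) {
            // Details stay in the debug log; the client only sees a generic failure.
            log.debug(String.format("IDP is unable to process assertion for SP[%s]", str), e);
            throw new ProviderNotFoundException("Unable to process SAML assertion. Response not sent.");
        }
    }

    /**
     * Looks up the assertion consumer service URL for an SP from its SAML 2.0 metadata.
     *
     * <p>The ACS marked {@code isDefault} wins; otherwise the first listed ACS is used. Missing
     * entity metadata, a missing SPSSODescriptor or an empty ACS list are reported as a
     * {@link MetadataProviderException} (previously these surfaced as NullPointerException /
     * IndexOutOfBoundsException, i.e. an HTTP 500 instead of the 400 produced for other SP problems).
     *
     * @param str entity ID of the SP; expected to already be validated as a configured SP
     * @return the ACS location to send the SAML response to
     * @throws MetadataProviderException if no usable SP metadata / ACS endpoint is available for {@code str}
     */
    public String getAssertionConsumerURL(String str) throws MetadataProviderException {
        SPSSODescriptor spDescriptor = Optional.ofNullable(this.metadataManager.getEntityDescriptor(str))
                .map(entity -> entity.getSPSSODescriptor(SAMLConstants.SAML20P_NS))
                .orElse(null);
        if (spDescriptor == null) {
            throw new MetadataProviderException(
                    String.format("No SAML 2.0 service provider metadata found for entity ID [%s]", str));
        }
        List<AssertionConsumerService> assertionConsumerServices = spDescriptor.getAssertionConsumerServices();
        if (assertionConsumerServices == null || assertionConsumerServices.isEmpty()) {
            throw new MetadataProviderException(
                    String.format("Service provider metadata for entity ID [%s] declares no AssertionConsumerService", str));
        }
        // Boolean.TRUE.equals(...) tolerates a null isDefault() rather than unboxing it.
        Optional<AssertionConsumerService> defaultService = assertionConsumerServices.stream()
                .filter(acs -> Boolean.TRUE.equals(acs.isDefault()))
                .findFirst();
        return defaultService.orElse(assertionConsumerServices.get(0)).getLocation();
    }

    /**
     * Builds the SAML message context for the exchange with the given SP.
     *
     * <p>The local and peer entity are resolved by the context provider, the peer is then pinned to
     * {@code str} in the SPSSODescriptor role, the success handler populates the remaining peer
     * details, and the synthetic {@code authnRequest} is installed as the inbound message so the
     * response is built as if the SP had sent it.
     *
     * @param str                 entity ID of the peer SP
     * @param authnRequest        synthetic AuthnRequest built for the IdP-initiated flow
     * @param httpServletRequest  current request
     * @param httpServletResponse current response
     * @return the populated context
     * @throws MetadataProviderException if the context provider cannot resolve the entities
     */
    protected SAMLMessageContext getSamlContext(String str, AuthnRequest authnRequest,
                                                HttpServletRequest httpServletRequest,
                                                HttpServletResponse httpServletResponse) throws MetadataProviderException {
        SAMLMessageContext context = this.contextProvider.getLocalAndPeerEntity(httpServletRequest, httpServletResponse);
        context.setPeerEntityId(str);
        context.setPeerEntityRole(new QName(SAMLConstants.SAML20MD_NS,
                SPSSODescriptor.DEFAULT_ELEMENT_LOCAL_NAME, SAMLConstants.SAML20MD_PREFIX));
        this.idpSamlAuthenticationSuccessHandler.populatePeerContext(context);
        context.setInboundSAMLMessage(authnRequest);
        return context;
    }

    /**
     * Profile options used for IdP-initiated responses.
     *
     * <p>Assertion signing is switched off here. NOTE(review): this leaves protection of the
     * assertion to whatever signing the profile applies at the Response level — confirm that is
     * the case, since an SP that validates only the assertion signature would otherwise accept an
     * unsigned assertion.
     *
     * @return options with {@code assertionsSigned=false}
     */
    protected IdpWebSSOProfileOptions getIdpIniatedOptions() {
        IdpWebSSOProfileOptions options = new IdpWebSSOProfileOptions();
        options.setAssertionsSigned(false);
        return options;
    }

    /** Injects the SSO profile that builds the AuthnRequest and sends the response. */
    public void setIdpWebSsoProfile(IdpWebSsoProfile idpWebSsoProfile) {
        this.idpWebSsoProfile = idpWebSsoProfile;
    }

    /** Injects the metadata manager used to read SP metadata. */
    public void setMetadataManager(MetadataManager metadataManager) {
        this.metadataManager = metadataManager;
    }

    /** Injects the configurator holding the set of registered service providers. */
    public void setConfigurator(SamlServiceProviderConfigurator samlServiceProviderConfigurator) {
        this.configurator = samlServiceProviderConfigurator;
    }

    /** Injects the provider that resolves local/peer entities into a message context. */
    public void setContextProvider(SAMLContextProvider sAMLContextProvider) {
        this.contextProvider = sAMLContextProvider;
    }

    /** Injects the success handler that fills in peer context details. */
    public void setIdpSamlAuthenticationSuccessHandler(IdpSamlAuthenticationSuccessHandler idpSamlAuthenticationSuccessHandler) {
        this.idpSamlAuthenticationSuccessHandler = idpSamlAuthenticationSuccessHandler;
    }

    /**
     * Renders any {@link AuthenticationException} raised by this controller as HTTP 400.
     *
     * <p>The exception message is exposed to the view under {@code saml_error}. Messages raised by
     * this class are fixed strings; the view should still escape the attribute as a matter of course.
     *
     * @param authenticationException the rejection that ended the flow
     * @param httpServletRequest      current request; receives the {@code saml_error} attribute
     * @param httpServletResponse     current response; status set to 400
     * @return the error view name
     */
    @ExceptionHandler
    public String handleException(AuthenticationException authenticationException,
                                  HttpServletRequest httpServletRequest,
                                  HttpServletResponse httpServletResponse) {
        httpServletResponse.setStatus(HttpServletResponse.SC_BAD_REQUEST);
        httpServletRequest.setAttribute("saml_error", authenticationException.getMessage());
        return "external_auth_error";
    }
}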
