package se.litsec.opensaml.saml2.authentication.build;

import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import net.shibboleth.utilities.java.support.security.impl.RandomIdentifierGenerationStrategy;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml.saml2.core.AuthnContextComparisonTypeEnumeration;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.RequestedAuthnContext;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml.saml2.metadata.SingleSignOnService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import se.litsec.opensaml.core.SAMLObjectBuilderRuntimeException;
import se.litsec.opensaml.saml2.attribute.AttributeUtils;
import se.litsec.opensaml.saml2.core.build.AbstractAuthnRequestBuilder;
import se.litsec.opensaml.saml2.core.build.NameIDPolicyBuilder;
import se.litsec.opensaml.saml2.core.build.RequestedAuthnContextBuilder;
import se.litsec.opensaml.saml2.metadata.MetadataUtils;
import se.litsec.opensaml.saml2.metadata.build.IdpEntityDescriptorBuilder;

/* loaded from: input_file:se/litsec/opensaml/saml2/authentication/build/ExtendedAuthnRequestBuilder.class */
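/**
 * Builder for SAML 2.0 {@code AuthnRequest} messages whose defaults are derived from SP and IdP
 * metadata rather than free-form input.
 *
 * <p>Endpoint-related values (Destination, request binding, AssertionConsumerServiceURL) and the
 * NameIDPolicy format are only accepted when the corresponding metadata declares them. This keeps
 * a request built here from being addressed to an endpoint that the trusted IdP metadata does not
 * list; it does not itself validate the metadata (signature, freshness, TLS origin) — that must
 * have happened before the descriptors reach this class.</p>
 *
 * <p>This listing appears to be decompiler output (synthesised parameter names such as {@code z},
 * {@code str}, {@code entityDescriptor2}); the names are kept for interface stability and are
 * explained in the per-method documentation. {@code mo1build()} is the decompiler's name for the
 * builders' build method.</p>
 */
public class ExtendedAuthnRequestBuilder extends AbstractAuthnRequestBuilder<ExtendedAuthnRequestBuilder> {

    /** Binding assigned by {@link #assignDefaults()} when none was chosen explicitly. */
    public static final String DEFAULT_REQUEST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";

    /** Size handed to {@link RandomIdentifierGenerationStrategy} when {@link #assignDefaults()} generates an ID. */
    public static final int DEFAULT_ID_SIZE = 24;

    /** Protocol URI used to look up the SP/IdP role descriptors. */
    private static final String SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol";

    /** Binding the SP's AssertionConsumerService must use to be picked as the default ACS URL. */
    private static final String HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";

    private static final Logger log = LoggerFactory.getLogger(ExtendedAuthnRequestBuilder.class);

    /** Metadata of the requesting SP; guaranteed to hold a SAML 2.0 SPSSODescriptor. */
    final EntityDescriptor spMetadata;

    /** Metadata of the target IdP; guaranteed to hold a SAML 2.0 IDPSSODescriptor. */
    final EntityDescriptor idpMetadata;

    /** Binding selected for the request, or {@code null} until {@link #binding(String)}/{@link #destination(String)} set it. */
    private String binding;

    /**
     * Creates a builder bound to one SP and one IdP.
     *
     * @param entityDescriptor  the SP metadata; must declare an SPSSODescriptor for the SAML 2.0 protocol
     * @param entityDescriptor2 the IdP metadata; must declare an IDPSSODescriptor for the SAML 2.0 protocol
     * @throws IllegalArgumentException if either argument is {@code null} or lacks the required role descriptor
     */
    public ExtendedAuthnRequestBuilder(EntityDescriptor entityDescriptor, EntityDescriptor entityDescriptor2) {
        if (entityDescriptor == null) {
            throw new IllegalArgumentException("spMetadata must not be null");
        }
        if (entityDescriptor.getSPSSODescriptor(SAML2_PROTOCOL) == null) {
            throw new IllegalArgumentException("spMetadata does not contain a SPSSODescriptor");
        }
        if (entityDescriptor2 == null) {
            throw new IllegalArgumentException("idpMetadata must not be null");
        }
        if (entityDescriptor2.getIDPSSODescriptor(SAML2_PROTOCOL) == null) {
            throw new IllegalArgumentException("idpMetadata does not contain a IDPSSODescriptor");
        }
        this.spMetadata = entityDescriptor;
        this.idpMetadata = entityDescriptor2;
    }

    /**
     * Fills in every part of the request that is still unset, using the metadata given at construction:
     * <ul>
     *   <li>SAML version 2.0 (always re-applied);</li>
     *   <li>a freshly generated ID of {@link #DEFAULT_ID_SIZE} if no ID is set;</li>
     *   <li>the SP entityID as Issuer if no Issuer is set;</li>
     *   <li>{@link #DEFAULT_REQUEST_BINDING} — and with it the IdP's matching Destination — if no binding was chosen;</li>
     *   <li>the SP's default HTTP-POST AssertionConsumerService (else the lowest-indexed one) as
     *       AssertionConsumerServiceURL if none is set;</li>
     *   <li>a NameIDPolicy with AllowCreate=true whose Format is the first SP NameIDFormat also declared by the IdP,
     *       if no NameIDPolicy is set.</li>
     * </ul>
     * Values that are already assigned are left untouched. {@code postProtocolBinding()} from the superclass is
     * invoked as in the original; what it does is not visible here.
     *
     * @return this builder
     * @throws SAMLObjectBuilderRuntimeException if the default binding is needed but the IdP metadata declares no
     *         SingleSignOnService for it (propagated from {@link #binding(String)})
     */
    public ExtendedAuthnRequestBuilder assignDefaults() {
        SPSSODescriptor spDesc = this.spMetadata.getSPSSODescriptor(SAML2_PROTOCOL);
        IDPSSODescriptor idpDesc = this.idpMetadata.getIDPSSODescriptor(SAML2_PROTOCOL);

        version(SAMLVersion.VERSION_20.getMajorVersion(), SAMLVersion.VERSION_20.getMinorVersion());

        if (request().getID() == null) {
            log.debug("Generated an ID attribute and assigned it");
            id(DEFAULT_ID_SIZE);
        }
        postProtocolBinding();
        if (request().getIssuer() == null) {
            log.debug("Assigning entityID '{}' to the Issuer element", this.spMetadata.getEntityID());
            issuer(this.spMetadata.getEntityID());
        }
        if (this.binding == null) {
            // Also sets the Destination to the IdP endpoint declared for that binding.
            binding(DEFAULT_REQUEST_BINDING);
        }
        if (request().getAssertionConsumerServiceURL() == null) {
            Optional<String> acsUrl = defaultPostAcsLocation(spDesc);
            if (acsUrl.isPresent()) {
                log.debug("Assigning URL '{}' to the AssertionConsumerServiceURL attribute", acsUrl.get());
                request().setAssertionConsumerServiceURL(acsUrl.get());
            } else {
                log.info("The AssertionConsumerServiceURL attribute could not be assigned automatically. - Could not find a AssertionConsumerService element in the SP metadata that has the POST binding");
            }
        }
        if (request().getNameIDPolicy() == null) {
            Optional<String> format = commonNameIdFormat(spDesc, idpDesc);
            if (format.isPresent()) {
                log.debug("Assigning the '{}' Format to the NameIDPolicy element", format.get());
                nameIDPolicy(NameIDPolicyBuilder.builder().allowCreate(true).format(format.get()).mo1build());
            } else {
                log.info("Could not assign the NameIDPolicy element automatically - no matching formats between SP and IdP");
            }
        }
        return this;
    }

    /**
     * Generates a random request ID and assigns it.
     *
     * <p>The ID is what a Response's {@code InResponseTo} is later matched against, so it must be unpredictable;
     * the value is produced by Shibboleth's {@link RandomIdentifierGenerationStrategy}. The meaning of
     * {@code i} (number of random bytes vs. characters) follows that class's constructor — check the
     * installed version before relying on a particular entropy amount.</p>
     *
     * @param i size argument passed to {@link RandomIdentifierGenerationStrategy}
     * @return this builder
     */
    public ExtendedAuthnRequestBuilder id(int i) {
        super.id(new RandomIdentifierGenerationStrategy(i).generateIdentifier());
        return this;
    }

    /**
     * Assigns the Destination attribute, but only if the IdP metadata declares a SingleSignOnService with exactly
     * that Location. The binding of that endpoint becomes the request binding. Refusing undeclared locations
     * prevents the request from being sent to an endpoint outside the trusted metadata.
     *
     * @param str the Destination URL, or {@code null} to clear the attribute (the stored binding is left as is)
     * @return this builder
     * @throws SAMLObjectBuilderRuntimeException if the IdP metadata has no SingleSignOnService at that Location
     */
    @Override // se.litsec.opensaml.saml2.core.build.AbstractRequestBuilder
    public ExtendedAuthnRequestBuilder destination(String str) {
        if (str == null) {
            return (ExtendedAuthnRequestBuilder) super.destination((String) null);
        }
        Optional<SingleSignOnService> endpoint = this.idpMetadata.getIDPSSODescriptor(SAML2_PROTOCOL)
            .getSingleSignOnServices().stream()
            .filter(sso -> str.equals(sso.getLocation()))
            .findFirst();
        if (!endpoint.isPresent()) {
            String msg = String.format("Metadata for IdP '%s' does not declare a SingleSignService element having its Location attribute set to '%s'",
                this.idpMetadata.getEntityID(), str);
            log.error(msg);
            throw new SAMLObjectBuilderRuntimeException(msg);
        }
        String endpointBinding = endpoint.get().getBinding();
        log.debug("Assigning the Destination attribute to '{}' the setting the binding to '{}'", str, endpointBinding);
        this.binding = endpointBinding;
        return (ExtendedAuthnRequestBuilder) super.destination(str);
    }

    /**
     * Returns the binding selected for the request, or {@code null} if none has been assigned yet.
     *
     * @return the binding URI or {@code null}
     */
    public String binding() {
        return this.binding;
    }

    /**
     * Selects the request binding and sets the Destination to the Location of the first SingleSignOnService in
     * the IdP metadata that uses that binding (metadata order decides if several are declared).
     *
     * @param str the binding URI; must not be {@code null}
     * @return this builder
     * @throws IllegalArgumentException if {@code str} is {@code null}
     * @throws SAMLObjectBuilderRuntimeException if the IdP metadata declares no SingleSignOnService with that binding
     */
    public ExtendedAuthnRequestBuilder binding(String str) throws SAMLObjectBuilderRuntimeException {
        if (str == null) {
            throw new IllegalArgumentException("binding must not be null");
        }
        Optional<String> location = this.idpMetadata.getIDPSSODescriptor(SAML2_PROTOCOL)
            .getSingleSignOnServices().stream()
            .filter(sso -> str.equals(sso.getBinding()))
            .map(sso -> sso.getLocation())
            .findFirst();
        if (!location.isPresent()) {
            String msg = String.format("Metadata for IdP '%s' does not declare a SingleSignOnService element having the '%s' binding",
                this.idpMetadata.getEntityID(), str);
            log.error(msg);
            throw new SAMLObjectBuilderRuntimeException(msg);
        }
        log.debug("Assigning the '{}' binding and setting the Destination attribute to '{}'", str, location.get());
        this.binding = str;
        super.destination(location.get());
        return this;
    }

    /**
     * Assigns a NameIDPolicy (AllowCreate=true) with the given Format, provided the IdP metadata declares that
     * NameIDFormat.
     *
     * @param str the NameID format URI, or {@code null} to remove the NameIDPolicy element
     * @return this builder
     * @throws SAMLObjectBuilderRuntimeException if the IdP does not declare the format
     */
    public ExtendedAuthnRequestBuilder nameIDPolicyFormat(String str) throws SAMLObjectBuilderRuntimeException {
        if (str == null) {
            return nameIDPolicy(null);
        }
        boolean supported = this.idpMetadata.getIDPSSODescriptor(SAML2_PROTOCOL).getNameIDFormats().stream()
            .anyMatch(format -> format.getURI().equals(str));
        if (!supported) {
            String msg = String.format("IdP '%s' does not support NameID of format '%s'", this.idpMetadata.getEntityID(), str);
            log.error(msg);
            throw new SAMLObjectBuilderRuntimeException(msg);
        }
        nameIDPolicy(NameIDPolicyBuilder.builder().allowCreate(true).format(str).mo1build());
        return this;
    }

    /**
     * Replaces the AuthnContextClassRef elements of the RequestedAuthnContext (created with Comparison=exact if
     * absent) with the given URIs.
     *
     * @param z    if {@code true}, keep only URIs that the IdP metadata lists in its assurance-certification entity
     *             attribute ({@code IdpEntityDescriptorBuilder.ASSURANCE_CERTIFICATION_ATTRIBUTE_NAME})
     * @param z2   if {@code true}, fail with an exception when filtering leaves nothing; otherwise the class refs
     *             are cleared and a warning is logged
     * @param list the requested authentication context class URIs; {@code null} or empty clears the class refs
     * @return this builder
     * @throws SAMLObjectBuilderRuntimeException if {@code z2} is set and no requested URI is supported by the IdP
     */
    public ExtendedAuthnRequestBuilder authnContextClassRefs(boolean z, boolean z2, List<String> list) throws SAMLObjectBuilderRuntimeException {
        if (list == null || list.isEmpty()) {
            clearAuthnContextClassRefs();
            return this;
        }
        List<String> idpAssuranceUris = idpAssuranceCertifications();
        List<String> toAssign = z
            ? list.stream().filter(idpAssuranceUris::contains).collect(Collectors.toList())
            : list;
        // Only reachable when z filtered everything out: list itself is non-empty here.
        if (toAssign.isEmpty()) {
            String msg = idpAssuranceUris.isEmpty()
                ? "IdP metadata does not specify any assuranceCertification URIs - failing to assign authentication context refs"
                : String.format("IdP metadata specified assurance URIs %s - call contained %s - no match", idpAssuranceUris, list);
            if (z2) {
                log.error(msg);
                throw new SAMLObjectBuilderRuntimeException(msg);
            }
            log.warn(msg);
            clearAuthnContextClassRefs();
            return this;
        }
        if (request().getRequestedAuthnContext() == null) {
            requestedAuthnContext(RequestedAuthnContextBuilder.builder().comparison(AuthnContextComparisonTypeEnumeration.EXACT).mo1build());
        }
        RequestedAuthnContext rac = request().getRequestedAuthnContext();
        rac.getAuthnContextClassRefs().clear();
        // SLF4J placeholder: the original used %s here, so the URI list was never interpolated.
        log.debug("Adding URI(s) {} as AuthnContextClassRef elements to RequestedAuthnContext", toAssign);
        for (String uri : toAssign) {
            AuthnContextClassRef ref = (AuthnContextClassRef) XMLObjectSupport.buildXMLObject(AuthnContextClassRef.DEFAULT_ELEMENT_NAME);
            ref.setURI(uri);
            rac.getAuthnContextClassRefs().add(ref);
        }
        return this;
    }

    /**
     * Varargs form of {@link #authnContextClassRefs(boolean, boolean, List)}.
     *
     * @param z      see the list form
     * @param z2     see the list form
     * @param strArr the URIs; {@code null} is treated like an empty list
     * @return this builder
     * @throws SAMLObjectBuilderRuntimeException see the list form
     */
    public ExtendedAuthnRequestBuilder authnContextClassRefs(boolean z, boolean z2, String... strArr) throws SAMLObjectBuilderRuntimeException {
        return authnContextClassRefs(z, z2, strArr != null ? Arrays.asList(strArr) : null);
    }

    /**
     * Removes all AuthnContextClassRef elements. If the RequestedAuthnContext would then carry no
     * AuthnContextDeclRef either, the whole element is removed rather than left empty.
     */
    private void clearAuthnContextClassRefs() {
        RequestedAuthnContext rac = request().getRequestedAuthnContext();
        if (rac == null) {
            return;
        }
        if (rac.getAuthnContextDeclRefs().isEmpty()) {
            request().setRequestedAuthnContext((RequestedAuthnContext) null);
        } else {
            rac.getAuthnContextClassRefs().clear();
        }
    }

    /** The request under construction; fetched each time rather than cached, as the superclass owns it. */
    private AuthnRequest request() {
        return (AuthnRequest) object();
    }

    /**
     * Location of the SP's HTTP-POST AssertionConsumerService marked isDefault, else the HTTP-POST one with the
     * lowest index (endpoints without an index sort last); empty if the SP has no HTTP-POST ACS.
     */
    private static Optional<String> defaultPostAcsLocation(SPSSODescriptor spDesc) {
        Optional<String> marked = spDesc.getAssertionConsumerServices().stream()
            .filter(acs -> HTTP_POST_BINDING.equals(acs.getBinding()))
            .filter(acs -> Boolean.TRUE.equals(acs.isDefault()))
            .map(acs -> acs.getLocation())
            .findFirst();
        if (marked.isPresent()) {
            return marked;
        }
        return spDesc.getAssertionConsumerServices().stream()
            .filter(acs -> HTTP_POST_BINDING.equals(acs.getBinding()))
            .sorted((a, b) -> compareIndex(a.getIndex(), b.getIndex()))
            .map(acs -> acs.getLocation())
            .findFirst();
    }

    /** Natural order on endpoint indexes with {@code null} sorting after any non-null value. */
    private static int compareIndex(Integer a, Integer b) {
        if (a == null) {
            return b == null ? 0 : 1;
        }
        if (b == null) {
            return -1;
        }
        return a.compareTo(b);
    }

    /**
     * First NameIDFormat URI declared by the SP that the IdP also declares (SP metadata order), ignoring formats
     * without a URI. The decompiled original compared a lambda parameter with itself here (shadowed name), which
     * would have accepted any SP format regardless of IdP support.
     */
    private static Optional<String> commonNameIdFormat(SPSSODescriptor spDesc, IDPSSODescriptor idpDesc) {
        List<String> idpFormats = idpDesc.getNameIDFormats().stream()
            .map(format -> format.getURI())
            .filter(Objects::nonNull)
            .collect(Collectors.toList());
        return spDesc.getNameIDFormats().stream()
            .map(format -> format.getURI())
            .filter(Objects::nonNull)
            .filter(idpFormats::contains)
            .findFirst();
    }

    /**
     * String values of the IdP's assurance-certification entity attribute, or an empty list if the IdP metadata
     * carries no EntityAttributes extension or no such attribute.
     */
    private List<String> idpAssuranceCertifications() {
        return MetadataUtils.getEntityAttributes(this.idpMetadata)
            .flatMap(entityAttributes -> entityAttributes.getAttributes().stream()
                .filter(attribute -> IdpEntityDescriptorBuilder.ASSURANCE_CERTIFICATION_ATTRIBUTE_NAME.equals(attribute.getName()))
                .findFirst())
            .map(AttributeUtils::getAttributeStringValues)
            .orElseGet(Collections::emptyList);
    }

    /** Decompiler reports this was {@code protected} in the original source; kept {@code public} as found. */
    @Override // se.litsec.opensaml.saml2.core.build.AbstractRequestBuilder
    public ExtendedAuthnRequestBuilder getThis() {
        return this;
    }
}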
