package com.atlassian.plugins.authentication.sso.web.saml.provider.impl;

import com.atlassian.plugin.classloader.DelegationClassLoader;
import com.atlassian.plugin.hostcontainer.HostContainer;
import com.atlassian.plugin.util.ContextClassLoaderSwitchingUtil;
import com.atlassian.plugins.authentication.api.config.saml.SamlConfig;
import com.atlassian.plugins.authentication.sso.util.ValidationUtils;
import com.atlassian.plugins.authentication.sso.web.AuthenticationHandlerNotConfiguredException;
import com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet;
import com.atlassian.plugins.authentication.sso.web.saml.TrackingCompatibilityModeResponseHandler;
import com.atlassian.plugins.authentication.sso.web.saml.provider.InvalidSamlResponse;
import com.atlassian.plugins.authentication.sso.web.saml.provider.SamlProvider;
import com.atlassian.plugins.authentication.sso.web.saml.provider.SamlRequest;
import com.atlassian.plugins.authentication.sso.web.saml.provider.SamlResponse;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableSet;
import com.onelogin.saml2.Auth;
import com.onelogin.saml2.authn.AuthnRequest;
import com.onelogin.saml2.exception.SettingsException;
import com.onelogin.saml2.servlet.ServletUtils;
import com.onelogin.saml2.settings.Saml2Settings;
import java.io.IOException;
import java.net.URISyntaxException;
import java.net.URL;
import java.time.Instant;
import java.util.Enumeration;
import java.util.List;
import java.util.Set;
import java.util.UUID;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.inject.Inject;
import javax.inject.Named;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.core.UriBuilder;

/**
 * {@link SamlProvider} implementation backed by the OneLogin java-saml library.
 *
 * <p>What this class does, as visible here:
 * <ul>
 *   <li>{@link #createSamlSingleSignOnRequest} builds the IdP redirect URL for an SP-initiated
 *       {@code AuthnRequest} and pairs it with a freshly generated RelayState;</li>
 *   <li>{@link #extractSamlResponse} processes the IdP's {@code SAMLResponse} against settings derived
 *       from the {@link SamlProvider.ServiceProviderInfo} and {@link SamlConfig} and turns it into a
 *       {@link SamlResponse};</li>
 *   <li>{@link #getIssuers} reads the Issuer value(s) out of an incoming response <em>before</em> any
 *       validation, so a caller can pick the matching configuration.</li>
 * </ul>
 *
 * <p>The validation policy applied to responses (strict mode, signed assertions, InResponseTo handling,
 * compatibility mode) is entirely defined in {@link #createSettings}; the other methods only apply it.
 *
 * <p>The two calls that parse XML run under {@link ServiceOverridingClassLoader} so that JAXP factory
 * lookups for the service files listed in {@code OVERRIDDEN_SERVICE_RESOURCES} resolve inside this
 * loader instead of the host container's class loader. Presumably this pins java-saml to the XML
 * implementations shipped with the plugin — NOTE(review): confirm, the reason is not stated in the code.
 *
 * <p>This listing was decompiled (see the {@code loaded from:} comments), which explains the generic
 * local names such as {@code z} and {@code e2}.
 */
@Named
/* loaded from: input_file:com/atlassian/plugins/authentication/sso/web/saml/provider/impl/OneloginJavaSamlProvider.class */
public class OneloginJavaSamlProvider implements SamlProvider {
    // Installed into every Saml2Settings as the compatibility-mode violation handler (see
    // createSettings). The field name suggests it decides what happens to assertions without
    // Conditions; the handler's actual behaviour is not visible in this file.
    private final TrackingCompatibilityModeResponseHandler conditionlessResponseHandler;

    /**
     * Class loader that delegates everything to the host container's loader, except the three JAXP
     * service-provider files below, which are answered from this loader's own {@code findResources}.
     *
     * <p>Used as the thread context class loader while java-saml parses XML (see
     * {@link #extractSamlResponse} and {@link #getIssuers}).
     */
    /* loaded from: input_file:com/atlassian/plugins/authentication/sso/web/saml/provider/impl/OneloginJavaSamlProvider$ServiceOverridingClassLoader.class */
    private static class ServiceOverridingClassLoader extends DelegationClassLoader {
        // Service files whose lookup bypasses the delegate loader: SchemaFactory, XPathFactory and
        // DocumentBuilderFactory providers.
        private static final Set<String> OVERRIDDEN_SERVICE_RESOURCES = ImmutableSet.of("META-INF/services/javax.xml.validation.SchemaFactory", "META-INF/services/javax.xml.xpath.XPathFactory", "META-INF/services/javax.xml.parsers.DocumentBuilderFactory");

        private ServiceOverridingClassLoader() {
            // Everything not overridden below is served by the loader that loaded HostContainer.
            setDelegateClassLoader(HostContainer.class.getClassLoader());
        }

        /**
         * Answers the overridden JAXP service files from this loader's own {@code findResources};
         * every other resource name goes through the normal delegation chain.
         * (Overrides {@code ClassLoader.getResources}; the {@code @Override} annotation was lost in
         * decompilation.)
         */
        public Enumeration<URL> getResources(String str) throws IOException {
            return OVERRIDDEN_SERVICE_RESOURCES.contains(str) ? findResources(str) : super.getResources(str);
        }
    }

    /**
     * @param trackingCompatibilityModeResponseHandler handler wired into every {@link Saml2Settings}
     *     created by {@link #createSettings} as the compatibility-mode violation handler
     */
    @Inject
    OneloginJavaSamlProvider(TrackingCompatibilityModeResponseHandler trackingCompatibilityModeResponseHandler) {
        this.conditionlessResponseHandler = trackingCompatibilityModeResponseHandler;
    }

    /**
     * Builds the redirect URL that starts an SP-initiated login at the IdP's single-sign-on URL.
     *
     * <p>The URL carries the deflated/base64 {@code SAMLRequest} (omitted if the library produced an
     * empty string) and a random UUID as {@code RelayState}. The same UUID and the AuthnRequest ID are
     * returned in the {@link SamlRequest} so the caller can later correlate the IdP's response with
     * this request (the ID is what {@link #extractSamlResponse} hands to java-saml as the expected
     * InResponseTo).
     *
     * @param httpServletRequest current request, passed to java-saml's {@code Auth}
     * @param httpServletResponse current response, passed to java-saml's {@code Auth}
     * @param serviceProviderInfo SP entity id and assertion consumer service URL
     * @param z forwarded as the second {@code AuthnRequest} constructor argument — in java-saml's
     *     {@code (settings, forceAuthn, isPassive, setNameIdPolicy)} constructor that is
     *     {@code forceAuthn}; confirm against the library version in use
     * @param samlConfig IdP entity id, SSO URL and certificate
     * @return the request ID, the fully built redirect URL and the RelayState value
     * @throws RuntimeException wrapping the {@link IOException} from request encoding or the
     *     {@link URISyntaxException} from converting the IdP SSO URL; the cause is preserved
     * @throws AuthenticationHandlerNotConfiguredException if the settings are rejected (see
     *     {@link #createAuth})
     */
    @Override // com.atlassian.plugins.authentication.sso.web.saml.provider.SamlProvider
    public SamlRequest createSamlSingleSignOnRequest(@Nonnull HttpServletRequest httpServletRequest, @Nonnull HttpServletResponse httpServletResponse, @Nonnull SamlProvider.ServiceProviderInfo serviceProviderInfo, boolean z, SamlConfig samlConfig) {
        try {
            Saml2Settings settings = createAuth(httpServletRequest, httpServletResponse, serviceProviderInfo, samlConfig).getSettings();
            // Nothing here configures AuthnRequest signing; whether the request is signed is left to
            // the library's defaults for these settings.
            AuthnRequest authnRequest = new AuthnRequest(settings, z, false, false);
            String encodedAuthnRequest = authnRequest.getEncodedAuthnRequest();
            try {
                UriBuilder fromUri = UriBuilder.fromUri(settings.getIdpSingleSignOnServiceUrl().toURI());
                if (!Strings.isNullOrEmpty(encodedAuthnRequest)) {
                    fromUri.queryParam("SAMLRequest", new Object[]{encodedAuthnRequest});
                }
                // Unpredictable RelayState (randomUUID is SecureRandom-backed); it is echoed back by the
                // IdP and used by the caller to tie the response to this request.
                String uuid = UUID.randomUUID().toString();
                fromUri.queryParam(SamlConsumerServlet.RELAY_STATE_QUERY_PARAM, new Object[]{uuid});
                return new SamlRequest(authnRequest.getId(), fromUri.build(new Object[0]).toString(), uuid);
            } catch (URISyntaxException e) {
                throw new RuntimeException(e);
            }
        } catch (IOException e2) {
            throw new RuntimeException(e2);
        }
    }

    /**
     * Validates the {@code SAMLResponse} carried by {@code httpServletRequest} and extracts the
     * authenticated subject.
     *
     * <p>Processing runs under {@link ServiceOverridingClassLoader}. The expected InResponseTo is the
     * ID stored in {@code samlRequest}; when {@code samlRequest} is {@code null} (no SP-initiated
     * request is known for this response) {@code null} is passed and the library decides, together with
     * {@code setRejectUnsolicitedResponsesWithInResponseTo(true)} from {@link #createSettings}, whether
     * an unsolicited response is acceptable — NOTE(review): that decision is made inside java-saml, not
     * here; confirm the library's behaviour for the {@code null} case.
     *
     * <p>On success the result carries the NameID, the attributes, the ID of the last assertion and
     * its NotOnOrAfter instants. The instants are converted through {@code getMillis()} — presumably
     * from Joda-Time {@code DateTime} values — to {@link Instant}.
     *
     * @param samlRequest the request this response should answer, or {@code null} for an unsolicited
     *     response
     * @return the validated response
     * @throws InvalidSamlResponse if reading the request ID fails, or if java-saml does not report the
     *     response as authenticated; in the latter case the message embeds the library's
     *     {@code getLastErrorReason()} text, so treat it as diagnostic output rather than a fixed
     *     string if it is ever surfaced to users
     * @throws RuntimeException wrapping any other exception raised while processing (cause preserved)
     * @throws AuthenticationHandlerNotConfiguredException if the settings are rejected (see
     *     {@link #createAuth})
     */
    @Override // com.atlassian.plugins.authentication.sso.web.saml.provider.SamlProvider
    public SamlResponse extractSamlResponse(@Nonnull HttpServletRequest httpServletRequest, @Nonnull HttpServletResponse httpServletResponse, @Nonnull SamlProvider.ServiceProviderInfo serviceProviderInfo, @Nonnull SamlConfig samlConfig, @Nullable SamlRequest samlRequest) throws InvalidSamlResponse {
        try {
            return (SamlResponse) ContextClassLoaderSwitchingUtil.runInContext(new ServiceOverridingClassLoader(), () -> {
                String id;
                Auth createAuth = createAuth(httpServletRequest, httpServletResponse, serviceProviderInfo, samlConfig);
                if (samlRequest == null) {
                    // No known request: no InResponseTo is expected.
                    id = null;
                } else {
                    try {
                        id = samlRequest.getId();
                    } catch (Exception e) {
                        // Any failure to recover the request ID is reported as an invalid response
                        // rather than as a server error.
                        throw new InvalidSamlResponse(e);
                    }
                }
                // All signature / condition / InResponseTo checks happen inside processResponse,
                // driven by the settings built in createSettings.
                createAuth.processResponse(id);
                if (createAuth.isAuthenticated()) {
                    return new SamlResponse(createAuth.getNameId(), createAuth.getAttributes(), createAuth.getLastAssertionId(), (List) createAuth.getLastAssertionNotOnOrAfter().stream().map(instant -> {
                        return Instant.ofEpochMilli(instant.getMillis());
                    }).collect(Collectors.toList()));
                }
                throw new InvalidSamlResponse("Received invalid SAML response: " + createAuth.getLastErrorReason());
            });
        } catch (InvalidSamlResponse e) {
            // Validation failures pass through untouched; everything else is an unexpected error.
            throw e;
        } catch (Exception e2) {
            throw new RuntimeException(e2);
        }
    }

    /**
     * Returns the Issuer value(s) found in the {@code SAMLResponse} of {@code httpServletRequest}.
     *
     * <p>The response is parsed with a fresh, default {@link Saml2Settings} — no IdP certificate, no
     * SP data — and only {@code getIssuers()} is called; nothing in this method validates the document.
     * The returned issuers therefore come from an <em>unverified</em> response: they are suitable for
     * choosing which configuration to validate against (the validation itself happens in
     * {@link #extractSamlResponse}), but must not be treated as evidence of who sent the response.
     *
     * <p>Runs under {@link ServiceOverridingClassLoader} like {@link #extractSamlResponse}.
     *
     * @param httpServletRequest request carrying the {@code SAMLResponse} parameter
     * @return the issuer values reported by java-saml
     * @throws InvalidSamlResponse if the response cannot be parsed (wraps the original exception);
     *     evidently an unchecked exception, since it is not declared here
     */
    @Override // com.atlassian.plugins.authentication.sso.web.saml.provider.SamlProvider
    public List<String> getIssuers(HttpServletRequest httpServletRequest) {
        try {
            return (List) ContextClassLoaderSwitchingUtil.runInContext(new ServiceOverridingClassLoader(), () -> {
                // Default settings: this is a parse-only step, not a validation step.
                return new com.onelogin.saml2.authn.SamlResponse(new Saml2Settings(), ServletUtils.makeHttpRequest(httpServletRequest)).getIssuers();
            });
        } catch (Exception e) {
            throw new InvalidSamlResponse("Received invalid SAML response", e);
        }
    }

    /**
     * Creates a java-saml {@code Auth} bound to the current request/response and the settings built by
     * {@link #createSettings}.
     *
     * @throws AuthenticationHandlerNotConfiguredException if the {@code Auth} constructor rejects the
     *     settings with a {@link SettingsException} (presumably from its settings check); the cause is
     *     preserved
     */
    private Auth createAuth(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SamlProvider.ServiceProviderInfo serviceProviderInfo, SamlConfig samlConfig) {
        try {
            return new Auth(createSettings(serviceProviderInfo, samlConfig), httpServletRequest, httpServletResponse);
        } catch (SettingsException e) {
            throw new AuthenticationHandlerNotConfiguredException("Invalid SAML configuration", e);
        }
    }

    /**
     * Builds the {@link Saml2Settings} that define this provider's validation policy.
     *
     * <p>Security-relevant choices, all of which the other methods rely on:
     * <ul>
     *   <li>{@code setStrict(true)} — java-saml enforces its validations only in strict mode (per the
     *       library's documentation); leave this on;</li>
     *   <li>{@code setWantAssertionsSigned(true)} — assertions must carry a valid signature from the
     *       configured IdP certificate;</li>
     *   <li>{@code setWantAssertionsEncrypted(false)} — encrypted assertions are not required;</li>
     *   <li>{@code setRejectUnsolicitedResponsesWithInResponseTo(true)} — a response that names an
     *       InResponseTo the SP did not issue is rejected;</li>
     *   <li>{@code setCompatibilityMode(true)} plus the injected violation handler — these two setters
     *       are not part of upstream java-saml's {@code Saml2Settings} as far as I know, so this is
     *       presumably a fork; which spec violations the handler tolerates is not visible here.
     *       NOTE(review): confirm what compatibility mode relaxes before relying on the checks above.</li>
     * </ul>
     *
     * <p>SP identity comes from {@code serviceProviderInfo} (entity id = issuer URL, ACS URL converted
     * via {@link ValidationUtils#convertToUrl}); IdP identity from {@code samlConfig} (entity id, SSO
     * URL and the X.509 certificate converted via {@link ValidationUtils#convertToCertificate}).
     * Settings are not checked here; that happens when {@link #createAuth} constructs {@code Auth}.
     *
     * <p>Package-visible for tests. The anonymous subclass captures both parameters and the enclosing
     * provider (for the violation handler).
     */
    @VisibleForTesting
    Saml2Settings createSettings(final SamlProvider.ServiceProviderInfo serviceProviderInfo, final SamlConfig samlConfig) {
        return new Saml2Settings() { // from class: com.atlassian.plugins.authentication.sso.web.saml.provider.impl.OneloginJavaSamlProvider.1
            {
                setStrict(true);
                setWantAssertionsSigned(true);
                setWantAssertionsEncrypted(false);
                setRejectUnsolicitedResponsesWithInResponseTo(true);
                setSpEntityId(serviceProviderInfo.getIssuerUrl());
                setSpAssertionConsumerServiceUrl(ValidationUtils.convertToUrl(serviceProviderInfo.getConsumerServiceUrl()));
                setIdpEntityId(samlConfig.getIssuer());
                setIdpSingleSignOnServiceUrl(ValidationUtils.convertToUrl(samlConfig.getSsoUrl()));
                setIdpx509cert(ValidationUtils.convertToCertificate(samlConfig.getCertificate()));
                setCompatibilityMode(true);
                setCompatibilityModeViolationHandler(OneloginJavaSamlProvider.this.conditionlessResponseHandler);
            }
        };
    }
}
