package org.springframework.security.saml2.provider.service.authentication;

import java.nio.charset.StandardCharsets;
import java.time.Clock;
import java.util.Map;
import java.util.UUID;
import org.joda.time.DateTime;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Issuer;
import org.springframework.security.saml2.provider.service.authentication.Saml2RedirectAuthenticationRequest;
import org.springframework.util.Assert;

/* loaded from: input_file:org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationRequestFactory.class */
/**
 * Builds SAML 2.0 {@code AuthnRequest} messages with {@link OpenSamlImplementation} and
 * packages them for the HTTP-POST and HTTP-Redirect bindings.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 * <li>Whether a request is signed is decided per relying party by
 * {@code getProviderDetails().isSignAuthNRequest()}. When that flag is off, both the POST and
 * the redirect request leave this factory without the signing credentials being used.</li>
 * <li>{@code ForceAuthn} and {@code IsPassive} are always set to {@code false}.</li>
 * <li>The generated request ID is returned only inside the message; this factory keeps no
 * record of it.</li>
 * </ul>
 *
 * <p>The two setters are plain, unsynchronized field writes.
 */
public class OpenSamlAuthenticationRequestFactory implements Saml2AuthenticationRequestFactory {
    /** HTTP-POST binding URI; the default {@code ProtocolBinding} of every request. */
    private static final String HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";

    /** HTTP-Redirect binding URI; the only other value {@link #setProtocolBinding} accepts. */
    private static final String HTTP_REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";

    // Source of IssueInstant; replaceable through setClock.
    private Clock clock = Clock.systemUTC();
    private final OpenSamlImplementation saml = OpenSamlImplementation.getInstance();
    private String protocolBinding = HTTP_POST_BINDING;

    /**
     * Creates an AuthnRequest from the issuer, destination and assertion consumer service URL
     * of the given request and serializes it together with the request's credentials.
     *
     * <p>Unlike the context-based methods, this one never consults {@code isSignAuthNRequest()}:
     * the credentials are always handed to {@code serialize}. NOTE(review): presumably that
     * overload signs the XML; confirm in {@link OpenSamlImplementation}.
     *
     * @param saml2AuthenticationRequest source of issuer, destination, ACS URL and credentials
     * @return the serialized AuthnRequest
     */
    @Override
    @Deprecated
    public String createAuthenticationRequest(Saml2AuthenticationRequest saml2AuthenticationRequest) {
        AuthnRequest authnRequest = createAuthnRequest(
                saml2AuthenticationRequest.getIssuer(),
                saml2AuthenticationRequest.getDestination(),
                saml2AuthenticationRequest.getAssertionConsumerServiceUrl());
        return this.saml.serialize(authnRequest, saml2AuthenticationRequest.getCredentials());
    }

    /**
     * Creates the AuthnRequest for the HTTP-POST binding.
     *
     * <p>The serialized XML is converted to UTF-8 bytes and passed through
     * {@code Saml2Utils.samlEncode}. The signing credentials are used only when the relying
     * party registration asks for signed requests.
     *
     * @param saml2AuthenticationRequestContext source of the request values and the registration
     * @return the POST request carrying the encoded {@code SAMLRequest}
     */
    @Override
    public Saml2PostAuthenticationRequest createPostAuthenticationRequest(Saml2AuthenticationRequestContext saml2AuthenticationRequestContext) {
        AuthnRequest authnRequest = createAuthnRequest(saml2AuthenticationRequestContext);
        return Saml2PostAuthenticationRequest.withAuthenticationRequestContext(saml2AuthenticationRequestContext)
                .samlRequest(Saml2Utils.samlEncode(
                        serializeForPost(saml2AuthenticationRequestContext, authnRequest).getBytes(StandardCharsets.UTF_8)))
                .build();
    }

    /**
     * Creates the AuthnRequest for the HTTP-Redirect binding.
     *
     * <p>The XML itself is serialized without credentials, then deflated and encoded. When
     * the relying party registration asks for signed requests, the encoded request and the
     * relay state are passed to {@code signQueryParameters}, and the builder is then filled
     * from the returned map ({@code SAMLRequest}, {@code RelayState}, {@code SigAlg},
     * {@code Signature}) rather than from the local values, so the parameters sent are the
     * ones the signing step returned.
     *
     * @param saml2AuthenticationRequestContext source of the request values, relay state and registration
     * @return the redirect request, with {@code SigAlg} and {@code Signature} set only when signing is enabled
     */
    @Override
    public Saml2RedirectAuthenticationRequest createRedirectAuthenticationRequest(Saml2AuthenticationRequestContext saml2AuthenticationRequestContext) {
        String xml = this.saml.serialize(createAuthnRequest(saml2AuthenticationRequestContext));
        Saml2RedirectAuthenticationRequest.Builder builder =
                Saml2RedirectAuthenticationRequest.withAuthenticationRequestContext(saml2AuthenticationRequestContext);
        String encodedRequest = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(xml));
        builder.samlRequest(encodedRequest).relayState(saml2AuthenticationRequestContext.getRelayState());

        // Unsigned path: nothing beyond SAMLRequest and RelayState is added.
        if (!saml2AuthenticationRequestContext.getRelyingPartyRegistration().getProviderDetails().isSignAuthNRequest()) {
            return builder.build();
        }

        Map<String, String> signedParameters = this.saml.signQueryParameters(
                saml2AuthenticationRequestContext.getRelyingPartyRegistration().getSigningCredentials(),
                encodedRequest,
                saml2AuthenticationRequestContext.getRelayState());
        // Overwrite the earlier values with whatever the signing step returned.
        builder.samlRequest(signedParameters.get("SAMLRequest"))
                .relayState(signedParameters.get("RelayState"))
                .sigAlg(signedParameters.get("SigAlg"))
                .signature(signedParameters.get("Signature"));
        return builder.build();
    }

    /**
     * Serializes the request for the POST binding, passing the registration's signing
     * credentials only when {@code isSignAuthNRequest()} is true.
     */
    private String serializeForPost(Saml2AuthenticationRequestContext context, AuthnRequest authnRequest) {
        if (context.getRelyingPartyRegistration().getProviderDetails().isSignAuthNRequest()) {
            return this.saml.serialize(authnRequest, context.getRelyingPartyRegistration().getSigningCredentials());
        }
        return this.saml.serialize(authnRequest);
    }

    /** Builds the AuthnRequest from the issuer, destination and ACS URL held by the context. */
    private AuthnRequest createAuthnRequest(Saml2AuthenticationRequestContext context) {
        return createAuthnRequest(
                context.getIssuer(),
                context.getDestination(),
                context.getAssertionConsumerServiceUrl());
    }

    /**
     * Builds the AuthnRequest object.
     *
     * @param issuerValue value of the {@code Issuer} element
     * @param destination value of the {@code Destination} attribute
     * @param assertionConsumerServiceUrl value of the {@code AssertionConsumerServiceURL} attribute
     * @return the populated, not yet serialized, request
     */
    private AuthnRequest createAuthnRequest(String issuerValue, String destination, String assertionConsumerServiceUrl) {
        AuthnRequest request = (AuthnRequest) this.saml.buildSamlObject(AuthnRequest.DEFAULT_ELEMENT_NAME);
        // "ARQ" followed by a random UUID minus its first character; presumably the fixed
        // prefix is there so the ID always begins with a letter.
        String requestId = "ARQ" + UUID.randomUUID().toString().substring(1);
        request.setID(requestId);
        request.setIssueInstant(new DateTime(this.clock.millis()));
        request.setForceAuthn(Boolean.FALSE);
        request.setIsPassive(Boolean.FALSE);
        request.setProtocolBinding(this.protocolBinding);

        Issuer issuerElement = (Issuer) this.saml.buildSamlObject(Issuer.DEFAULT_ELEMENT_NAME);
        issuerElement.setValue(issuerValue);
        request.setIssuer(issuerElement);

        request.setDestination(destination);
        request.setAssertionConsumerServiceURL(assertionConsumerServiceUrl);
        return request;
    }

    /**
     * Replaces the clock used for {@code IssueInstant}.
     *
     * @param clock the clock to use; must not be null
     */
    public void setClock(Clock clock) {
        Assert.notNull(clock, "clock cannot be null");
        this.clock = clock;
    }

    /**
     * Sets the {@code ProtocolBinding} attribute written into generated requests.
     *
     * @param str either the HTTP-POST or the HTTP-Redirect binding URI
     * @throws IllegalArgumentException for any other value, including null
     */
    public void setProtocolBinding(String str) {
        boolean supported = HTTP_POST_BINDING.equals(str) || HTTP_REDIRECT_BINDING.equals(str);
        if (!supported) {
            throw new IllegalArgumentException("Invalid protocol binding: " + str);
        }
        this.protocolBinding = str;
    }
}
