package org.keycloak.protocol.saml;

import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.UUID;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.message.BasicNameValuePair;
import org.jboss.logging.Logger;
import org.keycloak.connections.httpclient.HttpClientProvider;
import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
import org.keycloak.dom.saml.v2.protocol.LogoutRequestType;
import org.keycloak.dom.saml.v2.protocol.ResponseType;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeyManager;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.LoginProtocol;
import org.keycloak.protocol.ProtocolMapper;
import org.keycloak.protocol.ProtocolMapperUtils;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.endpoints.request.AuthzEndpointRequestParser;
import org.keycloak.protocol.saml.mappers.SAMLAttributeStatementMapper;
import org.keycloak.protocol.saml.mappers.SAMLLoginResponseMapper;
import org.keycloak.protocol.saml.mappers.SAMLRoleListMapper;
import org.keycloak.protocol.saml.preprocessor.SamlAuthenticationPreprocessor;
import org.keycloak.saml.SAML2ErrorResponseBuilder;
import org.keycloak.saml.SAML2LoginResponseBuilder;
import org.keycloak.saml.SAML2LogoutRequestBuilder;
import org.keycloak.saml.SAML2LogoutResponseBuilder;
import org.keycloak.saml.SamlProtocolExtensionsAwareBuilder;
import org.keycloak.saml.SignatureAlgorithm;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.saml.common.exceptions.ConfigurationException;
import org.keycloak.saml.common.exceptions.ParsingException;
import org.keycloak.saml.common.exceptions.ProcessingException;
import org.keycloak.saml.common.util.XmlKeyInfoKeyNameTransformer;
import org.keycloak.saml.processing.api.saml.v2.request.SAML2Request;
import org.keycloak.saml.processing.core.util.KeycloakKeySamlExtensionGenerator;
import org.keycloak.services.ErrorPage;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.services.managers.ResourceAdminManager;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.RealmsResource;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.sessions.CommonClientSessionModel;
import org.w3c.dom.Document;

/* loaded from: input_file:org/keycloak/protocol/saml/SamlProtocol.class */
public class SamlProtocol implements LoginProtocol {
    public static final String ATTRIBUTE_TRUE_VALUE = "true";
    public static final String ATTRIBUTE_FALSE_VALUE = "false";
    public static final String SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE = "saml_assertion_consumer_url_post";
    public static final String SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE = "saml_assertion_consumer_url_redirect";
    public static final String SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE = "saml_single_logout_service_url_post";
    public static final String SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE = "saml_single_logout_service_url_redirect";
    public static final String LOGIN_PROTOCOL = "saml";
    public static final String SAML_BINDING = "saml_binding";
    public static final String SAML_IDP_INITIATED_LOGIN = "saml_idp_initiated_login";
    public static final String SAML_POST_BINDING = "post";
    public static final String SAML_SOAP_BINDING = "soap";
    public static final String SAML_REDIRECT_BINDING = "get";
    public static final String SAML_REQUEST_ID = "SAML_REQUEST_ID";
    public static final String SAML_LOGOUT_BINDING = "saml.logout.binding";
    public static final String SAML_LOGOUT_ADD_EXTENSIONS_ELEMENT_WITH_KEY_INFO = "saml.logout.addExtensionsElementWithKeyInfo";
    public static final String SAML_SERVER_SIGNATURE_KEYINFO_KEY_NAME_TRANSFORMER = "SAML_SERVER_SIGNATURE_KEYINFO_KEY_NAME_TRANSFORMER";
    public static final String SAML_LOGOUT_REQUEST_ID = "SAML_LOGOUT_REQUEST_ID";
    public static final String SAML_LOGOUT_RELAY_STATE = "SAML_LOGOUT_RELAY_STATE";
    public static final String SAML_LOGOUT_CANONICALIZATION = "SAML_LOGOUT_CANONICALIZATION";
    public static final String SAML_LOGOUT_BINDING_URI = "SAML_LOGOUT_BINDING_URI";
    public static final String SAML_LOGOUT_SIGNATURE_ALGORITHM = "saml.logout.signature.algorithm";
    public static final String SAML_NAME_ID = "SAML_NAME_ID";
    public static final String SAML_NAME_ID_FORMAT = "SAML_NAME_ID_FORMAT";
    public static final String SAML_PERSISTENT_NAME_ID_FOR = "saml.persistent.name.id.for";
    public static final String SAML_IDP_INITIATED_SSO_RELAY_STATE = "saml_idp_initiated_sso_relay_state";
    public static final String SAML_IDP_INITIATED_SSO_URL_NAME = "saml_idp_initiated_sso_url_name";
    public static final String SAML_LOGIN_REQUEST_FORCEAUTHN = "SAML_LOGIN_REQUEST_FORCEAUTHN";
    public static final String SAML_FORCEAUTHN_REQUIREMENT = "true";
    protected KeycloakSession session;
    protected RealmModel realm;
    protected UriInfo uriInfo;
    protected HttpHeaders headers;
    protected EventBuilder event;
    protected static final Logger logger = Logger.getLogger(SamlProtocol.class);
    public static final String SAML_DEFAULT_NAMEID_FORMAT = JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.keycloak.protocol.saml.SamlProtocol$1, reason: invalid class name */
    /* loaded from: input_file:org/keycloak/protocol/saml/SamlProtocol$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$keycloak$protocol$LoginProtocol$Error = new int[LoginProtocol.Error.values().length];

        static {
            try {
                $SwitchMap$org$keycloak$protocol$LoginProtocol$Error[LoginProtocol.Error.CANCELLED_BY_USER.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$keycloak$protocol$LoginProtocol$Error[LoginProtocol.Error.CANCELLED_AIA.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$keycloak$protocol$LoginProtocol$Error[LoginProtocol.Error.CONSENT_DENIED.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$keycloak$protocol$LoginProtocol$Error[LoginProtocol.Error.PASSIVE_INTERACTION_REQUIRED.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$keycloak$protocol$LoginProtocol$Error[LoginProtocol.Error.PASSIVE_LOGIN_REQUIRED.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
        }
    }

    /* loaded from: input_file:org/keycloak/protocol/saml/SamlProtocol$ProtocolMapperProcessor.class */
    public static class ProtocolMapperProcessor<T> {
        public final T mapper;
        public final ProtocolMapperModel model;

        public ProtocolMapperProcessor(T t, ProtocolMapperModel protocolMapperModel) {
            this.mapper = t;
            this.model = protocolMapperModel;
        }
    }

    /* renamed from: setSession, reason: merged with bridge method [inline-methods] */
    public SamlProtocol m371setSession(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
        return this;
    }

    /* renamed from: setRealm, reason: merged with bridge method [inline-methods] */
    public SamlProtocol m370setRealm(RealmModel realmModel) {
        this.realm = realmModel;
        return this;
    }

    /* renamed from: setUriInfo, reason: merged with bridge method [inline-methods] */
    public SamlProtocol m369setUriInfo(UriInfo uriInfo) {
        this.uriInfo = uriInfo;
        return this;
    }

    /* renamed from: setHttpHeaders, reason: merged with bridge method [inline-methods] */
    public SamlProtocol m368setHttpHeaders(HttpHeaders httpHeaders) {
        this.headers = httpHeaders;
        return this;
    }

    /* renamed from: setEventBuilder, reason: merged with bridge method [inline-methods] */
    public SamlProtocol m367setEventBuilder(EventBuilder eventBuilder) {
        this.event = eventBuilder;
        return this;
    }

    public Response sendError(AuthenticationSessionModel authenticationSessionModel, LoginProtocol.Error error) {
        try {
            ClientModel client = authenticationSessionModel.getClient();
            if (!"true".equals(authenticationSessionModel.getClientNote(SAML_IDP_INITIATED_LOGIN))) {
                Response samlErrorMessage = samlErrorMessage(authenticationSessionModel, new SamlClient(client), isPostBinding(authenticationSessionModel), authenticationSessionModel.getRedirectUri(), translateErrorToSAMLStatus(error), authenticationSessionModel.getClientNote("RelayState"));
                new AuthenticationSessionManager(this.session).removeAuthenticationSession(this.realm, authenticationSessionModel, true);
                return samlErrorMessage;
            }
            if (error != LoginProtocol.Error.CANCELLED_BY_USER) {
                Response error2 = ErrorPage.error(this.session, authenticationSessionModel, Response.Status.BAD_REQUEST, translateErrorToIdpInitiatedErrorMessage(error), new Object[0]);
                new AuthenticationSessionManager(this.session).removeAuthenticationSession(this.realm, authenticationSessionModel, true);
                return error2;
            }
            UriBuilder path = RealmsResource.protocolUrl(this.uriInfo).path(SamlService.class, "idpInitiatedSSO");
            HashMap hashMap = new HashMap();
            hashMap.put("realm", this.realm.getName());
            hashMap.put("protocol", "saml");
            hashMap.put("client", client.getAttribute(SAML_IDP_INITIATED_SSO_URL_NAME));
            Response build = Response.status(302).location(path.buildFromMap(hashMap)).build();
            new AuthenticationSessionManager(this.session).removeAuthenticationSession(this.realm, authenticationSessionModel, true);
            return build;
        } catch (Throwable th) {
            new AuthenticationSessionManager(this.session).removeAuthenticationSession(this.realm, authenticationSessionModel, true);
            throw th;
        }
    }

    private Response samlErrorMessage(AuthenticationSessionModel authenticationSessionModel, SamlClient samlClient, boolean z, String str, JBossSAMLURIConstants jBossSAMLURIConstants, String str2) {
        JaxrsSAML2BindingBuilder jaxrsSAML2BindingBuilder = (JaxrsSAML2BindingBuilder) new JaxrsSAML2BindingBuilder(this.session).relayState(str2);
        SAML2ErrorResponseBuilder status = new SAML2ErrorResponseBuilder().destination(str).issuer(getResponseIssuer(this.realm)).status(jBossSAMLURIConstants.get());
        KeyManager keys = this.session.keys();
        if (samlClient.requiresRealmSignature()) {
            KeyManager.ActiveRsaKey activeRsaKey = keys.getActiveRsaKey(this.realm);
            String keyName = samlClient.getXmlSigKeyInfoKeyNameTransformer().getKeyName(activeRsaKey.getKid(), activeRsaKey.getCertificate());
            String canonicalizationMethod = samlClient.getCanonicalizationMethod();
            if (canonicalizationMethod != null) {
                jaxrsSAML2BindingBuilder.canonicalizationMethod(canonicalizationMethod);
            }
            ((JaxrsSAML2BindingBuilder) ((JaxrsSAML2BindingBuilder) jaxrsSAML2BindingBuilder.signatureAlgorithm(samlClient.getSignatureAlgorithm())).signWith(keyName, activeRsaKey.getPrivateKey(), activeRsaKey.getPublicKey(), activeRsaKey.getCertificate())).signDocument();
        }
        try {
            return buildErrorResponse(z, str, jaxrsSAML2BindingBuilder, status.buildDocument());
        } catch (Exception e) {
            return ErrorPage.error(this.session, authenticationSessionModel, Response.Status.BAD_REQUEST, Messages.FAILED_TO_PROCESS_RESPONSE, new Object[0]);
        }
    }

    protected Response buildErrorResponse(boolean z, String str, JaxrsSAML2BindingBuilder jaxrsSAML2BindingBuilder, Document document) throws ConfigurationException, ProcessingException, IOException {
        return z ? jaxrsSAML2BindingBuilder.m362postBinding(document).response(str) : jaxrsSAML2BindingBuilder.m363redirectBinding(document).response(str);
    }

    private JBossSAMLURIConstants translateErrorToSAMLStatus(LoginProtocol.Error error) {
        switch (AnonymousClass1.$SwitchMap$org$keycloak$protocol$LoginProtocol$Error[error.ordinal()]) {
            case 1:
            case 2:
            case AuthenticationSessionManager.AUTH_SESSION_LIMIT /* 3 */:
                return JBossSAMLURIConstants.STATUS_REQUEST_DENIED;
            case 4:
            case AuthzEndpointRequestParser.ADDITIONAL_REQ_PARAMS_MAX_MUMBER /* 5 */:
                return JBossSAMLURIConstants.STATUS_NO_PASSIVE;
            default:
                logger.warn("Untranslated protocol Error: " + error.name() + " so we return default SAML error");
                return JBossSAMLURIConstants.STATUS_REQUEST_DENIED;
        }
    }

    private String translateErrorToIdpInitiatedErrorMessage(LoginProtocol.Error error) {
        switch (AnonymousClass1.$SwitchMap$org$keycloak$protocol$LoginProtocol$Error[error.ordinal()]) {
            case AuthenticationSessionManager.AUTH_SESSION_LIMIT /* 3 */:
                return Messages.CONSENT_DENIED;
            case 4:
            case AuthzEndpointRequestParser.ADDITIONAL_REQ_PARAMS_MAX_MUMBER /* 5 */:
                return Messages.UNEXPECTED_ERROR_HANDLING_REQUEST;
            default:
                logger.warn("Untranslated protocol Error: " + error.name() + " so we return default error message");
                return Messages.UNEXPECTED_ERROR_HANDLING_REQUEST;
        }
    }

    protected String getResponseIssuer(RealmModel realmModel) {
        return RealmsResource.realmBaseUrl(this.uriInfo).build(new Object[]{realmModel.getName()}).toString();
    }

    protected boolean isPostBinding(AuthenticationSessionModel authenticationSessionModel) {
        return SAML_POST_BINDING.equals(authenticationSessionModel.getClientNote(SAML_BINDING)) || new SamlClient(authenticationSessionModel.getClient()).forcePostBinding();
    }

    protected boolean isPostBinding(AuthenticatedClientSessionModel authenticatedClientSessionModel) {
        return SAML_POST_BINDING.equals(authenticatedClientSessionModel.getNote(SAML_BINDING)) || new SamlClient(authenticatedClientSessionModel.getClient()).forcePostBinding();
    }

    public static boolean isLogoutPostBindingForInitiator(UserSessionModel userSessionModel) {
        return SAML_POST_BINDING.equals(userSessionModel.getNote(SAML_LOGOUT_BINDING));
    }

    protected boolean isLogoutPostBindingForClient(AuthenticatedClientSessionModel authenticatedClientSessionModel) {
        ClientModel client = authenticatedClientSessionModel.getClient();
        SamlClient samlClient = new SamlClient(client);
        String attribute = client.getAttribute(SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE);
        String attribute2 = client.getAttribute(SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE);
        return (attribute == null || attribute.trim().isEmpty()) ? attribute2 == null || attribute2.trim().isEmpty() : samlClient.forcePostBinding() || SAML_POST_BINDING.equals(authenticatedClientSessionModel.getNote(SAML_BINDING)) || attribute2 == null || attribute2.trim().isEmpty();
    }

    protected String getNameIdFormat(SamlClient samlClient, AuthenticationSessionModel authenticationSessionModel) {
        String clientNote = authenticationSessionModel.getClientNote("NAMEID_FORMAT");
        boolean forceNameIDFormat = samlClient.forceNameIDFormat();
        String nameIDFormat = samlClient.getNameIDFormat();
        if ((clientNote == null || forceNameIDFormat) && nameIDFormat != null) {
            clientNote = nameIDFormat;
        }
        return clientNote == null ? SAML_DEFAULT_NAMEID_FORMAT : clientNote;
    }

    protected String getNameId(String str, CommonClientSessionModel commonClientSessionModel, UserSessionModel userSessionModel) {
        if (!str.equals(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get())) {
            return str.equals(JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get()) ? "G-" + UUID.randomUUID().toString() : str.equals(JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get()) ? getPersistentNameId(commonClientSessionModel, userSessionModel) : str.equals(JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get()) ? userSessionModel.getUser().getUsername() : userSessionModel.getUser().getUsername();
        }
        String email = userSessionModel.getUser().getEmail();
        if (email == null) {
            logger.debugf("E-mail of the user %s has to be set for %s NameIDFormat", userSessionModel.getUser().getUsername(), JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get());
        }
        return email;
    }

    protected String getPersistentNameId(CommonClientSessionModel commonClientSessionModel, UserSessionModel userSessionModel) {
        UserModel user = userSessionModel.getUser();
        String format = String.format("%s.%s", SAML_PERSISTENT_NAME_ID_FOR, commonClientSessionModel.getClient().getClientId());
        String firstAttribute = user.getFirstAttribute(format);
        if (firstAttribute != null) {
            return firstAttribute;
        }
        String firstAttribute2 = user.getFirstAttribute(String.format("%s.*", SAML_PERSISTENT_NAME_ID_FOR));
        if (firstAttribute2 != null) {
            return firstAttribute2;
        }
        String str = "G-" + UUID.randomUUID().toString();
        user.setSingleAttribute(format, str);
        return str;
    }

    public Response authenticated(AuthenticationSessionModel authenticationSessionModel, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext) {
        AuthenticatedClientSessionModel clientSession = clientSessionContext.getClientSession();
        ClientModel client = clientSession.getClient();
        SamlClient samlClient = new SamlClient(client);
        String clientNote = authenticationSessionModel.getClientNote(SAML_REQUEST_ID);
        String clientNote2 = authenticationSessionModel.getClientNote("RelayState");
        String redirectUri = authenticationSessionModel.getRedirectUri();
        String responseIssuer = getResponseIssuer(this.realm);
        String nameIdFormat = getNameIdFormat(samlClient, authenticationSessionModel);
        String nameId = getNameId(nameIdFormat, authenticationSessionModel, userSessionModel);
        if (nameId == null) {
            return samlErrorMessage(null, samlClient, isPostBinding(authenticationSessionModel), redirectUri, JBossSAMLURIConstants.STATUS_INVALID_NAMEIDPOLICY, clientNote2);
        }
        clientSession.setNote(SAML_NAME_ID, nameId);
        clientSession.setNote(SAML_NAME_ID_FORMAT, nameIdFormat);
        int assertionLifespan = samlClient.getAssertionLifespan();
        SAML2LoginResponseBuilder sAML2LoginResponseBuilder = new SAML2LoginResponseBuilder();
        sAML2LoginResponseBuilder.requestID(clientNote).destination(redirectUri).issuer(responseIssuer).assertionExpiration(assertionLifespan <= 0 ? this.realm.getAccessCodeLifespan() : assertionLifespan).subjectExpiration(assertionLifespan <= 0 ? this.realm.getAccessTokenLifespan() : assertionLifespan).sessionExpiration(this.realm.getSsoSessionMaxLifespan()).requestIssuer(clientSession.getClient().getClientId()).nameIdentifier(nameIdFormat, nameId).authMethod(JBossSAMLURIConstants.AC_UNSPECIFIED.get());
        sAML2LoginResponseBuilder.sessionIndex(SamlSessionUtils.getSessionIndex(clientSession));
        if (!samlClient.includeAuthnStatement()) {
            sAML2LoginResponseBuilder.disableAuthnStatement(true);
        }
        sAML2LoginResponseBuilder.includeOneTimeUseCondition(samlClient.includeOneTimeUseCondition());
        LinkedList linkedList = new LinkedList();
        LinkedList linkedList2 = new LinkedList();
        ProtocolMapperProcessor<SAMLRoleListMapper> protocolMapperProcessor = null;
        for (Map.Entry<ProtocolMapperModel, ProtocolMapper> entry : ProtocolMapperUtils.getSortedProtocolMappers(this.session, clientSessionContext)) {
            ProtocolMapperModel key = entry.getKey();
            SAMLRoleListMapper sAMLRoleListMapper = (ProtocolMapper) entry.getValue();
            if (sAMLRoleListMapper instanceof SAMLAttributeStatementMapper) {
                linkedList.add(new ProtocolMapperProcessor<>((SAMLAttributeStatementMapper) sAMLRoleListMapper, key));
            }
            if (sAMLRoleListMapper instanceof SAMLLoginResponseMapper) {
                linkedList2.add(new ProtocolMapperProcessor<>((SAMLLoginResponseMapper) sAMLRoleListMapper, key));
            }
            if (sAMLRoleListMapper instanceof SAMLRoleListMapper) {
                protocolMapperProcessor = new ProtocolMapperProcessor<>(sAMLRoleListMapper, key);
            }
        }
        KeyManager.ActiveRsaKey activeRsaKey = this.session.keys().getActiveRsaKey(this.realm);
        boolean isPostBinding = isPostBinding(authenticationSessionModel);
        String keyName = samlClient.getXmlSigKeyInfoKeyNameTransformer().getKeyName(activeRsaKey.getKid(), activeRsaKey.getCertificate());
        if (!isPostBinding) {
            try {
                if (samlClient.requiresRealmSignature() && samlClient.addExtensionsElementWithKeyInfo()) {
                    sAML2LoginResponseBuilder.addExtension(new KeycloakKeySamlExtensionGenerator(keyName));
                }
            } catch (Exception e) {
                logger.error("failed", e);
                return ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, Messages.FAILED_TO_PROCESS_RESPONSE, new Object[0]);
            }
        }
        ResponseType buildModel = sAML2LoginResponseBuilder.buildModel();
        AttributeStatementType populateAttributeStatements = populateAttributeStatements(linkedList, this.session, userSessionModel, clientSession);
        populateRoles(protocolMapperProcessor, this.session, userSessionModel, clientSessionContext, populateAttributeStatements);
        if (populateAttributeStatements.getAttributes().size() > 0) {
            ((ResponseType.RTChoiceType) buildModel.getAssertions().get(0)).getAssertion().addStatement(populateAttributeStatements);
        }
        Document buildDocument = sAML2LoginResponseBuilder.buildDocument(transformLoginResponse(linkedList2, buildModel, this.session, userSessionModel, clientSessionContext));
        JaxrsSAML2BindingBuilder jaxrsSAML2BindingBuilder = new JaxrsSAML2BindingBuilder(this.session);
        jaxrsSAML2BindingBuilder.relayState(clientNote2);
        if (samlClient.requiresRealmSignature()) {
            String canonicalizationMethod = samlClient.getCanonicalizationMethod();
            if (canonicalizationMethod != null) {
                jaxrsSAML2BindingBuilder.canonicalizationMethod(canonicalizationMethod);
            }
            ((JaxrsSAML2BindingBuilder) ((JaxrsSAML2BindingBuilder) jaxrsSAML2BindingBuilder.signatureAlgorithm(samlClient.getSignatureAlgorithm())).signWith(keyName, activeRsaKey.getPrivateKey(), activeRsaKey.getPublicKey(), activeRsaKey.getCertificate())).signDocument();
        }
        if (samlClient.requiresAssertionSignature()) {
            String canonicalizationMethod2 = samlClient.getCanonicalizationMethod();
            if (canonicalizationMethod2 != null) {
                jaxrsSAML2BindingBuilder.canonicalizationMethod(canonicalizationMethod2);
            }
            ((JaxrsSAML2BindingBuilder) ((JaxrsSAML2BindingBuilder) jaxrsSAML2BindingBuilder.signatureAlgorithm(samlClient.getSignatureAlgorithm())).signWith(keyName, activeRsaKey.getPrivateKey(), activeRsaKey.getPublicKey(), activeRsaKey.getCertificate())).signAssertions();
        }
        if (samlClient.requiresEncryption()) {
            try {
                jaxrsSAML2BindingBuilder.encrypt(SamlProtocolUtils.getEncryptionKey(client));
            } catch (Exception e2) {
                logger.error("failed", e2);
                return ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, Messages.FAILED_TO_PROCESS_RESPONSE, new Object[0]);
            }
        }
        try {
            return buildAuthenticatedResponse(clientSession, redirectUri, buildDocument, jaxrsSAML2BindingBuilder);
        } catch (Exception e3) {
            logger.error("failed", e3);
            return ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, Messages.FAILED_TO_PROCESS_RESPONSE, new Object[0]);
        }
    }

    protected Response buildAuthenticatedResponse(AuthenticatedClientSessionModel authenticatedClientSessionModel, String str, Document document, JaxrsSAML2BindingBuilder jaxrsSAML2BindingBuilder) throws ConfigurationException, ProcessingException, IOException {
        return isPostBinding(authenticatedClientSessionModel) ? jaxrsSAML2BindingBuilder.m362postBinding(document).response(str) : jaxrsSAML2BindingBuilder.m363redirectBinding(document).response(str);
    }

    public AttributeStatementType populateAttributeStatements(List<ProtocolMapperProcessor<SAMLAttributeStatementMapper>> list, KeycloakSession keycloakSession, UserSessionModel userSessionModel, AuthenticatedClientSessionModel authenticatedClientSessionModel) {
        AttributeStatementType attributeStatementType = new AttributeStatementType();
        for (ProtocolMapperProcessor<SAMLAttributeStatementMapper> protocolMapperProcessor : list) {
            protocolMapperProcessor.mapper.transformAttributeStatement(attributeStatementType, protocolMapperProcessor.model, keycloakSession, userSessionModel, authenticatedClientSessionModel);
        }
        return attributeStatementType;
    }

    public ResponseType transformLoginResponse(List<ProtocolMapperProcessor<SAMLLoginResponseMapper>> list, ResponseType responseType, KeycloakSession keycloakSession, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext) {
        for (ProtocolMapperProcessor<SAMLLoginResponseMapper> protocolMapperProcessor : list) {
            responseType = protocolMapperProcessor.mapper.transformLoginResponse(responseType, protocolMapperProcessor.model, keycloakSession, userSessionModel, clientSessionContext);
        }
        Iterator<SamlAuthenticationPreprocessor> samlAuthenticationPreprocessorIterator = SamlSessionUtils.getSamlAuthenticationPreprocessorIterator(keycloakSession);
        while (samlAuthenticationPreprocessorIterator.hasNext()) {
            responseType = (ResponseType) samlAuthenticationPreprocessorIterator.next().beforeSendingResponse(responseType, clientSessionContext.getClientSession());
        }
        return responseType;
    }

    public void populateRoles(ProtocolMapperProcessor<SAMLRoleListMapper> protocolMapperProcessor, KeycloakSession keycloakSession, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext, AttributeStatementType attributeStatementType) {
        if (protocolMapperProcessor == null) {
            return;
        }
        protocolMapperProcessor.mapper.mapRoles(attributeStatementType, protocolMapperProcessor.model, keycloakSession, userSessionModel, clientSessionContext);
    }

    public static String getLogoutServiceUrl(KeycloakSession keycloakSession, ClientModel clientModel, String str) {
        String attribute = SAML_POST_BINDING.equals(str) ? clientModel.getAttribute(SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE) : clientModel.getAttribute(SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE);
        if (attribute == null) {
            attribute = clientModel.getManagementUrl();
        }
        if (attribute == null || attribute.trim().equals("")) {
            return null;
        }
        return ResourceAdminManager.resolveUri(keycloakSession, clientModel.getRootUrl(), attribute);
    }

    public Response frontchannelLogout(UserSessionModel userSessionModel, AuthenticatedClientSessionModel authenticatedClientSessionModel) {
        SamlProtocolExtensionsAwareBuilder.NodeGenerator[] nodeGeneratorArr;
        ClientModel client = authenticatedClientSessionModel.getClient();
        SamlClient samlClient = new SamlClient(client);
        try {
            boolean isLogoutPostBindingForClient = isLogoutPostBindingForClient(authenticatedClientSessionModel);
            String logoutServiceUrl = getLogoutServiceUrl(this.session, client, isLogoutPostBindingForClient ? SAML_POST_BINDING : SAML_REDIRECT_BINDING);
            if (logoutServiceUrl == null) {
                logger.warnf("Failed to logout client %s, skipping this client.  Please configure the logout service url in the admin console for your client applications.", client.getClientId());
                return null;
            }
            if (isLogoutPostBindingForClient) {
                return createBindingBuilder(samlClient).m362postBinding(SAML2Request.convert(createLogoutRequest(logoutServiceUrl, authenticatedClientSessionModel, client, new SamlProtocolExtensionsAwareBuilder.NodeGenerator[0]))).request(logoutServiceUrl);
            }
            logger.debug("frontchannel redirect binding");
            if (samlClient.requiresRealmSignature() && samlClient.addExtensionsElementWithKeyInfo()) {
                KeyManager.ActiveRsaKey activeRsaKey = this.session.keys().getActiveRsaKey(this.realm);
                nodeGeneratorArr = new SamlProtocolExtensionsAwareBuilder.NodeGenerator[]{new KeycloakKeySamlExtensionGenerator(samlClient.getXmlSigKeyInfoKeyNameTransformer().getKeyName(activeRsaKey.getKid(), activeRsaKey.getCertificate()))};
            } else {
                nodeGeneratorArr = new SamlProtocolExtensionsAwareBuilder.NodeGenerator[0];
            }
            return createBindingBuilder(samlClient).m363redirectBinding(SAML2Request.convert(createLogoutRequest(logoutServiceUrl, authenticatedClientSessionModel, client, nodeGeneratorArr))).request(logoutServiceUrl);
        } catch (IOException e) {
            throw new RuntimeException(e);
        } catch (ConfigurationException e2) {
            throw new RuntimeException((Throwable) e2);
        } catch (ParsingException e3) {
            throw new RuntimeException((Throwable) e3);
        } catch (ProcessingException e4) {
            throw new RuntimeException((Throwable) e4);
        }
    }

    public Response finishLogout(UserSessionModel userSessionModel) {
        logger.debug("finishLogout");
        String note = userSessionModel.getNote(SAML_LOGOUT_BINDING_URI);
        if (note == null) {
            logger.error("Can't finish SAML logout as there is no logout binding set.  Please configure the logout service url in the admin console for your client applications.");
            return ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, Messages.FAILED_LOGOUT, new Object[0]);
        }
        String note2 = userSessionModel.getNote(SAML_LOGOUT_RELAY_STATE);
        SAML2LogoutResponseBuilder sAML2LogoutResponseBuilder = new SAML2LogoutResponseBuilder();
        sAML2LogoutResponseBuilder.logoutRequestID(userSessionModel.getNote(SAML_LOGOUT_REQUEST_ID));
        sAML2LogoutResponseBuilder.destination(note);
        sAML2LogoutResponseBuilder.issuer(getResponseIssuer(this.realm));
        JaxrsSAML2BindingBuilder jaxrsSAML2BindingBuilder = new JaxrsSAML2BindingBuilder(this.session);
        jaxrsSAML2BindingBuilder.relayState(note2);
        String note3 = userSessionModel.getNote(SAML_LOGOUT_SIGNATURE_ALGORITHM);
        boolean isLogoutPostBindingForInitiator = isLogoutPostBindingForInitiator(userSessionModel);
        if (note3 != null) {
            SignatureAlgorithm valueOf = SignatureAlgorithm.valueOf(note3);
            String note4 = userSessionModel.getNote(SAML_LOGOUT_CANONICALIZATION);
            if (note4 != null) {
                jaxrsSAML2BindingBuilder.canonicalizationMethod(note4);
            }
            KeyManager.ActiveRsaKey activeRsaKey = this.session.keys().getActiveRsaKey(this.realm);
            String keyName = XmlKeyInfoKeyNameTransformer.from(userSessionModel.getNote(SAML_SERVER_SIGNATURE_KEYINFO_KEY_NAME_TRANSFORMER), SamlClient.DEFAULT_XML_KEY_INFO_KEY_NAME_TRANSFORMER).getKeyName(activeRsaKey.getKid(), activeRsaKey.getCertificate());
            ((JaxrsSAML2BindingBuilder) ((JaxrsSAML2BindingBuilder) jaxrsSAML2BindingBuilder.signatureAlgorithm(valueOf)).signWith(keyName, activeRsaKey.getPrivateKey(), activeRsaKey.getPublicKey(), activeRsaKey.getCertificate())).signDocument();
            if (!isLogoutPostBindingForInitiator && Objects.equals("true", userSessionModel.getNote(SAML_LOGOUT_ADD_EXTENSIONS_ELEMENT_WITH_KEY_INFO))) {
                sAML2LogoutResponseBuilder.addExtension(new KeycloakKeySamlExtensionGenerator(keyName));
            }
        }
        try {
            Response buildLogoutResponse = buildLogoutResponse(userSessionModel, note, sAML2LogoutResponseBuilder, jaxrsSAML2BindingBuilder);
            if (note != null) {
                this.event.detail("redirect_uri", note);
            }
            this.event.event(EventType.LOGOUT).detail("auth_method", userSessionModel.getAuthMethod()).client(this.session.getContext().getClient()).user(userSessionModel.getUser()).session(userSessionModel).detail("username", userSessionModel.getLoginUsername()).detail(OIDCLoginProtocol.RESPONSE_MODE_PARAM, isLogoutPostBindingForInitiator ? SAML_POST_BINDING : SAML_REDIRECT_BINDING).detail(SAML_LOGOUT_REQUEST_ID, userSessionModel.getNote(SAML_LOGOUT_REQUEST_ID)).success();
            return buildLogoutResponse;
        } catch (ConfigurationException | ProcessingException | IOException e) {
            throw new RuntimeException((Throwable) e);
        }
    }

    protected Response buildLogoutResponse(UserSessionModel userSessionModel, String str, SAML2LogoutResponseBuilder sAML2LogoutResponseBuilder, JaxrsSAML2BindingBuilder jaxrsSAML2BindingBuilder) throws ConfigurationException, ProcessingException, IOException {
        return isLogoutPostBindingForInitiator(userSessionModel) ? jaxrsSAML2BindingBuilder.m362postBinding(sAML2LogoutResponseBuilder.buildDocument()).response(str) : jaxrsSAML2BindingBuilder.m363redirectBinding(sAML2LogoutResponseBuilder.buildDocument()).response(str);
    }

    public void backchannelLogout(UserSessionModel userSessionModel, AuthenticatedClientSessionModel authenticatedClientSessionModel) {
        InputStream content;
        InputStream content2;
        ClientModel client = authenticatedClientSessionModel.getClient();
        SamlClient samlClient = new SamlClient(client);
        String logoutServiceUrl = getLogoutServiceUrl(this.session, client, SAML_POST_BINDING);
        if (logoutServiceUrl == null) {
            logger.warnf("Can't do backchannel logout. No SingleLogoutService POST Binding registered for client: %s", client.getClientId());
            return;
        }
        try {
            String encoded = createBindingBuilder(samlClient).m362postBinding(SAML2Request.convert(createLogoutRequest(logoutServiceUrl, authenticatedClientSessionModel, client, new SamlProtocolExtensionsAwareBuilder.NodeGenerator[0]))).encoded();
            HttpClient httpClient = this.session.getProvider(HttpClientProvider.class).getHttpClient();
            for (int i = 0; i < 2; i++) {
                try {
                    ArrayList arrayList = new ArrayList();
                    arrayList.add(new BasicNameValuePair("SAMLRequest", encoded));
                    arrayList.add(new BasicNameValuePair("BACK_CHANNEL_LOGOUT", "BACK_CHANNEL_LOGOUT"));
                    UrlEncodedFormEntity urlEncodedFormEntity = new UrlEncodedFormEntity(arrayList, "UTF-8");
                    HttpPost httpPost = new HttpPost(logoutServiceUrl);
                    httpPost.setEntity(urlEncodedFormEntity);
                    HttpResponse execute = httpClient.execute(httpPost);
                    try {
                        if (execute.getStatusLine().getStatusCode() == 302 && !logoutServiceUrl.endsWith("/")) {
                            String value = execute.getFirstHeader("Location").getValue();
                            String str = logoutServiceUrl + "/";
                            if (str.equals(value)) {
                                logoutServiceUrl = str;
                                HttpEntity entity = execute.getEntity();
                                if (entity != null && (content2 = entity.getContent()) != null) {
                                    content2.close();
                                }
                            }
                        }
                        return;
                    } finally {
                        HttpEntity entity2 = execute.getEntity();
                        if (entity2 != null && (content = entity2.getContent()) != null) {
                            content.close();
                        }
                    }
                } catch (IOException e) {
                    logger.warn("failed to send saml logout", e);
                    return;
                }
            }
        } catch (Exception e2) {
            logger.warn("failed to send saml logout", e2);
        }
    }

    protected LogoutRequestType createLogoutRequest(String str, AuthenticatedClientSessionModel authenticatedClientSessionModel, ClientModel clientModel, SamlProtocolExtensionsAwareBuilder.NodeGenerator... nodeGeneratorArr) throws ConfigurationException {
        SAML2LogoutRequestBuilder destination = new SAML2LogoutRequestBuilder().assertionExpiration(this.realm.getAccessCodeLifespan()).issuer(getResponseIssuer(this.realm)).userPrincipal(authenticatedClientSessionModel.getNote(SAML_NAME_ID), authenticatedClientSessionModel.getNote(SAML_NAME_ID_FORMAT)).destination(str);
        destination.sessionIndex(SamlSessionUtils.getSessionIndex(authenticatedClientSessionModel));
        for (SamlProtocolExtensionsAwareBuilder.NodeGenerator nodeGenerator : nodeGeneratorArr) {
            destination.addExtension(nodeGenerator);
        }
        LogoutRequestType createLogoutRequest = destination.createLogoutRequest();
        Iterator<SamlAuthenticationPreprocessor> samlAuthenticationPreprocessorIterator = SamlSessionUtils.getSamlAuthenticationPreprocessorIterator(this.session);
        while (samlAuthenticationPreprocessorIterator.hasNext()) {
            createLogoutRequest = samlAuthenticationPreprocessorIterator.next().beforeSendingLogoutRequest(createLogoutRequest, authenticatedClientSessionModel.getUserSession(), authenticatedClientSessionModel);
        }
        return createLogoutRequest;
    }

    public boolean requireReauthentication(UserSessionModel userSessionModel, AuthenticationSessionModel authenticationSessionModel) {
        return Objects.equals("true", authenticationSessionModel.getAuthNote(SAML_LOGIN_REQUEST_FORCEAUTHN));
    }

    private JaxrsSAML2BindingBuilder createBindingBuilder(SamlClient samlClient) {
        JaxrsSAML2BindingBuilder jaxrsSAML2BindingBuilder = new JaxrsSAML2BindingBuilder(this.session);
        if (samlClient.requiresRealmSignature()) {
            KeyManager.ActiveRsaKey activeRsaKey = this.session.keys().getActiveRsaKey(this.realm);
            ((JaxrsSAML2BindingBuilder) ((JaxrsSAML2BindingBuilder) jaxrsSAML2BindingBuilder.signatureAlgorithm(samlClient.getSignatureAlgorithm())).signWith(samlClient.getXmlSigKeyInfoKeyNameTransformer().getKeyName(activeRsaKey.getKid(), activeRsaKey.getCertificate()), activeRsaKey.getPrivateKey(), activeRsaKey.getPublicKey(), activeRsaKey.getCertificate())).signDocument();
        }
        return jaxrsSAML2BindingBuilder;
    }

    public void close() {
    }
}
