package com.appiancorp.security.auth.saml;

import com.appiancorp.suite.cfg.FeatureToggleConfiguration;
import com.appiancorp.suite.cfg.SamlConfiguration;
import java.util.Optional;
import java.util.UUID;
import org.joda.time.DateTime;
import org.opensaml.core.xml.XMLObjectBuilderFactory;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml.saml2.core.AuthnContextComparisonTypeEnumeration;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.NameIDPolicy;
import org.opensaml.saml.saml2.core.NameIDType;
import org.opensaml.saml.saml2.core.RequestedAuthnContext;
import org.opensaml.saml.saml2.core.SessionIndex;
import org.opensaml.saml.saml2.core.impl.AuthnContextClassRefBuilder;
import org.opensaml.saml.saml2.core.impl.AuthnRequestBuilder;
import org.opensaml.saml.saml2.core.impl.LogoutRequestBuilder;
import org.opensaml.saml.saml2.core.impl.NameIDBuilder;
import org.opensaml.saml.saml2.core.impl.NameIDPolicyBuilder;
import org.opensaml.saml.saml2.core.impl.SessionIndexBuilder;

/* loaded from: input_file:com/appiancorp/security/auth/saml/SamlRequestGenerator.class */
/**
 * Assembles the SP-initiated SAML 2.0 protocol messages this service provider sends to its IdP:
 * the {@link AuthnRequest} that starts a login and the {@link LogoutRequest} that starts a single logout.
 *
 * <p>The generator only builds the OpenSAML object trees. Signing, encoding and transport are not
 * done here, and the request IDs it mints are not recorded here either; whichever component validates
 * the IdP's Response is expected to correlate its {@code InResponseTo} against the ID returned by
 * {@link #buildAuthnRequest(boolean)} (that component is outside this class).
 *
 * <p>Every element is created with the namespace prefixes taken from the {@link SamlConfiguration}
 * via {@code SamlUtils}, so the emitted XML matches what the configured IdP expects.
 */
public class SamlRequestGenerator {
    /** Namespace of the SAML 2.0 protocol elements (AuthnRequest, LogoutRequest, NameIDPolicy, ...). */
    private static final String PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol";
    /** Namespace of the SAML 2.0 assertion elements (NameID, AuthnContextClassRef). */
    private static final String ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    /** Binding the IdP is asked to use when returning the Response to our assertion consumer service. */
    private static final String HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
    /** NameID format requested from Login.gov: a stable, per-SP pairwise identifier. */
    private static final String PERSISTENT_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";
    /** NameID format used when the logout NameID carries the local username instead of the IdP-issued value. */
    private static final String UNSPECIFIED_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";
    /** Login.gov-specific pseudo class-ref that lists the attributes the SP wants released ({@code %s} = IdP base URL). */
    private static final String LOGIN_GOV_REQUESTED_ATTRIBUTES_TEMPLATE =
        "%s/requested_attributes?ReqAttr=email,first_name,last_name";

    private final IssuerGenerator issuerGenerator;
    private final SamlConfiguration samlConfiguration;
    private final XMLObjectBuilderFactory xmlObjectBuilderFactory;
    private SamlSpServiceUrlGenerator samlSpServiceUrlGenerator;
    private final FeatureToggleConfiguration featureToggleConfiguration;

    /**
     * Creates a generator bound to one SAML configuration.
     *
     * @param samlConfiguration        IdP endpoints, SP name, namespace prefixes and the requested AuthnContext
     * @param issuerGenerator          builds the {@code <Issuer>} element identifying this SP
     * @param xMLObjectBuilderFactory  OpenSAML builder registry used for the RequestedAuthnContext elements
     * @param samlSpServiceUrlGenerator supplies this SP's assertion consumer service URL
     * @param featureToggleConfiguration feature flags; only {@code shouldSamlLogoutUsingUsername()} is read here
     */
    public SamlRequestGenerator(SamlConfiguration samlConfiguration, IssuerGenerator issuerGenerator, XMLObjectBuilderFactory xMLObjectBuilderFactory, SamlSpServiceUrlGenerator samlSpServiceUrlGenerator, FeatureToggleConfiguration featureToggleConfiguration) {
        this.samlConfiguration = samlConfiguration;
        this.issuerGenerator = issuerGenerator;
        this.xmlObjectBuilderFactory = xMLObjectBuilderFactory;
        this.samlSpServiceUrlGenerator = samlSpServiceUrlGenerator;
        this.featureToggleConfiguration = featureToggleConfiguration;
    }

    /**
     * Builds the {@code <AuthnRequest>} sent to the IdP's login URL.
     *
     * <p>The request gets a fresh random ID, the current instant, the HTTP-POST binding, this SP's ACS URL and
     * Issuer, a {@code Destination} equal to the configured IdP login URL, the SP name as {@code ProviderName},
     * and a {@code RequestedAuthnContext} unless that is disabled in configuration. For Login.gov a persistent
     * {@code NameIDPolicy} is added as well.
     *
     * @param z when {@code true}, sets {@code ForceAuthn="true"} so the IdP must re-authenticate the user
     *          instead of reusing an existing IdP session; otherwise the attribute is left unset
     * @return the populated, unsigned request object
     */
    public AuthnRequest buildAuthnRequest(boolean z) {
        AuthnRequest request = new AuthnRequestBuilder().buildObject(PROTOCOL_NS, "AuthnRequest", protocolPrefix());
        request.setID(freshRequestId());
        request.setVersion(SAMLVersion.VERSION_20);
        request.setIssueInstant(new DateTime());
        request.setProtocolBinding(HTTP_POST_BINDING);
        request.setAssertionConsumerServiceURL(samlSpServiceUrlGenerator.getAssertionConsumerUrl());
        request.setIssuer(issuerGenerator.buildIssuer());
        if (SamlUtils.isLoginGov(samlConfiguration)) {
            request.setNameIDPolicy(buildLoginGovNameIdPolicy());
        }
        setRequestedAuthnContext(request);
        // Destination names the exact IdP endpoint this message is meant for; the IdP checks it on receipt.
        request.setDestination(samlConfiguration.getIdpLoginUrl());
        request.setProviderName(samlConfiguration.getSpName());
        if (z) {
            request.setForceAuthn(true);
        }
        return request;
    }

    /**
     * Builds the {@code <NameIDPolicy>} used with Login.gov: persistent format with {@code AllowCreate="true"},
     * so the IdP may mint a new pairwise identifier for a first-time user.
     *
     * @return the populated policy element
     */
    public NameIDPolicy buildLoginGovNameIdPolicy() {
        NameIDPolicy policy = new NameIDPolicyBuilder().buildObject(PROTOCOL_NS, "NameIDPolicy", protocolPrefix());
        policy.setAllowCreate(true);
        policy.setFormat(PERSISTENT_NAMEID_FORMAT);
        return policy;
    }

    /**
     * Builds the {@code <LogoutRequest>} sent to the IdP's logout URL.
     *
     * @param str        the local username; used as the NameID value only when the
     *                   {@code shouldSamlLogoutUsingUsername()} toggle is on
     * @param optional   the IdP session index from the login assertion, if one is known; when present it is
     *                   echoed back as a {@code <SessionIndex>} so the IdP can target that session
     * @param nameIDType the NameID the IdP asserted at login; its qualifiers are always copied, and its
     *                   format and value are copied unless the username toggle is on. Must not be {@code null}.
     * @return the populated, unsigned request object
     */
    public LogoutRequest buildLogoutRequest(String str, Optional<String> optional, NameIDType nameIDType) {
        Issuer issuer = issuerGenerator.buildIssuer();
        LogoutRequest request = new LogoutRequestBuilder().buildObject(PROTOCOL_NS, "LogoutRequest", protocolPrefix());
        request.setID(freshRequestId());
        request.setVersion(SAMLVersion.VERSION_20);
        request.setIssueInstant(new DateTime());
        request.setIssuer(issuer);
        request.setDestination(samlConfiguration.getIdpLogoutUrl());
        optional.ifPresent(sessionIndex -> request.getSessionIndexes().add(buildSessionIndex(sessionIndex)));
        request.setNameID(buildLogoutNameId(str, nameIDType));
        return request;
    }

    /**
     * Attaches a {@code <RequestedAuthnContext>} to the request unless the configured value equals the
     * property's "disabled" sentinel.
     *
     * <p>The configured class-ref URI is always the first entry. For Login.gov the comparison is
     * {@code exact}; when the configured value is the LOA3 URI a second pseudo class-ref naming the
     * attributes to release is appended. For every other IdP the comparison is {@code minimum}, which
     * lets the IdP satisfy the request with the named context or a stronger one.
     *
     * @param authnRequest the request to decorate
     */
    private void setRequestedAuthnContext(AuthnRequest authnRequest) {
        String classRefUri = samlConfiguration.getRequestedAuthnContext();
        if (classRefUri.equals(SamlConfiguration.SamlProperty.RequestAuthnContext.getDisabledValue())) {
            return;
        }
        boolean loginGov = SamlUtils.isLoginGov(samlConfiguration);
        RequestedAuthnContext context = (RequestedAuthnContext) xmlObjectBuilderFactory
            .getBuilder(RequestedAuthnContext.DEFAULT_ELEMENT_NAME)
            .buildObject(PROTOCOL_NS, "RequestedAuthnContext", protocolPrefix());
        AuthnContextClassRefBuilder classRefBuilder =
            (AuthnContextClassRefBuilder) xmlObjectBuilderFactory.getBuilder(AuthnContextClassRef.DEFAULT_ELEMENT_NAME);
        context.getAuthnContextClassRefs().add(buildClassRef(classRefBuilder, classRefUri));
        if (loginGov && classRefUri.equals(SamlConstants.LOGIN_GOV_LOA3_AUTHN_CONTEXT_VALUE)) {
            String attributesUri = String.format(LOGIN_GOV_REQUESTED_ATTRIBUTES_TEMPLATE, SamlConstants.LOGIN_GOV_IDP_MANAGEMENT_URL);
            context.getAuthnContextClassRefs().add(buildClassRef(classRefBuilder, attributesUri));
        }
        context.setComparison(loginGov
            ? AuthnContextComparisonTypeEnumeration.EXACT
            : AuthnContextComparisonTypeEnumeration.MINIMUM);
        authnRequest.setRequestedAuthnContext(context);
    }

    /**
     * Builds one {@code <AuthnContextClassRef>} in the assertion namespace.
     *
     * @param builder the shared class-ref builder obtained from the factory
     * @param uri     the class-ref URI to carry
     * @return the populated element
     */
    private AuthnContextClassRef buildClassRef(AuthnContextClassRefBuilder builder, String uri) {
        AuthnContextClassRef classRef = builder.buildObject(ASSERTION_NS, "AuthnContextClassRef", assertionPrefix());
        classRef.setAuthnContextClassRef(uri);
        return classRef;
    }

    /**
     * Builds a {@code <SessionIndex>} carrying the given IdP session index.
     *
     * @param sessionIndex the session index value from the login assertion
     * @return the populated element
     */
    private SessionIndex buildSessionIndex(String sessionIndex) {
        SessionIndex element = new SessionIndexBuilder().buildObject(PROTOCOL_NS, "SessionIndex", protocolPrefix());
        element.setSessionIndex(sessionIndex);
        return element;
    }

    /**
     * Builds the {@code <NameID>} for a logout request.
     *
     * <p>With the {@code shouldSamlLogoutUsingUsername()} toggle on, the NameID carries the local username
     * in the SAML 1.1 "unspecified" format; otherwise it mirrors the format and value the IdP asserted.
     * The NameQualifier and SPNameQualifier are copied from the asserted NameID in both modes, so
     * {@code assertedNameId} is dereferenced unconditionally.
     *
     * @param username       the local username
     * @param assertedNameId the NameID from the login assertion; must not be {@code null}
     * @return the populated element
     */
    private NameID buildLogoutNameId(String username, NameIDType assertedNameId) {
        NameID nameId = new NameIDBuilder().buildObject(ASSERTION_NS, "NameID", assertionPrefix());
        boolean useUsername = featureToggleConfiguration.shouldSamlLogoutUsingUsername();
        nameId.setFormat(useUsername ? UNSPECIFIED_NAMEID_FORMAT : assertedNameId.getFormat());
        nameId.setValue(useUsername ? username : assertedNameId.getValue());
        nameId.setNameQualifier(assertedNameId.getNameQualifier());
        nameId.setSPNameQualifier(assertedNameId.getSPNameQualifier());
        return nameId;
    }

    /**
     * Mints a request ID from a random UUID.
     *
     * <p>SAML IDs are {@code xs:ID} values, which may not begin with a digit, hence the leading underscore.
     * {@link UUID#randomUUID()} is backed by a cryptographically strong PRNG, so the ID is unguessable to a
     * party who only sees earlier requests.
     *
     * @return a fresh ID such as {@code _123e4567-e89b-42d3-a456-426614174000} (constructed example)
     */
    private static String freshRequestId() {
        return "_" + UUID.randomUUID();
    }

    /** @return the namespace prefix configured for SAML protocol elements */
    private String protocolPrefix() {
        return SamlUtils.getSamlProtocolPrefix(samlConfiguration);
    }

    /** @return the namespace prefix configured for SAML assertion elements */
    private String assertionPrefix() {
        return SamlUtils.getSamlAssertionPrefix(samlConfiguration);
    }
}
