package org.elasticsearch.xpack.idp.saml.authn;

import java.time.Clock;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.common.Strings;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.xpack.idp.authc.AuthenticationMethod;
import org.elasticsearch.xpack.idp.authc.NetworkControl;
import org.elasticsearch.xpack.idp.saml.idp.SamlIdentityProvider;
import org.elasticsearch.xpack.idp.saml.sp.SamlServiceProvider;
import org.elasticsearch.xpack.idp.saml.support.SamlAuthenticationState;
import org.elasticsearch.xpack.idp.saml.support.SamlFactory;
import org.elasticsearch.xpack.idp.saml.support.SamlInit;
import org.elasticsearch.xpack.idp.saml.support.SamlObjectSigner;
import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
import org.opensaml.core.xml.schema.XSString;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml.saml2.core.AttributeValue;
import org.opensaml.saml.saml2.core.Audience;
import org.opensaml.saml.saml2.core.AudienceRestriction;
import org.opensaml.saml.saml2.core.AuthnContext;
import org.opensaml.saml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.opensaml.saml.saml2.core.Conditions;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.Status;
import org.opensaml.saml.saml2.core.StatusCode;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.saml2.core.SubjectConfirmationData;

/* loaded from: input_file:org/elasticsearch/xpack/idp/saml/authn/SuccessfulAuthenticationResponseMessageBuilder.class */
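/**
 * Builds the signed SAML 2.0 {@code Response} that the IdP returns to a service provider (SP)
 * after a user has been successfully authenticated.
 *
 * <p>The response carries exactly one {@code Assertion} containing:
 * <ul>
 *   <li>a bearer {@code Subject} whose {@code NameID} is a freshly generated transient identifier,</li>
 *   <li>{@code Conditions} restricting the audience to the SP's entity ID and bounding validity to
 *       {@code [now, now + SP authnExpiry)},</li>
 *   <li>an {@code AuthnStatement} whose context class is derived from how the user authenticated,</li>
 *   <li>an optional {@code AttributeStatement} (roles, principal, email, name) using the
 *       attribute names the SP has been configured with.</li>
 * </ul>
 * All IDs ({@code Response}, {@code Assertion}, transient {@code NameID}) come from
 * {@link SamlFactory#secureIdentifier()}. The finished {@code Response} element is signed by
 * {@link SamlObjectSigner}; this class does not add a separate signature to the {@code Assertion}.
 *
 * <p>The original compiled form of {@code getNameIdValueForFormat} had been decompiled into an
 * invalid {@code boolean z = -1} / {@code switch(hashCode)} construct; it is restored here to a
 * plain string comparison with identical behaviour.
 */
public class SuccessfulAuthenticationResponseMessageBuilder {

    // SAML 2.0 URIs emitted verbatim into the XML. Kept as literals so the output is byte-identical.
    private static final String NAMEID_FORMAT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient";
    private static final String SUBJECT_CONFIRMATION_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer";
    private static final String STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
    private static final String ATTRNAME_FORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri";
    private static final String AC_INTERNET_PROTOCOL_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword";
    private static final String AC_PASSWORD_PROTECTED_TRANSPORT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport";
    private static final String AC_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password";
    private static final String AC_KERBEROS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos";
    private static final String AC_TLS_CLIENT = "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient";
    private static final String AC_PREVIOUS_SESSION = "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession";
    private static final String AC_INTERNET_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol";
    private static final String AC_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified";

    private final Logger logger = LogManager.getLogger();
    /** Injected clock; every timestamp in a response is taken from a single reading of it. */
    private final Clock clock;
    private final SamlIdentityProvider idp;
    private final SamlFactory samlFactory;

    /**
     * @param samlFactory          factory for OpenSAML objects and secure random identifiers
     * @param clock                source of "now" for issue instants and validity windows
     * @param samlIdentityProvider the IdP whose entity ID is used as {@code Issuer} and whose
     *                             signing credential signs the response
     */
    public SuccessfulAuthenticationResponseMessageBuilder(SamlFactory samlFactory, Clock clock, SamlIdentityProvider samlIdentityProvider) {
        // Make sure OpenSAML is bootstrapped before any XMLObject is built.
        SamlInit.initialize();
        this.samlFactory = samlFactory;
        this.clock = clock;
        this.idp = samlIdentityProvider;
    }

    /**
     * Builds and signs a success {@code Response} for the given authenticated user.
     *
     * @param userServiceAuthentication the authenticated user together with the target SP
     * @param samlAuthenticationState   state captured from the SP's {@code AuthnRequest}, or
     *                                  {@code null} for an IdP-initiated (unsolicited) response.
     *                                  When present, its request ID is echoed as {@code InResponseTo}
     *                                  on both the {@code Response} and the subject confirmation, and
     *                                  its requested {@code NameID} format is honoured.
     * @return the signed response, re-parsed from the signed XML
     * @throws IllegalStateException if the resolved {@code NameID} format is not supported
     *                               (only the transient format is supported here)
     */
    public Response build(UserServiceAuthentication userServiceAuthentication, @Nullable SamlAuthenticationState samlAuthenticationState) {
        // NOTE(review): this logs the toString() of both objects at DEBUG; whether that includes
        // personal data (principal, email) depends on those toString() implementations - confirm.
        this.logger.debug("Building success response for [{}] from [{}]", userServiceAuthentication, samlAuthenticationState);

        // One reading of the clock so IssueInstant, NotBefore and AuthnInstant are all consistent.
        final DateTime now = now();
        final SamlServiceProvider serviceProvider = userServiceAuthentication.getServiceProvider();
        final String inResponseTo = requestIdOrNull(samlAuthenticationState);

        final Response response = this.samlFactory.object(Response.class, Response.DEFAULT_ELEMENT_NAME);
        response.setID(this.samlFactory.secureIdentifier());
        if (inResponseTo != null) {
            response.setInResponseTo(inResponseTo);
        }
        response.setIssuer(buildIssuer());
        response.setIssueInstant(now);
        response.setStatus(buildStatus());
        // Destination must equal the URL the SP receives the message on (its ACS endpoint).
        response.setDestination(serviceProvider.getAssertionConsumerService().toString());

        final Assertion assertion = this.samlFactory.object(Assertion.class, Assertion.DEFAULT_ELEMENT_NAME);
        assertion.setID(this.samlFactory.secureIdentifier());
        assertion.setIssuer(buildIssuer());
        assertion.setIssueInstant(now);
        assertion.setConditions(buildConditions(now, serviceProvider));
        assertion.setSubject(buildSubject(now, userServiceAuthentication, samlAuthenticationState));
        assertion.getAuthnStatements().add(buildAuthnStatement(now, userServiceAuthentication));

        // Attribute statement is omitted entirely when no attribute has both a configured name and a value.
        final AttributeStatement attributes = buildAttributes(userServiceAuthentication);
        if (attributes != null) {
            assertion.getAttributeStatements().add(attributes);
        }

        response.getAssertions().add(assertion);
        return sign(response);
    }

    /** Returns the originating AuthnRequest ID, or {@code null} when there is no request state. */
    private static String requestIdOrNull(@Nullable SamlAuthenticationState authnState) {
        return authnState == null ? null : authnState.getAuthnRequestId();
    }

    /**
     * Signs the {@code Response} element with the IdP's credential and re-parses the signed XML
     * so the returned object reflects the signed document.
     */
    private Response sign(Response response) {
        final SamlObjectSigner signer = new SamlObjectSigner(this.samlFactory, this.idp);
        return this.samlFactory.buildXmlObject(signer.sign(response), Response.class);
    }

    /**
     * Builds {@code Conditions} valid from {@code now} until {@code now + authnExpiry} of the SP and
     * restricted to the SP's entity ID as the sole audience.
     *
     * NOTE(review): no clock-skew allowance is applied to NotBefore here; an SP whose clock runs
     * behind the IdP will reject the assertion unless it applies its own tolerance - confirm this is
     * handled elsewhere (e.g. by the SP configuration) if it matters.
     */
    private Conditions buildConditions(DateTime now, SamlServiceProvider serviceProvider) {
        final Audience audience = this.samlFactory.object(Audience.class, Audience.DEFAULT_ELEMENT_NAME);
        audience.setAudienceURI(serviceProvider.getEntityId());

        final AudienceRestriction restriction = this.samlFactory.object(AudienceRestriction.class, AudienceRestriction.DEFAULT_ELEMENT_NAME);
        restriction.getAudiences().add(audience);

        final Conditions conditions = this.samlFactory.object(Conditions.class, Conditions.DEFAULT_ELEMENT_NAME);
        conditions.setNotBefore(now);
        conditions.setNotOnOrAfter(now.plus(serviceProvider.getAuthnExpiry()));
        conditions.getAudienceRestrictions().add(restriction);
        return conditions;
    }

    /** Current time from the injected clock, as a UTC Joda {@link DateTime}. */
    private DateTime now() {
        return new DateTime(this.clock.millis(), DateTimeZone.UTC);
    }

    /**
     * Builds the bearer {@code Subject}: the {@code NameID} plus one {@code SubjectConfirmation}
     * whose data pins the assertion to the SP's ACS URL ({@code Recipient}), to the same validity
     * window as the {@code Conditions}, and - when responding to a request - to that request's ID.
     */
    private Subject buildSubject(DateTime now, UserServiceAuthentication userServiceAuthentication, @Nullable SamlAuthenticationState samlAuthenticationState) {
        final SamlServiceProvider serviceProvider = userServiceAuthentication.getServiceProvider();

        final SubjectConfirmationData confirmationData = this.samlFactory.object(SubjectConfirmationData.class, SubjectConfirmationData.DEFAULT_ELEMENT_NAME);
        final String inResponseTo = requestIdOrNull(samlAuthenticationState);
        if (inResponseTo != null) {
            confirmationData.setInResponseTo(inResponseTo);
        }
        confirmationData.setNotBefore(now);
        confirmationData.setNotOnOrAfter(now.plus(serviceProvider.getAuthnExpiry()));
        confirmationData.setRecipient(serviceProvider.getAssertionConsumerService().toString());

        final SubjectConfirmation confirmation = this.samlFactory.object(SubjectConfirmation.class, SubjectConfirmation.DEFAULT_ELEMENT_NAME);
        confirmation.setMethod(SUBJECT_CONFIRMATION_BEARER);
        confirmation.setSubjectConfirmationData(confirmationData);

        final Subject subject = this.samlFactory.object(Subject.class, Subject.DEFAULT_ELEMENT_NAME);
        subject.setNameID(buildNameId(userServiceAuthentication, samlAuthenticationState));
        subject.getSubjectConfirmations().add(confirmation);
        return subject;
    }

    /**
     * Builds the {@code AuthnStatement}: authentication instant {@code now}, session expiry
     * {@code now + authnExpiry}, and an {@code AuthnContextClassRef} chosen by
     * {@link #resolveAuthnClass(Set, Set)}.
     */
    private AuthnStatement buildAuthnStatement(DateTime now, UserServiceAuthentication userServiceAuthentication) {
        final SamlServiceProvider serviceProvider = userServiceAuthentication.getServiceProvider();

        final AuthnContextClassRef classRef = this.samlFactory.object(AuthnContextClassRef.class, AuthnContextClassRef.DEFAULT_ELEMENT_NAME);
        classRef.setAuthnContextClassRef(
            resolveAuthnClass(userServiceAuthentication.getAuthenticationMethods(), userServiceAuthentication.getNetworkControls())
        );

        final AuthnContext context = this.samlFactory.object(AuthnContext.class, AuthnContext.DEFAULT_ELEMENT_NAME);
        context.setAuthnContextClassRef(classRef);

        final AuthnStatement statement = this.samlFactory.object(AuthnStatement.class, AuthnStatement.DEFAULT_ELEMENT_NAME);
        statement.setAuthnInstant(now);
        statement.setSessionNotOnOrAfter(now.plus(serviceProvider.getAuthnExpiry()));
        statement.setAuthnContext(context);
        return statement;
    }

    /**
     * Maps the authentication methods and network controls of a session to a SAML 2.0
     * authentication context class URI. Precedence (first match wins):
     * <ol>
     *   <li>PASSWORD: with IP_FILTER → InternetProtocolPassword; with TLS → PasswordProtectedTransport;
     *       otherwise Password</li>
     *   <li>KERBEROS → Kerberos</li>
     *   <li>TLS_CLIENT_AUTH together with TLS → TLSClient</li>
     *   <li>PRIOR_SESSION → PreviousSession</li>
     *   <li>IP_FILTER alone → InternetProtocol</li>
     *   <li>anything else → unspecified</li>
     * </ol>
     * Note that TLS_CLIENT_AUTH without the TLS network control falls through to the later cases.
     */
    private String resolveAuthnClass(Set<AuthenticationMethod> methods, Set<NetworkControl> controls) {
        if (methods.contains(AuthenticationMethod.PASSWORD)) {
            if (controls.contains(NetworkControl.IP_FILTER)) {
                return AC_INTERNET_PROTOCOL_PASSWORD;
            }
            if (controls.contains(NetworkControl.TLS)) {
                return AC_PASSWORD_PROTECTED_TRANSPORT;
            }
            return AC_PASSWORD;
        }
        if (methods.contains(AuthenticationMethod.KERBEROS)) {
            return AC_KERBEROS;
        }
        if (methods.contains(AuthenticationMethod.TLS_CLIENT_AUTH) && controls.contains(NetworkControl.TLS)) {
            return AC_TLS_CLIENT;
        }
        if (methods.contains(AuthenticationMethod.PRIOR_SESSION)) {
            return AC_PREVIOUS_SESSION;
        }
        if (controls.contains(NetworkControl.IP_FILTER)) {
            return AC_INTERNET_PROTOCOL;
        }
        return AC_UNSPECIFIED;
    }

    /**
     * Builds the {@code AttributeStatement} for roles, principal, email and name, each emitted only
     * when the SP has a configured attribute name for it and the user has a non-empty value.
     *
     * @return the statement, or {@code null} if no attribute qualifies (the caller then omits it)
     */
    private AttributeStatement buildAttributes(UserServiceAuthentication userServiceAuthentication) {
        final SamlServiceProvider serviceProvider = userServiceAuthentication.getServiceProvider();
        final SamlServiceProvider.AttributeNames names = serviceProvider.getAttributeNames();

        final List<Attribute> attributes = new ArrayList<>(4);
        addIfPresent(attributes, buildAttribute(names.roles, "roles", userServiceAuthentication.getRoles()));
        addIfPresent(attributes, buildAttribute(names.principal, "principal", userServiceAuthentication.getPrincipal()));
        addIfPresent(attributes, buildAttribute(names.email, "email", userServiceAuthentication.getEmail()));
        addIfPresent(attributes, buildAttribute(names.name, "name", userServiceAuthentication.getName()));

        if (attributes.isEmpty()) {
            return null;
        }
        final AttributeStatement statement = this.samlFactory.object(AttributeStatement.class, AttributeStatement.DEFAULT_ELEMENT_NAME);
        statement.getAttributes().addAll(attributes);
        return statement;
    }

    /** Appends {@code attribute} to {@code target} unless it is {@code null}. */
    private static void addIfPresent(List<Attribute> target, @Nullable Attribute attribute) {
        if (attribute != null) {
            target.add(attribute);
        }
    }

    /**
     * Single-valued variant of {@link #buildAttribute(String, String, Collection)}.
     *
     * @return {@code null} when the value is null/empty or no attribute name is configured
     */
    private Attribute buildAttribute(@Nullable String name, String friendlyName, @Nullable String value) {
        if (Strings.isNullOrEmpty(value)) {
            return null;
        }
        return buildAttribute(name, friendlyName, Collections.singletonList(value));
    }

    /**
     * Builds a URI-name-format {@code Attribute} with one {@code xs:string} value per element.
     *
     * @param name         the SP-configured attribute name (URI); {@code null}/empty disables the attribute
     * @param friendlyName human-readable label emitted as {@code FriendlyName}
     * @param values       attribute values; {@code null} or empty yields no attribute
     * @return the attribute, or {@code null} if either the name or the values are absent
     */
    private Attribute buildAttribute(@Nullable String name, String friendlyName, @Nullable Collection<String> values) {
        if (values == null || values.isEmpty() || Strings.isNullOrEmpty(name)) {
            return null;
        }
        final Attribute attribute = this.samlFactory.object(Attribute.class, Attribute.DEFAULT_ELEMENT_NAME);
        attribute.setName(name);
        attribute.setFriendlyName(friendlyName);
        attribute.setNameFormat(ATTRNAME_FORMAT_URI);
        for (String value : values) {
            final XSString attributeValue = this.samlFactory.object(XSString.class, AttributeValue.DEFAULT_ELEMENT_NAME, XSString.TYPE_NAME);
            attributeValue.setValue(value);
            attribute.getAttributeValues().add(attributeValue);
        }
        return attribute;
    }

    /** {@code Issuer} element carrying this IdP's entity ID. A fresh object is built per call. */
    private Issuer buildIssuer() {
        final Issuer issuer = this.samlFactory.object(Issuer.class, Issuer.DEFAULT_ELEMENT_NAME);
        issuer.setValue(this.idp.getEntityId());
        return issuer;
    }

    /** {@code Status} with the top-level {@code Success} status code and no sub-code. */
    private Status buildStatus() {
        final StatusCode code = this.samlFactory.object(StatusCode.class, StatusCode.DEFAULT_ELEMENT_NAME);
        code.setValue(STATUS_SUCCESS);
        final Status status = this.samlFactory.object(Status.class, Status.DEFAULT_ELEMENT_NAME);
        status.setStatusCode(code);
        return status;
    }

    /**
     * Builds the {@code NameID}. The format is, in order of preference: the format requested in the
     * {@code AuthnRequest} (if any), the SP's configured allowed format, or the IdP-wide default.
     *
     * NOTE(review): the requested format is used as-is here and is not compared with the SP's
     * allowed format in this class; presumably the AuthnRequest validator has already enforced
     * that before this builder runs - confirm. Unsupported formats fail closed via
     * {@link #getNameIdValueForFormat(String, UserServiceAuthentication)}.
     */
    private NameID buildNameId(UserServiceAuthentication userServiceAuthentication, @Nullable SamlAuthenticationState samlAuthenticationState) {
        final SamlServiceProvider serviceProvider = userServiceAuthentication.getServiceProvider();

        final String format;
        if (samlAuthenticationState != null && samlAuthenticationState.getRequestedNameidFormat() != null) {
            format = samlAuthenticationState.getRequestedNameidFormat();
        } else if (serviceProvider.getAllowedNameIdFormat() != null) {
            format = serviceProvider.getAllowedNameIdFormat();
        } else {
            format = this.idp.getServiceProviderDefaults().nameIdFormat;
        }

        final NameID nameId = this.samlFactory.object(NameID.class, NameID.DEFAULT_ELEMENT_NAME);
        nameId.setFormat(format);
        nameId.setValue(getNameIdValueForFormat(format, userServiceAuthentication));
        return nameId;
    }

    /**
     * Produces the {@code NameID} value for the given format. Only the transient format is supported:
     * its value is a fresh secure random identifier, so the SP cannot correlate it with the user's
     * real principal (which is conveyed, if at all, via the attribute statement).
     *
     * @throws IllegalStateException for any other (or {@code null}) format; this is a fail-closed
     *                               guard so an unsupported format never leaks a real identifier
     */
    private String getNameIdValueForFormat(@Nullable String format, UserServiceAuthentication userServiceAuthentication) {
        if (NAMEID_FORMAT_TRANSIENT.equals(format)) {
            return this.samlFactory.secureIdentifier();
        }
        throw new IllegalStateException("Unsupported NameID Format: " + format);
    }
}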
