package org.opensaml.saml.saml2.binding.decoding.impl;

import com.google.common.base.Strings;
import jakarta.servlet.http.HttpServletRequest;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
import java.util.zip.Inflater;
import java.util.zip.InflaterInputStream;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.codec.Base64Support;
import net.shibboleth.shared.collection.CollectionSupport;
import net.shibboleth.shared.collection.Pair;
import net.shibboleth.shared.net.URISupport;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.primitive.NonnullSupplier;
import net.shibboleth.shared.primitive.StringSupport;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.decoder.MessageDecodingException;
import org.opensaml.saml.common.binding.BindingDescriptor;
import org.opensaml.saml.common.binding.SAMLBindingSupport;
import org.opensaml.saml.common.binding.decoding.SAMLMessageDecoder;
import org.opensaml.saml.common.binding.impl.BaseSAMLHttpServletRequestDecoder;
import org.opensaml.saml.common.messaging.context.SAMLBindingContext;
import org.slf4j.Logger;

/* loaded from: input_file:org/opensaml/saml/saml2/binding/decoding/impl/HTTPRedirectDeflateDecoder.class */
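/**
 * Message decoder for the SAML 2.0 HTTP-Redirect binding with the DEFLATE URL encoding.
 *
 * <p>The decoder reads {@code SAMLRequest} or {@code SAMLResponse} from a GET request, Base64-decodes
 * and inflates it, unmarshalls the result, and records on the message context the relay state, the
 * binding metadata and the byte string that a binding-level signature would have been computed over.
 * No signature is verified in this class; it only collects the inputs.</p>
 *
 * <p>Every value handled here comes from the query string and is therefore request-controlled.
 * Several of those values are written to the log at debug level.</p>
 */
public class HTTPRedirectDeflateDecoder extends BaseSAMLHttpServletRequestDecoder implements SAMLMessageDecoder {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(HTTPRedirectDeflateDecoder.class);

    /** Optional descriptor that is copied onto the binding context of each decoded message. */
    @Nullable
    private BindingDescriptor bindingDescriptor;

    /**
     * Inflater stream for raw DEFLATE data that also releases its {@link Inflater} on close.
     *
     * <p>{@code new Inflater(true)} selects "nowrap" mode, i.e. no zlib header or checksum is
     * expected. Because the inflater is supplied by this class rather than created by
     * {@link InflaterInputStream} itself, the superclass does not end it on close; {@link #close()}
     * does so explicitly so that the inflater's resources are freed promptly.</p>
     *
     * <p>The decompiler reports that it widened this class's access from private.</p>
     */
    public class NoWrapAutoEndInflaterInputStream extends InflaterInputStream {
        /**
         * @param inputStream stream of raw DEFLATE data to inflate
         */
        public NoWrapAutoEndInflaterInputStream(@Nonnull InputStream inputStream) {
            super(inputStream, new Inflater(true));
        }

        /**
         * Ends the inflater, then closes the underlying stream.
         *
         * @throws IOException if closing the underlying stream fails
         */
        @Override
        public void close() throws IOException {
            if (this.inf != null) {
                this.inf.end();
            }
            super.close();
        }
    }

    /**
     * @return the URI identifying the SAML 2.0 HTTP-Redirect binding
     */
    @Nonnull
    @NotEmpty
    public String getBindingURI() {
        return "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";
    }

    /**
     * @return the configured binding descriptor, or {@code null} if none was set
     */
    @Nullable
    public BindingDescriptor getBindingDescriptor() {
        return this.bindingDescriptor;
    }

    /**
     * @param bindingDescriptor descriptor to attach to decoded messages, may be {@code null}
     */
    public void setBindingDescriptor(@Nullable BindingDescriptor bindingDescriptor) {
        this.bindingDescriptor = bindingDescriptor;
    }

    /**
     * Decodes the current servlet request into a new {@link MessageContext}.
     *
     * <p>A request that carries neither {@code SAMLRequest} nor {@code SAMLResponse} is rejected with
     * a {@link MessageDecodingException}. That check runs before anything else depends on the
     * parameter name, so a malformed request can never surface as an {@link AssertionError} when the
     * JVM runs with assertions enabled.</p>
     *
     * @throws MessageDecodingException if the request is not a GET, names an unsupported
     *         {@code SAMLEncoding}, carries no SAML message, or the message cannot be decoded
     */
    protected void doDecode() throws MessageDecodingException {
        MessageContext messageContext = new MessageContext();
        HttpServletRequest request = getHttpServletRequest();
        if (!"GET".equalsIgnoreCase(request.getMethod())) {
            throw new MessageDecodingException("This message decoder only supports the HTTP GET method");
        }

        // An absent SAMLEncoding is accepted; a present one must name DEFLATE exactly.
        String encoding = StringSupport.trimOrNull(request.getParameter("SAMLEncoding"));
        if (encoding != null && !"urn:oasis:names:tc:SAML:2.0:bindings:URL-Encoding:DEFLATE".equals(encoding)) {
            // The request-supplied value is echoed into the exception message.
            throw new MessageDecodingException("Request indicated an unsupported SAMLEncoding: " + encoding);
        }

        // RelayState is request-controlled and logged verbatim at debug level.
        // NOTE(review): confirm the log layout neutralises line breaks in logged values.
        String relayState = request.getParameter("RelayState");
        this.log.debug("Decoded RelayState: {}", relayState);
        SAMLBindingSupport.setRelayState(messageContext, relayState);

        // SAMLRequest takes precedence when both parameters are present and non-empty.
        String parameterName = null;
        String encodedMessage = null;
        if (!Strings.isNullOrEmpty(request.getParameter("SAMLRequest"))) {
            parameterName = "SAMLRequest";
            encodedMessage = request.getParameter("SAMLRequest");
        } else if (!Strings.isNullOrEmpty(request.getParameter("SAMLResponse"))) {
            parameterName = "SAMLResponse";
            encodedMessage = request.getParameter("SAMLResponse");
        }
        if (encodedMessage == null) {
            throw new MessageDecodingException("No SAMLRequest or SAMLResponse query path parameter, invalid SAML 2 HTTP Redirect message");
        }

        // try-with-resources closes the stream, and with it the Inflater, even when unmarshalling
        // fails; otherwise each rejected message would leave an un-ended Inflater behind.
        try (InputStream inflated = decodeMessage(encodedMessage)) {
            messageContext.setMessage(unmarshallMessage(inflated));
            this.log.debug("Decoded SAML message");
        } catch (IOException e) {
            throw new MessageDecodingException("InputStream exception decoding SAML message", e);
        }

        populateSimpleSignatureContext(messageContext, parameterName, encodedMessage);
        populateBindingContext(messageContext);
        setMessageContext(messageContext);
    }

    /**
     * Stores the content covered by a binding-level signature on the message context.
     *
     * <p>The stored value is {@code null} when the signed content cannot be reconstructed from the
     * query string; this method does not treat that as an error.</p>
     *
     * @param messageContext context being populated
     * @param str name of the query parameter that carried the SAML message
     * @param str2 value of that parameter as returned by the servlet request
     * @throws MessageDecodingException declared by the signed-content helpers this method calls
     */
    protected void populateSimpleSignatureContext(@Nonnull MessageContext messageContext, @Nonnull String str, @Nonnull String str2) throws MessageDecodingException {
        ((SimpleSignatureContext) messageContext.ensureSubcontext(SimpleSignatureContext.class)).setSignedContent(getSignedContent(str, str2));
    }

    /**
     * Rebuilds the signed content from the request's raw query string and encodes it as UTF-8.
     *
     * @param parameterName name of the query parameter that carried the SAML message
     * @param encodedMessage value of that parameter as returned by the servlet request
     * @return the signed content bytes, or {@code null} if they could not be reconstructed
     * @throws MessageDecodingException declared by {@code buildSignedContentString}
     */
    @Nullable
    private byte[] getSignedContent(@Nonnull String parameterName, @Nonnull String encodedMessage) throws MessageDecodingException {
        // Both debug statements below write request-controlled query data to the log.
        String queryString = getHttpServletRequest().getQueryString();
        this.log.debug("Constructing signed content string from URL query string {}", queryString);
        String signedContent = buildSignedContentString(queryString, parameterName, encodedMessage);
        if (Strings.isNullOrEmpty(signedContent)) {
            this.log.warn("Could not extract signed content string from query string");
            return null;
        }
        this.log.debug("Constructed signed content string for HTTP-Redirect DEFLATE {}", signedContent);
        // The Charset overload cannot fail, unlike the charset-name overload.
        return signedContent.getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Concatenates the raw SAML message, RelayState and SigAlg parameters, in that order.
     *
     * <p>RelayState is optional. The SAML message parameter and SigAlg are mandatory; if either is
     * missing the result is {@code null}. Parameters are taken in their raw form from the query
     * string and are not re-encoded, presumably because the signature covers the URL-encoded form
     * as transmitted.</p>
     *
     * @param queryString raw query string of the request, may be {@code null}
     * @param parameterName name of the query parameter that carried the SAML message
     * @param encodedMessage value of that parameter as returned by the servlet request
     * @return the signed content string, or {@code null} if it cannot be built
     * @throws MessageDecodingException declared for callers; nothing in this method throws it
     */
    @NotEmpty
    @Nullable
    private String buildSignedContentString(@Nullable String queryString, @Nonnull String parameterName, @Nonnull String encodedMessage) throws MessageDecodingException {
        StringBuilder content = new StringBuilder();
        if (!appendSAMLMessageParameter(content, queryString, parameterName, encodedMessage)) {
            this.log.warn("Could not extract SAML message '{}' from the query string, cannot build simple signature content", parameterName);
            return null;
        }
        // The return value is ignored on purpose: RelayState may legitimately be absent.
        appendParameter(content, queryString, "RelayState");
        if (!appendParameter(content, queryString, "SigAlg")) {
            this.log.warn("Signature algorithm could not be extracted from request, cannot build simple signature content");
            return null;
        }
        return content.toString();
    }

    /**
     * Appends the raw {@code name=value} pair of the SAML message parameter.
     *
     * <p>Only raw parameters whose URL-decoded value equals {@code encodedMessage} are considered,
     * and exactly one such parameter must exist. This ties the signed content to the same message
     * that was actually decoded and refuses a query string in which that message is ambiguous.</p>
     *
     * @param content builder receiving the parameter
     * @param queryString raw query string of the request, may be {@code null}
     * @param parameterName name of the query parameter that carried the SAML message
     * @param encodedMessage value of that parameter as returned by the servlet request
     * @return {@code true} if exactly one matching raw parameter was found and appended
     */
    private boolean appendSAMLMessageParameter(@Nonnull StringBuilder content, @Nullable String queryString, @Nonnull String parameterName, @Nonnull String encodedMessage) {
        // Raw types and casts are kept as the decompiler emitted them; the elements are
        // presumably Pair<String, String> of raw name and raw value.
        List matches = (List) ((NonnullSupplier) URISupport.getRawQueryStringParameters(queryString, parameterName).stream().filter(candidate -> {
            return Objects.equals(encodedMessage, URISupport.doURLDecode((String) candidate.getSecond()));
        }).collect(CollectionSupport.nonnullCollector(Collectors.toList()))).get();
        if (matches.size() != 1) {
            this.log.debug("SAML message raw params extraction resulted in an invalid # of params: {}", Integer.valueOf(matches.size()));
            return false;
        }
        Pair match = (Pair) matches.get(0);
        if (content.length() > 0) {
            content.append('&');
        }
        content.append(((String) match.getFirst()) + "=" + ((String) match.getSecond()));
        return true;
    }

    /**
     * Appends one raw query-string parameter, preceded by {@code &} if the builder is not empty.
     *
     * <p>NOTE(review): how {@code URISupport.getRawQueryStringParameter} chooses among repeated
     * parameters of the same name is not visible here; confirm that it agrees with the value the
     * servlet container returns for RelayState and SigAlg.</p>
     *
     * @param content builder receiving the parameter
     * @param queryString raw query string of the request, may be {@code null}
     * @param parameterName name of the parameter to copy, may be {@code null}
     * @return {@code true} if the parameter was found and appended
     */
    private boolean appendParameter(@Nonnull StringBuilder content, @Nullable String queryString, @Nullable String parameterName) {
        String rawParameter = URISupport.getRawQueryStringParameter(queryString, parameterName);
        if (rawParameter == null) {
            return false;
        }
        if (content.length() > 0) {
            content.append('&');
        }
        content.append(rawParameter);
        return true;
    }

    /**
     * Base64-decodes the message and wraps the bytes in a raw-DEFLATE inflating stream.
     *
     * <p>Only the Base64 step runs here. Inflation happens as the returned stream is read, so
     * corrupt DEFLATE data is reported by the reader of the stream rather than by this method.</p>
     *
     * <p>NOTE(review): nothing in this method bounds the inflated size, and DEFLATE can expand a
     * short query string many times over. Confirm that the unmarshalling layer behind
     * {@code unmarshallMessage} enforces an input size limit.</p>
     *
     * @param str Base64-encoded, DEFLATE-compressed SAML message
     * @return stream yielding the inflated message; the caller must close it
     * @throws MessageDecodingException if Base64 decoding or stream construction fails
     */
    @Nonnull
    protected InputStream decodeMessage(@Nonnull String str) throws MessageDecodingException {
        this.log.debug("Base64 decoding and inflating SAML message");
        try {
            return new NoWrapAutoEndInflaterInputStream(new ByteArrayInputStream(Base64Support.decode(str)));
        } catch (Exception e) {
            this.log.error("Unable to Base64 decode and inflate SAML message: {}", e.getMessage());
            throw new MessageDecodingException("Unable to Base64 decode and inflate SAML message", e);
        }
    }

    /**
     * Records binding metadata for the decoded message on its {@link SAMLBindingContext}.
     *
     * <p>{@code hasBindingSignature} reflects only that a non-empty {@code Signature} parameter is
     * present. It says nothing about whether that signature is valid; validation is not performed
     * in this class.</p>
     *
     * @param messageContext context of the decoded message
     */
    protected void populateBindingContext(@Nonnull MessageContext messageContext) {
        SAMLBindingContext bindingContext = messageContext.ensureSubcontext(SAMLBindingContext.class);
        bindingContext.setBindingUri(getBindingURI());
        bindingContext.setBindingDescriptor(this.bindingDescriptor);
        bindingContext.setHasBindingSignature(!Strings.isNullOrEmpty(getHttpServletRequest().getParameter("Signature")));
        // Evaluated after hasBindingSignature is set on the same context; whether isMessageSigned
        // consults that flag is not visible here.
        bindingContext.setIntendedDestinationEndpointURIRequired(SAMLBindingSupport.isMessageSigned(messageContext));
    }
}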
