package com.digiwin.dap.middleware.iam.api;

import com.alibaba.nacos.common.utils.CollectionUtils;
import com.digiwin.dap.middleware.cache.RedisUtils;
import com.digiwin.dap.middleware.commons.core.codec.Base64;
import com.digiwin.dap.middleware.exception.BusinessException;
import com.digiwin.dap.middleware.iam.constant.I18nError;
import com.digiwin.dap.middleware.iam.constant.IamConstants;
import com.digiwin.dap.middleware.iam.constant.RedisConstants;
import com.digiwin.dap.middleware.iam.constant.enums.SsoTypeEnum;
import com.digiwin.dap.middleware.iam.domain.EnvProperties;
import com.digiwin.dap.middleware.iam.domain.cache.UserTempTokenCacheVO;
import com.digiwin.dap.middleware.iam.domain.tenant.metadata.TenantMetadataSAMLVO;
import com.digiwin.dap.middleware.iam.domain.usermapping.UserMappingQueryResultVO;
import com.digiwin.dap.middleware.iam.entity.SysSsoUrlConfig;
import com.digiwin.dap.middleware.iam.entity.Tenant;
import com.digiwin.dap.middleware.iam.service.sso.SysSsoUrlConfigCrudService;
import com.digiwin.dap.middleware.iam.service.tenant.TenantCrudService;
import com.digiwin.dap.middleware.iam.service.tenantmetadata.TenantMetadataCrudService;
import com.digiwin.dap.middleware.iam.service.usermapping.UserMappingService;
import com.digiwin.dap.middleware.iam.util.IDPCredentialsUtil;
import com.digiwin.dap.middleware.iam.util.SAMLUtil;
import com.digiwin.dap.middleware.iam.util.SPCredentialsUtil;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.util.Objects;
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.parsers.DocumentBuilderFactory;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.xml.SerializeSupport;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;
import org.joda.time.DateTime;
import org.opensaml.core.config.InitializationException;
import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.core.xml.schema.XSString;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.encoder.MessageEncodingException;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.messaging.context.SAMLEndpointContext;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.binding.decoding.impl.HTTPRedirectDeflateDecoder;
import org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder;
import org.opensaml.saml.saml2.binding.encoding.impl.HTTPRedirectDeflateEncoder;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.LogoutResponse;
import org.opensaml.saml.saml2.core.NameIDType;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.StatusCode;
import org.opensaml.saml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.KeyDescriptor;
import org.opensaml.saml.saml2.metadata.NameIDFormat;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml.saml2.metadata.SingleLogoutService;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.UsageType;
import org.opensaml.xmlsec.SignatureSigningParameters;
import org.opensaml.xmlsec.config.JavaCryptoValidationInitializer;
import org.opensaml.xmlsec.context.SecurityParametersContext;
import org.opensaml.xmlsec.keyinfo.KeyInfoGenerator;
import org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RequestMapping({"/api/iam/v2/saml"})
@RestController
/* loaded from: input_file:WEB-INF/classes/com/digiwin/dap/middleware/iam/api/SAMLController.class */
public class SAMLController {
    private static final Logger logger = LoggerFactory.getLogger((Class<?>) SAMLController.class);

    @Autowired
    private TenantMetadataCrudService tenantMetadataCrudService;

    @Autowired
    private TenantCrudService tenantCrudService;

    @Autowired
    private EnvProperties envProperties;

    @Autowired
    private UserMappingService userMappingService;

    @Autowired
    private SysSsoUrlConfigCrudService sysSsoUrlConfigCrudService;

    @GetMapping({DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL})
    public void login(@RequestParam(value = "tenantId", required = false) String str, @RequestParam(value = "sysId", required = false) String str2, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            if (!StringUtils.hasText(str) || !StringUtils.hasText(str2)) {
                throw new BusinessException(I18nError.PARAM_ERROR);
            }
            SysSsoUrlConfig findBySysIdAndSsoType = this.sysSsoUrlConfigCrudService.findBySysIdAndSsoType(str2, SsoTypeEnum.SAML.getCode());
            if (Objects.isNull(findBySysIdAndSsoType)) {
                throw new BusinessException(I18nError.IAM_SAML_SYS_NOT_EXIST);
            }
            try {
                TenantMetadataSAMLVO tenantMetadataSAMLVO = getTenantMetadataSAMLVO(str);
                AuthnRequest buildAuthnRequest = SAMLUtil.buildAuthnRequest(str, tenantMetadataSAMLVO, findBySysIdAndSsoType, this.envProperties.getIamUri());
                MessageContext messageContext = new MessageContext();
                messageContext.setMessage(buildAuthnRequest);
                ((SAMLEndpointContext) ((SAMLPeerEntityContext) messageContext.getSubcontext(SAMLPeerEntityContext.class, true)).getSubcontext(SAMLEndpointContext.class, true)).setEndpoint(SAMLUtil.getIDPEndpoint(tenantMetadataSAMLVO, true));
                if ("REDIRECT".equals(tenantMetadataSAMLVO.getBindType())) {
                    HTTPRedirectDeflateEncoder hTTPRedirectDeflateEncoder = new HTTPRedirectDeflateEncoder();
                    hTTPRedirectDeflateEncoder.setMessageContext(messageContext);
                    hTTPRedirectDeflateEncoder.setHttpServletResponse(httpServletResponse);
                    try {
                        hTTPRedirectDeflateEncoder.initialize();
                        try {
                            hTTPRedirectDeflateEncoder.encode();
                        } catch (MessageEncodingException e) {
                            logger.error("【saml】 编码异常", (Throwable) e);
                            throw new BusinessException(I18nError.IAM_SAML_ENCODE_ERROR);
                        }
                    } catch (ComponentInitializationException e2) {
                        logger.error("【saml】 SAML编码初始化异常", (Throwable) e2);
                        throw new BusinessException(I18nError.IAM_SAML_ENCODE_ERROR);
                    }
                }
                VelocityEngine velocityEngine = new VelocityEngine();
                velocityEngine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
                velocityEngine.setProperty("classpath.resource.loader.class", "org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader");
                velocityEngine.init();
                HTTPPostEncoder hTTPPostEncoder = new HTTPPostEncoder();
                hTTPPostEncoder.setMessageContext(messageContext);
                hTTPPostEncoder.setHttpServletResponse(httpServletResponse);
                hTTPPostEncoder.setVelocityEngine(velocityEngine);
                try {
                    hTTPPostEncoder.initialize();
                    logger.info("Sending auto-sumbitting form to receiver with AuthnRequest");
                    try {
                        hTTPPostEncoder.encode();
                    } catch (MessageEncodingException e3) {
                        logger.error("【saml】 编码异常", (Throwable) e3);
                        throw new BusinessException(I18nError.IAM_SAML_ENCODE_ERROR);
                    }
                } catch (ComponentInitializationException e4) {
                    logger.error("【saml】 SAML编码初始化异常", (Throwable) e4);
                    throw new BusinessException(I18nError.IAM_SAML_ENCODE_ERROR);
                }
            } catch (BusinessException e5) {
                logger.error("【saml】 登录异常", (Throwable) e5);
                redirect(httpServletResponse, SAMLUtil.getFailCallbackUrl(findBySysIdAndSsoType.getFailCallbackUrl(), e5.getMessage()));
            } catch (Exception e6) {
                logger.error("【saml】 登录异常", (Throwable) e6);
                redirect(httpServletResponse, SAMLUtil.getFailCallbackUrl(findBySysIdAndSsoType.getFailCallbackUrl(), "系统异常"));
            }
        } catch (Exception e7) {
            logger.error("【saml】 登录异常", (Throwable) e7);
            sendResponse(httpServletResponse, e7.getMessage());
        }
    }

    @PostMapping({"/acs/{tenantId:.+}/{sysId}"})
    public void consumerAssertion(@PathVariable("tenantId") String str, @PathVariable("sysId") String str2, @RequestParam("SAMLResponse") String str3, HttpServletResponse httpServletResponse) {
        try {
            SysSsoUrlConfig findBySysIdAndSsoType = this.sysSsoUrlConfigCrudService.findBySysIdAndSsoType(str2, SsoTypeEnum.SAML.getCode());
            if (Objects.isNull(findBySysIdAndSsoType)) {
                throw new BusinessException(I18nError.IAM_SAML_SYS_NOT_EXIST);
            }
            try {
                Tenant findById = this.tenantCrudService.findById(str);
                if (Objects.isNull(findById)) {
                    throw new BusinessException(I18nError.TENANT_NOT_EXISTED, new Object[]{str});
                }
                TenantMetadataSAMLVO tenantMetadataSAMLVO = new TenantMetadataSAMLVO(this.tenantMetadataCrudService.getTenantMetadataValue(findById.getSid(), IamConstants.TENANT_METADATA_CATALOG_ID_SAML, IamConstants.SAML_KEY_LIST));
                ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(Base64.decode(str3.getBytes(StandardCharsets.UTF_8)));
                DocumentBuilderFactory newInstance = DocumentBuilderFactory.newInstance();
                newInstance.setNamespaceAware(true);
                Response response = (Response) XMLObjectProviderRegistrySupport.getUnmarshallerFactory().getUnmarshaller(Response.DEFAULT_ELEMENT_NAME).unmarshall(newInstance.newDocumentBuilder().parse(byteArrayInputStream).getDocumentElement());
                if (!StatusCode.SUCCESS.equals(response.getStatus().getStatusCode().getValue())) {
                    logger.error("IDP认证未通过,tenantId:{},sysId:{},samlResponse:{}", findById, str2, str3);
                    throw new BusinessException(I18nError.IAM_SAML_IDP_VALIDATE_ERROR);
                }
                Assertion assertion = response.getAssertions().get(0);
                if (!assertion.isSigned()) {
                    throw new BusinessException(I18nError.IAM_SAML_UNSIGNED_ASSERTION);
                }
                Signature signature = assertion.getSignature();
                try {
                    new SAMLSignatureProfileValidator().validate(signature);
                    SignatureValidator.validate(signature, IDPCredentialsUtil.getBasicX509CredentialFromString(tenantMetadataSAMLVO.getCredentials()));
                    String id = response.getID();
                    logger.info("【saml】 id:{}", id);
                    DateTime issueInstant = response.getIssueInstant();
                    logger.info("【saml】 issueInstant:{}", issueInstant);
                    if (issueInstant.isBefore(new DateTime().minusMinutes(5))) {
                        throw new BusinessException(I18nError.IAM_SAML_EXPIRED_ASSERTION);
                    }
                    if (!RedisUtils.setIfAbsent(String.format(RedisConstants.REDIS_IAM_SAML_LOCK, id), Long.valueOf(System.currentTimeMillis()), Duration.ofMinutes(5L))) {
                        throw new BusinessException(I18nError.IAM_SAML_DUPLICATE_ASSERTION);
                    }
                    String sessionIndex = CollectionUtils.isNotEmpty(assertion.getAuthnStatements()) ? assertion.getAuthnStatements().get(0).getSessionIndex() : null;
                    logger.info("【saml】 sessionIndex:{}", sessionIndex);
                    String value = assertion.getSubject().getNameID().getValue();
                    logger.info("【saml】 nameId:{}", value);
                    String str4 = null;
                    if ("NameID".equals(tenantMetadataSAMLVO.getUserId())) {
                        str4 = value;
                    } else {
                        for (Attribute attribute : assertion.getAttributeStatements().get(0).getAttributes()) {
                            logger.info("【saml】 Attribute name: " + attribute.getName());
                            if (Objects.equals(attribute.getName(), tenantMetadataSAMLVO.getUserId())) {
                                str4 = ((XSString) attribute.getAttributeValues().get(0)).getValue();
                            }
                        }
                    }
                    if (Objects.isNull(str4)) {
                        throw new BusinessException(I18nError.IAM_USER_ID_MAPPING_ATTRIBUTE_NOT_EXIST);
                    }
                    UserMappingQueryResultVO userByMapping = this.userMappingService.getUserByMapping(Long.valueOf(findById.getSid()), tenantMetadataSAMLVO.getMappingAppId(), null, str4);
                    if (Objects.isNull(userByMapping)) {
                        throw new BusinessException(I18nError.IAM_USER_MAPPING_NOT_EXIST);
                    }
                    UserTempTokenCacheVO userTempTokenCacheVO = new UserTempTokenCacheVO();
                    userTempTokenCacheVO.setValue(String.join(":_", userByMapping.getUserId(), str, str2));
                    userTempTokenCacheVO.setCreateTime(Long.valueOf(System.currentTimeMillis()));
                    String lowerCase = UUID.randomUUID().toString().toLowerCase();
                    RedisUtils.set(String.format(RedisConstants.REDIS_IAM_SSO_TOKEN, IamConstants.TENANT_METADATA_CATALOG_ID_SAML, lowerCase), userTempTokenCacheVO, Duration.ofMinutes(3L));
                    redirect(httpServletResponse, SAMLUtil.getSuccessCallbackUrl(findBySysIdAndSsoType.getSuccessCallbackUrl(), lowerCase, value, sessionIndex));
                } catch (Exception e) {
                    logger.error("签名验证不通过", (Throwable) e);
                    throw new BusinessException(I18nError.IAM_SAML_SIGNATURE_VALIDATE_ERROR);
                }
            } catch (BusinessException e2) {
                logger.error("【saml】 消费断言异常", (Throwable) e2);
                redirect(httpServletResponse, SAMLUtil.getFailCallbackUrl(findBySysIdAndSsoType.getFailCallbackUrl(), e2.getMessage()));
            } catch (Exception e3) {
                logger.error("【saml】 消费断言异常", (Throwable) e3);
                redirect(httpServletResponse, SAMLUtil.getFailCallbackUrl(findBySysIdAndSsoType.getFailCallbackUrl(), "系统异常"));
            }
        } catch (Exception e4) {
            logger.error("【saml】 登录异常", (Throwable) e4);
            sendResponse(httpServletResponse, e4.getMessage());
        }
    }

    @GetMapping({"/sp/metadata"})
    public void getSpMetadata(@RequestParam(value = "tenantId", required = false) String str, @RequestParam(value = "sysId", required = false) String str2, HttpServletResponse httpServletResponse) throws MarshallingException, SecurityException {
        try {
            if (!StringUtils.hasText(str) || !StringUtils.hasText(str2)) {
                throw new BusinessException(I18nError.PARAM_ERROR);
            }
            EntityDescriptor entityDescriptor = (EntityDescriptor) SAMLUtil.buildSAMLObject(EntityDescriptor.class);
            entityDescriptor.setEntityID(this.envProperties.getIamUri() + "/sp/" + str2);
            entityDescriptor.setID(SAMLUtil.generateSecureRandomId());
            entityDescriptor.setValidUntil(new DateTime().plusYears(1));
            entityDescriptor.setCacheDuration(86400000L);
            Credential credential = SPCredentialsUtil.getCredential();
            XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(entityDescriptor).marshall(entityDescriptor);
            SPSSODescriptor sPSSODescriptor = (SPSSODescriptor) SAMLUtil.buildSAMLObject(SPSSODescriptor.class);
            sPSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
            sPSSODescriptor.setWantAssertionsSigned((Boolean) true);
            sPSSODescriptor.setAuthnRequestsSigned((Boolean) false);
            NameIDFormat nameIDFormat = (NameIDFormat) SAMLUtil.buildSAMLObject(NameIDFormat.class);
            nameIDFormat.setFormat(NameIDType.PERSISTENT);
            sPSSODescriptor.getNameIDFormats().add(nameIDFormat);
            AssertionConsumerService assertionConsumerService = (AssertionConsumerService) SAMLUtil.buildSAMLObject(AssertionConsumerService.class);
            assertionConsumerService.setLocation(String.format("%s/api/iam/v2/saml/acs/%s/%s", this.envProperties.getIamUri(), str, str2));
            assertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
            assertionConsumerService.setIndex(1);
            sPSSODescriptor.getAssertionConsumerServices().add(assertionConsumerService);
            SingleLogoutService singleLogoutService = (SingleLogoutService) SAMLUtil.buildSAMLObject(SingleLogoutService.class);
            singleLogoutService.setLocation(String.format("%s/api/iam/v2/saml/logout/acs/%s/%s", this.envProperties.getIamUri(), str, str2));
            singleLogoutService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
            sPSSODescriptor.getSingleLogoutServices().add(singleLogoutService);
            X509KeyInfoGeneratorFactory x509KeyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory();
            x509KeyInfoGeneratorFactory.setEmitEntityCertificate(true);
            KeyInfoGenerator newInstance = x509KeyInfoGeneratorFactory.newInstance();
            KeyDescriptor keyDescriptor = (KeyDescriptor) SAMLUtil.buildSAMLObject(KeyDescriptor.class);
            keyDescriptor.setUse(UsageType.SIGNING);
            keyDescriptor.setKeyInfo(newInstance.generate(credential));
            sPSSODescriptor.getKeyDescriptors().add(keyDescriptor);
            entityDescriptor.getRoleDescriptors().add(sPSSODescriptor);
            postResponse(httpServletResponse, "UTF-8", "application/xml", writeEntityDescriptor(entityDescriptor));
        } catch (Exception e) {
            logger.error("【saml】 查询元数据异常", (Throwable) e);
            sendResponse(httpServletResponse, e.getMessage());
        }
    }

    @GetMapping({"/logout"})
    public void logout(@RequestParam(value = "tenantId", required = false) String str, @RequestParam(value = "sysId", required = false) String str2, @RequestParam(value = "nameId", required = false) String str3, @RequestParam(value = "sessionIndex", required = false) String str4, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            if (!StringUtils.hasText(str) || !StringUtils.hasText(str2)) {
                throw new BusinessException(I18nError.PARAM_ERROR);
            }
            SysSsoUrlConfig findBySysIdAndSsoType = this.sysSsoUrlConfigCrudService.findBySysIdAndSsoType(str2, SsoTypeEnum.SAML.getCode());
            if (Objects.isNull(findBySysIdAndSsoType)) {
                throw new BusinessException(I18nError.IAM_SAML_SYS_NOT_EXIST);
            }
            try {
                TenantMetadataSAMLVO tenantMetadataSAMLVO = getTenantMetadataSAMLVO(str);
                if (!StringUtils.hasText(tenantMetadataSAMLVO.getLogoutUrl()) || !StringUtils.hasText(str3)) {
                    redirect(httpServletResponse, findBySysIdAndSsoType.getLogoutCallbackUrl());
                    return;
                }
                LogoutRequest buildLogoutRequest = SAMLUtil.buildLogoutRequest(tenantMetadataSAMLVO, this.envProperties.getIamUri(), str3, str4);
                MessageContext messageContext = new MessageContext();
                messageContext.setMessage(buildLogoutRequest);
                ((SAMLEndpointContext) ((SAMLPeerEntityContext) messageContext.getSubcontext(SAMLPeerEntityContext.class, true)).getSubcontext(SAMLEndpointContext.class, true)).setEndpoint(SAMLUtil.getIDPEndpoint(tenantMetadataSAMLVO, false));
                SignatureSigningParameters signatureSigningParameters = new SignatureSigningParameters();
                signatureSigningParameters.setSigningCredential(SPCredentialsUtil.getCredential());
                signatureSigningParameters.setSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
                signatureSigningParameters.setSignatureCanonicalizationAlgorithm("http://www.w3.org/2001/10/xml-exc-c14n#");
                ((SecurityParametersContext) messageContext.getSubcontext(SecurityParametersContext.class, true)).setSignatureSigningParameters(signatureSigningParameters);
                HTTPRedirectDeflateEncoder hTTPRedirectDeflateEncoder = new HTTPRedirectDeflateEncoder();
                hTTPRedirectDeflateEncoder.setMessageContext(messageContext);
                hTTPRedirectDeflateEncoder.setHttpServletResponse(httpServletResponse);
                try {
                    hTTPRedirectDeflateEncoder.initialize();
                    try {
                        hTTPRedirectDeflateEncoder.encode();
                    } catch (MessageEncodingException e) {
                        logger.error("【saml】 编码异常", (Throwable) e);
                        throw new BusinessException(I18nError.IAM_SAML_ENCODE_ERROR);
                    }
                } catch (ComponentInitializationException e2) {
                    logger.error("【saml】 SAML编码初始化异常", (Throwable) e2);
                    throw new BusinessException(I18nError.IAM_SAML_ENCODE_ERROR);
                }
            } catch (BusinessException e3) {
                logger.error("【saml】 登出异常", (Throwable) e3);
                redirect(httpServletResponse, SAMLUtil.getFailCallbackUrl(findBySysIdAndSsoType.getFailCallbackUrl(), e3.getMessage()));
            } catch (Exception e4) {
                logger.error("【saml】 登出异常", (Throwable) e4);
                redirect(httpServletResponse, SAMLUtil.getFailCallbackUrl(findBySysIdAndSsoType.getFailCallbackUrl(), "系统异常"));
            }
        } catch (Exception e5) {
            logger.error("【saml】 登出异常", (Throwable) e5);
            sendResponse(httpServletResponse, e5.getMessage());
        }
    }

    @RequestMapping({"/logout/acs/{tenantId:.+}/{sysId}"})
    public void consumerLogout(@PathVariable("tenantId") String str, @PathVariable("sysId") String str2, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            SysSsoUrlConfig findBySysIdAndSsoType = this.sysSsoUrlConfigCrudService.findBySysIdAndSsoType(str2, SsoTypeEnum.SAML.getCode());
            if (Objects.isNull(findBySysIdAndSsoType)) {
                throw new BusinessException(I18nError.IAM_SAML_SYS_NOT_EXIST);
            }
            try {
                Tenant findById = this.tenantCrudService.findById(str);
                if (Objects.isNull(findById)) {
                    throw new BusinessException(I18nError.TENANT_NOT_EXISTED, new Object[]{str});
                }
                HTTPRedirectDeflateDecoder hTTPRedirectDeflateDecoder = new HTTPRedirectDeflateDecoder();
                hTTPRedirectDeflateDecoder.setHttpServletRequest(httpServletRequest);
                hTTPRedirectDeflateDecoder.setParserPool(SAMLUtil.getParserPool());
                try {
                    hTTPRedirectDeflateDecoder.initialize();
                    hTTPRedirectDeflateDecoder.decode();
                } catch (Exception e) {
                    logger.error("解析异常", (Throwable) e);
                }
                LogoutResponse logoutResponse = (LogoutResponse) XMLObjectProviderRegistrySupport.getUnmarshallerFactory().getUnmarshaller(LogoutResponse.DEFAULT_ELEMENT_NAME).unmarshall(((SAMLObject) hTTPRedirectDeflateDecoder.getMessageContext().getMessage()).getDOM());
                if (!StatusCode.SUCCESS.equals(logoutResponse.getStatus().getStatusCode().getValue())) {
                    logger.error("IDP退出未成功,tenantId:{},sysId:{}", findById, str2);
                    throw new BusinessException(I18nError.IAM_SAML_IDP_VALIDATE_ERROR);
                }
                String id = logoutResponse.getID();
                logger.info("【saml】 id:{}", id);
                DateTime issueInstant = logoutResponse.getIssueInstant();
                logger.info("【saml】 issueInstant:{}", issueInstant);
                if (issueInstant.isBefore(new DateTime().minusMinutes(5))) {
                    throw new BusinessException(I18nError.IAM_SAML_EXPIRED_ASSERTION);
                }
                if (!RedisUtils.setIfAbsent(String.format(RedisConstants.REDIS_IAM_SAML_LOCK, id), Long.valueOf(System.currentTimeMillis()), Duration.ofMinutes(5L))) {
                    throw new BusinessException(I18nError.IAM_SAML_DUPLICATE_ASSERTION);
                }
                redirect(httpServletResponse, findBySysIdAndSsoType.getLogoutCallbackUrl());
            } catch (BusinessException e2) {
                logger.error("【saml】 消费断言异常", (Throwable) e2);
                redirect(httpServletResponse, SAMLUtil.getFailCallbackUrl(findBySysIdAndSsoType.getFailCallbackUrl(), e2.getMessage()));
            } catch (Exception e3) {
                logger.error("【saml】 消费断言异常", (Throwable) e3);
                redirect(httpServletResponse, SAMLUtil.getFailCallbackUrl(findBySysIdAndSsoType.getFailCallbackUrl(), "系统异常"));
            }
        } catch (Exception e4) {
            logger.error("【saml】 登录异常", (Throwable) e4);
            sendResponse(httpServletResponse, e4.getMessage());
        }
    }

    private String writeEntityDescriptor(EntityDescriptor entityDescriptor) throws MarshallingException {
        return SerializeSupport.prettyPrintXML(XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(entityDescriptor).marshall(entityDescriptor));
    }

    private void postResponse(HttpServletResponse httpServletResponse, String str, String str2, String str3) {
        try {
            httpServletResponse.reset();
            httpServletResponse.setCharacterEncoding(str);
            httpServletResponse.setContentType(str2);
            PrintWriter writer = httpServletResponse.getWriter();
            writer.write(str3);
            writer.flush();
            writer.close();
        } catch (Exception e) {
            logger.error("【saml】 返回错误信息异常", (Throwable) e);
        }
    }

    private TenantMetadataSAMLVO getTenantMetadataSAMLVO(String str) {
        Tenant findById = this.tenantCrudService.findById(str);
        if (Objects.isNull(findById)) {
            throw new BusinessException(I18nError.TENANT_NOT_EXISTED, new Object[]{str});
        }
        return new TenantMetadataSAMLVO(this.tenantMetadataCrudService.getTenantMetadataValue(findById.getSid(), IamConstants.TENANT_METADATA_CATALOG_ID_SAML, IamConstants.SAML_KEY_LIST));
    }

    private void redirect(HttpServletResponse httpServletResponse, String str) {
        try {
            httpServletResponse.sendRedirect(str);
        } catch (IOException e) {
            logger.error("【saml】 跳转失败页面异常", (Throwable) e);
        }
    }

    private void sendResponse(HttpServletResponse httpServletResponse, String str) {
        try {
            httpServletResponse.reset();
            httpServletResponse.setCharacterEncoding("UTF-8");
            httpServletResponse.setContentType("text/plain; charset=UTF-8");
            PrintWriter writer = httpServletResponse.getWriter();
            writer.write(str);
            writer.flush();
            writer.close();
        } catch (Exception e) {
            logger.error("【saml】 返回错误信息异常", (Throwable) e);
        }
    }

    static {
        JavaCryptoValidationInitializer javaCryptoValidationInitializer = new JavaCryptoValidationInitializer();
        try {
            logger.info("javaCryptoValidationInitializer.init");
            javaCryptoValidationInitializer.init();
        } catch (InitializationException e) {
            logger.error("【saml】 初始化配置失败", (Throwable) e);
        }
        try {
            logger.info("InitializationService.initialize");
            InitializationService.initialize();
        } catch (InitializationException e2) {
            logger.error("【saml】 初始化配置失败", (Throwable) e2);
        }
    }
}
