package org.mule.extension.salesforce.internal.connection.provider;

import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.util.UUID;
import javax.xml.namespace.QName;
import net.shibboleth.utilities.java.support.xml.SerializeSupport;
import org.apache.commons.codec.binary.Base64;
import org.joda.time.DateTime;
import org.mule.extension.helpers.logger.ConnectorLogger;
import org.mule.extension.helpers.logger.ConnectorLoggerImpl;
import org.mule.extension.salesforce.internal.connection.SalesforceConnection;
import org.mule.extension.salesforce.internal.connection.pooling.PartnerConnectionPool;
import org.mule.extension.salesforce.internal.error.exception.service.SalesforceException;
import org.mule.extension.salesforce.internal.service.connection.oauth.SignerService;
import org.mule.extension.salesforce.internal.service.util.SalesforceUtils;
import org.mule.runtime.api.connection.CachedConnectionProvider;
import org.mule.runtime.api.meta.model.display.PathModel;
import org.mule.runtime.extension.api.annotation.Alias;
import org.mule.runtime.extension.api.annotation.param.Optional;
import org.mule.runtime.extension.api.annotation.param.Parameter;
import org.mule.runtime.extension.api.annotation.param.display.DisplayName;
import org.mule.runtime.extension.api.annotation.param.display.Example;
import org.mule.runtime.extension.api.annotation.param.display.Password;
import org.mule.runtime.extension.api.annotation.param.display.Path;
import org.mule.runtime.extension.api.annotation.param.display.Placement;
import org.mule.runtime.extension.api.annotation.param.display.Summary;
import org.mule.sdk.api.annotation.semantics.connectivity.ExcludeFromConnectivitySchema;
import org.mule.sdk.api.annotation.semantics.connectivity.Url;
import org.mule.sdk.api.annotation.semantics.security.ClientId;
import org.mule.sdk.api.annotation.semantics.security.Username;
import org.opensaml.core.config.InitializationException;
import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.XMLObjectBuilderFactory;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.saml.common.SAMLObjectBuilder;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Audience;
import org.opensaml.saml.saml2.core.AudienceRestriction;
import org.opensaml.saml.saml2.core.AuthnContext;
import org.opensaml.saml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.opensaml.saml.saml2.core.Conditions;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.NameIDType;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.saml2.core.SubjectConfirmationData;

@DisplayName("OAuth SAML")
@Alias("saml")
/* loaded from: input_file:repository/com/mulesoft/connectors/mule-salesforce-connector/10.18.2/mule-salesforce-connector-10.18.2-mule-plugin.jar:org/mule/extension/salesforce/internal/connection/provider/SAMLConnectionProvider.class */
public class SAMLConnectionProvider extends AbstractOAuthConnectionProvider implements CachedConnectionProvider<SalesforceConnection> {
    private static final ConnectorLogger connectorLogger = ConnectorLoggerImpl.newInstance(SAMLConnectionProvider.class);

    @Placement(order = 1)
    @ClientId
    @Parameter
    private String consumerKey;

    @Path(type = PathModel.Type.FILE)
    @Parameter
    @Placement(order = 2)
    @Example("keyStoreFile.jks")
    @ExcludeFromConnectivitySchema
    private String keyStore;

    @Parameter
    @Placement(order = 3)
    @ExcludeFromConnectivitySchema
    @Password
    private String storePassword;

    @Optional
    @Parameter
    @Placement(order = 4)
    @ExcludeFromConnectivitySchema
    private String certificateAlias;

    @Placement(order = 5)
    @Username
    @Parameter
    private String principal;

    @Optional(defaultValue = "https://login.salesforce.com/services/oauth2/token")
    @Parameter
    @Summary("URL pointing to the server responsible for providing the authentication token")
    @Placement(order = 6)
    @Example("https://host:port/other1/other2")
    @Url
    private String tokenEndpoint;

    @Override // org.mule.extension.salesforce.internal.connection.provider.AbstractOAuthConnectionProvider
    protected void onPreAuthorization() {
        connectorLogger.trace(ConnectorLogger.TraceKeywords.ENTERING, "pre-authorization");
        try {
            InputStream keyStoreResourceStream = getKeyStoreResourceStream(this.keyStore);
            Throwable th = null;
            try {
                InitializationService.initialize();
                XMLObjectBuilderFactory builderFactory = XMLObjectProviderRegistrySupport.getBuilderFactory();
                NameID nameID = (NameID) ((SAMLObjectBuilder) builderFactory.getBuilder(NameID.DEFAULT_ELEMENT_NAME)).buildObject();
                nameID.setValue(this.principal);
                nameID.setFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
                SubjectConfirmationData subjectConfirmationData = (SubjectConfirmationData) ((SAMLObjectBuilder) builderFactory.getBuilder(SubjectConfirmationData.DEFAULT_ELEMENT_NAME)).buildObject();
                DateTime minusMinutes = new DateTime().minusMinutes(1);
                DateTime plusMinutes = minusMinutes.plusMinutes(5);
                subjectConfirmationData.setNotOnOrAfter(plusMinutes);
                subjectConfirmationData.setRecipient(SalesforceUtils.computeBaseUrl(this.tokenEndpoint));
                SubjectConfirmation subjectConfirmation = (SubjectConfirmation) ((SAMLObjectBuilder) builderFactory.getBuilder(SubjectConfirmation.DEFAULT_ELEMENT_NAME)).buildObject();
                subjectConfirmation.setMethod(SubjectConfirmation.METHOD_BEARER);
                subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData);
                Subject subject = (Subject) ((SAMLObjectBuilder) builderFactory.getBuilder(Subject.DEFAULT_ELEMENT_NAME)).buildObject();
                subject.setNameID(nameID);
                subject.getSubjectConfirmations().add(subjectConfirmation);
                AuthnContextClassRef authnContextClassRef = (AuthnContextClassRef) ((SAMLObjectBuilder) builderFactory.getBuilder(AuthnContextClassRef.DEFAULT_ELEMENT_NAME)).buildObject();
                authnContextClassRef.setAuthnContextClassRef(AuthnContext.UNSPECIFIED_AUTHN_CTX);
                AuthnContext authnContext = (AuthnContext) ((SAMLObjectBuilder) builderFactory.getBuilder(AuthnContext.DEFAULT_ELEMENT_NAME)).buildObject();
                authnContext.setAuthnContextClassRef(authnContextClassRef);
                AuthnStatement authnStatement = (AuthnStatement) ((SAMLObjectBuilder) builderFactory.getBuilder(AuthnStatement.DEFAULT_ELEMENT_NAME)).buildObject();
                authnStatement.setAuthnInstant(minusMinutes);
                authnStatement.setAuthnContext(authnContext);
                Audience audience = (Audience) ((SAMLObjectBuilder) builderFactory.getBuilder(Audience.DEFAULT_ELEMENT_NAME)).buildObject();
                audience.setAudienceURI(this.tokenEndpoint);
                AudienceRestriction audienceRestriction = (AudienceRestriction) ((SAMLObjectBuilder) builderFactory.getBuilder(AudienceRestriction.DEFAULT_ELEMENT_NAME)).buildObject();
                audienceRestriction.getAudiences().add(audience);
                Conditions conditions = (Conditions) ((SAMLObjectBuilder) builderFactory.getBuilder(Conditions.DEFAULT_ELEMENT_NAME)).buildObject();
                conditions.setNotBefore(minusMinutes);
                conditions.setNotOnOrAfter(plusMinutes);
                conditions.getConditions().add(audienceRestriction);
                Issuer issuer = (Issuer) ((SAMLObjectBuilder) builderFactory.getBuilder(Issuer.DEFAULT_ELEMENT_NAME)).buildObject();
                issuer.setFormat(NameIDType.ENTITY);
                issuer.setValue(this.consumerKey);
                Assertion assertion = (Assertion) ((SAMLObjectBuilder) builderFactory.getBuilder(Assertion.DEFAULT_ELEMENT_NAME)).buildObject();
                assertion.setIssuer(issuer);
                assertion.setIssueInstant(minusMinutes);
                assertion.setVersion(SAMLVersion.VERSION_20);
                assertion.setSubject(subject);
                assertion.getAuthnStatements().add(authnStatement);
                assertion.setConditions(conditions);
                assertion.setID(UUID.randomUUID().toString());
                new SignerService().signSAMLObject(assertion, keyStoreResourceStream, KeyStore.getDefaultType(), this.storePassword.toCharArray(), this.certificateAlias);
                sendAuthorizationRequestAndParseResponse(getHttpClient(), this.tokenEndpoint, "urn:ietf:params:oauth:grant-type:saml2-bearer", Base64.encodeBase64URLSafeString(SerializeSupport.nodeToString(XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(assertion).marshall(assertion)).getBytes(StandardCharsets.UTF_8)));
                if (keyStoreResourceStream != null) {
                    if (0 != 0) {
                        try {
                            keyStoreResourceStream.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        keyStoreResourceStream.close();
                    }
                }
                connectorLogger.trace(ConnectorLogger.TraceKeywords.EXITING, "pre-authorization");
            } finally {
            }
        } catch (IOException | KeyManagementException | NoSuchAlgorithmException | InitializationException | MarshallingException e) {
            connectorLogger.warn("generate a SAML token", "an exception has occurred", "Check credentials", e);
            throw new SalesforceException("Failed generating SAML token", e);
        }
    }

    @Override // org.mule.extension.salesforce.internal.connection.provider.AbstractConnectionProvider
    public String getUsername(PartnerConnectionPool partnerConnectionPool) {
        return this.principal;
    }
}
