package org.codice.ddf.security.common.jaxrs;

import ddf.security.Subject;
import ddf.security.assertion.SecurityAssertion;
import ddf.security.common.audit.SecurityLogger;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;
import java.util.zip.Inflater;
import java.util.zip.InflaterInputStream;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.cxf.jaxrs.client.Client;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;

/* loaded from: input_file:ddf-security-common-2.9.1.jar:org/codice/ddf/security/common/jaxrs/RestSecurity.class */
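/**
 * Static helpers that attach credentials to a CXF JAX-RS {@link Client} through the
 * {@code Authorization} header, plus the DEFLATE/Base64 codec used for the SAML header value.
 *
 * <p>Two header forms are produced: {@code "SAML " + base64(deflate(assertion))} and
 * {@code "BASIC " + base64(username:password)}. Both carry bearer-style secrets, so the helpers
 * refuse to attach them to non-HTTPS clients unless the operator has explicitly opted in (Basic
 * only).
 */
public final class RestSecurity {
    public static final String SAML_HEADER_PREFIX = "SAML ";
    public static final String BASIC_HEADER_PREFIX = "BASIC ";
    public static final String AUTH_HEADER = "Authorization";
    private static final Logger LOGGER = LoggerFactory.getLogger(RestSecurity.class);
    public static final boolean GZIP_COMPATIBLE = true;

    /** System property that, when {@code "true"}, permits Basic credentials over plain HTTP. */
    private static final String ALLOW_BASIC_AUTH_OVER_HTTP_PROPERTY = "org.codice.allowBasicAuthOverHttp";

    /** Compression level handed to {@link Deflater}; kept at 8 so the encoded output is unchanged. */
    private static final int DEFLATE_LEVEL = 8;

    /**
     * Adds a SAML {@code Authorization} header built from the subject's security assertion.
     *
     * <p>Nothing is set when either argument is {@code null}, when the client's current URI is
     * not HTTPS, or when no SAML header could be built from the subject.
     *
     * @param subject subject whose principals are searched for a {@link SecurityAssertion}
     * @param client client that receives the header
     */
    public static void setSubjectOnClient(Subject subject, Client client) {
        if (client == null || subject == null) {
            return;
        }
        if (!isHttps(client)) {
            // The assertion is a bearer credential: never place it on a cleartext request.
            LOGGER.debug("SAML header not set: client URI is not https.");
            return;
        }
        String samlHeader = createSamlHeader(subject);
        if (samlHeader == null) {
            LOGGER.debug("SAML Header was null. Unable to set the header for the client.");
            return;
        }
        client.header(AUTH_HEADER, samlHeader);
    }

    /**
     * Adds an HTTP Basic {@code Authorization} header to the client.
     *
     * <p>Nothing is set when any argument is {@code null}. For a non-HTTPS client the header is
     * only set if the {@code org.codice.allowBasicAuthOverHttp} system property is {@code true};
     * that case is logged and audited because Base64 is an encoding, not encryption.
     *
     * @param str user name placed before the colon of the Basic credential
     * @param str2 password placed after the colon of the Basic credential
     * @param client client that receives the header
     * @throws UnsupportedEncodingException declared for caller compatibility; the UTF-8 encoding
     *     used here does not raise it
     */
    public static void setUserOnClient(String str, String str2, Client client) throws UnsupportedEncodingException {
        if (client == null || str == null || str2 == null) {
            return;
        }
        // Exact scheme match, consistent with setSubjectOnClient. A prefix match would treat any
        // scheme that merely begins with "https" as encrypted and skip the cleartext guard.
        if (!isHttps(client)) {
            boolean allowOverHttp = Boolean.parseBoolean(System.getProperty(ALLOW_BASIC_AUTH_OVER_HTTP_PROPERTY, "false"));
            if (!allowOverHttp) {
                LOGGER.warn("Passing username & password is not allowed on an un-encrypted protocol [{}].", client.getCurrentURI());
                return;
            }
            LOGGER.warn("CAUTION: Passing username & password on an un-encrypted protocol [{}]. This is a security issue. ", client.getCurrentURI());
            SecurityLogger.auditWarn("Passing username & password on an un-encrypted protocol [" + client.getCurrentURI() + "].");
        }
        String credentials = str + ":" + str2;
        String encoded = Base64.getEncoder().encodeToString(credentials.getBytes(StandardCharsets.UTF_8));
        client.header(AUTH_HEADER, BASIC_HEADER_PREFIX + encoded);
    }

    /** Returns {@code true} only when the client's current URI scheme is exactly {@code https}. */
    private static boolean isHttps(Client client) {
        return "https".equalsIgnoreCase(client.getCurrentURI().getScheme());
    }

    /**
     * Builds the {@code "SAML "}-prefixed header value from the subject's assertion.
     *
     * @param subject subject whose principals are searched for a {@link SecurityAssertion}
     * @return the header value, or {@code null} when the subject carries no assertion token or the
     *     assertion could not be serialized
     */
    private static String createSamlHeader(Subject subject) {
        String header = null;
        Element samlToken = null;
        try {
            // No early exit: when several SecurityAssertion principals exist, the last one wins.
            for (Object principal : subject.getPrincipals().asList()) {
                if (principal instanceof SecurityAssertion) {
                    samlToken = ((SecurityAssertion) principal).getSecurityToken().getToken();
                }
            }
            if (samlToken != null) {
                header = SAML_HEADER_PREFIX + deflateAndBase64Encode(new SamlAssertionWrapper(samlToken).assertionToString());
            }
        } catch (WSSecurityException | IOException | ArithmeticException e) {
            // NOTE(review): the reason ArithmeticException is caught is not visible here; kept as-is.
            LOGGER.error("Unable to parse SAML assertion from subject.", e);
        }
        return header;
    }

    /**
     * Compresses the UTF-8 bytes of {@code str} with raw DEFLATE (no zlib header) and Base64
     * encodes the result.
     *
     * @param str text to encode
     * @return Base64 of the deflated bytes
     * @throws IOException if writing to the deflater stream fails
     */
    public static String deflateAndBase64Encode(String str) throws IOException {
        byte[] plain = str.getBytes(StandardCharsets.UTF_8);
        Deflater deflater = new Deflater(DEFLATE_LEVEL, GZIP_COMPATIBLE);
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        try {
            try (DeflaterOutputStream out = new DeflaterOutputStream(buffer, deflater)) {
                out.write(plain);
            }
            return Base64.getEncoder().encodeToString(buffer.toByteArray());
        } finally {
            // The stream does not end a caller-supplied Deflater; release its native memory here.
            deflater.end();
        }
    }

    /**
     * Reverses {@link #deflateAndBase64Encode(String)}: MIME-Base64 decodes {@code str}, inflates
     * the raw DEFLATE data and returns it as UTF-8 text.
     *
     * <p>NOTE(review): the inflated size is not capped, so a short input can expand to a very
     * large string. Where the value comes from a request header, enforce a size limit before or
     * around this call.
     *
     * @param str Base64 text holding raw DEFLATE data
     * @return the inflated text
     * @throws IOException if the data cannot be inflated
     */
    public static String inflateBase64(String str) throws IOException {
        byte[] compressed = Base64.getMimeDecoder().decode(str);
        Inflater inflater = new Inflater(GZIP_COMPATIBLE);
        try (InflaterInputStream in = new InflaterInputStream(new ByteArrayInputStream(compressed), inflater)) {
            return IOUtils.toString(in, StandardCharsets.UTF_8.name());
        } finally {
            // The stream does not end a caller-supplied Inflater; release its native memory here.
            inflater.end();
        }
    }
}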
