package org.apache.cxf.fediz.core.processor;

import java.io.IOException;
import java.io.StringReader;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLEncoder;
import java.security.cert.Certificate;
import java.text.ParseException;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import java.util.regex.Pattern;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.servlet.http.HttpServletRequest;
import net.bytebuddy.description.type.TypeDescription;
import org.apache.cxf.fediz.core.FederationConstants;
import org.apache.cxf.fediz.core.RequestState;
import org.apache.cxf.fediz.core.TokenValidator;
import org.apache.cxf.fediz.core.TokenValidatorRequest;
import org.apache.cxf.fediz.core.TokenValidatorResponse;
import org.apache.cxf.fediz.core.config.Claim;
import org.apache.cxf.fediz.core.config.FederationProtocol;
import org.apache.cxf.fediz.core.config.FedizContext;
import org.apache.cxf.fediz.core.config.KeyManager;
import org.apache.cxf.fediz.core.exception.ProcessingException;
import org.apache.cxf.fediz.core.metadata.MetadataWriter;
import org.apache.cxf.fediz.core.spi.FreshnessCallback;
import org.apache.cxf.fediz.core.spi.HomeRealmCallback;
import org.apache.cxf.fediz.core.spi.ReplyCallback;
import org.apache.cxf.fediz.core.spi.ReplyConstraintCallback;
import org.apache.cxf.fediz.core.spi.SignInQueryCallback;
import org.apache.cxf.fediz.core.spi.SignOutQueryCallback;
import org.apache.cxf.fediz.core.spi.WAuthCallback;
import org.apache.cxf.fediz.core.spi.WReqCallback;
import org.apache.cxf.fediz.core.util.DOMUtils;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.util.DOM2Writer;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSDataRef;
import org.apache.wss4j.dom.WSDocInfo;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.processor.EncryptedDataProcessor;
import org.apache.wss4j.dom.processor.Processor;
import org.apache.wss4j.dom.util.XmlSchemaDateFormat;
import org.joda.time.DateTime;
import org.opensaml.soap.wstrust.Lifetime;
import org.opensaml.soap.wstrust.RequestSecurityTokenResponseCollection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.BeanFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:BOOT-INF/lib/fediz-core-1.4.2.jar:org/apache/cxf/fediz/core/processor/FederationProcessorImpl.class */
public class FederationProcessorImpl extends AbstractFedizProcessor {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) FederationProcessorImpl.class);

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:BOOT-INF/lib/fediz-core-1.4.2.jar:org/apache/cxf/fediz/core/processor/FederationProcessorImpl$DecryptionCallbackHandler.class */
    /**
     * Supplies the configured decryption-key password to WSS4J while an encrypted token is
     * being decrypted.
     *
     * <p>The password is kept in an immutable {@link String} for the lifetime of the handler,
     * so it cannot be cleared from memory after use.
     */
    public static class DecryptionCallbackHandler implements CallbackHandler {
        private final String password;

        DecryptionCallbackHandler(String str) {
            this.password = str;
        }

        /**
         * Answers every {@link WSPasswordCallback} in the array with the stored password.
         *
         * @param callbackArr callbacks to answer, handled in array order
         * @throws UnsupportedCallbackException at the first entry that is not a
         *         {@link WSPasswordCallback}; entries before it have already been answered
         */
        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
            for (Callback callback : callbackArr) {
                if (callback instanceof WSPasswordCallback) {
                    ((WSPasswordCallback) callback).setPassword(this.password);
                    continue;
                }
                throw new UnsupportedCallbackException(callback, "Unrecognized Callback");
            }
        }
    }

    /* loaded from: input_file:BOOT-INF/lib/fediz-core-1.4.2.jar:org/apache/cxf/fediz/core/processor/FederationProcessorImpl$LifeTime.class */
    /**
     * Immutable pair of "created" and "expires" instants taken from an RSTR Lifetime element.
     * Either value may be {@code null}. Dates are copied on the way in and on the way out, so
     * callers cannot change the stored instants through a shared {@link Date} reference.
     */
    public static class LifeTime {
        private final Date created;
        private final Date expires;

        /**
         * @param date  creation instant, or {@code null}
         * @param date2 expiry instant, or {@code null}
         */
        public LifeTime(Date date, Date date2) {
            this.created = copyOf(date);
            this.expires = copyOf(date2);
        }

        /** @return a fresh copy of the creation instant, or {@code null} if none was given */
        public Date getCreated() {
            return copyOf(this.created);
        }

        /** @return a fresh copy of the expiry instant, or {@code null} if none was given */
        public Date getExpires() {
            return copyOf(this.expires);
        }

        /** Null-tolerant defensive copy. */
        private static Date copyOf(Date source) {
            return source == null ? null : new Date(source.getTime());
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:BOOT-INF/lib/fediz-core-1.4.2.jar:org/apache/cxf/fediz/core/processor/FederationProcessorImpl$NOOpProcessor.class */
    /**
     * WSS4J {@link Processor} that ignores the element it is given and reports no results.
     *
     * <p>{@code decryptEncryptedRST} registers it for {@code WSConstants.SAML_TOKEN} and
     * {@code WSConstants.SAML2_TOKEN}, so SAML content uncovered during decryption is not
     * processed by WSS4J at that stage.
     */
    public static class NOOpProcessor implements Processor {
        private NOOpProcessor() {
            // instantiated only by the enclosing class
        }

        /**
         * @return always an empty list; none of the arguments are inspected
         */
        @Override
        public List<WSSecurityEngineResult> handleToken(Element ignoredElement, RequestData ignoredData, WSDocInfo ignoredDocInfo) throws WSSecurityException {
            return Collections.<WSSecurityEngineResult>emptyList();
        }
    }

    /**
     * Entry point for incoming federation requests. Only the {@code wsignin1.0} action is
     * handled; everything else is rejected.
     *
     * @throws IllegalStateException if the context is not configured for {@link FederationProtocol}
     * @throws ProcessingException   with {@code INVALID_REQUEST} for any other action, or whatever
     *                               sign-in processing raises
     */
    @Override // org.apache.cxf.fediz.core.processor.FedizProcessor
    public FedizResponse processRequest(FedizRequest fedizRequest, FedizContext fedizContext) throws ProcessingException {
        boolean federationConfigured = fedizContext.getProtocol() instanceof FederationProtocol;
        if (!federationConfigured) {
            LOG.error("Unsupported protocol");
            throw new IllegalStateException("Unsupported protocol");
        }
        if (!"wsignin1.0".equals(fedizRequest.getAction())) {
            // NOTE(review): the action is presumably taken from the request's wa parameter and is
            // written to the log unmodified; confirm the log layout neutralises CR/LF.
            LOG.error("Invalid action '" + fedizRequest.getAction() + "'");
            throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
        }
        return processSignInRequest(fedizRequest, fedizContext);
    }

    /**
     * Produces the federation metadata document for this relying party by delegating to a new
     * {@link MetadataWriter}.
     *
     * @throws ProcessingException if the writer fails
     */
    @Override // org.apache.cxf.fediz.core.processor.FedizProcessor
    public Document getMetaData(HttpServletRequest httpServletRequest, FedizContext fedizContext) throws ProcessingException {
        MetadataWriter writer = new MetadataWriter();
        Document metadata = writer.getMetaData(httpServletRequest, fedizContext);
        return metadata;
    }

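    /**
     * Processes the {@code wresult} of a WS-Federation sign-in response.
     *
     * <p>Steps: parse the RSTR, pick out Lifetime / RequestedSecurityToken / TokenType from the
     * WS-Trust namespaces, enforce the RSTR lifetime, decrypt the token if it is an
     * {@code xenc:EncryptedData}, validate it, run the replay and mandatory-claim checks, and
     * build the {@link FedizResponse}.
     *
     * <p>{@link ProcessingException}s raised by these steps are propagated with their original
     * type (for example {@code TOKEN_EXPIRED}); only unexpected failures are reported as
     * {@code INVALID_REQUEST}.
     *
     * @param fedizRequest request carrying the response token and the client certificates
     * @param fedizContext relying-party configuration
     * @return the validated identity, claims and token
     * @throws ProcessingException if the response is malformed, expired, not yet valid, cannot be
     *                             decrypted or validated, is replayed, or lacks a mandatory claim
     */
    protected FedizResponse processSignInRequest(FedizRequest fedizRequest, FedizContext fedizContext) throws ProcessingException {
        try {
            // NOTE(review): wresult is parsed before anything about it has been verified. Whether
            // DOMUtils.readXml disables DTDs and external entities is not visible here; confirm.
            Element rstr = DOMUtils.readXml(new StringReader(fedizRequest.getResponseToken())).getDocumentElement();
            if (RequestSecurityTokenResponseCollection.ELEMENT_LOCAL_NAME.equals(rstr.getLocalName())) {
                rstr = DOMUtils.getFirstElement(rstr);
            }
            if (!"RequestSecurityTokenResponse".equals(rstr.getLocalName())) {
                LOG.warn("Unexpected root element of wresult: '" + rstr.getLocalName() + "'");
                throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
            }

            Element token = null;
            Element lifetimeElement = null;
            String tokenType = null;
            for (Element child = DOMUtils.getFirstElement(rstr); child != null; child = DOMUtils.getNextElement(child)) {
                String namespace = child.getNamespaceURI();
                boolean wsTrust = "http://docs.oasis-open.org/ws-sx/ws-trust/200512".equals(namespace)
                        || "http://schemas.xmlsoap.org/ws/2005/02/trust".equals(namespace);
                if (!wsTrust) {
                    continue;
                }
                String localName = child.getLocalName();
                if (Lifetime.ELEMENT_LOCAL_NAME.equals(localName)) {
                    lifetimeElement = child;
                } else if ("RequestedSecurityToken".equals(localName)) {
                    token = DOMUtils.getFirstElement(child);
                } else if ("TokenType".equals(localName)) {
                    tokenType = DOMUtils.getContent(child);
                }
            }

            // With debug logging enabled the complete received token is written to the log;
            // treat such logs as sensitive.
            if (LOG.isDebugEnabled()) {
                if (token != null) {
                    LOG.debug("RST: {}", DOM2Writer.nodeToString(token));
                }
                if (lifetimeElement != null) {
                    LOG.debug("Lifetime: {}", DOM2Writer.nodeToString(lifetimeElement));
                }
            }
            LOG.debug("Tokentype: {}", tokenType);
            if (token == null) {
                LOG.warn("RequestedSecurityToken element not found in wresult");
                throw new ProcessingException(ProcessingException.TYPE.BAD_REQUEST);
            }

            // The Lifetime element sits in the RSTR wrapper, outside the token itself. The expiry
            // comparison is exact; only the "not yet valid" comparison allows for clock skew.
            LifeTime lifetime = lifetimeElement != null ? processLifeTime(lifetimeElement) : null;
            if (lifetime != null) {
                if (new Date().after(lifetime.getExpires())) {
                    LOG.warn("RSTR Lifetime expired");
                    throw new ProcessingException(ProcessingException.TYPE.TOKEN_EXPIRED);
                }
                if (new DateTime(lifetime.getCreated()).isAfter(new DateTime().plusSeconds(fedizContext.getMaximumClockSkew().intValue()))) {
                    LOG.debug("RSTR Lifetime not yet valid");
                    throw new ProcessingException(ProcessingException.TYPE.TOKEN_INVALID);
                }
            }

            boolean encrypted = "EncryptedData".equals(token.getLocalName())
                    && "http://www.w3.org/2001/04/xmlenc#".equals(token.getNamespaceURI());
            if (encrypted) {
                // A null result leaves the EncryptedData element in place, so the validator below
                // is handed the still-encrypted element and has to reject it.
                Element decrypted = decryptEncryptedRST(token, fedizContext);
                if (decrypted != null) {
                    token = decrypted;
                }
            }

            TokenValidatorResponse validated = validateToken(token, tokenType, fedizContext, fedizRequest.getCerts());
            if (validated == null) {
                // Fail closed explicitly instead of relying on a NullPointerException further down.
                LOG.warn("No token validator produced a result for the received token");
                throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
            }

            Date expires = (lifetime == null || lifetime.getExpires() == null) ? validated.getExpires() : lifetime.getExpires();
            testForReplayAttack(validated.getUniqueTokenId(), fedizContext, expires);

            FederationProtocol protocol = (FederationProtocol) fedizContext.getProtocol();
            boolean hasRoles = validated.getRoles() != null && !validated.getRoles().isEmpty();
            testForMandatoryClaims(protocol.getRoleURI(), protocol.getClaimTypesRequested(), validated.getClaims(), hasRoles);

            Date created = validated.getCreated();
            if (lifetime != null && lifetime.getCreated() != null) {
                created = lifetime.getCreated();
            }
            return new FedizResponse(validated.getUsername(), validated.getIssuer(), validated.getRoles(), validated.getClaims(), validated.getAudience(), created, expires, token, validated.getUniqueTokenId());
        } catch (ProcessingException e) {
            // Keep the specific failure type (TOKEN_EXPIRED, TOKEN_INVALID, BAD_REQUEST, ...)
            // instead of flattening every rejection into INVALID_REQUEST.
            throw e;
        } catch (Exception e) {
            LOG.warn("Failed to parse wresult: " + e.getMessage(), e);
            throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
        }
    }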

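    /**
     * Hands the token to the first configured {@link TokenValidator} that accepts it.
     *
     * <p>Validators are tried in configuration order. When a token type is given it is matched
     * with {@code canHandleTokenType}; otherwise the element itself is offered to
     * {@code canHandleToken}. Every configured validator is considered, and the request is
     * rejected when none applies, including when no validator is configured at all.
     *
     * <p>The token type is the value the caller read from the response's TokenType element
     * before any verification took place, so it only selects a validator; the validator itself
     * must reject anything it cannot verify.
     *
     * @param element        the (decrypted) security token
     * @param str            token type taken from the response, or {@code null}
     * @param fedizContext   relying-party configuration
     * @param certificateArr client certificates passed on to the validator
     * @return the validator's result
     * @throws ProcessingException {@code BAD_REQUEST} if no validator handles the token,
     *                             {@code TOKEN_INVALID} if validation fails unexpectedly, or the
     *                             validator's own {@link ProcessingException}
     */
    private TokenValidatorResponse validateToken(Element element, String str, FedizContext fedizContext, Certificate[] certificateArr) throws ProcessingException {
        for (TokenValidator validator : ((FederationProtocol) fedizContext.getProtocol()).getTokenValidators()) {
            boolean canHandle = str != null ? validator.canHandleTokenType(str) : validator.canHandleToken(element);
            if (!canHandle) {
                continue;
            }
            try {
                return validator.validateAndProcessToken(new TokenValidatorRequest(element, certificateArr), fedizContext);
            } catch (ProcessingException e) {
                throw e;
            } catch (Exception e) {
                LOG.warn("Failed to validate token", e);
                throw new ProcessingException(ProcessingException.TYPE.TOKEN_INVALID);
            }
        }
        LOG.warn("No security token validator found for '" + str + "'");
        throw new ProcessingException(ProcessingException.TYPE.BAD_REQUEST);
    }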

    /**
     * Decrypts an {@code xenc:EncryptedData} element with the configured decryption key.
     *
     * <p>SAML 1.1 and SAML 2.0 token processing inside WSS4J is replaced by
     * {@link NOOpProcessor}, so this step only decrypts and does not validate the token.
     *
     * @param element      the EncryptedData element
     * @param fedizContext configuration supplying the decryption {@link KeyManager}
     * @return the protected element of the first data reference reported by the last WSS4J
     *         result, or {@code null} when WSS4J reports no results or no data references
     * @throws ProcessingException {@code BAD_REQUEST} if no crypto instance or key password is
     *                             configured, {@code TOKEN_INVALID} if decryption fails
     */
    private Element decryptEncryptedRST(Element element, FedizContext fedizContext) throws ProcessingException {
        KeyManager keyManager = fedizContext.getDecryptionKey();
        boolean cryptoMissing = keyManager == null || keyManager.getCrypto() == null;
        if (cryptoMissing) {
            LOG.debug("We must have a decryption Crypto instance configured to decrypt encrypted tokens");
            throw new ProcessingException(ProcessingException.TYPE.BAD_REQUEST);
        }
        String keyPassword = keyManager.getKeyPassword();
        if (keyPassword == null) {
            LOG.debug("We must have a decryption key password to decrypt encrypted tokens");
            throw new ProcessingException(ProcessingException.TYPE.BAD_REQUEST);
        }

        EncryptedDataProcessor decryptor = new EncryptedDataProcessor();
        WSDocInfo docInfo = new WSDocInfo(element.getOwnerDocument());

        // Fresh WSS4J configuration in which SAML tokens found during decryption are left alone.
        WSSConfig wssConfig = WSSConfig.getNewInstance();
        wssConfig.setProcessor(WSConstants.SAML_TOKEN, new NOOpProcessor());
        wssConfig.setProcessor(WSConstants.SAML2_TOKEN, new NOOpProcessor());

        RequestData requestData = new RequestData();
        requestData.setWssConfig(wssConfig);
        requestData.setDecCrypto(keyManager.getCrypto());
        requestData.setCallbackHandler(new DecryptionCallbackHandler(keyPassword));

        try {
            List<WSSecurityEngineResult> results = decryptor.handleToken(element, requestData, docInfo);
            if (results.isEmpty()) {
                return null;
            }
            WSSecurityEngineResult lastResult = results.get(results.size() - 1);
            List<?> dataRefs = (List<?>) lastResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
            if (dataRefs == null || dataRefs.isEmpty()) {
                return null;
            }
            return ((WSDataRef) dataRefs.get(0)).getProtectedElement();
        } catch (WSSecurityException e) {
            // The cause is logged at debug level only; the caller just sees TOKEN_INVALID.
            LOG.debug(e.getMessage(), e);
            throw new ProcessingException(ProcessingException.TYPE.TOKEN_INVALID);
        }
    }

    /**
     * Reads the {@code wsu:Created} and {@code wsu:Expires} children of an RSTR Lifetime element.
     *
     * @param element the Lifetime element
     * @return the parsed lifetime
     * @throws ProcessingException {@code BAD_REQUEST} if either timestamp cannot be parsed
     */
    private LifeTime processLifeTime(Element element) throws ProcessingException {
        final String wsuNamespace = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
        try {
            // NOTE(review): how DOMUtils.getContent and parse behave when a child is missing is
            // not visible here; only ParseException is translated below.
            Element createdElement = DOMUtils.getFirstChildWithName(element, wsuNamespace, "Created");
            XmlSchemaDateFormat dateFormat = new XmlSchemaDateFormat();
            Date created = dateFormat.parse(DOMUtils.getContent(createdElement));
            Element expiresElement = DOMUtils.getFirstChildWithName(element, wsuNamespace, "Expires");
            Date expires = dateFormat.parse(DOMUtils.getContent(expiresElement));
            return new LifeTime(created, expires);
        } catch (ParseException e) {
            LOG.error("Failed to parse lifetime element in wresult: {}", e.getMessage());
            throw new ProcessingException(ProcessingException.TYPE.BAD_REQUEST);
        }
    }

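    /**
     * Builds the redirect that sends the browser to the IdP for a WS-Federation sign-in.
     *
     * <p>The query carries, in this order: {@code wa}, {@code wreply}, {@code wtrealm}, the
     * optional {@code wauth}, {@code wreq}, {@code whr} and {@code wfresh}, the current time,
     * {@code wctx}, and finally any configured extra sign-in query. A random UUID is used as
     * {@code wctx} and stored in the returned {@link RequestState} together with the originally
     * requested URL.
     *
     * @param httpServletRequest the request that triggered authentication
     * @param fedizContext       relying-party configuration
     * @return the redirect URL and the request state to remember for the response
     * @throws ProcessingException if the protocol is not WS-Federation, no issuer URL can be
     *                             resolved, or building the request fails for any other reason
     */
    @Override // org.apache.cxf.fediz.core.processor.FedizProcessor
    public RedirectionResponse createSignInRequest(HttpServletRequest httpServletRequest, FedizContext fedizContext) throws ProcessingException {
        try {
            if (!(fedizContext.getProtocol() instanceof FederationProtocol)) {
                LOG.error("Unsupported protocol");
                throw new IllegalStateException("Unsupported protocol");
            }
            String issuerUrl = resolveIssuer(httpServletRequest, fedizContext);
            LOG.debug("Issuer url: {}", issuerUrl);
            if (issuerUrl == null || issuerUrl.isEmpty()) {
                // Without this guard the redirect below would begin with the literal text "null".
                throw new IllegalStateException("No issuer URL could be resolved");
            }
            String wauth = resolveAuthenticationType(httpServletRequest, fedizContext);
            LOG.debug("WAuth: {}", wauth);
            String wreq = resolveRequest(httpServletRequest, fedizContext);
            LOG.debug("WReq: {}", wreq);
            String homeRealm = resolveHomeRealm(httpServletRequest, fedizContext);
            LOG.debug("HomeRealm: {}", homeRealm);
            String freshness = resolveFreshness(httpServletRequest, fedizContext);
            LOG.debug("Freshness: {}", freshness);
            String extraQuery = resolveSignInQuery(httpServletRequest, fedizContext);
            LOG.debug("SignIn Query: {}", extraQuery);

            // Unpredictable per-request context value, kept in the request state.
            String wctx = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");

            // NOTE(review): the target address is rebuilt from the incoming request URL and query
            // string; presumably it is where the user is sent after sign-in. Confirm the consumer
            // of RequestState does not redirect to a host taken from a spoofed Host header.
            StringBuffer requestedUrl = httpServletRequest.getRequestURL();
            String queryString = httpServletRequest.getQueryString();
            if (queryString != null && !queryString.isEmpty()) {
                requestedUrl.append('?').append(queryString);
            }
            RequestState requestState = new RequestState();
            requestState.setTargetAddress(requestedUrl.toString());
            requestState.setIdpServiceAddress(issuerUrl);
            requestState.setState(wctx);
            requestState.setCreatedAt(System.currentTimeMillis());

            StringBuilder query = new StringBuilder();
            query.append("wa").append('=').append("wsignin1.0");

            String wreply = resolveReply(httpServletRequest, fedizContext);
            if (wreply == null || wreply.length() == 0) {
                wreply = httpServletRequest.getRequestURL().toString();
            } else {
                try {
                    new URL(wreply);
                } catch (MalformedURLException notAbsolute) {
                    // Not an absolute URL: treat the configured value as relative to the context path.
                    String contextPath = extractFullContextPath(httpServletRequest);
                    wreply = wreply.startsWith("/") ? contextPath.concat(wreply.substring(1)) : contextPath.concat(wreply);
                }
            }
            LOG.debug("wreply={}", wreply);
            query.append('&').append("wreply").append('=');
            query.append(URLEncoder.encode(wreply, "UTF-8"));

            String wtrealm = resolveWTRealm(httpServletRequest, fedizContext);
            LOG.debug("wtrealm={}", wtrealm);
            query.append('&').append("wtrealm").append('=').append(URLEncoder.encode(wtrealm, "UTF-8"));

            appendOptionalParam(query, "wauth", wauth);
            appendOptionalParam(query, "wreq", wreq);
            appendOptionalParam(query, "whr", homeRealm);
            appendOptionalParam(query, "wfresh", freshness);

            query.append('&').append(FederationConstants.PARAM_CURRENT_TIME).append('=').append(URLEncoder.encode(new XmlSchemaDateFormat().format(new Date()), "UTF-8"));
            LOG.debug("wctx={}", wctx);
            query.append('&').append("wctx").append('=');
            query.append(URLEncoder.encode(wctx, "UTF-8"));

            // The extra sign-in query is appended as-is: it is expected to be already encoded.
            if (extraQuery != null && extraQuery.length() > 0) {
                query.append('&').append(extraQuery);
            }

            RedirectionResponse redirectionResponse = new RedirectionResponse();
            redirectionResponse.setRedirectionURL(issuerUrl + "?" + query.toString());
            redirectionResponse.setRequestState(requestState);
            return redirectionResponse;
        } catch (Exception e) {
            LOG.error("Failed to create SignInRequest", e);
            throw new ProcessingException("Failed to create SignInRequest", e);
        }
    }

    /** Appends {@code &name=<url-encoded value>} when the value is neither null nor empty. */
    private static void appendOptionalParam(StringBuilder query, String name, String value) throws UnsupportedEncodingException {
        if (value != null && value.length() > 0) {
            query.append('&').append(name).append('=').append(URLEncoder.encode(value, "UTF-8"));
        }
    }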

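    /**
     * Builds the redirect that sends the browser to the IdP for a WS-Federation sign-out.
     *
     * <p>A {@code wreply} request parameter is honoured only when a logout redirect constraint is
     * configured and the whole parameter value matches it; otherwise the configured
     * {@code logoutRedirectTo} is used. The assertion argument is not used by this method.
     *
     * @param httpServletRequest   the logout request
     * @param samlAssertionWrapper unused
     * @param fedizContext         relying-party configuration
     * @return the redirect URL for the IdP
     * @throws ProcessingException if the protocol is not WS-Federation or building the request fails
     */
    @Override // org.apache.cxf.fediz.core.processor.FedizProcessor
    public RedirectionResponse createSignOutRequest(HttpServletRequest httpServletRequest, SamlAssertionWrapper samlAssertionWrapper, FedizContext fedizContext) throws ProcessingException {
        try {
            if (!(fedizContext.getProtocol() instanceof FederationProtocol)) {
                LOG.error("Unsupported protocol");
                throw new IllegalStateException("Unsupported protocol");
            }
            // NOTE(review): when no issuer can be resolved this stays null and the redirect URL
            // below begins with the literal text "null"; decide whether logout should fail instead.
            String issuerUrl = null;
            String resolvedIssuer = resolveIssuer(httpServletRequest, fedizContext);
            LOG.debug("Issuer url: {}", resolvedIssuer);
            if (resolvedIssuer != null && resolvedIssuer.length() > 0) {
                issuerUrl = resolvedIssuer;
            }

            StringBuilder query = new StringBuilder();
            query.append("wa").append('=').append("wsignout1.0");

            // wreply is caller-controlled: accept it only if the configured pattern matches the
            // entire value (Matcher.matches), and ignore it when no constraint is configured.
            String logoutReply = null;
            String requestedReply = httpServletRequest.getParameter("wreply");
            if (requestedReply != null) {
                Pattern constraint = resolveLogoutRedirectToConstraint(httpServletRequest, fedizContext);
                if (constraint == null) {
                    LOG.debug("No regular expression constraint configured for logout. Ignoring wreply parameter");
                } else if (constraint.matcher(requestedReply).matches()) {
                    logoutReply = requestedReply;
                } else {
                    // Log the rejected value itself, with line breaks neutralised so it cannot
                    // forge additional log entries.
                    LOG.warn("The received wreply address {} does not match the configured constraint {}", requestedReply.replaceAll("[\\r\\n]", "_"), constraint);
                }
            }
            if (logoutReply == null || logoutReply.isEmpty()) {
                logoutReply = fedizContext.getLogoutRedirectTo();
            }
            if (logoutReply != null && !logoutReply.isEmpty()) {
                if (logoutReply.startsWith("/")) {
                    logoutReply = extractFullContextPath(httpServletRequest).concat(logoutReply.substring(1));
                } else if (!logoutReply.startsWith("http")) {
                    // Anything beginning with "http" (which includes "https") is used unchanged.
                    logoutReply = extractFullContextPath(httpServletRequest).concat(logoutReply);
                }
                LOG.debug("wreply={}", logoutReply);
                query.append('&').append("wreply").append('=');
                query.append(URLEncoder.encode(logoutReply, "UTF-8"));
            }

            String wtrealm = resolveWTRealm(httpServletRequest, fedizContext);
            LOG.debug("wtrealm={}", wtrealm);
            query.append('&').append("wtrealm").append('=').append(URLEncoder.encode(wtrealm, "UTF-8"));

            // The extra sign-out query is appended as-is: it is expected to be already encoded.
            String extraQuery = resolveSignOutQuery(httpServletRequest, fedizContext);
            LOG.debug("SignOut Query: {}", extraQuery);
            if (extraQuery != null && extraQuery.length() > 0) {
                query.append('&').append(extraQuery);
            }

            RedirectionResponse redirectionResponse = new RedirectionResponse();
            redirectionResponse.setRedirectionURL(issuerUrl + "?" + query.toString());
            return redirectionResponse;
        } catch (Exception e) {
            LOG.error("Failed to create SignOutRequest", e);
            // Keep the cause so callers can see what actually failed.
            throw new ProcessingException("Failed to create SignOutRequest", e);
        }
    }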

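    /**
     * Resolves the extra query string to append to the sign-in redirect.
     *
     * <p>A configured {@link String} is returned unchanged. A configured {@link CallbackHandler}
     * is asked for a parameter map, which is rendered as {@code key=value} pairs joined by
     * {@code &}. Both keys and values are URL-encoded so that a key containing {@code &} or
     * {@code =} cannot change the structure of the redirect query.
     *
     * @return the query fragment, or {@code null} if nothing is configured or the handler
     *         supplies no map
     */
    private String resolveSignInQuery(HttpServletRequest httpServletRequest, FedizContext fedizContext) throws IOException, UnsupportedCallbackException, UnsupportedEncodingException {
        Object configured = ((FederationProtocol) fedizContext.getProtocol()).getSignInQuery();
        if (configured instanceof String) {
            return (String) configured;
        }
        if (!(configured instanceof CallbackHandler)) {
            return null;
        }
        SignInQueryCallback callback = new SignInQueryCallback(httpServletRequest);
        ((CallbackHandler) configured).handle(new Callback[]{callback});
        Map<String, String> params = callback.getSignInQueryParamMap();
        if (params == null) {
            return null;
        }
        StringBuilder query = new StringBuilder();
        for (Map.Entry<String, String> entry : params.entrySet()) {
            if (query.length() > 0) {
                query.append('&');
            }
            query.append(URLEncoder.encode(entry.getKey(), "UTF-8")).append('=').append(URLEncoder.encode(entry.getValue(), "UTF-8"));
        }
        return query.toString();
    }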

    /**
     * Resolves the pattern a {@code wreply} logout parameter must match.
     *
     * @return the configured {@link Pattern}, the pattern supplied by a configured
     *         {@link CallbackHandler} (which may be {@code null}), or {@code null} when the
     *         configured value is neither of the two
     */
    private Pattern resolveLogoutRedirectToConstraint(HttpServletRequest httpServletRequest, FedizContext fedizContext) throws IOException, UnsupportedCallbackException {
        Object configured = fedizContext.getLogoutRedirectToConstraint();
        if (configured instanceof Pattern) {
            return (Pattern) configured;
        }
        if (configured instanceof CallbackHandler) {
            ReplyConstraintCallback callback = new ReplyConstraintCallback(httpServletRequest);
            ((CallbackHandler) configured).handle(new Callback[]{callback});
            return callback.getReplyConstraint();
        }
        return null;
    }

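    /**
     * Resolves the extra query string to append to the sign-out redirect.
     *
     * <p>A configured {@link String} is returned unchanged. A configured {@link CallbackHandler}
     * is asked for a parameter map, which is rendered as {@code key=value} pairs joined by
     * {@code &}. Both keys and values are URL-encoded so that a key containing {@code &} or
     * {@code =} cannot change the structure of the redirect query.
     *
     * @return the query fragment, or {@code null} if nothing is configured or the handler
     *         supplies no map
     */
    private String resolveSignOutQuery(HttpServletRequest httpServletRequest, FedizContext fedizContext) throws IOException, UnsupportedCallbackException {
        Object configured = ((FederationProtocol) fedizContext.getProtocol()).getSignOutQuery();
        if (configured instanceof String) {
            return (String) configured;
        }
        if (!(configured instanceof CallbackHandler)) {
            return null;
        }
        SignOutQueryCallback callback = new SignOutQueryCallback(httpServletRequest);
        ((CallbackHandler) configured).handle(new Callback[]{callback});
        Map<String, String> params = callback.getSignOutQueryParamMap();
        if (params == null) {
            return null;
        }
        StringBuilder query = new StringBuilder();
        for (Map.Entry<String, String> entry : params.entrySet()) {
            if (query.length() > 0) {
                query.append('&');
            }
            query.append(URLEncoder.encode(entry.getKey(), "UTF-8")).append('=').append(URLEncoder.encode(entry.getValue(), "UTF-8"));
        }
        return query.toString();
    }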

    /**
     * Resolves the {@code wfresh} value: a configured {@link String} is used directly, a
     * configured {@link CallbackHandler} is asked through a {@link FreshnessCallback}.
     *
     * @return the freshness value, or {@code null} if the configured value is neither type
     */
    private String resolveFreshness(HttpServletRequest httpServletRequest, FedizContext fedizContext) throws IOException, UnsupportedCallbackException {
        Object configured = ((FederationProtocol) fedizContext.getProtocol()).getFreshness();
        if (configured instanceof String) {
            return (String) configured;
        }
        if (!(configured instanceof CallbackHandler)) {
            return null;
        }
        FreshnessCallback callback = new FreshnessCallback(httpServletRequest);
        ((CallbackHandler) configured).handle(new Callback[]{callback});
        return callback.getFreshness();
    }

    /**
     * Resolves the home realm ({@code whr}) to send to the IdP.
     *
     * <p>A non-empty {@code whr} request parameter takes precedence over configuration, so the
     * value can be chosen by whoever issues the request. Otherwise the configured value is
     * used: a {@link String} directly, a {@link CallbackHandler} through the overload below, or
     * a {@link List} whose entries are tried in order until one yields a non-null realm.
     *
     * @return the home realm; may be {@code null} (or the empty request value) if none is found
     */
    private String resolveHomeRealm(HttpServletRequest httpServletRequest, FedizContext fedizContext) {
        String homeRealm = httpServletRequest.getParameter("whr");
        boolean suppliedByRequest = homeRealm != null && !homeRealm.isEmpty();
        if (suppliedByRequest) {
            LOG.debug("HomeRealm was defined as 'whr' request parameter and will be used for IDP redirect");
        } else {
            Object configured = ((FederationProtocol) fedizContext.getProtocol()).getHomeRealm();
            if (configured instanceof String) {
                homeRealm = (String) configured;
            } else if (configured instanceof CallbackHandler) {
                homeRealm = resolveHomeRealm(configured, httpServletRequest);
            } else if (configured instanceof List) {
                for (Object candidate : (List<?>) configured) {
                    homeRealm = resolveHomeRealm(candidate, httpServletRequest);
                    if (homeRealm != null) {
                        LOG.debug("Home realm was found by {}", candidate.getClass());
                        break;
                    }
                }
            }
        }
        LOG.debug("Users home realm will be set to {}", homeRealm);
        return homeRealm;
    }

    /**
     * Asks a single handler for the home realm.
     *
     * <p>Handler failures are logged and otherwise ignored; whatever the callback holds
     * afterwards is returned.
     *
     * @param obj expected to be a {@link CallbackHandler}
     * @return the realm set on the callback, or {@code null} if {@code obj} is not a handler
     */
    private String resolveHomeRealm(Object obj, HttpServletRequest httpServletRequest) {
        if (obj instanceof CallbackHandler) {
            HomeRealmCallback callback = new HomeRealmCallback(httpServletRequest);
            try {
                ((CallbackHandler) obj).handle(new Callback[]{callback});
            } catch (IOException | UnsupportedCallbackException e) {
                LOG.warn("Home Realm Callbackhandler caused an exception", e);
            }
            return callback.getHomeRealm();
        }
        LOG.warn("Callback Handler was not an instanceof CallbackHandler: {}", obj);
        return null;
    }

    /**
     * Resolves the {@code wauth} value: a configured {@link String} is used directly, a
     * configured {@link CallbackHandler} is asked through a {@link WAuthCallback}.
     *
     * @return the authentication type, or {@code null} if the configured value is neither type
     */
    private String resolveAuthenticationType(HttpServletRequest httpServletRequest, FedizContext fedizContext) throws IOException, UnsupportedCallbackException {
        Object configured = ((FederationProtocol) fedizContext.getProtocol()).getAuthenticationType();
        if (configured instanceof String) {
            return (String) configured;
        }
        if (!(configured instanceof CallbackHandler)) {
            return null;
        }
        WAuthCallback callback = new WAuthCallback(httpServletRequest);
        ((CallbackHandler) configured).handle(new Callback[]{callback});
        return callback.getWauth();
    }

    /**
     * Resolves the {@code wreq} value: a configured {@link String} is used directly, a
     * configured {@link CallbackHandler} is asked through a {@link WReqCallback}.
     *
     * @return the request value, or {@code null} if the configured value is neither type
     */
    private String resolveRequest(HttpServletRequest httpServletRequest, FedizContext fedizContext) throws IOException, UnsupportedCallbackException {
        Object configured = ((FederationProtocol) fedizContext.getProtocol()).getRequest();
        if (configured instanceof String) {
            return (String) configured;
        }
        if (!(configured instanceof CallbackHandler)) {
            return null;
        }
        WReqCallback callback = new WReqCallback(httpServletRequest);
        ((CallbackHandler) configured).handle(new Callback[]{callback});
        return callback.getWreq();
    }

    /**
     * Resolves the {@code wreply} value: a configured {@link String} is used directly, a
     * configured {@link CallbackHandler} is asked through a {@link ReplyCallback}.
     *
     * @return the reply address, or {@code null} if the configured value is neither type
     */
    private String resolveReply(HttpServletRequest httpServletRequest, FedizContext fedizContext) throws IOException, UnsupportedCallbackException {
        Object configured = ((FederationProtocol) fedizContext.getProtocol()).getReply();
        if (configured instanceof String) {
            return (String) configured;
        }
        if (!(configured instanceof CallbackHandler)) {
            return null;
        }
        ReplyCallback callback = new ReplyCallback(httpServletRequest);
        ((CallbackHandler) configured).handle(new Callback[]{callback});
        return callback.getReply();
    }

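    /**
     * Rejects the token unless every non-optional requested claim is present.
     *
     * <p>A required claim counts as present when the token carries a claim of the same type, or
     * when the required type equals the role URI and the token produced at least one role. A
     * token without a claim list, or a token claim without a type, counts as "not present"
     * instead of causing a {@link NullPointerException}.
     *
     * @param str   role URI, or {@code null}
     * @param list  requested claims from the configuration, or {@code null} for none
     * @param list2 claims found in the token, or {@code null}
     * @param z     whether the token yielded any roles
     * @throws ProcessingException {@code INVALID_REQUEST} for the first missing mandatory claim
     */
    private void testForMandatoryClaims(String str, List<Claim> list, List<org.apache.cxf.fediz.core.Claim> list2, boolean z) throws ProcessingException {
        if (list == null) {
            return;
        }
        for (Claim required : list) {
            if (required.isOptional()) {
                continue;
            }
            boolean present = false;
            if (list2 != null) {
                for (org.apache.cxf.fediz.core.Claim tokenClaim : list2) {
                    Object tokenClaimType = tokenClaim.getClaimType();
                    if (tokenClaimType != null && required.getType().equals(tokenClaimType.toString())) {
                        present = true;
                        break;
                    }
                }
            }
            // The role claim is delivered as roles rather than as a plain claim.
            if (!present && z && str != null && str.equals(required.getType())) {
                present = true;
            }
            if (!present) {
                LOG.warn("Mandatory claim {} not found in token", required.getType());
                throw new ProcessingException("Mandatory claim not found in token", ProcessingException.TYPE.INVALID_REQUEST);
            }
        }
    }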

    // Runs WSS4J's global initialisation once, when this class is loaded.
    static {
        WSSConfig.init();
    }
}
