package org.wso2.carbon.appmgt.gateway.handlers.security.saml2;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.UUID;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;
import javax.xml.namespace.QName;
import org.apache.axiom.om.OMElement;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.synapse.MessageContext;
import org.joda.time.DateTime;
import org.json.simple.JSONArray;
import org.json.simple.JSONObject;
import org.json.simple.JSONValue;
import org.opensaml.common.SAMLVersion;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.LogoutRequest;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.NameIDPolicy;
import org.opensaml.saml2.core.RequestAbstractType;
import org.opensaml.saml2.core.RequestedAuthnContext;
import org.opensaml.saml2.core.SessionIndex;
import org.opensaml.saml2.core.StatusResponseType;
import org.opensaml.saml2.core.impl.AuthnContextClassRefBuilder;
import org.opensaml.saml2.core.impl.AuthnRequestBuilder;
import org.opensaml.saml2.core.impl.IssuerBuilder;
import org.opensaml.saml2.core.impl.LogoutRequestBuilder;
import org.opensaml.saml2.core.impl.NameIDBuilder;
import org.opensaml.saml2.core.impl.NameIDPolicyBuilder;
import org.opensaml.saml2.core.impl.RequestedAuthnContextBuilder;
import org.opensaml.saml2.core.impl.ResponseImpl;
import org.opensaml.saml2.core.impl.SessionIndexBuilder;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.util.Base64;
import org.wso2.carbon.appmgt.api.model.AuthenticatedIDP;
import org.wso2.carbon.appmgt.api.model.WebApp;
import org.wso2.carbon.appmgt.gateway.handlers.security.Session;
import org.wso2.carbon.appmgt.gateway.handlers.security.authentication.AuthenticationContext;
import org.wso2.carbon.appmgt.gateway.utils.GatewayUtils;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/appmgt/gateway/handlers/security/saml2/SAMLUtils.class */
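/**
 * Helpers for the gateway's SAML 2.0 SSO flow: building AuthnRequest/LogoutRequest messages,
 * encoding them for transport, and decoding the IdP callback into an {@link IDPMessage} and an
 * {@link AuthenticationContext}.
 * <p>
 * NOTE(review): nothing in this class verifies XML signatures, issuer, audience or validity
 * conditions of what the IdP sends back; it only decodes. Callers must treat the decoded objects
 * as untrusted until that validation has happened elsewhere — confirm where.
 */
public class SAMLUtils {
    private static final Log log = LogFactory.getLog(SAMLUtils.class);

    // Names of the form fields the IdP posts back to the gateway callback.
    private static final String IDP_CALLBACK_ATTRIBUTE_NAME_SAML_RESPONSE = "SAMLResponse";
    private static final String IDP_CALLBACK_ATTRIBUTE_NAME_SAML_REQUEST = "SAMLRequest";
    private static final String IDP_CALLBACK_ATTRIBUTE_NAME_AUTHENTICATED_IDPS = "AuthenticatedIdPs";
    private static final String IDP_CALLBACK_ATTRIBUTE_NAME_RELAY_STATE = "RelayState";

    public static final String SESSION_ATTRIBUTE_SAML_SESSION_INDEX = "samlSessionIndex";
    public static final String SESSION_ATTRIBUTE_RAW_SAML_RESPONSES = "rawSAMLResponses";

    private static final String CHARSET_UTF8 = "UTF-8";

    private static final String SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    private static final String SAML2_PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol";
    private static final String NAMEID_FORMAT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";
    private static final String NAMEID_FORMAT_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity";
    private static final String AUTHN_CONTEXT_PASSWORD_PROTECTED_TRANSPORT =
            "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport";
    private static final String BINDING_HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";

    // Random bytes behind an AuthnRequest ID; hex-encoded this gives a 64-character ID.
    private static final int REQUEST_ID_RANDOM_BYTES = 32;
    // NotOnOrAfter of a LogoutRequest is five minutes after its IssueInstant.
    private static final long LOGOUT_REQUEST_VALIDITY_MILLIS = 5L * 60L * 1000L;
    // DEFLATE level used for encoded requests; "nowrap" (true) omits the zlib header/trailer.
    private static final int DEFLATE_LEVEL = 8;
    // Option flag passed to the OpenSAML Base64 encoder; value 8 selects single-line output.
    private static final int BASE64_DONT_BREAK_LINES = 8;

    // SecureRandom is thread-safe; one instance serves all request IDs.
    private static final SecureRandom RANDOM = new SecureRandom();

    /**
     * Builds the SAML 2.0 {@code AuthnRequest} the gateway sends to the IdP for {@code webApp}.
     * The request carries a fresh random ID, the app's configured issuer, a persistent NameID
     * policy, an EXACT PasswordProtectedTransport authentication context, the HTTP-POST protocol
     * binding and the gateway's assertion consumer URL derived from {@code messageContext}.
     *
     * @param messageContext the current Synapse message context, used to derive the ACS URL
     * @param webApp the web app whose SAML issuer is placed in the request
     * @return the unsigned, unmarshalled AuthnRequest
     */
    public static AuthnRequest buildAuthenticationRequest(MessageContext messageContext, WebApp webApp) {
        Issuer issuer = new IssuerBuilder().buildObject(SAML2_ASSERTION_NS, "Issuer", "samlp");
        issuer.setValue(webApp.getSaml2SsoIssuer());

        NameIDPolicy nameIdPolicy = new NameIDPolicyBuilder().buildObject();
        nameIdPolicy.setFormat(NAMEID_FORMAT_PERSISTENT);
        nameIdPolicy.setSPNameQualifier("Issuer");
        nameIdPolicy.setAllowCreate(true);

        AuthnContextClassRef classRef =
                new AuthnContextClassRefBuilder().buildObject(SAML2_ASSERTION_NS, "AuthnContextClassRef", "saml");
        classRef.setAuthnContextClassRef(AUTHN_CONTEXT_PASSWORD_PROTECTED_TRANSPORT);

        RequestedAuthnContext requestedAuthnContext = new RequestedAuthnContextBuilder().buildObject();
        requestedAuthnContext.setComparison(AuthnContextComparisonTypeEnumeration.EXACT);
        requestedAuthnContext.getAuthnContextClassRefs().add(classRef);

        AuthnRequest authnRequest = new AuthnRequestBuilder().buildObject(SAML2_PROTOCOL_NS, "AuthnRequest", "samlp");
        authnRequest.setForceAuthn(false);
        authnRequest.setIsPassive(false);
        authnRequest.setIssueInstant(new DateTime());
        authnRequest.setProtocolBinding(BINDING_HTTP_POST);
        authnRequest.setAssertionConsumerServiceURL(getAssertionConsumerUrl(messageContext));
        authnRequest.setIssuer(issuer);
        authnRequest.setNameIDPolicy(nameIdPolicy);
        authnRequest.setRequestedAuthnContext(requestedAuthnContext);
        authnRequest.setID(generateRequestId());
        authnRequest.setDestination(GatewayUtils.getIDPUrl());
        authnRequest.setVersion(SAMLVersion.VERSION_20);
        return authnRequest;
    }

    /**
     * Returns a request ID made of {@link #REQUEST_ID_RANDOM_BYTES} cryptographically random bytes,
     * hex-encoded. The ID is what the IdP echoes in {@code InResponseTo}, so it must be unguessable.
     */
    private static String generateRequestId() {
        byte[] randomBytes = new byte[REQUEST_ID_RANDOM_BYTES];
        RANDOM.nextBytes(randomBytes);
        return String.valueOf(Hex.encodeHex(randomBytes));
    }

    /**
     * Marshalls {@code requestAbstractType} to XML, DEFLATE-compresses it without a zlib wrapper,
     * Base64-encodes the result on a single line and URL-encodes that for use as a form/query value.
     *
     * @param requestAbstractType the SAML request to encode (an AuthnRequest or LogoutRequest)
     * @return the URL-encoded, Base64, deflated request
     * @throws SAMLException if marshalling or compression fails
     */
    public static String marshallAndEncodeSAMLRequest(RequestAbstractType requestAbstractType) throws SAMLException {
        Deflater deflater = new Deflater(DEFLATE_LEVEL, true);
        try {
            String xml = SAMLSSOUtil.marshall(requestAbstractType);
            ByteArrayOutputStream buffer = new ByteArrayOutputStream();
            DeflaterOutputStream deflaterStream = new DeflaterOutputStream(buffer, deflater);
            try {
                deflaterStream.write(xml.getBytes(CHARSET_UTF8));
            } finally {
                // close() finishes the DEFLATE stream; the buffer is only complete afterwards.
                deflaterStream.close();
            }
            String base64 = Base64.encodeBytes(buffer.toByteArray(), BASE64_DONT_BREAK_LINES);
            return URLEncoder.encode(base64, CHARSET_UTF8).trim();
        } catch (IOException e) {
            throw new SAMLException("Can't marshall and encode SAML request", e);
        } catch (IdentityException e) {
            throw new SAMLException("Can't marshall and encode SAML request", e);
        } finally {
            // A Deflater passed in explicitly is not ended by DeflaterOutputStream.close();
            // end() releases its native zlib memory instead of waiting for finalization.
            deflater.end();
        }
    }

    /**
     * Reads the IdP callback from the first child of the SOAP body and extracts the SAML response
     * and/or request, the authenticated-IdP list and the relay state, each only when present.
     * <p>
     * NOTE(review): the decoded SAML objects are not signature- or issuer-checked here; confirm the
     * caller validates them before acting on them.
     *
     * @param messageContext the Synapse message context carrying the IdP callback
     * @return the decoded message; fields absent from the callback stay unset
     * @throws SAMLException if a present field cannot be decoded or does not have the expected type
     */
    public static IDPMessage processIDPMessage(MessageContext messageContext) throws SAMLException {
        IDPMessage idpMessage = new IDPMessage();
        Iterator<?> bodyChildren = messageContext.getEnvelope().getBody().getChildElements();
        if (!bodyChildren.hasNext()) {
            return idpMessage;
        }
        OMElement payload = (OMElement) bodyChildren.next();

        String rawResponse = getChildText(payload, IDP_CALLBACK_ATTRIBUTE_NAME_SAML_RESPONSE);
        if (rawResponse != null) {
            XMLObject decoded = decodeAndUnmarshallSAMLRequestOrResponse(rawResponse);
            // Reject anything that is not a status response instead of failing with a ClassCastException.
            if (!(decoded instanceof StatusResponseType)) {
                throw new SAMLException("Decoded SAMLResponse is not a SAML status response");
            }
            idpMessage.setSAMLResponse((StatusResponseType) decoded);
            idpMessage.setRawSAMLResponse(rawResponse);
        }

        String rawRequest = getChildText(payload, IDP_CALLBACK_ATTRIBUTE_NAME_SAML_REQUEST);
        if (rawRequest != null) {
            XMLObject decoded = decodeAndUnmarshallSAMLRequestOrResponse(rawRequest);
            if (!(decoded instanceof RequestAbstractType)) {
                throw new SAMLException("Decoded SAMLRequest is not a SAML request");
            }
            idpMessage.setSAMLRequest((RequestAbstractType) decoded);
            idpMessage.setRawSAMLRequest(rawRequest);
        }

        String authenticatedIdps = getChildText(payload, IDP_CALLBACK_ATTRIBUTE_NAME_AUTHENTICATED_IDPS);
        if (authenticatedIdps != null) {
            idpMessage.setAuthenticatedIDPs(getAuthenticatedIDPs(authenticatedIdps));
        }

        String relayState = getChildText(payload, IDP_CALLBACK_ATTRIBUTE_NAME_RELAY_STATE);
        if (relayState != null) {
            idpMessage.setRelayState(relayState);
        }
        return idpMessage;
    }

    /** Returns the text of the direct child of {@code parent} named {@code localName}, or null if absent. */
    private static String getChildText(OMElement parent, String localName) {
        OMElement child = parent.getFirstChildWithName(new QName(localName));
        return child == null ? null : child.getText();
    }

    /**
     * Parses the {@code AuthenticatedIdPs} callback value. The value is a dot-separated token; only
     * its second segment is read, as a URL-encoded Base64 JSON object whose {@code idps} array yields
     * one {@link AuthenticatedIDP} per element's {@code idp} name.
     * <p>
     * NOTE(review): no other segment of the token (e.g. a signature) is checked here, so the list is
     * only as trustworthy as the channel it arrived on — confirm it is verified before it is relied on.
     *
     * @param str the raw callback value, may be null
     * @return the IdPs, or null when {@code str} is null (kept for existing callers)
     * @throws SAMLException if the value is malformed or cannot be decoded
     */
    private static List<AuthenticatedIDP> getAuthenticatedIDPs(String str) throws SAMLException {
        if (str == null) {
            return null;
        }
        String[] segments = str.split("\\.");
        if (segments.length < 2) {
            throw new SAMLException("Can't decode authenticated IDPs: unexpected token format");
        }
        Object parsed;
        try {
            byte[] payloadBytes = Base64.decode(URLDecoder.decode(segments[1], CHARSET_UTF8));
            // Guard in case the decoder signals bad input with null rather than an exception.
            if (payloadBytes == null) {
                throw new SAMLException("Can't decode authenticated IDPs: payload is not valid Base64");
            }
            parsed = JSONValue.parse(new String(payloadBytes, CHARSET_UTF8));
        } catch (UnsupportedEncodingException e) {
            throw new SAMLException("Can't decode authenticated IDPs", e);
        }
        if (!(parsed instanceof JSONObject)) {
            throw new SAMLException("Can't decode authenticated IDPs: payload is not a JSON object");
        }
        Object idps = ((JSONObject) parsed).get("idps");
        if (!(idps instanceof JSONArray)) {
            throw new SAMLException("Can't decode authenticated IDPs: missing 'idps' array");
        }
        JSONArray idpArray = (JSONArray) idps;
        List<AuthenticatedIDP> result = new ArrayList<AuthenticatedIDP>(idpArray.size());
        for (int i = 0; i < idpArray.size(); i++) {
            Object entry = idpArray.get(i);
            Object idpName = entry instanceof JSONObject ? ((JSONObject) entry).get("idp") : null;
            if (idpName == null) {
                throw new SAMLException("Can't decode authenticated IDPs: entry without 'idp' name");
            }
            AuthenticatedIDP authenticatedIdp = new AuthenticatedIDP();
            authenticatedIdp.setIdpName(idpName.toString());
            result.add(authenticatedIdp);
        }
        return result;
    }

    /**
     * Base64-decodes {@code str} and unmarshalls the resulting XML into an OpenSAML object.
     * No signature verification takes place here.
     *
     * @param str the Base64-encoded SAML XML
     * @return the unmarshalled object
     * @throws SAMLException if {@code str} is null, not valid Base64, or not unmarshallable
     */
    public static XMLObject decodeAndUnmarshallSAMLRequestOrResponse(String str) throws SAMLException {
        if (str == null) {
            throw new SAMLException("Can't decode and unmarshall SAML response: value is null");
        }
        try {
            byte[] xmlBytes = Base64.decode(str);
            // Guard in case the decoder signals bad input with null rather than an exception.
            if (xmlBytes == null) {
                throw new SAMLException("Can't decode and unmarshall SAML response: not valid Base64");
            }
            return SAMLSSOUtil.unmarshall(new String(xmlBytes, CHARSET_UTF8));
        } catch (IdentityException e) {
            throw new SAMLException("Can't decode and unmarshall SAML response", e);
        } catch (UnsupportedEncodingException e) {
            throw new SAMLException("Can't decode and unmarshall SAML response", e);
        }
    }

    /**
     * Derives the gateway's {@link AuthenticationContext} from a decoded IdP response: the subject
     * is the NameID of the first assertion, the tenant domain is derived from that subject, and the
     * authenticated IdPs are copied over. When the response has no assertion, no subject or no
     * NameID, the context is returned with {@code authenticated} set to false.
     * <p>
     * NOTE(review): the response is used as-is; confirm it has been validated before this is called.
     *
     * @param iDPMessage the decoded IdP callback
     * @return a populated context, or an unauthenticated one when no subject can be read
     */
    public static AuthenticationContext getAuthenticationContext(IDPMessage iDPMessage) {
        AuthenticationContext context = new AuthenticationContext();
        Assertion assertion = null;
        // An empty assertion list previously threw IndexOutOfBoundsException; treat it as "no subject".
        if (iDPMessage.getSAMLResponse() != null && !iDPMessage.getSAMLResponse().getAssertions().isEmpty()) {
            assertion = (Assertion) iDPMessage.getSAMLResponse().getAssertions().get(0);
        }
        if (assertion == null || assertion.getSubject() == null || assertion.getSubject().getNameID() == null) {
            context.setAuthenticated(false);
            return context;
        }
        String subject = assertion.getSubject().getNameID().getValue();
        context.setSubject(subject);
        context.setTenantDomain(MultitenantUtils.getTenantDomain(subject));
        context.setAuthenticatedIDPs(iDPMessage.getAuthenticatedIDPs());
        return context;
    }

    /** Assertion consumer URL: the app's root URL plus the configured ACS postfix. */
    private static String getAssertionConsumerUrl(MessageContext messageContext) {
        return GatewayUtils.getAppRootURL(messageContext) + GatewayUtils.getACSURLPostfix();
    }

    /**
     * Builds the SAML 2.0 {@code LogoutRequest} for {@code session}: a random UUID as ID, the IdP
     * URL as destination, the session's subject as an entity-format NameID and the SAML session
     * index stored in the session under {@link #SESSION_ATTRIBUTE_SAML_SESSION_INDEX}.
     *
     * @param str the issuer value to place in the request
     * @param session the gateway session being logged out
     * @return the unsigned, unmarshalled LogoutRequest
     */
    public static LogoutRequest buildLogoutRequest(String str, Session session) {
        String subject = session.getAuthenticationContext().getSubject();
        String sessionIndex = (String) session.getAttribute(SESSION_ATTRIBUTE_SAML_SESSION_INDEX);
        if (log.isDebugEnabled()) {
            log.debug(String.format("{%s} - Building logout request for subject : '%s' & sessionIndex : '%s'", session.getUuid(), subject, sessionIndex));
        }
        DateTime issueInstant = new DateTime();

        Issuer issuer = new IssuerBuilder().buildObject();
        issuer.setValue(str);

        NameID nameId = new NameIDBuilder().buildObject();
        nameId.setFormat(NAMEID_FORMAT_ENTITY);
        nameId.setValue(subject);

        SessionIndex sessionIndexElement = new SessionIndexBuilder().buildObject();
        sessionIndexElement.setSessionIndex(sessionIndex);

        LogoutRequest logoutRequest = new LogoutRequestBuilder().buildObject();
        logoutRequest.setID(UUID.randomUUID().toString());
        logoutRequest.setDestination(GatewayUtils.getIDPUrl());
        logoutRequest.setIssueInstant(issueInstant);
        logoutRequest.setNotOnOrAfter(new DateTime(issueInstant.getMillis() + LOGOUT_REQUEST_VALIDITY_MILLIS));
        logoutRequest.setIssuer(issuer);
        logoutRequest.setNameID(nameId);
        logoutRequest.getSessionIndexes().add(sessionIndexElement);
        logoutRequest.setReason("Single Logout");
        return logoutRequest;
    }

    /**
     * Returns the session index of the first AuthnStatement of the first assertion in
     * {@code responseImpl}, or null when the response has no assertion or no AuthnStatement
     * (the previous implementation threw IndexOutOfBoundsException in those cases).
     *
     * @param responseImpl the decoded IdP response
     * @return the session index string, or null if absent
     */
    public static Object getSessionIndex(ResponseImpl responseImpl) {
        List<Assertion> assertions = responseImpl.getAssertions();
        if (assertions == null || assertions.isEmpty()) {
            return null;
        }
        List<AuthnStatement> statements = assertions.get(0).getAuthnStatements();
        if (statements == null || statements.isEmpty()) {
            return null;
        }
        return statements.get(0).getSessionIndex();
    }
}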
