package org.wso2.carbon.identity.oauth2.token.handlers.grant.saml;

import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.joda.time.DateTime;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.common.model.FederatedAuthenticatorConfig;
import org.wso2.carbon.identity.application.common.model.IdentityProvider;
import org.wso2.carbon.identity.application.common.model.Property;
import org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.common.OAuthConstants;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler;
import org.wso2.carbon.identity.oauth2.util.X509CredentialImpl;
import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
import org.wso2.carbon.idp.mgt.IdentityProviderManager;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/token/handlers/grant/saml/SAML2BearerGrantHandler.class */
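/**
 * Grant handler for the SAML 2.0 Bearer assertion grant type.
 * <p>
 * {@link #validateGrant(OAuthTokenReqMessageContext)} decodes the Base64 assertion carried in the
 * token request, rejects nested assertions, resolves the issuing Identity Provider by its
 * {@code IdPEntityId}, and then checks the audience restrictions, the subject confirmations
 * (bearer method, recipient, time bounds) and the XML signature against the Identity Provider's
 * certificate. Only after every check has passed is the request context populated with the
 * authorized user, the validity period and the assertion itself.
 * <p>
 * Time comparisons are made against the local clock with no skew tolerance.
 * {@link #init()} must have bootstrapped OpenSAML before the first grant is validated.
 */
public class SAML2BearerGrantHandler extends AbstractAuthorizationGrantHandler {

    private static final Log log = LogFactory.getLog(SAML2BearerGrantHandler.class);

    private static final String SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    private static final String ASSERTION_ELEMENT = "Assertion";
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";
    private static final String LOCAL_IDP_NAME = "LOCAL";
    private static final String SAML_ASSERTION_TOKEN_TYPE = "SAML_Assertion";
    private static final String IDP_ENTITY_ID_PROPERTY = "IdPEntityId";
    private static final String SAMLSSO_AUTHENTICATOR_NAME = "samlsso";
    private static final String OIDC_AUTHENTICATOR_NAME = "openidconnect";

    /** OpenSAML signature-profile validator, created by {@link #init()}. */
    SAMLSignatureProfileValidator profileValidator = null;

    /**
     * Bootstraps the OpenSAML 2 library and creates the signature profile validator.
     * <p>
     * OpenSAML resolves its providers through the thread context class loader, so the loader is
     * swapped to this class's loader for the duration of the bootstrap and always restored.
     *
     * @throws IdentityOAuth2Exception if the OpenSAML bootstrap fails
     */
    @Override
    public void init() throws IdentityOAuth2Exception {
        super.init();
        Thread currentThread = Thread.currentThread();
        ClassLoader originalLoader = currentThread.getContextClassLoader();
        currentThread.setContextClassLoader(getClass().getClassLoader());
        try {
            DefaultBootstrap.bootstrap();
        } catch (ConfigurationException e) {
            log.error("Error in bootstrapping the OpenSAML2 library", e);
            throw new IdentityOAuth2Exception("Error in bootstrapping the OpenSAML2 library", e);
        } finally {
            currentThread.setContextClassLoader(originalLoader);
        }
        this.profileValidator = new SAMLSignatureProfileValidator();
    }

    /**
     * Validates the SAML 2.0 bearer assertion in the token request.
     * <p>
     * On success the context receives the federated authorized user, a validity period bounded by
     * the earliest NotOnOrAfter found in the assertion, the requested scope, the assertion under
     * {@link OAuthConstants#OAUTH_SAML2_ASSERTION}, and the configured SAML2 token callback handler
     * is invoked. Any failed check logs the reason (at debug level for expected validation
     * failures) and returns {@code false} without touching the context.
     *
     * @param oAuthTokenReqMessageContext token request context carrying the Base64 assertion
     * @return {@code true} if the assertion is acceptable for issuing a token
     * @throws IdentityOAuth2Exception on Identity Provider lookup or certificate decoding errors
     */
    @Override
    public boolean validateGrant(OAuthTokenReqMessageContext oAuthTokenReqMessageContext)
            throws IdentityOAuth2Exception {
        if (!super.validateGrant(oAuthTokenReqMessageContext)) {
            return false;
        }
        String tenantDomain = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getTenantDomain();
        if (StringUtils.isEmpty(tenantDomain)) {
            tenantDomain = SUPER_TENANT_DOMAIN;
        }

        String encodedAssertion = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getAssertion();
        if (StringUtils.isBlank(encodedAssertion)) {
            if (log.isDebugEnabled()) {
                log.debug("SAML2 assertion is missing in the token request");
            }
            return false;
        }
        // Decode once and pin the charset; new String(byte[]) alone would use the platform default.
        String assertionXml = new String(Base64.decodeBase64(encodedAssertion), StandardCharsets.UTF_8);
        if (log.isDebugEnabled() && IdentityUtil.isTokenLoggable(SAML_ASSERTION_TOKEN_TYPE)) {
            log.debug("Received SAML assertion : " + assertionXml);
        }

        Assertion assertion = unmarshallAssertion(assertionXml);
        if (assertion == null) {
            return false;
        }

        if (assertion.getSubject() == null) {
            if (log.isDebugEnabled()) {
                log.debug("Cannot find a Subject in the Assertion");
            }
            return false;
        }
        // NameID is optional in the schema, so it is guarded before its value is read.
        if (assertion.getSubject().getNameID() == null
                || StringUtils.isBlank(assertion.getSubject().getNameID().getValue())) {
            if (log.isDebugEnabled()) {
                log.debug("NameID in Assertion cannot be empty");
            }
            return false;
        }
        String subjectIdentifier = assertion.getSubject().getNameID().getValue();

        if (assertion.getIssuer() == null || StringUtils.isEmpty(assertion.getIssuer().getValue())) {
            if (log.isDebugEnabled()) {
                log.debug("Issuer is empty in the SAML assertion");
            }
            return false;
        }
        String issuer = assertion.getIssuer().getValue();

        IdentityProvider identityProvider;
        String tokenEndpointAlias;
        try {
            identityProvider = IdentityProviderManager.getInstance()
                    .getIdPByAuthenticatorPropertyValue(IDP_ENTITY_ID_PROPERTY, issuer, tenantDomain, false);
            if (identityProvider == null) {
                if (log.isDebugEnabled()) {
                    log.debug("SAML Token Issuer : " + issuer
                            + " not registered as a local Identity Provider in tenant : " + tenantDomain);
                }
                return false;
            }
            if (LOCAL_IDP_NAME.equals(identityProvider.getIdentityProviderName())) {
                // The issuer is the resident IdP: its entity id and token endpoint come from the
                // resident IdP's federated authenticator configuration.
                identityProvider = IdentityProviderManager.getInstance().getResidentIdP(tenantDomain);
                if (!isResidentIdpIssuer(identityProvider, issuer, tenantDomain)) {
                    return false;
                }
                tokenEndpointAlias = getAuthenticatorProperty(identityProvider, OIDC_AUTHENTICATOR_NAME,
                        OAuthServerConfiguration.ConfigElements.OAUTH2_TOKEN_EP_URL);
            } else {
                tokenEndpointAlias = identityProvider.getAlias();
            }
        } catch (IdentityProviderManagementException e) {
            throw new IdentityOAuth2Exception(
                    "Error while getting an Identity Provider for issuer value : " + issuer, e);
        }
        String idpName = identityProvider.getIdentityProviderName();
        if (StringUtils.isBlank(tokenEndpointAlias)) {
            if (log.isDebugEnabled()) {
                log.debug("Token Endpoint alias has not been configured in the Identity Provider : " + idpName
                        + " in tenant : " + tenantDomain);
            }
            return false;
        }

        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            if (log.isDebugEnabled()) {
                log.debug("SAML Assertion doesn't contain Conditions");
            }
            return false;
        }
        if (!validateAudienceRestrictions(conditions, tokenEndpointAlias, idpName, tenantDomain)) {
            return false;
        }
        // One timestamp for all time-bound checks so a single request is evaluated consistently.
        DateTime now = new DateTime();
        if (!validateSubjectConfirmations(assertion, conditions, tokenEndpointAlias, idpName, tenantDomain, now)) {
            return false;
        }
        if (!validateSignature(assertion, identityProvider, tenantDomain)) {
            return false;
        }

        // Only a fully validated assertion may populate the request context.
        AuthenticatedUser authenticatedUser =
                AuthenticatedUser.createFederateAuthenticatedUserFromSubjectIdentifier(subjectIdentifier);
        authenticatedUser.setUserName(subjectIdentifier);
        authenticatedUser.setTenantDomain(tenantDomain);
        oAuthTokenReqMessageContext.setAuthorizedUser(authenticatedUser);

        DateTime notOnOrAfter = earliestNotOnOrAfter(assertion);
        if (notOnOrAfter != null) {
            // The issued token must not outlive the assertion it was derived from.
            oAuthTokenReqMessageContext.setValidityPeriod(notOnOrAfter.getMillis() - System.currentTimeMillis());
        }
        oAuthTokenReqMessageContext.setScope(oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getScope());
        oAuthTokenReqMessageContext.addProperty(OAuthConstants.OAUTH_SAML2_ASSERTION, assertion);

        SAML2TokenCallbackHandler callbackHandler =
                OAuthServerConfiguration.getInstance().getSAML2TokenCallbackHandler();
        if (callbackHandler != null) {
            if (log.isDebugEnabled()) {
                log.debug("Invoking the SAML2 Token callback handler ");
            }
            callbackHandler.handleSAML2Token(oAuthTokenReqMessageContext);
        }
        return true;
    }

    /**
     * Unmarshalls the assertion XML and applies the structural checks.
     * <p>
     * Nested {@code <Assertion>} elements are rejected so that only the single, signature-covered
     * assertion is ever evaluated, and anything that is not an {@link Assertion} is refused.
     *
     * @param assertionXml decoded assertion document
     * @return the assertion, or {@code null} (already logged) if it cannot be used
     */
    private static Assertion unmarshallAssertion(String assertionXml) {
        XMLObject samlObject;
        try {
            samlObject = IdentityUtil.unmarshall(assertionXml);
        } catch (IdentityException e) {
            if (log.isDebugEnabled()) {
                log.debug("Error while unmashalling the assertion", e);
            }
            return null;
        }
        if (samlObject == null || samlObject.getDOM() == null) {
            if (log.isDebugEnabled()) {
                log.debug("Assertion is null, cannot continue");
            }
            return null;
        }
        // getElementsByTagNameNS only returns descendants, so any hit means a nested assertion.
        if (samlObject.getDOM().getElementsByTagNameNS(SAML2_ASSERTION_NS, ASSERTION_ELEMENT).getLength() > 0) {
            log.error("Invalid schema for SAML2 Assertion. Nested assertions detected.");
            return null;
        }
        if (!(samlObject instanceof Assertion)) {
            log.error("Only Assertion objects are validated in SAML2Bearer Grant Type");
            return null;
        }
        return (Assertion) samlObject;
    }

    /**
     * Reads a property of one of the Identity Provider's federated authenticators.
     *
     * @param identityProvider  provider whose authenticator configs are searched
     * @param authenticatorName federated authenticator name
     * @param propertyName      property name within that authenticator
     * @return the property value, or {@code null} if the authenticator or property is absent
     */
    private static String getAuthenticatorProperty(IdentityProvider identityProvider, String authenticatorName,
                                                   String propertyName) {
        FederatedAuthenticatorConfig authenticator = IdentityApplicationManagementUtil.getFederatedAuthenticator(
                identityProvider.getFederatedAuthenticatorConfigs(), authenticatorName);
        if (authenticator == null || authenticator.getProperties() == null) {
            return null;
        }
        Property property = IdentityApplicationManagementUtil.getProperty(authenticator.getProperties(), propertyName);
        return property != null ? property.getValue() : null;
    }

    /**
     * Checks that the assertion issuer equals the resident IdP's configured SAML entity id.
     *
     * @param residentIdp  resident Identity Provider of the tenant (may be {@code null})
     * @param issuer       issuer value from the assertion
     * @param tenantDomain tenant being served, for logging
     * @return {@code true} if the issuer matches the resident IdP's {@code IdPEntityId}
     */
    private static boolean isResidentIdpIssuer(IdentityProvider residentIdp, String issuer, String tenantDomain) {
        String expectedIssuer = residentIdp == null ? null
                : getAuthenticatorProperty(residentIdp, SAMLSSO_AUTHENTICATOR_NAME, IDP_ENTITY_ID_PROPERTY);
        if (expectedIssuer == null || !expectedIssuer.equals(issuer)) {
            if (log.isDebugEnabled()) {
                log.debug("SAML Token Issuer verification failed against resident Identity Provider in tenant : "
                        + tenantDomain + ". Received : " + issuer + ", Expected : " + expectedIssuer);
            }
            return false;
        }
        return true;
    }

    /**
     * Validates the {@code AudienceRestriction} elements against the token endpoint alias.
     * <p>
     * Per SAML 2.0 Core each {@code AudienceRestriction} is evaluated independently and all of them
     * must be satisfied, while the {@code Audience} values inside one restriction are alternatives.
     *
     * @param conditions         assertion conditions (non-null)
     * @param tokenEndpointAlias audience the token endpoint expects
     * @param idpName            Identity Provider name, for logging
     * @param tenantDomain       tenant being served, for logging
     * @return {@code true} if every restriction names the alias as an audience
     */
    private static boolean validateAudienceRestrictions(Conditions conditions, String tokenEndpointAlias,
                                                        String idpName, String tenantDomain) {
        List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions();
        if (audienceRestrictions == null || audienceRestrictions.isEmpty()) {
            if (log.isDebugEnabled()) {
                log.debug("SAML Assertion doesn't contain AudienceRestrictions");
            }
            return false;
        }
        for (AudienceRestriction restriction : audienceRestrictions) {
            boolean matched = false;
            if (CollectionUtils.isNotEmpty(restriction.getAudiences())) {
                for (Audience audience : restriction.getAudiences()) {
                    // alias is known to be non-blank here; the audience URI may be null.
                    if (tokenEndpointAlias.equals(audience.getAudienceURI())) {
                        matched = true;
                        break;
                    }
                }
            }
            if (!matched) {
                if (log.isDebugEnabled()) {
                    log.debug("SAML Assertion Audience Restriction validation failed against the Audience : "
                            + tokenEndpointAlias + " of Identity Provider : " + idpName + " in tenant : "
                            + tenantDomain);
                }
                return false;
            }
        }
        return true;
    }

    /**
     * Validates the {@code SubjectConfirmation} elements and the assertion's time bounds.
     * <p>
     * Requirements: every confirmation has a Method and at least one uses the bearer method; a
     * confirmation without {@code SubjectConfirmationData} is only acceptable when the
     * {@code Conditions} carry both NotOnOrAfter and NotBefore; any Recipient present must equal the
     * token endpoint alias; every NotOnOrAfter found (Conditions or SubjectConfirmationData) must be
     * after {@code now} and every NotBefore must not be after {@code now}; and at least one
     * NotOnOrAfter and one NotBefore must exist somewhere in the assertion.
     *
     * @param assertion          assertion whose Subject is known to be non-null
     * @param conditions         assertion conditions (non-null)
     * @param tokenEndpointAlias expected recipient
     * @param idpName            Identity Provider name, for logging
     * @param tenantDomain       tenant being served, for logging
     * @param now                instant all time bounds are compared against
     * @return {@code true} if all subject confirmation and timing checks pass
     */
    private static boolean validateSubjectConfirmations(Assertion assertion, Conditions conditions,
                                                        String tokenEndpointAlias, String idpName,
                                                        String tenantDomain, DateTime now) {
        List<SubjectConfirmation> subjectConfirmations = assertion.getSubject().getSubjectConfirmations();
        if (subjectConfirmations == null || subjectConfirmations.isEmpty()) {
            if (log.isDebugEnabled()) {
                log.debug("No SubjectConfirmation exist in Assertion");
            }
            return false;
        }

        DateTime conditionsNotOnOrAfter = conditions.getNotOnOrAfter();
        DateTime conditionsNotBefore = conditions.getNotBefore();
        if (conditionsNotOnOrAfter != null && !conditionsNotOnOrAfter.isAfter(now)) {
            if (log.isDebugEnabled()) {
                log.debug("NotOnOrAfter is having an expired timestamp in Conditions element");
            }
            return false;
        }
        if (conditionsNotBefore != null && conditionsNotBefore.isAfter(now)) {
            if (log.isDebugEnabled()) {
                log.debug("NotBefore is having an early timestamp in Conditions element");
            }
            return false;
        }

        boolean bearerMethodFound = false;
        boolean expiryBoundFound = conditionsNotOnOrAfter != null;
        boolean startBoundFound = conditionsNotBefore != null;
        List<String> recipients = new ArrayList<String>();
        for (SubjectConfirmation subjectConfirmation : subjectConfirmations) {
            if (subjectConfirmation.getMethod() == null) {
                if (log.isDebugEnabled()) {
                    log.debug("Cannot find Method attribute in SubjectConfirmation " + subjectConfirmation);
                }
                return false;
            }
            if (OAuthConstants.OAUTH_SAML2_BEARER_METHOD.equals(subjectConfirmation.getMethod())) {
                bearerMethodFound = true;
            }
            if (subjectConfirmation.getSubjectConfirmationData() == null) {
                // Without SubjectConfirmationData the assertion-level Conditions must bound validity.
                if (conditionsNotOnOrAfter == null) {
                    if (log.isDebugEnabled()) {
                        log.debug("Neither can find NotOnOrAfter attribute in Conditions nor SubjectConfirmationData"
                                + " in SubjectConfirmation " + subjectConfirmation);
                    }
                    return false;
                }
                if (conditionsNotBefore == null) {
                    if (log.isDebugEnabled()) {
                        log.debug("Neither can find NotBefore attribute in Conditions nor SubjectConfirmationData"
                                + " in SubjectConfirmation " + subjectConfirmation);
                    }
                    return false;
                }
                continue;
            }

            String recipient = subjectConfirmation.getSubjectConfirmationData().getRecipient();
            if (recipient != null) {
                recipients.add(recipient);
            }
            DateTime dataNotOnOrAfter = subjectConfirmation.getSubjectConfirmationData().getNotOnOrAfter();
            DateTime dataNotBefore = subjectConfirmation.getSubjectConfirmationData().getNotBefore();
            if (dataNotOnOrAfter == null && dataNotBefore == null && log.isDebugEnabled()) {
                log.debug("Cannot find NotOnOrAfter and NotBefore attributes in SubjectConfirmationData "
                        + subjectConfirmation.getSubjectConfirmationData());
            }
            if (dataNotOnOrAfter != null) {
                expiryBoundFound = true;
                if (!dataNotOnOrAfter.isAfter(now)) {
                    if (log.isDebugEnabled()) {
                        log.debug("NotOnOrAfter is having an expired timestamp in SubjectConfirmationData of "
                                + "SubjectConfirmation " + subjectConfirmation);
                    }
                    return false;
                }
            }
            if (dataNotBefore != null) {
                startBoundFound = true;
                if (dataNotBefore.isAfter(now)) {
                    if (log.isDebugEnabled()) {
                        log.debug("NotBefore is having an early timestamp in SubjectConfirmationData of "
                                + "SubjectConfirmation " + subjectConfirmation);
                    }
                    return false;
                }
            }
        }

        if (!bearerMethodFound) {
            if (log.isDebugEnabled()) {
                log.debug("Failed to find a SubjectConfirmation with a Method attribute having : "
                        + "urn:oasis:names:tc:SAML:2.0:cm:bearer");
            }
            return false;
        }
        if (!recipients.isEmpty() && !recipients.contains(tokenEndpointAlias)) {
            if (log.isDebugEnabled()) {
                log.debug("None of the recipient URLs match against the token endpoint alias : " + tokenEndpointAlias
                        + " of Identity Provider " + idpName + " in tenant : " + tenantDomain);
            }
            return false;
        }
        if (!expiryBoundFound) {
            if (log.isDebugEnabled()) {
                log.debug("No valid NotOnOrAfter element found in SubjectConfirmations");
            }
            return false;
        }
        if (!startBoundFound) {
            if (log.isDebugEnabled()) {
                log.debug("No valid NotBefore element found in SubjectConfirmations");
            }
            return false;
        }
        return true;
    }

    /**
     * Validates the assertion signature: the signature must be present, conform to the SAML
     * signature profile, and verify against the Identity Provider's configured certificate.
     *
     * @param assertion        assertion to check
     * @param identityProvider provider whose certificate signs the assertion
     * @param tenantDomain     tenant being served, for error reporting
     * @return {@code true} if the signature verifies
     * @throws IdentityOAuth2Exception if the provider's certificate cannot be decoded
     */
    private boolean validateSignature(Assertion assertion, IdentityProvider identityProvider, String tenantDomain)
            throws IdentityOAuth2Exception {
        // An unsigned assertion carries no proof of origin and is rejected before any validator runs.
        if (assertion.getSignature() == null) {
            if (log.isDebugEnabled()) {
                log.debug("Assertion is not signed; a signature is required for the SAML2 Bearer grant");
            }
            return false;
        }
        try {
            this.profileValidator.validate(assertion.getSignature());
        } catch (ValidationException e) {
            log.error("Signature do not confirm to SAML signature profile.", e);
            return false;
        }
        X509Certificate idpCertificate;
        try {
            idpCertificate = (X509Certificate) IdentityApplicationManagementUtil
                    .decodeCertificate(identityProvider.getCertificate());
        } catch (CertificateException e) {
            throw new IdentityOAuth2Exception("Error occurred while decoding public certificate of Identity Provider "
                    + identityProvider.getIdentityProviderName() + " for tenant domain " + tenantDomain, e);
        }
        try {
            new SignatureValidator(new X509CredentialImpl(idpCertificate)).validate(assertion.getSignature());
        } catch (ValidationException e) {
            log.error("Error while validating the signature.", e);
            return false;
        }
        if (log.isDebugEnabled()) {
            log.debug("Signature validation successful");
        }
        return true;
    }

    /**
     * Returns the earliest NotOnOrAfter among the Conditions and all SubjectConfirmationData.
     *
     * @param assertion assertion whose Subject is known to be non-null
     * @return the earliest expiry instant, or {@code null} if none is present
     */
    private static DateTime earliestNotOnOrAfter(Assertion assertion) {
        DateTime earliest = assertion.getConditions() != null ? assertion.getConditions().getNotOnOrAfter() : null;
        List<SubjectConfirmation> subjectConfirmations = assertion.getSubject().getSubjectConfirmations();
        if (subjectConfirmations == null) {
            return earliest;
        }
        for (SubjectConfirmation subjectConfirmation : subjectConfirmations) {
            if (subjectConfirmation.getSubjectConfirmationData() == null) {
                continue;
            }
            DateTime candidate = subjectConfirmation.getSubjectConfirmationData().getNotOnOrAfter();
            if (candidate != null && (earliest == null || candidate.isBefore(earliest))) {
                earliest = candidate;
            }
        }
        return earliest;
    }
}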
