package com.cloudseal.client.saml2;

import java.io.ByteArrayOutputStream;
import java.io.StringReader;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.security.Signature;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.zip.DataFormatException;
import java.util.zip.Inflater;
import javax.xml.XMLConstants;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.apache.commons.codec.binary.Base64;
import org.apache.log4j.Logger;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/* loaded from: input_file:com/cloudseal/client/saml2/SamlValidatorImpl.class */
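/**
 * Validates SAML 2.0 messages received from the Cloudseal identity provider: HTTP-POST authentication
 * responses ({@link #validateAuthResponse}) and HTTP-Redirect logout requests ({@link #validateLogoutRequest}).
 * <p>
 * All input handled here is attacker-supplied (it arrives via the user's browser), so XML parsing is
 * hardened against external entities, the signature must envelop the element that data is read from,
 * and subject/attribute extraction is confined to the signed assertion.
 */
public class SamlValidatorImpl implements SamlValidator {
    // The original obtained this logger for SamlBuilderImpl.class (a likely copy/paste slip), so validator
    // log lines were filed under the builder's category; attribute them to this class instead.
    private static final Logger logger = Logger.getLogger(SamlValidatorImpl.class);

    /** Namespace of XML Digital Signature elements (ds:Signature, ds:Reference, ...). */
    private static final String XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    /** Local name of a SAML 2.0 assertion element (in the {@code saml2} namespace). */
    private static final String ASSERTION = "Assertion";

    /** Local name of a SAML 2.0 response element (in the {@code saml2p} namespace). */
    private static final String RESPONSE = "Response";

    /**
     * HTTP-Redirect binding query string: group 1 is the signed data (everything from {@code SAMLRequest=}
     * up to, but excluding, {@code &Signature=}); group 2 is the URL-encoded, Base64 signature value.
     */
    private static final Pattern REDIRECT_BINDING = Pattern.compile("^(SAMLRequest=.*?)&Signature=([^&]+).*");

    /** {@code SigAlg} parameter inside the signed data; its value is still URL-encoded. */
    private static final Pattern SIG_ALG_PARAM = Pattern.compile("(?:^|&)SigAlg=([^&]*)");

    /** SigAlg URI for RSA with SHA-256; every other value keeps the original SHA1withRSA behaviour. */
    private static final String RSA_SHA256_URI = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /** Upper bound for {@link #inflate(byte[])}; bounds memory use on a hostile deflate stream. */
    private static final int MAX_INFLATED_BYTES = 1024 * 1024;

    /**
     * Transforms a SAML enveloped signature may use: the enveloped-signature transform plus
     * canonicalization. Anything else (e.g. an XPath filter) could exclude parts of the signed element
     * from the digest while the signature still validates.
     */
    private static final Set<String> ALLOWED_TRANSFORMS = Collections.unmodifiableSet(new HashSet<String>(Arrays.asList(
            Transform.ENVELOPED,
            CanonicalizationMethod.INCLUSIVE,
            CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS,
            CanonicalizationMethod.EXCLUSIVE,
            CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS)));

    /**
     * Validates a Base64-encoded SAML 2.0 Response and extracts the authenticated principal.
     * <p>
     * Checks, in order: the XML parses with DTDs and external entities disabled; the first
     * {@code ds:Signature} validates against {@code publicKey} and envelops the Response or a top-level
     * Assertion; the assertion's {@code SubjectConfirmationData/@InResponseTo} equals {@code str2}; every
     * {@code AudienceRestriction} lists {@code str3}. Subject, attributes and roles are then read only
     * from the signed assertion, so unsigned content elsewhere in the document is never used.
     * <p>
     * NOTE(review): {@code Conditions/@NotBefore} and {@code @NotOnOrAfter} are not evaluated here, so a
     * captured response remains acceptable until the caller stops accepting its request id.
     *
     * @param publicKey the identity provider's signing key
     * @param str       Base64-encoded SAML Response
     * @param str2      id of the authentication request this response must answer; an empty value also
     *                  accepts responses carrying no {@code InResponseTo} at all (unsolicited responses)
     * @param str3      expected audience (this service provider's entity id)
     * @return the principal described by the signed assertion
     * @throws VerificationException if any check fails or the XML cannot be parsed
     */
    @Override // com.cloudseal.client.saml2.SamlValidator
    public CloudsealPrincipal validateAuthResponse(PublicKey publicKey, String str, String str2, String str3) throws VerificationException {
        byte[] decoded = str == null ? new byte[0] : Base64.decodeBase64(str);
        if (decoded.length < 1) {
            throw new VerificationException("Unable to decode SAML Response");
        }
        String xml = new String(decoded, StandardCharsets.UTF_8);
        if (logger.isDebugEnabled()) {
            // The whole response, subject and attributes included, lands in the log at DEBUG level.
            logger.debug("SAML Response received: " + xml);
        }
        XPath xPath = XPathFactory.newInstance().newXPath();
        setXPathNamespace(xPath);
        try {
            Document document = newSecureDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            Element signed = verifySignedElement(publicKey, document);
            Element assertion = locateAssertion(xPath, signed);
            verifyInResponseTo(xPath, assertion, str2);
            verifyAudience(xPath, assertion, str3);
            return authenticate(xPath, assertion);
        } catch (VerificationException e) {
            // Previously re-wrapped as "Unable to marshall XML", which hid the actual reason from callers.
            throw e;
        } catch (Exception e) {
            throw new VerificationException("Unable to marshall XML", e);
        }
    }

    /**
     * Verifies the signature of a SAML logout request sent with the HTTP-Redirect binding.
     * <p>
     * The signed data is the query string from {@code SAMLRequest=} up to {@code &Signature=}. The
     * signature algorithm is taken from the {@code SigAlg} parameter when it lies inside the signed data
     * and names RSA-SHA256; otherwise SHA1withRSA is used, exactly as before.
     *
     * @param publicKey the identity provider's signing key
     * @param str       the raw query string of the redirect
     * @throws VerificationException if the query string is not in redirect-binding form, the signature
     *                               does not verify, or the signature value cannot be decoded
     */
    @Override // com.cloudseal.client.saml2.SamlValidator
    public void validateLogoutRequest(PublicKey publicKey, String str) throws VerificationException {
        Matcher matcher = str == null ? null : REDIRECT_BINDING.matcher(str);
        if (matcher == null || !matcher.matches()) {
            throw new VerificationException("Invalid Logout request format according to the HTTP redirect binding format");
        }
        String signedData = matcher.group(1);
        String encodedSignature = matcher.group(2);
        try {
            byte[] signatureBytes = Base64.decodeBase64(URLDecoder.decode(encodedSignature, "UTF-8"));
            Signature signature = Signature.getInstance(jcaSignatureAlgorithm(signedData));
            signature.initVerify(publicKey);
            signature.update(signedData.getBytes(StandardCharsets.UTF_8));
            if (!signature.verify(signatureBytes)) {
                throw new VerificationException("Signature does not match public key");
            }
        } catch (VerificationException e) {
            throw e;
        } catch (Exception e) {
            // Nothing is inflated here; the old "Unable to inflate SAML Request" text was misleading.
            throw new VerificationException("Unable to verify SAML Logout request", e);
        }
    }

    /**
     * Maps the {@code SigAlg} parameter found in {@code signedData} to a JCA algorithm name.
     * Only the SigAlg inside the signed data is consulted, so a SigAlg appended after the signature
     * cannot influence which algorithm is used.
     */
    private static String jcaSignatureAlgorithm(String signedData) throws UnsupportedEncodingException {
        Matcher sigAlg = SIG_ALG_PARAM.matcher(signedData);
        if (sigAlg.find() && RSA_SHA256_URI.equals(URLDecoder.decode(sigAlg.group(1), "UTF-8"))) {
            return "SHA256withRSA";
        }
        // SHA1withRSA was the only algorithm ever verified; keep it as the default so requests without
        // (or with an unrecognised) SigAlg behave as before.
        return "SHA1withRSA";
    }

    /**
     * Inflates a raw (no zlib header) deflate stream and decodes the result as UTF-8.
     * <p>
     * The original implementation did a single 1024-byte inflate and silently truncated anything
     * longer; this version drains the stream and caps the output at {@link #MAX_INFLATED_BYTES}.
     *
     * @param bArr raw deflate data
     * @return the inflated text
     * @throws DataFormatException          if the stream is corrupt, needs a preset dictionary, or
     *                                      inflates beyond {@link #MAX_INFLATED_BYTES}
     * @throws UnsupportedEncodingException never thrown any more; retained for subclass compatibility
     */
    protected String inflate(byte[] bArr) throws DataFormatException, UnsupportedEncodingException {
        Inflater inflater = new Inflater(true);
        try {
            inflater.setInput(bArr, 0, bArr.length);
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buffer = new byte[1024];
            while (!inflater.finished()) {
                int produced = inflater.inflate(buffer);
                if (produced == 0) {
                    if (inflater.needsDictionary()) {
                        throw new DataFormatException("Deflate stream requires a preset dictionary");
                    }
                    if (inflater.needsInput()) {
                        break; // all input consumed; tolerate a stream without a final block marker
                    }
                    continue;
                }
                if (out.size() + produced > MAX_INFLATED_BYTES) {
                    throw new DataFormatException("Inflated data exceeds " + MAX_INFLATED_BYTES + " bytes");
                }
                out.write(buffer, 0, produced);
            }
            return new String(out.toByteArray(), StandardCharsets.UTF_8);
        } finally {
            inflater.end();
        }
    }

    /**
     * Binds the {@code saml2p} and {@code saml2} prefixes used by every XPath expression in this class.
     */
    protected void setXPathNamespace(XPath xPath) {
        xPath.setNamespaceContext(new NamespaceContextMap("saml2p", SamlBuilderImpl.SAML_PROTOCOL_NAMESPACE, "saml2", SamlBuilderImpl.SAML_NAMESPACE));
    }

    /**
     * Builds a namespace-aware parser with DTDs, external entities and entity expansion disabled.
     * If the underlying parser rejects one of these features the exception propagates and the
     * response is refused rather than parsed with XXE enabled.
     */
    private static DocumentBuilder newSecureDocumentBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    /**
     * Document-wide variant kept for subclasses: searches the whole document for
     * {@code SubjectConfirmationData/@InResponseTo}.
     */
    protected void verifyInResponseTo(XPath xPath, Document document, String str) throws VerificationException {
        verifyInResponseTo(xPath, (Node) document, str);
    }

    /**
     * Checks that the first {@code SubjectConfirmationData/@InResponseTo} below {@code context} equals
     * {@code str}. A missing attribute evaluates to the empty string, so an empty {@code str} accepts
     * responses that carry no {@code InResponseTo}.
     *
     * @throws VerificationException if the value differs from {@code str}
     */
    protected void verifyInResponseTo(XPath xPath, Node context, String str) throws VerificationException {
        try {
            String actual = xPath.evaluate(".//saml2:SubjectConfirmationData/@InResponseTo", context);
            if (actual == null || !actual.equals(str)) {
                throw new VerificationException("Unable to verify inResponseTo, expected: " + str + " actual: " + actual);
            }
        } catch (XPathExpressionException e) {
            throw new RuntimeException(e); // expression is a constant; failing to compile it is a bug
        }
    }

    /**
     * Document-wide variant kept for subclasses: checks every {@code AudienceRestriction} in the document.
     */
    protected void verifyAudience(XPath xPath, Document document, String str) throws VerificationException {
        verifyAudience(xPath, (Node) document, str);
    }

    /**
     * Checks that at least one {@code AudienceRestriction} exists below {@code context} and that each of
     * them lists {@code str} among its {@code Audience} values (SAML evaluates multiple restrictions
     * independently, so all must be satisfied).
     *
     * @throws VerificationException if no restriction is present or one of them does not name {@code str}
     */
    protected void verifyAudience(XPath xPath, Node context, String str) throws VerificationException {
        try {
            NodeList restrictions = (NodeList) xPath.evaluate(".//saml2:AudienceRestriction", context, XPathConstants.NODESET);
            if (restrictions.getLength() == 0) {
                throw new VerificationException("Unable to verify Audience, expected: " + str + " actual: ");
            }
            for (int i = 0; i < restrictions.getLength(); i++) {
                NodeList audiences = (NodeList) xPath.evaluate("saml2:Audience", restrictions.item(i), XPathConstants.NODESET);
                List<String> actual = textContents(audiences);
                if (!actual.contains(str)) {
                    throw new VerificationException("Unable to verify Audience, expected: " + str + " actual: " + actual);
                }
            }
        } catch (XPathExpressionException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Validates the response signature; kept for subclasses that only need the pass/fail result.
     *
     * @throws VerificationException if {@link #verifySignedElement} rejects the document
     */
    protected void verifyResponseSignature(PublicKey publicKey, Document document) throws VerificationException {
        verifySignedElement(publicKey, document);
    }

    /**
     * Validates the first {@code ds:Signature} in the document and returns the element it envelops.
     * <p>
     * Beyond cryptographic validation this requires that the Signature is a direct child of either the
     * document element or an Assertion directly below it, that the signature has exactly one Reference
     * whose URI is that element's {@code ID}, and that only enveloped-signature/canonicalization
     * transforms are used. Together these stop an unsigned element from being presented as the signed one.
     * <p>
     * NOTE(review): the JDK's "org.jcp.xml.dsig.secureValidation" context property is not enabled here;
     * on recent JDKs it rejects SHA-1 based signatures, which this integration appears to rely on.
     *
     * @return the Response or Assertion element covered by the signature
     * @throws VerificationException if no signature is present, it fails to validate, or it does not
     *                               cover its parent element in the way described above
     */
    protected Element verifySignedElement(PublicKey publicKey, Document document) throws VerificationException {
        NodeList signatures = document.getElementsByTagNameNS(XMLDSIG_NS, "Signature");
        if (signatures.getLength() == 0) {
            throw new VerificationException("Cannot find Signature element");
        }
        Element signatureElement = (Element) signatures.item(0);
        Element signed = requireEnvelopingElement(document, signatureElement);
        DOMValidateContext context = new DOMValidateContext(new CloudsealKeySelector(publicKey), signatureElement);
        // Register the SAML ID attribute so the "#ID" same-document reference resolves to this element only.
        context.setIdAttributeNS(signed, null, "ID");
        try {
            XMLSignature signature = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(context);
            if (!signature.validate(context)) {
                throw new VerificationException("Response verification failed");
            }
            requireReferenceCovers(signature, signed);
        } catch (XMLSignatureException | MarshalException e) {
            throw new VerificationException("Response verification failed", e);
        }
        return signed;
    }

    /**
     * Returns the parent of {@code signatureElement}, provided it is the document element or a
     * top-level Assertion and carries a non-empty {@code ID}.
     */
    private static Element requireEnvelopingElement(Document document, Element signatureElement) throws VerificationException {
        Node parent = signatureElement.getParentNode();
        Element root = document.getDocumentElement();
        boolean isRoot = parent == root;
        boolean isTopLevelAssertion = parent instanceof Element
                && parent.getParentNode() == root
                && isSamlElement(parent, ASSERTION);
        if (!isRoot && !isTopLevelAssertion) {
            throw new VerificationException("Signature must be a child of the Response or of a top-level Assertion");
        }
        Element signed = (Element) parent;
        if (signed.getAttribute("ID").isEmpty()) {
            throw new VerificationException("Signed element has no ID attribute");
        }
        return signed;
    }

    /**
     * Requires the validated signature to consist of exactly one same-document Reference to
     * {@code signed}'s {@code ID}, using only {@link #ALLOWED_TRANSFORMS}.
     */
    private static void requireReferenceCovers(XMLSignature signature, Element signed) throws VerificationException {
        List<?> references = signature.getSignedInfo().getReferences();
        if (references.size() != 1) {
            throw new VerificationException("Expected exactly one signature reference, found " + references.size());
        }
        Reference reference = (Reference) references.get(0);
        String expectedUri = "#" + signed.getAttribute("ID");
        if (!expectedUri.equals(reference.getURI())) {
            throw new VerificationException("Signature reference " + reference.getURI() + " does not cover the signed element " + expectedUri);
        }
        for (Object transform : reference.getTransforms()) {
            String algorithm = ((Transform) transform).getAlgorithm();
            if (!ALLOWED_TRANSFORMS.contains(algorithm)) {
                throw new VerificationException("Unsupported signature transform: " + algorithm);
            }
        }
    }

    /** True if {@code node} is an element named {@code localName} in the SAML assertion namespace. */
    private static boolean isSamlElement(Node node, String localName) {
        return node instanceof Element
                && SamlBuilderImpl.SAML_NAMESPACE.equals(node.getNamespaceURI())
                && localName.equals(node.getLocalName());
    }

    /**
     * Resolves the Assertion to read the principal from: {@code signed} itself when it is an Assertion,
     * otherwise the first {@code saml2:Assertion} child of a {@code saml2p:Response}.
     *
     * @throws VerificationException if {@code signed} is neither an Assertion nor a Response with one
     */
    protected Element locateAssertion(XPath xPath, Element signed) throws VerificationException {
        if (isSamlElement(signed, ASSERTION)) {
            return signed;
        }
        boolean isResponse = SamlBuilderImpl.SAML_PROTOCOL_NAMESPACE.equals(signed.getNamespaceURI())
                && RESPONSE.equals(signed.getLocalName());
        try {
            Node assertion = isResponse ? (Node) xPath.evaluate("saml2:Assertion", signed, XPathConstants.NODE) : null;
            if (!(assertion instanceof Element)) {
                throw new VerificationException("Unable to retrieve Assertion from SAML response");
            }
            return (Element) assertion;
        } catch (XPathExpressionException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Document-wide variant kept for subclasses: reads the principal from the first Assertion under
     * the document element.
     */
    protected CloudsealPrincipal authenticate(XPath xPath, Document document) throws VerificationException {
        return authenticate(xPath, locateAssertion(xPath, document.getDocumentElement()));
    }

    /**
     * Builds the principal from {@code assertion}: username from {@code Subject/NameID}, every named
     * {@code Attribute} (first {@code AttributeValue} each) into the attribute map, plus the
     * {@code birthday}, {@code sex} and {@code roles} attributes into their dedicated fields.
     * <p>
     * The original tried to skip "ROLES", "sex" and "dateOfBirth" with {@code !=} on Strings, which never
     * matched, so every attribute has always ended up in the map; that observable behaviour is kept.
     *
     * @throws VerificationException if the assertion has no non-empty {@code Subject/NameID}
     */
    protected CloudsealPrincipal authenticate(XPath xPath, Node assertion) throws VerificationException {
        CloudsealPrincipal principal = new CloudsealPrincipal();
        try {
            String nameId = xPath.evaluate("saml2:Subject/saml2:NameID", assertion);
            if (nameId == null || nameId.isEmpty()) {
                throw new VerificationException("Unable to retrieve Subject/NameID from SAML response");
            }
            principal.setUsername(nameId);
            NodeList attributes = (NodeList) xPath.evaluate(".//saml2:Attribute", assertion, XPathConstants.NODESET);
            for (int i = 0; i < attributes.getLength(); i++) {
                Element attribute = (Element) attributes.item(i);
                String name = attribute.getAttribute("Name");
                if (name.isEmpty()) {
                    continue; // an Attribute without a Name cannot be addressed by callers
                }
                String value = xPath.evaluate("saml2:AttributeValue", attribute);
                logger.debug("SAML attribute: " + name + ": " + value);
                principal.getAttributes().put(name, value);
            }
            principal.setDateOfBirth(getAttribute(xPath, assertion, "birthday"));
            principal.setSex(getAttribute(xPath, assertion, "sex"));
            principal.setRoles(getRoles(xPath, assertion));
            return principal;
        } catch (XPathExpressionException e) {
            throw new RuntimeException(e);
        }
    }

    /** Document-wide variant kept for subclasses. */
    protected String getAttribute(XPath xPath, Document document, String str) throws XPathExpressionException {
        return getAttribute(xPath, (Node) document, str);
    }

    /**
     * Returns the first {@code AttributeValue} of the attribute named {@code str} below {@code context},
     * or the empty string when absent.
     *
     * @throws IllegalArgumentException if {@code str} contains a single quote, which would break out of
     *                                  the XPath string literal
     */
    protected String getAttribute(XPath xPath, Node context, String str) throws XPathExpressionException {
        if (str != null && str.indexOf('\'') >= 0) {
            throw new IllegalArgumentException("attribute name must not contain a single quote: " + str);
        }
        return xPath.evaluate(String.format(Locale.US, ".//saml2:Attribute[@Name='%s']/saml2:AttributeValue", str), context);
    }

    /** Document-wide variant kept for subclasses. */
    protected Set<String> getRoles(XPath xPath, Document document) throws XPathExpressionException {
        return getRoles(xPath, (Node) document);
    }

    /**
     * Collects every {@code AttributeValue} of the {@code roles} attribute below {@code context}.
     *
     * @return the distinct role names, possibly empty
     */
    protected Set<String> getRoles(XPath xPath, Node context) throws XPathExpressionException {
        NodeList values = (NodeList) xPath.evaluate(".//saml2:Attribute[@Name='roles']/saml2:AttributeValue", context, XPathConstants.NODESET);
        return new HashSet<String>(textContents(values));
    }

    /** Text content of each node in {@code nodes}, in document order. */
    private static List<String> textContents(NodeList nodes) {
        List<String> values = new ArrayList<String>(nodes.getLength());
        for (int i = 0; i < nodes.getLength(); i++) {
            values.add(nodes.item(i).getTextContent());
        }
        return values;
    }
}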
