package org.apache.cxf.fediz.core;

import java.io.ByteArrayInputStream;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.Date;
import java.util.Iterator;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.servlet.http.HttpServletRequest;
import org.apache.cxf.fediz.core.config.FederationContext;
import org.apache.cxf.fediz.core.config.FederationProtocol;
import org.apache.cxf.fediz.core.exception.ProcessingException;
import org.apache.cxf.fediz.core.metadata.MetadataWriter;
import org.apache.cxf.fediz.core.spi.HomeRealmCallback;
import org.apache.cxf.fediz.core.spi.IDPCallback;
import org.apache.cxf.fediz.core.spi.WAuthCallback;
import org.apache.cxf.fediz.core.util.DOMUtils;
import org.apache.ws.security.util.XmlSchemaDateFormat;
import org.joda.time.DateTime;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:org/apache/cxf/fediz/core/FederationProcessorImpl.class */
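/**
 * WS-Federation passive-requestor processor: validates an incoming {@code wresult} (RSTR) and builds the
 * sign-in redirect to the configured issuer.
 *
 * <p>Not thread-safe state is kept here; every method works on its arguments only. Subclasses may override
 * {@link #processSignInRequest(FederationRequest, FederationContext)}.
 */
public class FederationProcessorImpl implements FederationProcessor {
    private static final Logger LOG = LoggerFactory.getLogger(FederationProcessorImpl.class);

    /** WS-Security Utility namespace of the {@code Created}/{@code Expires} children of an RSTR Lifetime. */
    private static final String WSU_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    /**
     * Validity window declared by the RSTR {@code Lifetime} element.
     *
     * <p>Kept as a public non-static inner class with {@link Date} accessors on purpose: changing its
     * nesting or types would break existing callers.
     */
    public class LifeTime {
        private final Date created;
        private final Date expires;

        /**
         * @param created start of the validity window ({@code wsu:Created})
         * @param expires end of the validity window ({@code wsu:Expires})
         */
        public LifeTime(Date created, Date expires) {
            this.created = created;
            this.expires = expires;
        }

        /** @return start of the validity window */
        public Date getCreated() {
            return this.created;
        }

        /** @return end of the validity window */
        public Date getExpires() {
            return this.expires;
        }
    }

    /**
     * Dispatches on the {@code wa} action of the request.
     *
     * @param federationRequest  the incoming request
     * @param federationContext  configuration for the protected application
     * @return the processed response for a sign-in action
     * @throws ProcessingException {@code INVALID_REQUEST} for any action other than sign-in, or whatever
     *         {@link #processSignInRequest} raises
     */
    @Override // org.apache.cxf.fediz.core.FederationProcessor
    public FederationResponse processRequest(FederationRequest federationRequest,
                                             FederationContext federationContext) throws ProcessingException {
        String action = federationRequest.getWa();
        if (FederationConstants.ACTION_SIGNIN.equals(action)) {
            return processSignInRequest(federationRequest, federationContext);
        }
        LOG.error("Invalid action '" + action + "'");
        throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
    }

    /**
     * Builds the federation metadata document for the configured context.
     *
     * @param federationContext configuration for the protected application
     * @return the metadata document produced by {@link MetadataWriter}
     * @throws ProcessingException propagated from the writer
     */
    @Override // org.apache.cxf.fediz.core.FederationProcessor
    public Document getMetaData(FederationContext federationContext) throws ProcessingException {
        return new MetadataWriter().getMetaData(federationContext);
    }

    /**
     * Parses and validates the {@code wresult} of a sign-in response.
     *
     * <p>Steps: parse the RSTR, pick out the RequestedSecurityToken / Lifetime / TokenType children, check
     * the lifetime window (if enabled), hand the token to the first validator that accepts it, run replay
     * detection (if enabled) and assemble the {@link FederationResponse}.
     *
     * @param federationRequest  the incoming request carrying {@code wresult}
     * @param federationContext  configuration for the protected application
     * @return the validated response
     * @throws ProcessingException {@code INVALID_REQUEST} for unparseable/unexpected XML or an unexpected
     *         internal failure, {@code BAD_REQUEST} for a missing token or no matching validator,
     *         {@code TOKEN_EXPIRED}, {@code TOKEN_INVALID} and {@code TOKEN_REPLAY} for the respective checks
     */
    protected FederationResponse processSignInRequest(FederationRequest federationRequest,
                                                      FederationContext federationContext) throws ProcessingException {
        try {
            Element rstr = parseWresult(federationRequest.getWresult());

            Element rst = null;
            Element lifetimeElement = null;
            String tokenType = null;
            for (Element child = DOMUtils.getFirstElement(rstr); child != null; child = DOMUtils.getNextElement(child)) {
                String ns = child.getNamespaceURI();
                // Only WS-Trust 1.3 / 2005-02 children carry the elements we care about.
                if (!FederationConstants.WS_TRUST_13_NS.equals(ns) && !FederationConstants.WS_TRUST_2005_02_NS.equals(ns)) {
                    continue;
                }
                String localName = child.getLocalName();
                if ("Lifetime".equals(localName)) {
                    lifetimeElement = child;
                } else if ("RequestedSecurityToken".equals(localName)) {
                    // The token itself is the single child of RequestedSecurityToken.
                    rst = DOMUtils.getFirstElement(child);
                } else if ("TokenType".equals(localName)) {
                    tokenType = DOMUtils.getContent(child);
                }
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("RST: " + (rst != null ? rst.toString() : "null"));
                LOG.debug("Lifetime: " + (lifetimeElement != null ? lifetimeElement.toString() : "null"));
                LOG.debug("Tokentype: " + (tokenType != null ? tokenType : "null"));
            }
            if (rst == null) {
                LOG.warn("RequestedSecurityToken element not found in wresult");
                throw new ProcessingException(ProcessingException.TYPE.BAD_REQUEST);
            }

            LifeTime lifetime = lifetimeElement != null ? processLifeTime(lifetimeElement) : null;
            if (federationContext.isDetectExpiredTokens() && lifetime != null) {
                checkLifetime(lifetime, federationContext);
            }

            TokenValidatorResponse validatorResponse = validateToken(rst, tokenType, federationContext);

            if (validatorResponse.getUniqueTokenId() != null && federationContext.isDetectReplayedTokens()) {
                registerForReplayDetection(validatorResponse, lifetime, federationContext);
            }

            return new FederationResponse(validatorResponse.getUsername(),
                                          validatorResponse.getIssuer(),
                                          validatorResponse.getRoles(),
                                          validatorResponse.getClaims(),
                                          validatorResponse.getAudience(),
                                          lifetime != null ? lifetime.getCreated() : null,
                                          lifetime != null ? lifetime.getExpires() : null,
                                          rst,
                                          validatorResponse.getUniqueTokenId());
        } catch (ProcessingException e) {
            // Specific failure types (expired, replayed, invalid token, ...) must reach the caller unchanged
            // instead of being collapsed into INVALID_REQUEST by the catch-all below.
            throw e;
        } catch (Exception e) {
            LOG.warn("Failed to process wresult", e);
            throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
        }
    }

    /**
     * Parses {@code wresult} and returns the RequestSecurityTokenResponse element, unwrapping a
     * RequestSecurityTokenResponseCollection if present.
     *
     * @param wresult raw XML from the request parameter
     * @return the RSTR element
     * @throws ProcessingException {@code INVALID_REQUEST} if the parameter is absent, not well-formed, or
     *         its root is not an RSTR (collection)
     */
    private Element parseWresult(String wresult) throws ProcessingException {
        if (wresult == null || wresult.length() == 0) {
            LOG.warn("wresult parameter is missing or empty");
            throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
        }
        Element root;
        try {
            // Encode explicitly: getBytes() without a charset depends on the JVM default and can mangle
            // non-ASCII content. NOTE(review): DTD/external-entity hardening of the parser lives in
            // DOMUtils.readXml and is not visible here — confirm it is configured.
            root = DOMUtils.readXml(new ByteArrayInputStream(wresult.getBytes(StandardCharsets.UTF_8)))
                           .getDocumentElement();
        } catch (Exception e) {
            LOG.warn("Failed to parse wresult: " + e.getMessage());
            throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
        }
        if ("RequestSecurityTokenResponseCollection".equals(root.getLocalName())) {
            root = DOMUtils.getFirstElement(root);
        }
        if (root == null || !"RequestSecurityTokenResponse".equals(root.getLocalName())) {
            LOG.warn("Unexpected root element of wresult: '" + (root != null ? root.getLocalName() : "null") + "'");
            throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
        }
        return root;
    }

    /**
     * Rejects tokens outside their declared validity window.
     *
     * <p>Expiry is compared against the current time without skew; "not yet valid" allows the configured
     * maximum clock skew on the creation time, as the original logic did.
     *
     * @throws ProcessingException {@code TOKEN_EXPIRED} or {@code TOKEN_INVALID}
     */
    private void checkLifetime(LifeTime lifetime, FederationContext federationContext) throws ProcessingException {
        if (new Date().after(lifetime.getExpires())) {
            LOG.warn("RSTR Lifetime expired");
            throw new ProcessingException(ProcessingException.TYPE.TOKEN_EXPIRED);
        }
        DateTime latestAcceptableCreation = new DateTime().plusSeconds(federationContext.getMaximumClockSkew().intValue());
        if (new DateTime(lifetime.getCreated()).isAfter(latestAcceptableCreation)) {
            LOG.debug("RSTR Lifetime not yet valid");
            throw new ProcessingException(ProcessingException.TYPE.TOKEN_INVALID);
        }
    }

    /**
     * Hands the token to the first configured validator that can handle it.
     *
     * <p>Validators that cannot handle the token are skipped rather than aborting the request, so a
     * configuration with several validators works as intended; an empty validator list no longer ends in a
     * NullPointerException but in {@code BAD_REQUEST}.
     *
     * @param rst        the security token element
     * @param tokenType  the declared TokenType, or {@code null} to let validators inspect the element
     * @return the non-null validator response
     * @throws ProcessingException {@code BAD_REQUEST} if no validator accepts the token, {@code TOKEN_INVALID}
     *         if validation fails or yields no response, or whatever the validator itself raises
     */
    private TokenValidatorResponse validateToken(Element rst, String tokenType,
                                                 FederationContext federationContext) throws ProcessingException {
        Iterator<TokenValidator> validators =
            ((FederationProtocol) federationContext.getProtocol()).getTokenValidators().iterator();
        while (validators.hasNext()) {
            TokenValidator validator = validators.next();
            boolean canHandle = tokenType != null
                ? validator.canHandleTokenType(tokenType)
                : validator.canHandleToken(rst);
            if (!canHandle) {
                continue;
            }
            TokenValidatorResponse response;
            try {
                response = validator.validateAndProcessToken(rst, federationContext);
            } catch (ProcessingException e) {
                throw e;
            } catch (Exception e) {
                LOG.warn("Failed to validate token", e);
                throw new ProcessingException(ProcessingException.TYPE.TOKEN_INVALID);
            }
            if (response == null) {
                LOG.warn("Token validator returned no response");
                throw new ProcessingException(ProcessingException.TYPE.TOKEN_INVALID);
            }
            return response;
        }
        LOG.warn("No security token validator found for '" + tokenType + "'");
        throw new ProcessingException(ProcessingException.TYPE.BAD_REQUEST);
    }

    /**
     * Rejects a token id already seen and records this one until the token expires.
     *
     * <p>The cache entry lives until the Lifetime expiry if present, else the validator's expiry, else the
     * cache default. NOTE(review): getId/putId are two separate calls, so two concurrent requests carrying the
     * same token id could both pass; whether the replay cache offers an atomic put-if-absent is not visible here.
     *
     * @throws ProcessingException {@code TOKEN_REPLAY} if the id is already cached
     */
    private void registerForReplayDetection(TokenValidatorResponse response, LifeTime lifetime,
                                            FederationContext federationContext) throws ProcessingException {
        String tokenId = response.getUniqueTokenId();
        if (federationContext.getTokenReplayCache().getId(tokenId) != null) {
            LOG.error("Replay attack with token id: " + tokenId);
            throw new ProcessingException("Replay attack with token id: " + tokenId,
                                          ProcessingException.TYPE.TOKEN_REPLAY);
        }
        Date expires = (lifetime == null || lifetime.getExpires() == null)
            ? response.getExpires()
            : lifetime.getExpires();
        if (expires != null) {
            // Remaining lifetime in seconds; may be <= 0 when expiry detection is disabled and the token is stale.
            long ttlSeconds = (expires.getTime() - new Date().getTime()) / 1000;
            federationContext.getTokenReplayCache().putId(tokenId, ttlSeconds);
        } else {
            federationContext.getTokenReplayCache().putId(tokenId);
        }
    }

    /**
     * Reads {@code wsu:Created} and {@code wsu:Expires} from a Lifetime element.
     *
     * @param element the Lifetime element
     * @return both dates, never {@code null}
     * @throws ProcessingException {@code BAD_REQUEST} if either child is missing or not an xsd:dateTime
     */
    private LifeTime processLifeTime(Element element) throws ProcessingException {
        Element createdElement = DOMUtils.getFirstChildWithName(element, WSU_NS, "Created");
        Element expiresElement = DOMUtils.getFirstChildWithName(element, WSU_NS, "Expires");
        if (createdElement == null || expiresElement == null) {
            LOG.warn("Lifetime element in wresult is missing Created or Expires");
            throw new ProcessingException(ProcessingException.TYPE.BAD_REQUEST);
        }
        try {
            // XmlSchemaDateFormat is a DateFormat and therefore not thread-safe; a fresh instance per call.
            XmlSchemaDateFormat format = new XmlSchemaDateFormat();
            Date created = format.parse(DOMUtils.getContent(createdElement));
            Date expires = format.parse(DOMUtils.getContent(expiresElement));
            return new LifeTime(created, expires);
        } catch (ParseException e) {
            LOG.error("Failed to parse lifetime element in wresult: " + e.getMessage());
            throw new ProcessingException(ProcessingException.TYPE.BAD_REQUEST);
        }
    }

    /**
     * Builds the redirect URL to the issuer for a passive sign-in.
     *
     * <p>The query carries {@code wa}, {@code wreply} (the current request URL), {@code wtrealm}, optionally
     * {@code wauth} and {@code whr}, and {@code wct}. The query is appended with {@code &} when the issuer URL
     * already has one, {@code ?} otherwise.
     *
     * @param httpServletRequest the request being redirected
     * @param federationContext  configuration for the protected application
     * @return the absolute redirect URL
     * @throws ProcessingException if the protocol is not WS-Federation, no issuer is configured, or any
     *         callback / encoding step fails
     */
    @Override // org.apache.cxf.fediz.core.FederationProcessor
    public String createSignInRequest(HttpServletRequest httpServletRequest,
                                      FederationContext federationContext) throws ProcessingException {
        try {
            // Check before casting: the cast itself would otherwise fail first with a less useful error.
            if (!(federationContext.getProtocol() instanceof FederationProtocol)) {
                LOG.error("Unsupported protocol");
                throw new IllegalStateException("Unsupported protocol");
            }
            FederationProtocol protocol = (FederationProtocol) federationContext.getProtocol();

            String issuerUrl = resolveIssuer(protocol, httpServletRequest);
            LOG.info("Issuer url: " + issuerUrl);
            if (issuerUrl == null || issuerUrl.length() == 0) {
                // Previously produced a "null?wa=..." redirect.
                LOG.error("No issuer URL configured");
                throw new IllegalStateException("No issuer URL configured");
            }

            String wauth = resolveAuthenticationType(protocol, httpServletRequest);
            LOG.info("WAuth: " + wauth);

            String homeRealm = resolveHomeRealm(protocol, httpServletRequest);
            LOG.info("HomeRealm: " + homeRealm);

            String realm = resolveRealm(protocol, httpServletRequest);
            LOG.debug("wtrealm=" + realm);

            // NOTE(review): wreply and the derived realm come from getRequestURL(), i.e. from the Host header
            // as seen by the container; how trustworthy that is depends on the front-end/proxy setup.
            StringBuilder query = new StringBuilder();
            query.append(FederationConstants.PARAM_ACTION).append('=').append(FederationConstants.ACTION_SIGNIN);
            query.append('&').append(FederationConstants.PARAM_REPLY).append('=')
                 .append(encode(httpServletRequest.getRequestURL().toString()));
            query.append('&').append(FederationConstants.PARAM_TREALM).append('=').append(encode(realm));
            if (wauth != null && wauth.length() > 0) {
                query.append('&').append(FederationConstants.PARAM_AUTH_TYPE).append('=').append(encode(wauth));
            }
            if (homeRealm != null && homeRealm.length() > 0) {
                query.append('&').append(FederationConstants.PARAM_HOME_REALM).append('=').append(encode(homeRealm));
            }
            query.append('&').append(FederationConstants.PARAM_CURRENT_TIME).append('=')
                 .append(encode(new XmlSchemaDateFormat().format(new Date())));

            char separator = issuerUrl.indexOf('?') >= 0 ? '&' : '?';
            return issuerUrl + separator + query.toString();
        } catch (ProcessingException e) {
            throw e;
        } catch (Exception e) {
            LOG.error("Failed to create SignInRequest", e);
            throw new ProcessingException("Failed to create SignInRequest");
        }
    }

    /**
     * Resolves the issuer URL from the protocol config: a literal String, or a CallbackHandler fed an
     * {@link IDPCallback}; {@code null} for any other configured type.
     */
    private String resolveIssuer(FederationProtocol protocol, HttpServletRequest request) throws Exception {
        Object issuer = protocol.getIssuer();
        if (issuer instanceof String) {
            return (String) issuer;
        }
        if (issuer instanceof CallbackHandler) {
            IDPCallback callback = new IDPCallback(request);
            ((CallbackHandler) issuer).handle(new Callback[] {callback});
            return callback.getIssuerUrl() != null ? callback.getIssuerUrl().toString() : null;
        }
        return null;
    }

    /**
     * Resolves the {@code wauth} value: a literal String, or a CallbackHandler fed a {@link WAuthCallback};
     * {@code null} if unset or of another type.
     */
    private String resolveAuthenticationType(FederationProtocol protocol, HttpServletRequest request) throws Exception {
        Object authenticationType = protocol.getAuthenticationType();
        if (authenticationType instanceof String) {
            return (String) authenticationType;
        }
        if (authenticationType instanceof CallbackHandler) {
            WAuthCallback callback = new WAuthCallback(request);
            ((CallbackHandler) authenticationType).handle(new Callback[] {callback});
            return callback.getWauth();
        }
        return null;
    }

    /**
     * Resolves the home realm ({@code whr}): a literal String, or a CallbackHandler fed a
     * {@link HomeRealmCallback}; {@code null} if unset or of another type.
     */
    private String resolveHomeRealm(FederationProtocol protocol, HttpServletRequest request) throws Exception {
        Object homeRealm = protocol.getHomeRealm();
        if (homeRealm instanceof String) {
            return (String) homeRealm;
        }
        if (homeRealm instanceof CallbackHandler) {
            HomeRealmCallback callback = new HomeRealmCallback(request);
            ((CallbackHandler) homeRealm).handle(new Callback[] {callback});
            return callback.getHomeRealm();
        }
        return null;
    }

    /**
     * Resolves {@code wtrealm}: the configured realm, else the request's scheme/host/port plus context path,
     * always ending in {@code /}.
     *
     * @throws MalformedURLException if the request URL cannot be parsed
     */
    private String resolveRealm(FederationProtocol protocol, HttpServletRequest request) throws MalformedURLException {
        if (protocol.getRealm() != null) {
            return protocol.getRealm();
        }
        String requestUrl = request.getRequestURL().toString();
        String path = new URL(requestUrl).getPath();
        // Strip the path to keep scheme://host[:port]; an empty path means the URL already is just that.
        String base = (path == null || path.length() == 0)
            ? requestUrl
            : requestUrl.substring(0, requestUrl.lastIndexOf(path));
        String contextPath = request.getContextPath();
        return (contextPath == null || contextPath.length() == 0) ? base + "/" : base + contextPath + "/";
    }

    /** URL-encodes a query parameter value as UTF-8. */
    private static String encode(String value) throws UnsupportedEncodingException {
        return URLEncoder.encode(value, "UTF-8");
    }
}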
