package org.apache.cxf.fediz.core.saml;

import java.net.URI;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.StringTokenizer;
import java.util.regex.Pattern;
import org.apache.cxf.fediz.core.Claim;
import org.apache.cxf.fediz.core.ClaimCollection;
import org.apache.cxf.fediz.core.ClaimTypes;
import org.apache.cxf.fediz.core.TokenValidator;
import org.apache.cxf.fediz.core.TokenValidatorRequest;
import org.apache.cxf.fediz.core.TokenValidatorResponse;
import org.apache.cxf.fediz.core.config.CertificateValidationMethod;
import org.apache.cxf.fediz.core.config.FedizContext;
import org.apache.cxf.fediz.core.config.Protocol;
import org.apache.cxf.fediz.core.config.TrustManager;
import org.apache.cxf.fediz.core.config.TrustedIssuer;
import org.apache.cxf.fediz.core.exception.ProcessingException;
import org.apache.cxf.fediz.core.saml.FedizSignatureTrustValidator;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.dom.WSDocInfo;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor;
import org.apache.wss4j.dom.validate.Credential;
import org.joda.time.DateTime;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.saml1.core.Assertion;
import org.opensaml.saml.saml1.core.Attribute;
import org.opensaml.saml.saml1.core.AttributeStatement;
import org.opensaml.saml.saml1.core.Audience;
import org.opensaml.saml.saml1.core.AudienceRestrictionCondition;
import org.opensaml.saml.saml2.core.AudienceRestriction;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;

/* loaded from: input_file:org/apache/cxf/fediz/core/saml/SAMLTokenValidator.class */
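/**
 * {@link TokenValidator} for SAML 1.1 and SAML 2.0 assertions.
 *
 * <p>Order of checks in {@link #validateAndProcessToken}: the assertion must carry an XML
 * signature; the signature is verified with the key material found in the assertion's own
 * {@code KeyInfo}; that key material is then checked against every configured
 * {@link TrustedIssuer} / certificate-store pair through {@link SamlAssertionValidator};
 * the holder-of-key requirements are checked; finally claims, roles and the audience
 * restriction are extracted into the {@link TokenValidatorResponse}.
 *
 * <p>The class holds no mutable state. The {@link RequestData} and the
 * {@link SamlAssertionValidator} used for one validation are created per call.
 */
public class SAMLTokenValidator implements TokenValidator {
    private static final Logger LOG = LoggerFactory.getLogger(SAMLTokenValidator.class);

    /** WSS SAML Token Profile 1.1 token-type URI for SAML 2.0 assertions. */
    private static final String SAML2_TOKEN_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
    /** WSS SAML Token Profile 1.1 token-type URI for SAML 1.1 assertions. */
    private static final String SAML1_TOKEN_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
    /** Namespace of a SAML 2.0 {@code Assertion} element; also accepted as a token type. */
    private static final String SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    /** Namespace of a SAML 1.x {@code Assertion} element; also accepted as a token type. */
    private static final String SAML1_ASSERTION_NS = "urn:oasis:names:tc:SAML:1.0:assertion";

    /**
     * Returns whether this validator handles the given token type.
     *
     * @param tokenType the token-type URI announced for the token; may be {@code null}
     * @return {@code true} for the WSS SAML Token Profile 1.1 SAML 1.1 / 2.0 token types and for
     *         the bare SAML 1.0 / 2.0 assertion namespaces, {@code false} otherwise
     */
    @Override
    public boolean canHandleTokenType(String tokenType) {
        return SAML2_TOKEN_TYPE.equals(tokenType)
            || SAML2_ASSERTION_NS.equals(tokenType)
            || SAML1_TOKEN_TYPE.equals(tokenType)
            || SAML1_ASSERTION_NS.equals(tokenType);
    }

    /**
     * Returns whether this validator handles the given token element, judged by its namespace only.
     *
     * @param element the root element of the token; {@code null} is treated as not handled
     * @return {@code true} if the element is in the SAML 1.0 or SAML 2.0 assertion namespace
     */
    @Override
    public boolean canHandleToken(Element element) {
        if (element == null) {
            return false;
        }
        String namespace = element.getNamespaceURI();
        return SAML2_ASSERTION_NS.equals(namespace) || SAML1_ASSERTION_NS.equals(namespace);
    }

    /**
     * Validates a SAML assertion and turns it into a {@link TokenValidatorResponse}.
     *
     * <p>The assertion is rejected with {@link ProcessingException.TYPE#TOKEN_NO_SIGNATURE} when it is
     * unsigned, with {@link ProcessingException.TYPE#ISSUER_NOT_TRUSTED} when no configured trusted
     * issuer / certificate store accepts the signing credential (or when the holder-of-key check
     * fails), with {@link ProcessingException.TYPE#TOKEN_EXPIRED} when no issuer accepted it and its
     * time conditions are not met, and with {@link ProcessingException.TYPE#TOKEN_INVALID} when WSS4J
     * raises a {@link WSSecurityException} at any point.
     *
     * @param request carries the token element and the client certificates used for holder-of-key
     * @param config  the Fediz configuration (trusted issuers, certificate stores, clock skew, protocol)
     * @return the response with id, principal name, issuer, roles, claims, audience, created and
     *         expiry time of the assertion
     * @throws ProcessingException   when validation fails, see above
     * @throws IllegalStateException when a trusted issuer is configured with a certificate validation
     *                               method other than CHAIN_TRUST / PEER_TRUST, or a claim carries an
     *                               unsupported value type
     */
    @Override
    public TokenValidatorResponse validateAndProcessToken(TokenValidatorRequest request, FedizContext config)
        throws ProcessingException {
        Element token = request.getToken();
        try {
            RequestData requestData = new RequestData();
            requestData.setWssConfig(WSSConfig.getNewInstance());

            SamlAssertionWrapper assertion = new SamlAssertionWrapper(token);
            if (!assertion.isSigned()) {
                LOG.warn("Assertion is not signed");
                throw new ProcessingException(ProcessingException.TYPE.TOKEN_NO_SIGNATURE);
            }

            WSDocInfo docInfo = new WSDocInfo(token.getOwnerDocument());
            // No signature-verification Crypto has been set on requestData yet (the first
            // setSigVerCrypto call happens inside isIssuerTrusted), so getSigVerCrypto() is null
            // here and the KeyInfo is expected to be resolvable on its own -- TODO confirm against
            // WSSSAMLKeyInfoProcessor.
            SAMLKeyInfo samlKeyInfo = org.apache.wss4j.common.saml.SAMLUtil.getCredentialFromKeyInfo(
                assertion.getSignature().getKeyInfo().getDOM(),
                new WSSSAMLKeyInfoProcessor(requestData, docInfo),
                requestData.getSigVerCrypto());
            // Cryptographic check only: this proves the assertion was signed with the key carried in
            // its own KeyInfo. Whether that key belongs to a trusted issuer is decided below.
            assertion.verifySignature(samlKeyInfo);
            assertion.parseSubject(new WSSSAMLKeyInfoProcessor(requestData, docInfo),
                                   requestData.getSigVerCrypto(), requestData.getCallbackHandler());

            Credential credential = new Credential();
            credential.setPublicKey(samlKeyInfo.getPublicKey());
            credential.setCertificates(samlKeyInfo.getCerts());
            credential.setSamlAssertion(assertion);

            SamlAssertionValidator validator = new SamlAssertionValidator();
            validator.setFutureTTL(config.getMaximumClockSkew().intValue());

            String issuer = assertion.getIssuerString();
            if (!isIssuerTrusted(config, validator, credential, requestData, issuer)) {
                // The token is rejected either way; the time check only selects the error type
                // reported to the caller.
                if (isConditionValid(assertion, config.getMaximumClockSkew().intValue())) {
                    LOG.warn("Issuer '{}' not trusted", issuer);
                    throw new ProcessingException(ProcessingException.TYPE.ISSUER_NOT_TRUSTED);
                }
                LOG.warn("Security token expired");
                throw new ProcessingException(ProcessingException.TYPE.TOKEN_EXPIRED);
            }

            // Certificates from the request (presumably the client's TLS certificates -- verify
            // against the caller) must satisfy a holder-of-key subject confirmation, if present.
            if (!SAMLUtil.checkHolderOfKey(assertion, request.getCerts())) {
                LOG.warn("Assertion fails holder-of-key requirements");
                throw new ProcessingException(ProcessingException.TYPE.ISSUER_NOT_TRUSTED);
            }

            List<Claim> claims;
            String audience = null;
            if (SAMLVersion.VERSION_20.equals(assertion.getSamlVersion())) {
                claims = parseClaimsInAssertion(assertion.getSaml2());
                audience = getAudienceRestriction(assertion.getSaml2());
            } else if (SAMLVersion.VERSION_11.equals(assertion.getSamlVersion())) {
                claims = parseClaimsInAssertion(assertion.getSaml1());
                audience = getAudienceRestriction(assertion.getSaml1());
            } else {
                claims = Collections.emptyList();
            }

            // parseRoles removes the role claim from 'claims' before the ClaimCollection is built.
            List<String> roles = parseRoles(config, claims);
            TokenValidatorResponse response = new TokenValidatorResponse(
                assertion.getId(),
                new SAMLTokenPrincipalImpl(assertion).getName(),
                issuer,
                roles,
                new ClaimCollection(claims),
                audience);
            response.setExpires(getExpires(assertion));
            response.setCreated(getCreated(assertion));
            return response;
        } catch (WSSecurityException e) {
            LOG.error("Security token validation failed", e);
            throw new ProcessingException(ProcessingException.TYPE.TOKEN_INVALID);
        }
    }

    /**
     * Tries every configured trusted issuer against every configured certificate store until
     * {@link SamlAssertionValidator#validate} accepts the credential.
     *
     * <p>Each trusted issuer reconfigures {@code validator} (trust type and subject constraints), then
     * each certificate store's {@code Crypto} is installed on {@code requestData} and the credential
     * is validated. A validation failure for one store is logged at debug level and the next store
     * is tried; an exception while iterating the certificate stores is logged at info level and the
     * next trusted issuer is tried.
     *
     * @param config      provides the trusted issuers and certificate stores
     * @param validator   the validator that is reconfigured per trusted issuer
     * @param credential  the signing credential extracted from the assertion
     * @param requestData receives the {@code Crypto} of the store currently being tried; on success
     *                    it is left pointing at the accepting store
     * @param issuer      the assertion's issuer string, used for logging only
     * @return {@code true} as soon as one issuer / store pair accepts the credential
     * @throws IllegalStateException for a certificate validation method other than CHAIN_TRUST /
     *                               PEER_TRUST (not caught by the per-issuer handler)
     */
    private boolean isIssuerTrusted(FedizContext config, SamlAssertionValidator validator,
                                    Credential credential, RequestData requestData, String issuer) {
        for (TrustedIssuer trustedIssuer : config.getTrustedIssuers()) {
            configureTrust(validator, trustedIssuer);
            try {
                for (TrustManager trustManager : config.getCertificateStores()) {
                    try {
                        requestData.setSigVerCrypto(trustManager.getCrypto());
                        validator.validate(credential, requestData);
                        return true;
                    } catch (Exception e) {
                        // Best effort: a miss in one keystore is expected; the cause is kept at debug
                        // so a misconfigured store can still be diagnosed.
                        LOG.debug("Issuer '{}' not validated in keystore '{}'",
                                  trustedIssuer.getName(), trustManager.getName(), e);
                    }
                }
            } catch (Exception e) {
                if (LOG.isInfoEnabled()) {
                    LOG.info("Issuer '" + issuer + "' doesn't match trusted issuer '"
                             + trustedIssuer.getName() + "': " + e.getMessage());
                }
            }
        }
        return false;
    }

    /**
     * Applies a trusted issuer's certificate validation method to the validator.
     *
     * <p>CHAIN_TRUST installs the issuer's compiled subject pattern (if any) as the subject constraint
     * and selects {@code CHAIN_TRUST_CONSTRAINTS}; PEER_TRUST selects {@code PEER_TRUST} and leaves any
     * subject constraints from a previous issuer on the validator (presumably ignored for peer
     * trust -- verify against FedizSignatureTrustValidator).
     *
     * @throws IllegalStateException for any other (or a {@code null}) validation method
     */
    private static void configureTrust(SamlAssertionValidator validator, TrustedIssuer trustedIssuer) {
        Pattern subject = trustedIssuer.getCompiledSubject();
        List<Pattern> subjectConstraints = new ArrayList<Pattern>(1);
        if (subject != null) {
            subjectConstraints.add(subject);
        }
        CertificateValidationMethod method = trustedIssuer.getCertificateValidationMethod();
        if (CertificateValidationMethod.CHAIN_TRUST.equals(method)) {
            validator.setSubjectConstraints(subjectConstraints);
            validator.setSignatureTrustType(FedizSignatureTrustValidator.TrustType.CHAIN_TRUST_CONSTRAINTS);
        } else if (CertificateValidationMethod.PEER_TRUST.equals(method)) {
            validator.setSignatureTrustType(FedizSignatureTrustValidator.TrustType.PEER_TRUST);
        } else {
            throw new IllegalStateException("Unsupported certificate validation method: " + method);
        }
    }

    /**
     * Extracts the roles from the claim whose type equals the protocol's role URI and removes that
     * claim from {@code claims}.
     *
     * <p>A non-empty {@code String} value is split with the protocol's role delimiter (or taken as a
     * single role when no delimiter is configured); a non-empty {@code List} value is returned as an
     * unmodifiable view. An empty string or empty list yields no roles but the claim is still removed.
     * Claims are merged by type in {@link #mergeClaimToMap}, so normally at most one claim matches.
     *
     * @param config provides the protocol's role URI and role delimiter
     * @param claims the claims parsed from the assertion; modified in place
     * @return the roles, or {@code null} when no role URI is configured or no matching claim with a
     *         non-empty value exists
     * @throws IllegalStateException when the matching claim's value is neither a String nor a List
     */
    protected List<String> parseRoles(FedizContext config, List<Claim> claims) {
        Protocol protocol = config.getProtocol();
        if (protocol.getRoleURI() == null) {
            return null;
        }
        URI roleUri = URI.create(protocol.getRoleURI());
        String roleDelimiter = protocol.getRoleDelimiter();
        List<String> roles = null;
        // Iterator.remove() keeps the removal safe while iterating; removing through the list
        // itself would raise ConcurrentModificationException on the next element.
        for (Iterator<Claim> it = claims.iterator(); it.hasNext();) {
            Claim claim = it.next();
            if (!roleUri.equals(claim.getClaimType())) {
                continue;
            }
            Object value = claim.getValue();
            if (value instanceof String) {
                String text = (String) value;
                if (!text.isEmpty()) {
                    roles = roleDelimiter == null
                        ? Collections.singletonList(text)
                        : parseRoles(text, roleDelimiter);
                }
            } else if (value instanceof List) {
                @SuppressWarnings("unchecked")
                List<String> values = (List<String>) value;
                if (!values.isEmpty()) {
                    roles = Collections.unmodifiableList(values);
                }
            } else {
                LOG.error("Unsupported value type of Claim value");
                throw new IllegalStateException("Unsupported value type of Claim value");
            }
            it.remove();
        }
        return roles;
    }

    /**
     * Builds the claims of a SAML 1.1 assertion from its attribute statements.
     *
     * <p>The claim issuer is the assertion's issuer string; the claim type is derived from the
     * attribute name and namespace (see {@link #resolveSaml1ClaimType}); values are the text content of
     * each attribute value element. Attributes with the same claim type are merged.
     *
     * @return the merged claims in {@link HashMap} value order, or an empty list when the assertion
     *         has no attribute statements
     */
    protected List<Claim> parseClaimsInAssertion(Assertion assertion) {
        List<AttributeStatement> statements = assertion.getAttributeStatements();
        if (statements == null || statements.isEmpty()) {
            LOG.debug("No attribute statements found");
            return Collections.emptyList();
        }
        Map<String, Claim> claimsByType = new HashMap<String, Claim>();
        for (AttributeStatement statement : statements) {
            LOG.debug("parsing statement: {}", statement.getElementQName());
            for (Attribute attribute : statement.getAttributes()) {
                LOG.debug("parsing attribute: {}", attribute.getAttributeName());
                Claim claim = new Claim();
                claim.setIssuer(assertion.getIssuer());
                claim.setClaimType(resolveSaml1ClaimType(attribute));
                mergeClaimToMap(claimsByType, claim, readAttributeValues(attribute.getAttributeValues()));
            }
        }
        return new ArrayList<Claim>(claimsByType.values());
    }

    /**
     * Derives the claim type URI of a SAML 1.1 attribute.
     *
     * <p>Without a namespace the attribute name is the claim type. With a namespace, an absolute
     * attribute name is used as-is (a mismatch with the namespace is only logged); a relative name is
     * appended to the namespace, inserting a {@code /} unless the namespace already ends with one.
     *
     * @throws IllegalArgumentException when the resulting string is not a valid URI
     */
    private static URI resolveSaml1ClaimType(Attribute attribute) {
        String name = attribute.getAttributeName();
        String namespace = attribute.getAttributeNamespace();
        if (namespace == null) {
            return URI.create(name);
        }
        URI nameUri = URI.create(name);
        if (nameUri.isAbsolute()) {
            if (name.startsWith(namespace)) {
                LOG.info("AttributeName fully qualified '{}' but does match with AttributeNamespace '{}'",
                         name, namespace);
            } else {
                LOG.warn("AttributeName fully qualified '{}' but does NOT match with AttributeNamespace (ignored) '{}'",
                         name, namespace);
            }
            return nameUri;
        }
        String separator = namespace.endsWith("/") ? "" : "/";
        return URI.create(namespace + separator + name);
    }

    /**
     * Builds the claims of a SAML 2.0 assertion from its attribute statements.
     *
     * <p>The claim type is derived from the attribute name and name format (see
     * {@link #resolveSaml2ClaimType}); values are the text content of each attribute value element.
     * Attributes with the same claim type are merged.
     *
     * <p>NOTE(review): the claim issuer is taken from the Issuer element's NameQualifier, not from its
     * value -- confirm this is intended.
     *
     * @return the merged claims in {@link HashMap} value order, or an empty list when the assertion
     *         has no attribute statements
     */
    protected List<Claim> parseClaimsInAssertion(org.opensaml.saml.saml2.core.Assertion assertion) {
        List<org.opensaml.saml.saml2.core.AttributeStatement> statements = assertion.getAttributeStatements();
        if (statements == null || statements.isEmpty()) {
            LOG.debug("No attribute statements found");
            return Collections.emptyList();
        }
        Map<String, Claim> claimsByType = new HashMap<String, Claim>();
        for (org.opensaml.saml.saml2.core.AttributeStatement statement : statements) {
            LOG.debug("parsing statement: {}", statement.getElementQName());
            for (org.opensaml.saml.saml2.core.Attribute attribute : statement.getAttributes()) {
                LOG.debug("parsing attribute: {}", attribute.getName());
                Claim claim = new Claim();
                claim.setClaimType(resolveSaml2ClaimType(attribute));
                claim.setIssuer(assertion.getIssuer().getNameQualifier());
                mergeClaimToMap(claimsByType, claim, readAttributeValues(attribute.getAttributeValues()));
            }
        }
        return new ArrayList<Claim>(claimsByType.values());
    }

    /**
     * Derives the claim type URI of a SAML 2.0 attribute: the attribute name as-is, unless the name
     * format is {@link ClaimTypes#URI_BASE} and the name is relative, in which case the name is
     * appended to {@code URI_BASE} with a {@code /}.
     *
     * @throws IllegalArgumentException when the attribute name is not a valid URI
     */
    private static URI resolveSaml2ClaimType(org.opensaml.saml.saml2.core.Attribute attribute) {
        String name = attribute.getName();
        URI nameUri = URI.create(name);
        if (!ClaimTypes.URI_BASE.toString().equals(attribute.getNameFormat()) || nameUri.isAbsolute()) {
            return nameUri;
        }
        return URI.create(ClaimTypes.URI_BASE + "/" + name);
    }

    /**
     * Collects the DOM text content of each attribute value, logging every value at debug level.
     *
     * @param values the attribute value objects; each must have a DOM element
     * @return the text contents in order (may contain {@code null} entries)
     */
    private static List<String> readAttributeValues(List<XMLObject> values) {
        List<String> texts = new ArrayList<String>();
        for (XMLObject value : values) {
            String text = value.getDOM().getTextContent();
            LOG.debug(" [{}]", text);
            texts.add(text);
        }
        return texts;
    }

    /**
     * Stores {@code claim} in {@code claims} keyed by its claim type, merging values into an already
     * present claim of the same type.
     *
     * <p>A new claim gets a single {@code String} value when exactly one value was read, otherwise the
     * value list itself. When a claim of the same type exists, its String value is promoted to a list
     * and the new values appended; an existing List value is appended to in place.
     *
     * @param claims map from claim type (as string) to claim; modified in place
     * @param claim  the freshly parsed claim (its type must be set)
     * @param values the values read for this attribute
     * @throws IllegalStateException when the existing claim's value is neither a String nor a List
     */
    protected void mergeClaimToMap(Map<String, Claim> claims, Claim claim, List<String> values) {
        String type = claim.getClaimType().toString();
        Claim existing = claims.get(type);
        if (existing == null) {
            if (values.size() == 1) {
                claim.setValue(values.get(0));
            } else {
                claim.setValue(values);
            }
            claims.put(type, claim);
            return;
        }
        Object existingValue = existing.getValue();
        if (existingValue instanceof String) {
            List<String> merged = new ArrayList<String>();
            merged.add((String) existingValue);
            merged.addAll(values);
            existing.setValue(merged);
        } else if (existingValue instanceof List) {
            @SuppressWarnings("unchecked")
            List<String> merged = (List<String>) existingValue;
            merged.addAll(values);
            existing.setValue(merged);
        } else {
            LOG.error("Unsupported value type of Claim value");
            throw new IllegalStateException("Unsupported value type of Claim value");
        }
    }

    /**
     * Splits a delimited role string into individual roles.
     *
     * <p>{@link StringTokenizer} semantics are kept on purpose: every character of {@code delimiters}
     * is a separator and empty tokens are skipped.
     *
     * @param roleValue  the claim value holding the roles
     * @param delimiters the delimiter characters configured on the protocol
     * @return the roles in order; empty when {@code roleValue} holds no token
     */
    protected List<String> parseRoles(String roleValue, String delimiters) {
        List<String> roles = new ArrayList<String>();
        StringTokenizer tokenizer = new StringTokenizer(roleValue, delimiters);
        while (tokenizer.hasMoreTokens()) {
            roles.add(tokenizer.nextToken());
        }
        return roles;
    }

    /**
     * Reads the first audience URI of the first audience restriction condition of a SAML 1.1 assertion.
     *
     * @return the audience URI, or {@code null} when the assertion has no (readable) audience
     *         restriction; any failure while reading is logged at warn level
     */
    protected String getAudienceRestriction(Assertion assertion) {
        try {
            AudienceRestrictionCondition restriction =
                assertion.getConditions().getAudienceRestrictionConditions().get(0);
            Audience audience = restriction.getAudiences().get(0);
            return audience.getUri();
        } catch (Exception e) {
            LOG.warn("Failed to read audience: {}", e.getMessage());
            return null;
        }
    }

    /**
     * Reads the first audience URI of the first audience restriction of a SAML 2.0 assertion.
     *
     * @return the audience URI, or {@code null} when the assertion has no (readable) audience
     *         restriction; any failure while reading is logged at warn level
     */
    protected String getAudienceRestriction(org.opensaml.saml.saml2.core.Assertion assertion) {
        try {
            AudienceRestriction restriction = assertion.getConditions().getAudienceRestrictions().get(0);
            org.opensaml.saml.saml2.core.Audience audience = restriction.getAudiences().get(0);
            return audience.getAudienceURI();
        } catch (Exception e) {
            LOG.warn("Failed to read audience: {}", e.getMessage());
            return null;
        }
    }

    /**
     * Returns the assertion's NotOnOrAfter condition as a {@link Date}, or {@code null} when the
     * assertion has no Conditions or no NotOnOrAfter. SAML 2.0 assertions are read through
     * {@code getSaml2()}, every other version through {@code getSaml1()}.
     */
    private Date getExpires(SamlAssertionWrapper assertion) {
        DateTime notOnOrAfter = null;
        if (SAMLVersion.VERSION_20.equals(assertion.getSamlVersion())) {
            if (assertion.getSaml2().getConditions() != null) {
                notOnOrAfter = assertion.getSaml2().getConditions().getNotOnOrAfter();
            }
        } else if (assertion.getSaml1().getConditions() != null) {
            notOnOrAfter = assertion.getSaml1().getConditions().getNotOnOrAfter();
        }
        return notOnOrAfter == null ? null : notOnOrAfter.toDate();
    }

    /**
     * Returns the assertion's NotBefore condition as a {@link Date}, or {@code null} when the assertion
     * has no Conditions or no NotBefore. SAML 2.0 assertions are read through {@code getSaml2()},
     * every other version through {@code getSaml1()}.
     */
    private Date getCreated(SamlAssertionWrapper assertion) {
        DateTime notBefore = null;
        if (SAMLVersion.VERSION_20.equals(assertion.getSamlVersion())) {
            if (assertion.getSaml2().getConditions() != null) {
                notBefore = assertion.getSaml2().getConditions().getNotBefore();
            }
        } else if (assertion.getSaml1().getConditions() != null) {
            notBefore = assertion.getSaml1().getConditions().getNotBefore();
        }
        return notBefore == null ? null : notBefore.toDate();
    }

    /**
     * Checks the assertion's time conditions against the current time.
     *
     * <p>NotBefore is tolerated up to {@code maxClockSkew} seconds in the future; NotOnOrAfter is
     * compared against the current time without any skew. A missing Conditions element, or a
     * version other than 1.1 / 2.0, yields {@code true}. In this class the result is only used to
     * choose between the ISSUER_NOT_TRUSTED and TOKEN_EXPIRED error types; the enforced time checks
     * are done by {@link SamlAssertionValidator}.
     *
     * @param assertion    the assertion whose Conditions are inspected
     * @param maxClockSkew tolerated clock skew in seconds for the NotBefore check
     * @return {@code true} when both conditions are met or absent
     * @throws WSSecurityException kept in the signature for overriding implementations
     */
    protected boolean isConditionValid(SamlAssertionWrapper assertion, int maxClockSkew) throws WSSecurityException {
        DateTime notBefore = null;
        DateTime notOnOrAfter = null;
        if (SAMLVersion.VERSION_20.equals(assertion.getSamlVersion())
            && assertion.getSaml2().getConditions() != null) {
            notBefore = assertion.getSaml2().getConditions().getNotBefore();
            notOnOrAfter = assertion.getSaml2().getConditions().getNotOnOrAfter();
        } else if (SAMLVersion.VERSION_11.equals(assertion.getSamlVersion())
            && assertion.getSaml1().getConditions() != null) {
            notBefore = assertion.getSaml1().getConditions().getNotBefore();
            notOnOrAfter = assertion.getSaml1().getConditions().getNotOnOrAfter();
        }
        if (notBefore != null && notBefore.isAfter(new DateTime().plusSeconds(maxClockSkew))) {
            LOG.debug("SAML Token condition (Not Before) not met");
            return false;
        }
        if (notOnOrAfter != null && notOnOrAfter.isBeforeNow()) {
            LOG.debug("SAML Token condition (Not On Or After) not met");
            return false;
        }
        return true;
    }
}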
