package org.wso2.carbon.identity.authenticator.saml2.sso;

import java.math.BigInteger;
import java.security.SecureRandom;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.function.Consumer;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.transport.http.HTTPConstants;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.joda.time.DateTime;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.schema.XSString;
import org.opensaml.core.xml.schema.impl.XSAnyImpl;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml.saml2.core.Audience;
import org.opensaml.saml.saml2.core.AudienceRestriction;
import org.opensaml.saml.saml2.core.Conditions;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.osgi.framework.BundleContext;
import org.osgi.util.tracker.ServiceTracker;
import org.osgi.util.tracker.ServiceTrackerCustomizer;
import org.wso2.carbon.CarbonConstants;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.core.security.AuthenticatorsConfiguration;
import org.wso2.carbon.core.services.authentication.CarbonServerAuthenticator;
import org.wso2.carbon.core.services.util.CarbonAuthenticationUtil;
import org.wso2.carbon.core.util.AnonymousSessionUtil;
import org.wso2.carbon.core.util.PermissionUpdateUtil;
import org.wso2.carbon.identity.authenticator.saml2.sso.SAML2SSOAuthenticatorBEConstants;
import org.wso2.carbon.identity.authenticator.saml2.sso.common.SAML2SSOUIAuthenticatorException;
import org.wso2.carbon.identity.authenticator.saml2.sso.dto.AuthnReqDTO;
import org.wso2.carbon.identity.authenticator.saml2.sso.internal.SAML2SSOAuthBEDataHolder;
import org.wso2.carbon.identity.authenticator.saml2.sso.util.Util;
import org.wso2.carbon.registry.core.service.RegistryService;
import org.wso2.carbon.user.core.UserRealm;
import org.wso2.carbon.user.core.UserStoreException;
import org.wso2.carbon.user.core.UserStoreManager;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.user.core.util.UserCoreUtil;
import org.wso2.carbon.utils.AuthenticationObserver;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/authenticator/saml2/sso/SAML2SSOAuthenticator.class */
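/**
 * Back-end Carbon authenticator for SAML2 Web SSO.
 * <p>
 * {@link #login(AuthnReqDTO)} decodes the posted SAML Response (or bare Assertion), extracts the
 * subject's username, checks the assertion validity window and audience, validates the XML signature
 * against the configured tenant credential, optionally JIT-provisions the user with the roles carried
 * in the role-claim attribute, and finally requires the {@code /permission/admin/login} permission.
 * <p>
 * All behaviour switches (signature validation on response/assertion, tenant used for signature
 * verification, timestamp skew, JIT provisioning, role claim and separator) are read from the
 * {@code SAML2SSOAuthenticator} entry of {@link AuthenticatorsConfiguration} on every call, so a
 * configuration reload is picked up without restarting.
 * <p>
 * Thread-safety: the class holds no per-request state except the cached timestamp skew, which is
 * a plain int written from config; concurrent logins are safe.
 */
public class SAML2SSOAuthenticator implements CarbonServerAuthenticator {

    public static final Log log = LogFactory.getLog(SAML2SSOAuthenticator.class);
    private static final Log AUDIT_LOG = CarbonConstants.AUDIT_LOG;
    private static final int DEFAULT_PRIORITY_LEVEL = 3;
    private static final String AUTHENTICATOR_NAME = "SAML2SSOAuthenticator";
    private static final int DEFAULT_TIME_STAMP_SKEW_IN_SECONDS = 300;

    // Strings that are part of the observable behaviour (audit trail, session attributes, permission
    // lookups). They are deliberately kept byte-identical to the previous implementation.
    private static final String AUTH_ACTION = "SAML2 SSO Authentication";
    private static final String AUDIT_MESSAGE =
            "Initiator : %s | Action : %s | Target : %s | Data : { %s } | Result : %s ";
    private static final String AUDIT_RESULT_SUCCESS = "Success";
    private static final String AUDIT_RESULT_FAILED = "Failed";
    private static final String LOGIN_PERMISSION = "/permission/admin/login";
    private static final String UI_EXECUTE_ACTION = "ui.execute";
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";
    private static final String LOGGED_IN_ATTRIBUTE = "wso2carbon.admin.logged.in";
    private static final String DELEGATED_BY_ATTRIBUTE = "DELEGATED_BY";

    private final SAML2SSOAuthBEDataHolder dataHolder = SAML2SSOAuthBEDataHolder.getInstance();
    // Used only for the throw-away credential of JIT-provisioned users; must be cryptographically strong.
    private final SecureRandom random = new SecureRandom();
    // Last skew read from configuration; falls back to the default when nothing is configured.
    private int timeStampSkewInSeconds = DEFAULT_TIME_STAMP_SKEW_IN_SECONDS;

    /**
     * Authenticates the caller from the SAML Response carried in {@code authnReqDTO}.
     * <p>
     * Order of checks: subject present, validity window (NotBefore/NotOnOrAfter with skew),
     * AudienceRestriction, XML signature, JIT provisioning, login permission. Every failure path
     * records the failure in the session via {@link CarbonAuthenticationUtil#onFailedAdminLogin},
     * balances any {@link AuthenticationObserver#startedAuthentication(int)} notification with a
     * {@code completedAuthentication(tenantId, false)}, and writes one audit line.
     *
     * @param authnReqDTO carries the base64 encoded SAML Response
     * @return {@code true} only when the signature is valid and the user holds the login permission
     */
    public boolean login(AuthnReqDTO authnReqDTO) {
        String username = null;
        String auditUser = null;
        String tenantDomain = null;
        int tenantId = -1;
        boolean observersNotified = false;
        boolean authenticated = false;
        HttpSession httpSession = getHttpSession();
        try {
            XMLObject samlObject = Util.unmarshall(
                    org.wso2.carbon.identity.authenticator.saml2.sso.common.Util.decode(authnReqDTO.getResponse()));
            username = org.wso2.carbon.identity.authenticator.saml2.sso.common.Util.getUsername(samlObject);
            auditUser = username;
            if (StringUtils.isBlank(username)) {
                log.error("Authentication Request is rejected. SAMLResponse does not contain the username of the subject.");
                CarbonAuthenticationUtil.onFailedAdminLogin(httpSession, "", -1, AUTH_ACTION,
                        "SAMLResponse does not contain the username of the subject");
                return false;
            }
            try {
                // Conditions and audience are checked before the signature (kept from the original
                // flow). Nothing is granted or provisioned until validateSignature() passes below, so
                // an unsigned document can only be rejected earlier, never accepted.
                validateAssertionValidityPeriod(samlObject);
                if (!validateAudienceRestrictionInXML(samlObject)) {
                    log.error("Authentication Request is rejected. SAMLResponse AudienceRestriction validation failed.");
                    CarbonAuthenticationUtil.onFailedAdminLogin(httpSession, username, -1, AUTH_ACTION,
                            "AudienceRestriction validation failed");
                    return false;
                }
                RegistryService registryService = dataHolder.getRegistryService();
                RealmService realmService = dataHolder.getRealmService();
                // The tenant is derived from the (not yet verified) subject; it selects which
                // tenant's IdP certificate is used when VALIDATE_SIGNATURE_WITH_USER_DOMAIN is on.
                tenantDomain = MultitenantUtils.getTenantDomain(username);
                tenantId = realmService.getTenantManager().getTenantId(tenantDomain);
                handleAuthenticationStarted(tenantId);
                observersNotified = true;
                if (!validateSignature(samlObject, tenantDomain)) {
                    log.error("Authentication Request is rejected. Signature validation failed.");
                    CarbonAuthenticationUtil.onFailedAdminLogin(httpSession, username, tenantId, AUTH_ACTION,
                            "Invalid Signature");
                    return false;
                }
                String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(username);
                auditUser = tenantAwareUsername;
                UserRealm realm = AnonymousSessionUtil.getRealmByTenantDomain(registryService, realmService, tenantDomain);
                provisionUser(tenantAwareUsername, realm, samlObject);
                PermissionUpdateUtil.updatePermissionTree(tenantId);
                boolean authorized = realm != null
                        && realm.getAuthorizationManager().isUserAuthorized(tenantAwareUsername, LOGIN_PERMISSION,
                        UI_EXECUTE_ACTION);
                if (!authorized) {
                    log.error("Authentication Request is rejected. Authorization Failure.");
                    CarbonAuthenticationUtil.onFailedAdminLogin(httpSession, tenantAwareUsername, tenantId, AUTH_ACTION,
                            "Authorization Failure");
                    return false;
                }
                UserCoreUtil.setDomainInThreadLocal((String) null);
                CarbonAuthenticationUtil.onSuccessAdminLogin(httpSession, tenantAwareUsername, tenantId, tenantDomain,
                        AUTH_ACTION);
                authenticated = true;
                return true;
            } catch (SAML2SSOAuthenticatorException e) {
                // Thrown by validateAssertionValidityPeriod() and provisionUser(); the message is
                // already user-facing and is recorded as the failure reason.
                log.error("Authentication Request is rejected. " + e.getMessage());
                CarbonAuthenticationUtil.onFailedAdminLogin(httpSession, username, tenantId, AUTH_ACTION, e.getMessage());
                return false;
            }
        } catch (Exception e) {
            log.error("System error while Authenticating/Authorizing User : " + e.getMessage(), e);
            return false;
        } finally {
            // Observers that saw startedAuthentication() always see a matching completion, including
            // on provisioning errors and unexpected exceptions.
            if (observersNotified) {
                handleAuthenticationCompleted(tenantId, authenticated);
            }
            if (hasText(auditUser) && AUDIT_LOG.isInfoEnabled()) {
                AUDIT_LOG.info(String.format(AUDIT_MESSAGE, auditUser + "@" + tenantDomain, "Login", AUTHENTICATOR_NAME, "",
                        authenticated ? AUDIT_RESULT_SUCCESS : AUDIT_RESULT_FAILED));
            }
        }
    }

    /** Notifies every registered {@link AuthenticationObserver} that authentication for the tenant started. */
    private void handleAuthenticationStarted(int tenantId) {
        notifyAuthenticationObservers(observer -> observer.startedAuthentication(tenantId));
    }

    /** Notifies every registered {@link AuthenticationObserver} of the outcome for the tenant. */
    private void handleAuthenticationCompleted(int tenantId, boolean isSuccessful) {
        notifyAuthenticationObservers(observer -> observer.completedAuthentication(tenantId, isSuccessful));
    }

    /**
     * Looks up all {@link AuthenticationObserver} services in the OSGi registry and applies
     * {@code notification} to each. No-op when the bundle context is not available.
     * The tracker is always closed, even if an observer throws.
     */
    private void notifyAuthenticationObservers(Consumer<AuthenticationObserver> notification) {
        BundleContext bundleContext = dataHolder.getBundleContext();
        if (bundleContext == null) {
            return;
        }
        ServiceTracker tracker = new ServiceTracker(bundleContext, AuthenticationObserver.class.getName(),
                (ServiceTrackerCustomizer) null);
        tracker.open();
        try {
            Object[] services = tracker.getServices();
            if (services != null) {
                for (Object service : services) {
                    notification.accept((AuthenticationObserver) service);
                }
            }
        } finally {
            tracker.close();
        }
    }

    /**
     * Invalidates the current HTTP session and audits the logout of the user recorded in it.
     * Does nothing when there is no current message context / session.
     */
    public void logout() {
        HttpSession httpSession = getHttpSession();
        if (httpSession == null) {
            return;
        }
        String loggedInUser = (String) httpSession.getAttribute(LOGGED_IN_ATTRIBUTE);
        String delegatedBy = (String) httpSession.getAttribute(DELEGATED_BY_ATTRIBUTE);
        if (StringUtils.isNotBlank(loggedInUser)) {
            // SimpleDateFormat is not thread-safe; a per-call instance keeps this method safe.
            SimpleDateFormat timestampFormat = new SimpleDateFormat("'['yyyy-MM-dd HH:mm:ss,SSSS']'");
            StringBuilder message = new StringBuilder("'").append(loggedInUser).append("' logged out at ")
                    .append(timestampFormat.format(Calendar.getInstance().getTime()));
            if (delegatedBy != null) {
                message.append(" delegated by ").append(delegatedBy);
            }
            log.info(message.toString());
        }
        httpSession.invalidate();
        if (loggedInUser != null && AUDIT_LOG.isInfoEnabled()) {
            String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();
            AUDIT_LOG.info(String.format(AUDIT_MESSAGE, loggedInUser + "@" + tenantDomain, "Logout", AUTHENTICATOR_NAME,
                    delegatedBy != null ? "Delegated By : " + delegatedBy : "", AUDIT_RESULT_SUCCESS));
        }
    }

    /** This authenticator volunteers for every message context; priority decides the actual order. */
    public boolean isHandle(MessageContext messageContext) {
        return true;
    }

    /**
     * @return {@code true} when the HTTP session of the request carries the logged-in marker;
     *         {@code false} when the transport is not HTTP or no session attribute is present
     */
    public boolean isAuthenticated(MessageContext messageContext) {
        Object request = messageContext.getProperty(HTTPConstants.MC_HTTP_SERVLETREQUEST);
        if (!(request instanceof HttpServletRequest)) {
            return false;
        }
        HttpSession session = ((HttpServletRequest) request).getSession();
        return session != null && session.getAttribute(LOGGED_IN_ATTRIBUTE) != null;
    }

    /** Remember-me is not supported by SAML2 SSO; always {@code false}. */
    public boolean authenticateWithRememberMe(MessageContext messageContext) {
        return false;
    }

    /** Configured priority, or {@link #DEFAULT_PRIORITY_LEVEL} when unset or not positive. */
    public int getPriority() {
        AuthenticatorsConfiguration.AuthenticatorConfig config = getAuthenticatorConfig();
        if (config == null || config.getPriority() <= 0) {
            return DEFAULT_PRIORITY_LEVEL;
        }
        return config.getPriority();
    }

    public String getAuthenticatorName() {
        return AUTHENTICATOR_NAME;
    }

    /** Reflects the {@code disabled} flag of the authenticator config; enabled when no config exists. */
    public boolean isDisabled() {
        AuthenticatorsConfiguration.AuthenticatorConfig config = getAuthenticatorConfig();
        return config != null && config.isDisabled();
    }

    /** The {@code SAML2SSOAuthenticator} section of the authenticators configuration, or {@code null}. */
    private AuthenticatorsConfiguration.AuthenticatorConfig getAuthenticatorConfig() {
        return AuthenticatorsConfiguration.getInstance().getAuthenticatorConfig(AUTHENTICATOR_NAME);
    }

    /**
     * Reads one string parameter of the authenticator config.
     *
     * @return the configured value, or {@code null} when the config or the parameter is absent
     */
    private String getConfigParameter(String parameterName) {
        AuthenticatorsConfiguration.AuthenticatorConfig config = getAuthenticatorConfig();
        if (config == null) {
            return null;
        }
        Map parameters = config.getParameters();
        return parameters == null ? null : (String) parameters.get(parameterName);
    }

    /**
     * Response signature validation is on unless the parameter is explicitly {@code "false"}
     * (case-insensitive); any other value, including absence, keeps it enabled.
     */
    private boolean isResponseSignatureValidationEnabled() {
        String configured = getConfigParameter(
                SAML2SSOAuthenticatorBEConstants.PropertyConfig.RESPONSE_SIGNATURE_VALIDATION_ENABLED);
        boolean enabled = !"false".equalsIgnoreCase(configured);
        if (log.isDebugEnabled()) {
            log.debug(enabled
                    ? "Response signature validation is enabled in the configuration"
                    : "Response signature validation is disabled in the configuration");
        }
        return enabled;
    }

    /**
     * Assertion signature validation is on when the parameter is absent or parses as {@code true};
     * note that any other string (e.g. {@code "no"}) disables it, matching {@link Boolean#parseBoolean}.
     */
    private boolean isAssertionSignatureValidationEnabled() {
        String configured = getConfigParameter(
                SAML2SSOAuthenticatorBEConstants.PropertyConfig.ASSERTION_SIGNATURE_VALIDATION_ENABLED);
        boolean enabled = configured == null || Boolean.parseBoolean(configured);
        if (log.isDebugEnabled()) {
            log.debug(enabled
                    ? "Assertion signature validation is enabled in the configuration"
                    : "Assertion signature validation is disabled in the configuration");
        }
        return enabled;
    }

    /**
     * Whether the IdP certificate of the subject's own tenant is used for signature verification
     * (parameter exactly {@code "true"}, case-insensitive); otherwise the super tenant's is used.
     */
    private boolean isVerifySignWithUserDomain() {
        String configured = getConfigParameter(
                SAML2SSOAuthenticatorBEConstants.PropertyConfig.VALIDATE_SIGNATURE_WITH_USER_DOMAIN);
        boolean useUserDomain = "true".equalsIgnoreCase(configured);
        if (log.isDebugEnabled()) {
            log.debug(useUserDomain
                    ? "Signature validation is done based on user tenant domain"
                    : "Signature validation is done with super tenant domain");
        }
        return useUserDomain;
    }

    /**
     * Clock skew tolerated when checking NotBefore / NotOnOrAfter, in seconds.
     *
     * @throws NumberFormatException when the configured value is not an integer; {@link #login}
     *         treats this as a failed login (fail closed) rather than silently using the default
     */
    private int getTimeStampSkewInSeconds() {
        String configured = getConfigParameter(SAML2SSOAuthenticatorBEConstants.PropertyConfig.TIME_STAMP_SKEW);
        if (configured != null) {
            timeStampSkewInSeconds = Integer.parseInt(configured.trim());
        }
        if (log.isDebugEnabled()) {
            log.debug("TimestampSkew is set to " + timeStampSkewInSeconds + " s.");
        }
        return timeStampSkewInSeconds;
    }

    /**
     * Validates the XML signature(s) of a Response or a bare Assertion according to configuration.
     * <p>
     * For a Response: the Response signature is checked when enabled, then the (first, possibly
     * decrypted) Assertion signature when enabled. A configuration that disables both verifies no
     * signature at all and must not be used in production.
     *
     * @return {@code false} for any other object type, or when an enabled check fails
     */
    private boolean validateSignature(XMLObject samlObject, String tenantDomain) {
        if (samlObject instanceof Response) {
            Response response = (Response) samlObject;
            if (isResponseSignatureValidationEnabled() && !validateSignature(response, tenantDomain)) {
                return false;
            }
            return !isAssertionSignatureValidationEnabled()
                    || validateSignature(getAssertionFromResponse(response), tenantDomain);
        }
        if (samlObject instanceof Assertion) {
            return !isAssertionSignatureValidationEnabled()
                    || validateSignature((Assertion) samlObject, tenantDomain);
        }
        log.error("Only Response and Assertion objects are validated in this authenticator");
        return false;
    }

    /** An unsigned or missing Response fails; otherwise delegates to the Signature check. */
    private boolean validateSignature(Response response, String tenantDomain) {
        if (response == null || response.getSignature() == null) {
            log.error("SAML Response is not signed or response not available. Authentication process will be terminated.");
            return false;
        }
        if (log.isDebugEnabled()) {
            log.debug("Validating SAML Response Signature.");
        }
        return validateSignature(response.getSignature(), tenantDomain);
    }

    /** An unsigned or missing Assertion fails; otherwise delegates to the Signature check. */
    private boolean validateSignature(Assertion assertion, String tenantDomain) {
        if (assertion == null || assertion.getSignature() == null) {
            log.error("SAML Assertion is not signed or assertion not available. Authentication process will be terminated.");
            return false;
        }
        if (log.isDebugEnabled()) {
            log.debug("Validating SAML Assertion Signature.");
        }
        return validateSignature(assertion.getSignature(), tenantDomain);
    }

    /**
     * Checks the signature against the SAML signature profile and then cryptographically against the
     * X509 credential of either the user's tenant or the super tenant (see
     * {@link #isVerifySignWithUserDomain()}).
     *
     * @return {@code true} only when both the profile check and the cryptographic check pass
     */
    private boolean validateSignature(Signature signature, String tenantDomain) {
        try {
            // The profile check runs before any cryptographic work: OpenSAML rejects signatures whose
            // reference does not point at the enclosing element, the usual shape of signature wrapping.
            new SAMLSignatureProfileValidator().validate(signature);
        } catch (SignatureException e) {
            AUDIT_LOG.warn("Signature do not confirm to SAML signature profile. Possible XML Signature Wrapping Attack!");
            if (log.isDebugEnabled()) {
                log.debug("Signature do not confirm to SAML signature profile. Possible XML Signature Wrapping Attack!", e);
            }
            return false;
        }
        String credentialDomain = isVerifySignWithUserDomain() ? tenantDomain : SUPER_TENANT_DOMAIN;
        try {
            SignatureValidator.validate(signature, Util.getX509CredentialImplForTenant(credentialDomain));
            return true;
        } catch (SAML2SSOAuthenticatorException e) {
            log.error("Error when creating an X509CredentialImpl instance", e);
        } catch (SignatureException e) {
            if (log.isDebugEnabled()) {
                log.debug("SAML Signature validation failed from domain : " + tenantDomain, e);
            }
        }
        return false;
    }

    /**
     * The first plain Assertion of the Response, or the first EncryptedAssertion decrypted with the
     * current tenant's key when no plain one exists.
     *
     * @return the assertion, or {@code null} when none is present or decryption fails (logged)
     */
    private Assertion getAssertionFromResponse(Response response) {
        List<Assertion> assertions = response.getAssertions();
        if (assertions != null && !assertions.isEmpty()) {
            return assertions.get(0);
        }
        List<EncryptedAssertion> encryptedAssertions = response.getEncryptedAssertions();
        if (encryptedAssertions == null || encryptedAssertions.isEmpty()) {
            return null;
        }
        try {
            return org.wso2.carbon.identity.authenticator.saml2.sso.common.Util.getDecryptedAssertion(
                    encryptedAssertions.get(0),
                    PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain());
        } catch (SAML2SSOUIAuthenticatorException e) {
            log.error("Error while obtaining the assertion from saml response.", e);
            return null;
        }
    }

    /** Dispatches the audience check to the Response or Assertion overload. */
    private boolean validateAudienceRestrictionInXML(XMLObject samlObject) {
        if (samlObject instanceof Response) {
            return validateAudienceRestrictionInResponse((Response) samlObject);
        }
        if (samlObject instanceof Assertion) {
            return validateAudienceRestrictionInAssertion((Assertion) samlObject);
        }
        log.error("Only Response and Assertion objects are validated in this authendicator");
        return false;
    }

    public boolean validateAudienceRestrictionInResponse(Response response) {
        return validateAudienceRestrictionInAssertion(getAssertionFromResponse(response));
    }

    /**
     * Accepts the assertion when at least one AudienceRestriction names this service provider.
     * <p>
     * NOTE(review): SAML 2.0 core requires every AudienceRestriction element to be satisfied
     * (they are conjunctive); this method treats them disjunctively, as the previous implementation
     * did. Tightening it is a behaviour change for IdPs that emit several restrictions.
     *
     * @return {@code false} when the assertion, its Conditions, the restrictions or the configured
     *         service provider id are missing
     */
    public boolean validateAudienceRestrictionInAssertion(Assertion assertion) {
        if (assertion == null) {
            return false;
        }
        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            log.error("SAML2 Response doesn't contain Conditions");
            return false;
        }
        List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions();
        if (audienceRestrictions == null || audienceRestrictions.isEmpty()) {
            log.error("SAML2 Response doesn't contain AudienceRestrictions");
            return false;
        }
        String serviceProviderId = resolveServiceProviderId();
        if (serviceProviderId == null) {
            log.warn("No SAML2 service provider ID defined.");
            return false;
        }
        for (AudienceRestriction audienceRestriction : audienceRestrictions) {
            List<Audience> audiences = audienceRestriction.getAudiences();
            if (audiences == null || audiences.isEmpty()) {
                log.warn("SAML2 Response's AudienceRestriction doesn't contain Audiences");
                continue;
            }
            for (Audience audience : audiences) {
                if (serviceProviderId.equals(audience.getAudienceURI())) {
                    return true;
                }
            }
        }
        return false;
    }

    /** Service provider id from the common SSO config, initialising that config on first use. */
    private String resolveServiceProviderId() {
        String serviceProviderId = org.wso2.carbon.identity.authenticator.saml2.sso.common.Util.getServiceProviderId();
        if (serviceProviderId == null) {
            org.wso2.carbon.identity.authenticator.saml2.sso.common.Util.initSSOConfigParams();
            serviceProviderId = org.wso2.carbon.identity.authenticator.saml2.sso.common.Util.getServiceProviderId();
        }
        return serviceProviderId;
    }

    /**
     * HTTP session of the current Axis2 message context.
     *
     * @return the session, or {@code null} when there is no message context or it is not HTTP
     */
    private HttpSession getHttpSession() {
        MessageContext currentMessageContext = MessageContext.getCurrentMessageContext();
        if (currentMessageContext == null) {
            return null;
        }
        Object request = currentMessageContext.getProperty(HTTPConstants.MC_HTTP_SERVLETREQUEST);
        if (!(request instanceof HttpServletRequest)) {
            return null;
        }
        return ((HttpServletRequest) request).getSession();
    }

    /**
     * Just-in-time provisioning: creates the user if absent, otherwise reconciles the user's roles
     * with those asserted by the IdP. Only roles that already exist in the user store are assigned.
     * The super tenant admin keeps the admin role unless {@code IS_SUPER_ADMIN_ROLE_REQUIRED} is set.
     * No-op when {@code JIT_USER_PROVISIONING_ENABLED} is not {@code true}.
     *
     * @param username   tenant-aware username of the subject
     * @param realm      realm of the subject's tenant
     * @param samlObject the validated Response or Assertion carrying the role claim
     * @throws SAML2SSOAuthenticatorException when the authenticator config or the realm is missing
     * @throws UserStoreException             propagated from the user store
     */
    private void provisionUser(String username, UserRealm realm, XMLObject samlObject)
            throws UserStoreException, SAML2SSOAuthenticatorException {
        AuthenticatorsConfiguration.AuthenticatorConfig config = getAuthenticatorConfig();
        if (config == null) {
            String message = "Cannot find authenticator config for authenticator : " + AUTHENTICATOR_NAME;
            if (log.isDebugEnabled()) {
                log.debug(message);
            }
            throw new SAML2SSOAuthenticatorException(message);
        }
        Map parameters = config.getParameters();
        boolean provisioningEnabled = Boolean.parseBoolean(
                (String) parameters.get(SAML2SSOAuthenticatorBEConstants.PropertyConfig.JIT_USER_PROVISIONING_ENABLED));
        if (!provisioningEnabled) {
            if (log.isDebugEnabled()) {
                log.debug("User provisioning diabled");
            }
            return;
        }
        if (realm == null) {
            throw new SAML2SSOAuthenticatorException("Cannot find the user realm to provision user : " + username);
        }
        UserStoreManager userStoreManager = resolveProvisioningUserStore(realm, parameters);

        String[] roles = getRoles(samlObject);
        if ((roles == null || roles.length == 0)
                && parameters.containsKey(SAML2SSOAuthenticatorBEConstants.PropertyConfig.PROVISIONING_DEFAULT_ROLE)) {
            roles = new String[]{
                    (String) parameters.get(SAML2SSOAuthenticatorBEConstants.PropertyConfig.PROVISIONING_DEFAULT_ROLE)};
        }
        if (roles == null) {
            roles = new String[0];
        }
        if (log.isDebugEnabled()) {
            log.debug("User " + username + " contains roles : " + Arrays.toString(roles)
                    + " as per response and (default role) config");
        }

        // Asserted roles that are unknown to the user store are silently dropped, never created.
        List<String> rolesToAdd = new ArrayList<>(Arrays.asList(roles));
        rolesToAdd.retainAll(Arrays.asList(userStoreManager.getRoleNames()));

        if (!userStoreManager.isExistingUser(username)) {
            userStoreManager.addUser(username, generatePassword(username), rolesToAdd.toArray(new String[0]),
                    (Map) null, (String) null);
            if (log.isDebugEnabled()) {
                log.debug("User: " + username + " is provisioned via SAML authenticator with roles : "
                        + Arrays.toString(rolesToAdd.toArray(new String[0])));
            }
            return;
        }

        List<String> currentRoles = Arrays.asList(userStoreManager.getRoleListOfUser(username));
        rolesToAdd.removeAll(currentRoles);
        List<String> rolesToDelete = new ArrayList<>(currentRoles);
        rolesToDelete.removeAll(Arrays.asList(roles));
        // The "everyone" role is implicit and is never revoked.
        rolesToDelete.remove(realm.getRealmConfiguration().getEveryOneRoleName());

        if (userStoreManager.getRealmConfiguration().isPrimary()
                && username.equals(realm.getRealmConfiguration().getAdminUserName())) {
            boolean superAdminRoleRequired = Boolean.parseBoolean((String) parameters.get(
                    SAML2SSOAuthenticatorBEConstants.PropertyConfig.IS_SUPER_ADMIN_ROLE_REQUIRED));
            String adminRoleName = realm.getRealmConfiguration().getAdminRoleName();
            if (!superAdminRoleRequired && rolesToDelete.contains(adminRoleName)) {
                rolesToDelete.remove(adminRoleName);
                log.warn("Proceeding with allowing super admin to be logged in, eventhough response doesn't include superadmin role assiged for the superadmin user.");
            }
        }

        if (log.isDebugEnabled()) {
            log.debug("Deleting roles : " + Arrays.toString(rolesToDelete.toArray(new String[0]))
                    + " and Adding roles : " + Arrays.toString(rolesToAdd.toArray(new String[0])));
        }
        userStoreManager.updateRoleListOfUser(username, rolesToDelete.toArray(new String[0]),
                rolesToAdd.toArray(new String[0]));
        if (log.isDebugEnabled()) {
            log.debug("User: " + username + " is updated via SAML authenticator with roles : " + Arrays.toString(roles));
        }
    }

    /**
     * The secondary user store named by {@code PROVISIONING_DEFAULT_USERSTORE}, falling back to the
     * realm's primary store when the parameter is empty or names an unknown store.
     */
    private UserStoreManager resolveProvisioningUserStore(UserRealm realm, Map parameters) throws UserStoreException {
        String storeName = (String) parameters.get(
                SAML2SSOAuthenticatorBEConstants.PropertyConfig.PROVISIONING_DEFAULT_USERSTORE);
        UserStoreManager userStoreManager = null;
        if (storeName != null && !storeName.isEmpty()) {
            userStoreManager = realm.getUserStoreManager().getSecondaryUserStoreManager(storeName);
        }
        if (userStoreManager == null) {
            userStoreManager = realm.getUserStoreManager();
        }
        return userStoreManager;
    }

    /**
     * Throw-away credential for a JIT-provisioned account: 130 random bits from {@link SecureRandom},
     * base-32 encoded. It is only handed to the user store and is not surfaced anywhere; the user
     * authenticates through the IdP.
     */
    private String generatePassword(String username) {
        return new BigInteger(130, random).toString(32);
    }

    /**
     * Roles asserted for the subject. For a Response the same assertion is used as for the other
     * checks (plain or decrypted), so encrypted assertions contribute their roles too.
     *
     * @return the roles, or an empty array for unsupported objects or when no assertion exists
     */
    private String[] getRoles(XMLObject samlObject) {
        if (samlObject instanceof Response) {
            return getRolesFromResponse((Response) samlObject);
        }
        if (samlObject instanceof Assertion) {
            return getRolesFromAssertion((Assertion) samlObject);
        }
        return new String[0];
    }

    private String[] getRolesFromResponse(Response response) {
        Assertion assertion = getAssertionFromResponse(response);
        return assertion == null ? new String[0] : getRolesFromAssertion(assertion);
    }

    /**
     * Collects the values of the configured role-claim attribute. A single attribute value is split
     * on the configured separator; several values are taken one role each. Null values are skipped.
     */
    private String[] getRolesFromAssertion(Assertion assertion) {
        List<String> roles = new ArrayList<>();
        String roleClaim = getRoleClaim();
        List<AttributeStatement> attributeStatements = assertion.getAttributeStatements();
        if (attributeStatements != null) {
            for (AttributeStatement statement : attributeStatements) {
                for (Attribute attribute : statement.getAttributes()) {
                    String name = attribute.getName();
                    if (name == null || !roleClaim.equals(name)) {
                        continue;
                    }
                    List<XMLObject> attributeValues = attribute.getAttributeValues();
                    if (attributeValues == null || attributeValues.isEmpty()) {
                        continue;
                    }
                    if (attributeValues.size() == 1) {
                        String value = getAttributeValue(attributeValues.get(0));
                        if (value == null) {
                            continue;
                        }
                        // The separator is used as a regular expression, as before.
                        String[] split = value.split(getAttributeSeperator());
                        if (log.isDebugEnabled()) {
                            log.debug("Adding attributes for Assertion: " + assertion + " AttributeName : " + name
                                    + ", AttributeValue : " + Arrays.toString(split));
                        }
                        roles.addAll(Arrays.asList(split));
                    } else {
                        for (XMLObject valueObject : attributeValues) {
                            String value = getAttributeValue(valueObject);
                            if (value == null) {
                                continue;
                            }
                            if (log.isDebugEnabled()) {
                                log.debug("Adding attributes for Assertion: " + assertion + " AttributeName : " + name
                                        + ", AttributeValue : " + valueObject);
                            }
                            roles.add(value);
                        }
                    }
                }
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("Role list found for assertion: " + assertion + ", roles: " + roles);
        }
        return roles.toArray(new String[0]);
    }

    /** Text of an attribute value: xs:string value, xs:any text content, or {@code toString()} otherwise. */
    private String getAttributeValue(XMLObject attributeValue) {
        if (attributeValue == null) {
            return null;
        }
        if (attributeValue instanceof XSString) {
            return ((XSString) attributeValue).getValue();
        }
        if (attributeValue instanceof XSAnyImpl) {
            return ((XSAnyImpl) attributeValue).getTextContent();
        }
        return attributeValue.toString();
    }

    /** Attribute name carrying the roles; configurable, defaults to the constant. */
    private String getRoleClaim() {
        String configured = getConfigParameter(SAML2SSOAuthenticatorBEConstants.PropertyConfig.ROLE_CLAIM_ATTRIBUTE);
        return configured != null ? configured : SAML2SSOAuthenticatorBEConstants.ROLE_ATTRIBUTE_NAME;
    }

    /** Separator (regex) for multi-role single attribute values; configurable, defaults to the constant. */
    private String getAttributeSeperator() {
        String configured = getConfigParameter(SAML2SSOAuthenticatorBEConstants.PropertyConfig.ATTRIBUTE_VALUE_SEPARATOR);
        return configured != null ? configured : SAML2SSOAuthenticatorBEConstants.ATTRIBUTE_VALUE_SEPERATER;
    }

    /**
     * Enforces the assertion's NotBefore / NotOnOrAfter conditions with the configured clock skew.
     * An assertion without Conditions passes this check (audience validation rejects it separately).
     *
     * @throws SAML2SSOAuthenticatorException for unsupported objects, a missing assertion, or a
     *         condition outside the tolerated window
     */
    private void validateAssertionValidityPeriod(XMLObject samlObject) throws SAML2SSOAuthenticatorException {
        Assertion assertion;
        if (samlObject instanceof Response) {
            assertion = getAssertionFromResponse((Response) samlObject);
        } else if (samlObject instanceof Assertion) {
            assertion = (Assertion) samlObject;
        } else {
            throw new SAML2SSOAuthenticatorException("Only Response and Assertion objects are validated in this authenticator");
        }
        if (assertion == null) {
            throw new SAML2SSOAuthenticatorException("Cannot find a SAML Assertion");
        }
        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            return;
        }
        DateTime notBefore = conditions.getNotBefore();
        DateTime notOnOrAfter = conditions.getNotOnOrAfter();
        int skewInSeconds = getTimeStampSkewInSeconds();
        // Skew widens the window in both directions to absorb IdP/SP clock drift.
        if (notBefore != null && notBefore.minusSeconds(skewInSeconds).isAfterNow()) {
            throw new SAML2SSOAuthenticatorException("Failed to meet SAML Assertion Condition 'Not Before'");
        }
        if (notOnOrAfter != null && notOnOrAfter.plusSeconds(skewInSeconds).isBeforeNow()) {
            throw new SAML2SSOAuthenticatorException("Failed to meet SAML Assertion Condition 'Not On Or After'");
        }
        if (notBefore != null && notOnOrAfter != null && notBefore.isAfter(notOnOrAfter)) {
            throw new SAML2SSOAuthenticatorException(
                    "SAML Assertion Condition 'Not Before' must be less than the value of 'Not On Or After'");
        }
    }

    /** Same test the audit paths used before: non-null and not only whitespace after {@code trim()}. */
    private static boolean hasText(String value) {
        return value != null && value.trim().length() > 0;
    }
}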
