package org.wso2.carbon.identity.authenticator.saml2.sso.common;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.Random;
import java.util.concurrent.ConcurrentHashMap;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.xerces.util.SecurityManager;
import org.apache.xml.security.Init;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.LogoutRequest;
import org.opensaml.saml2.core.Response;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.XMLObjectBuilder;
import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.signature.X509Certificate;
import org.opensaml.xml.signature.X509Data;
import org.opensaml.xml.util.Base64;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.w3c.dom.bootstrap.DOMImplementationRegistry;
import org.w3c.dom.ls.DOMImplementationLS;
import org.w3c.dom.ls.LSOutput;
import org.w3c.dom.ls.LSSerializer;
import org.wso2.carbon.core.security.AuthenticatorsConfiguration;
import org.wso2.carbon.identity.authenticator.saml2.sso.common.builders.SignKeyDataHolder;
import org.wso2.carbon.identity.authenticator.saml2.sso.common.util.CarbonEntityResolver;
import org.xml.sax.SAXException;

/* loaded from: input_file:org/wso2/carbon/identity/authenticator/saml2/sso/common/Util.class */
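/**
 * Static helpers shared by the SAML2 SSO UI authenticator: OpenSAML bootstrap, hardened XML
 * parsing, (un)marshalling, request signing, Base64 helpers and access to the authenticator's
 * configuration parameters.
 *
 * <p>Configuration values are read lazily from {@link AuthenticatorsConfiguration} on first use
 * and cached in static fields. The class is not instantiable.
 */
public final class Util {
    private static final String SECURITY_MANAGER_PROPERTY = "http://apache.org/xml/properties/security-manager";
    // Xerces entity-expansion ceiling for parsed SAML documents: 0 forbids any entity expansion,
    // which is the intended hardening against entity-expansion ("billion laughs") payloads.
    private static final int ENTITY_EXPANSION_LIMIT = 0;
    private static final String EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#";
    private static final String EXC_C14N_WITH_COMMENTS = "http://www.w3.org/2001/10/xml-exc-c14n#WithComments";
    private static final Log log = LogFactory.getLog(Util.class);
    // Written only inside the class monitor in doBootstrap(); volatile so the unsynchronized
    // fast-path read sees the published value.
    private static volatile boolean bootStrapped = false;
    private static String serviceProviderId = null;
    private static String identityProviderSSOServiceURL = null;
    private static Map<String, String> parameters = new HashMap<>();
    private static String identityProviderSLOServiceURL = null;
    private static String loginPage = "/carbon/admin/login.jsp";
    private static String landingPage = null;
    private static String externalLogoutPage = null;
    private static boolean logoutSupportedIDP = false;
    private static String assertionConsumerServiceUrl = null;
    private static boolean initSuccess = false;
    // NOTE(review): nothing in this class populates saml2IdpProperties; confirm whether the
    // federated-IdP lookup in getIdentityProviderSSOServiceURL(String) is still meant to work.
    private static Properties saml2IdpProperties = new Properties();
    private static Map<String, String> cachedIdps = new ConcurrentHashMap<>();

    private Util() {
    }

    /**
     * Parses a SAML XML string into an OpenSAML object tree using a hardened parser.
     *
     * <p>The document is parsed twice when the assertion's signature reference uses the
     * exclusive-c14n-with-comments transform: comments are then retained so that the signed
     * octets can be reproduced for verification.
     *
     * @param str the XML document text
     * @return the unmarshalled root object
     * @throws SAML2SSOUIAuthenticatorException if parsing or unmarshalling fails
     */
    public static XMLObject unmarshall(String str) throws SAML2SSOUIAuthenticatorException {
        try {
            doBootstrap();
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            Document document = getDocument(factory, str);
            if (isSignedWithComments(document)) {
                factory.setIgnoringComments(false);
                document = getDocument(factory, str);
            }
            Element root = document.getDocumentElement();
            return Configuration.getUnmarshallerFactory().getUnmarshaller(root).unmarshall(root);
        } catch (Exception e) {
            log.error("Error in constructing AuthRequest from the encoded String", e);
            throw new SAML2SSOUIAuthenticatorException("Error in constructing AuthRequest from the encoded String ", e);
        }
    }

    /**
     * Reports whether the assertion's signature reference declares the
     * exclusive-c14n-with-comments transform.
     *
     * @param document the parsed SAML document
     * @return {@code true} only when such a transform is found; {@code false} on any lookup
     *         failure, which makes the caller default to the comment-stripping parse
     */
    private static boolean isSignedWithComments(Document document) {
        XPath xPath = XPathFactory.newInstance().newXPath();
        try {
            String assertionId = (String) xPath.compile("//*[local-name()='Assertion']/@ID")
                    .evaluate(document, XPathConstants.STRING);
            if (StringUtils.isBlank(assertionId)) {
                return false;
            }
            // The ID is attacker-controlled document content and is spliced into an XPath
            // string literal below. A valid xs:ID never contains a quote, so refuse anything
            // that could break out of the literal instead of letting it shape the query.
            if (assertionId.indexOf('\'') >= 0 || assertionId.indexOf('"') >= 0) {
                return false;
            }
            String transformXPath = "//*[local-name()='Assertion']/*[local-name()='Signature']/*[local-name()='SignedInfo']"
                    + "/*[local-name()='Reference'][@URI='#" + assertionId + "']"
                    + "/*[local-name()='Transforms']/*[local-name()='Transform'][@Algorithm='"
                    + EXC_C14N_WITH_COMMENTS + "']";
            NodeList transforms = (NodeList) xPath.compile(transformXPath).evaluate(document, XPathConstants.NODESET);
            return transforms != null && transforms.getLength() > 0;
        } catch (XPathExpressionException e) {
            log.warn("Failed to find the canonicalization algorithm of the assertion. Defaulting to: http://www.w3.org/2001/10/xml-exc-c14n#");
            if (log.isDebugEnabled()) {
                log.debug("Failed to find the canonicalization algorithm of the assertion. Defaulting to: http://www.w3.org/2001/10/xml-exc-c14n#", e);
            }
            return false;
        }
    }

    /**
     * Parses untrusted XML with entity expansion and XInclude disabled, JAXP secure processing
     * enabled and a Xerces {@link SecurityManager} with a zero expansion limit installed.
     *
     * @param documentBuilderFactory the factory to configure and use
     * @param str the XML text; decoded as UTF-8 regardless of the platform default charset
     * @return the parsed DOM document
     * @throws IOException if reading the input fails
     * @throws SAXException if the input is not well-formed
     * @throws ParserConfigurationException if the factory does not support the requested features
     */
    private static Document getDocument(DocumentBuilderFactory documentBuilderFactory, String str)
            throws IOException, SAXException, ParserConfigurationException {
        documentBuilderFactory.setNamespaceAware(true);
        documentBuilderFactory.setExpandEntityReferences(false);
        documentBuilderFactory.setXIncludeAware(false);
        documentBuilderFactory.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);
        SecurityManager securityManager = new SecurityManager();
        securityManager.setEntityExpansionLimit(ENTITY_EXPANSION_LIMIT);
        documentBuilderFactory.setAttribute(SECURITY_MANAGER_PROPERTY, securityManager);
        DocumentBuilder builder = documentBuilderFactory.newDocumentBuilder();
        // Entity resolution is delegated to CarbonEntityResolver (defined elsewhere); confirm that
        // it refuses external references, since DOCTYPE declarations are not disallowed here.
        builder.setEntityResolver(new CarbonEntityResolver());
        return builder.parse(new ByteArrayInputStream(str.trim().getBytes(StandardCharsets.UTF_8)));
    }

    /**
     * Serializes an OpenSAML object to its XML text.
     *
     * @param xMLObject the object to marshall
     * @return the serialized XML, UTF-8 encoded and decoded back to a string
     * @throws SAML2SSOUIAuthenticatorException if marshalling or serialization fails
     */
    public static String marshall(XMLObject xMLObject) throws SAML2SSOUIAuthenticatorException {
        try {
            doBootstrap();
            // Pins the JAXP DOM implementation to Xerces. This is a JVM-wide side effect kept
            // from the original implementation because other components may rely on it.
            System.setProperty("javax.xml.parsers.DocumentBuilderFactory", "org.apache.xerces.jaxp.DocumentBuilderFactoryImpl");
            Element element = org.opensaml.xml.Configuration.getMarshallerFactory().getMarshaller(xMLObject).marshall(xMLObject);
            DOMImplementationLS domLs = (DOMImplementationLS) DOMImplementationRegistry.newInstance().getDOMImplementation("LS");
            LSSerializer serializer = domLs.createLSSerializer();
            LSOutput output = domLs.createLSOutput();
            ByteArrayOutputStream bytes = new ByteArrayOutputStream();
            // Fix both the serializer's and the decoding charset to UTF-8 so they cannot
            // disagree with each other or with the platform default.
            output.setEncoding(StandardCharsets.UTF_8.name());
            output.setByteStream(bytes);
            serializer.write(element, output);
            return bytes.toString(StandardCharsets.UTF_8.name());
        } catch (Exception e) {
            log.error("Error Serializing the SAML Response", e);
            throw new SAML2SSOUIAuthenticatorException("Error Serializing the SAML Response", e);
        }
    }

    /**
     * Base64-encodes a string (UTF-8 octets) without line breaks.
     *
     * @param str the text to encode
     * @return the trimmed Base64 text
     * @throws Exception never thrown here; retained for signature compatibility
     */
    public static String encode(String str) throws Exception {
        // 8 is the encoder's "don't break lines" option flag.
        return Base64.encodeBytes(str.getBytes(StandardCharsets.UTF_8), 8).trim();
    }

    /**
     * Base64-decodes a string and interprets the result as UTF-8 text.
     *
     * @param str the Base64 text
     * @return the decoded text
     * @throws SAML2SSOUIAuthenticatorException retained for signature compatibility
     */
    public static String decode(String str) throws SAML2SSOUIAuthenticatorException {
        byte[] decoded = new org.apache.commons.codec.binary.Base64().decode(str.getBytes(StandardCharsets.UTF_8));
        return new String(decoded, StandardCharsets.UTF_8);
    }

    /**
     * Initializes the OpenSAML library once per JVM. Safe to call from several threads; a
     * bootstrap failure is logged and will be retried on the next call.
     */
    public static void doBootstrap() {
        if (bootStrapped) {
            return;
        }
        synchronized (Util.class) {
            if (bootStrapped) {
                return;
            }
            try {
                DefaultBootstrap.bootstrap();
                bootStrapped = true;
            } catch (ConfigurationException e) {
                log.error("Error in bootstrapping the OpenSAML2 library", e);
            }
        }
    }

    /**
     * Signs an {@link AuthnRequest} with the given credential and embeds the signing
     * certificate in the signature's KeyInfo.
     *
     * @param authnRequest the request to sign (modified in place)
     * @param str the XML signature algorithm URI
     * @param x509Credential the signing key and certificate
     * @return the same, now signed, request
     * @throws Exception wrapping any failure while building or computing the signature
     */
    public static AuthnRequest setSignature(AuthnRequest authnRequest, String str, X509Credential x509Credential) throws Exception {
        if (log.isDebugEnabled()) {
            log.debug("Signing the AuthnRequest");
        }
        doBootstrap();
        try {
            Signature signature = buildSignature(x509Credential, str);
            authnRequest.setSignature(signature);
            marshallAndSign(authnRequest, signature);
            return authnRequest;
        } catch (Exception e) {
            throw new Exception("Error While signing the assertion.", e);
        }
    }

    /**
     * Signs a {@link LogoutRequest} with the given credential and embeds the signing
     * certificate in the signature's KeyInfo.
     *
     * @param logoutRequest the request to sign (modified in place)
     * @param str the XML signature algorithm URI
     * @param signKeyDataHolder the signing key and certificate
     * @return the same, now signed, request
     * @throws Exception wrapping any failure while building or computing the signature
     */
    public static LogoutRequest setSignature(LogoutRequest logoutRequest, String str, SignKeyDataHolder signKeyDataHolder) throws Exception {
        if (log.isDebugEnabled()) {
            log.debug("Signing the AuthnRequest");
        }
        doBootstrap();
        try {
            Signature signature = buildSignature(signKeyDataHolder, str);
            logoutRequest.setSignature(signature);
            marshallAndSign(logoutRequest, signature);
            return logoutRequest;
        } catch (Exception e) {
            throw new Exception("Error While signing the assertion.", e);
        }
    }

    /**
     * Builds an unsigned {@link Signature} element (exclusive C14N, given algorithm) whose
     * KeyInfo carries the credential's entity certificate.
     *
     * @param credential the signing credential
     * @param signatureAlgorithm the XML signature algorithm URI
     * @return the prepared signature; not yet computed
     * @throws Exception if an OpenSAML builder is missing or the certificate cannot be encoded
     */
    private static Signature buildSignature(X509Credential credential, String signatureAlgorithm) throws Exception {
        Signature signature = (Signature) buildXMLObject(Signature.DEFAULT_ELEMENT_NAME);
        signature.setSigningCredential(credential);
        signature.setSignatureAlgorithm(signatureAlgorithm);
        signature.setCanonicalizationAlgorithm(EXC_C14N);
        try {
            KeyInfo keyInfo = (KeyInfo) buildXMLObject(KeyInfo.DEFAULT_ELEMENT_NAME);
            X509Data x509Data = (X509Data) buildXMLObject(X509Data.DEFAULT_ELEMENT_NAME);
            X509Certificate x509Certificate = (X509Certificate) buildXMLObject(X509Certificate.DEFAULT_ELEMENT_NAME);
            x509Certificate.setValue(org.apache.xml.security.utils.Base64.encode(credential.getEntityCertificate().getEncoded()));
            x509Data.getX509Certificates().add(x509Certificate);
            keyInfo.getX509Datas().add(x509Data);
            signature.setKeyInfo(keyInfo);
        } catch (CertificateEncodingException e) {
            throw new SAML2SSOUIAuthenticatorException("errorGettingCert ", e);
        }
        return signature;
    }

    /**
     * Marshalls the object (the signature must be attached to a DOM before it can be computed)
     * and then computes the signature value.
     *
     * @param signedObject the object that carries {@code signature}
     * @param signature the prepared signature to compute
     * @throws Exception if marshalling or signing fails
     */
    private static void marshallAndSign(XMLObject signedObject, Signature signature) throws Exception {
        org.opensaml.xml.Configuration.getMarshallerFactory().getMarshaller(signedObject).marshall(signedObject);
        Init.init();
        List<Signature> signatures = new ArrayList<>();
        signatures.add(signature);
        Signer.signObjects(signatures);
    }

    /**
     * Creates an empty OpenSAML object for the given element name.
     *
     * @param qName the element's qualified name
     * @return the new object
     * @throws Exception if no builder is registered for {@code qName}
     */
    public static XMLObject buildXMLObject(QName qName) throws Exception {
        XMLObjectBuilder<?> builder = org.opensaml.xml.Configuration.getBuilderFactory().getBuilder(qName);
        if (builder == null) {
            throw new Exception("Unable to retrieve builder for object QName " + qName);
        }
        return builder.buildObject(qName.getNamespaceURI(), qName.getLocalPart(), qName.getPrefix());
    }

    /**
     * Generates a cryptographically random SAML message/assertion identifier.
     *
     * @return a fresh identifier
     * @throws Exception if the secure random source is unavailable
     */
    public static String createID() throws Exception {
        try {
            return new SecureRandomIdentifierGenerator().generateIdentifier();
        } catch (NoSuchAlgorithmException e) {
            throw new Exception("Error while building Secure Random ID.", e);
        }
    }

    /**
     * Loads the authenticator's parameters from the Carbon authenticators configuration into the
     * static fields of this class.
     *
     * @return {@code true} once the configuration has been loaded; {@code false} while no
     *         configuration entry exists for this authenticator
     */
    public static boolean initSSOConfigParams() {
        AuthenticatorsConfiguration.AuthenticatorConfig authenticatorConfig =
                AuthenticatorsConfiguration.getInstance().getAuthenticatorConfig(SAML2SSOAuthenticatorConstants.AUTHENTICATOR_NAME);
        if (authenticatorConfig != null) {
            parameters = authenticatorConfig.getParameters();
            if (parameters == null) {
                // A config entry without parameters must not leave the lookups below NPE-prone.
                parameters = new HashMap<>();
            }
            serviceProviderId = parameters.get(SAML2SSOAuthenticatorConstants.SERVICE_PROVIDER_ID);
            identityProviderSSOServiceURL = parameters.get(SAML2SSOAuthenticatorConstants.IDENTITY_PROVIDER_SSO_SERVICE_URL);
            identityProviderSLOServiceURL = parameters.get(SAML2SSOAuthenticatorConstants.IDENTITY_PROVIDER_SLO_SERVICE_URL);
            loginPage = parameters.get(SAML2SSOAuthenticatorConstants.LOGIN_PAGE);
            landingPage = parameters.get(SAML2SSOAuthenticatorConstants.LANDING_PAGE);
            externalLogoutPage = parameters.get(SAML2SSOAuthenticatorConstants.EXTERNAL_LOGOUT_PAGE);
            logoutSupportedIDP = Boolean.parseBoolean(parameters.get(SAML2SSOAuthenticatorConstants.LOGOUT_SUPPORTED_IDP));
            assertionConsumerServiceUrl = parameters.get("AssertionConsumerServiceURL");
            initSuccess = true;
        }
        return initSuccess;
    }

    /** Loads the configuration on first use; later calls are no-ops. */
    private static void ensureInitialized() {
        if (!initSuccess) {
            initSSOConfigParams();
        }
    }

    /**
     * @return {@code true} if this authenticator has a configuration entry that is not disabled;
     *         a missing entry counts as disabled (fail closed)
     */
    public static boolean isAuthenticatorEnabled() {
        AuthenticatorsConfiguration.AuthenticatorConfig authenticatorConfig =
                AuthenticatorsConfiguration.getInstance().getAuthenticatorConfig(SAML2SSOAuthenticatorConstants.AUTHENTICATOR_NAME);
        return authenticatorConfig != null && !authenticatorConfig.isDisabled();
    }

    /** @return the configured service provider (issuer) id, or {@code null} if unset */
    public static String getServiceProviderId() {
        ensureInitialized();
        return serviceProviderId;
    }

    /** @return the configured IdP single sign-on endpoint, or {@code null} if unset */
    public static String getIdentityProviderSSOServiceURL() {
        ensureInitialized();
        return identityProviderSSOServiceURL;
    }

    /** @return the configured IdP single logout endpoint, or {@code null} if unset */
    public static String getIdentityProviderSLOServiceURL() {
        ensureInitialized();
        return identityProviderSLOServiceURL;
    }

    /** @return the configured assertion consumer service URL, or {@code null} if unset */
    public static String getAssertionConsumerServiceURL() {
        ensureInitialized();
        return assertionConsumerServiceUrl;
    }

    /**
     * Resolves the SSO endpoint of a federated identity provider by domain.
     *
     * @param str the user's domain; compared case-insensitively
     * @return the endpoint URL, or {@code null} when {@code str} is null, names the IdP's own
     *         domain ({@code IdpSelfDomain}) or is unknown
     */
    public static String getIdentityProviderSSOServiceURL(String str) {
        ensureInitialized();
        if (str == null) {
            return null;
        }
        String selfDomain = parameters.get("IdpSelfDomain");
        // Locale.ROOT keeps the lookup key independent of the server's default locale.
        String domainKey = str.trim().toUpperCase(Locale.ROOT);
        if (selfDomain != null && selfDomain.trim().toUpperCase(Locale.ROOT).equals(domainKey)) {
            return null;
        }
        String idpUrl = cachedIdps.get(domainKey);
        if (idpUrl == null) {
            idpUrl = saml2IdpProperties.getProperty(domainKey);
        }
        if (log.isDebugEnabled()) {
            log.debug("Federated domain : " + idpUrl);
        }
        if (idpUrl != null) {
            cachedIdps.put(domainKey, idpUrl);
        }
        return idpUrl;
    }

    /** @return the login page path; defaults to {@code /carbon/admin/login.jsp} until configured */
    public static String getLoginPage() {
        return loginPage;
    }

    /** @return the post-login landing page, or {@code null} if unset */
    public static String getLandingPage() {
        return landingPage;
    }

    /** @return the external logout page, or {@code null} if unset */
    public static String getExternalLogoutPage() {
        return externalLogoutPage;
    }

    /** @return whether the configured IdP supports single logout */
    public static boolean isLogoutSupportedIDP() {
        return logoutSupportedIDP;
    }

    /** @return the SAML attribute name that carries the login name, or {@code null} if unset */
    public static String getLoginAttributeName() {
        ensureInitialized();
        return parameters.get(SAML2SSOAuthenticatorConstants.LOGIN_ATTRIBUTE_NAME);
    }

    /**
     * Extracts the user name from a SAML {@link Response} or {@link Assertion}.
     *
     * @param xMLObject the unmarshalled SAML object
     * @return the user name, or {@code null} for other object types or when none is present
     */
    public static String getUsername(XMLObject xMLObject) {
        if (xMLObject instanceof Response) {
            return getUsernameFromResponse((Response) xMLObject);
        }
        if (xMLObject instanceof Assertion) {
            return getUsernameFromAssertion((Assertion) xMLObject);
        }
        return null;
    }

    /**
     * Extracts the user name from the first assertion of a response.
     *
     * @param response the SAML response
     * @return the user name, or {@code null} if the response carries no assertion
     */
    public static String getUsernameFromResponse(Response response) {
        List<Assertion> assertions = response.getAssertions();
        if (assertions == null || assertions.isEmpty()) {
            return null;
        }
        return getUsernameFromAssertion(assertions.get(0));
    }

    /**
     * Extracts the user name from an assertion: the first value of the configured login
     * attribute when one is configured and present, otherwise the subject's NameID.
     *
     * @param assertion the SAML assertion
     * @return the user name; {@code null} when the configured login attribute is present but has
     *         no usable value (the original raised an exception here, so callers must not treat
     *         this as a valid login) or when the assertion has no subject NameID
     */
    public static String getUsernameFromAssertion(Assertion assertion) {
        String loginAttributeName = getLoginAttributeName();
        List<AttributeStatement> statements = assertion.getAttributeStatements();
        if (loginAttributeName != null && statements != null) {
            for (AttributeStatement statement : statements) {
                List<Attribute> attributes = statement.getAttributes();
                if (attributes == null) {
                    continue;
                }
                for (Attribute attribute : attributes) {
                    if (!loginAttributeName.equals(attribute.getName())) {
                        continue;
                    }
                    List<XMLObject> values = attribute.getAttributeValues();
                    if (values == null || values.isEmpty() || values.get(0).getDOM() == null) {
                        return null;
                    }
                    return values.get(0).getDOM().getTextContent();
                }
            }
        }
        if (assertion.getSubject() == null || assertion.getSubject().getNameID() == null) {
            return null;
        }
        return assertion.getSubject().getNameID().getValue();
    }
}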
