package org.wso2.carbon.identity.oauth2.token.handlers.grant.saml;

import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Properties;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.joda.time.DateTime;
import org.opensaml.core.config.InitializationException;
import org.opensaml.saml.saml1.core.Assertion;
import org.opensaml.saml.saml1.core.Audience;
import org.opensaml.saml.saml1.core.AudienceRestrictionCondition;
import org.opensaml.saml.saml1.core.AuthenticationStatement;
import org.opensaml.saml.saml1.core.Conditions;
import org.opensaml.saml.saml1.core.ConfirmationMethod;
import org.opensaml.saml.saml1.core.Subject;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.common.model.FederatedAuthenticatorConfig;
import org.wso2.carbon.identity.application.common.model.IdentityProvider;
import org.wso2.carbon.identity.application.common.model.Property;
import org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.model.RequestParameter;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.oauth2.util.X509CredentialImpl;
import org.wso2.carbon.identity.saml.common.util.SAMLInitializer;
import org.wso2.carbon.identity.saml.common.util.UnmarshallUtils;
import org.wso2.carbon.identity.saml.common.util.exception.IdentityUnmarshallingException;
import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
import org.wso2.carbon.idp.mgt.IdentityProviderManager;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/token/handlers/grant/saml/SAML1BearerGrantHandler.class */
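public class SAML1BearerGrantHandler extends AbstractAuthorizationGrantHandler {

    private static final Log log = LogFactory.getLog(SAML1BearerGrantHandler.class);

    /** Optional config file, looked up as a class-path resource under repository/conf. */
    private static final String SAML10_BEARER_GRANT_TYPE_CONFIG_FILE = "SAML10_BearerGrantType.properties";
    private static final String AUDIENCE_RESTRICTION_PROPERTY = "audienceRestrictionValidationEnabled";

    private static final String SAML10_ASSERTION_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    private static final String SAML10_BEARER_CONFIRMATION_METHOD = "urn:oasis:names:tc:SAML:1.0:cm:bearer";
    private static final String ASSERTION_PARAM = "assertion";
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";
    private static final String LOCAL_IDP_NAME = "LOCAL";
    private static final String SAMLSSO_AUTHENTICATOR = "samlsso";
    private static final String OIDC_AUTHENTICATOR = "openidconnect";

    /** Checks the XML-DSig structure (single enveloped signature, allowed transforms) before key verification. */
    SAMLSignatureProfileValidator profileValidator = null;

    /**
     * Off by default. NOTE(review): while this is false, an assertion the IdP issued for a
     * different relying party is accepted here as long as it is signed by the registered
     * IdP certificate; enable it in production deployments.
     */
    private boolean audienceRestrictionValidationEnabled = false;

    /**
     * Bootstraps OpenSAML (with this bundle's class loader as TCCL for the duration of the
     * bootstrap) and reads the optional audience-restriction switch from
     * {@code repository/conf/SAML10_BearerGrantType.properties}.
     *
     * @throws IdentityOAuth2Exception if the OpenSAML library cannot be initialised.
     */
    @Override // org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler, org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler
    public void init() throws IdentityOAuth2Exception {
        super.init();
        Thread currentThread = Thread.currentThread();
        ClassLoader originalLoader = currentThread.getContextClassLoader();
        currentThread.setContextClassLoader(getClass().getClassLoader());
        try {
            SAMLInitializer.doBootstrap();
        } catch (InitializationException e) {
            log.error("Error in bootstrapping the OpenSAML library", e);
            throw new IdentityOAuth2Exception("Error in bootstrapping the OpenSAML library", e);
        } finally {
            // Always restore the caller's TCCL, even when bootstrap fails.
            currentThread.setContextClassLoader(originalLoader);
        }
        this.profileValidator = new SAMLSignatureProfileValidator();
        loadConfiguration(originalLoader != null ? originalLoader : getClass().getClassLoader());
    }

    /**
     * Reads {@code audienceRestrictionValidationEnabled} from the properties file if it is
     * present on the class path; a missing or unreadable file keeps the defaults.
     */
    private void loadConfiguration(ClassLoader loader) {
        InputStream resource = loader.getResourceAsStream("repository/conf/" + SAML10_BEARER_GRANT_TYPE_CONFIG_FILE);
        if (resource == null) {
            return;
        }
        try (InputStream stream = resource) {
            Properties properties = new Properties();
            properties.load(stream);
            this.audienceRestrictionValidationEnabled =
                    Boolean.parseBoolean(properties.getProperty(AUDIENCE_RESTRICTION_PROPERTY));
            debug("Audience restriction validation enabled is set to " + this.audienceRestrictionValidationEnabled);
        } catch (IOException e) {
            log.warn("Failed to load the SAML-1.0-BearerGrantType.properties stream. The default configurations "
                    + "are used instead of configurations defined in SAML10_BearerGrantType.properties file.", e);
        }
    }

    /**
     * Validates a SAML 1.0 bearer assertion presented as the {@code assertion} request parameter.
     * <p>
     * Order of checks: base-class validation, parse (rejecting nested {@code <Assertion>} elements),
     * subject / NameIdentifier, issuer lookup against the registered IdPs of the tenant, optional
     * audience restriction, bearer confirmation method, validity window (NotOnOrAfter / NotBefore
     * with the configured clock skew), signature profile and signature verification with the IdP
     * certificate. Only after the signature verifies is the authorized user set on the context and
     * the SAML2 token callback handler invoked.
     * <p>
     * NOTE(review): there is no assertion-ID replay cache in this handler; a valid assertion can be
     * exchanged for tokens repeatedly until NotOnOrAfter passes unless something else enforces it.
     *
     * @param oAuthTokenReqMessageContext token request context carrying the request parameters.
     * @return {@code true} when every check passes and the base class accepted the request.
     * @throws IdentityOAuth2Exception on configuration problems (e.g. an undecodable IdP certificate).
     */
    @Override // org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler, org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler
    public boolean validateGrant(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        // Kept as in the original: the base result is computed first and returned at the end,
        // so the assertion checks below run regardless of it.
        boolean baseValidation = super.validateGrant(oAuthTokenReqMessageContext);
        String tenantDomain = resolveTenantDomain(oAuthTokenReqMessageContext);
        copyAssertionParameter(oAuthTokenReqMessageContext);

        String encodedAssertion = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getAssertion();
        if (encodedAssertion == null || encodedAssertion.isEmpty()) {
            debug("SAML1.0 bearer grant request does not carry an assertion");
            return false;
        }
        // commons-codec decoding is lenient (non-alphabet characters are skipped); the XML
        // parser and the signature check are what ultimately reject garbage input.
        String assertionXml = new String(Base64.decodeBase64(encodedAssertion), StandardCharsets.UTF_8);
        if (log.isDebugEnabled() && IdentityUtil.isTokenLoggable("SAML_Assertion")) {
            log.debug("Received SAML assertion : " + assertionXml);
        }

        Assertion assertion = parseAssertion(assertionXml);
        if (assertion == null) {
            return false;
        }

        List<AuthenticationStatement> authenticationStatements = assertion.getAuthenticationStatements();
        if (authenticationStatements == null || authenticationStatements.isEmpty()) {
            debug("Authentication Statement cannot be empty");
            return false;
        }
        Subject subject = authenticationStatements.get(0).getSubject();
        if (subject == null) {
            debug("Subject element cannot be empty.");
            return false;
        }
        if (subject.getNameIdentifier() == null) {
            debug("NameID in Assertion cannot be empty");
            return false;
        }
        String nameIdentifier = subject.getNameIdentifier().getNameIdentifier();
        if (nameIdentifier == null || nameIdentifier.isEmpty()) {
            debug("NameID in Assertion cannot be empty");
            return false;
        }

        String issuer = assertion.getIssuer();
        if (issuer == null || issuer.isEmpty()) {
            debug("Issuer is empty in the SAML assertion");
            return false;
        }
        debug("Issuer is :" + issuer);

        IdentityProvider identityProvider;
        String expectedAudience;
        try {
            identityProvider = IdentityProviderManager.getInstance()
                    .getIdPByAuthenticatorPropertyValue(SAML2BearerGrantHandler.IDP_ENTITY_ID, issuer, tenantDomain, false);
            if (identityProvider == null) {
                debug("SAML Token Issuer verification failed or Issuer not registered");
                return false;
            }
            if (LOCAL_IDP_NAME.equals(identityProvider.getIdentityProviderName())) {
                // Issuer is this server's own resident IdP: re-check the entity id against the
                // resident SAML SSO config and expect the OAuth2 token endpoint as audience.
                identityProvider = IdentityProviderManager.getInstance().getResidentIdP(tenantDomain);
                FederatedAuthenticatorConfig[] configs = identityProvider.getFederatedAuthenticatorConfigs();
                String residentEntityId =
                        getAuthenticatorProperty(configs, SAMLSSO_AUTHENTICATOR, SAML2BearerGrantHandler.IDP_ENTITY_ID);
                if (residentEntityId == null || !residentEntityId.equals(issuer)) {
                    debug("SAML Token Issuer verification failed or Issuer not registered");
                    return false;
                }
                expectedAudience = getAuthenticatorProperty(configs, OIDC_AUTHENTICATOR,
                        OAuthServerConfiguration.ConfigElements.OAUTH2_TOKEN_EP_URL);
            } else {
                // Federated IdP: the configured alias is the audience the IdP is expected to name.
                expectedAudience = identityProvider.getAlias();
            }
        } catch (IdentityProviderManagementException e) {
            debug("Error while getting Federated Identity Provider ", e);
            return false;
        }

        if (this.audienceRestrictionValidationEnabled
                && !validateAudience(assertion, expectedAudience, identityProvider.getIdentityProviderName())) {
            return false;
        }

        if (!hasBearerConfirmation(subject)) {
            debug("Cannot find a subject confirmation with method " + SAML10_BEARER_CONFIRMATION_METHOD
                    + " in subject confirmation " + subject.getSubjectConfirmation());
            return false;
        }
        if (subject.getSubjectConfirmation().getSubjectConfirmationData() == null) {
            // SAML 1.0 does not require SubjectConfirmationData; validity is bounded by Conditions.
            log.warn("Subject confirmation data is missing.");
        }

        if (!validateValidityWindow(assertion)) {
            return false;
        }

        if (!validateSignature(assertion, identityProvider, tenantDomain)) {
            return false;
        }

        // Nothing derived from the assertion is published on the context before the signature verifies.
        AuthenticatedUser authenticatedUser = OAuth2Util.getUserFromUserName(nameIdentifier);
        authenticatedUser.setAuthenticatedSubjectIdentifier(nameIdentifier);
        authenticatedUser.setFederatedUser(true);
        oAuthTokenReqMessageContext.setAuthorizedUser(authenticatedUser);
        debug("Resource Owner User Name is set to " + nameIdentifier);

        // Requested scope is passed through unchanged; validateScope() below always returns true.
        oAuthTokenReqMessageContext.setScope(oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getScope());
        // Property key kept as "SAML2Assertion" for compatibility with existing callback handlers,
        // even though the object is a SAML 1.0 assertion.
        oAuthTokenReqMessageContext.addProperty("SAML2Assertion", assertion);

        SAML2TokenCallbackHandler callbackHandler = OAuthServerConfiguration.getInstance().getSAML2TokenCallbackHandler();
        if (callbackHandler != null) {
            debug("Invoking the SAML2 Token callback handler");
            callbackHandler.handleSAML2Token(oAuthTokenReqMessageContext);
        }
        return baseValidation;
    }

    /** Tenant of the request, defaulting to the super tenant when absent. */
    private static String resolveTenantDomain(OAuthTokenReqMessageContext ctx) {
        String tenantDomain = ctx.getOauth2AccessTokenReqDTO().getTenantDomain();
        if (tenantDomain == null || tenantDomain.isEmpty()) {
            return SUPER_TENANT_DOMAIN;
        }
        return tenantDomain;
    }

    /** Copies the first value of the {@code assertion} request parameter onto the request DTO, if present. */
    private static void copyAssertionParameter(OAuthTokenReqMessageContext ctx) {
        RequestParameter[] requestParameters = ctx.getOauth2AccessTokenReqDTO().getRequestParameters();
        if (requestParameters == null) {
            return;
        }
        for (RequestParameter parameter : requestParameters) {
            if (ASSERTION_PARAM.equals(parameter.getKey())) {
                String[] values = parameter.getValue();
                if (values != null && values.length > 0) {
                    ctx.getOauth2AccessTokenReqDTO().setAssertion(values[0]);
                }
                return;
            }
        }
    }

    /**
     * Unmarshals the XML and returns it as an {@link Assertion}, or {@code null} when it is not a
     * SAML 1.0 assertion or when it contains a nested {@code <Assertion>} element (the classic
     * signature-wrapping shape).
     */
    private Assertion parseAssertion(String assertionXml) {
        Assertion samlObject;
        try {
            samlObject = UnmarshallUtils.unmarshall(assertionXml);
        } catch (IdentityUnmarshallingException e) {
            debug("Error occurred while unmarshalling SAML1.0 assertion", e);
            return null;
        }
        if (!(samlObject instanceof Assertion)) {
            debug("Only Assertion objects are validated in SAML1Bearer Grant Type");
            return null;
        }
        if (samlObject.getDOM() == null) {
            // Without the backing DOM the nested-assertion check cannot be performed; fail closed.
            debug("Unmarshalled assertion has no DOM; cannot validate its structure");
            return null;
        }
        if (samlObject.getDOM().getElementsByTagNameNS(SAML10_ASSERTION_NS, SAML2BearerGrantHandler.ASSERTION_ELEMENT)
                .getLength() > 0) {
            debug("Invalid schema for SAML Assertion. Nested assertions detected.");
            return null;
        }
        return samlObject;
    }

    /** Value of {@code propertyName} on the named federated authenticator, or {@code null} if absent. */
    private static String getAuthenticatorProperty(FederatedAuthenticatorConfig[] configs, String authenticatorName,
                                                   String propertyName) {
        FederatedAuthenticatorConfig config = IdentityApplicationManagementUtil.getFederatedAuthenticator(configs, authenticatorName);
        if (config == null) {
            return null;
        }
        Property property = IdentityApplicationManagementUtil.getProperty(config.getProperties(), propertyName);
        return property != null ? property.getValue() : null;
    }

    /**
     * Requires at least one AudienceRestrictionCondition that names {@code expectedAudience}.
     * NOTE(review): the SAML spec treats each AudienceRestrictionCondition as an independent
     * condition that must all hold; this (like the original) accepts a match in any one of them.
     */
    private boolean validateAudience(Assertion assertion, String expectedAudience, String idpName) {
        if (expectedAudience == null || expectedAudience.isEmpty()) {
            debug("Token Endpoint alias of the local Identity Provider has not been configured for " + idpName);
            return false;
        }
        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            debug("SAML Assertion doesn't contain Conditions");
            return false;
        }
        List<AudienceRestrictionCondition> restrictions = conditions.getAudienceRestrictionConditions();
        if (restrictions == null || restrictions.isEmpty()) {
            debug("SAML Assertion doesn't contain AudienceRestrictions");
            return false;
        }
        for (AudienceRestrictionCondition restriction : restrictions) {
            List<Audience> audiences = restriction.getAudiences();
            if (audiences == null) {
                continue;
            }
            for (Audience audience : audiences) {
                if (expectedAudience.equals(audience.getUri())) {
                    return true;
                }
            }
        }
        debug("SAML Assertion Audience Restriction validation failed");
        return false;
    }

    /** True when the subject carries a confirmation with the SAML 1.0 bearer method. */
    private static boolean hasBearerConfirmation(Subject subject) {
        if (subject.getSubjectConfirmation() == null
                || subject.getSubjectConfirmation().getConfirmationMethods() == null) {
            return false;
        }
        for (ConfirmationMethod method : subject.getSubjectConfirmation().getConfirmationMethods()) {
            if (SAML10_BEARER_CONFIRMATION_METHOD.equals(method.getConfirmationMethod())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks the Conditions validity window against the current time, allowing the configured
     * clock skew on both ends. A NotOnOrAfter is mandatory (an unbounded assertion is rejected);
     * NotBefore is enforced when present so a not-yet-valid assertion cannot be exchanged early.
     */
    private boolean validateValidityWindow(Assertion assertion) {
        Conditions conditions = assertion.getConditions();
        DateTime notOnOrAfter = conditions != null ? conditions.getNotOnOrAfter() : null;
        if (notOnOrAfter == null) {
            debug("No NotOnOrAfter found in Conditions element; assertion validity is unbounded");
            return false;
        }
        long skewMillis = OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * 1000;
        if (notOnOrAfter.plus(skewMillis).isBeforeNow()) {
            debug("NotOnOrAfter is having an expired timestamp in Conditions element");
            return false;
        }
        DateTime notBefore = conditions.getNotBefore();
        if (notBefore != null && notBefore.minus(skewMillis).isAfterNow()) {
            debug("NotBefore in Conditions element is in the future; assertion is not yet valid");
            return false;
        }
        return true;
    }

    /**
     * Verifies that the assertion is signed, that the signature follows the SAML signature
     * profile and that it verifies with the registered certificate of {@code identityProvider}.
     *
     * @throws IdentityOAuth2Exception if the IdP has no usable certificate configured.
     */
    private boolean validateSignature(Assertion assertion, IdentityProvider identityProvider, String tenantDomain)
            throws IdentityOAuth2Exception {
        // An unsigned assertion must never reach the validators; do not rely on how they treat null.
        if (assertion.getSignature() == null) {
            debug("SAML assertion is not signed");
            return false;
        }
        try {
            this.profileValidator.validate(assertion.getSignature());
        } catch (SignatureException e) {
            debug("Signature did not conform to SAML1.0 Signature profile", e);
            return false;
        }
        String encodedCertificate = identityProvider.getCertificate();
        if (encodedCertificate == null || encodedCertificate.isEmpty()) {
            throw new IdentityOAuth2Exception("No public certificate configured for Identity Provider "
                    + identityProvider.getIdentityProviderName() + " for tenant domain " + tenantDomain);
        }
        X509Certificate certificate;
        try {
            certificate = (X509Certificate) IdentityApplicationManagementUtil.decodeCertificate(encodedCertificate);
        } catch (CertificateException e) {
            throw new IdentityOAuth2Exception("Error occurred while decoding public certificate of Identity Provider "
                    + identityProvider.getIdentityProviderName() + " for tenant domain " + tenantDomain, e);
        }
        if (certificate == null) {
            throw new IdentityOAuth2Exception("Could not decode public certificate of Identity Provider "
                    + identityProvider.getIdentityProviderName() + " for tenant domain " + tenantDomain);
        }
        try {
            SignatureValidator.validate(assertion.getSignature(), new X509CredentialImpl(certificate));
        } catch (SignatureException e) {
            debug("Signature validation failure:" + e.getMessage(), e);
            return false;
        }
        debug("Signature validation successful");
        return true;
    }

    private static void debug(String message) {
        if (log.isDebugEnabled()) {
            log.debug(message);
        }
    }

    private static void debug(String message, Throwable cause) {
        if (log.isDebugEnabled()) {
            log.debug(message, cause);
        }
    }

    /**
     * Scope is not restricted by this handler; the requested scope is accepted as-is
     * (see validateGrant, which copies it onto the context).
     */
    @Override // org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler, org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler
    public boolean validateScope(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        return true;
    }

    /** Delegation is always authorized once validateGrant has accepted the assertion. */
    @Override // org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler, org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler
    public boolean authorizeAccessDelegation(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        return true;
    }

    /**
     * Refresh-token issuance is driven by server configuration, keyed by the bearer confirmation
     * method URN (presumably the name this grant type is registered under — confirm in config).
     */
    @Override // org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler, org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler
    public boolean issueRefreshToken() throws IdentityOAuth2Exception {
        return OAuthServerConfiguration.getInstance().getValueForIsRefreshTokenAllowed(SAML10_BEARER_CONFIRMATION_METHOD);
    }
}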
