package org.wso2.carbon.identity.sso.saml;

import java.math.BigInteger;
import java.util.Arrays;
import java.util.UUID;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.xml.security.exceptions.Base64DecodingException;
import org.apache.xml.security.utils.Base64;
import org.joda.time.DateTime;
import org.opensaml.core.xml.XMLObjectBuilderFactory;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.saml2.core.ArtifactResolve;
import org.opensaml.saml.saml2.core.ArtifactResponse;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.Status;
import org.opensaml.saml.saml2.core.StatusCode;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.signature.impl.SignatureImpl;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
import org.wso2.carbon.identity.sso.saml.SAMLSSOConstants;
import org.wso2.carbon.identity.sso.saml.builders.ResponseBuilder;
import org.wso2.carbon.identity.sso.saml.builders.SignKeyDataHolder;
import org.wso2.carbon.identity.sso.saml.dao.impl.SAML2ArtifactInfoDAOImpl;
import org.wso2.carbon.identity.sso.saml.dto.SAML2ArtifactInfo;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOAuthnReqDTO;
import org.wso2.carbon.identity.sso.saml.exception.ArtifactBindingException;
import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;
import org.wso2.carbon.user.api.UserStoreException;

/* loaded from: input_file:org/wso2/carbon/identity/sso/saml/SAMLSSOArtifactResolver.class */
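public class SAMLSSOArtifactResolver {
    private static final Log log = LogFactory.getLog(SAMLSSOArtifactResolver.class);

    // Byte layout of the decoded artifact as this resolver reads it: bytes 0-3 (type code and
    // endpoint index) are skipped, bytes 4-23 are the SourceID and bytes 24-43 the MessageHandle.
    // Both 20-byte fields are looked up in the DAO as 40-character lower-case hex strings.
    private static final int SOURCE_ID_OFFSET = 4;
    private static final int MESSAGE_HANDLE_OFFSET = 24;
    private static final int ARTIFACT_LENGTH = 44;
    // Value returned by the tenant manager for an unknown tenant domain.
    private static final int INVALID_TENANT_ID = -1;

    /**
     * Resolves a SAML2 artifact into the {@link ArtifactResponse} that is sent back to the service provider.
     *
     * <p>The artifact is Base64 decoded, its SourceID/MessageHandle pair is looked up in the artifact store,
     * and the ArtifactResolve request is validated (artifact expiry, issuer binding and, when the SP is
     * configured for it, the request signature). Only when all checks pass is the stored authentication
     * response embedded in the ArtifactResponse; an unknown, malformed, expired or otherwise invalid
     * artifact yields an ArtifactResponse without an embedded message. A tenant flow is started for the
     * tenant that issued the artifact and is ended again before returning, but only if it was actually
     * started, so the caller's thread-local tenant context stays balanced.
     *
     * @param artifactResolve the ArtifactResolve request received at the artifact resolution endpoint
     * @return the ArtifactResponse to return to the requester (with or without an embedded Response)
     * @throws ArtifactBindingException if the artifact cannot be Base64 decoded, the response cannot be
     *                                  built, or no {@link ResponseBuilder} is available
     */
    public ArtifactResponse resolveArtifact(ArtifactResolve artifactResolve) throws ArtifactBindingException {
        String artifact = artifactResolve.getArtifact().getArtifact();
        Response response = null;
        SAML2ArtifactInfo artifactInfo = null;
        boolean tenantFlowStarted = false;
        try {
            byte[] decoded = Base64.decode(artifact);
            if (decoded.length < ARTIFACT_LENGTH) {
                // Too short to hold a SourceID and a MessageHandle. Without this guard copyOfRange would
                // zero-pad the missing bytes (or throw for fewer than 4 bytes) instead of rejecting cleanly.
                log.warn("Malformed artifact (decoded length " + decoded.length
                        + ") received to Artifact Resolution endpoint: " + artifact);
            } else {
                String sourceId = toHex(Arrays.copyOfRange(decoded, SOURCE_ID_OFFSET, MESSAGE_HANDLE_OFFSET));
                String messageHandle = toHex(Arrays.copyOfRange(decoded, MESSAGE_HANDLE_OFFSET, ARTIFACT_LENGTH));
                artifactInfo = new SAML2ArtifactInfoDAOImpl().getSAMLArtifactInfo(sourceId, messageHandle);

                if (artifactInfo == null || artifactInfo.getAuthnReqDTO() == null) {
                    log.warn("Invalid artifact received to Artifact Resolution endpoint: " + artifact);
                } else {
                    tenantFlowStarted = startTenantFlow(artifactInfo.getAuthnReqDTO().getTenantDomain());
                    if (validateArtifactResolve(artifactResolve, artifactInfo)) {
                        ResponseBuilder responseBuilder = SAMLSSOUtil.getResponseBuilder();
                        if (responseBuilder == null) {
                            throw new ArtifactBindingException("Could not create a ResponseBuilder for SAML2 artifact resolution.");
                        }
                        response = responseBuilder.buildResponse(artifactInfo.getAuthnReqDTO(), artifactInfo.getSessionID(),
                                artifactInfo.getInitTimestamp(), artifactInfo.getAssertionID());
                    }
                }
            }
            return buildArtifactResponse(response, artifactResolve, artifactInfo);
        } catch (Base64DecodingException e) {
            throw new ArtifactBindingException("Error while Base64 decoding SAML2 artifact: " + artifact, e);
        } catch (IdentityException e) {
            throw new ArtifactBindingException("Error while building response for SAML2 artifact: " + artifact, e);
        } finally {
            // Only pop the tenant context that this method pushed; ending a flow that was never started
            // would unbalance the caller's thread-local context stack.
            if (tenantFlowStarted) {
                endTenantFlow();
            }
        }
    }

    /**
     * Formats a 20-byte artifact field as the 40-character zero-padded hex string used as the DAO key.
     *
     * @param bytes the raw field bytes (treated as an unsigned big-endian integer)
     * @return the lower-case hex representation, left-padded with zeros to 40 characters
     */
    private static String toHex(byte[] bytes) {
        return String.format("%040x", new BigInteger(1, bytes));
    }

    /**
     * Validates an ArtifactResolve request against the stored artifact information.
     *
     * <p>Checks, in order: the artifact has not expired, the request carries an Issuer that matches the
     * issuer of the original AuthnRequest, the SP configuration for that issuer exists, and - when the SP
     * is configured with signature validation for ArtifactResolve - the request signature verifies. Each
     * failed check is logged at WARN and makes the request invalid; a missing expiry is treated as expired.
     *
     * @param artifactResolve the incoming request
     * @param artifactInfo    the stored artifact record (must have a non-null AuthnReqDTO)
     * @return {@code true} if the request may be answered with the stored response, {@code false} otherwise
     * @throws IdentityException        if the SP configuration cannot be loaded
     * @throws ArtifactBindingException if signature validation is required but the SP has no certificate
     */
    private boolean validateArtifactResolve(ArtifactResolve artifactResolve, SAML2ArtifactInfo artifactInfo)
            throws IdentityException, ArtifactBindingException {
        String artifact = artifactResolve.getArtifact().getArtifact();
        DateTime expiry = artifactInfo.getExpTimestamp();

        // Fail closed: a record without an expiry is treated like an expired one.
        if (expiry == null || !expiry.isAfter(new DateTime())) {
            log.warn("Artifact validity period (" + expiry + ") has been exceeded for artifact: " + artifact);
            return false;
        }
        if (artifactResolve.getIssuer() == null) {
            log.warn("Artifact Resolve has no Issuer for artifact: " + artifact);
            return false;
        }
        String issuer = artifactResolve.getIssuer().getValue();
        // The artifact may only be resolved by the SP that triggered the original AuthnRequest.
        if (!StringUtils.equals(artifactInfo.getAuthnReqDTO().getIssuer(), issuer)) {
            log.warn("Artifact Resolve Issuer: " + issuer + " is not valid.");
            return false;
        }
        SAMLSSOServiceProviderDO spConfig = SAMLSSOUtil.getSPConfig(artifactInfo.getAuthnReqDTO().getTenantDomain(),
                SAMLSSOUtil.splitAppendedTenantDomain(issuer));
        if (spConfig == null) {
            log.warn("No service provider configuration found for Artifact Resolve Issuer: " + issuer);
            return false;
        }
        if (spConfig.isDoValidateSignatureInArtifactResolve()) {
            return validateArtifactResolveSignature(artifactResolve, spConfig);
        }
        return true;
    }

    /**
     * Verifies the XML signature on an ArtifactResolve against the service provider's registered certificate.
     *
     * <p>Only the cryptographic check performed by {@link SignatureValidator#validate} is done here; no
     * signature profile validation (e.g. confirming the signature reference covers the ArtifactResolve
     * element itself) is performed in this class. The caller has already ensured the request has an Issuer.
     *
     * @param artifactResolve the incoming request
     * @param spConfig        the SP configuration holding the certificate to verify against
     * @return {@code true} if a signature is present and verifies, {@code false} if absent or invalid
     * @throws ArtifactBindingException if validation is enabled but the SP has no certificate configured
     */
    private boolean validateArtifactResolveSignature(ArtifactResolve artifactResolve, SAMLSSOServiceProviderDO spConfig)
            throws ArtifactBindingException {
        String artifact = artifactResolve.getArtifact().getArtifact();
        String issuer = artifactResolve.getIssuer().getValue();

        if (log.isDebugEnabled()) {
            log.debug("Validating Artifact Resolve signature for artifact: " + artifact + ", issuer: " + issuer);
        }
        if (artifactResolve.getSignature() == null) {
            log.warn("Signature was not found in the SAML2 Artifact Resolve with artifact: " + artifact
                    + " issuer: " + issuer);
            return false;
        }
        if (spConfig.getX509Certificate() == null) {
            throw new ArtifactBindingException("Artifact resolve signature validation is enabled, but SP doesn't have a certificate");
        }
        try {
            SignatureValidator.validate(artifactResolve.getSignature(), new BasicX509Credential(spConfig.getX509Certificate()));
            return true;
        } catch (SignatureException e) {
            String message = "Signature validation failed for SAML2 Artifact Resolve with artifact: " + artifact
                    + " issuer: " + issuer;
            log.warn(message);
            // The cause carries signature internals; keep it at DEBUG only.
            if (log.isDebugEnabled()) {
                log.debug(message, e);
            }
            return false;
        }
    }

    /**
     * Builds the ArtifactResponse envelope carrying the (possibly absent) SAML Response.
     *
     * <p>The response always carries a Success status code; an invalid artifact is signalled by the absence
     * of an embedded message rather than by the status. IssueInstant mirrors the request's IssueInstant and
     * InResponseTo its ID. The envelope is signed with the algorithms recorded on the original AuthnRequest,
     * but only when the artifact record and its AuthnReqDTO are both available.
     *
     * @param response        the SAML Response to embed, or {@code null} for an empty ArtifactResponse
     * @param artifactResolve the request being answered
     * @param artifactInfo    the stored artifact record, or {@code null} if the artifact was unknown
     * @return the populated ArtifactResponse
     * @throws IdentityException if signing the response fails
     */
    private ArtifactResponse buildArtifactResponse(Response response, ArtifactResolve artifactResolve,
                                                   SAML2ArtifactInfo artifactInfo) throws IdentityException {
        XMLObjectBuilderFactory builderFactory = XMLObjectProviderRegistrySupport.getBuilderFactory();

        ArtifactResponse artifactResponse = builderFactory.getBuilder(ArtifactResponse.DEFAULT_ELEMENT_NAME).buildObject();
        artifactResponse.setVersion(SAMLVersion.VERSION_20);
        artifactResponse.setID(UUID.randomUUID().toString());
        artifactResponse.setIssueInstant(artifactResolve.getIssueInstant());
        artifactResponse.setInResponseTo(artifactResolve.getID());
        artifactResponse.setIssuer(SAMLSSOUtil.getIssuer());

        StatusCode statusCode = builderFactory.getBuilder(StatusCode.DEFAULT_ELEMENT_NAME).buildObject();
        statusCode.setValue(SAMLSSOConstants.StatusCodes.SUCCESS_CODE);
        Status status = builderFactory.getBuilder(Status.DEFAULT_ELEMENT_NAME).buildObject();
        status.setStatusCode(statusCode);
        artifactResponse.setStatus(status);
        artifactResponse.setMessage(response);

        // A record without an AuthnReqDTO is reported as an invalid artifact upstream; guarding here avoids
        // dereferencing it when deriving the signing parameters.
        if (artifactInfo != null && artifactInfo.getAuthnReqDTO() != null) {
            SAMLSSOAuthnReqDTO authnReqDTO = artifactInfo.getAuthnReqDTO();
            SAMLSSOUtil.setSignature(artifactResponse, authnReqDTO.getSigningAlgorithmUri(), authnReqDTO.getDigestAlgorithmUri(),
                    new SignKeyDataHolder(authnReqDTO.getUser().getAuthenticatedSubjectIdentifier()));
        }
        return artifactResponse;
    }

    /**
     * Starts a Carbon tenant flow for the given tenant domain.
     *
     * @param tenantDomain the tenant domain recorded on the original AuthnRequest; blank means "no flow"
     * @return {@code true} if a tenant flow was started and must be ended by the caller, {@code false} if the
     *         domain was blank and nothing was pushed
     * @throws IdentityException if the domain is unknown to the tenant manager or the lookup fails
     */
    private boolean startTenantFlow(String tenantDomain) throws IdentityException {
        if (StringUtils.isBlank(tenantDomain)) {
            return false;
        }
        int tenantId;
        try {
            tenantId = SAMLSSOUtil.getRealmService().getTenantManager().getTenantId(tenantDomain);
        } catch (UserStoreException e) {
            throw IdentityException.error("Error occurred while getting tenant ID from tenantDomain " + tenantDomain, e);
        }
        if (tenantId == INVALID_TENANT_ID) {
            String message = "Invalid Tenant Domain : " + tenantDomain;
            if (log.isDebugEnabled()) {
                log.debug(message);
            }
            throw IdentityException.error(message);
        }
        // Nothing above can throw once the flow is pushed, so a true return always pairs with a push.
        PrivilegedCarbonContext.startTenantFlow();
        PrivilegedCarbonContext carbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
        carbonContext.setTenantId(tenantId);
        carbonContext.setTenantDomain(tenantDomain);
        return true;
    }

    /** Ends the tenant flow pushed by {@link #startTenantFlow(String)}. */
    private void endTenantFlow() {
        PrivilegedCarbonContext.endTenantFlow();
    }
}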
