package org.wso2.carbon.identity.application.authenticator.samlsso.manager;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;
import javax.crypto.SecretKey;
import javax.servlet.http.HttpServletRequest;
import net.shibboleth.utilities.java.support.xml.SerializeSupport;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.joda.time.DateTime;
import org.opensaml.core.config.InitializationException;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.saml2.core.ArtifactResponse;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml.saml2.core.Audience;
import org.opensaml.saml.saml2.core.AudienceRestriction;
import org.opensaml.saml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml.saml2.core.AuthnContextComparisonTypeEnumeration;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.opensaml.saml.saml2.core.Conditions;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.core.Extensions;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.LogoutResponse;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.NameIDPolicy;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.opensaml.saml.saml2.core.RequestedAuthnContext;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.SessionIndex;
import org.opensaml.saml.saml2.core.Status;
import org.opensaml.saml.saml2.core.StatusCode;
import org.opensaml.saml.saml2.core.impl.AuthnContextClassRefBuilder;
import org.opensaml.saml.saml2.core.impl.AuthnRequestBuilder;
import org.opensaml.saml.saml2.core.impl.ExtensionsBuilder;
import org.opensaml.saml.saml2.core.impl.IssuerBuilder;
import org.opensaml.saml.saml2.core.impl.LogoutRequestBuilder;
import org.opensaml.saml.saml2.core.impl.NameIDBuilder;
import org.opensaml.saml.saml2.core.impl.NameIDPolicyBuilder;
import org.opensaml.saml.saml2.core.impl.RequestedAuthnContextBuilder;
import org.opensaml.saml.saml2.core.impl.SessionIndexBuilder;
import org.opensaml.saml.saml2.core.impl.StatusCodeImpl;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.CredentialSupport;
import org.opensaml.xmlsec.encryption.EncryptedKey;
import org.opensaml.xmlsec.encryption.support.EncryptedKeyResolver;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.impl.SignatureImpl;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.wso2.carbon.CarbonConstants;
import org.wso2.carbon.identity.application.authentication.framework.config.builder.FileBasedConfigurationBuilder;
import org.wso2.carbon.identity.application.authentication.framework.config.model.AuthenticatorConfig;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationRequest;
import org.wso2.carbon.identity.application.authenticator.samlsso.SAMLSSOAuthenticator;
import org.wso2.carbon.identity.application.authenticator.samlsso.artifact.SAMLSSOArtifactResolutionService;
import org.wso2.carbon.identity.application.authenticator.samlsso.exception.ArtifactResolutionException;
import org.wso2.carbon.identity.application.authenticator.samlsso.exception.SAMLSSOException;
import org.wso2.carbon.identity.application.authenticator.samlsso.internal.SAMLSSOAuthenticatorServiceDataHolder;
import org.wso2.carbon.identity.application.authenticator.samlsso.util.SSOConstants;
import org.wso2.carbon.identity.application.authenticator.samlsso.util.SSOErrorConstants;
import org.wso2.carbon.identity.application.authenticator.samlsso.util.SSOUtils;
import org.wso2.carbon.identity.application.common.model.CertificateInfo;
import org.wso2.carbon.identity.application.common.model.ClaimMapping;
import org.wso2.carbon.identity.application.common.model.IdentityProvider;
import org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil;
import org.wso2.carbon.identity.core.ServiceURLBuilder;
import org.wso2.carbon.identity.core.URLBuilderException;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.saml.common.util.SAMLInitializer;
import org.wso2.carbon.user.api.UserStoreException;

/* loaded from: input_file:org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.class */
public class DefaultSAML2SSOManager implements SAML2SSOManager {
    /** Authenticator parameter: when true, outbound redirect-binding messages are signed with the super tenant's key (see buildRequest). */
    private static final String SIGN_AUTH2_SAML_USING_SUPER_TENANT = "SignAuth2SAMLUsingSuperTenant";
    /** IdP property / authenticator parameter naming the NameID format requested in NameIDPolicy (see buildAuthnRequest). */
    private static final String NAME_ID_TYPE = "NameIDType";
    private static final Log log = LogFactory.getLog(DefaultSAML2SSOManager.class);
    /** True once OpenSAML has been initialised by doBootstrap(); plain static, neither volatile nor synchronised. */
    private static boolean bootStrapped = false;
    // NOTE(review): non-final statics. Nothing in the visible part of the file reassigns them; they could be
    // made final once the rest of the class has been checked.
    private static String DEFAULT_MULTI_ATTRIBUTE_SEPARATOR = ",";
    private static String MULTI_ATTRIBUTE_SEPARATOR = "MultiAttributeSeparator";
    private static final String VERIFY_ASSERTION_ISSUER = "VerifyAssertionIssuer";
    private static final String BEGIN_CERTIFICATE = "-----BEGIN CERTIFICATE-----";
    private static final String END_CERTIFICATE = "-----END CERTIFICATE-----";
    /** Federated IdP this manager serves; null until init() is called. */
    private IdentityProvider identityProvider = null;
    /** IdP authenticator properties read by the request builders (e.g. "SignatureAlgorithm", "IncludeCert", "ACSUrl"). */
    private Map<String, String> properties;
    /** Tenant domain supplied to init(); handed to the artifact resolution service. */
    private String tenantDomain;

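    /**
     * Initialises the OpenSAML library once per JVM, with this bundle's class loader as the thread
     * context loader for the duration of the call (restored afterwards even on failure).
     *
     * On InitializationException the error is logged and {@code bootStrapped} stays false, so the next
     * caller retries. NOTE(review): the flag is a plain static checked and set without synchronisation,
     * so concurrent first callers may both run the initialiser; harmless only if
     * {@code SAMLInitializer.doBootstrap()} is idempotent.
     */
    public static void doBootstrap() {
        if (bootStrapped) {
            return;
        }
        Thread currentThread = Thread.currentThread();
        ClassLoader originalLoader = currentThread.getContextClassLoader();
        // Class literal instead of instantiating a throw-away manager just to reach its class loader.
        currentThread.setContextClassLoader(DefaultSAML2SSOManager.class.getClassLoader());
        try {
            SAMLInitializer.doBootstrap();
            bootStrapped = true;
        } catch (InitializationException e) {
            log.error("Error in bootstrapping the OpenSAML3 library", e);
        } finally {
            currentThread.setContextClassLoader(originalLoader);
        }
    }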

    /**
     * Binds this manager to a tenant, a property map and the federated IdP it will talk to.
     * Values are stored as given; no validation happens here.
     *
     * @param str              tenant domain
     * @param map              IdP authenticator properties
     * @param identityProvider the federated IdP configuration
     */
    @Override // org.wso2.carbon.identity.application.authenticator.samlsso.manager.SAML2SSOManager
    public void init(String str, Map<String, String> map, IdentityProvider identityProvider) throws SAMLSSOException {
        this.properties = map;
        this.identityProvider = identityProvider;
        this.tenantDomain = str;
    }

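    /**
     * Builds the HTTP-Redirect binding URL for an outbound AuthnRequest (or a LogoutRequest when {@code z} is true).
     *
     * @param httpServletRequest    inbound request; the original SAMLRequest (if any) is taken from it or from the
     *                              context's saved query string so that its Extensions can be forwarded
     * @param z                     true to build a LogoutRequest from the session's logout attributes, false for an AuthnRequest
     * @param z2                    IsPassive flag for the AuthnRequest (unused for logout)
     * @param str                   IdP endpoint URL; the SAMLRequest/RelayState/Signature query string is appended to it
     * @param authenticationContext framework context; its identifier becomes the RelayState
     * @return the endpoint URL with the encoded SAMLRequest, RelayState and (when configured) a query-string signature
     * @throws SAMLSSOException if the RelayState cannot be URL-encoded, or message building/signing fails
     */
    @Override // org.wso2.carbon.identity.application.authenticator.samlsso.manager.SAML2SSOManager
    public String buildRequest(HttpServletRequest httpServletRequest, boolean z, boolean z2, String str, AuthenticationContext authenticationContext) throws SAMLSSOException {
        doBootstrap();
        String relayState = authenticationContext.getContextIdentifier();
        // If the inbound SAMLRequest is not a request parameter, recover it from the context's saved query
        // string and expose it as a request attribute for getSAMLExtensions(HttpServletRequest).
        if (httpServletRequest.getParameter(SSOConstants.HTTP_POST_PARAM_SAML2_AUTH_REQ) == null) {
            String queryParams = authenticationContext.getQueryParams();
            if (queryParams != null) {
                for (String pair : queryParams.split("&")) {
                    // Split on the FIRST '=' only. An unlimited split("=") dropped trailing base64 '=' padding
                    // and skipped any value that itself contained '=' (3+ parts), silently losing the request.
                    String[] kv = pair.split("=", 2);
                    if (kv.length == 2 && SSOConstants.HTTP_POST_PARAM_SAML2_AUTH_REQ.equals(kv[0])
                            && !kv[1].isEmpty()) {
                        httpServletRequest.setAttribute(SSOConstants.HTTP_POST_PARAM_SAML2_AUTH_REQ, kv[1]);
                        break;
                    }
                }
            }
        }
        RequestAbstractType samlMessage;
        if (z) {
            samlMessage = buildLogoutRequest(
                    (String) httpServletRequest.getSession().getAttribute(SSOConstants.LOGOUT_USERNAME),
                    (String) httpServletRequest.getSession().getAttribute(SSOConstants.LOGOUT_SESSION_INDEX), str,
                    (String) httpServletRequest.getSession().getAttribute(SSOConstants.NAME_QUALIFIER),
                    (String) httpServletRequest.getSession().getAttribute(SSOConstants.SP_NAME_QUALIFIER),
                    (String) httpServletRequest.getSession().getAttribute(SSOConstants.NAME_ID_FORMAT),
                    authenticationContext);
        } else {
            samlMessage = buildAuthnRequest(httpServletRequest, z2, str, authenticationContext);
        }
        StringBuilder query = new StringBuilder("SAMLRequest=" + encodeRequestMessage(samlMessage));
        try {
            query.append("&RelayState=" + URLEncoder.encode(relayState, "UTF-8").trim());
            boolean signMessage = z ? SSOUtils.isLogoutRequestSigned(this.properties)
                    : SSOUtils.isAuthnRequestSigned(this.properties);
            if (signMessage) {
                String algorithmName = this.properties.get("SignatureAlgorithm");
                if (StringUtils.isEmpty(algorithmName)) {
                    // NOTE(review): the unconfigured fallback is SHA-1 based; a SHA-256 entry from
                    // getXMLSignatureAlgorithms() would be the modern default, but silently changing it
                    // may break existing IdP trust setups, so it is left as is.
                    algorithmName = "RSA with SHA1";
                }
                String signatureAlgorithmUri = (String) IdentityApplicationManagementUtil.getXMLSignatureAlgorithms().get(algorithmName);
                // Server-level switch: sign with the super tenant's key instead of the current tenant's.
                boolean signWithSuperTenant = false;
                Map parameterMap = FileBasedConfigurationBuilder.getInstance().getAuthenticatorBean(SSOConstants.AUTHENTICATOR_NAME).getParameterMap();
                if (parameterMap.size() > 0) {
                    signWithSuperTenant = Boolean.parseBoolean((String) parameterMap.get(SIGN_AUTH2_SAML_USING_SUPER_TENANT));
                }
                String signingTenant = signWithSuperTenant ? "carbon.super" : authenticationContext.getTenantDomain();
                SSOUtils.addSignatureToHTTPQueryString(query, signatureAlgorithmUri, new X509CredentialImpl(signingTenant, (String) null));
            }
            String separator = str.indexOf("?") > -1 ? "&" : "?";
            return str.concat(separator).concat(query.toString());
        } catch (UnsupportedEncodingException e) {
            throw new SAMLSSOException(SSOErrorConstants.ErrorMessages.URL_ENCODING_RELAY_STATE.getCode(), SSOErrorConstants.ErrorMessages.URL_ENCODING_RELAY_STATE.getMessage(), e);
        }
    }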

    /**
     * Builds the HTTP-POST binding payload: the AuthnRequest (or LogoutRequest when {@code z} is true),
     * XML-signed when the IdP configuration asks for it, marshalled and base64-encoded.
     *
     * @param httpServletRequest    inbound request (source of the logout session attributes / inbound Extensions)
     * @param z                     true for a LogoutRequest, false for an AuthnRequest
     * @param z2                    IsPassive flag for the AuthnRequest (unused for logout)
     * @param str                   Destination (IdP endpoint URL)
     * @param authenticationContext framework context; its tenant domain selects the signing credential
     * @return base64-encoded XML for the SAMLRequest form field
     * @throws SAMLSSOException if building, signing or marshalling fails
     */
    public String buildPostRequest(HttpServletRequest httpServletRequest, boolean z, boolean z2, String str, AuthenticationContext authenticationContext) throws SAMLSSOException {
        doBootstrap();
        // Algorithm names are looked up in the management util's tables; unconfigured values fall back to the
        // SHA-1 based entries. NOTE(review): SHA-1 defaults are weak by current standards; changing them
        // affects IdP interoperability, so they are only flagged here.
        String signatureAlgorithmName = this.properties.get("SignatureAlgorithm");
        if (StringUtils.isEmpty(signatureAlgorithmName)) {
            signatureAlgorithmName = "RSA with SHA1";
        }
        String signatureAlgorithmUri = (String) IdentityApplicationManagementUtil.getXMLSignatureAlgorithms().get(signatureAlgorithmName);
        String digestAlgorithmName = this.properties.get("DigestAlgorithm");
        if (StringUtils.isEmpty(digestAlgorithmName)) {
            digestAlgorithmName = "SHA1";
        }
        String digestAlgorithmUri = (String) IdentityApplicationManagementUtil.getXMLDigestAlgorithms().get(digestAlgorithmName);
        // "IncludeCert" defaults to true: the signing certificate is embedded unless explicitly disabled.
        String includeCertProperty = this.properties.get("IncludeCert");
        boolean includeCert = StringUtils.isEmpty(includeCertProperty) || Boolean.parseBoolean(includeCertProperty);
        RequestAbstractType samlMessage;
        boolean signMessage;
        if (z) {
            samlMessage = buildLogoutRequest(
                    (String) httpServletRequest.getSession().getAttribute(SSOConstants.LOGOUT_USERNAME),
                    (String) httpServletRequest.getSession().getAttribute(SSOConstants.LOGOUT_SESSION_INDEX), str,
                    (String) httpServletRequest.getSession().getAttribute(SSOConstants.NAME_QUALIFIER),
                    (String) httpServletRequest.getSession().getAttribute(SSOConstants.SP_NAME_QUALIFIER),
                    (String) httpServletRequest.getSession().getAttribute(SSOConstants.NAME_ID_FORMAT),
                    authenticationContext);
            signMessage = SSOUtils.isLogoutRequestSigned(this.properties);
        } else {
            samlMessage = buildAuthnRequest(httpServletRequest, z2, str, authenticationContext);
            signMessage = SSOUtils.isAuthnRequestSigned(this.properties);
        }
        if (signMessage) {
            SSOUtils.setSignature(samlMessage, signatureAlgorithmUri, digestAlgorithmUri, includeCert, new X509CredentialImpl(authenticationContext.getTenantDomain(), (String) null));
        }
        return SSOUtils.encode(SSOUtils.marshall(samlMessage));
    }

    /**
     * Entry point for an inbound SAML message from the IdP. Requests carrying the artifact-id parameter go
     * through artifact resolution; everything else is parsed from the SAML response parameter directly.
     *
     * @throws SAMLSSOException propagated from the chosen processing path
     */
    @Override // org.wso2.carbon.identity.application.authenticator.samlsso.manager.SAML2SSOManager
    public void processResponse(HttpServletRequest httpServletRequest) throws SAMLSSOException {
        doBootstrap();
        boolean artifactBinding = isSAMLArtifactResponse(httpServletRequest);
        if (!artifactBinding) {
            processSAMLResponse(httpServletRequest);
            return;
        }
        processArtifactResponse(httpServletRequest);
    }

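    /**
     * Resolves the artifact in the request against the IdP's artifact resolution service, verifies the
     * ArtifactResponse signature, and processes the embedded Response / LogoutResponse once its status is Success.
     *
     * Fix: the status check used to iterate every child of {@code <Status>} and run the embedded message once per
     * child; a StatusMessage or StatusDetail sibling hit a ClassCastException in getStatusCode(), and a Status
     * with no children was silently ignored (no error, no authentication). The typed StatusCode is used now,
     * the message is executed once, and a missing StatusCode is rejected.
     *
     * @throws SAMLSSOException if resolution fails, the status is not Success, or processing of the embedded message fails
     */
    private void processArtifactResponse(HttpServletRequest httpServletRequest) throws SAMLSSOException {
        try {
            ArtifactResponse artifactResponse = new SAMLSSOArtifactResolutionService(this.properties, this.tenantDomain)
                    .getSAMLArtifactResponse(httpServletRequest.getParameter(SSOConstants.HTTP_POST_PARAM_SAML2_ARTIFACT_ID));
            // Envelope signature; the embedded assertion is verified again in processSSOResponse.
            validateSignature(artifactResponse);
            for (XMLObject child : artifactResponse.getOrderedChildren()) {
                if (!(child instanceof Response) && !(child instanceof LogoutResponse)) {
                    continue;
                }
                validateResponseFormat(child);
                for (XMLObject element : child.getOrderedChildren()) {
                    if (!(element instanceof Status)) {
                        continue;
                    }
                    StatusCode statusCode = ((Status) element).getStatusCode();
                    if (statusCode == null || !SSOConstants.StatusCodes.SUCCESS_CODE.equals(getStatusCode(statusCode))) {
                        throw new SAMLSSOException(SSOErrorConstants.ErrorMessages.SAML_RESPONSE_STATUS_CODE_MISMATCHED_WITH_SUCCESS_CODE.getCode(), SSOErrorConstants.ErrorMessages.SAML_RESPONSE_STATUS_CODE_MISMATCHED_WITH_SUCCESS_CODE.getMessage());
                    }
                    executeSAMLReponse(httpServletRequest, child);
                }
            }
        } catch (ArtifactResolutionException e) {
            throw new SAMLSSOException(SSOErrorConstants.ErrorMessages.ARTIFACT_RESPONSE_RESOLUTION_FAILED.getCode(), SSOErrorConstants.ErrorMessages.ARTIFACT_RESPONSE_RESOLUTION_FAILED.getMessage(), e);
        }
    }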

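    /**
     * Parses the base64-encoded SAML response parameter (HTTP-POST binding) and hands the message to
     * executeSAMLReponse().
     *
     * Fix: a missing parameter previously surfaced as a NullPointerException from getBytes(), and the
     * base64 bytes / decoded XML went through the platform default charset; both now use UTF-8 explicitly.
     *
     * @throws SAMLSSOException if the parameter is absent or blank, format validation fails, or processing fails
     */
    private void processSAMLResponse(HttpServletRequest httpServletRequest) throws SAMLSSOException {
        String encodedResponse = httpServletRequest.getParameter(SSOConstants.HTTP_POST_PARAM_SAML2_RESP);
        if (StringUtils.isBlank(encodedResponse)) {
            throw new SAMLSSOException("SAML response parameter (" + SSOConstants.HTTP_POST_PARAM_SAML2_RESP + ") is missing from the request.");
        }
        byte[] xmlBytes = Base64.decodeBase64(encodedResponse.getBytes(java.nio.charset.StandardCharsets.UTF_8));
        String xml = new String(xmlBytes, java.nio.charset.StandardCharsets.UTF_8);
        // NOTE(review): DTD/XXE hardening of the parser is SSOUtils.unmarshall's responsibility; not visible here.
        XMLObject samlObject = SSOUtils.unmarshall(xml);
        validateResponseFormat(samlObject);
        executeSAMLReponse(httpServletRequest, samlObject);
    }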

    /**
     * Routes a parsed SAML protocol message by type: Response -> processSSOResponse, LogoutResponse -> doSLO.
     *
     * @throws SAMLSSOException if the object is neither, or the selected handler fails
     */
    private void executeSAMLReponse(HttpServletRequest httpServletRequest, XMLObject xMLObject) throws SAMLSSOException {
        if (xMLObject instanceof Response) {
            processSSOResponse(httpServletRequest, (Response) xMLObject);
            return;
        }
        if (xMLObject instanceof LogoutResponse) {
            doSLO(httpServletRequest);
            return;
        }
        throw new SAMLSSOException(SSOErrorConstants.ErrorMessages.UNABLE_TO_PROCESS_SAML_OBJECT_TYPE.getCode(), SSOErrorConstants.ErrorMessages.UNABLE_TO_PROCESS_SAML_OBJECT_TYPE.getMessage());
    }

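    /**
     * Returns the value of a status-code element, descending one level when the element has a nested child
     * (a top-level StatusCode wrapping a second-level one).
     *
     * Fix: the element (or its first child) is checked with {@code instanceof} before the cast; previously a
     * StatusMessage / StatusDetail passed in here raised a ClassCastException. Callers compare the result with the
     * Success URI, so null simply reads as "not success".
     *
     * @return the status code URI, or null when neither the element nor its first child is a StatusCode
     */
    private String getStatusCode(XMLObject xMLObject) {
        XMLObject candidate = xMLObject.hasChildren() ? xMLObject.getOrderedChildren().get(0) : xMLObject;
        return candidate instanceof StatusCode ? ((StatusCode) candidate).getValue() : null;
    }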

    /** True when the request carries the artifact-id parameter, i.e. the IdP used the HTTP-Artifact binding. */
    private boolean isSAMLArtifactResponse(HttpServletRequest httpServletRequest) {
        String artifactId = httpServletRequest.getParameter(SSOConstants.HTTP_POST_PARAM_SAML2_ARTIFACT_ID);
        return artifactId != null;
    }

    /**
     * Re-parses the SAMLRequest the SP originally received (kept in the framework's AuthenticationRequest)
     * so that its RequestedAuthnContext can be mirrored to the federated IdP.
     *
     * @return the parsed AuthnRequest, or null when the parameter is absent or the message is not an AuthnRequest
     * @throws SAMLSSOException if decoding or format validation fails
     */
    protected AuthnRequest getAuthnRequest(AuthenticationContext authenticationContext) throws SAMLSSOException {
        AuthenticationRequest authenticationRequest = authenticationContext.getAuthenticationRequest();
        String[] values = authenticationRequest.getRequestQueryParam(SSOConstants.HTTP_POST_PARAM_SAML2_AUTH_REQ);
        if (values == null || values.length == 0) {
            return null;
        }
        // The decoder depends on the binding the request arrived with (POST vs. redirect).
        String encoded = values[0];
        String decoded = authenticationRequest.isPost() ? SSOUtils.decodeForPost(encoded) : SSOUtils.decode(encoded);
        XMLObject samlObject = SSOUtils.unmarshall(decoded);
        validateResponseFormat(samlObject);
        return samlObject instanceof AuthnRequest ? (AuthnRequest) samlObject : null;
    }

    /**
     * Extracts the {@code <Extensions>} element of the inbound SAMLRequest (request parameter, or the request
     * attribute buildRequest() stored) so it can be copied onto the outbound AuthnRequest.
     * Best-effort: any failure is logged at debug level and null is returned.
     *
     * NOTE(review): the extension DOM is forwarded to the IdP as received from the caller; confirm the inbound
     * request's signature/origin is verified elsewhere in the SP flow before its content is trusted.
     *
     * @return a fresh saml2p:Extensions wrapping the inbound DOM, or null if there is none
     */
    protected Extensions getSAMLExtensions(HttpServletRequest httpServletRequest) {
        try {
            String encodedRequest = httpServletRequest.getParameter(SSOConstants.HTTP_POST_PARAM_SAML2_AUTH_REQ);
            if (encodedRequest == null) {
                encodedRequest = (String) httpServletRequest.getAttribute(SSOConstants.HTTP_POST_PARAM_SAML2_AUTH_REQ);
                if (encodedRequest == null) {
                    return null;
                }
            }
            boolean isPost = "POST".equals(httpServletRequest.getMethod());
            String decoded = isPost ? SSOUtils.decodeForPost(encodedRequest) : SSOUtils.decode(encodedRequest);
            XMLObject samlObject = SSOUtils.unmarshall(decoded);
            validateResponseFormat(samlObject);
            if (!(samlObject instanceof AuthnRequest)) {
                return null;
            }
            Extensions inbound = ((AuthnRequest) samlObject).getExtensions();
            if (inbound == null) {
                return null;
            }
            Extensions outbound = new ExtensionsBuilder().buildObject("urn:oasis:names:tc:SAML:2.0:protocol", "Extensions", "saml2p");
            outbound.setDOM(inbound.getDOM());
            return outbound;
        } catch (Exception e) {
            log.debug("Error while loading SAML Extensions", e);
            return null;
        }
    }

    /**
     * Copies the {@code <Extensions>} of an already-parsed AuthnRequest into a fresh saml2p:Extensions object.
     *
     * @return the copy, or null when the request has no Extensions
     */
    protected Extensions getSAMLExtensions(AuthnRequest authnRequest) {
        Extensions inbound = authnRequest.getExtensions();
        if (inbound == null) {
            return null;
        }
        Extensions copy = new ExtensionsBuilder().buildObject("urn:oasis:names:tc:SAML:2.0:protocol", "Extensions", "saml2p");
        copy.setDOM(inbound.getDOM());
        return copy;
    }

    /**
     * Handles an inbound single-logout message. The message is taken from the SAMLRequest parameter when
     * present, otherwise from the SAML response parameter; both are plain base64. A LogoutResponse invalidates
     * the local HTTP session; a LogoutRequest is parsed but not acted upon here.
     *
     * NOTE(review): no signature check on the logout message is visible in this method or on the
     * non-artifact path into it (processSAMLResponse -> executeSAMLReponse -> doSLO). Unless
     * validateResponseFormat() covers it, an unsigned LogoutResponse posted through the user's browser
     * terminates the session. Confirm where the logout signature (and InResponseTo) is verified.
     *
     * @throws SAMLSSOException if the message is neither a LogoutRequest nor a LogoutResponse
     */
    public void doSLO(HttpServletRequest httpServletRequest) throws SAMLSSOException {
        doBootstrap();
        XMLObject xMLObject = null;
        if (httpServletRequest.getParameter(SSOConstants.HTTP_POST_PARAM_SAML2_AUTH_REQ) != null) {
            // Decoded with the platform default charset (no explicit charset on getBytes()/new String()).
            xMLObject = SSOUtils.unmarshall(new String(Base64.decodeBase64(httpServletRequest.getParameter(SSOConstants.HTTP_POST_PARAM_SAML2_AUTH_REQ).getBytes())));
        }
        if (xMLObject == null) {
            // Reached when no SAMLRequest parameter was present; a missing response parameter then
            // raises a NullPointerException from getBytes() rather than a SAMLSSOException.
            xMLObject = SSOUtils.unmarshall(new String(Base64.decodeBase64(httpServletRequest.getParameter(SSOConstants.HTTP_POST_PARAM_SAML2_RESP).getBytes())));
        }
        validateResponseFormat(xMLObject);
        if (xMLObject instanceof LogoutRequest) {
            // The session index is read and discarded: this branch performs no logout. It also throws
            // IndexOutOfBoundsException when the request carries no <SessionIndex>.
            ((SessionIndex) ((LogoutRequest) xMLObject).getSessionIndexes().get(0)).getSessionIndex();
        } else {
            if (!(xMLObject instanceof LogoutResponse)) {
                throw new SAMLSSOException(SSOErrorConstants.ErrorMessages.INVALID_SINGLE_LOGOUT_SAML_REQUEST.getCode(), SSOErrorConstants.ErrorMessages.INVALID_SINGLE_LOGOUT_SAML_REQUEST.getMessage());
            }
            // Logout acknowledged by the IdP: drop the local session.
            httpServletRequest.getSession().invalidate();
        }
    }

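    /**
     * Validates the IdP's {@code <Response>} and copies the authenticated subject into the HTTP session.
     *
     * Flow: pick the first assertion (decrypting it when assertion encryption is configured), run the
     * issuer / validity-period / audience / signature checks via the validate*() helpers, then store the
     * subject NameID, the attribute statements, the AuthnContextClassRefs and — when SLO is enabled — the
     * IdP session index and NameID qualifiers in the session.
     *
     * Fix: the "not NoPassive" / "not Responder" failures were thrown from inside
     * {@code log.isDebugEnabled()} guards, so which exception was raised depended on the log level. The
     * reason is now only logged and the coded SAML_ASSERTION_NOT_FOUND_IN_RESPONSE exception is thrown
     * regardless of logging. An assertion without any AuthnStatement no longer throws
     * IndexOutOfBoundsException when SLO is enabled; it is reported as a missing session index instead.
     *
     * @param httpServletRequest inbound request; the AuthenticationContext is read from its attributes
     * @param response           the parsed, format-validated Response
     * @throws SAMLSSOException when no usable assertion is present (other than a Responder/NoPassive status),
     *                          decryption fails, a validation fails, the subject is missing, or SLO is enabled
     *                          but no session index is available
     */
    private void processSSOResponse(HttpServletRequest httpServletRequest, Response response) throws SAMLSSOException {
        Assertion assertion = extractAssertion(response);
        if (assertion == null) {
            // Returns normally only for a Responder/NoPassive status; every other case throws.
            handleMissingAssertion(response);
            return;
        }
        // NOTE(review): only the first assertion is examined, and no InResponseTo, Destination or
        // SubjectConfirmationData (Recipient / NotOnOrAfter) check is visible in this method. Confirm the
        // validate*() helpers or validateResponseFormat() cover them; otherwise an unsolicited or replayed
        // (still signed and unexpired) response is accepted here.
        validateAssertionIssuer(assertion);
        validateAssertionValidityPeriod(assertion);
        validateAudienceRestriction(assertion, getIssuer((AuthenticationContext) httpServletRequest.getAttribute(SAMLSSOAuthenticator.AUTHENTICATION_CONTEXT)));
        validateSignature(response, assertion);
        NameID nameId = assertion.getSubject() != null ? assertion.getSubject().getNameID() : null;
        String subjectName = nameId != null ? nameId.getValue() : null;
        if (subjectName == null) {
            throw new SAMLSSOException(SSOErrorConstants.ErrorMessages.SUBJECT_NAME_NOT_FOUND_IN_RESPONSE.getCode(), SSOErrorConstants.ErrorMessages.SUBJECT_NAME_NOT_FOUND_IN_RESPONSE.getMessage());
        }
        httpServletRequest.getSession().setAttribute("username", subjectName);
        // getSession() above guarantees a session exists, so getSession(false) cannot return null here.
        httpServletRequest.getSession(false).setAttribute("samlssoAttributes", getAssertionStatements(assertion));
        storeAuthnContextClassRefs(httpServletRequest, assertion);
        if (SSOUtils.isLogoutEnabled(this.properties)) {
            storeLogoutAttributes(httpServletRequest, assertion, nameId);
        }
    }

    /**
     * Selects the assertion to process: the first EncryptedAssertion (decrypted) when assertion encryption is
     * configured — plaintext assertions are deliberately ignored in that mode so the IdP side cannot downgrade —
     * otherwise the first plaintext Assertion.
     *
     * @return the assertion, or null when the response carries none of the expected kind
     * @throws SAMLSSOException if decryption fails
     */
    private Assertion extractAssertion(Response response) throws SAMLSSOException {
        if (SSOUtils.isAssertionEncryptionEnabled(this.properties)) {
            List<EncryptedAssertion> encryptedAssertions = response.getEncryptedAssertions();
            if (CollectionUtils.isEmpty(encryptedAssertions)) {
                return null;
            }
            try {
                return getDecryptedAssertion(encryptedAssertions.get(0));
            } catch (Exception e) {
                throw new SAMLSSOException(SSOErrorConstants.ErrorMessages.UNABLE_TO_DECRYPT_THE_SAML_ASSERTION.getCode(), SSOErrorConstants.ErrorMessages.UNABLE_TO_DECRYPT_THE_SAML_ASSERTION.getMessage(), e);
            }
        }
        List<Assertion> assertions = response.getAssertions();
        return CollectionUtils.isNotEmpty(assertions) ? assertions.get(0) : null;
    }

    /**
     * Decides what to do with a response that has no assertion. A Responder status with a nested NoPassive
     * code means the IdP could not satisfy a passive request, which is not an error. Every other status is
     * explained at debug level and rejected with the coded "assertion not found" exception.
     */
    private void handleMissingAssertion(Response response) throws SAMLSSOException {
        Status status = response.getStatus();
        StatusCode topLevelCode = status != null ? status.getStatusCode() : null;
        if (topLevelCode == null) {
            if (log.isDebugEnabled()) {
                log.debug("SAML Response status or the status code is null.");
            }
        } else if (SSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR.equals(topLevelCode.getValue())) {
            StatusCode nestedCode = topLevelCode.getStatusCode();
            if (nestedCode == null) {
                if (log.isDebugEnabled()) {
                    log.debug("SAML Response status code object is null.");
                }
            } else if (SSOConstants.StatusCodes.NO_PASSIVE.equals(nestedCode.getValue())) {
                return;
            } else if (log.isDebugEnabled()) {
                log.debug("SAML Response status code object value is: " + nestedCode.getValue() + ".");
            }
        } else if (log.isDebugEnabled()) {
            log.debug("SAML Response status code value is: " + topLevelCode.getValue() + ".");
        }
        throw new SAMLSSOException(SSOErrorConstants.ErrorMessages.SAML_ASSERTION_NOT_FOUND_IN_RESPONSE.getCode(), SSOErrorConstants.ErrorMessages.SAML_ASSERTION_NOT_FOUND_IN_RESPONSE.getMessage());
    }

    /**
     * Collects every non-blank AuthnContextClassRef from the assertion's AuthnStatements and, if any were found,
     * stores them together with the assertion issuer ("IdPEntityId") in the session under AUTHN_CONTEXT_CLASS_REF.
     */
    private void storeAuthnContextClassRefs(HttpServletRequest httpServletRequest, Assertion assertion) {
        if (assertion.getAuthnStatements() == null) {
            return;
        }
        List<String> classRefs = new ArrayList<String>();
        for (AuthnStatement authnStatement : assertion.getAuthnStatements()) {
            AuthnContextClassRef classRef = authnStatement.getAuthnContext() != null
                    ? authnStatement.getAuthnContext().getAuthnContextClassRef() : null;
            if (classRef == null || StringUtils.isBlank(classRef.getAuthnContextClassRef())) {
                continue;
            }
            if (log.isDebugEnabled()) {
                log.debug("Received AuthnContextClassRef: " + classRef.getAuthnContextClassRef());
            }
            classRefs.add(classRef.getAuthnContextClassRef());
        }
        if (classRefs.isEmpty()) {
            return;
        }
        Map<String, Object> authnContextInfo = new HashMap<String, Object>();
        authnContextInfo.put(SSOConstants.AUTHN_CONTEXT_CLASS_REF, classRefs);
        authnContextInfo.put("IdPEntityId", assertion.getIssuer().getValue());
        httpServletRequest.getSession().setAttribute(SSOConstants.AUTHN_CONTEXT_CLASS_REF, authnContextInfo);
    }

    /**
     * Stores what a later LogoutRequest needs: the IdP session index from the first AuthnStatement and the
     * NameID qualifiers/format of the subject.
     *
     * @throws SAMLSSOException if there is no AuthnStatement or it carries no SessionIndex
     */
    private void storeLogoutAttributes(HttpServletRequest httpServletRequest, Assertion assertion, NameID nameId) throws SAMLSSOException {
        List<AuthnStatement> authnStatements = assertion.getAuthnStatements();
        String sessionIndex = CollectionUtils.isNotEmpty(authnStatements) ? authnStatements.get(0).getSessionIndex() : null;
        if (sessionIndex == null) {
            throw new SAMLSSOException(SSOErrorConstants.ErrorMessages.IDP_SESSION_ID_NOT_FOUND_FOR_SLO.getCode(), SSOErrorConstants.ErrorMessages.IDP_SESSION_ID_NOT_FOUND_FOR_SLO.getMessage());
        }
        httpServletRequest.getSession().setAttribute(SSOConstants.IDP_SESSION, sessionIndex);
        httpServletRequest.getSession().setAttribute(SSOConstants.NAME_QUALIFIER, nameId.getNameQualifier());
        httpServletRequest.getSession().setAttribute(SSOConstants.SP_NAME_QUALIFIER, nameId.getSPNameQualifier());
        httpServletRequest.getSession().setAttribute(SSOConstants.NAME_ID_FORMAT, nameId.getFormat());
    }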

    /**
     * Builds an (unsigned) LogoutRequest for the IdP, valid for five minutes from now.
     *
     * @param str                   NameID value (the user name stored at login)
     * @param str2                  IdP session index; a random UUID is substituted when none is known
     * @param str3                  Destination (IdP SLO endpoint)
     * @param str4                  NameQualifier stored at login (may be null)
     * @param str5                  SPNameQualifier stored at login (may be null)
     * @param str6                  NameID format stored at login; blank falls back to "unspecified" unless
     *                              IncludeNameIDPolicy is explicitly false
     * @param authenticationContext context used to resolve the SP issuer ("carbonServer" when none)
     * @return the populated LogoutRequest
     * @throws SAMLSSOException propagated from getIssuer()
     */
    protected LogoutRequest buildLogoutRequest(String str, String str2, String str3, String str4, String str5, String str6, AuthenticationContext authenticationContext) throws SAMLSSOException {
        LogoutRequest logoutRequest = new LogoutRequestBuilder().buildObject();
        logoutRequest.setID(SSOUtils.createID());
        logoutRequest.setDestination(str3);
        DateTime now = new DateTime();
        logoutRequest.setIssueInstant(now);
        // Five-minute validity window.
        logoutRequest.setNotOnOrAfter(new DateTime(now.getMillis() + 300000));
        Issuer issuer = new IssuerBuilder().buildObject();
        String issuerValue = getIssuer(authenticationContext);
        issuer.setValue(StringUtils.isEmpty(issuerValue) ? "carbonServer" : issuerValue);
        logoutRequest.setIssuer(issuer);
        NameID nameId = new NameIDBuilder().buildObject();
        if (StringUtils.isNotBlank(str6)) {
            nameId.setFormat(str6);
        } else {
            String includeNameIdPolicy = this.properties.get("IncludeNameIDPolicy");
            if (StringUtils.isBlank(includeNameIdPolicy) || Boolean.parseBoolean(includeNameIdPolicy)) {
                nameId.setFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
            }
        }
        nameId.setValue(str);
        nameId.setNameQualifier(str4);
        nameId.setSPNameQualifier(str5);
        logoutRequest.setNameID(nameId);
        // NOTE(review): a random UUID stands in when no IdP session index is known; the IdP will not be able to
        // match it to a session, so such a request is unlikely to log anything out on the IdP side.
        SessionIndex sessionIndex = new SessionIndexBuilder().buildObject();
        sessionIndex.setSessionIndex(str2 != null ? str2 : UUID.randomUUID().toString());
        logoutRequest.getSessionIndexes().add(sessionIndex);
        logoutRequest.setReason("Single Logout");
        return logoutRequest;
    }

    /**
     * Builds the AuthnRequest sent to the federated IdP.
     *
     * Populated from the IdP properties: ProtocolBinding (on unless IncludeProtocolBinding is false), the
     * AssertionConsumerService URL (getAcsUrl), AttributeConsumingServiceIndex, an optional NameIDPolicy, the
     * RequestedAuthnContext mirrored from the original inbound request, and its Extensions.
     *
     * @param httpServletRequest    inbound request (source of the inbound Extensions)
     * @param z                     IsPassive flag
     * @param str                   Destination (IdP SSO endpoint)
     * @param authenticationContext context; supplies ForceAuthn, the issuer and the original AuthnRequest
     * @return the populated, unsigned AuthnRequest
     * @throws SAMLSSOException if the ACS URL or the inbound request cannot be resolved
     */
    protected AuthnRequest buildAuthnRequest(HttpServletRequest httpServletRequest, boolean z, String str, AuthenticationContext authenticationContext) throws SAMLSSOException {
        String issuerValue = getIssuer(authenticationContext);
        Issuer issuer = new IssuerBuilder().buildObject("urn:oasis:names:tc:SAML:2.0:assertion", "Issuer", "samlp");
        issuer.setValue(StringUtils.isEmpty(issuerValue) ? "carbonServer" : issuerValue);
        AuthnRequest authnRequest = new AuthnRequestBuilder().buildObject("urn:oasis:names:tc:SAML:2.0:protocol", "AuthnRequest", "samlp");
        authnRequest.setForceAuthn(Boolean.valueOf(isForceAuthenticate(authenticationContext)));
        authnRequest.setIsPassive(Boolean.valueOf(z));
        authnRequest.setIssueInstant(new DateTime());
        String includeProtocolBinding = this.properties.get("IncludeProtocolBinding");
        if (StringUtils.isEmpty(includeProtocolBinding) || Boolean.parseBoolean(includeProtocolBinding)) {
            authnRequest.setProtocolBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
        }
        AuthenticatorConfig authenticatorConfig = (AuthenticatorConfig) FileBasedConfigurationBuilder.getInstance().getAuthenticatorConfigMap().get(SSOConstants.AUTHENTICATOR_NAME);
        authnRequest.setAssertionConsumerServiceURL(getAcsUrl(authenticatorConfig));
        authnRequest.setIssuer(issuer);
        authnRequest.setID(SSOUtils.createID());
        authnRequest.setVersion(SAMLVersion.VERSION_20);
        authnRequest.setDestination(str);
        String acsIndex = this.properties.get("AttributeConsumingServiceIndex");
        if (StringUtils.isNotEmpty(acsIndex)) {
            try {
                authnRequest.setAttributeConsumingServiceIndex(Integer.valueOf(acsIndex));
            } catch (NumberFormatException e) {
                // A non-numeric index is logged and skipped; the request is still sent without it.
                log.error("Error while populating SAMLRequest with AttributeConsumingServiceIndex: " + acsIndex, e);
            }
        }
        // NameIDPolicy is opt-in via IncludeNameIDPolicy, or on-by-default when the server-level
        // SSOService.SAML2AuthnRequestNameIdPolicyDefinedIfUnspecified switch is set.
        String includeNameIdPolicy = this.properties.get("IncludeNameIDPolicy");
        boolean onByDefault = Boolean.parseBoolean(IdentityUtil.getProperty("SSOService.SAML2AuthnRequestNameIdPolicyDefinedIfUnspecified"));
        boolean includePolicy = onByDefault
                ? (StringUtils.isEmpty(includeNameIdPolicy) || Boolean.parseBoolean(includeNameIdPolicy))
                : Boolean.parseBoolean(includeNameIdPolicy);
        if (includePolicy) {
            NameIDPolicy nameIdPolicy = new NameIDPolicyBuilder().buildObject();
            // Format fallback chain: IdP property -> authenticator parameter -> "unspecified"; the last two
            // steps only apply when an authenticator config exists.
            String nameIdFormat = this.properties.get(NAME_ID_TYPE);
            if (StringUtils.isBlank(nameIdFormat) && authenticatorConfig != null) {
                nameIdFormat = (String) authenticatorConfig.getParameterMap().get(NAME_ID_TYPE);
                if (StringUtils.isBlank(nameIdFormat)) {
                    nameIdFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";
                }
            }
            nameIdPolicy.setFormat(nameIdFormat);
            if (StringUtils.isNotEmpty(issuerValue)) {
                nameIdPolicy.setSPNameQualifier(issuerValue);
            }
            nameIdPolicy.setAllowCreate(true);
            authnRequest.setNameIDPolicy(nameIdPolicy);
        }
        RequestedAuthnContext requestedAuthnContext = buildRequestedAuthnContext(getAuthnRequest(authenticationContext));
        if (requestedAuthnContext != null) {
            authnRequest.setRequestedAuthnContext(requestedAuthnContext);
        }
        Extensions extensions = getSAMLExtensions(httpServletRequest);
        if (extensions != null) {
            authnRequest.setExtensions(extensions);
        }
        return authnRequest;
    }

    /**
     * Resolves the AssertionConsumerService URL advertised in the AuthnRequest, in priority order: the IdP's
     * "ACSUrl" property, the authenticator's SAML_SSO_ACS_URL parameter, then this server's public /commonauth URL.
     *
     * @param authenticatorConfig the authenticator configuration, or null when none is registered
     * @return the first non-empty candidate
     * @throws SAMLSSOException if the default server URL cannot be built
     */
    private String getAcsUrl(AuthenticatorConfig authenticatorConfig) throws SAMLSSOException {
        String acsUrl = this.properties.get("ACSUrl");
        if (StringUtils.isNotEmpty(acsUrl)) {
            if (log.isDebugEnabled()) {
                log.debug("Picking SAML acs URL from " + this.identityProvider.getIdentityProviderName() + " IDP's configuration: " + acsUrl);
            }
            return acsUrl;
        }
        if (authenticatorConfig != null) {
            String configuredUrl = (String) authenticatorConfig.getParameterMap().get(SSOConstants.ServerConfig.SAML_SSO_ACS_URL);
            if (StringUtils.isNotBlank(configuredUrl)) {
                if (log.isDebugEnabled()) {
                    log.debug("Picking SAML acs URL from application-authentication.xml: " + configuredUrl);
                }
                return configuredUrl;
            }
        }
        try {
            String defaultUrl = ServiceURLBuilder.create().addPath(new String[]{"commonauth"}).build().getAbsolutePublicURL();
            if (log.isDebugEnabled()) {
                log.debug("Falling back to default SAML acs URL of the server: " + defaultUrl);
            }
            return defaultUrl;
        } catch (URLBuilderException e) {
            throw new SAMLSSOException("Error while building the acs url.", (Throwable) e);
        }
    }

    /**
     * Builds the {@code RequestedAuthnContext} element for the outgoing AuthnRequest, driven by the
     * {@code IncludeAuthnContext} property.
     * <ul>
     *   <li>{@code as_request}: the DOM of the inbound request's RequestedAuthnContext is reused
     *       verbatim, so class references and comparison level are whatever the service provider sent;
     *       {@code null} when the inbound request carries none.</li>
     *   <li>unset or {@code yes}: built from the {@code AuthnContextClassRef} property (entries split by
     *       {@code DEFAULT_MULTI_ATTRIBUTE_SEPARATOR}; the marker entry
     *       {@code "Custom Authentication Context Class"} expands to {@code CustomAuthnContextClassRef});
     *       defaults to PasswordProtectedTransport when nothing is configured. The comparison level comes
     *       from {@code AuthnContextComparisonLevel}, defaulting to EXACT; an unrecognised value leaves it unset.</li>
     *   <li>any other value: {@code null}, i.e. the element is omitted.</li>
     * </ul>
     *
     * @param authnRequest the inbound AuthnRequest from the service provider; may be {@code null}
     * @return the element to set on the outgoing request, or {@code null} to omit it
     * @throws SAMLSSOException declared for subclasses; not thrown by this implementation
     */
    protected RequestedAuthnContext buildRequestedAuthnContext(AuthnRequest authnRequest) throws SAMLSSOException {
        String includeMode = this.properties.get("IncludeAuthnContext");
        if (StringUtils.isNotEmpty(includeMode) && "as_request".equalsIgnoreCase(includeMode)) {
            if (authnRequest == null || authnRequest.getRequestedAuthnContext() == null) {
                return null;
            }
            RequestedAuthnContext passthrough = new RequestedAuthnContextBuilder().buildObject();
            passthrough.setDOM(authnRequest.getRequestedAuthnContext().getDOM());
            return passthrough;
        }
        if (StringUtils.isNotEmpty(includeMode) && !"yes".equalsIgnoreCase(includeMode)) {
            return null;
        }

        RequestedAuthnContext requested = new RequestedAuthnContextBuilder().buildObject();
        AuthnContextClassRefBuilder refBuilder = new AuthnContextClassRefBuilder();
        List<AuthnContextClassRef> refs = requested.getAuthnContextClassRefs();
        String configuredClasses = this.properties.get(SSOConstants.AUTHN_CONTEXT_CLASS_REF);
        if (StringUtils.isBlank(configuredClasses)) {
            refs.add(buildAuthnContextClassRef(refBuilder, "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"));
        } else {
            for (String entry : configuredClasses.split(DEFAULT_MULTI_ATTRIBUTE_SEPARATOR)) {
                if ("Custom Authentication Context Class".equals(entry)) {
                    String customRefs = this.properties.get("CustomAuthnContextClassRef");
                    if (StringUtils.isNotEmpty(customRefs)) {
                        for (String customRef : customRefs.split(DEFAULT_MULTI_ATTRIBUTE_SEPARATOR)) {
                            refs.add(buildAuthnContextClassRef(refBuilder, customRef));
                        }
                    }
                } else {
                    // Display names map to URIs; anything unmapped is assumed to already be a URI.
                    String mapped = (String) IdentityApplicationManagementUtil.getSAMLAuthnContextClasses().get(entry);
                    refs.add(buildAuthnContextClassRef(refBuilder, StringUtils.isNotBlank(mapped) ? mapped : entry));
                }
            }
        }

        String comparisonLevel = this.properties.get("AuthnContextComparisonLevel");
        if (StringUtils.isEmpty(comparisonLevel)) {
            requested.setComparison(AuthnContextComparisonTypeEnumeration.EXACT);
        } else {
            AuthnContextComparisonTypeEnumeration[] known = {
                    AuthnContextComparisonTypeEnumeration.EXACT,
                    AuthnContextComparisonTypeEnumeration.MINIMUM,
                    AuthnContextComparisonTypeEnumeration.MAXIMUM,
                    AuthnContextComparisonTypeEnumeration.BETTER};
            for (AuthnContextComparisonTypeEnumeration candidate : known) {
                if (candidate.toString().equalsIgnoreCase(comparisonLevel)) {
                    requested.setComparison(candidate);
                    break;
                }
            }
        }
        return requested;
    }

    /**
     * Creates a {@code saml2:AuthnContextClassRef} element carrying the given class reference URI.
     *
     * @param authnContextClassRefBuilder builder used to instantiate the element
     * @param str                         the authentication context class reference value
     * @return the populated element
     */
    private AuthnContextClassRef buildAuthnContextClassRef(AuthnContextClassRefBuilder authnContextClassRefBuilder, String str) {
        AuthnContextClassRef classRef = authnContextClassRefBuilder.buildObject(
                "urn:oasis:names:tc:SAML:2.0:assertion", SSOConstants.AUTHN_CONTEXT_CLASS_REF, "saml2");
        classRef.setAuthnContextClassRef(str);
        return classRef;
    }

    /**
     * Decides whether the outgoing AuthnRequest sets {@code ForceAuthn}, based on the
     * {@code ForceAuthentication} property: {@code yes} always forces, {@code as_request} mirrors the
     * inbound request, and every other value (including unset) does not force.
     *
     * @param authenticationContext the current authentication context, consulted only for {@code as_request}
     * @return {@code true} if re-authentication must be forced at the identity provider
     */
    protected boolean isForceAuthenticate(AuthenticationContext authenticationContext) {
        String mode = this.properties.get("ForceAuthentication");
        if ("yes".equalsIgnoreCase(mode)) {
            return true;
        }
        if ("as_request".equalsIgnoreCase(mode)) {
            return authenticationContext.isForceAuthenticate();
        }
        return false;
    }

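    /**
     * Serialises a SAML request for the HTTP-Redirect binding: marshal to DOM, raw-DEFLATE it (no zlib
     * header, as the binding requires), Base64-encode on a single line, then URL-encode.
     *
     * @param requestAbstractType the AuthnRequest or LogoutRequest to encode
     * @return the URL-encoded, Base64 DEFLATE-compressed request for the {@code SAMLRequest} parameter
     * @throws SAMLSSOException if marshalling or compression fails
     */
    protected String encodeRequestMessage(RequestAbstractType requestAbstractType) throws SAMLSSOException {
        // Level 8, nowrap=true (raw DEFLATE). The Deflater owns native memory and
        // DeflaterOutputStream.close() does not end() a caller-supplied Deflater, so it is released in finally.
        Deflater deflater = new Deflater(8, true);
        try {
            Element marshalled = XMLObjectProviderRegistrySupport.getMarshallerFactory()
                    .getMarshaller(requestAbstractType).marshall(requestAbstractType);
            ByteArrayOutputStream compressed = new ByteArrayOutputStream();
            try (DeflaterOutputStream deflaterStream = new DeflaterOutputStream(compressed, deflater)) {
                SerializeSupport.writeNode(marshalled, deflaterStream);
            }
            // Base64 output is plain ASCII; make the charset explicit instead of platform-dependent.
            String encoded = new String(Base64.encodeBase64(compressed.toByteArray(), false),
                    java.nio.charset.StandardCharsets.US_ASCII);
            if (log.isDebugEnabled()) {
                log.debug("SAML Request  :  " + encoded);
            }
            return URLEncoder.encode(encoded, "UTF-8").trim();
        } catch (MarshallingException | IOException e) {
            throw new SAMLSSOException(SSOErrorConstants.ErrorMessages.IO_ERROR.getCode(), "Error occurred while encoding SAML request", e);
        } finally {
            deflater.end();
        }
    }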

    /**
     * Rejects a SAML response whose DOM has an unexpected shape: a {@code samlp:Response} nested below the
     * root, or more than one {@code saml:Assertion} anywhere in the tree.
     * <p>
     * {@code getElementsByTagNameNS} only searches descendants, so the root element itself is not counted.
     * Presumably this is a structural guard against signature-wrapping style payloads; confirm against
     * the caller's signature validation order.
     *
     * @param xMLObject the unmarshalled response; its DOM must be present
     * @throws SAMLSSOException with the matching schema/multiple-assertion error code
     */
    protected void validateResponseFormat(XMLObject xMLObject) throws SAMLSSOException {
        Element root = xMLObject.getDOM();
        NodeList nestedResponses = root.getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:protocol", "Response");
        boolean hasNestedResponse = nestedResponses != null && nestedResponses.getLength() > 0;
        if (hasNestedResponse) {
            throw new SAMLSSOException(SSOErrorConstants.ErrorMessages.INVALID_SCHEMA_FOR_THE_SAML_2_RESPONSE.getCode(), SSOErrorConstants.ErrorMessages.INVALID_SCHEMA_FOR_THE_SAML_2_RESPONSE.getMessage());
        }
        NodeList assertions = root.getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:assertion", "Assertion");
        boolean hasMultipleAssertions = assertions != null && assertions.getLength() > 1;
        if (hasMultipleAssertions) {
            throw new SAMLSSOException(SSOErrorConstants.ErrorMessages.PROCESSING_SAML2_MULTIPLE_ASSERTION_ELEMENT_FOUND.getCode(), SSOErrorConstants.ErrorMessages.PROCESSING_SAML2_MULTIPLE_ASSERTION_ELEMENT_FOUND.getMessage());
        }
    }

    /**
     * Flattens every attribute of every AttributeStatement into a claim map keyed by attribute name.
     * Multi-valued attributes are joined with the primary user store's multi-attribute separator
     * (falling back to {@code DEFAULT_MULTI_ATTRIBUTE_SEPARATOR} if the realm cannot be read).
     * An attribute with no values maps to {@code null}.
     *
     * @param assertion the assertion to read; {@code null} yields an empty map
     * @return mutable map of claim mapping to joined string value
     */
    private Map<ClaimMapping, String> getAssertionStatements(Assertion assertion) {
        Map<ClaimMapping, String> claims = new HashMap<>();
        String separator = DEFAULT_MULTI_ATTRIBUTE_SEPARATOR;
        try {
            // NOTE(review): the realm value is assigned unconditionally, so an unset user store property
            // would replace the default with null rather than keep it — confirm the property is always set.
            separator = SAMLSSOAuthenticatorServiceDataHolder.getInstance().getRealmService()
                    .getTenantUserRealm(-1234).getUserStoreManager().getRealmConfiguration()
                    .getUserStoreProperty(MULTI_ATTRIBUTE_SEPARATOR);
        } catch (UserStoreException e) {
            log.warn("Error while reading MultiAttributeSeparator valaue from primary user store ", e);
        }
        if (assertion == null || assertion.getAttributeStatements() == null) {
            return claims;
        }
        for (AttributeStatement statement : assertion.getAttributeStatements()) {
            for (Attribute attribute : statement.getAttributes()) {
                String joined = null;
                List<XMLObject> values = attribute.getAttributeValues();
                if (values != null) {
                    for (XMLObject value : values) {
                        String text = value.getDOM().getTextContent();
                        // A blank accumulator is overwritten rather than appended to, matching prior behaviour.
                        joined = StringUtils.isBlank(joined) ? text : joined + separator + text;
                    }
                }
                ClaimMapping mapping = ClaimMapping.build(attribute.getName(), attribute.getName(), (String) null, false);
                claims.put(mapping, joined);
            }
        }
        return claims;
    }

    /**
     * Enforces the assertion's AudienceRestriction conditions against this service provider's entity id.
     * Every AudienceRestriction must list the expected audience (the SAML AND semantics), and each must
     * contain at least one Audience. A {@code null} expected audience never matches, so the check fails
     * closed. A {@code null} assertion is ignored.
     *
     * @param assertion the assertion under validation; may be {@code null}
     * @param str       the expected audience URI (this SP's entity id)
     * @throws SAMLSSOException when Conditions, AudienceRestriction or Audience elements are missing,
     *                          or when any restriction does not name the expected audience
     */
    protected void validateAudienceRestriction(Assertion assertion, String str) throws SAMLSSOException {
        if (assertion == null) {
            return;
        }
        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            throw new SAMLSSOException(SSOErrorConstants.ErrorMessages.SAML_CONDITIONS_NOT_FOUND.getCode(), SSOErrorConstants.ErrorMessages.SAML_CONDITIONS_NOT_FOUND.getMessage());
        }
        List<AudienceRestriction> restrictions = conditions.getAudienceRestrictions();
        if (restrictions == null || restrictions.isEmpty()) {
            throw new SAMLSSOException(SSOErrorConstants.ErrorMessages.AUDIENCE_RESTRICTION_NOT_FOUND.getCode(), SSOErrorConstants.ErrorMessages.AUDIENCE_RESTRICTION_NOT_FOUND.getMessage());
        }
        for (AudienceRestriction restriction : restrictions) {
            List<Audience> audiences = restriction.getAudiences();
            if (audiences == null || audiences.isEmpty()) {
                throw new SAMLSSOException(SSOErrorConstants.ErrorMessages.AUDIENCES_NOT_FOUND.getCode(), SSOErrorConstants.ErrorMessages.AUDIENCES_NOT_FOUND.getMessage());
            }
            boolean matched = false;
            for (Audience audience : audiences) {
                if (str != null && str.equals(audience.getAudienceURI())) {
                    matched = true;
                    break;
                }
            }
            if (!matched) {
                throw new SAMLSSOException(SSOErrorConstants.ErrorMessages.AUDIENCE_RESTRICTION_VALIDATION_FAILED.getCode(), SSOErrorConstants.ErrorMessages.AUDIENCE_RESTRICTION_VALIDATION_FAILED.getMessage());
            }
        }
    }

    /**
     * Validates the Response and/or Assertion signatures according to the IdP's configuration flags.
     * Each signature is checked only when its flag is enabled, and a missing signature is an error
     * when it is; if neither flag is enabled this method performs no signature check at all.
     *
     * @param response  the SAML response, consulted when response signing is enabled
     * @param assertion the assertion, consulted when assertion signing is enabled
     * @throws SAMLSSOException if a required signature is absent or fails validation
     */
    protected void validateSignature(Response response, Assertion assertion) throws SAMLSSOException {
        if (SSOUtils.isAuthnResponseSigned(this.properties)) {
            Signature responseSignature = response.getSignature();
            if (responseSignature == null) {
                throw new SAMLSSOException(SSOErrorConstants.ErrorMessages.SIGNATURE_ELEMENT_NOT_FOUND_WHILE_ENABLED.getCode(), SSOErrorConstants.ErrorMessages.SIGNATURE_ELEMENT_NOT_FOUND_WHILE_ENABLED.getMessage());
            }
            validateSignature((XMLObject) responseSignature);
        }
        if (SSOUtils.isAssertionSigningEnabled(this.properties)) {
            Signature assertionSignature = assertion.getSignature();
            if (assertionSignature == null) {
                throw new SAMLSSOException(SSOErrorConstants.ErrorMessages.SIGNATURE_ELEMENT_NOT_FOUND_IN_SAML_ASSERTION_WHILE_SIGNING_ENABLED.getCode(), SSOErrorConstants.ErrorMessages.SIGNATURE_ELEMENT_NOT_FOUND_IN_SAML_ASSERTION_WHILE_SIGNING_ENABLED.getMessage());
            }
            validateSignature((XMLObject) assertionSignature);
        }
    }

    /**
     * Validates the ArtifactResponse signature when artifact response signing is enabled for this IdP;
     * otherwise the response is accepted without a signature check.
     *
     * @param artifactResponse the artifact response to check
     * @throws SAMLSSOException if signing is enabled and the signature is absent or invalid
     */
    protected void validateSignature(ArtifactResponse artifactResponse) throws SAMLSSOException {
        if (!SSOUtils.isArtifactResponseSigningEnabled(this.properties)) {
            return;
        }
        Signature artifactSignature = artifactResponse.getSignature();
        if (artifactSignature == null) {
            throw new SAMLSSOException(SSOErrorConstants.ErrorMessages.SIGNATURE_ELEMENT_NOT_FOUND_IN_ARTIFACT_RESPONSE_WHILE_ENABLED.getCode(), SSOErrorConstants.ErrorMessages.SIGNATURE_ELEMENT_NOT_FOUND_IN_ARTIFACT_RESPONSE_WHILE_ENABLED.getMessage());
        }
        validateSignature((XMLObject) artifactSignature);
    }

    /**
     * Validates an XML signature: first against the SAML signature profile, then cryptographically
     * against each certificate configured for the identity provider until one verifies.
     * Failures from all certificates are collected (first as cause, the rest suppressed).
     * A profile violation is additionally recorded in the audit log.
     *
     * @param xMLObject the {@code Signature} element (must be a {@code SignatureImpl})
     * @throws SAMLSSOException if the profile check fails, no certificate is configured, or no
     *                          configured certificate verifies the signature
     */
    protected void validateSignature(XMLObject xMLObject) throws SAMLSSOException {
        SignatureImpl signature = (SignatureImpl) xMLObject;
        try {
            new SAMLSignatureProfileValidator().validate(signature);
            CertificateInfo[] certificates = this.identityProvider.getCertificateInfoArray();
            if (ArrayUtils.isEmpty(certificates)) {
                throw new SAMLSSOException(SSOErrorConstants.ErrorMessages.SIGNATURE_VALIDATION_FAILED_FOR_SAML_RESPONSE.getCode(), SSOErrorConstants.ErrorMessages.SIGNATURE_VALIDATION_FAILED_FOR_SAML_RESPONSE.getMessage(), null);
            }
            if (log.isDebugEnabled()) {
                log.debug("The number of certificates has been found is: " + certificates.length);
            }
            boolean verified = false;
            SignatureException firstFailure = null;
            int index = 0;
            for (CertificateInfo certificateInfo : certificates) {
                X509CredentialImpl credential = new X509CredentialImpl(this.tenantDomain, certificateInfo.getCertValue());
                try {
                    if (log.isDebugEnabled()) {
                        log.debug("Validating the SAML signature with certificate at index: " + index);
                    }
                    SignatureValidator.validate(signature, credential);
                    verified = true;
                    break;
                } catch (SignatureException e) {
                    if (firstFailure == null) {
                        firstFailure = e;
                    } else {
                        firstFailure.addSuppressed(e);
                    }
                    index++;
                }
            }
            if (!verified) {
                throw new SAMLSSOException("Signature validation failed for SAML Response", (Throwable) firstFailure);
            }
        } catch (SignatureException profileFailure) {
            String message = SSOErrorConstants.ErrorMessages.SIGNATURE_NOT_CONFIRM_TO_SAML_SIGNATURE_PROFILE.getMessage();
            CarbonConstants.AUDIT_LOG.warn(message);
            throw new SAMLSSOException(SSOErrorConstants.ErrorMessages.SIGNATURE_NOT_CONFIRM_TO_SAML_SIGNATURE_PROFILE.getCode(), message, profileFailure);
        }
    }

    /**
     * Checks the assertion's NotBefore / NotOnOrAfter conditions against the current time, widened by
     * the server's configured clock skew in both directions, and rejects a window whose NotBefore is
     * after its NotOnOrAfter. An assertion without a Conditions element is not checked here.
     *
     * @param assertion the assertion under validation
     * @throws SAMLSSOException if the assertion is not yet valid, has expired, or has an inverted window
     */
    protected void validateAssertionValidityPeriod(Assertion assertion) throws SAMLSSOException {
        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            return;
        }
        DateTime notBefore = conditions.getNotBefore();
        DateTime notOnOrAfter = conditions.getNotOnOrAfter();
        int skewSeconds = IdentityUtil.getClockSkewInSeconds();

        boolean notYetValid = notBefore != null && notBefore.minusSeconds(skewSeconds).isAfterNow();
        if (notYetValid) {
            throw new SAMLSSOException(SSOErrorConstants.ErrorMessages.NOT_BEFORE_CONDITION_NOT_MET.getCode(), SSOErrorConstants.ErrorMessages.NOT_BEFORE_CONDITION_NOT_MET.getMessage());
        }
        boolean expired = notOnOrAfter != null && notOnOrAfter.plusSeconds(skewSeconds).isBeforeNow();
        if (expired) {
            throw new SAMLSSOException(SSOErrorConstants.ErrorMessages.NOT_ON_OR_BEFORE_CONDITION_NOT_MET.getCode(), SSOErrorConstants.ErrorMessages.NOT_ON_OR_BEFORE_CONDITION_NOT_MET.getMessage());
        }
        boolean invertedWindow = notBefore != null && notOnOrAfter != null && notBefore.isAfter(notOnOrAfter);
        if (invertedWindow) {
            throw new SAMLSSOException(SSOErrorConstants.ErrorMessages.NOT_ON_OR_BEFORE_CONDITION_NOT_MET.getCode(), "SAML Assertion Condition 'Not Before' must be less than the value of 'Not On Or After'");
        }
    }

    /**
     * Decrypts an EncryptedAssertion in two steps: the symmetric content key is unwrapped with the
     * tenant's credential ({@code X509CredentialImpl} built with a {@code null} certificate value —
     * presumably resolving the tenant's private key; confirm), then the assertion body is decrypted
     * with that key. The decrypted element is rooted in a new document.
     *
     * @param encryptedAssertion the encrypted assertion, with its EncryptedData and EncryptionMethod present
     * @return the decrypted assertion
     * @throws Exception if no encrypted key can be located or either decryption step fails
     */
    protected Assertion getDecryptedAssertion(EncryptedAssertion encryptedAssertion) throws Exception {
        X509CredentialImpl tenantCredential = new X509CredentialImpl(this.tenantDomain, (String) null);
        StaticKeyInfoCredentialResolver tenantKeyResolver = new StaticKeyInfoCredentialResolver(tenantCredential);

        // Step 1: unwrap the content-encryption key using the tenant credential.
        Decrypter keyDecrypter = new Decrypter((KeyInfoCredentialResolver) null, tenantKeyResolver, (EncryptedKeyResolver) null);
        EncryptedKey encryptedKey = getEncryptedKey(encryptedAssertion);
        String dataAlgorithm = encryptedAssertion.getEncryptedData().getEncryptionMethod().getAlgorithm();
        SecretKey contentKey = (SecretKey) keyDecrypter.decryptKey(encryptedKey, dataAlgorithm);

        // Step 2: decrypt the assertion itself with the unwrapped symmetric key.
        StaticKeyInfoCredentialResolver contentKeyResolver =
                new StaticKeyInfoCredentialResolver(CredentialSupport.getSimpleCredential(contentKey));
        Decrypter dataDecrypter = new Decrypter(contentKeyResolver, (KeyInfoCredentialResolver) null, (EncryptedKeyResolver) null);
        dataDecrypter.setRootInNewDocument(true);
        return dataDecrypter.decrypt(encryptedAssertion);
    }

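    /**
     * Verifies that the assertion's Issuer equals the configured {@code IdPEntityId}, when issuer
     * verification is enabled in the authenticator configuration. The comparison is null-safe and
     * fails closed: a missing Issuer element, a missing issuer value, or an unset {@code IdPEntityId}
     * property is reported as an invalid issuer instead of a NullPointerException.
     *
     * @param assertion the assertion under validation
     * @throws SAMLSSOException with {@code INVALID_IDP_ID} when the issuer does not match
     */
    protected void validateAssertionIssuer(Assertion assertion) throws SAMLSSOException {
        if (!isAssertionIssuerVerificationEnabled()) {
            return;
        }
        if (log.isDebugEnabled()) {
            log.debug("Assertion issuer verification is enabled.");
        }
        String expectedIssuer = this.properties.get("IdPEntityId");
        Issuer issuerElement = assertion.getIssuer();
        String receivedIssuer = issuerElement != null ? issuerElement.getValue() : null;
        // An unset expected value must not match anything; equals() on the non-null side guards that.
        if (expectedIssuer != null && expectedIssuer.equals(receivedIssuer)) {
            return;
        }
        log.warn("Issuer value in the assertion is invalid. Expected value is '" + expectedIssuer + "', but received value in the assertion is '" + receivedIssuer + "'.");
        throw new SAMLSSOException(SSOErrorConstants.ErrorMessages.INVALID_IDP_ID.getCode(), String.format(SSOErrorConstants.ErrorMessages.INVALID_IDP_ID.getMessage(), receivedIssuer));
    }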

    /**
     * Reads the {@code VERIFY_ASSERTION_ISSUER} parameter of this authenticator from the file-based
     * configuration. Verification is off by default: a missing authenticator entry, missing parameter
     * map, or empty parameter all yield {@code false}.
     *
     * @return {@code true} only when the parameter is present and parses as {@code true}
     */
    private boolean isAssertionIssuerVerificationEnabled() {
        AuthenticatorConfig config = (AuthenticatorConfig) FileBasedConfigurationBuilder.getInstance()
                .getAuthenticatorConfigMap().get(SSOConstants.AUTHENTICATOR_NAME);
        if (config == null || config.getParameterMap() == null) {
            return false;
        }
        String flag = (String) config.getParameterMap().get(VERIFY_ASSERTION_ISSUER);
        return StringUtils.isNotEmpty(flag) && Boolean.parseBoolean(flag);
    }

    /**
     * Returns the service provider entity id used as the Issuer of outgoing requests and as the
     * expected audience of inbound assertions. Taken from the {@code SPEntityId} IdP property;
     * the authentication context is not consulted by this implementation.
     *
     * @param authenticationContext unused here; available for subclasses
     * @return the configured SP entity id, or {@code null} if not set
     */
    protected String getIssuer(AuthenticationContext authenticationContext) {
        String spEntityId = this.properties.get("SPEntityId");
        return spEntityId;
    }

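    /**
     * Locates the EncryptedKey that wraps the assertion's content-encryption key. XML Encryption allows
     * it either inside {@code EncryptedData/KeyInfo} (checked first) or as a sibling of EncryptedData
     * on the EncryptedAssertion. Because {@code KeyInfo} is optional, its absence falls through to the
     * assertion-level keys instead of raising a NullPointerException.
     *
     * @param encryptedAssertion the encrypted assertion to search
     * @return the first EncryptedKey found
     * @throws Exception if neither location carries an EncryptedKey
     */
    private EncryptedKey getEncryptedKey(EncryptedAssertion encryptedAssertion) throws Exception {
        List<EncryptedKey> inlineKeys = null;
        if (encryptedAssertion.getEncryptedData() != null && encryptedAssertion.getEncryptedData().getKeyInfo() != null) {
            inlineKeys = encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys();
        }
        if (CollectionUtils.isNotEmpty(inlineKeys)) {
            if (log.isDebugEnabled()) {
                log.debug("EncryptedKey obtain from the encrypted data element.");
            }
            return inlineKeys.get(0);
        }
        List<EncryptedKey> assertionKeys = encryptedAssertion.getEncryptedKeys();
        if (CollectionUtils.isNotEmpty(assertionKeys)) {
            if (log.isDebugEnabled()) {
                log.debug("EncryptedKey obtained from the Assertion.");
            }
            return assertionKeys.get(0);
        }
        throw new Exception("Could not obtain the encrypted key from the encrypted assertion.");
    }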
}
