package org.wso2.carbon.identity.application.authenticator.samlsso.manager;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.StringWriter;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;
import javax.crypto.SecretKey;
import javax.servlet.http.HttpServletRequest;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.xerces.util.SecurityManager;
import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLVersion;
import org.opensaml.saml2.common.Extensions;
import org.opensaml.saml2.common.impl.ExtensionsBuilder;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.LogoutRequest;
import org.opensaml.saml2.core.LogoutResponse;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.NameIDPolicy;
import org.opensaml.saml2.core.RequestAbstractType;
import org.opensaml.saml2.core.RequestedAuthnContext;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.SessionIndex;
import org.opensaml.saml2.core.impl.AuthnContextClassRefBuilder;
import org.opensaml.saml2.core.impl.AuthnRequestBuilder;
import org.opensaml.saml2.core.impl.IssuerBuilder;
import org.opensaml.saml2.core.impl.LogoutRequestBuilder;
import org.opensaml.saml2.core.impl.NameIDBuilder;
import org.opensaml.saml2.core.impl.NameIDPolicyBuilder;
import org.opensaml.saml2.core.impl.RequestedAuthnContextBuilder;
import org.opensaml.saml2.core.impl.SessionIndexBuilder;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.encryption.EncryptedKey;
import org.opensaml.xml.encryption.EncryptedKeyResolver;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.io.UnmarshallingException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.util.Base64;
import org.opensaml.xml.util.XMLHelper;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Element;
import org.wso2.carbon.identity.application.authentication.framework.config.builder.FileBasedConfigurationBuilder;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationRequest;
import org.wso2.carbon.identity.application.authenticator.samlsso.exception.SAMLSSOException;
import org.wso2.carbon.identity.application.authenticator.samlsso.util.CarbonEntityResolver;
import org.wso2.carbon.identity.application.authenticator.samlsso.util.SSOConstants;
import org.wso2.carbon.identity.application.authenticator.samlsso.util.SSOUtils;
import org.wso2.carbon.identity.application.common.model.ClaimMapping;
import org.wso2.carbon.identity.application.common.model.IdentityProvider;
import org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.xml.sax.SAXException;

/* loaded from: input_file:org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.class */
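/**
 * Default SAML 2.0 Web Browser SSO / Single Logout manager for the federated SAML authenticator.
 * <p>
 * Builds outbound {@code AuthnRequest}/{@code LogoutRequest} messages for the HTTP-Redirect and HTTP-POST
 * bindings and processes the IdP's {@code Response}/{@code LogoutResponse}. Inbound XML is parsed with a
 * hardened parser (no DOCTYPE, no entity expansion, secure processing) before OpenSAML unmarshalling.
 * <p>
 * Not thread-safe: one instance is expected per {@link #init(String, Map, IdentityProvider)} call.
 */
public class DefaultSAML2SSOManager implements SAML2SSOManager {

    /** Xerces property under which a {@link SecurityManager} is installed on the parser factory. */
    private static final String SECURITY_MANAGER_PROPERTY = "http://apache.org/xml/properties/security-manager";
    /** JAXP secure-processing feature (same value as {@code javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING}). */
    private static final String SECURE_PROCESSING_FEATURE = "http://javax.xml.XMLConstants/feature/secure-processing";
    /** Xerces feature that rejects any DOCTYPE declaration; a SAML message never needs one. */
    private static final String DISALLOW_DOCTYPE_FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
    /** Zero: no entity expansion is tolerated while parsing inbound SAML XML. */
    private static final int ENTITY_EXPANSION_LIMIT = 0;
    /** Authenticator parameter: sign redirect-binding requests with the super-tenant key instead of the tenant's. */
    private static final String SIGN_AUTH2_SAML_USING_SUPER_TENANT = "SignAuth2SAMLUsingSuperTenant";

    // Keys looked up in the IdP property map supplied to init().
    private static final String PROP_SP_ENTITY_ID = "SPEntityId";
    private static final String PROP_SIGNATURE_ALGORITHM = "SignatureAlgorithm";
    private static final String PROP_DIGEST_ALGORITHM = "DigestAlgorithm";
    private static final String PROP_INCLUDE_CERT = "IncludeCert";
    private static final String PROP_INCLUDE_PROTOCOL_BINDING = "IncludeProtocolBinding";
    private static final String PROP_ATTRIBUTE_CONSUMING_SERVICE_INDEX = "AttributeConsumingServiceIndex";
    private static final String PROP_INCLUDE_NAME_ID_POLICY = "IncludeNameIDPolicy";
    private static final String PROP_INCLUDE_AUTHN_CONTEXT = "IncludeAuthnContext";
    private static final String PROP_AUTHN_CONTEXT_CLASS_REF = "AuthnContextClassRef";
    private static final String PROP_AUTHN_CONTEXT_COMPARISON_LEVEL = "AuthnContextComparisonLevel";
    private static final String PROP_FORCE_AUTHENTICATION = "ForceAuthentication";

    // Defaults applied when the corresponding property is absent or blank.
    private static final String DEFAULT_SP_ENTITY_ID = "carbonServer";
    private static final String DEFAULT_SIGNATURE_ALGORITHM = "RSA with SHA1";
    private static final String DEFAULT_DIGEST_ALGORITHM = "SHA1";
    private static final String DEFAULT_AUTHN_CONTEXT_CLASS_REF =
            "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport";

    private static final String SUPER_TENANT_DOMAIN = "carbon.super";
    private static final String VALUE_YES = "yes";
    private static final String VALUE_AS_REQUEST = "as_request";
    private static final String SAML2_PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol";
    private static final String SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    private static final String NAME_ID_FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";
    private static final String HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
    private static final String SESSION_ATTR_USERNAME = "username";
    private static final String SESSION_ATTR_SAML_ATTRIBUTES = "samlssoAttributes";
    /** LogoutRequest NotOnOrAfter window: five minutes after IssueInstant. */
    private static final long LOGOUT_REQUEST_VALIDITY_MILLIS = 300000L;

    private static final Log log = LogFactory.getLog(DefaultSAML2SSOManager.class);
    /** Guarded by the class monitor (see {@link #doBootstrap()}). */
    private static boolean bootStrapped = false;

    private IdentityProvider identityProvider = null;
    private Map<String, String> properties;
    private String tenantDomain;

    /**
     * Initialises the OpenSAML 2 library once per JVM.
     * <p>
     * Synchronized so that concurrent first calls cannot race on {@code bootStrapped} and bootstrap twice.
     * A failure is logged and left for the next caller to retry, matching the previous best-effort behaviour.
     */
    public static synchronized void doBootstrap() {
        if (bootStrapped) {
            return;
        }
        try {
            DefaultBootstrap.bootstrap();
            bootStrapped = true;
        } catch (ConfigurationException e) {
            log.error("Error in bootstrapping the OpenSAML2 library", e);
        }
    }

    /**
     * Binds this manager to a tenant and an identity provider configuration.
     *
     * @param tenantDomain     tenant whose key material signs requests and verifies IdP signatures
     * @param properties       IdP authenticator properties (SPEntityId, signing flags, algorithms, ...)
     * @param identityProvider the federated IdP, including its certificate
     */
    @Override
    public void init(String tenantDomain, Map<String, String> properties, IdentityProvider identityProvider)
            throws SAMLSSOException {
        this.tenantDomain = tenantDomain;
        this.identityProvider = identityProvider;
        this.properties = properties;
    }

    /**
     * Builds the HTTP-Redirect binding URL (deflated, base64, URL-encoded SAMLRequest plus RelayState and, when
     * configured, a detached query-string signature).
     *
     * @param request   the current inbound request; an SP-initiated AuthnRequest carried in it is propagated
     * @param isLogout  {@code true} to build a LogoutRequest from session state, {@code false} for an AuthnRequest
     * @param isPassive IsPassive flag for the AuthnRequest (ignored for logout)
     * @param idpUrl    IdP endpoint; used as Destination and as the base of the returned URL
     * @param context   authentication context whose identifier becomes RelayState
     * @return {@code idpUrl} with the SAML query string appended
     * @throws SAMLSSOException if the request cannot be built, encoded or signed
     */
    @Override
    public String buildRequest(HttpServletRequest request, boolean isLogout, boolean isPassive, String idpUrl,
                               AuthenticationContext context) throws SAMLSSOException {
        doBootstrap();
        String relayState = context.getContextIdentifier();
        propagateInboundAuthnRequest(request, context);

        RequestAbstractType samlRequest = isLogout
                ? buildLogoutRequestFromSession(request, idpUrl)
                : buildAuthnRequest(request, isPassive, idpUrl, context);

        StringBuilder queryString = new StringBuilder("SAMLRequest=").append(encodeRequestMessage(samlRequest));
        try {
            queryString.append("&RelayState=").append(URLEncoder.encode(relayState, "UTF-8").trim());
            if (SSOUtils.isAuthnRequestSigned(this.properties)) {
                // The authenticator-level parameter can force signing with the super-tenant key.
                String signingTenant = signUsingSuperTenant() ? SUPER_TENANT_DOMAIN : context.getTenantDomain();
                SSOUtils.addSignatureToHTTPQueryString(queryString, resolveSignatureAlgorithmUri(),
                        new X509CredentialImpl(signingTenant, null));
            }
            String separator = idpUrl.indexOf('?') > -1 ? "&" : "?";
            return idpUrl + separator + queryString;
        } catch (UnsupportedEncodingException e) {
            throw new SAMLSSOException("Error occurred while url encoding RelayState", e);
        }
    }

    /**
     * Builds the HTTP-POST binding payload: the (optionally XML-signed) request, marshalled and base64 encoded.
     *
     * @param request     the current inbound request (logout details are read from its session)
     * @param isLogout    {@code true} for a LogoutRequest, {@code false} for an AuthnRequest
     * @param isPassive   IsPassive flag for the AuthnRequest (ignored for logout)
     * @param destination IdP endpoint, set as Destination on the message
     * @param context     authentication context; its tenant supplies the signing key
     * @return base64-encoded SAML message for the SAMLRequest form field
     * @throws SAMLSSOException if the request cannot be built, signed or marshalled
     */
    public String buildPostRequest(HttpServletRequest request, boolean isLogout, boolean isPassive,
                                   String destination, AuthenticationContext context) throws SAMLSSOException {
        doBootstrap();
        String signatureAlgorithmUri = resolveSignatureAlgorithmUri();
        String digestAlgorithmUri = resolveDigestAlgorithmUri();
        boolean includeCertificate = isEnabledByDefault(this.properties.get(PROP_INCLUDE_CERT));

        RequestAbstractType samlRequest;
        boolean sign;
        if (isLogout) {
            samlRequest = buildLogoutRequestFromSession(request, destination);
            sign = SSOUtils.isLogoutRequestSigned(this.properties);
        } else {
            samlRequest = buildAuthnRequest(request, isPassive, destination, context);
            sign = SSOUtils.isAuthnRequestSigned(this.properties);
        }
        if (sign) {
            // Credential is created lazily so unsigned deployments never touch the key store here.
            SSOUtils.setSignature(samlRequest, signatureAlgorithmUri, digestAlgorithmUri, includeCertificate,
                    new X509CredentialImpl(context.getTenantDomain(), null));
        }
        return SSOUtils.encode(SSOUtils.marshall(samlRequest));
    }

    /**
     * Dispatches the inbound SAMLResponse parameter: a LogoutResponse goes to {@link #doSLO}, a Response to the
     * SSO flow. Anything else is rejected instead of being force-cast to {@code Response}.
     *
     * @param request request carrying the base64 SAMLResponse parameter
     * @throws SAMLSSOException if the parameter is missing, unparsable, of an unexpected type or fails validation
     */
    @Override
    public void processResponse(HttpServletRequest request) throws SAMLSSOException {
        doBootstrap();
        XMLObject samlObject = decodeAndUnmarshall(request, SSOConstants.HTTP_POST_PARAM_SAML2_RESP);
        if (samlObject instanceof LogoutResponse) {
            doSLO(request);
        } else if (samlObject instanceof Response) {
            processSSOResponse(request, (Response) samlObject);
        } else {
            throw new SAMLSSOException("SAMLResponse parameter is neither a SAML Response nor a LogoutResponse");
        }
    }

    /**
     * Returns the SP-initiated AuthnRequest carried in the authentication request, or {@code null} when there is
     * none or the parameter does not decode to an AuthnRequest.
     *
     * @param context authentication context holding the original inbound request
     * @throws SAMLSSOException if the carried message cannot be parsed
     */
    protected AuthnRequest getAuthnRequest(AuthenticationContext context) throws SAMLSSOException {
        AuthenticationRequest authenticationRequest = context.getAuthenticationRequest();
        if (authenticationRequest == null) {
            return null;
        }
        String[] values = authenticationRequest.getRequestQueryParam(SSOConstants.HTTP_POST_PARAM_SAML2_AUTH_REQ);
        if (values == null || values.length == 0) {
            return null;
        }
        XMLObject parsed = authenticationRequest.isPost()
                ? unmarshall(SSOUtils.decodeForPost(values[0]))
                : unmarshall(SSOUtils.decode(values[0]));
        return parsed instanceof AuthnRequest ? (AuthnRequest) parsed : null;
    }

    /**
     * Copies the {@code Extensions} element of the SP's inbound AuthnRequest (parameter or request attribute),
     * or returns {@code null} when absent. Best-effort: any failure is logged at debug level and yields
     * {@code null}, so a malformed extension never blocks the login.
     *
     * @param request request carrying the SP's AuthnRequest
     */
    protected Extensions getSAMLExtensions(HttpServletRequest request) {
        try {
            String encoded = request.getParameter(SSOConstants.HTTP_POST_PARAM_SAML2_AUTH_REQ);
            if (encoded == null) {
                encoded = (String) request.getAttribute(SSOConstants.HTTP_POST_PARAM_SAML2_AUTH_REQ);
            }
            if (encoded == null) {
                return null;
            }
            XMLObject parsed = "POST".equals(request.getMethod())
                    ? unmarshall(SSOUtils.decodeForPost(encoded))
                    : unmarshall(SSOUtils.decode(encoded));
            if (!(parsed instanceof AuthnRequest)) {
                return null;
            }
            return getSAMLExtensions((AuthnRequest) parsed);
        } catch (Exception e) {
            // Deliberately broad: extensions are optional pass-through data.
            log.debug("Error while loading SAML Extensions", e);
            return null;
        }
    }

    /**
     * Returns a fresh {@code saml2p:Extensions} element carrying the DOM of the given request's extensions,
     * or {@code null} when the request has none.
     *
     * @param authnRequest parsed SP AuthnRequest; may be {@code null}
     */
    protected Extensions getSAMLExtensions(AuthnRequest authnRequest) {
        if (authnRequest == null || authnRequest.getExtensions() == null) {
            return null;
        }
        Extensions copy = new ExtensionsBuilder().buildObject(SAML2_PROTOCOL_NS, "Extensions", "saml2p");
        copy.setDOM(authnRequest.getExtensions().getDOM());
        return copy;
    }

    /**
     * Handles a Single Logout message. A LogoutResponse invalidates the local session; a LogoutRequest is only
     * checked for a SessionIndex (nothing here consumes the index value).
     *
     * @param request request carrying a SAMLRequest or SAMLResponse parameter
     * @throws SAMLSSOException if neither parameter is present or the message is not a logout message
     */
    public void doSLO(HttpServletRequest request) throws SAMLSSOException {
        doBootstrap();
        XMLObject samlObject = null;
        if (request.getParameter(SSOConstants.HTTP_POST_PARAM_SAML2_AUTH_REQ) != null) {
            samlObject = decodeAndUnmarshall(request, SSOConstants.HTTP_POST_PARAM_SAML2_AUTH_REQ);
        }
        if (samlObject == null) {
            samlObject = decodeAndUnmarshall(request, SSOConstants.HTTP_POST_PARAM_SAML2_RESP);
        }
        if (samlObject instanceof LogoutRequest) {
            List<SessionIndex> sessionIndexes = ((LogoutRequest) samlObject).getSessionIndexes();
            if (CollectionUtils.isEmpty(sessionIndexes)) {
                // Previously an unchecked IndexOutOfBounds; surface it as the declared exception instead.
                throw new SAMLSSOException("Single Logout Request does not contain a SessionIndex");
            }
        } else if (samlObject instanceof LogoutResponse) {
            request.getSession().invalidate();
        } else {
            throw new SAMLSSOException("Invalid Single Logout SAML Request");
        }
    }

    /**
     * Validates a SAML Response and, on success, records the subject, attributes and logout data in the session.
     * <p>
     * Order matters: signature and audience are verified before any assertion content reaches the session, and
     * the SessionIndex requirement is checked before the username is stored, so a rejected response leaves no
     * partially populated session behind.
     *
     * @param request  request whose session receives the results
     * @param response the already-parsed Response
     * @throws SAMLSSOException on a missing assertion (other than a NoPassive status), missing subject,
     *                          failed signature or audience validation, or missing SessionIndex with SLO enabled
     */
    private void processSSOResponse(HttpServletRequest request, Response response) throws SAMLSSOException {
        Assertion assertion = extractAssertion(response);
        if (assertion == null) {
            if (isNoPassiveResponse(response)) {
                // The IdP could not authenticate passively; the caller treats this as "no session", not an error.
                return;
            }
            throw new SAMLSSOException("SAML Assertion not found in the Response");
        }

        validateSignature(response, assertion);
        validateAudienceRestriction(assertion);
        // NOTE(review): Conditions NotBefore/NotOnOrAfter are not enforced in this class — confirm that
        // SSOUtils or the framework does so, otherwise the accepted assertion lifetime is unbounded.

        if (assertion.getSubject() == null || assertion.getSubject().getNameID() == null
                || assertion.getSubject().getNameID().getValue() == null) {
            throw new SAMLSSOException("SAML Response does not contain the name of the subject");
        }
        NameID nameId = assertion.getSubject().getNameID();

        String sessionIndex = null;
        if (SSOUtils.isLogoutEnabled(this.properties)) {
            sessionIndex = requireSessionIndex(assertion);
        }

        request.getSession().setAttribute(SESSION_ATTR_USERNAME, nameId.getValue());
        request.getSession().setAttribute(SESSION_ATTR_SAML_ATTRIBUTES, getAssertionStatements(assertion));
        if (sessionIndex != null) {
            // These three attributes feed buildLogoutRequest(): NameID value, NameQualifier, SPNameQualifier.
            // The previous code stored the NameQualifier under LOGOUT_USERNAME and never set NAME_QUALIFIER,
            // so the outbound LogoutRequest named the wrong principal.
            request.getSession().setAttribute(SSOConstants.IDP_SESSION, sessionIndex);
            request.getSession().setAttribute(SSOConstants.LOGOUT_USERNAME, nameId.getValue());
            request.getSession().setAttribute(SSOConstants.NAME_QUALIFIER, nameId.getNameQualifier());
            request.getSession().setAttribute(SSOConstants.SP_NAME_QUALIFIER, nameId.getSPNameQualifier());
        }
    }

    /**
     * Builds a LogoutRequest naming the given subject.
     *
     * @param subject         NameID value of the principal to log out
     * @param sessionIndex    IdP session index; a random UUID is used when {@code null}
     * @param destination     IdP SLO endpoint
     * @param nameQualifier   NameID NameQualifier, may be {@code null}
     * @param spNameQualifier NameID SPNameQualifier, may be {@code null}
     */
    private LogoutRequest buildLogoutRequest(String subject, String sessionIndex, String destination,
                                             String nameQualifier, String spNameQualifier) throws SAMLSSOException {
        LogoutRequest logoutRequest = new LogoutRequestBuilder().buildObject();
        logoutRequest.setID(SSOUtils.createID());
        logoutRequest.setDestination(destination);
        DateTime issueInstant = new DateTime();
        logoutRequest.setIssueInstant(issueInstant);
        logoutRequest.setNotOnOrAfter(new DateTime(issueInstant.getMillis() + LOGOUT_REQUEST_VALIDITY_MILLIS));

        Issuer issuer = new IssuerBuilder().buildObject();
        issuer.setValue(spEntityId());
        logoutRequest.setIssuer(issuer);

        NameID nameId = new NameIDBuilder().buildObject();
        nameId.setFormat(NAME_ID_FORMAT_UNSPECIFIED);
        nameId.setValue(subject);
        nameId.setNameQualifier(nameQualifier);
        nameId.setSPNameQualifier(spNameQualifier);
        logoutRequest.setNameID(nameId);

        SessionIndex sessionIndexElement = new SessionIndexBuilder().buildObject();
        sessionIndexElement.setSessionIndex(sessionIndex != null ? sessionIndex : UUID.randomUUID().toString());
        logoutRequest.getSessionIndexes().add(sessionIndexElement);
        logoutRequest.setReason("Single Logout");
        return logoutRequest;
    }

    /**
     * Builds the outbound AuthnRequest for the IdP, honouring the Include* and AuthnContext properties and
     * propagating RequestedAuthnContext/Extensions from the SP's own request where configured.
     *
     * @param request     current inbound request (source of SP Extensions)
     * @param isPassive   IsPassive flag
     * @param destination IdP SSO endpoint
     * @param context     authentication context (force-authentication flag, SP AuthnRequest)
     */
    private AuthnRequest buildAuthnRequest(HttpServletRequest request, boolean isPassive, String destination,
                                           AuthenticationContext context) throws SAMLSSOException {
        Issuer issuer = new IssuerBuilder().buildObject(SAML2_ASSERTION_NS, "Issuer", "samlp");
        issuer.setValue(spEntityId());

        AuthnRequest authnRequest = new AuthnRequestBuilder().buildObject(SAML2_PROTOCOL_NS, "AuthnRequest", "samlp");
        authnRequest.setForceAuthn(Boolean.valueOf(isForceAuthenticate(context)));
        authnRequest.setIsPassive(Boolean.valueOf(isPassive));
        authnRequest.setIssueInstant(new DateTime());
        if (isEnabledByDefault(this.properties.get(PROP_INCLUDE_PROTOCOL_BINDING))) {
            authnRequest.setProtocolBinding(HTTP_POST_BINDING);
        }
        authnRequest.setAssertionConsumerServiceURL(IdentityUtil.getServerURL("commonauth", true));
        authnRequest.setIssuer(issuer);
        authnRequest.setID(SSOUtils.createID());
        authnRequest.setVersion(SAMLVersion.VERSION_20);
        authnRequest.setDestination(destination);

        String acsIndex = this.properties.get(PROP_ATTRIBUTE_CONSUMING_SERVICE_INDEX);
        if (StringUtils.isNotEmpty(acsIndex)) {
            try {
                authnRequest.setAttributeConsumingServiceIndex(Integer.valueOf(acsIndex));
            } catch (NumberFormatException e) {
                // Misconfiguration only; the request is still valid without the index.
                log.error("Error while populating SAMLRequest with AttributeConsumingServiceIndex: " + acsIndex, e);
            }
        }
        if (isEnabledByDefault(this.properties.get(PROP_INCLUDE_NAME_ID_POLICY))) {
            NameIDPolicy nameIdPolicy = new NameIDPolicyBuilder().buildObject();
            nameIdPolicy.setFormat(NAME_ID_FORMAT_UNSPECIFIED);
            nameIdPolicy.setAllowCreate(true);
            authnRequest.setNameIDPolicy(nameIdPolicy);
        }
        RequestedAuthnContext requestedAuthnContext = buildRequestedAuthnContext(getAuthnRequest(context));
        if (requestedAuthnContext != null) {
            authnRequest.setRequestedAuthnContext(requestedAuthnContext);
        }
        Extensions extensions = getSAMLExtensions(request);
        if (extensions != null) {
            authnRequest.setExtensions(extensions);
        }
        return authnRequest;
    }

    /**
     * Builds the RequestedAuthnContext according to the IncludeAuthnContext property:
     * {@code as_request} copies the SP's element, blank/{@code yes} builds one from the configured class
     * reference and comparison level, any other value yields {@code null}.
     *
     * @param inboundRequest the SP's AuthnRequest, may be {@code null}
     */
    private RequestedAuthnContext buildRequestedAuthnContext(AuthnRequest inboundRequest) throws SAMLSSOException {
        String mode = this.properties.get(PROP_INCLUDE_AUTHN_CONTEXT);
        if (StringUtils.isNotEmpty(mode) && VALUE_AS_REQUEST.equalsIgnoreCase(mode)) {
            if (inboundRequest == null || inboundRequest.getRequestedAuthnContext() == null) {
                return null;
            }
            RequestedAuthnContext copy = new RequestedAuthnContextBuilder().buildObject();
            copy.setDOM(inboundRequest.getRequestedAuthnContext().getDOM());
            return copy;
        }
        if (!(StringUtils.isEmpty(mode) || VALUE_YES.equalsIgnoreCase(mode))) {
            return null;
        }
        RequestedAuthnContext requestedAuthnContext = new RequestedAuthnContextBuilder().buildObject();
        AuthnContextClassRef classRef = new AuthnContextClassRefBuilder()
                .buildObject(SAML2_ASSERTION_NS, "AuthnContextClassRef", "saml2");
        String configuredClassRef = this.properties.get(PROP_AUTHN_CONTEXT_CLASS_REF);
        if (StringUtils.isNotEmpty(configuredClassRef)) {
            classRef.setAuthnContextClassRef(
                    (String) IdentityApplicationManagementUtil.getSAMLAuthnContextClasses().get(configuredClassRef));
        } else {
            classRef.setAuthnContextClassRef(DEFAULT_AUTHN_CONTEXT_CLASS_REF);
        }
        AuthnContextComparisonTypeEnumeration comparison =
                resolveComparison(this.properties.get(PROP_AUTHN_CONTEXT_COMPARISON_LEVEL));
        if (comparison != null) {
            requestedAuthnContext.setComparison(comparison);
        }
        requestedAuthnContext.getAuthnContextClassRefs().add(classRef);
        return requestedAuthnContext;
    }

    /**
     * Maps the configured comparison level to the enumeration: blank means EXACT, a recognised name
     * (case-insensitive) maps to itself, anything else returns {@code null} and leaves the comparison unset.
     */
    private static AuthnContextComparisonTypeEnumeration resolveComparison(String configured) {
        if (StringUtils.isEmpty(configured)) {
            return AuthnContextComparisonTypeEnumeration.EXACT;
        }
        AuthnContextComparisonTypeEnumeration[] known = {
                AuthnContextComparisonTypeEnumeration.EXACT,
                AuthnContextComparisonTypeEnumeration.MINIMUM,
                AuthnContextComparisonTypeEnumeration.MAXIMUM,
                AuthnContextComparisonTypeEnumeration.BETTER
        };
        for (AuthnContextComparisonTypeEnumeration candidate : known) {
            if (candidate.toString().equalsIgnoreCase(configured)) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * ForceAuthentication property: {@code yes} always forces, {@code as_request} follows the SP's request,
     * anything else never forces.
     */
    private boolean isForceAuthenticate(AuthenticationContext context) {
        String mode = this.properties.get(PROP_FORCE_AUTHENTICATION);
        if (VALUE_YES.equalsIgnoreCase(mode)) {
            return true;
        }
        return VALUE_AS_REQUEST.equalsIgnoreCase(mode) && context.isForceAuthenticate();
    }

    /**
     * Encodes a request for the HTTP-Redirect binding: marshal, raw DEFLATE, base64 (no line breaks), URL-encode.
     *
     * @param samlRequest the request to encode
     * @return URL-encoded value for the SAMLRequest query parameter
     * @throws SAMLSSOException on marshalling or I/O failure
     */
    private String encodeRequestMessage(RequestAbstractType samlRequest) throws SAMLSSOException {
        try {
            Element element = Configuration.getMarshallerFactory().getMarshaller(samlRequest).marshall(samlRequest);
            StringWriter xml = new StringWriter();
            XMLHelper.writeNode(element, xml);
            if (log.isDebugEnabled()) {
                log.debug("SAML Request  :  " + xml);
            }
            ByteArrayOutputStream deflated = new ByteArrayOutputStream();
            // nowrap=true produces raw DEFLATE as the Redirect binding requires; end() frees native zlib state.
            Deflater deflater = new Deflater(Deflater.DEFLATED, true);
            try (DeflaterOutputStream out = new DeflaterOutputStream(deflated, deflater)) {
                out.write(xml.toString().getBytes(StandardCharsets.UTF_8));
            } finally {
                deflater.end();
            }
            String base64 = Base64.encodeBytes(deflated.toByteArray(), Base64.DONT_BREAK_LINES);
            return URLEncoder.encode(base64, "UTF-8").trim();
        } catch (IOException e) {
            throw new SAMLSSOException("Error occurred while encoding SAML request", e);
        } catch (MarshallingException e) {
            throw new SAMLSSOException("Error occurred while encoding SAML request", e);
        }
    }

    /**
     * Parses untrusted SAML XML with a hardened DOM parser and unmarshalls it with OpenSAML.
     * <p>
     * Hardening: namespace-aware, no entity reference expansion, JAXP secure processing, DOCTYPE rejected,
     * Xerces entity-expansion limit of zero, and the Carbon entity resolver for anything that slips through.
     *
     * @param xml the decoded SAML message
     * @throws SAMLSSOException if parsing fails, no unmarshaller exists for the root element, or unmarshalling fails
     */
    private XMLObject unmarshall(String xml) throws SAMLSSOException {
        try {
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            factory.setNamespaceAware(true);
            factory.setExpandEntityReferences(false);
            factory.setFeature(SECURE_PROCESSING_FEATURE, true);
            factory.setFeature(DISALLOW_DOCTYPE_FEATURE, true);
            SecurityManager securityManager = new SecurityManager();
            securityManager.setEntityExpansionLimit(ENTITY_EXPANSION_LIMIT);
            factory.setAttribute(SECURITY_MANAGER_PROPERTY, securityManager);
            DocumentBuilder builder = factory.newDocumentBuilder();
            builder.setEntityResolver(new CarbonEntityResolver());
            Element root = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                    .getDocumentElement();
            if (Configuration.getUnmarshallerFactory().getUnmarshaller(root) == null) {
                // An unknown root element is attacker-controllable input; reject it rather than NPE.
                throw new SAMLSSOException("No unmarshaller registered for SAML element " + root.getLocalName());
            }
            return Configuration.getUnmarshallerFactory().getUnmarshaller(root).unmarshall(root);
        } catch (UnmarshallingException e) {
            throw new SAMLSSOException("Error in unmarshalling SAML Request from the encoded String", e);
        } catch (IOException | ParserConfigurationException | SAXException e) {
            throw new SAMLSSOException("Error in unmarshalling SAML Request from the encoded String", e);
        }
    }

    /**
     * Flattens the assertion's AttributeStatements into a claim map keyed by attribute name.
     * Only the first value of each attribute is used (as before); attributes with no value are skipped rather
     * than aborting the login with an IndexOutOfBoundsException.
     *
     * @param assertion validated assertion, may be {@code null}
     * @return mutable map, empty when there are no attributes
     */
    private Map<ClaimMapping, String> getAssertionStatements(Assertion assertion) {
        Map<ClaimMapping, String> claims = new HashMap<ClaimMapping, String>();
        if (assertion == null || assertion.getAttributeStatements() == null) {
            return claims;
        }
        for (AttributeStatement statement : assertion.getAttributeStatements()) {
            for (Attribute attribute : statement.getAttributes()) {
                List<XMLObject> values = attribute.getAttributeValues();
                if (CollectionUtils.isEmpty(values) || values.get(0).getDOM() == null) {
                    continue;
                }
                claims.put(ClaimMapping.build(attribute.getName(), attribute.getName(), (String) null, false),
                        values.get(0).getDOM().getTextContent());
            }
        }
        return claims;
    }

    /**
     * Requires every AudienceRestriction of the assertion to name this SP's entity id.
     * <p>
     * The expected audience is resolved the same way the Issuer of outbound requests is (SPEntityId property,
     * defaulting to {@value #DEFAULT_SP_ENTITY_ID}); the previous code dereferenced the raw property and threw
     * NullPointerException when it was unset.
     *
     * @param assertion assertion to check, may be {@code null} (then nothing is checked)
     * @throws SAMLSSOException if Conditions, AudienceRestrictions or Audiences are missing, or no audience matches
     */
    private void validateAudienceRestriction(Assertion assertion) throws SAMLSSOException {
        if (assertion == null) {
            return;
        }
        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            throw new SAMLSSOException("SAML Response doesn't contain Conditions");
        }
        List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions();
        if (CollectionUtils.isEmpty(audienceRestrictions)) {
            throw new SAMLSSOException("SAML Response doesn't contain AudienceRestrictions");
        }
        String expectedAudience = spEntityId();
        for (AudienceRestriction audienceRestriction : audienceRestrictions) {
            List<Audience> audiences = audienceRestriction.getAudiences();
            if (CollectionUtils.isEmpty(audiences)) {
                throw new SAMLSSOException("SAML Response's AudienceRestriction doesn't contain Audiences");
            }
            if (!containsAudience(audiences, expectedAudience)) {
                throw new SAMLSSOException("SAML Assertion Audience Restriction validation failed");
            }
        }
    }

    /** {@code true} when one of the audiences has exactly {@code expected} as its URI. */
    private static boolean containsAudience(List<Audience> audiences, String expected) {
        for (Audience audience : audiences) {
            if (expected.equals(audience.getAudienceURI())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Verifies the Response and/or Assertion XML signatures with the IdP certificate, as enabled by the
     * response-signing and assertion-signing properties. With both disabled nothing is verified.
     * <p>
     * NOTE(review): {@link SignatureValidator} only checks the cryptographic value. It does not confirm that the
     * Signature is an enveloped signature whose Reference covers this very element (OpenSAML's
     * SAMLSignatureProfileValidator does). Confirm that check happens elsewhere, or add it before validation.
     *
     * @throws SAMLSSOException if a required signature or the IdP certificate is missing, or validation fails
     */
    private void validateSignature(Response response, Assertion assertion) throws SAMLSSOException {
        if (SSOUtils.isAuthnResponseSigned(this.properties)) {
            if (StringUtils.isEmpty(this.identityProvider.getCertificate())) {
                throw new SAMLSSOException("SAMLResponse signing is enabled, but IdP doesn't have a certificate");
            }
            if (response.getSignature() == null) {
                throw new SAMLSSOException(
                        "SAMLResponse signing is enabled, but signature element not found in SAML Response element.");
            }
            try {
                new SignatureValidator(idpCredential()).validate(response.getSignature());
            } catch (ValidationException e) {
                throw new SAMLSSOException("Signature validation failed for SAML Response", e);
            }
        }
        if (SSOUtils.isAssertionSigningEnabled(this.properties)) {
            if (StringUtils.isEmpty(this.identityProvider.getCertificate())) {
                throw new SAMLSSOException("SAMLAssertion signing is enabled, but IdP doesn't have a certificate");
            }
            if (assertion.getSignature() == null) {
                throw new SAMLSSOException(
                        "SAMLAssertion signing is enabled, but signature element not found in SAML Assertion element.");
            }
            try {
                new SignatureValidator(idpCredential()).validate(assertion.getSignature());
            } catch (ValidationException e) {
                throw new SAMLSSOException("Signature validation failed for SAML Assertion", e);
            }
        }
    }

    /**
     * Decrypts an EncryptedAssertion in two steps: unwrap the content-encryption key with this tenant's private
     * key, then decrypt the assertion with that key.
     *
     * @param encryptedAssertion assertion carrying EncryptedData with an inline EncryptedKey
     * @return the decrypted assertion rooted in a new document
     * @throws Exception on any decryption failure (the caller wraps it in SAMLSSOException)
     */
    private Assertion getDecryptedAssertion(EncryptedAssertion encryptedAssertion) throws Exception {
        if (encryptedAssertion.getEncryptedData() == null
                || encryptedAssertion.getEncryptedData().getKeyInfo() == null
                || CollectionUtils.isEmpty(encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys())) {
            throw new SAMLSSOException("EncryptedAssertion does not carry an EncryptedKey");
        }
        StaticKeyInfoCredentialResolver privateKeyResolver =
                new StaticKeyInfoCredentialResolver(new X509CredentialImpl(this.tenantDomain, null));
        Decrypter keyDecrypter = new Decrypter((KeyInfoCredentialResolver) null, privateKeyResolver,
                (EncryptedKeyResolver) null);

        EncryptedKey encryptedKey = encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys().get(0);
        String contentAlgorithm = encryptedAssertion.getEncryptedData().getEncryptionMethod().getAlgorithm();
        SecretKey contentKey = (SecretKey) keyDecrypter.decryptKey(encryptedKey, contentAlgorithm);

        Decrypter assertionDecrypter = new Decrypter(
                new StaticKeyInfoCredentialResolver(SecurityHelper.getSimpleCredential(contentKey)),
                (KeyInfoCredentialResolver) null, (EncryptedKeyResolver) null);
        assertionDecrypter.setRootInNewDocument(true);
        return assertionDecrypter.decrypt(encryptedAssertion);
    }

    // ---------------------------------------------------------------------------------------------------------
    // Helpers
    // ---------------------------------------------------------------------------------------------------------

    /**
     * When the SP's AuthnRequest arrived in the context's query string rather than as a request parameter, copy
     * it onto the request as an attribute so {@link #getSAMLExtensions(HttpServletRequest)} can find it.
     * The value is split at the first {@code =} only, so a value that itself contains {@code =} (base64 padding)
     * is no longer silently dropped.
     */
    private static void propagateInboundAuthnRequest(HttpServletRequest request, AuthenticationContext context) {
        if (request.getParameter(SSOConstants.HTTP_POST_PARAM_SAML2_AUTH_REQ) != null) {
            return;
        }
        String queryParams = context.getQueryParams();
        if (queryParams == null) {
            return;
        }
        for (String pair : queryParams.split("&")) {
            String[] keyValue = pair.split("=", 2);
            if (keyValue.length == 2 && SSOConstants.HTTP_POST_PARAM_SAML2_AUTH_REQ.equals(keyValue[0])) {
                request.setAttribute(SSOConstants.HTTP_POST_PARAM_SAML2_AUTH_REQ, keyValue[1]);
                return;
            }
        }
    }

    /** Builds a LogoutRequest from the logout attributes stored in the session by {@link #processSSOResponse}. */
    private LogoutRequest buildLogoutRequestFromSession(HttpServletRequest request, String destination)
            throws SAMLSSOException {
        return buildLogoutRequest(
                sessionAttribute(request, SSOConstants.LOGOUT_USERNAME),
                sessionAttribute(request, SSOConstants.LOGOUT_SESSION_INDEX),
                destination,
                sessionAttribute(request, SSOConstants.NAME_QUALIFIER),
                sessionAttribute(request, SSOConstants.SP_NAME_QUALIFIER));
    }

    private static String sessionAttribute(HttpServletRequest request, String name) {
        return (String) request.getSession().getAttribute(name);
    }

    /**
     * Base64-decodes the named HTTP parameter and unmarshalls it.
     *
     * @throws SAMLSSOException if the parameter is absent or is not valid base64
     */
    private XMLObject decodeAndUnmarshall(HttpServletRequest request, String parameterName) throws SAMLSSOException {
        String encoded = request.getParameter(parameterName);
        if (encoded == null) {
            throw new SAMLSSOException("Request does not contain the " + parameterName + " parameter");
        }
        byte[] decoded = Base64.decode(encoded);
        if (decoded == null) {
            throw new SAMLSSOException("The " + parameterName + " parameter is not valid base64");
        }
        return unmarshall(new String(decoded, StandardCharsets.UTF_8));
    }

    /**
     * Picks the first assertion of the response. With assertion encryption enabled only EncryptedAssertions are
     * considered (plaintext ones are deliberately ignored); otherwise only plaintext ones are.
     *
     * @return the assertion, or {@code null} when the response has none of the expected kind
     * @throws SAMLSSOException if decryption fails
     */
    private Assertion extractAssertion(Response response) throws SAMLSSOException {
        if (SSOUtils.isAssertionEncryptionEnabled(this.properties)) {
            List<EncryptedAssertion> encryptedAssertions = response.getEncryptedAssertions();
            if (CollectionUtils.isEmpty(encryptedAssertions)) {
                return null;
            }
            try {
                return getDecryptedAssertion(encryptedAssertions.get(0));
            } catch (Exception e) {
                throw new SAMLSSOException("Unable to decrypt the SAML Assertion", e);
            }
        }
        List<Assertion> assertions = response.getAssertions();
        return CollectionUtils.isEmpty(assertions) ? null : assertions.get(0);
    }

    /** {@code true} for a Responder-error status whose nested code is NoPassive, i.e. a passive login that failed. */
    private static boolean isNoPassiveResponse(Response response) {
        if (response.getStatus() == null || response.getStatus().getStatusCode() == null
                || response.getStatus().getStatusCode().getStatusCode() == null) {
            return false;
        }
        return SSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR.equals(
                        response.getStatus().getStatusCode().getValue())
                && SSOConstants.StatusCodes.NO_PASSIVE.equals(
                        response.getStatus().getStatusCode().getStatusCode().getValue());
    }

    /**
     * Returns the SessionIndex of the first AuthnStatement.
     *
     * @throws SAMLSSOException if the assertion has no AuthnStatement or it carries no SessionIndex
     */
    private static String requireSessionIndex(Assertion assertion) throws SAMLSSOException {
        List<AuthnStatement> authnStatements = assertion.getAuthnStatements();
        String sessionIndex = CollectionUtils.isEmpty(authnStatements) ? null : authnStatements.get(0).getSessionIndex();
        if (sessionIndex == null) {
            throw new SAMLSSOException("Single Logout is enabled but IdP Session ID not found in SAML Assertion");
        }
        return sessionIndex;
    }

    /** The SP entity id used as Issuer and expected Audience: SPEntityId property or {@value #DEFAULT_SP_ENTITY_ID}. */
    private String spEntityId() {
        String spEntityId = this.properties.get(PROP_SP_ENTITY_ID);
        return StringUtils.isEmpty(spEntityId) ? DEFAULT_SP_ENTITY_ID : spEntityId;
    }

    /** Signature algorithm URI for the configured (or default) algorithm name. */
    private String resolveSignatureAlgorithmUri() {
        String algorithm = this.properties.get(PROP_SIGNATURE_ALGORITHM);
        if (StringUtils.isEmpty(algorithm)) {
            algorithm = DEFAULT_SIGNATURE_ALGORITHM;
        }
        return (String) IdentityApplicationManagementUtil.getXMLSignatureAlgorithms().get(algorithm);
    }

    /** Digest algorithm URI for the configured (or default) algorithm name. */
    private String resolveDigestAlgorithmUri() {
        String algorithm = this.properties.get(PROP_DIGEST_ALGORITHM);
        if (StringUtils.isEmpty(algorithm)) {
            algorithm = DEFAULT_DIGEST_ALGORITHM;
        }
        return (String) IdentityApplicationManagementUtil.getXMLDigestAlgorithms().get(algorithm);
    }

    /** "Absent or blank means enabled" rule shared by IncludeCert, IncludeProtocolBinding and IncludeNameIDPolicy. */
    private static boolean isEnabledByDefault(String flag) {
        return StringUtils.isEmpty(flag) || Boolean.parseBoolean(flag);
    }

    /** Reads the authenticator-level parameter that selects the super-tenant key for redirect-binding signatures. */
    private static boolean signUsingSuperTenant() {
        Map<?, ?> parameterMap = FileBasedConfigurationBuilder.getInstance()
                .getAuthenticatorBean(SSOConstants.AUTHENTICATOR_NAME).getParameterMap();
        return parameterMap != null && !parameterMap.isEmpty()
                && Boolean.parseBoolean((String) parameterMap.get(SIGN_AUTH2_SAML_USING_SUPER_TENANT));
    }

    /** Credential holding the IdP certificate configured for this tenant, used to verify inbound signatures. */
    private X509CredentialImpl idpCredential() throws SAMLSSOException {
        return new X509CredentialImpl(this.tenantDomain, this.identityProvider.getCertificate());
    }
}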
