package org.wso2.carbon.identity.entitlement.pep.agent.wsxacml;

import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMNamespace;
import org.apache.axiom.om.util.AXIOMUtil;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.transport.http.HttpTransportProperties;
import org.apache.axis2.util.XMLUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.utils.Base64;
import org.joda.time.DateTime;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.Response;
import org.opensaml.xacml.ctx.RequestType;
import org.opensaml.xacml.profile.saml.XACMLAuthzDecisionQueryType;
import org.opensaml.xacml.profile.saml.XACMLAuthzDecisionStatementType;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.XMLObjectBuilder;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.signature.X509Certificate;
import org.opensaml.xml.signature.X509Data;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Element;
import org.w3c.dom.bootstrap.DOMImplementationRegistry;
import org.w3c.dom.ls.DOMImplementationLS;
import org.w3c.dom.ls.LSOutput;
import org.w3c.dom.ls.LSSerializer;
import org.wso2.carbon.base.ServerConfiguration;
import org.wso2.carbon.identity.entitlement.pep.agent.AbstractEntitlementServiceClient;
import org.wso2.carbon.identity.entitlement.pep.agent.Attribute;
import org.wso2.carbon.identity.entitlement.pep.agent.XACMLRequetBuilder;
import org.wso2.carbon.identity.entitlement.pep.agent.exception.EntitlementAgentException;

/* loaded from: input_file:org/wso2/carbon/identity/entitlement/pep/agent/wsxacml/WSXACMLEntitlementServiceClient.class */
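/**
 * Entitlement client that obtains XACML decisions from a PDP over the WS-XACML
 * (SAML 2.0 profile of XACML) SOAP binding.
 *
 * <p>{@link #getDecision(Attribute[], String)} wraps the XACML request in an
 * {@code XACMLAuthzDecisionQuery}, signs it with the key configured under
 * {@code Security.KeyStore.*} in the Carbon server configuration, posts it to
 * {@code <serverUrl>ws-xacml} using preemptive HTTP authentication, and returns
 * the XACML response embedded in the signed SAML {@code Response} the PDP sends
 * back. The PDP's response and assertion issuer must match the values this
 * agent itself sends, and the response signature is verified against the
 * agent's own configured certificate (i.e. the PDP is expected to sign with
 * that same certificate).
 *
 * <p>Only {@code getDecision} is implemented; the remaining
 * {@link AbstractEntitlementServiceClient} operations are stubs.
 */
public class WSXACMLEntitlementServiceClient extends AbstractEntitlementServiceClient {

    /** Issuer value placed in outgoing queries and required on the PDP's response and assertion. */
    private static final String ISSUER_VALUE = "https://identity.carbon.wso2.org";
    /** SP-provided issuer id placed in outgoing queries and required on the PDP's response and assertion. */
    private static final String ISSUER_SP_PROVIDED_ID = "SPPProvierId";
    /** Relative path of the WS-XACML endpoint, appended verbatim to {@code serverUrl}. */
    private static final String WS_XACML_ENDPOINT = "ws-xacml";
    /** SOAP action of the authorization decision query. */
    private static final String SOAP_ACTION = "XACMLAuthzDecisionQuery";
    /** Axis2 option key under which the HTTP authenticator is registered. */
    private static final String AUTHENTICATION_PROPERTY = "_NTLM_DIGEST_BASIC_AUTHENTICATION_";
    /**
     * XML signature algorithm used for outgoing queries. RSA with SHA-1, as the
     * PDP side expects; SHA-1 is deprecated for new signatures, so moving to an
     * RSA/SHA-256 URI requires the PDP to accept it too.
     */
    private static final String SIGNATURE_ALGORITHM = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    /** Canonicalization algorithm used for outgoing signatures. */
    private static final String CANONICALIZATION_ALGORITHM = "http://www.w3.org/2001/10/xml-exc-c14n#";
    /** XML declaration stripped from the marshalled query before it is embedded in a SOAP body. */
    private static final String XML_DECLARATION = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>";
    /** Charset used for all String/byte conversions of XML handled by this client. */
    private static final String XML_CHARSET = "UTF-8";

    private final String serverUrl;
    private static boolean isBootStrapped = false;
    private static final OMNamespace xacmlContextNS = OMAbstractFactory.getOMFactory()
            .createOMNamespace("urn:oasis:names:tc:xacml:2.0:context:schema:os", "xacml-context");
    private static final Log log = LogFactory.getLog(WSXACMLEntitlementServiceClient.class);
    HttpTransportProperties.Authenticator authenticator = new HttpTransportProperties.Authenticator();

    /**
     * Creates a client for the given PDP.
     *
     * @param str  base URL of the PDP; {@code ws-xacml} is appended to it as-is, so it
     *             is expected to end with a slash. Preemptive authentication sends the
     *             credentials with the very first request, so this should be an HTTPS URL.
     * @param str2 user name for HTTP authentication
     * @param str3 password for HTTP authentication
     */
    public WSXACMLEntitlementServiceClient(String str, String str2, String str3) {
        this.serverUrl = str;
        this.authenticator.setUsername(str2);
        this.authenticator.setPassword(str3);
        this.authenticator.setPreemptiveAuthentication(true);
    }

    /**
     * Obtains a XACML decision for the given attributes from the PDP.
     *
     * @param attributeArr attributes from which the XACML 3 request is built
     * @param str          not used by this implementation
     * @return the XACML response element as a string (with the {@code xacml-context:}
     *         prefix stripped), or {@code null} when the PDP's SAML response was
     *         rejected because its issuer or signature did not validate
     * @throws Exception wrapping any failure while building, sending or parsing the query
     */
    @Override
    public String getDecision(Attribute[] attributeArr, String str) throws Exception {
        try {
            String query = buildSAMLXACMLAuthzDecisionQuery(XACMLRequetBuilder.buildXACML3Request(attributeArr));
            ServiceClient serviceClient = new ServiceClient();
            try {
                Options options = new Options();
                options.setTo(new EndpointReference(this.serverUrl + WS_XACML_ENDPOINT));
                options.setAction(SOAP_ACTION);
                options.setProperty(AUTHENTICATION_PROPERTY, this.authenticator);
                options.setManageSession(true);
                serviceClient.setOptions(options);
                OMElement soapBody = serviceClient.sendReceive(AXIOMUtil.stringToOM(query));
                return extractXACMLResponse(soapBody.toString());
            } finally {
                // Release the transport on every path; a failure here must not hide the real error.
                try {
                    serviceClient.cleanupTransport();
                } catch (Exception cleanupError) {
                    log.warn("Error occurred while cleaning up the WS-XACML transport.", cleanupError);
                }
            }
        } catch (Exception e) {
            log.error("Error occurred while getting decision using SAML.", e);
            throw new Exception("Error occurred while getting decision using SAML.", e);
        }
    }

    /** Not supported by this client; always returns {@code false}. */
    @Override
    public boolean subjectCanActOnResource(String str, String str2, String str3, String str4, String str5,
                                           String str6) throws Exception {
        return false;
    }

    /** Not supported by this client; always returns {@code false}. */
    @Override
    public boolean subjectCanActOnResource(String str, String str2, String str3, String str4,
                                           Attribute[] attributeArr, String str5, String str6) throws Exception {
        return false;
    }

    /** Not supported by this client; always returns {@code null}. */
    @Override
    public List<String> getResourcesForAlias(String str, String str2) throws Exception {
        return null;
    }

    /** Not supported by this client; always returns {@code null}. */
    @Override
    public List<String> getActionableResourcesForAlias(String str, String str2) throws Exception {
        return null;
    }

    /** Not supported by this client; always returns {@code null}. */
    @Override
    public List<String> getActionableChildResourcesForAlias(String str, String str2, String str3, String str4)
            throws Exception {
        return null;
    }

    /** Not supported by this client; always returns {@code null}. */
    @Override
    public List<String> getActionsForResource(String str, String str2, String str3) throws Exception {
        return null;
    }

    /**
     * Initialises the OpenSAML library once per JVM. Synchronized so that two
     * threads issuing their first query concurrently do not both bootstrap.
     * A bootstrap failure is logged and will be retried on the next call.
     */
    public static synchronized void doBootstrap() {
        if (isBootStrapped) {
            return;
        }
        try {
            DefaultBootstrap.bootstrap();
            isBootStrapped = true;
        } catch (ConfigurationException e) {
            log.error("Error in bootstrapping the OpenSAML2 library", e);
        }
    }

    /**
     * Validates the PDP's SAML {@code Response} and extracts the XACML response
     * from its first assertion.
     *
     * <p>The response issuer, the response signature and the first assertion's
     * issuer are checked, in that order; the assertion itself is not separately
     * signature-checked (it is relied on being covered by the response signature).
     *
     * @param str the serialized SAML response
     * @return the XACML response element as a string, or {@code null} if the
     *         response was rejected or carries no decision statement
     * @throws EntitlementAgentException if the response cannot be parsed or converted
     */
    private String extractXACMLResponse(String str) throws EntitlementAgentException {
        doBootstrap();
        Init.init();
        Response response;
        try {
            XMLObject parsed = unmarshall(str);
            if (!(parsed instanceof Response)) {
                throw new EntitlementAgentException("Unmarshalled SAML object is not a Response element.");
            }
            response = (Response) parsed;
        } catch (EntitlementAgentException e) {
            throw e;
        } catch (Exception e) {
            log.error("Error occurred while unmarshalling the SAML Response!", e);
            throw new EntitlementAgentException("Error occurred while unmarshalling the SAML Response!", e);
        }

        if (!validateIssuer(response.getIssuer())) {
            log.debug("The submitted issuer is not valid for the saml response.");
            return null;
        }
        if (!validateSignature(response.getSignature())) {
            log.debug("The submitted signature is not valid for the saml response.");
            return null;
        }
        List<Assertion> assertions = response.getAssertions();
        if (assertions == null || assertions.isEmpty()) {
            log.debug("The saml response does not contain an assertion.");
            return null;
        }
        Assertion assertion = assertions.get(0);
        if (!validateIssuer(assertion.getIssuer())) {
            log.debug("The submitted issuer is not valid for assertion.");
            return null;
        }
        List<?> statements = assertion.getStatements(XACMLAuthzDecisionStatementType.TYPE_NAME_XACML20);
        if (statements == null || statements.isEmpty()) {
            log.debug("The assertion does not contain a XACMLAuthzDecisionStatement.");
            return null;
        }
        XACMLAuthzDecisionStatementType decision = (XACMLAuthzDecisionStatementType) statements.get(0);
        try {
            // The PDP serializes with an explicit "xacml-context" prefix; consumers expect the
            // default-namespace form, hence the textual prefix removal.
            return XMLUtils.toOM(decision.getResponse().getDOM()).toString().replaceAll("xacml-context:", "");
        } catch (Exception e) {
            log.error("Error occurred while converting the SAML Response DOM to OMElement", e);
            throw new EntitlementAgentException("Error occurred while converting the SAML Response DOM to OMElement", e);
        }
    }

    /**
     * Checks that an issuer carries exactly the value and SP-provided id this agent
     * uses itself. Null-safe: a missing issuer or missing attribute is invalid.
     */
    private boolean validateIssuer(Issuer issuer) {
        if (issuer == null) {
            return false;
        }
        return ISSUER_VALUE.equals(issuer.getValue())
                && ISSUER_SP_PROVIDED_ID.equals(issuer.getSPProvidedID());
    }

    /**
     * Verifies an XML signature against the certificate of the configured key alias.
     *
     * <p>Only the cryptographic signature is checked here; the reference/transform
     * restrictions of the SAML signature profile are not enforced by this method.
     *
     * @param signature the signature to verify; an unsigned response ({@code null}) is rejected
     * @return {@code true} only when the signature verifies
     * @throws EntitlementAgentException if the verification credential cannot be loaded
     */
    private boolean validateSignature(Signature signature) throws EntitlementAgentException {
        if (signature == null) {
            log.warn("Signature validation failed: the saml response is not signed.");
            return false;
        }
        try {
            new SignatureValidator(getPublicX509CredentialImpl()).validate(signature);
            return true;
        } catch (ValidationException e) {
            log.warn("Signature validation failed.", e);
            return false;
        }
    }

    /** Wraps the configured certificate as the public credential used to verify PDP signatures. */
    private X509CredentialImpl getPublicX509CredentialImpl() throws EntitlementAgentException {
        return new X509CredentialImpl(createBasicCredentials().getEntityCertificate());
    }

    /**
     * Builds, signs and serializes the {@code XACMLAuthzDecisionQuery} carrying the
     * given XACML request.
     *
     * @param str the XACML request as a string
     * @return the signed query as a single-line string without an XML declaration
     * @throws EntitlementAgentException if the request cannot be parsed, or the query
     *                                   cannot be built, signed or serialized
     */
    private String buildSAMLXACMLAuthzDecisionQuery(String str) throws EntitlementAgentException {
        doBootstrap();
        RequestType request;
        try {
            XMLObject parsed = unmarshall(formatRequest(str));
            if (!(parsed instanceof RequestType)) {
                throw new EntitlementAgentException("Unmarshalled XACML object is not a Request element.");
            }
            request = (RequestType) parsed;
        } catch (EntitlementAgentException e) {
            throw e;
        } catch (Exception e) {
            log.error("Error occurred while unmarshalling the XACML Request!", e);
            throw new EntitlementAgentException("Error occurred while unmarshalling the XACML Request!", e);
        }

        XACMLAuthzDecisionQueryType signedQuery;
        try {
            XACMLAuthzDecisionQueryType query = (XACMLAuthzDecisionQueryType) Configuration.getBuilderFactory()
                    .getBuilder(XACMLAuthzDecisionQueryType.TYPE_NAME_XACML20)
                    .buildObject(XACMLAuthzDecisionQueryType.TYPE_NAME_XACML20);
            query.setRequest(request);
            query.setInputContextOnly(true);
            query.setReturnContext(false);
            query.setIssueInstant(new DateTime());
            query.setIssuer(createIssuer());
            signedQuery = setSignature(query, SIGNATURE_ALGORITHM, createBasicCredentials());
        } catch (EntitlementAgentException e) {
            throw e;
        } catch (Exception e) {
            log.error("Error while building SAMLXACMLAuthzDecisionQuery from the given xacml request.", e);
            throw new EntitlementAgentException(
                    "Error while building SAMLXACMLAuthzDecisionQuery from the given xacml request.", e);
        }

        try {
            // The query is embedded in a SOAP body, so the declaration and line breaks must go.
            return marshall(signedQuery).replace(XML_DECLARATION, "").replace("\n", "");
        } catch (EntitlementAgentException e) {
            throw e;
        } catch (Exception e) {
            log.error("Error occurred while marshalling XACMLAuthzDecisionQuery.", e);
            throw new EntitlementAgentException("Error occurred while marshalling XACMLAuthzDecisionQuery.", e);
        }
    }

    /**
     * Re-serializes the XACML request with every element placed in the XACML 2.0
     * context namespace, which is what the SAML XACML profile types expect.
     */
    private String formatRequest(String str) throws EntitlementAgentException {
        try {
            OMElement root = AXIOMUtil.stringToOM(str.replace("\n", ""));
            root.setNamespace(xacmlContextNS);
            setXACMLNamespace(root.getChildElements());
            return root.toString();
        } catch (Exception e) {
            log.error("Error occurred while formatting the XACML request.", e);
            throw new EntitlementAgentException("Error occurred while formatting the XACML request.", e);
        }
    }

    /** Recursively assigns the XACML context namespace to every element in the iterator. */
    private static void setXACMLNamespace(Iterator<?> it) {
        while (it.hasNext()) {
            OMElement element = (OMElement) it.next();
            element.setNamespace(xacmlContextNS);
            setXACMLNamespace(element.getChildElements());
        }
    }

    /**
     * Parses an XML string into an OpenSAML object.
     *
     * @param str serialized SAML or XACML XML; leading/trailing whitespace is ignored
     * @return the unmarshalled object
     * @throws EntitlementAgentException if parsing fails or no unmarshaller is registered
     *                                   for the document element
     */
    private XMLObject unmarshall(String str) throws EntitlementAgentException {
        try {
            doBootstrap();
            DocumentBuilderFactory factory = newHardenedDocumentBuilderFactory();
            byte[] xml = str.trim().getBytes(XML_CHARSET);
            Element root = factory.newDocumentBuilder().parse(new ByteArrayInputStream(xml)).getDocumentElement();
            org.opensaml.xml.io.Unmarshaller unmarshaller =
                    org.opensaml.Configuration.getUnmarshallerFactory().getUnmarshaller(root);
            if (unmarshaller == null) {
                throw new EntitlementAgentException("No unmarshaller registered for element " + root.getNodeName());
            }
            return unmarshaller.unmarshall(root);
        } catch (EntitlementAgentException e) {
            throw e;
        } catch (Exception e) {
            log.error("Error in constructing XML(SAML or XACML) Object from the encoded String", e);
            throw new EntitlementAgentException("Error in constructing XML(SAML or XACML) from the encoded String ", e);
        }
    }

    /**
     * Creates a namespace-aware parser factory with DTDs, external entities and
     * XInclude disabled. The PDP's response is parsed with it, so entity expansion
     * from that input must not be possible.
     */
    private static DocumentBuilderFactory newHardenedDocumentBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
    }

    /**
     * Serializes an OpenSAML object to an XML string (UTF-8).
     *
     * <p>Note: this forces the Xerces {@code DocumentBuilderFactory} via a JVM-wide
     * system property on every call, which affects all XML parsing in the process.
     */
    private String marshall(XMLObject xMLObject) throws EntitlementAgentException {
        try {
            doBootstrap();
            System.setProperty("javax.xml.parsers.DocumentBuilderFactory", "org.apache.xerces.jaxp.DocumentBuilderFactoryImpl");
            Element dom = Configuration.getMarshallerFactory().getMarshaller(xMLObject).marshall(xMLObject);
            DOMImplementationLS ls = (DOMImplementationLS) DOMImplementationRegistry.newInstance().getDOMImplementation("LS");
            LSSerializer serializer = ls.createLSSerializer();
            LSOutput output = ls.createLSOutput();
            ByteArrayOutputStream buffer = new ByteArrayOutputStream();
            // Pin the encoding so the emitted declaration matches what the caller strips.
            output.setEncoding(XML_CHARSET);
            output.setByteStream(buffer);
            serializer.write(dom, output);
            return buffer.toString(XML_CHARSET);
        } catch (Exception e) {
            log.error("Error Serializing the SAML Response", e);
            throw new EntitlementAgentException("Error Serializing the SAML Response", e);
        }
    }

    /**
     * Attaches an enveloped XML signature (with the signing certificate in
     * {@code KeyInfo}) to the query and signs it.
     *
     * @param xACMLAuthzDecisionQueryType the query to sign; modified in place
     * @param str                         signature algorithm URI
     * @param x509Credential              signing key and certificate
     * @return the same query instance, now signed
     * @throws EntitlementAgentException if the certificate cannot be encoded or signing fails
     */
    private XACMLAuthzDecisionQueryType setSignature(XACMLAuthzDecisionQueryType xACMLAuthzDecisionQueryType,
                                                     String str, X509Credential x509Credential)
            throws EntitlementAgentException {
        doBootstrap();
        try {
            Signature signature = (Signature) buildXMLObject(Signature.DEFAULT_ELEMENT_NAME);
            signature.setSigningCredential(x509Credential);
            signature.setSignatureAlgorithm(str);
            signature.setCanonicalizationAlgorithm(CANONICALIZATION_ALGORITHM);

            X509Certificate certificate = (X509Certificate) buildXMLObject(X509Certificate.DEFAULT_ELEMENT_NAME);
            try {
                certificate.setValue(Base64.encode(x509Credential.getEntityCertificate().getEncoded()));
            } catch (CertificateEncodingException e) {
                throw new EntitlementAgentException("Error getting the certificate.", e);
            }
            X509Data x509Data = (X509Data) buildXMLObject(X509Data.DEFAULT_ELEMENT_NAME);
            x509Data.getX509Certificates().add(certificate);
            KeyInfo keyInfo = (KeyInfo) buildXMLObject(KeyInfo.DEFAULT_ELEMENT_NAME);
            keyInfo.getX509Datas().add(x509Data);
            signature.setKeyInfo(keyInfo);

            xACMLAuthzDecisionQueryType.setSignature(signature);
            // The object must have a DOM before Signer can compute the digest over it.
            Configuration.getMarshallerFactory().getMarshaller(xACMLAuthzDecisionQueryType).marshall(xACMLAuthzDecisionQueryType);
            Init.init();
            List<Signature> signatures = new ArrayList<Signature>();
            signatures.add(signature);
            Signer.signObjects(signatures);
            return xACMLAuthzDecisionQueryType;
        } catch (EntitlementAgentException e) {
            throw e;
        } catch (Exception e) {
            throw new EntitlementAgentException("Error When signing the assertion.", e);
        }
    }

    /**
     * Loads the signing key and certificate of {@code Security.KeyStore.KeyAlias}
     * from the keystore configured in the Carbon server configuration.
     *
     * @return a credential holding both the private key and the X.509 certificate
     * @throws EntitlementAgentException if either the key or the certificate could not be loaded
     */
    private BasicX509Credential createBasicCredentials() throws EntitlementAgentException {
        ServerConfiguration serverConfiguration = ServerConfiguration.getInstance();
        String keyStorePassword = serverConfiguration.getFirstProperty("Security.KeyStore.Password");
        String keyStoreLocation = serverConfiguration.getFirstProperty("Security.KeyStore.Location");
        String keyAlias = serverConfiguration.getFirstProperty("Security.KeyStore.KeyAlias");
        String keyStoreType = serverConfiguration.getFirstProperty("Security.KeyStore.Type");
        String keyPassword = serverConfiguration.getFirstProperty("Security.KeyStore.KeyPassword");

        PrivateKey privateKey = null;
        java.security.cert.Certificate certificate = null;
        try {
            BufferedInputStream in = new BufferedInputStream(new FileInputStream(keyStoreLocation));
            KeyStore keyStore;
            try {
                keyStore = KeyStore.getInstance(keyStoreType);
                keyStore.load(in, toChars(keyStorePassword));
            } finally {
                // Close on failure too; the original only closed after a successful load.
                in.close();
            }
            privateKey = (PrivateKey) keyStore.getKey(keyAlias, toChars(keyPassword));
            certificate = keyStore.getCertificate(keyAlias);
        } catch (FileNotFoundException e) {
            log.error("Error in reading the keystore file from given the location.", e);
        } catch (IOException e2) {
            log.error("Error in reading keystore file.", e2);
        } catch (KeyStoreException e3) {
            log.error("Error in getting a keystore.", e3);
        } catch (NoSuchAlgorithmException e4) {
            log.error("Error in loading the keystore.", e4);
        } catch (UnrecoverableKeyException e5) {
            log.error("Error in getting the private key.", e5);
        } catch (CertificateException e6) {
            log.error("Error in creating a X.509 certificate.", e6);
        }

        // Fail here with a clear message instead of a NullPointerException during signing.
        if (privateKey == null || !(certificate instanceof java.security.cert.X509Certificate)) {
            throw new EntitlementAgentException(
                    "Unable to load the private key and X.509 certificate for alias " + keyAlias
                            + " from the configured keystore.");
        }
        BasicX509Credential credential = new BasicX509Credential();
        credential.setEntityCertificate((java.security.cert.X509Certificate) certificate);
        credential.setPrivateKey(privateKey);
        return credential;
    }

    /** Null-safe conversion of a configured password to the char[] form the keystore API takes. */
    private static char[] toChars(String password) {
        return password == null ? null : password.toCharArray();
    }

    /**
     * Builds an empty OpenSAML object for the given element name.
     *
     * @throws EntitlementAgentException if no builder is registered for the name
     */
    private XMLObject buildXMLObject(QName qName) throws EntitlementAgentException {
        XMLObjectBuilder<?> builder = Configuration.getBuilderFactory().getBuilder(qName);
        if (builder == null) {
            throw new EntitlementAgentException("Unable to retrieve builder for object QName " + qName);
        }
        return builder.buildObject(qName.getNamespaceURI(), qName.getLocalPart(), qName.getPrefix());
    }

    /** Creates the issuer element sent with every query (same values {@link #validateIssuer} requires). */
    private Issuer createIssuer() throws EntitlementAgentException {
        Issuer issuer = (Issuer) buildXMLObject(Issuer.DEFAULT_ELEMENT_NAME);
        issuer.setValue(ISSUER_VALUE);
        issuer.setSPProvidedID(ISSUER_SP_PROVIDED_ID);
        return issuer;
    }
}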
