package org.apache.rahas.impl;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import javax.xml.XMLConstants;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.soap.SOAPEnvelope;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.description.Parameter;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.rahas.RahasConstants;
import org.apache.rahas.RahasData;
import org.apache.rahas.Token;
import org.apache.rahas.TokenStorage;
import org.apache.rahas.TokenValidator;
import org.apache.rahas.TrustException;
import org.apache.rahas.TrustUtil;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.saml.SAML2Util;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLException;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.io.UnmarshallingException;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;

/* loaded from: input_file:org/apache/rahas/impl/SAMLTokenValidator.class */
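/**
 * WS-Trust {@code Validate} binding for SAML tokens that this STS previously issued.
 *
 * <p>The token to check is looked up in the token store by the id carried in the request, its
 * signature is verified (SAML 2.0 via {@link SAML2Util}, SAML 1.x via the OpenSAML 1 API against the
 * configured issuer key), and a WS-Trust status response with code {@code Valid} or {@code Invalid}
 * is returned. Configuration is read from whichever of the three setter-provided sources is set,
 * in the order element, file, parameter name.
 *
 * <p>Not thread-safe with respect to the configuration setters; they are expected to be called once
 * during deployment before {@link #validate(RahasData)} is used.
 */
public class SAMLTokenValidator implements TokenValidator {
    private static final Log log = LogFactory.getLog(SAMLTokenValidator.class);

    /** Xerces feature that rejects any DOCTYPE declaration; the most complete single defence against XXE. */
    private static final String DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";

    /** Namespace of SAML 2.0 assertions; a token in any other namespace takes the SAML 1.x path. */
    private static final String SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Configuration sources, populated by the TokenValidator setters below. getConfig() consults
    // them in the order configElement, configFile, configParamName and uses the first that yields a config.
    private String configFile;
    private OMElement configElement;
    private String configParamName;

    /**
     * Builds the WS-Trust status response for the token named by {@code rahasData.getTokenId()}.
     *
     * @param rahasData request data; supplies the inbound message context, the WS-Trust version and the token id
     * @return a SOAP envelope whose body holds an RSTR (wrapped in an RSTRC for versions other than 1)
     *         with a {@code TokenType} of {@code Status} and a status code of {@code Valid} or {@code Invalid}
     * @throws TrustException if no configuration can be resolved, the token store is disabled, or the
     *         response elements cannot be created
     */
    @Override
    public SOAPEnvelope validate(RahasData rahasData) throws TrustException {
        MessageContext inMsgCtx = rahasData.getInMessageContext();
        TokenStorage tokenStore = TrustUtil.getTokenStore(inMsgCtx);
        SOAPEnvelope envelope = TrustUtil.createSOAPEnvelope(
                inMsgCtx.getEnvelope().getNamespace().getNamespaceURI());
        int version = rahasData.getVersion();

        // WS-Trust version 1 places the RSTR directly in the body; other versions wrap it in an RSTRC.
        OMElement rstr;
        if (version == 1) {
            rstr = TrustUtil.createRequestSecurityTokenResponseElement(version, envelope.getBody());
        } else {
            OMElement rstrc = TrustUtil.createRequestSecurityTokenResponseCollectionElement(version, envelope.getBody());
            rstr = TrustUtil.createRequestSecurityTokenResponseElement(version, rstrc);
        }
        TrustUtil.createTokenTypeElement(version, rstr)
                .setText(TrustUtil.getWSTNamespace(version) + RahasConstants.TOK_TYPE_STATUS);
        OMElement statusElement = createMessageElement(version, rstr, RahasConstants.LocalNames.STATUS);

        // An unknown token id yields null here; isValid() turns that into an Invalid status rather than a fault.
        Token token = tokenStore.getToken(rahasData.getTokenId());
        SAMLTokenIssuerConfig config = getConfig(inMsgCtx);
        Crypto crypto = getCrypto(inMsgCtx, config);

        OMElement codeElement = createMessageElement(version, statusElement, RahasConstants.LocalNames.CODE);
        boolean valid = isValid(token, getIssuerPublicKey(config, crypto), crypto);
        String code = valid ? RahasConstants.STATUS_CODE_VALID : RahasConstants.STATUS_CODE_INVALID;
        codeElement.setText(TrustUtil.getWSTNamespace(version) + code);
        return envelope;
    }

    /**
     * Checks the signature of a stored token.
     *
     * <p>SAML 2.0 assertions are re-parsed with a hardened XML parser and, when signed, verified with
     * {@link SAML2Util#validateSignature}; SAML 1.x assertions are verified against the issuer public key.
     * This method itself checks only the signature; whether the helpers it calls also evaluate the
     * assertion's {@code Conditions} (validity period, audience) is not visible here.
     *
     * @param token     stored token, or {@code null} when the requested id is unknown
     * @param issuerKey issuer public key for the SAML 1.x path; may be {@code null} if it could not be loaded
     * @param crypto    keystore used to verify SAML 2.0 signatures
     * @return {@code true} if the token is present and its signature verifies (or, for SAML 2.0, is absent);
     *         {@code false} on any failure, which is logged
     */
    private boolean isValid(Token token, PublicKey issuerKey, Crypto crypto) {
        if (token == null || token.getToken() == null) {
            // A missing token must surface as status Invalid, not as a NullPointerException fault.
            log.error("Token not found in token store; reporting status Invalid");
            return false;
        }
        Element assertionElement = token.getToken();

        // NOTE(review): getQName() and an XML-serialising toString() are not plain DOM behaviour; this
        // relies on the stored token being an Axiom DOOM element — confirm against Token.getToken().
        if (SAML2_ASSERTION_NS.equals(assertionElement.getQName().getNamespaceURI())) {
            try {
                Assertion assertion = buildAssertion(assertionElement.toString());
                if (assertion.getSignature() == null) {
                    // NOTE(review): an unsigned SAML 2.0 assertion is accepted; the only assurance behind
                    // "Valid" in that case is that the token was found in this STS's own token store.
                    log.warn("SAML 2.0 assertion carries no signature; accepting on token-store membership alone");
                    return true;
                }
                SAML2Util.validateSignature(assertion, crypto);
                return true;
            } catch (WSSecurityException e) {
                log.error("Could not verify signature", e);
                return false;
            }
        }

        if (issuerKey == null) {
            // getIssuerPublicKey() already logged why the key is unavailable; never verify against a null key.
            log.error("Issuer public key unavailable; reporting SAML 1.x token as Invalid");
            return false;
        }
        try {
            SAMLAssertion saml1Assertion = new SAMLAssertion(assertionElement);
            log.info("Verifying token validity...");
            saml1Assertion.verify(issuerKey);
            return true;
        } catch (SAMLException e) {
            log.error("Could not verify signature", e);
            return false;
        }
    }

    /**
     * Resolves the issuer configuration from the first available source (element, file, parameter).
     *
     * @param messageContext inbound context, used to look up the Axis2 parameter when configured by name
     * @return the resolved configuration, never {@code null}
     * @throws TrustException if the named parameter is missing ({@code expectedParameterMissing}), no source
     *         produced a configuration ({@code configurationIsNull}), the token store is disabled
     *         ({@code errorTokenStoreDisabled}), or a configuration source itself raises one
     */
    private SAMLTokenIssuerConfig getConfig(MessageContext messageContext) throws TrustException {
        SAMLTokenIssuerConfig config = null;
        try {
            if (this.configElement != null) {
                config = new SAMLTokenIssuerConfig(
                        this.configElement.getFirstChildWithName(SAMLTokenIssuerConfig.SAML_ISSUER_CONFIG));
            }
            if (config == null && this.configFile != null) {
                config = new SAMLTokenIssuerConfig(this.configFile);
            }
            if (config == null && this.configParamName != null) {
                Parameter parameter = messageContext.getParameter(this.configParamName);
                if (parameter == null || parameter.getParameterElement() == null) {
                    throw new TrustException("expectedParameterMissing", new String[]{this.configParamName});
                }
                config = new SAMLTokenIssuerConfig(
                        parameter.getParameterElement().getFirstChildWithName(SAMLTokenIssuerConfig.SAML_ISSUER_CONFIG));
            }
        } catch (TrustException e) {
            // Propagate the specific cause; a generic catch here used to replace it with "configurationIsNull",
            // hiding e.g. the missing-parameter message from the operator.
            throw e;
        } catch (Exception e) {
            log.error("Could not build SAML token issuer configuration", e);
        }
        if (config == null) {
            throw new TrustException("configurationIsNull");
        }
        if (config.isTokenStoreDisabled()) {
            // Validation looks the token up by id, so it cannot operate without a token store.
            throw new TrustException("errorTokenStoreDisabled");
        }
        if (TokenIssuerUtil.isPersisterConfigured(config)) {
            TokenIssuerUtil.manageTokenPersistenceSettings(config, messageContext);
        }
        return config;
    }

    /**
     * Creates the WSS4J {@link Crypto} from either the inline crypto element or the properties file
     * named in the configuration, loading it with the service's class loader.
     *
     * @param messageContext inbound context; supplies the Axis service class loader
     * @param config         issuer configuration holding {@code cryptoElement} or {@code cryptoPropertiesFile}
     * @return the crypto instance
     */
    private Crypto getCrypto(MessageContext messageContext, SAMLTokenIssuerConfig config) {
        ClassLoader serviceLoader = messageContext.getAxisService().getClassLoader();
        if (config.cryptoElement != null) {
            return CryptoFactory.getInstance(TrustUtil.toProperties(config.cryptoElement), serviceLoader);
        }
        return CryptoFactory.getInstance(config.cryptoPropertiesFile, serviceLoader);
    }

    /**
     * Loads the public key of the first certificate stored under the configured issuer alias.
     *
     * @param config issuer configuration holding {@code issuerKeyAlias}
     * @param crypto keystore to read from
     * @return the issuer public key, or {@code null} if the alias has no certificate or the lookup fails
     *         (the cause is logged; callers must treat {@code null} as "cannot verify")
     */
    private PublicKey getIssuerPublicKey(SAMLTokenIssuerConfig config, Crypto crypto) {
        try {
            X509Certificate[] certificates = crypto.getCertificates(config.issuerKeyAlias);
            if (certificates == null || certificates.length == 0) {
                log.error("No certificate found for issuer alias " + config.issuerKeyAlias);
                return null;
            }
            return certificates[0].getPublicKey();
        } catch (WSSecurityException e) {
            log.error("Could not load certificate for issuer alias " + config.issuerKeyAlias, e);
            return null;
        }
    }

    /**
     * Parses a serialised SAML 2.0 assertion into an OpenSAML {@link Assertion}.
     *
     * <p>The XML is parsed with a factory hardened against external entities and entity expansion and
     * decoded as UTF-8 regardless of the platform default charset. Only unmarshalling happens here; the
     * signature is checked by the caller.
     *
     * @param assertionXml the assertion as an XML string
     * @return the unmarshalled assertion
     * @throws WSSecurityException if the XML cannot be parsed or unmarshalled, has no registered
     *         unmarshaller, or does not unmarshal to an {@code Assertion}
     */
    public Assertion buildAssertion(String assertionXml) throws WSSecurityException {
        try {
            DocumentBuilderFactory factory = newHardenedDocumentBuilderFactory();
            Element root = factory.newDocumentBuilder()
                    .parse(new ByteArrayInputStream(assertionXml.trim().getBytes(StandardCharsets.UTF_8)))
                    .getDocumentElement();
            org.opensaml.xml.io.Unmarshaller unmarshaller = Configuration.getUnmarshallerFactory().getUnmarshaller(root);
            if (unmarshaller == null) {
                // No unmarshaller registered for this element: report as a failure rather than NPE.
                throw new WSSecurityException(0, "Failure in unmarshelling the assertion", (Object[]) null, null);
            }
            Object unmarshalled = unmarshaller.unmarshall(root);
            if (!(unmarshalled instanceof Assertion)) {
                // A root element of some other SAML type must not escape as a ClassCastException fault.
                throw new WSSecurityException(0, "Failure in unmarshelling the assertion", (Object[]) null, null);
            }
            if (log.isDebugEnabled()) {
                // Only unmarshalling has happened at this point; the signature is verified by the caller.
                log.debug("SAML2 assertion unmarshalled successfully.");
            }
            return (Assertion) unmarshalled;
        } catch (IOException e) {
            throw new WSSecurityException(0, "Failure in unmarshelling the assertion", (Object[]) null, e);
        } catch (ParserConfigurationException e) {
            throw new WSSecurityException(0, "Failure in unmarshelling the assertion", (Object[]) null, e);
        } catch (SAXException e) {
            throw new WSSecurityException(0, "Failure in unmarshelling the assertion", (Object[]) null, e);
        } catch (UnmarshallingException e) {
            throw new WSSecurityException(0, "Failure in unmarshelling the assertion", (Object[]) null, e);
        }
    }

    /**
     * Creates a namespace-aware {@link DocumentBuilderFactory} hardened against XML external entity (XXE)
     * and entity-expansion attacks.
     *
     * @return a factory with JAXP secure processing enabled, XInclude and entity expansion disabled, and
     *         DOCTYPE declarations rejected where the parser supports that feature
     * @throws ParserConfigurationException if the parser cannot enable secure processing
     */
    private static DocumentBuilderFactory newHardenedDocumentBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // Every JAXP implementation must support this feature; it caps entity expansion and restricts external access.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        try {
            // A SAML assertion never legitimately carries a DOCTYPE, so refusing it closes the XXE vector outright.
            factory.setFeature(DISALLOW_DOCTYPE_DECL, true);
        } catch (ParserConfigurationException e) {
            // Non-Xerces parser without this feature: secure processing above still applies.
            log.warn("XML parser does not support " + DISALLOW_DOCTYPE_DECL
                    + "; DOCTYPE declarations will not be rejected", e);
        }
        return factory;
    }

    /**
     * Adds a {@code wst}-prefixed child element in the WS-Trust namespace for the given version.
     *
     * @param version   WS-Trust version, selects the namespace
     * @param parent    element the new child is attached to
     * @param localName local name of the new child
     * @return the created child element
     * @throws TrustException if the WS-Trust namespace for {@code version} cannot be resolved
     */
    private static OMElement createMessageElement(int version, OMElement parent, String localName) throws TrustException {
        String wstNamespace = TrustUtil.getWSTNamespace(version);
        return createOMElement(parent, wstNamespace, localName, RahasConstants.WST_PREFIX);
    }

    /**
     * Creates a child of {@code parent} with the given namespace, local name and prefix using the parent's factory.
     *
     * @param parent    element the new child is attached to
     * @param namespace namespace URI of the child
     * @param localName local name of the child
     * @param prefix    namespace prefix of the child
     * @return the created child element
     */
    private static OMElement createOMElement(OMElement parent, String namespace, String localName, String prefix) {
        QName childName = new QName(namespace, localName, prefix);
        return parent.getOMFactory().createOMElement(childName, parent);
    }

    /** Sets the path of the configuration file consulted when no configuration element is set. */
    @Override
    public void setConfigurationFile(String configFile) {
        this.configFile = configFile;
    }

    /** Sets the name of the Axis2 parameter consulted when neither element nor file yields a configuration. */
    @Override
    public void setConfigurationParamName(String configParamName) {
        this.configParamName = configParamName;
    }

    /** Sets the inline configuration element; this is the first source {@link #getConfig} consults. */
    @Override
    public void setConfigurationElement(OMElement configElement) {
        this.configElement = configElement;
    }

    static {
        // OpenSAML must be bootstrapped once before Configuration.getUnmarshallerFactory() is usable;
        // failing here makes the class unusable, so the error is surfaced rather than deferred.
        try {
            DefaultBootstrap.bootstrap();
        } catch (ConfigurationException e) {
            log.error("SAMLTokenValidatorBootstrapError", e);
            throw new RuntimeException(e);
        }
    }
}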
