package org.wso2.carbon.identity.oauth2.token.handlers;

import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.joda.time.DateTime;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.xml.signature.SignatureValidator;
import org.wso2.carbon.base.ServerConfiguration;
import org.wso2.carbon.identity.authenticator.saml2.sso.util.Util;
import org.wso2.carbon.identity.authenticator.saml2.sso.util.X509CredentialImpl;
import org.wso2.carbon.identity.oauth.IdentityOAuthAdminException;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.util.OAuth2Constants;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/token/handlers/SAML2BearerGrantTypeHandler.class */
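/**
 * Grant handler for the SAML 2.0 bearer-assertion grant type.
 *
 * <p>The client authenticates with its client id / secret ({@link #authenticateClient}) and
 * presents a Base64-encoded SAML 2.0 {@code Assertion} as the grant. {@link #validateGrant}
 * accepts the assertion only when all of the following hold:
 * <ul>
 *   <li>it carries a Signature that verifies against the certificate stored under
 *       {@code Security.KeyStore.KeyAlias} in the server keystore,</li>
 *   <li>its Issuer is present and non-empty,</li>
 *   <li>it has Conditions with at least one AudienceRestriction, and any NotBefore /
 *       NotOnOrAfter on the Conditions encloses the current time,</li>
 *   <li>its Subject NameID equals the user the authenticated client id belongs to,</li>
 *   <li>at least one SubjectConfirmation uses {@code OAuth2Constants.OAUTH_SAML2_BEARER_METHOD},
 *       and the validity window of every such confirmation's SubjectConfirmationData encloses
 *       the current time,</li>
 *   <li>an expiry (NotOnOrAfter) is present on the Conditions or on a SubjectConfirmationData.</li>
 * </ul>
 *
 * <p>Validation failures are logged at error level and reported as {@code false} (the token
 * endpoint treats that as an invalid grant). Server-side problems — the keystore cannot be
 * read or the client owner cannot be resolved — surface as {@link IdentityOAuth2Exception}.
 *
 * <p>The handler keeps no per-request state and can be shared between threads.
 */
public class SAML2BearerGrantTypeHandler extends AbstractAuthorizationGrantHandler {

    private static final Log log = LogFactory.getLog(SAML2BearerGrantTypeHandler.class);

    /** The Base64-decoded assertion bytes are read as UTF-8, not the platform default charset. */
    private static final Charset UTF8 = Charset.forName("UTF-8");

    /** Scope assigned when the token request carries none. */
    private static final String DEFAULT_SCOPE = "SAML2 OAuth";

    // ServerConfiguration property keys describing the keystore that holds the trust anchor.
    private static final String KEYSTORE_TYPE = "Security.KeyStore.Type";
    private static final String KEYSTORE_LOCATION = "Security.KeyStore.Location";
    private static final String KEYSTORE_PASSWORD = "Security.KeyStore.Password";
    private static final String KEYSTORE_KEY_ALIAS = "Security.KeyStore.KeyAlias";

    /**
     * Authenticates the client with its id and secret and records the user that owns the
     * client id as both the resource owner and the authorized user of the request.
     *
     * @param oAuthTokenReqMessageContext the token request being processed
     * @return {@code true} when the credentials resolve to a non-empty username
     * @throws IdentityOAuth2Exception when the credential lookup itself fails
     */
    @Override
    public boolean authenticateClient(OAuthTokenReqMessageContext oAuthTokenReqMessageContext)
            throws IdentityOAuth2Exception {
        OAuth2AccessTokenReqDTO tokenReqDTO = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO();
        String clientOwner = resolveClientOwner(tokenReqDTO);
        // A null owner is treated the same as an empty one: the client is not authenticated.
        if (clientOwner == null || clientOwner.isEmpty()) {
            return false;
        }
        tokenReqDTO.setResourceOwnerUsername(clientOwner);
        oAuthTokenReqMessageContext.setAuthorizedUser(clientOwner);
        return true;
    }

    /**
     * Validates the SAML assertion presented as the grant; see the class comment for the rules.
     *
     * @param oAuthTokenReqMessageContext the token request carrying the Base64-encoded assertion
     * @return {@code true} only when every rule passes; failures are logged and yield {@code false}
     * @throws IdentityOAuth2Exception when the keystore cannot be read or the client owner
     *         cannot be resolved
     */
    @Override
    public boolean validateGrant(OAuthTokenReqMessageContext oAuthTokenReqMessageContext)
            throws IdentityOAuth2Exception {
        OAuth2AccessTokenReqDTO tokenReqDTO = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO();

        Assertion assertion = decodeAssertion(tokenReqDTO.getAssertion());
        if (assertion == null) {
            return false;
        }
        // Establish who produced the assertion before trusting anything it says.
        if (!validateSignature(assertion)) {
            return false;
        }

        String expectedSubject = resolveClientOwner(tokenReqDTO);
        if (expectedSubject == null || expectedSubject.isEmpty()) {
            log.error("Cannot resolve the user the client id belongs to");
            return false;
        }

        DateTime now = new DateTime();
        return validateIssuer(assertion)
                && validateConditions(assertion, now)
                && validateSubject(assertion, expectedSubject, now)
                && hasExpiry(assertion);
    }

    /**
     * Ensures the request has a scope, defaulting to {@value #DEFAULT_SCOPE} when none was sent.
     *
     * @param oAuthTokenReqMessageContext the token request being processed
     * @return always {@code true}; scope is never a reason to reject this grant
     */
    @Override
    public boolean validateScope(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {
        if (oAuthTokenReqMessageContext.getScope() == null) {
            oAuthTokenReqMessageContext.setScope(new String[]{DEFAULT_SCOPE});
        }
        return true;
    }

    /**
     * Access delegation is implied by a valid bearer assertion; no further step is required.
     *
     * @param oAuthTokenReqMessageContext the token request being processed
     * @return always {@code true}
     */
    @Override
    public boolean authorizeAccessDelegation(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {
        return true;
    }

    /** Resolves the username the client id belongs to, wrapping lookup failures consistently. */
    private String resolveClientOwner(OAuth2AccessTokenReqDTO tokenReqDTO) throws IdentityOAuth2Exception {
        try {
            return OAuth2Util.getAuthenticatedUsername(tokenReqDTO.getClientId(), tokenReqDTO.getClientSecret());
        } catch (IdentityOAuthAdminException e) {
            throw new IdentityOAuth2Exception(e.getMessage(), e);
        }
    }

    /**
     * Base64-decodes and unmarshalls the assertion parameter.
     *
     * @return the parsed assertion, or {@code null} (after logging) when the parameter is
     *         absent or cannot be parsed into an {@code Assertion}
     */
    private Assertion decodeAssertion(String encodedAssertion) {
        if (encodedAssertion == null || encodedAssertion.isEmpty()) {
            log.error("No SAML assertion found in the token request");
            return null;
        }
        String assertionXml = new String(Base64.decodeBase64(encodedAssertion), UTF8);
        if (log.isDebugEnabled()) {
            // Logs the complete, unverified assertion (including any subject attributes).
            log.debug("Received SAML assertion : " + assertionXml);
        }
        try {
            // The cast also rejects well-formed SAML that is not an Assertion element.
            return (Assertion) Util.unmarshall(assertionXml);
        } catch (Exception e) {
            log.error(e.getMessage(), e);
            return null;
        }
    }

    /**
     * Verifies the assertion's enveloped signature against the server keystore certificate.
     *
     * <p>The only trust anchor is the certificate under {@code Security.KeyStore.KeyAlias}, so an
     * assertion signed with any other key is rejected.
     *
     * @return {@code false} (after logging) when the assertion is unsigned, the trust anchor is
     *         missing, or the signature does not verify
     * @throws IdentityOAuth2Exception when the keystore cannot be loaded
     */
    private boolean validateSignature(Assertion assertion) throws IdentityOAuth2Exception {
        if (assertion.getSignature() == null) {
            log.error("Assertion is not signed, cannot establish its origin");
            return false;
        }
        X509Certificate trustAnchor = loadSigningCertificate();
        if (trustAnchor == null) {
            return false; // already logged by loadSigningCertificate
        }
        // NOTE(review): only the cryptographic check runs here; nothing visible confirms that the
        // Signature's Reference actually covers this Assertion element (OpenSAML ships a
        // SAMLSignatureProfileValidator for that). Confirm whether Util.unmarshall or a caller
        // performs the profile check, and add it here if not.
        try {
            new SignatureValidator(new X509CredentialImpl(trustAnchor)).validate(assertion.getSignature());
            return true;
        } catch (Exception e) {
            log.error("Signature validation failed for the SAML assertion", e);
            return false;
        }
    }

    /**
     * Loads the X.509 certificate stored under {@code Security.KeyStore.KeyAlias}.
     *
     * @return the certificate, or {@code null} (after logging) when no X.509 entry exists under
     *         the alias
     * @throws IdentityOAuth2Exception when the keystore configuration is incomplete or the
     *         keystore cannot be opened or decoded
     */
    private X509Certificate loadSigningCertificate() throws IdentityOAuth2Exception {
        ServerConfiguration serverConfiguration = ServerConfiguration.getInstance();
        String type = serverConfiguration.getFirstProperty(KEYSTORE_TYPE);
        String location = serverConfiguration.getFirstProperty(KEYSTORE_LOCATION);
        String password = serverConfiguration.getFirstProperty(KEYSTORE_PASSWORD);
        String alias = serverConfiguration.getFirstProperty(KEYSTORE_KEY_ALIAS);
        if (type == null || location == null || password == null || alias == null) {
            throw new IdentityOAuth2Exception("Keystore configuration is incomplete; " + KEYSTORE_TYPE + ", "
                    + KEYSTORE_LOCATION + ", " + KEYSTORE_PASSWORD + " and " + KEYSTORE_KEY_ALIAS
                    + " are all required");
        }

        FileInputStream keyStoreStream = null;
        try {
            KeyStore keyStore = KeyStore.getInstance(type);
            keyStoreStream = new FileInputStream(location);
            keyStore.load(keyStoreStream, password.toCharArray());
            Certificate certificate = keyStore.getCertificate(alias);
            // Covers both "no entry under the alias" and a non-X.509 entry.
            if (!(certificate instanceof X509Certificate)) {
                log.error("Cannot find certificate with the alias - " + alias);
                return null;
            }
            return (X509Certificate) certificate;
        } catch (IOException e) {
            throw new IdentityOAuth2Exception(e.getMessage(), e);
        } catch (GeneralSecurityException e) {
            throw new IdentityOAuth2Exception(e.getMessage(), e);
        } finally {
            // Closed on every path; the original leaked the stream when load() failed.
            if (keyStoreStream != null) {
                try {
                    keyStoreStream.close();
                } catch (IOException e) {
                    log.warn("Failed to close the keystore stream", e);
                }
            }
        }
    }

    /** Requires a present, non-blank Issuer. */
    private boolean validateIssuer(Assertion assertion) {
        if (assertion.getIssuer() == null
                || assertion.getIssuer().getValue() == null
                || assertion.getIssuer().getValue().trim().isEmpty()) {
            log.error("Issuer is missing or empty in the SAML assertion");
            return false;
        }
        // NOTE(review): the Issuer is not compared with a configured, trusted IdP entity id;
        // trust currently rests entirely on the signature check.
        return true;
    }

    /**
     * Requires Conditions with at least one AudienceRestriction and a validity window
     * (NotBefore / NotOnOrAfter, each optional) that encloses {@code now}.
     */
    private boolean validateConditions(Assertion assertion, DateTime now) {
        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            log.error("Cannot find any Conditions in the Assertion");
            return false;
        }
        if (!validateValidityWindow(conditions.getNotBefore(), conditions.getNotOnOrAfter(), now, "Conditions")) {
            return false;
        }
        List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions();
        if (audienceRestrictions == null || audienceRestrictions.isEmpty()) {
            log.error("Cannot find any AudienceRestrictions in the Assertion");
            return false;
        }
        if (log.isDebugEnabled()) {
            List<String> audienceUris = new ArrayList<String>();
            for (AudienceRestriction restriction : audienceRestrictions) {
                List<Audience> audiences = restriction.getAudiences();
                if (audiences == null) {
                    continue;
                }
                for (Audience audience : audiences) {
                    audienceUris.add(audience.getAudienceURI());
                }
            }
            log.debug("Audiences in the Assertion : " + audienceUris);
        }
        // NOTE(review): the Audience URIs are only logged; they are not compared with this
        // authorization server's identifier (such as its token endpoint URL), so an assertion
        // intended for a different audience is still accepted. Confirm the expected value from
        // the deployment configuration and compare it here.
        return true;
    }

    /**
     * Requires a Subject whose NameID equals {@code expectedSubject} and at least one
     * SubjectConfirmation with the OAuth SAML2 bearer method; every bearer confirmation's
     * SubjectConfirmationData (when present) must have a validity window enclosing {@code now}.
     */
    private boolean validateSubject(Assertion assertion, String expectedSubject, DateTime now) {
        if (assertion.getSubject() == null) {
            log.error("Cannot find a Subject in the Assertion");
            return false;
        }
        if (assertion.getSubject().getNameID() == null
                || !expectedSubject.equals(assertion.getSubject().getNameID().getValue())) {
            log.error("NameID in Assertion doesn't match username the client id belongs to");
            return false;
        }
        List<SubjectConfirmation> subjectConfirmations = assertion.getSubject().getSubjectConfirmations();
        if (subjectConfirmations == null || subjectConfirmations.isEmpty()) {
            log.error("No SubjectConfirmation exist in Assertion");
            return false;
        }

        boolean bearerConfirmationFound = false;
        for (SubjectConfirmation confirmation : subjectConfirmations) {
            // Constant on the left: a missing Method attribute must not throw.
            if (!OAuth2Constants.OAUTH_SAML2_BEARER_METHOD.equals(confirmation.getMethod())) {
                continue;
            }
            bearerConfirmationFound = true;
            if (confirmation.getSubjectConfirmationData() != null
                    && !validateValidityWindow(confirmation.getSubjectConfirmationData().getNotBefore(),
                            confirmation.getSubjectConfirmationData().getNotOnOrAfter(), now,
                            "SubjectConfirmationData")) {
                return false;
            }
        }
        if (!bearerConfirmationFound) {
            log.error("Failed to find a SubjectConfirmation with a Method attribute having : "
                    + OAuth2Constants.OAUTH_SAML2_BEARER_METHOD);
            return false;
        }
        // NOTE(review): SubjectConfirmationData/@Recipient is not checked against this server's
        // token endpoint (the original collected the values and discarded them). Confirm the
        // expected value and compare it here.
        return true;
    }

    /**
     * Requires an expiry: a NotOnOrAfter on the Conditions or on any SubjectConfirmationData.
     */
    private boolean hasExpiry(Assertion assertion) {
        if (assertion.getConditions() != null && assertion.getConditions().getNotOnOrAfter() != null) {
            return true;
        }
        if (assertion.getSubject() != null && assertion.getSubject().getSubjectConfirmations() != null) {
            for (SubjectConfirmation confirmation : assertion.getSubject().getSubjectConfirmations()) {
                if (confirmation.getSubjectConfirmationData() != null
                        && confirmation.getSubjectConfirmationData().getNotOnOrAfter() != null) {
                    return true;
                }
            }
        }
        log.error("Didn't find any NotOnOrAfter attribute, must have an expiry time");
        return false;
    }

    /**
     * Checks that {@code now} lies inside [notBefore, notOnOrAfter); either bound may be null
     * (unbounded). No clock-skew tolerance is applied.
     *
     * @param element name of the element the bounds came from, for the log message
     */
    private boolean validateValidityWindow(DateTime notBefore, DateTime notOnOrAfter, DateTime now, String element) {
        // NotOnOrAfter is exclusive: an instant equal to now is already expired.
        if (notOnOrAfter != null && !notOnOrAfter.isAfter(now)) {
            log.error(element + " NotOnOrAfter is having an expired timestamp");
            return false;
        }
        if (notBefore != null && notBefore.isAfter(now)) {
            log.error(element + " NotBefore is in the future, assertion is not yet valid");
            return false;
        }
        return true;
    }
}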
