package org.wso2.carbon.identity.sso.agent.saml;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.StringWriter;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.Charset;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;
import javax.crypto.SecretKey;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.log4j.spi.Configurator;
import org.apache.log4j.spi.LocationInfo;
import org.eclipse.core.runtime.internal.adaptor.EclipseAdaptorHook;
import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.common.SAMLVersion;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.common.Extensions;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.AuthnContext;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.LogoutRequest;
import org.opensaml.saml2.core.LogoutResponse;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.NameIDPolicy;
import org.opensaml.saml2.core.NameIDType;
import org.opensaml.saml2.core.RequestedAuthnContext;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.SessionIndex;
import org.opensaml.saml2.core.Status;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.StatusMessage;
import org.opensaml.saml2.core.impl.AuthnContextClassRefBuilder;
import org.opensaml.saml2.core.impl.AuthnRequestBuilder;
import org.opensaml.saml2.core.impl.IssuerBuilder;
import org.opensaml.saml2.core.impl.LogoutRequestBuilder;
import org.opensaml.saml2.core.impl.LogoutResponseBuilder;
import org.opensaml.saml2.core.impl.NameIDBuilder;
import org.opensaml.saml2.core.impl.NameIDPolicyBuilder;
import org.opensaml.saml2.core.impl.RequestedAuthnContextBuilder;
import org.opensaml.saml2.core.impl.SessionIndexBuilder;
import org.opensaml.saml2.core.impl.StatusBuilder;
import org.opensaml.saml2.core.impl.StatusCodeBuilder;
import org.opensaml.saml2.core.impl.StatusMessageBuilder;
import org.opensaml.saml2.ecp.RelayState;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.signature.impl.SignatureImpl;
import org.opensaml.xml.util.Base64;
import org.opensaml.xml.util.XMLHelper;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Element;
import org.w3c.dom.bootstrap.DOMImplementationRegistry;
import org.w3c.dom.ls.DOMImplementationLS;
import org.w3c.dom.ls.LSOutput;
import org.w3c.dom.ls.LSSerializer;
import org.wso2.carbon.CarbonConstants;
import org.wso2.carbon.identity.sso.agent.InvalidSessionException;
import org.wso2.carbon.identity.sso.agent.SSOAgentConstants;
import org.wso2.carbon.identity.sso.agent.SSOAgentDataHolder;
import org.wso2.carbon.identity.sso.agent.SSOAgentException;
import org.wso2.carbon.identity.sso.agent.bean.LoggedInSessionBean;
import org.wso2.carbon.identity.sso.agent.bean.SSOAgentConfig;
import org.wso2.carbon.identity.sso.agent.util.SAMLSignatureValidator;
import org.wso2.carbon.identity.sso.agent.util.SSOAgentUtils;

/* loaded from: input_file:WEB-INF/lib/org.wso2.carbon.identity.sso.agent-5.1.14.jar:org/wso2/carbon/identity/sso/agent/saml/SAML2SSOManager.class */
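/**
 * Builds outgoing SAML2 messages (AuthnRequest, LogoutRequest, LogoutResponse) for the
 * HTTP-Redirect and HTTP-POST bindings and processes the incoming SAML2 Response /
 * LogoutRequest / LogoutResponse messages of the SSO agent.
 * <p>
 * All message validation performed here is driven by the {@link SSOAgentConfig} the manager
 * was constructed with (signature, encryption, audience and validity-period checks). The
 * configuration object is shared; {@link #processResponse} writes the incoming RelayState into
 * it, so it is not per-request state.
 */
public class SAML2SSOManager {

    private static final Log log = LogFactory.getLog(SAML2SSOManager.class);
    private static final Logger LOGGER = Logger.getLogger(SSOAgentConstants.LOGGER_NAME);

    /** Charset used for every byte/String conversion of SAML messages (never the platform default). */
    private static final Charset UTF_8 = Charset.forName("UTF-8");
    /** Algorithm used when this SP signs its own requests/responses (RSA-SHA1, as shipped). */
    private static final String RSA_SHA1_SIGNATURE_ALGORITHM = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    /** Marker inside a custom POST-binding HTML payload that is replaced with the hidden form fields. */
    private static final String SAML_PARAMS_PLACEHOLDER = "<!--$saml_params-->";
    /** Validity window (milliseconds) of a LogoutRequest issued by this SP. */
    private static final long LOGOUT_REQUEST_VALIDITY_MILLIS = 300000L;
    /** Request parameter names of the two SAML2 binding payloads. */
    private static final String SAML_REQUEST_PARAM = "SAMLRequest";
    private static final String SAML_RESPONSE_PARAM = "SAMLResponse";

    private final SSOAgentConfig ssoAgentConfig;

    /**
     * Creates a manager for the given agent configuration.
     * <p>
     * If a custom signature validator class is configured it is instantiated reflectively and
     * registered in {@link SSOAgentDataHolder}; afterwards the OpenSAML library is bootstrapped.
     *
     * @param sSOAgentConfig agent configuration; must not be null
     * @throws SSOAgentException if the configured signature validator class cannot be loaded
     *                           or instantiated
     */
    public SAML2SSOManager(SSOAgentConfig sSOAgentConfig) throws SSOAgentException {
        this.ssoAgentConfig = sSOAgentConfig;
        String validatorClassName = sSOAgentConfig.getSAML2().getSignatureValidatorImplClass();
        if (validatorClassName != null) {
            try {
                // The class name comes from the agent's own configuration, never from a request.
                SSOAgentDataHolder.getInstance().setSignatureValidator(
                        Class.forName(validatorClassName).newInstance());
            } catch (ClassNotFoundException e) {
                throw new SSOAgentException("Error loading custom signature validator class", e);
            } catch (IllegalAccessException e) {
                throw new SSOAgentException("Error loading custom signature validator class", e);
            } catch (InstantiationException e) {
                throw new SSOAgentException("Error loading custom signature validator class", e);
            }
        }
        SSOAgentUtils.doBootstrap();
    }

    /**
     * Builds the IdP URL for an HTTP-Redirect binding AuthnRequest or LogoutRequest.
     * <p>
     * The message is DEFLATE-compressed, base64- and URL-encoded into the {@code SAMLRequest}
     * query parameter. {@code RelayState} is taken from the incoming request when present,
     * otherwise from the configuration. When request signing is enabled the query string is
     * signed before the configured extra query parameters are appended. Those extra parameters
     * are appended verbatim, so the configuration must supply them already URL-encoded.
     *
     * @param httpServletRequest incoming request; source of the SSO session and RelayState
     * @param isLogoutRequest    {@code true} to build a LogoutRequest from the current SSO
     *                           session, {@code false} to build an AuthnRequest
     * @return the absolute redirect URL
     * @throws InvalidSessionException if a logout is requested but there is no HTTP session
     * @throws SSOAgentException       if the session holds no SSO bean or encoding fails
     */
    public String buildRedirectRequest(HttpServletRequest httpServletRequest, boolean isLogoutRequest)
            throws SSOAgentException {
        SignableSAMLObject requestMessage;
        if (isLogoutRequest) {
            LoggedInSessionBean.SAML2SSO sso = currentSAML2SSOSession(httpServletRequest,
                    "SLO Request can not be built. SSO Session is NULL");
            requestMessage = buildLogoutRequest(sso.getSubjectId(), sso.getSessionIndex());
        } else {
            requestMessage = buildAuthnRequest(httpServletRequest);
        }

        StringBuilder queryString = new StringBuilder("SAMLRequest=")
                .append(encodeRequestMessage(requestMessage, SAMLConstants.SAML2_REDIRECT_BINDING_URI));

        // Same precedence as the POST binding: request-supplied RelayState first, configured one as fallback.
        String relayState = httpServletRequest.getParameter(RelayState.DEFAULT_ELEMENT_LOCAL_NAME);
        if (StringUtils.isEmpty(relayState)) {
            relayState = this.ssoAgentConfig.getSAML2().getRelayState();
        }
        if (relayState != null) {
            try {
                queryString.append("&RelayState=").append(URLEncoder.encode(relayState, UTF_8.name()).trim());
            } catch (UnsupportedEncodingException e) {
                throw new SSOAgentException("Error occurred while URLEncoding RelayState", e);
            }
        }

        // The signature covers SAMLRequest and RelayState; anything appended afterwards is unsigned.
        if (isRequestSigned()) {
            SSOAgentUtils.addDeflateSignatureToHTTPQueryString(queryString, signingCredential());
        }

        Map<String, String[]> extraParams = this.ssoAgentConfig.getQueryParams();
        if (extraParams != null) {
            for (Map.Entry<String, String[]> entry : extraParams.entrySet()) {
                if (entry.getKey() == null || entry.getValue() == null) {
                    continue;
                }
                for (String value : entry.getValue()) {
                    queryString.append('&').append(entry.getKey()).append('=').append(value);
                }
            }
        }

        String idpUrl = this.ssoAgentConfig.getSAML2().getIdPURL();
        String separator = idpUrl.indexOf('?') > -1 ? "&" : "?";
        return idpUrl + separator + queryString;
    }

    /**
     * Builds the self-submitting HTML page for an HTTP-POST binding AuthnRequest or LogoutRequest.
     * <p>
     * The message is signed (when configured), base64-encoded and placed in a hidden
     * {@code SAMLRequest} field together with {@code RelayState} and the configured extra
     * parameters. Every field value is HTML-attribute-escaped, because RelayState is taken
     * from the incoming request and must not be able to break out of the generated markup.
     * A configured payload template containing {@code <!--$saml_params-->} replaces the
     * built-in page; the default page auto-submits via JavaScript.
     *
     * @param httpServletRequest  incoming request; source of the SSO session and RelayState
     * @param httpServletResponse unused; kept for API compatibility
     * @param isLogoutRequest     {@code true} for a LogoutRequest, {@code false} for an AuthnRequest
     * @return the complete HTML document to send to the browser
     * @throws InvalidSessionException if a logout is requested but there is no HTTP session
     * @throws SSOAgentException       if the session holds no SSO bean, or signing/encoding fails
     */
    public String buildPostRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
                                   boolean isLogoutRequest) throws SSOAgentException {
        SignableSAMLObject requestMessage;
        if (isLogoutRequest) {
            LoggedInSessionBean.SAML2SSO sso = currentSAML2SSOSession(httpServletRequest,
                    "SLO Request can not be built. SSO Session is null");
            requestMessage = buildLogoutRequest(sso.getSubjectId(), sso.getSessionIndex());
            if (isRequestSigned()) {
                requestMessage = SSOAgentUtils.setSignature((LogoutRequest) requestMessage,
                        RSA_SHA1_SIGNATURE_ALGORITHM, signingCredential());
            }
        } else {
            requestMessage = buildAuthnRequest(httpServletRequest);
            if (isRequestSigned()) {
                requestMessage = SSOAgentUtils.setSignature((AuthnRequest) requestMessage,
                        RSA_SHA1_SIGNATURE_ALGORITHM, signingCredential());
            }
        }

        Map<String, String[]> formParams = new HashMap<String, String[]>();
        formParams.put(SAML_REQUEST_PARAM,
                new String[]{encodeRequestMessage(requestMessage, SAMLConstants.SAML2_POST_BINDING_URI)});
        String relayState = httpServletRequest.getParameter(RelayState.DEFAULT_ELEMENT_LOCAL_NAME);
        if (StringUtils.isNotEmpty(relayState)) {
            formParams.put(RelayState.DEFAULT_ELEMENT_LOCAL_NAME, new String[]{relayState});
        } else if (this.ssoAgentConfig.getSAML2().getRelayState() != null) {
            formParams.put(RelayState.DEFAULT_ELEMENT_LOCAL_NAME,
                    new String[]{this.ssoAgentConfig.getSAML2().getRelayState()});
        }
        // Configured parameters are added last and therefore win over SAMLRequest/RelayState on a key clash.
        if (this.ssoAgentConfig.getQueryParams() != null) {
            formParams.putAll(this.ssoAgentConfig.getQueryParams());
        }

        StringBuilder hiddenFields = new StringBuilder();
        for (Map.Entry<String, String[]> entry : formParams.entrySet()) {
            if (entry.getKey() == null || entry.getValue() == null) {
                continue;
            }
            for (String value : entry.getValue()) {
                hiddenFields.append("<input type='hidden' name='").append(escapeHtml(entry.getKey()))
                        .append("' value='").append(escapeHtml(value)).append("'>\n");
            }
        }

        String template = this.ssoAgentConfig.getSAML2().getPostBindingRequestHTMLPayload();
        if (template != null && template.contains(SAML_PARAMS_PLACEHOLDER)) {
            return template.replace(SAML_PARAMS_PLACEHOLDER, hiddenFields.toString());
        }
        String idpUrl = escapeHtml(this.ssoAgentConfig.getSAML2().getIdPURL());
        return "<html>\n<body>\n<p>You are now redirected back to " + idpUrl
                + " \nIf the redirection fails, please click the post button.</p>\n<form method='post' action='"
                + idpUrl + "'>\n<p>\n" + hiddenFields
                + "<button type='submit'>POST</button>\n</p>\n</form>\n<script type='text/javascript'>\n"
                + "document.forms[0].submit();\n</script>\n</body>\n</html>";
    }

    /**
     * Encodes a SAML message for the HTTP-POST binding (base64, single line).
     *
     * @param signableSAMLObject message to encode
     * @return the base64-encoded message
     * @throws SSOAgentException if marshalling fails
     */
    public String buildPostResponse(SignableSAMLObject signableSAMLObject) throws SSOAgentException {
        return encodeRequestMessage(signableSAMLObject, SAMLConstants.SAML2_POST_BINDING_URI);
    }

    /**
     * Dispatches an incoming {@code SAMLResponse}: a LogoutResponse is handled by {@link #doSLO},
     * anything else is treated as an authentication Response by {@link #processSSOResponse}.
     * Afterwards a non-empty RelayState parameter (other than the literal string "null") is
     * stored in the shared agent configuration.
     *
     * @param httpServletRequest  request carrying the {@code SAMLResponse} parameter
     * @param httpServletResponse unused; kept for API compatibility
     * @throws SSOAgentException if the parameter is missing or the message is rejected
     */
    public void processResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse)
            throws SSOAgentException {
        String samlResponse = httpServletRequest.getParameter(SAML_RESPONSE_PARAM);
        if (samlResponse == null) {
            throw new SSOAgentException("Invalid SAML2 Response. SAML2 Response can not be null.");
        }
        // Unmarshalled once here to pick the handler; the handlers re-read the parameter themselves.
        XMLObject message = SSOAgentUtils.unmarshall(decodeBase64Message(samlResponse));
        if (message instanceof LogoutResponse) {
            doSLO(httpServletRequest);
        } else {
            processSSOResponse(httpServletRequest);
        }
        String relayState = httpServletRequest.getParameter(RelayState.DEFAULT_ELEMENT_LOCAL_NAME);
        if (relayState != null && !relayState.isEmpty() && !"null".equalsIgnoreCase(relayState)) {
            // NOTE(review): this writes request data into configuration shared by all requests.
            this.ssoAgentConfig.getSAML2().setRelayState(relayState);
        }
    }

    /**
     * Handles single logout.
     * <p>
     * An IdP-initiated {@code SAMLRequest} (LogoutRequest) invalidates every local session bound
     * to the request's first SessionIndex and a Success LogoutResponse is built for it. An
     * SP-initiated flow's {@code SAMLResponse} (LogoutResponse) invalidates the sessions bound to
     * the caller's current HTTP session and the response is returned as is.
     *
     * @param httpServletRequest request carrying {@code SAMLRequest} or {@code SAMLResponse}
     * @return the LogoutResponse to send back (IdP-initiated) or the received one (SP-initiated)
     * @throws SSOAgentException if neither a LogoutRequest nor a LogoutResponse can be read
     */
    public LogoutResponse doSLO(HttpServletRequest httpServletRequest) throws SSOAgentException {
        XMLObject message = null;
        String samlRequest = httpServletRequest.getParameter(SAML_REQUEST_PARAM);
        if (samlRequest != null) {
            message = SSOAgentUtils.unmarshall(decodeBase64Message(samlRequest));
        }
        if (message == null) {
            String samlResponse = httpServletRequest.getParameter(SAML_RESPONSE_PARAM);
            if (samlResponse == null) {
                throw new SSOAgentException("Invalid SAML2 Single Logout Request/Response");
            }
            message = SSOAgentUtils.unmarshall(decodeBase64Message(samlResponse));
        }

        if (message instanceof LogoutRequest) {
            LogoutRequest logoutRequest = (LogoutRequest) message;
            // NOTE(review): an unsigned LogoutRequest is accepted as-is; only a present signature is checked.
            if (logoutRequest.getSignature() != null) {
                validateSignature(logoutRequest.getSignature());
            }
            List<SessionIndex> sessionIndexes = logoutRequest.getSessionIndexes();
            if (sessionIndexes == null || sessionIndexes.isEmpty()) {
                throw new SSOAgentException("SAML2 LogoutRequest does not contain a SessionIndex");
            }
            for (HttpSession session : SSOAgentSessionManager.invalidateAllSessions(
                    sessionIndexes.get(0).getSessionIndex())) {
                session.invalidate();
            }
            return buildLogoutResponse(logoutRequest.getID(), StatusCode.SUCCESS_URI, null);
        }

        if (message instanceof LogoutResponse) {
            HttpSession currentSession = httpServletRequest.getSession(false);
            if (currentSession != null) {
                for (HttpSession session : SSOAgentSessionManager.invalidateAllSessions(currentSession)) {
                    invalidateQuietly(session);
                }
            }
            return (LogoutResponse) message;
        }

        throw new SSOAgentException("Invalid SAML2 Single Logout Request/Response");
    }

    /**
     * Validates an authentication Response and, on success, stores the login in the HTTP session.
     * <p>
     * Checks, in order: exactly one Response and at most one Assertion element (XML Signature
     * Wrapping defence), presence of the (decrypted) Assertion, Issuer equals the configured IdP
     * entity id, validity period, audience restriction, signatures, and a Subject NameID. When
     * SLO is enabled the assertion's first AuthnStatement must carry a SessionIndex. An assertion
     * -less Response with status Responder/NoPassive is accepted silently (passive mode).
     *
     * @param httpServletRequest request carrying the {@code SAMLResponse} parameter
     * @throws SSOAgentException if any check fails
     */
    protected void processSSOResponse(HttpServletRequest httpServletRequest) throws SSOAgentException {
        String encodedResponse = httpServletRequest.getParameter(SAML_RESPONSE_PARAM);
        if (encodedResponse == null) {
            throw new SSOAgentException("Invalid SAML2 Response. SAML2 Response can not be null.");
        }
        String responseString = decodeBase64Message(encodedResponse);
        XMLObject samlObject = SSOAgentUtils.unmarshall(responseString);
        if (!(samlObject instanceof Response)) {
            log.error("Invalid SAML2 response. Root element is not a Response.");
            throw new SSOAgentException("Error occurred while processing SAML2 response.");
        }
        Response response = (Response) samlObject;

        // getElementsByTagNameNS() excludes the root itself, so any hit is a nested Response.
        Element dom = response.getDOM();
        if (dom.getElementsByTagNameNS(SAMLConstants.SAML20P_NS, "Response").getLength() > 0) {
            log.error("Invalid schema for the SAML2 response. Multiple Response elements found.");
            throw new SSOAgentException("Error occurred while processing SAML2 response.");
        }
        if (dom.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "Assertion").getLength() > 1) {
            log.error("Invalid schema for the SAML2 response. Multiple Assertion elements found.");
            throw new SSOAgentException("Error occurred while processing SAML2 response.");
        }

        LoggedInSessionBean sessionBean = new LoggedInSessionBean();
        // SAML2SSO is an inner (non-static) class of the bean, hence the qualified instantiation.
        LoggedInSessionBean.SAML2SSO sso = sessionBean.new SAML2SSO();
        sessionBean.setSAML2SSO(sso);
        sso.setResponseString(responseString);
        sso.setSAMLResponse(response);

        Assertion assertion = extractAssertion(response);
        if (assertion == null) {
            if (isNoPassive(response)) {
                LOGGER.log(Level.FINE, "Cannot authenticate in passive mode");
                return;
            }
            throw new SSOAgentException("SAML2 Assertion not found in the Response");
        }

        Issuer issuer = assertion.getIssuer();
        String issuerValue = issuer == null ? null : issuer.getValue();
        if (issuerValue == null || issuerValue.isEmpty()) {
            throw new SSOAgentException("SAML2 Response does not contain an Issuer value");
        }
        if (!issuerValue.equals(this.ssoAgentConfig.getSAML2().getIdPEntityId())) {
            throw new SSOAgentException("SAML2 Response Issuer verification failed");
        }

        sso.setAssertion(assertion);
        validateAssertionValidityPeriod(assertion);
        validateAudienceRestriction(assertion);
        validateSignature(response, assertion);

        String subjectId = null;
        if (assertion.getSubject() != null && assertion.getSubject().getNameID() != null) {
            subjectId = assertion.getSubject().getNameID().getValue();
        }
        if (subjectId == null) {
            throw new SSOAgentException("SAML2 Response does not contain the name of the subject");
        }
        sso.setSubjectId(subjectId);
        sso.setAssertionString(marshall(assertion));
        sso.setSubjectAttributes(getAssertionStatements(assertion));

        boolean sloEnabled = this.ssoAgentConfig.getSAML2().isSLOEnabled().booleanValue();
        if (sloEnabled) {
            String sessionIndex = null;
            if (assertion.getAuthnStatements() != null && !assertion.getAuthnStatements().isEmpty()) {
                sessionIndex = assertion.getAuthnStatements().get(0).getSessionIndex();
            }
            if (sessionIndex == null) {
                throw new SSOAgentException(
                        "Single Logout is enabled but IdP Session ID not found in SAML2 Assertion");
            }
            sso.setSessionIndex(sessionIndex);
        }

        // The session is only created/populated after every check above has passed.
        HttpSession session = httpServletRequest.getSession();
        session.setAttribute(SSOAgentConstants.SESSION_BEAN_NAME, sessionBean);
        if (sloEnabled) {
            SSOAgentSessionManager.addAuthenticatedSession(session);
        }
    }

    /**
     * Builds an (unsigned) LogoutRequest for the given subject and IdP session index, valid for
     * {@link #LOGOUT_REQUEST_VALIDITY_MILLIS} from now.
     *
     * @param subjectId    NameID value of the user to log out
     * @param sessionIndex IdP SessionIndex of the SSO session
     * @return the populated LogoutRequest
     * @throws SSOAgentException if an id cannot be generated
     */
    protected LogoutRequest buildLogoutRequest(String subjectId, String sessionIndex) throws SSOAgentException {
        LogoutRequest logoutRequest = new LogoutRequestBuilder().buildObject();
        logoutRequest.setID(SSOAgentUtils.createID());
        logoutRequest.setDestination(this.ssoAgentConfig.getSAML2().getIdPURL());
        DateTime issueInstant = new DateTime();
        logoutRequest.setIssueInstant(issueInstant);
        logoutRequest.setNotOnOrAfter(new DateTime(issueInstant.getMillis() + LOGOUT_REQUEST_VALIDITY_MILLIS));

        Issuer issuer = new IssuerBuilder().buildObject();
        issuer.setValue(this.ssoAgentConfig.getSAML2().getSPEntityId());
        logoutRequest.setIssuer(issuer);

        NameID nameId = new NameIDBuilder().buildObject();
        nameId.setFormat(NameIDType.ENTITY);
        nameId.setValue(subjectId);
        logoutRequest.setNameID(nameId);

        SessionIndex index = new SessionIndexBuilder().buildObject();
        index.setSessionIndex(sessionIndex);
        logoutRequest.getSessionIndexes().add(index);

        logoutRequest.setReason("Single Logout");
        return logoutRequest;
    }

    /**
     * Builds a signed LogoutResponse addressed to the IdP.
     *
     * @param inResponseTo  id of the LogoutRequest being answered
     * @param statusCode    top-level status code URI
     * @param statusMessage optional status message; {@code null} to omit
     * @return the signed LogoutResponse
     * @throws SSOAgentException if id generation or signing fails
     */
    public LogoutResponse buildLogoutResponse(String inResponseTo, String statusCode, String statusMessage)
            throws SSOAgentException {
        LogoutResponse logoutResponse = new LogoutResponseBuilder().buildObject();
        logoutResponse.setID(SSOAgentUtils.createID());
        logoutResponse.setInResponseTo(inResponseTo);
        Issuer issuer = new IssuerBuilder().buildObject();
        issuer.setValue(this.ssoAgentConfig.getSAML2().getSPEntityId());
        logoutResponse.setIssuer(issuer);
        logoutResponse.setStatus(buildStatus(statusCode, statusMessage));
        logoutResponse.setIssueInstant(new DateTime());
        logoutResponse.setDestination(this.ssoAgentConfig.getSAML2().getIdPURL());
        SSOAgentUtils.setSignatureValue(logoutResponse, RSA_SHA1_SIGNATURE_ALGORITHM, signingCredential());
        return logoutResponse;
    }

    /**
     * Builds an (unsigned) AuthnRequest from the agent configuration: persistent NameID policy,
     * exact PasswordProtectedTransport authentication context, configured binding/ACS URL and
     * ForceAuthn/IsPassive flags. A request attribute named {@code Extensions} is attached as
     * the request's Extensions element when present.
     *
     * @param httpServletRequest incoming request; only consulted for the Extensions attribute
     * @return the populated AuthnRequest
     * @throws SSOAgentException if id generation fails or the configured
     *                           AttributeConsumingServiceIndex is not an integer
     */
    protected AuthnRequest buildAuthnRequest(HttpServletRequest httpServletRequest) throws SSOAgentException {
        Issuer issuer = new IssuerBuilder().buildObject(SAMLConstants.SAML20_NS, "Issuer", "samlp");
        issuer.setValue(this.ssoAgentConfig.getSAML2().getSPEntityId());

        NameIDPolicy nameIdPolicy = new NameIDPolicyBuilder().buildObject();
        nameIdPolicy.setFormat(NameIDType.PERSISTENT);
        nameIdPolicy.setSPNameQualifier("Issuer");
        nameIdPolicy.setAllowCreate(Boolean.TRUE);

        AuthnContextClassRef authnContextClassRef = new AuthnContextClassRefBuilder().buildObject(
                SAMLConstants.SAML20_NS, AuthnContextClassRef.DEFAULT_ELEMENT_LOCAL_NAME, "saml");
        authnContextClassRef.setAuthnContextClassRef(AuthnContext.PPT_AUTHN_CTX);
        RequestedAuthnContext requestedAuthnContext = new RequestedAuthnContextBuilder().buildObject();
        requestedAuthnContext.setComparison(AuthnContextComparisonTypeEnumeration.EXACT);
        requestedAuthnContext.getAuthnContextClassRefs().add(authnContextClassRef);

        AuthnRequest authnRequest = new AuthnRequestBuilder().buildObject(
                SAMLConstants.SAML20P_NS, AuthnRequest.DEFAULT_ELEMENT_LOCAL_NAME, "samlp");
        authnRequest.setForceAuthn(this.ssoAgentConfig.getSAML2().isForceAuthn());
        authnRequest.setIsPassive(this.ssoAgentConfig.getSAML2().isPassiveAuthn());
        authnRequest.setIssueInstant(new DateTime());
        authnRequest.setProtocolBinding(this.ssoAgentConfig.getSAML2().getHttpBinding());
        authnRequest.setAssertionConsumerServiceURL(this.ssoAgentConfig.getSAML2().getACSURL());
        authnRequest.setIssuer(issuer);
        authnRequest.setNameIDPolicy(nameIdPolicy);
        authnRequest.setRequestedAuthnContext(requestedAuthnContext);
        authnRequest.setID(SSOAgentUtils.createID());
        authnRequest.setVersion(SAMLVersion.VERSION_20);
        authnRequest.setDestination(this.ssoAgentConfig.getSAML2().getIdPURL());

        Object extensions = httpServletRequest.getAttribute(Extensions.LOCAL_NAME);
        if (extensions != null) {
            authnRequest.setExtensions((Extensions) extensions);
        }

        String acsIndex = this.ssoAgentConfig.getSAML2().getAttributeConsumingServiceIndex();
        if (acsIndex != null && acsIndex.trim().length() > 0) {
            try {
                authnRequest.setAttributeConsumingServiceIndex(Integer.valueOf(Integer.parseInt(acsIndex)));
            } catch (NumberFormatException e) {
                throw new SSOAgentException("Invalid AttributeConsumingServiceIndex in SSO agent configuration", e);
            }
        }
        return authnRequest;
    }

    /**
     * Marshals a SAML message and encodes it for the given binding: DEFLATE + base64 + URL-encoding
     * for HTTP-Redirect, plain single-line base64 for HTTP-POST. Any other binding URI is logged
     * and treated as HTTP-POST.
     *
     * @param signableSAMLObject message to encode
     * @param binding            SAML2 binding URI
     * @return the encoded message
     * @throws SSOAgentException if marshalling or compression fails
     */
    protected String encodeRequestMessage(SignableSAMLObject signableSAMLObject, String binding)
            throws SSOAgentException {
        try {
            Element dom = Configuration.getMarshallerFactory().getMarshaller(signableSAMLObject)
                    .marshall(signableSAMLObject);
            StringWriter writer = new StringWriter();
            XMLHelper.writeNode(dom, writer);
            byte[] xml = writer.toString().getBytes(UTF_8);

            if (SAMLConstants.SAML2_REDIRECT_BINDING_URI.equals(binding)) {
                return URLEncoder.encode(deflateAndBase64Encode(xml), UTF_8.name()).trim();
            }
            if (!SAMLConstants.SAML2_POST_BINDING_URI.equals(binding)) {
                LOGGER.log(Level.FINE,
                        "Unsupported SAML2 HTTP Binding. Defaulting to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
            }
            return Base64.encodeBytes(xml, Base64.DONT_BREAK_LINES);
        } catch (IOException e) {
            throw new SSOAgentException("Error occurred while encoding SAML2 request", e);
        } catch (MarshallingException e) {
            throw new SSOAgentException("Error occurred while encoding SAML2 request", e);
        }
    }

    /**
     * Flattens the assertion's AttributeStatements into a name to comma-joined-values map.
     * Attributes repeated across statements overwrite earlier entries.
     *
     * @param assertion assertion to read; may be null
     * @return attribute map, empty when there are no statements
     */
    private Map<String, String> getAssertionStatements(Assertion assertion) {
        Map<String, String> attributes = new HashMap<String, String>();
        if (assertion == null || assertion.getAttributeStatements() == null) {
            return attributes;
        }
        for (AttributeStatement statement : assertion.getAttributeStatements()) {
            for (Attribute attribute : statement.getAttributes()) {
                List<String> values = new ArrayList<String>();
                for (XMLObject value : attribute.getAttributeValues()) {
                    values.add(value.getDOM().getTextContent());
                }
                attributes.put(attribute.getName(), StringUtils.join(values, ","));
            }
        }
        return attributes;
    }

    /**
     * Verifies that every AudienceRestriction of the assertion names this SP.
     * <p>
     * Per SAML 2.0 core the Audience values inside one AudienceRestriction are a disjunction
     * while separate AudienceRestriction elements are a conjunction, so each restriction must
     * list the configured SP entity id.
     *
     * @param assertion assertion to check; a null assertion is accepted
     * @throws SSOAgentException if Conditions or AudienceRestrictions are missing, or any
     *                           restriction does not include the SP entity id
     */
    protected void validateAudienceRestriction(Assertion assertion) throws SSOAgentException {
        if (assertion == null) {
            return;
        }
        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            throw new SSOAgentException("SAML2 Response doesn't contain Conditions");
        }
        List<AudienceRestriction> restrictions = conditions.getAudienceRestrictions();
        if (restrictions == null || restrictions.isEmpty()) {
            throw new SSOAgentException("SAML2 Response doesn't contain AudienceRestrictions");
        }
        String spEntityId = this.ssoAgentConfig.getSAML2().getSPEntityId();
        for (AudienceRestriction restriction : restrictions) {
            if (!containsAudience(restriction, spEntityId)) {
                throw new SSOAgentException("SAML2 Assertion Audience Restriction validation failed");
            }
        }
    }

    /**
     * Validates the Response and Assertion signatures according to the configuration.
     * <p>
     * A registered custom {@link SAMLSignatureValidator} takes over completely. Otherwise the
     * Response signature is required and checked when response signing is configured, and the
     * Assertion signature likewise when assertion signing is configured. If neither flag is set
     * no signature is verified at all; that is a configuration decision, not a check done here.
     *
     * @param response  the Response
     * @param assertion the (decrypted) Assertion
     * @throws SSOAgentException if a required signature is missing or invalid
     */
    protected void validateSignature(Response response, Assertion assertion) throws SSOAgentException {
        Object customValidator = SSOAgentDataHolder.getInstance().getSignatureValidator();
        if (customValidator != null) {
            ((SAMLSignatureValidator) customValidator).validateSignature(response, assertion, this.ssoAgentConfig);
            return;
        }
        if (this.ssoAgentConfig.getSAML2().isResponseSigned().booleanValue()) {
            if (response.getSignature() == null) {
                throw new SSOAgentException(
                        "SAML2 Response signing is enabled, but signature element not found in SAML2 Response element");
            }
            validateSignature(response.getSignature());
        }
        if (this.ssoAgentConfig.getSAML2().isAssertionSigned().booleanValue()) {
            if (assertion == null || assertion.getSignature() == null) {
                throw new SSOAgentException(
                        "SAML2 Assertion signing is enabled, but signature element not found in SAML2 Assertion element");
            }
            validateSignature(assertion.getSignature());
        }
    }

    /**
     * Serialises a SAML object to an XML string using the DOM Load/Save API.
     * <p>
     * The JAXP DocumentBuilderFactory system property is (re)set to the Xerces implementation
     * on every call; this is a process-wide side effect inherited from the original design.
     *
     * @param xMLObject object to serialise
     * @return the XML as a UTF-8 string
     * @throws SSOAgentException if marshalling or obtaining the DOM implementation fails
     */
    protected String marshall(XMLObject xMLObject) throws SSOAgentException {
        try {
            System.setProperty("javax.xml.parsers.DocumentBuilderFactory",
                    "org.apache.xerces.jaxp.DocumentBuilderFactoryImpl");
            Element dom = org.opensaml.xml.Configuration.getMarshallerFactory().getMarshaller(xMLObject)
                    .marshall(xMLObject);
            ByteArrayOutputStream buffer = new ByteArrayOutputStream();
            DOMImplementationLS domImplementation =
                    (DOMImplementationLS) DOMImplementationRegistry.newInstance().getDOMImplementation("LS");
            LSSerializer serializer = domImplementation.createLSSerializer();
            LSOutput output = domImplementation.createLSOutput();
            output.setByteStream(buffer);
            serializer.write(dom, output);
            return new String(buffer.toByteArray(), UTF_8);
        } catch (ClassNotFoundException e) {
            throw new SSOAgentException("Error in marshalling SAML2 Assertion", e);
        } catch (IllegalAccessException e) {
            throw new SSOAgentException("Error in marshalling SAML2 Assertion", e);
        } catch (InstantiationException e) {
            throw new SSOAgentException("Error in marshalling SAML2 Assertion", e);
        } catch (MarshallingException e) {
            throw new SSOAgentException("Error in marshalling SAML2 Assertion", e);
        }
    }

    /**
     * Decrypts an EncryptedAssertion: the SP credential unwraps the first EncryptedKey of the
     * EncryptedData's KeyInfo, and the resulting symmetric key decrypts the assertion.
     *
     * @param encryptedAssertion assertion to decrypt
     * @return the decrypted Assertion (rooted in a new document)
     * @throws SSOAgentException if no EncryptedKey is present or decryption fails
     */
    protected Assertion getDecryptedAssertion(EncryptedAssertion encryptedAssertion) throws SSOAgentException {
        if (encryptedAssertion.getEncryptedData() == null
                || encryptedAssertion.getEncryptedData().getKeyInfo() == null
                || encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys().isEmpty()) {
            throw new SSOAgentException("Decrypted assertion error: EncryptedAssertion carries no EncryptedKey");
        }
        try {
            StaticKeyInfoCredentialResolver spKeyResolver = new StaticKeyInfoCredentialResolver(signingCredential());
            String algorithm = encryptedAssertion.getEncryptedData().getEncryptionMethod().getAlgorithm();
            SecretKey dataKey = (SecretKey) new Decrypter(null, spKeyResolver, null).decryptKey(
                    encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys().get(0), algorithm);
            Decrypter assertionDecrypter = new Decrypter(
                    new StaticKeyInfoCredentialResolver(SecurityHelper.getSimpleCredential(dataKey)), null, null);
            assertionDecrypter.setRootInNewDocument(true);
            return assertionDecrypter.decrypt(encryptedAssertion);
        } catch (Exception e) {
            throw new SSOAgentException("Decrypted assertion error", e);
        }
    }

    /**
     * Tells whether the Response carries the Responder/NoPassive status, i.e. the IdP could not
     * authenticate without user interaction in a passive request.
     *
     * @param response Response to inspect
     * @return {@code true} for status Responder with nested NoPassive, {@code false} otherwise
     */
    protected boolean isNoPassive(Response response) {
        Status status = response.getStatus();
        if (status == null || status.getStatusCode() == null) {
            return false;
        }
        StatusCode topLevel = status.getStatusCode();
        if (!StatusCode.RESPONDER_URI.equals(topLevel.getValue())) {
            return false;
        }
        StatusCode nested = topLevel.getStatusCode();
        return nested != null && StatusCode.NO_PASSIVE_URI.equals(nested.getValue());
    }

    /**
     * @return the configuration this manager operates on
     */
    public SSOAgentConfig getSsoAgentConfig() {
        return this.ssoAgentConfig;
    }

    /**
     * Enforces the assertion's NotBefore / NotOnOrAfter conditions, widened by the configured
     * clock skew, and rejects an inverted validity window. Assertions without Conditions pass.
     *
     * @param assertion assertion to check
     * @throws SSOAgentException if the assertion is not yet valid, expired, or inconsistent
     */
    private void validateAssertionValidityPeriod(Assertion assertion) throws SSOAgentException {
        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            return;
        }
        int skewSeconds = this.ssoAgentConfig.getSAML2().getTimeStampSkewInSeconds();
        DateTime notBefore = conditions.getNotBefore();
        DateTime notOnOrAfter = conditions.getNotOnOrAfter();
        if (notBefore != null && notBefore.minusSeconds(skewSeconds).isAfterNow()) {
            throw new SSOAgentException("Failed to meet SAML Assertion Condition 'Not Before'");
        }
        if (notOnOrAfter != null && notOnOrAfter.plusSeconds(skewSeconds).isBeforeNow()) {
            throw new SSOAgentException("Failed to meet SAML Assertion Condition 'Not On Or After'");
        }
        if (notBefore != null && notOnOrAfter != null && notBefore.isAfter(notOnOrAfter)) {
            throw new SSOAgentException(
                    "SAML Assertion Condition 'Not Before' must be less than the value of 'Not On Or After'");
        }
    }

    /**
     * Validates one XML signature: first against the SAML signature profile (rejecting
     * signature-wrapping shapes), then cryptographically against the agent's X509 credential.
     * A profile violation is additionally written to the audit log.
     *
     * @param xMLObject the Signature object to check
     * @throws SSOAgentException if the profile check or the cryptographic check fails
     */
    private void validateSignature(XMLObject xMLObject) throws SSOAgentException {
        SignatureImpl signature = (SignatureImpl) xMLObject;
        try {
            new SAMLSignatureProfileValidator().validate((Signature) signature);
        } catch (ValidationException e) {
            CarbonConstants.AUDIT_LOG.warn(
                    "Signature do not confirm to SAML signature profile. Possible XML Signature Wrapping  Attack!");
            if (log.isDebugEnabled()) {
                log.debug("Signature do not confirm to SAML signature profile. Possible XML Signature Wrapping  Attack!", e);
            }
            throw new SSOAgentException(
                    "Signature do not confirm to SAML signature profile. Possible XML Signature Wrapping  Attack!", e);
        }
        try {
            // NOTE(review): the verification credential is the configured agent X509 credential;
            // which certificate it exposes for verification is decided inside X509CredentialImpl.
            new SignatureValidator(signingCredential()).validate((Signature) signature);
        } catch (ValidationException e) {
            if (log.isDebugEnabled()) {
                log.debug("Validation exception : ", e);
            }
            throw new SSOAgentException("Signature validation failed for SAML2 Element", e);
        }
    }

    /**
     * Builds a Status element with the given code and optional message.
     *
     * @param statusCode    status code URI
     * @param statusMessage message text; {@code null} to omit the StatusMessage element
     * @return the Status
     */
    private Status buildStatus(String statusCode, String statusMessage) {
        Status status = new StatusBuilder().buildObject();
        StatusCode code = new StatusCodeBuilder().buildObject();
        code.setValue(statusCode);
        status.setStatusCode(code);
        if (statusMessage != null) {
            StatusMessage message = new StatusMessageBuilder().buildObject();
            message.setMessage(statusMessage);
            status.setStatusMessage(message);
        }
        return status;
    }

    /**
     * Returns the SAML2 part of the logged-in session bean of the caller's existing HTTP session.
     *
     * @param request            incoming request
     * @param missingBeanMessage message of the exception thrown when the session has no bean
     * @throws InvalidSessionException if there is no HTTP session
     * @throws SSOAgentException       if the session carries no {@link LoggedInSessionBean}
     */
    private LoggedInSessionBean.SAML2SSO currentSAML2SSOSession(HttpServletRequest request, String missingBeanMessage)
            throws SSOAgentException {
        HttpSession session = request.getSession(false);
        if (session == null) {
            throw new InvalidSessionException("Session is expired or user already logged out.");
        }
        LoggedInSessionBean sessionBean =
                (LoggedInSessionBean) session.getAttribute(SSOAgentConstants.SESSION_BEAN_NAME);
        if (sessionBean == null) {
            throw new SSOAgentException(missingBeanMessage);
        }
        return sessionBean.getSAML2SSO();
    }

    /**
     * Picks the assertion to process: the first decrypted EncryptedAssertion when assertion
     * encryption is configured (a plaintext assertion is deliberately ignored in that mode),
     * otherwise the first plain Assertion.
     *
     * @return the assertion, or {@code null} when the response carries none of the expected kind
     * @throws SSOAgentException if decryption fails
     */
    private Assertion extractAssertion(Response response) throws SSOAgentException {
        if (this.ssoAgentConfig.getSAML2().isAssertionEncrypted().booleanValue()) {
            List<EncryptedAssertion> encryptedAssertions = response.getEncryptedAssertions();
            if (CollectionUtils.isEmpty(encryptedAssertions)) {
                return null;
            }
            try {
                return getDecryptedAssertion(encryptedAssertions.get(0));
            } catch (SSOAgentException e) {
                if (log.isDebugEnabled()) {
                    log.debug("Assertion decryption failure : ", e);
                }
                throw new SSOAgentException("Unable to decrypt the SAML2 Assertion", e);
            }
        }
        List<Assertion> assertions = response.getAssertions();
        return (assertions == null || assertions.isEmpty()) ? null : assertions.get(0);
    }

    /** @return whether one of the restriction's Audience URIs equals {@code spEntityId}. */
    private static boolean containsAudience(AudienceRestriction restriction, String spEntityId) {
        if (restriction.getAudiences() == null) {
            return false;
        }
        for (Audience audience : restriction.getAudiences()) {
            if (spEntityId.equals(audience.getAudienceURI())) {
                return true;
            }
        }
        return false;
    }

    /** Invalidates a session, ignoring the case where it has already been invalidated. */
    private static void invalidateQuietly(HttpSession session) {
        try {
            session.invalidate();
        } catch (IllegalStateException ignored) {
            // Session already invalidated by another logout path; nothing left to do.
            if (log.isDebugEnabled()) {
                log.debug("Ignoring exception : ", ignored);
            }
        }
    }

    /**
     * Base64-decodes an incoming SAML message to a UTF-8 string.
     *
     * @throws SSOAgentException if the input is not valid base64
     */
    private static String decodeBase64Message(String encoded) throws SSOAgentException {
        byte[] decoded = Base64.decode(encoded);
        if (decoded == null) {
            throw new SSOAgentException("Invalid SAML2 message. Base64 decoding failed.");
        }
        return new String(decoded, UTF_8);
    }

    /**
     * DEFLATE-compresses (raw, no zlib header) and base64-encodes the bytes for the Redirect binding.
     * The Deflater is ended explicitly because DeflaterOutputStream does not end a caller-supplied one.
     */
    private static String deflateAndBase64Encode(byte[] xml) throws IOException {
        Deflater deflater = new Deflater(Deflater.DEFLATED, true);
        try {
            ByteArrayOutputStream buffer = new ByteArrayOutputStream();
            DeflaterOutputStream out = new DeflaterOutputStream(buffer, deflater);
            out.write(xml);
            out.close();
            return Base64.encodeBytes(buffer.toByteArray(), Base64.DONT_BREAK_LINES);
        } finally {
            deflater.end();
        }
    }

    /**
     * Escapes the five characters that can terminate or re-interpret an HTML attribute or text
     * node. Browsers decode the entities before submitting the form, so the posted value is
     * unchanged.
     */
    private static String escapeHtml(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':
                    out.append("&amp;");
                    break;
                case '<':
                    out.append("&lt;");
                    break;
                case '>':
                    out.append("&gt;");
                    break;
                case '"':
                    out.append("&quot;");
                    break;
                case '\'':
                    out.append("&#39;");
                    break;
                default:
                    out.append(c);
            }
        }
        return out.toString();
    }

    /** @return whether the configuration asks for outgoing requests to be signed. */
    private boolean isRequestSigned() {
        return this.ssoAgentConfig.getSAML2().isRequestSigned().booleanValue();
    }

    /** @return the agent's X509 credential wrapped for OpenSAML signing/verification. */
    private X509CredentialImpl signingCredential() {
        return new X509CredentialImpl(this.ssoAgentConfig.getSAML2().getSSOAgentX509Credential());
    }
}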
