package org.wso2.carbon.identity.sso.agent.saml;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.StringWriter;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.Charset;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLVersion;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.LogoutRequest;
import org.opensaml.saml2.core.LogoutResponse;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.NameIDPolicy;
import org.opensaml.saml2.core.RequestAbstractType;
import org.opensaml.saml2.core.RequestedAuthnContext;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.SessionIndex;
import org.opensaml.saml2.core.impl.AuthnContextClassRefBuilder;
import org.opensaml.saml2.core.impl.AuthnRequestBuilder;
import org.opensaml.saml2.core.impl.IssuerBuilder;
import org.opensaml.saml2.core.impl.LogoutRequestBuilder;
import org.opensaml.saml2.core.impl.NameIDBuilder;
import org.opensaml.saml2.core.impl.NameIDPolicyBuilder;
import org.opensaml.saml2.core.impl.RequestedAuthnContextBuilder;
import org.opensaml.saml2.core.impl.SessionIndexBuilder;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.io.UnmarshallingException;
import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.util.Base64;
import org.opensaml.xml.util.XMLHelper;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Element;
import org.wso2.carbon.identity.sso.agent.bean.SSOAgentSessionBean;
import org.wso2.carbon.identity.sso.agent.exception.SSOAgentException;
import org.wso2.carbon.identity.sso.agent.util.SSOAgentConfigs;
import org.wso2.carbon.identity.sso.agent.util.SSOAgentConstants;
import org.wso2.carbon.identity.sso.agent.util.SSOAgentUtils;
import org.xml.sax.SAXException;

/* loaded from: input_file:org/wso2/carbon/identity/sso/agent/saml/SAML2SSOManager.class */
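/**
 * Builds outbound SAML 2.0 messages (AuthnRequest / LogoutRequest) for the HTTP-Redirect binding and
 * consumes inbound SAML 2.0 messages (Response / LogoutRequest / LogoutResponse) that the user agent
 * posts back to this service provider.
 *
 * <p>Inbound messages arrive as HTTP-POST parameters and are untrusted. They are parsed with a
 * DTD/entity-hardened parser and, when the agent configuration asks for it, signature-validated
 * against the configured IdP credential before anything derived from them is written to the HTTP
 * session.
 *
 * <p>The credential is fixed at construction. {@code relayState} is a plain field that is not
 * assigned anywhere in this class.
 */
public class SAML2SSOManager {

    /** Charset for every byte/String conversion of SAML messages (never the platform default). */
    private static final Charset UTF8 = Charset.forName("UTF-8");

    /** Validity window granted to an outbound LogoutRequest via NotOnOrAfter (5 minutes). */
    private static final long LOGOUT_REQUEST_VALIDITY_MILLIS = 300000L;

    /** Message used for every failure to unmarshall an inbound message. */
    private static final String UNMARSHALL_ERROR = "Error in unmarshalling SAML Request from the encoded String";

    /** Message used for every failure to encode an outbound request. */
    private static final String ENCODE_ERROR = "Error occurred while encoding SAML request";

    /** Not assigned within this class; the RelayState branch of {@link #buildRequest} depends on it. */
    private String relayState = null;

    /** IdP credential used to validate inbound signatures and to sign outbound requests. */
    private final X509Credential credential;

    /**
     * Bootstraps OpenSAML and loads the configured {@code SSOAgentCredential} implementation.
     *
     * @throws SSOAgentException if OpenSAML cannot be bootstrapped or the credential class cannot be
     *     loaded, instantiated or accessed
     */
    public SAML2SSOManager() throws SSOAgentException {
        try {
            DefaultBootstrap.bootstrap();
            String credentialClassName = SSOAgentConfigs.getSSOAgentCredentialImplClass();
            SSOAgentCredential agentCredential =
                    (SSOAgentCredential) Class.forName(credentialClassName).newInstance();
            agentCredential.init();
            this.credential = new X509CredentialImpl(agentCredential);
        } catch (ConfigurationException e) {
            throw new SSOAgentException("Error while bootstrapping OpenSAML library", e);
        } catch (ClassNotFoundException e) {
            throw credentialInitError(e);
        } catch (IllegalAccessException e) {
            throw credentialInitError(e);
        } catch (InstantiationException e) {
            throw credentialInitError(e);
        }
    }

    /** Wraps a reflective failure while loading the credential implementation class. */
    private static SSOAgentException credentialInitError(Exception cause) {
        return new SSOAgentException("Error while instantiating SSOAgentCredentialImplClass: "
                + SSOAgentConfigs.getSSOAgentCredentialImplClass(), cause);
    }

    /**
     * Builds the IdP redirect URL carrying a deflated, base64- and URL-encoded SAML request.
     *
     * @param request the current HTTP request; for a logout request the authenticated session bean
     *     is read from its session
     * @param isLogoutRequest {@code true} to build a LogoutRequest, {@code false} for an AuthnRequest
     * @param isPassive value of the AuthnRequest {@code IsPassive} flag (ignored for logout)
     * @return the IdP URL with {@code SAMLRequest}, optional {@code RelayState} and, when configured,
     *     a signature appended to the query string
     * @throws SSOAgentException if no session bean exists for a logout request, or encoding fails
     */
    public String buildRequest(HttpServletRequest request, boolean isLogoutRequest, boolean isPassive)
            throws SSOAgentException {
        RequestAbstractType samlRequest;
        if (isLogoutRequest) {
            SSOAgentSessionBean sessionBean = (SSOAgentSessionBean) request.getSession()
                    .getAttribute(SSOAgentConfigs.getSessionBeanName());
            if (sessionBean == null) {
                throw new SSOAgentException("No authenticated session found to build the Single Logout request");
            }
            samlRequest = buildLogoutRequest(sessionBean.getSubjectId(), sessionBean.getIdPSession());
        } else {
            samlRequest = buildAuthnRequest(isPassive);
        }

        StringBuilder query = new StringBuilder("SAMLRequest=").append(encodeRequestMessage(samlRequest));
        if (this.relayState != null && !this.relayState.isEmpty()) {
            try {
                query.append("&RelayState=").append(URLEncoder.encode(this.relayState, "UTF-8").trim());
            } catch (UnsupportedEncodingException e) {
                throw new SSOAgentException("Error occurred while url encoding RelayState", e);
            }
        }
        if (SSOAgentConfigs.isRequestSigned()) {
            // Appends SigAlg and Signature over the query string built so far.
            SSOAgentUtils.addDeflateSignatureToHTTPQueryString(query, this.credential);
        }

        String idpUrl = SSOAgentConfigs.getIdPUrl();
        String separator = idpUrl.indexOf('?') > -1 ? "&" : "?";
        return idpUrl + separator + query;
    }

    /**
     * Dispatches an inbound SAMLResponse POST parameter: a LogoutResponse ends the local session,
     * anything else is processed as an authentication Response.
     *
     * @param request the HTTP request carrying the SAML2 response parameter
     * @throws SSOAgentException if the parameter is missing, cannot be parsed, or fails validation
     */
    public void processResponse(HttpServletRequest request) throws SSOAgentException {
        XMLObject samlMessage =
                unmarshall(decodePostParameter(request, SSOAgentConstants.HTTP_POST_PARAM_SAML2_RESP));
        if (samlMessage instanceof LogoutResponse) {
            handleLogoutMessage(request, samlMessage);
        } else {
            processSSOResponse(request, samlMessage);
        }
    }

    /**
     * Handles a Single Logout message. The SAML2 request parameter is preferred; the response
     * parameter is used when no request parameter is present.
     *
     * @param request the HTTP request carrying the logout message
     * @throws SSOAgentException if neither parameter is present, or the message is not a
     *     LogoutRequest/LogoutResponse
     */
    public void doSLO(HttpServletRequest request) throws SSOAgentException {
        String parameterName = SSOAgentConstants.HTTP_POST_PARAM_SAML2_AUTH_REQ;
        if (request.getParameter(parameterName) == null) {
            parameterName = SSOAgentConstants.HTTP_POST_PARAM_SAML2_RESP;
        }
        handleLogoutMessage(request, unmarshall(decodePostParameter(request, parameterName)));
    }

    /**
     * Applies an already-parsed logout message: a LogoutRequest invalidates the session bound to the
     * carried SessionIndex, a LogoutResponse invalidates the caller's own session.
     */
    private void handleLogoutMessage(HttpServletRequest request, XMLObject samlMessage)
            throws SSOAgentException {
        if (samlMessage instanceof LogoutRequest) {
            // NOTE(review): the LogoutRequest is acted on without any signature validation, so an
            // unauthenticated logout of the referenced session is possible; if the IdP signs logout
            // requests, validate that signature here before invalidating.
            List<SessionIndex> sessionIndexes = ((LogoutRequest) samlMessage).getSessionIndexes();
            if (sessionIndexes == null || sessionIndexes.isEmpty()) {
                throw new SSOAgentException("Invalid Single Logout SAML Request");
            }
            SSOAgentSessionManager.invalidateSessionByIdPSId(sessionIndexes.get(0).getSessionIndex());
        } else if (samlMessage instanceof LogoutResponse) {
            request.getSession().invalidate();
        } else {
            throw new SSOAgentException("Invalid Single Logout SAML Request");
        }
    }

    /**
     * Validates an authentication Response and, only after validation succeeds, records the subject,
     * attributes and (when SLO is enabled) the IdP session index in the HTTP session.
     *
     * <p>A Response without an assertion is accepted silently only for the
     * IdP-error/NoPassive status combination; every other assertion-less Response is rejected.
     */
    private void processSSOResponse(HttpServletRequest request, XMLObject samlMessage)
            throws SSOAgentException {
        if (!(samlMessage instanceof Response)) {
            throw new SSOAgentException("Invalid SAML Response");
        }
        Response response = (Response) samlMessage;
        Assertion assertion = firstAssertion(response);
        if (assertion == null) {
            if (isNoPassiveResponse(response)) {
                return;
            }
            throw new SSOAgentException("SAML Assertion not found in the Response");
        }

        // Validate before anything from the message touches the session.
        validateSignature(response, assertion);
        validateAudienceRestriction(assertion);
        // NOTE(review): the top-level StatusCode is not checked for Success when an assertion is
        // present, and Conditions NotBefore/NotOnOrAfter, InResponseTo and Destination are not
        // validated here — confirm these are enforced elsewhere before relying on this path.

        String subjectId = null;
        if (assertion.getSubject() != null && assertion.getSubject().getNameID() != null) {
            subjectId = assertion.getSubject().getNameID().getValue();
        }
        if (subjectId == null) {
            throw new SSOAgentException("SAML Response does not contain the name of the subject");
        }

        String sessionIndex = null;
        if (SSOAgentConfigs.isSLOEnabled()) {
            List<AuthnStatement> authnStatements = assertion.getAuthnStatements();
            if (authnStatements != null && !authnStatements.isEmpty()) {
                sessionIndex = authnStatements.get(0).getSessionIndex();
            }
            if (sessionIndex == null) {
                throw new SSOAgentException(
                        "Single Logout is enabled but IdP Session ID not found in SAML Assertion");
            }
        }

        String beanName = SSOAgentConfigs.getSessionBeanName();
        SSOAgentSessionBean sessionBean = (SSOAgentSessionBean) request.getSession().getAttribute(beanName);
        if (sessionBean == null) {
            sessionBean = new SSOAgentSessionBean();
        }
        sessionBean.setSubjectId(subjectId);
        sessionBean.setSamlSSOAttributes(getAssertionStatements(assertion));
        if (sessionIndex != null) {
            sessionBean.setIdPSession(sessionIndex);
        }
        request.getSession().setAttribute(beanName, sessionBean);
        if (sessionIndex != null) {
            SSOAgentSessionManager.addAuthenticatedSession(sessionIndex, request.getSession());
        }
    }

    /** Returns the first assertion of the response, or {@code null} if it carries none. */
    private static Assertion firstAssertion(Response response) {
        List<Assertion> assertions = response.getAssertions();
        if (assertions == null || assertions.isEmpty()) {
            return null;
        }
        return assertions.get(0);
    }

    /**
     * Returns whether the response status is IdP-error with a nested NoPassive sub-status — the one
     * assertion-less outcome this agent treats as a non-error.
     */
    private static boolean isNoPassiveResponse(Response response) {
        if (response.getStatus() == null || response.getStatus().getStatusCode() == null) {
            return false;
        }
        if (!SSOAgentConstants.StatusCodes.IDENTITY_PROVIDER_ERROR
                .equals(response.getStatus().getStatusCode().getValue())) {
            return false;
        }
        return response.getStatus().getStatusCode().getStatusCode() != null
                && SSOAgentConstants.StatusCodes.NO_PASSIVE
                        .equals(response.getStatus().getStatusCode().getStatusCode().getValue());
    }

    /**
     * Builds a LogoutRequest for the given subject and IdP session index, valid for
     * {@link #LOGOUT_REQUEST_VALIDITY_MILLIS} from now.
     */
    private LogoutRequest buildLogoutRequest(String subjectId, String idpSessionIndex) throws SSOAgentException {
        LogoutRequest logoutRequest = new LogoutRequestBuilder().buildObject();
        logoutRequest.setID(SSOAgentUtils.createID());
        logoutRequest.setDestination(SSOAgentConfigs.getIdPUrl());
        DateTime issueInstant = new DateTime();
        logoutRequest.setIssueInstant(issueInstant);
        logoutRequest.setNotOnOrAfter(new DateTime(issueInstant.getMillis() + LOGOUT_REQUEST_VALIDITY_MILLIS));

        Issuer issuer = new IssuerBuilder().buildObject();
        issuer.setValue(SSOAgentConfigs.getIssuerId());
        logoutRequest.setIssuer(issuer);

        // Format is kept as the existing deployments expect it, even though the value is a subject id.
        NameID nameId = new NameIDBuilder().buildObject();
        nameId.setFormat("urn:oasis:names:tc:SAML:2.0:nameid-format:entity");
        nameId.setValue(subjectId);
        logoutRequest.setNameID(nameId);

        SessionIndex sessionIndex = new SessionIndexBuilder().buildObject();
        sessionIndex.setSessionIndex(idpSessionIndex);
        logoutRequest.getSessionIndexes().add(sessionIndex);

        logoutRequest.setReason("Single Logout");
        return logoutRequest;
    }

    /**
     * Builds an AuthnRequest for the HTTP-POST response binding with a persistent NameID policy and
     * an exact PasswordProtectedTransport authentication context.
     *
     * <p>A fresh ID is generated for every request. The previous per-instance ID was
     * {@code Integer.toHexString(new Double(Math.random()).intValue())}, which truncates a value in
     * [0,1) to 0 and therefore always produced {@code "0"}.
     *
     * @param isPassive value of the {@code IsPassive} flag
     * @throws SSOAgentException if the configured AttributeConsumingServiceIndex is not an integer
     */
    private AuthnRequest buildAuthnRequest(boolean isPassive) throws SSOAgentException {
        Issuer issuer = new IssuerBuilder()
                .buildObject("urn:oasis:names:tc:SAML:2.0:assertion", "Issuer", "samlp");
        issuer.setValue(SSOAgentConfigs.getIssuerId());

        NameIDPolicy nameIdPolicy = new NameIDPolicyBuilder().buildObject();
        nameIdPolicy.setFormat("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
        nameIdPolicy.setSPNameQualifier("Issuer");
        nameIdPolicy.setAllowCreate(true);

        AuthnContextClassRef classRef = new AuthnContextClassRefBuilder()
                .buildObject("urn:oasis:names:tc:SAML:2.0:assertion", "AuthnContextClassRef", "saml");
        classRef.setAuthnContextClassRef("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport");
        RequestedAuthnContext requestedContext = new RequestedAuthnContextBuilder().buildObject();
        requestedContext.setComparison(AuthnContextComparisonTypeEnumeration.EXACT);
        requestedContext.getAuthnContextClassRefs().add(classRef);

        AuthnRequest authnRequest = new AuthnRequestBuilder()
                .buildObject("urn:oasis:names:tc:SAML:2.0:protocol", "AuthnRequest", "samlp");
        authnRequest.setForceAuthn(false);
        authnRequest.setIsPassive(Boolean.valueOf(isPassive));
        authnRequest.setIssueInstant(new DateTime());
        authnRequest.setProtocolBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
        authnRequest.setAssertionConsumerServiceURL(SSOAgentConfigs.getConsumerUrl());
        authnRequest.setIssuer(issuer);
        authnRequest.setNameIDPolicy(nameIdPolicy);
        authnRequest.setRequestedAuthnContext(requestedContext);
        authnRequest.setID(SSOAgentUtils.createID());
        authnRequest.setVersion(SAMLVersion.VERSION_20);
        authnRequest.setDestination(SSOAgentConfigs.getIdPUrl());

        String acsIndex = SSOAgentConfigs.getAttributeConsumingServiceIndex();
        if (acsIndex != null && acsIndex.trim().length() > 0) {
            try {
                authnRequest.setAttributeConsumingServiceIndex(Integer.valueOf(Integer.parseInt(acsIndex)));
            } catch (NumberFormatException e) {
                throw new SSOAgentException("AttributeConsumingServiceIndex is not an integer: " + acsIndex, e);
            }
        }
        return authnRequest;
    }

    /**
     * Marshalls the request to XML, DEFLATEs it (raw stream, no zlib wrapper, as the HTTP-Redirect
     * binding requires), base64-encodes it on a single line and URL-encodes the result.
     */
    private String encodeRequestMessage(RequestAbstractType samlRequest) throws SSOAgentException {
        Deflater deflater = new Deflater(8, true);
        try {
            Element dom = Configuration.getMarshallerFactory().getMarshaller(samlRequest).marshall(samlRequest);
            StringWriter xml = new StringWriter();
            XMLHelper.writeNode(dom, xml);

            ByteArrayOutputStream deflated = new ByteArrayOutputStream();
            DeflaterOutputStream deflaterStream = new DeflaterOutputStream(deflated, deflater);
            deflaterStream.write(xml.toString().getBytes(UTF8));
            deflaterStream.close(); // finishes the DEFLATE stream; output is incomplete until then

            // 8 is presumably OpenSAML Base64.DONT_BREAK_LINES — the literal is kept as found.
            return URLEncoder.encode(Base64.encodeBytes(deflated.toByteArray(), 8), "UTF-8").trim();
        } catch (UnsupportedEncodingException e) {
            throw new SSOAgentException(ENCODE_ERROR, e);
        } catch (MarshallingException e) {
            throw new SSOAgentException(ENCODE_ERROR, e);
        } catch (IOException e) {
            throw new SSOAgentException(ENCODE_ERROR, e);
        } finally {
            deflater.end(); // releases native zlib memory regardless of outcome
        }
    }

    /**
     * Reads a base64-encoded POST parameter and decodes it to a UTF-8 string.
     *
     * @throws SSOAgentException if the parameter is absent or blank
     */
    private static String decodePostParameter(HttpServletRequest request, String parameterName)
            throws SSOAgentException {
        String encoded = request.getParameter(parameterName);
        if (encoded == null || encoded.trim().isEmpty()) {
            throw new SSOAgentException("Request parameter " + parameterName + " not found");
        }
        return new String(Base64.decode(encoded), UTF8);
    }

    /**
     * Parses an inbound SAML message with a hardened DOM parser and unmarshalls it into an OpenSAML
     * object.
     *
     * @throws SSOAgentException on any parse, configuration or unmarshalling failure
     */
    private XMLObject unmarshall(String samlXml) throws SSOAgentException {
        String xml = decodeHTMLCharacters(samlXml);
        try {
            Element root = newHardenedDocumentBuilderFactory().newDocumentBuilder()
                    .parse(new ByteArrayInputStream(xml.getBytes(UTF8)))
                    .getDocumentElement();
            return Configuration.getUnmarshallerFactory().getUnmarshaller(root).unmarshall(root);
        } catch (IOException e) {
            throw new SSOAgentException(UNMARSHALL_ERROR, e);
        } catch (ParserConfigurationException e) {
            throw new SSOAgentException(UNMARSHALL_ERROR, e);
        } catch (SAXException e) {
            throw new SSOAgentException(UNMARSHALL_ERROR, e);
        } catch (UnmarshallingException e) {
            throw new SSOAgentException(UNMARSHALL_ERROR, e);
        }
    }

    /**
     * Creates a namespace-aware factory with DOCTYPE declarations, external entities, entity
     * expansion and XInclude disabled. SAML messages never legitimately carry a DTD, so rejecting it
     * outright removes the XXE / entity-expansion surface of parsing untrusted input.
     */
    private static DocumentBuilderFactory newHardenedDocumentBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
    }

    /**
     * Replaces the five XML entity references with their literal characters across the whole string.
     *
     * <p>NOTE(review): this runs on the raw document before parsing, so it also rewrites escaped
     * characters inside element text and attribute values; kept as found for compatibility.
     */
    private String decodeHTMLCharacters(String xml) {
        return xml.replaceAll("&amp;", "&")
                .replaceAll("&lt;", "<")
                .replaceAll("&gt;", ">")
                .replaceAll("&quot;", "\"")
                .replaceAll("&apos;", "'");
    }

    /**
     * Collects attribute name → first attribute value (text content) from every AttributeStatement.
     * Attributes without a value are skipped; later statements overwrite earlier ones on name clash.
     *
     * @return a mutable map, empty when the assertion has no attribute statements
     */
    private Map<String, String> getAssertionStatements(Assertion assertion) {
        Map<String, String> attributes = new HashMap<String, String>();
        if (assertion == null || assertion.getAttributeStatements() == null) {
            return attributes;
        }
        for (AttributeStatement statement : assertion.getAttributeStatements()) {
            for (Attribute attribute : statement.getAttributes()) {
                List<XMLObject> values = attribute.getAttributeValues();
                if (values == null || values.isEmpty()) {
                    continue;
                }
                attributes.put(attribute.getName(), values.get(0).getDOM().getTextContent());
            }
        }
        return attributes;
    }

    /**
     * Requires the assertion to carry Conditions with at least one AudienceRestriction naming this
     * service provider's issuer id.
     *
     * @throws SSOAgentException if Conditions or AudienceRestrictions are absent, or no audience
     *     matches the configured issuer id
     */
    private void validateAudienceRestriction(Assertion assertion) throws SSOAgentException {
        if (assertion == null) {
            return;
        }
        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            throw new SSOAgentException("SAML Response doesn't contain Conditions");
        }
        List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions();
        if (audienceRestrictions == null || audienceRestrictions.isEmpty()) {
            throw new SSOAgentException("SAML Response doesn't contain AudienceRestrictions");
        }
        String issuerId = SSOAgentConfigs.getIssuerId();
        for (AudienceRestriction restriction : audienceRestrictions) {
            if (containsAudience(restriction, issuerId)) {
                return;
            }
        }
        throw new SSOAgentException("SAML Assertion Audience Restriction validation failed");
    }

    /** Returns whether any Audience of the restriction has exactly the given URI. */
    private static boolean containsAudience(AudienceRestriction restriction, String audienceUri) {
        List<Audience> audiences = restriction.getAudiences();
        if (audiences == null) {
            return false;
        }
        for (Audience audience : audiences) {
            if (audienceUri.equals(audience.getAudienceURI())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Validates the Response and/or Assertion signatures against the IdP credential, each only when
     * the corresponding configuration flag is set.
     *
     * <p>NOTE(review): with both flags unset no cryptographic check is performed at all, and no
     * signature-profile validation (enveloped transform, reference to the signed element) precedes
     * {@link SignatureValidator}; consider adding OpenSAML's profile validator in front of it.
     *
     * @throws SSOAgentException if a required signature is absent or fails validation
     */
    private void validateSignature(Response response, Assertion assertion) throws SSOAgentException {
        if (SSOAgentConfigs.isResponseSigned()) {
            if (response.getSignature() == null) {
                throw new SSOAgentException(
                        "SAMLResponse signing is enabled, but signature element not found in SAML Response element.");
            }
            try {
                new SignatureValidator(this.credential).validate(response.getSignature());
            } catch (ValidationException e) {
                throw new SSOAgentException("Signature validation failed for SAML Response", e);
            }
        }
        if (SSOAgentConfigs.isAssertionSigned()) {
            if (assertion == null || assertion.getSignature() == null) {
                throw new SSOAgentException(
                        "SAMLAssertion signing is enabled, but signature element not found in SAML Assertion element.");
            }
            try {
                new SignatureValidator(this.credential).validate(assertion.getSignature());
            } catch (ValidationException e) {
                throw new SSOAgentException("Signature validation failed for SAML Assertion", e);
            }
        }
    }
}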
