package org.wso2.solutions.identity.sts;

import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Vector;
import javax.xml.namespace.QName;
import javax.xml.stream.XMLStreamException;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.impl.builder.StAXOMBuilder;
import org.apache.axiom.om.impl.dom.factory.OMDOMFactory;
import org.apache.rahas.RahasData;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.components.crypto.X509NameTokenizer;
import org.apache.ws.security.handler.WSHandlerResult;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Base64;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAttribute;
import org.opensaml.SAMLAttributeStatement;
import org.w3c.dom.Element;
import org.wso2.solutions.identity.IdentityProviderConstants;
import org.wso2.solutions.identity.IdentityProviderException;
import org.wso2.solutions.identity.InitialClaimsProcessor;
import org.wso2.solutions.identity.UserStore;
import org.wso2.solutions.identity.admin.KeystoreUtilAdmin;
import org.wso2.solutions.identity.admin.RegisteredInfoCardInfoAdmin;
import org.wso2.solutions.identity.admin.RelyingPartyAdmin;
import org.wso2.solutions.identity.cards.model.RequireAppliesTo;
import org.wso2.solutions.identity.persistence.IPPersistenceManager;
import org.wso2.solutions.identity.persistence.dataobject.ClaimDO;
import org.wso2.solutions.identity.persistence.dataobject.RegisteredInfoCardInfoDO;
import org.wso2.solutions.identity.persistence.dataobject.RelyingPartyDO;
import org.wso2.solutions.identity.persistence.dataobject.UserTrustedRPDO;
import org.wso2.wsas.persistence.PersistenceManager;

/* loaded from: input_file:org/wso2/solutions/identity/sts/IdentityProviderData.class */
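/**
 * Per-request view of an STS RequestSecurityToken: which claims the relying party asked for,
 * how the requester authenticated, who the requester is, and which certificate the relying
 * party proved it owns.
 *
 * <p>All parsing and validation happens in the constructor, in a fixed order: supported claims
 * are loaded, the requested claims are read, the card reference is read, the WS-Security results
 * are inspected to learn the authentication mechanism, the user identifier is resolved from that
 * mechanism, claim values are fetched from the user store, and finally the relying party
 * certificate carried in wsp:AppliesTo is extracted and checked for trust.
 *
 * <p>Not thread-safe; one instance serves one request. The shared JDK cacerts store is loaded
 * lazily and published once, under the class lock.
 */
public class IdentityProviderData {
    public static final String USERMAN_SERVICE = "UserManServiceURL";
    public static final String USER_CLASS = "UserClass";

    /** WS-Addressing identity extension: carries the relying party's ds:KeyInfo inside wsp:AppliesTo. */
    private static final String NS_ADDRESSING_IDENTITY = "http://schemas.xmlsoap.org/ws/2006/02/addressingidentity";
    private static final String NS_XMLDSIG = "http://www.w3.org/2000/09/xmldsig#";
    private static final String NS_IDENTITY = "http://schemas.xmlsoap.org/ws/2005/05/identity";
    private static final String NS_IDENTITY_CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims";
    private static final String PPID_LOCAL_NAME = "privatepersonalidentifier";
    private static final String CLAIM_PPID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier";

    /** {@link #authMechanism} value: the requester presented a SAML token (managed-card flow). */
    static final int AUTH_SAML_TOKEN = 4;
    /** {@link #authMechanism} value: the requester presented a UsernameToken. */
    static final int AUTH_USERNAME_TOKEN = 1;

    /** WSS4J engine action reported for a SAML token (WSConstants.ST_UNSIGNED in WSS4J 1.x; confirm against the bundled version). */
    private static final int WSS_ACTION_SAML_TOKEN = 8;
    /** WSS4J engine action reported for a UsernameToken (WSConstants.UT). */
    private static final int WSS_ACTION_USERNAME_TOKEN = 1;

    /** Default integrity password of the JDK cacerts store; a deployment that changed it will fail to load the store. */
    private static final String CACERTS_PASSWORD = "changeit";

    private SAMLAssertion assertion;
    private X509Certificate rpCert;
    /** JDK cacerts store, loaded on first use by {@link #loadCacerts()}; guarded by the class lock. */
    private static KeyStore cacerts;
    protected String cardID = null;
    /** Requested claim URI -> requested claim (value filled in by {@link #populateClaimValues}). */
    protected Map<String, RequestedClaimData> requestedClaims = new HashMap<String, RequestedClaimData>();
    protected String displayTokenLang = null;
    public String userClass = null;
    protected UserStore userStore = null;
    /** Supported claim URI -> persisted claim definition, filled by {@link #loadClaims()}. */
    protected Map<String, ClaimDO> claimObjs = new HashMap<String, ClaimDO>();
    /** One of {@link #AUTH_SAML_TOKEN}, {@link #AUTH_USERNAME_TOKEN}, or -1 when nothing usable was found. */
    int authMechanism = -1;
    private String userIdentifier = null;
    private String requiredTokenType = null;

    /**
     * One claim the relying party asked for. Kept as a non-static inner class because it is part
     * of the public API and subclasses may instantiate it through the enclosing instance.
     */
    public class RequestedClaimData {
        /** Claim value read from the user store; null until populated or when unknown. */
        public String value;
        /** Claim type URI as given in the ic:ClaimType/@Uri attribute. */
        public String uri;
        /** Whether the relying party marked the claim optional. */
        public boolean bOptional;

        public RequestedClaimData() {
        }
    }

    /**
     * Parses and validates the request carried by {@code rahasData}.
     *
     * @param rahasData request context supplied by Rahas
     * @throws IdentityProviderException when the request is malformed, the requester cannot be
     *         identified, or the relying party certificate is not trusted
     * @throws ClassNotFoundException propagated from the persistence layer
     */
    public IdentityProviderData(RahasData rahasData) throws IdentityProviderException, ClassNotFoundException {
        OMElement rstElement = rahasData.getRstElement();
        OMElement claimElem = rahasData.getClaimElem();
        loadClaims();
        processClaimsData(rahasData, claimElem);
        processInfoCardReference(rstElement);
        readAuthenticationMechanism(rahasData);
        readRequestedTokenType(rahasData);
        processUserIdentifier(rahasData);
        populateClaimValues(rahasData);
        extracAndValidatetRPCert(rahasData);
    }

    /**
     * Extracts the relying party's certificate from wsp:AppliesTo/.../ds:X509Certificate and
     * decides whether to trust it.
     *
     * <p>Trust is granted when either (a) a CA certificate in the JDK cacerts store has the
     * received certificate's issuer DN as subject <em>and</em> the received certificate's signature
     * verifies under that CA's public key, or (b) the certificate is byte-identical to the one
     * stored for this relying party (globally or for this user). In case (a) an unknown relying
     * party is registered automatically.
     *
     * <p>NOTE(review): neither path checks validity period or revocation, and path (a) only
     * accepts certificates issued directly by a root in cacerts; a PKIX path validation would
     * cover both. Confirm that automatic registration of CA-issued relying parties is intended.
     *
     * @throws IdentityProviderException "missingIdentityElement" / "malformedElement" when the
     *         element structure is wrong, "malformedBase64Certificate" when the certificate does not
     *         decode, "rpNotTrusted" / "receivedCertMismatchWithTrustedCert" when trust fails
     */
    private void extracAndValidatetRPCert(RahasData rahasData) throws IdentityProviderException {
        OMElement appliesToEpr = rahasData.getAppliesToEpr();
        OMElement identity = appliesToEpr.getFirstChildWithName(new QName(NS_ADDRESSING_IDENTITY, IdentityProviderConstants.LocalNames.IDENTITY));
        if (identity == null) {
            throw new IdentityProviderException("missingIdentityElement", new String[]{appliesToEpr.toString()});
        }
        OMElement keyInfo = requireDsChild(identity, identity, "KeyInfo");
        OMElement x509Data = requireDsChild(keyInfo, identity, "X509Data");
        OMElement x509CertElem = requireDsChild(x509Data, identity, "X509Certificate");
        String encodedCert = x509CertElem.getText();

        X509Certificate received;
        try {
            received = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(Base64.decode(encodedCert)));
        } catch (Exception e) {
            throw new IdentityProviderException("malformedBase64Certificate", new String[]{encodedCert}, e);
        }

        try {
            if (findIssuingCaCert(received) != null) {
                this.rpCert = received;
                // First contact from a CA-issued relying party: register it so later lookups succeed.
                RelyingPartyAdmin relyingPartyAdmin = new RelyingPartyAdmin();
                String appliesToHostName = IdentityProviderUtil.getAppliesToHostName(rahasData);
                if (relyingPartyAdmin.getRelyingParty(appliesToHostName) == null) {
                    relyingPartyAdmin.create(appliesToHostName);
                }
                return;
            }
            X509Certificate stored = readRpCertFromStores(rahasData);
            if (stored == null) {
                throw new IdentityProviderException("rpNotTrusted");
            }
            if (!stored.equals(received)) {
                throw new IdentityProviderException("receivedCertMismatchWithTrustedCert", new String[]{encodedCert, Base64.encode(stored.getEncoded())});
            }
            this.rpCert = stored;
        } catch (IdentityProviderException e) {
            throw e;
        } catch (Exception e) {
            // Keystore or persistence failure while evaluating trust: report as untrusted, keep the cause.
            throw new IdentityProviderException("rpNotTrusted", new String[]{encodedCert}, e);
        }
    }

    /**
     * Returns the ds:{@code localName} child of {@code parent}.
     *
     * @throws IdentityProviderException "malformedElement" naming the identity element when absent
     */
    private static OMElement requireDsChild(OMElement parent, OMElement identity, String localName) throws IdentityProviderException {
        OMElement child = parent.getFirstChildWithName(new QName(NS_XMLDSIG, localName));
        if (child == null) {
            throw new IdentityProviderException("malformedElement", new String[]{identity.toString() + " missing ds:" + localName + " element"});
        }
        return child;
    }

    /**
     * Finds the cacerts entry that issued {@code received}: its subject DN must equal the received
     * issuer DN (compared as sorted RDN lists) and the received signature must verify under its
     * public key. A name match alone is not enough, since the issuer DN is attacker-chosen.
     *
     * @return the issuing CA certificate, or null when no entry issued the certificate
     */
    private static X509Certificate findIssuingCaCert(X509Certificate received) throws IOException, GeneralSecurityException {
        KeyStore store = loadCacerts();
        List<String> issuerRdns = splitAndTrim(received.getIssuerDN().getName());
        Enumeration<String> aliases = store.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!store.isCertificateEntry(alias)) {
                continue;
            }
            Certificate candidate = store.getCertificate(alias);
            if (!(candidate instanceof X509Certificate)) {
                continue;
            }
            X509Certificate ca = (X509Certificate) candidate;
            if (!splitAndTrim(ca.getSubjectDN().getName()).equals(issuerRdns)) {
                continue;
            }
            try {
                received.verify(ca.getPublicKey());
                return ca;
            } catch (GeneralSecurityException ignored) {
                // Subject matched but the signature does not: not issued by this entry, keep searching.
            }
        }
        return null;
    }

    /**
     * Loads {@code $JAVA_HOME/lib/security/cacerts} once. The store is assigned to the static
     * field only after {@code load} completes, so no other thread can observe an uninitialized store.
     */
    private static synchronized KeyStore loadCacerts() throws IOException, GeneralSecurityException {
        if (cacerts == null) {
            KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
            FileInputStream in = new FileInputStream(System.getProperty("java.home") + "/lib/security/cacerts");
            try {
                store.load(in, CACERTS_PASSWORD.toCharArray());
            } finally {
                in.close();
            }
            cacerts = store;
        }
        return cacerts;
    }

    /**
     * Splits a distinguished name into its RDN tokens and sorts them, so two DNs compare equal
     * regardless of RDN order or surrounding whitespace.
     */
    private static List<String> splitAndTrim(String dn) {
        X509NameTokenizer tokenizer = new X509NameTokenizer(dn);
        List<String> rdns = new ArrayList<String>();
        while (tokenizer.hasMoreTokens()) {
            rdns.add(tokenizer.nextToken());
        }
        Collections.sort(rdns);
        return rdns;
    }

    /**
     * Reads ic:InformationCardReference/ic:CardId from the RST into {@link #cardID}.
     *
     * @throws IdentityProviderException "malformedElement" when either element is missing
     */
    private void processInfoCardReference(OMElement rstElement) throws IdentityProviderException {
        OMElement cardRef = rstElement.getFirstChildWithName(new QName(NS_IDENTITY, IdentityProviderConstants.LocalNames.INFO_CARD_REFERENCE));
        if (cardRef == null) {
            throw new IdentityProviderException("malformedElement", new String[]{"RequestSecurityToken missing ic:" + IdentityProviderConstants.LocalNames.INFO_CARD_REFERENCE + " element"});
        }
        OMElement cardIdElem = cardRef.getFirstChildWithName(new QName(NS_IDENTITY, IdentityProviderConstants.LocalNames.CARD_ID));
        if (cardIdElem == null) {
            throw new IdentityProviderException("malformedElement", new String[]{cardRef.toString() + " missing ic:" + IdentityProviderConstants.LocalNames.CARD_ID + " element"});
        }
        this.cardID = cardIdElem.getText();
    }

    /** Takes the requested token type from the RST, falling back to {@link #getDefautTokenType()} when blank. */
    private void readRequestedTokenType(RahasData rahasData) {
        setRequiredTokenType(rahasData.getTokenType());
    }

    /**
     * Reads every ic:ClaimType under the claims element into {@link #requestedClaims}, keyed by URI.
     * A missing claims element means nothing was requested.
     *
     * @throws IdentityProviderException "emptyClaimUri" when a ClaimType has no Uri attribute
     */
    private void processClaimsData(RahasData rahasData, OMElement claimsElem) throws IdentityProviderException {
        if (claimsElem == null) {
            return;
        }
        Iterator claimTypes = claimsElem.getChildrenWithName(new QName(NS_IDENTITY, "ClaimType"));
        while (claimTypes.hasNext()) {
            OMElement claimType = (OMElement) claimTypes.next();
            String uri = claimType.getAttributeValue(new QName(null, InitialClaimsProcessor.ATTR_URI));
            if (uri == null) {
                throw new IdentityProviderException("emptyClaimUri");
            }
            RequestedClaimData claim = getRequestedClaim();
            claim.uri = uri;
            String optional = claimType.getAttributeValue(new QName(null, RequireAppliesTo.ATTR_OPTIONAL));
            // NOTE(review): an absent @Optional is treated as optional; confirm this matches the
            // profile the identity selector follows (the ic: schema default may be "required").
            claim.bOptional = optional == null || isXsdTrue(optional);
            this.requestedClaims.put(uri, claim);
        }
    }

    /** xsd:boolean lexical forms for true: "true" (case-insensitive) and "1". */
    private static boolean isXsdTrue(String lexical) {
        String value = lexical.trim();
        return "true".equalsIgnoreCase(value) || "1".equals(value);
    }

    /** @return the ic:CardId of the card this request is for */
    public String getCardID() {
        return this.cardID;
    }

    /**
     * Extension hook; this implementation knows no claim values and always returns null
     * (requested claim values live in {@link #requestedClaims}).
     */
    public String getValueForClaim(String str) {
        return null;
    }

    public String getDisplayTokenLang() {
        return this.displayTokenLang;
    }

    /** @return requested claim URI -> requested claim; the live map, not a copy */
    public Map<String, RequestedClaimData> getRequestedClaims() {
        return this.requestedClaims;
    }

    /** Factory for {@link RequestedClaimData}; subclasses may return a richer subtype. */
    protected RequestedClaimData getRequestedClaim() {
        return new RequestedClaimData();
    }

    /**
     * Fetches the values of all requested, supported claims from the user store in one call and
     * stores them on the requested claims. The PPID is never read from the store (it is derived per
     * relying party), and unsupported claim URIs are left with a null value.
     */
    protected void populateClaimValues(RahasData rahasData) throws IdentityProviderException {
        UserStore store = UserStore.getInstance();
        ArrayList<String> attrIds = new ArrayList<String>();
        for (RequestedClaimData claim : this.requestedClaims.values()) {
            ClaimDO claimDO = this.claimObjs.get(claim.uri);
            if (claimDO != null && !CLAIM_PPID.equals(claimDO.getUri())) {
                attrIds.add(claimDO.getAttrId());
            }
        }
        Map<String, String> claimValues = store.getClaimValues(this.userIdentifier, attrIds);
        if (claimValues == null) {
            claimValues = Collections.emptyMap();
        }
        for (RequestedClaimData claim : this.requestedClaims.values()) {
            ClaimDO claimDO = this.claimObjs.get(claim.uri);
            claim.value = claimDO == null ? null : claimValues.get(claimDO.getAttrId());
        }
    }

    /**
     * Resolves {@link #userIdentifier} from the authentication mechanism found by
     * {@link #readAuthenticationMechanism}: the UsernameToken principal name, or, for a SAML
     * token, the user registered for the PPID carried in the assertion, provided the assertion's
     * ds:KeyInfo names the RSA key registered with that card.
     *
     * <p>NOTE(review): the key-info comparison only shows that the assertion claims the
     * registered key; it relies on the WS-Security layer having verified the assertion's
     * signature with that key before the result reaches this class. Confirm the handler does so.
     *
     * @throws IdentityProviderException "invalidAuthMechanism", "invalidSamlAttrAssertion",
     *         "alianPPID" or "signatureInfoMismatch"
     */
    protected void processUserIdentifier(RahasData rahasData) throws IdentityProviderException {
        if (this.authMechanism == AUTH_USERNAME_TOKEN) {
            this.userIdentifier = rahasData.getPrincipal().getName();
            return;
        }
        if (this.authMechanism != AUTH_SAML_TOKEN) {
            throw new IdentityProviderException("invalidAuthMechanism");
        }
        String ppid = this.assertion == null ? null : findPpid(this.assertion);
        if (ppid == null) {
            throw new IdentityProviderException("invalidSamlAttrAssertion", new String[]{PPID_LOCAL_NAME});
        }
        RegisteredInfoCardInfoDO info = new RegisteredInfoCardInfoAdmin().getInfo(ppid);
        if (info == null) {
            throw new IdentityProviderException("alianPPID", new String[]{ppid});
        }
        XMLSignature signature = (XMLSignature) this.assertion.getNativeSignature();
        // An unsigned assertion, or one without KeyInfo, cannot be matched to the registered key.
        if (signature == null || signature.getKeyInfo() == null) {
            throw new IdentityProviderException("signatureInfoMismatch", new String[]{ppid});
        }
        if (!validateKeyInfo(info.getIssuerInfo(), signature.getKeyInfo().getElement())) {
            throw new IdentityProviderException("signatureInfoMismatch", new String[]{ppid});
        }
        this.userIdentifier = info.getUserId();
    }

    /**
     * Returns the first value of the ic:privatepersonalidentifier attribute found in any
     * attribute statement of the assertion, or null when there is none. Non-attribute statements
     * (e.g. authentication statements) are skipped rather than cast.
     */
    private static String findPpid(SAMLAssertion assertion) {
        Iterator statements = assertion.getStatements();
        while (statements.hasNext()) {
            Object statement = statements.next();
            if (!(statement instanceof SAMLAttributeStatement)) {
                continue;
            }
            Iterator attributes = ((SAMLAttributeStatement) statement).getAttributes();
            while (attributes.hasNext()) {
                SAMLAttribute attribute = (SAMLAttribute) attributes.next();
                if (PPID_LOCAL_NAME.equals(attribute.getName()) && NS_IDENTITY_CLAIMS.equals(attribute.getNamespace())) {
                    Iterator values = attribute.getValues();
                    return values.hasNext() ? (String) values.next() : null;
                }
            }
        }
        return null;
    }

    /**
     * Compares the RSA key stored for a registered card with the ds:KeyInfo of the received
     * assertion. Both must be ds:KeyValue/ds:RSAKeyValue; Modulus and Exponent are compared as
     * Base64 text with all whitespace removed, since line wrapping is not significant.
     *
     * @param storedKeyInfo serialized ds:KeyInfo persisted at card registration
     * @param receivedKeyInfo ds:KeyInfo element of the assertion signature
     * @return true when modulus and exponent match
     * @throws IdentityProviderException "errorParsignStoredKeyInfo" when the stored XML does not
     *         parse, "unknownStoredKeyInfoType" / "unknownReceivedKeyInfoType" when either side is
     *         not an RSA key value
     */
    private boolean validateKeyInfo(String storedKeyInfo, Element receivedKeyInfo) throws IdentityProviderException {
        String storedModulus;
        String storedExponent;
        try {
            OMElement storedKeyValue = new StAXOMBuilder(new ByteArrayInputStream(storedKeyInfo.getBytes("UTF-8"))).getDocumentElement().getFirstElement();
            OMElement storedRsa = storedKeyValue == null || !isDsElement(storedKeyValue, "KeyValue") ? null : storedKeyValue.getFirstElement();
            if (storedRsa == null || !isDsElement(storedRsa, "RSAKeyValue")) {
                throw new IdentityProviderException("unknownStoredKeyInfoType", new String[]{storedKeyInfo});
            }
            storedModulus = rsaComponent(storedRsa, "Modulus");
            storedExponent = rsaComponent(storedRsa, "Exponent");
        } catch (XMLStreamException e) {
            throw new IdentityProviderException("errorParsignStoredKeyInfo", new String[]{storedKeyInfo}, e);
        } catch (UnsupportedEncodingException e) {
            throw new IdentityProviderException("errorParsignStoredKeyInfo", new String[]{storedKeyInfo}, e);
        }
        if (storedModulus == null || storedExponent == null) {
            throw new IdentityProviderException("unknownStoredKeyInfoType", new String[]{storedKeyInfo});
        }
        OMElement received = (OMElement) new OMDOMFactory().getDocument().importNode(receivedKeyInfo, true);
        OMElement receivedKeyValue = received.getFirstElement();
        if (receivedKeyValue == null || !isDsElement(receivedKeyValue, "KeyValue")) {
            throw new IdentityProviderException("unknownReceivedKeyInfoType", new String[]{received.toString()});
        }
        OMElement receivedRsa = receivedKeyValue.getFirstChildWithName(new QName(NS_XMLDSIG, "RSAKeyValue"));
        if (receivedRsa == null) {
            throw new IdentityProviderException("unknownReceivedKeyInfoType", new String[]{received.toString()});
        }
        return storedModulus.equals(rsaComponent(receivedRsa, "Modulus")) && storedExponent.equals(rsaComponent(receivedRsa, "Exponent"));
    }

    /** True when {@code element} is ds:{@code localName}. */
    private static boolean isDsElement(OMElement element, String localName) {
        return new QName(NS_XMLDSIG, localName).equals(element.getQName());
    }

    /** Text of the named ds:RSAKeyValue child with all whitespace removed, or null when absent. */
    private static String rsaComponent(OMElement rsaKeyValue, String localName) {
        OMElement component = rsaKeyValue.getFirstChildWithName(new QName(NS_XMLDSIG, localName));
        if (component == null || component.getText() == null) {
            return null;
        }
        return component.getText().replaceAll("\\s+", "");
    }

    /** @return the display tag of the supported claim with this URI, or null when unsupported */
    public String getDisplayName(String str) {
        ClaimDO claimDO = this.claimObjs.get(str);
        return claimDO == null ? null : claimDO.getDisplayTag();
    }

    /** Indexes every supported claim definition by URI into {@link #claimObjs}. */
    protected void loadClaims() throws IdentityProviderException {
        for (ClaimDO claimDO : IPPersistenceManager.getPersistanceManager().getAllSupportedClaims()) {
            this.claimObjs.put(claimDO.getUri(), claimDO);
        }
    }

    /**
     * Inspects the WSS4J handler results of the inbound message to learn how the requester
     * authenticated. A SAML token result sets {@link #AUTH_SAML_TOKEN} and keeps the assertion; a
     * UsernameToken result with a principal sets {@link #AUTH_USERNAME_TOKEN}. When both are
     * present the later result wins, as before.
     *
     * @throws IdentityProviderException "missingAuthMechanism" when no handler results exist
     */
    protected void readAuthenticationMechanism(RahasData rahasData) throws IdentityProviderException {
        Vector handlerResults = (Vector) rahasData.getInMessageContext().getProperty("RECV_RESULTS");
        if (handlerResults == null) {
            throw new IdentityProviderException("missingAuthMechanism");
        }
        for (int i = 0; i < handlerResults.size(); i++) {
            Vector engineResults = ((WSHandlerResult) handlerResults.get(i)).getResults();
            for (int j = 0; j < engineResults.size(); j++) {
                WSSecurityEngineResult result = (WSSecurityEngineResult) engineResults.get(j);
                Integer action = (Integer) result.get("action");
                if (action == null) {
                    continue;
                }
                if (action.intValue() == WSS_ACTION_SAML_TOKEN) {
                    this.authMechanism = AUTH_SAML_TOKEN;
                    this.assertion = (SAMLAssertion) result.get("saml-assertion");
                } else if (action.intValue() == WSS_ACTION_USERNAME_TOKEN && result.get("principal") != null) {
                    this.authMechanism = AUTH_USERNAME_TOKEN;
                }
            }
        }
    }

    /** @return the relying party certificate accepted by {@link #extracAndValidatetRPCert}, or null before validation */
    public X509Certificate getRpCert() {
        return this.rpCert;
    }

    public String getUserIdentifier() {
        return this.userIdentifier;
    }

    public void setUserIdentifier(String str) {
        this.userIdentifier = str;
    }

    /**
     * Looks up the certificate previously stored for the relying party named by wsp:AppliesTo:
     * first the global relying party entry (alias in the identity keystore), else the current
     * user's personal trusted relying party.
     *
     * @return the stored certificate, or null when the relying party is unknown
     */
    private X509Certificate readRpCertFromStores(RahasData rahasData) throws IdentityProviderException {
        String appliesToHostName = IdentityProviderUtil.getAppliesToHostName(rahasData);
        IPPersistenceManager persistenceManager = IPPersistenceManager.getPersistanceManager();
        RelyingPartyDO relyingParty = persistenceManager.getRelyingParty(appliesToHostName);
        if (relyingParty != null) {
            String keyStoreName = new PersistenceManager().getKeyStore(IdentityProviderConstants.DEFAULT_IDENTITY_KEYSTORE_NAME).getKeyStoreName();
            return KeyUtil.getCertificate(keyStoreName, relyingParty.getAlias());
        }
        UserTrustedRPDO personalRelyingParty = persistenceManager.getPersonalRelyingParty(this.userIdentifier, appliesToHostName);
        if (personalRelyingParty == null) {
            return null;
        }
        return new KeystoreUtilAdmin().getCertificateFromUserTrustedRP(personalRelyingParty.getIdentifier().getHostName());
    }

    public String getRequiredTokenType() {
        return this.requiredTokenType;
    }

    /** Sets the token type to issue; null or blank selects {@link #getDefautTokenType()}. */
    public void setRequiredTokenType(String str) {
        this.requiredTokenType = str == null || str.trim().length() == 0 ? getDefautTokenType() : str;
    }

    /** Token type issued when the RST does not ask for one (SAML 1.0). Declared protected in the original source. */
    public String getDefautTokenType() {
        return "urn:oasis:names:tc:SAML:1.0:assertion";
    }
}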
