package org.wso2.solutions.identity.relyingparty.servletfilter;

import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.PrintWriter;
import java.io.StringReader;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.xml.stream.XMLInputFactory;
import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMFactory;
import org.apache.axiom.om.OMNamespace;
import org.apache.axiom.om.impl.builder.StAXOMBuilder;
import org.apache.axiom.om.util.Base64;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.components.crypto.X509NameTokenizer;
import org.apache.ws.security.util.DOM2Writer;
import org.w3c.dom.Element;
import org.wso2.solutions.identity.relyingparty.RelyingPartyException;
import org.wso2.solutions.identity.relyingparty.TokenVerifier;
import org.wso2.solutions.identity.relyingparty.TokenVerifierConstants;

/* loaded from: input_file:org/wso2/solutions/identity/relyingparty/servletfilter/RelyingPartyFilter.class */
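/**
 * Servlet filter that performs InfoCard relying-party login.
 *
 * <p>When a request carries {@code InfoCardSignin=Log in}, the filter takes the posted
 * {@code xmlToken}, decrypts it with the relying party's private key, verifies it through
 * {@link TokenVerifier} and applies the issuer policy configured by
 * {@code TOKEN_VALIDATE_POLICY}. The outcome is published to the request as attributes
 * (state, issuer info, failure reason and, on success, one attribute per claim) and the
 * chain always continues; the protected application decides what to do with them.
 * Requests without the sign-in parameter pass through untouched.
 *
 * <p>Validation policies (values in {@link TokenVerifierConstants}): PROMISCUOUS (the
 * default; any managed issuer is accepted), CERT_VALIDATE (the signing certificate must be
 * in its validity period and its issuer known to a trust store), BLACK_LIST / WHITE_LIST
 * (CERT_VALIDATE plus an issuer-DN list). Self-issued cards are governed separately by
 * {@code ISSUER_POLICY}.
 *
 * <p>Thread-safety: every field is written in {@link #init(FilterConfig)} and only read
 * afterwards, so concurrent {@link #doFilter} calls are safe.
 */
public class RelyingPartyFilter implements Filter {

    /** Issuer name carried by a self-issued (personal) card. */
    private static final String SELF_ISSUER = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self";

    /** Password the JDK ships for its cacerts store; used when SYSTEM_KEY_STORE_PASS is not configured. */
    private static final String DEFAULT_CACERTS_PASS = "changeit";

    public static Log log;

    /** Relying party's decryption key, loaded from the KEY_STORE init parameter. */
    private PrivateKey privateKey = null;
    /** Trusted-IdP key store (path relative to the web app, password, type); only set for cert-checking policies. */
    private String idpStoreFilePath = null;
    private String idpStorePass = null;
    private String idpStoreType = null;
    /** One of the TOKEN_VALIDATE_POLICY values; never null after init. */
    private String validatePolicy = null;
    /** Each entry is a sorted list of RDN tokens of an issuer DN (see {@link #getDNOfIssuer}); null when not configured. */
    private List[] blackList = null;
    private List[] whiteList = null;
    /** Password for the JDK cacerts store. */
    private String defaultStorePass = null;
    FilterConfig filterConfig = null;
    static Class class$org$wso2$solutions$identity$relyingparty$servletfilter$RelyingPartyFilter;

    /**
     * Handles an InfoCard sign-in if the request is one, then always continues the chain.
     *
     * <p>Any exception raised while decrypting/verifying the token is logged and turned
     * into a failure state on the request; it is never propagated to the container.
     *
     * @throws IOException      from the downstream chain only
     * @throws ServletException from the downstream chain only
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        try {
            String requestURI = ((HttpServletRequest) servletRequest).getRequestURI();
            if (log.isDebugEnabled()) {
                log.debug("RequestURI : " + requestURI);
            }
            String signIn = servletRequest.getParameter("InfoCardSignin");
            if (log.isDebugEnabled()) {
                log.debug("InfoCardSignin : " + signIn);
            }
            if ("Log in".equals(signIn)) {
                if (log.isDebugEnabled()) {
                    log.debug("InfoCardSignin=Log in");
                }
                String xmlToken = servletRequest.getParameter("xmlToken");
                if (xmlToken == null) {
                    // NOTE(review): this branch sets ATTR_STATE while the inject* methods set
                    // SERVLET_ATTR_STATE; confirm which one the application's pages read.
                    servletRequest.setAttribute(TokenVerifierConstants.ATTR_STATE, TokenVerifierConstants.STATE_FAILURE);
                    servletRequest.setAttribute(TokenVerifierConstants.FAILURE_REASON, TokenVerifierConstants.REASON_TOKEN_MISSING);
                } else {
                    TokenVerifier tokenVerifier = new TokenVerifier();
                    // Decrypt with the RP private key and verify the token before any policy is consulted.
                    boolean accepted = tokenVerifier.verifyDecryptedToken(tokenVerifier.decryptToken(xmlToken, this.privateKey))
                            && validateIssuerInfoPolicy(tokenVerifier);
                    if (accepted) {
                        injectDataToRequestOnSuccess(tokenVerifier, servletRequest);
                    } else {
                        injectDataToRequestOnFailure(tokenVerifier, servletRequest);
                    }
                }
            }
        } catch (Exception e) {
            log.error("Error in token verification", e);
            servletRequest.setAttribute(TokenVerifierConstants.ATTR_STATE, TokenVerifierConstants.STATE_FAILURE);
            servletRequest.setAttribute(TokenVerifierConstants.FAILURE_REASON, describeFailure(e));
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Builds the FAILURE_REASON attribute value for an unexpected exception.
     *
     * <p>The full stack trace is already in the server log. The request attribute may be
     * rendered by the application's error page, so only the exception message (or the
     * exception class when there is none) is exposed there, not the trace.
     */
    private static String describeFailure(Exception e) {
        String message = e.getMessage();
        return message != null ? message : e.getClass().getName();
    }

    /**
     * Applies the issuer policy to a verified token.
     *
     * <p>Self-issued cards are accepted unless ISSUER_POLICY restricts sign-in to managed
     * cards. Managed cards are accepted according to {@link #validatePolicy}; an unknown
     * policy value rejects the token.
     *
     * @return true when the token's issuer is acceptable
     * @throws Exception when certificate validation fails (cert-checking policies only)
     */
    protected boolean validateIssuerInfoPolicy(TokenVerifier tokenVerifier) throws Exception {
        if (SELF_ISSUER.equals(tokenVerifier.getIssuerName())) {
            String issuerPolicy = this.filterConfig.getInitParameter(TokenVerifierConstants.ISSUER_POLICY);
            return issuerPolicy == null
                    || issuerPolicy.equals(TokenVerifierConstants.SELF_ONLY)
                    || issuerPolicy.equals(TokenVerifierConstants.SELF_AND_MANGED);
        }
        if (this.validatePolicy.equals(TokenVerifierConstants.PROMISCUOUS)) {
            return true;
        }
        if (this.validatePolicy.equals(TokenVerifierConstants.BLACK_LIST)) {
            doCertValidation(tokenVerifier);
            return doBlackListCheck(tokenVerifier);
        }
        if (this.validatePolicy.equals(TokenVerifierConstants.WHITE_LIST)) {
            doCertValidation(tokenVerifier);
            return doWhiteListCheck(tokenVerifier);
        }
        if (this.validatePolicy.equals(TokenVerifierConstants.CERT_VALIDATE)) {
            doCertValidation(tokenVerifier);
            return true;
        }
        // Unrecognised policy value: fail closed.
        return false;
    }

    /**
     * Checks the token against the MULTIVALUE_CLAIMS_POLICY init parameter.
     *
     * <p>Multi-valued claims are rejected when the parameter is absent or equals
     * MULTIVALUED_CLAIMS_NOT_ALLOWED. NOTE(review): nothing in this class calls this
     * method, so the policy is not enforced by {@link #doFilter}; confirm whether a
     * subclass or the application is expected to invoke it.
     *
     * @return false only when multi-valued claims are present and not allowed
     */
    protected boolean validateMultipleClaimsPolicy(TokenVerifier tokenVerifier) throws RelyingPartyException {
        String claimsPolicy = this.filterConfig.getInitParameter(TokenVerifierConstants.MULTIVALUE_CLAIMS_POLICY);
        boolean multiValuesForbidden = claimsPolicy == null
                || claimsPolicy.equals(TokenVerifierConstants.MULTIVALUED_CLAIMS_NOT_ALLOWED);
        return !(multiValuesForbidden && tokenVerifier.isMultipleValues());
    }

    /** Marks the request as a failed sign-in. */
    protected void injectDataToRequestOnFailure(TokenVerifier tokenVerifier, ServletRequest servletRequest) throws Exception {
        servletRequest.setAttribute(TokenVerifierConstants.SERVLET_ATTR_STATE, TokenVerifierConstants.STATE_FAILURE);
    }

    /**
     * Marks the request as a successful sign-in and publishes the issuer info and every
     * claim of the token as request attributes (claim URI as attribute name).
     */
    protected void injectDataToRequestOnSuccess(TokenVerifier tokenVerifier, ServletRequest servletRequest) throws Exception {
        servletRequest.setAttribute(TokenVerifierConstants.SERVLET_ATTR_STATE, TokenVerifierConstants.STATE_SUCCESS);
        String issuerInfo = getIssuerInfoString(tokenVerifier);
        if (issuerInfo != null) {
            servletRequest.setAttribute(TokenVerifierConstants.ISSUER_INFO, issuerInfo);
        }
        for (Iterator it = tokenVerifier.getAttributeTable().entrySet().iterator(); it.hasNext();) {
            Map.Entry claim = (Map.Entry) it.next();
            servletRequest.setAttribute((String) claim.getKey(), (String) claim.getValue());
        }
    }

    /**
     * Serialises the token's certificate chain and KeyInfo element to an XML string.
     *
     * <p>The certificates element lists each certificate Base64-encoded; the first one is
     * flagged with LN_SIGNING_CERT="true". The KeyInfo element, when present, is appended
     * after it.
     *
     * @return the XML string, or null when the token has neither certificates nor KeyInfo
     */
    protected String getIssuerInfoString(TokenVerifier tokenVerifier) throws Exception {
        OMFactory factory = OMAbstractFactory.getOMFactory();
        OMNamespace ns = factory.createOMNamespace(TokenVerifierConstants.NS, TokenVerifierConstants.PREFIX);
        StringBuilder out = new StringBuilder();

        List certificates = tokenVerifier.getCertificates();
        if (certificates != null && !certificates.isEmpty()) {
            OMElement certsElement = factory.createOMElement(TokenVerifierConstants.LN_CERTIFICATES, ns);
            boolean first = true;
            for (Iterator it = certificates.iterator(); it.hasNext();) {
                X509Certificate cert = (X509Certificate) it.next();
                OMElement certElement = factory.createOMElement(TokenVerifierConstants.LN_CERTIFICATE, ns);
                if (first) {
                    certElement.addAttribute(TokenVerifierConstants.LN_SIGNING_CERT, "true", (OMNamespace) null);
                    first = false;
                }
                certElement.setText(Base64.encode(cert.getEncoded()));
                certsElement.addChild(certElement);
            }
            out.append(certsElement.toString());
        }

        Element keyInfoElement = tokenVerifier.getKeyInfoElement();
        if (keyInfoElement != null) {
            // The KeyInfo text originates from the posted token, so the re-parse is done
            // with DTD and external-entity support switched off.
            XMLInputFactory inputFactory = XMLInputFactory.newInstance();
            inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
            inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
            OMElement keyInfo = new StAXOMBuilder(inputFactory.createXMLStreamReader(
                    new StringReader(DOM2Writer.nodeToString(keyInfoElement)))).getDocumentElement();
            out.append(keyInfo.toString());
        }
        return out.length() == 0 ? null : out.toString();
    }

    /**
     * Loads the relying party's private key and the validation policy from the filter's
     * init parameters.
     *
     * <p>Required parameters: KEY_STORE (path relative to the web app), STORE_TYPE,
     * STORE_PASS, KEY_ALIAS, KEY_PASS. TOKEN_VALIDATE_POLICY defaults to PROMISCUOUS; the
     * cert-checking policies additionally read TRUSTED_KEY_STORE, TRUSTED_STORE_PASS,
     * TRUSTED_STORE_TYPE and SYSTEM_KEY_STORE_PASS (default "changeit"), and the list
     * policies read BLACK_LIST / WHITE_LIST.
     *
     * @throws ServletException when a required parameter is missing or the key cannot be loaded
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
        String keyStorePath = filterConfig.getInitParameter(TokenVerifierConstants.KEY_STORE);
        String storeType = filterConfig.getInitParameter(TokenVerifierConstants.STORE_TYPE);
        String storePass = filterConfig.getInitParameter(TokenVerifierConstants.STORE_PASS);
        String keyAlias = filterConfig.getInitParameter(TokenVerifierConstants.KEY_ALIAS);
        String keyPass = filterConfig.getInitParameter(TokenVerifierConstants.KEY_PASS);
        try {
            if (keyStorePath == null || storeType == null || storePass == null || keyAlias == null || keyPass == null) {
                throw new ServletException("Key store init parameters are incomplete (KEY_STORE, STORE_TYPE, STORE_PASS, KEY_ALIAS, KEY_PASS)");
            }
            KeyStore keyStore = loadKeyStore(filterConfig.getServletContext().getRealPath(keyStorePath), storeType, storePass.toCharArray());
            this.privateKey = (PrivateKey) keyStore.getKey(keyAlias, keyPass.toCharArray());
            if (this.privateKey == null) {
                // Fail at deployment time rather than on the first sign-in attempt.
                throw new ServletException("No private key found under alias " + keyAlias);
            }

            this.validatePolicy = filterConfig.getInitParameter(TokenVerifierConstants.TOKEN_VALIDATE_POLICY);
            if (this.validatePolicy == null) {
                this.validatePolicy = TokenVerifierConstants.PROMISCUOUS;
            }
            if (this.validatePolicy.equals(TokenVerifierConstants.BLACK_LIST)) {
                String blackListParam = filterConfig.getInitParameter(TokenVerifierConstants.BLACK_LIST);
                if (blackListParam != null) {
                    this.blackList = readBlackWhiteList(blackListParam);
                }
            }
            if (this.validatePolicy.equals(TokenVerifierConstants.WHITE_LIST)) {
                String whiteListParam = filterConfig.getInitParameter(TokenVerifierConstants.WHITE_LIST);
                if (whiteListParam != null) {
                    this.whiteList = readBlackWhiteList(whiteListParam);
                }
            }
            if (requiresCertValidation(this.validatePolicy)) {
                this.idpStoreFilePath = filterConfig.getInitParameter(TokenVerifierConstants.TRUSTED_KEY_STORE);
                this.idpStorePass = filterConfig.getInitParameter(TokenVerifierConstants.TRUSTED_STORE_PASS);
                this.idpStoreType = filterConfig.getInitParameter(TokenVerifierConstants.TRUSTED_STORE_TYPE);
                this.defaultStorePass = filterConfig.getInitParameter(TokenVerifierConstants.SYSTEM_KEY_STORE_PASS);
                if (this.defaultStorePass == null) {
                    this.defaultStorePass = DEFAULT_CACERTS_PASS;
                }
            }
        } catch (ServletException e) {
            throw e;
        } catch (Exception e) {
            throw new ServletException("Cannot load the private key", e);
        }
    }

    /** True for the policies that run {@link #doCertValidation}. */
    private static boolean requiresCertValidation(String policy) {
        return policy.equals(TokenVerifierConstants.WHITE_LIST)
                || policy.equals(TokenVerifierConstants.BLACK_LIST)
                || policy.equals(TokenVerifierConstants.CERT_VALIDATE);
    }

    /**
     * Opens and loads a key store from a file, closing the stream afterwards.
     *
     * @param path     file system path of the store
     * @param type     KeyStore type, e.g. "JKS"
     * @param password store password
     */
    private static KeyStore loadKeyStore(String path, String type, char[] password) throws IOException, GeneralSecurityException {
        FileInputStream in = new FileInputStream(path);
        try {
            KeyStore keyStore = KeyStore.getInstance(type);
            keyStore.load(in, password);
            return keyStore;
        } finally {
            in.close();
        }
    }

    public void destroy() {
    }

    /**
     * Checks the token's signing certificate against the configured trust stores.
     *
     * <p>The issuer name must be a URI with a host, the signing certificate must be within
     * its validity period, and either its issuer DN must exist as an alias in the JDK
     * cacerts store or the issuer host must exist as an alias in the trusted-IdP store.
     *
     * <p>NOTE(review): trust is decided by alias lookup only ({@code containsAlias}); the
     * signing certificate is not chain-validated against the certificate stored under
     * that alias. A certificate whose issuer DN or issuer host merely matches an alias
     * string would therefore pass this check; PKIX path validation against the stored
     * certificate would be the stronger control.
     *
     * @throws RelyingPartyException "invalidIssuerName", "noCertInToken",
     *         "errorLoadingTrustedKeystore", "errorLoadingTrustedIdpKeystore" or
     *         "certificateNotTrusted"
     * @throws Exception when the certificate is expired or not yet valid
     */
    protected void doCertValidation(TokenVerifier tokenVerifier) throws Exception {
        String issuerHost = new URI(tokenVerifier.getIssuerName()).getHost();
        if (issuerHost == null) {
            throw new RelyingPartyException("invalidIssuerName");
        }
        X509Certificate signingCert = tokenVerifier.getSigningCert();
        if (signingCert == null) {
            throw new RelyingPartyException("noCertInToken");
        }
        String issuerDn = signingCert.getIssuerDN().getName();
        signingCert.checkValidity();

        boolean trusted;
        try {
            trusted = isAliasInSystemTrustStore(issuerDn);
        } catch (Exception e) {
            throw new RelyingPartyException("errorLoadingTrustedKeystore", e);
        }
        if (!trusted) {
            try {
                trusted = isAliasInIdpTrustStore(issuerHost);
            } catch (Exception e) {
                throw new RelyingPartyException("errorLoadingTrustedIdpKeystore", e);
            }
        }
        if (!trusted) {
            throw new RelyingPartyException("certificateNotTrusted");
        }
    }

    /** Looks an alias up in the JDK cacerts store located under JAVA_HOME. */
    private boolean isAliasInSystemTrustStore(String alias) throws IOException, GeneralSecurityException {
        String javaHome = System.getenv("JAVA_HOME");
        if (javaHome == null) {
            throw new IOException("Cannot find JAVA_HOME");
        }
        String cacertsPath = javaHome
                + (File.separator.equals("/") ? TokenVerifierConstants.CACERTS_STORE_UNIX : TokenVerifierConstants.CACERTS_STORE_WIN);
        if (log.isDebugEnabled()) {
            log.debug("System trust store : " + cacertsPath);
        }
        KeyStore cacerts = loadKeyStore(cacertsPath, "JKS", this.defaultStorePass.toCharArray());
        return cacerts.containsAlias(alias);
    }

    /** Looks an alias up in the trusted-IdP store configured in {@link #init}. */
    private boolean isAliasInIdpTrustStore(String alias) throws IOException, GeneralSecurityException {
        String storePath = this.filterConfig.getServletContext().getRealPath(this.idpStoreFilePath);
        KeyStore idpStore = loadKeyStore(storePath, this.idpStoreType, this.idpStorePass.toCharArray());
        return idpStore.containsAlias(alias);
    }

    /**
     * @return false when the signing certificate's issuer DN is on the black list;
     *         true otherwise, including when no black list is configured
     * @throws RelyingPartyException "noCertInToken" when the token has no signing certificate
     */
    protected boolean doBlackListCheck(TokenVerifier tokenVerifier) throws RelyingPartyException {
        X509Certificate signingCert = requireSigningCert(tokenVerifier);
        if (this.blackList == null) {
            return true;
        }
        List issuerDn = getDNOfIssuer(signingCert.getIssuerDN().getName());
        return !containsDn(this.blackList, issuerDn);
    }

    /**
     * @return true only when the signing certificate's issuer DN is on the white list;
     *         false when no white list is configured
     * @throws RelyingPartyException "noCertInToken" when the token has no signing certificate
     */
    protected boolean doWhiteListCheck(TokenVerifier tokenVerifier) throws RelyingPartyException {
        X509Certificate signingCert = requireSigningCert(tokenVerifier);
        if (this.whiteList == null) {
            return false;
        }
        List issuerDn = getDNOfIssuer(signingCert.getIssuerDN().getName());
        return containsDn(this.whiteList, issuerDn);
    }

    /** Returns the token's signing certificate or throws "noCertInToken". */
    private static X509Certificate requireSigningCert(TokenVerifier tokenVerifier) throws RelyingPartyException {
        X509Certificate signingCert = tokenVerifier.getSigningCert();
        if (signingCert == null) {
            throw new RelyingPartyException("noCertInToken");
        }
        return signingCert;
    }

    /** True when {@code issuerDn} equals one of the tokenised DNs in {@code dnList} (null list: false). */
    private static boolean containsDn(List[] dnList, List issuerDn) {
        if (dnList == null) {
            return false;
        }
        for (int i = 0; i < dnList.length; i++) {
            if (issuerDn.equals(dnList[i])) {
                return true;
            }
        }
        return false;
    }

    /**
     * Splits a DN into its RDN tokens and sorts them, so that DNs with the same components
     * in a different order compare equal.
     *
     * @param str a distinguished name such as "CN=a, O=b"
     * @return the sorted RDN tokens
     */
    protected List getDNOfIssuer(String str) {
        X509NameTokenizer tokenizer = new X509NameTokenizer(str);
        List rdns = new ArrayList();
        while (tokenizer.hasMoreTokens()) {
            rdns.add(tokenizer.nextToken());
        }
        Collections.sort(rdns);
        return rdns;
    }

    /**
     * Extracts the value of the first "CN=" component of the certificate's DN.
     *
     * <p>NOTE(review): despite its name this reads the issuer DN, as the original did;
     * nothing in this class calls it. Verify the intent before relying on it.
     *
     * @return the CN value (trimmed), or null when the DN has no "CN=" component
     */
    protected String getCNOfSubject(X509Certificate x509Certificate) {
        String name = x509Certificate.getIssuerDN().getName();
        int cnStart = name.indexOf("CN=");
        if (cnStart < 0) {
            return null;
        }
        int valueStart = cnStart + 3;
        int valueEnd = name.indexOf(',', valueStart);
        if (valueEnd < 0) {
            // CN is the last RDN in the string.
            valueEnd = name.length();
        }
        return name.substring(valueStart, valueEnd).trim();
    }

    /**
     * Parses a list init parameter of the form "{DN},{DN},...". Every entry is tokenised
     * and sorted with {@link #getDNOfIssuer}. A single-entry list "{DN}" is handled too.
     */
    private List[] readBlackWhiteList(String str) {
        String[] entries = str.split("\\},\\{");
        int last = entries.length - 1;
        if (entries[0].startsWith("{")) {
            entries[0] = entries[0].substring(1);
        }
        if (entries[last].endsWith("}")) {
            entries[last] = entries[last].substring(0, entries[last].length() - 1);
        }
        List[] dns = new List[entries.length];
        for (int i = 0; i < entries.length; i++) {
            dns[i] = getDNOfIssuer(entries[i]);
        }
        return dns;
    }

    /** Legacy class-literal helper retained for compatibility; {@code RelyingPartyFilter.class} is used instead. */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            throw new NoClassDefFoundError(e.getMessage());
        }
    }

    static {
        class$org$wso2$solutions$identity$relyingparty$servletfilter$RelyingPartyFilter = RelyingPartyFilter.class;
        log = LogFactory.getLog(RelyingPartyFilter.class);
        // Touch WSS4J's default configuration once at class load, as the original did.
        WSSConfig.getDefaultWSConfig();
    }
}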
