package org.wso2.carbon.identity.application.authenticator.passive.sts.manager;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml1.core.Assertion;
import org.opensaml.saml1.core.Attribute;
import org.opensaml.saml1.core.AttributeStatement;
import org.opensaml.saml1.core.AuthenticationStatement;
import org.opensaml.saml1.core.NameIdentifier;
import org.opensaml.saml1.core.Subject;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.UnmarshallingException;
import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.signature.SignableXMLObject;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.wso2.carbon.identity.application.authentication.framework.config.model.ExternalIdPConfig;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authenticator.passive.sts.exception.PassiveSTSException;
import org.wso2.carbon.identity.application.authenticator.passive.sts.util.PassiveSTSConstants;
import org.wso2.carbon.ui.CarbonUIUtil;
import org.xml.sax.SAXException;

/* loaded from: input_file:org/wso2/carbon/identity/application/authenticator/passive/sts/manager/PassiveSTSManager.class */
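/**
 * WS-Federation passive profile helper for the passive STS authenticator.
 * <p>
 * {@link #buildRequest} assembles the {@code wa=wsignin1.0} redirect to the IdP and
 * {@link #processResponse} consumes the token the IdP posts back: the SAML 1.x or 2.0
 * assertion found inside the WS-Trust {@code RequestedSecurityToken} element.
 * <p>
 * Security notes on the response path:
 * <ul>
 *   <li>The posted token is attacker-controlled. Its signature is verified against the
 *       credential loaded in the constructor before any subject or attribute is trusted.</li>
 *   <li>The XML parser is configured with DTDs and external entities disabled (XXE).</li>
 *   <li>Assertion conditions (NotBefore/NotOnOrAfter, audience) are NOT checked here —
 *       NOTE(review): confirm whether the calling framework enforces them.</li>
 * </ul>
 * Instances are not shared between threads by the framework as far as this class is concerned;
 * the only shared state is the one-time OpenSAML bootstrap, which is synchronized.
 */
public class PassiveSTSManager {

    /** Fully qualified name of the credential implementation loaded reflectively by the constructor. */
    private static final String CREDENTIAL_IMPL_CLASS =
            "org.wso2.carbon.identity.application.authenticator.passive.sts.manager.STSAgentKeyStoreCredential";
    private static final String CREDENTIAL_INIT_ERROR =
            "Error while instantiating SSOAgentCredentialImplClass: " + CREDENTIAL_IMPL_CLASS;
    private static final String WS_TRUST_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";
    private static final String REQUESTED_SECURITY_TOKEN = "RequestedSecurityToken";
    private static final String UNMARSHAL_ERROR = "Error in unmarshalling SAML Request from the encoded String";
    private static final String TOKEN_NOT_FOUND = "Security Token is not found in the Response";

    private static final Log log = LogFactory.getLog(PassiveSTSManager.class);
    private static boolean bootStrapped = false;

    /** Credential used to verify the assertion signature (expected to be the IdP's signing certificate). */
    private final X509Credential credential;

    /**
     * Loads the IdP credential for the given external IdP configuration.
     *
     * @param externalIdPConfig configuration of the IdP whose tokens this manager will verify
     * @throws PassiveSTSException if the credential implementation cannot be instantiated
     */
    public PassiveSTSManager(ExternalIdPConfig externalIdPConfig) throws PassiveSTSException {
        X509Credential loaded;
        try {
            // The implementation is looked up by name; only the key-store backed one is supported here.
            STSAgentCredential agentCredential =
                    (STSAgentCredential) Class.forName(CREDENTIAL_IMPL_CLASS).newInstance();
            agentCredential.init(externalIdPConfig);
            loaded = new X509CredentialImpl(agentCredential);
        } catch (ClassNotFoundException e) {
            throw new PassiveSTSException(CREDENTIAL_INIT_ERROR, e);
        } catch (IllegalAccessException e) {
            throw new PassiveSTSException(CREDENTIAL_INIT_ERROR, e);
        } catch (InstantiationException e) {
            throw new PassiveSTSException(CREDENTIAL_INIT_ERROR, e);
        }
        this.credential = loaded;
    }

    /**
     * Bootstraps the OpenSAML 2 library once per JVM. Synchronized so that concurrent first
     * requests cannot race on the flag; a bootstrap failure is logged and retried on the next call.
     */
    public static synchronized void doBootstrap() {
        if (bootStrapped) {
            return;
        }
        try {
            DefaultBootstrap.bootstrap();
            bootStrapped = true;
        } catch (ConfigurationException e) {
            log.error("Error in bootstrapping the OpenSAML2 library", e);
        }
    }

    /**
     * Builds the WS-Federation sign-in redirect URL.
     *
     * @param httpServletRequest current request, used to derive the {@code wreply} return URL
     * @param str                IdP passive STS endpoint the parameters are appended to
     * @param externalIdPConfig  IdP configuration (unused here; kept for interface compatibility)
     * @param str2               opaque context returned by the IdP as {@code wctx}
     * @param map                authenticator properties; must contain {@link PassiveSTSConstants#REALM_ID}
     * @return the redirect URL with {@code wa}, {@code wreply}, {@code wtrealm} and {@code wctx}
     * @throws PassiveSTSException if the realm is not configured, {@code str2} is null, or encoding fails
     */
    public String buildRequest(HttpServletRequest httpServletRequest, String str, ExternalIdPConfig externalIdPConfig,
                               String str2, Map<String, String> map) throws PassiveSTSException {
        String realm = map == null ? null : map.get(PassiveSTSConstants.REALM_ID);
        if (realm == null || realm.isEmpty()) {
            throw new PassiveSTSException("Realm identifier (" + PassiveSTSConstants.REALM_ID
                    + ") is not configured for the passive STS IdP");
        }
        if (str2 == null) {
            throw new PassiveSTSException("WCTX value must not be null");
        }
        // wreply points back at the commonauth endpoint; the admin-console URL carries a trailing
        // "carbon/" segment that has to be stripped first.
        String replyTo = CarbonUIUtil.getAdminConsoleURL(httpServletRequest).replace("commonauth/carbon/", "commonauth");
        try {
            // Every query value is URL-encoded so that '&', '#' or '=' inside the realm or reply
            // URL cannot split or truncate the query string.
            return new StringBuilder(str)
                    .append("?wa=wsignin1.0")
                    .append("&wreply=").append(URLEncoder.encode(replyTo, "UTF-8"))
                    .append("&wtrealm=").append(URLEncoder.encode(realm, "UTF-8"))
                    .append("&wctx=").append(URLEncoder.encode(str2, "UTF-8"))
                    .toString();
        } catch (UnsupportedEncodingException e) {
            throw new PassiveSTSException("Error occurred while url encoding WCTX ", e);
        }
    }

    /**
     * Processes the token posted back by the IdP: parses it, verifies its signature, and stores
     * the subject on the context and the attributes in the session under {@code "userAttributes"}.
     *
     * @param httpServletRequest    request carrying the passive STS result parameter
     * @param authenticationContext context that receives the authenticated subject
     * @throws PassiveSTSException if the parameter is missing, the token cannot be parsed, the
     *                             signature is absent or invalid, or no subject name is present
     */
    public void processResponse(HttpServletRequest httpServletRequest, AuthenticationContext authenticationContext)
            throws PassiveSTSException {
        doBootstrap();
        String result = httpServletRequest.getParameter(PassiveSTSConstants.HTTP_PARAM_PASSIVE_STS_RESULT);
        if (result == null || result.trim().isEmpty()) {
            throw new PassiveSTSException("SAML Assertion not found in the Response");
        }
        XMLObject token = unmarshall(result.replaceAll("(\\r|\\n)", ""));
        if (token == null) {
            throw new PassiveSTSException("SAML Assertion not found in the Response");
        }
        // The token arrives in a browser-posted form field and is attacker-controlled until its
        // signature has been checked against the credential loaded in the constructor. Nothing
        // from the assertion is trusted before this point.
        if (!(token instanceof SignableXMLObject)) {
            throw new PassiveSTSException("Security Token is not a signable SAML Assertion");
        }
        validateSignature((SignableXMLObject) token);

        String subjectName = null;
        Map<String, String> attributes = new HashMap<String, String>();
        if (token instanceof Assertion) {
            subjectName = readSaml1Assertion((Assertion) token, attributes);
        } else if (token instanceof org.opensaml.saml2.core.Assertion) {
            subjectName = readSaml2Assertion((org.opensaml.saml2.core.Assertion) token, attributes);
        }
        if (subjectName == null) {
            throw new PassiveSTSException("SAML Response does not contain the name of the subject");
        }
        authenticationContext.setSubject(subjectName);
        httpServletRequest.getSession().setAttribute("userAttributes", attributes);
    }

    /**
     * Extracts the subject name and attributes from a SAML 1.x assertion.
     * The subject is taken from the first authentication statement, falling back to the first
     * attribute statement. Returns null when neither carries a name identifier.
     */
    private static String readSaml1Assertion(Assertion assertion, Map<String, String> attributes) {
        String subjectName = null;
        if (assertion.getAuthenticationStatements() != null && !assertion.getAuthenticationStatements().isEmpty()) {
            subjectName = nameOf(assertion.getAuthenticationStatements().get(0).getSubject());
        }
        if (assertion.getAttributeStatements() != null && !assertion.getAttributeStatements().isEmpty()) {
            if (subjectName == null) {
                subjectName = nameOf(assertion.getAttributeStatements().get(0).getSubject());
            }
            for (AttributeStatement statement : assertion.getAttributeStatements()) {
                for (Attribute attribute : statement.getAttributes()) {
                    // Keyed by attribute namespace (not name), as existing consumers of
                    // "userAttributes" expect; a multi-valued attribute keeps only its last value.
                    putValues(attributes, attribute.getAttributeNamespace(), attribute.getAttributeValues());
                }
            }
        }
        return subjectName;
    }

    /**
     * Extracts the subject NameID value and attributes (keyed by attribute name) from a SAML 2.0
     * assertion. Returns null when the assertion has no subject or NameID.
     */
    private static String readSaml2Assertion(org.opensaml.saml2.core.Assertion assertion,
                                             Map<String, String> attributes) {
        String subjectName = null;
        if (assertion.getSubject() != null && assertion.getSubject().getNameID() != null) {
            subjectName = assertion.getSubject().getNameID().getValue();
        }
        if (assertion.getAttributeStatements() != null) {
            for (org.opensaml.saml2.core.AttributeStatement statement : assertion.getAttributeStatements()) {
                for (org.opensaml.saml2.core.Attribute attribute : statement.getAttributes()) {
                    putValues(attributes, attribute.getName(), attribute.getAttributeValues());
                }
            }
        }
        return subjectName;
    }

    /** Null-safe read of a SAML 1.x subject's name identifier value. */
    private static String nameOf(Subject subject) {
        if (subject == null) {
            return null;
        }
        NameIdentifier nameIdentifier = subject.getNameIdentifier();
        return nameIdentifier == null ? null : nameIdentifier.getNameIdentifier();
    }

    /** Stores the text content of each value under {@code key}; later values overwrite earlier ones. */
    private static void putValues(Map<String, String> attributes, String key, List<XMLObject> values) {
        if (values == null) {
            return;
        }
        for (XMLObject value : values) {
            Element dom = value.getDOM();
            if (dom != null) {
                attributes.put(key, dom.getTextContent());
            }
        }
    }

    /**
     * Parses the posted response and unmarshalls the first element inside the WS-Trust
     * {@code RequestedSecurityToken} into an OpenSAML object.
     *
     * @throws PassiveSTSException if no token element is present or parsing/unmarshalling fails
     */
    private XMLObject unmarshall(String str) throws PassiveSTSException {
        String xml = decodeHTMLCharacters(str);
        try {
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            factory.setNamespaceAware(true);
            // The document is attacker-supplied: forbid DTDs and external entities (XXE, entity
            // expansion) and XInclude. A parser that cannot honour these features fails closed
            // via ParserConfigurationException below.
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            factory.setXIncludeAware(false);
            factory.setExpandEntityReferences(false);

            Element root = factory.newDocumentBuilder()
                    .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                    .getDocumentElement();
            NodeList tokens = root.getElementsByTagNameNS(WS_TRUST_NS, REQUESTED_SECURITY_TOKEN);
            if (tokens == null || tokens.getLength() == 0) {
                throw new PassiveSTSException(TOKEN_NOT_FOUND);
            }
            if (tokens.getLength() > 1) {
                log.warn("More than one Security Token is found in the Response");
            }
            // Skip any whitespace/text node so the cast below cannot fail on a pretty-printed token.
            Element tokenElement = firstElementChild(tokens.item(0));
            if (tokenElement == null) {
                throw new PassiveSTSException(TOKEN_NOT_FOUND);
            }
            if (Configuration.getUnmarshallerFactory().getUnmarshaller(tokenElement) == null) {
                throw new PassiveSTSException("No unmarshaller registered for the Security Token element");
            }
            return Configuration.getUnmarshallerFactory().getUnmarshaller(tokenElement).unmarshall(tokenElement);
        } catch (ParserConfigurationException e) {
            throw new PassiveSTSException(UNMARSHAL_ERROR, e);
        } catch (SAXException e) {
            throw new PassiveSTSException(UNMARSHAL_ERROR, e);
        } catch (UnmarshallingException e) {
            throw new PassiveSTSException(UNMARSHAL_ERROR, e);
        } catch (IOException e) {
            throw new PassiveSTSException(UNMARSHAL_ERROR, e);
        }
    }

    /** Returns the first element child of {@code node}, skipping text/comment nodes, or null if none. */
    private static Element firstElementChild(Node node) {
        for (Node child = node.getFirstChild(); child != null; child = child.getNextSibling()) {
            if (child.getNodeType() == Node.ELEMENT_NODE) {
                return (Element) child;
            }
        }
        return null;
    }

    /**
     * Reverses one level of HTML entity escaping on the posted token.
     * {@code &amp;} is decoded last so that a doubly escaped sequence such as {@code &amp;lt;}
     * yields {@code &lt;} rather than collapsing all the way to {@code <}.
     */
    private static String decodeHTMLCharacters(String str) {
        return str.replace("&lt;", "<")
                .replace("&gt;", ">")
                .replace("&quot;", "\"")
                .replace("&apos;", "'")
                .replace("&amp;", "&");
    }

    /**
     * Verifies the XML signature on the assertion against the configured credential.
     * NOTE(review): only the cryptographic check is performed; the signature's placement/profile
     * (enveloped, reference to the assertion itself) is not validated separately here.
     *
     * @throws PassiveSTSException if the signature is missing or does not verify
     */
    private void validateSignature(SignableXMLObject signableXMLObject) throws PassiveSTSException {
        if (signableXMLObject.getSignature() == null) {
            throw new PassiveSTSException(
                    "SAMLAssertion signing is enabled, but signature element not found in SAML Assertion element.");
        }
        try {
            new SignatureValidator(this.credential).validate(signableXMLObject.getSignature());
        } catch (ValidationException e) {
            // Keep the cause so the underlying reason (wrong key, digest mismatch, ...) is logged upstream.
            throw new PassiveSTSException("Signature validation failed for SAML Assertion", e);
        }
    }
}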
