package com.adobe.ep.auth.ticket.impl;

import com.adobe.edc.server.businessobject.PolicyBO;
import com.adobe.ep.auth.ticket.InvalidTicketException;
import com.adobe.ep.auth.ticket.Ticket;
import com.adobe.ep.auth.ticket.TicketOptions;
import java.io.StringReader;
import java.security.Key;
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collection;
import java.util.Date;
import java.util.Deque;
import java.util.GregorianCalendar;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Stack;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.apache.commons.codec.digest.DigestUtils;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAttribute;
import org.opensaml.SAMLAttributeStatement;
import org.opensaml.SAMLAuthenticationStatement;
import org.opensaml.SAMLException;
import org.opensaml.SAMLNameIdentifier;
import org.opensaml.SAMLStatement;
import org.opensaml.SAMLSubject;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

/* loaded from: input_file:com/adobe/ep/auth/ticket/impl/SAMLHelper.class */
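/**
 * Issues and verifies authentication tickets carried as signed SAML 1.x assertions.
 *
 * <p>A ticket is a {@link SAMLAssertion} holding one authentication statement (and an
 * optional attribute statement), signed with HMAC-SHA1 under a key derived from the shared
 * secret given to {@link #initialize(String)}. Verification parses the ticket with a
 * hardened (no DTD, no external entities) parser, checks the signature <em>before</em>
 * any content of the assertion is interpreted, and only then inspects the statements and
 * the validity window.
 *
 * <p>Instances are not thread-safe with respect to the setters; the parser pool is
 * internally synchronized.
 */
public class SAMLHelper {
    private static final String ADOBE_SAML_NAMESPACE = "adobe";
    /** Subject confirmation method placed on every issued subject. */
    private static final String CONFIRMATION_METHOD_SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches";
    /** Authentication method recorded in the issued authentication statement. */
    private static final String AUTHENTICATION_METHOD_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.0:am:unspecified";
    /** XML Signature algorithm URI used to sign issued tickets. */
    private static final String SIGNATURE_ALGORITHM_HMAC_SHA1 = "http://www.w3.org/2000/09/xmldsig#hmac-sha1";
    /** SHA-256 of the shared secret; {@code null} until {@link #initialize(String)} is called. */
    private byte[] signingKey;
    public static final int DEFAULT_TICKET_VALIDITY_DURATION = 600;
    public static final String DEFAULT_ISSUER_NAME = "Adobe Enterprise Platform";
    /** Upper bound, in seconds, on the validity of any issued ticket. */
    private int assertionTimeoutInSeconds = DEFAULT_TICKET_VALIDITY_DURATION;
    private String issuerName = DEFAULT_ISSUER_NAME;
    private final ParserPool parserPool = new ParserPool();
    /** Clock-skew allowance: issued assertions are valid from this many seconds in the past. */
    private int assertionThresholdInSeconds = 60;

    /**
     * Small LIFO pool of reusable {@link DocumentBuilder}s configured for untrusted input.
     *
     * <p>Every builder created here refuses DOCTYPE declarations and external entities and
     * runs with the JAXP secure-processing limits enabled. Ticket values are attacker
     * controllable, so a builder that cannot be hardened is treated as unusable: the
     * {@link ParserConfigurationException} propagates and the caller fails closed.
     */
    public static final class ParserPool {
        private static final String FEATURE_DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
        private static final String FEATURE_EXTERNAL_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";
        private static final String FEATURE_EXTERNAL_PARAMETER_ENTITIES = "http://xml.org/sax/features/external-parameter-entities";
        private static final String FEATURE_LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
        private final Deque<DocumentBuilder> idle = new ArrayDeque<>();

        private ParserPool() {
        }

        /**
         * Returns an idle builder from the pool, or a freshly hardened one if none is idle.
         *
         * @return a namespace-aware builder that does not expand or resolve entities
         * @throws ParserConfigurationException if a builder cannot be created, or the
         *         underlying parser does not support one of the hardening features
         */
        public synchronized DocumentBuilder get() throws ParserConfigurationException {
            DocumentBuilder pooled = this.idle.poll();
            if (pooled != null) {
                return pooled;
            }
            return newHardenedBuilder();
        }

        /** Builds a namespace-aware parser with DTD and external-entity handling switched off. */
        private static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            factory.setNamespaceAware(true);
            factory.setExpandEntityReferences(false);
            factory.setXIncludeAware(false);
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            // A SAML assertion never legitimately carries a DOCTYPE; rejecting it outright
            // closes the entity-expansion and external-entity (XXE) paths in one step.
            factory.setFeature(FEATURE_DISALLOW_DOCTYPE, true);
            // Belt and braces for parsers that accept the DOCTYPE feature but still resolve entities.
            factory.setFeature(FEATURE_EXTERNAL_GENERAL_ENTITIES, false);
            factory.setFeature(FEATURE_EXTERNAL_PARAMETER_ENTITIES, false);
            factory.setFeature(FEATURE_LOAD_EXTERNAL_DTD, false);
            return factory.newDocumentBuilder();
        }

        /**
         * Returns a builder to the pool for reuse. {@code null} is ignored so that a later
         * {@link #get()} never hands out a null builder.
         *
         * @param documentBuilder the builder to make available again
         */
        public synchronized void put(DocumentBuilder documentBuilder) {
            if (documentBuilder != null) {
                this.idle.push(documentBuilder);
            }
        }
    }

    /**
     * Tells whether a signing key has been installed via {@link #initialize(String)}.
     *
     * @return {@code true} once a signing key is present
     */
    public boolean isInitialized() {
        return this.signingKey != null;
    }

    /**
     * Derives the HMAC signing key as the SHA-256 digest of the given shared secret.
     *
     * @param str the shared secret; its digest, not the secret itself, is retained
     * @throws NullPointerException if {@code str} is {@code null}
     */
    public void initialize(String str) {
        Objects.requireNonNull(str, "shared secret");
        this.signingKey = DigestUtils.sha256(str);
    }

    /**
     * Issues a signed ticket for the given principal.
     *
     * @param str the principal name to place in the ticket's subject
     * @param ticketOptions validity duration and extra attributes; {@code null} means defaults
     * @return the signed ticket
     * @throws NullPointerException if {@code str} is {@code null}
     * @throws IllegalStateException if {@link #initialize(String)} has not been called
     * @throws RuntimeException wrapping the {@link SAMLException} if the assertion cannot be built or signed
     */
    public Ticket issueTicket(String str, TicketOptions ticketOptions) {
        Objects.requireNonNull(str, "principal name");
        TicketOptions options = ticketOptions == null ? new TicketOptions() : ticketOptions;
        try {
            return issueTicket0(str, options);
        } catch (SAMLException e) {
            throw new RuntimeException("Unable to issue ticket", e);
        }
    }

    /**
     * Verifies a ticket's signature and validity window and extracts its principal.
     *
     * @param str the serialized ticket as produced by {@link #issueTicket(String, TicketOptions)}
     * @return a ticket whose principal name is taken from the verified assertion
     * @throws InvalidTicketException if the value is empty, malformed, unsigned, wrongly signed,
     *         outside its validity window, or lacks an authentication statement
     * @throws IllegalStateException if {@link #initialize(String)} has not been called
     */
    public Ticket verifyTicket(String str) throws InvalidTicketException {
        if (str == null || str.isEmpty()) {
            throw new InvalidTicketException("Ticket value passed is empty");
        }
        try {
            return verifyTicket0(str);
        } catch (SAMLException e) {
            throw new InvalidTicketException("Ticket not valid", e);
        }
    }

    /**
     * Builds, signs and serializes the assertion for a ticket.
     *
     * <p>The validity window opens {@code assertionThresholdInSeconds} in the past (clock-skew
     * allowance) and closes after the capped duration from {@link #getAssertionPeriod}.
     */
    private Ticket issueTicket0(String principalName, TicketOptions options) throws SAMLException {
        int validitySeconds = getAssertionPeriod(options);
        Calendar notBeforeCal = getCurrentTime();
        notBeforeCal.add(Calendar.SECOND, -this.assertionThresholdInSeconds);
        Calendar notOnOrAfterCal = getCurrentTime();
        notOnOrAfterCal.add(Calendar.SECOND, validitySeconds);
        Date notBefore = notBeforeCal.getTime();
        Date notOnOrAfter = notOnOrAfterCal.getTime();

        List<String> confirmationMethods = new ArrayList<String>(1);
        confirmationMethods.add(CONFIRMATION_METHOD_SENDER_VOUCHES);

        // Each statement gets its own SAMLSubject instance rather than sharing one; OpenSAML
        // statement objects take ownership of the subject they are given.
        SAMLAuthenticationStatement authenticationStatement = new SAMLAuthenticationStatement(
                createSubject(principalName, confirmationMethods),
                AUTHENTICATION_METHOD_UNSPECIFIED, notBefore, (String) null, (String) null, (Collection) null);
        SAMLAttributeStatement attributeStatement = new SAMLAttributeStatement();
        attributeStatement.setSubject(createSubject(principalName, confirmationMethods));
        addAttributes(options, attributeStatement);

        List<SAMLStatement> statements = new ArrayList<SAMLStatement>(2);
        statements.add(authenticationStatement);
        // An empty AttributeStatement is not schema-valid, so only include it when populated.
        if (attributeStatement.getAttributes().hasNext()) {
            statements.add(attributeStatement);
        }

        SAMLAssertion assertion = new SAMLAssertion(this.issuerName, notBefore, notOnOrAfter, (Collection) null, (Collection) null, statements);
        assertion.sign(SIGNATURE_ALGORITHM_HMAC_SHA1, getSecretKeySpec(), (Collection) null);
        return new Ticket(assertion.toString());
    }

    /** Copies every entry of the options' attribute map onto the statement; no-op when empty. */
    private void addAttributes(TicketOptions options, SAMLAttributeStatement statement) throws SAMLException {
        Map<String, String> attributes = options.getAttributes();
        if (attributes == null || attributes.isEmpty()) {
            return;
        }
        for (Map.Entry<String, String> entry : attributes.entrySet()) {
            statement.addAttribute(createAttribute(entry.getKey(), entry.getValue()));
        }
    }

    /** Creates a single-valued attribute in the Adobe namespace. */
    private SAMLAttribute createAttribute(String name, Object value) throws SAMLException {
        SAMLAttribute attribute = new SAMLAttribute();
        attribute.setName(name);
        attribute.addValue(value);
        attribute.setNamespace(ADOBE_SAML_NAMESPACE);
        return attribute;
    }

    /**
     * Resolves the requested validity duration against the configured ceiling.
     *
     * @return the requested duration in seconds, or {@code assertionTimeoutInSeconds} when the
     *         request is unset (negative) or exceeds the ceiling
     */
    private int getAssertionPeriod(TicketOptions options) {
        int requested = options.getDuration();
        if (requested < 0 || requested > this.assertionTimeoutInSeconds) {
            return this.assertionTimeoutInSeconds;
        }
        return requested;
    }

    /** Builds a subject with an unqualified name identifier and the given confirmation methods. */
    private SAMLSubject createSubject(String principalName, List<String> confirmationMethods) throws SAMLException {
        return new SAMLSubject(new SAMLNameIdentifier(principalName, (String) null, (String) null), confirmationMethods, (Element) null, (Object) null);
    }

    /**
     * Wraps the derived signing key for use with {@code sign}/{@code verify}.
     *
     * <p>NOTE(review): the algorithm label handed to {@link SecretKeySpec} is {@code PolicyBO.AES};
     * the signature algorithm actually applied is the HMAC URI passed to {@code sign()} — confirm
     * the label is irrelevant to the XML-signature provider in use.
     *
     * @throws IllegalStateException if no signing key has been installed
     */
    private Key getSecretKeySpec() {
        if (this.signingKey == null) {
            throw new IllegalStateException("SAMLHelper is not initialized: no signing key has been set");
        }
        return new SecretKeySpec(this.signingKey, PolicyBO.AES);
    }

    /**
     * Parses and verifies a ticket. Order matters: the signature is checked before any
     * statement or date in the assertion is read, so unauthenticated content never drives
     * error reporting or the extracted principal.
     */
    private Ticket verifyTicket0(String ticketValue) throws SAMLException, InvalidTicketException {
        // Resolve the key first so a missing initialization surfaces as a configuration
        // error rather than being reported as a bad signature.
        Key key = getSecretKeySpec();
        Document document = parse(new InputSource(new StringReader(ticketValue)));
        SAMLAssertion assertion = new SAMLAssertion(document.getDocumentElement());
        try {
            assertion.verify(key);
        } catch (Exception e) {
            throw new InvalidTicketException("Ticket signature not valid", e);
        }

        SAMLAuthenticationStatement authenticationStatement = findAuthenticationStatement(assertion);
        if (authenticationStatement == null) {
            throw new InvalidTicketException("Ticket content not well formed. Expected an AuthenticationStatement");
        }
        SAMLSubject subject = authenticationStatement.getSubject();
        if (subject == null || subject.getName() == null) {
            throw new InvalidTicketException("Ticket content not well formed. Expected a subject with a NameIdentifier");
        }
        checkExpired(assertion, subject);

        Ticket ticket = new Ticket();
        ticket.setPrincipalName(subject.getName().getName());
        return ticket;
    }

    /** Returns the first authentication statement of the assertion, or {@code null} if there is none. */
    private static SAMLAuthenticationStatement findAuthenticationStatement(SAMLAssertion assertion) {
        Iterator<?> statements = assertion.getStatements();
        while (statements.hasNext()) {
            Object statement = statements.next();
            if (statement instanceof SAMLAuthenticationStatement) {
                return (SAMLAuthenticationStatement) statement;
            }
        }
        return null;
    }

    /**
     * Rejects assertions without a complete validity window, or whose window does not
     * contain the current time as reported by {@link #getCurrentTimeInMillis()}.
     *
     * @throws InvalidTicketException if {@code notBefore} or {@code notOnOrAfter} is missing,
     *         the window has not opened yet, or it has already closed
     */
    private void checkExpired(SAMLAssertion assertion, SAMLSubject subject) throws InvalidTicketException {
        Date notBefore = assertion.getNotBefore();
        Date notOnOrAfter = assertion.getNotOnOrAfter();
        if (notBefore == null || notOnOrAfter == null) {
            throw new InvalidTicketException("Assertion is not valid. It does not have valid from (notBefore) or valid till (notOnOrAfter) dates.");
        }
        // Sample the clock once so both comparisons and both messages describe the same instant.
        long now = getCurrentTimeInMillis();
        SAMLNameIdentifier nameId = subject.getName();
        String userName = nameId == null ? null : nameId.getName();
        String userQualifier = nameId == null ? null : nameId.getNameQualifier();
        if (notBefore.getTime() > now) {
            throw new InvalidTicketException(String.format("Assertion is not valid for user [%s@%s]. Its valid from time [%s] was found to be greater than the current time [%s]", userName, userQualifier, notBefore, new Date(now)));
        }
        if (notOnOrAfter.getTime() <= now) {
            throw new InvalidTicketException(String.format("Assertion has expired and hence not valid for user [%s@%s]. Its valid till time [%s] was found to be before the current time [%s]", userName, userQualifier, notOnOrAfter, new Date(now)));
        }
    }

    /** Clock source for validity checks; package-private so tests can override it. */
    long getCurrentTimeInMillis() {
        return System.currentTimeMillis();
    }

    /** Clock source for issued validity windows; package-private so tests can override it. */
    Calendar getCurrentTime() {
        return GregorianCalendar.getInstance();
    }

    /**
     * Parses untrusted XML with a pooled, hardened builder.
     *
     * <p>The builder is only returned to the pool after a successful parse; a builder that
     * failed mid-document is simply dropped. Any failure — including a rejected DOCTYPE —
     * is reported as a malformed ticket so the caller fails closed.
     *
     * @param inputSource the XML to parse
     * @return the parsed document
     * @throws InvalidTicketException if the input cannot be parsed or a hardened parser is unavailable
     */
    public Document parse(InputSource inputSource) throws InvalidTicketException {
        try {
            DocumentBuilder documentBuilder = this.parserPool.get();
            Document document = documentBuilder.parse(inputSource);
            this.parserPool.put(documentBuilder);
            return document;
        } catch (Exception e) {
            throw new InvalidTicketException("Ticket content not well formed", e);
        }
    }

    /**
     * Sets the maximum validity, in seconds, of issued tickets; requested durations above
     * this value are capped to it.
     *
     * @param i the ceiling in seconds; must not be negative
     * @throws IllegalArgumentException if {@code i} is negative
     */
    public void setAssertionTimeoutInSeconds(int i) {
        if (i < 0) {
            throw new IllegalArgumentException("assertionTimeoutInSeconds must not be negative: " + i);
        }
        this.assertionTimeoutInSeconds = i;
    }

    /**
     * Sets the issuer name written into issued assertions.
     *
     * @param str the issuer name
     * @throws NullPointerException if {@code str} is {@code null}
     */
    public void setIssuerName(String str) {
        this.issuerName = Objects.requireNonNull(str, "issuerName");
    }
}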
