package org.apache.cxf.fediz.core.processor;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.UUID;
import java.util.zip.DataFormatException;
import javax.servlet.http.HttpServletRequest;
import org.apache.cxf.fediz.core.Claim;
import org.apache.cxf.fediz.core.RequestState;
import org.apache.cxf.fediz.core.TokenValidator;
import org.apache.cxf.fediz.core.TokenValidatorRequest;
import org.apache.cxf.fediz.core.TokenValidatorResponse;
import org.apache.cxf.fediz.core.config.FedizContext;
import org.apache.cxf.fediz.core.config.SAMLProtocol;
import org.apache.cxf.fediz.core.exception.ProcessingException;
import org.apache.cxf.fediz.core.metadata.MetadataWriter;
import org.apache.cxf.fediz.core.samlsso.CompressionUtils;
import org.apache.cxf.fediz.core.samlsso.SAMLPRequestBuilder;
import org.apache.cxf.fediz.core.samlsso.SAMLProtocolResponseValidator;
import org.apache.cxf.fediz.core.samlsso.SAMLSSOResponseValidator;
import org.apache.cxf.fediz.core.samlsso.SSOValidatorResponse;
import org.apache.cxf.fediz.core.util.DOMUtils;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.OpenSAMLUtil;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.util.DOM2Writer;
import org.apache.xml.security.exceptions.Base64DecodingException;
import org.apache.xml.security.utils.Base64;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.LogoutResponse;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.StatusResponseType;
import org.opensaml.security.crypto.JCAConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.web.server.header.CacheControlServerHttpHeadersWriter;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:WEB-INF/lib/fediz-core-1.4.6.jar:org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.class */
public class SAMLProcessorImpl extends AbstractFedizProcessor {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) SAMLProcessorImpl.class);

    @Override // org.apache.cxf.fediz.core.processor.FedizProcessor
    public FedizResponse processRequest(FedizRequest fedizRequest, FedizContext fedizContext) throws ProcessingException {
        if (!(fedizContext.getProtocol() instanceof SAMLProtocol)) {
            LOG.error("Unsupported protocol");
            throw new IllegalStateException("Unsupported protocol");
        }
        if (fedizRequest.getResponseToken() == null) {
            LOG.error("Missing response token parameter");
            throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
        }
        if (fedizRequest.isSignOutResponse()) {
            return processSignOutResponse(fedizRequest, fedizContext);
        }
        if (fedizRequest.getState() != null || !fedizContext.isRequestStateValidation()) {
            return processSignInRequest(fedizRequest, fedizContext);
        }
        LOG.error("Missing RelayState parameter");
        throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
    }

    @Override // org.apache.cxf.fediz.core.processor.FedizProcessor
    public Document getMetaData(HttpServletRequest httpServletRequest, FedizContext fedizContext) throws ProcessingException {
        return new MetadataWriter().getMetaData(httpServletRequest, fedizContext);
    }

    private RequestState processRelayState(String str, RequestState requestState, FedizContext fedizContext) throws ProcessingException {
        if (!fedizContext.isRequestStateValidation() || (str.getBytes().length > 0 && str.getBytes().length <= 80)) {
            return requestState;
        }
        LOG.error("Invalid RelayState");
        throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
    }

    protected FedizResponse processSignInRequest(FedizRequest fedizRequest, FedizContext fedizContext) throws ProcessingException {
        List<ClaimsProcessor> claimsProcessor;
        SAMLProtocol sAMLProtocol = (SAMLProtocol) fedizContext.getProtocol();
        RequestState processRelayState = processRelayState(fedizRequest.getState(), fedizRequest.getRequestState(), fedizContext);
        try {
            byte[] decode = Base64.decode(fedizRequest.getResponseToken());
            try {
                Element documentElement = DOMUtils.readXml(sAMLProtocol.isDisableDeflateEncoding() ? new ByteArrayInputStream(decode) : CompressionUtils.inflate(decode)).getDocumentElement();
                LOG.debug("Received response: " + DOM2Writer.nodeToString(documentElement));
                try {
                    XMLObject fromDom = OpenSAMLUtil.fromDom(documentElement);
                    if (!(fromDom instanceof Response)) {
                        throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
                    }
                    validateSamlResponseProtocol((Response) fromDom, fedizContext);
                    SSOValidatorResponse validateSamlSSOResponse = validateSamlSSOResponse((Response) fromDom, fedizRequest.getRequest(), processRelayState, fedizContext);
                    TokenValidatorResponse tokenValidatorResponse = null;
                    List<Element> childrenWithName = DOMUtils.getChildrenWithName(documentElement, "urn:oasis:names:tc:SAML:2.0:assertion", "Assertion");
                    if (childrenWithName.isEmpty()) {
                        LOG.debug("No Assertion extracted from SAML Response");
                        throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
                    }
                    Element element = childrenWithName.get(0);
                    Iterator<TokenValidator> it = sAMLProtocol.getTokenValidators().iterator();
                    if (it.hasNext()) {
                        TokenValidator next = it.next();
                        if (!next.canHandleToken(element)) {
                            LOG.warn("No security token validator found for '" + element.getLocalName() + "'");
                            throw new ProcessingException(ProcessingException.TYPE.BAD_REQUEST);
                        }
                        try {
                            tokenValidatorResponse = next.validateAndProcessToken(new TokenValidatorRequest(element, fedizRequest.getCerts()), fedizContext);
                        } catch (ProcessingException e) {
                            throw e;
                        } catch (Exception e2) {
                            LOG.warn("Failed to validate token", (Throwable) e2);
                            throw new ProcessingException(ProcessingException.TYPE.TOKEN_INVALID);
                        }
                    }
                    if (tokenValidatorResponse == null) {
                        LOG.warn("No token validation response was available");
                        throw new ProcessingException(ProcessingException.TYPE.BAD_REQUEST);
                    }
                    Date expires = tokenValidatorResponse.getExpires();
                    if (expires == null) {
                        expires = validateSamlSSOResponse.getSessionNotOnOrAfter();
                    }
                    testForReplayAttack(tokenValidatorResponse.getUniqueTokenId(), fedizContext, expires);
                    List<Claim> claims = tokenValidatorResponse.getClaims();
                    testForMandatoryClaims(fedizContext.getProtocol().getRoleURI(), fedizContext.getProtocol().getClaimTypesRequested(), claims, false);
                    if (fedizContext.getClaimsProcessor() != null && (claimsProcessor = fedizContext.getClaimsProcessor()) != null) {
                        for (ClaimsProcessor claimsProcessor2 : claimsProcessor) {
                            LOG.debug("invoking ClaimsProcessor {}", claimsProcessor2);
                            claims = claimsProcessor2.processClaims(claims);
                        }
                    }
                    return new FedizResponse(tokenValidatorResponse.getUsername(), tokenValidatorResponse.getIssuer(), getRoles(claims, fedizContext.getProtocol().getRoleURI()), claims, tokenValidatorResponse.getAudience(), tokenValidatorResponse.getCreated(), expires, element, tokenValidatorResponse.getUniqueTokenId());
                } catch (WSSecurityException e3) {
                    LOG.debug(e3.getMessage(), (Throwable) e3);
                    throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
                }
            } catch (Exception e4) {
                LOG.warn("Failed to parse token", (Throwable) e4);
                throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
            }
        } catch (IllegalArgumentException | DataFormatException e5) {
            LOG.warn("Invalid data format", e5);
            throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
        } catch (Base64DecodingException e6) {
            throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
        }
    }

    private FedizResponse processSignOutResponse(FedizRequest fedizRequest, FedizContext fedizContext) throws ProcessingException {
        SAMLProtocol sAMLProtocol = (SAMLProtocol) fedizContext.getProtocol();
        try {
            byte[] decode = Base64.decode(fedizRequest.getResponseToken());
            try {
                Element documentElement = DOMUtils.readXml(sAMLProtocol.isDisableDeflateEncoding() ? new ByteArrayInputStream(decode) : CompressionUtils.inflate(decode)).getDocumentElement();
                LOG.debug("Received response: " + DOM2Writer.nodeToString(documentElement));
                try {
                    XMLObject fromDom = OpenSAMLUtil.fromDom(documentElement);
                    if (!(fromDom instanceof LogoutResponse)) {
                        throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
                    }
                    LogoutResponse logoutResponse = (LogoutResponse) fromDom;
                    validateSamlResponseProtocol(logoutResponse, fedizContext);
                    Date date = logoutResponse.getIssueInstant().toDate();
                    if (logoutResponse.isSigned()) {
                        return new FedizResponse(null, logoutResponse.getIssuer().getValue(), Collections.emptyList(), Collections.emptyList(), null, date, null, null, logoutResponse.getID());
                    }
                    LOG.debug("The LogoutResponse is not signed");
                    throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
                } catch (WSSecurityException e) {
                    LOG.debug(e.getMessage(), (Throwable) e);
                    throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
                }
            } catch (Exception e2) {
                LOG.warn("Failed to parse token", (Throwable) e2);
                throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
            }
        } catch (IllegalArgumentException | DataFormatException e3) {
            LOG.warn("Invalid data format", e3);
            throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
        } catch (Base64DecodingException e4) {
            throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
        }
    }

    protected void validateSamlResponseProtocol(StatusResponseType statusResponseType, FedizContext fedizContext) throws ProcessingException {
        try {
            new SAMLProtocolResponseValidator().validateSamlResponse(statusResponseType, fedizContext);
        } catch (WSSecurityException e) {
            LOG.debug(e.getMessage(), (Throwable) e);
            throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
        }
    }

    protected SSOValidatorResponse validateSamlSSOResponse(Response response, HttpServletRequest httpServletRequest, RequestState requestState, FedizContext fedizContext) throws ProcessingException {
        try {
            SAMLSSOResponseValidator sAMLSSOResponseValidator = new SAMLSSOResponseValidator();
            sAMLSSOResponseValidator.setAssertionConsumerURL(httpServletRequest.getRequestURL().toString());
            if (!((SAMLProtocol) fedizContext.getProtocol()).isDisableClientAddressCheck()) {
                sAMLSSOResponseValidator.setClientAddress(httpServletRequest.getRemoteAddr());
            }
            sAMLSSOResponseValidator.setEnforceKnownIssuer(!((SAMLProtocol) fedizContext.getProtocol()).isDoNotEnforceKnownIssuer());
            sAMLSSOResponseValidator.setIssuerIDP(requestState != null ? requestState.getIdpServiceAddress() : null);
            sAMLSSOResponseValidator.setRequestId(requestState != null ? requestState.getRequestId() : null);
            sAMLSSOResponseValidator.setSpIdentifier(requestState != null ? requestState.getIssuerId() : null);
            sAMLSSOResponseValidator.setEnforceAssertionsSigned(true);
            sAMLSSOResponseValidator.setReplayCache(fedizContext.getTokenReplayCache());
            return sAMLSSOResponseValidator.validateSamlResponse(response, false);
        } catch (WSSecurityException e) {
            LOG.debug(e.getMessage(), (Throwable) e);
            throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
        }
    }

    @Override // org.apache.cxf.fediz.core.processor.FedizProcessor
    public RedirectionResponse createSignInRequest(HttpServletRequest httpServletRequest, FedizContext fedizContext) throws ProcessingException {
        String str = null;
        try {
            if (!(fedizContext.getProtocol() instanceof SAMLProtocol)) {
                LOG.error("Unsupported protocol");
                throw new IllegalStateException("Unsupported protocol");
            }
            String resolveIssuer = resolveIssuer(httpServletRequest, fedizContext);
            LOG.info("Issuer url: " + resolveIssuer);
            if (resolveIssuer != null && resolveIssuer.length() > 0) {
                str = resolveIssuer;
            }
            SAMLPRequestBuilder sAMLPRequestBuilder = ((SAMLProtocol) fedizContext.getProtocol()).getSAMLPRequestBuilder();
            Document createDocument = DOMUtils.createDocument();
            createDocument.appendChild(createDocument.createElement("root"));
            String resolveReply = resolveReply(httpServletRequest, fedizContext);
            if (resolveReply == null || resolveReply.length() == 0) {
                resolveReply = httpServletRequest.getRequestURL().toString();
            } else {
                try {
                    new URL(resolveReply);
                } catch (MalformedURLException e) {
                    resolveReply = resolveReply.startsWith("/") ? extractFullContextPath(httpServletRequest).concat(resolveReply.substring(1)) : extractFullContextPath(httpServletRequest).concat(resolveReply);
                }
            }
            String resolveWTRealm = resolveWTRealm(httpServletRequest, fedizContext);
            AuthnRequest createAuthnRequest = sAMLPRequestBuilder.createAuthnRequest(resolveWTRealm, resolveReply);
            if (((SAMLProtocol) fedizContext.getProtocol()).isSignRequest()) {
                createAuthnRequest.setDestination(str);
            }
            String encodeAuthnRequest = encodeAuthnRequest(OpenSAMLUtil.toDom(createAuthnRequest, createDocument));
            String encode = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
            RequestState requestState = new RequestState();
            requestState.setTargetAddress(resolveReply);
            requestState.setIdpServiceAddress(str);
            requestState.setRequestId(createAuthnRequest.getID());
            requestState.setIssuerId(resolveWTRealm);
            requestState.setWebAppContext(createAuthnRequest.getIssuer().getValue());
            requestState.setState(encode);
            requestState.setCreatedAt(System.currentTimeMillis());
            String encode2 = URLEncoder.encode(encodeAuthnRequest, "UTF-8");
            StringBuilder sb = new StringBuilder();
            sb.append("SAMLRequest").append('=').append(encode2);
            sb.append("&RelayState").append('=').append(encode);
            if (((SAMLProtocol) fedizContext.getProtocol()).isSignRequest()) {
                sb.append("&Signature").append('=').append(signRequest(fedizContext, sb));
            }
            RedirectionResponse redirectionResponse = new RedirectionResponse();
            redirectionResponse.addHeader("Cache-Control", "no-cache, no-store");
            redirectionResponse.addHeader("Pragma", CacheControlServerHttpHeadersWriter.PRAGMA_VALUE);
            redirectionResponse.setRequestState(requestState);
            redirectionResponse.setRedirectionURL(str + "?" + sb.toString());
            return redirectionResponse;
        } catch (Exception e2) {
            LOG.error("Failed to create SignInRequest", (Throwable) e2);
            throw new ProcessingException("Failed to create SignInRequest");
        }
    }

    private String signRequest(FedizContext fedizContext, StringBuilder sb) throws Exception {
        Crypto crypto = fedizContext.getSigningKey().getCrypto();
        if (crypto == null) {
            LOG.debug("No crypto instance of properties file configured for signature");
            throw new ProcessingException("Failed to Sign Request");
        }
        String keyAlias = fedizContext.getSigningKey().getKeyAlias();
        if (keyAlias == null) {
            LOG.debug("No user configured for signature");
            throw new ProcessingException("Failed to Sign Request");
        }
        String keyPassword = fedizContext.getSigningKey().getKeyPassword();
        if (keyPassword == null) {
            LOG.debug("No signature password available");
            throw new ProcessingException("Failed to Sign Request");
        }
        PrivateKey privateKey = crypto.getPrivateKey(keyAlias, keyPassword);
        if (privateKey == null) {
            LOG.debug("No private key available");
            throw new ProcessingException("Failed to Sign Request");
        }
        String str = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
        String str2 = JCAConstants.SIGNATURE_RSA_SHA1;
        LOG.debug("automatic sig algo detection: " + privateKey.getAlgorithm());
        if (privateKey.getAlgorithm().equalsIgnoreCase(JCAConstants.KEY_ALGO_DSA)) {
            str = "http://www.w3.org/2000/09/xmldsig#dsa-sha1";
            str2 = JCAConstants.SIGNATURE_DSA_SHA1;
        }
        LOG.debug("Using Signature algorithm " + str);
        Signature signature = Signature.getInstance(str2);
        signature.initSign(privateKey);
        sb.append("&SigAlg").append('=').append(URLEncoder.encode(str, "UTF-8"));
        signature.update(sb.toString().getBytes(StandardCharsets.UTF_8));
        return URLEncoder.encode(Base64.encode(signature.sign()), "UTF-8");
    }

    protected String encodeAuthnRequest(Element element) throws IOException {
        return Base64.encode(CompressionUtils.deflate(DOM2Writer.nodeToString(element).getBytes(StandardCharsets.UTF_8)));
    }

    @Override // org.apache.cxf.fediz.core.processor.FedizProcessor
    public RedirectionResponse createSignOutRequest(HttpServletRequest httpServletRequest, SamlAssertionWrapper samlAssertionWrapper, FedizContext fedizContext) throws ProcessingException {
        try {
            if (!(fedizContext.getProtocol() instanceof SAMLProtocol)) {
                LOG.error("Unsupported protocol");
                throw new IllegalStateException("Unsupported protocol");
            }
            String issuerLogoutURL = ((SAMLProtocol) fedizContext.getProtocol()).getIssuerLogoutURL();
            if (issuerLogoutURL == null) {
                String resolveIssuer = resolveIssuer(httpServletRequest, fedizContext);
                LOG.info("Issuer url: " + resolveIssuer);
                if (resolveIssuer != null && resolveIssuer.length() > 0) {
                    issuerLogoutURL = resolveIssuer;
                }
            }
            if (issuerLogoutURL == null) {
                LOG.debug("No issuerLogoutURL or issuer parameter specified for logout");
                throw new ProcessingException("Failed to create SignOutRequest");
            }
            SAMLPRequestBuilder sAMLPRequestBuilder = ((SAMLProtocol) fedizContext.getProtocol()).getSAMLPRequestBuilder();
            Document createDocument = DOMUtils.createDocument();
            createDocument.appendChild(createDocument.createElement("root"));
            LogoutRequest createLogoutRequest = sAMLPRequestBuilder.createLogoutRequest(resolveWTRealm(httpServletRequest, fedizContext), "urn:oasis:names:tc:SAML:2.0:logout:user", samlAssertionWrapper);
            if (((SAMLProtocol) fedizContext.getProtocol()).isSignRequest()) {
                createLogoutRequest.setDestination(issuerLogoutURL);
            }
            String encodeAuthnRequest = encodeAuthnRequest(OpenSAMLUtil.toDom(createLogoutRequest, createDocument));
            String encode = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
            String encode2 = URLEncoder.encode(encodeAuthnRequest, "UTF-8");
            StringBuilder sb = new StringBuilder();
            sb.append("SAMLRequest").append('=').append(encode2);
            sb.append("&RelayState").append('=').append(encode);
            if (((SAMLProtocol) fedizContext.getProtocol()).isSignRequest()) {
                sb.append("&Signature").append('=').append(signRequest(fedizContext, sb));
            }
            RedirectionResponse redirectionResponse = new RedirectionResponse();
            redirectionResponse.addHeader("Cache-Control", "no-cache, no-store");
            redirectionResponse.addHeader("Pragma", CacheControlServerHttpHeadersWriter.PRAGMA_VALUE);
            redirectionResponse.setState(encode);
            redirectionResponse.setRedirectionURL(issuerLogoutURL + "?" + sb.toString());
            return redirectionResponse;
        } catch (Exception e) {
            LOG.error("Failed to create SignOutRequest", (Throwable) e);
            throw new ProcessingException("Failed to create SignOutRequest");
        }
    }

    static {
        OpenSAMLUtil.initSamlEngine();
    }
}
