package org.apereo.cas.support.wsfederation;

import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.apereo.cas.support.saml.OpenSamlConfigBean;
import org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential;
import org.apereo.cas.util.DateTimeUtils;
import org.apereo.inspektr.aspect.TraceLogAspect;
import org.aspectj.lang.JoinPoint;
import org.aspectj.runtime.internal.AroundClosure;
import org.aspectj.runtime.internal.Conversions;
import org.aspectj.runtime.reflect.Factory;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.core.xml.io.Unmarshaller;
import org.opensaml.core.xml.schema.XSAny;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.criterion.ProtocolCriterion;
import org.opensaml.saml.saml1.core.Assertion;
import org.opensaml.saml.saml1.core.Attribute;
import org.opensaml.saml.saml1.core.AttributeStatement;
import org.opensaml.saml.saml1.core.Audience;
import org.opensaml.saml.saml1.core.AudienceRestrictionCondition;
import org.opensaml.saml.saml1.core.AuthenticationStatement;
import org.opensaml.saml.saml1.core.Conditions;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.credential.impl.StaticCredentialResolver;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.soap.wsfed.RequestSecurityTokenResponse;
import org.opensaml.soap.wsfed.RequestedSecurityToken;
import org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.stereotype.Component;
import org.w3c.dom.Element;

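/**
 * Helper for consuming a WS-Federation {@code wresult} token: parsing the
 * {@code RequestSecurityTokenResponse} XML into a SAML 1.1 {@link Assertion},
 * checking the assertion signature against the identity provider's configured
 * signing certificates, and copying the assertion's fields into a
 * {@link WsFederationCredential}.
 * <p>
 * This listing is decompiled, AspectJ-woven bytecode: the public methods are
 * trace-logging wrappers (see {@link TraceLogAspect}) around the
 * {@code *_aroundBody*} static methods that hold the real logic. The aspect
 * plumbing ({@code AjcClosure*}, {@code ajc$tjp_*}, {@code ajc$preClinit}) is
 * left untouched.
 * <p>
 * Security notes for callers:
 * <ul>
 *   <li>{@code wresult} is attacker-controlled input (it arrives from the
 *       browser). Nothing in {@link #parseTokenFromString(String)} is trusted
 *       until {@link #validateSignature(Assertion, WsFederationConfiguration)}
 *       has returned {@code true}.</li>
 *   <li>{@link #createCredentialFromToken(Assertion)} only <em>copies</em>
 *       issuer, audience, notBefore/notOnOrAfter onto the credential; it does
 *       not enforce them. NOTE(review): confirm that the consumer of the
 *       credential checks audience, validity window and issuer — that
 *       validation is not visible in this class.</li>
 *   <li>The XML parser comes from {@code configBean.getParserPool()}.
 *       NOTE(review): its DTD / external-entity settings are not visible
 *       here; confirm the pool is configured to reject DTDs (XXE).</li>
 * </ul>
 */
@RefreshScope
@Component("wsFederationHelper")
/* loaded from: input_file:org/apereo/cas/support/wsfederation/WsFederationHelper.class */
public class WsFederationHelper {
    private static final Logger LOGGER;

    @Autowired
    private OpenSamlConfigBean configBean;
    private static final JoinPoint.StaticPart ajc$tjp_0 = null;
    private static final JoinPoint.StaticPart ajc$tjp_1 = null;
    private static final JoinPoint.StaticPart ajc$tjp_2 = null;

    /* loaded from: input_file:org/apereo/cas/support/wsfederation/WsFederationHelper$AjcClosure1.class */
    public class AjcClosure1 extends AroundClosure {
        public AjcClosure1(Object[] objArr) {
            super(objArr);
        }

        public Object run(Object[] objArr) {
            Object[] objArr2 = ((AroundClosure) this).state;
            return WsFederationHelper.createCredentialFromToken_aroundBody0((WsFederationHelper) objArr2[0], (Assertion) objArr2[1], (JoinPoint) objArr2[2]);
        }
    }

    /* loaded from: input_file:org/apereo/cas/support/wsfederation/WsFederationHelper$AjcClosure3.class */
    public class AjcClosure3 extends AroundClosure {
        public AjcClosure3(Object[] objArr) {
            super(objArr);
        }

        public Object run(Object[] objArr) {
            Object[] objArr2 = ((AroundClosure) this).state;
            return WsFederationHelper.parseTokenFromString_aroundBody2((WsFederationHelper) objArr2[0], (String) objArr2[1], (JoinPoint) objArr2[2]);
        }
    }

    /* loaded from: input_file:org/apereo/cas/support/wsfederation/WsFederationHelper$AjcClosure5.class */
    public class AjcClosure5 extends AroundClosure {
        public AjcClosure5(Object[] objArr) {
            super(objArr);
        }

        public Object run(Object[] objArr) {
            Object[] objArr2 = ((AroundClosure) this).state;
            return Conversions.booleanObject(WsFederationHelper.validateSignature_aroundBody4((WsFederationHelper) objArr2[0], (Assertion) objArr2[1], (WsFederationConfiguration) objArr2[2], (JoinPoint) objArr2[3]));
        }
    }

    static {
        ajc$preClinit();
        LOGGER = LoggerFactory.getLogger(WsFederationHelper.class);
    }

    /**
     * Builds a {@link WsFederationCredential} from a parsed assertion.
     * Trace-logging wrapper; the logic lives in
     * {@link #createCredentialFromToken_aroundBody0}.
     *
     * @param assertion the SAML 1.1 assertion; must not be {@code null}
     * @return the populated credential
     * @throws NullPointerException     if {@code assertion} is {@code null}
     * @throws IllegalArgumentException if the assertion has conditions without an
     *                                  audience, or carries no attribute statement
     */
    public WsFederationCredential createCredentialFromToken(Assertion assertion) {
        return (WsFederationCredential) TraceLogAspect.aspectOf().traceMethod(new AjcClosure1(new Object[]{this, assertion, Factory.makeJP(ajc$tjp_0, this, this, assertion)}).linkClosureAndJoinPoint(69648));
    }

    /**
     * Parses a WS-Federation {@code wresult} document and extracts the first
     * security token of the first {@code RequestedSecurityToken} as a SAML 1.1
     * assertion. Trace-logging wrapper; the logic lives in
     * {@link #parseTokenFromString_aroundBody2}.
     *
     * @param str the raw {@code wresult} XML (untrusted)
     * @return the assertion, or {@code null} if the input is blank, malformed,
     *         or does not contain a SAML 1.1 assertion
     */
    public Assertion parseTokenFromString(String str) {
        return (Assertion) TraceLogAspect.aspectOf().traceMethod(new AjcClosure3(new Object[]{this, str, Factory.makeJP(ajc$tjp_1, this, this, str)}).linkClosureAndJoinPoint(69648));
    }

    /**
     * Verifies that the assertion is signed and that the signature validates
     * against one of the configured identity-provider signing certificates.
     * Trace-logging wrapper; the logic lives in
     * {@link #validateSignature_aroundBody4}.
     *
     * @param assertion                 the assertion to check (may be {@code null})
     * @param wsFederationConfiguration the identity-provider configuration
     * @return {@code true} only if a valid, trusted signature is present
     */
    public boolean validateSignature(Assertion assertion, WsFederationConfiguration wsFederationConfiguration) {
        return Conversions.booleanValue(TraceLogAspect.aspectOf().traceMethod(new AjcClosure5(new Object[]{this, assertion, wsFederationConfiguration, Factory.makeJP(ajc$tjp_2, this, this, assertion, wsFederationConfiguration)}).linkClosureAndJoinPoint(69648)));
    }

    /**
     * Builds an explicit-key trust engine over the configured signing
     * certificates. Only keys in that static set are trusted; nothing is
     * resolved from the assertion's own {@code KeyInfo}.
     * <p>
     * NOTE(review): if {@code getSigningCertificates()} is empty the engine
     * trusts nothing and every signature fails closed — verify that the
     * configuration layer rejects an empty certificate list so this does not
     * surface only as a "signature doesn't match" warning.
     *
     * @param wsFederationConfiguration the identity-provider configuration
     * @return a new trust engine
     * @throws RuntimeException if the engine cannot be constructed
     */
    private SignatureTrustEngine buildSignatureTrustEngine(WsFederationConfiguration wsFederationConfiguration) {
        try {
            return new ExplicitKeySignatureTrustEngine(
                    new StaticCredentialResolver(wsFederationConfiguration.getSigningCertificates()),
                    new StaticKeyInfoCredentialResolver(wsFederationConfiguration.getSigningCertificates()));
        } catch (final Exception e) {
            throw new RuntimeException("Unable to build signature trust engine for identity provider ["
                    + wsFederationConfiguration.getIdentityProviderIdentifier() + "]", e);
        }
    }

    /**
     * Returns the URI of the first audience of the first
     * {@code AudienceRestrictionCondition}.
     * <p>
     * The previous implementation indexed {@code get(0)} unguarded, so a token
     * without an audience restriction failed with an opaque
     * {@link IndexOutOfBoundsException}. It still fails closed, but with a
     * message that names the problem.
     *
     * @param conditions the assertion conditions (non-null)
     * @return the audience URI
     * @throws IllegalArgumentException if no audience restriction/audience is present
     */
    private static String firstAudienceUri(final Conditions conditions) {
        final List<AudienceRestrictionCondition> restrictions = conditions.getAudienceRestrictionConditions();
        if (restrictions == null || restrictions.isEmpty()) {
            throw new IllegalArgumentException("Assertion conditions carry no AudienceRestrictionCondition");
        }
        final List<Audience> audiences = restrictions.get(0).getAudiences();
        if (audiences == null || audiences.isEmpty()) {
            throw new IllegalArgumentException("AudienceRestrictionCondition carries no Audience");
        }
        return audiences.get(0).getUri();
    }

    /**
     * Real body of {@link #createCredentialFromToken(Assertion)}.
     * <p>
     * Copies id, issuer, issue instant, validity window, audience and
     * authentication method, then collects attribute values (as text content)
     * from <em>every</em> {@code AttributeStatement}. The previous version
     * read only the first statement and silently dropped the rest; values for
     * an attribute name that appears more than once are now appended rather
     * than overwritten.
     *
     * @param wsFederationHelper the helper instance (unused here)
     * @param assertion          the assertion; must not be {@code null}
     * @param joinPoint          AspectJ join point (unused here)
     * @return the populated credential
     * @throws NullPointerException     if {@code assertion} is {@code null}
     * @throws IllegalArgumentException if conditions are present without an
     *                                  audience, or no attribute statement exists
     */
    static final WsFederationCredential createCredentialFromToken_aroundBody0(WsFederationHelper wsFederationHelper, Assertion assertion, JoinPoint joinPoint) {
        Objects.requireNonNull(assertion, "assertion");
        final ZonedDateTime retrievedOn = ZonedDateTime.now(ZoneOffset.UTC);
        LOGGER.debug("Retrieved on {}", retrievedOn);

        final WsFederationCredential credential = new WsFederationCredential();
        credential.setRetrievedOn(retrievedOn);
        credential.setId(assertion.getID());
        credential.setIssuer(assertion.getIssuer());
        credential.setIssuedOn(DateTimeUtils.zonedDateTimeOf(assertion.getIssueInstant()));

        final Conditions conditions = assertion.getConditions();
        if (conditions != null) {
            credential.setNotBefore(DateTimeUtils.zonedDateTimeOf(conditions.getNotBefore()));
            credential.setNotOnOrAfter(DateTimeUtils.zonedDateTimeOf(conditions.getNotOnOrAfter()));
            credential.setAudience(firstAudienceUri(conditions));
        }
        // With no <Conditions> element the audience and validity window stay
        // unset on the credential; whoever validates the credential must treat
        // that as a rejection, not as "unrestricted".

        final List<AuthenticationStatement> authnStatements = assertion.getAuthenticationStatements();
        if (!authnStatements.isEmpty()) {
            credential.setAuthenticationMethod(authnStatements.get(0).getAuthenticationMethod());
        }

        final List<AttributeStatement> attributeStatements = assertion.getAttributeStatements();
        if (attributeStatements.isEmpty()) {
            throw new IllegalArgumentException("Assertion [" + assertion.getID() + "] carries no AttributeStatement");
        }
        final Map<String, List<Object>> attributes = new HashMap<>();
        for (final AttributeStatement statement : attributeStatements) {
            for (final Attribute attribute : statement.getAttributes()) {
                final String name = attribute.getAttributeName();
                LOGGER.debug("Processed attribute: {}", name);
                final List<Object> values = new ArrayList<>();
                // Values are expected to be xs:anyType; any other XMLObject type
                // fails with a ClassCastException, as before (fail loudly rather
                // than silently dropping a value).
                for (final Object value : attribute.getAttributeValues()) {
                    values.add(((XSAny) value).getTextContent());
                }
                if (!values.isEmpty()) {
                    attributes.computeIfAbsent(name, k -> new ArrayList<>()).addAll(values);
                }
            }
        }
        credential.setAttributes(attributes);
        // Debug only: the credential toString may include attribute values.
        LOGGER.debug("Credential: {}", credential);
        return credential;
    }

    /**
     * Real body of {@link #parseTokenFromString(String)}.
     * <p>
     * Every failure path returns {@code null} (the original contract) and
     * logs at WARN; the exception is now attached to the log record instead of
     * only its message. Structural checks that previously surfaced as
     * {@code IndexOutOfBoundsException}/{@code ClassCastException} (caught and
     * turned into {@code null}) are now explicit.
     *
     * @param wsFederationHelper the helper, for the OpenSAML parser/unmarshaller
     * @param str                the raw {@code wresult} XML (untrusted)
     * @param joinPoint          AspectJ join point (unused here)
     * @return the assertion, or {@code null} on any parse/structure failure
     */
    static final Assertion parseTokenFromString_aroundBody2(WsFederationHelper wsFederationHelper, String str, JoinPoint joinPoint) {
        if (str == null || str.trim().isEmpty()) {
            LOGGER.warn("No wresult token was provided; nothing to parse");
            return null;
        }
        try (ByteArrayInputStream in = new ByteArrayInputStream(str.getBytes(StandardCharsets.UTF_8))) {
            final Element root = wsFederationHelper.configBean.getParserPool().parse(in).getDocumentElement();
            final Unmarshaller unmarshaller = wsFederationHelper.configBean.getUnmarshallerFactory().getUnmarshaller(root);
            if (unmarshaller == null) {
                LOGGER.warn("Unmarshaller for the wresult root element [{}] cannot be determined", root.getLocalName());
                return null;
            }
            final Object response = unmarshaller.unmarshall(root);
            if (!(response instanceof RequestSecurityTokenResponse)) {
                LOGGER.warn("wresult root element [{}] is not a RequestSecurityTokenResponse", root.getLocalName());
                return null;
            }
            final List<RequestedSecurityToken> requested = ((RequestSecurityTokenResponse) response).getRequestedSecurityToken();
            if (requested == null || requested.isEmpty()) {
                LOGGER.warn("RequestSecurityTokenResponse carries no RequestedSecurityToken");
                return null;
            }
            final List<?> tokens = requested.get(0).getSecurityTokens();
            if (tokens == null || tokens.isEmpty()) {
                LOGGER.warn("RequestedSecurityToken carries no security token");
                return null;
            }
            // Only the first token is consumed, as before; additional tokens are ignored.
            final Object token = tokens.get(0);
            if (!(token instanceof Assertion)) {
                LOGGER.warn("Security token is not a SAML 1.1 Assertion: [{}]", token.getClass().getName());
                return null;
            }
            final Assertion assertion = (Assertion) token;
            LOGGER.debug("Assertion: {}", assertion);
            return assertion;
        } catch (final Exception e) {
            // Parser messages may quote fragments of the (untrusted) input; kept at WARN.
            LOGGER.warn("Unable to parse wresult token: {}", e.getMessage(), e);
            return null;
        }
    }

    /**
     * Real body of {@link #validateSignature(Assertion, WsFederationConfiguration)}.
     * <p>
     * Order of checks: (1) an unsigned assertion is rejected outright;
     * (2) {@link SAMLSignatureProfileValidator} enforces the SAML signature
     * profile (enveloped signature over the assertion itself, no foreign
     * references); (3) the signature is verified by an explicit-key trust
     * engine over the configured certificates. Any exception is treated as
     * "not trusted" and logged — this method never throws for a bad token.
     * <p>
     * NOTE(review): the criteria set names the SAML 2.0 protocol and the
     * IDPSSODescriptor role although this is a SAML 1.1 assertion; with a
     * {@link StaticCredentialResolver} the criteria presumably do not narrow the
     * candidate keys, so they are kept only for compatibility — confirm.
     *
     * @param wsFederationHelper        the helper, for the trust engine
     * @param assertion                 the assertion (may be {@code null})
     * @param wsFederationConfiguration the identity-provider configuration
     * @param joinPoint                 AspectJ join point (unused here)
     * @return {@code true} only if the signature is present, profile-valid and trusted
     */
    static final boolean validateSignature_aroundBody4(WsFederationHelper wsFederationHelper, Assertion assertion, WsFederationConfiguration wsFederationConfiguration, JoinPoint joinPoint) {
        if (assertion == null) {
            LOGGER.warn("No assertion was provided to validate signatures");
            return false;
        }
        if (assertion.getSignature() == null) {
            // Fail closed: an unsigned assertion is never trusted.
            LOGGER.warn("Assertion [{}] carries no signature; rejecting", assertion.getID());
            return false;
        }
        boolean trusted = false;
        try {
            new SAMLSignatureProfileValidator().validate(assertion.getSignature());

            final CriteriaSet criteriaSet = new CriteriaSet();
            criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
            criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
            criteriaSet.add(new ProtocolCriterion("urn:oasis:names:tc:SAML:2.0:protocol"));
            criteriaSet.add(new EntityIdCriterion(wsFederationConfiguration.getIdentityProviderIdentifier()));

            trusted = wsFederationHelper.buildSignatureTrustEngine(wsFederationConfiguration)
                    .validate(assertion.getSignature(), criteriaSet);
        } catch (final SignatureException e) {
            // Profile violation (or a signature-level failure from the engine).
            LOGGER.warn("Failed to validate assertion signature", e);
        } catch (final SecurityException e) {
            // Trust-engine failure; treated as untrusted.
            LOGGER.warn(e.getMessage(), e);
        }
        if (!trusted) {
            LOGGER.warn("Signature doesn't match any signing credential.");
        }
        return trusted;
    }

    private static void ajc$preClinit() {
        Factory factory = new Factory("WsFederationHelper.java", WsFederationHelper.class);
        ajc$tjp_0 = factory.makeSJP("method-execution", factory.makeMethodSig("1", "createCredentialFromToken", "org.apereo.cas.support.wsfederation.WsFederationHelper", "org.opensaml.saml.saml1.core.Assertion", "assertion", "", "org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential"), 76);
        ajc$tjp_1 = factory.makeSJP("method-execution", factory.makeMethodSig("1", "parseTokenFromString", "org.apereo.cas.support.wsfederation.WsFederationHelper", "java.lang.String", "wresult", "", "org.opensaml.saml.saml1.core.Assertion"), 124);
        ajc$tjp_2 = factory.makeSJP("method-execution", factory.makeMethodSig("1", "validateSignature", "org.apereo.cas.support.wsfederation.WsFederationHelper", "org.opensaml.saml.saml1.core.Assertion:org.apereo.cas.support.wsfederation.WsFederationConfiguration", "assertion:wsFederationConfiguration", "", "boolean"), 160);
    }
}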
