package com.sun.identity.wss.sts;

import com.iplanet.sso.SSOToken;
import com.sun.identity.classloader.FAMClassLoader;
import com.sun.identity.common.SystemConfigurationUtil;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.shared.jaxrpc.SOAPClient;
import com.sun.identity.shared.xml.XMLUtils;
import com.sun.identity.wss.logging.LogUtil;
import com.sun.identity.wss.provider.ProviderConfig;
import com.sun.identity.wss.provider.STSConfig;
import com.sun.identity.wss.provider.TrustAuthorityConfig;
import com.sun.identity.wss.security.AssertionToken;
import com.sun.identity.wss.security.FAMSecurityToken;
import com.sun.identity.wss.security.SAML2Token;
import com.sun.identity.wss.security.SecurityException;
import com.sun.identity.wss.security.SecurityMechanism;
import com.sun.identity.wss.security.SecurityToken;
import com.sun.identity.wss.security.UserNameToken;
import com.sun.identity.wss.security.handler.SOAPRequestHandler;
import com.sun.identity.wss.trust.BinarySecret;
import com.sun.identity.wss.trust.ClaimType;
import com.sun.identity.wss.trust.RequestSecurityToken;
import com.sun.identity.wss.trust.RequestSecurityTokenResponse;
import com.sun.identity.wss.trust.RequestedProofToken;
import com.sun.identity.wss.trust.WSTException;
import com.sun.identity.wss.trust.WSTrustFactory;
import com.sun.identity.xmlenc.EncryptionConstants;
import java.security.Key;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import javax.servlet.ServletContext;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPMessage;
import org.w3c.dom.Element;

/* loaded from: input_file:WEB-INF/lib/openam-clientsdk-15.0.3.jar:com/sun/identity/wss/sts/TrustAuthorityClient.class */
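/**
 * Client-side entry point for obtaining a {@link SecurityToken} from a trust authority.
 *
 * <p>Only the STS mechanism ({@link SecurityMechanism#STS_SECURITY_URI}) is implemented;
 * the Liberty discovery-service mechanism is recognised but rejected with an
 * "unsupportedoperation" {@link FAMSTSException}. The STS exchange is done over one of
 * two transports, chosen by the system property
 * {@code com.sun.identity.wss.trustclient.enablemetro} (default {@code "true"}):
 * <ul>
 *   <li>the Metro-based {@code com.sun.identity.wss.sts.TrustAuthorityClientImpl}, loaded
 *       reflectively through the {@link FAMClassLoader} built from {@link #jars}, or</li>
 *   <li>a built-in WS-Trust client that assembles the RequestSecurityToken itself, secures
 *       it with {@link SOAPRequestHandler} and posts it with {@link SOAPClient}.</li>
 * </ul>
 *
 * <p>Thread-safety: instances are not thread-safe. The built-in transport stores the
 * proof-token secret returned by the STS in {@code secretKey}, and {@link #getSecretKey()}
 * returns whatever the most recent call on this instance stored there.
 */
public class TrustAuthorityClient {
    /**
     * Lazily resolved class of the {@link ClientUserToken} plugin, see
     * {@link #getClientUserToken(Object)}. The unsynchronised lazy init can race; the
     * worst case is that two threads resolve the same class name twice.
     */
    private static Class<?> clientTokenClass;
    // Agent attribute holding the configured key type ("PublicKey"/"SymmetricKey").
    private static final String KEYTYPE = "KeyType";
    private static final String SYMMETRIC_KEY = "SymmetricKey";
    // Token-type identifiers returned by getTokenType() and understood by createSecurityToken().
    private static final String SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    private static final String SAML1_ASSERTION_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    private static final String SAML11_TOKEN_TYPE =
            "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
    // WS-Trust Issue request types for the 1.3 (200512) and 1.0 (2005/02) namespaces.
    private static final String WST13_ISSUE_REQUEST_TYPE = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue";
    private static final String WST10_ISSUE_REQUEST_TYPE = "http://schemas.xmlsoap.org/ws/2005/02/trust/Issue";
    /**
     * Raw proof-token secret from the last RequestSecurityTokenResponse that carried a
     * BinarySecret (built-in transport only). Exposed as an AES key by {@link #getSecretKey()}.
     */
    private byte[] secretKey;
    private static final Debug debug = STSUtils.debug;
    /**
     * Jars handed to {@link FAMClassLoader#getFAMClassLoader} when the Metro transport is
     * used. Public and mutable for historical reasons; callers may replace entries before the
     * first STS call.
     */
    public static String[] jars = {"webservices-api.jar", "webservices-rt.jar", "webservices-tools.jar", "webservices-extra-api.jar", "webservices-extra.jar", "openssoclientsdk.jar", "openssowssproviders.jar", "xalan.jar", "xercesImpl.jar"};

    /**
     * Obtains a security token using the STS settings of a provider configuration.
     *
     * @param providerConfig the WSC/WSP configuration; its trust-authority config must be an
     *        {@link STSConfig}, and its first security mechanism selects the trust protocol
     * @param obj the caller's credential (for example an {@link SSOToken}); may be {@code null}
     * @return the issued token, or {@code null} when no security mechanism is configured or the
     *         configured mechanism is not supported
     * @throws FAMSTSException if the trust-authority configuration is invalid or the exchange fails
     */
    public SecurityToken getSecurityToken(ProviderConfig providerConfig, Object obj) throws FAMSTSException {
        return getSecurityToken(providerConfig, null, null, null, obj, null, null, null);
    }

    /**
     * Obtains a security token using the STS settings of a provider configuration, with a
     * servlet context used to build the Metro class loader.
     *
     * @param providerConfig the WSC/WSP configuration, see {@link #getSecurityToken(ProviderConfig, Object)}
     * @param obj the caller's credential; may be {@code null}
     * @param servletContext servlet context passed to {@link FAMClassLoader}; may be {@code null}
     * @return the issued token, or {@code null} as described in {@link #getSecurityToken(ProviderConfig, Object)}
     * @throws FAMSTSException if the trust-authority configuration is invalid or the exchange fails
     */
    public SecurityToken getSecurityToken(ProviderConfig providerConfig, Object obj, ServletContext servletContext) throws FAMSTSException {
        return getSecurityToken(providerConfig, null, null, null, obj, null, null, servletContext);
    }

    /**
     * Obtains a security token from an explicitly addressed STS. The STS agent
     * configuration is looked up by endpoint through {@link STSUtils#getAgentAttributes}.
     *
     * @param str the web service provider endpoint the token applies to
     * @param str2 the STS endpoint
     * @param str3 the STS metadata-exchange (MEX) endpoint
     * @param obj the caller's credential; may be {@code null}
     * @param str4 the security mechanism URI selecting the trust protocol
     * @param servletContext servlet context passed to {@link FAMClassLoader}; may be {@code null}
     * @return the issued token, or {@code null} if the mechanism is not supported
     * @throws FAMSTSException if the exchange fails
     */
    public SecurityToken getSecurityToken(String str, String str2, String str3, Object obj, String str4, ServletContext servletContext) throws FAMSTSException {
        return getSecurityToken(null, str, str2, str3, obj, str4, null, servletContext);
    }

    /**
     * Obtains a security token of a requested type from an explicitly addressed STS.
     *
     * @param str the web service provider endpoint the token applies to
     * @param str2 the STS endpoint
     * @param str3 the STS metadata-exchange (MEX) endpoint
     * @param obj the caller's credential; may be {@code null}
     * @param str4 the security mechanism URI selecting the trust protocol
     * @param str5 the WS-Trust token type to request; may be {@code null}
     * @param servletContext servlet context passed to {@link FAMClassLoader}; may be {@code null}
     * @return the issued token, or {@code null} if the mechanism is not supported
     * @throws FAMSTSException if the exchange fails
     */
    public SecurityToken getSecurityToken(String str, String str2, String str3, Object obj, String str4, String str5, ServletContext servletContext) throws FAMSTSException {
        return getSecurityToken(null, str, str2, str3, obj, str4, str5, servletContext);
    }

    /**
     * Resolves the WS-Trust parameters (endpoints, key type, protocol version, claims, agent
     * name) either from {@code providerConfig} or, when that is {@code null}, from the STS
     * agent attributes keyed by {@code stsEndpoint}, then dispatches on the security mechanism.
     *
     * @return the issued token, or {@code null} when the mechanism is missing or unsupported
     * @throws FAMSTSException if the trust-authority config is not an {@link STSConfig} or the
     *         exchange fails
     */
    private SecurityToken getSecurityToken(ProviderConfig providerConfig, String wspEndpoint,
            String stsEndpoint, String stsMexEndpoint, Object credential, String securityMechanism,
            String tokenType, ServletContext servletContext) throws FAMSTSException {
        String stsAgentName;
        String wstVersion;
        String keyType;
        List<ClaimType> claims = null;
        if (providerConfig != null) {
            List securityMechanisms = providerConfig.getSecurityMechanisms();
            if (securityMechanisms == null || securityMechanisms.isEmpty()) {
                if (debug.messageEnabled()) {
                    debug.message("TrustAuthorityClient.getSecurityToken::Security Mechanisms are not configured");
                }
                return null;
            }
            // The provider's first configured mechanism overrides whatever the caller passed.
            securityMechanism = (String) securityMechanisms.get(0);
            TrustAuthorityConfig taConfig = providerConfig.getTrustAuthorityConfig();
            if (!(taConfig instanceof STSConfig)) {
                throw new FAMSTSException(STSUtils.bundle.getString("invalidtaconfig"));
            }
            STSConfig stsConfig = (STSConfig) taConfig;
            stsAgentName = stsConfig.getName();
            stsEndpoint = stsConfig.getEndpoint();
            stsMexEndpoint = stsConfig.getMexEndpoint();
            // May be null; it is passed through unchanged to WSTrustFactory.newInstance().
            wstVersion = stsConfig.getProtocolVersion();
            List stsMechanisms = stsConfig.getSecurityMech();
            String stsMechanism = (stsMechanisms == null || stsMechanisms.isEmpty())
                    ? null : (String) stsMechanisms.get(0);
            keyType = resolveKeyType(stsConfig.getKeyType(), wstVersion, isBearerMechanism(stsMechanism));
            List<String> requestedClaims = stsConfig.getRequestedClaims();
            if (requestedClaims != null && !requestedClaims.isEmpty()) {
                claims = getClaims(requestedClaims);
            }
            wspEndpoint = providerConfig.getWSPEndpoint();
        } else {
            Map agentAttributes = STSUtils.getAgentAttributes(stsEndpoint, "STSEndpoint", null, TrustAuthorityConfig.STS_TRUST_AUTHORITY);
            stsAgentName = (String) agentAttributes.get("Name");
            wstVersion = firstValue(agentAttributes, STSConstants.WST_VERSION_ATTR);
            if (wstVersion == null || wstVersion.length() == 0) {
                wstVersion = STSConstants.WST_VERSION_13;
            }
            String configuredKeyType = firstValue(agentAttributes, KEYTYPE);
            if (configuredKeyType == null) {
                configuredKeyType = STSConstants.PUBLIC_KEY;
            }
            boolean bearer = isBearerMechanism(firstValue(agentAttributes, "SecurityMech"));
            keyType = resolveKeyType(configuredKeyType, wstVersion, bearer);
            Set requestedClaims = (Set) agentAttributes.get("RequestedClaims");
            if (requestedClaims != null && !requestedClaims.isEmpty()) {
                claims = getClaims(new ArrayList<String>(requestedClaims));
            }
        }
        if (securityMechanism == null) {
            // Reachable only via the endpoint-based overloads when the caller passes no mechanism.
            debug.error("TrustAuthorityClient.getSecurityToken: security mechanism is null");
            return null;
        }
        if (securityMechanism.equals(SecurityMechanism.STS_SECURITY_URI)) {
            boolean useMetro = Boolean.parseBoolean(
                    SystemConfigurationUtil.getProperty("com.sun.identity.wss.trustclient.enablemetro", "true"));
            if (useMetro) {
                return getSTSToken(wspEndpoint, stsEndpoint, stsMexEndpoint, credential, keyType, tokenType, wstVersion, servletContext);
            }
            return getSTSToken(wspEndpoint, stsEndpoint, stsMexEndpoint, credential, keyType, tokenType, claims, wstVersion, stsAgentName);
        }
        if (securityMechanism.equals(SecurityMechanism.LIBERTY_DS_SECURITY_URI)) {
            return getLibertyToken(providerConfig, credential);
        }
        debug.error("TrustAuthorityClient.getSecurityTokenInvalid security mechanism to get token from TA");
        return null;
    }

    /**
     * Returns the first element of the {@link Set}-valued agent attribute {@code key}, or
     * {@code null} when the attribute is absent or empty.
     */
    private static String firstValue(Map agentAttributes, String key) {
        Set values = (Set) agentAttributes.get(key);
        if (values == null || values.isEmpty()) {
            return null;
        }
        return (String) values.iterator().next();
    }

    /**
     * Tells whether the STS's own security mechanism is one for which a bearer key type
     * must be requested (no client key to prove possession of).
     */
    private static boolean isBearerMechanism(String mechanism) {
        if (mechanism == null) {
            return false;
        }
        return mechanism.equals(SecurityMechanism.WSS_NULL_KERBEROS_TOKEN_URI)
                || mechanism.equals(SecurityMechanism.WSS_NULL_USERNAME_TOKEN_PLAIN_URI)
                || mechanism.equals(SecurityMechanism.WSS_NULL_USERNAME_TOKEN_URI)
                || mechanism.equals(SecurityMechanism.WSS_NULL_SAML2_SV_URI)
                || mechanism.equals(SecurityMechanism.WSS_NULL_SAML_SV_URI)
                || mechanism.equals(SecurityMechanism.STS_SECURITY_URI);
    }

    /**
     * Maps the configured key type and protocol version to the WS-Trust KeyType URI.
     * Bearer wins over symmetric, which wins over public; "1.0" selects the WS-Trust 1.0
     * URIs, anything else (including {@code null}) the 1.3 URIs.
     */
    private static String resolveKeyType(String configuredKeyType, String wstVersion, boolean bearer) {
        boolean wst10 = "1.0".equals(wstVersion);
        if (bearer) {
            return wst10 ? STSConstants.WST10_BEARER_KEY : STSConstants.WST13_BEARER_KEY;
        }
        if (SYMMETRIC_KEY.equals(configuredKeyType)) {
            return wst10 ? STSConstants.WST10_SYMMETRIC_KEY : STSConstants.WST13_SYMMETRIC_KEY;
        }
        return wst10 ? STSConstants.WST10_PUBLIC_KEY : STSConstants.WST13_PUBLIC_KEY;
    }

    /**
     * Not supported by this client.
     *
     * @throws FAMSTSException always
     */
    public SecurityToken renewIssuedToken(SecurityToken securityToken, ProviderConfig providerConfig, Object obj) throws FAMSTSException {
        throw new FAMSTSException("unsupported");
    }

    /**
     * Not supported by this client.
     *
     * @throws FAMSTSException always
     */
    public boolean cancelIssuedToken(SecurityToken securityToken, ProviderConfig providerConfig) throws FAMSTSException {
        throw new FAMSTSException("unsupported");
    }

    /**
     * Obtains a token through the Metro-based {@code TrustAuthorityClientImpl}, loaded via
     * the {@link FAMClassLoader} and invoked reflectively. The thread's context class loader
     * is switched to that loader for the duration of the call and always restored.
     *
     * <p>Every failure inside the call, including {@link FAMSTSException}s for an unusable
     * token type, is logged and rethrown as the "wstrustexception" {@link FAMSTSException}.
     *
     * @param wspEndpoint endpoint the token applies to
     * @param stsEndpoint STS endpoint
     * @param stsMexEndpoint STS MEX endpoint
     * @param credential caller credential; logged as subject when it is an {@link SSOToken}
     * @param keyType WS-Trust KeyType URI
     * @param tokenType requested token type; may be {@code null}
     * @param wstVersion WS-Trust protocol version
     * @param servletContext passed to {@link FAMClassLoader}; may be {@code null}
     * @return the issued token
     * @throws FAMSTSException if the token cannot be obtained or is of an unsupported type
     */
    private SecurityToken getSTSToken(String wspEndpoint, String stsEndpoint, String stsMexEndpoint,
            Object credential, String keyType, String tokenType, String wstVersion,
            ServletContext servletContext) throws FAMSTSException {
        if (debug.messageEnabled()) {
            debug.message("TrustAuthorityClient.getSTSToken:: stsEndpoint : " + stsEndpoint);
            debug.message("TrustAuthorityClient.getSTSToken:: stsMexAddress : " + stsMexEndpoint);
            debug.message("TrustAuthorityClient.getSTSToken:: wsp end point : " + wspEndpoint);
            debug.message("TrustAuthorityClient.getSTSToken:: keyType : " + keyType);
        }
        Thread current = Thread.currentThread();
        ClassLoader originalLoader = current.getContextClassLoader();
        try {
            ClassLoader famLoader = FAMClassLoader.getFAMClassLoader(servletContext, jars);
            current.setContextClassLoader(famLoader);
            Object impl = famLoader.loadClass("com.sun.identity.wss.sts.TrustAuthorityClientImpl")
                    .getConstructor().newInstance();
            Element element = (Element) impl.getClass()
                    .getDeclaredMethod("getSTSTokenElement", String.class, String.class, String.class,
                            Object.class, String.class, String.class, String.class)
                    .invoke(impl, wspEndpoint, stsEndpoint, stsMexEndpoint, credential, keyType, tokenType, wstVersion);
            String resolvedTokenType = getTokenType(element);
            if (debug.messageEnabled()) {
                debug.message("TrustAuthorityClient.getSTSToken:: Token type : " + resolvedTokenType);
                // NOTE: this writes the complete issued token (possibly a bearer credential) to
                // the debug log; message-level debug should stay off outside troubleshooting.
                debug.message("TrustAuthorityClient.getSTSToken:: Token obtained from STS : " + XMLUtils.print(element));
            }
            if (LogUtil.isLogEnabled()) {
                if (credential instanceof SSOToken) {
                    LogUtil.access(Level.INFO, LogUtil.SUCCESS_RETRIEVING_TOKEN_FROM_STS,
                            new String[]{wspEndpoint, stsEndpoint, stsMexEndpoint, credential.toString(), keyType, tokenType}, credential);
                } else {
                    LogUtil.access(Level.INFO, LogUtil.SUCCESS_RETRIEVING_TOKEN_FROM_STS,
                            new String[]{wspEndpoint, stsEndpoint, stsMexEndpoint, null, keyType, tokenType}, null);
                }
            }
            return createSecurityToken(resolvedTokenType, element);
        } catch (Exception e) {
            debug.error("TrustAuthorityClient.getSTSToken:: Failed inobtainining STS Token : ", e);
            String[] logArgs = {e.getLocalizedMessage()};
            LogUtil.error(Level.INFO, LogUtil.ERROR_RETRIEVING_TOKEN_FROM_STS, logArgs, null);
            LogUtil.error(Level.SEVERE, LogUtil.ERROR_RETRIEVING_TOKEN_FROM_STS, logArgs, null);
            throw new FAMSTSException(STSUtils.bundle.getString("wstrustexception"));
        } finally {
            // Restore on every path (normal return, wrapped exception, Error).
            current.setContextClassLoader(originalLoader);
        }
    }

    /**
     * Liberty discovery-service tokens are not supported by this client.
     *
     * @throws FAMSTSException always, with the "unsupportedoperation" bundle message
     */
    private SecurityToken getLibertyToken(ProviderConfig providerConfig, Object obj) throws FAMSTSException {
        throw new FAMSTSException(STSUtils.bundle.getString("unsupportedoperation"));
    }

    /**
     * Classifies an issued token element by local name and namespace.
     *
     * @return {@link #SAML2_ASSERTION_NS} for a SAML 2.0 assertion, {@link #SAML11_TOKEN_TYPE}
     *         for a SAML 1.x assertion, {@link SecurityToken#WSS_USERNAME_TOKEN},
     *         {@link SecurityToken#WSS_FAM_SSO_TOKEN}, a "NOT IMPLEMENTED" marker string for
     *         any other element name, or {@code null} for an assertion in an unknown namespace
     * @throws FAMSTSException if the element has no local name
     */
    private String getTokenType(Element element) throws FAMSTSException {
        String localName = element.getLocalName();
        if (localName == null) {
            throw new FAMSTSException(STSUtils.bundle.getString("invalidelementname"));
        }
        if (!localName.equals(STSConstants.ASSERTION_ELEMENT)) {
            if ("UsernameToken".equals(localName)) {
                return SecurityToken.WSS_USERNAME_TOKEN;
            }
            if ("FAMToken".equals(localName)) {
                return SecurityToken.WSS_FAM_SSO_TOKEN;
            }
            // Deliberately not null: createSecurityToken() reports it as an unsupported type.
            return "getTokenType:NOT IMPLEMENTED TOKEN TYPE";
        }
        String namespaceURI = element.getNamespaceURI();
        if (SAML2_ASSERTION_NS.equals(namespaceURI)) {
            return SAML2_ASSERTION_NS;
        }
        if (SAML1_ASSERTION_NS.equals(namespaceURI)) {
            return SAML11_TOKEN_TYPE;
        }
        return null;
    }

    /**
     * Wraps a token element in the {@link SecurityToken} implementation matching
     * {@code tokenType} as produced by {@link #getTokenType(Element)}.
     *
     * <p>Declared {@code throws Exception} because the token constructors' checked exceptions
     * are declared in the security package; both callers sit inside a {@code catch (Exception)}
     * and translate to {@link FAMSTSException}.
     *
     * @throws FAMSTSException if {@code tokenType} is {@code null} or not one of the four known types
     */
    private static SecurityToken createSecurityToken(String tokenType, Element element) throws Exception {
        if (tokenType == null) {
            throw new FAMSTSException(STSUtils.bundle.getString("nulltokentype"));
        }
        if (tokenType.equals(SAML2_ASSERTION_NS)) {
            return new SAML2Token(element);
        }
        if (tokenType.equals(SAML11_TOKEN_TYPE)) {
            return new AssertionToken(element);
        }
        if (tokenType.equals(SecurityToken.WSS_FAM_SSO_TOKEN)) {
            return new FAMSecurityToken(element);
        }
        if (tokenType.equals(SecurityToken.WSS_USERNAME_TOKEN)) {
            return new UserNameToken(element);
        }
        throw new FAMSTSException(STSUtils.bundle.getString("unsupportedtokentype"));
    }

    /**
     * Built-in WS-Trust transport: builds an Issue RequestSecurityToken, sends it to the
     * STS and parses the returned token. If the response carries a BinarySecret proof
     * token its secret is kept in {@code secretKey} for {@link #getSecretKey()}.
     *
     * @param wspEndpoint AppliesTo endpoint
     * @param stsEndpoint STS endpoint the request is posted to
     * @param stsMexEndpoint STS MEX endpoint (unused by this transport)
     * @param credential caller credential; when non-null it is converted to an OnBehalfOf element
     * @param keyType WS-Trust KeyType URI
     * @param tokenType requested token type
     * @param claims requested claims; may be {@code null} or empty
     * @param wstVersion WS-Trust protocol version selecting the factory and request type
     * @param stsAgentName STS agent name used as provider name for request security
     * @return the issued token
     * @throws FAMSTSException if the request cannot be built, sent or parsed
     */
    private SecurityToken getSTSToken(String wspEndpoint, String stsEndpoint, String stsMexEndpoint,
            Object credential, String keyType, String tokenType, List<ClaimType> claims,
            String wstVersion, String stsAgentName) throws FAMSTSException {
        try {
            if (debug.messageEnabled()) {
                debug.message("TrustAuthorityClient.getSTSToken: WS-Trust Parameters: STSEndpoint = " + stsEndpoint + " keyType = " + keyType + " tokenType = " + tokenType + " wstVersion = " + wstVersion + " STSAgentName = " + stsAgentName);
            }
            RequestSecurityToken rst = WSTrustFactory.newInstance(wstVersion).createRequestSecurityToken();
            rst.setAppliesTo(wspEndpoint);
            rst.setKeyType(keyType);
            rst.setRequestType(STSConstants.WST_VERSION_13.equals(wstVersion)
                    ? WST13_ISSUE_REQUEST_TYPE : WST10_ISSUE_REQUEST_TYPE);
            if (credential != null) {
                rst.setOnBehalfOf(getClientUserToken(credential));
            }
            rst.setTokenType(tokenType);
            if (claims != null && !claims.isEmpty()) {
                rst.setClaimTypes(claims);
            }
            RequestSecurityTokenResponse rstr = getTrustResponse(rst, stsEndpoint, stsAgentName, wstVersion, credential);
            RequestedProofToken proofToken = rstr.getRequestedProofToken();
            if (proofToken != null && proofToken.getProofToken() instanceof BinarySecret) {
                // Raw key material; held only as long as this instance lives.
                this.secretKey = ((BinarySecret) proofToken.getProofToken()).getSecret();
            }
            return parseSecurityToken((Element) rstr.getRequestedSecurityToken().getFirstChild());
        } catch (WSTException e) {
            debug.error("TrustAuthorityClient.getSTSToken: Failed in  retrieving Token from STS", e);
            throw new FAMSTSException(e.getMessage());
        }
    }

    /**
     * Embeds the RST in a SOAP envelope, secures it with {@link SOAPRequestHandler} using
     * the STS agent as provider, posts it, validates the response security and extracts
     * the RequestSecurityTokenResponse.
     *
     * @param rst the request to send
     * @param stsEndpoint STS endpoint
     * @param stsAgentName provider name / WSDL service name for the request handler
     * @param wstVersion WS-Trust protocol version
     * @param credential added to the subject's private credentials when non-null
     * @throws FAMSTSException if no envelope can be prepared or any SOAP, security or WS-Trust error occurs
     */
    private RequestSecurityTokenResponse getTrustResponse(RequestSecurityToken rst, String stsEndpoint,
            String stsAgentName, String wstVersion, Object credential) throws FAMSTSException {
        SOAPMessage request = STSUtils.prepareSOAPMessage(stsEndpoint, wstVersion);
        if (request == null) {
            throw new FAMSTSException("nullElement");
        }
        try {
            request.getSOAPBody().appendChild(request.getSOAPPart().importNode(rst.toDOMElement(), true));
            SOAPRequestHandler handler = new SOAPRequestHandler();
            Map<String, Object> handlerConfig = new HashMap<String, Object>();
            handlerConfig.put("providername", stsAgentName);
            handlerConfig.put("javax.xml.ws.wsdl.service", new QName(stsAgentName));
            handler.init(handlerConfig);
            Subject subject = new Subject();
            if (credential != null) {
                subject.getPrivateCredentials().add(credential);
            }
            SOAPMessage response = getSOAPResponse(handler.secureRequest(request, subject, handlerConfig), stsEndpoint);
            // Response security (signatures etc.) is checked before anything is read from it.
            handler.validateResponse(response, handlerConfig);
            return getRequestSecurityTokenResponse(response, wstVersion);
        } catch (SOAPException e) {
            debug.error("TrustAuthorityClient.getTrustResponse:  SOAP Exception", e);
            throw new FAMSTSException(e.getMessage());
        } catch (SecurityException e2) {
            debug.error("TrustAuthorityClient.getTrustResponse:  SecurityException", e2);
            throw new FAMSTSException(e2.getMessage());
        } catch (WSTException e3) {
            debug.error("TrustAuthorityClient.getTrustResponse:  WST Exception", e3);
            throw new FAMSTSException(e3.getMessage());
        }
    }

    /**
     * Posts the serialised SOAP request to {@code stsEndpoint} and parses the reply.
     * The {@link SOAPException} handler must precede the generic one, otherwise javac
     * rejects it as unreachable.
     *
     * @throws FAMSTSException wrapping any failure of the call or of response parsing
     */
    private SOAPMessage getSOAPResponse(SOAPMessage request, String stsEndpoint) throws FAMSTSException {
        try {
            SOAPClient client = new SOAPClient();
            client.setURL(stsEndpoint);
            return STSUtils.createSOAPMessage(client.call(XMLUtils.print(request.getSOAPPart(), "UTF-8"), null, null));
        } catch (SOAPException e2) {
            debug.error("TrustAutorityClient.getSOAPResponse:  soap exception", e2);
            throw new FAMSTSException(e2.getMessage());
        } catch (Exception e) {
            debug.error("TrustAutorityClient.getSOAPResponse:   exception", e);
            throw new FAMSTSException(e.getMessage());
        }
    }

    /**
     * Extracts the RequestSecurityTokenResponse from the SOAP body: either a bare RSTR or
     * the first entry of a RequestSecurityTokenResponseCollection.
     *
     * @throws FAMSTSException if the body is empty ("nullElement"), the collection is empty
     *         ("nullElements"), or parsing fails
     */
    private RequestSecurityTokenResponse getRequestSecurityTokenResponse(SOAPMessage response, String wstVersion) throws FAMSTSException {
        try {
            // Assumes the body's first child is the RSTR/RSTRC element, not whitespace text.
            Element bodyElement = (Element) response.getSOAPBody().getFirstChild();
            if (bodyElement == null) {
                throw new FAMSTSException("nullElement");
            }
            WSTrustFactory factory = WSTrustFactory.newInstance(wstVersion);
            if ("RequestSecurityTokenResponse".equals(bodyElement.getLocalName())) {
                return factory.createRequestSecurityTokenResponse(bodyElement);
            }
            List responses = factory.createRequestSecurityTokenResponseCollection(bodyElement).getRequestSecurityTokenResponses();
            if (responses == null || responses.isEmpty()) {
                throw new FAMSTSException("nullElements");
            }
            return (RequestSecurityTokenResponse) responses.get(0);
        } catch (WSTException e) {
            debug.error("TrustAuthorityClient.getRequestSecurityTokenResponse: wst exception", e);
            throw new FAMSTSException(e.getMessage());
        } catch (SOAPException e2) {
            debug.error("TrustAuthorityClient.getRequestSecurityTokenResponse: soap exception", e2);
            throw new FAMSTSException(e2.getMessage());
        }
    }

    /**
     * Converts the RequestedSecurityToken child element into a {@link SecurityToken}.
     * Any failure, including an unknown token type, is logged and rethrown as a
     * {@link FAMSTSException} carrying the original message.
     */
    private SecurityToken parseSecurityToken(Element element) throws FAMSTSException {
        String tokenType = getTokenType(element);
        try {
            return createSecurityToken(tokenType, element);
        } catch (Exception e) {
            debug.error("TrustAuthorityClient.parseSecurityToken: Exception :", e);
            throw new FAMSTSException(e.getMessage());
        }
    }

    /**
     * Returns the proof-token secret of the last built-in-transport exchange as an AES key,
     * or {@code null} if no BinarySecret has been received on this instance.
     */
    public Key getSecretKey() {
        if (this.secretKey == null) {
            return null;
        }
        return new SecretKeySpec(this.secretKey, EncryptionConstants.AES);
    }

    /**
     * Converts the caller credential into the OnBehalfOf element through the configured
     * {@link ClientUserToken} plugin.
     *
     * <p>The plugin class name is read from the system property
     * {@link STSConstants#STS_CLIENT_USER_TOKEN_PLUGIN} (default
     * {@code com.sun.identity.wss.sts.STSClientUserToken}) and loaded with the thread's
     * context class loader, so the deployment configuration decides which code runs here.
     *
     * @throws FAMSTSException "initializationFailed" if the class cannot be loaded,
     *         "usertokeninitfailed" if it cannot be instantiated or initialised
     */
    private Element getClientUserToken(Object credential) throws FAMSTSException {
        if (clientTokenClass == null) {
            try {
                String pluginClassName = SystemConfigurationUtil.getProperty(
                        STSConstants.STS_CLIENT_USER_TOKEN_PLUGIN, "com.sun.identity.wss.sts.STSClientUserToken");
                clientTokenClass = Thread.currentThread().getContextClassLoader().loadClass(pluginClassName);
            } catch (Exception e) {
                debug.error("TrustAuthorityClientImpl.getClientUserToken:Failed in obtaining class", e);
                throw new FAMSTSException(STSUtils.bundle.getString("initializationFailed"));
            }
        }
        try {
            ClientUserToken clientUserToken = (ClientUserToken) clientTokenClass.getDeclaredConstructor().newInstance();
            clientUserToken.init(credential);
            if (debug.messageEnabled()) {
                debug.message("TrustAuthorityClientImpl:getClientUserToken: Client User Token : " + clientUserToken);
            }
            return (Element) clientUserToken.getTokenValue();
        } catch (Exception e2) {
            debug.error("TrustAuthorityClientImpl.getClientUserToken: Failed in initialization", e2);
            throw new FAMSTSException(STSUtils.bundle.getString("usertokeninitfailed"));
        }
    }

    /**
     * Builds identity-namespace {@link ClaimType}s, one per requested claim name.
     *
     * @param claimNames claim names; {@code null} yields an empty list
     * @return a new mutable list in the same order as {@code claimNames}
     */
    private static List<ClaimType> getClaims(List<String> claimNames) {
        List<ClaimType> claims = new ArrayList<ClaimType>();
        if (claimNames == null) {
            return claims;
        }
        for (String claimName : claimNames) {
            ClaimType claimType = new ClaimType(ClaimType.IDENTITY_NS);
            claimType.setName(claimName);
            claims.add(claimType);
        }
        return claims;
    }
}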
