package org.forgerock.openam.oauth2.saml2.core;

import com.sun.identity.saml2.assertion.Assertion;
import com.sun.identity.saml2.assertion.AssertionFactory;
import com.sun.identity.saml2.assertion.AudienceRestriction;
import com.sun.identity.saml2.assertion.Conditions;
import com.sun.identity.saml2.assertion.Issuer;
import com.sun.identity.saml2.assertion.Subject;
import com.sun.identity.saml2.assertion.SubjectConfirmation;
import com.sun.identity.saml2.assertion.SubjectConfirmationData;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.common.SAML2Utils;
import com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement;
import com.sun.identity.saml2.key.KeyUtil;
import com.sun.identity.saml2.meta.SAML2MetaManager;
import java.nio.charset.StandardCharsets;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.inject.Inject;
import org.forgerock.oauth2.core.AccessToken;
import org.forgerock.oauth2.core.ClientAuthenticator;
import org.forgerock.oauth2.core.ClientRegistration;
import org.forgerock.oauth2.core.ClientRegistrationStore;
import org.forgerock.oauth2.core.GrantTypeHandler;
import org.forgerock.oauth2.core.OAuth2ProviderSettings;
import org.forgerock.oauth2.core.OAuth2ProviderSettingsFactory;
import org.forgerock.oauth2.core.OAuth2Request;
import org.forgerock.oauth2.core.RefreshToken;
import org.forgerock.oauth2.core.TokenStore;
import org.forgerock.oauth2.core.Utils;
import org.forgerock.oauth2.core.exceptions.InvalidClientException;
import org.forgerock.oauth2.core.exceptions.InvalidGrantException;
import org.forgerock.oauth2.core.exceptions.InvalidRequestException;
import org.forgerock.oauth2.core.exceptions.InvalidScopeException;
import org.forgerock.oauth2.core.exceptions.NotFoundException;
import org.forgerock.oauth2.core.exceptions.ServerException;
import org.forgerock.openam.oauth2.OAuth2UrisFactory;
import org.forgerock.openam.utils.Time;
import org.forgerock.util.Reject;
import org.forgerock.util.encode.Base64url;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/forgerock/openam/oauth2/saml2/core/Saml2GrantTypeHandler.class */
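/**
 * Grant type handler for the SAML 2.0 bearer assertion grant.
 *
 * <p>The request carries a Base64url-encoded SAML assertion in the {@code assertion} parameter. The
 * assertion is only exchanged for an access token when it is signed by an IdP configured in the
 * request's realm, names this provider in an audience restriction, is within its validity window and
 * carries at least one unexpired bearer subject confirmation whose recipient matches the audience SP.
 */
public class Saml2GrantTypeHandler extends GrantTypeHandler {

    /** SubjectConfirmation method accepted by this grant type. */
    private static final String BEARER_CONFIRMATION_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer";

    private final Logger logger;
    private final ClientRegistrationStore clientRegistrationStore;
    private final TokenStore tokenStore;

    /**
     * Creates a new handler.
     *
     * @param clientRegistrationStore Store used to resolve the client when no secret is presented.
     * @param tokenStore Store used to create and persist the issued access token.
     * @param oAuth2UrisFactory Factory for the provider URIs (token endpoint).
     * @param oAuth2ProviderSettingsFactory Factory for the per-request provider settings.
     * @param clientAuthenticator Authenticator used when a client secret is presented.
     */
    @Inject
    public Saml2GrantTypeHandler(ClientRegistrationStore clientRegistrationStore, TokenStore tokenStore, OAuth2UrisFactory oAuth2UrisFactory, OAuth2ProviderSettingsFactory oAuth2ProviderSettingsFactory, ClientAuthenticator clientAuthenticator) {
        super(oAuth2ProviderSettingsFactory, oAuth2UrisFactory, clientAuthenticator);
        this.logger = LoggerFactory.getLogger("OAuth2Provider");
        this.clientRegistrationStore = clientRegistrationStore;
        this.tokenStore = tokenStore;
    }

    /**
     * Validates the SAML assertion in the request and, if it is acceptable, issues an access token for
     * the assertion's subject NameID.
     *
     * @param oAuth2Request The token request; must carry {@code client_id} and {@code assertion}.
     * @return The newly created access token.
     * @throws InvalidGrantException If the assertion cannot be decoded or fails validation.
     * @throws InvalidClientException If client authentication fails.
     * @throws InvalidRequestException If the request is otherwise malformed.
     * @throws ServerException On an internal error.
     * @throws InvalidScopeException If the requested scope is not permitted for the client.
     * @throws NotFoundException If the realm or client cannot be found.
     */
    public AccessToken handle(OAuth2Request oAuth2Request) throws InvalidGrantException, InvalidClientException, InvalidRequestException, ServerException, InvalidScopeException, NotFoundException {
        String clientId = (String) oAuth2Request.getParameter("client_id");
        Reject.ifTrue(Utils.isEmpty(clientId), "Missing parameter, 'client_id'");

        // A client presenting a secret is authenticated; otherwise it is merely looked up below.
        ClientRegistration clientRegistration = null;
        if (oAuth2Request.getParameter("client_secret") != null) {
            clientRegistration = clientAuthenticator.authenticate(oAuth2Request, urisFactory.get(oAuth2Request).getTokenEndpoint());
        }

        String encodedAssertion = (String) oAuth2Request.getParameter("assertion");
        Reject.ifTrue(Utils.isEmpty(encodedAssertion), "Missing parameter, 'assertion'");
        // Trace output contains the full assertion (including the subject identity); keep trace off in production.
        logger.trace("Assertion:\n{}", encodedAssertion);

        String assertionXml = decodeAssertion(encodedAssertion);
        logger.trace("Decoded assertion:\n{}", assertionXml);

        String realm = normaliseRealm((String) oAuth2Request.getParameter("realm"));
        if (clientRegistration == null) {
            clientRegistration = clientRegistrationStore.get(clientId, oAuth2Request);
        }

        try {
            Assertion assertion = AssertionFactory.getInstance().createAssertion(assertionXml);
            validateAssertion(assertion, clientRegistration, realm);
            logger.trace("Assertion is valid");

            OAuth2ProviderSettings providerSettings = providerSettingsFactory.get(oAuth2Request);
            String validatedClaims = providerSettings.validateRequestedClaims((String) oAuth2Request.getParameter("claims"));
            String grantType = (String) oAuth2Request.getParameter("grant_type");
            Set validatedScope = providerSettings.validateAccessTokenScope(clientRegistration, Utils.splitScope((String) oAuth2Request.getParameter("scope")), oAuth2Request);
            logger.trace("Granting scope: {}", validatedScope.toString());

            String subjectNameId = assertion.getSubject().getNameID().getValue();
            logger.trace("Creating token with data: {}\n{}\n{}\n{}\n{}", new Object[]{clientRegistration.getAccessTokenType(), validatedScope.toString(), realm, subjectNameId, clientRegistration.getClientId()});
            AccessToken accessToken = tokenStore.createAccessToken(grantType, "Bearer", (String) null, subjectNameId, clientRegistration.getClientId(), (String) null, validatedScope, (RefreshToken) null, (String) null, validatedClaims, oAuth2Request);
            logger.trace("Token created: {}", accessToken.toString());

            providerSettings.additionalDataToReturnFromTokenEndpoint(accessToken, oAuth2Request);
            if (validatedScope != null && !validatedScope.isEmpty()) {
                accessToken.addExtraData("scope", Utils.joinScope(validatedScope));
            }
            tokenStore.updateAccessToken(oAuth2Request, accessToken);
            return accessToken;
        } catch (SAML2Exception e) {
            // Details stay in the server log; the client only learns that the grant was rejected.
            logger.error("An error occurred while validating the assertion", e);
            throw new InvalidGrantException("Assertion is invalid.");
        }
    }

    /**
     * Not supported: this grant type authenticates the client itself inside {@link #handle(OAuth2Request)}.
     *
     * @throws UnsupportedOperationException Always.
     */
    protected AccessToken handle(OAuth2Request oAuth2Request, ClientRegistration clientRegistration, OAuth2ProviderSettings oAuth2ProviderSettings) {
        throw new UnsupportedOperationException();
    }

    /**
     * Decodes the Base64url-encoded assertion parameter into its XML text.
     *
     * @param encodedAssertion The raw {@code assertion} request parameter.
     * @return The decoded assertion XML.
     * @throws InvalidGrantException If the parameter is not valid Base64url.
     */
    private String decodeAssertion(String encodedAssertion) throws InvalidGrantException {
        byte[] decoded = Base64url.decode(encodedAssertion);
        if (decoded == null) {
            // Base64url.decode signals malformed input with null; reject rather than dereference it.
            logger.error("Decoding assertion failed\nassertion:{}", encodedAssertion);
            throw new InvalidGrantException("Assertion is invalid.");
        }
        return new String(decoded, StandardCharsets.UTF_8);
    }

    /**
     * Maps an absent realm parameter to the root realm.
     *
     * @param realm The {@code realm} request parameter, possibly {@code null}.
     * @return {@code "/"} when the realm is absent, otherwise the realm as given.
     */
    private String normaliseRealm(String realm) {
        return realm == null ? "/" : realm;
    }

    /**
     * Checks issuer, signature, conditions, audience, subject and bearer confirmation of the assertion.
     *
     * <p>The checks are ordered so that nothing derived from the assertion's content is trusted before
     * its signature has been verified against the IdP metadata of the realm.
     *
     * @param assertion The parsed assertion.
     * @param clientRegistration The client requesting the token (currently unused by the checks).
     * @param realm The realm whose SAML metadata is consulted.
     * @throws SAML2Exception If metadata lookup or recipient validation fails.
     * @throws InvalidGrantException If any validation step fails.
     */
    private void validateAssertion(Assertion assertion, ClientRegistration clientRegistration, String realm) throws SAML2Exception, InvalidGrantException {
        Issuer issuer = assertion.getIssuer();
        if (issuer == null) {
            logger.error("Saml2GrantTypeHandler.isValidAssertion(): Assertion's Issuer field is not specified");
            throw new InvalidGrantException("Issuer is not specified");
        }
        String issuerEntityId = issuer.getValue();
        SAML2MetaManager metaManager = new SAML2MetaManager();

        // Verification certificates come only from the IdP metadata registered in this realm under the
        // Issuer value, so an assertion from an unknown issuer cannot present a matching signature.
        Set verificationCerts = KeyUtil.getVerificationCerts(metaManager.getIDPSSODescriptor(realm, issuerEntityId), issuerEntityId, "IDPRole");
        if (!assertion.isSigned()) {
            logger.error("Saml2GrantTypeHandler.isValidAssertion(): Assertion is not signed");
            throw new InvalidGrantException("Assertion is not signed");
        }
        if (!assertion.isSignatureValid(verificationCerts)) {
            logger.error("Saml2GrantTypeHandler.isValidAssertion(): Assertion signature verification failed");
            throw new InvalidGrantException("Assertion signature is not valid");
        }
        logger.trace("Saml2GrantTypeHandler.isValidAssertion(): Assertion signature validation was successful");

        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            logger.error("Saml2GrantTypeHandler.isValidAssertion(): Conditions does not exist");
            throw new InvalidGrantException("Conditions element is missing");
        }
        List audienceRestrictions = conditions.getAudienceRestrictions();
        if (audienceRestrictions == null || audienceRestrictions.isEmpty()) {
            logger.error("Saml2GrantTypeHandler.isValidAssertion(): Audience Restriction does not exist");
            throw new InvalidGrantException("AudienceRestriction is missing");
        }

        SPSSODescriptorElement audienceSp = findAudienceServiceProvider(metaManager, issuer, realm, audienceRestrictions);
        if (audienceSp == null) {
            logger.error("Saml2GrantTypeHandler.isValidAssertion(): Didn't find the Oauth2 provider in audience restrictions");
            throw new InvalidGrantException("Audience validation failed");
        }

        Subject subject = assertion.getSubject();
        if (subject == null) {
            logger.error("Saml2GrantTypeHandler.isValidAssertion(): Subject is not specified in the assertion");
            throw new InvalidGrantException("Subject is not specified");
        }
        List<SubjectConfirmation> subjectConfirmations = subject.getSubjectConfirmation();
        if (subjectConfirmations == null || subjectConfirmations.isEmpty()) {
            logger.error("Saml2GrantTypeHandler.isValidAssertion(): Subject Confirmations is not specified in the assertion");
            throw new InvalidGrantException("SubjectConfirmations element is missing");
        }
        if (!assertion.isTimeValid()) {
            logger.error("Saml2GrantTypeHandler.isValidAssertion(): Assertion expired");
            throw new InvalidGrantException("Assertion expired");
        }

        if (!hasUnexpiredBearerConfirmation(assertion, audienceSp, subjectConfirmations)) {
            logger.error("Saml2GrantTypeHandler.isValidAssertion(): The assertion is either expired or had no expiration info");
            throw new InvalidGrantException("Assertion either expired or had no expiration information");
        }
    }

    /**
     * Finds the SP descriptor for the first audience that names a service provider registered in the
     * realm for which the issuer is a trusted source site.
     *
     * <p>Returning the matching descriptor (rather than whichever audience was inspected last) ensures
     * the later recipient check is performed against the SP the audience check actually accepted.
     *
     * @param metaManager Metadata manager for the realm.
     * @param issuer The assertion issuer.
     * @param realm The realm whose metadata is consulted.
     * @param audienceRestrictions Non-empty list of {@link AudienceRestriction} elements.
     * @return The matching SP descriptor, or {@code null} if no audience matches.
     * @throws SAML2Exception If metadata lookup fails.
     */
    private SPSSODescriptorElement findAudienceServiceProvider(SAML2MetaManager metaManager, Issuer issuer, String realm, List audienceRestrictions) throws SAML2Exception {
        for (Object restriction : audienceRestrictions) {
            List<String> audiences = ((AudienceRestriction) restriction).getAudience();
            if (audiences == null || audiences.isEmpty()) {
                continue;
            }
            for (String audience : audiences) {
                SPSSODescriptorElement sp = metaManager.getSPSSODescriptor(realm, audience);
                if (sp != null && SAML2Utils.isSourceSiteValid(issuer, realm, audience)) {
                    return sp;
                }
            }
        }
        return null;
    }

    /**
     * Checks every bearer subject confirmation's recipient against the audience SP and reports whether
     * at least one of them carries a {@code NotOnOrAfter} that is still in the future.
     *
     * <p>All bearer confirmations are inspected, not just the first valid one, so that a confirmation
     * with an unacceptable recipient still causes rejection via {@link SAML2Utils#validateRecipient}.
     *
     * @param assertion The assertion whose ID is used for the recipient check.
     * @param audienceSp The SP descriptor matched by the audience restriction.
     * @param subjectConfirmations Non-empty list of subject confirmations.
     * @return {@code true} if an unexpired bearer confirmation exists.
     * @throws SAML2Exception If a bearer confirmation's recipient is not acceptable for the SP.
     */
    private boolean hasUnexpiredBearerConfirmation(Assertion assertion, SPSSODescriptorElement audienceSp, List<SubjectConfirmation> subjectConfirmations) throws SAML2Exception {
        boolean unexpiredBearerFound = false;
        Date now = Time.newDate();
        for (SubjectConfirmation confirmation : subjectConfirmations) {
            if (!BEARER_CONFIRMATION_METHOD.equalsIgnoreCase(confirmation.getMethod())) {
                continue;
            }
            SubjectConfirmationData confirmationData = confirmation.getSubjectConfirmationData();
            if (confirmationData == null) {
                continue;
            }
            SAML2Utils.validateRecipient(audienceSp, assertion.getID(), confirmationData);
            Date notOnOrAfter = confirmationData.getNotOnOrAfter();
            if (notOnOrAfter == null) {
                // Logged but not fatal here; the caller rejects the assertion if no confirmation qualifies.
                logger.error("Saml2GrantTypeHandler.isValidAssertion(): Required NotOnOrAfter field is missing from the SubjectConfirmationData");
            } else if (now.before(notOnOrAfter)) {
                unexpiredBearerFound = true;
            }
        }
        return unexpiredBearerFound;
    }
}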
