package org.webswing.server.services.security.modules.saml2.com.lastpass.saml;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.StringReader;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.zip.Deflater;
import java.util.zip.Inflater;
import java.util.zip.InflaterInputStream;
import javax.xml.bind.DatatypeConverter;
import javax.xml.bind.ValidationException;
import javax.xml.parsers.DocumentBuilder;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.xml.BasicParserPool;
import net.shibboleth.utilities.java.support.xml.XMLParserException;
import org.apache.commons.io.IOUtils;
import org.joda.time.DateTime;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.XMLObjectBuilderFactory;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.core.xml.io.UnmarshallingException;
import org.opensaml.saml.common.SAMLObjectBuilder;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml.saml2.core.Audience;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.opensaml.saml.saml2.core.Conditions;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.StatusCode;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.saml2.core.SubjectConfirmationData;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.security.credential.BasicCredential;
import org.opensaml.xmlsec.encryption.support.DecryptionException;
import org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver;
import org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.w3c.dom.Element;
import org.w3c.dom.ls.DOMImplementationLS;
import org.w3c.dom.ls.LSSerializer;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/* loaded from: input_file:WEB-INF/lib/webswing-server-security-2.6.jar:org/webswing/server/services/security/modules/saml2/com/lastpass/saml/SAMLClient.class */
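/**
 * Minimal SAML 2.0 Service Provider client: builds AuthnRequests for the configured IdP and
 * validates the Responses it sends back, returning the subject NameID and attributes.
 *
 * <p>Validation performed on a Response (see {@link #validate(Response)}):
 * an optional Response signature and the mandatory signature on every Assertion are verified
 * against the IdP key from {@link IdPConfig}; status, Destination, IssueInstant, session and
 * condition time windows, SubjectConfirmationData recipient and the audience restriction are
 * checked, all with a fixed clock-skew allowance.
 *
 * <p>Checks this class does NOT perform, which callers must be aware of:
 * the Response/Assertion {@code InResponseTo} is never correlated with the ID passed to
 * {@link #generateAuthnRequest(String)}, so an unsolicited but otherwise valid response is
 * accepted; the {@code Issuer} element is not compared with the configured IdP entity id
 * (only the signing key binds the response to the IdP); assertion IDs are not tracked, so
 * replay within the validity window is not detected; and only the cryptographic signature
 * check is done, without a SAML signature-profile validation.
 */
public class SAMLClient {
    private final SPConfig spConfig;
    private final IdPConfig idpConfig;
    // Verification credential: the IdP entity id plus the public key of its configured certificate.
    private final BasicCredential credentials;
    private final BasicParserPool parsers;
    // Allowed clock skew (seconds) applied symmetrically to every time-window check.
    private static final int slack = (int) TimeUnit.MINUTES.toSeconds(5);
    // Working buffer for deflate/inflate.
    private static final int BUFFER_SIZE = 8192;
    // Upper bound on inflated response size. The encoded response comes straight from the
    // browser, so inflation must not be allowed to grow unbounded (decompression bomb).
    // Constructed value: generous compared with any realistic SAML Response.
    private static final int MAX_INFLATED_BYTES = 10 * 1024 * 1024;

    /**
     * Creates a client for one SP / IdP pair.
     *
     * @param spConfig  our own entity id, ACS endpoint and optional private key (for encrypted assertions)
     * @param idpConfig the IdP entity id, login URL and signing certificate
     * @throws SAMLException if the XML parser pool cannot be initialised
     */
    public SAMLClient(SPConfig spConfig, IdPConfig idpConfig) throws SAMLException {
        this.spConfig = spConfig;
        this.idpConfig = idpConfig;
        // Anonymous subclass kept from the original; presumably the no-arg BasicCredential
        // constructor is not public in this OpenSAML version — verify before simplifying.
        BasicCredential idpCredential = new BasicCredential() {
        };
        idpCredential.setEntityId(idpConfig.getEntityId());
        idpCredential.setPublicKey(idpConfig.getCert().getPublicKey());
        this.credentials = idpCredential;

        BasicParserPool pool = new BasicParserPool();
        // SAML parsing is namespace-driven; the unmarshaller registry keys on QNames.
        pool.setNamespaceAware(true);
        try {
            pool.initialize();
        } catch (ComponentInitializationException e) {
            throw new SAMLException(e);
        }
        this.parsers = pool;
    }

    /** @return the IdP configuration this client was built with */
    public IdPConfig getIdPConfig() {
        return this.idpConfig;
    }

    /** @return the SP configuration this client was built with */
    public SPConfig getSPConfig() {
        return this.spConfig;
    }

    /**
     * Parses XML text into an OpenSAML {@link Response}.
     *
     * @param xml the decoded (and, if applicable, inflated) response document
     * @return the unmarshalled Response
     * @throws SAMLException on parse or unmarshalling failure, or when the document root is not
     *                       a SAML Response (previously this surfaced as an unchecked ClassCastException)
     */
    private Response parseResponse(String xml) throws SAMLException {
        try {
            DocumentBuilder builder = this.parsers.getBuilder();
            try {
                Element root = builder.parse(new InputSource(new StringReader(xml))).getDocumentElement();
                // NOTE(review): getUnmarshaller() may return null for an element with no registered
                // provider, which would surface as a NullPointerException here — confirm for this
                // OpenSAML version and reject explicitly if so.
                XMLObject parsed = XMLObjectProviderRegistrySupport.getUnmarshallerFactory()
                        .getUnmarshaller(root).unmarshall(root);
                if (!(parsed instanceof Response)) {
                    throw new SAMLException("Document root is not a SAML Response: " + root.getNodeName());
                }
                return (Response) parsed;
            } finally {
                // Builders are pooled; hand this one back instead of letting it leak out of the pool.
                this.parsers.returnBuilder(builder);
            }
        } catch (IOException | XMLParserException | UnmarshallingException | SAXException e) {
            throw new SAMLException(e);
        }
    }

    /**
     * Decrypts an EncryptedAssertion with the SP private key.
     *
     * @param encrypted the encrypted assertion from the Response
     * @return the decrypted Assertion, rooted in a fresh DOM document
     * @throws DecryptionException if no SP private key is configured or decryption fails
     */
    private Assertion decrypt(EncryptedAssertion encrypted) throws DecryptionException {
        if (this.spConfig.getPrivateKey() == null) {
            throw new DecryptionException("Encrypted assertion found but no SP key available");
        }
        BasicCredential spCredential = new BasicCredential() {
        };
        spCredential.setPrivateKey(this.spConfig.getPrivateKey());
        // No direct data-key resolver (null): the content key is expected as an inline EncryptedKey
        // and is unwrapped with the SP private key supplied through the static resolver.
        Decrypter decrypter = new Decrypter(null,
                new StaticKeyInfoCredentialResolver(spCredential),
                new InlineEncryptedKeyResolver());
        decrypter.setRootInNewDocument(true);
        return decrypter.decrypt(encrypted);
    }

    /**
     * Collects every assertion of a Response: the plaintext ones as-is, the encrypted ones decrypted.
     *
     * @throws DecryptionException if any encrypted assertion cannot be decrypted
     */
    private List<Assertion> getAssertions(Response response) throws DecryptionException {
        List<Assertion> assertions = new ArrayList<Assertion>(response.getAssertions());
        for (EncryptedAssertion encrypted : response.getEncryptedAssertions()) {
            assertions.add(decrypt(encrypted));
        }
        return assertions;
    }

    /** True when {@code now} is on or after {@code limit} (i.e. the limit has been reached). */
    private static boolean hasPassed(DateTime now, DateTime limit) {
        return !now.isBefore(limit);
    }

    /**
     * Rejects an IssueInstant outside {@code now ± slack}. A missing IssueInstant is tolerated
     * (kept from the original behaviour).
     *
     * @param what "Response" or "Assertion", used in the error message
     */
    private static void checkIssueInstant(DateTime issueInstant, DateTime now, String what)
            throws ValidationException {
        if (issueInstant == null) {
            return;
        }
        if (issueInstant.isBefore(now.minusSeconds(slack))) {
            throw new ValidationException(what + " IssueInstant is in the past");
        }
        if (issueInstant.isAfter(now.plusSeconds(slack))) {
            throw new ValidationException(what + " IssueInstant is in the future");
        }
    }

    /**
     * Validates a Response and all of its assertions, returning the (decrypted) assertions that
     * were validated so the caller works on exactly the objects that passed the checks rather
     * than decrypting a second time.
     *
     * @throws ValidationException on any failed semantic check (including decryption failure)
     * @throws SignatureException  when a signature does not verify against the IdP key
     */
    private List<Assertion> validate(Response response) throws ValidationException, SignatureException {
        Signature signature = response.getSignature();
        if (signature != null) {
            // A Response-level signature is optional; when present it must verify with the IdP key.
            // Only the cryptographic check is done here; no signature-profile validation.
            SignatureValidator.validate(signature, this.credentials);
        }
        if (response.getStatus() == null
                || response.getStatus().getStatusCode() == null
                || !StatusCode.SUCCESS.equals(response.getStatus().getStatusCode().getValue())) {
            throw new ValidationException("Response has an unsuccessful status code");
        }
        // Destination must equal our ACS whenever the response is signed or names a Destination at all.
        // NOTE(review): getAcs() is compared with equals() against a String here and in the
        // SubjectConfirmationData recipient check; if SPConfig.getAcs() returns a URI/URL rather
        // than a String this comparison can never succeed — confirm the declared type.
        if ((signature != null || response.getDestination() != null)
                && !this.spConfig.getAcs().equals(response.getDestination())) {
            throw new ValidationException("Response is destined for a different endpoint");
        }
        // One timestamp for the whole validation so every window check uses the same "now".
        DateTime now = DateTime.now();
        checkIssueInstant(response.getIssueInstant(), now, "Response");

        List<Assertion> assertions;
        try {
            assertions = getAssertions(response);
        } catch (DecryptionException e) {
            throw new ValidationException(e);
        }
        for (Assertion assertion : assertions) {
            validateAssertion(assertion, now);
        }
        return assertions;
    }

    /**
     * Applies the per-assertion checks: mandatory signature, AuthnStatement presence and session
     * expiry, IssueInstant, Conditions window, SubjectConfirmationData expiry/recipient and the
     * single audience restriction naming our entity id.
     *
     * <p>Tolerated by design (kept from the original): an assertion without a Subject or without
     * SubjectConfirmations passes here; {@link #validateResponse(String)} later requires a Subject
     * with a NameID. The SubjectConfirmation {@code Method} and its {@code InResponseTo} are not checked.
     */
    private void validateAssertion(Assertion assertion, DateTime now)
            throws ValidationException, SignatureException {
        if (!assertion.isSigned()) {
            throw new ValidationException("Assertion must be signed");
        }
        SignatureValidator.validate(assertion.getSignature(), this.credentials);

        if (assertion.getAuthnStatements().isEmpty()) {
            throw new ValidationException("Assertion should contain an AuthnStatement");
        }
        for (AuthnStatement statement : assertion.getAuthnStatements()) {
            DateTime sessionEnd = statement.getSessionNotOnOrAfter();
            if (sessionEnd != null && hasPassed(now, sessionEnd.plusSeconds(slack))) {
                throw new ValidationException("AuthnStatement has expired");
            }
        }

        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            throw new ValidationException("Assertion should contain conditions");
        }
        checkIssueInstant(assertion.getIssueInstant(), now, "Assertion");

        DateTime notBefore = conditions.getNotBefore();
        DateTime notOnOrAfter = conditions.getNotOnOrAfter();
        if (notBefore == null || notOnOrAfter == null) {
            throw new ValidationException("Assertion conditions must have limits");
        }
        if (now.isBefore(notBefore.minusSeconds(slack))) {
            throw new ValidationException("Assertion conditions is in the future");
        }
        if (hasPassed(now, notOnOrAfter.plusSeconds(slack))) {
            throw new ValidationException("Assertion conditions is in the past");
        }

        Subject subject = assertion.getSubject();
        if (subject != null && !subject.getSubjectConfirmations().isEmpty()) {
            boolean recipientMatches = false;
            for (SubjectConfirmation confirmation : subject.getSubjectConfirmations()) {
                SubjectConfirmationData data = confirmation.getSubjectConfirmationData();
                if (data == null) {
                    continue;
                }
                if (data.getNotOnOrAfter() != null
                        && hasPassed(now, data.getNotOnOrAfter().plusSeconds(slack))) {
                    throw new ValidationException("SubjectConfirmationData is in the past");
                }
                if (this.spConfig.getAcs().equals(data.getRecipient())) {
                    recipientMatches = true;
                }
            }
            if (!recipientMatches) {
                throw new ValidationException("No SubjectConfirmationData found for ACS");
            }
        }

        if (conditions.getAudienceRestrictions().isEmpty()) {
            throw new ValidationException("Assertion conditions must have audience restrictions");
        }
        if (conditions.getAudienceRestrictions().size() > 1) {
            throw new ValidationException("Assertion contains multiple audience restrictions");
        }
        boolean audienceMatches = false;
        for (Audience audience : conditions.getAudienceRestrictions().get(0).getAudiences()) {
            if (this.spConfig.getEntityId().equals(audience.getAudienceURI())) {
                audienceMatches = true;
            }
        }
        if (!audienceMatches) {
            throw new ValidationException("Assertion audience does not include issuer");
        }
    }

    /**
     * Builds an AuthnRequest addressed to the IdP login URL and serialises it to XML without
     * an XML declaration.
     *
     * @param requestId value for the request ID attribute (caller-supplied; presumably must be a
     *                  valid xs:ID, i.e. not start with a digit)
     * @throws SAMLException if marshalling fails
     */
    private String createAuthnRequest(String requestId) throws SAMLException {
        XMLObjectBuilderFactory builderFactory = XMLObjectProviderRegistrySupport.getBuilderFactory();
        // Raw cast kept: the builder factory's return type is not parameterised by element.
        @SuppressWarnings({"unchecked", "rawtypes"})
        SAMLObjectBuilder<AuthnRequest> requestBuilder =
                (SAMLObjectBuilder) builderFactory.getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME);
        @SuppressWarnings({"unchecked", "rawtypes"})
        SAMLObjectBuilder<Issuer> issuerBuilder =
                (SAMLObjectBuilder) builderFactory.getBuilder(Issuer.DEFAULT_ELEMENT_NAME);

        AuthnRequest request = requestBuilder.buildObject();
        request.setAssertionConsumerServiceURL(this.spConfig.getAcs().toString());
        request.setDestination(this.idpConfig.getLoginUrl().toString());
        request.setIssueInstant(new DateTime());
        request.setID(requestId);
        Issuer issuer = issuerBuilder.buildObject();
        issuer.setValue(this.spConfig.getEntityId());
        request.setIssuer(issuer);

        try {
            Element dom = XMLObjectProviderRegistrySupport.getMarshallerFactory()
                    .getMarshaller(request).marshall(request);
            LSSerializer serializer =
                    ((DOMImplementationLS) dom.getOwnerDocument().getImplementation()).createLSSerializer();
            // The request is embedded in a URL/form parameter; a leading <?xml ...?> is not wanted.
            serializer.getDomConfig().setParameter("xml-declaration", false);
            return serializer.writeToString(dom);
        } catch (MarshallingException e) {
            throw new SAMLException(e);
        }
    }

    /**
     * Compresses with raw DEFLATE (no zlib header/trailer), as the SAML HTTP-Redirect binding expects.
     *
     * @throws IOException declared for API compatibility with callers; the in-memory path does not raise it
     */
    private byte[] deflate(byte[] data) throws IOException {
        Deflater deflater = new Deflater(Deflater.DEFAULT_COMPRESSION, true);
        try {
            deflater.setInput(data);
            deflater.finish();
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buffer = new byte[BUFFER_SIZE];
            while (!deflater.finished()) {
                out.write(buffer, 0, deflater.deflate(buffer));
            }
            return out.toByteArray();
        } finally {
            // Release native zlib state regardless of outcome.
            deflater.end();
        }
    }

    /**
     * Inflates raw DEFLATE data (no zlib header/trailer), capped at {@link #MAX_INFLATED_BYTES}.
     *
     * @param data compressed bytes, typically untrusted (decoded from the browser's response parameter)
     * @return the decompressed bytes
     * @throws IOException if the data is not valid DEFLATE, is truncated, or inflates beyond the cap
     */
    public static byte[] inflate(byte[] data) throws IOException {
        Inflater inflater = new Inflater(true);
        try {
            InflaterInputStream in = new InflaterInputStream(new ByteArrayInputStream(data), inflater);
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buffer = new byte[BUFFER_SIZE];
            int n;
            while ((n = in.read(buffer)) != -1) {
                if (out.size() + n > MAX_INFLATED_BYTES) {
                    throw new IOException("Inflated data exceeds " + MAX_INFLATED_BYTES + " bytes");
                }
                out.write(buffer, 0, n);
            }
            return out.toByteArray();
        } finally {
            // InflaterInputStream only ends an inflater it created itself; this one is ours.
            inflater.end();
        }
    }

    /**
     * Produces the value for the {@code SAMLRequest} parameter: AuthnRequest XML, deflated, base64-encoded.
     *
     * @param requestId the request ID to stamp on the AuthnRequest
     * @throws SAMLException if the request cannot be built or compressed
     */
    public String generateAuthnRequest(String requestId) throws SAMLException {
        try {
            byte[] xml = createAuthnRequest(requestId).getBytes(StandardCharsets.UTF_8);
            return DatatypeConverter.printBase64Binary(deflate(xml));
        } catch (IOException e) {
            throw new SAMLException("Unable to compress the AuthnRequest", e);
        }
    }

    /**
     * Decodes, validates and extracts a SAML Response received from the IdP.
     *
     * @param encodedResponse the base64 {@code SAMLResponse} parameter, optionally DEFLATE-compressed
     * @return the subject NameID and the attributes of the single assertion
     * @throws SAMLException if the response cannot be decoded or parsed, fails any validation check,
     *                       does not contain exactly one assertion, or lacks a Subject/NameID
     */
    public AttributeSet validateResponse(String encodedResponse) throws SAMLException {
        byte[] raw = DatatypeConverter.parseBase64Binary(encodedResponse);
        try {
            raw = inflate(raw);
        } catch (IOException ignored) {
            // Best effort, kept from the original: a response that is not DEFLATE-compressed
            // (presumably the POST binding, which sends plain base64 XML) fails inflation and the
            // decoded bytes are used as-is. A genuinely corrupt payload then fails in parseResponse.
        }
        Response response = parseResponse(new String(raw, StandardCharsets.UTF_8));

        List<Assertion> assertions;
        try {
            assertions = validate(response);
        } catch (ValidationException | SignatureException e) {
            throw new SAMLException(e);
        }
        if (assertions.size() != 1) {
            throw new SAMLException("Response should have a single assertion.");
        }
        Assertion assertion = assertions.get(0);
        Subject subject = assertion.getSubject();
        if (subject == null) {
            throw new SAMLException("No subject contained in the assertion.");
        }
        if (subject.getNameID() == null) {
            throw new SAMLException("No NameID found in the subject.");
        }
        return new AttributeSet(subject.getNameID().getValue(), extractAttributes(assertion));
    }

    /**
     * Flattens all AttributeStatements of an assertion into name → text values.
     * If the same attribute name occurs more than once, the later occurrence replaces the earlier
     * one (kept from the original).
     */
    private static Map<String, List<String>> extractAttributes(Assertion assertion) {
        Map<String, List<String>> attributes = new HashMap<String, List<String>>();
        for (AttributeStatement statement : assertion.getAttributeStatements()) {
            for (Attribute attribute : statement.getAttributes()) {
                List<String> values = new ArrayList<String>();
                for (XMLObject value : attribute.getAttributeValues()) {
                    // Text content of the AttributeValue element; nested markup is flattened.
                    values.add(value.getDOM().getTextContent());
                }
                attributes.put(attribute.getName(), values);
            }
        }
        return attributes;
    }
}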
