package org.wso2.carbon.hostobjects.sso;

import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import javax.script.ScriptException;
import org.apache.axis2.clustering.ClusteringAgent;
import org.apache.axis2.clustering.ClusteringFault;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang3.StringEscapeUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.jaggeryjs.hostobjects.web.SessionHostObject;
import org.joda.time.DateTime;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.Function;
import org.mozilla.javascript.Scriptable;
import org.mozilla.javascript.ScriptableObject;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.LogoutRequest;
import org.opensaml.saml2.core.LogoutResponse;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.SessionIndex;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.signature.Signature;
import org.w3c.dom.NodeList;
import org.wso2.carbon.hostobjects.sso.internal.SSOConstants;
import org.wso2.carbon.hostobjects.sso.internal.SSOHostObjectDataHolder;
import org.wso2.carbon.hostobjects.sso.internal.SessionInfo;
import org.wso2.carbon.hostobjects.sso.internal.builder.AuthReqBuilder;
import org.wso2.carbon.hostobjects.sso.internal.builder.LogoutRequestBuilder;
import org.wso2.carbon.hostobjects.sso.internal.util.Util;
import org.wso2.carbon.utils.xml.StringUtils;

/* loaded from: input_file:org/wso2/carbon/hostobjects/sso/SAMLSSORelyingPartyObject.class */
public class SAMLSSORelyingPartyObject extends ScriptableObject {
    // Per-instance SSO configuration, read through getSSOProperty and written through setSSOProperty.
    // Holds the keystore name, keystore password and IdP alias used for signature validation and decryption.
    private Properties ssoConfigProperties = new Properties();
    // Set by jsFunction_addSession to whichever relying-party object last called it; shared by all callers.
    protected static volatile SAMLSSORelyingPartyObject ssho;
    private String loggedInUserName;
    private static final Log log = LogFactory.getLog(SAMLSSORelyingPartyObject.class);
    // RelayState value -> requested URI.
    // NOTE(review): plain HashMap shared statically and mutated by jsFunction_setRelayStateProperty /
    // jsFunction_getRelayStateProperty without synchronization. Entries are removed only when read back,
    // so relay states that never return stay in the map.
    private static Map<String, String> relayStateMap = new HashMap();
    // Issuer id -> relying-party instance (populated by jsConstructor).
    // NOTE(review): volatile covers the field reference only, not the HashMap's contents.
    private static volatile Map<String, SAMLSSORelyingPartyObject> ssoRelyingPartyMap = new HashMap();
    // Keyed by SessionInfo.getSessionId() (see addSessionInfo).
    private static volatile Map<String, SessionInfo> sessionIdMap = new ConcurrentHashMap();
    // Presumably IdP session index -> local sessions sharing that index; confirm against addSessionToSessionIndexMap.
    private static volatile Map<String, Set<SessionHostObject>> sessionIndexMap = new ConcurrentHashMap();
    // Overwritten by jsFunction_addSession with jsGet_maxInactive() * 1000; presumably milliseconds (default would be 30 min).
    private static long maxInactiveInterval = 1800000;

    /**
     * Returns the class name reported for this host object.
     *
     * @return the constant {@code "SSORelyingParty"}
     */
    public String getClassName() {
        final String hostObjectName = "SSORelyingParty";
        return hostObjectName;
    }

    /**
     * Takes the inactivity limit from the supplied session and remembers the calling relying-party object.
     *
     * <p>Both writes go to static fields, so the values are shared by every relying-party instance.
     *
     * @param objArr exactly one element, a {@link SessionHostObject}
     * @throws ScriptException if the argument is missing or of another type
     */
    public static void jsFunction_addSession(Context context, Scriptable scriptable, Object[] objArr, Function function) throws Exception {
        boolean singleSessionArgument = objArr.length == 1 && objArr[0] instanceof SessionHostObject;
        if (!singleSessionArgument) {
            throw new ScriptException("Invalid argument. Session is missing.");
        }
        SessionHostObject session = (SessionHostObject) objArr[0];
        // Scaled by 1000; presumably seconds to milliseconds (confirm against SessionHostObject).
        maxInactiveInterval = session.jsGet_maxInactive() * 1000;
        ssho = (SAMLSSORelyingPartyObject) scriptable;
    }

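    /**
     * Returns the relying-party object registered for the given issuer id, creating and registering it on
     * first use.
     *
     * <p>The lookup and the insert both run under the class lock. The earlier form re-tested a local
     * variable inside the lock instead of re-reading the map, so two threads that both missed could each
     * register their own instance; it also read the unsynchronized HashMap outside the lock.
     *
     * @param objArr exactly one element, the issuer id as a String
     * @return the relying-party object for that issuer
     * @throws ScriptException if the issuer id is missing or not a String
     */
    public static Scriptable jsConstructor(Context context, Object[] objArr, Function function, boolean z) throws Exception {
        if (objArr.length != 1 || !(objArr[0] instanceof String)) {
            throw new ScriptException("Invalid arguments!, IssuerId is missing in parameters.");
        }
        String issuerId = (String) objArr[0];
        synchronized (SAMLSSORelyingPartyObject.class) {
            // Read under the same lock as the write: the map is a plain HashMap.
            SAMLSSORelyingPartyObject relyingParty = ssoRelyingPartyMap.get(issuerId);
            if (relyingParty == null) {
                relyingParty = new SAMLSSORelyingPartyObject();
                relyingParty.setSSOProperty(SSOConstants.ISSUER_ID, issuerId);
                ssoRelyingPartyMap.put(issuerId, relyingParty);
            }
            return relyingParty;
        }
    }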

    /**
     * Validates the signature carried on the SAML Response element.
     *
     * <p>Validation is tried first with the fixed tenant id -1234 / "carbon.super", then, if that did not
     * succeed and the message's domain is different, with the tenant resolved from the message itself.
     * Only {@code response.getSignature()} is examined; signatures on individual assertions are not
     * looked at in this method.
     *
     * <p>NOTE(review): callers that go on to read assertions from the same message should confirm that
     * the data they consume is covered by the signature checked here.
     *
     * @param objArr exactly one element, the SAML response as a String
     * @return true only when one of the validation attempts returned true
     * @throws ScriptException if the argument is missing or not a String
     */
    public static boolean jsFunction_validateSignature(Context context, Scriptable scriptable, Object[] objArr, Function function) throws Exception {
        if (objArr.length != 1 || !(objArr[0] instanceof String)) {
            throw new ScriptException("Invalid argument. SAML response is missing.");
        }
        // Always passed through Util.decode: unlike the sibling methods, the relying party's encoding
        // property is not consulted here.
        Response unmarshall = Util.unmarshall(Util.decode((String) objArr[0]));
        // The domain name, and from it the tenant id, come from the message before anything about it has
        // been verified, and before the type check below.
        String domainName = Util.getDomainName(unmarshall);
        int tenantId = Util.getRealmService().getTenantManager().getTenantId(domainName);
        if (!(unmarshall instanceof Response)) {
            if (!log.isWarnEnabled()) {
                return false;
            }
            log.warn("SAML response in signature validation is not a SAML Response.");
            return false;
        }
        Response response = unmarshall;
        SAMLSSORelyingPartyObject sAMLSSORelyingPartyObject = (SAMLSSORelyingPartyObject) scriptable;
        Signature signature = response.getSignature();
        // An unsigned Response is rejected rather than treated as "nothing to verify".
        if (signature == null) {
            log.error("SAMLResponse signing is enabled, but signature element not found in SAML Response element.");
            return false;
        }
        boolean z = false;
        try {
            // First attempt: fixed tenant id -1234 with domain "carbon.super".
            z = Util.validateSignature(signature, sAMLSSORelyingPartyObject.getSSOProperty(SSOConstants.KEY_STORE_NAME), sAMLSSORelyingPartyObject.getSSOProperty(SSOConstants.KEY_STORE_PASSWORD), sAMLSSORelyingPartyObject.getSSOProperty(SSOConstants.IDP_ALIAS), -1234, "carbon.super");
        } catch (SignatureVerificationFailure e) {
            // Recorded at debug level only; execution falls through to the tenant attempt (or returns false).
            if (log.isDebugEnabled()) {
                log.debug("Signature verification failed with Super-Tenant Key Store", e);
            }
        }
        if (!z && !"carbon.super".equals(domainName)) {
            try {
                // Second attempt: tenant id and domain derived from the message (see above).
                z = Util.validateSignature(signature, sAMLSSORelyingPartyObject.getSSOProperty(SSOConstants.KEY_STORE_NAME), sAMLSSORelyingPartyObject.getSSOProperty(SSOConstants.KEY_STORE_PASSWORD), sAMLSSORelyingPartyObject.getSSOProperty(SSOConstants.IDP_ALIAS), tenantId, domainName);
            } catch (SignatureVerificationFailure e2) {
                log.error("Signature Verification Failed using super tenant and tenant key stores", e2);
                return false;
            }
        }
        return z;
    }

    /**
     * Reports whether the supplied message unmarshals to a SAML2 {@link LogoutRequest}.
     *
     * <p>The argument is XML-unescaped, then passed through {@code Util.decode} unless the relying
     * party's encoding property parses to false. This is a type check only; no signature is verified.
     *
     * @param objArr exactly one element, the message as a String
     * @return true if the unmarshalled object is a LogoutRequest
     * @throws ScriptException if the argument is missing or not a String
     */
    public static boolean jsFunction_isLogoutRequest(Context context, Scriptable scriptable, Object[] objArr, Function function) throws Exception {
        boolean singleStringArgument = objArr.length == 1 && objArr[0] instanceof String;
        if (!singleStringArgument) {
            throw new ScriptException("Invalid argument. Logout request xml is missing.");
        }
        String encodedFlag = getSSOSamlEncodingProperty((SAMLSSORelyingPartyObject) scriptable);
        boolean encoded = true;
        if (encodedFlag != null) {
            try {
                // Boolean.parseBoolean maps anything other than "true" to false; the catch is kept as in the original.
                encoded = Boolean.parseBoolean(encodedFlag);
            } catch (Exception e) {
                throw new ScriptException("Invalid property value found for isEncoded " + encodedFlag);
            }
        }
        String payload = StringEscapeUtils.unescapeXml((String) objArr[0]);
        if (encoded) {
            payload = Util.decode(payload);
        }
        XMLObject message = Util.unmarshall(payload);
        boolean isLogoutRequest = message instanceof LogoutRequest;
        if (isLogoutRequest && log.isDebugEnabled()) {
            log.debug("Request is a logout request and request is " + objArr[0]);
        }
        return isLogoutRequest;
    }

    /**
     * Reports whether the supplied message unmarshals to a SAML2 {@link LogoutResponse}.
     *
     * <p>The argument is passed through {@code Util.decode} unless the relying party's encoding property
     * parses to false. This is a type check only; no signature is verified.
     *
     * @param objArr exactly one element, the message as a String
     * @return true if the unmarshalled object is a LogoutResponse
     * @throws ScriptException if the argument is missing or not a String
     */
    public static boolean jsFunction_isLogoutResponse(Context context, Scriptable scriptable, Object[] objArr, Function function) throws Exception {
        boolean singleStringArgument = objArr.length == 1 && objArr[0] instanceof String;
        if (!singleStringArgument) {
            throw new ScriptException("Invalid argument. Logout response xml is missing.");
        }
        String encodedFlag = getSSOSamlEncodingProperty((SAMLSSORelyingPartyObject) scriptable);
        boolean encoded = true;
        if (encodedFlag != null) {
            try {
                encoded = Boolean.parseBoolean(encodedFlag);
            } catch (Exception e) {
                throw new ScriptException("Invalid property value found for isEncoded " + encodedFlag);
            }
        }
        String payload = (String) objArr[0];
        if (encoded) {
            payload = Util.decode(payload);
        }
        XMLObject message = Util.unmarshall(payload);
        boolean isLogoutResponse = message instanceof LogoutResponse;
        if (isLogoutResponse && log.isDebugEnabled()) {
            log.debug("Response is a logout response and response is " + objArr[0]);
        }
        return isLogoutResponse;
    }

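    /**
     * Reports whether the supplied SAML Response carries the status pair Responder / NoPassive.
     *
     * <p>Changes from the earlier form: the status values are compared constant-first, so a status code
     * without a value yields false instead of a NullPointerException; the argument error message now
     * names the SAML response rather than a logout response; the catch around Boolean.parseBoolean,
     * which never throws, is gone.
     *
     * @param objArr exactly one element, the SAML response as a String
     * @return true only when the top-level status code is Responder and its nested code is NoPassive
     * @throws ScriptException if the argument is missing or not a String
     */
    public static boolean jsFunction_isPassiveAuthResponse(Context context, Scriptable scriptable, Object[] objArr, Function function) throws Exception {
        if (objArr.length != 1 || !(objArr[0] instanceof String)) {
            throw new ScriptException("Invalid argument. SAML response is missing.");
        }
        String encodedFlag = getSSOSamlEncodingProperty((SAMLSSORelyingPartyObject) scriptable);
        // An unset property means "encoded".
        boolean encoded = encodedFlag == null || Boolean.parseBoolean(encodedFlag);
        String rawMessage = (String) objArr[0];
        XMLObject parsed = Util.unmarshall(encoded ? Util.decode(rawMessage) : rawMessage);
        if (!(parsed instanceof Response)) {
            return false;
        }
        Response response = (Response) parsed;
        if (response.getStatus() == null || response.getStatus().getStatusCode() == null) {
            return false;
        }
        if (!"urn:oasis:names:tc:SAML:2.0:status:Responder".equals(response.getStatus().getStatusCode().getValue())) {
            return false;
        }
        if (response.getStatus().getStatusCode().getStatusCode() == null) {
            return false;
        }
        return "urn:oasis:names:tc:SAML:2.0:status:NoPassive".equals(response.getStatus().getStatusCode().getStatusCode().getValue());
    }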

    /**
     * Encodes the supplied string with {@code Util.deflateAndEncode}, or with {@code Util.encode} when the
     * relying party's deflate property parses to false.
     *
     * @param objArr exactly one element, the String to encode
     * @return the encoded string
     * @throws ScriptException if the argument is missing or not a String
     */
    public static String jsFunction_encode(Context context, Scriptable scriptable, Object[] objArr, Function function) throws Exception {
        boolean singleStringArgument = objArr.length == 1 && objArr[0] instanceof String;
        if (!singleStringArgument) {
            throw new ScriptException("Invalid argument. String to be encoded is missing.");
        }
        String deflateFlag = getSSOSamlDeflateProperty((SAMLSSORelyingPartyObject) scriptable);
        boolean deflate = true;
        if (deflateFlag != null) {
            try {
                deflate = Boolean.parseBoolean(deflateFlag);
            } catch (Exception e) {
                throw new ScriptException("Invalid property value found for deflate " + deflateFlag);
            }
        }
        // The full input is written to the debug log.
        if (log.isDebugEnabled()) {
            log.debug("Response string to be encoded is " + objArr[0]);
        }
        String input = (String) objArr[0];
        if (deflate) {
            return Util.deflateAndEncode(input);
        }
        return Util.encode(input);
    }

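    /**
     * Returns the SAML token stored for the given session id.
     *
     * <p>The token itself is no longer written to the debug log: it is the stored SAML response, and a
     * log file is a weaker place to keep it than the session store.
     *
     * @param objArr exactly one element, the session id as a String
     * @return the stored token, or null when no session info exists for the id
     * @throws ScriptException if the argument is missing or not a String
     */
    public static String jsFunction_getSAMLToken(Context context, Scriptable scriptable, Object[] objArr, Function function) throws Exception {
        if (objArr.length != 1 || !(objArr[0] instanceof String)) {
            throw new ScriptException("Invalid argument. Session Id is missing.");
        }
        SessionInfo sessionInfo = ((SAMLSSORelyingPartyObject) scriptable).getSessionInfo((String) objArr[0]);
        if (sessionInfo == null) {
            return null;
        }
        String samlToken = sessionInfo.getSamlToken();
        if (log.isDebugEnabled()) {
            // Presence only; the token value stays out of the log.
            log.debug("SAML token of relying party object is " + (samlToken == null ? "not set" : "set"));
        }
        return samlToken;
    }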

    /**
     * Returns the supplied string passed through {@code Util.decode}, or unchanged when the relying
     * party's encoding property parses to false.
     *
     * @param objArr exactly one element, the String to decode
     * @return the decoded (or untouched) string
     * @throws ScriptException if the argument is missing or not a String
     */
    public static String jsFunction_decode(Context context, Scriptable scriptable, Object[] objArr, Function function) throws Exception {
        boolean singleStringArgument = objArr.length == 1 && objArr[0] instanceof String;
        if (!singleStringArgument) {
            throw new ScriptException("Invalid argument. String to be decoded is missing.");
        }
        String encodedFlag = getSSOSamlEncodingProperty((SAMLSSORelyingPartyObject) scriptable);
        boolean encoded = true;
        if (encodedFlag != null) {
            try {
                encoded = Boolean.parseBoolean(encodedFlag);
            } catch (Exception e) {
                throw new ScriptException("Invalid property value found for isEncoded " + encodedFlag);
            }
        }
        // The full input is written to the debug log.
        if (log.isDebugEnabled()) {
            log.debug("AuthReq string to be decoded is " + objArr[0]);
        }
        String input = (String) objArr[0];
        if (!encoded) {
            return input;
        }
        return Util.decode(input);
    }

    /**
     * Returns a freshly generated random UUID in its canonical string form.
     *
     * @return the UUID string
     */
    public static String jsFunction_getUUID(Context context, Scriptable scriptable, Object[] objArr, Function function) throws Exception {
        UUID generated = UUID.randomUUID();
        return generated.toString();
    }

    /**
     * Builds and marshals a SAML authentication request for this relying party.
     *
     * <p>When the SIGN_REQUESTS property parses to true the request is built with
     * {@code buildSignedAuthRequest} (tenant id -1234, domain "carbon.super"); otherwise with
     * {@code buildAuthenticationRequest}, which is not given the IdP URL.
     *
     * <p>The arguments are cast without a type check, so a non-String first or non-Boolean second
     * argument surfaces as a ClassCastException.
     *
     * @param objArr optional String first element and optional Boolean second element, both handed to
     *               the builder (meaning defined by AuthReqBuilder)
     * @return the marshalled request
     */
    public static String jsFunction_getSAMLAuthRequest(Context context, Scriptable scriptable, Object[] objArr, Function function) throws Exception {
        SAMLSSORelyingPartyObject relyingParty = (SAMLSSORelyingPartyObject) scriptable;
        int argumentCount = objArr.length;
        String firstArgument = null;
        if (argumentCount >= 1) {
            firstArgument = (String) objArr[0];
        }
        boolean secondArgument = false;
        if (argumentCount >= 2) {
            secondArgument = ((Boolean) objArr[1]).booleanValue();
        }
        String nameIdPolicy = relyingParty.getSSOProperty(SSOConstants.NAME_ID_POLICY);
        boolean signRequests = Boolean.parseBoolean(relyingParty.getSSOProperty(SSOConstants.SIGN_REQUESTS));
        if (signRequests) {
            return Util.marshall(new AuthReqBuilder().buildSignedAuthRequest(relyingParty.getSSOProperty(SSOConstants.ISSUER_ID), relyingParty.getSSOProperty(SSOConstants.IDP_URL), firstArgument, secondArgument, -1234, "carbon.super", nameIdPolicy));
        }
        return Util.marshall(new AuthReqBuilder().buildAuthenticationRequest(relyingParty.getSSOProperty(SSOConstants.ISSUER_ID), firstArgument, secondArgument, nameIdPolicy));
    }

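    /**
     * Builds and marshals a SAML logout request for the given user and local session.
     *
     * <p>Fixes relative to the earlier form: the argument check now rejects the call when either
     * argument is not a String (the old condition only fired when the first was not a String and the
     * second was, letting other bad combinations through to a ClassCastException), and the session
     * info is fetched once and reused instead of being looked up a second time after the null check.
     *
     * @param objArr two Strings: the user to log out and the local session id
     * @return the marshalled logout request, or null when no session info exists for the session id
     * @throws ScriptException if either argument is missing or not a String
     */
    public static String jsFunction_getSAMLLogoutRequest(Context context, Scriptable scriptable, Object[] objArr, Function function) throws Exception {
        if (objArr.length != 2 || !(objArr[0] instanceof String) || !(objArr[1] instanceof String)) {
            throw new ScriptException("Invalid argument. The user to be logout is missing.");
        }
        String user = (String) objArr[0];
        String sessionId = (String) objArr[1];
        if (log.isDebugEnabled()) {
            log.debug("The user to be logged out is " + user);
        }
        SAMLSSORelyingPartyObject relyingParty = (SAMLSSORelyingPartyObject) scriptable;
        String nameIdPolicy = relyingParty.getSSOProperty(SSOConstants.NAME_ID_POLICY);
        log.debug("SAMLLogoutRequest is going to get session details");
        SessionInfo sessionInfo = relyingParty.getSessionInfo(sessionId);
        if (sessionInfo == null) {
            log.debug("Session Information not found");
            return null;
        }
        // Destination for signed requests: the dedicated logout URL, falling back to the IdP URL.
        String destination = relyingParty.getSSOProperty(SSOConstants.IDP_LOGOUT_URL);
        if (StringUtils.isEmpty(destination)) {
            destination = relyingParty.getSSOProperty(SSOConstants.IDP_URL);
        }
        String sessionIndex = sessionInfo.getSessionIndex();
        boolean hasSessionIndex = sessionIndex != null && sessionIndex.length() > 0;
        boolean signRequests = Boolean.parseBoolean(relyingParty.getSSOProperty(SSOConstants.SIGN_REQUESTS));
        String issuerId = relyingParty.getSSOProperty(SSOConstants.ISSUER_ID);
        LogoutRequestBuilder builder = new LogoutRequestBuilder();
        if (hasSessionIndex) {
            if (signRequests) {
                return Util.marshall(builder.buildSignedLogoutRequest(user, sessionIndex, SSOConstants.LOGOUT_USER, issuerId, -1234, "carbon.super", destination, nameIdPolicy));
            }
            return Util.marshall(builder.buildLogoutRequest(user, sessionIndex, SSOConstants.LOGOUT_USER, issuerId, nameIdPolicy));
        }
        if (signRequests) {
            return Util.marshall(builder.buildSignedLogoutRequest(user, SSOConstants.LOGOUT_USER, issuerId, -1234, "carbon.super", destination, nameIdPolicy));
        }
        return Util.marshall(builder.buildLogoutRequest(user, SSOConstants.LOGOUT_USER, issuerId, nameIdPolicy));
    }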

    /**
     * Applies two structural checks to a SAML Response: no protocol-namespace {@code Response} element
     * may be found by {@code getElementsByTagNameNS} on the response DOM, and at most one
     * assertion-namespace {@code Assertion} element may be found the same way.
     *
     * <p>NOTE(review): the count is over elements named {@code Assertion} only; a response with zero such
     * elements passes, and {@code EncryptedAssertion} elements are not counted by this query. This is
     * not a signature check.
     *
     * @param objArr exactly one element, the SAML response as a String
     * @return true when both checks pass; false otherwise, or when the message is not a Response
     * @throws ScriptException if the argument is missing or not a String
     */
    public static boolean jsFunction_validateSAMLResponseSchema(Context context, Scriptable scriptable, Object[] objArr, Function function) throws Exception {
        boolean singleStringArgument = objArr.length == 1 && objArr[0] instanceof String;
        if (!singleStringArgument) {
            throw new ScriptException("Invalid argument. The SAML response is missing.");
        }
        String encodedFlag = getSSOSamlEncodingProperty((SAMLSSORelyingPartyObject) scriptable);
        boolean encoded = true;
        if (encodedFlag != null) {
            try {
                encoded = Boolean.parseBoolean(encodedFlag);
            } catch (Exception e) {
                throw new ScriptException("Invalid property value found for isEncoded " + encodedFlag);
            }
        }
        String payload = (String) objArr[0];
        if (encoded) {
            payload = Util.decode(payload);
        }
        XMLObject parsed = Util.unmarshall(payload);
        if (!(parsed instanceof Response)) {
            return false;
        }
        Response response = (Response) parsed;
        int nestedResponses = response.getDOM().getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:protocol", "Response").getLength();
        if (nestedResponses > 0) {
            log.error("Invalid schema for the SAML2 response.");
            return false;
        }
        NodeList assertionNodes = response.getDOM().getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:assertion", "Assertion");
        boolean tooManyOrUnknown = assertionNodes == null || assertionNodes.getLength() > 1;
        if (tooManyOrUnknown) {
            log.error("Invalid schema for the SAML2 response. Invalid number of assertions  detected.");
            return false;
        }
        return true;
    }

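    /**
     * Extracts the user name from the single assertion of a SAML Response.
     *
     * <p>When the ASSERTIONENCRYPTIONENABLED property equals DEFAULT_ENCODED_VALUE the single encrypted
     * assertion is decrypted first (tenant id -1234, domain "carbon.super"); otherwise the single plain
     * assertion is used. A response with any other number of assertions yields no name and ends in the
     * final exception.
     *
     * <p>Changes from the earlier form: a decryption failure now keeps the original exception as the
     * cause instead of discarding it, and the catch around Boolean.parseBoolean, which never throws, is
     * gone.
     *
     * <p>NOTE(review): nothing in this method verifies a signature; the returned name is only as
     * trustworthy as the validation the caller has already done on the same message.
     *
     * @param objArr exactly one element, the SAML response as a String
     * @return the user name taken from the assertion
     * @throws ScriptException if the argument is missing or not a String
     * @throws Exception if decryption fails or no user name could be obtained
     */
    public static String jsFunction_getSAMLResponseNameId(Context context, Scriptable scriptable, Object[] objArr, Function function) throws Exception {
        if (objArr.length != 1 || !(objArr[0] instanceof String)) {
            throw new ScriptException("Invalid argument. The SAML response is missing.");
        }
        SAMLSSORelyingPartyObject relyingParty = (SAMLSSORelyingPartyObject) scriptable;
        String encodedFlag = getSSOSamlEncodingProperty(relyingParty);
        // An unset property means "encoded".
        boolean encoded = encodedFlag == null || Boolean.parseBoolean(encodedFlag);
        String rawMessage = (String) objArr[0];
        XMLObject parsed = Util.unmarshall(encoded ? Util.decode(rawMessage) : rawMessage);
        String username = null;
        String encryptionEnabled = relyingParty.getSSOProperty(SSOConstants.ASSERTIONENCRYPTIONENABLED);
        if (parsed instanceof Response) {
            Response response = (Response) parsed;
            String usernameAttribute = relyingParty.getSSOProperty(SSOConstants.LOGIN_USERNAME_ATTRIBUTE);
            if (SSOConstants.DEFAULT_ENCODED_VALUE.equals(encryptionEnabled)) {
                List<?> encryptedAssertions = response.getEncryptedAssertions();
                if (encryptedAssertions == null || encryptedAssertions.size() != 1) {
                    log.error("SAML Response contains invalid number of assertions.");
                } else {
                    try {
                        username = Util.getUsernameFromAssertion(Util.getDecryptedAssertion((EncryptedAssertion) encryptedAssertions.get(0), relyingParty.getSSOProperty(SSOConstants.KEY_STORE_NAME), relyingParty.getSSOProperty(SSOConstants.KEY_STORE_PASSWORD), relyingParty.getSSOProperty(SSOConstants.IDP_ALIAS), -1234, "carbon.super"), usernameAttribute);
                    } catch (Exception e) {
                        if (log.isDebugEnabled()) {
                            log.debug("Assertion decryption failure : ", e);
                        }
                        // Keep the cause so the failure can be diagnosed without debug logging.
                        throw new Exception("Unable to decrypt the SAML2 Assertion", e);
                    }
                }
            } else {
                List<?> assertions = response.getAssertions();
                if (assertions == null || assertions.size() != 1) {
                    log.error("SAML Response contains invalid number of assertions.");
                } else {
                    username = Util.getUsernameFromAssertion((Assertion) assertions.get(0), usernameAttribute);
                }
            }
        }
        if (username == null) {
            throw new Exception("Failed to get subject assertion from SAML response.");
        }
        return username;
    }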

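    /**
     * Sets an SSO configuration property on this relying party, but only when no non-empty value is
     * stored for the key yet (the first value written wins).
     *
     * <p>The debug message no longer includes the value: this method is how the keystore password
     * property gets configured, and that value must not end up in a log file.
     *
     * @param objArr two Strings: the configuration key and its value
     * @throws ScriptException if either argument is missing or not a String
     */
    public static void jsFunction_setProperty(Context context, Scriptable scriptable, Object[] objArr, Function function) throws ScriptException {
        if (objArr.length != 2 || !(objArr[0] instanceof String) || !(objArr[1] instanceof String)) {
            throw new ScriptException("Invalid arguments when setting sso configuration values.");
        }
        String key = (String) objArr[0];
        String value = (String) objArr[1];
        SAMLSSORelyingPartyObject relyingParty = (SAMLSSORelyingPartyObject) scriptable;
        synchronized (SAMLSSORelyingPartyObject.class) {
            if (StringUtils.isEmpty(relyingParty.getSSOProperty(key))) {
                relyingParty.setSSOProperty(key, value);
                if (log.isDebugEnabled()) {
                    // Key and issuer only; values may be secrets.
                    log.debug("Configured SSO relying party object with key : " + key + " for issuer : " + relyingParty.getSSOProperty(SSOConstants.ISSUER_ID));
                }
            }
        }
    }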

    /**
     * Reports whether the relying party knows the given session id.
     *
     * @param objArr exactly one element, the session id as a String
     * @return the result of {@code isSessionIdExists} for that id
     * @throws ScriptException if the argument is missing or not a String
     */
    public static boolean jsFunction_isSessionAuthenticated(Context context, Scriptable scriptable, Object[] objArr, Function function) throws Exception {
        boolean singleStringArgument = objArr.length == 1 && objArr[0] instanceof String;
        if (!singleStringArgument) {
            throw new ScriptException("Invalid argument. Session id is missing.");
        }
        SAMLSSORelyingPartyObject relyingParty = (SAMLSSORelyingPartyObject) scriptable;
        boolean known = relyingParty.isSessionIdExists((String) objArr[0]);
        if (known && log.isDebugEnabled()) {
            log.debug("Browser session is valid..");
        }
        return known;
    }

    /**
     * Returns the session id recorded in the session info stored for the given session id.
     *
     * @param objArr exactly one element, the session id as a String
     * @return {@code SessionInfo.getSessionId()}, or null when no session info exists
     * @throws ScriptException if the argument is missing or not a String
     */
    public static String jsFunction_getIdentitySessionId(Context context, Scriptable scriptable, Object[] objArr, Function function) throws ScriptException {
        boolean singleStringArgument = objArr.length == 1 && objArr[0] instanceof String;
        if (!singleStringArgument) {
            throw new ScriptException("Invalid argument. Session id is missing.");
        }
        SAMLSSORelyingPartyObject relyingParty = (SAMLSSORelyingPartyObject) scriptable;
        SessionInfo info = relyingParty.getSessionInfo((String) objArr[0]);
        if (info == null) {
            return null;
        }
        return info.getSessionId();
    }

    /**
     * Returns the logged-in user recorded for the given session id.
     *
     * @param objArr exactly one element, the session id as a String
     * @return the user name, or null when there is no session info or no user recorded
     * @throws ScriptException if the argument is missing or not a String
     */
    public static String jsFunction_getLoggedInUser(Context context, Scriptable scriptable, Object[] objArr, Function function) throws ScriptException {
        boolean singleStringArgument = objArr.length == 1 && objArr[0] instanceof String;
        if (!singleStringArgument) {
            throw new ScriptException("Invalid argument. Session id is missing.");
        }
        SAMLSSORelyingPartyObject relyingParty = (SAMLSSORelyingPartyObject) scriptable;
        SessionInfo info = relyingParty.getSessionInfo((String) objArr[0]);
        String user = null;
        if (info != null) {
            String recorded = info.getLoggedInUser();
            if (recorded != null) {
                user = recorded;
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("Logged in user is" + user);
        }
        return user;
    }

    /**
     * Ends the local session(s) named by the first SessionIndex of a SAML LogoutRequest.
     *
     * <p>The argument is XML-unescaped, optionally passed through {@code Util.decode}, unmarshalled, and
     * the first session index (if any) is handed to {@code handleLogout}. Further session indexes in the
     * same request are ignored.
     *
     * <p>NOTE(review): no signature or issuer check happens here. Whether a logout request is
     * authenticated before it reaches this method depends on the caller; confirm that it is.
     *
     * @param objArr exactly one element, the logout request as a String
     * @throws ScriptException if the argument is missing or not a String
     */
    public static void jsFunction_invalidateSessionBySAMLResponse(Context context, Scriptable scriptable, Object[] objArr, Function function) throws Exception {
        boolean singleStringArgument = objArr.length == 1 && objArr[0] instanceof String;
        if (!singleStringArgument) {
            throw new ScriptException("Invalid argument. SAML log out request is missing.");
        }
        if (log.isDebugEnabled()) {
            log.debug("jsFunction_invalidateSessionBySAMLResponse===================Invalidating the authenticated session ");
        }
        SAMLSSORelyingPartyObject relyingParty = (SAMLSSORelyingPartyObject) scriptable;
        String encodedFlag = getSSOSamlEncodingProperty(relyingParty);
        boolean encoded = true;
        if (encodedFlag != null) {
            try {
                encoded = Boolean.parseBoolean(encodedFlag);
            } catch (Exception e) {
                throw new ScriptException("Invalid property value found for isEncoded " + encodedFlag);
            }
        }
        String payload = StringEscapeUtils.unescapeXml((String) objArr[0]);
        if (encoded) {
            payload = Util.decode(payload);
        }
        XMLObject parsed = Util.unmarshall(payload);
        String sessionIndex = null;
        if (parsed instanceof LogoutRequest) {
            List<?> indexes = ((LogoutRequest) parsed).getSessionIndexes();
            if (indexes != null && indexes.size() > 0) {
                sessionIndex = ((SessionIndex) indexes.get(0)).getSessionIndex();
            }
        }
        if (sessionIndex != null) {
            relyingParty.handleLogout(sessionIndex);
            return;
        }
        log.debug("No session index found in authentication statement in SAML response.");
    }

    /**
     * Ends the session identified by a local session id.
     *
     * <p>If a session index is known for the id, logout goes through {@code handleLogout} with that
     * index; otherwise through {@code handleLogoutBySessionId} with the id itself.
     *
     * @param objArr exactly one element, the session id as a String
     * @throws ScriptException if the argument is missing or not a String
     */
    public static void jsFunction_invalidateSessionBySessionId(Context context, Scriptable scriptable, Object[] objArr, Function function) throws Exception {
        boolean singleStringArgument = objArr.length == 1 && objArr[0] instanceof String;
        if (!singleStringArgument) {
            throw new ScriptException("Invalid argument. Session id is missing.");
        }
        if (log.isDebugEnabled()) {
            log.debug("jsFunction_invalidateSessionBySessionId===================Invalidating the authenticated session ");
        }
        SAMLSSORelyingPartyObject relyingParty = (SAMLSSORelyingPartyObject) scriptable;
        String sessionId = (String) objArr[0];
        String sessionIndex = relyingParty.getSessionIndex(sessionId);
        if (sessionIndex == null) {
            relyingParty.handleLogoutBySessionId(sessionId);
            return;
        }
        relyingParty.handleLogout(sessionIndex);
    }

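    /**
     * Records an authenticated session from a SAML Response: stores the user name, the session index (if
     * the assertion's first AuthnStatement has one), the raw SAML token and the session object under the
     * supplied session id.
     *
     * <p>Fixes relative to the earlier form:
     * <ul>
     *   <li>With assertion encryption enabled, a response that does not contain exactly one encrypted
     *       assertion is now rejected with a ScriptException, matching the unencrypted branch. It used
     *       to fall through with a null assertion and fail on a NullPointerException.</li>
     *   <li>An assertion without any AuthnStatement no longer fails on {@code get(0)}; it is handled as
     *       "no session index", a case the method already supported.</li>
     *   <li>A decryption failure keeps the original exception as the cause.</li>
     *   <li>The SAML token is no longer written to the debug log.</li>
     *   <li>The catch around Boolean.parseBoolean, which never throws, is gone.</li>
     * </ul>
     *
     * <p>NOTE(review): this method does not verify the response signature and does not look at
     * Conditions or audience. It trusts the assertion as given, so those checks have to have succeeded
     * on the same message before it is called; confirm this in the calling script.
     *
     * @param objArr three elements: the current session id (String), the SAML response (String) and the
     *               session (SessionHostObject)
     * @throws ScriptException if the arguments are invalid or the assertion count is not exactly one
     * @throws Exception if decryption fails or no user name could be obtained
     */
    public static void jsFunction_setSessionAuthenticated(Context context, Scriptable scriptable, Object[] objArr, Function function) throws Exception {
        if (objArr.length != 3 || !(objArr[0] instanceof String) || !(objArr[1] instanceof String) || !(objArr[2] instanceof SessionHostObject)) {
            throw new ScriptException("Invalid argument. Current session id, SAML response and Session are missing.");
        }
        SAMLSSORelyingPartyObject relyingParty = (SAMLSSORelyingPartyObject) scriptable;
        String encodedFlag = getSSOSamlEncodingProperty(relyingParty);
        // An unset property means "encoded".
        boolean encoded = encodedFlag == null || Boolean.parseBoolean(encodedFlag);
        String samlToken = (String) objArr[1];
        XMLObject parsed = Util.unmarshall(encoded ? Util.decode(samlToken) : samlToken);
        String sessionIndex = null;
        String username = null;
        if (parsed instanceof Response) {
            Response response = (Response) parsed;
            Assertion assertion;
            if (SSOConstants.DEFAULT_ENCODED_VALUE.equals(relyingParty.getSSOProperty(SSOConstants.ASSERTIONENCRYPTIONENABLED))) {
                List<?> encryptedAssertions = response.getEncryptedAssertions();
                if (encryptedAssertions == null || encryptedAssertions.size() != 1) {
                    throw new ScriptException("SAML Response contains invalid number of assertions.");
                }
                try {
                    assertion = Util.getDecryptedAssertion((EncryptedAssertion) encryptedAssertions.get(0), relyingParty.getSSOProperty(SSOConstants.KEY_STORE_NAME), relyingParty.getSSOProperty(SSOConstants.KEY_STORE_PASSWORD), relyingParty.getSSOProperty(SSOConstants.IDP_ALIAS), -1234, "carbon.super");
                } catch (Exception e) {
                    if (log.isDebugEnabled()) {
                        log.debug("Assertion decryption failure : ", e);
                    }
                    throw new Exception("Unable to decrypt the SAML2 Assertion", e);
                }
                if (assertion == null) {
                    throw new Exception("Unable to decrypt the SAML2 Assertion");
                }
            } else {
                List<?> assertions = response.getAssertions();
                if (assertions == null || assertions.size() != 1) {
                    throw new ScriptException("SAML Response contains invalid number of assertions.");
                }
                assertion = (Assertion) assertions.get(0);
            }
            List<?> authnStatements = assertion.getAuthnStatements();
            if (authnStatements != null && !authnStatements.isEmpty()) {
                AuthnStatement authnStatement = (AuthnStatement) authnStatements.get(0);
                if (authnStatement != null && authnStatement.getSessionIndex() != null) {
                    sessionIndex = authnStatement.getSessionIndex();
                }
            }
            username = Util.getUsernameFromAssertion(assertion, relyingParty.getSSOProperty(SSOConstants.LOGIN_USERNAME_ATTRIBUTE));
        }
        if (sessionIndex == null) {
            log.debug("No session index found in authentication statement in SAML response.");
        }
        if (username == null) {
            throw new Exception("Failed to get subject assertion from SAML response.");
        }
        SessionInfo sessionInfo = new SessionInfo((String) objArr[0]);
        if (sessionIndex != null) {
            sessionInfo.setSessionIndex(sessionIndex);
        }
        sessionInfo.setLoggedInUser(username);
        if (log.isDebugEnabled()) {
            // The token value stays out of the log.
            log.debug("Encoded SAML token is set on session info");
        }
        sessionInfo.setSamlToken(samlToken);
        SessionHostObject sessionHostObject = (SessionHostObject) objArr[2];
        sessionInfo.setSessionHostObject(sessionHostObject);
        relyingParty.addSessionInfo(sessionInfo);
        if (sessionIndex != null) {
            relyingParty.addSessionToSessionIndexMap(sessionIndex, sessionHostObject);
        }
    }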

    /**
     * Returns the SSO configuration value stored under the given key.
     *
     * <p>NOTE(review): there is no filtering by key, so any stored property, the keystore password
     * included, is returned to the calling script on request.
     *
     * @param objArr exactly one element, the configuration key as a String
     * @return the stored value, or null when the key is not set
     * @throws ScriptException if the argument is missing or not a String
     */
    public static String jsFunction_getProperty(Context context, Scriptable scriptable, Object[] objArr, Function function) throws ScriptException {
        boolean singleStringArgument = objArr.length == 1 && objArr[0] instanceof String;
        if (!singleStringArgument) {
            throw new ScriptException("Invalid argument. SSO configuratin key is missing.");
        }
        SAMLSSORelyingPartyObject relyingParty = (SAMLSSORelyingPartyObject) scriptable;
        return relyingParty.getSSOProperty((String) objArr[0]);
    }

    /**
     * Remembers the requested URI under the given RelayState value in the shared relay-state map.
     *
     * <p>NOTE(review): the map is a static HashMap written here without synchronization, and an existing
     * entry for the same RelayState is overwritten.
     *
     * @param objArr two Strings: the RelayState value and the requested URI
     * @throws ScriptException if either argument is missing or not a String
     */
    public static void jsFunction_setRelayStateProperty(Context context, Scriptable scriptable, Object[] objArr, Function function) throws ScriptException {
        boolean twoStringArguments = objArr.length == 2 && objArr[0] instanceof String && objArr[1] instanceof String;
        if (!twoStringArguments) {
            throw new ScriptException("Invalid argument. RelayState and requested URI are missing.");
        }
        String relayState = (String) objArr[0];
        String requestedUri = (String) objArr[1];
        if (log.isDebugEnabled()) {
            log.debug("Added relay state properties" + relayState + ":" + requestedUri);
        }
        relayStateMap.put(relayState, requestedUri);
    }

    /**
     * Returns the requested URI stored under the given RelayState value and removes the entry, so each
     * RelayState can be redeemed once.
     *
     * @param objArr exactly one element, the RelayState value as a String
     * @return the stored URI, or null when the RelayState is unknown
     * @throws ScriptException if the argument is missing or not a String
     */
    public static String jsFunction_getRelayStateProperty(Context context, Scriptable scriptable, Object[] objArr, Function function) throws ScriptException {
        boolean singleStringArgument = objArr.length == 1 && objArr[0] instanceof String;
        if (!singleStringArgument) {
            throw new ScriptException("Invalid argument. Relay state value is missing.");
        }
        String relayState = (String) objArr[0];
        // remove() hands back the previous mapping, which is the value to return.
        String requestedUri = relayStateMap.remove(relayState);
        if (log.isDebugEnabled()) {
            log.debug("Requested URI:" + requestedUri);
        }
        return requestedUri;
    }

    /**
     * Turns the entities {@code &gt;} and {@code &lt;} back into angle brackets.
     *
     * <p>Only these two entities are handled; {@code &amp;}, {@code &quot;} and {@code &apos;}
     * are left as they are. The error text mentions relay state although the argument is the
     * string to decode.
     *
     * @param context    Rhino context (unused)
     * @param scriptable host object the function was invoked on (unused)
     * @param objArr     exactly one {@code String}: the text to decode
     * @param function   the calling function object (unused)
     * @return the text with the two entities replaced
     * @throws ScriptException when the argument list is not a single string
     */
    public static String jsFunction_xmlDecode(Context context, Scriptable scriptable, Object[] objArr, Function function) throws ScriptException {
        boolean singleStringArg = objArr.length == 1 && objArr[0] instanceof String;
        if (!singleStringArg) {
            throw new ScriptException("Invalid argument. Relay state value is missing.");
        }
        String encoded = (String) objArr[0];
        // Literal replacement; no regular expression is needed for fixed tokens.
        String withGreaterThan = encoded.replace("&gt;", ">");
        return withGreaterThan.replace("&lt;", "<");
    }

    /**
     * Replaces angle brackets with the entities {@code &gt;} and {@code &lt;}.
     *
     * <p>This is not a complete XML or HTML escape: ampersands and quote characters pass
     * through unchanged, so the result must not be treated as safe for attribute values or as
     * general output encoding. The error text mentions relay state although the argument is
     * the string to encode.
     *
     * @param context    Rhino context (unused)
     * @param scriptable host object the function was invoked on (unused)
     * @param objArr     exactly one {@code String}: the text to encode
     * @param function   the calling function object (unused)
     * @return the text with both angle brackets replaced
     * @throws ScriptException when the argument list is not a single string
     */
    public static String jsFunction_xmlEncode(Context context, Scriptable scriptable, Object[] objArr, Function function) throws ScriptException {
        boolean singleStringArg = objArr.length == 1 && objArr[0] instanceof String;
        if (!singleStringArg) {
            throw new ScriptException("Invalid argument. Relay state value is missing.");
        }
        String plain = (String) objArr[0];
        // Literal replacement; no regular expression is needed for single characters.
        String withoutGreaterThan = plain.replace(">", "&gt;");
        return withoutGreaterThan.replace("<", "&lt;");
    }

    /**
     * Reads one entry from this object's SSO configuration.
     *
     * @param str configuration key
     * @return the value held in {@code ssoConfigProperties} for the key
     */
    private String getSSOProperty(String str) {
        String configured = this.ssoConfigProperties.getProperty(str);
        return configured;
    }

    /**
     * Stores one SSO configuration entry, substituting the built-in default when the deflate
     * or encoded setting is given without a value.
     *
     * @param str  configuration key; compared case-insensitively against the two special keys
     * @param str2 value to store, possibly {@code null}
     */
    private void setSSOProperty(String str, String str2) {
        final String effectiveValue;
        if (str.equalsIgnoreCase(SSOConstants.SAML_DEFLATE) && str2 == null) {
            effectiveValue = SSOConstants.DEFAULT_DEFLATE_VALUE;
        } else if (str.equalsIgnoreCase(SSOConstants.SAML_ENCODED) && str2 == null) {
            effectiveValue = SSOConstants.DEFAULT_ENCODED_VALUE;
        } else {
            // Any other key, or an explicit value, is stored as given.
            effectiveValue = str2;
        }
        this.ssoConfigProperties.put(str, effectiveValue);
    }

    /**
     * Replaces the five predefined XML entities with their characters.
     *
     * <p>{@code &amp;} is handled last so that text such as {@code &amp;lt;} is decoded exactly
     * once and yields {@code &lt;} rather than {@code <}.
     *
     * @param str text containing XML entities; must not be {@code null}
     * @return the decoded text
     */
    public static String decode(String str) {
        String decoded = str;
        decoded = decoded.replace("&gt;", ">");
        decoded = decoded.replace("&lt;", "<");
        decoded = decoded.replace("&apos;", "'");
        decoded = decoded.replace("&quot;", "\"");
        // Ampersand last: see the method comment.
        decoded = decoded.replace("&amp;", "&");
        return decoded;
    }

    /**
     * Registers a session record in {@code sessionIdMap}, keyed by its session id.
     *
     * @param sessionInfo record to store; its session id becomes the map key
     */
    private void addSessionInfo(SessionInfo sessionInfo) {
        String sessionId = sessionInfo.getSessionId();
        sessionIdMap.put(sessionId, sessionInfo);
    }

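    /**
     * Drops every record in {@code sessionIdMap} whose session index equals the given one.
     *
     * <p>Entries are removed through the iterator, so the sweep does not depend on the map
     * implementation tolerating removal while its entry set is being traversed.
     *
     * @param str session index to purge; {@code null} is ignored
     */
    private void invalidateSessionBySessionIndex(String str) {
        if (str == null) {
            return;
        }
        Iterator<Map.Entry<String, SessionInfo>> it = sessionIdMap.entrySet().iterator();
        while (it.hasNext()) {
            SessionInfo value = it.next().getValue();
            if (value == null || !str.equals(value.getSessionIndex())) {
                continue;
            }
            if (log.isDebugEnabled()) {
                log.debug("Session Index exists,thus invalidating session by session index" + value.getSessionIndex());
            }
            it.remove();
        }
    }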

    /**
     * Drops the record stored in {@code sessionIdMap} for one session id.
     *
     * <p>The session id is written to the debug log; treat debug logs of this class as
     * sensitive.
     *
     * @param str session id whose record is removed
     */
    private void invalidateSessionBySessionId(String str) {
        boolean debug = log.isDebugEnabled();
        if (debug) {
            log.debug("Session Id exists,thus invalidating it " + str);
        }
        sessionIdMap.remove(str);
    }

    /**
     * Tells whether a session id is known to this relying party, first by scanning the session
     * objects in {@code sessionIndexMap}, then by looking in {@code sessionIdMap}.
     *
     * <p>Session ids are written to the debug log on every path.
     *
     * @param str session id to look for
     * @return {@code true} when either map knows the id
     * @throws Exception when reading the id of a session object fails
     */
    private boolean isSessionIdExists(String str) throws Exception {
        final Object[] noArgs = new Object[0];
        for (Map.Entry<String, Set<SessionHostObject>> indexEntry : sessionIndexMap.entrySet()) {
            // Work on a copy of the set so the scan is not tied to the live collection.
            Set<SessionHostObject> snapshot = new HashSet<SessionHostObject>(indexEntry.getValue());
            for (SessionHostObject candidate : snapshot) {
                if (candidate == null) {
                    continue;
                }
                if (!str.equals(SessionHostObject.jsFunction_getId((Context) null, candidate, noArgs, (Function) null))) {
                    continue;
                }
                if (log.isDebugEnabled()) {
                    log.debug("Session Id exists:" + SessionHostObject.jsFunction_getId((Context) null, candidate, noArgs, (Function) null));
                }
                return true;
            }
        }
        log.debug("Session Id does not exist in sessionIndexMap. Now searching in sessionIdMap.");
        boolean knownById = getSessionInfo(str) != null;
        if (knownById) {
            log.debug("Session Id exists in sessionIdMap : " + str);
        } else {
            log.debug("Session Id does not exist in sessionIdMap : " + str);
        }
        return knownById;
    }

    /**
     * Finds the session index under which a session with the given id is registered.
     *
     * @param str session id to look for
     * @return the key of the first {@code sessionIndexMap} entry holding a session with that
     *         id, or {@code null} when no entry does
     * @throws Exception when reading the id of a session object fails
     */
    private String getSessionIndex(String str) throws Exception {
        final Object[] noArgs = new Object[0];
        for (Map.Entry<String, Set<SessionHostObject>> indexEntry : sessionIndexMap.entrySet()) {
            String sessionIndex = indexEntry.getKey();
            // Work on a copy of the set so the scan is not tied to the live collection.
            Set<SessionHostObject> snapshot = new HashSet<SessionHostObject>(indexEntry.getValue());
            for (SessionHostObject candidate : snapshot) {
                if (candidate == null) {
                    continue;
                }
                if (!str.equals(SessionHostObject.jsFunction_getId((Context) null, candidate, noArgs, (Function) null))) {
                    continue;
                }
                if (log.isDebugEnabled()) {
                    log.debug("Get corresponding session index " + sessionIndex + "by passing session id" + str);
                }
                return sessionIndex;
            }
        }
        return null;
    }

    /**
     * Looks up the session record stored for a session id.
     *
     * @param str session id
     * @return the record from {@code sessionIdMap}, or {@code null} when the map is
     *         {@code null} or holds nothing for the id
     */
    protected SessionInfo getSessionInfo(String str) {
        return sessionIdMap == null ? null : sessionIdMap.get(str);
    }

    /**
     * Reads the "encoded" setting of a relying party object, falling back to the built-in
     * default when it is not configured.
     *
     * @param sAMLSSORelyingPartyObject object whose configuration is read
     * @return the configured value, or {@code SSOConstants.DEFAULT_ENCODED_VALUE}
     */
    private static String getSSOSamlEncodingProperty(SAMLSSORelyingPartyObject sAMLSSORelyingPartyObject) {
        String configured = sAMLSSORelyingPartyObject.getSSOProperty(SSOConstants.SAML_ENCODED);
        if (configured == null) {
            return SSOConstants.DEFAULT_ENCODED_VALUE;
        }
        return configured;
    }

    /**
     * Reads the "deflate" setting of a relying party object, falling back to the built-in
     * default when it is not configured.
     *
     * @param sAMLSSORelyingPartyObject object whose configuration is read
     * @return the configured value, or {@code SSOConstants.DEFAULT_DEFLATE_VALUE}
     */
    private static String getSSOSamlDeflateProperty(SAMLSSORelyingPartyObject sAMLSSORelyingPartyObject) {
        String configured = sAMLSSORelyingPartyObject.getSSOProperty(SSOConstants.SAML_DEFLATE);
        if (configured == null) {
            return SSOConstants.DEFAULT_DEFLATE_VALUE;
        }
        return configured;
    }

    /**
     * Registers a session object under a session index, creating the set for that index on
     * first use.
     *
     * <p>The lookup and the insert are separate map operations.
     *
     * @param str               session index
     * @param sessionHostObject session object to add under that index
     */
    private void addSessionToSessionIndexMap(String str, SessionHostObject sessionHostObject) {
        if (log.isDebugEnabled()) {
            log.debug("Added session index:" + str);
        }
        if (!sessionIndexMap.containsKey(str)) {
            Set<SessionHostObject> sessions = new HashSet<SessionHostObject>();
            sessions.add(sessionHostObject);
            sessionIndexMap.put(str, sessions);
        } else {
            sessionIndexMap.get(str).add(sessionHostObject);
        }
    }

    /**
     * Removes from {@code sessionIndexMap} every entry that holds a session with the given id.
     *
     * <p>The whole entry for the session index is removed, not just the matching session
     * object. The session objects themselves are not invalidated here. The session id is
     * written to the debug log.
     *
     * @param str session id to look for
     * @throws Exception when reading the id of a session object fails
     */
    private void invalidateSessionById(String str) throws Exception {
        final Object[] noArgs = new Object[0];
        for (Map.Entry<String, Set<SessionHostObject>> indexEntry : sessionIndexMap.entrySet()) {
            // Work on a copy of the set so the scan is not tied to the live collection.
            Set<SessionHostObject> snapshot = new HashSet<SessionHostObject>(indexEntry.getValue());
            for (SessionHostObject candidate : snapshot) {
                if (candidate == null) {
                    continue;
                }
                if (!str.equals(SessionHostObject.jsFunction_getId((Context) null, candidate, noArgs, (Function) null))) {
                    continue;
                }
                if (log.isDebugEnabled()) {
                    log.debug("Session Id exists.Invalidating that value" + SessionHostObject.jsFunction_getId((Context) null, candidate, noArgs, (Function) null));
                }
                sessionIndexMap.remove(indexEntry.getKey());
            }
        }
    }

    /**
     * Removes the entry for a session index from {@code sessionIndexMap}, if there is one.
     *
     * @param str session index; {@code null} and unknown values are ignored
     */
    public void removeSession(String str) {
        boolean registered = sessionIndexMap != null && str != null && sessionIndexMap.containsKey(str);
        if (registered) {
            if (log.isDebugEnabled()) {
                log.debug("Remove session index from SessionIndexMap:" + str);
            }
            sessionIndexMap.remove(str);
        }
    }

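    /**
     * Sweeps {@code sessionIndexMap} and drops every session index whose session objects have
     * all been inactive for longer than {@code maxInactiveInterval}.
     *
     * <p>A session object whose last-accessed time cannot be read counts as expired. For an
     * expired index the matching records in {@code sessionIdMap} are purged as well. That map
     * is keyed by session id (see {@code addSessionInfo}), so removing by the session index
     * key alone does not reach them and would leave the stored session records, including the
     * SAML token they carry, in memory after expiry.
     */
    public void clearSessionsSet() {
        final long now = new Date().getTime();
        for (Map.Entry<String, Set<SessionHostObject>> entry : sessionIndexMap.entrySet()) {
            String sessionIndex = entry.getKey();
            if (log.isDebugEnabled()) {
                log.debug("Cleanup: Checking session object status for  " + sessionIndex);
            }
            boolean allExpired = true;
            // Iterate over a copy so the check is not tied to the live set.
            for (SessionHostObject sessionHostObject : new HashSet<SessionHostObject>(entry.getValue())) {
                long lastAccessed = 0L;
                try {
                    lastAccessed = SessionHostObject.jsFunction_getLastAccessedTime((Context) null, sessionHostObject, new Object[0], (Function) null);
                } catch (Exception e) {
                    // Deliberate best effort: an unreadable session is treated as expired.
                    if (log.isDebugEnabled()) {
                        log.debug("Cleanup: Could not read last accessed time, treating session hostobject as expired", e);
                    }
                }
                if (lastAccessed + maxInactiveInterval > now) {
                    if (log.isDebugEnabled()) {
                        log.debug("Cleanup: Contains active session hostobject");
                    }
                    allExpired = false;
                }
            }
            if (allExpired) {
                if (log.isDebugEnabled()) {
                    log.debug("Cleanup: Removing expired session info for " + sessionIndex);
                }
                removeSession(sessionIndex);
                // Purge the per-session-id records that belong to this session index.
                invalidateSessionBySessionIndex(sessionIndex);
                // Kept from the original for compatibility; sessionIdMap is keyed by session id.
                sessionIdMap.remove(sessionIndex);
            }
        }
    }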

    /**
     * Looks up the value stored in {@code sessionIndexMap} under the given key.
     *
     * NOTE(review): every other user of sessionIndexMap in this class treats its values as
     * Set&lt;SessionHostObject&gt;, while this signature returns a single SessionHostObject. The
     * declared return type looks like a decompilation artifact; confirm against the original
     * source before relying on it.
     *
     * @param str key into sessionIndexMap (a session index, judging by the map's other users)
     * @return the mapped value, or {@code null} when the map itself is {@code null}
     */
    public SessionHostObject getSession(String str) {
        if (sessionIndexMap != null) {
            return sessionIndexMap.get(str);
        }
        return null;
    }

    /**
     * Handles a logout for a session index on this node.
     *
     * <p>When the index is not registered locally, a cluster message is sent so that another
     * node can invalidate it; otherwise the local session data is cleared. With debug logging
     * enabled the whole session index map is written to the log.
     *
     * @param str session index being logged out
     */
    public void handleLogout(String str) {
        if (log.isDebugEnabled()) {
            log.debug("session index map value:" + sessionIndexMap);
            if (sessionIndexMap != null) {
                log.debug("session index map size:" + sessionIndexMap.size());
                log.debug("session index map :" + sessionIndexMap);
                log.debug("session index :" + str);
            }
        }
        boolean unknownLocally = sessionIndexMap != null && str != null && !sessionIndexMap.containsKey(str);
        if (unknownLocally) {
            sendSessionInvalidationClusterMessage(str);
        } else {
            clearSessionData(str);
            if (log.isDebugEnabled()) {
                log.debug("Cleared authenticated session index:" + str + "in handle logout method");
            }
        }
    }

    /**
     * Handles a logout identified by session id rather than by session index.
     *
     * <p>The session id is written to the debug log.
     *
     * @param str session id being logged out
     */
    public void handleLogoutBySessionId(String str) {
        clearSessionDataFromSessionId(str);
        boolean debug = log.isDebugEnabled();
        if (debug) {
            log.debug("Cleared authenticated session id:" + str + "in handle logout method");
        }
    }

    /**
     * Handles a logout for a session index without sending a cluster message.
     *
     * <p>Local session data is cleared unless the index is not registered on this node. With
     * debug logging enabled the whole session index map is written to the log.
     *
     * @param str session index being logged out
     */
    public void handleClusterLogout(String str) {
        if (log.isDebugEnabled()) {
            log.debug("session index map value:" + sessionIndexMap);
            if (sessionIndexMap != null) {
                log.debug("session index map size:" + sessionIndexMap.size());
                log.debug("session index map :" + sessionIndexMap);
                log.debug("session index :" + str);
            }
        }
        boolean unknownLocally = sessionIndexMap != null && str != null && !sessionIndexMap.containsKey(str);
        if (unknownLocally) {
            // Nothing registered here for this index.
            return;
        }
        clearSessionData(str);
        if (log.isDebugEnabled()) {
            log.debug("Cleared authenticated session index:" + str + "in handle logout method");
        }
    }

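    /**
     * Clears everything held for a session index: the per-session-id records, the session
     * objects registered under the index (each is invalidated), and the index entry itself.
     *
     * <p>A failure on one session object is logged and the remaining ones are still
     * invalidated, so a single bad session cannot leave its siblings alive after a logout.
     * The map cleanup runs in every case.
     *
     * @param str session index to clear; may be {@code null}
     */
    private void clearSessionData(String str) {
        try {
            ssho.invalidateSessionBySessionIndex(str);
            if (sessionIndexMap != null && str != null) {
                Set<SessionHostObject> registered = sessionIndexMap.get(str);
                if (registered != null) {
                    Object[] noArgs = new Object[0];
                    // Iterate over a copy: invalidation must not be tied to the live set.
                    for (SessionHostObject sessionHostObject : new HashSet<SessionHostObject>(registered)) {
                        if (sessionHostObject == null) {
                            continue;
                        }
                        try {
                            if (SessionHostObject.jsFunction_getId((Context) null, sessionHostObject, noArgs, (Function) null) != null) {
                                SessionHostObject.jsFunction_invalidate((Context) null, sessionHostObject, noArgs, (Function) null);
                            }
                        } catch (Exception e) {
                            // getMessage() may be null; an already-invalidated session is not an error.
                            String message = e.getMessage();
                            if (message != null && message.contains("Session already invalidated")) {
                                log.info(message);
                            } else {
                                log.error("Error while invalidating a session for session index " + str, e);
                            }
                        }
                    }
                }
            }
        } catch (Exception e2) {
            if (log.isDebugEnabled()) {
                log.debug(e2.getMessage());
            }
        } finally {
            removeSession(str);
            clearSessionsSet();
        }
    }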

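    /**
     * Invalidates the session object recorded for a session id and drops its record.
     *
     * <p>The record is removed even when invalidation fails. An exception without a message
     * is handled like any other failure rather than escaping before the record is dropped.
     *
     * @param str session id to clear
     */
    private void clearSessionDataFromSessionId(String str) {
        SessionInfo sessionInfo = getSessionInfo(str);
        SessionHostObject sessionHostObject = sessionInfo == null ? null : sessionInfo.getSessionHostObject();
        if (sessionHostObject != null) {
            try {
                SessionHostObject.jsFunction_invalidate((Context) null, sessionHostObject, new Object[0], (Function) null);
            } catch (Exception e) {
                // getMessage() may be null; an already-invalidated session is not an error.
                String message = e.getMessage();
                if (message != null && message.contains("Session already invalidated")) {
                    log.info(message);
                } else {
                    log.error("Error while invalidating the session " + str, e);
                }
            }
        }
        ssho.invalidateSessionBySessionId(str);
        if (log.isDebugEnabled()) {
            log.debug("Cleared authenticated session index:" + str + "in handle logout method");
        }
    }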

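    /**
     * Sends a session-invalidation message for a session index to the cluster.
     *
     * <p>Up to 60 attempts are made, two seconds apart, on the calling thread. Nothing is sent
     * when no clustering agent is configured. If the thread is interrupted while waiting, the
     * interrupt flag is restored and the method gives up; this is logged as an error because
     * the session has then not been invalidated on the other nodes.
     *
     * @param str session index to invalidate cluster-wide
     */
    public void sendSessionInvalidationClusterMessage(String str) {
        SessionClusterMessage sessionClusterMessage = new SessionClusterMessage();
        sessionClusterMessage.setMessageId(UUID.randomUUID());
        sessionClusterMessage.setSessionIndex(str);
        ClusteringAgent clusteringAgent = SSOHostObjectDataHolder.getInstance().getConfigurationContextService().getServerConfigContext().getAxisConfiguration().getClusteringAgent();
        if (clusteringAgent == null) {
            return;
        }
        final int maxAttempts = 60;
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            try {
                clusteringAgent.sendMessage(sessionClusterMessage, true);
                log.info("Sent [" + sessionClusterMessage + "]");
                return;
            } catch (ClusteringFault e) {
                if (attempt == maxAttempts) {
                    // No further attempt follows, so there is nothing to wait for.
                    log.error("Could not send SSOSessionInvalidationClusterMessage. Several retries failed. Request:" + sessionClusterMessage, e);
                    return;
                }
                log.warn("Could not send SSOSessionInvalidationClusterMessage. Retry will be attempted in 2s. Request: " + sessionClusterMessage, e);
            }
            try {
                Thread.sleep(2000L);
            } catch (InterruptedException e2) {
                // Restore the flag for the caller instead of swallowing the interrupt.
                Thread.currentThread().interrupt();
                log.error("Interrupted while waiting to resend SSOSessionInvalidationClusterMessage. Session invalidation was not propagated. Request: " + sessionClusterMessage);
                return;
            }
        }
    }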

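    /**
     * Checks the {@code NotBefore} / {@code NotOnOrAfter} window of an assertion against the
     * current time, allowing for clock skew.
     *
     * <p>An assertion that is missing, or that has no {@code Conditions} element, is rejected
     * instead of causing a {@code NullPointerException}; this matches how
     * {@code validateAudienceRestriction} treats missing conditions.
     *
     * <p>NOTE(review): when the conditions carry neither bound, the window check passes.
     * Confirm that accepting assertions without a validity window is intended.
     *
     * @param assertion assertion to check
     * @param i         tolerated clock skew in seconds, applied to both bounds
     * @return {@code true} when the assertion is inside its validity window
     * @throws ScriptException declared for callers; not thrown by this implementation
     */
    private boolean validateAssertionValidityPeriod(Assertion assertion, int i) throws ScriptException {
        Conditions conditions = assertion == null ? null : assertion.getConditions();
        if (conditions == null) {
            log.error("SAML Response doesn't contain Conditions.");
            return false;
        }
        DateTime notBefore = conditions.getNotBefore();
        DateTime notOnOrAfter = conditions.getNotOnOrAfter();
        if (notBefore != null && notBefore.minusSeconds(i).isAfterNow()) {
            log.error("Failed to meet SAML Assertion Condition 'Not Before'");
            return false;
        }
        if (notOnOrAfter != null && notOnOrAfter.plusSeconds(i).isBeforeNow()) {
            log.error("Failed to meet SAML Assertion Condition 'Not On Or After'");
            return false;
        }
        // A window whose start lies after its end is malformed, whatever the current time is.
        if (notBefore != null && notOnOrAfter != null && notBefore.isAfter(notOnOrAfter)) {
            log.error("SAML Assertion Condition 'Not Before' must be less than the value of 'Not On Or After'");
            return false;
        }
        return true;
    }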

    /**
     * Checks that every {@code AudienceRestriction} of an assertion names the expected
     * audience.
     *
     * <p>Missing conditions, missing restrictions and a restriction without audiences are all
     * rejected.
     *
     * <p>NOTE(review): a {@code null} assertion is accepted ({@code true} is returned). That is
     * fail-open for a security check; confirm no caller can reach this with {@code null}.
     *
     * @param assertion assertion to check
     * @param str       expected audience URI
     * @return {@code true} when each restriction contains the expected audience
     * @throws ScriptException declared for callers; not thrown by this implementation
     */
    private boolean validateAudienceRestriction(Assertion assertion, String str) throws ScriptException {
        if (assertion == null) {
            return true;
        }
        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            log.error("SAML Response doesn't contain Conditions.");
            return false;
        }
        List<AudienceRestriction> restrictions = conditions.getAudienceRestrictions();
        boolean noRestrictions = restrictions == null || restrictions.isEmpty();
        if (noRestrictions) {
            log.error("SAML Response doesn't contain AudienceRestrictions.");
            return false;
        }
        for (AudienceRestriction restriction : restrictions) {
            if (CollectionUtils.isEmpty(restriction.getAudiences())) {
                log.error("SAML Response's AudienceRestriction doesn't contain Audiences.");
                return false;
            }
            boolean expectedAudienceListed = false;
            for (Object candidate : restriction.getAudiences()) {
                if (str.equals(((Audience) candidate).getAudienceURI())) {
                    expectedAudienceListed = true;
                    break;
                }
            }
            if (!expectedAudienceListed) {
                log.error("SAML Assertion Audience Restriction validation failed.");
                return false;
            }
        }
        return true;
    }

    /**
     * Script-facing check of the signature on the single assertion carried by a SAML response.
     *
     * <p>The signature is validated against the super-tenant key store first and, when that
     * does not succeed and the response belongs to another tenant domain, against that
     * tenant's key store. Only the assertion's own signature is examined in this method.
     *
     * @param context    Rhino context (unused)
     * @param scriptable the {@code SAMLSSORelyingPartyObject} whose configuration is used
     * @param objArr     exactly one {@code String}: the SAML response
     * @param function   the calling function object (unused)
     * @return {@code true} when a signature validation call reports success; {@code false}
     *         when the input is not a SAML response, the assertion carries no signature, or
     *         validation does not succeed
     * @throws Exception on invalid arguments, an unexpected number of assertions, a decryption
     *                   failure, or any failure raised by the helpers called here
     */
    public static boolean jsFunction_validateAssertionSignature(Context context, Scriptable scriptable, Object[] objArr, Function function) throws Exception {
        if (objArr.length != 1 || !(objArr[0] instanceof String)) {
            throw new ScriptException("Invalid argument. SAML response is missing.");
        }
        // The input is always passed through Util.decode here; unlike the audience and
        // validity-period validators, the "encoded" setting is not consulted.
        Response unmarshall = Util.unmarshall(Util.decode((String) objArr[0]));
        // The tenant domain and id are resolved before the type check below.
        String domainName = Util.getDomainName(unmarshall);
        int tenantId = Util.getRealmService().getTenantManager().getTenantId(domainName);
        if (!(unmarshall instanceof Response)) {
            if (!log.isWarnEnabled()) {
                return false;
            }
            log.warn("SAML response in signature validation is not a SAML Response.");
            return false;
        }
        Response response = unmarshall;
        SAMLSSORelyingPartyObject sAMLSSORelyingPartyObject = (SAMLSSORelyingPartyObject) scriptable;
        Assertion assertion = null;
        if (SSOConstants.DEFAULT_ENCODED_VALUE.equals(sAMLSSORelyingPartyObject.getSSOProperty(SSOConstants.ASSERTIONENCRYPTIONENABLED))) {
            List encryptedAssertions = response.getEncryptedAssertions();
            // NOTE(review): when the response does not hold exactly one encrypted assertion,
            // `assertion` stays null and the getSignature() call further down dereferences it.
            // The unencrypted branch rejects that case with a ScriptException instead.
            if (encryptedAssertions != null && encryptedAssertions.size() == 1) {
                try {
                    // -1234 / "carbon.super" select the super tenant; the key store password
                    // is read from configuration and must stay out of logs.
                    assertion = Util.getDecryptedAssertion((EncryptedAssertion) encryptedAssertions.get(0), sAMLSSORelyingPartyObject.getSSOProperty(SSOConstants.KEY_STORE_NAME), sAMLSSORelyingPartyObject.getSSOProperty(SSOConstants.KEY_STORE_PASSWORD), sAMLSSORelyingPartyObject.getSSOProperty(SSOConstants.IDP_ALIAS), -1234, "carbon.super");
                } catch (Exception e) {
                    // The cause is logged at debug level only; the caller sees a fixed message.
                    if (log.isDebugEnabled()) {
                        log.debug("Assertion decryption failure : ", e);
                    }
                    throw new Exception("Unable to decrypt the SAML2 Assertion");
                }
            }
        } else {
            List assertions = response.getAssertions();
            if (assertions == null || assertions.size() != 1) {
                throw new ScriptException("SAML Response contains invalid number of assertions.");
            }
            assertion = (Assertion) assertions.get(0);
        }
        boolean z = false;
        Signature signature = assertion.getSignature();
        // NOTE(review): this try block is empty, which looks like a decompilation artifact.
        // Presumably the super-tenant validateSignature call below belonged inside it. As
        // written, a SignatureVerificationFailure from that call reaches the caller and the
        // tenant key store fallback is never tried. Confirm against the original source.
        try {
        } catch (SignatureVerificationFailure e2) {
            if (log.isDebugEnabled()) {
                log.debug("Signature verification failed with Super-Tenant Key Store", e2);
            }
        }
        // An unsigned assertion is rejected outright.
        if (signature == null) {
            log.error("SAMLAssertion signing is enabled, but signature element not found in SAML Assertion element.");
            return false;
        }
        // First attempt: super-tenant key store.
        z = Util.validateSignature(signature, sAMLSSORelyingPartyObject.getSSOProperty(SSOConstants.KEY_STORE_NAME), sAMLSSORelyingPartyObject.getSSOProperty(SSOConstants.KEY_STORE_PASSWORD), sAMLSSORelyingPartyObject.getSSOProperty(SSOConstants.IDP_ALIAS), -1234, "carbon.super");
        // Second attempt, only for other tenant domains: that tenant's key store.
        if (!z && !"carbon.super".equals(domainName)) {
            try {
                z = Util.validateSignature(signature, sAMLSSORelyingPartyObject.getSSOProperty(SSOConstants.KEY_STORE_NAME), sAMLSSORelyingPartyObject.getSSOProperty(SSOConstants.KEY_STORE_PASSWORD), sAMLSSORelyingPartyObject.getSSOProperty(SSOConstants.IDP_ALIAS), tenantId, domainName);
            } catch (SignatureVerificationFailure e3) {
                log.error("Signature Verification Failed using super tenant and tenant key stores", e3);
                return false;
            }
        }
        return z;
    }

    /**
     * Script-facing check that the single assertion of a SAML response is restricted to this
     * relying party's issuer id.
     *
     * <p>The response must contain exactly one assertion (encrypted or plain, depending on
     * configuration). On a decryption failure the cause is logged at debug level only and the
     * caller sees a fixed message.
     *
     * @param context    Rhino context (unused)
     * @param scriptable the {@code SAMLSSORelyingPartyObject} whose configuration is used
     * @param objArr     exactly one {@code String}: the SAML response
     * @param function   the calling function object (unused)
     * @return {@code false} when the input is not a SAML response, otherwise the result of the
     *         audience check
     * @throws Exception on invalid arguments, an unexpected number of assertions, or a
     *                   failure while decrypting or checking an encrypted assertion
     */
    public static boolean jsFunction_validateAudienceRestrictions(Context context, Scriptable scriptable, Object[] objArr, Function function) throws Exception {
        boolean singleStringArg = objArr.length == 1 && objArr[0] instanceof String;
        if (!singleStringArg) {
            throw new ScriptException("Invalid argument. The SAML response is missing.");
        }
        SAMLSSORelyingPartyObject relyingParty = (SAMLSSORelyingPartyObject) scriptable;
        String encodedSetting = getSSOSamlEncodingProperty(relyingParty);
        boolean encoded = true;
        if (encodedSetting != null) {
            try {
                // Boolean.parseBoolean does not throw; the catch is kept as a safeguard.
                encoded = Boolean.parseBoolean(encodedSetting);
            } catch (Exception e) {
                throw new ScriptException("Invalid property value found for isEncoded " + encodedSetting);
            }
        }
        String rawResponse = (String) objArr[0];
        Response response = Util.unmarshall(encoded ? Util.decode(rawResponse) : rawResponse);
        if (!(response instanceof Response)) {
            return false;
        }
        String encryptionSetting = relyingParty.getSSOProperty(SSOConstants.ASSERTIONENCRYPTIONENABLED);
        String expectedAudience = relyingParty.getSSOProperty(SSOConstants.ISSUER_ID);
        if (SSOConstants.DEFAULT_ENCODED_VALUE.equals(encryptionSetting)) {
            List encryptedAssertions = response.getEncryptedAssertions();
            if (encryptedAssertions == null || encryptedAssertions.size() != 1) {
                throw new ScriptException("SAML Response contains invalid number of assertions.");
            }
            try {
                // -1234 / "carbon.super" select the super tenant for decryption.
                Assertion decrypted = Util.getDecryptedAssertion((EncryptedAssertion) encryptedAssertions.get(0), relyingParty.getSSOProperty(SSOConstants.KEY_STORE_NAME), relyingParty.getSSOProperty(SSOConstants.KEY_STORE_PASSWORD), relyingParty.getSSOProperty(SSOConstants.IDP_ALIAS), -1234, "carbon.super");
                return relyingParty.validateAudienceRestriction(decrypted, expectedAudience);
            } catch (Exception e2) {
                if (log.isDebugEnabled()) {
                    log.debug("Assertion decryption failure : ", e2);
                }
                throw new Exception("Unable to decrypt the SAML2 Assertion");
            }
        }
        List assertions = response.getAssertions();
        if (assertions == null || assertions.size() != 1) {
            throw new ScriptException("SAML Response contains invalid number of assertions.");
        }
        return relyingParty.validateAudienceRestriction((Assertion) assertions.get(0), expectedAudience);
    }

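    /**
     * Script-facing check that the single assertion of a SAML response is inside its validity
     * window, allowing for the configured clock skew (300 seconds when not configured).
     *
     * <p>The response must contain exactly one assertion (encrypted or plain, depending on
     * configuration), as the audience and signature validators also require. This keeps all
     * validators looking at the same assertion, and an empty list is reported as an invalid
     * response rather than surfacing as an index error. On a decryption failure the cause is
     * logged at debug level only and the caller sees a fixed message.
     *
     * @param context    Rhino context (unused)
     * @param scriptable the {@code SAMLSSORelyingPartyObject} whose configuration is used
     * @param objArr     exactly one {@code String}: the SAML response
     * @param function   the calling function object (unused)
     * @return {@code false} when the input is not a SAML response, otherwise the result of the
     *         validity-window check
     * @throws Exception on invalid arguments, an unexpected number of assertions, a
     *                   non-numeric skew setting, or a decryption failure
     */
    public static boolean jsFunction_validateAssertionValidityPeriod(Context context, Scriptable scriptable, Object[] objArr, Function function) throws Exception {
        if (objArr.length != 1 || !(objArr[0] instanceof String)) {
            throw new ScriptException("Invalid argument. The SAML response is missing.");
        }
        SAMLSSORelyingPartyObject sAMLSSORelyingPartyObject = (SAMLSSORelyingPartyObject) scriptable;
        String sSOSamlEncodingProperty = getSSOSamlEncodingProperty(sAMLSSORelyingPartyObject);
        // Boolean.parseBoolean never throws, so no exception handling is needed here.
        boolean encoded = sSOSamlEncodingProperty == null || Boolean.parseBoolean(sSOSamlEncodingProperty);
        Response unmarshall = Util.unmarshall(encoded ? Util.decode((String) objArr[0]) : (String) objArr[0]);
        String skewSetting = sAMLSSORelyingPartyObject.getSSOProperty(SSOConstants.TIMESTAMP_SKEW_IN_SECONDS);
        int skewSeconds = (skewSetting == null || skewSetting.isEmpty()) ? 300 : Integer.parseInt(skewSetting);
        if (!(unmarshall instanceof Response)) {
            return false;
        }
        Response response = unmarshall;
        Assertion assertion;
        if (SSOConstants.DEFAULT_ENCODED_VALUE.equals(sAMLSSORelyingPartyObject.getSSOProperty(SSOConstants.ASSERTIONENCRYPTIONENABLED))) {
            List encryptedAssertions = response.getEncryptedAssertions();
            if (encryptedAssertions == null || encryptedAssertions.size() != 1) {
                throw new ScriptException("SAML Response contains invalid number of assertions.");
            }
            try {
                // -1234 / "carbon.super" select the super tenant for decryption.
                assertion = Util.getDecryptedAssertion((EncryptedAssertion) encryptedAssertions.get(0), sAMLSSORelyingPartyObject.getSSOProperty(SSOConstants.KEY_STORE_NAME), sAMLSSORelyingPartyObject.getSSOProperty(SSOConstants.KEY_STORE_PASSWORD), sAMLSSORelyingPartyObject.getSSOProperty(SSOConstants.IDP_ALIAS), -1234, "carbon.super");
            } catch (Exception e2) {
                if (log.isDebugEnabled()) {
                    log.debug("Assertion decryption failure : ", e2);
                }
                throw new Exception("Unable to decrypt the SAML2 Assertion");
            }
        } else {
            List assertions = response.getAssertions();
            if (assertions == null || assertions.size() != 1) {
                throw new ScriptException("SAML Response contains invalid number of assertions.");
            }
            assertion = (Assertion) assertions.get(0);
        }
        return sAMLSSORelyingPartyObject.validateAssertionValidityPeriod(assertion, skewSeconds);
    }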
}
