package org.asimba.idp.profile.catalog.saml2;

import com.alfaariss.oa.OAException;
import com.alfaariss.oa.api.configuration.IConfigurationManager;
import com.alfaariss.oa.api.requestor.IRequestor;
import com.alfaariss.oa.engine.core.Engine;
import com.alfaariss.oa.engine.core.crypto.CryptoManager;
import com.alfaariss.oa.engine.core.idp.storage.IIDP;
import com.alfaariss.oa.util.saml2.SAML2Exchange;
import com.alfaariss.oa.util.saml2.SAML2Requestor;
import com.alfaariss.oa.util.saml2.crypto.SAML2CryptoUtils;
import com.alfaariss.oa.util.saml2.idp.SAML2IDP;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Iterator;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.asimba.idp.profile.catalog.AbstractCatalog;
import org.asimba.idp.profile.catalog.saml2.builder.CatalogEntitiesDescriptorBuilder;
import org.asimba.utility.xml.XMLUtils;
import org.opensaml.Configuration;
import org.opensaml.saml2.common.Extensions;
import org.opensaml.saml2.metadata.ArtifactResolutionService;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.EntitiesDescriptor;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.KeyDescriptor;
import org.opensaml.saml2.metadata.NameIDFormat;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.SingleLogoutService;
import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.io.UnmarshallingException;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.util.XMLObjectHelper;
import org.w3c.dom.Element;

/* loaded from: input_file:org/asimba/idp/profile/catalog/saml2/SAML2Catalog.class */
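/**
 * Catalog that publishes the SAML2 metadata of the requestors (SPs) and IDPs known to this
 * server as a single SAML2 {@code EntitiesDescriptor}, written to the HTTP response by
 * {@link #service(HttpServletRequest, HttpServletResponse)}.
 *
 * <p>Two publish modes (inherited from {@link AbstractCatalog}) are handled:
 * <ul>
 *   <li>{@code PUBLISHMODE_TRANSPARANT}: the descriptor of each SAML2 requestor/IDP is copied
 *       as-is from its own {@code MetadataProvider}.</li>
 *   <li>{@code PUBLISHMODE_PROXY}: a fresh descriptor is built under the requestor's/IDP's
 *       entityID, whose endpoints and keys are taken from this server's own linked SAML2 IDP
 *       profile, so that this server is what the published entity points at.</li>
 * </ul>
 *
 * <p>Configuration read in {@link #start}: mandatory {@code saml2_refs/idp_profile@id},
 * optional {@code saml2_refs/sp_method@id}, optional {@code requestorsigning@default}
 * ({@code true}/{@code false}) and optional {@code mp_manager@id}. Error code 17 is thrown
 * for every configuration problem, error code 1 for runtime failures.
 */
public class SAML2Catalog extends AbstractCatalog {
    public static final String EL_REQUESTORSIGNING = "requestorsigning";
    public static final String ATTR_DEFAULT = "default";
    public static final String EL_SAML2REFERENCES = "saml2_refs";
    public static final String EL_IDP_PROFILE = "idp_profile";
    public static final String EL_SP_METHOD = "sp_method";
    public static final String ATTR_ID = "id";
    public static final String EL_METADATA = "metadata";

    /** Protocol URN written into every generated role descriptor and used to select the proxied ones. */
    private static final String SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol";

    /** Default for the per-requestor "signing required" flag passed to {@link SAML2Requestor}. */
    protected boolean _bDefaultRequestorSigning;
    /** ID of this server's SAML2 IDP profile; its EntityDescriptor is the template for proxied entries. */
    protected String _sLinkedSAML2IDPProfileID;
    /** ID of the linked SAML2 SP authentication method (optional; only stored here). */
    protected String _sLinkedSAML2SPAuthenticationMethodID;
    /** ID of the MetadataProviderManager handed to each SAML2Requestor; null when not configured. */
    protected String _sMPMId;
    // The two flags below are never set from configuration in this class, so proxied IDP entries
    // carry SingleSignOnService endpoints only, unless a subclass enables them.
    protected boolean _bEnableProxiedLogoutService = false;
    protected boolean _bEnableProxiedArtifactResolutionService = false;
    private final Log _oLogger = LogFactory.getLog(SAML2Catalog.class);
    protected BasicParserPool _oParserPool = new BasicParserPool();

    /**
     * Creates the catalog and registers its namespace-aware parser pool as the global OpenSAML
     * parser pool if none is registered yet.
     */
    public SAML2Catalog() {
        this._oParserPool.setNamespaceAware(true);
        // The global pool is process-wide state, so the check-then-set must be serialised across
        // instances; locking on a freshly constructed 'this' would not do that.
        // NOTE(review): confirm the pool's entity-expansion/DTD settings are appropriate for
        // parsing metadata from remote parties — not visible here.
        synchronized (SAML2Catalog.class) {
            if (Configuration.getParserPool() == null) {
                Configuration.setParserPool(this._oParserPool);
            }
        }
    }

    /**
     * Reads the catalog configuration.
     *
     * @param iConfigurationManager configuration manager used to read {@code element}
     * @param element the catalog's configuration element
     * @throws OAException with code 17 when {@code saml2_refs}, {@code idp_profile@id} or
     *         {@code mp_manager@id} is missing or {@code requestorsigning@default} is invalid
     */
    @Override
    public void start(IConfigurationManager iConfigurationManager, Element element) throws OAException {
        super.start(iConfigurationManager, element);

        Element elRefs = iConfigurationManager.getSection(element, EL_SAML2REFERENCES);
        if (elRefs == null) {
            this._oLogger.error("Missing element 'saml2_refs' in SAML2Catalog configuration.");
            throw new OAException(17);
        }
        readLinkedProfiles(iConfigurationManager, elRefs);

        this._bDefaultRequestorSigning = readDefaultRequestorSigning(iConfigurationManager, element);
        this._sMPMId = readMetadataProviderManagerId(iConfigurationManager, element);

        this._oLogger.info("Started SAML2Catalog profile '" + getID() + "'");
    }

    /**
     * Reads {@code requestorsigning@default}.
     *
     * @return true only for an explicit {@code true}; false when the section or attribute is
     *         absent or explicitly {@code false}
     * @throws OAException with code 17 for any other value
     */
    private boolean readDefaultRequestorSigning(IConfigurationManager cfg, Element element) throws OAException {
        Element elSigning = cfg.getSection(element, EL_REQUESTORSIGNING);
        if (elSigning == null) {
            return false;
        }
        String sDefault = cfg.getParam(elSigning, ATTR_DEFAULT);
        if (sDefault == null) {
            return false;
        }
        if ("TRUE".equalsIgnoreCase(sDefault)) {
            return true;
        }
        if ("FALSE".equalsIgnoreCase(sDefault)) {
            // An explicit opt-out is valid configuration; only unrecognised values are rejected.
            return false;
        }
        this._oLogger.warn("Invalid value provided for 'default' attribute for 'requestorsigning': " + sDefault);
        throw new OAException(17);
    }

    /**
     * Reads the optional {@code mp_manager@id}.
     *
     * @return the configured ID, or null when the {@code mp_manager} section is absent
     * @throws OAException with code 17 when the section exists but has no {@code id}
     */
    private String readMetadataProviderManagerId(IConfigurationManager cfg, Element element) throws OAException {
        Element elMPM = cfg.getSection(element, "mp_manager");
        if (elMPM == null) {
            this._oLogger.info("No 'mp_manager'@'id' configured for catalog '" + this._sID + "'; ensure that no SAML2Requestors are used in the catalog");
            return null;
        }
        String sMPMId = cfg.getParam(elMPM, ATTR_ID);
        if (sMPMId == null) {
            this._oLogger.error("Missing @'id' attribute for 'mp_manager' configuration");
            throw new OAException(17);
        }
        this._oLogger.info("Using MetadataProviderManager Id from configuration: '" + sMPMId + "'");
        return sMPMId;
    }

    /** Stops the catalog; nothing beyond the superclass behaviour is needed here. */
    @Override
    public void stop() {
        super.stop();
    }

    /**
     * Reads the linked profile references from the {@code saml2_refs} element into
     * {@link #_sLinkedSAML2IDPProfileID} (mandatory) and
     * {@link #_sLinkedSAML2SPAuthenticationMethodID} (optional).
     *
     * @throws OAException with code 17 when {@code idp_profile} or its {@code id} is missing, or
     *         when {@code sp_method} is present without an {@code id}
     */
    protected void readLinkedProfiles(IConfigurationManager iConfigurationManager, Element element) throws OAException {
        this._sLinkedSAML2IDPProfileID = null;
        this._sLinkedSAML2SPAuthenticationMethodID = null;

        Element elIDPProfile = iConfigurationManager.getSection(element, EL_IDP_PROFILE);
        if (elIDPProfile == null) {
            this._oLogger.error("No 'idp_profile' configured.");
            throw new OAException(17);
        }
        String sIDPProfileID = iConfigurationManager.getParam(elIDPProfile, ATTR_ID);
        if (sIDPProfileID == null) {
            this._oLogger.error("No 'id' configured for 'idp_profile'.");
            throw new OAException(17);
        }
        this._sLinkedSAML2IDPProfileID = sIDPProfileID;

        Element elSPMethod = iConfigurationManager.getSection(element, EL_SP_METHOD);
        if (elSPMethod == null) {
            this._oLogger.warn("No 'sp_method' configured.");
            return;
        }
        String sSPMethodID = iConfigurationManager.getParam(elSPMethod, ATTR_ID);
        if (sSPMethodID == null) {
            this._oLogger.error("No 'id' configured for 'sp_method'.");
            throw new OAException(17);
        }
        this._sLinkedSAML2SPAuthenticationMethodID = sSPMethodID;
    }

    /**
     * Builds the catalog for the requestors and IDPs visible to this request and writes it as
     * an {@code EntitiesDescriptor} XML document to the response.
     *
     * @param httpServletRequest the incoming request; passed to {@code getRequestors}/{@code getIDPs}
     * @param httpServletResponse the response the XML is written to
     * @throws OAException with code 1 when marshalling or writing fails; configuration and
     *         crypto errors from the helpers propagate unchanged
     */
    @Override
    public void service(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws OAException {
        List<IRequestor> requestors = getRequestors(httpServletRequest);
        List<IIDP> idps = getIDPs(httpServletRequest);
        CatalogEntitiesDescriptorBuilder builder = new CatalogEntitiesDescriptorBuilder(this._oConfigManager, Engine.getInstance().getServer());
        // Descriptor of this server's own IDP profile; proxied entries are derived from it.
        EntityDescriptor ownDescriptor = SAML2Exchange.getEntityDescriptor(this._sLinkedSAML2IDPProfileID);

        // Constant-first equals: a missing publish mode then simply yields an empty catalog.
        boolean bTransparant = AbstractCatalog.PUBLISHMODE_TRANSPARANT.equals(this._sPublishMode);
        boolean bProxy = AbstractCatalog.PUBLISHMODE_PROXY.equals(this._sPublishMode);

        for (IRequestor requestor : requestors) {
            // Constructed in both modes (as before), although only transparant mode uses it.
            SAML2Requestor saml2Requestor = getSAML2Requestor(requestor);
            EntityDescriptor descriptor = null;
            if (bTransparant) {
                if (saml2Requestor == null) {
                    this._oLogger.info("Skipping SP '" + requestor.getID() + "' in SAML2 Catalog because it is not a SAML2 SP");
                } else {
                    descriptor = getTransparantSPEntityDescriptor(saml2Requestor);
                }
            } else if (bProxy) {
                descriptor = getProxiedSPEntityDescriptor(requestor, ownDescriptor);
            }
            if (descriptor != null) {
                builder.addEntityDescriptor(descriptor);
            }
        }

        for (IIDP idp : idps) {
            SAML2IDP saml2idp = getSAML2IDP(idp);
            EntityDescriptor descriptor = null;
            if (bTransparant) {
                if (saml2idp == null) {
                    this._oLogger.warn("Skipping IDP '" + idp.getID() + "' in SAML2 Catalog because it is not a SAML2 IDP");
                } else {
                    descriptor = getTransparantIDPEntityDescriptor(saml2idp);
                }
            } else if (bProxy) {
                descriptor = getProxiedIDPEntityDescriptor(idp, ownDescriptor);
            }
            if (descriptor != null) {
                builder.addEntityDescriptor(descriptor);
            }
        }

        EntitiesDescriptor entities = builder.getEntitiesDescriptor();
        try {
            Element domRoot = Configuration.getMarshallerFactory().getMarshaller(entities).marshall(entities);
            // NOTE(review): no content type/charset is set on the response here — presumably
            // the caller or AbstractCatalog does so; confirm.
            PrintWriter writer = httpServletResponse.getWriter();
            try {
                writer.write(XMLUtils.getStringFromDocument(domRoot.getOwnerDocument()));
            } finally {
                writer.close();
            }
        } catch (MarshallingException e) {
            this._oLogger.error("Could not marshall EntitiesDescriptor catalog to DOM: " + e.getMessage(), e);
            throw new OAException(1);
        } catch (IOException e) {
            this._oLogger.error("Could not write output: " + e.getMessage(), e);
            throw new OAException(1);
        }
    }

    /**
     * Returns the requestor's own EntityDescriptor, read from its MetadataProvider.
     *
     * @return the descriptor, or null when the requestor has no MetadataProvider or the
     *         metadata cannot be retrieved (both are logged at WARN)
     */
    protected EntityDescriptor getTransparantSPEntityDescriptor(SAML2Requestor sAML2Requestor) {
        String sRequestorID = sAML2Requestor.getID();
        MetadataProvider provider = sAML2Requestor.getMetadataProvider();
        if (provider == null) {
            this._oLogger.warn("Exclude requestor '" + sRequestorID + "' from proxy-catalog, not a SAML2 SP");
            return null;
        }
        EntityDescriptor descriptor;
        try {
            descriptor = provider.getEntityDescriptor(sRequestorID);
        } catch (MetadataProviderException e) {
            this._oLogger.warn("Could not retrieve metadata for '" + sRequestorID + "'; omitting from catalog.");
            return null;
        }
        if (this._oLogger.isTraceEnabled()) {
            this._oLogger.trace("Adding SP '" + sRequestorID + "' to catalog.");
        }
        return descriptor;
    }

    /**
     * Returns the IDP's own EntityDescriptor, read from its MetadataProvider.
     *
     * @return the descriptor, or null when no provider is available, obtaining it throws
     *         OAException, or the metadata lookup fails (all logged at WARN)
     */
    protected EntityDescriptor getTransparantIDPEntityDescriptor(SAML2IDP saml2idp) {
        String sIDPID = saml2idp.getID();
        try {
            MetadataProvider provider = saml2idp.getMetadataProvider();
            if (provider != null) {
                EntityDescriptor descriptor = provider.getEntityDescriptor(sIDPID);
                if (this._oLogger.isTraceEnabled()) {
                    this._oLogger.trace("Adding IDP '" + sIDPID + "' to catalog.");
                }
                return descriptor;
            }
        } catch (MetadataProviderException e) {
            this._oLogger.warn("Could not retrieve metadata for IDP '" + sIDPID + "': " + e.getMessage());
        } catch (OAException e) {
            this._oLogger.warn("Could not retrieve metadataprovider for IDP '" + sIDPID + "': " + e.getMessage());
        }
        this._oLogger.warn("Exclude IDP '" + sIDPID + "' from proxy-catalog, metadata is not available.");
        return null;
    }

    /**
     * Builds a proxied SP descriptor for {@code iRequestor}: the requestor's entityID with the
     * AssertionConsumerServices and WantAssertionsSigned of this server's own SPSSODescriptor
     * (taken from {@code entityDescriptor}) and this server's signing key.
     *
     * @param iRequestor the requestor to publish
     * @param entityDescriptor this server's own EntityDescriptor
     * @return the built descriptor, or null when it has no SPSSODescriptor for SAML2 or cloning
     *         an ACS fails (logged at WARN)
     * @throws OAException when the signing KeyDescriptor cannot be produced
     */
    protected EntityDescriptor getProxiedSPEntityDescriptor(IRequestor iRequestor, EntityDescriptor entityDescriptor) throws OAException {
        String sRequestorID = iRequestor.getID();
        SPSSODescriptor ownSP = entityDescriptor.getSPSSODescriptor(SAML2_PROTOCOL);
        if (ownSP == null) {
            this._oLogger.warn("Could not add SP '" + sRequestorID + "'; no SPSSODescriptor for SAML 2.0 available to proxy.");
            return null;
        }

        XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();
        EntityDescriptor proxied = (EntityDescriptor) builderFactory.getBuilder(EntityDescriptor.DEFAULT_ELEMENT_NAME).buildObject();
        proxied.setEntityID(sRequestorID);
        SPSSODescriptor proxiedSP = (SPSSODescriptor) builderFactory.getBuilder(SPSSODescriptor.DEFAULT_ELEMENT_NAME).buildObject();
        proxiedSP.addSupportedProtocol(SAML2_PROTOCOL);
        // The attribute is optional in metadata (Boolean may be null); only an explicit true is copied.
        if (Boolean.TRUE.equals(ownSP.getWantAssertionsSigned())) {
            proxiedSP.setWantAssertionsSigned(true);
        }

        try {
            for (AssertionConsumerService acs : ownSP.getAssertionConsumerServices()) {
                proxiedSP.getAssertionConsumerServices().add(XMLObjectHelper.cloneXMLObject(acs, true));
            }
        } catch (MarshallingException e) {
            this._oLogger.warn("Could not add SP '" + sRequestorID + "'; due to marshalling problem with ACS.");
            return null;
        } catch (UnmarshallingException e) {
            this._oLogger.warn("Could not add SP '" + sRequestorID + "'; due to unmarshalling problem with ACS.");
            return null;
        }

        KeyDescriptor signingKey = getSigningKeyDescriptor(builderFactory, Engine.getInstance().getCryptoManager(), sRequestorID);
        if (signingKey != null) {
            proxiedSP.getKeyDescriptors().add(signingKey);
        }
        proxied.getRoleDescriptors().add(proxiedSP);
        return proxied;
    }

    /**
     * Builds a proxied IDP descriptor for {@code iidp}: the IDP's entityID with the
     * NameIDFormats, SingleSignOnServices (plus SingleLogout/ArtifactResolution when enabled),
     * Extensions and WantAuthnRequestsSigned of this server's own IDPSSODescriptor, and this
     * server's signing key. Every copied endpoint location gets {@code /i=<sha1hex(entityID)>}
     * appended so this server can tell which IDP the request is meant for.
     *
     * @param iidp the IDP to publish
     * @param entityDescriptor this server's own EntityDescriptor
     * @return the built descriptor, or null when it has no IDPSSODescriptor for SAML2 or cloning
     *         fails (the WARN message names the part that failed)
     * @throws OAException when the signing KeyDescriptor cannot be produced
     */
    protected EntityDescriptor getProxiedIDPEntityDescriptor(IIDP iidp, EntityDescriptor entityDescriptor) throws OAException {
        String sIDPID = iidp.getID();
        IDPSSODescriptor ownIDP = entityDescriptor.getIDPSSODescriptor(SAML2_PROTOCOL);
        if (ownIDP == null) {
            this._oLogger.warn("Could not add IDP '" + sIDPID + "'; no IDPSSODescriptor for SAML 2.0 available to proxy.");
            return null;
        }

        XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();
        EntityDescriptor proxied = (EntityDescriptor) builderFactory.getBuilder(EntityDescriptor.DEFAULT_ELEMENT_NAME).buildObject();
        proxied.setEntityID(sIDPID);
        IDPSSODescriptor proxiedIDP = (IDPSSODescriptor) builderFactory.getBuilder(IDPSSODescriptor.DEFAULT_ELEMENT_NAME).buildObject();
        proxiedIDP.addSupportedProtocol(SAML2_PROTOCOL);
        // The attribute is optional in metadata (Boolean may be null); only an explicit true is copied.
        if (Boolean.TRUE.equals(ownIDP.getWantAuthnRequestsSigned())) {
            proxiedIDP.setWantAuthnRequestsSigned(true);
        }

        // Routing discriminator: a digest of the public entityID, not a secret, so the digest
        // strength is irrelevant here. NOTE(review): presumably the linked IDP profile parses the
        // same 'i=' path element; confirm both sides agree on the encoding.
        String sProxySuffix = "/i=" + DigestUtils.shaHex(sIDPID);

        // Names the part being copied, so a failure logs which one it was.
        String sStage = "NameIDFormat";
        try {
            List<NameIDFormat> nameIDFormats = ownIDP.getNameIDFormats();
            if (nameIDFormats != null) {
                for (NameIDFormat nameIDFormat : nameIDFormats) {
                    proxiedIDP.getNameIDFormats().add(XMLObjectHelper.cloneXMLObject(nameIDFormat, true));
                }
            }

            sStage = "Services";
            List<SingleSignOnService> ssoServices = ownIDP.getSingleSignOnServices();
            if (ssoServices != null) {
                for (SingleSignOnService sso : ssoServices) {
                    SingleSignOnService copy = XMLObjectHelper.cloneXMLObject(sso, true);
                    copy.setLocation(sso.getLocation() + sProxySuffix);
                    proxiedIDP.getSingleSignOnServices().add(copy);
                }
            }
            List<SingleLogoutService> sloServices = this._bEnableProxiedLogoutService ? ownIDP.getSingleLogoutServices() : null;
            if (sloServices != null) {
                for (SingleLogoutService slo : sloServices) {
                    SingleLogoutService copy = XMLObjectHelper.cloneXMLObject(slo, true);
                    copy.setLocation(slo.getLocation() + sProxySuffix);
                    proxiedIDP.getSingleLogoutServices().add(copy);
                }
            }
            List<ArtifactResolutionService> arsServices = this._bEnableProxiedArtifactResolutionService ? ownIDP.getArtifactResolutionServices() : null;
            if (arsServices != null) {
                for (ArtifactResolutionService ars : arsServices) {
                    ArtifactResolutionService copy = XMLObjectHelper.cloneXMLObject(ars, true);
                    copy.setLocation(ars.getLocation() + sProxySuffix);
                    proxiedIDP.getArtifactResolutionServices().add(copy);
                }
            }

            sStage = "Extensions";
            Extensions extensions = ownIDP.getExtensions();
            if (extensions != null) {
                proxiedIDP.setExtensions(XMLObjectHelper.cloneXMLObject(extensions, true));
            }
        } catch (UnmarshallingException e) {
            this._oLogger.warn("Could not add IDP '" + sIDPID + "'; due to unmarshalling problem with " + sStage + ".");
            return null;
        } catch (MarshallingException e) {
            this._oLogger.warn("Could not add IDP '" + sIDPID + "'; due to marshalling problem with " + sStage + ".");
            return null;
        }

        KeyDescriptor signingKey = getSigningKeyDescriptor(builderFactory, Engine.getInstance().getCryptoManager(), sIDPID);
        if (signingKey != null) {
            proxiedIDP.getKeyDescriptors().add(signingKey);
        }
        proxied.getRoleDescriptors().add(proxiedIDP);
        return proxied;
    }

    /**
     * Builds a {@code use="signing"} KeyDescriptor holding the KeyInfo of this server's signing
     * credential for {@code str}, as produced by the default OpenSAML KeyInfoGenerator for that
     * credential.
     *
     * @param xMLObjectBuilderFactory factory used to build the KeyDescriptor
     * @param cryptoManager crypto manager the signing credential is retrieved from
     * @param str ID the credential is looked up for
     * @return the KeyDescriptor; its KeyInfo is left unset when no generator is available
     * @throws OAException with code 1 when KeyInfo generation fails; errors from retrieving
     *         the credential propagate unchanged
     */
    public KeyDescriptor getSigningKeyDescriptor(XMLObjectBuilderFactory xMLObjectBuilderFactory, CryptoManager cryptoManager, String str) throws OAException {
        try {
            KeyDescriptor keyDescriptor = (KeyDescriptor) xMLObjectBuilderFactory.getBuilder(KeyDescriptor.DEFAULT_ELEMENT_NAME).buildObject();
            keyDescriptor.setUse(UsageType.SIGNING);
            X509Credential signingCredential = SAML2CryptoUtils.retrieveMySigningCredentials(cryptoManager, str);
            // What ends up in the published KeyInfo is decided by the configured default
            // KeyInfoGeneratorFactory for this credential type.
            KeyInfoGenerator generator = Configuration.getGlobalSecurityConfiguration().getKeyInfoGeneratorManager().getDefaultManager().getFactory(signingCredential).newInstance();
            if (generator != null) {
                keyDescriptor.setKeyInfo(generator.generate(signingCredential));
            }
            return keyDescriptor;
        } catch (SecurityException e) {
            this._oLogger.error("Could not generate SigningKeyDescriptor", e);
            throw new OAException(1);
        }
    }

    /**
     * Wraps a requestor as a SAML2Requestor using this catalog's defaults.
     *
     * @return the wrapper, or null when construction throws OAException (logged at ERROR);
     *         callers treat null as "not a SAML2 SP"
     */
    private SAML2Requestor getSAML2Requestor(IRequestor iRequestor) throws OAException {
        try {
            return new SAML2Requestor(iRequestor, this._bDefaultRequestorSigning, this._sLinkedSAML2IDPProfileID, this._sMPMId);
        } catch (OAException e) {
            this._oLogger.error("Could not create SAML2Requestor for requestor '" + iRequestor.getID() + "'", e);
            return null;
        }
    }

    /** Returns {@code iidp} as a SAML2IDP, or null when it is not one. */
    private SAML2IDP getSAML2IDP(IIDP iidp) {
        return iidp instanceof SAML2IDP ? (SAML2IDP) iidp : null;
    }

    /**
     * Deep-copies an XMLObject by cloning its DOM and unmarshalling the copy. If the object has
     * no DOM (never marshalled, or released) it is marshalled first.
     *
     * <p>Currently unused within this class; {@code XMLObjectHelper.cloneXMLObject} is used instead.
     *
     * @return the copy, or null when no marshaller exists for the object or unmarshalling fails
     *         (logged at WARN)
     * @throws MarshallingException when marshalling a DOM-less object fails
     * @throws UnmarshallingException never thrown directly; kept for callers that expect it
     */
    private <T extends XMLObject> T cloneXMLObject_usingDOM(XMLObject xMLObject) throws MarshallingException, UnmarshallingException {
        Element dom = xMLObject.getDOM();
        if (dom == null) {
            if (Configuration.getMarshallerFactory().getMarshaller(xMLObject) == null) {
                this._oLogger.warn("Unknown element '" + xMLObject.getElementQName() + "'; no marshaller available");
                return null;
            }
            dom = Configuration.getMarshallerFactory().getMarshaller(xMLObject).marshall(xMLObject);
        }
        Element copy = (Element) dom.cloneNode(true);
        try {
            @SuppressWarnings("unchecked")
            T result = (T) Configuration.getUnmarshallerFactory().getUnmarshaller(copy).unmarshall(copy);
            return result;
        } catch (UnmarshallingException e) {
            this._oLogger.warn("Could not unmarshall element '" + xMLObject.getElementQName() + "'");
            return null;
        }
    }

    /**
     * Deep-copies an XMLObject for which a marshaller is registered; otherwise logs and returns
     * null. Delegates to {@link #cloneXMLObject_usingDOM(XMLObject)}.
     *
     * <p>Currently unused within this class; {@code XMLObjectHelper.cloneXMLObject} is used instead.
     *
     * @return the copy, or null when no marshaller exists or unmarshalling fails (logged at WARN)
     */
    private <T extends XMLObject> T cloneXMLObject(XMLObject xMLObject) throws MarshallingException, UnmarshallingException {
        if (Configuration.getMarshallerFactory().getMarshaller(xMLObject) == null) {
            this._oLogger.warn("Unknown element '" + xMLObject.getElementQName() + "'; no marshaller available");
            return null;
        }
        T copy = cloneXMLObject_usingDOM(xMLObject);
        return copy;
    }
}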
