package com.alfaariss.oa.util.saml2.profile;

import com.alfaariss.oa.OAException;
import com.alfaariss.oa.RequestorEvent;
import com.alfaariss.oa.api.configuration.IConfigurationManager;
import com.alfaariss.oa.api.logging.IAuthority;
import com.alfaariss.oa.api.requestor.IRequestor;
import com.alfaariss.oa.api.session.ISession;
import com.alfaariss.oa.engine.core.Engine;
import com.alfaariss.oa.engine.core.crypto.CryptoException;
import com.alfaariss.oa.engine.core.crypto.CryptoManager;
import com.alfaariss.oa.engine.core.requestor.RequestorPool;
import com.alfaariss.oa.engine.core.requestor.factory.IRequestorPoolFactory;
import com.alfaariss.oa.engine.core.session.factory.ISessionFactory;
import com.alfaariss.oa.engine.core.tgt.factory.ITGTFactory;
import com.alfaariss.oa.util.saml2.ISAML2Requestors;
import com.alfaariss.oa.util.saml2.SAML2IssueInstantWindow;
import com.alfaariss.oa.util.saml2.SAML2Requestor;
import com.alfaariss.oa.util.saml2.SAML2SecurityException;
import com.alfaariss.oa.util.saml2.crypto.SAML2CryptoUtils;
import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.namespace.QName;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.Configuration;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.common.impl.SAMLObjectContentReference;
import org.opensaml.saml2.binding.security.SAML2HTTPPostSimpleSignRule;
import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule;
import org.opensaml.saml2.metadata.Endpoint;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.ws.security.SecurityPolicyException;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.Marshaller;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityConfiguration;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.ChainingCredentialResolver;
import org.opensaml.xml.security.credential.StaticCredentialResolver;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.opensaml.xml.util.DatatypeHelper;
import org.opensaml.xml.util.XMLHelper;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Element;

/* loaded from: input_file:com/alfaariss/oa/util/saml2/profile/AbstractSAML2Profile.class */
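/**
 * Base class for the OA SAML2 profiles.
 * <p>
 * Holds the configuration shared by all profiles (read in {@link #init}) and provides the helpers
 * the concrete profiles build on: metadata endpoint construction, signing of outbound SAML objects,
 * forwarding the user into the web SSO path and, most importantly, validation of inbound messages
 * (requestor lookup plus signature verification) before any of their content is acted upon.
 * <p>
 * Security notes for maintainers:
 * <ul>
 * <li>{@link #validateMessage} is the trust boundary. Every inbound request or response must be run
 * through {@link #validateRequest} / {@link #validateResponse}; when a
 * {@link SAML2SecurityException} is thrown the message must not be processed further.</li>
 * <li>Signature trust is "explicit key": a key carried in the message's own KeyInfo is only accepted
 * when it matches a credential resolved from the requestor's metadata or from the trust store
 * (see {@link #validateSignature}).</li>
 * <li>Issuer strings written to the log are attacker-controlled; the log configuration should
 * neutralise line breaks if log injection is a concern for this deployment.</li>
 * </ul>
 * NOTE(review): this listing is decompiler output. Catch-clause order in {@link #signSAMLObject} and
 * the synthetic assertion field were restored to the source form javac accepts; no other behaviour
 * was changed apart from the explicit parser hardening in {@link #init}.
 */
public abstract class AbstractSAML2Profile implements ISAML2Profile, IAuthority {
    /** Name of the optional configuration section holding the IdP-proxy settings. */
    public static final String EL_IDPPROXY = "idpproxy";
    /** Parameter of {@link #EL_IDPPROXY} that enables the shadowed-entity-id mode. */
    public static final String ATTR_ENABLE_SHADOWED_ENTITYID = "enableShadowedEntityId";
    /** Profile id, taken from the 'id' item of the profile configuration section. */
    protected String _sID;
    /** OA profile id passed in by the caller of {@link #init}. */
    protected String _sOAProfileID;
    /** Session factory of the engine. */
    protected ISessionFactory _sessionFactory;
    /** Requestor pool factory of the engine; used to resolve and authorise issuers. */
    protected IRequestorPoolFactory _requestorPoolFactory;
    /** Crypto manager of the engine; source of our signing key and of trusted peer certificates. */
    protected CryptoManager _cryptoManager;
    /** TGT factory of the engine. */
    protected ITGTFactory _tgtFactory;
    /** Our own SAML entity id, read from the entity descriptor. */
    protected String _sEntityID;
    /** Base URL of this profile: the profile base URL with {@link #_sID} appended. */
    protected String _sProfileURL;
    /** Event logger ("com.alfaariss.oa.EventLogger"). */
    protected Log _eventLogger;
    /** Servlet path the user is forwarded to by {@link #forwardUser}. */
    protected String _sWebSSOPath;
    /** Entity descriptor describing this IdP. */
    protected EntityDescriptor _entityDescriptor;
    /** SAML2 requestor registry; supplies per-requestor metadata and signing policy. */
    protected ISAML2Requestors _requestors;
    /** True when signing credentials, signature URI and digest URI could all be resolved in {@link #init}. */
    protected boolean _signingEnabled;
    /** Accepted IssueInstant window for inbound messages. */
    protected SAML2IssueInstantWindow _issueInstantWindow;
    /** Parser pool handed to the HTTP-POST SimpleSign rule (parses request-supplied KeyInfo). */
    protected BasicParserPool _pool;
    /** Validator enforcing the SAML signature profile (enveloped transform, reference to own element). */
    protected SAMLSignatureProfileValidator _profileValidator;
    /** KeyInfo credential resolver used by the trust engine and the SimpleSign rule. */
    protected KeyInfoCredentialResolver _keyInfoCredResolver;
    /** Whether the IdP-proxy shadowed-entity-id mode is enabled (default off). */
    protected boolean _bEnableProxiedEntityId = false;
    private static final String AUTHORITY_NAME = "SAML2 Profile";
    private Log _logger;

    /**
     * Initialises the profile from configuration and engine state.
     *
     * @param iConfigurationManager configuration manager used to read {@code element}
     * @param element the profile configuration section; must contain an 'id' item
     * @param entityDescriptor descriptor of this IdP; its entity id becomes {@link #_sEntityID}
     * @param str base URL of the profiles; {@link #_sID} is appended to form {@link #_sProfileURL}
     * @param str2 web SSO servlet path used by {@link #forwardUser}
     * @param iSAML2Requestors SAML2 requestor registry
     * @param sAML2IssueInstantWindow accepted IssueInstant window
     * @param str3 OA profile id
     * @throws OAException code 17 when the 'id' item is missing, code 1 on any other failure
     */
    @Override // com.alfaariss.oa.util.saml2.profile.ISAML2Profile
    public void init(IConfigurationManager iConfigurationManager, Element element, EntityDescriptor entityDescriptor, String str, String str2, ISAML2Requestors iSAML2Requestors, SAML2IssueInstantWindow sAML2IssueInstantWindow, String str3) throws OAException {
        try {
            this._logger = LogFactory.getLog(getClass());
            this._eventLogger = LogFactory.getLog("com.alfaariss.oa.EventLogger");
            this._profileValidator = new SAMLSignatureProfileValidator();
            this._pool = new BasicParserPool();
            this._pool.setNamespaceAware(true);
            // The pool parses KeyInfo taken straight from request parameters (HTTP-POST SimpleSign
            // rule), i.e. attacker-controlled XML. Switch entity expansion off explicitly rather
            // than relying on the library default. NOTE(review): also confirm that the xmltooling
            // version in use disallows DOCTYPE declarations by default for BasicParserPool;
            // otherwise set that builder feature here as well.
            this._pool.setExpandEntityReferences(false);
            this._keyInfoCredResolver = Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
            this._entityDescriptor = entityDescriptor;
            this._sWebSSOPath = str2;
            this._requestors = iSAML2Requestors;
            this._issueInstantWindow = sAML2IssueInstantWindow;
            this._sOAProfileID = str3;
            this._sEntityID = this._entityDescriptor.getEntityID();
            Engine engine = Engine.getInstance();
            this._sessionFactory = engine.getSessionFactory();
            this._tgtFactory = engine.getTGTFactory();
            this._requestorPoolFactory = engine.getRequestorPoolFactory();
            this._cryptoManager = engine.getCryptoManager();
            this._sID = iConfigurationManager.getParam(element, "id");
            if (this._sID == null) {
                this._logger.error("No 'id' item found in 'profile' section in configuration");
                throw new OAException(17);
            }
            StringBuilder profileUrl = new StringBuilder(str);
            if (!str.endsWith("/")) {
                profileUrl.append("/");
            }
            profileUrl.append(this._sID);
            this._sProfileURL = profileUrl.toString();
            // Signing is a capability probe, not a requirement: if our own signing key, the
            // signature algorithm URI or the digest URI cannot be resolved, the profile keeps
            // running with signing disabled. NOTE(review): in production "Signing disabled" is
            // almost certainly a misconfiguration (unsigned responses/assertions); treat the log
            // line as an alert condition.
            try {
                this._signingEnabled = false;
                SAML2CryptoUtils.retrieveMySigningCredentials(this._cryptoManager, this._sEntityID);
                SAML2CryptoUtils.getXMLSignatureURI(this._cryptoManager);
                SAML2CryptoUtils.getXMLDigestMethodURI(this._cryptoManager.getMessageDigest());
                this._signingEnabled = true;
                this._logger.info("Signing enabled");
            } catch (OAException e) {
                this._logger.info("Signing disabled");
            }
            Element section = iConfigurationManager.getSection(element, EL_IDPPROXY);
            if (section == null) {
                this._bEnableProxiedEntityId = false;
                this._logger.info("No optional 'idpproxy' section found; disabled by default.");
            } else {
                // Only the literal "true" enables the mode; "false", absence or garbage keep it off.
                String param = iConfigurationManager.getParam(section, ATTR_ENABLE_SHADOWED_ENTITYID);
                if ("true".equalsIgnoreCase(param)) {
                    this._bEnableProxiedEntityId = true;
                } else if (!"false".equalsIgnoreCase(param) && param != null) {
                    this._logger.warn("Invalid value for idpproxy@enableShadowedEntityId: '" + param + "'; allowed: {'true', 'false'}");
                }
                this._logger.info("IDPProxy Shadowed Entity Id mode enabled: " + this._bEnableProxiedEntityId);
            }
        } catch (OAException e2) {
            throw e2;
        } catch (Exception e3) {
            this._logger.fatal("Internal error during initialize", e3);
            throw new OAException(1);
        }
    }

    /** Nothing to release; subclasses override as needed. */
    @Override // com.alfaariss.oa.util.saml2.profile.ISAML2Profile
    public void destroy() {
    }

    /** @return the profile id read from configuration */
    @Override // com.alfaariss.oa.util.saml2.profile.ISAML2Profile
    public String getID() {
        return this._sID;
    }

    /** @return the authority name used in event logging */
    public String getAuthority() {
        return AUTHORITY_NAME;
    }

    /** @return the base URL of this profile (profile base URL + '/' + profile id) */
    protected String getProfileURL() {
        return this._sProfileURL;
    }

    /**
     * Builds a metadata endpoint element.
     *
     * @param qName element name of the endpoint type to build
     * @param str binding URI
     * @param str2 endpoint location
     * @param str3 optional response location; skipped when {@code null}
     * @return the populated endpoint
     */
    protected Endpoint buildMetadataEndpoint(QName qName, String str, String str2, String str3) {
        Endpoint endpoint = Configuration.getBuilderFactory().getBuilder(qName).buildObject(qName);
        endpoint.setLocation(str2);
        endpoint.setBinding(str);
        if (str3 != null) {
            endpoint.setResponseLocation(str3);
        }
        return endpoint;
    }

    /**
     * Signs a SAML object in place with this IdP's signing credential.
     * <p>
     * Signature algorithm and digest algorithm are taken from the crypto manager; the remaining
     * signature parameters come from the global OpenSAML security configuration.
     *
     * @param signableSAMLObject the object to sign; it is marshalled first if it has no DOM yet
     * @throws OAException code 1 when no marshaller is registered or signing fails for any reason
     */
    protected void signSAMLObject(SignableSAMLObject signableSAMLObject) throws OAException {
        try {
            Signature signature = Configuration.getBuilderFactory().getBuilder(Signature.DEFAULT_ELEMENT_NAME).buildObject(Signature.DEFAULT_ELEMENT_NAME);
            signature.setSignatureAlgorithm(SAML2CryptoUtils.getXMLSignatureURI(this._cryptoManager));
            X509Credential signingCredential = SAML2CryptoUtils.retrieveMySigningCredentials(this._cryptoManager, this._sEntityID);
            signature.setSigningCredential(signingCredential);
            SecurityHelper.prepareSignatureParams(signature, signingCredential, (SecurityConfiguration) null, (String) null);
            signableSAMLObject.setSignature(signature);
            // setSignature() registers a content reference to the object itself; override its digest.
            ((SAMLObjectContentReference) signature.getContentReferences().get(0)).setDigestAlgorithm(SAML2CryptoUtils.getXMLDigestMethodURI(this._cryptoManager.getMessageDigest()));
            Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(signableSAMLObject);
            if (marshaller == null) {
                this._logger.error("No marshaller registered for " + signableSAMLObject.getElementQName() + ", unable to marshall assertion");
                throw new OAException(1);
            }
            // Signer needs a DOM; marshall only when the object has not been marshalled yet.
            if (signableSAMLObject.getDOM() == null) {
                marshaller.marshall(signableSAMLObject);
            }
            Signer.signObject(signature);
        } catch (OAException e) {
            // Specific handlers must precede the catch-all; the decompiled order was not compilable.
            throw e;
        } catch (MarshallingException e) {
            this._logger.warn("Marshalling error while signing object", e);
            throw new OAException(1);
        } catch (Exception e) {
            this._logger.error("Could not sign object", e);
            throw new OAException(1);
        }
    }

    /**
     * Forwards the user to the web SSO path, recording the profile return URL on the session.
     * <p>
     * The return URL carries the session id as the 'asid' query parameter. NOTE(review): session
     * identifiers in query strings can leak through Referer headers and access logs; check where
     * this URL is ultimately emitted before relying on it.
     *
     * @param httpServletRequest current request; the session is attached as attribute 'asid'
     * @param httpServletResponse current response
     * @param iSession the authentication session to continue
     * @throws OAException code 1 when no dispatcher exists for the web SSO path or forwarding fails
     */
    protected void forwardUser(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, ISession iSession) throws OAException {
        try {
            StringBuilder returnUrl = new StringBuilder();
            returnUrl.append(this._sProfileURL);
            returnUrl.append("?");
            returnUrl.append("asid");
            returnUrl.append("=");
            returnUrl.append(iSession.getId());
            iSession.setProfileURL(returnUrl.toString());
            httpServletRequest.setAttribute("asid", iSession);
            RequestDispatcher requestDispatcher = httpServletRequest.getRequestDispatcher(this._sWebSSOPath);
            if (requestDispatcher == null) {
                this._logger.warn("There is no requestor dispatcher supported with name: " + this._sWebSSOPath);
                throw new OAException(1);
            }
            requestDispatcher.forward(httpServletRequest, httpServletResponse);
        } catch (OAException e) {
            throw e;
        } catch (Exception e2) {
            this._logger.fatal("Could not forward user", e2);
            throw new OAException(1);
        }
    }

    /**
     * Pretty-prints an XML object to the debug log, marshalling it first if needed.
     * <p>
     * Callers are expected to have checked {@code isDebugEnabled()} first (asserted below), since
     * marshalling just to log is wasted work otherwise. Be aware that this writes the complete
     * message — including any assertion attributes — to the log at debug level.
     *
     * @param xMLObject the object to log
     */
    protected void logXML(XMLObject xMLObject) {
        assert this._logger.isDebugEnabled() : "Logger debug state not checked";
        Element dom = xMLObject.getDOM();
        if (dom == null) {
            Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(xMLObject);
            if (marshaller != null) {
                try {
                    dom = marshaller.marshall(xMLObject);
                } catch (MarshallingException e) {
                    this._logger.debug("Could not prettyPrint XML object", e);
                }
            }
        }
        if (dom != null) {
            this._logger.debug(XMLHelper.prettyPrintXML(dom));
        }
    }

    /**
     * Creates a message context wrapping the servlet request/response for encoding an outbound message.
     * The response adapter is told whether the inbound request was secure (HTTPS).
     *
     * @param httpServletRequest current request
     * @param httpServletResponse current response
     * @return a fresh context with inbound and outbound transports set
     */
    protected SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> createEncodingContext(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        HttpServletRequestAdapter inTransport = new HttpServletRequestAdapter(httpServletRequest);
        HttpServletResponseAdapter outTransport = new HttpServletResponseAdapter(httpServletResponse, httpServletRequest.isSecure());
        BasicSAMLMessageContext context = new BasicSAMLMessageContext();
        context.setInboundMessageTransport(inTransport);
        context.setOutboundMessageTransport(outTransport);
        return context;
    }

    /**
     * Validates an inbound SAML request: sets the peer role on the context and runs
     * {@link #validateMessage} for the context's inbound message issuer.
     *
     * @param sAMLMessageContext context holding the decoded inbound message
     * @param qName role the peer is expected to act in
     * @return the matching SAML2 requestor, or {@code null} when none is registered for the issuer
     * @throws SAML2SecurityException when the issuer is unknown/disabled or the signature is missing or invalid
     * @throws OAException on internal errors
     */
    protected SAML2Requestor validateRequest(SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> sAMLMessageContext, QName qName) throws SAML2SecurityException, OAException {
        sAMLMessageContext.setPeerEntityRole(qName);
        return validateMessage(sAMLMessageContext, sAMLMessageContext.getInboundMessageIssuer());
    }

    /**
     * Validates an inbound SAML response; identical to {@link #validateRequest} apart from intent.
     *
     * @param sAMLMessageContext context holding the decoded inbound message
     * @param qName role the peer is expected to act in
     * @return the matching SAML2 requestor, or {@code null} when none is registered for the issuer
     * @throws SAML2SecurityException when the issuer is unknown/disabled or the signature is missing or invalid
     * @throws OAException on internal errors
     */
    protected SAML2Requestor validateResponse(SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> sAMLMessageContext, QName qName) throws SAML2SecurityException, OAException {
        sAMLMessageContext.setPeerEntityRole(qName);
        return validateMessage(sAMLMessageContext, sAMLMessageContext.getInboundMessageIssuer());
    }

    /**
     * Resolves and authorises the issuer of an inbound message.
     * <p>
     * The issuer must be a known, enabled requestor that belongs to an enabled requestor pool.
     * Unknown, missing or disabled requestors are reported as {@link RequestorEvent#REQUEST_INVALID}
     * (no detail leaks to the peer); a requestor without a pool or in a disabled pool is treated as
     * an internal configuration error.
     *
     * @param str the issuer entity id from the message (attacker-controlled; it is logged at debug level)
     * @return the resolved requestor
     * @throws SAML2SecurityException when the issuer is missing, unknown or disabled
     * @throws OAException code 1 when the requestor has no pool or its pool is disabled
     */
    protected IRequestor validateRequestor(String str) throws SAML2SecurityException, OAException {
        if (str == null) {
            this._logger.debug("Missing issuer");
            throw new SAML2SecurityException(RequestorEvent.REQUEST_INVALID);
        }
        IRequestor requestor = this._requestorPoolFactory.getRequestor(str);
        if (requestor == null) {
            this._logger.debug("Unknown requestor found in request: " + str);
            throw new SAML2SecurityException(RequestorEvent.REQUEST_INVALID);
        }
        if (!requestor.isEnabled()) {
            this._logger.debug("Disabled requestor found in request: " + str);
            throw new SAML2SecurityException(RequestorEvent.REQUEST_INVALID);
        }
        RequestorPool requestorPool = this._requestorPoolFactory.getRequestorPool(requestor.getID());
        if (requestorPool == null) {
            this._logger.warn("Requestor not available in a pool: " + requestor.getID());
            throw new OAException(1);
        }
        if (!requestorPool.isEnabled()) {
            this._logger.warn("Requestor '" + requestor.getID() + "' is found in a disabled requestor pool: " + requestorPool.getID());
            throw new OAException(1);
        }
        return requestor;
    }

    /**
     * Verifies the signature(s) on an inbound message against the issuer's trusted keys.
     * <p>
     * Trusted credentials are collected from (a) the requestor's metadata provider, if any, and
     * (b) a certificate stored in the crypto manager under the issuer id (only consulted when our
     * own signing is enabled). With no trusted credential at all the method fails closed.
     * Validation then covers, in order: the SAML signature profile, the XML signature (when the
     * message is XML-signed) via an explicit-key trust engine, and the HTTP-Redirect and
     * HTTP-POST-SimpleSign binding signatures carried in request parameters.
     * <p>
     * NOTE(review): for a message that is not XML-signed the result starts out as {@code true} and
     * relies on one of the two binding rules either throwing or silently skipping. This is
     * fail-closed as long as the rules are invoked for every transport that can carry a
     * 'Signature' parameter; re-verify that assumption when upgrading OpenSAML.
     *
     * @param sAMLMessageContext context holding the inbound message and transport
     * @param sAML2Requestor the requestor, or {@code null} when none is registered (metadata is then not consulted)
     * @param str the issuer entity id
     * @return {@code true} only when every applicable signature check passed
     * @throws OAException code 1 on a processing (not a validation) failure in the trust engine
     */
    protected boolean validateSignature(SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> sAMLMessageContext, SAML2Requestor sAML2Requestor, String str) throws OAException {
        boolean valid = false;
        try {
            SignableSAMLObject inboundSAMLMessage = sAMLMessageContext.getInboundSAMLMessage();
            Signature signature = inboundSAMLMessage.getSignature();
            if (inboundSAMLMessage.isSigned()) {
                // Rejects signatures that do not follow the SAML profile (guards against signature wrapping).
                this._profileValidator.validate(signature);
            }
            ChainingCredentialResolver trustedCredentials = new ChainingCredentialResolver();
            if (sAML2Requestor != null) {
                MetadataProvider metadataProvider = sAML2Requestor.getMetadataProvider();
                if (metadataProvider != null) {
                    this._logger.debug("Metadata provider found for issuer: " + str);
                    trustedCredentials.getResolverChain().add(new MetadataCredentialResolver(metadataProvider));
                }
            }
            // NOTE(review): the trust-store lookup for the PEER's certificate is gated on OUR signing
            // capability; with signing disabled only metadata-based trust remains.
            try {
                if (this._signingEnabled) {
                    trustedCredentials.getResolverChain().add(new StaticCredentialResolver(SAML2CryptoUtils.retrieveSigningCredentials(this._cryptoManager, str)));
                }
            } catch (CryptoException e) {
                this._logger.debug("No trusted certificate found for issuer: " + str);
            }
            if (trustedCredentials.getResolverChain().isEmpty()) {
                // Nothing to verify against: fail closed.
                this._logger.warn("No trusted certificate or metadata found for issuer: " + str);
            } else {
                // Explicit-key engine: a KeyInfo key is only accepted when it matches a trusted credential.
                ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(trustedCredentials, this._keyInfoCredResolver);
                if (inboundSAMLMessage.isSigned()) {
                    CriteriaSet criteriaSet = new CriteriaSet();
                    criteriaSet.add(new EntityIDCriteria(str));
                    criteriaSet.add(new MetadataCriteria(sAMLMessageContext.getPeerEntityRole(), sAMLMessageContext.getInboundSAMLProtocol()));
                    criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
                    valid = trustEngine.validate(signature, criteriaSet);
                } else {
                    valid = true;
                }
                if (valid) {
                    // Each rule is a no-op for transports it does not handle and throws on an invalid signature.
                    new SAML2HTTPRedirectDeflateSignatureRule(trustEngine).evaluate(sAMLMessageContext);
                    new SAML2HTTPPostSimpleSignRule(trustEngine, this._pool, this._keyInfoCredResolver).evaluate(sAMLMessageContext);
                }
            }
        } catch (SecurityPolicyException e2) {
            this._logger.debug("Invalid signature", e2);
            valid = false;
        } catch (SecurityException e3) {
            this._logger.error("Processing error evaluating the signature", e3);
            throw new OAException(1);
        } catch (ValidationException e4) {
            this._logger.debug("Invalid signature", e4);
            valid = false;
        }
        return valid;
    }

    /**
     * Core inbound-message check: authorises the issuer, then enforces the signing policy.
     * <p>
     * A message counts as signed when it carries an XML signature or a 'Signature' request
     * parameter; such a message must verify via {@link #validateSignature}. An unsigned message is
     * only accepted when the requestor (or, absent a SAML2 requestor entry, the default policy)
     * does not require signing.
     *
     * @param sAMLMessageContext context holding the decoded inbound message
     * @param str the issuer entity id as reported by the decoder
     * @return the SAML2 requestor for the issuer, or {@code null} when none is registered
     * @throws SAML2SecurityException on an unauthorised issuer, a missing mandatory signature or an invalid one
     * @throws OAException on internal errors
     */
    private SAML2Requestor validateMessage(SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> sAMLMessageContext, String str) throws SAML2SecurityException, OAException {
        SignableSAMLObject inboundSAMLMessage = sAMLMessageContext.getInboundSAMLMessage();
        IRequestor validatedRequestor = validateRequestor(str);
        boolean signingRequired = this._requestors.isDefaultSigningEnabled();
        SAML2Requestor requestor = this._requestors.getRequestor(validatedRequestor);
        if (requestor != null) {
            // Per-requestor policy overrides the default.
            signingRequired = requestor.isSigningEnabled();
        }
        boolean hasBindingSignature = !DatatypeHelper.isEmpty(sAMLMessageContext.getInboundMessageTransport().getParameterValue("Signature"));
        if (hasBindingSignature || inboundSAMLMessage.isSigned()) {
            if (!validateSignature(sAMLMessageContext, requestor, str)) {
                this._logger.debug("Invalid XML signature received for message from issuer: " + str);
                throw new SAML2SecurityException(RequestorEvent.REQUEST_INVALID);
            }
            this._logger.debug("XML signature validation okay");
        } else if (signingRequired) {
            this._logger.debug("No mandatory signature received from issuer: " + str);
            throw new SAML2SecurityException(RequestorEvent.REQUEST_INVALID);
        }
        return requestor;
    }
}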
