package org.n52.security.authentication;

import java.io.IOException;
import java.io.StringReader;
import java.security.Key;
import java.security.Principal;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.xml.namespace.QName;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.n52.security.authentication.principals.AttributePrincipal;
import org.n52.security.authentication.principals.NamedScope;
import org.n52.security.authentication.principals.RolePrincipal;
import org.n52.security.authentication.principals.Scope;
import org.n52.security.authentication.principals.UsernameIDPrincipal;
import org.n52.security.common.attributes.Attribute;
import org.n52.security.common.attributes.AttributeValue;
import org.n52.security.common.attributes.DateAttributeValue;
import org.n52.security.common.attributes.StringAttributeValue;
import org.n52.security.common.util.StringUtils;
import org.n52.security.common.xml.DOMParser;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAttribute;
import org.opensaml.SAMLAttributeStatement;
import org.opensaml.SAMLAuthenticationStatement;
import org.opensaml.SAMLException;
import org.opensaml.SAMLNameIdentifier;
import org.opensaml.SAMLStatement;
import org.opensaml.SAMLSubject;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

/* loaded from: input_file:org/n52/security/authentication/SAMLTicket.class */
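/**
 * Wrapper around a SAML 1.x {@code <samlp:Response>} or a bare {@code <saml:Assertion>} that is
 * used as an authentication ticket.
 *
 * <p>A ticket always holds exactly one assertion ({@link #m_samlAssertion}). When it was built
 * from a response, the response is kept too ({@link #m_samlResponse}) and only the FIRST
 * assertion of that response is used; further assertions are ignored with a warning. The class
 * offers signature verification ({@link #verify()}, {@link #verify(Certificate)}), validity-window
 * checks ({@link #isExpired()}, {@link #isExpired(long)}), conversion of the assertion's
 * statements into JAAS principals ({@link #asSubject()}) and the reverse direction: issuing a
 * signed ticket from an {@link AuthenticationContext}.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>Nothing in this class verifies a ticket implicitly. {@link #asSubject()} and
 *       {@code updateSubject(...)} read identity and roles straight out of the assertion, so a
 *       caller MUST run {@link #verify(Certificate)} with the issuer's trusted certificate AND
 *       {@link #isExpired()} before trusting the resulting principals.</li>
 *   <li>Only the {@code NotBefore}/{@code NotOnOrAfter} window is evaluated. Audience
 *       restrictions, recipient, {@code InResponseTo} and any other conditions are not inspected
 *       here; a ticket without these two timestamps never expires.</li>
 *   <li>XML parsing goes through {@code DOMParser.createNew()}. Whether that parser disables DTDs
 *       and external entities is not visible in this class and should be confirmed, since ticket
 *       strings typically arrive over the network.</li>
 *   <li>Issued tickets are signed with RSA/SHA-1 ({@link #SIGNATURE_ALGORITHM}); whether the
 *       OpenSAML/xmlsec version in use supports a stronger algorithm should be checked.</li>
 * </ul>
 */
public class SAMLTicket {
    private static final Log LOG = LogFactory.getLog(SAMLTicket.class);

    /** Name of the subject attribute carrying the authentication instant (a {@link DateAttributeValue}). */
    public static final String SUBJECT_ATTRIBUTE_AUTH_INSTANT = "authInstant";
    /** Name of the subject attribute carrying the authentication method URI (a {@link StringAttributeValue}). */
    public static final String SUBJECT_ATTRIBUTE_AUTH_METHOD = "authMethod";

    private static final String SAML_PROTOCOL_NS = "urn:oasis:names:tc:SAML:1.0:protocol";
    private static final String SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    /** Attribute name under which roles are exchanged when the caller does not name one (null). */
    private static final String DEFAULT_ROLE_ATTRIBUTE = "urn:conterra:names:sdi-suite:policy:attribute:role";
    private static final String NAMEID_FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";
    private static final String SIGNATURE_ALGORITHM = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    /** Attribute namespace used when the caller passes none. */
    private static final String DEFAULT_ATTRIBUTE_NAMESPACE = "def";
    private static final QName XSD_STRING = new QName("http://www.w3.org/2001/XMLSchema", "string");

    /** Enclosing response, or {@code null} when the ticket was built from a bare assertion. */
    protected org.opensaml.SAMLResponse m_samlResponse;
    /** The single assertion this ticket represents; never {@code null} after construction. */
    protected SAMLAssertion m_samlAssertion;

    /**
     * Parses {@code samlXml} (a serialized response or assertion) and wraps it.
     *
     * @param samlXml untrusted XML text; see the class notes regarding parser hardening
     * @throws SAMLException if OpenSAML rejects the document
     * @throws IllegalArgumentException if the root element is neither a SAML 1.0 Response nor Assertion,
     *                                  or a Response carries no assertion
     */
    public SAMLTicket(String samlXml) throws SAMLException {
        this(DOMParser.createNew().parse(new InputSource(new StringReader(samlXml))));
    }

    /**
     * Wraps the document's root element; see {@link #SAMLTicket(Element)}.
     */
    public SAMLTicket(Document document) throws SAMLException {
        this(document.getDocumentElement());
    }

    /**
     * Wraps a {@code <Response>} ({@value #SAML_PROTOCOL_NS}) or {@code <Assertion>}
     * ({@value #SAML_ASSERTION_NS}) element. The decision is made on namespace URI plus local
     * name, so both prefixed ({@code samlp:Response}) and default-namespace forms are accepted.
     *
     * @throws SAMLException if OpenSAML rejects the element
     * @throws IllegalArgumentException for any other element, or a Response without assertion
     */
    public SAMLTicket(Element element) throws SAMLException {
        String localName = element.getLocalName();
        if (localName == null) {
            // DOM level-1 node without namespace support: fall back to the qualified name.
            localName = element.getNodeName();
        }
        String namespace = element.getNamespaceURI();
        if (SAML_PROTOCOL_NS.equals(namespace) && "Response".equals(localName)) {
            this.m_samlResponse = new org.opensaml.SAMLResponse(element);
            this.m_samlAssertion = firstAssertion(this.m_samlResponse);
        } else if (SAML_ASSERTION_NS.equals(namespace) && "Assertion".equals(localName)) {
            this.m_samlAssertion = new SAMLAssertion(element);
        } else {
            throw new IllegalArgumentException("element <" + element.getNodeName() + "> with namespace <" + namespace + "> is not supported.");
        }
    }

    /**
     * Wraps an already parsed response; its first assertion becomes the ticket's assertion.
     *
     * @throws IllegalArgumentException if {@code sAMLResponse} is null or holds no assertion
     */
    public SAMLTicket(org.opensaml.SAMLResponse sAMLResponse) throws SAMLException {
        if (sAMLResponse == null) {
            throw new IllegalArgumentException("<samlResponse> must not null");
        }
        this.m_samlResponse = sAMLResponse;
        this.m_samlAssertion = firstAssertion(sAMLResponse);
    }

    /**
     * Wraps a bare assertion (no enclosing response).
     *
     * @throws IllegalArgumentException if {@code sAMLAssertion} is null
     */
    public SAMLTicket(SAMLAssertion sAMLAssertion) throws SAMLException {
        if (sAMLAssertion == null) {
            throw new IllegalArgumentException("<samlAssertion> must not null");
        }
        this.m_samlAssertion = sAMLAssertion;
    }

    /**
     * Returns the first assertion of {@code response}, warning if there are more (they are ignored).
     *
     * @throws IllegalArgumentException if the response carries no assertion
     */
    private static SAMLAssertion firstAssertion(org.opensaml.SAMLResponse response) {
        Iterator assertions = response.getAssertions();
        if (!assertions.hasNext()) {
            throw new IllegalArgumentException("<samlResponse> contains no saml assertion!");
        }
        SAMLAssertion first = (SAMLAssertion) assertions.next();
        if (assertions.hasNext()) {
            LOG.warn("SAMLResponse contains more than one assertion, only the first is used!");
        }
        return first;
    }

    /**
     * Verifies the signatures on the response (if present) and on the assertion WITHOUT supplying a
     * trust anchor. No certificate is handed to OpenSAML here, so as far as this class is concerned
     * the check can only rely on key material the signature itself carries (its KeyInfo): it shows
     * the document was not altered after signing, not that a trusted issuer signed it. For an
     * authentication decision use {@link #verify(Certificate)} with the issuer's known certificate.
     * NOTE(review): confirm how the OpenSAML version in use resolves the key for the no-argument
     * {@code verify()} and what it does for an unsigned object.
     *
     * @throws SAMLException if a signature does not verify
     */
    public void verify() throws SAMLException {
        if (this.m_samlResponse != null) {
            this.m_samlResponse.verify();
        }
        if (this.m_samlAssertion != null) {
            this.m_samlAssertion.verify();
        }
    }

    /**
     * Verifies every signature that is present against {@code certificate} and requires that at
     * least one of response or assertion is signed. A signed response envelops the assertion, so
     * either signature alone is accepted; if both are present both must verify.
     *
     * <p>Expiry and conditions are NOT checked here; call {@link #isExpired()} as well.
     *
     * @param certificate the trusted signing certificate; {@code null} degrades to {@link #verify()}
     *                    (no trust anchor — avoid for untrusted input)
     * @throws SAMLException if a present signature fails to verify, or nothing is signed
     */
    public void verify(Certificate certificate) throws SAMLException {
        if (certificate == null) {
            verify();
            return;
        }
        boolean responseVerified = false;
        if (this.m_samlResponse != null && this.m_samlResponse.isSigned()) {
            this.m_samlResponse.verify(certificate);
            responseVerified = true;
        }
        boolean assertionVerified = false;
        if (this.m_samlAssertion != null && this.m_samlAssertion.isSigned()) {
            this.m_samlAssertion.verify(certificate);
            assertionVerified = true;
        }
        if (!responseVerified && !assertionVerified) {
            throw new SAMLException("SAML Response and/or Assertion are not signed!");
        }
    }

    /** Equivalent to {@code isExpired(0L)}: no clock-skew tolerance. */
    public boolean isExpired() {
        return isExpired(0L);
    }

    /**
     * Checks the assertion's validity window against the local clock.
     *
     * <p>"Expired" here means outside the window in either direction: not yet valid
     * ({@code NotBefore - tolerance > now}) or already over ({@code NotOnOrAfter + tolerance <= now}).
     * A missing {@code NotBefore} or {@code NotOnOrAfter} is simply not checked, so an assertion
     * without conditions never expires — issuers should always set both.
     *
     * @param toleranceMillis clock-skew allowance in milliseconds, widening the window on both
     *                        ends; a negative value narrows it
     * @return {@code true} if the ticket must not be accepted right now
     */
    public boolean isExpired(long toleranceMillis) {
        long now = System.currentTimeMillis();
        Date notBefore = this.m_samlAssertion.getNotBefore();
        if (notBefore != null && notBefore.getTime() - toleranceMillis > now) {
            return true;
        }
        Date notOnOrAfter = this.m_samlAssertion.getNotOnOrAfter();
        return notOnOrAfter != null && notOnOrAfter.getTime() + toleranceMillis <= now;
    }

    /** @return the assertion's {@code NotOnOrAfter}, or {@code null} if not set */
    public Date getNotOnOrAfter() {
        return this.m_samlAssertion.getNotOnOrAfter();
    }

    /** @return the assertion's {@code NotBefore}, or {@code null} if not set */
    public Date getNotBefore() {
        return this.m_samlAssertion.getNotBefore();
    }

    /** Serialized response when present, otherwise the serialized assertion. */
    private String rawXml() {
        return this.m_samlResponse != null ? this.m_samlResponse.toString() : this.m_samlAssertion.toString();
    }

    /** @return the ticket as XML text (response if present, else assertion) */
    public String asString() {
        return rawXml();
    }

    /** @return {@link #asString()} Base64-encoded; this is the bearer credential, treat it as a secret */
    public String asBase64String() {
        return StringUtils.encodeBase64(rawXml());
    }

    /** @return the assertion alone, Base64-encoded (the enclosing response is dropped) */
    public String getAssertionAsBase64String() {
        return StringUtils.encodeBase64(this.m_samlAssertion.toString());
    }

    /**
     * Re-parses the serialized assertion into a fresh DOM element.
     * Each call performs a serialize/parse round trip.
     */
    public Element getAssertionAsDOM() {
        return DOMParser.createNew().parse(new InputSource(new StringReader(this.m_samlAssertion.toString()))).getDocumentElement();
    }

    /**
     * Builds a new JAAS subject from the assertion with no role mapping (all attributes become
     * {@link AttributePrincipal}s). Does NOT verify the ticket — see the class notes.
     */
    public Subject asSubject() {
        Subject subject = new Subject();
        updateSubject(subject);
        return subject;
    }

    /**
     * Builds a new JAAS subject from the assertion; see {@link #updateSubject(Subject, String)}.
     */
    public Subject asSubject(String roleAttributeName) {
        Subject subject = new Subject();
        updateSubject(subject, roleAttributeName);
        return subject;
    }

    /**
     * Adds the assertion's principals to {@code subject} with no role mapping.
     */
    public void updateSubject(Subject subject) {
        updateSubject(subject, "");
    }

    /**
     * Adds the principals derived from the assertion to {@code subject}:
     * a {@link UsernameIDPrincipal} (scoped by the name qualifier) plus authInstant/authMethod
     * {@link AttributePrincipal}s from each AuthenticationStatement, and one principal per
     * attribute value from each AttributeStatement — a {@link RolePrincipal} when the attribute
     * name equals {@code roleAttributeName}, otherwise an {@link AttributePrincipal}.
     *
     * <p>No signature or expiry check happens here; callers must verify first.
     *
     * @param subject           target subject, must not be null
     * @param roleAttributeName attribute name whose values become roles; {@code null} selects
     *                          {@value #DEFAULT_ROLE_ATTRIBUTE}, the empty string disables role mapping
     * @throws IllegalArgumentException if {@code subject} is null
     * @throws IllegalStateException if an AuthenticationStatement carries no NameIdentifier
     */
    public void updateSubject(Subject subject, String roleAttributeName) {
        if (subject == null) {
            throw new IllegalArgumentException("Subject must not be null.");
        }
        if (roleAttributeName == null) {
            roleAttributeName = DEFAULT_ROLE_ATTRIBUTE;
        }
        subject.getPrincipals().addAll(retrievePrincipals(roleAttributeName));
    }

    /**
     * Collects the principals of all statements in the assertion. Statements are taken at face
     * value; there is no check that all statements refer to the same subject.
     */
    private Set<Principal> retrievePrincipals(String roleAttributeName) {
        Set<Principal> principals = new HashSet<Principal>();
        Iterator statements = this.m_samlAssertion.getStatements();
        while (statements.hasNext()) {
            SAMLStatement statement = (SAMLStatement) statements.next();
            if (statement instanceof SAMLAuthenticationStatement) {
                addAuthenticationPrincipals(principals, (SAMLAuthenticationStatement) statement);
            } else if (statement instanceof SAMLAttributeStatement) {
                addAttributePrincipals(principals, (SAMLAttributeStatement) statement, roleAttributeName);
            }
        }
        return principals;
    }

    /**
     * Maps one AuthenticationStatement to a scoped {@link UsernameIDPrincipal} and, when present,
     * authInstant / authMethod attribute principals.
     *
     * @throws IllegalStateException if the statement has no NameIdentifier (a ticket that does not
     *                               identify anybody must not yield principals)
     */
    private static void addAuthenticationPrincipals(Set<Principal> principals, SAMLAuthenticationStatement statement) {
        SAMLSubject samlSubject = statement.getSubject();
        SAMLNameIdentifier nameId = samlSubject == null ? null : samlSubject.getNameIdentifier();
        if (nameId == null) {
            throw new IllegalStateException("AuthenticationStatement carries no NameIdentifier; the ticket identifies no user.");
        }
        String nameQualifier = nameId.getNameQualifier();
        // A missing qualifier means the global scope; otherwise the qualifier names the scope.
        principals.add(new UsernameIDPrincipal(nameId.getName(), nameQualifier == null ? Scope.GLOBAL : new NamedScope(nameQualifier)));
        Date authInstant = statement.getAuthInstant();
        if (authInstant != null) {
            principals.add(new AttributePrincipal(new Attribute(SUBJECT_ATTRIBUTE_AUTH_INSTANT, new DateAttributeValue(authInstant))));
        }
        String authMethod = statement.getAuthMethod();
        if (authMethod != null) {
            principals.add(new AttributePrincipal(new Attribute(SUBJECT_ATTRIBUTE_AUTH_METHOD, new StringAttributeValue(authMethod))));
        }
    }

    /**
     * Maps every attribute value of an AttributeStatement to a principal: a {@link RolePrincipal}
     * when the attribute is the (non-empty) role attribute, else an {@link AttributePrincipal}.
     */
    private static void addAttributePrincipals(Set<Principal> principals, SAMLAttributeStatement statement, String roleAttributeName) {
        Iterator attributes = statement.getAttributes();
        while (attributes.hasNext()) {
            SAMLAttribute attribute = (SAMLAttribute) attributes.next();
            String attributeName = attribute.getName();
            boolean isRoleAttribute = roleAttributeName.length() > 0 && roleAttributeName.equals(attributeName);
            Iterator values = attribute.getValues();
            while (values.hasNext()) {
                String value = (String) values.next();
                if (isRoleAttribute) {
                    principals.add(new RolePrincipal(value));
                } else {
                    principals.add(new AttributePrincipal(attributeName, value));
                }
            }
        }
    }

    /**
     * Convenience overload: no attribute namespace (defaults to {@value #DEFAULT_ATTRIBUTE_NAMESPACE}),
     * the response is signed as well, and no attribute filter.
     * See {@link #createSAMLTicketFromPrincipals} for the parameters.
     */
    public static String createSAMLResponseFromPrincipals(AuthenticationContext authenticationContext, String roleAttributeName, String issuer, String recipient, int validitySeconds, String authenticationMethod, Key signingKey, Certificate signingCertificate, boolean encodeBase64) throws SAMLException, IOException {
        return createSAMLResponseFromPrincipals(authenticationContext, roleAttributeName, null, issuer, recipient, validitySeconds, authenticationMethod, signingKey, signingCertificate, encodeBase64, true, null);
    }

    /**
     * Issues a ticket (see {@link #createSAMLTicketFromPrincipals}) and serializes it.
     *
     * @param encodeBase64 {@code true} returns {@link #asBase64String()}, otherwise {@link #asString()}
     */
    public static String createSAMLResponseFromPrincipals(AuthenticationContext authenticationContext, String roleAttributeName, String attributeNamespace, String issuer, String recipient, int validitySeconds, String authenticationMethod, Key signingKey, Certificate signingCertificate, boolean encodeBase64, boolean signResponse, Set attributeFilter) throws SAMLException, IOException {
        SAMLTicket ticket = createSAMLTicketFromPrincipals(authenticationContext, roleAttributeName, attributeNamespace, issuer, recipient, validitySeconds, authenticationMethod, signingKey, signingCertificate, encodeBase64, signResponse, attributeFilter);
        return encodeBase64 ? ticket.asBase64String() : ticket.asString();
    }

    /**
     * Issues a SAML 1.x response holding one assertion for the authenticated subject of
     * {@code authenticationContext}. The assertion contains an AuthenticationStatement (subject
     * from the context's {@link UsernameIDPrincipal}, auth instant / method from the subject's
     * authInstant / authMethod attributes if present, else from the context / the
     * {@code authenticationMethod} argument) and, if the subject carries attributes or roles, an
     * AttributeStatement built by {@link #getAttributesFromSubject}.
     *
     * <p>The validity window is {@code [now, now + validitySeconds)}. The assertion is signed
     * first and then, if {@code signResponse} is set, the enveloping response; a
     * {@code null} certificate yields an UNSIGNED ticket even when a key is supplied.
     *
     * @param authenticationContext   source of subject and authentication time
     * @param roleAttributeName       attribute name under which the subject's roles are emitted
     *                                (presumably must not be null; it becomes a SAML attribute name)
     * @param attributeNamespace      SAML attribute namespace; {@code null} selects {@value #DEFAULT_ATTRIBUTE_NAMESPACE}
     * @param issuer                  assertion issuer
     * @param recipient               response recipient
     * @param validitySeconds         lifetime of the assertion in seconds from now
     * @param authenticationMethod    fallback authentication method URI
     * @param signingKey              private key used for signing (ignored when the certificate is null)
     * @param signingCertificate      certificate embedded in the signature; {@code null} disables signing
     * @param encodeBase64            unused here, kept for signature compatibility (see the String overloads)
     * @param signResponse            also sign the response, not only the assertion
     * @param attributeFilter         names of attributes to include; {@code null} or empty includes all
     * @throws IllegalArgumentException if the subject has no {@link UsernameIDPrincipal}
     * @throws IllegalStateException if OpenSAML refuses to clone the subject (should not happen)
     */
    public static SAMLTicket createSAMLTicketFromPrincipals(AuthenticationContext authenticationContext, String roleAttributeName, String attributeNamespace, String issuer, String recipient, int validitySeconds, String authenticationMethod, Key signingKey, Certificate signingCertificate, boolean encodeBase64, boolean signResponse, Set attributeFilter) throws SAMLException, IOException {
        Subject subject = authenticationContext.getSubject();
        UsernameIDPrincipal user = requireUsernamePrincipal(subject);
        Date authInstant = resolveAuthInstant(authenticationContext, subject);
        String authMethod = resolveAuthMethod(subject, authenticationMethod);

        // Validity window: NotBefore = now, NotOnOrAfter = now + validitySeconds. No backwards
        // skew is applied to NotBefore; consumers compensate through isExpired(long).
        Calendar notOnOrAfter = Calendar.getInstance();
        Calendar notBefore = (Calendar) notOnOrAfter.clone();
        notOnOrAfter.add(Calendar.SECOND, validitySeconds);

        SAMLSubject samlSubject = new SAMLSubject(new SAMLNameIdentifier(user.getName(), user.getScope().getName(), NAMEID_FORMAT_UNSPECIFIED), (Collection) null, (Element) null, (Object) null);
        ArrayList<SAMLStatement> statements = new ArrayList<SAMLStatement>();
        try {
            // Each statement gets its own copy of the subject; OpenSAML objects are single-parent.
            statements.add(new SAMLAuthenticationStatement((SAMLSubject) samlSubject.clone(), authMethod, authInstant, (String) null, (String) null, (Collection) null));
            Map<String, Collection<Object>> attributes = getAttributesFromSubject(subject, roleAttributeName, attributeFilter);
            ArrayList<SAMLAttribute> samlAttributes = new ArrayList<SAMLAttribute>();
            String namespace = attributeNamespace == null ? DEFAULT_ATTRIBUTE_NAMESPACE : attributeNamespace;
            for (Map.Entry<String, Collection<Object>> entry : attributes.entrySet()) {
                samlAttributes.add(new SAMLAttribute(entry.getKey(), namespace, XSD_STRING, 0L, entry.getValue()));
            }
            if (!samlAttributes.isEmpty()) {
                statements.add(new SAMLAttributeStatement((SAMLSubject) samlSubject.clone(), samlAttributes));
            }
        } catch (CloneNotSupportedException e) {
            // Do not sign and hand out an assertion with missing statements.
            LOG.error("Error during SAMLAuthentication Statement creation.", e);
            throw new IllegalStateException("Could not build SAML statements: " + e.getMessage());
        }

        SAMLAssertion assertion = new SAMLAssertion(issuer, notBefore.getTime(), notOnOrAfter.getTime(), (Collection) null, (Collection) null, statements);
        ArrayList<SAMLAssertion> assertions = new ArrayList<SAMLAssertion>(1);
        assertions.add(assertion);
        org.opensaml.SAMLResponse response = new org.opensaml.SAMLResponse((String) null, recipient, assertions, (SAMLException) null);
        if (LOG.isDebugEnabled()) {
            // This dumps every attribute value of the subject into the log; keep DEBUG off in production.
            LOG.debug("Generated SAMLResponse (yet unsigned):\n" + response.toString());
        }

        if (signingCertificate != null) {
            ArrayList<Certificate> chain = new ArrayList<Certificate>(1);
            chain.add(signingCertificate);
            // Inner-to-outer: sign the assertion first so an (optional) response signature covers it.
            assertion.sign(SIGNATURE_ALGORITHM, signingKey, chain);
            if (signResponse) {
                response.sign(SIGNATURE_ALGORITHM, signingKey, chain);
            }
        } else if (signingKey != null) {
            LOG.warn("No certificate supplied: the generated SAML ticket is NOT signed.");
        }
        return new SAMLTicket(response);
    }

    /**
     * Returns the subject's {@link UsernameIDPrincipal}. If the subject carries several, the one
     * returned first by the principal set's iterator is used (order not defined).
     *
     * @throws IllegalArgumentException if there is none
     */
    private static UsernameIDPrincipal requireUsernamePrincipal(Subject subject) {
        Iterator<UsernameIDPrincipal> users = subject.getPrincipals(UsernameIDPrincipal.class).iterator();
        if (!users.hasNext()) {
            throw new IllegalArgumentException("Subject contains no UsernameIDPrincipal; cannot issue a SAML ticket.");
        }
        return users.next();
    }

    /** The subject's authInstant attribute when set, else the context's authentication time. */
    private static Date resolveAuthInstant(AuthenticationContext context, Subject subject) {
        AttributeValue stored = SubjectUtil.getComplexAttributeValue(subject, SUBJECT_ATTRIBUTE_AUTH_INSTANT);
        if (stored != null && ((DateAttributeValue) stored).getValue() != null) {
            return ((DateAttributeValue) stored).getValue();
        }
        return context.getAuthenticationTime();
    }

    /** The subject's authMethod attribute when set, else {@code fallback}. */
    private static String resolveAuthMethod(Subject subject, String fallback) {
        AttributeValue stored = SubjectUtil.getComplexAttributeValue(subject, SUBJECT_ATTRIBUTE_AUTH_METHOD);
        if (stored != null && ((StringAttributeValue) stored).getValue() != null) {
            return ((StringAttributeValue) stored).getValue();
        }
        return fallback;
    }

    /**
     * Groups the subject's {@link AttributePrincipal} values by attribute name and appends the
     * subject's {@link RolePrincipal} names under {@code roleAttributeName}.
     *
     * <p>{@code attributeFilter}, when non-null and non-empty, whitelists attribute names — and the
     * roles are only emitted if it also contains {@code roleAttributeName}. The authInstant and
     * authMethod attributes are always skipped here because they travel in the
     * AuthenticationStatement. Note that the role list REPLACES any plain attribute that happens
     * to share the role attribute's name.
     */
    private static Map<String, Collection<Object>> getAttributesFromSubject(Subject subject, String roleAttributeName, Set attributeFilter) {
        boolean filterActive = attributeFilter != null && !attributeFilter.isEmpty();
        Map<String, Collection<Object>> attributes = new HashMap<String, Collection<Object>>();
        for (AttributePrincipal principal : subject.getPrincipals(AttributePrincipal.class)) {
            String name = principal.getName();
            if (filterActive && !attributeFilter.contains(name)) {
                continue;
            }
            if (SUBJECT_ATTRIBUTE_AUTH_INSTANT.equals(name) || SUBJECT_ATTRIBUTE_AUTH_METHOD.equals(name)) {
                continue;
            }
            Collection<Object> values = attributes.get(name);
            if (values == null) {
                values = new LinkedList<Object>();
                attributes.put(name, values);
            }
            values.add(principal.getValue());
        }
        if (filterActive && !attributeFilter.contains(roleAttributeName)) {
            return attributes;
        }
        LinkedList<Object> roles = new LinkedList<Object>();
        for (RolePrincipal role : subject.getPrincipals(RolePrincipal.class)) {
            roles.add(role.getName());
        }
        if (!roles.isEmpty()) {
            attributes.put(roleAttributeName, roles);
        }
        return attributes;
    }
}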
