package org.n52.security.authentication.loginmodule;

import java.security.Principal;
import java.util.Iterator;
import javax.security.auth.callback.Callback;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.apache.axis.transport.jms.JMSConstants;
import org.apache.bcel.Constants;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.n52.security.authentication.SAMLCredential;
import org.n52.security.authentication.SAMLTicket;
import org.n52.security.authentication.callbacks.CredentialCallback;
import org.n52.security.authentication.principals.AttributePrincipal;
import org.n52.security.authentication.principals.RolePrincipal;
import org.n52.security.common.crypto.KeyPair;
import org.opensaml.SAMLException;

/* loaded from: input_file:lib/52n-security-authentication-2.2-SNAPSHOT.jar:org/n52/security/authentication/loginmodule/SAMLTicketLoginModule.class */
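/**
 * JAAS login module that authenticates a {@link SAMLCredential} (a SAML ticket).
 *
 * <p>The credential is obtained from a {@link CredentialCallback}; when the callback handler
 * does not supply one, a credential already present in the Subject's public credentials is
 * used instead. Unless {@link #OPTION_NO_VALIDATION} is set, the ticket signature is verified
 * against the certificate of the configured {@link #OPTION_VALIDATION_KEYPAIR} — for tickets
 * from both sources. An expired ticket is rejected with {@link CredentialExpiredException}.
 *
 * <p>On commit, the principals of the ticket are added to the Subject; attribute principals
 * whose name matches {@link #OPTION_SAML_ROLE_ATTRIBUTE_NAME} are added as {@link RolePrincipal}s.
 *
 * <p>Not thread-safe: one instance per login context, as is usual for JAAS modules.
 */
public class SAMLTicketLoginModule extends AbstractLoginModule {
    /** Option key: the {@link KeyPair} whose certificate verifies the ticket signature. */
    public static final String OPTION_VALIDATION_KEYPAIR = "validationKeyPair";
    /** Option key: when {@code true}, no key pair is read and the ticket signature is never verified. */
    public static final String OPTION_NO_VALIDATION = "noValidation";
    /** Option key: offset handed to {@link SAMLTicket#isExpired(long)}; unit/semantics defined by the ticket. */
    public static final String OPTION_EXPIRED_TIME_OFFSET = "expiredTimeOffset";
    /** Option key: name of the SAML attribute whose values are mapped to {@link RolePrincipal}s. */
    public static final String OPTION_SAML_ROLE_ATTRIBUTE_NAME = "SAMLRoleAttributeName";
    private static final Log LOG = LogFactory.getLog(SAMLTicketLoginModule.class);
    private static final long serialVersionUID = 2631946285948582729L;
    /**
     * Default for {@link #OPTION_EXPIRED_TIME_OFFSET}. The decompiled source resolved the original
     * numeric literal to an unrelated Axis JMS constant; the value is kept unchanged here, but the
     * intended default should be restored as a plain literal once known (TODO) so that the module
     * does not depend on Axis for a number.
     */
    private static final long DEFAULT_EXPIRED_TIME_OFFSET = JMSConstants.DEFAULT_TIMEOUT_TIME;
    /** Certificate source for signature verification; {@code null} only when noValidation is set. */
    private KeyPair m_validationKeyPair;
    /** The credential accepted by {@link #performLogin()}; {@code null} until login succeeds. */
    private SAMLCredential m_samlCredential;
    private long m_expiredTimeOffset;
    /** True when the credential came from the Subject rather than the callback (it must not be added twice). */
    private boolean m_ticketFromPublicCredentials;
    private String m_samlRoleAttributeName;

    @Override // org.n52.security.authentication.loginmodule.AbstractLoginModule
    protected String getDescription() {
        // The original pre-sized StringBuffer only affected allocation, not the resulting text.
        return "The authentication is performed through the '" + SAMLTicketLoginModule.class.getName()
                + "' login module. It requires a SAML Response.";
    }

    @Override // org.n52.security.authentication.loginmodule.AbstractLoginModule
    protected void clearAuthenticationState() throws LoginException {
        this.m_ticketFromPublicCredentials = false;
        this.m_samlCredential = null;
    }

    /**
     * Reads the module options.
     *
     * @throws IllegalArgumentException if validation is enabled and no key pair, or a key pair
     *         without certificate and certificate chain, is configured
     */
    @Override // org.n52.security.authentication.loginmodule.AbstractLoginModule
    protected void initialize() {
        Options options = getOptions();
        if (!options.is(OPTION_NO_VALIDATION, false)) {
            this.m_validationKeyPair = (KeyPair) options.getAs(OPTION_VALIDATION_KEYPAIR, KeyPair.class);
            // Report a missing key pair at configuration time instead of failing with an NPE below.
            if (this.m_validationKeyPair == null) {
                throw new IllegalArgumentException(
                        "The property <validationKeyPair> is required unless <noValidation> is set");
            }
            if (!this.m_validationKeyPair.isCertificateSet() && !this.m_validationKeyPair.isCertificateChainSet()) {
                throw new IllegalArgumentException("The property <validationKeyPair> contains no valid certificate");
            }
        }
        this.m_samlRoleAttributeName = options.getAsString(OPTION_SAML_ROLE_ATTRIBUTE_NAME, "");
        this.m_expiredTimeOffset = options.getAsLong(OPTION_EXPIRED_TIME_OFFSET, DEFAULT_EXPIRED_TIME_OFFSET);
    }

    /**
     * Obtains and validates the SAML credential.
     *
     * @return {@code true} if a credential was found and accepted; {@code false} if no credential
     *         is available (this module is then skipped)
     * @throws CredentialExpiredException if the ticket is expired
     * @throws FailedLoginException if signature verification fails (the {@link SAMLException} is the cause)
     * @throws LoginException propagated from callback handling
     */
    @Override // org.n52.security.authentication.loginmodule.AbstractLoginModule
    public boolean performLogin() throws LoginException {
        CredentialCallback credentialCallback = new CredentialCallback(SAMLCredential.class);
        handleCallbacks(new Callback[]{credentialCallback});
        SAMLCredential credential = (SAMLCredential) credentialCallback.getCredential();
        if (credential == null) {
            // Fall back to a ticket already placed in the Subject (e.g. by an earlier module) and
            // remember its origin so prepareCommitState() does not add it a second time.
            Iterator<SAMLCredential> it = getSubject().getPublicCredentials(SAMLCredential.class).iterator();
            if (it.hasNext()) {
                credential = it.next();
                this.m_ticketFromPublicCredentials = true;
            }
        }
        if (credential == null) {
            if (LOG.isInfoEnabled()) {
                LOG.info("No credentials for module <" + getClass().getName() + "> available, skip login.");
            }
            return false;
        }
        SAMLTicket ticket = credential.getSAMLTicket();
        try {
            // Verified for tickets from both sources; skipped only when <noValidation> left the key pair null.
            if (this.m_validationKeyPair != null) {
                ticket.verify(this.m_validationKeyPair.getCertificate());
            }
            if (ticket.isExpired(this.m_expiredTimeOffset)) {
                throw new CredentialExpiredException("SAML Credential expired");
            }
            this.m_samlCredential = credential;
            return true;
        } catch (SAMLException e) {
            // FailedLoginException has no (message, cause) constructor; attach the cause explicitly
            // so the verification failure is not reduced to its toString() in the message.
            FailedLoginException failure = new FailedLoginException("Invalid SAML Credential. Reason: " + e);
            failure.initCause(e);
            throw failure;
        }
    }

    /**
     * Adds the accepted credential (unless it already was a public credential) and the ticket's
     * principals to the Subject, mapping the configured role attribute to {@link RolePrincipal}s.
     */
    @Override // org.n52.security.authentication.loginmodule.AbstractLoginModule
    protected void prepareCommitState() throws LoginException {
        // NOTE(review): assumes the superclass calls this only after performLogin() returned true,
        // i.e. m_samlCredential is non-null — confirm against AbstractLoginModule.
        if (!this.m_ticketFromPublicCredentials) {
            addPublicCredential(this.m_samlCredential);
        }
        SAMLTicket ticket = this.m_samlCredential.getSAMLTicket();
        for (Principal principal : ticket.asSubject(this.m_samlRoleAttributeName).getPrincipals()) {
            // Values of the role attribute become roles; every other principal is passed through.
            if (principal instanceof AttributePrincipal && this.m_samlRoleAttributeName.equals(principal.getName())) {
                addPrincipal(new RolePrincipal(((AttributePrincipal) principal).getValue()));
            } else {
                addPrincipal(principal);
            }
        }
    }
}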
