package org.n52.security.authentication.saml2;

import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Set;
import javax.security.auth.callback.Callback;
import javax.security.auth.login.CredentialException;
import javax.security.auth.login.LoginException;
import org.n52.security.authentication.callbacks.CredentialCallback;
import org.n52.security.authentication.loginmodule.AbstractLoginModule;
import org.n52.security.common.crypto.KeyPairProvider;
import org.n52.security.common.xml.DOMSerializer;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.StaticCredentialResolver;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/n52/security/authentication/saml2/SAML2AssertionLoginModule.class */
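public class SAML2AssertionLoginModule extends AbstractLoginModule {
    private static final Logger LOG = LoggerFactory.getLogger(SAML2AssertionLoginModule.class);
    private static final long serialVersionUID = 5110666428237462401L;
    /** Option key for the {@link KeyPairProvider} that holds the trusted issuer keys, looked up by issuer entity ID. */
    private static final String OPTION_TRUSTED_CERTS_PROVIDER = "trustedCertsProvider";
    /** Option key for the {@link AssertionAttributeMapper} that copies assertion attributes onto the subject at commit. */
    private static final String OPTION_ATTRIBUTE_MAPPER = "attributeMapper";
    // Set only once the assertion's signature has been verified; null until then and again after clearAuthenticationState().
    private Assertion m_assertion;
    private AssertionAttributeMapper m_attributeMapper;
    private KeyPairProvider m_trustedCertsProvider;

    /**
     * Obtains a SAML 2 assertion credential (from the callback handler first, then from the subject's public
     * credentials) and accepts it if its XML signature verifies against the key registered for the asserted issuer.
     *
     * @return {@code false} if no assertion credential is available (this module is skipped) or the signature is
     *         not trusted; {@code true} if the signature verified
     * @throws LoginException if the trusted-certs provider option is missing, the assertion names no issuer, or
     *         signature verification itself fails
     */
    protected boolean performLogin() throws LoginException {
        CredentialCallback credentialCallback = new CredentialCallback(SAML2AssertionCredential.class);
        handleCallbacks(new Callback[]{credentialCallback});
        SAML2AssertionCredential credential = (SAML2AssertionCredential) credentialCallback.getCredential();
        if (credential == null) {
            credential = getCredentialFromPublicCredentials();
        }
        if (credential == null) {
            LOG.debug("No SAML 2 assertion credential available. Skipping login for this module.");
            return false;
        }
        if (this.m_trustedCertsProvider == null) {
            throw new LoginException("Login module option '" + OPTION_TRUSTED_CERTS_PROVIDER
                    + "' is not configured; cannot verify assertion signatures.");
        }
        Assertion assertion = credential.getAssertion();
        if (assertion == null) {
            LOG.debug("SAML 2 assertion credential carries no assertion. Skipping login for this module.");
            return false;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("saml2 assertion to process: {}", DOMSerializer.createNew().serializeToString(assertion.getDOM()));
        }
        // The verification key is selected by the issuer the assertion itself claims. That claim is only
        // trustworthy once the signature check below succeeds with the key registered for that issuer.
        if (assertion.getIssuer() == null || assertion.getIssuer().getValue() == null) {
            throw new CredentialException("SAML 2 assertion has no issuer; cannot select a trusted verification key.");
        }
        String issuer = assertion.getIssuer().getValue();
        // NOTE(review): if resolveByAlias() returns null for an unknown issuer this surfaces as a
        // NullPointerException — confirm the provider's contract and map that case to a CredentialException.
        PublicKey publicKey = this.m_trustedCertsProvider.resolveByAlias(issuer, (char[]) null).getPublicKey();
        boolean trusted = validateAssertion(assertion, publicKey);
        // Retain the assertion only once it is trusted, so a later commit never maps attributes from an
        // unverified assertion.
        if (trusted) {
            this.m_assertion = assertion;
        }
        return trusted;
    }

    /**
     * Verifies the assertion's enveloped XML signature and checks that it was produced by {@code publicKey}
     * (explicit-key trust: a key carried only in the signature's KeyInfo is not accepted on its own).
     * Only signature trust is established here; assertion conditions such as NotBefore/NotOnOrAfter or
     * AudienceRestriction are not evaluated in this module.
     *
     * @param assertion the assertion whose signature is verified; must carry a signature
     * @param publicKey the single key trusted for this issuer
     * @return {@code true} if the signature is valid and trusted, {@code false} if it is not trusted
     * @throws CredentialException if the assertion is unsigned or verification fails with an error
     */
    private boolean validateAssertion(Assertion assertion, PublicKey publicKey) throws CredentialException {
        Signature signature = assertion.getSignature();
        if (signature == null) {
            throw new CredentialException("Assertion is not signed; cannot validate assertion signature.");
        }
        ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(
                new StaticCredentialResolver(SecurityHelper.getSimpleCredential(publicKey, (PrivateKey) null)),
                SecurityHelper.buildBasicInlineKeyInfoResolver());
        // The criteria set is required by the API; the entity ID is a placeholder, presumably not consulted by
        // a StaticCredentialResolver that always returns its fixed credential — confirm before relying on it.
        CriteriaSet criteriaSet = new CriteriaSet();
        criteriaSet.add(new EntityIDCriteria("foo"));
        try {
            return trustEngine.validate(signature, criteriaSet);
        } catch (SecurityException e) {
            LOG.info("Assertion signature verification failed for assertion:\n" + DOMSerializer.createNew().serializeToString(assertion.getDOM()));
            // CredentialException has no cause constructor; keep the underlying error reachable for diagnosis.
            CredentialException failure = new CredentialException("Validating assertion signature failed.");
            failure.initCause(e);
            throw failure;
        }
    }

    /**
     * Looks for a {@link SAML2AssertionCredential} among the subject's public credentials.
     *
     * @return the first such credential in the set's iteration order (unspecified if several are present),
     *         or {@code null} if there is none
     */
    private SAML2AssertionCredential getCredentialFromPublicCredentials() {
        Set<SAML2AssertionCredential> publicCredentials = getSubject().getPublicCredentials(SAML2AssertionCredential.class);
        if (publicCredentials.isEmpty()) {
            return null;
        }
        return publicCredentials.iterator().next();
    }

    /** Drops the verified assertion so an aborted or logged-out session cannot reuse it. */
    protected void clearAuthenticationState() throws LoginException {
        this.m_assertion = null;
    }

    /**
     * Maps the verified assertion's attributes onto the local subject.
     *
     * @throws LoginException if the attribute mapper option is not configured
     */
    protected void prepareCommitState() throws LoginException {
        if (this.m_attributeMapper == null) {
            throw new LoginException("Login module option '" + OPTION_ATTRIBUTE_MAPPER
                    + "' is not configured; cannot map assertion attributes.");
        }
        this.m_attributeMapper.mapAttributes(this.m_assertion, getLocalSubject());
    }

    /**
     * Reads the collaborators from the module options. Either may be absent; missing values are reported
     * when they are first needed (performLogin / prepareCommitState) rather than here.
     */
    protected void initialize() {
        this.m_trustedCertsProvider = (KeyPairProvider) getOptions().getAs(OPTION_TRUSTED_CERTS_PROVIDER, KeyPairProvider.class);
        this.m_attributeMapper = (AssertionAttributeMapper) getOptions().getAs(OPTION_ATTRIBUTE_MAPPER, AssertionAttributeMapper.class);
    }

    /** @return the fully qualified class name, used as this module's description */
    protected String getDescription() {
        return getClass().getName();
    }
}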
