package org.n52.security.authentication.loginmodule;

import java.security.Principal;
import java.util.Iterator;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.n52.security.authentication.SAMLCredential;
import org.n52.security.authentication.SAMLTicket;
import org.n52.security.authentication.callbacks.CredentialCallback;
import org.n52.security.authentication.principals.AttributePrincipal;
import org.n52.security.authentication.principals.RolePrincipal;
import org.n52.security.common.crypto.KeyPair;
import org.opensaml.SAMLException;

/* loaded from: input_file:org/n52/security/authentication/loginmodule/SAMLTicketLoginModule.class */
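/**
 * JAAS login module that authenticates a subject from a SAML ticket.
 *
 * <p>The ticket is taken from a {@link SAMLCredential} obtained through a
 * {@link CredentialCallback}; if the callback handler supplies none, the first
 * {@link SAMLCredential} already present among the subject's public credentials
 * is used instead (and is then not added to the subject a second time on commit).
 * Unless the {@value #OPTION_NO_VALIDATION} option is set, the ticket is verified
 * against the certificate of the configured {@value #OPTION_VALIDATION_KEYPAIR}
 * before its expiry is checked with {@value #OPTION_EXPIRED_TIME_OFFSET} as slack.
 * On commit every principal of the ticket's subject is added to the authenticated
 * subject; attribute principals whose name equals
 * {@value #OPTION_SAML_ROLE_ATTRIBUTE_NAME} are mapped to {@link RolePrincipal}s.
 *
 * <p>Options:
 * <ul>
 *   <li>{@value #OPTION_VALIDATION_KEYPAIR} – key pair whose certificate (or
 *       certificate chain) validates the ticket; required unless validation is disabled</li>
 *   <li>{@value #OPTION_NO_VALIDATION} – when {@code true} the ticket is accepted
 *       without any signature verification, only the expiry check remains
 *       (default {@code false})</li>
 *   <li>{@value #OPTION_EXPIRED_TIME_OFFSET} – tolerance passed to
 *       {@link SAMLTicket#isExpired}; default 5000 (unit as defined by that method,
 *       presumably milliseconds – confirm against SAMLTicket)</li>
 *   <li>{@value #OPTION_SAML_ROLE_ATTRIBUTE_NAME} – name of the SAML attribute
 *       carrying roles; default {@code ""}</li>
 * </ul>
 *
 * <p>Instances hold per-login state and are not thread-safe, as is usual for
 * JAAS login modules.
 */
public class SAMLTicketLoginModule extends AbstractLoginModule {
    private static final Log LOG = LogFactory.getLog(SAMLTicketLoginModule.class);
    public static final String OPTION_VALIDATION_KEYPAIR = "validationKeyPair";
    public static final String OPTION_NO_VALIDATION = "noValidation";
    public static final String OPTION_EXPIRED_TIME_OFFSET = "expiredTimeOffset";
    public static final String OPTION_SAML_ROLE_ATTRIBUTE_NAME = "SAMLRoleAttributeName";
    private static final long serialVersionUID = 2631946285948582729L;
    // Null when validation is disabled through OPTION_NO_VALIDATION.
    private KeyPair m_validationKeyPair;
    // Credential accepted by performLogin(); consumed by prepareCommitState().
    private SAMLCredential m_samlCredential;
    private long m_expiredTimeOffset;
    // True when the credential came from the subject's public credentials rather than the callback.
    private boolean m_ticketFromPublicCredentials;
    private String m_samlRoleAttributeName;

    /**
     * Returns a human-readable description of this module.
     *
     * @return description naming this class and the required credential type
     */
    @Override // org.n52.security.authentication.loginmodule.AbstractLoginModule
    protected String getDescription() {
        return "The authentication is performed through the '"
                + SAMLTicketLoginModule.class.getName()
                + "' login module. It requires a SAML Response.";
    }

    /**
     * Forgets the credential and its origin so the module can be reused for another login.
     *
     * @throws LoginException never thrown here; declared by the superclass contract
     */
    @Override // org.n52.security.authentication.loginmodule.AbstractLoginModule
    protected void clearAuthenticationState() throws LoginException {
        this.m_ticketFromPublicCredentials = false;
        this.m_samlCredential = null;
    }

    /**
     * Reads the module options.
     *
     * @throws IllegalArgumentException if validation is enabled and no key pair with a
     *         certificate or certificate chain is configured
     */
    @Override // org.n52.security.authentication.loginmodule.AbstractLoginModule
    protected void initialize() {
        Options options = getOptions();
        if (!options.is(OPTION_NO_VALIDATION, false)) {
            KeyPair keyPair = (KeyPair) options.getAs(OPTION_VALIDATION_KEYPAIR, KeyPair.class);
            // Fail with a readable configuration error instead of a NullPointerException
            // when the key pair option is absent.
            if (keyPair == null) {
                throw new IllegalArgumentException(
                        "The property <validationKeyPair> is required unless <noValidation> is set");
            }
            if (!keyPair.isCertificateSet() && !keyPair.isCertificateChainSet()) {
                throw new IllegalArgumentException("The property <validationKeyPair> contains no valid certificate");
            }
            this.m_validationKeyPair = keyPair;
        }
        this.m_samlRoleAttributeName = options.getAsString(OPTION_SAML_ROLE_ATTRIBUTE_NAME, "");
        this.m_expiredTimeOffset = options.getAsLong(OPTION_EXPIRED_TIME_OFFSET, 5000L);
    }

    /**
     * Obtains a SAML credential, verifies its ticket and checks expiry.
     *
     * @return {@code true} when a valid credential was accepted, {@code false} when no
     *         SAML credential was available at all (login is then skipped, not failed)
     * @throws CredentialExpiredException if the ticket is expired beyond the configured offset
     * @throws FailedLoginException if the credential carries no ticket or the ticket fails verification
     * @throws LoginException propagated from callback handling
     */
    @Override // org.n52.security.authentication.loginmodule.AbstractLoginModule
    public boolean performLogin() throws LoginException {
        SAMLCredential credential = requestCredential();
        if (credential == null) {
            credential = credentialFromSubject();
        }
        if (credential == null) {
            if (LOG.isInfoEnabled()) {
                LOG.info("No credentials for module <" + getClass().getName() + "> available, skip login.");
            }
            return false;
        }
        SAMLTicket ticket = credential.getSAMLTicket();
        if (ticket == null) {
            throw new FailedLoginException("Invalid SAML Credential. Reason: credential carries no SAML ticket");
        }
        try {
            // With noValidation=true m_validationKeyPair is null and the ticket is accepted unverified.
            // NOTE(review): a key pair with only a certificate chain passes initialize(); whether
            // getCertificate() returns a usable certificate in that case must be confirmed against KeyPair.
            if (this.m_validationKeyPair != null) {
                ticket.verify(this.m_validationKeyPair.getCertificate());
            }
            if (ticket.isExpired(this.m_expiredTimeOffset)) {
                throw new CredentialExpiredException("SAML Credential expired");
            }
        } catch (SAMLException e) {
            // FailedLoginException has no (message, cause) constructor; keep the cause via initCause.
            FailedLoginException failure = new FailedLoginException("Invalid SAML Credential. Reason: " + e);
            failure.initCause(e);
            throw failure;
        }
        this.m_samlCredential = credential;
        return true;
    }

    /**
     * Asks the callback handler for a {@link SAMLCredential}.
     *
     * @return the supplied credential, or {@code null} if the handler provided none
     * @throws LoginException propagated from callback handling
     */
    private SAMLCredential requestCredential() throws LoginException {
        CredentialCallback callback = new CredentialCallback(SAMLCredential.class);
        handleCallbacks(new Callback[] {callback});
        return (SAMLCredential) callback.getCredential();
    }

    /**
     * Takes the first {@link SAMLCredential} from the subject's public credentials.
     * Sets {@link #m_ticketFromPublicCredentials} so commit does not add it again.
     *
     * @return the credential, or {@code null} if the subject holds none
     * @throws LoginException propagated from subject access
     */
    private SAMLCredential credentialFromSubject() throws LoginException {
        Subject subject = getSubject();
        Iterator<SAMLCredential> it = subject.getPublicCredentials(SAMLCredential.class).iterator();
        if (!it.hasNext()) {
            return null;
        }
        this.m_ticketFromPublicCredentials = true;
        return it.next();
    }

    /**
     * Adds the accepted credential (unless it already came from the subject) and the
     * ticket's principals to the subject, mapping the configured role attribute to roles.
     *
     * @throws LoginException propagated from the superclass add operations
     */
    @Override // org.n52.security.authentication.loginmodule.AbstractLoginModule
    protected void prepareCommitState() throws LoginException {
        if (!this.m_ticketFromPublicCredentials) {
            addPublicCredential(this.m_samlCredential);
        }
        for (Principal principal : this.m_samlCredential.getSAMLTicket().asSubject().getPrincipals()) {
            // Only attribute principals with exactly the configured name become roles; note that
            // with the default "" an attribute principal with an empty name would be mapped as well.
            if ((principal instanceof AttributePrincipal) && this.m_samlRoleAttributeName.equals(principal.getName())) {
                addPrincipal(new RolePrincipal(((AttributePrincipal) principal).getValue()));
            } else {
                addPrincipal(principal);
            }
        }
    }
}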
