package org.picketlink.trust.jbossws.jaas;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.security.acl.Group;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.jacc.PolicyContext;
import javax.servlet.http.HttpServletRequest;
import javax.xml.datatype.XMLGregorianCalendar;
import javax.xml.stream.XMLInputFactory;
import org.apache.wss4j.common.crypto.Merlin;
import org.jboss.security.SimpleGroup;
import org.jboss.security.auth.spi.AbstractServerLoginModule;
import org.picketlink.common.exceptions.ConfigurationException;
import org.picketlink.common.util.Base64;
import org.picketlink.identity.federation.core.parsers.saml.SAMLAssertionParser;
import org.picketlink.identity.federation.core.saml.v2.util.XMLTimeUtil;
import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
import org.picketlink.identity.federation.saml.v2.assertion.AudienceRestrictionType;
import org.picketlink.identity.federation.saml.v2.assertion.ConditionAbstractType;
import org.picketlink.identity.federation.saml.v2.assertion.ConditionsType;
import org.picketlink.identity.federation.saml.v2.assertion.NameIDType;
import org.picketlink.identity.federation.saml.v2.assertion.StatementAbstractType;

/* loaded from: input_file:wildfly-10.1.0.Final/modules/system/layers/base/org/picketlink/federation/bindings/main/picketlink-wildfly8-2.5.5.SP2.jar:org/picketlink/trust/jbossws/jaas/SAMLBearerTokenLoginModule.class */
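/**
 * JAAS login module that authenticates a request from a SAML assertion carried inside an
 * HTTP {@code Authorization: Basic} header.
 *
 * <p>The Basic credential, once Base64-decoded, must start with {@link #SAML_BEARER_TOKEN};
 * the remainder is parsed as a SAML 2.0 assertion. The assertion is accepted when its issuer is
 * listed in the {@code allowedIssuers} module option, one of its audience restrictions equals the
 * request's context path, and its {@code Conditions} time window contains the current instant.
 * The subject's NameID becomes the identity and every value of the {@code Role} attribute
 * becomes a role. Any other header shape is delegated to {@link AbstractServerLoginModule#login()}.
 *
 * <p>NOTE(review): nothing in this class verifies the assertion's XML signature. The issuer and
 * audience checks compare strings that the author of the token controls, so they only provide
 * trust if signature verification is guaranteed to have happened earlier in the pipeline
 * (for example in a WS-Security handler). Confirm that, or add signature validation before
 * {@link #validateAssertion} is reached.
 */
public class SAMLBearerTokenLoginModule extends AbstractServerLoginModule {
    /** Name of the HTTP header that carries the credential. */
    public static final String AUTHORIZATION = "Authorization";
    /** Authentication scheme whose credential may wrap a bearer assertion. */
    public static final String BASIC = "Basic";
    /** Marker that, once the Basic credential is decoded, introduces the assertion XML. */
    public static final String SAML_BEARER_TOKEN = "SAML-BEARER-TOKEN:";

    /** Module option: comma-separated list of accepted assertion issuers. */
    private static final String ALLOWED_ISSUERS_OPTION = "allowedIssuers";
    /** SAML attribute whose values are mapped to role names. */
    private static final String ROLE_ATTRIBUTE = "Role";
    /** JACC policy-context key under which the container publishes the current request. */
    private static final String REQUEST_CONTEXT_KEY = "javax.servlet.http.HttpServletRequest";
    /** Name of the single group returned by {@link #getRoleSets()}. */
    private static final String ROLES_GROUP = "Roles";

    private static final Logger LOG = Logger.getLogger(SAMLBearerTokenLoginModule.class.getName());

    /** Identity established by the last successful {@link #login()}; {@code null} before that. */
    private Principal identity;
    /** Issuers accepted by {@link #validateAssertion}; filled from the module options. */
    private final Set<String> allowedIssuers = new HashSet<>();
    /** Role names collected from the assertion's {@code Role} attribute. */
    private final Set<String> roles = new HashSet<>();

    /**
     * Reads the {@code allowedIssuers} option (comma separated) into {@link #allowedIssuers}.
     * Entries are trimmed before being stored so that {@code "a, b"} accepts issuer {@code "b"};
     * blank entries are ignored.
     *
     * @param subject         the subject being authenticated
     * @param callbackHandler the callback handler supplied by the container
     * @param map             shared state between login modules
     * @param map2            the module options; {@code allowedIssuers} is read from here
     */
    @Override // org.jboss.security.auth.spi.AbstractServerLoginModule
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> map, Map<String, ?> map2) {
        super.initialize(subject, callbackHandler, map, map2);
        String configured = (String) map2.get(ALLOWED_ISSUERS_OPTION);
        if (configured == null) {
            return;
        }
        for (String entry : configured.split(",")) {
            String issuer = entry.trim();
            if (!issuer.isEmpty()) {
                this.allowedIssuers.add(issuer);
            }
        }
    }

    /**
     * Authenticates the current request from a bearer assertion in its {@code Authorization}
     * header, falling back to the superclass when the header does not carry one.
     *
     * @return {@code true} when an assertion was present and accepted; otherwise the result of
     *         {@link AbstractServerLoginModule#login()}, or {@code false} when parsing or
     *         consuming the assertion failed with a non-login exception
     * @throws LoginException when the assertion is present but fails validation
     */
    @Override // org.jboss.security.auth.spi.AbstractServerLoginModule
    public boolean login() throws LoginException {
        try {
            HttpServletRequest request = (HttpServletRequest) PolicyContext.getContext(REQUEST_CONTEXT_KEY);
            String assertionXml = extractBearerAssertion(request.getHeader(AUTHORIZATION));
            if (assertionXml == null) {
                // Not a bearer credential: let the superclass handle password stacking / callbacks.
                return super.login();
            }
            AssertionType assertion = parseAssertion(assertionXml);
            validateAssertion(assertion, request);
            consumeAssertion(assertion);
            this.loginOk = true;
            return true;
        } catch (LoginException e) {
            // Validation failures are reported to the LoginContext as-is.
            throw e;
        } catch (Exception e) {
            // Parsing/structural problems mean "this module cannot authenticate the request".
            LOG.log(Level.WARNING, "SAML bearer token login failed", e);
            this.loginOk = false;
            return false;
        }
    }

    /**
     * Extracts the assertion XML from a {@code Basic <base64>} header whose decoded credential
     * starts with {@link #SAML_BEARER_TOKEN}.
     *
     * @param header the raw {@code Authorization} header value, may be {@code null}
     * @return the assertion XML, or {@code null} when the header is absent or is not a bearer
     *         credential (plain Basic credentials are intentionally left to the superclass)
     */
    private static String extractBearerAssertion(String header) {
        String basicPrefix = BASIC + " ";
        if (header == null || !header.startsWith(basicPrefix)) {
            return null;
        }
        byte[] decoded = Base64.decode(header.substring(basicPrefix.length()));
        String credential = new String(decoded, StandardCharsets.UTF_8);
        if (!credential.startsWith(SAML_BEARER_TOKEN)) {
            return null;
        }
        return credential.substring(SAML_BEARER_TOKEN.length());
    }

    /**
     * Parses attacker-supplied assertion XML with a StAX reader hardened against DTD and
     * external-entity processing (XXE / entity expansion).
     *
     * @param assertionXml the assertion document
     * @return the parsed assertion
     * @throws Exception when the XML is malformed or not an assertion
     */
    private static AssertionType parseAssertion(String assertionXml) throws Exception {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        try (ByteArrayInputStream in = new ByteArrayInputStream(assertionXml.getBytes(StandardCharsets.UTF_8))) {
            return (AssertionType) new SAMLAssertionParser().parse(factory.createXMLEventReader(in));
        }
    }

    /**
     * Checks issuer, audience and validity window of the assertion.
     *
     * @param assertion the parsed assertion
     * @param request   the current request; its context path must appear among the audiences
     * @throws LoginException when the issuer is missing or not allowed, the context path is not an
     *                        audience, no {@code Conditions} are present, or the time window does
     *                        not contain the current instant
     */
    private void validateAssertion(AssertionType assertion, HttpServletRequest request) throws LoginException {
        NameIDType issuer = assertion.getIssuer();
        String issuerValue = issuer == null ? null : issuer.getValue();
        // A missing issuer is treated exactly like an unknown one.
        if (issuerValue == null || !this.allowedIssuers.contains(issuerValue)) {
            throw new LoginException("Dis-allowed SAML Assertion Issuer: " + issuerValue + " Allowed: " + this.allowedIssuers);
        }
        String contextPath = request.getContextPath();
        if (!getAudienceRestrictions(assertion).contains(contextPath)) {
            throw new LoginException("SAML Assertion Audience Restrictions not valid for this context (" + contextPath + ")");
        }
        ConditionsType conditions = assertion.getConditions();
        if (conditions == null) {
            throw new LoginException("SAML Assertion not valid (no Conditions supplied).");
        }
        try {
            XMLGregorianCalendar now = XMLTimeUtil.getIssueInstant();
            XMLGregorianCalendar notBefore = conditions.getNotBefore();
            XMLGregorianCalendar notOnOrAfter = conditions.getNotOnOrAfter();
            if (!XMLTimeUtil.isValid(now, notBefore, notOnOrAfter)) {
                // Either bound may be absent; format null-safely so the error itself cannot NPE.
                throw new LoginException("SAML Assertion has expired: Now=" + now.toXMLFormat()
                        + " ::notBefore=" + formatTime(notBefore) + " ::notOnOrAfter=" + formatTime(notOnOrAfter));
            }
        } catch (ConfigurationException e) {
            LoginException failure = new LoginException(e.getMessage());
            failure.initCause(e);
            throw failure;
        }
    }

    /** Renders a calendar in XML form, or {@code "null"} when absent. */
    private static String formatTime(XMLGregorianCalendar time) {
        return time == null ? "null" : time.toXMLFormat();
    }

    /**
     * Collects every audience URI from the assertion's {@code AudienceRestriction} conditions.
     *
     * @param assertion the assertion, may be {@code null}
     * @return the audiences as strings; empty when the assertion has no conditions
     */
    private Set<String> getAudienceRestrictions(AssertionType assertion) {
        Set<String> audiences = new HashSet<>();
        if (assertion == null || assertion.getConditions() == null || assertion.getConditions().getConditions() == null) {
            return audiences;
        }
        for (ConditionAbstractType condition : assertion.getConditions().getConditions()) {
            if (condition instanceof AudienceRestrictionType) {
                for (URI audience : ((AudienceRestrictionType) condition).getAudience()) {
                    audiences.add(audience.toString());
                }
            }
        }
        return audiences;
    }

    /**
     * Records the subject NameID as the identity and every value of the {@code Role} attribute
     * as a role.
     *
     * @param assertion a validated assertion
     * @throws LoginException when the assertion carries no subject NameID
     * @throws Exception      when the identity principal cannot be created
     */
    private void consumeAssertion(AssertionType assertion) throws Exception {
        if (assertion.getSubject() == null || assertion.getSubject().getSubType() == null
                || !(assertion.getSubject().getSubType().getBaseID() instanceof NameIDType)) {
            throw new LoginException("SAML Assertion has no Subject NameID");
        }
        NameIDType nameId = (NameIDType) assertion.getSubject().getSubType().getBaseID();
        this.identity = createIdentity(nameId.getValue());
        for (StatementAbstractType statement : assertion.getStatements()) {
            if (!(statement instanceof AttributeStatementType)) {
                continue;
            }
            for (AttributeStatementType.ASTChoiceType choice : ((AttributeStatementType) statement).getAttributes()) {
                if (choice.getAttribute() == null || !ROLE_ATTRIBUTE.equals(choice.getAttribute().getName())) {
                    continue;
                }
                for (Object value : choice.getAttribute().getAttributeValue()) {
                    if (value != null) {
                        this.roles.add(value.toString());
                    }
                }
            }
        }
    }

    /** @return the identity established by {@link #login()}, or {@code null} if none yet */
    @Override // org.jboss.security.auth.spi.AbstractServerLoginModule
    protected Principal getIdentity() {
        return this.identity;
    }

    /**
     * Builds the single {@code Roles} group from the roles collected by {@link #consumeAssertion}.
     *
     * @return a one-element array holding the {@code Roles} group
     * @throws LoginException when a role principal cannot be created
     */
    @Override // org.jboss.security.auth.spi.AbstractServerLoginModule
    protected Group[] getRoleSets() throws LoginException {
        SimpleGroup rolesGroup = new SimpleGroup(ROLES_GROUP);
        try {
            for (String role : this.roles) {
                rolesGroup.addMember(createIdentity(role));
            }
        } catch (Exception e) {
            LoginException failure = new LoginException("Failed to create group principal: " + e.getMessage());
            failure.initCause(e);
            throw failure;
        }
        return new Group[] {rolesGroup};
    }
}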
