package org.picketlink.identity.federation.bindings.jboss.auth;

import java.security.KeyStore;
import java.security.Principal;
import java.security.acl.Group;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorResult;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.xml.datatype.XMLGregorianCalendar;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.signature.XMLSignature;
import org.jboss.security.SecurityConstants;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.callback.ObjectCallback;
import org.picketlink.common.constants.JBossSAMLURIConstants;
import org.picketlink.common.exceptions.ConfigurationException;
import org.picketlink.common.exceptions.ProcessingException;
import org.picketlink.common.util.StringUtil;
import org.picketlink.identity.federation.bindings.jboss.subject.PicketLinkGroup;
import org.picketlink.identity.federation.bindings.jboss.subject.PicketLinkPrincipal;
import org.picketlink.identity.federation.core.factories.JBossAuthCacheInvalidationFactory;
import org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil;
import org.picketlink.identity.federation.core.util.NamespaceContext;
import org.picketlink.identity.federation.core.wstrust.SamlCredential;
import org.picketlink.identity.federation.core.wstrust.auth.AbstractSTSLoginModule;
import org.picketlink.identity.federation.core.wstrust.plugins.saml.SAMLUtil;
import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
import org.picketlink.identity.federation.saml.v2.assertion.BaseIDAbstractType;
import org.picketlink.identity.federation.saml.v2.assertion.NameIDType;
import org.picketlink.identity.federation.saml.v2.assertion.SubjectType;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/* loaded from: input_file:wildfly-10.1.0.Final/modules/system/layers/base/org/picketlink/federation/bindings/main/picketlink-wildfly8-2.5.5.SP2.jar:org/picketlink/identity/federation/bindings/jboss/auth/SAMLTokenCertValidatingCommonLoginModule.class */
public abstract class SAMLTokenCertValidatingCommonLoginModule extends SAMLTokenFromHttpRequestAbstractLoginModule {
    protected Principal principal;
    protected SamlCredential credential;
    protected AssertionType assertion;
    protected String localValidationSecurityDomain;
    public static final String STS_CONFIG_FILE = "configFile";
    public static final String ENDPOINT_ADDRESS = "endpointAddress";
    public static final String PORT_NAME = "portName";
    public static final String SERVICE_NAME = "serviceName";
    public static final String USERNAME_KEY = "username";
    public static final String PASSWORD_KEY = "password";
    protected boolean enableCacheInvalidation = false;
    protected String securityDomain = null;
    protected String roleKey = "Role";
    protected Map<String, Object> options = new HashMap();
    protected Map<String, Object> rawOptions = new HashMap();
    protected boolean localTestingOnly = false;

    @Override // org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenFromHttpRequestAbstractLoginModule, org.jboss.security.auth.spi.AbstractServerLoginModule
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> map, Map<String, ?> map2) {
        super.initialize(subject, callbackHandler, map, map2);
        this.options.putAll(map2);
        this.rawOptions.putAll(map2);
        if (logger.isTraceEnabled()) {
            logger.trace(map2.toString());
        }
        String str = (String) this.options.remove("cache.invalidation");
        if (str != null && !str.isEmpty()) {
            this.enableCacheInvalidation = Boolean.parseBoolean(str);
            this.securityDomain = (String) this.options.remove(SecurityConstants.SECURITY_DOMAIN_OPTION);
            if (this.securityDomain == null || this.securityDomain.isEmpty()) {
                throw logger.optionNotSet(SecurityConstants.SECURITY_DOMAIN_OPTION);
            }
        }
        String str2 = (String) map2.get(AbstractSTSLoginModule.ROLE_KEY);
        if (StringUtil.isNotNull(str2)) {
            this.roleKey = str2.trim();
        }
        this.localValidationSecurityDomain = (String) map2.get("localValidationSecurityDomain");
        if (this.localValidationSecurityDomain == null) {
            logger.error("PL00105: When using local validation 'localValidationSecurityDomain' must be specified.");
            throw logger.optionNotSet("localValidationSecurityDomain");
        }
        if (!this.localValidationSecurityDomain.startsWith("java:")) {
            this.localValidationSecurityDomain = "java:jboss/jaas//" + this.localValidationSecurityDomain;
        }
        Init.init();
    }

    @Override // org.jboss.security.auth.spi.AbstractServerLoginModule
    public boolean login() throws LoginException {
        if (super.login()) {
            Object obj = this.sharedState.get("javax.security.auth.login.name");
            if (obj instanceof Principal) {
                this.principal = (Principal) obj;
            } else {
                try {
                    this.principal = createIdentity(obj.toString());
                } catch (Exception e) {
                    throw logger.authFailedToCreatePrincipal(e);
                }
            }
            Object obj2 = this.sharedState.get("javax.security.auth.login.password");
            if (!(obj2 instanceof SamlCredential)) {
                throw logger.authSharedCredentialIsNotSAMLCredential(obj2.getClass().getName());
            }
            this.credential = (SamlCredential) obj2;
            return true;
        }
        ObjectCallback objectCallback = new ObjectCallback(null);
        try {
            if (getSamlTokenHttpHeader() != null) {
                this.credential = getCredentialFromHttpRequest();
            } else {
                this.callbackHandler.handle(new Callback[]{objectCallback});
                if (!(objectCallback.getCredential() instanceof SamlCredential)) {
                    throw logger.authSharedCredentialIsNotSAMLCredential(objectCallback.getCredential().getClass().getName());
                }
                this.credential = (SamlCredential) objectCallback.getCredential();
            }
            try {
                this.assertion = SAMLUtil.fromElement(this.credential.getAssertionAsElement());
                try {
                    validateSAMLCredential();
                    SubjectType subject = this.assertion.getSubject();
                    if (subject != null) {
                        BaseIDAbstractType baseID = subject.getSubType().getBaseID();
                        if (baseID instanceof NameIDType) {
                            this.principal = new PicketLinkPrincipal(((NameIDType) baseID).getValue());
                            if (this.enableCacheInvalidation) {
                                JBossAuthCacheInvalidationFactory.TimeCacheExpiry cacheExpiry = getCacheExpiry();
                                XMLGregorianCalendar expiration = AssertionUtil.getExpiration(this.assertion);
                                if (expiration != null) {
                                    Date time = expiration.toGregorianCalendar().getTime();
                                    logger.trace("Creating Cache Entry for JBoss at [" + new Date() + "] , with expiration set to SAML expiry = " + time);
                                    cacheExpiry.register(this.securityDomain, time, this.principal);
                                } else {
                                    logger.samlAssertionWithoutExpiration(this.assertion.getID());
                                }
                            }
                        }
                    }
                    if (getUseFirstPass()) {
                        this.sharedState.put("javax.security.auth.login.name", this.principal);
                        this.sharedState.put("javax.security.auth.login.password", this.credential);
                    }
                    this.loginOk = true;
                    return true;
                } catch (Throwable th) {
                    logger.error(th);
                    throw new LoginException(th.getMessage());
                }
            } catch (Exception e2) {
                throw logger.authFailedToParseSAMLAssertion(e2);
            }
        } catch (Exception e3) {
            throw logger.authErrorHandlingCallback(e3);
        }
    }

    @Override // org.jboss.security.auth.spi.AbstractServerLoginModule
    public boolean commit() throws LoginException {
        if (!super.commit()) {
            return false;
        }
        if (!this.subject.getPublicCredentials().add(this.credential) || !logger.isTraceEnabled()) {
            return true;
        }
        logger.trace("Added Credential " + this.credential);
        return true;
    }

    @Override // org.jboss.security.auth.spi.AbstractServerLoginModule
    public boolean abort() throws LoginException {
        clearState();
        super.abort();
        return true;
    }

    @Override // org.jboss.security.auth.spi.AbstractServerLoginModule
    public boolean logout() throws LoginException {
        clearState();
        super.logout();
        return true;
    }

    private void clearState() {
        AbstractSTSLoginModule.removeAllSamlCredentials(this.subject);
        this.credential = null;
    }

    @Override // org.jboss.security.auth.spi.AbstractServerLoginModule
    protected Principal getIdentity() {
        return this.principal;
    }

    @Override // org.jboss.security.auth.spi.AbstractServerLoginModule
    protected Group[] getRoleSets() throws LoginException {
        if (this.assertion == null) {
            try {
                this.assertion = SAMLUtil.fromElement(this.credential.getAssertionAsElement());
            } catch (Exception e) {
                throw logger.authFailedToParseSAMLAssertion(e);
            }
        }
        if (logger.isTraceEnabled()) {
            try {
                logger.trace("Assertion from where roles will be sought = " + AssertionUtil.asString(this.assertion));
            } catch (ProcessingException e2) {
            }
        }
        ArrayList arrayList = new ArrayList();
        if (StringUtil.isNotNull(this.roleKey)) {
            arrayList.addAll(StringUtil.tokenize(this.roleKey));
        }
        PicketLinkGroup picketLinkGroup = new PicketLinkGroup("Roles");
        Iterator<String> it = AssertionUtil.getRoles(this.assertion, arrayList).iterator();
        while (it.hasNext()) {
            picketLinkGroup.addMember(new SimplePrincipal(it.next()));
        }
        return new Group[]{picketLinkGroup};
    }

    protected JBossAuthCacheInvalidationFactory.TimeCacheExpiry getCacheExpiry() throws Exception {
        return JBossAuthCacheInvalidationFactory.getCacheExpiry();
    }

    private void validateSAMLCredential() throws LoginException, ConfigurationException, CertificateExpiredException, CertificateNotYetValidException {
        X509Certificate x509Certificate = getX509Certificate();
        validateCertPath(x509Certificate);
        x509Certificate.checkValidity();
        boolean z = false;
        try {
            z = AssertionUtil.isSignatureValid(this.credential.getAssertionAsElement(), x509Certificate.getPublicKey());
        } catch (ProcessingException e) {
            logger.processingError(e);
        }
        if (!z) {
            throw logger.authSAMLInvalidSignatureError();
        }
        if (AssertionUtil.hasExpired(this.assertion)) {
            throw logger.authSAMLAssertionExpiredError();
        }
    }

    private X509Certificate getX509Certificate() throws LoginException {
        try {
            String findNameSpacePrefix = findNameSpacePrefix(this.credential.getAssertionAsElement(), JBossSAMLURIConstants.XMLDSIG_NSURI.get());
            String str = "//" + findNameSpacePrefix + ":Signature[1]";
            XPath newXPath = XPathFactory.newInstance().newXPath();
            newXPath.setNamespaceContext(NamespaceContext.create().addNsUriPair(findNameSpacePrefix, JBossSAMLURIConstants.XMLDSIG_NSURI.get()));
            Element element = (Element) newXPath.evaluate(str, this.credential.getAssertionAsElement(), XPathConstants.NODE);
            XMLSignature xMLSignature = new XMLSignature(element, "");
            if (logger.isTraceEnabled()) {
                logger.trace("sigElement=" + element.getTextContent());
            }
            if (!xMLSignature.getKeyInfo().containsX509Data()) {
                this.log.error("Cannot find X509Data element");
                throw new LoginException("Cannot find X509Data element");
            }
            X509Certificate x509Certificate = xMLSignature.getKeyInfo().getX509Certificate();
            if (x509Certificate == null) {
                logger.error("Not able to extract x509 certificate");
                throw new LoginException("Not able to extract x509 certificate");
            }
            if (logger.isTraceEnabled()) {
                logger.trace("Got certificate=" + x509Certificate.toString());
            }
            return x509Certificate;
        } catch (Exception e) {
            logger.error(e);
            throw new LoginException(e.getLocalizedMessage());
        }
    }

    private String findNameSpacePrefix(Element element, String str) {
        NodeList elementsByTagNameNS = element.getElementsByTagNameNS(str, "Signature");
        if (elementsByTagNameNS.getLength() > 0) {
            return elementsByTagNameNS.item(0).getPrefix();
        }
        return null;
    }

    protected void validateCertPath(X509Certificate x509Certificate) throws LoginException {
        try {
            CertPath generateCertPath = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(x509Certificate));
            if (logger.isTraceEnabled()) {
                logger.trace("Certificates from SAML token:");
                for (Certificate certificate : generateCertPath.getCertificates()) {
                    logger.trace("Type of certificate=" + certificate.getType());
                    logger.trace(certificate.toString());
                }
            }
            try {
                KeyStore keyStore = getKeyStore();
                if (keyStore == null) {
                    throw logger.authNullKeyStoreFromSecurityDomainError(this.localValidationSecurityDomain);
                }
                if (logger.isTraceEnabled()) {
                    logger.trace("Certificates from truststore:");
                    Enumeration<String> aliases = keyStore.aliases();
                    while (aliases.hasMoreElements()) {
                        String nextElement = aliases.nextElement();
                        logger.trace("Alias=" + nextElement);
                        Certificate[] certificateChain = keyStore.getCertificateChain(nextElement);
                        if (certificateChain != null) {
                            logger.trace(nextElement + " is a chain:");
                            for (Certificate certificate2 : certificateChain) {
                                logger.trace(certificate2.toString());
                            }
                        }
                        Certificate certificate3 = keyStore.getCertificate(nextElement);
                        if (certificate3 != null) {
                            logger.trace(nextElement + " is a certificate of type " + certificate3.getType());
                            logger.trace(certificate3.toString());
                        }
                    }
                }
                PKIXParameters pKIXParameters = new PKIXParameters(keyStore);
                pKIXParameters.setRevocationEnabled(false);
                CertPathValidator certPathValidator = CertPathValidator.getInstance(CertPathValidator.getDefaultType());
                if (logger.isTraceEnabled()) {
                    logger.trace("certPathValidator is ready");
                }
                CertPathValidatorResult validate = certPathValidator.validate(generateCertPath, pKIXParameters);
                if (logger.isTraceEnabled()) {
                    logger.trace("CertPathValidatorResult=" + validate);
                }
            } catch (Exception e) {
                logger.error(e);
                throw new LoginException(e.getLocalizedMessage());
            }
        } catch (CertificateEncodingException e2) {
            logger.error(e2.getMessage());
            throw new LoginException(e2.getLocalizedMessage());
        } catch (CertificateException e3) {
            logger.error(e3.getMessage());
            throw new LoginException(e3.getLocalizedMessage());
        }
    }

    protected abstract KeyStore getKeyStore() throws Exception;
}
