package org.keycloak.saml.processing.core.saml.v2.util;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.xml.datatype.XMLGregorianCalendar;
import javax.xml.namespace.QName;
import org.keycloak.dom.saml.v1.assertion.SAML11AssertionType;
import org.keycloak.dom.saml.v1.assertion.SAML11AttributeStatementType;
import org.keycloak.dom.saml.v1.assertion.SAML11AttributeType;
import org.keycloak.dom.saml.v1.assertion.SAML11ConditionsType;
import org.keycloak.dom.saml.v2.assertion.AssertionType;
import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
import org.keycloak.dom.saml.v2.assertion.AttributeType;
import org.keycloak.dom.saml.v2.assertion.ConditionsType;
import org.keycloak.dom.saml.v2.assertion.NameIDType;
import org.keycloak.dom.saml.v2.assertion.SubjectType;
import org.keycloak.dom.saml.v2.protocol.ResponseType;
import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
import org.keycloak.saml.common.ErrorCodes;
import org.keycloak.saml.common.PicketLinkLogger;
import org.keycloak.saml.common.PicketLinkLoggerFactory;
import org.keycloak.saml.common.constants.JBossSAMLConstants;
import org.keycloak.saml.common.exceptions.ConfigurationException;
import org.keycloak.saml.common.exceptions.ParsingException;
import org.keycloak.saml.common.exceptions.ProcessingException;
import org.keycloak.saml.common.exceptions.fed.IssueInstantMissingException;
import org.keycloak.saml.common.util.StaxParserUtil;
import org.keycloak.saml.common.util.StaxUtil;
import org.keycloak.saml.processing.api.saml.v2.response.SAML2Response;
import org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature;
import org.keycloak.saml.processing.core.parsers.saml.SAMLParser;
import org.keycloak.saml.processing.core.saml.v2.writers.SAMLAssertionWriter;
import org.keycloak.saml.processing.core.util.JAXPValidationUtil;
import org.keycloak.saml.processing.core.util.XMLEncryptionUtil;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/* loaded from: input_file:org/keycloak/saml/processing/core/saml/v2/util/AssertionUtil.class */
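/**
 * Helpers for building, serialising, time-checking and unwrapping SAML 1.1 / 2.0 assertions.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>{@link #hasExpired} only evaluates the {@code <Conditions>} element; an assertion that
 *       carries none is reported as <em>not</em> expired. Callers that require a bounded
 *       lifetime must check for the element themselves.</li>
 *   <li>{@link #getRoles} trusts the attribute values it finds. It must only be called on an
 *       assertion whose signature has already been verified (see {@link #isSignatureValid}).</li>
 *   <li>{@link #decryptAssertion} schema-validates the decrypted element but does not verify
 *       any signature inside it; the caller is responsible for that.</li>
 * </ul>
 */
public class AssertionUtil {
    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();

    /**
     * Serialises an assertion to its XML text.
     *
     * @param assertionType assertion to write
     * @return the XML produced by {@link SAMLAssertionWriter}
     * @throws ProcessingException if the writer fails
     */
    public static String asString(AssertionType assertionType) throws ProcessingException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        new SAMLAssertionWriter(StaxUtil.getXMLStreamWriter(out)).write(assertionType);
        // Decode with an explicit charset: new String(byte[]) uses the platform default, which
        // silently corrupts non-ASCII attribute values on non-UTF-8 hosts. Assumes the StAX
        // writer emits UTF-8 (the StAX default for an OutputStream) — TODO confirm in StaxUtil.
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    /**
     * Serialises an assertion and parses the result back into a DOM document.
     *
     * @param assertionType assertion to convert
     * @return a DOM document whose root is the assertion element
     * @throws ProcessingException if writing or re-parsing fails
     */
    public static Document asDocument(AssertionType assertionType) throws ProcessingException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        new SAMLAssertionWriter(StaxUtil.getXMLStreamWriter(out)).write(assertionType);
        try {
            // The bytes being parsed are our own output, not untrusted input.
            return org.keycloak.saml.common.util.DocumentUtil.getDocument(new ByteArrayInputStream(out.toByteArray()));
        } catch (Exception e) {
            throw logger.processingError(e);
        }
    }

    /**
     * Creates a SAML 1.1 assertion with the given id, issue instant and issuer.
     *
     * @param id           assertion ID
     * @param issueInstant the IssueInstant value
     * @param issuer       issuer string
     * @return the new assertion
     */
    public static SAML11AssertionType createSAML11Assertion(String id, XMLGregorianCalendar issueInstant, String issuer) {
        SAML11AssertionType assertion = new SAML11AssertionType(id, issueInstant);
        assertion.setIssuer(issuer);
        return assertion;
    }

    /**
     * Creates a SAML 2.0 assertion with the given id and issuer, stamped with the current time.
     *
     * @param id     assertion ID
     * @param issuer issuer NameID
     * @return the new assertion
     * @throws RuntimeException wrapping a {@link ConfigurationException} if the issue instant
     *                          cannot be generated
     */
    public static AssertionType createAssertion(String id, NameIDType issuer) {
        AssertionType assertion;
        try {
            assertion = new AssertionType(id, XMLTimeUtil.getIssueInstant());
        } catch (ConfigurationException e) {
            throw new RuntimeException((Throwable) e);
        }
        assertion.setIssuer(issuer);
        return assertion;
    }

    /**
     * Creates a {@code <Subject>} holding a single NameID with the given value and no format.
     *
     * @param nameIdValue the NameID text
     * @return the subject
     */
    public static SubjectType createAssertionSubject(String nameIdValue) {
        NameIDType nameId = new NameIDType();
        nameId.setValue(nameIdValue);

        SubjectType.STSubType subType = new SubjectType.STSubType();
        subType.addBaseID(nameId);

        SubjectType subject = new SubjectType();
        subject.setSubType(subType);
        return subject;
    }

    /**
     * Creates an attribute with the given name, name format and values.
     *
     * @param name       attribute name
     * @param nameFormat attribute NameFormat (may be null)
     * @param values     attribute values; null or empty yields an attribute with no values
     * @return the attribute
     */
    public static AttributeType createAttribute(String name, String nameFormat, Object... values) {
        AttributeType attribute = new AttributeType(name);
        attribute.setNameFormat(nameFormat);
        if (values != null) {
            for (Object value : values) {
                attribute.addAttributeValue(value);
            }
        }
        return attribute;
    }

    /**
     * Sets {@code <Conditions>} on the assertion valid from its IssueInstant for
     * {@code durationInMillis} milliseconds.
     *
     * @param assertionType    assertion to update; must already carry an IssueInstant
     * @param durationInMillis validity window length, added to the IssueInstant
     * @throws ConfigurationException       if the time arithmetic fails
     * @throws IssueInstantMissingException if the assertion has no IssueInstant
     */
    public static void createTimedConditions(AssertionType assertionType, long durationInMillis) throws ConfigurationException, IssueInstantMissingException {
        XMLGregorianCalendar issueInstant = assertionType.getIssueInstant();
        if (issueInstant == null) {
            throw new IssueInstantMissingException(ErrorCodes.NULL_ISSUE_INSTANT);
        }
        ConditionsType conditions = new ConditionsType();
        conditions.setNotBefore(issueInstant);
        conditions.setNotOnOrAfter(XMLTimeUtil.add(issueInstant, durationInMillis));
        assertionType.setConditions(conditions);
    }

    /**
     * Sets {@code <Conditions>} on the assertion, widened on both sides by a clock-skew
     * allowance: NotBefore = IssueInstant - skew, NotOnOrAfter = IssueInstant + duration + skew.
     *
     * @param assertionType    assertion to update; must already carry an IssueInstant
     * @param durationInMillis validity window length
     * @param clockSkewMillis  allowance subtracted from NotBefore and added to NotOnOrAfter
     * @throws ConfigurationException       if the time arithmetic fails
     * @throws IssueInstantMissingException if the assertion has no IssueInstant
     */
    public static void createTimedConditions(AssertionType assertionType, long durationInMillis, long clockSkewMillis) throws ConfigurationException, IssueInstantMissingException {
        XMLGregorianCalendar issueInstant = assertionType.getIssueInstant();
        if (issueInstant == null) {
            throw logger.samlIssueInstantMissingError();
        }
        ConditionsType conditions = new ConditionsType();
        conditions.setNotBefore(XMLTimeUtil.subtract(issueInstant, clockSkewMillis));
        conditions.setNotOnOrAfter(XMLTimeUtil.add(issueInstant, durationInMillis + clockSkewMillis));
        assertionType.setConditions(conditions);
    }

    /**
     * SAML 1.1 counterpart of {@link #createTimedConditions(AssertionType, long, long)}.
     *
     * @param sAML11AssertionType assertion to update; must already carry an IssueInstant
     * @param durationInMillis    validity window length
     * @param clockSkewMillis     allowance subtracted from NotBefore and added to NotOnOrAfter
     * @throws ConfigurationException       if the time arithmetic fails
     * @throws IssueInstantMissingException if the assertion has no IssueInstant
     */
    public static void createSAML11TimedConditions(SAML11AssertionType sAML11AssertionType, long durationInMillis, long clockSkewMillis) throws ConfigurationException, IssueInstantMissingException {
        XMLGregorianCalendar issueInstant = sAML11AssertionType.getIssueInstant();
        if (issueInstant == null) {
            throw new IssueInstantMissingException(ErrorCodes.NULL_ISSUE_INSTANT);
        }
        SAML11ConditionsType conditions = new SAML11ConditionsType();
        conditions.setNotBefore(XMLTimeUtil.subtract(issueInstant, clockSkewMillis));
        conditions.setNotOnOrAfter(XMLTimeUtil.add(issueInstant, durationInMillis + clockSkewMillis));
        sAML11AssertionType.setConditions(conditions);
    }

    /**
     * Verifies the XML signature carried by {@code element} against {@code publicKey}.
     *
     * <p>The element is deep-copied into a fresh document so that validation is performed on
     * that element alone. Any exception during validation is logged and reported as an invalid
     * signature (fail closed).
     *
     * @param element   signed element (typically an Assertion)
     * @param publicKey key expected to have produced the signature
     * @return true only if {@link SAML2Signature#validate} succeeds
     */
    public static boolean isSignatureValid(Element element, PublicKey publicKey) {
        try {
            Document standalone = org.keycloak.saml.common.util.DocumentUtil.createDocument();
            standalone.appendChild(standalone.importNode(element, true));
            return new SAML2Signature().validate(standalone, publicKey);
        } catch (Exception e) {
            logger.signatureAssertionValidationError(e);
            return false;
        }
    }

    /**
     * Evaluates a NotBefore / NotOnOrAfter pair against the current time, optionally widening
     * the window by a clock-skew allowance. Null bounds are passed through to
     * {@link XMLTimeUtil#isValid} untouched (an absent bound is an open side of the window);
     * they are never handed to the skew arithmetic or dereferenced for logging.
     *
     * @param assertionId     ID used in log messages
     * @param notBefore       lower bound, or null
     * @param notOnOrAfter    upper bound, or null
     * @param clockSkewMillis allowance; 0 means the bounds are used exactly as given
     * @return true if "now" lies outside the (widened) window
     * @throws ConfigurationException if the time arithmetic fails
     */
    private static boolean isOutsideValidityWindow(String assertionId, XMLGregorianCalendar notBefore,
            XMLGregorianCalendar notOnOrAfter, long clockSkewMillis) throws ConfigurationException {
        XMLGregorianCalendar now = XMLTimeUtil.getIssueInstant();
        XMLGregorianCalendar lowerBound = notBefore;
        XMLGregorianCalendar upperBound = notOnOrAfter;
        if (clockSkewMillis != 0) {
            if (notBefore != null) {
                lowerBound = XMLTimeUtil.subtract(notBefore, clockSkewMillis);
            }
            if (notOnOrAfter != null) {
                upperBound = XMLTimeUtil.add(notOnOrAfter, clockSkewMillis);
            }
        }
        if (notBefore != null) {
            logger.trace("Assertion: " + assertionId + " ::Now=" + now.toXMLFormat() + " ::notBefore=" + notBefore.toXMLFormat());
        }
        if (notOnOrAfter != null) {
            logger.trace("Assertion: " + assertionId + " ::Now=" + now.toXMLFormat() + " ::notOnOrAfter=" + notOnOrAfter);
        }
        boolean expired = !XMLTimeUtil.isValid(now, lowerBound, upperBound);
        if (expired) {
            logger.samlAssertionExpired(assertionId);
        }
        return expired;
    }

    /**
     * Reports whether "now" lies outside the assertion's {@code <Conditions>} window.
     *
     * <p>NOTE(review): an assertion with no {@code <Conditions>} element is reported as not
     * expired; callers that require a bounded lifetime must check for the element themselves.
     *
     * @param assertionType assertion to check
     * @return true if the conditions are present and "now" is outside them
     * @throws ConfigurationException if the current time cannot be obtained
     */
    public static boolean hasExpired(AssertionType assertionType) throws ConfigurationException {
        ConditionsType conditions = assertionType.getConditions();
        if (conditions == null) {
            return false;
        }
        return isOutsideValidityWindow(assertionType.getID(), conditions.getNotBefore(), conditions.getNotOnOrAfter(), 0L);
    }

    /**
     * Like {@link #hasExpired(AssertionType)} but tolerates {@code clockSkewMillis} of drift on
     * each side of the window. A missing NotBefore or NotOnOrAfter no longer causes a
     * NullPointerException here; it is treated as an open side, as in the no-skew variant.
     *
     * @param assertionType   assertion to check
     * @param clockSkewMillis allowance subtracted from NotBefore and added to NotOnOrAfter
     * @return true if the conditions are present and "now" is outside the widened window
     * @throws ConfigurationException if the time arithmetic fails
     */
    public static boolean hasExpired(AssertionType assertionType, long clockSkewMillis) throws ConfigurationException {
        ConditionsType conditions = assertionType.getConditions();
        if (conditions == null) {
            return false;
        }
        return isOutsideValidityWindow(assertionType.getID(), conditions.getNotBefore(), conditions.getNotOnOrAfter(), clockSkewMillis);
    }

    /**
     * SAML 1.1 counterpart of {@link #hasExpired(AssertionType)}; same caveat about a missing
     * {@code <Conditions>} element.
     *
     * @param sAML11AssertionType assertion to check
     * @return true if the conditions are present and "now" is outside them
     * @throws ConfigurationException if the current time cannot be obtained
     */
    public static boolean hasExpired(SAML11AssertionType sAML11AssertionType) throws ConfigurationException {
        SAML11ConditionsType conditions = sAML11AssertionType.getConditions();
        if (conditions == null) {
            return false;
        }
        return isOutsideValidityWindow(sAML11AssertionType.getID(), conditions.getNotBefore(), conditions.getNotOnOrAfter(), 0L);
    }

    /**
     * SAML 1.1 counterpart of {@link #hasExpired(AssertionType, long)}.
     *
     * @param sAML11AssertionType assertion to check
     * @param clockSkewMillis     allowance subtracted from NotBefore and added to NotOnOrAfter
     * @return true if the conditions are present and "now" is outside the widened window
     * @throws ConfigurationException if the time arithmetic fails
     */
    public static boolean hasExpired(SAML11AssertionType sAML11AssertionType, long clockSkewMillis) throws ConfigurationException {
        SAML11ConditionsType conditions = sAML11AssertionType.getConditions();
        if (conditions == null) {
            return false;
        }
        return isOutsideValidityWindow(sAML11AssertionType.getID(), conditions.getNotBefore(), conditions.getNotOnOrAfter(), clockSkewMillis);
    }

    /**
     * Returns the assertion's NotOnOrAfter instant.
     *
     * @param assertionType assertion to inspect
     * @return the NotOnOrAfter value, or null if there are no conditions or no upper bound
     */
    public static XMLGregorianCalendar getExpiration(AssertionType assertionType) {
        ConditionsType conditions = assertionType.getConditions();
        return conditions == null ? null : conditions.getNotOnOrAfter();
    }

    /**
     * Extracts the text of one attribute value.
     *
     * @param value a String or a DOM {@link Node} (the AttributeValue element)
     * @return the text, or null if a Node carries no first child or the child has no node value
     * @throws RuntimeException from {@link PicketLinkLogger#unknownObjectType} for any other type
     */
    private static String attributeValueText(Object value) {
        if (value instanceof String) {
            return (String) value;
        }
        if (value instanceof Node) {
            // An empty <AttributeValue/> has no child; return null rather than dereferencing it.
            Node firstChild = ((Node) value).getFirstChild();
            return firstChild == null ? null : firstChild.getNodeValue();
        }
        throw logger.unknownObjectType(value);
    }

    /**
     * Collects the values of every attribute in the assertion's attribute statements whose name
     * is in {@code roleKeys} (all attributes when {@code roleKeys} is null or empty).
     *
     * <p>Values that carry no text (an empty element, or a child with no node value) are skipped
     * rather than producing a null entry or a NullPointerException. The values are taken from
     * the assertion as-is; call this only after the assertion's signature has been verified.
     *
     * @param assertionType assertion to read
     * @param roleKeys      attribute names to accept, or null/empty for all
     * @return the matching values in document order (never null)
     */
    public static List<String> getRoles(AssertionType assertionType, List<String> roleKeys) {
        List<String> roles = new ArrayList<>();
        boolean acceptAll = roleKeys == null || roleKeys.isEmpty();
        for (Object statement : assertionType.getStatements()) {
            if (!(statement instanceof AttributeStatementType)) {
                continue;
            }
            for (Object choice : ((AttributeStatementType) statement).getAttributes()) {
                AttributeType attribute = ((AttributeStatementType.ASTChoiceType) choice).getAttribute();
                if (!acceptAll && !roleKeys.contains(attribute.getName())) {
                    continue;
                }
                List<Object> values = attribute.getAttributeValue();
                if (values == null) {
                    continue;
                }
                for (Object value : values) {
                    String text = attributeValueText(value);
                    if (text != null) {
                        roles.add(text);
                    }
                }
            }
        }
        return roles;
    }

    /**
     * SAML 1.1 counterpart of {@link #getRoles(AssertionType, List)}; same semantics and caveats.
     *
     * @param sAML11AssertionType assertion to read
     * @param roleKeys            attribute names to accept, or null/empty for all
     * @return the matching values in document order (never null)
     */
    public static List<String> getRoles(SAML11AssertionType sAML11AssertionType, List<String> roleKeys) {
        List<String> roles = new ArrayList<>();
        boolean acceptAll = roleKeys == null || roleKeys.isEmpty();
        for (Object statement : sAML11AssertionType.getStatements()) {
            if (!(statement instanceof SAML11AttributeStatementType)) {
                continue;
            }
            for (SAML11AttributeType attribute : ((SAML11AttributeStatementType) statement).get()) {
                if (!acceptAll && !roleKeys.contains(attribute.getAttributeName())) {
                    continue;
                }
                List<Object> values = attribute.get();
                if (values == null) {
                    continue;
                }
                for (Object value : values) {
                    String text = attributeValueText(value);
                    if (text != null) {
                        roles.add(text);
                    }
                }
            }
        }
        return roles;
    }

    /**
     * Returns the first assertion of a response, decrypting it first if it is encrypted.
     *
     * <p>Only the first entry of the response's assertion list is inspected; any further
     * assertions are ignored. Decryption does not verify the assertion's signature.
     *
     * @param responseType response to read
     * @param privateKey   key used for decryption; may be null only if the assertion is not encrypted
     * @return the (decrypted) first assertion
     * @throws ProcessingException    if the response has no assertion, or it is encrypted and
     *                                {@code privateKey} is null, or decryption fails
     * @throws ParsingException       if the decrypted XML cannot be parsed
     * @throws ConfigurationException propagated from the decryption path
     */
    public static AssertionType getAssertion(ResponseType responseType, PrivateKey privateKey) throws ParsingException, ProcessingException, ConfigurationException {
        List<ResponseType.RTChoiceType> assertions = responseType.getAssertions();
        if (assertions.isEmpty()) {
            throw new ProcessingException("No assertion from response.");
        }
        ResponseType.RTChoiceType first = assertions.get(0);
        if (first.getEncryptedAssertion() != null) {
            if (privateKey == null) {
                throw new ProcessingException("Encryptd assertion and decrypt private key is null");
            }
            // Replaces the encrypted entry in place; re-read the list afterwards.
            decryptAssertion(responseType, privateKey);
        }
        return responseType.getAssertions().get(0).getAssertion();
    }

    /**
     * Decrypts the first {@code <EncryptedAssertion>} in the response and swaps it for the
     * resulting plaintext assertion.
     *
     * <p>The decrypted element is schema-validated before it is parsed, so malformed plaintext
     * is rejected. No signature verification is performed here. The replacement is keyed on the
     * ID attribute read from the EncryptedAssertion element; if the element carries no ID the
     * key is the empty string — presumably acceptable to {@code replaceAssertion}, verify.
     *
     * @param responseType response holding the encrypted assertion
     * @param privateKey   decryption key
     * @return {@code responseType}, mutated
     * @throws ProcessingException    if no EncryptedAssertion is present or decryption/validation fails
     * @throws ParsingException       if the decrypted XML cannot be parsed
     * @throws ConfigurationException propagated from the conversion/decryption helpers
     */
    public static ResponseType decryptAssertion(ResponseType responseType, PrivateKey privateKey) throws ParsingException, ProcessingException, ConfigurationException {
        Document responseDoc = new SAML2Response().convert((StatusResponseType) responseType);
        Element encrypted = org.keycloak.saml.common.util.DocumentUtil.getElement(responseDoc, new QName(JBossSAMLConstants.ENCRYPTED_ASSERTION.get()));
        if (encrypted == null) {
            throw new ProcessingException("No encrypted assertion found.");
        }
        String encryptedId = encrypted.getAttribute(JBossSAMLConstants.ID.get());

        // Decrypt against an isolated copy so the original response document is untouched.
        Document standalone = org.keycloak.saml.common.util.DocumentUtil.createDocument();
        standalone.appendChild(standalone.importNode(encrypted, true));
        Element decrypted = XMLEncryptionUtil.decryptElementInDocument(standalone, privateKey);

        // Validate the plaintext against the SAML schema before handing it to the parser.
        JAXPValidationUtil.checkSchemaValidation(decrypted);
        AssertionType assertion = (AssertionType) new SAMLParser().parse(
                StaxParserUtil.getXMLEventReader(org.keycloak.saml.common.util.DocumentUtil.getNodeAsStream(decrypted)));
        responseType.replaceAssertion(encryptedId, new ResponseType.RTChoiceType(assertion));
        return responseType;
    }
}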
