package org.overlord.commons.auth.tomcat7;

import java.io.IOException;
import java.io.StringReader;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.servlet.http.HttpServletResponse;
import javax.xml.stream.XMLInputFactory;
import org.apache.catalina.authenticator.BasicAuthenticator;
import org.apache.catalina.connector.Request;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;
import org.apache.tomcat.util.buf.ByteChunk;
import org.apache.tomcat.util.buf.MessageBytes;
import org.overlord.commons.auth.util.SAMLBearerTokenUtil;
import org.picketbox.util.StringUtil;
import org.picketlink.common.constants.LDAPConstants;
import org.picketlink.identity.federation.core.constants.AttributeConstants;
import org.picketlink.identity.federation.core.parsers.saml.SAMLAssertionParser;
import org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil;
import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
import org.picketlink.identity.federation.saml.v2.assertion.NameIDType;
import org.picketlink.identity.federation.saml.v2.assertion.StatementAbstractType;
import org.picketlink.idm.model.basic.Group;
import org.w3c.dom.Document;

/* loaded from: input_file:WEB-INF/lib/overlord-commons-auth-tomcat7-2.0.9-SNAPSHOT.jar:org/overlord/commons/auth/tomcat7/SAMLBearerTokenAuthenticator.class */
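/**
 * Tomcat 7 authenticator that accepts a SAML assertion carried inside HTTP Basic credentials.
 *
 * <p>The decoded Basic credential string is expected to look like
 * {@code SAML-BEARER-TOKEN:<assertion xml>}. When that prefix is present the assertion is
 * parsed, validated against the configured issuers (and optionally its signature), and the
 * subject plus role attributes are registered as the request principal. Any other credential
 * is handed to the normal {@link BasicAuthenticator} behaviour.
 *
 * <p>All configuration setters accept {@code ${property::default}} placeholders which are
 * resolved from system properties (see {@link #interpolate(String)}).
 */
public class SAMLBearerTokenAuthenticator extends BasicAuthenticator {

    /** Marker that distinguishes a bearer token from ordinary {@code user:password} credentials. */
    private static final String SAML_TOKEN_PREFIX = "SAML-BEARER-TOKEN:";
    /** Length of the {@code "basic "} scheme prefix skipped in the Authorization header. */
    private static final int BASIC_PREFIX_LENGTH = "basic ".length();
    /** System property used to anchor relative keystore paths. */
    private static final String CATALINA_HOME_PROPERTY = "catalina.home";

    // Issuers whose assertions are accepted; stays null until setAllowedIssuers() is called.
    private Set<String> allowedIssuers;
    // Defaults to false: unless configured, an assertion is accepted without a signature check.
    private boolean signatureRequired;
    private String keystorePath;
    private String keystorePassword;
    private String keyAlias;
    private String keyPassword;

    /**
     * Authenticates the request from a SAML bearer token if one is present, otherwise delegates
     * to {@link BasicAuthenticator#authenticate(Request, HttpServletResponse, LoginConfig)}.
     *
     * <p>The header bytes are temporarily advanced past the {@code "basic "} scheme while the
     * credentials are decoded and are always restored afterwards, because the superclass reads
     * the same header buffer when it is asked to fall back.
     *
     * @param request the Tomcat request
     * @param response the servlet response (used to register a session principal)
     * @param config the login configuration handed to the superclass on fallback
     * @return {@code true} if a principal was registered from a bearer token, {@code false} if a
     *     bearer token was present but failed validation, otherwise the superclass result
     * @throws IOException if the credentials cannot be decoded as UTF-8 or the superclass fails
     */
    @Override
    public boolean authenticate(Request request, HttpServletResponse response, LoginConfig config) throws IOException {
        if (request.getUserPrincipal() == null) {
            MessageBytes authorization = request.getCoyoteRequest().getMimeHeaders().getValue("authorization");
            if (authorization != null) {
                authorization.toBytes();
                ByteChunk chunk = authorization.getByteChunk();
                if (chunk.startsWithIgnoreCase("basic ", 0)) {
                    chunk.setOffset(chunk.getOffset() + BASIC_PREFIX_LENGTH);
                    try {
                        String credentials = new String(Base64.decodeBase64(
                                new String(chunk.getBuffer(), chunk.getOffset(), chunk.getLength())), "UTF-8");
                        if (credentials.startsWith(SAML_TOKEN_PREFIX)) {
                            try {
                                if (authenticateBearerToken(credentials.substring(SAML_TOKEN_PREFIX.length()),
                                        request, response)) {
                                    return true;
                                }
                            } catch (Exception e) {
                                // Validation, parsing or signature failure: reject rather than fall back.
                                e.printStackTrace();
                                return false;
                            }
                        }
                    } finally {
                        // Only undo the advance we made; a non-Basic header was never shifted.
                        chunk.setOffset(chunk.getOffset() - BASIC_PREFIX_LENGTH);
                    }
                }
            }
        }
        return super.authenticate(request, response, config);
    }

    /**
     * Parses, validates and registers a single SAML assertion.
     *
     * @param token the raw assertion XML (everything after {@link #SAML_TOKEN_PREFIX})
     * @param request the request to register the principal on
     * @param response the response to register the principal on
     * @return {@code true} if a principal was built and registered, {@code false} if the
     *     assertion yielded no principal
     * @throws IOException if a signature is required and does not verify, or the key pair
     *     cannot be loaded
     * @throws Exception on any parsing or validation failure raised by the SAML utilities
     */
    private boolean authenticateBearerToken(String token, Request request, HttpServletResponse response)
            throws Exception {
        // NOTE(review): the token is also DOM-parsed here by PicketLink's DocumentUtil; whether
        // that parser disables external entities cannot be confirmed from this file.
        Document document = DocumentUtil.getDocument(token);
        AssertionType assertion = (AssertionType) new SAMLAssertionParser()
                .parse(newXmlInputFactory().createXMLEventReader(new StringReader(token)));
        SAMLBearerTokenUtil.validateAssertion(assertion, request, this.allowedIssuers);
        // Signature verification is opt-in via signatureRequired.
        if (this.signatureRequired
                && !SAMLBearerTokenUtil.isSAMLAssertionSignatureValid(document, getKeyPair(assertion))) {
            throw new IOException(Messages.getString("SAMLBearerTokenAuthenticator.InvalidSignature"));
        }
        Principal principal = consumeAssertion(assertion);
        if (principal == null) {
            return false;
        }
        register(request, response, principal, "BASIC", principal.getName(), null);
        return true;
    }

    /**
     * Creates a StAX factory with DTD processing and external entity resolution disabled, since
     * the assertion XML arrives from an unauthenticated client.
     *
     * @return a hardened {@link XMLInputFactory}
     */
    private static XMLInputFactory newXmlInputFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return factory;
    }

    /**
     * Loads the key pair used to verify assertion signatures from the configured keystore.
     *
     * @param assertion the assertion being verified (currently unused by the lookup)
     * @return the key pair stored under {@code keyAlias}
     * @throws IOException wrapping any failure, with the original exception as cause
     */
    private KeyPair getKeyPair(AssertionType assertion) throws IOException {
        try {
            return SAMLBearerTokenUtil.getKeyPair(loadKeystore(), this.keyAlias, this.keyPassword);
        } catch (Exception e) {
            throw new IOException(
                    Messages.getString("SAMLBearerTokenAuthenticator.FailedToGetKeyPair") + this.keyAlias, e);
        }
    }

    /**
     * Opens the keystore at {@code keystorePath} with {@code keystorePassword}.
     *
     * @return the loaded keystore
     * @throws IOException wrapping any failure, with the original exception as cause
     */
    private KeyStore loadKeystore() throws IOException {
        try {
            return SAMLBearerTokenUtil.loadKeystore(this.keystorePath, this.keystorePassword);
        } catch (Exception e) {
            throw new IOException(
                    Messages.getString("SAMLBearerTokenAuthenticator.ErrorLoadingKeystore") + e.getMessage(), e);
        }
    }

    /**
     * Builds a Tomcat principal from the assertion's subject NameID and role attributes.
     *
     * <p>Roles are collected from every attribute statement whose attribute name equals
     * {@link AttributeConstants#ROLE_IDENTIFIER_ASSERTION}; null attribute values are skipped.
     *
     * @param assertion a validated assertion
     * @return a {@link GenericPrincipal} with an empty password and the collected roles
     * @throws Exception propagated from the PicketLink accessors
     */
    private Principal consumeAssertion(AssertionType assertion) throws Exception {
        String subjectName = ((NameIDType) assertion.getSubject().getSubType().getBaseID()).getValue();
        List<String> roles = new ArrayList<String>();
        for (StatementAbstractType statement : assertion.getStatements()) {
            if (!(statement instanceof AttributeStatementType)) {
                continue;
            }
            for (AttributeStatementType.ASTChoiceType choice : ((AttributeStatementType) statement).getAttributes()) {
                if (choice.getAttribute() == null
                        || !AttributeConstants.ROLE_IDENTIFIER_ASSERTION.equals(choice.getAttribute().getName())) {
                    continue;
                }
                for (Object roleValue : choice.getAttribute().getAttributeValue()) {
                    if (roleValue != null) {
                        roles.add(roleValue.toString());
                    }
                }
            }
        }
        return new GenericPrincipal(subjectName, StringUtils.EMPTY, roles);
    }

    /**
     * @return the allowed issuer set rendered via {@link Set#toString()}, or {@code "[]"} if no
     *     issuers have been configured yet
     */
    public String getAllowedIssuers() {
        return this.allowedIssuers == null ? "[]" : this.allowedIssuers.toString();
    }

    /**
     * Replaces the allowed issuer set with the comma-separated, trimmed entries of the argument.
     *
     * @param issuers comma-separated issuer list; may contain a {@code ${...}} placeholder;
     *     {@code null} clears the set
     */
    public void setAllowedIssuers(String issuers) {
        String resolved = interpolate(issuers);
        if (this.allowedIssuers == null) {
            this.allowedIssuers = new HashSet<String>();
        }
        this.allowedIssuers.clear();
        if (resolved != null) {
            for (String issuer : resolved.split(LDAPConstants.COMMA)) {
                this.allowedIssuers.add(issuer.trim());
            }
        }
    }

    /** @return {@code "true"} or {@code "false"} */
    public String getSignatureRequired() {
        return String.valueOf(this.signatureRequired);
    }

    /**
     * @param required parsed with {@link Boolean#parseBoolean(String)} after interpolation, so
     *     anything other than (case-insensitive) {@code "true"} disables signature checks
     */
    public void setSignatureRequired(String required) {
        this.signatureRequired = Boolean.parseBoolean(interpolate(required));
    }

    /** @return the resolved keystore path, or {@code null} if not configured */
    public String getKeystorePath() {
        return this.keystorePath;
    }

    /**
     * Sets the keystore location. Paths that are not absolute are prefixed with
     * {@code ${catalina.home}/} when that system property is set.
     *
     * @param path the keystore path; may contain a {@code ${...}} placeholder
     */
    public void setKeystorePath(String path) {
        String resolved = interpolate(path);
        if (resolved != null && !looksAbsolute(resolved)) {
            String catalinaHome = System.getProperty(CATALINA_HOME_PROPERTY);
            if (catalinaHome != null) {
                resolved = catalinaHome + Group.PATH_SEPARATOR + resolved;
            }
        }
        this.keystorePath = resolved;
    }

    /**
     * Mirrors the original absolute-path heuristic: a leading path separator or a {@code ':'} at
     * index 2. Short strings are treated as relative instead of throwing.
     *
     * @param path a non-null path
     * @return whether the path is treated as absolute
     */
    private static boolean looksAbsolute(String path) {
        // NOTE(review): a ':' at index 2 does not match the usual drive-letter layout ("C:\"),
        // where ':' sits at index 1 — confirm which form this was meant to recognise.
        return path.startsWith(Group.PATH_SEPARATOR) || (path.length() > 2 && path.charAt(2) == ':');
    }

    /** @return the keystore password, or {@code null} if not configured */
    public String getKeystorePassword() {
        return this.keystorePassword;
    }

    /** @param password the keystore password; may contain a {@code ${...}} placeholder */
    public void setKeystorePassword(String password) {
        this.keystorePassword = interpolate(password);
    }

    /** @return the alias of the verification key, or {@code null} if not configured */
    public String getKeyAlias() {
        return this.keyAlias;
    }

    /** @param alias the key alias; may contain a {@code ${...}} placeholder */
    public void setKeyAlias(String alias) {
        this.keyAlias = interpolate(alias);
    }

    /** @return the key password, or {@code null} if not configured */
    public String getKeyPassword() {
        return this.keyPassword;
    }

    /** @param password the key password; may contain a {@code ${...}} placeholder */
    public void setKeyPassword(String password) {
        this.keyPassword = interpolate(password);
    }

    /**
     * Resolves a {@code ${name::default}} placeholder against system properties.
     *
     * <p>Only strings that start with {@code "${"} and contain the
     * {@link StringUtil#PROPERTY_DEFAULT_SEPARATOR} are resolved; a placeholder without a default
     * separator is returned unchanged. The trailing character is assumed to be {@code '}'}.
     *
     * @param value the raw configuration value, possibly {@code null}
     * @return the system property value, its default, or the input when it is not a placeholder
     */
    private String interpolate(String value) {
        if (value == null || !value.startsWith("${")) {
            return value;
        }
        int separatorAt = value.indexOf(StringUtil.PROPERTY_DEFAULT_SEPARATOR);
        if (separatorAt < 3) {
            return value;
        }
        String propertyName = value.substring(2, separatorAt);
        String defaultValue = value.substring(separatorAt + 2, value.length() - 1);
        return System.getProperty(propertyName, defaultValue);
    }
}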
