package org.overlord.commons.auth.filters;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.XMLSignatureException;
import org.jboss.logging.Logger;
import org.overlord.commons.auth.util.SamlPostBindingUtil;
import org.picketlink.common.constants.JBossSAMLURIConstants;
import org.picketlink.common.exceptions.ConfigurationException;
import org.picketlink.common.exceptions.ParsingException;
import org.picketlink.common.exceptions.ProcessingException;
import org.picketlink.common.exceptions.TrustKeyConfigurationException;
import org.picketlink.common.exceptions.TrustKeyProcessingException;
import org.picketlink.common.exceptions.fed.AssertionExpiredException;
import org.picketlink.common.exceptions.fed.IssuerNotTrustedException;
import org.picketlink.common.util.DocumentUtil;
import org.picketlink.common.util.StringUtil;
import org.picketlink.config.federation.KeyProviderType;
import org.picketlink.config.federation.PicketLinkType;
import org.picketlink.config.federation.SPType;
import org.picketlink.config.federation.TrustType;
import org.picketlink.identity.federation.api.saml.v2.request.SAML2Request;
import org.picketlink.identity.federation.core.interfaces.TrustKeyManager;
import org.picketlink.identity.federation.core.saml.v2.common.IDGenerator;
import org.picketlink.identity.federation.core.saml.v2.common.SAMLDocumentHolder;
import org.picketlink.identity.federation.core.saml.v2.factories.SAML2HandlerChainFactory;
import org.picketlink.identity.federation.core.saml.v2.holders.DestinationInfoHolder;
import org.picketlink.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerChainConfig;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerChain;
import org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil;
import org.picketlink.identity.federation.core.saml.v2.util.HandlerUtil;
import org.picketlink.identity.federation.core.util.CoreConfigUtil;
import org.picketlink.identity.federation.core.util.XMLSignatureUtil;
import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
import org.picketlink.identity.federation.saml.v2.protocol.AuthnRequestType;
import org.picketlink.identity.federation.saml.v2.protocol.RequestAbstractType;
import org.picketlink.identity.federation.saml.v2.protocol.ResponseType;
import org.picketlink.identity.federation.saml.v2.protocol.StatusResponseType;
import org.picketlink.identity.federation.saml.v2.protocol.StatusType;
import org.picketlink.identity.federation.web.interfaces.IRoleValidator;
import org.picketlink.identity.federation.web.roles.DefaultRoleValidator;
import org.picketlink.identity.federation.web.util.ConfigurationUtil;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/* loaded from: input_file:lib/overlord-commons-auth-2.0.7.Final.jar:org/overlord/commons/auth/filters/SamlSPFilter.class */
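/**
 * SAML v2 Service Provider filter (POST binding) for the Overlord web
 * applications, built on PicketLink.
 *
 * <p>Reviewer notes on the security-relevant flow visible in this file:
 * <ul>
 *   <li>{@link #verifySignature} picks the validating key by the <em>host</em>
 *       of the (as yet unverified) Issuer URL; the key itself only ever comes
 *       from the configured {@link TrustKeyManager}.</li>
 *   <li>{@link #isTrusted} compares that host against the comma-separated
 *       {@code <Trust><Domains>} list. The original build used a substring
 *       test ({@code domains.indexOf(host)}) which accepted e.g. {@code example.com}
 *       or an empty host when {@code idp.example.com} was configured; this
 *       version requires an exact (case-insensitive) entry match.</li>
 *   <li>{@link #handleSAMLResponse} consumes only the first assertion, checks
 *       only expiry, and turns the first value of <em>every</em> attribute in
 *       the first AttributeStatement into a role candidate.</li>
 *   <li>{@link #doFilter} could not be recovered by the decompiler, so the
 *       order in which the checks above are applied per request cannot be
 *       confirmed from this file.</li>
 * </ul>
 */
public class SamlSPFilter implements Filter {
    private static final Logger log = Logger.getLogger((Class<?>) SamlSPFilter.class);

    /** Fallback configuration file consulted when {@link #configFile} is absent. */
    private static final String LEGACY_CONFIG_FILE = "/WEB-INF/picketlink-idfed.xml";
    /** Handler configuration consulted only for the legacy configuration layout. */
    private static final String HANDLERS_FILE = "/WEB-INF/picketlink-handlers.xml";
    /** Request parameter carrying the base64 SAML response in the POST binding. */
    private static final String SAML_RESPONSE_PARAM = "SAMLResponse";

    /** Source of IdP public keys; {@code null} when no KeyProvider is configured. */
    private TrustKeyManager keyManager;
    private final boolean trace = log.isTraceEnabled();
    protected SPType spConfiguration = null;
    protected PicketLinkType picketLinkConfiguration = null;
    protected String configFile = "/WEB-INF/picketlink.xml";
    protected String serviceURL = null;
    protected String identityURL = null;
    private ServletContext context = null;
    private transient SAML2HandlerChain chain = null;
    private IRoleValidator roleValidator = new DefaultRoleValidator();
    private String logOutPage = "/logout.jsp";
    protected String canonicalizationMethod = "http://www.w3.org/2001/10/xml-exc-c14n#WithComments";

    @Override
    public void destroy() {
        // Nothing to release: all state is configuration loaded in init().
    }

    /*
     * NOTE(review): the decompiler failed to reconstruct this method (1293
     * bytecode instructions). The only recoverable fragment was a call of the
     * form `response.sendError(e.getErrorCode())` in an error path. The real
     * request-processing logic must be taken from the project's source
     * repository; this stub is a placeholder and must not be deployed.
     */
    @Override
    public void doFilter(javax.servlet.ServletRequest r8, javax.servlet.ServletResponse r9, javax.servlet.FilterChain r10) throws java.io.IOException, javax.servlet.ServletException {
        throw new UnsupportedOperationException("Method not decompiled: org.overlord.commons.auth.filters.SamlSPFilter.doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain):void");
    }

    /**
     * Loads the PicketLink SP configuration, the role validator, the handler
     * chain and the trust-key manager.
     *
     * @param filterConfig init parameters: {@code ROLE_VALIDATOR},
     *        {@code ROLES}, {@code SAML_HANDLER_CHAIN_CLASS}, {@code LOGOUT_PAGE}
     * @throws ServletException if configuration is missing, unparseable, or a
     *         configured class cannot be instantiated (the original build
     *         surfaced most of these as {@code RuntimeException})
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.context = filterConfig.getServletContext();
        loadConfiguration();

        this.identityURL = this.spConfiguration.getIdentityURL();
        this.serviceURL = this.spConfiguration.getServiceURL();
        this.canonicalizationMethod = this.spConfiguration.getCanonicalizationMethod();
        log.info("SPFilter:: Setting the CanonicalizationMethod on XMLSignatureUtil::" + this.canonicalizationMethod);
        // This is a static (JVM-wide) setting on XMLSignatureUtil: the last
        // filter to initialise in this JVM wins for every signature check.
        XMLSignatureUtil.setCanonicalizationMethodType(this.canonicalizationMethod);
        log.trace("Identity Provider URL=" + this.identityURL);

        if (this.spConfiguration.getTrust() == null) {
            // isTrusted() accepts every issuer when no <Trust> element exists.
            log.warn("SPFilter:: No <Trust> element in SP configuration; issuer domain checks are disabled");
        }

        configureRoleValidator(filterConfig);
        buildHandlerChain(filterConfig);
        configureKeyManager();

        String logoutParam = filterConfig.getInitParameter("LOGOUT_PAGE");
        if (logoutParam != null && !"".equals(logoutParam)) {
            this.logOutPage = logoutParam;
        }
    }

    /** Reads picketlink.xml, falling back to the legacy picketlink-idfed.xml layout. */
    private void loadConfiguration() throws ServletException {
        InputStream configIn = this.context.getResourceAsStream(this.configFile);
        if (configIn != null) {
            try {
                this.picketLinkConfiguration = ConfigurationUtil.getConfiguration(configIn);
                Object provider = this.picketLinkConfiguration.getIdpOrSP();
                if (!(provider instanceof SPType)) {
                    throw new ServletException("SPFilter:: " + this.configFile + " does not define a Service Provider");
                }
                this.spConfiguration = (SPType) provider;
            } catch (ParsingException e) {
                throw new ServletException("SPFilter:: Unable to parse " + this.configFile, e);
            } finally {
                closeQuietly(configIn);
            }
            return;
        }

        InputStream legacyIn = this.context.getResourceAsStream(LEGACY_CONFIG_FILE);
        if (legacyIn == null) {
            throw new ServletException("PL00025: Service Provider:: Configuration File missing:" + this.configFile + " missing");
        }
        try {
            this.spConfiguration = ConfigurationUtil.getSPConfiguration(legacyIn);
        } catch (ParsingException e) {
            throw new ServletException("SPFilter:: Unable to parse " + LEGACY_CONFIG_FILE, e);
        } finally {
            closeQuietly(legacyIn);
        }
        if (this.spConfiguration == null) {
            throw new ServletException("SPFilter:: " + LEGACY_CONFIG_FILE + " does not define a Service Provider");
        }
    }

    /** Instantiates the optional ROLE_VALIDATOR class and hands it the ROLES option. */
    private void configureRoleValidator(FilterConfig filterConfig) throws ServletException {
        String validatorClass = filterConfig.getInitParameter("ROLE_VALIDATOR");
        if (validatorClass != null && !"".equals(validatorClass)) {
            try {
                // Class name is operator-controlled configuration, not request input.
                this.roleValidator = (IRoleValidator) SecurityActions.loadClass(getClass(), validatorClass).newInstance();
            } catch (Exception e) {
                throw new ServletException("SPFilter:: Unable to instantiate ROLE_VALIDATOR " + validatorClass, e);
            }
        }
        HashMap<String, Object> validatorOptions = new HashMap<String, Object>();
        String roles = filterConfig.getInitParameter("ROLES");
        if (this.trace) {
            log.trace("Found Roles in SPFilter config=" + roles);
        }
        if (roles != null) {
            validatorOptions.put("ROLES", roles);
        }
        this.roleValidator.intialize(validatorOptions);
    }

    /** Creates the SAML2 handler chain and initialises every handler with the SP configuration. */
    private void buildHandlerChain(FilterConfig filterConfig) throws ServletException {
        String chainClass = filterConfig.getInitParameter("SAML_HANDLER_CHAIN_CLASS");
        try {
            if (StringUtil.isNullOrEmpty(chainClass)) {
                this.chain = SAML2HandlerChainFactory.createChain();
            } else {
                this.chain = SAML2HandlerChainFactory.createChain(chainClass);
            }
        } catch (ProcessingException e) {
            throw new ServletException(e);
        }

        try {
            if (this.picketLinkConfiguration != null) {
                this.chain.addAll(HandlerUtil.getHandlers(this.picketLinkConfiguration.getHandlers()));
            } else {
                InputStream handlersIn = this.context.getResourceAsStream(HANDLERS_FILE);
                if (handlersIn == null) {
                    throw new ServletException("SPFilter:: Handler configuration missing:" + HANDLERS_FILE);
                }
                try {
                    this.chain.addAll(HandlerUtil.getHandlers(ConfigurationUtil.getHandlers(handlersIn)));
                } finally {
                    closeQuietly(handlersIn);
                }
            }
        } catch (ServletException e) {
            throw e;
        } catch (Exception e) {
            throw new ServletException("SPFilter:: Unable to load SAML2 handlers", e);
        }

        HashMap<String, Object> chainOptions = new HashMap<String, Object>();
        chainOptions.put("CONFIGURATION", this.spConfiguration);
        chainOptions.put("ROLE_VALIDATOR", this.roleValidator);
        DefaultSAML2HandlerChainConfig chainConfig = new DefaultSAML2HandlerChainConfig(chainOptions);
        for (Object handler : this.chain.handlers()) {
            ((SAML2Handler) handler).initChainConfig(chainConfig);
        }
    }

    /**
     * Instantiates the configured KeyProvider as the {@link TrustKeyManager}.
     * Without a KeyProvider {@link #keyManager} stays {@code null} and
     * {@link #verifySignature} can never succeed.
     */
    private void configureKeyManager() throws ServletException {
        KeyProviderType keyProvider = this.spConfiguration.getKeyProvider();
        if (keyProvider == null) {
            log.warn("SPFilter:: No KeyProvider configured; SAML signatures cannot be verified");
            return;
        }
        String className = keyProvider.getClassName();
        if (className == null) {
            throw new ServletException("PL00092: Null Value:KeyManager class name");
        }
        try {
            this.keyManager = (TrustKeyManager) SecurityActions.loadClass(getClass(), className).newInstance();
            this.keyManager.setAuthProperties(CoreConfigUtil.getKeyProviderProperties(keyProvider));
            this.keyManager.setValidatingAlias(keyProvider.getValidatingAlias());
            log.trace("Key Provider=" + className);
        } catch (Exception e) {
            log.error("Exception reading configuration:", e);
            // Keep the cause: the original build threw only the message text.
            throw new ServletException(e.getLocalizedMessage(), e);
        }
    }

    /** Closes a configuration stream, logging (not propagating) any failure. */
    private static void closeQuietly(InputStream in) {
        if (in == null) {
            return;
        }
        try {
            in.close();
        } catch (IOException e) {
            log.debug("SPFilter:: Unable to close configuration stream", e);
        }
    }

    /**
     * Builds an AuthnRequest addressed to the IdP.
     *
     * @param str  the SP service URL (used as issuer and AssertionConsumerServiceURL)
     * @param str2 the IdP URL (used as Destination)
     * @return the new request with a freshly generated {@code ID_} identifier;
     *         whether that ID is stored for an InResponseTo check is decided by
     *         the caller (not visible in this file)
     * @throws IllegalArgumentException if either URL is {@code null}
     */
    private AuthnRequestType createSAMLRequest(String str, String str2) throws ConfigurationException {
        if (str == null) {
            throw new IllegalArgumentException("PL00078: Null Parameter:serviceURL");
        }
        if (str2 == null) {
            throw new IllegalArgumentException("PL00078: Null Parameter:identityURL");
        }
        return new SAML2Request().createAuthnRequestType(IDGenerator.create("ID_"), str, str2, str);
    }

    /**
     * Marshals the AuthnRequest and sends it to its Destination with a
     * self-submitting HTML POST form.
     *
     * @param authnRequestType request to send; its Destination is the form target
     * @param str              RelayState forwarded to the IdP
     * @param httpServletResponse response the form is written to
     */
    protected void sendRequestToIDP(AuthnRequestType authnRequestType, String str, HttpServletResponse httpServletResponse) throws IOException, SAXException, GeneralSecurityException {
        SAML2Request request = new SAML2Request();
        ByteArrayOutputStream marshalled = new ByteArrayOutputStream();
        request.marshall(authnRequestType, marshalled);
        // Decode the marshalled XML as UTF-8 explicitly; the original used the
        // platform default charset, which corrupts non-ASCII content on
        // hosts whose default is not UTF-8.
        String xml = marshalled.toString("UTF-8");
        String destination = authnRequestType.getDestination().toASCIIString();
        SamlPostBindingUtil.sendPost(new DestinationInfoHolder(destination, SamlPostBindingUtil.base64Encode(xml), str), httpServletResponse, true);
    }

    /**
     * Sends an already-built SAML document to {@code str2} via the POST binding.
     *
     * @param document the SAML XML to send
     * @param str      RelayState
     * @param str2     destination URL
     * @param z        passed through to {@code SamlPostBindingUtil.sendPost} (request vs. response mode, presumably)
     */
    protected void sendToDestination(Document document, String str, String str2, HttpServletResponse httpServletResponse, boolean z) throws IOException, SAXException, GeneralSecurityException {
        String encoded = SamlPostBindingUtil.base64Encode(DocumentUtil.getDocumentAsString(document));
        SamlPostBindingUtil.sendPost(new DestinationInfoHolder(str2, encoded, str), httpServletResponse, z);
    }

    /**
     * Tells whether the request carries a {@code SAMLResponse} parameter.
     * This is a presence check only; nothing about the response is validated here.
     */
    protected boolean validate(HttpServletRequest httpServletRequest) throws IOException, GeneralSecurityException {
        return httpServletRequest.getParameter(SAML_RESPONSE_PARAM) != null;
    }

    /**
     * Verifies the XML signature on the SAML document with the public key the
     * {@link TrustKeyManager} holds for the Issuer's host.
     *
     * <p>Security: the Issuer value is taken from the unverified document, so it
     * only <em>selects</em> a key among those configured; it can never introduce
     * one. Callers must still apply {@link #isTrusted} to the issuer. Whether
     * {@code XMLSignatureUtil.validate} also binds the signature to the
     * Response/Assertion element (signature-wrapping resistance) is not visible
     * from this file.
     *
     * @return {@code true} only if a signature was found and verified; any
     *         lookup or verification failure yields {@code false} (fail closed)
     * @throws IssuerNotTrustedException if the Issuer is absent or not a URL
     */
    protected boolean verifySignature(SAMLDocumentHolder sAMLDocumentHolder) throws IssuerNotTrustedException {
        Document samlDocument = sAMLDocumentHolder.getSamlDocument();
        Object samlObject = sAMLDocumentHolder.getSamlObject();

        String issuerValue = null;
        if (samlObject instanceof StatusResponseType) {
            StatusResponseType response = (StatusResponseType) samlObject;
            if (response.getIssuer() != null) {
                issuerValue = response.getIssuer().getValue();
            }
        } else if (samlObject instanceof RequestAbstractType) {
            RequestAbstractType request = (RequestAbstractType) samlObject;
            if (request.getIssuer() != null) {
                issuerValue = request.getIssuer().getValue();
            }
        }
        if (issuerValue == null) {
            throw new IssuerNotTrustedException("PL00092: Null Value:IssuerID missing");
        }

        String issuerHost;
        try {
            issuerHost = new URL(issuerValue).getHost();
        } catch (MalformedURLException e) {
            throw new IssuerNotTrustedException(e);
        }

        if (this.keyManager == null) {
            log.error("Unable to verify signature: no KeyProvider configured");
            return false;
        }
        try {
            PublicKey validatingKey = this.keyManager.getValidatingKey(issuerHost);
            if (validatingKey == null) {
                log.error("Unable to verify signature: no validating key for host " + issuerHost);
                return false;
            }
            log.trace("Going to verify signature in the saml response from IDP");
            boolean valid = XMLSignatureUtil.validate(samlDocument, validatingKey);
            log.trace("Signature verification=" + valid);
            return valid;
        } catch (TrustKeyProcessingException e) {
            log.error("Unable to verify signature", e);
            return false;
        } catch (TrustKeyConfigurationException e) {
            log.error("Unable to verify signature", e);
            return false;
        } catch (MarshalException e) {
            log.error("Unable to verify signature", e);
            return false;
        } catch (XMLSignatureException e) {
            log.error("Unable to verify signature", e);
            return false;
        }
    }

    /**
     * Checks the issuer URL's host against the configured trusted domains.
     *
     * <p>Preserved behaviour: when the SP configuration has no {@code <Trust>}
     * element at all, every issuer is accepted (a warning is logged at init).
     *
     * <p>Fixed behaviour: entries of the comma-separated domain list are matched
     * exactly and case-insensitively. The original {@code indexOf} substring
     * test let a parent domain, a fragment, or an empty host match.
     *
     * @param str issuer URL
     * @throws IssuerNotTrustedException if {@code str} is not a URL or its host
     *         is not in the trusted list
     */
    protected void isTrusted(String str) throws IssuerNotTrustedException {
        String issuerHost;
        try {
            issuerHost = new URL(str).getHost();
        } catch (Exception e) {
            throw new IssuerNotTrustedException(e.getLocalizedMessage(), e);
        }
        TrustType trust = this.spConfiguration.getTrust();
        if (trust == null) {
            return;
        }
        if (!isTrustedDomain(trust.getDomains(), issuerHost)) {
            throw new IssuerNotTrustedException(str);
        }
    }

    /**
     * Exact, case-insensitive membership test of {@code host} in a
     * comma-separated domain list. Blank entries and a blank host never match.
     */
    static boolean isTrustedDomain(String domains, String host) {
        if (domains == null || host == null || host.trim().length() == 0) {
            return false;
        }
        String wanted = host.trim();
        for (String entry : domains.split(",")) {
            String candidate = entry.trim();
            if (candidate.length() > 0 && candidate.equalsIgnoreCase(wanted)) {
                return true;
            }
        }
        return false;
    }

    /** This filter does not support encrypted assertions; always throws. */
    protected ResponseType decryptAssertion(ResponseType responseType) {
        throw new RuntimeException("PL00102: Processing Exception:This filter does not handle encryption");
    }

    /**
     * Turns a successful SAML Response into a {@link Principal}.
     *
     * <p>What is checked here: status code is Success, at least one assertion
     * exists, the first assertion is not expired, and the role validator
     * accepts the extracted roles. Signature and issuer trust are <em>not</em>
     * checked here (see {@link #verifySignature} and {@link #isTrusted}); nor
     * are AudienceRestriction, InResponseTo or SubjectConfirmation — if the
     * handler chain does not cover them, they are unchecked.
     *
     * <p>Only the first assertion is consumed. Role candidates are the first
     * value of every attribute in the first AttributeStatement, regardless of
     * attribute name; filtering is left to the configured {@link IRoleValidator}.
     *
     * @return the principal, or {@code null} if the role validator rejects it
     * @throws SecurityException         if the IdP status is not Success
     * @throws AssertionExpiredException if the assertion's validity window has passed
     * @throws IllegalStateException     if the response carries no usable assertion,
     *                                   subject or attribute statement
     */
    public Principal handleSAMLResponse(HttpServletRequest httpServletRequest, ResponseType responseType) throws ConfigurationException, AssertionExpiredException {
        if (httpServletRequest == null) {
            throw new IllegalArgumentException("PL00078: Null Parameter:request");
        }
        if (responseType == null) {
            throw new IllegalArgumentException("PL00078: Null Parameter:response type");
        }
        StatusType status = responseType.getStatus();
        if (status == null) {
            throw new IllegalArgumentException("PL00092: Null Value:Status Type from the IDP");
        }
        // A missing status code is treated as failure rather than as an NPE.
        if (status.getStatusCode() == null || status.getStatusCode().getValue() == null
                || !JBossSAMLURIConstants.STATUS_SUCCESS.get().equals(status.getStatusCode().getValue().toASCIIString())) {
            throw new SecurityException("PL00015: IDP Authentication Failed:IDP forbid the user");
        }

        List assertions = responseType.getAssertions();
        if (assertions == null || assertions.isEmpty()) {
            throw new IllegalStateException("PL00092: Null Value:No assertions in reply from IDP");
        }
        AssertionType assertion = ((ResponseType.RTChoiceType) assertions.get(0)).getAssertion();
        if (assertion == null) {
            // An RTChoiceType without a plain assertion is an EncryptedAssertion,
            // which this filter does not handle (see decryptAssertion).
            throw new IllegalStateException("PL00092: Null Value:No assertions in reply from IDP");
        }
        if (AssertionUtil.hasExpired(assertion)) {
            throw new AssertionExpiredException("PL00079: Assertion has expired:");
        }

        final String subjectName = extractSubjectName(assertion);
        ArrayList<String> roles = extractRoles(assertion);

        Principal principal = new Principal() { // from class: org.overlord.commons.auth.filters.SamlSPFilter.1
            @Override // java.security.Principal
            public String getName() {
                return subjectName;
            }
        };
        if (!this.roleValidator.userInRole(principal, roles)) {
            if (this.trace) {
                log.trace("Invalid role:" + roles);
            }
            return null;
        }
        return principal;
    }

    /** Returns the assertion's subject identifier, failing with a clear message instead of an NPE. */
    private static String extractSubjectName(AssertionType assertion) {
        if (assertion.getSubject() == null
                || assertion.getSubject().getSubType() == null
                || assertion.getSubject().getSubType().getBaseID() == null) {
            throw new IllegalStateException("PL00092: Null Value:Subject missing in assertion from IDP");
        }
        String name = assertion.getSubject().getSubType().getBaseID().getValue();
        if (name == null) {
            throw new IllegalStateException("PL00092: Null Value:Subject missing in assertion from IDP");
        }
        return name;
    }

    /**
     * Collects the first value of each attribute in the first AttributeStatement.
     * Attributes with no values (or encrypted attributes, which carry no plain
     * attribute) are skipped; the original build threw on those.
     */
    private static ArrayList<String> extractRoles(AssertionType assertion) {
        AttributeStatementType attributeStatement = null;
        if (assertion.getStatements() != null) {
            for (Object statement : assertion.getStatements()) {
                if (statement instanceof AttributeStatementType) {
                    attributeStatement = (AttributeStatementType) statement;
                    break;
                }
            }
        }
        if (attributeStatement == null) {
            throw new IllegalStateException("PL00092: Null Value:No attribute statement in assertion from IDP");
        }
        ArrayList<String> roles = new ArrayList<String>();
        for (Object choice : attributeStatement.getAttributes()) {
            AttributeStatementType.ASTChoiceType attributeChoice = (AttributeStatementType.ASTChoiceType) choice;
            if (attributeChoice.getAttribute() == null) {
                continue;
            }
            List values = attributeChoice.getAttribute().getAttributeValue();
            if (values == null || values.isEmpty()) {
                continue;
            }
            roles.add((String) values.get(0));
        }
        return roles;
    }
}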
