package org.picketlink.identity.federation.web.process;

import java.io.IOException;
import java.security.PublicKey;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.locks.Lock;
import org.picketlink.identity.federation.api.saml.v2.response.SAML2Response;
import org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature;
import org.picketlink.identity.federation.core.ErrorCodes;
import org.picketlink.identity.federation.core.exceptions.ConfigurationException;
import org.picketlink.identity.federation.core.exceptions.ParsingException;
import org.picketlink.identity.federation.core.exceptions.ProcessingException;
import org.picketlink.identity.federation.core.interfaces.TrustKeyConfigurationException;
import org.picketlink.identity.federation.core.interfaces.TrustKeyProcessingException;
import org.picketlink.identity.federation.core.saml.v2.common.SAMLDocumentHolder;
import org.picketlink.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException;
import org.picketlink.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerResponse;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
import org.picketlink.identity.federation.core.util.StringUtil;
import org.picketlink.identity.federation.web.constants.GeneralConstants;
import org.picketlink.identity.federation.web.core.HTTPContext;
import org.picketlink.identity.federation.web.util.PostBindingUtil;
import org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil;
import org.picketlink.identity.federation.web.util.RedirectBindingUtil;

/* loaded from: input_file:org/picketlink/identity/federation/web/process/ServiceProviderSAMLResponseProcessor.class */
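/**
 * Service-provider side processor for SAML 2.0 responses coming back from the IDP.
 * <p>
 * {@link #process} decodes the response according to the active binding (POST or
 * HTTP-Redirect), verifies the IDP signature when signature validation is enabled, and
 * then runs the configured {@link SAML2Handler} chain over the decoded document.
 * <p>
 * Both {@code validateSignature} and {@code idpPostBinding} default to {@code false};
 * signature verification therefore only happens after
 * {@link #setValidateSignature(boolean)} has been called with {@code true}.
 */
public class ServiceProviderSAMLResponseProcessor extends ServiceProviderBaseProcessor {

    /** Message used for every signature-validation failure raised by this class. */
    private static final String SIGNATURE_VALIDATION_FAILED =
            "PL00009: Invalid Digital Signature:Signature Validation failed";

    /** Whether the IDP signature must be verified before the handler chain runs. */
    private boolean validateSignature;

    /**
     * Forces POST-binding handling of the response. {@link #isPostBinding()} treats the
     * response as POST-bound when either this flag or the inherited {@code postBinding}
     * flag is set.
     */
    private boolean idpPostBinding;

    /**
     * Creates a processor with signature validation and IDP POST binding both disabled.
     *
     * @param z   passed through to the base processor (its meaning is defined there)
     * @param str passed through to the base processor (its meaning is defined there)
     */
    public ServiceProviderSAMLResponseProcessor(boolean z, String str) {
        super(z, str);
        this.validateSignature = false;
        this.idpPostBinding = false;
    }

    /**
     * Marks the IDP as sending its response over the POST binding.
     *
     * @param z {@code true} to decode and verify the response as a POST-bound message
     */
    public void setIdpPostBinding(boolean z) {
        this.idpPostBinding = z;
    }

    /**
     * Enables or disables verification of the IDP signature on incoming responses.
     *
     * @param z {@code true} to require a valid IDP signature before the handler chain runs
     */
    public void setValidateSignature(boolean z) {
        this.validateSignature = z;
    }

    /**
     * Decodes the SAML response, verifies its signature (when enabled) and runs the handler
     * chain.
     * <p>
     * The response is parsed before its signature is checked, so the XML parsing performed by
     * {@link SAML2Response} sits on the trust boundary; for the redirect binding the signature
     * is verified over the request query string rather than over the decoded document, which
     * assumes {@code str} is the response parameter of that same request.
     *
     * @param str         the raw (still encoded) SAML response as received from the IDP
     * @param hTTPContext the HTTP request/response context the response arrived in
     * @param set         the handlers to run, in chain order
     * @param lock        lock handed to the handler chain
     * @return the response populated by the handler chain
     * @throws ProcessingException    on signature-validation failure or handler failure
     * @throws IOException            if the handler chain fails on I/O
     * @throws ParsingException       if the response cannot be parsed
     * @throws ConfigurationException if the processor or handlers are mis-configured
     */
    public SAML2HandlerResponse process(String str, HTTPContext hTTPContext, Set<SAML2Handler> set, Lock lock) throws ProcessingException, IOException, ParsingException, ConfigurationException {
        SAMLDocumentHolder sAMLDocumentHolder = getSAMLDocumentHolder(str);
        validateSignature(hTTPContext, sAMLDocumentHolder);
        return processHandlersChain(hTTPContext, set, lock, sAMLDocumentHolder);
    }

    /**
     * Builds the handler request and runs the handler chain over the decoded document.
     * <p>
     * When an SP configuration is present it is exposed to the handlers as an option; when a
     * key manager is also present, the IDP public key and this SP's signing key (used as the
     * decrypting key) are added as well.
     *
     * @return the handler response after the whole chain has run
     */
    private SAML2HandlerResponse processHandlersChain(HTTPContext hTTPContext, Set<SAML2Handler> set, Lock lock, SAMLDocumentHolder sAMLDocumentHolder) throws ConfigurationException, ProcessingException, TrustKeyConfigurationException, TrustKeyProcessingException, IOException {
        SAML2HandlerRequest sAML2HandlerRequest = getSAML2HandlerRequest(sAMLDocumentHolder, hTTPContext);
        DefaultSAML2HandlerResponse defaultSAML2HandlerResponse = new DefaultSAML2HandlerResponse();
        SAMLHandlerChainProcessor sAMLHandlerChainProcessor = new SAMLHandlerChainProcessor(set);
        if (this.spConfiguration != null) {
            // Typed instead of a raw HashMap so the option values are checked at compile time.
            Map<String, Object> options = new HashMap<String, Object>();
            options.put(GeneralConstants.CONFIGURATION, this.spConfiguration);
            if (this.keyManager != null) {
                options.put(GeneralConstants.SENDER_PUBLIC_KEY, getIDPPublicKey());
                options.put(GeneralConstants.DECRYPTING_KEY, this.keyManager.getSigningKey());
            }
            sAML2HandlerRequest.setOptions(options);
        }
        sAMLHandlerChainProcessor.callHandlerChain(sAMLDocumentHolder.getSamlObject(), sAML2HandlerRequest, defaultSAML2HandlerResponse, hTTPContext, lock);
        return defaultSAML2HandlerResponse;
    }

    /**
     * @return {@code true} when either the inherited {@code postBinding} flag or
     *         {@code idpPostBinding} is set
     */
    private boolean isPostBinding() {
        return this.postBinding || this.idpPostBinding;
    }

    /**
     * Verifies the IDP signature if validation is enabled; a no-op otherwise.
     * <p>
     * An {@link IssuerNotTrustedException} (signature present but invalid) is reported with a
     * dedicated message; every other failure is wrapped as a generic validation error.
     *
     * @throws ProcessingException if the signature is missing, invalid or cannot be checked
     */
    private void validateSignature(HTTPContext hTTPContext, SAMLDocumentHolder sAMLDocumentHolder) throws ProcessingException {
        if (this.validateSignature) {
            try {
                if (isPostBinding()) {
                    verifyPostBindingSignature(sAMLDocumentHolder);
                } else {
                    verifyRedirectBindingSignature(hTTPContext);
                }
            } catch (IssuerNotTrustedException e) {
                throw new ProcessingException(SIGNATURE_VALIDATION_FAILED + ". Issuer is not trusted by this Service Provider", e);
            } catch (Exception e2) {
                throw new ProcessingException(SIGNATURE_VALIDATION_FAILED, e2);
            }
        }
    }

    /**
     * Decodes the raw response for the active binding and parses it.
     * <p>
     * POST-bound responses are base64-decoded; redirect-bound responses go through
     * {@link RedirectBindingUtil#base64DeflateDecode(String)}.
     *
     * @param str the raw encoded response
     * @return the parsed document together with its SAML object
     */
    private SAMLDocumentHolder getSAMLDocumentHolder(String str) throws ParsingException, ConfigurationException, ProcessingException {
        SAML2Response sAML2Response = new SAML2Response();
        sAML2Response.getSAML2ObjectFromStream(isPostBinding() ? PostBindingUtil.base64DecodeAsStream(str) : RedirectBindingUtil.base64DeflateDecode(str));
        return sAML2Response.getSamlDocumentHolder();
    }

    /**
     * Verifies the HTTP-Redirect binding signature carried in the request query string.
     * <p>
     * {@link IssuerNotTrustedException} and {@link ProcessingException} raised inside the check
     * are propagated unchanged so that the caller can distinguish "signature invalid" from
     * "signature missing / could not be checked"; previously the generic catch swallowed them
     * into a second {@link ProcessingException}, which made the dedicated handling in
     * {@link #validateSignature} unreachable.
     *
     * @throws IllegalStateException      if no key manager is configured
     * @throws IssuerNotTrustedException  if a signature is present but does not verify
     * @throws ProcessingException        if the signature is absent or verification fails
     */
    private void verifyRedirectBindingSignature(HTTPContext hTTPContext) throws IssuerNotTrustedException, ProcessingException {
        if (this.keyManager == null) {
            throw new IllegalStateException(ErrorCodes.TRUST_MANAGER_MISSING);
        }
        try {
            String queryString = hTTPContext.getRequest().getQueryString();
            byte[] signatureValue = RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(queryString);
            if (signatureValue == null) {
                // Fail closed: validation is enabled, so an unsigned response is rejected.
                throw new ProcessingException(SIGNATURE_VALIDATION_FAILED + ". Signature is not present. Check if the IDP is supporting signatures.");
            }
            if (!RedirectBindingSignatureUtil.validateSignature(queryString, getIDPPublicKey(), signatureValue)) {
                throw new IssuerNotTrustedException(SIGNATURE_VALIDATION_FAILED);
            }
        } catch (IssuerNotTrustedException e) {
            throw e;
        } catch (ProcessingException e) {
            throw e;
        } catch (Exception e) {
            throw new ProcessingException(SIGNATURE_VALIDATION_FAILED, e);
        }
    }

    /**
     * Resolves the IDP validating key from the key manager.
     * <p>
     * The key alias is taken from the {@code IDP_KEY} additional option of the key manager;
     * when that is absent, the host of the configured identity URL is used instead, which
     * requires an SP configuration to be present.
     *
     * @return the IDP public key used to verify response signatures
     * @throws TrustKeyConfigurationException if no key manager is configured, or if no key
     *                                        alias is configured and there is no SP
     *                                        configuration to derive one from
     * @throws TrustKeyProcessingException    if the key manager fails to load the key
     */
    private PublicKey getIDPPublicKey() throws TrustKeyConfigurationException, TrustKeyProcessingException {
        if (this.keyManager == null) {
            throw new TrustKeyConfigurationException(ErrorCodes.TRUST_MANAGER_MISSING);
        }
        String keyAlias = (String) this.keyManager.getAdditionalOption(ServiceProviderBaseProcessor.IDP_KEY);
        if (StringUtil.isNullOrEmpty(keyAlias)) {
            // Previously a missing SP configuration surfaced here as a NullPointerException.
            if (this.spConfiguration == null) {
                throw new TrustKeyConfigurationException("No IDP key alias configured and no SP configuration available to derive it from the identity URL");
            }
            keyAlias = safeURL(this.spConfiguration.getIdentityURL()).getHost();
        }
        return this.keyManager.getValidatingKey(keyAlias);
    }

    /**
     * Verifies the XML signature embedded in a POST-bound response document.
     * <p>
     * As in {@link #verifyRedirectBindingSignature}, an {@link IssuerNotTrustedException} is
     * propagated unchanged instead of being re-wrapped by the generic catch.
     *
     * @throws IllegalStateException      if no key manager is configured
     * @throws IssuerNotTrustedException  if the document signature does not verify
     * @throws ProcessingException        if verification cannot be performed
     */
    private void verifyPostBindingSignature(SAMLDocumentHolder sAMLDocumentHolder) throws IssuerNotTrustedException, ProcessingException {
        if (this.keyManager == null) {
            throw new IllegalStateException(ErrorCodes.TRUST_MANAGER_MISSING);
        }
        try {
            PublicKey iDPPublicKey = getIDPPublicKey();
            if (this.trace) {
                log.trace("Going to verify signature in the saml response from IDP");
            }
            boolean validate = new SAML2Signature().validate(sAMLDocumentHolder.getSamlDocument(), iDPPublicKey);
            if (this.trace) {
                log.trace("Signature verification=" + validate);
            }
            if (!validate) {
                throw new IssuerNotTrustedException(SIGNATURE_VALIDATION_FAILED);
            }
        } catch (IssuerNotTrustedException e) {
            throw e;
        } catch (ProcessingException e) {
            throw e;
        } catch (Exception e) {
            throw new ProcessingException(SIGNATURE_VALIDATION_FAILED, e);
        }
    }
}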
