package org.picketlink.identity.federation.web.process;

import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.PublicKey;
import java.util.HashMap;
import java.util.Set;
import java.util.concurrent.locks.Lock;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.XMLSignatureException;
import org.picketlink.identity.federation.api.saml.v2.response.SAML2Response;
import org.picketlink.identity.federation.core.exceptions.ConfigurationException;
import org.picketlink.identity.federation.core.exceptions.ParsingException;
import org.picketlink.identity.federation.core.exceptions.ProcessingException;
import org.picketlink.identity.federation.core.interfaces.TrustKeyConfigurationException;
import org.picketlink.identity.federation.core.interfaces.TrustKeyProcessingException;
import org.picketlink.identity.federation.core.saml.v2.common.SAMLDocumentHolder;
import org.picketlink.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException;
import org.picketlink.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerResponse;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
import org.picketlink.identity.federation.core.util.CoreConfigUtil;
import org.picketlink.identity.federation.core.util.StringUtil;
import org.picketlink.identity.federation.core.util.XMLSignatureUtil;
import org.picketlink.identity.federation.saml.v2.SAML2Object;
import org.picketlink.identity.federation.web.constants.GeneralConstants;
import org.picketlink.identity.federation.web.core.HTTPContext;
import org.picketlink.identity.federation.web.util.PostBindingUtil;
import org.picketlink.identity.federation.web.util.RedirectBindingUtil;
import org.w3c.dom.Document;

/* loaded from: input_file:org/picketlink/identity/federation/web/process/ServiceProviderSAMLResponseProcessor.class */
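/**
 * Service-Provider side processor for a SAML 2.0 {@code <Response>} received over the
 * HTTP-POST or HTTP-Redirect binding. It decodes the payload, optionally verifies the
 * enveloped XML signature against a key held by the configured key manager, and then
 * hands the parsed object to the SP handler chain.
 *
 * <p>Security notes for integrators (all grounded in this class, not in the handlers):
 * <ul>
 *   <li>Signature validation is <b>off by default</b>; {@link #setValidateSignature(boolean)}
 *       must be called with {@code true}. When it is off, the decoded response reaches the
 *       handler chain without any cryptographic check in this class — whether a handler in the
 *       chain validates it depends entirely on the deployed handler configuration.</li>
 *   <li>The alias used to look up the validating key is the host part of the {@code <Issuer>}
 *       value of the <em>not yet verified</em> response, i.e. it is chosen by the sender. This
 *       is only safe if every alias the key manager can resolve belongs to a trusted IdP.</li>
 *   <li>For the Redirect binding the inflated document is passed to the same XML-signature
 *       validator. NOTE(review): with HTTP-Redirect the signature is normally carried in query
 *       parameters rather than inside the XML — confirm that {@code XMLSignatureUtil.validate}
 *       behaves as intended on such a document before relying on this path.</li>
 *   <li>If the key manager has no {@code IDP_KEY} option, the alias for the sender's public key
 *       handed to the handler chain falls back to the HTTP client's remote address, which is
 *       the browser/proxy address rather than the IdP's.</li>
 * </ul>
 */
public class ServiceProviderSAMLResponseProcessor extends ServiceProviderBaseProcessor {
    /** Whether {@link #process} verifies the XML signature before invoking the handler chain. Defaults to {@code false}. */
    private boolean validateSignature;

    /**
     * @param z   {@code true} for the HTTP-POST binding, {@code false} for HTTP-Redirect
     *            (presumably stored by the base class as {@code postBinding}, which this class reads)
     * @param str passed through unchanged to the base class constructor
     */
    public ServiceProviderSAMLResponseProcessor(boolean z, String str) {
        super(z, str);
        this.validateSignature = false;
    }

    /**
     * Enables or disables XML signature verification of incoming responses.
     * Must be explicitly enabled; the default is {@code false}.
     *
     * @param z {@code true} to reject responses whose signature does not validate
     */
    public void setValidateSignature(boolean z) {
        this.validateSignature = z;
    }

    /**
     * Decodes a SAML response, optionally verifies its signature and runs the handler chain.
     *
     * @param str         the raw {@code SAMLResponse} parameter (base64 for POST, base64+DEFLATE for Redirect)
     * @param hTTPContext servlet request/response context made available to the handlers
     * @param set         the handlers to invoke, in chain order
     * @param lock        lock handed to the handler chain processor
     * @return the handler chain's response object
     * @throws ProcessingException    if signature validation is enabled and fails, or the issuer
     *                                cannot be mapped to a trusted key, or a handler fails
     * @throws IOException            on decoding errors
     * @throws ParsingException       if the payload is not a parseable SAML document
     * @throws ConfigurationException on SP configuration problems
     */
    public SAML2HandlerResponse process(String str, HTTPContext hTTPContext, Set<SAML2Handler> set, Lock lock)
            throws ProcessingException, IOException, ParsingException, ConfigurationException {
        SAML2Response responseApi = new SAML2Response();
        SAML2Object samlObject;
        if (this.postBinding) {
            // POST binding: the form parameter is plain base64.
            samlObject = responseApi.getSAML2ObjectFromStream(PostBindingUtil.base64DecodeAsStream(str));
        } else {
            // Redirect binding: base64 over DEFLATE.
            samlObject = responseApi.getSAML2ObjectFromStream(RedirectBindingUtil.base64DeflateDecode(str));
        }
        // The holder pairs the parsed object with the DOM the signature is verified over.
        SAMLDocumentHolder holder = responseApi.getSamlDocumentHolder();

        if (this.validateSignature) {
            try {
                if (!verifySignature(holder)) {
                    throw new ProcessingException("PL00009: Invalid Digital Signature:Signature Validation failed");
                }
            } catch (IssuerNotTrustedException e) {
                throw new ProcessingException(e);
            }
        }
        // Note: with validateSignature == false the response reaches the handlers unverified by this class.

        SAML2HandlerRequest handlerRequest = getSAML2HandlerRequest(holder, hTTPContext);
        SAML2HandlerResponse handlerResponse = new DefaultSAML2HandlerResponse();
        SAMLHandlerChainProcessor chain = new SAMLHandlerChainProcessor(set);

        if (this.spConfiguration != null) {
            HashMap<String, Object> options = new HashMap<String, Object>();
            options.put(GeneralConstants.CONFIGURATION, this.spConfiguration);
            if (this.keyManager != null) {
                String remoteAddr = hTTPContext.getRequest().getRemoteAddr();
                if (this.trace) {
                    log.trace("ServiceProviderSAMLResponseProcessor::Remote Host=" + remoteAddr);
                }
                // Key alias for the sender's public key: configured IDP_KEY, else the HTTP client's
                // remote address (the browser/proxy, not the IdP) — a weak fallback worth configuring away.
                String senderKeyAlias = (String) this.keyManager.getAdditionalOption(ServiceProviderBaseProcessor.IDP_KEY);
                if (StringUtil.isNullOrEmpty(senderKeyAlias)) {
                    senderKeyAlias = remoteAddr;
                }
                options.put(GeneralConstants.SENDER_PUBLIC_KEY, CoreConfigUtil.getValidatingKey(this.keyManager, senderKeyAlias));
                // The SP's own private (signing) key doubles as its decryption key for encrypted assertions.
                options.put(GeneralConstants.DECRYPTING_KEY, this.keyManager.getSigningKey());
            }
            handlerRequest.setOptions(options);
        }

        chain.callHandlerChain(samlObject, handlerRequest, handlerResponse, hTTPContext, lock);
        return handlerResponse;
    }

    /**
     * Verifies the enveloped XML signature of the response document against the public key
     * the key manager resolves for the host part of the response's {@code <Issuer>} value.
     *
     * <p>The issuer is read from the unverified message, so the sender picks the alias; the
     * key manager must therefore only resolve aliases of trusted IdPs.
     *
     * @param holder parsed object plus the DOM to validate
     * @return {@code true} only if the signature validates; {@code false} on validation failure
     *         or on key-manager / XML-signature errors (which are logged, not rethrown)
     * @throws IssuerNotTrustedException if the issuer element or its value is missing, or the
     *                                   value is not a URL a host can be extracted from
     * @throws IllegalStateException     if no key manager is configured
     */
    private boolean verifySignature(SAMLDocumentHolder holder) throws IssuerNotTrustedException {
        if (this.keyManager == null) {
            throw new IllegalStateException("PL00078: Null Parameter:Key Manager");
        }
        Document samlDocument = holder.getSamlDocument();

        // Issuer is optional in the SAML 2.0 Response schema; a missing element used to surface
        // as a NullPointerException here instead of the IssuerNotTrustedException callers expect.
        String issuerValue = null;
        if (holder.getSamlObject().getIssuer() != null) {
            issuerValue = holder.getSamlObject().getIssuer().getValue();
        }
        if (issuerValue == null) {
            throw new IssuerNotTrustedException("PL00092: Null Value:Issue missing");
        }

        try {
            // Sender-chosen alias: only trusted IdP keys may be resolvable by this lookup.
            PublicKey validatingKey = this.keyManager.getValidatingKey(new URL(issuerValue).getHost());
            if (this.trace) {
                log.trace("Going to verify signature in the saml response from IDP");
            }
            boolean valid = XMLSignatureUtil.validate(samlDocument, validatingKey);
            if (this.trace) {
                log.trace("Signature verification=" + valid);
            }
            return valid;
        } catch (MalformedURLException e) {
            throw new IssuerNotTrustedException(e);
        } catch (TrustKeyConfigurationException e) {
            log.error("Unable to verify signature", e);
            return false;
        } catch (TrustKeyProcessingException e) {
            log.error("Unable to verify signature", e);
            return false;
        } catch (XMLSignatureException e) {
            log.error("Unable to verify signature", e);
            return false;
        } catch (MarshalException e) {
            log.error("Unable to verify signature", e);
            return false;
        }
    }
}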
