package org.jboss.identity.seam.federation;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import javax.security.auth.login.LoginException;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.bind.JAXBElement;
import javax.xml.bind.JAXBException;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.XMLSignatureException;
import org.jboss.identity.federation.api.saml.v2.request.SAML2Request;
import org.jboss.identity.federation.api.saml.v2.response.SAML2Response;
import org.jboss.identity.federation.core.exceptions.ConfigurationException;
import org.jboss.identity.federation.core.exceptions.ParsingException;
import org.jboss.identity.federation.core.saml.v2.common.IDGenerator;
import org.jboss.identity.federation.core.saml.v2.common.SAMLDocumentHolder;
import org.jboss.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
import org.jboss.identity.federation.core.saml.v2.holders.DestinationInfoHolder;
import org.jboss.identity.federation.core.saml.v2.util.AssertionUtil;
import org.jboss.identity.federation.core.util.XMLSignatureUtil;
import org.jboss.identity.federation.saml.v2.assertion.AssertionType;
import org.jboss.identity.federation.saml.v2.assertion.AttributeStatementType;
import org.jboss.identity.federation.saml.v2.assertion.AttributeType;
import org.jboss.identity.federation.saml.v2.assertion.NameIDType;
import org.jboss.identity.federation.saml.v2.protocol.AuthnRequestType;
import org.jboss.identity.federation.saml.v2.protocol.ResponseType;
import org.jboss.identity.federation.saml.v2.protocol.StatusType;
import org.jboss.identity.federation.web.util.HTTPRedirectUtil;
import org.jboss.identity.federation.web.util.PostBindingUtil;
import org.jboss.identity.federation.web.util.RedirectBindingUtil;
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.annotations.intercept.BypassInterceptors;
import org.jboss.seam.annotations.web.Filter;
import org.jboss.seam.contexts.SessionContext;
import org.jboss.seam.log.Log;
import org.jboss.seam.security.Credentials;
import org.jboss.seam.security.Identity;
import org.jboss.seam.servlet.ContextualHttpServletRequest;
import org.jboss.seam.servlet.ServletRequestSessionMap;
import org.jboss.seam.util.Base64;
import org.jboss.seam.web.AbstractFilter;
import org.xml.sax.SAXException;

@Name("org.jboss.identity.seam.federation.samlAuthenticationFilter")
@Scope(ScopeType.APPLICATION)
@Filter(within = {"org.jboss.seam.web.exceptionFilter"})
@BypassInterceptors
/* loaded from: input_file:seam-sp.war:WEB-INF/lib/jboss-identity-seam-1.0.0.beta3.pre.jar:org/jboss/identity/seam/federation/SamlAuthenticationFilter.class */
public class SamlAuthenticationFilter extends AbstractFilter {
    private String identityProviderURL;
    private String singleSignOnServiceURL;
    private String keyStoreURL;
    private String keyStorePass;
    private String idpCertificateAlias;
    private PublicKey publicKeyOfIDP;
    private Binding binding = Binding.HTTP_Post;
    private boolean signatureRequired = true;

    @Logger
    private Log log;

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:seam-sp.war:WEB-INF/lib/jboss-identity-seam-1.0.0.beta3.pre.jar:org/jboss/identity/seam/federation/SamlAuthenticationFilter$AuthenticatedUser.class */
    public static class AuthenticatedUser {
        String userName;
        Map<String, List<String>> attributes = new HashMap();

        protected AuthenticatedUser() {
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:seam-sp.war:WEB-INF/lib/jboss-identity-seam-1.0.0.beta3.pre.jar:org/jboss/identity/seam/federation/SamlAuthenticationFilter$Binding.class */
    public enum Binding {
        HTTP_Redirect,
        HTTP_Post
    }

    @Override // org.jboss.seam.web.AbstractFilter
    public void init(FilterConfig filterConfig) throws ServletException {
        super.init(filterConfig);
        if (this.signatureRequired) {
            this.publicKeyOfIDP = getPublicKeyOfIDP();
        }
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (!(servletRequest instanceof HttpServletRequest)) {
            throw new ServletException("This filter can only process HttpServletRequest requests");
        }
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        if (servletRequest.getParameter("SAMLResponse") != null) {
            AuthenticatedUser processIDPResponse = processIDPResponse((HttpServletRequest) servletRequest);
            if (processIDPResponse != null) {
                loginUser(httpServletRequest, httpServletResponse, processIDPResponse);
                return;
            }
            return;
        }
        if (servletRequest.getParameter("newRelayState") != null) {
            sendRequestToIDP(httpServletRequest, httpServletResponse);
        } else {
            filterChain.doFilter(servletRequest, servletResponse);
        }
    }

    private void loginUser(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticatedUser authenticatedUser) throws ServletException, IOException {
        httpServletRequest.getSession();
        SessionContext sessionContext = new SessionContext(new ServletRequestSessionMap(httpServletRequest));
        Credentials credentials = (Credentials) sessionContext.get(Credentials.class);
        if (((Identity) sessionContext.get(Identity.class)).isLoggedIn()) {
            throw new RuntimeException("User is already logged in.");
        }
        credentials.setPassword("");
        authenticate(httpServletRequest, authenticatedUser);
        RelayStates relayStates = (RelayStates) sessionContext.get(RelayStates.class);
        String parameter = httpServletRequest.getParameter("RelayState");
        if (parameter == null) {
            throw new RuntimeException("RelayState parameter is missing");
        }
        relayStates.restoreState(Integer.parseInt(parameter), httpServletResponse);
    }

    private void authenticate(HttpServletRequest httpServletRequest, final AuthenticatedUser authenticatedUser) throws ServletException, IOException {
        new ContextualHttpServletRequest(httpServletRequest) { // from class: org.jboss.identity.seam.federation.SamlAuthenticationFilter.1
            @Override // org.jboss.seam.servlet.ContextualHttpServletRequest
            public void process() throws ServletException, IOException, LoginException {
                SamlIdentity samlIdentity = (SamlIdentity) Identity.instance();
                samlIdentity.getCredentials().setUsername(authenticatedUser.userName);
                samlIdentity.setAttributes(authenticatedUser.attributes);
                samlIdentity.authenticate();
            }
        }.run();
    }

    private AuthenticatedUser processIDPResponse(HttpServletRequest httpServletRequest) {
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(Base64.decode(httpServletRequest.getParameter("SAMLResponse")));
        SAML2Response sAML2Response = new SAML2Response();
        try {
            ResponseType responseType = sAML2Response.getResponseType(byteArrayInputStream);
            if (this.signatureRequired && !validateSignature(sAML2Response.getSamlDocumentHolder())) {
                this.log.error("Invalid signature", new Object[0]);
                throw new RuntimeException("Validity Checks failed");
            }
            StatusType status = responseType.getStatus();
            if (status == null) {
                throw new RuntimeException("Status Type from the IDP is null");
            }
            if (!JBossSAMLURIConstants.STATUS_SUCCESS.get().equals(status.getStatusCode().getValue())) {
                throw new RuntimeException("IDP forbid the user");
            }
            if (responseType.getAssertionOrEncryptedAssertion().size() == 0) {
                throw new RuntimeException("IDP response does not contain assertions");
            }
            AuthenticatedUser authenticatedUser = null;
            for (Object obj : responseType.getAssertionOrEncryptedAssertion()) {
                if (obj instanceof AssertionType) {
                    AuthenticatedUser handleAssertion = handleAssertion((AssertionType) obj);
                    if (authenticatedUser == null) {
                        authenticatedUser = handleAssertion;
                    } else {
                        this.log.warn("Multiple authenticated users found in assertions. Using the first one.", new Object[0]);
                    }
                } else {
                    this.log.warn("Encountered encrypted assertion. Skipping it because decryption is not yet supported.", new Object[0]);
                }
            }
            if (authenticatedUser == null) {
                this.log.warn("No authenticated users found in assertions.", new Object[0]);
            }
            return authenticatedUser;
        } catch (ConfigurationException e) {
            throw new RuntimeException((Throwable) e);
        } catch (ParsingException e2) {
            throw new RuntimeException((Throwable) e2);
        }
    }

    private AuthenticatedUser handleAssertion(AssertionType assertionType) {
        try {
            if (AssertionUtil.hasExpired(assertionType)) {
                this.log.warn("Received assertion will not be processed because it has expired.", new Object[0]);
                return null;
            }
            AuthenticatedUser authenticatedUser = null;
            for (JAXBElement jAXBElement : assertionType.getSubject().getContent()) {
                if (jAXBElement.getName().getLocalPart().equals("NameID")) {
                    authenticatedUser = new AuthenticatedUser();
                    authenticatedUser.userName = ((NameIDType) jAXBElement.getValue()).getValue();
                }
            }
            if (authenticatedUser != null) {
                for (AttributeStatementType attributeStatementType : assertionType.getStatementOrAuthnStatementOrAuthzDecisionStatement()) {
                    if (attributeStatementType instanceof AttributeStatementType) {
                        for (Object obj : attributeStatementType.getAttributeOrEncryptedAttribute()) {
                            if (obj instanceof AttributeType) {
                                AttributeType attributeType = (AttributeType) obj;
                                List<String> list = authenticatedUser.attributes.get(attributeType.getName());
                                if (list == null) {
                                    list = new LinkedList();
                                }
                                Iterator it = attributeType.getAttributeValue().iterator();
                                while (it.hasNext()) {
                                    list.add((String) it.next());
                                }
                                authenticatedUser.attributes.put(attributeType.getName(), list);
                            } else {
                                this.log.warn("Encrypted attributes are not supported. Ignoring the attribute.", new Object[0]);
                            }
                        }
                    }
                }
            } else {
                this.log.warn("Subject is not specified using the NameID element. Ignoring the assertion.", new Object[0]);
            }
            return authenticatedUser;
        } catch (ConfigurationException e) {
            throw new RuntimeException((Throwable) e);
        }
    }

    private boolean validateSignature(SAMLDocumentHolder sAMLDocumentHolder) {
        try {
            return XMLSignatureUtil.validate(sAMLDocumentHolder.getSamlDocument(), this.publicKeyOfIDP);
        } catch (MarshalException e) {
            throw new RuntimeException((Throwable) e);
        } catch (XMLSignatureException e2) {
            throw new RuntimeException((Throwable) e2);
        }
    }

    private PublicKey getPublicKeyOfIDP() {
        try {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(this.keyStoreURL.startsWith("classpath:") ? getClass().getClassLoader().getResourceAsStream(this.keyStoreURL.substring("classpath:".length())) : new URL(this.keyStoreURL).openStream(), this.keyStorePass != null ? this.keyStorePass.toCharArray() : null);
            return keyStore.getCertificate(this.idpCertificateAlias).getPublicKey();
        } catch (MalformedURLException e) {
            throw new RuntimeException(e);
        } catch (IOException e2) {
            throw new RuntimeException(e2);
        } catch (KeyStoreException e3) {
            throw new RuntimeException(e3);
        } catch (NoSuchAlgorithmException e4) {
            throw new RuntimeException(e4);
        } catch (CertificateException e5) {
            throw new RuntimeException(e5);
        }
    }

    private void sendRequestToIDP(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Integer valueOf = Integer.valueOf(Integer.parseInt(httpServletRequest.getParameter("newRelayState")));
        try {
            AuthnRequestType createSAMLRequest = createSAMLRequest(httpServletRequest.getScheme() + "://" + httpServletRequest.getServerName() + ":" + httpServletRequest.getServerPort() + httpServletRequest.getContextPath() + "/SamlAuthenticationFilter.seam", this.identityProviderURL);
            SAML2Request sAML2Request = new SAML2Request();
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            sAML2Request.marshall(createSAMLRequest, byteArrayOutputStream);
            String base64Encode = PostBindingUtil.base64Encode(byteArrayOutputStream.toString());
            if (this.binding == Binding.HTTP_Redirect) {
                String deflateBase64URLEncode = RedirectBindingUtil.deflateBase64URLEncode(byteArrayOutputStream.toByteArray());
                StringBuilder sb = new StringBuilder();
                sb.append("?SAMLRequest=").append(deflateBase64URLEncode);
                sb.append("&RelayState=").append(valueOf);
                HTTPRedirectUtil.sendRedirectForRequestor(this.singleSignOnServiceURL + sb.toString(), httpServletResponse);
            } else {
                PostBindingUtil.sendPost(new DestinationInfoHolder(this.singleSignOnServiceURL, base64Encode, Integer.toString(valueOf.intValue())), httpServletResponse, true);
            }
        } catch (IOException e) {
            throw new RuntimeException(e);
        } catch (JAXBException e2) {
            throw new RuntimeException((Throwable) e2);
        } catch (SAXException e3) {
            throw new RuntimeException(e3);
        } catch (ConfigurationException e4) {
            throw new RuntimeException();
        }
    }

    private AuthnRequestType createSAMLRequest(String str, String str2) throws ConfigurationException {
        if (str == null) {
            throw new IllegalArgumentException("serviceURL is null");
        }
        if (str2 == null) {
            throw new IllegalArgumentException("identityURL is null");
        }
        return new SAML2Request().createAuthnRequestType(IDGenerator.create("ID_"), str, str2, str);
    }
}
