package org.jboss.identity.federation.bindings.tomcat.idp;

import java.io.StringReader;
import java.io.StringWriter;
import java.net.URL;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.PublicKey;
import javax.crypto.SecretKey;
import javax.xml.namespace.QName;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.Request;
import org.apache.log4j.Logger;
import org.jboss.identity.federation.api.saml.v2.response.SAML2Response;
import org.jboss.identity.federation.api.util.XMLEncryptionUtil;
import org.jboss.identity.federation.bindings.config.EncryptionType;
import org.jboss.identity.federation.bindings.config.KeyProviderType;
import org.jboss.identity.federation.bindings.interfaces.TrustKeyManager;
import org.jboss.identity.federation.bindings.util.RedirectBindingSignatureUtil;
import org.jboss.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
import org.jboss.identity.federation.core.saml.v2.util.DocumentUtil;
import org.jboss.identity.federation.core.saml.v2.util.SignatureUtil;
import org.jboss.identity.federation.saml.v2.protocol.ResponseType;

/* loaded from: input_file:org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectWithSignatureValve.class */
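/**
 * IDP-side redirect-binding valve that adds key handling on top of {@link IDPRedirectValve}:
 * it verifies the HTTP-Redirect signature of incoming requests (unless configured to ignore it),
 * signs the query string of outgoing responses with the IDP signing key, and optionally encrypts
 * the response assertion for the SP named by the response destination.
 *
 * <p>All key material is obtained from the {@link TrustKeyManager} that {@link #start()} loads
 * from the IDP configuration's key provider.</p>
 */
public class IDPRedirectWithSignatureValve extends IDPRedirectValve {
    private static final Logger log = Logger.getLogger(IDPRedirectWithSignatureValve.class);

    // When true, validate() does not check the signature of incoming redirect-binding requests.
    private boolean ignoreSignature = false;

    // Resolved from the IDP configuration in start(); null until the valve has been started.
    private TrustKeyManager keyManager;

    /**
     * Configures whether signatures on incoming requests are ignored.
     *
     * @param str a boolean string as understood by {@link Boolean#valueOf(String)}; only
     *            {@code "true"} (case-insensitive) enables ignoring. A null or empty value
     *            leaves the current setting unchanged.
     */
    public void setIgnoreSignature(String str) {
        if (str == null || str.length() <= 0) {
            return;
        }
        this.ignoreSignature = Boolean.valueOf(str).booleanValue();
    }

    /**
     * Starts the valve and instantiates the {@link TrustKeyManager} named by the configured
     * key provider, passing it the provider's auth properties and validating alias.
     *
     * @throws LifecycleException if the parent valve fails to start, the key provider or its
     *                            class name is not configured, or the key manager cannot be
     *                            loaded; the original failure is attached as the cause
     */
    @Override // org.jboss.identity.federation.bindings.tomcat.idp.IDPRedirectValve
    public void start() throws LifecycleException {
        super.start();
        KeyProviderType keyProvider = this.idpConfiguration.getKeyProvider();
        try {
            if (keyProvider == null) {
                throw new RuntimeException("KeyProvider is not configured");
            }
            ClassLoader contextClassLoader = SecurityActions.getContextClassLoader();
            String className = keyProvider.getClassName();
            if (className == null) {
                throw new RuntimeException("KeyManager class name is null");
            }
            this.keyManager = (TrustKeyManager) contextClassLoader.loadClass(className).newInstance();
            this.keyManager.setAuthProperties(keyProvider.getAuth());
            this.keyManager.setValidatingAlias(keyProvider.getValidatingAlias());
            log.trace("Key Provider=" + className);
        } catch (Exception e) {
            log.error("Exception reading configuration:", e);
            // Keep the original exception as the cause rather than forwarding only its message.
            throw new LifecycleException(e.getLocalizedMessage(), e);
        }
    }

    /**
     * Validates an incoming redirect-binding request: the parent checks run first, then, unless
     * {@code ignoreSignature} is set, the signature carried in the query string is verified.
     *
     * <p>The signed data is rebuilt as {@code SAMLRequest=...[&RelayState=...]&SigAlg=...} from
     * the parsed query-string tokens and checked against the key the {@link TrustKeyManager}
     * associates with {@code request.getRemoteAddr()}.</p>
     *
     * @param request the current request
     * @return {@code true} if the parent accepts the request and the signature verifies (or
     *         signature checking is disabled); {@code false} if the parent rejects it, the
     *         signature or a mandatory token is missing, or verification fails
     * @throws Exception propagated from the parent validation, key lookup or the signature check
     */
    // Declared protected in the original source; the decompiler widened it to public.
    @Override // org.jboss.identity.federation.bindings.tomcat.idp.IDPRedirectValve
    public boolean validate(Request request) throws Exception {
        if (!super.validate(request)) {
            return false;
        }
        if (this.ignoreSignature) {
            log.trace("Since signature is to be ignored, validation returns");
            return true;
        }
        String queryString = request.getQueryString();
        byte[] signature = RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(queryString);
        if (signature == null) {
            // Signatures are required here, so an unsigned request is rejected outright.
            return false;
        }
        String samlRequest = RedirectBindingSignatureUtil.getTokenValue(queryString, "SAMLRequest");
        String relayState = RedirectBindingSignatureUtil.getTokenValue(queryString, "RelayState");
        String sigAlg = RedirectBindingSignatureUtil.getTokenValue(queryString, "SigAlg");
        if (samlRequest == null || sigAlg == null) {
            // Without both mandatory tokens there is no meaningful signed payload to verify.
            log.trace("Signed request lacks SAMLRequest or SigAlg; validation fails");
            return false;
        }
        StringBuilder signedData = new StringBuilder();
        signedData.append("SAMLRequest=").append(samlRequest);
        if (relayState != null && relayState.length() > 0) {
            signedData.append("&RelayState=").append(relayState);
        }
        signedData.append("&SigAlg=").append(sigAlg);
        // NOTE(review): SigAlg is untrusted query-string input handed on to SignatureUtil.validate;
        // whether that helper restricts the accepted algorithms is not visible here — confirm.
        // NOTE(review): the rebuilt string must match the octets the SP signed byte-for-byte; if
        // getTokenValue re-encodes values, valid signatures would fail — confirm.
        // getRemoteAddr() is the last hop's address, so behind a reverse proxy the validating key
        // is selected by the proxy's address rather than the SP's.
        PublicKey validatingKey = this.keyManager.getValidatingKey(request.getRemoteAddr());
        return SignatureUtil.validate(signedData.toString().getBytes("UTF-8"), signature, validatingKey);
    }

    /**
     * Builds the redirect query string for the SAML response, signed with the IDP signing key.
     *
     * @param str  first value forwarded to the signing helper (presumably the response — confirm)
     * @param str2 second value forwarded to the signing helper (presumably the relay state — confirm)
     * @return {@code "?"} followed by the signed SAMLResponse URL parameters
     * @throws RuntimeException wrapping any failure while obtaining the signing key or signing
     */
    @Override // org.jboss.identity.federation.bindings.tomcat.idp.IDPRedirectValve
    protected String getDestination(String str, String str2) {
        try {
            PrivateKey signingKey = this.keyManager.getSigningKey();
            return "?" + RedirectBindingSignatureUtil.getSAMLResponseURLWithSignature(str, str2, signingKey);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Builds the SAML response for the principal and, when the IDP configuration enables
     * encryption, replaces the first assertion with an {@code EncryptedAssertion}.
     *
     * @param request   the current request
     * @param principal the authenticated user
     * @return the response, with its assertion encrypted if so configured
     * @throws IllegalStateException if encryption is enabled but the response destination or the
     *                               {@link EncryptionType} is missing
     * @throws Exception             on marshalling, key lookup or encryption failures
     */
    // Declared protected in the original source; the decompiler widened it to public.
    @Override // org.jboss.identity.federation.bindings.tomcat.idp.IDPRedirectValve
    public ResponseType getResponse(Request request, Principal principal) throws Exception {
        SAML2Response saml2Response = new SAML2Response();
        ResponseType response = super.getResponse(request, principal);
        if (this.idpConfiguration.isEncrypt()) {
            encryptFirstAssertion(saml2Response, response);
        }
        if (log.isTraceEnabled()) {
            // Trace output carries the whole response, including an assertion that was not encrypted.
            StringWriter traceWriter = new StringWriter();
            saml2Response.marshall(response, traceWriter);
            log.trace("IDPRedirectValveWithSignature::Response=" + traceWriter.toString());
        }
        return response;
    }

    /**
     * Encrypts the first assertion of {@code response} in place.
     *
     * <p>The SP key and the symmetric encryption key are both looked up from the
     * {@link TrustKeyManager} by the host of the response's {@code Destination} URL, so that
     * value decides which partner the assertion is encrypted for.</p>
     *
     * @param saml2Response marshaller used to serialize the response and parse the result back
     * @param response      the response whose first assertion is replaced
     * @throws IllegalStateException if the destination or the {@link EncryptionType} is missing
     * @throws Exception             on marshalling, key lookup or encryption failures
     */
    private void encryptFirstAssertion(SAML2Response saml2Response, ResponseType response) throws Exception {
        String destination = response.getDestination();
        if (destination == null) {
            throw new IllegalStateException("Unable to handle encryption as SP url is null");
        }
        EncryptionType encryption = this.idpConfiguration.getEncryption();
        if (encryption == null) {
            throw new IllegalStateException("EncryptionType not configured");
        }
        URL url = new URL(destination);
        String spHost = url.getHost();
        PublicKey validatingKey = this.keyManager.getValidatingKey(spHost);
        String encAlgo = encryption.getEncAlgo().value();
        int keySize = encryption.getKeySize();
        SecretKey encryptionKey = this.keyManager.getEncryptionKey(spHost, encAlgo, keySize);

        // Round-trip through XML so the encryption utility can work on a DOM document.
        StringWriter marshalled = new StringWriter();
        saml2Response.marshall(response, marshalled);
        QName encryptedAssertionName =
            new QName(JBossSAMLURIConstants.ASSERTION_NSURI.get(), "EncryptedAssertion", "saml");
        // Assumes the response holds its assertion at index 0 — TODO confirm against getResponse()'s parent.
        response.getAssertionOrEncryptedAssertion().set(0,
            saml2Response.getEncryptedAssertion(
                DocumentUtil.getNodeAsStream(
                    XMLEncryptionUtil.encryptElementInDocument(
                        DocumentUtil.getDocument(new StringReader(marshalled.toString())),
                        validatingKey, encryptionKey, keySize, encryptedAssertionName, true))));
    }
}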
