package org.overlord.commons.auth.util;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URI;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.UUID;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import javax.xml.datatype.XMLGregorianCalendar;
import org.overlord.commons.auth.Messages;
import org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature;
import org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil;
import org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil;
import org.picketlink.identity.federation.core.saml.v2.util.XMLTimeUtil;
import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
import org.picketlink.identity.federation.saml.v2.assertion.AttributeType;
import org.picketlink.identity.federation.saml.v2.assertion.AudienceRestrictionType;
import org.picketlink.identity.federation.saml.v2.assertion.ConditionsType;
import org.picketlink.identity.federation.saml.v2.assertion.NameIDType;
import org.picketlink.identity.federation.saml.v2.assertion.SubjectType;
import org.w3c.dom.Document;

/* loaded from: input_file:lib/overlord-commons-auth-2.0.11.Final.jar:org/overlord/commons/auth/util/SAMLBearerTokenUtil.class */
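/**
 * Helpers for creating, signing and validating the SAML 2.0 bearer
 * assertions used by Overlord's authentication layer. All XML/SAML work is
 * delegated to PicketLink; this class wires the pieces together and adds the
 * issuer / audience / validity-window checks in
 * {@link #validateAssertion(AssertionType, HttpServletRequest, Set)}.
 *
 * <p>Security note: {@code validateAssertion} does NOT verify the XML
 * signature. A caller that accepts a bearer assertion must check the
 * signature separately (e.g. {@link #isSAMLAssertionSignatureValid(Document, KeyPair)})
 * before trusting the subject, roles or issuer it carries.
 */
public class SAMLBearerTokenUtil {

    /** Keystore type used by the two-argument {@link #loadKeystore(String, String)}. */
    private static final String DEFAULT_KEYSTORE_TYPE = "jks";

    /**
     * Validity window handed to {@code AssertionUtil.createTimedConditions} by the
     * four-argument {@code createSAMLAssertion} overload. PicketLink documents the
     * parameter as a duration in milliseconds -- confirm against the PicketLink
     * version in use if the window looks wrong.
     */
    private static final int DEFAULT_VALIDITY = 10000;

    /**
     * Creates an unsigned SAML assertion with the default validity window.
     *
     * @param principal the authenticated principal; its name becomes the assertion subject
     * @param set       roles to list in the assertion's "Role" attribute (may be null)
     * @param str       the issuer value written into the assertion
     * @param str2      the single audience the assertion is restricted to
     * @return the assertion serialised as an XML string
     * @throws RuntimeException wrapping any PicketLink failure
     */
    public static String createSAMLAssertion(Principal principal, Set<String> set, String str, String str2) {
        return createSAMLAssertion(principal, set, str, str2, DEFAULT_VALIDITY);
    }

    /**
     * Creates an unsigned SAML assertion.
     *
     * <p>The assertion gets a random UUID id, a {@code NameID} issuer, a subject
     * built from the principal's name, timed conditions spanning {@code i},
     * exactly one audience restriction, and one attribute statement named
     * "Role" holding the supplied roles. Sign it with
     * {@link #signSAMLAssertion(String, KeyPair)} before sending it anywhere a
     * relying party will trust it.
     *
     * @param principal the authenticated principal; its name becomes the assertion subject
     * @param set       roles to list in the "Role" attribute (null or empty yields an empty attribute)
     * @param str       the issuer value written into the assertion
     * @param str2      the single audience the assertion is restricted to
     * @param i         validity window passed to {@code AssertionUtil.createTimedConditions}
     * @return the assertion serialised as an XML string
     * @throws RuntimeException wrapping any PicketLink failure
     */
    public static String createSAMLAssertion(Principal principal, Set<String> set, String str, String str2, int i) {
        try {
            NameIDType issuer = org.picketlink.identity.federation.core.saml.v2.factories.SAMLAssertionFactory
                    .createNameID((String) null, (String) null, str);
            SubjectType subject = AssertionUtil.createAssertionSubject(principal.getName());
            // A random UUID is sufficient as an assertion id; uniqueness, not secrecy, is what matters here.
            AssertionType assertion = AssertionUtil.createAssertion(UUID.randomUUID().toString(), issuer);
            assertion.setSubject(subject);
            AssertionUtil.createTimedConditions(assertion, i);
            assertion.getConditions().addCondition(
                    org.picketlink.identity.federation.core.saml.v2.factories.SAMLAssertionFactory
                            .createAudienceRestriction(new String[] { str2 }));
            addRoleStatements(set, assertion, principal);
            return AssertionUtil.asString(assertion);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Appends an attribute statement with a single "Role" attribute whose values
     * are the given roles. The statement is added even when {@code set} is null,
     * in which case the attribute has no values.
     *
     * @param set           roles to emit (may be null)
     * @param assertionType the assertion to append the statement to
     * @param principal     unused; kept for signature compatibility
     */
    private static void addRoleStatements(Set<String> set, AssertionType assertionType, Principal principal) {
        AttributeType roleAttribute = new AttributeType("Role");
        AttributeStatementType statement = new AttributeStatementType();
        statement.addAttribute(new AttributeStatementType.ASTChoiceType(roleAttribute));
        if (set != null) {
            for (String role : set) {
                roleAttribute.addAttributeValue(role);
            }
        }
        assertionType.addStatement(statement);
    }

    /**
     * Parses an assertion and enveloped-signs it with the given key pair.
     *
     * @param str     the assertion XML (as produced by {@code createSAMLAssertion})
     * @param keyPair the signing key pair
     * @return the signed document serialised back to a string
     * @throws RuntimeException wrapping any parsing or signing failure
     */
    public static String signSAMLAssertion(String str, KeyPair keyPair) {
        try {
            // NOTE(review): parsing is delegated to PicketLink's DocumentUtil; whether it
            // disables DTDs / external entities is not visible here. Confirm before routing
            // untrusted XML through this method.
            Document document = DocumentUtil.getDocument(str);
            new SAML2Signature().signSAMLDocument(document, keyPair);
            return DocumentUtil.getDocumentAsString(document);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Checks the XML signature on the document's root element against the
     * public half of {@code keyPair}.
     *
     * <p>This only proves the document was signed by that key; it says nothing
     * about issuer, audience or validity window -- use
     * {@link #validateAssertion(AssertionType, HttpServletRequest, Set)} for those.
     *
     * @param document the parsed, signed assertion
     * @param keyPair  key pair whose public key the signature is verified with
     * @return true if the signature verifies
     */
    public static boolean isSAMLAssertionSignatureValid(Document document, KeyPair keyPair) {
        return AssertionUtil.isSignatureValid(document.getDocumentElement(), keyPair.getPublic());
    }

    /**
     * Loads a private key and its certificate's public key from a keystore.
     *
     * @param keyStore the (already loaded) keystore
     * @param str      alias of the key entry
     * @param str2     password protecting the key entry
     * @return the key pair for the alias
     * @throws Exception if the alias or its certificate is missing, the entry
     *                   cannot be unlocked (cause preserved), or the entry is
     *                   not a private key
     */
    public static KeyPair getKeyPair(KeyStore keyStore, String str, String str2) throws Exception {
        Key key;
        Certificate certificate;
        try {
            // The char[] copy is not wiped: the caller already holds the password as a String.
            key = keyStore.getKey(str, str2.toCharArray());
            certificate = keyStore.getCertificate(str);
        } catch (Exception e) {
            // Keep the cause instead of printing it: wrong passwords and unknown
            // aliases are otherwise indistinguishable to the caller.
            throw new Exception(Messages.format("SAMLBearerTokenUtil.FailedToGetKeyPair.Alias", str), e);
        }
        if (key == null || certificate == null) {
            throw new Exception(Messages.format("SAMLBearerTokenUtil.FailedToGetKeyPair.Alias", str));
        }
        if (!(key instanceof PrivateKey)) {
            // Previously this message was swallowed by a surrounding catch and replaced
            // with the generic alias message; now it reaches the caller.
            throw new Exception(Messages.format("SAMLBearerTokenUtil.FailedToGetKeyPair.IncorrectKeyType", str));
        }
        return new KeyPair(certificate.getPublicKey(), (PrivateKey) key);
    }

    /**
     * Loads a JKS keystore from a path or {@code file:} URI.
     *
     * @param str  filesystem path, or a {@code file:} URI, of the keystore
     * @param str2 keystore password
     * @return the loaded keystore
     * @throws Exception if the file does not exist or the keystore cannot be loaded
     */
    public static KeyStore loadKeystore(String str, String str2) throws Exception {
        return loadKeystore(str, str2, DEFAULT_KEYSTORE_TYPE);
    }

    /**
     * Loads a keystore of the given type from a path or {@code file:} URI.
     *
     * @param str  filesystem path, or a {@code file:} URI, of the keystore
     * @param str2 keystore password
     * @param type keystore type as understood by {@link KeyStore#getInstance(String)}
     * @return the loaded keystore
     * @throws Exception if the file does not exist or the keystore cannot be loaded
     */
    public static KeyStore loadKeystore(String str, String str2, String type) throws Exception {
        File file = str.startsWith("file:") ? new File(new URI(str)) : new File(str);
        if (!file.isFile()) {
            throw new Exception(Messages.format("SAMLBearerTokenUtil.NoKeystore", str));
        }
        KeyStore keyStore = KeyStore.getInstance(type);
        FileInputStream in = new FileInputStream(file);
        try {
            keyStore.load(in, str2.toCharArray());
        } finally {
            try {
                in.close();
            } catch (IOException ignored) {
                // The outcome of load() is already decided; a close failure adds nothing.
            }
        }
        return keyStore;
    }

    /**
     * Checks an (already signature-verified) assertion's issuer, audience and
     * validity window against this request.
     *
     * <p>Checks performed, in order:
     * <ol>
     *   <li>the issuer is in {@code set} -- skipped entirely when {@code set} is null;</li>
     *   <li>one of the assertion's audience restrictions equals the request's
     *       servlet context path (exact string match);</li>
     *   <li>the conditions exist and the current time lies within
     *       {@code NotBefore}/{@code NotOnOrAfter} as judged by {@code XMLTimeUtil.isValid}.</li>
     * </ol>
     *
     * @param assertionType      the parsed assertion
     * @param httpServletRequest the request the assertion was presented on
     * @param set                allowed issuer values; null disables the issuer check
     * @throws LoginException if any check fails; the underlying exception, if
     *                        any, is attached as the cause
     */
    public static void validateAssertion(AssertionType assertionType, HttpServletRequest httpServletRequest, Set<String> set) throws LoginException {
        if (assertionType == null || assertionType.getIssuer() == null) {
            throw new LoginException(Messages.getString("SAMLBearerTokenUtil.InvalidAssertion"));
        }
        String issuer = assertionType.getIssuer().getValue();
        // NOTE(review): passing a null allowed-issuer set accepts ANY issuer. That is
        // only safe if the caller has already bound the signature to a known key.
        if (set != null && !set.contains(issuer)) {
            throw new LoginException(Messages.format("SAMLBearerTokenUtil.BadIssuer", issuer, set.toString()));
        }
        String contextPath = httpServletRequest.getContextPath();
        if (!getAudienceRestrictions(assertionType).contains(contextPath)) {
            throw new LoginException(Messages.format("SAMLBearerTokenUtil.InvalidAudienceRestrictions", contextPath));
        }
        ConditionsType conditions = assertionType.getConditions();
        if (conditions == null) {
            throw new LoginException(Messages.getString("SAMLBearerTokenUtil.InvalidAssertion"));
        }
        try {
            XMLGregorianCalendar now = XMLTimeUtil.getIssueInstant();
            XMLGregorianCalendar notBefore = conditions.getNotBefore();
            XMLGregorianCalendar notOnOrAfter = conditions.getNotOnOrAfter();
            // No clock-skew allowance is applied here; how null bounds are treated is
            // up to PicketLink's isValid.
            if (!XMLTimeUtil.isValid(now, notBefore, notOnOrAfter)) {
                throw new LoginException(Messages.format("SAMLBearerTokenUtil.AssertionExpired",
                        now.toXMLFormat(), formatTime(notBefore), formatTime(notOnOrAfter)));
            }
        } catch (LoginException e) {
            throw e;
        } catch (Exception e) {
            // LoginException has no (message, cause) constructor; attach the cause explicitly.
            LoginException wrapped = new LoginException(e.getMessage());
            wrapped.initCause(e);
            throw wrapped;
        }
    }

    /**
     * Null-safe rendering of a timestamp for error messages (a missing bound
     * previously caused an NPE while building the message).
     */
    private static String formatTime(XMLGregorianCalendar time) {
        return time == null ? "null" : time.toXMLFormat();
    }

    /**
     * Collects every {@code Audience} value from the assertion's
     * {@code AudienceRestriction} conditions as strings.
     *
     * @param assertionType the assertion (may be null)
     * @return the audiences; empty when the assertion has no conditions
     */
    private static Set<String> getAudienceRestrictions(AssertionType assertionType) {
        Set<String> audiences = new HashSet<String>();
        if (assertionType == null || assertionType.getConditions() == null
                || assertionType.getConditions().getConditions() == null) {
            return audiences;
        }
        // The condition list holds several condition types; only audience restrictions matter here.
        for (Object condition : assertionType.getConditions().getConditions()) {
            if (!(condition instanceof AudienceRestrictionType)) {
                continue;
            }
            for (Object audience : ((AudienceRestrictionType) condition).getAudience()) {
                audiences.add(((URI) audience).toString());
            }
        }
        return audiences;
    }
}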
