package org.picketlink.identity.federation.core.wstrust.plugins.saml;

import java.net.URI;
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;
import javax.xml.namespace.QName;
import org.apache.xerces.impl.xs.SchemaSymbols;
import org.picketlink.common.constants.JBossSAMLConstants;
import org.picketlink.common.constants.WSTrustConstants;
import org.picketlink.common.exceptions.ProcessingException;
import org.picketlink.identity.federation.core.interfaces.ProtocolContext;
import org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider;
import org.picketlink.identity.federation.core.saml.v1.SAML11Constants;
import org.picketlink.identity.federation.core.saml.v2.common.IDGenerator;
import org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil;
import org.picketlink.identity.federation.core.sts.AbstractSecurityTokenProvider;
import org.picketlink.identity.federation.core.wstrust.StandardSecurityToken;
import org.picketlink.identity.federation.core.wstrust.WSTrustRequestContext;
import org.picketlink.identity.federation.core.wstrust.WSTrustUtil;
import org.picketlink.identity.federation.core.wstrust.wrappers.Lifetime;
import org.picketlink.identity.federation.saml.v1.assertion.SAML11AssertionType;
import org.picketlink.identity.federation.saml.v1.assertion.SAML11AudienceRestrictionCondition;
import org.picketlink.identity.federation.saml.v1.assertion.SAML11AuthenticationStatementType;
import org.picketlink.identity.federation.saml.v1.assertion.SAML11ConditionsType;
import org.picketlink.identity.federation.saml.v1.assertion.SAML11NameIdentifierType;
import org.picketlink.identity.federation.saml.v1.assertion.SAML11SubjectConfirmationType;
import org.picketlink.identity.federation.saml.v1.assertion.SAML11SubjectType;
import org.picketlink.identity.federation.ws.policy.AppliesTo;
import org.picketlink.identity.federation.ws.trust.StatusType;
import org.picketlink.identity.federation.ws.wss.secext.KeyIdentifierType;
import org.picketlink.identity.xmlsec.w3.xmldsig.KeyInfoType;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/* loaded from: input_file:WEB-INF/lib/picketlink-federation-2.5.3.SP4.jar:org/picketlink/identity/federation/core/wstrust/plugins/saml/SAML11TokenProvider.class */
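/**
 * WS-Trust {@link SecurityTokenProvider} for SAML v1.1 assertions: issues bearer / sender-vouches
 * assertions, renews and cancels existing ones, and answers validation requests.
 *
 * <p>NOTE(review): this provider never verifies an XML signature on the assertion it receives as a
 * cancel, renew or validate target, and it does not check the target's Issuer or AudienceRestriction.
 * It presumably relies on the STS request handler having authenticated the token before delegating
 * here — confirm, because otherwise a forged assertion could be renewed or reported as valid.
 */
public class SAML11TokenProvider extends AbstractSecurityTokenProvider {

    /** Provider property: when "true" the attached reference carries the bare assertion ID instead of "#ID". */
    private static final String USE_ABSOLUTE_KEYIDENTIFIER_PROPERTY = "USE_ABSOLUTE_KEYIDENTIFIER";

    /** Namespace of a SAML 1.x {@code <Assertion>} element. */
    private static final String SAML11_ASSERTION_NAMESPACE = "urn:oasis:names:tc:SAML:1.0:assertion";

    /** WS-Security 1.1 namespace of the {@code TokenType} attribute on the attached reference. */
    private static final String WSSE11_NAMESPACE = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd";

    /** Prefix of generated assertion IDs. */
    private static final String ASSERTION_ID_PREFIX = "ID_";

    /** Subject name written when the request carries no caller principal. */
    private static final String ANONYMOUS_SUBJECT = "ANONYMOUS";

    /** AuthenticationMethod URI stamped on every issued AuthenticationStatement. */
    private static final String AUTHENTICATION_METHOD = "urn:picketlink:auth";

    /**
     * Revokes the assertion carried in the request's CancelTarget.
     *
     * @param protocolContext ignored unless it is a {@link WSTrustRequestContext}
     * @throws ProcessingException if the CancelTarget is missing or is not a SAML 1.1 assertion
     */
    @Override
    public void cancelToken(ProtocolContext protocolContext) throws ProcessingException {
        if (!(protocolContext instanceof WSTrustRequestContext)) {
            return;
        }
        WSTrustRequestContext context = (WSTrustRequestContext) protocolContext;
        Element cancelTarget = context.getRequestSecurityToken().getCancelTargetElement();
        if (cancelTarget == null) {
            throw logger.wsTrustNullCancelTargetError();
        }
        Element assertionElement = firstChildElement(cancelTarget);
        if (!isSAMLAssertion(assertionElement)) {
            throw logger.assertionInvalidError();
        }
        // Revocation is keyed by the AssertionID attribute alone; the target is not parsed further.
        // DOM returns "" for a missing attribute, and registering "" would revoke nothing useful,
        // so an assertion without an ID is rejected as invalid.
        String assertionId = assertionElement.getAttribute(SAML11Constants.ASSERTIONID);
        if (assertionId == null || assertionId.length() == 0) {
            throw logger.assertionInvalidError();
        }
        this.revocationRegistry.revokeToken(SAMLUtil.SAML11_TOKEN_TYPE, assertionId);
    }

    /**
     * Issues a new SAML 1.1 assertion for the caller (or the OnBehalfOf principal) and stores it,
     * together with a RequestedAttachedReference, on the request context.
     *
     * <p>The confirmation method is sender-vouches when OnBehalfOf is present, bearer otherwise.
     * Holder-of-key (a proof token in the request) is not implemented for SAML 1.1 and is rejected.
     *
     * @param protocolContext ignored unless it is a {@link WSTrustRequestContext}
     * @throws ProcessingException if the assertion cannot be marshalled or holder-of-key is requested
     */
    @Override
    public void issueToken(ProtocolContext protocolContext) throws ProcessingException {
        if (!(protocolContext instanceof WSTrustRequestContext)) {
            return;
        }
        WSTrustRequestContext context = (WSTrustRequestContext) protocolContext;
        // NOTE(review): assumes the request handler has filled in a Lifetime before delegating — confirm.
        Lifetime lifetime = context.getRequestSecurityToken().getLifetime();
        String assertionId = IDGenerator.create(ASSERTION_ID_PREFIX);

        SAML11ConditionsType conditions = new SAML11ConditionsType();
        conditions.setNotBefore(lifetime.getCreated());
        conditions.setNotOnOrAfter(lifetime.getExpires());
        SAML11AudienceRestrictionCondition audience = buildAudienceRestriction(context.getRequestSecurityToken().getAppliesTo());
        if (audience != null) {
            // Only restrict the audience when the request named one; no AppliesTo means no restriction.
            conditions.add(audience);
        }

        Principal subjectPrincipal = context.getCallerPrincipal();
        String confirmationMethod;
        if (context.getOnBehalfOfPrincipal() != null) {
            // Delegation: the assertion is about the OnBehalfOf principal and the STS vouches for it.
            subjectPrincipal = context.getOnBehalfOfPrincipal();
            confirmationMethod = SAMLUtil.SAML11_SENDER_VOUCHES_URI;
        } else if (context.getProofTokenInfo() != null) {
            // Holder-of-key would require embedding the proof KeyInfo in the SubjectConfirmation; that
            // is not implemented here, so fail rather than silently issue a weaker bearer assertion.
            KeyInfoType proofKey = context.getProofTokenInfo();
            throw logger.notImplementedYet(proofKey.getClass().getSimpleName());
        } else {
            confirmationMethod = SAMLUtil.SAML11_BEARER_URI;
        }

        SAML11SubjectConfirmationType subjectConfirmation = new SAML11SubjectConfirmationType();
        subjectConfirmation.addConfirmationMethod(URI.create(confirmationMethod));

        // NOTE(review): with no caller principal a bearer assertion for "ANONYMOUS" is issued — confirm
        // that unauthenticated RSTs are rejected upstream, otherwise this hands out usable tokens.
        String subjectName = subjectPrincipal == null ? ANONYMOUS_SUBJECT : subjectPrincipal.getName();
        SAML11NameIdentifierType nameIdentifier = new SAML11NameIdentifierType(subjectName);
        nameIdentifier.setFormat(URI.create(SAML11Constants.FORMAT_UNSPECIFIED));
        SAML11SubjectType subject = new SAML11SubjectType();
        subject.setChoice(new SAML11SubjectType.SAML11SubjectTypeChoice(nameIdentifier));
        subject.setSubjectConfirmation(subjectConfirmation);

        SAML11AuthenticationStatementType authnStatement =
                new SAML11AuthenticationStatementType(URI.create(AUTHENTICATION_METHOD), lifetime.getCreated());
        authnStatement.setSubject(subject);

        SAML11AssertionType assertion = new SAML11AssertionType(assertionId, lifetime.getCreated());
        assertion.add(authnStatement);
        assertion.setConditions(conditions);
        assertion.setIssuer(context.getTokenIssuer());

        publishAssertion(context, assertion, assertionId);
    }

    /**
     * Renews the assertion carried in the request's RenewTarget: the statements are copied into a
     * fresh assertion (new ID) whose Conditions take the lifetime requested in the RST.
     *
     * @param protocolContext ignored unless it is a {@link WSTrustRequestContext}
     * @throws ProcessingException if the target is missing, not a SAML 1.1 assertion, cannot be
     *         parsed, has no Conditions, has been revoked, or the renewed assertion cannot be marshalled
     */
    @Override
    public void renewToken(ProtocolContext protocolContext) throws ProcessingException {
        if (!(protocolContext instanceof WSTrustRequestContext)) {
            return;
        }
        WSTrustRequestContext context = (WSTrustRequestContext) protocolContext;
        Element renewTarget = context.getRequestSecurityToken().getRenewTargetElement();
        if (renewTarget == null) {
            throw logger.wsTrustNullRenewTargetError();
        }
        Element assertionElement = firstChildElement(renewTarget);
        if (!isSAMLAssertion(assertionElement)) {
            throw logger.assertionInvalidError();
        }
        // Narrow try scope: previously one catch-all wrapped the whole method, so a "revoked" or
        // "marshal" failure surfaced to the caller as an unmarshall error with the real cause buried.
        SAML11AssertionType original;
        try {
            original = SAMLUtil.saml11FromElement(assertionElement);
        } catch (Exception e) {
            throw logger.samlAssertionUnmarshallError(e);
        }
        if (this.revocationRegistry.isRevoked(SAMLUtil.SAML11_TOKEN_TYPE, original.getID())) {
            throw logger.samlAssertionRevokedCouldNotRenew(original.getID());
        }
        SAML11ConditionsType conditions = original.getConditions();
        if (conditions == null) {
            // Nothing to renew without a Conditions element; previously this was an NPE reported as an unmarshall error.
            throw logger.assertionInvalidError();
        }
        // NOTE(review): the target's own NotBefore/NotOnOrAfter are not checked, so an assertion that
        // expired long ago can still be renewed here — confirm that this is the intended policy.
        Lifetime lifetime = context.getRequestSecurityToken().getLifetime();
        conditions.setNotBefore(lifetime.getCreated());
        conditions.setNotOnOrAfter(lifetime.getExpires());

        String assertionId = IDGenerator.create(ASSERTION_ID_PREFIX);
        SAML11AssertionType renewed = new SAML11AssertionType(assertionId, conditions.getNotBefore());
        renewed.addAllStatements(original.getStatements());
        renewed.setConditions(conditions);
        renewed.setIssuer(context.getTokenIssuer());

        publishAssertion(context, renewed, assertionId);
    }

    /**
     * Validates the assertion carried in the request's ValidateTarget and records a WS-Trust status
     * on the context: invalid if the target is not a SAML 1.1 assertion, has been cancelled, or is
     * outside its NotBefore/NotOnOrAfter window; valid otherwise.
     *
     * <p>Fix: a target that is not a SAML 1.1 assertion previously set the invalid status and then
     * dereferenced the still-null parsed assertion, so the caller saw a NullPointerException instead
     * of the status.
     *
     * @param protocolContext ignored unless it is a {@link WSTrustRequestContext}
     * @throws ProcessingException if the ValidateTarget is missing or the assertion cannot be parsed
     */
    @Override
    public void validateToken(ProtocolContext protocolContext) throws ProcessingException {
        if (!(protocolContext instanceof WSTrustRequestContext)) {
            return;
        }
        WSTrustRequestContext context = (WSTrustRequestContext) protocolContext;
        logger.trace("SAML token validation started");
        Element validateTarget = context.getRequestSecurityToken().getValidateTargetElement();
        if (validateTarget == null) {
            throw logger.wsTrustNullValidationTargetError();
        }
        Element assertionElement = firstChildElement(validateTarget);
        if (!isSAMLAssertion(assertionElement)) {
            setStatus(context, WSTrustConstants.STATUS_CODE_INVALID,
                    "Validation failure: supplied token is not a SAMLV1.1 Assertion");
            return;
        }
        SAML11AssertionType assertion;
        try {
            assertion = SAMLUtil.saml11FromElement(assertionElement);
        } catch (Exception e) {
            throw logger.samlAssertionUnmarshallError(e);
        }

        String code = WSTrustConstants.STATUS_CODE_VALID;
        String reason = "SAMLV1.1 Assertion successfuly validated";
        if (this.revocationRegistry.isRevoked(SAMLUtil.SAML11_TOKEN_TYPE, assertion.getID())) {
            code = WSTrustConstants.STATUS_CODE_INVALID;
            reason = "Validation failure: assertion with id " + assertion.getID() + " has been canceled";
        }
        // Checked after revocation so that, as before, an expired-and-cancelled token reports the lifetime reason.
        try {
            if (AssertionUtil.hasExpired(assertion)) {
                code = WSTrustConstants.STATUS_CODE_INVALID;
                reason = "Validation failure: assertion expired or used before its lifetime period";
            }
        } catch (Exception e) {
            // A lifetime that cannot be evaluated must not pass as valid.
            code = WSTrustConstants.STATUS_CODE_INVALID;
            reason = "Validation failure: unable to verify assertion lifetime: " + e.getMessage();
        }
        setStatus(context, code, reason);
    }

    /** @return the WS-Trust provider family name */
    @Override
    public String family() {
        return SecurityTokenProvider.FAMILY_TYPE.WS_TRUST.toString();
    }

    /** @return the qualified name of the token element this provider handles */
    @Override
    public QName getSupportedQName() {
        return new QName(tokenType(), JBossSAMLConstants.ASSERTION.get());
    }

    /**
     * @param str a namespace URI
     * @return whether {@code str} is the WS-Trust base namespace
     */
    @Override
    public boolean supports(String str) {
        return WSTrustConstants.BASE_NAMESPACE.equals(str);
    }

    /** @return the SAML 1.1 token type URI */
    @Override
    public String tokenType() {
        return SAMLUtil.SAML11_TOKEN_TYPE;
    }

    /**
     * Marshals the assertion, stores it as the context's security token and attaches a
     * RequestedAttachedReference pointing at it.
     *
     * @throws ProcessingException wrapping any marshalling failure
     */
    private void publishAssertion(WSTrustRequestContext context, SAML11AssertionType assertion, String assertionId)
            throws ProcessingException {
        try {
            String tokenType = context.getRequestSecurityToken().getTokenType().toString();
            context.setSecurityToken(new StandardSecurityToken(tokenType, SAMLUtil.toElement(assertion), assertionId));
            context.setAttachedReference(WSTrustUtil.createRequestedReference(buildKeyIdentifier(assertionId), attachedReferenceAttributes()));
        } catch (Exception e) {
            throw logger.samlAssertionMarshallError(e);
        }
    }

    /**
     * Builds the KeyIdentifier of the attached reference. A same-document reference is "#ID"; when
     * USE_ABSOLUTE_KEYIDENTIFIER is enabled the bare ID is used instead.
     *
     * <p>Fix: the property used to be read only inside cancelToken, so issued tokens ignored it until
     * some token had been cancelled, and renewed tokens ignored it always. It is now read on demand
     * for both issue and renew.
     */
    private KeyIdentifierType buildKeyIdentifier(String assertionId) {
        String reference = isAbsoluteKeyIdentifierEnabled() ? assertionId : "#" + assertionId;
        return WSTrustUtil.createKeyIdentifier(SAMLUtil.SAML11_VALUE_TYPE, reference);
    }

    /** @return the wsse11:TokenType attribute set on the attached reference */
    private static Map<QName, String> attachedReferenceAttributes() {
        Map<QName, String> attributes = new HashMap<QName, String>();
        attributes.put(new QName(WSSE11_NAMESPACE, WSTrustConstants.TOKEN_TYPE, WSTrustConstants.WSSE.PREFIX_11), SAMLUtil.SAML11_TOKEN_TYPE);
        return attributes;
    }

    /**
     * Reads USE_ABSOLUTE_KEYIDENTIFIER from the provider properties (case-insensitive "true").
     * Boolean.parseBoolean matches the previous equalsIgnoreCase("true") check without depending on
     * a Xerces-internal constant, and tolerates a missing value or uninitialised properties.
     */
    private boolean isAbsoluteKeyIdentifierEnabled() {
        return this.properties != null && Boolean.parseBoolean(this.properties.get(USE_ABSOLUTE_KEYIDENTIFIER_PROPERTY));
    }

    /** Records a WS-Trust status with the given code and human-readable reason on the context. */
    private static void setStatus(WSTrustRequestContext context, String code, String reason) {
        StatusType status = new StatusType();
        status.setCode(code);
        status.setReason(reason);
        context.setStatus(status);
    }

    /**
     * @return an AudienceRestrictionCondition for the AppliesTo endpoint, or null when the request
     *         names no AppliesTo
     */
    private static SAML11AudienceRestrictionCondition buildAudienceRestriction(AppliesTo appliesTo) {
        if (appliesTo == null) {
            return null;
        }
        SAML11AudienceRestrictionCondition restriction = new SAML11AudienceRestrictionCondition();
        restriction.add(URI.create(WSTrustUtil.parseAppliesTo(appliesTo)));
        return restriction;
    }

    /**
     * Returns the first element child of {@code parent}, or null if there is none. Text and comment
     * nodes are skipped; the previous unconditional cast of getFirstChild() threw ClassCastException
     * when the target was wrapped in whitespace.
     */
    private static Element firstChildElement(Element parent) {
        for (Node child = parent.getFirstChild(); child != null; child = child.getNextSibling()) {
            if (child.getNodeType() == Node.ELEMENT_NODE) {
                return (Element) child;
            }
        }
        return null;
    }

    /** @return whether {@code element} is a SAML 1.x {@code <Assertion>} (null-safe) */
    private boolean isSAMLAssertion(Element element) {
        return element != null
                && "Assertion".equals(element.getLocalName())
                && SAML11_ASSERTION_NAMESPACE.equals(element.getNamespaceURI());
    }
}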
