package org.picketlink.identity.federation.core.wstrust.plugins.saml;

import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;
import javax.xml.namespace.QName;
import org.picketlink.identity.federation.PicketLinkLogger;
import org.picketlink.identity.federation.PicketLinkLoggerFactory;
import org.picketlink.identity.federation.core.exceptions.ProcessingException;
import org.picketlink.identity.federation.core.interfaces.ProtocolContext;
import org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider;
import org.picketlink.identity.federation.core.saml.v2.common.IDGenerator;
import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLConstants;
import org.picketlink.identity.federation.core.saml.v2.factories.SAMLAssertionFactory;
import org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil;
import org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil;
import org.picketlink.identity.federation.core.saml.v2.util.StatementUtil;
import org.picketlink.identity.federation.core.sts.AbstractSecurityTokenProvider;
import org.picketlink.identity.federation.core.wstrust.StandardSecurityToken;
import org.picketlink.identity.federation.core.wstrust.WSTrustConstants;
import org.picketlink.identity.federation.core.wstrust.WSTrustRequestContext;
import org.picketlink.identity.federation.core.wstrust.WSTrustUtil;
import org.picketlink.identity.federation.core.wstrust.wrappers.Lifetime;
import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
import org.picketlink.identity.federation.saml.v2.assertion.AudienceRestrictionType;
import org.picketlink.identity.federation.saml.v2.assertion.ConditionsType;
import org.picketlink.identity.federation.saml.v2.assertion.KeyInfoConfirmationDataType;
import org.picketlink.identity.federation.saml.v2.assertion.SubjectType;
import org.picketlink.identity.federation.ws.policy.AppliesTo;
import org.picketlink.identity.federation.ws.trust.StatusType;
import org.picketlink.identity.federation.ws.wss.secext.KeyIdentifierType;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/* loaded from: input_file:org/picketlink/identity/federation/core/wstrust/plugins/saml/SAML20TokenProvider.class */
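/**
 * WS-Trust {@link SecurityTokenProvider} that issues, renews, cancels and validates SAML v2.0
 * assertions on behalf of the STS.
 *
 * <p>Every operation is a no-op when the supplied {@link ProtocolContext} is not a
 * {@link WSTrustRequestContext}; the operations read the RST carried by that context and write
 * the resulting token, attached reference or status back into it.
 *
 * <p>Trust boundary (review notes — confirm against the STS request handler that calls this class):
 * <ul>
 *   <li>Nothing in this class verifies an XML signature. {@link #renewToken}, {@link #cancelToken}
 *       and {@link #validateToken} act on whatever assertion the request carries; any signature or
 *       issuer check has to happen before these methods are invoked, otherwise a forged assertion
 *       is renewed (re-signed by this STS), reported valid, or used to cancel someone else's ID.</li>
 *   <li>{@link #issueToken} trusts the caller principal, the OnBehalfOf principal and the claimed
 *       attributes already present on the request context; authorization for OnBehalfOf is not
 *       enforced here.</li>
 *   <li>The attribute provider named in configuration is instantiated by reflection from a
 *       configuration (not request) value.</li>
 * </ul>
 */
public class SAML20TokenProvider extends AbstractSecurityTokenProvider implements SecurityTokenProvider {

    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();

    /** Configuration property naming the {@link SAML20TokenAttributeProvider} implementation class. */
    private static final String ATTRIBUTE_PROVIDER_PROPERTY = "AttributeProvider";

    /** WSS SAML Token Profile 1.1 value type for a key identifier that references an assertion by ID. */
    private static final String SAML_ID_VALUE_TYPE =
            "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID";

    /** Namespace of the wsse11:TokenType attribute placed on the requested reference. */
    private static final String WSSE11_NS = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd";

    /**
     * wsse11:TokenType attribute name (with prefix) used on both issued and renewed references, so
     * the two paths serialize the reference identically.
     */
    private static final QName TOKEN_TYPE_ATTRIBUTE =
            new QName(WSSE11_NS, WSTrustConstants.TOKEN_TYPE, WSTrustConstants.WSSE.PREFIX_11);

    /** Optional source of an extra attribute statement appended to every issued assertion; may stay null. */
    private SAML20TokenAttributeProvider attributeProvider;

    /**
     * Reads the provider properties and, if an {@code AttributeProvider} class is configured, loads
     * and instantiates it. A missing, wrongly typed or non-instantiable provider is logged and the
     * STS keeps running without extra attributes (best effort, as in the original behavior).
     *
     * @param map provider properties supplied by the STS configuration
     */
    @Override // org.picketlink.identity.federation.core.sts.AbstractSecurityTokenProvider, org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider
    public void initialize(Map<String, String> map) {
        super.initialize(map);
        // Trusted input: this class name comes from STS configuration, never from a request.
        String providerClassName = this.properties.get(ATTRIBUTE_PROVIDER_PROPERTY);
        if (providerClassName == null) {
            logger.trace("No attribute provider set");
            return;
        }
        try {
            Object candidate = SecurityActions.loadClass(getClass(), providerClassName).newInstance();
            if (candidate instanceof SAML20TokenAttributeProvider) {
                this.attributeProvider = (SAML20TokenAttributeProvider) candidate;
                this.attributeProvider.setProperties(this.properties);
            } else {
                logger.stsWrongAttributeProviderTypeNotInstalled(providerClassName);
            }
        } catch (Exception e) {
            // Deliberately non-fatal: a broken attribute provider must not take the STS down.
            logger.attributeProviderInstationError(e);
        }
    }

    /**
     * Records the assertion carried in {@code wst:CancelTarget} as revoked in the revocation registry.
     *
     * @param protocolContext the WS-Trust request context; ignored if of another type
     * @throws ProcessingException if the request has no CancelTarget or its content is not a
     *         SAML v2.0 {@code Assertion} element
     */
    @Override // org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider
    public void cancelToken(ProtocolContext protocolContext) throws ProcessingException {
        if (!(protocolContext instanceof WSTrustRequestContext)) {
            return;
        }
        WSTrustRequestContext context = (WSTrustRequestContext) protocolContext;
        Element cancelTarget = context.getRequestSecurityToken().getCancelTargetElement();
        if (cancelTarget == null) {
            throw logger.wsTrustNullCancelTargetError();
        }
        Element assertionElement = firstElementChild(cancelTarget);
        if (!isAssertion(assertionElement)) {
            throw logger.assertionInvalidError();
        }
        // NOTE(review): the ID is taken verbatim from the request. Nothing here proves that the
        // caller owns this assertion or that this STS issued it; if the request handler does not
        // verify the CancelTarget's signature, any client able to send a Cancel can revoke any ID.
        this.revocationRegistry.revokeToken(SAMLUtil.SAML2_TOKEN_TYPE, assertionElement.getAttribute("ID"));
    }

    /**
     * Builds a new SAML v2.0 assertion for the request and stores it, together with a
     * {@code wsse:SecurityTokenReference} to it, on the request context.
     *
     * <p>Subject confirmation is chosen from the request: OnBehalfOf → sender-vouches (the subject
     * becomes the OnBehalfOf principal), a proof token → holder-of-key, otherwise bearer.
     *
     * @param protocolContext the WS-Trust request context; ignored if of another type
     * @throws ProcessingException if the assertion cannot be marshalled to DOM
     */
    @Override // org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider
    public void issueToken(ProtocolContext protocolContext) throws ProcessingException {
        if (!(protocolContext instanceof WSTrustRequestContext)) {
            return;
        }
        WSTrustRequestContext context = (WSTrustRequestContext) protocolContext;
        String assertionId = IDGenerator.create("ID_");

        // Assumed to be populated (or defaulted) by the request handler before this call — a null
        // Lifetime would fail here. TODO confirm against the handler.
        Lifetime lifetime = context.getRequestSecurityToken().getLifetime();

        // Restrict the audience to the relying party named in AppliesTo, when the request names one;
        // without AppliesTo the assertion carries no audience restriction.
        AudienceRestrictionType audienceRestriction = null;
        AppliesTo appliesTo = context.getRequestSecurityToken().getAppliesTo();
        if (appliesTo != null) {
            audienceRestriction = SAMLAssertionFactory.createAudienceRestriction(WSTrustUtil.parseAppliesTo(appliesTo));
        }
        ConditionsType conditions = SAMLAssertionFactory.createConditions(
                lifetime.getCreated(), lifetime.getExpires(), audienceRestriction);

        Principal subjectPrincipal = context.getCallerPrincipal();
        String confirmationMethod;
        KeyInfoConfirmationDataType keyInfoConfirmation = null;
        if (context.getOnBehalfOfPrincipal() != null) {
            // The requester vouches for a third party: the assertion is about that party.
            // NOTE(review): whether the caller is allowed to act on behalf of that principal is
            // not checked here.
            subjectPrincipal = context.getOnBehalfOfPrincipal();
            confirmationMethod = SAMLUtil.SAML2_SENDER_VOUCHES_URI;
        } else if (context.getProofTokenInfo() != null) {
            // Holder-of-key: embed the proof key so relying parties can demand proof of possession.
            confirmationMethod = SAMLUtil.SAML2_HOLDER_OF_KEY_URI;
            keyInfoConfirmation = SAMLAssertionFactory.createKeyInfoConfirmation(context.getProofTokenInfo());
        } else {
            confirmationMethod = SAMLUtil.SAML2_BEARER_URI;
        }

        // NOTE(review): a request with no caller principal still yields an assertion, for the
        // subject "ANONYMOUS"; make sure the handler rejects unauthenticated issue requests if
        // that is not intended.
        String subjectName = subjectPrincipal == null ? "ANONYMOUS" : subjectPrincipal.getName();
        SubjectType subject = SAMLAssertionFactory.createSubject(
                SAMLAssertionFactory.createNameID(null, "urn:picketlink:identity-federation", subjectName),
                SAMLAssertionFactory.createSubjectConfirmation(null, confirmationMethod, keyInfoConfirmation));

        // Raw list kept on purpose: the statement element type of createAssertion is not imported here.
        ArrayList statements = null;
        Map<String, Object> claimedAttributes = context.getClaimedAttributes();
        if (claimedAttributes != null) {
            statements = new ArrayList();
            statements.add(StatementUtil.createAttributeStatement(claimedAttributes));
        }

        AssertionType assertion = SAMLAssertionFactory.createAssertion(
                assertionId,
                SAMLAssertionFactory.createNameID(null, null, context.getTokenIssuer()),
                lifetime.getCreated(),
                conditions,
                subject,
                statements);

        // Configured attribute provider may contribute one more attribute statement.
        if (this.attributeProvider != null) {
            AttributeStatementType extraStatement = this.attributeProvider.getAttributeStatement();
            if (extraStatement != null) {
                assertion.addStatement(extraStatement);
            }
        }

        try {
            String tokenType = context.getRequestSecurityToken().getTokenType().toString();
            context.setSecurityToken(new StandardSecurityToken(tokenType, SAMLUtil.toElement(assertion), assertionId));
            context.setAttachedReference(createAssertionReference(assertionId));
        } catch (Exception e) {
            throw logger.samlAssertionMarshallError(e);
        }
    }

    /**
     * Re-issues the assertion carried in {@code wst:RenewTarget} under a fresh ID with the lifetime
     * requested in the RST, keeping its issuer, subject and statements.
     *
     * @param protocolContext the WS-Trust request context; ignored if of another type
     * @throws ProcessingException if the request has no RenewTarget, its content is not a SAML v2.0
     *         assertion (or carries no {@code Conditions}), the assertion cannot be unmarshalled,
     *         it has been canceled, or the renewed assertion cannot be marshalled
     */
    @Override // org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider
    public void renewToken(ProtocolContext protocolContext) throws ProcessingException {
        if (!(protocolContext instanceof WSTrustRequestContext)) {
            return;
        }
        WSTrustRequestContext context = (WSTrustRequestContext) protocolContext;
        Element renewTarget = context.getRequestSecurityToken().getRenewTargetElement();
        if (renewTarget == null) {
            throw logger.wsTrustNullRenewTargetError();
        }
        Element assertionElement = firstElementChild(renewTarget);
        if (!isAssertion(assertionElement)) {
            throw logger.assertionInvalidError();
        }

        // Only the unmarshalling is wrapped: previously the whole method sat inside this try, so the
        // "canceled" error below was caught and re-thrown as an unmarshall error, hiding the reason.
        AssertionType original;
        try {
            original = SAMLUtil.fromElement(assertionElement);
        } catch (Exception e) {
            throw logger.samlAssertionUnmarshallError(e);
        }

        // A canceled assertion must not come back to life through renewal.
        if (this.revocationRegistry.isRevoked(SAMLUtil.SAML2_TOKEN_TYPE, original.getID())) {
            throw logger.samlAssertionRevokedCouldNotRenew(original.getID());
        }

        // NOTE(review): the incoming assertion's signature, issuer and expiry are not checked here,
        // the renewed assertion keeps the ORIGINAL issuer rather than this STS's token issuer, and
        // the old ID is not revoked (both assertions stay usable). Confirm the request handler
        // verifies the RenewTarget before this point.
        ConditionsType conditions = original.getConditions();
        if (conditions == null) {
            // Previously a NullPointerException (reported as an unmarshall error); reject explicitly.
            throw logger.assertionInvalidError();
        }
        Lifetime lifetime = context.getRequestSecurityToken().getLifetime();
        conditions.setNotBefore(lifetime.getCreated());
        conditions.setNotOnOrAfter(lifetime.getExpires());

        String renewedId = IDGenerator.create("ID_");
        // Raw list kept on purpose: the statement element type of createAssertion is not imported here.
        ArrayList statements = new ArrayList(original.getStatements());

        try {
            AssertionType renewed = SAMLAssertionFactory.createAssertion(
                    renewedId, original.getIssuer(), lifetime.getCreated(), conditions, original.getSubject(), statements);
            String tokenType = context.getRequestSecurityToken().getTokenType().toString();
            context.setSecurityToken(new StandardSecurityToken(tokenType, SAMLUtil.toElement(renewed), renewedId));
            context.setAttachedReference(createAssertionReference(renewedId));
        } catch (Exception e) {
            throw logger.samlAssertionMarshallError(e);
        }
    }

    /**
     * Checks the assertion carried in {@code wst:ValidateTarget} and stores a {@link StatusType} on the
     * request context: VALID, or INVALID when the content is not a SAML v2.0 assertion, the assertion
     * has been canceled, its lifetime has not started or has expired, or the lifetime cannot be
     * evaluated.
     *
     * <p>NOTE(review): only revocation and lifetime are checked here — not the signature, issuer or
     * audience. Whatever signature verification exists must run in the request handler before this
     * call, otherwise a forged assertion with a plausible lifetime is reported VALID.
     *
     * @param protocolContext the WS-Trust request context; ignored if of another type
     * @throws ProcessingException if the request has no ValidateTarget or the assertion cannot be
     *         unmarshalled
     */
    @Override // org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider
    public void validateToken(ProtocolContext protocolContext) throws ProcessingException {
        if (!(protocolContext instanceof WSTrustRequestContext)) {
            return;
        }
        WSTrustRequestContext context = (WSTrustRequestContext) protocolContext;
        logger.trace("SAML token validation started");
        Element validateTarget = context.getRequestSecurityToken().getValidateTargetElement();
        if (validateTarget == null) {
            throw logger.wsTrustNullValidationTargetError();
        }

        String code = WSTrustConstants.STATUS_CODE_VALID;
        String reason = "SAMLV2.0 Assertion successfuly validated";

        Element assertionElement = firstElementChild(validateTarget);
        if (!isAssertion(assertionElement)) {
            // Previously this path fell through to assertion.getID() on a null assertion and died
            // with a NullPointerException; now it fails closed with an INVALID status.
            code = WSTrustConstants.STATUS_CODE_INVALID;
            reason = "Validation failure: supplied token is not a SAMLV2.0 Assertion";
        } else {
            AssertionType assertion;
            try {
                if (logger.isTraceEnabled()) {
                    logger.samlAssertion(DocumentUtil.getNodeAsString(assertionElement));
                }
                assertion = SAMLUtil.fromElement(assertionElement);
            } catch (Exception e) {
                throw logger.samlAssertionUnmarshallError(e);
            }

            if (this.revocationRegistry.isRevoked(SAMLUtil.SAML2_TOKEN_TYPE, assertion.getID())) {
                code = WSTrustConstants.STATUS_CODE_INVALID;
                reason = "Validation failure: assertion with id " + assertion.getID() + " has been canceled";
            }

            // Lifetime check runs even for a canceled assertion (its message then wins), as before.
            try {
                if (AssertionUtil.hasExpired(assertion)) {
                    code = WSTrustConstants.STATUS_CODE_INVALID;
                    reason = "Validation failure: assertion expired or used before its lifetime period";
                }
            } catch (Exception e) {
                // Fail closed: an unverifiable lifetime is treated as invalid, not as valid.
                code = WSTrustConstants.STATUS_CODE_INVALID;
                reason = "Validation failure: unable to verify assertion lifetime: " + e.getMessage();
            }
        }

        StatusType status = new StatusType();
        status.setCode(code);
        status.setReason(reason);
        context.setStatus(status);
    }

    /**
     * Builds the {@code wsse:SecurityTokenReference} for an issued or renewed assertion: a SAMLID key
     * identifier pointing at {@code "#" + assertionId} plus a {@code wsse11:TokenType} attribute.
     * Declared to throw {@link Exception} because callers already wrap it in their marshalling
     * try/catch and the exact checked exceptions of the WS-Trust helpers are not visible here.
     *
     * @param assertionId the ID of the assertion being referenced
     * @return the requested reference to attach to the response
     */
    private static Object createAssertionReference(String assertionId) throws Exception {
        KeyIdentifierType keyIdentifier = WSTrustUtil.createKeyIdentifier(SAML_ID_VALUE_TYPE, "#" + assertionId);
        // Raw map kept on purpose: the parameter type of createRequestedReference is not imported here.
        HashMap attributes = new HashMap();
        attributes.put(TOKEN_TYPE_ATTRIBUTE, SAMLUtil.SAML2_TOKEN_TYPE);
        return WSTrustUtil.createRequestedReference(keyIdentifier, attributes);
    }

    /**
     * Returns the first child of {@code parent} that is an element, skipping whitespace text and
     * comment nodes; {@code null} if {@code parent} is null or has no element child. The original
     * cast {@code (Element) parent.getFirstChild()} threw a {@code ClassCastException} when the
     * target was pretty-printed.
     */
    private static Element firstElementChild(Element parent) {
        if (parent == null) {
            return null;
        }
        for (Node child = parent.getFirstChild(); child != null; child = child.getNextSibling()) {
            if (child instanceof Element) {
                return (Element) child;
            }
        }
        return null;
    }

    /** True if {@code element} is a non-null {@code Assertion} element in the SAML v2.0 assertion namespace. */
    private boolean isAssertion(Element element) {
        if (element == null) {
            return false;
        }
        boolean localNameMatches = "Assertion".equals(element.getLocalName());
        boolean namespaceMatches = WSTrustConstants.SAML2_ASSERTION_NS.equals(element.getNamespaceURI());
        return localNameMatches && namespaceMatches;
    }

    /** Returns true only for the base WS-Trust namespace. */
    @Override // org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider
    public boolean supports(String str) {
        return WSTrustConstants.BASE_NAMESPACE.equals(str);
    }

    /** The SAML v2.0 token type URI this provider handles. */
    @Override // org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider
    public String tokenType() {
        return SAMLUtil.SAML2_TOKEN_TYPE;
    }

    /** Qualified name of the element this provider produces: {@code Assertion} in the token-type namespace. */
    @Override // org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider
    public QName getSupportedQName() {
        return new QName(tokenType(), JBossSAMLConstants.ASSERTION.get());
    }

    /** Provider family, always WS-Trust. */
    @Override // org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider
    public String family() {
        return SecurityTokenProvider.FAMILY_TYPE.WS_TRUST.toString();
    }
}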
