package org.picketlink.identity.federation.bindings.jboss.auth;

import java.security.Principal;
import java.security.acl.Group;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginException;
import javax.xml.bind.JAXBElement;
import org.jboss.security.auth.spi.AbstractServerLoginModule;
import org.picketlink.identity.federation.bindings.jboss.subject.PicketLinkGroup;
import org.picketlink.identity.federation.bindings.jboss.subject.PicketLinkPrincipal;
import org.picketlink.identity.federation.core.wstrust.SAMLPrincipal;
import org.picketlink.identity.federation.core.wstrust.STSClient;
import org.picketlink.identity.federation.core.wstrust.STSClientConfig;
import org.picketlink.identity.federation.core.wstrust.SamlCredential;
import org.picketlink.identity.federation.core.wstrust.WSTrustException;
import org.picketlink.identity.federation.core.wstrust.plugins.saml.SAMLUtil;
import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
import org.picketlink.identity.federation.saml.v2.assertion.AttributeType;
import org.picketlink.identity.federation.saml.v2.assertion.NameIDType;
import org.picketlink.identity.federation.saml.v2.assertion.SubjectType;
import org.w3c.dom.Element;

/* loaded from: input_file:org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSIssuingLoginModule.class */
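/**
 * JAAS login module that authenticates a user name / password pair by asking a
 * PicketLink STS to issue a SAML 2.0 assertion for it.
 *
 * <p>On success the caller identity is a {@link SAMLPrincipal} wrapping the issued
 * assertion, and the role set is built from the assertion's attribute statement
 * (attribute named {@code SAML20TokenRoleAttributeProvider.DEFAULT_TOKEN_ROLE_ATTRIBUTE_NAME}).
 * With password stacking ({@code useFirstPass}) the principal published by an earlier
 * module under {@code javax.security.auth.login.name} is reused instead of contacting the STS.
 *
 * <p>Module options: {@code endpointAddress} (required, the STS URL), {@code portName}
 * and {@code serviceName} (optional; default to the PicketLink STS port / service names).
 *
 * <p>Note on secrets: {@link STSClientConfig.Builder#password} takes the password as a
 * {@link String}, so an immutable copy of the secret necessarily exists until it is
 * garbage-collected. The callback's copy and the intermediate {@code char[]} are cleared
 * as soon as they have been read; the password itself is never logged.
 */
public class SAML2STSIssuingLoginModule extends AbstractServerLoginModule {

    /** Login-module option holding the STS endpoint URL (required). */
    private static final String OPTION_ENDPOINT_ADDRESS = "endpointAddress";
    /** Login-module option overriding the STS WSDL port name (optional). */
    private static final String OPTION_PORT_NAME = "portName";
    /** Login-module option overriding the STS WSDL service name (optional). */
    private static final String OPTION_SERVICE_NAME = "serviceName";

    /** Shared-state keys used by JAAS password stacking. */
    private static final String SHARED_NAME_KEY = "javax.security.auth.login.name";
    private static final String SHARED_PASSWORD_KEY = "javax.security.auth.login.password";

    /** WS-Trust token type requested from the STS: a SAML 2.0 assertion. */
    private static final String SAML2_TOKEN_TYPE =
            "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";

    /** Name of the group that carries the caller principal in the returned role sets. */
    private static final String CALLER_PRINCIPAL_GROUP = "CallerPrincipal";

    private String endpointURL = null;
    private String portName = "PicketLinkSTSPort";
    private String serviceName = "PicketLinkSTS";
    /** Identity established by {@link #login()}; {@code null} until login succeeds. */
    private SAMLPrincipal principal;

    /**
     * Reads the module options.
     *
     * @param subject         the subject being authenticated
     * @param callbackHandler handler used to collect user name and password
     * @param map             JAAS shared state (password stacking)
     * @param map2            module options; must contain {@code endpointAddress}
     * @throws IllegalArgumentException if {@code endpointAddress} is missing
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> map, Map<String, ?> map2) {
        super.initialize(subject, callbackHandler, map, map2);
        Object endpoint = map2.get(OPTION_ENDPOINT_ADDRESS);
        if (endpoint == null) {
            // Message names the actual option key so a misconfiguration is easy to correct.
            throw new IllegalArgumentException("The endpointAddress property is required and must specify the STS URL");
        }
        this.endpointURL = (String) endpoint;
        String configuredPort = (String) map2.get(OPTION_PORT_NAME);
        if (configuredPort != null) {
            this.portName = configuredPort;
        }
        String configuredService = (String) map2.get(OPTION_SERVICE_NAME);
        if (configuredService != null) {
            this.serviceName = configuredService;
        }
    }

    /**
     * Authenticates the caller.
     *
     * <p>If an earlier module in the stack already authenticated (password stacking),
     * its shared principal is adopted when it is a {@link SAMLPrincipal}; otherwise the
     * user name and password are collected through the callback handler and sent to the
     * STS, and the issued assertion becomes the caller's {@link SAMLPrincipal}.
     *
     * @return {@code true} on success; {@code false} when a shared principal exists but is
     *         not a {@link SAMLPrincipal}
     * @throws LoginException if no callback handler is available, callback handling fails,
     *         the STS rejects the request, or the issued assertion cannot be parsed
     */
    public boolean login() throws LoginException {
        // Password stacking: a previous module already authenticated and published its principal.
        if (super.login()) {
            Object shared = this.sharedState.get(SHARED_NAME_KEY);
            if (shared instanceof SAMLPrincipal) {
                this.principal = (SAMLPrincipal) shared;
                return true;
            }
            this.log.warn("Shared principal is not a SAMLPrincipal.");
            return false;
        }
        if (this.callbackHandler == null) {
            throw new LoginException("Error: no CallbackHandler available to collect authentication information");
        }

        NameCallback nameCallback = new NameCallback("User name: ", "guest");
        PasswordCallback passwordCallback = new PasswordCallback("Password: ", false);
        String name;
        char[] passwordChars;
        try {
            this.callbackHandler.handle(new Callback[]{nameCallback, passwordCallback});
            name = nameCallback.getName();
            // getPassword() hands back a copy; the callback's own copy is cleared below.
            passwordChars = passwordCallback.getPassword();
        } catch (Exception e) {
            throw loginException("Error handling callback: " + e.getMessage(), e);
        } finally {
            passwordCallback.clearPassword();
        }
        if (passwordChars == null) {
            // new String((char[]) null) would NPE; report it as an authentication failure instead.
            throw new LoginException("Error handling callback: no password was supplied");
        }
        String password = new String(passwordChars);
        Arrays.fill(passwordChars, '\0');

        try {
            STSClient stsClient = new STSClient(buildClientConfig(name, password));
            if (this.log.isTraceEnabled()) {
                this.log.trace("Calling STS at " + this.endpointURL);
            }
            Element assertionElement = stsClient.issueToken(SAML2_TOKEN_TYPE);
            this.principal = new SAMLPrincipal(getAssertionSubjectName(assertionElement),
                    new SamlCredential(assertionElement));
        } catch (WSTrustException e) {
            throw loginException("Failed to authenticate client via STS: " + e.getMessage(), e);
        } catch (Exception e) {
            // Client construction or assertion parsing failed (getAssertionSubjectName throws
            // RuntimeException); previously this surfaced as a misleading "callback" error.
            throw loginException("Failed to obtain SAML assertion from STS: " + e.getMessage(), e);
        }

        if (super.getUseFirstPass()) {
            // Publish identity and credential for modules further down the stack.
            this.sharedState.put(SHARED_NAME_KEY, this.principal);
            this.sharedState.put(SHARED_PASSWORD_KEY, this.principal.getSAMLCredential());
        }
        this.loginOk = true;
        return true;
    }

    /**
     * Builds the STS client configuration from the module options and the collected credentials.
     *
     * @param name     user name to authenticate with
     * @param password password to authenticate with
     * @return the client configuration
     */
    private STSClientConfig buildClientConfig(String name, String password) {
        STSClientConfig.Builder builder = new STSClientConfig.Builder();
        builder.endpointAddress(this.endpointURL).portName(this.portName).serviceName(this.serviceName);
        builder.username(name).password(password);
        return builder.build();
    }

    /**
     * Creates a {@link LoginException} carrying {@code cause}; {@code LoginException}
     * has no cause-taking constructor, hence {@code initCause}.
     *
     * @param message exception message
     * @param cause   underlying failure
     * @return the exception to throw
     */
    private static LoginException loginException(String message, Throwable cause) {
        LoginException loginException = new LoginException(message);
        loginException.initCause(cause);
        return loginException;
    }

    /**
     * @return the principal established by {@link #login()}, or {@code null} before a successful login
     */
    protected Principal getIdentity() {
        return this.principal;
    }

    /**
     * Builds the role sets from the authenticated principal's SAML assertion.
     *
     * <p>Always returns a {@code CallerPrincipal} group holding the principal. When the
     * assertion has an attribute statement, a second group named
     * {@code SAML20TokenRoleAttributeProvider.JBOSS_ROLE_PRINCIPAL_NAME} is added whose members
     * are the values of the role attribute.
     *
     * @return one or two groups as described above
     * @throws LoginException if no principal has been established or the assertion cannot be parsed
     */
    protected Group[] getRoleSets() throws LoginException {
        if (this.principal == null) {
            throw new LoginException("No SAML principal available; login() must succeed before roles can be determined");
        }
        PicketLinkGroup callerPrincipalGroup = new PicketLinkGroup(CALLER_PRINCIPAL_GROUP);
        callerPrincipalGroup.addMember(this.principal);
        try {
            AssertionType assertion = SAMLUtil.fromElement(this.principal.getSAMLCredential().getAssertionAsElement());
            AttributeStatementType attributeStatement = getAttributeStatement(assertion);
            if (attributeStatement == null) {
                return new Group[]{callerPrincipalGroup};
            }
            // A set so duplicate role values in the assertion yield a single principal.
            Set<Principal> roles = new HashSet<Principal>();
            for (Object attribute : attributeStatement.getAttributeOrEncryptedAttribute()) {
                if (!(attribute instanceof AttributeType)) {
                    continue;
                }
                AttributeType attributeType = (AttributeType) attribute;
                // Constant on the left: an attribute without a name must not NPE here.
                if (SAML20TokenRoleAttributeProvider.DEFAULT_TOKEN_ROLE_ATTRIBUTE_NAME.equals(attributeType.getName())) {
                    for (Object value : attributeType.getAttributeValue()) {
                        // Non-string values fail the cast and surface as a LoginException below.
                        roles.add(new PicketLinkPrincipal((String) value));
                    }
                }
            }
            PicketLinkGroup rolesGroup = new PicketLinkGroup(SAML20TokenRoleAttributeProvider.JBOSS_ROLE_PRINCIPAL_NAME);
            for (Principal role : roles) {
                rolesGroup.addMember(role);
            }
            return new Group[]{callerPrincipalGroup, rolesGroup};
        } catch (Exception e) {
            throw loginException("Failed to parse assertion element: " + e.getMessage(), e);
        }
    }

    /**
     * Extracts the subject {@code NameID} value from an assertion element.
     *
     * @param element the DOM element of the SAML assertion
     * @return the NameID value, or {@code null} when the assertion has no subject or no NameID
     * @throws RuntimeException if the element cannot be parsed as an assertion
     */
    private String getAssertionSubjectName(Element element) {
        try {
            SubjectType subject = SAMLUtil.fromElement(element).getSubject();
            if (subject == null) {
                return null;
            }
            for (JAXBElement<?> content : subject.getContent()) {
                if (NameIDType.class.equals(content.getDeclaredType())) {
                    return ((NameIDType) content.getValue()).getValue();
                }
            }
            return null;
        } catch (Exception e) {
            throw new RuntimeException("Failed to parse assertion element: " + e.getMessage(), e);
        }
    }

    /**
     * Returns the first attribute statement of an assertion.
     *
     * @param assertionType the parsed assertion
     * @return the first {@link AttributeStatementType} among the assertion's statements,
     *         or {@code null} when there is none
     */
    private AttributeStatementType getAttributeStatement(AssertionType assertionType) {
        // The statement list holds several statement kinds; filter by type rather than
        // trusting the generic signature of the generated getter.
        List<?> statements = assertionType.getStatementOrAuthnStatementOrAuthzDecisionStatement();
        for (Object statement : statements) {
            if (statement instanceof AttributeStatementType) {
                return (AttributeStatementType) statement;
            }
        }
        return null;
    }
}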
