package org.jboss.seam.security.external.saml;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.zip.Inflater;
import java.util.zip.InflaterInputStream;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Instance;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBElement;
import javax.xml.bind.JAXBException;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.jboss.logging.Logger;
import org.jboss.seam.security.external.Base64;
import org.jboss.seam.security.external.InvalidRequestException;
import org.jboss.seam.security.external.JaxbContext;
import org.jboss.seam.security.external.dialogues.api.DialogueManager;
import org.jboss.seam.security.external.jaxb.samlv2.protocol.RequestAbstractType;
import org.jboss.seam.security.external.jaxb.samlv2.protocol.ResponseType;
import org.jboss.seam.security.external.jaxb.samlv2.protocol.StatusResponseType;
import org.jboss.seam.security.external.saml.idp.SamlIdpBean;
import org.jboss.seam.security.external.saml.idp.SamlIdpSingleLogoutService;
import org.jboss.seam.security.external.saml.idp.SamlIdpSingleSignOnService;
import org.jboss.seam.security.external.saml.sp.SamlSpBean;
import org.jboss.seam.security.external.saml.sp.SamlSpSingleLogoutService;
import org.jboss.seam.security.external.saml.sp.SamlSpSingleSignOnService;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

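@ApplicationScoped
/* loaded from: input_file:WEB-INF/lib/seam-security-external-3.0.0.CR1.jar:org/jboss/seam/security/external/saml/SamlMessageReceiver.class */
/**
 * Front door for inbound SAML 2.0 protocol messages (HTTP-POST and HTTP-Redirect
 * bindings). Decodes the message, parses it with a hardened XML parser, ties it to a
 * dialogue, checks Destination / Issuer / InResponseTo, verifies the XML signature where
 * the local configuration demands one, and finally hands the message to the matching
 * SSO or single-logout service.
 *
 * Everything this class reads comes straight from the HTTP request and is untrusted
 * until the signature check has passed.
 */
public class SamlMessageReceiver {

    /**
     * Sanity bound on the inflated size of a Redirect-binding message. Deflated SAML
     * messages travel inside a URL query string, so legitimate ones are a few kilobytes;
     * the cap stops a tiny compressed payload from expanding into an arbitrarily large
     * DOM (decompression bomb). Raise it if a deployment genuinely needs larger messages.
     */
    private static final int MAX_INFLATED_MESSAGE_BYTES = 1024 * 1024;

    @Inject
    private Logger log;

    @Inject
    private DialogueManager dialogueManager;

    @Inject
    private Instance<SamlDialogue> samlDialogue;

    @Inject
    private SamlSpSingleLogoutService samlSpSingleLogoutService;

    @Inject
    private SamlIdpSingleLogoutService samlIdpSingleLogoutService;

    @Inject
    private SamlSpSingleSignOnService samlSpSingleSignOnService;

    @Inject
    private SamlIdpSingleSignOnService samlIdpSingleSignOnService;

    @Inject
    private Instance<SamlEntityBean> samlEntityBean;

    @Inject
    private Instance<SamlSpBean> samlSpBean;

    @Inject
    private Instance<SamlIdpBean> samlIdpBean;

    @Inject
    private SamlSignatureUtilForPostBinding signatureUtilForPostBinding;

    @Inject
    private SamlSignatureUtilForRedirectBinding signatureUtilForRedirectBinding;

    @Inject
    @JaxbContext({RequestAbstractType.class, StatusResponseType.class})
    private JAXBContext jaxbContext;

    /**
     * Processes one inbound SAML request or response.
     *
     * Order of checks: exactly one of SAMLRequest/SAMLResponse must be present; the
     * message must parse (after base64 and, for Redirect, DEFLATE decoding); it must
     * carry an Issuer that is a configured external entity; a request or an unsolicited
     * response must be addressed to this entity's service URL and opens a new dialogue,
     * while a response with InResponseTo must refer to an existing dialogue whose remote
     * entity matches the Issuer; then the signature is verified if required by
     * {@link #isSignatureRequired}; finally the message is dispatched to the profile service.
     *
     * NOTE(review): nothing in this class checks the message ID against previously seen
     * IDs, so replay protection (if any) must live in the profile services — confirm.
     *
     * @param samlServiceType     which local endpoint (SSO or single logout) received the message
     * @param httpServletRequest  the HTTP request carrying the SAML message
     * @param httpServletResponse the HTTP response the profile services may write to
     * @param samlIdpOrSp         whether this entity acts as IdP or SP for this endpoint
     * @throws InvalidRequestException when the message is malformed, mis-addressed, from an
     *                                 unknown entity, or does not correspond to a known dialogue
     * @throws RuntimeException        wrapping any other failure raised while processing
     */
    public void handleIncomingSamlMessage(SamlServiceType samlServiceType, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SamlIdpOrSp samlIdpOrSp) throws InvalidRequestException {
        String samlRequestParam = httpServletRequest.getParameter(SamlMessage.QSP_SAML_REQUEST);
        String samlResponseParam = httpServletRequest.getParameter(SamlMessage.QSP_SAML_RESPONSE);
        String encodedMessage;
        SamlRequestOrResponse samlRequestOrResponse;
        if (samlRequestParam != null && samlResponseParam == null) {
            encodedMessage = samlRequestParam;
            samlRequestOrResponse = SamlRequestOrResponse.REQUEST;
        } else if (samlRequestParam == null && samlResponseParam != null) {
            encodedMessage = samlResponseParam;
            samlRequestOrResponse = SamlRequestOrResponse.RESPONSE;
        } else {
            throw new InvalidRequestException("SAML message should either have a SAMLRequest parameter or a SAMLResponse parameter");
        }

        // HTTP-POST carries the message base64-encoded; HTTP-Redirect additionally DEFLATEs it.
        boolean postBinding = "POST".equals(httpServletRequest.getMethod());
        Document document = getDocument(new ByteArrayInputStream(decodeMessage(encodedMessage, postBinding)));

        RequestAbstractType samlRequest = null;
        StatusResponseType samlResponse = null;
        String issuerEntityId;
        String messageId;
        String destination;
        if (samlRequestOrResponse.isRequest()) {
            samlRequest = getSamlRequest(document);
            issuerEntityId = samlRequest.getIssuer() == null ? null : samlRequest.getIssuer().getValue();
            messageId = samlRequest.getID();
            destination = samlRequest.getDestination();
        } else {
            samlResponse = getSamlResponse(document);
            issuerEntityId = samlResponse.getIssuer() == null ? null : samlResponse.getIssuer().getValue();
            messageId = samlResponse.getID();
            destination = samlResponse.getDestination();
        }
        // A missing Issuer used to surface as a NullPointerException (HTTP 500); it is a client error.
        if (issuerEntityId == null) {
            throw new InvalidRequestException("SAML message has no Issuer");
        }

        if (this.log.isDebugEnabled()) {
            // Full message dump may contain assertions / NameIDs; only serialise it when DEBUG is on.
            this.log.debug("Received: " + SamlUtils.getDocumentAsString(document));
        }

        try {
            // Resolve the sender before any dialogue state is created so that garbage from an
            // unknown entity never opens a dialogue.
            SamlExternalEntity externalEntity = this.samlEntityBean.get().getExternalSamlEntityByEntityId(issuerEntityId);
            if (externalEntity == null) {
                throw new InvalidRequestException("Received message from unknown entity id " + issuerEntityId);
            }

            String inResponseTo = samlResponse == null ? null : samlResponse.getInResponseTo();
            if (inResponseTo == null) {
                // A request, or an unsolicited response: this message starts a new dialogue and
                // must be addressed to the endpoint it arrived on.
                String expectedDestination = this.samlEntityBean.get().getServiceURL(samlServiceType);
                if (!expectedDestination.equals(destination)) {
                    throw new InvalidRequestException("Destination (" + destination + ") is not valid.");
                }
                this.dialogueManager.beginDialogue();
                SamlDialogue dialogue = this.samlDialogue.get();
                dialogue.setExternalProviderMessageId(messageId);
                dialogue.setExternalProvider(externalEntity);
            } else {
                // A solicited response: InResponseTo must name a dialogue we opened, and the
                // responder must be the entity we sent the request to.
                if (!this.dialogueManager.isExistingDialogue(inResponseTo)) {
                    throw new InvalidRequestException("No request that corresponds with the received response");
                }
                this.dialogueManager.attachDialogue(inResponseTo);
                if (!this.samlDialogue.get().getExternalProvider().getEntityId().equals(issuerEntityId)) {
                    throw new InvalidRequestException("Identity samlEntityBean of request and response do not match");
                }
            }

            if (isSignatureRequired(samlServiceType, samlIdpOrSp, samlRequestOrResponse, samlResponse)) {
                if (postBinding) {
                    // POST binding: enveloped XML-DSig inside the document.
                    this.signatureUtilForPostBinding.validateSignature(externalEntity.getPublicKey(), document);
                } else {
                    // Redirect binding: detached signature over the query-string parameters.
                    this.signatureUtilForRedirectBinding.validateSignature(new SamlRedirectMessage(samlRequestOrResponse, httpServletRequest), externalEntity.getPublicKey());
                }
            }

            // Dispatch to the profile service for (profile, role, request/response).
            if (samlServiceType.getProfile() == SamlProfile.SINGLE_SIGN_ON) {
                if (samlRequestOrResponse.isRequest()) {
                    this.samlIdpSingleSignOnService.processSPRequest(httpServletRequest, httpServletResponse, samlRequest);
                } else {
                    this.samlSpSingleSignOnService.processIDPResponse(httpServletRequest, httpServletResponse, samlResponse);
                }
            } else if (samlRequestOrResponse.isRequest()) {
                if (samlIdpOrSp == SamlIdpOrSp.IDP) {
                    this.samlIdpSingleLogoutService.processSPRequest(httpServletRequest, httpServletResponse, samlRequest);
                } else {
                    this.samlSpSingleLogoutService.processIDPRequest(httpServletRequest, httpServletResponse, samlRequest);
                }
            } else if (samlIdpOrSp == SamlIdpOrSp.IDP) {
                this.samlIdpSingleLogoutService.processSPResponse(httpServletRequest, httpServletResponse, samlResponse);
            } else {
                this.samlSpSingleLogoutService.processIDPResponse(httpServletRequest, httpServletResponse, samlResponse);
            }
            this.dialogueManager.detachDialogue();
        } catch (InvalidRequestException e) {
            // Previously swallowed into a RuntimeException even though the method declares it;
            // let callers see the rejection as the declared type.
            endDialogueIfAttached();
            throw e;
        } catch (Exception e) {
            endDialogueIfAttached();
            throw new RuntimeException(e);
        }
    }

    /**
     * Decides whether the XML signature of the inbound message must be verified.
     *
     * Requests follow the local entity's configuration for the given profile and role.
     * SSO responses are always verified (they carry the assertions). Logout responses
     * follow the configured single-logout signing policy. NOTE(review): the original
     * code never verified logout responses at all; they are now held to the same
     * "want single logout messages signed" setting as logout requests.
     *
     * @param samlServiceType       the receiving endpoint
     * @param samlIdpOrSp           this entity's role for that endpoint
     * @param samlRequestOrResponse whether the message is a request or a response
     * @param samlResponse          the parsed response, or {@code null} for a request
     * @return {@code true} when the signature must be present and valid
     */
    private boolean isSignatureRequired(SamlServiceType samlServiceType, SamlIdpOrSp samlIdpOrSp, SamlRequestOrResponse samlRequestOrResponse, StatusResponseType samlResponse) {
        boolean actingAsIdp = samlIdpOrSp == SamlIdpOrSp.IDP;
        boolean singleSignOn = samlServiceType.getProfile() == SamlProfile.SINGLE_SIGN_ON;
        if (samlRequestOrResponse.isRequest()) {
            if (singleSignOn) {
                return actingAsIdp ? this.samlIdpBean.get().isWantAuthnRequestsSigned() : this.samlSpBean.get().isWantAssertionsSigned();
            }
            return actingAsIdp ? this.samlIdpBean.get().isWantSingleLogoutMessagesSigned() : this.samlSpBean.get().isWantSingleLogoutMessagesSigned();
        }
        if (samlResponse instanceof ResponseType) {
            return true;
        }
        if (!singleSignOn) {
            return actingAsIdp ? this.samlIdpBean.get().isWantSingleLogoutMessagesSigned() : this.samlSpBean.get().isWantSingleLogoutMessagesSigned();
        }
        return false;
    }

    /** Ends the current dialogue if one is attached; used on every failure path. */
    private void endDialogueIfAttached() {
        if (this.dialogueManager.isAttached()) {
            this.dialogueManager.endDialogue();
        }
    }

    /**
     * Undoes the binding-level encoding of a SAML message.
     *
     * @param encodedMessage the raw SAMLRequest/SAMLResponse parameter value
     * @param postBinding    {@code true} for HTTP-POST (base64 only), {@code false} for
     *                       HTTP-Redirect (base64 of a raw DEFLATE stream)
     * @return the XML bytes of the message
     * @throws InvalidRequestException if the DEFLATE stream is corrupt or inflates beyond
     *                                 {@link #MAX_INFLATED_MESSAGE_BYTES}
     */
    private byte[] decodeMessage(String encodedMessage, boolean postBinding) throws InvalidRequestException {
        byte[] raw = Base64.decode(encodedMessage);
        return postBinding ? raw : inflateBounded(raw);
    }

    /**
     * Inflates a raw (no zlib header) DEFLATE stream, refusing output larger than
     * {@link #MAX_INFLATED_MESSAGE_BYTES}.
     */
    private byte[] inflateBounded(byte[] deflated) throws InvalidRequestException {
        ByteArrayOutputStream inflated = new ByteArrayOutputStream();
        Inflater inflater = new Inflater(true);
        try {
            InflaterInputStream in = new InflaterInputStream(new ByteArrayInputStream(deflated), inflater);
            byte[] buffer = new byte[4096];
            int read;
            while ((read = in.read(buffer)) != -1) {
                if (inflated.size() + read > MAX_INFLATED_MESSAGE_BYTES) {
                    throw new InvalidRequestException("SAML message exceeds the maximum allowed size");
                }
                inflated.write(buffer, 0, read);
            }
        } catch (IOException e) {
            // A corrupt stream is a client error, not a server fault.
            throw new InvalidRequestException("SAML message could not be inflated", e);
        } finally {
            // Release the native zlib state; nothing else closes the stream here.
            inflater.end();
        }
        return inflated.toByteArray();
    }

    /**
     * Unmarshals the document as a SAML request.
     *
     * @throws InvalidRequestException if the XML is not a JAXB-readable SAML request
     */
    private RequestAbstractType getSamlRequest(Document document) throws InvalidRequestException {
        Object value = unmarshal(document);
        if (!(value instanceof RequestAbstractType)) {
            throw new InvalidRequestException("SAML message could not be parsed");
        }
        return (RequestAbstractType) value;
    }

    /**
     * Unmarshals the document as a SAML response.
     *
     * @throws InvalidRequestException if the XML is not a JAXB-readable SAML response
     */
    private StatusResponseType getSamlResponse(Document document) throws InvalidRequestException {
        Object value = unmarshal(document);
        if (!(value instanceof StatusResponseType)) {
            throw new InvalidRequestException("SAML message could not be parsed");
        }
        return (StatusResponseType) value;
    }

    /**
     * Runs the JAXB unmarshaller and unwraps a {@link JAXBElement} if one is returned.
     * A type mismatch used to escape as a ClassCastException; callers now check the type.
     */
    private Object unmarshal(Document document) throws InvalidRequestException {
        try {
            Object unmarshalled = this.jaxbContext.createUnmarshaller().unmarshal(document);
            if (unmarshalled instanceof JAXBElement) {
                return ((JAXBElement<?>) unmarshalled).getValue();
            }
            return unmarshalled;
        } catch (JAXBException e) {
            throw new InvalidRequestException("SAML message could not be parsed", e);
        }
    }

    /**
     * Parses the (untrusted) message bytes into a namespace-aware DOM.
     *
     * The parser is hardened against XXE: DOCTYPE, external entities, external DTD
     * loading and XInclude are all disabled. The previous configuration explicitly
     * enabled XInclude and left entity resolution on, which let an attacker-supplied
     * message pull in local files or reach internal hosts during parsing.
     *
     * @throws InvalidRequestException if the bytes are not well-formed XML or cannot be read
     * @throws RuntimeException        if the JAXP implementation cannot be configured securely
     */
    private Document getDocument(InputStream inputStream) throws InvalidRequestException {
        try {
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            // XML-DSig reference resolution needs a namespace-aware DOM.
            factory.setNamespaceAware(true);
            hardenAgainstXxe(factory);
            return factory.newDocumentBuilder().parse(inputStream);
        } catch (IOException e) {
            throw new InvalidRequestException("SAML request could not be read", e);
        } catch (ParserConfigurationException e) {
            // Fail closed: a parser that cannot be hardened must not process untrusted XML.
            throw new RuntimeException(e);
        } catch (SAXException e) {
            throw new InvalidRequestException("SAML request could not be parsed", e);
        }
    }

    /**
     * Applies the standard anti-XXE settings. Any feature the implementation refuses
     * is reported as a {@link ParserConfigurationException} so that the caller fails closed.
     */
    private static void hardenAgainstXxe(DocumentBuilderFactory factory) throws ParserConfigurationException {
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
    }
}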
