package org.overlord.commons.auth.jetty8;

import java.io.IOException;
import java.io.StringReader;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;
import javax.xml.stream.XMLInputFactory;
import org.eclipse.jetty.plus.jaas.JAASLoginService;
import org.eclipse.jetty.server.AbstractHttpConnection;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
import org.overlord.commons.auth.util.SAMLBearerTokenUtil;
import org.picketlink.identity.federation.core.parsers.saml.SAMLAssertionParser;
import org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil;
import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
import org.w3c.dom.Document;

/* loaded from: input_file:WEB-INF/lib/overlord-commons-auth-jetty8-2.0.5-SNAPSHOT.jar:org/overlord/commons/auth/jetty8/SAMLBearerTokenLoginService.class */
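/**
 * Jetty 8 {@link JAASLoginService} that additionally accepts a SAML bearer token as the
 * credential. A credential whose string form starts with {@code SAML-BEARER-TOKEN:} is
 * treated as a raw SAML 2.0 assertion (the text after the prefix); every other credential
 * is handed to the JAAS login flow of the superclass unchanged.
 *
 * <p>Security notes, grounded in this class only (the {@code SAMLBearerTokenUtil} helpers
 * are not visible here):
 * <ul>
 *   <li>The assertion text is attacker-controlled input taken straight from the request
 *       credential. The StAX parser used here therefore refuses DTDs and external
 *       entities. {@code DocumentUtil.getDocument} is a PicketLink helper; confirm it
 *       applies the same hardening.</li>
 *   <li>{@link #isSignatureRequired() signatureRequired} is a plain boolean field and so
 *       defaults to {@code false}. Unless a deployment sets it to {@code true}, an unsigned
 *       assertion is accepted on the strength of
 *       {@code SAMLBearerTokenUtil.validateAssertion} alone (issuer allow-list plus whatever
 *       else that helper checks).</li>
 *   <li>The signature, when required, is verified over a DOM parse of the token while the
 *       subject and roles are read from a separate StAX parse of the same string. Both see
 *       the same bytes, but a parser differential between the two would let the signed and
 *       the consumed content diverge -- worth confirming against the helper.</li>
 *   <li>Roles are every value of every {@code Role} attribute in the assertion's attribute
 *       statements; the user name is the subject's BaseID value.</li>
 * </ul>
 */
public class SAMLBearerTokenLoginService extends JAASLoginService {
    /** Log under this class, not the superclass, so SAML failures are attributable. */
    private static final Logger LOG = Log.getLogger(SAMLBearerTokenLoginService.class);

    /** Credential prefix that selects the SAML path in {@link #login(String, Object)}. */
    private static final String BEARER_TOKEN_PREFIX = "SAML-BEARER-TOKEN:";

    /** Name of the SAML attribute whose values become Jetty role names. */
    private static final String ROLE_ATTRIBUTE_NAME = "Role";

    /**
     * Issuers whose assertions are acceptable; passed to
     * {@code SAMLBearerTokenUtil.validateAssertion}. Stays {@code null} if never configured;
     * what the helper does with a null set is not visible here.
     */
    private Set<String> allowedIssuers;
    /** Whether the assertion's XML signature must verify. Defaults to {@code false}. */
    private boolean signatureRequired;
    /** Location of the keystore holding the verification key pair. */
    private String keystorePath;
    /** Keystore password (held as a String and exposed by its getter; keep out of logs). */
    private String keystorePassword;
    /** Alias of the key pair used for signature verification. */
    private String keyAlias;
    /** Password for the key entry (held as a String and exposed by its getter). */
    private String keyPassword;

    // JADX widened the two nested principal classes from private to public during
    // decompilation; they are kept public here so the listing's interface is unchanged.

    /**
     * Principal representing one role granted by the assertion. Equality is by role name and
     * only against other {@code SAMLRolePrincipal}s, so a role never compares equal to the
     * user principal of the same name.
     */
    public static class SAMLRolePrincipal extends SAMLUserPrincipal {
        public SAMLRolePrincipal(String roleName) {
            super(roleName);
        }

        @Override
        public boolean equals(Object other) {
            if (!(other instanceof SAMLRolePrincipal)) {
                return false;
            }
            return getName().equals(((SAMLRolePrincipal) other).getName());
        }

        /** Consistent with {@link #equals(Object)}: equal names give equal hashes. */
        @Override
        public int hashCode() {
            return getName().hashCode();
        }
    }

    /**
     * Principal carrying the authenticated subject name. Uses identity equality (no
     * {@code equals} override), as the original did; only one instance is ever put in a
     * {@link Subject} by this class.
     */
    public static class SAMLUserPrincipal implements Principal {
        private final String name;

        public SAMLUserPrincipal(String name) {
            this.name = name;
        }

        @Override
        public String getName() {
            return this.name;
        }

        @Override
        public String toString() {
            return this.name;
        }
    }

    /**
     * Authenticates {@code username} with {@code credentials}. A credential whose string form
     * starts with {@code SAML-BEARER-TOKEN:} is authenticated as a SAML assertion; any other
     * credential, including {@code null}, goes to the JAAS flow of the superclass.
     *
     * @return the identity, or {@code null} when authentication fails
     */
    @Override
    public UserIdentity login(String username, Object credentials) {
        // A null credential used to NPE on toString(); let the JAAS flow decide how to fail.
        if (credentials == null) {
            return super.login(username, credentials);
        }
        String credentialText = credentials.toString();
        if (!credentialText.startsWith(BEARER_TOKEN_PREFIX)) {
            return super.login(username, credentials);
        }
        return doSamlLogin(username, credentialText.substring(BEARER_TOKEN_PREFIX.length()));
    }

    /**
     * Authenticates a raw SAML assertion.
     *
     * @param username    the user name presented alongside the token (not consulted here; the
     *                    subject is taken from the assertion)
     * @param assertionXml the assertion text, with the bearer prefix already stripped
     * @return the identity, or {@code null} on any parse, validation or signature failure; the
     *         reason is logged at INFO with the stack trace at DEBUG
     */
    private UserIdentity doSamlLogin(String username, String assertionXml) {
        try {
            // The DOM copy is what the XML signature (if required) is verified over.
            // NOTE(review): DocumentUtil is a PicketLink helper -- confirm it disables DTDs and
            // external entity resolution, since assertionXml is untrusted request input.
            Document document = DocumentUtil.getDocument(assertionXml);
            // The StAX copy is what the subject and roles are read from.
            AssertionType assertion = parseAssertion(assertionXml);

            // getCurrentConnection() is null off a request thread; fail explicitly rather than
            // via an NPE inside the helper call.
            AbstractHttpConnection connection = AbstractHttpConnection.getCurrentConnection();
            if (connection == null) {
                throw new IOException("SAML bearer token login requires an active HTTP request");
            }
            SAMLBearerTokenUtil.validateAssertion(assertion, connection.getRequest(), this.allowedIssuers);

            // Only enforced when configured; see the class comment about the default.
            if (this.signatureRequired
                    && !SAMLBearerTokenUtil.isSAMLAssertionSignatureValid(document, getKeyPair(assertion))) {
                throw new IOException(Messages.getString("SAMLBearerTokenLoginService.InvalidSignature"));
            }
            return consumeAssertion(assertion);
        } catch (Exception e) {
            // Authentication boundary: any failure is a login failure, never an exception to
            // the caller.
            LOG.info(e.getMessage(), new Object[0]);
            LOG.debug(e);
            return null;
        }
    }

    /**
     * Parses the assertion with StAX, with DTDs and external entities disabled: the XML
     * comes straight from the request credential, so entity expansion and external fetches
     * (XXE) must not be possible. SAML assertions do not use DTDs, so refusing them is safe.
     */
    private static AssertionType parseAssertion(String assertionXml) throws Exception {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return (AssertionType) new SAMLAssertionParser()
                .parse(factory.createXMLEventReader(new StringReader(assertionXml)));
    }

    /**
     * Loads the configured key pair used to verify the assertion signature.
     *
     * @param assertion the assertion being verified (not used to select the key; the pair is
     *                  always the configured {@code keyAlias})
     * @throws IOException if the keystore or key entry cannot be loaded; the cause is chained
     */
    private KeyPair getKeyPair(AssertionType assertion) throws IOException {
        try {
            return SAMLBearerTokenUtil.getKeyPair(loadKeystore(), this.keyAlias, this.keyPassword);
        } catch (Exception e) {
            LOG.warn(e);
            throw new IOException(
                    Messages.getString("SAMLBearerTokenLoginService.FailedToGetKeyPair") + this.keyAlias, e);
        }
    }

    /**
     * Opens the configured keystore.
     *
     * @throws IOException if it cannot be loaded; the cause is chained and its message kept
     */
    private KeyStore loadKeystore() throws IOException {
        try {
            return SAMLBearerTokenUtil.loadKeystore(this.keystorePath, this.keystorePassword);
        } catch (Exception e) {
            LOG.warn(e);
            throw new IOException(
                    Messages.getString("SAMLBearerTokenLoginService.ErrorLoadingKeystore") + e.getMessage(), e);
        }
    }

    /**
     * Builds a Jetty identity from an already validated assertion: the subject's BaseID value
     * becomes the user principal and each {@code Role} attribute value a role principal.
     * A missing subject or BaseID throws here and is turned into a failed login by the caller.
     */
    private UserIdentity consumeAssertion(AssertionType assertion) throws Exception {
        String subjectName = assertion.getSubject().getSubType().getBaseID().getValue();
        List<String> roles = extractRoles(assertion);

        Subject subject = new Subject();
        SAMLUserPrincipal userPrincipal = new SAMLUserPrincipal(subjectName);
        subject.getPrincipals().add(userPrincipal);
        for (String role : roles) {
            subject.getPrincipals().add(new SAMLRolePrincipal(role));
        }
        return this._identityService.newUserIdentity(subject, userPrincipal, roles.toArray(new String[roles.size()]));
    }

    /**
     * Collects every non-null value of every attribute named {@value #ROLE_ATTRIBUTE_NAME}
     * across the assertion's attribute statements, in statement order. Statements of other
     * types and attributes with another (or no) name are skipped.
     */
    private static List<String> extractRoles(AssertionType assertion) {
        List<String> roles = new ArrayList<String>();
        for (Object statement : assertion.getStatements()) {
            if (!(statement instanceof AttributeStatementType)) {
                continue;
            }
            for (AttributeStatementType.ASTChoiceType choice : ((AttributeStatementType) statement).getAttributes()) {
                // Constant-first compare: an attribute without a name is simply not a role.
                if (choice.getAttribute() == null || !ROLE_ATTRIBUTE_NAME.equals(choice.getAttribute().getName())) {
                    continue;
                }
                for (Object value : choice.getAttribute().getAttributeValue()) {
                    if (value != null) {
                        roles.add(value.toString());
                    }
                }
            }
        }
        return roles;
    }

    /** @return the configured issuer allow-list, or {@code null} if never set */
    public Set<String> getAllowedIssuers() {
        return this.allowedIssuers;
    }

    /** Sets the issuer allow-list; the given set is used as-is, not copied. */
    public void setAllowedIssuers(Set<String> allowedIssuers) {
        this.allowedIssuers = allowedIssuers;
    }

    /** Sets the issuer allow-list from an array (configuration-file convenience). */
    public void setAllowedIssuers(String[] issuers) {
        Set<String> copy = new HashSet<String>();
        for (String issuer : issuers) {
            copy.add(issuer);
        }
        this.allowedIssuers = copy;
    }

    /** @return whether assertion signatures are enforced; {@code false} unless configured */
    public boolean isSignatureRequired() {
        return this.signatureRequired;
    }

    /** Enables or disables signature enforcement. Production deployments should set true. */
    public void setSignatureRequired(boolean signatureRequired) {
        this.signatureRequired = signatureRequired;
    }

    public String getKeystorePath() {
        return this.keystorePath;
    }

    public void setKeystorePath(String keystorePath) {
        this.keystorePath = keystorePath;
    }

    public String getKeystorePassword() {
        return this.keystorePassword;
    }

    public void setKeystorePassword(String keystorePassword) {
        this.keystorePassword = keystorePassword;
    }

    public String getKeyAlias() {
        return this.keyAlias;
    }

    public void setKeyAlias(String keyAlias) {
        this.keyAlias = keyAlias;
    }

    public String getKeyPassword() {
        return this.keyPassword;
    }

    public void setKeyPassword(String keyPassword) {
        this.keyPassword = keyPassword;
    }
}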
