package org.picketlink.identity.federation.bindings.jboss.auth;

import java.security.Principal;
import java.security.acl.Group;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.xml.datatype.XMLGregorianCalendar;
import javax.xml.ws.Dispatch;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.callback.ObjectCallback;
import org.picketlink.common.exceptions.ProcessingException;
import org.picketlink.common.exceptions.fed.WSTrustException;
import org.picketlink.common.util.DocumentUtil;
import org.picketlink.common.util.StringUtil;
import org.picketlink.identity.federation.bindings.jboss.subject.PicketLinkGroup;
import org.picketlink.identity.federation.bindings.jboss.subject.PicketLinkPrincipal;
import org.picketlink.identity.federation.bindings.stspool.STSClientPoolFactory;
import org.picketlink.identity.federation.core.factories.JBossAuthCacheInvalidationFactory;
import org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil;
import org.picketlink.identity.federation.core.wstrust.STSClient;
import org.picketlink.identity.federation.core.wstrust.STSClientConfig;
import org.picketlink.identity.federation.core.wstrust.STSClientPool;
import org.picketlink.identity.federation.core.wstrust.SamlCredential;
import org.picketlink.identity.federation.core.wstrust.auth.AbstractSTSLoginModule;
import org.picketlink.identity.federation.core.wstrust.plugins.saml.SAMLUtil;
import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
import org.picketlink.identity.federation.saml.v2.assertion.NameIDType;
import org.picketlink.identity.federation.saml.v2.assertion.SubjectType;
import org.w3c.dom.Element;

/* loaded from: input_file:org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSCommonLoginModule.class */
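/**
 * Base JAAS login module that authenticates a caller with a SAML 2.0 assertion.
 *
 * <p>The credential is taken from one of three places: the JAAS shared state left by an earlier module in the
 * stack (reused as-is, without re-validation), an HTTP request header (superclass hooks
 * {@code getSamlTokenHttpHeader()} / {@code getCredentialFromHttpRequest()}), or an {@link ObjectCallback}
 * handed to the configured {@link CallbackHandler}. The assertion is then validated either locally through the
 * subclass hook {@link #localValidation(Element)} or remotely by a PicketLink STS obtained from
 * {@link #getSTSClient()}. The caller's principal is the assertion subject's NameID and the roles are read from
 * the assertion attributes named by the {@code roleKey} option.
 *
 * <p>Recognised module options: {@value #STS_CONFIG_FILE}, {@value #ENDPOINT_ADDRESS}, {@value #PORT_NAME},
 * {@value #SERVICE_NAME}, {@value #USERNAME_KEY}, {@value #PASSWORD_KEY} (optionally PBE-masked with a
 * {@code MASK-} prefix plus the {@code salt} and {@code iterationCount} options), {@value #INITIAL_CLIENTS_IN_POOL},
 * {@code cache.invalidation} with {@code jboss.security.security_domain}, {@code roleKey}, {@code localValidation}
 * with {@code localValidationSecurityDomain} and {@code localTestingOnly}. Every option not removed from
 * {@link #options} by {@link #initialize} is copied into the STS client's JAX-WS request context.
 */
public abstract class SAML2STSCommonLoginModule extends SAMLTokenFromHttpRequestAbstractLoginModule {
    /** Path of the STS client configuration file ({@value #STS_CONFIG_FILE} option); {@code null} when not configured. */
    protected String stsConfigurationFile;
    /** Authenticated identity: the assertion subject's NameID, or the principal found in shared state. */
    protected Principal principal;
    /** The SAML credential being authenticated; added to the subject's public credentials on {@link #commit()}. */
    protected SamlCredential credential;
    /** Parsed form of {@link #credential}'s assertion; populated in {@link #login()} or lazily in {@link #getRoleSets()}. */
    protected AssertionType assertion;
    /** JNDI name of the security domain used for local validation, prefixed with {@code java:jboss/jaas//} when given bare. */
    protected String localValidationSecurityDomain;
    public static final String STS_CONFIG_FILE = "configFile";
    public static final String ENDPOINT_ADDRESS = "endpointAddress";
    public static final String PORT_NAME = "portName";
    public static final String SERVICE_NAME = "serviceName";
    public static final String USERNAME_KEY = "username";
    public static final String PASSWORD_KEY = "password";
    public static final String INITIAL_CLIENTS_IN_POOL = "initialClientsInPool";
    protected boolean enableCacheInvalidation = false;
    /** Security domain whose auth cache is expired together with the assertion; required when cache invalidation is on. */
    protected String securityDomain = null;
    protected boolean localValidation = false;
    /** Comma-separated names of the assertion attributes that carry role names. */
    protected String roleKey = "Role";
    /** Number of STS clients to pre-create in the pool; 0 means no pool is created. */
    protected int initialClientsInPool = 0;
    /** Module options minus the keys consumed by {@link #initialize}; the remainder goes into the STS request context. */
    protected Map<String, Object> options = new HashMap<>();
    /** Unmodified copy of the module options, used to build the STS client configuration. */
    protected Map<String, Object> rawOptions = new HashMap<>();
    // NOTE(review): the name suggests this relaxes local validation for test setups, but its effect is defined by
    // the subclass — confirm what it disables and that it is never set in production deployments.
    protected boolean localTestingOnly = false;

    /**
     * Reads the module options.
     *
     * <p>{@value #STS_CONFIG_FILE}, {@code cache.invalidation} and {@code jboss.security.security_domain} are removed
     * from {@link #options} so they are not forwarded to the STS request context; all other keys stay there.
     * {@code localValidationSecurityDomain} is required whenever {@code localValidation} is present, even if it is
     * set to {@code false}.
     *
     * @throws RuntimeException (via {@code logger.optionNotSet}) when a required companion option is missing
     */
    @Override // org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenFromHttpRequestAbstractLoginModule
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> map, Map<String, ?> map2) {
        super.initialize(subject, callbackHandler, map, map2);
        this.options.putAll(map2);
        this.rawOptions.putAll(map2);
        if (logger.isTraceEnabled()) {
            // FIXME(security): this traces every option verbatim, including a configured PASSWORD_KEY value;
            // redact that key before enabling trace logging in shared environments.
            logger.trace(map2.toString());
        }
        this.stsConfigurationFile = (String) this.options.remove(STS_CONFIG_FILE);
        String cacheInvalidation = (String) this.options.remove("cache.invalidation");
        if (cacheInvalidation != null && !cacheInvalidation.isEmpty()) {
            this.enableCacheInvalidation = Boolean.parseBoolean(cacheInvalidation);
            this.securityDomain = (String) this.options.remove("jboss.security.security_domain");
            if (this.securityDomain == null || this.securityDomain.isEmpty()) {
                throw logger.optionNotSet("jboss.security.security_domain");
            }
        }
        String configuredRoleKey = (String) map2.get("roleKey");
        if (StringUtil.isNotNull(configuredRoleKey)) {
            this.roleKey = configuredRoleKey.trim();
        }
        String localValidationOption = (String) map2.get("localValidation");
        if (StringUtil.isNotNull(localValidationOption)) {
            this.localValidation = Boolean.parseBoolean(localValidationOption);
            this.localValidationSecurityDomain = (String) map2.get("localValidationSecurityDomain");
            if (this.localValidationSecurityDomain == null) {
                logger.error("PL00105: When using local validation 'localValidationSecurityDomain' must be specified.");
                throw logger.optionNotSet("localValidationSecurityDomain");
            }
            if (!this.localValidationSecurityDomain.startsWith("java:")) {
                this.localValidationSecurityDomain = "java:jboss/jaas//" + this.localValidationSecurityDomain;
            }
            String localTestingOption = (String) map2.get("localTestingOnly");
            if (StringUtil.isNotNull(localTestingOption)) {
                this.localTestingOnly = Boolean.parseBoolean(localTestingOption);
            }
        }
        String poolSize = (String) map2.get(INITIAL_CLIENTS_IN_POOL);
        if (StringUtil.isNotNull(poolSize)) {
            try {
                this.initialClientsInPool = Integer.parseInt(poolSize);
            } catch (NumberFormatException e) {
                // A malformed value is reported and the default (no pre-created pool) is kept.
                logger.cannotParseParameterValue(poolSize, e);
            }
        }
    }

    /**
     * Authenticates the caller from a SAML assertion.
     *
     * <p>When an earlier module left a principal and a {@link SamlCredential} in the shared state, both are reused
     * without re-validation. Otherwise the credential is read from the HTTP header or the callback handler, the
     * assertion is validated (locally or by the STS) and the principal is built from its subject NameID.
     *
     * @return {@code true} on success
     * @throws LoginException if the credential is missing or of the wrong type, validation fails, or the assertion
     *     cannot be parsed. Failures raised inside the main block are re-wrapped by
     *     {@code logger.authErrorHandlingCallback}, so callers see that exception with the specific failure as cause.
     */
    @Override
    public boolean login() throws LoginException {
        if (super.login()) {
            // Shared-state path: trust what a preceding module of the same stack already validated.
            Object sharedName = ((SAMLTokenFromHttpRequestAbstractLoginModule) this).sharedState.get("javax.security.auth.login.name");
            if (sharedName instanceof Principal) {
                this.principal = (Principal) sharedName;
            } else {
                try {
                    // A null shared name fails here (NPE) and is reported like any other principal-creation error.
                    this.principal = createIdentity(sharedName.toString());
                } catch (Exception e) {
                    throw logger.authFailedToCreatePrincipal(e);
                }
            }
            Object sharedCredential = ((SAMLTokenFromHttpRequestAbstractLoginModule) this).sharedState.get("javax.security.auth.login.password");
            if (!(sharedCredential instanceof SamlCredential)) {
                // typeNameOf() tolerates null so an absent credential is a LoginException, not an NPE.
                throw logger.authSharedCredentialIsNotSAMLCredential(typeNameOf(sharedCredential));
            }
            this.credential = (SamlCredential) sharedCredential;
            return true;
        }
        ObjectCallback objectCallback = new ObjectCallback((String) null);
        try {
            if (getSamlTokenHttpHeader() != null) {
                this.credential = getCredentialFromHttpRequest();
            } else {
                ((SAMLTokenFromHttpRequestAbstractLoginModule) this).callbackHandler.handle(new Callback[]{objectCallback});
                if (objectCallback.getCredential() instanceof String) {
                    // The assertion may be supplied as serialised XML; parse it into a credential.
                    objectCallback.setCredential(new SamlCredential(DocumentUtil.getDocument(objectCallback.getCredential().toString()).getDocumentElement()));
                }
                Object supplied = objectCallback.getCredential();
                if (!(supplied instanceof SamlCredential)) {
                    throw logger.authSharedCredentialIsNotSAMLCredential(typeNameOf(supplied));
                }
                this.credential = (SamlCredential) supplied;
            }
            Element assertionElement = this.credential.getAssertionAsElement();
            if (this.localValidation) {
                logger.trace("Local Validation is being Performed");
                boolean valid;
                try {
                    valid = localValidation(assertionElement);
                } catch (Exception e2) {
                    LoginException loginException = new LoginException();
                    loginException.initCause(e2);
                    throw loginException;
                }
                // Fail closed: a subclass that signals failure by returning false (instead of throwing) must not
                // let the assertion through.
                if (!valid) {
                    throw new LoginException("Local validation of the SAML assertion failed");
                }
                logger.trace("Local Validation passed.");
            } else {
                logger.trace("Local Validation is disabled. Verifying with STS");
                // NOTE(review): this makes the option-based (no config file) builder path of getSTSClient()
                // unreachable from login(); that path may still serve subclasses.
                if (this.stsConfigurationFile == null) {
                    throw logger.authSTSConfigFileNotFound();
                }
                try {
                    if (!getSTSClient().validateToken(assertionElement)) {
                        throw logger.authInvalidSAMLAssertionBySTS();
                    }
                } catch (WSTrustException e3) {
                    throw logger.authAssertionValidationError(e3);
                }
            }
            try {
                this.assertion = SAMLUtil.fromElement(assertionElement);
                SubjectType subject = this.assertion.getSubject();
                if (subject != null) {
                    // Decompiled declaration: the original most likely held the abstract BaseID type here, making
                    // the instanceof a real type check rather than a null check.
                    NameIDType baseID = subject.getSubType().getBaseID();
                    if (baseID instanceof NameIDType) {
                        this.principal = new PicketLinkPrincipal(baseID.getValue());
                        if (this.enableCacheInvalidation) {
                            registerCacheExpiry();
                        }
                    }
                }
                // NOTE(review): with no NameID subject, 'principal' keeps its previous value (null on this path)
                // while login() still succeeds; confirm the container rejects a null identity in commit().
                if (getUseFirstPass()) {
                    ((SAMLTokenFromHttpRequestAbstractLoginModule) this).sharedState.put("javax.security.auth.login.name", this.principal);
                    ((SAMLTokenFromHttpRequestAbstractLoginModule) this).sharedState.put("javax.security.auth.login.password", this.credential);
                }
                ((SAMLTokenFromHttpRequestAbstractLoginModule) this).loginOk = true;
                return true;
            } catch (Exception e4) {
                throw logger.authFailedToParseSAMLAssertion(e4);
            }
        } catch (Exception e5) {
            throw logger.authErrorHandlingCallback(e5);
        }
    }

    /**
     * Registers {@link #principal} with the JBoss auth-cache expiry so its cache entry is evicted when the
     * assertion expires. An assertion without an expiry is only logged.
     *
     * @throws Exception whatever {@link #getCacheExpiry()} raises
     */
    private void registerCacheExpiry() throws Exception {
        JBossAuthCacheInvalidationFactory.TimeCacheExpiry cacheExpiry = getCacheExpiry();
        XMLGregorianCalendar expiration = AssertionUtil.getExpiration(this.assertion);
        if (expiration == null) {
            logger.samlAssertionWithoutExpiration(this.assertion.getID());
            return;
        }
        Date expiresAt = expiration.toGregorianCalendar().getTime();
        logger.trace("Creating Cache Entry for JBoss at [" + new Date() + "] , with expiration set to SAML expiry = " + expiresAt);
        cacheExpiry.register(this.securityDomain, expiresAt, this.principal);
    }

    /** Class name of {@code value} for error reporting, or {@code "null"} when it is absent. */
    private static String typeNameOf(Object value) {
        return value == null ? "null" : value.getClass().getName();
    }

    /**
     * Completes the login; on success the SAML credential is added to the subject's public credentials.
     *
     * @return the result of {@code super.commit()}
     */
    @Override
    public boolean commit() throws LoginException {
        if (!super.commit()) {
            return false;
        }
        boolean added = this.subject.getPublicCredentials().add(this.credential);
        if (added && logger.isTraceEnabled()) {
            logger.trace("Added Credential " + this.credential);
        }
        return true;
    }

    /** Drops the SAML credentials from the subject and delegates to the superclass; always returns {@code true}. */
    @Override
    public boolean abort() throws LoginException {
        clearState();
        super.abort();
        return true;
    }

    /** Drops the SAML credentials from the subject and delegates to the superclass; always returns {@code true}. */
    @Override
    public boolean logout() throws LoginException {
        clearState();
        super.logout();
        return true;
    }

    /** Removes every SAML credential from the subject and forgets the one held by this module. */
    private void clearState() {
        AbstractSTSLoginModule.removeAllSamlCredentials(this.subject);
        this.credential = null;
    }

    /** @return the principal established by {@link #login()}; may be {@code null} before a successful login */
    @Override
    protected Principal getIdentity() {
        return this.principal;
    }

    /**
     * Builds the single "Roles" group from the assertion attributes named by {@link #roleKey}.
     *
     * @return one {@link PicketLinkGroup} holding a {@link SimplePrincipal} per role name
     * @throws LoginException if the assertion must be parsed here and parsing fails
     */
    @Override
    protected Group[] getRoleSets() throws LoginException {
        if (this.assertion == null) {
            try {
                this.assertion = SAMLUtil.fromElement(this.credential.getAssertionAsElement());
            } catch (Exception e) {
                throw logger.authFailedToParseSAMLAssertion(e);
            }
        }
        if (logger.isTraceEnabled()) {
            try {
                logger.trace("Assertion from where roles will be sought = " + AssertionUtil.asString(this.assertion));
            } catch (ProcessingException ignored) {
                // Trace output only; a serialisation failure must not affect role resolution.
            }
        }
        List<String> roleAttributeNames = new ArrayList<>();
        if (StringUtil.isNotNull(this.roleKey)) {
            roleAttributeNames.addAll(StringUtil.tokenize(this.roleKey));
        }
        PicketLinkGroup roles = new PicketLinkGroup(SAML20CommonTokenRoleAttributeProvider.JBOSS_ROLE_PRINCIPAL_NAME);
        for (String roleName : AssertionUtil.getRoles(this.assertion, roleAttributeNames)) {
            roles.addMember(new SimplePrincipal(roleName));
        }
        return new Group[]{roles};
    }

    /**
     * Builds an STS client configuration from the module options and borrows a client from the shared pool.
     *
     * <p>With {@value #STS_CONFIG_FILE} present the configuration file is used; otherwise endpoint address, port name,
     * service name, username and password are read from {@link #rawOptions}. A password starting with {@code MASK-}
     * is unmasked with the {@code salt} and {@code iterationCount} options. Everything left in {@link #options} is
     * copied into the client's JAX-WS request context.
     *
     * @return a pooled STS client
     * @throws RuntimeException (via {@code logger.optionNotSet} / {@code unableToDecodePasswordError}) on bad options
     */
    protected STSClient getSTSClient() {
        STSClientConfig.Builder builder;
        if (this.rawOptions.containsKey(STS_CONFIG_FILE)) {
            builder = new STSClientConfig.Builder(this.stsConfigurationFile);
        } else {
            builder = new STSClientConfig.Builder();
            builder.endpointAddress((String) this.rawOptions.get(ENDPOINT_ADDRESS));
            builder.portName((String) this.rawOptions.get(PORT_NAME)).serviceName((String) this.rawOptions.get(SERVICE_NAME));
            String password = (String) this.rawOptions.get(PASSWORD_KEY);
            builder.username((String) this.rawOptions.get(USERNAME_KEY)).password(password);
            if (password != null && password.startsWith("MASK-")) {
                builder.password(unmaskPassword(password));
            }
        }
        STSClientConfig config = builder.build();
        STSClientPool pool = STSClientPoolFactory.getPoolInstance();
        if (this.initialClientsInPool > 0) {
            pool.createPool(this.initialClientsInPool, config);
        }
        STSClient client = pool.getClient(config);
        if (!this.options.isEmpty()) {
            // Every option initialize() did not consume — which includes any username/password option — becomes a
            // JAX-WS request-context property of the client.
            Dispatch<?> dispatch = client.getDispatch();
            for (Map.Entry<String, Object> entry : this.options.entrySet()) {
                dispatch.getRequestContext().put(entry.getKey(), entry.getValue());
            }
        }
        return client;
    }

    /**
     * Unmasks a {@code MASK-} password using the {@code salt} and {@code iterationCount} options, both required.
     *
     * @param maskedPassword the masked value from the options
     * @return the clear-text password
     */
    private String unmaskPassword(String maskedPassword) {
        String salt = (String) this.rawOptions.get("salt");
        if (StringUtil.isNullOrEmpty(salt)) {
            throw logger.optionNotSet("Salt");
        }
        String iterationCount = (String) this.rawOptions.get("iterationCount");
        if (StringUtil.isNullOrEmpty(iterationCount)) {
            throw logger.optionNotSet("Iteration Count");
        }
        try {
            return StringUtil.decode(maskedPassword, salt, Integer.parseInt(iterationCount));
        } catch (Exception e) {
            // The logger method only takes the masked value, so the decoding cause is not propagated.
            throw logger.unableToDecodePasswordError(maskedPassword);
        }
    }

    /**
     * Validates the assertion without contacting the STS.
     *
     * @param element the assertion as a DOM element
     * @return {@code true} when the assertion is valid; {@code false} fails the login
     * @throws Exception when validation cannot be performed; wrapped into a {@link LoginException} by {@link #login()}
     */
    protected abstract boolean localValidation(Element element) throws Exception;

    /** @return the auth-cache expiry used to evict the principal when the assertion expires (cache invalidation on) */
    protected abstract JBossAuthCacheInvalidationFactory.TimeCacheExpiry getCacheExpiry() throws Exception;
}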
