package com.sun.identity.wss.sts.spi;

import com.iplanet.security.x509.CertUtils;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.common.SystemConfigurationUtil;
import com.sun.identity.session.util.RestrictedTokenAction;
import com.sun.identity.session.util.RestrictedTokenContext;
import com.sun.identity.shared.datastruct.CollectionHelper;
import com.sun.identity.shared.xml.XMLUtils;
import com.sun.identity.wss.logging.LogUtil;
import com.sun.identity.wss.provider.ProviderConfig;
import com.sun.identity.wss.security.SAML11AssertionValidator;
import com.sun.identity.wss.security.SAML2AssertionValidator;
import com.sun.identity.wss.security.SecurityException;
import com.sun.identity.wss.security.SecurityToken;
import com.sun.identity.wss.security.WSSUtils;
import com.sun.identity.wss.sts.ClientUserToken;
import com.sun.identity.wss.sts.FAMSTSException;
import com.sun.identity.wss.sts.STSClientUserToken;
import com.sun.identity.wss.sts.STSConstants;
import com.sun.identity.wss.sts.STSUtils;
import com.sun.identity.wss.sts.config.FAMSTSConfiguration;
import com.sun.identity.wss.trust.ClaimType;
import com.sun.xml.ws.api.security.trust.Claims;
import com.sun.xml.ws.api.security.trust.STSAttributeProvider;
import com.sun.xml.wss.saml.util.SAMLUtil;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import javax.security.auth.Subject;
import javax.xml.namespace.QName;
import javax.xml.stream.XMLStreamReader;
import org.w3c.dom.Element;

/* loaded from: input_file:com/sun/identity/wss/sts/spi/FAMSTSAttributeProvider.class */
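/**
 * Attribute provider for the FAM/OpenSSO security token service.
 * <p>
 * Resolves the subject of an incoming STS request from the credentials and
 * principals of the authenticated {@link Subject}, then assembles the
 * {@code QName -> values} attribute map that is placed into the issued token.
 * <p>
 * Instance fields ({@link #ssoToken}, {@link #attributeMap}) are filled in
 * while a request is processed and are never reset, so an instance carries
 * per-request state; reusing one across requests would leak one subject's
 * token or attributes into the next (how the framework instantiates
 * providers is not visible here — TODO confirm).
 */
public class FAMSTSAttributeProvider implements STSAttributeProvider {
    /** Local name of the custom token element wrapping an {@link STSClientUserToken}. */
    private static final String FAM_TOKEN = "FAMToken";
    /** Configuration key: set of SAML attribute mapping entries. */
    private static final String SAML_ATTRIBUTE_MAP = "SAMLAttributeMapping";
    /** Configuration key: class name used to derive a pseudonymous NameID. */
    private static final String NAMEID_MAPPER_CLASS = "NameIDMapper";
    /** Configuration key: namespace for the attribute QNames; only the first value is used. */
    private static final String ATTR_NAMESPACE = "AttributeNamespace";
    /** Not referenced in this class; retained unchanged. */
    private static final String STS = "sts";
    /** Not referenced in this class; retained unchanged. */
    private static final String MEMBERSHIPS = "Memberships";
    /** Configuration key: "true" adds the subject's group memberships as attributes. */
    private static final String INCLUDE_MEMBERSHIPS = "includeMemberships";
    /** Attribute namespace used when the configuration does not supply one. */
    private static final String defaultNS = "http://example.com";

    /**
     * Attributes collected from a SAML assertion found among the public
     * credentials ({@link #parseSAMLAssertion}). Keys and values are read as
     * Strings. Holds whatever the validator returned, which may be null.
     */
    private Map<?, ?> attributeMap = new HashMap<String, String>();
    /** SSO token of the resolved subject once one has been found; null otherwise. */
    private SSOToken ssoToken = null;
    /**
     * Lazily initialised in {@link #getSSOToken}. The initialisation is not
     * synchronized, so concurrent first calls may each invoke
     * {@code SSOTokenManager.getInstance()} — benign only if that returns a
     * shared instance (TODO confirm).
     */
    protected static SSOTokenManager tokenManager;

    /**
     * Builds the claimed attributes for the request represented by {@code subject}.
     * <p>
     * The subject name is taken from the first source that yields one: a custom
     * token among the public credentials ({@link #getSubjectNameFromCustomToken}),
     * an {@link SSOToken} among the private credentials
     * ({@link #getAuthenticatedSubject}), the first public credential
     * ({@link #subjectNameFromPublicCredential}) and finally the first principal
     * ({@link #subjectNameFromPrincipals}). The returned map always carries a
     * {@code NameID} entry; further entries come from the SAML attribute mapping
     * of the selected configuration, from a parsed SAML assertion, from group
     * memberships when {@value #INCLUDE_MEMBERSHIPS} is enabled, and from the
     * requested {@code claims}.
     *
     * @param subject   authenticated subject of the request
     * @param appliesTo endpoint the token is requested for; selects the STS's own
     *                  SAML attribute configuration when it equals the STS
     *                  endpoint, otherwise the WSP agent's (may be null)
     * @param tokenType requested token type; not used here
     * @param claims    requested claims, or null
     * @return the attribute map, or null when no subject name could be resolved
     *         or the custom token failed validation
     */
    public Map<QName, List<String>> getClaimedAttributes(Subject subject, String appliesTo,
            String tokenType, Claims claims) {
        FAMSTSConfiguration stsConfig = new FAMSTSConfiguration();
        try {
            String subjectName = getSubjectNameFromCustomToken(subject, stsConfig);
            if (subjectName == null) {
                if (STSUtils.debug.messageEnabled()) {
                    STSUtils.debug.message("FAMSTSAttributeProvider.getClaimedAttributes: subject is null from 'On Behalf Of' OR Custom token");
                }
                subjectName = getAuthenticatedSubject(subject);
            }
            if (subjectName == null) {
                if (STSUtils.debug.messageEnabled()) {
                    STSUtils.debug.message("FAMSTSAttributeProvider.getClaimedAttributes: subject is null from authenticated subject");
                }
                subjectName = subjectNameFromPublicCredential(subject, stsConfig);
            }
            if (subjectName == null) {
                if (STSUtils.debug.messageEnabled()) {
                    STSUtils.debug.message("FAMSTSAttributeProvider.getClaimedAttributes: subject from X509certificate is null Checking in subject principals");
                }
                subjectName = subjectNameFromPrincipals(subject);
            }
            if (STSUtils.debug.messageEnabled()) {
                STSUtils.debug.message("FAMSTSAttributeProvider.getClaimedAttributes: subjectName : " + subjectName);
            }
            if (subjectName == null) {
                STSUtils.debug.error("FAMSTSAttributeProvider.getClaimed Subject could not found.");
                return null;
            }
            LogUtil.access(Level.INFO, LogUtil.IDENTITY_SUBJECT_NAME, new String[]{subjectName}, null);

            Map attributeConfig = lookupAttributeConfig(appliesTo, stsConfig);
            String namespace = resolveAttributeNamespace(attributeConfig);
            Map<QName, List<String>> attributes = new HashMap<QName, List<String>>();
            attributes.put(new QName(namespace, "NameID"),
                    singleValue(getUserPseduoName(subjectName, attributeConfig)));
            if (attributeConfig == null || attributeConfig.isEmpty()) {
                STSUtils.debug.error("FAMSTSAttributeProvider.getClaimed Agent configuration not defined for " + appliesTo);
                return attributes;
            }

            Set mappings = (Set) attributeConfig.get(SAML_ATTRIBUTE_MAP);
            if (mappings != null && !mappings.isEmpty()) {
                Map<QName, List<String>> mapped =
                        WSSUtils.getSAMLAttributes(subjectName, mappings, namespace, this.ssoToken);
                if (mapped != null) {
                    attributes.putAll(mapped);
                }
            }
            addAssertionAttributes(attributes, namespace);
            if (Boolean.parseBoolean(CollectionHelper.getMapAttr(attributeConfig, INCLUDE_MEMBERSHIPS, "false"))) {
                Map<QName, List<String>> memberships = WSSUtils.getMembershipAttributes(subjectName, namespace);
                if (memberships != null && !memberships.isEmpty()) {
                    attributes.putAll(memberships);
                }
            }
            if (claims != null) {
                Map<? extends QName, ? extends List<String>> requested =
                        WSSUtils.getRequestedClaims(subjectName, getClaimNames(claims), this.ssoToken);
                // guarded: the previous code passed the result straight to putAll and NPE'd on null
                if (requested != null) {
                    attributes.putAll(requested);
                }
            }
            // The complete attribute map, including every mapped user attribute, goes to the access log.
            LogUtil.access(Level.INFO, LogUtil.ATTR_MAP_FOR_SP, new String[]{attributes.toString()}, null);
            return attributes;
        } catch (FAMSTSException e) {
            STSUtils.debug.error("FAMSTSAttributeProvider.getClaimedAttributes getSubjectNameFromCustomToken failed : ", e);
            return null;
        }
    }

    /**
     * Derives the subject name from the first public credential, when there is one.
     * An {@link X509Certificate} yields its subject name. A SAML assertion — an
     * {@link XMLStreamReader} positioned on it or a DOM {@code Assertion} element —
     * is handed to {@link #parseSAMLAssertion} for its attributes and key-info
     * certificate but yields no name here, so the caller falls back to the
     * principals. Only the first credential is examined.
     *
     * @return the certificate subject name, or null
     */
    private String subjectNameFromPublicCredential(Subject subject, FAMSTSConfiguration stsConfig) {
        Set<Object> credentials = subject.getPublicCredentials();
        if (credentials == null || credentials.isEmpty()) {
            // Nothing to derive from; the previous code called iterator().next()
            // unconditionally and failed with NoSuchElementException here.
            return null;
        }
        Object credential = credentials.iterator().next();
        if (credential instanceof X509Certificate) {
            return CertUtils.getSubjectName((X509Certificate) credential);
        }
        if (credential instanceof XMLStreamReader) {
            try {
                parseSAMLAssertion(SAMLUtil.createSAMLAssertion((XMLStreamReader) credential), subject, stsConfig);
            } catch (Exception e) {
                // keep the cause in the log; a bare message hides why validation failed
                STSUtils.debug.error("FAMSTSAttributeProvider.getClaimedAttributes: assertion validation failed", e);
            }
        } else if (credential instanceof Element) {
            Element element = (Element) credential;
            // compare on the literal: getLocalName() can be null for DOM Level 1 nodes
            if ("Assertion".equals(element.getLocalName())) {
                parseSAMLAssertion(element, subject, stsConfig);
            }
        }
        return null;
    }

    /**
     * Derives the subject name from the first principal. A single-component name
     * of the form {@code attr=value} is reduced to {@code value}; anything else
     * (including a multi-component DN) is returned verbatim.
     *
     * @return the derived name, or null when the subject has no principals
     */
    private String subjectNameFromPrincipals(Subject subject) {
        Set<Principal> principals = subject.getPrincipals();
        if (principals == null || principals.isEmpty()) {
            return null;
        }
        String name = principals.iterator().next().getName();
        String[] components = name.split(",");
        // length is checked first: ",".split(",") yields an empty array
        if (components.length == 1) {
            int eq = components[0].indexOf('=');
            if (eq != -1) {
                return components[0].substring(eq + 1);
            }
        }
        return name;
    }

    /**
     * Looks up the SAML attribute configuration for {@code appliesTo}: the STS's
     * own configuration when it names the STS endpoint, otherwise the WSP agent's.
     *
     * @return the configuration map (keys are configuration names, values are
     *         Sets of String per the casts applied to it), or null when
     *         {@code appliesTo} is null
     */
    private Map lookupAttributeConfig(String appliesTo, FAMSTSConfiguration stsConfig) {
        if (appliesTo == null) {
            return null;
        }
        // appliesTo is non-null here, so comparing from it avoids an NPE when no STS endpoint is configured
        if (appliesTo.equals(stsConfig.getSTSEndpoint())) {
            return STSUtils.getSTSSAMLAttributes(stsConfig);
        }
        return STSUtils.getAgentAttributes(appliesTo, null, null, ProviderConfig.WSP);
    }

    /**
     * Picks the attribute namespace: the first {@value #ATTR_NAMESPACE} value of
     * {@code attributeConfig}, or {@link #defaultNS} when none is configured.
     */
    private String resolveAttributeNamespace(Map attributeConfig) {
        if (attributeConfig != null && !attributeConfig.isEmpty()) {
            Set<?> namespaces = (Set<?>) attributeConfig.get(ATTR_NAMESPACE);
            if (namespaces != null && !namespaces.isEmpty()) {
                return (String) namespaces.iterator().next();
            }
        }
        return defaultNS;
    }

    /**
     * Adds the attributes collected from a parsed SAML assertion
     * ({@link #attributeMap}) as single-valued entries under {@code namespace}.
     * Keys and values are cast to String, as the previous code did; the
     * validators' actual value type is not visible here.
     */
    private void addAssertionAttributes(Map<QName, List<String>> attributes, String namespace) {
        if (this.attributeMap == null || this.attributeMap.isEmpty()) {
            return;
        }
        for (Map.Entry<?, ?> entry : this.attributeMap.entrySet()) {
            String attrName = (String) entry.getKey();
            String attrValue = (String) entry.getValue();
            attributes.put(new QName(namespace, attrName), singleValue(attrValue));
        }
    }

    /** Wraps one value in a fresh, mutable list, as the attribute map expects. */
    private static List<String> singleValue(String value) {
        List<String> values = new ArrayList<String>();
        values.add(value);
        return values;
    }

    /**
     * Applies the configured NameID mapper, if any, to {@code subjectName}.
     *
     * @param subjectName     resolved subject name
     * @param attributeConfig attribute configuration, or null
     * @return the mapped name when {@value #NAMEID_MAPPER_CLASS} is configured,
     *         otherwise {@code subjectName} unchanged
     */
    private String getUserPseduoName(String subjectName, Map attributeConfig) {
        if (attributeConfig == null) {
            return subjectName;
        }
        String mapperClass = CollectionHelper.getMapAttr(attributeConfig, NAMEID_MAPPER_CLASS);
        if (mapperClass == null) {
            return subjectName;
        }
        return WSSUtils.getUserPseduoName(subjectName, mapperClass);
    }

    /**
     * Looks for a custom token among the public credentials and returns the
     * subject name it carries.
     * <p>
     * A {@value #FAM_TOKEN} element is handled by {@link #subjectNameFromFamToken}
     * and decides the outcome (the search stops there). Any other element is
     * offered to the {@code ClientUserTokenClass} configured for the STS, when
     * one is set; a parse failure is logged and the next credential is tried.
     *
     * @return the subject name, or null when no credential yields one
     * @throws FAMSTSException when a FAMToken cannot be validated
     */
    private String getSubjectNameFromCustomToken(Subject subject, FAMSTSConfiguration stsConfig) throws FAMSTSException {
        for (Object credential : subject.getPublicCredentials()) {
            if (!(credential instanceof Element)) {
                continue;
            }
            Element element = (Element) credential;
            if (FAM_TOKEN.equals(element.getLocalName())) {
                return subjectNameFromFamToken(element, stsConfig);
            }
            String clientUserTokenClass = stsConfig.getClientUserTokenClass();
            if (clientUserTokenClass == null || clientUserTokenClass.isEmpty()) {
                continue;
            }
            try {
                // The class name comes from the STS configuration, not from the request.
                // asSubclass rejects a class that is not a ClientUserToken before it is instantiated.
                ClientUserToken clientUserToken = Thread.currentThread().getContextClassLoader()
                        .loadClass(clientUserTokenClass)
                        .asSubclass(ClientUserToken.class)
                        .getDeclaredConstructor()
                        .newInstance();
                clientUserToken.parse(element);
                return clientUserToken.getPrincipalName();
            } catch (Exception e) {
                if (STSUtils.debug.messageEnabled()) {
                    STSUtils.debug.message("FAMSTSAttributeProvider.CheckForCustomTokens: " + e.getMessage());
                }
            }
        }
        return null;
    }

    /**
     * Validates an STS client user token and returns its subject name. SAML 1.x
     * and SAML 2 tokens are checked by the respective assertion validators; an
     * SSO token is resolved through {@link #getSSOToken} and remembered in
     * {@link #ssoToken}.
     *
     * @return the subject name, or null for an unsupported token type or an SSO
     *         token that could not be created
     * @throws FAMSTSException when validation or SSO token creation fails; only
     *         the message is carried over, since {@code FAMSTSException(String)}
     *         is the only constructor used in this file
     */
    private String subjectNameFromFamToken(Element element, FAMSTSConfiguration stsConfig) throws FAMSTSException {
        try {
            STSClientUserToken clientToken = new STSClientUserToken(element);
            String tokenId = clientToken.getTokenId();
            if (clientToken.getType().equals(SecurityToken.WSS_SAML2_TOKEN)) {
                Element assertion = XMLUtils.toDOMDocument(tokenId, STSUtils.debug).getDocumentElement();
                return new SAML2AssertionValidator(assertion, stsConfig).getSubjectName();
            }
            if (clientToken.getType().equals(SecurityToken.WSS_SAML_TOKEN)) {
                Element assertion = XMLUtils.toDOMDocument(tokenId, STSUtils.debug).getDocumentElement();
                return new SAML11AssertionValidator(assertion, stsConfig).getSubjectName();
            }
            if (!clientToken.getType().equals(SecurityToken.WSS_FAM_SSO_TOKEN)) {
                return null;
            }
            this.ssoToken = getSSOToken(tokenId, clientToken.getAppTokenID());
            if (this.ssoToken == null) {
                return null;
            }
            return this.ssoToken.getPrincipal().getName();
        } catch (SecurityException e) {
            if (STSUtils.debug.messageEnabled()) {
                STSUtils.debug.message("FAMSTSAttributeProvider.getSubjectNameFromCustomToken: SecurityException", e);
            }
            throw new FAMSTSException(e.getMessage());
        } catch (SSOException e) {
            if (STSUtils.debug.messageEnabled()) {
                STSUtils.debug.message("FAMSTSAttributeProvider.getSubjectNameFromCustomToken: SSOException", e);
            }
            throw new FAMSTSException(e.getMessage());
        } catch (FAMSTSException e) {
            if (STSUtils.debug.messageEnabled()) {
                STSUtils.debug.message("FAMSTSAttributeProvider.getSubjectNameFromCustomToken: FAMException", e);
            }
            // rethrown as-is: same type and message as before, but the stack trace is kept
            throw e;
        }
    }

    /**
     * Resolves the subject name from an {@link SSOToken} among the private
     * credentials. The credentials are scanned inside a privileged action
     * (presumably because reading private credentials is permission-checked
     * under a security manager — not verifiable here); when several SSO tokens
     * are present the last one wins and is remembered in {@link #ssoToken}.
     *
     * @return the token's principal name, or null when there is no SSO token or
     *         it cannot be read
     */
    private String getAuthenticatedSubject(final Subject subject) {
        try {
            AccessController.doPrivileged(new PrivilegedAction<Void>() {
                @Override
                public Void run() {
                    Set<Object> privateCredentials = subject.getPrivateCredentials();
                    if (privateCredentials == null || privateCredentials.isEmpty()) {
                        return null;
                    }
                    for (Object credential : privateCredentials) {
                        if (credential instanceof SSOToken) {
                            FAMSTSAttributeProvider.this.ssoToken = (SSOToken) credential;
                        }
                    }
                    return null;
                }
            });
            if (this.ssoToken == null) {
                return null;
            }
            try {
                return this.ssoToken.getPrincipal().getName();
            } catch (SSOException e) {
                STSUtils.debug.error("FAMSTSAttributeProvider.getAuthenticatedSubject: SSOException", e);
                return null;
            }
        } catch (Exception e) {
            STSUtils.debug.error("FAMSTSAttributeProvider.getAuthenticatedSubject: Priveleged exception error", e);
            return null;
        }
    }

    /**
     * Validates a SAML 1.x or SAML 2 assertion element and records what it
     * carries: its attributes go to {@link #attributeMap} and its key-info
     * certificate, when present, is added to the subject's public credentials.
     * Assertions in any other namespace are ignored. Failures are logged and
     * swallowed; the caller then continues with whatever subject name it can
     * find elsewhere.
     */
    private void parseSAMLAssertion(Element assertion, Subject subject, FAMSTSConfiguration stsConfig) {
        try {
            String namespace = assertion.getNamespaceURI();
            X509Certificate keyInfoCert = null;
            if (STSConstants.SAML10_ASSERTION.equals(namespace)) {
                SAML11AssertionValidator validator = new SAML11AssertionValidator(assertion, stsConfig);
                keyInfoCert = validator.getKeyInfoCert();
                this.attributeMap = validator.getAttributes();
            } else if ("urn:oasis:names:tc:SAML:2.0:assertion".equals(namespace)) {
                SAML2AssertionValidator validator = new SAML2AssertionValidator(assertion, stsConfig);
                keyInfoCert = validator.getKeyInfoCert();
                this.attributeMap = validator.getAttributes();
            }
            if (keyInfoCert != null) {
                subject.getPublicCredentials().add(keyInfoCert);
            }
        } catch (Exception e) {
            STSUtils.debug.error("FAMSTSAttributeProvider.parseSAMLAssertion failed : ", e);
        }
    }

    /**
     * Extracts the claim names requested in the identity-claims dialect
     * ({@link ClaimType#IDENTITY_NS}). Other dialects yield an empty set; an
     * element that does not parse as a {@link ClaimType} is logged and skipped.
     *
     * @param claims requested claims (non-null)
     * @return the requested claim names, possibly empty
     */
    private Set<String> getClaimNames(Claims claims) {
        Set<String> names = new HashSet<String>();
        String dialect = claims.getDialect();
        if (dialect == null || !ClaimType.IDENTITY_NS.equals(dialect)) {
            return names;
        }
        List<?> any = claims.getAny();
        if (any == null || any.isEmpty()) {
            return names;
        }
        for (Object item : any) {
            try {
                names.add(new ClaimType((Element) item).getName());
            } catch (Exception e) {
                if (STSUtils.debug.messageEnabled()) {
                    STSUtils.debug.message("FAMSTSAttributeProvider. getClaimNames: ", e);
                }
            }
        }
        return names;
    }

    /**
     * Creates the {@link SSOToken} for {@code tokenId}. When
     * {@code com.sun.identity.enableUniqueSSOTokenCookie} is enabled the token is
     * created inside a {@link RestrictedTokenContext} established from the
     * application token {@code appTokenId}. If that restricted creation fails
     * with an {@link SSOException} the code falls back to an unrestricted
     * {@code createSSOToken(tokenId)}; any other failure yields null.
     *
     * @param tokenId    session identifier of the token to create
     * @param appTokenId application session identifier for the restricted context
     * @return the token, or null when creation inside the restricted context
     *         failed with something other than an SSOException
     * @throws SSOException when the unrestricted creation fails
     */
    protected SSOToken getSSOToken(final String tokenId, String appTokenId) throws SSOException {
        boolean uniqueCookieEnabled = Boolean.parseBoolean(
                SystemConfigurationUtil.getProperty("com.sun.identity.enableUniqueSSOTokenCookie", "false"));
        if (tokenManager == null) {
            tokenManager = SSOTokenManager.getInstance();
        }
        if (!uniqueCookieEnabled) {
            return tokenManager.createSSOToken(tokenId);
        }
        try {
            return (SSOToken) RestrictedTokenContext.doUsing(tokenManager.createSSOToken(appTokenId),
                    new RestrictedTokenAction() {
                        public Object run() throws Exception {
                            return FAMSTSAttributeProvider.tokenManager.createSSOToken(tokenId);
                        }
                    });
        } catch (SSOException e) {
            // The narrower handler must come before catch (Exception); the previous
            // order left it unreachable. NOTE(review): the fallback creates the token
            // without the restricted context — confirm that is intended.
            STSUtils.debug.error("FAMSTSAttributeProvider:getSSOToken", e);
            return tokenManager.createSSOToken(tokenId);
        } catch (Exception e) {
            STSUtils.debug.error("FAMSTSAttributeProvider:getSSOToken", e);
            return null;
        }
    }
}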
