package com.sun.identity.saml2.profile;

import com.sun.identity.saml.xmlsig.KeyProvider;
import com.sun.identity.saml2.assertion.Assertion;
import com.sun.identity.saml2.assertion.AssertionFactory;
import com.sun.identity.saml2.assertion.AuthnContext;
import com.sun.identity.saml2.assertion.AuthnStatement;
import com.sun.identity.saml2.assertion.EncryptedAssertion;
import com.sun.identity.saml2.assertion.Issuer;
import com.sun.identity.saml2.assertion.NameID;
import com.sun.identity.saml2.assertion.Subject;
import com.sun.identity.saml2.common.SAML2Constants;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.common.SAML2FailoverUtils;
import com.sun.identity.saml2.common.SAML2Utils;
import com.sun.identity.saml2.common.SOAPCommunicator;
import com.sun.identity.saml2.jaxb.metadata.AuthnAuthorityDescriptorElement;
import com.sun.identity.saml2.jaxb.metadata.AuthnQueryServiceElement;
import com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement;
import com.sun.identity.saml2.key.KeyUtil;
import com.sun.identity.saml2.meta.SAML2MetaException;
import com.sun.identity.saml2.meta.SAML2MetaManager;
import com.sun.identity.saml2.plugins.IDPAuthnContextMapper;
import com.sun.identity.saml2.protocol.AuthnQuery;
import com.sun.identity.saml2.protocol.ProtocolFactory;
import com.sun.identity.saml2.protocol.RequestedAuthnContext;
import com.sun.identity.saml2.protocol.Response;
import com.sun.identity.saml2.protocol.Status;
import com.sun.identity.saml2.protocol.StatusCode;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.soap.SOAPException;
import org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException;
import org.forgerock.openam.utils.Time;

/* loaded from: input_file:com/sun/identity/saml2/profile/AuthnQueryUtil.class */
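/**
 * Utility methods for the SAML 2.0 {@code AuthnQuery} profile.
 *
 * <p>Two sides are implemented here: the requester side ({@link #sendAuthnQuery}), which signs a
 * query, sends it to an authentication authority over SOAP and verifies the returned
 * {@code Response}; and the authentication-authority side ({@link #processAuthnQuery}), which
 * verifies an incoming query, looks up the subject's assertions (from the in-memory IDP cache or
 * the failover token store) and answers with those that match the requested session index and
 * authentication context.
 *
 * <p>All methods are static; the class holds no per-request state.
 */
public class AuthnQueryUtil {
    /** Key store access used to resolve signing keys and certificates by alias. */
    static KeyProvider keyProvider = KeyUtil.getKeyProviderInstance();
    /** Metadata access used for the authentication authority's configuration. */
    static SAML2MetaManager metaManager = SAML2Utils.getSAML2MetaManager();

    private AuthnQueryUtil() {
    }

    /**
     * Signs an {@code AuthnQuery} and sends it to an authentication authority.
     *
     * <p>Only the SOAP binding is supported; the query is always signed before it is sent and the
     * response is verified by {@link #verifyResponse} before it is returned.
     *
     * @param authnQuery the query to send; its {@code Issuer} must name the requesting SP
     * @param authnAuthorityEntityId entity ID of the authentication authority to query
     * @param realm realm in which the authority's metadata is registered
     * @param binding requested binding; must be {@link SAML2Constants#SOAP}
     * @return the verified {@code Response} from the authority
     * @throws SAML2Exception if the authority is unknown, the binding is missing or not
     *     SOAP, no matching {@code AuthnQueryService} endpoint exists, signing fails, the
     *     metadata cannot be read, or the response fails verification
     */
    public static Response sendAuthnQuery(AuthnQuery authnQuery, String authnAuthorityEntityId, String realm,
            String binding) throws SAML2Exception {
        try {
            AuthnAuthorityDescriptorElement authnAuthority =
                    SAML2Utils.getSAML2MetaManager().getAuthnAuthorityDescriptor(realm, authnAuthorityEntityId);
            if (authnAuthority == null) {
                throw new SAML2Exception(SAML2Utils.bundle.getString("authnAuthorityNotFound"));
            }
            if (binding == null) {
                throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
            }
            String location = findQueryServiceLocation(authnAuthority, binding);
            if (location == null) {
                throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
            }
            // An endpoint may exist for other bindings in metadata, but only SOAP is implemented here.
            if (!binding.equalsIgnoreCase(SAML2Constants.SOAP)) {
                throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
            }
            signAuthnQuery(authnQuery, realm, true);
            return sendAuthnQuerySOAP(authnQuery, location, authnAuthorityEntityId, realm, authnAuthority);
        } catch (SAML2MetaException e) {
            SAML2Utils.debug.error("AuthnQueryUtil.sendAuthnQuery:", e);
            throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
        }
    }

    /**
     * Returns the location of the first {@code AuthnQueryService} endpoint of the authority whose
     * binding equals {@code binding} (case-insensitively), or {@code null} if there is none.
     */
    private static String findQueryServiceLocation(AuthnAuthorityDescriptorElement authnAuthority, String binding) {
        for (Object element : authnAuthority.getAuthnQueryService()) {
            AuthnQueryServiceElement service = (AuthnQueryServiceElement) element;
            if (binding.equalsIgnoreCase(service.getBinding())) {
                return service.getLocation();
            }
        }
        return null;
    }

    /**
     * Processes an {@code AuthnQuery} received by this authentication authority and builds the
     * {@code Response}.
     *
     * <p>Flow: verify the query (signature, issuer, SP metadata); resolve the subject to a local
     * user via the IDP account mapper; collect the user's time-valid assertions that match the
     * query's session index and requested authentication context; answer with a signed
     * {@code Success} response carrying those assertions (possibly none). Failures are reported as
     * SAML error responses rather than thrown.
     *
     * @param authnQuery the received query
     * @param request the servlet request; currently unused but part of the public contract
     * @param response the servlet response; currently unused but part of the public contract
     * @param authnAuthorityEntityId entity ID of this authentication authority
     * @param realm realm of this authentication authority
     * @return a signed success response, or an error response with {@code Requester} status
     *     (unknown authority, unknown principal, verification failure) or {@code Responder}
     *     status (metadata error)
     * @throws SAML2Exception only if building the error response itself fails
     */
    public static Response processAuthnQuery(AuthnQuery authnQuery, HttpServletRequest request,
            HttpServletResponse response, String authnAuthorityEntityId, String realm) throws SAML2Exception {
        try {
            verifyAuthnQuery(authnQuery, authnAuthorityEntityId, realm);
            String spEntityId = authnQuery.getIssuer().getValue();
            try {
                if (SAML2Utils.getSAML2MetaManager().getAuthnAuthorityDescriptor(realm, authnAuthorityEntityId)
                        == null) {
                    return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.REQUESTER, null,
                            SAML2Utils.bundle.getString("authnAuthorityNotFound"), null);
                }
                NameID nameID = getNameID(authnQuery.getSubject(), realm, authnAuthorityEntityId);
                // Only a persistent (optionally encrypted) NameID can be mapped to a local user.
                String userId = nameID == null ? null
                        : SAML2Utils.getIDPAccountMapper(realm, authnAuthorityEntityId)
                                .getIdentity(nameID, authnAuthorityEntityId, spEntityId, realm);
                if (userId == null) {
                    return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.REQUESTER,
                            SAML2Constants.UNKNOWN_PRINCIPAL, null, null);
                }
                IDPAuthnContextMapper contextMapper =
                        IDPSSOUtil.getIDPAuthnContextMapper(realm, authnAuthorityEntityId);
                // Default-locale lower-casing is kept deliberately: it must match the key under which
                // the rest of the IDP stores this user's assertions.
                String userKey = userId.toLowerCase();
                List<Assertion> candidates = loadUserAssertions(userKey);
                List<Assertion> matched = selectMatchingAssertions(candidates, authnQuery.getSessionIndex(),
                        authnQuery.getRequestedAuthnContext(), contextMapper, realm, authnAuthorityEntityId);
                return buildSuccessResponse(authnQuery, matched, authnAuthorityEntityId, realm);
            } catch (SAML2MetaException e) {
                SAML2Utils.debug.error("AuthnQueryUtil.processAuthnQuery:", e);
                return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.RESPONDER, null,
                        SAML2Utils.bundle.getString("metaDataError"), null);
            }
        } catch (SAML2Exception e) {
            SAML2Utils.debug.error("AuthnQueryUtil.processAuthnQuery:", e);
            return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.REQUESTER, null, e.getMessage(), null);
        }
    }

    /**
     * Loads the assertions previously issued to {@code userKey}.
     *
     * <p>With SAML2 failover enabled the serialized assertions come from the token repository and
     * are parsed here; otherwise the live list from {@code IDPCache.assertionCache} is returned,
     * which may be shared with other threads.
     *
     * @return the user's assertions, or {@code null} if none are known (a repository read error is
     *     logged and treated as "none")
     * @throws SAML2Exception if a stored assertion cannot be parsed
     */
    private static List<Assertion> loadUserAssertions(String userKey) throws SAML2Exception {
        if (!SAML2FailoverUtils.isSAML2FailoverEnabled()) {
            @SuppressWarnings("unchecked")
            List<Assertion> cached = (List<Assertion>) IDPCache.assertionCache.get(userKey);
            return cached;
        }
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(
                    "AuthnQueryUtil.processAuthnQuery: getting user assertions from DB. user = " + userKey);
        }
        List<?> tokens = null;
        try {
            tokens = SAML2FailoverUtils.retrieveSAML2TokensWithSecondaryKey(userKey);
        } catch (SAML2TokenRepositoryException e) {
            // Best effort: a repository outage yields "no assertions" rather than a hard failure.
            SAML2Utils.debug.error(
                    "AuthnQueryUtil.processAuthnQuery: Unable to obtain user assertions from CTS Repository. user = "
                            + userKey, e);
        }
        if (tokens == null || tokens.isEmpty()) {
            return null;
        }
        AssertionFactory assertionFactory = AssertionFactory.getInstance();
        List<Assertion> assertions = new ArrayList<Assertion>(tokens.size());
        for (Object token : tokens) {
            assertions.add(assertionFactory.createAssertion((String) token));
        }
        return assertions;
    }

    /**
     * Selects the time-valid assertions that have at least one {@code AuthnStatement} matching the
     * query's session index (any, when the index is absent or empty) and its requested
     * authentication context (any, when no {@code RequestedAuthnContext} was given).
     *
     * @return the matching assertions in candidate order; empty when {@code candidates} is
     *     {@code null} or empty
     */
    private static List<Assertion> selectMatchingAssertions(List<Assertion> candidates, String sessionIndex,
            RequestedAuthnContext requestedContext, IDPAuthnContextMapper contextMapper, String realm,
            String authnAuthorityEntityId) throws SAML2Exception {
        List<Assertion> matched = new ArrayList<Assertion>();
        if (candidates == null || candidates.isEmpty()) {
            return matched;
        }
        boolean anySession = sessionIndex == null || sessionIndex.length() == 0;
        // The cached list may be concurrently modified by other request threads; hold its monitor
        // while iterating, as the IDP cache users do.
        synchronized (candidates) {
            for (Assertion assertion : candidates) {
                if (!assertion.isTimeValid()) {
                    if (SAML2Utils.debug.messageEnabled()) {
                        SAML2Utils.debug.message(
                                "AuthnQueryUtil.processAuthnQuery:  assertion " + assertion.getID() + " expired.");
                    }
                    continue;
                }
                for (AuthnStatement statement : assertion.getAuthnStatements()) {
                    AuthnContext authnContext = statement.getAuthnContext();
                    String statementSessionIndex = statement.getSessionIndex();
                    String classRef = authnContext.getAuthnContextClassRef();
                    if (SAML2Utils.debug.messageEnabled()) {
                        SAML2Utils.debug.message("AuthnQueryUtil.processAuthnQuery: authnStmtACClassRef is "
                                + classRef + ", sessionIndex = " + statementSessionIndex);
                    }
                    if (!anySession && !sessionIndex.equals(statementSessionIndex)) {
                        continue;
                    }
                    if (requestedContext == null || contextMapper.isAuthnContextMatching(
                            requestedContext.getAuthnContextClassRef(), classRef, requestedContext.getComparison(),
                            realm, authnAuthorityEntityId)) {
                        // One matching statement is enough; the assertion is added once.
                        matched.add(assertion);
                        break;
                    }
                }
            }
        }
        return matched;
    }

    /**
     * Builds and signs a {@code Success} response to {@code authnQuery} carrying
     * {@code assertions}. An empty list yields a success response with no assertions.
     *
     * @throws SAML2Exception if the response cannot be signed
     */
    private static Response buildSuccessResponse(AuthnQuery authnQuery, List<Assertion> assertions,
            String authnAuthorityEntityId, String realm) throws SAML2Exception {
        ProtocolFactory protocolFactory = ProtocolFactory.getInstance();
        Response samlResponse = protocolFactory.createResponse();
        if (!assertions.isEmpty()) {
            samlResponse.setAssertion(assertions);
        }
        samlResponse.setID(SAML2Utils.generateID());
        samlResponse.setInResponseTo(authnQuery.getID());
        samlResponse.setVersion(SAML2Constants.VERSION_2_0);
        samlResponse.setIssueInstant(Time.newDate());
        StatusCode statusCode = protocolFactory.createStatusCode();
        statusCode.setValue(SAML2Constants.SUCCESS);
        Status status = protocolFactory.createStatus();
        status.setStatusCode(statusCode);
        samlResponse.setStatus(status);
        Issuer issuer = AssertionFactory.getInstance().createIssuer();
        issuer.setValue(authnAuthorityEntityId);
        samlResponse.setIssuer(issuer);
        signResponse(samlResponse, authnAuthorityEntityId, realm, true);
        return samlResponse;
    }

    /**
     * Signs {@code authnQuery} with the SP signing key of the query's issuer.
     *
     * @param authnQuery query to sign; its {@code Issuer} value selects the SP configuration
     * @param realm realm of the issuing SP
     * @param includeCert whether to embed the signing certificate in the signature
     * @throws SAML2Exception if no private key is configured for the SP's signing alias, or
     *     signing fails
     */
    private static void signAuthnQuery(AuthnQuery authnQuery, String realm, boolean includeCert)
            throws SAML2Exception {
        String alias = SAML2Utils.getSigningCertAlias(realm, authnQuery.getIssuer().getValue(),
                SAML2Constants.SP_ROLE);
        PrivateKey privateKey = keyProvider.getPrivateKey(alias);
        if (privateKey == null) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
        }
        X509Certificate signingCert = includeCert ? keyProvider.getX509Certificate(alias) : null;
        authnQuery.sign(privateKey, signingCert);
    }

    /**
     * Verifies an incoming {@code AuthnQuery}: it must be signed, its issuer must be a trusted
     * SP for this authority, the SP must have metadata in the realm with at least one
     * verification certificate, and the signature must validate against those certificates.
     *
     * @param authnQuery the query to verify
     * @param authnAuthorityEntityId entity ID of this authentication authority
     * @param realm realm of this authentication authority
     * @throws SAML2Exception if any of the checks fails (bundle keys {@code authnQueryNotSigned},
     *     {@code authnQueryIssuerInvalid}, {@code authnQueryIssuerNotFound},
     *     {@code missingSigningCertAlias}, {@code invalidSignatureAuthnQuery})
     */
    private static void verifyAuthnQuery(AuthnQuery authnQuery, String authnAuthorityEntityId, String realm)
            throws SAML2Exception {
        if (!authnQuery.isSigned()) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("authnQueryNotSigned"));
        }
        Issuer issuer = authnQuery.getIssuer();
        String spEntityId = issuer.getValue();
        if (!SAML2Utils.isSourceSiteValid(issuer, realm, authnAuthorityEntityId)) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("authnQueryIssuerInvalid"));
        }
        SPSSODescriptorElement spDescriptor = SAML2Utils.getSAML2MetaManager().getSPSSODescriptor(realm, spEntityId);
        if (spDescriptor == null) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("authnQueryIssuerNotFound"));
        }
        Set<X509Certificate> verificationCerts =
                KeyUtil.getVerificationCerts(spDescriptor, spEntityId, SAML2Constants.SP_ROLE);
        if (verificationCerts.isEmpty()) {
            // Fail closed: without trusted certificates no signature can be accepted.
            throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
        }
        boolean signatureValid = authnQuery.isSignatureValid(verificationCerts);
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("AuthnQueryUtil.verifyAuthnQuery: Signature validity is : " + signatureValid);
        }
        if (!signatureValid) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignatureAuthnQuery"));
        }
    }

    /**
     * Signs {@code response} with this authority's signing key.
     *
     * @param response response to sign
     * @param authnAuthorityEntityId entity ID of this authentication authority
     * @param realm realm of this authentication authority
     * @param includeCert whether to embed the signing certificate in the signature
     * @throws SAML2Exception if no private key is configured for the authority's signing alias,
     *     or signing fails
     */
    private static void signResponse(Response response, String authnAuthorityEntityId, String realm,
            boolean includeCert) throws SAML2Exception {
        String alias = SAML2Utils.getSigningCertAlias(realm, authnAuthorityEntityId,
                SAML2Constants.AUTHN_AUTH_ROLE);
        PrivateKey privateKey = keyProvider.getPrivateKey(alias);
        if (privateKey == null) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
        }
        X509Certificate signingCert = includeCert ? keyProvider.getX509Certificate(alias) : null;
        response.sign(privateKey, signingCert);
    }

    /**
     * Sends the (already signed) query to {@code authnServiceUrl} over SOAP and returns the
     * verified {@code Response}.
     *
     * @param authnQuery signed query
     * @param authnServiceUrl the authority's {@code AuthnQueryService} SOAP endpoint
     * @param authnAuthorityEntityId entity ID of the authority being queried
     * @param realm realm in which the authority's configuration is registered
     * @param authnAuthority the authority's descriptor, used to verify the response signature
     * @return the verified response
     * @throws SAML2Exception on SOAP transport failure ({@code errorSendingAuthnQuery}), if the
     *     SOAP body holds no {@code Response}, or if the response fails verification
     */
    private static Response sendAuthnQuerySOAP(AuthnQuery authnQuery, String authnServiceUrl,
            String authnAuthorityEntityId, String realm, AuthnAuthorityDescriptorElement authnAuthority)
            throws SAML2Exception {
        String queryXml = authnQuery.toXMLString(true, true);
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("AuthnQueryUtil.sendAuthnQuerySOAP: authnQueryXMLString = " + queryXml);
            SAML2Utils.debug.message("AuthnQueryUtil.sendAuthnQuerySOAP: authnServiceURL= " + authnServiceUrl);
        }
        try {
            // Basic-auth credentials (if configured for the authority) are folded into the URL.
            String endpoint = SAML2Utils.fillInBasicAuthInfo(
                    metaManager.getAuthnAuthorityConfig(realm, authnAuthorityEntityId), authnServiceUrl);
            SOAPCommunicator soap = SOAPCommunicator.getInstance();
            Response samlResponse = ProtocolFactory.getInstance().createResponse(
                    soap.getSamlpElement(soap.sendSOAPMessage(queryXml, endpoint, true), "Response"));
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(
                        "AuthnQueryUtil.sendAuthnQuerySOAP: response = " + samlResponse.toXMLString(true, true));
            }
            verifyResponse(samlResponse, authnQuery, authnAuthorityEntityId, realm, authnAuthority);
            return samlResponse;
        } catch (SOAPException e) {
            SAML2Utils.debug.error("AuthnQueryUtil.sendAuthnQuerySOAP: ", e);
            throw new SAML2Exception(SAML2Utils.bundle.getString("errorSendingAuthnQuery"));
        }
    }

    /**
     * Verifies a {@code Response} received from an authentication authority.
     *
     * <p>Checks, in order: {@code InResponseTo} matches the query ID; the response issuer equals
     * the queried authority; the response is signed and the signature validates against the
     * authority's {@code AuthnAuthority} certificates; encrypted assertions are decrypted with the
     * SP's keys; and every <em>signed</em> assertion validates against the authority's IDP
     * certificates. Unsigned assertions are accepted on the strength of the response signature.
     *
     * <p>NOTE(review): when the response carries no {@code Issuer} the method returns early and
     * none of the signature or assertion checks run. A fail-closed policy would reject such a
     * response instead; confirm with the authorities in use before changing this.
     *
     * @param response the received response
     * @param authnQuery the query the response answers
     * @param authnAuthorityEntityId entity ID of the queried authority
     * @param realm realm of the requesting SP
     * @param authnAuthority the authority's descriptor holding its certificates
     * @throws SAML2Exception if any check fails (bundle keys
     *     {@code invalidInResponseToAuthnQuery}, {@code responseIssuerMismatch},
     *     {@code responseNotSigned}, {@code missingSigningCertAlias},
     *     {@code invalidSignatureOnResponse}, {@code invalidSignatureOnAssertion}) or decryption fails
     */
    private static void verifyResponse(Response response, AuthnQuery authnQuery, String authnAuthorityEntityId,
            String realm, AuthnAuthorityDescriptorElement authnAuthority) throws SAML2Exception {
        String queryId = authnQuery.getID();
        if (queryId != null && !queryId.equals(response.getInResponseTo())) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("invalidInResponseToAuthnQuery"));
        }
        Issuer responseIssuer = response.getIssuer();
        if (responseIssuer == null) {
            return;
        }
        if (!authnAuthorityEntityId.equals(responseIssuer.getValue())) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("responseIssuerMismatch"));
        }
        if (!response.isSigned()) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("responseNotSigned"));
        }
        Set<X509Certificate> responseCerts = KeyUtil.getVerificationCerts(authnAuthority, authnAuthorityEntityId,
                SAML2Constants.AUTHN_AUTH_ROLE);
        if (responseCerts.isEmpty()) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
        }
        boolean responseSignatureValid = response.isSignatureValid(responseCerts);
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(
                    "AuthnQueryUtil.verifyResponse: Signature validity is : " + responseSignatureValid);
        }
        if (!responseSignatureValid) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignatureOnResponse"));
        }

        List<Assertion> assertions = response.getAssertion();
        if (assertions == null) {
            List<?> encrypted = response.getEncryptedAssertion();
            if (encrypted != null && !encrypted.isEmpty()) {
                String spEntityId = authnQuery.getIssuer().getValue();
                Set<PrivateKey> decryptionKeys =
                        KeyUtil.getDecryptionKeys(realm, spEntityId, SAML2Constants.SP_ROLE);
                assertions = new ArrayList<Assertion>(encrypted.size());
                for (Object element : encrypted) {
                    assertions.add(((EncryptedAssertion) element).decrypt(decryptionKeys));
                }
            }
        }
        if (assertions == null || assertions.isEmpty()) {
            return;
        }
        Set<X509Certificate> assertionCerts =
                KeyUtil.getVerificationCerts(authnAuthority, authnAuthorityEntityId, SAML2Constants.IDP_ROLE);
        for (Assertion assertion : assertions) {
            if (!assertion.isSigned()) {
                continue;
            }
            if (assertionCerts.isEmpty()) {
                throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
            }
            boolean assertionSignatureValid = assertion.isSignatureValid(assertionCerts);
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(
                        "AuthnQueryUtil.verifyResponse: Signature validity is : " + assertionSignatureValid);
            }
            if (!assertionSignatureValid) {
                throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignatureOnAssertion"));
            }
        }
    }

    /**
     * Extracts the subject's persistent {@code NameID}, decrypting an {@code EncryptedID} with this
     * authority's keys when no plain {@code NameID} is present.
     *
     * @param subject the query subject
     * @param realm realm of this authentication authority
     * @param authnAuthorityEntityId entity ID of this authentication authority
     * @return the persistent {@code NameID}, or {@code null} if the subject has neither a
     *     {@code NameID} nor an {@code EncryptedID}, decryption fails (logged at debug level),
     *     or the identifier is not persistent
     */
    private static NameID getNameID(Subject subject, String realm, String authnAuthorityEntityId) {
        NameID nameID = subject.getNameID();
        if (nameID == null) {
            // A subject with neither identifier form cannot be resolved; previously this was an NPE.
            if (subject.getEncryptedID() == null) {
                return null;
            }
            try {
                nameID = subject.getEncryptedID().decrypt(
                        KeyUtil.getDecryptionKeys(realm, authnAuthorityEntityId, SAML2Constants.AUTHN_AUTH_ROLE));
            } catch (SAML2Exception e) {
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message("AuthnQueryUtil.getNameID:", e);
                }
                return null;
            }
        }
        return SAML2Utils.isPersistentNameID(nameID) ? nameID : null;
    }
}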
