package com.sun.identity.saml2.soapbinding;

import com.sun.identity.saml.xmlsig.KeyProvider;
import com.sun.identity.saml2.assertion.Assertion;
import com.sun.identity.saml2.assertion.AssertionFactory;
import com.sun.identity.saml2.assertion.EncryptedAssertion;
import com.sun.identity.saml2.assertion.Issuer;
import com.sun.identity.saml2.common.SAML2Constants;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.common.SAML2SDKUtils;
import com.sun.identity.saml2.common.SAML2Utils;
import com.sun.identity.saml2.jaxb.entityconfig.BaseConfigType;
import com.sun.identity.saml2.jaxb.entityconfig.XACMLAuthzDecisionQueryConfigElement;
import com.sun.identity.saml2.jaxb.entityconfig.XACMLPDPConfigElement;
import com.sun.identity.saml2.jaxb.metadata.XACMLAuthzServiceElement;
import com.sun.identity.saml2.jaxb.metadata.XACMLPDPDescriptorElement;
import com.sun.identity.saml2.key.KeyUtil;
import com.sun.identity.saml2.logging.LogUtil;
import com.sun.identity.saml2.meta.SAML2MetaException;
import com.sun.identity.saml2.meta.SAML2MetaManager;
import com.sun.identity.saml2.meta.SAML2MetaUtils;
import com.sun.identity.saml2.protocol.RequestAbstract;
import com.sun.identity.saml2.protocol.Response;
import com.sun.identity.saml2.protocol.impl.ResponseImpl;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.shared.jaxrpc.SOAPClient;
import com.sun.identity.xacml.saml2.XACMLAuthzDecisionQuery;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import javax.xml.soap.SOAPException;
import org.forgerock.openam.utils.Time;

/* loaded from: input_file:com/sun/identity/saml2/soapbinding/QueryClient.class */
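public class QueryClient {
    /** Debug sink shared with the rest of the SAML2 SDK; kept non-final because it is public API. */
    public static Debug debug = Debug.getInstance(SAML2SDKUtils.BUNDLE_NAME);

    /** Realm under which every PEP/PDP metadata lookup made by this client is performed. */
    private static final String ROOT_REALM = "/";

    /** Stays {@code null} when the static initializer fails to construct the manager. */
    private static SAML2MetaManager saml2MetaManager;

    /** Static-only utility; never instantiated. */
    private QueryClient() {
    }

    /**
     * Sends an XACML authorization decision query to a PDP over SOAP and returns the PDP's SAML
     * response after issuer, signature and encryption checks.
     * <p>
     * The query is stamped with the PEP as issuer, a fresh ID, SAML 2.0 version and the current
     * time, signed when the PDP config asks for signed queries, wrapped in a SOAP envelope and
     * posted to the PDP's first XACMLAuthzService location. The reply is parsed, its issuer must be
     * a trusted XACML provider for this PEP, and {@link #verifyResponse} then enforces the PEP's
     * signature / encryption expectations on the response and its assertions.
     *
     * @param requestAbstract the query to send; must be a {@link XACMLAuthzDecisionQuery}.
     *        {@code null} yields a {@code null} return (preserved from the original).
     * @param pepEntityID entity ID of the policy enforcement point issuing the query.
     * @param pdpEntityID entity ID of the policy decision point being queried.
     * @return the verified response (with decrypted assertions when encryption was required), or
     *         {@code null} when {@code requestAbstract} is {@code null}.
     * @throws SAML2Exception if either entity ID is blank, the PDP reply's issuer is not trusted,
     *         any verification step fails, or the SOAP exchange raises an error.
     * @throws IllegalArgumentException if {@code requestAbstract} is not a XACMLAuthzDecisionQuery.
     */
    public static Response processXACMLQuery(RequestAbstract requestAbstract, String pepEntityID, String pdpEntityID) throws SAML2Exception {
        if (pepEntityID == null || pepEntityID.isEmpty()) {
            debug.error("QueryClient:processXACMLQueryPEP Identifier is null");
            LogUtil.error(Level.INFO, LogUtil.INVALID_PEP_ID, new String[]{pepEntityID});
            throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullPEP"));
        }
        if (pdpEntityID == null || pdpEntityID.isEmpty()) {
            debug.error("QueryClient:processXACMLQueryPDP Identifier is null");
            LogUtil.error(Level.INFO, LogUtil.INVALID_PDP_ID, new String[]{pdpEntityID});
            throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullPDP"));
        }
        if (requestAbstract == null) {
            // Preserved from the original: a missing request produces no response rather than an error.
            return null;
        }
        if (!(requestAbstract instanceof XACMLAuthzDecisionQuery)) {
            // The original performed an unchecked cast here (ClassCastException); fail descriptively instead.
            throw new IllegalArgumentException("QueryClient:processXACMLQuery request must be a XACMLAuthzDecisionQuery, got "
                    + requestAbstract.getClass().getName());
        }
        XACMLAuthzDecisionQuery query = (XACMLAuthzDecisionQuery) requestAbstract;

        query.setIssuer(createIssuer(pepEntityID));
        query.setID(SAML2SDKUtils.generateID());
        query.setVersion(SAML2Constants.VERSION_2_0);
        query.setIssueInstant(Time.newDate());

        // Sign the query only when the PDP's config asks for it (case-insensitive, like the other flags).
        XACMLPDPConfigElement pdpConfig = getPDPConfig(ROOT_REALM, pdpEntityID);
        if (pdpConfig != null
                && isTrue(getAttributeValueFromPDPConfig(pdpConfig, SAML2Constants.WANT_XACML_AUTHZ_DECISION_QUERY_SIGNED))) {
            signAttributeQuery(query, ROOT_REALM, pepEntityID, true);
        }
        String queryXml = query.toXMLString(true, true);
        if (debug.messageEnabled()) {
            debug.message("QueryClient:processXACMLQueryXACML Query XML String :" + queryXml);
        }

        XACMLAuthzDecisionQueryConfigElement pepConfig = getPEPConfig(ROOT_REALM, pepEntityID);
        String pdpEndPoint = getPDPEndPoint(pdpEntityID);
        if (debug.messageEnabled()) {
            debug.message("QueryClient:processXACMLQuery ResponseLocation is :" + pdpEndPoint);
        }

        Response verified;
        try {
            String soapMessage = SAML2SDKUtils.createSOAPMessageString(queryXml);
            SOAPClient soapClient = new SOAPClient(new String[]{SAML2SDKUtils.fillInBasicAuthInfo(pepConfig, pdpEndPoint)});
            if (debug.messageEnabled()) {
                debug.message("QueryClient:processXACMLQuerysoapMessage :" + soapMessage);
            }
            String responseText = readFully(soapClient.call(soapMessage, (String) null, (String) null));
            if (debug.messageEnabled()) {
                debug.message("Response Message:\n" + responseText);
            }

            Response samlResponse = getSAMLResponse(responseText);
            String responseIssuer = trimmedIssuer(samlResponse == null ? null : samlResponse.getIssuer());
            // The reply's Issuer must be a trusted XACML provider for this PEP before anything else is read.
            if (samlResponse == null || !verifyResponseIssuer(ROOT_REALM, pepEntityID, responseIssuer)) {
                if (debug.messageEnabled()) {
                    debug.message("QueryClient:processXACMLQueryIssuer in Request is not valid.");
                }
                LogUtil.error(Level.INFO, LogUtil.INVALID_ISSUER_IN_PEP_REQUEST, new String[]{ROOT_REALM, pepEntityID, pdpEntityID});
                throw new SAML2Exception("invalidIssuerInRequest");
            }
            if (debug.messageEnabled()) {
                debug.message("QueryClient:processXACMLQueryResponse: " + samlResponse.toXMLString(true, true));
            }
            verified = verifyResponse(ROOT_REALM, pepEntityID, samlResponse);
            if (debug.messageEnabled()) {
                debug.message("QueryClient:processXACMLQueryResponse with decrypted Assertion: " + verified.toXMLString(true, true));
            }
        } catch (SAML2Exception e) {
            // Keep the specific error code instead of re-wrapping it as a bare message.
            throw e;
        } catch (SOAPException e) {
            // Must precede the generic catch: the original had them reversed, which is not valid Java.
            if (debug.messageEnabled()) {
                debug.message("QueryClient:processXACMLQuerySOAPException :", e);
            }
            throw new SAML2Exception(e.getMessage());
        } catch (Exception e) {
            if (debug.messageEnabled()) {
                debug.message("QueryClient:processXACMLQueryException ", e);
            }
            throw new SAML2Exception(e.getMessage());
        }
        return verified;
    }

    /**
     * Reads the whole stream as UTF-8 text, one line per {@code readLine()} call, re-joining with
     * {@code '\n'} (the original's framing), and closes the stream afterwards (the original leaked it).
     *
     * @param in response body; closed on return.
     * @return the text with each line terminated by {@code '\n'}.
     * @throws IOException on read failure.
     */
    private static String readFully(InputStream in) throws IOException {
        BufferedReader reader = new BufferedReader(new InputStreamReader(in, "UTF-8"));
        try {
            StringBuilder text = new StringBuilder();
            String line;
            while ((line = reader.readLine()) != null) {
                text.append(line).append('\n');
            }
            return text.toString();
        } finally {
            reader.close();
        }
    }

    /**
     * Returns the trimmed issuer value, or {@code null} when the issuer or its value is absent.
     * A {@code null} result is later rejected by the trust checks rather than raising an NPE.
     */
    private static String trimmedIssuer(Issuer issuer) {
        if (issuer == null || issuer.getValue() == null) {
            return null;
        }
        return issuer.getValue().trim();
    }

    /** Case-insensitive "true" test for the string-valued config flags read by this class. */
    private static boolean isTrue(String value) {
        return value != null && value.equalsIgnoreCase("true");
    }

    /**
     * Returns the metadata manager built by the static initializer.
     *
     * @throws SAML2Exception (metaDataError) when the manager could not be created; the original
     *         dereferenced the field directly and raised a NullPointerException in that case.
     */
    private static SAML2MetaManager requireMetaManager() throws SAML2Exception {
        if (saml2MetaManager == null) {
            debug.error("QueryClient:requireMetaManager metadata manager is not available");
            throw new SAML2Exception(SAML2SDKUtils.bundle.getString("metaDataError"));
        }
        return saml2MetaManager;
    }

    /**
     * Builds an {@link Issuer} element carrying {@code entityID} as its value.
     *
     * @throws SAML2Exception propagated from the assertion factory.
     */
    private static Issuer createIssuer(String entityID) throws SAML2Exception {
        Issuer issuer = AssertionFactory.getInstance().createIssuer();
        issuer.setValue(entityID);
        return issuer;
    }

    /**
     * Parses the SOAP reply text into a SAML {@link Response}.
     * <p>
     * NOTE(review): the decompiler could not recover this method's body (JADX reported a
     * restructuring failure); the placeholder below is what the decompiler emitted. It must be
     * replaced with the real implementation from the project sources before this class can run.
     *
     * @param responseText the SOAP message body returned by the PDP.
     * @throws IOException, SAML2Exception declared by the original signature.
     */
    private static Response getSAMLResponse(String responseText) throws IOException, SAML2Exception {
        throw new UnsupportedOperationException("Method not decompiled: com.sun.identity.saml2.soapbinding.QueryClient.getSAMLResponse(java.lang.String):com.sun.identity.saml2.protocol.Response");
    }

    /**
     * Checks whether {@code issuerID} is a trusted XACML provider for the PEP in the given realm.
     *
     * @return {@code true} only when metadata says the issuer is trusted; a metadata error is
     *         logged and treated as "not trusted" (fail closed).
     * @throws SAML2Exception when the metadata manager is unavailable.
     */
    private static boolean verifyResponseIssuer(String realm, String pepEntityID, String issuerID) throws SAML2Exception {
        try {
            return requireMetaManager().isTrustedXACMLProvider(realm, pepEntityID, issuerID, SAML2Constants.PEP_ROLE);
        } catch (SAML2MetaException e) {
            debug.error("Error retreiving meta", e);
            return false;
        }
    }

    /**
     * Looks up the location of the PDP's first XACMLAuthzService endpoint.
     *
     * @param pdpEntityID entity ID of the PDP; the descriptor is looked up with a {@code null} realm,
     *        as in the original.
     * @return the endpoint location, or {@code null} when the manager is unavailable, the descriptor
     *         or service list is missing, or the first entry is not a XACMLAuthzServiceElement.
     * @throws SAML2Exception (pdpMetaRetreivalError) when the metadata lookup fails.
     */
    private static String getPDPEndPoint(String pdpEntityID) throws SAML2Exception {
        if (saml2MetaManager == null) {
            return null;
        }
        try {
            XACMLPDPDescriptorElement descriptor = saml2MetaManager.getPolicyDecisionPointDescriptor(null, pdpEntityID);
            if (descriptor == null) {
                return null;
            }
            List<?> services = descriptor.getXACMLAuthzService();
            if (services == null || services.isEmpty()) {
                return null;
            }
            Object first = services.get(0);
            if (!(first instanceof XACMLAuthzServiceElement)) {
                return null;
            }
            String location = ((XACMLAuthzServiceElement) first).getLocation();
            if (debug.messageEnabled()) {
                debug.message("QueryClient:getPDPEndPointEndPoint :" + location);
            }
            return location;
        } catch (SAML2MetaException e) {
            if (debug.messageEnabled()) {
                debug.message("QueryClient:getPDPEndPointError retreiving PDP Meta", e);
            }
            String[] data = {pdpEntityID};
            LogUtil.error(Level.INFO, LogUtil.PDP_METADATA_ERROR, data);
            throw new SAML2Exception(SAML2SDKUtils.BUNDLE_NAME, "pdpMetaRetreivalError", data);
        }
    }

    /**
     * Fetches the PEP's extended entity config.
     *
     * @return the config, or {@code null} when the metadata manager is unavailable.
     * @throws SAML2Exception (pepMetaRetreivalError) when the lookup fails.
     */
    private static XACMLAuthzDecisionQueryConfigElement getPEPConfig(String realm, String pepEntityID) throws SAML2Exception {
        if (saml2MetaManager == null) {
            return null;
        }
        try {
            return saml2MetaManager.getPolicyEnforcementPointConfig(realm, pepEntityID);
        } catch (SAML2MetaException e) {
            if (debug.messageEnabled()) {
                debug.message("QueryClient:getPEPConfigError retreiving PEP meta", e);
            }
            String[] data = {pepEntityID};
            LogUtil.error(Level.INFO, LogUtil.PEP_METADATA_ERROR, data);
            throw new SAML2Exception(SAML2SDKUtils.BUNDLE_NAME, "pepMetaRetreivalError", data);
        }
    }

    /**
     * Fetches the PDP's extended entity config.
     *
     * @return the config, or {@code null} when the metadata manager is unavailable.
     * @throws SAML2Exception (pdpMetaRetreivalError) when the lookup fails.
     */
    private static XACMLPDPConfigElement getPDPConfig(String realm, String pdpEntityID) throws SAML2Exception {
        if (saml2MetaManager == null) {
            return null;
        }
        try {
            return saml2MetaManager.getPolicyDecisionPointConfig(realm, pdpEntityID);
        } catch (SAML2MetaException e) {
            if (debug.messageEnabled()) {
                debug.message("QueryClient:getPDPConfigError retreiving PDP meta", e);
            }
            String[] data = {pdpEntityID};
            // The original logged this PDP failure under the PEP log id; use the PDP one.
            LogUtil.error(Level.INFO, LogUtil.PDP_METADATA_ERROR, data);
            throw new SAML2Exception(SAML2SDKUtils.BUNDLE_NAME, "pdpMetaRetreivalError", data);
        }
    }

    /**
     * Enforces the PEP's trust requirements on a PDP response.
     * <p>
     * Order of checks: response issuer is a trusted XACML provider; response signature (when the
     * PEP config requires signed responses); assertions are encrypted when the PEP requires it;
     * encrypted assertions are decrypted with the PEP's decryption keys; at least one assertion is
     * present; every assertion's issuer is trusted and equals the response issuer; and, when the
     * PEP descriptor wants signed assertions, each assertion carries a valid signature from the PDP.
     *
     * @param realm realm of the PEP.
     * @param pepEntityID entity ID of the PEP that sent the query.
     * @param response the parsed PDP response; {@code null} is returned unchanged.
     * @return {@code response} itself, or a copy holding the decrypted assertions when the PEP
     *         requires encrypted assertions. When encryption is not required, decrypted assertions
     *         are appended to the list returned by {@code response.getAssertion()} (as the original did).
     * @throws SAML2Exception on any failed check or metadata error.
     */
    private static Response verifyResponse(String realm, String pepEntityID, Response response) throws SAML2Exception {
        if (response == null) {
            return null;
        }
        String responseIssuer = trimmedIssuer(response.getIssuer());
        if (!verifyResponseIssuer(realm, pepEntityID, responseIssuer)) {
            if (debug.messageEnabled()) {
                debug.message("QueryClient:verifyResponseIssuer in Response is not valid.");
            }
            String[] data = {realm, pepEntityID, responseIssuer};
            LogUtil.error(Level.INFO, LogUtil.INVALID_ISSUER_RESPONSE, data);
            throw new SAML2Exception(SAML2SDKUtils.BUNDLE_NAME, "invalidIssuerInResponse", data);
        }
        // The original discarded this boolean, so a response with an invalid signature was still
        // accepted even when the PEP was configured to require signed responses.
        if (!verifySignedResponse(pepEntityID, responseIssuer, response)) {
            debug.error("QueryClient:verifyResponse Response signature is not valid.");
            throw new SAML2Exception("invalidSignatureInResponse");
        }

        Response result = response;
        try {
            SAML2MetaManager metaManager = requireMetaManager();
            XACMLAuthzDecisionQueryConfigElement pepConfig = metaManager.getPolicyEnforcementPointConfig(realm, pepEntityID);
            boolean wantEncrypted = isTrue(getAttributeValueFromPEPConfig(pepConfig, SAML2Constants.WANT_ASSERTION_ENCRYPTED));
            boolean wantSigned = wantAssertionSigned(realm, pepEntityID);
            String responseID = response.getID();

            List<Assertion> assertions = response.getAssertion();
            if (wantEncrypted && assertions != null && !assertions.isEmpty()) {
                LogUtil.error(Level.INFO, LogUtil.ASSERTION_FROM_PDP_NOT_ENCRYPTED, new String[]{responseIssuer, responseID});
                throw new SAML2Exception(SAML2SDKUtils.bundle.getString("assertionNotEncrypted"));
            }
            assertions = decryptAssertions(response, pepConfig, assertions);
            if (assertions == null || assertions.isEmpty()) {
                if (debug.messageEnabled()) {
                    debug.message("QueryClient:verifyResponseno assertion in the Response.");
                }
                LogUtil.error(Level.INFO, LogUtil.MISSING_ASSERTION_IN_PDP_RESPONSE, new String[]{responseIssuer, responseID});
                throw new SAML2Exception(SAML2SDKUtils.bundle.getString("missingAssertion"));
            }

            Set<X509Certificate> verificationCerts = null;
            if (wantSigned) {
                verificationCerts = KeyUtil.getPDPVerificationCerts(
                        metaManager.getPolicyDecisionPointDescriptor(realm, responseIssuer), responseIssuer);
            }
            for (Assertion assertion : assertions) {
                checkAssertion(realm, pepEntityID, responseIssuer, assertion, wantSigned, verificationCerts);
            }
            if (wantEncrypted) {
                result = createResponse(response, assertions);
            }
            if (debug.messageEnabled()) {
                debug.message("QueryClient:verifyResponse Response : " + result.toXMLString(true, true));
            }
        } catch (SAML2MetaException e) {
            if (debug.messageEnabled()) {
                debug.message("QueryClient:verifyResponseError retreiving meta", e);
            }
            throw new SAML2Exception(SAML2SDKUtils.bundle.getString("metaDataError"));
        }
        return result;
    }

    /**
     * Decrypts every EncryptedAssertion in the response with the PEP's decryption keys and appends
     * the results to {@code assertions}.
     *
     * @param assertions the response's plain assertion list; may be {@code null}. When non-null it
     *        is appended to in place, matching the original behaviour.
     * @return {@code assertions} (possibly a fresh list when it was {@code null} and something was
     *         decrypted), or the input unchanged when there is nothing to decrypt.
     * @throws SAML2Exception propagated from decryption.
     */
    private static List<Assertion> decryptAssertions(Response response, XACMLAuthzDecisionQueryConfigElement pepConfig,
            List<Assertion> assertions) throws SAML2Exception {
        List<?> encrypted = response.getEncryptedAssertion();
        if (encrypted == null || encrypted.isEmpty()) {
            return assertions;
        }
        Set<PrivateKey> decryptionKeys = KeyUtil.getDecryptionKeys((BaseConfigType) pepConfig);
        List<Assertion> result = assertions == null ? new ArrayList<Assertion>() : assertions;
        for (Object item : encrypted) {
            result.add(((EncryptedAssertion) item).decrypt(decryptionKeys));
        }
        return result;
    }

    /**
     * Validates one assertion of a PDP response: trusted issuer, issuer equal to the response
     * issuer, and (when required) a valid signature against the PDP's verification certificates.
     *
     * @throws SAML2Exception on the first failed check.
     */
    private static void checkAssertion(String realm, String pepEntityID, String responseIssuer, Assertion assertion,
            boolean wantSigned, Set<X509Certificate> verificationCerts) throws SAML2Exception {
        String assertionID = assertion.getID();
        String assertionIssuer = trimmedIssuer(assertion.getIssuer());
        if (assertionIssuer == null || !verifyResponseIssuer(realm, pepEntityID, assertionIssuer)) {
            debug.error("QueryClient:verifyResponseAssertion's source site is not valid.");
            LogUtil.error(Level.INFO, LogUtil.INVALID_ISSUER_IN_ASSERTION_FROM_PDP, new String[]{assertionIssuer, assertionID});
            throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalidIssuerInAssertion"));
        }
        if (!assertionIssuer.equals(responseIssuer)) {
            if (debug.messageEnabled()) {
                debug.message("QueryClient:verifyResponseIssuer in Assertion " + assertionIssuer
                        + "doesn't match the Issuer in Response." + responseIssuer);
            }
            LogUtil.error(Level.INFO, LogUtil.MISMATCH_ISSUER_IN_ASSERTION_FROM_PDP, new String[]{responseIssuer, assertionIssuer});
            throw new SAML2Exception(SAML2SDKUtils.bundle.getString("mismatchIssuer"));
        }
        if (wantSigned) {
            if (debug.messageEnabled()) {
                debug.message("QueryClient:verifyResponsewantAssertionSigned " + wantSigned);
            }
            // An unsigned assertion is rejected outright; a signed one must verify against the PDP certs.
            if (!assertion.isSigned() || !assertion.isSignatureValid(verificationCerts)) {
                debug.error("QueryClient:verifyResponseAssertion is not signed or signature is not valid.");
                LogUtil.error(Level.INFO, LogUtil.INVALID_SIGNATURE_ASSERTION_FROM_PDP, new String[]{assertionIssuer, assertionID});
                throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalidSignatureOnAssertion"));
            }
        }
    }

    /**
     * Copies the header fields of {@code response} into a new {@link ResponseImpl} whose assertion
     * list is {@code assertions} (used to replace encrypted assertions with their decrypted form).
     *
     * @throws SAML2Exception propagated from the setters.
     */
    private static Response createResponse(Response response, List<Assertion> assertions) throws SAML2Exception {
        ResponseImpl copy = new ResponseImpl();
        copy.setVersion(response.getVersion());
        copy.setIssueInstant(response.getIssueInstant());
        copy.setID(response.getID());
        copy.setInResponseTo(response.getInResponseTo());
        copy.setIssuer(response.getIssuer());
        copy.setDestination(response.getDestination());
        copy.setExtensions(response.getExtensions());
        copy.setConsent(response.getConsent());
        copy.setStatus(response.getStatus());
        copy.setAssertion(assertions);
        return copy;
    }

    /**
     * Returns the first value of {@code attrName} in the PEP config's attribute map.
     *
     * @return the value, or {@code null} when the map, the entry or its value list is absent/empty.
     * @throws SAML2MetaException propagated from {@link SAML2MetaUtils#getAttributes}.
     */
    private static String getAttributeValueFromPEPConfig(XACMLAuthzDecisionQueryConfigElement pepConfig, String attrName) throws SAML2MetaException {
        if (debug.messageEnabled()) {
            debug.message("QueryClient:getAttributeValueFromPEPConfig:attrName : " + attrName);
        }
        String value = firstAttributeValue(SAML2MetaUtils.getAttributes(pepConfig), attrName);
        if (debug.messageEnabled()) {
            debug.message("QueryClient:getAttributeValueFromPEPConfig:Attribute value is : " + value);
        }
        return value;
    }

    /**
     * Returns the first value of {@code attrName} in the PDP config's attribute map.
     *
     * @return the value, or {@code null} when the map, the entry or its value list is absent/empty.
     * @throws SAML2MetaException propagated from {@link SAML2MetaUtils#getAttributes}.
     */
    private static String getAttributeValueFromPDPConfig(XACMLPDPConfigElement pdpConfig, String attrName) throws SAML2MetaException {
        if (debug.messageEnabled()) {
            debug.message("QueryClient:getAttributeValueFromPDPConfig:attrName : " + attrName);
        }
        String value = firstAttributeValue(SAML2MetaUtils.getAttributes(pdpConfig), attrName);
        if (debug.messageEnabled()) {
            debug.message("QueryClient:getAttributeValueFromPDPConfig:Attribute value is : " + value);
        }
        return value;
    }

    /** First element of {@code attributes.get(attrName)}, or {@code null} if anything along the way is missing. */
    private static String firstAttributeValue(Map<String, List<String>> attributes, String attrName) {
        if (attributes == null) {
            return null;
        }
        List<String> values = attributes.get(attrName);
        if (values == null || values.isEmpty()) {
            return null;
        }
        return values.get(0);
    }

    /**
     * Reads the PEP descriptor's WantAssertionsSigned flag.
     *
     * @throws SAML2Exception when the metadata manager is unavailable or the descriptor lookup fails.
     */
    private static boolean wantAssertionSigned(String realm, String pepEntityID) throws SAML2Exception {
        return requireMetaManager().getPolicyEnforcementPointDescriptor(realm, pepEntityID).isWantAssertionsSigned();
    }

    /**
     * Signs the query with the PEP's signing key (alias {@code signingCertAlias} from the PEP config).
     *
     * @param includeCert whether to embed the matching X.509 certificate in the signature.
     * @throws SAML2Exception (missingSigningCertAlias) when no private key exists for the alias.
     */
    private static void signAttributeQuery(XACMLAuthzDecisionQuery query, String realm, String pepEntityID, boolean includeCert) throws SAML2Exception {
        KeyProvider keyProvider = KeyUtil.getKeyProviderInstance();
        String signingCertAlias = getAttributeValueFromPEPConfig(getPEPConfig(realm, pepEntityID), "signingCertAlias");
        PrivateKey signingKey = keyProvider.getPrivateKey(signingCertAlias);
        if (signingKey == null) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
        }
        X509Certificate cert = includeCert ? keyProvider.getX509Certificate(signingCertAlias) : null;
        query.sign(signingKey, cert);
    }

    /**
     * Verifies the response signature when the PEP config requires signed decision responses.
     *
     * @param pepEntityID entity ID of the PEP (its config is read in the root realm).
     * @param pdpEntityID entity ID of the PDP whose verification certificates are used.
     * @param response the response whose signature is checked.
     * @return {@code true} when no signature is required, otherwise the result of
     *         {@code response.isSignatureValid(...)} — callers must act on a {@code false} result.
     * @throws SAML2Exception (metaDataError) when a signature is required but the PDP has no
     *         verification certificates, or the metadata manager is unavailable.
     */
    public static boolean verifySignedResponse(String pepEntityID, String pdpEntityID, Response response) throws SAML2Exception {
        String wantSigned = getAttributeValueFromPEPConfig(getPEPConfig(ROOT_REALM, pepEntityID),
                SAML2Constants.WANT_XACML_AUTHZ_DECISION_RESPONSED_SIGNED);
        if (!isTrue(wantSigned)) {
            if (debug.messageEnabled()) {
                debug.message("QueryClient:verifySignedResponse: Response doesn't need to be verified.");
            }
            return true;
        }
        Set<X509Certificate> verificationCerts = KeyUtil.getPDPVerificationCerts(
                requireMetaManager().getPolicyDecisionPointDescriptor(null, pdpEntityID), pdpEntityID);
        if (verificationCerts.isEmpty()) {
            debug.error("QueryClient:verifySignedResponse: Incorrect configuration for Signing Certificate.");
            throw new SAML2Exception(SAML2SDKUtils.bundle.getString("metaDataError"));
        }
        boolean valid = response.isSignatureValid(verificationCerts);
        if (debug.messageEnabled()) {
            debug.message("QueryClient:verifySignedResponse: Signature is valid :" + valid);
        }
        return valid;
    }

    static {
        saml2MetaManager = null;
        try {
            saml2MetaManager = new SAML2MetaManager();
        } catch (SAML2MetaException e) {
            // Left null on failure; requireMetaManager() turns that into a SAML2Exception later.
            debug.error("Error retreiving metadata", e);
        }
    }
}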
