package com.sun.identity.saml2.profile;

import com.sun.identity.plugin.session.SessionException;
import com.sun.identity.plugin.session.SessionManager;
import com.sun.identity.plugin.session.SessionProvider;
import com.sun.identity.saml.xmlsig.KeyProvider;
import com.sun.identity.saml2.assertion.AssertionFactory;
import com.sun.identity.saml2.assertion.EncryptedID;
import com.sun.identity.saml2.assertion.NameID;
import com.sun.identity.saml2.common.AccountUtils;
import com.sun.identity.saml2.common.NameIDInfo;
import com.sun.identity.saml2.common.SAML2Constants;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.common.SAML2SDKUtils;
import com.sun.identity.saml2.common.SAML2Utils;
import com.sun.identity.saml2.common.SOAPCommunicator;
import com.sun.identity.saml2.jaxb.entityconfig.BaseConfigType;
import com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement;
import com.sun.identity.saml2.jaxb.metadata.NameIDMappingServiceElement;
import com.sun.identity.saml2.key.EncInfo;
import com.sun.identity.saml2.key.KeyUtil;
import com.sun.identity.saml2.meta.SAML2MetaException;
import com.sun.identity.saml2.meta.SAML2MetaManager;
import com.sun.identity.saml2.protocol.NameIDMappingRequest;
import com.sun.identity.saml2.protocol.NameIDMappingResponse;
import com.sun.identity.saml2.protocol.NameIDPolicy;
import com.sun.identity.saml2.protocol.ProtocolFactory;
import com.sun.identity.saml2.protocol.Status;
import com.sun.identity.shared.xml.XMLUtils;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.xml.soap.SOAPException;
import org.forgerock.openam.utils.Time;

/* loaded from: input_file:com/sun/identity/saml2/profile/NameIDMapping.class */
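/**
 * SAML2 Name Identifier Mapping profile over the SOAP binding.
 *
 * <p>SP side: {@link #initiateNameIDMappingRequest} resolves the user of an SP session to the
 * federation that user has with the IdP, wraps that name identifier in a signed
 * {@code NameIDMappingRequest}, posts it to the IdP's NameIDMappingService and verifies the
 * signature on the {@code NameIDMappingResponse} that comes back.
 *
 * <p>IdP side: {@link #processNameIDMappingRequest} resolves the requesting SP's name identifier
 * to a local user, looks up that user's federation with the target SP named in the request's
 * {@code NameIDPolicy/@SPNameQualifier}, and returns the mapped identifier in encrypted form in a
 * signed response. Conditions under which no mapping can be returned are reported through the
 * response {@code Status} rather than by throwing.
 *
 * <p>Signature verification of the incoming request is not performed in this class; it is
 * presumably done by the endpoint that unmarshals the request before calling
 * {@link #processNameIDMappingRequest} (NOTE(review): confirm against that caller).
 *
 * <p>All members are static. The metadata manager and session provider are created in the static
 * initializer and stay {@code null} if that fails; the public entry points then fail with a
 * metadata/session error instead of a {@code NullPointerException}.
 */
public class NameIDMapping {
    /** SAML2 metadata manager; {@code null} if the static initializer could not create it. */
    static SAML2MetaManager metaManager;
    /** Session provider used to resolve the caller's principal; {@code null} if unavailable. */
    static SessionProvider sessionProvider;
    /** Factory for protocol ({@code samlp}) elements. */
    static ProtocolFactory pf = ProtocolFactory.getInstance();
    /** Factory for assertion ({@code saml}) elements such as {@code NameID}. */
    static AssertionFactory af = AssertionFactory.getInstance();
    /** Key provider that supplies signing keys and certificates by alias. */
    static KeyProvider keyProvider = KeyUtil.getKeyProviderInstance();

    /** Optional parameter that overrides the NameIDMappingService location taken from IdP metadata. */
    private static final String NIM_URL_PARAM = "nimURL";

    /**
     * SP side: builds, signs and sends a {@code NameIDMappingRequest} to the IdP over SOAP and
     * returns the IdP's signature-verified response.
     *
     * <p>The request asks the IdP to map the user's name identifier at the hosted SP to the name
     * identifier the same user has at {@code targetSPEntityID}, in {@code targetNameIDFormat}.
     *
     * @param session the SP-side session object of the user whose identifier is to be mapped
     * @param realm the realm of the hosted SP
     * @param spEntityID entity ID of the hosted SP that issues the request; must not be {@code null}
     * @param idpEntityID entity ID of the IdP that performs the mapping; must not be {@code null}
     * @param targetSPEntityID entity ID of the SP whose identifier is wanted
     *     (becomes {@code NameIDPolicy/@SPNameQualifier})
     * @param targetNameIDFormat requested identifier format (becomes {@code NameIDPolicy/@Format});
     *     may be {@code null}
     * @param paramsMap optional parameters read via {@code SAML2Utils.getParameter}:
     *     {@code SAML2Constants.BINDING} (only SOAP is accepted) and {@code "nimURL"}, which
     *     replaces the endpoint location from metadata
     * @return the {@code NameIDMappingResponse} returned by the IdP, after issuer and signature checks
     * @throws SAML2Exception if an entity ID is missing, the session cannot be resolved, the binding
     *     is not SOAP, no NameIDMappingService endpoint can be found, signing fails, the SOAP
     *     exchange fails, or the response issuer or signature does not verify
     */
    public static NameIDMappingResponse initiateNameIDMappingRequest(Object session, String realm, String spEntityID, String idpEntityID, String targetSPEntityID, String targetNameIDFormat, Map paramsMap) throws SAML2Exception {
        if (spEntityID == null) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("nullSPEntityID"));
        }
        if (idpEntityID == null) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("nullIDPEntityID"));
        }
        requireMetaManager();
        String userID = getPrincipalName(session);
        if (userID == null) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
        }
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("NameIDMapping.initiateNameMappingRequest: IDP EntityID is : " + idpEntityID);
            SAML2Utils.debug.message("NameIDMapping.initiateNameMappingRequest: SP HOST EntityID is : " + spEntityID);
            SAML2Utils.debug.message("NameIDMapping.initiateNameMappingRequest: target SP EntityID is : " + targetSPEntityID);
        }
        try {
            // Only the SOAP binding is implemented for this profile; an explicit other binding is an error.
            String binding = SAML2Utils.getParameter(paramsMap, SAML2Constants.BINDING);
            if (binding == null) {
                binding = SAML2Constants.SOAP;
            } else if (!binding.equals(SAML2Constants.SOAP)) {
                throw new SAML2Exception(SAML2Utils.bundle.getString("nimServiceBindingUnsupport"));
            }
            // NOTE(review): the "nimURL" parameter redirects the signed request (which carries the
            // user's NameID) to whatever location the caller supplies, bypassing IdP metadata. Callers
            // must source it from trusted configuration, never from untrusted request parameters.
            String nimURL = SAML2Utils.getParameter(paramsMap, NIM_URL_PARAM);
            if (nimURL == null) {
                NameIDMappingServiceElement service = getNameIDMappingService(realm, idpEntityID, binding);
                if (service != null) {
                    nimURL = service.getLocation();
                }
            }
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("NameIDMapping.initiateNameMappingRequest: nimURL" + nimURL);
            }
            if (nimURL == null) {
                throw new SAML2Exception(SAML2Utils.bundle.getString("nimServiceNotFound"));
            }
            NameIDMappingRequest request = createNameIDMappingRequest(userID, realm, spEntityID, idpEntityID, nimURL, targetSPEntityID, targetNameIDFormat);
            signNIMRequest(request, realm, spEntityID, true);
            // Basic-auth credentials for the endpoint, if configured, are merged into the URL.
            String endpoint = SAML2SDKUtils.fillInBasicAuthInfo(metaManager.getIDPSSOConfig(realm, idpEntityID), nimURL);
            return doNIMBySOAP(request.toXMLString(true, true), endpoint, realm, spEntityID);
        } catch (SAML2MetaException e) {
            // The original cause is logged because the rethrown exception carries only a bundle message.
            SAML2Utils.debug.error("NameIDMapping.initiateNameIDMappingRequest: ", e);
            throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
        }
    }

    /**
     * IdP side: answers a {@code NameIDMappingRequest} with a signed {@code NameIDMappingResponse}.
     *
     * <p>Processing order: the request's {@code Issuer} (the requesting SP) is validated against the
     * realm's trusted SPs; the {@code NameIDPolicy} is inspected; then the user is resolved from the
     * request's {@code NameID} or {@code EncryptedID} and the user's federation with the target SP is
     * looked up. On success the mapped identifier is set as {@code EncryptedID}; otherwise the
     * request's own identifier is echoed back with an {@code INVALID_NAME_ID_POLICY} status.
     *
     * <p>NOTE(review): on success the mapped identifier is encrypted for {@code spEntityID}, i.e.
     * the requesting SP, not for the target SP named in {@code NameIDPolicy/@SPNameQualifier};
     * confirm that this is the intended recipient for this deployment's use of the profile.
     *
     * @param request the unmarshalled request; its signature is assumed to have been verified by the caller
     * @param realm the realm of the hosted IdP
     * @param idpEntityID entity ID of the hosted IdP that issues the response
     * @return the signed response; never {@code null}
     * @throws SAML2Exception if the request has no {@code Issuer}, the issuer is not a trusted SP, the
     *     metadata manager is unavailable, encryption key information for the recipient is missing,
     *     or the response cannot be signed
     */
    public static NameIDMappingResponse processNameIDMappingRequest(NameIDMappingRequest request, String realm, String idpEntityID) throws SAML2Exception {
        if (request.getIssuer() == null || request.getIssuer().getValue() == null) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("nullSPEntityID"));
        }
        String spEntityID = request.getIssuer().getValue();
        requireMetaManager();
        // Reject untrusted issuers before generating IDs or touching account data.
        SAML2Utils.verifyRequestIssuer(realm, idpEntityID, request.getIssuer(), request.getID());

        String responseID = SAML2Utils.generateID();
        if (responseID == null) {
            // Kept as a logged error rather than a failure, matching the existing behaviour.
            SAML2Utils.debug.error(SAML2Utils.bundle.getString("failedToGenResponseID"));
        }
        NameIDMappingResponse response = pf.createNameIDMappingResponse();
        response.setID(responseID);
        response.setInResponseTo(request.getID());
        response.setVersion(SAML2Constants.VERSION_2_0);
        response.setIssueInstant(Time.newDate());
        response.setIssuer(SAML2Utils.createIssuer(idpEntityID));

        // NameIDPolicy is required by the profile, but a missing element is treated like an empty one.
        NameIDPolicy policy = request.getNameIDPolicy();
        String targetSPEntityID = policy == null ? null : policy.getSPNameQualifier();
        String format = policy == null ? null : policy.getFormat();

        Status status;
        if (format != null && format.length() != 0 && !format.equals(SAML2Constants.PERSISTENT) && !format.equals(SAML2Constants.UNSPECIFIED)) {
            // Only persistent (or unspecified) identifiers can be mapped.
            echoRequestNameID(response, request);
            status = SAML2Utils.generateStatus(SAML2Constants.INVALID_NAME_ID_POLICY, SAML2Utils.bundle.getString("targetNameIDFormatUnsupported"));
        } else if (targetSPEntityID == null || targetSPEntityID.length() == 0 || targetSPEntityID.equals(spEntityID)) {
            // No target SP, or the target is the requester itself: nothing to map.
            echoRequestNameID(response, request);
            status = SAML2Utils.generateStatus(SAML2Constants.INVALID_NAME_ID_POLICY, SAML2Utils.bundle.getString("targetNameIDNoChange"));
        } else {
            String userID = resolveUserID(request, realm, idpEntityID, spEntityID);
            NameIDInfo targetFederation = null;
            if (userID != null) {
                targetFederation = AccountUtils.getAccountFederation(userID, idpEntityID, targetSPEntityID);
            }
            if (targetFederation == null) {
                echoRequestNameID(response, request);
                status = SAML2Utils.generateStatus(SAML2Constants.INVALID_NAME_ID_POLICY, SAML2Utils.bundle.getString("targetNameIDNotFound"));
            } else {
                NameID mappedNameID = targetFederation.getNameID();
                if (SAML2Utils.debug.messageEnabled()) {
                    // Debug output includes the user ID and the mapped identifier; keep debug logging off in production.
                    SAML2Utils.debug.message("NameIDMapping.processNameIDMappingRequest: User ID = " + userID + ", name ID = " + mappedNameID.toXMLString(true, true));
                }
                response.setEncryptedID(getEncryptedID(mappedNameID, realm, spEntityID, SAML2Constants.SP_ROLE));
                status = SAML2Utils.generateStatus(SAML2Constants.SUCCESS, null);
            }
        }
        response.setStatus(status);
        signNIMResponse(response, realm, idpEntityID, true);
        return response;
    }

    /**
     * Resolves the principal name of {@code session}.
     *
     * @param session the SP-side session object
     * @return the principal name, or {@code null} if no session provider is available or the
     *     session cannot be read
     */
    private static String getPrincipalName(Object session) {
        if (sessionProvider == null) {
            SAML2Utils.debug.error("NameIDMapping.getPrincipalName: session provider is not available.");
            return null;
        }
        try {
            return sessionProvider.getPrincipalName(session);
        } catch (SessionException e) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("NameIDMapping.createNameIDMappingRequest: ", e);
            }
            return null;
        }
    }

    /**
     * Fails with a metadata error when the static initializer could not create the metadata manager.
     *
     * @throws SAML2Exception if {@link #metaManager} is {@code null}
     */
    private static void requireMetaManager() throws SAML2Exception {
        if (metaManager == null) {
            SAML2Utils.debug.error("NameIDMapping: SAML2 metadata manager is not available.");
            throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
        }
    }

    /**
     * Copies the request's {@code NameID} and {@code EncryptedID} (either may be {@code null}) into
     * the response; used for every status other than success.
     */
    private static void echoRequestNameID(NameIDMappingResponse response, NameIDMappingRequest request) throws SAML2Exception {
        response.setNameID(request.getNameID());
        response.setEncryptedID(request.getEncryptedID());
    }

    /**
     * Resolves the local user identified by the request's persistent name identifier.
     *
     * @param request the request carrying a {@code NameID} or {@code EncryptedID}
     * @param realm the realm of the hosted IdP
     * @param idpEntityID entity ID of the hosted IdP
     * @param spEntityID entity ID of the requesting SP (the identifier's SP qualifier)
     * @return the user ID from the IdP account mapper, or {@code null} if the request carries no
     *     usable persistent identifier or the mapper finds no user
     * @throws SAML2Exception if the account mapper cannot be obtained or fails
     */
    private static String resolveUserID(NameIDMappingRequest request, String realm, String idpEntityID, String spEntityID) throws SAML2Exception {
        NameID nameID = getNameID(request, realm, idpEntityID);
        if (nameID == null) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("NameIDMapping.resolveUserID: request carries no usable persistent NameID.");
            }
            return null;
        }
        return SAML2Utils.getIDPAccountMapper(realm, idpEntityID).getIdentity(nameID, idpEntityID, spEntityID, realm);
    }

    /**
     * Builds an unsigned {@code NameIDMappingRequest} for {@code userID}.
     *
     * @param userID principal name of the user at the hosted SP
     * @param realm the realm of the hosted SP
     * @param spEntityID entity ID of the hosted SP (request {@code Issuer})
     * @param idpEntityID entity ID of the IdP the request is for
     * @param destination NameIDMappingService URL; set as {@code Destination} after XML escaping
     * @param targetSPEntityID entity ID of the SP whose identifier is wanted
     * @param targetNameIDFormat requested identifier format; may be {@code null}
     * @return the populated request, not yet signed
     * @throws SAML2Exception if the user has no federation with the IdP or encryption of the
     *     identifier fails
     */
    private static NameIDMappingRequest createNameIDMappingRequest(String userID, String realm, String spEntityID, String idpEntityID, String destination, String targetSPEntityID, String targetNameIDFormat) throws SAML2Exception {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("NameIDMapping.createNameIDMappingRequest: User ID : " + userID);
        }
        NameIDMappingRequest request = pf.createNameIDMappingRequest();
        request.setID(SAML2Utils.generateID());
        request.setVersion(SAML2Constants.VERSION_2_0);
        request.setDestination(XMLUtils.escapeSpecialCharacters(destination));
        request.setIssuer(SAML2Utils.createIssuer(spEntityID));
        request.setIssueInstant(Time.newDate());
        setNameIDForNIMRequest(request, realm, spEntityID, idpEntityID, targetSPEntityID, targetNameIDFormat, userID);
        return request;
    }

    /**
     * Sends the serialized request to the IdP over SOAP and returns the response after verifying
     * its issuer and signature.
     *
     * <p>The issuer is checked before the signature because the issuer value selects the IdP
     * whose metadata certificates are used for verification.
     *
     * @param requestXML the signed request as an XML string
     * @param nimURL NameIDMappingService URL (possibly with basic-auth information filled in)
     * @param realm the realm of the hosted SP
     * @param spEntityID entity ID of the hosted SP
     * @return the verified response
     * @throws SAML2Exception if the SOAP exchange fails, the response has no {@code Issuer}, the
     *     issuer does not verify, or the signature is invalid or cannot be verified
     */
    private static NameIDMappingResponse doNIMBySOAP(String requestXML, String nimURL, String realm, String spEntityID) throws SAML2Exception {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("NameIDMapping.doNIMBySOAP: NIMRequestXMLString : " + requestXML);
            SAML2Utils.debug.message("NameIDMapping.doNIMBySOAP: NIMRedirectURL : " + nimURL);
        }
        try {
            SOAPCommunicator soap = SOAPCommunicator.getInstance();
            NameIDMappingResponse response = pf.createNameIDMappingResponse(soap.getSamlpElement(soap.sendSOAPMessage(requestXML, nimURL, true), "NameIDMappingResponse"));
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("NameIDMapping.doNIMBySOAP: NameIDMappingResponse without SOAP envelope:\n" + response.toXMLString(true, true));
            }
            SAML2Utils.verifyResponseIssuer(realm, spEntityID, response.getIssuer(), response.getInResponseTo());
            if (response.getIssuer() == null || response.getIssuer().getValue() == null) {
                throw new SAML2Exception("NameIDMapping.doNIMBySOAP: response has no Issuer.");
            }
            String idpEntityID = response.getIssuer().getValue();
            if (!verifyNIMResponse(response, realm, idpEntityID)) {
                throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignInResponse"));
            }
            return response;
        } catch (SOAPException e) {
            SAML2Utils.debug.error("NameIDMapping.doNIMBySOAP: ", e);
            throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSOAPMessge"));
        }
    }

    /**
     * Populates the request's {@code NameIDPolicy} and its {@code NameID} (or {@code EncryptedID},
     * when the IdP wants identifiers encrypted) from the user's federation with the IdP.
     *
     * @param request the request to populate
     * @param realm the realm of the hosted SP
     * @param spEntityID entity ID of the hosted SP ({@code SPNameQualifier} of the identifier)
     * @param idpEntityID entity ID of the IdP ({@code NameQualifier} of the identifier)
     * @param targetSPEntityID target SP entity ID for {@code NameIDPolicy/@SPNameQualifier}
     * @param targetNameIDFormat format for {@code NameIDPolicy/@Format}; may be {@code null}
     * @param userID principal name of the user at the hosted SP
     * @throws SAML2Exception if the user has no federation with the IdP, or encryption is required
     *     and fails
     */
    private static void setNameIDForNIMRequest(NameIDMappingRequest request, String realm, String spEntityID, String idpEntityID, String targetSPEntityID, String targetNameIDFormat, String userID) throws SAML2Exception {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("NameIDMapping.setNameIDForNIMRequest: user ID = " + userID);
        }
        NameIDInfo federation = AccountUtils.getAccountFederation(userID, spEntityID, idpEntityID);
        if (federation == null) {
            // Without a federation there is no identifier to map; fail explicitly instead of with an NPE.
            throw new SAML2Exception("NameIDMapping.setNameIDForNIMRequest: no federation found between the SP and the IDP for this user.");
        }
        NameID nameID = af.createNameID();
        nameID.setValue(federation.getNameIDValue());
        nameID.setFormat(federation.getFormat());
        nameID.setNameQualifier(idpEntityID);
        nameID.setSPNameQualifier(spEntityID);

        NameIDPolicy policy = pf.createNameIDPolicy();
        policy.setSPNameQualifier(targetSPEntityID);
        policy.setFormat(targetNameIDFormat);
        request.setNameIDPolicy(policy);

        if (SAML2Utils.getWantNameIDEncrypted(realm, idpEntityID, SAML2Constants.IDP_ROLE)) {
            request.setEncryptedID(getEncryptedID(nameID, realm, idpEntityID, SAML2Constants.IDP_ROLE));
        } else {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("NameIDMapping.setNameIDForNIMRequest: NamID doesn't need to be encrypted.");
            }
            request.setNameID(nameID);
        }
    }

    /**
     * Looks up the IdP's NameIDMappingService endpoint in metadata.
     *
     * @param realm the realm of the hosted SP
     * @param idpEntityID entity ID of the remote IdP
     * @param binding binding to match (case-insensitive); {@code null} returns the first endpoint
     * @return the matching endpoint, or {@code null} if the metadata manager is unavailable, the IdP
     *     has no metadata, it declares no NameIDMappingService, or no endpoint uses {@code binding}
     * @throws SAML2MetaException if metadata cannot be read
     */
    public static NameIDMappingServiceElement getNameIDMappingService(String realm, String idpEntityID, String binding) throws SAML2MetaException {
        if (metaManager == null) {
            SAML2Utils.debug.error(SAML2Utils.bundle.getString("errorMetaManager"));
            return null;
        }
        IDPSSODescriptorElement idpDescriptor = metaManager.getIDPSSODescriptor(realm, idpEntityID);
        if (idpDescriptor == null) {
            SAML2Utils.debug.error(SAML2Utils.bundle.getString("noIDPEntry"));
            return null;
        }
        List<NameIDMappingServiceElement> services = idpDescriptor.getNameIDMappingService();
        if (services == null || services.isEmpty()) {
            return null;
        }
        if (binding == null) {
            return services.get(0);
        }
        for (NameIDMappingServiceElement service : services) {
            if (binding.equalsIgnoreCase(service.getBinding())) {
                return service;
            }
        }
        return null;
    }

    /**
     * Encrypts {@code nameID} for the entity {@code entityID} acting in {@code role}, using the
     * encryption key information published in that entity's metadata.
     *
     * @param nameID the identifier to encrypt
     * @param realm the realm in which the entity's metadata is looked up
     * @param entityID entity ID of the intended recipient
     * @param role {@code SAML2Constants.SP_ROLE} to use the SP descriptor; anything else uses the IdP descriptor
     * @return the encrypted identifier
     * @throws SAML2Exception if the recipient publishes no usable encryption key information or encryption fails
     */
    static EncryptedID getEncryptedID(NameID nameID, String realm, String entityID, String role) throws SAML2Exception {
        EncInfo encInfo = KeyUtil.getEncInfo(SAML2Constants.SP_ROLE.equals(role) ? metaManager.getSPSSODescriptor(realm, entityID) : metaManager.getIDPSSODescriptor(realm, entityID), entityID, role);
        if (encInfo == null) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("UnableToFindEncryptKeyInfo"));
        }
        return nameID.encrypt(encInfo.getWrappingKey(), encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength(), entityID);
    }

    /**
     * Loads a signing key by alias, using the configured encrypted-key password when one is set.
     *
     * @param certAlias key/certificate alias from the entity's signing configuration
     * @param encryptedKeyPass password protecting the private key; {@code null} or empty if none
     * @return the private key, or {@code null} if the provider has no key for the alias
     */
    private static PrivateKey getSigningKey(String certAlias, String encryptedKeyPass) {
        if (encryptedKeyPass == null || encryptedKeyPass.isEmpty()) {
            return keyProvider.getPrivateKey(certAlias);
        }
        return keyProvider.getPrivateKey(certAlias, encryptedKeyPass);
    }

    /**
     * Signs the request with the hosted SP's signing key.
     *
     * <p>The key is loaded the same way as in {@link #signNIMResponse}: with the entity's
     * encrypted-key password when one is configured, which is a no-op change for SPs without one.
     *
     * @param request the request to sign (modified in place)
     * @param realm the realm of the hosted SP
     * @param spEntityID entity ID of the hosted SP
     * @param includeCert whether to embed the signing certificate in the signature
     * @throws SAML2Exception if no signing key is available for the configured alias or signing fails
     */
    private static void signNIMRequest(NameIDMappingRequest request, String realm, String spEntityID, boolean includeCert) throws SAML2Exception {
        String certAlias = SAML2Utils.getSigningCertAlias(realm, spEntityID, SAML2Constants.SP_ROLE);
        if (SAML2Utils.debug.messageEnabled()) {
            // Debug output includes the full request, i.e. the user's NameID.
            SAML2Utils.debug.message("NameIDMapping.signNIMRequest: Cert Alias is : " + certAlias);
            SAML2Utils.debug.message("NameIDMapping.signNIMRequest: NIMRequest before sign : " + request.toXMLString(true, true));
        }
        String encryptedKeyPass = SAML2Utils.getSigningCertEncryptedKeyPass(realm, spEntityID, SAML2Constants.SP_ROLE);
        PrivateKey signingKey = getSigningKey(certAlias, encryptedKeyPass);
        if (signingKey == null) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
        }
        X509Certificate signingCert = includeCert ? keyProvider.getX509Certificate(certAlias) : null;
        request.sign(signingKey, signingCert);
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("NameIDMapping.signNIMRequest: NIMRequest after sign : " + request.toXMLString(true, true));
        }
    }

    /**
     * Signs the response with the hosted IdP's signing key.
     *
     * @param response the response to sign (modified in place)
     * @param realm the realm of the hosted IdP
     * @param idpEntityID entity ID of the hosted IdP
     * @param includeCert whether to embed the signing certificate in the signature
     * @throws SAML2Exception if no signing key is available for the configured alias or signing fails
     */
    static void signNIMResponse(NameIDMappingResponse response, String realm, String idpEntityID, boolean includeCert) throws SAML2Exception {
        String certAlias = SAML2Utils.getSigningCertAlias(realm, idpEntityID, SAML2Constants.IDP_ROLE);
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("NameIDMapping.signNIMResponse: " + realm);
            SAML2Utils.debug.message("NameIDMapping.signNIMResponse: " + idpEntityID);
            SAML2Utils.debug.message("NameIDMapping.signNIMResponse: " + certAlias);
        }
        String encryptedKeyPass = SAML2Utils.getSigningCertEncryptedKeyPass(realm, idpEntityID, SAML2Constants.IDP_ROLE);
        PrivateKey signingKey = getSigningKey(certAlias, encryptedKeyPass);
        if (signingKey == null) {
            SAML2Utils.debug.error("NameIDMapping.signNIMResponse: Incorrect configuration for Signing Certificate.");
            throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
        }
        X509Certificate signingCert = includeCert ? keyProvider.getX509Certificate(certAlias) : null;
        response.sign(signingKey, signingCert);
    }

    /**
     * Verifies the response signature against the IdP's signing certificates from metadata.
     *
     * @param response the response whose signature is checked
     * @param realm the realm of the hosted SP
     * @param idpEntityID entity ID of the IdP that issued the response
     * @return {@code true} if the signature validates against one of the IdP's certificates
     * @throws SAML2Exception if the IdP publishes no signing certificates (an unsigned or
     *     unverifiable response is never accepted)
     */
    private static boolean verifyNIMResponse(NameIDMappingResponse response, String realm, String idpEntityID) throws SAML2Exception {
        Set<X509Certificate> verificationCerts = KeyUtil.getVerificationCerts(metaManager.getIDPSSODescriptor(realm, idpEntityID), idpEntityID, SAML2Constants.IDP_ROLE);
        if (verificationCerts == null || verificationCerts.isEmpty()) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
        }
        boolean valid = response.isSignatureValid(verificationCerts);
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("NameIDMapping.verifyNIMResponse: Signature is : " + valid);
        }
        return valid;
    }

    /**
     * Extracts the persistent {@code NameID} from the request, decrypting {@code EncryptedID} with
     * the hosted IdP's decryption keys when no plain {@code NameID} is present.
     *
     * @param request the request to read
     * @param realm the realm of the hosted IdP
     * @param idpEntityID entity ID of the hosted IdP
     * @return the persistent identifier, or {@code null} if the request carries neither element,
     *     decryption fails, or the identifier is not persistent
     */
    private static NameID getNameID(NameIDMappingRequest request, String realm, String idpEntityID) {
        NameID nameID = request.getNameID();
        if (nameID == null) {
            EncryptedID encryptedID = request.getEncryptedID();
            if (encryptedID == null) {
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message("NameIDMapping.getNameID: request has neither NameID nor EncryptedID.");
                }
                return null;
            }
            try {
                nameID = encryptedID.decrypt(KeyUtil.getDecryptionKeys((BaseConfigType) metaManager.getIDPSSOConfig(realm, idpEntityID)));
            } catch (SAML2Exception e) {
                // Best effort: an undecryptable identifier is reported to the requester as "not found".
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message("NameIDMapping.getNameID:", e);
                }
                return null;
            }
        }
        if (nameID == null || !SAML2Utils.isPersistentNameID(nameID)) {
            return null;
        }
        return nameID;
    }

    static {
        // Failures here are only logged; the public entry points check for null and fail with
        // metaDataError / invalidSSOToken instead of a NullPointerException.
        metaManager = null;
        sessionProvider = null;
        try {
            metaManager = new SAML2MetaManager();
            sessionProvider = SessionManager.getProvider();
        } catch (SessionException e) {
            SAML2Utils.debug.error("Error retrieving session provider.", e);
        } catch (SAML2MetaException e2) {
            SAML2Utils.debug.error(SAML2Utils.bundle.getString("errorMetaManager"), e2);
        }
    }
}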
