package org.inversoft.samlv2.service;

import com.sun.org.apache.xerces.internal.jaxp.datatype.XMLGregorianCalendarImpl;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.InvalidAlgorithmParameterException;
import java.security.Key;
import java.security.KeyException;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Collections;
import java.util.GregorianCalendar;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.UUID;
import java.util.zip.Deflater;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBElement;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Marshaller;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.DigestMethodParameterSpec;
import javax.xml.crypto.dsig.spec.SignatureMethodParameterSpec;
import javax.xml.datatype.DatatypeConfigurationException;
import javax.xml.datatype.DatatypeFactory;
import javax.xml.datatype.XMLGregorianCalendar;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMResult;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.inversoft.samlv2.domain.AuthenticationRequest;
import org.inversoft.samlv2.domain.AuthenticationResponse;
import org.inversoft.samlv2.domain.ConfirmationMethod;
import org.inversoft.samlv2.domain.NameIDFormat;
import org.inversoft.samlv2.domain.ResponseStatus;
import org.inversoft.samlv2.domain.User;
import org.inversoft.samlv2.domain.UserConfirmation;
import org.inversoft.samlv2.domain.jaxb.oasis.assertion.AssertionType;
import org.inversoft.samlv2.domain.jaxb.oasis.assertion.AttributeStatementType;
import org.inversoft.samlv2.domain.jaxb.oasis.assertion.AttributeType;
import org.inversoft.samlv2.domain.jaxb.oasis.assertion.AudienceRestrictionType;
import org.inversoft.samlv2.domain.jaxb.oasis.assertion.ConditionAbstractType;
import org.inversoft.samlv2.domain.jaxb.oasis.assertion.EncryptedElementType;
import org.inversoft.samlv2.domain.jaxb.oasis.assertion.NameIDType;
import org.inversoft.samlv2.domain.jaxb.oasis.assertion.OneTimeUseType;
import org.inversoft.samlv2.domain.jaxb.oasis.assertion.ProxyRestrictionType;
import org.inversoft.samlv2.domain.jaxb.oasis.assertion.StatementAbstractType;
import org.inversoft.samlv2.domain.jaxb.oasis.assertion.SubjectConfirmationDataType;
import org.inversoft.samlv2.domain.jaxb.oasis.assertion.SubjectConfirmationType;
import org.inversoft.samlv2.domain.jaxb.oasis.assertion.SubjectType;
import org.inversoft.samlv2.domain.jaxb.oasis.protocol.AuthnRequestType;
import org.inversoft.samlv2.domain.jaxb.oasis.protocol.NameIDPolicyType;
import org.inversoft.samlv2.domain.jaxb.oasis.protocol.ResponseType;
import org.joda.time.DateTime;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;
import sun.misc.BASE64Decoder;
import sun.misc.BASE64Encoder;

/* loaded from: input_file:org/inversoft/samlv2/service/DefaultAuthenticationService.class */
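/**
 * Default {@link AuthenticationService}: builds SAML v2.0 AuthnRequest documents (optionally
 * signed) and parses SAML v2.0 Response documents (optionally verifying their XML signature)
 * into the library's domain objects.
 *
 * <p>Everything handed to {@link #parseResponse} is untrusted input relayed through the user's
 * browser. The XML parser therefore refuses DTDs and external entities, and signature
 * verification requires a signature that is present, validates, and covers the element that
 * carries it.
 *
 * <p>Not supported (a {@link RuntimeException} is thrown): encrypted assertions, encrypted
 * attributes, more than one NameID per response, and attribute values that are neither
 * {@link String} nor {@link Number}.
 */
public class DefaultAuthenticationService implements AuthenticationService {
    /**
     * Builds a SAML v2.0 AuthnRequest.
     *
     * @param str          the issuer (entity id) of this service provider, placed in the {@code Issuer} element
     * @param nameIDFormat the NameID format requested through {@code NameIDPolicy}
     * @param z            whether the request is signed with an enveloped XML signature
     * @param keyPair      the signing key pair; only required when {@code z} is {@code true}
     * @return the generated request id, the deflated + base64 form for the redirect binding, and the raw XML bytes
     * @throws IllegalArgumentException if signing is requested without a key pair
     * @throws RuntimeException if the request cannot be marshalled, signed or serialised
     */
    @Override
    public AuthenticationRequest buildRequest(String str, NameIDFormat nameIDFormat, boolean z, KeyPair keyPair) {
        if (z && keyPair == null) {
            throw new IllegalArgumentException("A KeyPair is required when the AuthnRequest must be signed");
        }

        String id = UUID.randomUUID().toString();

        NameIDType issuer = new NameIDType();
        issuer.setValue(str);

        NameIDPolicyType policy = new NameIDPolicyType();
        policy.setAllowCreate(true);
        policy.setFormat(nameIDFormat.toSAMLFormat());

        AuthnRequestType request = new AuthnRequestType();
        request.setIssuer(issuer);
        request.setNameIDPolicy(policy);
        request.setID(id);
        request.setIssueInstant(now());
        request.setVersion("2.0");

        Document document = marshallToDocument(request, AuthnRequestType.class);
        if (z) {
            sign(document.getDocumentElement(), keyPair);
        }

        byte[] xml = documentToBytes(document);
        return new AuthenticationRequest(id, deflateAndEncode(xml), xml);
    }

    /**
     * Parses a base64 encoded SAML v2.0 Response (POST binding).
     *
     * @param str the base64 encoded Response document; line separators are tolerated
     * @param z   whether an XML signature must be present and valid
     * @param key the key used to validate the signature; only required when {@code z} is {@code true}
     * @return the parsed response
     * @throws RuntimeException if the document cannot be decoded, parsed or unmarshalled; if the
     *                          signature is missing, invalid or does not cover its parent element; or
     *                          if the response uses an unsupported feature (see the class comment)
     */
    @Override
    public AuthenticationResponse parseResponse(String str, boolean z, Key key) {
        byte[] xml;
        try {
            // The MIME decoder skips line separators, which IdPs commonly insert into POSTed responses.
            xml = Base64.getMimeDecoder().decode(str);
        } catch (IllegalArgumentException e) {
            throw new RuntimeException("Unable to decode the SAML authentication response", e);
        }

        Document document = parseFromBytes(xml);
        if (z) {
            verifySignature(document, key);
        }

        ResponseType responseType = unmarshallFromDocument(document, ResponseType.class);
        AuthenticationResponse response = new AuthenticationResponse();
        response.status = ResponseStatus.fromSAMLFormat(responseType.getStatus().getStatusCode().getValue());
        response.id = responseType.getID();
        response.issuer = parseIssuer(responseType.getIssuer());
        response.instant = toJodaDateTime(responseType.getIssueInstant());
        response.destination = responseType.getDestination();

        for (Object assertionOrEncrypted : responseType.getAssertionOrEncryptedAssertion()) {
            if (assertionOrEncrypted instanceof EncryptedElementType) {
                throw new RuntimeException("This library currently doesn't handle encrypted assertions");
            }
            AssertionType assertion = (AssertionType) assertionOrEncrypted;
            parseSubject(assertion.getSubject(), response);
            parseConditions(assertion, response);
            parseStatements(assertion, response);
        }
        return response;
    }

    /**
     * Copies the NameID and SubjectConfirmation of {@code subject} onto {@code response}.
     * A missing Subject is allowed and leaves {@code response} untouched.
     */
    private void parseSubject(SubjectType subject, AuthenticationResponse response) {
        if (subject == null) {
            return;
        }
        for (JAXBElement<?> element : subject.getContent()) {
            Class<?> type = element.getDeclaredType();
            if (type == NameIDType.class) {
                if (response.user != null) {
                    throw new RuntimeException("This library currently does not handle multiple NameID elements in the Response assertions.");
                }
                response.user = parseUser((NameIDType) element.getValue());
            } else if (type == SubjectConfirmationType.class) {
                response.confirmation = parseConfirmation((SubjectConfirmationType) element.getValue());
            } else if (type == EncryptedElementType.class) {
                throw new RuntimeException("This library currently doesn't handle encrypted assertions");
            }
        }
    }

    /**
     * Copies audience restrictions, the one-time-use flag and proxy restrictions onto
     * {@code response}. The Conditions element is optional and may be absent.
     */
    private void parseConditions(AssertionType assertion, AuthenticationResponse response) {
        if (assertion.getConditions() == null) {
            return;
        }
        for (ConditionAbstractType condition : assertion.getConditions().getConditionOrAudienceRestrictionOrOneTimeUse()) {
            if (condition instanceof AudienceRestrictionType) {
                response.audiences.addAll(((AudienceRestrictionType) condition).getAudience());
            } else if (condition instanceof OneTimeUseType) {
                response.oneTimeUse = true;
            } else if (condition instanceof ProxyRestrictionType) {
                ProxyRestrictionType proxy = (ProxyRestrictionType) condition;
                response.proxyAudiences.addAll(proxy.getAudience());
                response.proxyCount = proxy.getCount() == null ? null : Integer.valueOf(proxy.getCount().intValue());
            }
        }
    }

    /**
     * Records every attribute of every AttributeStatement on the user of {@code response}.
     * Statements of other kinds (AuthnStatement, AuthzDecisionStatement) are ignored.
     */
    private void parseStatements(AssertionType assertion, AuthenticationResponse response) {
        for (StatementAbstractType statement : assertion.getStatementOrAuthnStatementOrAuthzDecisionStatement()) {
            if (!(statement instanceof AttributeStatementType)) {
                continue;
            }
            for (Object attributeOrEncrypted : ((AttributeStatementType) statement).getAttributeOrEncryptedAttribute()) {
                if (!(attributeOrEncrypted instanceof AttributeType)) {
                    throw new RuntimeException("This library currently doesn't support encrypted attributes");
                }
                parseAttribute((AttributeType) attributeOrEncrypted, response);
            }
        }
    }

    /**
     * Stores one attribute on the user: a single Number or String value goes into the typed maps,
     * several String values go into the list map. An attribute without values is skipped.
     *
     * @throws RuntimeException if no NameID has been seen yet (there is no user to attach to), or
     *                          if a value is of an unsupported type
     */
    private void parseAttribute(AttributeType attribute, AuthenticationResponse response) {
        if (response.user == null) {
            throw new RuntimeException("This library requires a NameID in the assertion Subject before attributes can be recorded for the user");
        }
        String name = attribute.getName();
        List<Object> values = attribute.getAttributeValue();
        if (values.isEmpty()) {
            return;
        }
        if (values.size() == 1) {
            Object value = values.get(0);
            if (value instanceof Number) {
                response.user.numberAttributes.put(name, (Number) value);
            } else if (value instanceof String) {
                response.user.stringAttributes.put(name, (String) value);
            } else {
                throw new RuntimeException("This library currently doesn't handle attributes of type [" + typeOf(value) + "]");
            }
            return;
        }
        // Every element is checked, not only the first, so a mixed list never lands in the String map.
        for (Object value : values) {
            if (!(value instanceof String)) {
                throw new RuntimeException("This library currently doesn't handle multi-value attributes of type [" + typeOf(value) + "]");
            }
        }
        response.user.stringListAttributes.put(name, values);
    }

    /** Describes the runtime type of {@code value} for error messages; null-safe. */
    private static String typeOf(Object value) {
        return value == null ? "null" : value.getClass().toString();
    }

    /**
     * Returns the current time as an {@link XMLGregorianCalendar} through the public JAXP factory
     * rather than the JDK-internal Xerces implementation class.
     */
    private XMLGregorianCalendar now() {
        try {
            return DatatypeFactory.newInstance().newXMLGregorianCalendar(new GregorianCalendar());
        } catch (DatatypeConfigurationException e) {
            throw new RuntimeException("Unable to create the AuthnRequest IssueInstant", e);
        }
    }

    /**
     * Deflates {@code bArr} and base64 encodes the result without line breaks (the form used by
     * the HTTP-Redirect binding).
     *
     * <p>NOTE(review): {@code new Deflater()} emits the zlib-wrapped stream (RFC 1950) whereas the
     * SAML Redirect binding specifies raw DEFLATE (RFC 1951, {@code nowrap}). The existing wire
     * format is kept here; confirm against the IdPs in use before changing it.
     */
    private String deflateAndEncode(byte[] bArr) {
        Deflater deflater = new Deflater();
        try {
            deflater.setInput(bArr);
            deflater.finish();
            // Deflated output can be larger than the input for small or incompressible documents,
            // so drain the deflater until it reports completion instead of trusting one
            // input-sized buffer (which silently truncated the stream).
            ByteArrayOutputStream out = new ByteArrayOutputStream(bArr.length);
            byte[] chunk = new byte[Math.max(1024, bArr.length)];
            while (!deflater.finished()) {
                out.write(chunk, 0, deflater.deflate(chunk));
            }
            return Base64.getEncoder().encodeToString(out.toByteArray());
        } finally {
            // Releases the native zlib state now rather than whenever the object is finalized.
            deflater.end();
        }
    }

    /** Serialises {@code document} to UTF-8 XML bytes with an identity transform. */
    private byte[] documentToBytes(Document document) {
        try {
            Transformer transformer = TransformerFactory.newInstance().newTransformer();
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            transformer.transform(new DOMSource(document), new StreamResult(out));
            return out.toByteArray();
        } catch (TransformerException e) {
            throw new RuntimeException("Unable to write DOM object to a byte[]", e);
        }
    }

    /** Marshals the JAXB object {@code t} into a fresh DOM document so it can be signed. */
    private <T> Document marshallToDocument(T t, Class<T> cls) {
        try {
            Marshaller marshaller = JAXBContext.newInstance(cls).createMarshaller();
            DOMResult result = new DOMResult();
            marshaller.marshal(t, result);
            return (Document) result.getNode();
        } catch (JAXBException e) {
            throw new RuntimeException("Unable to marshall JAXB SAML object to DOM for signing.", e);
        }
    }

    /** Converts a SubjectConfirmation; SubjectConfirmationData is optional, the Method is not. */
    private UserConfirmation parseConfirmation(SubjectConfirmationType subjectConfirmationType) {
        UserConfirmation confirmation = new UserConfirmation();
        SubjectConfirmationDataType data = subjectConfirmationType.getSubjectConfirmationData();
        if (data != null) {
            confirmation.address = data.getAddress();
            confirmation.inResponseTo = data.getInResponseTo();
            confirmation.notBefore = toJodaDateTime(data.getNotBefore());
            confirmation.notOnOrAfter = toJodaDateTime(data.getNotOnOrAfter());
            confirmation.recipient = data.getRecipient();
        }
        confirmation.method = ConfirmationMethod.fromSAMLFormat(subjectConfirmationType.getMethod());
        return confirmation;
    }

    /**
     * Parses untrusted XML into a namespace-aware DOM with DTD processing, external entities,
     * XInclude and entity expansion disabled, so a crafted response cannot cause XXE (local file
     * disclosure, server-side requests) or entity-expansion denial of service.
     */
    private Document parseFromBytes(byte[] bArr) {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        try {
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            factory.setXIncludeAware(false);
            factory.setExpandEntityReferences(false);
            return factory.newDocumentBuilder().parse(new ByteArrayInputStream(bArr));
        } catch (IOException | ParserConfigurationException | SAXException e) {
            throw new RuntimeException("Unable to parse SAML v2.0 authentication response", e);
        }
    }

    /** Returns the issuer value, or {@code null} when the Issuer element is absent. */
    private String parseIssuer(NameIDType nameIDType) {
        return nameIDType == null ? null : nameIDType.getValue();
    }

    /** Builds the domain {@link User} from a NameID element. */
    private User parseUser(NameIDType nameIDType) {
        NameIDFormat format = NameIDFormat.fromSAMLFormat(nameIDType.getFormat());
        return new User(format,
            nameIDType.getValue(),
            nameIDType.getNameQualifier(),
            nameIDType.getSPProvidedID(),
            nameIDType.getSPNameQualifier());
    }

    /**
     * Adds an enveloped XML signature over the whole document (reference URI {@code ""}) to
     * {@code node}, with the public key embedded as a KeyValue.
     *
     * <p>NOTE(review): DSA-SHA1 and SHA-1 are what this service has always emitted and what DSA
     * key pairs fit; both are legacy algorithms. Moving to RSA-SHA256 needs new keys and IdP
     * coordination, not just a local change here.
     */
    private void sign(Node node, KeyPair keyPair) {
        try {
            XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM");
            Reference reference = factory.newReference(
                "",
                factory.newDigestMethod("http://www.w3.org/2000/09/xmldsig#sha1", (DigestMethodParameterSpec) null),
                Collections.singletonList(factory.newTransform("http://www.w3.org/2000/09/xmldsig#enveloped-signature", (XMLStructure) null)),
                (String) null,
                (String) null);
            SignedInfo signedInfo = factory.newSignedInfo(
                factory.newCanonicalizationMethod("http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments", (XMLStructure) null),
                factory.newSignatureMethod("http://www.w3.org/2000/09/xmldsig#dsa-sha1", (SignatureMethodParameterSpec) null),
                Collections.singletonList(reference));
            KeyInfoFactory keyInfoFactory = factory.getKeyInfoFactory();
            KeyInfo keyInfo = keyInfoFactory.newKeyInfo(Collections.singletonList(keyInfoFactory.newKeyValue(keyPair.getPublic())));
            factory.newXMLSignature(signedInfo, keyInfo).sign(new DOMSignContext(keyPair.getPrivate(), node));
        } catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException | KeyException
                 | MarshalException | XMLSignatureException e) {
            throw new RuntimeException("Unable to sign XML document.", e);
        }
    }

    /** Converts an XML calendar to Joda time; {@code null} stays {@code null}. */
    private DateTime toJodaDateTime(XMLGregorianCalendar xMLGregorianCalendar) {
        if (xMLGregorianCalendar == null) {
            return null;
        }
        return new DateTime(xMLGregorianCalendar.toGregorianCalendar());
    }

    /** Unmarshals the root element of {@code document} into a {@code cls} instance. */
    private <T> T unmarshallFromDocument(Document document, Class<T> cls) {
        try {
            Object unmarshalled = JAXBContext.newInstance(cls).createUnmarshaller().unmarshal(document);
            // A checked cast gives a clear ClassCastException instead of a silent unchecked one.
            return cls.cast(((JAXBElement<?>) unmarshalled).getValue());
        } catch (JAXBException e) {
            throw new RuntimeException("Unable to unmarshall SAML response", e);
        }
    }

    /**
     * Validates the first {@code ds:Signature} in {@code document} against {@code key}.
     *
     * <p>Beyond the cryptographic check this requires that a signature is present (verification
     * was requested, so an unsigned document must not pass), that no two elements share an ID, and
     * that every Reference covers the element carrying the signature: URI {@code ""} (whole
     * document) or {@code #<ID of the parent>}. A signature that validates but references some
     * unrelated element would otherwise let unsigned Response/Assertion content through (signature
     * wrapping).
     *
     * <p>Only the first Signature element is checked. If the IdP signs assertions individually
     * rather than the Response, the remaining assertions are not validated here.
     *
     * @throws RuntimeException if the signature is missing, cannot be unmarshalled, fails to
     *                          validate, or does not cover its parent element
     */
    private void verifySignature(Document document, Key key) {
        fixIDs(document.getDocumentElement(), new HashSet<String>());

        NodeList signatures = document.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (signatures.getLength() == 0) {
            throw new RuntimeException("Invalid SAML v2.0 authentication response. Signature verification was requested but the response is not signed.");
        }

        Element signatureElement = (Element) signatures.item(0);
        Node parent = signatureElement.getParentNode();
        if (!(parent instanceof Element)) {
            throw new RuntimeException("Invalid SAML v2.0 authentication response. The Signature element is not enveloped in an element.");
        }
        String parentId = ((Element) parent).getAttribute("ID");

        DOMValidateContext context = new DOMValidateContext(key, signatureElement);
        // Rejects the risky parts of XMLDSig (XSLT transforms, excessive references, ...) for untrusted input.
        context.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        try {
            XMLSignature signature = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(context);
            if (!signature.validate(context)) {
                throw new RuntimeException("Invalid SAML v2.0 authentication response. The signature is invalid.");
            }
            for (Object item : signature.getSignedInfo().getReferences()) {
                String uri = ((Reference) item).getURI();
                boolean coversParent = "".equals(uri) || (!parentId.isEmpty() && ("#" + parentId).equals(uri));
                if (!coversParent) {
                    throw new RuntimeException("Invalid SAML v2.0 authentication response. The signature does not cover the element that carries it.");
                }
            }
        } catch (XMLSignatureException e) {
            throw new RuntimeException("Unable to verify XML signature in the SAML v2.0 authentication response. The signature was unmarshalled we couldn't validate it for an unknown reason", e);
        } catch (MarshalException e2) {
            throw new RuntimeException("Unable to verify XML signature in the SAML v2.0 authentication response because we couldn't unmarshall the XML Signature element", e2);
        }
    }

    /**
     * Registers every attribute whose local name is {@code id} (any case) as a DOM ID attribute,
     * recursively, so {@code #id} signature references can be resolved. Each ID value may appear
     * only once in the document; a duplicate is rejected because an ambiguous reference target
     * undermines the coverage check in {@link #verifySignature}.
     *
     * @param seen the ID values registered so far, shared across the recursion
     */
    private void fixIDs(Element element, Set<String> seen) {
        NamedNodeMap attributes = element.getAttributes();
        for (int i = 0; i < attributes.getLength(); i++) {
            Attr attr = (Attr) attributes.item(i);
            String localName = attr.getLocalName();
            // equalsIgnoreCase avoids the locale-dependent toLowerCase() (e.g. "ID" under a Turkish default locale).
            if (localName != null && localName.equalsIgnoreCase("id")) {
                if (!seen.add(attr.getValue())) {
                    throw new RuntimeException("Invalid SAML v2.0 authentication response. The ID value [" + attr.getValue() + "] is used by more than one element.");
                }
                element.setIdAttributeNode(attr, true);
            }
        }
        NodeList children = element.getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            Node child = children.item(i);
            if (child.getNodeType() == Node.ELEMENT_NODE) {
                fixIDs((Element) child, seen);
            }
        }
    }
}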
