package org.miniorange.saml;

import java.io.IOException;
import java.io.OutputStream;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.spec.InvalidKeySpecException;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.joda.time.DateTime;
import org.miniorange.saml.MoSAMLException;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.xml.signature.X509Certificate;
import org.opensaml.xml.signature.X509Data;
import org.opensaml.xml.validation.ValidationException;

/* loaded from: input_file:WEB-INF/lib/miniorange-saml-sp.jar:org/miniorange/saml/MoSAMLManager.class */
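/**
 * Service-provider side SAML 2.0 helper for the miniOrange plugin.
 *
 * <p>Two responsibilities live here: validating an inbound {@code SAMLResponse} (status, signature,
 * validity window, audience, issuer, destination, recipient) and turning it into a
 * {@link MoSAMLResponse}; and building an {@code AuthnRequest} that sends the browser to the IdP
 * over the HTTP-POST or HTTP-Redirect binding.
 *
 * <p>The only field is the settings object; no per-request state is kept on the instance (the
 * previous version cached the last seen certificate in a field, which leaked between requests).
 */
public class MoSAMLManager {
    private static final Logger LOGGER = Logger.getLogger(MoSAMLManager.class.getName());

    /**
     * Tolerance for clock drift between IdP and SP when enforcing NotBefore / NotOnOrAfter.
     * Constructed default (three minutes); tune to the deployment if the IdP clock is known to drift more.
     */
    private static final long CLOCK_SKEW_MILLIS = 3L * 60L * 1000L;

    /** Signature algorithm advertised in {@code SigAlg} for signed HTTP-Redirect requests. */
    private static final String RSA_SHA256_URI = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /** Plugin configuration (entity ids, URLs, certificates). */
    private final MoSAMLPluginSettings settings;

    /**
     * @param moSAMLPluginSettings plugin configuration used for every verification and outbound request
     */
    public MoSAMLManager(MoSAMLPluginSettings moSAMLPluginSettings) {
        this.settings = moSAMLPluginSettings;
    }

    /**
     * Decodes and fully validates the {@code SAMLResponse} carried by the request.
     *
     * <p>Order of checks: status code, assertion extraction (decrypting if needed), signature,
     * validity window and audience, issuer, destination, recipient. The signature is checked before
     * any content is trusted, so a failing issuer/audience on an unsigned message reports the
     * signature problem rather than the content problem.
     *
     * @param httpServletRequest  request carrying the {@code SAMLResponse} form parameter
     * @param httpServletResponse unused; kept for interface compatibility
     * @return the NameID, session index and attributes of the validated assertion
     * @throws MoSAMLException with a specific {@code SAMLErrorCode} for each failed check, or
     *         {@code UNKNOWN} (wrapping the cause) for unexpected failures
     */
    public MoSAMLResponse readSAMLResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            MoSAMLUtils.doBootstrap();
            String encodedResponse = httpServletRequest.getParameter(MoSAMLUtils.SAML_RESPONSE_PARAM);
            if (StringUtils.isBlank(encodedResponse)) {
                throw new MoSAMLException("Request carries no " + MoSAMLUtils.SAML_RESPONSE_PARAM + " parameter",
                        MoSAMLException.SAMLErrorCode.UNKNOWN);
            }
            Response response = MoSAMLUtils.decodeResponse(encodedResponse);
            verifyStatus(response);

            // Only the first (possibly encrypted) assertion is honoured; any further assertions are ignored.
            Assertion assertion;
            if (response.getAssertions() != null && !response.getAssertions().isEmpty()) {
                assertion = response.getAssertions().get(0);
            } else if (response.getEncryptedAssertions() != null && !response.getEncryptedAssertions().isEmpty()) {
                assertion = MoSAMLUtils.decryptAssertion(response.getEncryptedAssertions().get(0),
                        this.settings.getPublicSPCertificate(), this.settings.getPrivateSPCertificate());
            } else {
                throw new MoSAMLException("SAML response contains neither an Assertion nor an EncryptedAssertion",
                        MoSAMLException.SAMLErrorCode.UNKNOWN);
            }
            LOGGER.fine("Processing assertion " + assertion.getID());

            // Signature first: nothing below should act on content the IdP has not vouched for.
            if (!verifyCertificate(response, assertion, this.settings.getX509PublicCertificate())) {
                throw new MoSAMLException("SAML signature did not verify against the configured IdP certificate",
                        MoSAMLException.SAMLErrorCode.INVALID_SIGNATURE);
            }
            LOGGER.fine("Verified Certificates:true");

            String spAcsUrl = this.settings.getSpAcsUrl();
            verifyConditions(assertion, this.settings.getSPAudienceURI());
            verifyIssuer(response, assertion, this.settings.getIdpEntityId());
            verifyDestination(response, spAcsUrl);
            verifyRecipient(assertion, spAcsUrl);

            if (assertion.getSubject() == null) {
                throw new MoSAMLException("Assertion carries no Subject", MoSAMLException.SAMLErrorCode.UNKNOWN);
            }
            if (assertion.getAuthnStatements().isEmpty()) {
                throw new MoSAMLException("Assertion carries no AuthnStatement", MoSAMLException.SAMLErrorCode.UNKNOWN);
            }
            NameID nameID = assertion.getSubject().getNameID();
            String nameIdValue = nameID != null ? nameID.getValue() : "";
            String sessionIndex = assertion.getAuthnStatements().get(0).getSessionIndex();
            Map<String, String[]> attributes = getAttributes(assertion);
            // The NameID is exposed to callers as one more attribute under its element name.
            attributes.put(NameID.DEFAULT_ELEMENT_LOCAL_NAME, new String[]{nameIdValue});
            return new MoSAMLResponse(attributes, nameIdValue, sessionIndex);
        } catch (MoSAMLException e) {
            LOGGER.fine(e.getMessage());
            throw e;
        } catch (Exception e) {
            // Decoding/decryption helpers may throw checked exceptions; keep the cause for diagnosis.
            LOGGER.fine("An error occurred while verifying the SAML Response: " + e);
            throw new MoSAMLException(e, MoSAMLException.SAMLErrorCode.UNKNOWN);
        }
    }

    /**
     * Rejects any response whose top-level status is not {@code Success}.
     *
     * @throws MoSAMLException {@code RESPONDER} when the IdP reported a Responder status,
     *         {@code INVALID_SAML_STATUS} for any other non-success status
     */
    private void verifyStatus(Response response) {
        if (response.getStatus() == null || response.getStatus().getStatusCode() == null) {
            throw new MoSAMLException("SAML response carries no status code",
                    MoSAMLException.SAMLErrorCode.INVALID_SAML_STATUS);
        }
        String statusCode = response.getStatus().getStatusCode().getValue();
        if (StringUtils.equals(statusCode, StatusCode.SUCCESS_URI)) {
            return;
        }
        LOGGER.fine("Invalid SAML response. SAML Status Code received: " + statusCode);
        // Only the last URN segment ("Responder", "Requester", ...) is shown to the user;
        // substringAfterLast tolerates non-standard values that split(":")[7] would choke on.
        String shortCode = StringUtils.substringAfterLast(statusCode, ":");
        String message;
        if (response.getStatus().getStatusMessage() != null) {
            String statusMessage = response.getStatus().getStatusMessage().getMessage();
            LOGGER.fine("Saml Status Message received: " + statusMessage);
            message = statusMessage + ". Status Code received in SAML response: " + shortCode;
        } else {
            message = "Invalid status code \"" + shortCode + "\" received in SAML response";
        }
        LOGGER.fine(message);
        // Compare the full URN: the previous code compared the short segment against the full
        // RESPONDER_URI, so the RESPONDER branch could never be taken.
        if (StringUtils.equalsIgnoreCase(statusCode, StatusCode.RESPONDER_URI)) {
            throw new MoSAMLException(message, MoSAMLException.SAMLErrorCode.RESPONDER);
        }
        throw new MoSAMLException(message, MoSAMLException.SAMLErrorCode.INVALID_SAML_STATUS);
    }

    /**
     * Checks that both the response and the assertion name the configured IdP as issuer.
     *
     * @throws MoSAMLException {@code INVALID_ISSUER} on the first mismatch
     */
    private void verifyIssuer(Response response, Assertion assertion, String expectedIssuer) {
        LOGGER.fine("Verifying Issuer in SAML Response");
        String responseIssuer = response.getIssuer() != null ? response.getIssuer().getValue() : null;
        String assertionIssuer = assertion.getIssuer() != null ? assertion.getIssuer().getValue() : null;
        if (!StringUtils.equals(responseIssuer, expectedIssuer)) {
            throw mismatch(MoSAMLException.SAMLErrorCode.INVALID_ISSUER, expectedIssuer, responseIssuer);
        }
        if (!StringUtils.equals(assertionIssuer, expectedIssuer)) {
            throw mismatch(MoSAMLException.SAMLErrorCode.INVALID_ISSUER, expectedIssuer, assertionIssuer);
        }
    }

    /**
     * Checks the response {@code Destination} against the SP ACS URL when the attribute is present.
     * A blank Destination is accepted, as before. NOTE(review): SAML requires Destination on signed
     * messages; tightening this to reject a missing value on signed responses would be stricter.
     *
     * @throws MoSAMLException {@code INVALID_DESTINATION} when present and different
     */
    private void verifyDestination(Response response, String acsUrl) {
        LOGGER.fine("Verifying Destination if present in SAML Response");
        String destination = response.getDestination();
        LOGGER.fine("destInResponse: " + destination + " acsURL: " + acsUrl);
        if (StringUtils.isBlank(destination) || StringUtils.equals(destination, acsUrl)) {
            return;
        }
        throw mismatch(MoSAMLException.SAMLErrorCode.INVALID_DESTINATION, acsUrl, destination);
    }

    /**
     * Checks the bearer {@code SubjectConfirmationData}: its validity window is enforced and, when a
     * {@code Recipient} is present, it must equal the SP ACS URL.
     *
     * @throws MoSAMLException {@code INVALID_RECIPIENT} on a Recipient mismatch; {@code UNKNOWN} when
     *         the confirmation data is missing or outside its validity window
     */
    private void verifyRecipient(Assertion assertion, String acsUrl) {
        LOGGER.fine("Verifying Recipient if present in SAML Response");
        if (assertion.getSubject() == null || assertion.getSubject().getSubjectConfirmations().isEmpty()
                || assertion.getSubject().getSubjectConfirmations().get(0).getSubjectConfirmationData() == null) {
            // The previous code dereferenced this chain unconditionally and failed with a bare NPE.
            throw new MoSAMLException("Assertion carries no SubjectConfirmationData",
                    MoSAMLException.SAMLErrorCode.UNKNOWN);
        }
        String recipient = assertion.getSubject().getSubjectConfirmations().get(0)
                .getSubjectConfirmationData().getRecipient();
        // Bearer confirmations carry their own expiry, independent of the Conditions window.
        enforceValidityWindow(
                assertion.getSubject().getSubjectConfirmations().get(0).getSubjectConfirmationData().getNotBefore(),
                assertion.getSubject().getSubjectConfirmations().get(0).getSubjectConfirmationData().getNotOnOrAfter(),
                "SubjectConfirmationData");
        LOGGER.fine("recipientInAssertion: " + recipient + " acsURL: " + acsUrl);
        if (StringUtils.isBlank(recipient) || StringUtils.equals(recipient, acsUrl)) {
            return;
        }
        throw mismatch(MoSAMLException.SAMLErrorCode.INVALID_RECIPIENT, acsUrl, recipient);
    }

    /**
     * Enforces the assertion {@code Conditions}: the NotBefore / NotOnOrAfter window (with
     * {@link #CLOCK_SKEW_MILLIS} tolerance) and the audience restriction.
     *
     * <p>The previous version computed the time differences and only logged them, so expired or
     * not-yet-valid assertions were accepted; they are now rejected.
     *
     * @param expectedAudience the SP audience URI; a trailing "/" is stripped before comparison
     * @throws MoSAMLException {@code INVALID_AUDIENCE} when no audience matches (or no restriction
     *         is present); {@code UNKNOWN} with an explicit message for a validity-window failure
     */
    private void verifyConditions(Assertion assertion, String expectedAudience) {
        LOGGER.fine("Verifying Conditions...");
        if (assertion.getConditions() == null) {
            throw new MoSAMLException("Assertion carries no Conditions element",
                    MoSAMLException.SAMLErrorCode.INVALID_AUDIENCE);
        }
        enforceValidityWindow(assertion.getConditions().getNotBefore(),
                assertion.getConditions().getNotOnOrAfter(), "Conditions");

        String audienceExpected = expectedAudience;
        LOGGER.fine("audienceExpected Before: " + audienceExpected);
        if (audienceExpected != null && audienceExpected.endsWith("/")) {
            audienceExpected = audienceExpected.substring(0, audienceExpected.length() - 1);
        }
        LOGGER.fine("audienceExpected After : " + audienceExpected);
        if (assertion.getConditions().getAudienceRestrictions().isEmpty()) {
            throw audienceFailure();
        }
        // Only the first AudienceRestriction is examined, as before. NOTE(review): SAML treats several
        // AudienceRestriction elements as conjunctive; checking all of them would be stricter.
        for (Audience audience : assertion.getConditions().getAudienceRestrictions().get(0).getAudiences()) {
            if (StringUtils.equalsIgnoreCase(audience.getAudienceURI(), audienceExpected)) {
                return;
            }
        }
        throw audienceFailure();
    }

    /** Builds and logs the INVALID_AUDIENCE failure. */
    private static MoSAMLException audienceFailure() {
        LOGGER.fine(MoSAMLException.SAMLErrorCode.INVALID_AUDIENCE.getMessage());
        return new MoSAMLException(MoSAMLException.SAMLErrorCode.INVALID_AUDIENCE);
    }

    /**
     * Rejects a validity window that the current time is outside of, allowing
     * {@link #CLOCK_SKEW_MILLIS} of drift on either edge. Either bound may be {@code null}
     * (absent), in which case that edge is not checked. NotOnOrAfter is exclusive.
     *
     * @param element name used in log and error messages ("Conditions", "SubjectConfirmationData")
     * @throws MoSAMLException {@code UNKNOWN} with an explicit message; no dedicated error code for a
     *         validity-window failure exists in the visible {@code SAMLErrorCode} values
     */
    private static void enforceValidityWindow(DateTime notBefore, DateTime notOnOrAfter, String element) {
        DateTime now = new DateTime();
        if (notBefore != null) {
            long earlyByMillis = notBefore.getMillis() - now.getMillis();
            LOGGER.fine(element + " timeDifferenceInBefore = " + earlyByMillis);
            if (earlyByMillis > CLOCK_SKEW_MILLIS) {
                throw new MoSAMLException(element + " NotBefore (" + notBefore + ") is still in the future",
                        MoSAMLException.SAMLErrorCode.UNKNOWN);
            }
        }
        if (notOnOrAfter != null) {
            long expiredByMillis = now.getMillis() - notOnOrAfter.getMillis();
            LOGGER.fine(element + " timeDifferenceNotOnOrAfter = " + expiredByMillis);
            if (expiredByMillis >= CLOCK_SKEW_MILLIS) {
                throw new MoSAMLException(element + " NotOnOrAfter (" + notOnOrAfter + ") has passed",
                        MoSAMLException.SAMLErrorCode.UNKNOWN);
            }
        }
    }

    /**
     * Verifies the XML signature against the configured IdP certificate. A signed Response takes
     * precedence over a signed Assertion (the response signature covers the assertion).
     *
     * @param idpCertificate configured IdP X.509 certificate; must not be {@code null}
     * @return whether {@code MoSAMLUtils.verifyCertificate} reported success
     * @throws MoSAMLException {@code INVALID_CERTIFICATE} when no certificate is configured or it
     *         cannot be parsed, {@code ASSERTION_NOT_SIGNED} when nothing is signed,
     *         {@code INVALID_SIGNATURE} when the signature does not validate
     */
    private boolean verifyCertificate(Response response, Assertion assertion, String idpCertificate) {
        LOGGER.fine("Verifying Certificates.");
        if (idpCertificate == null) {
            // The previous version returned false here and the caller then dereferenced a null exception.
            throw new MoSAMLException("No IdP X.509 certificate is configured; cannot verify the SAML signature",
                    MoSAMLException.SAMLErrorCode.INVALID_CERTIFICATE);
        }
        if (!response.isSigned() && !assertion.isSigned()) {
            LOGGER.fine(MoSAMLException.SAMLErrorCode.ASSERTION_NOT_SIGNED.getMessage());
            throw new MoSAMLException(MoSAMLException.SAMLErrorCode.ASSERTION_NOT_SIGNED);
        }
        try {
            // Boolean.TRUE.equals tolerates both a primitive and a (possibly null) boxed result.
            if (response.isSigned()) {
                return Boolean.TRUE.equals(MoSAMLUtils.verifyCertificate(response, idpCertificate));
            }
            return Boolean.TRUE.equals(MoSAMLUtils.verifyCertificate(assertion, idpCertificate));
        } catch (NoSuchAlgorithmException | CertificateException | InvalidKeySpecException e) {
            throw certificateFailure(MoSAMLException.SAMLErrorCode.INVALID_CERTIFICATE, assertion, response, e);
        } catch (ValidationException e) {
            throw certificateFailure(MoSAMLException.SAMLErrorCode.INVALID_SIGNATURE, assertion, response, e);
        }
    }

    /** Builds and logs a certificate/signature failure whose resolution shows the IdP's certificate. */
    private MoSAMLException certificateFailure(MoSAMLException.SAMLErrorCode code, Assertion assertion,
            Response response, Exception cause) {
        LOGGER.fine("Certificate verification failed: " + cause);
        MoSAMLException ex = new MoSAMLException(code.getMessage(),
                buildResolutionforcertificate(code, assertion, response), code);
        LOGGER.fine(ex.getMessage());
        return ex;
    }

    /**
     * Builds the HTML resolution text for a certificate failure, embedding the certificate found in
     * the message's own {@code KeyInfo} so an administrator can compare it with the configured one.
     *
     * <p>The certificate text is taken from an unverified message, so it is HTML-escaped; otherwise a
     * crafted value could close the {@code <textarea>} and inject markup into the error page.
     */
    private String buildResolutionforcertificate(MoSAMLException.SAMLErrorCode code, Assertion assertion, Response response) {
        String certificateExpected = findSigningCertificate(assertion, response);
        StringBuilder sb = new StringBuilder(code.getResolution());
        sb.append(" Expected certificate : ");
        sb.append("<textarea rows='6' cols='100' word-wrap='break-word;' style='width:580px; margin:0px; height:290px;' id ='errormsg' readonly>-----BEGIN CERTIFICATE-----")
                .append(escapeHtml(certificateExpected))
                .append("-----END CERTIFICATE-----</textarea> ");
        sb.append("<div style=\"margin:3%;display:block;text-align:center;\"><input id =\"copy-button\" style=\"padding:1%;width:150px;background: #0091CD none repeat scroll 0% 0%;cursor: pointer;font-size:15px;border-width: 1px;border-style: solid;border-radius: 3px;white-space: nowrap;box-sizing:border-box;border-color: #0073AA;box-shadow:0px 1px 0px rgba(120,200,230,0.6) inset;color: #FFF;\" type=\"button\" value=\"Copy to Clipboard\"></div>");
        sb.append("<script>document.querySelector(\"#copy-button\").onclick = function() {document.querySelector(\"#errormsg\").select();document.execCommand('copy');};</script>");
        return sb.toString();
    }

    /**
     * Returns the last X509Certificate value found in the KeyInfo of the signature that was
     * verified (response first, then assertion), or "" when none is present or reading it fails.
     */
    private static String findSigningCertificate(Assertion assertion, Response response) {
        try {
            if (response.isSigned()) {
                return lastCertificateValue(response.getSignature().getKeyInfo().getX509Datas().iterator());
            }
            if (assertion.isSigned()) {
                return lastCertificateValue(assertion.getSignature().getKeyInfo().getX509Datas().iterator());
            }
        } catch (Exception e) {
            // Best effort only: the resolution text is diagnostic, the failure itself is already being reported.
            LOGGER.fine("Could not read certificate from KeyInfo: " + e.getMessage());
        }
        return "";
    }

    /** Last certificate value across all X509Data entries ("" if none); the last one wins, as before. */
    private static String lastCertificateValue(Iterator<X509Data> x509Datas) {
        String value = "";
        while (x509Datas.hasNext()) {
            for (X509Certificate certificate : x509Datas.next().getX509Certificates()) {
                value = certificate.getValue();
            }
        }
        return value == null ? "" : value;
    }

    /** Minimal HTML escaping for text embedded in the resolution markup; {@code null} becomes "". */
    private static String escapeHtml(String text) {
        if (text == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(text.length());
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Collects the attributes of the first AttributeStatement as name → text values.
     * Attributes without values are skipped; a repeated name keeps the last occurrence.
     * NOTE(review): further AttributeStatements are ignored, as in the previous version.
     *
     * @return a mutable map (the caller adds the NameID to it); empty when there is no statement
     */
    private Map<String, String[]> getAttributes(Assertion assertion) {
        LOGGER.fine("Getting attributes from SAML Response");
        Map<String, String[]> attributes = new HashMap<>();
        if (assertion.getAttributeStatements().isEmpty()) {
            return attributes;
        }
        for (Attribute attribute : assertion.getAttributeStatements().get(0).getAttributes()) {
            int valueCount = attribute.getAttributeValues().size();
            if (valueCount == 0) {
                continue;
            }
            String[] values = new String[valueCount];
            for (int i = 0; i < valueCount; i++) {
                // Text content of the AttributeValue's DOM node; the value is not unmarshalled into a typed object.
                values[i] = attribute.getAttributeValues().get(i).getDOM().getTextContent();
            }
            attributes.put(attribute.getName(), values);
        }
        return attributes;
    }

    /** Builds and logs an "expected vs. found" failure for the given code. */
    private MoSAMLException mismatch(MoSAMLException.SAMLErrorCode code, String expected, String actual) {
        MoSAMLException ex = new MoSAMLException(code.getMessage(), buildResolutionMessage(code, expected, actual), code);
        LOGGER.fine(ex.getMessage());
        return ex;
    }

    /**
     * Builds the resolution text "… app was expecting EXPECTED but found: ACTUAL".
     *
     * <p>The previous version printed the two values swapped. The found value comes from the
     * inbound message and the resolution is rendered alongside HTML (see the certificate
     * resolution), so it is escaped.
     */
    private String buildResolutionMessage(MoSAMLException.SAMLErrorCode code, String expected, String actual) {
        return code.getResolution() + " app was expecting " + expected + " but found: " + escapeHtml(actual);
    }

    /**
     * Builds an AuthnRequest and sends the browser to the IdP using the configured binding.
     *
     * <p>HTTP-POST: the (optionally signed) base64 request is written straight to the response body.
     * HTTP-Redirect: the deflated/base64 request, RelayState and — when request signing is enabled —
     * {@code SigAlg}/{@code Signature} are appended to the SSO URL and the browser is redirected.
     * The signature is only computed when signing is enabled (the previous version signed
     * unconditionally and then discarded the result).
     *
     * @param str caller-supplied string; the RelayState is whatever follows {@code "from="} in it.
     *            NOTE(review): if the RelayState returned by the IdP is later used as a redirect
     *            target, the ACS handler must restrict it to local paths — confirm there.
     * @throws MoSAMLException {@code UNKNOWN} (wrapping the cause) on any failure
     */
    public void createAuthnRequestAndRedirect(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        try {
            LOGGER.fine("Creating Authentication Request and redirecting user to Idp for authentication");
            MoSAMLUtils.doBootstrap();
            String relayState = StringUtils.substringAfter(str, "from=");
            AuthnRequest authnRequest = MoSAMLUtils.buildAuthnRequest(this.settings.getSPEntityID(),
                    this.settings.getSpAcsUrl(), this.settings.getSsoUrl(), this.settings.getNameIDFormat());
            if (StringUtils.equals(this.settings.getSsoBindingType(), "HttpPost")) {
                LOGGER.fine("HTTP-POST Binding selected for SSO");
                if (this.settings.getSignedRequest()) {
                    authnRequest = (AuthnRequest) MoSAMLUtils.signHttpPostRequest(authnRequest,
                            this.settings.getPublicSPCertificate(), this.settings.getPrivateSPCertificate());
                }
                byte[] body = MoSAMLUtils.base64EncodeRequest(authnRequest, true).getBytes(StandardCharsets.UTF_8);
                try (OutputStream out = httpServletResponse.getOutputStream()) {
                    out.write(body);
                }
                return;
            }
            LOGGER.fine("HTTP-Redirect Binding selected for SSO");
            String encodedRequest = MoSAMLUtils.base64EncodeRequest(authnRequest, false);
            LOGGER.fine("encodedAuthnRequest: " + encodedRequest);
            String redirectUrl;
            if (this.settings.getSignedRequest()) {
                // The string handed to the signer must be byte-identical to the query emitted by
                // createRedirectURL; presumably signHttpRedirectRequest appends SigAlg itself — confirm.
                String signature = MoSAMLUtils.signHttpRedirectRequest(
                        createRequestQueryParamsForSignature(encodedRequest, relayState), RSA_SHA256_URI,
                        this.settings.getPublicSPCertificate(), this.settings.getPrivateSPCertificate());
                redirectUrl = createRedirectURL(this.settings.getSsoUrl(), encodedRequest, relayState,
                        RSA_SHA256_URI, signature, false);
            } else {
                LOGGER.fine("sending relay state " + relayState);
                redirectUrl = createUnSignedRedirectURL(this.settings.getSsoUrl(), encodedRequest, relayState, false);
            }
            httpRedirect(httpServletResponse, redirectUrl);
        } catch (MoSAMLException e) {
            LOGGER.fine(e.getMessage());
            throw e;
        } catch (Exception e) {
            LOGGER.fine("An unknown error occurred while creating the AuthnRequest." + e);
            throw new MoSAMLException(e, MoSAMLException.SAMLErrorCode.UNKNOWN);
        }
    }

    /**
     * Issues an HTTP redirect to {@code str}.
     *
     * @throws IOException if the container fails to send the redirect
     */
    public static void httpRedirect(HttpServletResponse httpServletResponse, String str) throws IOException {
        LOGGER.fine("Redirecting user to " + str);
        httpServletResponse.sendRedirect(str);
    }

    /**
     * Appends the message/RelayState query to {@code baseUrl}, inserting "?" or "&" as needed.
     *
     * @param isResponse {@code true} to emit a SAMLResponse query, {@code false} for SAMLRequest
     */
    private String createUnSignedRedirectURL(String baseUrl, String encodedMessage, String relayState, boolean isResponse)
            throws UnsupportedEncodingException {
        StringBuilder sb = new StringBuilder(baseUrl);
        if (StringUtils.contains(baseUrl, "?")) {
            // Existing query string: join unless it already ends on a separator.
            if (!StringUtils.endsWith(baseUrl, "?") && !StringUtils.endsWith(baseUrl, "&")) {
                sb.append("&");
            }
        } else {
            sb.append("?");
        }
        sb.append(isResponse
                ? createResponseQueryParamsForSignature(encodedMessage, relayState)
                : createRequestQueryParamsForSignature(encodedMessage, relayState));
        return sb.toString();
    }

    /**
     * Builds {@code SAMLResponse=…&RelayState=…} for the redirect binding.
     *
     * <p>NOTE(review): unlike the request variant, the RelayState is appended without URL-encoding and
     * a "%2F" is always added after it. No caller in this class passes {@code isResponse=true}, so
     * the behaviour is kept verbatim; confirm the intent before relying on it.
     */
    private String createResponseQueryParamsForSignature(String encodedResponse, String relayState)
            throws UnsupportedEncodingException {
        LOGGER.fine("Creating response query parameter for signature");
        StringBuilder sb = new StringBuilder();
        sb.append(MoSAMLUtils.SAML_RESPONSE_PARAM).append("=").append(urlEncode(encodedResponse));
        sb.append("&").append("RelayState").append("=" + relayState);
        sb.append(urlEncode("/"));
        return sb.toString();
    }

    /**
     * Builds {@code SAMLRequest=…&RelayState=…}; a blank RelayState is sent as "/".
     * Both values are URL-encoded, and this exact string is also what gets signed.
     */
    private String createRequestQueryParamsForSignature(String encodedRequest, String relayState)
            throws UnsupportedEncodingException {
        LOGGER.fine("Creating request query parameter for signature");
        StringBuilder sb = new StringBuilder();
        sb.append(MoSAMLUtils.SAML_REQUEST_PARAM).append("=").append(urlEncode(encodedRequest));
        sb.append("&").append("RelayState").append("=");
        if (StringUtils.isNotBlank(relayState)) {
            LOGGER.fine("relay state is not blank " + relayState);
            sb.append(urlEncode(relayState));
        } else {
            sb.append(urlEncode("/"));
        }
        LOGGER.fine(sb.toString());
        return sb.toString();
    }

    /**
     * Like {@link #createUnSignedRedirectURL} but additionally appends {@code SigAlg} and
     * {@code Signature}, both URL-encoded.
     */
    private String createRedirectURL(String baseUrl, String encodedMessage, String relayState, String sigAlg,
            String signature, boolean isResponse) throws UnsupportedEncodingException {
        StringBuilder sb = new StringBuilder(createUnSignedRedirectURL(baseUrl, encodedMessage, relayState, isResponse));
        sb.append("&").append(MoSAMLUtils.SIGNATURE_ALGO_PARAM).append("=").append(urlEncode(sigAlg));
        sb.append("&").append("Signature").append("=").append(urlEncode(signature));
        return sb.toString();
    }

    /** URL-encodes {@code value} as UTF-8 (application/x-www-form-urlencoded rules). */
    private static String urlEncode(String value) throws UnsupportedEncodingException {
        return URLEncoder.encode(value, StandardCharsets.UTF_8.name());
    }
}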
