package org.jboss.identity.federation.web.filters;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.bind.JAXBElement;
import javax.xml.bind.JAXBException;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactoryConfigurationError;
import org.apache.log4j.Logger;
import org.jboss.identity.federation.api.saml.v2.request.SAML2Request;
import org.jboss.identity.federation.core.config.KeyProviderType;
import org.jboss.identity.federation.core.config.SPType;
import org.jboss.identity.federation.core.config.TrustType;
import org.jboss.identity.federation.core.exceptions.ConfigurationException;
import org.jboss.identity.federation.core.exceptions.ProcessingException;
import org.jboss.identity.federation.core.interfaces.TrustKeyConfigurationException;
import org.jboss.identity.federation.core.interfaces.TrustKeyManager;
import org.jboss.identity.federation.core.interfaces.TrustKeyProcessingException;
import org.jboss.identity.federation.core.saml.v2.common.IDGenerator;
import org.jboss.identity.federation.core.saml.v2.common.SAMLDocumentHolder;
import org.jboss.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
import org.jboss.identity.federation.core.saml.v2.exceptions.AssertionExpiredException;
import org.jboss.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException;
import org.jboss.identity.federation.core.saml.v2.holders.DestinationInfoHolder;
import org.jboss.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerChain;
import org.jboss.identity.federation.core.saml.v2.interfaces.SAML2HandlerChain;
import org.jboss.identity.federation.core.saml.v2.util.AssertionUtil;
import org.jboss.identity.federation.core.saml.v2.util.DocumentUtil;
import org.jboss.identity.federation.core.saml.v2.util.HandlerUtil;
import org.jboss.identity.federation.core.util.XMLSignatureUtil;
import org.jboss.identity.federation.saml.v2.assertion.AssertionType;
import org.jboss.identity.federation.saml.v2.assertion.AttributeStatementType;
import org.jboss.identity.federation.saml.v2.assertion.AttributeType;
import org.jboss.identity.federation.saml.v2.assertion.NameIDType;
import org.jboss.identity.federation.saml.v2.protocol.AuthnRequestType;
import org.jboss.identity.federation.saml.v2.protocol.ResponseType;
import org.jboss.identity.federation.saml.v2.protocol.StatusType;
import org.jboss.identity.federation.web.constants.GeneralConstants;
import org.jboss.identity.federation.web.interfaces.IRoleValidator;
import org.jboss.identity.federation.web.roles.DefaultRoleValidator;
import org.jboss.identity.federation.web.util.ConfigurationUtil;
import org.jboss.identity.federation.web.util.PostBindingUtil;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/* loaded from: input_file:org/jboss/identity/federation/web/filters/SPFilter.class */
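/**
 * Service Provider (SP) side servlet filter for a SAML v2 POST-binding exchange.
 *
 * <p>On {@link #init} it reads the SP configuration from {@code /WEB-INF/jboss-idfed.xml},
 * builds the handler chain from {@code /WEB-INF/jbid-handlers.xml} and, unless the
 * {@code IGNORE_SIGNATURES} init parameter is set, instantiates the configured
 * {@link TrustKeyManager}.  The protected helpers create the {@code AuthnRequest},
 * POST it to the IDP, check that a response issuer is trusted, verify the response
 * signature and turn a successful response into a {@link Principal}.
 *
 * <p>The body of {@link #doFilter} was not recovered by the decompiler (see the stub
 * below), so the request flow that chains these helpers together is not visible
 * in this class and is not documented here.
 *
 * <p>Deployment note: with {@code IGNORE_SIGNATURES=true} no key manager is created and
 * {@link #verifySignature} cannot succeed; that is a configuration choice, not a default.
 */
public class SPFilter implements Filter {
    private static Logger log = Logger.getLogger(SPFilter.class);

    /** Context-relative location of the handler-chain configuration. */
    private static final String HANDLERS_FILE = "/WEB-INF/jbid-handlers.xml";

    /** Supplies the IDP's validating key per issuer host; null when signatures are ignored. */
    private TrustKeyManager keyManager;
    private boolean trace = log.isTraceEnabled();
    protected SPType spConfiguration = null;
    protected String configFile = "/WEB-INF/jboss-idfed.xml";
    protected String serviceURL = null;
    protected String identityURL = null;
    private ServletContext context = null;
    private transient SAML2HandlerChain chain = null;
    /** When true, init() creates no key manager and response signatures are not checked. */
    protected boolean ignoreSignatures = false;
    private IRoleValidator roleValidator = new DefaultRoleValidator();

    /** Nothing to release: all state is plain fields owned by the container-held instance. */
    public void destroy() {
    }

    /*
     * The body of doFilter was not recovered by the decompiler (JADX reported
     * "Code restructure failed"; the only fragment it produced was a
     * response.sendError(errorCode) call).  The stub below is the decompiler's
     * placeholder, not the filter's behaviour: it fails every request.  The
     * original body presumably chains createSAMLRequest / sendRequestToIDP /
     * validate / isTrusted / verifySignature / handleSAMLResponse — confirm
     * against the original sources before relying on that.
     */
    public void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response,
            javax.servlet.FilterChain filterChain) throws IOException, ServletException {
        throw new UnsupportedOperationException("Method not decompiled: org.jboss.identity.federation.web.filters.SPFilter.doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain):void");
    }

    /**
     * Loads the SP configuration and the handler chain, then optionally the
     * {@link TrustKeyManager} and a custom {@link IRoleValidator}.
     *
     * <p>Init parameters read from {@code filterConfig}: {@code GeneralConstants.IGNORE_SIGNATURES}
     * (parsed with {@link Boolean#parseBoolean}), {@code GeneralConstants.ROLE_VALIDATOR}
     * (class name of an {@link IRoleValidator}) and {@code GeneralConstants.ROLES}
     * (handed to the role validator under the same key).
     *
     * @param filterConfig the container-supplied filter configuration
     * @throws ServletException declared by the {@link Filter} contract; this
     *         implementation reports configuration failures as {@link RuntimeException}s
     *         (cause attached) so that existing callers keep seeing the same exception type
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        this.context = filterConfig.getServletContext();
        try {
            loadSPConfiguration();
            loadHandlerChain();

            String ignore = filterConfig.getInitParameter(GeneralConstants.IGNORE_SIGNATURES);
            if (isNotNull(ignore)) {
                this.ignoreSignatures = Boolean.parseBoolean(ignore);
            }
            if (!this.ignoreSignatures) {
                this.keyManager = createKeyManager();
            }

            String validatorClass = filterConfig.getInitParameter(GeneralConstants.ROLE_VALIDATOR);
            if (isNotNull(validatorClass)) {
                this.roleValidator = instantiate(validatorClass, IRoleValidator.class);
            }

            Map<String, String> roleOptions = new HashMap<String, String>();
            String roles = filterConfig.getInitParameter(GeneralConstants.ROLES);
            if (this.trace) {
                log.trace("Found Roles in SPFilter config=" + roles);
            }
            if (roles != null) {
                roleOptions.put(GeneralConstants.ROLES, roles);
            }
            this.roleValidator.intialize(roleOptions);
        } catch (RuntimeException e) {
            // already carries a message and (where applicable) its cause; do not wrap it again
            throw e;
        } catch (Exception e) {
            throw new RuntimeException("SPFilter initialization failed: " + e.getLocalizedMessage(), e);
        }
    }

    /**
     * Parses {@code configFile} from the servlet context into {@code spConfiguration}
     * and caches the identity and service URLs.  The stream is closed afterwards.
     *
     * @throws Exception whatever {@link ConfigurationUtil#getSPConfiguration} raises;
     *         its checked exceptions are not visible from this class
     */
    private void loadSPConfiguration() throws Exception {
        InputStream in = this.context.getResourceAsStream(this.configFile);
        if (in == null) {
            throw new RuntimeException(this.configFile + " missing");
        }
        try {
            this.spConfiguration = ConfigurationUtil.getSPConfiguration(in);
        } finally {
            in.close();
        }
        this.identityURL = this.spConfiguration.getIdentityURL();
        this.serviceURL = this.spConfiguration.getServiceURL();
        if (this.trace) {
            log.trace("Identity Provider URL=" + this.identityURL);
        }
    }

    /**
     * Builds {@code chain} from {@code HANDLERS_FILE}.  A missing file is reported
     * explicitly instead of surfacing as a NullPointerException inside the parser.
     *
     * @throws Exception whatever the handler configuration utilities raise
     */
    private void loadHandlerChain() throws Exception {
        InputStream in = this.context.getResourceAsStream(HANDLERS_FILE);
        if (in == null) {
            throw new RuntimeException(HANDLERS_FILE + " missing");
        }
        try {
            this.chain = new DefaultSAML2HandlerChain();
            this.chain.addAll(HandlerUtil.getHandlers(ConfigurationUtil.getHandlers(in)));
        } finally {
            in.close();
        }
    }

    /**
     * Instantiates and configures the {@link TrustKeyManager} named in the SP configuration.
     *
     * @return the configured key manager
     * @throws RuntimeException if the key provider or its class name is missing, or if the
     *         manager cannot be created; the original exception is kept as the cause
     */
    private TrustKeyManager createKeyManager() {
        KeyProviderType keyProvider = this.spConfiguration.getKeyProvider();
        if (keyProvider == null) {
            throw new RuntimeException("KeyProvider is null");
        }
        String className = keyProvider.getClassName();
        if (className == null) {
            throw new RuntimeException("KeyManager class name is null");
        }
        try {
            TrustKeyManager manager = instantiate(className, TrustKeyManager.class);
            manager.setAuthProperties(keyProvider.getAuth());
            manager.setValidatingAlias(keyProvider.getValidatingAlias());
            if (this.trace) {
                log.trace("Key Provider=" + className);
            }
            return manager;
        } catch (Exception e) {
            log.error("Exception reading configuration:", e);
            throw new RuntimeException(e.getLocalizedMessage(), e);
        }
    }

    /**
     * Loads {@code className} through the thread context class loader and creates an
     * instance with its no-arg constructor.
     *
     * @param className fully qualified class name taken from configuration
     * @param type the interface the class must implement
     * @return a new instance, typed as {@code type}
     * @throws ClassNotFoundException if the class cannot be loaded
     * @throws InstantiationException if it has no usable no-arg constructor
     * @throws IllegalAccessException if the constructor is not accessible
     * @throws ClassCastException if the class does not implement {@code type}
     *         (raised by {@code asSubclass}, naming the offending class)
     */
    private static <T> T instantiate(String className, Class<T> type)
            throws ClassNotFoundException, InstantiationException, IllegalAccessException {
        ClassLoader loader = SecurityActions.getContextClassLoader();
        return loader.loadClass(className).asSubclass(type).newInstance();
    }

    /**
     * Creates the {@code AuthnRequest} sent to the IDP.
     *
     * @param spURL the SP's own URL, used both as issuer and as assertion consumer URL
     * @param idpURL the IDP URL the request is addressed to
     * @return the request, with a fresh {@code ID_}-prefixed identifier
     * @throws ConfigurationException propagated from {@link SAML2Request#createAuthnRequestType}
     * @throws IllegalArgumentException if either URL is null
     */
    private AuthnRequestType createSAMLRequest(String spURL, String idpURL) throws ConfigurationException {
        if (spURL == null) {
            throw new IllegalArgumentException("serviceURL is null");
        }
        if (idpURL == null) {
            throw new IllegalArgumentException("identityURL is null");
        }
        return new SAML2Request().createAuthnRequestType(IDGenerator.create("ID_"), spURL, idpURL, spURL);
    }

    /**
     * Marshals {@code authnRequest} and POSTs it, base64 encoded, to the request's
     * destination.
     *
     * @param authnRequest the request to send; its {@code Destination} is the POST target
     * @param relayState the third constructor argument of {@link DestinationInfoHolder}
     *        (presumably the RelayState — confirm against that class)
     * @param response the servlet response the POST form is written to
     */
    protected void sendRequestToIDP(AuthnRequestType authnRequest, String relayState,
            HttpServletResponse response) throws IOException, SAXException, JAXBException, GeneralSecurityException {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        new SAML2Request().marshall(authnRequest, buffer);
        // Decode with an explicit charset: the platform default would garble non-ASCII XML.
        // Assumes the marshaller writes UTF-8 (the JAXB default) — confirm against SAML2Request.
        String xml = buffer.toString("UTF-8");
        DestinationInfoHolder holder =
                new DestinationInfoHolder(authnRequest.getDestination(), PostBindingUtil.base64Encode(xml), relayState);
        PostBindingUtil.sendPost(holder, response, true);
    }

    /**
     * POSTs an already built SAML document, base64 encoded, to {@code destination}.
     *
     * @param document the SAML document to send
     * @param relayState the third constructor argument of {@link DestinationInfoHolder}
     *        (presumably the RelayState — confirm against that class)
     * @param destination URL the POST form targets
     * @param response the servlet response the POST form is written to
     * @throws ProcessingException (unchecked here) if the document cannot be serialised
     */
    protected void sendToDestination(Document document, String relayState, String destination,
            HttpServletResponse response) throws IOException, SAXException, JAXBException, GeneralSecurityException {
        String encoded;
        try {
            encoded = PostBindingUtil.base64Encode(DocumentUtil.getDocumentAsString(document));
        } catch (TransformerException e) {
            throw new ProcessingException(e);
        } catch (TransformerFactoryConfigurationError e) {
            throw new ProcessingException(e);
        }
        PostBindingUtil.sendPost(new DestinationInfoHolder(destination, encoded, relayState), response, true);
    }

    /**
     * Tells whether the request carries a SAML response to process.
     *
     * @param request the incoming request
     * @return true if a non-empty {@code SAMLResponse} parameter is present
     */
    protected boolean validate(HttpServletRequest request) throws IOException, GeneralSecurityException {
        return isNotNull(request.getParameter("SAMLResponse"));
    }

    /**
     * Verifies the XML signature of a SAML response against the validating key the
     * {@link TrustKeyManager} holds for the issuer's host.
     *
     * <p>Key lookup and signature failures are logged and reported as {@code false};
     * the method never reports {@code true} without a successful
     * {@link XMLSignatureUtil#validate} call.  A missing or absent issuer, or one that
     * is not a URL, is an {@link IssuerNotTrustedException} instead.
     *
     * @param holder the parsed response and its DOM document
     * @return the result of the signature validation, or false if it could not be performed
     * @throws IssuerNotTrustedException if the response has no issuer or the issuer is not a valid URL
     */
    protected boolean verifySignature(SAMLDocumentHolder holder) throws IssuerNotTrustedException {
        Document samlDocument = holder.getSamlDocument();
        ResponseType response = (ResponseType) holder.getSamlObject();
        NameIDType issuer = response.getIssuer();
        String issuerValue = issuer == null ? null : issuer.getValue();
        if (issuerValue == null) {
            throw new IssuerNotTrustedException("Issuer missing");
        }
        String issuerHost;
        try {
            issuerHost = new URL(issuerValue).getHost();
        } catch (MalformedURLException e) {
            throw new IssuerNotTrustedException(e);
        }
        if (this.keyManager == null) {
            // init() creates no key manager when signatures are ignored; fail closed rather than NPE
            log.error("Unable to verify signature: no TrustKeyManager configured");
            return false;
        }
        try {
            PublicKey validatingKey = this.keyManager.getValidatingKey(issuerHost);
            if (this.trace) {
                log.trace("Going to verify signature in the saml response from IDP");
            }
            boolean valid = XMLSignatureUtil.validate(samlDocument, validatingKey);
            if (this.trace) {
                log.trace("Signature verification=" + valid);
            }
            return valid;
        } catch (TrustKeyProcessingException e) {
            log.error("Unable to verify signature", e);
            return false;
        } catch (XMLSignatureException e) {
            log.error("Unable to verify signature", e);
            return false;
        } catch (MarshalException e) {
            log.error("Unable to verify signature", e);
            return false;
        } catch (TrustKeyConfigurationException e) {
            log.error("Unable to verify signature", e);
            return false;
        }
    }

    /**
     * Checks that the host of {@code issuer} is one of the domains listed in the SP
     * configuration's {@code Trust} element.
     *
     * <p>When no {@code Trust} element is configured every issuer is accepted; that is
     * the pre-existing semantics of this filter and is left unchanged.  When one is
     * configured, the host must match a comma-separated entry exactly
     * (case-insensitively); an empty host never matches.
     *
     * @param issuer the issuer URL from the response
     * @throws IssuerNotTrustedException if the host is not listed, the URL is malformed,
     *         or the check cannot be performed
     */
    protected void isTrusted(String issuer) throws IssuerNotTrustedException {
        try {
            String host = new URL(issuer).getHost();
            TrustType trust = this.spConfiguration.getTrust();
            if (trust == null) {
                return;
            }
            if (host == null || host.length() == 0) {
                throw new IssuerNotTrustedException(issuer);
            }
            String domains = trust.getDomains();
            if (domains == null || !containsHost(domains, host)) {
                throw new IssuerNotTrustedException(issuer);
            }
        } catch (IssuerNotTrustedException e) {
            throw e;
        } catch (Exception e) {
            throw new IssuerNotTrustedException(e.getLocalizedMessage(), e);
        }
    }

    /**
     * Whole-entry, case-insensitive membership test of {@code host} in the comma-separated
     * {@code domains} list.
     *
     * <p>The previous check was {@code domains.indexOf(host) >= 0}, a substring test that
     * accepted any host that happened to be a fragment of a configured entry (for example
     * {@code example.com} against {@code idp.example.com}) and the empty host of a
     * non-hierarchical issuer URL.  Blank entries (from a leading or doubled comma) are skipped.
     *
     * @param domains comma-separated trusted domains from the configuration
     * @param host the issuer host to look for
     * @return true if some trimmed entry equals {@code host} ignoring case
     */
    private static boolean containsHost(String domains, String host) {
        for (String entry : domains.split(",")) {
            String candidate = entry.trim();
            if (candidate.length() > 0 && candidate.equalsIgnoreCase(host)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Extension hook for encrypted assertions.  This filter does not support them and
     * always throws; subclasses may override.
     *
     * @param responseType the response carrying an encrypted assertion
     * @return never returns normally in this implementation
     * @throws UnsupportedOperationException always (a {@link RuntimeException}, as before)
     */
    protected ResponseType decryptAssertion(ResponseType responseType) {
        throw new UnsupportedOperationException("This authenticator does not handle encryption");
    }

    /**
     * Turns a successful SAML response into a {@link Principal}.
     *
     * <p>Checks performed: the status code is {@code STATUS_SUCCESS}, the first assertion
     * is a plain (not encrypted) {@link AssertionType} that has not expired, and the role
     * validator accepts the attribute values found in the assertion's first
     * {@code AttributeStatement}.  This method does not call {@link #isTrusted} or
     * {@link #verifySignature}; those checks are expected to happen before it.
     *
     * @param request the current request (must not be null; not otherwise used here)
     * @param response the parsed SAML response
     * @return a principal named after the subject's NameID, or null if the role validator rejects the user
     * @throws ConfigurationException propagated from the assertion utilities
     * @throws AssertionExpiredException if the first assertion has expired
     * @throws IllegalArgumentException if an argument or the response status is null
     * @throws SecurityException if the status code is not success
     * @throws IllegalStateException if the response has no usable assertion or subject
     */
    public Principal handleSAMLResponse(HttpServletRequest request, ResponseType response)
            throws ConfigurationException, AssertionExpiredException {
        if (request == null) {
            throw new IllegalArgumentException("request is null");
        }
        if (response == null) {
            throw new IllegalArgumentException("response type is null");
        }
        StatusType status = response.getStatus();
        if (status == null) {
            throw new IllegalArgumentException("Status Type from the IDP is null");
        }
        // a missing StatusCode is treated like a non-success code rather than as an NPE
        if (status.getStatusCode() == null
                || !JBossSAMLURIConstants.STATUS_SUCCESS.get().equals(status.getStatusCode().getValue())) {
            throw new SecurityException("IDP forbid the user");
        }
        AssertionType assertion = firstAssertion(response);
        if (AssertionUtil.hasExpired(assertion)) {
            throw new AssertionExpiredException();
        }
        final String subjectName = subjectName(assertion);
        List<String> roles = extractRoles(assertion);
        Principal principal = new Principal() {
            @Override
            public String getName() {
                return subjectName;
            }
        };
        if (!this.roleValidator.userInRole(principal, roles)) {
            if (this.trace) {
                log.trace("Invalid role:" + roles);
            }
            return null;
        }
        return principal;
    }

    /**
     * Returns the response's first assertion as a plain {@link AssertionType}.
     *
     * @throws IllegalStateException if there is none, or the first entry is something else
     *         (an encrypted assertion, for instance), instead of a ClassCastException
     */
    private static AssertionType firstAssertion(ResponseType response) {
        List<?> assertions = response.getAssertionOrEncryptedAssertion();
        if (assertions == null || assertions.isEmpty()) {
            throw new IllegalStateException("No assertions in reply from IDP");
        }
        Object first = assertions.get(0);
        if (!(first instanceof AssertionType)) {
            throw new IllegalStateException("First assertion is not a plain AssertionType: "
                    + (first == null ? "null" : first.getClass().getName()));
        }
        return (AssertionType) first;
    }

    /**
     * Reads the NameID value that starts the assertion's Subject.
     *
     * @throws IllegalStateException if the subject is missing or does not start with a NameID element
     */
    private static String subjectName(AssertionType assertion) {
        if (assertion.getSubject() == null || assertion.getSubject().getContent() == null
                || assertion.getSubject().getContent().isEmpty()) {
            throw new IllegalStateException("Assertion has no Subject");
        }
        Object first = assertion.getSubject().getContent().get(0);
        Object nameId = first instanceof JAXBElement ? ((JAXBElement<?>) first).getValue() : first;
        if (!(nameId instanceof NameIDType)) {
            throw new IllegalStateException("Subject does not start with a NameID");
        }
        return ((NameIDType) nameId).getValue();
    }

    /**
     * Collects the first value of every attribute in the assertion's first
     * {@code AttributeStatement}; that list is what the role validator receives as the
     * user's roles.  Statements of other kinds that precede it (an {@code AuthnStatement},
     * typically) are skipped, as are encrypted attributes and attributes without a value.
     * Values are cast to String as before; a non-String value still fails with a
     * ClassCastException — presumably the IDPs in use emit xs:string values.
     *
     * @return the roles found, possibly empty
     */
    private static List<String> extractRoles(AssertionType assertion) {
        List<String> roles = new ArrayList<String>();
        List<?> statements = assertion.getStatementOrAuthnStatementOrAuthzDecisionStatement();
        if (statements == null) {
            return roles;
        }
        for (Object statement : statements) {
            if (!(statement instanceof AttributeStatementType)) {
                continue;
            }
            List<?> attributes = ((AttributeStatementType) statement).getAttributeOrEncryptedAttribute();
            if (attributes != null) {
                for (Object attribute : attributes) {
                    if (!(attribute instanceof AttributeType)) {
                        continue;
                    }
                    List<?> values = ((AttributeType) attribute).getAttributeValue();
                    if (values != null && !values.isEmpty()) {
                        roles.add((String) values.get(0));
                    }
                }
            }
            break; // only the first AttributeStatement is consulted, as before
        }
        return roles;
    }

    /**
     * @return true if {@code str} is neither null nor the empty string
     */
    private boolean isNotNull(String str) {
        return str != null && str.length() > 0;
    }
}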
