package org.jasig.cas.client.validation;

import ch.qos.logback.core.net.ssl.SSL;
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.Charset;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Random;
import javax.xml.namespace.NamespaceContext;
import org.jasig.cas.client.authentication.AttributePrincipalImpl;
import org.jasig.cas.client.util.CommonUtils;
import org.jasig.cas.client.util.IOUtils;
import org.jasig.cas.client.util.MapNamespaceContext;
import org.jasig.cas.client.util.SamlUtils;
import org.jasig.cas.client.util.ThreadLocalXPathExpression;
import org.jasig.cas.client.util.XmlUtils;
import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
import org.joda.time.Interval;
import org.pac4j.cas.config.CasConfiguration;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/* loaded from: input_file:org/jasig/cas/client/validation/Saml11TicketValidator.class */
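/**
 * Validates a CAS ticket against the server's SAML 1.1 {@code /samlValidate} endpoint.
 *
 * <p>The validator POSTs a SOAP/SAML request (built from a classpath template) to the
 * CAS server, parses the returned assertion with XPath, checks its
 * {@code NotBefore}/{@code NotOnOrAfter} window (with a configurable clock-skew
 * tolerance) and turns the subject and attributes into an {@link Assertion}.
 *
 * <p>Trust model: no XML signature verification is performed here. The assertion is
 * trusted only because it is fetched directly from the CAS server over the validation
 * URL, so the TLS configuration of that connection (see
 * {@code getURLConnectionFactory()}) is what protects the result. XML parser
 * hardening (DTD / external-entity handling) is expected to live in
 * {@link XmlUtils#newDocument} — NOTE(review): confirm that is the case.
 *
 * <p>Thread-safety: XPath expressions are thread-local and the random source is a
 * {@link SecureRandom}; {@link #setTolerance(long)} is a plain unsynchronized write and
 * is intended to be called during configuration, before validation starts.
 */
public final class Saml11TicketValidator extends AbstractUrlBasedTicketValidator {

    /** Key under which the SAML {@code AuthenticationMethod} is exposed in the assertion attributes. */
    public static final String AUTH_METHOD_ATTRIBUTE = "samlAuthenticationStatement::authMethod";

    /** SOAP request body; {@code %s} placeholders are filled by {@link #retrieveResponseFromServer}. */
    private static final String SAML_REQUEST_TEMPLATE;

    /** Classpath location of the request template (loaded once in the static initializer). */
    private static final String SAML_REQUEST_TEMPLATE_RESOURCE = "/META-INF/cas/samlRequestTemplate.xml";

    private static final NamespaceContext NS_CONTEXT = new MapNamespaceContext(
            "soap->http://schemas.xmlsoap.org/soap/envelope/",
            "sa->urn:oasis:names:tc:SAML:1.0:assertion",
            "sp->urn:oasis:names:tc:SAML:1.0:protocol");

    private static final ThreadLocalXPathExpression XPATH_ASSERTION_DATE_START =
            new ThreadLocalXPathExpression("//sa:Assertion/sa:Conditions/@NotBefore", NS_CONTEXT);
    private static final ThreadLocalXPathExpression XPATH_ASSERTION_DATE_END =
            new ThreadLocalXPathExpression("//sa:Assertion/sa:Conditions/@NotOnOrAfter", NS_CONTEXT);
    private static final ThreadLocalXPathExpression XPATH_NAME_ID =
            new ThreadLocalXPathExpression("//sa:AuthenticationStatement/sa:Subject/sa:NameIdentifier", NS_CONTEXT);
    private static final ThreadLocalXPathExpression XPATH_AUTH_METHOD =
            new ThreadLocalXPathExpression("//sa:AuthenticationStatement/@AuthenticationMethod", NS_CONTEXT);
    private static final ThreadLocalXPathExpression XPATH_ATTRIBUTES =
            new ThreadLocalXPathExpression("//sa:AttributeStatement/sa:Attribute", NS_CONTEXT);

    /** Lower-case hex alphabet used by {@link #generateId()}. */
    private static final String HEX_CHARS = "0123456789abcdef";

    /**
     * Clock-skew allowance in milliseconds, applied to both ends of the assertion's
     * validity window (Joda {@code minus(long)} / {@code plus(long)} take millis).
     */
    private long tolerance = 1000L;

    /** Source of randomness for SAML request IDs; must be a CSPRNG so IDs are unpredictable. */
    private final Random random;

    /**
     * Creates a validator for the given CAS server.
     *
     * @param casServerUrlPrefix CAS server URL prefix, handed to the superclass
     * @throws IllegalStateException if the SHA1PRNG {@link SecureRandom} algorithm is unavailable
     */
    public Saml11TicketValidator(final String casServerUrlPrefix) {
        super(casServerUrlPrefix);
        try {
            // "SHA1PRNG" is the value the decompiled code read from SSL.DEFAULT_SECURE_RANDOM_ALGORITHM;
            // spelled out so this class does not depend on a logging library's constant.
            this.random = SecureRandom.getInstance("SHA1PRNG");
        } catch (final NoSuchAlgorithmException e) {
            // keep the cause so the missing-provider reason is not lost
            throw new IllegalStateException("Cannot find required SHA1PRNG algorithm", e);
        }
    }

    /** @return the CAS endpoint path for SAML 1.1 validation */
    @Override // org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator
    protected String getUrlSuffix() {
        return "samlValidate";
    }

    /**
     * Rewrites the generic CAS query parameters for the SAML endpoint: the service URL is
     * sent as {@code TARGET}, and the ticket is dropped from the URL because it travels in
     * the POST body instead (see {@link #retrieveResponseFromServer}).
     *
     * @param urlParameters mutable map of query parameters; modified in place
     */
    @Override // org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator
    protected void populateUrlAttributeMap(final Map<String, String> urlParameters) {
        final String service = urlParameters.remove(CasConfiguration.SERVICE_PARAMETER);
        urlParameters.remove(CasConfiguration.TICKET_PARAMETER);
        urlParameters.put("TARGET", service);
    }

    /**
     * Parses the SAML response returned by the CAS server into an {@link Assertion}.
     *
     * @param response raw XML body of the {@code /samlValidate} response
     * @return the assertion, with the NameIdentifier as principal name, the
     *         sa:Attribute values as principal attributes and the authentication method
     *         under {@link #AUTH_METHOD_ATTRIBUTE}
     * @throws TicketValidationException if the validity window is missing or not current,
     *         the NameIdentifier is absent, or the XML cannot be parsed/evaluated
     */
    @Override // org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator
    protected Assertion parseResponseFromServer(final String response) throws TicketValidationException {
        try {
            final Document document = XmlUtils.newDocument(response);
            final Date notBefore = SamlUtils.parseUtcDate(XPATH_ASSERTION_DATE_START.evaluateAsString(document));
            final Date notOnOrAfter = SamlUtils.parseUtcDate(XPATH_ASSERTION_DATE_END.evaluateAsString(document));
            if (!isValidAssertion(notBefore, notOnOrAfter)) {
                throw new TicketValidationException("Invalid SAML assertion");
            }
            final String nameId = XPATH_NAME_ID.evaluateAsString(document);
            if (nameId == null) {
                throw new TicketValidationException("SAML assertion does not contain NameIdentifier element");
            }
            final String authMethod = XPATH_AUTH_METHOD.evaluateAsString(document);
            final Map<String, Object> attributes = extractAttributes(XPATH_ATTRIBUTES.evaluateAsNodeList(document));
            return new AssertionImpl(
                    new AttributePrincipalImpl(nameId, attributes),
                    notBefore,
                    notOnOrAfter,
                    new Date(),
                    Collections.<String, Object>singletonMap(AUTH_METHOD_ATTRIBUTE, authMethod));
        } catch (final TicketValidationException e) {
            // already a precise validation failure — do not bury its message under a generic wrapper
            throw e;
        } catch (final Exception e) {
            throw new TicketValidationException("Error processing SAML response", e);
        }
    }

    /**
     * Flattens {@code sa:Attribute} elements into a name-to-value map.
     *
     * <p>An attribute with exactly one {@code AttributeValue} maps to that {@link String};
     * any other count (including zero) maps to a {@code List<String>} of the values, which
     * is the shape existing callers expect.
     *
     * @param attributeNodes result of {@link #XPATH_ATTRIBUTES}
     * @return mutable map of attribute name to {@link String} or {@code List<String>}
     */
    private Map<String, Object> extractAttributes(final NodeList attributeNodes) {
        final Map<String, Object> attributes = new HashMap<String, Object>(attributeNodes.getLength());
        for (int i = 0; i < attributeNodes.getLength(); i++) {
            final Element attribute = (Element) attributeNodes.item(i);
            final String name = attribute.getAttribute("AttributeName");
            this.logger.trace("Processing attribute {}", name);
            final NodeList values = attribute.getElementsByTagNameNS("*", "AttributeValue");
            if (values.getLength() == 1) {
                attributes.put(name, values.item(0).getTextContent());
            } else {
                final List<String> multiValued = new ArrayList<String>(values.getLength());
                for (int j = 0; j < values.getLength(); j++) {
                    multiValued.add(values.item(j).getTextContent());
                }
                attributes.put(name, multiValued);
            }
        }
        return attributes;
    }

    /**
     * Checks that "now" (UTC) lies within {@code [notBefore - tolerance, notOnOrAfter + tolerance]}.
     *
     * @param notBefore    assertion {@code NotBefore}; {@code null} rejects the assertion
     * @param notOnOrAfter assertion {@code NotOnOrAfter}; {@code null} rejects the assertion
     * @return {@code true} only when both bounds are present and the current time is inside the widened window
     */
    private boolean isValidAssertion(final Date notBefore, final Date notOnOrAfter) {
        if (notBefore == null || notOnOrAfter == null) {
            // an assertion without a validity window is never accepted
            this.logger.debug("Assertion is not valid because it does not have bounding dates.");
            return false;
        }
        final DateTime now = new DateTime(DateTimeZone.UTC);
        final Interval validity = new Interval(
                new DateTime(notBefore).minus(this.tolerance),
                new DateTime(notOnOrAfter).plus(this.tolerance));
        if (validity.contains(now)) {
            this.logger.debug("Current time is within the interval validity.");
            return true;
        }
        if (now.isBefore(validity.getStart())) {
            this.logger.debug("Assertion is not yet valid");
        } else {
            this.logger.debug("Assertion is expired");
        }
        return false;
    }

    /**
     * POSTs the SAML request for {@code ticket} to {@code validationUrl} and returns the response body.
     *
     * <p>The ticket is XML-escaped before being substituted into the template: it originates
     * from the incoming HTTP request, so a value containing markup characters must not be
     * able to alter the structure of the SOAP envelope. Well-formed CAS tickets contain no
     * such characters and are sent unchanged.
     *
     * @param validationUrl fully built {@code /samlValidate} URL (query parameters already applied)
     * @param ticket        the service ticket to validate
     * @return the raw response body, decoded with the configured encoding (UTF-8 by default)
     * @throws RuntimeException wrapping the {@link IOException} if the exchange fails
     */
    @Override // org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator
    protected String retrieveResponseFromServer(final URL validationUrl, final String ticket) {
        final String request = String.format(SAML_REQUEST_TEMPLATE,
                generateId(), SamlUtils.formatForUtcTime(new Date()), escapeXml(ticket));
        final Charset charset = CommonUtils.isNotBlank(getEncoding())
                ? Charset.forName(getEncoding())
                : IOUtils.UTF8;
        HttpURLConnection connection = null;
        try {
            connection = getURLConnectionFactory().buildHttpURLConnection(validationUrl.openConnection());
            connection.setRequestMethod("POST");
            connection.setRequestProperty("Content-Type", "text/xml");
            connection.setRequestProperty("SOAPAction", "http://www.oasis-open.org/committees/security");
            connection.setUseCaches(false);
            connection.setDoInput(true);
            connection.setDoOutput(true);
            final OutputStream body = connection.getOutputStream();
            try {
                body.write(request.getBytes(charset));
                body.flush();
            } finally {
                body.close();
            }
            return IOUtils.readString(connection.getInputStream(), charset);
        } catch (final IOException e) {
            throw new RuntimeException("IO error sending HTTP request to /samlValidate", e);
        } finally {
            // single release point replaces the decompiled duplicate disconnect() calls
            if (connection != null) {
                connection.disconnect();
            }
        }
    }

    /**
     * Escapes the XML special characters in {@code value} so it is safe as element text or
     * attribute content. A {@code null} value is returned unchanged (it is formatted as
     * the literal {@code "null"}, matching the previous behaviour).
     *
     * @param value text to escape
     * @return escaped text, or {@code null} if {@code value} is {@code null}
     */
    private static String escapeXml(final String value) {
        if (value == null) {
            return null;
        }
        final StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            final char c = value.charAt(i);
            switch (c) {
                case '&':
                    sb.append("&amp;");
                    break;
                case '<':
                    sb.append("&lt;");
                    break;
                case '>':
                    sb.append("&gt;");
                    break;
                case '"':
                    sb.append("&quot;");
                    break;
                case '\'':
                    sb.append("&apos;");
                    break;
                default:
                    sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Sets the clock-skew tolerance.
     *
     * @param toleranceMillis allowance in milliseconds added on both sides of the assertion
     *                        validity window; defaults to 1000
     */
    public void setTolerance(final long toleranceMillis) {
        this.tolerance = toleranceMillis;
    }

    /**
     * Builds an unpredictable SAML request ID: an underscore followed by 32 lower-case hex
     * characters (128 random bits). The leading {@code '_'} keeps the value a valid XML ID
     * even when the first hex digit is numeric.
     *
     * @return a 33-character request identifier
     */
    private String generateId() {
        final byte[] bytes = new byte[16];
        this.random.nextBytes(bytes);
        final StringBuilder sb = new StringBuilder(33);
        sb.append('_');
        for (final byte b : bytes) {
            sb.append(HEX_CHARS.charAt((b & 0xF0) >> 4));
            sb.append(HEX_CHARS.charAt(b & 0x0F));
        }
        return sb.toString();
    }

    static {
        // Fail fast at class load if the template is missing; a null stream would otherwise
        // surface later as a NullPointerException deep inside IOUtils.
        final java.io.InputStream template =
                Saml11TicketValidator.class.getResourceAsStream(SAML_REQUEST_TEMPLATE_RESOURCE);
        if (template == null) {
            throw new IllegalStateException("Cannot load SAML request template from classpath");
        }
        try {
            try {
                SAML_REQUEST_TEMPLATE = IOUtils.readString(template);
            } finally {
                template.close();
            }
        } catch (final IOException e) {
            throw new IllegalStateException("Cannot load SAML request template from classpath", e);
        }
    }
}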
