package org.apache.cxf.rs.security.oauth2.grants.saml;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.ws.rs.core.MultivaluedMap;
import org.apache.cxf.common.util.Base64Exception;
import org.apache.cxf.common.util.Base64UrlUtility;
import org.apache.cxf.jaxrs.utils.HttpUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.cxf.rs.security.common.CryptoLoader;
import org.apache.cxf.rs.security.common.RSSecurityUtils;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oauth2.grants.AbstractGrantHandler;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.saml.Constants;
import org.apache.cxf.rs.security.oauth2.saml.SamlOAuthValidator;
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
import org.apache.cxf.rs.security.saml.authorization.SecurityContextProvider;
import org.apache.cxf.rs.security.saml.authorization.SecurityContextProviderImpl;
import org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext;
import org.apache.cxf.rt.security.utils.SecurityUtils;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.staxutils.StaxUtils;
import org.apache.wss4j.common.saml.SAMLUtil;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.dom.WSDocInfo;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor;
import org.apache.wss4j.dom.validate.Credential;
import org.apache.wss4j.dom.validate.SamlAssertionValidator;
import org.apache.wss4j.dom.validate.Validator;
import org.opensaml.xmlsec.signature.Signature;
import org.w3c.dom.Element;

/* loaded from: input_file:org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.class */
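/**
 * Access-token grant handler for the SAML 2.0 bearer assertion grant type.
 *
 * <p>The handler registers itself for {@code Constants.SAML2_BEARER_GRANT} and for the
 * URL-encoded form of that value. On a token request it Base64URL-decodes the
 * {@code Constants.CLIENT_GRANT_ASSERTION_PARAM} parameter, parses it as XML into a
 * {@link SamlAssertionWrapper}, runs {@link #validateToken(Message, SamlAssertionWrapper)}
 * and finally maps the assertion to a {@link UserSubject} via the configured
 * {@link SecurityContextProvider} before delegating to {@code doCreateAccessToken}.
 *
 * <p>Every rejection, whatever its cause, is raised as an {@link OAuthServiceException}
 * carrying the single error code {@code invalid_grant}; the underlying exception is kept
 * as the cause for server-side diagnostics only.
 *
 * <p>Security notes for deployers: an unsigned assertion is accepted only when the request
 * carries TLS client certificates (see {@link #validateToken}); certificate revocation
 * checking during signature verification is off unless the message property
 * {@code security.enableRevocation} is set to {@code true}.
 */
public class Saml2BearerGrantHandler extends AbstractGrantHandler {
    /** Error code reported for every rejected or unreadable assertion. */
    private static final String INVALID_GRANT = "invalid_grant";
    /** Message property naming the Crypto instance used for signature verification. */
    private static final String SIGNATURE_CRYPTO = "security.signature.crypto";
    /** Message property naming the crypto properties used for signature verification. */
    private static final String SIGNATURE_PROPERTIES = "security.signature.properties";
    /** Message property that turns certificate revocation checking on when set to "true". */
    private static final String ENABLE_REVOCATION = "security.enableRevocation";
    /** Token-request parameter carrying the requested scope string. */
    private static final String SCOPE_PARAM = "scope";
    /** URL-encoded form of the SAML2 bearer grant type, accepted alongside the plain value. */
    private static final String ENCODED_SAML2_BEARER_GRANT;

    static {
        // WSS4J must be initialised before any assertion is parsed or verified.
        WSSConfig.init();
        ENCODED_SAML2_BEARER_GRANT =
            HttpUtils.urlEncode(Constants.SAML2_BEARER_GRANT, StandardCharsets.UTF_8.name());
    }

    /** WSS4J-level assertion {@link Validator}; skipped entirely when {@code null}. */
    private Validator samlValidator;
    /** OAuth-specific assertion checks applied after WSS4J validation. */
    private SamlOAuthValidator samlOAuthValidator;
    /** Builds the {@link SecurityContext} (principal, roles, claims) from the assertion. */
    private SecurityContextProvider scProvider;

    /**
     * Creates a handler for the plain and URL-encoded SAML2 bearer grant types with the
     * default validators and security-context provider.
     */
    public Saml2BearerGrantHandler() {
        super(Arrays.asList(Constants.SAML2_BEARER_GRANT, ENCODED_SAML2_BEARER_GRANT));
        this.samlValidator = new SamlAssertionValidator();
        this.samlOAuthValidator = new SamlOAuthValidator();
        this.scProvider = new SecurityContextProviderImpl();
    }

    /**
     * Replaces the WSS4J assertion validator.
     *
     * @param validator the validator to use, or {@code null} to skip WSS4J validation
     */
    public void setSamlValidator(Validator validator) {
        this.samlValidator = validator;
    }

    /**
     * Replaces the OAuth-specific assertion validator.
     *
     * @param samlOAuthValidator the validator to use; must not be {@code null}, it is always invoked
     */
    public void setSamlOAuthValidator(SamlOAuthValidator samlOAuthValidator) {
        this.samlOAuthValidator = samlOAuthValidator;
    }

    /**
     * Replaces the provider that derives the caller's {@link SecurityContext} from the assertion.
     *
     * @param securityContextProvider the provider to use
     */
    public void setSecurityContextProvider(SecurityContextProvider securityContextProvider) {
        this.scProvider = securityContextProvider;
    }

    /**
     * Exchanges a SAML2 bearer assertion for an access token.
     *
     * @param client         the authenticated OAuth client making the token request
     * @param multivaluedMap the token-request form parameters
     * @return the newly created access token
     * @throws OAuthServiceException with code {@code invalid_grant} when the assertion
     *         parameter is missing, cannot be decoded or parsed, or fails validation
     */
    @Override
    public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String> multivaluedMap)
        throws OAuthServiceException {
        String encodedAssertion = multivaluedMap.getFirst(Constants.CLIENT_GRANT_ASSERTION_PARAM);
        if (encodedAssertion == null) {
            throw new OAuthServiceException(INVALID_GRANT);
        }
        try {
            SamlAssertionWrapper assertion =
                new SamlAssertionWrapper(readToken(decodeAssertion(encodedAssertion)));
            Message currentMessage = PhaseInterceptorChain.getCurrentMessage();
            validateToken(currentMessage, assertion);
            UserSubject subject = getGrantSubject(currentMessage, assertion);
            return doCreateAccessToken(client, subject, Constants.SAML2_BEARER_GRANT,
                                       OAuthUtils.parseScope(multivaluedMap.getFirst(SCOPE_PARAM)));
        } catch (OAuthServiceException ex) {
            // Already carries the OAuth error code; must be caught before the generic
            // Exception clause or it would never be reached (and would not compile).
            throw ex;
        } catch (Exception ex) {
            throw new OAuthServiceException(INVALID_GRANT, ex);
        }
    }

    /**
     * Maps a validated assertion to the subject the access token will be issued for.
     *
     * <p>When the provider yields a {@link SAMLSecurityContext} the subject also carries the
     * role names and claims from that context; otherwise only the principal name is used.
     *
     * @param message              the current request message
     * @param samlAssertionWrapper the validated assertion
     * @return a {@link SamlUserSubject} or plain {@link UserSubject}
     */
    protected UserSubject getGrantSubject(Message message, SamlAssertionWrapper samlAssertionWrapper) {
        SecurityContext sc = this.scProvider.getSecurityContext(message, samlAssertionWrapper);
        if (!(sc instanceof SAMLSecurityContext)) {
            return new UserSubject(sc.getUserPrincipal().getName());
        }
        SAMLSecurityContext samlSc = (SAMLSecurityContext) sc;
        Set<Principal> rolePrincipals = samlSc.getUserRoles();
        List<String> roles = new ArrayList<>();
        if (rolePrincipals != null) {
            for (Principal role : rolePrincipals) {
                roles.add(role.getName());
            }
        }
        return new SamlUserSubject(samlSc.getUserPrincipal().getName(), roles, samlSc.getClaims());
    }

    /**
     * Base64URL-decodes the assertion parameter.
     *
     * @param encodedAssertion the raw parameter value
     * @return a stream over the decoded bytes
     * @throws OAuthServiceException with code {@code invalid_grant} if the value is not valid Base64URL
     */
    private InputStream decodeAssertion(String encodedAssertion) {
        try {
            return new ByteArrayInputStream(Base64UrlUtility.decode(encodedAssertion));
        } catch (Base64Exception e) {
            throw new OAuthServiceException(INVALID_GRANT, e);
        }
    }

    /**
     * Parses the decoded assertion bytes as UTF-8 XML and returns the document element.
     *
     * <p>NOTE(review): the input is attacker-supplied XML; this relies on CXF's
     * {@link StaxUtils} for a hardened parser configuration (DTD / external entity handling) —
     * confirm that holds for the deployed CXF version.
     *
     * @param inputStream the decoded assertion bytes
     * @return the root element of the parsed document
     * @throws OAuthServiceException with code {@code invalid_grant} on any parse failure
     */
    protected Element readToken(InputStream inputStream) {
        try (InputStreamReader reader = new InputStreamReader(inputStream, StandardCharsets.UTF_8)) {
            return StaxUtils.read(reader).getDocumentElement();
        } catch (Exception e) {
            throw new OAuthServiceException(INVALID_GRANT, e);
        }
    }

    /**
     * Validates the assertion before it is trusted as a grant.
     *
     * <p>A signed assertion has its XML signature verified against the configured
     * signature Crypto (with revocation checking per {@code security.enableRevocation})
     * and its subject confirmation parsed. An unsigned assertion is accepted only when the
     * request carries TLS client certificates. In both cases the WSS4J validator (if set)
     * and the OAuth validator are then applied.
     *
     * @param message              the current request message
     * @param samlAssertionWrapper the assertion under validation
     * @throws OAuthServiceException with code {@code invalid_grant} on any failure
     */
    protected void validateToken(Message message, SamlAssertionWrapper samlAssertionWrapper) {
        try {
            RequestData requestData = new RequestData();
            if (samlAssertionWrapper.isSigned()) {
                requestData.setWssConfig(WSSConfig.getNewInstance());
                requestData.setCallbackHandler(RSSecurityUtils.getCallbackHandler(message, getClass()));
                try {
                    requestData.setSigVerCrypto(
                        new CryptoLoader().getCrypto(message, SIGNATURE_CRYPTO, SIGNATURE_PROPERTIES));
                } catch (IOException e) {
                    throw new OAuthServiceException(INVALID_GRANT, e);
                }
                requestData.setEnableRevocation(isRevocationEnabled(message));

                Signature signature = samlAssertionWrapper.getSignature();
                if (signature == null || signature.getKeyInfo() == null) {
                    // A signature without KeyInfo cannot be verified against any trusted key;
                    // reject it explicitly instead of relying on a NullPointerException below.
                    throw new OAuthServiceException(INVALID_GRANT);
                }
                WSDocInfo docInfo = new WSDocInfo(signature.getDOM().getOwnerDocument());
                samlAssertionWrapper.verifySignature(
                    SAMLUtil.getCredentialFromKeyInfo(signature.getKeyInfo().getDOM(),
                                                      new WSSSAMLKeyInfoProcessor(requestData, docInfo),
                                                      requestData.getSigVerCrypto()));
                samlAssertionWrapper.parseSubject(new WSSSAMLKeyInfoProcessor(requestData, (WSDocInfo) null),
                                                  requestData.getSigVerCrypto(),
                                                  requestData.getCallbackHandler());
            } else if (getTLSCertificates(message) == null) {
                // No signature and no TLS client certificate: nothing authenticates the assertion.
                throw new OAuthServiceException(INVALID_GRANT);
            }

            if (this.samlValidator != null) {
                Credential credential = new Credential();
                credential.setSamlAssertion(samlAssertionWrapper);
                this.samlValidator.validate(credential, requestData);
            }
            this.samlOAuthValidator.validate(message, samlAssertionWrapper);
        } catch (OAuthServiceException e) {
            throw e;
        } catch (Exception e) {
            throw new OAuthServiceException(INVALID_GRANT, e);
        }
    }

    /**
     * Reads the {@code security.enableRevocation} message property.
     *
     * @param message the current request message
     * @return {@code true} only when the property is present and parses as {@code true};
     *         revocation checking is therefore off unless explicitly enabled
     */
    private static boolean isRevocationEnabled(Message message) {
        String value = (String) SecurityUtils.getSecurityPropertyValue(ENABLE_REVOCATION, message);
        return value != null && Boolean.parseBoolean(value);
    }

    /**
     * Returns the TLS peer certificates attached to the message, if any.
     *
     * @param message the current request message
     * @return the peer certificate chain, or {@code null} when no {@link TLSSessionInfo} is present
     */
    private Certificate[] getTLSCertificates(Message message) {
        TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
        return tlsInfo == null ? null : tlsInfo.getPeerCertificates();
    }

    /**
     * Stores the assertion-derived {@link SecurityContext} on the message.
     * Not invoked by {@link #createAccessToken}; does nothing when no provider is configured.
     *
     * @param message              the current request message
     * @param samlAssertionWrapper the validated assertion
     */
    protected void setSecurityContext(Message message, SamlAssertionWrapper samlAssertionWrapper) {
        if (this.scProvider != null) {
            message.put(SecurityContext.class, this.scProvider.getSecurityContext(message, samlAssertionWrapper));
        }
    }
}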
