package com.sun.xml.wss.filter;

import com.sun.org.apache.xml.security.utils.resolver.ResourceResolver;
import com.sun.xml.wss.MessageConstants;
import com.sun.xml.wss.MessageFilter;
import com.sun.xml.wss.SamlAssertionHeaderBlock;
import com.sun.xml.wss.SecurableSoapMessage;
import com.sun.xml.wss.SecurityHeader;
import com.sun.xml.wss.SignatureHeaderBlock;
import com.sun.xml.wss.XMLUtil;
import com.sun.xml.wss.XWSSecurityException;
import com.sun.xml.wss.helpers.KeyResolver;
import com.sun.xml.wss.helpers.ResolverId;
import com.sun.xml.wss.saml.assertion.NameIdentifier;
import com.sun.xml.wss.saml.assertion.SubjectStatement;
import java.security.PublicKey;
import java.util.Iterator;
import java.util.logging.Level;
import org.w3c.dom.Element;

/* loaded from: input_file:119166-09/SUNWascmn/reloc/appserver/lib/appserv-rt.jar:com/sun/xml/wss/filter/ImportSamlAssertionFilter.class */
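/**
 * Inbound filter that pulls the SAML assertion out of the message's security header,
 * registers it as a token on the message and then validates it.
 *
 * <p>Validation performed here, in order: enveloped signature (only when the assertion
 * reports itself as signed), notBefore/notOnOrAfter conditions, SAML version (1.0 or 1.1
 * only), issuer and subject NameIdentifier, the last two delegated to the message's
 * SecurityEnvironment. Any failure surfaces as a SOAP fault built by
 * {@link SecurableSoapMessage#newSOAPFaultException}; the filter never accepts a partially
 * validated assertion silently.
 *
 * <p>NOTE(review): an assertion whose {@code isSigned()} is false skips signature
 * verification entirely, so its trust then rests solely on the issuer/subject checks —
 * confirm the deployed SecurityEnvironment policy is acceptable for unsigned assertions.
 */
public class ImportSamlAssertionFilter extends FilterBase implements MessageFilter {
    // Retained from the original class-literal idiom so anything else in the package that
    // touches this field or class$() keeps compiling; process() itself now uses the
    // SamlAssertionHeaderBlock.class literal directly.
    static Class class$com$sun$xml$wss$SamlAssertionHeaderBlock;

    /**
     * Imports and validates the current SAML assertion header block of the message.
     *
     * @param securableSoapMessage the inbound message whose security header is inspected
     * @throws XWSSecurityException declared for interface compatibility; in practice every
     *         failure is converted to a SOAP fault (WSSE_INVALID_SECURITY for import or
     *         verification errors, WSSE_INVALID_SECURITY_TOKEN when the current header
     *         block is not a SAML assertion, WSSE_FAILED_AUTHENTICATION when a validation
     *         check rejects the assertion)
     */
    @Override // com.sun.xml.wss.MessageFilter
    public void process(SecurableSoapMessage securableSoapMessage) throws XWSSecurityException {
        SecurityHeader securityHeader = securableSoapMessage.findSecurityHeader();
        try {
            if (securityHeader == null) {
                // Fail closed with the same "import failed" fault instead of a bare NPE.
                throw new XWSSecurityException("No Security header present; cannot import SAML Assertion");
            }
            SamlAssertionHeaderBlock assertion =
                    (SamlAssertionHeaderBlock) securityHeader.getCurrentHeaderBlock(SamlAssertionHeaderBlock.class);
            if (assertion == null) {
                throw new XWSSecurityException("No SAML Assertion header block found in Security header");
            }
            // The assertion is registered under its AssertionID before it is validated.
            // NOTE(review): presumably needed so ID-based references can be resolved during
            // signature verification below — confirm before moving this after validation.
            securableSoapMessage.setToken(assertion.getAssertionID(), assertion);
            try {
                // Unsigned assertions bypass this check entirely (see class Javadoc).
                if (assertion.isSigned() && !signatureIsValid(assertion.getSignature(), securableSoapMessage)) {
                    log.log(Level.SEVERE, "WSS0416.saml.signature.invalid");
                    throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_FAILED_AUTHENTICATION, "SAML Assertion has invalid Signature", new Exception("SAML Assertion has invalid Signature"));
                }
                if (!assertion.isTimeValid()) {
                    log.log(Level.SEVERE, "WSS0417.saml.timestamp.invalid");
                    throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_FAILED_AUTHENTICATION, "SAML Condition (notBefore, notOnOrAfter) Validation failed", new Exception("SAML Condition (notBefore, notOnOrAfter) Validation failed"));
                }
                validateSamlVersion(assertion);
                validateIssuer(securableSoapMessage, assertion);
                validateSamlUser(securableSoapMessage, assertion);
            } catch (XWSSecurityException e) {
                // Only signatureIsValid() throws XWSSecurityException inside this block; the
                // validate*() helpers throw SOAP faults, which pass through untouched.
                log.log(Level.SEVERE, "WSS0419.saml.signature.verify.failed", (Throwable) e);
                throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_INVALID_SECURITY, "Exception during Signature verfication in SAML Assertion", e);
            }
        } catch (XWSSecurityException e2) {
            log.log(Level.SEVERE, "WSS0418.saml.import.exception");
            throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_INVALID_SECURITY, "Exception while importing SAML Token", e2);
        } catch (ClassCastException e3) {
            // getCurrentHeaderBlock() handed back something that is not a SAML assertion.
            log.log(Level.SEVERE, "WSS0406.saml.invalid.element");
            throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_INVALID_SECURITY_TOKEN, "Token of invalid class type encountered", e3);
        }
    }

    /**
     * Rejects any assertion that is not SAML 1.0 or 1.1.
     *
     * @param assertion the assertion whose MajorVersion/MinorVersion are checked
     * @throws the WSSE_INVALID_SECURITY_TOKEN SOAP fault when the major version is not 1
     *         or the minor version is neither 0 nor 1
     */
    private void validateSamlVersion(SamlAssertionHeaderBlock assertion) {
        int majorVersion = assertion.getMajorVersion();
        if (majorVersion != 1) {
            log.log(Level.SEVERE, "WSS0404.saml.invalid.version");
            throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_INVALID_SECURITY_TOKEN, "Major version is not 1 for SAML Assertion:" + assertion.getAssertionID(), new Exception("Major version is not 1 for SAML Assertion"));
        }
        int minorVersion = assertion.getMinorVersion();
        if (minorVersion != 0 && minorVersion != 1) {
            log.log(Level.SEVERE, "WSS0404.saml.invalid.version");
            throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_INVALID_SECURITY_TOKEN, "Minor version is not 0/1 for SAML Assertion:" + assertion.getAssertionID(), new Exception("Minor version is not 0/1 for SAML Assertion"));
        }
    }

    /**
     * Asks the message's SecurityEnvironment whether the assertion's Issuer is trusted.
     *
     * @param securableSoapMessage supplies the SecurityEnvironment
     * @param assertion the assertion whose Issuer is checked
     * @throws the WSSE_FAILED_AUTHENTICATION SOAP fault when the environment rejects the issuer
     */
    private void validateIssuer(SecurableSoapMessage securableSoapMessage, SamlAssertionHeaderBlock assertion) {
        String issuer = assertion.getIssuer();
        boolean trusted = securableSoapMessage.getSecurityEnvironment().validateSamlIssuer(issuer);
        if (!trusted) {
            log.log(Level.SEVERE, "WSS0422.saml.issuer.validation.failed");
            throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_FAILED_AUTHENTICATION, "Issuer validation failed for SAML Assertion:" + assertion.getAssertionID(), new Exception("Issuer validation failed for SAML Assertion"));
        }
        log.log(Level.INFO, "SAML issuer validation successful for issuer=" + issuer);
    }

    /**
     * Validates the subject NameIdentifier of the first SubjectStatement in the assertion
     * against the message's SecurityEnvironment.
     *
     * <p>Only the first SubjectStatement is consulted; any later ones are ignored. An
     * assertion with no SubjectStatement, no Subject or no NameIdentifier fails validation
     * (fail closed) rather than being accepted or crashing with an NPE.
     *
     * @param securableSoapMessage supplies the SecurityEnvironment
     * @param assertion the assertion whose statements are scanned
     * @throws the WSSE_FAILED_AUTHENTICATION SOAP fault when no NameIdentifier is found or
     *         the environment rejects it
     */
    private void validateSamlUser(SecurableSoapMessage securableSoapMessage, SamlAssertionHeaderBlock assertion) {
        String userName = null;
        boolean validated = false;
        if (assertion.getStatement() != null) {
            for (Iterator it = assertion.getStatement().iterator(); it.hasNext();) {
                Object statement = it.next();
                if (!(statement instanceof SubjectStatement)) {
                    continue;
                }
                SubjectStatement subjectStatement = (SubjectStatement) statement;
                // The Subject type is not imported here, so it is not held in a local.
                NameIdentifier nameIdentifier = subjectStatement.getSubject() == null
                        ? null
                        : subjectStatement.getSubject().getNameIdentifier();
                if (nameIdentifier != null) {
                    userName = nameIdentifier.getName();
                    validated = securableSoapMessage.getSecurityEnvironment().validateSamlUser(
                            userName, nameIdentifier.getNameQualifier(), nameIdentifier.getFormat());
                }
                break;
            }
        }
        if (!validated) {
            log.log(Level.SEVERE, "WSS0423.saml.subject.nameid.validation.failed");
            throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_FAILED_AUTHENTICATION, "NameIdentifier validation failed for SAML Assertion:" + assertion.getAssertionID(), new Exception("NameIdentifier validation failed for SAML Assertion"));
        }
        log.log(Level.INFO, "SAML NameIdentifier validation successful user=" + userName);
    }

    /**
     * Verifies the assertion's enveloped signature with the public key resolved from the
     * signature's own KeyInfo.
     *
     * <p>NOTE(review): whether that key is constrained to a trusted set is decided inside
     * {@link KeyResolver}, not here — confirm it does not simply accept an embedded key.
     *
     * @param signatureElement the ds:Signature element of the assertion
     * @param securableSoapMessage the enclosing message, used for element conversion and key resolution
     * @return the result of {@code checkSignatureValue}; success is logged only when it is true
     * @throws XWSSecurityException when no public key can be located for verification
     * @throws the WSSE_FAILED_CHECK SOAP fault when signature verification itself throws
     */
    private boolean signatureIsValid(Element signatureElement, SecurableSoapMessage securableSoapMessage) throws XWSSecurityException {
        if (!SecurableSoapMessage.isWsuIdResolverAdded()) {
            // Registers the wsu:Id resolver once per process. NOTE(review): check-then-set
            // is not atomic; concurrent first calls may register twice — confirm
            // registerAtStart tolerates that.
            ResourceResolver.registerAtStart(ResolverId.getResolverName());
            SecurableSoapMessage.setWsuIdResolverAdded(true);
        }
        SignatureHeaderBlock signature = new SignatureHeaderBlock(
                XMLUtil.convertToSoapElement(securableSoapMessage.getSOAPPart(), signatureElement));
        PublicKey publicKey = (PublicKey) KeyResolver.getKey(signature.getKeyInfoHeaderBlock(), true, securableSoapMessage);
        if (publicKey == null) {
            log.log(Level.SEVERE, "WSS0336.cannot.locate.publickey.for.signature.verification");
            throw new XWSSecurityException("Couldn't locate the public key for signature verification");
        }
        boolean valid;
        try {
            valid = signature.checkSignatureValue(publicKey);
        } catch (XWSSecurityException e) {
            // The exception may have been raised without a cause; fall back to the
            // exception itself so logging and the fault never dereference null.
            Throwable cause = e.getCause() != null ? e.getCause() : e;
            log.log(Level.SEVERE, "WSS0133.exception.while.verifying.signature", new Object[]{cause.getMessage()});
            throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_FAILED_CHECK, "Signature Verification Failed", cause);
        }
        // Log success only when the signature actually verified; the caller logs the
        // failure case, so an audit trail never reports "verified" for a bad signature.
        if (valid) {
            log.log(Level.INFO, "SAML Assertion Enveloped Signature Verified Successfully");
        }
        return valid;
    }

    /**
     * Reflective class lookup kept from the decompiled class-literal idiom.
     *
     * @param str fully qualified class name
     * @return the loaded class
     * @throws NoClassDefFoundError wrapping the ClassNotFoundException when the class is absent
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            throw new NoClassDefFoundError().initCause(e);
        }
    }
}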
