package com.sun.identity.authentication.modules.saml2;

import com.iplanet.am.util.Debug;
import com.iplanet.am.util.Misc;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.authentication.server.AuthContextLocal;
import com.sun.identity.authentication.service.AuthUtils;
import com.sun.identity.authentication.spi.AMLoginModule;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.authentication.spi.SAML2Callback;
import com.sun.identity.saml2.assertion.Assertion;
import com.sun.identity.saml2.assertion.AttributeStatement;
import com.sun.identity.saml2.assertion.EncryptedAttribute;
import com.sun.identity.saml2.assertion.EncryptedID;
import com.sun.identity.saml2.assertion.NameID;
import com.sun.identity.saml2.assertion.Subject;
import com.sun.identity.saml2.common.NameIDInfo;
import com.sun.identity.saml2.common.SAML2Constants;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.common.SAML2Utils;
import com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement;
import com.sun.identity.saml2.key.KeyUtil;
import com.sun.identity.saml2.meta.SAML2MetaException;
import com.sun.identity.saml2.meta.SAML2MetaManager;
import com.sun.identity.saml2.meta.SAML2MetaUtils;
import com.sun.identity.saml2.plugins.SPAccountMapper;
import com.sun.identity.saml2.plugins.SPAttributeMapper;
import com.sun.identity.saml2.profile.SPCache;
import com.sun.identity.saml2.protocol.Response;
import com.sun.identity.security.AdminTokenAction;
import java.io.IOException;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.ResourceBundle;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import netscape.ldap.util.DN;

/* loaded from: input_file:122983-01/SUNWsaml2/reloc/SUNWam/saml2/lib/saml2.jar:com/sun/identity/authentication/modules/saml2/SAML2.class */
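/**
 * Login module that authenticates a user from a SAML2 {@code Response}.
 *
 * <p>The response and the local SP entity id arrive through the two callbacks
 * issued in {@link #sendCallbacks()}. {@link #processResponse} hands the
 * response to {@code SAML2Utils.verifyResponse} and keeps the subject, NameID,
 * assertions and session values it returns. {@link #process} then loads the
 * SP configuration, enforces the SP's "want ... encrypted" settings, resolves
 * a local user name (from a previous auth context or through the configured
 * {@link SPAccountMapper}) and collects attributes through the configured
 * {@link SPAttributeMapper}. {@link #getPrincipal()} exposes the outcome.
 */
public class SAML2 extends AMLoginModule {
    // Local user name resolved by process(); backs the principal's name.
    private String userTokenId;
    // Module options and shared state handed to init(); stored, not read here.
    private Map options;
    private Map sharedState;
    // Handler the framework gave us; null means the module cannot run.
    private CallbackHandler callbackHandler;
    // Organization of the current request (getRequestOrg()).
    private String realm;
    private static final String amAuthSAML2 = "amAuthSAML2";
    private static final Debug debug = Debug.getInstance(amAuthSAML2);
    // Module option holding the auth level to report for this module.
    private static final String AUTH_LEVEL = "sunAMAuthSAML2AuthLevel";
    private Principal userPrincipal = null;
    private ResourceBundle bundle = null;
    // Local SP entity id, taken from the NameCallback in sendCallbacks().
    private String entityId = null;
    // Issuer of the (last) assertion processed; the remote IDP entity id.
    private String remoteHostId = null;
    // NameID from the verified subject, decrypted from encId when one is present.
    private NameID nameId = null;
    private EncryptedID encId = null;
    private Subject assertionSubject = null;
    // Attributes as returned by the SP attribute mapper.
    private Map attrMap = null;
    private boolean isPOSTBinding = false;
    private Assertion authnAssertion = null;
    // Assertions returned by verifyResponse (raw List of Assertion).
    private List assertions = null;
    private SPAccountMapper acctMapper = null;
    private SPAttributeMapper attrMapper = null;
    // True when a persistent NameID has no federation record yet.
    private boolean writeFedInfo = false;
    private String sessionIndex = null;
    private Long maxSessionTime = null;
    // InResponseTo of the processed response; its SPCache entry is removed on success.
    private String inRespToResp = null;
    private SPSSOConfigElement spssoconfig = null;

    public SAML2() {
        debug.message("SAML2()");
    }

    /**
     * Initialises the module for a login attempt: resolves the resource
     * bundle for the login locale, stores the callback handler and the maps,
     * and applies the auth level configured under {@code sunAMAuthSAML2AuthLevel}.
     *
     * @param subject the JAAS subject; not used by this module
     * @param map     shared state from the module chain; stored only
     * @param map2    module options; may be null, in which case no auth level is set
     */
    public void init(javax.security.auth.Subject subject, Map map, Map map2) {
        debug.message("in initialize...");
        Locale loginLocale = getLoginLocale();
        this.bundle = amCache.getResBundle(amAuthSAML2, loginLocale);
        if (debug.messageEnabled()) {
            debug.message("amAuthSAML Authentication resource bundle locale=" + loginLocale);
        }
        this.callbackHandler = getCallbackHandler();
        this.options = map2;
        this.sharedState = map;
        if (map2 == null) {
            return;
        }
        try {
            String configuredLevel = Misc.getMapAttr(map2, AUTH_LEVEL);
            if (configuredLevel != null) {
                try {
                    setAuthLevel(Integer.parseInt(configuredLevel));
                } catch (Exception e) {
                    // A malformed level is logged and ignored; the module still initialises.
                    debug.error("Unable to set auth level " + configuredLevel, e);
                }
            }
        } catch (Exception e2) {
            debug.error("SAML Init Exception", e2);
        }
    }

    /**
     * Runs the module's single step: obtains and verifies the response,
     * resolves the local user, collects attributes and records the outcome
     * for {@link #getPrincipal()}.
     *
     * <p>Order of operations: sendCallbacks() supplies the Response, entity id
     * and binding; processResponse() verifies it and fills the subject and
     * assertion fields; getTokenPrincipal() supplies a user from a previous
     * auth context, if any; getSPMapper() loads the SP configuration, the
     * mappers and the encryption policy; the NameID is decrypted, the user is
     * mapped and attributes are collected; finally the user name is stored and
     * the pending request-id entry is removed from the SP cache.
     *
     * @param callbackArr callbacks supplied by the framework; not consulted,
     *                    the module issues its own through sendCallbacks()
     * @param i           current state; not consulted
     * @return -1, the value returned after "Module is successful"
     * @throws AuthLoginException when the response cannot be verified, the SP
     *         mappers are unavailable, the SP's encryption policy is violated,
     *         or no local user can be determined
     */
    public int process(Callback[] callbackArr, int i) throws AuthLoginException {
        String userName = null;
        try {
            Response samlResponse = sendCallbacks();
            if (debug.messageEnabled()) {
                debug.message("Response : " + samlResponse);
            }
            this.realm = getRequestOrg();
            this.assertions = processResponse(samlResponse, this.realm, this.entityId, this.isPOSTBinding);
            if (debug.messageEnabled()) {
                debug.message("Assertions : " + this.assertions);
            }
            // A user from a previous auth context takes precedence; when there
            // is none the account mapper resolves one from the assertion below.
            userName = getTokenPrincipal();

            // Encryption policy read from the SP configuration. The defaults
            // only survive when getSPMapper() fails, and the mapper checks that
            // follow then stop the login before anything is decrypted or mapped.
            boolean needAttributeEncrypted = false;
            boolean needNameIDEncrypted = false;
            PrivateKey decryptionKey = null;
            try {
                getSPMapper(this.realm, this.entityId, userName);
                String wantAssertionEncrypted = SAML2Utils.getAttributeValueFromSPSSOConfig(
                        this.spssoconfig, SAML2Constants.WANT_ASSERTION_ENCRYPTED);
                // Element-level requirements are only consulted when the whole
                // assertion is not required to be encrypted.
                if (!isTrue(wantAssertionEncrypted)) {
                    needAttributeEncrypted = isTrue(SAML2Utils.getAttributeValueFromSPSSOConfig(
                            this.spssoconfig, SAML2Constants.WANT_ATTRIBUTE_ENCRYPTED));
                    needNameIDEncrypted = isTrue(SAML2Utils.getAttributeValueFromSPSSOConfig(
                            this.spssoconfig, SAML2Constants.WANT_NAMEID_ENCRYPTED));
                }
                decryptionKey = KeyUtil.getDecryptionKey(this.spssoconfig);
            } catch (AuthLoginException e) {
                // getSPMapper() reports a missing mapper this way; it must not
                // be swallowed by the catch-all below.
                throw e;
            } catch (SAML2MetaException e) {
                debug.error("get account/attribute mapper : " + e.toString());
            } catch (SAML2Exception e2) {
                debug.error("getUserMap : " + e2.toString());
            } catch (ClassNotFoundException e3) {
                debug.error("Class not Found : " + e3.toString());
            } catch (Exception e4) {
                debug.error("Misc in mapping : ", e4);
            }
            // Fail closed: the steps below dereference the mappers, so a login
            // must not continue when loading them failed (without this check
            // the failure surfaced as a NullPointerException, or, with no
            // attributes to map, was not noticed at all).
            if (userName == null && this.acctMapper == null) {
                throw new AuthLoginException(amAuthSAML2, "failedAcctMapper", (Object[]) null);
            }
            if (this.attrMapper == null) {
                throw new AuthLoginException(amAuthSAML2, "failedAttrUser", (Object[]) null);
            }

            if (needNameIDEncrypted && this.encId == null) {
                debug.error("process: NameID was not encrypted.");
                throw new SAML2Exception(SAML2Utils.bundle.getString("nameIDNotEncrypted"));
            }
            if (this.encId != null) {
                this.nameId = this.encId.decrypt(decryptionKey);
            }
            if (userName == null) {
                userName = this.acctMapper.getIdentity(this.authnAssertion, this.entityId, this.realm);
            }
            if (debug.messageEnabled()) {
                debug.message("process: userName =[" + userName + "]");
            }

            List collectedAttributes = null;
            if (this.assertions != null) {
                for (Iterator it = this.assertions.iterator(); it.hasNext();) {
                    Assertion assertion = (Assertion) it.next();
                    // Overwritten per assertion, so it ends as the last assertion's issuer.
                    this.remoteHostId = assertion.getIssuer().getValue();
                    List samlAttributes = getSAMLAttributes(assertion, needAttributeEncrypted, decryptionKey);
                    if (samlAttributes != null && !samlAttributes.isEmpty()) {
                        if (collectedAttributes == null) {
                            collectedAttributes = new ArrayList();
                        }
                        collectedAttributes.addAll(samlAttributes);
                    }
                }
            }
            if (collectedAttributes != null) {
                this.attrMap = this.attrMapper.getAttributes(
                        collectedAttributes, userName, this.entityId, this.remoteHostId, this.realm);
            }
            if (debug.messageEnabled()) {
                debug.message("process: remoteHostId = " + this.remoteHostId);
                debug.message("process: attrMap = " + this.attrMap);
            }
            if (userName == null || userName.length() == 0) {
                throw new AuthLoginException("NoUserMapping");
            }

            boolean fedInfoExists = SAML2Utils.isFedInfoExists(userName, this.entityId, this.remoteHostId, this.nameId);
            // Outside Federation Manager a DN-shaped user name is reduced to its first RDN value.
            if (!SAML2Utils.isFM() && DN.isDN(userName)) {
                userName = new DN(userName).explodeDN(true)[0];
            }
            boolean persistentNameID = SAML2Utils.isPersistentNameID(this.nameId);
            // A persistent NameID without a stored federation record is flagged for writing.
            if (!fedInfoExists && persistentNameID) {
                this.writeFedInfo = true;
            }
            if (debug.messageEnabled()) {
                debug.message("userName : " + userName);
                debug.message("isPersistent : " + persistentNameID);
                debug.message("isFedInfoExists : " + fedInfoExists);
                debug.message("writeFedInfo : " + this.writeFedInfo);
            }
            debug.message("Module is successful");
            storeUsernamePasswd(userName, null);
            this.userTokenId = userName;
            if (this.inRespToResp != null && this.inRespToResp.length() > 0) {
                SPCache.requestHash.remove(this.inRespToResp);
            }
            return -1;
        } catch (AuthLoginException e5) {
            debug.error("Response validation failed: " + e5.toString());
            throw e5;
        } catch (SAML2Exception e6) {
            // The NameID encryption check (and NameID decryption, if it fails)
            // raise SAML2Exception; report it the same way processResponse() does.
            debug.error("process: " + e6.toString());
            throw new AuthLoginException(amAuthSAML2, "invalidResponse", (Object[]) null, e6);
        }
    }

    /**
     * Null-safe test of an SP configuration attribute against {@code SAML2Constants.TRUE}.
     */
    private static boolean isTrue(String value) {
        return value != null && value.equals(SAML2Constants.TRUE);
    }

    /**
     * Returns the user DN of a previous auth context, or null when there is
     * none or it cannot be read (failures are logged at message level only).
     */
    private String getTokenPrincipal() {
        String userDN = null;
        try {
            AuthContextLocal previous = getLoginState("getPrevAuthContext()").getPrevAuthContext();
            if (previous != null) {
                debug.message("SSOToken exist");
                userDN = AuthUtils.getLoginState(previous).getUserDN();
            }
        } catch (Exception e) {
            // Best effort: no readable previous context means no pre-authenticated user.
            debug.message("getTokenPrincipal Error : " + e.toString());
        }
        return userDN;
    }

    /**
     * Collects the attributes of one assertion's attribute statements,
     * decrypting encrypted ones with {@code decryptionKey}.
     *
     * @param assertion              the assertion to read; null yields null
     * @param needAttributeEncrypted the SP's "want attribute encrypted" setting
     * @param decryptionKey          key used for {@code EncryptedAttribute.decrypt}
     * @return the attributes found, or null when there are none, when a
     *         plaintext attribute is present although encryption is required,
     *         or when a decryption fails
     */
    private List getSAMLAttributes(Assertion assertion, boolean needAttributeEncrypted, PrivateKey decryptionKey) {
        if (assertion == null) {
            return null;
        }
        List<AttributeStatement> statements = assertion.getAttributeStatements();
        if (statements == null || statements.isEmpty()) {
            return null;
        }
        List result = null;
        for (AttributeStatement statement : statements) {
            List plainAttributes = statement.getAttribute();
            // Policy check: with encryption required, any plaintext attribute is
            // a violation. (The check previously fired on an EMPTY list, i.e.
            // when no plaintext attribute was present, and let populated lists
            // through.)
            if (needAttributeEncrypted && plainAttributes != null && !plainAttributes.isEmpty()) {
                debug.error("Attribute not encrypted.");
                return null;
            }
            if (plainAttributes != null) {
                if (result == null) {
                    result = new ArrayList();
                }
                result.addAll(plainAttributes);
            }
            List encryptedAttributes = statement.getEncryptedAttribute();
            if (encryptedAttributes == null) {
                continue;
            }
            for (Iterator it = encryptedAttributes.iterator(); it.hasNext();) {
                if (result == null) {
                    result = new ArrayList();
                }
                try {
                    result.add(((EncryptedAttribute) it.next()).decrypt(decryptionKey));
                } catch (SAML2Exception e) {
                    debug.error("Decryption error:", e);
                    return null;
                }
            }
        }
        return result;
    }

    /**
     * Loads the SP SSO configuration for {@code realm}/{@code spEntityId}
     * using the admin token and instantiates the mappers named in it.
     * The account mapper is only required when {@code userName} is null,
     * i.e. no user was supplied by a previous auth context.
     *
     * @throws AuthLoginException when a required mapper is not configured
     */
    private void getSPMapper(String realm, String spEntityId, String userName)
            throws SAML2MetaException, SSOException, ClassNotFoundException, AuthLoginException, Exception {
        SSOToken adminToken = (SSOToken) AccessController.doPrivileged((PrivilegedAction) AdminTokenAction.getInstance());
        this.spssoconfig = new SAML2MetaManager(adminToken).getSPSSOConfig(realm, spEntityId);
        Map attributes = SAML2MetaUtils.getAttributes(this.spssoconfig);
        if (userName == null) {
            this.acctMapper = (SPAccountMapper) instantiateFirst(attributes, SAML2Constants.SP_ACCOUNT_MAPPER);
            if (this.acctMapper == null) {
                throw new AuthLoginException(amAuthSAML2, "failedAcctMapper", (Object[]) null);
            }
        }
        this.attrMapper = (SPAttributeMapper) instantiateFirst(attributes, SAML2Constants.SP_ATTRIBUTE_MAPPER);
        if (this.attrMapper == null) {
            throw new AuthLoginException(amAuthSAML2, "failedAttrUser", (Object[]) null);
        }
    }

    /**
     * Instantiates the class named by the first value under {@code key} in
     * the SP configuration attributes; null when the key is absent or empty.
     */
    private static Object instantiateFirst(Map attributes, String key)
            throws ClassNotFoundException, InstantiationException, IllegalAccessException {
        List values = (List) attributes.get(key);
        if (values == null || values.isEmpty()) {
            return null;
        }
        return Class.forName((String) values.get(0)).newInstance();
    }

    /**
     * Builds (once) and returns the principal for the resolved user, carrying
     * the assertions, attribute map, federation flag, NameID info, session
     * index and max session time collected by process().
     *
     * @return the cached principal, or null when process() has not stored a user
     */
    public Principal getPrincipal() {
        if (this.userPrincipal != null) {
            return this.userPrincipal;
        }
        if (this.userTokenId == null) {
            return null;
        }
        SAML2Principal principal = new SAML2Principal(this.userTokenId);
        principal.setAssertions(SAML2Utils.getStrAssertions(this.assertions));
        principal.setAttrMap(this.attrMap);
        if (this.writeFedInfo) {
            principal.setWriteFedInfo();
        }
        try {
            principal.setNameIDInfo(new NameIDInfo(
                    this.entityId, this.remoteHostId, this.nameId, SAML2Constants.SP_ROLE, true));
        } catch (SAML2Exception e) {
            // Best effort: the principal is still returned without NameID info.
            debug.error("Failed to set NameIDInfo to principal", e);
        }
        principal.setSessionIndex(this.sessionIndex);
        if (this.maxSessionTime != null) {
            principal.setMaxSessionTime(this.maxSessionTime.longValue());
        }
        this.userPrincipal = principal;
        return principal;
    }

    /** Clears the user name and cached principal. */
    public void destroyModuleState() {
        debug.message("clean up module state");
        this.userTokenId = null;
        this.userPrincipal = null;
    }

    /** Drops the mapper instances loaded by getSPMapper(). */
    public void nullifyUsedVars() {
        debug.message("nullify Used Variables");
        this.acctMapper = null;
        this.attrMapper = null;
    }

    /**
     * Issues the module's two callbacks and reads them back: index 0 is a
     * {@link SAML2Callback} carrying the Response and binding, index 1 a
     * {@link NameCallback} carrying the SP entity id. Stores the entity id
     * and binding in this instance.
     *
     * @return the SAML2 Response from the callback
     * @throws AuthLoginException when there is no callback handler, the
     *         entity id is missing, or the handler fails
     */
    private Response sendCallbacks() throws AuthLoginException {
        if (this.callbackHandler == null) {
            throw new AuthLoginException(amAuthSAML2, "NoCallbackHandler", (Object[]) null);
        }
        try {
            NameCallback[] callbacks = {
                new SAML2Callback(this.bundle.getString("response")),
                new NameCallback(this.bundle.getString("entityId"))
            };
            if (debug.messageEnabled()) {
                debug.message("Callback 0 is.. :" + callbacks[0]);
                debug.message("Callback 1 is.. :" + callbacks[1]);
            }
            this.callbackHandler.handle(callbacks);
            this.entityId = callbacks[1].getName();
            if (this.entityId == null) {
                debug.message("no entityId specified");
                throw new AuthLoginException(amAuthSAML2, "IllegalArgs", (Object[]) null);
            }
            SAML2Callback saml2Callback = (SAML2Callback) callbacks[0];
            this.isPOSTBinding = saml2Callback.getIsPOSTBinding();
            return saml2Callback.getSamlResponse();
        } catch (IOException e) {
            throw new AuthLoginException(e);
        } catch (IllegalArgumentException e2) {
            debug.message("message type missing");
            throw new AuthLoginException(amAuthSAML2, "IllegalArgs", (Object[]) null);
        } catch (UnsupportedCallbackException e3) {
            throw new AuthLoginException(amAuthSAML2, "UnsupportedCallback", (Object[]) null);
        }
    }

    /**
     * Verifies the response through {@code SAML2Utils.verifyResponse} and
     * records what it returns: subject (NameID / EncryptedID), the
     * authenticating assertion, session index, auth level, max session time
     * and InResponseTo.
     *
     * @param response     the SAML2 Response to verify
     * @param realm        the request organization
     * @param spEntityId   the local SP entity id
     * @param postBinding  whether the response came over the POST binding
     * @return the assertions from the verification result (raw List)
     * @throws AuthLoginException with key "invalidResponse" when verification
     *         fails or the result carries no subject
     */
    private List processResponse(Response response, String realm, String spEntityId, boolean postBinding)
            throws AuthLoginException {
        try {
            Map verified = SAML2Utils.verifyResponse(response, realm, spEntityId, postBinding);
            if (debug.messageEnabled()) {
                debug.message("processResponse: smap = " + verified);
            }
            this.assertionSubject = (Subject) verified.get("Subject");
            if (this.assertionSubject == null) {
                // The fields below are read from the subject; without one the
                // response cannot be used (previously a NullPointerException).
                throw new AuthLoginException(amAuthSAML2, "invalidResponse", (Object[]) null);
            }
            this.nameId = this.assertionSubject.getNameID();
            this.encId = this.assertionSubject.getEncryptedID();
            this.authnAssertion = (Assertion) verified.get(SAML2Constants.POST_ASSERTION);
            this.sessionIndex = (String) verified.get("SessionIndex");
            Integer authLevel = (Integer) verified.get(SAML2Constants.AUTH_LEVEL);
            // Only a non-negative level from the response overrides the configured one.
            if (authLevel != null && authLevel.intValue() >= 0) {
                setAuthLevel(authLevel.intValue());
            }
            this.maxSessionTime = (Long) verified.get(SAML2Constants.MAX_SESSION_TIME);
            this.inRespToResp = (String) verified.get(SAML2Constants.IN_RESPONSE_TO);
            return (List) verified.get(SAML2Constants.ASSERTIONS);
        } catch (SAML2Exception e) {
            throw new AuthLoginException(amAuthSAML2, "invalidResponse", (Object[]) null, e);
        }
    }
}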
