package org.apache.cxf.sts.token.provider;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.sts.cache.CacheUtils;
import org.apache.cxf.sts.claims.ClaimsAttributeStatementProvider;
import org.apache.cxf.sts.claims.CombinedClaimsAttributeStatementProvider;
import org.apache.cxf.sts.request.KeyRequirements;
import org.apache.cxf.sts.request.TokenRequirements;
import org.apache.cxf.sts.token.realm.RealmProperties;
import org.apache.cxf.ws.security.sts.provider.STSException;
import org.apache.wss4j.common.saml.SAMLCallback;
import org.apache.wss4j.common.saml.SAMLUtil;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.saml.bean.AttributeStatementBean;
import org.apache.wss4j.common.saml.bean.AuthDecisionStatementBean;
import org.apache.wss4j.common.saml.bean.AuthenticationStatementBean;
import org.apache.wss4j.common.saml.bean.ConditionsBean;
import org.apache.wss4j.common.saml.bean.SubjectBean;
import org.apereo.cas.ws.idp.WSFederationConstants;
import org.joda.time.DateTime;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:WEB-INF/lib/cxf-services-sts-core-3.5.3.jar:org/apache/cxf/sts/token/provider/SAMLTokenProvider.class */
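/**
 * Token provider that issues SAML 1.1 and SAML 2.0 assertions for an STS request.
 *
 * <p>The provider accepts the WS-Federation and OpenSAML token-type identifiers for both
 * SAML versions (see {@link #canHandleToken(String, String)}). Statements are gathered from the
 * configured attribute / authentication / authentication-decision providers; when none of them
 * yields a statement a default claims-based attribute statement is produced instead.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Assertions are signed by default ({@code signToken == true}); disabling this issues
 *       unsigned assertions, so only do so when a downstream component signs the token.</li>
 *   <li>A {@code PublicKey} KeyType is rejected unless the request carries a certificate or
 *       public key, and any KeyType other than SymmetricKey / PublicKey / Bearer is rejected.</li>
 *   <li>For SymmetricKey requests the generated secret is zeroed before the method returns,
 *       on both the success and the failure path.</li>
 *   <li>When a realm is supplied, only realms present in the configured realm map are accepted.</li>
 * </ul>
 *
 * <p>Not thread-safe for configuration changes: the setters are expected to be called during
 * wiring, before the provider is used.
 */
public class SAMLTokenProvider extends AbstractSAMLTokenProvider implements TokenProvider {
    private static final Logger LOG = LogUtils.getL7dLogger(SAMLTokenProvider.class);

    /** WS-Trust 1.3 KeyType URIs recognised by this provider. */
    private static final String KEYTYPE_SYMMETRIC_KEY =
        "http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey";
    private static final String KEYTYPE_PUBLIC_KEY =
        "http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey";
    private static final String KEYTYPE_BEARER =
        "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer";

    // Statement providers are held by reference; the setters do not copy the supplied lists.
    private List<AttributeStatementProvider> attributeStatementProviders;
    private List<AuthenticationStatementProvider> authenticationStatementProviders;
    private List<AuthDecisionStatementProvider> authDecisionStatementProviders;
    // Optional hook invoked on the assembled assertion before it is signed.
    private SamlCustomHandler samlCustomHandler;
    private SubjectProvider subjectProvider = new DefaultSubjectProvider();
    private ConditionsProvider conditionsProvider = new DefaultConditionsProvider();
    // Sign the assertion with the STS (or realm) signing key; on by default.
    private boolean signToken = true;
    // Realm name -> realm-specific properties (issuer, signing key). Never reassigned, only refilled.
    private final Map<String, RealmProperties> realmMap = new HashMap<>();
    // Whether claims are merged into a single attribute statement (true) or emitted per claim handler.
    private boolean combineClaimAttributes = true;

    /**
     * Returns whether this provider can issue a token of the given type in the default realm.
     *
     * @param tokenType the requested token type URI
     * @return {@code true} for the SAML 1.1 and SAML 2.0 token types
     */
    @Override
    public boolean canHandleToken(String tokenType) {
        return canHandleToken(tokenType, null);
    }

    /**
     * Returns whether this provider can issue a token of the given type for the given realm.
     *
     * @param tokenType the requested token type URI
     * @param realm     the requested realm, or {@code null} for the default realm
     * @return {@code true} when the token type is a SAML 1.1 or SAML 2.0 type and the realm is
     *         either absent or configured in the realm map
     */
    @Override
    public boolean canHandleToken(String tokenType, String realm) {
        if (realm != null && !this.realmMap.containsKey(realm)) {
            // Unknown realms are refused so that no token is issued with an unconfigured issuer/key.
            return false;
        }
        return isSaml2TokenType(tokenType) || isSaml1TokenType(tokenType);
    }

    /**
     * Creates a SAML assertion for the request described by {@code tokenProviderParameters}.
     *
     * <p>Validates the KeyType first, generates (or derives) a symmetric secret when a
     * SymmetricKey is requested, builds and signs the assertion, stores it in the token store
     * when one is configured and the assertion carries a signature, optionally encrypts the DOM
     * element, and populates the response with id, validity window, entropy and key size.
     *
     * @param tokenProviderParameters request, key and STS configuration for the token
     * @return the response holding the (possibly encrypted) assertion element
     * @throws STSException with {@code INVALID_REQUEST} for an unusable KeyType, or with
     *                      {@code REQUEST_FAILED} if assertion creation or serialisation fails
     */
    @Override
    public TokenProviderResponse createToken(TokenProviderParameters tokenProviderParameters) {
        testKeyType(tokenProviderParameters);
        KeyRequirements keyRequirements = tokenProviderParameters.getKeyRequirements();
        TokenRequirements tokenRequirements = tokenProviderParameters.getTokenRequirements();
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine("Handling token of type: " + tokenRequirements.getTokenType());
        }

        byte[] secret = null;
        byte[] entropyBytes = null;
        long keySize = 0;
        boolean computedKey = false;
        if (KEYTYPE_SYMMETRIC_KEY.equals(keyRequirements.getKeyType())) {
            SymmetricKeyHandler keyHandler = new SymmetricKeyHandler(tokenProviderParameters);
            keyHandler.createSymmetricKey();
            secret = keyHandler.getSecret();
            entropyBytes = keyHandler.getEntropyBytes();
            keySize = keyHandler.getKeySize();
            computedKey = keyHandler.isComputedKey();
        }

        try {
            Document doc = DOMUtils.createDocument();
            SamlAssertionWrapper assertion = createSamlToken(tokenProviderParameters, secret, doc);
            Element token = assertion.toDOM(doc);

            // The signature value doubles as the cache key, so unsigned assertions are never cached.
            byte[] signatureValue = assertion.getSignatureValue();
            if (tokenProviderParameters.getTokenStore() != null
                && signatureValue != null && signatureValue.length > 0) {
                CacheUtils.storeTokenInCache(
                    CacheUtils.createSecurityTokenForStorage(
                        token,
                        assertion.getId(),
                        assertion.getNotOnOrAfter(),
                        tokenProviderParameters.getPrincipal(),
                        tokenProviderParameters.getRealm(),
                        tokenProviderParameters.getTokenRequirements().getRenewing()),
                    tokenProviderParameters.getTokenStore(),
                    signatureValue);
            }

            TokenProviderResponse response = new TokenProviderResponse();
            // SAML 2.0 uses the "ID" attribute, SAML 1.1 uses "AssertionID".
            String idAttribute = isSaml2TokenType(tokenRequirements.getTokenType()) ? "ID" : "AssertionID";
            response.setTokenId(token.getAttributeNS(null, idAttribute));

            if (tokenProviderParameters.isEncryptToken()) {
                token = TokenProviderUtils.encryptToken(
                    token,
                    response.getTokenId(),
                    tokenProviderParameters.getStsProperties(),
                    tokenProviderParameters.getEncryptionProperties(),
                    keyRequirements,
                    tokenProviderParameters.getMessageContext());
            }
            response.setToken(token);

            DateTime notBefore;
            DateTime notOnOrAfter;
            if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
                notBefore = assertion.getSaml2().getConditions().getNotBefore();
                notOnOrAfter = assertion.getSaml2().getConditions().getNotOnOrAfter();
            } else {
                notBefore = assertion.getSaml1().getConditions().getNotBefore();
                notOnOrAfter = assertion.getSaml1().getConditions().getNotOnOrAfter();
            }
            response.setCreated(notBefore.toDate().toInstant());
            response.setExpires(notOnOrAfter.toDate().toInstant());

            response.setEntropy(entropyBytes);
            if (keySize > 0) {
                response.setKeySize(keySize);
            }
            response.setComputedKey(computedKey);

            LOG.fine("SAML Token successfully created");
            return response;
        } catch (Exception e) {
            LOG.log(Level.WARNING, "Error creating SAML token", e);
            throw new STSException("Can't serialize SAML assertion", e, STSException.REQUEST_FAILED);
        } finally {
            // Zero the symmetric secret on every exit path, not only after a successful build.
            if (secret != null) {
                Arrays.fill(secret, (byte) 0);
            }
        }
    }

    /**
     * Sets the attribute statement providers. The list is stored by reference.
     *
     * @param providers providers consulted in order; may be {@code null}
     */
    public void setAttributeStatementProviders(List<AttributeStatementProvider> providers) {
        this.attributeStatementProviders = providers;
    }

    /** @return the configured attribute statement providers, or {@code null} if none were set */
    public List<AttributeStatementProvider> getAttributeStatementProviders() {
        return this.attributeStatementProviders;
    }

    /**
     * Sets the authentication statement providers. The list is stored by reference.
     *
     * @param providers providers consulted in order; may be {@code null}
     */
    public void setAuthenticationStatementProviders(List<AuthenticationStatementProvider> providers) {
        this.authenticationStatementProviders = providers;
    }

    /** @return the configured authentication statement providers, or {@code null} if none were set */
    public List<AuthenticationStatementProvider> getAuthenticationStatementProviders() {
        return this.authenticationStatementProviders;
    }

    /**
     * Sets the authentication-decision statement providers. The list is stored by reference.
     *
     * @param providers providers consulted in order; may be {@code null}
     */
    public void setAuthDecisionStatementProviders(List<AuthDecisionStatementProvider> providers) {
        this.authDecisionStatementProviders = providers;
    }

    /** @return the configured authentication-decision statement providers, or {@code null} if none were set */
    public List<AuthDecisionStatementProvider> getAuthDecisionStatementProviders() {
        return this.authDecisionStatementProviders;
    }

    /**
     * Replaces the provider used to build the assertion subject (default: {@link DefaultSubjectProvider}).
     *
     * @param subjectProvider the subject provider to use
     */
    public void setSubjectProvider(SubjectProvider subjectProvider) {
        this.subjectProvider = subjectProvider;
    }

    /** @return the subject provider in use */
    public SubjectProvider getSubjectProvider() {
        return this.subjectProvider;
    }

    /**
     * Replaces the provider used to build the assertion conditions (default: {@link DefaultConditionsProvider}).
     *
     * @param conditionsProvider the conditions provider to use
     */
    public void setConditionsProvider(ConditionsProvider conditionsProvider) {
        this.conditionsProvider = conditionsProvider;
    }

    /** @return the conditions provider in use */
    public ConditionsProvider getConditionsProvider() {
        return this.conditionsProvider;
    }

    /** @return whether issued assertions are signed by this provider (default {@code true}) */
    public boolean isSignToken() {
        return this.signToken;
    }

    /**
     * Controls whether issued assertions are signed. Switching this off produces unsigned
     * assertions; relying parties will typically reject those unless another component signs them.
     *
     * @param sign {@code true} to sign assertions
     */
    public void setSignToken(boolean sign) {
        this.signToken = sign;
    }

    /**
     * Replaces the realm configuration. The previous contents are discarded; a {@code null}
     * argument leaves the map empty.
     *
     * @param map realm name to realm properties; copied into this provider
     */
    public void setRealmMap(Map<String, ? extends RealmProperties> map) {
        this.realmMap.clear();
        if (map != null) {
            this.realmMap.putAll(map);
        }
    }

    /** @return a read-only view of the realm configuration */
    public Map<String, RealmProperties> getRealmMap() {
        return Collections.unmodifiableMap(this.realmMap);
    }

    /**
     * Sets an optional hook that is invoked on the assembled assertion before it is signed.
     *
     * @param samlCustomHandler the handler, or {@code null} to disable
     */
    public void setSamlCustomHandler(SamlCustomHandler samlCustomHandler) {
        this.samlCustomHandler = samlCustomHandler;
    }

    /**
     * Builds the assertion: resolves realm properties, runs the SAML callback, applies the
     * custom handler (if any) and signs the result when signing is enabled.
     *
     * @param tokenProviderParameters request parameters
     * @param secret                  symmetric secret for holder-of-key subjects, or {@code null}
     * @param document                owner document for the assertion DOM
     * @return the assembled (and, by default, signed) assertion
     * @throws Exception propagated from callback handling or signing
     */
    private SamlAssertionWrapper createSamlToken(TokenProviderParameters tokenProviderParameters,
                                                 byte[] secret, Document document) throws Exception {
        String realm = tokenProviderParameters.getRealm();
        RealmProperties realmProperties = null;
        if (realm != null && this.realmMap.containsKey(realm)) {
            realmProperties = this.realmMap.get(realm);
        }

        SamlCallbackHandler handler = createCallbackHandler(tokenProviderParameters, secret, realmProperties, document);
        SAMLCallback samlCallback = new SAMLCallback();
        SAMLUtil.doSAMLCallback(handler, samlCallback);
        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);

        if (this.samlCustomHandler != null) {
            this.samlCustomHandler.handle(assertion, tokenProviderParameters);
        }
        if (this.signToken) {
            signToken(assertion, realmProperties, tokenProviderParameters.getStsProperties(),
                      tokenProviderParameters.getKeyRequirements());
        }
        return assertion;
    }

    /**
     * Collects the statements for the assertion and wires them, together with subject,
     * conditions and realm issuer, into a {@link SamlCallbackHandler}.
     *
     * <p>If no configured provider returns a statement, a default attribute statement set is
     * produced (claims-based, falling back to {@link DefaultAttributeStatementProvider}, plus an
     * ActAs statement when present).
     *
     * @param tokenProviderParameters request parameters
     * @param secret                  symmetric secret passed to the subject provider, or {@code null}
     * @param realmProperties         realm properties supplying the issuer, or {@code null}
     * @param document                owner document passed to the subject provider
     * @return the populated callback handler
     * @throws Exception propagated from the statement, subject or conditions providers
     */
    public SamlCallbackHandler createCallbackHandler(TokenProviderParameters tokenProviderParameters,
                                                     byte[] secret, RealmProperties realmProperties,
                                                     Document document) throws Exception {
        boolean statementAdded = false;

        // Each list stays null when no providers of that kind are configured, and may be empty
        // when providers are configured but none returned a statement.
        List<AttributeStatementBean> attrBeanList = null;
        if (this.attributeStatementProviders != null && !this.attributeStatementProviders.isEmpty()) {
            attrBeanList = new ArrayList<>();
            for (AttributeStatementProvider provider : this.attributeStatementProviders) {
                AttributeStatementBean statement = provider.getStatement(tokenProviderParameters);
                if (statement != null) {
                    if (LOG.isLoggable(Level.FINE)) {
                        LOG.fine("AttributeStatements " + statement.toString()
                            + " returned by AttributeStatementProvider " + provider.getClass().getName());
                    }
                    attrBeanList.add(statement);
                    statementAdded = true;
                }
            }
        }

        List<AuthenticationStatementBean> authBeanList = null;
        if (this.authenticationStatementProviders != null && !this.authenticationStatementProviders.isEmpty()) {
            authBeanList = new ArrayList<>();
            for (AuthenticationStatementProvider provider : this.authenticationStatementProviders) {
                AuthenticationStatementBean statement = provider.getStatement(tokenProviderParameters);
                if (statement != null) {
                    if (LOG.isLoggable(Level.FINE)) {
                        LOG.fine("AuthenticationStatement " + statement.toString()
                            + " returned by AuthenticationStatementProvider " + provider.getClass().getName());
                    }
                    authBeanList.add(statement);
                    statementAdded = true;
                }
            }
        }

        List<AuthDecisionStatementBean> authDecisionBeanList = null;
        if (this.authDecisionStatementProviders != null && !this.authDecisionStatementProviders.isEmpty()) {
            authDecisionBeanList = new ArrayList<>();
            for (AuthDecisionStatementProvider provider : this.authDecisionStatementProviders) {
                AuthDecisionStatementBean statement = provider.getStatement(tokenProviderParameters);
                if (statement != null) {
                    if (LOG.isLoggable(Level.FINE)) {
                        LOG.fine("AuthDecisionStatement " + statement.toString()
                            + " returned by AuthDecisionStatementProvider " + provider.getClass().getName());
                    }
                    authDecisionBeanList.add(statement);
                    statementAdded = true;
                }
            }
        }

        if (!statementAdded) {
            attrBeanList = createDefaultAttributeStatements(tokenProviderParameters);
        }

        SubjectProviderParameters subjectProviderParameters = new SubjectProviderParameters();
        subjectProviderParameters.setProviderParameters(tokenProviderParameters);
        subjectProviderParameters.setDoc(document);
        subjectProviderParameters.setSecret(secret);
        subjectProviderParameters.setAttrBeanList(attrBeanList);
        subjectProviderParameters.setAuthBeanList(authBeanList);
        subjectProviderParameters.setAuthDecisionBeanList(authDecisionBeanList);
        SubjectBean subject = this.subjectProvider.getSubject(subjectProviderParameters);
        ConditionsBean conditions = this.conditionsProvider.getConditions(tokenProviderParameters);

        SamlCallbackHandler handler = new SamlCallbackHandler();
        handler.setTokenProviderParameters(tokenProviderParameters);
        handler.setSubjectBean(subject);
        handler.setConditionsBean(conditions);
        handler.setAttributeBeans(attrBeanList);
        handler.setAuthenticationBeans(authBeanList);
        handler.setAuthDecisionStatementBeans(authDecisionBeanList);
        if (realmProperties != null) {
            // Realm-specific issuer; otherwise the callback handler's own default applies.
            handler.setIssuer(realmProperties.getIssuer());
        }
        return handler;
    }

    /**
     * Builds the attribute statements used when no configured provider returned a statement:
     * a claims-based statement (combined or per-handler, per {@code combineClaimAttributes}),
     * replaced by the {@link DefaultAttributeStatementProvider} statement when it carries no
     * attributes, followed by the ActAs statement when that one carries attributes.
     *
     * @param tokenProviderParameters request parameters
     * @return a new, non-empty list of attribute statements
     * @throws Exception propagated from the statement providers
     */
    private List<AttributeStatementBean> createDefaultAttributeStatements(
            TokenProviderParameters tokenProviderParameters) throws Exception {
        List<AttributeStatementBean> statements = new ArrayList<>();

        AttributeStatementProvider claimsProvider = this.combineClaimAttributes
            ? new CombinedClaimsAttributeStatementProvider()
            : new ClaimsAttributeStatementProvider();
        AttributeStatementBean claimsStatement = claimsProvider.getStatement(tokenProviderParameters);
        if (hasAttributes(claimsStatement)) {
            statements.add(claimsStatement);
        } else {
            statements.add(new DefaultAttributeStatementProvider().getStatement(tokenProviderParameters));
        }

        AttributeStatementBean actAsStatement =
            new ActAsAttributeStatementProvider().getStatement(tokenProviderParameters);
        if (hasAttributes(actAsStatement)) {
            statements.add(actAsStatement);
        }
        return statements;
    }

    /** @return {@code true} when the statement exists and carries at least one SAML attribute */
    private static boolean hasAttributes(AttributeStatementBean statement) {
        return statement != null
            && statement.getSamlAttributes() != null
            && !statement.getSamlAttributes().isEmpty();
    }

    /** @return {@code true} for either SAML 2.0 token type identifier */
    private static boolean isSaml2TokenType(String tokenType) {
        return WSFederationConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
            || SAMLConstants.SAML20_NS.equals(tokenType);
    }

    /** @return {@code true} for either SAML 1.1 token type identifier */
    private static boolean isSaml1TokenType(String tokenType) {
        return WSFederationConstants.WSS_SAML1_TOKEN_TYPE.equals(tokenType)
            || SAMLConstants.SAML1_NS.equals(tokenType);
    }

    /**
     * Rejects requests whose KeyType cannot be served.
     *
     * <p>A {@code PublicKey} KeyType requires the request to carry the client's certificate or
     * public key (the assertion is bound to it). SymmetricKey, Bearer and an absent KeyType are
     * accepted; any other value is refused. How an absent KeyType is defaulted is decided
     * elsewhere and not visible here.
     *
     * @param tokenProviderParameters request parameters
     * @throws STSException with {@code INVALID_REQUEST} when the KeyType is unusable
     */
    private void testKeyType(TokenProviderParameters tokenProviderParameters) {
        KeyRequirements keyRequirements = tokenProviderParameters.getKeyRequirements();
        String keyType = keyRequirements.getKeyType();

        if (KEYTYPE_PUBLIC_KEY.equals(keyType)) {
            boolean credentialPresent = keyRequirements.getReceivedCredential() != null
                && (keyRequirements.getReceivedCredential().getX509Cert() != null
                    || keyRequirements.getReceivedCredential().getPublicKey() != null);
            if (!credentialPresent) {
                LOG.log(Level.WARNING, "A PublicKey Keytype is requested, but no certificate is provided");
                throw new STSException("No client certificate for PublicKey KeyType", STSException.INVALID_REQUEST);
            }
        } else if (keyType != null
            && !KEYTYPE_SYMMETRIC_KEY.equals(keyType)
            && !KEYTYPE_BEARER.equals(keyType)) {
            LOG.log(Level.WARNING, "An unknown KeyType was requested: " + keyType);
            throw new STSException("Unknown KeyType", STSException.INVALID_REQUEST);
        }
    }

    /** @return whether claims are combined into a single attribute statement (default {@code true}) */
    public boolean isCombineClaimAttributes() {
        return this.combineClaimAttributes;
    }

    /**
     * Controls whether the default claims statement merges all claims into one attribute
     * statement ({@link CombinedClaimsAttributeStatementProvider}) or uses
     * {@link ClaimsAttributeStatementProvider}.
     *
     * @param combine {@code true} to combine claims
     */
    public void setCombineClaimAttributes(boolean combine) {
        this.combineClaimAttributes = combine;
    }
}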
