package de.adorsys.oauth.saml.bridge;

import com.nimbusds.openid.connect.sdk.claims.UserInfo;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.joda.time.DateTime;
import org.opensaml.core.config.InitializationException;
import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.schema.XSString;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.common.messaging.context.SAMLEndpointContext;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.saml2.binding.decoding.impl.HTTPPostDecoder;
import org.opensaml.saml.saml2.binding.encoding.impl.HTTPRedirectDeflateEncoder;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.NameIDPolicy;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.impl.AuthnRequestBuilder;
import org.opensaml.saml.saml2.core.impl.IssuerBuilder;
import org.opensaml.saml.saml2.core.impl.NameIDPolicyBuilder;
import org.opensaml.saml.saml2.metadata.AuthzService;
import org.opensaml.saml.saml2.metadata.impl.AuthzServiceBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/adorsys/oauth/saml/bridge/SamlServerAuthModule.class */
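/**
 * JASPIC {@link ServerAuthModule} that authenticates HTTP requests against a SAML 2.0 identity provider.
 *
 * <p>Behaviour of {@link #validateRequest}:
 * <ul>
 *   <li>a request that already carries a user principal is accepted as-is;</li>
 *   <li>a request carrying a {@code SAMLResponse} parameter (HTTP-POST binding) is decoded; the NameID of the
 *       (last) assertion subject becomes the caller principal, every {@code Role} attribute value becomes a
 *       group, and the fixed group {@code oauth} is always added; the resulting {@link UserInfo} is stored in
 *       the request attribute {@code userInfo};</li>
 *   <li>any other request is answered with an HTTP-Redirect {@code AuthnRequest} to the configured IdP.</li>
 * </ul>
 *
 * <p>Module option: {@code saml.idp.url} — the IdP single-sign-on endpoint (required).
 *
 * <p>NOTE(review): the decoded Response is consumed without verifying its XML signature, its Issuer, the
 * assertion Conditions (NotBefore/NotOnOrAfter, AudienceRestriction) or InResponseTo (the AuthnRequest ID is
 * generated but never stored). Only plain {@code <Assertion>} elements are read; encrypted assertions are
 * ignored. Adding that validation needs OpenSAML credential/validator wiring this class does not yet have, so
 * it is documented here rather than silently stubbed.
 *
 * <p>Thread-safety: {@link #initialize} is expected to run once before any request; the remaining fields are
 * read-only afterwards and every request builds its own OpenSAML contexts.
 */
public class SamlServerAuthModule implements ServerAuthModule {
    private static final Logger LOG = LoggerFactory.getLogger(SamlServerAuthModule.class);
    private static final Class<?>[] SUPPORTED_MESSAGE_TYPES = {HttpServletRequest.class, HttpServletResponse.class};

    /** Module option holding the IdP single-sign-on URL. */
    private static final String IDP_URL_OPTION = "saml.idp.url";
    /** Request parameter carrying the base64 Response in the HTTP-POST binding. */
    private static final String SAML_RESPONSE_PARAM = "SAMLResponse";
    /** SAML attribute whose string values are mapped to groups. */
    private static final String ROLE_ATTRIBUTE = "Role";
    /** Group granted to every SAML-authenticated caller. */
    private static final String DEFAULT_GROUP = "oauth";
    /** UserInfo claim that carries the group list handed to the container. */
    private static final String GROUPS_CLAIM = "groups";
    /** Request attribute under which the built UserInfo is published. */
    private static final String USER_INFO_ATTRIBUTE = "userInfo";
    /** Top-level SAML 2.0 status code of a successful Response. */
    private static final String STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
    private static final String BINDING_HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
    private static final String NAMEID_FORMAT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient";

    private CallbackHandler callbackHandler;
    private String idpUrl;

    /**
     * Returns the message types this module can handle (servlet request/response).
     *
     * @return a fresh copy of the supported types, so callers cannot alter the shared array
     */
    @Override
    public Class[] getSupportedMessageTypes() {
        return SUPPORTED_MESSAGE_TYPES.clone();
    }

    /**
     * Stores the callback handler, reads the {@code saml.idp.url} option and bootstraps OpenSAML.
     *
     * @param requestPolicy  unused; the module always authenticates
     * @param responsePolicy unused
     * @param handler        container callback handler used to install caller and group principals
     * @param options        module options; must contain {@code saml.idp.url}
     * @throws AuthException if the IdP URL option is missing or OpenSAML cannot be initialized
     */
    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy, CallbackHandler handler, Map options)
            throws AuthException {
        this.callbackHandler = handler;
        Object configured = options == null ? null : options.get(IDP_URL_OPTION);
        if (configured == null || configured.toString().isEmpty()) {
            // Without an IdP endpoint no AuthnRequest can ever be sent; fail at deploy time, not per request.
            throw new AuthException("missing module option " + IDP_URL_OPTION);
        }
        this.idpUrl = configured.toString();
        try {
            InitializationService.initialize();
        } catch (InitializationException e) {
            throw wrap(e);
        }
    }

    /**
     * No-op: this module keeps no per-subject state; principals installed through the callbacks are left to the
     * container.
     */
    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException {
    }

    /** Responses are never post-processed; always reports {@link AuthStatus#SEND_SUCCESS}. */
    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject subject) throws AuthException {
        return AuthStatus.SEND_SUCCESS;
    }

    /**
     * Authenticates the request as described on the class.
     *
     * @param messageInfo    carries the servlet request and response
     * @param clientSubject  subject that receives the caller and group principals
     * @param serviceSubject unused
     * @return {@link AuthStatus#SUCCESS} when a principal is present or a SAML Response was accepted;
     *         {@link AuthStatus#FAILURE} after a redirect to the IdP has been written to the response
     * @throws AuthException on any decoding, validation or callback failure (original cause attached)
     */
    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject)
            throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        if (request.getUserPrincipal() != null) {
            return AuthStatus.SUCCESS;
        }
        LOG.debug("request {}", request.getRequestURL());
        try {
            UserInfo userInfo = checkSamlResponse(request);
            if (userInfo != null) {
                return applyUserInfo(clientSubject, userInfo);
            }
            redirectSamlRequest(request, response);
            // NOTE(review): the redirect is already written; FAILURE is kept for compatibility with the
            // containers this was deployed on. SEND_CONTINUE is the status the JASPIC spec describes for
            // "response produced, authentication continues later" — confirm container behaviour before changing.
            return AuthStatus.FAILURE;
        } catch (Exception e) {
            LOG.error("ups", e);
            throw wrap(e);
        }
    }

    /**
     * Builds an {@link AuthException} that keeps {@code cause} in the stack trace. The javax JASPIC
     * {@code AuthException} has no (message, cause) constructor, hence {@link Throwable#initCause}.
     */
    private static AuthException wrap(Exception cause) {
        AuthException ex = new AuthException(cause.getMessage());
        ex.initCause(cause);
        return ex;
    }

    /**
     * Writes an HTTP-Redirect (DEFLATE) {@code AuthnRequest} for the configured IdP to the response.
     * The current request URL (including query string) is used both as AssertionConsumerServiceURL and as
     * Issuer, so the IdP posts the Response back to the page that was originally requested.
     */
    private void redirectSamlRequest(HttpServletRequest request, HttpServletResponse response) throws Exception {
        String acsUrl = currentUrl(request);

        AuthnRequest authnRequest = new AuthnRequestBuilder().buildObject();
        authnRequest.setAssertionConsumerServiceURL(acsUrl);
        authnRequest.setDestination(this.idpUrl);
        authnRequest.setForceAuthn(false);
        // Random request ID; it is not remembered anywhere, so InResponseTo cannot be checked on the way back.
        authnRequest.setID(UUID.randomUUID().toString());
        authnRequest.setIsPassive(false);
        authnRequest.setIssueInstant(DateTime.now());
        authnRequest.setProtocolBinding(BINDING_HTTP_POST);
        authnRequest.setVersion(SAMLVersion.VERSION_20);

        NameIDPolicy nameIdPolicy = new NameIDPolicyBuilder().buildObject();
        nameIdPolicy.setAllowCreate(true);
        nameIdPolicy.setFormat(NAMEID_FORMAT_TRANSIENT);
        authnRequest.setNameIDPolicy(nameIdPolicy);

        Issuer issuer = new IssuerBuilder().buildObject();
        issuer.setValue(acsUrl);
        authnRequest.setIssuer(issuer);

        MessageContext messageContext = new MessageContext();
        messageContext.setMessage(authnRequest);
        // A fresh peer/endpoint context per request: addSubcontext re-parents the subcontext, so one shared
        // instance would be attached to whichever MessageContext was built last.
        messageContext.addSubcontext(newPeerEntityContext());

        HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder();
        encoder.setMessageContext(messageContext);
        encoder.setHttpServletResponse(response);
        encoder.initialize();
        encoder.encode();
    }

    /** Peer-entity context whose endpoint (location and response location) is the configured IdP URL. */
    private SAMLPeerEntityContext newPeerEntityContext() {
        AuthzService endpoint = new AuthzServiceBuilder().buildObject();
        endpoint.setLocation(this.idpUrl);
        endpoint.setResponseLocation(this.idpUrl);
        SAMLEndpointContext endpointContext = new SAMLEndpointContext();
        endpointContext.setEndpoint(endpoint);
        SAMLPeerEntityContext peerContext = new SAMLPeerEntityContext();
        peerContext.addSubcontext(endpointContext);
        return peerContext;
    }

    /** Request URL plus query string (if any), e.g. {@code https://host/app/page?x=1}. */
    private static String currentUrl(HttpServletRequest request) {
        String url = request.getRequestURL().toString();
        String query = request.getQueryString();
        return query == null ? url : String.format("%s?%s", url, query);
    }

    /**
     * Decodes a posted {@code SAMLResponse} and maps it to a {@link UserInfo}.
     *
     * @return {@code null} when the request carries no {@code SAMLResponse} parameter
     * @throws AuthException if the Response status is not Success or no assertion provides a NameID
     * @throws Exception     on decoder failures
     */
    private UserInfo checkSamlResponse(HttpServletRequest request) throws Exception {
        if (request.getParameter(SAML_RESPONSE_PARAM) == null) {
            return null;
        }
        HTTPPostDecoder decoder = new HTTPPostDecoder();
        decoder.setHttpServletRequest(request);
        decoder.initialize();
        decoder.decode();
        Response response = (Response) decoder.getMessageContext().getMessage();
        // NOTE(review): no signature / Issuer / Conditions / InResponseTo validation precedes the reads below.
        requireSuccessStatus(response);

        List<String> groups = new ArrayList<>();
        groups.add(DEFAULT_GROUP);
        String nameId = null;
        for (Assertion assertion : response.getAssertions()) {
            // Last assertion with a NameID wins, as in the original mapping.
            if (assertion.getSubject() != null && assertion.getSubject().getNameID() != null) {
                nameId = assertion.getSubject().getNameID().getValue();
            }
            for (AttributeStatement statement : assertion.getAttributeStatements()) {
                for (Attribute attribute : statement.getAttributes()) {
                    if (ROLE_ATTRIBUTE.equals(attribute.getName())) {
                        collectStringValues(attribute, groups);
                    }
                }
            }
        }
        if (nameId == null || nameId.isEmpty()) {
            // Fail explicitly instead of letting the nimbus Subject constructor reject a null/empty value.
            throw new AuthException("SAML response contains no assertion subject NameID");
        }

        UserInfo userInfo = new UserInfo(new com.nimbusds.oauth2.sdk.id.Subject(nameId));
        userInfo.setName(nameId);
        userInfo.setClaim(GROUPS_CLAIM, groups);
        request.setAttribute(USER_INFO_ATTRIBUTE, userInfo);
        return userInfo;
    }

    /** Rejects a Response whose top-level StatusCode is missing or not {@code Success}. */
    private static void requireSuccessStatus(Response response) throws AuthException {
        if (response.getStatus() == null || response.getStatus().getStatusCode() == null) {
            throw new AuthException("SAML response carries no Status");
        }
        String code = response.getStatus().getStatusCode().getValue();
        if (!STATUS_SUCCESS.equals(code)) {
            throw new AuthException("SAML response status is not Success: " + code);
        }
    }

    /** Appends every non-null {@code xs:string} value of {@code attribute} to {@code into}; other value types are skipped. */
    private static void collectStringValues(Attribute attribute, List<String> into) {
        for (Object value : attribute.getAttributeValues()) {
            if (value instanceof XSString) {
                String text = ((XSString) value).getValue();
                if (text != null) {
                    into.add(text);
                }
            }
        }
    }

    /**
     * Installs the caller principal and groups from {@code userInfo} into {@code subject} via the container
     * callbacks.
     *
     * @return {@link AuthStatus#SUCCESS}
     * @throws AuthException if the callback handler fails (original cause attached)
     */
    private AuthStatus applyUserInfo(Subject subject, UserInfo userInfo) throws AuthException {
        String name = userInfo.getName();
        List<String> groups = new ArrayList<>();
        Object claim = userInfo.getClaim(GROUPS_CLAIM);
        if (claim instanceof List) {
            for (Object group : (List<?>) claim) {
                if (group != null) {
                    groups.add(group.toString());
                }
            }
        }
        try {
            this.callbackHandler.handle(new Callback[]{
                    new CallerPrincipalCallback(subject, name),
                    new GroupPrincipalCallback(subject, groups.toArray(new String[0]))});
            return AuthStatus.SUCCESS;
        } catch (IOException | UnsupportedCallbackException e) {
            throw wrap(e);
        }
    }
}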
