package org.opensaml.provider;

import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.Date;
import java.util.Iterator;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.codec.binary.Base64;
import org.apache.log4j.Logger;
import org.apache.ws.security.message.token.UsernameToken;
import org.opensaml.ExpiredAssertionException;
import org.opensaml.FatalProfileException;
import org.opensaml.ReplayCache;
import org.opensaml.ReplayedAssertionException;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAuthenticationStatement;
import org.opensaml.SAMLBrowserProfile;
import org.opensaml.SAMLConfig;
import org.opensaml.SAMLException;
import org.opensaml.SAMLRequest;
import org.opensaml.SAMLResponse;
import org.opensaml.SAMLStatement;
import org.opensaml.SAMLSubject;
import org.opensaml.UnsupportedProfileException;
import org.opensaml.XML;
import org.opensaml.artifact.Artifact;
import org.opensaml.artifact.ArtifactParseException;
import org.opensaml.artifact.ArtifactParserException;
import org.opensaml.artifact.SAMLArtifact;
import org.w3c.dom.Element;

/* loaded from: input_file:lib/opensaml-1.1.jar:org/opensaml/provider/BrowserProfileProvider.class */
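/**
 * Receiving side of the SAML browser profiles (browser/POST and browser/artifact).
 *
 * <p>It extracts the profile parameters from an HTTP request and then turns either a
 * base64-encoded POST response or a set of artifacts into an accepted assertion and
 * authentication statement.
 *
 * <p>Points a relying party should be aware of, based on what this class does and does not do:
 * <ul>
 *   <li>For the POST profile this class only calls {@code isSigned()}. Nothing visible here
 *       validates the signature value or the signer. NOTE(review): confirm that the caller
 *       verifies the signature before trusting the returned assertion.</li>
 *   <li>When no {@link ReplayCache} is supplied, replay protection is skipped and only a
 *       warning is logged.</li>
 *   <li>The issuer written to the caller's buffer on failure is read from the message that
 *       was just rejected, so it is unauthenticated data.</li>
 * </ul>
 */
public class BrowserProfileProvider implements SAMLBrowserProfile {
    private static Logger log;

    // Allowed clock skew. It is added to and subtracted from System.currentTimeMillis() values
    // below, so it is used as a number of milliseconds.
    private static int skew;

    // Synthetic class-literal cache (pre-Java-5 compiler output); kept so the type's shape is unchanged.
    static Class class$org$opensaml$provider$BrowserProfileProvider;

    /**
     * Creates the provider.
     *
     * @param element configuration element; it is not read by this implementation
     */
    public BrowserProfileProvider(Element element) {
    }

    /**
     * Collects the browser-profile parameters from an HTTP request.
     *
     * <p>{@code SAMLResponse} takes precedence; the {@code SAMLart} values are read only when
     * it is absent. {@code TARGET} is copied as received, without any validation.
     * NOTE(review): a caller that redirects to TARGET should validate it first.
     *
     * @param httpServletRequest the incoming request
     * @return the extracted parameters
     * @throws UnsupportedProfileException if neither {@code SAMLResponse} nor any
     *         {@code SAMLart} parameter is present
     */
    @Override // org.opensaml.SAMLBrowserProfile
    public SAMLBrowserProfile.BrowserProfileRequest receive(HttpServletRequest httpServletRequest) throws UnsupportedProfileException {
        SAMLBrowserProfile.BrowserProfileRequest browserProfileRequest = new SAMLBrowserProfile.BrowserProfileRequest();
        browserProfileRequest.SAMLResponse = httpServletRequest.getParameter("SAMLResponse");
        if (browserProfileRequest.SAMLResponse == null) {
            browserProfileRequest.SAMLArt = httpServletRequest.getParameterValues("SAMLart");
            if (browserProfileRequest.SAMLArt == null || browserProfileRequest.SAMLArt.length == 0) {
                throw new UnsupportedProfileException("no SAMLResponse or SAMLart parameters supplied in HTTP request");
            }
        }
        browserProfileRequest.TARGET = httpServletRequest.getParameter("TARGET");
        return browserProfileRequest;
    }

    /**
     * Processes a browser-profile request and selects the assertion and authentication
     * statement to accept.
     *
     * <p>POST profile: the response is base64-decoded and parsed, its recipient must match
     * {@code str}, its issue instant must not be older than twice the skew, and it must carry a
     * signature (presence only, see the class comment). Artifact profile: each artifact is
     * checked against the replay cache, parsed, and the set is resolved through
     * {@code artifactMapper}.
     *
     * <p>In both profiles the first assertion that has both time conditions, is inside its
     * validity window (widened by the skew) and contains an authentication statement with an
     * acceptable confirmation method is chosen. For the POST profile the assertion ID is then
     * checked against the replay cache.
     *
     * @param stringBuffer optional buffer; when a {@link SAMLException} is thrown, the issuer of
     *        the first assertion in the (rejected, hence untrusted) response is appended to it
     * @param browserProfileRequest parameters as returned by {@link #receive(HttpServletRequest)}
     * @param str the recipient value the POST response must carry; an empty value is rejected
     * @param replayCache replay cache; when {@code null}, replay checks are skipped with a warning
     * @param artifactMapper resolver for artifacts; required for the artifact profile
     * @param i minor version passed to the parsed response and to the artifact request
     * @return the response together with the accepted assertion, statement and TARGET
     * @throws SAMLException if any check fails or no acceptable authentication statement is found
     */
    @Override // org.opensaml.SAMLBrowserProfile
    public SAMLBrowserProfile.BrowserProfileResponse receive(StringBuffer stringBuffer, SAMLBrowserProfile.BrowserProfileRequest browserProfileRequest, String str, ReplayCache replayCache, SAMLBrowserProfile.ArtifactMapper artifactMapper, int i) throws SAMLException {
        SAMLResponse response;
        long now = System.currentTimeMillis();
        SAMLAssertion acceptedAssertion = null;
        SAMLAuthenticationStatement acceptedStatement = null;
        boolean postProfile = true;
        if (browserProfileRequest.SAMLResponse != null) {
            // getBytes() uses the platform default charset; base64 text is plain ASCII.
            response = new SAMLResponse(new ByteArrayInputStream(Base64.decodeBase64(browserProfileRequest.SAMLResponse.getBytes())), i);
            if (log.isDebugEnabled()) {
                // The full response, including its assertions, goes to the debug log.
                log.debug("decoded SAML response:\n" + response.toString());
            }
            try {
                if (XML.isEmpty(str) || !XML.safeCompare(str, response.getRecipient())) {
                    throw new FatalProfileException("detected recipient mismatch in POST profile response");
                }
                if (response.getIssueInstant().getTime() < now - (2 * skew)) {
                    throw new ExpiredAssertionException("detected expired POST profile response");
                }
                // Presence of a signature only; no verification is performed here.
                if (!response.isSigned()) {
                    throw new FatalProfileException("detected unsigned POST profile response");
                }
            } catch (SAMLException e) {
                appendFirstIssuer(stringBuffer, response);
                throw e;
            }
        } else {
            if (browserProfileRequest.SAMLArt == null || browserProfileRequest.SAMLArt.length == 0) {
                throw new FatalProfileException("no SAMLResponse or SAMLart parameters supplied");
            }
            if (artifactMapper == null) {
                throw new FatalProfileException("support of artifact profile requires ArtifactMapper interface object");
            }
            String[] encodedArtifacts = browserProfileRequest.SAMLArt;
            Artifact[] artifactArr = new Artifact[encodedArtifacts.length];
            for (int index = 0; index < encodedArtifacts.length; index++) {
                // The artifact is a request parameter and is written to the log as received.
                String encoded = encodedArtifacts[index];
                try {
                    log.debug("processing encoded artifact (" + encoded + ")");
                    if (replayCache == null) {
                        // Fails open: processing continues without replay protection.
                        log.warn("replay cache was not provided, this is a potential security risk!");
                    } else if (!replayCache.check("A_" + encoded, new Date(System.currentTimeMillis() + (2 * skew)))) {
                        throw new ReplayedAssertionException("rejecting replayed artifact (" + encoded + ")");
                    }
                    artifactArr[index] = SAMLArtifact.getTypeCode(encoded).getParser().parse(encoded);
                } catch (ArtifactParseException e2) {
                    log.error("invalid artifact (" + encoded + ")");
                    throw new FatalProfileException("unable to parse artifact");
                } catch (ArtifactParserException e3) {
                    log.error("unrecognized artifact type (" + encoded + ")");
                    throw new FatalProfileException("unable to build parser for received artifact, unknown type");
                }
            }
            SAMLRequest artifactRequest = new SAMLRequest(Arrays.asList(artifactArr));
            artifactRequest.setMinorVersion(i);
            response = artifactMapper.resolve(artifactRequest);
            postProfile = false;
        }
        try {
            // Reset on every iteration, so after the loop it describes only the last assertion examined.
            boolean rejectedOnTime = false;
            Iterator candidates = response.getAssertions();
            while (acceptedAssertion == null && candidates.hasNext()) {
                rejectedOnTime = false;
                SAMLAssertion candidate = (SAMLAssertion) candidates.next();
                Date notBefore = candidate.getNotBefore();
                Date notOnOrAfter = candidate.getNotOnOrAfter();
                if (notBefore == null || notOnOrAfter == null) {
                    log.debug("skipping assertion without time conditions...");
                } else if (now + skew < notBefore.getTime()) {
                    rejectedOnTime = true;
                    log.debug("skipping assertion that's not yet valid...");
                } else if (notOnOrAfter.getTime() > now - skew) {
                    Iterator statements = candidate.getStatements();
                    while (acceptedStatement == null && statements.hasNext()) {
                        SAMLStatement statement = (SAMLStatement) statements.next();
                        if (statement instanceof SAMLAuthenticationStatement) {
                            SAMLAuthenticationStatement authnStatement = (SAMLAuthenticationStatement) statement;
                            Iterator confirmationMethods = authnStatement.getSubject().getConfirmationMethods();
                            while (confirmationMethods.hasNext()) {
                                String method = (String) confirmationMethods.next();
                                // Bearer is accepted only for the POST profile; the two artifact
                                // confirmation methods are accepted in either profile.
                                if ((postProfile && method.equals(SAMLSubject.CONF_BEARER)) || method.equals(SAMLSubject.CONF_ARTIFACT) || method.equals(SAMLSubject.CONF_ARTIFACT01)) {
                                    acceptedStatement = authnStatement;
                                    acceptedAssertion = candidate;
                                    break;
                                }
                            }
                        }
                    }
                } else {
                    rejectedOnTime = true;
                    log.debug("skipping expired assertion...");
                }
            }
            if (acceptedStatement == null) {
                if (rejectedOnTime && response.getAssertions().hasNext()) {
                    throw new ExpiredAssertionException("unable to accept assertion because of clock skew");
                }
                throw new FatalProfileException("unable to locate a valid authentication statement");
            }
            if (postProfile) {
                if (replayCache == null) {
                    // Fails open: a POSTed assertion can be presented again without detection.
                    log.warn("replay cache was not provided, this is a serious security risk!");
                } else if (!replayCache.check("P_" + acceptedAssertion.getId(), acceptedAssertion.getNotOnOrAfter())) {
                    throw new ReplayedAssertionException("rejecting replayed assertion ID (" + acceptedAssertion.getId() + ")");
                }
            }
            SAMLBrowserProfile.BrowserProfileResponse browserProfileResponse = new SAMLBrowserProfile.BrowserProfileResponse();
            browserProfileResponse.response = response;
            browserProfileResponse.assertion = acceptedAssertion;
            browserProfileResponse.authnStatement = acceptedStatement;
            browserProfileResponse.TARGET = browserProfileRequest.TARGET;
            return browserProfileResponse;
        } catch (SAMLException e4) {
            appendFirstIssuer(stringBuffer, response);
            throw e4;
        }
    }

    /**
     * Appends the issuer of the first assertion in {@code response} to {@code issuerOut}, when a
     * buffer was supplied and the response has at least one assertion. The value comes from a
     * message that has just been rejected, so it is for diagnostics only.
     */
    private static void appendFirstIssuer(StringBuffer issuerOut, SAMLResponse response) {
        if (issuerOut != null) {
            Iterator assertions = response.getAssertions();
            if (assertions.hasNext()) {
                issuerOut.append(((SAMLAssertion) assertions.next()).getIssuer());
            }
        }
    }

    /**
     * Synthetic class-literal helper: loads a class by name and reports a missing class as
     * {@link NoClassDefFoundError} with the original exception as its cause.
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            // initCause() is declared to return Throwable, so the uncast form does not compile
            // in a method without a throws clause; it returns the same error object.
            throw (NoClassDefFoundError) new NoClassDefFoundError().initCause(e);
        }
    }

    static {
        Class cls;
        if (class$org$opensaml$provider$BrowserProfileProvider == null) {
            cls = class$("org.opensaml.provider.BrowserProfileProvider");
            class$org$opensaml$provider$BrowserProfileProvider = cls;
        } else {
            cls = class$org$opensaml$provider$BrowserProfileProvider;
        }
        log = Logger.getLogger(cls.getName());
        // NOTE(review): the multiplier is taken from an unrelated WS-Security constant. This looks
        // like a decompiler substituting a same-valued constant for an inlined literal, presumably
        // a seconds-to-milliseconds factor. Confirm against the original source.
        skew = UsernameToken.DEFAULT_ITERATION * SAMLConfig.instance().getIntProperty("org.opensaml.clock-skew");
    }
}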
