package org.apache.cxf.rs.security.oauth2.auth.saml;

import java.io.ByteArrayInputStream;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.core.Response;
import org.apache.cxf.common.util.Base64Exception;
import org.apache.cxf.jaxrs.ext.form.Form;
import org.apache.cxf.jaxrs.model.ClassResourceInfo;
import org.apache.cxf.jaxrs.provider.FormEncodingProvider;
import org.apache.cxf.jaxrs.utils.FormUtils;
import org.apache.cxf.jaxrs.utils.HttpUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.rs.security.oauth2.saml.Base64UrlUtility;
import org.apache.cxf.rs.security.oauth2.saml.Constants;
import org.apache.cxf.rs.security.oauth2.saml.SamlOAuthValidator;
import org.apache.cxf.rs.security.saml.AbstractSamlInHandler;
import org.apache.cxf.rs.security.saml.SAMLUtils;
import org.apache.cxf.rs.security.saml.assertion.Subject;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.w3c.dom.Element;

/* loaded from: input_file:org/apache/cxf/rs/security/oauth2/auth/saml/Saml2BearerAuthHandler.class */
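/**
 * Request handler that authenticates an OAuth2 client from a SAML 2.0 bearer assertion
 * carried in the request form.
 *
 * <p>The form must declare {@code Constants.CLIENT_AUTH_ASSERTION_TYPE} equal to
 * {@code Constants.CLIENT_AUTH_SAML2_BEARER} and carry the base64url-encoded assertion in
 * {@code Constants.CLIENT_AUTH_ASSERTION_PARAM}. Once the assertion is validated, the three
 * client-authentication fields are stripped from the form and the remaining form is restored
 * on the message so later handlers/resources can read it. The authenticated client id is
 * published on the message under the {@code "client_id"} key.
 *
 * <p>Every failure is reported to the client as a bare 401 with no body; the underlying cause is
 * kept on the thrown exception for server-side diagnostics only.
 */
public class Saml2BearerAuthHandler extends AbstractSamlInHandler {
    /** Form field carrying the client id; also the message key the validated client id is stored under. */
    private static final String CLIENT_ID = "client_id";

    /** Form codec used both to read the incoming form and to restore it after stripping the auth fields. */
    private final FormEncodingProvider<Form> provider = new FormEncodingProvider<>(true);
    private SamlOAuthValidator samlOAuthValidator = new SamlOAuthValidator();

    /**
     * Replaces the OAuth-specific SAML validator applied after the generic SAML checks.
     *
     * @param samlOAuthValidator validator to use for the OAuth2-specific assertion checks
     */
    public void setSamlOAuthValidator(SamlOAuthValidator samlOAuthValidator) {
        this.samlOAuthValidator = samlOAuthValidator;
    }

    /**
     * Authenticates the client from the form-encoded request body.
     *
     * @param message           the in-bound CXF message whose body holds the form
     * @param classResourceInfo the targeted resource class (unused here)
     * @return always {@code null}, i.e. processing continues to the next handler
     * @throws NotAuthorizedException (401) when the form cannot be read, the assertion type is not
     *                                SAML2 bearer, the assertion is missing or invalid, or the form
     *                                cannot be restored on the message
     */
    public Response handleRequest(Message message, ClassResourceInfo classResourceInfo) {
        Form form = readFormData(message);

        String assertionType = firstValue(form, Constants.CLIENT_AUTH_ASSERTION_TYPE);
        // The type value may arrive URL-encoded; compare the decoded form. A missing value
        // decodes to null and therefore never equals the expected constant.
        String decodedAssertionType = assertionType != null ? HttpUtils.urlDecode(assertionType) : null;
        if (!Constants.CLIENT_AUTH_SAML2_BEARER.equals(decodedAssertionType)) {
            throw new NotAuthorizedException(errorResponse());
        }

        Element token = readToken(message, firstValue(form, Constants.CLIENT_AUTH_ASSERTION_PARAM));
        validateToken(message, token, firstValue(form, CLIENT_ID));

        // Downstream consumers must not see the raw assertion or the unverified client id;
        // only the validated client id on the message is authoritative.
        form.getData().remove(CLIENT_ID);
        form.getData().remove(Constants.CLIENT_AUTH_ASSERTION_PARAM);
        form.getData().remove(Constants.CLIENT_AUTH_ASSERTION_TYPE);

        // The body was consumed by readFormData; put the stripped form back so it can be read again.
        try {
            FormUtils.restoreForm(this.provider, form, message);
        } catch (Exception e) {
            // Boundary catch: the client only ever sees a 401, the cause stays server-side.
            throw new NotAuthorizedException(errorResponse(), e);
        }
        return null;
    }

    /**
     * Reads the form-encoded body of the message.
     *
     * @throws NotAuthorizedException (401) when the body cannot be parsed as a form
     */
    private Form readFormData(Message message) {
        try {
            return FormUtils.readForm(this.provider, message);
        } catch (Exception e) {
            throw new NotAuthorizedException(errorResponse(), e);
        }
    }

    /**
     * Returns the first value of the named form field, or {@code null} when the field is absent.
     */
    private static String firstValue(Form form, String name) {
        return (String) form.getData().getFirst(name);
    }

    /**
     * Decodes the base64url-encoded assertion and parses it into a DOM element via the superclass.
     *
     * @param message   the in-bound message (passed through to the stream-based reader)
     * @param assertion base64url text of the assertion, may be {@code null}
     * @throws NotAuthorizedException (401) when the assertion is missing or not valid base64url
     */
    protected Element readToken(Message message, String assertion) {
        if (assertion == null) {
            throw new NotAuthorizedException(errorResponse());
        }
        try {
            byte[] decoded = Base64UrlUtility.decode(assertion);
            return readToken(message, new ByteArrayInputStream(decoded));
        } catch (Base64Exception e) {
            throw new NotAuthorizedException(errorResponse(), e);
        }
    }

    /**
     * Validates the assertion and binds the client identity to the message.
     *
     * <p>Order matters: the superclass SAML validation runs first, then the subject is checked
     * against the form's client id (when one was sent), then the OAuth-specific validator runs,
     * and only then is the client id published on the message.
     *
     * @param message  the in-bound message
     * @param token    the parsed assertion element
     * @param clientId client id from the form, or {@code null} when the form did not carry one
     * @throws NotAuthorizedException (401) when the subject has no name or does not match
     *                                the supplied client id
     */
    protected void validateToken(Message message, Element token, String clientId) {
        AssertionWrapper wrapper = toWrapper(token);
        super.validateToken(message, wrapper);

        Subject subject = SAMLUtils.getSubject(message, wrapper);
        // NOTE(review): assumes SAMLUtils.getSubject never returns null here — confirm.
        String subjectName = subject.getName();
        if (subjectName == null) {
            throw new NotAuthorizedException(errorResponse());
        }
        // A client id sent in the form must agree with the assertion's subject; when none is
        // sent, the subject name alone identifies the client.
        if (clientId != null && !clientId.equals(subjectName)) {
            throw new NotAuthorizedException(errorResponse());
        }

        this.samlOAuthValidator.validate(message, wrapper);
        message.put(CLIENT_ID, subjectName);
    }

    /** Builds the 401 response used for every failure: status only, no body, no detail. */
    private static Response errorResponse() {
        return Response.status(401).build();
    }
}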
