package com.ibm.ws.security.saml.sso20.token;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.security.saml2.Saml20Attribute;
import com.ibm.websphere.security.saml2.Saml20Token;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.saml.Constants;
import com.ibm.ws.security.saml.error.SamlException;
import com.ibm.ws.security.saml.sso20.internal.utils.SamlUtil;
import com.ibm.ws.security.saml.sso20.rs.ByteArrayDecoder;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.xml.namespace.QName;
import net.shibboleth.utilities.java.support.codec.Base64Support;
import net.shibboleth.utilities.java.support.xml.NamespaceSupport;
import net.shibboleth.utilities.java.support.xml.SerializeSupport;
import org.joda.time.DateTime;
import org.opensaml.core.xml.Namespace;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.messaging.decoder.MessageDecodingException;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml.saml2.core.Audience;
import org.opensaml.saml.saml2.core.AudienceRestriction;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.opensaml.saml.saml2.core.Conditions;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.ProxyRestriction;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.saml2.core.SubjectLocality;
import org.opensaml.xmlsec.signature.KeyInfo;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.X509Data;
import org.w3c.dom.Element;

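/**
 * Read-only view of a SAML 2.0 {@link Assertion} as seen by the service provider.
 *
 * <p>The constructor walks the assertion's direct children once and copies the
 * values this runtime cares about (issuer, subject, conditions, authn statement,
 * attributes, and the certificates carried in the signature's {@code KeyInfo})
 * into fields. Nothing in this class validates the assertion: signature
 * verification, audience/expiry checks and replay detection are the caller's
 * responsibility. Treat every getter as "what the assertion said", not "what was
 * verified".
 *
 * <p>Serialization: only {@code providerId} and {@code samlString} (the
 * serialized assertion DOM) are written. On deserialization the XML is
 * re-unmarshalled and {@link #init(Assertion)} is re-run to rebuild every
 * transient field, so the persisted form is the assertion text itself.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:com/ibm/ws/security/saml/sso20/token/Saml20TokenImpl.class */
public class Saml20TokenImpl implements Saml20Token, Serializable {
    private static final long serialVersionUID = -862850937499495719L;
    private static final TraceComponent tc = Tr.register(Saml20TokenImpl.class, "SAML20", "com.ibm.ws.security.saml.sso20.internal.resources.SamlSso20Messages");
    /** Fully qualified name passed to FFDC; kept as a constant so the probe records agree. */
    private static final String CLASS_NAME = "com.ibm.ws.security.saml.sso20.token.Saml20TokenImpl";
    /** Key under which the cloned assertion DOM is published in {@link #getProperties()}. */
    private static final String samlElement = "samlElement";
    /** Key under which the AuthnStatement SessionIndex is published in {@link #getProperties()}. */
    private static final String SINDEX = "sessionIndex";
    /** Key under which the subject's NameID object is published in {@link #getProperties()}. */
    private static final String NAMEID = "NameID";
    /** XML-DSig namespace; its declaration is deliberately not copied onto the cloned DOM. */
    private static final String dsUri = "http://www.w3.org/2000/09/xmldsig#";
    private String providerId;
    private transient Element assertionDOM;
    private transient String samlID;
    private transient QName assertionQName;
    private transient Date samlExpires;
    private transient Date samlCreated;
    // Never assigned in this class; getHolderOfKeyBytes() therefore returns null and
    // toString() prints an empty string for it.
    private transient byte[] holderOfKeyBytes;
    private transient String SAMLIssuerName;
    private transient String authenticationMethod;
    private transient Date authenticationInstant;
    private transient String subjectDNS;
    private transient String subjectIPAddress;
    private transient String nameId;
    private transient String nameIdFormat;
    /** Serialized assertion DOM; the only state that survives Java serialization besides providerId. */
    private String samlString = null;
    private transient String issuerNameFormat = null;
    private transient String sessionIndex = null;
    private transient boolean oneTimeUse = false;
    private transient boolean proxyRestriction = false;
    private transient long proxyRestrictionCount = 0;
    private transient List<String> proxyRestrictionAudience = new ArrayList<>();
    private transient List<X509Certificate> signerCertificates = new ArrayList<>();
    private transient List<String> signerCertificateDN = new ArrayList<>();
    private transient List<String> confirmationMethod = new ArrayList<>();
    private transient List<String> audienceRestriction = new ArrayList<>();
    private transient List<Saml20Attribute> attributes = new ArrayList<>();
    private transient long lSessionNotOnOrAfter = 0;
    private transient Map<String, Object> maps = new HashMap<>();
    private transient boolean wasDeserialized = false;

    /**
     * Builds a token for the given assertion on behalf of a service provider.
     *
     * @param assertion the unmarshalled assertion; must already have a DOM
     * @param str       the service provider id reported by {@link #getServiceProviderID()}
     * @throws SamlException if a signer certificate in the assertion cannot be parsed
     */
    public Saml20TokenImpl(Assertion assertion, String str) throws SamlException {
        this.providerId = str;
        init(assertion);
    }

    /**
     * Builds a token for the given assertion with no service provider id.
     *
     * @param assertion the unmarshalled assertion; must already have a DOM
     * @throws SamlException if a signer certificate in the assertion cannot be parsed
     */
    public Saml20TokenImpl(Assertion assertion) throws SamlException {
        init(assertion);
    }

    /**
     * Extracts all token state from the assertion's direct children.
     *
     * <p>Only the first-level elements with the local names known to
     * {@link Constants} are handled; anything else is traced and ignored. This
     * method performs no validation of the assertion's content.
     *
     * @param assertion the assertion to read
     * @throws SamlException propagated from signature/certificate handling
     */
    void init(Assertion assertion) throws SamlException {
        this.assertionDOM = getClonedAssertionDom(assertion);
        this.maps.put(samlElement, this.assertionDOM);
        this.samlString = SerializeSupport.nodeToString(this.assertionDOM);
        handleSamlAssertion(assertion);
        for (XMLObject child : assertion.getOrderedChildren()) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "XMLObject : " + child, new Object[0]);
            }
            if (child == null) {
                continue;
            }
            QName elementQName = child.getElementQName();
            String localPart = elementQName.getLocalPart();
            String namespaceURI = elementQName.getNamespaceURI();
            // Dispatch on local name only; the namespace is not checked here.
            if (localPart.equals(Constants.LOCAL_NAME_Issuer)) {
                handleSamlIssuer((Issuer) child);
            } else if (localPart.equals(Constants.LOCAL_NAME_Signature)) {
                handleSamlSignature((Signature) child);
            } else if (localPart.equals(Constants.LOCAL_NAME_Subject)) {
                handleSamlSubject((Subject) child);
            } else if (localPart.equals(Constants.LOCAL_NAME_Conditions)) {
                handleSamlConditions((Conditions) child);
            } else if (localPart.equals(Constants.LOCAL_NAME_AuthnStatement)) {
                handleSamlAuthnStatement((AuthnStatement) child);
            } else if (localPart.equals(Constants.LOCAL_NAME_AttributeStatement)) {
                handleSamlAttributeStatement((AttributeStatement) child);
            } else if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Unhandle XMLObject: " + localPart + "(" + namespaceURI + ")", new Object[0]);
            }
        }
    }

    /**
     * Copies authentication instant, session index, authn context class,
     * subject locality and SessionNotOnOrAfter from an AuthnStatement.
     *
     * @param authnStatement the statement to read; AuthnInstant is required
     * @throws SamlException never thrown here; declared for symmetry with the other handlers
     */
    private void handleSamlAuthnStatement(AuthnStatement authnStatement) throws SamlException {
        this.authenticationInstant = authnStatement.getAuthnInstant().toDate();
        this.sessionIndex = authnStatement.getSessionIndex();
        this.maps.put(SINDEX, this.sessionIndex);
        if (authnStatement.getAuthnContext() != null && authnStatement.getAuthnContext().getAuthnContextClassRef() != null) {
            this.authenticationMethod = authnStatement.getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef();
        }
        SubjectLocality locality = authnStatement.getSubjectLocality();
        if (locality != null) {
            this.subjectDNS = locality.getDNSName();
            this.subjectIPAddress = locality.getAddress();
        }
        DateTime sessionNotOnOrAfter = authnStatement.getSessionNotOnOrAfter();
        if (sessionNotOnOrAfter != null) {
            this.lSessionNotOnOrAfter = sessionNotOnOrAfter.getMillis();
        }
    }

    /**
     * Copies expiry, OneTimeUse, ProxyRestriction and AudienceRestriction
     * values from a Conditions element.
     *
     * <p>A Conditions element without NotOnOrAfter fails with a
     * NullPointerException on the first line, so such an assertion is rejected
     * rather than accepted with no expiry.
     *
     * @param conditions the element to read
     * @throws SamlException never thrown here; declared for symmetry with the other handlers
     */
    private void handleSamlConditions(Conditions conditions) throws SamlException {
        this.samlExpires = conditions.getNotOnOrAfter().toDate();
        if (conditions.getOneTimeUse() != null) {
            this.oneTimeUse = true;
        }
        ProxyRestriction restriction = conditions.getProxyRestriction();
        if (restriction != null) {
            // Record presence so hasProxyRestriction() reflects the element; the flag
            // was previously never assigned and always read false.
            this.proxyRestriction = true;
            Integer count = restriction.getProxyCount();
            if (count != null) {
                this.proxyRestrictionCount = count.intValue();
            }
            for (Audience audience : restriction.getAudiences()) {
                this.proxyRestrictionAudience.add(audience.getAudienceURI());
            }
        }
        for (AudienceRestriction audienceRestr : conditions.getAudienceRestrictions()) {
            for (Audience audience : audienceRestr.getAudiences()) {
                String uri = audience.getAudienceURI();
                if (uri != null) {
                    this.audienceRestriction.add(uri);
                }
            }
        }
    }

    /**
     * Copies NameID value/format and the SubjectConfirmation methods.
     * A subject without a NameID leaves all of these unset.
     *
     * @param subject the element to read
     */
    private void handleSamlSubject(Subject subject) {
        NameID nameID = subject.getNameID();
        if (nameID == null) {
            return;
        }
        this.nameId = nameID.getValue();
        this.nameIdFormat = nameID.getFormat();
        for (SubjectConfirmation confirmation : subject.getSubjectConfirmations()) {
            this.confirmationMethod.add(confirmation.getMethod());
        }
        this.maps.put(NAMEID, nameID);
    }

    /**
     * Wraps each attribute of the statement as a {@link Saml20AttributeImpl}.
     *
     * @param attributeStatement the element to read
     */
    private void handleSamlAttributeStatement(AttributeStatement attributeStatement) {
        for (Attribute attribute : attributeStatement.getAttributes()) {
            this.attributes.add(new Saml20AttributeImpl(attribute));
        }
    }

    /**
     * Parses every X509Certificate carried in the signature's KeyInfo.
     *
     * <p>The certificates are only collected here; nothing checks that any of
     * them actually verifies the signature. Consumers of
     * {@link #getSignerCertificate()} must not treat them as trusted.
     *
     * @param signature the assertion's signature element
     * @throws SamlException if any certificate fails to parse
     */
    private void handleSamlSignature(Signature signature) throws SamlException {
        KeyInfo keyInfo = signature.getKeyInfo();
        if (keyInfo == null) {
            return;
        }
        try {
            // One factory for all certificates instead of one per certificate.
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            for (X509Data x509Data : keyInfo.getX509Datas()) {
                for (org.opensaml.xmlsec.signature.X509Certificate certElement : x509Data.getX509Certificates()) {
                    byte[] der = Base64Support.decode(certElement.getValue());
                    X509Certificate cert = (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(der));
                    this.signerCertificates.add(cert);
                    // getSubjectDN() is deprecated, but switching to getSubjectX500Principal()
                    // would change the DN string format callers may compare against.
                    this.signerCertificateDN.add(cert.getSubjectDN().getName());
                }
            }
        } catch (CertificateException e) {
            FFDCFilter.processException(e, CLASS_NAME, "344", this, new Object[]{signature});
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "ERROR: Get an Exception while generate the X509Cerficate", new Object[]{e});
            }
            throw new SamlException(e);
        }
    }

    /**
     * Copies issuer value and format.
     *
     * @param issuer the element to read
     */
    private void handleSamlIssuer(Issuer issuer) {
        this.SAMLIssuerName = issuer.getValue();
        this.issuerNameFormat = issuer.getFormat();
    }

    /** @return the Issuer element's Format attribute, or null if absent */
    public String getSAMLIssuerNameFormat() {
        return this.issuerNameFormat;
    }

    /**
     * Copies the assertion's own ID, element name and IssueInstant.
     *
     * @param assertion the assertion; IssueInstant is required
     * @throws SamlException never thrown here; declared for symmetry with the other handlers
     */
    private void handleSamlAssertion(Assertion assertion) throws SamlException {
        this.samlID = assertion.getID();
        this.assertionQName = assertion.getElementQName();
        this.samlCreated = assertion.getIssueInstant().toDate();
    }

    /** @return the assertion's ID attribute */
    public String getSamlID() {
        return this.samlID;
    }

    /** @return a copy of the assertion element's qualified name */
    public QName getAssertionQName() {
        return SamlUtil.cloneQName(this.assertionQName);
    }

    /**
     * Returns a defensive copy of a date field.
     *
     * @param date the field value, possibly null
     * @return a clone, or null when the field is unset
     */
    private static Date copyOf(Date date) {
        return date == null ? null : (Date) date.clone();
    }

    /**
     * @return a copy of Conditions/NotOnOrAfter, or null if the assertion had no
     *         Conditions element (an expiry check must treat null as "no expiry stated")
     */
    public Date getSamlExpires() {
        return copyOf(this.samlExpires);
    }

    /** @return a copy of the assertion's IssueInstant */
    public Date getIssueInstant() {
        return copyOf(this.samlCreated);
    }

    /** @return read-only view of the SubjectConfirmation Method URIs, in document order */
    public List<String> getConfirmationMethod() {
        return Collections.unmodifiableList(this.confirmationMethod);
    }

    /** @return a copy of the holder-of-key bytes, or null (this class never sets them) */
    public byte[] getHolderOfKeyBytes() {
        if (this.holderOfKeyBytes == null) {
            return null;
        }
        return this.holderOfKeyBytes.clone();
    }

    /** @return the NameID value, or null if the Subject had no NameID */
    public String getSAMLNameID() {
        return this.nameId;
    }

    /** @return the NameID Format attribute, or null */
    public String getSAMLNameIDFormat() {
        return this.nameIdFormat;
    }

    /** @return the Issuer element's value */
    public String getSAMLIssuerName() {
        return this.SAMLIssuerName;
    }

    /** @return the AuthnContextClassRef URI, or null if absent */
    public String getAuthenticationMethod() {
        return this.authenticationMethod;
    }

    /** @return a copy of AuthnStatement/AuthnInstant, or null if there was no AuthnStatement */
    public Date getAuthenticationInstant() {
        return copyOf(this.authenticationInstant);
    }

    /** @return SubjectLocality/DNSName, or null */
    public String getSubjectDNS() {
        return this.subjectDNS;
    }

    /** @return SubjectLocality/Address as asserted by the IdP, or null */
    public String getSubjectIPAddress() {
        return this.subjectIPAddress;
    }

    /** @return read-only view of all non-null Audience URIs under AudienceRestriction */
    public List<String> getAudienceRestriction() {
        return Collections.unmodifiableList(this.audienceRestriction);
    }

    /** @return true if Conditions contained a OneTimeUse element */
    public boolean isOneTimeUse() {
        return this.oneTimeUse;
    }

    /** @return true if Conditions contained a ProxyRestriction element */
    public boolean hasProxyRestriction() {
        return this.proxyRestriction;
    }

    /** @return ProxyRestriction/Count, or 0 when absent */
    public long getProxyRestrictionCount() {
        return this.proxyRestrictionCount;
    }

    /** @return read-only view of the ProxyRestriction Audience URIs (may contain nulls) */
    public List<String> getProxyRestrictionAudience() {
        return Collections.unmodifiableList(this.proxyRestrictionAudience);
    }

    /**
     * @return read-only view of the certificates found in the signature's KeyInfo;
     *         they are as-supplied by the assertion and have not been verified
     */
    public List<X509Certificate> getSignerCertificate() {
        return Collections.unmodifiableList(this.signerCertificates);
    }

    /** @return the serialized assertion DOM, with an XML declaration joined onto the first line */
    public String getSAMLAsString() {
        return formatSamlString(this.samlString);
    }

    /**
     * Joins a two-line serialization ("&lt;?xml ...?&gt;" then the element) into
     * one line; any other shape is returned unchanged.
     *
     * @param str the serialized DOM, possibly null
     * @return the normalized string, or the input as-is
     */
    private String formatSamlString(String str) {
        if (str == null) {
            return null;
        }
        String[] lines = str.split("\r\n|\r|\n");
        boolean declarationThenBody = lines.length == 2 && lines[0].startsWith("<?") && lines[0].endsWith("?>");
        return declarationThenBody ? lines[0].concat(lines[1]) : str;
    }

    /** @return read-only view of the attributes from every AttributeStatement */
    public List<Saml20Attribute> getSAMLAttributes() {
        return Collections.unmodifiableList(this.attributes);
    }

    /**
     * Multi-line summary for tracing. Includes subject, issuer, locality and
     * signer DNs but not the assertion text or attribute values.
     */
    @Override
    public String toString() {
        String hokText = this.holderOfKeyBytes == null ? "" : new String(this.holderOfKeyBytes, StandardCharsets.UTF_8);
        StringBuilder sb = new StringBuilder("Saml20Token");
        sb.append("\n samlID:").append(this.samlID);
        sb.append("\n assertionQName:").append(this.assertionQName);
        sb.append("\n samlExpires:").append(this.samlExpires);
        sb.append("\n samlCreated:").append(this.samlCreated);
        sb.append("\n confirmationMethod:").append(this.confirmationMethod);
        sb.append("\n holderOfKeyBytes:").append(hokText);
        sb.append("\n SAMLIssuerName:").append(this.SAMLIssuerName);
        sb.append("\n authenticationMethod:").append(this.authenticationMethod);
        sb.append("\n authenticationInstant:").append(this.authenticationInstant);
        sb.append("\n subjectDNS:").append(this.subjectDNS);
        sb.append("\n subjectIPAddress:").append(this.subjectIPAddress);
        sb.append("\n audienceRestriction:").append(this.audienceRestriction);
        sb.append("\n oneTimeUse:").append(this.oneTimeUse);
        sb.append("\n proxyRestriction:").append(this.proxyRestriction);
        sb.append("\n proxyRestrictionCount:").append(this.proxyRestrictionCount);
        sb.append("\n proxyRestrictionAudience:").append(this.proxyRestrictionAudience);
        sb.append("\n signerCertificate:").append(this.signerCertificateDN);
        sb.append("\n wasDeserialized:").append(this.wasDeserialized);
        return sb.toString();
    }

    /** @return the service provider id given at construction, or null */
    public String getServiceProviderID() {
        return this.providerId;
    }

    /** @return AuthnStatement/SessionNotOnOrAfter in epoch millis, or 0 when absent */
    public long getSessionNotOnOrAfter() {
        return this.lSessionNotOnOrAfter;
    }

    /**
     * Returns the live property map (keys "samlElement", "sessionIndex",
     * "NameID"). It is the token's own map, not a copy: modifications by the
     * caller are visible to every other holder of this token, and the
     * "samlElement" value is the cloned DOM {@link Element}.
     */
    public Map<String, Object> getProperties() {
        return this.maps;
    }

    /**
     * Deep-clones the assertion DOM and re-declares every in-scope namespace on
     * the clone (except XML-DSig) so it stays well-formed when detached from its
     * original document.
     *
     * @param assertion an assertion whose DOM has been built
     * @return the detached clone
     */
    Element getClonedAssertionDom(Assertion assertion) {
        Element clone = (Element) assertion.getDOM().cloneNode(true);
        for (Namespace ns : assertion.getNamespaceManager().getAllNamespacesInSubtreeScope()) {
            if (dsUri.equals(ns.getNamespaceURI())) {
                continue;
            }
            NamespaceSupport.appendNamespaceDeclaration(clone, ns.getNamespaceURI(), ns.getNamespacePrefix());
        }
        return clone;
    }

    /**
     * Rebuilds all transient state by re-unmarshalling {@code samlString}.
     *
     * <p>The serialized assertion text is used as-is; hardening of the XML
     * parser (DTD/external entity handling) is {@link ByteArrayDecoder}'s
     * responsibility and is not visible here. A missing assertion string or a
     * root element that is not an Assertion is reported as an
     * {@link InvalidObjectException} instead of an unchecked exception.
     *
     * @throws IOException            if the stored XML cannot be decoded or re-initialized
     * @throws ClassNotFoundException propagated from default deserialization
     */
    private void readObject(ObjectInputStream objectInputStream) throws ClassNotFoundException, IOException {
        objectInputStream.defaultReadObject();
        this.proxyRestrictionAudience = new ArrayList<>();
        this.signerCertificates = new ArrayList<>();
        this.signerCertificateDN = new ArrayList<>();
        this.confirmationMethod = new ArrayList<>();
        this.audienceRestriction = new ArrayList<>();
        this.attributes = new ArrayList<>();
        this.maps = new HashMap<>();
        this.wasDeserialized = true;
        if (this.samlString == null) {
            throw new InvalidObjectException("Serialized " + Saml20TokenImpl.class.getSimpleName() + " carries no SAML assertion.");
        }
        // Explicit charset: the default getBytes() depends on the platform encoding.
        byte[] xml = this.samlString.getBytes(StandardCharsets.UTF_8);
        try {
            XMLObject root = new ByteArrayDecoder().unmarshallMessage(new ByteArrayInputStream(xml));
            if (!(root instanceof Assertion)) {
                throw new InvalidObjectException("Serialized SAML root element is not an Assertion: " + (root == null ? null : root.getElementQName()));
            }
            init((Assertion) root);
        } catch (SamlException e) {
            FFDCFilter.processException(e, CLASS_NAME, "721", this, new Object[]{objectInputStream});
            throw new IOException("Error initializing " + Saml20TokenImpl.class.getSimpleName() + " during deserialization. " + e.getMessage(), e);
        } catch (MessageDecodingException e2) {
            FFDCFilter.processException(e2, CLASS_NAME, "719", this, new Object[]{objectInputStream});
            throw new IOException("Error unmarshalling SAML during deserialization. " + e2.getMessage(), e2);
        }
    }
}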
