package com.ibm.ws.wssecurity.saml.saml20.assertion.utils;

import com.ibm.websphere.wssecurity.wssapi.XMLStructure;
import com.ibm.ws.wssecurity.saml.assertion.wssapi.SAMLAssertionParser;
import com.ibm.ws.wssecurity.saml.common.SAMLAssertion;
import com.ibm.ws.wssecurity.saml.common.SAMLObjectElement;
import com.ibm.ws.wssecurity.saml.common.util.Base64;
import com.ibm.ws.wssecurity.saml.common.util.KeyUtils;
import com.ibm.ws.wssecurity.saml.common.util.OMUtil;
import com.ibm.ws.wssecurity.saml.saml20.assertion.Assertion;
import com.ibm.ws.wssecurity.saml.saml20.assertion.Attribute;
import com.ibm.ws.wssecurity.saml.saml20.assertion.AttributeStatement;
import com.ibm.ws.wssecurity.saml.saml20.assertion.AudienceRestriction;
import com.ibm.ws.wssecurity.saml.saml20.assertion.AuthnStatement;
import com.ibm.ws.wssecurity.saml.saml20.assertion.ConditionAbstract;
import com.ibm.ws.wssecurity.saml.saml20.assertion.Conditions;
import com.ibm.ws.wssecurity.saml.saml20.assertion.NameID;
import com.ibm.ws.wssecurity.saml.saml20.assertion.OneTimeUse;
import com.ibm.ws.wssecurity.saml.saml20.assertion.ProxyRestriction;
import com.ibm.ws.wssecurity.saml.saml20.assertion.StatementAbstract;
import com.ibm.ws.wssecurity.saml.saml20.assertion.SubjectConfirmationData;
import com.ibm.ws.wssecurity.saml.security.HoKAssertion;
import com.ibm.ws.wssecurity.token.UTC;
import com.ibm.ws.wssecurity.util.DOMUtils;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.ws.wssecurity.util.WSSecurityFactoryBuilder;
import com.ibm.ws.wssecurity.wssapi.OMStructure;
import com.ibm.ws.wssecurity.wssapi.token.impl.SAML20TokenImpl;
import com.ibm.ws.wssecurity.wssapi.token.impl.SAMLTokenImpl;
import com.ibm.ws.wssecurity.wssapi.token.impl.TokenFactory;
import com.ibm.ws.wssecurity.wssapi.token.impl.TokenFactoryFactory;
import com.ibm.wsspi.wssecurity.core.SoapSecurityException;
import com.ibm.wsspi.wssecurity.saml.data.SAMLAttribute;
import com.ibm.wsspi.wssecurity.saml.data.SAMLNameID;
import com.ibm.wsspi.wssecurity.trust.config.ConsumerConfig;
import java.security.AccessController;
import java.security.Key;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.axiom.om.OMElement;

/* loaded from: input_file:lib/com.ibm.jaxws.thinclient_9.0.jar:com/ibm/ws/wssecurity/saml/saml20/assertion/utils/SAMLTokenBuilder.class */
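/**
 * Builds a {@link SAML20TokenImpl} either from an already parsed SAML 2.0 {@link Assertion}
 * or from the raw assertion element returned in a WS-Trust RSTR together with the RSTR's
 * proof token, lifetime and token references.
 * <p>
 * Security note: this class only <em>transcribes</em> assertion content into the token
 * object. No signature, issuer, audience or validity-window check is performed here, so the
 * assertion must be validated elsewhere in the consumer pipeline before the token is trusted.
 * The token expiry is derived as the <em>earliest</em> of
 * {@code SubjectConfirmationData/@NotOnOrAfter}, {@code AuthnStatement/@SessionNotOnOrAfter}
 * and {@code Conditions/@NotOnOrAfter}, i.e. always the most restrictive bound present.
 */
public class SAMLTokenBuilder {
    private static final TraceComponent tc = Tr.register(SAMLTokenBuilder.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.samlmessages");
    private static final String _factoryKey = (String) WSSecurityFactoryBuilder.getImplClassName("com.ibm.ws.wssecurity.platform.SAML20Token");
    private static final TokenFactory _tokenFactory = TokenFactoryFactory.getTokenFactory(_factoryKey);

    /** WS-Trust 1.3 KeyType URIs recorded on the token. */
    private static final String KEYTYPE_BEARER = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer";
    private static final String KEYTYPE_SYMMETRIC = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey";
    private static final String KEYTYPE_PUBLIC = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey";

    /** Local names of wrapper elements whose content is encrypted and therefore cannot be parsed here. */
    private static final String ENCRYPTED_DATA = "EncryptedData";
    private static final String ENCRYPTED_ASSERTION = "EncryptedAssertion";

    /**
     * Creates a token from a parsed SAML 2.0 assertion.
     *
     * @param sAMLAssertion the parsed assertion; must be an {@link Assertion} (it is cast unchecked)
     * @return a populated {@link SAML20TokenImpl} whose id/key identifier is the assertion ID
     * @throws SoapSecurityException propagated from key derivation for holder-of-key assertions
     */
    public static SAML20TokenImpl createSAMLToken(SAMLAssertion sAMLAssertion) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createSAMLToken(SAMLAssertion)");
        }
        Assertion assertion = (Assertion) sAMLAssertion;
        SAML20TokenImpl token = (SAML20TokenImpl) _tokenFactory.getToken(true);
        token.setAssertionQName(assertion.getAssertionQName());
        token.setConfirmationMethod(assertion.getConfirmationMethod());

        NameID issuer = assertion.getIssuer();
        if (issuer != null) {
            token.setSAMLIssuerName(issuer.getValue());
            token.setSAMLIssuerFormat(issuer.getFormat());
        }

        // true when the SubjectConfirmationData carries a private/shared HoK key (decides the key type below)
        boolean hasHoKSecret = copySubject(assertion, token);

        List<StatementAbstract> statements = assertion.getStatementOrAuthnStatementOrAuthzDecisionStatement();
        if (statements != null) {
            for (StatementAbstract statement : statements) {
                if (statement instanceof AttributeStatement) {
                    copyAttributeStatement((AttributeStatement) statement, token);
                } else if (statement instanceof AuthnStatement) {
                    copyAuthnStatement((AuthnStatement) statement, token);
                }
                // AuthzDecisionStatement and other statement types are not transcribed
            }
        }

        Conditions conditions = assertion.getConditions();
        if (conditions != null) {
            copyConditions(conditions, token);
        }

        assignKeyMaterial(assertion, hasHoKSecret, token);

        // the assertion ID doubles as the token id and as the SAML key identifier
        token.setKeyIdentifier(assertion.getSamlID());
        token.setKeyIdentifierValueType(SAMLTokenImpl.saml20KeyIdentifierValueType);
        token.setSamlID(assertion.getSamlID());
        token.setId(assertion.getSamlID());
        token.setXML(new OMStructure(assertion.getXML()));
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createSAMLToken(SAMLAssertion)");
        }
        return token;
    }

    /**
     * Copies Subject/NameID and SubjectConfirmationData into the token.
     *
     * @return true when SubjectConfirmationData contains a holder-of-key private or shared key
     */
    private static boolean copySubject(Assertion assertion, SAML20TokenImpl token) {
        if (assertion.getSubject() == null) {
            return false;
        }
        NameID nameID = assertion.getSubject().getNameID();
        if (nameID != null) {
            String value = nameID.getValue();
            token.setPrincipal(value);
            token.setSAMLNameID(new SAMLNameID(value, nameID.getFormat(), nameID.getNameQualifier(),
                    nameID.getSPNameQualifier(), nameID.getSPProvidedID()));
        }
        if (assertion.getSubject().getSubjectConfirmation() == null) {
            return false;
        }
        SubjectConfirmationData confirmationData = assertion.getSubject().getSubjectConfirmation().getSubjectConfirmationData();
        if (confirmationData == null) {
            return false;
        }
        // first expiry candidate; later statements/conditions may only tighten it
        Date notOnOrAfter = confirmationData.getNotOnOrAfter();
        if (notOnOrAfter != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Setting token expiration to SubjectConfirmationData NotOnOrAfter");
                Tr.debug(tc, "SubjectConfirmationData NotOnOrAfter is [" + UTC.format(notOnOrAfter) + "]");
            }
            token.setSamlExpires(notOnOrAfter);
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "SubjectConfirmationData NotOnOrAfter is null");
        }
        HoKAssertion keyInfo = confirmationData.getKeyInfoAssertion();
        return keyInfo != null && keyInfo.getPrivateOrSharedKey() != null;
    }

    /**
     * Transcribes one AttributeStatement into the token's attribute list and, for simple
     * single-string attributes without namespace/format/friendly name, into its flat string map.
     */
    private static void copyAttributeStatement(AttributeStatement statement, SAML20TokenImpl token) {
        ArrayList<SAMLAttribute> attributes = new ArrayList<SAMLAttribute>();
        HashMap<String, String> simpleAttributes = new HashMap<String, String>();
        for (Attribute attribute : statement.getAttributeOrEncryptedAttribute()) {
            String name = attribute.getName();
            List<Object> values = attribute.getAttributeValue();
            String attributeNamespace = attribute.getAttributeNamespace();
            String nameFormat = attribute.getNameFormat();
            String friendlyName = attribute.getFriendlyName();

            // values are split by type; anything that is neither String nor XMLStructure is dropped
            List<String> stringValues = new ArrayList<String>();
            List<XMLStructure> xmlValues = new ArrayList<XMLStructure>();
            for (Object value : values) {
                if (value instanceof String) {
                    stringValues.add((String) value);
                } else if (value instanceof XMLStructure) {
                    xmlValues.add((XMLStructure) value);
                }
            }
            String[] stringArray = stringValues.isEmpty() ? null : stringValues.toArray(new String[stringValues.size()]);
            XMLStructure[] xmlArray = xmlValues.isEmpty() ? null : xmlValues.toArray(new XMLStructure[xmlValues.size()]);

            SAMLAttribute samlAttribute = new SAMLAttribute(name, stringArray, xmlArray, attributeNamespace, nameFormat, friendlyName);
            samlAttribute.setEncoding(attribute.getEncoding());
            samlAttribute.setXsiType(attribute.getXsiType());
            attributes.add(samlAttribute);

            // flat map only for the plain "name=value" case; a repeated name overwrites the earlier entry
            if (values.size() == 1 && !hasValue(attributeNamespace) && !hasValue(nameFormat)
                    && !hasValue(friendlyName) && (values.get(0) instanceof String)) {
                simpleAttributes.put(name, (String) values.get(0));
            }
        }
        token.addSAMLAttributes(attributes);
        token.addSAMLAttributeStatement(attributes);
        token.setStringAttributes(simpleAttributes);
    }

    /**
     * Transcribes one AuthnStatement (subject locality, authn context/instant) and tightens the
     * token expiry to SessionNotOnOrAfter when that is earlier than the current setting.
     */
    private static void copyAuthnStatement(AuthnStatement authnStatement, SAML20TokenImpl token) {
        if (authnStatement.getSubjectLocality() != null) {
            token.setSubjectIPAddress(authnStatement.getSubjectLocality().getAddress());
            token.setSubjectDNS(authnStatement.getSubjectLocality().getDNSName());
        }
        // NOTE(review): AuthnInstant is only recorded when an AuthnContext is present (kept as-is).
        if (authnStatement.getAuthnContext() != null) {
            token.setAuthenticationMethod(authnStatement.getAuthnContext().getAuthnContextClassRef());
            token.setAuthenticationInstant(authnStatement.getAuthnInstant());
        }
        Date sessionNotOnOrAfter = authnStatement.getSessionNotOnOrAfter();
        if (tc.isDebugEnabled()) {
            if (sessionNotOnOrAfter != null) {
                Tr.debug(tc, "AuthnStatement SessionNotOnOrAfter is [" + UTC.format(sessionNotOnOrAfter) + "]");
                debugCurrentExpires(token);
            } else {
                Tr.debug(tc, "AuthnStatement SessionNotOnOrAfter is null");
            }
        }
        if (sessionNotOnOrAfter != null) {
            if (token.getSamlExpires() == null || sessionNotOnOrAfter.before(token.getSamlExpires())) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "AuthnStatement SessionNotOnOrAfter is before current expires setting.");
                    Tr.debug(tc, "Setting token expires to AuthnStatement SessionNotOnOrAfter");
                }
                token.setSamlExpires(sessionNotOnOrAfter);
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Current expires setting is before current SessionNotOnOrAfter");
            }
        }
    }

    /**
     * Transcribes Conditions: NotBefore becomes the token creation time, NotOnOrAfter tightens the
     * expiry, and AudienceRestriction / OneTimeUse / ProxyRestriction are recorded on the token.
     */
    private static void copyConditions(Conditions conditions, SAML20TokenImpl token) {
        token.setSamlCreated(conditions.getNotBefore());
        Date notOnOrAfter = conditions.getNotOnOrAfter();
        if (tc.isDebugEnabled()) {
            if (notOnOrAfter != null) {
                Tr.debug(tc, "Conditions NotOnOrAfter is [" + UTC.format(notOnOrAfter) + "]");
                debugCurrentExpires(token);
            } else {
                Tr.debug(tc, "Conditions NotOnOrAfter is null");
            }
        }
        if (notOnOrAfter != null) {
            if (token.getSamlExpires() == null || notOnOrAfter.before(token.getSamlExpires())) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Conditions NotOnOrAfter is before current expires setting.");
                    Tr.debug(tc, "Setting token expires to Conditions NotOnOrAfter");
                }
                token.setSamlExpires(notOnOrAfter);
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Current expires setting is before current Conditions NotOnOrAfter");
            }
        }
        if (tc.isDebugEnabled()) {
            // expiry can legitimately still be null here (no bound anywhere); do not format null
            String finalExpires = token.getSamlExpires() == null ? "null" : UTC.format(token.getSamlExpires());
            Tr.debug(tc, "Final token expires setting samlToken.getSamlExpires() is [" + finalExpires + "]");
        }
        if (conditions.getConditionOrAudienceRestrictionOrOneTimeUse() == null) {
            return;
        }
        for (ConditionAbstract condition : conditions.getConditionOrAudienceRestrictionOrOneTimeUse()) {
            if (condition instanceof AudienceRestriction) {
                // NOTE(review): with several AudienceRestriction elements only the last one is kept,
                // whereas SAML core requires all of them to be satisfied — confirm the consumer handles this.
                token.setAudienceRestriction(((AudienceRestriction) condition).getAudience());
            } else if (condition instanceof OneTimeUse) {
                boolean oneTimeUse = ((OneTimeUse) condition).oneTimeUse();
                token.setIsOneTimeUse(oneTimeUse);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "OneTimeUse:" + oneTimeUse);
                }
            } else if (condition instanceof ProxyRestriction) {
                ProxyRestriction proxyRestriction = (ProxyRestriction) condition;
                if (proxyRestriction.getAudience() != null && !proxyRestriction.getAudience().isEmpty()) {
                    token.setHasProxyRestriction(true);
                    token.setProxyRestrictionAudience(proxyRestriction.getAudience());
                }
                // NOTE(review): Count="0" (SAML core: MUST NOT re-issue) is ignored by the > 0 test;
                // confirm what setProxyRestrictionCount(0) means downstream before tightening this.
                if (proxyRestriction.getCount() != null && proxyRestriction.getCount().longValue() > 0) {
                    token.setHasProxyRestriction(true);
                    token.setProxyRestrictionCount(proxyRestriction.getCount().longValue());
                }
            }
        }
    }

    /** Debug helper: logs the token's current expiry setting (or that it is unset). */
    private static void debugCurrentExpires(SAML20TokenImpl token) {
        if (token.getSamlExpires() == null) {
            Tr.debug(tc, "samlToken.getSamlExpires() is null");
        } else {
            Tr.debug(tc, "samlToken.getSamlExpires() is [" + UTC.format(token.getSamlExpires()) + "]");
        }
    }

    /**
     * Sets the WS-Trust key type and the key slots from the assertion's holder-of-key material:
     * none → Bearer; a private/shared secret → symmetric keys derived from its encoding;
     * otherwise → PublicKey with the holder key itself.
     */
    private static void assignKeyMaterial(Assertion assertion, boolean hasHoKSecret, SAML20TokenImpl token) throws SoapSecurityException {
        if (assertion.getHolderOfKey() == null) {
            token.setKeyType(KEYTYPE_BEARER);
        } else if (hasHoKSecret) {
            installSymmetricKeys(assertion.getHolderOfKey().getEncoded(), token);
        } else {
            token.setKeyType(KEYTYPE_PUBLIC);
            // key slot ids 61-64 are SAML20TokenImpl-specific; their meaning is not visible here — TODO confirm
            token.setKey(63, assertion.getHolderOfKey());
            token.setKey(62, assertion.getHolderOfKey());
        }
    }

    /**
     * Derives the AES encryption key and the signing key from a shared secret and installs them
     * in the token's key slots; shared by both token-creation paths so they cannot drift apart.
     *
     * @param secret raw holder-of-key / proof-token bytes (stored on the token as well)
     */
    private static void installSymmetricKeys(byte[] secret, SAML20TokenImpl token) throws SoapSecurityException {
        token.setHolderOfKeyBytes(secret);
        Key encryptionKey = KeyUtils.genertaeEncryptionKey(secret, "AES");
        token.setKey(62, encryptionKey);
        token.setKey(64, encryptionKey);
        Key signingKey = KeyUtils.genertaeSigningKey(secret, null);
        token.setKey(61, signingKey);
        token.setKey(63, signingKey);
        token.setKeyType(KEYTYPE_SYMMETRIC);
    }

    /**
     * Same as {@link #createSAMLToken(Map, OMElement)} but additionally applies {@code map2}
     * as the token's properties when it is non-null.
     */
    public static SAML20TokenImpl createSAMLToken(Map map, Map map2, OMElement oMElement) throws SoapSecurityException {
        SAML20TokenImpl token = createSAMLToken(map, oMElement);
        if (map2 != null) {
            token.setProperties(map2);
        }
        return token;
    }

    /**
     * Creates a token from the assertion element of a WS-Trust RSTR.
     * <p>
     * A plain assertion is parsed (under doPrivileged) and transcribed via
     * {@link #createSAMLToken(SAMLAssertion)}; an {@code EncryptedData}/{@code EncryptedAssertion}
     * wrapper cannot be parsed and yields an opaque token. In both cases the RSTR's proof token
     * (symmetric keys), lifetime (only when the assertion did not set created/expires) and
     * token reference (key identifier / token id) are applied afterwards.
     *
     * @param map the RSTR values keyed by {@link ConsumerConfig.RSTR} constants
     * @param oMElement the RequestedSecurityToken content (assertion or encrypted wrapper)
     * @throws SoapSecurityException when the assertion cannot be parsed or the proof token cannot be read
     */
    public static SAML20TokenImpl createSAMLToken(Map map, final OMElement oMElement) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createEncryptedSAMLToken(Map, OMElement)");
        }
        SAML20TokenImpl token;
        String localName = oMElement.getLocalName();
        if (ENCRYPTED_DATA.equals(localName) || ENCRYPTED_ASSERTION.equals(localName)) {
            // encrypted content: no subject/issuer/conditions can be transcribed
            token = (SAML20TokenImpl) _tokenFactory.getToken(true);
        } else {
            try {
                SAMLAssertion parsed = (SAMLAssertion) AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
                    @Override
                    public Object run() throws SoapSecurityException {
                        return SAMLAssertionParser.parseSAML(oMElement);
                    }
                });
                token = createSAMLToken(parsed);
            } catch (PrivilegedActionException e) {
                // Fail closed: previously the failure was only debug-logged and an empty token
                // (no principal, issuer or conditions) was returned for an unparseable assertion.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "caught exception calling doPrivileged method: " + e.getException().getMessage());
                }
                throw new SoapSecurityException(e.getException());
            }
        }

        OMElement proofToken = (OMElement) map.get(ConsumerConfig.RSTR.REQUESTEDPROOFTOKENXML);
        if (proofToken != null) {
            try {
                // decoding is inside the try so a missing or malformed secret element surfaces
                // as SoapSecurityException rather than as a bare NPE/runtime exception
                byte[] secret = Base64.decode(OMUtil.getFirstElement(proofToken).getText());
                installSymmetricKeys(secret, token);
            } catch (Exception e) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "fail to extract proofKey from RSTR", e.getMessage());
                }
                throw new SoapSecurityException(e);
            }
        }

        token.setXML(new OMStructure(oMElement));
        // RSTR lifetime is only a fallback; assertion-derived bounds win when present
        if (token.getSamlCreated() == null) {
            token.setSamlCreated((Date) map.get(ConsumerConfig.RSTR.LIFETIME_CREATED));
        }
        if (token.getSamlExpires() == null) {
            token.setSamlExpires((Date) map.get(ConsumerConfig.RSTR.LIFETIME_EXPIRES));
        }
        token.setAssertionQName(SAMLObjectElement._saml2_ns_qname);

        // The RSTR token reference's KeyIdentifier becomes the token id; when the RSTR carries no
        // reference, keep whatever the parsed assertion set instead of clearing it to null.
        String keyIdentifier = findKeyIdentifier(map);
        if (keyIdentifier != null) {
            token.setKeyIdentifier(keyIdentifier);
            token.setSamlID(keyIdentifier);
            token.setId(token.getSamlID());
        }
        token.setKeyIdentifierValueType(SAMLTokenImpl.saml20KeyIdentifierValueType);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createEncryptedSAMLToken(Map, OMElement)");
        }
        return token;
    }

    /**
     * Extracts the KeyIdentifier text from the RSTR's RequestedUnattachedReference (preferred) or
     * RequestedAttachedReference. Returns null when neither reference or no KeyIdentifier exists;
     * when several SecurityTokenReference children match, the last one wins.
     */
    private static String findKeyIdentifier(Map map) {
        OMElement reference = (OMElement) map.get(ConsumerConfig.RSTR.REQUESTEDUNATTACHEDREFERENCEXML);
        if (reference == null) {
            reference = (OMElement) map.get(ConsumerConfig.RSTR.REQUESTEDATTACHEDREFERENCEXML);
        }
        if (reference == null) {
            return null;
        }
        String keyIdentifier = null;
        for (OMElement child = DOMUtils.getFirstElement(reference); child != null; child = DOMUtils.getNextElement(child)) {
            if ("SecurityTokenReference".equals(child.getLocalName())) {
                OMElement first = DOMUtils.getFirstElement(child);
                if (first != null && "KeyIdentifier".equals(first.getLocalName())) {
                    keyIdentifier = first.getText();
                }
            }
        }
        return keyIdentifier;
    }

    /**
     * @return true when {@code str} is neither null nor empty (whitespace-only counts as a value)
     */
    public static boolean hasValue(String str) {
        boolean result = str != null && !str.isEmpty();
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "hasValue(" + str + ")");
            Tr.exit(tc, "hasValue(" + str + ") returning " + result);
        }
        return result;
    }
}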
