package sirius.web.security;

import com.google.common.base.Charsets;
import com.google.common.hash.Hashing;
import com.google.common.io.BaseEncoding;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.Key;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.time.format.DateTimeFormatter;
import java.util.Iterator;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;
import sirius.kernel.commons.MultiMap;
import sirius.kernel.commons.Strings;
import sirius.kernel.di.std.Register;
import sirius.kernel.health.Exceptions;
import sirius.kernel.health.HandledException;
import sirius.kernel.health.Log;
import sirius.kernel.xml.Attribute;
import sirius.kernel.xml.StructuredNode;
import sirius.kernel.xml.XMLStructuredOutput;
import sirius.web.http.WebContext;

@Register(classes = {SAMLHelper.class})
/* loaded from: input_file:sirius/web/security/SAMLHelper.class */
public class SAMLHelper {
    public static final Log LOG = Log.get("saml");
    public static final int MAX_TIMESTAMP_DELTA_IN_HOURS = 3;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:sirius/web/security/SAMLHelper$KeyValueKeySelector.class */
    public static class KeyValueKeySelector extends KeySelector {
        private KeyValueKeySelector() {
        }

        public KeySelectorResult select(KeyInfo keyInfo, KeySelector.Purpose purpose, AlgorithmMethod algorithmMethod, XMLCryptoContext xMLCryptoContext) throws KeySelectorException {
            if (keyInfo == null) {
                throw Exceptions.createHandled().withSystemErrorMessage("Invalid SAML Response: Signature doesn't contain a KeyInfo!", new Object[0]).handle();
            }
            for (X509Data x509Data : keyInfo.getContent()) {
                if (x509Data instanceof X509Data) {
                    return new X509CertificateResult((X509Certificate) x509Data.getContent().get(0));
                }
            }
            throw Exceptions.createHandled().withSystemErrorMessage("Invalid SAML Response: Signature doesn't contain a valid signing key (X509 certificate)!", new Object[0]).handle();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:sirius/web/security/SAMLHelper$X509CertificateResult.class */
    public static class X509CertificateResult implements KeySelectorResult {
        private X509Certificate cert;

        X509CertificateResult(X509Certificate x509Certificate) {
            this.cert = x509Certificate;
        }

        public Key getKey() {
            return this.cert.getPublicKey();
        }

        public X509Certificate getCert() {
            return this.cert;
        }
    }

    public String generateAuthenticationRequest(String str, String str2) {
        return BaseEncoding.base64().encode(createAuthenticationRequestXML(str, str2));
    }

    private byte[] createAuthenticationRequestXML(String str, String str2) {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        XMLStructuredOutput xMLStructuredOutput = new XMLStructuredOutput(byteArrayOutputStream);
        xMLStructuredOutput.beginOutput("samlp:AuthnRequest", new Attribute[]{Attribute.set("xmlns:samlp", "urn:oasis:names:tc:SAML:2.0:protocol"), Attribute.set("xmlns:saml", "urn:oasis:names:tc:SAML:2.0:assertion"), Attribute.set("ID", "identifier_" + System.currentTimeMillis()), Attribute.set("Version", "2.0"), Attribute.set("IssueInstant", DateTimeFormatter.ISO_INSTANT.format(Instant.now())), Attribute.set("AssertionConsumerServiceIndex", str2)});
        xMLStructuredOutput.property("saml:Issuer", str);
        xMLStructuredOutput.beginObject("samlp:NameIDPolicy", new Attribute[]{Attribute.set("AllowCreate", false), Attribute.set("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")});
        xMLStructuredOutput.endObject();
        xMLStructuredOutput.endOutput();
        if (LOG.isFINE()) {
            LOG.FINE("Generating SAML request: %s", new Object[]{new String(byteArrayOutputStream.toByteArray(), Charsets.UTF_8)});
        }
        return byteArrayOutputStream.toByteArray();
    }

    public SAMLResponse parseSAMLResponse(WebContext webContext) {
        if (!webContext.isUnsafePOST()) {
            throw Exceptions.createHandled().withSystemErrorMessage("Invalid SAML Response: POST expected!", new Object[0]).handle();
        }
        try {
            Document responseDocument = getResponseDocument(webContext);
            Element selectSingleElement = selectSingleElement(responseDocument, null, "Assertion");
            verifyTimestamp(selectSingleElement);
            return parseAssertion(selectSingleElement, validateXMLSignature(responseDocument, selectSingleElement));
        } catch (Exception e) {
            throw Exceptions.handle().to(LOG).error(e).withSystemErrorMessage("An error occurred while parsing a SAML Response: %s (%s)", new Object[0]).handle();
        } catch (HandledException e2) {
            throw e2;
        }
    }

    private Element selectSingleElement(Document document, @Nullable String str, String str2) {
        NodeList elementsByTagNameNS = Strings.isFilled(str) ? document.getElementsByTagNameNS(str, str2) : document.getElementsByTagName(str2);
        if (elementsByTagNameNS.getLength() == 1) {
            return (Element) elementsByTagNameNS.item(0);
        }
        LOG.FINE("SAML Response has %s elements of type: %s", new Object[]{Integer.valueOf(elementsByTagNameNS.getLength()), str2});
        throw Exceptions.createHandled().withSystemErrorMessage("Invalid SAML Response: Expected exactly one %s!", new Object[]{str2}).handle();
    }

    private void verifyTimestamp(Element element) {
        String attribute = element.getAttribute("IssueInstant");
        if (Duration.between(Instant.now(), Instant.from(DateTimeFormatter.ISO_INSTANT.parse(attribute))).toHours() > 3) {
            throw Exceptions.createHandled().withSystemErrorMessage("Invalid SAML Response: Invalid IssueInstant: %s", new Object[]{attribute}).handle();
        }
    }

    private SAMLResponse parseAssertion(Element element, String str) {
        StructuredNode of = StructuredNode.of(element);
        MultiMap create = MultiMap.create();
        for (StructuredNode structuredNode : of.queryNodeList("*[local-name()='AttributeStatement']/*[local-name()='Attribute']")) {
            Iterator it = structuredNode.queryNodeList("*[local-name()='AttributeValue']").iterator();
            while (it.hasNext()) {
                create.put(structuredNode.queryString("@Name"), ((StructuredNode) it.next()).queryString("."));
            }
        }
        return new SAMLResponse(of.queryString("*[local-name()='Issuer']"), str, of.queryString("*[local-name()='Subject']/*[local-name()='NameID']"), create);
    }

    private Document getResponseDocument(WebContext webContext) throws SAXException, IOException, ParserConfigurationException {
        byte[] decode = BaseEncoding.base64().decode(webContext.get("SAMLResponse").asString());
        if (LOG.isFINE()) {
            LOG.FINE("Received SAML response: %s", new Object[]{new String(decode, Charsets.UTF_8)});
        }
        DocumentBuilderFactory newInstance = DocumentBuilderFactory.newInstance();
        newInstance.setNamespaceAware(true);
        return newInstance.newDocumentBuilder().parse(new ByteArrayInputStream(decode));
    }

    private String validateXMLSignature(Document document, Element element) throws Exception {
        element.setIdAttribute("ID", true);
        String attribute = element.getAttribute("ID");
        Element selectSingleElement = selectSingleElement(document, "http://www.w3.org/2000/09/xmldsig#", "Signature");
        XMLSignatureFactory xMLSignatureFactory = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext dOMValidateContext = new DOMValidateContext(new KeyValueKeySelector(), selectSingleElement);
        XMLSignature unmarshalXMLSignature = xMLSignatureFactory.unmarshalXMLSignature(dOMValidateContext);
        if (!Strings.areEqual(getReferenceBeingSigned(unmarshalXMLSignature), "#" + attribute)) {
            LOG.FINE("SAML Response doesn't sign the assertion. Reference: %s, Assertion-ID: %s", new Object[]{getReferenceBeingSigned(unmarshalXMLSignature), attribute});
            throw Exceptions.createHandled().withSystemErrorMessage("Invalid SAML Response: The given Signature doesn't sign the given Assertion.", new Object[0]).handle();
        }
        if (unmarshalXMLSignature.validate(dOMValidateContext)) {
            return Hashing.sha1().hashBytes(((X509CertificateResult) unmarshalXMLSignature.getKeySelectorResult()).getCert().getEncoded()).toString().toLowerCase();
        }
        LOG.FINE("SAML Response contains an invalid signature!");
        throw Exceptions.createHandled().withSystemErrorMessage("Invalid SAML Response: The given Signature isn't valid.", new Object[0]).handle();
    }

    @Nonnull
    private String getReferenceBeingSigned(XMLSignature xMLSignature) {
        return (String) xMLSignature.getSignedInfo().getReferences().stream().findFirst().map((v0) -> {
            return v0.getURI();
        }).orElse("");
    }
}
