package com.bea.security.saml2.artifact.impl;

import com.bea.common.logger.spi.LoggerSpi;
import com.bea.common.security.legacy.spi.LegacyEncryptorSpi;
import com.bea.common.security.saml2.SingleSignOnServicesConfigSpi;
import com.bea.security.saml2.Saml2Logger;
import com.bea.security.saml2.artifact.ArtifactResolver;
import com.bea.security.saml2.artifact.SAMLArtifact;
import com.bea.security.saml2.binding.BindingHandlerException;
import com.bea.security.saml2.binding.BindingHandlerFactory;
import com.bea.security.saml2.binding.SynchronousBindingClient;
import com.bea.security.saml2.config.SAML2ConfigSpi;
import com.bea.security.saml2.providers.registry.IndexedEndpoint;
import com.bea.security.saml2.providers.registry.WebSSOPartner;
import com.bea.security.saml2.registry.PartnerManager;
import com.bea.security.saml2.util.SAML2Constants;
import com.bea.security.saml2.util.SAML2Utils;
import com.bea.security.saml2.util.SAMLObjectBuilder;
import com.bea.security.saml2.util.key.SAML2KeyManager;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.nio.charset.StandardCharsets;
import java.security.KeyException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.joda.time.DateTime;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.SAMLVersion;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
import org.opensaml.saml2.core.ArtifactResolve;
import org.opensaml.saml2.core.ArtifactResponse;
import org.opensaml.saml2.core.Status;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.StatusMessage;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Element;

/* loaded from: input_file:com/bea/security/saml2/artifact/impl/AbstractArtifactResolver.class */
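/**
 * Base class for resolving a SAML 2.0 artifact into the SAML message it refers to.
 *
 * <p>{@link #resolve(int, String)} decodes the artifact, looks up the remote partner by the
 * artifact's SourceID, builds (and, when the partner requires it, signs) a
 * {@code <samlp:ArtifactResolve>}, sends it over the SOAP binding to the partner's
 * ArtifactResolutionService and validates the returned {@code <samlp:ArtifactResponse>} before
 * handing back the message embedded in it. Subclasses supply the HTTP transport by implementing
 * {@link #openConnection}.
 *
 * <p>All per-resolution state (partner, endpoint, connection, binding client) lives in local
 * variables of {@code resolve}, so concurrent calls on a shared instance cannot observe each
 * other's partner or connection; the fields below are assigned in the constructor and only read
 * afterwards.
 */
public abstract class AbstractArtifactResolver implements ArtifactResolver {
    /** Logger supplied by the SAML2 configuration; may be {@code null}. */
    protected LoggerSpi log;
    /** {@code true} iff {@link #log} is non-null and debug logging is enabled. */
    protected boolean logdebug;
    private PartnerManager pm;
    private BindingHandlerFactory bhFactory;
    // Not referenced by any code visible in this class (possibly used by the undecompiled
    // getRemotePartner or by subclasses through another path) — kept for fidelity.
    private static final int CONNECT_TIMEOUT = 300000;
    private static final int READ_TIMEOUT = 300000;
    /** Status code value that marks a successful ArtifactResponse. */
    private static final String STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
    SingleSignOnServicesConfigSpi localConfig;
    SAML2KeyManager keyManager;
    LegacyEncryptorSpi encryptor;
    TransformerFactory transformerFactory;
    /** Alias, key and chain used for TLS client authentication; all {@code null} when none is configured. */
    protected String sslClientKeyAlias = null;
    protected PrivateKey sslClientKey = null;
    protected Certificate[] sslClientCert = null;

    /**
     * Wires the resolver from the SAML2 configuration: logger, binding handler factory,
     * partner manager, local SSO configuration, key manager, encryptor and the TLS client
     * credentials (read from the key manager's SSL key info).
     *
     * @param sAML2ConfigSpi configuration to read collaborators from; must not be {@code null}
     */
    public AbstractArtifactResolver(SAML2ConfigSpi sAML2ConfigSpi) {
        this.bhFactory = sAML2ConfigSpi.getBindingHandlerFactory();
        this.log = sAML2ConfigSpi.getLogger();
        this.logdebug = this.log != null && this.log.isDebugEnabled();
        this.pm = sAML2ConfigSpi.getPartnerManager();
        this.localConfig = sAML2ConfigSpi.getLocalConfiguration();
        this.keyManager = sAML2ConfigSpi.getSAML2KeyManager();
        this.encryptor = sAML2ConfigSpi.getEncryptSpi();
        // Needs localConfig (for the alias) to be set already.
        getSSLClientKeyCert(sAML2ConfigSpi);
        this.transformerFactory = TransformerFactory.newInstance();
    }

    /**
     * Returns the private key used to sign {@code <samlp:ArtifactResolve>}.
     *
     * @throws BindingHandlerException (404) when no key manager, SSO key info or key is available
     */
    private PrivateKey getArtifactSignKey() throws BindingHandlerException {
        if (this.keyManager == null || this.keyManager.getSSOKeyInfo() == null) {
            throw new BindingHandlerException(Saml2Logger.getSAML2NoSignKeyFor("<samlp:ArtifactResolve>"), 404);
        }
        PrivateKey key = this.keyManager.getSSOKeyInfo().getKey();
        if (key == null) {
            throw new BindingHandlerException(Saml2Logger.getSAML2NoSignKeyFor("<samlp:ArtifactResolve>"), 404);
        }
        if (this.logdebug) {
            // Log the algorithm only: PrivateKey.toString() of some JDK providers prints the key
            // material itself, which must never reach a log file.
            this.log.debug("got samlp:ArtifactResolve signing key, algorithm:" + key.getAlgorithm());
        }
        return key;
    }

    /**
     * Returns the certificate paired with the SSO signing key, or {@code null} when the key
     * info carries none.
     *
     * @throws BindingHandlerException (404) when no key manager or SSO key info is available
     */
    private Certificate getArtifactSignCert() throws BindingHandlerException {
        if (this.keyManager == null || this.keyManager.getSSOKeyInfo() == null) {
            throw new BindingHandlerException(Saml2Logger.getSAML2NoSignKeyFor("<samlp:ArtifactResolve>"), 404);
        }
        return this.keyManager.getSSOKeyInfo().getCert();
    }

    /**
     * Populates {@link #sslClientKey}, {@link #sslClientCert} and {@link #sslClientKeyAlias}
     * from the key manager's SSL key info; leaves them {@code null} when there is no key
     * manager or no SSL key info.
     */
    private void getSSLClientKeyCert(SAML2ConfigSpi sAML2ConfigSpi) {
        SAML2KeyManager km = sAML2ConfigSpi.getSAML2KeyManager();
        SAML2KeyManager.KeyInfo sslKeyInfo = km != null ? km.getSSLKeyInfo() : null;
        if (sslKeyInfo == null) {
            if (this.logdebug) {
                this.log.debug("There is no ssl client key and certificate.");
            }
            return;
        }
        this.sslClientKey = sslKeyInfo.getKey();
        this.sslClientCert = sslKeyInfo.getChain();
        this.sslClientKeyAlias = this.localConfig.getTransportLayerSecurityKeyAlias();
        if (this.logdebug) {
            // Describe the credentials without printing the key object (see getArtifactSignKey).
            String keyAlgorithm = this.sslClientKey != null ? this.sslClientKey.getAlgorithm() : null;
            int chainLength = this.sslClientCert != null ? this.sslClientCert.length : 0;
            this.log.debug("ssl client key alias:" + this.sslClientKeyAlias
                    + ", key algorithm:" + keyAlgorithm
                    + ", ssl client cert chain length:" + chainLength);
        }
    }

    /**
     * Builds the {@code username:password} pair for HTTP Basic authentication against the
     * partner's ArtifactResolutionService.
     *
     * @param webSSOPartner partner whose client credentials are configured
     * @return {@code "username:password"} with the password decrypted, or {@code null} when the
     *     partner has no client password set, the stored password is missing, or it cannot be
     *     decrypted (a warning is logged in that case). {@code null} means "send no
     *     credentials"; the previous behavior of returning the literal text {@code "user:null"}
     *     is no longer produced.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public String getBasicAuthn(WebSSOPartner webSSOPartner) {
        boolean isClientPasswordSet = webSSOPartner.isClientPasswordSet();
        if (this.logdebug) {
            this.log.debug("isClientPasswordSet:" + isClientPasswordSet);
        }
        if (!isClientPasswordSet) {
            return null;
        }
        String clientUsername = webSSOPartner.getClientUsername();
        String encryptedPassword = webSSOPartner.getClientPasswordEncrypted();
        if (encryptedPassword == null) {
            if (this.logdebug) {
                this.log.debug("client password is flagged as set but no encrypted value is stored.");
            }
            return null;
        }
        String clearPassword;
        try {
            clearPassword = this.encryptor.decryptString(encryptedPassword);
        } catch (Exception e) {
            // Only the ciphertext is passed to the message, never a decrypted value.
            this.log.warn(Saml2Logger.getDecryptPasswordError(encryptedPassword));
            return null;
        }
        if (this.logdebug) {
            this.log.debug("basic authentication: name :" + clientUsername);
        }
        return clientUsername + ":" + clearPassword;
    }

    /**
     * Resolves a Base64-encoded SAML artifact into the SAML message it references.
     *
     * <p>Steps: decode the artifact, find the (enabled) partner for its SourceID, pick the
     * partner's ArtifactResolutionService endpoint by index, build and optionally sign an
     * {@code <samlp:ArtifactResolve>}, send it over {@code SAML2Constants.SOAP_HTTP}, then
     * validate the {@code <samlp:ArtifactResponse>} via {@link #getSamlMsg}. The HTTP
     * connection is disconnected on every path, including failures.
     *
     * @param i passed through to the partner lookup; its meaning is not visible in this class
     * @param str Base64-encoded artifact (the {@code SAMLart} value)
     * @return the SAML message embedded in the ArtifactResponse
     * @throws BindingHandlerException 400 for a missing or undecodable artifact, 404 for an
     *     unknown/disabled partner or endpoint, 500 when no binding client is available, 403
     *     when the response is missing or fails validation
     */
    @Override // com.bea.security.saml2.artifact.ArtifactResolver
    public SAMLObject resolve(int i, String str) throws BindingHandlerException {
        if (str == null || str.isEmpty()) {
            throw new BindingHandlerException(Saml2Logger.getSAML2ArtifactIsNull("SAMLart"), 400);
        }
        HttpURLConnection connection = null;
        try {
            SAMLArtifact artifact = new SAMLArtifact(SAML2Utils.base64Decode(str));
            byte[] sourceId = artifact.getSourceId();
            short endPointIndex = artifact.getEndPointIndex();
            WebSSOPartner partner = getRemotePartner(i, sourceId);
            if (!partner.isEnabled()) {
                throw new BindingHandlerException(Saml2Logger.getPartnerIsNotEnabledInRegistry(partner.getName()), 404);
            }
            IndexedEndpoint endpoint = getRemoteARSEndpoint(partner, endPointIndex);
            ArtifactResolve request = genArtResolve(str, partner);
            logSamlMsg(request);
            connection = openConnection(partner, endpoint);
            SynchronousBindingClient client = this.bhFactory.newSyncBindingClient(SAML2Constants.SOAP_HTTP, connection);
            if (client == null) {
                throw new BindingHandlerException(Saml2Logger.getSAML2CouldNotGetBindingHandler("SynchronousBindingClient"), 500);
            }
            SAMLObject reply = client.sendAndReceive(request);
            // instanceof is false for null, so this also covers a missing reply.
            if (!(reply instanceof ArtifactResponse)) {
                throw new BindingHandlerException(Saml2Logger.getSAML2CouldNotGetSamlResponse("<samlp:ArtifactResponse>"), 403);
            }
            ArtifactResponse response = (ArtifactResponse) reply;
            logSamlMsg(response);
            return getSamlMsg(response, request, partner);
        } catch (IOException e) {
            if (this.logdebug) {
                this.log.debug("can't create SAMLArtifact from BASE64 encoded artifact:" + str);
            }
            // Keep the cause so the failure remains diagnosable.
            throw new BindingHandlerException(e.getMessage(), e, 400);
        } finally {
            // Previously only closed on the success path; a failing sendAndReceive leaked it.
            closeConnection(connection);
        }
    }

    /**
     * Opens the HTTP connection to the partner's ArtifactResolutionService endpoint. Implementors
     * are expected to apply transport security and, where configured, the Basic credentials from
     * {@link #getBasicAuthn}.
     *
     * @throws BindingHandlerException when the connection cannot be set up
     */
    public abstract HttpURLConnection openConnection(WebSSOPartner webSSOPartner, IndexedEndpoint indexedEndpoint) throws BindingHandlerException;

    /** Disconnects {@code httpURLConnection} if non-null; safe to call more than once. */
    private void closeConnection(HttpURLConnection httpURLConnection) {
        if (httpURLConnection == null) {
            return;
        }
        httpURLConnection.disconnect();
        if (this.logdebug) {
            this.log.debug("http url connection disconnect.");
        }
    }

    /**
     * Builds the {@code <samlp:ArtifactResolve>} for {@code str}, issued by the local entity
     * with a fresh random ID and the current time, and signs it with the SSO signing key when
     * the partner wants artifact requests signed.
     *
     * @throws BindingHandlerException 404 when signing is required but no key is configured,
     *     500 when the signing certificate is outside its validity period (unless
     *     {@code SAML2Utils.ALLOW_EXPIRE_CERTS}) or marshalling for the signature fails
     */
    private ArtifactResolve genArtResolve(String str, WebSSOPartner webSSOPartner) throws BindingHandlerException {
        ArtifactResolve request = (ArtifactResolve) SAMLObjectBuilder.buildArtifactResolve(
                new SecureRandomIdentifierGenerator().generateIdentifier(),
                new DateTime(),
                SAMLObjectBuilder.buildIssuer(this.localConfig.getEntityID()),
                SAMLObjectBuilder.buildArtifact(str));
        if (!webSSOPartner.isWantArtifactRequestSigned()) {
            return request;
        }
        PrivateKey signKey = getArtifactSignKey();
        Certificate signCert = getArtifactSignCert();
        String signKeyAlias = this.localConfig.getSSOSigningKeyAlias();
        // Validity dates are an X.509 notion; other certificate types cannot be checked here.
        if (signCert instanceof X509Certificate) {
            checkSigningCertValidity((X509Certificate) signCert, signKeyAlias);
        }
        try {
            return (ArtifactResolve) SAML2Utils.signSamlObject(signKey, request);
        } catch (MarshallingException e) {
            throw new BindingHandlerException("MarshallingException", e, 500);
        }
    }

    /**
     * Rejects signing with a certificate that is expired or not yet valid. When
     * {@code SAML2Utils.ALLOW_EXPIRE_CERTS} is set the condition is only logged at debug and
     * signing proceeds.
     *
     * @param cert the signing certificate
     * @param alias alias of the signing key, used in log and error messages
     * @throws BindingHandlerException (500) when the certificate is outside its validity period
     *     and expired certificates are not allowed
     */
    private void checkSigningCertValidity(X509Certificate cert, String alias) throws BindingHandlerException {
        try {
            cert.checkValidity();
        } catch (CertificateExpiredException e) {
            if (this.logdebug) {
                this.log.debug("Using expired certificate at alias " + alias + " for signing.");
            }
            if (!SAML2Utils.ALLOW_EXPIRE_CERTS) {
                throw new BindingHandlerException(Saml2Logger.getSignWithExpiredCert(alias), e, 500);
            }
        } catch (CertificateNotYetValidException e) {
            if (this.logdebug) {
                this.log.debug("Using not yet valid certificate at alias " + alias + " for signing.");
            }
            if (!SAML2Utils.ALLOW_EXPIRE_CERTS) {
                throw new BindingHandlerException(Saml2Logger.getSignWithNotYetValidCert(alias), e, 500);
            }
        }
    }

    /**
     * Validates an {@code <samlp:ArtifactResponse>} and extracts the embedded SAML message.
     *
     * <p>Checks performed: SAML version must be 2.0; {@code InResponseTo}, when present and
     * non-empty, must equal the request ID; an explicit non-Success status code is rejected; a
     * signature, when present, is verified with the partner's verification key. The first
     * unknown child object is returned as the resolved message.
     *
     * @param artifactResponse response received from the partner
     * @param artifactResolve the request it answers, for the InResponseTo check
     * @param remotePartner partner whose key verifies the response signature
     * @throws BindingHandlerException (403) on any validation failure or when no message is embedded
     */
    private SAMLObject getSamlMsg(ArtifactResponse artifactResponse, ArtifactResolve artifactResolve, WebSSOPartner remotePartner) throws BindingHandlerException {
        if (this.logdebug) {
            this.log.debug("get samlp:ArtifactResponse and verify it.");
        }
        SAMLVersion version = artifactResponse.getVersion();
        String versionText = version != null ? version.toString() : null;
        if (this.logdebug) {
            this.log.debug("saml version:" + versionText);
        }
        String expectedVersion = SAMLVersion.VERSION_20.toString();
        if (!expectedVersion.equals(versionText)) {
            throw new BindingHandlerException(Saml2Logger.getSAML2SamlResponseError("Version", expectedVersion, versionText), 403);
        }
        String inResponseTo = artifactResponse.getInResponseTo();
        if (this.logdebug) {
            this.log.debug("inResponseTo:" + inResponseTo);
        }
        // An absent or empty InResponseTo is tolerated (original behavior); when present it
        // must name our request.
        if (inResponseTo != null && !inResponseTo.isEmpty()) {
            String requestId = artifactResolve.getID();
            if (!inResponseTo.equals(requestId)) {
                throw new BindingHandlerException(Saml2Logger.getSAML2SamlResponseError("InResponseTo", requestId, inResponseTo), 403);
            }
        }
        Status status = artifactResponse.getStatus();
        StatusCode statusCode = status != null ? status.getStatusCode() : null;
        StatusMessage statusMessage = status != null ? status.getStatusMessage() : null;
        String statusText = statusMessage != null ? statusMessage.getMessage() : null;
        if (this.logdebug) {
            this.log.debug("status code: " + (statusCode != null ? statusCode.getValue() : null));
            this.log.debug("status message: " + statusText);
        }
        // A response with no Status/StatusCode is not rejected (original behavior); only an
        // explicit non-Success top-level code is. Null-safe equals avoids an NPE on a code
        // element without a value.
        if (statusCode != null && !STATUS_SUCCESS.equals(statusCode.getValue())) {
            throw new BindingHandlerException(statusText, 403);
        }
        Signature signature = artifactResponse.getSignature();
        // An unsigned response is accepted: no partner setting is consulted here that would
        // require one, so for an unsigned response integrity rests on the transport (TLS,
        // with the optional SSL client key from the constructor).
        if (signature != null) {
            if (this.logdebug) {
                this.log.debug("<samlp:ArtifactResponse> is signed.");
            }
            verifyResponseSignature(signature, remotePartner);
        }
        List<XMLObject> embedded = artifactResponse.getUnknownXMLObjects();
        if (embedded == null || embedded.isEmpty()) {
            throw new BindingHandlerException(Saml2Logger.getSAML2SamlMessageIsNull(), 403);
        }
        XMLObject first = embedded.get(0);
        if (!(first instanceof SAMLObject)) {
            // A non-SAML payload is treated as "no SAML message" rather than a ClassCastException.
            throw new BindingHandlerException(Saml2Logger.getSAML2SamlMessageIsNull(), 403);
        }
        SAMLObject samlMessage = (SAMLObject) first;
        if (this.logdebug) {
            this.log.debug("get saml message " + samlMessage + " from samlp:ArtifactResponse");
        }
        return samlMessage;
    }

    /**
     * Verifies {@code signature} with the partner's verification key, mapping each failure to a
     * 403 {@link BindingHandlerException} after logging it at error level.
     */
    private void verifyResponseSignature(Signature signature, WebSSOPartner remotePartner) throws BindingHandlerException {
        try {
            SAML2Utils.verifySamlObjectSignature(SAML2Utils.getVerifyKey(remotePartner), signature);
        } catch (ValidationException e) {
            this.log.error(e.getMessage(), e);
            throw new BindingHandlerException(Saml2Logger.getSAML2VerifySignatureFail(), 403);
        } catch (KeyException e) {
            this.log.error(e.getMessage(), e);
            throw new BindingHandlerException(Saml2Logger.getSAML2NoVerifyKeyFor("<samlp:ArtifactResponse>"), 403);
        } catch (CertificateException e) {
            this.log.error(e.getMessage(), e);
            throw new BindingHandlerException(Saml2Logger.getNoVerifyingCert("<samlp:ArtifactResponse>", remotePartner.getName()), 403);
        }
    }

    /**
     * Looks up the remote partner for the artifact's SourceID.
     *
     * <p>This method did not decompile; the body below is the decompiler's stub. The fragments it
     * did recover show the method logging
     * {@code "ArtifactResolver: found remote partner '<name>' with entity ID '<entityID>'"},
     * returning the partner when {@code isEnabled()} is true, and otherwise logging
     * {@code "ArtifactResolver: remote partner is disabled, resolution failed"}. How the partner
     * is located (presumably through {@link PartnerManager}) is not visible here.
     *
     * @param r6 the {@code int} passed to {@link #resolve}; meaning not recoverable
     * @param r7 the artifact's SourceID bytes
     */
    /* JADX WARN: Code restructure failed (fragments recovered by the decompiler):
         if (r5.logdebug == false) goto L25;
         r5.log.debug("ArtifactResolver: found remote partner '" + r0.getName() + "' with entity ID '" + r0.getEntityID() + "'");
         if (r0.isEnabled() == false) goto L28;
         r8 = r0;
         if (r5.logdebug == false) goto L31;
         r5.log.debug("ArtifactResolver: remote partner is disabled, resolution failed");
     */
    private WebSSOPartner getRemotePartner(int r6, byte[] r7) throws BindingHandlerException {
        /*
            Method dump skipped, instructions count: 367
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.bea.security.saml2.artifact.impl.AbstractArtifactResolver.getRemotePartner(int, byte[]):com.bea.security.saml2.providers.registry.WebSSOPartner");
    }

    /**
     * Selects the partner's ArtifactResolutionService endpoint whose index equals {@code s}.
     *
     * @param webSSOPartner partner whose endpoints are searched
     * @param s endpoint index taken from the artifact
     * @return the matching endpoint
     * @throws BindingHandlerException (404) when the partner has no endpoints or none has that index
     */
    private IndexedEndpoint getRemoteARSEndpoint(WebSSOPartner webSSOPartner, short s) throws BindingHandlerException {
        if (this.logdebug) {
            this.log.debug("partner entityid is" + webSSOPartner.getEntityID() + ", end point index is:" + ((int) s));
        }
        String notFoundMessage = Saml2Logger.getSAML2CouldNotGetEndpoint(webSSOPartner.getEntityID(), "ARTIFACTRESOLUTIONSERVICE", Short.toString(s));
        IndexedEndpoint[] endpoints = webSSOPartner.getArtifactResolutionService();
        if (endpoints != null) {
            for (IndexedEndpoint candidate : endpoints) {
                if (candidate.getIndex() == s) {
                    if (this.logdebug) {
                        this.log.debug("find end point:" + candidate + ", binding location is:" + candidate.getLocation());
                    }
                    return candidate;
                }
            }
        }
        throw new BindingHandlerException(notFoundMessage, 404);
    }

    /**
     * Debug-logs the serialized XML of a SAML message (the outgoing ArtifactResolve or the
     * incoming ArtifactResponse, including whatever it embeds). Does nothing unless debug
     * logging is enabled, so no marshalling work is spent otherwise; serialization failures are
     * swallowed after a debug line because logging must never break resolution.
     */
    private void logSamlMsg(XMLObject xMLObject) {
        if (!this.logdebug) {
            return;
        }
        try {
            Element dom = Configuration.getMarshallerFactory().getMarshaller(xMLObject).marshall(xMLObject);
            ByteArrayOutputStream buffer = new ByteArrayOutputStream();
            this.transformerFactory.newTransformer().transform(new DOMSource(dom), new StreamResult(buffer));
            // The transformer emits UTF-8 by default; decode explicitly instead of relying on
            // the platform charset.
            this.log.debug(new String(buffer.toByteArray(), StandardCharsets.UTF_8));
        } catch (Exception e) {
            this.log.debug("can't print out samlp:ArtifactResolve or samlp:ArtifactResponse.");
        }
    }
}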
