package weblogic.wsee.security.saml;

import java.net.MalformedURLException;
import java.net.URL;
import java.security.AccessController;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Deque;
import java.util.List;
import java.util.Stack;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.FactoryConfigurationError;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLStreamException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import weblogic.security.KeyPairCredential;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.service.ContextHandler;
import weblogic.security.service.CredentialManager;
import weblogic.security.service.PrincipalAuthenticator;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.service.RemoteResource;
import weblogic.security.service.SecurityService;
import weblogic.security.service.SecurityServiceManager;
import weblogic.security.spi.CredentialMapperV2;
import weblogic.security.spi.Resource;
import weblogic.wsee.policy.framework.DOMUtils;
import weblogic.xml.crypto.api.MarshalException;
import weblogic.xml.crypto.dsig.api.XMLSignatureException;
import weblogic.xml.crypto.dsig.api.XMLSignatureFactory;
import weblogic.xml.crypto.dsig.api.keyinfo.KeyInfoFactory;
import weblogic.xml.crypto.dsig.keyinfo.KeyInfoImpl;
import weblogic.xml.crypto.wss.SecurityTokenContextHandler;
import weblogic.xml.crypto.wss.WSSecurityException;
import weblogic.xml.crypto.wss.X509Credential;
import weblogic.xml.crypto.wss.policy.ClaimsBuilder;
import weblogic.xml.dom.DOMStreamWriter;
import weblogic.xml.dom.NamespaceUtils;
import weblogic.xml.security.signature.DSIGConstants;

/* loaded from: input_file:weblogic/wsee/security/saml/CSSUtils.class */
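/**
 * Static helpers shared by the SAML token handlers.
 *
 * <p>The class acts on behalf of the kernel identity when it talks to the WebLogic
 * security service (credential mapping and identity assertion), fills in the context
 * elements that are handed to the credential mapper together with the request, and
 * keeps a small pool of namespace-aware DOM parsers for building assertion documents.
 *
 * <p>All members are static; the parser pool is guarded by its own monitor, everything
 * else is stateless.
 */
public class CSSUtils {
    private static final Logger LOGGER = Logger.getLogger(CSSUtils.class.getName());

    /** Realm name passed to every security-service lookup. */
    private static final String DEFAULT_REALM = "weblogicDEFAULT";

    /** Context element keys read by the SAML credential mapper / identity asserter. */
    private static final String CONFIRMATION_METHOD_ELEMENT = "com.bea.contextelement.saml.subject.ConfirmationMethod";
    private static final String TARGET_RESOURCE_ELEMENT = "com.bea.contextelement.saml.TargetResource";
    private static final String KEY_INFO_ELEMENT = "com.bea.contextelement.saml.subject.dom.KeyInfo";

    /** Credential types requested from the credential mapper for the two SAML versions. */
    private static final String SAML_ASSERTION_DOM = "SAML.Assertion.DOM";
    private static final String SAML2_ASSERTION_DOM = "SAML2.Assertion.DOM";

    /** Canonical SAML 1.1 confirmation-method names and the SAML 2.0 URN prefix that maps onto them. */
    private static final String CM_BEARER = "bearer";
    private static final String CM_SENDER_VOUCHES = "sender-vouches";
    private static final String CM_HOLDER_OF_KEY = "holder-of-key";
    private static final String SAML2_CM_PREFIX = "urn:oasis:names:tc:SAML:2.0:cm:";
    private static final String SAML2_CM_HOLDER_OF_KEY = SAML2_CM_PREFIX + CM_HOLDER_OF_KEY;

    /** Xerces-family feature that rejects any DOCTYPE declaration (closes off XXE / entity expansion). */
    private static final String DISALLOW_DOCTYPE_FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";

    /** Kernel identity used for every call into the security service. */
    private static final AuthenticatedSubject kernelId = getKernelID();

    /** When set, SAML 1.1 endpoint URLs are reduced to their path component like SAML 2.0 ones. */
    private static final boolean isEnableSaml11RelativePath = Boolean.parseBoolean(System.getProperty("weblogic.wsee.security.saml.EnableSaml11RelativePathConfig"));

    /** Pool of namespace-aware parsers; every access is synchronized on the deque itself. */
    private static final Deque<DocumentBuilder> pool = new ArrayDeque<>();

    protected static final String SAML_ATTRIBUTES = "com.bea.contextelement.saml.Attributes";
    protected static final String SAML2_ATTRIBUTES = "com.bea.contextelement.saml2.Attributes";
    protected static final String SAML_ATTRIBUTE_ONLY = "com.bea.contextelement.saml.AttributeOnly";
    protected static final String SAML_ATTRIBUTE_PRINCIPALS = "com.bea.contextelement.saml.AttributePrincipals";

    /** Resolves the kernel identity under a privileged action. */
    private static AuthenticatedSubject getKernelID() {
        return (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
    }

    /**
     * Looks up the credential manager of the default realm.
     *
     * @return the credential manager, never {@code null}
     * @throws IllegalStateException if the service is not available
     */
    private static CredentialManager getCredentialManager() {
        CredentialManager manager = SecurityServiceManager.getSecurityService(kernelId, DEFAULT_REALM, SecurityService.ServiceType.CREDENTIALMANAGER);
        if (manager == null) {
            throw new IllegalStateException("CredentialManager Unavailable");
        }
        return manager;
    }

    /**
     * Looks up the principal authenticator of the default realm.
     *
     * @return the principal authenticator, never {@code null}
     * @throws IllegalStateException if the service is not available
     */
    private static PrincipalAuthenticator getPrincipalAuthenticator() {
        PrincipalAuthenticator authenticator = SecurityServiceManager.getPrincipalAuthenticator(kernelId, DEFAULT_REALM);
        if (authenticator == null) {
            throw new IllegalStateException("PrincipalAuthenticator Unavailable");
        }
        return authenticator;
    }

    /**
     * Reads the confirmation method from the SAML claims element and records it in the
     * security token context so the credential mapper issues a matching assertion.
     *
     * @param isSaml2 {@code true} to map onto SAML 2.0 URNs, {@code false} for SAML 1.1 names
     * @param ctx     context the mapped method is added to under {@value #CONFIRMATION_METHOD_ELEMENT}
     * @param claims  the claims element of the SAML token policy
     * @throws IllegalArgumentException if {@code claims} is {@code null} or names an unknown method
     */
    public static void processSAMLClaims(boolean isSaml2, SecurityTokenContextHandler ctx, Node claims) {
        if (claims == null) {
            throw new IllegalArgumentException("claims of SAML token is null");
        }
        String requested = ClaimsBuilder.getClaimFromElt(claims, SAMLConstants.CONFIRMATION_METHOD_QNAME);
        String mapped = isSaml2 ? mapSAML2ConfMethod(requested) : mapSAMLConfMethod(requested);
        if (mapped == null) {
            throw new IllegalArgumentException("ConfirmationMethod of saml token is not specified.");
        }
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "Requested subject confirmation is: " + mapped);
        }
        ctx.addContextElement(CONFIRMATION_METHOD_ELEMENT, mapped);
    }

    /**
     * Copies the endpoint URL from the request context into the token context as the SAML
     * target resource; for SAML 1.1 the raw {@code ENDPOINT_URL} element is copied as well.
     *
     * @param isSaml2 selects the SAML 2.0 (target resource only) or SAML 1.1 layout
     * @param ctx     token context that receives the elements
     * @param request request context supplying {@link SecurityTokenContextHandler#ENDPOINT_URL}
     */
    public static void setupSAMLContextElements(boolean isSaml2, SecurityTokenContextHandler ctx, ContextHandler request) {
        String endpoint = (String) request.getValue(SecurityTokenContextHandler.ENDPOINT_URL);
        if (isSaml2) {
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Setting: com.bea.contextelement.saml.TargetResource to " + endpoint);
            }
            ctx.addContextElement(TARGET_RESOURCE_ELEMENT, endpoint);
            return;
        }
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "Setting ENDPOINT_URL and SAML_TARGET_RESOURCE to: " + endpoint);
        }
        ctx.addContextElement(SecurityTokenContextHandler.ENDPOINT_URL, endpoint);
        ctx.addContextElement(TARGET_RESOURCE_ELEMENT, endpoint);
    }

    /**
     * Records the attribute statements (if any) and the "attributes only" flag in the token context.
     *
     * <p>With attribute data present the version-specific collection is added, plus
     * {@link #SAML_ATTRIBUTE_ONLY} when {@code attributesOnly} is set. Without data and with
     * {@code attributesOnly} set, the flag is added together with an empty collection so the
     * mapper still produces an attribute-only token; without either, nothing is added.
     *
     * @param isSaml2        selects {@link #SAML2_ATTRIBUTES} or {@link #SAML_ATTRIBUTES}
     * @param ctx            token context that receives the elements
     * @param attributesOnly request a token carrying attributes but no authentication statement
     * @param data           attribute statements, may be {@code null} or empty
     */
    public static void setupSAMLAttributesContextElements(boolean isSaml2, SecurityTokenContextHandler ctx, boolean attributesOnly, SAMLAttributeStatementData data) {
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "Setting SAML Attributes....");
        }
        boolean hasAttributes = data != null && !data.isEmpty();
        if (hasAttributes) {
            if (isSaml2) {
                if (LOGGER.isLoggable(Level.FINE)) {
                    LOGGER.log(Level.FINE, "Requesting SAML Attributes to be generated from colliction of <SAML2AttributeStatementInfo>");
                }
                ctx.addContextElement(SAML2_ATTRIBUTES, data.getCollectionsForSAML2AttributeStatementInfo());
            } else {
                if (LOGGER.isLoggable(Level.FINE)) {
                    LOGGER.log(Level.FINE, "Requesting SAML Attributes to be generated from colliction of <SAMLAttributeStatementInfo>");
                }
                ctx.addContextElement(SAML_ATTRIBUTES, data.getCollectionsForSAMLAttributeStatementInfo());
            }
            if (attributesOnly) {
                if (LOGGER.isLoggable(Level.FINE)) {
                    LOGGER.log(Level.FINE, "Finally, requesting a SAML Token with SAML Attributes only");
                    LOGGER.log(Level.FINE, "Adding com.bea.contextelement.saml.AttributeOnly with \"True\" into CtxHandler");
                }
                ctx.addContextElement(SAML_ATTRIBUTE_ONLY, Boolean.TRUE);
            }
            return;
        }
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "No SAML Attributes data found");
        }
        if (!attributesOnly) {
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Requesting a SAML Token without SAML Attributes");
            }
            return;
        }
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "Requesting a SAML Token with SAML Attributes only but no attributes value");
            LOGGER.log(Level.FINE, "Adding only com.bea.contextelement.saml.AttributeOnly with \"True\" into CtxHandler");
        }
        ctx.addContextElement(SAML_ATTRIBUTE_ONLY, Boolean.TRUE);
        // An empty collection keeps the mapper on the attribute-only path even though there is no data.
        ctx.addContextElement(isSaml2 ? SAML2_ATTRIBUTES : SAML_ATTRIBUTES, new ArrayList<>());
    }

    /**
     * Same as {@link #getSAMLCredential(boolean, String, SecurityTokenContextHandler, Object, AuthenticatedSubject)}
     * using the current subject.
     */
    public static Object getSAMLCredential(boolean isSaml2, String tokenType, SecurityTokenContextHandler ctx, Object keyInfo) throws WSSecurityException {
        return getSAMLCredential(isSaml2, tokenType, ctx, keyInfo, null);
    }

    /**
     * Obtains a SAML assertion from the credential mapper and wraps it as a {@link SAMLCredentialImpl}.
     *
     * <p>If {@code keyInfo} is an {@link X509Credential} its certificate is marshalled into a
     * {@code ds:KeyInfo} element (and its private key retained for the credential); if it is a DOM
     * {@link Node} it is used as the KeyInfo as-is. Any other type is ignored with a log message.
     *
     * @param isSaml2   request {@value #SAML2_ASSERTION_DOM} instead of {@value #SAML_ASSERTION_DOM}
     * @param tokenType token type passed on to the credential
     * @param ctx       token context; receives {@value #KEY_INFO_ELEMENT} when a KeyInfo is available
     * @param keyInfo   {@link X509Credential}, DOM {@link Node}, or {@code null}
     * @param subject   subject to map for, or {@code null} for the current subject
     * @return the credential, or {@code null} when the mapper returned no assertion element
     * @throws WSSecurityException propagated from credential construction
     */
    public static Object getSAMLCredential(boolean isSaml2, String tokenType, SecurityTokenContextHandler ctx, Object keyInfo, AuthenticatedSubject subject) throws WSSecurityException {
        PrivateKey privateKey = null;
        if (keyInfo instanceof X509Credential) {
            X509Credential x509 = (X509Credential) keyInfo;
            privateKey = x509.getPrivateKey();
            List<X509Certificate> certs = new ArrayList<>();
            certs.add(x509.getCertificate());
            Node keyInfoNode = getKeyInfoNodeFromCerts(certs);
            if (keyInfoNode != null) {
                if (LOGGER.isLoggable(Level.FINE)) {
                    LOGGER.log(Level.FINE, "Adding KeyInfo element to context handler: " + keyInfoNode);
                }
                ctx.addContextElement(KEY_INFO_ELEMENT, keyInfoNode);
            } else if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Null KeyInfo element from X509 cert is NOT added to context handler ");
            }
        } else if (keyInfo instanceof Node) {
            Node keyInfoNode = (Node) keyInfo;
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Adding KeyInfo Node to context handler fot SAML assertion: [" + DOMUtils.toXMLString(keyInfoNode) + "]");
            }
            ctx.addContextElement(KEY_INFO_ELEMENT, keyInfoNode);
        } else if (keyInfo != null && LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "Not supported Key Info type found! NO ACTION");
        }

        String credType = isSaml2 ? SAML2_ASSERTION_DOM : SAML_ASSERTION_DOM;
        Object[] assertions = getSAMLAssertionFromCredMapper(ctx, credType, subject);
        if (assertions == null || assertions.length == 0 || !(assertions[0] instanceof Element)) {
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Didn't get assertion, returning null credential");
            }
            return null;
        }
        Element assertion = (Element) assertions[0];
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "Returning new SAML Assertion from CSS for CredentialImpl: [" + DOMUtils.toXMLString(assertion) + "]");
        }
        return new SAMLCredentialImpl(tokenType, assertion, privateKey);
    }

    /**
     * Tells whether the confirmation method recorded in the token context is holder-of-key.
     *
     * @param isSaml2 compare against the SAML 2.0 URN instead of the SAML 1.1 name
     * @param ctx     token context holding {@value #CONFIRMATION_METHOD_ELEMENT}
     * @return {@code true} only for an exact match of the version-specific holder-of-key value
     */
    public static boolean isHolderOfKey(boolean isSaml2, SecurityTokenContextHandler ctx) {
        Object method = ctx.getValue(CONFIRMATION_METHOD_ELEMENT);
        String expected = isSaml2 ? SAML2_CM_HOLDER_OF_KEY : CM_HOLDER_OF_KEY;
        return expected.equals(method);
    }

    /**
     * Tells whether a confirmation method string denotes holder-of-key in any accepted spelling
     * (SAML 2.0 URN, SAML 1.1 name, or the policy constant {@code HOLDER_OF_KEY}).
     *
     * @param method the method string, may be {@code null}
     * @return {@code true} for any holder-of-key spelling
     */
    public static boolean isHolderOfKey(String method) {
        return SAML2_CM_HOLDER_OF_KEY.equals(method) || CM_HOLDER_OF_KEY.equals(method) || "HOLDER_OF_KEY".equals(method);
    }

    /** Returns the JAAS subject of the current thread's authenticated subject. */
    public static Subject getCurrentAuthenticatedSubject() {
        return SecurityServiceManager.getCurrentSubject(kernelId).getSubject();
    }

    /**
     * Asks the PKI credential mapper for a key pair for the current subject and the remote
     * resource derived from the endpoint URL in the token context.
     *
     * @param ctx token context supplying {@link SecurityTokenContextHandler#ENDPOINT_URL}
     * @return the first mapped key pair as an {@link X509Credential}, or {@code null} when the
     *         endpoint URL is missing/malformed or the mapper returned nothing
     */
    public static X509Credential getX509CredFromPKICredMapper(SecurityTokenContextHandler ctx) {
        CredentialManager manager = getCredentialManager();
        AuthenticatedSubject current = SecurityServiceManager.getCurrentSubject(kernelId);
        RemoteResource resource = getRemoteResource(ctx);
        if (resource == null) {
            return null;
        }
        Object[] credentials = manager.getCredentials(kernelId, current, resource, ctx, CredentialMapperV2.PKI_KEY_PAIR_TYPE);
        if (credentials == null || credentials.length == 0) {
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "can't find holder-of-key from PKICreditMapper");
            }
            return null;
        }
        KeyPairCredential keyPair = (KeyPairCredential) credentials[0];
        return new X509Credential((X509Certificate) keyPair.getCertificate(), (PrivateKey) keyPair.getKey());
    }

    /** Same as {@link #getSAMLAssertionFromCredMapper(SecurityTokenContextHandler, String, AuthenticatedSubject)} for the current subject. */
    public static Object[] getSAMLAssertionFromCredMapper(SecurityTokenContextHandler ctx, String credType) {
        return getSAMLAssertionFromCredMapper(ctx, credType, null);
    }

    /**
     * Requests credentials of the given type from the credential manager, with no target resource.
     *
     * @param ctx      token context passed to the mapper
     * @param credType credential type, e.g. {@value #SAML_ASSERTION_DOM} or {@value #SAML2_ASSERTION_DOM}
     * @param subject  subject to map for, or {@code null} for the current subject
     * @return whatever the credential manager returns (may be {@code null} or empty)
     */
    public static Object[] getSAMLAssertionFromCredMapper(SecurityTokenContextHandler ctx, String credType, AuthenticatedSubject subject) {
        CredentialManager manager = getCredentialManager();
        AuthenticatedSubject target = subject != null ? subject : SecurityServiceManager.getCurrentSubject(kernelId);
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "Calling CSS for subject " + target.toString() + " and token type " + credType);
        }
        return manager.getCredentials(kernelId, target, (Resource) null, ctx, credType);
    }

    /**
     * Builds a {@link RemoteResource} (protocol, host, port, path) from the endpoint URL in the context.
     *
     * @param ctx token context supplying {@link SecurityTokenContextHandler#ENDPOINT_URL}
     * @return the resource, or {@code null} if the URL is absent or malformed
     */
    static RemoteResource getRemoteResource(SecurityTokenContextHandler ctx) {
        String endpoint = (String) ctx.getValue(SecurityTokenContextHandler.ENDPOINT_URL);
        if (endpoint == null) {
            return null;
        }
        try {
            URL url = new URL(endpoint);
            return new RemoteResource(url.getProtocol(), url.getHost(), String.valueOf(url.getPort()), url.getPath(), null);
        } catch (MalformedURLException e) {
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Failed to resolve remote target URL", (Throwable) e);
            }
            return null;
        }
    }

    /**
     * Asserts identity from a SAML assertion element via the principal authenticator.
     *
     * <p>The assertion is deep-imported into a fresh document first so the authenticator sees a
     * standalone DOM rather than a fragment of the inbound message.
     *
     * @param assertion the assertion element
     * @param ctx       context passed to the identity asserter
     * @param isSaml2   assert as {@value #SAML2_ASSERTION_DOM} instead of {@value #SAML_ASSERTION_DOM}
     * @return the authenticated subject
     * @throws IllegalArgumentException if {@code assertion} is {@code null}
     * @throws LoginException if the identity asserter rejects the assertion
     */
    public static AuthenticatedSubject assertIdentity(Node assertion, ContextHandler ctx, boolean isSaml2) throws LoginException {
        if (assertion == null) {
            throw new IllegalArgumentException("SAML assertion node is null");
        }
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "Attempting assertIdentity");
            LOGGER.log(Level.FINE, "SAML_TARGET_RESOURCE is: " + ctx.getValue(TARGET_RESOURCE_ELEMENT));
        }
        PrincipalAuthenticator authenticator = getPrincipalAuthenticator();
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "Got Principal Authenticator");
        }
        Document doc = newDocument();
        Node imported = doc.importNode(assertion, true);
        doc.appendChild(imported);
        String credType = isSaml2 ? SAML2_ASSERTION_DOM : SAML_ASSERTION_DOM;
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "Cred type is: " + credType + ", Node: " + imported);
        }
        try {
            AuthenticatedSubject result = authenticator.assertIdentity(credType, imported, ctx);
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Got subject: " + result);
            }
            return result;
        } catch (LoginException e) {
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Exception while asserting identity: " + e.toString());
                LOGGER.log(Level.FINE, e.getMessage(), (Throwable) e);
            }
            throw e;
        }
    }

    /** Creates an empty document from a pooled parser and hands the parser straight back to the pool. */
    private static Document newDocument() {
        DocumentBuilder parser = getParser();
        try {
            return parser.newDocument();
        } finally {
            returnParser(parser);
        }
    }

    /**
     * Creates a namespace-aware, hardened {@link DocumentBuilder}.
     *
     * <p>{@code getParser()} is public, so pooled builders may end up parsing XML received from
     * the wire. Secure processing (mandatory for every JAXP implementation) bounds entity
     * expansion, and DOCTYPE declarations are refused where the parser supports the feature —
     * SOAP messages never carry a DTD, so this costs nothing for valid input.
     *
     * @throws RuntimeException wrapping any factory or configuration failure
     */
    private static DocumentBuilder createNewParser() {
        try {
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            factory.setNamespaceAware(true);
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            factory.setExpandEntityReferences(false);
            try {
                factory.setFeature(DISALLOW_DOCTYPE_FEATURE, true);
            } catch (ParserConfigurationException e) {
                // Non-Xerces parser: best effort only, secure processing above still applies.
                if (LOGGER.isLoggable(Level.FINE)) {
                    LOGGER.log(Level.FINE, "Parser does not support " + DISALLOW_DOCTYPE_FEATURE, (Throwable) e);
                }
            }
            return factory.newDocumentBuilder();
        } catch (FactoryConfigurationError | ParserConfigurationException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Takes a parser from the pool, creating one when the pool is empty.
     * Callers should hand it back with {@link #returnParser(DocumentBuilder)}.
     */
    public static DocumentBuilder getParser() {
        DocumentBuilder parser;
        synchronized (pool) {
            parser = pool.poll();
        }
        // Construct outside the lock: factory lookup is the expensive part.
        return parser != null ? parser : createNewParser();
    }

    /**
     * Returns a parser to the pool. The builder is reset first so handlers or resolvers installed
     * by one caller cannot leak into the next; {@code null} is ignored so the pool never hands out {@code null}.
     */
    public static void returnParser(DocumentBuilder documentBuilder) {
        if (documentBuilder == null) {
            return;
        }
        try {
            documentBuilder.reset();
        } catch (UnsupportedOperationException ignored) {
            // Builder cannot be reset; pool it as before rather than pay for a new one on every call.
        }
        synchronized (pool) {
            pool.push(documentBuilder);
        }
    }

    /**
     * Marshals the certificates into a {@code ds:KeyInfo} DOM element carrying a single {@code X509Data}.
     *
     * @param certs certificates to include
     * @return the KeyInfo element (prefix {@code ds} declared on every element)
     * @throws RuntimeException wrapping marshalling or streaming failures
     */
    private static Node getKeyInfoNodeFromCerts(List<X509Certificate> certs) {
        try {
            KeyInfoFactory keyInfoFactory = XMLSignatureFactory.getInstance().getKeyInfoFactory();
            KeyInfoImpl keyInfo = keyInfoFactory.newKeyInfo(Collections.singletonList(keyInfoFactory.newX509Data(certs)));
            Document doc = newDocument();
            keyInfo.write(new DOMStreamWriter(doc));
            Node keyInfoNode = doc.getFirstChild();
            declarePrefixOnKeyInfoNode(keyInfoNode);
            return keyInfoNode;
        } catch (MarshalException e) {
            throw new RuntimeException(e);
        } catch (XMLSignatureException | XMLStreamException e) {
            throw new RuntimeException((Throwable) e);
        }
    }

    /**
     * Recursively assigns the {@code ds} prefix and its namespace declaration to every
     * un-prefixed element under {@code node}. Non-element nodes are only traversed.
     */
    private static void declarePrefixOnKeyInfoNode(Node node) {
        if (node.getNodeType() == Node.ELEMENT_NODE) {
            String prefix = node.getPrefix();
            if (prefix == null || prefix.isEmpty()) {
                node.setPrefix(DSIGConstants.DSIG_PREFIX);
                NamespaceUtils.defineNamespace((Element) node, DSIGConstants.DSIG_PREFIX, DSIGConstants.DSIG_URI);
            }
        }
        NodeList children = node.getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            declarePrefixOnKeyInfoNode(children.item(i));
        }
    }

    /**
     * Reduces an endpoint URL to its path for SAML 2.0 (or SAML 1.1 when the relative-path
     * system property is enabled); otherwise, and for values that are not URLs, returns the input.
     *
     * @param isSaml2  whether the SAML 2.0 rule applies
     * @param endpoint endpoint URL or opaque identifier
     * @return the URL path, or {@code endpoint} unchanged
     */
    public static String getEndpointPath(boolean isSaml2, String endpoint) {
        if (isSaml2 || isEnableSaml11RelativePath) {
            try {
                return new URL(endpoint).getPath();
            } catch (MalformedURLException e) {
                // Not a URL (e.g. a logical resource name): fall through and use it verbatim.
                if (LOGGER.isLoggable(Level.FINE)) {
                    LOGGER.log(Level.FINE, "Endpoint is not a URL, using it as-is: [" + endpoint + "]");
                }
            }
        }
        return endpoint;
    }

    /**
     * Normalizes either spelling of a confirmation method (policy constant or SAML 1.1 name)
     * to the SAML 1.1 name; {@code null} for anything else, including {@code null}.
     */
    private static String normalizeConfMethod(String method) {
        if (method == null) {
            return null;
        }
        switch (method) {
            case CM_BEARER:
            case "BEARER":
                return CM_BEARER;
            case CM_SENDER_VOUCHES:
            case "SENDER_VOUCHES":
                return CM_SENDER_VOUCHES;
            case CM_HOLDER_OF_KEY:
            case "HOLDER_OF_KEY":
                return CM_HOLDER_OF_KEY;
            default:
                return null;
        }
    }

    /**
     * Maps a requested confirmation method to its SAML 2.0 URN.
     *
     * @param method {@code bearer}/{@code BEARER}, {@code sender-vouches}/{@code SENDER_VOUCHES},
     *               {@code holder-of-key}/{@code HOLDER_OF_KEY}
     * @return the {@code urn:oasis:names:tc:SAML:2.0:cm:*} URN, or {@code null} if unrecognised
     */
    public static String mapSAML2ConfMethod(String method) {
        String normalized = normalizeConfMethod(method);
        if (normalized == null) {
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Unable to map the SAML 2.0 confirmation method on: [" + method + "]");
            }
            return null;
        }
        return SAML2_CM_PREFIX + normalized;
    }

    /**
     * Maps a requested confirmation method to its SAML 1.1 name.
     *
     * @param method {@code bearer}/{@code BEARER}, {@code sender-vouches}/{@code SENDER_VOUCHES},
     *               {@code holder-of-key}/{@code HOLDER_OF_KEY}
     * @return {@code bearer}, {@code sender-vouches} or {@code holder-of-key}, or {@code null} if unrecognised
     */
    public static String mapSAMLConfMethod(String method) {
        String normalized = normalizeConfMethod(method);
        if (normalized == null && LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "Unable to map the SAML 1.1 confirmation method on: [" + method + "]");
        }
        return normalized;
    }
}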
