package com.bea.common.security.saml.service;

import com.bea.common.logger.spi.LoggerSpi;
import com.bea.common.security.internal.service.ServiceLogger;
import com.bea.common.security.legacy.spi.SAMLSingleSignOnServiceConfigInfoSpi;
import com.bea.common.security.saml.manager.SAMLKeyManager;
import com.bea.common.security.saml.manager.SAMLRPConfigManager;
import com.bea.common.security.saml.manager.SAMLTrustManager;
import com.bea.common.security.saml.registry.SAMLRelyingPartyConfig;
import com.bea.common.security.saml.utils.SAMLContextHandler;
import com.bea.common.security.saml.utils.SAMLProfile;
import com.bea.common.security.saml.utils.SAMLUtil;
import com.bea.common.security.service.CredentialMappingService;
import com.bea.common.security.service.Identity;
import com.bea.common.security.service.SAMLKeyService;
import com.bea.common.security.store.data.DomainRealmScopeId;
import java.io.IOException;
import java.io.PrintWriter;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.persistence.jpa.jpql.parser.Expression;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLException;
import org.opensaml.SAMLRequest;
import org.opensaml.SAMLResponse;
import org.opensaml.SAMLSOAPBinding;
import org.w3c.dom.Element;
import weblogic.security.providers.saml.SAMLAssertionStore;
import weblogic.security.providers.saml.SAMLAssertionStoreV2;
import weblogic.security.providers.utils.Utils;
import weblogic.security.service.AdminResource;
import weblogic.security.service.ContextElement;

/* loaded from: input_file:com/bea/common/security/saml/service/SAMLSourceSiteHelper.class */
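/**
 * Source-site helper for the SAML browser POST and artifact profiles.
 *
 * <p>It obtains assertions from the credential mapping service, delivers them to a
 * relying party either as a signed response in an auto-submitting form (POST) or as
 * an artifact on a redirect, and answers artifact look-ups coming back from the
 * destination site.
 *
 * <p>Review notes that apply across the class:
 * <ul>
 *   <li>Artifacts and request query strings are written to the debug log. An artifact
 *       is what a destination site presents to fetch an assertion, so debug logs from
 *       this class should be treated as sensitive.</li>
 *   <li>{@code Expression.QUOTE} comes from an unrelated JPQL parser package and is only
 *       used to close a quote in log messages; presumably a constant-resolution artifact
 *       of decompilation. Confirm before relying on it.</li>
 * </ul>
 */
public class SAMLSourceSiteHelper {
    /** Assertion store implementation used when the SSO configuration names none. */
    private static final String DEFAULT_ASSERTION_STORE = "com.bea.common.security.saml.utils.SAMLAssertionStoreMemImpl";
    /** Request URI suffix of the POST profile endpoint. */
    private static final String postURI = "/post";
    /** Request URI suffix of the artifact profile endpoint. */
    private static final String artifactURI = "/artifact";
    private final SAMLSingleSignOnServiceConfigInfoSpi ssoServiceConfig;
    private final CredentialMappingService credMapper;
    private final LoggerSpi log;
    private final SAMLKeyManager keyManager;
    private final SAMLTrustManager trustManager;
    private final SAMLRPConfigManager partnerManager;
    // Exactly one of the two store fields is set: the V2 field when the plugin
    // implements SAMLAssertionStoreV2, the V1 field otherwise.
    private SAMLAssertionStore assertionStore;
    private SAMLAssertionStoreV2 assertionStoreV2;
    private final AdminResource rs;
    // XML-DSig RSA-with-SHA1 identifier used to sign POST responses.
    // NOTE(review): SHA-1 based signatures are deprecated; whether partners accept a
    // stronger method cannot be determined from this class.
    private static final String SignatureMethod_RSA_SHA1_URI = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    // Name of a JVM system property; when "true", responses are signed even though the
    // signing certificate is expired or not yet valid (see constructPOSTResponse).
    private static final String allowExpiredCerts = "com.bea.common.security.saml.allowExpiredCerts";

    /** Writes a debug message prefixed with the component name, if debug is enabled. */
    private final void logDebug(String str) {
        if (this.log.isDebugEnabled()) {
            this.log.debug("SAMLSourceSite: " + str);
        }
    }

    /** @return whether the injected logger has debug output enabled */
    private final boolean isDebugEnabled() {
        return this.log.isDebugEnabled();
    }

    /**
     * Wires the helper to its collaborators, instantiates and initialises the assertion
     * store, and registers the protocol signing key if one is configured.
     *
     * <p>The store class name is taken from the SSO service configuration and loaded
     * through {@code SAMLUtil.instantiatePlugin}; an empty or missing name selects the
     * in-memory default with no properties.
     *
     * @param sAMLSingleSignOnServiceConfigInfoSpi SSO service configuration
     * @param credentialMappingService service that produces the assertions
     * @param loggerSpi debug logger
     * @param sAMLKeyService key service handed to the key manager
     * @throws Exception if a collaborator or the store plugin fails to initialise
     */
    public SAMLSourceSiteHelper(SAMLSingleSignOnServiceConfigInfoSpi sAMLSingleSignOnServiceConfigInfoSpi, CredentialMappingService credentialMappingService, LoggerSpi loggerSpi, SAMLKeyService sAMLKeyService) throws Exception {
        this.ssoServiceConfig = sAMLSingleSignOnServiceConfigInfoSpi;
        this.credMapper = credentialMappingService;
        this.log = loggerSpi;
        this.rs = new AdminResource("Credential Mapping", DomainRealmScopeId.REALM, "SAML");
        this.keyManager = SAMLKeyManager.getManager(sAMLKeyService);
        this.trustManager = SAMLTrustManager.getManager();
        this.partnerManager = SAMLRPConfigManager.getManager();

        String assertionStoreClassName = sAMLSingleSignOnServiceConfigInfoSpi.getAssertionStoreClassName();
        Properties assertionStoreProperties = sAMLSingleSignOnServiceConfigInfoSpi.getAssertionStoreProperties();
        if (assertionStoreClassName == null || assertionStoreClassName.equals("")) {
            assertionStoreClassName = DEFAULT_ASSERTION_STORE;
            assertionStoreProperties = null;
        }
        SAMLAssertionStore store = (SAMLAssertionStore) SAMLUtil.instantiatePlugin(assertionStoreClassName, SAMLAssertionStore.class.getName());
        if (store == null) {
            // Previously initStore() was called before the null check and failed with a
            // NullPointerException. The dispatch methods already handle a missing store.
            logDebug("init(): Assertion store could not be instantiated; artifact profile requests will fail");
        } else {
            // NOTE(review): the result of initStore(), if it has one, is not checked.
            store.initStore(assertionStoreProperties);
            if (store instanceof SAMLAssertionStoreV2) {
                this.assertionStoreV2 = (SAMLAssertionStoreV2) store;
                logDebug("init(): Assertion store is version 2, will verify destination sites");
            } else {
                this.assertionStore = store;
                logDebug("init(): Assertion store is version 1, unable to verify destination sites");
            }
        }

        String signingKeyAlias = sAMLSingleSignOnServiceConfigInfoSpi.getSigningKeyAlias();
        String signingKeyPassPhrase = sAMLSingleSignOnServiceConfigInfoSpi.getSigningKeyPassPhrase();
        if (signingKeyAlias != null && !signingKeyAlias.equals("")) {
            // Only the alias is logged; the pass phrase never reaches the log.
            logDebug("init(): Setting SigningKey: " + signingKeyAlias);
            this.keyManager.setProtocolKeyAliasInfo(signingKeyAlias, signingKeyPassPhrase == null ? "" : signingKeyPassPhrase);
        }
    }

    /**
     * Handles a POST-profile transfer: builds a signed response for the partner and either
     * writes an auto-submitting HTML form or forwards to the partner's custom post form.
     *
     * <p>Responds 404 when the POST profile is disabled and 403 when no assertion could be
     * obtained for the identity.
     *
     * @param sAMLRelyingPartyConfig partner the assertion is issued for
     * @param identity identity the assertion is about
     * @param str TARGET value requested by the user agent (untrusted)
     * @param httpServletRequest current request
     * @param httpServletResponse current response
     * @param servletContext context used to resolve a custom post form
     * @throws ServletException if the response cannot be generated or the custom post form
     *         is misconfigured
     * @throws IOException if sending an error status fails
     */
    public void dispatchPOSTRequest(SAMLRelyingPartyConfig sAMLRelyingPartyConfig, Identity identity, String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, ServletContext servletContext) throws ServletException, IOException {
        if (!this.ssoServiceConfig.isITSPostEnabled()) {
            httpServletResponse.sendError(404);
            return;
        }
        Element assertion = getAssertion(sAMLRelyingPartyConfig.getPartnerId(), identity, str, new SAMLContextHandler());
        if (assertion == null) {
            httpServletResponse.sendError(403);
            return;
        }
        String assertionConsumerURL = sAMLRelyingPartyConfig.getAssertionConsumerURL();
        String postForm = sAMLRelyingPartyConfig.getPostForm();
        if (assertionConsumerURL == null) {
            throw new ServletException(ServiceLogger.getSAMLCouldNotGenerate("assertion", "null URL"));
        }
        try {
            byte[] responseBytes = constructPOSTResponse(assertion, assertionConsumerURL);
            if (responseBytes == null) {
                logDebug("Failed to construct the POST response");
                throw new ServletException(ServiceLogger.getSAMLCouldNotGenerate("response", "unknown error"));
            }
            // The bytes come from SAMLResponse.toBase64(); decoded with the platform charset.
            String samlResponse = new String(responseBytes);

            // Request parameters other than TARGET and the partner id are passed through to
            // the consumer. Each name and value is decoded and re-encoded, so what reaches
            // the form is always in URL-encoded form rather than raw user input.
            Map requestParams = SAMLUtil.paramStringToMap(httpServletRequest.getQueryString());
            requestParams.remove("TARGET");
            requestParams.remove(SAMLUtil.RPID_PARAMETER_NAME);
            HashMap passThroughParams = new HashMap();
            for (Object o : requestParams.entrySet()) {
                Map.Entry entry = (Map.Entry) o;
                String name = URLDecoder.decode((String) entry.getKey(), "UTF-8");
                String value = URLDecoder.decode((String) entry.getValue(), "UTF-8");
                if (name.length() > 0 && value.length() > 0) {
                    passThroughParams.put(URLEncoder.encode(name, "UTF-8"), URLEncoder.encode(value, "UTF-8"));
                }
            }
            Map consumerParams = SAMLUtil.paramArrayToMap(sAMLRelyingPartyConfig.getAssertionConsumerParams());
            if (isDebugEnabled()) {
                String[] assertionConsumerParams = sAMLRelyingPartyConfig.getAssertionConsumerParams();
                for (int i = 0; assertionConsumerParams != null && i < assertionConsumerParams.length; i++) {
                    logDebug("ACSParams[" + i + "]: " + assertionConsumerParams[i]);
                }
            }
            if (isDebugEnabled()) {
                logDebug("Dispatch POST Request Target URL is '" + str + Expression.QUOTE);
            }
            // TARGET is the only caller-supplied value written verbatim into the form, so it
            // is escaped before use.
            String escapedTarget = Utils.escapeFormValue(str);
            if (isDebugEnabled()) {
                logDebug("POST FORM escaped TARGET is '" + escapedTarget + Expression.QUOTE);
            }
            if (postForm == null) {
                // NOTE(review): no Cache-Control/Pragma headers are set here although the page
                // carries a signed assertion; confirm whether a filter or the container adds them.
                httpServletResponse.setContentType("text/html");
                PrintWriter writer = httpServletResponse.getWriter();
                writer.println("<HTML>");
                writer.println("<HEAD>");
                writer.println("<TITLE>SAML Post Profile Intersite Transfer Service</TITLE>");
                writer.println("</HEAD>");
                writer.println("<BODY onLoad=\"document.forms[0].submit();\">");
                // NOTE(review): the consumer URL and the configured consumer parameters are
                // written without HTML escaping. They come from partner configuration, not
                // from the request, so this relies on that configuration being trusted.
                writer.println("<FORM METHOD=\"POST\" ACTION=\"" + assertionConsumerURL + "\">");
                outputFormParameter(writer, "TARGET", escapedTarget);
                if (this.ssoServiceConfig.isV2Config()) {
                    outputFormParameterMap(writer, consumerParams);
                    outputFormParameterMap(writer, passThroughParams);
                }
                outputFormParameter(writer, "SAMLResponse", samlResponse);
                writer.println("</FORM>");
                writer.println("</BODY>");
                writer.println("</HTML>");
                return;
            }
            ServletContext context = servletContext.getContext(postForm);
            if (context == null) {
                logDebug("can't get servlet context for custom post form: " + postForm);
                throw new ServletException(ServiceLogger.getSAMLInvalidPostFormConfig());
            }
            RequestDispatcher requestDispatcher = null;
            try {
                // Probe for getContextPath() so that an API level without it falls through
                // to the path-splitting fallback below.
                ServletContext.class.getMethod("getContextPath", (Class[]) null);
                String contextPath = context.getContextPath();
                if (contextPath == null || contextPath.length() == 0) {
                    contextPath = "/";
                }
                requestDispatcher = context.getRequestDispatcher(postForm.substring(contextPath.length()));
            } catch (NoSuchMethodException e) {
                logDebug("can't call getContextPath(): " + e.getMessage());
            } catch (SecurityException e2) {
                logDebug("can't call getContextPath(): " + e2.getMessage());
            }
            if (requestDispatcher == null) {
                // Fallback: treat the first path segment of the post form as the context root.
                int indexOf = postForm.indexOf("/", 1);
                String dispatcherPath = indexOf == -1 ? postForm : postForm.substring(indexOf);
                logDebug("dispatcherPath: " + dispatcherPath);
                requestDispatcher = context.getRequestDispatcher(dispatcherPath);
            }
            if (requestDispatcher == null) {
                throw new ServletException(ServiceLogger.getSAMLInvalidPostFormConfig());
            }
            // The custom form receives the same values as request attributes and is
            // responsible for rendering them safely.
            httpServletRequest.setAttribute("TARGET", escapedTarget);
            httpServletRequest.setAttribute(SAMLUtil.ACS_URL_ATTR_NAME, assertionConsumerURL);
            httpServletRequest.setAttribute(SAMLUtil.ACS_PARAMS_ATTR_NAME, consumerParams);
            httpServletRequest.setAttribute(SAMLUtil.ITS_REQUEST_PARAMS_ATTR_NAME, passThroughParams);
            httpServletRequest.setAttribute("SAMLResponse", samlResponse);
            requestDispatcher.forward(httpServletRequest, httpServletResponse);
        } catch (SAMLException e3) {
            throw new ServletException(ServiceLogger.getSAMLCouldNotGenerate("response", e3.getMessage()));
        } catch (IOException e4) {
            throw new ServletException(ServiceLogger.getSAMLCouldNotGenerate("response", e4.getMessage()));
        }
    }

    /**
     * Writes one hidden form field. Neither argument is escaped here; callers must pass
     * values that are already safe inside a double-quoted HTML attribute.
     */
    private void outputFormParameter(PrintWriter printWriter, String str, String str2) {
        printWriter.println("<INPUT TYPE=\"HIDDEN\" NAME=\"" + str + "\" VALUE=\"" + str2 + "\">");
    }

    /**
     * Writes every entry of the map as a hidden form field. Names and values are also
     * written to the debug log when debug is enabled.
     */
    private void outputFormParameterMap(PrintWriter printWriter, Map map) {
        for (Object o : map.entrySet()) {
            Map.Entry entry = (Map.Entry) o;
            String name = (String) entry.getKey();
            String value = (String) entry.getValue();
            if (isDebugEnabled()) {
                logDebug("Outputting param: " + name + "=" + value);
            }
            outputFormParameter(printWriter, name, value);
        }
    }

    /**
     * Handles an artifact-profile transfer: stores the assertion under a fresh artifact and
     * redirects the user agent to the partner's consumer URL with that artifact.
     *
     * <p>Responds 404 when the artifact profile is disabled and 403 when no assertion could
     * be obtained for the identity.
     *
     * @param sAMLRelyingPartyConfig partner the assertion is issued for
     * @param identity identity the assertion is about
     * @param str TARGET value requested by the user agent
     * @param httpServletRequest current request
     * @param httpServletResponse current response
     * @throws ServletException if the artifact cannot be built or the assertion cannot be stored
     * @throws IOException if sending the status or redirect fails
     */
    public void dispatchArtifactRequest(SAMLRelyingPartyConfig sAMLRelyingPartyConfig, Identity identity, String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        if (!this.ssoServiceConfig.isITSArtifactEnabled()) {
            httpServletResponse.sendError(404);
            return;
        }
        SAMLContextHandler sAMLContextHandler = new SAMLContextHandler();
        Element assertion = getAssertion(sAMLRelyingPartyConfig.getPartnerId(), identity, str, sAMLContextHandler);
        if (assertion == null) {
            httpServletResponse.sendError(403);
            return;
        }
        // The credential mapper reports the assertion id and expiry through the context handler.
        String assertionId = (String) sAMLContextHandler.getValue("com.bea.contextelement.saml.AssertionID");
        Long expireTime = (Long) sAMLContextHandler.getValue("com.bea.contextelement.saml.AssertionExpireTime");
        if (assertionId == null || expireTime == null) {
            throw new ServletException(ServiceLogger.getSAMLCouldNotGenerate("assertion", "null id or expire time"));
        }
        String artifact = constructArtifact(this.ssoServiceConfig.getSourceIdBytes(), assertionId);
        if (artifact == null) {
            throw new ServletException(ServiceLogger.getSAMLCouldNotGenerate("assertion", "null artifact"));
        }
        if (this.assertionStoreV2 != null) {
            // The V2 store records the partner id, which lets the look-up side check who
            // is asking for the assertion.
            if (!this.assertionStoreV2.storeAssertionInfo(artifact, sAMLRelyingPartyConfig.getPartnerId(), expireTime.longValue(), assertion)) {
                throw new ServletException(ServiceLogger.getSAMLCouldNotGenerate("assertion", "store assertion fail"));
            }
        } else {
            if (this.assertionStore == null) {
                throw new ServletException(ServiceLogger.getSAMLCouldNotGenerate("assertion", "unknown error"));
            }
            if (!this.assertionStore.storeAssertion(artifact, expireTime.longValue(), assertion)) {
                throw new ServletException(ServiceLogger.getSAMLCouldNotGenerate("assertion", "store assertion fail"));
            }
        }
        String consumerUrl = SAMLUtil.buildURLWithParams(sAMLRelyingPartyConfig.getAssertionConsumerURL(), sAMLRelyingPartyConfig.getAssertionConsumerParams());
        logDebug("SAMLSourceSite: Consumer URL with params is '" + consumerUrl + Expression.QUOTE);
        // Start from an empty suffix: concatenating a null query string used to append the
        // literal text "null" to the artifact parameter.
        String extraParams = "";
        String queryString = httpServletRequest.getQueryString();
        if (queryString != null && queryString.length() > 0) {
            logDebug("Original request query params: '" + queryString + Expression.QUOTE);
            extraParams = "&" + SAMLUtil.queryStringStripParam(queryString, SAMLUtil.RPID_PARAMETER_NAME);
            logDebug("Modified request query params: '" + extraParams + Expression.QUOTE);
        }
        // NOTE(review): the artifact and the full redirect URL are logged at debug level.
        logDebug("SAMLSourceSite: Artifact is '" + artifact + Expression.QUOTE);
        String artifactParam = "SAMLart=" + URLEncoder.encode(artifact, "UTF-8");
        logDebug("SAMLSourceSite: URL-encoded artifact param is '" + artifactParam + Expression.QUOTE);
        String redirectUrl = consumerUrl + artifactParam + extraParams;
        logDebug("Redirect URL is '" + redirectUrl + Expression.QUOTE);
        String encodeRedirectURL = SAMLUtil.ENABLE_URL_REWRITING ? httpServletResponse.encodeRedirectURL(redirectUrl) : redirectUrl;
        if (SAMLUtil.ENABLE_URL_REWRITING) {
            logDebug("Encoded redirect URL is '" + encodeRedirectURL + Expression.QUOTE);
        }
        httpServletResponse.sendRedirect(encodeRedirectURL);
    }

    /**
     * Answers an artifact look-up arriving over the SOAP binding.
     *
     * <p>Responds 404 when the artifact profile is disabled, 403 when the requester is not
     * authorised for the requested artifacts, and a SOAP fault when the request or the
     * response cannot be processed.
     *
     * @param httpServletRequest request carrying the SOAP message
     * @param httpServletResponse response to write to
     * @param x509Certificate client certificate presented by the requester, or null
     * @param str Base64 Basic-auth credential presented by the requester, or null
     * @throws ServletException declared for callers; not thrown directly here
     * @throws IOException if sending a status fails
     */
    public void dispatchAssertionRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, X509Certificate x509Certificate, String str) throws ServletException, IOException {
        if (!this.ssoServiceConfig.isITSArtifactEnabled()) {
            httpServletResponse.sendError(404);
            return;
        }
        SAMLSOAPBinding sAMLSOAPBinding = new SAMLSOAPBinding();
        logDebug("dispatchAssertionRequest: Setting response content type to 'text/xml;charset=UTF-8" + Expression.QUOTE);
        httpServletResponse.setContentType("text/xml;charset=UTF-8");
        try {
            SAMLRequest samlRequest = sAMLSOAPBinding.receive(httpServletRequest);
            logDebug("dispatchAssertionRequest: Got SAML Request from SOAP message");
            Iterator artifacts = samlRequest.getArtifacts();
            try {
                logDebug("dispatchAssertionRequest: fetching assertions");
                List assertions = lookupStoredAssertions(artifacts, x509Certificate, str);
                if (assertions == null) {
                    // null means the requester failed authentication, as opposed to an
                    // empty list, which means nothing could be returned.
                    logDebug("dispatchAssertionRequest: destination site auth failure, returning FORBIDDEN");
                    httpServletResponse.sendError(403);
                } else {
                    logDebug("dispatchAssertionRequest: building response");
                    SAMLResponse samlResponse = constructAssertionResponse(samlRequest.getId(), assertions);
                    logDebug("dispatchAssertionRequest: Sending response to requester");
                    sAMLSOAPBinding.respond(httpServletResponse, samlResponse, (SAMLException) null);
                }
            } catch (SAMLException e) {
                logDebug("dispatchAssertionRequest: Exception while building response: " + e.toString());
                sAMLSOAPBinding.respond(httpServletResponse, (SAMLResponse) null, e);
            }
        } catch (SAMLException e2) {
            logDebug("dispatchAssertionRequest: Exception while processing request, returning SOAP fault: " + e2.toString());
            sAMLSOAPBinding.respond(httpServletResponse, (SAMLResponse) null, e2);
        }
    }

    /**
     * Asks the credential mapper for a DOM assertion for the identity, partner and target.
     *
     * @return the first credential returned, or null when the mapper returns none
     */
    private Element getAssertion(String str, Identity identity, String str2, SAMLContextHandler sAMLContextHandler) {
        sAMLContextHandler.addElement(new ContextElement("com.bea.contextelement.saml.PartnerId", str));
        sAMLContextHandler.addElement(new ContextElement("com.bea.contextelement.saml.TargetResource", str2));
        Object[] credentials = this.credMapper.getCredentials(identity, identity, this.rs, sAMLContextHandler, "SAML.Assertion.DOM");
        if (credentials == null || credentials.length == 0) {
            return null;
        }
        return (Element) credentials[0];
    }

    /**
     * Builds a 42-byte artifact: two type-code bytes (0, 1), the first 20 bytes of the
     * source id, and the SHA-1 digest of the assertion id, Base64-encoded.
     *
     * <p>NOTE(review): the handle part is derived from the assertion id rather than drawn
     * from a random source, so the artifact is only as unpredictable as the assertion id.
     *
     * @param bArr source id bytes; at least 20 are required
     * @param str assertion id
     * @return the encoded artifact, or null if an input is missing or SHA-1 is unavailable
     */
    private String constructArtifact(byte[] bArr, String str) {
        if (str == null || str.length() == 0) {
            return null;
        }
        if (bArr == null || bArr.length < 20) {
            // Previously a short or missing source id failed with an unchecked exception.
            logDebug("constructArtifact: source id is missing or shorter than 20 bytes");
            return null;
        }
        try {
            // The assertion id is encoded with the platform default charset, as before.
            byte[] digest = MessageDigest.getInstance("SHA-1").digest(str.getBytes());
            byte[] artifact = new byte[42];
            artifact[0] = 0;
            artifact[1] = 1;
            System.arraycopy(bArr, 0, artifact, 2, 20);
            System.arraycopy(digest, 0, artifact, 22, 20);
            return SAMLUtil.base64Encode(artifact);
        } catch (NoSuchAlgorithmException e) {
            return null;
        }
    }

    /**
     * Wraps the assertion in a response addressed to the consumer URL, signs it with the
     * protocol signing key and returns it Base64-encoded.
     *
     * <p>The signing certificate's validity period is checked first. An expired or not yet
     * valid certificate aborts signing unless the JVM system property
     * {@code com.bea.common.security.saml.allowExpiredCerts} is {@code true}.
     *
     * @return the encoded response, or null if an argument, the key manager or the signing
     *         key is missing
     * @throws SAMLException if building or signing the response fails
     * @throws IOException if the certificate is outside its validity period and the override
     *         is not set
     */
    private byte[] constructPOSTResponse(Element element, String str) throws SAMLException, IOException {
        if (element == null || str == null) {
            return null;
        }
        SAMLKeyManager sAMLKeyManager = this.keyManager;
        if (sAMLKeyManager == null) {
            logDebug("Unable to locate SAML Key Manager");
            return null;
        }
        SAMLAssertion sAMLAssertion = new SAMLAssertion(element);
        SAMLResponse sAMLResponse = new SAMLResponse();
        sAMLResponse.setRecipient(str);
        sAMLResponse.addAssertion(sAMLAssertion);
        SAMLKeyManager.KeyInfo protocolSigningKeyInfo = sAMLKeyManager.getProtocolSigningKeyInfo();
        if (protocolSigningKeyInfo == null) {
            logDebug("Unable to retrieve protocol signing key info");
            return null;
        }
        // NOTE(review): when the override is active, use of an invalid certificate is only
        // visible in the debug log.
        boolean allowInvalidCert = Boolean.getBoolean(allowExpiredCerts);
        try {
            ((X509Certificate) protocolSigningKeyInfo.getCert()).checkValidity();
        } catch (CertificateExpiredException e) {
            logDebug("constructPOSTResponse: Using expired certificate to sign response");
            if (!allowInvalidCert) {
                throw new IOException("Using expired certificate to sign response: " + e.getMessage());
            }
        } catch (CertificateNotYetValidException e2) {
            logDebug("constructPOSTResponse:Certificate being used to sign response is not yet valid");
            if (!allowInvalidCert) {
                throw new IOException("Certificate being used to sign response is not yet valid: " + e2.getMessage());
            }
        }
        sAMLResponse.sign(SignatureMethod_RSA_SHA1_URI, protocolSigningKeyInfo.getKey(), protocolSigningKeyInfo.getCertAsList());
        return sAMLResponse.toBase64();
    }

    /**
     * Resolves the requested artifacts to stored assertions after checking the requester.
     *
     * <p>The result is all-or-nothing: if any artifact is unknown, an empty list is
     * returned; if the requester is not authorised, null is returned.
     *
     * <p>With a version 1 store there is no partner to check against. A presented client
     * certificate must be trusted and Basic-auth credentials are always rejected, but a
     * requester that presents neither is accepted. With a version 2 store, the partner
     * recorded with the first artifact is verified and every further artifact must belong
     * to the same partner.
     *
     * <p>NOTE(review): assertions are retrieved from the store before the authorisation
     * outcome is known. If retrieval consumes the entry, an unauthorised requester could
     * invalidate artifacts it cannot read; confirm against the store implementation.
     *
     * @param it artifacts requested, as strings
     * @param x509Certificate client certificate presented by the requester, or null
     * @param str Base64 Basic-auth credential presented by the requester, or null
     * @return the assertions, an empty list, or null on authorisation failure
     * @throws SAMLException if a stored element cannot be turned into an assertion
     */
    private List lookupStoredAssertions(Iterator it, X509Certificate x509Certificate, String str) throws SAMLException {
        logDebug("lookupStoredAssertions: fetching assertions");
        if (!it.hasNext()) {
            logDebug("lookupStoredAssertions: no assertions were requested");
        }
        ArrayList assertions = new ArrayList();
        boolean allFound = true;
        boolean requesterChecked = false;
        boolean authorized = true;
        String firstPartnerId = null;
        while (it.hasNext()) {
            String artifact = (String) it.next();
            logDebug("lookupStoredAssertions: fetching assertion for artifact '" + artifact + Expression.QUOTE);
            if (this.assertionStoreV2 == null) {
                if (this.assertionStore == null) {
                    logDebug("lookupStoredAssertions: no assertion store!");
                    allFound = false;
                    break;
                }
                if (!requesterChecked) {
                    // Checked once per request, on the first artifact.
                    if (x509Certificate != null && !this.trustManager.isCertificateTrusted(x509Certificate)) {
                        logDebug("lookupStoredASsertions: auth failure: invalid credentials: certificate not trusted");
                        authorized = false;
                    }
                    if (str != null) {
                        logDebug("lookupStoredASsertions: auth failure: invalid credentials: basic auth not enabled");
                        authorized = false;
                    }
                    requesterChecked = true;
                }
                Element stored = this.assertionStore.retrieveAssertion(artifact);
                if (stored == null) {
                    logDebug("lookupStoredAssertions: assertion not found for artifact '" + artifact + "', will return no assertions");
                    allFound = false;
                } else if (allFound && authorized) {
                    assertions.add(new SAMLAssertion(stored));
                }
            } else {
                SAMLAssertionStoreV2.AssertionInfo info = this.assertionStoreV2.retrieveAssertionInfo(artifact);
                if (info == null) {
                    logDebug("lookupStoredAssertions: assertion not found for artifact '" + artifact + "', will return no assertions");
                    allFound = false;
                } else {
                    SAMLRelyingPartyConfig partner = this.partnerManager.findRelyingParty(info.getPartnerId());
                    if (partner == null) {
                        logDebug("lookupStoredAssertions: auth failure: partner '" + info.getPartnerId() + "' not found");
                        authorized = false;
                    } else {
                        if (!requesterChecked) {
                            if (!verifyDestinationSite(partner, x509Certificate, str)) {
                                logDebug("lookupStoredASsertions: auth failure: missing/invalid credentials for partner '" + partner.getPartnerId() + Expression.QUOTE);
                                authorized = false;
                            }
                            requesterChecked = true;
                            firstPartnerId = partner.getPartnerId();
                        } else if (!firstPartnerId.equals(partner.getPartnerId())) {
                            // One request may not span artifacts issued to different partners.
                            logDebug("lookupStoredAssertions: auth failure: multiple partner IDs");
                            authorized = false;
                        }
                        if (allFound && authorized) {
                            assertions.add(new SAMLAssertion(info.getAssertion()));
                        }
                    }
                }
            }
        }
        if (!authorized) {
            return null;
        }
        if (!allFound) {
            assertions.clear();
        }
        return assertions;
    }

    /** Builds an unsigned response that answers request {@code str} with the given assertions. */
    private SAMLResponse constructAssertionResponse(String str, List list) throws SAMLException {
        SAMLResponse sAMLResponse = new SAMLResponse();
        sAMLResponse.setInResponseTo(str);
        sAMLResponse.setAssertions(list);
        return sAMLResponse;
    }

    /**
     * Checks the requester's credentials against what the partner configuration requires.
     *
     * <p>A client certificate is required and must match the configured alias only when an
     * alias is configured. Basic auth is required when a username or password is
     * configured, and presenting it when none is configured is a failure. A partner with
     * neither configured is accepted without any credential.
     *
     * @param sAMLRelyingPartyConfig partner recorded with the artifact
     * @param x509Certificate client certificate presented, or null
     * @param str Base64 Basic-auth credential presented, or null
     * @return true if the requester satisfies the partner's requirements
     */
    private boolean verifyDestinationSite(SAMLRelyingPartyConfig sAMLRelyingPartyConfig, X509Certificate x509Certificate, String str) {
        String sSLClientCertAlias = sAMLRelyingPartyConfig.getSSLClientCertAlias();
        if (sSLClientCertAlias != null) {
            if (x509Certificate == null) {
                logDebug("verifyDestinationSite: auth failure for partner '" + sAMLRelyingPartyConfig.getPartnerId() + "', client cert required but not provided");
                return false;
            }
            if (!this.trustManager.isCertificateTrustedAlias(x509Certificate, sSLClientCertAlias)) {
                logDebug("verifyDestinationSite: auth failure for partner '" + sAMLRelyingPartyConfig.getPartnerId() + "', supplied client cert not trusted");
                return false;
            }
        }
        String aRSUsername = sAMLRelyingPartyConfig.getARSUsername();
        String aRSPassword = sAMLRelyingPartyConfig.getARSPassword();
        boolean basicAuthConfigured = (aRSUsername != null && aRSUsername.length() > 0) || (aRSPassword != null && aRSPassword.length() > 0);
        if (!basicAuthConfigured) {
            if (str != null) {
                logDebug("verifyDestinationSite: auth failure for partner '" + sAMLRelyingPartyConfig.getPartnerId() + "', Basic auth not required but username/password was provided");
                return false;
            }
        } else {
            if (str == null) {
                logDebug("verifyDestinationSite: auth failure for partner '" + sAMLRelyingPartyConfig.getPartnerId() + "', Basic auth required but username/password not provided");
                return false;
            }
            byte[] decoded;
            try {
                decoded = SAMLUtil.base64Decode(str);
            } catch (IOException e) {
                decoded = null;
            }
            if (decoded == null) {
                logDebug("verifyDestinationSite: auth failure for partner '" + sAMLRelyingPartyConfig.getPartnerId() + "', could not decode Basic auth credential");
                return false;
            }
            // Same equality as before (platform-charset decode, then compare), but evaluated
            // without stopping at the first differing character.
            if (!constantTimeEquals(new String(decoded), aRSUsername + ":" + aRSPassword)) {
                logDebug("verifyDestinationSite: auth failure for partner '" + sAMLRelyingPartyConfig.getPartnerId() + "', Basic auth credentials invalid");
                return false;
            }
        }
        logDebug("verifyDestinationSite: authentication/verification succeeded for partner '" + sAMLRelyingPartyConfig.getPartnerId() + Expression.QUOTE);
        return true;
    }

    /** Compares two strings by their UTF-8 bytes using {@link MessageDigest#isEqual}. */
    private static boolean constantTimeEquals(String presented, String expected) {
        try {
            return MessageDigest.isEqual(presented.getBytes("UTF-8"), expected.getBytes("UTF-8"));
        } catch (IOException e) {
            // UnsupportedEncodingException; treated as a mismatch so the check fails closed.
            return false;
        }
    }

    /**
     * Finds the relying party for a request, by explicit partner id when given, otherwise
     * by the profile implied by the request URI together with {@code str2}.
     *
     * @param str partner id from the request, or null
     * @param str2 value passed to the by-request-parameters look-up
     * @param str3 request URI; must end in "/post" or "/artifact" when no partner id is given
     * @return the partner configuration, or null if none can be determined
     */
    public SAMLRelyingPartyConfig lookupPartner(String str, String str2, String str3) {
        if (str != null) {
            return this.partnerManager.findRelyingParty(str);
        }
        String confMethod;
        if (str3 != null && str3.endsWith(postURI)) {
            confMethod = "bearer";
        } else if (str3 != null && str3.endsWith(artifactURI)) {
            confMethod = SAMLProfile.CONF_ARTIFACT;
        } else {
            // Also reached for a null URI, which previously raised a NullPointerException.
            logDebug("lookupPartner: No RPID provided and request is not on '/post' or '/artifact' URI");
            return null;
        }
        return this.partnerManager.findRelyingPartyByRequestParams(confMethod, str2);
    }

    /**
     * Detects a request that arrived on the endpoint of the profile the partner is not
     * configured for.
     *
     * @param sAMLRelyingPartyConfig partner configuration
     * @param str request URI
     * @return "Artifact" for a bearer partner on the artifact URI, "POST" for an artifact
     *         partner on the post URI, or null when there is no mismatch
     */
    public String validateRequestURI(SAMLRelyingPartyConfig sAMLRelyingPartyConfig, String str) {
        if (sAMLRelyingPartyConfig.getProfileConfMethodName().equals("bearer") && str.endsWith(artifactURI)) {
            return "Artifact";
        }
        if (sAMLRelyingPartyConfig.getProfileConfMethodName().equals(SAMLProfile.CONF_ARTIFACT) && str.endsWith(postURI)) {
            return "POST";
        }
        return null;
    }
}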
