package org.xacml4j.opensaml;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.xml.namespace.QName;
import javax.xml.transform.dom.DOMResult;
import org.opensaml.saml2.core.RequestAbstractType;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xacml.ctx.RequestType;
import org.opensaml.xacml.profile.saml.XACMLAuthzDecisionQueryType;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.parse.XMLParserException;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityConfiguration;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureException;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.validation.ValidationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.xacml4j.v30.Attribute;
import org.xacml4j.v30.AttributeExp;
import org.xacml4j.v30.Categories;
import org.xacml4j.v30.Category;
import org.xacml4j.v30.Entity;
import org.xacml4j.v30.RequestContext;
import org.xacml4j.v30.ResponseContext;
import org.xacml4j.v30.SubjectAttributes;
import org.xacml4j.v30.XacmlSyntaxException;
import org.xacml4j.v30.marshal.jaxb.Xacml20RequestContextUnmarshaller;
import org.xacml4j.v30.marshal.jaxb.Xacml20ResponseContextMarshaller;
import org.xacml4j.v30.pdp.PolicyDecisionPoint;
import org.xacml4j.v30.types.StringExp;

/* loaded from: input_file:org/xacml4j/opensaml/XACMLAuthzDecisionQueryEndpoint.class */
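/**
 * SAML endpoint that answers {@code XACMLAuthzDecisionQuery} messages by evaluating the embedded
 * XACML 2.0 request against the local {@link PolicyDecisionPoint}.
 * <p>
 * Processing order for a request:
 * <ol>
 *   <li>reject anything that is not an {@link XACMLAuthzDecisionQueryType} or carries no XACML request;</li>
 *   <li>unless signature validation has been disabled, require a signature that passes the SAML
 *       signature-profile check and is trusted by the configured trust engine for the requester's
 *       {@code SPSSODescriptor} signing key (requester identified by the SAML {@code Issuer});</li>
 *   <li>require the {@code Destination} to name one of this PDP's configured authorization services;</li>
 *   <li>evaluate the XACML request, with the SAML issuer injected as the intermediary subject, and return
 *       a signed SAML response carrying the decision.</li>
 * </ol>
 * <b>Security caveat:</b> the SAML {@code Issuer} value is copied into the XACML request as the
 * {@code subject-intermediary} subject-id, which policies may rely on to identify the requesting PEP.
 * That value is only authenticated when signature validation is enabled (the default). With
 * {@link #setRequireSignatureValidation(boolean)} set to {@code false} any caller can claim any issuer,
 * so that mode must not be used outside a trusted test environment.
 * <p>
 * Successful responses are signed; error responses are returned unsigned.
 */
public class XACMLAuthzDecisionQueryEndpoint implements OpenSamlEndpoint {
    private static final Logger log = LoggerFactory.getLogger(XACMLAuthzDecisionQueryEndpoint.class);

    /** SAML 2.0 top-level status: the request was malformed or otherwise the requester's fault. */
    private static final String STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester";
    /** SAML 2.0 top-level status: an otherwise valid request failed on the responder side. */
    private static final String STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder";
    /** Protocol the requester's SPSSODescriptor must support for its signing key to be considered. */
    private static final String SAML20_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol";
    /**
     * Response signature algorithm. RSA-SHA256 replaces the RSA-SHA1 URI previously hard-coded here;
     * SHA-1 is no longer acceptable for new signatures.
     */
    private static final String SIGNATURE_ALGORITHM = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    private static final String C14N_ALGORITHM = "http://www.w3.org/2001/10/xml-exc-c14n#";

    private final IDPConfiguration idpConfig;
    private final PolicyDecisionPoint pdp;
    private final Xacml20RequestContextUnmarshaller xacmlRequest20Unmarshaller = new Xacml20RequestContextUnmarshaller();
    private final Xacml20ResponseContextMarshaller xacmlResponse20Marshaller = new Xacml20ResponseContextMarshaller();
    private final BasicParserPool parserPool = new BasicParserPool();
    /** When {@code false}, unsigned and untrusted requests are processed; see the class comment. */
    private boolean requireSignatureValidation;

    /**
     * @param iDPConfiguration local entity, signing credential, trust engine and authz service locations
     * @param policyDecisionPoint PDP that evaluates the unwrapped XACML requests
     */
    public XACMLAuthzDecisionQueryEndpoint(IDPConfiguration iDPConfiguration, PolicyDecisionPoint policyDecisionPoint) {
        this.idpConfig = iDPConfiguration;
        this.pdp = policyDecisionPoint;
        // DOM documents built here are marshalled into SAML/XACML, which is namespace-sensitive.
        this.parserPool.setNamespaceAware(true);
        this.requireSignatureValidation = true;
    }

    /**
     * Enables or disables request signature validation. Disabling it removes the only authentication
     * of the requester; intended for testing only.
     */
    public void setRequireSignatureValidation(boolean z) {
        this.requireSignatureValidation = z;
    }

    /**
     * Handles one SAML request and always returns a SAML {@link Response}: a signed decision response
     * on success, or an unsigned error response whose status message describes the failure class.
     * Unexpected exceptions are logged and reported as a generic responder-side "Internal error".
     */
    @Override // org.xacml4j.opensaml.OpenSamlEndpoint
    public Response handle(RequestAbstractType requestAbstractType) {
        if (log.isDebugEnabled()) {
            QName elementQName = requestAbstractType.getElementQName();
            log.debug("Processing SAML request type=\"{}:{}\"", elementQName.getNamespaceURI(), elementQName.getLocalPart());
        }
        if (!(requestAbstractType instanceof XACMLAuthzDecisionQueryType)) {
            return makeErrorResponse(requestAbstractType, "Invalid request");
        }
        XACMLAuthzDecisionQueryType query = (XACMLAuthzDecisionQueryType) requestAbstractType;
        RequestType request = query.getRequest();
        if (request == null) {
            log.debug("No XACML request found in the given request");
            return makeErrorResponse(requestAbstractType, "Invalid request");
        }
        try {
            if (!this.requireSignatureValidation) {
                // Operating without authentication of the requester: worth more than an info line.
                log.warn("Signature validation has been disabled");
            } else if (!validateRequestSignature(requestAbstractType)) {
                log.debug("Failed to validate signature");
                return makeErrorResponse(requestAbstractType, "Failed to validate signature");
            }
            if (!validateRequest(requestAbstractType)) {
                log.debug("Failed to validate request");
                return makeErrorResponse(requestAbstractType, "Failed to validate request");
            }
            // With signature validation disabled the issuer has not been checked yet; a missing issuer
            // is a malformed request, not an internal error.
            String issuerId = issuerOf(requestAbstractType);
            if (issuerId == null) {
                log.debug("Request does not have issuer");
                return makeErrorResponse(requestAbstractType, "Invalid request");
            }
            Document requestDocument = this.parserPool.newDocument();
            OpenSamlObjectBuilder.marshallXacml20Request(request, requestDocument);
            Document responseDocument = performXacmlRequest(issuerId, requestDocument);
            String localEntityId = this.idpConfig.getLocalEntity().getEntityID();
            // ReturnContext asks for the evaluated request to be echoed in the assertion.
            boolean returnContext = Boolean.TRUE.equals(query.isReturnContext());
            Response response = OpenSamlObjectBuilder.makeXacml20AuthzDecisionQueryResponse(
                    localEntityId,
                    query,
                    OpenSamlObjectBuilder.makeXacml20AuthzDecisionAssertion(
                            localEntityId,
                            returnContext ? request : null,
                            OpenSamlObjectBuilder.unmarshallXacml20Response(responseDocument.getDocumentElement())));
            signResponse(response);
            return response;
        } catch (Exception e) {
            log.error("Caught exception while processing XacmlAuthDecisionQuery", e);
            // Failure on our side: report it as a responder error rather than blaming the requester.
            return makeErrorResponse(requestAbstractType, STATUS_RESPONDER, "Internal error");
        }
    }

    /** Builds an unsigned error response with the {@code Requester} status code. */
    private Response makeErrorResponse(RequestAbstractType requestAbstractType, String message) {
        return makeErrorResponse(requestAbstractType, STATUS_REQUESTER, message);
    }

    /**
     * Builds an unsigned error response in reply to {@code requestAbstractType}.
     *
     * @param statusCode SAML top-level status code URI
     * @param message status message returned to the requester; keep it generic, it is visible on the wire
     */
    private Response makeErrorResponse(RequestAbstractType requestAbstractType, String statusCode, String message) {
        Response response = OpenSamlObjectBuilder.makeResponse(requestAbstractType, OpenSamlObjectBuilder.makeStatus(statusCode, message));
        response.setIssuer(OpenSamlObjectBuilder.makeIssuer(this.idpConfig.getLocalEntity().getEntityID()));
        return response;
    }

    /**
     * Returns the request's {@code Issuer} value, or {@code null} when the issuer element is absent or
     * its value is null/empty.
     */
    private static String issuerOf(RequestAbstractType requestAbstractType) {
        if (requestAbstractType.getIssuer() == null) {
            return null;
        }
        String value = requestAbstractType.getIssuer().getValue();
        return (value == null || value.isEmpty()) ? null : value;
    }

    /**
     * Checks that the request is signed, that the signature conforms to the SAML signature profile,
     * and that the configured trust engine accepts it for the issuer's SPSSODescriptor signing key.
     *
     * @return {@code true} only if every check passed; a profile violation is treated as an untrusted
     *         signature rather than an internal error
     * @throws SecurityException if the trust engine itself fails
     */
    private boolean validateRequestSignature(RequestAbstractType requestAbstractType) throws SecurityException {
        Signature signature = requestAbstractType.getSignature();
        if (signature == null) {
            log.debug("Request is not signed");
            return false;
        }
        // Structural profile check first: a signature that does not follow the SAML profile is rejected
        // before any key lookup or cryptographic verification is attempted.
        try {
            new SAMLSignatureProfileValidator().validate(signature);
        } catch (ValidationException e) {
            log.debug("Request signature does not conform to the SAML signature profile", e);
            return false;
        }
        String issuerId = issuerOf(requestAbstractType);
        if (issuerId == null) {
            log.debug("Request does not have issuer");
            return false;
        }
        // Key resolution is pinned to the claimed issuer's SP role and SIGNING usage; the trust engine
        // decides whether the signing key is one published for that entity.
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIDCriteria(issuerId));
        criteria.add(new MetadataCriteria(SPSSODescriptor.DEFAULT_ELEMENT_NAME, SAML20_PROTOCOL));
        criteria.add(new UsageCriteria(UsageType.SIGNING));
        boolean trusted = this.idpConfig.getSignatureTrustEngine().validate(signature, criteria);
        if (log.isDebugEnabled()) {
            log.debug("Is SAML request XML dsig trusted=\"{}\"", Boolean.valueOf(trusted));
        }
        return trusted;
    }

    /**
     * Checks that the request's {@code Destination} names one of this PDP's configured authorization
     * services, binding the (signed) request to this endpoint.
     * A missing Destination is passed through as {@code null}; whether that can match a configured
     * service is up to {@link IDPConfiguration#getAuthzServiceByLocation} — NOTE(review): confirm it
     * returns {@code null} for a {@code null} location.
     */
    private boolean validateRequest(RequestAbstractType requestAbstractType) {
        boolean known = this.idpConfig.getAuthzServiceByLocation(requestAbstractType.getDestination()) != null;
        if (!known) {
            log.debug("Failed to get authorization service by destination location");
        }
        return known;
    }

    /**
     * Evaluates a XACML 2.0 request DOM against the PDP and returns the XACML 2.0 response as a DOM.
     * The caller is responsible for having authenticated {@code str}: it is written into the request as
     * the intermediary subject-id, replacing any such category the requester supplied.
     *
     * @param str identifier of the requesting party (the SAML issuer)
     * @param document DOM holding the XACML 2.0 request element
     * @throws IOException from request unmarshalling
     * @throws XMLParserException if a response document cannot be created
     * @throws XacmlSyntaxException if the XACML request is malformed
     */
    public Document performXacmlRequest(String str, Document document) throws IOException, XMLParserException {
        try {
            RequestContext decorated = addIssuerToRequest(str, (RequestContext) this.xacmlRequest20Unmarshaller.unmarshal(document));
            if (log.isDebugEnabled()) {
                log.debug("XACML request=\"{}\"", decorated);
            }
            ResponseContext decision = this.pdp.decide(decorated);
            Document responseDocument = this.parserPool.newDocument();
            this.xacmlResponse20Marshaller.marshal(decision, new DOMResult(responseDocument));
            return responseDocument;
        } catch (IOException e) {
            log.debug(e.getMessage(), e);
            throw e;
        } catch (XacmlSyntaxException e) {
            log.debug(e.getMessage(), e);
            throw e;
        } catch (XMLParserException e) {
            log.debug(e.getMessage(), e);
            throw e;
        }
    }

    /**
     * Signs {@code response} with the local signing credential (RSA-SHA256, exclusive C14N).
     * Parameters not set explicitly — KeyInfo and the reference digest algorithm among them — come
     * from the global OpenSAML security configuration; NOTE(review): confirm that configuration does
     * not default the digest to SHA-1.
     */
    private void signResponse(Response response) throws SecurityException, MarshallingException, SignatureException {
        Signature signature = (Signature) Configuration.getBuilderFactory()
                .getBuilder(Signature.DEFAULT_ELEMENT_NAME)
                .buildObject(Signature.DEFAULT_ELEMENT_NAME);
        signature.setSigningCredential(this.idpConfig.getSigningCredential());
        signature.setSignatureAlgorithm(SIGNATURE_ALGORITHM);
        signature.setCanonicalizationAlgorithm(C14N_ALGORITHM);
        response.setSignature(signature);
        SecurityHelper.prepareSignatureParams(signature, this.idpConfig.getSigningCredential(), (SecurityConfiguration) null, (String) null);
        // The signature is computed over the marshalled DOM, so marshalling must precede signing.
        Configuration.getMarshallerFactory().getMarshaller(response).marshall(response);
        Signer.signObject(signature);
    }

    /**
     * Returns a copy of {@code requestContext} whose {@code subject-intermediary} category holds exactly
     * one entity with {@code subject-id = str}. Any intermediary-subject category already present in the
     * request is dropped, so a requester cannot pre-populate this identity.
     */
    private RequestContext addIssuerToRequest(String str, RequestContext requestContext) {
        Category intermediary = Category.builder(Categories.SUBJECT_INTERMEDIARY)
                .entity(Entity.builder()
                        .attribute(new Attribute[]{
                                Attribute.builder(SubjectAttributes.SUBJECT_ID.toString())
                                        .value(new AttributeExp[]{StringExp.of(str)})
                                        .build()})
                        .build())
                .build();
        List<Category> categories = new ArrayList<Category>();
        categories.add(intermediary);
        for (Category category : requestContext.getAttributes()) {
            if (!category.getCategoryId().equals(intermediary.getCategoryId())) {
                categories.add(category);
            }
        }
        return RequestContext.builder().copyOf(requestContext, categories).build();
    }
}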
