package com.sun.identity.authentication.modules.saml;

import com.iplanet.am.util.Debug;
import com.iplanet.am.util.Misc;
import com.iplanet.services.util.Base64;
import com.sun.identity.authentication.spi.AMLoginModule;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.authentication.spi.SAMLCallback;
import com.sun.identity.saml.SAMLClient;
import com.sun.identity.saml.assertion.Subject;
import com.sun.identity.saml.common.SAMLConstants;
import com.sun.identity.saml.common.SAMLException;
import com.sun.identity.saml.common.SAMLServiceManager;
import com.sun.identity.saml.common.SAMLUtils;
import com.sun.identity.saml.protocol.AssertionArtifact;
import com.sun.identity.saml.protocol.Response;
import java.io.IOException;
import java.security.Principal;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.ResourceBundle;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.servlet.http.HttpServletRequest;

/* loaded from: input_file:119465-01/SUNWamsdk/reloc/SUNWam/lib/am_services.jar:com/sun/identity/authentication/modules/saml/SAML.class */
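/**
 * SAML 1.x authentication module for Access Manager.
 *
 * <p>The module accepts either a SAML artifact or a SAML response, obtained in one of two ways:
 * <ul>
 *   <li>directly from the HTTP request ({@link #processRequest}) — the artifact comes from the
 *       configured artifact parameter, the response from the {@code SAMLResponse} parameter; or</li>
 *   <li>from a {@link SAMLCallback} handed to the callback handler ({@link #sendCallbacks}) when
 *       no HTTP request is available.</li>
 * </ul>
 * The artifact is resolved through {@link SAMLClient#artifactQueryHandler}; the response is
 * checked with {@link SAMLUtils#verifyAssertionAndGetSSMap}. The resulting assertions are mapped
 * to a local user name via {@link SAMLUtils#getAttributeMap}, which becomes the principal.
 *
 * <p>Security notes (see the individual methods):
 * <ul>
 *   <li>On the HTTP path the response signature is always verified and the response is checked
 *       against the request URL. On the callback path the signature is verified only when the
 *       caller set {@code checkSignature} on the callback — the module trusts the caller here.</li>
 *   <li>The module never reports success without a mapped user name.</li>
 * </ul>
 */
public class SAML extends AMLoginModule {
    private String userTokenId;
    private Map options;
    private String authLevel;
    private Map sharedState;
    private CallbackHandler callbackHandler;
    private static final String amAuthSAML = "amAuthSAML";
    private static Debug debug = Debug.getInstance(amAuthSAML);
    private static final String AUTH_LEVEL = "sunAMAuthSAMLAuthLevel";
    private Principal userPrincipal = null;
    private ResourceBundle bundle = null;
    /** Artifact(s) received; when non-null the artifact path is taken and any response is ignored. */
    private String[] arti = null;
    private Response samlResponse = null;
    private String target = null;
    private SAMLServiceManager.SOAPEntry partnerdest = null;
    private Subject assertionSubject = null;
    private Map attrMap = null;
    private List assertions = null;
    /** Whether {@link #processResponse} must verify the response signature; only set on the callback path. */
    private boolean checkSignature = false;

    public SAML() {
        debug.message("SAML()");
    }

    /**
     * Initialises the module: loads the resource bundle for the login locale, caches the callback
     * handler and module options, and applies the configured auth level (if parseable).
     *
     * @param subject the JAAS subject (unused here)
     * @param map     shared state passed between chained modules
     * @param map2    module options; {@code sunAMAuthSAMLAuthLevel} is read from it
     */
    @Override // com.sun.identity.authentication.spi.AMLoginModule
    public void init(javax.security.auth.Subject subject, Map map, Map map2) {
        debug.message("in initialize...");
        Locale loginLocale = getLoginLocale();
        this.bundle = AMLoginModule.amCache.getResBundle(amAuthSAML, loginLocale);
        if (debug.messageEnabled()) {
            debug.message(new StringBuffer().append("amAuthSAML Authentication resource bundle locale=").append(loginLocale).toString());
        }
        this.callbackHandler = getCallbackHandler();
        this.options = map2;
        this.sharedState = map;
        if (map2 == null) {
            return;
        }
        try {
            String levelValue = Misc.getMapAttr(map2, AUTH_LEVEL);
            if (levelValue == null) {
                return;
            }
            try {
                setAuthLevel(Integer.parseInt(levelValue));
            } catch (Exception e) {
                // A malformed level is logged and ignored; the module keeps the framework default.
                debug.error(new StringBuffer().append("Unable to set auth level ").append(levelValue).toString(), e);
            }
        } catch (Exception e2) {
            debug.error("SAML Init Exception", e2);
        }
    }

    /**
     * Runs the single module state: collects the artifact or response, resolves it to assertions,
     * maps them to a user name and marks the login successful.
     *
     * @param callbackArr callbacks supplied by the framework (unused; the module drives its own
     *                    callbacks through {@link #sendCallbacks} when no HTTP request exists)
     * @param i           the current state (the module has only one)
     * @return {@code -1}, the SPI's "login succeeded" code, on success
     * @throws AuthLoginException with key {@code failedProcess} for every failure; the specific
     *                            reason is written to the debug log
     */
    @Override // com.sun.identity.authentication.spi.AMLoginModule
    public int process(Callback[] callbackArr, int i) throws AuthLoginException {
        String userName = null;
        try {
            HttpServletRequest request = getHttpServletRequest();
            if (request == null) {
                sendCallbacks();
            } else {
                processRequest(request);
            }
            if (debug.messageEnabled()) {
                debug.message(new StringBuffer().append("Artifact : ").append(this.arti).toString());
                debug.message(new StringBuffer().append("Response : ").append(this.samlResponse).toString());
            }
            // The artifact path wins when both an artifact and a response were supplied.
            if (this.arti != null) {
                this.assertions = processArtifact();
            } else if (this.samlResponse != null) {
                this.assertions = processResponse();
            } else {
                debug.error("Invalid input given to the Module");
                throw new AuthLoginException(amAuthSAML, "invalidInput", null);
            }
            if (debug.messageEnabled()) {
                debug.message(new StringBuffer().append("Assertions : ").append(this.assertions).toString());
            }
            try {
                this.attrMap = SAMLUtils.getAttributeMap(this.partnerdest, this.assertions, this.assertionSubject, this.target);
                if (debug.messageEnabled()) {
                    debug.message(new StringBuffer().append("Attribute Map : ").append(this.attrMap).toString());
                }
                if (this.attrMap != null && !this.attrMap.isEmpty()) {
                    // The mapped user name is consumed here; the remaining entries are exposed
                    // on the principal as attributes.
                    userName = (String) this.attrMap.get(SAMLConstants.USER_NAME);
                    this.attrMap.remove(SAMLConstants.USER_NAME);
                }
            } catch (Exception e) {
                debug.error("getAttributeMap : ", e);
                throw new AuthLoginException(amAuthSAML, "failedGettingAttrMap", null);
            }
            // FIX: previously the module returned "succeeded" even when no user name could be
            // mapped, leaving a null principal to be rejected later (or not at all). Fail here.
            if (userName == null) {
                debug.error("no user name found in attribute map");
                throw new AuthLoginException(amAuthSAML, "failedGettingAttrMap", null);
            }
            debug.message("Module is successful");
            storeUsernamePasswd(userName, null);
            this.userTokenId = userName;
            return -1;
        } catch (AuthLoginException e2) {
            setFailureID(this.userTokenId);
            debug.error("Error in 'process' : ", e2);
            // Callers get a uniform failure; the specific cause stays in the log.
            throw new AuthLoginException(amAuthSAML, "failedProcess", null);
        }
    }

    /**
     * Returns the authenticated principal, built lazily from the mapped user name together with
     * the (stringified) assertions and the remaining attribute map.
     *
     * @return the principal, or {@code null} if no user name has been established
     */
    @Override // com.sun.identity.authentication.spi.AMLoginModule
    public Principal getPrincipal() {
        if (this.userPrincipal == null && this.userTokenId != null) {
            SAMLPrincipal principal = new SAMLPrincipal(this.userTokenId);
            this.assertions = SAMLUtils.getStrAssertions(this.assertions);
            principal.setAssertions(this.assertions);
            principal.setAttrMap(this.attrMap);
            this.userPrincipal = principal;
        }
        return this.userPrincipal;
    }

    /** Drops the user identity held by this module instance. */
    @Override // com.sun.identity.authentication.spi.AMLoginModule
    public void destroyModuleState() {
        debug.message("clean up module state");
        this.userTokenId = null;
        this.userPrincipal = null;
    }

    /** Drops the raw inputs (artifact and response) once they are no longer needed. */
    @Override // com.sun.identity.authentication.spi.AMLoginModule
    public void nullifyUsedVars() {
        debug.message("nullify Used Variables");
        this.arti = null;
        this.samlResponse = null;
    }

    /**
     * Obtains the artifact or response and the target URL through the callback handler.
     *
     * <p>Callback 0 is a {@link SAMLCallback}: type 1 carries an artifact, type 2 carries a
     * response plus the caller's {@code checkSignature} flag. Callback 1 is a plain
     * {@link NameCallback} carrying the target URL.
     *
     * @throws AuthLoginException if there is no handler, the target or type is missing, the
     *                            handler cannot handle the callbacks, or an I/O error occurs
     */
    private void sendCallbacks() throws AuthLoginException {
        if (this.callbackHandler == null) {
            throw new AuthLoginException(amAuthSAML, "NoCallbackHandler", null);
        }
        try {
            SAMLCallback samlCallback = new SAMLCallback(this.bundle.getString("arti_or_response"));
            NameCallback targetCallback = new NameCallback(this.bundle.getString("target_url"));
            NameCallback[] callbacks = {samlCallback, targetCallback};
            if (debug.messageEnabled()) {
                debug.message(new StringBuffer().append("Callback 0 is.. :").append(callbacks[0]).toString());
                debug.message(new StringBuffer().append("Callback 1 is.. :").append(callbacks[1]).toString());
            }
            this.callbackHandler.handle(callbacks);
            this.target = targetCallback.getName();
            if (this.target == null) {
                debug.message("no Target specified");
                throw new AuthLoginException(amAuthSAML, "IllegalArgs", null);
            }
            switch (samlCallback.getType()) {
                case 1:
                    this.arti = samlCallback.getArtifact();
                    break;
                case 2:
                    this.samlResponse = samlCallback.getSamlResponse();
                    // NOTE(review): the caller decides whether the response signature is checked.
                    this.checkSignature = samlCallback.getCheckSignature();
                    break;
                default:
                    debug.message("no type specified");
                    throw new AuthLoginException(amAuthSAML, "IllegalArgs", null);
            }
        } catch (IOException e) {
            throw new AuthLoginException(e);
        } catch (IllegalArgumentException e2) {
            debug.message("message type missing");
            throw new AuthLoginException(amAuthSAML, "IllegalArgs", null);
        } catch (UnsupportedCallbackException e3) {
            throw new AuthLoginException(amAuthSAML, "UnsupportedCallback", null);
        }
    }

    /**
     * Reads the target, artifact and (optionally) the Base64-encoded {@code SAMLResponse} from
     * the HTTP request. A response is accepted only if its signature verifies and
     * {@link SAMLUtils#verifyResponse} accepts it for this request URL.
     *
     * @param request the current HTTP request
     * @throws AuthLoginException if the target is missing ({@code missingTargetSite}), the
     *                            response cannot be built ({@code errorObtainResponse}), fails
     *                            signature or response verification ({@code invalidResponse}),
     *                            or cannot be decoded/parsed ({@code errorDecodeResponse})
     */
    private void processRequest(HttpServletRequest request) throws AuthLoginException {
        String targetParam = (String) SAMLServiceManager.getAttribute(SAMLConstants.TARGET_SPECIFIER);
        String artifactParam = (String) SAMLServiceManager.getAttribute("iplanet-am-saml-artifact-name");
        this.target = request.getParameter(targetParam);
        this.arti = request.getParameterValues(artifactParam);
        if (this.target == null) {
            this.target = request.getParameter("TARGET");
        }
        if (this.target == null) {
            debug.message("no Target specified");
            throw new AuthLoginException(amAuthSAML, "missingTargetSite", null);
        }
        String encodedResponse = request.getParameter("SAMLResponse");
        if (encodedResponse == null) {
            return;
        }
        try {
            this.samlResponse = SAMLUtils.getResponse(Base64.decode(encodedResponse));
            if (this.samlResponse == null) {
                throw new AuthLoginException(amAuthSAML, "errorObtainResponse", null);
            }
            // Signature is always verified on the HTTP path; processResponse does not repeat it.
            if (!SAMLUtils.verifySignature(this.samlResponse)) {
                throw new AuthLoginException(amAuthSAML, "invalidResponse", null);
            }
            if (debug.messageEnabled()) {
                // NOTE(review): this logs the complete decoded response (assertion attributes
                // included) at message level — keep message-level debug off in production.
                debug.message(new StringBuffer().append("Received response : ").append(this.samlResponse.toString()).toString());
            }
            StringBuffer requestUrl = request.getRequestURL();
            if (debug.messageEnabled()) {
                debug.message(new StringBuffer().append("processRequest: requestUrl = ").append((Object) requestUrl).toString());
            }
            if (!SAMLUtils.verifyResponse(this.samlResponse, requestUrl.toString(), request)) {
                throw new AuthLoginException(amAuthSAML, "invalidResponse", null);
            }
        } catch (AuthLoginException e) {
            // FIX: keep the specific verification failure instead of masking it as a decode error.
            throw e;
        } catch (Exception e) {
            debug.error("processRequest : Exception when decoding SAMLResponse:", e);
            throw new AuthLoginException(amAuthSAML, "errorDecodeResponse", null);
        }
    }

    /**
     * Resolves the received artifact(s) to assertions over SOAP and locates the partner entry
     * for the artifact's source ID.
     *
     * @return the assertions returned by the artifact query
     * @throws AuthLoginException if the query fails, the assertions carry no subject, the partner
     *                            URL table is missing, or the source ID is not a known partner
     */
    private List processArtifact() throws AuthLoginException {
        try {
            List resolvedAssertions = SAMLClient.artifactQueryHandler(this.arti, null);
            this.assertionSubject = SAMLUtils.examAssertions(resolvedAssertions);
            if (this.assertionSubject == null) {
                throw new AuthLoginException(amAuthSAML, "nullSubject", null);
            }
            // Only the first artifact's source ID selects the partner, even if several were sent.
            String sourceID = new AssertionArtifact(this.arti[0]).getSourceID();
            Map partnerUrls = (Map) SAMLServiceManager.getAttribute("iplanet-am-saml-partner-urls");
            if (partnerUrls == null) {
                throw new AuthLoginException(amAuthSAML, "nullPartnerUrl", null);
            }
            this.partnerdest = (SAMLServiceManager.SOAPEntry) partnerUrls.get(sourceID);
            if (this.partnerdest == null) {
                throw new AuthLoginException(amAuthSAML, "failedAccountMapping", null);
            }
            return resolvedAssertions;
        } catch (SAMLException e) {
            debug.error("Error in artifactQueryHandler :", e);
            throw new AuthLoginException(amAuthSAML, "errorArtiQuery", null);
        } catch (IOException e2) {
            debug.error("Error in artifactQueryHandler :", e2);
            throw new AuthLoginException(amAuthSAML, "errorArtiQuery", null);
        }
    }

    /**
     * Verifies the received response and extracts its subject, source site and assertions.
     *
     * <p>The signature is verified here only when {@code checkSignature} is set, i.e. on the
     * callback path when the caller requested it; the HTTP path has already verified it in
     * {@link #processRequest}. Assertion-level checks are delegated to
     * {@link SAMLUtils#verifyAssertionAndGetSSMap}.
     *
     * @return the assertions from the response
     * @throws AuthLoginException on signature failure ({@code invalidResponse}), assertion
     *                            failure ({@code invalidAssertion}), missing subject
     *                            ({@code nullSubject}) or unknown source site
     *                            ({@code failedAccountMapping})
     */
    private List processResponse() throws AuthLoginException {
        if (this.checkSignature && !SAMLUtils.verifySignature(this.samlResponse)) {
            throw new AuthLoginException(amAuthSAML, "invalidResponse", null);
        }
        Map ssMap = SAMLUtils.verifyAssertionAndGetSSMap(this.samlResponse);
        if (debug.messageEnabled()) {
            debug.message(new StringBuffer().append("processResponse: ssMap = ").append(ssMap).toString());
        }
        if (ssMap == null) {
            throw new AuthLoginException(amAuthSAML, "invalidAssertion", null);
        }
        this.assertionSubject = (Subject) ssMap.get("subject");
        if (this.assertionSubject == null) {
            throw new AuthLoginException(amAuthSAML, "nullSubject", null);
        }
        this.partnerdest = (SAMLServiceManager.SOAPEntry) ssMap.get("sourceSite");
        if (this.partnerdest == null) {
            throw new AuthLoginException(amAuthSAML, "failedAccountMapping", null);
        }
        return (List) ssMap.get(SAMLConstants.POST_ASSERTION);
    }
}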
