package org.overlord.commons.auth.jboss7;

import java.security.KeyPair;
import java.security.KeyStore;
import java.security.Principal;
import java.security.acl.Group;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.jacc.PolicyContext;
import javax.servlet.http.HttpServletRequest;
import javax.xml.stream.XMLInputFactory;
import javax.xml.transform.dom.DOMSource;
import org.apache.commons.codec.binary.Base64;
import org.jboss.security.SecurityConstants;
import org.jboss.security.SimpleGroup;
import org.jboss.security.auth.spi.AbstractServerLoginModule;
import org.overlord.commons.auth.tomcat7.HttpRequestThreadLocalValve;
import org.overlord.commons.auth.util.SAMLBearerTokenUtil;
import org.picketlink.common.constants.LDAPConstants;
import org.picketlink.identity.federation.core.constants.AttributeConstants;
import org.picketlink.identity.federation.core.parsers.saml.SAMLAssertionParser;
import org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil;
import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
import org.picketlink.identity.federation.saml.v2.assertion.NameIDType;
import org.picketlink.identity.federation.saml.v2.assertion.StatementAbstractType;
import org.w3c.dom.Document;

/* loaded from: input_file:WEB-INF/lib/overlord-commons-auth-jboss7-2.0.16.Final.jar:org/overlord/commons/auth/jboss7/SAMLBearerTokenLoginModule.class */
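/**
 * JAAS login module that accepts a SAML assertion carried inside an HTTP {@code Basic}
 * {@code Authorization} header.
 *
 * <p>The decoded Basic credential must start with {@code SAML-BEARER-TOKEN:}; the remainder is
 * parsed as a SAML assertion, checked by {@link SAMLBearerTokenUtil#validateAssertion} against
 * the configured issuer allowlist and the current request, and (only when the
 * {@code signatureRequired} option is exactly {@code "true"}) checked for a valid signature
 * against the key loaded from the configured keystore. On success the assertion's subject
 * NameID becomes the identity and its role attribute values become the role set. Requests
 * without such a token fall through to {@link AbstractServerLoginModule#login()}.
 *
 * <p>Module options read in {@link #initialize}: {@code allowedIssuers} (comma separated),
 * {@code signatureRequired}, {@code keystorePath}, {@code keystorePassword}, {@code keyAlias},
 * {@code keyPassword}.
 *
 * <p>Not thread-safe; a JAAS login module instance is expected to serve a single login.
 */
public class SAMLBearerTokenLoginModule extends AbstractServerLoginModule {

    /** Authorization scheme prefix this module inspects (scheme followed by a single space). */
    private static final String BASIC_PREFIX = "Basic ";
    /** Marker that distinguishes a SAML bearer token from ordinary Basic credentials. */
    private static final String SAML_BEARER_TOKEN_PREFIX = "SAML-BEARER-TOKEN:";

    /** Raw {@code signatureRequired} option; signature checking is enabled only for the exact literal "true". */
    private String signatureRequired;
    private String keystorePath;
    private String keystorePassword;
    private String keyAlias;
    private String keyPassword;
    /** Identity established from the assertion's subject NameID; null until {@link #consumeAssertion} runs. */
    private Principal identity;
    /** Issuers accepted by {@link SAMLBearerTokenUtil#validateAssertion}; entries are trimmed. */
    private Set<String> allowedIssuers = new HashSet<String>();
    /** Role names collected from the assertion's role attribute. */
    private Set<String> roles = new HashSet<String>();

    /**
     * Reads the module options.
     *
     * @param subject the subject being authenticated
     * @param callbackHandler the callback handler supplied by the JAAS framework
     * @param map the shared state map passed to {@code super.initialize}
     * @param map2 the module options; all configuration is read from here
     */
    @Override // org.jboss.security.auth.spi.AbstractServerLoginModule
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> map, Map<String, ?> map2) {
        super.initialize(subject, callbackHandler, map, map2);
        String issuerList = (String) map2.get("allowedIssuers");
        if (issuerList != null) {
            for (String issuer : issuerList.split(LDAPConstants.COMMA)) {
                // Store the trimmed value: the emptiness test already ignores whitespace, and an
                // entry such as " b" (from "a, b") would otherwise never equal an assertion issuer.
                String trimmed = issuer.trim();
                if (trimmed.length() > 0) {
                    this.allowedIssuers.add(trimmed);
                }
            }
        }
        this.signatureRequired = (String) map2.get("signatureRequired");
        this.keystorePath = (String) map2.get("keystorePath");
        this.keystorePassword = (String) map2.get("keystorePassword");
        this.keyAlias = (String) map2.get("keyAlias");
        this.keyPassword = (String) map2.get("keyPassword");
    }

    /**
     * Authenticates from a SAML bearer token in the {@code Authorization} header, or delegates to
     * the superclass when no such token is present.
     *
     * @return {@code true} when a bearer token was accepted, otherwise the superclass result;
     *         {@code false} (with {@code loginOk} cleared) when token processing failed with an
     *         unexpected exception
     * @throws LoginException when the current request cannot be obtained, when the assertion fails
     *         validation, or when a required signature is invalid
     */
    @Override // org.jboss.security.auth.spi.AbstractServerLoginModule
    public boolean login() throws LoginException {
        try {
            HttpServletRequest currentRequest = getCurrentRequest();
            String header = currentRequest.getHeader("Authorization");
            if (header != null && header.startsWith(BASIC_PREFIX)) {
                String decoded = new String(Base64.decodeBase64(header.substring(BASIC_PREFIX.length())), "UTF-8");
                if (decoded.startsWith(SAML_BEARER_TOKEN_PREFIX)) {
                    String assertionXml = decoded.substring(SAML_BEARER_TOKEN_PREFIX.length());
                    // NOTE(review): the untrusted XML is parsed by DocumentUtil.getDocument — confirm
                    // that utility disables DTD/external-entity processing.
                    Document document = DocumentUtil.getDocument(assertionXml);
                    AssertionType assertion = (AssertionType) new SAMLAssertionParser().parse(
                            XMLInputFactory.newInstance().createXMLEventReader(new DOMSource(document)));
                    // Issuer allowlist / request binding checks run before the signature check, so
                    // an assertion from an unknown issuer is rejected without touching the keystore.
                    SAMLBearerTokenUtil.validateAssertion(assertion, currentRequest, this.allowedIssuers);
                    // Unsigned assertions are accepted unless signatureRequired is exactly "true".
                    if ("true".equals(this.signatureRequired)
                            && !SAMLBearerTokenUtil.isSAMLAssertionSignatureValid(document, getKeyPair(assertion))) {
                        throw new LoginException(Messages.getString("SAMLBearerTokenLoginModule.InvalidSignature"));
                    }
                    consumeAssertion(assertion);
                    this.loginOk = true;
                    return true;
                }
            }
            return super.login();
        } catch (LoginException e) {
            throw e;
        } catch (Exception e) {
            // Unexpected failure (malformed token, parse error, ...): report it and let the JAAS
            // stack treat this module as not having authenticated rather than as a hard failure.
            e.printStackTrace();
            this.loginOk = false;
            return false;
        }
    }

    /**
     * Locates the HTTP request for the login in progress: first the thread-local set by
     * {@link HttpRequestThreadLocalValve}, then the JACC policy context.
     *
     * @return the current request, never null
     * @throws LoginException when neither source yields a request
     */
    private HttpServletRequest getCurrentRequest() throws LoginException {
        HttpServletRequest request = HttpRequestThreadLocalValve.TL_request.get();
        if (request == null) {
            try {
                request = (HttpServletRequest) PolicyContext.getContext(SecurityConstants.WEB_REQUEST_KEY);
            } catch (Exception ignored) {
                // Best effort: a missing policy context is reported by the LoginException below.
                request = null;
            }
        }
        if (request == null) {
            throw new LoginException("Failed to get current HTTP request.");
        }
        return request;
    }

    /**
     * Loads the key pair used to verify the assertion signature.
     *
     * @param assertion the assertion being verified (currently unused in key selection)
     * @return the key pair for {@code keyAlias}
     * @throws LoginException when the keystore or key cannot be loaded
     */
    private KeyPair getKeyPair(AssertionType assertion) throws LoginException {
        try {
            return SAMLBearerTokenUtil.getKeyPair(loadKeystore(), this.keyAlias, this.keyPassword);
        } catch (Exception e) {
            e.printStackTrace();
            throw new LoginException(Messages.getString("SAMLBearerTokenLoginModule.FailedToGetKeyPair") + this.keyAlias);
        }
    }

    /**
     * Opens the signature keystore configured by {@code keystorePath}/{@code keystorePassword}.
     *
     * @return the loaded keystore
     * @throws LoginException when the keystore cannot be loaded
     */
    private KeyStore loadKeystore() throws LoginException {
        try {
            return SAMLBearerTokenUtil.loadKeystore(this.keystorePath, this.keystorePassword);
        } catch (Exception e) {
            e.printStackTrace();
            throw new LoginException("Error loading signature keystore: " + e.getMessage());
        }
    }

    /**
     * Copies identity and roles out of an already-validated assertion.
     *
     * @param assertion the validated assertion
     * @throws Exception from {@code createIdentity}, or a ClassCastException when the subject
     *         is not a NameID
     */
    private void consumeAssertion(AssertionType assertion) throws Exception {
        this.identity = createIdentity(((NameIDType) assertion.getSubject().getSubType().getBaseID()).getValue());
        for (StatementAbstractType statement : assertion.getStatements()) {
            if (!(statement instanceof AttributeStatementType)) {
                continue;
            }
            for (AttributeStatementType.ASTChoiceType choice : ((AttributeStatementType) statement).getAttributes()) {
                if (choice.getAttribute() == null
                        || !choice.getAttribute().getName().equals(AttributeConstants.ROLE_IDENTIFIER_ASSERTION)) {
                    continue;
                }
                for (Object value : choice.getAttribute().getAttributeValue()) {
                    if (value != null) {
                        this.roles.add(value.toString());
                    }
                }
            }
        }
    }

    /** @return the identity established by {@link #consumeAssertion}, or null before login */
    @Override // org.jboss.security.auth.spi.AbstractServerLoginModule
    protected Principal getIdentity() {
        return this.identity;
    }

    /**
     * Builds the single {@code Roles} group from the names collected in {@link #consumeAssertion}.
     *
     * @return a one-element array holding the roles group
     * @throws LoginException when a role principal cannot be created
     */
    @Override // org.jboss.security.auth.spi.AbstractServerLoginModule
    protected Group[] getRoleSets() throws LoginException {
        Group[] groups = {new SimpleGroup(SecurityConstants.ROLES_IDENTIFIER)};
        try {
            for (String role : this.roles) {
                groups[0].addMember(createIdentity(role));
            }
            return groups;
        } catch (Exception e) {
            throw new LoginException(Messages.getString("SAMLBearerTokenLoginModule.FailedToCreateGroupPrincipal") + e.getMessage());
        }
    }
}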
