package de.governikus.autent.sdk.saml.auth;

import de.bos_bremen.gov.autent.common.HttpRedirectUtils;
import de.bos_bremen.gov.autent.common.Utils;
import de.governikus.autent.saml.client.utils.ParsedResponse;
import de.governikus.autent.saml.client.utils.ResponseParser;
import de.governikus.autent.sdk.saml.RequestGenerator;
import de.governikus.autent.sdk.saml.constants.SamlHttpConstants;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.MalformedURLException;
import java.net.Proxy;
import java.net.URL;
import java.net.URLConnection;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.xml.bind.DatatypeConverter;
import javax.xml.transform.TransformerException;
import org.apache.commons.lang.StringUtils;
import org.opensaml.core.config.InitializationException;
import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.xmlsec.encryption.support.EncryptionException;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/governikus/autent/sdk/saml/auth/AutentLoginModule.class */
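/**
 * JAAS {@link LoginModule} that authenticates a user name / password against an Autent SAML
 * identity provider.
 * <p>
 * In the synchronous flow a signed (and, when {@code encCertPath} is set, encrypted) SAML request
 * carrying the credentials is sent to {@code providerAddress}; the SAML response is taken from the
 * {@code Location} header of the redirect the provider answers with. With {@code asyncSAML=true}
 * the "Password" callback instead delivers a Base64-encoded SAML response the application already
 * obtained itself, and no credential leaves this module.
 * <p>
 * Options read from the JAAS configuration: {@code providerName}, {@code providerAddress},
 * {@code trustedAnchor}, {@code sslCertName}, {@code doNotCheckHostname}, {@code decKeyPath},
 * {@code decKeyType}, {@code decKeyPin}, {@code decKeyAlias}, {@code encCertPath},
 * {@code sigKeyPath}, {@code sigKeyType}, {@code sigKeyPin}, {@code sigKeyAlias}, {@code sigAlg}
 * (default {@code SHA256}), {@code proxyHost}, {@code proxyPort}, {@code proxyType} (default
 * {@code HTTP}), {@code searchInClasspath} and {@code asyncSAML}.
 * <p>
 * Instances are not thread-safe (JAAS creates one per {@code LoginContext}). The text of the last
 * failure is recorded per thread, see {@link #getLastErrorMessage()}.
 */
public class AutentLoginModule implements LoginModule {
    private static final Logger log = LoggerFactory.getLogger(AutentLoginModule.class);

    /** Message of the last failure reported on the calling thread, see {@link #getLastErrorMessage()}. */
    private static final ThreadLocal<String> LAST_ERROR_MESSAGE;

    /** Default failure text; also the message of the {@link LoginException} raised for an unusable provider answer. */
    private static final String GENERIC_ERROR = "An error occurred while talking to the Autent";

    private static final String SIGNATURE_MISMATCH = "The signature of the SAML Response does not match the signature certificate";

    // JAAS wiring, set in initialize()
    private CallbackHandler callbackHandler;
    private Subject subject;

    // Option values (see class comment); null / false / 0 when the option is absent
    private String providerName;
    private String providerAddress;
    private X509Certificate sslCert;        // sslCertName: the only certificate trusted for the TLS connection
    private X509Certificate decCert;        // decKey*: key pair handed to the ResponseParser for decryption
    private PrivateKey decKey;
    private X509Certificate encCert;        // encCertPath: certificate handed to RequestGenerator.setEncrypter
    private PrivateKey sigKey;              // sigKey*: key used to sign the SAML request query string
    private X509Certificate trustedAnchor;  // trustedAnchor: certificate the SAML response signature is checked against
    private String proxyHost;
    private int proxyPort;
    private Proxy.Type proxyType;
    private boolean asyncSAML = false;
    private String sigAlg = "SHA256";
    private boolean doNotCheckHostname = false;

    // State of the current login attempt: filled by parseResponse(), applied to the Subject by
    // commit(), discarded by abort() / logout()
    private boolean authenticated;
    private boolean committed;
    private AutentPrincipal subjectPrincipal = null;
    private List<AutentAttributeGroup> attributes = null;

    /**
     * Hostname verifier that accepts every host name.
     * <p>
     * Installed only when the option {@code doNotCheckHostname} is set. It removes the check that
     * the TLS certificate presented by the peer matches the host in {@code providerAddress}, so
     * the only remaining protection against a man-in-the-middle is the certificate pin installed
     * by {@link #getSSLFactoryWithoutCA(X509Certificate)} (option {@code sslCertName}). Without
     * that pin any certificate the JVM trusts is accepted for any host.
     */
    public static class NullHostnameVerifier implements HostnameVerifier {
        NullHostnameVerifier() {
        }

        /** Always {@code true}; see the class comment for the consequences. */
        @Override // javax.net.ssl.HostnameVerifier
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    }

    /**
     * Reads all options (see class comment) and resets the per-thread error message.
     * <p>
     * Certificates and keys that cannot be loaded are logged, recorded via
     * {@link #getLastErrorMessage()} and left {@code null}; the later {@link #login()} then runs
     * without the corresponding protection (no response decryption, no signature check, default
     * trust store) rather than failing here. A non-numeric {@code proxyPort} or an unknown
     * {@code proxyType} raises the usual unchecked exception of {@code Integer.parseInt} /
     * {@code Enum.valueOf}.
     *
     * @param subject      the subject the principals are added to in {@link #commit()}
     * @param callbackHandler source of the "Username" / "Password" callbacks
     * @param sharedState  unused
     * @param options      the JAAS options of this module
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) {
        LAST_ERROR_MESSAGE.set(null);
        this.callbackHandler = callbackHandler;
        this.subject = subject;
        this.providerName = option(options, "providerName");
        this.providerAddress = option(options, "providerAddress");
        this.trustedAnchor = loadCert(options, "trustedAnchor");
        this.sslCert = loadCert(options, "sslCertName");
        this.doNotCheckHostname = Boolean.parseBoolean(option(options, "doNotCheckHostname"));
        Utils.X509KeyPair decryption = loadKeyAndCert(options, "decKey");
        if (decryption != null) {
            this.decKey = decryption.getKey();
            this.decCert = decryption.getCert();
        }
        this.asyncSAML = Boolean.parseBoolean(option(options, "asyncSAML"));
        this.encCert = loadCert(options, "encCertPath");
        Utils.X509KeyPair signing = loadKeyAndCert(options, "sigKey");
        if (signing != null) {
            this.sigKey = signing.getKey();
        }
        if (options.containsKey("sigAlg")) {
            this.sigAlg = option(options, "sigAlg");
        }
        this.proxyHost = option(options, "proxyHost");
        String port = option(options, "proxyPort");
        if (port != null) {
            this.proxyPort = Integer.parseInt(port.trim());
        }
        String type = option(options, "proxyType");
        this.proxyType = type == null ? Proxy.Type.HTTP : Proxy.Type.valueOf(type.trim());
    }

    /** Returns the option {@code key} as a String ({@code null} when absent). */
    private static String option(Map<String, ?> options, String key) {
        return (String) options.get(key);
    }

    /**
     * Opens a configured certificate / key store location.
     *
     * @param location      file path, or classpath resource name when {@code fromClasspath}
     * @param fromClasspath whether the option {@code searchInClasspath} was set
     * @throws IOException when the file or resource does not exist
     */
    private static InputStream openConfigStream(String location, boolean fromClasspath) throws IOException {
        if (!fromClasspath) {
            return new FileInputStream(location);
        }
        InputStream in = AutentLoginModule.class.getResourceAsStream(location);
        if (in == null) {
            throw new IOException("resource not found on classpath: " + location);
        }
        return in;
    }

    /**
     * Loads the X.509 certificate named by option {@code key}.
     *
     * @return the certificate, or {@code null} when the option is absent / blank or the
     *         certificate cannot be read (the failure is logged and recorded for
     *         {@link #getLastErrorMessage()})
     */
    private X509Certificate loadCert(Map<String, ?> options, String key) {
        String location = option(options, key);
        if (location == null || StringUtils.isEmpty(location.trim())) {
            return null;
        }
        boolean fromClasspath = Boolean.parseBoolean(option(options, "searchInClasspath"));
        // try-with-resources: the original left the FileInputStream open
        try (InputStream in = openConfigStream(location, fromClasspath)) {
            return (X509Certificate) Utils.readCert(in, "x509");
        } catch (Exception e) {
            handleError("can not load certificate");
            log.error("can not load certificate '{}' (option {})", location, key, e);
            return null;
        }
    }

    /**
     * Loads the key pair described by the options {@code prefix + "Path"}, {@code "Type"},
     * {@code "Pin"} and {@code "Alias"}.
     *
     * @param prefix {@code "sigKey"} or {@code "decKey"}
     * @return the key pair, or {@code null} when path or type are absent / blank or the store
     *         cannot be read (the failure is logged and recorded for {@link #getLastErrorMessage()})
     */
    private Utils.X509KeyPair loadKeyAndCert(Map<String, ?> options, String prefix) {
        String location = option(options, prefix + "Path");
        String type = option(options, prefix + "Type");
        String pin = option(options, prefix + "Pin");
        String alias = option(options, prefix + "Alias");
        if (location == null || StringUtils.isEmpty(location.trim()) || type == null || StringUtils.isEmpty(type.trim())) {
            return null;
        }
        // the original reported every failure as "signature key", also for decKey
        String failure = "decKey".equals(prefix) ? "can not load decryption key" : "can not load signature key";
        if (pin == null) {
            // previously an unconditional pin.toCharArray() raised an NPE that was caught below
            handleError(failure);
            log.error("{}: option {}Pin is missing", failure, prefix);
            return null;
        }
        boolean fromClasspath = "true".equalsIgnoreCase(option(options, "searchInClasspath"));
        // try-with-resources: the decompiled original never closed the stream on failure
        try (InputStream in = openConfigStream(location, fromClasspath)) {
            return Utils.readKeyAndCert(in, type, pin.toCharArray(), alias);
        } catch (Exception e) {
            handleError(failure);
            // the pin is deliberately not logged
            log.error("{} from '{}' (option {}Path)", failure, location, prefix, e);
            return null;
        }
    }

    /**
     * Collects "Username" / "Password" from the callback handler and either authenticates against
     * the provider or, with {@code asyncSAML}, parses the SAML response passed as password.
     * <p>
     * The password array is zeroed before this method returns.
     *
     * @return {@code true} when the SAML response reported success
     * @throws LoginException when no callback handler / password is available, the callbacks
     *                        cannot be handled, or the provider exchange fails
     */
    @Override
    public boolean login() throws LoginException {
        if (this.callbackHandler == null) {
            handleError("no CallbackHandler available");
            throw new LoginException("no CallbackHandler available");
        }
        NameCallback nameCallback = new NameCallback("Username");
        PasswordCallback passwordCallback = new PasswordCallback("Password", false);
        char[] password = null;
        try {
            this.callbackHandler.handle(new Callback[]{nameCallback, passwordCallback});
            password = passwordCallback.getPassword();
            if (password == null) {
                handleError("no password provided");
                throw new LoginException("no password provided");
            }
            if (this.asyncSAML) {
                // the "password" is the Base64 SAML response the application already received
                return parseResponse(DatatypeConverter.parseBase64Binary(new String(password)), true);
            }
            return authenticate(nameCallback.getName(), password);
        } catch (IOException e) {
            throw reportFailure("Something went wrong while handling callbacks", e);
        } catch (UnsupportedCallbackException e) {
            throw reportFailure("The given callback handler does not support the requested callbacks", e);
        } finally {
            // RequestGenerator consumes the password inside createQuery(), so it is no longer needed
            if (password != null) {
                Arrays.fill(password, '\0');
            }
            passwordCallback.clearPassword();
        }
    }

    /**
     * Synchronous flow: sends the SAML request to the provider and parses the response found in
     * the redirect it answers with.
     * <p>
     * Redirects are not followed because the response travels in the {@code Location} header.
     * When {@code trustedAnchor} is configured the signature over the redirect query string is
     * verified against it before the response is parsed; without it the response is accepted
     * unverified (a warning is logged).
     *
     * @throws LoginException on any failure; the specific message set via
     *                        {@link #handleError(String)} is preserved (the original re-wrapped
     *                        its own LoginExceptions and overwrote it with the generic text)
     */
    private boolean authenticate(String userName, char[] password) throws LoginException {
        try {
            // the query string carries the SAML request and with it the credentials: never log it
            URL url = new URL(createQuery(userName, password));
            URLConnection connection = url.openConnection(selectProxy());
            if (connection instanceof HttpURLConnection) {
                ((HttpURLConnection) connection).setInstanceFollowRedirects(false);
            }
            if (connection instanceof HttpsURLConnection) {
                configureTls((HttpsURLConnection) connection);
            }
            connection.connect();
            String location = connection.getHeaderField("Location");
            if (location == null) {
                byte[] body;
                try (InputStream in = connection.getInputStream()) {
                    body = Utils.readBytesFromStream(in);
                }
                handleError(GENERIC_ERROR);
                log.error(GENERIC_ERROR);
                log.debug("Autent returned: \n" + new String(body, Utils.ENCODING));
                throw new LoginException(GENERIC_ERROR);
            }
            if (this.trustedAnchor == null) {
                log.warn("no trustedAnchor configured: the signature of the SAML response is not verified");
            } else if (!HttpRedirectUtils.checkQueryString(location, this.trustedAnchor)) {
                handleError(SIGNATURE_MISMATCH);
                log.error(SIGNATURE_MISMATCH + " " + this.trustedAnchor.getSubjectX500Principal());
                throw new LoginException(SIGNATURE_MISMATCH);
            }
            byte[] samlResponse = HttpRedirectUtils.inflate(HttpRedirectUtils.findParameterInUrl(location, SamlHttpConstants.SAML_RESPONSE, true));
            // the query-string signature was checked above, so the parser does not check it again
            return parseResponse(samlResponse, false);
        } catch (LoginException e) {
            throw e;
        } catch (Exception e) {
            throw handleThrowable(e);
        }
    }

    /** Proxy from the {@code proxy*} options; {@link Proxy#NO_PROXY} unless host and a non-zero port are set. */
    private Proxy selectProxy() {
        if (this.proxyHost == null || StringUtils.isEmpty(this.proxyHost.trim()) || this.proxyPort == 0) {
            return Proxy.NO_PROXY;
        }
        return new Proxy(this.proxyType, new InetSocketAddress(this.proxyHost, this.proxyPort));
    }

    /**
     * Applies the TLS options: optional hostname-check bypass and optional certificate pin.
     * Both weakenings of the default TLS validation are logged so that they are visible in
     * operation.
     */
    private void configureTls(HttpsURLConnection connection) throws GeneralSecurityException, IOException {
        if (this.doNotCheckHostname) {
            if (this.sslCert == null) {
                log.warn("doNotCheckHostname is set and no sslCertName is pinned: any certificate trusted by the JVM is accepted for {}", this.providerAddress);
            } else {
                log.warn("doNotCheckHostname is set for {}; relying on the pinned sslCertName certificate only", this.providerAddress);
            }
            connection.setHostnameVerifier(new NullHostnameVerifier());
        }
        if (this.sslCert != null) {
            connection.setSSLSocketFactory(getSSLFactoryWithoutCA(this.sslCert));
        }
    }

    /**
     * Builds the redirect URL for the provider: a SAML request containing user name and password,
     * encrypted for {@code encCert} when configured and signed with {@code sigKey} / {@code sigAlg}.
     * The returned string contains the credentials and must not be logged.
     */
    private String createQuery(String userName, char[] password) throws UnsupportedEncodingException, GeneralSecurityException, TransformerException, MalformedURLException, MarshallingException, SignatureException, EncryptionException {
        RequestGenerator requestGenerator = new RequestGenerator(this.providerName, this.providerAddress);
        if (this.encCert != null) {
            requestGenerator.setEncrypter(this.encCert);
        }
        requestGenerator.setUserNameAndPassword(userName, password);
        return HttpRedirectUtils.createQueryString(this.providerAddress, requestGenerator.createSAMLRequest(), true, (String) null, this.sigKey, this.sigAlg);
    }

    /**
     * Parses the SAML response and, on success, builds the principals for {@link #commit()}.
     *
     * @param samlResponse      the (inflated / decoded) SAML response
     * @param verifyInParser    whether the parser itself checks the response signature against
     *                          {@code trustedAnchor} (asynchronous flow); in the synchronous flow
     *                          the signature was already checked on the redirect. Has no effect
     *                          when {@code trustedAnchor} is not configured.
     * @return the success status of the response
     * @throws LoginException when the response cannot be parsed or decrypted
     */
    private boolean parseResponse(byte[] samlResponse, boolean verifyInParser) throws LoginException {
        try {
            ResponseParser parser = new ResponseParser();
            if (this.decCert != null && this.decKey != null) {
                parser.addDecryptionKey(this.decKey, this.decCert);
            }
            if (this.trustedAnchor != null && verifyInParser) {
                parser.addTrustedAnchorCert(this.trustedAnchor);
            }
            ParsedResponse parsed = parser.parse(samlResponse);
            this.authenticated = parsed.isStatusSuccess();
            if (!this.authenticated) {
                String failure = "SAML failed with StatusMessage: \"" + parsed.getStatusMessage() + "\" and MinorStatusCode: \"" + parsed.getMinorStatusCode() + "\"";
                handleError(failure);
                log.error(failure);
                return false;
            }
            this.subjectPrincipal = new AutentSubjectPrincipal(parsed.getSubjectName());
            List<AutentAttributeGroup> groups = new ArrayList<>();
            for (String attributeName : parsed.getAttributeNames()) {
                AutentAttributeGroup group = new AutentAttributeGroup(attributeName);
                for (Object value : parsed.getAttributeValue(attributeName)) {
                    group.addMember(new AutentPrincipal(value));
                }
                groups.add(group);
            }
            this.attributes = groups;
            return true;
        } catch (Exception e) {
            throw handleThrowable(e);
        }
    }

    /** Records and logs the generic provider failure and wraps {@code cause} into a LoginException. */
    private LoginException handleThrowable(Throwable cause) {
        return reportFailure(GENERIC_ERROR, cause);
    }

    /**
     * Records {@code message} for {@link #getLastErrorMessage()}, logs it with the cause and returns
     * a {@link LoginException} carrying the cause's message and (unlike the original) the cause
     * itself.
     */
    private static LoginException reportFailure(String message, Throwable cause) {
        handleError(message);
        log.error(message, cause);
        LoginException loginException = new LoginException(cause.getMessage());
        loginException.initCause(cause);
        return loginException;
    }

    /**
     * Socket factory whose trust store contains only {@code certificate}: the provider's
     * certificate chain must end at (or be) this certificate, independent of the JVM's CA store.
     * No client certificate is configured ({@code init(null, ...)}).
     */
    private static SSLSocketFactory getSSLFactoryWithoutCA(X509Certificate certificate) throws GeneralSecurityException, IOException {
        SSLContext sslContext = SSLContext.getInstance("TLS");
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        KeyStore keyStore = KeyStore.getInstance("jks");
        keyStore.load(null, null);
        keyStore.setCertificateEntry("alias", certificate);
        trustManagerFactory.init(keyStore);
        sslContext.init(null, trustManagerFactory.getTrustManagers(), new SecureRandom());
        return sslContext.getSocketFactory();
    }

    /**
     * Adds the subject principal and the attribute groups of a successful {@link #login()} to the
     * subject.
     *
     * @return {@code false} when login did not succeed (module is ignored), {@code true} otherwise
     * @throws LoginException when the subject is read-only
     */
    @Override
    public boolean commit() throws LoginException {
        if (!this.authenticated) {
            return false;
        }
        if (this.subject.isReadOnly()) {
            throw new LoginException("commit Failed: Subject is Readonly");
        }
        this.subject.getPrincipals().add(this.subjectPrincipal);
        if (this.attributes != null) {
            this.subject.getPrincipals().addAll(this.attributes);
        }
        this.committed = true;
        return true;
    }

    /**
     * Discards the state of this login attempt after the overall authentication failed.
     * <p>
     * Follows the {@link LoginModule} contract: {@code false} when this module's own login had
     * failed (nothing to undo, module is ignored), otherwise the saved state is dropped - and
     * principals already committed are removed again - and {@code true} is returned. The original
     * returned the inverse and never cleared a successful attempt.
     */
    @Override
    public boolean abort() throws LoginException {
        if (!this.authenticated) {
            return false;
        }
        if (this.committed) {
            logout();
        } else {
            clearState();
        }
        return true;
    }

    /**
     * Removes the principals added by {@link #commit()} from the subject and forgets the login
     * state. Safe to call when no login succeeded (the original raised an NPE then).
     *
     * @throws LoginException when the subject is read-only
     */
    @Override
    public boolean logout() throws LoginException {
        if (this.subject.isReadOnly()) {
            throw new LoginException("logout Failed: Subject is Readonly");
        }
        if (this.subjectPrincipal != null) {
            this.subject.getPrincipals().remove(this.subjectPrincipal);
        }
        if (this.attributes != null) {
            this.subject.getPrincipals().removeAll(this.attributes);
        }
        clearState();
        return true;
    }

    /** Forgets everything parseResponse() collected for the current attempt. */
    private void clearState() {
        this.authenticated = false;
        this.committed = false;
        this.subjectPrincipal = null;
        this.attributes = null;
    }

    /** Records {@code message} as the last error of the calling thread. */
    private static void handleError(String message) {
        LAST_ERROR_MESSAGE.set(message);
    }

    /**
     * Returns the message of the last failure this module reported on the calling thread, or
     * {@code null}. The value is reset by {@link #initialize}; on pooled threads it survives until
     * the next initialize() on that thread, so read it directly after the LoginContext call.
     */
    public static String getLastErrorMessage() {
        return LAST_ERROR_MESSAGE.get();
    }

    static {
        try {
            InitializationService.initialize();
        } catch (InitializationException e) {
            log.error("can not init OpenSAML", e);
        }
        LAST_ERROR_MESSAGE = new ThreadLocal<>();
    }
}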
