package eu.unicore.security.wsutil;

import eu.emi.security.authn.x509.impl.CertificateUtils;
import eu.emi.security.authn.x509.impl.FormatMode;
import eu.emi.security.authn.x509.impl.X500NameUtils;
import eu.unicore.samly2.SAMLBindings;
import eu.unicore.samly2.exceptions.SAMLValidationException;
import eu.unicore.samly2.trust.SamlTrustChecker;
import eu.unicore.samly2.validators.ReplayAttackChecker;
import eu.unicore.samly2.validators.SSOAuthnAssertionValidator;
import eu.unicore.security.HTTPAuthNTokens;
import eu.unicore.security.SecurityTokens;
import eu.unicore.security.UnicoreSecurityFactory;
import eu.unicore.security.UserAttributeHandler;
import eu.unicore.security.ValidationResult;
import eu.unicore.security.consignor.ConsignorAssertion;
import eu.unicore.security.user.UserAssertion;
import eu.unicore.security.wsutil.client.OAuthBearerTokenOutInterceptor;
import eu.unicore.util.Log;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.xml.namespace.QName;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.headers.Header;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.staxutils.StaxUtils;
import org.apache.logging.log4j.Logger;
import org.apache.xmlbeans.XmlException;
import org.apache.xmlbeans.XmlObject;
import org.w3c.dom.Element;
import xmlbeans.org.oasis.saml2.assertion.AssertionDocument;
import xmlbeans.org.oasis.saml2.assertion.AttributeStatementType;
import xmlbeans.org.oasis.saml2.assertion.AttributeType;
import xmlbeans.org.oasis.saml2.assertion.AuthnStatementType;
import xmlbeans.org.oasis.saml2.assertion.NameIDType;
import xmlbeans.org.oasis.saml2.assertion.SubjectLocalityType;

/* loaded from: input_file:eu/unicore/security/wsutil/AuthInHandler.class */
public class AuthInHandler extends AbstractSoapInterceptor {
    public static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    public static final String CONSIGNOR_IP_HEADER = "X-UNICORE-Consignor-IP";
    public static final String GW_EXTERNAL_URL = "X-UNICORE-Gateway";
    private final boolean useGatewayAssertions;
    private final boolean useHTTPBasic;
    private final boolean useSSLData;
    private final X509Certificate gatewayC;
    private final boolean verifyConsignor;
    private SamlTrustChecker samlAuthnTrustChecker;
    private String samlConsumerName;
    private String samlConsumerEndpointUri;
    private final List<String> alternativeSAMLConsumerNames;
    private long samlGraceTime;
    private final String actor;
    private final List<UserAttributeHandler> userAttributeHandlers;
    private final Set<QName> qnameSet;
    private final SecuritySessionStore sessionStore;
    protected static final Logger logger = Log.getLogger("unicore.security", AuthInHandler.class);
    public static final String RAW_SAML_ASSERTIONS_KEY = AuthInHandler.class.getName() + ".RAW_SAML_ASSERTIONS";

    public AuthInHandler(boolean z, boolean z2, boolean z3, X509Certificate x509Certificate, SecuritySessionStore securitySessionStore) {
        this(z, z2, z3, x509Certificate, null, securitySessionStore);
    }

    public AuthInHandler(boolean z, boolean z2, boolean z3, X509Certificate x509Certificate, String str, SecuritySessionStore securitySessionStore) {
        super("pre-invoke");
        this.alternativeSAMLConsumerNames = new ArrayList();
        this.userAttributeHandlers = new ArrayList();
        this.qnameSet = new HashSet();
        this.qnameSet.add(new QName(WSSecHeader.WSSE_NS_URI, WSSecHeader.WSSE_LN));
        this.useGatewayAssertions = z;
        this.useHTTPBasic = z3;
        this.useSSLData = z2;
        if (x509Certificate == null || !z) {
            this.gatewayC = null;
            this.verifyConsignor = false;
        } else {
            this.gatewayC = x509Certificate;
            this.verifyConsignor = true;
        }
        this.actor = str;
        this.sessionStore = securitySessionStore;
    }

    public void enableSamlAuthentication(String str, String str2, SamlTrustChecker samlTrustChecker, long j, List<String> list) {
        this.samlAuthnTrustChecker = samlTrustChecker;
        this.samlConsumerEndpointUri = str2;
        this.samlConsumerName = str;
        this.samlGraceTime = j;
        this.alternativeSAMLConsumerNames.addAll(list);
    }

    public void enableSamlAuthentication(String str, String str2, SamlTrustChecker samlTrustChecker, long j) {
        enableSamlAuthentication(str, str2, samlTrustChecker, j, Collections.emptyList());
    }

    public void disableSamlAuthentication() {
        this.samlAuthnTrustChecker = null;
    }

    public void addUserAttributeHandler(UserAttributeHandler userAttributeHandler) {
        this.userAttributeHandlers.add(userAttributeHandler);
    }

    public Set<QName> getUnderstoodHeaders() {
        return this.qnameSet;
    }

    public void handleMessage(SoapMessage soapMessage) {
        SecurityTokens tokens;
        String securitySessionID = SecuritySessionCreateInHandler.getSecuritySessionID(soapMessage);
        if (securitySessionID == null) {
            tokens = new SecurityTokens();
            process(soapMessage, tokens);
        } else {
            SecuritySession session = getSession(soapMessage, securitySessionID);
            tokens = session.getTokens();
            tokens.getContext().put("reused-unicore-security-session", Boolean.TRUE);
            SessionIDServerOutHandler.setSession(session);
            if (logger.isDebugEnabled()) {
                logger.debug("Re-using session " + securitySessionID + " for <" + session.getUserKey() + ">");
            }
        }
        soapMessage.put(SecurityTokens.KEY, tokens);
    }

    protected SecuritySession getSession(SoapMessage soapMessage, String str) {
        SecuritySession session = this.sessionStore.getSession(str);
        if (session == null || session.isExpired()) {
            throwFault(432, "No (valid) security session found, please (re-)send full security data!");
        }
        return session;
    }

    protected void process(SoapMessage soapMessage, SecurityTokens securityTokens) {
        if (this.useHTTPBasic) {
            HTTPAuthNTokens hTTPCredentials = getHTTPCredentials(soapMessage);
            if (hTTPCredentials != null) {
                securityTokens.getContext().put(SecurityTokens.CTX_LOGIN_HTTP, hTTPCredentials);
            }
            String bearerToken = CXFUtils.getBearerToken(soapMessage);
            if (bearerToken != null) {
                if (logger.isDebugEnabled()) {
                    logger.debug("Have OAuth bearer token.");
                }
                securityTokens.getContext().put(OAuthBearerTokenOutInterceptor.TOKEN_KEY, bearerToken);
            }
        }
        ConsignorAssertion consignorAssertion = null;
        Element element = null;
        Element element2 = null;
        if (soapMessage.hasHeaders()) {
            List<Element> extractSAMLAssertions = extractSAMLAssertions(soapMessage);
            if (this.useGatewayAssertions) {
                consignorAssertion = getConsignorAssertion(extractSAMLAssertions);
            }
            element = getUserAssertion(extractSAMLAssertions);
            element2 = getSAMLAuthnAssertion(extractSAMLAssertions);
            securityTokens.getContext().put(RAW_SAML_ASSERTIONS_KEY, extractSAMLAssertions);
        }
        if (this.samlAuthnTrustChecker == null || element2 == null) {
            if (element2 != null) {
                throwFault(400, "Got request with SAML Authentication assertions, but this server does not allow for SAML authentication.");
            }
            processConsignor(consignorAssertion, securityTokens, soapMessage);
        } else {
            processSAMLAuthentication(element2, consignorAssertion, securityTokens, soapMessage);
        }
        if (element != null) {
            try {
                processUser(element, securityTokens);
            } catch (IOException e) {
                throw new Fault(e);
            }
        }
        securityTokens.getContext().put(SecurityTokens.CTX_SCOPE_KEY, "request");
        securityTokens.getContext().put("REQUEST.soapAction", getSOAPAction(soapMessage));
    }

    protected List<Element> extractSAMLAssertions(SoapMessage soapMessage) {
        List<Header> headers = soapMessage.getHeaders();
        ArrayList arrayList = new ArrayList();
        if (headers.size() == 0) {
            logger.debug("No SOAP header");
            return arrayList;
        }
        Element findWSSecElement = this.actor != null ? new WSSecHeader(this.actor, true).findWSSecElement(headers) : null;
        if (findWSSecElement == null) {
            findWSSecElement = new WSSecHeader(true).findWSSecElement(headers);
        }
        ArrayList arrayList2 = new ArrayList();
        for (Header header : headers) {
            if ("urn:oasis:names:tc:SAML:2.0:assertion".equals(header.getName().getNamespaceURI()) && "Assertion".equals(header.getName().getLocalPart())) {
                arrayList2.add((Element) header.getObject());
            }
        }
        arrayList.addAll(arrayList2);
        if (findWSSecElement != null) {
            arrayList.addAll(DOMUtils.getChildrenWithName(findWSSecElement, "urn:oasis:names:tc:SAML:2.0:assertion", "Assertion"));
            if (arrayList.size() == 0) {
                logger.debug("No assertion found in the wssec:Security element");
            }
        } else {
            logger.debug("No valid WS Security element found in SOAP header");
        }
        return arrayList;
    }

    protected void processUser(Element element, SecurityTokens securityTokens) throws IOException {
        logger.debug("Found user assertion in request");
        UserAssertion processUserAssertion = processUserAssertion(element);
        X509Certificate[] extractCertPath = extractCertPath(processUserAssertion);
        if (extractCertPath == null) {
            String subjectName = processUserAssertion.getSubjectName();
            securityTokens.setUserName(subjectName);
            if (logger.isDebugEnabled()) {
                logger.debug("Requested USER (retrieved as a DN): " + X500NameUtils.getReadableForm(subjectName));
            }
        } else {
            securityTokens.setUser(extractCertPath);
            if (logger.isDebugEnabled()) {
                logger.debug("Requested USER (retrieved as a full certificate): " + CertificateUtils.format(extractCertPath[0], FormatMode.COMPACT_ONE_LINE));
            }
        }
        AttributeStatementType[] attributeStatementArray = processUserAssertion.getXMLBean().getAttributeStatementArray();
        if (attributeStatementArray == null || this.userAttributeHandlers.size() <= 0) {
            return;
        }
        for (AttributeStatementType attributeStatementType : attributeStatementArray) {
            for (AttributeType attributeType : attributeStatementType.getAttributeArray()) {
                String nameFormat = attributeType.getNameFormat();
                if (!"urn:unicore:subject-role".equals(nameFormat)) {
                    String name = attributeType.getName();
                    XmlObject[] attributeValueArray = attributeType.getAttributeValueArray();
                    Iterator<UserAttributeHandler> it = this.userAttributeHandlers.iterator();
                    while (it.hasNext()) {
                        it.next().processUserDefinedAttribute(name, nameFormat, attributeValueArray, securityTokens);
                    }
                }
            }
        }
    }

    protected void processSAMLAuthentication(Element element, ConsignorAssertion consignorAssertion, SecurityTokens securityTokens, SoapMessage soapMessage) {
        String str = this.samlConsumerEndpointUri;
        String header = CXFUtils.getServletRequest(soapMessage).getHeader(GW_EXTERNAL_URL);
        if (header != null && !str.startsWith(header)) {
            str = header + "/services";
        }
        SSOAuthnAssertionValidator sSOAuthnAssertionValidator = new SSOAuthnAssertionValidator(this.samlConsumerName, str, (String) null, this.samlGraceTime, this.samlAuthnTrustChecker, (ReplayAttackChecker) null, SAMLBindings.OTHER);
        sSOAuthnAssertionValidator.setLaxInResponseToChecking(true);
        sSOAuthnAssertionValidator.addConsumerSamlNameAlias(str);
        Iterator<String> it = this.alternativeSAMLConsumerNames.iterator();
        while (it.hasNext()) {
            sSOAuthnAssertionValidator.addConsumerSamlNameAlias(it.next());
        }
        try {
            AssertionDocument parse = AssertionDocument.Factory.parse(element);
            try {
                sSOAuthnAssertionValidator.validate(parse);
            } catch (SAMLValidationException e) {
                logger.warn("SAML authentication assertion received in request is not trusted: " + e.getMessage());
                throwFault(400, "SAML authentication assertion received in request can not be parsed " + e.getMessage());
            }
            NameIDType nameID = parse.getAssertion().getSubject().getNameID();
            if (nameID == null) {
                throwFault(400, "SAML authentication for UNICORE assertion must have nameID element");
            }
            if (!"urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName".equals(nameID.getFormat())) {
                throwFault(400, "SAML authentication assertion for UNICORE must have subject of urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName format, was: " + nameID.getFormat());
            }
            String stringValue = nameID.getStringValue();
            if (stringValue == null || stringValue.isEmpty()) {
                throwFault(400, "SAML authenticated user must be non-empty");
            }
            try {
                logger.debug("Using consignor info from SAML authentication assertion: " + X500NameUtils.getReadableForm(stringValue));
            } catch (Exception e2) {
                Log.logException("Invalid DN in SAML authn assertion", e2, logger);
                throwFault(400, "SAML authenticated user identity is not a valid X.500 name: " + e2.toString());
            }
            securityTokens.setConsignorName(stringValue);
            establishIP(consignorAssertion, securityTokens, soapMessage);
        } catch (XmlException e3) {
            Log.logException("SAML authentication assertion received in request can not be parsed", e3, logger);
            throwFault(400, "SAML authentication assertion received in request can not be parsed " + e3.toString());
        }
    }

    protected void processConsignor(ConsignorAssertion consignorAssertion, SecurityTokens securityTokens, SoapMessage soapMessage) {
        if (consignorAssertion == null && this.useGatewayAssertions) {
            logger.debug("No consignor info in request -> request didn't come through a gateway");
        }
        X509Certificate[] x509CertificateArr = null;
        String str = null;
        if (consignorAssertion != null && this.useGatewayAssertions) {
            x509CertificateArr = processConsignorAssertion(consignorAssertion);
            if (x509CertificateArr != null) {
                logger.debug("Using consignor info from Gateway.");
                str = extractIPFromConsignorAssertion(consignorAssertion);
            }
        }
        if (consignorAssertion == null && this.useSSLData) {
            x509CertificateArr = getSSLCertPath(soapMessage);
            str = getClientIP(soapMessage);
            if (x509CertificateArr != null) {
                logger.debug("Using consignor info from SSL connection.");
            }
        }
        if (logger.isDebugEnabled() && x509CertificateArr != null) {
            logger.debug("Consignor: " + X500NameUtils.getReadableForm(x509CertificateArr[0].getSubjectX500Principal()));
        }
        if (x509CertificateArr == null) {
            logger.debug("No valid Consignor info received, request is not authenticated.");
        } else {
            securityTokens.setConsignor(x509CertificateArr);
        }
        securityTokens.setClientIP(str);
    }

    protected void establishIP(ConsignorAssertion consignorAssertion, SecurityTokens securityTokens, SoapMessage soapMessage) {
        String str = null;
        if (consignorAssertion != null && this.useGatewayAssertions && processConsignorAssertion(consignorAssertion) != null) {
            logger.debug("Using consignor info from Gateway.");
            str = extractIPFromConsignorAssertion(consignorAssertion);
        }
        if (str == null) {
            String header = CXFUtils.getServletRequest(soapMessage).getHeader(CONSIGNOR_IP_HEADER);
            str = header != null ? header : getClientIP(soapMessage);
        }
        securityTokens.setClientIP(str);
    }

    protected X509Certificate[] getSSLCertPath(SoapMessage soapMessage) {
        return CXFUtils.getSSLCerts(soapMessage);
    }

    protected String getClientIP(SoapMessage soapMessage) {
        return CXFUtils.getClientIP(soapMessage);
    }

    protected String extractIPFromConsignorAssertion(ConsignorAssertion consignorAssertion) {
        SubjectLocalityType subjectLocality;
        AuthnStatementType[] authnStatementArray = consignorAssertion.getXMLBean().getAuthnStatementArray();
        if (authnStatementArray == null || authnStatementArray.length == 0 || (subjectLocality = authnStatementArray[0].getSubjectLocality()) == null) {
            return null;
        }
        return subjectLocality.getAddress();
    }

    protected HTTPAuthNTokens getHTTPCredentials(SoapMessage soapMessage) {
        return CXFUtils.getHTTPCredentials(soapMessage);
    }

    protected Element getUserAssertion(List<Element> list) {
        Element element;
        for (int size = list.size() - 1; size >= 0; size--) {
            Element element2 = list.get(size);
            List childrenWithName = DOMUtils.getChildrenWithName(element2, "urn:oasis:names:tc:SAML:2.0:assertion", "AttributeStatement");
            if (childrenWithName.size() != 0 && (element = (Element) childrenWithName.get(0)) != null) {
                for (Element element3 : DOMUtils.getChildrenWithName(element, "urn:oasis:names:tc:SAML:2.0:assertion", "Attribute")) {
                    String attribute = element3.getAttribute("Name");
                    String attribute2 = element3.getAttribute("NameFormat");
                    if (!StringUtils.isEmpty(attribute) && !StringUtils.isEmpty(attribute2) && attribute.equals("USER") && attribute2.equals("urn:unicore:subject-role")) {
                        list.remove(size);
                        return element2;
                    }
                }
            }
        }
        return null;
    }

    protected Element getSAMLAuthnAssertion(List<Element> list) {
        Element element = null;
        for (int size = list.size() - 1; size >= 0; size--) {
            Element element2 = list.get(size);
            List childrenWithName = DOMUtils.getChildrenWithName(element2, "urn:oasis:names:tc:SAML:2.0:assertion", "AuthnStatement");
            if (childrenWithName.size() != 0 && ((Element) childrenWithName.get(0)) != null) {
                if (element != null) {
                    throwFault(400, "Multiple SAML authentication assertions received, what is not supported.");
                }
                element = element2;
                list.remove(size);
            }
        }
        return element;
    }

    protected ConsignorAssertion getConsignorAssertion(List<Element> list) {
        if (list.size() == 0) {
            return null;
        }
        try {
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            CXFUtils.writeXml(list.get(0), byteArrayOutputStream);
            ConsignorAssertion consignorAssertion = new ConsignorAssertion(AssertionDocument.Factory.parse(byteArrayOutputStream.toString()));
            list.remove(0);
            return consignorAssertion;
        } catch (Exception e) {
            logger.debug("The first assertion is not a valid CONSIGNOR assertion, ignoring: " + e.getMessage());
            return null;
        }
    }

    protected X509Certificate[] processConsignorAssertion(ConsignorAssertion consignorAssertion) {
        X509Certificate[] consignor = consignorAssertion.getConsignor();
        if (this.verifyConsignor) {
            if (!consignorAssertion.isSigned()) {
                logger.warn("Consignor assertion is unsigned. Probably gateway is not configured properly to sign consignor assertions. Either fix gateway configuration or turn off signature checking in this server's configuration");
                return null;
            }
            ValidationResult verifyConsignorToken = UnicoreSecurityFactory.getConsignorAPI().verifyConsignorToken(consignorAssertion, this.gatewayC);
            if (!verifyConsignorToken.isValid()) {
                logger.warn("Consignor assertion is invalid (probably FAKED): " + verifyConsignorToken.getInvalidResaon() + ", inserted consignor was: " + ((consignor == null || consignor.length == 0) ? "null" : X500NameUtils.getReadableForm(consignor[0].getSubjectX500Principal())));
                return null;
            }
            logger.debug("Successfully verified consignor assertion.");
        }
        if (consignor == null) {
            logger.debug("Anonymous CONSIGNOR");
        }
        return consignor;
    }

    protected UserAssertion processUserAssertion(Element element) {
        try {
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            StaxUtils.writeTo(element, byteArrayOutputStream);
            return new UserAssertion(AssertionDocument.Factory.parse(byteArrayOutputStream.toString()));
        } catch (Exception e) {
            logger.warn("The USER assertion is invalid, ignoring: " + e.getMessage());
            return null;
        }
    }

    protected X509Certificate[] extractCertPath(UserAssertion userAssertion) {
        X509Certificate[] subjectFromConfirmation = userAssertion.getSubjectFromConfirmation();
        if (subjectFromConfirmation == null) {
            logger.debug("USER retrieved, but no certificate is given.");
        }
        return subjectFromConfirmation;
    }

    protected String getSOAPAction(SoapMessage soapMessage) {
        String action = CXFUtils.getAction(soapMessage);
        if (logger.isDebugEnabled() && action != null) {
            logger.debug("Setting SOAP action to '" + action + "'");
        }
        return action;
    }

    protected void throwFault(int i, String str) {
        logger.debug("AuthN failed: " + str);
        Fault fault = new Fault((Throwable) null);
        fault.setStatusCode(i);
        fault.setMessage(str);
        throw fault;
    }
}
