package com.ibm.ws.security.saml.sso20.rs;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.saml.SsoRequest;
import com.ibm.ws.security.saml.SsoSamlService;
import com.ibm.ws.security.saml.error.SamlException;
import com.ibm.ws.security.saml.sso20.binding.BasicMessageContext;
import com.ibm.ws.security.saml.sso20.binding.BasicMessageContextBuilder;
import java.io.ByteArrayInputStream;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.opensaml.common.SAMLObject;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.util.Base64;

/**
 * Consumes a raw inbound SAML 2.0 token for the RS SAML flow: decodes it into a
 * {@link BasicMessageContext}, decrypts it when it arrived as an
 * {@link EncryptedAssertion}, and validates the resulting {@link Assertion} with
 * {@code RsAssertionValidator}.
 * <p>
 * Only a bare {@code <Assertion>} or {@code <EncryptedAssertion>} is accepted; a full
 * {@code <Response>} envelope is rejected in {@link #decryptEncryptedAssertion}.
 * <p>
 * The class carries no instance fields, so the shared instance returned by
 * {@link #getInstance()} holds no per-request state. {@link #setInstance} is
 * package-private so code in this package can substitute another instance
 * (presumably for testing).
 * <p>
 * This listing is decompiled: the {@code FFDCFilter.processException} calls and their
 * numeric probe ids were injected by build-time instrumentation, and casts such as
 * {@code (Exception) null} are decompiler artifacts.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.saml.sso.2.0_1.0.15.jar:com/ibm/ws/security/saml/sso20/rs/RsSamlConsumer.class */
public class RsSamlConsumer<InboundMessageType extends SAMLObject, OutboundMessageType extends SAMLObject, NameIdentifierType extends SAMLObject> {
    // Trace component for the SAML20 trace group, backed by the SamlSso20Messages bundle.
    private static TraceComponent tc = Tr.register((Class<?>) RsSamlConsumer.class, "SAML20", "com.ibm.ws.security.saml.sso20.internal.resources.SamlSso20Messages");
    // Process-wide shared instance; replaceable via setInstance().
    static RsSamlConsumer<?, ?, ?> instance = new RsSamlConsumer<>();
    // The class is not declared Serializable here, so this field is inert.
    static final long serialVersionUID = -1038309578086514297L;

    /**
     * Returns the shared consumer instance.
     *
     * @return the current shared {@code RsSamlConsumer}
     */
    public static RsSamlConsumer<?, ?, ?> getInstance() {
        return instance;
    }

    /**
     * Replaces the shared consumer instance. Not synchronized; intended for
     * single-threaded setup such as tests.
     *
     * @param rsSamlConsumer the instance that {@link #getInstance()} will return from now on
     */
    static void setInstance(RsSamlConsumer<?, ?, ?> rsSamlConsumer) {
        instance = rsSamlConsumer;
    }

    /**
     * Decodes, decrypts and validates an inbound SAML token and returns the resulting
     * message context.
     * <p>
     * {@code str} is accepted in two forms: trimmed text that starts with {@code <} and
     * ends with {@code >} is treated as XML and encoded as UTF-8; anything else is
     * Base64-decoded. The decoded bytes are parsed into the context by
     * {@code ByteArrayDecoder}, and each assertion produced by
     * {@link #decryptEncryptedAssertion} is then considered as a candidate.
     * <p>
     * A candidate is only validated if it carries at least one AuthnStatement and a
     * Subject; the first candidate that passes {@code RsAssertionValidator} becomes the
     * context's validated assertion and the loop stops. If no candidate validates, the
     * most recently recorded failure is thrown: a non-SAML exception (or a missing
     * Subject, which is recorded in the same slot) takes precedence over a
     * {@link SamlException} raised by validation.
     * <p>
     * Caveat for callers: when no candidate qualified at all and no failure was
     * recorded &mdash; for example every assertion had a Subject but no AuthnStatement
     * &mdash; the context is returned <em>without</em> a validated assertion and without
     * an exception. Callers must not treat a normal return as proof of validation;
     * check {@code getValidatedAssertion()} on the returned context.
     * <p>
     * Note that the FFDC incident records produced here include the raw token
     * {@code str} among their arguments, so FFDC output must be treated as sensitive.
     *
     * @param httpServletRequest  the current request, passed to the context builder and FFDC
     * @param httpServletResponse the current response, passed to the context builder and FFDC
     * @param ssoSamlService      the SAML SSO service configuration for this request
     * @param ssoRequest          the SSO request wrapper for this request
     * @param str                 the raw inbound token, XML text or Base64
     * @return the message context; its validated assertion is set only if one passed validation
     * @throws SamlException {@code SAML_BAD_INBOUND_SAML_TOKEN} if Base64 decoding yields
     *         {@code null}; {@code RS_SAML_RESPONSE_NOT_SUPPORTED} if the token is a
     *         {@code <Response>}; the recorded failure when no assertion validated; or a
     *         wrapper around any other exception (including a {@code null} {@code str})
     */
    @FFDCIgnore({SamlException.class})
    public BasicMessageContext<InboundMessageType, OutboundMessageType, NameIdentifierType> handleSAMLResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SsoSamlService ssoSamlService, SsoRequest ssoRequest, String str) throws SamlException {
        try {
            BasicMessageContext<InboundMessageType, OutboundMessageType, NameIdentifierType> basicMessageContext = (BasicMessageContext<InboundMessageType, OutboundMessageType, NameIdentifierType>) BasicMessageContextBuilder.getInstance().buildRsSaml(httpServletRequest, httpServletResponse, ssoSamlService, null, ssoRequest);
            str = str.trim();
            // Form detection is a heuristic on the first and last characters; anything not
            // bracketed is assumed to be Base64. getBytes("UTF-8") declares a checked
            // UnsupportedEncodingException, which the outer catch below would wrap.
            byte[] bytes = (str.startsWith("<") && str.endsWith(">")) ? str.getBytes("UTF-8") : Base64.decode(str);
            // The decoder reports malformed Base64 by returning null rather than throwing.
            if (bytes == null) {
                throw new SamlException("SAML_BAD_INBOUND_SAML_TOKEN", (Exception) null, new Object[]{str});
            }
            // Parses the bytes into the context; decryptEncryptedAssertion reads the result
            // back via getInboundMessage().
            new ByteArrayDecoder().doDecode(basicMessageContext, new ByteArrayInputStream(bytes));
            // assertion: the first candidate that validated (null if none).
            // samlException: the last validation failure reported as a SamlException.
            // exc: the last non-SAML failure, or the missing-Subject error; outranks samlException.
            Assertion assertion = null;
            SamlException samlException = null;
            Exception exc = null;
            // decryptEncryptedAssertion returns at most one assertion, so this loop runs at most once.
            for (Assertion assertion2 : decryptEncryptedAssertion(basicMessageContext)) {
                // Only assertions with an AuthnStatement and a Subject are candidates. One with a
                // Subject but no AuthnStatement is skipped silently (no failure recorded).
                if (assertion2.getAuthnStatements().size() > 0 && assertion2.getSubject() != null) {
                    try {
                        // The issuer is read from the not-yet-validated assertion and stored on the
                        // context before validation runs; RsAssertionValidator is presumably where it
                        // is checked against the configured trusted issuer — confirm against that class.
                        String value = assertion2.getIssuer().getValue();
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Issuer from ToBeValidate-assertion:" + value, new Object[0]);
                        }
                        basicMessageContext.setInboundMessageIssuer(value);
                        new RsAssertionValidator(basicMessageContext, assertion2).validateAssertion();
                        // First valid assertion wins.
                        assertion = assertion2;
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Found valid Asserion " + assertion2.getID(), new Object[0]);
                        }
                        break;
                    } catch (SamlException e) {
                        // Expected validation outcome: remember it and keep looking.
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Invalid Asserion " + assertion2.getID(), new Object[0]);
                        }
                        samlException = e;
                    } catch (Exception e2) {
                        // Unexpected failure: record an FFDC incident (note the raw token str is
                        // included in its arguments) and remember the exception.
                        FFDCFilter.processException(e2, "com.ibm.ws.security.saml.sso20.rs.RsSamlConsumer", "121", this, new Object[]{httpServletRequest, httpServletResponse, ssoSamlService, ssoRequest, str});
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Invalid Asserion " + assertion2.getID(), new Object[0]);
                        }
                        exc = e2;
                    }
                } else if (assertion2.getSubject() == null) {
                    // A missing Subject is stored in exc, not samlException, so it takes
                    // precedence over an ordinary validation failure when thrown below.
                    exc = new SamlException("SAML20_ELEMENT_ERR", (Exception) null, new Object[]{"Subject"});
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Assertion " + assertion2.getID() + " does not contain Subject", new Object[0]);
                    }
                }
            }
            if (assertion != null) {
                basicMessageContext.setValidatedAssertion(assertion);
            } else {
                // Failure precedence: exc first, then samlException. If neither was recorded
                // the context is returned with no validated assertion (see Javadoc caveat).
                if (exc != null) {
                    throw exc;
                }
                if (samlException != null) {
                    throw samlException;
                }
            }
            return basicMessageContext;
        } catch (SamlException e3) {
            // SamlException is the expected failure type and is passed through untouched
            // (and excluded from FFDC via @FFDCIgnore).
            throw e3;
        } catch (Exception e4) {
            // Anything else (e.g. a null str, a decode or build failure) is recorded as an
            // FFDC incident and wrapped.
            FFDCFilter.processException(e4, "com.ibm.ws.security.saml.sso20.rs.RsSamlConsumer", "152", this, new Object[]{httpServletRequest, httpServletResponse, ssoSamlService, ssoRequest, str});
            throw new SamlException(e4);
        }
    }

    /**
     * Extracts the candidate assertion from the context's inbound message.
     * <p>
     * Returns a list with at most one element: the inbound message itself if it is an
     * {@link Assertion}, or the decrypted assertion if it is an
     * {@link EncryptedAssertion}. Any other message type yields an empty list (with a
     * debug trace of the type). A {@link Response} envelope is rejected outright.
     * <p>
     * When debug trace is enabled, the encrypted and decrypted assertions are written to
     * trace via their {@code toString()}, so trace output may expose assertion contents.
     *
     * @param basicMessageContext the context whose inbound message and decrypter are used
     * @return a list holding zero or one assertion
     * @throws SamlException {@code RS_SAML_RESPONSE_NOT_SUPPORTED} if the inbound message
     *         is a {@code <Response>}; otherwise a wrapper around any decryption failure.
     *         The decrypter is not null-checked, so a missing decrypter would surface as a
     *         wrapped {@code NullPointerException}.
     */
    List<Assertion> decryptEncryptedAssertion(BasicMessageContext<?, ?, ?> basicMessageContext) throws SamlException {
        // Raw type is a decompiler artifact; the list only ever holds Assertion instances.
        ArrayList arrayList = new ArrayList();
        XMLObject inboundMessage = basicMessageContext.getInboundMessage();
        // Full Response envelopes are not supported on this flow; the configured header
        // name is included in the message for diagnostics.
        if (inboundMessage instanceof Response) {
            throw new SamlException("RS_SAML_RESPONSE_NOT_SUPPORTED", (Exception) null, new Object[]{basicMessageContext.getSsoService().getConfig().getHeaderName()});
        }
        if (!(inboundMessage instanceof EncryptedAssertion)) {
            if (inboundMessage instanceof Assertion) {
                arrayList.add((Assertion) inboundMessage);
            } else if (tc.isDebugEnabled()) {
                // Unrecognised type: nothing is added and the caller sees an empty list.
                Tr.debug(tc, "InboundMessage is:" + inboundMessage.getClass().getName() + "\n" + inboundMessage, new Object[0]);
            }
            return arrayList;
        }
        try {
            EncryptedAssertion encryptedAssertion = (EncryptedAssertion) inboundMessage;
            Decrypter decrypter = basicMessageContext.getDecrypter();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "encryptedAssertion:" + encryptedAssertion + " decrypter:" + decrypter, new Object[0]);
            }
            // No null check on decrypter; an NPE here is caught and wrapped below.
            Assertion decrypt = decrypter.decrypt(encryptedAssertion);
            if (tc.isDebugEnabled()) {
                // The decrypted assertion is traced here when debug is on.
                Tr.debug(tc, "decryptedAssertion:" + decrypt, new Object[0]);
            }
            arrayList.add(decrypt);
            return arrayList;
        } catch (Exception e) {
            // Decryption failures are recorded as FFDC incidents and wrapped.
            FFDCFilter.processException(e, "com.ibm.ws.security.saml.sso20.rs.RsSamlConsumer", "184", this, new Object[]{basicMessageContext});
            throw new SamlException(e);
        }
    }
}
