package eu.unicore.services.rest.security;

import eu.unicore.samly2.SAMLBindings;
import eu.unicore.samly2.assertion.AssertionParser;
import eu.unicore.samly2.assertion.AttributeAssertionParser;
import eu.unicore.samly2.elements.NameID;
import eu.unicore.samly2.exceptions.SAMLValidationException;
import eu.unicore.samly2.trust.TruststoreBasedSamlTrustChecker;
import eu.unicore.samly2.validators.ReplayAttackChecker;
import eu.unicore.samly2.validators.SSOAuthnAssertionValidator;
import eu.unicore.security.AuthenticationException;
import eu.unicore.security.SecurityTokens;
import eu.unicore.security.etd.TrustDelegation;
import eu.unicore.security.wsutil.samlclient.AuthnResponseAssertions;
import eu.unicore.security.wsutil.samlclient.SAMLAuthnClient;
import eu.unicore.util.Log;
import eu.unicore.util.httpclient.DefaultClientConfiguration;
import java.net.MalformedURLException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import org.apache.log4j.Logger;

/* loaded from: input_file:eu/unicore/services/rest/security/UnityBaseSAMLAuthenticator.class */
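/**
 * Base class for authenticators that obtain a SAML authentication response from a remote
 * (Unity) endpoint at {@code address} and turn it into UNICORE {@link SecurityTokens}.
 *
 * <p>The flow is: {@link #doAuth} (SAML authn request as the container's own identity),
 * then {@link #validate} unless disabled, then {@link #extractAuthInfo} (user name,
 * consignor trust and trust-delegation tokens taken from the returned assertions).
 *
 * <p>SECURITY NOTE: {@link #setValidate(boolean)} with {@code false} makes
 * {@link #performAuth} skip {@link #validate} entirely, so whatever assertions the remote
 * endpoint returns are accepted without the issuer-trust / SSO checks being run. Only the
 * authentication assertions are validated here; the attribute assertions are handed to
 * {@link TrustDelegation} as-is (any checks on them would have to happen there or in the
 * caller).
 *
 * <p>Decompiled source: {@code performAuth}, {@code getExpiryTime} and {@code extractAuthInfo}
 * were originally {@code protected}; they are kept {@code public} to preserve the interface.
 */
public abstract class UnityBaseSAMLAuthenticator extends BaseRemoteAuthenticator<AuthnResponseAssertions> {
    private static final Logger logger = Log.getLogger("unicore.security", UnityBaseSAMLAuthenticator.class);

    /** Whether {@link #validate} is run on the returned assertions; defaults to on. */
    private boolean validate = true;

    /**
     * Enables or disables validation of the returned SAML authentication assertions.
     *
     * @param z {@code false} to skip {@link #validate} in {@link #performAuth}. This removes
     *          the issuer-trust and consumer/audience checks, so disabling is logged loudly.
     */
    public void setValidate(boolean z) {
        this.validate = z;
        if (!z) {
            logger.warn("SAML assertion validation is DISABLED - assertions returned by the "
                    + "remote endpoint will be accepted without trust checking.");
        }
    }

    /**
     * Performs the remote SAML authentication and, unless disabled via
     * {@link #setValidate(boolean)}, validates the returned authentication assertions.
     *
     * @param defaultClientConfiguration client (TLS/credential) configuration for the call
     * @return the parsed SAML response assertions
     * @throws Exception on transport errors, SAML errors, or
     *         {@link AuthenticationException} when an assertion is not trusted
     */
    @Override // eu.unicore.services.rest.security.BaseRemoteAuthenticator
    public AuthnResponseAssertions performAuth(DefaultClientConfiguration defaultClientConfiguration) throws Exception {
        String requesterName = this.kernel.getContainerSecurityConfiguration().getCredential().getSubjectName();
        String baseUrl = this.kernel.getContainerProperties().getBaseUrl();
        AuthnResponseAssertions response = doAuth(requesterName, baseUrl, defaultClientConfiguration);
        if (this.validate) {
            validate(response);
        }
        return response;
    }

    /**
     * Returns the cache expiry for an authentication result.
     *
     * <p>Uses the {@code NotOnOrAfter} of the first authentication assertion; when there is no
     * assertion or its {@code NotOnOrAfter} cannot be read, falls back to
     * {@code now + defaultCacheTime}.
     *
     * @param authnResponseAssertions the authenticated response
     * @return expiry time in epoch milliseconds
     */
    @Override // eu.unicore.services.rest.security.BaseRemoteAuthenticator
    public long getExpiryTime(AuthnResponseAssertions authnResponseAssertions) {
        long expiry = 0L;
        if (!authnResponseAssertions.getAuthNAssertions().isEmpty()) {
            try {
                expiry = ((AssertionParser) authnResponseAssertions.getAuthNAssertions().get(0))
                        .getNotOnOrAfter().getTime();
            } catch (Exception e) {
                // best-effort: a missing/unreadable NotOnOrAfter just means "use the default"
                logger.debug("Cannot read NotOnOrAfter from authn assertion, using default cache time: "
                        + e.getMessage());
            }
        }
        if (expiry == 0L) {
            expiry = System.currentTimeMillis() + defaultCacheTime;
        }
        return expiry;
    }

    /**
     * Populates the security tokens from the first authentication assertion: user name,
     * consignor-trusted flag and the trust-delegation tokens parsed from the attribute
     * assertions. Does nothing when there is no authentication assertion or its subject
     * name is {@code null}.
     *
     * @param authnResponseAssertions the (validated, if enabled) response
     * @param securityTokens tokens to fill in
     */
    @Override // eu.unicore.services.rest.security.BaseRemoteAuthenticator
    public void extractAuthInfo(AuthnResponseAssertions authnResponseAssertions, SecurityTokens securityTokens) {
        int count = authnResponseAssertions.getAuthNAssertions().size();
        if (count <= 0) {
            logger.debug("No authentication assertion found!");
            return;
        }
        if (count > 1) {
            logger.debug("More than one authn assertion found! Will use first one.");
        }
        AssertionParser first = (AssertionParser) authnResponseAssertions.getAuthNAssertions().get(0);
        String subjectName = first.getSubjectName();
        if (subjectName == null) {
            return;
        }
        securityTokens.setUserName(subjectName);
        // the remote endpoint vouched for this subject, so the consignor is treated as trusted
        securityTokens.setConsignorTrusted(true);
        securityTokens.setTrustDelegationTokens(getTDTokens(authnResponseAssertions));
    }

    /**
     * Converts the attribute assertions of the response into {@link TrustDelegation} tokens.
     * Assertions that cannot be parsed as trust delegations are skipped (logged at debug
     * level) rather than failing the whole authentication.
     *
     * @param authnResponseAssertions the response
     * @return the parsed trust delegations, possibly empty
     */
    protected List<TrustDelegation> getTDTokens(AuthnResponseAssertions authnResponseAssertions) {
        List<TrustDelegation> tokens = new ArrayList<>();
        for (AttributeAssertionParser parser : authnResponseAssertions.getAttributeAssertions()) {
            try {
                tokens.add(new TrustDelegation(parser.getXMLBeanDoc()));
            } catch (Exception e) {
                // best-effort: not every attribute assertion is a trust delegation
                logger.debug("Skipping attribute assertion that is not a valid trust delegation: "
                        + e.getMessage());
            }
        }
        return tokens;
    }

    /**
     * Validates every authentication assertion against the container's trusted assertion
     * issuers, using the container's base URL / credential subject name as the consumer.
     *
     * <p>Caveats visible from the configuration below: no {@link ReplayAttackChecker} is
     * installed (so replay protection, if any, must come from elsewhere) and InResponseTo
     * checking is lax. An empty list of authentication assertions passes trivially;
     * {@link #extractAuthInfo} then leaves the tokens untouched.
     *
     * @param authnResponseAssertions the response to check
     * @throws AuthenticationException if any authentication assertion fails validation
     */
    protected void validate(AuthnResponseAssertions authnResponseAssertions) {
        TruststoreBasedSamlTrustChecker trustChecker = new TruststoreBasedSamlTrustChecker(
                this.kernel.getContainerSecurityConfiguration().getTrustedAssertionIssuers());
        String baseUrl = this.kernel.getContainerProperties().getBaseUrl();
        String consumerName = this.kernel.getContainerSecurityConfiguration().getCredential().getSubjectName();
        SSOAuthnAssertionValidator validator = new SSOAuthnAssertionValidator(consumerName, baseUrl,
                (String) null, 0L, trustChecker, (ReplayAttackChecker) null, SAMLBindings.OTHER);
        validator.setLaxInResponseToChecking(true);
        validator.addConsumerSamlNameAlias(baseUrl);
        if (logger.isDebugEnabled()) {
            logger.debug("Validating AuthN assertions. endpointURI=" + baseUrl + " consumerName=" + consumerName);
        }
        for (AssertionParser assertionParser : authnResponseAssertions.getAuthNAssertions()) {
            try {
                if (logger.isDebugEnabled()) {
                    logger.debug("Validating " + assertionParser.getXMLBeanDoc());
                }
                validator.validate(assertionParser.getXMLBeanDoc());
            } catch (Exception e) {
                String msg = "SAML authentication assertion is not trusted: " + e.getMessage();
                logger.warn(msg);
                // keep the full failure reason available for troubleshooting
                logger.debug("Assertion validation failure", e);
                throw new AuthenticationException(msg);
            }
        }
    }

    /**
     * Sends the SAML authentication request to {@code address}.
     *
     * <p>The requester NameID is the container credential's X.509 subject name when one is
     * available, otherwise the container base URL as an entity identifier.
     *
     * @param str the container credential subject name, may be {@code null}
     * @param str2 the container base URL
     * @param defaultClientConfiguration client configuration for the call
     * @return the parsed response assertions
     * @throws MalformedURLException if {@code address} is not a valid URL
     * @throws SAMLValidationException if the response is not a valid SAML response
     */
    protected AuthnResponseAssertions doAuth(String str, String str2, DefaultClientConfiguration defaultClientConfiguration)
            throws MalformedURLException, SAMLValidationException {
        NameID requester = str != null
                ? new NameID(str, "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName")
                : new NameID(str2, "urn:oasis:names:tc:SAML:2.0:nameid-format:entity");
        try {
            return new SAMLAuthnClient(this.address, defaultClientConfiguration)
                    .authenticate("urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName", requester, str2);
        } catch (RuntimeException e) {
            this.cb.notOK(Log.createFaultMessage("Error for " + this.address, e));
            throw e;
        }
    }
}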
