package com.vmware.vapi.cis.authn.json;

import com.vmware.vapi.CoreException;
import com.vmware.vapi.Message;
import com.vmware.vapi.MessageFactory;
import com.vmware.vapi.cis.authn.SamlTokenAuthnHandler;
import com.vmware.vapi.cis.authn.SamlTokenSecurityContext;
import com.vmware.vapi.core.ExecutionContext;
import com.vmware.vapi.data.ConstraintValidationException;
import com.vmware.vapi.dsig.json.SignatureException;
import com.vmware.vapi.dsig.json.StsTrustChain;
import com.vmware.vapi.internal.cis.authn.json.JsonSignerImpl;
import com.vmware.vapi.internal.dsig.json.JsonCanonicalizer;
import com.vmware.vapi.internal.dsig.json.Verifier;
import com.vmware.vapi.internal.security.SecurityUtil;
import com.vmware.vapi.internal.util.DateTimeConverter;
import com.vmware.vapi.internal.util.Validate;
import com.vmware.vapi.protocol.RequestProcessor;
import com.vmware.vapi.saml.ConfirmationType;
import com.vmware.vapi.saml.DefaultTokenFactory;
import com.vmware.vapi.saml.SamlToken;
import com.vmware.vapi.saml.exception.InvalidTokenException;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.HashMap;
import java.util.Map;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/vmware/vapi/cis/authn/json/JsonSignatureVerificationProcessor.class */
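/**
 * Request processor that checks the SAML authentication data carried in a request's
 * security context before the request reaches the authentication handler.
 * <p>
 * Two authentication schemes are recognised (see {@link #validateSchemeId(String)}):
 * <ul>
 *   <li>holder-of-key tokens: the signature timestamp is validated against the local clock
 *       (within the configured tolerance) and the request body plus the request-supplied
 *       signature descriptor are handed to the configured {@link Verifier};</li>
 *   <li>bearer tokens: the token is only parsed and checked for the
 *       {@link ConfirmationType#BEARER} confirmation type, no request signature is verified.</li>
 * </ul>
 * In both cases the outcome — the parsed {@link SamlToken}, or the exception that prevented
 * parsing/verification — is recorded under the {@code "security_processor_metadata"} entry of
 * the request metadata map instead of being thrown, and the request body is always returned
 * unchanged. The keys used are {@link SamlTokenAuthnHandler#SAML_TOKEN_KEY} and
 * {@link SamlTokenAuthnHandler#ERROR_KEY}; the handler that defines them is presumably the
 * consumer of this data (confirm against {@code SamlTokenAuthnHandler}).
 * <p>
 * Instances are immutable after construction. Token parsing is serialised on the shared
 * {@link DefaultTokenFactory} instance (see {@link #parseToken(Object)}).
 */
public final class JsonSignatureVerificationProcessor implements RequestProcessor {
    private static final int MILLIS_PER_SECOND = 1000;
    /** Clock tolerance (seconds) used when no explicit tolerance is supplied. */
    private static final long DEFAULT_CLOCK_TOLERANCE_SEC = 600L;
    /** Scheme id selecting holder-of-key verification (signature timestamp + body signature). */
    private static final String SAML_HOK_SCHEME_ID = "com.vmware.vapi.std.security.saml_hok_token";
    /** Scheme id selecting bearer-token parsing (no request signature is verified). */
    private static final String SAML_BEARER_SCHEME_ID = "com.vmware.vapi.std.security.saml_bearer_token";
    private static final String AUTHN_SCHEME_ID_PROPERTY = "authn_scheme_id";
    private static final String SIGNATURE_PROPERTY = "signature";
    private static final String SIGNATURE_ALGORITHM_PROPERTY = "signatureAlgorithm";
    private static final String TIMESTAMP_PROPERTY = "timestamp";
    private static final String TIMESTAMP_CREATED_KEY = "created";
    private static final String TIMESTAMP_EXPIRES_KEY = "expires";
    private static final String SECURITY_PROC_METADATA_KEY = "security_processor_metadata";

    /** Single, deliberately non-specific message used for every verification failure. */
    private static final Message VERIFY_ERROR =
            MessageFactory.getMessage("vapi.signature.verify", new String[0]);
    private static final Logger logger =
            LoggerFactory.getLogger(JsonSignatureVerificationProcessor.class);

    private final DateTimeConverter dateConverter = new DateTimeConverter();
    private final DefaultTokenFactory tokenFactory = new DefaultTokenFactory();
    private final Verifier jsonVerifier;
    private final StsTrustChain stsTrustChain;
    /** Allowed clock skew in seconds; applied to signature timestamps and to token parsing. */
    private final long clockToleranceSec;

    /**
     * Creates a processor with the default clock tolerance of
     * {@value #DEFAULT_CLOCK_TOLERANCE_SEC} seconds.
     *
     * @param stsTrustChain trust chain used to validate tokens and request signatures; not null
     */
    public JsonSignatureVerificationProcessor(StsTrustChain stsTrustChain) {
        this(stsTrustChain, DEFAULT_CLOCK_TOLERANCE_SEC);
    }

    /**
     * Creates a processor whose request signatures are verified by a
     * {@link JsonSignerImpl} over a {@link JsonCanonicalizer}.
     *
     * @param stsTrustChain trust chain used to validate tokens and request signatures; not null
     * @param j             clock tolerance in seconds; must be non-negative
     */
    public JsonSignatureVerificationProcessor(StsTrustChain stsTrustChain, long j) {
        this(new JsonSignerImpl(new JsonCanonicalizer(), stsTrustChain), stsTrustChain, j);
    }

    /**
     * Package-private constructor allowing the signature verifier to be injected (tests).
     *
     * @param verifier      verifier for holder-of-key request signatures; not null
     * @param stsTrustChain trust chain used for token parsing; not null
     * @param j             clock tolerance in seconds; must be non-negative
     * @throws IllegalArgumentException if an argument is null or {@code j} is negative
     *                                  (exact type depends on {@link Validate})
     */
    JsonSignatureVerificationProcessor(Verifier verifier, StsTrustChain stsTrustChain, long j) {
        Validate.notNull(verifier);
        Validate.notNull(stsTrustChain);
        Validate.isTrue(j > -1);
        this.stsTrustChain = stsTrustChain;
        this.clockToleranceSec = j;
        this.jsonVerifier = verifier;
    }

    /**
     * Validates the SAML authentication data of {@code request} and records the result in
     * {@code map}; the request body is returned unchanged.
     * <p>
     * Requests without a security context, or with an unrecognised authentication scheme id,
     * are passed through untouched. Otherwise {@code map} gets (or keeps) a
     * {@code "security_processor_metadata"} sub-map holding the parsed token under
     * {@link SamlTokenAuthnHandler#SAML_TOKEN_KEY} (may be null) and the failure, if any, under
     * {@link SamlTokenAuthnHandler#ERROR_KEY}. Failures are never thrown from here.
     *
     * @param bArr    raw request body; not null
     * @param map     request metadata; not null, mutated
     * @param request request whose execution context carries the security context; not null
     * @return {@code bArr}, unchanged
     */
    public byte[] process(byte[] bArr, Map<String, Object> map, RequestProcessor.Request request) {
        Validate.notNull(bArr);
        Validate.notNull(map);
        Validate.notNull(request);
        ExecutionContext.SecurityContext securityContext = getSecurityContext(request);
        if (securityContext == null) {
            return bArr;
        }
        String schemeId = (String) SecurityUtil.narrowType(
                securityContext.getProperty(AUTHN_SCHEME_ID_PROPERTY), String.class);
        if (!validateSchemeId(schemeId)) {
            return bArr;
        }
        SamlToken samlToken = null;
        Exception failure = null;
        try {
            samlToken = SAML_HOK_SCHEME_ID.equalsIgnoreCase(schemeId)
                    ? validateSignature(securityContext, requestToString(bArr))
                    : parseBearerToken(securityContext);
        } catch (Exception e) {
            // Intentionally broad and intentionally not rethrown: every failure (signature,
            // timestamp, token parsing, unexpected cast) is surfaced to the downstream handler
            // through ERROR_KEY so that it can fail the request in its own way.
            failure = e;
        }
        // NOTE(review): a HOK request whose signature verifies but carries no string token
        // ends up with a null token and a null error here; the consumer must treat a null
        // token as unauthenticated — confirm in the handler.
        Map<String, Object> securityProcData = getSecurityProcData(map);
        securityProcData.put(SamlTokenAuthnHandler.SAML_TOKEN_KEY, samlToken);
        securityProcData.put(SamlTokenAuthnHandler.ERROR_KEY, failure);
        map.put(SECURITY_PROC_METADATA_KEY, securityProcData);
        return bArr;
    }

    /**
     * Holder-of-key path: validates the signature timestamp, verifies the request signature and
     * parses the token embedded in the signature descriptor.
     * <p>
     * Both the signature descriptor and the {@code signatureAlgorithm} property are read from
     * the request's security context, i.e. they are request-supplied, and the algorithm is
     * copied into the descriptor before verification. Restricting which algorithms are
     * acceptable is therefore the {@link Verifier}'s responsibility — confirm in the
     * {@link JsonSignerImpl} implementation.
     *
     * @param securityContext security context of the request; not null
     * @param requestBody     the request body as a UTF-8 string, the data that was signed
     * @return the parsed token, or null if the descriptor holds no string token
     * @throws SignatureException    if the descriptor or timestamp is missing/invalid or the
     *                               signature does not verify
     * @throws InvalidTokenException if the embedded token cannot be parsed
     */
    private SamlToken validateSignature(ExecutionContext.SecurityContext securityContext,
            String requestBody) throws InvalidTokenException {
        assert securityContext != null;
        // Raw Map kept on purpose: the element types of the descriptor and of the Verifier's
        // parameter are not visible here, and the descriptor is mutated below.
        @SuppressWarnings({"rawtypes", "unchecked"})
        Map signature = (Map) SecurityUtil.narrowType(
                securityContext.getProperty(SIGNATURE_PROPERTY), Map.class);
        if (signature == null) {
            logger.debug("Signature not found.");
            throw new SignatureException(VERIFY_ERROR);
        }
        validateSignatureTimestamp(securityContext);
        signature.put(SIGNATURE_ALGORITHM_PROPERTY, SecurityUtil.narrowType(
                securityContext.getProperty(SIGNATURE_ALGORITHM_PROPERTY), String.class));
        if (!this.jsonVerifier.verifySignature(requestBody, signature, this.clockToleranceSec)) {
            throw new SignatureException(VERIFY_ERROR);
        }
        logger.debug("Signature validated");
        return parseToken(signature.get(SamlTokenSecurityContext.SAML_TOKEN_ID));
    }

    /**
     * Checks the {@code "timestamp"} property of the security context against the local clock.
     * <p>
     * The timestamp must have string {@code created} and {@code expires} entries,
     * {@code created} must not be after {@code expires}, {@code created} must not lie more than
     * the clock tolerance in the future, and {@code expires} must not lie more than the clock
     * tolerance in the past. Every failure is reported as the same generic
     * {@link SignatureException}; details go to the debug log only.
     *
     * @param securityContext security context of the request
     * @throws SignatureException if the timestamp is missing, malformed or outside the window
     */
    private void validateSignatureTimestamp(ExecutionContext.SecurityContext securityContext) {
        Map<?, ?> timestamp = (Map<?, ?>) SecurityUtil.narrowType(
                securityContext.getProperty(TIMESTAMP_PROPERTY), Map.class);
        if (timestamp == null) {
            logger.debug("Timestamp is missing");
            throw new SignatureException(VERIFY_ERROR);
        }
        // A non-string value throws ClassCastException, which process() records as the error.
        String created = (String) timestamp.get(TIMESTAMP_CREATED_KEY);
        String expires = (String) timestamp.get(TIMESTAMP_EXPIRES_KEY);
        if (created == null || expires == null) {
            logger.debug("Invalid timestamp: " + created + " " + expires);
            throw new SignatureException(VERIFY_ERROR);
        }
        try {
            long createdMillis = this.dateConverter.fromStringValue(created).getTimeInMillis();
            long expiresMillis = this.dateConverter.fromStringValue(expires).getTimeInMillis();
            long toleranceMillis = this.clockToleranceSec * MILLIS_PER_SECOND;
            if (createdMillis > expiresMillis) {
                logger.debug("Invalid timestamp: " + created + " " + expires);
                throw new SignatureException(VERIFY_ERROR);
            }
            long now = System.currentTimeMillis();
            if (createdMillis > now + toleranceMillis) {
                if (logger.isDebugEnabled()) {
                    logger.debug("Invalid timestamp. Created: " + new Date(createdMillis)
                            + " Current time: " + new Date(now));
                }
                throw new SignatureException(VERIFY_ERROR);
            }
            if (expiresMillis < now - toleranceMillis) {
                if (logger.isDebugEnabled()) {
                    logger.debug("Invalid timestamp. Expires: " + new Date(expiresMillis)
                            + " Current time: " + new Date(now));
                }
                throw new SignatureException(VERIFY_ERROR);
            }
            logger.debug("Signature timestamp validated");
        } catch (ConstraintValidationException e) {
            logger.debug("Cannot convert timestamp date", e);
            throw new SignatureException(VERIFY_ERROR, e);
        }
    }

    /**
     * Parses {@code obj} as a SAML token when it is a string; any other value (including
     * null) yields null without error.
     * <p>
     * Parsing is serialised on {@link #tokenFactory}; the original code does this, presumably
     * because the factory is not safe for concurrent use — not verified here.
     *
     * @param obj candidate token value
     * @return the parsed token, or null if {@code obj} is not a string
     * @throws InvalidTokenException if the string is not a valid token for the trust chain
     */
    private SamlToken parseToken(Object obj) throws InvalidTokenException {
        if (!(obj instanceof String)) {
            return null;
        }
        synchronized (this.tokenFactory) {
            return this.tokenFactory.parseToken(
                    (String) obj, this.stsTrustChain.getStsTrustChain(), this.clockToleranceSec);
        }
    }

    /**
     * Bearer path: parses the token stored under
     * {@link SamlTokenSecurityContext#SAML_TOKEN_ID} and requires the
     * {@link ConfirmationType#BEARER} confirmation type.
     *
     * @param securityContext security context of the request; not null
     * @return the parsed bearer token, never null
     * @throws InvalidTokenException if the token string cannot be parsed
     * @throws RuntimeException      if there is no token or it is not a bearer token
     */
    private SamlToken parseBearerToken(ExecutionContext.SecurityContext securityContext)
            throws InvalidTokenException {
        assert securityContext != null;
        SamlToken token = parseToken(securityContext.getProperty(SamlTokenSecurityContext.SAML_TOKEN_ID));
        if (token == null || token.getConfirmationType() != ConfirmationType.BEARER) {
            // NOTE(review): the message embeds the token's toString(); confirm that it does
            // not reproduce the raw assertion, since this exception may end up in logs.
            throw new RuntimeException("Cannot parse bearer token: " + token);
        }
        return token;
    }

    /**
     * Returns whether {@code str} names one of the two supported schemes
     * (case-insensitive). Null is rejected.
     */
    private boolean validateSchemeId(String str) {
        return SAML_HOK_SCHEME_ID.equalsIgnoreCase(str) || SAML_BEARER_SCHEME_ID.equalsIgnoreCase(str);
    }

    /**
     * Returns the security context of the request's execution context, or null when the
     * request has no execution context (or the context holds no security context).
     */
    private ExecutionContext.SecurityContext getSecurityContext(RequestProcessor.Request request) {
        ExecutionContext ctx = request.getCtx();
        return ctx == null ? null : ctx.retrieveSecurityContext();
    }

    /** Decodes the request body as UTF-8; this is the exact text the signature covers. */
    private String requestToString(byte[] bArr) {
        // StandardCharsets.UTF_8 is always available, so no decode-failure path is needed.
        return new String(bArr, StandardCharsets.UTF_8);
    }

    /**
     * Returns the existing {@code "security_processor_metadata"} sub-map of {@code map}, or a
     * fresh mutable map if there is none. The caller stores the result back into {@code map}.
     */
    private Map<String, Object> getSecurityProcData(Map<String, Object> map) {
        assert map != null;
        @SuppressWarnings("unchecked")
        Map<String, Object> existing = (Map<String, Object>) SecurityUtil.narrowType(
                map.get(SECURITY_PROC_METADATA_KEY), Map.class);
        return existing != null ? existing : new HashMap<>();
    }
}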
