package com.ibm.ws.security.saml.sso20.binding;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.saml.Constants;
import com.ibm.ws.security.saml.SsoRequest;
import com.ibm.ws.security.saml.SsoSamlService;
import com.ibm.ws.security.saml.error.SamlException;
import com.ibm.ws.security.saml.impl.Saml20HTTPPostDecoder;
import com.ibm.ws.security.saml.sso20.acs.AcsSecurityPolicy;
import com.ibm.ws.security.saml.sso20.acs.SAMLMessageXMLSignatureSecurityPolicyRule;
import com.ibm.ws.security.saml.sso20.internal.utils.RequestUtil;
import java.util.ArrayList;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.security.MetadataCredentialResolverFactory;
import org.opensaml.ws.security.SecurityPolicy;
import org.opensaml.ws.security.SecurityPolicyResolver;
import org.opensaml.ws.security.provider.StaticSecurityPolicyResolver;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.CredentialResolver;
import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;

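/**
 * Builds the {@link BasicMessageContext} used to process an inbound SAML 2.0 message
 * (ACS response, single-logout message, RS-SAML bearer request) and to attach the IdP
 * metadata provider and signature-trust policy that later validation steps consume.
 *
 * <p>Security-relevant behaviour of this class, as written:
 * <ul>
 *   <li>{@link #setSecurityPolicyResolver} anchors signature trust in the configured IdP
 *       metadata: the {@code ExplicitKeySignatureTrustEngine} is given a credential
 *       resolver built from the metadata provider as its trusted-credential source, while
 *       the inline-X509 provider only serves to locate the key named in a signature's
 *       KeyInfo. Certificates carried inline in a message are therefore not trusted on
 *       their own (opensaml "explicit key" trust model — confirm against the opensaml
 *       version in use).</li>
 *   <li>{@link #verifySignatureWithIdpMetadata} only evaluates the policies the context's
 *       resolver yields. If no resolver was set, or it resolves nothing, the method returns
 *       {@code true} without checking anything — it is fail-open by design here, so callers
 *       must make sure a resolver is present whenever a signature is required.</li>
 *   <li>The builder is a JVM-wide, replaceable singleton ({@link #setInstance} is public):
 *       any code in the process can substitute the object that decodes SAML messages.
 *       Treat the setter as a test/extension hook, not something to expose further.</li>
 * </ul>
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
public class BasicMessageContextBuilder<InboundMessageType extends SAMLObject, OutboundMessageType extends SAMLObject, NameIdentifierType extends SAMLObject> {
    private static TraceComponent tc = Tr.register(BasicMessageContextBuilder.class, "SAML20", "com.ibm.ws.security.saml.sso20.internal.resources.SamlSso20Messages");
    // Process-wide builder. Not final and not volatile: a replacement made via setInstance()
    // on one thread has no guaranteed visibility on another. Acceptable if the setter is
    // only used during test setup before any request traffic — confirm that is the case.
    static BasicMessageContextBuilder<?, ?, ?> instance = new BasicMessageContextBuilder<>();
    // Left over from an earlier Serializable declaration; the class is not Serializable today.
    static final long serialVersionUID = 4571816687003785982L;

    /**
     * Replaces the process-wide builder.
     *
     * @param basicMessageContextBuilder the builder every subsequent {@link #getInstance()}
     *        call will return; the caller is trusted completely, no validation is done
     */
    public static void setInstance(BasicMessageContextBuilder<?, ?, ?> basicMessageContextBuilder) {
        instance = basicMessageContextBuilder;
    }

    /**
     * @return the process-wide builder (the default one unless {@link #setInstance} was called)
     */
    public static BasicMessageContextBuilder<?, ?, ?> getInstance() {
        return instance;
    }

    /** Creates a context that carries only the SSO service (no servlet request/response). */
    BasicMessageContext<InboundMessageType, OutboundMessageType, NameIdentifierType> getBasicMessageContext(SsoSamlService ssoSamlService) {
        return new BasicMessageContext<>(ssoSamlService);
    }

    /** Creates a context that also retains the servlet request and response. */
    BasicMessageContext<InboundMessageType, OutboundMessageType, NameIdentifierType> getBasicMessageContext(SsoSamlService ssoSamlService, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return new BasicMessageContext<>(ssoSamlService, httpServletRequest, httpServletResponse);
    }

    /**
     * Builds and decodes the context for a SAML response arriving at the Assertion Consumer
     * Service via HTTP-POST.
     *
     * <p>Order matters: the cached request info is bound first, then the inbound transport,
     * then the IdP metadata provider, and only then is the message decoded, so the decoder
     * and any later policy evaluation see a fully populated context.
     *
     * @param httpServletRequest  the inbound POST carrying the SAMLResponse form parameter
     * @param httpServletResponse the response, retained on the context
     * @param ssoSamlService      the SAML service configuration for this provider
     * @param str                 key of the cached request info (e.g. the relay/request id) to
     *                            bind to and remove from the cache
     * @param ssoRequest          the SSO request being satisfied
     * @return the populated, decoded message context
     * @throws SamlException if the message cannot be decoded (see {@link #decodeError})
     */
    public BasicMessageContext<InboundMessageType, OutboundMessageType, NameIdentifierType> buildAcs(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SsoSamlService ssoSamlService, String str, SsoRequest ssoRequest) throws SamlException {
        BasicMessageContext<InboundMessageType, OutboundMessageType, NameIdentifierType> basicMessageContext = getBasicMessageContext(ssoSamlService, httpServletRequest, httpServletResponse);
        basicMessageContext.setAndRemoveCachedRequestInfo(str, ssoRequest);
        basicMessageContext.setInboundMessageTransport(new HttpServletRequestAdapter(httpServletRequest));
        setIdpMetadaProvider(basicMessageContext);
        decodeSamlResponse(basicMessageContext);
        return basicMessageContext;
    }

    /**
     * Builds and decodes the context for a single-logout message arriving via HTTP-POST.
     *
     * <p>NOTE(review): unlike {@link #buildAcs}, the context is created without the servlet
     * request/response, yet {@link #decodeSamlLogoutMessage} calls
     * {@code getHttpServletRequest()} on it. Presumably {@code BasicMessageContext} derives
     * the request from the inbound transport set here — verify, otherwise the SLO URL is
     * computed from a null request.
     *
     * @param httpServletRequest  the inbound POST carrying the logout request/response
     * @param httpServletResponse unused here beyond the signature; not stored on the context
     * @param ssoSamlService      the SAML service configuration for this provider
     * @param str                 key of the cached request info to bind to and remove
     * @param ssoRequest          the SSO request being processed
     * @return the populated, decoded message context
     * @throws SamlException if the message cannot be decoded
     */
    public BasicMessageContext<InboundMessageType, OutboundMessageType, NameIdentifierType> buildSLO(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SsoSamlService ssoSamlService, String str, SsoRequest ssoRequest) throws SamlException {
        BasicMessageContext<InboundMessageType, OutboundMessageType, NameIdentifierType> basicMessageContext = getBasicMessageContext(ssoSamlService);
        basicMessageContext.setAndRemoveCachedRequestInfo(str, ssoRequest);
        basicMessageContext.setInboundMessageTransport(new HttpServletRequestAdapter(httpServletRequest));
        setIdpMetadaProvider(basicMessageContext);
        decodeSamlLogoutMessage(basicMessageContext);
        return basicMessageContext;
    }

    /**
     * Builds the context for an RS-SAML (bearer token) request. Only the inbound transport is
     * attached: no cached request info, no metadata provider and no decoding happen here —
     * the caller is responsible for whatever validation the bearer flow needs.
     *
     * @param str        unused in this flow
     * @param ssoRequest unused in this flow
     * @return a context holding the SSO service and the inbound transport
     */
    public BasicMessageContext<InboundMessageType, OutboundMessageType, NameIdentifierType> buildRsSaml(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SsoSamlService ssoSamlService, String str, SsoRequest ssoRequest) throws SamlException {
        BasicMessageContext<InboundMessageType, OutboundMessageType, NameIdentifierType> basicMessageContext = getBasicMessageContext(ssoSamlService);
        basicMessageContext.setInboundMessageTransport(new HttpServletRequestAdapter(httpServletRequest));
        return basicMessageContext;
    }

    /**
     * Builds a context that carries the SSO service and the IdP metadata provider, with no
     * inbound message (used where the SP itself originates a message to the IdP).
     *
     * @throws SamlException propagated from {@link #setIdpMetadaProvider}
     */
    public BasicMessageContext<InboundMessageType, OutboundMessageType, NameIdentifierType> buildIdp(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SsoSamlService ssoSamlService) throws SamlException {
        BasicMessageContext<InboundMessageType, OutboundMessageType, NameIdentifierType> basicMessageContext = getBasicMessageContext(ssoSamlService);
        setIdpMetadaProvider(basicMessageContext);
        return basicMessageContext;
    }

    /**
     * Decodes the HTTP-POST SAML response on the context using this provider's ACS URL as the
     * expected receiver endpoint.
     *
     * <p>NOTE(review): the expected endpoint handed to the decoder is computed from the
     * incoming request by {@code RequestUtil.getAcsUrl}. The decoder's Destination check is
     * only as strong as that value — confirm it is built from configured/validated host data
     * rather than the raw {@code Host} header.
     *
     * @return {@code true} on success; failure is always reported by exception
     * @throws SamlException wrapping any decode failure (signature, destination, parse, ...)
     */
    public boolean decodeSamlResponse(BasicMessageContext<InboundMessageType, OutboundMessageType, NameIdentifierType> basicMessageContext) throws SamlException {
        String acsUrl = RequestUtil.getAcsUrl(basicMessageContext.getHttpServletRequest(), Constants.SAML20_CONTEXT_PATH, basicMessageContext.getSsoService().getProviderId(), basicMessageContext.getSsoConfig());
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "acsUrl:", new Object[]{acsUrl});
        }
        try {
            getSamlHttpPostDecoder(acsUrl).decode(basicMessageContext);
            return true;
        } catch (Exception e) {
            // FFDC probe id is the original source line; keep it stable for incident correlation.
            FFDCFilter.processException(e, "com.ibm.ws.security.saml.sso20.binding.BasicMessageContextBuilder", "158", this, new Object[]{basicMessageContext});
            throw decodeError(e, basicMessageContext);
        }
    }

    /**
     * Decodes the HTTP-POST SAML logout message on the context using this provider's SLO URL
     * as the expected receiver endpoint. Same endpoint caveat as {@link #decodeSamlResponse}.
     *
     * @return {@code true} on success; failure is always reported by exception
     * @throws SamlException wrapping any decode failure
     */
    public boolean decodeSamlLogoutMessage(BasicMessageContext<InboundMessageType, OutboundMessageType, NameIdentifierType> basicMessageContext) throws SamlException {
        String sloUrl = RequestUtil.getSloUrl(basicMessageContext.getHttpServletRequest(), Constants.SAML20_CONTEXT_PATH, basicMessageContext.getSsoService().getProviderId(), basicMessageContext.getSsoConfig());
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "SLO Url:", new Object[]{sloUrl});
        }
        try {
            getSamlHttpPostDecoder(sloUrl).decode(basicMessageContext);
            return true;
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.saml.sso20.binding.BasicMessageContextBuilder", "181", this, new Object[]{basicMessageContext});
            throw decodeError(e, basicMessageContext);
        }
    }

    /**
     * Factory for the POST-binding decoder; package-private so tests can substitute one.
     *
     * @param str the endpoint URL the decoder should treat as the expected receiver
     */
    HTTPPostDecoder getSamlHttpPostDecoder(String str) {
        return new Saml20HTTPPostDecoder(str);
    }

    /**
     * Runs every security policy the context's IdP policy resolver yields against the decoded
     * message (in this file that is the XML-signature rule installed by
     * {@link #setSecurityPolicyResolver}).
     *
     * <p>Fail-open shape: when the context has no resolver, or the resolver yields nothing,
     * nothing is evaluated and {@code true} is still returned. Only a policy that throws
     * {@code SecurityException} turns into a failure. Callers that require a verified
     * signature must ensure {@link #setSecurityPolicyResolver} ran first.
     *
     * @return {@code true} when no policy rejected the message (including when none ran)
     * @throws SamlException wrapping the policy's {@code SecurityException}
     */
    boolean verifySignatureWithIdpMetadata(BasicMessageContext<InboundMessageType, OutboundMessageType, NameIdentifierType> basicMessageContext) throws SamlException {
        try {
            SecurityPolicyResolver idpSecurityPolicyResolver = basicMessageContext.getIdpSecurityPolicyResolver();
            if (idpSecurityPolicyResolver != null) {
                Iterable<SecurityPolicy> resolve = idpSecurityPolicyResolver.resolve(basicMessageContext);
                if (resolve != null) {
                    for (SecurityPolicy securityPolicy : resolve) {
                        if (securityPolicy != null) {
                            if (tc.isDebugEnabled()) {
                                // NOTE(review): '{}' is an SLF4J placeholder; Tr.debug appends its
                                // varargs rather than substituting — confirm and drop it if so.
                                Tr.debug(tc, "Evaluating security policy of type '{}' for decoded message", new Object[]{securityPolicy.getClass().getName()});
                            }
                            securityPolicy.evaluate(basicMessageContext);
                        }
                    }
                } else if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "No security policy resolved for this message context, no security policy evaluation attempted", new Object[0]);
                }
            } else if (tc.isDebugEnabled()) {
                // Previously silent: make the "nothing was verified" path visible in trace so
                // a missing resolver can be diagnosed instead of looking like a passed check.
                Tr.debug(tc, "No IdP security policy resolver set on this message context, no security policy evaluation attempted", new Object[0]);
            }
            return true;
        } catch (SecurityException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.saml.sso20.binding.BasicMessageContextBuilder", "217", this, new Object[]{basicMessageContext});
            throw new SamlException((Exception) e);
        }
    }

    /**
     * Installs the ACS security policy on the context: a single XML-signature rule whose trust
     * engine accepts a signature only if its key matches a credential resolved from the IdP
     * metadata provider already set on the context. The inline-X509 KeyInfo provider lets the
     * engine read the key the message names; it does not make that key trusted.
     *
     * <p>Precondition: {@link #setIdpMetadaProvider} must have run, otherwise the trusted
     * credential resolver is built over a null metadata provider.
     */
    void setSecurityPolicyResolver(BasicMessageContext<InboundMessageType, OutboundMessageType, NameIdentifierType> basicMessageContext) {
        AcsSecurityPolicy acsSecurityPolicy = new AcsSecurityPolicy();
        MetadataProvider metadataProvider = basicMessageContext.getMetadataProvider();
        MetadataCredentialResolverFactory factory = MetadataCredentialResolverFactory.getFactory();
        InlineX509DataProvider inlineX509DataProvider = new InlineX509DataProvider();
        // Raw list kept: the opensaml constructor wants List<KeyInfoProvider>, which would need
        // an extra import to spell out; the single element is a KeyInfoProvider implementation.
        ArrayList arrayList = new ArrayList();
        arrayList.add(inlineX509DataProvider);
        acsSecurityPolicy.add(new SAMLMessageXMLSignatureSecurityPolicyRule(new ExplicitKeySignatureTrustEngine((CredentialResolver) factory.getInstance(metadataProvider), new BasicProviderKeyInfoCredentialResolver(arrayList))));
        basicMessageContext.setIdpSecurityPolicyResolver(new StaticSecurityPolicyResolver(acsSecurityPolicy));
    }

    /**
     * Copies the IdP metadata provider from the SSO configuration onto the context.
     *
     * @return the same context, for chaining
     * @throws SamlException declared for callers; nothing in this method throws it directly
     */
    BasicMessageContext<InboundMessageType, OutboundMessageType, NameIdentifierType> setIdpMetadaProvider(BasicMessageContext<InboundMessageType, OutboundMessageType, NameIdentifierType> basicMessageContext) throws SamlException {
        basicMessageContext.setMetadataProvider(basicMessageContext.getSsoConfig().getIdpMetadataProvider());
        return basicMessageContext;
    }

    /**
     * Wraps a decode failure in the standard SamlException. The original exception is kept as
     * the cause; its message and class name become message arguments.
     *
     * <p>NOTE(review): {@code exc.getMessage()} may contain text derived from the untrusted
     * SAML message (parser errors quote input). The key ends in {@code _LOG}, so this is meant
     * for the server log — make sure it is not surfaced to the browser unescaped.
     *
     * @param exc                the underlying decode failure
     * @param sAMLMessageContext currently unused; kept for signature compatibility
     */
    public static SamlException decodeError(Exception exc, SAMLMessageContext<?, ?, ?> sAMLMessageContext) {
        return new SamlException("SAML20_DECODE_SAML_RESPONSE_FAILURE_LOG", exc, new Object[]{exc.getMessage(), exc.getClass().getName()});
    }
}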
