package org.jasig.cas.client.validation;

import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.Charset;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.xml.validation.Schema;
import org.jasig.cas.client.authentication.AttributePrincipalImpl;
import org.jasig.cas.client.session.SingleSignOutHandler;
import org.jasig.cas.client.util.CommonUtils;
import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
import org.joda.time.Interval;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.IdentifierGenerator;
import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
import org.opensaml.saml1.core.Attribute;
import org.opensaml.saml1.core.AttributeStatement;
import org.opensaml.saml1.core.AuthenticationStatement;
import org.opensaml.saml1.core.Response;
import org.opensaml.saml1.core.Subject;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.io.UnmarshallingException;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.parse.XMLParserException;
import org.opensaml.xml.schema.XSAny;
import org.opensaml.xml.schema.XSString;
import org.w3c.dom.Element;

/* loaded from: input_file:cas-client-core-3.3.3.jar:org/jasig/cas/client/validation/Saml11TicketValidator.class */
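/**
 * Ticket validator for the CAS {@code samlValidate} endpoint (SAML 1.1 over SOAP).
 * <p>
 * The artifact (the CAS ticket) is posted to the server inside a {@code samlp:Request};
 * the SOAP response is parsed with OpenSAML and the first SAML assertion whose validity
 * window (widened by {@link #setTolerance(long)} on both sides) contains the current
 * instant is converted into a CAS {@link Assertion}.
 * <p>
 * This listing was recovered from cas-client-core-3.3.3.jar by a decompiler; places where
 * the decompiler dropped an intermediate cast are marked inline.
 */
public final class Saml11TicketValidator extends AbstractUrlBasedTicketValidator {
    /** Grace period in milliseconds subtracted from NotBefore and added to NotOnOrAfter. */
    private long tolerance;
    /** Parser used for the SOAP response; namespace aware so OpenSAML can unmarshall it. */
    private final BasicParserPool basicParserPool;
    /** Source of unpredictable RequestID values for outgoing samlp:Request messages. */
    private final IdentifierGenerator identifierGenerator;

    /**
     * Creates a validator for the given CAS server URL prefix.
     *
     * @param str the CAS server URL prefix handed to the superclass
     * @throws IllegalStateException if no SecureRandom-backed identifier generator can be built
     */
    public Saml11TicketValidator(final String str) {
        super(str);
        this.tolerance = 1000L;
        this.basicParserPool = new BasicParserPool();
        // SOAP/SAML unmarshalling needs namespace-qualified DOM nodes.
        this.basicParserPool.setNamespaceAware(true);
        // NOTE(review): the pool is otherwise left at its defaults. The parsed document comes
        // from the network, so confirm that DTD / external entity expansion is disabled in the
        // deployed OpenSAML/openws version.
        try {
            this.identifierGenerator = new SecureRandomIdentifierGenerator();
        } catch (final Exception e) {
            // Without an unpredictable RequestID source the validator must not be used at all.
            throw new IllegalStateException("Unable to create a secure SAML identifier generator", e);
        }
    }

    /**
     * @return the path segment of the SAML 1.1 validation endpoint
     */
    @Override
    protected String getUrlSuffix() {
        return "samlValidate";
    }

    /**
     * Rewrites the validation URL parameters for the SAML endpoint: {@code service} becomes
     * {@code TARGET}, and the artifact parameter is removed from the query string because the
     * artifact travels in the SOAP body instead (see {@link #retrieveResponseFromServer}).
     *
     * @param map the query parameters, modified in place
     */
    @Override
    protected void populateUrlAttributeMap(final Map<String, String> map) {
        final String service = map.remove("service");
        map.remove(SingleSignOutHandler.DEFAULT_ARTIFACT_PARAMETER_NAME);
        map.put("TARGET", service);
    }

    /**
     * Clears any schema installed on the parser pool when {@code z} is {@code true}.
     * <p>
     * Nothing in this class installs a schema on the pool, so with the visible code this is
     * effectively a no-op; passing {@code false} never (re-)enables validation.
     *
     * @param z {@code true} to drop the parser pool's schema
     */
    @Override
    public void setDisableXmlSchemaValidation(final boolean z) {
        if (z) {
            this.basicParserPool.setSchema((Schema) null);
        }
    }

    /**
     * Encodes {@code str} with the configured encoding, falling back to the platform default
     * charset when no encoding is configured or the configured name is not a usable charset.
     *
     * @param str text to encode
     * @return the encoded bytes
     */
    protected byte[] getBytes(final String str) {
        final String encoding = getEncoding();
        if (!CommonUtils.isNotBlank(encoding)) {
            return str.getBytes();
        }
        try {
            return str.getBytes(Charset.forName(encoding));
        } catch (final IllegalArgumentException e) {
            // Charset.forName signals an unknown or malformed charset name with an
            // IllegalArgumentException subclass. Keep the original fallback, but make the
            // misconfiguration visible instead of swallowing it.
            this.logger.warn("Unsupported encoding '" + encoding + "', falling back to the platform default charset: " + e.getMessage());
            return str.getBytes();
        }
    }

    /**
     * Parses the SOAP/SAML 1.1 response of {@code samlValidate} and converts the first
     * assertion that is valid at the current instant into a CAS {@link Assertion}.
     * <p>
     * The principal name is the subject's NameIdentifier. Attributes are collected from every
     * AttributeStatement whose subject matches; a single-valued attribute is stored as the
     * value itself, a multi-valued one as a {@link List}. The authentication method is carried
     * as the assertion attribute {@code samlAuthenticationStatement::authMethod}.
     *
     * @param str raw response body returned by the server
     * @return the CAS assertion
     * @throws TicketValidationException if the document cannot be parsed or unmarshalled, the
     *         SOAP body holds no SAML Response, the response holds no usable assertion, or no
     *         assertion is valid at the current instant
     */
    @Override
    protected Assertion parseResponseFromServer(final String str) throws TicketValidationException {
        try {
            final Element documentElement = this.basicParserPool.parse(new ByteArrayInputStream(getBytes(str))).getDocumentElement();
            // NOTE(review): the decompiler appears to have dropped a cast on this line —
            // unmarshall() yields an XMLObject, and getBody() belongs to the SOAP Envelope type.
            final List<?> bodyChildren = Configuration.getUnmarshallerFactory().getUnmarshaller(documentElement).unmarshall(documentElement).getBody().getOrderedChildren();
            if (bodyChildren == null || bodyChildren.isEmpty()) {
                throw new TicketValidationException("SOAP body contains no SAML Response.");
            }
            final Object firstBodyElement = bodyChildren.get(0);
            if (!(firstBodyElement instanceof Response)) {
                throw new TicketValidationException("First SOAP body element is not a SAML Response.");
            }
            final List<org.opensaml.saml1.core.Assertion> assertions = ((Response) firstBodyElement).getAssertions();
            if (assertions == null || assertions.isEmpty()) {
                throw new TicketValidationException("No assertions found.");
            }
            for (final org.opensaml.saml1.core.Assertion assertion : assertions) {
                if (isValidAssertion(assertion)) {
                    return toCasAssertion(assertion);
                }
            }
            throw new TicketValidationException("No Assertion found within valid time range.  Either there's a replay of the ticket or there's clock drift. Check tolerance range, or server/client synchronization.");
        } catch (final XMLParserException e) {
            throw new TicketValidationException(e);
        } catch (final UnmarshallingException e) {
            throw new TicketValidationException(e);
        }
    }

    /**
     * Builds the CAS assertion for one SAML assertion that {@link #isValidAssertion} has
     * already accepted (so Conditions and both of its bounds are present).
     *
     * @param assertion the SAML assertion to convert
     * @return the CAS assertion
     * @throws TicketValidationException if the assertion lacks an AuthenticationStatement, a
     *         Subject, a NameIdentifier or an AuthenticationInstant
     */
    private Assertion toCasAssertion(final org.opensaml.saml1.core.Assertion assertion) throws TicketValidationException {
        final AuthenticationStatement authenticationStatement = getSAMLAuthenticationStatement(assertion);
        if (authenticationStatement == null) {
            throw new TicketValidationException("No AuthenticationStatement found in SAML Assertion.");
        }
        final Subject subject = authenticationStatement.getSubject();
        if (subject == null) {
            throw new TicketValidationException("No Subject found in SAML Assertion.");
        }
        if (subject.getNameIdentifier() == null) {
            throw new TicketValidationException("No NameIdentifier found in SAML Subject.");
        }
        if (authenticationStatement.getAuthenticationInstant() == null) {
            throw new TicketValidationException("No AuthenticationInstant found in SAML AuthenticationStatement.");
        }
        final Map<String, Object> principalAttributes = new HashMap<String, Object>();
        for (final Attribute attribute : getAttributesFor(assertion, subject)) {
            final List<?> values = getValuesFrom(attribute);
            // A single value is stored bare, several values as the list; consumers check the type.
            principalAttributes.put(attribute.getAttributeName(), values.size() == 1 ? values.get(0) : values);
        }
        final AttributePrincipalImpl principal = new AttributePrincipalImpl(subject.getNameIdentifier().getNameIdentifier(), principalAttributes);
        final Map<String, Object> assertionAttributes = new HashMap<String, Object>();
        assertionAttributes.put("samlAuthenticationStatement::authMethod", authenticationStatement.getAuthenticationMethod());
        return new AssertionImpl(principal, assertion.getConditions().getNotBefore().toDate(), assertion.getConditions().getNotOnOrAfter().toDate(), authenticationStatement.getAuthenticationInstant().toDate(), assertionAttributes);
    }

    /**
     * Tells whether the assertion's validity window, widened by {@link #tolerance} on each
     * side, contains the current instant. Assertions without Conditions or without both
     * bounds are rejected.
     *
     * @param assertion the SAML assertion to check
     * @return {@code true} if the assertion is usable now
     */
    private boolean isValidAssertion(final org.opensaml.saml1.core.Assertion assertion) {
        if (assertion.getConditions() == null) {
            this.logger.debug("Assertion has no Conditions. Will not process.");
            return false;
        }
        final DateTime notBefore = assertion.getConditions().getNotBefore();
        final DateTime notOnOrAfter = assertion.getConditions().getNotOnOrAfter();
        if (notBefore == null || notOnOrAfter == null) {
            this.logger.debug("Assertion has no bounding dates. Will not process.");
            return false;
        }
        final DateTime now = new DateTime(DateTimeZone.UTC);
        // Joda intervals are half-open [start, end), which matches the NotOnOrAfter semantics.
        final Interval validity = new Interval(notBefore.minus(this.tolerance), notOnOrAfter.plus(this.tolerance));
        if (validity.contains(now)) {
            this.logger.debug("Current time is within the interval validity.");
            return true;
        }
        if (now.isBefore(validity.getStart())) {
            this.logger.debug("skipping assertion that's not yet valid...");
        } else {
            this.logger.debug("skipping expired assertion...");
        }
        return false;
    }

    /**
     * @param assertion the SAML assertion
     * @return the assertion's first AuthenticationStatement, or {@code null} if it has none
     */
    private AuthenticationStatement getSAMLAuthenticationStatement(final org.opensaml.saml1.core.Assertion assertion) {
        final List<AuthenticationStatement> statements = assertion.getAuthenticationStatements();
        return statements.isEmpty() ? null : statements.get(0);
    }

    /**
     * Collects the attributes of every AttributeStatement whose subject NameIdentifier equals
     * that of {@code subject}. Statements without a subject or NameIdentifier are skipped.
     *
     * @param assertion the SAML assertion
     * @param subject   the authenticated subject (must have a NameIdentifier)
     * @return the matching attributes, possibly empty
     */
    private List<Attribute> getAttributesFor(final org.opensaml.saml1.core.Assertion assertion, final Subject subject) {
        final String principalName = subject.getNameIdentifier().getNameIdentifier();
        final List<Attribute> attributes = new ArrayList<Attribute>();
        for (final AttributeStatement statement : assertion.getAttributeStatements()) {
            final Subject statementSubject = statement.getSubject();
            if (statementSubject == null || statementSubject.getNameIdentifier() == null) {
                continue;
            }
            if (principalName != null && principalName.equals(statementSubject.getNameIdentifier().getNameIdentifier())) {
                attributes.addAll(statement.getAttributes());
            }
        }
        return attributes;
    }

    /**
     * Converts an attribute's values to plain objects: the text content of an {@code xs:any}
     * value, the string of an {@code xs:string} value, and {@code toString()} for anything else.
     *
     * @param attribute the SAML attribute
     * @return one entry per attribute value, in document order
     */
    private List<?> getValuesFrom(final Attribute attribute) {
        final List<Object> values = new ArrayList<Object>();
        for (final Object value : attribute.getAttributeValues()) {
            if (value instanceof XSAny) {
                values.add(((XSAny) value).getTextContent());
            } else if (value instanceof XSString) {
                values.add(((XSString) value).getValue());
            } else {
                values.add(String.valueOf(value));
            }
        }
        return values;
    }

    /**
     * Posts a SAML 1.1 {@code samlp:Request} carrying {@code str} as the AssertionArtifact to
     * {@code url} and returns the response body.
     * <p>
     * The artifact arrives as a parameter of the incoming HTTP request, so it is XML-escaped
     * before being embedded in the SOAP body. The body is encoded via {@link #getBytes(String)}
     * and written as bytes, so Content-Length counts bytes rather than chars and characters
     * above 0xFF are not truncated.
     *
     * @param url the samlValidate endpoint
     * @param str the artifact (ticket) to validate
     * @return the response, with line separators removed
     * @throws RuntimeException wrapping the {@link IOException} if the exchange fails
     */
    @Override
    protected String retrieveResponseFromServer(final URL url, final String str) {
        final String request = "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"><SOAP-ENV:Header/><SOAP-ENV:Body><samlp:Request xmlns:samlp=\"urn:oasis:names:tc:SAML:1.0:protocol\"  MajorVersion=\"1\" MinorVersion=\"1\" RequestID=\""
                + this.identifierGenerator.generateIdentifier()
                + "\" IssueInstant=\"" + CommonUtils.formatForUtcTime(new Date())
                + "\"><samlp:AssertionArtifact>" + escapeXml(str)
                + "</samlp:AssertionArtifact></samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>";
        final byte[] body = getBytes(request);
        HttpURLConnection connection = null;
        DataOutputStream out = null;
        BufferedReader in = null;
        try {
            connection = getURLConnectionFactory().buildHttpURLConnection(url.openConnection());
            connection.setRequestMethod("POST");
            // NOTE(review): no charset is declared here; the bytes follow getEncoding().
            connection.setRequestProperty("Content-Type", "text/xml");
            connection.setRequestProperty("Content-Length", Integer.toString(body.length));
            connection.setRequestProperty("SOAPAction", "http://www.oasis-open.org/committees/security");
            connection.setUseCaches(false);
            connection.setDoInput(true);
            connection.setDoOutput(true);
            out = new DataOutputStream(connection.getOutputStream());
            out.write(body);
            out.flush();
            final InputStreamReader reader = CommonUtils.isNotBlank(getEncoding())
                    ? new InputStreamReader(connection.getInputStream(), Charset.forName(getEncoding()))
                    : new InputStreamReader(connection.getInputStream());
            in = new BufferedReader(reader);
            final StringBuilder response = new StringBuilder(256);
            String line;
            while ((line = in.readLine()) != null) {
                // Line separators are dropped, as in the original. That is harmless between
                // elements but would alter a text node that spans lines.
                response.append(line);
            }
            return response.toString();
        } catch (final IOException e) {
            throw new RuntimeException(e);
        } finally {
            CommonUtils.closeQuietly(out);
            CommonUtils.closeQuietly(in);
            if (connection != null) {
                connection.disconnect();
            }
        }
    }

    /**
     * Escapes the five XML special characters so that {@code value} can be embedded as element
     * text without being able to change the structure of the surrounding request.
     *
     * @param value text to escape; {@code null} is rendered as the string {@code "null"}, as
     *              plain concatenation would
     * @return the escaped text
     */
    private static String escapeXml(final String value) {
        final String text = String.valueOf(value);
        final StringBuilder escaped = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            final char c = text.charAt(i);
            switch (c) {
                case '<':
                    escaped.append("&lt;");
                    break;
                case '>':
                    escaped.append("&gt;");
                    break;
                case '&':
                    escaped.append("&amp;");
                    break;
                case '"':
                    escaped.append("&quot;");
                    break;
                case '\'':
                    escaped.append("&apos;");
                    break;
                default:
                    escaped.append(c);
            }
        }
        return escaped.toString();
    }

    /**
     * Sets the clock-drift tolerance applied to each side of an assertion's validity window.
     *
     * @param j tolerance in milliseconds (default 1000)
     */
    public void setTolerance(final long j) {
        this.tolerance = j;
    }

    static {
        // OpenSAML must be bootstrapped once before any unmarshalling; failing here makes the
        // class unusable, which is preferable to validating tickets with a half-initialised library.
        try {
            DefaultBootstrap.bootstrap();
        } catch (final ConfigurationException e) {
            throw new RuntimeException("Unable to bootstrap OpenSAML", e);
        }
    }
}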
