package io.fusionauth.samlv2.service;

import com.sun.org.apache.xerces.internal.jaxp.datatype.XMLGregorianCalendarImpl;
import io.fusionauth.samlv2.domain.Algorithm;
import io.fusionauth.samlv2.domain.AuthenticationRequest;
import io.fusionauth.samlv2.domain.AuthenticationResponse;
import io.fusionauth.samlv2.domain.Conditions;
import io.fusionauth.samlv2.domain.ConfirmationMethod;
import io.fusionauth.samlv2.domain.MetaData;
import io.fusionauth.samlv2.domain.NameID;
import io.fusionauth.samlv2.domain.NameIDFormat;
import io.fusionauth.samlv2.domain.ResponseStatus;
import io.fusionauth.samlv2.domain.SAMLException;
import io.fusionauth.samlv2.domain.Subject;
import io.fusionauth.samlv2.domain.SubjectConfirmation;
import io.fusionauth.samlv2.domain.jaxb.oasis.assertion.AssertionType;
import io.fusionauth.samlv2.domain.jaxb.oasis.assertion.AttributeStatementType;
import io.fusionauth.samlv2.domain.jaxb.oasis.assertion.AttributeType;
import io.fusionauth.samlv2.domain.jaxb.oasis.assertion.AudienceRestrictionType;
import io.fusionauth.samlv2.domain.jaxb.oasis.assertion.AuthnContextType;
import io.fusionauth.samlv2.domain.jaxb.oasis.assertion.AuthnStatementType;
import io.fusionauth.samlv2.domain.jaxb.oasis.assertion.ConditionAbstractType;
import io.fusionauth.samlv2.domain.jaxb.oasis.assertion.ConditionsType;
import io.fusionauth.samlv2.domain.jaxb.oasis.assertion.EncryptedElementType;
import io.fusionauth.samlv2.domain.jaxb.oasis.assertion.NameIDType;
import io.fusionauth.samlv2.domain.jaxb.oasis.assertion.ObjectFactory;
import io.fusionauth.samlv2.domain.jaxb.oasis.assertion.StatementAbstractType;
import io.fusionauth.samlv2.domain.jaxb.oasis.assertion.SubjectConfirmationDataType;
import io.fusionauth.samlv2.domain.jaxb.oasis.assertion.SubjectConfirmationType;
import io.fusionauth.samlv2.domain.jaxb.oasis.assertion.SubjectType;
import io.fusionauth.samlv2.domain.jaxb.oasis.metadata.EndpointType;
import io.fusionauth.samlv2.domain.jaxb.oasis.metadata.EntityDescriptorType;
import io.fusionauth.samlv2.domain.jaxb.oasis.metadata.IDPSSODescriptorType;
import io.fusionauth.samlv2.domain.jaxb.oasis.metadata.KeyDescriptorType;
import io.fusionauth.samlv2.domain.jaxb.oasis.metadata.KeyTypes;
import io.fusionauth.samlv2.domain.jaxb.oasis.metadata.RoleDescriptorType;
import io.fusionauth.samlv2.domain.jaxb.oasis.protocol.AuthnRequestType;
import io.fusionauth.samlv2.domain.jaxb.oasis.protocol.NameIDPolicyType;
import io.fusionauth.samlv2.domain.jaxb.oasis.protocol.ResponseType;
import io.fusionauth.samlv2.domain.jaxb.oasis.protocol.StatusCodeType;
import io.fusionauth.samlv2.domain.jaxb.oasis.protocol.StatusType;
import io.fusionauth.samlv2.domain.jaxb.w3c.xmldsig.KeyInfoType;
import io.fusionauth.samlv2.domain.jaxb.w3c.xmldsig.X509DataType;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.StringWriter;
import java.lang.reflect.Field;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.GregorianCalendar;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.UUID;
import java.util.stream.Collectors;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBElement;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Marshaller;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.DigestMethodParameterSpec;
import javax.xml.crypto.dsig.spec.SignatureMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.datatype.XMLGregorianCalendar;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

/* loaded from: input_file:io/fusionauth/samlv2/service/DefaultSAMLv2Service.class */
public class DefaultSAMLv2Service implements SAMLv2Service {
    private static final ObjectFactory ASSERTION_OBJECT_FACTORY = new ObjectFactory();
    private static final io.fusionauth.samlv2.domain.jaxb.w3c.xmldsig.ObjectFactory DSIG_OBJECT_FACTORY = new io.fusionauth.samlv2.domain.jaxb.w3c.xmldsig.ObjectFactory();
    private static final io.fusionauth.samlv2.domain.jaxb.oasis.metadata.ObjectFactory METADATA_OBJECT_FACTORY = new io.fusionauth.samlv2.domain.jaxb.oasis.metadata.ObjectFactory();
    private static final io.fusionauth.samlv2.domain.jaxb.oasis.protocol.ObjectFactory PROTOCOL_OBJECT_FACTORY = new io.fusionauth.samlv2.domain.jaxb.oasis.protocol.ObjectFactory();
    private static final Logger logger = LoggerFactory.getLogger(DefaultSAMLv2Service.class);

    @Override // io.fusionauth.samlv2.service.SAMLv2Service
    public String buildAuthnResponse(AuthenticationResponse authenticationResponse, boolean z, PrivateKey privateKey, X509Certificate x509Certificate, Algorithm algorithm, String str) throws SAMLException {
        Element documentElement;
        Node node;
        ResponseType responseType = new ResponseType();
        StatusType statusType = new StatusType();
        statusType.setStatusCode(new StatusCodeType());
        statusType.getStatusCode().setValue(authenticationResponse.status.code.toSAMLFormat());
        statusType.setStatusMessage(authenticationResponse.status.message);
        responseType.setStatus(statusType);
        responseType.setID(authenticationResponse.id);
        responseType.setIssuer(new NameIDType());
        responseType.getIssuer().setValue(authenticationResponse.issuer);
        responseType.setVersion(authenticationResponse.version);
        responseType.setInResponseTo(authenticationResponse.inResponseTo);
        responseType.setIssueInstant(toXMLGregorianCalendar(authenticationResponse.issueInstant));
        responseType.setDestination(authenticationResponse.destination);
        AssertionType assertionType = new AssertionType();
        if (authenticationResponse.assertion != null && authenticationResponse.status.code == ResponseStatus.Success) {
            ZonedDateTime now = ZonedDateTime.now(ZoneOffset.UTC);
            assertionType.setID("_" + UUID.randomUUID().toString());
            assertionType.setIssuer(responseType.getIssuer());
            assertionType.setIssueInstant(toXMLGregorianCalendar(now));
            assertionType.setVersion(authenticationResponse.version);
            if (authenticationResponse.assertion.subject != null) {
                SubjectType subjectType = new SubjectType();
                if (authenticationResponse.assertion.subject.nameID != null) {
                    NameIDType nameIDType = new NameIDType();
                    nameIDType.setValue(authenticationResponse.assertion.subject.nameID.id);
                    nameIDType.setFormat(authenticationResponse.assertion.subject.nameID.format.toSAMLFormat());
                    subjectType.getContent().add(ASSERTION_OBJECT_FACTORY.createNameID(nameIDType));
                }
                if (authenticationResponse.assertion.subject.subjectConfirmation != null) {
                    SubjectConfirmationDataType subjectConfirmationDataType = new SubjectConfirmationDataType();
                    subjectConfirmationDataType.setInResponseTo(authenticationResponse.assertion.subject.subjectConfirmation.inResponseTo);
                    subjectConfirmationDataType.setNotBefore(toXMLGregorianCalendar(authenticationResponse.assertion.subject.subjectConfirmation.notBefore));
                    subjectConfirmationDataType.setNotOnOrAfter(toXMLGregorianCalendar(authenticationResponse.assertion.subject.subjectConfirmation.notOnOrAfter));
                    subjectConfirmationDataType.setRecipient(authenticationResponse.assertion.subject.subjectConfirmation.recipient);
                    SubjectConfirmationType subjectConfirmationType = new SubjectConfirmationType();
                    subjectConfirmationType.setSubjectConfirmationData(subjectConfirmationDataType);
                    if (authenticationResponse.assertion.subject.subjectConfirmation.method != null) {
                        subjectConfirmationType.setMethod(authenticationResponse.assertion.subject.subjectConfirmation.method.toSAMLFormat());
                    }
                    subjectType.getContent().add(ASSERTION_OBJECT_FACTORY.createSubjectConfirmation(subjectConfirmationType));
                }
                assertionType.setSubject(subjectType);
            }
            if (authenticationResponse.assertion.conditions != null) {
                ConditionsType conditionsType = new ConditionsType();
                conditionsType.setNotBefore(toXMLGregorianCalendar(authenticationResponse.assertion.conditions.notBefore));
                conditionsType.setNotOnOrAfter(toXMLGregorianCalendar(authenticationResponse.assertion.conditions.notOnOrAfter));
                assertionType.setConditions(conditionsType);
                if (authenticationResponse.assertion.conditions.audiences.size() > 0) {
                    AudienceRestrictionType audienceRestrictionType = new AudienceRestrictionType();
                    audienceRestrictionType.getAudience().addAll(authenticationResponse.assertion.conditions.audiences);
                    conditionsType.getConditionOrAudienceRestrictionOrOneTimeUse().add(audienceRestrictionType);
                }
            }
            AttributeStatementType attributeStatementType = new AttributeStatementType();
            authenticationResponse.assertion.attributes.forEach((str2, list) -> {
                AttributeType attributeType = new AttributeType();
                attributeType.setName(str2);
                attributeType.getAttributeValue().addAll(list);
                attributeStatementType.getAttributeOrEncryptedAttribute().add(attributeType);
            });
            assertionType.getStatementOrAuthnStatementOrAuthzDecisionStatement().add(attributeStatementType);
            AuthnStatementType authnStatementType = new AuthnStatementType();
            authnStatementType.setAuthnInstant(toXMLGregorianCalendar(now));
            authnStatementType.setAuthnContext(new AuthnContextType());
            authnStatementType.getAuthnContext().getContent().add(ASSERTION_OBJECT_FACTORY.createAuthnContextClassRef("urn:oasis:names:tc:SAML:2.0:ac:classes:Password"));
            assertionType.getStatementOrAuthnStatementOrAuthzDecisionStatement().add(authnStatementType);
            responseType.getAssertionOrEncryptedAssertion().add(assertionType);
        }
        Document marshallToDocument = marshallToDocument(PROTOCOL_OBJECT_FACTORY.createResponse(responseType), ResponseType.class);
        try {
            if (authenticationResponse.status.code == ResponseStatus.Success) {
                documentElement = (Element) marshallToDocument.getElementsByTagName("Assertion").item(0);
                node = documentElement.getElementsByTagName("Subject").item(0);
            } else {
                documentElement = marshallToDocument.getDocumentElement();
                node = null;
            }
            documentElement.setIdAttributeNode(documentElement.getAttributeNode("ID"), true);
            DOMSignContext dOMSignContext = new DOMSignContext(privateKey, documentElement);
            if (node != null) {
                dOMSignContext.setNextSibling(node);
            }
            XMLSignatureFactory xMLSignatureFactory = XMLSignatureFactory.getInstance("DOM");
            Transform newCanonicalizationMethod = xMLSignatureFactory.newCanonicalizationMethod(str, (C14NMethodParameterSpec) null);
            SignedInfo newSignedInfo = xMLSignatureFactory.newSignedInfo(newCanonicalizationMethod, xMLSignatureFactory.newSignatureMethod(algorithm.uri, (SignatureMethodParameterSpec) null), Collections.singletonList(xMLSignatureFactory.newReference("#" + documentElement.getAttribute("ID"), xMLSignatureFactory.newDigestMethod("http://www.w3.org/2001/04/xmlenc#sha256", (DigestMethodParameterSpec) null), Arrays.asList(xMLSignatureFactory.newTransform("http://www.w3.org/2000/09/xmldsig#enveloped-signature", (TransformParameterSpec) null), newCanonicalizationMethod), (String) null, (String) null)));
            KeyInfoFactory keyInfoFactory = xMLSignatureFactory.getKeyInfoFactory();
            xMLSignatureFactory.newXMLSignature(newSignedInfo, keyInfoFactory.newKeyInfo(Collections.singletonList(keyInfoFactory.newX509Data(Collections.singletonList(x509Certificate))))).sign(dOMSignContext);
            StringWriter stringWriter = new StringWriter();
            TransformerFactory.newInstance().newTransformer().transform(new DOMSource(marshallToDocument), new StreamResult(stringWriter));
            return Base64.getEncoder().encodeToString(stringWriter.toString().getBytes(StandardCharsets.UTF_8));
        } catch (Exception e) {
            throw new SAMLException("Unable to sign XML SAML response", e);
        }
    }

    @Override // io.fusionauth.samlv2.service.SAMLv2Service
    public String buildHTTPRedirectAuthnRequest(AuthenticationRequest authenticationRequest, String str, boolean z, PrivateKey privateKey, Algorithm algorithm) throws SAMLException {
        return _buildAuthnRequest(authenticationRequest, "2.0", str, z, privateKey, algorithm);
    }

    @Override // io.fusionauth.samlv2.service.SAMLv2Service
    public String buildInvalidTestingHTTPRedirectAuthnRequest(AuthenticationRequest authenticationRequest, String str, boolean z, PrivateKey privateKey, Algorithm algorithm) throws SAMLException {
        return _buildAuthnRequest(authenticationRequest, "bad", str, z, privateKey, algorithm);
    }

    @Override // io.fusionauth.samlv2.service.SAMLv2Service
    public String buildMetadataResponse(MetaData metaData) throws SAMLException {
        EntityDescriptorType entityDescriptorType = new EntityDescriptorType();
        entityDescriptorType.setID(metaData.id);
        entityDescriptorType.setEntityID(metaData.entityId);
        IDPSSODescriptorType iDPSSODescriptorType = new IDPSSODescriptorType();
        if (metaData.idp.signInEndpoint != null) {
            EndpointType endpointType = new EndpointType();
            endpointType.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect");
            endpointType.setLocation(metaData.idp.signInEndpoint);
            iDPSSODescriptorType.getSingleSignOnService().add(endpointType);
        }
        if (metaData.idp.logoutEndpoint != null) {
            EndpointType endpointType2 = new EndpointType();
            endpointType2.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect");
            endpointType2.setLocation(metaData.idp.logoutEndpoint);
            iDPSSODescriptorType.getSingleLogoutService().add(endpointType2);
        }
        metaData.idp.certificates.forEach(certificate -> {
            KeyDescriptorType keyDescriptorType = new KeyDescriptorType();
            keyDescriptorType.setUse(KeyTypes.SIGNING);
            KeyInfoType keyInfoType = new KeyInfoType();
            keyDescriptorType.setKeyInfo(keyInfoType);
            X509DataType x509DataType = new X509DataType();
            keyInfoType.getContent().add(DSIG_OBJECT_FACTORY.createX509Data(x509DataType));
            try {
                x509DataType.getX509IssuerSerialOrX509SKIOrX509SubjectName().add(DSIG_OBJECT_FACTORY.createX509DataTypeX509Certificate(certificate.getEncoded()));
                iDPSSODescriptorType.getKeyDescriptor().add(keyDescriptorType);
            } catch (Exception e) {
                throw new IllegalArgumentException(e);
            }
        });
        entityDescriptorType.getRoleDescriptorOrIDPSSODescriptorOrSPSSODescriptor().add(iDPSSODescriptorType);
        return new String(marshallToBytes(METADATA_OBJECT_FACTORY.createEntityDescriptor(entityDescriptorType), EntityDescriptorType.class), StandardCharsets.UTF_8);
    }

    @Override // io.fusionauth.samlv2.service.SAMLv2Service
    public MetaData parseMetaData(String str) throws SAMLException {
        EntityDescriptorType entityDescriptorType = (EntityDescriptorType) unmarshallFromDocument(parseFromBytes(str.getBytes(StandardCharsets.UTF_8)), EntityDescriptorType.class);
        MetaData metaData = new MetaData();
        metaData.id = entityDescriptorType.getID();
        metaData.entityId = entityDescriptorType.getEntityID();
        Optional<RoleDescriptorType> findFirst = entityDescriptorType.getRoleDescriptorOrIDPSSODescriptorOrSPSSODescriptor().stream().filter(roleDescriptorType -> {
            return roleDescriptorType instanceof IDPSSODescriptorType;
        }).findFirst();
        if (!findFirst.isPresent()) {
            return metaData;
        }
        IDPSSODescriptorType iDPSSODescriptorType = (IDPSSODescriptorType) findFirst.get();
        metaData.idp.signInEndpoint = iDPSSODescriptorType.getSingleSignOnService().size() > 0 ? iDPSSODescriptorType.getSingleSignOnService().get(0).getLocation() : null;
        metaData.idp.logoutEndpoint = iDPSSODescriptorType.getSingleLogoutService().size() > 0 ? iDPSSODescriptorType.getSingleLogoutService().get(0).getLocation() : null;
        try {
            metaData.idp.certificates = (List) iDPSSODescriptorType.getKeyDescriptor().stream().filter(keyDescriptorType -> {
                return keyDescriptorType.getUse() == KeyTypes.SIGNING;
            }).map(this::toCertificate).filter((v0) -> {
                return Objects.nonNull(v0);
            }).collect(Collectors.toList());
            return metaData;
        } catch (IllegalArgumentException e) {
            throw new SAMLException(e.getCause());
        }
    }

    @Override // io.fusionauth.samlv2.service.SAMLv2Service
    public AuthenticationRequest parseRequest(String str, String str2, String str3, boolean z, PublicKey publicKey, Algorithm algorithm) throws SAMLException {
        byte[] decodeAndInflate = decodeAndInflate(str);
        String str4 = new String(decodeAndInflate, StandardCharsets.UTF_8);
        if (logger.isDebugEnabled()) {
            logger.debug("SAMLRequest XML is\n{}", str4);
        }
        AuthnRequestType authnRequestType = (AuthnRequestType) unmarshallFromDocument(parseFromBytes(decodeAndInflate), AuthnRequestType.class);
        AuthenticationRequest authenticationRequest = new AuthenticationRequest();
        authenticationRequest.xml = str4;
        authenticationRequest.id = authnRequestType.getID();
        authenticationRequest.issuer = authnRequestType.getIssuer().getValue();
        authenticationRequest.issueInstant = authnRequestType.getIssueInstant().toGregorianCalendar().toZonedDateTime();
        authenticationRequest.nameIdFormat = NameIDFormat.fromSAMLFormat(authnRequestType.getNameIDPolicy().getFormat());
        authenticationRequest.version = authnRequestType.getVersion();
        if (z) {
            if (str3 == null || publicKey == null || algorithm == null) {
                throw new NullPointerException("You must specify a signature, key and algorithm if you want to verify the SAML request signature");
            }
            try {
                String str5 = "SAMLRequest=" + URLEncoder.encode(str, "UTF-8");
                if (str2 != null) {
                    str5 = str5 + "&RelayState=" + URLEncoder.encode(str2, "UTF-8");
                }
                String str6 = str5 + "&SigAlg=" + URLEncoder.encode(algorithm.uri, "UTF-8");
                Signature signature = Signature.getInstance(algorithm.name);
                signature.initVerify(publicKey);
                signature.update(str6.getBytes(StandardCharsets.UTF_8));
                if (!signature.verify(Base64.getDecoder().decode(str3))) {
                    throw new SAMLException("Invalid signature");
                }
            } catch (Exception e) {
                throw new SAMLException("Unable to verify signature", e);
            }
        }
        return authenticationRequest;
    }

    @Override // io.fusionauth.samlv2.service.SAMLv2Service
    public AuthenticationResponse parseResponse(String str, boolean z, PublicKey publicKey) throws SAMLException {
        Document parseFromBytes = parseFromBytes(Base64.getDecoder().decode(str));
        if (z) {
            verifySignature(parseFromBytes, publicKey);
        }
        AuthenticationResponse authenticationResponse = new AuthenticationResponse();
        ResponseType responseType = (ResponseType) unmarshallFromDocument(parseFromBytes, ResponseType.class);
        authenticationResponse.status.code = ResponseStatus.fromSAMLFormat(responseType.getStatus().getStatusCode().getValue());
        authenticationResponse.id = responseType.getID();
        authenticationResponse.issuer = responseType.getIssuer() != null ? responseType.getIssuer().getValue() : null;
        authenticationResponse.issueInstant = toZonedDateTime(responseType.getIssueInstant());
        authenticationResponse.destination = responseType.getDestination();
        authenticationResponse.version = responseType.getVersion();
        for (Object obj : responseType.getAssertionOrEncryptedAssertion()) {
            if (obj instanceof EncryptedElementType) {
                logger.warn("SAML response contained encrypted attribute. It was ignored.");
            } else {
                AssertionType assertionType = (AssertionType) obj;
                SubjectType subject = assertionType.getSubject();
                if (subject != null) {
                    authenticationResponse.assertion.subject = new Subject();
                    for (JAXBElement<?> jAXBElement : subject.getContent()) {
                        Class declaredType = jAXBElement.getDeclaredType();
                        if (declaredType == NameIDType.class) {
                            if (authenticationResponse.assertion.subject.nameID != null) {
                                logger.warn("SAML response contained multiple NameID elements. Only the first one was used.");
                            } else {
                                authenticationResponse.assertion.subject.nameID = parseNameId((NameIDType) jAXBElement.getValue());
                            }
                        } else if (declaredType == SubjectConfirmationType.class) {
                            authenticationResponse.assertion.subject.subjectConfirmation = parseConfirmation((SubjectConfirmationType) jAXBElement.getValue());
                        } else if (declaredType == EncryptedElementType.class) {
                            throw new SAMLException("This library currently doesn't handle encrypted assertions");
                        }
                    }
                }
                ConditionsType conditions = assertionType.getConditions();
                if (conditions != null) {
                    authenticationResponse.assertion.conditions = new Conditions();
                    authenticationResponse.assertion.conditions.notBefore = convertToZonedDateTime(conditions.getNotBefore());
                    authenticationResponse.assertion.conditions.notOnOrAfter = convertToZonedDateTime(conditions.getNotOnOrAfter());
                    for (ConditionAbstractType conditionAbstractType : conditions.getConditionOrAudienceRestrictionOrOneTimeUse()) {
                        if (conditionAbstractType instanceof AudienceRestrictionType) {
                            authenticationResponse.assertion.conditions.audiences.addAll(((AudienceRestrictionType) conditionAbstractType).getAudience());
                        }
                    }
                }
                for (StatementAbstractType statementAbstractType : assertionType.getStatementOrAuthnStatementOrAuthzDecisionStatement()) {
                    if (statementAbstractType instanceof AttributeStatementType) {
                        for (Object obj2 : ((AttributeStatementType) statementAbstractType).getAttributeOrEncryptedAttribute()) {
                            if (!(obj2 instanceof AttributeType)) {
                                throw new SAMLException("This library currently doesn't support encrypted attributes");
                            }
                            AttributeType attributeType = (AttributeType) obj2;
                            authenticationResponse.assertion.attributes.computeIfAbsent(attributeType.getName(), str2 -> {
                                return new ArrayList();
                            }).addAll((List) attributeType.getAttributeValue().stream().map(this::attributeToString).collect(Collectors.toList()));
                        }
                    }
                }
            }
        }
        return authenticationResponse;
    }

    private String _buildAuthnRequest(AuthenticationRequest authenticationRequest, String str, String str2, boolean z, PrivateKey privateKey, Algorithm algorithm) throws SAMLException {
        AuthnRequestType authnRequestType = new AuthnRequestType();
        authnRequestType.setAssertionConsumerServiceURL(authenticationRequest.acsURL);
        authnRequestType.setIssuer(new NameIDType());
        authnRequestType.getIssuer().setValue(authenticationRequest.issuer);
        authnRequestType.setNameIDPolicy(new NameIDPolicyType());
        authnRequestType.getNameIDPolicy().setFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
        authnRequestType.getNameIDPolicy().setAllowCreate(false);
        authnRequestType.setID(authenticationRequest.id);
        authnRequestType.setVersion(str);
        authnRequestType.setIssueInstant(new XMLGregorianCalendarImpl(GregorianCalendar.from(ZonedDateTime.now())));
        try {
            String str3 = "SAMLRequest=" + URLEncoder.encode(deflateAndEncode(marshallToBytes(PROTOCOL_OBJECT_FACTORY.createAuthnRequest(authnRequestType), AuthnRequestType.class)), "UTF-8");
            if (str2 != null) {
                str3 = str3 + "&RelayState=" + URLEncoder.encode(str2, "UTF-8");
            }
            if (z && privateKey != null && algorithm != null) {
                String str4 = str3 + "&SigAlg=" + URLEncoder.encode(algorithm.uri, "UTF-8");
                Signature signature = Signature.getInstance(algorithm.name);
                signature.initSign(privateKey);
                signature.update(str4.getBytes(StandardCharsets.UTF_8));
                str3 = str4 + "&Signature=" + URLEncoder.encode(Base64.getEncoder().encodeToString(signature.sign()), "UTF-8");
            }
            return str3;
        } catch (Exception e) {
            throw new SAMLException(e);
        }
    }

    private String attributeToString(Object obj) {
        if (obj instanceof Number) {
            return obj.toString();
        }
        if (obj instanceof String) {
            return (String) obj;
        }
        if (obj instanceof Element) {
            return ((Element) obj).getTextContent();
        }
        logger.warn("This library currently doesn't handle attributes of type [" + obj.getClass() + "]");
        return null;
    }

    private ZonedDateTime convertToZonedDateTime(XMLGregorianCalendar xMLGregorianCalendar) {
        if (xMLGregorianCalendar != null) {
            return xMLGregorianCalendar.toGregorianCalendar().toZonedDateTime();
        }
        return null;
    }

    private byte[] decodeAndInflate(String str) throws SAMLException {
        byte[] decode = Base64.getDecoder().decode(str);
        Inflater inflater = new Inflater(true);
        inflater.setInput(decode);
        inflater.finished();
        try {
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            byte[] bArr = new byte[decode.length];
            while (!inflater.finished()) {
                int inflate = inflater.inflate(bArr);
                if (inflate > 0) {
                    byteArrayOutputStream.write(bArr, 0, inflate);
                }
            }
            return byteArrayOutputStream.toByteArray();
        } catch (DataFormatException e) {
            throw new SAMLException("Invalid AuthnRequest. Inflating the bytes failed.", e);
        }
    }

    private String deflateAndEncode(byte[] bArr) {
        Deflater deflater = new Deflater(8, true);
        deflater.setInput(bArr);
        deflater.finish();
        byte[] bArr2 = new byte[bArr.length];
        int deflate = deflater.deflate(bArr2);
        deflater.end();
        return Base64.getEncoder().encodeToString(Arrays.copyOf(bArr2, deflate));
    }

    private void fixIDs(Element element) {
        NamedNodeMap attributes = element.getAttributes();
        for (int i = 0; i < attributes.getLength(); i++) {
            Attr attr = (Attr) attributes.item(i);
            if (attr.getLocalName().toLowerCase().equals("id")) {
                element.setIdAttributeNode(attr, true);
            }
        }
        NodeList childNodes = element.getChildNodes();
        for (int i2 = 0; i2 < childNodes.getLength(); i2++) {
            Node item = childNodes.item(i2);
            if (item.getNodeType() == 1) {
                fixIDs((Element) item);
            }
        }
    }

    private <T> byte[] marshallToBytes(JAXBElement<T> jAXBElement, Class<T> cls) throws SAMLException {
        try {
            Marshaller createMarshaller = JAXBContext.newInstance(new Class[]{cls}).createMarshaller();
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            createMarshaller.marshal(jAXBElement, byteArrayOutputStream);
            return byteArrayOutputStream.toByteArray();
        } catch (JAXBException e) {
            throw new SAMLException("Unable to marshallRequest JAXB SAML object to bytes.", e);
        }
    }

    private <T> Document marshallToDocument(JAXBElement<T> jAXBElement, Class<T> cls) throws SAMLException {
        try {
            Marshaller createMarshaller = JAXBContext.newInstance(new Class[]{cls}).createMarshaller();
            DocumentBuilderFactory newInstance = DocumentBuilderFactory.newInstance();
            newInstance.setNamespaceAware(true);
            Document newDocument = newInstance.newDocumentBuilder().newDocument();
            createMarshaller.marshal(jAXBElement, newDocument);
            return newDocument;
        } catch (JAXBException | ParserConfigurationException e) {
            throw new SAMLException("Unable to marshallRequest JAXB SAML object to DOM.", e);
        }
    }

    private SubjectConfirmation parseConfirmation(SubjectConfirmationType subjectConfirmationType) {
        SubjectConfirmation subjectConfirmation = new SubjectConfirmation();
        SubjectConfirmationDataType subjectConfirmationData = subjectConfirmationType.getSubjectConfirmationData();
        if (subjectConfirmationData != null) {
            subjectConfirmation.inResponseTo = subjectConfirmationData.getInResponseTo();
            subjectConfirmation.notBefore = toZonedDateTime(subjectConfirmationData.getNotBefore());
            subjectConfirmation.notOnOrAfter = toZonedDateTime(subjectConfirmationData.getNotOnOrAfter());
            subjectConfirmation.recipient = subjectConfirmationData.getRecipient();
        }
        subjectConfirmation.method = ConfirmationMethod.fromSAMLFormat(subjectConfirmationType.getMethod());
        return subjectConfirmation;
    }

    private Document parseFromBytes(byte[] bArr) throws SAMLException {
        DocumentBuilderFactory newInstance = DocumentBuilderFactory.newInstance();
        newInstance.setNamespaceAware(true);
        try {
            return newInstance.newDocumentBuilder().parse(new ByteArrayInputStream(bArr));
        } catch (IOException | ParserConfigurationException | SAXException e) {
            throw new SAMLException("Unable to parse SAML v2.0 authentication response", e);
        }
    }

    private NameID parseNameId(NameIDType nameIDType) {
        NameID nameID = new NameID();
        nameID.format = NameIDFormat.fromSAMLFormat(nameIDType.getFormat());
        nameID.id = nameIDType.getValue();
        return nameID;
    }

    private Certificate toCertificate(KeyDescriptorType keyDescriptorType) {
        try {
            for (Object obj : keyDescriptorType.getKeyInfo().getContent()) {
                if (obj instanceof JAXBElement) {
                    JAXBElement jAXBElement = (JAXBElement) obj;
                    if (jAXBElement.getDeclaredType() == X509DataType.class) {
                        Iterator<Object> it = ((X509DataType) jAXBElement.getValue()).getX509IssuerSerialOrX509SKIOrX509SubjectName().iterator();
                        while (it.hasNext()) {
                            JAXBElement jAXBElement2 = (JAXBElement) it.next();
                            if (jAXBElement2.getName().getLocalPart().equals("X509Certificate")) {
                                return CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream((byte[]) jAXBElement2.getValue()));
                            }
                        }
                    } else {
                        continue;
                    }
                }
            }
            return null;
        } catch (CertificateException e) {
            throw new IllegalArgumentException(e);
        }
    }

    private XMLGregorianCalendar toXMLGregorianCalendar(ZonedDateTime zonedDateTime) {
        if (zonedDateTime == null) {
            return null;
        }
        return new XMLGregorianCalendarImpl(GregorianCalendar.from(zonedDateTime));
    }

    private ZonedDateTime toZonedDateTime(XMLGregorianCalendar xMLGregorianCalendar) {
        if (xMLGregorianCalendar == null) {
            return null;
        }
        return xMLGregorianCalendar.toGregorianCalendar().toZonedDateTime();
    }

    private <T> T unmarshallFromDocument(Document document, Class<T> cls) throws SAMLException {
        try {
            return (T) JAXBContext.newInstance(new Class[]{cls}).createUnmarshaller().unmarshal(document, cls).getValue();
        } catch (JAXBException e) {
            throw new SAMLException("Unable to unmarshall SAML response", e);
        }
    }

    private void verifySignature(Document document, Key key) throws SAMLException {
        fixIDs(document.getDocumentElement());
        NodeList elementsByTagNameNS = document.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature");
        if (elementsByTagNameNS.getLength() == 0) {
            return;
        }
        for (int i = 0; i < elementsByTagNameNS.getLength(); i++) {
            DOMValidateContext dOMValidateContext = new DOMValidateContext(key, elementsByTagNameNS.item(i));
            try {
                if (!XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(dOMValidateContext).validate(dOMValidateContext)) {
                    throw new SAMLException("Invalid SAML v2.0 authentication response. The signature is invalid.");
                }
            } catch (MarshalException e) {
                throw new SAMLException("Unable to verify XML signature in the SAML v2.0 authentication response because we couldn't unmarshall the XML Signature element", e);
            } catch (XMLSignatureException e2) {
                throw new SAMLException("Unable to verify XML signature in the SAML v2.0 authentication response. The signature was unmarshalled we couldn't validate it for an unknown reason", e2);
            }
        }
    }

    static {
        try {
            Field declaredField = Class.forName("com.sun.org.apache.xml.internal.security.utils.XMLUtils").getDeclaredField("ignoreLineBreaks");
            declaredField.setAccessible(true);
            declaredField.set(null, Boolean.TRUE);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
