package com.vmware.vapi.internal.saml;

import com.rsa.names._2009._12.std_ext.saml2_.RSAAdviceType;
import com.rsa.names._2009._12.std_ext.saml2_.RenewRestrictionType;
import com.rsa.names._2010._04.std_prof.saml2_.AttributeNames;
import com.vmware.vapi.internal.saml.exception.ParserException;
import com.vmware.vapi.saml.Advice;
import com.vmware.vapi.saml.ConfirmationType;
import com.vmware.vapi.saml.IssuerNameId;
import com.vmware.vapi.saml.PrincipalId;
import com.vmware.vapi.saml.SamlToken;
import com.vmware.vapi.saml.SubjectNameId;
import com.vmware.vapi.saml.ValidatableSamlTokenEx;
import com.vmware.vapi.saml.XmlParserFactory;
import com.vmware.vapi.saml.exception.InvalidSignatureException;
import com.vmware.vapi.saml.exception.InvalidTimingException;
import com.vmware.vapi.saml.exception.InvalidTokenException;
import com.vmware.vapi.saml.exception.MalformedTokenException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringReader;
import java.math.BigInteger;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collections;
import java.util.Comparator;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TimeZone;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBElement;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.datatype.XMLGregorianCalendar;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.Result;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMResult;
import javax.xml.transform.dom.DOMSource;
import javax.xml.validation.Schema;
import oasis.names.tc.saml._2_0.assertion_.AdviceType;
import oasis.names.tc.saml._2_0.assertion_.AssertionType;
import oasis.names.tc.saml._2_0.assertion_.AttributeStatementType;
import oasis.names.tc.saml._2_0.assertion_.AttributeType;
import oasis.names.tc.saml._2_0.assertion_.AudienceRestrictionType;
import oasis.names.tc.saml._2_0.assertion_.ConditionAbstractType;
import oasis.names.tc.saml._2_0.assertion_.ConditionsType;
import oasis.names.tc.saml._2_0.assertion_.KeyInfoConfirmationDataType;
import oasis.names.tc.saml._2_0.assertion_.NameIDType;
import oasis.names.tc.saml._2_0.assertion_.ProxyRestrictionType;
import oasis.names.tc.saml._2_0.assertion_.StatementAbstractType;
import oasis.names.tc.saml._2_0.assertion_.SubjectConfirmationDataType;
import oasis.names.tc.saml._2_0.assertion_.SubjectConfirmationType;
import oasis.names.tc.saml._2_0.assertion_.SubjectType;
import oasis.names.tc.saml._2_0.conditions.delegation_.DelegateType;
import oasis.names.tc.saml._2_0.conditions.delegation_.DelegationRestrictionType;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3._2000._09.xmldsig_.KeyInfoType;
import org.w3._2000._09.xmldsig_.X509DataType;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/* loaded from: input_file:com/vmware/vapi/internal/saml/SamlTokenImpl.class */
public class SamlTokenImpl implements ValidatableSamlTokenEx {
    private long _startTime;
    private long _expirationTime;
    private boolean _isRenewable;
    private boolean _isDelegable;
    private ConfirmationType _confirmationType;
    private PrincipalId _subjectUPN;
    private SubjectNameId _subjectId;
    private IssuerNameId _issuerId;
    private final Document _parsedToken;
    private long _issueInstant;
    private String _id;
    private List<SamlToken.TokenDelegate> _delegationChain;
    private List<ValidatableSamlTokenEx.TokenDelegateEx> _delegationChainEx;
    private Set<String> _audienceRestrictionList;
    private X509Certificate _confirmationCertificate;
    private List<Advice> _advice;
    private List<PrincipalId> _groups;
    private boolean _isSolution;
    private final AtomicBoolean _tokenValidated;
    private final AtomicBoolean _allowTokenAccess;
    private static final Schema SAML_SCHEMA;
    private XMLGregorianCalendar _subjConfExp;
    private static final String SAML_SCHEMA_FILENAME = "profiled-saml-schema-assertion-2.0.xsd";
    private static final String DEFAULT_TIME_ZONE = "GMT";
    private static final String BEARER_CONFIRMATION = "urn:oasis:names:tc:SAML:2.0:cm:bearer";
    private static final String HOLDER_OF_KEY_CONFIRMATION = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key";
    private static final String XMLNS_NS_URI = "http://www.w3.org/2000/xmlns/";
    private static final String SIGNATURE_ELEMENT_NAME = "Signature";
    private static final String ASSERTION_ID_ATTR_NAME = "ID";
    private static final String SIGNATURE_VALIDATION_ERROR_MSG = "Signature validation failed";
    private static final String PARSING_TOKEN_ERROR_MSG = "Error parsing SAML token.";
    private static final String PARSE_DELEGATION_ERR_MSG = "Cannot parse delegation restrictions.";
    private static final String X509_CERT_FACTORY_TYPE = "X.509";
    private static final String CERTIFICATE_PARSE_ERR_MSG = "Cannot parse user's confirmation certificate";
    private static final String SUBJ_CONF_DATA_NOT_FOUNT_MSG = "Cannot find subject confirmation data";
    private static final String SUBJ_CONF_DATA_WRONG_TYPE_MSG = "SubjectConfirmationData is not instance of KeyInfoConfirmationData type which is necessary for this kind of tokens (HOK).";
    private static final String ERR_LOADNIG_SAML_SCHEMA = "An error occured while loading SAML schema.";
    private static final String PARSE_GROUPS_ERR_MSG = "Cannot parse group information";
    private static final String PARSE_ISSOLUTION_ERR_MSG = "Value for attribute isSolution is not valid.";
    private static final String UPN_FORMAT_URI = "http://schemas.xmlsoap.org/claims/UPN";
    private static final long MILLISECONDS_PER_SECOND = 1000;
    private static final XmlParserFactory xmlParserFactory;
    private final Logger _log;
    private final JAXBContext _jaxbContext;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/vmware/vapi/internal/saml/SamlTokenImpl$DeploymentError.class */
    /**
     * Raised for unrecoverable deployment problems (for example a SAML schema that
     * cannot be loaded). It is an {@link Error}, so ordinary exception handlers are
     * not expected to catch it.
     */
    public static class DeploymentError extends Error {
        private static final long serialVersionUID = -6610749680263268064L;

        /**
         * @param str description of the deployment problem
         * @param th  underlying cause
         */
        public DeploymentError(String str, Throwable th) {
            super(str, th);
        }

        /**
         * @param str description of the deployment problem
         */
        public DeploymentError(String str) {
            super(str);
        }
    }

    /* loaded from: input_file:com/vmware/vapi/internal/saml/SamlTokenImpl$TokenDelegateExImpl.class */
    /**
     * One entry of the token's delegation chain, carrying both the raw SAML
     * NameID of the delegate and (when it could be parsed) its principal id.
     */
    public static class TokenDelegateExImpl implements ValidatableSamlTokenEx.TokenDelegateEx {
        // Raw NameID of the delegate; never null (asserted in the constructor).
        protected SubjectNameId _subjectNameId;
        // Parsed principal; may be null when the NameID was not in a parseable format.
        protected PrincipalId _subject;
        // Delegation instant in epoch milliseconds.
        protected long _delegationDate;

        /**
         * @param subjectNameId raw NameID of the delegate, must not be null
         * @param principalId   parsed principal of the delegate, may be null
         * @param j             delegation instant in epoch milliseconds
         */
        public TokenDelegateExImpl(SubjectNameId subjectNameId, PrincipalId principalId, long j) {
            assert subjectNameId != null;
            _subjectNameId = subjectNameId;
            _subject = principalId;
            _delegationDate = j;
        }

        /** @return the parsed delegate principal, or null when it could not be parsed */
        @Override
        public PrincipalId getSubject() {
            return _subject;
        }

        /** @return a fresh {@link Date} for the delegation instant */
        @Override
        public Date getDelegationDate() {
            return new Date(_delegationDate);
        }

        /** @return the raw NameID of the delegate */
        @Override
        public SubjectNameId getSubjectNameId() {
            return _subjectNameId;
        }

        @Override
        public String toString() {
            // Note: the prefix reads "TokenDelegateImpl" on purpose — it is an existing
            // diagnostic string and is kept unchanged.
            return String.format("TokenDelegateImpl [subject=%s, delegationDate=%s]", _subjectNameId, Long.valueOf(_delegationDate));
        }
    }

    /* loaded from: input_file:com/vmware/vapi/internal/saml/SamlTokenImpl$TokenDelegateImpl.class */
    /**
     * Immutable delegation-chain entry holding only the parsed principal and the
     * delegation instant.
     */
    public static class TokenDelegateImpl implements SamlToken.TokenDelegate {
        private final PrincipalId _subject;
        // Delegation instant in epoch milliseconds.
        private final long _delegationDate;

        /**
         * @param principalId delegate principal, must not be null
         * @param j           delegation instant in epoch milliseconds
         */
        public TokenDelegateImpl(PrincipalId principalId, long j) {
            assert principalId != null;
            _subject = principalId;
            _delegationDate = j;
        }

        /** @return the delegate principal */
        @Override
        public PrincipalId getSubject() {
            return _subject;
        }

        /** @return a fresh {@link Date} for the delegation instant */
        @Override
        public Date getDelegationDate() {
            return new Date(_delegationDate);
        }

        @Override
        public String toString() {
            return String.format("TokenDelegateImpl [subject=%s, delegationDate=%s]", _subject, Long.valueOf(_delegationDate));
        }
    }

    /**
     * Common constructor: schema-validates and parses the already-built DOM, then
     * registers the assertion ID attribute so signature references can resolve it.
     * Parsing here does not validate the signature or the lifetime; that happens
     * in {@link #validate(X509Certificate[], long)}.
     *
     * @param str         short label of the input form ("XML" / "Element"), used in messages only
     * @param document    the token DOM; must not be null
     * @param jAXBContext JAXB context able to unmarshal SAML assertions; must not be null
     * @param bool        when true, delegate NameIDs that are not UPNs are tolerated
     * @throws InvalidTokenException when the document is not a well-formed SAML assertion
     */
    private SamlTokenImpl(String str, Document document, JAXBContext jAXBContext, Boolean bool) throws InvalidTokenException {
        _delegationChain = Collections.emptyList();
        _delegationChainEx = Collections.emptyList();
        _audienceRestrictionList = Collections.emptySet();
        _advice = Collections.emptyList();
        _groups = Collections.emptyList();
        _tokenValidated = new AtomicBoolean(false);
        _allowTokenAccess = new AtomicBoolean(false);
        _log = LoggerFactory.getLogger((Class<?>) SamlTokenImpl.class);
        ValidateUtil.validateNotNull(document, "token " + str);
        ValidateUtil.validateNotNull(jAXBContext, "JAXBContext");
        _jaxbContext = jAXBContext;
        _parsedToken = document;
        validateAndPopulate(bool);
        // Marks the ID attribute as an XML ID type; presumably needed so the enveloped
        // signature's same-document reference can be resolved during validation.
        markAssertionIdAttribute(_parsedToken.getDocumentElement());
        _log.info("SAML token for " + _subjectId + " successfully parsed from " + str);
    }

    /**
     * Parses a token from its XML text with strict (UPN-only) delegate parsing.
     *
     * @param str         the token XML
     * @param jAXBContext JAXB context able to unmarshal SAML assertions
     * @throws InvalidTokenException when the XML is not a valid SAML assertion
     */
    public SamlTokenImpl(String str, JAXBContext jAXBContext) throws InvalidTokenException {
        this("XML", parseTokenXmlToDom(str), jAXBContext, Boolean.FALSE);
    }

    /**
     * Parses a token from a DOM element (copied into a standalone document) with
     * strict (UPN-only) delegate parsing.
     *
     * @param element     the assertion element
     * @param jAXBContext JAXB context able to unmarshal SAML assertions
     * @throws InvalidTokenException when the element is not a valid SAML assertion
     */
    public SamlTokenImpl(Element element, JAXBContext jAXBContext) throws InvalidTokenException {
        this("Element", createStandaloneCopy(element), jAXBContext, Boolean.FALSE);
    }

    /**
     * Parses a token from its XML text.
     *
     * @param str         the token XML
     * @param jAXBContext JAXB context able to unmarshal SAML assertions
     * @param bool        when true, delegate NameIDs that are not UPNs are tolerated
     * @throws InvalidTokenException when the XML is not a valid SAML assertion
     */
    public SamlTokenImpl(String str, JAXBContext jAXBContext, Boolean bool) throws InvalidTokenException {
        this("XML", parseTokenXmlToDom(str), jAXBContext, bool);
    }

    /**
     * Parses a token from a DOM element (copied into a standalone document).
     *
     * @param element     the assertion element
     * @param jAXBContext JAXB context able to unmarshal SAML assertions
     * @param bool        when true, delegate NameIDs that are not UPNs are tolerated
     * @throws InvalidTokenException when the element is not a valid SAML assertion
     */
    public SamlTokenImpl(Element element, JAXBContext jAXBContext, Boolean bool) throws InvalidTokenException {
        this("Element", createStandaloneCopy(element), jAXBContext, bool);
    }

    /** @return the NotBefore instant of the assertion; guarded by {@code checkAccessAllowed()} */
    @Override
    public Date getStartTime() {
        checkAccessAllowed();
        final long millis = _startTime;
        return new Date(millis);
    }

    /** @return the NotOnOrAfter instant of the assertion; guarded by {@code checkAccessAllowed()} */
    @Override
    public Date getExpirationTime() {
        checkAccessAllowed();
        final long millis = _expirationTime;
        return new Date(millis);
    }

    /** @return true when a RenewRestriction with a positive count was present */
    @Override
    public boolean isRenewable() {
        checkAccessAllowed();
        return _isRenewable;
    }

    /** @return true when a ProxyRestriction with a positive count was present */
    @Override
    public boolean isDelegable() {
        checkAccessAllowed();
        return _isDelegable;
    }

    /**
     * @return the subject confirmation type (bearer or holder-of-key); null when the
     *         token used a confirmation method this parser does not recognize
     */
    @Override
    public ConfirmationType getConfirmationType() {
        checkAccessAllowed();
        return _confirmationType;
    }

    /**
     * Serializes the parsed assertion element back to XML text.
     *
     * @return the assertion as XML
     * @throws IllegalStateException when serialization of the held DOM fails
     */
    @Override
    public String toXml() {
        checkAccessAllowed();
        final Element root = _parsedToken.getDocumentElement();
        try {
            return Util.serializeToString(root);
        } catch (ParserException cause) {
            throw new IllegalStateException(cause);
        }
    }

    /**
     * Deep-copies the assertion element into another document and re-registers the
     * ID attribute on the copy. Unlike the getters this is not guarded by
     * {@code checkAccessAllowed()}.
     *
     * @param document the host document; must not be null
     * @return the imported assertion element (owned by {@code document}, not yet attached)
     */
    @Override
    public Node importTo(Document document) {
        ValidateUtil.validateNotNull(document, "Host document");
        final Node imported = document.importNode(_parsedToken.getDocumentElement(), true);
        final Element copy = (Element) imported;
        markAssertionIdAttribute(copy);
        return copy;
    }

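    /**
     * Writes the whole token document to the supplied transform {@link Result}
     * through an identity transform.
     *
     * Transformer creation is separated from the transform itself: in the original
     * nesting the outer catch for {@link TransformerConfigurationException} could
     * never be reached (the inner catch for its supertype ran first), so a broken
     * platform would have surfaced as a misleading "supplied destination" error.
     *
     * @param result destination of the serialized token
     * @throws IllegalStateException    when no identity transformer can be created
     * @throws IllegalArgumentException when writing to {@code result} fails
     */
    public void export(Result result) {
        checkAccessAllowed();
        Transformer identity;
        try {
            identity = TransformerFactory.newInstance().newTransformer();
        } catch (TransformerConfigurationException e) {
            throw new IllegalStateException("Failed to create XML identity transformer (incompliant Java implementation?)", e);
        }
        try {
            identity.transform(new DOMSource(_parsedToken), result);
        } catch (TransformerException e) {
            throw new IllegalArgumentException("Exporting SAML XML failed with the supplied destination", e);
        }
    }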

    /** @return the subject as a principal; null when the subject NameID was not in UPN format */
    @Override
    public PrincipalId getSubject() {
        checkAccessAllowed();
        return _subjectUPN;
    }

    /** @return the raw subject NameID (value and format) */
    @Override
    public SubjectNameId getSubjectNameId() {
        checkAccessAllowed();
        return _subjectId;
    }

    /** @return the issuer NameID, or null when the assertion carried no Issuer */
    @Override
    public IssuerNameId getIssuerNameId() {
        checkAccessAllowed();
        return _issuerId;
    }

    /** @return the assertion ID attribute */
    @Override
    public String getId() {
        checkAccessAllowed();
        return _id;
    }

    /** @return the delegation chain ordered by delegation instant; unmodifiable, possibly empty */
    @Override
    public List<SamlToken.TokenDelegate> getDelegationChain() {
        checkAccessAllowed();
        return _delegationChain;
    }

    /** @return the delegation chain with raw NameIDs; unmodifiable, possibly empty */
    @Override
    public List<ValidatableSamlTokenEx.TokenDelegateEx> getDelegationChainEx() {
        checkAccessAllowed();
        return _delegationChainEx;
    }

    /** @return audience URIs from the AudienceRestriction condition; unmodifiable, possibly empty */
    @Override
    public Set<String> getAudience() {
        checkAccessAllowed();
        return _audienceRestrictionList;
    }

    /** @return the holder-of-key confirmation certificate; null for bearer tokens */
    @Override
    public X509Certificate getConfirmationCertificate() {
        checkAccessAllowed();
        return _confirmationCertificate;
    }

    /** @return parsed RSA advice entries; unmodifiable, possibly empty */
    @Override
    public List<Advice> getAdvice() {
        checkAccessAllowed();
        return _advice;
    }

    /** @return group principals from the attribute statement; unmodifiable, possibly empty */
    @Override
    public List<PrincipalId> getGroupList() {
        checkAccessAllowed();
        return _groups;
    }

    /** @return the parsed isSolution attribute flag */
    @Override
    public boolean isSolution() {
        checkAccessAllowed();
        return _isSolution;
    }

    /**
     * Validates the token: the enveloped signature must chain to one of the given
     * trust roots, the assertion lifetime must be current (with {@code j} seconds of
     * clock tolerance) and the subject-confirmation expiry must not exceed the
     * assertion expiry. Only after all three pass is the token flagged as validated.
     *
     * @param x509CertificateArr trusted root certificates; must not be empty
     * @param j                  clock tolerance in seconds
     * @throws InvalidSignatureException when the signature does not verify
     * @throws InvalidTimingException    when the lifetime checks fail
     * @throws InvalidTokenException     on malformed signature structure
     */
    @Override
    public void validate(X509Certificate[] x509CertificateArr, long j) throws InvalidTokenException {
        ValidateUtil.validateNotEmpty(x509CertificateArr, "Trusted root certificates");
        final KeySelector trustChainSelector = new X509TrustChainKeySelector(x509CertificateArr);
        final boolean signatureOk = validateSignature(trustChainSelector);
        if (!signatureOk) {
            _log.info("SAML token cannot be constructed: Signature validation failed");
            throw new InvalidSignatureException(SIGNATURE_VALIDATION_ERROR_MSG);
        }
        validateWithinTokenLifePeriod(j);
        validateSubjectConfirmationExpDate();
        _tokenValidated.set(true);
        _log.debug("Token is successfully validated");
    }

    /**
     * Opens the token's accessors (they are gated by {@code checkAccessAllowed()}).
     * Intended to be called by the owner once validation has been performed or is
     * deliberately not required.
     */
    public void allowTokenAccess() {
        final AtomicBoolean gate = _allowTokenAccess;
        gate.set(true);
    }

    /**
     * Unmarshals the DOM against the profiled SAML schema and populates every
     * parsed field. Schema validation on the unmarshaller is what rejects
     * structurally invalid assertions before the individual parsers run.
     *
     * @param bool when true, delegate NameIDs that are not UPNs are tolerated
     * @throws InvalidTokenException when unmarshalling fails or a sub-parser rejects the content
     */
    private void validateAndPopulate(Boolean bool) throws InvalidTokenException {
        try {
            final Unmarshaller unmarshaller = _jaxbContext.createUnmarshaller();
            unmarshaller.setSchema(SAML_SCHEMA);
            final JAXBElement<?> root = (JAXBElement<?>) unmarshaller.unmarshal(_parsedToken);
            final AssertionType assertion = (AssertionType) root.getValue();
            parseAssertionAttributes(assertion);
            parseConditions(assertion.getConditions(), bool);
            parseSubject(assertion.getSubject());
            parseIssuer(assertion.getIssuer());
            final List<StatementAbstractType> statements = assertion.getAuthnStatementOrAttributeStatement();
            parseAuthnStatement(statements);
            if (statements != null) {
                parseAttributeStatement(statements);
            }
            final AdviceType advice = assertion.getAdvice();
            if (advice != null) {
                parseAdvice(advice);
            }
            _log.debug("Token fields are successfully populated");
        } catch (JAXBException e) {
            _log.info(PARSING_TOKEN_ERROR_MSG, e);
            throw new MalformedTokenException(PARSING_TOKEN_ERROR_MSG, e);
        }
    }

    /**
     * Reads the assertion-level attributes: IssueInstant (as epoch millis, GMT) and ID.
     *
     * @param assertionType the unmarshalled assertion
     */
    private void parseAssertionAttributes(AssertionType assertionType) {
        final TimeZone gmt = TimeZone.getTimeZone(DEFAULT_TIME_ZONE);
        _issueInstant = assertionType.getIssueInstant().toGregorianCalendar(gmt, null, null).getTimeInMillis();
        _id = assertionType.getID();
        // ID is a required attribute; with assertions enabled its absence is a programming error.
        if (!$assertionsDisabled && _id == null) {
            throw new AssertionError("assertion ID is required attribute");
        }
        if (_log.isDebugEnabled()) {
            _log.debug("SAML assertion attributes successfully parsed. Got issueInstant: " + new Date(_issueInstant));
        }
    }

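    /**
     * Verifies the assertion's enveloped XML signature against the given key selector.
     *
     * Changes from the previous version: the Signature element is taken only from the
     * immediate children of the assertion (document element) rather than the first
     * {@code ds:Signature} anywhere in the tree; a missing Signature yields {@code false}
     * instead of a {@link NullPointerException} from {@link DOMValidateContext}; the
     * signature must carry a reference to this assertion's ID (or an empty, whole-document
     * URI) before it is validated; and JDK secure-validation mode is requested. The ID
     * attribute is presumably registered as an XML ID by {@code markAssertionIdAttribute}
     * in the constructor, which the same-document reference relies on.
     *
     * @param keySelector selects the verification key (trust-chain based)
     * @return true when a signature covering this assertion validates
     * @throws MalformedTokenException when the signature cannot be unmarshalled or verified
     */
    private boolean validateSignature(KeySelector keySelector) throws MalformedTokenException {
        final Element signatureElement = findEnvelopedSignature(_parsedToken.getDocumentElement());
        if (signatureElement == null) {
            _log.info("SAML token has no enveloped Signature element on the assertion");
            return false;
        }
        final DOMValidateContext validateContext = new DOMValidateContext(keySelector, signatureElement);
        // Rejects XSLT transforms, weak algorithms and oversized reference lists;
        // only on by default in recent JDKs, so request it explicitly.
        validateContext.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        try {
            final XMLSignature signature = XMLSignatureFactory.getInstance().unmarshalXMLSignature(validateContext);
            if (!signatureCoversAssertion(signature)) {
                _log.info("SAML token signature does not reference the assertion ID: " + _id);
                return false;
            }
            final boolean valid = signature.validate(validateContext);
            _log.debug("SAML token signature is valid status: " + valid);
            return valid;
        } catch (XMLSignatureException e) {
            _log.error(SIGNATURE_VALIDATION_ERROR_MSG, e);
            throw new MalformedTokenException(SIGNATURE_VALIDATION_ERROR_MSG, e);
        } catch (MarshalException e2) {
            _log.error(SIGNATURE_VALIDATION_ERROR_MSG, e2);
            throw new MalformedTokenException(SIGNATURE_VALIDATION_ERROR_MSG, e2);
        }
    }

    /**
     * Returns the {@code ds:Signature} element that is a direct child of {@code assertion},
     * or null when there is none. Deeper Signature elements are ignored on purpose.
     */
    private static Element findEnvelopedSignature(Element assertion) {
        for (Node child = assertion.getFirstChild(); child != null; child = child.getNextSibling()) {
            if (child.getNodeType() == Node.ELEMENT_NODE
                    && XMLSignature.XMLNS.equals(child.getNamespaceURI())
                    && SIGNATURE_ELEMENT_NAME.equals(child.getLocalName())) {
                return (Element) child;
            }
        }
        return null;
    }

    /**
     * True when at least one signed Reference points at this assertion: either the
     * same-document reference {@code "#" + ID} or the empty URI (whole document, which
     * for a standalone assertion document is the assertion itself).
     */
    private boolean signatureCoversAssertion(XMLSignature signature) {
        final String assertionReference = "#" + _id;
        for (Object item : signature.getSignedInfo().getReferences()) {
            final String uri = ((Reference) item).getURI();
            if (assertionReference.equals(uri) || (uri != null && uri.isEmpty())) {
                return true;
            }
        }
        return false;
    }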

    /**
     * Parses token XML text into a DOM using the shared {@code xmlParserFactory}.
     * NOTE(review): external-entity and DTD handling is whatever that factory
     * configures — verify in {@code XmlParserFactory} that it is hardened, since the
     * input is untrusted.
     *
     * @param str token XML; a null input yields a null document (rejected later by the constructor)
     * @return the parsed document, or null when {@code str} is null
     * @throws MalformedTokenException when the text is not well-formed XML
     * @throws IllegalStateException   on I/O or parser-configuration failures
     */
    private static Document parseTokenXmlToDom(String str) throws MalformedTokenException {
        if (str == null) {
            return null;
        }
        final Logger log = LoggerFactory.getLogger((Class<?>) SamlTokenImpl.class);
        final InputSource source = new InputSource(new StringReader(str));
        try {
            return xmlParserFactory.newDocumentBuilder().parse(source);
        } catch (IOException ioFailure) {
            final String msg = "Error reading from in-memory stream (heap space exhausted?)";
            log.error(msg, (Throwable) ioFailure);
            throw new IllegalStateException(msg, ioFailure);
        } catch (ParserConfigurationException configFailure) {
            final String msg = "DOM Document builder is not available (incompatible Java implementation?)";
            log.error(msg, (Throwable) configFailure);
            throw new IllegalStateException(msg, configFailure);
        } catch (SAXException parseFailure) {
            log.info(PARSING_TOKEN_ERROR_MSG, (Throwable) parseFailure);
            throw new MalformedTokenException(PARSING_TOKEN_ERROR_MSG, parseFailure);
        }
    }

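    /**
     * Copies {@code element} into a new standalone document, carrying over namespace
     * declarations that were in scope on its ancestors (nearest ancestor wins).
     *
     * Fix: declarations the element itself already carries are left untouched. The
     * previous version overwrote them with the ancestor's value whenever both declared
     * the same prefix, which changes the namespace bindings of the copied assertion and
     * can alter what its signature was computed over.
     *
     * @param element the assertion element to copy
     * @return a new document whose root is a copy of {@code element}
     * @throws IllegalStateException when the identity transform is unavailable or fails
     */
    private static Document createStandaloneCopy(Element element) {
        final Map<String, String> inheritedNamespaces = collectAncestorNamespaces(element);
        final Transformer identity;
        try {
            identity = TransformerFactory.newInstance().newTransformer();
        } catch (TransformerConfigurationException e) {
            throw new IllegalStateException("Failed to create identity XML transformer. Incompatible Java platform?", e);
        }
        final DOMResult target = new DOMResult();
        try {
            identity.transform(new DOMSource(element), target);
        } catch (TransformerException e) {
            throw new IllegalStateException("Unexpected failure in Identity DOM-to-DOM transformation", e);
        }
        final Document copy = (Document) target.getNode();
        final Element root = copy.getDocumentElement();
        for (Map.Entry<String, String> decl : inheritedNamespaces.entrySet()) {
            // An xmlns declaration present on the element itself is closer in scope
            // than any ancestor's and must not be replaced.
            if (!root.hasAttribute(decl.getKey())) {
                root.setAttributeNS(XMLNS_NS_URI, decl.getKey(), decl.getValue());
            }
        }
        return copy;
    }

    /**
     * Walks the element ancestors up to the document and gathers their xmlns
     * declarations, keeping the first (nearest) declaration seen for each name.
     */
    private static Map<String, String> collectAncestorNamespaces(Element element) {
        final Map<String, String> declarations = new HashMap<String, String>();
        Node ancestor = element.getParentNode();
        while (ancestor != null && ancestor.getNodeType() == Node.ELEMENT_NODE) {
            final NamedNodeMap attributes = ancestor.getAttributes();
            for (int i = 0; i < attributes.getLength(); i++) {
                final Attr attr = (Attr) attributes.item(i);
                if (XMLNS_NS_URI.equals(attr.getNamespaceURI()) && !declarations.containsKey(attr.getName())) {
                    declarations.put(attr.getName(), attr.getValue());
                }
            }
            ancestor = ancestor.getParentNode();
        }
        return declarations;
    }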

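    /**
     * Reads the Conditions element: lifetime bounds plus the proxy, audience, renew and
     * delegation restrictions.
     *
     * Fix: NotBefore / NotOnOrAfter are reported as a malformed token when absent
     * instead of failing with a {@link NullPointerException}; both are required by the
     * lifetime validation performed later.
     *
     * NOTE(review): when several AudienceRestriction conditions are present only the
     * last one is retained (each assignment replaces the previous set); SAML treats
     * them as independent restrictions that must all hold.
     *
     * @param conditionsType the unmarshalled Conditions
     * @param bool           when true, delegate NameIDs that are not UPNs are tolerated
     * @throws MalformedTokenException when lifetime bounds are missing or delegates cannot be parsed
     */
    private void parseConditions(ConditionsType conditionsType, Boolean bool) throws MalformedTokenException {
        final XMLGregorianCalendar notBefore = conditionsType.getNotBefore();
        final XMLGregorianCalendar notOnOrAfter = conditionsType.getNotOnOrAfter();
        if (notBefore == null || notOnOrAfter == null) {
            final String msg = "Conditions must specify both NotBefore and NotOnOrAfter";
            _log.info(msg);
            throw new MalformedTokenException(msg);
        }
        final TimeZone gmt = TimeZone.getTimeZone(DEFAULT_TIME_ZONE);
        _startTime = notBefore.toGregorianCalendar(gmt, null, null).getTimeInMillis();
        _expirationTime = notOnOrAfter.toGregorianCalendar(gmt, null, null).getTimeInMillis();
        for (ConditionAbstractType condition : conditionsType.getConditionOrAudienceRestrictionOrOneTimeUseOrProxyRestriction()) {
            if (condition instanceof ProxyRestrictionType) {
                // Delegable only when an explicit positive proxy count is given.
                final BigInteger proxyCount = ((ProxyRestrictionType) condition).getCount();
                _isDelegable = proxyCount != null && proxyCount.longValue() > 0;
            } else if (condition instanceof AudienceRestrictionType) {
                final Set<String> audiences = new HashSet<String>(((AudienceRestrictionType) condition).getAudience());
                _audienceRestrictionList = Collections.unmodifiableSet(audiences);
            } else if (condition instanceof RenewRestrictionType) {
                final BigInteger renewCount = ((RenewRestrictionType) condition).getCount();
                _isRenewable = renewCount != null && renewCount.longValue() > 0;
            } else if (condition instanceof DelegationRestrictionType) {
                parseDelegationChain((DelegationRestrictionType) condition, bool);
            }
        }
        if (_log.isDebugEnabled()) {
            _log.debug("Conditions parsed successfully. Got startTime: " + new Date(_startTime) + " expirationTime: " + new Date(_expirationTime));
        }
    }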

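    /**
     * Checks the assertion lifetime against the current clock with {@code j} seconds
     * of tolerance in both directions.
     *
     * Fix: a token whose NotBefore lies in the future (beyond the tolerance) is now
     * rejected as well; previously only the ordering of the bounds and the expiry
     * were checked, so a not-yet-valid token passed.
     *
     * @param j clock tolerance in seconds
     * @throws InvalidTimingException when the bounds are inverted, the token is expired
     *                                or it is not yet valid
     */
    private void validateWithinTokenLifePeriod(long j) throws InvalidTimingException {
        final long toleranceMillis = j * MILLISECONDS_PER_SECOND;
        final long now = Calendar.getInstance(TimeZone.getTimeZone(DEFAULT_TIME_ZONE)).getTimeInMillis();
        if (_expirationTime < _startTime) {
            final String msg = "Start time / Expiration time not valid: StartTime: " + new Date(_startTime) + " ExpirationTime: " + new Date(_expirationTime);
            _log.error(msg);
            throw new InvalidTimingException(msg);
        }
        if (_expirationTime + toleranceMillis < now) {
            final String msg = "Token expiration date: " + new Date(_expirationTime) + " is in the past.";
            _log.info(msg);
            throw new InvalidTimingException(msg);
        }
        if (_startTime - toleranceMillis > now) {
            final String msg = "Token start date: " + new Date(_startTime) + " is in the future.";
            _log.info(msg);
            throw new InvalidTimingException(msg);
        }
    }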

    /**
     * Builds the delegation chain from a DelegationRestriction, sorted by delegation
     * instant (ascending). The same unmodifiable list backs both chain views.
     *
     * @param delegationRestrictionType the unmarshalled restriction
     * @param bool                      when true, delegate NameIDs that are not UPNs are tolerated
     * @throws MalformedTokenException when a delegate NameID cannot be parsed
     */
    private void parseDelegationChain(DelegationRestrictionType delegationRestrictionType, Boolean bool) throws MalformedTokenException {
        final List<TokenDelegateExImpl> delegates = new ArrayList<TokenDelegateExImpl>();
        final TimeZone gmt = TimeZone.getTimeZone(DEFAULT_TIME_ZONE);
        for (DelegateType delegate : delegationRestrictionType.getDelegate()) {
            final NameIDType nameId = delegate.getNameID();
            try {
                final SubjectNameId rawId = new SubjectNameId(nameId.getValue(), nameId.getFormat());
                final PrincipalId principal = parseSubject(nameId, bool);
                final long instant = delegate.getDelegationInstant().toGregorianCalendar(gmt, null, null).getTimeInMillis();
                delegates.add(new TokenDelegateExImpl(rawId, principal, instant));
            } catch (ParserException e) {
                _log.error(PARSE_DELEGATION_ERR_MSG, (Throwable) e);
                throw new MalformedTokenException(PARSE_DELEGATION_ERR_MSG, e);
            }
        }
        Collections.sort(delegates, new Comparator<SamlToken.TokenDelegate>() {
            @Override
            public int compare(SamlToken.TokenDelegate first, SamlToken.TokenDelegate second) {
                return Long.compare(first.getDelegationDate().getTime(), second.getDelegationDate().getTime());
            }
        });
        _delegationChainEx = Collections.unmodifiableList(delegates);
        _delegationChain = Collections.unmodifiableList(delegates);
    }

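    /**
     * Reads the Subject: the raw NameID, the UPN principal when the format is UPN,
     * and the subject confirmation (bearer or holder-of-key).
     *
     * Fix: a missing SubjectConfirmation / method, or a bearer confirmation without
     * SubjectConfirmationData, is reported as a malformed token instead of a
     * {@link NullPointerException}; format/method comparisons are null-safe.
     *
     * NOTE(review): a confirmation method other than bearer or holder-of-key is not
     * rejected here — the token is accepted with a null confirmation type and no
     * subject-confirmation expiry, as before.
     *
     * @param subjectType the unmarshalled Subject
     * @throws MalformedTokenException when the subject or its confirmation cannot be parsed
     */
    private void parseSubject(SubjectType subjectType) throws MalformedTokenException {
        final NameIDType nameId = subjectType.getNameID();
        _subjectId = getSubjectId(nameId);
        try {
            if (UPN_FORMAT_URI.equalsIgnoreCase(_subjectId.getFormat())) {
                _subjectUPN = PrincipalIdParser.parseUpn(nameId.getValue());
            }
            final SubjectConfirmationType confirmation = subjectType.getSubjectConfirmation();
            if (confirmation == null || confirmation.getMethod() == null) {
                final String msg = "Subject confirmation method is missing";
                _log.error(msg);
                throw new MalformedTokenException(msg);
            }
            final String method = confirmation.getMethod();
            if (BEARER_CONFIRMATION.equalsIgnoreCase(method)) {
                final SubjectConfirmationDataType data = confirmation.getSubjectConfirmationData();
                if (data == null) {
                    _log.error(SUBJ_CONF_DATA_NOT_FOUNT_MSG);
                    throw new MalformedTokenException(SUBJ_CONF_DATA_NOT_FOUNT_MSG);
                }
                // Checked against the assertion expiry in validateSubjectConfirmationExpDate.
                _subjConfExp = data.getNotOnOrAfter();
                _confirmationType = ConfirmationType.BEARER;
            } else if (HOLDER_OF_KEY_CONFIRMATION.equalsIgnoreCase(method)) {
                parseHolderOfKeyConfirmation(subjectType);
                _confirmationType = ConfirmationType.HOLDER_OF_KEY;
            }
            if (_log.isDebugEnabled()) {
                _log.debug(_subjectId + " successfully extracted from the token");
                _log.debug("Got confirmation type: " + _confirmationType);
            }
        } catch (ParserException e) {
            _log.debug("Cannot parse subject because its value is not in UPN format", (Throwable) e);
            throw new MalformedTokenException("Cannot parse subject because its value is not in UPN format", e);
        }
    }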

    /**
     * Reads the optional Issuer NameID; leaves {@code _issuerId} null when absent.
     *
     * @param nameIDType the unmarshalled Issuer, may be null
     * @throws MalformedTokenException when the {@link IssuerNameId} rejects the value/format
     *                                 (any failure from its constructor is wrapped)
     */
    private void parseIssuer(NameIDType nameIDType) throws MalformedTokenException {
        _issuerId = null;
        if (nameIDType == null) {
            return;
        }
        try {
            final IssuerNameId issuer = new IssuerNameId(nameIDType.getValue(), nameIDType.getFormat());
            _issuerId = issuer;
            if (_log.isDebugEnabled()) {
                _log.debug(issuer + " successfully extracted from the token");
            }
        } catch (Exception e) {
            _log.debug("Cannot parse issuer.", (Throwable) e);
            throw new MalformedTokenException("Invalid issuer.", e);
        }
    }

    /**
     * For bearer tokens, checks that the SubjectConfirmationData NotOnOrAfter does not
     * exceed the assertion's own expiry. No-op when no confirmation expiry was parsed.
     *
     * NOTE(review): only the ordering against the assertion expiry is checked here; the
     * assertion's currency against the clock is checked in validateWithinTokenLifePeriod,
     * the confirmation expiry itself is not compared with the clock.
     *
     * @throws InvalidTimingException when the confirmation expiry is later than the assertion expiry
     */
    private void validateSubjectConfirmationExpDate() throws InvalidTimingException {
        final XMLGregorianCalendar confirmationExpiry = _subjConfExp;
        if (confirmationExpiry == null) {
            return;
        }
        final TimeZone gmt = TimeZone.getTimeZone(DEFAULT_TIME_ZONE);
        final long confirmationMillis = confirmationExpiry.toGregorianCalendar(gmt, null, null).getTimeInMillis();
        if (confirmationMillis > _expirationTime) {
            final String msg = "Subject confirmation expiration time is not valid: Subject time: " + new Date(confirmationMillis) + " Token ExpirationTime: " + new Date(_expirationTime);
            _log.error(msg);
            throw new InvalidTimingException(msg);
        }
    }

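    /**
     * Parses a delegate NameID into a principal.
     *
     * In strict mode (the default) the NameID must be in UPN format and carry no
     * NameQualifier; otherwise a {@link ParserException} is thrown. In lenient mode a
     * non-UPN NameID yields null.
     *
     * Fix: a null {@code bool} is treated as strict and a null format no longer causes
     * a {@link NullPointerException} (it is simply not UPN).
     *
     * @param nameIDType the delegate NameID
     * @param bool       lenient flag; null counts as false (strict)
     * @return the UPN principal, or null in lenient mode for a non-UPN NameID
     * @throws ParserException in strict mode when the NameID is not a bare UPN, or when the UPN value cannot be parsed
     */
    private static PrincipalId parseSubject(NameIDType nameIDType, Boolean bool) throws ParserException {
        final String format = nameIDType.getFormat();
        final String nameQualifier = nameIDType.getNameQualifier();
        final boolean lenient = Boolean.TRUE.equals(bool);
        final boolean isUpn = UPN_FORMAT_URI.equalsIgnoreCase(format);
        if (!lenient && (!isUpn || nameQualifier != null)) {
            throw new ParserException(String.format("Failed to parse subject: format = '%s', name qualifier = '%s'", format, nameQualifier));
        }
        return isUpn ? PrincipalIdParser.parseUpn(nameIDType.getValue()) : null;
    }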

    /**
     * Wraps a NameID's value and format into a {@link SubjectNameId}.
     *
     * @param nameIDType the NameID; asserted non-null when assertions are enabled
     * @return the raw subject id
     */
    private static SubjectNameId getSubjectId(NameIDType nameIDType) {
        if (!$assertionsDisabled && nameIDType == null) {
            throw new AssertionError();
        }
        final String value = nameIDType.getValue();
        final String format = nameIDType.getFormat();
        return new SubjectNameId(value, format);
    }

    /**
     * Extracts the holder-of-key confirmation certificate from
     * SubjectConfirmationData/KeyInfo/X509Data/X509Certificate. Each level must hold
     * exactly one JAXB element of the expected type, otherwise no certificate is found.
     *
     * @param subjectType the unmarshalled Subject
     * @throws MalformedTokenException when the confirmation data is not KeyInfo-typed,
     *                                 no certificate is present, or it fails to decode
     */
    private void parseHolderOfKeyConfirmation(SubjectType subjectType) throws MalformedTokenException {
        final SubjectConfirmationDataType confirmationData = subjectType.getSubjectConfirmation().getSubjectConfirmationData();
        if (!(confirmationData instanceof KeyInfoConfirmationDataType)) {
            _log.error(SUBJ_CONF_DATA_WRONG_TYPE_MSG);
            throw new MalformedTokenException(SUBJ_CONF_DATA_WRONG_TYPE_MSG);
        }
        byte[] encodedCertificate = null;
        final KeyInfoType keyInfo = getTheValue(confirmationData.getContent(), KeyInfoType.class);
        if (keyInfo != null) {
            final X509DataType x509Data = getTheValue(keyInfo.getContent(), X509DataType.class);
            if (x509Data != null) {
                encodedCertificate = getTheValue(x509Data.getX509IssuerSerialOrX509SKIOrX509SubjectName(), byte[].class);
            }
        }
        if (encodedCertificate != null) {
            try {
                final CertificateFactory factory = CertificateFactory.getInstance(X509_CERT_FACTORY_TYPE);
                _confirmationCertificate = (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(encodedCertificate));
            } catch (CertificateException e) {
                _log.error(CERTIFICATE_PARSE_ERR_MSG, (Throwable) e);
                throw new MalformedTokenException(CERTIFICATE_PARSE_ERR_MSG, e);
            }
        }
        if (_confirmationCertificate == null) {
            _log.error(SUBJ_CONF_DATA_NOT_FOUNT_MSG);
            throw new MalformedTokenException(SUBJ_CONF_DATA_NOT_FOUNT_MSG);
        }
    }

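    /**
     * Returns the value of the single JAXB element in {@code list} when it is an
     * instance of {@code cls}, otherwise null.
     *
     * Fix: when the list holds no JAXB element or more than one (in which case
     * {@link #getSingleJaxbElement(List)} returns null) this now returns null rather
     * than throwing a {@link NullPointerException}.
     *
     * @param list mixed content list from a JAXB type
     * @param cls  expected value type
     * @return the typed value, or null when absent, ambiguous or of another type
     */
    private static <T> T getTheValue(List<?> list, Class<T> cls) {
        final JAXBElement<?> single = getSingleJaxbElement(list);
        if (single == null) {
            return null;
        }
        final Object value = single.getValue();
        return cls.isInstance(value) ? cls.cast(value) : null;
    }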

    /**
     * Picks out the one {@code JAXBElement} contained in a mixed content list.
     * Non-JAXBElement entries are ignored.
     *
     * @param list JAXB content list to scan
     * @return the sole JAXBElement, or null when the list holds none — or more
     *         than one (callers cannot distinguish the two cases)
     */
    private static JAXBElement<?> getSingleJaxbElement(List<?> list) {
        List<JAXBElement<?>> found = new ArrayList<JAXBElement<?>>();
        for (Object entry : list) {
            if (entry instanceof JAXBElement) {
                found.add((JAXBElement<?>) entry);
            }
        }
        // exactly one match is the only acceptable outcome
        return found.size() == 1 ? found.get(0) : null;
    }

    /**
     * Intentionally empty: the assertion's AuthnStatement elements are accepted
     * but nothing from them is recorded on this token.
     *
     * NOTE(review): any claims they carry (e.g. AuthnInstant, SessionNotOnOrAfter)
     * are therefore not examined by this class — confirm that is intended.
     *
     * @param list the assertion's statements, currently unused
     */
    private void parseAuthnStatement(List<StatementAbstractType> list) {
    }

    /**
     * Converts the assertion's RSAAdvice entries into {@code Advice} objects and
     * stores them as an unmodifiable list in {@code _advice}.
     * A missing attribute list yields an Advice with no attributes; a missing
     * attribute value list is replaced by an empty list.
     *
     * @param adviceType the unmarshalled Advice element, must not be null
     */
    private void parseAdvice(AdviceType adviceType) {
        List<Advice> advices = new ArrayList<Advice>();
        for (RSAAdviceType rsaAdvice : adviceType.getRSAAdvice()) {
            String source = rsaAdvice.getAdviceSource();
            List<Advice.AdviceAttribute> attributes = new ArrayList<Advice.AdviceAttribute>();
            if (rsaAdvice.getAttribute() != null) {
                for (AttributeType attribute : rsaAdvice.getAttribute()) {
                    List<String> values = attribute.getAttributeValue();
                    if (values == null) {
                        values = new ArrayList<String>();
                    }
                    attributes.add(new Advice.AdviceAttribute(
                            attribute.getName(), attribute.getFriendlyName(), values));
                }
            }
            advices.add(new Advice(source, attributes));
        }
        this._advice = Collections.unmodifiableList(advices);
    }

    /**
     * Reads the group-identity and is-solution attributes from every
     * AttributeStatement in {@code list}. Other attributes are ignored.
     *
     * Note that {@code _groups} is reassigned for each AttributeStatement
     * encountered, so with several statements only the groups of the last one
     * survive (original behaviour, preserved here — confirm it is intended).
     *
     * @param list the assertion's statements; null is treated as empty
     * @throws MalformedTokenException when a group id cannot be parsed, or the
     *         is-solution attribute does not carry exactly one value
     */
    private void parseAttributeStatement(List<StatementAbstractType> list) throws MalformedTokenException {
        if (list == null) {
            return;
        }
        String groupAttrName = AttributeNames.HTTP_RSA_COM_SCHEMAS_ATTR_NAMES_2009_01_GROUP_IDENTITY.value();
        String solutionAttrName = AttributeNames.HTTP_VMWARE_COM_SCHEMAS_ATTR_NAMES_2011_07_IS_SOLUTION.value();

        for (StatementAbstractType statement : list) {
            if (!(statement instanceof AttributeStatementType)) {
                continue;
            }
            List<PrincipalId> groups = new ArrayList<PrincipalId>();
            for (AttributeType attribute : ((AttributeStatementType) statement).getAttribute()) {
                String name = attribute.getName();
                if (name.equals(groupAttrName)) {
                    try {
                        groups.addAll(parseGroup(attribute.getAttributeValue()));
                        this._log.debug("Groups successfully extracted from token");
                    } catch (ParserException e) {
                        this._log.debug(PARSE_GROUPS_ERR_MSG, (Throwable) e);
                        throw new MalformedTokenException(PARSE_GROUPS_ERR_MSG, e);
                    }
                } else if (name.equals(solutionAttrName)) {
                    List<String> values = attribute.getAttributeValue();
                    // exactly one value is required; parseBoolean is lenient about its content
                    if (values == null || values.size() != 1) {
                        throw new MalformedTokenException(PARSE_ISSOLUTION_ERR_MSG);
                    }
                    this._isSolution = Boolean.parseBoolean(values.get(0));
                    this._log.debug("isSolution attribute parsed successfully from " + values + " to: " + this._isSolution);
                }
            }
            this._groups = Collections.unmodifiableList(groups);
            this._log.debug("Attribute statements successfully parsed");
        }
    }

    /**
     * Parses each textual group id into a {@code PrincipalId}.
     *
     * @param list the raw attribute values, must not be null
     * @return the parsed ids, in input order
     * @throws ParserException propagated from {@code PrincipalIdParser.parseGroupId}
     * @throws AssertionError when assertions are enabled and {@code list} is null
     */
    private static List<PrincipalId> parseGroup(List<String> list) throws ParserException {
        if (!$assertionsDisabled && list == null) {
            throw new AssertionError();
        }
        List<PrincipalId> ids = new ArrayList<PrincipalId>(list.size());
        for (String rawGroupId : list) {
            ids.add(PrincipalIdParser.parseGroupId(rawGroupId));
        }
        return ids;
    }

    /**
     * Loads the SAML XML schema bundled as a class-path resource. Runs from the
     * static initializer, so a missing or unparsable schema makes the class fail
     * to load rather than silently skipping validation.
     *
     * @return the compiled schema
     * @throws DeploymentError when the resource is absent or cannot be parsed
     */
    private static Schema loadSamlSchema() {
        String missingMsg = String.format("Schema resource `%s' is missing.", SAML_SCHEMA_FILENAME);
        try {
            return Util.loadXmlSchemaFromResource((Class<?>) SamlTokenImpl.class, SAML_SCHEMA_FILENAME);
        } catch (IllegalArgumentException missing) {
            // the resource lookup signals absence with IllegalArgumentException
            LoggerFactory.getLogger((Class<?>) SamlTokenImpl.class).error(missingMsg, (Throwable) missing);
            throw new DeploymentError(missingMsg);
        } catch (SAXException parseFailure) {
            LoggerFactory.getLogger((Class<?>) SamlTokenImpl.class).error(ERR_LOADNIG_SAML_SCHEMA, (Throwable) parseFailure);
            throw new DeploymentError(ERR_LOADNIG_SAML_SCHEMA, parseFailure);
        }
    }

    /**
     * Two tokens are equal when both are {@code SamlToken}s with the same id.
     * Only the assertion id is compared; no other content takes part.
     */
    @Override // com.vmware.vapi.saml.SamlToken
    public boolean equals(Object obj) {
        if (!(obj instanceof SamlToken)) {
            return false;
        }
        SamlToken other = (SamlToken) obj;
        return getId().equals(other.getId());
    }

    /** Consistent with {@link #equals(Object)}: derived from the assertion id alone. */
    @Override // com.vmware.vapi.saml.SamlToken
    public int hashCode() {
        final Object id = getId();
        return id.hashCode();
    }

    /**
     * Guards the token accessors: claims may only be read once the signature has
     * been validated ({@code _tokenValidated}), unless access was explicitly
     * opened via {@code _allowTokenAccess}.
     *
     * @throws IllegalStateException when neither flag is set
     */
    private void checkAccessAllowed() {
        boolean validated = this._tokenValidated.get();
        if (validated || this._allowTokenAccess.get()) {
            return;
        }
        throw new IllegalStateException("Until token signature is validated accessors cannot be used.");
    }

    /**
     * Registers the element's {@code ID} attribute as an XML ID so that a
     * signature Reference of the form {@code URI="#..."} can resolve to it.
     *
     * NOTE(review): this should only ever be applied to the assertion element the
     * signature is expected to cover; marking IDs on other elements would let a
     * same-document reference resolve somewhere else — confirm the caller does so.
     *
     * @param element the assertion element, non-null and carrying an ID attribute
     * @throws AssertionError when assertions are enabled and a precondition fails
     */
    private static void markAssertionIdAttribute(Element element) {
        // both preconditions collapsed into one check; short-circuit keeps the
        // null case from reaching hasAttribute
        if (!$assertionsDisabled && (element == null || !element.hasAttribute("ID"))) {
            throw new AssertionError();
        }
        element.setIdAttribute("ID", true);
    }

    static {
        // Decompiler-materialised flag behind the class's assert statements.
        $assertionsDisabled = !SamlTokenImpl.class.desiredAssertionStatus();
        // Fail at class load if the bundled SAML schema is missing or unparsable.
        SAML_SCHEMA = loadSamlSchema();
        // Shared parser factory; the name suggests a hardened configuration, but
        // what it disables is not visible here — see XmlParserFactory.Factory.
        xmlParserFactory = XmlParserFactory.Factory.createSecureXmlParserFactory();
    }
}
