package org.apache.sling.auth.saml2.impl;

import java.io.File;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.List;
import java.util.Objects;
import javax.jcr.RepositoryException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.sling.auth.core.AuthUtil;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.auth.saml2.AuthenticationHandlerSAML2;
import org.apache.sling.auth.saml2.AuthenticationHandlerSAML2Config;
import org.apache.sling.auth.saml2.Helpers;
import org.apache.sling.auth.saml2.SAML2RuntimeException;
import org.apache.sling.auth.saml2.Saml2User;
import org.apache.sling.auth.saml2.Saml2UserMgtService;
import org.apache.sling.auth.saml2.sp.KeyPairCredentials;
import org.apache.sling.auth.saml2.sp.SamlReason;
import org.apache.sling.auth.saml2.sp.SessionStorage;
import org.apache.sling.auth.saml2.sp.VerifySignatureCredentials;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.schema.XSString;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.decoder.MessageDecodingException;
import org.opensaml.messaging.encoder.MessageEncodingException;
import org.opensaml.saml.common.messaging.context.SAMLBindingContext;
import org.opensaml.saml.common.messaging.context.SAMLEndpointContext;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.binding.decoding.impl.HTTPPostDecoder;
import org.opensaml.saml.saml2.binding.encoding.impl.HTTPRedirectDeflateEncoder;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeValue;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.NameIDPolicy;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.saml2.core.SubjectConfirmationData;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.saml.saml2.metadata.Endpoint;
import org.opensaml.saml.saml2.metadata.SingleLogoutService;
import org.opensaml.saml.saml2.metadata.SingleSignOnService;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.Credential;
import org.opensaml.xmlsec.SignatureSigningParameters;
import org.opensaml.xmlsec.context.SecurityParametersContext;
import org.opensaml.xmlsec.encryption.support.DecryptionException;
import org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver;
import org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver;
import org.opensaml.xmlsec.signature.support.SignatureConstants;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.FrameworkUtil;
import org.osgi.framework.wiring.BundleWiring;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Modified;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.metatype.annotations.Designate;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

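/**
 * Sling {@link AuthenticationHandler} for the service-provider side of SAML 2.0 Web Browser SSO.
 *
 * <p>Flow as implemented here:
 * <ol>
 *   <li>{@link #requestCredentials} stores the requested URL in the HTTP session and redirects the
 *       browser to the IdP with an {@code AuthnRequest} (HTTP-Redirect binding, signed with the SP key
 *       when {@code saml2SPEncryptAndSign} is on). The request ID and a random RelayState are kept in
 *       the session.</li>
 *   <li>The IdP posts its {@code Response} to the ACS path. {@link #extractCredentials} decodes it,
 *       requires the RelayState to match, checks the response status, decrypts/verifies the assertion
 *       (only when {@code saml2SPEncryptAndSign} is on), validates the bearer SubjectConfirmation,
 *       the assertion Conditions and the InResponseTo against the stored request ID, then maps the
 *       assertion attributes onto a JCR user through {@link Saml2UserMgtService}.</li>
 *   <li>{@link #authenticationSucceeded} issues a {@link TokenStore} token into the session and
 *       redirects to the originally requested URL; later requests under {@code saml2Path} are
 *       authenticated from that token via {@link TokenStore#isValid}.</li>
 * </ol>
 *
 * <p>Security note: when {@code saml2SPEncryptAndSign} is disabled this handler performs <em>no</em>
 * signature verification on incoming assertions; that mode is only safe if something in front of the
 * ACS endpoint guarantees the origin of the POST.
 */
@Designate(ocd = AuthenticationHandlerSAML2Config.class, factory = true)
@Component(service = {AuthenticationHandler.class}, name = AuthenticationHandlerSAML2Impl.SERVICE_NAME, configurationPolicy = ConfigurationPolicy.REQUIRE, immediate = true, property = {"sling.servlet.methods={GET, POST}", "path={}", "authtype=SAML2", "service.description=SAML2 Authentication Handler", "service.ranking:Integer=42"})
public class AuthenticationHandlerSAML2Impl extends AbstractSamlHandler implements AuthenticationHandlerSAML2 {

    @Reference
    private Saml2UserMgtService saml2UserMgtService;
    public static final String AUTH_STORAGE_SESSION_TYPE = "session";
    public static final String AUTH_TYPE = "SAML2";
    static final String TOKEN_FILENAME = "saml2-cookie-tokens.bin";
    private SessionStorage storageAuthInfo;
    long sessionTimeout;
    private static final Logger logger = LoggerFactory.getLogger(AuthenticationHandlerSAML2Impl.class);
    static final String SERVICE_NAME = "org.apache.sling.auth.saml2.AuthenticationHandlerSAML2";
    private Credential spKeypair;
    private Credential idpVerificationCert;
    private static final String REQUEST_METHOD = "POST";
    private static final long MINUTES = 60000;
    private static final long TIMEOUT_MIN = 240;
    /** Top-level SAML 2.0 status code the IdP returns on a successful authentication. */
    private static final String STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
    private TokenStore tokenStore;

    /**
     * Applies the OSGi configuration, (re)creates the token store and, when encryption/signing is
     * enabled, loads the IdP verification certificate and the SP key pair from the configured JKS.
     *
     * @param authenticationHandlerSAML2Config the component configuration
     * @param componentContext used to locate the bundle data area for the token file
     * @throws InvalidKeyException, NoSuchAlgorithmException, IOException if the token store cannot be set up
     * @throws IllegalStateException propagated from token store initialisation
     */
    @Activate
    @Modified
    protected void activate(AuthenticationHandlerSAML2Config authenticationHandlerSAML2Config, ComponentContext componentContext) throws InvalidKeyException, NoSuchAlgorithmException, IllegalStateException, IOException {
        setConfigs(authenticationHandlerSAML2Config);
        initializeTokenStore(getTokenFile(componentContext.getBundleContext()));
        if (getSaml2SPEncryptAndSign()) {
            this.idpVerificationCert = VerifySignatureCredentials.getCredential(getJksFileLocation(), getJksStorePassword().toCharArray(), getIdpCertAlias());
            this.spKeypair = KeyPairCredentials.getCredential(getJksFileLocation(), getJksStorePassword().toCharArray(), getSpKeysAlias(), getSpKeysPassword().toCharArray());
        } else {
            // Make the weakened trust model visible in the logs: extractAssertion() below accepts
            // plaintext, unverified assertions in this mode.
            logger.warn("saml2SPEncryptAndSign is disabled: SAML assertions posted to the ACS will be accepted without decryption or signature verification");
        }
    }

    /**
     * Creates the session storage for the auth token and a {@link TokenStore} backed by {@code file}.
     * The session timeout is {@code TIMEOUT_MIN} minutes (4 hours).
     */
    void initializeTokenStore(File file) throws NoSuchAlgorithmException, InvalidKeyException, UnsupportedEncodingException {
        this.storageAuthInfo = new SessionStorage(AbstractSamlHandler.AUTHENTICATED_SESSION_ATTRIBUTE);
        this.sessionTimeout = TIMEOUT_MIN * MINUTES;
        // NOTE(review): the meaning of the boolean flag is defined in TokenStore; it is kept as the original value.
        this.tokenStore = new TokenStore(file, this.sessionTimeout, false);
    }

    TokenStore getTokenStore() {
        return this.tokenStore;
    }

    Credential getSpKeypair() {
        return this.spKeypair;
    }

    Credential getIdpVerificationCert() {
        return this.idpVerificationCert;
    }

    SessionStorage getStorageAuthInfo() {
        return this.storageAuthInfo;
    }

    /**
     * Entry point called by the Sling authenticator on every request.
     *
     * @return credentials for the ACS POST or for a request under {@code saml2Path} that carries a
     *         valid session token; {@code null} when this handler has nothing to say; and
     *         {@link AuthenticationInfo#FAIL_AUTH} when a validate request carries an expired token
     */
    @Override
    public AuthenticationInfo extractCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (!getSaml2SPEnabled()) {
            return null;
        }
        String requestURI = httpServletRequest.getRequestURI();
        if (requestURI.equals(getAcsPath())) {
            return processAssertionConsumerService(httpServletRequest);
        }
        String saml2Path = getSaml2Path();
        if (saml2Path.isEmpty() || !requestURI.startsWith(saml2Path)) {
            return null;
        }
        String token = getStorageAuthInfo().getString(httpServletRequest);
        if (token == null) {
            return null;
        }
        if (this.tokenStore.isValid(token)) {
            return buildAuthInfo(token);
        }
        // Token present but no longer valid: drop it and, for explicit validate requests, report the timeout.
        clearSessionAttributes(httpServletRequest);
        if (!AuthUtil.isValidateRequest(httpServletRequest)) {
            return null;
        }
        httpServletRequest.setAttribute("j_reason", SamlReason.TIMEOUT);
        return AuthenticationInfo.FAIL_AUTH;
    }

    private void clearSessionAttributes(HttpServletRequest httpServletRequest) {
        getStorageAuthInfo().clear(httpServletRequest);
    }

    /**
     * Handles the IdP's POST to the assertion consumer service.
     *
     * <p>Order of checks: decode, RelayState, message type, response status, assertion
     * extraction (decrypt + signature when configured), subject confirmation / conditions,
     * user mapping. The stored AuthnRequest ID and RelayState are cleared once the response has
     * been examined so the same Response cannot be replayed against this session.
     *
     * @return the authenticated user's credentials, or {@code null} if any check fails
     */
    private AuthenticationInfo processAssertionConsumerService(HttpServletRequest httpServletRequest) {
        doClassloading();
        MessageContext messageContext = decodeHttpPostSamlResp(httpServletRequest);
        if (!validateRelayState(httpServletRequest, messageContext)) {
            logger.error("SAML2 RelayState does not match the value issued for this session");
            return null;
        }
        try {
            Object message = messageContext.getMessage();
            if (!(message instanceof Response)) {
                logger.error("Decoded SAML message is not a Response");
                return null;
            }
            Response response = (Response) message;
            if (!isSuccessStatus(response)) {
                logger.error("SAML2 Response status is not Success");
                return null;
            }
            Assertion assertion = extractAssertion(response);
            if (assertion == null) {
                return null;
            }
            if (!validateSaml2Conditions(httpServletRequest, assertion)) {
                logger.error("Validation of SubjectConfirmation failed");
                return null;
            }
            User user = doUserManagement(assertion);
            if (user == null) {
                logger.error("SAML2 user management did not yield a user");
                return null;
            }
            return buildAuthInfo(user);
        } finally {
            // One-time values: whatever the outcome, a second POST of this Response must not validate.
            clearAuthnRequestState(httpServletRequest);
        }
    }

    /** True when the response carries a top-level status code of Success. */
    private static boolean isSuccessStatus(Response response) {
        return response.getStatus() != null
                && response.getStatus().getStatusCode() != null
                && STATUS_SUCCESS.equals(response.getStatus().getStatusCode().getValue());
    }

    /**
     * Picks the assertion to authenticate from.
     *
     * <p>With {@code saml2SPEncryptAndSign} on, only the first {@code EncryptedAssertion} is used
     * (any plaintext assertions are ignored), and it must carry a valid signature from the configured
     * IdP certificate. With it off, the first plaintext assertion is taken as-is — nothing about its
     * origin is verified.
     *
     * @return the assertion, or {@code null} when the response carries none
     */
    private Assertion extractAssertion(Response response) {
        if (getSaml2SPEncryptAndSign()) {
            List<EncryptedAssertion> encryptedAssertions = response.getEncryptedAssertions();
            if (encryptedAssertions.isEmpty()) {
                logger.error("SAML2 Response carries no EncryptedAssertion although encryption and signing are required");
                return null;
            }
            Assertion assertion = decryptAssertion(encryptedAssertions.get(0));
            verifyAssertionSignature(assertion);
            return assertion;
        }
        List<Assertion> assertions = response.getAssertions();
        if (assertions.isEmpty()) {
            logger.error("SAML2 Response carries no Assertion");
            return null;
        }
        return assertions.get(0);
    }

    /** Drops the pending AuthnRequest ID and RelayState from the HTTP session. */
    private void clearAuthnRequestState(HttpServletRequest httpServletRequest) {
        new SessionStorage(AbstractSamlHandler.SAML2_REQUEST_ID).clear(httpServletRequest);
        new SessionStorage(getSaml2SessionAttr()).clear(httpServletRequest);
    }

    /**
     * Starts the login: remembers the requested URL and redirects to the IdP.
     *
     * @return {@code true} if a redirect was sent, {@code false} if another handler was requested
     *         via {@code sling:authRequestLogin} or SAML2 is disabled
     */
    @Override
    public boolean requestCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        if (ignoreRequestCredentials(httpServletRequest) || !getSaml2SPEnabled()) {
            return false;
        }
        doClassloading();
        setGotoURLOnSession(httpServletRequest);
        redirectUserForAuthentication(httpServletRequest, httpServletResponse);
        return true;
    }

    /**
     * Points the thread context class loader at this bundle so OpenSAML can locate its providers.
     * NOTE(review): the previous loader is not restored; on a pooled container thread the change
     * outlives this request. Wrapping the callers in try/finally would contain it — confirm nothing
     * downstream depends on the leaked loader before changing it.
     */
    void doClassloading() {
        Thread.currentThread().setContextClassLoader(((BundleWiring) FrameworkUtil.getBundle(AuthenticationHandlerSAML2Impl.class).adapt(BundleWiring.class)).getClassLoader());
    }

    /**
     * Stores the URL of the current request so {@link #redirectToGotoURL} can return to it after login.
     * NOTE(review): {@code getRequestURL()} is reconstructed from the Host header; if the container or
     * proxy does not validate Host, a forged header on the initial request steers the post-login redirect.
     */
    private void setGotoURLOnSession(HttpServletRequest httpServletRequest) {
        new SessionStorage(AbstractSamlHandler.GOTO_URL_SESSION_ATTRIBUTE).setString(httpServletRequest, httpServletRequest.getRequestURL().toString());
    }

    private void redirectUserForAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        redirectUserWithRequest(httpServletRequest, httpServletResponse, buildAuthnRequest());
    }

    /** True when the request explicitly asks for a different handler via {@code sling:authRequestLogin}. */
    boolean ignoreRequestCredentials(HttpServletRequest httpServletRequest) {
        String requested = httpServletRequest.getParameter("sling:authRequestLogin");
        return requested != null && !AUTH_TYPE.equals(requested);
    }

    /**
     * Encodes {@code requestAbstractType} with the HTTP-Redirect (DEFLATE) binding and sends the redirect.
     * For an {@link AuthnRequest} the RelayState and request ID are first stored in the session and the
     * IdP SSO endpoint is used as destination. The message is signed with the SP key pair when one is
     * loaded (no key pair — the encrypt/sign option off — means an unsigned request).
     *
     * @throws SAML2RuntimeException if the encoder cannot be initialised or the message cannot be encoded
     */
    private void redirectUserWithRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, RequestAbstractType requestAbstractType) {
        MessageContext messageContext = new MessageContext();
        messageContext.setMessage(requestAbstractType);
        SAMLBindingContext bindingContext = (SAMLBindingContext) messageContext.getSubcontext(SAMLBindingContext.class, true);
        SAMLPeerEntityContext peerContext = (SAMLPeerEntityContext) messageContext.getSubcontext(SAMLPeerEntityContext.class, true);
        SAMLEndpointContext endpointContext = (SAMLEndpointContext) peerContext.getSubcontext(SAMLEndpointContext.class, true);
        if (requestAbstractType instanceof AuthnRequest) {
            setRelayStateOnSession(httpServletRequest, bindingContext);
            setRequestIDOnSession(httpServletRequest, (AuthnRequest) requestAbstractType);
            endpointContext.setEndpoint(getIPDEndpoint());
        }
        SignatureSigningParameters signingParameters = new SignatureSigningParameters();
        signingParameters.setSigningCredential(getSpKeypair());
        signingParameters.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        SecurityParametersContext securityContext = (SecurityParametersContext) messageContext.getSubcontext(SecurityParametersContext.class, true);
        securityContext.setSignatureSigningParameters(signingParameters);
        HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder();
        encoder.setMessageContext(messageContext);
        encoder.setHttpServletResponse(httpServletResponse);
        try {
            encoder.initialize();
        } catch (ComponentInitializationException e) {
            throw new SAML2RuntimeException(e);
        }
        logger.info("Request: {}", requestAbstractType.getClass());
        logger.info("Redirecting to IDP");
        try {
            encoder.encode();
        } catch (MessageEncodingException e) {
            throw new SAML2RuntimeException(e);
        }
    }

    /** IdP single sign-on endpoint (HTTP-Redirect binding) at the configured IdP destination. */
    Endpoint getIPDEndpoint() {
        SingleSignOnService sso = (SingleSignOnService) Helpers.buildSAMLObject(SingleSignOnService.class);
        sso.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
        sso.setLocation(getSaml2IDPDestination());
        return sso;
    }

    /**
     * Single logout endpoint at the configured logout URL. Not referenced elsewhere in this class.
     * NOTE(review): the PAOS binding is the ECP (reverse SOAP) binding; it looks unexpected for an SLO
     * endpoint — confirm against the IdP metadata before relying on it.
     */
    Endpoint getSLOEndpoint() {
        SingleLogoutService slo = (SingleLogoutService) Helpers.buildSAMLObject(SingleLogoutService.class);
        slo.setBinding(SAMLConstants.SAML2_PAOS_BINDING_URI);
        slo.setLocation(getSaml2LogoutURL());
        return slo;
    }

    /**
     * Builds the AuthnRequest: fresh issue instant and secure-random ID, the IdP destination, the
     * HTTP-POST binding and this SP's ACS URL for the response, our entity ID as issuer.
     */
    AuthnRequest buildAuthnRequest() {
        AuthnRequest authnRequest = (AuthnRequest) Helpers.buildSAMLObject(AuthnRequest.class);
        authnRequest.setIssueInstant(Instant.now());
        authnRequest.setDestination(getSaml2IDPDestination());
        authnRequest.setProtocolBinding(SAMLConstants.SAML2_POST_BINDING_URI);
        authnRequest.setAssertionConsumerServiceURL(getACSURL());
        authnRequest.setID(Helpers.generateSecureRandomId());
        authnRequest.setIssuer(buildIssuer());
        authnRequest.setNameIDPolicy(buildNameIdPolicy());
        return authnRequest;
    }

    Issuer buildIssuer() {
        Issuer issuer = (Issuer) Helpers.buildSAMLObject(Issuer.class);
        issuer.setValue(getEntityID());
        return issuer;
    }

    /** NameID policy: format unspecified, IdP may create an identifier. */
    NameIDPolicy buildNameIdPolicy() {
        NameIDPolicy policy = (NameIDPolicy) Helpers.buildSAMLObject(NameIDPolicy.class);
        policy.setAllowCreate((Boolean) true);
        policy.setFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
        return policy;
    }

    /**
     * Decodes the HTTP-POST-bound SAML message of {@code httpServletRequest}.
     *
     * @throws SAML2RuntimeException if the decoder cannot be initialised or the message is undecodable
     */
    MessageContext decodeHttpPostSamlResp(HttpServletRequest httpServletRequest) {
        HTTPPostDecoder decoder = new HTTPPostDecoder();
        decoder.setParserPool(XMLObjectProviderRegistrySupport.getParserPool());
        decoder.setHttpServletRequest(httpServletRequest);
        try {
            decoder.initialize();
            decoder.decode();
        } catch (ComponentInitializationException e) {
            throw new SAML2RuntimeException(e);
        } catch (MessageDecodingException e) {
            logger.error("MessageDecodingException");
            throw new SAML2RuntimeException(e);
        }
        return decoder.getMessageContext();
    }

    /**
     * Decrypts {@code encryptedAssertion} with the SP private key (the encrypted key is expected inline).
     * The decrypted element is rooted in a new document, which the signature validation that follows
     * relies on.
     *
     * @throws SAML2RuntimeException on any decryption failure
     */
    private Assertion decryptAssertion(EncryptedAssertion encryptedAssertion) {
        Decrypter decrypter = new Decrypter(null, new StaticKeyInfoCredentialResolver(getSpKeypair()), new InlineEncryptedKeyResolver());
        decrypter.setRootInNewDocument(true);
        try {
            return decrypter.decrypt(encryptedAssertion);
        } catch (DecryptionException e) {
            throw new SAML2RuntimeException(e);
        }
    }

    /**
     * Requires a signature on the assertion, checks it against the SAML signature profile and verifies
     * it with the configured IdP certificate. Fails closed when no certificate is loaded.
     *
     * @throws SAML2RuntimeException if the assertion is unsigned, no IdP certificate is loaded, or
     *         the signature does not validate
     */
    private void verifyAssertionSignature(Assertion assertion) {
        if (!assertion.isSigned()) {
            logger.error("Halting");
            throw new SAML2RuntimeException("The SAML Assertion was not signed!");
        }
        Credential verificationCert = getIdpVerificationCert();
        if (verificationCert == null) {
            throw new SAML2RuntimeException("No IdP verification certificate is loaded; cannot verify the SAML Assertion signature");
        }
        try {
            new SAMLSignatureProfileValidator().validate(assertion.getSignature());
            SignatureValidator.validate(assertion.getSignature(), verificationCert);
            logger.info("SAML Assertion signature verified");
        } catch (SignatureException e) {
            throw new SAML2RuntimeException("SAML Assertion signature problem", e);
        }
    }

    /**
     * Maps the attributes of the assertion's first AttributeStatement onto a {@link Saml2User} and
     * creates/updates the corresponding JCR user through {@link Saml2UserMgtService}.
     *
     * @return the JCR user, or {@code null} when the assertion has no attributes or the user
     *         management service could not be set up
     * @throws SAML2RuntimeException when no value for the configured user ID attribute was found
     */
    User doUserManagement(Assertion assertion) {
        if (assertion == null || assertion.getAttributeStatements().isEmpty()
                || assertion.getAttributeStatements().get(0).getAttributes().isEmpty()) {
            logger.warn("SAML Assertion Attribute Statement or Attributes was null ");
            return null;
        }
        Saml2User saml2User = new Saml2User();
        // Only the first AttributeStatement is consulted.
        for (Attribute attribute : assertion.getAttributeStatements().get(0).getAttributes()) {
            String attrName = attribute.getName();
            if (attrName == null) {
                continue;
            }
            if (attrName.equals(getSaml2userIDAttr())) {
                setUserId(attribute, saml2User);
            } else if (attrName.equals(getSaml2groupMembershipAttr())) {
                setGroupMembership(attribute, saml2User);
            } else if (getSyncAttrMap() != null && getSyncAttrMap().containsKey(attrName)) {
                syncUserAttributes(attribute, saml2User, getSyncAttrMap().get(attrName));
            }
        }
        boolean serviceReady = this.saml2UserMgtService.setUp();
        if (saml2User.getId() == null) {
            this.saml2UserMgtService.cleanUp();
            throw new SAML2RuntimeException("SAML2 User ID attribute name (saml2userIDAttr) is not correctly configured.");
        }
        if (!serviceReady) {
            this.saml2UserMgtService.cleanUp();
            return null;
        }
        String userHome = getSaml2userHome();
        User user = (!Objects.nonNull(userHome) || userHome.isEmpty())
                ? this.saml2UserMgtService.getOrCreateSamlUser(saml2User)
                : this.saml2UserMgtService.getOrCreateSamlUser(saml2User, userHome);
        this.saml2UserMgtService.updateGroupMembership(saml2User);
        this.saml2UserMgtService.updateUserProperties(saml2User);
        // No cleanUp() on this path (as before): the returned User is read by buildAuthInfo afterwards.
        return user;
    }

    /** Takes the user ID from the attribute; with several values the last non-null one wins. */
    private void setUserId(Attribute attribute, Saml2User saml2User) {
        logger.debug("username attr name: {}", attribute.getName());
        for (XMLObject value : attribute.getAttributeValues()) {
            if (value instanceof AttributeValue && ((AttributeValue) value).getTextContent() != null) {
                saml2User.setId(((AttributeValue) value).getTextContent());
                logger.debug("username value: {}", saml2User.getId());
            } else if (value instanceof XSString && ((XSString) value).getValue() != null) {
                saml2User.setId(((XSString) value).getValue());
                logger.debug("username value: {}", saml2User.getId());
            }
        }
    }

    /** Adds every xs:string value of the attribute as a group membership; other value types are skipped. */
    private void setGroupMembership(Attribute attribute, Saml2User saml2User) {
        logger.debug("group attr name: {}", attribute.getName());
        for (XMLObject value : attribute.getAttributeValues()) {
            if (value instanceof XSString && ((XSString) value).getValue() != null) {
                String group = ((XSString) value).getValue();
                saml2User.addGroupMembership(group);
                logger.debug("managed group added: {}", group);
            } else {
                logger.debug("ignoring non-string group membership value of type {}", value == null ? null : value.getClass());
            }
        }
    }

    /** Records each xs:string value of the attribute under the mapped property name {@code propertyName}. */
    private void syncUserAttributes(Attribute attribute, Saml2User saml2User, String propertyName) {
        for (XMLObject value : attribute.getAttributeValues()) {
            if (value instanceof XSString && ((XSString) value).getValue() != null) {
                saml2User.addUserProperty(propertyName, value);
                logger.debug("sync attr name: {}", propertyName);
                logger.debug("attribute value: {}", ((XSString) value).getValue());
            }
        }
    }

    /**
     * Builds the credentials for a freshly mapped JCR user.
     *
     * @return the credentials, or {@code null} if {@code user} is {@code null}
     * @throws SAML2RuntimeException if the user ID cannot be read from the repository
     */
    AuthenticationInfo buildAuthInfo(User user) {
        if (user == null) {
            return null;
        }
        try {
            String userId = user.getID();
            AuthenticationInfo authenticationInfo = new AuthenticationInfo(AUTH_TYPE, userId);
            authenticationInfo.put("user.jcr.credentials", new Saml2Credentials(userId));
            return authenticationInfo;
        } catch (RepositoryException e) {
            logger.error("failed to build Authentication Info");
            throw new SAML2RuntimeException((Throwable) e);
        }
    }

    /**
     * Builds the credentials from a session token (already validated by the caller).
     *
     * @return the credentials, or {@code null} if no user ID can be read from the token
     */
    AuthenticationInfo buildAuthInfo(String token) {
        String userId = getUserId(token);
        if (userId == null) {
            return null;
        }
        AuthenticationInfo authenticationInfo = new AuthenticationInfo(AUTH_TYPE, userId);
        authenticationInfo.put("user.jcr.credentials", new Saml2Credentials(userId));
        return authenticationInfo;
    }

    /** Generates a 130-bit secure-random RelayState, sets it on the binding and stores it in the session. */
    private void setRelayStateOnSession(HttpServletRequest httpServletRequest, SAMLBindingContext bindingContext) {
        String relayState = new BigInteger(130, new SecureRandom()).toString(32);
        bindingContext.setRelayState(relayState);
        new SessionStorage(getSaml2SessionAttr()).setString(httpServletRequest, relayState);
    }

    private void setRequestIDOnSession(HttpServletRequest httpServletRequest, AuthnRequest authnRequest) {
        new SessionStorage(AbstractSamlHandler.SAML2_REQUEST_ID).setString(httpServletRequest, authnRequest.getID());
    }

    /** True only if a RelayState was stored in this session and the posted one equals it. */
    private boolean validateRelayState(HttpServletRequest httpServletRequest, MessageContext messageContext) {
        SAMLBindingContext bindingContext = (SAMLBindingContext) messageContext.getSubcontext(SAMLBindingContext.class, true);
        String posted = bindingContext.getRelayState();
        String expected = new SessionStorage(getSaml2SessionAttr()).getString(httpServletRequest);
        if (expected == null || expected.isEmpty()) {
            return false;
        }
        return expected.equals(posted);
    }

    /**
     * Validates the assertion against this SP and the pending AuthnRequest: at least one
     * {@code bearer} SubjectConfirmation must be unexpired, addressed to our ACS URL and reference the
     * stored request ID; the assertion Conditions (validity window, AudienceRestriction) must hold.
     *
     * @return {@code true} if every check passes
     */
    private boolean validateSaml2Conditions(HttpServletRequest httpServletRequest, Assertion assertion) {
        if (assertion.getSubject() == null) {
            logger.error("SAML2 Assertion has no Subject");
            return false;
        }
        String expectedInResponseTo = new SessionStorage(AbstractSamlHandler.SAML2_REQUEST_ID).getString(httpServletRequest);
        if (expectedInResponseTo == null || expectedInResponseTo.isEmpty()) {
            logger.error("SAML2 Subject Confirmation failed validation: no pending AuthnRequest ID in session.");
            return false;
        }
        Instant now = Instant.now();
        List<SubjectConfirmation> subjectConfirmations = assertion.getSubject().getSubjectConfirmations();
        boolean confirmed = false;
        for (SubjectConfirmation subjectConfirmation : subjectConfirmations) {
            if (validateBearerConfirmation(subjectConfirmation, expectedInResponseTo, now)) {
                confirmed = true;
                break;
            }
        }
        if (!confirmed) {
            logger.error("SAML2 Subject Confirmation failed validation: no valid bearer confirmation.");
            return false;
        }
        return validateAssertionConditions(assertion, now);
    }

    /**
     * Checks one SubjectConfirmation. Non-bearer confirmations are skipped; a bearer one must carry
     * SubjectConfirmationData with a future NotOnOrAfter, a Recipient equal to our ACS URL and an
     * InResponseTo equal to {@code expectedInResponseTo}. A NotBefore, if present, must have passed.
     */
    private boolean validateBearerConfirmation(SubjectConfirmation subjectConfirmation, String expectedInResponseTo, Instant now) {
        if (!SubjectConfirmation.METHOD_BEARER.equals(subjectConfirmation.getMethod())) {
            logger.debug("Skipping SubjectConfirmation with method {}", subjectConfirmation.getMethod());
            return false;
        }
        SubjectConfirmationData data = subjectConfirmation.getSubjectConfirmationData();
        if (data == null) {
            logger.error("SAML2 Subject Confirmation failed validation: missing SubjectConfirmationData.");
            return false;
        }
        boolean valid = true;
        if (data.getNotOnOrAfter() == null || !data.getNotOnOrAfter().isAfter(now)) {
            logger.error("SAML2 Subject Confirmation failed validation: Expired.");
            valid = false;
        }
        if (data.getNotBefore() != null && data.getNotBefore().isAfter(now)) {
            logger.error("SAML2 Subject Confirmation failed validation: Not yet valid.");
            valid = false;
        }
        if (!getACSURL().equals(data.getRecipient())) {
            logger.error("SAML2 Subject Confirmation failed validation: Invalid Recipient.");
            valid = false;
        }
        if (!expectedInResponseTo.equals(data.getInResponseTo())) {
            logger.error("SAML2 Subject Confirmation failed validation: InResponseTo does not match the pending AuthnRequest ID.");
            valid = false;
        }
        return valid;
    }

    /**
     * Enforces the assertion's Conditions element when present: NotBefore/NotOnOrAfter against
     * {@code now}, and — when AudienceRestrictions are given — every restriction must list this SP's
     * entity ID. An assertion without Conditions passes.
     */
    private boolean validateAssertionConditions(Assertion assertion, Instant now) {
        if (assertion.getConditions() == null) {
            return true;
        }
        Instant notBefore = assertion.getConditions().getNotBefore();
        if (notBefore != null && notBefore.isAfter(now)) {
            logger.error("SAML2 Conditions failed validation: Not yet valid.");
            return false;
        }
        Instant notOnOrAfter = assertion.getConditions().getNotOnOrAfter();
        if (notOnOrAfter != null && !notOnOrAfter.isAfter(now)) {
            logger.error("SAML2 Conditions failed validation: Expired.");
            return false;
        }
        if (!assertion.getConditions().getAudienceRestrictions().isEmpty()) {
            String entityId = getEntityID();
            // Each AudienceRestriction is a separate condition; within one, any listed audience satisfies it.
            boolean audienceOk = entityId != null && assertion.getConditions().getAudienceRestrictions().stream()
                    .allMatch(restriction -> restriction.getAudiences().stream()
                            .anyMatch(audience -> entityId.equals(audience.getURI())));
            if (!audienceOk) {
                logger.error("SAML2 Conditions failed validation: this SP ({}) is not an allowed audience.", entityId);
                return false;
            }
        }
        return true;
    }

    /**
     * Sends the browser back to the URL stored by {@link #setGotoURLOnSession}; falls back to the
     * context root when nothing was stored (e.g. the session was recreated mid-login).
     */
    private void redirectToGotoURL(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String target = (String) httpServletRequest.getSession().getAttribute(AbstractSamlHandler.GOTO_URL_SESSION_ATTRIBUTE);
        if (target == null || target.isEmpty()) {
            target = httpServletRequest.getContextPath() + "/";
            logger.warn("No goto URL stored in session; redirecting to {}", target);
        }
        logger.info("Redirecting to requested URL: {}", target);
        try {
            httpServletResponse.sendRedirect(target);
        } catch (IOException e) {
            throw new SAML2RuntimeException(e);
        }
    }

    /** Clears the session token and, when a logout URL is configured, redirects to it. */
    @Override
    public void dropCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        clearSessionAttributes(httpServletRequest);
        String logoutUrl = getSaml2LogoutURL();
        if (logoutUrl == null || logoutUrl.isEmpty()) {
            return;
        }
        httpServletResponse.sendRedirect(logoutUrl);
    }

    public void authenticationFailed(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationInfo authenticationInfo) {
        clearSessionAttributes(httpServletRequest);
        httpServletRequest.setAttribute("j_reason", SamlReason.INVALID_CREDENTIALS);
    }

    /**
     * Refreshes the session token and, for the ACS POST itself, redirects to the goto URL.
     *
     * @return {@code true} if a redirect was sent (the response is complete), else {@code false}
     */
    public boolean authenticationSucceeded(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationInfo authenticationInfo) {
        refreshAuthData(httpServletRequest, httpServletResponse, authenticationInfo);
        boolean isAcsPost = REQUEST_METHOD.equals(httpServletRequest.getMethod())
                && httpServletRequest.getRequestURI().endsWith(getAcsPath());
        if (!isAcsPost) {
            return false;
        }
        redirectToGotoURL(httpServletRequest, httpServletResponse);
        return true;
    }

    /**
     * Issues a new session token (expiry = now + sessionTimeout) when none is stored or the stored
     * one has passed its expiry; a token the store refuses to encode clears the session instead.
     *
     * @throws SAML2RuntimeException if the token store fails to encode
     */
    void refreshAuthData(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationInfo authenticationInfo) {
        if (!needsRefresh(getStorageAuthInfo().getString(httpServletRequest))) {
            return;
        }
        try {
            String token = this.tokenStore.encode(System.currentTimeMillis() + this.sessionTimeout, authenticationInfo.getUser());
            if (token == null) {
                clearSessionAttributes(httpServletRequest);
            } else {
                getStorageAuthInfo().setString(httpServletRequest, token);
            }
        } catch (UnsupportedEncodingException | IllegalStateException | InvalidKeyException | NoSuchAlgorithmException e) {
            throw new SAML2RuntimeException(e);
        }
    }

    /**
     * Decides whether the stored token must be re-issued: yes when absent, when its expiry (second
     * part of the token, first character dropped — format owned by {@link TokenStore}) has passed,
     * or when that part is malformed; no when the token does not split into three parts.
     */
    boolean needsRefresh(String token) {
        if (token == null) {
            return true;
        }
        String[] parts = TokenStore.split(token);
        if (parts == null || parts.length != 3) {
            return false;
        }
        try {
            return System.currentTimeMillis() > Long.parseLong(parts[1].substring(1));
        } catch (NumberFormatException | IndexOutOfBoundsException e) {
            logger.warn("Malformed expiry in stored session token; forcing refresh");
            return true;
        }
    }

    /** Third part of a token as produced by {@link TokenStore#split}, or {@code null} if not available. */
    String getUserId(String token) {
        if (token == null) {
            return null;
        }
        String[] parts = TokenStore.split(token);
        if (parts == null || parts.length < 3) {
            return null;
        }
        return parts[2];
    }

    /**
     * Location of the token file: the bundle's data area, else {@code sling.home}, else the working directory.
     */
    File getTokenFile(BundleContext bundleContext) {
        File tokenFile = bundleContext.getDataFile(TOKEN_FILENAME);
        if (tokenFile == null) {
            String slingHome = bundleContext.getProperty("sling.home");
            tokenFile = slingHome == null ? new File(TOKEN_FILENAME) : new File(slingHome, TOKEN_FILENAME);
        }
        return tokenFile.getAbsoluteFile();
    }
}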
