package org.owasp.webscarab.plugin.saml;

import flex.messaging.io.amf.client.AMFConnection;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.apache.xerces.impl.xs.SchemaSymbols;
import org.apache.xml.security.exceptions.Base64DecodingException;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.content.X509Data;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Base64;
import org.apache.xml.security.utils.Constants;
import org.owasp.webscarab.httpclient.HTTPClient;
import org.owasp.webscarab.model.NamedValue;
import org.owasp.webscarab.model.Request;
import org.owasp.webscarab.model.Response;
import org.owasp.webscarab.util.Encoding;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

/* loaded from: input_file:main/WebScarab-1.0.0-SNAPSHOT.jar:org/owasp/webscarab/plugin/saml/SamlHTTPClient.class */
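/**
 * {@link HTTPClient} decorator used by the WebScarab SAML plugin.
 *
 * <p>When {@link SamlProxyConfig#doSomething()} is true, the {@code RelayState} and
 * {@code SAMLResponse} fields of an outgoing form POST are rewritten according to the
 * configured test options before the request is handed to the wrapped client. The steps
 * that were applied are listed in an {@code X-SAMLProxy} header added to that same
 * request, so the marker travels with the request to the wrapped client.
 *
 * <p>SAML messages are handled in their wire form throughout: URL-encoded Base64 of the
 * XML document.
 */
public class SamlHTTPClient implements HTTPClient {
    private static final String XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    private static final String SAML1_ASSERTION_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    private static final String SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    private final Logger _logger = Logger.getLogger(getClass().getName());
    private final HTTPClient in;
    private final SamlProxyConfig samlProxyConfig;

    /**
     * @param hTTPClient      client that actually performs the request
     * @param samlProxyConfig switches and values that drive the rewriting
     */
    public SamlHTTPClient(HTTPClient hTTPClient, SamlProxyConfig samlProxyConfig) {
        this.in = hTTPClient;
        this.samlProxyConfig = samlProxyConfig;
    }

    /**
     * Rewrites the request if the configuration asks for it, then delegates to the wrapped client.
     *
     * @param request the outgoing request; may be modified in place
     * @return whatever the wrapped client returns
     * @throws IOException propagated from the wrapped client
     */
    @Override // org.owasp.webscarab.httpclient.HTTPClient
    public Response fetchResponse(Request request) throws IOException {
        if (this.samlProxyConfig.doSomething()) {
            changeSamlResponse(request);
        }
        return this.in.fetchResponse(request);
    }

    /**
     * Applies the configured steps to a form-encoded POST body.
     *
     * <p>Requests that are not POST, do not carry exactly the content type
     * {@code application/x-www-form-urlencoded}, or have no body are left untouched. The body
     * is only rewritten when a {@code SAMLResponse} field was present.
     */
    private void changeSamlResponse(Request request) {
        if (!"POST".equals(request.getMethod())) {
            return;
        }
        String contentType = request.getHeader("Content-Type");
        if (contentType == null || !"application/x-www-form-urlencoded".equals(contentType)) {
            return;
        }
        byte[] content = request.getContent();
        if (content == null || content.length == 0) {
            return;
        }
        // NOTE(review): body is decoded and re-encoded with the platform charset; a form-encoded
        // body is expected to be ASCII, so this should be lossless. Confirm for your deployment.
        NamedValue[] params = NamedValue.splitNamedValues(new String(content), "&", AMFConnection.COOKIE_NAMEVALUE_SEPERATOR);
        boolean samlResponseSeen = false;
        StringBuilder applied = new StringBuilder();
        for (int i = 0; i < params.length; i++) {
            String name = params[i].getName();
            if ("RelayState".equals(name) && this.samlProxyConfig.doInjectRelayState()) {
                params[i] = new NamedValue(name, getInjectedRelayState());
                applied.append("injected relay state;");
            }
            if (!"SAMLResponse".equals(name)) {
                continue;
            }
            samlResponseSeen = true;
            try {
                // Steps are chained: each one works on the value left behind by the previous one.
                if (this.samlProxyConfig.doReplay()) {
                    params[i] = new NamedValue(name, replaySamlResponse());
                    applied.append("replayed;");
                }
                if (this.samlProxyConfig.doInjectAttribute()) {
                    params[i] = new NamedValue(name, injectAttribute(params[i].getValue()));
                    applied.append("injected attribute;");
                }
                if (this.samlProxyConfig.doInjectSubject()) {
                    params[i] = new NamedValue(name, injectSubject(params[i].getValue()));
                    applied.append("injected subject;");
                }
                if (this.samlProxyConfig.doInjectPublicDoctype()) {
                    params[i] = new NamedValue(name, injectPublicDoctype(params[i].getValue()));
                    applied.append("injected public doctype;");
                }
                // Signing, signature removal and signature tampering exclude one another in that
                // order of precedence; the remote reference is only considered in the last case.
                if (this.samlProxyConfig.doSignSamlMessage()) {
                    params[i] = new NamedValue(name, signSamlMessage(params[i].getValue()));
                    applied.append("sign;");
                } else if (this.samlProxyConfig.doRemoveSignature()) {
                    params[i] = new NamedValue(name, removeSamlResponseSignature(params[i].getValue()));
                    applied.append("removed signature;");
                } else {
                    if (this.samlProxyConfig.doCorruptSignature()) {
                        params[i] = new NamedValue(name, corruptSamlResponseSignature(params[i].getValue()));
                        applied.append("corrupted signature;");
                    }
                    if (this.samlProxyConfig.doInjectRemoteReference()) {
                        params[i] = new NamedValue(name, injectRemoteReference(params[i].getValue()));
                        applied.append("injected remote reference;");
                    }
                }
            } catch (Exception e) {
                // Any step may have failed, not only signature corruption. Log the exception itself
                // so the failing step and its cause are visible. Steps that already completed stay
                // applied and stay listed in the marker header.
                this._logger.log(Level.WARNING, "could not manipulate the SAML Response", e);
            }
        }
        if (samlResponseSeen) {
            StringBuilder body = new StringBuilder();
            for (NamedValue param : params) {
                if (body.length() != 0) {
                    body.append("&");
                }
                body.append(param.getName());
                body.append(AMFConnection.COOKIE_NAMEVALUE_SEPERATOR);
                body.append(param.getValue());
            }
            request.setContent(body.toString().getBytes());
            if (applied.length() > 0) {
                request.addHeader("X-SAMLProxy", applied.toString());
            }
        }
    }

    /**
     * Prefixes the DigestValue of the first XMLDSig Reference with a fixed string so that the
     * digest no longer matches the signed content.
     *
     * @param str encoded SAML message
     * @return the re-encoded message, or {@code str} unchanged when no signature, Reference or
     *         DigestValue element is found
     */
    private String corruptSamlResponseSignature(String str) throws TransformerConfigurationException, TransformerException, IOException, ParserConfigurationException, SAXException, Base64DecodingException {
        Document document = parseDocument(str);
        Element signature = SamlModel.findProtocolSignatureElement(document);
        if (signature == null) {
            this._logger.warning("no XML signature found");
            return str;
        }
        NodeList references = signature.getElementsByTagNameNS(XMLDSIG_NS, Constants._TAG_REFERENCE);
        if (references.getLength() == 0) {
            this._logger.warning("no XMLDSig Reference element present");
            return str;
        }
        Element digestValue = (Element) ((Element) references.item(0)).getElementsByTagNameNS(XMLDSIG_NS, Constants._TAG_DIGESTVALUE).item(0);
        if (digestValue == null) {
            // A Reference without DigestValue used to surface as a NullPointerException.
            this._logger.warning("no XMLDSig DigestValue element present");
            return str;
        }
        digestValue.setTextContent("12345678" + digestValue.getTextContent());
        return outputDocument(document);
    }

    /**
     * Detaches the protocol-level signature element from the message.
     *
     * @param str encoded SAML message
     * @return the re-encoded message, or {@code str} unchanged when there is no signature
     */
    private String removeSamlResponseSignature(String str) throws IOException, ParserConfigurationException, SAXException, TransformerConfigurationException, TransformerException, Base64DecodingException {
        Document document = parseDocument(str);
        Node signature = SamlModel.findProtocolSignatureElement(document);
        if (signature == null) {
            return str;
        }
        signature.getParentNode().removeChild(signature);
        return outputDocument(document);
    }

    /** Serializes the DOM and returns it in wire form (Base64, then URL-encoded). */
    private String outputDocument(Document document) throws TransformerConfigurationException, TransformerException {
        ByteArrayOutputStream serialized = new ByteArrayOutputStream();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(document), new StreamResult(serialized));
        return Encoding.urlEncode(Base64.encode(serialized.toByteArray()));
    }

    /**
     * Decodes a wire-form SAML message (URL-decode, then Base64-decode) into a namespace-aware DOM.
     *
     * <p>The document comes from intercepted traffic, so the parser is told not to resolve
     * external entities or load external DTDs. DOCTYPE declarations themselves are still
     * accepted, because {@link #injectPublicDoctype(String)} may have added one earlier in the
     * chain and later steps must still be able to parse the message.
     */
    private Document parseDocument(String str) throws IOException, ParserConfigurationException, SAXException, Base64DecodingException {
        ByteArrayInputStream decoded = new ByteArrayInputStream(Base64.decode(Encoding.urlDecode(str)));
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return factory.newDocumentBuilder().parse(decoded);
    }

    /** Returns the stored SAML response from the configuration, used as-is as the field value. */
    private String replaySamlResponse() {
        return this.samlProxyConfig.getReplaySamlResponse();
    }

    /**
     * Appends an extra XMLDSig Reference, whose URI comes from the configuration, to the
     * SignedInfo of the protocol signature. The Reference gets a SHA-1 DigestMethod and a fixed
     * placeholder DigestValue.
     *
     * @param str encoded SAML message
     * @return the re-encoded message, or {@code str} unchanged when no signature or SignedInfo
     *         is found
     */
    private String injectRemoteReference(String str) throws IOException, ParserConfigurationException, SAXException, Base64DecodingException, TransformerConfigurationException, TransformerException {
        Document document = parseDocument(str);
        Element signature = SamlModel.findProtocolSignatureElement(document);
        if (signature == null) {
            this._logger.warning("no XML signature found");
            return str;
        }
        NodeList signedInfos = signature.getElementsByTagNameNS(XMLDSIG_NS, Constants._TAG_SIGNEDINFO);
        if (signedInfos.getLength() == 0) {
            this._logger.warning("no SignedInfo present in XML signature");
            return str;
        }
        Element signedInfo = (Element) signedInfos.item(0);
        // Reuse the signature's own namespace prefix so the new elements match the existing ones.
        String prefix = signature.getPrefix();
        String qualifier = prefix == null ? "" : prefix + ":";

        Element reference = document.createElementNS(XMLDSIG_NS, qualifier + Constants._TAG_REFERENCE);
        signedInfo.appendChild(reference);
        reference.setAttributeNS(null, "URI", this.samlProxyConfig.getRemoteReference());

        Element digestMethod = document.createElementNS(XMLDSIG_NS, qualifier + Constants._TAG_DIGESTMETHOD);
        reference.appendChild(digestMethod);
        digestMethod.setAttributeNS(null, "Algorithm", "http://www.w3.org/2000/09/xmldsig#sha1");

        Element digestValue = document.createElementNS(XMLDSIG_NS, qualifier + Constants._TAG_DIGESTVALUE);
        reference.appendChild(digestValue);
        digestValue.appendChild(document.createTextNode("12345678"));
        return outputDocument(document);
    }

    /**
     * Overwrites the values of every SAML 1.x and SAML 2.0 attribute whose name equals the
     * configured attribute name with the configured value.
     *
     * @param str encoded SAML message
     * @return the re-encoded message
     */
    private String injectAttribute(String str) throws IOException, ParserConfigurationException, SAXException, Base64DecodingException, TransformerConfigurationException, TransformerException {
        Document document = parseDocument(str);
        String attributeName = this.samlProxyConfig.getInjectionAttributeName();
        String attributeValue = this.samlProxyConfig.getInjectionAttributeValue();
        // SAML 1.x names the attribute via "AttributeName"; SAML 2.0 uses the constant below
        // (presumably "Name", as substituted by the decompiler; confirm against SchemaSymbols).
        replaceAttributeValues(document, SAML1_ASSERTION_NS, "AttributeName", attributeName, attributeValue);
        replaceAttributeValues(document, SAML2_ASSERTION_NS, SchemaSymbols.ATTVAL_NAME, attributeName, attributeValue);
        return outputDocument(document);
    }

    /** Sets every AttributeValue under matching Attribute elements of one assertion namespace. */
    private static void replaceAttributeValues(Document document, String namespace, String nameAttribute, String wantedName, String newValue) {
        NodeList attributes = document.getElementsByTagNameNS(namespace, "Attribute");
        for (int i = 0; i < attributes.getLength(); i++) {
            Element attribute = (Element) attributes.item(i);
            if (!attribute.getAttribute(nameAttribute).equals(wantedName)) {
                continue;
            }
            NodeList values = attribute.getElementsByTagNameNS(namespace, "AttributeValue");
            for (int j = 0; j < values.getLength(); j++) {
                setFirstChildValue(values.item(j), newValue);
            }
        }
    }

    /** Returns the configured RelayState, URL-encoded for use as a form field value. */
    private String getInjectedRelayState() {
        return Encoding.urlEncode(this.samlProxyConfig.getRelayState());
    }

    /**
     * Overwrites the subject identifier (SAML 1.x {@code NameIdentifier}, SAML 2.0
     * {@code NameID}) of every Subject element with the configured subject.
     *
     * @param str encoded SAML message
     * @return the re-encoded message
     */
    private String injectSubject(String str) throws IOException, ParserConfigurationException, SAXException, Base64DecodingException, TransformerConfigurationException, TransformerException {
        Document document = parseDocument(str);
        String subject = this.samlProxyConfig.getInjectionSubject();
        replaceSubjectIdentifiers(document, SAML1_ASSERTION_NS, "NameIdentifier", subject);
        replaceSubjectIdentifiers(document, SAML2_ASSERTION_NS, "NameID", subject);
        return outputDocument(document);
    }

    /** Sets the first identifier element found under each Subject of one assertion namespace. */
    private static void replaceSubjectIdentifiers(Document document, String namespace, String identifierName, String newValue) {
        NodeList subjects = document.getElementsByTagNameNS(namespace, "Subject");
        for (int i = 0; i < subjects.getLength(); i++) {
            NodeList identifiers = ((Element) subjects.item(i)).getElementsByTagNameNS(namespace, identifierName);
            if (identifiers.getLength() != 0) {
                setFirstChildValue(identifiers.item(0), newValue);
            }
        }
    }

    /**
     * Sets the node value of the element's first child, as the original code did. An element
     * without children used to raise a NullPointerException that aborted all remaining steps;
     * it now receives the value as its text content instead.
     */
    private static void setFirstChildValue(Node element, String value) {
        Node firstChild = element.getFirstChild();
        if (firstChild == null) {
            element.setTextContent(value);
        } else {
            firstChild.setNodeValue(value);
        }
    }

    /**
     * Prepends a DOCTYPE declaration whose SYSTEM identifier is the configured DTD URI.
     *
     * <p>The original message bytes are appended unchanged. Decoding them to a String and back
     * with the platform charset could alter non-ASCII content.
     *
     * @param str encoded SAML message
     * @return the re-encoded message with the DOCTYPE in front
     */
    private String injectPublicDoctype(String str) throws Base64DecodingException {
        byte[] doctype = ("<!DOCTYPE SomeElement SYSTEM \"" + this.samlProxyConfig.getDtdUri() + "\">").getBytes();
        byte[] original = Base64.decode(Encoding.urlDecode(str));
        byte[] combined = new byte[doctype.length + original.length];
        System.arraycopy(doctype, 0, combined, 0, doctype.length);
        System.arraycopy(original, 0, combined, doctype.length, original.length);
        return Encoding.urlEncode(Base64.encode(combined));
    }

    /**
     * Replaces the existing protocol signature with a new enveloped signature made with the
     * private key entry from the configuration. The entry's certificate chain is embedded as
     * X509Data.
     *
     * <p>NOTE(review): the signature and digest algorithms are fixed to RSA-SHA1 / SHA-1 here;
     * a receiver that enforces stronger algorithms may reject the result for that reason alone.
     *
     * @param str encoded SAML message
     * @return the re-encoded, re-signed message, or {@code str} unchanged when the message
     *         carried no signature to replace
     */
    private String signSamlMessage(String str) throws IOException, ParserConfigurationException, SAXException, Base64DecodingException, TransformerConfigurationException, TransformerException, XMLSecurityException {
        Document document = parseDocument(str);
        Node oldSignature = SamlModel.findProtocolSignatureElement(document);
        if (oldSignature == null) {
            return str;
        }
        oldSignature.getParentNode().removeChild(oldSignature);

        XMLSignature signature = new XMLSignature(document, null, "http://www.w3.org/2000/09/xmldsig#rsa-sha1");
        // The new Signature element becomes the first child of the document element.
        Element root = document.getDocumentElement();
        root.insertBefore(signature.getElement(), root.getFirstChild());

        Transforms transforms = new Transforms(document);
        transforms.addTransform("http://www.w3.org/2000/09/xmldsig#enveloped-signature");
        transforms.addTransform("http://www.w3.org/2001/10/xml-exc-c14n#");
        // An empty reference URI covers the whole document.
        signature.addDocument("", transforms, "http://www.w3.org/2000/09/xmldsig#sha1");

        KeyStore.PrivateKeyEntry keyEntry = this.samlProxyConfig.getPrivateKeyEntry();
        KeyInfo keyInfo = signature.getKeyInfo();
        X509Data x509Data = new X509Data(document);
        for (Certificate certificate : keyEntry.getCertificateChain()) {
            x509Data.addCertificate((X509Certificate) certificate);
        }
        keyInfo.add(x509Data);
        signature.sign(keyEntry.getPrivateKey());
        return outputDocument(document);
    }
}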
