package edu.internet2.middleware.shibboleth.idp.authn;

import edu.internet2.middleware.shibboleth.common.session.SessionManager;
import edu.internet2.middleware.shibboleth.common.util.HttpHelper;
import edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager;
import edu.internet2.middleware.shibboleth.idp.session.AuthenticationMethodInformation;
import edu.internet2.middleware.shibboleth.idp.session.Session;
import edu.internet2.middleware.shibboleth.idp.session.impl.AuthenticationMethodInformationImpl;
import edu.internet2.middleware.shibboleth.idp.session.impl.ServiceInformationImpl;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import javax.security.auth.Subject;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.joda.time.DateTime;
import org.opensaml.common.IdentifierGenerator;
import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
import org.opensaml.util.storage.StorageService;
import org.opensaml.ws.transport.http.HTTPTransportUtils;
import org.opensaml.xml.util.Base64;
import org.opensaml.xml.util.DatatypeHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:edu/internet2/middleware/shibboleth/idp/authn/AuthenticationEngine.class */
public class AuthenticationEngine extends HttpServlet {
    public static final String LOGIN_CONTEXT_PARTITION_NAME_INIT_PARAM_NAME = "loginContextPartitionName";
    public static final String LOGIN_CONTEXT_LIFETIME_INIT_PARAM_NAME = "loginContextEntryLifetime";
    public static final String IDP_SESSION_COOKIE_NAME = "_idp_session";
    public static final String LOGIN_CONTEXT_KEY_NAME = "_idp_authn_lc_key";
    private static final long serialVersionUID = -8479060989001890156L;
    private static final Logger LOG = LoggerFactory.getLogger(AuthenticationEngine.class);
    private static StorageService<String, LoginContextEntry> storageService;
    private static String loginContextPartitionName;
    private static long loginContextEntryLifetime;
    private static IdentifierGenerator idGen;
    private IdPProfileHandlerManager handlerManager;
    private SessionManager<Session> sessionManager;

    public void init(ServletConfig servletConfig) throws ServletException {
        super.init(servletConfig);
        String initParameter = servletConfig.getInitParameter("handlerManagerId");
        if (DatatypeHelper.isEmpty(initParameter)) {
            initParameter = "shibboleth.HandlerManager";
        }
        this.handlerManager = (IdPProfileHandlerManager) getServletContext().getAttribute(initParameter);
        String initParameter2 = servletConfig.getInitParameter("sessionManagedId");
        if (DatatypeHelper.isEmpty(initParameter2)) {
            initParameter2 = "shibboleth.SessionManager";
        }
        this.sessionManager = (SessionManager) getServletContext().getAttribute(initParameter2);
        String initParameter3 = servletConfig.getInitParameter("storageServiceId");
        if (DatatypeHelper.isEmpty(initParameter3)) {
            initParameter3 = "shibboleth.StorageService";
        }
        storageService = (StorageService) getServletContext().getAttribute(initParameter3);
        String safeTrimOrNullString = DatatypeHelper.safeTrimOrNullString(servletConfig.getInitParameter(LOGIN_CONTEXT_PARTITION_NAME_INIT_PARAM_NAME));
        if (safeTrimOrNullString != null) {
            loginContextPartitionName = safeTrimOrNullString;
        } else {
            loginContextPartitionName = "loginContexts";
        }
        String safeTrimOrNullString2 = DatatypeHelper.safeTrimOrNullString(servletConfig.getInitParameter(LOGIN_CONTEXT_LIFETIME_INIT_PARAM_NAME));
        if (safeTrimOrNullString2 != null) {
            loginContextEntryLifetime = Long.parseLong(safeTrimOrNullString2);
        } else {
            loginContextEntryLifetime = 1800000L;
        }
        try {
            idGen = new SecureRandomIdentifierGenerator();
        } catch (NoSuchAlgorithmException e) {
            throw new ServletException("Error create random number generator", e);
        }
    }

    protected static LoginContext retrieveLoginContext(HttpServletRequest httpServletRequest, boolean z) {
        Cookie[] cookies;
        LoginContext loginContext = (LoginContext) httpServletRequest.getAttribute(LoginContext.LOGIN_CONTEXT_KEY);
        if (loginContext != null) {
            LOG.trace("Login context retrieved from HTTP request attribute");
            return loginContext;
        }
        String safeTrimOrNullString = DatatypeHelper.safeTrimOrNullString((String) httpServletRequest.getAttribute(LOGIN_CONTEXT_KEY_NAME));
        if (safeTrimOrNullString == null && (cookies = httpServletRequest.getCookies()) != null) {
            int length = cookies.length;
            int i = 0;
            while (true) {
                if (i >= length) {
                    break;
                }
                Cookie cookie = cookies[i];
                if (DatatypeHelper.safeEquals(cookie.getName(), LOGIN_CONTEXT_KEY_NAME)) {
                    LOG.trace("Located cookie with login context key");
                    safeTrimOrNullString = cookie.getValue();
                    break;
                }
                i++;
            }
        }
        LOG.trace("Using login context key {} to look up login context", safeTrimOrNullString);
        LoginContextEntry loginContextEntry = z ? (LoginContextEntry) storageService.remove(loginContextPartitionName, safeTrimOrNullString) : (LoginContextEntry) storageService.get(loginContextPartitionName, safeTrimOrNullString);
        if (loginContextEntry == null) {
            LOG.trace("No entry for login context found in storage service.");
            return null;
        }
        if (loginContextEntry.isExpired()) {
            LOG.trace("Login context entry found in storage service but it was expired.");
            return null;
        }
        LOG.trace("Login context entry found in storage service.");
        return loginContextEntry.getLoginContext();
    }

    public static void returnToAuthenticationEngine(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        LOG.debug("Returning control to authentication engine");
        LoginContext retrieveLoginContext = retrieveLoginContext(httpServletRequest, false);
        if (retrieveLoginContext != null) {
            forwardRequest(retrieveLoginContext.getAuthenticationEngineURL(), httpServletRequest, httpServletResponse);
        } else {
            LOG.error("No login context available, unable to return to authentication engine");
            forwardRequest("/idp-error.jsp", httpServletRequest, httpServletResponse);
        }
    }

    public static void returnToProfileHandler(LoginContext loginContext, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        LOG.debug("Returning control to profile handler at: {}", loginContext.getProfileHandlerURL());
        httpServletRequest.setAttribute(LoginContext.LOGIN_CONTEXT_KEY, loginContext);
        Cookie cookie = new Cookie(LOGIN_CONTEXT_KEY_NAME, "");
        cookie.setMaxAge(0);
        httpServletResponse.addCookie(cookie);
        forwardRequest(loginContext.getProfileHandlerURL(), httpServletRequest, httpServletResponse);
    }

    protected static void forwardRequest(String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            httpServletRequest.getRequestDispatcher(str).forward(httpServletRequest, httpServletResponse);
        } catch (ServletException e) {
            LOG.error("Unable to return control back to authentication engine", e);
        } catch (IOException e2) {
            LOG.error("Unable to return control back to authentication engine", e2);
        }
    }

    protected void service(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        LOG.debug("Processing incoming request");
        if (httpServletResponse.isCommitted()) {
            LOG.error("HTTP Response already committed");
        }
        LoginContext retrieveLoginContext = retrieveLoginContext(httpServletRequest, true);
        if (retrieveLoginContext == null) {
            LOG.error("Incoming request does not have attached login context");
            throw new ServletException("Incoming request does not have attached login context");
        }
        if (retrieveLoginContext.getAuthenticationAttempted()) {
            completeAuthentication(retrieveLoginContext, httpServletRequest, httpServletResponse);
        } else {
            startUserAuthentication(retrieveLoginContext, httpServletRequest, httpServletResponse);
        }
    }

    protected void startUserAuthentication(LoginContext loginContext, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        LoginHandler value;
        LOG.debug("Beginning user authentication process.");
        try {
            Session session = (Session) httpServletRequest.getAttribute(Session.HTTP_SESSION_BINDING_ATTRIBUTE);
            if (session != null) {
                LOG.debug("Existing IdP session available for principal {}", session.getPrincipalName());
            }
            Map<String, LoginHandler> determinePossibleLoginHandlers = determinePossibleLoginHandlers(session, loginContext);
            LOG.debug("Possible authentication handlers for this request: {}", determinePossibleLoginHandlers);
            if (loginContext.isForceAuthRequired()) {
                filterByForceAuthentication(session, loginContext, determinePossibleLoginHandlers);
            }
            if (loginContext.isPassiveAuthRequired()) {
                filterByPassiveAuthentication(session, loginContext, determinePossibleLoginHandlers);
            }
            LOG.debug("Possible authentication handlers after filtering: {}", determinePossibleLoginHandlers);
            if (session == null || !determinePossibleLoginHandlers.containsKey("urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession")) {
                determinePossibleLoginHandlers.remove("urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession");
                Map.Entry<String, LoginHandler> next = determinePossibleLoginHandlers.entrySet().iterator().next();
                loginContext.setAttemptedAuthnMethod(next.getKey());
                value = next.getValue();
            } else {
                loginContext.setAttemptedAuthnMethod("urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession");
                value = determinePossibleLoginHandlers.get("urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession");
            }
            LOG.debug("Authenticating user with login handler of type {}", value.getClass().getName());
            loginContext.setAuthenticationAttempted();
            loginContext.setAuthenticationEngineURL(HttpHelper.getRequestUriWithoutContext(httpServletRequest));
            storeLoginContext(loginContext, httpServletRequest, httpServletResponse);
            value.login(httpServletRequest, httpServletResponse);
        } catch (AuthenticationException e) {
            loginContext.setAuthenticationFailure(e);
            returnToProfileHandler(loginContext, httpServletRequest, httpServletResponse);
        }
    }

    protected Map<String, LoginHandler> determinePossibleLoginHandlers(Session session, LoginContext loginContext) throws AuthenticationException {
        HashMap hashMap = new HashMap(this.handlerManager.getLoginHandlers());
        LOG.debug("Filtering configured login handlers by requested athentication methods.");
        LOG.debug("Configured LoginHandlers: {}", hashMap);
        LOG.debug("Requested authentication methods: {}", loginContext.getRequestedAuthenticationMethods());
        if (loginContext.getRequestedAuthenticationMethods().isEmpty()) {
            LOG.trace("No preference given for authentication methods");
            return hashMap;
        }
        if (hashMap.containsKey("urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession") && session != null && loginContext.getRequestedAuthenticationMethods() != null) {
            boolean z = false;
            Iterator<String> it = session.getAuthenticationMethods().keySet().iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                if (loginContext.getRequestedAuthenticationMethods().contains(it.next())) {
                    z = true;
                    break;
                }
            }
            if (!z) {
                hashMap.remove("urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession");
            }
        }
        Iterator it2 = hashMap.entrySet().iterator();
        while (it2.hasNext()) {
            Map.Entry entry = (Map.Entry) it2.next();
            if (!((String) entry.getKey()).equals("urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession") && !loginContext.getRequestedAuthenticationMethods().contains(entry.getKey())) {
                it2.remove();
            }
        }
        if (!hashMap.isEmpty()) {
            return hashMap;
        }
        LOG.error("No authentication method, requested by the service provider, is supported");
        throw new AuthenticationException("No authentication method, requested by the service provider, is supported");
    }

    protected void filterByForceAuthentication(Session session, LoginContext loginContext, Map<String, LoginHandler> map) throws ForceAuthenticationException {
        LOG.debug("Forced authentication is required, filtering possible login handlers accordingly");
        ArrayList arrayList = new ArrayList();
        if (session != null) {
            arrayList.addAll(session.getAuthenticationMethods().values());
        }
        map.remove("urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession");
        Iterator it = arrayList.iterator();
        while (it.hasNext()) {
            LoginHandler loginHandler = map.get(((AuthenticationMethodInformation) it.next()).getAuthenticationMethod());
            if (loginHandler != null && !loginHandler.supportsForceAuthentication()) {
                Iterator<String> it2 = loginHandler.getSupportedAuthenticationMethods().iterator();
                while (it2.hasNext()) {
                    map.remove(it2.next());
                }
            }
        }
        LOG.debug("Authentication handlers remaining after forced authentication requirement filtering: {}", map);
        if (map.isEmpty()) {
            LOG.info("Force authentication requested but no login handlers available to support it");
            throw new ForceAuthenticationException();
        }
    }

    protected void filterByPassiveAuthentication(Session session, LoginContext loginContext, Map<String, LoginHandler> map) throws PassiveAuthenticationException {
        LOG.debug("Passive authentication is required, filtering poassible login handlers accordingly.");
        if (session == null) {
            map.remove("urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession");
        }
        Iterator<Map.Entry<String, LoginHandler>> it = map.entrySet().iterator();
        while (it.hasNext()) {
            if (!it.next().getValue().supportsPassive()) {
                it.remove();
            }
        }
        LOG.debug("Authentication handlers remaining after passive authentication requirement filtering: {}", map);
        if (map.isEmpty()) {
            LOG.error("Passive authentication required but no login handlers available to support it");
            throw new PassiveAuthenticationException();
        }
    }

    protected void storeLoginContext(LoginContext loginContext, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String generateIdentifier = idGen.generateIdentifier();
        storageService.put(loginContextPartitionName, generateIdentifier, new LoginContextEntry(loginContext, loginContextEntryLifetime));
        httpServletRequest.setAttribute(LOGIN_CONTEXT_KEY_NAME, generateIdentifier);
        Cookie cookie = new Cookie(LOGIN_CONTEXT_KEY_NAME, generateIdentifier);
        String contextPath = httpServletRequest.getContextPath();
        if (DatatypeHelper.isEmpty(contextPath)) {
            cookie.setPath("/");
        } else {
            cookie.setPath(contextPath);
        }
        cookie.setSecure(httpServletRequest.isSecure());
        cookie.setMaxAge(-1);
        httpServletResponse.addCookie(cookie);
    }

    protected void completeAuthentication(LoginContext loginContext, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        LOG.debug("Completing user authentication process");
        Session session = (Session) httpServletRequest.getAttribute(Session.HTTP_SESSION_BINDING_ATTRIBUTE);
        try {
            String safeTrimOrNullString = DatatypeHelper.safeTrimOrNullString((String) httpServletRequest.getAttribute(LoginHandler.AUTHENTICATION_METHOD_KEY));
            if (safeTrimOrNullString == null) {
                safeTrimOrNullString = loginContext.getAttemptedAuthnMethod();
            } else {
                LOG.debug("Authentication method overriden by LoginHandler.  It was {} and is now {}", loginContext.getAttemptedAuthnMethod(), safeTrimOrNullString);
            }
            validateSuccessfulAuthentication(loginContext, httpServletRequest, safeTrimOrNullString);
            Subject loginHandlerSubject = getLoginHandlerSubject(httpServletRequest);
            if (loginContext.isForceAuthRequired()) {
                validateForcedReauthentication(session, safeTrimOrNullString, loginHandlerSubject);
            }
            loginContext.setPrincipalAuthenticated(true);
            updateUserSession(loginContext, loginHandlerSubject, safeTrimOrNullString, httpServletRequest, httpServletResponse);
            LOG.debug("User {} authenticated with method {}", loginContext.getPrincipalName(), loginContext.getAuthenticationMethod());
        } catch (AuthenticationException e) {
            LOG.error("Authentication failed with the error:", e);
            loginContext.setPrincipalAuthenticated(false);
            loginContext.setAuthenticationFailure(e);
        }
        returnToProfileHandler(loginContext, httpServletRequest, httpServletResponse);
    }

    protected void validateSuccessfulAuthentication(LoginContext loginContext, HttpServletRequest httpServletRequest, String str) throws AuthenticationException {
        LOG.debug("Validating authentication was performed successfully");
        String safeTrimOrNullString = DatatypeHelper.safeTrimOrNullString((String) httpServletRequest.getAttribute(LoginHandler.AUTHENTICATION_ERROR_KEY));
        if (safeTrimOrNullString != null) {
            LOG.error("Error returned from login handler for authentication method {}:\n{}", loginContext.getAttemptedAuthnMethod(), safeTrimOrNullString);
            throw new AuthenticationException(safeTrimOrNullString);
        }
        Subject subject = (Subject) httpServletRequest.getAttribute(LoginHandler.SUBJECT_KEY);
        Principal principal = (Principal) httpServletRequest.getAttribute(LoginHandler.PRINCIPAL_KEY);
        String safeTrimOrNullString2 = DatatypeHelper.safeTrimOrNullString((String) httpServletRequest.getAttribute(LoginHandler.PRINCIPAL_NAME_KEY));
        if (subject == null && principal == null && safeTrimOrNullString2 == null) {
            LOG.error("No user identified by login handler.");
            throw new AuthenticationException("No user identified by login handler.");
        }
    }

    protected Subject getLoginHandlerSubject(HttpServletRequest httpServletRequest) throws AuthenticationException {
        Subject subject = (Subject) httpServletRequest.getAttribute(LoginHandler.SUBJECT_KEY);
        Principal principal = (Principal) httpServletRequest.getAttribute(LoginHandler.PRINCIPAL_KEY);
        String safeTrimOrNullString = DatatypeHelper.safeTrimOrNullString((String) httpServletRequest.getAttribute(LoginHandler.PRINCIPAL_NAME_KEY));
        if (subject == null && (principal != null || safeTrimOrNullString != null)) {
            subject = new Subject();
            if (principal == null) {
                principal = new UsernamePrincipal(safeTrimOrNullString);
            }
            subject.getPrincipals().add(principal);
        }
        return subject;
    }

    protected void validateForcedReauthentication(Session session, String str, Subject subject) throws AuthenticationException {
        AuthenticationMethodInformation authenticationMethodInformation;
        if (session == null || (authenticationMethodInformation = session.getAuthenticationMethods().get(str)) == null) {
            return;
        }
        boolean z = false;
        Iterator<Principal> it = subject.getPrincipals().iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            } else if (authenticationMethodInformation.getAuthenticationPrincipal().equals(it.next())) {
                z = true;
                break;
            }
        }
        if (!z) {
            throw new ForceAuthenticationException("Authenticated principal does not match previously authenticated principal");
        }
    }

    protected void updateUserSession(LoginContext loginContext, Subject subject, String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Principal next = subject.getPrincipals().iterator().next();
        LOG.debug("Updating session information for principal {}", next.getName());
        Session session = (Session) httpServletRequest.getAttribute(Session.HTTP_SESSION_BINDING_ATTRIBUTE);
        if (session == null) {
            LOG.debug("Creating shibboleth session for principal {}", next.getName());
            session = (Session) this.sessionManager.createSession();
            loginContext.setSessionID(session.getSessionID());
            addSessionCookie(httpServletRequest, httpServletResponse, session);
        }
        session.setSubject(mergeSubjects(session.getSubject(), subject));
        LOG.debug("Recording authentication and service information in Shibboleth session for principal: {}", next.getName());
        AuthenticationMethodInformationImpl authenticationMethodInformationImpl = new AuthenticationMethodInformationImpl(session.getSubject(), next, str, new DateTime(), this.handlerManager.getLoginHandlers().get(loginContext.getAttemptedAuthnMethod()).getAuthenticationDuration());
        loginContext.setAuthenticationMethodInformation(authenticationMethodInformationImpl);
        session.getAuthenticationMethods().put(authenticationMethodInformationImpl.getAuthenticationMethod(), authenticationMethodInformationImpl);
        this.sessionManager.indexSession(session, authenticationMethodInformationImpl.getAuthenticationPrincipal().getName());
        ServiceInformationImpl serviceInformationImpl = new ServiceInformationImpl(loginContext.getRelyingPartyId(), new DateTime(), authenticationMethodInformationImpl);
        session.getServicesInformation().put(serviceInformationImpl.getEntityID(), serviceInformationImpl);
    }

    protected Subject mergeSubjects(Subject subject, Subject subject2) {
        if (subject == null) {
            return subject2;
        }
        if (subject2 == null) {
            return subject;
        }
        if (subject == null && subject2 == null) {
            return new Subject();
        }
        HashSet hashSet = new HashSet();
        hashSet.addAll(subject.getPrincipals());
        hashSet.addAll(subject2.getPrincipals());
        HashSet hashSet2 = new HashSet();
        hashSet2.addAll(subject.getPublicCredentials());
        hashSet2.addAll(subject2.getPublicCredentials());
        HashSet hashSet3 = new HashSet();
        hashSet3.addAll(subject.getPrivateCredentials());
        hashSet3.addAll(subject2.getPrivateCredentials());
        return new Subject(false, hashSet, hashSet2, hashSet3);
    }

    protected void addSessionCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Session session) {
        httpServletRequest.setAttribute(Session.HTTP_SESSION_BINDING_ATTRIBUTE, session);
        byte[] bytes = httpServletRequest.getRemoteAddr().getBytes();
        byte[] bytes2 = session.getSessionID().getBytes();
        String str = null;
        try {
            MessageDigest messageDigest = MessageDigest.getInstance("SHA");
            messageDigest.update(session.getSessionSecret());
            messageDigest.update(bytes);
            messageDigest.update(bytes2);
            str = Base64.encodeBytes(messageDigest.digest());
        } catch (GeneralSecurityException e) {
            LOG.error("Unable to compute signature over session cookie material", e);
        }
        LOG.debug("Adding IdP session cookie to HTTP response");
        StringBuilder sb = new StringBuilder();
        sb.append(Base64.encodeBytes(bytes, 8)).append("|");
        sb.append(Base64.encodeBytes(bytes2, 8)).append("|");
        sb.append(str);
        Cookie cookie = new Cookie(IDP_SESSION_COOKIE_NAME, HTTPTransportUtils.urlEncode(sb.toString()));
        String contextPath = httpServletRequest.getContextPath();
        if (DatatypeHelper.isEmpty(contextPath)) {
            cookie.setPath("/");
        } else {
            cookie.setPath(contextPath);
        }
        cookie.setSecure(httpServletRequest.isSecure());
        cookie.setMaxAge(-1);
        httpServletResponse.addCookie(cookie);
    }
}
