package edu.internet2.middleware.shibboleth.idp.profile.saml2;

import edu.internet2.middleware.shibboleth.common.profile.ProfileException;
import edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext;
import edu.internet2.middleware.shibboleth.common.relyingparty.RelyingPartyConfiguration;
import edu.internet2.middleware.shibboleth.common.relyingparty.provider.saml2.SSOConfiguration;
import edu.internet2.middleware.shibboleth.common.util.HttpHelper;
import edu.internet2.middleware.shibboleth.idp.authn.LoginContext;
import edu.internet2.middleware.shibboleth.idp.authn.PassiveAuthenticationException;
import edu.internet2.middleware.shibboleth.idp.authn.Saml2LoginContext;
import edu.internet2.middleware.shibboleth.idp.session.Session;
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
import org.opensaml.Configuration;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.SAMLObjectBuilder;
import org.opensaml.common.binding.decoding.SAMLMessageDecoder;
import org.opensaml.saml2.binding.AuthnResponseEndpointSelector;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.AuthnContext;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.AuthnContextDeclRef;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.RequestedAuthnContext;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.Statement;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.core.SubjectLocality;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.Endpoint;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.ws.transport.http.HTTPInTransport;
import org.opensaml.ws.transport.http.HTTPOutTransport;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.io.UnmarshallingException;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.util.DatatypeHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;

/* loaded from: input_file:edu/internet2/middleware/shibboleth/idp/profile/saml2/SSOProfileHandler.class */
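/**
 * SAML 2.0 Web Browser SSO profile handler.
 *
 * <p>A request is processed in two legs, distinguished by whether the wrapped servlet request already
 * carries a {@link LoginContext} attribute under {@link LoginContext#LOGIN_CONTEXT_KEY}:
 * <ol>
 * <li>First leg (no login context): the inbound {@link AuthnRequest} is decoded, a
 * {@link Saml2LoginContext} is built from it and the request is forwarded to the authentication engine
 * located at the path given to the constructor.</li>
 * <li>Second leg (login context present): the authentication outcome recorded in the login context is
 * turned into a SAML {@link Response} - or an error response when any step fails with a
 * {@link ProfileException} - which is then encoded back to the relying party and audit logged.</li>
 * </ol>
 */
public class SSOProfileHandler extends AbstractSAML2ProfileHandler {

    /** Profile URI identifying this handler; also the key used to look up the relying party's profile configuration. */
    private static final String PROFILE_ID = "urn:mace:shibboleth:2.0:profiles:saml2:sso";

    /** SAML 2.0 protocol namespace, used for both the inbound and the outbound protocol of a request context. */
    private static final String SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol";

    /** Top-level status code: the error lies with the IdP. */
    private static final String STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder";

    /** Top-level status code: the error lies with the requester. */
    private static final String STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester";

    /** Second-level status code: passive authentication was requested but could not be satisfied. */
    private static final String STATUS_NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive";

    /** Second-level status code: the user failed authentication. */
    private static final String STATUS_AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed";

    /** Subject confirmation method placed on the assertions of the SSO response. */
    private static final String BEARER_CONFIRMATION = "urn:oasis:names:tc:SAML:2.0:cm:bearer";

    /**
     * Relying party id that marks a request handled under the anonymous relying party configuration.
     * NOTE(review): presumably mirrors the id assigned by the anonymous relying party configuration - confirm.
     */
    private static final String ANONYMOUS_RP_ID = "anonymous";

    private static final Logger log = LoggerFactory.getLogger(SSOProfileHandler.class);

    private final SAMLObjectBuilder<AuthnStatement> authnStatementBuilder =
            (SAMLObjectBuilder<AuthnStatement>) getBuilderFactory().getBuilder(AuthnStatement.DEFAULT_ELEMENT_NAME);

    private final SAMLObjectBuilder<AuthnContext> authnContextBuilder =
            (SAMLObjectBuilder<AuthnContext>) getBuilderFactory().getBuilder(AuthnContext.DEFAULT_ELEMENT_NAME);

    private final SAMLObjectBuilder<AuthnContextClassRef> authnContextClassRefBuilder =
            (SAMLObjectBuilder<AuthnContextClassRef>) getBuilderFactory().getBuilder(AuthnContextClassRef.DEFAULT_ELEMENT_NAME);

    private final SAMLObjectBuilder<AuthnContextDeclRef> authnContextDeclRefBuilder =
            (SAMLObjectBuilder<AuthnContextDeclRef>) getBuilderFactory().getBuilder(AuthnContextDeclRef.DEFAULT_ELEMENT_NAME);

    private final SAMLObjectBuilder<SubjectLocality> subjectLocalityBuilder =
            (SAMLObjectBuilder<SubjectLocality>) getBuilderFactory().getBuilder(SubjectLocality.DEFAULT_ELEMENT_NAME);

    /** Builds AssertionConsumerService endpoints; only used for the anonymous relying party (no metadata). */
    private final SAMLObjectBuilder<Endpoint> endpointBuilder =
            (SAMLObjectBuilder<Endpoint>) getBuilderFactory().getBuilder(AssertionConsumerService.DEFAULT_ELEMENT_NAME);

    /** Servlet path of the authentication engine; the first leg forwards to it. */
    private final String authenticationManagerPath;

    /**
     * Request context for the SSO profile, extended with the login context that links the two legs.
     */
    public class SSORequestContext extends BaseSAML2ProfileRequestContext<AuthnRequest, Response, SSOConfiguration> {

        /** Login context carried over from the authentication engine; null during the first leg. */
        private Saml2LoginContext loginContext;

        protected SSORequestContext() {
        }

        /** @return the login context, or null if the authentication engine has not run yet */
        public Saml2LoginContext getLoginContext() {
            return loginContext;
        }

        /** @param context login context produced by the authentication engine */
        public void setLoginContext(Saml2LoginContext context) {
            loginContext = context;
        }
    }

    /**
     * Constructor.
     *
     * @param authnManagerPath servlet path of the authentication engine; used as the forward target of the
     *            first leg and recorded in the login context as the authentication engine URL
     */
    public SSOProfileHandler(String authnManagerPath) {
        authenticationManagerPath = authnManagerPath;
    }

    /** @return the SSO profile URI */
    public String getProfileId() {
        return PROFILE_ID;
    }

    /**
     * Dispatches to the first or second leg of the profile depending on whether a login context is already
     * attached to the servlet request.
     *
     * @param inTransport inbound transport, must wrap a servlet request
     * @param outTransport outbound transport, must wrap a servlet response
     * @throws ProfileException if either leg fails
     */
    public void processRequest(HTTPInTransport inTransport, HTTPOutTransport outTransport) throws ProfileException {
        HttpServletRequest httpRequest = ((HttpServletRequestAdapter) inTransport).getWrappedRequest();
        if (httpRequest.getAttribute(LoginContext.LOGIN_CONTEXT_KEY) == null) {
            log.debug("Incoming request does not contain a login context, processing as first leg of request");
            performAuthentication(inTransport, outTransport);
        } else {
            log.debug("Incoming request contains a login context, processing as second leg of request");
            completeAuthenticationRequest(inTransport, outTransport);
        }
    }

    /**
     * First leg: decodes the AuthnRequest, checks that the SSO profile is enabled for the requesting
     * relying party, builds the login context and forwards to the authentication engine.
     *
     * <p>When the request does not name any authentication method, the relying party's default
     * authentication method (if configured) is requested instead.
     *
     * @param inTransport inbound transport, must wrap a servlet request
     * @param outTransport outbound transport, must wrap a servlet response
     * @throws ProfileException if the request cannot be decoded, the profile is not configured for the
     *             relying party, the login context cannot be serialized, or the forward fails
     */
    protected void performAuthentication(HTTPInTransport inTransport, HTTPOutTransport outTransport)
            throws ProfileException {
        HttpServletRequest httpRequest = ((HttpServletRequestAdapter) inTransport).getWrappedRequest();
        SSORequestContext requestContext = new SSORequestContext();

        try {
            decodeRequest(requestContext, inTransport, outTransport);

            String relyingPartyId = requestContext.getInboundMessageIssuer();
            RelyingPartyConfiguration rpConfig = getRelyingPartyConfiguration(relyingPartyId);
            // A missing configuration is treated like a configuration without this profile.
            if (rpConfig == null || rpConfig.getProfileConfiguration(PROFILE_ID) == null) {
                String msg = "SAML 2 SSO profile is not configured for relying party " + relyingPartyId;
                log.error(msg);
                throw new ProfileException(msg);
            }

            log.debug("Creating login context and transferring control to authentication engine");
            Saml2LoginContext loginContext = new Saml2LoginContext(relyingPartyId, requestContext.getRelayState(),
                    requestContext.getInboundSAMLMessage());
            loginContext.setAuthenticationEngineURL(authenticationManagerPath);
            loginContext.setProfileHandlerURL(HttpHelper.getRequestUriWithoutContext(httpRequest));

            // No method requested by the SP: fall back to the relying party's default, if any.
            if (loginContext.getRequestedAuthenticationMethods().isEmpty()
                    && rpConfig.getDefaultAuthenticationMethod() != null) {
                loginContext.getRequestedAuthenticationMethods().add(rpConfig.getDefaultAuthenticationMethod());
            }

            httpRequest.setAttribute(LoginContext.LOGIN_CONTEXT_KEY, loginContext);
            httpRequest.getRequestDispatcher(authenticationManagerPath).forward(httpRequest,
                    ((HttpServletResponseAdapter) outTransport).getWrappedResponse());
        } catch (MarshallingException e) {
            log.error("Unable to marshall authentication request context");
            throw new ProfileException("Unable to marshall authentication request context", e);
        } catch (IOException e) {
            log.error("Error forwarding SAML 2 AuthnRequest to AuthenticationManager", e);
            throw new ProfileException("Error forwarding SAML 2 AuthnRequest to AuthenticationManager", e);
        } catch (ServletException e) {
            log.error("Error forwarding SAML 2 AuthnRequest to AuthenticationManager", e);
            throw new ProfileException("Error forwarding SAML 2 AuthnRequest to AuthenticationManager", e);
        }
    }

    /**
     * Second leg: turns the outcome stored in the login context into a SAML response and sends it.
     *
     * <p>Any {@link ProfileException} raised while building the success response (authentication failure,
     * principal mismatch, attribute resolution, statement construction) is converted into an error
     * response carrying the failure status recorded on the request context, so the relying party always
     * receives a response. Version checking happens before that conversion and propagates as-is.
     *
     * @param inTransport inbound transport, must wrap a servlet request that carries the login context
     * @param outTransport outbound transport
     * @throws ProfileException if the request context cannot be rebuilt, the SAML version check fails, or
     *             the response cannot be encoded
     */
    protected void completeAuthenticationRequest(HTTPInTransport inTransport, HTTPOutTransport outTransport)
            throws ProfileException {
        HttpServletRequest httpRequest = ((HttpServletRequestAdapter) inTransport).getWrappedRequest();
        Saml2LoginContext loginContext = (Saml2LoginContext) httpRequest.getAttribute(LoginContext.LOGIN_CONTEXT_KEY);

        SSORequestContext requestContext = buildRequestContext(loginContext, inTransport, outTransport);
        checkSamlVersion(requestContext);

        Response samlResponse;
        try {
            if (loginContext.getAuthenticationFailure() != null) {
                if (loginContext.getAuthenticationFailure() instanceof PassiveAuthenticationException) {
                    requestContext.setFailureStatus(buildStatus(STATUS_RESPONDER, STATUS_NO_PASSIVE, null));
                } else {
                    requestContext.setFailureStatus(buildStatus(STATUS_RESPONDER, STATUS_AUTHN_FAILED, null));
                }
                throw new ProfileException("Authentication failure", loginContext.getAuthenticationFailure());
            }

            if (requestContext.getSubjectNameIdentifier() != null) {
                log.debug("Authentication request contained a subject with a name identifier, resolving principal from NameID");
                resolvePrincipal(requestContext);
                String requestedPrincipal = requestContext.getPrincipalName();
                // The SP asked for a specific subject; refuse to assert a different authenticated user.
                if (!DatatypeHelper.safeEquals(loginContext.getPrincipalName(), requestedPrincipal)) {
                    log.error("Authentication request identified principal {} but authentication mechanism identified principal {}",
                            requestedPrincipal, loginContext.getPrincipalName());
                    requestContext.setFailureStatus(buildStatus(STATUS_RESPONDER, STATUS_AUTHN_FAILED, null));
                    throw new ProfileException("User failed authentication");
                }
            }

            resolveAttributes(requestContext);

            List<Statement> statements = new ArrayList<Statement>();
            statements.add(buildAuthnStatement(requestContext));
            if (requestContext.getProfileConfiguration().includeAttributeStatement()) {
                AttributeStatement attributeStatement = buildAttributeStatement(requestContext);
                if (attributeStatement != null) {
                    requestContext.setReleasedAttributes(requestContext.getAttributes().keySet());
                    statements.add(attributeStatement);
                }
            }

            samlResponse = buildResponse(requestContext, BEARER_CONFIRMATION, statements);
        } catch (ProfileException e) {
            // Failure status was set by whoever threw; report it to the relying party instead of failing silently.
            samlResponse = buildErrorResponse(requestContext);
        }

        requestContext.setOutboundSAMLMessage(samlResponse);
        requestContext.setOutboundSAMLMessageId(samlResponse.getID());
        requestContext.setOutboundSAMLMessageIssueInstant(samlResponse.getIssueInstant());
        encodeResponse(requestContext);
        writeAuditLogEntry(requestContext);
    }

    /**
     * Decodes the inbound message with the decoder registered for the inbound binding and verifies that it
     * is an AuthnRequest.
     *
     * @param requestContext context to populate; its failure status is set on a non-AuthnRequest message
     * @param inTransport inbound transport
     * @param outTransport outbound transport
     * @throws ProfileException if no decoder is registered for the binding, decoding fails, the message
     *             violates the security policy, or the message is not an AuthnRequest
     */
    protected void decodeRequest(SSORequestContext requestContext, HTTPInTransport inTransport,
            HTTPOutTransport outTransport) throws ProfileException {
        log.debug("Decoding message with decoder binding {}", getInboundBinding());

        requestContext.setCommunicationProfileId(PROFILE_ID);
        requestContext.setMetadataProvider(getMetadataProvider());
        requestContext.setSecurityPolicyResolver(getSecurityPolicyResolver());
        requestContext.setInboundMessageTransport(inTransport);
        requestContext.setInboundSAMLProtocol(SAML2_PROTOCOL);
        requestContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
        requestContext.setOutboundMessageTransport(outTransport);
        requestContext.setOutboundSAMLProtocol(SAML2_PROTOCOL);

        try {
            SAMLMessageDecoder decoder = getMessageDecoders().get(getInboundBinding());
            if (decoder == null) {
                log.error("No message decoder configured for inbound binding {}", getInboundBinding());
                throw new ProfileException("No message decoder configured for inbound binding " + getInboundBinding());
            }
            requestContext.setMessageDecoder(decoder);
            decoder.decode(requestContext);
            log.debug("Decoded request");

            Object inboundMessage = requestContext.getInboundMessage();
            if (inboundMessage instanceof AuthnRequest) {
                return;
            }
            log.error("Incomming message was not a AuthnRequest, it was a {}",
                    inboundMessage == null ? null : inboundMessage.getClass().getName());
            requestContext.setFailureStatus(buildStatus(STATUS_REQUESTER, null, "Invalid SAML AuthnRequest message."));
            throw new ProfileException("Invalid SAML AuthnRequest message.");
        } catch (SecurityException e) {
            log.error("Message did not meet security requirements", e);
            throw new ProfileException("Message did not meet security requirements", e);
        } catch (MessageDecodingException e) {
            log.error("Error decoding authentication request message", e2(e));
            throw new ProfileException("Error decoding authentication request message", e);
        }
    }

    /** Identity helper kept private so the log call above stays a plain (message, throwable) pair. */
    private static Throwable e2(Throwable t) {
        return t;
    }

    /**
     * Rebuilds the request context for the second leg from the login context: the relying party id
     * recorded there becomes both the peer entity id and the inbound message issuer, then the common
     * population steps of the base class run (which, through {@link #populateSAMLMessageInformation},
     * deserialize the original AuthnRequest).
     *
     * @param loginContext login context returned by the authentication engine
     * @param inTransport inbound transport
     * @param outTransport outbound transport
     * @return the populated request context
     * @throws ProfileException if population fails
     */
    protected SSORequestContext buildRequestContext(Saml2LoginContext loginContext, HTTPInTransport inTransport,
            HTTPOutTransport outTransport) throws ProfileException {
        SSORequestContext requestContext = new SSORequestContext();
        requestContext.setCommunicationProfileId(PROFILE_ID);
        requestContext.setMessageDecoder(getMessageDecoders().get(getInboundBinding()));
        requestContext.setLoginContext(loginContext);
        requestContext.setInboundMessageTransport(inTransport);
        requestContext.setInboundSAMLProtocol(SAML2_PROTOCOL);
        requestContext.setOutboundMessageTransport(outTransport);
        requestContext.setOutboundSAMLProtocol(SAML2_PROTOCOL);
        requestContext.setMetadataProvider(getMetadataProvider());

        String relyingPartyId = loginContext.getRelyingPartyId();
        requestContext.setPeerEntityId(relyingPartyId);
        requestContext.setInboundMessageIssuer(relyingPartyId);

        populateRequestContext(requestContext);
        return requestContext;
    }

    /**
     * Adds the SP role descriptor of the relying party, when its entity metadata is known.
     *
     * @param requestContext current request context
     * @throws ProfileException propagated from the base class
     */
    @Override
    public void populateRelyingPartyInformation(BaseSAMLProfileRequestContext requestContext) throws ProfileException {
        super.populateRelyingPartyInformation(requestContext);

        EntityDescriptor peerMetadata = requestContext.getPeerEntityMetadata();
        if (peerMetadata != null) {
            requestContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
            requestContext.setPeerEntityRoleMetadata(peerMetadata.getSPSSODescriptor(SAML2_PROTOCOL));
        }
    }

    /**
     * Adds the IdP role descriptor of this IdP, when its entity metadata is known.
     *
     * @param requestContext current request context
     * @throws ProfileException propagated from the base class
     */
    @Override
    public void populateAssertingPartyInformation(BaseSAMLProfileRequestContext requestContext) throws ProfileException {
        super.populateAssertingPartyInformation(requestContext);

        EntityDescriptor localMetadata = requestContext.getLocalEntityMetadata();
        if (localMetadata != null) {
            requestContext.setLocalEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
            requestContext.setLocalEntityRoleMetadata(localMetadata.getIDPSSODescriptor(SAML2_PROTOCOL));
        }
    }

    /**
     * Restores the inbound AuthnRequest (and relay state) from the serialized copy held in the login
     * context and records its id and, if present, the requested subject NameID.
     *
     * @param requestContext current request context, must be an {@link SSORequestContext}
     * @throws ProfileException if the serialized request cannot be unmarshalled; the failure status is set
     *             to a Responder error first
     */
    @Override
    protected void populateSAMLMessageInformation(BaseSAMLProfileRequestContext requestContext) throws ProfileException {
        SSORequestContext ssoContext = (SSORequestContext) requestContext;
        try {
            Saml2LoginContext loginContext = ssoContext.getLoginContext();
            requestContext.setRelayState(loginContext.getRelayState());

            AuthnRequest authnRequest = deserializeRequest(loginContext.getAuthenticationRequest());
            requestContext.setInboundMessage(authnRequest);
            requestContext.setInboundSAMLMessage(authnRequest);
            requestContext.setInboundSAMLMessageId(authnRequest.getID());

            Subject subject = authnRequest.getSubject();
            if (subject != null) {
                requestContext.setSubjectNameIdentifier(subject.getNameID());
            }
        } catch (UnmarshallingException e) {
            log.error("Unable to unmarshall authentication request context");
            ssoContext.setFailureStatus(buildStatus(STATUS_RESPONDER, null, "Error recovering request state"));
            throw new ProfileException("Error recovering request state", e);
        }
    }

    /**
     * Builds the AuthnStatement: authentication context and instant from the login context, the IdP
     * session id as SessionIndex when a session exists, an optional SessionNotOnOrAfter derived from the
     * profile's maximum SP session lifetime, and the subject locality.
     *
     * @param requestContext current request context
     * @return the populated statement
     */
    protected AuthnStatement buildAuthnStatement(SSORequestContext requestContext) {
        Saml2LoginContext loginContext = requestContext.getLoginContext();

        AuthnStatement statement = authnStatementBuilder.buildObject();
        statement.setAuthnContext(buildAuthnContext(requestContext));
        statement.setAuthnInstant(loginContext.getAuthenticationInstant());

        Session session = getUserSession(requestContext.getInboundMessageTransport());
        if (session != null) {
            statement.setSessionIndex(session.getSessionID());
        }

        // DateTime.plus(long) adds milliseconds, so the configured lifetime is interpreted in ms.
        long maxSessionLifetime = requestContext.getProfileConfiguration().getMaximumSPSessionLifetime();
        if (maxSessionLifetime > 0) {
            DateTime sessionExpiration = new DateTime(DateTimeZone.UTC).plus(maxSessionLifetime);
            log.debug("Explicitly setting SP session expiration time to {}", sessionExpiration.toString());
            statement.setSessionNotOnOrAfter(sessionExpiration);
        }

        statement.setSubjectLocality(buildSubjectLocality(requestContext));
        return statement;
    }

    /**
     * Builds the AuthnContext reported to the relying party.
     *
     * <p>If the request carried a RequestedAuthnContext, the authentication method actually used is
     * echoed as an AuthnContextClassRef (or AuthnContextDeclRef) only when it matches one of the
     * requested references. If neither reference was set that way, the method is reported as an
     * AuthnContextDeclRef regardless of what was requested.
     *
     * @param requestContext current request context; its login context supplies the authentication method
     * @return the populated AuthnContext
     */
    protected AuthnContext buildAuthnContext(SSORequestContext requestContext) {
        AuthnContext authnContext = authnContextBuilder.buildObject();
        String authnMethod = requestContext.getLoginContext().getAuthenticationMethod();

        RequestedAuthnContext requested = requestContext.getInboundSAMLMessage().getRequestedAuthnContext();
        if (requested != null) {
            // NOTE(review): if the OpenSAML child list for class refs is never null, the DeclRef branch is
            // unreachable — confirm against the RequestedAuthnContext implementation in use.
            if (requested.getAuthnContextClassRefs() != null) {
                for (AuthnContextClassRef requestedRef : requested.getAuthnContextClassRefs()) {
                    // safeEquals: a requested reference without a URI must not raise an NPE
                    if (DatatypeHelper.safeEquals(requestedRef.getAuthnContextClassRef(), authnMethod)) {
                        AuthnContextClassRef classRef = authnContextClassRefBuilder.buildObject();
                        classRef.setAuthnContextClassRef(authnMethod);
                        authnContext.setAuthnContextClassRef(classRef);
                    }
                }
            } else if (requested.getAuthnContextDeclRefs() != null) {
                for (AuthnContextDeclRef requestedRef : requested.getAuthnContextDeclRefs()) {
                    if (DatatypeHelper.safeEquals(requestedRef.getAuthnContextDeclRef(), authnMethod)) {
                        AuthnContextDeclRef declRef = authnContextDeclRefBuilder.buildObject();
                        declRef.setAuthnContextDeclRef(authnMethod);
                        authnContext.setAuthnContextDeclRef(declRef);
                    }
                }
            }
        }

        // Fall back only when nothing matched. (With '||' here a matched class ref would additionally get a
        // decl ref carrying the same URI.)
        if (authnContext.getAuthnContextClassRef() == null && authnContext.getAuthnContextDeclRef() == null) {
            AuthnContextDeclRef declRef = authnContextDeclRefBuilder.buildObject();
            declRef.setAuthnContextDeclRef(authnMethod);
            authnContext.setAuthnContextDeclRef(declRef);
        }

        return authnContext;
    }

    /**
     * Builds a SubjectLocality whose address is the peer address of the inbound transport.
     *
     * @param requestContext current request context
     * @return the populated locality
     */
    protected SubjectLocality buildSubjectLocality(SSORequestContext requestContext) {
        HTTPInTransport inTransport = requestContext.getInboundMessageTransport();
        SubjectLocality locality = subjectLocalityBuilder.buildObject();
        locality.setAddress(inTransport.getPeerAddress());
        return locality;
    }

    /**
     * Selects the AssertionConsumerService endpoint the response is sent to.
     *
     * <p>For a known relying party the endpoint comes from metadata via
     * {@link AuthnResponseEndpointSelector}, constrained by the request and the supported outbound
     * bindings. For the anonymous relying party there is no metadata, so the ACS URL and binding are taken
     * straight from the (unverified) AuthnRequest; the response destination is therefore chosen by the
     * requester, which is why a warning is logged for every such endpoint.
     *
     * @param requestContext current request context, must be an {@link SSORequestContext}
     * @return the selected endpoint, or null for an anonymous relying party that supplied no ACS URL
     */
    @Override
    protected Endpoint selectEndpoint(BaseSAMLProfileRequestContext requestContext) {
        AuthnRequest authnRequest = ((SSORequestContext) requestContext).getInboundSAMLMessage();
        String relyingPartyId = requestContext.getRelyingPartyConfiguration().getRelyingPartyId();

        // equals, not '!=': relying party ids are not guaranteed to be interned strings
        if (!ANONYMOUS_RP_ID.equals(relyingPartyId)) {
            AuthnResponseEndpointSelector selector = new AuthnResponseEndpointSelector();
            selector.setEndpointType(AssertionConsumerService.DEFAULT_ELEMENT_NAME);
            selector.setMetadataProvider(getMetadataProvider());
            selector.setEntityMetadata(requestContext.getPeerEntityMetadata());
            selector.setEntityRoleMetadata(requestContext.getPeerEntityRoleMetadata());
            selector.setSamlRequest(authnRequest);
            selector.getSupportedIssuerBindings().addAll(getSupportedOutboundBindings());
            return selector.selectEndpoint();
        }

        if (authnRequest.getAssertionConsumerServiceURL() == null) {
            log.warn("Unable to generate endpoint for anonymous party.  No ACS url provided.");
            return null;
        }

        Endpoint endpoint = endpointBuilder.buildObject();
        endpoint.setLocation(authnRequest.getAssertionConsumerServiceURL());
        if (authnRequest.getProtocolBinding() != null) {
            endpoint.setBinding(authnRequest.getProtocolBinding());
        } else {
            endpoint.setBinding(getSupportedOutboundBindings().get(0));
        }
        // Three placeholders for three arguments; the issuer used to be logged as the ACS url.
        log.warn("Generating endpoint for anonymous relying party {}. ACS url {} and binding {}",
                new Object[] {requestContext.getInboundMessageIssuer(), endpoint.getLocation(), endpoint.getBinding()});
        return endpoint;
    }

    /**
     * Parses and unmarshalls the serialized AuthnRequest stored in the login context.
     *
     * @param serializedRequest XML text of the AuthnRequest
     * @return the unmarshalled request
     * @throws UnmarshallingException if parsing or unmarshalling fails; the underlying exception is attached
     *             as the cause
     */
    protected AuthnRequest deserializeRequest(String serializedRequest) throws UnmarshallingException {
        try {
            Element requestElement = getParserPool().parse(new StringReader(serializedRequest)).getDocumentElement();
            return (AuthnRequest) Configuration.getUnmarshallerFactory().getUnmarshaller(requestElement)
                    .unmarshall(requestElement);
        } catch (Exception e) {
            throw new UnmarshallingException("Unable to read serialized authentication request", e);
        }
    }
}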
