package org.picketlink.identity.federation.bindings.tomcat.sp;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.util.List;
import java.util.Set;
import java.util.StringTokenizer;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Session;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.log4j.Logger;
import org.picketlink.identity.federation.api.saml.v2.request.SAML2Request;
import org.picketlink.identity.federation.bindings.tomcat.sp.holder.ServiceProviderSAMLContext;
import org.picketlink.identity.federation.bindings.util.ValveUtil;
import org.picketlink.identity.federation.core.ErrorCodes;
import org.picketlink.identity.federation.core.config.TrustType;
import org.picketlink.identity.federation.core.exceptions.ConfigurationException;
import org.picketlink.identity.federation.core.exceptions.ParsingException;
import org.picketlink.identity.federation.core.exceptions.ProcessingException;
import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
import org.picketlink.identity.federation.core.saml.v2.exceptions.AssertionExpiredException;
import org.picketlink.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
import org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil;
import org.picketlink.identity.federation.core.util.StringUtil;
import org.picketlink.identity.federation.saml.v2.protocol.AuthnRequestType;
import org.picketlink.identity.federation.saml.v2.protocol.ResponseType;
import org.picketlink.identity.federation.web.constants.GeneralConstants;
import org.picketlink.identity.federation.web.core.HTTPContext;
import org.picketlink.identity.federation.web.process.ServiceProviderBaseProcessor;
import org.picketlink.identity.federation.web.process.ServiceProviderSAMLRequestProcessor;
import org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor;
import org.picketlink.identity.federation.web.util.HTTPRedirectUtil;
import org.picketlink.identity.federation.web.util.RedirectBindingUtil;
import org.picketlink.identity.federation.web.util.ServerDetector;
import org.w3c.dom.Document;

/* loaded from: input_file:org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.class */
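/**
 * Tomcat form authenticator for a SAML v2 Service Provider that talks to the IdP over the
 * HTTP-Redirect binding.
 *
 * <p>{@link #authenticate(Request, Response, LoginConfig)} dispatches each request: a
 * {@code LOCAL_LOGOUT} parameter ends the session locally, a {@code SAMLResponse} parameter is
 * handled by {@link #handleSAMLResponse}, a {@code SAMLRequest} parameter by
 * {@link #handleSAMLRequest}, and an unauthenticated (or globally logging-out) user is sent to the
 * IdP by {@link #generalUserRequest}. Outbound SAML documents are deflated, base64/URL-encoded and
 * delivered as an HTTP redirect.
 *
 * <p>Issuer trust ({@link #isTrusted(String)}) is decided against the comma-separated domain list
 * of the SP configuration: the issuer's domain must equal a configured domain or be a subdomain of
 * it. Substring matches are deliberately not accepted.
 */
public class SPRedirectFormAuthenticator extends BaseFormAuthenticator {
    protected static Logger log = Logger.getLogger(SPRedirectFormAuthenticator.class);

    /** Result of the JBoss container detection done at construction; selects realm-based authentication. */
    protected boolean jbossEnv;

    public SPRedirectFormAuthenticator() {
        this.jbossEnv = new ServerDetector().isJboss();
    }

    /**
     * Servlet-API entry point; this authenticator only works with a Catalina {@link Response}.
     *
     * @throws RuntimeException when {@code httpServletResponse} is not a Catalina {@link Response}
     */
    public boolean authenticate(Request request, HttpServletResponse httpServletResponse, LoginConfig loginConfig) throws IOException {
        if (httpServletResponse instanceof Response) {
            return authenticate(request, (Response) httpServletResponse, loginConfig);
        }
        throw new RuntimeException(ErrorCodes.SERVICE_PROVIDER_NOT_CATALINA_RESPONSE);
    }

    /**
     * Dispatches the request to the logout, SAML-response, SAML-request or IdP-redirect path.
     *
     * @return {@code true} when the request is authenticated and may proceed, {@code false} when a
     *         redirect or logout page has already been written to {@code response}
     * @throws IOException when the logout page cannot be rendered or a SAML path fails
     */
    public boolean authenticate(Request request, Response response, LoginConfig loginConfig) throws IOException {
        Session session = request.getSessionInternal(true);

        if (isTrueParameter(request.getParameter(GeneralConstants.LOCAL_LOGOUT))) {
            try {
                sendToLogoutPage(request, response, session);
                return false;
            } catch (ServletException e) {
                log.error("Exception in logout::", e);
                throw new IOException(e);
            }
        }

        boolean globalLogout = isTrueParameter(request.getParameter(GeneralConstants.GLOBAL_LOGOUT));
        boolean hasSamlRequest = StringUtil.isNotNull(request.getParameter(GeneralConstants.SAML_REQUEST_KEY));
        boolean hasSamlResponse = StringUtil.isNotNull(request.getParameter(GeneralConstants.SAML_RESPONSE_KEY));

        // An already-authenticated user with no SAML message and no global logout passes straight through.
        if (request.getUserPrincipal() != null && !globalLogout && !hasSamlRequest && !hasSamlResponse) {
            return true;
        }
        if (hasSamlResponse) {
            return handleSAMLResponse(request, response, loginConfig);
        }
        if (hasSamlRequest) {
            return handleSAMLRequest(request, response, loginConfig);
        }
        return generalUserRequest(request, response, loginConfig);
    }

    /** Whether a request parameter is present and equals {@code "true"} ignoring case. */
    private static boolean isTrueParameter(String value) {
        return StringUtil.isNotNull(value) && "true".equalsIgnoreCase(value);
    }

    /**
     * Runs the handler chain over an inbound {@code SAMLRequest} (for example an IdP-initiated
     * logout request).
     *
     * @return the processor's result, or the outcome of local authentication when the handlers
     *         did not consume the request
     * @throws IOException wrapping any failure of the processor or of local authentication
     */
    protected boolean handleSAMLRequest(Request request, Response response, LoginConfig loginConfig) throws IOException {
        try {
            String samlRequest = request.getParameter(GeneralConstants.SAML_REQUEST_KEY);
            HTTPContext httpContext = new HTTPContext(request, response, this.context.getServletContext());
            boolean handled = new ServiceProviderSAMLRequestProcessor(false, this.serviceURL)
                    .process(samlRequest, httpContext, this.chain.handlers(), this.chainLock);
            return handled || localAuthentication(request, response, loginConfig);
        } catch (Exception e) {
            log.error("Server Exception:", e);
            throw new IOException(ErrorCodes.SERVICE_PROVIDER_SERVER_EXCEPTION, e);
        }
    }

    /**
     * Processes an inbound {@code SAMLResponse}: validates the request, runs the response handler
     * chain, and on success registers the resulting principal and roles with Tomcat.
     *
     * <p>If the handlers report an expired assertion, a fresh AuthnRequest is sent to the IdP
     * instead. If the handlers produce an outbound document with a destination, that redirect is
     * sent and local authentication decides the return value.
     *
     * @return {@code true} once the user is registered, {@code false} when a redirect or logout
     *         page was written instead
     * @throws IOException when validation fails, the handler chain fails, no principal could be
     *         established, or the realm rejects the user
     */
    protected boolean handleSAMLResponse(Request request, Response response, LoginConfig loginConfig) throws IOException {
        Session session = request.getSessionInternal(true);
        String samlResponse = request.getParameter(GeneralConstants.SAML_RESPONSE_KEY);
        Principal principal = request.getUserPrincipal();
        HTTPContext httpContext = new HTTPContext(request, response, this.context.getServletContext());
        Set<SAML2Handler> handlers = this.chain.handlers();

        try {
            if (!validate(request)) {
                throw new IOException(ErrorCodes.VALIDATION_CHECK_FAILED);
            }
            try {
                SAML2HandlerResponse handlerResponse;
                try {
                    ServiceProviderSAMLResponseProcessor responseProcessor =
                            new ServiceProviderSAMLResponseProcessor(false, this.serviceURL);
                    initializeSAMLProcessor(responseProcessor);
                    handlerResponse = responseProcessor.process(samlResponse, httpContext, handlers, this.chainLock);
                } catch (ProcessingException e) {
                    if (!(e.getCause() instanceof AssertionExpiredException)) {
                        throw e;
                    }
                    // Expired assertion: ask the IdP for a new one rather than failing the login.
                    ServiceProviderBaseProcessor baseProcessor = new ServiceProviderBaseProcessor(false, this.serviceURL);
                    initializeSAMLProcessor(baseProcessor);
                    handlerResponse = baseProcessor.process(httpContext, handlers, this.chainLock);
                    handlerResponse.setDestination(this.identityURL);
                }

                Document document = handlerResponse.getResultingDocument();
                String relayState = handlerResponse.getRelayState();
                String destination = handlerResponse.getDestination();
                if (destination != null && document != null) {
                    // The handlers produced an outbound message: redirect the browser to it.
                    String encoded = RedirectBindingUtil.deflateBase64URLEncode(
                            DocumentUtil.getDocumentAsString(document).getBytes(StandardCharsets.UTF_8));
                    String queryString = getDestinationQueryString(encoded, relayState, handlerResponse.getSendRequest());
                    RedirectBindingUtil.RedirectBindingUtilDestHolder holder = new RedirectBindingUtil.RedirectBindingUtilDestHolder();
                    holder.setDestination(destination).setDestinationQueryString(queryString);
                    HTTPRedirectUtil.sendRedirectForRequestor(RedirectBindingUtil.getDestinationURL(holder), response);
                    return localAuthentication(request, response, loginConfig);
                }

                if (!session.isValid()) {
                    sendToLogoutPage(request, response, session);
                    return false;
                }

                List<String> roles = handlerResponse.getRoles();
                if (principal == null) {
                    principal = (Principal) session.getSession().getAttribute(GeneralConstants.PRINCIPAL_ID);
                }
                if (principal == null) {
                    // Neither the request nor the session carries a principal: fail with a message
                    // instead of the NullPointerException the next line would otherwise raise.
                    throw new IOException(ErrorCodes.SERVICE_PROVIDER_SERVER_EXCEPTION + "no principal established by SAML response");
                }
                String username = principal.getName();

                Principal authenticated;
                if (new ServerDetector().isJboss() || this.jbossEnv) {
                    // The SAML roles are handed to the realm through the context; always clear it afterwards.
                    ServiceProviderSAMLContext.push(username, roles);
                    try {
                        authenticated = this.context.getRealm().authenticate(username, ServiceProviderSAMLContext.EMPTY_PASSWORD);
                    } finally {
                        ServiceProviderSAMLContext.clear();
                    }
                } else {
                    authenticated = new SPUtil().createGenericPrincipal(request, username, roles);
                }
                if (authenticated == null) {
                    // A Tomcat Realm signals a failed authentication with a null principal; never
                    // register such a user as authenticated.
                    throw new IOException(ErrorCodes.SERVICE_PROVIDER_SERVER_EXCEPTION + "realm did not authenticate " + username);
                }

                session.setNote("org.apache.catalina.session.USERNAME", username);
                session.setNote("org.apache.catalina.session.PASSWORD", ServiceProviderSAMLContext.EMPTY_PASSWORD);
                request.setUserPrincipal(authenticated);
                if (this.saveRestoreRequest) {
                    restoreRequest(request, session);
                }
                register(request, response, authenticated, "FORM", username, ServiceProviderSAMLContext.EMPTY_PASSWORD);
                return true;
            } catch (ProcessingException e) {
                if (!(e.getCause() instanceof AssertionExpiredException)) {
                    throw new IOException(ErrorCodes.SERVICE_PROVIDER_SERVER_EXCEPTION + e.getLocalizedMessage(), e);
                }
                log.error("Assertion has expired. Asking IDP for reissue");
                return generalUserRequest(request, response, loginConfig);
            } catch (IOException e) {
                // Already carries a message; do not re-wrap it.
                throw e;
            } catch (Exception e) {
                if (this.trace) {
                    log.trace("Server Exception:", e);
                }
                throw new IOException(ErrorCodes.SERVICE_PROVIDER_SERVER_EXCEPTION + e.getLocalizedMessage(), e);
            }
        } catch (IOException e) {
            throw e;
        } catch (Exception e) {
            log.error("Exception:", e);
            throw new IOException(ErrorCodes.SERVICE_PROVIDER_SERVER_EXCEPTION + e.getLocalizedMessage(), e);
        }
    }

    /**
     * Starts SP-initiated authentication: runs the base handler chain to build an outbound message
     * (normally an AuthnRequest) and redirects the browser to the IdP with it.
     *
     * @return {@code false} after the redirect has been sent; otherwise the outcome of local
     *         authentication when the handlers produced no document or destination
     * @throws IOException when encoding or sending the redirect fails
     * @throws RuntimeException wrapping configuration, parsing or processing failures of the chain
     */
    protected boolean generalUserRequest(Request request, Response response, LoginConfig loginConfig) throws IOException {
        Session session = request.getSessionInternal(true);
        HTTPContext httpContext = new HTTPContext(request, response, this.context.getServletContext());
        Set<SAML2Handler> handlers = this.chain.handlers();
        try {
            ServiceProviderBaseProcessor baseProcessor = new ServiceProviderBaseProcessor(false, this.serviceURL);
            initializeSAMLProcessor(baseProcessor);
            SAML2HandlerResponse handlerResponse = baseProcessor.process(httpContext, handlers, this.chainLock);
            handlerResponse.setDestination(this.identityURL);

            Document document = handlerResponse.getResultingDocument();
            String relayState = handlerResponse.getRelayState();
            String destination = handlerResponse.getDestination();
            if (destination == null || document == null) {
                return localAuthentication(request, response, loginConfig);
            }
            try {
                String documentAsString = DocumentUtil.getDocumentAsString(document);
                if (this.trace) {
                    log.trace("SAML Document=" + documentAsString);
                }
                String encoded = RedirectBindingUtil.deflateBase64URLEncode(documentAsString.getBytes(StandardCharsets.UTF_8));
                String queryString = getDestinationQueryString(encoded, relayState, handlerResponse.getSendRequest());
                RedirectBindingUtil.RedirectBindingUtilDestHolder holder = new RedirectBindingUtil.RedirectBindingUtilDestHolder();
                holder.setDestination(destination).setDestinationQueryString(queryString);
                String destinationURL = RedirectBindingUtil.getDestinationURL(holder);
                if (this.trace) {
                    log.trace("URL used for sending:" + destinationURL);
                }
                // Remember the original request so it can be replayed once the IdP answers.
                if (this.saveRestoreRequest) {
                    saveRequest(request, session);
                }
                HTTPRedirectUtil.sendRedirectForRequestor(destinationURL, response);
                return false;
            } catch (Exception e) {
                if (this.trace) {
                    log.trace("Exception:", e);
                }
                throw new IOException(ErrorCodes.SERVICE_PROVIDER_SERVER_EXCEPTION, e);
            }
        } catch (ConfigurationException e) {
            log.error("Config Exception:", e);
            throw new RuntimeException(e);
        } catch (ParsingException e) {
            log.error("Parsing Exception:", e);
            throw new RuntimeException(e);
        } catch (ProcessingException e) {
            log.error("Processing Exception:", e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Builds the full redirect URL for an AuthnRequest to the configured IdP.
     *
     * @param relayState value placed in the {@code RelayState} query parameter
     * @return the IdP destination URL with the encoded request appended as query string
     * @throws ServletException when {@code serviceURL} is not configured
     */
    protected String createSAMLRequestMessage(String relayState, Response response) throws ServletException, ConfigurationException, IOException, ProcessingException {
        if (this.serviceURL == null) {
            throw new ServletException("PL00092: Null Value:serviceURL");
        }
        AuthnRequestType authnRequest = new SPUtil().createSAMLRequest(this.serviceURL, this.identityURL);
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        new SAML2Request().marshall(authnRequest, buffer);
        String encoded = RedirectBindingUtil.deflateBase64URLEncode(buffer.toByteArray());
        String destination = authnRequest.getDestination().toASCIIString();
        String queryString = getDestinationQueryString(encoded, relayState, true);
        RedirectBindingUtil.RedirectBindingUtilDestHolder holder = new RedirectBindingUtil.RedirectBindingUtilDestHolder();
        holder.setDestinationQueryString(queryString).setDestination(destination);
        return RedirectBindingUtil.getDestinationURL(holder);
    }

    /** @return the SAML HTTP-Redirect binding URI this authenticator speaks. */
    @Override
    protected String getBinding() {
        return JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get();
    }

    /**
     * Builds the redirect query string for an encoded SAML message.
     *
     * @param encodedMessage deflated, base64/URL-encoded SAML document
     * @param relayState     optional relay state, may be {@code null}
     * @param sendRequest    {@code true} to send as {@code SAMLRequest}, {@code false} as {@code SAMLResponse}
     */
    protected String getDestinationQueryString(String encodedMessage, String relayState, boolean sendRequest) {
        return RedirectBindingUtil.getDestinationQueryString(encodedMessage, relayState, sendRequest);
    }

    /**
     * Checks the issuer of an inbound SAML message against the trusted-domain list of the SP
     * configuration.
     *
     * <p>The issuer is accepted when its domain equals one of the configured domains or is a
     * subdomain of one (dot boundary enforced). An absent trust section accepts every issuer, as
     * before. A missing or blank domain list, or a blank issuer domain, is rejected.
     * Assumes {@link ValveUtil#getDomain(String)} returns a bare host name — confirm against that
     * helper if entries with ports or schemes are expected.
     *
     * @param issuer the issuer value taken from the SAML message
     * @throws IssuerNotTrustedException when no configured domain matches, or when the check
     *         itself fails (the cause is preserved)
     */
    protected void isTrusted(String issuer) throws IssuerNotTrustedException {
        try {
            String issuerDomain = ValveUtil.getDomain(issuer);
            TrustType trust = this.spConfiguration.getTrust();
            if (trust == null) {
                return;
            }
            String domains = trust.getDomains();
            if (this.trace) {
                log.trace("Domains that SP trusts=" + domains + " and issuer domain=" + issuerDomain);
            }
            if (domains == null || issuerDomain == null || issuerDomain.trim().isEmpty()) {
                throw new IssuerNotTrustedException(issuer);
            }
            for (String entry : domains.split(",")) {
                String trustedDomain = entry.trim();
                if (this.trace) {
                    log.trace("Matching uri bit=" + trustedDomain);
                }
                if (matchesTrustedDomain(issuerDomain, trustedDomain)) {
                    if (this.trace) {
                        log.trace("Matched " + trustedDomain + " trust for " + issuerDomain);
                    }
                    return;
                }
            }
            throw new IssuerNotTrustedException(issuer);
        } catch (IssuerNotTrustedException e) {
            throw e;
        } catch (Exception e) {
            throw new IssuerNotTrustedException(e.getLocalizedMessage(), e);
        }
    }

    /**
     * Returns whether {@code issuerDomain} is {@code trustedDomain} itself or a subdomain of it.
     * The dot boundary is what separates {@code idp.example.com} (trusted for {@code example.com})
     * from {@code notexample.com} (not trusted); a plain substring test would accept both. A
     * leading dot on the configured entry ({@code .example.com}) expresses the same rule.
     */
    private static boolean matchesTrustedDomain(String issuerDomain, String trustedDomain) {
        String bare = trustedDomain.startsWith(".") ? trustedDomain.substring(1) : trustedDomain;
        if (bare.isEmpty()) {
            return false;
        }
        return issuerDomain.equals(bare) || issuerDomain.endsWith("." + bare);
    }

    /**
     * Applies this authenticator's issuer id (when set) and SP configuration to a processor before
     * it runs the handler chain. Public in the compiled class although conceptually protected.
     */
    public void initializeSAMLProcessor(ServiceProviderBaseProcessor processor) {
        if (this.issuerID != null) {
            processor.setIssuer(this.issuerID);
        }
        processor.setConfiguration(this.spConfiguration);
    }

    /**
     * Encrypted assertions are not supported over the redirect binding.
     *
     * @throws RuntimeException always, with {@link ErrorCodes#AUTHENTICATOR_DOES_NOT_HANDLE_ENC}
     */
    protected ResponseType decryptAssertion(ResponseType responseType) throws IOException, GeneralSecurityException, ConfigurationException, ParsingException {
        throw new RuntimeException(ErrorCodes.AUTHENTICATOR_DOES_NOT_HANDLE_ENC);
    }
}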
