package org.picketlink.identity.federation.bindings.wildfly.sp;

import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.idm.Account;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.handlers.form.FormParserFactory;
import io.undertow.servlet.handlers.ServletRequestContext;
import io.undertow.servlet.handlers.security.ServletFormAuthenticationMechanism;
import io.undertow.servlet.spec.ServletContextImpl;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.Timer;
import java.util.TimerTask;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.picketlink.common.PicketLinkLogger;
import org.picketlink.common.PicketLinkLoggerFactory;
import org.picketlink.common.constants.JBossSAMLConstants;
import org.picketlink.common.exceptions.ConfigurationException;
import org.picketlink.common.exceptions.ParsingException;
import org.picketlink.common.exceptions.ProcessingException;
import org.picketlink.common.exceptions.fed.AssertionExpiredException;
import org.picketlink.common.util.DocumentUtil;
import org.picketlink.common.util.StringUtil;
import org.picketlink.common.util.SystemPropertiesUtil;
import org.picketlink.config.federation.AuthPropertyType;
import org.picketlink.config.federation.KeyProviderType;
import org.picketlink.config.federation.PicketLinkType;
import org.picketlink.config.federation.SPType;
import org.picketlink.config.federation.handler.Handlers;
import org.picketlink.identity.federation.api.saml.v2.metadata.MetaDataExtractor;
import org.picketlink.identity.federation.bindings.wildfly.ServiceProviderSAMLContext;
import org.picketlink.identity.federation.core.SerializablePrincipal;
import org.picketlink.identity.federation.core.audit.PicketLinkAuditEvent;
import org.picketlink.identity.federation.core.audit.PicketLinkAuditEventType;
import org.picketlink.identity.federation.core.audit.PicketLinkAuditHelper;
import org.picketlink.identity.federation.core.interfaces.TrustKeyManager;
import org.picketlink.identity.federation.core.parsers.saml.SAMLParser;
import org.picketlink.identity.federation.core.saml.v2.factories.SAML2HandlerChainFactory;
import org.picketlink.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerChainConfig;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerChain;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
import org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil;
import org.picketlink.identity.federation.core.saml.v2.util.HandlerUtil;
import org.picketlink.identity.federation.core.saml.workflow.ServiceProviderSAMLWorkflow;
import org.picketlink.identity.federation.core.util.CoreConfigUtil;
import org.picketlink.identity.federation.saml.v1.assertion.SAML11AssertionType;
import org.picketlink.identity.federation.saml.v1.assertion.SAML11AuthenticationStatementType;
import org.picketlink.identity.federation.saml.v1.protocol.SAML11ResponseType;
import org.picketlink.identity.federation.saml.v2.metadata.EndpointType;
import org.picketlink.identity.federation.saml.v2.metadata.EntitiesDescriptorType;
import org.picketlink.identity.federation.saml.v2.metadata.EntityDescriptorType;
import org.picketlink.identity.federation.saml.v2.metadata.IDPSSODescriptorType;
import org.picketlink.identity.federation.saml.v2.metadata.KeyDescriptorType;
import org.picketlink.identity.federation.web.core.HTTPContext;
import org.picketlink.identity.federation.web.process.ServiceProviderBaseProcessor;
import org.picketlink.identity.federation.web.process.ServiceProviderSAMLRequestProcessor;
import org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor;
import org.picketlink.identity.federation.web.util.ConfigurationUtil;
import org.picketlink.identity.federation.web.util.PostBindingUtil;
import org.picketlink.identity.federation.web.util.RedirectBindingUtil;
import org.picketlink.identity.federation.web.util.SAMLConfigurationProvider;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.wildfly.extension.undertow.security.AccountImpl;

@WebListener
/* loaded from: input_file:org/picketlink/identity/federation/bindings/wildfly/sp/SPFormAuthenticationMechanism.class */
public class SPFormAuthenticationMechanism extends ServletFormAuthenticationMechanism {
    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
    // Optional class name of a custom SAML2HandlerChain; null/empty selects the factory default (see startPicketLink).
    protected transient String samlHandlerChainClass;
    // Web application this mechanism protects: source of /WEB-INF resources and of the audit "whoIsAuditing" path.
    protected final ServletContext servletContext;
    // Options handed to the handler chain; populated by populateChainConfig(), which lies outside this excerpt.
    protected Map<String, Object> chainConfigOptions;
    // Supplier of the PicketLink/SP configuration, injected through the constructor.
    protected SAMLConfigurationProvider configProvider;
    // IdP certificate slot; nothing in the visible code assigns it.
    protected transient X509Certificate idpCertificate;
    // Period (ms) of the configuration/key-provider refresh timer; values <= 0 disable it (constructor sets -1).
    protected int timerInterval;
    // Non-daemon java.util.Timer backing the refresh task; created lazily in startPicketLink.
    protected Timer timer;
    // Placeholder credential used when an Undertow Account is built from a SAML assertion (no password is ever known here).
    public static final String EMPTY_PASSWORD = "EMPTY_STR";
    // When true, PicketLinkAuditEvents are emitted through auditHelper at each SAML exchange.
    protected boolean enableAudit;
    // Session attribute holding the Account established by a SAML response; re-registered on later requests when saveRestoreRequest is set.
    public static final String FORM_ACCOUNT_NOTE = "picketlink.form.account";
    // Session attribute under which a saved HttpServletRequest is looked up (see savedRequestURL).
    public static final String FORM_REQUEST_NOTE = "picketlink.REQUEST";
    // SAML2 handler chain; its handlers() set is passed to every processor together with chainLock.
    protected transient SAML2HandlerChain chain;
    // SP section of the PicketLink configuration (binding type, URLs, key provider, pages).
    protected SPType spConfiguration;
    // Full PicketLink configuration; built in startPicketLink when the provider did not supply one.
    protected PicketLinkType picketLinkConfiguration;
    protected String serviceURL;
    // IdP endpoint; may be overwritten from IdP metadata (processIDPMetadataFile).
    protected String identityURL;
    // Optional issuer override applied to outgoing requests.
    protected String issuerID;
    protected String configFile;
    // Cache the authenticated Account on the session and redirect back to the originally requested resource.
    protected boolean saveRestoreRequest;
    // Lock handed to the processors to serialise handler-chain execution.
    protected Lock chainLock;
    protected String canonicalizationMethod;
    protected PicketLinkAuditHelper auditHelper;
    // Validates IdP signatures; only created when the SP configuration supports signatures (initKeyProvider).
    protected TrustKeyManager keyManager;

    /**
     * Creates the mechanism and immediately bootstraps PicketLink for the given web application.
     *
     * <p>{@code str}, {@code str2} and {@code str3} are forwarded unchanged to the Undertow form
     * mechanism (presumably mechanism name, login page and error page; confirm against the Undertow
     * version in use). Note that {@link #startPicketLink()} is overridable and is invoked from this
     * constructor, so a subclass override runs before the subclass's own constructor body.
     *
     * @param formParserFactory parser used by the inherited form handling
     * @param servletContext web application being protected
     * @param sAMLConfigurationProvider source of the PicketLink configuration
     * @param picketLinkAuditHelper audit sink used when auditing is enabled
     */
    public SPFormAuthenticationMechanism(FormParserFactory formParserFactory, String str, String str2, String str3, ServletContext servletContext, SAMLConfigurationProvider sAMLConfigurationProvider, PicketLinkAuditHelper picketLinkAuditHelper) {
        super(formParserFactory, str, str2, str3);
        // collaborators supplied by the caller
        this.servletContext = servletContext;
        this.configProvider = sAMLConfigurationProvider;
        this.auditHelper = picketLinkAuditHelper;
        // defaults for the mutable state
        this.chainLock = new ReentrantLock();
        this.chainConfigOptions = new HashMap<String, Object>();
        this.canonicalizationMethod = "http://www.w3.org/2001/10/xml-exc-c14n#WithComments";
        this.saveRestoreRequest = true;
        this.enableAudit = false;
        this.timerInterval = -1;
        this.timer = null;
        this.samlHandlerChainClass = null;
        this.idpCertificate = null;
        this.chain = null;
        this.spConfiguration = null;
        this.picketLinkConfiguration = null;
        this.serviceURL = null;
        this.identityURL = null;
        this.issuerID = null;
        startPicketLink();
    }

    /**
     * Reports that a challenge was issued. When the response is already complete (a redirect to the
     * IdP or to a page was written) no status is attached; otherwise a 302 is reported.
     */
    public AuthenticationMechanism.ChallengeResult sendChallenge(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        if (httpServerExchange.isResponseComplete()) {
            return new AuthenticationMechanism.ChallengeResult(true);
        }
        return new AuthenticationMechanism.ChallengeResult(true, 302);
    }

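    /**
     * Entry point for every request on the protected application. Dispatches between local logout,
     * the already-authenticated short-circuit, inbound SAML traffic and the initial redirect to the IdP.
     *
     * <p>Security notes: when {@code saveRestoreRequest} is set, an Account cached on the session
     * under {@link #FORM_ACCOUNT_NOTE} is re-registered on every request without re-validation, so
     * invalidating the session is what ends that login. A request carrying {@code SAMLRequest} or
     * {@code SAMLResponse} is always routed to the SAML handlers, even for an authenticated user.
     *
     * <p>Fixes relative to the previous version: the unreachable {@code super.authenticate} branch of
     * the nested ternary and the redundant second {@code isLocalLogoutRequest} check are gone; the
     * dispatch is now a plain if/else. Behaviour is otherwise unchanged.
     *
     * @return AUTHENTICATED, NOT_AUTHENTICATED or whatever the delegated handler returns
     * @throws RuntimeException when the logout page cannot be rendered, or when global-logout
     *         detection fails and no error page is configured
     */
    public AuthenticationMechanism.AuthenticationMechanismOutcome authenticate(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        ServletRequestContext servletRequestContext = (ServletRequestContext) httpServerExchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
        ServletContextImpl currentServletContext = servletRequestContext.getCurrentServletContext();
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequestContext.getServletRequest();
        HttpServletResponse servletResponse = servletRequestContext.getServletResponse();
        HttpSession session = httpServletRequest.getSession(true);

        // Re-establish the identity cached by handleSAML2Response on a previous request.
        if (this.saveRestoreRequest) {
            Account cachedAccount = (Account) session.getAttribute(FORM_ACCOUNT_NOTE);
            if (cachedAccount != null) {
                register(securityContext, cachedAccount);
            }
        }

        ServiceProviderSAMLWorkflow workflow = new ServiceProviderSAMLWorkflow();
        if (workflow.isLocalLogoutRequest(httpServletRequest)) {
            try {
                workflow.sendToLogoutPage(httpServletRequest, servletResponse, session, currentServletContext, this.spConfiguration.getLogOutPage());
                return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
            } catch (ServletException e) {
                logger.samlLogoutError(e);
                throw new RuntimeException(e);
            } catch (IOException e) {
                logger.samlLogoutError(e);
                throw new RuntimeException(e);
            }
        }

        String samlRequest = httpServletRequest.getParameter("SAMLRequest");
        String samlResponse = httpServletRequest.getParameter("SAMLResponse");
        boolean carriesSAMLMessage = StringUtil.isNotNull(samlRequest) || StringUtil.isNotNull(samlResponse);

        if (httpServletRequest.getUserPrincipal() != null) {
            try {
                // Local logout was handled above; only a global logout or SAML traffic keeps an
                // authenticated user from being short-circuited here.
                if (!isGlobalLogout(httpServletRequest) && !carriesSAMLMessage) {
                    return AuthenticationMechanism.AuthenticationMechanismOutcome.AUTHENTICATED;
                }
            } catch (IOException e) {
                String errorPage = this.spConfiguration.getErrorPage();
                if (!StringUtil.isNotNull(errorPage)) {
                    throw new RuntimeException(e);
                }
                try {
                    httpServletRequest.getRequestDispatcher(errorPage).forward(httpServletRequest, servletResponse);
                } catch (IOException forwardError) {
                    logger.samlErrorPageForwardError(errorPage, forwardError);
                } catch (ServletException forwardError) {
                    logger.samlErrorPageForwardError(errorPage, forwardError);
                }
                return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
            }
        }

        if (carriesSAMLMessage) {
            // A response takes precedence when both parameters are present, as before.
            if (StringUtil.isNotNull(samlResponse)) {
                return handleSAMLResponse(httpServerExchange, securityContext);
            }
            return handleSAMLRequest(httpServerExchange, securityContext);
        }

        // First contact: remember where the user wanted to go, then start the SAML flow.
        storeInitialLocation(httpServerExchange);
        return generalUserRequest(httpServerExchange, securityContext);
    }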

    /**
     * Routes an inbound {@code SAMLResponse} by protocol version: SAML 2.0 goes to
     * {@link #handleSAML2Response}, anything else is treated as a SAML 1.1 unsolicited response.
     *
     * @throws IOException propagated from the version-specific handler
     */
    private AuthenticationMechanism.AuthenticationMechanismOutcome handleSAMLResponse(HttpServerExchange httpServerExchange, SecurityContext securityContext) throws IOException {
        ServletRequestContext requestContext = (ServletRequestContext) httpServerExchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
        HttpServletRequest request = (HttpServletRequest) requestContext.getServletRequest();
        String samlVersion = getSAMLVersion(request);
        boolean isSaml2 = JBossSAMLConstants.VERSION_2_0.get().equals(samlVersion);
        if (isSaml2) {
            return handleSAML2Response(httpServerExchange, securityContext);
        }
        HttpServletResponse response = (HttpServletResponse) requestContext.getServletResponse();
        return handleSAML11UnsolicitedResponse(request, response, securityContext);
    }

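    /**
     * Handles a request from a not-yet-authenticated user: runs the handler chain to build an
     * AuthnRequest and redirects/POSTs it to the IdP. When the chain yields no destination or no
     * document the request falls back to {@link #localAuthentication}.
     *
     * <p>Fix: the binding decision now comes from {@link #isHttpPostBinding()} for both the
     * processor and the send, where the processor previously used a case-sensitive
     * {@code equals("POST")} while the send used {@code equalsIgnoreCase}; a lower-case binding
     * type in the configuration no longer produces a mismatched request/transport pair.
     *
     * @throws IOException propagated from localAuthentication
     * @throws RuntimeException wrapping parsing/configuration/processing failures of the chain,
     *         or the logger-built exception when sending to the IdP fails
     */
    private AuthenticationMechanism.AuthenticationMechanismOutcome generalUserRequest(HttpServerExchange httpServerExchange, SecurityContext securityContext) throws IOException {
        ServiceProviderSAMLWorkflow workflow = new ServiceProviderSAMLWorkflow();
        workflow.setRedirectionHandler(new UndertowRedirectionHandler(httpServerExchange));
        ServletRequestContext servletRequestContext = (ServletRequestContext) httpServerExchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
        ServletContextImpl currentServletContext = servletRequestContext.getCurrentServletContext();
        HttpServletRequest servletRequest = servletRequestContext.getServletRequest();
        HttpServletResponse servletResponse = servletRequestContext.getServletResponse();
        // Ensure a session exists before we leave for the IdP; the session object itself is not needed here.
        servletRequest.getSession(true);
        HTTPContext httpContext = new HTTPContext(servletRequest, servletResponse, currentServletContext);
        Set<SAML2Handler> handlers = this.chain.handlers();
        boolean postBinding = isHttpPostBinding();
        try {
            ServiceProviderBaseProcessor processor = new ServiceProviderBaseProcessor(postBinding, this.serviceURL, this.picketLinkConfiguration);
            if (this.issuerID != null) {
                processor.setIssuer(this.issuerID);
            }
            processor.setIdentityURL(this.identityURL);
            processor.setAuditHelper(this.auditHelper);
            SAML2HandlerResponse handlerResponse = processor.process(httpContext, handlers, this.chainLock);
            Document samlRequestDocument = handlerResponse.getResultingDocument();
            String destination = handlerResponse.getDestination();
            if (destination == null || samlRequestDocument == null) {
                // Chain produced nothing to send: let the inherited FORM mechanism handle it.
                return localAuthentication(httpServerExchange, securityContext);
            }
            String relayState = handlerResponse.getRelayState();
            boolean sendRequest = handlerResponse.getSendRequest();
            String signedQueryString = handlerResponse.getDestinationQueryStringWithSignature();
            try {
                if (this.saveRestoreRequest) {
                    storeInitialLocation(httpServerExchange);
                }
                if (this.enableAudit) {
                    PicketLinkAuditEvent auditEvent = new PicketLinkAuditEvent("Info");
                    auditEvent.setType(PicketLinkAuditEventType.REQUEST_TO_IDP);
                    auditEvent.setWhoIsAuditing(currentServletContext.getContextPath());
                    this.auditHelper.audit(auditEvent);
                }
                workflow.sendRequestToIDP(destination, samlRequestDocument, relayState, servletResponse, sendRequest, signedQueryString, postBinding);
                return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
            } catch (Exception e) {
                logger.samlSPHandleRequestError(e);
                throw logger.samlSPProcessingExceptionError(e);
            }
        } catch (ParsingException e) {
            logger.samlSPHandleRequestError(e);
            throw new RuntimeException(e);
        } catch (ConfigurationException e) {
            logger.samlSPHandleRequestError(e);
            throw new RuntimeException(e);
        } catch (ProcessingException e) {
            logger.samlSPHandleRequestError(e);
            throw new RuntimeException(e);
        }
    }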

    /**
     * Never reports a match: the SAML flow restores the original request itself (see
     * {@link #savedRequestURL}), so the inherited saved-request matching is switched off.
     */
    protected boolean matchRequest(HttpServletRequest httpServletRequest) {
        final boolean matchesSavedRequest = false;
        return matchesSavedRequest;
    }

    /**
     * Marks the exchange as authenticated with the given account under the "FORM" mechanism name.
     * The final argument ({@code false}) is passed straight through to Undertow.
     */
    protected void register(SecurityContext securityContext, Account account) {
        final String mechanismName = "FORM";
        final boolean cachingRequired = false;
        securityContext.authenticationComplete(account, mechanismName, cachingRequired);
    }

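    /**
     * Fallback when the SAML flow did not produce a message to send: an already-established
     * principal is accepted, otherwise the inherited FORM login is attempted.
     *
     * <p>Fixes: two discarded getter calls left over from decompilation were removed, and the
     * {@code NoSuchMethodError} from the inherited mechanism (an Undertow version mismatch) is now
     * logged instead of silently mapped to NOT_AUTHENTICATED.
     *
     * @throws IOException propagated from the inherited form authentication
     */
    protected AuthenticationMechanism.AuthenticationMechanismOutcome localAuthentication(HttpServerExchange httpServerExchange, SecurityContext securityContext) throws IOException {
        ServletRequestContext servletRequestContext = (ServletRequestContext) httpServerExchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
        HttpServletRequest servletRequest = servletRequestContext.getServletRequest();
        if (servletRequest.getUserPrincipal() != null) {
            return AuthenticationMechanism.AuthenticationMechanismOutcome.AUTHENTICATED;
        }
        logger.samlSPFallingBackToLocalFormAuthentication();
        try {
            return super.authenticate(httpServerExchange, securityContext);
        } catch (NoSuchMethodError e) {
            // Incompatible Undertow on the classpath; keep the old outcome but leave a trace.
            logger.error("Local FORM authentication is unavailable (NoSuchMethodError), returning NOT_AUTHENTICATED: " + e.getMessage());
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
    }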

    /**
     * Handles an inbound {@code SAMLRequest} (IdP-initiated traffic) by running it through the
     * request processor, which is given the trust key manager for signature validation.
     * If the processor already committed the response nothing further is done; otherwise a
     * successfully processed request is reported as authenticated and anything else falls back
     * to {@link #localAuthentication}.
     *
     * @throws IOException propagated from localAuthentication
     * @throws RuntimeException built by the logger when processing fails
     */
    private AuthenticationMechanism.AuthenticationMechanismOutcome handleSAMLRequest(HttpServerExchange httpServerExchange, SecurityContext securityContext) throws IOException {
        ServletRequestContext requestContext = (ServletRequestContext) httpServerExchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
        ServletContextImpl servletCtx = requestContext.getCurrentServletContext();
        HttpServletRequest request = requestContext.getServletRequest();
        HttpServletResponse response = requestContext.getServletResponse();
        String samlRequest = request.getParameter("SAMLRequest");
        HTTPContext httpContext = new HTTPContext(request, response, servletCtx);
        Set handlers = this.chain.handlers();
        try {
            boolean postBinding = request.getMethod().equals("POST");
            ServiceProviderSAMLRequestProcessor processor = new ServiceProviderSAMLRequestProcessor(postBinding, this.serviceURL, this.picketLinkConfiguration);
            processor.setTrustKeyManager(this.keyManager);
            boolean processed = processor.process(samlRequest, httpContext, handlers, this.chainLock);
            if (this.enableAudit) {
                PicketLinkAuditEvent auditEvent = new PicketLinkAuditEvent("Info");
                auditEvent.setType(PicketLinkAuditEventType.REQUEST_FROM_IDP);
                auditEvent.setWhoIsAuditing(servletCtx.getContextPath());
                this.auditHelper.audit(auditEvent);
            }
            if (response.isCommitted()) {
                return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
            }
            if (processed) {
                return AuthenticationMechanism.AuthenticationMechanismOutcome.AUTHENTICATED;
            }
            return localAuthentication(httpServerExchange, securityContext);
        } catch (Exception e) {
            logger.samlSPHandleRequestError(e);
            throw logger.samlSPProcessingExceptionError(e);
        }
    }

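    /**
     * Consumes a SAML 2.0 {@code SAMLResponse}: validates the request, runs the response processor
     * (signature checks via the trust key manager), and on success builds an Undertow Account from
     * the established principal and roles, registers it and optionally redirects back to the saved
     * location. An expired assertion restarts the flow with the IdP; a handler-produced document
     * (e.g. a follow-up message) is sent to the IdP instead.
     *
     * <p>Fixes relative to the decompiled version: the catch order is {@code ProcessingException}
     * before {@code Exception} (the reverse is unreachable), the cause is checked with
     * {@code instanceof} before casting, {@code ServiceProviderSAMLContext.clear()} lives in a
     * {@code finally}, a missing principal fails with an explicit message instead of an NPE, and
     * the placeholder credential uses {@link #EMPTY_PASSWORD}.
     *
     * @throws IOException when the workflow's validation check fails
     * @throws RuntimeException built by the logger when processing fails
     */
    private AuthenticationMechanism.AuthenticationMechanismOutcome handleSAML2Response(HttpServerExchange httpServerExchange, SecurityContext securityContext) throws IOException {
        ServiceProviderSAMLWorkflow workflow = new ServiceProviderSAMLWorkflow();
        ServletRequestContext servletRequestContext = (ServletRequestContext) httpServerExchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
        ServletContextImpl currentServletContext = servletRequestContext.getCurrentServletContext();
        HttpServletRequest servletRequest = servletRequestContext.getServletRequest();
        HttpServletResponse servletResponse = servletRequestContext.getServletResponse();
        HttpSession session = servletRequest.getSession(true);
        String samlResponse = servletRequest.getParameter("SAMLResponse");
        HTTPContext httpContext = new HTTPContext(servletRequest, servletResponse, currentServletContext);
        Set<SAML2Handler> handlers = this.chain.handlers();
        Principal userPrincipal = servletRequest.getUserPrincipal();
        try {
            if (!workflow.validate(servletRequest)) {
                throw new IOException("PL00019: Validation check failed");
            }
            try {
                ServiceProviderSAMLResponseProcessor processor = new ServiceProviderSAMLResponseProcessor(servletRequest.getMethod().equals("POST"), this.serviceURL, this.picketLinkConfiguration);
                if (this.auditHelper != null) {
                    processor.setAuditHelper(this.auditHelper);
                }
                processor.setTrustKeyManager(this.keyManager);
                SAML2HandlerResponse handlerResponse = processor.process(samlResponse, httpContext, handlers, this.chainLock);
                Document resultingDocument = handlerResponse.getResultingDocument();
                String relayState = handlerResponse.getRelayState();
                String destination = handlerResponse.getDestination();
                boolean sendRequest = handlerResponse.getSendRequest();
                String signedQueryString = handlerResponse.getDestinationQueryStringWithSignature();

                if (destination != null && resultingDocument != null) {
                    // The chain produced a message for the IdP; send it and let the local mechanism decide.
                    workflow.sendRequestToIDP(destination, resultingDocument, relayState, servletResponse, sendRequest, signedQueryString, isHttpPostBinding());
                    // Explicit clear before localAuthentication runs, as in the original; finally clears again.
                    ServiceProviderSAMLContext.clear();
                    return localAuthentication(httpServerExchange, securityContext);
                }

                if (!sessionIsValid(session)) {
                    workflow.sendToLogoutPage(servletRequest, servletResponse, session, currentServletContext, this.spConfiguration.getLogOutPage());
                    return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
                }

                List<String> roles = handlerResponse.getRoles();
                if (userPrincipal == null) {
                    // Handlers publish the principal on the session when the container has none yet.
                    userPrincipal = (Principal) session.getAttribute("picketlink.principal");
                }
                if (userPrincipal == null) {
                    throw new IllegalStateException("SAML response was processed but no principal was established by the handler chain");
                }
                String username = userPrincipal.getName();
                if (logger.isTraceEnabled()) {
                    logger.trace("Roles determined for username=" + username + "=" + Arrays.toString(roles.toArray()));
                }
                ServiceProviderSAMLContext.push(username, roles);
                // No password is known for a SAML-authenticated user; the identity manager is expected to accept the placeholder.
                Account account = securityContext.getIdentityManager().verify(new AccountImpl(userPrincipal, new HashSet<String>(roles), EMPTY_PASSWORD));
                register(securityContext, account);
                if (this.enableAudit) {
                    PicketLinkAuditEvent auditEvent = new PicketLinkAuditEvent("Info");
                    auditEvent.setType(PicketLinkAuditEventType.RESPONSE_FROM_IDP);
                    auditEvent.setSubjectName(username);
                    auditEvent.setWhoIsAuditing(currentServletContext.getContextPath());
                    this.auditHelper.audit(auditEvent);
                }
                if (this.saveRestoreRequest) {
                    // Cache the account for later requests (see authenticate) and return to the saved location.
                    session.setAttribute(FORM_ACCOUNT_NOTE, account);
                    handleRedirectBack(httpServerExchange);
                    httpServerExchange.endExchange();
                }
                return AuthenticationMechanism.AuthenticationMechanismOutcome.AUTHENTICATED;
            } catch (ProcessingException pe) {
                Throwable cause = pe.getCause();
                if (!(cause instanceof AssertionExpiredException)) {
                    logger.samlSPHandleRequestError(pe);
                    throw logger.samlSPProcessingExceptionError(pe);
                }
                logger.error("Assertion has expired. Asking IDP for reissue");
                if (this.enableAudit) {
                    PicketLinkAuditEvent auditEvent = new PicketLinkAuditEvent("Info");
                    auditEvent.setType(PicketLinkAuditEventType.EXPIRED_ASSERTION);
                    auditEvent.setAssertionID(((AssertionExpiredException) cause).getId());
                    this.auditHelper.audit(auditEvent);
                }
                // Start a fresh authentication round-trip with the IdP.
                return generalUserRequest(httpServerExchange, securityContext);
            } catch (Exception e) {
                logger.samlSPHandleRequestError(e);
                throw logger.samlSPProcessingExceptionError(e);
            }
        } finally {
            ServiceProviderSAMLContext.clear();
        }
    }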

    /**
     * True when the configured SP binding type is "POST" (case-insensitive); anything else is
     * treated as the redirect binding by callers.
     */
    protected boolean isHttpPostBinding() {
        String bindingType = this.spConfiguration.getBindingType();
        return bindingType.equalsIgnoreCase("POST");
    }

    /**
     * Probes the session with a cheap accessor; an invalidated session throws
     * {@link IllegalStateException}, which is reported as "not valid".
     */
    protected boolean sessionIsValid(HttpSession httpSession) {
        boolean valid;
        try {
            httpSession.getCreationTime();
            valid = true;
        } catch (IllegalStateException invalidated) {
            valid = false;
        }
        return valid;
    }

    /**
     * Rebuilds the URL (request URI plus optional query string) of the request saved on the session
     * under {@link #FORM_REQUEST_NOTE}; returns an empty string when nothing was saved.
     */
    protected String savedRequestURL(HttpSession httpSession) {
        HttpServletRequest savedRequest = (HttpServletRequest) httpSession.getAttribute(FORM_REQUEST_NOTE);
        if (savedRequest == null) {
            return "";
        }
        StringBuilder url = new StringBuilder();
        url.append(savedRequest.getRequestURI());
        String query = savedRequest.getQueryString();
        if (query != null) {
            url.append('?').append(query);
        }
        return url.toString();
    }

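    /**
     * Bootstraps PicketLink: optionally schedules a periodic configuration/key refresh, creates the
     * handler chain, loads the configuration, registers the handlers, initialises the trust key
     * manager and finalises the chain. Called from the constructor (it is overridable, so a
     * subclass override runs before the subclass constructor body).
     *
     * <p>Fix: the {@code /WEB-INF/picketlink-handlers.xml} stream is now closed after parsing;
     * it was previously left open. The refresh {@code Timer} is non-daemon and nothing visible
     * in this class cancels it — callers that stop the application should account for that.
     *
     * @throws RuntimeException wrapping any failure while building the chain or configuration
     */
    protected void startPicketLink() {
        SystemPropertiesUtil.ensure();
        if (this.timerInterval > 0) {
            if (this.timer == null) {
                this.timer = new Timer();
            }
            this.timer.scheduleAtFixedRate(new TimerTask() {
                @Override
                public void run() {
                    // Refresh runs outside chainLock; processConfiguration is a decompiler stub in this listing.
                    SPFormAuthenticationMechanism.this.processConfiguration();
                    SPFormAuthenticationMechanism.this.initKeyProvider(SPFormAuthenticationMechanism.this.servletContext);
                }
            }, this.timerInterval, this.timerInterval);
        }
        if (StringUtil.isNullOrEmpty(this.samlHandlerChainClass)) {
            this.chain = SAML2HandlerChainFactory.createChain();
        } else {
            try {
                this.chain = SAML2HandlerChainFactory.createChain(this.samlHandlerChainClass);
            } catch (ProcessingException e) {
                throw new RuntimeException(e);
            }
        }
        processConfiguration();
        InputStream handlersStream = null;
        try {
            Handlers handlers;
            if (this.picketLinkConfiguration != null) {
                handlers = this.picketLinkConfiguration.getHandlers();
            } else {
                handlersStream = this.servletContext.getResourceAsStream("/WEB-INF/picketlink-handlers.xml");
                handlers = ConfigurationUtil.getHandlers(handlersStream);
            }
            this.chain.addAll(HandlerUtil.getHandlers(handlers));
            initKeyProvider(this.servletContext);
            populateChainConfig();
            initializeHandlerChain();
            if (this.picketLinkConfiguration == null) {
                // No provider-supplied configuration: assemble one from the SP section and the parsed handlers.
                this.picketLinkConfiguration = new PicketLinkType();
                this.picketLinkConfiguration.setIdpOrSP(this.spConfiguration);
                this.picketLinkConfiguration.setHandlers(handlers);
            }
        } catch (Exception e) {
            throw new RuntimeException(e);
        } finally {
            if (handlersStream != null) {
                try {
                    handlersStream.close();
                } catch (IOException ignored) {
                    // best-effort close of a web resource; the content has already been parsed
                }
            }
        }
    }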

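    /**
     * Instantiates and configures the {@link TrustKeyManager} that validates IdP signatures, when
     * the SP configuration declares signature support. The key provider's class name, properties
     * and validating alias come from the configuration; an {@code X509CERTIFICATE} property, if
     * present, and the IdP host (from the identity URL, under {@code idp.key}) are passed on as
     * additional options. Without signature support this is a no-op and {@code keyManager} stays null.
     *
     * <p>Fixes: the wrapping {@code RuntimeException} now carries the original exception as its
     * cause (the message alone was kept before), the redundant second {@code doSupportSignature()}
     * check is gone, and the property scan is a for-each loop.
     *
     * @param servletContext used only for the context path in the error message
     * @throws RuntimeException when no key provider is configured, or when creating/configuring
     *         the key manager fails
     */
    protected void initKeyProvider(ServletContext servletContext) {
        if (!doSupportSignature()) {
            return;
        }
        KeyProviderType keyProvider = this.spConfiguration.getKeyProvider();
        if (keyProvider == null) {
            throw new RuntimeException("PL00092: Null Value:KeyProvider is null for context=" + servletContext.getContextPath());
        }
        try {
            String className = keyProvider.getClassName();
            if (className == null) {
                throw new RuntimeException("PL00092: Null Value:KeyManager class name");
            }
            Class<?> keyManagerClass = SecurityActions.loadClass(getClass(), className);
            if (keyManagerClass == null) {
                throw new ClassNotFoundException("PL00085: Class Not Loaded:" + className);
            }
            this.keyManager = (TrustKeyManager) keyManagerClass.newInstance();
            List keyProviderProperties = CoreConfigUtil.getKeyProviderProperties(keyProvider);
            this.keyManager.setAuthProperties(keyProviderProperties);
            this.keyManager.setValidatingAlias(keyProvider.getValidatingAlias());
            String identityURL = this.spConfiguration.getIdentityURL();
            if (keyProviderProperties != null) {
                // Only the first X509CERTIFICATE property is forwarded, as before.
                for (Object property : keyProviderProperties) {
                    AuthPropertyType authProperty = (AuthPropertyType) property;
                    if ("X509CERTIFICATE".equals(authProperty.getKey())) {
                        this.keyManager.addAdditionalOption("X509CERTIFICATE", authProperty.getValue());
                        break;
                    }
                }
            }
            // A malformed or missing identity URL surfaces here as MalformedURLException.
            this.keyManager.addAdditionalOption("idp.key", new URL(identityURL).getHost());
            logger.trace("Key Provider=" + className);
        } catch (Exception e) {
            logger.trustKeyManagerCreationError(e);
            throw new RuntimeException(e.getLocalizedMessage(), e);
        }
    }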

    /**
     * Whether the SP configuration asks for signature support; false while no configuration is loaded.
     */
    protected boolean doSupportSignature() {
        return this.spConfiguration != null && this.spConfiguration.isSupportsSignature();
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Removed duplicated region for block: B:18:0x0119 A[Catch: Exception -> 0x01d7, TryCatch #4 {Exception -> 0x01d7, blocks: (B:5:0x003d, B:10:0x0048, B:12:0x0058, B:14:0x0062, B:15:0x0089, B:16:0x0112, B:18:0x0119, B:20:0x012b, B:22:0x013c, B:23:0x0144, B:25:0x014b, B:27:0x0152, B:28:0x0166, B:30:0x0173, B:31:0x018c, B:34:0x0181, B:38:0x0074, B:40:0x007e, B:55:0x00c0, B:49:0x00ed, B:51:0x00fd, B:52:0x0109, B:53:0x010a, B:58:0x00da, B:59:0x00ec, B:42:0x00a7, B:43:0x00b0, B:45:0x00b2, B:46:0x00bb), top: B:4:0x003d, inners: #0, #5 }] */
    /* JADX WARN: Removed duplicated region for block: B:30:0x0173 A[Catch: Exception -> 0x01d7, TryCatch #4 {Exception -> 0x01d7, blocks: (B:5:0x003d, B:10:0x0048, B:12:0x0058, B:14:0x0062, B:15:0x0089, B:16:0x0112, B:18:0x0119, B:20:0x012b, B:22:0x013c, B:23:0x0144, B:25:0x014b, B:27:0x0152, B:28:0x0166, B:30:0x0173, B:31:0x018c, B:34:0x0181, B:38:0x0074, B:40:0x007e, B:55:0x00c0, B:49:0x00ed, B:51:0x00fd, B:52:0x0109, B:53:0x010a, B:58:0x00da, B:59:0x00ec, B:42:0x00a7, B:43:0x00b0, B:45:0x00b2, B:46:0x00bb), top: B:4:0x003d, inners: #0, #5 }] */
    /* JADX WARN: Removed duplicated region for block: B:34:0x0181 A[Catch: Exception -> 0x01d7, TryCatch #4 {Exception -> 0x01d7, blocks: (B:5:0x003d, B:10:0x0048, B:12:0x0058, B:14:0x0062, B:15:0x0089, B:16:0x0112, B:18:0x0119, B:20:0x012b, B:22:0x013c, B:23:0x0144, B:25:0x014b, B:27:0x0152, B:28:0x0166, B:30:0x0173, B:31:0x018c, B:34:0x0181, B:38:0x0074, B:40:0x007e, B:55:0x00c0, B:49:0x00ed, B:51:0x00fd, B:52:0x0109, B:53:0x010a, B:58:0x00da, B:59:0x00ec, B:42:0x00a7, B:43:0x00b0, B:45:0x00b2, B:46:0x00bb), top: B:4:0x003d, inners: #0, #5 }] */
    /* JADX WARN: Type inference failed for: r0v80, types: [java.io.InputStream] */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Decompiler stub: the real body of this method was not recovered (482 bytecode
     * instructions, see the JADX notes above), so this listing only throws. The JADX
     * warnings hint that the original opened an {@code InputStream} inside a single
     * {@code catch (Exception)} region, presumably the SP configuration loading — the
     * actual configuration steps cannot be read from this page and must be taken from
     * the original source or bytecode.
     *
     * @throws UnsupportedOperationException always, in this decompiled form
     */
    protected void processConfiguration() {
        /*
            Method dump skipped, instructions count: 482
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.picketlink.identity.federation.bindings.wildfly.sp.SPFormAuthenticationMechanism.processConfiguration():void");
    }

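    /**
     * Loads IdP metadata from a resource of the web application and derives the IdP
     * single-sign-on URL and signing certificate from it.
     *
     * <p>Side effects on success: {@code identityURL} is set to the location of the first
     * SSO endpoint whose binding matches {@code spConfiguration.getBindingType()}
     * ("POST" / "REDIRECT"), and {@code idpCertificate} is taken from the first key
     * descriptor, when one exists. Nothing happens when the resource is absent.
     *
     * <p>The metadata stream is always closed, which the previous version did not do.
     *
     * @param str path of the metadata resource, resolved through
     *            {@code ServletContext#getResourceAsStream}
     * @throws RuntimeException wrapping any parsing or extraction failure
     */
    protected void processIDPMetadataFile(String str) {
        InputStream metadataStream = this.servletContext.getResourceAsStream(str);
        if (metadataStream == null) {
            // Missing metadata is not an error here; the IdP URL may be configured another way.
            return;
        }
        try {
            // NOTE(review): assumes DocumentUtil.getDocument builds its XML parser with DTD and
            // external-entity resolution disabled — confirm before accepting metadata that does
            // not ship inside the deployment itself.
            Object parsed = new SAMLParser().parse(DocumentUtil.getNodeAsStream(DocumentUtil.getDocument(metadataStream)));
            IDPSSODescriptorType idpDescriptor = parsed instanceof EntitiesDescriptorType
                    ? handleMetadata((EntitiesDescriptorType) parsed)
                    : handleMetadata((EntityDescriptorType) parsed);
            if (idpDescriptor == null) {
                logger.samlSPUnableToGetIDPDescriptorFromMetadata();
                return;
            }
            // The configured binding is compared against the short names derived below.
            String configuredBinding = this.spConfiguration.getBindingType();
            for (Object endpoint : idpDescriptor.getSingleSignOnService()) {
                EndpointType ssoEndpoint = (EndpointType) endpoint;
                if (configuredBinding.equals(bindingShortName(ssoEndpoint))) {
                    this.identityURL = ssoEndpoint.getLocation().toString();
                    break;
                }
            }
            List keyDescriptors = idpDescriptor.getKeyDescriptor();
            if (!keyDescriptors.isEmpty()) {
                // Only the first key descriptor is consulted, as before.
                this.idpCertificate = MetaDataExtractor.getCertificate((KeyDescriptorType) keyDescriptors.get(0));
            }
        } catch (Exception e) {
            throw new RuntimeException(e);
        } finally {
            closeMetadataStream(metadataStream);
        }
    }

    /**
     * Maps an endpoint's binding URI onto the short names used by the SP configuration:
     * a URI containing "HTTP-POST" becomes "POST", one containing "HTTP-Redirect" becomes
     * "REDIRECT"; any other URI is returned unchanged.
     *
     * @param endpoint the SSO endpoint whose binding is inspected
     * @return the short binding name, or the original binding URI
     */
    private static String bindingShortName(EndpointType endpoint) {
        String binding = endpoint.getBinding().toString();
        if (binding.contains("HTTP-POST")) {
            return "POST";
        }
        if (binding.contains("HTTP-Redirect")) {
            return "REDIRECT";
        }
        return binding;
    }

    /**
     * Closes the metadata stream on every exit path. A failure to close a stream that has
     * already been fully parsed cannot change the result, so it is deliberately ignored.
     *
     * @param in the stream to close, never {@code null}
     */
    private static void closeMetadataStream(InputStream in) {
        try {
            in.close();
        } catch (IOException ignored) {
            // best effort: the metadata has already been read and parsed at this point
        }
    }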

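    /**
     * Searches an {@code EntitiesDescriptor} for the first IdP SSO descriptor.
     *
     * <p>Entries are visited in order: a plain {@code EntityDescriptor} is inspected through
     * {@link #handleMetadata(EntityDescriptorType)}, a nested {@code EntitiesDescriptor} through
     * {@link #getIDPSSODescriptor(EntitiesDescriptorType)}. The previous version passed the
     * <em>outer</em> descriptor to {@code getIDPSSODescriptor} instead of the nested one, so a
     * nested descriptor that was not the first entry was never actually searched.
     *
     * @param entitiesDescriptorType the descriptor whose entries are searched
     * @return the first IdP SSO descriptor found, or {@code null} when no entry provides one
     */
    protected IDPSSODescriptorType handleMetadata(EntitiesDescriptorType entitiesDescriptorType) {
        for (Object entry : entitiesDescriptorType.getEntityDescriptor()) {
            IDPSSODescriptorType found;
            if (entry instanceof EntitiesDescriptorType) {
                // Descend into the nested descriptor itself, not into the parent again.
                found = getIDPSSODescriptor((EntitiesDescriptorType) entry);
            } else {
                found = handleMetadata((EntityDescriptorType) entry);
            }
            if (found != null) {
                return found;
            }
        }
        return null;
    }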

    /**
     * Extracts the IdP SSO descriptor of a single {@code EntityDescriptor}.
     *
     * @param entityDescriptorType the entity to inspect
     * @return whatever {@code CoreConfigUtil.getIDPDescriptor} yields for it (may be {@code null})
     */
    protected IDPSSODescriptorType handleMetadata(EntityDescriptorType entityDescriptorType) {
        IDPSSODescriptorType idpDescriptor = CoreConfigUtil.getIDPDescriptor(entityDescriptorType);
        return idpDescriptor;
    }

    /**
     * Resolves an IdP SSO descriptor from the <em>first</em> entry of an
     * {@code EntitiesDescriptor}, descending recursively while that entry is itself an
     * {@code EntitiesDescriptor}. Entries after the first are not considered.
     *
     * @param entitiesDescriptorType the descriptor whose first entry is inspected
     * @return the IdP SSO descriptor of the first leaf entity, or {@code null} when the
     *         descriptor has no entries
     */
    protected IDPSSODescriptorType getIDPSSODescriptor(EntitiesDescriptorType entitiesDescriptorType) {
        List entries = entitiesDescriptorType.getEntityDescriptor();
        if (entries.isEmpty()) {
            return null;
        }
        Object first = entries.get(0);
        if (first instanceof EntitiesDescriptorType) {
            return getIDPSSODescriptor((EntitiesDescriptorType) first);
        }
        return CoreConfigUtil.getIDPDescriptor((EntityDescriptorType) first);
    }

    /**
     * Builds the handler-chain configuration from {@code chainConfigOptions} and hands it to
     * every handler of the SAML2 chain.
     *
     * @throws ConfigurationException propagated from {@link #populateChainConfig()}
     * @throws ProcessingException propagated from {@link #populateChainConfig()}
     */
    protected void initializeHandlerChain() throws ConfigurationException, ProcessingException {
        populateChainConfig();
        DefaultSAML2HandlerChainConfig chainConfig = new DefaultSAML2HandlerChainConfig(this.chainConfigOptions);
        for (Iterator handlers = this.chain.handlers().iterator(); handlers.hasNext();) {
            SAML2Handler handler = (SAML2Handler) handlers.next();
            handler.initChainConfig(chainConfig);
        }
    }

    /**
     * Fills {@code chainConfigOptions} with the SP configuration, the role-validator flag,
     * and — only when signatures are supported — the signing key pair and, if an alias is
     * configured under "X509CERTIFICATE", the matching certificate.
     *
     * @throws ConfigurationException if the key manager cannot provide the requested material
     * @throws ProcessingException if the key manager cannot provide the requested material
     */
    protected void populateChainConfig() throws ConfigurationException, ProcessingException {
        this.chainConfigOptions.put("CONFIGURATION", this.spConfiguration);
        this.chainConfigOptions.put("ROLE_VALIDATOR_IGNORE", "false");
        if (!doSupportSignature()) {
            return;
        }
        this.chainConfigOptions.put("KEYPAIR", this.keyManager.getSigningKeyPair());
        // The option value is the alias of the SP's own certificate within the key manager.
        String certificateAlias = (String) this.keyManager.getAdditionalOption("X509CERTIFICATE");
        if (certificateAlias != null) {
            this.chainConfigOptions.put("X509CERTIFICATE", this.keyManager.getCertificate(certificateAlias));
        }
    }

    /**
     * Tells whether the request asks for a global (IdP-wide) logout via the "GLO" parameter.
     *
     * @param httpServletRequest the current request
     * @return {@code true} when "GLO" is present and equals "true" ignoring case
     */
    private boolean isGlobalLogout(HttpServletRequest httpServletRequest) {
        String globalLogoutFlag = httpServletRequest.getParameter("GLO");
        if (!StringUtil.isNotNull(globalLogoutFlag)) {
            return false;
        }
        return "true".equalsIgnoreCase(globalLogoutFlag);
    }

    /**
     * Reads the SAML version from the "SAMLResponse" carried by the request.
     *
     * <p>The SAML 2.0 {@code Version} attribute of the root element wins; when it is absent
     * the SAML 1.x attributes are combined as {@code MinorVersion + "." + MajorVersion}.
     * NOTE(review): that order reads as minor.major — it is preserved here as found; confirm
     * that callers compare the result in a way that tolerates it.
     *
     * @param httpServletRequest request carrying the encoded response; a POST is decoded as
     *                           POST binding, anything else as Redirect binding
     * @return the version string as described above
     * @throws RuntimeException when the response cannot be decoded or parsed
     */
    private String getSAMLVersion(HttpServletRequest httpServletRequest) {
        try {
            String encodedResponse = httpServletRequest.getParameter("SAMLResponse");
            boolean postBinding = "POST".equalsIgnoreCase(httpServletRequest.getMethod());
            Element root = toSAMLResponseDocument(encodedResponse, postBinding).getDocumentElement();
            String version = root.getAttribute("Version");
            if (!StringUtil.isNullOrEmpty(version)) {
                return version;
            }
            // SAML 1.x fallback.
            return root.getAttribute("MinorVersion") + "." + root.getAttribute("MajorVersion");
        } catch (Exception e) {
            throw new RuntimeException("Could not extract version from SAML Response.", e);
        }
    }

    /**
     * Decodes an encoded SAML response and parses it into a DOM document.
     *
     * @param str the encoded response as received on the wire
     * @param z   {@code true} for the POST binding (plain base64), {@code false} for the
     *            Redirect binding (base64 + deflate)
     * @return the parsed document
     * @throws ParsingException wrapping any decode or parse failure (logged first)
     */
    private Document toSAMLResponseDocument(String str, boolean z) throws ParsingException {
        try {
            if (z) {
                return DocumentUtil.getDocument(PostBindingUtil.base64DecodeAsStream(str));
            }
            return DocumentUtil.getDocument(RedirectBindingUtil.base64DeflateDecode(str));
        } catch (Exception e) {
            logger.samlResponseFromIDPParsingFailed();
            throw new ParsingException("", e);
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v52, types: [java.util.List] */
    /**
     * Authenticates the caller from an unsolicited SAML 1.1 response carried in the
     * "SAMLResponse" parameter.
     *
     * <p>What this method does, as visible here: it base64/deflate-decodes the parameter,
     * parses it as a {@code SAML11ResponseType}, takes the <em>first</em> assertion only
     * (further assertions are merely traced), sets the principal from the last authentication
     * statement's subject name, reads the roles from the assertion, pushes name and roles to
     * {@code ServiceProviderSAMLContext}, registers the verified account with the security
     * context and, when auditing is enabled, records a RESPONSE_FROM_IDP audit event.
     *
     * <p>NOTE(review): no signature, issuer, audience or validity-window check is visible in
     * this method before the account is registered — confirm that these are enforced
     * elsewhere for SAML 1.1 unsolicited responses (they are not performed here).
     *
     * <p>Failure handling: every exception (including an empty assertion list, which makes
     * {@code list.get(0)} throw, and a missing principal, which makes {@code getName()}
     * throw) is logged through {@code samlSPHandleRequestError} and results in
     * NOT_AUTHENTICATED. The method is not tied to any previously issued request, hence
     * "unsolicited".
     *
     * @param httpServletRequest  request carrying the "SAMLResponse" parameter
     * @param httpServletResponse unused here
     * @param securityContext     context whose identity manager verifies and registers the account
     * @return AUTHENTICATED when an account was registered, NOT_AUTHENTICATED otherwise
     */
    public AuthenticationMechanism.AuthenticationMechanismOutcome handleSAML11UnsolicitedResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SecurityContext securityContext) {
        String parameter = httpServletRequest.getParameter("SAMLResponse");
        // Starts from any principal already on the request; replaced below when the assertion
        // carries an authentication statement. (Assignment type is a decompiler artifact.)
        SerializablePrincipal userPrincipal = httpServletRequest.getUserPrincipal();
        if (StringUtil.isNotNull(parameter)) {
            try {
                // Always decoded as Redirect binding (base64 + deflate), regardless of HTTP method.
                List list = ((SAML11ResponseType) new SAMLParser().parse(RedirectBindingUtil.base64DeflateDecode(parameter))).get();
                if (list.size() > 1) {
                    logger.trace("More than one assertion from IDP. Considering the first one.");
                }
                ArrayList arrayList = new ArrayList();
                // Throws on an empty list; the catch-all below turns that into NOT_AUTHENTICATED.
                SAML11AssertionType sAML11AssertionType = (SAML11AssertionType) list.get(0);
                if (sAML11AssertionType != null) {
                    // The loop variable type looks like a decompiler artifact; the instanceof
                    // check is what selects authentication statements. The last one wins.
                    for (SAML11AuthenticationStatementType sAML11AuthenticationStatementType : sAML11AssertionType.getStatements()) {
                        if (sAML11AuthenticationStatementType instanceof SAML11AuthenticationStatementType) {
                            userPrincipal = new SerializablePrincipal(sAML11AuthenticationStatementType.getSubject().getChoice().getNameID().getValue());
                        }
                    }
                    // Roles are taken straight from the assertion, with no role-attribute filter.
                    arrayList = AssertionUtil.getRoles(sAML11AssertionType, (List) null);
                }
                // Throws if no principal was found and none was on the request.
                String name = userPrincipal.getName();
                if (logger.isTraceEnabled()) {
                    logger.trace("Roles determined for username=" + name + "=" + Arrays.toString(arrayList.toArray()));
                }
                ServiceProviderSAMLContext.push(name, arrayList);
                // Third AccountImpl argument is the literal "EMPTY_STR"; its meaning is not visible here.
                register(securityContext, securityContext.getIdentityManager().verify(new AccountImpl(userPrincipal, new HashSet(arrayList), "EMPTY_STR")));
                if (this.enableAudit) {
                    PicketLinkAuditEvent picketLinkAuditEvent = new PicketLinkAuditEvent("Info");
                    picketLinkAuditEvent.setType(PicketLinkAuditEventType.RESPONSE_FROM_IDP);
                    picketLinkAuditEvent.setSubjectName(name);
                    picketLinkAuditEvent.setWhoIsAuditing(this.servletContext.getContextPath());
                    this.auditHelper.audit(picketLinkAuditEvent);
                }
                return AuthenticationMechanism.AuthenticationMechanismOutcome.AUTHENTICATED;
            } catch (Exception e) {
                // Any failure above is logged and treated as "not authenticated".
                logger.samlSPHandleRequestError(e);
            }
        }
        return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
    }
}
