package org.picketlink.identity.federation.bindings.tomcat.idp;

import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.StringTokenizer;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import javax.servlet.ServletException;
import org.apache.catalina.Context;
import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.LifecycleListener;
import org.apache.catalina.connector.Response;
import org.apache.catalina.util.LifecycleSupport;
import org.apache.catalina.valves.ValveBase;
import org.apache.log4j.Logger;
import org.picketlink.identity.federation.bindings.tomcat.TomcatRoleGenerator;
import org.picketlink.identity.federation.core.config.IDPType;
import org.picketlink.identity.federation.core.config.KeyProviderType;
import org.picketlink.identity.federation.core.exceptions.ConfigurationException;
import org.picketlink.identity.federation.core.exceptions.ParsingException;
import org.picketlink.identity.federation.core.exceptions.ProcessingException;
import org.picketlink.identity.federation.core.impl.DelegatedAttributeManager;
import org.picketlink.identity.federation.core.interfaces.AttributeManager;
import org.picketlink.identity.federation.core.interfaces.RoleGenerator;
import org.picketlink.identity.federation.core.interfaces.TrustKeyConfigurationException;
import org.picketlink.identity.federation.core.interfaces.TrustKeyManager;
import org.picketlink.identity.federation.core.interfaces.TrustKeyProcessingException;
import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
import org.picketlink.identity.federation.core.saml.v2.factories.SAML2HandlerChainFactory;
import org.picketlink.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerChainConfig;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerChain;
import org.picketlink.identity.federation.core.saml.v2.util.HandlerUtil;
import org.picketlink.identity.federation.core.util.CoreConfigUtil;
import org.picketlink.identity.federation.core.util.StringUtil;
import org.picketlink.identity.federation.web.core.IdentityServer;
import org.picketlink.identity.federation.web.util.ConfigurationUtil;
import org.picketlink.identity.federation.web.util.IDPWebRequestUtil;
import org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil;
import org.w3c.dom.Document;

/* loaded from: input_file:org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.class */
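/**
 * Tomcat valve implementing the identity-provider (IdP) side of SAML v2 web browser SSO,
 * as its name and the SAML helper calls below indicate.
 *
 * <p>Configuration is read in {@link #start()} from two web-app resources:
 * {@code /WEB-INF/picketlink-idfed.xml} (IdP settings: identity URL, assertion validity,
 * attribute manager, key provider) and {@code /WEB-INF/picketlink-handlers.xml} (the SAML2
 * handler chain). The valve's own attributes are set through the container-style setters
 * below and are expected to be in place before {@code start()} runs; they are not synchronised.
 *
 * <p>Two switches decide how much of the protocol's cryptography is enforced:
 * <ul>
 *   <li>{@code ignoreIncomingSignatures} (default {@code false}): when {@code true},
 *       {@link #validate} accepts a request without checking the SP's redirect-binding
 *       signature.</li>
 *   <li>{@code signOutgoingMessages} (default {@code true}): when {@code true}, a
 *       {@link TrustKeyManager} is built from the configured key provider and outgoing
 *       messages are signed with its private key; when {@code false}, no key manager is
 *       loaded and error responses are sent unsigned.</li>
 * </ul>
 *
 * <p>This listing was recovered by a decompiler (JADX); the request-processing
 * {@link #invoke} body could not be reconstructed and is only a stub here.
 */
public class IDPWebBrowserSSOValve extends ValveBase implements Lifecycle {
    private static final Logger log = Logger.getLogger(IDPWebBrowserSSOValve.class);

    /** Web-app resource holding the IdP configuration parsed in {@link #start()}. */
    private static final String IDP_CONFIG_RESOURCE = "/WEB-INF/picketlink-idfed.xml";
    /** Web-app resource listing the SAML2 handlers loaded into the chain in {@link #start()}. */
    private static final String HANDLERS_CONFIG_RESOURCE = "/WEB-INF/picketlink-handlers.xml";
    /** ServletContext attribute under which a shared {@link IdentityServer} is published. */
    private static final String IDENTITY_SERVER_ATTRIBUTE = "IDENTITY_SERVER";
    /** Attribute keys always appended to {@link #attributeKeys} at start-up, after any configured list. */
    private static final String[] DEFAULT_ATTRIBUTE_KEYS = {
        "mail", "cn", "commonname", "givenname", "surname", "employeeType", "employeeNumber", "facsimileTelephoneNumber"
    };

    /** Holds signing/validating keys; only created when {@link #signOutgoingMessages} is {@code true}. */
    private TrustKeyManager keyManager;
    // Trace enablement is sampled once at construction, not per call.
    private final boolean trace = log.isTraceEnabled();
    protected IDPType idpConfiguration = null;
    private RoleGenerator roleGenerator = new TomcatRoleGenerator();
    private long assertionValidity = 5000;
    private String identityURL = null;
    private Boolean ignoreIncomingSignatures = false;
    private Boolean signOutgoingMessages = true;
    private transient DelegatedAttributeManager attribManager = new DelegatedAttributeManager();
    private List<String> attributeKeys = new ArrayList<String>();
    private transient SAML2HandlerChain chain = null;
    private Context context = null;
    private transient String samlHandlerChainClass = null;
    // Not used by any decompiled method; presumably guards the handler chain inside invoke() — confirm.
    private Lock chainLock = new ReentrantLock();
    protected LifecycleSupport lifecycle = new LifecycleSupport(this);
    private boolean started = false;

    /* loaded from: input_file:org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve$SessionHolder.class */
    /**
     * The three redirect-binding request parameters carried between {@code invoke()} and
     * {@link #validate}: the SAML request, its signature and the signature algorithm.
     * Fields are package-private because the (non-decompiled) caller writes them directly.
     */
    protected static class SessionHolder {
        String samlRequest;
        String signature;
        String sigAlg;

        public SessionHolder(String str, String str2, String str3) {
            this.samlRequest = str;
            this.signature = str2;
            this.sigAlg = str3;
        }
    }

    /**
     * Replaces the configured attribute keys with the comma-separated names in {@code str}.
     * A {@code null} or empty value leaves the current list untouched; empty tokens are skipped
     * and tokens are not trimmed. {@link #start()} appends {@link #DEFAULT_ATTRIBUTE_KEYS}
     * afterwards, so configured keys are supplemented, not replaced, by the defaults.
     *
     * @param str comma-separated attribute names, as set by the container
     */
    public void setAttributeList(String str) {
        if (str == null || "".equals(str)) {
            return;
        }
        this.attributeKeys.clear();
        StringTokenizer tokens = new StringTokenizer(str, ",");
        while (tokens.hasMoreTokens()) {
            this.attributeKeys.add(tokens.nextToken());
        }
    }

    /** @return whether {@link #validate} skips the SP signature check; see the class comment */
    public Boolean getIgnoreIncomingSignatures() {
        return this.ignoreIncomingSignatures;
    }

    /**
     * @param bool {@code true} to accept requests without a signature check; must not be
     *             {@code null}, as the value is unboxed in {@link #validate}
     */
    public void setIgnoreIncomingSignatures(Boolean bool) {
        this.ignoreIncomingSignatures = bool;
    }

    /** @return whether outgoing messages are signed with the key manager's signing key */
    public Boolean getSignOutgoingMessages() {
        return this.signOutgoingMessages;
    }

    /**
     * @param bool {@code true} to sign outgoing messages (and to load a key manager at
     *             start-up); must not be {@code null}, as the value is unboxed in {@link #start()}
     */
    public void setSignOutgoingMessages(Boolean bool) {
        this.signOutgoingMessages = bool;
    }

    /**
     * Replaces the default {@link TomcatRoleGenerator} with an instance of the named class,
     * loaded through the context class loader via its public no-arg constructor.
     *
     * @param str fully qualified class name of a {@link RoleGenerator} implementation
     * @throws IllegalArgumentException if the class cannot be loaded, is not a
     *                                  {@code RoleGenerator}, or cannot be instantiated
     */
    public void setRoleGenerator(String str) {
        try {
            Class<?> clazz = SecurityActions.getContextClassLoader().loadClass(str);
            // asSubclass() turns a wrong type into a clear ClassCastException instead of a later failure.
            this.roleGenerator = clazz.asSubclass(RoleGenerator.class).getDeclaredConstructor().newInstance();
        } catch (Exception e) {
            throw new IllegalArgumentException("Cannot instantiate RoleGenerator class " + str, e);
        }
    }

    /**
     * @param str class name of a custom {@link SAML2HandlerChain}; when unset, the factory's
     *            default chain is used in {@link #start()}
     */
    public void setSamlHandlerChainClass(String str) {
        this.samlHandlerChainClass = str;
    }

    /*  JADX ERROR: JadxRuntimeException in pass: BlockProcessor
        jadx.core.utils.exceptions.JadxRuntimeException: Unreachable block: B:87:0x074d
        	at jadx.core.dex.visitors.blocks.BlockProcessor.checkForUnreachableBlocks(BlockProcessor.java:88)
        	at jadx.core.dex.visitors.blocks.BlockProcessor.processBlocksTree(BlockProcessor.java:52)
        	at jadx.core.dex.visitors.blocks.BlockProcessor.visit(BlockProcessor.java:44)
        */
    /**
     * Request entry point of the valve. The decompiler could not reconstruct this method
     * (2929 instructions, see the JADX note above); the body below is a placeholder stub,
     * not the original implementation. The real method is where {@link #validate} and
     * {@link #sendErrorResponseToSP} are presumably called from.
     */
    public void invoke(org.apache.catalina.connector.Request r10, org.apache.catalina.connector.Response r11) throws java.io.IOException, javax.servlet.ServletException {
        /*
            Method dump skipped, instructions count: 2929
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.invoke(org.apache.catalina.connector.Request, org.apache.catalina.connector.Response):void");
    }

    /**
     * Builds a SAML error response (status {@code Responder}) addressed to {@code destination}
     * and sends it with the given request utility, using the POST binding when the incoming
     * request arrived via POST and the redirect binding otherwise. The response is signed with
     * the key manager's signing key when {@link #signOutgoingMessages} is {@code true}.
     * The destination is sent to as given; whether it is a trusted SP is presumed to have been
     * decided by the caller — confirm against {@code invoke()}.
     *
     * @param destination       URL the error response is sent to (also used as the response's destination)
     * @param response          Tomcat response; recycled first when answering a POST request
     * @param relayState        RelayState to echo back to the SP, may be {@code null}
     * @param iDPWebRequestUtil helper that builds and transmits the response
     * @throws ServletException       if the response cannot be parsed or signed, or signing is
     *                                enabled but no key manager was initialised
     * @throws IOException            propagated from sending
     * @throws ConfigurationException propagated from building the error response
     */
    protected void sendErrorResponseToSP(String destination, Response response, String relayState, IDPWebRequestUtil iDPWebRequestUtil) throws ServletException, IOException, ConfigurationException {
        if (this.trace) {
            log.trace("About to send error response to SP:" + destination);
        }
        Document errorResponse = iDPWebRequestUtil.getErrorResponse(destination, JBossSAMLURIConstants.STATUS_RESPONDER.get(), this.identityURL, this.signOutgoingMessages.booleanValue());
        try {
            boolean postBinding = iDPWebRequestUtil.hasSAMLRequestInPostProfile();
            if (postBinding) {
                recycle(response);
            }
            IDPWebRequestUtil.WebRequestUtilHolder holder = iDPWebRequestUtil.getHolder();
            holder.setResponseDoc(errorResponse).setDestination(destination).setRelayState(relayState).setAreWeSendingRequest(false).setPrivateKey((PrivateKey) null).setSupportSignature(false).setServletResponse(response);
            holder.setPostBindingRequested(postBinding);
            if (this.signOutgoingMessages.booleanValue()) {
                // Fail explicitly rather than with a NullPointerException if signing was enabled after start().
                if (this.keyManager == null) {
                    throw new ServletException("signOutgoingMessages is set but no TrustKeyManager was initialised; check the key provider configuration");
                }
                holder.setPrivateKey(this.keyManager.getSigningKey()).setSupportSignature(true);
            }
            iDPWebRequestUtil.send(holder);
        } catch (ParsingException e) {
            throw new ServletException(e);
        } catch (GeneralSecurityException e2) {
            throw new ServletException(e2);
        }
    }

    /**
     * Checks a redirect-binding request from an SP.
     *
     * <p>Returns {@code false} when the SAML request itself is missing. Returns {@code true}
     * without any cryptographic check when {@link #ignoreIncomingSignatures} is set or
     * {@code skipSignatureCheck} is {@code true}. Otherwise the signature parameter must be
     * present, a signature value must be extractable from {@code signedQueryString}, and that
     * signature must verify against the validating key the key manager holds for
     * {@code spIdentifier}.
     *
     * @param spIdentifier       name under which the key manager looks up the SP's validating key;
     *                           also used in log messages
     * @param signedQueryString  the signed URL/query string the signature covers
     * @param sessionHolder      the request parameters ({@code samlRequest}, {@code signature})
     * @param skipSignatureCheck when {@code true} the signature is not checked; presumably set by
     *                           the caller for POST-binding requests whose signature is verified
     *                           elsewhere — confirm against {@code invoke()}
     * @return whether the request is acceptable
     * @throws IOException              propagated from signature extraction/validation
     * @throws GeneralSecurityException if the validating key cannot be obtained, or no key
     *                                  manager is available although a check is required
     */
    protected boolean validate(String spIdentifier, String signedQueryString, SessionHolder sessionHolder, boolean skipSignatureCheck) throws IOException, GeneralSecurityException {
        if (!StringUtil.isNotNull(sessionHolder.samlRequest)) {
            return false;
        }
        if (this.ignoreIncomingSignatures.booleanValue() || skipSignatureCheck) {
            return true;
        }
        if (!StringUtil.isNotNull(sessionHolder.signature)) {
            log.error("Signature received from SP is null:" + spIdentifier);
            return false;
        }
        byte[] signatureValue = RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(signedQueryString);
        if (signatureValue == null) {
            log.error("Signature value could not be extracted from the signed URL sent by SP:" + spIdentifier);
            return false;
        }
        // A check is required here; without a key manager (signOutgoingMessages=false) it cannot pass.
        if (this.keyManager == null) {
            throw new GeneralSecurityException("No TrustKeyManager available to validate the signature from SP:" + spIdentifier);
        }
        try {
            return RedirectBindingSignatureUtil.validateSignature(signedQueryString, this.keyManager.getValidatingKey(spIdentifier), signatureValue);
        } catch (TrustKeyConfigurationException e) {
            // Wrap the exception itself, not its (possibly null) cause, so nothing is lost.
            throw new GeneralSecurityException(e);
        } catch (TrustKeyProcessingException e2) {
            throw new GeneralSecurityException(e2);
        }
    }

    public void addLifecycleListener(LifecycleListener lifecycleListener) {
        this.lifecycle.addLifecycleListener(lifecycleListener);
    }

    public LifecycleListener[] findLifecycleListeners() {
        return this.lifecycle.findLifecycleListeners();
    }

    public void removeLifecycleListener(LifecycleListener lifecycleListener) {
        this.lifecycle.removeLifecycleListener(lifecycleListener);
    }

    /**
     * Initialises the valve: creates the handler chain, parses the IdP configuration, sets up
     * the attribute manager and (when signing is enabled) the key manager, loads and configures
     * the handlers, appends the default attribute keys and publishes an {@link IdentityServer}
     * in the servlet context if none is present.
     *
     * <p>Any failure surfaces as a {@link LifecycleException} carrying its cause, and the valve
     * is only marked started once everything succeeded, so a failed start can be retried.
     *
     * @throws LifecycleException if already started, a resource is missing, or any initialisation step fails
     */
    public void start() throws LifecycleException {
        if (this.started) {
            throw new LifecycleException("IDPWebBrowserSSOValve already Started");
        }
        this.lifecycle.fireLifecycleEvent(Lifecycle.START_EVENT, (Object) null);
        this.chain = createHandlerChain();
        // getContainer() returns a Container; this valve only makes sense attached to a Context.
        this.context = (Context) getContainer();
        this.idpConfiguration = loadIdpConfiguration();
        this.identityURL = this.idpConfiguration.getIdentityURL();
        if (this.trace) {
            log.trace("Identity Provider URL=" + this.identityURL);
        }
        this.assertionValidity = this.idpConfiguration.getAssertionValidity();
        initAttributeManager(this.idpConfiguration.getAttributeManager());
        if (this.signOutgoingMessages.booleanValue()) {
            this.keyManager = createKeyManager(this.idpConfiguration.getKeyProvider());
        }
        initHandlers();
        this.attributeKeys.addAll(Arrays.asList(DEFAULT_ATTRIBUTE_KEYS));
        if (this.context.getServletContext().getAttribute(IDENTITY_SERVER_ATTRIBUTE) == null) {
            this.context.getServletContext().setAttribute(IDENTITY_SERVER_ATTRIBUTE, new IdentityServer());
        }
        this.started = true;
    }

    /** Creates the factory's default chain, or the custom chain class named via {@link #setSamlHandlerChainClass}. */
    private SAML2HandlerChain createHandlerChain() throws LifecycleException {
        if (StringUtil.isNullOrEmpty(this.samlHandlerChainClass)) {
            return SAML2HandlerChainFactory.createChain();
        }
        try {
            return SAML2HandlerChainFactory.createChain(this.samlHandlerChainClass);
        } catch (ProcessingException e) {
            throw new LifecycleException("Cannot create SAML2 handler chain " + this.samlHandlerChainClass, e);
        }
    }

    /** Parses the IdP configuration resource; the stream is closed whether or not parsing succeeds. */
    private IDPType loadIdpConfiguration() throws LifecycleException {
        InputStream configStream = this.context.getServletContext().getResourceAsStream(IDP_CONFIG_RESOURCE);
        if (configStream == null) {
            throw new LifecycleException(IDP_CONFIG_RESOURCE + " missing");
        }
        try {
            return ConfigurationUtil.getIDPConfiguration(configStream);
        } catch (Exception e) {
            log.error("Exception reading configuration:", e);
            throw new LifecycleException("Cannot parse " + IDP_CONFIG_RESOURCE, e);
        } finally {
            closeQuietly(configStream);
        }
    }

    /** Installs the attribute manager class named in the configuration (if any) as the delegate. */
    private void initAttributeManager(String attributeManagerClass) throws LifecycleException {
        if (attributeManagerClass == null || "".equals(attributeManagerClass)) {
            return;
        }
        try {
            Class<?> clazz = SecurityActions.getContextClassLoader().loadClass(attributeManagerClass);
            this.attribManager.setDelegate(clazz.asSubclass(AttributeManager.class).getDeclaredConstructor().newInstance());
        } catch (Exception e) {
            log.error("Exception reading configuration:", e);
            throw new LifecycleException("Cannot instantiate attribute manager " + attributeManagerClass, e);
        }
    }

    /** Builds the key manager from the configured key provider; a missing provider is a start-up error when signing is on. */
    private TrustKeyManager createKeyManager(KeyProviderType keyProvider) throws LifecycleException {
        if (keyProvider == null) {
            throw new LifecycleException("Key Provider is null for context=" + this.context.getName());
        }
        try {
            TrustKeyManager manager = CoreConfigUtil.getTrustKeyManager(keyProvider);
            manager.setAuthProperties(keyProvider.getAuth());
            manager.setValidatingAlias(keyProvider.getValidatingAlias());
            if (this.trace) {
                log.trace("Key Provider=" + keyProvider.getClassName());
            }
            return manager;
        } catch (Exception e) {
            log.error("Exception reading configuration:", e);
            throw new LifecycleException(e.getLocalizedMessage(), e);
        }
    }

    /** Loads the handlers from the handlers resource into the chain and passes each one the shared chain config. */
    private void initHandlers() throws LifecycleException {
        InputStream handlersStream = this.context.getServletContext().getResourceAsStream(HANDLERS_CONFIG_RESOURCE);
        if (handlersStream == null) {
            throw new LifecycleException(HANDLERS_CONFIG_RESOURCE + " missing");
        }
        try {
            this.chain.addAll(HandlerUtil.getHandlers(ConfigurationUtil.getHandlers(handlersStream)));
            HashMap<String, Object> chainOptions = new HashMap<String, Object>();
            chainOptions.put("ROLE_GENERATOR", this.roleGenerator);
            chainOptions.put("CONFIGURATION", this.idpConfiguration);
            // The key pair is only available when signing is enabled (see start()).
            if (this.keyManager != null) {
                chainOptions.put("KEYPAIR", this.keyManager.getSigningKeyPair());
            }
            DefaultSAML2HandlerChainConfig chainConfig = new DefaultSAML2HandlerChainConfig(chainOptions);
            Iterator<?> it = this.chain.handlers().iterator();
            while (it.hasNext()) {
                ((SAML2Handler) it.next()).initChainConfig(chainConfig);
            }
        } catch (Exception e) {
            log.error("Exception dealing with handler configuration:", e);
            throw new LifecycleException(e.getLocalizedMessage(), e);
        } finally {
            closeQuietly(handlersStream);
        }
    }

    /** Closes a configuration stream; a close failure is only logged because its content was already consumed. */
    private void closeQuietly(InputStream in) {
        try {
            in.close();
        } catch (IOException ignored) {
            log.debug("Ignoring failure to close configuration stream", ignored);
        }
    }

    /**
     * Marks the valve stopped and fires the stop event. Loaded configuration and keys are kept.
     *
     * @throws LifecycleException if the valve is not started
     */
    public void stop() throws LifecycleException {
        if (!this.started) {
            throw new LifecycleException("IDPWebBrowserSSOValve NotStarted");
        }
        this.lifecycle.fireLifecycleEvent(Lifecycle.STOP_EVENT, (Object) null);
        this.started = false;
    }

    /** Resets the response so a fresh document can be written into it. */
    private void recycle(Response response) {
        response.recycle();
    }
}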
