package org.picketlink.identity.federation.web.servlets;

import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;
import javax.servlet.ServletConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.log4j.Logger;
import org.picketlink.identity.federation.core.config.IDPType;
import org.picketlink.identity.federation.core.config.KeyProviderType;
import org.picketlink.identity.federation.core.exceptions.ConfigurationException;
import org.picketlink.identity.federation.core.exceptions.ParsingException;
import org.picketlink.identity.federation.core.impl.DelegatedAttributeManager;
import org.picketlink.identity.federation.core.interfaces.AttributeManager;
import org.picketlink.identity.federation.core.interfaces.RoleGenerator;
import org.picketlink.identity.federation.core.interfaces.TrustKeyConfigurationException;
import org.picketlink.identity.federation.core.interfaces.TrustKeyManager;
import org.picketlink.identity.federation.core.interfaces.TrustKeyProcessingException;
import org.picketlink.identity.federation.core.saml.v2.common.SAMLDocumentHolder;
import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
import org.picketlink.identity.federation.core.saml.v2.exceptions.IssueInstantMissingException;
import org.picketlink.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException;
import org.picketlink.identity.federation.core.saml.v2.holders.IssuerInfoHolder;
import org.picketlink.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerChain;
import org.picketlink.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerChainConfig;
import org.picketlink.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerRequest;
import org.picketlink.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerResponse;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerChain;
import org.picketlink.identity.federation.core.saml.v2.util.HandlerUtil;
import org.picketlink.identity.federation.core.util.StringUtil;
import org.picketlink.identity.federation.saml.v2.SAML2Object;
import org.picketlink.identity.federation.saml.v2.protocol.RequestAbstractType;
import org.picketlink.identity.federation.saml.v2.protocol.StatusResponseType;
import org.picketlink.identity.federation.web.constants.GeneralConstants;
import org.picketlink.identity.federation.web.core.HTTPContext;
import org.picketlink.identity.federation.web.core.IdentityServer;
import org.picketlink.identity.federation.web.roles.DefaultRoleGenerator;
import org.picketlink.identity.federation.web.util.ConfigurationUtil;
import org.picketlink.identity.federation.web.util.IDPWebRequestUtil;
import org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil;
import org.w3c.dom.Document;

/* loaded from: input_file:org/picketlink/identity/federation/web/servlets/IDPServlet.class */
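/**
 * IDP-side servlet of the SAML v2 web profile.
 *
 * <p>The login filters that run before this servlet are expected to place the authenticated
 * {@link Principal}, the incoming SAML message and its relay state into the HTTP session. On POST
 * the message is pulled from the session, passed through the configured {@link SAML2HandlerChain},
 * and the resulting document is sent back to the service provider, signed when
 * {@code SIGN_OUTGOING_MESSAGES} is enabled (the default).
 *
 * <p>Not thread-safe for configuration changes; all mutable state is written in {@link #init}.
 */
public class IDPServlet extends HttpServlet {
    private static final long serialVersionUID = 1;
    private static final Logger log = Logger.getLogger(IDPServlet.class);

    /** Key material used to sign outgoing messages and to look up validating keys; only created when signing is on. */
    private transient TrustKeyManager keyManager;
    // Evaluated once per instance so trace-only string building can be skipped cheaply.
    private boolean trace = log.isTraceEnabled();
    /** Parsed IDP configuration from CONFIG_FILE_LOCATION; protected so subclasses can read it. */
    protected transient IDPType idpConfiguration = null;
    private transient RoleGenerator roleGenerator = new DefaultRoleGenerator();
    private transient DelegatedAttributeManager attribManager = new DelegatedAttributeManager();
    /** Attribute names from the ATTRIBUTE_KEYS init parameter, split on ',' and not trimmed. */
    private List<String> attributeKeys = new ArrayList<String>();
    private long assertionValidity = 5000;
    private String identityURL = null;
    // Never reassigned in this class: redirect-binding signatures are always checked by validate().
    private Boolean ignoreIncomingSignatures = false;
    private Boolean signOutgoingMessages = true;
    private transient ServletContext context = null;
    private transient SAML2HandlerChain chain = null;

    /**
     * Pairs a SAML message with the detached signature that accompanied it.
     * The fields are package-visible so that {@link #validate} can read them directly.
     */
    public static class SessionHolder {
        String samlRequest;
        String signature;

        /**
         * @param samlRequest the encoded SAML message (request or response)
         * @param signature   the detached signature string, or null when none was received
         */
        public SessionHolder(String samlRequest, String signature) {
            this.samlRequest = samlRequest;
            this.signature = signature;
        }
    }

    /** Holds what the handler chain produced for one POST, or the error document built in its place. */
    private static final class HandlerOutcome {
        Document document;
        String destination;
        String relayState;
        // Mirrors the original default: send() is told to treat the message as a request until a handler says otherwise.
        boolean sendRequest = true;
    }

    /** @return whether incoming redirect-binding signatures are skipped by {@link #validate}; always false here. */
    public Boolean getIgnoreIncomingSignatures() {
        return this.ignoreIncomingSignatures;
    }

    /**
     * Loads the IDP configuration and handler chain from the web application, instantiates the
     * configured attribute manager, key manager and role generator, and registers an
     * {@link IdentityServer} in the servlet context if none is present.
     *
     * @param servletConfig servlet configuration; the SIGN_OUTGOING_MESSAGES, ROLE_GENERATOR and
     *        ATTRIBUTE_KEYS init parameters are read from it
     * @throws ServletException from {@link HttpServlet#init(ServletConfig)}
     * @throws RuntimeException if the configuration file is missing, or wrapping any failure while
     *         reading the configuration or instantiating the configured classes
     */
    public void init(ServletConfig servletConfig) throws ServletException {
        super.init(servletConfig);
        this.context = servletConfig.getServletContext();
        InputStream configStream = this.context.getResourceAsStream(GeneralConstants.CONFIG_FILE_LOCATION);
        if (configStream == null) {
            throw new RuntimeException(GeneralConstants.CONFIG_FILE_LOCATION + " missing");
        }
        this.chain = new DefaultSAML2HandlerChain();
        try {
            try {
                this.idpConfiguration = ConfigurationUtil.getIDPConfiguration(configStream);
            } finally {
                closeQuietly(configStream);
            }
            this.identityURL = this.idpConfiguration.getIdentityURL();
            if (this.trace) {
                log.trace("Identity Provider URL=" + this.identityURL);
            }
            this.assertionValidity = this.idpConfiguration.getAssertionValidity();

            String attributeManagerClass = this.idpConfiguration.getAttributeManager();
            if (isSet(attributeManagerClass)) {
                this.attribManager.setDelegate(instantiate(attributeManagerClass, AttributeManager.class));
            }

            InputStream handlerStream = this.context.getResourceAsStream(GeneralConstants.HANDLER_CONFIG_FILE_LOCATION);
            try {
                this.chain.addAll(HandlerUtil.getHandlers(ConfigurationUtil.getHandlers(handlerStream)));
            } finally {
                closeQuietly(handlerStream);
            }

            Map<String, Object> chainOptions = new HashMap<String, Object>();
            chainOptions.put(GeneralConstants.ROLE_GENERATOR, this.roleGenerator);
            chainOptions.put(GeneralConstants.CONFIGURATION, this.idpConfiguration);
            DefaultSAML2HandlerChainConfig chainConfig = new DefaultSAML2HandlerChainConfig(chainOptions);
            for (SAML2Handler handler : this.chain.handlers()) {
                handler.initChainConfig(chainConfig);
            }

            String signParam = servletConfig.getInitParameter(GeneralConstants.SIGN_OUTGOING_MESSAGES);
            if (isSet(signParam)) {
                // Boolean.valueOf(String) is true only for "true" (case-insensitive), as parseBoolean was.
                this.signOutgoingMessages = Boolean.valueOf(signParam);
            }
            if (this.signOutgoingMessages.booleanValue()) {
                this.keyManager = createKeyManager(this.idpConfiguration.getKeyProvider());
            }

            String roleGeneratorClass = servletConfig.getInitParameter(GeneralConstants.ROLE_GENERATOR);
            if (isSet(roleGeneratorClass)) {
                setRoleGenerator(roleGeneratorClass);
            }

            String attributeKeyList = servletConfig.getInitParameter(GeneralConstants.ATTRIBUTE_KEYS);
            if (isSet(attributeKeyList)) {
                StringTokenizer tokens = new StringTokenizer(attributeKeyList, ",");
                while (tokens.hasMoreTokens()) {
                    this.attributeKeys.add(tokens.nextToken());
                }
            }

            if (this.context.getAttribute(GeneralConstants.IDENTITY_SERVER) == null) {
                this.context.setAttribute(GeneralConstants.IDENTITY_SERVER, new IdentityServer());
            }
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Instantiates and configures the {@link TrustKeyManager} named in the key provider configuration.
     *
     * @param keyProvider key provider section of the IDP configuration
     * @return the configured key manager
     * @throws RuntimeException if the key provider or its class name is missing, or the class cannot
     *         be loaded or configured; the underlying exception is kept as the cause
     */
    private TrustKeyManager createKeyManager(KeyProviderType keyProvider) {
        if (keyProvider == null) {
            throw new RuntimeException("Key Provider is null for context=" + this.context.getContextPath());
        }
        try {
            String className = keyProvider.getClassName();
            if (className == null) {
                throw new RuntimeException("KeyManager class name is null");
            }
            TrustKeyManager manager = instantiate(className, TrustKeyManager.class);
            manager.setAuthProperties(keyProvider.getAuth());
            manager.setValidatingAlias(keyProvider.getValidatingAlias());
            if (this.trace) {
                log.trace("Key Provider=" + className);
            }
            return manager;
        } catch (Exception e) {
            log.error("Exception reading configuration:", e);
            // Keep the cause: the message alone drops the failing class and stack trace.
            throw new RuntimeException(e.getLocalizedMessage(), e);
        }
    }

    /**
     * Handles a browser POST arriving after the login filters have authenticated the user. The SAML
     * message and relay state are read from the session, consumed, run through the handler chain and
     * the resulting document is sent to the service provider.
     *
     * <p>Responds with 500 when the request has no session or the session holds no principal. When
     * the session holds neither a SAML request nor a SAML response, a responder-error message is sent
     * to the Referer; if that fails with a {@link ConfigurationException} a {@link ServletException}
     * is raised because no document could be produced.
     *
     * @throws ServletException if no SAML document was generated
     * @throws IOException on response I/O failure
     * @throws RuntimeException wrapping any failure while processing a SAML response message
     */
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        HttpSession session = request.getSession(false);
        if (session == null) {
            // The filters store everything this servlet needs in the session; without one there is
            // nothing to process (previously this dereferenced null).
            if (this.trace) {
                log.trace("No HTTP session on request");
            }
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        String samlRequestMessage = (String) session.getAttribute(GeneralConstants.SAML_REQUEST_KEY);
        String samlResponseMessage = (String) session.getAttribute(GeneralConstants.SAML_RESPONSE_KEY);
        String relayState = (String) session.getAttribute(GeneralConstants.RELAY_STATE);
        String referer = request.getHeader("Referer");
        Principal userPrincipal = (Principal) session.getAttribute(GeneralConstants.PRINCIPAL_ID);
        if (userPrincipal == null) {
            if (this.trace) {
                log.trace("Login Filters have not been configured");
            }
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }

        IDPWebRequestUtil webRequestUtil = new IDPWebRequestUtil(request, this.idpConfiguration, this.keyManager);
        webRequestUtil.setAttributeManager(this.attribManager);
        webRequestUtil.setAttributeKeys(this.attributeKeys);

        if (this.trace) {
            log.trace("Retrieved saml message and relay state from session");
            log.trace("saml Request message=" + samlRequestMessage + "::relay state=" + relayState);
            log.trace("saml Response message=" + samlResponseMessage + "::relay state=" + relayState);
        }
        // The messages are removed so the same session cannot process them a second time.
        session.removeAttribute(GeneralConstants.SAML_REQUEST_KEY);
        session.removeAttribute(GeneralConstants.SAML_RESPONSE_KEY);
        if (StringUtil.isNotNull(relayState)) {
            session.removeAttribute(GeneralConstants.RELAY_STATE);
        }

        HandlerOutcome outcome;
        if (samlResponseMessage != null) {
            outcome = processStatusResponse(request, response, webRequestUtil, samlResponseMessage, relayState);
        } else if (samlRequestMessage != null) {
            outcome = processRequest(request, response, session, userPrincipal, webRequestUtil,
                    samlRequestMessage, relayState, referer);
        } else {
            log.error("No SAML Request Message");
            if (this.trace) {
                log.trace("Referer=" + referer);
            }
            try {
                sendErrorResponseToSP(referer, response, relayState, webRequestUtil);
                return;
            } catch (ConfigurationException e) {
                if (this.trace) {
                    log.trace(e);
                }
            }
            // Nothing could be sent; an empty outcome makes sendOutcome report the missing document.
            outcome = new HandlerOutcome();
            outcome.relayState = relayState;
        }
        sendOutcome(outcome, response, webRequestUtil);
    }

    /**
     * Runs a SAML status response (e.g. a logout response) from the session through the handler chain.
     *
     * @return the chain's document, destination, relay state and send-request flag
     * @throws RuntimeException wrapping every failure, including a failed {@link #validate} check,
     *         an untrusted issuer and a message that is not a {@link StatusResponseType}
     */
    private HandlerOutcome processStatusResponse(HttpServletRequest request, HttpServletResponse response,
            IDPWebRequestUtil webRequestUtil, String samlResponseMessage, String relayState) {
        HandlerOutcome outcome = new HandlerOutcome();
        outcome.relayState = relayState;
        try {
            SAMLDocumentHolder documentHolder = webRequestUtil.getSAMLDocumentHolder(samlResponseMessage);
            SAML2Object samlObject = documentHolder.getSamlObject();
            // No detached signature is carried in the session here, so a redirect-binding message that
            // needs checking is rejected by validate(); POST-profile messages are let through by it.
            if (!validate(request.getRemoteAddr(), request.getQueryString(), new SessionHolder(samlResponseMessage, null),
                    webRequestUtil.hasSAMLRequestInPostProfile())) {
                throw new GeneralSecurityException("Validation check failed");
            }
            DefaultSAML2HandlerRequest handlerRequest = new DefaultSAML2HandlerRequest(
                    new HTTPContext(request, response, this.context),
                    new IssuerInfoHolder(this.identityURL).getIssuer(), documentHolder, SAML2Handler.HANDLER_TYPE.IDP);
            handlerRequest.setRelayState(relayState);
            DefaultSAML2HandlerResponse handlerResponse = new DefaultSAML2HandlerResponse();
            Set<SAML2Handler> handlers = this.chain.handlers();
            if (!(samlObject instanceof StatusResponseType)) {
                throw new RuntimeException("Unknown type:" + samlObject.getClass().getName());
            }
            webRequestUtil.isTrusted(((StatusResponseType) samlObject).getIssuer().getValue());
            if (handlers != null) {
                for (SAML2Handler handler : handlers) {
                    handler.reset();
                    handler.handleStatusResponseType(handlerRequest, handlerResponse);
                    outcome.sendRequest = handlerResponse.getSendRequest();
                }
            }
            outcome.document = handlerResponse.getResultingDocument();
            outcome.relayState = handlerResponse.getRelayState();
            outcome.destination = handlerResponse.getDestination();
            return outcome;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Runs a SAML request (e.g. an authentication request) from the session through the handler
     * chain. Failures do not propagate: an untrusted issuer yields a REQUEST_DENIED error document and
     * every other failure an AUTHNFAILED one, both addressed to the Referer.
     *
     * @return the chain's result, or an outcome whose document is the error response
     */
    private HandlerOutcome processRequest(HttpServletRequest request, HttpServletResponse response, HttpSession session,
            Principal userPrincipal, IDPWebRequestUtil webRequestUtil, String samlRequestMessage, String relayState,
            String referer) throws ServletException, IOException {
        HandlerOutcome outcome = new HandlerOutcome();
        outcome.relayState = relayState;
        try {
            SAMLDocumentHolder documentHolder = webRequestUtil.getSAMLDocumentHolder(samlRequestMessage);
            SAML2Object samlObject = documentHolder.getSamlObject();
            // See processStatusResponse: the signature slot is null, so only POST-profile messages pass validate().
            if (!validate(request.getRemoteAddr(), request.getQueryString(), new SessionHolder(samlRequestMessage, null),
                    webRequestUtil.hasSAMLRequestInPostProfile())) {
                throw new GeneralSecurityException("Validation check failed");
            }
            DefaultSAML2HandlerRequest handlerRequest = new DefaultSAML2HandlerRequest(
                    new HTTPContext(request, response, this.context),
                    new IssuerInfoHolder(this.identityURL).getIssuer(), documentHolder, SAML2Handler.HANDLER_TYPE.IDP);
            handlerRequest.setRelayState(relayState);
            Map<String, Object> options = new HashMap<String, Object>();
            options.put(GeneralConstants.ROLE_GENERATOR, this.roleGenerator);
            options.put(GeneralConstants.ASSERTIONS_VALIDITY, Long.valueOf(this.assertionValidity));
            options.put(GeneralConstants.CONFIGURATION, this.idpConfiguration);
            options.put(GeneralConstants.ATTRIBUTES, this.attribManager.getAttributes(userPrincipal, this.attributeKeys));
            handlerRequest.setOptions(options);
            // Roles are generated once per session and cached for the handlers.
            if (session.getAttribute(GeneralConstants.ROLES_ID) == null) {
                session.setAttribute(GeneralConstants.ROLES_ID, this.roleGenerator.generateRoles(userPrincipal));
            }
            DefaultSAML2HandlerResponse handlerResponse = new DefaultSAML2HandlerResponse();
            Set<SAML2Handler> handlers = this.chain.handlers();
            if (!(samlObject instanceof RequestAbstractType)) {
                throw new RuntimeException("Unknown type:" + samlObject.getClass().getName());
            }
            webRequestUtil.isTrusted(((RequestAbstractType) samlObject).getIssuer().getValue());
            if (handlers != null) {
                for (SAML2Handler handler : handlers) {
                    handler.handleRequestType(handlerRequest, handlerResponse);
                    outcome.sendRequest = handlerResponse.getSendRequest();
                }
            }
            outcome.document = handlerResponse.getResultingDocument();
            outcome.relayState = handlerResponse.getRelayState();
            outcome.destination = handlerResponse.getDestination();
        } catch (IssuerNotTrustedException e) {
            if (this.trace) {
                log.trace("Exception:", e);
            }
            outcome.document = errorDocument(webRequestUtil, referer, JBossSAMLURIConstants.STATUS_REQUEST_DENIED);
        } catch (GeneralSecurityException e) {
            if (this.trace) {
                log.trace("Security Exception:", e);
            }
            outcome.document = errorDocument(webRequestUtil, referer, JBossSAMLURIConstants.STATUS_AUTHNFAILED);
        } catch (Exception e) {
            // Covers ConfigurationException, ParsingException, IssueInstantMissingException and the rest,
            // which were all mapped to AUTHNFAILED.
            if (this.trace) {
                log.trace("Exception:", e);
            }
            outcome.document = errorDocument(webRequestUtil, referer, JBossSAMLURIConstants.STATUS_AUTHNFAILED);
        }
        return outcome;
    }

    /** Builds a SAML error response with the given status code, signed according to the servlet setting. */
    private Document errorDocument(IDPWebRequestUtil webRequestUtil, String referer, JBossSAMLURIConstants status)
            throws ServletException, IOException {
        return webRequestUtil.getErrorResponse(referer, status.get(), this.identityURL, this.signOutgoingMessages.booleanValue());
    }

    /**
     * Sends the outcome's document to its destination, signing it when SIGN_OUTGOING_MESSAGES is on.
     * A {@link ParsingException} or {@link GeneralSecurityException} from the send is logged at error
     * level (previously trace only) and otherwise not propagated, as before.
     *
     * @throws ServletException if the outcome holds no document
     */
    private void sendOutcome(HandlerOutcome outcome, HttpServletResponse response, IDPWebRequestUtil webRequestUtil)
            throws ServletException, IOException {
        if (outcome.document == null) {
            throw new ServletException("SAML Response has not been generated");
        }
        try {
            if (this.signOutgoingMessages.booleanValue()) {
                webRequestUtil.send(outcome.document, outcome.destination, outcome.relayState, response, true,
                        this.keyManager.getSigningKey(), outcome.sendRequest);
            } else {
                webRequestUtil.send(outcome.document, outcome.destination, outcome.relayState, response, false, null,
                        outcome.sendRequest);
            }
        } catch (ParsingException e) {
            log.error("Failed to send SAML response", e);
        } catch (GeneralSecurityException e) {
            log.error("Failed to send SAML response", e);
        }
    }

    /**
     * Sends a STATUS_RESPONDER error message to the service provider.
     *
     * @param referer    the request's Referer header; used both as the error response's target and as
     *                   the destination passed to send(). NOTE(review): this value is client supplied;
     *                   confirm that getErrorResponse/send constrain it.
     * @param response   servlet response to write to
     * @param relayState relay state to echo back, may be null
     * @param webRequestUtil helper bound to the current request
     * @throws ServletException wrapping a {@link ParsingException} or {@link GeneralSecurityException} from send()
     * @throws IOException on response I/O failure
     * @throws ConfigurationException if the error response cannot be built
     */
    protected void sendErrorResponseToSP(String referer, HttpServletResponse response, String relayState,
            IDPWebRequestUtil webRequestUtil) throws ServletException, IOException, ConfigurationException {
        if (this.trace) {
            log.trace("About to send error response to SP:" + referer);
        }
        Document errorResponse = webRequestUtil.getErrorResponse(referer, JBossSAMLURIConstants.STATUS_RESPONDER.get(),
                this.identityURL, this.signOutgoingMessages.booleanValue());
        try {
            if (this.signOutgoingMessages.booleanValue()) {
                webRequestUtil.send(errorResponse, referer, relayState, response, true, this.keyManager.getSigningKey(), false);
            } else {
                webRequestUtil.send(errorResponse, referer, relayState, response, false, null, false);
            }
        } catch (ParsingException e) {
            throw new ServletException(e);
        } catch (GeneralSecurityException e) {
            throw new ServletException(e);
        }
    }

    /** GET is not part of this profile; always answers 405 Method Not Allowed. */
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }

    /**
     * Checks a SAML message against the redirect-binding signature carried in the query string.
     *
     * @param remoteAddress client address; also used to select the validating key from the key manager
     * @param queryString   the signed query string the signature was computed over
     * @param holder        message plus detached signature
     * @param postProfile   true when the message arrived via the POST profile; such messages are not
     *                      checked by this method and are accepted as-is
     * @return false when the message is empty, when no signature accompanied it, or when the query
     *         string carries no signature value; true when checking is skipped (incoming signatures
     *         ignored, or POST profile); otherwise the result of verifying the signature
     * @throws GeneralSecurityException if the validating key cannot be obtained
     * @throws IOException declared for callers; not raised by this implementation itself
     */
    protected boolean validate(String remoteAddress, String queryString, SessionHolder holder, boolean postProfile)
            throws IOException, GeneralSecurityException {
        String message = holder.samlRequest;
        if (message == null || message.length() == 0) {
            return false;
        }
        if (this.ignoreIncomingSignatures.booleanValue() || postProfile) {
            return true;
        }
        String signature = holder.signature;
        if (signature == null || signature.length() == 0) {
            log.error("Signature received from SP is null:" + remoteAddress);
            return false;
        }
        byte[] signatureValue = RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(queryString);
        if (signatureValue == null) {
            return false;
        }
        try {
            return RedirectBindingSignatureUtil.validateSignature(queryString,
                    this.keyManager.getValidatingKey(remoteAddress), signatureValue);
        } catch (TrustKeyConfigurationException e) {
            // Wrap the exception itself rather than its cause, which may be null and loses the key-manager context.
            throw new GeneralSecurityException(e);
        } catch (TrustKeyProcessingException e) {
            throw new GeneralSecurityException(e);
        }
    }

    /** Test hook exposing {@link #doPost} publicly. */
    public void testPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        doPost(request, response);
    }

    /**
     * Replaces the default role generator with an instance of {@code className}.
     *
     * @throws RuntimeException wrapping any load, instantiation or cast failure
     */
    private void setRoleGenerator(String className) {
        try {
            this.roleGenerator = instantiate(className, RoleGenerator.class);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Loads {@code className} through the context class loader and creates an instance with its
     * no-argument constructor, checked against {@code type}.
     *
     * @throws ClassCastException if the loaded class is not a {@code type}
     */
    private static <T> T instantiate(String className, Class<T> type)
            throws ClassNotFoundException, InstantiationException, IllegalAccessException {
        Object instance = SecurityActions.getContextClassLoader().loadClass(className).newInstance();
        return type.cast(instance);
    }

    /** True when {@code value} is non-null and not the empty string (whitespace-only still counts as set). */
    private static boolean isSet(String value) {
        return value != null && !"".equals(value);
    }

    /** Closes {@code in} if non-null; a close failure is only logged because the content was already consumed. */
    private static void closeQuietly(InputStream in) {
        if (in == null) {
            return;
        }
        try {
            in.close();
        } catch (IOException e) {
            log.debug("Could not close configuration stream", e);
        }
    }
}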
