package org.jboss.identity.federation.bindings.tomcat.sp;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.Principal;
import java.util.Arrays;
import java.util.List;
import javax.servlet.ServletException;
import javax.xml.bind.JAXBException;
import javax.xml.datatype.DatatypeConfigurationException;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.Session;
import org.apache.catalina.authenticator.FormAuthenticator;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.log4j.Logger;
import org.jboss.identity.federation.api.saml.v2.request.SAML2Request;
import org.jboss.identity.federation.api.saml.v2.response.SAML2Response;
import org.jboss.identity.federation.bindings.config.SPType;
import org.jboss.identity.federation.bindings.config.TrustType;
import org.jboss.identity.federation.bindings.tomcat.sp.holder.ServiceProviderSAMLContext;
import org.jboss.identity.federation.bindings.util.PostBindingUtil;
import org.jboss.identity.federation.bindings.util.ValveUtil;
import org.jboss.identity.federation.core.exceptions.ConfigurationException;
import org.jboss.identity.federation.core.saml.v2.exceptions.AssertionExpiredException;
import org.jboss.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException;
import org.jboss.identity.federation.saml.v2.assertion.EncryptedElementType;
import org.jboss.identity.federation.saml.v2.protocol.AuthnRequestType;
import org.jboss.identity.federation.saml.v2.protocol.ResponseType;
import org.xml.sax.SAXException;

/* loaded from: input_file:org/jboss/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.class */
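/**
 * Tomcat valve that authenticates a web application as a SAML v2 Service Provider
 * using the HTTP-POST binding.
 *
 * <p>Flow: on each unauthenticated request, the {@code SAMLResponse} form parameter
 * is looked for. If it is absent, an {@code AuthnRequest} is built and auto-posted to
 * the configured Identity Provider. If it is present, the response is decoded, its
 * issuer is checked against the configured trust domains, the (first) assertion is
 * handed to {@link SPUtil#handleSAMLResponse} and the resulting principal is
 * registered with the Tomcat session.
 *
 * <p>Security notes (review):
 * <ul>
 *   <li>Nothing in this class verifies an XML signature on the response or the
 *       assertion; if {@code SPUtil.handleSAMLResponse} does not do so either, any
 *       party that can reach the SP and spell the trusted issuer can mint assertions.
 *       Confirm before deploying this valve without a signature-validating variant.</li>
 *   <li>A missing {@code <Trust>} block in {@code jboss-idfed.xml} disables the issuer
 *       check entirely (see {@link #isTrusted(String)}).</li>
 *   <li>Encrypted assertions are not supported here; {@link #decryptAssertion}
 *       throws, which falls back to FORM login via the catch-all in
 *       {@link #authenticate}.</li>
 * </ul>
 */
public class SPPostFormAuthenticator extends FormAuthenticator {
    private static Logger log = Logger.getLogger(SPPostFormAuthenticator.class);

    /** Parsed SP section of /WEB-INF/jboss-idfed.xml; populated in {@link #start()}. */
    protected SPType spConfiguration = null;
    /** This SP's own URL (AssertionConsumerService), used as the AuthnRequest issuer/return. */
    private String serviceURL = null;
    /** IDP endpoint the AuthnRequest is posted to. */
    private String identityURL = null;

    /**
     * Loads the SP configuration from {@code /WEB-INF/jboss-idfed.xml}.
     *
     * @throws LifecycleException propagated from {@link FormAuthenticator#start()}
     * @throws RuntimeException if the descriptor is missing or cannot be parsed; this
     *         deliberately aborts valve startup rather than running unconfigured
     */
    public void start() throws LifecycleException {
        super.start();
        InputStream descriptor = this.context.getServletContext().getResourceAsStream("/WEB-INF/jboss-idfed.xml");
        if (descriptor == null) {
            throw new RuntimeException("/WEB-INF/jboss-idfed.xml missing");
        }
        try {
            this.spConfiguration = ValveUtil.getSPConfiguration(descriptor);
            this.identityURL = this.spConfiguration.getIdentityURL();
            this.serviceURL = this.spConfiguration.getServiceURL();
            log.trace("Identity Provider URL=" + this.identityURL);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Authenticates the request via SAML, redirecting to the IDP when no usable
     * {@code SAMLResponse} is present.
     *
     * @param request     the Tomcat request
     * @param response    the Tomcat response (an auto-submitting POST form is written
     *                    to it when the user must be sent to the IDP)
     * @param loginConfig web.xml login configuration, only used for the FORM fallback
     * @return {@code true} if a principal is now associated with the request;
     *         {@code false} if the caller must stop processing (a redirect to the IDP
     *         has been written, or an error occurred)
     * @throws IOException from writing the IDP redirect or from the FORM fallback
     */
    public boolean authenticate(Request request, Response response, LoginConfig loginConfig) throws IOException {
        SPUtil spUtil = new SPUtil();

        Principal existing = request.getUserPrincipal();
        if (existing != null) {
            log.debug("Already authenticated '" + existing.getName() + "'");
            return true;
        }

        // Session is created before authentication completes. NOTE(review): whether
        // the session id is rotated on login depends on the FormAuthenticator/Tomcat
        // version underneath; confirm to rule out session fixation.
        Session session = request.getSessionInternal(true);

        // RelayState is echoed back to the IDP as received. NOTE(review): it is not
        // validated here; confirm PostBindingUtil.sendPost HTML-escapes it when it
        // renders the auto-submit form.
        String relayState = request.getParameter("RelayState");

        try {
            Principal principal = (GenericPrincipal) process(request, response);
            if (principal == null) {
                // No SAMLResponse on this request: start the SP-initiated flow.
                sendRequestToIDP(spUtil.createSAMLRequest(this.serviceURL, this.identityURL), relayState, response);
                return false;
            }

            String userName = principal.getName();
            if (this.spConfiguration.getServerEnvironment().equalsIgnoreCase("JBOSS")) {
                // On JBoss the realm is consulted so that the container's own
                // principal/role objects are used; the SAML-derived roles are passed
                // through the thread-bound ServiceProviderSAMLContext. clear() is not
                // in a finally block in the original either, so a realm failure would
                // leave the context populated for this thread.
                ServiceProviderSAMLContext.push(userName, Arrays.asList(((GenericPrincipal) principal).getRoles()));
                principal = this.context.getRealm().authenticate(userName, ServiceProviderSAMLContext.EMPTY_PASSWORD);
                ServiceProviderSAMLContext.clear();
            }

            // Mirror what FormAuthenticator records; there is no real password, so the
            // shared EMPTY_PASSWORD sentinel is stored.
            session.setNote("org.apache.catalina.session.USERNAME", userName);
            session.setNote("org.apache.catalina.session.PASSWORD", ServiceProviderSAMLContext.EMPTY_PASSWORD);
            request.setUserPrincipal(principal);
            register(request, response, principal, "FORM", userName, ServiceProviderSAMLContext.EMPTY_PASSWORD);
            return true;
        } catch (AssertionExpiredException expired) {
            log.debug("Assertion has expired. Issuing a new saml2 request to the IDP");
            try {
                sendRequestToIDP(spUtil.createSAMLRequest(this.serviceURL, this.identityURL), relayState, response);
                return false;
            } catch (Exception sendFailure) {
                log.trace("Exception:", sendFailure);
                return false;
            }
        } catch (Exception failure) {
            // Any other failure (untrusted issuer, malformed response, unsupported
            // encryption, validate() rejection) falls back to plain FORM login.
            // NOTE(review): a rejected SAML response is only logged at DEBUG; consider
            // a higher level so failed assertions are visible in production logs.
            log.debug("Exception :", failure);
            return super.authenticate(request, response, loginConfig);
        }
    }

    /**
     * Marshals the AuthnRequest and writes an auto-submitting HTML form posting it
     * (base64-encoded) to the request's {@code Destination}.
     *
     * @param authnRequestType the request to send; its Destination is the target URL
     * @param str              RelayState to carry along, may be {@code null}
     * @param response         response the form is written to
     * @throws IOException   on write failure
     * @throws SAXException  on marshalling failure
     * @throws JAXBException on marshalling failure
     */
    protected void sendRequestToIDP(AuthnRequestType authnRequestType, String str, Response response) throws IOException, SAXException, JAXBException {
        SAML2Request marshaller = new SAML2Request();
        ByteArrayOutputStream xmlBytes = new ByteArrayOutputStream();
        marshaller.marshall(authnRequestType, xmlBytes);
        // The marshalled XML is decoded as UTF-8 explicitly; the no-arg toString()
        // would use the platform default charset and could corrupt non-ASCII content
        // (and therefore the base64 payload) on non-UTF-8 hosts.
        String xml = xmlBytes.toString("UTF-8");
        PostBindingUtil.sendPost(authnRequestType.getDestination(), PostBindingUtil.base64Encode(xml), str, response, true);
    }

    /**
     * Builds the AuthnRequest for this SP.
     *
     * @param str      unused by this implementation; kept for subclasses
     * @param response unused by this implementation; kept for subclasses
     * @return a new AuthnRequest addressed to the configured IDP
     * @throws ServletException       if {@code serviceURL} was not configured
     * @throws ConfigurationException propagated from {@link SPUtil#createSAMLRequest}
     */
    protected AuthnRequestType createSAMLRequestMessage(String str, Response response) throws ServletException, ConfigurationException {
        if (this.serviceURL == null) {
            throw new ServletException("serviceURL is not configured");
        }
        return new SPUtil().createSAMLRequest(this.serviceURL, this.identityURL);
    }

    /**
     * Builds the query-string suffix for a redirect-style request.
     *
     * @param str  already-encoded SAMLRequest value
     * @param str2 RelayState, appended only when non-empty
     * @return {@code ?SAMLRequest=...} optionally followed by {@code &RelayState=...};
     *         no URL encoding is applied here, callers must pass encoded values
     */
    protected String getDestination(String str, String str2) {
        StringBuilder destination = new StringBuilder("?SAMLRequest=").append(str);
        boolean hasRelayState = str2 != null && str2.length() > 0;
        if (hasRelayState) {
            destination.append("&RelayState=").append(str2);
        }
        return destination.toString();
    }

    /**
     * Checks the issuer of a SAML response against the configured trust domains.
     *
     * <p>If no {@code <Trust>} element is configured, every issuer is accepted.
     *
     * <p>NOTE(review): the check is {@code getDomains().indexOf(domain) >= 0}. If
     * {@code getDomains()} returns a delimited String rather than a List, that is a
     * substring match — a configured {@code example.com} would also accept
     * {@code evil-example.com}. Confirm the return type and, if it is a String, split
     * on the delimiter and compare whole tokens.
     *
     * @param str the issuer value from the response
     * @throws IssuerNotTrustedException if the issuer's domain is not listed, or if
     *         the domain cannot be extracted / the configuration cannot be read
     */
    protected void isTrusted(String str) throws IssuerNotTrustedException {
        try {
            String issuerDomain = ValveUtil.getDomain(str);
            TrustType trust = this.spConfiguration.getTrust();
            boolean trusted = trust == null || trust.getDomains().indexOf(issuerDomain) >= 0;
            if (!trusted) {
                throw new IssuerNotTrustedException(str);
            }
        } catch (Exception e) {
            // Also re-wraps the IssuerNotTrustedException thrown above; the cause is kept.
            throw new IssuerNotTrustedException(e.getLocalizedMessage(), e);
        }
    }

    /**
     * Hook for subclasses to apply extra checks to an incoming response.
     *
     * @param request the Tomcat request
     * @return {@code true} when a {@code SAMLResponse} parameter is present; a
     *         {@code false} result aborts {@link #process}
     */
    protected boolean validate(Request request) {
        return request.getParameter("SAMLResponse") != null;
    }

    /**
     * Hook for subclasses that support encrypted assertions.
     *
     * @param responseType response whose first assertion is encrypted
     * @return never returns in this implementation
     * @throws RuntimeException always; this authenticator does not handle encryption
     */
    protected ResponseType decryptAssertion(ResponseType responseType) {
        throw new RuntimeException("This authenticator does not handle encryption");
    }

    /**
     * Decodes and checks the {@code SAMLResponse} parameter and turns it into a
     * principal.
     *
     * @param request  the Tomcat request
     * @param response the Tomcat response (passed through to {@link SPUtil})
     * @return the authenticated principal, or {@code null} when the request carries
     *         no {@code SAMLResponse}
     * @throws IllegalStateException     if {@link #validate} rejects the request or
     *                                   the response carries no assertion
     * @throws IssuerNotTrustedException if the issuer is not in the trust list
     * @throws AssertionExpiredException if the assertion's validity window has passed
     */
    private Principal process(Request request, Response response) throws JAXBException, SAXException, IssuerNotTrustedException, AssertionExpiredException, DatatypeConfigurationException, ConfigurationException {
        String samlResponse = request.getParameter("SAMLResponse");
        if (samlResponse == null || samlResponse.length() <= 0) {
            return null;
        }

        // Previously the result of validate() was discarded, which made the overridable
        // hook a no-op for subclasses; a false result now rejects the response (the
        // exception is caught in authenticate() and falls back to FORM login).
        if (!validate(request)) {
            throw new IllegalStateException("SAMLResponse failed validation");
        }

        // NOTE(review): base64Decode output is parsed as XML here; confirm the parser
        // inside SAML2Response has DTDs/external entities disabled (XXE).
        byte[] decoded = PostBindingUtil.base64Decode(samlResponse);
        ResponseType responseType = new SAML2Response().getResponseType(new ByteArrayInputStream(decoded));

        isTrusted(responseType.getIssuer().getValue());

        List assertions = responseType.getAssertionOrEncryptedAssertion();
        if (assertions.size() == 0) {
            throw new IllegalStateException("No assertions in reply from IDP");
        }
        // Only the first entry decides whether the decryption hook is invoked.
        if (assertions.get(0) instanceof EncryptedElementType) {
            responseType = decryptAssertion(responseType);
        }
        return new SPUtil().handleSAMLResponse(request, responseType);
    }
}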
