package org.jboss.identity.federation.bindings.tomcat.sp;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.util.Arrays;
import java.util.List;
import java.util.StringTokenizer;
import javax.servlet.ServletException;
import javax.xml.bind.JAXBException;
import org.apache.catalina.Session;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.log4j.Logger;
import org.jboss.identity.federation.api.saml.v2.request.SAML2Request;
import org.jboss.identity.federation.api.saml.v2.response.SAML2Response;
import org.jboss.identity.federation.api.util.Base64;
import org.jboss.identity.federation.api.util.DeflateUtil;
import org.jboss.identity.federation.bindings.config.TrustType;
import org.jboss.identity.federation.bindings.tomcat.sp.holder.ServiceProviderSAMLContext;
import org.jboss.identity.federation.bindings.util.HTTPRedirectUtil;
import org.jboss.identity.federation.bindings.util.RedirectBindingUtil;
import org.jboss.identity.federation.bindings.util.ValveUtil;
import org.jboss.identity.federation.core.exceptions.ConfigurationException;
import org.jboss.identity.federation.core.exceptions.ParsingException;
import org.jboss.identity.federation.core.saml.v2.exceptions.AssertionExpiredException;
import org.jboss.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException;
import org.jboss.identity.federation.saml.v2.assertion.EncryptedElementType;
import org.jboss.identity.federation.saml.v2.protocol.AuthnRequestType;
import org.jboss.identity.federation.saml.v2.protocol.ResponseType;
import org.xml.sax.SAXException;

/* loaded from: input_file:org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.class */
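/**
 * Tomcat form authenticator for a SAML v2 service provider using the HTTP-Redirect binding.
 *
 * <p>An unauthenticated request is answered with a redirect to the IDP carrying a deflated,
 * base64/URL-encoded {@code AuthnRequest} (plus the caller's {@code RelayState}). A request
 * that carries a {@code SAMLResponse} parameter is decoded, its issuer is checked against the
 * configured trust domains and the response is turned into a container principal that is then
 * registered with the session under the {@code FORM} auth type.
 *
 * <p>Encrypted assertions are not supported by this class; see {@link #decryptAssertion}.
 */
public class SPRedirectFormAuthenticator extends BaseFormAuthenticator {
    private static final Logger log = Logger.getLogger(SPRedirectFormAuthenticator.class);

    // Request parameter names of the SAML redirect/POST exchange.
    private static final String SAML_RESPONSE_PARAM = "SAMLResponse";
    private static final String RELAY_STATE_PARAM = "RelayState";
    // Tomcat session notes consulted by the container's form-authentication machinery.
    private static final String SESSION_NOTE_USERNAME = "org.apache.catalina.session.USERNAME";
    private static final String SESSION_NOTE_PASSWORD = "org.apache.catalina.session.PASSWORD";

    /**
     * Authenticates the request via SAML, falling back to the inherited form login when the
     * SAML exchange cannot be completed.
     *
     * <p>A request that already carries a user principal is accepted as-is. When no
     * {@code SAMLResponse} is present the user agent is redirected to the IDP with a fresh
     * {@code AuthnRequest} and {@code false} is returned. When a response is present and yields
     * a principal, the principal is registered with the session under the {@code FORM} auth
     * type and {@code true} is returned. An expired assertion triggers a new redirect; any other
     * failure (untrusted issuer, parse error, ...) falls back to {@code super.authenticate}.
     *
     * @param request the current request
     * @param response the current response; written to when a redirect is issued
     * @param loginConfig the login configuration handed to the superclass fallback
     * @return {@code true} when the request is authenticated, {@code false} when a redirect was
     *         sent or the superclass fallback did not authenticate the request
     * @throws IOException if the superclass fallback fails with an I/O error
     */
    public boolean authenticate(Request request, Response response, LoginConfig loginConfig) throws IOException {
        Principal existing = request.getUserPrincipal();
        if (existing != null) {
            log.debug("Already authenticated '" + existing.getName() + "'");
            return true;
        }
        Session session = request.getSessionInternal(true);
        String relayState = request.getParameter(RELAY_STATE_PARAM);
        try {
            // process() returns null when the request carries no SAMLResponse at all.
            GenericPrincipal samlPrincipal = (GenericPrincipal) process(request, response);
            if (samlPrincipal == null) {
                HTTPRedirectUtil.sendRedirectForRequestor(createSAMLRequestMessage(relayState, response), response);
                return false;
            }
            String userName = samlPrincipal.getName();
            Principal principal = samlPrincipal;
            // A null/unset server environment is treated as "not JBoss" and the SAML principal
            // is used directly.
            if ("JBOSS".equalsIgnoreCase(this.spConfiguration.getServerEnvironment())) {
                // On JBoss the realm builds the principal; the SAML roles reach it through the
                // ServiceProviderSAMLContext holder. The holder must be cleared even when the
                // realm throws, otherwise the roles linger on this worker thread and can be
                // picked up by a later, unrelated realm call.
                ServiceProviderSAMLContext.push(userName, Arrays.asList(samlPrincipal.getRoles()));
                try {
                    principal = this.context.getRealm().authenticate(userName, ServiceProviderSAMLContext.EMPTY_PASSWORD);
                } finally {
                    ServiceProviderSAMLContext.clear();
                }
            }
            if (principal == null) {
                // A realm that rejects the user must not leave the request "authenticated"
                // with no principal attached.
                log.warn("Realm did not return a principal for SAML user '" + userName + "'");
                return super.authenticate(request, response, loginConfig);
            }
            session.setNote(SESSION_NOTE_USERNAME, userName);
            session.setNote(SESSION_NOTE_PASSWORD, ServiceProviderSAMLContext.EMPTY_PASSWORD);
            request.setUserPrincipal(principal);
            register(request, response, principal, "FORM", userName, ServiceProviderSAMLContext.EMPTY_PASSWORD);
            return true;
        } catch (AssertionExpiredException e) {
            log.debug("Assertion has expired. Issuing a new saml2 request to the IDP");
            try {
                HTTPRedirectUtil.sendRedirectForRequestor(createSAMLRequestMessage(relayState, response), response);
            } catch (Exception redirectFailure) {
                log.trace("Exception:", redirectFailure);
            }
            return false;
        } catch (IssuerNotTrustedException e) {
            // A response from outside the configured trust domains is either a misconfiguration
            // or a forgery attempt; either way it deserves more than a debug line.
            log.warn("Rejected SAML response from an untrusted issuer; falling back to form login", e);
            return super.authenticate(request, response, loginConfig);
        } catch (Exception e) {
            log.debug("Exception :", e);
            return super.authenticate(request, response, loginConfig);
        }
    }

    /**
     * Builds the redirect URL that carries a fresh {@code AuthnRequest} to the IDP.
     *
     * <p>The request is created by {@link SPUtil#createSAMLRequest}, marshalled, then deflated
     * and base64/URL-encoded by {@link RedirectBindingUtil#deflateBase64URLEncode(byte[])} and
     * appended to the request's own destination as the {@code SAMLRequest} query parameter;
     * {@code relayState}, when non-empty, follows as the {@code RelayState} parameter.
     *
     * @param relayState the relay state to round-trip through the IDP, or {@code null}
     * @param response the current response; not used by this implementation
     * @return the absolute URL to redirect the user agent to
     * @throws ServletException if {@code serviceURL} has not been configured
     * @throws ConfigurationException if the request cannot be created
     * @throws SAXException if marshalling fails
     * @throws JAXBException if marshalling fails
     * @throws IOException if marshalling fails
     */
    protected String createSAMLRequestMessage(String relayState, Response response) throws ServletException, ConfigurationException, SAXException, JAXBException, IOException {
        if (this.serviceURL == null) {
            throw new ServletException("serviceURL is not configured");
        }
        AuthnRequestType authnRequest = new SPUtil().createSAMLRequest(this.serviceURL, this.identityURL);
        ByteArrayOutputStream marshalled = new ByteArrayOutputStream();
        new SAML2Request().marshall(authnRequest, marshalled);
        String encodedRequest = RedirectBindingUtil.deflateBase64URLEncode(marshalled.toByteArray());
        String destination = authnRequest.getDestination() + getDestination(encodedRequest, relayState);
        log.debug("Sending to destination=" + destination);
        return destination;
    }

    /**
     * Assembles the query string of the redirect: {@code ?SAMLRequest=...} followed by
     * {@code &RelayState=...} when a relay state is given.
     *
     * <p>{@code samlRequest} is appended verbatim (the caller passes the already URL-safe
     * output of {@code deflateBase64URLEncode}); {@code relayState} comes from a decoded
     * request parameter and is URL-encoded here so that characters such as {@code &} or
     * {@code #} inside it cannot split or truncate the redirect's query string.
     *
     * @param samlRequest the encoded {@code AuthnRequest}
     * @param relayState the relay state, or {@code null}/empty for none
     * @return the query string, starting with {@code ?}
     */
    protected String getDestination(String samlRequest, String relayState) {
        StringBuilder query = new StringBuilder("?SAMLRequest=").append(samlRequest);
        if (relayState != null && relayState.length() > 0) {
            query.append("&RelayState=").append(urlEncode(relayState));
        }
        return query.toString();
    }

    /**
     * URL-encodes a query-string value as UTF-8.
     *
     * @throws IllegalStateException if the JVM lacks UTF-8, which every JVM is required to ship
     */
    private static String urlEncode(String value) {
        try {
            return URLEncoder.encode(value, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is not supported by this JVM", e);
        }
    }

    /**
     * Checks the issuer of a SAML response against the {@code Trust} domains of the SP
     * configuration.
     *
     * <p>The issuer's domain, as extracted by {@link ValveUtil#getDomain(String)}, is accepted
     * when it equals one of the comma-separated configured domains or is a sub-domain of one
     * ({@code sso.example.org} matches a configured {@code example.org}). Matching is on whole
     * labels, so {@code evil-example.org} does not match {@code example.org}, and a configured
     * {@code sso.example.org} does not accept a bare {@code example.org} issuer. When the
     * configuration carries no {@code Trust} element at all the check passes, as before;
     * deployments should configure one.
     *
     * @param issuer the issuer value from the SAML response
     * @throws IssuerNotTrustedException if the issuer's domain is not trusted, if the trust
     *         domain list is missing, or if the issuer cannot be parsed
     */
    protected void isTrusted(String issuer) throws IssuerNotTrustedException {
        try {
            String issuerDomain = ValveUtil.getDomain(issuer);
            TrustType trust = this.spConfiguration.getTrust();
            if (trust == null) {
                log.trace("No trust configuration present; accepting issuer domain=" + issuerDomain);
                return;
            }
            String domains = trust.getDomains();
            log.trace("Domains that SP trusts=" + domains + " and issuer domain=" + issuerDomain);
            if (domains == null || issuerDomain == null) {
                throw new IssuerNotTrustedException(issuer);
            }
            StringTokenizer tokens = new StringTokenizer(domains, ",");
            while (tokens.hasMoreTokens()) {
                String trustedDomain = tokens.nextToken().trim();
                log.trace("Matching uri bit=" + trustedDomain);
                if (trustedDomain.length() > 0 && isSameOrSubDomain(issuerDomain, trustedDomain)) {
                    log.trace("Matched " + trustedDomain + " trust for " + issuerDomain);
                    return;
                }
            }
            throw new IssuerNotTrustedException(issuer);
        } catch (IssuerNotTrustedException e) {
            throw e;
        } catch (Exception e) {
            // Anything else (unparsable issuer, missing configuration) is reported as an
            // untrusted issuer with the cause attached.
            throw new IssuerNotTrustedException(e.getLocalizedMessage(), e);
        }
    }

    /**
     * Whole-label suffix match: {@code domain} equals {@code trusted} (case-insensitively) or
     * ends with {@code "." + trusted} with at least one character before the dot.
     */
    private static boolean isSameOrSubDomain(String domain, String trusted) {
        if (domain.equalsIgnoreCase(trusted)) {
            return true;
        }
        int dot = domain.length() - trusted.length() - 1;
        return dot > 0
                && domain.charAt(dot) == '.'
                && domain.regionMatches(true, dot + 1, trusted, 0, trusted.length());
    }

    /**
     * Reports whether the request carries a {@code SAMLResponse} parameter.
     *
     * <p>Subclasses may override this with stronger checks; {@link #process} refuses the
     * response when this returns {@code false}.
     *
     * @param request the current request
     * @return {@code true} if a {@code SAMLResponse} parameter is present
     * @throws IOException never thrown by this implementation
     * @throws GeneralSecurityException never thrown by this implementation
     */
    public boolean validate(Request request) throws IOException, GeneralSecurityException {
        return request.getParameter(SAML_RESPONSE_PARAM) != null;
    }

    /**
     * Hook for decrypting an encrypted assertion. This authenticator does not support
     * encryption and always throws.
     *
     * @param responseType the response whose first assertion is encrypted
     * @return never returns
     * @throws UnsupportedOperationException always
     */
    protected ResponseType decryptAssertion(ResponseType responseType) throws IOException, GeneralSecurityException, ConfigurationException, ParsingException {
        throw new UnsupportedOperationException("This authenticator does not handle encryption");
    }

    /**
     * Decodes the {@code SAMLResponse} parameter, enforces issuer trust and converts the
     * response into a principal.
     *
     * @param request the current request
     * @param response the current response
     * @return the principal built by {@link SPUtil#handleSAMLResponse}, or {@code null} when the
     *         request carries no (or an empty) {@code SAMLResponse}
     * @throws GeneralSecurityException if {@link #validate} rejects the request
     * @throws ParsingException if the response cannot be unmarshalled
     * @throws IssuerNotTrustedException if the issuer fails {@link #isTrusted}
     * @throws IllegalStateException if the response carries no issuer or no assertion
     */
    private Principal process(Request request, Response response) throws IOException, GeneralSecurityException, ConfigurationException, ParsingException {
        String samlResponse = request.getParameter(SAML_RESPONSE_PARAM);
        if (samlResponse == null || samlResponse.length() == 0) {
            return null;
        }
        // The validation result used to be discarded; an overriding validate() must be able
        // to veto the response.
        if (!validate(request)) {
            throw new GeneralSecurityException("SAML response failed validation");
        }
        try {
            // NOTE(review): the parameter is attacker-controlled and is inflated before any
            // trust check runs; confirm DeflateUtil.decode bounds its output size.
            ResponseType responseType = new SAML2Response().getResponseType(DeflateUtil.decode(Base64.decode(samlResponse)));
            if (responseType.getIssuer() == null) {
                throw new IllegalStateException("No issuer in reply from IDP");
            }
            isTrusted(responseType.getIssuer().getValue());
            List<?> assertions = responseType.getAssertionOrEncryptedAssertion();
            if (assertions.isEmpty()) {
                throw new IllegalStateException("No assertions in reply from IDP");
            }
            if (assertions.get(0) instanceof EncryptedElementType) {
                responseType = decryptAssertion(responseType);
            }
            return new SPUtil().handleSAMLResponse(request, responseType);
        } catch (JAXBException e) {
            throw new ParsingException(e);
        } catch (SAXException e) {
            throw new ParsingException(e);
        }
    }
}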
