package org.jboss.seam.security.external.saml.sp;

import java.util.LinkedList;
import javax.enterprise.inject.Instance;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.bind.JAXBElement;
import javax.xml.datatype.DatatypeConstants;
import org.jboss.logging.Logger;
import org.jboss.seam.security.external.InvalidRequestException;
import org.jboss.seam.security.external.ResponseHandler;
import org.jboss.seam.security.external.SamlNameIdImpl;
import org.jboss.seam.security.external.SamlPrincipalImpl;
import org.jboss.seam.security.external.dialogues.DialogueBean;
import org.jboss.seam.security.external.jaxb.samlv2.assertion.AssertionType;
import org.jboss.seam.security.external.jaxb.samlv2.assertion.AttributeStatementType;
import org.jboss.seam.security.external.jaxb.samlv2.assertion.AttributeType;
import org.jboss.seam.security.external.jaxb.samlv2.assertion.AuthnStatementType;
import org.jboss.seam.security.external.jaxb.samlv2.assertion.NameIDType;
import org.jboss.seam.security.external.jaxb.samlv2.assertion.StatementAbstractType;
import org.jboss.seam.security.external.jaxb.samlv2.assertion.SubjectConfirmationDataType;
import org.jboss.seam.security.external.jaxb.samlv2.assertion.SubjectConfirmationType;
import org.jboss.seam.security.external.jaxb.samlv2.protocol.AuthnRequestType;
import org.jboss.seam.security.external.jaxb.samlv2.protocol.ResponseType;
import org.jboss.seam.security.external.jaxb.samlv2.protocol.StatusResponseType;
import org.jboss.seam.security.external.jaxb.samlv2.protocol.StatusType;
import org.jboss.seam.security.external.saml.SamlConstants;
import org.jboss.seam.security.external.saml.SamlDialogue;
import org.jboss.seam.security.external.saml.SamlEntityBean;
import org.jboss.seam.security.external.saml.SamlMessage;
import org.jboss.seam.security.external.saml.SamlMessageFactory;
import org.jboss.seam.security.external.saml.SamlMessageSender;
import org.jboss.seam.security.external.saml.SamlProfile;
import org.jboss.seam.security.external.saml.SamlServiceType;
import org.jboss.seam.security.external.saml.SamlUtils;
import org.jboss.seam.security.external.spi.SamlServiceProviderSpi;

/* loaded from: input_file:WEB-INF/lib/seam-security-external-3.0.0-SNAPSHOT.jar:org/jboss/seam/security/external/saml/sp/SamlSpSingleSignOnService.class */
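/**
 * Service-provider side of the SAML 2.0 Web Browser SSO profile: sends an
 * {@code AuthnRequest} to an external identity provider and turns the IdP's
 * {@code Response} into a local {@link SamlSpSessionImpl}.
 *
 * NOTE(review): nothing in this class verifies the XML signature on the
 * Response or Assertion, nor does it compare the assertion Issuer with the
 * expected IdP. It relies on the caller (the SAML message receiver) having
 * done that before {@link #processIDPResponse} is invoked -- confirm that
 * before exposing the assertion consumer service.
 */
public class SamlSpSingleSignOnService {

    @Inject
    private Logger log;

    @Inject
    private SamlSpSessions samlSpSessions;

    @Inject
    private Instance<SamlServiceProviderSpi> samlServiceProviderSpi;

    @Inject
    private Instance<SamlEntityBean> samlEntityBean;

    @Inject
    private DialogueBean dialogue;

    @Inject
    private SamlMessageSender samlMessageSender;

    @Inject
    private SamlDialogue samlDialogue;

    @Inject
    private SamlMessageFactory samlMessageFactory;

    @Inject
    private ResponseHandler responseHandler;

    /**
     * Handles the IdP's response to a single sign-on exchange.
     *
     * A non-Success status is reported to the SPI via {@code loginFailed} and
     * processing stops there (the previous version fell through and would still
     * have evaluated any assertions attached to a failed response). A Success
     * status must carry a {@code ResponseType} with at least one assertion that
     * passes {@link #handleAssertion}; the resulting session is registered and
     * the SPI is told whether the login was solicited or IdP-initiated.
     *
     * @param httpServletRequest  the inbound request; only RelayState is read from it
     * @param httpServletResponse the response handed to the SPI callbacks
     * @param statusResponseType  the parsed SAML response
     * @throws InvalidRequestException if the response is malformed, answers a different
     *                                 dialogue, or contains no usable assertion
     */
    public void processIDPResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, StatusResponseType statusResponseType) throws InvalidRequestException {
        SamlExternalIdentityProvider idp = (SamlExternalIdentityProvider) this.samlDialogue.getExternalProvider();

        StatusType status = statusResponseType.getStatus();
        if (status == null) {
            throw new InvalidRequestException("Response does not contain a status");
        }
        // A missing StatusCode used to surface as a NullPointerException (HTTP 500);
        // a message the IdP built wrongly is an invalid request, not an SP bug.
        if (status.getStatusCode() == null || status.getStatusCode().getValue() == null) {
            throw new InvalidRequestException("Response does not contain a status code");
        }
        String topLevelCode = status.getStatusCode().getValue();
        if (!SamlConstants.STATUS_SUCCESS.equals(topLevelCode)) {
            String secondLevelCode = null;
            if (status.getStatusCode().getStatusCode() != null) {
                secondLevelCode = status.getStatusCode().getStatusCode().getValue();
            }
            this.samlServiceProviderSpi.get().loginFailed(topLevelCode, secondLevelCode, this.responseHandler.createResponseHolder(httpServletResponse));
            // Terminal outcome: do not go on to evaluate assertions from a failed response.
            this.dialogue.setFinished(true);
            return;
        }

        if (!(statusResponseType instanceof ResponseType)) {
            throw new InvalidRequestException("Response does not have type ResponseType");
        }
        ResponseType responseType = (ResponseType) statusResponseType;

        // InResponseTo absent means an IdP-initiated (unsolicited) login. When it is
        // present it must name the AuthnRequest this dialogue was opened for; the
        // subject-confirmation check compares the same id, so the two stay consistent.
        // This may duplicate a check in the message receiver -- harmless if so.
        String inResponseTo = statusResponseType.getInResponseTo();
        boolean unsolicited = inResponseTo == null;
        if (!unsolicited && !inResponseTo.equals(this.dialogue.getId())) {
            throw new InvalidRequestException("Response InResponseTo does not match the current dialogue");
        }

        if (responseType.getAssertionOrEncryptedAssertion().isEmpty()) {
            // Previously a bare RuntimeException; kept as the declared exception type
            // so the caller's existing handling applies.
            throw new InvalidRequestException("IDP response does not contain assertions");
        }
        SamlSpSessionImpl session = createSession(responseType, idp);
        if (session == null) {
            throw new InvalidRequestException("Not possible to login based on the supplied assertions");
        }
        loginUser(httpServletRequest, httpServletResponse, session, unsolicited, httpServletRequest.getParameter(SamlMessage.QSP_RELAY_STATE));
        this.dialogue.setFinished(true);
    }

    /**
     * Builds a session from the first assertion that passes validation.
     *
     * Encrypted assertions are skipped (no decryption support). If more than one
     * assertion yields a session only the first is used and a warning is logged.
     *
     * @return the session, or {@code null} when no assertion was usable
     */
    private SamlSpSessionImpl createSession(ResponseType responseType, SamlExternalIdentityProvider idp) {
        SamlSpSessionImpl session = null;
        for (Object element : responseType.getAssertionOrEncryptedAssertion()) {
            if (!(element instanceof AssertionType)) {
                this.log.warn("Encountered encrypted assertion. Skipping it because decryption is not yet supported.");
                continue;
            }
            SamlSpSessionImpl candidate = handleAssertion((AssertionType) element, idp);
            if (candidate == null) {
                continue; // handleAssertion already logged why it was rejected
            }
            if (session == null) {
                session = candidate;
            } else {
                this.log.warn("Multiple authenticated users found in assertions. Using the first one.");
            }
        }
        return session;
    }

    /**
     * Validates one assertion and turns it into a session.
     *
     * Rejects (returns {@code null} and logs a warning) when the assertion has
     * expired, carries no AuthnStatement, or its Subject has no valid bearer
     * confirmation. Otherwise builds a principal from the NameID and the plain
     * (unencrypted) attributes of every AttributeStatement.
     *
     * @return the session, or {@code null} if the assertion must not be trusted
     */
    private SamlSpSessionImpl handleAssertion(AssertionType assertion, SamlExternalIdentityProvider idp) {
        // NOTE(review): this is the only Conditions check visible in this class.
        // NotBefore and AudienceRestriction are not evaluated here -- confirm that
        // SamlUtils.hasAssertionExpired or the message receiver covers them.
        if (SamlUtils.hasAssertionExpired(assertion)) {
            this.log.warn("Received assertion not processed because it has expired.");
            return null;
        }
        AuthnStatementType authnStatement = extractValidAuthnStatement(assertion);
        if (authnStatement == null) {
            this.log.warn("Received assertion not processed because it doesn't contain a valid authnStatement.");
            return null;
        }
        NameIDType nameId = validateSubjectAndExtractNameID(assertion);
        if (nameId == null) {
            this.log.warn("Received assertion not processed because it doesn't contain a valid subject.");
            return null;
        }

        SamlPrincipalImpl principal = new SamlPrincipalImpl();
        principal.setAssertion(assertion);
        principal.setNameId(new SamlNameIdImpl(nameId.getValue(), nameId.getFormat(), nameId.getNameQualifier()));

        // Accumulate attributes across ALL AttributeStatements. The previous version
        // replaced the list once per statement, so only the last statement survived.
        LinkedList<AttributeType> attributes = new LinkedList<AttributeType>();
        boolean sawAttributeStatement = false;
        for (StatementAbstractType statement : assertion.getStatementOrAuthnStatementOrAuthzDecisionStatement()) {
            if (!(statement instanceof AttributeStatementType)) {
                continue;
            }
            sawAttributeStatement = true;
            for (Object attribute : ((AttributeStatementType) statement).getAttributeOrEncryptedAttribute()) {
                if (attribute instanceof AttributeType) {
                    attributes.add((AttributeType) attribute);
                } else {
                    this.log.warn("Encrypted attributes are not supported. Ignoring the attribute.");
                }
            }
        }
        if (sawAttributeStatement) {
            // Leave the principal's attributes untouched when there was no statement,
            // as before.
            principal.setAttributes(attributes);
        }

        SamlSpSessionImpl session = new SamlSpSessionImpl();
        session.setSessionIndex(authnStatement.getSessionIndex());
        session.setPrincipal(principal);
        session.setIdentityProvider(idp);
        return session;
    }

    /**
     * Returns the first AuthnStatement in the assertion, or {@code null}.
     *
     * Despite the name no further validation is performed here: the statement's
     * own fields (e.g. SessionNotOnOrAfter) are not inspected.
     */
    private AuthnStatementType extractValidAuthnStatement(AssertionType assertion) {
        for (StatementAbstractType statement : assertion.getStatementOrAuthnStatementOrAuthzDecisionStatement()) {
            if (statement instanceof AuthnStatementType) {
                return (AuthnStatementType) statement;
            }
        }
        return null;
    }

    /**
     * Checks the Subject's bearer confirmation and returns its NameID.
     *
     * The assertion is accepted only if at least one {@code SubjectConfirmation}
     * with the bearer method has a {@code SubjectConfirmationData} whose Recipient
     * equals this SP's assertion consumer service URL, whose NotOnOrAfter is
     * strictly in the future, and whose InResponseTo (when present) equals the
     * current dialogue id. Missing Recipient/NotOnOrAfter, or a confirmation
     * without data, fails closed.
     *
     * @return the NameID, or {@code null} when the subject is absent, unconfirmed,
     *         or carries no plain NameID (e.g. only an EncryptedID)
     */
    private NameIDType validateSubjectAndExtractNameID(AssertionType assertion) {
        if (assertion.getSubject() == null) {
            return null;
        }
        String expectedRecipient = this.samlEntityBean.get().getServiceURL(SamlServiceType.SAML_ASSERTION_CONSUMER_SERVICE);
        NameIDType nameId = null;
        boolean confirmed = false;
        for (JAXBElement<?> element : assertion.getSubject().getContent()) {
            Object value = element.getValue();
            if (value instanceof NameIDType) {
                nameId = (NameIDType) value;
            } else if (value instanceof SubjectConfirmationType) {
                SubjectConfirmationType confirmation = (SubjectConfirmationType) value;
                // Only the bearer method is supported; constant-first keeps a null method safe.
                if (!SamlConstants.CONFIRMATION_METHOD_BEARER.equals(confirmation.getMethod())) {
                    continue;
                }
                SubjectConfirmationDataType data = confirmation.getSubjectConfirmationData();
                if (data == null || data.getRecipient() == null || data.getNotOnOrAfter() == null) {
                    // Cannot be validated without these fields; previously an NPE.
                    this.log.debug("Validation of assertion failed: bearer SubjectConfirmationData is missing Recipient or NotOnOrAfter");
                    continue;
                }
                boolean validRecipient = data.getRecipient().equals(expectedRecipient);
                // Anything other than GREATER -- including INDETERMINATE -- counts as too late.
                boolean notTooLate = data.getNotOnOrAfter().compare(SamlUtils.getXMLGregorianCalendarNow()) == DatatypeConstants.GREATER;
                // NOTE(review): an absent InResponseTo is accepted even for a solicited
                // response; the SSO profile requires it to match the AuthnRequest id in
                // that case. Kept lenient to preserve existing IdP interoperability.
                boolean validInResponseTo = data.getInResponseTo() == null || data.getInResponseTo().equals(this.dialogue.getId());
                if (validRecipient && notTooLate && validInResponseTo) {
                    confirmed = true;
                } else {
                    this.log.debugf("Validation of assertion failed: validRecipient: %b; notTootLate: %b; validInResponseTo: %b", Boolean.valueOf(validRecipient), Boolean.valueOf(notTooLate), Boolean.valueOf(validInResponseTo));
                }
            }
        }
        return confirmed ? nameId : null;
    }

    /**
     * Registers the session and notifies the SPI.
     *
     * @param unsolicited {@code true} for an IdP-initiated login, which is reported via
     *                    {@code loggedIn} together with the RelayState; a solicited login
     *                    is reported via {@code loginSucceeded}
     * @param relayState  the RelayState query parameter (may be {@code null})
     */
    private void loginUser(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SamlSpSessionImpl session, boolean unsolicited, String relayState) {
        this.samlSpSessions.addSession(session);
        SamlServiceProviderSpi spi = this.samlServiceProviderSpi.get();
        if (unsolicited) {
            spi.loggedIn(session, relayState, this.responseHandler.createResponseHolder(httpServletResponse));
        } else {
            spi.loginSucceeded(session, this.responseHandler.createResponseHolder(httpServletResponse));
        }
    }

    /**
     * Starts an SP-initiated login: records the IdP on the current dialogue and
     * sends a freshly created AuthnRequest to it.
     */
    public void sendAuthenticationRequestToIDP(SamlExternalIdentityProvider idp, HttpServletResponse httpServletResponse) {
        AuthnRequestType authnRequest = this.samlMessageFactory.createAuthnRequest();
        this.samlDialogue.setExternalProvider(idp);
        this.samlMessageSender.sendRequest(idp, SamlProfile.SINGLE_SIGN_ON, authnRequest, httpServletResponse);
    }
}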
