package org.picketlink.identity.federation.bindings.tomcat.idp;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.Timer;
import java.util.TimerTask;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.catalina.Context;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.Session;
import org.apache.catalina.Valve;
import org.apache.catalina.authenticator.SSLAuthenticator;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.valves.ValveBase;
import org.apache.coyote.ActionCode;
import org.apache.log4j.helpers.DateLayout;
import org.jboss.security.audit.AuditLevel;
import org.jboss.ws.api.annotation.AuthMethod;
import org.opensaml.saml.saml2.ecp.RelayState;
import org.picketlink.common.PicketLinkLogger;
import org.picketlink.common.PicketLinkLoggerFactory;
import org.picketlink.common.constants.JBossSAMLConstants;
import org.picketlink.common.constants.JBossSAMLURIConstants;
import org.picketlink.common.exceptions.ConfigurationException;
import org.picketlink.common.exceptions.ParsingException;
import org.picketlink.common.exceptions.ProcessingException;
import org.picketlink.common.exceptions.fed.IssuerNotTrustedException;
import org.picketlink.common.util.StaxUtil;
import org.picketlink.common.util.StringUtil;
import org.picketlink.common.util.SystemPropertiesUtil;
import org.picketlink.config.federation.IDPType;
import org.picketlink.config.federation.PicketLinkType;
import org.picketlink.config.federation.handler.Handlers;
import org.picketlink.identity.federation.api.saml.v2.request.SAML2Request;
import org.picketlink.identity.federation.bindings.tomcat.TomcatRoleGenerator;
import org.picketlink.identity.federation.core.audit.PicketLinkAuditEvent;
import org.picketlink.identity.federation.core.audit.PicketLinkAuditEventType;
import org.picketlink.identity.federation.core.audit.PicketLinkAuditHelper;
import org.picketlink.identity.federation.core.constants.AttributeConstants;
import org.picketlink.identity.federation.core.impl.DelegatedAttributeManager;
import org.picketlink.identity.federation.core.interfaces.AttributeManager;
import org.picketlink.identity.federation.core.interfaces.RoleGenerator;
import org.picketlink.identity.federation.core.interfaces.TrustKeyManager;
import org.picketlink.identity.federation.core.saml.v1.SAML11ProtocolContext;
import org.picketlink.identity.federation.core.saml.v1.writers.SAML11ResponseWriter;
import org.picketlink.identity.federation.core.saml.v2.common.IDGenerator;
import org.picketlink.identity.federation.core.saml.v2.common.SAMLDocumentHolder;
import org.picketlink.identity.federation.core.saml.v2.factories.SAML2HandlerChainFactory;
import org.picketlink.identity.federation.core.saml.v2.holders.IssuerInfoHolder;
import org.picketlink.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerChainConfig;
import org.picketlink.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerRequest;
import org.picketlink.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerResponse;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerChain;
import org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil;
import org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil;
import org.picketlink.identity.federation.core.saml.v2.util.HandlerUtil;
import org.picketlink.identity.federation.core.saml.v2.util.XMLTimeUtil;
import org.picketlink.identity.federation.core.sts.PicketLinkCoreSTS;
import org.picketlink.identity.federation.core.util.CoreConfigUtil;
import org.picketlink.identity.federation.core.wstrust.PicketLinkSTSConfiguration;
import org.picketlink.identity.federation.saml.v1.assertion.SAML11AssertionType;
import org.picketlink.identity.federation.saml.v1.assertion.SAML11AttributeStatementType;
import org.picketlink.identity.federation.saml.v1.assertion.SAML11AttributeType;
import org.picketlink.identity.federation.saml.v1.assertion.SAML11NameIdentifierType;
import org.picketlink.identity.federation.saml.v1.assertion.SAML11SubjectType;
import org.picketlink.identity.federation.saml.v1.protocol.SAML11ResponseType;
import org.picketlink.identity.federation.saml.v1.protocol.SAML11StatusType;
import org.picketlink.identity.federation.saml.v2.SAML2Object;
import org.picketlink.identity.federation.saml.v2.metadata.EntityDescriptorType;
import org.picketlink.identity.federation.saml.v2.metadata.SPSSODescriptorType;
import org.picketlink.identity.federation.saml.v2.protocol.AuthnRequestType;
import org.picketlink.identity.federation.saml.v2.protocol.RequestAbstractType;
import org.picketlink.identity.federation.saml.v2.protocol.StatusResponseType;
import org.picketlink.identity.federation.web.config.AbstractSAMLConfigurationProvider;
import org.picketlink.identity.federation.web.core.HTTPContext;
import org.picketlink.identity.federation.web.core.IdentityParticipantStack;
import org.picketlink.identity.federation.web.core.IdentityServer;
import org.picketlink.identity.federation.web.util.ConfigurationUtil;
import org.picketlink.identity.federation.web.util.IDPWebRequestUtil;
import org.picketlink.identity.federation.web.util.SAMLConfigurationProvider;
import org.w3c.dom.Document;

/* loaded from: input_file:eap7/api-jars/picketlink-wildfly8-2.5.5.SP1.jar:org/picketlink/identity/federation/bindings/tomcat/idp/AbstractIDPValve.class */
public abstract class AbstractIDPValve extends ValveBase {
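    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
    // HTTP session attribute under which invoke() caches the first authenticated principal.
    private static final String IDP_SESSION_USER = "org.picketlink.idp.session.user";
    // Key material used for signing responses and as the decrypting key; checked for null before use.
    private TrustKeyManager keyManager;
    private String configFile;
    private SSLAuthenticator sslAuthenticator;
    private Handlers handlers;
    protected boolean enableAudit = false;
    protected PicketLinkAuditHelper auditHelper = null;
    protected IDPType idpConfiguration = null;
    protected PicketLinkType picketLinkConfiguration = null;
    private RoleGenerator roleGenerator = new TomcatRoleGenerator();
    // Cleared to null by setIgnoreAttributesGeneration(true).
    private transient DelegatedAttributeManager attribManager = new DelegatedAttributeManager();
    // Attribute names handed to the attribute manager; replaced wholesale by setAttributeList().
    // Diamond operator replaces the raw-typed constructor calls left by decompilation.
    private final List<String> attributeKeys = new ArrayList<>();
    private transient SAML2HandlerChain chain = null;
    protected SAMLConfigurationProvider configProvider = null;
    protected int timerInterval = -1;
    protected Timer timer = null;
    // Serialises handler-chain execution when the handler configuration asks for locking.
    private final Lock chainLock = new ReentrantLock();
    // SP SSO descriptors keyed by issuer value, looked up while processing SAML requests.
    private Map<String, SPSSODescriptorType> spSSOMetadataMap = new HashMap<>();
    protected String characterEncoding = null;
    // Unboxed via booleanValue() during request processing, so it must never hold null.
    private Boolean passUserPrincipalToAttributeManager = Boolean.FALSE;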

    /**
     * Returns the character encoding applied to incoming requests, or {@code null} when none is configured.
     *
     * @return the configured request character encoding, possibly {@code null}
     */
    public String getCharacterEncoding() {
        return characterEncoding;
    }

    /**
     * Sets the character encoding that {@code invoke} applies to every request before processing it.
     *
     * @param str the request character encoding; {@code null} disables the override
     */
    public void setCharacterEncoding(String str) {
        characterEncoding = str;
    }

    /**
     * Replaces the list of attribute names requested from the attribute manager.
     * <p>
     * The value is tokenized with {@link StringUtil#tokenize}; a {@code null} (or, depending on
     * {@code StringUtil.isNotNull}, empty) value leaves the current list untouched.
     *
     * @param str delimited attribute names from the valve configuration
     */
    public void setAttributeList(String str) {
        if (!StringUtil.isNotNull(str)) {
            return;
        }
        // Clear first so a failure in tokenize() does not leave a stale list merged with new entries.
        attributeKeys.clear();
        attributeKeys.addAll(StringUtil.tokenize(str));
    }

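    /**
     * Sets the timer interval from its configuration-attribute string form.
     *
     * @param str the interval as a decimal integer; a {@code null} value leaves the default of -1
     * @throws NumberFormatException if the value is not a valid integer
     */
    public void setTimerInterval(String str) {
        if (StringUtil.isNotNull(str)) {
            // Configuration attributes may carry surrounding whitespace, which parseInt would reject.
            this.timerInterval = Integer.parseInt(str.trim());
        }
    }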

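    /**
     * Instantiates the {@link SAMLConfigurationProvider} named by {@code str} and installs it.
     *
     * @param str fully qualified class name of the provider, normally taken from the valve configuration
     * @throws RuntimeException if the class cannot be loaded, is not a {@link SAMLConfigurationProvider},
     *         or cannot be instantiated through its no-argument constructor
     */
    public void setConfigProvider(String str) {
        if (str == null) {
            throw logger.nullArgumentError("configProvider");
        }
        Class<?> providerClass = SecurityActions.loadClass(getClass(), str);
        if (providerClass == null) {
            throw new RuntimeException((Throwable) logger.classNotLoadedError(str));
        }
        try {
            // asSubclass() makes the type check explicit, and getDeclaredConstructor().newInstance()
            // replaces the deprecated Class.newInstance(), which re-threw checked constructor
            // exceptions unchecked. Both failure modes still surface as couldNotCreateInstance.
            this.configProvider = providerClass.asSubclass(SAMLConfigurationProvider.class)
                    .getDeclaredConstructor().newInstance();
        } catch (Exception e) {
            throw new RuntimeException((Throwable) logger.couldNotCreateInstance(str, e));
        }
    }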

    /**
     * Records the location of the PicketLink configuration file to load.
     *
     * @param str path of the configuration file
     */
    public void setConfigFile(String str) {
        configFile = str;
    }

    /**
     * Installs an already constructed configuration provider (programmatic alternative to the
     * class-name setter).
     *
     * @param sAMLConfigurationProvider the provider to use
     */
    public void setConfigProvider(SAMLConfigurationProvider sAMLConfigurationProvider) {
        configProvider = sAMLConfigurationProvider;
    }

    /**
     * No-op kept for configuration compatibility; only logs a deprecation warning.
     *
     * @param str ignored
     * @deprecated the role generator is configured in picketlink.xml
     */
    @Deprecated
    public void setRoleGenerator(String str) {
        final String deprecationNotice = "Option 'roleGenerator' is deprecated and should not be used. This configuration is now set in picketlink.xml.";
        logger.warn(deprecationNotice);
    }

    /**
     * No-op kept for configuration compatibility; only logs a deprecation warning.
     *
     * @param str ignored
     * @deprecated the handler chain is configured in picketlink.xml
     */
    @Deprecated
    public void setSamlHandlerChainClass(String str) {
        final String deprecationNotice = "Option 'samlHandlerChainClass' is deprecated and should not be used. This configuration is now set in picketlink.xml.";
        logger.warn(deprecationNotice);
    }

    /**
     * No-op kept for configuration compatibility; only logs a deprecation warning.
     *
     * @param str ignored
     * @deprecated the identity participant stack is configured in picketlink.xml
     */
    @Deprecated
    public void setIdentityParticipantStack(String str) {
        final String deprecationNotice = "Option 'identityParticipantStack' is deprecated and should not be used. This configuration is now set in picketlink.xml.";
        logger.warn(deprecationNotice);
    }

    /**
     * No-op kept for configuration compatibility; only logs a deprecation warning.
     *
     * @param bool ignored
     * @deprecated strict POST binding is configured in picketlink.xml
     */
    @Deprecated
    public void setStrictPostBinding(Boolean bool) {
        final String deprecationNotice = "Option 'strictPostBinding' is deprecated and should not be used. This configuration is now set in picketlink.xml.";
        logger.warn(deprecationNotice);
    }

    /**
     * Always reports that incoming signatures are not ignored; logs a deprecation warning.
     *
     * @return {@link Boolean#FALSE}
     * @deprecated signature verification is performed by SAML2SignatureValidationHandler when present
     */
    @Deprecated
    public Boolean getIgnoreIncomingSignatures() {
        final String deprecationNotice = "Option 'ignoreIncomingSignatures' is deprecated and should not be used. Signatures are verified if SAML2SignatureValidationHandler is available.";
        logger.warn(deprecationNotice);
        return Boolean.FALSE;
    }

    /**
     * No-op kept for configuration compatibility; only logs a deprecation warning.
     *
     * @param bool ignored
     * @deprecated signature verification is performed by SAML2SignatureValidationHandler when present
     */
    @Deprecated
    public void setIgnoreIncomingSignatures(Boolean bool) {
        final String deprecationNotice = "Option 'ignoreIncomingSignatures' is deprecated and not used. Signatures are verified if SAML2SignatureValidationHandler is available.";
        logger.warn(deprecationNotice);
    }

    /**
     * No-op kept for configuration compatibility; only logs a deprecation warning.
     *
     * @param bool ignored
     * @deprecated the issuer host is always used as the validating alias
     */
    @Deprecated
    public void setValidatingAliasToTokenIssuer(Boolean bool) {
        final String deprecationNotice = "Option 'validatingAliasToTokenIssuer' is deprecated and not used. The IDP will always use the issuer host to validate signatures.";
        logger.warn(deprecationNotice);
    }

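    /**
     * Disables attribute generation by discarding the attribute manager when {@code bool} is
     * {@code true}; any other value, including {@code null}, leaves the manager in place.
     *
     * @param bool whether attribute generation should be skipped
     */
    public void setIgnoreAttributesGeneration(Boolean bool) {
        // equals() rather than ==: a Boolean instance that is not the cached Boolean.TRUE
        // (e.g. one created via the Boolean constructor) must still disable generation.
        if (Boolean.TRUE.equals(bool)) {
            this.attribManager = null;
        }
    }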

    /**
     * Always reports that outgoing messages are signed; logs a deprecation warning.
     *
     * @return {@link Boolean#TRUE}
     * @deprecated only error messages are governed by this option; regular SAML messages are
     *             signed by SAML2SignatureGenerationHandler
     */
    @Deprecated
    public Boolean getSignOutgoingMessages() {
        final String deprecationNotice = "Option signOutgoingMessages is used for signing of error messages. Normal SAML messages are signed by SAML2SignatureGenerationHandler.";
        logger.warn(deprecationNotice);
        return Boolean.TRUE;
    }

    /**
     * No-op kept for configuration compatibility; only logs a deprecation warning.
     *
     * @param bool ignored
     * @deprecated only error messages are governed by this option; regular SAML messages are
     *             signed by SAML2SignatureGenerationHandler
     */
    @Deprecated
    public void setSignOutgoingMessages(Boolean bool) {
        final String deprecationNotice = "Option signOutgoingMessages is used for signing of error messages. Normal SAML messages are signed by SAML2SignatureGenerationHandler.";
        logger.warn(deprecationNotice);
    }

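    /**
     * Chooses which principal is handed to the attribute manager: the request's user principal
     * when {@code true}, the container principal otherwise.
     *
     * @param bool the flag value; {@code null} is treated as {@code false}
     */
    public void setPassUserPrincipalToAttributeManager(Boolean bool) {
        // Normalise null to false: the field is unboxed with booleanValue() while processing a
        // SAML request, where a stored null would surface as a NullPointerException.
        this.passUserPrincipalToAttributeManager = Boolean.TRUE.equals(bool);
    }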

    /**
     * Returns the loaded PicketLink configuration.
     *
     * @return the configuration, or {@code null} before it has been loaded
     */
    public PicketLinkType getConfiguration() {
        return picketLinkConfiguration;
    }

    /**
     * Returns the trust key manager holding the IDP's signing and decrypting keys.
     *
     * @return the key manager, or {@code null} when none is configured
     */
    public TrustKeyManager getKeyManager() {
        return keyManager;
    }

    /**
     * Valve entry point for every request reaching the IDP web application.
     * <p>
     * Order of operations: apply the configured character encoding; turn an already forbidden
     * (403) response into a SAML error response; stash the incoming SAML parameters in the
     * session; optionally run SSL client-certificate authentication; reject AJAX requests that
     * have no IDP session yet; invoke the rest of the pipeline; and, once the container has
     * authenticated the user, dispatch the SAML message.
     *
     * @param request  the Tomcat request
     * @param response the Tomcat response
     * @throws IOException      propagated from the pipeline or the SAML response sender
     * @throws ServletException propagated from the pipeline or the SAML response sender
     */
    @Override // org.apache.catalina.valves.ValveBase, org.apache.catalina.Valve
    public void invoke(Request request, Response response) throws IOException, ServletException {
        Principal userPrincipal;
        String characterEncoding = getCharacterEncoding();
        if (characterEncoding != null) {
            request.setCharacterEncoding(characterEncoding);
        }
        // A 403 already on the response is answered with a SAML AuthnFailed status response.
        if (isUnauthorized(response)) {
            handleUnauthorizedResponse(request, response);
            return;
        }
        populateSessionWithSAMLParameters(request);
        // Client-certificate authentication runs only with no principal yet, the IDP configured
        // for it, and a TLS connection. The response is reset afterwards, presumably to discard
        // anything the authenticator wrote before the SAML response is produced — TODO confirm.
        if (request.getPrincipal() == null && this.idpConfiguration.isSSLClientAuthentication() && request.isSecure()) {
            getSSLAuthenticator().invoke(request, response);
            response.resetBuffer();
            response.recycle();
        }
        HttpSession session = request.getSession();
        // An AJAX request with no IDP session user is refused with 403 rather than being sent
        // through the interactive login flow.
        if (isAjaxRequest(request) && session.getAttribute(IDP_SESSION_USER) == null) {
            response.sendError(403);
            return;
        }
        invokeNextValve(request, response);
        // Nothing further unless the downstream authenticator produced a user principal.
        if (isUnauthorized(response) || (userPrincipal = request.getUserPrincipal()) == null) {
            return;
        }
        // The first authenticated principal is remembered for the session; later requests do not overwrite it.
        if (session.getAttribute(IDP_SESSION_USER) == null) {
            session.setAttribute(IDP_SESSION_USER, userPrincipal);
        }
        handleSAMLMessage(request, response);
    }

    /**
     * Dispatches an authenticated request to the appropriate SAML flow.
     * <p>
     * Unsolicited responses (identified by the TARGET parameter) go to the SAML 1.1 or SAML 2.0
     * handler depending on the version parameter. Otherwise the SAMLRequest / SAMLResponse stored
     * as session notes decide between request and response processing; with neither present, a
     * request for the context root is forwarded to the hosted IDP page.
     *
     * @param request  the Tomcat request
     * @param response the Tomcat response
     * @throws IOException      propagated from the selected flow
     * @throws ServletException propagated from the selected flow
     */
    private void handleSAMLMessage(Request request, Response response) throws IOException, ServletException {
        if (isUnsolicitedResponse(request)) {
            String requestedVersion = request.getParameter(JBossSAMLConstants.UNSOLICITED_RESPONSE_SAML_VERSION.get());
            // Only an explicit "2.0" selects the SAML 2.0 flow; anything else, including a missing
            // parameter, falls back to SAML 1.1.
            if (JBossSAMLConstants.VERSION_2_0.get().equals(requestedVersion)) {
                handleSAML2UnsolicitedResponse(request, response);
            } else {
                handleSAML11UnsolicitedResponse(request, response);
            }
            return;
        }
        Session catalinaSession = request.getSessionInternal();
        String samlRequest = (String) catalinaSession.getNote("SAMLRequest");
        String samlResponse = (String) catalinaSession.getNote("SAMLResponse");
        String relayState = (String) catalinaSession.getNote(RelayState.DEFAULT_ELEMENT_LOCAL_NAME);
        String signature = (String) catalinaSession.getNote("Signature");
        String signatureAlgorithm = (String) catalinaSession.getNote("SigAlg");
        if (logger.isTraceEnabled()) {
            // Trace output contains the raw SAML messages and signature values.
            logger.trace("Retrieved saml messages and relay state from session"
                    + "saml Request message=" + samlRequest
                    + org.picketbox.util.StringUtil.PROPERTY_DEFAULT_SEPARATOR + "SAMLResponseMessage="
                    + samlResponse + ":" + "relay state=" + relayState
                    + "Signature=" + signature + "::sigAlg=" + signatureAlgorithm);
        }
        if (StringUtil.isNotNull(samlRequest)) {
            processSAMLRequestMessage(request, response, null, false);
            return;
        }
        if (StringUtil.isNotNull(samlResponse)) {
            processSAMLResponseMessage(request, response);
            return;
        }
        if (request.getRequestURI().equals(request.getContextPath() + "/")) {
            forwardHosted(request, response);
        }
    }

    /**
     * Tells whether the request asks for an IDP-initiated (unsolicited) response, i.e. carries a
     * non-empty TARGET parameter.
     *
     * @param request the Tomcat request
     * @return {@code true} when the TARGET parameter is present
     */
    private boolean isUnsolicitedResponse(Request request) {
        String target = request.getParameter(JBossSAMLConstants.UNSOLICITED_RESPONSE_TARGET.get());
        return StringUtil.isNotNull(target);
    }

    /**
     * Forwards a request for the context root to the configured hosted IDP page.
     * <p>
     * The response is recycled first. If handing the Tomcat {@link Request} to the dispatcher
     * fails with a {@link ClassCastException}, the wrapped servlet request is used instead.
     *
     * @param request  the Tomcat request
     * @param response the Tomcat response
     * @throws ServletException propagated from the dispatcher
     * @throws IOException      propagated from the dispatcher
     */
    private void forwardHosted(Request request, Response response) throws ServletException, IOException {
        logger.trace("SAML 1.1::Proceeding to IDP index page");
        RequestDispatcher hostedPageDispatcher = getContext().getServletContext().getRequestDispatcher(this.idpConfiguration.getHostedURI());
        recycle(response);
        try {
            includeResource(request, response, hostedPageDispatcher);
        } catch (ClassCastException e) {
            // Retry with the wrapped ServletRequest when the dispatcher rejects the raw Request.
            includeResource(request.getRequest(), response, hostedPageDispatcher);
        }
    }

    /**
     * Forwards to {@code requestDispatcher} and then sets the Coyote content length to the number
     * of bytes written so far.
     * <p>
     * Despite its name this performs a {@code forward}, not an {@code include}.
     *
     * @param servletRequest    the request handed to the dispatcher
     * @param response          the Tomcat response
     * @param requestDispatcher dispatcher for the target resource
     * @throws ServletException propagated from the dispatcher
     * @throws IOException      propagated from the dispatcher
     */
    private void includeResource(ServletRequest servletRequest, Response response, RequestDispatcher requestDispatcher) throws ServletException, IOException {
        requestDispatcher.forward(servletRequest, response);
        org.apache.coyote.Response coyoteResponse = response.getCoyoteResponse();
        coyoteResponse.setContentLength(response.getContentCount());
    }

    /**
     * Copies the SAML binding parameters of the current request into the Catalina session as
     * notes, presumably so they outlive the container's authentication round trip.
     * <p>
     * Nothing is stored unless a SAMLRequest or SAMLResponse parameter is present. The HTTP
     * method is stored next to SAMLRequest so the binding can be recovered later; RelayState,
     * Signature and SigAlg are trimmed before being stored.
     *
     * @param request the Tomcat request carrying the SAML parameters
     * @throws IOException declared by the signature; not raised by this body
     */
    private void populateSessionWithSAMLParameters(Request request) throws IOException {
        String samlRequest = request.getParameter("SAMLRequest");
        String samlResponse = request.getParameter("SAMLResponse");
        boolean hasRequest = StringUtil.isNotNull(samlRequest);
        boolean hasResponse = StringUtil.isNotNull(samlResponse);
        String signature = request.getParameter("Signature");
        String sigAlg = request.getParameter("SigAlg");
        String relayState = request.getParameter(RelayState.DEFAULT_ELEMENT_LOCAL_NAME);
        // Fetched before the early return, keeping the original order: getSessionInternal() may
        // create the session as a side effect.
        Session catalinaSession = request.getSessionInternal();
        if (!hasRequest && !hasResponse) {
            return;
        }
        logger.trace("Storing the SAMLRequest/SAMLResponse and RelayState in session");
        if (hasRequest) {
            catalinaSession.setNote("SAMLRequest", samlRequest);
            catalinaSession.setNote(JBossSAMLConstants.BINDING.get(), request.getMethod());
        }
        if (hasResponse) {
            catalinaSession.setNote("SAMLResponse", samlResponse);
        }
        if (StringUtil.isNotNull(relayState)) {
            catalinaSession.setNote(RelayState.DEFAULT_ELEMENT_LOCAL_NAME, relayState.trim());
        }
        if (StringUtil.isNotNull(signature)) {
            catalinaSession.setNote("Signature", signature.trim());
        }
        if (StringUtil.isNotNull(sigAlg)) {
            catalinaSession.setNote("SigAlg", sigAlg.trim());
        }
    }

    /**
     * Answers an already-forbidden request with a SAML {@code AuthnFailed} status response.
     * <p>
     * The response is addressed to the request's {@code Referer} header, carries the RelayState
     * parameter of the current request, and is signed only when the IDP configuration enables
     * signature support.
     *
     * @param request  the Tomcat request whose response already carries a 403
     * @param response the Tomcat response the SAML error is written to
     * @throws IOException      propagated from the response sender
     * @throws ServletException wraps any {@link GeneralSecurityException} raised while building or signing
     */
    private void handleUnauthorizedResponse(Request request, Response response) throws IOException, ServletException {
        IDPWebRequestUtil iDPWebRequestUtil = new IDPWebRequestUtil(request, this.idpConfiguration, this.keyManager);
        // NOTE(review): the destination is the client-supplied Referer header — confirm that
        // IDPWebRequestUtil.send() validates it against the trusted SP configuration.
        String header = request.getHeader("Referer");
        String parameter = request.getParameter(RelayState.DEFAULT_ELEMENT_LOCAL_NAME);
        try {
            Document errorResponse = iDPWebRequestUtil.getErrorResponse(header, JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), getIdentityURL(), this.idpConfiguration.isSupportsSignature());
            IDPWebRequestUtil.WebRequestUtilHolder holder = iDPWebRequestUtil.getHolder();
            holder.setResponseDoc(errorResponse).setDestination(header).setRelayState(parameter).setAreWeSendingRequest(false).setPrivateKey(null).setSupportSignature(false).setServletResponse(response).setErrorResponse(true);
            holder.setPostBindingRequested(iDPWebRequestUtil.hasSAMLRequestInPostProfile());
            // Signing defaults off above and is enabled here only when configured, attaching the signing key.
            if (this.idpConfiguration.isSupportsSignature()) {
                holder.setSupportSignature(true).setPrivateKey(this.keyManager.getSigningKey());
            }
            holder.setStrictPostBinding(this.idpConfiguration.isStrictPostBinding());
            iDPWebRequestUtil.send(holder);
        } catch (GeneralSecurityException e) {
            throw new ServletException(e);
        }
    }

    /**
     * Tells whether the response already carries HTTP 403 (Forbidden).
     *
     * @param response the Tomcat response
     * @return {@code true} when the status is 403
     */
    private boolean isUnauthorized(Response response) {
        final int forbidden = 403;
        return forbidden == response.getStatus();
    }

    /**
     * Passes the request down the Catalina pipeline to the next valve.
     *
     * @param request  the Tomcat request
     * @param response the Tomcat response
     * @throws IOException      propagated from the next valve
     * @throws ServletException propagated from the next valve
     */
    private void invokeNextValve(Request request, Response response) throws IOException, ServletException {
        Valve next = getNext();
        next.invoke(request, response);
    }

    /**
     * Authenticates the caller from the TLS client certificate chain attached to the request.
     * <p>
     * If no chain is present the connector is asked to provide one via
     * {@code ACTION_REQ_SSL_CERTIFICATE}; if none is available afterwards, or the realm rejects the
     * chain, a 401 is sent and {@code null} is returned.
     *
     * @param request  the Tomcat request
     * @param response the Tomcat response used to report failure
     * @return the authenticated principal, or {@code null} when a 401 has been sent
     * @throws IOException if writing the error response fails
     */
    public Principal authenticateSSL(Request request, Response response) throws IOException {
        if (this.containerLog.isDebugEnabled()) {
            this.containerLog.debug(" Looking up certificates");
        }
        X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
        boolean missing = certs == null || certs.length < 1;
        if (missing) {
            try {
                // Ask the connector to obtain the client certificate chain on demand.
                request.getCoyoteRequest().action(ActionCode.ACTION_REQ_SSL_CERTIFICATE, null);
                certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
            } catch (IllegalStateException e) {
                response.sendError(401, sm.getString("authenticator.certificates"));
                return null;
            }
            missing = certs == null || certs.length < 1;
        }
        if (missing) {
            if (this.containerLog.isDebugEnabled()) {
                this.containerLog.debug("  No certificates included with this request");
            }
            response.sendError(401, sm.getString("authenticator.certificates"));
            return null;
        }
        Principal authenticated = getContext().getRealm().authenticate(certs);
        if (authenticated == null) {
            if (this.containerLog.isDebugEnabled()) {
                this.containerLog.debug("  Realm.authenticate() returned false");
            }
            response.sendError(401, sm.getString("authenticator.unauthorized"));
        }
        return authenticated;
    }

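    /**
     * Issues an unsolicited (IDP-initiated) SAML 1.1 response for the authenticated principal and
     * sends it to the URL given in the TARGET request parameter.
     * <p>
     * The SAML 1.1 assertion is issued once per session and cached as the {@code SAML11} session
     * note; the principal's roles are attached as an attribute statement before the response is
     * written. An audit event is recorded when auditing is enabled.
     *
     * @param request  the Tomcat request; its principal must already be authenticated
     * @param response the Tomcat response the SAML response is sent through
     * @throws ServletException if token issuance or response construction fails; the original
     *         {@link GeneralSecurityException} is kept as the cause
     * @throws IOException      propagated from the response sender
     */
    protected void handleSAML11UnsolicitedResponse(Request request, Response response) throws ServletException, IOException {
        try {
            IDPWebRequestUtil iDPWebRequestUtil = new IDPWebRequestUtil(request, this.idpConfiguration, this.keyManager);
            Principal principal = request.getPrincipal();
            String contextPath = getContextPath();
            // NOTE(review): the destination is taken verbatim from the client-supplied TARGET
            // parameter and the holder below disables signing — confirm that
            // IDPWebRequestUtil.send() restricts it to trusted service providers.
            String parameter = request.getParameter(JBossSAMLConstants.UNSOLICITED_RESPONSE_TARGET.get());
            Session sessionInternal = request.getSessionInternal();
            SAML11AssertionType sAML11AssertionType = (SAML11AssertionType) sessionInternal.getNote("SAML11");
            if (sAML11AssertionType == null) {
                SAML11ProtocolContext sAML11ProtocolContext = new SAML11ProtocolContext();
                sAML11ProtocolContext.setIssuerID(getIdentityURL());
                SAML11SubjectType sAML11SubjectType = new SAML11SubjectType();
                sAML11SubjectType.setChoice(new SAML11SubjectType.SAML11SubjectTypeChoice(new SAML11NameIdentifierType(principal.getName())));
                sAML11ProtocolContext.setSubjectType(sAML11SubjectType);
                PicketLinkCoreSTS.instance().issueToken(sAML11ProtocolContext);
                sAML11AssertionType = sAML11ProtocolContext.getIssuedAssertion();
                sessionInternal.setNote("SAML11", sAML11AssertionType);
                // NOTE(review): this expiry check only covers a freshly issued assertion; an
                // assertion cached by an earlier request in the session is reused unchecked.
                if (AssertionUtil.hasExpired(sAML11AssertionType)) {
                    sAML11ProtocolContext.setIssuedAssertion(sAML11AssertionType);
                    PicketLinkCoreSTS.instance().renewToken(sAML11ProtocolContext);
                    sAML11AssertionType = sAML11ProtocolContext.getIssuedAssertion();
                    sessionInternal.setNote("SAML11", sAML11AssertionType);
                }
            }
            // NOTE(review): the statement is added to the cached assertion object itself, so
            // repeated unsolicited responses in one session appear to accumulate statements.
            SAML11AttributeStatementType createAttributeStatement = createAttributeStatement(Arrays.asList(((GenericPrincipal) principal).getRoles()));
            if (createAttributeStatement != null) {
                sAML11AssertionType.add(createAttributeStatement);
            }
            SAML11ResponseType sAML11ResponseType = new SAML11ResponseType(IDGenerator.create("ID_"), XMLTimeUtil.getIssueInstant());
            sAML11ResponseType.add(sAML11AssertionType);
            sAML11ResponseType.setStatus(SAML11StatusType.successType());
            // Serialise the response to XML and parse it back into a DOM for the sender.
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            new SAML11ResponseWriter(StaxUtil.getXMLStreamWriter(byteArrayOutputStream)).write(sAML11ResponseType);
            Document document = DocumentUtil.getDocument(new ByteArrayInputStream(byteArrayOutputStream.toByteArray()));
            IDPWebRequestUtil.WebRequestUtilHolder holder = iDPWebRequestUtil.getHolder();
            holder.setResponseDoc(document).setDestination(parameter).setRelayState("").setAreWeSendingRequest(false).setPrivateKey(null).setSupportSignature(false).setServletResponse(response);
            if (this.enableAudit) {
                PicketLinkAuditEvent picketLinkAuditEvent = new PicketLinkAuditEvent(AuditLevel.INFO);
                picketLinkAuditEvent.setType(PicketLinkAuditEventType.RESPONSE_TO_SP);
                picketLinkAuditEvent.setDestination(parameter);
                picketLinkAuditEvent.setWhoIsAuditing(contextPath);
                this.auditHelper.audit(picketLinkAuditEvent);
            }
            response.getCoyoteResponse().recycle();
            iDPWebRequestUtil.send(holder);
        } catch (GeneralSecurityException e) {
            logger.samlIDPHandlingSAML11Error(e);
            // Preserve the failure as the root cause (as handleUnauthorizedResponse does) instead
            // of throwing a bare ServletException that loses it.
            throw new ServletException(e);
        }
    }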

    /**
     * Handles an IDP-initiated SAML 2.0 flow by synthesising an {@code AuthnRequest} addressed to
     * the TARGET parameter and feeding it through the normal request processing.
     * <p>
     * The request is marked as POST and processed with the unsolicited flag set, which
     * {@code processSAMLRequestMessage} uses to skip signature validation for this request.
     *
     * @param request  the Tomcat request carrying the TARGET parameter
     * @param response the Tomcat response
     * @throws ServletException wrapping any failure while building or processing the request
     */
    private void handleSAML2UnsolicitedResponse(Request request, Response response) throws ServletException {
        SAML2Request samlRequestFactory = new SAML2Request();
        String requestId = IDGenerator.create("ID_");
        String target = request.getParameter(JBossSAMLConstants.UNSOLICITED_RESPONSE_TARGET.get());
        try {
            AuthnRequestType authnRequest = samlRequestFactory.createAuthnRequestType(requestId, target, getIdentityURL(), target);
            authnRequest.setProtocolBinding(URI.create(JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get()));
            request.setMethod("POST");
            processSAMLRequestMessage(request, response, authnRequest, true);
        } catch (Exception e) {
            throw new ServletException("Could not handle SAML 2.0 Unsolicited Response.", e);
        }
    }

    /* JADX WARN: Finally extract failed */
    /**
     * Processes a SAML 2.0 request (an {@code AuthnRequest} or other {@link RequestAbstractType})
     * for the authenticated principal and sends the resulting response to the service provider.
     * <p>
     * The request comes either from {@code requestAbstractType} (synthesised for unsolicited
     * flows) or from the {@code SAMLRequest} session note. It is wrapped in a handler request with
     * per-request options (signature handling, SP metadata, keys, roles, attributes, audit
     * helper) and run through the configured handler chain; the chain's resulting document,
     * destination and binding then drive the response.
     *
     * @param request             the Tomcat request
     * @param response            the Tomcat response
     * @param requestAbstractType a pre-built request, or {@code null} to read it from the session
     * @param z                   {@code true} for an unsolicited flow; forces signature checks to be ignored
     * @throws IOException propagated from the response sender or the redirect
     */
    protected void processSAMLRequestMessage(Request request, Response response, RequestAbstractType requestAbstractType, boolean z) throws IOException {
        Document errorResponse;
        SAMLDocumentHolder sAMLDocumentHolder;
        Principal principal = request.getPrincipal();
        Session sessionInternal = request.getSessionInternal();
        // z2: the response being sent is an error response; str/str2: destination and its signed
        // query string; bool: whether the response uses the POST binding.
        boolean z2 = false;
        String str = null;
        String str2 = null;
        Boolean bool = null;
        String str3 = (String) sessionInternal.getNote("SAMLRequest");
        String str4 = (String) sessionInternal.getNote(JBossSAMLConstants.BINDING.get());
        String str5 = (String) sessionInternal.getNote(RelayState.DEFAULT_ELEMENT_LOCAL_NAME);
        String contextPath = getContextPath();
        // z3: the handler chain asked for a request (rather than a response) to be sent.
        boolean z3 = false;
        String header = request.getHeader("Referer");
        cleanUpSessionNote(request);
        String determineLoginType = determineLoginType(request.isSecure());
        IDPWebRequestUtil iDPWebRequestUtil = new IDPWebRequestUtil(request, this.idpConfiguration, this.keyManager);
        // A request that arrived via POST is answered with the POST rather than the redirect profile.
        if (str4 != null && "POST".equals(str4)) {
            iDPWebRequestUtil.setRedirectProfile(false);
        }
        SAML2Object sAML2Object = null;
        try {
            if (requestAbstractType != null) {
                sAMLDocumentHolder = new SAMLDocumentHolder(requestAbstractType);
                sAMLDocumentHolder.setSamlDocument(new SAML2Request().convert(requestAbstractType));
            } else {
                if (str3 == null) {
                    throw logger.samlIDPValidationCheckFailed();
                }
                sAMLDocumentHolder = iDPWebRequestUtil.getSAMLDocumentHolder(str3);
            }
        } catch (Exception e) {
            // Untrusted issuers are reported as RequestDenied, everything else as AuthnFailed.
            String str6 = JBossSAMLURIConstants.STATUS_AUTHNFAILED.get();
            if ((e instanceof IssuerNotTrustedException) || (e.getCause() instanceof IssuerNotTrustedException)) {
                str6 = JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get();
            }
            logger.samlIDPRequestProcessingError(e);
            // NOTE(review): as decompiled, the document holder is still unset when this catch
            // runs, so the null check below returns before this error response is ever sent.
            errorResponse = iDPWebRequestUtil.getErrorResponse(header, str6, getIdentityURL(), this.idpConfiguration.isSupportsSignature());
            z2 = true;
        }
        if (sAMLDocumentHolder == null) {
            return;
        }
        sAML2Object = sAMLDocumentHolder.getSamlObject();
        if (!(sAML2Object instanceof RequestAbstractType)) {
            throw logger.wrongTypeError(sAML2Object.getClass().getName());
        }
        RequestAbstractType requestAbstractType2 = (RequestAbstractType) sAML2Object;
        String value = requestAbstractType2.getIssuer().getValue();
        DefaultSAML2HandlerRequest defaultSAML2HandlerRequest = new DefaultSAML2HandlerRequest(new HTTPContext(request, response, getContext().getServletContext()), new IssuerInfoHolder(getIdentityURL()).getIssuer(), sAMLDocumentHolder, SAML2Handler.HANDLER_TYPE.IDP);
        defaultSAML2HandlerRequest.setRelayState(str5);
        if (StringUtil.isNotNull(determineLoginType)) {
            defaultSAML2HandlerRequest.addOption("LOGIN_TYPE", determineLoginType);
        }
        String str7 = (String) sessionInternal.getSession().getAttribute("ASSERTION_ID");
        HashMap hashMap = new HashMap();
        // Signature validation is skipped for issuers configured that way, and always for
        // unsolicited (z == true) requests, since those were synthesised locally.
        Boolean willIgnoreSignatureOfCurrentRequest = willIgnoreSignatureOfCurrentRequest(value);
        if (z) {
            willIgnoreSignatureOfCurrentRequest = Boolean.valueOf(z);
        }
        hashMap.put("IGNORE_SIGNATURES", willIgnoreSignatureOfCurrentRequest);
        hashMap.put("SP_SSO_METADATA_DESCRIPTOR", this.spSSOMetadataMap.get(value));
        hashMap.put("ROLE_GENERATOR", this.roleGenerator);
        hashMap.put("CONFIGURATION", this.idpConfiguration);
        hashMap.put("SAML_IDP_STRICT_POST_BINDING", Boolean.valueOf(this.idpConfiguration.isStrictPostBinding()));
        hashMap.put("SUPPORTS_SIGNATURES", Boolean.valueOf(this.idpConfiguration.isSupportsSignature()));
        if (str7 != null) {
            hashMap.put("ASSERTION_ID", str7);
        }
        // The issuer's public key verifies the incoming request; the IDP's own key decrypts it.
        if (this.keyManager != null) {
            hashMap.put("SENDER_PUBLIC_KEY", getIssuerPublicKey(request, value));
            hashMap.put("DECRYPTING_KEY", this.keyManager.getSigningKey());
        }
        if (requestAbstractType2 instanceof AuthnRequestType) {
            sessionInternal.getSession().setAttribute("picketlink.roles", this.roleGenerator.generateRoles(principal));
            hashMap.put("ATTRIBUTES", this.attribManager.getAttributes(this.passUserPrincipalToAttributeManager.booleanValue() ? request.getUserPrincipal() : principal, this.attributeKeys));
        }
        if (this.auditHelper != null) {
            hashMap.put("org.picketlink.federation.saml.AUDIT_HELPER", this.auditHelper);
            hashMap.put("CONTEXT_PATH", contextPath);
        }
        defaultSAML2HandlerRequest.setOptions(hashMap);
        DefaultSAML2HandlerResponse defaultSAML2HandlerResponse = new DefaultSAML2HandlerResponse();
        Set<SAML2Handler> handlers = this.chain.handlers();
        logger.trace("Handlers are=" + handlers);
        if (handlers != null) {
            // Lock/unlock is spelled out in both the normal and the Throwable path (a flattened
            // try/finally); the lock is only taken when the handler configuration requests it.
            try {
                if (getConfiguration().getHandlers().isLocking()) {
                    this.chainLock.lock();
                }
                Iterator<SAML2Handler> it = handlers.iterator();
                while (it.hasNext()) {
                    it.next().handleRequestType(defaultSAML2HandlerRequest, defaultSAML2HandlerResponse);
                    z3 = defaultSAML2HandlerResponse.getSendRequest();
                }
                if (getConfiguration().getHandlers().isLocking()) {
                    this.chainLock.unlock();
                }
            } catch (Throwable th) {
                if (getConfiguration().getHandlers().isLocking()) {
                    this.chainLock.unlock();
                }
                throw th;
            }
        }
        // From here on errorResponse holds whatever document the chain produced, error or not.
        errorResponse = defaultSAML2HandlerResponse.getResultingDocument();
        str5 = defaultSAML2HandlerResponse.getRelayState();
        str = defaultSAML2HandlerResponse.getDestination();
        bool = Boolean.valueOf(defaultSAML2HandlerResponse.isPostBindingForResponse());
        str2 = defaultSAML2HandlerResponse.getDestinationQueryStringWithSignature();
        // Fall back to the AuthnRequest's sender URL when the chain did not set a destination.
        if (str == null) {
            try {
                if (sAML2Object instanceof AuthnRequestType) {
                    str = ((AuthnRequestType) sAML2Object).getSenderURL().toASCIIString();
                }
            } catch (GeneralSecurityException e2) {
                logger.trace("Security Exception:", e2);
                return;
            } catch (Exception e3) {
                logger.error(e3);
                return;
            } catch (ParsingException e4) {
                // NOTE(review): as decompiled this handler follows catch (Exception) and would be
                // unreachable in source; the original ordering presumably differs.
                logger.samlAssertionPasingFailed(e4);
                return;
            }
        }
        if (str == null) {
            // No destination at all: send the browser back to the IDP's own URL.
            response.sendRedirect(getIdentityURL());
        } else {
            IDPWebRequestUtil.WebRequestUtilHolder holder = iDPWebRequestUtil.getHolder();
            holder.setResponseDoc(errorResponse).setDestination(str).setRelayState(str5).setAreWeSendingRequest(z3).setPrivateKey(null).setSupportSignature(false).setErrorResponse(z2).setServletResponse(response).setDestinationQueryStringWithSignature(str2);
            holder.setStrictPostBinding(this.idpConfiguration.isStrictPostBinding());
            if (bool != null) {
                holder.setPostBindingRequested(bool.booleanValue());
            } else {
                holder.setPostBindingRequested(iDPWebRequestUtil.hasSAMLRequestInPostProfile());
            }
            // Signing is enabled only when configured, attaching the IDP signing key.
            if (this.idpConfiguration.isSupportsSignature()) {
                holder.setPrivateKey(this.keyManager.getSigningKey()).setSupportSignature(true);
            }
            if (holder.isPostBinding()) {
                recycle(response);
            }
            if (this.enableAudit) {
                PicketLinkAuditEvent picketLinkAuditEvent = new PicketLinkAuditEvent(AuditLevel.INFO);
                picketLinkAuditEvent.setType(PicketLinkAuditEventType.RESPONSE_TO_SP);
                picketLinkAuditEvent.setDestination(str);
                picketLinkAuditEvent.setWhoIsAuditing(contextPath);
                this.auditHelper.audit(picketLinkAuditEvent);
            }
            iDPWebRequestUtil.send(holder);
        }
    }

    /**
     * Resolves the public key used to validate signatures on messages from the given issuer.
     * <p>
     * The key-manager alias is the host part of {@code str} when it parses as a URL, otherwise
     * the raw issuer string. When nothing is registered under that alias, the caller's remote
     * address is tried as a second alias. The issuer value comes from the received SAML message
     * and is therefore attacker-influenced; what bounds the trust decision is that only keys
     * actually registered with the key manager can be returned.
     *
     * @param request the current request, used only for the remote-address fallback
     * @param str     the issuer value taken from the SAML message
     * @return the validating key, or {@code null} when neither alias resolved to one
     * @throws ConfigurationException declared by the key-manager lookup
     * @throws ProcessingException    declared by the key-manager lookup
     */
    private PublicKey getIssuerPublicKey(Request request, String str) throws ConfigurationException, ProcessingException {
        String alias;
        try {
            alias = new URL(str).getHost();
        } catch (MalformedURLException e) {
            logger.trace("Token issuer is not a valid URL: " + str, e);
            alias = str;
        }
        logger.trace("Trying to find a PK for issuer: " + alias);

        PublicKey validatingKey = null;
        try {
            validatingKey = CoreConfigUtil.getValidatingKey(this.keyManager, alias);
        } catch (IllegalStateException e2) {
            logger.trace("Token issuer is not found for: " + str, e2);
        }

        if (validatingKey == null) {
            // Second attempt keyed by the peer address. Behind a reverse proxy this is the
            // proxy's address, and an IllegalStateException from this lookup is not caught here.
            alias = request.getRemoteAddr();
            logger.trace("Trying to find a PK for issuer " + alias);
            validatingKey = CoreConfigUtil.getValidatingKey(this.keyManager, alias);
        }

        logger.trace("Using Validating Alias=" + alias + " to check signatures.");
        return validatingKey;
    }

    /* JADX WARN: Finally extract failed */
    /**
     * Processes a SAML {@code StatusResponseType} that an earlier step stored on the session
     * under the {@code SAMLResponse} note, runs it through the handler chain and sends the
     * resulting document to the destination chosen by the handlers.
     * <p>
     * Decompiler note: the JADX warning above says the original {@code finally} block could not
     * be reconstructed. Both the {@code catch (Throwable)} and the {@code catch (Exception)}
     * blocks below contain an {@code if (0 == 0) throw ...} guard, which presumably stood for a
     * {@code destination == null} check in the original source. As written the guards always
     * throw, so the send logic after each of them is unreachable and the net effect of every
     * error path is a {@link ServletException} carrying the null-destination message, after the
     * real failure has been logged via {@code samlIDPRequestProcessingError}. Treat the error
     * paths of this listing as approximate.
     *
     * @param request  the current request; its internal session holds the stored message
     * @param response the servlet response the SAML message is written to
     * @throws ServletException if the message has the wrong type or is missing, or if no
     *                          destination was determined
     * @throws IOException      propagated from sending the response
     */
    protected void processSAMLResponseMessage(Request request, Response response) throws ServletException, IOException {
        IDPWebRequestUtil.WebRequestUtilHolder holder;
        Session sessionInternal = request.getSessionInternal();
        String contextPath = getContextPath();
        // The message and relay state were parked on the session by an earlier step (not in this
        // listing); cleanUpSessionNote() below removes them so each message is consumed once.
        String str = (String) sessionInternal.getNote("SAMLResponse");
        String str2 = (String) sessionInternal.getNote(RelayState.DEFAULT_ELEMENT_LOCAL_NAME);
        boolean z = false;
        // Client-supplied Referer; used only as the destination of the error response built in
        // the catch (Exception) block below.
        String header = request.getHeader("Referer");
        cleanUpSessionNote(request);
        IDPWebRequestUtil iDPWebRequestUtil = new IDPWebRequestUtil(request, this.idpConfiguration, this.keyManager);
        try {
            try {
                SAMLDocumentHolder sAMLDocumentHolder = iDPWebRequestUtil.getSAMLDocumentHolder(str);
                SAML2Object samlObject = sAMLDocumentHolder.getSamlObject();
                if (!(samlObject instanceof StatusResponseType)) {
                    throw logger.wrongTypeError(samlObject.getClass().getName());
                }
                // Issuer as claimed by the message; it selects the key used to verify the signature.
                String value = ((StatusResponseType) samlObject).getIssuer().getValue();
                // Null check of the raw message after it has already been parsed above; a null
                // message presumably fails inside getSAMLDocumentHolder() first.
                if (!(str != null)) {
                    throw logger.samlIDPValidationCheckFailed();
                }
                DefaultSAML2HandlerRequest defaultSAML2HandlerRequest = new DefaultSAML2HandlerRequest(new HTTPContext(request, response, getContext().getServletContext()), new IssuerInfoHolder(getIdentityURL()).getIssuer(), sAMLDocumentHolder, SAML2Handler.HANDLER_TYPE.IDP);
                HashMap hashMap = new HashMap();
                if (this.idpConfiguration.isSupportsSignature() || this.idpConfiguration.isEncrypt()) {
                    // Looked up by the issuer value from the message (see getIssuerPublicKey).
                    hashMap.put("SENDER_PUBLIC_KEY", getIssuerPublicKey(request, value));
                }
                hashMap.put("SAML_IDP_STRICT_POST_BINDING", Boolean.valueOf(this.idpConfiguration.isStrictPostBinding()));
                hashMap.put("SUPPORTS_SIGNATURES", Boolean.valueOf(this.idpConfiguration.isSupportsSignature()));
                if (this.auditHelper != null) {
                    hashMap.put("org.picketlink.federation.saml.AUDIT_HELPER", this.auditHelper);
                    hashMap.put("CONTEXT_PATH", contextPath);
                }
                defaultSAML2HandlerRequest.setOptions(hashMap);
                defaultSAML2HandlerRequest.setRelayState(str2);
                DefaultSAML2HandlerResponse defaultSAML2HandlerResponse = new DefaultSAML2HandlerResponse();
                Set<SAML2Handler> handlers = this.chain.handlers();
                if (handlers != null) {
                    try {
                        // Unlike the request path above, the chain lock is taken unconditionally
                        // here (no isLocking() check). Each handler is reset before it runs.
                        this.chainLock.lock();
                        for (SAML2Handler sAML2Handler : handlers) {
                            sAML2Handler.reset();
                            sAML2Handler.handleStatusResponseType(defaultSAML2HandlerRequest, defaultSAML2HandlerResponse);
                            z = defaultSAML2HandlerResponse.getSendRequest();
                        }
                        this.chainLock.unlock();
                    } catch (Throwable th) {
                        this.chainLock.unlock();
                        throw th;
                    }
                }
                Document resultingDocument = defaultSAML2HandlerResponse.getResultingDocument();
                String relayState = defaultSAML2HandlerResponse.getRelayState();
                String destination = defaultSAML2HandlerResponse.getDestination();
                boolean isPostBindingForResponse = defaultSAML2HandlerResponse.isPostBindingForResponse();
                String destinationQueryStringWithSignature = defaultSAML2HandlerResponse.getDestinationQueryStringWithSignature();
                try {
                    IDPWebRequestUtil.WebRequestUtilHolder holder2 = iDPWebRequestUtil.getHolder();
                    if (destination == null) {
                        throw new ServletException(logger.nullValueError("Destination"));
                    }
                    holder2.setResponseDoc(resultingDocument).setDestination(destination).setRelayState(relayState).setAreWeSendingRequest(z).setPrivateKey(null).setSupportSignature(false).setErrorResponse(false).setServletResponse(response).setPostBindingRequested(isPostBindingForResponse).setDestinationQueryStringWithSignature(destinationQueryStringWithSignature);
                    if (this.idpConfiguration.isSupportsSignature()) {
                        holder2.setPrivateKey(this.keyManager.getSigningKey()).setSupportSignature(true);
                    }
                    holder2.setStrictPostBinding(this.idpConfiguration.isStrictPostBinding());
                    if (holder2.isPostBinding()) {
                        recycle(response);
                    }
                    if (this.enableAudit) {
                        PicketLinkAuditEvent picketLinkAuditEvent = new PicketLinkAuditEvent(AuditLevel.INFO);
                        picketLinkAuditEvent.setType(PicketLinkAuditEventType.RESPONSE_TO_SP);
                        picketLinkAuditEvent.setWhoIsAuditing(contextPath);
                        picketLinkAuditEvent.setDestination(destination);
                        this.auditHelper.audit(picketLinkAuditEvent);
                    }
                    iDPWebRequestUtil.send(holder2);
                } catch (GeneralSecurityException e) {
                    // Only logged: a signing/parsing failure while sending ends the method normally.
                    logger.trace("Security Exception:", e);
                } catch (ParsingException e2) {
                    logger.samlAssertionPasingFailed(e2);
                }
            } catch (Throwable th2) {
                // Reconstructed finally block (see class-level note in the Javadoc): holder may be
                // unassigned here and the constant guard below always throws, so nothing after it
                // runs; the ServletException falls through to the catch (Exception) handler.
                try {
                    holder = iDPWebRequestUtil.getHolder();
                } catch (GeneralSecurityException e3) {
                    logger.trace("Security Exception:", e3);
                } catch (ParsingException e4) {
                    logger.samlAssertionPasingFailed(e4);
                }
                if (0 == 0) {
                    throw new ServletException(logger.nullValueError("Destination"));
                }
                holder.setResponseDoc(null).setDestination(null).setRelayState(str2).setAreWeSendingRequest(false).setPrivateKey(null).setSupportSignature(false).setErrorResponse(false).setServletResponse(response).setPostBindingRequested(false).setDestinationQueryStringWithSignature(null);
                if (this.idpConfiguration.isSupportsSignature()) {
                    holder.setPrivateKey(this.keyManager.getSigningKey()).setSupportSignature(true);
                }
                holder.setStrictPostBinding(this.idpConfiguration.isStrictPostBinding());
                if (holder.isPostBinding()) {
                    recycle(response);
                }
                if (this.enableAudit) {
                    PicketLinkAuditEvent picketLinkAuditEvent2 = new PicketLinkAuditEvent(AuditLevel.INFO);
                    picketLinkAuditEvent2.setType(PicketLinkAuditEventType.RESPONSE_TO_SP);
                    picketLinkAuditEvent2.setWhoIsAuditing(contextPath);
                    picketLinkAuditEvent2.setDestination(null);
                    this.auditHelper.audit(picketLinkAuditEvent2);
                }
                iDPWebRequestUtil.send(holder);
                throw th2;
            }
        } catch (Exception e5) {
            // Untrusted issuers get RequestDenied, everything else AuthnFailed. The error response
            // is addressed to the client-supplied Referer, but as written it is never sent: the
            // constant guard below throws before the send.
            String str3 = JBossSAMLURIConstants.STATUS_AUTHNFAILED.get();
            if (e5 instanceof IssuerNotTrustedException) {
                str3 = JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get();
            }
            logger.samlIDPRequestProcessingError(e5);
            Document errorResponse = iDPWebRequestUtil.getErrorResponse(header, str3, getIdentityURL(), this.idpConfiguration.isSupportsSignature());
            try {
                IDPWebRequestUtil.WebRequestUtilHolder holder3 = iDPWebRequestUtil.getHolder();
                if (0 == 0) {
                    throw new ServletException(logger.nullValueError("Destination"));
                }
                holder3.setResponseDoc(errorResponse).setDestination(null).setRelayState(str2).setAreWeSendingRequest(false).setPrivateKey(null).setSupportSignature(false).setErrorResponse(true).setServletResponse(response).setPostBindingRequested(false).setDestinationQueryStringWithSignature(null);
                if (this.idpConfiguration.isSupportsSignature()) {
                    holder3.setPrivateKey(this.keyManager.getSigningKey()).setSupportSignature(true);
                }
                holder3.setStrictPostBinding(this.idpConfiguration.isStrictPostBinding());
                if (holder3.isPostBinding()) {
                    recycle(response);
                }
                if (this.enableAudit) {
                    PicketLinkAuditEvent picketLinkAuditEvent3 = new PicketLinkAuditEvent(AuditLevel.INFO);
                    picketLinkAuditEvent3.setType(PicketLinkAuditEventType.RESPONSE_TO_SP);
                    picketLinkAuditEvent3.setWhoIsAuditing(contextPath);
                    picketLinkAuditEvent3.setDestination(null);
                    this.auditHelper.audit(picketLinkAuditEvent3);
                }
                iDPWebRequestUtil.send(holder3);
            } catch (GeneralSecurityException e6) {
                logger.trace("Security Exception:", e6);
            } catch (ParsingException e7) {
                logger.samlAssertionPasingFailed(e7);
            }
        }
    }

    /**
     * Reads the SAML-related notes stored on the current session and removes them, so that each
     * stored message is consumed at most once.
     * <p>
     * Notes handled: {@code SAMLRequest} (removed together with the binding note),
     * {@code SAMLResponse}, the relay state, {@code Signature} and {@code SigAlg}. A note is only
     * removed when its value is non-null. With trace logging enabled the retrieved values are
     * written to the log, so message payloads and signatures appear in trace output.
     *
     * @param request the current request whose internal session is cleaned
     */
    protected void cleanUpSessionNote(Request request) {
        final Session session = request.getSessionInternal();
        final String bindingKey = JBossSAMLConstants.BINDING.get();
        final String relayStateKey = RelayState.DEFAULT_ELEMENT_LOCAL_NAME;

        final String samlRequest = (String) session.getNote("SAMLRequest");
        final String binding = (String) session.getNote(bindingKey);
        final String samlResponse = (String) session.getNote("SAMLResponse");
        final String relayState = (String) session.getNote(relayStateKey);
        final String signature = (String) session.getNote("Signature");
        final String sigAlg = (String) session.getNote("SigAlg");

        if (logger.isTraceEnabled()) {
            final String traceMessage = "Retrieved saml messages and relay state from session"
                    + "saml Request message=" + samlRequest
                    + "Binding=" + binding
                    + org.picketbox.util.StringUtil.PROPERTY_DEFAULT_SEPARATOR + "SAMLResponseMessage="
                    + samlResponse + ":" + "relay state=" + relayState
                    + "Signature=" + signature + "::sigAlg=" + sigAlg;
            logger.trace(traceMessage);
        }

        // The request note and its binding note live and die together.
        if (StringUtil.isNotNull(samlRequest)) {
            session.removeNote("SAMLRequest");
            session.removeNote(bindingKey);
        }
        if (StringUtil.isNotNull(samlResponse)) {
            session.removeNote("SAMLResponse");
        }
        if (StringUtil.isNotNull(relayState)) {
            session.removeNote(relayStateKey);
        }
        if (StringUtil.isNotNull(signature)) {
            session.removeNote("Signature");
        }
        if (StringUtil.isNotNull(sigAlg)) {
            session.removeNote("SigAlg");
        }
    }

    /**
     * Builds a SAML error response with status {@code Responder} and sends it to the service
     * provider at {@code str}. The response is signed when the IDP configuration enables
     * signatures, and an {@code ERROR_RESPONSE_TO_SP} audit event is recorded when auditing is on.
     *
     * @param str               destination URL of the service provider
     * @param response          the servlet response the SAML message is written to
     * @param str2              relay state echoed back to the service provider
     * @param iDPWebRequestUtil helper that builds and sends the message
     * @throws ServletException       if the response cannot be parsed or signed
     * @throws IOException            propagated from sending the response
     * @throws ConfigurationException propagated from building the error response
     */
    protected void sendErrorResponseToSP(String str, Response response, String str2, IDPWebRequestUtil iDPWebRequestUtil) throws ServletException, IOException, ConfigurationException {
        logger.trace("About to send error response to SP:" + str);
        final String contextPath = getContextPath();
        final boolean signingEnabled = this.idpConfiguration.isSupportsSignature();
        final Document errorDocument = iDPWebRequestUtil.getErrorResponse(str, JBossSAMLURIConstants.STATUS_RESPONDER.get(), getIdentityURL(), signingEnabled);
        try {
            final IDPWebRequestUtil.WebRequestUtilHolder holder = iDPWebRequestUtil.getHolder();
            holder.setResponseDoc(errorDocument)
                    .setDestination(str)
                    .setRelayState(str2)
                    .setAreWeSendingRequest(false)
                    .setPrivateKey(null)
                    .setSupportSignature(false)
                    .setServletResponse(response);
            holder.setPostBindingRequested(iDPWebRequestUtil.hasSAMLRequestInPostProfile());
            if (signingEnabled) {
                holder.setPrivateKey(this.keyManager.getSigningKey()).setSupportSignature(true);
            }
            holder.setStrictPostBinding(this.idpConfiguration.isStrictPostBinding());
            if (holder.isPostBinding()) {
                recycle(response);
            }
            if (this.enableAudit) {
                final PicketLinkAuditEvent auditEvent = new PicketLinkAuditEvent(AuditLevel.INFO);
                auditEvent.setType(PicketLinkAuditEventType.ERROR_RESPONSE_TO_SP);
                auditEvent.setWhoIsAuditing(contextPath);
                auditEvent.setDestination(str);
                this.auditHelper.audit(auditEvent);
            }
            iDPWebRequestUtil.send(holder);
        } catch (ParsingException e) {
            throw new ServletException((Throwable) e);
        } catch (GeneralSecurityException e2) {
            throw new ServletException(e2);
        }
    }

    /**
     * Registers an {@code IdentityServer} in the servlet context under {@code IDENTITY_SERVER}
     * unless one is already present. When the IDP configuration names an identity participant
     * stack class, it is loaded by name and installed on the new server; a failure to do so is
     * logged and the server keeps its default stack.
     */
    protected void initIdentityServer() {
        final IdentityServer existing = (IdentityServer) getContext().getServletContext().getAttribute("IDENTITY_SERVER");
        if (existing != null) {
            return;
        }
        final IdentityServer identityServer = new IdentityServer();
        getContext().getServletContext().setAttribute("IDENTITY_SERVER", identityServer);

        // Participant stack implementation is chosen by class name in the IDP configuration.
        final String stackClassName = this.idpConfiguration.getIdentityParticipantStack();
        if (!StringUtil.isNotNull(stackClassName)) {
            return;
        }
        try {
            final Class<?> stackClass = SecurityActions.loadClass(getClass(), stackClassName);
            if (stackClass == null) {
                throw logger.classNotLoadedError(stackClassName);
            }
            identityServer.setStack((IdentityParticipantStack) stackClass.newInstance());
        } catch (Exception e) {
            logger.samlIDPUnableToSetParticipantStackUsingDefault(e);
        }
    }

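    /**
     * Builds the SAML2 handler chain from the handler configuration and initialises every
     * handler with the shared chain options.
     * <p>
     * The handler configuration comes from {@code picketLinkConfiguration} when present,
     * otherwise from {@code /WEB-INF/picketlink-handlers.xml}. The chain implementation may be
     * named in that configuration and is then loaded by class name. The options handed to each
     * handler are the role generator, the IDP configuration and, when a key manager is
     * configured, its signing key pair plus the certificate registered under the
     * {@code X509CERTIFICATE} additional option.
     *
     * @throws LifecycleException if the chain class cannot be created or any other step fails;
     *                            the underlying exception is attached as the cause
     */
    protected void initHandlersChain() throws LifecycleException {
        try {
            if (this.picketLinkConfiguration != null) {
                this.handlers = this.picketLinkConfiguration.getHandlers();
            } else {
                // NOTE(review): the resource stream is not closed here; whether
                // ConfigurationUtil.getHandlers() closes it is not visible in this listing.
                this.handlers = ConfigurationUtil.getHandlers(getContext().getServletContext().getResourceAsStream("/WEB-INF/picketlink-handlers.xml"));
            }
            String handlerChainClass = this.handlers.getHandlerChainClass();
            if (StringUtil.isNullOrEmpty(handlerChainClass)) {
                this.chain = SAML2HandlerChainFactory.createChain();
            } else {
                try {
                    this.chain = SAML2HandlerChainFactory.createChain(handlerChainClass);
                } catch (ProcessingException e) {
                    throw new LifecycleException((Throwable) e);
                }
            }
            this.chain.addAll(HandlerUtil.getHandlers(this.handlers));

            HashMap<String, Object> chainOptions = new HashMap<String, Object>();
            chainOptions.put("ROLE_GENERATOR", this.roleGenerator);
            chainOptions.put("CONFIGURATION", this.idpConfiguration);
            if (this.keyManager != null) {
                chainOptions.put("KEYPAIR", this.keyManager.getSigningKeyPair());
                // The alias is stored on the key manager during initKeyManager().
                String certificateAlias = (String) this.keyManager.getAdditionalOption("X509CERTIFICATE");
                if (certificateAlias != null) {
                    chainOptions.put("X509CERTIFICATE", this.keyManager.getCertificate(certificateAlias));
                }
            }
            DefaultSAML2HandlerChainConfig chainConfig = new DefaultSAML2HandlerChainConfig(chainOptions);
            for (SAML2Handler handler : this.chain.handlers()) {
                handler.initChainConfig(chainConfig);
            }
        } catch (Exception e2) {
            logger.samlHandlerConfigurationError(e2);
            // Keep the original exception as the cause so the stack trace is not lost.
            throw new LifecycleException(e2.getLocalizedMessage(), e2);
        }
    }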

    /* JADX WARN: Code restructure failed: missing block: B:21:0x00a1, code lost:
    
        r6.keyManager.addAdditionalOption("X509CERTIFICATE", r0.getValue());
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Initialises the key manager from the IDP configuration.
     * <p>
     * The decompiler could not reconstruct this method: the stub below throws
     * {@link UnsupportedOperationException} and is an artifact of the failed decompilation, not
     * the behaviour of the compiled class. The only fragment recovered (JADX note above) is that
     * a value read from the configuration is stored on the key manager as the
     * {@code X509CERTIFICATE} additional option, which {@code initHandlersChain()} later reads
     * back to hand the certificate to the handler chain.
     *
     * @throws LifecycleException presumably when the key manager cannot be configured
     */
    protected void initKeyManager() throws org.apache.catalina.LifecycleException {
        /*
            Method dump skipped, instructions count: 266
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.initKeyManager():void");
    }

    /**
     * Loads the IDP configuration and the settings derived from it (audit, attribute manager,
     * role generator, SP metadata, hosted URI).
     * <p>
     * Configuration source, in order: the {@code configFile} path set on the valve, else
     * {@code /WEB-INF/picketlink.xml}. A configured {@code configProvider} may then consume that
     * stream (or {@code /WEB-INF/picketlink-idfed.xml}) and supply both configurations. If no
     * IDP configuration resulted, the stream is parsed directly, with
     * {@code /WEB-INF/picketlink-idfed.xml} as the IDP-only fallback; that fallback leaves
     * {@code picketLinkConfiguration} null.
     * <p>
     * Throws the unchecked exception produced by {@code logger.samlIDPConfigurationError} when
     * the configuration file is missing or cannot be processed.
     */
    protected void initIDPConfiguration() {
        InputStream fileInputStream;
        if (StringUtil.isNullOrEmpty(this.configFile)) {
            fileInputStream = getContext().getServletContext().getResourceAsStream("/WEB-INF/picketlink.xml");
        } else {
            try {
                // NOTE(review): this stream is never closed in this method. It is handed to the
                // config provider / ConfigurationUtil below; whether they close it is not visible.
                fileInputStream = new FileInputStream(this.configFile);
            } catch (FileNotFoundException e) {
                throw logger.samlIDPConfigurationError(e);
            }
        }
        if (this.configProvider != null) {
            try {
                if (fileInputStream == null) {
                    fileInputStream = getContext().getServletContext().getResourceAsStream("/WEB-INF/picketlink-idfed.xml");
                    if (fileInputStream != null && (this.configProvider instanceof AbstractSAMLConfigurationProvider)) {
                        ((AbstractSAMLConfigurationProvider) this.configProvider).setConfigFile(fileInputStream);
                    }
                } else if (fileInputStream != null && (this.configProvider instanceof AbstractSAMLConfigurationProvider)) {
                    // The null check is redundant in this branch (the stream is non-null here).
                    ((AbstractSAMLConfigurationProvider) this.configProvider).setConsolidatedConfigFile(fileInputStream);
                }
                this.picketLinkConfiguration = this.configProvider.getPicketLinkConfiguration();
                this.idpConfiguration = this.configProvider.getIDPConfiguration();
            } catch (ProcessingException e2) {
                throw logger.samlIDPConfigurationError(e2);
            } catch (ParsingException e3) {
                throw logger.samlIDPConfigurationError(e3);
            }
        }
        if (this.idpConfiguration == null) {
            if (fileInputStream != null) {
                try {
                    this.picketLinkConfiguration = ConfigurationUtil.getConfiguration(fileInputStream);
                    this.idpConfiguration = this.picketLinkConfiguration.getIdpOrSP();
                } catch (ParsingException e4) {
                    // Unlike the other call sites, the exception returned by
                    // samlIDPConfigurationError is discarded here, so a parse failure is only
                    // logged; idpConfiguration stays null and the getAttributeManager() call
                    // further down fails with a NullPointerException instead, which the final
                    // catch wraps.
                    logger.trace(e4);
                    logger.samlIDPConfigurationError(e4);
                }
            }
            if (fileInputStream == null) {
                InputStream resourceAsStream = getContext().getServletContext().getResourceAsStream("/WEB-INF/picketlink-idfed.xml");
                if (resourceAsStream == null) {
                    throw logger.configurationFileMissing("/WEB-INF/picketlink-idfed.xml");
                }
                try {
                    this.idpConfiguration = ConfigurationUtil.getIDPConfiguration(resourceAsStream);
                } catch (ParsingException e5) {
                    // Same pattern: the returned exception is not thrown.
                    logger.samlIDPConfigurationError(e5);
                }
            }
        }
        try {
            if (this.picketLinkConfiguration != null) {
                this.enableAudit = this.picketLinkConfiguration.isEnableAudit();
                if (!this.enableAudit) {
                    // Auditing can also be switched on with the picketlink.audit.enable system
                    // property. The decompiler substituted log4j's DateLayout.NULL_DATE_FORMAT
                    // (value "NULL") for what was presumably a "NULL" sentinel literal.
                    String systemProperty = SecurityActions.getSystemProperty("picketlink.audit.enable", DateLayout.NULL_DATE_FORMAT);
                    if (!DateLayout.NULL_DATE_FORMAT.equals(systemProperty)) {
                        this.enableAudit = Boolean.parseBoolean(systemProperty);
                    }
                }
                if (this.enableAudit && this.auditHelper == null) {
                    this.auditHelper = new PicketLinkAuditHelper(PicketLinkAuditHelper.getSecurityDomainName(getContext().getServletContext()));
                }
            }
            logger.trace("Identity Provider URL=" + getIdentityURL());
            // Attribute manager and role generator implementations are chosen by class name in
            // the configuration and instantiated reflectively (Class.newInstance() is deprecated
            // since Java 9; constructor exceptions surface unwrapped).
            String attributeManager = this.idpConfiguration.getAttributeManager();
            if (attributeManager != null && !"".equals(attributeManager)) {
                Class<?> loadClass = SecurityActions.loadClass(getClass(), attributeManager);
                if (loadClass == null) {
                    throw new RuntimeException((Throwable) logger.classNotLoadedError(attributeManager));
                }
                this.attribManager.setDelegate((AttributeManager) loadClass.newInstance());
            }
            String roleGenerator = this.idpConfiguration.getRoleGenerator();
            if (roleGenerator != null && !"".equals(roleGenerator)) {
                Class<?> loadClass2 = SecurityActions.loadClass(getClass(), roleGenerator);
                if (loadClass2 == null) {
                    throw new RuntimeException((Throwable) logger.classNotLoadedError(roleGenerator));
                }
                this.roleGenerator = (RoleGenerator) loadClass2.newInstance();
            }
            // SP metadata keyed by entity ID; willIgnoreSignatureOfCurrentRequest() consults this
            // map to decide whether a given issuer's requests must be signed.
            List<EntityDescriptorType> metadataConfiguration = CoreConfigUtil.getMetadataConfiguration(this.idpConfiguration, getContext().getServletContext());
            if (metadataConfiguration != null) {
                for (EntityDescriptorType entityDescriptorType : metadataConfiguration) {
                    SPSSODescriptorType sPDescriptor = CoreConfigUtil.getSPDescriptor(entityDescriptorType);
                    if (sPDescriptor != null) {
                        this.spSSOMetadataMap.put(entityDescriptorType.getEntityID(), sPDescriptor);
                    }
                }
            }
            initHostedURI();
        } catch (Exception e6) {
            throw logger.samlIDPConfigurationError(e6);
        }
    }

    /**
     * Initialises the core STS. When the PicketLink configuration carries an STS section it is
     * used directly; otherwise {@code /WEB-INF/picketlink-sts.xml} is installed if it exists on
     * disk, and the built-in default configuration is installed as a last resort.
     */
    protected void initSTSConfiguration() {
        final boolean hasStsType = this.picketLinkConfiguration != null
                && this.picketLinkConfiguration.getStsType() != null;
        if (hasStsType) {
            PicketLinkCoreSTS.instance().initialize(new PicketLinkSTSConfiguration(this.picketLinkConfiguration.getStsType()));
            return;
        }

        final PicketLinkCoreSTS sts = PicketLinkCoreSTS.instance();
        // getRealPath() returns null for unexploded deployments; treat that as "no local file".
        final String realPath = getContext().getServletContext().getRealPath("/WEB-INF/picketlink-sts.xml");
        final File stsConfigFile = realPath == null ? null : new File(realPath);
        final boolean haveLocalConfig = stsConfigFile != null && stsConfigFile.exists();
        if (!haveLocalConfig) {
            logger.samlIDPInstallingDefaultSTSConfig();
            sts.installDefaultConfiguration(new String[0]);
            return;
        }
        sts.installDefaultConfiguration(stsConfigFile.toURI().toString());
    }

    /**
     * Returns the identity provider URL from the IDP configuration; used as the issuer of
     * outgoing messages and as the redirect target when no destination is known.
     *
     * @return the configured identity URL
     */
    protected String getIdentityURL() {
        final String identityUrl = this.idpConfiguration.getIdentityURL();
        return identityUrl;
    }

    /**
     * Returns the Tomcat {@link Context} this valve is attached to.
     *
     * @return the container, cast to {@link Context}
     */
    protected Context getContext() {
        final Context context = (Context) getContainer();
        return context;
    }

    /**
     * Returns the context path of this IDP; it is recorded on audit events as the auditing
     * party and passed to the handler chain under the {@code CONTEXT_PATH} option.
     *
     * @return the context path
     */
    protected abstract String getContextPath();

    /**
     * Recycles the Tomcat response. Callers in this class invoke it right before a SAML message
     * is sent with the POST binding (see the {@code holder.isPostBinding()} checks).
     *
     * @param response the response to recycle
     */
    protected void recycle(Response response) {
        response.recycle();
    }

    /**
     * Maps the web application's login configuration to a SAML authentication-context class.
     * <p>
     * {@code CLIENT-CERT} yields {@code AC_TLS_CLIENT}; any other configured method yields
     * {@code AC_PASSWORD_PROTECTED_TRANSPORT} when {@code z} is true and {@code AC_PASSWORD}
     * otherwise. With no login config or no auth method, {@code AC_PASSWORD} is returned.
     *
     * @param z whether the request arrived over a protected transport
     * @return the authentication-context class URI
     */
    protected String determineLoginType(boolean z) {
        final LoginConfig loginConfig = getContext().getLoginConfig();
        if (loginConfig == null) {
            return JBossSAMLURIConstants.AC_PASSWORD.get();
        }
        final String authMethod = loginConfig.getAuthMethod();
        if (!StringUtil.isNotNull(authMethod)) {
            return JBossSAMLURIConstants.AC_PASSWORD.get();
        }
        if (AuthMethod.CLIENT_CERT.equals(authMethod)) {
            return JBossSAMLURIConstants.AC_TLS_CLIENT.get();
        }
        if (z) {
            return JBossSAMLURIConstants.AC_PASSWORD_PROTECTED_TRANSPORT.get();
        }
        return JBossSAMLURIConstants.AC_PASSWORD.get();
    }

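    /**
     * Boots the IDP: loads the configuration, STS, key manager, handler chain and identity
     * server, and, when {@code timerInterval} is positive, schedules a periodic reload of the
     * configuration, key manager and handler chain.
     * <p>
     * The periodic reload is delegated to {@link #reloadPicketLinkConfiguration()}, which
     * catches both {@link LifecycleException} and {@link RuntimeException}. A {@link Timer}
     * permanently stops its thread when a task lets an exception escape, so an unguarded
     * reload failure (for example an unchecked exception from {@code initIDPConfiguration()})
     * would silently end all future reloads.
     *
     * @throws LifecycleException if the key manager or the handler chain cannot be initialised
     */
    protected void startPicketLink() throws LifecycleException {
        SystemPropertiesUtil.ensure();
        if (this.timerInterval > 0) {
            if (this.timer == null) {
                // NOTE(review): a non-daemon Timer thread; it keeps the JVM alive until the timer
                // is cancelled elsewhere (not visible in this listing).
                this.timer = new Timer();
            }
            this.timer.scheduleAtFixedRate(new TimerTask() {
                @Override
                public void run() {
                    reloadPicketLinkConfiguration();
                }
            }, this.timerInterval, this.timerInterval);
        }
        initIDPConfiguration();
        initSTSConfiguration();
        initKeyManager();
        initHandlersChain();
        initIdentityServer();
        // Default attribute names requested from the attribute manager.
        this.attributeKeys.addAll(Arrays.asList("mail", "cn", "commonname", "givenname", "surname", "employeeType", "employeeNumber", "facsimileTelephoneNumber"));
        if (this.picketLinkConfiguration == null) {
            // The picketlink-idfed.xml path of initIDPConfiguration() leaves this null; synthesise
            // one so later code can rely on picketLinkConfiguration being set.
            this.picketLinkConfiguration = new PicketLinkType();
            this.picketLinkConfiguration.setIdpOrSP(this.idpConfiguration);
            this.picketLinkConfiguration.setHandlers(this.handlers);
        }
    }

    /**
     * Reloads configuration, key manager and handler chain from scratch; invoked by the timer
     * scheduled in {@link #startPicketLink()}. Failures are logged and never propagated so the
     * timer keeps running. Note that the in-memory state may be partially replaced when a step
     * fails part-way, and that the reload runs concurrently with request processing.
     */
    private void reloadPicketLinkConfiguration() {
        try {
            this.picketLinkConfiguration = null;
            this.idpConfiguration = null;
            initIDPConfiguration();
            initKeyManager();
            initHandlersChain();
        } catch (LifecycleException | RuntimeException e) {
            // Logged at error level: a failed reload leaves the IDP running on stale or partial
            // state, which operators need to see.
            logger.error(e);
        }
    }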

    /**
     * Builds a SAML 1.1 attribute statement carrying one role attribute per entry of
     * {@code list}, in the {@code urn:picketlink:role} namespace.
     *
     * @param list the role names; must not be null
     * @return the statement, or {@code null} when {@code list} is empty
     */
    private SAML11AttributeStatementType createAttributeStatement(List<String> list) {
        if (list.isEmpty()) {
            return null;
        }
        final SAML11AttributeStatementType statement = new SAML11AttributeStatementType();
        final URI roleNamespace = URI.create("urn:picketlink:role");
        for (String role : list) {
            final SAML11AttributeType roleAttribute = new SAML11AttributeType(AttributeConstants.ROLE_IDENTIFIER_ASSERTION, roleNamespace);
            roleAttribute.add(role);
            statement.add(roleAttribute);
        }
        return statement;
    }

    /**
     * Sets the audit helper used for SAML audit events. When set before
     * {@code initIDPConfiguration()} runs, it takes precedence over the helper that would
     * otherwise be created from the servlet context's security domain.
     *
     * @param picketLinkAuditHelper the audit helper to use
     */
    public void setAuditHelper(PicketLinkAuditHelper picketLinkAuditHelper) {
        auditHelper = picketLinkAuditHelper;
    }

    /**
     * Decides, from SP metadata, whether the signature on a request from {@code str} may be
     * ignored.
     * <p>
     * Returns {@code false} when no metadata is registered for the issuer. Otherwise the answer
     * is the negation of the SP's {@code AuthnRequestsSigned} flag, with an absent flag treated
     * as {@code false}; an SP whose metadata does not assert {@code AuthnRequestsSigned="true"}
     * therefore has its request signatures ignored. The caller that acts on this value is not
     * part of this listing.
     *
     * @param str the issuer (entity ID) of the current request
     * @return {@code true} when signature validation may be skipped for this issuer
     */
    private Boolean willIgnoreSignatureOfCurrentRequest(String str) {
        final SPSSODescriptorType spDescriptor = this.spSSOMetadataMap.get(str);
        if (spDescriptor == null) {
            return Boolean.FALSE;
        }
        final Boolean authnRequestsSigned = spDescriptor.isAuthnRequestsSigned();
        logger.trace("Issuer: " + str + ", isRequestSigned: " + authnRequestsSigned);
        final boolean requestsAreSigned = authnRequestsSigned != null && authnRequestsSigned.booleanValue();
        return Boolean.valueOf(!requestsAreSigned);
    }

    /**
     * Normalises the configured hosted URI and writes it back to the IDP configuration:
     * empty becomes {@code /hosted/}, and a value that contains no {@code .} and does not end
     * with {@code /} gets a trailing slash. Values containing a dot are left untouched, which
     * presumably treats them as file names rather than directories.
     */
    private void initHostedURI() {
        final String configured = this.idpConfiguration.getHostedURI();
        final String normalized;
        if (StringUtil.isNullOrEmpty(configured)) {
            normalized = "/hosted/";
        } else if (configured.contains(".") || configured.endsWith("/")) {
            normalized = configured;
        } else {
            normalized = configured + "/";
        }
        this.idpConfiguration.setHostedURI(normalized);
    }

    /**
     * Lazily creates and starts the {@link SSLAuthenticator} used for client-certificate
     * authentication. Its {@code getNext()} is overridden to return a no-op valve, so invoking
     * the authenticator never continues down the real pipeline; presumably only its
     * authentication step is wanted. The lazy initialisation is not synchronised.
     *
     * @return the started authenticator
     * @throws RuntimeException if the authenticator fails to start
     */
    private SSLAuthenticator getSSLAuthenticator() {
        if (this.sslAuthenticator != null) {
            return this.sslAuthenticator;
        }
        final SSLAuthenticator authenticator = new SSLAuthenticator() {
            @Override
            public Valve getNext() {
                return new ValveBase() {
                    @Override
                    public void invoke(Request request, Response response) throws IOException, ServletException {
                        // Intentionally empty: the chain ends here.
                    }
                };
            }
        };
        authenticator.setContainer(getContainer());
        this.sslAuthenticator = authenticator;
        try {
            authenticator.start();
        } catch (LifecycleException e) {
            throw new RuntimeException("Error starting SSL authenticator.", e);
        }
        return authenticator;
    }

    /**
     * Tells whether the request was made by an XMLHttpRequest client, judged solely by the
     * client-supplied {@code X-Requested-With} header (case-insensitive comparison).
     *
     * @param request the current request
     * @return {@code true} when the header equals {@code XMLHttpRequest}
     */
    private boolean isAjaxRequest(Request request) {
        final String requestedWith = request.getHeader("X-Requested-With");
        return "XMLHttpRequest".equalsIgnoreCase(requestedWith);
    }
}
