package org.picketlink.identity.federation.bindings.tomcat.sp;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.util.List;
import java.util.Set;
import java.util.StringTokenizer;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.xml.bind.JAXBException;
import org.apache.catalina.Session;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.log4j.Logger;
import org.picketlink.identity.federation.api.saml.v2.request.SAML2Request;
import org.picketlink.identity.federation.bindings.tomcat.sp.holder.ServiceProviderSAMLContext;
import org.picketlink.identity.federation.bindings.util.ValveUtil;
import org.picketlink.identity.federation.core.config.TrustType;
import org.picketlink.identity.federation.core.exceptions.ConfigurationException;
import org.picketlink.identity.federation.core.exceptions.ParsingException;
import org.picketlink.identity.federation.core.exceptions.ProcessingException;
import org.picketlink.identity.federation.core.saml.v2.exceptions.AssertionExpiredException;
import org.picketlink.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
import org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil;
import org.picketlink.identity.federation.core.util.StringUtil;
import org.picketlink.identity.federation.saml.v2.protocol.AuthnRequestType;
import org.picketlink.identity.federation.saml.v2.protocol.ResponseType;
import org.picketlink.identity.federation.web.core.HTTPContext;
import org.picketlink.identity.federation.web.process.ServiceProviderBaseProcessor;
import org.picketlink.identity.federation.web.process.ServiceProviderSAMLRequestProcessor;
import org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor;
import org.picketlink.identity.federation.web.util.HTTPRedirectUtil;
import org.picketlink.identity.federation.web.util.RedirectBindingUtil;
import org.picketlink.identity.federation.web.util.ServerDetector;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/* loaded from: input_file:org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.class */
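/**
 * Tomcat authenticator valve for a SAML v2 service provider that exchanges messages with
 * the identity provider over the HTTP-Redirect binding: outgoing documents are deflated,
 * base64- and URL-encoded into the query string of a redirect (see {@link RedirectBindingUtil}).
 * <p>
 * {@link #authenticate} dispatches on the request parameters:
 * <ul>
 *   <li>neither {@code SAMLRequest} nor {@code SAMLResponse}: run the handler chain to build an
 *       outgoing message and redirect the browser to its destination;</li>
 *   <li>{@code SAMLResponse}: validate and process the IDP response, then either redirect again
 *       (the chain produced another message), forward to the logout page (session no longer
 *       valid), or establish the container principal for the session;</li>
 *   <li>{@code SAMLRequest}: hand an inbound message from the IDP to the request processor.</li>
 * </ul>
 * Encrypted assertions are not handled by this class, see {@link #decryptAssertion}.
 */
public class SPRedirectFormAuthenticator extends BaseFormAuthenticator {
    private static Logger log = Logger.getLogger(SPRedirectFormAuthenticator.class);
    /** Set once in the constructor from {@link ServerDetector}; selects the realm-based login path. */
    private boolean jbossEnv;
    /** Trace flag is sampled once at construction, not per request. */
    private boolean trace = log.isTraceEnabled();
    /** Context-relative page forwarded to when the session has been invalidated. */
    private String logOutPage = "/logout.jsp";

    public SPRedirectFormAuthenticator() {
        this.jbossEnv = false;
        this.jbossEnv = new ServerDetector().isJboss();
    }

    /**
     * Authenticates the request per the SAML flow described on the class.
     *
     * @param request     current request; {@code GLO}, {@code SAMLRequest} and {@code SAMLResponse}
     *                    parameters select the branch taken
     * @param response    current response; used for the redirect to the IDP
     * @param loginConfig container login configuration, passed to the superclass fallback
     * @return {@code true} when a principal has been established for this request, {@code false}
     *         when a redirect or forward was sent and the request must not proceed
     * @throws IOException on any processing or validation failure. Internal details are logged
     *                     (error, or trace where gated) but not returned to the caller.
     */
    public boolean authenticate(Request request, Response response, LoginConfig loginConfig) throws IOException {
        SAML2HandlerResponse process;
        Principal authenticate;
        String parameter = request.getParameter("GLO");
        // GLO=true requests a global logout; it bypasses the "already authenticated" shortcut below.
        boolean z = StringUtil.isNotNull(parameter) && "true".equalsIgnoreCase(parameter);
        String parameter2 = request.getParameter("SAMLRequest");
        String parameter3 = request.getParameter("SAMLResponse");
        Principal userPrincipal = request.getUserPrincipal();
        // Already authenticated and no SAML traffic on this request: nothing to do.
        if (userPrincipal != null && !z && !StringUtil.isNotNull(parameter2) && !StringUtil.isNotNull(parameter3)) {
            return true;
        }
        Session sessionInternal = request.getSessionInternal(true);
        HTTPContext hTTPContext = new HTTPContext(request, response, this.context.getServletContext());
        Set handlers = this.chain.handlers();
        if (!StringUtil.isNotNull(parameter2) && !StringUtil.isNotNull(parameter3)) {
            // No SAML message on the request: let the handler chain produce the outgoing
            // message (normally an AuthnRequest) and send the browser to the IDP.
            try {
                ServiceProviderBaseProcessor serviceProviderBaseProcessor = new ServiceProviderBaseProcessor(false, this.serviceURL);
                initializeSAMLProcessor(serviceProviderBaseProcessor);
                SAML2HandlerResponse process2 = serviceProviderBaseProcessor.process(hTTPContext, handlers, this.chainLock);
                process2.setDestination(this.identityURL);
                Document resultingDocument = process2.getResultingDocument();
                String relayState = process2.getRelayState();
                String destination = process2.getDestination();
                if (destination != null && resultingDocument != null) {
                    try {
                        String documentAsString = DocumentUtil.getDocumentAsString(resultingDocument);
                        if (this.trace) {
                            // Logs the complete SAML document; keep trace off in production.
                            log.trace("SAML Document=" + documentAsString);
                        }
                        String destinationQueryString = getDestinationQueryString(RedirectBindingUtil.deflateBase64URLEncode(documentAsString.getBytes("UTF-8")), relayState, process2.getSendRequest());
                        RedirectBindingUtil.RedirectBindingUtilDestHolder redirectBindingUtilDestHolder = new RedirectBindingUtil.RedirectBindingUtilDestHolder();
                        redirectBindingUtilDestHolder.setDestination(destination).setDestinationQueryString(destinationQueryString);
                        String destinationURL = RedirectBindingUtil.getDestinationURL(redirectBindingUtilDestHolder);
                        if (this.trace) {
                            log.trace("URL used for sending:" + destinationURL);
                        }
                        HTTPRedirectUtil.sendRedirectForRequestor(destinationURL, response);
                        return false;
                    } catch (Exception e) {
                        if (this.trace) {
                            log.trace("Exception:", e);
                        }
                        // Generic message on purpose: do not leak processing details to the client.
                        throw new IOException("Server Error");
                    }
                }
            } catch (ParsingException e2) {
                log.error("Parsing Exception:", e2);
                throw new RuntimeException((Throwable) e2);
            } catch (ConfigurationException e3) {
                log.error("Config Exception:", e3);
                throw new RuntimeException((Throwable) e3);
            } catch (ProcessingException e4) {
                log.error("Processing Exception:", e4);
                throw new RuntimeException((Throwable) e4);
            }
        }
        if (StringUtil.isNotNull(parameter3)) {
            try {
                // Base validation (inherited) must pass before the response is even parsed.
                if (!validate(request)) {
                    throw new IOException("Validity check failed");
                }
                try {
                    ServiceProviderSAMLResponseProcessor serviceProviderSAMLResponseProcessor = new ServiceProviderSAMLResponseProcessor(false, this.serviceURL);
                    initializeSAMLProcessor(serviceProviderSAMLResponseProcessor);
                    try {
                        process = serviceProviderSAMLResponseProcessor.process(parameter3, hTTPContext, handlers, this.chainLock);
                    } catch (ProcessingException e5) {
                        if (!(e5.getCause() instanceof AssertionExpiredException)) {
                            throw e5;
                        }
                        // Expired assertion: start a fresh authentication round trip instead of failing.
                        ServiceProviderBaseProcessor serviceProviderBaseProcessor2 = new ServiceProviderBaseProcessor(false, this.serviceURL);
                        initializeSAMLProcessor(serviceProviderBaseProcessor2);
                        process = serviceProviderBaseProcessor2.process(hTTPContext, handlers, this.chainLock);
                        process.setDestination(this.identityURL);
                    }
                    Document resultingDocument2 = process.getResultingDocument();
                    String relayState2 = process.getRelayState();
                    String destination2 = process.getDestination();
                    if (destination2 == null || resultingDocument2 == null) {
                        // The chain produced no further message. If it invalidated the session
                        // (presumably a logout response -- confirm against the handlers), show the logout page.
                        if (!sessionInternal.isValid()) {
                            RequestDispatcher requestDispatcher = this.context.getServletContext().getRequestDispatcher(this.logOutPage);
                            if (requestDispatcher == null) {
                                log.error("Cannot dispatch to the logout page: no request dispatcher:" + this.logOutPage);
                                return false;
                            }
                            requestDispatcher.forward(request, response);
                            return false;
                        }
                        List<String> roles = process.getRoles();
                        if (userPrincipal == null) {
                            // The handler chain is expected to have stored the principal on the session.
                            userPrincipal = (Principal) sessionInternal.getSession().getAttribute("jboss_identity.principal");
                        }
                        if (userPrincipal == null) {
                            // Fail explicitly instead of with an NPE; the outer handlers turn this into an IOException either way.
                            throw new IOException("No principal available after processing the SAML response");
                        }
                        String name = userPrincipal.getName();
                        if (new ServerDetector().isJboss() || this.jbossEnv) {
                            // On JBoss the roles are handed to the realm via a thread-local context
                            // and the realm is driven with an empty password (the SAML assertion is the credential).
                            ServiceProviderSAMLContext.push(name, roles);
                            authenticate = this.context.getRealm().authenticate(name, ServiceProviderSAMLContext.EMPTY_PASSWORD);
                            ServiceProviderSAMLContext.clear();
                        } else {
                            authenticate = new SPUtil().createGenericPrincipal(request, userPrincipal.getName(), roles);
                        }
                        // Session notes mirror what FORM authentication stores; the password note is the empty placeholder.
                        sessionInternal.setNote("org.apache.catalina.session.USERNAME", name);
                        sessionInternal.setNote("org.apache.catalina.session.PASSWORD", ServiceProviderSAMLContext.EMPTY_PASSWORD);
                        request.setUserPrincipal(authenticate);
                        register(request, response, authenticate, "FORM", name, ServiceProviderSAMLContext.EMPTY_PASSWORD);
                        return true;
                    }
                    // The chain produced another message (e.g. a response to send back): redirect with it.
                    String destinationQueryString2 = getDestinationQueryString(RedirectBindingUtil.deflateBase64URLEncode(DocumentUtil.getDocumentAsString(resultingDocument2).getBytes("UTF-8")), relayState2, process.getSendRequest());
                    RedirectBindingUtil.RedirectBindingUtilDestHolder redirectBindingUtilDestHolder2 = new RedirectBindingUtil.RedirectBindingUtilDestHolder();
                    redirectBindingUtilDestHolder2.setDestination(destination2).setDestinationQueryString(destinationQueryString2);
                    HTTPRedirectUtil.sendRedirectForRequestor(RedirectBindingUtil.getDestinationURL(redirectBindingUtilDestHolder2), response);
                } catch (Exception e6) {
                    if (this.trace) {
                        log.trace("Server Exception:", e6);
                    }
                    throw new IOException("Server Exception:" + e6.getLocalizedMessage());
                }
            } catch (Exception e7) {
                // Every failure in the response branch (including the IOException above) ends here
                // as a bare IOException, so no internal message reaches the client.
                log.error("Exception:", e7);
                throw new IOException();
            }
        }
        if (StringUtil.isNotNull(parameter2)) {
            try {
                boolean process3 = new ServiceProviderSAMLRequestProcessor(false, this.serviceURL).process(parameter2, hTTPContext, handlers, this.chainLock);
                if (process3) {
                    return process3;
                }
            } catch (Exception e8) {
                if (this.trace) {
                    log.trace("Server Exception:", e8);
                }
                throw new IOException("Server Exception");
            }
        }
        return super.authenticate(request, response, loginConfig);
    }

    /**
     * Builds the full redirect URL carrying a freshly created AuthnRequest for the IDP.
     *
     * @param str      relay state to append to the query string (may be null)
     * @param response unused here; kept for subclass compatibility
     * @return the destination URL (taken from the AuthnRequest's own Destination) with the
     *         deflated/base64/URL-encoded request and relay state as query parameters
     * @throws ServletException when {@code serviceURL} has not been configured
     */
    protected String createSAMLRequestMessage(String str, Response response) throws ServletException, ConfigurationException, SAXException, JAXBException, IOException {
        if (this.serviceURL == null) {
            throw new ServletException("serviceURL is not configured");
        }
        SAML2Request sAML2Request = new SAML2Request();
        AuthnRequestType createSAMLRequest = new SPUtil().createSAMLRequest(this.serviceURL, this.identityURL);
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        sAML2Request.marshall(createSAMLRequest, byteArrayOutputStream);
        String deflateBase64URLEncode = RedirectBindingUtil.deflateBase64URLEncode(byteArrayOutputStream.toByteArray());
        String destination = createSAMLRequest.getDestination();
        // true: this is a SAMLRequest (not a SAMLResponse) query parameter.
        String destinationQueryString = getDestinationQueryString(deflateBase64URLEncode, str, true);
        RedirectBindingUtil.RedirectBindingUtilDestHolder redirectBindingUtilDestHolder = new RedirectBindingUtil.RedirectBindingUtilDestHolder();
        redirectBindingUtilDestHolder.setDestinationQueryString(destinationQueryString).setDestination(destination);
        return RedirectBindingUtil.getDestinationURL(redirectBindingUtilDestHolder);
    }

    /**
     * Hook for the query string built for a redirect; delegates to {@link RedirectBindingUtil}.
     *
     * @param str  encoded SAML message
     * @param str2 relay state (may be null)
     * @param z    {@code true} for a SAMLRequest, {@code false} for a SAMLResponse
     */
    protected String getDestinationQueryString(String str, String str2, boolean z) {
        return RedirectBindingUtil.getDestinationQueryString(str, str2, z);
    }

    /**
     * Checks that the issuer of an inbound SAML message belongs to one of the domains listed in
     * the SP configuration's {@code Trust/Domains} element (comma separated).
     * <p>
     * A domain is trusted only when it is exactly a configured entry, or a sub-domain of one
     * ({@code idp.example.com} matches the entry {@code example.com}). Matching is anchored at a
     * label boundary: the previous implementation accepted any issuer whose domain merely
     * <em>contained</em> an entry as a substring (or was itself a substring of the configured
     * list), so e.g. {@code evil-example.com} or {@code example.com.attacker.net} passed for the
     * entry {@code example.com}. An empty or missing issuer domain is rejected.
     * <p>
     * Assumes {@link ValveUtil#getDomain} returns the issuer's host name -- verify if the
     * configured entries are something other than DNS names. Comparison is case-sensitive, as before.
     * <p>
     * NOTE(review): when no {@code Trust} element is configured at all the method still returns
     * without error, i.e. every issuer is accepted. That matches the original behaviour and is kept
     * for compatibility, but deployments should always configure trusted domains.
     *
     * @param str the issuer value from the message
     * @throws IssuerNotTrustedException when the issuer's domain is not trusted, or when the
     *                                   domain cannot be determined
     */
    protected void isTrusted(String str) throws IssuerNotTrustedException {
        try {
            String domain = ValveUtil.getDomain(str);
            TrustType trust = this.spConfiguration.getTrust();
            if (trust == null) {
                return;
            }
            String domains = trust.getDomains();
            if (this.trace) {
                log.trace("Domains that SP trusts=" + domains + " and issuer domain=" + domain);
            }
            if (domain == null || domain.length() == 0 || domains == null) {
                throw new IssuerNotTrustedException(str);
            }
            StringTokenizer stringTokenizer = new StringTokenizer(domains, ",");
            while (stringTokenizer.hasMoreTokens()) {
                String nextToken = stringTokenizer.nextToken().trim();
                if (nextToken.length() == 0) {
                    continue;
                }
                if (this.trace) {
                    log.trace("Matching uri bit=" + nextToken);
                }
                // Exact match, or the issuer is a sub-domain of the configured entry.
                if (domain.equals(nextToken) || domain.endsWith("." + nextToken)) {
                    if (this.trace) {
                        log.trace("Matched " + nextToken + " trust for " + domain);
                    }
                    return;
                }
            }
            throw new IssuerNotTrustedException(str);
        } catch (IssuerNotTrustedException e) {
            throw e;
        } catch (Exception e) {
            throw new IssuerNotTrustedException(e.getLocalizedMessage(), e);
        }
    }

    /**
     * Injects the SP configuration into a processor before it is run.
     * (Access widened by the decompiler; treat as protected.)
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void initializeSAMLProcessor(ServiceProviderBaseProcessor serviceProviderBaseProcessor) {
        serviceProviderBaseProcessor.setConfiguration(this.spConfiguration);
    }

    /**
     * Encrypted assertions are not supported by this authenticator.
     *
     * @throws RuntimeException always
     */
    protected ResponseType decryptAssertion(ResponseType responseType) throws IOException, GeneralSecurityException, ConfigurationException, ParsingException {
        throw new RuntimeException("This authenticator does not handle encryption");
    }
}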
