package org.picketlink.identity.federation.web.handlers.saml2;

import java.io.StringWriter;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpSession;
import javax.xml.bind.JAXBElement;
import javax.xml.bind.JAXBException;
import org.apache.log4j.Logger;
import org.picketlink.identity.federation.api.saml.v2.request.SAML2Request;
import org.picketlink.identity.federation.api.saml.v2.response.SAML2Response;
import org.picketlink.identity.federation.core.exceptions.ConfigurationException;
import org.picketlink.identity.federation.core.exceptions.ProcessingException;
import org.picketlink.identity.federation.core.saml.v2.common.IDGenerator;
import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
import org.picketlink.identity.federation.core.saml.v2.exceptions.IssueInstantMissingException;
import org.picketlink.identity.federation.core.saml.v2.holders.IDPInfoHolder;
import org.picketlink.identity.federation.core.saml.v2.holders.IssuerInfoHolder;
import org.picketlink.identity.federation.core.saml.v2.holders.SPInfoHolder;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
import org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil;
import org.picketlink.identity.federation.core.saml.v2.util.StatementUtil;
import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
import org.picketlink.identity.federation.saml.v2.assertion.AttributeType;
import org.picketlink.identity.federation.saml.v2.assertion.EncryptedElementType;
import org.picketlink.identity.federation.saml.v2.assertion.NameIDType;
import org.picketlink.identity.federation.saml.v2.protocol.AuthnRequestType;
import org.picketlink.identity.federation.saml.v2.protocol.ResponseType;
import org.picketlink.identity.federation.saml.v2.protocol.StatusType;
import org.picketlink.identity.federation.web.constants.GeneralConstants;
import org.picketlink.identity.federation.web.core.HTTPContext;
import org.picketlink.identity.federation.web.core.IdentityServer;
import org.picketlink.identity.federation.web.interfaces.IRoleValidator;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/* loaded from: input_file:WEB-INF/lib/picketlink-web-1.0.0.jar:org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.class */
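/**
 * Handler for the SAML2 authentication exchange, usable on either side of the federation.
 * <p>
 * Acting as an IDP ({@code HANDLER_TYPE.IDP}) it answers an incoming {@link AuthnRequestType}
 * with a {@link ResponseType} that carries a single assertion for the principal found in the
 * HTTP session (falling back to the servlet request's user principal), an attribute statement
 * built from the roles stored in the session and, optionally, a second attribute statement
 * built from the {@code ATTRIBUTES} handler option.
 * <p>
 * Acting as an SP it generates the {@code AuthnRequest} and, on the return leg, reads the
 * subject NameID and the role attributes out of the <em>first</em> assertion of the IDP's
 * response, runs the configured {@link IRoleValidator} (unless {@code ROLE_VALIDATOR_IGNORE}
 * is set) and stores the resulting {@link Principal} in the existing HTTP session.
 * <p>
 * Security notes for deployers:
 * <ul>
 * <li>Nothing in this handler verifies an XML signature, the assertion audience or the
 *     {@code InResponseTo} of the response; only {@link AssertionUtil#hasExpired} is consulted.
 *     Any trust in the response must be established by other handlers placed earlier in the
 *     chain. Do not deploy this handler on its own.</li>
 * <li>On the IDP side the response destination is taken verbatim from the request's
 *     {@code AssertionConsumerServiceURL}. Unless another handler checks that value against
 *     the SP's registered endpoints, a crafted AuthnRequest can have the assertion delivered
 *     to an attacker-chosen URL.</li>
 * <li>Encrypted assertions and non-{@link AttributeType} attribute entries are rejected.</li>
 * <li>At TRACE level the complete response (subject, roles, attributes) is written to the
 *     log; keep TRACE disabled in production.</li>
 * </ul>
 */
public class SAML2AuthenticationHandler extends BaseSAML2Handler {
    private static final Logger log = Logger.getLogger(SAML2AuthenticationHandler.class);
    /** TRACE flag sampled once when the handler is constructed. */
    private boolean trace = log.isTraceEnabled();
    private IDPAuthenticationHandler idp = new IDPAuthenticationHandler();
    private SPAuthenticationHandler sp = new SPAuthenticationHandler();

    /** IDP-side logic: turns an AuthnRequest into a SAML response for the current principal. */
    private class IDPAuthenticationHandler {
        private IDPAuthenticationHandler() {
        }

        /** An IDP does not originate authentication requests; nothing to do. */
        public void generateSAMLRequest(SAML2HandlerRequest sAML2HandlerRequest, SAML2HandlerResponse sAML2HandlerResponse) throws ProcessingException {
        }

        /** An IDP does not consume authentication responses; nothing to do. */
        public void handleStatusResponseType(SAML2HandlerRequest sAML2HandlerRequest, SAML2HandlerResponse sAML2HandlerResponse) throws ProcessingException {
        }

        /**
         * Builds the SAML response for an AuthnRequest and points the handler response at the
         * requested AssertionConsumerServiceURL.
         * <p>
         * The principal is read from the session attribute {@code PRINCIPAL_ID}, falling back to
         * the servlet request's user principal; roles come from the session attribute
         * {@code ROLES_ID}; extra attributes and the assertion validity come from the handler
         * options {@code ATTRIBUTES} and {@code ASSERTIONS_VALIDITY}. The ACS URL is also
         * registered against the session id on the {@link IdentityServer} stack.
         *
         * @throws ProcessingException with the generic message {@code "authentication issue"} on
         *         any failure; the real cause is written to the error log only, so that details
         *         of the IDP's state are not handed back to the caller.
         */
        public void handleRequestType(SAML2HandlerRequest sAML2HandlerRequest, SAML2HandlerResponse sAML2HandlerResponse) throws ProcessingException {
            HTTPContext httpContext = (HTTPContext) sAML2HandlerRequest.getContext();
            ServletContext servletContext = httpContext.getServletContext();
            AuthnRequestType authnRequest = sAML2HandlerRequest.getSAML2Object();
            HttpSession session = BaseSAML2Handler.getHttpSession(sAML2HandlerRequest);
            Principal principal = (Principal) session.getAttribute(GeneralConstants.PRINCIPAL_ID);
            if (principal == null) {
                principal = httpContext.getRequest().getUserPrincipal();
            }
            List<String> roles = (List) session.getAttribute(GeneralConstants.ROLES_ID);
            try {
                // Fail closed: without an authenticated principal there is nobody to assert about.
                if (principal == null) {
                    throw new ProcessingException("No authenticated principal available to build an assertion for");
                }
                Map<String, Object> attributes = (Map) sAML2HandlerRequest.getOptions().get(GeneralConstants.ATTRIBUTES);
                long validity = ((Long) sAML2HandlerRequest.getOptions().get(GeneralConstants.ASSERTIONS_VALIDITY)).longValue();
                // Taken verbatim from the (unauthenticated) AuthnRequest. Validation against the SP's
                // registered ACS endpoints is NOT done here; see the class documentation.
                String acsUrl = authnRequest.getAssertionConsumerServiceURL();
                if (acsUrl == null || acsUrl.length() == 0) {
                    throw new ProcessingException("AuthnRequest carries no AssertionConsumerServiceURL");
                }
                Document response = getResponse(acsUrl, principal, roles, sAML2HandlerRequest.getIssuer().getValue(), attributes, validity);
                IdentityServer identityServer = (IdentityServer) servletContext.getAttribute(GeneralConstants.IDENTITY_SERVER);
                if (identityServer == null) {
                    throw new ProcessingException("IdentityServer not found in the servlet context");
                }
                identityServer.stack().register(session.getId(), acsUrl);
                sAML2HandlerResponse.setDestination(acsUrl);
                sAML2HandlerResponse.setResultingDocument(response);
            } catch (Exception e) {
                // Log the real cause; the caller only gets the generic message.
                SAML2AuthenticationHandler.log.error("Exception in processing authentication:", e);
                throw new ProcessingException("authentication issue");
            }
        }

        /**
         * Creates the SAML response document for one principal.
         *
         * @param acsUrl     response destination (the SP's AssertionConsumerServiceURL)
         * @param principal  the authenticated user; its name becomes the persistent-format NameID
         * @param roles      role names placed in the first AttributeStatement
         * @param issuer     value of the response's Issuer element
         * @param attributes optional extra attributes; when non-null they form a second
         *                   AttributeStatement
         * @param validity   assertion validity handed to {@link SAML2Response#createTimedConditions}
         * @return the response converted to a DOM document, never null
         * @throws ProcessingException if the response cannot be converted to a DOM document
         *         (previously this was logged at TRACE only and a null document was returned)
         */
        public Document getResponse(String acsUrl, Principal principal, List<String> roles, String issuer, Map<String, Object> attributes, long validity) throws ConfigurationException, IssueInstantMissingException, ProcessingException {
            if (SAML2AuthenticationHandler.this.trace) {
                SAML2AuthenticationHandler.log.trace("AssertionConsumerURL=" + acsUrl + "::assertion validity=" + validity);
            }
            SAML2Response saml2Response = new SAML2Response();
            String responseId = IDGenerator.create("ID_");
            IssuerInfoHolder issuerInfo = new IssuerInfoHolder(issuer);
            issuerInfo.setStatusCode(JBossSAMLURIConstants.STATUS_SUCCESS.get());
            IDPInfoHolder idpInfo = new IDPInfoHolder();
            idpInfo.setNameIDFormatValue(principal.getName());
            idpInfo.setNameIDFormat(JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get());
            SPInfoHolder spInfo = new SPInfoHolder();
            spInfo.setResponseDestinationURI(acsUrl);
            ResponseType responseType = saml2Response.createResponseType(responseId, spInfo, idpInfo, issuerInfo);
            AssertionType assertion = (AssertionType) responseType.getAssertionOrEncryptedAssertion().get(0);
            assertion.getStatementOrAuthnStatementOrAuthzDecisionStatement().add(StatementUtil.createAttributeStatement(roles));
            saml2Response.createTimedConditions(assertion, validity);
            if (attributes != null) {
                assertion.getStatementOrAuthnStatementOrAuthzDecisionStatement().add(StatementUtil.createAttributeStatement(attributes));
            }
            if (SAML2AuthenticationHandler.log.isTraceEnabled()) {
                // WARNING: writes the whole response, including subject and attributes, to the log.
                StringWriter writer = new StringWriter();
                try {
                    saml2Response.marshall(responseType, writer);
                } catch (JAXBException e) {
                    SAML2AuthenticationHandler.log.trace(e);
                } catch (SAXException e) {
                    SAML2AuthenticationHandler.log.trace(e);
                }
                SAML2AuthenticationHandler.log.trace("Response=" + writer.toString());
            }
            try {
                return saml2Response.convert(responseType);
            } catch (Exception e) {
                SAML2AuthenticationHandler.log.error("Unable to convert the SAML response to a DOM document", e);
                throw new ProcessingException(e);
            }
        }
    }

    /** SP-side logic: issues the AuthnRequest and consumes the IDP's response. */
    private class SPAuthenticationHandler {
        private SPAuthenticationHandler() {
        }

        /**
         * Creates an AuthnRequest whose issuer and provider name are this SP's issuer value and
         * whose destination is the one already set on the handler response, then marks the
         * response as a request to be sent.
         *
         * @throws ProcessingException wrapping any failure of request creation or conversion
         */
        public void generateSAMLRequest(SAML2HandlerRequest sAML2HandlerRequest, SAML2HandlerResponse sAML2HandlerResponse) throws ProcessingException {
            String issuer = sAML2HandlerRequest.getIssuer().getValue();
            SAML2Request saml2Request = new SAML2Request();
            try {
                String requestId = IDGenerator.create("ID_");
                String destination = sAML2HandlerResponse.getDestination();
                sAML2HandlerResponse.setResultingDocument(saml2Request.convert(saml2Request.createAuthnRequestType(requestId, issuer, destination, issuer)));
                sAML2HandlerResponse.setSendRequest(true);
            } catch (Exception e) {
                throw new ProcessingException(e);
            }
        }

        /**
         * Consumes the IDP's response: derives the principal via {@link #handleSAMLResponse}
         * and stores it under {@code PRINCIPAL_ID} in the existing HTTP session, or sets a 403
         * on the handler response when no principal could be determined.
         *
         * @throws IllegalStateException if the response holds no assertion
         * @throws ProcessingException   if the assertion is encrypted (unsupported), malformed,
         *                               expired, or no HTTP session exists to hold the principal
         */
        public void handleStatusResponseType(SAML2HandlerRequest sAML2HandlerRequest, SAML2HandlerResponse sAML2HandlerResponse) throws ProcessingException {
            HTTPContext httpContext = (HTTPContext) sAML2HandlerRequest.getContext();
            ResponseType responseType = (ResponseType) sAML2HandlerRequest.getSAML2Object();
            List assertions = responseType.getAssertionOrEncryptedAssertion();
            if (assertions.size() == 0) {
                throw new IllegalStateException("No assertions in reply from IDP");
            }
            if (assertions.get(0) instanceof EncryptedElementType) {
                responseType = decryptAssertion(responseType);
            }
            Principal principal = handleSAMLResponse(responseType, sAML2HandlerResponse);
            if (principal == null) {
                sAML2HandlerResponse.setError(403, "User Principal not determined: Forbidden");
                return;
            }
            // getSession(false) never creates a session; without one there is nowhere to keep
            // the principal, so fail the login instead of dereferencing null.
            HttpSession session = httpContext.getRequest().getSession(false);
            if (session == null) {
                throw new ProcessingException("No HTTP session available to store the authenticated principal");
            }
            session.setAttribute(GeneralConstants.PRINCIPAL_ID, principal);
        }

        /** An SP does not answer AuthnRequests; nothing to do. */
        public void handleRequestType(SAML2HandlerRequest sAML2HandlerRequest, SAML2HandlerResponse sAML2HandlerResponse) throws ProcessingException {
        }

        /**
         * Encrypted assertions are not supported by this handler.
         *
         * @throws ProcessingException always
         */
        private ResponseType decryptAssertion(ResponseType responseType) throws ProcessingException {
            throw new ProcessingException("This authenticator does not handle encryption");
        }

        /**
         * Turns the IDP's response into a {@link Principal}.
         * <p>
         * Requires a success status, a non-empty assertion list and a non-expired first
         * assertion. The subject name is the first NameID of that assertion; roles are the
         * first value of every attribute in its first AttributeStatement and are published via
         * {@link SAML2HandlerResponse#setRoles}. Unless {@code ROLE_VALIDATOR_IGNORE} is
         * configured, the {@code ROLE_VALIDATOR} must be present and accept the roles.
         * No signature, audience or InResponseTo check is performed here.
         *
         * @return the principal, or null when the role validator rejected the user
         * @throws IllegalArgumentException if the response or its status is null
         * @throws SecurityException        if the status is missing or not success
         * @throws IllegalStateException    if the response holds no assertion
         * @throws ProcessingException      if the assertion is expired or malformed, or the role
         *                                  validator is required but not configured
         */
        private Principal handleSAMLResponse(ResponseType responseType, SAML2HandlerResponse sAML2HandlerResponse) throws ProcessingException {
            if (responseType == null) {
                throw new IllegalArgumentException("response type is null");
            }
            StatusType status = responseType.getStatus();
            if (status == null) {
                throw new IllegalArgumentException("Status Type from the IDP is null");
            }
            // A missing status code is treated like a non-success code rather than an NPE.
            if (status.getStatusCode() == null
                    || !JBossSAMLURIConstants.STATUS_SUCCESS.get().equals(status.getStatusCode().getValue())) {
                throw new SecurityException("IDP forbid the user");
            }
            List assertions = responseType.getAssertionOrEncryptedAssertion();
            if (assertions.size() == 0) {
                throw new IllegalStateException("No assertions in reply from IDP");
            }
            // Only the first assertion is examined; any further assertions are ignored.
            AssertionType assertion = (AssertionType) assertions.get(0);
            try {
                if (AssertionUtil.hasExpired(assertion)) {
                    throw new ProcessingException("Assertion has expired");
                }
                final String subjectName = extractSubjectName(assertion);
                List<String> roles = extractRoles(assertion);
                sAML2HandlerResponse.setRoles(roles);
                Principal principal = new Principal() {
                    @Override
                    public String getName() {
                        return subjectName;
                    }
                };
                if (SAML2AuthenticationHandler.this.handlerChainConfig.getParameter(GeneralConstants.ROLE_VALIDATOR_IGNORE) == null) {
                    IRoleValidator validator = (IRoleValidator) SAML2AuthenticationHandler.this.handlerChainConfig.getParameter(GeneralConstants.ROLE_VALIDATOR);
                    if (validator == null) {
                        throw new ProcessingException("Role Validator not provided");
                    }
                    if (!validator.userInRole(principal, roles)) {
                        if (SAML2AuthenticationHandler.this.trace) {
                            SAML2AuthenticationHandler.log.trace("Invalid role:" + roles);
                        }
                        return null;
                    }
                }
                return principal;
            } catch (ConfigurationException e) {
                throw new ProcessingException(e);
            }
        }

        /**
         * Reads the subject name from the first NameID in the assertion's subject.
         *
         * @throws ProcessingException if the subject is absent, does not start with a NameID,
         *                             or the NameID is empty
         */
        private String extractSubjectName(AssertionType assertion) throws ProcessingException {
            if (assertion.getSubject() == null || assertion.getSubject().getContent().isEmpty()) {
                throw new ProcessingException("Assertion has no subject");
            }
            Object element = assertion.getSubject().getContent().get(0);
            Object value = element instanceof JAXBElement ? ((JAXBElement) element).getValue() : element;
            if (!(value instanceof NameIDType)) {
                throw new ProcessingException("Assertion subject does not start with a NameID");
            }
            String name = ((NameIDType) value).getValue();
            if (name == null || name.length() == 0) {
                throw new ProcessingException("Assertion subject NameID is empty");
            }
            return name;
        }

        /**
         * Collects roles from the assertion's first statement, which must be an
         * AttributeStatement: the first value of every attribute, regardless of attribute
         * name, is taken as a role (further values are ignored).
         *
         * @throws ProcessingException if the first statement is not an AttributeStatement, an
         *                             attribute entry is not a plain {@link AttributeType}, or an
         *                             attribute has no string value
         */
        private List<String> extractRoles(AssertionType assertion) throws ProcessingException {
            List statements = assertion.getStatementOrAuthnStatementOrAuthzDecisionStatement();
            if (statements.isEmpty() || !(statements.get(0) instanceof AttributeStatementType)) {
                throw new ProcessingException("Assertion does not start with an AttributeStatement");
            }
            AttributeStatementType attributeStatement = (AttributeStatementType) statements.get(0);
            List<String> roles = new ArrayList<String>();
            for (Object entry : attributeStatement.getAttributeOrEncryptedAttribute()) {
                if (!(entry instanceof AttributeType)) {
                    throw new ProcessingException("Unsupported attribute entry in role statement (not an AttributeType)");
                }
                List values = ((AttributeType) entry).getAttributeValue();
                if (values.isEmpty()) {
                    throw new ProcessingException("Role attribute has no value");
                }
                Object first = values.get(0);
                if (!(first instanceof String)) {
                    throw new ProcessingException("Role attribute value is not a string");
                }
                roles.add((String) first);
            }
            return roles;
        }
    }

    /** Dispatches an AuthnRequest to the IDP or SP logic; other request types are ignored. */
    public void handleRequestType(SAML2HandlerRequest sAML2HandlerRequest, SAML2HandlerResponse sAML2HandlerResponse) throws ProcessingException {
        if (!(sAML2HandlerRequest.getSAML2Object() instanceof AuthnRequestType)) {
            return;
        }
        if (getType() == SAML2Handler.HANDLER_TYPE.IDP) {
            this.idp.handleRequestType(sAML2HandlerRequest, sAML2HandlerResponse);
        } else {
            this.sp.handleRequestType(sAML2HandlerRequest, sAML2HandlerResponse);
        }
    }

    /** Dispatches a Response to the IDP or SP logic; other response types are ignored. */
    @Override // org.picketlink.identity.federation.web.handlers.saml2.BaseSAML2Handler
    public void handleStatusResponseType(SAML2HandlerRequest sAML2HandlerRequest, SAML2HandlerResponse sAML2HandlerResponse) throws ProcessingException {
        if (!(sAML2HandlerRequest.getSAML2Object() instanceof ResponseType)) {
            return;
        }
        if (getType() == SAML2Handler.HANDLER_TYPE.IDP) {
            this.idp.handleStatusResponseType(sAML2HandlerRequest, sAML2HandlerResponse);
        } else {
            this.sp.handleStatusResponseType(sAML2HandlerRequest, sAML2HandlerResponse);
        }
    }

    /**
     * Generates an authentication request when {@code GENERATE_REQUEST_TYPE.AUTH} is asked for
     * and marks the handler response as a request to be sent; other request types are ignored.
     */
    @Override // org.picketlink.identity.federation.web.handlers.saml2.BaseSAML2Handler
    public void generateSAMLRequest(SAML2HandlerRequest sAML2HandlerRequest, SAML2HandlerResponse sAML2HandlerResponse) throws ProcessingException {
        if (SAML2HandlerRequest.GENERATE_REQUEST_TYPE.AUTH != sAML2HandlerRequest.getTypeOfRequestToBeGenerated()) {
            return;
        }
        if (getType() == SAML2Handler.HANDLER_TYPE.IDP) {
            this.idp.generateSAMLRequest(sAML2HandlerRequest, sAML2HandlerResponse);
        } else {
            this.sp.generateSAMLRequest(sAML2HandlerRequest, sAML2HandlerResponse);
        }
        sAML2HandlerResponse.setSendRequest(true);
    }
}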
