package org.keycloak.adapters.saml;

import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.regex.Pattern;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Context;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener;
import org.apache.catalina.authenticator.FormAuthenticator;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.jboss.logging.Logger;
import org.keycloak.adapters.saml.config.parsers.DeploymentBuilder;
import org.keycloak.adapters.saml.config.parsers.ResourceLoader;
import org.keycloak.adapters.spi.AuthChallenge;
import org.keycloak.adapters.spi.AuthOutcome;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.spi.InMemorySessionIdMapper;
import org.keycloak.adapters.spi.SessionIdMapper;
import org.keycloak.adapters.spi.SessionIdMapperUpdater;
import org.keycloak.adapters.tomcat.CatalinaHttpFacade;
import org.keycloak.adapters.tomcat.CatalinaUserSessionManagement;
import org.keycloak.adapters.tomcat.GenericPrincipalFactory;
import org.keycloak.saml.common.exceptions.ParsingException;

/* loaded from: input_file:org/keycloak/adapters/saml/AbstractSamlAuthenticatorValve.class */
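/**
 * Tomcat authenticator valve for the Keycloak SAML adapter.
 *
 * <p>On container start it builds a {@link SamlDeploymentContext} either from a
 * {@code SamlConfigResolver} class named in {@code web.xml} or from a static adapter
 * configuration (inline init parameter, configured file, or {@code /WEB-INF/keycloak-saml.xml}).
 * At request time it resolves the deployment for the request, routes requests whose path
 * (relative to the context) ends in {@code /saml} to the SAML endpoint, and otherwise hands
 * off to {@link FormAuthenticator}.
 *
 * <p>All class names consumed reflectively here ({@code keycloak.config.resolver} and
 * {@code keycloak.sessionIdMapperUpdater.classes}) come from the deployment descriptor and are
 * loaded through the web application's own class loader, so they carry the trust of the
 * deployed application, never of a request.
 */
public abstract class AbstractSamlAuthenticatorValve extends FormAuthenticator implements LifecycleListener {

    /** Request note under which the per-request {@link SamlSessionStore} is cached. */
    public static final String TOKEN_STORE_NOTE = "TOKEN_STORE_NOTE";

    /** Init parameter naming a {@code SamlConfigResolver} implementation (per-request configuration). */
    private static final String CONFIG_RESOLVER_PARAM = "keycloak.config.resolver";
    /** Init parameter carrying the adapter XML inline. */
    private static final String INLINE_CONFIG_PARAM = "org.keycloak.saml.xml.adapterConfig";
    /** Init parameter naming an adapter XML file on the local filesystem. */
    private static final String CONFIG_FILE_PARAM = "keycloak.config.file";
    /** Default location of the adapter XML inside the web application. */
    private static final String DEFAULT_CONFIG_RESOURCE = "/WEB-INF/keycloak-saml.xml";
    /** Init parameter listing comma-separated classes that contribute session-id-mapper updaters. */
    private static final String ID_MAPPER_UPDATER_CLASSES_PARAM = "keycloak.sessionIdMapperUpdater.classes";
    /** Name of the {@code public static} hook looked up on every updater class. */
    private static final String ADD_TOKEN_STORE_UPDATERS_METHOD = "addTokenStoreUpdaters";
    /** Request-URI suffix (relative to the context path) that is served by the SAML endpoint. */
    private static final String SAML_ENDPOINT_SUFFIX = "/saml";

    /** Deployment resolution strategy; set once in {@link #keycloakInit()}. */
    protected SamlDeploymentContext deploymentContext;

    private static final Logger log = Logger.getLogger(AbstractSamlAuthenticatorValve.class);

    /** Matches a URI scheme prefix; distinguishes absolute logout URLs from context-relative paths. */
    private static final Pattern PROTOCOL_PATTERN = Pattern.compile("^[a-zA-Z][a-zA-Z0-9+.-]*:");

    protected CatalinaUserSessionManagement userSessionManagement = new CatalinaUserSessionManagement();
    protected SessionIdMapper mapper = new InMemorySessionIdMapper();
    protected SessionIdMapperUpdater idMapperUpdater = SessionIdMapperUpdater.DIRECT;

    /**
     * Reacts to container lifecycle events: clears the inherited {@code cache} flag on
     * {@code start}, initialises the adapter on {@code after_start} and calls
     * {@link #beforeStop()} on {@code before_stop}. Other event types are ignored.
     *
     * @param lifecycleEvent the event fired by the container
     */
    @Override
    public void lifecycleEvent(LifecycleEvent lifecycleEvent) {
        String type = lifecycleEvent.getType();
        if (type == null) {
            return; // no branch matches a null type
        }
        switch (type) {
            case "start":
                // Inherited AuthenticatorBase flag; the original code clears it on start.
                this.cache = false;
                break;
            case "after_start":
                keycloakInit();
                break;
            case "before_stop":
                beforeStop();
                break;
            default:
                break;
        }
    }

    /**
     * Logs the account out of the session store bound to this request and clears the
     * request's user principal.
     *
     * @param request the current request; no response is available at this point, so the
     *                facade is built with a {@code null} response
     */
    protected void logoutInternal(Request request) {
        CatalinaHttpFacade facade = new CatalinaHttpFacade((HttpServletResponse) null, request);
        SamlDeployment deployment = this.deploymentContext.resolveDeployment(facade);
        getSessionStore(request, facade, deployment).logoutAccount();
        request.setUserPrincipal((Principal) null);
    }

    /**
     * Builds the {@link SamlDeploymentContext} for this web application, publishes it as a
     * servlet-context attribute under {@code SamlDeploymentContext.class.getName()} and installs
     * the configured session-id-mapper updaters.
     *
     * <p>If anything goes wrong while loading a configured resolver, an unconfigured
     * {@link DefaultSamlDeployment} is installed, which denies all requests.
     */
    public void keycloakInit() {
        ServletContext servletContext = this.context.getServletContext();
        String resolverClassName = servletContext.getInitParameter(CONFIG_RESOLVER_PARAM);
        if (resolverClassName != null) {
            this.deploymentContext = loadResolverContext(resolverClassName);
        } else {
            this.deploymentContext = new SamlDeploymentContext(loadStaticDeployment());
            log.debug("Keycloak is using a per-deployment configuration.");
        }
        servletContext.setAttribute(SamlDeploymentContext.class.getName(), this.deploymentContext);
        addTokenStoreUpdaters();
    }

    /**
     * Instantiates the configured {@code SamlConfigResolver} through the web application's
     * class loader.
     *
     * @param resolverClassName fully qualified class name from the deployment descriptor
     * @return a context backed by the resolver, or an unconfigured fallback when loading fails
     */
    private SamlDeploymentContext loadResolverContext(String resolverClassName) {
        try {
            Class<?> resolverClass = this.context.getLoader().getClassLoader().loadClass(resolverClassName);
            // Class.newInstance() is deprecated; the constructor route reports failures the same way here.
            SamlConfigResolver resolver = (SamlConfigResolver) resolverClass.getDeclaredConstructor().newInstance();
            log.infov("Using {0} to resolve Keycloak configuration on a per-request basis.", resolverClassName);
            return new SamlDeploymentContext(resolver);
        } catch (Exception e) {
            // Log the full throwable so a misconfigured resolver is diagnosable, not just its message.
            log.errorv(e, "The specified resolver {0} could NOT be loaded. Keycloak is unconfigured and will deny all requests. Reason: {1}", resolverClassName, e.getMessage());
            return new SamlDeploymentContext(new DefaultSamlDeployment());
        }
    }

    /**
     * Parses the static adapter configuration located by {@link #getConfigInputStream(Context)}.
     *
     * @return the parsed deployment, or an unconfigured {@link DefaultSamlDeployment} when no
     *         configuration source exists
     * @throws RuntimeException wrapping the {@link ParsingException} when the XML is invalid
     */
    private SamlDeployment loadStaticDeployment() {
        InputStream configInputStream = getConfigInputStream(this.context);
        if (configInputStream == null) {
            log.error("No adapter configuration. Keycloak is unconfigured and will deny all requests.");
            return new DefaultSamlDeployment();
        }
        // Resolves resources (e.g. key stores) referenced by the adapter XML against the web application.
        ResourceLoader loader = new ResourceLoader() {
            @Override
            public InputStream getResourceAsStream(String str) {
                return AbstractSamlAuthenticatorValve.this.context.getServletContext().getResourceAsStream(str);
            }
        };
        try {
            return new DeploymentBuilder().build(configInputStream, loader);
        } catch (ParsingException e) {
            throw new RuntimeException((Throwable) e);
        } finally {
            // The stream may be a FileInputStream; closing it after parsing avoids a descriptor leak.
            closeQuietly(configInputStream);
        }
    }

    /**
     * Closes the stream, logging (at debug) rather than propagating a close failure because the
     * configuration has already been consumed at that point.
     *
     * @param in stream to close; must not be {@code null}
     */
    private static void closeQuietly(InputStream in) {
        try {
            in.close();
        } catch (IOException e) {
            log.debugv(e, "Could not close adapter configuration stream");
        }
    }

    /** Hook invoked on the container's {@code before_stop} event; no-op by default. */
    protected void beforeStop() {
    }

    /**
     * Returns the adapter XML supplied inline through the
     * {@code org.keycloak.saml.xml.adapterConfig} init parameter.
     *
     * @param servletContext context whose init parameters are consulted
     * @return a stream over the inline XML, or {@code null} when the parameter is absent
     */
    private static InputStream getConfigFromServletContext(ServletContext servletContext) {
        String inlineConfig = servletContext.getInitParameter(INLINE_CONFIG_PARAM);
        if (inlineConfig == null) {
            return null;
        }
        log.trace("**** using org.keycloak.saml.xml.adapterConfig");
        // Explicit charset: the platform default is not guaranteed to be UTF-8 on older JDKs.
        return new ByteArrayInputStream(inlineConfig.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Locates the static adapter configuration, in order of precedence: the inline init
     * parameter, the file named by {@code keycloak.config.file}, then
     * {@code /WEB-INF/keycloak-saml.xml}.
     *
     * @param context the web application context
     * @return a stream over the configuration, or {@code null} when none of the sources exists
     * @throws RuntimeException wrapping {@link FileNotFoundException} when the configured file is missing
     */
    private static InputStream getConfigInputStream(Context context) {
        ServletContext servletContext = context.getServletContext();
        InputStream inline = getConfigFromServletContext(servletContext);
        if (inline != null) {
            return inline;
        }
        String configFile = servletContext.getInitParameter(CONFIG_FILE_PARAM);
        if (configFile == null) {
            log.trace("**** using /WEB-INF/keycloak-saml.xml");
            return servletContext.getResourceAsStream(DEFAULT_CONFIG_RESOURCE);
        }
        try {
            // The path comes verbatim from the deployment descriptor, never from a request.
            return new FileInputStream(configFile);
        } catch (FileNotFoundException e) {
            log.errorv("NOT FOUND {0}", configFile);
            throw new RuntimeException(e);
        }
    }

    /**
     * Valve entry point. Requests whose path within the context ends in {@code /saml} are
     * handled by {@link CatalinaSamlEndpoint} when a configured deployment resolves; every
     * other request touches the session store and continues down the form-authenticator pipeline.
     *
     * @param request  the current request
     * @param response the current response
     * @throws IOException      propagated from the superclass
     * @throws ServletException propagated from the superclass
     */
    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        log.trace("*********************** SAML ************");
        CatalinaHttpFacade facade = new CatalinaHttpFacade(response, request);
        SamlDeployment deployment = this.deploymentContext.resolveDeployment(facade);
        if (isSamlEndpoint(request) && deployment != null && deployment.isConfigured()) {
            SamlSessionStore store = getSessionStore(request, facade, deployment);
            executeAuthenticator(request, response, facade, deployment, new CatalinaSamlEndpoint(facade, deployment, store));
        } else {
            // Return value deliberately unused; presumably invoked for the store's session
            // bookkeeping — confirm against CatalinaSamlSessionStore.isLoggedIn. Note that
            // deployment may be null on this path.
            getSessionStore(request, facade, deployment).isLoggedIn();
            super.invoke(request, response);
        }
    }

    /**
     * Tells whether the request path, with the context path stripped, ends in {@code /saml}.
     * Any such path under the context is routed to the SAML endpoint.
     *
     * @param request the current request
     * @return {@code true} for the SAML endpoint path
     */
    private static boolean isSamlEndpoint(Request request) {
        String pathWithinContext = request.getRequestURI().substring(request.getContextPath().length());
        return pathWithinContext.endsWith(SAML_ENDPOINT_SUFFIX);
    }

    /** Creates the factory used to build container principals for authenticated users. */
    protected abstract GenericPrincipalFactory createPrincipalFactory();

    /**
     * Forwards to the container's error page.
     *
     * @param request             the current request
     * @param httpServletResponse the current response
     * @param obj                 container-specific login configuration (type depends on the subclass)
     * @return whether the forward was performed
     * @throws IOException on I/O failure while forwarding
     */
    protected abstract boolean forwardToErrorPageInternal(Request request, HttpServletResponse httpServletResponse, Object obj) throws IOException;

    /**
     * Sends the user to the deployment's logout page: an absolute URL (one with a URI scheme)
     * is answered with a redirect, a context-relative path with an internal forward, and a
     * missing page with HTTP 404. The response is always marked non-cacheable first.
     *
     * @param request             the current request
     * @param httpServletResponse the current response
     * @param samlDeployment      deployment whose logout page is used
     * @throws RuntimeException wrapping any {@link IOException} or {@link ServletException}
     */
    protected void forwardToLogoutPage(Request request, HttpServletResponse httpServletResponse, SamlDeployment samlDeployment) {
        String logoutPage = samlDeployment.getLogoutPage();
        try {
            httpServletResponse.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
            httpServletResponse.setHeader("Pragma", "no-cache");
            httpServletResponse.setHeader("Expires", "0");
            if (logoutPage == null) {
                log.warn("Logout page not set.");
                httpServletResponse.sendError(404);
            } else if (PROTOCOL_PATTERN.matcher(logoutPage).find()) {
                // Target comes from the deployment configuration, not from the request.
                httpServletResponse.sendRedirect(httpServletResponse.encodeRedirectURL(logoutPage));
            } else {
                request.getRequestDispatcher(logoutPage).forward(request.getRequest(), httpServletResponse);
            }
        } catch (IOException | ServletException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Runs the SAML authenticator for a protected resource.
     *
     * @param request             the current request
     * @param httpServletResponse the current response
     * @param obj                 container-specific login configuration (unused here)
     * @return {@code true} when the request is authenticated and the response is still open
     * @throws IOException never thrown here; declared for subclasses
     */
    protected boolean authenticateInternal(Request request, HttpServletResponse httpServletResponse, Object obj) throws IOException {
        log.trace("authenticateInternal");
        CatalinaHttpFacade facade = new CatalinaHttpFacade(httpServletResponse, request);
        SamlDeployment deployment = this.deploymentContext.resolveDeployment(facade);
        if (deployment == null || !deployment.isConfigured()) {
            log.trace("deployment not configured");
            return false;
        }
        SamlSessionStore store = getSessionStore(request, facade, deployment);
        return executeAuthenticator(request, httpServletResponse, facade, deployment, new CatalinaSamlAuthenticator(facade, deployment, store));
    }

    /**
     * Drives one authentication round and maps its outcome onto the valve's contract.
     *
     * @param request             the current request
     * @param httpServletResponse the current response
     * @param catalinaHttpFacade  facade over the request/response pair
     * @param samlDeployment      the resolved deployment
     * @param samlAuthenticator   authenticator (or endpoint handler) to run
     * @return {@code true} only for {@link AuthOutcome#AUTHENTICATED} when the facade has not
     *         already ended the response; {@code false} otherwise (after logging out, or after
     *         emitting the authenticator's challenge when one is present)
     */
    protected boolean executeAuthenticator(Request request, HttpServletResponse httpServletResponse, CatalinaHttpFacade catalinaHttpFacade, SamlDeployment samlDeployment, SamlAuthenticator samlAuthenticator) {
        AuthOutcome outcome = samlAuthenticator.authenticate();
        switch (outcome) {
            case AUTHENTICATED:
                log.trace("AUTHENTICATED");
                return !catalinaHttpFacade.isEnded();
            case LOGGED_OUT:
                logoutInternal(request);
                if (samlDeployment.getLogoutPage() != null) {
                    forwardToLogoutPage(request, httpServletResponse, samlDeployment);
                }
                log.trace("Logging OUT");
                return false;
            default:
                AuthChallenge challenge = samlAuthenticator.getChallenge();
                if (challenge != null) {
                    log.trace("challenge");
                    challenge.challenge(catalinaHttpFacade);
                }
                return false;
        }
    }

    /**
     * Saves the current request in the session (creating one if needed) so it can be replayed
     * after authentication.
     *
     * @param request the request to save
     * @throws IOException if the request body cannot be buffered
     */
    public void keycloakSaveRequest(Request request) throws IOException {
        saveRequest(request, request.getSessionInternal(true));
    }

    /**
     * Restores a previously saved request from the existing session.
     *
     * @param request the current request; NOTE(review): {@code getSessionInternal()} does not
     *                create a session, so callers are expected to have one — confirm
     * @return whether a saved request was restored
     * @throws RuntimeException wrapping any {@link IOException}
     */
    public boolean keycloakRestoreRequest(Request request) {
        try {
            return restoreRequest(request, request.getSessionInternal());
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Returns the session store for this request, creating it on first use and caching it as a
     * request note under {@link #TOKEN_STORE_NOTE}.
     *
     * @param request        the current request
     * @param httpFacade     facade over the request
     * @param samlDeployment the resolved deployment (may be {@code null} on the non-SAML path)
     * @return the request's session store
     */
    protected SamlSessionStore getSessionStore(Request request, HttpFacade httpFacade, SamlDeployment samlDeployment) {
        SamlSessionStore cached = (SamlSessionStore) request.getNote(TOKEN_STORE_NOTE);
        if (cached != null) {
            return cached;
        }
        SamlSessionStore created = createSessionStore(request, httpFacade, samlDeployment);
        request.setNote(TOKEN_STORE_NOTE, created);
        return created;
    }

    /**
     * Factory for the per-request session store; subclasses may override.
     *
     * @param request        the current request
     * @param httpFacade     facade over the request
     * @param samlDeployment the resolved deployment
     * @return a new {@link CatalinaSamlSessionStore}
     */
    protected SamlSessionStore createSessionStore(Request request, HttpFacade httpFacade, SamlDeployment samlDeployment) {
        return new CatalinaSamlSessionStore(this.userSessionManagement, createPrincipalFactory(), this.mapper, this.idMapperUpdater, request, this, httpFacade, samlDeployment);
    }

    /**
     * Chains the session-id-mapper updaters listed in
     * {@code keycloak.sessionIdMapperUpdater.classes} onto the current updater. Whatever chain
     * has been built is installed even if a later class fails.
     */
    protected void addTokenStoreUpdaters() {
        SessionIdMapperUpdater updater = getIdMapperUpdater();
        try {
            String classes = this.context.getServletContext().getInitParameter(ID_MAPPER_UPDATER_CLASSES_PARAM);
            if (classes != null) {
                for (String className : classes.split("\\s*,\\s*")) {
                    if (!className.isEmpty()) {
                        updater = invokeAddTokenStoreUpdaterMethod(className, updater);
                    }
                }
            }
        } finally {
            setIdMapperUpdater(updater);
        }
    }

    /**
     * Loads {@code className} through the web application's class loader and invokes its
     * {@code public static SessionIdMapperUpdater addTokenStoreUpdaters(Context, SessionIdMapper,
     * SessionIdMapperUpdater)} hook. A class that cannot be loaded, lacks the hook, or whose hook
     * is not public static with a compatible return type is skipped with a log entry.
     *
     * @param className              class to inspect
     * @param sessionIdMapperUpdater current head of the updater chain
     * @return the hook's result, or {@code sessionIdMapperUpdater} unchanged when the class is skipped
     */
    private SessionIdMapperUpdater invokeAddTokenStoreUpdaterMethod(String className, SessionIdMapperUpdater sessionIdMapperUpdater) {
        try {
            Class<?> updaterClass = this.context.getLoader().getClassLoader().loadClass(className);
            Method method = updaterClass.getMethod(ADD_TOKEN_STORE_UPDATERS_METHOD, Context.class, SessionIdMapper.class, SessionIdMapperUpdater.class);
            int modifiers = method.getModifiers();
            boolean usable = Modifier.isStatic(modifiers)
                    && Modifier.isPublic(modifiers)
                    && SessionIdMapperUpdater.class.isAssignableFrom(method.getReturnType());
            if (!usable) {
                log.errorv("addTokenStoreUpdaters method in class {0} has to be public static. Ignoring class.", className);
                return sessionIdMapperUpdater;
            }
            log.debugv("Initializing sessionIdMapperUpdater class {0}", className);
            return (SessionIdMapperUpdater) method.invoke(null, this.context, this.mapper, sessionIdMapperUpdater);
        } catch (ClassNotFoundException | NoSuchMethodException | SecurityException e) {
            log.warnv(e, "Cannot use sessionIdMapperUpdater class {0}", className);
            return sessionIdMapperUpdater;
        } catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException e) {
            log.warnv(e, "Cannot use {0}.addTokenStoreUpdaters(DeploymentInfo, SessionIdMapper) method", className);
            return sessionIdMapperUpdater;
        }
    }

    /** @return the head of the session-id-mapper updater chain */
    public SessionIdMapperUpdater getIdMapperUpdater() {
        return this.idMapperUpdater;
    }

    /** @param sessionIdMapperUpdater new head of the session-id-mapper updater chain */
    public void setIdMapperUpdater(SessionIdMapperUpdater sessionIdMapperUpdater) {
        this.idMapperUpdater = sessionIdMapperUpdater;
    }
}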
