package org.picketlink.identity.seam.federation;

import java.io.IOException;
import java.util.LinkedList;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.bind.JAXBElement;
import javax.xml.datatype.DatatypeConstants;
import javax.xml.datatype.XMLGregorianCalendar;
import org.jboss.seam.annotations.AutoCreate;
import org.jboss.seam.annotations.Import;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.log.Log;
import org.jboss.seam.security.Identity;
import org.picketlink.identity.federation.core.exceptions.ConfigurationException;
import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
import org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil;
import org.picketlink.identity.federation.core.saml.v2.util.XMLTimeUtil;
import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
import org.picketlink.identity.federation.saml.v2.assertion.AttributeType;
import org.picketlink.identity.federation.saml.v2.assertion.AuthnStatementType;
import org.picketlink.identity.federation.saml.v2.assertion.NameIDType;
import org.picketlink.identity.federation.saml.v2.assertion.StatementAbstractType;
import org.picketlink.identity.federation.saml.v2.assertion.SubjectConfirmationDataType;
import org.picketlink.identity.federation.saml.v2.assertion.SubjectConfirmationType;
import org.picketlink.identity.federation.saml.v2.protocol.ResponseType;
import org.picketlink.identity.federation.saml.v2.protocol.StatusResponseType;
import org.picketlink.identity.federation.saml.v2.protocol.StatusType;
import org.picketlink.identity.seam.federation.configuration.SamlIdentityProvider;
import org.picketlink.identity.seam.federation.configuration.ServiceProvider;

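/**
 * Receives the SAML 2.0 {@code Response} an identity provider sends back to the
 * service provider's assertion consumer service and, when it carries an
 * acceptable bearer assertion, logs the corresponding user in.
 *
 * <p>Processing order: status check, assertion extraction, per-assertion
 * validation (expiry, authn statement, bearer subject confirmation), then
 * authentication through {@link InternalAuthenticator} and a redirect to the
 * originally requested resource.
 *
 * <p>NOTE(review): nothing in this class verifies the XML signature of the
 * response or its assertions, encrypted assertions are skipped rather than
 * decrypted, and assertion IDs are not recorded, so a replay within the
 * assertion's validity window is not detected here. Signature verification
 * (and replay protection, if any) must therefore happen before
 * {@link #processIDPResponse} is called — confirm in the caller.
 *
 * <p>Decompiled from picketlink-seam-1.0.3.CR4.jar
 * (org/picketlink/identity/seam/federation/SamlSingleSignOnReceiver.class).
 */
@Import({"org.picketlink.identity.seam.federation"})
@Name("org.picketlink.identity.seam.federation.samlSingleSignOnReceiver")
@AutoCreate
public class SamlSingleSignOnReceiver {

    /** The only subject confirmation method this receiver accepts (Web Browser SSO profile). */
    private static final String BEARER_CONFIRMATION_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer";

    /** Request parameter the IDP echoes back alongside the response. */
    private static final String RELAY_STATE_PARAMETER = "RelayState";

    @Logger
    private Log log;

    /** Registry of outstanding authentication requests; used to resume the original navigation. */
    @In
    private Requests requests;

    @In
    private Identity identity;

    @In
    private InternalAuthenticator internalAuthenticator;

    /** Service-provider configuration: service URLs and the failure / unsolicited landing pages. */
    @In
    private ServiceProvider serviceProvider;

    /**
     * Processes the response the identity provider returned for a single sign-on attempt.
     *
     * <p>The response must report {@code Success}, be an actual {@code ResponseType} and carry at
     * least one assertion. The first assertion that passes {@link #handleAssertion} identifies the
     * user; when none does, the browser is sent to the configured failed-authentication URL.
     *
     * @param httpServletRequest   the request carrying the IDP response
     * @param httpServletResponse  response used for the final redirect
     * @param statusResponseType   the parsed SAML response
     * @param requestContext       the originating authentication request, or {@code null} for an
     *                             unsolicited (IDP-initiated) response
     * @param samlIdentityProvider the IDP the response came from; recorded on the principal
     * @throws InvalidRequestException if the response has no status / status code or is not a
     *                                 {@code ResponseType}
     * @throws RuntimeException        if the IDP reported a non-success status, the response carries
     *                                 no assertions, or the redirect fails with an {@link IOException}
     */
    public void processIDPResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, StatusResponseType statusResponseType, RequestContext requestContext, SamlIdentityProvider samlIdentityProvider) throws InvalidRequestException {
        StatusType status = statusResponseType.getStatus();
        if (status == null) {
            throw new InvalidRequestException("Response does not contain a status");
        }
        if (status.getStatusCode() == null) {
            throw new InvalidRequestException("Response status does not contain a status code");
        }
        String statusCode = status.getStatusCode().getValue();
        if (!JBossSAMLURIConstants.STATUS_SUCCESS.get().equals(statusCode)) {
            throw new RuntimeException("IDP returned status " + statusCode);
        }
        if (!(statusResponseType instanceof ResponseType)) {
            throw new InvalidRequestException("Response does not have type ResponseType");
        }
        ResponseType responseType = (ResponseType) statusResponseType;
        if (responseType.getAssertionOrEncryptedAssertion().isEmpty()) {
            throw new RuntimeException("IDP response does not contain assertions");
        }
        SeamSamlPrincipal principal = getAuthenticatedUser(responseType, requestContext);
        if (principal == null) {
            redirectToFailedAuthentication(httpServletResponse);
            return;
        }
        principal.setIdentityProvider(samlIdentityProvider);
        loginUser(httpServletRequest, httpServletResponse, principal, requestContext);
    }

    /**
     * Sends the browser to the configured failed-authentication URL.
     *
     * @throws RuntimeException wrapping the {@link IOException} if the redirect cannot be written
     */
    private void redirectToFailedAuthentication(HttpServletResponse httpServletResponse) {
        try {
            httpServletResponse.sendRedirect(serviceProvider.getFailedAuthenticationUrl());
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Returns the principal for the first assertion in the response that validates, or
     * {@code null} when no assertion does. Encrypted assertions are skipped with a warning;
     * further valid assertions after the first are ignored with a warning.
     */
    private SeamSamlPrincipal getAuthenticatedUser(ResponseType responseType, RequestContext requestContext) {
        SeamSamlPrincipal principal = null;
        for (Object candidate : responseType.getAssertionOrEncryptedAssertion()) {
            if (!(candidate instanceof AssertionType)) {
                log.warn("Encountered encrypted assertion. Skipping it because decryption is not yet supported.");
                continue;
            }
            SeamSamlPrincipal fromAssertion = handleAssertion((AssertionType) candidate, requestContext);
            if (fromAssertion == null) {
                // Rejected assertion; the reason has already been logged. Do not count it as a
                // second user, which the previous implementation did.
                continue;
            }
            if (principal == null) {
                principal = fromAssertion;
            } else {
                log.warn("Multiple authenticated users found in assertions. Using the first one.");
            }
        }
        return principal;
    }

    /**
     * Validates one assertion and turns it into a {@link SeamSamlPrincipal}.
     *
     * <p>The assertion is rejected (returns {@code null}, with a warning) when its conditions have
     * expired, when it has no {@code AuthnStatement}, or when its subject has no acceptable bearer
     * confirmation (see {@link #validateSubjectAndExtractNameID}).
     *
     * @throws RuntimeException wrapping a {@link ConfigurationException} from the PicketLink utilities
     */
    private SeamSamlPrincipal handleAssertion(AssertionType assertionType, RequestContext requestContext) {
        try {
            if (AssertionUtil.hasExpired(assertionType)) {
                log.warn("Received assertion not processed because it has expired.");
                return null;
            }
            AuthnStatementType authnStatement = extractValidAuthnStatement(assertionType);
            if (authnStatement == null) {
                log.warn("Received assertion not processed because it doesn't contain a valid authnStatement.");
                return null;
            }
            NameIDType nameId = validateSubjectAndExtractNameID(assertionType, requestContext);
            if (nameId == null) {
                log.warn("Received assertion not processed because it doesn't contain a valid subject.");
                return null;
            }
            SeamSamlPrincipal principal = new SeamSamlPrincipal();
            principal.setAssertion(assertionType);
            principal.setSessionIndex(authnStatement.getSessionIndex());
            principal.setNameId(nameId);
            List<AttributeType> attributes = extractAttributes(assertionType);
            if (attributes != null) {
                principal.setAttributes(attributes);
            }
            return principal;
        } catch (ConfigurationException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Collects the plain attributes of every {@code AttributeStatement} in the assertion.
     *
     * <p>Attributes from all statements are merged into one list (the previous implementation kept
     * only the last statement's attributes). Encrypted attributes are ignored with a warning.
     *
     * @return the merged attributes, or {@code null} when the assertion has no
     *         {@code AttributeStatement} at all
     */
    private List<AttributeType> extractAttributes(AssertionType assertionType) {
        List<AttributeType> attributes = null;
        for (StatementAbstractType statement : assertionType.getStatementOrAuthnStatementOrAuthzDecisionStatement()) {
            if (!(statement instanceof AttributeStatementType)) {
                continue;
            }
            if (attributes == null) {
                attributes = new LinkedList<AttributeType>();
            }
            for (Object attribute : ((AttributeStatementType) statement).getAttributeOrEncryptedAttribute()) {
                if (attribute instanceof AttributeType) {
                    attributes.add((AttributeType) attribute);
                } else {
                    log.warn("Encrypted attributes are not supported. Ignoring the attribute.");
                }
            }
        }
        return attributes;
    }

    /** Returns the assertion's first {@code AuthnStatement}, or {@code null} if it has none. */
    private AuthnStatementType extractValidAuthnStatement(AssertionType assertionType) {
        for (StatementAbstractType statement : assertionType.getStatementOrAuthnStatementOrAuthzDecisionStatement()) {
            if (statement instanceof AuthnStatementType) {
                return (AuthnStatementType) statement;
            }
        }
        return null;
    }

    /**
     * Checks that the assertion's subject carries at least one acceptable bearer confirmation and
     * returns the subject's {@code NameID}.
     *
     * @return the {@code NameID} (possibly {@code null} if the subject has none), or {@code null}
     *         when the subject is missing or no confirmation is acceptable
     */
    private NameIDType validateSubjectAndExtractNameID(AssertionType assertionType, RequestContext requestContext) {
        if (assertionType.getSubject() == null) {
            return null;
        }
        NameIDType nameId = null;
        boolean bearerConfirmed = false;
        for (JAXBElement<?> element : assertionType.getSubject().getContent()) {
            Object value = element.getValue();
            if (value instanceof NameIDType) {
                nameId = (NameIDType) value;
            } else if (value instanceof SubjectConfirmationType) {
                if (isAcceptableBearerConfirmation((SubjectConfirmationType) value, requestContext)) {
                    bearerConfirmed = true;
                }
            }
        }
        return bearerConfirmed ? nameId : null;
    }

    /**
     * Decides whether one {@code SubjectConfirmation} proves this service provider may accept the
     * assertion: the method must be {@code bearer}, {@code Recipient} must be this SP's assertion
     * consumer service URL, {@code NotOnOrAfter} must still be in the future, and
     * {@code InResponseTo} must match the originating request (solicited flow) or be absent
     * (unsolicited flow). Non-bearer confirmations are ignored silently; failed bearer checks
     * are logged.
     */
    private boolean isAcceptableBearerConfirmation(SubjectConfirmationType confirmation, RequestContext requestContext) {
        if (!BEARER_CONFIRMATION_METHOD.equals(confirmation.getMethod())) {
            return false;
        }
        SubjectConfirmationDataType data = confirmation.getSubjectConfirmationData();
        if (data == null || data.getRecipient() == null || data.getNotOnOrAfter() == null) {
            // The profile requires both attributes on a bearer confirmation; without them the
            // assertion cannot be bound to this SP, so it is rejected instead of failing with an NPE.
            log.warn("Bearer subject confirmation rejected because SubjectConfirmationData, Recipient or NotOnOrAfter is missing.");
            return false;
        }
        String expectedRecipient = serviceProvider.getServiceURL(ExternalAuthenticationService.SAML_ASSERTION_CONSUMER_SERVICE);
        boolean recipientMatches = data.getRecipient().equals(expectedRecipient);
        // NotOnOrAfter must be strictly later than now; an INDETERMINATE comparison counts as a failure.
        boolean notYetExpired = data.getNotOnOrAfter().compare(getCurrentTime()) == DatatypeConstants.GREATER;
        boolean inResponseToMatches;
        if (requestContext == null) {
            // Unsolicited flow: there is no request to match, so an assertion that does carry
            // InResponseTo was issued for some other request and is not accepted here. This is
            // stricter than simply skipping the check — confirm against the deployed IDPs.
            inResponseToMatches = data.getInResponseTo() == null;
        } else {
            inResponseToMatches = requestContext.getId() != null && requestContext.getId().equals(data.getInResponseTo());
        }
        if (!recipientMatches) {
            log.warn("Bearer subject confirmation rejected because Recipient does not match this service provider.");
        }
        if (!notYetExpired) {
            log.warn("Bearer subject confirmation rejected because NotOnOrAfter has passed.");
        }
        if (!inResponseToMatches) {
            log.warn("Bearer subject confirmation rejected because InResponseTo does not match the authentication request.");
        }
        return recipientMatches && notYetExpired && inResponseToMatches;
    }

    /**
     * Current time as an {@link XMLGregorianCalendar}, via PicketLink's issue-instant helper.
     *
     * @throws RuntimeException wrapping the {@link ConfigurationException} if the helper fails
     */
    private XMLGregorianCalendar getCurrentTime() {
        try {
            return XMLTimeUtil.getIssueInstant();
        } catch (ConfigurationException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Authenticates the validated principal and redirects the browser: to the failed-authentication
     * URL if {@link InternalAuthenticator#authenticate} returns {@code false}, to the RelayState /
     * unsolicited landing page for IDP-initiated logins, or back to the original request otherwise.
     *
     * @throws RuntimeException if a user is already logged in, or wrapping an {@link IOException}
     *                          from the redirect
     */
    private void loginUser(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SeamSamlPrincipal principal, RequestContext requestContext) {
        if (identity.isLoggedIn()) {
            throw new RuntimeException("User is already logged in.");
        }
        try {
            if (!internalAuthenticator.authenticate(principal, httpServletRequest)) {
                httpServletResponse.sendRedirect(serviceProvider.getFailedAuthenticationUrl());
            } else if (requestContext == null) {
                redirectForUnsolicitedAuthentication(httpServletRequest, httpServletResponse);
            } else {
                requests.redirect(requestContext.getId(), httpServletResponse);
            }
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Chooses the landing page after an unsolicited (IDP-initiated) login.
     *
     * <p>A {@code RelayState} parameter is honoured only when it is a local path (see
     * {@link #isLocalRedirectTarget}); in this flow the parameter is supplied by whoever initiated
     * the login, so redirecting off-site based on it would be an open redirect. Otherwise the
     * configured unsolicited-authentication URL is used.
     *
     * @throws IOException      if the redirect cannot be written
     * @throws RuntimeException if no RelayState is usable and no unsolicited URL is configured
     */
    private void redirectForUnsolicitedAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        String relayState = httpServletRequest.getParameter(RELAY_STATE_PARAMETER);
        if (relayState != null) {
            if (isLocalRedirectTarget(relayState)) {
                httpServletResponse.sendRedirect(relayState);
                return;
            }
            log.warn("Ignoring RelayState of unsolicited response because it is not a local path.");
        }
        String unsolicitedUrl = serviceProvider.getUnsolicitedAuthenticationUrl();
        if (unsolicitedUrl == null) {
            throw new RuntimeException("Unsolicited login could not be handled because the unsolicitedAuthenticationViewId property has not been configured");
        }
        httpServletResponse.sendRedirect(unsolicitedUrl);
    }

    /**
     * Returns whether {@code target} is a path on this application: it must start with a single
     * {@code /} (a second {@code /} or {@code \} would make browsers treat it as scheme-relative,
     * i.e. another host) and contain no control characters.
     */
    private static boolean isLocalRedirectTarget(String target) {
        if (target == null || target.length() == 0 || target.charAt(0) != '/') {
            return false;
        }
        if (target.length() > 1 && (target.charAt(1) == '/' || target.charAt(1) == '\\')) {
            return false;
        }
        for (int i = 0; i < target.length(); i++) {
            if (target.charAt(i) < 0x20) {
                return false;
            }
        }
        return true;
    }
}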
