package org.wso2.carbon.webapp.mgt.sso;

import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.nio.charset.Charset;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.apache.catalina.authenticator.SingleSignOn;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.xml.util.Base64;
import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.identity.sso.agent.SSOAgentException;
import org.wso2.carbon.identity.sso.agent.SSOAgentRequestResolver;
import org.wso2.carbon.identity.sso.agent.bean.LoggedInSessionBean;
import org.wso2.carbon.identity.sso.agent.bean.SSOAgentConfig;
import org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager;
import org.wso2.carbon.identity.sso.agent.saml.SSOAgentCarbonX509Credential;
import org.wso2.carbon.identity.sso.agent.util.SSOAgentUtils;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;
import org.wso2.carbon.webapp.mgt.WebappsConstants;

/* loaded from: input_file:org/wso2/carbon/webapp/mgt/sso/SAMLSSOValve.class */
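/**
 * Tomcat valve that fronts a web application with SAML2 single sign-on.
 *
 * <p>The valve is a no-op for contexts whose {@code ENABLE_SAML2_SSO} context parameter is
 * not {@code true}. For SSO-enabled contexts it dispatches on the request type resolved by
 * {@link SSOAgentRequestResolver}: single-logout request, SAML2 response at the ACS URL,
 * single-logout URL, or SSO login URL. Requests that match none of these (and are not skipped)
 * get a {@link GenericPrincipal} built from the {@code LoggedInSessionBean} in the session
 * before the pipeline continues.
 *
 * <p>The SP configuration is read once from {@code WebappSSOConstants.SSO_SP_CONFIG_PATH} in the
 * constructor and only read afterwards, so the valve instance itself carries no per-request
 * mutable state. The {@link SSOAgentConfig} kept as a session note is, however, mutated per
 * request ({@code setPassiveAuthn}, {@code setRelayState}).
 * NOTE(review): concurrent requests within one session therefore share and race on that object —
 * confirm against the agent's expectations.
 */
public class SAMLSSOValve extends SingleSignOn {
    private static final Log log = LogFactory.getLog(SAMLSSOValve.class);
    private static final String MEDIA_TYPE_TEXT_HTML = "text/html";
    // Session attribute under which the SSO agent stores the LoggedInSessionBean.
    private static final String LOGGED_IN_SESSION_BEAN_ATTR = "org.wso2.carbon.identity.sso.agent.LoggedInSessionBean";
    // Subject-attribute key whose value carries the role list used for the principal.
    private static final String ROLE_CLAIM_URI = "http://wso2.org/claims/role";
    private static final String STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder";
    private static final String STATUS_NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive";
    // Placeholder written to the debug log instead of credential-bearing values.
    private static final String REDACTED = "<redacted>";
    // Loaded once in the constructor; only read afterwards.
    private final Properties ssoSPConfigProperties = new Properties();

    /**
     * Loads the SSO service-provider configuration from {@code WebappSSOConstants.SSO_SP_CONFIG_PATH}.
     *
     * @throws FileNotFoundException if {@link SSOUtils#isSSOSPConfigExists()} reports no config file
     * @throws IOException           if the properties file cannot be read
     */
    public SAMLSSOValve() throws IOException {
        log.info("Initializing SAMLSSOValve..");
        if (!SSOUtils.isSSOSPConfigExists()) {
            throw new FileNotFoundException("Unable to find SSO SP config properties file in " + WebappSSOConstants.SSO_SP_CONFIG_PATH);
        }
        // try-with-resources: the stream is closed on both the success and the failure path.
        try (FileInputStream fileInputStream = new FileInputStream(WebappSSOConstants.SSO_SP_CONFIG_PATH)) {
            this.ssoSPConfigProperties.load(fileInputStream);
            log.info("Successfully loaded SSO SP Config.");
        }
    }

    /**
     * Applies the SAML2 SSO flow to the request and, unless a redirect or POST form has been
     * sent, hands the request to the next valve.
     *
     * @param request  the current request
     * @param response the current response
     * @throws IOException       on I/O failure while redirecting or writing the response
     * @throws ServletException  propagated from the downstream pipeline
     */
    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        if (log.isDebugEnabled()) {
            log.debug("Invoking SAMLSSOValve. Request URI : " + request.getRequestURI());
        }
        if (!Boolean.parseBoolean(request.getContext().findParameter(WebappSSOConstants.ENABLE_SAML2_SSO))) {
            if (log.isDebugEnabled()) {
                log.debug("Saml2 SSO not enabled in webapp " + request.getContext().getName());
            }
            getNext().invoke(request, response);
            return;
        }
        // The agent config is cached per session as a Catalina session note.
        // NOTE(review): the later getSession(false) dereferences in this class presumably rely on
        // getSessionInternal() having created the session here — confirm against the Tomcat version in use.
        SSOAgentConfig ssoAgentConfig = (SSOAgentConfig) request.getSessionInternal().getNote(WebappSSOConstants.SSO_AGENT_CONFIG);
        if (log.isDebugEnabled()) {
            logRequestDetails(request);
        }
        if (ssoAgentConfig == null) {
            ssoAgentConfig = createSSOAgentConfig(request);
            if (ssoAgentConfig == null) {
                // Fail closed: the request is neither passed down the pipeline nor answered here.
                return;
            }
        }
        try {
            SSOAgentRequestResolver resolver = new SSOAgentRequestResolver(request, response, ssoAgentConfig);
            if (resolver.isURLToSkip()) {
                if (log.isDebugEnabled()) {
                    log.debug("Request matched a skip URL. Skipping..");
                }
                getNext().invoke(request, response);
                return;
            }
            String skipUris = request.getContext().findParameter(WebappSSOConstants.SKIP_URIS);
            // NOTE(review): this is a substring match, so any request URI that is a substring of the
            // configured skip list bypasses SSO; an exact or path-segment match would be tighter.
            if (!StringUtils.isBlank(skipUris) && skipUris.contains(request.getRequestURI())) {
                if (log.isDebugEnabled()) {
                    log.debug("Request matched a skip URL on the webapp. Skipping : " + request.getRequestURI());
                }
                getNext().invoke(request, response);
                return;
            }
            if (log.isDebugEnabled()) {
                log.debug("Request did not match a skip URL on the webapp. : " + request.getRequestURI());
            }
            String ssoTenantDomain = request.getContext().findParameter(WebappSSOConstants.ENABLE_SAML2_SSO_WITH_TENANT);
            // Client-supplied header value; it flows into SSOUtils.removeTenantFromURI for the redirect
            // targets built below. NOTE(review): confirm that helper cannot let the header alter the host part.
            String customAcsHeader = request.getHeader(this.ssoSPConfigProperties.getProperty(WebappSSOConstants.CUSTOM_ACS_HEADER));
            if (resolver.isSLORequest()) {
                if (log.isDebugEnabled()) {
                    log.debug("Processing Single Log Out Request");
                }
                new SAML2SSOManager(ssoAgentConfig).doSLO(request);
            } else if (resolver.isSAML2SSOResponse()) {
                if (log.isDebugEnabled()) {
                    log.debug("Processing SSO Response.");
                }
                if (handleSSOResponse(request, response, ssoAgentConfig, customAcsHeader, ssoTenantDomain)) {
                    return;
                }
            } else if (resolver.isSLOURL()) {
                handleSLOURL(request, response, resolver, ssoAgentConfig);
                return;
            } else if (resolver.isSAML2SSOURL()
                    || (ssoAgentConfig.isSAML2SSOLoginEnabled().booleanValue() && !hasLoggedInSession(request))) {
                handleSSOURL(request, response, resolver, ssoAgentConfig, customAcsHeader, ssoTenantDomain);
                return;
            }
            setUserPrincipalFromSession(request);
            if (log.isDebugEnabled()) {
                log.debug("End of SAMLSSOValve invoke.");
            }
            getNext().invoke(request, response);
        } catch (SSOAgentException e) {
            log.error("An error has occurred", e);
            throw e;
        }
    }

    /** Pass-through to {@link SingleSignOn#backgroundProcess()}; kept for compatibility. */
    @Override
    public void backgroundProcess() {
        super.backgroundProcess();
    }

    /**
     * Drops the agent's logged-in session bean (if a session exists) and rethrows the error, so a
     * failed SSO exchange never leaves a half-established login behind.
     *
     * @param httpServletRequest the current request
     * @param ssoAgentException  the error from the SSO agent
     * @throws SSOAgentException always, rethrowing {@code ssoAgentException}
     */
    protected void handleException(HttpServletRequest httpServletRequest, SSOAgentException ssoAgentException) throws SSOAgentException {
        if (httpServletRequest.getSession(false) != null) {
            httpServletRequest.getSession(false).removeAttribute(LOGGED_IN_SESSION_BEAN_ATTR);
        }
        throw ssoAgentException;
    }

    /**
     * Writes request headers and cookies to the debug log. Values of credential-bearing headers
     * and all cookie values are redacted so session identifiers do not end up in log files.
     *
     * @param request the current request
     */
    private static void logRequestDetails(Request request) {
        Enumeration<String> headerNames = request.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String headerName = headerNames.nextElement();
            String headerValue = isSensitiveHeader(headerName) ? REDACTED : request.getHeader(headerName);
            log.debug("Request header : " + headerName + " : value : " + headerValue + " request hash : " + request.hashCode());
        }
        if (request.getCookies() != null && request.getCookies().length > 0) {
            for (Cookie cookie : request.getCookies()) {
                log.debug("Request cookie : " + cookie.getName() + " : value : " + REDACTED + " : domain : " + cookie.getDomain() + " request hash : " + request.hashCode());
            }
        }
    }

    /**
     * Returns whether the named header carries credentials and must not be logged verbatim.
     *
     * @param headerName request header name (compared case-insensitively)
     * @return {@code true} for Cookie, Authorization and Proxy-Authorization
     */
    private static boolean isSensitiveHeader(String headerName) {
        return "Cookie".equalsIgnoreCase(headerName)
                || "Authorization".equalsIgnoreCase(headerName)
                || "Proxy-Authorization".equalsIgnoreCase(headerName);
    }

    /**
     * Builds the per-session {@link SSOAgentConfig} from the SP properties and the current
     * tenant, verifies it and stores it as a session note.
     *
     * @param request the current request
     * @return the verified config, or {@code null} if initialization failed (already logged)
     */
    private SSOAgentConfig createSSOAgentConfig(Request request) {
        try {
            SSOAgentConfig ssoAgentConfig = new SSOAgentConfig();
            ssoAgentConfig.initConfig(this.ssoSPConfigProperties);
            String tenantDomain = MultitenantUtils.getTenantDomain(request);
            ssoAgentConfig.getSAML2().setSSOAgentX509Credential(
                    new SSOAgentCarbonX509Credential(CarbonContext.getThreadLocalCarbonContext().getTenantId(), tenantDomain));
            ssoAgentConfig.getSAML2().setSPEntityId(SSOUtils.generateIssuerID(request.getContextPath()));
            ssoAgentConfig.getSAML2().setACSURL(SSOUtils.generateConsumerUrl(request, this.ssoSPConfigProperties));
            ssoAgentConfig.verifyConfig();
            String ssoTenantDomain = request.getContext().findParameter(WebappSSOConstants.ENABLE_SAML2_SSO_WITH_TENANT);
            if (ssoTenantDomain != null && !ssoTenantDomain.isEmpty()) {
                ssoAgentConfig.getQueryParams().put("tenantDomain", new String[]{ssoTenantDomain});
            }
            if (log.isDebugEnabled()) {
                log.debug("Creating SSOAgentConfig, IssuerId=" + ssoAgentConfig.getSAML2().getSPEntityId()
                        + ", CurrentTenant=" + tenantDomain + ", SSOTenant=" + ssoTenantDomain);
            }
            request.getSessionInternal().setNote(WebappSSOConstants.SSO_AGENT_CONFIG, ssoAgentConfig);
            return ssoAgentConfig;
        } catch (Exception e) {
            // Boundary catch: any failure here disables SSO for this request (caller fails closed).
            log.error("Error on initializing SAML2SSOManager", e);
            return null;
        }
    }

    /**
     * Processes a SAML2 response posted to the ACS URL: lets the agent consume it, then either
     * redirects to the URL saved in the relay state, handles the post-SLO consumer URL, or falls
     * through so the caller continues the pipeline.
     *
     * @param request         the current request
     * @param response        the current response
     * @param ssoAgentConfig  the per-session agent config
     * @param customAcsHeader value of the request header named by {@code CUSTOM_ACS_HEADER} (client-controlled)
     * @param ssoTenantDomain value of the {@code ENABLE_SAML2_SSO_WITH_TENANT} context parameter
     * @return {@code true} when a redirect or POST form has been sent and the caller must stop
     * @throws IOException       on I/O failure while responding
     * @throws SSOAgentException rethrown via {@link #handleException} after clearing the login bean
     */
    private boolean handleSSOResponse(Request request, Response response, SSOAgentConfig ssoAgentConfig,
                                      String customAcsHeader, String ssoTenantDomain) throws IOException, SSOAgentException {
        SAML2SSOManager samlManager = new SAML2SSOManager(ssoAgentConfig);
        try {
            // Read (and clear) the post-SLO redirect before the agent touches the session.
            String redirectPathAfterSLO = readAndForgetRedirectPathAfterSLO(request);
            samlManager.processResponse(request, response);
            String relayStateKey = ssoAgentConfig.getSAML2().getRelayState();
            if (relayStateKey != null && request.getSession(false) != null) {
                RelayState relayState = (RelayState) request.getSession(false).getAttribute(relayStateKey);
                if (relayState == null) {
                    // Unknown relay state: fall back to the application root.
                    response.sendRedirect(SSOUtils.removeTenantFromURI(
                            this.ssoSPConfigProperties.getProperty(WebappSSOConstants.APP_SERVER_URL) + request.getContextPath(),
                            customAcsHeader, ssoTenantDomain));
                    return true;
                }
                request.getSession(false).removeAttribute(relayStateKey);
                String requestedURL = relayState.getRequestedURL();
                if (relayState.getRequestQueryString() != null) {
                    requestedURL = requestedURL.concat("?").concat(relayState.getRequestQueryString());
                }
                if (relayState.getRequestParameters() != null) {
                    request.getSession(false).setAttribute("REQUEST_PARAM_MAP", relayState.getRequestParameters());
                }
                response.sendRedirect(SSOUtils.removeTenantFromURI(requestedURL, customAcsHeader, ssoTenantDomain));
                return true;
            }
            if (request.getRequestURI().endsWith(this.ssoSPConfigProperties.getProperty(WebappSSOConstants.CONSUMER_URL_POSTFIX))
                    && Boolean.parseBoolean(this.ssoSPConfigProperties.getProperty(WebappSSOConstants.HANDLE_CONSUMER_URL_AFTER_SLO))) {
                if (!isIdpSessionValidationBeforeLogoutEnabled() || !ssoAgentConfig.getSAML2().isPassiveAuthn().booleanValue()) {
                    String redirectPath = SSOUtils.removeTenantFromURI(redirectPathAfterSLO, customAcsHeader, ssoTenantDomain);
                    if (log.isDebugEnabled()) {
                        log.debug("Redirect path after log out = " + redirectPath);
                    }
                    response.sendRedirect(redirectPath);
                    return true;
                }
                // The response is parsed a second time here only to inspect its status codes.
                // NOTE(review): trust in its contents rests on processResponse() above having validated
                // it; the SAMLResponse parameter is assumed present because isSAML2SSOResponse() matched — confirm.
                org.opensaml.saml2.core.Response samlResponse = (org.opensaml.saml2.core.Response) SSOAgentUtils.unmarshall(
                        new String(Base64.decode(request.getParameter("SAMLResponse")), Charset.forName("UTF-8")));
                ssoAgentConfig.getSAML2().setPassiveAuthn(false);
                String postRequest = samlManager.buildPostRequest(request, response, !isNoPassive(samlResponse));
                response.addHeader("Content-Type", MEDIA_TYPE_TEXT_HTML);
                SSOAgentUtils.sendPostResponse(request, response, postRequest);
                return true;
            }
        } catch (SSOAgentException e) {
            log.error("An exception occurred during SSO flow : ", e);
            handleException(request, e);
        }
        return false;
    }

    /**
     * Handles a request to the single-logout URL by redirecting or POSTing a logout (or, when
     * IdP session validation is enabled, a passive authentication) request to the IdP.
     * Every path sends a response; the caller must not continue the pipeline.
     *
     * @param request        the current request
     * @param response       the current response
     * @param resolver       resolver for the current request
     * @param ssoAgentConfig the per-session agent config
     * @throws IOException       on I/O failure while responding
     * @throws SSOAgentException from the agent while building the request
     */
    private void handleSLOURL(Request request, Response response, SSOAgentRequestResolver resolver,
                              SSOAgentConfig ssoAgentConfig) throws IOException, SSOAgentException {
        if (log.isDebugEnabled()) {
            log.debug("Processing Single Log Out URL");
        }
        SAML2SSOManager samlManager = new SAML2SSOManager(ssoAgentConfig);
        if (!resolver.isHttpPostBinding()) {
            if (log.isDebugEnabled()) {
                log.debug("HTTP_BINDING_PARAM is not defined. Therefore redirecting to : ");
            }
            if (isIdpSessionValidationBeforeLogoutEnabled()) {
                ssoAgentConfig.getSAML2().setPassiveAuthn(true);
                ssoAgentConfig.getSAML2().setRelayState((String) null);
                response.sendRedirect(samlManager.buildRedirectRequest(request, false));
            } else {
                ssoAgentConfig.getSAML2().setPassiveAuthn(false);
                response.sendRedirect(samlManager.buildRedirectRequest(request, true));
            }
            return;
        }
        // A missing session is treated like an already-logged-out one instead of dereferencing null.
        if (!hasLoggedInSession(request)) {
            log.warn("Attempt to logout from a already logout session.");
            response.sendRedirect(request.getContext().getPath());
            return;
        }
        String postRequest;
        if (isIdpSessionValidationBeforeLogoutEnabled()) {
            ssoAgentConfig.getSAML2().setPassiveAuthn(true);
            ssoAgentConfig.getSAML2().setRelayState((String) null);
            postRequest = samlManager.buildPostRequest(request, response, false);
        } else {
            ssoAgentConfig.getSAML2().setPassiveAuthn(false);
            postRequest = samlManager.buildPostRequest(request, response, true);
        }
        response.addHeader("Content-Type", MEDIA_TYPE_TEXT_HTML);
        SSOAgentUtils.sendPostResponse(request, response, postRequest);
    }

    /**
     * Starts an SSO login: records the requested URL, query string and parameters in a fresh
     * {@link RelayState} stored in the session, then redirects or POSTs the authentication
     * request to the IdP. Every path sends a response; the caller must not continue the pipeline.
     *
     * @param request         the current request
     * @param response        the current response
     * @param resolver        resolver for the current request
     * @param ssoAgentConfig  the per-session agent config
     * @param customAcsHeader value of the request header named by {@code CUSTOM_ACS_HEADER} (client-controlled)
     * @param ssoTenantDomain value of the {@code ENABLE_SAML2_SSO_WITH_TENANT} context parameter
     * @throws IOException       on I/O failure while responding
     * @throws SSOAgentException from the agent while building the request
     */
    private void handleSSOURL(Request request, Response response, SSOAgentRequestResolver resolver,
                              SSOAgentConfig ssoAgentConfig, String customAcsHeader, String ssoTenantDomain)
            throws IOException, SSOAgentException {
        if (log.isDebugEnabled()) {
            log.debug("Processing SSO URL");
        }
        SAML2SSOManager samlManager = new SAML2SSOManager(ssoAgentConfig);
        String relayStateKey = SSOAgentUtils.createID();
        RelayState relayState = new RelayState();
        relayState.setRequestedURL(SSOUtils.removeTenantFromURI(request.getRequestURI(), customAcsHeader, ssoTenantDomain));
        relayState.setRequestQueryString(request.getQueryString());
        relayState.setRequestParameters(request.getParameterMap());
        ssoAgentConfig.getSAML2().setRelayState(relayStateKey);
        // NOTE(review): assumes a session exists at this point (see getSessionInternal() in invoke) — confirm.
        request.getSession(false).setAttribute(relayStateKey, relayState);
        ssoAgentConfig.getSAML2().setPassiveAuthn(false);
        if (resolver.isHttpPostBinding()) {
            String postRequest = samlManager.buildPostRequest(request, response, false);
            response.addHeader("Content-Type", MEDIA_TYPE_TEXT_HTML);
            SSOAgentUtils.sendPostResponse(request, response, postRequest);
        } else {
            response.sendRedirect(samlManager.buildRedirectRequest(request, false));
        }
    }

    /**
     * Sets the request principal from the agent's logged-in session bean, if present and carrying
     * a subject id. Roles are taken from the {@code http://wso2.org/claims/role} subject attribute,
     * split on {@code WebappsConstants.ENVIRONMENTS_SPILIT_CHAR}.
     *
     * @param request the current request
     */
    private static void setUserPrincipalFromSession(Request request) {
        if (request.getSession(false) == null) {
            return;
        }
        LoggedInSessionBean loggedInSessionBean = (LoggedInSessionBean) request.getSession(false).getAttribute(LOGGED_IN_SESSION_BEAN_ATTR);
        if (loggedInSessionBean == null) {
            return;
        }
        LoggedInSessionBean.SAML2SSO saml2sso = loggedInSessionBean.getSAML2SSO();
        String subjectId = saml2sso.getSubjectId();
        if (subjectId == null) {
            return;
        }
        List<String> roles = null;
        Map<?, ?> subjectAttributes = saml2sso.getSubjectAttributes();
        if (subjectAttributes != null && !subjectAttributes.isEmpty()) {
            String roleClaim = (String) subjectAttributes.get(ROLE_CLAIM_URI);
            if (roleClaim != null && !roleClaim.isEmpty()) {
                roles = Arrays.asList(roleClaim.split(WebappsConstants.ENVIRONMENTS_SPILIT_CHAR));
            }
        }
        request.setUserPrincipal(new GenericPrincipal(subjectId, (String) null, roles));
    }

    /**
     * Returns whether the request has a session holding the agent's logged-in session bean.
     *
     * @param request the current request
     * @return {@code true} if a session exists and carries the logged-in bean
     */
    private static boolean hasLoggedInSession(HttpServletRequest request) {
        return request.getSession(false) != null
                && request.getSession(false).getAttribute(LOGGED_IN_SESSION_BEAN_ATTR) != null;
    }

    /**
     * Reads the {@code ENABLE_IDP_SESSION_VALIDATION_BEFORE_LOGOUT} SP property (default {@code false}).
     *
     * @return {@code true} if IdP session validation before logout is enabled
     */
    private boolean isIdpSessionValidationBeforeLogoutEnabled() {
        return Boolean.parseBoolean(
                this.ssoSPConfigProperties.getProperty(WebappSSOConstants.ENABLE_IDP_SESSION_VALIDATION_BEFORE_LOGOUT, "false"));
    }

    /**
     * Resolves the path to redirect to after single logout, preferring (and removing) the session
     * attribute, then the context parameter, then the SP property, all keyed by
     * {@code WebappSSOConstants.REDIRECT_PATH_AFTER_SLO}.
     *
     * @param request the current request
     * @return the context path, with the resolved value appended when one is configured
     */
    private String readAndForgetRedirectPathAfterSLO(Request request) {
        String redirectPath = null;
        if (request.getSession(false) != null) {
            redirectPath = (String) request.getSession(false).getAttribute(WebappSSOConstants.REDIRECT_PATH_AFTER_SLO);
            request.getSession(false).removeAttribute(WebappSSOConstants.REDIRECT_PATH_AFTER_SLO);
        }
        if (redirectPath == null) {
            redirectPath = request.getContext().findParameter(WebappSSOConstants.REDIRECT_PATH_AFTER_SLO);
        }
        if (redirectPath == null) {
            redirectPath = this.ssoSPConfigProperties.getProperty(WebappSSOConstants.REDIRECT_PATH_AFTER_SLO);
        }
        String contextPath = request.getContext().getPath();
        return (redirectPath == null || redirectPath.isEmpty()) ? contextPath : contextPath.concat(redirectPath);
    }

    /**
     * Returns whether the SAML response reports status {@code Responder} with the nested
     * second-level status {@code NoPassive}. Null-safe: any missing status element yields {@code false}.
     *
     * @param response the unmarshalled SAML2 response
     * @return {@code true} for a Responder/NoPassive status pair
     */
    private boolean isNoPassive(org.opensaml.saml2.core.Response response) {
        return response.getStatus() != null
                && response.getStatus().getStatusCode() != null
                && STATUS_RESPONDER.equals(response.getStatus().getStatusCode().getValue())
                && response.getStatus().getStatusCode().getStatusCode() != null
                && STATUS_NO_PASSIVE.equals(response.getStatus().getStatusCode().getStatusCode().getValue());
    }
}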
