package org.wso2.carbon.identity.sso.saml.servlet;

import java.io.IOException;
import java.io.PrintWriter;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.Enumeration;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.owasp.encoder.Encode;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.identity.application.authentication.framework.AuthenticatorFlowStatus;
import org.wso2.carbon.identity.application.authentication.framework.CommonAuthenticationHandler;
import org.wso2.carbon.identity.application.authentication.framework.cache.AuthenticationRequestCacheEntry;
import org.wso2.carbon.identity.application.authentication.framework.cache.AuthenticationResultCacheEntry;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationRequest;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationResult;
import org.wso2.carbon.identity.application.authentication.framework.model.CommonAuthRequestWrapper;
import org.wso2.carbon.identity.application.authentication.framework.model.CommonAuthResponseWrapper;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.sso.saml.SAMLSSOConstants;
import org.wso2.carbon.identity.sso.saml.SAMLSSOService;
import org.wso2.carbon.identity.sso.saml.cache.SessionDataCache;
import org.wso2.carbon.identity.sso.saml.cache.SessionDataCacheEntry;
import org.wso2.carbon.identity.sso.saml.cache.SessionDataCacheKey;
import org.wso2.carbon.identity.sso.saml.dto.QueryParamDTO;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOAuthnReqDTO;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOReqValidationResponseDTO;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSORespDTO;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOSessionDTO;
import org.wso2.carbon.identity.sso.saml.internal.IdentitySAMLSSOServiceComponent;
import org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender;
import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;
import org.wso2.carbon.idp.mgt.util.IdPManagementUtil;
import org.wso2.carbon.registry.core.utils.UUIDGenerator;
import org.wso2.carbon.user.api.UserStoreException;

/* loaded from: input_file:org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.class */
public class SAMLSSOProviderServlet extends HttpServlet {
    private static final long serialVersionUID = -5182312441482721905L;
    // Commons-logging logger used by every handler in this servlet.
    private static Log log = LogFactory.getLog(SAMLSSOProviderServlet.class);
    // Only the logout-response path uses this instance; the request validators and
    // the authenticate() call construct their own SAMLSSOService.
    private SAMLSSOService samlSsoService = new SAMLSSOService();
    // Not referenced by any handler in the visible part of this file.
    private boolean isCacheAvailable = false;

    /**
     * Handles a GET to the SAML SSO endpoint by delegating to handleRequest with isPost=false.
     * The three SAML thread-locals are cleared on every exit path (normal return or any
     * Throwable) so that state from this request cannot bleed into the next request that the
     * same container thread serves.
     */
    protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        try {
            handleRequest(httpServletRequest, httpServletResponse, false);
        } finally {
            SAMLSSOUtil.removeSaaSApplicationThreaLocal();
            SAMLSSOUtil.removeUserTenantDomainThreaLocal();
            SAMLSSOUtil.removeTenantDomainFromThreadLocal();
        }
    }

    /**
     * Handles a POST to the SAML SSO endpoint by delegating to handleRequest with isPost=true.
     * Thread-local cleanup runs in a finally block so it happens exactly once regardless of
     * whether handleRequest returned normally or threw.
     */
    protected void doPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        try {
            handleRequest(httpServletRequest, httpServletResponse, true);
        } finally {
            SAMLSSOUtil.removeSaaSApplicationThreaLocal();
            SAMLSSOUtil.removeUserTenantDomainThreaLocal();
            SAMLSSOUtil.removeTenantDomainFromThreadLocal();
        }
    }

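    /**
     * Central dispatcher for every request hitting the SSO endpoint.
     *
     * Routing, in priority order:
     *  1. tocommonauth=true with no authenticatorFlowStatus attribute -> hand straight to the framework;
     *  2. a sessionDataKey (attribute or parameter) -> this is the framework calling back, so resume
     *     the cached SAML flow (logout, invalid logout, or authentication);
     *  3. spEntityID or slo parameter -> IdP-initiated SSO/SLO;
     *  4. SAMLRequest parameter -> SP-initiated SSO/SLO;
     *  5. anything else -> "invalid request" unless an SSO token cookie exists, in which case the
     *     browser is sent to the framework for logout.
     *
     * IdentityException and UserStoreException are both converted into the generic IdP error
     * notification page; nothing about the cause is exposed to the browser.
     *
     * @param z true when the request arrived via POST (threaded through to the framework request)
     */
    private void handleRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, boolean z) throws ServletException, IOException {
        // Existing SSO session token presented by the browser, if any.
        String ssoTokenId = null;
        Cookie tokenIdCookie = getTokenIdCookie(httpServletRequest);
        if (tokenIdCookie != null) {
            ssoTokenId = tokenIdCookie.getValue();
        }
        String queryString = httpServletRequest.getQueryString();
        // For the SP-initiated flow the query string carries the raw SAMLRequest (and, where the
        // SP signs, its Signature). handleSPInitSSO only logs that token when the SAML_Request log
        // token is enabled, so the query string is gated by the same switch instead of being
        // written unconditionally at debug level.
        if (log.isDebugEnabled() && IdentityUtil.isTokenLoggable("SAML_Request")) {
            log.debug("Query string : " + queryString);
        }
        // Anything other than the OpenID mode collapses to username/password.
        String authMode = httpServletRequest.getParameter(SAMLSSOConstants.AUTH_MODE);
        if (!SAMLSSOConstants.AuthnModes.OPENID.equals(authMode)) {
            authMode = SAMLSSOConstants.AuthnModes.USERNAME_PASSWORD;
        }
        String relayState = httpServletRequest.getParameter(SAMLSSOConstants.RELAY_STATE);
        String spEntityId = httpServletRequest.getParameter(SAMLSSOConstants.QueryParameter.SP_ENTITY_ID.toString());
        String samlRequest = httpServletRequest.getParameter("SAMLRequest");
        String sessionDataKey = getSessionDataKey(httpServletRequest);
        String sloParam = httpServletRequest.getParameter(SAMLSSOConstants.QueryParameter.SLO.toString());
        Object authenticatorFlowStatus = httpServletRequest.getAttribute("authenticatorFlowStatus");
        try {
            if ("true".equals(httpServletRequest.getParameter("tocommonauth")) && authenticatorFlowStatus == null) {
                sendRequestToFramework(httpServletRequest, httpServletResponse);
                return;
            }
            // The tenantDomain request parameter is caller-supplied; when a cached session exists it
            // is overridden below by the tenant recorded when the flow started.
            SAMLSSOUtil.setTenantDomainInThreadLocal(httpServletRequest.getParameter("tenantDomain"));
            if (sessionDataKey != null) {
                SAMLSSOSessionDTO cachedSession = getSessionDataFromCache(sessionDataKey);
                if (cachedSession == null) {
                    log.error("Failed to retrieve sessionDTO from the cache for key " + sessionDataKey);
                    sendNotification(SAMLSSOUtil.buildErrorResponse(SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR, SAMLSSOConstants.Notification.EXCEPTION_STATUS, null), SAMLSSOConstants.Notification.EXCEPTION_STATUS, SAMLSSOConstants.Notification.EXCEPTION_MESSAGE, null, httpServletRequest, httpServletResponse);
                    return;
                }
                SAMLSSOUtil.setTenantDomainInThreadLocal(cachedSession.getTenantDomain());
                if (cachedSession.isInvalidLogout()) {
                    log.warn("Redirecting to default logout page due to an invalid logout request");
                    httpServletResponse.sendRedirect(SAMLSSOUtil.getDefaultLogoutEndpoint());
                } else if (cachedSession.isLogoutReq()) {
                    handleLogoutResponseFromFramework(httpServletRequest, httpServletResponse, cachedSession);
                } else {
                    handleAuthenticationReponseFromFramework(httpServletRequest, httpServletResponse, ssoTokenId, cachedSession);
                }
                // The framework's result is single-use: drop it once the callback has been processed.
                removeAuthenticationResult(httpServletRequest, sessionDataKey);
            } else if (spEntityId != null || sloParam != null) {
                handleIdPInitSSO(httpServletRequest, httpServletResponse, relayState, queryString, authMode, ssoTokenId, z, sloParam != null);
            } else if (samlRequest != null) {
                handleSPInitSSO(httpServletRequest, httpServletResponse, queryString, relayState, authMode, samlRequest, ssoTokenId, z);
            } else {
                log.debug("Invalid request message or single logout message ");
                if (ssoTokenId == null) {
                    sendNotification(SAMLSSOUtil.buildErrorResponse(SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, "Invalid request message", null), SAMLSSOConstants.Notification.INVALID_MESSAGE_STATUS, SAMLSSOConstants.Notification.INVALID_MESSAGE_MESSAGE, null, httpServletRequest, httpServletResponse);
                } else {
                    // A bare hit on the endpoint with a live SSO cookie is treated as a logout.
                    sendToFrameworkForLogout(httpServletRequest, httpServletResponse, null, null, ssoTokenId, true, false);
                }
            }
        } catch (IdentityException e) {
            log.error(SAMLSSOConstants.Notification.EXCEPTION_STATUS, e);
            sendIdPErrorNotification("Error when processing the authentication request", httpServletRequest, httpServletResponse);
        } catch (UserStoreException e3) {
            // Kept at debug level as in the original; the user only ever sees the generic error page.
            if (log.isDebugEnabled()) {
                log.debug("Error occurred while handling SAML2 SSO request", e3);
            }
            sendIdPErrorNotification("Error occurred while handling SAML2 SSO request", httpServletRequest, httpServletResponse);
        }
    }

    /**
     * Builds a Responder/IdP-error SAML status response with the given message and redirects the
     * browser to the notification page with it. If even building the error response fails, the
     * notification is sent without a SAMLResponse parameter rather than failing the request.
     */
    private void sendIdPErrorNotification(String message, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        String errorResponse = null;
        try {
            errorResponse = SAMLSSOUtil.buildErrorResponse(SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR, message, null);
        } catch (IdentityException e) {
            log.error("Error while building SAML response", e);
        }
        sendNotification(errorResponse, SAMLSSOConstants.Notification.EXCEPTION_STATUS, SAMLSSOConstants.Notification.EXCEPTION_MESSAGE, null, httpServletRequest, httpServletResponse);
    }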

    /**
     * Resolves the sessionDataKey for this request: the request attribute wins (set when the
     * framework forwards back to this servlet), otherwise the request parameter is used.
     * Returns null when neither is present.
     */
    private String getSessionDataKey(HttpServletRequest httpServletRequest) {
        Object fromAttribute = httpServletRequest.getAttribute(SAMLSSOConstants.SESSION_DATA_KEY);
        return fromAttribute != null
                ? (String) fromAttribute
                : httpServletRequest.getParameter(SAMLSSOConstants.SESSION_DATA_KEY);
    }

    /**
     * Redirects the browser to the configured notification page with the outcome encoded in the
     * query string.
     *
     * @param str  SAML error response to forward as SAMLResponse, or null to omit it
     * @param str2 status code shown on the page (written as the status parameter)
     * @param str3 human-readable status message (written as STATUS_MSG)
     * @param str4 assertion consumer URL to forward as ACSUrl, or null to omit it
     */
    private void sendNotification(String str, String str2, String str3, String str4, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        String notificationEndpoint = SAMLSSOUtil.getNotificationEndpoint();
        // Every value is URL-encoded; the error response in particular is base64 XML and the
        // ACS URL is an absolute URL, neither of which is safe to splice in raw.
        StringBuilder query = new StringBuilder("?status=")
                .append(URLEncoder.encode(str2, "UTF-8"))
                .append('&')
                .append(SAMLSSOConstants.STATUS_MSG)
                .append('=')
                .append(URLEncoder.encode(str3, "UTF-8"));
        if (str != null) {
            query.append("&SAMLResponse=").append(URLEncoder.encode(str, "UTF-8"));
        }
        if (str4 != null) {
            query.append("&ACSUrl=").append(URLEncoder.encode(str4, "UTF-8"));
        }
        httpServletResponse.sendRedirect(notificationEndpoint + query);
    }

    /**
     * Validates an IdP-initiated SSO or SLO request and routes it to the framework.
     *
     * Parameter meanings follow the call in handleRequest: str is the RelayState, str2 the raw
     * query string, str3 the authentication mode, str4 the SSO token cookie value (may be null),
     * z whether the request was a POST and z2 whether the slo parameter was present.
     *
     * Valid SSO -> sendToFrameworkForAuthentication; valid SLO -> sendToFrameworkForLogout;
     * invalid SLO that still has a framework session -> framework logout flagged as invalid;
     * any other invalid request -> notification page carrying the validator's error response.
     */
    private void handleIdPInitSSO(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2, String str3, String str4, boolean z, boolean z2) throws UserStoreException, IdentityException, IOException, ServletException {
        String rpSessionId = httpServletRequest.getParameter("SSOAuthSessionID");
        SAMLSSOReqValidationResponseDTO validation = new SAMLSSOService().validateIdPInitSSORequest(str, str2, getQueryParams(httpServletRequest), SAMLSSOUtil.getDefaultLogoutEndpoint(), str4, rpSessionId, str3, z2);
        if (validation.isLogOutReq()) {
            if (validation.isValid()) {
                sendToFrameworkForLogout(httpServletRequest, httpServletResponse, validation, str, str4, false, z);
                return;
            }
            if (log.isDebugEnabled()) {
                log.debug("Invalid IdP initiated SAML Single Logout Request");
            }
            if (validation.isLogoutFromAuthFramework()) {
                sendToFrameworkForLogout(httpServletRequest, httpServletResponse, null, null, str4, true, z);
            } else {
                sendNotification(validation.getResponse(), SAMLSSOConstants.Notification.INVALID_MESSAGE_STATUS, SAMLSSOConstants.Notification.EXCEPTION_MESSAGE, validation.getAssertionConsumerURL(), httpServletRequest, httpServletResponse);
            }
            return;
        }
        if (validation.isValid()) {
            // IdP-initiated authentication is always recorded as a non-POST framework request.
            sendToFrameworkForAuthentication(httpServletRequest, httpServletResponse, validation, str, false);
            return;
        }
        if (log.isDebugEnabled()) {
            log.debug("Invalid IdP initiated SAML SSO Request");
        }
        sendNotification(validation.getResponse(), SAMLSSOConstants.Notification.EXCEPTION_STATUS, SAMLSSOConstants.Notification.EXCEPTION_MESSAGE, validation.getAssertionConsumerURL(), httpServletRequest, httpServletResponse);
    }

    /**
     * Validates an SP-initiated SSO or SLO request (the SAMLRequest parameter) and routes it.
     *
     * Parameter meanings follow the call in handleRequest: str is the raw query string, str2 the
     * RelayState, str3 the authentication mode, str4 the SAMLRequest parameter, str5 the SSO token
     * cookie value (may be null) and z whether the request was a POST.
     *
     * The raw SAMLRequest is only written to the log when the SAML_Request log token is enabled.
     */
    private void handleSPInitSSO(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2, String str3, String str4, String str5, boolean z) throws UserStoreException, IdentityException, IOException, ServletException {
        SAMLSSOReqValidationResponseDTO validation = new SAMLSSOService().validateSPInitSSORequest(str4, str, str5, httpServletRequest.getParameter("SSOAuthSessionID"), str3, z);
        boolean requestLoggable = log.isDebugEnabled() && IdentityUtil.isTokenLoggable("SAML_Request");
        if (validation.isLogOutReq()) {
            if (validation.isValid()) {
                sendToFrameworkForLogout(httpServletRequest, httpServletResponse, validation, str2, str5, false, z);
                return;
            }
            if (requestLoggable) {
                log.debug("Invalid SAML SSO Logout Request : " + str4);
            }
            if (validation.isLogoutFromAuthFramework()) {
                sendToFrameworkForLogout(httpServletRequest, httpServletResponse, null, null, str5, true, z);
            } else {
                sendNotification(validation.getResponse(), SAMLSSOConstants.Notification.EXCEPTION_STATUS, SAMLSSOConstants.Notification.EXCEPTION_MESSAGE, validation.getAssertionConsumerURL(), httpServletRequest, httpServletResponse);
            }
            return;
        }
        if (validation.isValid()) {
            sendToFrameworkForAuthentication(httpServletRequest, httpServletResponse, validation, str2, z);
            return;
        }
        if (requestLoggable) {
            log.debug("Invalid SAML SSO Request : " + str4);
        }
        sendNotification(validation.getResponse(), SAMLSSOConstants.Notification.EXCEPTION_STATUS, SAMLSSOConstants.Notification.EXCEPTION_MESSAGE, validation.getAssertionConsumerURL(), httpServletRequest, httpServletResponse);
    }

    /**
     * Snapshots the validated authentication request into the session-data cache under a fresh
     * key, builds the framework AuthenticationRequest that mirrors it, and hands the request to
     * the authentication framework under the "samlsso" type.
     *
     * @param str RelayState to carry through the flow
     * @param z   whether the incoming request was a POST
     *
     * The request query parameters and every request header are copied into the framework
     * request. A caller-supplied forceAuth=true query parameter can only switch forced
     * re-authentication on, never off, relative to what the SAML request asked for.
     */
    private void sendToFrameworkForAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SAMLSSOReqValidationResponseDTO sAMLSSOReqValidationResponseDTO, String str, boolean z) throws ServletException, IOException, UserStoreException, IdentityException {
        SAMLSSOSessionDTO session = new SAMLSSOSessionDTO();
        session.setHttpQueryString(httpServletRequest.getQueryString());
        session.setRelayState(str);
        session.setTenantDomain(SAMLSSOUtil.getTenantDomainFromThreadLocal());
        session.setValidationRespDTO(sAMLSSOReqValidationResponseDTO);
        session.setDestination(sAMLSSOReqValidationResponseDTO.getDestination());
        session.setRequestMessageString(sAMLSSOReqValidationResponseDTO.getRequestMessageString());
        session.setIssuer(sAMLSSOReqValidationResponseDTO.getIssuer());
        session.setRequestID(sAMLSSOReqValidationResponseDTO.getId());
        session.setSubject(sAMLSSOReqValidationResponseDTO.getSubject());
        session.setRelyingPartySessionId(sAMLSSOReqValidationResponseDTO.getRpSessionId());
        session.setAssertionConsumerURL(sAMLSSOReqValidationResponseDTO.getAssertionConsumerURL());
        session.setAttributeConsumingServiceIndex(sAMLSSOReqValidationResponseDTO.getAttributeConsumingServiceIndex());
        session.setForceAuth(sAMLSSOReqValidationResponseDTO.isForceAuthn());
        session.setPassiveAuth(sAMLSSOReqValidationResponseDTO.isPassive());
        session.setIdPInitSSO(sAMLSSOReqValidationResponseDTO.isIdPInitSSO());

        String sessionDataKey = UUIDGenerator.generateUUID();
        addSessionDataToCache(sessionDataKey, session);
        // Result discarded in the original; retained unchanged in case the call has side effects.
        IdentityUtil.getServerURL("commonauth", false, true);

        AuthenticationRequest frameworkRequest = new AuthenticationRequest();
        frameworkRequest.appendRequestQueryParams(httpServletRequest.getParameterMap());
        Enumeration headerNames = httpServletRequest.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String headerName = headerNames.nextElement().toString();
            frameworkRequest.addHeader(headerName, httpServletRequest.getHeader(headerName));
        }
        frameworkRequest.setRelyingParty(sAMLSSOReqValidationResponseDTO.getIssuer());
        frameworkRequest.setCommonAuthCallerPath(httpServletRequest.getContextPath());
        frameworkRequest.setForceAuth(sAMLSSOReqValidationResponseDTO.isForceAuthn());
        if (!frameworkRequest.getForceAuth()) {
            String[] forceAuthValues = frameworkRequest.getRequestQueryParam("forceAuth");
            if (forceAuthValues != null) {
                String forceAuthValue = forceAuthValues[0].trim();
                // parseBoolean is only true for "true" (case-insensitive), so this can only enable it.
                if (!forceAuthValue.isEmpty() && Boolean.parseBoolean(forceAuthValue)) {
                    frameworkRequest.setForceAuth(true);
                }
            }
        }
        frameworkRequest.setPassiveAuth(sAMLSSOReqValidationResponseDTO.isPassive());
        frameworkRequest.setTenantDomain(session.getTenantDomain());
        frameworkRequest.setPost(z);

        addAuthenticationRequestToRequest(httpServletRequest, new AuthenticationRequestCacheEntry(frameworkRequest));
        FrameworkUtils.setRequestPathCredentials(httpServletRequest);
        sendRequestToFramework(httpServletRequest, httpServletResponse, sessionDataKey, "samlsso");
    }

    /**
     * Attaches the framework request cache entry to the servlet request under the "authRequest"
     * attribute, which is where the framework handler picks it up.
     */
    private void addAuthenticationRequestToRequest(HttpServletRequest httpServletRequest, AuthenticationRequestCacheEntry authenticationRequestCacheEntry) {
        final String attributeName = "authRequest";
        httpServletRequest.setAttribute(attributeName, authenticationRequestCacheEntry);
    }

    /**
     * Caches a logout-flavoured session DTO under a fresh key and sends the request to the
     * authentication framework with commonAuthLogout=true.
     *
     * @param sAMLSSOReqValidationResponseDTO validated logout request, or null for a logout that
     *                                        is not backed by a SAML message
     * @param str  RelayState to carry through the flow (may be null)
     * @param str2 SSO token cookie value identifying the session to terminate
     * @param z    true when the logout request was invalid; handleRequest then redirects to the
     *             default logout page when the framework calls back
     * @param z2   whether the incoming request was a POST
     *
     * NOTE(review): commonAuthLogout is added before setRequestQueryParams(getParameterMap()) and
     * the parameter map is appended again afterwards. If setRequestQueryParams replaces the map
     * rather than merging into it, the commonAuthLogout flag is lost — confirm against
     * AuthenticationRequest. The call order is preserved exactly here.
     */
    private void sendToFrameworkForLogout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SAMLSSOReqValidationResponseDTO sAMLSSOReqValidationResponseDTO, String str, String str2, boolean z, boolean z2) throws ServletException, IOException {
        SAMLSSOSessionDTO logoutSession = new SAMLSSOSessionDTO();
        logoutSession.setLogoutReq(true);
        logoutSession.setInvalidLogout(z);
        logoutSession.setHttpQueryString(httpServletRequest.getQueryString());
        logoutSession.setRelayState(str);
        logoutSession.setSessionId(str2);
        boolean hasSamlMessage = sAMLSSOReqValidationResponseDTO != null;
        if (hasSamlMessage) {
            logoutSession.setValidationRespDTO(sAMLSSOReqValidationResponseDTO);
            logoutSession.setDestination(sAMLSSOReqValidationResponseDTO.getDestination());
            logoutSession.setRequestMessageString(sAMLSSOReqValidationResponseDTO.getRequestMessageString());
            logoutSession.setIssuer(sAMLSSOReqValidationResponseDTO.getIssuer());
            logoutSession.setRequestID(sAMLSSOReqValidationResponseDTO.getId());
            logoutSession.setSubject(sAMLSSOReqValidationResponseDTO.getSubject());
            logoutSession.setRelyingPartySessionId(sAMLSSOReqValidationResponseDTO.getRpSessionId());
            logoutSession.setAssertionConsumerURL(sAMLSSOReqValidationResponseDTO.getAssertionConsumerURL());
        }

        String sessionDataKey = UUIDGenerator.generateUUID();
        addSessionDataToCache(sessionDataKey, logoutSession);
        // Result discarded in the original; retained unchanged in case the call has side effects.
        IdentityUtil.getServerURL("commonauth", false, true);

        AuthenticationRequest frameworkRequest = new AuthenticationRequest();
        frameworkRequest.addRequestQueryParam("commonAuthLogout", new String[]{"true"});
        frameworkRequest.setRequestQueryParams(httpServletRequest.getParameterMap());
        frameworkRequest.setCommonAuthCallerPath(httpServletRequest.getContextPath());
        frameworkRequest.setPost(z2);
        if (hasSamlMessage) {
            frameworkRequest.setRelyingParty(sAMLSSOReqValidationResponseDTO.getIssuer());
        }
        frameworkRequest.appendRequestQueryParams(httpServletRequest.getParameterMap());
        Enumeration headerNames = httpServletRequest.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String headerName = headerNames.nextElement().toString();
            frameworkRequest.addHeader(headerName, httpServletRequest.getHeader(headerName));
        }

        addAuthenticationRequestToRequest(httpServletRequest, new AuthenticationRequestCacheEntry(frameworkRequest));
        sendRequestToFramework(httpServletRequest, httpServletResponse, sessionDataKey, "samlsso");
    }

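    /**
     * Writes the auto-submitting HTML form that POSTs the SAML response to the assertion consumer
     * service, either from the configured samlsso_response.html template or from a built-in
     * fallback page.
     *
     * @param str  RelayState to echo back, or null
     * @param str2 SAML response message (must be non-empty)
     * @param str3 assertion consumer URL the form posts to (must be non-empty)
     * @param str4 authenticated subject (unused here, kept for the caller's signature)
     * @param str5 AuthenticatedIdPs value, or null/empty to omit it
     * @param str6 tenant domain appended to the ACS URL when tenant partitioning is enabled
     * @throws IdentityException when the ACS URL or response message is missing
     *
     * Every value spliced into HTML — including the ACS URL, which the original emitted raw into
     * the form action attribute and the $acUrl template placeholder — is encoded for the HTML
     * attribute context. This assumes the template only uses $acUrl in HTML markup (not inside a
     * script string); confirm against samlsso_response.html.
     */
    private void sendResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2, String str3, String str4, String str5, String str6) throws ServletException, IOException, IdentityException {
        String acsUrl = getACSUrlWithTenantPartitioning(str3, str6);
        if (acsUrl == null || acsUrl.trim().length() == 0) {
            log.error("ACS Url is Null");
            throw new IdentityException("Unexpected error in sending message out");
        }
        if (str2 == null || str2.trim().length() == 0) {
            log.error("Response message is Null");
            throw new IdentityException("Unexpected error in sending message out");
        }
        String encodedAcsUrl = Encode.forHtmlAttribute(acsUrl);
        String samlResponseInput = "<input type='hidden' name='SAMLResponse' value='" + Encode.forHtmlAttribute(str2) + "'>";
        String relayStateInput = str != null
                ? "<input type='hidden' name='RelayState' value='" + Encode.forHtmlAttribute(str) + "'>"
                : null;
        String authenticatedIdPsInput = (str5 != null && !str5.isEmpty())
                ? "<input type='hidden' name='AuthenticatedIdPs' value='" + Encode.forHtmlAttribute(str5) + "'>"
                : null;

        String template = IdentitySAMLSSOServiceComponent.getSsoRedirectHtml();
        if (template != null) {
            // Each replacement keeps the <!--$params--> marker so the next input is inserted before
            // the previous one; the resulting order (RelayState, then SAMLResponse) matches the original.
            String page = template.replace("$acUrl", encodedAcsUrl)
                    .replace("<!--$params-->", "<!--$params-->\n" + samlResponseInput);
            if (relayStateInput != null) {
                page = page.replace("<!--$params-->", "<!--$params-->\n" + relayStateInput);
            }
            if (authenticatedIdPsInput != null) {
                page = page.replace("<!--$additionalParams-->", authenticatedIdPsInput);
            }
            httpServletResponse.getWriter().print(page);
            // This dumps the full SAMLResponse (assertion and user attributes) into the log at debug.
            if (log.isDebugEnabled()) {
                log.debug("samlsso_response.html " + page);
            }
            return;
        }

        // Fallback page when no template is configured.
        PrintWriter writer = httpServletResponse.getWriter();
        writer.println("<html>");
        writer.println("<body>");
        writer.println("<p>You are now redirected back to " + Encode.forHtmlContent(acsUrl));
        writer.println(" If the redirection fails, please click the post button.</p>");
        writer.println("<form method='post' action='" + encodedAcsUrl + "'>");
        writer.println("<p>");
        writer.println(samlResponseInput);
        if (relayStateInput != null) {
            writer.println(relayStateInput);
        }
        if (authenticatedIdPsInput != null) {
            writer.println(authenticatedIdPsInput);
        }
        writer.println("<button type='submit'>POST</button>");
        writer.println("</p>");
        writer.println("</form>");
        writer.println("<script type='text/javascript'>");
        writer.println("document.forms[0].submit();");
        writer.println("</script>");
        writer.println("</body>");
        writer.println("</html>");
    }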

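    /**
     * Completes a SAML authentication flow once the framework has called back with a
     * sessionDataKey.
     *
     * @param str              SSO token cookie value, or null when the browser had none
     * @param sAMLSSOSessionDTO the cached request snapshot written by sendToFrameworkForAuthentication
     *
     * Outcomes:
     *  - no result or unauthenticated, passive request -> NoPassive status posted to the ACS;
     *  - no result (cache miss: expired or replayed sessionDataKey), non-passive -> IdentityException
     *    (the original dereferenced the null result here and failed with an NPE instead);
     *  - unauthenticated, non-passive -> AuthnFailed notification page;
     *  - authenticated -> issue the response, store the token cookie, post to the ACS.
     *
     * The cached session data is removed using the same key that was used to look it up (attribute
     * first, then parameter); the original removed by the request parameter only, so a key that
     * arrived as a request attribute left its cache entry behind.
     *
     * NOTE(review): when the browser already presents a samlssoTokenId cookie its value is reused
     * as the session token rather than regenerated after authentication. If the downstream
     * authenticate() binds a new session to a caller-supplied id, a pre-planted cookie value
     * amounts to session fixation — confirm in SAMLSSOService.
     */
    private void handleAuthenticationReponseFromFramework(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, SAMLSSOSessionDTO sAMLSSOSessionDTO) throws UserStoreException, IdentityException, IOException, ServletException {
        String sessionDataKey = getSessionDataKey(httpServletRequest);
        AuthenticationResult authenticationResult = getAuthenticationResult(httpServletRequest, sessionDataKey);
        if (authenticationResult == null && log.isDebugEnabled()) {
            log.debug("Session data is not found for key : " + sessionDataKey);
        }
        SAMLSSOReqValidationResponseDTO validationRespDTO = sAMLSSOSessionDTO.getValidationRespDTO();
        if (authenticationResult == null || !authenticationResult.isAuthenticated()) {
            if (authenticationResult != null && log.isDebugEnabled()) {
                log.debug("Unauthenticated User");
            }
            if (validationRespDTO.isPassive()) {
                // Passive requests are answered at the ACS with a NoPassive status rather than an error page.
                ArrayList<String> statusCodes = new ArrayList<String>();
                statusCodes.add(SAMLSSOConstants.StatusCodes.NO_PASSIVE);
                statusCodes.add(SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR);
                validationRespDTO.setResponse(SAMLSSOUtil.buildErrorResponse(validationRespDTO.getId(), statusCodes, "Cannot authenticate Subject in Passive Mode", validationRespDTO.getDestination()));
                sendResponse(httpServletRequest, httpServletResponse, sAMLSSOSessionDTO.getRelayState(), validationRespDTO.getResponse(), validationRespDTO.getAssertionConsumerURL(), validationRespDTO.getSubject(), null, sAMLSSOSessionDTO.getTenantDomain());
                return;
            }
            if (authenticationResult == null) {
                // handleRequest turns this into the generic IdP error notification.
                throw new IdentityException("Session data is not found for authenticated user");
            }
            sendNotification(SAMLSSOUtil.buildErrorResponse(SAMLSSOConstants.StatusCodes.AUTHN_FAILURE, "User authentication failed", validationRespDTO.getDestination()), SAMLSSOConstants.Notification.EXCEPTION_STATUS, SAMLSSOConstants.Notification.EXCEPTION_MESSAGE, validationRespDTO.getAssertionConsumerURL(), httpServletRequest, httpServletResponse);
            return;
        }

        SAMLSSOAuthnReqDTO authnReqDTO = new SAMLSSOAuthnReqDTO();
        populateAuthnReqDTO(httpServletRequest, authnReqDTO, sAMLSSOSessionDTO, authenticationResult);
        httpServletRequest.setAttribute(SAMLSSOConstants.AUTHENTICATION_RESULT, authenticationResult);
        // A RelayState on the callback request takes precedence over the one cached at flow start.
        String relayState = httpServletRequest.getParameter(SAMLSSOConstants.RELAY_STATE);
        if (relayState == null) {
            relayState = sAMLSSOSessionDTO.getRelayState();
        }
        startTenantFlow(authnReqDTO.getTenantDomain());
        String sessionId = str;
        if (sessionId == null) {
            sessionId = UUIDGenerator.generateUUID();
        }
        SAMLSSORespDTO respDTO = new SAMLSSOService().authenticate(authnReqDTO, sessionId, authenticationResult.isAuthenticated(), authenticationResult.getAuthenticatedAuthenticators(), SAMLSSOConstants.AuthnModes.USERNAME_PASSWORD);
        if (!respDTO.isSessionEstablished()) {
            sendNotification(respDTO.getRespString(), SAMLSSOConstants.Notification.EXCEPTION_STATUS, SAMLSSOConstants.Notification.EXCEPTION_MESSAGE, respDTO.getAssertionConsumerURL(), httpServletRequest, httpServletResponse);
            return;
        }
        storeTokenIdCookie(sessionId, httpServletRequest, httpServletResponse, authnReqDTO.getTenantDomain());
        removeSessionDataFromCache(sessionDataKey);
        sendResponse(httpServletRequest, httpServletResponse, relayState, respDTO.getRespString(), respDTO.getAssertionConsumerURL(), respDTO.getSubject().getAuthenticatedSubjectIdentifier(), authenticationResult.getAuthenticatedIdPs(), sAMLSSOSessionDTO.getTenantDomain());
    }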

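    /**
     * Completes a single-logout flow once the framework has called back.
     *
     * With no validated request in the cached session (a logout that was not backed by a SAML
     * message), the local session is torn down and the browser is sent an "invalid request"
     * notification. Otherwise logout requests are fanned out to the other session participants,
     * the SAML session is removed, and the browser is either redirected to the IdP-initiated SLO
     * return URL or posted a LogoutResponse at the ACS.
     *
     * The cached session data is removed with the same key resolution used to look it up
     * (attribute first, then parameter); the original removed by request parameter only.
     *
     * NOTE(review): the IdP-initiated SLO branch redirects to validationRespDTO.getReturnToURL().
     * This is an open redirect unless validateIdPInitSSORequest restricted the returnTo value to
     * the SP's registered return URLs — confirm there.
     */
    private void handleLogoutResponseFromFramework(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SAMLSSOSessionDTO sAMLSSOSessionDTO) throws ServletException, IOException, IdentityException {
        SAMLSSOReqValidationResponseDTO validationRespDTO = sAMLSSOSessionDTO.getValidationRespDTO();
        if (validationRespDTO == null) {
            try {
                // NOTE(review): getSession() creates a container session if none exists; confirm the
                // container session id is really what doSingleLogout expects here.
                this.samlSsoService.doSingleLogout(httpServletRequest.getSession().getId());
            } catch (IdentityException e) {
                log.error("Error when processing the logout request!", e);
            }
            sendNotification(SAMLSSOUtil.buildErrorResponse(SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, "Invalid request", sAMLSSOSessionDTO.getAssertionConsumerURL()), SAMLSSOConstants.Notification.INVALID_MESSAGE_STATUS, SAMLSSOConstants.Notification.INVALID_MESSAGE_MESSAGE, sAMLSSOSessionDTO.getAssertionConsumerURL(), httpServletRequest, httpServletResponse);
            return;
        }
        LogoutRequestSender.getInstance().sendLogoutRequests(validationRespDTO.getLogoutRespDTO());
        SAMLSSOUtil.removeSession(sAMLSSOSessionDTO.getSessionId(), validationRespDTO.getIssuer());
        removeSessionDataFromCache(getSessionDataKey(httpServletRequest));
        if (validationRespDTO.isIdPInitSLO()) {
            httpServletResponse.sendRedirect(validationRespDTO.getReturnToURL());
        } else {
            sendResponse(httpServletRequest, httpServletResponse, sAMLSSOSessionDTO.getRelayState(), validationRespDTO.getLogoutResponse(), validationRespDTO.getAssertionConsumerURL(), validationRespDTO.getSubject(), null, sAMLSSOSessionDTO.getTenantDomain());
        }
    }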

    /**
     * Copies the cached request snapshot and the framework's authentication result into the
     * DTO that SAMLSSOService.authenticate consumes, and records the SaaS flag and the user's
     * tenant domain in the SAML thread-locals.
     *
     * The attribute consuming service index is only copied when it is 1 or greater.
     */
    private void populateAuthnReqDTO(HttpServletRequest httpServletRequest, SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO, SAMLSSOSessionDTO sAMLSSOSessionDTO, AuthenticationResult authenticationResult) throws UserStoreException, IdentityException {
        // Request-side data captured when the flow started.
        sAMLSSOAuthnReqDTO.setId(sAMLSSOSessionDTO.getRequestID());
        sAMLSSOAuthnReqDTO.setIssuer(sAMLSSOSessionDTO.getIssuer());
        sAMLSSOAuthnReqDTO.setSubject(sAMLSSOSessionDTO.getSubject());
        sAMLSSOAuthnReqDTO.setDestination(sAMLSSOSessionDTO.getDestination());
        sAMLSSOAuthnReqDTO.setAssertionConsumerURL(sAMLSSOSessionDTO.getAssertionConsumerURL());
        sAMLSSOAuthnReqDTO.setRpSessionId(sAMLSSOSessionDTO.getRelyingPartySessionId());
        sAMLSSOAuthnReqDTO.setRequestMessageString(sAMLSSOSessionDTO.getRequestMessageString());
        sAMLSSOAuthnReqDTO.setQueryString(sAMLSSOSessionDTO.getHttpQueryString());
        sAMLSSOAuthnReqDTO.setTenantDomain(sAMLSSOSessionDTO.getTenantDomain());
        sAMLSSOAuthnReqDTO.setIdPInitSSOEnabled(sAMLSSOSessionDTO.isIdPInitSSO());
        sAMLSSOAuthnReqDTO.setIdPInitSLOEnabled(sAMLSSOSessionDTO.isIdPInitSLO());
        int acsIndex = sAMLSSOSessionDTO.getAttributeConsumingServiceIndex();
        if (acsIndex >= 1) {
            sAMLSSOAuthnReqDTO.setAttributeConsumingServiceIndex(acsIndex);
        }
        // Outcome of the framework authentication.
        sAMLSSOAuthnReqDTO.setUser(authenticationResult.getSubject());
        sAMLSSOAuthnReqDTO.setClaimMapping(authenticationResult.getClaimMapping());
        SAMLSSOUtil.setIsSaaSApplication(authenticationResult.isSaaSApp());
        SAMLSSOUtil.setUserTenantDomain(authenticationResult.getSubject().getTenantDomain());
    }

    /**
     * Looks up the {@code samlssoTokenId} cookie on the incoming request.
     *
     * @param httpServletRequest the current request
     * @return the first cookie named {@code samlssoTokenId}, or {@code null} when
     *         the request carries no cookies or none with that name
     */
    private Cookie getTokenIdCookie(HttpServletRequest httpServletRequest) {
        Cookie[] requestCookies = httpServletRequest.getCookies();
        if (requestCookies != null) {
            for (Cookie candidate : requestCookies) {
                if (StringUtils.equals(candidate.getName(), "samlssoTokenId")) {
                    return candidate;
                }
            }
        }
        return null;
    }

    /**
     * Issues the {@code samlssoTokenId} cookie on the response.
     * The cookie is marked Secure and HttpOnly, so it is only sent over TLS and is
     * not reachable from page scripts; its lifetime follows the tenant's idle
     * session timeout (configured in minutes, converted to seconds here).
     *
     * @param str                 value to store in the cookie
     * @param httpServletRequest  the current request (not read here)
     * @param httpServletResponse response the cookie is added to
     * @param str2                tenant domain used to look up the idle timeout
     */
    private void storeTokenIdCookie(String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str2) {
        int maxAgeSeconds = IdPManagementUtil.getIdleSessionTimeOut(str2) * 60;
        Cookie tokenCookie = new Cookie("samlssoTokenId", str);
        tokenCookie.setSecure(true);
        tokenCookie.setHttpOnly(true);
        tokenCookie.setMaxAge(maxAgeSeconds);
        httpServletResponse.addCookie(tokenCookie);
    }

    /**
     * Expires the {@code samlssoTokenId} cookie by re-sending the first matching
     * request cookie with a max-age of zero. Does nothing when the request has no
     * cookies or none with that name.
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse response the expired cookie is added to
     */
    public void removeTokenIdCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Cookie[] requestCookies = httpServletRequest.getCookies();
        if (requestCookies == null) {
            return;
        }
        for (Cookie candidate : requestCookies) {
            if (!StringUtils.equals(candidate.getName(), "samlssoTokenId")) {
                continue;
            }
            // Max-age 0 tells the browser to drop the cookie immediately.
            candidate.setMaxAge(0);
            httpServletResponse.addCookie(candidate);
            return;
        }
    }

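    /**
     * Appends the tenant domain as a {@code tenantDomain} query parameter to the
     * assertion consumer service URL when tenant partitioning is enabled.
     *
     * @param str  assertion consumer service URL
     * @param str2 tenant domain, may be {@code null}
     * @return the URL with the tenant parameter appended, or {@code str} unchanged
     *         when no tenant domain is given or partitioning is disabled
     * @throws IllegalStateException if the runtime lacks UTF-8 support (never expected)
     */
    private String getACSUrlWithTenantPartitioning(String str, String str2) {
        if (str2 == null || !"true".equals(IdentityUtil.getProperty("SSOService.TenantPartitioningEnabled"))) {
            return str;
        }
        String encodedTenantDomain;
        try {
            // The value becomes part of a URL the browser is redirected to; encoding it
            // keeps reserved characters from altering the query string.
            encodedTenantDomain = URLEncoder.encode(str2, "UTF-8");
        } catch (java.io.UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 encoding is not supported", e);
        }
        // Continue an existing query string rather than emitting a second '?'.
        String separator = (str != null && str.indexOf('?') >= 0) ? "&" : "?";
        return str + separator + "tenantDomain=" + encodedTenantDomain;
    }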

    /**
     * Stores the session DTO in the session data cache under the given key.
     *
     * @param str               session data key
     * @param sAMLSSOSessionDTO state to cache
     */
    private void addSessionDataToCache(String str, SAMLSSOSessionDTO sAMLSSOSessionDTO) {
        SessionDataCacheEntry entry = new SessionDataCacheEntry();
        entry.setSessionDTO(sAMLSSOSessionDTO);
        SessionDataCache.getInstance().addToCache(new SessionDataCacheKey(str), entry);
    }

    /**
     * Fetches the session DTO cached under the given key.
     *
     * @param str session data key
     * @return the cached session DTO, or {@code null} when there is no entry for the key
     */
    private SAMLSSOSessionDTO getSessionDataFromCache(String str) {
        SessionDataCacheEntry entry = SessionDataCache.getInstance().getValueFromCache(new SessionDataCacheKey(str));
        if (entry == null) {
            return null;
        }
        return entry.getSessionDTO();
    }

    /**
     * Clears the session data cache entry for the given key; a {@code null} key is ignored.
     *
     * @param str session data key, may be {@code null}
     */
    private void removeSessionDataFromCache(String str) {
        if (str == null) {
            return;
        }
        SessionDataCache.getInstance().clearCacheEntry(new SessionDataCacheKey(str));
    }

    /**
     * Resolves the authentication result, preferring the one attached to the request
     * and falling back to the framework cache. Falling back also flips
     * {@code isCacheAvailable} to {@code true} as a side effect.
     *
     * @param httpServletRequest the current request
     * @param str                cache key used for the fallback lookup
     * @return the result from the request attribute or the cache, or {@code null} if neither holds one
     */
    private AuthenticationResult getAuthenticationResult(HttpServletRequest httpServletRequest, String str) {
        AuthenticationResult result = getAuthenticationResultFromRequest(httpServletRequest);
        if (result != null) {
            return result;
        }
        this.isCacheAvailable = true;
        return getAuthenticationResultFromCache(str);
    }

    /**
     * Reads the authentication result from the framework cache.
     *
     * @param str cache key
     * @return the cached result, or {@code null} (after logging an error) when no entry exists
     */
    private AuthenticationResult getAuthenticationResultFromCache(String str) {
        AuthenticationResultCacheEntry entry = FrameworkUtils.getAuthenticationResultFromCache(str);
        if (entry == null) {
            log.error("Cannot find AuthenticationResult from the cache");
            return null;
        }
        return entry.getResult();
    }

    /**
     * Reads the authentication result the framework attached to the request.
     *
     * @param httpServletRequest the current request
     * @return the {@code authResult} attribute cast to {@link AuthenticationResult}, or {@code null} if absent
     */
    private AuthenticationResult getAuthenticationResultFromRequest(HttpServletRequest httpServletRequest) {
        Object attribute = httpServletRequest.getAttribute("authResult");
        return (AuthenticationResult) attribute;
    }

    /**
     * Discards the authentication result from both places it may live: the request
     * attribute and the framework cache.
     *
     * @param httpServletRequest the current request
     * @param str                cache key of the result to drop
     */
    private void removeAuthenticationResult(HttpServletRequest httpServletRequest, String str) {
        httpServletRequest.removeAttribute("authResult");
        FrameworkUtils.removeAuthenticationResultFromCache(str);
    }

    /**
     * Drops the {@code authResult} attribute from the request.
     *
     * @param httpServletRequest the current request
     */
    private void removeAuthenticationResultFromRequest(HttpServletRequest httpServletRequest) {
        final String attributeName = "authResult";
        httpServletRequest.removeAttribute(attributeName);
    }

    /**
     * Starts a Carbon tenant flow for the given tenant domain. A null, blank or
     * literal {@code "null"} domain is treated as the super tenant ({@code carbon.super},
     * id {@code -1234}); any other domain is resolved through the realm service.
     *
     * @param str tenant domain, may be {@code null}
     * @throws IdentityException if the domain is unknown (tenant id {@code -1}) or the
     *                           realm service lookup fails
     */
    private void startTenantFlow(String str) throws IdentityException {
        String tenantDomain = str;
        int tenantId = -1234;
        boolean useSuperTenant = tenantDomain == null
                || tenantDomain.trim().isEmpty()
                || "null".equalsIgnoreCase(tenantDomain.trim());
        if (useSuperTenant) {
            tenantDomain = "carbon.super";
        } else {
            try {
                tenantId = SAMLSSOUtil.getRealmService().getTenantManager().getTenantId(tenantDomain);
            } catch (UserStoreException e) {
                String message = "Error occurred while getting tenant ID from tenantDomain " + tenantDomain;
                log.error(message, e);
                throw new IdentityException(message, e);
            }
            // -1 is the realm service's "no such tenant" answer.
            if (tenantId == -1) {
                String message = "Invalid Tenant Domain : " + tenantDomain;
                if (log.isDebugEnabled()) {
                    log.debug(message);
                }
                throw new IdentityException(message);
            }
        }
        PrivilegedCarbonContext.startTenantFlow();
        PrivilegedCarbonContext carbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
        carbonContext.setTenantId(tenantId);
        carbonContext.setTenantDomain(tenantDomain);
    }

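    /**
     * Collects every known SAML query parameter from the request into an array of
     * {@link QueryParamDTO}, one per {@link SAMLSSOConstants.QueryParameter} constant.
     * Parameters missing from the request yield a DTO with a {@code null} value.
     *
     * @param httpServletRequest the current request
     * @return one DTO per enum constant, in declaration order
     */
    private QueryParamDTO[] getQueryParams(HttpServletRequest httpServletRequest) {
        SAMLSSOConstants.QueryParameter[] parameters = SAMLSSOConstants.QueryParameter.values();
        // Size is known up front, so build the array directly instead of a raw-typed list.
        QueryParamDTO[] queryParams = new QueryParamDTO[parameters.length];
        for (int idx = 0; idx < parameters.length; idx++) {
            String name = parameters[idx].toString();
            queryParams[idx] = new QueryParamDTO(name, httpServletRequest.getParameter(name));
        }
        return queryParams;
    }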

    /**
     * Hands the request to the authentication framework and acts on the resulting
     * {@code authenticatorFlowStatus} request attribute: an INCOMPLETE flow is
     * redirected to the URL the framework captured, otherwise processing continues
     * in {@link #doGet}. A missing status is recorded as UNKNOWN before continuing.
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse the current response
     * @throws ServletException propagated from the framework handler or doGet
     * @throws IOException      propagated from the framework handler, redirect or doGet
     */
    private void sendRequestToFramework(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        CommonAuthResponseWrapper responseWrapper = new CommonAuthResponseWrapper(httpServletResponse);
        new CommonAuthenticationHandler().doGet(httpServletRequest, responseWrapper);

        AuthenticatorFlowStatus flowStatus = (AuthenticatorFlowStatus) httpServletRequest.getAttribute("authenticatorFlowStatus");
        if (flowStatus == AuthenticatorFlowStatus.INCOMPLETE) {
            // The framework wants the user elsewhere (e.g. a login page); the wrapper holds where.
            httpServletResponse.sendRedirect(responseWrapper.getRedirectURL());
            return;
        }
        if (flowStatus == null) {
            httpServletRequest.setAttribute("authenticatorFlowStatus", AuthenticatorFlowStatus.UNKNOWN);
        }
        doGet(httpServletRequest, httpServletResponse);
    }

    /**
     * Variant of {@code sendRequestToFramework} that first wraps the request to add
     * the session data key and a {@code type} parameter, then hands it to the
     * framework. Note that the flow status is read from the original request while
     * the UNKNOWN fallback is written to the wrapper; that asymmetry is preserved as-is.
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse the current response
     * @param str                 session data key passed to the framework
     * @param str2                value for the {@code type} parameter
     * @throws ServletException propagated from the framework handler or doGet
     * @throws IOException      propagated from the framework handler, redirect or doGet
     */
    private void sendRequestToFramework(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2) throws ServletException, IOException {
        CommonAuthRequestWrapper requestWrapper = new CommonAuthRequestWrapper(httpServletRequest);
        requestWrapper.setParameter(SAMLSSOConstants.SESSION_DATA_KEY, str);
        requestWrapper.setParameter("type", str2);
        CommonAuthResponseWrapper responseWrapper = new CommonAuthResponseWrapper(httpServletResponse);
        new CommonAuthenticationHandler().doGet(requestWrapper, responseWrapper);

        AuthenticatorFlowStatus flowStatus = (AuthenticatorFlowStatus) httpServletRequest.getAttribute("authenticatorFlowStatus");
        if (flowStatus == AuthenticatorFlowStatus.INCOMPLETE) {
            // The framework wants the user elsewhere (e.g. a login page); the wrapper holds where.
            httpServletResponse.sendRedirect(responseWrapper.getRedirectURL());
            return;
        }
        if (flowStatus == null) {
            requestWrapper.setAttribute("authenticatorFlowStatus", AuthenticatorFlowStatus.UNKNOWN);
        }
        doGet(requestWrapper, httpServletResponse);
    }
}
