package org.wso2.carbon.appmgt.gateway.handlers.security.saml2;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.StringWriter;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;
import javax.cache.Cache;
import javax.cache.Caching;
import javax.xml.namespace.QName;
import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMFactory;
import org.apache.axiom.om.OMNamespace;
import org.apache.axiom.soap.SOAPBody;
import org.apache.axiom.soap.SOAPEnvelope;
import org.apache.axis2.AxisFault;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.synapse.ManagedLifecycle;
import org.apache.synapse.Mediator;
import org.apache.synapse.MessageContext;
import org.apache.synapse.SynapseException;
import org.apache.synapse.core.SynapseEnvironment;
import org.apache.synapse.core.axis2.Axis2MessageContext;
import org.apache.synapse.core.axis2.Axis2Sender;
import org.apache.synapse.rest.AbstractHandler;
import org.apache.synapse.transport.passthru.util.RelayUtils;
import org.joda.time.DateTime;
import org.json.simple.JSONArray;
import org.json.simple.JSONObject;
import org.json.simple.JSONValue;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLVersion;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.LogoutRequest;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.NameIDPolicy;
import org.opensaml.saml2.core.RequestAbstractType;
import org.opensaml.saml2.core.RequestedAuthnContext;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.SessionIndex;
import org.opensaml.saml2.core.impl.AuthnContextClassRefBuilder;
import org.opensaml.saml2.core.impl.AuthnRequestBuilder;
import org.opensaml.saml2.core.impl.IssuerBuilder;
import org.opensaml.saml2.core.impl.LogoutRequestBuilder;
import org.opensaml.saml2.core.impl.NameIDBuilder;
import org.opensaml.saml2.core.impl.NameIDPolicyBuilder;
import org.opensaml.saml2.core.impl.RequestedAuthnContextBuilder;
import org.opensaml.saml2.core.impl.SessionIndexBuilder;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.util.Base64;
import org.opensaml.xml.util.XMLHelper;
import org.w3c.dom.Element;
import org.wso2.carbon.appmgt.api.AppManagementException;
import org.wso2.carbon.appmgt.api.model.AuthenticatedIDP;
import org.wso2.carbon.appmgt.api.model.WebApp;
import org.wso2.carbon.appmgt.gateway.handlers.Utils;
import org.wso2.carbon.appmgt.gateway.handlers.security.APISecurityConstants;
import org.wso2.carbon.appmgt.gateway.handlers.security.APISecurityException;
import org.wso2.carbon.appmgt.gateway.handlers.security.Authenticator;
import org.wso2.carbon.appmgt.gateway.handlers.security.oauth.OAuthAuthenticator;
import org.wso2.carbon.appmgt.gateway.handlers.throttling.APIThrottleConstants;
import org.wso2.carbon.appmgt.gateway.token.JWTGenerator;
import org.wso2.carbon.appmgt.gateway.token.TokenGenerator;
import org.wso2.carbon.appmgt.gateway.utils.AppContextCacheUtil;
import org.wso2.carbon.appmgt.impl.AppManagerConfiguration;
import org.wso2.carbon.appmgt.impl.dao.AppMDAO;
import org.wso2.carbon.appmgt.impl.dto.SAMLTokenInfoDTO;
import org.wso2.carbon.appmgt.impl.dto.VerbInfoDTO;
import org.wso2.carbon.appmgt.impl.dto.WebAppInfoDTO;
import org.wso2.carbon.appmgt.impl.service.ServiceReferenceHolder;
import org.wso2.carbon.appmgt.impl.utils.AppManagerUtil;
import org.wso2.carbon.appmgt.impl.utils.NamedMatchList;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;

/* loaded from: input_file:org/wso2/carbon/appmgt/gateway/handlers/security/saml2/SAML2AuthenticationHandler.class */
public class SAML2AuthenticationHandler extends AbstractHandler implements ManagedLifecycle {
    // Logger for this handler.
    private static final Log log = LogFactory.getLog(SAML2AuthenticationHandler.class);
    // Names of the attributes the IdP posts back to the gateway on its callback; looked up in the
    // map returned by getIDPResponseAttributes and in the SOAP body of SLO requests.
    private static final String IDP_CALLBACK_ATTRIBUTE_NAME_SAML_RESPONSE = "SAMLResponse";
    private static final String IDP_CALLBACK_ATTRIBUTE_NAME_AUTHENTICATED_IDPS = "AuthenticatedIdPs";
    private static final String IDP_CALLBACK_ATTRIBUTE_NAME_SAML_ASSERTION = "Assertion";
    private static final String IDP_CALLBACK_ATTRIBUTE_NAME_SAML_ASSERTION_NOT_ON_OR_AFTER = "NotOnOrAfter";
    private static final String IDP_CALLBACK_ATTRIBUTE_NAME_SAML_REQUEST = "SAMLRequest";
    private static final String IDP_CALLBACK_ATTRIBUTE_NAME_RELAY_STATE = "RelayState";
    // OAuth authenticator; in this class it is only consulted for the name of the security-context
    // header that carries the JWT (see addCachedJWTToTransportHeaders).
    private Authenticator authenticator;
    // Performs the subscription check (isSubscribed) and exposes the key cache of logged-in users.
    private SAML2Authenticator saml2Authenticator;
    // SSO settings of the web app this handler fronts; loaded lazily on the first request (handleRequest).
    // NOTE(review): written on the first request and read on every later one without synchronization;
    // a Synapse handler instance is normally shared across threads — confirm safe publication.
    private WebAppInfoDTO webAppInfoDTO;
    // WebApp view copied from webAppInfoDTO; handed to the token generator when JWTs are issued.
    private WebApp webApp;
    // Whether JWT generation is turned on in the App Manager configuration (initJWTCapabilities).
    private boolean isJWTEnabled = false;
    // Assigned in init(); presumably what getTokenGenerator() returns — that accessor is outside this view.
    private TokenGenerator defaultTokenGenerator;

    /**
     * Creates and initialises the OAuth and SAML2 authenticators, reads the JWT switch from the
     * App Manager configuration and prepares the default token generator.
     * <p>
     * Statement order matters: the authenticators are assigned before {@link #initJWTCapabilities()}
     * runs, so a failure part-way through leaves the handler partially initialised before the
     * exception propagates.
     *
     * @param synapseEnvironment the Synapse environment passed on to both authenticators
     * @throws SynapseException wrapping any failure raised while initialising either authenticator
     */
    public void init(SynapseEnvironment synapseEnvironment) {
        if (log.isDebugEnabled()) {
            log.debug("Initializing WebApp authentication handler instance");
        }
        try {
            this.authenticator = new OAuthAuthenticator();
            this.saml2Authenticator = new SAML2Authenticator();
            this.webApp = new WebApp();
            initJWTCapabilities();
            // Warms the tenant context/version URL map; the return value is intentionally unused here.
            AppContextCacheUtil.getTenantContextVersionUrlMap();
            this.authenticator.init(synapseEnvironment);
            this.saml2Authenticator.init(synapseEnvironment);
            this.defaultTokenGenerator = new JWTGenerator();
        } catch (Exception e) {
            throw new SynapseException("Error while initializing SAML or OAuth authenticator", e);
        }
    }

    /**
     * Entry point for inbound requests. Lazily loads the web app's SSO configuration, answers
     * IdP-initiated single-logout (SLO) requests, lets anonymous apps and anonymous URL patterns
     * through, and otherwise authenticates the caller either from the SSO cookie or from a freshly
     * posted SAMLResponse before checking that the requested resource is accessible.
     *
     * @param messageContext the Synapse message context of the inbound request
     * @return {@code true} to continue mediation towards the backend; {@code false} when a response
     *         (SLO acknowledgement, IdP redirect or authorisation failure) has already been sent
     * @throws SynapseException when the SOAP envelope cannot be rebuilt or the SSO lookup fails
     */
    public boolean handleRequest(MessageContext messageContext) {
        String str = (String) messageContext.getProperty("REST_API_CONTEXT");
        String str2 = (String) messageContext.getProperty("SYNAPSE_REST_API_VERSION");
        String str3 = (String) messageContext.getProperty("HTTP_METHOD");
        if (str3 == null) {
            // Fall back to the Axis2 transport property when Synapse did not set HTTP_METHOD.
            str3 = (String) ((Axis2MessageContext) messageContext).getAxis2MessageContext().getProperty("HTTP_METHOD");
        }
        String str4 = (String) messageContext.getProperty("REST_FULL_REQUEST_PATH");
        try {
            if (this.webAppInfoDTO == null) {
                // First request through this handler instance: load and keep the app's SSO settings.
                // getSSOInfoForApp returns null on a DAO failure, which is not checked here.
                // NOTE(review): unsynchronized lazy init on a shared handler — confirm concurrent first
                // requests are harmless.
                WebAppInfoDTO sSOInfoForApp = getSSOInfoForApp(str, str2);
                constructAndSetFullyQualifiedSamlIssuerId(messageContext, sSOInfoForApp);
                this.webAppInfoDTO = sSOInfoForApp;
                populateWebAppFromWebAppInfoDTO();
            }
            // An SLO request is only looked for on the app root ("context/version/") or the configured logout URL.
            if ((String.format("%s/%s/", str, str2).equals(str4) || isLogoutRequest(messageContext)) && isSLORequestFromIDP(messageContext)) {
                if (log.isDebugEnabled()) {
                    log.debug("Request is an SLO request from the IDP");
                }
                handleSLORequest(messageContext);
                if (log.isDebugEnabled()) {
                    log.debug("Sending SLO response to the IDP");
                }
                sendSLOResponse(messageContext);
                return false;
            }
            // Anonymous access at app level: no authentication at all.
            boolean isAllowAnonymousApplication = isAllowAnonymousApplication();
            messageContext.setProperty("overview_allowAnonymous", Boolean.valueOf(isAllowAnonymousApplication));
            if (isAllowAnonymousApplication) {
                return true;
            }
            // Anonymous access for this method + path, or SSO not configured for the app (no IdP URL).
            boolean isAllowAnonymousUrlPattern = isAllowAnonymousUrlPattern(str3, str4);
            messageContext.setProperty("URITemplate_allowAnonymous", Boolean.valueOf(isAllowAnonymousUrlPattern));
            if (isAllowAnonymousUrlPattern || !isSSOEnabled()) {
                return true;
            }
            // z = "authenticated by one of the two paths below".
            boolean z = false;
            if (shouldAuthenticateWithCookie(messageContext)) {
                messageContext.setProperty("appmSamlCacheHit", 1);
                z = handleSecurityUsingCookie(messageContext);
            } else if (shouldAuthenticateWithSAMLResponse(messageContext)) {
                if (log.isDebugEnabled()) {
                    log.debug("Processing SAML response");
                }
                messageContext.setProperty("appmSamlCacheHit", 0);
                z = handleAuthorizationUsingSAMLResponse(messageContext);
                if (z) {
                    // Issue the SSO cookie. The value is the token id stored in the message context by
                    // handleAuthorizationUsingSAMLResponse: a fresh UUID, or the value of an
                    // appmSamlSsoTokenId cookie the client already sent. When a Set-Cookie header already
                    // exists, a second header is spliced in with a literal newline, relying on the
                    // transport to split it.
                    // NOTE(review): the cookie carries no HttpOnly/Secure attributes and a pre-existing
                    // client-supplied value is echoed back unvalidated — confirm against the deployment's
                    // cookie policy.
                    String str5 = (String) messageContext.getProperty("appmSamlSsoTokenId");
                    Map map = (Map) getAxis2MessageContext(messageContext).getProperty("TRANSPORT_HEADERS");
                    String str6 = (String) map.get("Set-Cookie");
                    map.put("Set-Cookie", str6 == null ? "appmSamlSsoTokenId=" + str5 + "; path=" + APIThrottleConstants.URL_MAPPING_SEPERATOR : str6 + " ;\nSet-Cookie:appmSamlSsoTokenId=" + str5 + "; Path=" + APIThrottleConstants.URL_MAPPING_SEPERATOR);
                    messageContext.setProperty("TRANSPORT_HEADERS", map);
                    // The IdP callback was a POST carrying the SAMLResponse; turn it into a GET with an
                    // empty SOAP 1.2 body so the backend sees a plain page load.
                    getAxis2MessageContext(messageContext).setProperty("HTTP_METHOD", "GET");
                    try {
                        SOAPEnvelope createSOAPEnvelope = OMAbstractFactory.getSOAP12Factory().createSOAPEnvelope();
                        createSOAPEnvelope.addChild(OMAbstractFactory.getSOAP12Factory().createSOAPBody());
                        getAxis2MessageContext(messageContext).setEnvelope(createSOAPEnvelope);
                    } catch (AxisFault e) {
                        String str7 = "Error occurred while constructing SOAPEnvelope for " + messageContext.getProperty("REST_API_CONTEXT") + APIThrottleConstants.URL_MAPPING_SEPERATOR + messageContext.getProperty("SYNAPSE_REST_API_VERSION");
                        log.error(str7, e);
                        throw new SynapseException(str7, e);
                    }
                }
            }
            if (!z) {
                // Neither a valid cookie nor a valid SAMLResponse: send the browser to the IdP.
                redirectToIDPLogin(messageContext);
                return false;
            }
            // Logout requests are fully dealt with inside the two authentication paths (handleLogoutRequest).
            if (isLogoutRequest(messageContext)) {
                return true;
            }
            if (checkResourceAccessible(messageContext)) {
                setAppmSamlSsoCookie(messageContext);
                return true;
            }
            handleAuthFailure(messageContext, new APISecurityException(APISecurityConstants.API_AUTH_FORBIDDEN, "You have no access to this Resource"));
            return false;
        } catch (AppManagementException e2) {
            // The cause is carried by the SynapseException; it is not attached to the log entry.
            log.error("Error while handling authentication.");
            throw new SynapseException("Error while handling authentication.", e2);
        }
    }

    /**
     * Copies the SSO-relevant settings of {@link #webAppInfoDTO} (context, anonymous-access flag,
     * SAML2 issuer, IdP URL and logout URL) onto {@link #webApp}.
     * Does nothing while no {@code WebAppInfoDTO} has been loaded.
     */
    private void populateWebAppFromWebAppInfoDTO() {
        WebAppInfoDTO info = this.webAppInfoDTO;
        if (info == null) {
            return;
        }
        WebApp target = this.webApp;
        target.setContext(info.getContext());
        target.setAllowAnonymous(info.getAllowAnonymous());
        target.setSaml2SsoIssuer(info.getSaml2SsoIssuer());
        target.setIdpProviderURL(info.getIdpProviderUrl());
        target.setLogoutURL(info.getLogoutUrl());
    }

    /**
     * Reads the JWT switch from the App Manager configuration into {@link #isJWTEnabled}.
     * Logs an error and leaves the flag untouched when the configuration is not available yet.
     */
    private void initJWTCapabilities() {
        AppManagerConfiguration config = ServiceReferenceHolder.getInstance()
                .getAPIManagerConfigurationService().getAPIManagerConfiguration();
        if (config != null) {
            this.isJWTEnabled = config.isJWTEnabled();
            return;
        }
        log.error("App Manager configuration is not initialized");
    }

    /**
     * Whether the whole web app allows anonymous access.
     *
     * @return the unboxed {@code allowAnonymous} flag of the loaded {@link #webAppInfoDTO}
     *         (throws {@link NullPointerException} when no DTO was loaded or the flag is unset)
     */
    private boolean isAllowAnonymousApplication() {
        Boolean allowAnonymous = this.webAppInfoDTO.getAllowAnonymous();
        return allowAnonymous.booleanValue();
    }

    /**
     * Whether the request matches one of the app's URL patterns that are flagged for anonymous access.
     * The match key is the HTTP method immediately followed by the request path (e.g. "GET" + path),
     * so the configured patterns are presumably stored in that same form — confirm against the DAO.
     *
     * @param str  the HTTP method
     * @param str2 the full request path
     * @return {@code true} only when a pattern matches and it is marked anonymous
     * @throws AppManagementException when the verb configuration cannot be loaded
     */
    private boolean isAllowAnonymousUrlPattern(String str, String str2) throws AppManagementException {
        VerbInfoDTO verbInfo = getVerbInfoForApp(this.webAppInfoDTO.getContext(), this.webAppInfoDTO.getVersion());
        if (verbInfo == null) {
            return false;
        }
        if (verbInfo.isEmptyAllowAnonymousUrlMap()) {
            return false;
        }
        NamedMatchList patterns = new NamedMatchList();
        for (String pattern : verbInfo.getAllowAnonymousUrlList()) {
            patterns.add(pattern, pattern);
        }
        String matched = (String) patterns.match(str + str2);
        if (matched == null) {
            return false;
        }
        Boolean allowed = Boolean.valueOf(verbInfo.getAllowAnonymousUrl(matched));
        return allowed != null && allowed.booleanValue();
    }

    /**
     * Outbound hook. For non-anonymous traffic it (re)issues the {@code appmSamlSsoTokenId} cookie on
     * the response using the token id stored in the message context. When a Set-Cookie header already
     * exists a second header is spliced in with a literal newline, relying on the transport to split it.
     * NOTE(review): the cookie is emitted without HttpOnly/Secure attributes — confirm this is intended.
     * Note also that the method is read from "REST_METHOD" here while handleRequest uses "HTTP_METHOD".
     *
     * @param messageContext the Synapse message context of the outbound response
     * @return always {@code true}; mediation continues
     * @throws SynapseException when the anonymous-URL lookup fails
     */
    public boolean handleResponse(MessageContext messageContext) {
        try {
            if (isAllowAnonymousApplication()) {
                return true;
            }
            String restMethod = (String) messageContext.getProperty("REST_METHOD");
            String fullPath = (String) messageContext.getProperty("REST_FULL_REQUEST_PATH");
            if (isAllowAnonymousUrlPattern(restMethod, fullPath)) {
                return true;
            }
            String tokenId = (String) messageContext.getProperty("appmSamlSsoTokenId");
            if (log.isDebugEnabled()) {
                log.debug("Reading AppMConstants.APPM_SAML2_COOKIE from msg context");
                log.debug("appmSamlSsoTokenId : " + tokenId);
            }
            Map headers = (Map) ((Axis2MessageContext) messageContext).getAxis2MessageContext().getProperty("TRANSPORT_HEADERS");
            String existingSetCookie = (String) headers.get("Set-Cookie");
            if (log.isDebugEnabled()) {
                log.debug("Exisiting set cookie string in transport headers : " + existingSetCookie);
            }
            String updatedSetCookie;
            if (existingSetCookie == null) {
                updatedSetCookie = "appmSamlSsoTokenId=" + tokenId + "; path=" + APIThrottleConstants.URL_MAPPING_SEPERATOR;
            } else {
                updatedSetCookie = existingSetCookie + " ;\nSet-Cookie:appmSamlSsoTokenId=" + tokenId + "; Path=" + APIThrottleConstants.URL_MAPPING_SEPERATOR;
            }
            if (log.isDebugEnabled()) {
                log.debug("Updated set cookie string in transport headers : " + updatedSetCookie);
            }
            headers.put("Set-Cookie", updatedSetCookie);
            messageContext.setProperty("TRANSPORT_HEADERS", headers);
            return true;
        } catch (AppManagementException e) {
            log.error("Error while handling authentication.");
            throw new SynapseException("Error while handling authentication.", e);
        }
    }

    /**
     * Lifecycle teardown; the handler holds no resources, so this only emits a debug trace.
     */
    public void destroy() {
        if (!log.isDebugEnabled()) {
            return;
        }
        log.debug("Destroying WebApp authentication handler instance");
    }

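    /**
     * Acknowledges an IdP-initiated single-logout request with an empty HTTP 200 sent straight back
     * on the inbound transport (no backend call). All transport headers are cleared first.
     * Does nothing when the transport headers are absent or not a map.
     *
     * @param messageContext the Synapse message context of the SLO request
     */
    private void sendSLOResponse(MessageContext messageContext) {
        org.apache.axis2.context.MessageContext axis2Ctx = ((Axis2MessageContext) messageContext).getAxis2MessageContext();
        Object headers = axis2Ctx.getProperty("TRANSPORT_HEADERS");
        // instanceof already rejects null; the separate null test was redundant.
        if (!(headers instanceof Map)) {
            return;
        }
        ((Map<?, ?>) headers).clear();
        axis2Ctx.setProperty("HTTP_SC", "200");
        // Boolean.TRUE replaces the deprecated, allocating new Boolean("true"); equals() semantics are unchanged.
        axis2Ctx.setProperty("NO_ENTITY_BODY", Boolean.TRUE);
        messageContext.setProperty("RESPONSE", "true");
        messageContext.setTo((EndpointReference) null);
        Axis2Sender.sendBack(messageContext);
    }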

    /**
     * Processes an IdP-initiated single-logout request: extracts the base64-encoded SAMLRequest from
     * the SOAP body, unmarshals it into a {@link LogoutRequest} and evicts the gateway session that
     * was registered under its first SessionIndex (both the SessionIndex→cookie mapping and the
     * per-cookie SAML config entry).
     * <p>
     * NOTE(review): no signature, issuer or destination validation is visible in this method; unless
     * {@code SAMLSSOUtil.unmarshall} performs it, an unauthenticated caller could terminate sessions
     * by SessionIndex — confirm where the LogoutRequest is verified.
     *
     * @param messageContext the Synapse message context whose body carries the SAMLRequest element
     * @throws AppManagementException when no SAMLRequest is present, it is not a LogoutRequest,
     *         it has no SessionIndex, or decoding/unmarshalling fails
     */
    private void handleSLORequest(MessageContext messageContext) throws AppManagementException {
        try {
            String str = null;
            // Scan every top-level body child for a SAMLRequest element; if several exist the last one wins.
            Iterator childElements = messageContext.getEnvelope().getBody().getChildElements();
            while (childElements.hasNext()) {
                OMElement firstChildWithName = ((OMElement) childElements.next()).getFirstChildWithName(new QName(IDP_CALLBACK_ATTRIBUTE_NAME_SAML_REQUEST));
                if (firstChildWithName != null) {
                    str = firstChildWithName.getText();
                }
            }
            if (str == null) {
                throw new AppManagementException("Couldn't find single logout request.");
            }
            LogoutRequest unmarshall = SAMLSSOUtil.unmarshall(new String(Base64.decode(str), "UTF-8"));
            if (!(unmarshall instanceof LogoutRequest)) {
                throw new AppManagementException("Invalid single logout request.");
            }
            // get(0) throws IndexOutOfBoundsException when the request carries no SessionIndex at all;
            // the null check below only covers a present-but-empty element.
            String sessionIndex = ((SessionIndex) unmarshall.getSessionIndexes().get(0)).getSessionIndex();
            if (sessionIndex == null) {
                throw new AppManagementException("SessionIndex not found in single logout request.");
            }
            // SessionIndex cache maps IdP session index -> gateway cookie value.
            String str2 = (String) getSAML2SessionIndexCache().get(sessionIndex);
            getSAML2SessionIndexCache().remove(sessionIndex);
            if (str2 != null) {
                getSAML2ConfigCache().remove(str2);
            }
        } catch (UnsupportedEncodingException e) {
            log.error("Couldn't decode the single logout request.");
            throw new AppManagementException("Couldn't decode the single logout request.", e);
        } catch (IdentityException e2) {
            log.error("Couldn't unmarshal the  single logout request.");
            throw new AppManagementException("Couldn't unmarshal the  single logout request.", e2);
        }
    }

    /**
     * Builds the (possibly still streamed) message body and reports whether its first body element
     * contains a SAMLRequest child, which is how an IdP-initiated single-logout request is recognised.
     *
     * @param messageContext the Synapse message context to inspect
     * @return {@code true} when a SAMLRequest element is present under the first body child
     * @throws SynapseException wrapping any failure while building the message
     */
    private boolean isSLORequestFromIDP(MessageContext messageContext) {
        try {
            org.apache.axis2.context.MessageContext axis2Ctx = ((Axis2MessageContext) messageContext).getAxis2MessageContext();
            RelayUtils.buildMessage(axis2Ctx);
            SOAPBody body = messageContext.getEnvelope().getBody();
            if (body == null) {
                return false;
            }
            Iterator children = body.getChildren();
            if (!children.hasNext()) {
                return false;
            }
            OMElement firstChild = (OMElement) children.next();
            QName samlRequest = new QName(IDP_CALLBACK_ATTRIBUTE_NAME_SAML_REQUEST);
            return firstChild.getChildrenWithName(samlRequest).hasNext();
        } catch (Exception e) {
            log.error("Error while building the message.", e);
            throw new SynapseException("Error while building the message.", e);
        }
    }

    /**
     * Whether the request carries an {@code appmSamlSsoTokenId} cookie for which a SAML response is cached.
     *
     * @param messageContext the Synapse message context of the inbound request
     * @return {@code true} when the cookie is present and known to the SAML2 config cache
     */
    private boolean shouldAuthenticateWithCookie(MessageContext messageContext) {
        String tokenId = getSAMLCookie(messageContext);
        if (tokenId == null) {
            return false;
        }
        return isSamlResponseInCache(tokenId);
    }

    /**
     * Whether the request is an IdP callback carrying a SAMLResponse attribute.
     *
     * @param messageContext the Synapse message context of the inbound request
     * @return {@code true} when {@code getIDPResponseAttributes} yields a non-null SAMLResponse
     */
    private boolean shouldAuthenticateWithSAMLResponse(MessageContext messageContext) {
        Map<String, String> idpAttributes = getIDPResponseAttributes(messageContext);
        String samlResponse = idpAttributes.get(IDP_CALLBACK_ATTRIBUTE_NAME_SAML_RESPONSE);
        if (log.isDebugEnabled()) {
            log.debug("shouldAuthenticateWithSAMLResponse" + messageContext);
            log.debug("idpResponseAttributes.get(IDP_CALLBACK_ATTRIBUTE_NAME_SAML_RESPONSE) : " + samlResponse);
        }
        return samlResponse != null;
    }

    /**
     * Returns the raw {@code Cookie} request header, or {@code null} when absent.
     *
     * @param messageContext the Synapse message context of the inbound request
     * @return the Cookie header value as found in the transport headers
     */
    private String getCookieString(MessageContext messageContext) {
        Map<String, String> headers = getTransportHeaders(messageContext);
        return headers.get("Cookie");
    }

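    /**
     * Extracts the {@code appmSamlSsoTokenId} value from the request's Cookie header.
     * <p>
     * NOTE(review): at debug level the entire Cookie header is written to the log, which may include
     * other applications' session cookies — consider logging only the extracted value.
     *
     * @param messageContext the Synapse message context of the inbound request
     * @return the cookie value, or whatever {@code getCookieValue} returns when it is absent
     */
    private String getSAMLCookie(MessageContext messageContext) {
        String cookieHeader = getCookieString(messageContext);
        // Parse once; the previous code parsed the header a second time when debug logging was on.
        String tokenId = getCookieValue(cookieHeader, "appmSamlSsoTokenId");
        if (log.isDebugEnabled()) {
            log.debug("Requesting cookie : appmSamlSsoTokenId value : " + cookieHeader + " getCookieValue() : " + tokenId);
        }
        return tokenId;
    }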

    /**
     * Whether an encoded SAML response is cached for the given cookie value.
     *
     * @param str the {@code appmSamlSsoTokenId} cookie value
     * @return {@code true} when {@link #getCachedSAMLResponse(String)} finds a token
     */
    private boolean isSamlResponseInCache(String str) {
        String cachedResponse = getCachedSAMLResponse(str);
        return cachedResponse != null;
    }

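    /**
     * Looks up the encoded SAML token cached for a cookie value and this app's SAML2 issuer.
     * <p>
     * The SAML2 config cache holds per-session maps (issuer → {@link SAMLTokenInfoDTO}) but the same
     * cache also stores a plain String under the roles key written by
     * handleAuthorizationUsingSAMLResponse. The lookups are therefore type-guarded instead of cast
     * blindly, so an unexpected value type yields {@code null} rather than a ClassCastException.
     *
     * @param str the {@code appmSamlSsoTokenId} cookie value used as cache key
     * @return the encoded SAML token, or {@code null} when nothing usable is cached
     */
    public String getCachedSAMLResponse(String str) {
        Object entry = getSAML2ConfigCache().get(str);
        if (!(entry instanceof Map)) {
            return null;
        }
        Object tokenInfo = ((Map<?, ?>) entry).get(this.webAppInfoDTO.getSaml2SsoIssuer());
        if (!(tokenInfo instanceof SAMLTokenInfoDTO)) {
            return null;
        }
        return ((SAMLTokenInfoDTO) tokenInfo).getEncodedSamlToken();
    }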

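    /**
     * Returns the IdP SessionIndex cached for a cookie value and this app's SAML2 issuer.
     * Type-guarded like {@link #getCachedSAMLResponse(String)}: the config cache mixes per-session
     * maps with a String roles entry, so a non-map value returns {@code null} instead of throwing.
     *
     * @param str the {@code appmSamlSsoTokenId} cookie value used as cache key
     * @return the cached SessionIndex, or {@code null} when none is cached
     */
    private String getCachedSessionIndex(String str) {
        Object entry = getSAML2ConfigCache().get(str);
        if (!(entry instanceof Map)) {
            return null;
        }
        Object tokenInfo = ((Map<?, ?>) entry).get(this.webAppInfoDTO.getSaml2SsoIssuer());
        if (!(tokenInfo instanceof SAMLTokenInfoDTO)) {
            return null;
        }
        return ((SAMLTokenInfoDTO) tokenInfo).getSessionIndex();
    }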

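    /**
     * Whether the cached SAML assertion for a cookie value has passed its NotOnOrAfter instant.
     * <p>
     * Previously a cached session map without an entry for this app's issuer raised a
     * NullPointerException; it is now treated like an unknown cookie (not expired), matching the
     * existing behaviour for a missing cache entry.
     * NOTE(review): a cached token without NotOnOrAfter is treated as never expiring — confirm that
     * is the intended policy.
     *
     * @param str the {@code appmSamlSsoTokenId} cookie value used as cache key
     * @return {@code true} only when NotOnOrAfter is present and not after the current time
     */
    public boolean isSamlTokenExpired(String str) {
        Object entry = getSAML2ConfigCache().get(str);
        if (!(entry instanceof Map)) {
            return false;
        }
        Object tokenInfo = ((Map<?, ?>) entry).get(this.webAppInfoDTO.getSaml2SsoIssuer());
        if (!(tokenInfo instanceof SAMLTokenInfoDTO)) {
            return false;
        }
        DateTime notOnOrAfter = ((SAMLTokenInfoDTO) tokenInfo).getNotOnOrAfter();
        if (notOnOrAfter == null) {
            return false;
        }
        // compareTo(now) >= 1 means NotOnOrAfter is strictly in the future: still valid.
        if (notOnOrAfter.compareTo(new DateTime()) >= 1) {
            return false;
        }
        if (log.isDebugEnabled()) {
            log.debug("NotOnOrAfter is having an expired timestamp in the cache for the SAML issuer = " + this.webAppInfoDTO.getSaml2SsoIssuer());
        }
        return true;
    }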

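    /**
     * Returns the comma-separated role list cached under the given key, or {@code null}.
     * <p>
     * The SAML2 config cache mixes String role lists with per-session maps, so the value is
     * type-checked rather than cast blindly.
     * NOTE(review): the only caller (checkResourceAccessible) passes the constant key
     * "userRolesCacheKey", which handleAuthorizationUsingSAMLResponse overwrites on every login —
     * the roles of the most recently authenticated user are applied to all sessions. Keying by the
     * session cookie would fix that; confirm intent before changing.
     *
     * @param str the cache key
     * @return the cached role string, or {@code null} when absent or not a String
     */
    public String getCachedUserRoles(String str) {
        Object roles = getSAML2ConfigCache().get(str);
        if (roles instanceof String) {
            return (String) roles;
        }
        return null;
    }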

    /**
     * Returns the logged-in user name the SAML2 authenticator cached under the given cookie value.
     *
     * @param str the {@code appmSamlSsoTokenId} cookie value
     * @return the cached user name, or {@code null} when none
     */
    private String getCachedLoggedInUser(String str) {
        Object cachedUser = this.saml2Authenticator.getKeyCache().get(str);
        return (String) cachedUser;
    }

    /**
     * Whether a parsed SAML response identifies a subject.
     *
     * @param map attributes extracted from the SAML response (may be {@code null})
     * @return {@code true} when the map contains a non-null {@code APISecurityConstants.SUBJECT} entry
     */
    public boolean isSAMLResponseAuthenticated(Map<String, Object> map) {
        if (map == null) {
            return false;
        }
        return map.get(APISecurityConstants.SUBJECT) != null;
    }

    /**
     * Unwraps the Axis2 message context from a Synapse message context.
     *
     * @param messageContext a Synapse message context (must be an {@link Axis2MessageContext})
     * @return the underlying Axis2 message context
     */
    private org.apache.axis2.context.MessageContext getAxis2MessageContext(MessageContext messageContext) {
        Axis2MessageContext wrapper = (Axis2MessageContext) messageContext;
        return wrapper.getAxis2MessageContext();
    }

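    /**
     * Whether the request targets the app's configured logout URL, decided by checking that the
     * configured logout URL ends with the inbound transport URL.
     * <p>
     * A missing {@code TransportInURL} previously raised a NullPointerException; it is now treated
     * as "not a logout request".
     * NOTE(review): suffix matching is loose — any request path that happens to be a suffix of the
     * configured logout URL matches; comparing the path component exactly would be stricter.
     *
     * @param messageContext the Synapse message context of the inbound request
     * @return {@code true} when a logout URL is configured and it ends with the request URL
     */
    private boolean isLogoutRequest(MessageContext messageContext) {
        Object transportInUrl = getAxis2MessageContext(messageContext).getProperty("TransportInURL");
        String logoutUrl = this.webAppInfoDTO.getLogoutUrl();
        if (transportInUrl == null || logoutUrl == null) {
            return false;
        }
        if (!logoutUrl.endsWith(transportInUrl.toString())) {
            return false;
        }
        if (log.isDebugEnabled()) {
            log.debug("Logout URL Encountered");
        }
        return true;
    }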

    /**
     * SSO is considered enabled for the app when an IdP URL is configured.
     *
     * @return {@code true} when {@code getIDPUrl()} is non-null
     */
    private boolean isSSOEnabled() {
        String idpUrl = getIDPUrl();
        return idpUrl != null;
    }

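    /**
     * Loads the SAML2 SSO configuration of an app version from the DAO.
     * <p>
     * The lookup is best-effort: a DAO failure yields {@code null}, as before, but the cause is now
     * logged. A {@code null} result is stored as {@link #webAppInfoDTO} by handleRequest and later
     * dereferenced without a check (e.g. in isAllowAnonymousApplication), so a silent failure here
     * surfaces as a NullPointerException that is otherwise hard to trace back.
     *
     * @param str  the app context
     * @param str2 the app version
     * @return the SSO configuration, or {@code null} when it could not be loaded
     * @throws AppManagementException never thrown in practice; kept for signature compatibility
     */
    private WebAppInfoDTO getSSOInfoForApp(String str, String str2) throws AppManagementException {
        try {
            return AppMDAO.getSAML2SSOConfigInfo(str, str2);
        } catch (AppManagementException e) {
            log.error("Error while loading SAML2 SSO configuration for " + str + " " + str2, e);
            return null;
        }
    }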

    /**
     * Loads the per-verb (HTTP method) URL configuration of an app version from the DAO.
     *
     * @param str  the app context
     * @param str2 the app version
     * @return the verb configuration as returned by {@code AppMDAO.getVerbConfigInfo}
     * @throws AppManagementException when the DAO lookup fails
     */
    private VerbInfoDTO getVerbInfoForApp(String str, String str2) throws AppManagementException {
        VerbInfoDTO verbInfo = AppMDAO.getVerbConfigInfo(str, str2);
        return verbInfo;
    }

    /**
     * Delegates the subscription check to the SAML2 authenticator.
     *
     * @param messageContext the Synapse message context of the inbound request
     * @return the authenticator's verdict
     * @throws APISecurityException when the authenticator rejects the request
     */
    private boolean isSubscribed(MessageContext messageContext) throws APISecurityException {
        boolean subscribed = this.saml2Authenticator.authenticate(messageContext);
        return subscribed;
    }

    /**
     * Copies the JWT cached for the current session cookie (key {@code appmSamlSsoTokenId}) into the
     * security-context transport header. Nothing is added when no JWT is cached.
     *
     * @param messageContext the Synapse message context of the inbound request
     */
    private void addCachedJWTToTransportHeaders(MessageContext messageContext) {
        String tokenId = (String) messageContext.getProperty("appmSamlSsoTokenId");
        Cache jwtCache = Caching.getCacheManager("API_MANAGER_CACHE").getCache("jwtCache");
        Object jwt = jwtCache.get(tokenId);
        if (jwt == null) {
            return;
        }
        String headerName = this.authenticator.getSecurityContextHeader();
        getTransportHeaders(messageContext).put(headerName, (String) jwt);
    }

    /**
     * Generates a JWT from the SAML attributes, caches it under the current session cookie value
     * and places it in the security-context transport header.
     *
     * @param messageContext the Synapse message context of the inbound request
     * @param map            attributes extracted from the SAML response
     * @param webApp         the web app the token is issued for
     * @throws AppManagementException when token generation fails
     */
    private void generateJWTAndAddToTransportHeaders(MessageContext messageContext, Map<String, Object> map, WebApp webApp) throws AppManagementException {
        String tokenId = (String) messageContext.getProperty("appmSamlSsoTokenId");
        Cache jwtCache = Caching.getCacheManager("API_MANAGER_CACHE").getCache("jwtCache");
        String jwt = getTokenGenerator().generateToken(map, webApp, messageContext);
        jwtCache.put(tokenId, jwt);
        String headerName = this.authenticator.getSecurityContextHeader();
        getTransportHeaders(messageContext).put(headerName, jwt);
    }

    /**
     * Authenticates a request from an existing {@code appmSamlSsoTokenId} cookie: verifies the cached
     * SAML token is present and not expired, restores the cached subject and authenticated IdPs into
     * the message context, handles logout, enforces the subscription check and optionally forwards
     * the cached JWT and SAML response as transport headers.
     *
     * @param messageContext the Synapse message context of the inbound request
     * @return {@code true} when the caller is authenticated (or a logout was handled);
     *         {@code false} when the cookie is unknown/expired or the subscription check fails
     */
    private boolean handleSecurityUsingCookie(MessageContext messageContext) {
        Map<String, String> transportHeaders = getTransportHeaders(messageContext);
        String sAMLCookie = getSAMLCookie(messageContext);
        if (!isSamlResponseInCache(sAMLCookie)) {
            return false;
        }
        if (isSamlTokenExpired(sAMLCookie)) {
            // Expired assertion: drop both the SessionIndex -> cookie mapping and the session entry,
            // so the caller is sent back to the IdP.
            String cachedSessionIndex = getCachedSessionIndex(sAMLCookie);
            if (cachedSessionIndex != null) {
                getSAML2SessionIndexCache().remove(cachedSessionIndex);
            }
            getSAML2ConfigCache().remove(sAMLCookie);
            return false;
        }
        String cachedLoggedInUser = getCachedLoggedInUser(sAMLCookie);
        AuthenticatedIDP[] cachedAuthenticatedIDP = getCachedAuthenticatedIDP(sAMLCookie);
        try {
            messageContext.setProperty(APISecurityConstants.SUBJECT, cachedLoggedInUser);
            messageContext.setProperty(APISecurityConstants.AUTHENTICATED_IDP, cachedAuthenticatedIDP);
            messageContext.setProperty("appmSamlSsoTokenId", sAMLCookie);
            if (isLogoutRequest(messageContext)) {
                handleLogoutRequest(messageContext);
                return true;
            }
            if (!isSubscribed(messageContext)) {
                handleAuthFailure(messageContext, new APISecurityException(APISecurityConstants.API_AUTH_FORBIDDEN, "You have not subscribed to this Application"));
                return false;
            }
            if (this.isJWTEnabled) {
                addCachedJWTToTransportHeaders(messageContext);
            }
            if (!shouldAddSAMLResponseAsTransportHeader()) {
                return true;
            }
            // Forwards the encoded SAML response to the backend in a transport header when configured.
            transportHeaders.put("AppMgtSAML2Response", getCachedSAMLResponse(sAMLCookie));
            messageContext.setProperty("TRANSPORT_HEADERS", transportHeaders);
            return true;
        } catch (APISecurityException e) {
            // The original exception is neither logged nor chained; a new forbidden error replaces it.
            handleAuthFailure(messageContext, new APISecurityException(APISecurityConstants.API_AUTH_FORBIDDEN, "You have not subscribe to this Application"));
            return false;
        }
    }

    /**
     * Role-based access check for the requested resource. Builds the list of the app's URL mappings
     * (prefixed with context and version), finds the most specific one matching the inbound URL and
     * delegates to {@link #checkResourseAccessibleByRole} with the roles read from the cache.
     * <p>
     * NOTE(review): the roles are read from the single constant cache key "userRolesCacheKey", which
     * handleAuthorizationUsingSAMLResponse overwrites on every login, so the decision is made with the
     * roles of whichever user authenticated last rather than the current session's — confirm intent.
     *
     * @param messageContext the Synapse message context of the inbound request
     * @return {@code true} when no mapping matches or the role check passes; {@code false} when the
     *         role check fails or the mappings cannot be loaded
     */
    private boolean checkResourceAccessible(MessageContext messageContext) {
        String obj = getAxis2MessageContext(messageContext).getProperty("TransportInURL").toString();
        String str = (String) messageContext.getProperty("REST_API_CONTEXT");
        String str2 = (String) messageContext.getProperty("SYNAPSE_REST_API_VERSION");
        String cachedUserRoles = getCachedUserRoles("userRolesCacheKey");
        String str3 = (String) ((Axis2MessageContext) messageContext).getAxis2MessageContext().getProperty("HTTP_METHOD");
        int appID = this.webAppInfoDTO.getAppID();
        // Discarded allocation (decompiler residue); it has no effect.
        new ArrayList();
        ArrayList<String> arrayList = new ArrayList<>();
        try {
            Iterator it = new AppMDAO().getInUrlMappingById(appID).iterator();
            while (it.hasNext()) {
                arrayList.add(str + APIThrottleConstants.URL_MAPPING_SEPERATOR + str2 + ((String) it.next()));
            }
            // Descending sort so the longest (most specific) pattern is offered to the matcher first.
            Collections.sort(arrayList);
            Collections.reverse(arrayList);
            String matchedURLPattern = getMatchedURLPattern(arrayList, obj);
            if (matchedURLPattern == null) {
                // No mapping covers this URL: access is allowed (no role constraint exists for it).
                return true;
            }
            // Strip the "context/version" prefix again; downstream keys on the bare mapping pattern.
            String substring = matchedURLPattern.substring((str + APIThrottleConstants.URL_MAPPING_SEPERATOR + str2).length(), matchedURLPattern.length());
            messageContext.setProperty("appm.matchedUrlPattern", substring);
            messageContext.setProperty("appm.matchedAppId", Integer.valueOf(appID));
            return checkResourseAccessibleByRole(substring, cachedUserRoles, appID, str3);
        } catch (AppManagementException e) {
            // Fail closed when the mappings cannot be read; the exception itself is not logged.
            log.error("Failed to check resources for user");
            return false;
        }
    }

    /**
     * Returns the roles claim carried by the SAML response attributes.
     *
     * @param map attributes extracted from the SAML response (may be {@code null})
     * @return the {@code APISecurityConstants.CLAIM_ROLES} value, or {@code ""} when absent
     */
    private String getUserRolesFromTheSAMLResponse(Map<String, Object> map) {
        if (map == null) {
            return "";
        }
        Object roles = map.get(APISecurityConstants.CLAIM_ROLES);
        if (roles == null) {
            return "";
        }
        return (String) roles;
    }

    /**
     * Whether the user's roles intersect (case-insensitively) with the roles configured for a URL
     * mapping and HTTP method.
     * <p>
     * NOTE(review): access is granted whenever either role list is empty — including a user with no
     * roles hitting a mapping that does require roles. Confirm this fail-open is intended.
     *
     * @param str  the matched URL mapping pattern (without context/version prefix)
     * @param str2 the user's comma-separated roles, may be {@code null}
     * @param i    the app id
     * @param str3 the HTTP method
     * @return {@code true} when no roles are required, the user has no roles, or a role matches
     * @throws AppManagementException when the mapping's roles cannot be loaded
     */
    private boolean checkResourseAccessibleByRole(String str, String str2, int i, String str3) throws AppManagementException {
        String requiredRoles = new AppMDAO().getInUrlMappingRoles(i, str, str3);
        boolean userHasNoRoles = str2 == null || str2.equalsIgnoreCase("");
        boolean nothingRequired = requiredRoles == null || requiredRoles.equals("");
        if (userHasNoRoles || nothingRequired) {
            return true;
        }
        String[] required = getDelimitedRoles(requiredRoles);
        for (String userRole : getDelimitedRoles(str2)) {
            if (containsRoleIgnoreCase(required, userRole)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Linear, case-insensitive membership test used by {@link #checkResourseAccessibleByRole}.
     *
     * @param roles candidate roles
     * @param role  the role to look for
     * @return {@code true} when {@code role} equals one of {@code roles} ignoring case
     */
    private boolean containsRoleIgnoreCase(String[] roles, String role) {
        for (String candidate : roles) {
            if (role.equalsIgnoreCase(candidate)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Splits a comma-separated role list. Entries are not trimmed ("a, b" yields " b") and
     * trailing empty strings are dropped, as with {@link String#split(String)}.
     *
     * @param str the comma-separated roles
     * @return the individual role entries
     */
    private String[] getDelimitedRoles(String str) {
        String[] roles = str.split(",", 0);
        return roles;
    }

    /**
     * Matches a URL against a list of patterns using {@link NamedMatchList}, registering each pattern
     * under its own text so the matched pattern itself is returned.
     *
     * @param arrayList candidate URL patterns, in the order they should be tried
     * @param str       the URL to match
     * @return the matching pattern, or {@code null} when none matches
     */
    private String getMatchedURLPattern(ArrayList<String> arrayList, String str) {
        NamedMatchList candidates = new NamedMatchList();
        for (String pattern : arrayList) {
            candidates.add(pattern, pattern);
        }
        Object matched = candidates.match(str);
        return (String) matched;
    }

    /**
     * Authenticates an IdP callback carrying a SAMLResponse: validates and parses the response,
     * stores the resulting token info in the SAML2 config cache under the session cookie value
     * (creating a new cookie value when the client has none), records subject, roles and
     * authenticated IdPs, handles logout, enforces the subscription check and optionally issues a
     * JWT and forwards the SAML response as a transport header.
     * <p>
     * NOTE(review): when the client already presents an {@code appmSamlSsoTokenId} cookie, that
     * client-chosen value is adopted as the key of the newly authenticated session (else branch
     * below) — a session-fixation pattern unless the shared value is required by the multi-app SSO
     * design; issuing a fresh identifier after authentication would be the conservative fix.
     * NOTE(review): the user's roles are written under the constant key "userRolesCacheKey" shared by
     * every session, so checkResourceAccessible evaluates all users against the roles of the most
     * recently authenticated one — confirm intent.
     *
     * @param messageContext the Synapse message context of the IdP callback
     * @return {@code true} when the caller is authenticated (or a logout was handled);
     *         {@code false} when the response is unauthenticated or a later step fails
     */
    private boolean handleAuthorizationUsingSAMLResponse(MessageContext messageContext) {
        Map<String, String> transportHeaders = getTransportHeaders(messageContext);
        Map<String, String> iDPResponseAttributes = getIDPResponseAttributes(messageContext);
        Map<String, Object> attributesOfSAMLResponse = getAttributesOfSAMLResponse(iDPResponseAttributes);
        if (!isSAMLResponseAuthenticated(attributesOfSAMLResponse)) {
            return false;
        }
        // Cookie value sent by the client, if any; becomes the session key below.
        String sAMLCookie = getSAMLCookie(messageContext);
        String str = iDPResponseAttributes.get(IDP_CALLBACK_ATTRIBUTE_NAME_SAML_RESPONSE);
        String str2 = (String) attributesOfSAMLResponse.get("SAML2_SESSION_INDEX");
        SAMLTokenInfoDTO sAMLTokenInfoDTO = new SAMLTokenInfoDTO();
        sAMLTokenInfoDTO.setEncodedSamlToken(str);
        sAMLTokenInfoDTO.setNotOnOrAfter((DateTime) attributesOfSAMLResponse.get(IDP_CALLBACK_ATTRIBUTE_NAME_SAML_ASSERTION_NOT_ON_OR_AFTER));
        sAMLTokenInfoDTO.setSessionIndex(str2);
        if (sAMLCookie == null) {
            // No cookie yet: mint a random session id and register the session under it.
            sAMLCookie = UUID.randomUUID().toString();
            if (log.isDebugEnabled()) {
                log.debug("generating samlCookieValue : " + sAMLCookie);
            }
            messageContext.setProperty("appmSamlSsoTokenId", sAMLCookie);
            HashMap hashMap = new HashMap();
            hashMap.put(this.webAppInfoDTO.getSaml2SsoIssuer(), sAMLTokenInfoDTO);
            getSAML2ConfigCache().put(sAMLCookie, hashMap);
            if (str2 != null) {
                getSAML2SessionIndexCache().put(str2, sAMLCookie);
            }
        } else {
            if (log.isDebugEnabled()) {
                log.debug("samlCookie already exists : " + sAMLCookie);
            }
            HashMap hashMap2 = (HashMap) getSAML2ConfigCache().get(sAMLCookie);
            String saml2SsoIssuer = this.webAppInfoDTO.getSaml2SsoIssuer();
            // When no session map exists, or one exists that already holds this issuer, the whole map is
            // replaced by a fresh one containing only this issuer (other issuers' entries are dropped);
            // when the map exists without this issuer, the entry is merged in.
            // NOTE(review): the containsKey branch looks inverted relative to a merge — confirm intent.
            if (hashMap2 == null || hashMap2.containsKey(saml2SsoIssuer)) {
                HashMap hashMap3 = new HashMap();
                hashMap3.put(saml2SsoIssuer, sAMLTokenInfoDTO);
                getSAML2ConfigCache().put(sAMLCookie, hashMap3);
                if (str2 != null) {
                    getSAML2SessionIndexCache().put(str2, sAMLCookie);
                }
            } else {
                hashMap2.put(saml2SsoIssuer, sAMLTokenInfoDTO);
                getSAML2ConfigCache().put(sAMLCookie, hashMap2);
                if (str2 != null) {
                    getSAML2SessionIndexCache().put(str2, sAMLCookie);
                }
            }
            messageContext.setProperty("appmSamlSsoTokenId", sAMLCookie);
        }
        messageContext.setProperty(APISecurityConstants.SUBJECT, attributesOfSAMLResponse.get(APISecurityConstants.SUBJECT));
        // Global roles entry (see the class-level NOTE above); lives in the same cache as the session maps.
        getSAML2ConfigCache().put("userRolesCacheKey", getUserRolesFromTheSAMLResponse(attributesOfSAMLResponse));
        AuthenticatedIDP[] authenticatedIDP = getAuthenticatedIDP(iDPResponseAttributes, attributesOfSAMLResponse);
        if (authenticatedIDP != null) {
            cacheAuthenticatedIDP(sAMLCookie, authenticatedIDP);
            messageContext.setProperty(APISecurityConstants.AUTHENTICATED_IDP, authenticatedIDP);
        }
        try {
            if (isLogoutRequest(messageContext)) {
                handleLogoutRequest(messageContext);
                return true;
            }
            if (!isSubscribed(messageContext)) {
                handleAuthFailure(messageContext, new APISecurityException(APISecurityConstants.API_AUTH_FORBIDDEN, "You have not subscribe to this Application"));
                return false;
            }
            if (this.isJWTEnabled) {
                generateJWTAndAddToTransportHeaders(messageContext, attributesOfSAMLResponse, this.webApp);
            }
            if (!shouldAddSAMLResponseAsTransportHeader()) {
                return true;
            }
            transportHeaders.put("AppMgtSAML2Response", str);
            messageContext.setProperty("TRANSPORT_HEADERS", transportHeaders);
            return true;
        } catch (AppManagementException e) {
            // Only printed to stderr, not logged; the caller then redirects to the IdP again.
            e.printStackTrace();
            return false;
        } catch (APISecurityException e2) {
            log.error("WebApp authentication failure", e2);
            handleAuthFailure(messageContext, e2);
            return false;
        }
    }

    /**
     * Remembers which IdPs authenticated this SSO session.
     *
     * @param str                 the session cookie value (appmSamlSsoTokenId) used as the cache key
     * @param authenticatedIDPArr the IdPs parsed from the callback, stored as-is
     */
    private void cacheAuthenticatedIDP(String str, AuthenticatedIDP[] authenticatedIDPArr) {
        Cache idpCache = Caching.getCacheManager("APPMGT.GATEWAY.AUTHENTICATED_IDP_CACHE_MANAGER")
                .getCache("APPMGT.GATEWAY.authenticatedIDPCache");
        idpCache.put(str, authenticatedIDPArr);
    }

    /**
     * Looks up the IdPs cached for an SSO session by {@link #cacheAuthenticatedIDP}.
     *
     * @param str the session cookie value used as the cache key
     * @return the cached array, or {@code null} when nothing (or something of another type) is cached
     */
    private AuthenticatedIDP[] getCachedAuthenticatedIDP(String str) {
        Cache idpCache = Caching.getCacheManager("APPMGT.GATEWAY.AUTHENTICATED_IDP_CACHE_MANAGER")
                .getCache("APPMGT.GATEWAY.authenticatedIDPCache");
        Object cached = idpCache.get(str);
        // instanceof is false for null, so one check covers both the missing and the wrong-type case
        if (cached instanceof AuthenticatedIDP[]) {
            return (AuthenticatedIDP[]) cached;
        }
        return null;
    }

    /**
     * Returns the Axis2 {@code TRANSPORT_HEADERS} map of the message; {@code null} if the property is unset.
     */
    private Map<String, String> getTransportHeaders(MessageContext messageContext) {
        org.apache.axis2.context.MessageContext axis2Ctx = ((Axis2MessageContext) messageContext).getAxis2MessageContext();
        @SuppressWarnings("unchecked")
        Map<String, String> headers = (Map<String, String>) axis2Ctx.getProperty("TRANSPORT_HEADERS");
        return headers;
    }

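    /**
     * Decodes the Base64 {@code SAMLResponse} from the IdP callback and extracts subject, validity bound,
     * attributes and session index via {@link #getResult(XMLObject)}.
     *
     * NOTE(review): the value comes straight out of the POST body (see getIDPResponseAttributes), i.e. it is
     * client-controlled. Nothing in this method checks the response signature, issuer, audience or
     * InResponseTo; unless SAMLSSOUtil.unmarshall does so, that validation must happen before the returned
     * attributes are trusted — confirm.
     *
     * @param map callback attributes keyed by the {@code IDP_CALLBACK_ATTRIBUTE_NAME_*} constants
     * @return the attributes extracted by getResult
     * @throws SynapseException if the response is missing or cannot be decoded/unmarshalled. Previously a
     *         failed unmarshall was only printed to stderr and the null result dereferenced, so the failure
     *         surfaced as a NullPointerException.
     */
    private Map<String, Object> getAttributesOfSAMLResponse(Map<String, String> map) {
        String encodedResponse = map.get(IDP_CALLBACK_ATTRIBUTE_NAME_SAML_RESPONSE);
        if (encodedResponse == null) {
            throw new SynapseException("SAML Response is missing from the IdP callback.");
        }
        XMLObject response;
        try {
            // Explicit charset: the no-arg String(byte[]) constructor uses the platform default.
            response = SAMLSSOUtil.unmarshall(new String(Base64.decode(encodedResponse), "UTF-8"));
        } catch (IdentityException e) {
            throw new SynapseException("Error while unmarshalling the SAML Response.", e);
        } catch (UnsupportedEncodingException e) {
            throw new SynapseException("Error while decoding the SAML Response.", e);
        }
        if (response == null) {
            throw new SynapseException("SAML Response could not be unmarshalled.");
        }
        return getResult(response);
    }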

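    /**
     * Handles a logout hit on the web app: drops the SSO session from the gateway caches and 302-redirects
     * the browser to the IdP with a SAML LogoutRequest built from the cached assertion's NameID and
     * SessionIndex. The {@code isLogoutRequest} property is always set, even when no session is cached.
     *
     * Fixes: unmarshalling errors are logged instead of printed to stderr; a cached assertion without an
     * AuthnStatement fails with a clear message instead of an IndexOutOfBoundsException; a null session
     * index is no longer passed to {@code Cache.remove}.
     *
     * @throws SynapseException if the LogoutRequest cannot be built or encoded
     */
    private void handleLogoutRequest(MessageContext messageContext) throws SynapseException {
        String ssoTokenId = (String) messageContext.getProperty("appmSamlSsoTokenId");
        messageContext.setProperty("isLogoutRequest", true);
        String cachedSAMLResponse = getCachedSAMLResponse(ssoTokenId);
        if (cachedSAMLResponse == null) {
            // No cached session for this cookie: nothing to revoke and no NameID/SessionIndex to log out with.
            return;
        }
        try {
            String assertionXml = getSamlAssetionString(new String(Base64.decode(cachedSAMLResponse), "UTF-8"));
            Assertion assertion = SAMLSSOUtil.unmarshall(assertionXml);
            if (assertion == null) {
                return;
            }
            String nameId = assertion.getSubject().getNameID().getValue();
            if (assertion.getAuthnStatements() == null || assertion.getAuthnStatements().isEmpty()) {
                throw new SynapseException("Cached SAML assertion has no AuthnStatement; cannot build LogoutRequest.");
            }
            String sessionIndex = ((AuthnStatement) assertion.getAuthnStatements().get(0)).getSessionIndex();
            String encodedLogoutRequest = encodeRequestMessage(
                    buildLogoutRequest(nameId, sessionIndex, this.webAppInfoDTO.getSaml2SsoIssuer()));
            if (encodedLogoutRequest == null) {
                throw new SynapseException("Error while sending logout request to IDP.");
            }
            // Invalidate the gateway-side session before redirecting so the cookie cannot be replayed here.
            getSAML2ConfigCache().remove(ssoTokenId);
            if (sessionIndex != null) {
                getSAML2SessionIndexCache().remove(sessionIndex);
            }
            sendSAMLRequestToIdP(messageContext, encodedLogoutRequest);
        } catch (IdentityException e) {
            log.error("Error while unmarshalling the cached SAML assertion during logout", e);
        } catch (UnsupportedEncodingException e) {
            log.error("Error while decoding the cached SAML Response during logout", e);
        }
    }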

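    /**
     * Serialises a SAML request for the HTTP-Redirect binding: marshal to XML, raw DEFLATE, Base64 and
     * URL-encode, ready to be appended as the {@code SAMLRequest} query parameter.
     *
     * Fixes: the {@link Deflater} was never {@code end()}ed (its native zlib buffers were only released by
     * the finalizer, and {@code DeflaterOutputStream.close()} does not end a caller-supplied Deflater); the
     * XML was converted with the platform default charset instead of UTF-8; the stream is now closed on
     * the failure path too.
     *
     * @param requestAbstractType the AuthnRequest or LogoutRequest to encode
     * @return the encoded request, or {@code null} on any marshalling/encoding failure (logged)
     */
    private String encodeRequestMessage(RequestAbstractType requestAbstractType) {
        try {
            DefaultBootstrap.bootstrap();
        } catch (ConfigurationException e) {
            log.error("Error while initializing opensaml library", e);
            return null;
        }
        // level 8, nowrap=true: raw DEFLATE without the zlib header, as the Redirect binding expects
        Deflater deflater = new Deflater(8, true);
        try {
            Element requestElement = Configuration.getMarshallerFactory()
                    .getMarshaller(requestAbstractType).marshall(requestAbstractType);
            StringWriter xml = new StringWriter();
            XMLHelper.writeNode(requestElement, xml);
            ByteArrayOutputStream compressed = new ByteArrayOutputStream();
            DeflaterOutputStream deflaterStream = new DeflaterOutputStream(compressed, deflater);
            try {
                deflaterStream.write(xml.toString().getBytes("UTF-8"));
            } finally {
                deflaterStream.close();
            }
            // The "8" option flag is passed through unchanged (presumably "no line breaks" — TODO confirm
            // against the Base64 implementation this file imports).
            return URLEncoder.encode(Base64.encodeBytes(compressed.toByteArray(), 8), "UTF-8").trim();
        } catch (MarshallingException e) {
            log.error("Error occurred while encoding SAML request", e);
            return null;
        } catch (IOException e) {
            // also covers UnsupportedEncodingException
            log.error("Error occurred while encoding SAML request", e);
            return null;
        } finally {
            deflater.end();
        }
    }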

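    /**
     * Builds the list of IdPs that authenticated the user from the {@code AuthenticatedIdPs} callback
     * attribute: a dot-separated, JWT-like string whose second segment is a URL-encoded Base64 JSON document
     * of the form {@code {"idps":[{"idp":"..."}]}}. Each entry is paired with the e-mail claim from the SAML
     * attributes as its identity.
     *
     * NOTE(review): only the payload segment is read; the header and signature segments are ignored, and the
     * value itself comes from the POST body (getIDPResponseAttributes). Unless it is verified elsewhere, the
     * IdP list is client-controlled and must not drive authorisation decisions — confirm.
     *
     * Fix: the {@code split(".")[1]} access was outside the try block, so a value without a dot escaped the
     * handler as an ArrayIndexOutOfBoundsException instead of being logged and ignored.
     *
     * @param map  raw callback attributes
     * @param map2 attributes extracted from the SAML assertion (source of the e-mail claim)
     * @return one entry per IdP, or {@code null} when the attribute is absent or malformed (logged)
     */
    private AuthenticatedIDP[] getAuthenticatedIDP(Map<String, String> map, Map<String, Object> map2) {
        String email = (String) map2.get(APISecurityConstants.CLAIM_EMAIL);
        String authenticatedIdpsValue = map.get(IDP_CALLBACK_ATTRIBUTE_NAME_AUTHENTICATED_IDPS);
        if (authenticatedIdpsValue == null) {
            return null;
        }
        String[] segments = authenticatedIdpsValue.split("\\.");
        if (segments.length < 2) {
            log.error("Malformed 'AuthenticatedIdps' value: expected '.'-separated segments");
            return null;
        }
        String payload = segments[1];
        try {
            payload = new String(Base64.decode(URLDecoder.decode(payload, "UTF-8")), "UTF-8");
            JSONObject document = (JSONObject) JSONValue.parse(payload);
            JSONArray idps = (JSONArray) document.get("idps");
            AuthenticatedIDP[] result = new AuthenticatedIDP[idps.size()];
            for (int i = 0; i < idps.size(); i++) {
                String idpName = ((JSONObject) idps.get(i)).get("idp").toString();
                AuthenticatedIDP authenticatedIDP = new AuthenticatedIDP();
                authenticatedIDP.setIdentity(email);
                authenticatedIDP.setIdpName(idpName);
                result[i] = authenticatedIDP;
            }
            return result;
        } catch (Exception e) {
            // Broad catch is deliberate: decode, parse, cast and null failures on an untrusted value all
            // mean "unusable"; the value is logged to aid diagnosing a misbehaving IdP.
            log.error(String.format("Error while decoding 'AuthenticatedIdps' string value : %s", payload), e);
            return null;
        }
    }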

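    /**
     * Pulls the per-session data out of the first assertion of a SAML Response: the subject NameID
     * ({@code APISecurityConstants.SUBJECT}), the Conditions/NotOnOrAfter bound, the first value of every
     * attribute keyed by attribute name, and the first AuthnStatement's SessionIndex
     * ({@code "SAML2_SESSION_INDEX"}).
     *
     * NOTE(review): only the first assertion and the first value of each attribute are read, and nothing
     * here validates signature, NotBefore, audience or issuer — those checks are assumed to live elsewhere;
     * confirm. Encrypted assertions are not handled. The LogoutResponse detection is by serialised node
     * name, so it depends on the IdP using the "saml2p" prefix.
     *
     * Fixes: a Response with no assertion now fails closed with a clear exception instead of an
     * IndexOutOfBoundsException; attributes without values are skipped and a missing AuthnStatement simply
     * yields no session index (callers already handle a null session index).
     *
     * @param xMLObject the unmarshalled response
     * @return the attribute map, or {@code null} for a {@code saml2p:LogoutResponse}
     * @throws SynapseException if the Response carries no assertion
     */
    private Map<String, Object> getResult(XMLObject xMLObject) {
        if (xMLObject.getDOM().getNodeName().equals("saml2p:LogoutResponse")) {
            return null;
        }
        List assertions = ((Response) xMLObject).getAssertions();
        if (assertions == null || assertions.isEmpty()) {
            throw new SynapseException("SAML Response does not contain an assertion.");
        }
        Assertion assertion = (Assertion) assertions.get(0);
        HashMap attributes = new HashMap();
        if (assertion == null) {
            return attributes;
        }
        attributes.put(APISecurityConstants.SUBJECT, assertion.getSubject().getNameID().getValue());
        if (assertion.getConditions() != null && assertion.getConditions().getNotOnOrAfter() != null) {
            attributes.put(IDP_CALLBACK_ATTRIBUTE_NAME_SAML_ASSERTION_NOT_ON_OR_AFTER,
                    assertion.getConditions().getNotOnOrAfter());
        }
        List attributeStatements = assertion.getAttributeStatements();
        if (attributeStatements != null) {
            for (Iterator it = attributeStatements.iterator(); it.hasNext(); ) {
                for (Attribute attribute : ((AttributeStatement) it.next()).getAttributes()) {
                    List values = attribute.getAttributeValues();
                    if (values == null || values.isEmpty()) {
                        continue;
                    }
                    // later statements/attributes with the same name overwrite earlier ones, as before
                    attributes.put(attribute.getName(), ((XMLObject) values.get(0)).getDOM().getTextContent());
                }
            }
        }
        List authnStatements = assertion.getAuthnStatements();
        if (authnStatements != null && !authnStatements.isEmpty()) {
            attributes.put("SAML2_SESSION_INDEX", ((AuthnStatement) authnStatements.get(0)).getSessionIndex());
        }
        return attributes;
    }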

    /** The cache holding per-session SAML token info, keyed by the appmSamlSsoTokenId cookie value. */
    private Cache getSAML2ConfigCache() {
        final String managerName = "SAML2_CONFIG_CACHE_MANAGER";
        final String cacheName = "saml2ConfigCache";
        return Caching.getCacheManager(managerName).getCache(cacheName);
    }

    /** The cache mapping an IdP SessionIndex to the appmSamlSsoTokenId cookie value of that session. */
    private Cache getSAML2SessionIndexCache() {
        final String managerName = "SAML2_SESSION_INDEX_CACHE_MANAGER";
        final String cacheName = "saml2SessionIndexCache";
        return Caching.getCacheManager(managerName).getCache(cacheName);
    }

    /** The app context/version configuration cache (not read or written within this file's visible part). */
    private Cache getAppContextVersionConfigCache() {
        final String managerName = "APP_CONTEXT_VERSION_CACHE_MANAGER";
        final String cacheName = "APP_CONTEXT_VERSION_CONFIG_CACHE";
        return Caching.getCacheManager(managerName).getCache(cacheName);
    }

    /** The user-roles configuration cache. */
    private Cache getUserRolesCacheConfig() {
        final String managerName = "USER_ROLES_CACHE_MANAGER";
        final String cacheName = "userRolesConfigCache";
        return Caching.getCacheManager(managerName).getCache(cacheName);
    }

    /** The SAML2 RelayState cache. */
    private Cache getSAML2RelayStateCache() {
        final String managerName = "SAML2_RELAY_STATE_CACHE_MANAGER";
        final String cacheName = "saml2RelayStateCache";
        return Caching.getCacheManager(managerName).getCache(cacheName);
    }

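    /**
     * Starts the SP-initiated login: builds an AuthnRequest for this web app and 302-redirects the browser
     * to the IdP with it.
     *
     * Fix: {@code encodeRequestMessage} returns {@code null} on failure, and that null used to be
     * concatenated into the redirect as {@code SAMLRequest=null}. The logout path already rejects this
     * case; the login path now does the same.
     *
     * @throws SynapseException if the AuthnRequest cannot be encoded
     */
    private void redirectToIDPLogin(MessageContext messageContext) {
        String encodedAuthnRequest = encodeRequestMessage(buildAuthnRequestObject(messageContext));
        if (encodedAuthnRequest == null) {
            throw new SynapseException("Error while building the SAML AuthnRequest for IdP login.");
        }
        sendSAMLRequestToIdP(messageContext, encodedAuthnRequest);
    }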

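    /**
     * Builds the SP-initiated AuthnRequest for this web app: HTTP-POST binding back to the gateway's
     * assertion consumer URL, persistent NameID policy, exact match on PasswordProtectedTransport, issuer
     * taken from the web app's SAML2 SSO issuer, destination from {@link #getIDPUrl()}.
     *
     * Fix: the request ID was {@code Integer.toHexString((int) Math.random())}. {@code Math.random()} is in
     * [0,1), so the truncation always produced 0 and every AuthnRequest carried the ID "0" — neither unique
     * nor unpredictable, which defeats any InResponseTo correlation. The ID is now a random UUID with a
     * leading underscore so it is also a valid xs:ID (which may not start with a digit).
     *
     * NOTE(review): the ID is not stored anywhere in this file, so the returned Response's InResponseTo
     * cannot be checked here — confirm that happens elsewhere.
     */
    private AuthnRequest buildAuthnRequestObject(MessageContext messageContext) {
        Issuer issuer = new IssuerBuilder().buildObject("urn:oasis:names:tc:SAML:2.0:assertion", "Issuer", "samlp");
        issuer.setValue(this.webAppInfoDTO.getSaml2SsoIssuer());

        NameIDPolicy nameIdPolicy = new NameIDPolicyBuilder().buildObject();
        nameIdPolicy.setFormat("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
        nameIdPolicy.setSPNameQualifier("Issuer");
        nameIdPolicy.setAllowCreate(true);

        AuthnContextClassRef classRef = new AuthnContextClassRefBuilder()
                .buildObject("urn:oasis:names:tc:SAML:2.0:assertion", "AuthnContextClassRef", "saml");
        classRef.setAuthnContextClassRef("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport");
        RequestedAuthnContext requestedAuthnContext = new RequestedAuthnContextBuilder().buildObject();
        requestedAuthnContext.setComparison(AuthnContextComparisonTypeEnumeration.EXACT);
        requestedAuthnContext.getAuthnContextClassRefs().add(classRef);

        AuthnRequest authnRequest = new AuthnRequestBuilder()
                .buildObject("urn:oasis:names:tc:SAML:2.0:protocol", "AuthnRequest", "samlp");
        authnRequest.setForceAuthn(false);
        authnRequest.setIsPassive(false);
        authnRequest.setIssueInstant(new DateTime());
        authnRequest.setProtocolBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
        authnRequest.setAssertionConsumerServiceURL(constructAssertionConsumerUrl(messageContext));
        authnRequest.setIssuer(issuer);
        authnRequest.setNameIDPolicy(nameIdPolicy);
        authnRequest.setRequestedAuthnContext(requestedAuthnContext);
        // UUID.randomUUID() is backed by a cryptographically strong PRNG; "_" keeps it a valid xs:ID
        authnRequest.setID("_" + UUID.randomUUID().toString());
        authnRequest.setDestination(getIDPUrl());
        authnRequest.setVersion(SAMLVersion.VERSION_20);
        return authnRequest;
    }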

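    /**
     * Turns the current message into a 302 response whose {@code Location} is the IdP URL with the encoded
     * request appended as the {@code SAMLRequest} query parameter, then sends it back to the client.
     *
     * NOTE(review): no RelayState is sent, and the URL is joined with a bare "?", so an IdP URL that already
     * carries a query string would yield a malformed Location — confirm the configured URL has none.
     *
     * Fixes: a missing {@code HTTP_METHOD} property used to NPE and is now treated like any non-POST/PUT
     * method; a missing {@code TRANSPORT_HEADERS} map is created instead of dereferenced.
     *
     * @param str the encoded (deflate + Base64 + URL-encoded) SAML request; callers must not pass null
     */
    private void sendSAMLRequestToIdP(MessageContext messageContext, String str) {
        org.apache.axis2.context.MessageContext axis2Ctx = ((Axis2MessageContext) messageContext).getAxis2MessageContext();
        axis2Ctx.setProperty("HTTP_SC", "302");
        messageContext.setResponse(true);
        messageContext.setProperty("RESPONSE", "true");
        messageContext.setTo((EndpointReference) null);
        axis2Ctx.removeProperty("NO_ENTITY_BODY");
        // The regex matches any method name that does not contain POST or PUT.
        String httpMethod = (String) axis2Ctx.getProperty("HTTP_METHOD");
        if (httpMethod == null || httpMethod.matches("^(?!.*(POST|PUT)).*$")) {
            axis2Ctx.setProperty("messageType", "application/xml");
        }
        axis2Ctx.removeProperty("ContentType");
        Map headers = (Map) axis2Ctx.getProperty("TRANSPORT_HEADERS");
        if (headers == null) {
            headers = new HashMap();
            axis2Ctx.setProperty("TRANSPORT_HEADERS", headers);
        }
        headers.put("Location", getIDPUrl() + "?SAMLRequest=" + str);
        Object errorMessageType = messageContext.getProperty("error_message_type");
        if (errorMessageType != null && errorMessageType.toString().equalsIgnoreCase("application/json")) {
            axis2Ctx.setProperty("messageType", "application/json");
        }
        // The inbound Host header is dropped before the header map is reused for the response.
        headers.remove("Host");
        Axis2Sender.sendBack(messageContext);
    }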

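    /**
     * Builds a SAML LogoutRequest for the IdP: issuer {@code str3}, NameID {@code str}, session index
     * {@code str2}, valid for five minutes from now, reason "Single Logout", destination from
     * {@link #getIDPUrl()}.
     *
     * Fix: the ID was a bare {@code UUID.randomUUID().toString()}, which may start with a digit and is then
     * not a valid xs:ID; it now carries a leading underscore, matching the AuthnRequest.
     *
     * NOTE(review): the NameID is sent with the "entity" format although the AuthnRequest asks the IdP for
     * "persistent" NameIDs; an IdP that matches the format against the session's NameID may reject this —
     * confirm against the IdP in use.
     *
     * @param str  the subject NameID value of the session being terminated
     * @param str2 the IdP SessionIndex of that session
     * @param str3 the SP issuer value
     */
    private LogoutRequest buildLogoutRequest(String str, String str2, String str3) {
        final long validityMillis = 5L * 60L * 1000L;
        DateTime issueInstant = new DateTime();

        Issuer issuer = new IssuerBuilder().buildObject();
        issuer.setValue(str3);

        NameID nameId = new NameIDBuilder().buildObject();
        nameId.setFormat("urn:oasis:names:tc:SAML:2.0:nameid-format:entity");
        nameId.setValue(str);

        SessionIndex sessionIndex = new SessionIndexBuilder().buildObject();
        sessionIndex.setSessionIndex(str2);

        LogoutRequest logoutRequest = new LogoutRequestBuilder().buildObject();
        logoutRequest.setID("_" + UUID.randomUUID().toString());
        logoutRequest.setDestination(getIDPUrl());
        logoutRequest.setIssueInstant(issueInstant);
        logoutRequest.setNotOnOrAfter(new DateTime(issueInstant.getMillis() + validityMillis));
        logoutRequest.setIssuer(issuer);
        logoutRequest.setNameID(nameId);
        logoutRequest.getSessionIndexes().add(sessionIndex);
        logoutRequest.setReason("Single Logout");
        return logoutRequest;
    }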

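    /**
     * Extracts the value of cookie {@code str2} from a raw {@code Cookie} header string {@code str}.
     *
     * Fix: the lookup used {@code indexOf(name + "=")}, which also matches a longer cookie name that merely
     * ends with {@code name} (e.g. {@code xappmSamlSsoTokenId=...}); for the SSO session cookie that means
     * a different token could be resolved. A match now has to start at the beginning of the header or
     * directly after a ";" separator (ignoring whitespace). Made static (it uses no instance state) so it
     * can be unit-tested; existing unqualified calls are unaffected.
     *
     * @param str  the Cookie header value, e.g. {@code "a=1; appmSamlSsoTokenId=abc; b=2"}
     * @param str2 the cookie name to look for
     * @return the value up to the next ";" (or end of string), or {@code null} if absent or the input is empty
     */
    static String getCookieValue(String str, String str2) {
        if (str == null || str.isEmpty() || str2 == null) {
            return null;
        }
        String needle = str2 + "=";
        int from = 0;
        while (true) {
            int at = str.indexOf(needle, from);
            if (at == -1) {
                return null;
            }
            if (startsCookiePair(str, at)) {
                int valueStart = at + needle.length();
                int valueEnd = str.indexOf(';', valueStart);
                return str.substring(valueStart, valueEnd == -1 ? str.length() : valueEnd);
            }
            from = at + 1;
        }
    }

    /** True if {@code at} starts a cookie-pair: start of the header, or preceded by ";" plus optional whitespace. */
    private static boolean startsCookiePair(String header, int at) {
        int i = at - 1;
        while (i >= 0 && Character.isWhitespace(header.charAt(i))) {
            i--;
        }
        return i < 0 || header.charAt(i) == ';';
    }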

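    /**
     * Reports an authentication/authorisation failure to the client. The error is first offered to the
     * {@code API_AUTH_FAILURE_HANDLER} sequence; if there is none, or it returns {@code true}, a fault is
     * built here: HTTP 500 for code 900900, 403 for 900906/900908, otherwise 401 with a
     * {@code WWW-Authenticate} challenge (the numeric codes are kept as in the original; no named constants
     * for them are visible in this file). CORS headers are added when enabled.
     *
     * Fix: in the 403/500 branches the existing transport-header map was reused for the CORS headers without
     * a null check, so a message without a TRANSPORT_HEADERS property failed with a NullPointerException
     * instead of the intended fault.
     *
     * @param aPISecurityException the failure; its code selects the status and the user-facing message
     */
    private void handleAuthFailure(MessageContext messageContext, APISecurityException aPISecurityException) {
        int errorCode = aPISecurityException.getErrorCode();
        messageContext.setProperty("ERROR_CODE", Integer.valueOf(errorCode));
        messageContext.setProperty("ERROR_MESSAGE", APISecurityConstants.getAuthenticationFailureMessage(errorCode));
        messageContext.setProperty("ERROR_EXCEPTION", aPISecurityException);
        Mediator failureSequence = messageContext.getSequence(APISecurityConstants.API_AUTH_FAILURE_HANDLER);
        if (failureSequence != null && !failureSequence.mediate(messageContext)) {
            // A false return from the failure sequence suppresses the default fault below.
            return;
        }
        org.apache.axis2.context.MessageContext axis2Ctx = ((Axis2MessageContext) messageContext).getAxis2MessageContext();
        axis2Ctx.setProperty("messageType", "application/soap+xml");
        int status;
        if (errorCode == 900900) {
            status = 500;
        } else if (errorCode == 900906 || errorCode == 900908) {
            status = 403;
        } else {
            status = 401;
            // A fresh header map: only the challenge is sent with the 401 (existing headers are dropped, as before).
            HashMap challengeHeaders = new HashMap();
            challengeHeaders.put("WWW-Authenticate", this.authenticator.getChallengeString());
            axis2Ctx.setProperty("TRANSPORT_HEADERS", challengeHeaders);
        }
        if (messageContext.isDoingPOX() || messageContext.isDoingGET()) {
            Utils.setFaultPayload(messageContext, getFaultPayload(aPISecurityException));
        } else {
            Utils.setSOAPFault(messageContext, "Client", "Authentication Failure", aPISecurityException.getMessage());
        }
        if (Utils.isCORSEnabled()) {
            Map headers = (Map) axis2Ctx.getProperty("TRANSPORT_HEADERS");
            if (headers == null) {
                headers = new HashMap();
            }
            headers.put("Access-Control-Allow-Origin", Utils.getAllowedOrigin(this.authenticator.getRequestOrigin()));
            headers.put("Access-Control-Allow-Methods", Utils.getAllowedMethods());
            headers.put("Access-Control-Allow-Headers", Utils.getAllowedHeaders());
            axis2Ctx.setProperty("TRANSPORT_HEADERS", headers);
        }
        Utils.sendFault(messageContext, status);
    }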

    /**
     * Builds the {@code <fault>} element (children {@code code}, {@code message}, {@code description}) in
     * the API security namespace that is used as the POX/GET fault body.
     */
    private OMElement getFaultPayload(APISecurityException aPISecurityException) {
        OMFactory factory = OMAbstractFactory.getOMFactory();
        OMNamespace ns = factory.createOMNamespace(APISecurityConstants.API_SECURITY_NS, APISecurityConstants.API_SECURITY_NS_PREFIX);
        int errorCode = aPISecurityException.getErrorCode();
        OMElement fault = factory.createOMElement("fault", ns);
        fault.addChild(textElement(factory, ns, "code", String.valueOf(errorCode)));
        fault.addChild(textElement(factory, ns, "message", APISecurityConstants.getAuthenticationFailureMessage(errorCode)));
        fault.addChild(textElement(factory, ns, "description", aPISecurityException.getMessage()));
        return fault;
    }

    /** Creates {@code <name>text</name>} in the given namespace. */
    private static OMElement textElement(OMFactory factory, OMNamespace ns, String name, String text) {
        OMElement element = factory.createOMElement(name, ns);
        element.setText(text);
        return element;
    }

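    /**
     * Cuts the {@code <saml2:Assertion>...</saml2:Assertion>} fragment out of a serialised SAML Response by
     * plain string search (first opening tag up to and including the first closing tag after it).
     *
     * NOTE(review): this is textual slicing, not XML parsing — it assumes the "saml2" prefix and a single,
     * unencrypted assertion, and it is not a substitute for verifying the signature of the cached response.
     *
     * Fix: a missing tag used to surface as a bare StringIndexOutOfBoundsException from {@code substring};
     * it now raises a descriptive IllegalArgumentException. Made static (no instance state) so it can be
     * unit-tested; existing unqualified calls are unaffected.
     *
     * @param str the SAML Response XML
     * @return the assertion fragment
     * @throws IllegalArgumentException if the input is null or either tag is missing
     */
    static String getSamlAssetionString(String str) {
        final String openTag = "<saml2:Assertion";
        final String closeTag = "</saml2:Assertion>";
        int start = str == null ? -1 : str.indexOf(openTag);
        int end = start == -1 ? -1 : str.indexOf(closeTag, start);
        if (start == -1 || end == -1) {
            throw new IllegalArgumentException("SAML Response does not contain a saml2:Assertion element");
        }
        return str.substring(start, end) + closeTag;
    }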

    /**
     * The IdP SSO endpoint from {@code SSOConfiguration.IdentityProviderUrl}; used as the Destination of the
     * AuthnRequest/LogoutRequest and as the redirect target.
     */
    private String getIDPUrl() {
        final String idpUrlKey = "SSOConfiguration.IdentityProviderUrl";
        return org.wso2.carbon.appmgt.gateway.internal.ServiceReferenceHolder.getInstance()
                .getAPIManagerConfiguration()
                .getFirstProperty(idpUrlKey);
    }

    /**
     * Whether SAML SSO is enabled ({@code SSOConfiguration.EnableSamlSSOConfig}); anything other than the
     * string "true" (case-insensitive) reads as false.
     */
    private boolean getSamlSSOConfiguration() {
        final String enableKey = "SSOConfiguration.EnableSamlSSOConfig";
        String configured = org.wso2.carbon.appmgt.gateway.internal.ServiceReferenceHolder.getInstance()
                .getAPIManagerConfiguration()
                .getFirstProperty(enableKey);
        return Boolean.parseBoolean(configured);
    }

    /**
     * Whether the raw SAML Response is forwarded to the backend as the {@code AppMgtSAML2Response} header
     * ({@code AppConsumerAuthConfiguration.AddSAMLResponseHeaderToOutMessage}).
     */
    private boolean shouldAddSAMLResponseAsTransportHeader() {
        final String addHeaderKey = "AppConsumerAuthConfiguration.AddSAMLResponseHeaderToOutMessage";
        String configured = org.wso2.carbon.appmgt.gateway.internal.ServiceReferenceHolder.getInstance()
                .getAPIManagerConfiguration()
                .getFirstProperty(addHeaderKey);
        return Boolean.parseBoolean(configured);
    }

    /**
     * Reads the IdP callback parameters ({@code SAMLResponse}, {@code SAMLAssertion}, {@code AuthenticatedIdPs})
     * out of the built message body: every child of the body is scanned for children with those names and
     * their text is collected, last occurrence winning.
     *
     * NOTE(review): the scan stops as soon as two of the three keys are present, so a third parameter that
     * sits in a later body element would be missed — confirm whether that early exit predates the third key.
     * Failures while building the message are logged and whatever was collected so far is returned; the
     * values are untrusted request input.
     *
     * @return the collected parameters (possibly incomplete or empty, never {@code null})
     */
    private Map<String, String> getIDPResponseAttributes(MessageContext messageContext) {
        org.apache.axis2.context.MessageContext axis2Ctx = ((Axis2MessageContext) messageContext).getAxis2MessageContext();
        HashMap collected = new HashMap();
        String[] wanted = {
                IDP_CALLBACK_ATTRIBUTE_NAME_SAML_RESPONSE,
                IDP_CALLBACK_ATTRIBUTE_NAME_SAML_ASSERTION,
                IDP_CALLBACK_ATTRIBUTE_NAME_AUTHENTICATED_IDPS};
        try {
            RelayUtils.buildMessage(axis2Ctx);
            Iterator bodyChildren = messageContext.getEnvelope().getBody().getChildElements();
            while (bodyChildren.hasNext() && collected.size() != 2) {
                OMElement element = (OMElement) bodyChildren.next();
                for (String name : wanted) {
                    copyChildText(element, name, collected);
                }
            }
        } catch (Exception e) {
            log.error("Error while retrieving IDP response attributes.", e);
        }
        return collected;
    }

    /** Copies the text of every child of {@code parent} named {@code name} into {@code target} under that name. */
    private static void copyChildText(OMElement parent, String name, Map target) {
        Iterator children = parent.getChildrenWithName(new QName(name));
        while (children.hasNext()) {
            target.put(name, ((OMElement) children.next()).getText());
        }
    }

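    /**
     * Extracts the tenant domain from a gateway URL of the form {@code .../t/<tenant><separator>...}.
     *
     * Fix: a URL that ends right after the tenant segment (no trailing separator) made {@code indexOf}
     * return -1 and {@code substring(0, -1)} throw; the remainder is now taken as the tenant domain. A null
     * URL yields "" instead of a NullPointerException.
     *
     * @param str the gateway/assertion-consumer URL
     * @return the tenant domain, or {@code ""} when the URL has no {@code /t/} segment
     */
    private String getTenantDomainFromGatewayUrl(String str) {
        final String tenantMarker = "/t/";
        if (str == null) {
            return "";
        }
        int markerAt = str.indexOf(tenantMarker);
        if (markerAt == -1) {
            return "";
        }
        String afterMarker = str.substring(markerAt + tenantMarker.length());
        int separatorAt = afterMarker.indexOf(APIThrottleConstants.URL_MAPPING_SEPERATOR);
        return separatorAt == -1 ? afterMarker : afterMarker.substring(0, separatorAt);
    }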

    /**
     * Rewrites the web app's SAML2 issuer into its fully qualified form
     * {@code <issuer>[-<tenantDomain>]-<apiVersion>}: the tenant domain is derived from the assertion
     * consumer URL (omitted when empty) and the version from {@code SYNAPSE_REST_API_VERSION}.
     * Mutates {@code webAppInfoDTO} in place.
     */
    private void constructAndSetFullyQualifiedSamlIssuerId(MessageContext messageContext, WebAppInfoDTO webAppInfoDTO) {
        String tenantDomain = getTenantDomainFromGatewayUrl(constructAssertionConsumerUrl(messageContext));
        String apiVersion = (String) messageContext.getProperty("SYNAPSE_REST_API_VERSION");
        StringBuilder issuer = new StringBuilder().append(webAppInfoDTO.getSaml2SsoIssuer());
        if (tenantDomain.length() > 0) {
            issuer.append('-').append(tenantDomain);
        }
        issuer.append('-').append(apiVersion);
        webAppInfoDTO.setSaml2SsoIssuer(issuer.toString());
    }

    /**
     * Builds the URL the IdP must post the SAML Response to: the configured gateway endpoint for the scheme
     * of the current {@code SERVICE_PREFIX} (the text before the first separator minus one character, i.e.
     * "http" from "http://..." when the separator is "/"), followed by
     * {@code <REST_API_CONTEXT><sep><SYNAPSE_REST_API_VERSION><sep>}.
     */
    private String constructAssertionConsumerUrl(MessageContext messageContext) {
        org.apache.axis2.context.MessageContext axis2Ctx = ((Axis2MessageContext) messageContext).getAxis2MessageContext();
        String servicePrefix = axis2Ctx.getProperty("SERVICE_PREFIX").toString();
        String sep = APIThrottleConstants.URL_MAPPING_SEPERATOR;
        // -1 drops the character before the separator (the ':' of "http:/..." when sep is "/")
        String scheme = servicePrefix.substring(0, servicePrefix.indexOf(sep) - 1);
        StringBuilder url = new StringBuilder().append(getGatewayUrl(scheme));
        url.append(messageContext.getProperty("REST_API_CONTEXT"))
                .append(sep)
                .append(messageContext.getProperty("SYNAPSE_REST_API_VERSION"))
                .append(sep);
        return url.toString();
    }

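    /**
     * Appends {@code appmSamlSsoTokenId=<token>} (plus a path attribute) to the message's {@code Cookie}
     * transport header, creating the header if absent, using the token stored in the
     * {@code appmSamlSsoTokenId} property.
     *
     * Fix: the previous version logged the full cookie string — i.e. the SSO session token — at debug
     * level. That token is the key under which the SAML session is cached, so it is a bearer credential
     * and must not be written to log files; only presence is logged now.
     *
     * NOTE(review): this writes the request-side {@code Cookie} header, not {@code Set-Cookie}. If this
     * value is what eventually reaches the browser, it should also carry {@code HttpOnly} and
     * {@code Secure} — confirm where the cookie is actually issued. The two branches deliberately keep the
     * original, differently-cased "path"/"Path" attribute names.
     */
    private void setAppmSamlSsoCookie(MessageContext messageContext) {
        String ssoTokenId = (String) messageContext.getProperty("appmSamlSsoTokenId");
        Map headers = (Map) ((Axis2MessageContext) messageContext).getAxis2MessageContext().getProperty("TRANSPORT_HEADERS");
        String existingCookie = (String) headers.get("Cookie");
        if (log.isDebugEnabled()) {
            log.debug("Existing Cookie header present in transport headers : " + (existingCookie != null));
        }
        String updatedCookie;
        if (existingCookie == null) {
            updatedCookie = "appmSamlSsoTokenId=" + ssoTokenId + "; path=" + APIThrottleConstants.URL_MAPPING_SEPERATOR;
        } else {
            updatedCookie = existingCookie + " ;appmSamlSsoTokenId=" + ssoTokenId + "; Path=" + APIThrottleConstants.URL_MAPPING_SEPERATOR;
        }
        if (log.isDebugEnabled()) {
            log.debug("Added appmSamlSsoTokenId to the Cookie header in transport headers");
        }
        headers.put("Cookie", updatedCookie);
        messageContext.setProperty("TRANSPORT_HEADERS", headers);
    }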

    /**
     * The TokenGenerator registered with the service holder if there is one, otherwise this handler's
     * {@code defaultTokenGenerator}.
     */
    private TokenGenerator getTokenGenerator() {
        TokenGenerator registered = org.wso2.carbon.appmgt.gateway.internal.ServiceReferenceHolder.getInstance().getTokenGenerator();
        if (registered == null) {
            return this.defaultTokenGenerator;
        }
        return registered;
    }

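    /**
     * Picks the gateway endpoint for a scheme from the comma-separated
     * {@code AppManagerUtil.getGatewayendpoints()} list: the first entry for {@code "http"}, the second for
     * anything else (including {@code null}).
     *
     * Fix: {@code str.equals("http")} threw on a null scheme, and a configuration with a single endpoint
     * failed with an ArrayIndexOutOfBoundsException for non-http; the latter now fails with a descriptive
     * exception instead of an index error.
     *
     * @param str the URL scheme of the current request
     * @return the configured endpoint for that scheme
     * @throws IllegalStateException if the endpoint list has no entry at the required position
     */
    public static String getGatewayUrl(String str) {
        String configured = AppManagerUtil.getGatewayendpoints();
        String[] endpoints = configured.split(",");
        int index = "http".equals(str) ? 0 : 1;
        if (endpoints.length <= index) {
            throw new IllegalStateException("Gateway endpoint for scheme '" + str + "' is not configured (entry "
                    + index + " of '" + configured + "')");
        }
        return endpoints[index];
    }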
}
