package org.wso2.carbon.appmgt.gateway.handlers.security.authentication;

import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMFactory;
import org.apache.axiom.om.OMNamespace;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.synapse.ManagedLifecycle;
import org.apache.synapse.MessageContext;
import org.apache.synapse.core.SynapseEnvironment;
import org.apache.synapse.core.axis2.Axis2MessageContext;
import org.apache.synapse.rest.AbstractHandler;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.LogoutRequest;
import org.opensaml.saml2.core.SessionIndex;
import org.opensaml.saml2.core.impl.ResponseImpl;
import org.opensaml.xml.XMLObject;
import org.wso2.carbon.appmgt.api.AppManagementException;
import org.wso2.carbon.appmgt.api.model.URITemplate;
import org.wso2.carbon.appmgt.api.model.WebApp;
import org.wso2.carbon.appmgt.gateway.handlers.security.APISecurityConstants;
import org.wso2.carbon.appmgt.gateway.handlers.security.Session;
import org.wso2.carbon.appmgt.gateway.handlers.security.SessionStore;
import org.wso2.carbon.appmgt.gateway.handlers.security.saml2.IDPMessage;
import org.wso2.carbon.appmgt.gateway.handlers.security.saml2.SAMLException;
import org.wso2.carbon.appmgt.gateway.handlers.security.saml2.SAMLUtils;
import org.wso2.carbon.appmgt.gateway.handlers.throttling.APIThrottleConstants;
import org.wso2.carbon.appmgt.gateway.token.JWTGenerator;
import org.wso2.carbon.appmgt.gateway.token.TokenGenerator;
import org.wso2.carbon.appmgt.gateway.utils.CacheManager;
import org.wso2.carbon.appmgt.gateway.utils.GatewayUtils;
import org.wso2.carbon.appmgt.impl.AppManagerConfiguration;
import org.wso2.carbon.appmgt.impl.DefaultAppRepository;
import org.wso2.carbon.appmgt.impl.service.ServiceReferenceHolder;
import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.identity.sso.saml.exception.IdentitySAML2SSOException;
import org.wso2.carbon.registry.core.Registry;

/* loaded from: input_file:org/wso2/carbon/appmgt/gateway/handlers/security/authentication/SAML2AuthenticationHandler.class */
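/**
 * Synapse REST handler that fronts a web app with SAML2 web-browser SSO.
 *
 * <p>Per request it (1) resolves the gateway session from the {@code APPMSESSIONID} cookie,
 * (2) loads the {@link WebApp} matching the API context/version, and then dispatches on the
 * path relative to the app root: the ACS callback from the IDP, the app's logout URL,
 * anonymous-access resources, and finally ordinary resources which require an authenticated
 * session. For authenticated requests it optionally forwards the raw SAML response and/or a
 * generated JWT to the backend as transport headers.
 *
 * <p>The web app is cached in the handler instance after the first request; the handler is
 * therefore tied to one API (context + version).
 */
public class SAML2AuthenticationHandler extends AbstractHandler implements ManagedLifecycle {
    private static final Log log = LogFactory.getLog(SAML2AuthenticationHandler.class);
    /**
     * Format of the session cookie: name, value, path. {@code HttpOnly} keeps the session id out
     * of reach of script served through the gateway; {@code Secure} is not added here because
     * the handler cannot tell whether the gateway is only exposed over TLS.
     */
    private static final String SET_COOKIE_PATTERN = "%s=%s; Path=%s; HttpOnly";
    /** Session attribute holding the per-app map of generated JWTs (app UUID -> token). */
    private static final String SESSION_ATTRIBUTE_JWTS = "jwts";
    /** Transport header carrying the raw SAML response to the backend, when enabled. */
    public static final String HTTP_HEADER_SAML_RESPONSE = "AppMgtSAML2Response";
    /** Name of the session cookie; also used as the message-context property for the session id. */
    private static final String SESSION_COOKIE_NAME = "APPMSESSIONID";
    private static final String PROP_FULL_REQUEST_PATH = "REST_FULL_REQUEST_PATH";
    private static final String PROP_API_CONTEXT = "REST_API_CONTEXT";
    private static final String PROP_API_VERSION = "SYNAPSE_REST_API_VERSION";
    private static final String PROP_TRANSPORT_HEADERS = "TRANSPORT_HEADERS";
    /** Resolved lazily on the first request and reused for the lifetime of the handler. */
    private WebApp webApp;
    private AppManagerConfiguration configuration;

    /**
     * Caches the App Manager configuration; everything else is resolved on first request.
     *
     * @param synapseEnvironment unused
     */
    public void init(SynapseEnvironment synapseEnvironment) {
        this.configuration = ServiceReferenceHolder.getInstance().getAPIManagerConfigurationService().getAPIManagerConfiguration();
    }

    /**
     * Authenticates an incoming request.
     *
     * @param messageContext the Synapse message context of the request
     * @return {@code true} when the request may continue to the backend; {@code false} when a
     *         redirect or response has already been written (ACS callback, logout, or a
     *         redirect to the IDP for authentication)
     */
    public boolean handleRequest(MessageContext messageContext) {
        Session session = getSession(messageContext);
        org.apache.axis2.context.MessageContext axis2MessageContext =
                ((Axis2MessageContext) messageContext).getAxis2MessageContext();
        String apiContext = (String) messageContext.getProperty(PROP_API_CONTEXT);
        String apiVersion = (String) messageContext.getProperty(PROP_API_VERSION);
        String fullRequestPath = (String) messageContext.getProperty(PROP_FULL_REQUEST_PATH);
        String redirectionReadyFullRequestPath = getRedirectionReadyFullRequestPath(messageContext);
        messageContext.setProperty("appm.gateway.redirectionFriendlyFullRequestPath", redirectionReadyFullRequestPath);
        // Path relative to the app root ("<context>/<version>/"); empty when the prefix is absent.
        String relativePath = StringUtils.substringAfter(fullRequestPath, String.format("%s/%s/", apiContext, apiVersion));
        String httpMethod = (String) axis2MessageContext.getProperty("HTTP_METHOD");

        loadWebApp(apiContext, apiVersion, fullRequestPath);
        messageContext.setProperty("appm.gateway.appID", Integer.valueOf(this.webApp.getDatabaseId()));
        URITemplate matchedURITemplate = GatewayUtils.findMatchedURITemplate(this.webApp, httpMethod, relativePath);
        messageContext.setProperty("appm.gateway.matchedURITemplate", matchedURITemplate);

        // The ACS callback and the logout URL are handled before any access decision.
        if (isACSURL(relativePath)) {
            handleRequestToACSEndpoint(messageContext, session);
            return false;
        }
        if (GatewayUtils.isLogoutURL(this.webApp, relativePath)) {
            doLogout(session);
            redirectToIDPWithLogoutRequest(messageContext, session);
            return false;
        }
        if (GatewayUtils.isAnonymousAccessAllowed(this.webApp, matchedURITemplate)) {
            if (log.isDebugEnabled()) {
                GatewayUtils.logWithRequestInfo(log, messageContext, String.format("Request to '%s' is allowed for anonymous access", fullRequestPath));
            }
            messageContext.setProperty("appm.gateway.skipSecurity", true);
            return true;
        }

        AuthenticationContext authenticationContext = session.getAuthenticationContext();
        if (!authenticationContext.isAuthenticated()) {
            if (log.isDebugEnabled()) {
                GatewayUtils.logWithRequestInfo(log, messageContext, String.format("Request to '%s' is not authenticated", fullRequestPath));
            }
            // Remember where to return after the IDP round trip, hand out the session cookie
            // and send the browser to the IDP.
            session.setRequestedURL(redirectionReadyFullRequestPath);
            SessionStore.getInstance().updateSession(session);
            setSessionCookie(messageContext, session.getUuid());
            requestAuthentication(messageContext);
            return false;
        }
        if (log.isDebugEnabled()) {
            GatewayUtils.logWithRequestInfo(log, messageContext, String.format("Request to '%s' is authenticated. Subject = '%s'", fullRequestPath, authenticationContext.getSubject()));
        }
        // An authenticated session is still sent through the IDP once per app so that the IDP
        // knows about this app and single logout can reach it.
        if (!session.hasAppBeenAccessedBefore(this.webApp.getUUID())) {
            GatewayUtils.logWithRequestInfo(log, messageContext, "This web app has not been accessed before in the current session. Doing SSO through IDP since it is needed to make SLO work.");
            session.setRequestedURL(redirectionReadyFullRequestPath);
            SessionStore.getInstance().updateSession(session);
            requestAuthentication(messageContext);
            return false;
        }

        messageContext.setProperty(SESSION_COOKIE_NAME, session.getUuid());
        if (shouldSendSAMLResponseToBackend()) {
            addSAMLResponseHeader(messageContext, session);
        }
        if (isJWTEnabled()) {
            addJWTHeader(messageContext, session);
        }
        return true;
    }

    /**
     * Loads the web app for the API once and caches it in {@link #webApp}.
     *
     * @throws RuntimeException (via {@link GatewayUtils#logAndThrowException}) when the
     *         repository lookup fails
     */
    private void loadWebApp(String apiContext, String apiVersion, String fullRequestPath) {
        if (this.webApp != null) {
            return;
        }
        try {
            this.webApp = new DefaultAppRepository((Registry) null).getWebAppByContextAndVersion(
                    apiContext, apiVersion, CarbonContext.getThreadLocalCarbonContext().getTenantId());
        } catch (AppManagementException e) {
            GatewayUtils.logAndThrowException(log, String.format("Can't fetch the web for '%s' from the repository.", fullRequestPath), e);
        }
    }

    /** Forwards the raw SAML response stored for this app in the session, if there is one. */
    private void addSAMLResponseHeader(MessageContext messageContext, Session session) {
        Map<String, Object> rawResponses = asAttributeMap(session.getAttribute(SAMLUtils.SESSION_ATTRIBUTE_RAW_SAML_RESPONSES));
        String rawResponse = rawResponses == null ? null : (String) rawResponses.get(this.webApp.getUUID());
        if (rawResponse != null) {
            addTransportHeader(messageContext, HTTP_HEADER_SAML_RESPONSE, rawResponse);
            if (log.isDebugEnabled()) {
                GatewayUtils.logWithRequestInfo(log, messageContext, "SAML response has been set in the request to the backend.");
            }
        } else if (log.isDebugEnabled()) {
            GatewayUtils.logWithRequestInfo(log, messageContext, "Couldn't find the SAML response for the app in the session.");
        }
    }

    /** Forwards the JWT generated for this app at login time, under the configured header name. */
    private void addJWTHeader(MessageContext messageContext, Session session) {
        String jwtHeaderName = this.configuration.getFirstProperty(APISecurityConstants.API_SECURITY_CONTEXT_HEADER);
        Map<String, Object> jwts = asAttributeMap(session.getAttribute(SESSION_ATTRIBUTE_JWTS));
        String jwt = jwts == null ? null : (String) jwts.get(this.webApp.getUUID());
        if (jwt == null) {
            if (log.isDebugEnabled()) {
                GatewayUtils.logWithRequestInfo(log, messageContext, "Couldn't find the generated JWT for the app in the session.");
            }
            return;
        }
        addTransportHeader(messageContext, jwtHeaderName, jwt);
        if (log.isDebugEnabled()) {
            GatewayUtils.logWithRequestInfo(log, messageContext, "JWT has been set in the request to the backend.");
        }
    }

    /**
     * Returns the request path to redirect back to after authentication. When the request was
     * made without the version segment (signalled by the {@code WSO2_APPM_INVOKED_WITHOUT_VERSION}
     * header), that segment is stripped again so the redirect matches what the browser asked for.
     */
    private String getRedirectionReadyFullRequestPath(MessageContext messageContext) {
        String fullRequestPath = (String) messageContext.getProperty(PROP_FULL_REQUEST_PATH);
        String invokedWithoutVersion = getTransportHeaders(messageContext).get("WSO2_APPM_INVOKED_WITHOUT_VERSION");
        // parseBoolean(null) is false, which covers the "header absent" case.
        if (!Boolean.parseBoolean(invokedWithoutVersion)) {
            return fullRequestPath;
        }
        String versionSegment = APIThrottleConstants.URL_MAPPING_SEPERATOR
                + (String) messageContext.getProperty(PROP_API_VERSION);
        // The version is data, not a pattern: a '.' in "1.0.0" must not match any character.
        return fullRequestPath.replaceFirst(Pattern.quote(versionSegment), "");
    }

    /** Drops the gateway session; the IDP-side logout is driven separately. */
    private void doLogout(Session session) {
        SessionStore.getInstance().removeSession(session.getUuid());
    }

    /**
     * Handles an IDP-initiated single logout request: the session index named in the request is
     * mapped back to a gateway session, which is removed. Only the first session index is used.
     * Callers must have verified the message signature before reaching this point.
     *
     * @return the {@code SLOResponse} element to return to the IDP
     */
    private OMElement handleSLORequest(MessageContext messageContext, LogoutRequest logoutRequest) {
        List<SessionIndex> sessionIndexes = logoutRequest.getSessionIndexes();
        if (sessionIndexes == null || sessionIndexes.isEmpty()) {
            GatewayUtils.logAndThrowException(log, "The SLO request does not carry a session index.", null);
        }
        String sessionIndex = sessionIndexes.get(0).getSessionIndex();
        String sessionId = (String) CacheManager.getInstance().getSessionIndexMappingCache().get(sessionIndex);
        if (sessionId != null) {
            // Only a hash of the session id goes to the log.
            GatewayUtils.logWithRequestInfo(log, messageContext, String.format("Found a session id (md5 : '%s')for the given session index in the SLO request: '%s'. Clearing the session", GatewayUtils.getMD5Hash(sessionId), sessionIndex));
            SessionStore.getInstance().removeSession(sessionId);
            CacheManager.getInstance().getSessionIndexMappingCache().remove(sessionIndex);
        } else {
            GatewayUtils.logWithRequestInfo(log, messageContext, String.format("Couldn't find a session id for the given session index : '%s'", sessionIndex));
        }
        OMFactory factory = OMAbstractFactory.getOMFactory();
        OMNamespace namespace = factory.createOMNamespace("http://wso2.org/appm", "appm");
        OMElement sloResponse = factory.createOMElement("SLOResponse", namespace);
        OMElement message = factory.createOMElement("message", namespace);
        message.setText("SLORequest has been successfully processed by WSO2 App Manager");
        sloResponse.addChild(message);
        return sloResponse;
    }

    /**
     * Handles the IDP callback to the assertion consumer service URL. The endpoint is reachable
     * without a session, so the SAML message is signature-verified before anything is acted on.
     * Depending on the message it ends an SLO round trip, processes an SLO request, or turns a
     * valid authentication response into an authenticated session and redirects to the URL that
     * was originally requested.
     *
     * @return always {@code false}; a redirect or response has been written
     */
    private boolean handleRequestToACSEndpoint(MessageContext messageContext, Session session) {
        String fullRequestPath = (String) messageContext.getProperty(PROP_FULL_REQUEST_PATH);
        GatewayUtils.buildIncomingMessage(messageContext);
        IDPMessage idpMessage = readAndVerifyIDPMessage(messageContext, fullRequestPath);

        String messageKind = idpMessage.getSAMLRequest() != null ? "SAMLRequest" : "SAMLResponse";
        GatewayUtils.logWithRequestInfo(log, messageContext, String.format("%s is available in request.", messageKind));
        if (idpMessage.isSLOResponse()) {
            GatewayUtils.logWithRequestInfo(log, messageContext, "SAMLResponse in an SLO response.");
            GatewayUtils.redirectToURL(messageContext, GatewayUtils.getAppRootURL(messageContext));
            return false;
        }
        if (idpMessage.isSLORequest()) {
            GatewayUtils.logWithRequestInfo(log, messageContext, "SAMLRequest in an SLO request.");
            GatewayUtils.send200(messageContext, handleSLORequest(messageContext, (LogoutRequest) idpMessage.getSAMLRequest()));
            return false;
        }
        if (idpMessage.isResponseValidityPeriodExpired()) {
            if (log.isDebugEnabled()) {
                GatewayUtils.logWithRequestInfo(log, messageContext, "The validity period of the SAML Response is expired.");
            }
            requestAuthentication(messageContext);
            return false;
        }
        AuthenticationContext authenticationContext = getAuthenticationContextFromIDPCallback(idpMessage);
        if (!authenticationContext.isAuthenticated()) {
            if (log.isDebugEnabled()) {
                GatewayUtils.logWithRequestInfo(log, messageContext, "SAML response is not authenticated.");
            }
            requestAuthentication(messageContext);
            return false;
        }
        if (log.isDebugEnabled()) {
            GatewayUtils.logWithRequestInfo(log, messageContext, String.format("SAML response is authenticated. Subject = '%s'", authenticationContext.getSubject()));
        }

        session.setAuthenticationContext(authenticationContext);
        if (shouldSendSAMLResponseToBackend()) {
            getOrCreateMapAttribute(session, SAMLUtils.SESSION_ATTRIBUTE_RAW_SAML_RESPONSES)
                    .put(this.webApp.getUUID(), idpMessage.getRawSAMLResponse());
        }
        // The session index is what an IDP-initiated SLO request will later refer to.
        String sessionIndex = (String) SAMLUtils.getSessionIndex(idpMessage.getSAMLResponse());
        session.addAttribute(SAMLUtils.SESSION_ATTRIBUTE_SAML_SESSION_INDEX, sessionIndex);
        GatewayUtils.logWithRequestInfo(log, messageContext, String.format("Session index : %s", sessionIndex));
        CacheManager.getInstance().getSessionIndexMappingCache().put(sessionIndex, session.getUuid());
        session.addAccessedWebAppUUID(this.webApp.getUUID());

        Map<String, Object> userAttributes = getUserAttributes((ResponseImpl) idpMessage.getSAMLResponse());
        session.getAuthenticationContext().setAttributes(userAttributes);
        addRolesFromClaims(session.getAuthenticationContext(), userAttributes);
        if (isJWTEnabled()) {
            storeJWT(messageContext, session, userAttributes, authenticationContext);
        }
        SessionStore.getInstance().updateSession(session);
        redirectToRequestedURL(messageContext, session);
        return false;
    }

    /**
     * Parses the SAML message posted to the ACS URL and verifies its signature against the
     * configured IDP certificate. Processing or validation failures are logged and rethrown by
     * {@link GatewayUtils#logAndThrowException}.
     */
    private IDPMessage readAndVerifyIDPMessage(MessageContext messageContext, String fullRequestPath) {
        IDPMessage idpMessage = null;
        try {
            idpMessage = SAMLUtils.processIDPMessage(messageContext);
            if (idpMessage.getSAMLResponse() == null && idpMessage.getSAMLRequest() == null) {
                GatewayUtils.logAndThrowException(log, String.format("A SAML request or response was not there in the request to the ACS URL ('%s')", fullRequestPath), null);
            }
            // NOTE(review): the signing certificate is always looked up for the super tenant
            // ("carbon.super"), regardless of the app's tenant — confirm this is intended.
            if (!idpMessage.validateSignature(GatewayUtils.getIDPCertificate("carbon.super", this.configuration.getFirstProperty("SSOConfiguration.ResponseSigningKeyAlias")))) {
                GatewayUtils.logAndThrowException(log, String.format("The signature of the SAML message received by the ASC URL ('%s'), can't be validated.", fullRequestPath), null);
            }
        } catch (IdentitySAML2SSOException e) {
            GatewayUtils.logAndThrowException(log, String.format("Error while processing the IDP call back request to the ACS URL ('%s')", fullRequestPath), e);
        } catch (SAMLException e) {
            GatewayUtils.logAndThrowException(log, String.format("Error while processing the IDP call back request to the ACS URL ('%s')", fullRequestPath), e);
        }
        return idpMessage;
    }

    /**
     * Adds the roles from the comma-separated {@code CLAIM_ROLES} attribute to the context.
     * Values are taken as-is (no trimming), matching how the rest of the gateway compares them.
     */
    private static void addRolesFromClaims(AuthenticationContext authenticationContext, Map<String, Object> userAttributes) {
        String roles = (String) userAttributes.get(APISecurityConstants.CLAIM_ROLES);
        if (roles == null) {
            return;
        }
        for (String role : roles.split(",")) {
            authenticationContext.addRole(role);
        }
    }

    /** Generates the backend JWT for this app and stores it in the session's JWT map. */
    private void storeJWT(MessageContext messageContext, Session session, Map<String, Object> userAttributes,
                          AuthenticationContext authenticationContext) {
        try {
            Map<String, Object> jwts = getOrCreateMapAttribute(session, SESSION_ATTRIBUTE_JWTS);
            jwts.put(this.webApp.getUUID(), getJWTGenerator().generateToken(userAttributes, this.webApp, messageContext));
        } catch (AppManagementException e) {
            GatewayUtils.logAndThrowException(log, String.format("Can't generate JWT for the subject : '%s'", authenticationContext.getSubject()), e);
        }
    }

    /** Sends the browser back to the URL requested before authentication, or to the app root. */
    private void redirectToRequestedURL(MessageContext messageContext, Session session) {
        String requestedURL = session.getRequestedURL();
        if (requestedURL != null) {
            GatewayUtils.redirectToURL(messageContext, requestedURL);
            return;
        }
        log.warn("Original requested URL in the session is null. Redirecting to the app root URL.");
        GatewayUtils.redirectToURL(messageContext, GatewayUtils.getAppRootURL(messageContext));
    }

    /** Responses are passed through untouched. */
    public boolean handleResponse(MessageContext messageContext) {
        return true;
    }

    /** Nothing to release. */
    public void destroy() {
    }

    /**
     * Resolves the gateway session. If the request carries the session cookie its value is put
     * into the message context under the same name; {@link GatewayUtils#getSession} then loads or
     * creates the session.
     */
    private Session getSession(MessageContext messageContext) {
        String cookieHeader = getTransportHeaders(messageContext).get("Cookie");
        if (cookieHeader != null) {
            String sessionId = parseRequestCookieHeader(cookieHeader).get(SESSION_COOKIE_NAME);
            if (sessionId != null) {
                if (log.isDebugEnabled()) {
                    GatewayUtils.logWithRequestInfo(log, messageContext, String.format("Cookie '%s' is available in the request.", SESSION_COOKIE_NAME));
                }
                messageContext.setProperty(SESSION_COOKIE_NAME, sessionId);
            } else if (log.isDebugEnabled()) {
                GatewayUtils.logWithRequestInfo(log, messageContext, String.format("Cookie '%s' is not available in the request.", SESSION_COOKIE_NAME));
            }
        }
        return GatewayUtils.getSession(messageContext, true);
    }

    /**
     * Parses a request {@code Cookie} header into name -> value.
     *
     * <p>Each {@code name=value} pair is split on its first {@code '='} only, so values that
     * themselves contain {@code '='} (base64 padding, for instance) are kept intact. Pairs
     * without a {@code '='} or with an empty name are ignored; if a name repeats, the last
     * occurrence wins.
     *
     * @param cookieHeader the header value; {@code null} yields an empty map
     */
    private static Map<String, String> parseRequestCookieHeader(String cookieHeader) {
        Map<String, String> cookies = new HashMap<String, String>();
        if (cookieHeader == null) {
            return cookies;
        }
        for (String pair : cookieHeader.split(";")) {
            String[] nameAndValue = pair.split("=", 2);
            if (nameAndValue.length != 2) {
                continue;
            }
            String name = nameAndValue[0].trim();
            if (!name.isEmpty()) {
                cookies.put(name, nameAndValue[1].trim());
            }
        }
        return cookies;
    }

    /** Builds a SAML logout request for this app's issuer and redirects the browser to the IDP. */
    private void redirectToIDPWithLogoutRequest(MessageContext messageContext, Session session) {
        LogoutRequest logoutRequest = SAMLUtils.buildLogoutRequest(this.webApp.getSaml2SsoIssuer(), session);
        GatewayUtils.logWithRequestInfo(log, messageContext, "Redirecting to the IDP for logging out.");
        GatewayUtils.redirectToIDPWithSAMLRequest(messageContext, logoutRequest);
    }

    /** Sets the session cookie on the outgoing response (path = URL mapping separator, HttpOnly). */
    private void setSessionCookie(MessageContext messageContext, String sessionId) {
        addTransportHeader(messageContext, "Set-Cookie",
                String.format(SET_COOKIE_PATTERN, SESSION_COOKIE_NAME, sessionId, APIThrottleConstants.URL_MAPPING_SEPERATOR));
        if (log.isDebugEnabled()) {
            GatewayUtils.logWithRequestInfo(log, messageContext, String.format("Cookie '%s' has been set in the response", SESSION_COOKIE_NAME));
        }
    }

    /** Puts a header into the transport headers map and re-publishes the map on the Synapse context. */
    private void addTransportHeader(MessageContext messageContext, String name, String value) {
        Map<String, String> headers = getTransportHeaders(messageContext);
        headers.put(name, value);
        messageContext.setProperty(PROP_TRANSPORT_HEADERS, headers);
    }

    /** The Axis2 transport headers of the request; assumed present (a missing map is not handled). */
    @SuppressWarnings("unchecked")
    private static Map<String, String> getTransportHeaders(MessageContext messageContext) {
        return (Map<String, String>) ((Axis2MessageContext) messageContext).getAxis2MessageContext().getProperty(PROP_TRANSPORT_HEADERS);
    }

    /** Views a session attribute as a map; {@code null} when the attribute is absent. */
    @SuppressWarnings("unchecked")
    private static Map<String, Object> asAttributeMap(Object attribute) {
        return (Map<String, Object>) attribute;
    }

    /** Returns the named map attribute of the session, creating and attaching it when absent. */
    private static Map<String, Object> getOrCreateMapAttribute(Session session, String attributeName) {
        Map<String, Object> map = asAttributeMap(session.getAttribute(attributeName));
        if (map == null) {
            map = new HashMap<String, Object>();
            session.addAttribute(attributeName, map);
        }
        return map;
    }

    /** Redirects the browser to the IDP with an authentication request for this app. */
    private void requestAuthentication(MessageContext messageContext) {
        GatewayUtils.redirectToIDPWithSAMLRequest(messageContext, SAMLUtils.buildAuthenticationRequest(messageContext, this.webApp));
    }

    private AuthenticationContext getAuthenticationContextFromIDPCallback(IDPMessage idpMessage) {
        return SAMLUtils.getAuthenticationContext(idpMessage);
    }

    /** True when the path relative to the app root is the configured ACS postfix or the default {@code acs/}. */
    private boolean isACSURL(String relativePath) {
        return relativePath.equals(this.configuration.getFirstProperty("SSOConfiguration.ACSURLPostfix")) || relativePath.equals("acs/");
    }

    /** Config switch for forwarding the raw SAML response to the backend; unset means {@code false}. */
    private boolean shouldSendSAMLResponseToBackend() {
        return Boolean.parseBoolean(this.configuration.getFirstProperty("AppConsumerAuthConfiguration.AddSAMLResponseHeaderToOutMessage"));
    }

    /** The registered token generator, or the default {@link JWTGenerator} when none is registered. */
    private TokenGenerator getJWTGenerator() {
        TokenGenerator registered = org.wso2.carbon.appmgt.gateway.internal.ServiceReferenceHolder.getInstance().getTokenGenerator();
        return registered != null ? registered : new JWTGenerator();
    }

    /**
     * Extracts the subject and the attributes of the first assertion in the response.
     *
     * <p>Only the first assertion is read, and for each attribute only its first value; an
     * attribute without values is skipped. A response with no (unencrypted) assertion is
     * rejected through {@link GatewayUtils#logAndThrowException}.
     *
     * @return map of {@code SUBJECT} and attribute name -> first value text
     */
    private Map<String, Object> getUserAttributes(ResponseImpl response) {
        Map<String, Object> attributes = new HashMap<String, Object>();
        List<Assertion> assertions = response.getAssertions();
        if (assertions == null || assertions.isEmpty()) {
            GatewayUtils.logAndThrowException(log, "The SAML response does not contain an assertion.", null);
        }
        Assertion assertion = assertions.get(0);
        attributes.put(APISecurityConstants.SUBJECT, assertion.getSubject().getNameID().getValue());
        List<AttributeStatement> statements = assertion.getAttributeStatements();
        if (statements == null) {
            return attributes;
        }
        for (AttributeStatement statement : statements) {
            for (Attribute attribute : statement.getAttributes()) {
                List<XMLObject> values = attribute.getAttributeValues();
                if (values == null || values.isEmpty()) {
                    if (log.isDebugEnabled()) {
                        log.debug(String.format("Attribute '%s' has no value; skipping.", attribute.getName()));
                    }
                    continue;
                }
                attributes.put(attribute.getName(), values.get(0).getDOM().getTextContent());
            }
        }
        return attributes;
    }

    /** JWT generation is enabled by configuration; no configuration means disabled. */
    private boolean isJWTEnabled() {
        return this.configuration != null && this.configuration.isJWTEnabled();
    }
}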
