package org.wso2.carbon.identity.application.authentication.framework.handler.request.impl;

import java.io.IOException;
import java.io.Serializable;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.math.NumberUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.slf4j.MDC;
import org.wso2.carbon.identity.application.authentication.framework.AuthenticationDataPublisher;
import org.wso2.carbon.identity.application.authentication.framework.AuthenticationFlowHandler;
import org.wso2.carbon.identity.application.authentication.framework.cache.AuthenticationRequestCacheEntry;
import org.wso2.carbon.identity.application.authentication.framework.config.model.ApplicationConfig;
import org.wso2.carbon.identity.application.authentication.framework.config.model.AuthenticatorConfig;
import org.wso2.carbon.identity.application.authentication.framework.config.model.SequenceConfig;
import org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.context.SessionContext;
import org.wso2.carbon.identity.application.authentication.framework.context.TransientObjectWrapper;
import org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException;
import org.wso2.carbon.identity.application.authentication.framework.exception.JsFailureException;
import org.wso2.carbon.identity.application.authentication.framework.exception.MisconfigurationException;
import org.wso2.carbon.identity.application.authentication.framework.exception.PostAuthenticationFailedException;
import org.wso2.carbon.identity.application.authentication.framework.handler.request.RequestCoordinator;
import org.wso2.carbon.identity.application.authentication.framework.internal.FrameworkServiceComponent;
import org.wso2.carbon.identity.application.authentication.framework.internal.FrameworkServiceDataHolder;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.model.CommonAuthResponseWrapper;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.authentication.framework.util.LoginContextManagementUtil;
import org.wso2.carbon.identity.application.authentication.framework.util.SessionNonceCookieUtil;
import org.wso2.carbon.identity.application.common.model.Property;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.registry.core.utils.UUIDGenerator;
import org.wso2.carbon.user.api.Tenant;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.common.AbstractUserStoreManager;
import org.wso2.carbon.user.core.util.UserCoreUtil;

/* loaded from: input_file:org/wso2/carbon/identity/application/authentication/framework/handler/request/impl/DefaultRequestCoordinator.class */
public class DefaultRequestCoordinator extends AbstractRequestCoordinator implements RequestCoordinator {
    /** General framework log. */
    private static final Log log = LogFactory.getLog(DefaultRequestCoordinator.class);
    /** Operator-facing "diagnostics" log; receives a one-line event per flow decision. */
    private static final Log diagnosticLog = LogFactory.getLog("diagnostics");
    /** Lazily created singleton; volatile so the double-checked locking in getInstance() publishes it safely. */
    private static volatile DefaultRequestCoordinator instance;
    /** Request attribute (not a parameter) holding the requested ACR values; read by getAcrRequested(). */
    private static final String ACR_VALUES_ATTRIBUTE = "acr_values";
    /** Request attribute holding the claims the service provider asked for; read in initializeFlow(). */
    private static final String REQUESTED_ATTRIBUTES = "requested_attributes";
    /** Query key for the service provider name (not referenced in the portion of the class shown here). */
    private static final String SERVICE_PROVIDER_QUERY_KEY = "serviceProvider";

    /**
     * Returns the process-wide coordinator, creating it on first use.
     * <p>
     * Double-checked locking on the class monitor; the unsynchronized fast-path read is safe
     * because {@code instance} is declared volatile.
     *
     * @return the shared {@link DefaultRequestCoordinator}; never null
     */
    public static DefaultRequestCoordinator getInstance() {
        DefaultRequestCoordinator current = instance;
        if (current != null) {
            return current;
        }
        synchronized (DefaultRequestCoordinator.class) {
            if (instance == null) {
                instance = new DefaultRequestCoordinator();
            }
            return instance;
        }
    }

    /**
     * Returns the {@link AuthenticationRequestCacheEntry} an upstream component attached to the
     * request under {@code RequestAttribute.AUTH_REQUEST}, or null when none is present.
     *
     * @param httpServletRequest the incoming request
     * @return the attached entry, or null
     */
    private AuthenticationRequestCacheEntry getAuthenticationRequestFromRequest(HttpServletRequest httpServletRequest) {
        Object attached = httpServletRequest.getAttribute(FrameworkConstants.RequestAttribute.AUTH_REQUEST);
        return (AuthenticationRequestCacheEntry) attached;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r12v1, types: [java.lang.Throwable, org.wso2.carbon.identity.application.authentication.framework.exception.JsFailureException] */
    /* JADX WARN: Type inference failed for: r12v2, types: [java.lang.Throwable, org.wso2.carbon.identity.application.authentication.framework.exception.PostAuthenticationFailedException] */
    /**
     * Single entry point for every request that reaches the commonauth endpoint.
     * <p>
     * A request carrying a {@code type} parameter starts a new flow: its one-time
     * {@code sessionDataKey} is resolved to the cached {@link AuthenticationRequestCacheEntry},
     * that entry is removed from the cache, and a fresh {@link AuthenticationContext} is built by
     * {@link #initializeFlow}. Any other request is a return into an existing flow and the
     * context is looked up with {@link FrameworkUtils#getContextData}.
     * <p>
     * The context is then locked against concurrent use (double-submit detection), optionally
     * rewound to step 1, and handed to the logout or authentication request handler. On every
     * exit path the thread-local user-store domain is cleared, the ALOR cookie is removed, the
     * context is released and re-cached while the flow is still open, and the wrapped response
     * is flushed through {@link #unwrapResponse}.
     * <p>
     * NOTE(review): this is decompiler output. The local {@code authenticationContext} is set to
     * {@code null} once and never reassigned, so every {@code if (0 != 0)} body is dead code (a
     * {@code finally} block with the variable's nullness folded in), and the catch blocks that
     * dereference it directly would NPE as written. In the original source it is presumably the
     * same variable as {@code contextData}.
     *
     * @param httpServletRequest  incoming request; replaced by a copy carrying the cached
     *                            request's parameters when a cache entry is found
     * @param httpServletResponse real response; output is buffered in a
     *                            {@link CommonAuthResponseWrapper} until the end of the method
     * @throws IOException propagated when the final write or redirect fails
     */
    @Override // org.wso2.carbon.identity.application.authentication.framework.handler.request.RequestCoordinator
    public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        CommonAuthResponseWrapper commonAuthResponseWrapper;
        AuthenticationContext contextData;
        // Reuse a wrapper an upstream component already put around the response; otherwise wrap it
        // here and flag it so unwrapResponse() knows this method must write the buffered output through.
        if (httpServletResponse instanceof CommonAuthResponseWrapper) {
            commonAuthResponseWrapper = (CommonAuthResponseWrapper) httpServletResponse;
        } else {
            commonAuthResponseWrapper = new CommonAuthResponseWrapper(httpServletResponse);
            commonAuthResponseWrapper.setWrappedByFramework(true);
        }
        // Never reassigned in this listing (see class-level NOTE in the Javadoc above).
        AuthenticationContext authenticationContext = null;
        // One-time key linking this request to the cached AuthenticationRequest.
        String parameter = httpServletRequest.getParameter("sessionDataKey");
        try {
            try {
                try {
                    AuthenticationRequestCacheEntry authenticationRequestCacheEntry = null;
                    // true for a "returning" request (no "type" parameter); copied into the context below
                    boolean z = false;
                    if (httpServletRequest.getParameter("type") != null) {
                        // A "type" parameter marks the start of a new flow.
                        if (parameter != null) {
                            if (log.isDebugEnabled()) {
                                log.debug("Retrieving authentication request from cache for the sessionDataKey: " + parameter);
                            }
                            authenticationRequestCacheEntry = getAuthenticationRequest(httpServletRequest, parameter);
                            if (authenticationRequestCacheEntry == null) {
                                if (log.isDebugEnabled()) {
                                    log.debug("No authentication request found in the cache for sessionDataKey: " + parameter);
                                }
                                // An unknown key is rejected outright; only a logout request tolerates it.
                                if (!isCommonAuthLogoutRequest(httpServletRequest)) {
                                    diagnosticLog.error("Invalid authentication request with sessionDataKey: " + parameter);
                                    throw new FrameworkException("Invalid authentication request with sessionDataKey: " + parameter);
                                }
                                if (log.isDebugEnabled()) {
                                    log.debug("Ignoring the invalid sessionDataKey: " + parameter + " in the CommonAuthLogout request.");
                                }
                            }
                        } else if (!isCommonAuthLogoutRequest(httpServletRequest)) {
                            if (log.isDebugEnabled()) {
                                log.debug("Session data key is null in the request and not a logout request.");
                            }
                            diagnosticLog.info("Session data key is null in the request and not a logout request. Sending to retry page..");
                            // NOTE(review): the retry redirect goes to the raw response and there is no return
                            // here, so initializeFlow() below still runs for this request — confirm intended.
                            FrameworkUtils.sendToRetryPage(httpServletRequest, httpServletResponse, null);
                        }
                        if (authenticationRequestCacheEntry != null) {
                            // Swap in a request view carrying the cached parameters, then drop the cache entry
                            // so the sessionDataKey cannot be replayed.
                            httpServletRequest = FrameworkUtils.getCommonAuthReqWithParams(httpServletRequest, authenticationRequestCacheEntry);
                            FrameworkUtils.removeAuthenticationRequestFromCache(parameter);
                        }
                        contextData = initializeFlow(httpServletRequest, commonAuthResponseWrapper);
                        contextData.initializeAnalyticsData();
                    } else {
                        // No "type": the client is returning into an existing flow; resolve its context.
                        z = true;
                        contextData = FrameworkUtils.getContextData(httpServletRequest);
                        associateTransientRequestData(httpServletRequest, commonAuthResponseWrapper, contextData);
                    }
                    if (contextData != null) {
                        if (StringUtils.isNotBlank(contextData.getServiceProviderName())) {
                            MDC.put("serviceProvider", contextData.getServiceProviderName());
                        }
                        // The context's monitor is held for the whole handler call. isActiveInAThread() is a
                        // second, flag-based guard: if it is already set, another thread is mid-flight with
                        // this context (double submit) and this request is bounced to the retry page.
                        synchronized (contextData) {
                            if (contextData.isActiveInAThread()) {
                                log.error("Same context is currently in used by a different thread. Possible double submit.");
                                diagnosticLog.error("Same context is currently in used by a different thread. Possible double submit. Sending to retry page..");
                                if (log.isDebugEnabled()) {
                                    // Includes the full header dump from getHeaderString(); make sure
                                    // credential-bearing headers (Cookie, Authorization) never reach the log.
                                    log.debug("Same context is currently in used by a different thread. Possible double submit.\nContext id: " + contextData.getContextIdentifier() + "\nOriginating address: " + httpServletRequest.getRemoteAddr() + "\nRequest Headers: " + getHeaderString(httpServletRequest) + "\nThread Id: " + Thread.currentThread().getId());
                                }
                                FrameworkUtils.sendToRetryPage(httpServletRequest, commonAuthResponseWrapper, contextData);
                                // Exit-path cleanup, duplicated here by the decompiler (finally inlined before the
                                // return): clear the thread-local domain, drop the ALOR cookie, release the context,
                                // re-cache it while the flow is still open, then flush the wrapped response.
                                UserCoreUtil.setDomainInThreadLocal((String) null);
                                FrameworkUtils.removeALORCookie(httpServletRequest, httpServletResponse);
                                if (contextData != null) {
                                    contextData.setActiveInAThread(false);
                                    if (log.isDebugEnabled()) {
                                        log.debug("Context id: " + contextData.getContextIdentifier() + " left the thread with id: " + Thread.currentThread().getId());
                                    }
                                    // Keep the context only while the flow is unfinished (or it is a logout).
                                    if (!LoginContextManagementUtil.isPostAuthenticationExtensionCompleted(contextData) || contextData.isLogoutRequest()) {
                                        FrameworkUtils.addAuthenticationContextToCache(contextData.getContextIdentifier(), contextData);
                                        if (log.isDebugEnabled()) {
                                            log.debug("Context with id: " + contextData.getContextIdentifier() + " added to the cache.");
                                        }
                                    }
                                }
                                unwrapResponse(commonAuthResponseWrapper, parameter, httpServletResponse, contextData);
                                return;
                            }
                            contextData.setActiveInAThread(true);
                            if (log.isDebugEnabled()) {
                                log.debug("Context id: " + contextData.getContextIdentifier() + " is active in the thread with id: " + Thread.currentThread().getId());
                            }
                            // Rewind to step 1 when the client asks for it (RESTART_FLOW) or an identifier-first
                            // submission cannot be consumed by a flow handler in the current step. Rewinding is
                            // refused if any completed step was a real authenticator, so a client-controlled
                            // restart cannot discard an authentication that already happened.
                            if (isBackToFirstStepRequest(httpServletRequest) || (isIdentifierFirstRequest(httpServletRequest) && !isFlowHandlerInCurrentStepCanHandleRequest(contextData, httpServletRequest))) {
                                if (!isCompletedStepsAreFlowHandlersOnly(contextData)) {
                                    String str = "Restarting the authentication flow failed because there is/are authenticator/s available in the completed steps for  " + contextData.getContextIdentifier();
                                    if (log.isDebugEnabled()) {
                                        log.debug(str);
                                    }
                                    diagnosticLog.info(str);
                                    throw new MisconfigurationException(str);
                                }
                                if (log.isDebugEnabled()) {
                                    log.debug("Restarting the authentication flow from step 1 for  " + contextData.getContextIdentifier());
                                }
                                diagnosticLog.info("Restarting the authentication flow from step 1 for  " + contextData.getContextIdentifier());
                                contextData.setCurrentStep(0);
                                contextData.setProperty(FrameworkConstants.BACK_TO_FIRST_STEP, true);
                                contextData.getAuthenticatorParams(FrameworkConstants.JSAttributes.JS_COMMON_OPTIONS).clear();
                                FrameworkUtils.resetAuthenticationContext(contextData);
                                // A rewound flow is treated as a fresh (non-returning) one.
                                z = false;
                                contextData.getCurrentAuthenticatedIdPs().clear();
                            }
                            setSPAttributeToRequest(httpServletRequest, contextData);
                            contextData.setReturning(z);
                            if (!contextData.isReturning() && authenticationRequestCacheEntry != null) {
                                contextData.setAuthenticationRequest(authenticationRequestCacheEntry.getAuthenticationRequest());
                            }
                            if (contextData.isLogoutRequest()) {
                                diagnosticLog.info("Handling logout flow for " + contextData.getContextIdentifier());
                                FrameworkUtils.getLogoutRequestHandler().handle(httpServletRequest, commonAuthResponseWrapper, contextData);
                            } else {
                                diagnosticLog.info("Handling authentication flow for " + contextData.getContextIdentifier());
                                FrameworkUtils.getAuthenticationRequestHandler().handle(httpServletRequest, commonAuthResponseWrapper, contextData);
                            }
                        }
                    } else {
                        // No context could be resolved (expired or invalidated cache entry, or a bad key).
                        if (log.isDebugEnabled()) {
                            String parameter2 = httpServletRequest.getParameter("sessionDataKey");
                            if (parameter2 == null) {
                                log.debug("Session data key is null in the request");
                            } else {
                                log.debug("Session data key  :  " + parameter2);
                            }
                        }
                        String str2 = "Requested client: " + httpServletRequest.getRemoteAddr() + ", URI :" + httpServletRequest.getMethod() + ":" + httpServletRequest.getRequestURI() + ", User-Agent: " + httpServletRequest.getHeader("User-Agent") + " , Referer: " + httpServletRequest.getHeader("Referer");
                        log.error("Context does not exist. Probably due to invalidated cache. " + str2);
                        diagnosticLog.error("Context does not exist. Probably due to invalidated cache. " + str2 + ". Sending to retry page.");
                        FrameworkUtils.sendToRetryPage(httpServletRequest, commonAuthResponseWrapper, contextData);
                    }
                    // Normal exit-path cleanup (same sequence as in the double-submit branch above).
                    UserCoreUtil.setDomainInThreadLocal((String) null);
                    FrameworkUtils.removeALORCookie(httpServletRequest, httpServletResponse);
                    if (contextData != null) {
                        contextData.setActiveInAThread(false);
                        if (log.isDebugEnabled()) {
                            log.debug("Context id: " + contextData.getContextIdentifier() + " left the thread with id: " + Thread.currentThread().getId());
                        }
                        if (!LoginContextManagementUtil.isPostAuthenticationExtensionCompleted(contextData) || contextData.isLogoutRequest()) {
                            FrameworkUtils.addAuthenticationContextToCache(contextData.getContextIdentifier(), contextData);
                            if (log.isDebugEnabled()) {
                                log.debug("Context with id: " + contextData.getContextIdentifier() + " added to the cache.");
                            }
                        }
                    }
                    unwrapResponse(commonAuthResponseWrapper, parameter, httpServletResponse, contextData);
                } catch (MisconfigurationException e) {
                    // The user sees a generic message; the detail stays in the diagnostics log.
                    diagnosticLog.error("Misconfiguration exception occurred. Error message: " + e.getMessage());
                    FrameworkUtils.sendToRetryPage(httpServletRequest, commonAuthResponseWrapper, null, "misconfiguration.error", "something.went.wrong.contact.admin");
                    UserCoreUtil.setDomainInThreadLocal((String) null);
                    FrameworkUtils.removeALORCookie(httpServletRequest, httpServletResponse);
                    // Dead: authenticationContext is always null in this listing (decompiled finally).
                    if (0 != 0) {
                        authenticationContext.setActiveInAThread(false);
                        if (log.isDebugEnabled()) {
                            log.debug("Context id: " + authenticationContext.getContextIdentifier() + " left the thread with id: " + Thread.currentThread().getId());
                        }
                        if (!LoginContextManagementUtil.isPostAuthenticationExtensionCompleted(null) || authenticationContext.isLogoutRequest()) {
                            FrameworkUtils.addAuthenticationContextToCache(authenticationContext.getContextIdentifier(), null);
                            if (log.isDebugEnabled()) {
                                log.debug("Context with id: " + authenticationContext.getContextIdentifier() + " added to the cache.");
                            }
                        }
                    }
                    unwrapResponse(commonAuthResponseWrapper, parameter, httpServletResponse, null);
                } catch (PostAuthenticationFailedException e2) {
                    // A post-authentication handler rejected the login: drop the PASTR cookie, publish the
                    // failure and bounce to the retry page carrying the handler's error code.
                    // NOTE(review): authenticationContext is null here in this listing, so the removeCookie
                    // line would NPE and land in the Throwable handler of the enclosing try.
                    if (log.isDebugEnabled()) {
                        log.debug("Error occurred while evaluating post authentication", e2);
                    }
                    diagnosticLog.error("Error occurred during post authentication. Sending to retry page. Error message: " + e2.getMessage());
                    FrameworkUtils.removeCookie(httpServletRequest, commonAuthResponseWrapper, FrameworkUtils.getPASTRCookieName(authenticationContext.getContextIdentifier()));
                    publishAuthenticationFailure(httpServletRequest, null, authenticationContext.getSequenceConfig().getAuthenticatedUser(), e2.getErrorCode());
                    FrameworkUtils.sendToRetryPage(httpServletRequest, commonAuthResponseWrapper, null, "Authentication attempt failed.", e2.getErrorCode());
                    UserCoreUtil.setDomainInThreadLocal((String) null);
                    FrameworkUtils.removeALORCookie(httpServletRequest, httpServletResponse);
                    // Dead (see above).
                    if (0 != 0) {
                        authenticationContext.setActiveInAThread(false);
                        if (log.isDebugEnabled()) {
                            log.debug("Context id: " + authenticationContext.getContextIdentifier() + " left the thread with id: " + Thread.currentThread().getId());
                        }
                        if (!LoginContextManagementUtil.isPostAuthenticationExtensionCompleted(null) || authenticationContext.isLogoutRequest()) {
                            FrameworkUtils.addAuthenticationContextToCache(authenticationContext.getContextIdentifier(), null);
                            if (log.isDebugEnabled()) {
                                log.debug("Context with id: " + authenticationContext.getContextIdentifier() + " added to the cache.");
                            }
                        }
                    }
                    unwrapResponse(commonAuthResponseWrapper, parameter, httpServletResponse, null);
                }
            } catch (JsFailureException e3) {
                // An adaptive script failed the login. No retry page is sent from here; the redirect is
                // expected to have been set already by the script/handler.
                // NOTE(review): authenticationContext is null in this listing; the publish call would NPE
                // and fall through to the outermost handler, which cleans up and rethrows.
                if (log.isDebugEnabled()) {
                    log.debug("Script initiated Exception occured.", e3);
                }
                publishAuthenticationFailure(httpServletRequest, null, authenticationContext.getSequenceConfig().getAuthenticatedUser(), e3.getErrorCode());
                if (log.isDebugEnabled()) {
                    log.debug("User will be redirected to retry page or the error page provided by script.");
                }
                diagnosticLog.error("Script initiated Exception occurred. Redirecting to retry/error page provided by the script. Error message: " + e3.getMessage());
                UserCoreUtil.setDomainInThreadLocal((String) null);
                FrameworkUtils.removeALORCookie(httpServletRequest, httpServletResponse);
                // Dead (see above).
                if (0 != 0) {
                    authenticationContext.setActiveInAThread(false);
                    if (log.isDebugEnabled()) {
                        log.debug("Context id: " + authenticationContext.getContextIdentifier() + " left the thread with id: " + Thread.currentThread().getId());
                    }
                    if (!LoginContextManagementUtil.isPostAuthenticationExtensionCompleted(null) || authenticationContext.isLogoutRequest()) {
                        FrameworkUtils.addAuthenticationContextToCache(authenticationContext.getContextIdentifier(), null);
                        if (log.isDebugEnabled()) {
                            log.debug("Context with id: " + authenticationContext.getContextIdentifier() + " added to the cache.");
                        }
                    }
                }
                unwrapResponse(commonAuthResponseWrapper, parameter, httpServletResponse, null);
            } catch (Throwable th) {
                // Catch-all. A session-nonce mismatch gets the dedicated "suspicious attempts" retry page,
                // written to the raw response; anything else gets the generic retry page via the wrapper.
                log.error("Exception in Authentication Framework", th);
                diagnosticLog.error("Exception in Authentication Framework. Error message: " + th.getMessage());
                if ((th instanceof FrameworkException) && SessionNonceCookieUtil.NONCE_ERROR_CODE.equals(((FrameworkException) th).getErrorCode())) {
                    if (log.isDebugEnabled()) {
                        log.debug(th.getMessage(), th);
                    }
                    FrameworkUtils.sendToRetryPage(httpServletRequest, httpServletResponse, null, "suspicious.authentication.attempts", "suspicious.authentication.attempts.description");
                } else {
                    FrameworkUtils.sendToRetryPage(httpServletRequest, commonAuthResponseWrapper, null);
                }
                UserCoreUtil.setDomainInThreadLocal((String) null);
                FrameworkUtils.removeALORCookie(httpServletRequest, httpServletResponse);
                // Dead (see above).
                if (0 != 0) {
                    authenticationContext.setActiveInAThread(false);
                    if (log.isDebugEnabled()) {
                        log.debug("Context id: " + authenticationContext.getContextIdentifier() + " left the thread with id: " + Thread.currentThread().getId());
                    }
                    if (!LoginContextManagementUtil.isPostAuthenticationExtensionCompleted(null) || authenticationContext.isLogoutRequest()) {
                        FrameworkUtils.addAuthenticationContextToCache(authenticationContext.getContextIdentifier(), null);
                        if (log.isDebugEnabled()) {
                            log.debug("Context with id: " + authenticationContext.getContextIdentifier() + " added to the cache.");
                        }
                    }
                }
                unwrapResponse(commonAuthResponseWrapper, parameter, httpServletResponse, null);
            }
        } catch (Throwable th2) {
            // Decompiled finally: cleanup for anything that escaped the handlers above, then rethrow.
            UserCoreUtil.setDomainInThreadLocal((String) null);
            FrameworkUtils.removeALORCookie(httpServletRequest, httpServletResponse);
            // Dead (see above).
            if (0 != 0) {
                authenticationContext.setActiveInAThread(false);
                if (log.isDebugEnabled()) {
                    log.debug("Context id: " + authenticationContext.getContextIdentifier() + " left the thread with id: " + Thread.currentThread().getId());
                }
                if (!LoginContextManagementUtil.isPostAuthenticationExtensionCompleted(null) || authenticationContext.isLogoutRequest()) {
                    FrameworkUtils.addAuthenticationContextToCache(authenticationContext.getContextIdentifier(), null);
                    if (log.isDebugEnabled()) {
                        log.debug("Context with id: " + authenticationContext.getContextIdentifier() + " added to the cache.");
                    }
                }
            }
            unwrapResponse(commonAuthResponseWrapper, parameter, httpServletResponse, null);
            throw th2;
        }
    }

    /**
     * Flushes the buffered {@link CommonAuthResponseWrapper} to the real response.
     * <p>
     * Non-redirect output is written through only when the framework created the wrapper itself;
     * otherwise whoever wrapped the response is responsible for writing it. A redirect is passed
     * through {@link FrameworkUtils#getRedirectURLWithFilteredParams} when a context is available.
     * With a null context the redirect URL is sent unfiltered (a warning is logged), so every
     * caller that reaches this method without a context forgoes that filtering.
     *
     * @param commonAuthResponseWrapper buffered response produced by the handlers
     * @param str                       sessionDataKey of the request; used only in the warning
     * @param httpServletResponse       underlying response to write to
     * @param authenticationContext     context used for redirect parameter filtering; may be null
     * @throws IOException if the underlying redirect fails
     */
    protected void unwrapResponse(CommonAuthResponseWrapper commonAuthResponseWrapper, String str, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) throws IOException {
        boolean ownedByFramework = commonAuthResponseWrapper.isWrappedByFramework();
        if (!commonAuthResponseWrapper.isRedirect()) {
            // Buffered (non-redirect) content is only flushed by the framework's own wrapper.
            if (ownedByFramework) {
                commonAuthResponseWrapper.write();
            }
            return;
        }
        String target = commonAuthResponseWrapper.getRedirectURL();
        if (authenticationContext == null) {
            log.warn("Authentication context is null, redirect parameter filtering will not be done for " + str);
        } else {
            target = FrameworkUtils.getRedirectURLWithFilteredParams(target, authenticationContext);
        }
        if (ownedByFramework) {
            httpServletResponse.sendRedirect(target);
        } else {
            commonAuthResponseWrapper.sendRedirect(target);
        }
    }

    /**
     * True when the request is an identifier-first submission: the AUTH_TYPE parameter equals
     * {@code "idf"}, or an IDENTIFIER_CONSENT parameter is present at all.
     *
     * @param httpServletRequest the incoming request
     * @return whether identifier-first handling applies
     */
    private boolean isIdentifierFirstRequest(HttpServletRequest httpServletRequest) {
        String authType = httpServletRequest.getParameter(FrameworkConstants.RequestParams.AUTH_TYPE);
        if ("idf".equals(authType)) {
            return true;
        }
        return httpServletRequest.getParameter(FrameworkConstants.RequestParams.IDENTIFIER_CONSENT) != null;
    }

    /**
     * True when the current step of the sequence contains at least one authenticator that is an
     * {@link AuthenticationFlowHandler} and reports it can handle this request.
     *
     * @param authenticationContext context whose current step is inspected
     * @param httpServletRequest    request offered to each flow handler's canHandle()
     * @return false when the current step is missing from the step map or no flow handler accepts
     */
    private boolean isFlowHandlerInCurrentStepCanHandleRequest(AuthenticationContext authenticationContext, HttpServletRequest httpServletRequest) {
        int currentStep = authenticationContext.getCurrentStep();
        StepConfig step = authenticationContext.getSequenceConfig().getStepMap().get(currentStep);
        if (step == null) {
            return false;
        }
        for (AuthenticatorConfig config : step.getAuthenticatorList()) {
            boolean isFlowHandler = config.getApplicationAuthenticator() instanceof AuthenticationFlowHandler;
            if (isFlowHandler && config.getApplicationAuthenticator().canHandle(httpServletRequest)) {
                return true;
            }
        }
        return false;
    }

    /**
     * True when the client sent the RESTART_FLOW parameter with the value {@code true}
     * (case-insensitive); a missing or any other value yields false. The parameter is
     * client-controlled, so handle() only honours it after checking that no real authenticator
     * has completed yet.
     *
     * @param httpServletRequest the incoming request
     * @return whether a rewind to step 1 was requested
     */
    private boolean isBackToFirstStepRequest(HttpServletRequest httpServletRequest) {
        String restart = httpServletRequest.getParameter(FrameworkConstants.RequestParams.RESTART_FLOW);
        return Boolean.parseBoolean(restart);
    }

    /**
     * Checks that every step completed so far (indexes 0 .. currentStep-1) was satisfied by an
     * {@link AuthenticationFlowHandler} rather than a real authenticator. handle() uses this to
     * decide whether a flow may be rewound to step 1: a completed real authentication must not be
     * silently discarded.
     * <p>
     * Step indexes absent from the map are skipped. NOTE(review): a completed step whose
     * authenticated authenticator is unset would NPE here (caught upstream as a generic failure);
     * confirm that cannot happen for a completed step.
     *
     * @param authenticationContext context whose completed steps are inspected
     * @return true when no completed step used a real authenticator
     */
    private boolean isCompletedStepsAreFlowHandlersOnly(AuthenticationContext authenticationContext) {
        Map<Integer, StepConfig> steps = authenticationContext.getSequenceConfig().getStepMap();
        int lastCompleted = authenticationContext.getCurrentStep() - 1;
        for (int index = lastCompleted; index >= 0; index--) {
            StepConfig step = steps.get(index);
            if (step == null) {
                continue;
            }
            boolean handledByFlowHandler = step.getAuthenticatedAutenticator().getApplicationAuthenticator() instanceof AuthenticationFlowHandler;
            if (!handledByFlowHandler) {
                return false;
            }
        }
        return true;
    }

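    /**
     * Renders every request header as {@code Header Name: X, Value: Y. } for the double-submit
     * debug message in handle().
     * <p>
     * The values of credential-bearing headers (Cookie, Authorization, Proxy-Authorization) are
     * replaced by {@code [redacted]}: the rendered string is written to the application log, and
     * the Cookie header carries the framework's session cookie.
     *
     * @param httpServletRequest request whose headers are rendered
     * @return a single-line dump; empty when the request has no headers or the container does not
     *         expose them (getHeaderNames() is allowed to return null by the servlet spec)
     */
    private String getHeaderString(HttpServletRequest httpServletRequest) {
        Enumeration headerNames = httpServletRequest.getHeaderNames();
        StringBuilder sb = new StringBuilder();
        if (headerNames == null) {
            return sb.toString();
        }
        while (headerNames.hasMoreElements()) {
            String name = (String) headerNames.nextElement();
            String value = isCredentialHeader(name) ? "[redacted]" : httpServletRequest.getHeader(name);
            sb.append("Header Name: ").append(name).append(", ").append("Value: ").append(value).append(". ");
        }
        return sb.toString();
    }

    /**
     * True for headers whose value is a credential and must never be written to a log.
     *
     * @param name header name as reported by the container (compared case-insensitively)
     * @return whether the header's value must be redacted
     */
    private static boolean isCredentialHeader(String name) {
        return "Cookie".equalsIgnoreCase(name)
                || "Authorization".equalsIgnoreCase(name)
                || "Proxy-Authorization".equalsIgnoreCase(name);
    }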

    /**
     * Stores the current request and response on the context under the HTTP_REQUEST and
     * HTTP_RESPONSE properties, each wrapped in a {@link TransientObjectWrapper} (the wrapper's
     * name suggests it keeps them out of any serialized copy of the context — confirm). No-op
     * when the context is null.
     *
     * @param httpServletRequest    request to attach
     * @param httpServletResponse   response to attach
     * @param authenticationContext target context; may be null
     */
    private void associateTransientRequestData(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) {
        if (authenticationContext != null) {
            TransientObjectWrapper wrappedRequest = new TransientObjectWrapper(httpServletRequest);
            TransientObjectWrapper wrappedResponse = new TransientObjectWrapper(httpServletResponse);
            authenticationContext.setProperty(FrameworkConstants.RequestAttribute.HTTP_REQUEST, wrappedRequest);
            authenticationContext.setProperty(FrameworkConstants.RequestAttribute.HTTP_RESPONSE, wrappedResponse);
        }
    }

    /**
     * True when the {@code commonAuthLogout} parameter is present with the value {@code true}
     * (case-insensitive); absent or any other value yields false.
     *
     * @param httpServletRequest the incoming request
     * @return whether this is a commonauth logout request
     */
    private boolean isCommonAuthLogoutRequest(HttpServletRequest httpServletRequest) {
        String logoutFlag = httpServletRequest.getParameter("commonAuthLogout");
        return Boolean.parseBoolean(logoutFlag);
    }

    /**
     * Resolves the cached authentication request for a sessionDataKey, preferring an entry already
     * attached to the request and falling back to the framework cache.
     *
     * @param httpServletRequest the incoming request
     * @param str                the sessionDataKey used for the cache lookup
     * @return the entry, or null if neither source has one
     */
    private AuthenticationRequestCacheEntry getAuthenticationRequest(HttpServletRequest httpServletRequest, String str) {
        AuthenticationRequestCacheEntry attached = getAuthenticationRequestFromRequest(httpServletRequest);
        if (attached != null) {
            return attached;
        }
        return FrameworkUtils.getAuthenticationRequestFromCache(str);
    }

    /**
     * Builds a fresh {@link AuthenticationContext} for a request that starts a new flow.
     * <p>
     * Request parameters copied into the context: {@code sessionDataKey} (as the caller session
     * key), {@code type}, the ISSUER (relying party), LOGIN_TENANT_DOMAIN and
     * USER_TENANT_DOMAIN_HINT; the tenant domain and caller path come from helpers. When tenanted
     * sessions are enabled the caller path is prefixed with the login tenant's context unless it
     * already starts with it. A generated UUID becomes the context identifier.
     * <p>
     * For a logout ({@code commonAuthLogout} parameter present) the context is flagged as a
     * logout request; if no relying party was given, the session identifier is set to the SHA-256
     * hex of the auth cookie value (falling back to the SESSION_ID parameter) and the context is
     * returned early, skipping the session lookup and outbound query construction.
     *
     * @param httpServletRequest  the (possibly parameter-augmented) incoming request
     * @param httpServletResponse response to attach to the context for handlers
     * @return the initialised context; never null
     * @throws FrameworkException propagated from {@link #getCallerPath}
     */
    protected AuthenticationContext initializeFlow(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws FrameworkException {
        if (log.isDebugEnabled()) {
            log.debug("Initializing the flow");
        }
        String parameter = httpServletRequest.getParameter("sessionDataKey");
        String callerPath = getCallerPath(httpServletRequest);
        String parameter2 = httpServletRequest.getParameter("type");
        String parameter3 = httpServletRequest.getParameter(FrameworkConstants.RequestParams.ISSUER);
        String tenantDomain = getTenantDomain(httpServletRequest);
        String parameter4 = httpServletRequest.getParameter(FrameworkConstants.RequestParams.LOGIN_TENANT_DOMAIN);
        String parameter5 = httpServletRequest.getParameter(FrameworkConstants.RequestParams.USER_TENANT_DOMAIN_HINT);
        AuthenticationContext authenticationContext = new AuthenticationContext();
        authenticationContext.setCallerSessionKey(parameter);
        authenticationContext.setRequestType(parameter2);
        authenticationContext.setRelyingParty(parameter3);
        authenticationContext.setTenantDomain(tenantDomain);
        authenticationContext.setLoginTenantDomain(parameter4);
        authenticationContext.setUserTenantDomainHint(parameter5);
        if (IdentityTenantUtil.isTenantedSessionsEnabled()) {
            // NOTE(review): loginTenantDomain comes straight from a request parameter and is spliced
            // into callerPath here; confirm it is validated (e.g. against known tenants) before the
            // path is used as a redirect target.
            String loginTenantDomain = authenticationContext.getLoginTenantDomain();
            if (!callerPath.startsWith(FrameworkConstants.TENANT_CONTEXT_PREFIX + loginTenantDomain + FrameworkUtils.ROOT_DOMAIN)) {
                callerPath = FrameworkConstants.TENANT_CONTEXT_PREFIX + loginTenantDomain + callerPath;
            }
        }
        authenticationContext.setCallerPath(callerPath);
        // The context id is the handle later requests use to resume this flow.
        // NOTE(review): confirm UUIDGenerator is backed by a cryptographically strong source.
        String generateUUID = UUIDGenerator.generateUUID();
        authenticationContext.setContextIdentifier(generateUUID);
        if (log.isDebugEnabled()) {
            log.debug("Framework contextId: " + generateUUID);
        }
        if (httpServletRequest.getParameter("commonAuthLogout") != null) {
            if (log.isDebugEnabled()) {
                log.debug("Starting a logout flow");
            }
            authenticationContext.setLogoutRequest(true);
            if (authenticationContext.getRelyingParty() == null || authenticationContext.getRelyingParty().trim().length() == 0) {
                if (log.isDebugEnabled()) {
                    log.debug("relyingParty param is null. This is a possible logout scenario.");
                }
                // Only a digest of the cookie value is kept on the context, never the raw value;
                // without the cookie the client-supplied SESSION_ID parameter is used instead.
                Cookie authCookie = FrameworkUtils.getAuthCookie(httpServletRequest);
                authenticationContext.setSessionIdentifier(authCookie != null ? DigestUtils.sha256Hex(authCookie.getValue()) : httpServletRequest.getParameter(FrameworkConstants.AnalyticsAttributes.SESSION_ID));
                return authenticationContext;
            }
        } else if (log.isDebugEnabled()) {
            log.debug("Starting an authentication flow");
        }
        // Requested claims arrive as a request attribute set upstream, not as a client parameter.
        authenticationContext.setProperty(FrameworkConstants.SP_REQUESTED_CLAIMS_IN_REQUEST, (List) httpServletRequest.getAttribute(REQUESTED_ATTRIBUTES));
        associateTransientRequestData(httpServletRequest, httpServletResponse, authenticationContext);
        findPreviousAuthenticatedSession(httpServletRequest, authenticationContext);
        buildOutboundQueryString(httpServletRequest, authenticationContext);
        return authenticationContext;
    }

    /**
     * Returns the ACR values attached to the request under {@code ACR_VALUES_ATTRIBUTE}.
     *
     * @param httpServletRequest the request carrying the attribute
     * @return the attribute's list, or an empty list when the attribute is absent; never {@code null}
     */
    private List<String> getAcrRequested(HttpServletRequest httpServletRequest) {
        @SuppressWarnings("unchecked") // attribute is stored untyped; callers treat it as a String list
        List<String> acrValues = (List<String>) httpServletRequest.getAttribute(ACR_VALUES_ATTRIBUTE);
        return acrValues == null ? Collections.<String>emptyList() : acrValues;
    }

    /**
     * Reads and URL-decodes the caller path request parameter.
     *
     * @param httpServletRequest the request carrying {@code RequestParams.CALLER_PATH}
     * @return the decoded caller path, or {@code null} when the parameter is absent
     * @throws FrameworkException if the UTF-8 charset is unavailable for decoding
     */
    private String getCallerPath(HttpServletRequest httpServletRequest) throws FrameworkException {
        String encodedPath = httpServletRequest.getParameter(FrameworkConstants.RequestParams.CALLER_PATH);
        if (encodedPath == null) {
            return null;
        }
        try {
            return URLDecoder.decode(encodedPath, FrameworkUtils.UTF_8);
        } catch (UnsupportedEncodingException e) {
            throw new FrameworkException(e.getMessage(), e);
        }
    }

    /**
     * Resolves the tenant domain for the request.
     * <p>
     * Resolution order: the thread-local context (only when tenant-qualified URLs are enabled), then
     * the {@code tenantDomain} request parameter. If neither yields a usable value (null, empty or the
     * literal string {@code "null"}), the {@code RequestParams.TENANT_ID} parameter is consulted: absent
     * or {@code -1234} maps to {@code carbon.super}, any other value is looked up through the tenant
     * manager. When that lookup returns no tenant the unusable value from the earlier steps is returned.
     *
     * @param httpServletRequest the request supplying the fallback parameters
     * @return the resolved tenant domain
     * @throws FrameworkException if the tenant id is not an integer or the tenant lookup fails
     */
    private String getTenantDomain(HttpServletRequest httpServletRequest) throws FrameworkException {
        String tenantDomain = getTenantDomainFromContext();
        if (StringUtils.isBlank(tenantDomain)) {
            tenantDomain = httpServletRequest.getParameter("tenantDomain");
            if (log.isDebugEnabled()) {
                log.debug("Tenant domain resolved from request parameter: " + tenantDomain);
            }
        } else if (log.isDebugEnabled()) {
            log.debug("Tenant domain resolved from the thread local context: " + tenantDomain);
        }

        boolean unusable = tenantDomain == null || tenantDomain.isEmpty() || "null".equals(tenantDomain);
        if (!unusable) {
            return tenantDomain;
        }

        String tenantId = httpServletRequest.getParameter(FrameworkConstants.RequestParams.TENANT_ID);
        if (tenantId == null || "-1234".equals(tenantId)) {
            return "carbon.super";
        }
        try {
            Tenant tenant = FrameworkServiceComponent.getRealmService().getTenantManager().getTenant(Integer.parseInt(tenantId));
            if (tenant != null) {
                tenantDomain = tenant.getDomain();
            }
        } catch (Exception e) {
            // parseInt failures and tenant-manager errors are both surfaced as FrameworkException
            throw new FrameworkException(e.getMessage(), e);
        }
        return tenantDomain;
    }

    /**
     * Returns the tenant domain from the thread-local context, but only when tenant-qualified URLs are
     * enabled; otherwise {@code null} so the caller falls back to request parameters.
     *
     * @return the context tenant domain or {@code null}
     */
    private String getTenantDomainFromContext() {
        return IdentityTenantUtil.isTenantQualifiedUrlsEnabled()
                ? IdentityTenantUtil.getTenantDomainFromContext()
                : null;
    }

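    /**
     * Looks up an existing session for the request and, when found, reuses its authenticated sequence.
     * <p>
     * Requested ACR values are recorded on the context and the sequence config. If the auth cookie is
     * present, its SHA-256 hex is used as the session context cache key; the cache lookup runs inside a
     * tenant flow that is always ended exactly once. A previously authenticated sequence for the same
     * application is copied onto the new sequence config; its user is only accepted as the subject when
     * {@link #isUserAllowedToLogin} passes, otherwise the cached session context is removed.
     * <p>
     * Fixes versus the previous version: the tenant flow was ended a second time when anything after
     * the cache lookup threw (the catch-all re-ended it), and the raw auth cookie value was written to
     * the debug log; only its presence is logged now.
     *
     * @param httpServletRequest    the incoming request (ACR attribute, parameters, auth cookie)
     * @param authenticationContext the context being initialised
     * @throws FrameworkException if the sequence config cannot be built or the application config
     *                            cannot be refreshed
     */
    protected void findPreviousAuthenticatedSession(HttpServletRequest httpServletRequest, AuthenticationContext authenticationContext) throws FrameworkException {
        List<String> acrRequested = getAcrRequested(httpServletRequest);
        if (acrRequested != null) {
            for (String acr : acrRequested) {
                authenticationContext.addRequestedAcr(acr);
            }
        }
        SequenceConfig sequenceConfig = getSequenceConfig(authenticationContext, httpServletRequest.getParameterMap());
        if (acrRequested != null) {
            for (String acr : acrRequested) {
                sequenceConfig.addRequestedAcr(acr);
            }
        }

        Cookie authCookie = FrameworkUtils.getAuthCookie(httpServletRequest);
        if (authCookie != null) {
            if (log.isDebugEnabled()) {
                // the cookie value is a session credential; never log it
                log.debug("commonAuthId cookie is available.");
            }
            String sessionContextKey = DigestUtils.sha256Hex(authCookie.getValue());
            SessionContext sessionContext;
            try {
                FrameworkUtils.startTenantFlow(authenticationContext.getTenantDomain());
                sessionContext = FrameworkUtils.getSessionContextFromCache(httpServletRequest, authenticationContext, sessionContextKey);
            } finally {
                // end exactly once, whether or not the lookup threw
                FrameworkUtils.endTenantFlow();
            }

            if (sessionContext != null) {
                authenticationContext.setSessionIdentifier(sessionContextKey);
                String applicationName = sequenceConfig.getApplicationConfig().getApplicationName();
                if (log.isDebugEnabled()) {
                    log.debug("Service Provider is: " + applicationName);
                }
                SequenceConfig previousSequence = sessionContext.getAuthenticatedSequences().get(applicationName);
                if (previousSequence != null) {
                    if (log.isDebugEnabled()) {
                        log.debug("A previously authenticated sequence found for the SP: " + applicationName);
                    }
                    authenticationContext.setPreviousSessionFound(true);
                    // copy mutable collections so later changes do not leak back into the cached sequence
                    sequenceConfig.setStepMap(new HashMap(previousSequence.getStepMap()));
                    sequenceConfig.setReqPathAuthenticators(new ArrayList(previousSequence.getReqPathAuthenticators()));
                    sequenceConfig.setAuthenticatedUser(previousSequence.getAuthenticatedUser());
                    sequenceConfig.setAuthenticatedIdPs(previousSequence.getAuthenticatedIdPs());
                    sequenceConfig.setAuthenticatedReqPathAuthenticator(previousSequence.getAuthenticatedReqPathAuthenticator());

                    AuthenticatedUser authenticatedUser = previousSequence.getAuthenticatedUser();
                    if (authenticatedUser != null) {
                        if (isUserAllowedToLogin(authenticatedUser)) {
                            authenticationContext.setSubject(authenticatedUser);
                            if (log.isDebugEnabled()) {
                                log.debug("Already authenticated by username: " + authenticatedUser.getAuthenticatedSubjectIdentifier());
                            }
                            String userTenantDomain = authenticatedUser.getTenantDomain();
                            if (userTenantDomain != null) {
                                authenticationContext.setProperty(FrameworkConstants.USER_TENANT_DOMAIN, userTenantDomain);
                                if (log.isDebugEnabled()) {
                                    log.debug("Authenticated user tenant domain: " + userTenantDomain);
                                }
                            }
                        } else {
                            if (log.isDebugEnabled()) {
                                log.debug(String.format("User %s is not allowed to authenticate from previous session.", authenticatedUser.toString()));
                            }
                            // a disabled, locked or missing user must not ride on the cached session
                            authenticationContext.setPreviousSessionFound(false);
                            FrameworkUtils.removeSessionContextFromCache(sessionContextKey);
                            sessionContext.setAuthenticatedIdPs(new HashMap());
                        }
                    }
                    refreshAppConfig(sequenceConfig, httpServletRequest.getParameter(FrameworkConstants.RequestParams.ISSUER), authenticationContext.getRequestType(), authenticationContext.getTenantDomain());
                    authenticationContext.setAuthenticatedIdPsOfApp(sessionContext.getAuthenticatedIdPsOfApp(applicationName));
                }
                authenticationContext.setPreviousAuthenticatedIdPs(sessionContext.getAuthenticatedIdPs());
                authenticationContext.setProperty(FrameworkConstants.RUNTIME_CLAIMS, sessionContext.getProperty(FrameworkConstants.RUNTIME_CLAIMS));
            } else if (log.isDebugEnabled()) {
                log.debug("Failed to find the SessionContext from the cache. Possible cache timeout.");
            }
        }

        authenticationContext.setServiceProviderName(sequenceConfig.getApplicationConfig().getApplicationName());
        authenticationContext.setSequenceConfig(sequenceConfig);
    }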

    /**
     * Decides whether the requested ACR values differ from those already on the sequence config.
     * <p>
     * Only {@code sequenceConfig} and the request's ACR attribute take part in the decision; the other
     * two parameters are accepted for signature compatibility and are not read.
     *
     * @param sequenceConfig        the sequence whose requested ACR list is compared
     * @param sequenceConfig2       unused
     * @param httpServletRequest    the request carrying the ACR attribute
     * @param authenticationContext unused
     * @return {@code true} when ACR values were requested and they differ from the sequence's list
     */
    private boolean isReinitialize(SequenceConfig sequenceConfig, SequenceConfig sequenceConfig2, HttpServletRequest httpServletRequest, AuthenticationContext authenticationContext) {
        List<String> acrRequested = getAcrRequested(httpServletRequest);
        if (acrRequested == null || acrRequested.isEmpty()) {
            return false;
        }
        return isDifferent(acrRequested, sequenceConfig.getRequestedAcr());
    }

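    /**
     * Compares two ACR lists element by element, in order.
     * <p>
     * Uses {@link List#equals(Object)}, which is null-safe per element; the previous index loop threw
     * {@code NullPointerException} when {@code list} contained a {@code null} entry.
     *
     * @param list  the requested values; must not be {@code null}
     * @param list2 the values already on the sequence; may be {@code null}
     * @return {@code true} when {@code list2} is {@code null}, differs in size, or differs in any position
     */
    private boolean isDifferent(List<String> list, List<String> list2) {
        if (list2 == null) {
            return true;
        }
        return !list.equals(list2);
    }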

    /**
     * Assembles the query string carried through the authentication flow and stores it on the context
     * (both as the context-id-included params and as the original request params).
     * <p>
     * Starts from the configured pass-through parameters, then appends {@code sessionDataKey},
     * {@code relyingParty} (URL-encoded), {@code type} (not encoded), the SP name parameter (URL-encoded)
     * and {@code isSaaSApp}.
     *
     * @param httpServletRequest    the request whose configured parameters are carried over
     * @param authenticationContext the context supplying the values and receiving the result
     * @throws FrameworkException if the UTF-8 charset is unavailable for encoding
     */
    private void buildOutboundQueryString(HttpServletRequest httpServletRequest, AuthenticationContext authenticationContext) throws FrameworkException {
        StringBuilder query = new StringBuilder();
        query.append(FrameworkUtils.getQueryStringWithConfiguredParams(httpServletRequest));
        if (query.length() > 0) {
            query.append(FrameworkUtils.QUERY_SEPARATOR);
        }
        try {
            String encodedRelyingParty = URLEncoder.encode(authenticationContext.getRelyingParty(), FrameworkUtils.UTF_8);
            String encodedSpName = URLEncoder.encode(authenticationContext.getServiceProviderName(), FrameworkUtils.UTF_8);

            query.append("sessionDataKey=").append(authenticationContext.getContextIdentifier());
            query.append("&relyingParty=").append(encodedRelyingParty);
            query.append("&type=").append(authenticationContext.getRequestType());
            query.append(FrameworkUtils.QUERY_SEPARATOR).append(FrameworkConstants.REQUEST_PARAM_SP).append("=").append(encodedSpName);
            query.append("&isSaaSApp=").append(authenticationContext.getSequenceConfig().getApplicationConfig().isSaaSApp());

            String outbound = query.toString();
            if (log.isDebugEnabled()) {
                log.debug("Outbound Query String: " + outbound);
            }
            authenticationContext.setContextIdIncludedQueryParams(outbound);
            authenticationContext.setOrignalRequestQueryParams(outbound);
        } catch (UnsupportedEncodingException e) {
            throw new FrameworkException("Error while URL Encoding", e);
        }
    }

    /**
     * Replaces the sequence's application config with a freshly loaded one for the service provider.
     *
     * @param sequenceConfig the sequence whose application config is replaced
     * @param str            the issuer / relying party passed to {@code getServiceProvider}
     * @param str2           the request type passed to {@code getServiceProvider}
     * @param str3           the tenant domain passed to {@code getServiceProvider}
     * @throws FrameworkException if the service provider cannot be loaded (wrapped with the application id)
     */
    private void refreshAppConfig(SequenceConfig sequenceConfig, String str, String str2, String str3) throws FrameworkException {
        String applicationId = sequenceConfig.getApplicationId();
        try {
            ServiceProvider serviceProvider = getServiceProvider(str2, str, str3);
            sequenceConfig.setApplicationConfig(new ApplicationConfig(serviceProvider));
            if (log.isDebugEnabled()) {
                log.debug("Refresh application config in sequence config for application id: " + applicationId + " in tenant: " + str3);
            }
        } catch (FrameworkException e) {
            throw new FrameworkException("No application found for application id: " + applicationId + " in tenant: " + str3 + " Probably, the Service Provider would have been removed.", e);
        }
    }

    /**
     * Records failure analytics on the context and forwards the failure to the data publisher proxy.
     * <p>
     * The authentication duration is only computed when a {@code Long} start time was recorded.
     * Nothing is published when no proxy is registered or it is disabled for this context.
     *
     * @param httpServletRequest    the request being processed
     * @param authenticationContext the context receiving the analytics data
     * @param authenticatedUser     the user placed under the USER analytics attribute; may be {@code null}
     * @param str                   the error code stored as AUTHENTICATION_ERROR_CODE
     */
    private void publishAuthenticationFailure(HttpServletRequest httpServletRequest, AuthenticationContext authenticationContext, AuthenticatedUser authenticatedUser, String str) {
        Serializable startTime = authenticationContext.getAnalyticsData(FrameworkConstants.AnalyticsData.AUTHENTICATION_START_TIME);
        if (startTime instanceof Long) {
            long elapsedMillis = System.currentTimeMillis() - ((Long) startTime).longValue();
            authenticationContext.setAnalyticsData(FrameworkConstants.AnalyticsData.AUTHENTICATION_DURATION, Long.valueOf(elapsedMillis));
        }
        authenticationContext.setAnalyticsData(FrameworkConstants.AnalyticsData.AUTHENTICATION_ERROR_CODE, str);

        AuthenticationDataPublisher publisher = FrameworkServiceDataHolder.getInstance().getAuthnDataPublisherProxy();
        boolean publishingEnabled = publisher != null && publisher.isEnabled(authenticationContext);
        if (publishingEnabled) {
            Map<String, Object> params = new HashMap<>();
            params.put(FrameworkConstants.AnalyticsAttributes.USER, authenticatedUser);
            publisher.publishAuthenticationFailure(httpServletRequest, authenticationContext, Collections.unmodifiableMap(params));
        }
    }

    /**
     * Exposes the resolved service provider name and tenant domain as request attributes.
     *
     * @param request the request receiving the attributes
     * @param context the context supplying the values
     */
    private void setSPAttributeToRequest(HttpServletRequest request, AuthenticationContext context) {
        String serviceProviderName = context.getServiceProviderName();
        String tenantDomain = context.getTenantDomain();
        request.setAttribute(FrameworkConstants.REQUEST_PARAM_SP, serviceProviderName);
        request.setAttribute("tenantDomain", tenantDomain);
    }

    /**
     * Checks whether a user from a cached session may still be accepted as the subject.
     * <p>
     * Federated users are always accepted. Local users must exist in their tenant's user store and be
     * neither disabled nor locked. Any user-store or framework error is logged and treated as
     * "not allowed" (fail closed). The user store manager is cast to {@code AbstractUserStoreManager};
     * a store that is not one would fail that cast with an unchecked exception.
     *
     * @param authenticatedUser the user recorded on the previous sequence
     * @return {@code true} only when the user is allowed to continue on the cached session
     */
    private boolean isUserAllowedToLogin(AuthenticatedUser authenticatedUser) {
        if (authenticatedUser.isFederatedUser()) {
            return true;
        }
        try {
            int tenantId = IdentityTenantUtil.getTenantId(authenticatedUser.getTenantDomain());
            AbstractUserStoreManager userStoreManager = (AbstractUserStoreManager) FrameworkServiceComponent.getRealmService().getTenantUserRealm(tenantId).getUserStoreManager();
            if (!userStoreManager.isExistingUserWithID(authenticatedUser.getUserId())) {
                log.error("Trying to authenticate non existing user: " + authenticatedUser.getUserId());
                return false;
            }
            // disabled is checked first; a disabled account short-circuits the lock lookup
            return !isUserDisabled(userStoreManager, authenticatedUser) && !isUserLocked(userStoreManager, authenticatedUser);
        } catch (UserStoreException e) {
            log.error("Error while checking existence of user: " + authenticatedUser.getUserId(), e);
            return false;
        } catch (FrameworkException e) {
            log.error("Error while validating user: " + authenticatedUser.getUserId(), e);
            return false;
        }
    }

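    /**
     * Determines whether the user's account is currently locked.
     * <p>
     * Returns {@code false} when account locking is disabled for the tenant or the locked claim is not
     * {@code true}. A locked account with an unlock time in the past counts as unlocked; an unlock time
     * of {@code 0} (including an absent or unparsable claim) means locked until further notice.
     * <p>
     * Fix: {@code NumberUtils.isNumber} also accepts decimal, exponent, hex and type-suffixed forms that
     * {@code Long.parseLong} rejects, so a claim such as {@code "1.5"} previously escaped as an unchecked
     * {@code NumberFormatException}; such a value is now treated as no unlock time (stays locked).
     *
     * @param abstractUserStoreManager the user store holding the claims
     * @param authenticatedUser        the user whose claims are read
     * @return {@code true} when the account is locked and the lock has not expired
     * @throws FrameworkException if the resident IdP configuration or a claim cannot be read
     */
    private boolean isUserLocked(AbstractUserStoreManager abstractUserStoreManager, AuthenticatedUser authenticatedUser) throws FrameworkException {
        if (!isAccountLockingEnabled(authenticatedUser.getTenantDomain())) {
            return false;
        }
        String userId = authenticatedUser.getUserId();
        boolean locked = Boolean.parseBoolean(getClaimValue(userId, abstractUserStoreManager, FrameworkConstants.ACCOUNT_LOCKED_CLAIM_URI));
        if (!locked) {
            return false;
        }
        long unlockTime = parseUnlockTime(getClaimValue(userId, abstractUserStoreManager, FrameworkConstants.ACCOUNT_UNLOCK_TIME_CLAIM));
        // 0 means no expiry; otherwise the lock has lapsed once the unlock time is reached
        return unlockTime == 0 || System.currentTimeMillis() < unlockTime;
    }

    /**
     * Parses the unlock-time claim as epoch milliseconds.
     *
     * @param claimValue the raw claim value; may be {@code null}
     * @return the parsed value, or {@code 0} when the claim is absent or not a parsable long
     */
    private long parseUnlockTime(String claimValue) {
        if (!NumberUtils.isNumber(claimValue)) {
            return 0L;
        }
        try {
            return Long.parseLong(claimValue);
        } catch (NumberFormatException e) {
            // isNumber() is broader than parseLong(); fail closed by treating the value as "no expiry"
            if (log.isDebugEnabled()) {
                log.debug("Account unlock time claim is not a valid long value; treating the account as locked.", e);
            }
            return 0L;
        }
    }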

    /**
     * Determines whether the user's account is disabled.
     * <p>
     * Always {@code false} when account disabling is not enabled for the user's tenant; otherwise the
     * boolean value of the account-disabled claim.
     *
     * @param abstractUserStoreManager the user store holding the claim
     * @param authenticatedUser        the user whose claim is read
     * @return {@code true} when disabling is enabled and the claim is {@code true}
     * @throws FrameworkException if the resident IdP configuration or the claim cannot be read
     */
    private boolean isUserDisabled(AbstractUserStoreManager abstractUserStoreManager, AuthenticatedUser authenticatedUser) throws FrameworkException {
        if (!isAccountDisablingEnabled(authenticatedUser.getTenantDomain())) {
            return false;
        }
        String disabledClaim = getClaimValue(authenticatedUser.getUserId(), abstractUserStoreManager, FrameworkConstants.ACCOUNT_DISABLED_CLAIM_URI);
        return Boolean.parseBoolean(disabledClaim);
    }

    /**
     * Reads the resident IdP's account-lock handler flag for a tenant.
     *
     * @param str the tenant domain
     * @return {@code true} only when the property exists and its value parses as {@code true}
     * @throws FrameworkException if the resident IdP configuration cannot be read
     */
    private boolean isAccountLockingEnabled(String str) throws FrameworkException {
        Property lockHandlerProperty = FrameworkUtils.getResidentIdpConfiguration(FrameworkConstants.ResidentIdpPropertyName.ACCOUNT_LOCK_HANDLER_ENABLE_PROPERTY, str);
        if (lockHandlerProperty == null) {
            return false;
        }
        return Boolean.parseBoolean(lockHandlerProperty.getValue());
    }

    /**
     * Reads the resident IdP's account-disable handler flag for a tenant.
     *
     * @param str the tenant domain
     * @return {@code true} only when the property exists and its value parses as {@code true}
     * @throws FrameworkException if the resident IdP configuration cannot be read
     */
    private boolean isAccountDisablingEnabled(String str) throws FrameworkException {
        Property disableHandlerProperty = FrameworkUtils.getResidentIdpConfiguration(FrameworkConstants.ResidentIdpPropertyName.ACCOUNT_DISABLE_HANDLER_ENABLE_PROPERTY, str);
        if (disableHandlerProperty == null) {
            return false;
        }
        return Boolean.parseBoolean(disableHandlerProperty.getValue());
    }

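    /**
     * Reads a single claim value for a user from the user store.
     * <p>
     * Fix: the debug statement previously concatenated the claim value into the {@code String.format}
     * pattern, so a stored value containing {@code %} raised an unchecked format exception during
     * login. The value is now passed as a format argument.
     *
     * @param str                      the user id
     * @param abstractUserStoreManager the user store queried
     * @param str2                     the claim URI to read
     * @return the claim value, or {@code null} when the store returns none for that URI
     * @throws FrameworkException if the user store lookup fails
     */
    private String getClaimValue(String str, AbstractUserStoreManager abstractUserStoreManager, String str2) throws FrameworkException {
        try {
            Map userClaimValues = abstractUserStoreManager.getUserClaimValuesWithID(str, new String[]{str2}, FrameworkConstants.DEFAULT_SEQUENCE);
            String claimValue = (String) userClaimValues.get(str2);
            if (log.isDebugEnabled()) {
                // keep data out of the format pattern itself
                log.debug(String.format("%s claim value of user %s is set to: %s", str2, str, claimValue));
            }
            return claimValue;
        } catch (UserStoreException e) {
            throw new FrameworkException("Error occurred while retrieving claim: " + str2, e);
        }
    }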
}
