package org.keycloak.adapters.saml.profile;

import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyManagementException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import javax.xml.namespace.QName;
import org.jboss.logging.Logger;
import org.keycloak.adapters.saml.AbstractInitiateLogin;
import org.keycloak.adapters.saml.OnSessionCreated;
import org.keycloak.adapters.saml.SamlAuthenticationError;
import org.keycloak.adapters.saml.SamlDeployment;
import org.keycloak.adapters.saml.SamlPrincipal;
import org.keycloak.adapters.saml.SamlSession;
import org.keycloak.adapters.saml.SamlSessionStore;
import org.keycloak.adapters.saml.SamlUtil;
import org.keycloak.adapters.saml.profile.webbrowsersso.WebBrowserSsoAuthenticationHandler;
import org.keycloak.adapters.spi.AuthChallenge;
import org.keycloak.adapters.spi.AuthOutcome;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.common.VerificationException;
import org.keycloak.common.util.KeycloakUriBuilder;
import org.keycloak.common.util.MultivaluedHashMap;
import org.keycloak.dom.saml.v2.SAML2Object;
import org.keycloak.dom.saml.v2.assertion.AssertionType;
import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
import org.keycloak.dom.saml.v2.assertion.AttributeType;
import org.keycloak.dom.saml.v2.assertion.AuthnStatementType;
import org.keycloak.dom.saml.v2.assertion.NameIDType;
import org.keycloak.dom.saml.v2.assertion.SubjectType;
import org.keycloak.dom.saml.v2.protocol.ExtensionsType;
import org.keycloak.dom.saml.v2.protocol.LogoutRequestType;
import org.keycloak.dom.saml.v2.protocol.RequestAbstractType;
import org.keycloak.dom.saml.v2.protocol.ResponseType;
import org.keycloak.dom.saml.v2.protocol.StatusCodeType;
import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
import org.keycloak.dom.saml.v2.protocol.StatusType;
import org.keycloak.rotation.KeyLocator;
import org.keycloak.saml.BaseSAML2BindingBuilder;
import org.keycloak.saml.SAML2AuthnRequestBuilder;
import org.keycloak.saml.SAMLRequestParser;
import org.keycloak.saml.SignatureAlgorithm;
import org.keycloak.saml.common.constants.JBossSAMLConstants;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.saml.common.exceptions.ConfigurationException;
import org.keycloak.saml.common.exceptions.ProcessingException;
import org.keycloak.saml.common.util.Base64;
import org.keycloak.saml.common.util.DocumentUtil;
import org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature;
import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
import org.keycloak.saml.processing.core.saml.v2.util.AssertionUtil;
import org.keycloak.saml.processing.core.util.KeycloakKeySamlExtensionGenerator;
import org.keycloak.saml.processing.core.util.XMLEncryptionUtil;
import org.keycloak.saml.processing.web.util.PostBindingUtil;
import org.keycloak.saml.validators.ConditionsValidator;
import org.keycloak.saml.validators.DestinationValidator;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/* loaded from: input_file:org/keycloak/adapters/saml/profile/AbstractSamlAuthenticationHandler.class */
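/**
 * Shared implementation of the SAML adapter's authentication handling.
 *
 * <p>{@link #doHandle} routes one HTTP invocation to the matching path: an IdP-issued
 * {@code SAMLRequest} (only {@code LogoutRequest} is accepted), an IdP-issued
 * {@code SAMLResponse} (login or logout response), a fresh login when no session exists, or
 * pass-through for an already cached session. Message signatures (POST binding: XML signature
 * on the document; redirect binding: signature over the query string) and the assertion
 * signature are each verified only when the corresponding {@link SamlDeployment} flag asks for
 * it, and always against the IdP {@link KeyLocator} obtained from the deployment.</p>
 *
 * <p>The handler keeps per-invocation state in {@link #challenge}, so one instance must not be
 * shared across concurrent requests.</p>
 */
public abstract class AbstractSamlAuthenticationHandler implements SamlAuthenticationHandler {
    // Logger category is deliberately left as WebBrowserSsoAuthenticationHandler (as in the original)
    // so existing log configuration keeps working.
    protected static Logger log = Logger.getLogger(WebBrowserSsoAuthenticationHandler.class);
    protected final HttpFacade facade;
    protected final SamlSessionStore sessionStore;
    protected final SamlDeployment deployment;
    // Set on every failure path (and by initiateLogin()); exposed through getChallenge().
    protected AuthChallenge challenge;
    private final DestinationValidator destinationValidator = DestinationValidator.forProtocolMap((String[]) null);

    /**
     * @param httpFacade       request/response abstraction for the current invocation
     * @param samlDeployment   SP configuration, including IdP key locator and validation flags
     * @param samlSessionStore session state (login/logout in progress, saved account, redirect URI)
     */
    public AbstractSamlAuthenticationHandler(HttpFacade httpFacade, SamlDeployment samlDeployment, SamlSessionStore samlSessionStore) {
        this.facade = httpFacade;
        this.deployment = samlDeployment;
        this.sessionStore = samlSessionStore;
    }

    /**
     * Entry point for one HTTP invocation.
     *
     * <p>Order of precedence: a {@code SAMLRequest} parameter, then a {@code SAMLResponse}
     * parameter, then a login initiation when no session is logged in, otherwise the cached
     * session is used. Note that {@link #verifySSL()} is only consulted on the cached-session
     * path; the SAML request/response paths do not call it.</p>
     *
     * @param samlInvocationContext carrier of the SAMLRequest/SAMLResponse/RelayState parameters
     * @param onSessionCreated      callback invoked after a successful login creates a session
     * @return the outcome of the selected path
     */
    public AuthOutcome doHandle(SamlInvocationContext samlInvocationContext, OnSessionCreated onSessionCreated) {
        String samlRequest = samlInvocationContext.getSamlRequest();
        String samlResponse = samlInvocationContext.getSamlResponse();
        String relayState = samlInvocationContext.getRelayState();
        if (samlRequest != null) {
            return handleSamlRequest(samlRequest, relayState);
        }
        if (samlResponse != null) {
            return handleSamlResponse(samlResponse, relayState, onSessionCreated);
        }
        if (!this.sessionStore.isLoggedIn()) {
            return initiateLogin();
        }
        // An already-authenticated session is still refused when SSL is required but absent.
        if (verifySSL()) {
            return AuthOutcome.FAILED;
        }
        log.debug("AUTHENTICATED: was cached");
        return handleRequest();
    }

    /** Outcome for a request on an existing, verified session; subclasses may refine. */
    protected AuthOutcome handleRequest() {
        return AuthOutcome.AUTHENTICATED;
    }

    @Override // org.keycloak.adapters.saml.profile.SamlAuthenticationHandler
    public AuthChallenge getChallenge() {
        return this.challenge;
    }

    /**
     * Handles an IdP-issued {@code SAMLRequest}; only {@code LogoutRequest} is accepted.
     *
     * <p>Checks, in order: the document parses, it is a {@code LogoutRequest}, its
     * {@code Destination} matches the request URI, and (when the deployment's single logout
     * service asks for it) the message signature verifies. Any failure is logged and yields
     * {@link AuthOutcome#FAILED} without setting a challenge.</p>
     *
     * @param str  the raw {@code SAMLRequest} parameter value
     * @param str2 the {@code RelayState} parameter value, may be {@code null}
     * @return {@link AuthOutcome#FAILED} on any check failure, else the result of {@link #logoutRequest}
     */
    public AuthOutcome handleSamlRequest(String str, String str2) {
        boolean postBinding = isPostBinding();
        String uri = destinationUri(postBinding);
        SAMLDocumentHolder holder = postBinding
                ? SAMLRequestParser.parseRequestPostBinding(str)
                : SAMLRequestParser.parseRequestRedirectBinding(str);
        if (holder == null) {
            log.error("Error parsing SAML document");
            return AuthOutcome.FAILED;
        }
        SAML2Object samlObject = holder.getSamlObject();
        // Type check first so an unexpected message type cannot surface as a ClassCastException.
        if (!(samlObject instanceof LogoutRequestType)) {
            log.error("unknown SAML request type");
            return AuthOutcome.FAILED;
        }
        LogoutRequestType logoutRequest = (LogoutRequestType) samlObject;
        if (!this.destinationValidator.validate(uri, logoutRequest.getDestination())) {
            log.error("expected destination '" + uri + "' got '" + logoutRequest.getDestination() + "'");
            return AuthOutcome.FAILED;
        }
        if (this.deployment.getIDP().getSingleLogoutService().validateRequestSignature()) {
            try {
                validateSamlSignature(holder, postBinding, "SAMLRequest");
            } catch (VerificationException e) {
                log.error("Failed to verify saml request signature", e);
                return AuthOutcome.FAILED;
            }
        }
        return logoutRequest(logoutRequest, str2);
    }

    /**
     * Processes a verified IdP logout request.
     *
     * @param logoutRequestType the parsed (and, if configured, signature-checked) request
     * @param str               the {@code RelayState}, may be {@code null}
     */
    protected abstract AuthOutcome logoutRequest(LogoutRequestType logoutRequestType, String str);

    /**
     * Handles an IdP-issued {@code SAMLResponse}.
     *
     * <p>After parsing and destination matching the response is dispatched by type and session
     * state: a {@code Response} is a login response (message signature checked when
     * {@code validateResponseSignature()} is set on the SSO service, then {@link #handleLoginResponse});
     * any other status response during a logout goes to {@link #handleLogoutResponse} (signature
     * checked per the SLO service flag); a non-{@code Response} status during a login is either
     * the passive-mode {@code NoPassive} status ({@link AuthOutcome#NOT_AUTHENTICATED}) or an error
     * status ({@link AuthOutcome#FAILED} with a 403 challenge). In every dispatched branch the
     * session store's current action is reset to {@code NONE} on exit, including early returns.</p>
     *
     * @param str              the raw {@code SAMLResponse} parameter value
     * @param str2             the {@code RelayState} parameter value, may be {@code null}
     * @param onSessionCreated callback handed to {@link #handleLoginResponse}
     * @return the outcome of the selected branch; {@link AuthOutcome#NOT_ATTEMPTED} when no login
     *         or logout is in progress
     */
    public AuthOutcome handleSamlResponse(String str, String str2, OnSessionCreated onSessionCreated) {
        boolean postBinding = isPostBinding();
        String uri = destinationUri(postBinding);
        SAMLDocumentHolder holder = postBinding ? extractPostBindingResponse(str) : extractRedirectBindingResponse(str);
        if (holder == null) {
            log.error("Error parsing SAML document");
            this.challenge = forbiddenChallenge(new SamlAuthenticationError(SamlAuthenticationError.Reason.EXTRACTION_FAILURE));
            return AuthOutcome.FAILED;
        }
        SAML2Object samlObject = holder.getSamlObject();
        if (!(samlObject instanceof StatusResponseType)) {
            log.error("unknown SAML response type");
            return AuthOutcome.FAILED;
        }
        final StatusResponseType statusResponse = (StatusResponseType) samlObject;
        if (!this.destinationValidator.validate(uri, statusResponse.getDestination())) {
            log.error("Request URI '" + uri + "' does not match SAML request destination '" + statusResponse.getDestination() + "'");
            return AuthOutcome.FAILED;
        }
        if (statusResponse instanceof ResponseType) {
            try {
                if (this.deployment.getIDP().getSingleSignOnService().validateResponseSignature()) {
                    try {
                        validateSamlSignature(holder, postBinding, "SAMLResponse");
                    } catch (VerificationException e) {
                        log.error("Failed to verify saml response signature", e);
                        this.challenge = forbiddenChallenge(new SamlAuthenticationError(SamlAuthenticationError.Reason.INVALID_SIGNATURE, statusResponse));
                        return AuthOutcome.FAILED;
                    }
                }
                return handleLoginResponse(holder, postBinding, onSessionCreated);
            } finally {
                this.sessionStore.setCurrentAction(SamlSessionStore.CurrentAction.NONE);
            }
        }
        if (this.sessionStore.isLoggingOut()) {
            try {
                if (this.deployment.getIDP().getSingleLogoutService().validateResponseSignature()) {
                    try {
                        validateSamlSignature(holder, postBinding, "SAMLResponse");
                    } catch (VerificationException e) {
                        log.error("Failed to verify saml response signature", e);
                        return AuthOutcome.FAILED;
                    }
                }
                return handleLogoutResponse(holder, statusResponse, str2);
            } finally {
                this.sessionStore.setCurrentAction(SamlSessionStore.CurrentAction.NONE);
            }
        }
        if (!this.sessionStore.isLoggingIn()) {
            return AuthOutcome.NOT_ATTEMPTED;
        }
        try {
            StatusType status = statusResponse.getStatus();
            if (isNoPassiveStatus(status)) {
                log.debug("Not authenticated due passive mode Status found in SAML response: " + status.toString());
                return AuthOutcome.NOT_AUTHENTICATED;
            }
            this.challenge = forbiddenChallenge(new SamlAuthenticationError(SamlAuthenticationError.Reason.ERROR_STATUS, statusResponse));
            return AuthOutcome.FAILED;
        } finally {
            this.sessionStore.setCurrentAction(SamlSessionStore.CurrentAction.NONE);
        }
    }

    /** True unless the current request method is GET (redirect binding). */
    private boolean isPostBinding() {
        return !"GET".equalsIgnoreCase(this.facade.getRequest().getMethod());
    }

    /**
     * Request URI compared against the message's {@code Destination}. For the redirect binding
     * the query string (which carries the SAML parameters) is dropped; for POST the URI is used
     * as reported.
     */
    private String destinationUri(boolean postBinding) {
        String uri = this.facade.getRequest().getURI();
        if (postBinding) {
            return uri;
        }
        int queryStart = uri.indexOf('?');
        return queryStart > -1 ? uri.substring(0, queryStart) : uri;
    }

    /** Builds the challenge used on failure paths: records the error on the request and answers 403. */
    private static AuthChallenge forbiddenChallenge(final SamlAuthenticationError error) {
        return new AuthChallenge() {
            @Override
            public boolean challenge(HttpFacade httpFacade) {
                httpFacade.getRequest().setError(error);
                httpFacade.getResponse().sendError(403);
                return true;
            }

            @Override
            public int getResponseCode() {
                return 403;
            }
        };
    }

    /** True when the status is {@code Responder} with a nested {@code NoPassive} sub-code. */
    private boolean isNoPassiveStatus(StatusType status) {
        if (status == null) {
            return false;
        }
        StatusCodeType top = status.getStatusCode();
        return checkStatusCodeValue(top, JBossSAMLURIConstants.STATUS_RESPONDER.get())
                && checkStatusCodeValue(top.getStatusCode(), JBossSAMLURIConstants.STATUS_NO_PASSIVE.get());
    }

    /**
     * Verifies the message signature with the IdP's key locator, choosing the check by binding.
     *
     * @param sAMLDocumentHolder parsed message
     * @param z                  {@code true} for POST binding (XML signature on the document),
     *                           {@code false} for redirect binding (query-string signature)
     * @param str                name of the query parameter holding the message ({@code SAMLRequest}/{@code SAMLResponse})
     * @throws VerificationException when the signature is missing, malformed or does not verify
     */
    private void validateSamlSignature(SAMLDocumentHolder sAMLDocumentHolder, boolean z, String str) throws VerificationException {
        KeyLocator signatureValidationKeyLocator = this.deployment.getIDP().getSignatureValidationKeyLocator();
        if (z) {
            verifyPostBindingSignature(sAMLDocumentHolder.getSamlDocument(), signatureValidationKeyLocator);
        } else {
            verifyRedirectBindingSignature(str, signatureValidationKeyLocator, getMessageSigningKeyId(sAMLDocumentHolder.getSamlObject()));
        }
    }

    /**
     * Extracts the Keycloak key-id hint from the message's {@code Extensions}, if present.
     * The hint only selects which IdP key to try first; it never introduces a new key.
     *
     * @return the key id, or {@code null} when the message type has no extensions or none carries a hint
     */
    private String getMessageSigningKeyId(SAML2Object sAML2Object) {
        ExtensionsType extensions;
        if (sAML2Object instanceof RequestAbstractType) {
            extensions = ((RequestAbstractType) sAML2Object).getExtensions();
        } else if (sAML2Object instanceof StatusResponseType) {
            extensions = ((StatusResponseType) sAML2Object).getExtensions();
        } else {
            return null;
        }
        if (extensions == null) {
            return null;
        }
        for (Object extension : extensions.getAny()) {
            if (extension instanceof Element) {
                String keyId = KeycloakKeySamlExtensionGenerator.getMessageSigningKeyIdFromElement((Element) extension);
                if (keyId != null) {
                    return keyId;
                }
            }
        }
        return null;
    }

    /** Null-safe comparison of a status code's value against an expected URI string. */
    private boolean checkStatusCodeValue(StatusCodeType statusCodeType, String str) {
        if (statusCodeType == null || statusCodeType.getValue() == null) {
            return false;
        }
        return str.equals(statusCodeType.getValue().toString());
    }

    /**
     * Completes a login from an IdP {@code Response}.
     *
     * <p>Steps: require a {@code Success} status with at least one assertion; obtain (and, with the
     * deployment's decryption key, decrypt) the assertion; validate its conditions (clock skew,
     * audience = SP entity ID and response destination) and restart the login when they fail;
     * when {@code validateAssertionSignature()} is set, verify the assertion's own signature
     * against the IdP key locator; then build the principal (name from the subject NameID, or from
     * the configured principal attribute), roles (role attributes, optionally passed through the
     * role mappings provider) and session, and redirect to the URI saved in the session store if
     * one exists. Any exception while processing the assertion yields
     * {@link AuthOutcome#FAILED} with an {@code EXTRACTION_FAILURE} challenge.</p>
     *
     * @param sAMLDocumentHolder parsed response whose SAML object is a {@link ResponseType}
     * @param z                  {@code true} for POST binding (currently unused here)
     * @param onSessionCreated   callback invoked once the session is saved
     */
    protected AuthOutcome handleLoginResponse(SAMLDocumentHolder sAMLDocumentHolder, boolean z, OnSessionCreated onSessionCreated) {
        final ResponseType responseType = (ResponseType) sAMLDocumentHolder.getSamlObject();
        if (!isSuccessfulSamlResponse(responseType) || responseType.getAssertions() == null || responseType.getAssertions().isEmpty()) {
            this.challenge = forbiddenChallenge(new SamlAuthenticationError(SamlAuthenticationError.Reason.ERROR_STATUS, responseType));
            return AuthOutcome.FAILED;
        }
        try {
            AssertionType assertion = AssertionUtil.getAssertion(sAMLDocumentHolder, responseType, this.deployment.getDecryptionKey());
            if (!buildConditionsValidator(assertion, responseType).isValid()) {
                // Expired, not-yet-valid or wrong-audience assertion: start a new login instead of failing hard.
                return initiateLogin();
            }
            Element assertionElement = null;
            if (this.deployment.getIDP().getSingleSignOnService().validateAssertionSignature()) {
                try {
                    assertionElement = getAssertionFromResponse(sAMLDocumentHolder);
                    if (!AssertionUtil.isSignatureValid(assertionElement, this.deployment.getIDP().getSignatureValidationKeyLocator())) {
                        log.error("Failed to verify saml assertion signature");
                        this.challenge = forbiddenChallenge(new SamlAuthenticationError(SamlAuthenticationError.Reason.INVALID_SIGNATURE, responseType));
                        return AuthOutcome.FAILED;
                    }
                } catch (Exception e) {
                    log.error("Error processing validation of SAML assertion: " + e.getMessage());
                    this.challenge = forbiddenChallenge(new SamlAuthenticationError(SamlAuthenticationError.Reason.EXTRACTION_FAILURE));
                    return AuthOutcome.FAILED;
                }
            }

            SubjectType.STSubType subType = assertion.getSubject().getSubType();
            Object baseId = subType == null ? null : subType.getBaseID();
            NameIDType nameId = baseId instanceof NameIDType ? (NameIDType) baseId : null;
            String principalName = nameId == null ? null : nameId.getValue();

            Set<String> roles = new HashSet<String>();
            MultivaluedHashMap<String, String> attributes = new MultivaluedHashMap<String, String>();
            MultivaluedHashMap<String, String> friendlyAttributes = new MultivaluedHashMap<String, String>();
            AuthnStatementType authnStatement = null;
            for (Object statement : assertion.getStatements()) {
                if (statement instanceof AttributeStatementType) {
                    collectAttributes((AttributeStatementType) statement, roles, attributes, friendlyAttributes);
                } else if (authnStatement == null && statement instanceof AuthnStatementType) {
                    // First AuthnStatement wins, as in the original single-pass lookup.
                    authnStatement = (AuthnStatementType) statement;
                }
            }

            if (this.deployment.getPrincipalNamePolicy() == SamlDeployment.PrincipalNamePolicy.FROM_ATTRIBUTE
                    && this.deployment.getPrincipalAttributeName() != null) {
                String attributeName = this.deployment.getPrincipalAttributeName();
                String fromAttribute = attributes.getFirst(attributeName);
                if (fromAttribute == null) {
                    fromAttribute = friendlyAttributes.getFirst(attributeName);
                }
                if (fromAttribute != null) {
                    principalName = fromAttribute;
                }
            }
            if (this.deployment.getRoleMappingsProvider() != null) {
                roles = this.deployment.getRoleMappingsProvider().map(principalName, roles);
            }
            attributes.put("Roles", new ArrayList<String>(roles));

            URI nameIdFormat = nameId == null ? null : nameId.getFormat();
            String nameIdFormatValue = nameIdFormat == null
                    ? JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get()
                    : nameIdFormat.toString();
            if (this.deployment.isKeepDOMAssertion() && assertionElement == null) {
                assertionElement = getAssertionFromResponseNoException(sAMLDocumentHolder);
            }
            Document assertionDocument = this.deployment.isKeepDOMAssertion()
                    ? getAssertionDocumentFromElement(assertionElement)
                    : null;
            SamlPrincipal principal = new SamlPrincipal(assertion, assertionDocument, principalName, principalName,
                    nameIdFormatValue, attributes, friendlyAttributes);
            SamlSession samlSession = new SamlSession(principal, roles,
                    authnStatement == null ? null : authnStatement.getSessionIndex(),
                    authnStatement == null ? null : authnStatement.getSessionNotOnOrAfter());
            this.sessionStore.saveAccount(samlSession);
            onSessionCreated.onSessionCreated(samlSession);

            // The post-login redirect target comes from the session store (recorded when login
            // started), not from the incoming message.
            String redirectUri = this.sessionStore.getRedirectUri();
            if (redirectUri != null) {
                this.facade.getResponse().setHeader("Location", redirectUri);
                this.facade.getResponse().setStatus(302);
                this.facade.getResponse().end();
            } else {
                log.debug("IDP initiated invocation");
            }
            log.debug("AUTHENTICATED authn");
            return AuthOutcome.AUTHENTICATED;
        } catch (Exception e) {
            log.error("Error extracting SAML assertion: " + e.getMessage());
            this.challenge = forbiddenChallenge(new SamlAuthenticationError(SamlAuthenticationError.Reason.EXTRACTION_FAILURE));
            return AuthOutcome.FAILED;
        }
    }

    /**
     * Configures the conditions validator: allowed clock skew from the IdP config, and the SP
     * entity ID plus (when present) the response destination as accepted audiences.
     * A value that is not a valid URI is skipped (logged at debug) rather than aborting the login.
     */
    private ConditionsValidator buildConditionsValidator(AssertionType assertion, ResponseType responseType) {
        ConditionsValidator.Builder builder = new ConditionsValidator.Builder(assertion.getID(), assertion.getConditions(), this.destinationValidator);
        try {
            builder.clockSkewInMillis(this.deployment.getIDP().getAllowedClockSkew());
            builder.addAllowedAudience(new URI[]{URI.create(this.deployment.getEntityID())});
            if (responseType.getDestination() != null) {
                builder.addAllowedAudience(new URI[]{URI.create(responseType.getDestination())});
            }
        } catch (IllegalArgumentException e) {
            log.debugf(e, "Skipping allowed audience that is not a valid URI");
        }
        return builder.build();
    }

    /**
     * Sorts the attributes of one statement into roles (attributes whose name or friendly name is
     * configured as a role attribute) or plain attributes keyed by name and by friendly name.
     */
    private void collectAttributes(AttributeStatementType statement, Set<String> roles,
            MultivaluedHashMap<String, String> attributes, MultivaluedHashMap<String, String> friendlyAttributes) {
        for (Object choice : statement.getAttributes()) {
            AttributeType attribute = ((AttributeStatementType.ASTChoiceType) choice).getAttribute();
            if (attribute.getAttributeValue() == null) {
                continue;
            }
            boolean role = isRole(attribute);
            for (Object rawValue : attribute.getAttributeValue()) {
                String value = getAttributeValue(rawValue);
                if (role) {
                    log.debugv("Add role: {0}", value);
                    roles.add(value);
                } else {
                    if (attribute.getName() != null) {
                        attributes.add(attribute.getName(), value);
                    }
                    if (attribute.getFriendlyName() != null) {
                        friendlyAttributes.add(attribute.getFriendlyName(), value);
                    }
                }
            }
        }
    }

    /** True when the response carries a top-level {@code Success} status code. */
    private boolean isSuccessfulSamlResponse(ResponseType responseType) {
        return responseType != null
                && responseType.getStatus() != null
                && checkStatusCodeValue(responseType.getStatus().getStatusCode(), JBossSAMLURIConstants.STATUS_SUCCESS.get());
    }

    /**
     * Returns the assertion element of the response, decrypting an {@code EncryptedAssertion}
     * with the deployment's decryption key when that is what the response carries.
     */
    private Element getAssertionFromResponse(SAMLDocumentHolder sAMLDocumentHolder) throws ConfigurationException, ProcessingException {
        Element encrypted = DocumentUtil.getElement(sAMLDocumentHolder.getSamlDocument(), new QName(JBossSAMLConstants.ENCRYPTED_ASSERTION.get()));
        if (encrypted == null) {
            return DocumentUtil.getElement(sAMLDocumentHolder.getSamlDocument(), new QName(JBossSAMLConstants.ASSERTION.get()));
        }
        // Decrypt in a scratch document so the original response DOM is left untouched.
        Document scratch = DocumentUtil.createDocument();
        scratch.appendChild(scratch.importNode(encrypted, true));
        return XMLEncryptionUtil.decryptElementInDocument(scratch, this.deployment.getDecryptionKey());
    }

    /** Best-effort variant of {@link #getAssertionFromResponse}: logs and returns {@code null} on failure. */
    private Element getAssertionFromResponseNoException(SAMLDocumentHolder sAMLDocumentHolder) {
        try {
            return getAssertionFromResponse(sAMLDocumentHolder);
        } catch (ConfigurationException | ProcessingException e) {
            log.warn("Cannot obtain DOM assertion element", e);
            return null;
        }
    }

    /** Moves the element into a fresh document of its own; {@code null} in, or on failure, gives {@code null}. */
    private Document getAssertionDocumentFromElement(Element element) {
        if (element == null) {
            return null;
        }
        try {
            Document owner = DocumentUtil.createDocument();
            owner.adoptNode(element);
            owner.appendChild(element);
            return owner;
        } catch (ConfigurationException e) {
            log.warn("Cannot obtain DOM assertion document", e);
            return null;
        }
    }

    /**
     * Renders one {@code AttributeValue} as text: {@code ""} for {@code null} or an element with no
     * child node, the string itself, the first child's node value for a DOM node, the NameID value
     * for a {@link NameIDType}; {@code null} (with a warning) for any other type.
     */
    private String getAttributeValue(Object obj) {
        if (obj == null) {
            return "";
        }
        if (obj instanceof String) {
            return (String) obj;
        }
        if (obj instanceof Node) {
            Node first = ((Node) obj).getFirstChild();
            return first == null ? "" : first.getNodeValue();
        }
        if (obj instanceof NameIDType) {
            return ((NameIDType) obj).getValue();
        }
        log.warn("Unable to extract unknown SAML assertion attribute value type: " + obj.getClass().getName());
        return null;
    }

    /** True when the attribute's name or friendly name is one of the deployment's role attribute names. */
    protected boolean isRole(AttributeType attributeType) {
        String name = attributeType.getName();
        String friendlyName = attributeType.getFriendlyName();
        return (name != null && this.deployment.getRoleAttributeNames().contains(name))
                || (friendlyName != null && this.deployment.getRoleAttributeNames().contains(friendlyName));
    }

    /**
     * Completes an SP-initiated logout: the account is logged out only when a session is logged
     * in and the {@code RelayState} is the literal {@code "logout"} marker.
     */
    protected AuthOutcome handleLogoutResponse(SAMLDocumentHolder sAMLDocumentHolder, StatusResponseType statusResponseType, String str) {
        if (!this.sessionStore.isLoggedIn() || !"logout".equals(str)) {
            return AuthOutcome.NOT_ATTEMPTED;
        }
        this.sessionStore.logoutAccount();
        return AuthOutcome.LOGGED_OUT;
    }

    /** Parses a redirect-binding (deflated, base64) response; {@code null} when parsing fails. */
    protected SAMLDocumentHolder extractRedirectBindingResponse(String str) {
        return SAMLRequestParser.parseRequestRedirectBinding(str);
    }

    /** Parses a POST-binding (base64) response; {@code null} when parsing fails. */
    protected SAMLDocumentHolder extractPostBindingResponse(String str) {
        return SAMLRequestParser.parseResponseDocument(PostBindingUtil.base64Decode(str));
    }

    /** Installs the login challenge and reports that authentication has not been attempted yet. */
    protected AuthOutcome initiateLogin() {
        this.challenge = createChallenge();
        return AuthOutcome.NOT_ATTEMPTED;
    }

    /**
     * Creates the login challenge. Requests detected as bearer-only (see
     * {@link #isAutodetectedBearerOnly}) get a bare 401; otherwise an AuthnRequest is sent to the
     * IdP's SSO service with the configured binding.
     */
    protected AbstractInitiateLogin createChallenge() {
        return new AbstractInitiateLogin(this.deployment, this.sessionStore) { // from class: org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.8
            @Override // org.keycloak.adapters.saml.AbstractInitiateLogin
            protected void sendAuthnRequest(HttpFacade httpFacade, SAML2AuthnRequestBuilder sAML2AuthnRequestBuilder, BaseSAML2BindingBuilder baseSAML2BindingBuilder) throws ProcessingException, ConfigurationException, IOException {
                if (AbstractSamlAuthenticationHandler.this.isAutodetectedBearerOnly(httpFacade.getRequest())) {
                    httpFacade.getResponse().setStatus(401);
                    httpFacade.getResponse().end();
                } else {
                    SamlUtil.sendSaml(true, httpFacade, this.deployment.getIDP().getSingleSignOnService().getRequestBindingUrl(), baseSAML2BindingBuilder, sAML2AuthnRequestBuilder.toDocument(), this.deployment.getIDP().getSingleSignOnService().getRequestBinding());
                }
            }
        };
    }

    /**
     * @return {@code true} (after a warning) when the deployment requires SSL for the caller's
     *         remote address but the request is not secure; {@code false} otherwise
     */
    protected boolean verifySSL() {
        if (this.facade.getRequest().isSecure() || !this.deployment.getSslRequired().isRequired(this.facade.getRequest().getRemoteAddr())) {
            return false;
        }
        log.warn("SSL is required to authenticate");
        return true;
    }

    /**
     * Verifies the XML signature of a POST-binding document against the IdP key locator.
     *
     * @throws VerificationException when the signature does not verify or validation itself fails
     */
    public void verifyPostBindingSignature(Document document, KeyLocator keyLocator) throws VerificationException {
        boolean valid;
        try {
            valid = new SAML2Signature().validate(document, keyLocator);
        } catch (ProcessingException e) {
            throw new VerificationException("Error validating signature", e);
        }
        if (!valid) {
            throw new VerificationException("Invalid signature on document");
        }
    }

    /**
     * Verifies the redirect-binding signature carried in the {@code Signature} query parameter.
     *
     * <p>The signed string is rebuilt here from the decoded parameter values in binding order
     * (message, optional {@code RelayState}, {@code SigAlg}) via {@link KeycloakUriBuilder}, so
     * verification relies on that re-encoding matching what the IdP signed (NOTE(review): confirm
     * against the raw query string behaviour of the facade). {@code SigAlg} is read once and used
     * both in the signed string and to select the algorithm.</p>
     *
     * @param str        name of the parameter holding the message ({@code SAMLRequest}/{@code SAMLResponse})
     * @param keyLocator IdP keys
     * @param str2       key-id hint from the message extensions, may be {@code null}
     * @throws VerificationException when a required parameter is missing, the signature is
     *                               malformed, or it does not verify with any IdP key
     */
    private void verifyRedirectBindingSignature(String str, KeyLocator keyLocator, String str2) throws VerificationException {
        HttpFacade.Request request = this.facade.getRequest();
        String samlMessage = request.getQueryParamValue(str);
        String sigAlg = request.getQueryParamValue("SigAlg");
        String signature = request.getQueryParamValue("Signature");
        if (samlMessage == null) {
            throw new VerificationException("SAML Request was null");
        }
        if (sigAlg == null) {
            throw new VerificationException("SigAlg was null");
        }
        if (signature == null) {
            throw new VerificationException("Signature was null");
        }
        String relayState = request.getQueryParamValue("RelayState");
        KeycloakUriBuilder signedQuery = KeycloakUriBuilder.fromPath("/").queryParam(str, new Object[]{samlMessage});
        if (relayState != null) {
            signedQuery.queryParam("RelayState", new Object[]{relayState});
        }
        signedQuery.queryParam("SigAlg", new Object[]{sigAlg});
        String rawQuery = signedQuery.build(new Object[0]).getRawQuery();
        boolean valid;
        try {
            valid = validateRedirectBindingSignature(SignatureAlgorithm.getFromXmlMethod(sigAlg),
                    rawQuery.getBytes(StandardCharsets.UTF_8), Base64.decode(signature), keyLocator, str2);
        } catch (Exception e) {
            throw new VerificationException(e);
        }
        if (!valid) {
            throw new VerificationException("Invalid query param signature");
        }
    }

    /**
     * Tries the key the hint names; if the locator has no such key and is iterable, every key it
     * exposes is tried in turn. All candidates come from the IdP locator, so the hint only affects
     * ordering, never trust.
     *
     * @param str the key-id hint, may be {@code null}
     * @return {@code true} when some IdP key verifies the signature
     */
    private boolean validateRedirectBindingSignature(SignatureAlgorithm signatureAlgorithm, byte[] bArr, byte[] bArr2, KeyLocator keyLocator, String str) throws KeyManagementException, VerificationException {
        Key key = null;
        try {
            key = keyLocator.getKey(str);
        } catch (KeyManagementException e) {
            // No key under that id: fall through to trying every available key.
            log.debugf(e, "No key found for id %s", str);
        }
        if (key != null) {
            try {
                return validateRedirectBindingSignatureForKey(signatureAlgorithm, bArr, bArr2, key);
            } catch (SignatureException e) {
                log.debugf("Verification failed for key %s: %s", str, e);
                log.trace(e);
                return false;
            }
        }
        if (!(keyLocator instanceof Iterable)) {
            return false;
        }
        log.trace("Trying hard to validate XML signature using all available keys.");
        for (Object candidate : (Iterable<?>) keyLocator) {
            if (!(candidate instanceof Key)) {
                continue;
            }
            try {
                if (validateRedirectBindingSignatureForKey(signatureAlgorithm, bArr, bArr2, (Key) candidate)) {
                    return true;
                }
            } catch (SignatureException e) {
                log.debugf("Verification failed: %s", e);
            }
        }
        return false;
    }

    /**
     * Verifies {@code bArr2} as a signature over {@code bArr} with one public key.
     *
     * @return {@code false} for a {@code null} key, a key that is not a {@link PublicKey}, or a
     *         key the algorithm rejects; otherwise the verification result
     * @throws SignatureException when the signature bytes cannot be processed
     */
    private boolean validateRedirectBindingSignatureForKey(SignatureAlgorithm signatureAlgorithm, byte[] bArr, byte[] bArr2, Key key) throws SignatureException {
        if (key == null) {
            return false;
        }
        if (!(key instanceof PublicKey)) {
            log.warnf("Unusable key for signature validation: %s", key);
            return false;
        }
        Signature verifier = signatureAlgorithm.createSignature();
        try {
            verifier.initVerify((PublicKey) key);
            verifier.update(bArr);
            return verifier.verify(bArr2);
        } catch (InvalidKeyException e) {
            log.warnf(e, "Unusable key for signature validation: %s", key);
            return false;
        }
    }

    /**
     * Heuristic used when {@code isAutodetectBearerOnly()} is on: treat XMLHttpRequest, partial
     * JSF, SOAP, and any request whose {@code Accept} header does not admit HTML as bearer-only
     * (no login redirect). The supplied request is inspected; the handler's own request is used
     * only when {@code request} is {@code null}.
     */
    protected boolean isAutodetectedBearerOnly(HttpFacade.Request request) {
        if (!this.deployment.isAutodetectBearerOnly()) {
            return false;
        }
        HttpFacade.Request inspected = request != null ? request : this.facade.getRequest();
        String requestedWith = inspected.getHeader("X-Requested-With");
        if (requestedWith != null && requestedWith.equalsIgnoreCase("XMLHttpRequest")) {
            return true;
        }
        String facesRequest = inspected.getHeader("Faces-Request");
        if (facesRequest != null && facesRequest.startsWith("partial/")) {
            return true;
        }
        if (inspected.getHeader("SOAPAction") != null) {
            return true;
        }
        List<String> accept = inspected.getHeaders("Accept");
        if (accept == null) {
            accept = Collections.emptyList();
        }
        for (String acceptValue : accept) {
            if (acceptValue.contains("text/html") || acceptValue.contains("text/*") || acceptValue.contains("*/*")) {
                return false;
            }
        }
        return true;
    }
}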
