package org.wso2.appserver.webapp.security.saml;

import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Stream;
import net.shibboleth.utilities.java.support.codec.Base64Support;
import org.apache.catalina.connector.Request;
import org.apache.juli.logging.Log;
import org.joda.time.DateTime;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml.saml2.core.AuthnContextComparisonTypeEnumeration;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.opensaml.saml.saml2.core.Conditions;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.core.Extensions;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.LogoutResponse;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.NameIDPolicy;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.opensaml.saml.saml2.core.RequestedAuthnContext;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.SessionIndex;
import org.opensaml.saml.saml2.core.impl.AuthnContextClassRefBuilder;
import org.opensaml.saml.saml2.core.impl.AuthnRequestBuilder;
import org.opensaml.saml.saml2.core.impl.IssuerBuilder;
import org.opensaml.saml.saml2.core.impl.LogoutRequestBuilder;
import org.opensaml.saml.saml2.core.impl.NameIDBuilder;
import org.opensaml.saml.saml2.core.impl.NameIDPolicyBuilder;
import org.opensaml.saml.saml2.core.impl.RequestedAuthnContextBuilder;
import org.opensaml.saml.saml2.core.impl.SessionIndexBuilder;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.wso2.appserver.configuration.context.WebAppSingleSignOn;
import org.wso2.appserver.configuration.listeners.ServerConfigurationLoader;
import org.wso2.appserver.configuration.server.AppServerSingleSignOn;
import org.wso2.appserver.webapp.security.Constants;
import org.wso2.appserver.webapp.security.agent.SSOAgentSessionManager;
import org.wso2.appserver.webapp.security.bean.LoggedInSession;
import org.wso2.appserver.webapp.security.saml.signature.SSOX509Credential;
import org.wso2.appserver.webapp.security.saml.signature.SignatureValidator;
import org.wso2.appserver.webapp.security.saml.signature.X509CredentialImplementation;
import org.wso2.appserver.webapp.security.utils.DataHolder;
import org.wso2.appserver.webapp.security.utils.SSOUtils;
import org.wso2.appserver.webapp.security.utils.exception.SSOException;

/* loaded from: input_file:org/wso2/appserver/webapp/security/saml/SAML2SSOManager.class */
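/**
 * Builds SAML 2.0 authentication and single-logout (SLO) requests for one web application and
 * processes the SAML messages the identity provider (IdP) posts back.
 *
 * <p>Requests can be sent over the HTTP-POST binding (auto-submitting HTML form) or the
 * HTTP-Redirect binding (query string). When processing a sign-in {@code Response}, the issuer,
 * the assertion's validity window, its audience restriction and, where enabled, the XML
 * signatures are all checked <em>before</em> anything about the subject is written to the
 * HTTP session, so a failed validation never leaves a half-built login behind.
 *
 * <p>Not covered here: {@code InResponseTo} / {@code Destination} correlation of the response
 * with the originating request, and transport-level checks; callers must not rely on this class
 * for those.
 *
 * <p>Instances are not thread-safe: {@link #buildAuthnRequest(Request)} lazily fills in a missing
 * issuer id and consumer URL on the shared {@link WebAppSingleSignOn} configuration.
 */
public class SAML2SSOManager {

    /** Signature algorithm used for request signing (kept for IdP interoperability). */
    // NOTE(review): RSA-SHA1 is a legacy algorithm; prefer an RSA-SHA256 URI once the IdP accepts it.
    private static final String RSA_SHA1_SIGNATURE_ALGORITHM = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    private static final String SAML2_HTTP_REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";
    private static final String NAMEID_FORMAT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";
    private static final String NAMEID_FORMAT_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity";
    private static final String AUTHN_CONTEXT_PASSWORD_PROTECTED_TRANSPORT =
            "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport";
    private static final String STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder";
    private static final String STATUS_NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive";
    /** Query parameter carrying the request on the HTTP-Redirect binding. */
    private static final String SAML_REQUEST_QUERY_PARAM = "SAMLRequest";
    /** Request attribute that may carry a pre-built {@link Extensions} element. */
    private static final String EXTENSIONS_ATTRIBUTE = "Extensions";
    private static final String LOGOUT_REASON = "Single Logout";
    /** How long a LogoutRequest stays valid (NotOnOrAfter = IssueInstant + this). */
    private static final long LOGOUT_REQUEST_VALIDITY_MILLIS = 300_000L; // 5 minutes
    /** Tolerance applied to NotBefore/NotOnOrAfter when checking an assertion's validity window (constructed default). */
    private static final long CLOCK_SKEW_MILLIS = 180_000L; // 3 minutes

    private final AppServerSingleSignOn serverConfiguration =
            ServerConfigurationLoader.getServerConfiguration().getSingleSignOnConfiguration();
    private final WebAppSingleSignOn contextConfiguration;

    /**
     * Creates a manager for one web application, installs the configured signature validator and
     * bootstraps the SAML library.
     *
     * @param webAppSingleSignOn per-context SSO configuration; must not be {@code null}
     * @throws SSOException if the configured signature validator class cannot be instantiated
     */
    public SAML2SSOManager(WebAppSingleSignOn webAppSingleSignOn) throws SSOException {
        this.contextConfiguration = Objects.requireNonNull(webAppSingleSignOn, "webAppSingleSignOn");
        loadCustomSignatureValidatorClass();
        SSOUtils.doBootstrap();
    }

    /**
     * Instantiates the signature validator named in the server configuration (or the default
     * implementation) and publishes it through {@link DataHolder}. Does nothing when no server
     * configuration is available.
     *
     * @throws SSOException if the class cannot be found, is not instantiable or its constructor fails
     */
    private void loadCustomSignatureValidatorClass() throws SSOException {
        if (serverConfiguration == null) {
            return;
        }
        String className = Optional.ofNullable(serverConfiguration.getSignatureValidatorImplClass())
                .orElse(Constants.DEFAULT_SIGN_VALIDATOR_IMPL);
        try {
            // The class name is loaded reflectively from server configuration, so only
            // administrator-controlled configuration may set it.
            DataHolder.getInstance().setObject(Class.forName(className).getDeclaredConstructor().newInstance());
        } catch (ReflectiveOperationException e) {
            throw new SSOException("Error loading custom signature validator class", e);
        }
    }

    /**
     * Builds an AuthnRequest (signed when request signing is enabled) and renders it as an
     * auto-submitting HTML form for the HTTP-POST binding.
     *
     * @param request the incoming request being redirected to the IdP
     * @return the HTML page to send to the browser
     * @throws SSOException if signing or encoding fails
     */
    public String handleAuthenticationRequestForPOSTBinding(Request request) throws SSOException {
        RequestAbstractType authnRequest = buildAuthnRequest(request);
        if (contextConfiguration.isRequestSigningEnabled()) {
            authnRequest = signRequest(authnRequest);
        }
        return preparePOSTRequest(authnRequest);
    }

    /**
     * Builds an AuthnRequest and renders it as an IdP URL for the HTTP-Redirect binding.
     * The query-string signature, when enabled, is added by {@link #prepareRedirectRequest}.
     *
     * @param request the incoming request being redirected to the IdP
     * @return the redirect URL
     * @throws SSOException if signing or encoding fails
     */
    public String handleAuthenticationRequestForRedirectBinding(Request request) throws SSOException {
        return prepareRedirectRequest(buildAuthnRequest(request));
    }

    /**
     * Builds a LogoutRequest for the current SSO session (signed when request signing is enabled)
     * and renders it as an auto-submitting HTML form for the HTTP-POST binding.
     *
     * @param request the current request; its HTTP session must hold the logged-in session bean
     * @return the HTML page to send to the browser
     * @throws SSOException if there is no SSO session, or signing/encoding fails
     */
    public String handleLogoutRequestForPOSTBinding(Request request) throws SSOException {
        LoggedInSession loggedInSession = loggedInSession(request).orElseThrow(() -> new SSOException(
                "Single-logout (SLO) Request cannot be built, single-sign-on (SSO) session is null"));
        RequestAbstractType logoutRequest = buildLogoutRequest(
                loggedInSession.getSAML2SSO().getSubjectId(), loggedInSession.getSAML2SSO().getSessionIndex());
        if (contextConfiguration.isRequestSigningEnabled()) {
            logoutRequest = signRequest(logoutRequest);
        }
        return preparePOSTRequest(logoutRequest);
    }

    /**
     * Builds a LogoutRequest for the current SSO session and renders it as an IdP URL for the
     * HTTP-Redirect binding.
     *
     * @param request the current request; its HTTP session must hold the logged-in session bean
     * @return the redirect URL
     * @throws SSOException if there is no SSO session, or signing/encoding fails
     */
    public String handleLogoutRequestForRedirectBinding(Request request) throws SSOException {
        LoggedInSession loggedInSession = loggedInSession(request).orElseThrow(() -> new SSOException(
                "Single Logout Request can not be built, single-sign-on session is null"));
        return prepareRedirectRequest(buildLogoutRequest(
                loggedInSession.getSAML2SSO().getSubjectId(), loggedInSession.getSAML2SSO().getSessionIndex()));
    }

    /**
     * Looks up the logged-in session bean without creating an HTTP session.
     *
     * @return the bean, or empty when there is no HTTP session or the attribute is absent/of another type
     */
    private static Optional<LoggedInSession> loggedInSession(Request request) {
        return Optional.ofNullable(request.getSession(false))
                .map(session -> session.getAttribute(Constants.SESSION_BEAN))
                .filter(LoggedInSession.class::isInstance)
                .map(LoggedInSession.class::cast);
    }

    /**
     * Signs a request with the server's X.509 credential using {@link #RSA_SHA1_SIGNATURE_ALGORITHM}.
     *
     * @throws SSOException if signing fails
     */
    private static RequestAbstractType signRequest(RequestAbstractType samlRequest) throws SSOException {
        return SSOUtils.setSignature(samlRequest, RSA_SHA1_SIGNATURE_ALGORITHM,
                new X509CredentialImplementation(SSOX509Credential.getInstance()));
    }

    /**
     * Renders a request as an HTML page whose form posts it (plus any configured optional
     * parameters) to the IdP and submits itself via script.
     *
     * <p>Every value placed into the markup is HTML-escaped: the optional parameters come from
     * configuration and the IdP URL from server configuration, neither of which is guaranteed to
     * be attribute-safe. The SAML request is put into the form last so that a configured optional
     * parameter with the same name cannot replace it.
     *
     * @param samlRequest the request to send
     * @return the complete HTML page
     * @throws SSOException if the request cannot be encoded
     */
    private String preparePOSTRequest(RequestAbstractType samlRequest) throws SSOException {
        String encodedRequest = SSOUtils.encodeRequestMessage(samlRequest, Constants.SAML2_HTTP_POST_BINDING);

        Map<String, String[]> formFields = new LinkedHashMap<>();
        SSOUtils.getSplitQueryParameters(contextConfiguration.getOptionalParams()).forEach((key, values) -> {
            if (key != null && values != null && values.length > 0) {
                formFields.put(key, values);
            }
        });
        formFields.put(Constants.HTTP_POST_PARAM_SAML_REQUEST, new String[] {encodedRequest});

        StringBuilder hiddenInputs = new StringBuilder();
        formFields.forEach((key, values) -> {
            for (String value : values) {
                hiddenInputs.append("<input type='hidden' name='").append(escapeHtml(key))
                        .append("' value='").append(escapeHtml(value)).append("'>\n");
            }
        });

        String idpUrl = escapeHtml(serverConfiguration.getIdpURL());
        return "<html>\n<body>\n<p>You are now redirected back to " + idpUrl
                + " \nIf the redirection fails, please click the post button.</p>\n"
                + "<form method='post' action='" + idpUrl + "'>\n<p>\n" + hiddenInputs
                + "<button type='submit'>POST</button>\n</p>\n</form>\n"
                + "<script type='text/javascript'>\ndocument.forms[0].submit();\n</script>\n</body>\n</html>";
    }

    /**
     * Renders a request as an IdP URL for the HTTP-Redirect binding: the encoded request, any
     * configured optional parameters (URL-encoded, a parameter named {@code SAMLRequest} is
     * skipped so it cannot shadow the real one) and, when request signing is enabled, the
     * query-string signature appended last.
     *
     * @param samlRequest the request to send
     * @return the URL to redirect the browser to
     * @throws SSOException if the request cannot be encoded or signed
     */
    private String prepareRedirectRequest(RequestAbstractType samlRequest) throws SSOException {
        StringBuilder query = new StringBuilder(SAML_REQUEST_QUERY_PARAM).append('=')
                .append(SSOUtils.encodeRequestMessage(samlRequest, SAML2_HTTP_REDIRECT_BINDING));

        SSOUtils.getSplitQueryParameters(contextConfiguration.getOptionalParams()).forEach((key, values) -> {
            if (key == null || values == null || SAML_REQUEST_QUERY_PARAM.equals(key)) {
                return;
            }
            for (String value : values) {
                if (value != null) {
                    query.append('&').append(urlEncode(key)).append('=').append(urlEncode(value));
                }
            }
        });

        if (contextConfiguration.isRequestSigningEnabled()) {
            // Appended after all other parameters: on the HTTP-Redirect binding the signature is
            // computed over the query string that precedes it.
            SSOUtils.addDeflateSignatureToHTTPQueryString(query,
                    new X509CredentialImplementation(SSOX509Credential.getInstance()));
        }

        String idpUrl = serverConfiguration.getIdpURL();
        return idpUrl + (idpUrl.contains("?") ? "&" : "?") + query;
    }

    /**
     * Builds the AuthnRequest for this context. When the context configuration has no issuer id
     * or consumer URL yet, they are derived from the request and stored back on the configuration.
     *
     * @param request the incoming request; may carry force-/passive-auth flags and an
     *                {@code Extensions} attribute
     * @return the populated (unsigned) AuthnRequest
     */
    private AuthnRequest buildAuthnRequest(Request request) {
        if (contextConfiguration.getIssuerId() == null) {
            contextConfiguration.setIssuerId(
                    SSOUtils.generateIssuerID(request.getContextPath(), request.getHost().getAppBase()).orElse(""));
        }
        if (contextConfiguration.getConsumerURL() == null) {
            String acsBase = Optional.ofNullable(serverConfiguration.getACSBase())
                    .orElseGet(() -> SSOUtils.constructApplicationServerURL(request).orElse(""));
            String postfix = Optional.ofNullable(contextConfiguration.getConsumerURLPostfix())
                    .orElse(Constants.DEFAULT_CONSUMER_URL_POSTFIX);
            contextConfiguration.setConsumerURL(
                    SSOUtils.generateConsumerURL(request.getContextPath(), acsBase, postfix).orElse(""));
        }

        Issuer issuer = new IssuerBuilder().buildObject();
        issuer.setValue(contextConfiguration.getIssuerId());

        NameIDPolicy nameIdPolicy = new NameIDPolicyBuilder().buildObject();
        nameIdPolicy.setFormat(NAMEID_FORMAT_PERSISTENT);
        // NOTE(review): the literal "Issuer" is kept from the original; an SP entity id would be
        // expected here — confirm against the IdP configuration.
        nameIdPolicy.setSPNameQualifier("Issuer");
        nameIdPolicy.setAllowCreate(true);

        AuthnContextClassRef classRef = new AuthnContextClassRefBuilder().buildObject();
        classRef.setAuthnContextClassRef(AUTHN_CONTEXT_PASSWORD_PROTECTED_TRANSPORT);
        RequestedAuthnContext requestedAuthnContext = new RequestedAuthnContextBuilder().buildObject();
        requestedAuthnContext.setComparison(AuthnContextComparisonTypeEnumeration.EXACT);
        requestedAuthnContext.getAuthnContextClassRefs().add(classRef);

        AuthnRequest authnRequest = new AuthnRequestBuilder().buildObject();
        authnRequest.setID(SSOUtils.createID());
        authnRequest.setVersion(SAMLVersion.VERSION_20);
        authnRequest.setIssueInstant(new DateTime());
        authnRequest.setForceAuthn(booleanAttribute(request, Constants.IS_FORCE_AUTH_ENABLED));
        authnRequest.setIsPassive(booleanAttribute(request, Constants.IS_PASSIVE_AUTH_ENABLED));
        authnRequest.setProtocolBinding(contextConfiguration.getHttpBinding());
        authnRequest.setAssertionConsumerServiceURL(contextConfiguration.getConsumerURL());
        authnRequest.setIssuer(issuer);
        authnRequest.setNameIDPolicy(nameIdPolicy);
        authnRequest.setRequestedAuthnContext(requestedAuthnContext);
        authnRequest.setDestination(serverConfiguration.getIdpURL());

        Object extensions = request.getAttribute(EXTENSIONS_ATTRIBUTE);
        if (extensions instanceof Extensions) {
            authnRequest.setExtensions((Extensions) extensions);
        }
        return authnRequest;
    }

    /** Reads a boolean request attribute, treating a missing or non-Boolean value as {@code false}. */
    private static Boolean booleanAttribute(Request request, String name) {
        Object value = request.getAttribute(name);
        return value instanceof Boolean ? (Boolean) value : Boolean.FALSE;
    }

    /**
     * Builds a LogoutRequest for the given subject and IdP session index, valid for
     * {@link #LOGOUT_REQUEST_VALIDITY_MILLIS} from now.
     *
     * @param subjectId    the NameID value of the subject being logged out
     * @param sessionIndex the IdP session index recorded at sign-in
     * @return the populated (unsigned) LogoutRequest
     */
    private LogoutRequest buildLogoutRequest(String subjectId, String sessionIndex) {
        DateTime issueInstant = new DateTime();

        Issuer issuer = new IssuerBuilder().buildObject();
        issuer.setValue(contextConfiguration.getIssuerId());

        NameID nameId = new NameIDBuilder().buildObject();
        nameId.setFormat(NAMEID_FORMAT_ENTITY);
        nameId.setValue(subjectId);

        SessionIndex index = new SessionIndexBuilder().buildObject();
        index.setSessionIndex(sessionIndex);

        LogoutRequest logoutRequest = new LogoutRequestBuilder().buildObject();
        logoutRequest.setID(SSOUtils.createID());
        logoutRequest.setIssueInstant(issueInstant);
        logoutRequest.setDestination(serverConfiguration.getIdpURL());
        logoutRequest.setNotOnOrAfter(new DateTime(issueInstant.getMillis() + LOGOUT_REQUEST_VALIDITY_MILLIS));
        logoutRequest.setIssuer(issuer);
        logoutRequest.setNameID(nameId);
        logoutRequest.getSessionIndexes().add(index);
        logoutRequest.setReason(LOGOUT_REASON);
        return logoutRequest;
    }

    /**
     * Entry point for messages posted back by the IdP: decodes the {@code SAMLResponse} parameter
     * once and dispatches to single-logout or sign-in processing based on the message type.
     *
     * @param request the POST from the IdP
     * @throws SSOException if the parameter is missing, cannot be parsed, is of an unexpected
     *                      message type, or the sign-in/logout processing fails
     */
    public void processResponse(Request request) throws SSOException {
        String encodedResponse = request.getParameter(Constants.HTTP_POST_PARAM_SAML_RESPONSE);
        if (encodedResponse == null) {
            throw new SSOException("Invalid SAML 2.0 Response, SAML Response cannot be null");
        }
        String responseXml = decodeBase64(encodedResponse);
        // NOTE(review): SSOUtils.unmarshall is expected to use a hardened XML parser (no DTD /
        // external entities) since the input is attacker-controlled — not visible from here.
        Optional<XMLObject> parsed = SSOUtils.unmarshall(responseXml);
        XMLObject message = parsed.orElseThrow(
                () -> new SSOException("Invalid SAML 2.0 Response, SAML Response cannot be unmarshalled"));

        if (message instanceof LogoutResponse) {
            performSingleLogout(request, message);
        } else if (message instanceof Response) {
            processSingleSignInResponse(request, responseXml, (Response) message);
        } else {
            throw new SSOException("Invalid SAML 2.0 Response, unexpected message type: "
                    + message.getClass().getName());
        }
    }

    /** Base64-decodes a SAML message parameter into its XML text. */
    private static String decodeBase64(String encoded) {
        return new String(Base64Support.decode(encoded), StandardCharsets.UTF_8);
    }

    /**
     * Validates a sign-in Response and, on success, establishes the logged-in session.
     *
     * <p>Order matters: issuer, subject, validity window, audience and signature checks all run
     * before the {@link LoggedInSession} bean is stored, so a rejected response leaves no trace
     * in the HTTP session. A {@code NoPassive} status without an assertion is not an error.
     *
     * @param request     the POST from the IdP
     * @param responseXml the decoded response text (kept on the session bean)
     * @param response    the parsed response
     * @throws SSOException on any validation failure
     */
    private void processSingleSignInResponse(Request request, String responseXml, Response response)
            throws SSOException {
        Assertion assertion = extractAssertion(response);
        if (assertion == null) {
            if (!isNoPassive(response)) {
                throw new SSOException("SAML 2.0 Assertion not found in the Response");
            }
            Log logger = request.getHost().getLogger();
            if (logger.isDebugEnabled()) {
                logger.debug("Cannot authenticate in passive mode");
            }
            return;
        }

        validateIssuer(assertion);
        String subjectId = subjectNameId(assertion);
        validateConditions(assertion);
        validateSignature(response, assertion);

        boolean sloEnabled = contextConfiguration.isSLOEnabled();
        String sessionIndex = null;
        if (sloEnabled) {
            sessionIndex = assertion.getAuthnStatements().stream().findFirst()
                    .map(AuthnStatement::getSessionIndex).orElse(null);
            if (sessionIndex == null) {
                throw new SSOException("Single Logout is enabled but IdP Session ID not found in SAML 2.0 Assertion");
            }
        }

        LoggedInSession.SAML2SSO saml2SSO = new LoggedInSession.SAML2SSO();
        saml2SSO.setResponseString(responseXml);
        saml2SSO.setSAMLResponse(response);
        saml2SSO.setAssertion(assertion);
        saml2SSO.setSubjectId(subjectId);
        saml2SSO.setAssertionString(SSOUtils.marshall(assertion));
        saml2SSO.setSubjectAttributes(SSOUtils.getAssertionStatements(assertion));
        saml2SSO.setSessionIndex(sessionIndex);
        LoggedInSession loggedInSession = new LoggedInSession();
        loggedInSession.setSAML2SSO(saml2SSO);

        // NOTE(review): the existing HTTP session id is reused across the privilege change;
        // consider rotating it here if the session manager's bookkeeping allows it.
        request.getSession().setAttribute(Constants.SESSION_BEAN, loggedInSession);
        if (sloEnabled) {
            SSOAgentSessionManager.addAuthenticatedSession(request.getSession(false));
        }
    }

    /**
     * Returns the first assertion of the response: the decrypted first EncryptedAssertion when
     * assertion encryption is enabled (plaintext assertions are deliberately ignored in that
     * mode), otherwise the first plaintext assertion.
     *
     * @return the assertion, or {@code null} when the response carries none
     * @throws SSOException if decryption fails
     */
    private Assertion extractAssertion(Response response) throws SSOException {
        if (contextConfiguration.isAssertionEncryptionEnabled()) {
            List<EncryptedAssertion> encrypted = response.getEncryptedAssertions();
            if (encrypted == null || encrypted.isEmpty()) {
                return null;
            }
            try {
                return SSOUtils.decryptAssertion(SSOX509Credential.getInstance(), encrypted.get(0));
            } catch (Exception e) {
                // decryptAssertion's exception types are not visible here; keep the cause attached.
                throw new SSOException("Unable to decrypt the SAML 2.0 Assertion", e);
            }
        }
        List<Assertion> assertions = response.getAssertions();
        return (assertions == null || assertions.isEmpty()) ? null : assertions.get(0);
    }

    /**
     * Checks that the assertion names an issuer and that it equals the configured IdP entity id.
     *
     * @throws SSOException if the issuer is absent, empty or does not match
     */
    private void validateIssuer(Assertion assertion) throws SSOException {
        Issuer issuer = assertion.getIssuer();
        String issuerValue = issuer == null ? null : issuer.getValue();
        if (issuerValue == null || issuerValue.isEmpty()) {
            throw new SSOException("SAML 2.0 Response does not contain an Issuer value");
        }
        if (!issuerValue.equals(serverConfiguration.getIdpEntityId())) {
            throw new SSOException("SAML 2.0 Response Issuer verification failed");
        }
    }

    /**
     * Returns the subject's NameID value.
     *
     * @throws SSOException if the assertion has no subject or the subject has no NameID value
     */
    private static String subjectNameId(Assertion assertion) throws SSOException {
        String subjectId = null;
        if (assertion.getSubject() != null && assertion.getSubject().getNameID() != null) {
            subjectId = assertion.getSubject().getNameID().getValue();
        }
        if (subjectId == null) {
            throw new SSOException("SAML 2.0 Response does not contain the name of the subject");
        }
        return subjectId;
    }

    /**
     * Validates the assertion's Conditions: the NotBefore/NotOnOrAfter window (with
     * {@link #CLOCK_SKEW_MILLIS} tolerance) and the audience restriction.
     *
     * @throws SSOException if Conditions are missing, the assertion is outside its validity
     *                      window, or the audience restriction is not satisfied
     */
    private void validateConditions(Assertion assertion) throws SSOException {
        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            throw new SSOException("SAML 2.0 Response doesn't contain Conditions");
        }
        long now = System.currentTimeMillis();
        DateTime notBefore = conditions.getNotBefore();
        if (notBefore != null && notBefore.getMillis() - CLOCK_SKEW_MILLIS > now) {
            throw new SSOException("SAML 2.0 Assertion is not yet valid (NotBefore is in the future)");
        }
        DateTime notOnOrAfter = conditions.getNotOnOrAfter();
        if (notOnOrAfter != null && notOnOrAfter.getMillis() + CLOCK_SKEW_MILLIS <= now) {
            throw new SSOException("SAML 2.0 Assertion has expired (NotOnOrAfter has passed)");
        }
        validateAudienceRestriction(assertion);
    }

    /**
     * Checks that this SP's issuer id is an audience of <em>every</em> AudienceRestriction
     * (SAML 2.0 Core: multiple AudienceRestriction elements are evaluated independently and all
     * must be satisfied).
     *
     * @param assertion the assertion to check; {@code null} is accepted as "nothing to validate"
     * @throws SSOException if Conditions or AudienceRestrictions are missing, the issuer id is
     *                      not configured, or any restriction is not satisfied
     */
    private void validateAudienceRestriction(Assertion assertion) throws SSOException {
        if (assertion == null) {
            return;
        }
        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            throw new SSOException("SAML 2.0 Response doesn't contain Conditions");
        }
        if (conditions.getAudienceRestrictions() == null || conditions.getAudienceRestrictions().isEmpty()) {
            throw new SSOException("SAML 2.0 Response doesn't contain AudienceRestrictions");
        }
        String expectedAudience = contextConfiguration.getIssuerId();
        if (expectedAudience == null || expectedAudience.isEmpty()) {
            // Without a configured issuer id no audience can legitimately match; fail closed.
            throw new SSOException("SAML 2.0 Assertion Audience Restriction validation failed, issuer id is not configured");
        }
        boolean satisfied = conditions.getAudienceRestrictions().stream().allMatch(restriction ->
                restriction.getAudiences() != null && restriction.getAudiences().stream()
                        .anyMatch(audience -> expectedAudience.equals(audience.getAudienceURI())));
        if (!satisfied) {
            throw new SSOException("SAML 2.0 Assertion Audience Restriction validation failed");
        }
    }

    /**
     * Validates the XML signatures of the response and/or assertion according to the context
     * configuration. A validator published through {@link DataHolder} takes precedence over the
     * built-in check against the server's entity certificate.
     *
     * <p>Note that when neither response nor assertion signing is enabled, the built-in path
     * performs no signature check at all; that is a configuration decision, not enforced here.
     *
     * @throws SSOException if a required signature is missing or does not verify, or the
     *                      published validator is not a {@link SignatureValidator}
     */
    private void validateSignature(Response response, Assertion assertion) throws SSOException {
        boolean responseSigningEnabled = contextConfiguration.isResponseSigningEnabled();
        boolean assertionSigningEnabled = contextConfiguration.isAssertionSigningEnabled();

        Object validator = DataHolder.getInstance().getObject();
        if (validator != null) {
            if (!(validator instanceof SignatureValidator)) {
                throw new SSOException("Configured signature validator is not a SignatureValidator: "
                        + validator.getClass().getName());
            }
            ((SignatureValidator) validator).validateSignature(
                    response, assertion, responseSigningEnabled, assertionSigningEnabled);
            return;
        }

        if (responseSigningEnabled) {
            if (response.getSignature() == null) {
                throw new SSOException("SAML 2.0 Response signing is enabled, but signature element not found in SAML 2.0 Response element");
            }
            try {
                org.opensaml.xmlsec.signature.support.SignatureValidator.validate(
                        response.getSignature(), entityCertificateCredential());
            } catch (SignatureException e) {
                throw new SSOException("Signature validation failed for SAML 2.0 Response", e);
            }
        }
        if (assertionSigningEnabled) {
            if (assertion.getSignature() == null) {
                throw new SSOException("SAML 2.0 Assertion signing is enabled, but signature element not found in SAML 2.0 Assertion element");
            }
            try {
                org.opensaml.xmlsec.signature.support.SignatureValidator.validate(
                        assertion.getSignature(), entityCertificateCredential());
            } catch (SignatureException e) {
                throw new SSOException("Signature validation failed for SAML 2.0 Assertion", e);
            }
        }
    }

    /** Wraps the server's entity certificate as the credential used for built-in signature checks. */
    private static X509CredentialImplementation entityCertificateCredential() {
        return new X509CredentialImplementation(SSOX509Credential.getInstance().getEntityCertificate());
    }

    /**
     * Performs single logout. An IdP-sent LogoutRequest (the {@code SAMLRequest} parameter, when
     * present and parseable) takes precedence and invalidates every local session bound to its
     * session index; otherwise the LogoutResponse received for our own request invalidates the
     * current session and those linked to it. Already-invalidated sessions are skipped.
     *
     * @param request        the POST from the IdP
     * @param logoutResponse the already-parsed message from the {@code SAMLResponse} parameter
     * @throws SSOException if neither a LogoutRequest nor a LogoutResponse is available
     */
    private void performSingleLogout(Request request, XMLObject logoutResponse) throws SSOException {
        XMLObject message = logoutResponse;
        String encodedRequest = request.getParameter(Constants.HTTP_POST_PARAM_SAML_REQUEST);
        if (encodedRequest != null) {
            Optional<XMLObject> logoutRequest = SSOUtils.unmarshall(decodeBase64(encodedRequest));
            if (logoutRequest.isPresent()) {
                message = logoutRequest.get();
            }
        }

        Log logger = request.getHost().getLogger();
        if (message instanceof LogoutRequest) {
            ((LogoutRequest) message).getSessionIndexes().stream().findFirst().ifPresent(index ->
                    SSOAgentSessionManager.getAllInvalidatableSessions(index.getSessionIndex()).stream()
                            .forEach(session -> invalidateQuietly(session::invalidate, logger)));
        } else if (message instanceof LogoutResponse) {
            Optional.ofNullable(request.getSession(false)).ifPresent(current ->
                    SSOAgentSessionManager.getAllInvalidatableSessions(current).stream()
                            .forEach(session -> invalidateQuietly(session::invalidate, logger)));
        } else {
            throw new SSOException("Invalid SAML 2.0 Single Logout Request/Response.");
        }
    }

    /**
     * Runs a session invalidation, ignoring the {@link IllegalStateException} thrown when the
     * session was already invalidated (logged at debug level only).
     */
    private static void invalidateQuietly(Runnable invalidate, Log logger) {
        try {
            invalidate.run();
        } catch (IllegalStateException e) {
            if (logger.isDebugEnabled()) {
                logger.debug("Ignoring exception : ", e);
            }
        }
    }

    /**
     * Tells whether the response reports {@code Responder}/{@code NoPassive}, i.e. the IdP could
     * not authenticate silently in a passive request. Null-safe over the status chain.
     */
    private static boolean isNoPassive(Response response) {
        return Optional.ofNullable(response.getStatus())
                .map(status -> status.getStatusCode())
                .filter(code -> STATUS_RESPONDER.equals(code.getValue()))
                .map(code -> code.getStatusCode())
                .filter(subCode -> STATUS_NO_PASSIVE.equals(subCode.getValue()))
                .isPresent();
    }

    /** URL-encodes a query-string component as UTF-8. */
    private static String urlEncode(String value) {
        try {
            return URLEncoder.encode(value, StandardCharsets.UTF_8.name());
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is a required charset on every JVM; reaching this is a platform defect.
            throw new IllegalStateException("UTF-8 encoding is not supported", e);
        }
    }

    /**
     * Escapes the characters that are significant in HTML text and single- or double-quoted
     * attribute values; {@code null} becomes the empty string.
     */
    private static String escapeHtml(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder escaped = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':
                    escaped.append("&amp;");
                    break;
                case '<':
                    escaped.append("&lt;");
                    break;
                case '>':
                    escaped.append("&gt;");
                    break;
                case '"':
                    escaped.append("&quot;");
                    break;
                case '\'':
                    escaped.append("&#39;");
                    break;
                default:
                    escaped.append(c);
            }
        }
        return escaped.toString();
    }
}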
