package org.wso2.carbon.identity.sso.saml.processors;

import java.util.ArrayList;
import java.util.List;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.context.RegistryType;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
import org.wso2.carbon.identity.core.persistence.IdentityPersistenceManager;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.sso.saml.SAMLSSOConstants;
import org.wso2.carbon.identity.sso.saml.SSOServiceProviderConfigManager;
import org.wso2.carbon.identity.sso.saml.builders.ErrorResponseBuilder;
import org.wso2.carbon.identity.sso.saml.builders.ResponseBuilder;
import org.wso2.carbon.identity.sso.saml.builders.SAMLArtifactBuilder;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOAuthnReqDTO;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSORespDTO;
import org.wso2.carbon.identity.sso.saml.session.SSOSessionPersistenceManager;
import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;
import org.wso2.carbon.registry.core.utils.UUIDGenerator;

/* loaded from: input_file:org/wso2/carbon/identity/sso/saml/processors/SPInitSSOAuthnRequestProcessor.class */
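/**
 * Processes an SP-initiated SAML 2.0 AuthnRequest once the authentication framework has
 * run, and produces the {@link SAMLSSORespDTO} the caller sends back to the Service Provider.
 * <p>
 * Order of operations in {@link #process}: resolve the SP registration by issuer and tenant,
 * reject ECP requests from SPs that are not ECP-enabled, copy the registered SP settings onto
 * the request DTO, enforce that a {@code Subject} named in the request matches the authenticated
 * user, then - only when the user is authenticated - establish or reuse the SSO session index,
 * persist the SP session for username/password authentication, and build either a SAML2
 * artifact or an encoded SAML Response.
 * <p>
 * Every rejection is turned into a SAML error Response rather than an exception. The generic
 * catch in {@link #process} intentionally keeps exception details out of the status message and
 * only writes them to the server log.
 */
public class SPInitSSOAuthnRequestProcessor implements SSOAuthnRequestProcessor {

    private static final Log log = LogFactory.getLog(SPInitSSOAuthnRequestProcessor.class);

    /**
     * Builds the SAML response (or artifact) for an SP-initiated authentication request.
     * <p>
     * Parameter names are as decompiled; their roles, as used by this method, are:
     *
     * @param sAMLSSOAuthnReqDTO the parsed AuthnRequest plus the authenticated user, if any
     * @param str                token id looked up in {@link SSOSessionPersistenceManager}; may be
     *                           {@code null}, in which case a fresh session index is generated
     * @param z                  {@code true} when the user has been authenticated; when {@code false}
     *                           no response is built and {@code null} is returned
     * @param str2               not read by this method
     * @param str3               authentication mode; SP session data is persisted only when it equals
     *                           {@code "usernamePasswordBasedAuthn"}
     * @return the response DTO, a SAML error response for any rejected request, or {@code null} when
     *         {@code z} is {@code false} and nothing failed
     * @throws Exception only when building the error response inside the catch block itself fails;
     *                   every other exception is caught and converted into an error response
     */
    @Override // org.wso2.carbon.identity.sso.saml.processors.SSOAuthnRequestProcessor
    public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO, String str, boolean z, String str2, String str3) throws Exception {
        String generateUUID;
        String authenticatedSubjectIdentifier;
        try {
            // SP registration is keyed by the request's Issuer within the request's tenant.
            SAMLSSOServiceProviderDO serviceProviderConfig = SAMLSSOUtil.getServiceProviderConfig(sAMLSSOAuthnReqDTO.getIssuer(), sAMLSSOAuthnReqDTO.getTenantDomain());
            if (serviceProviderConfig == null) {
                // The Issuer is request-controlled and is echoed into both the log line and the
                // SAML status message returned to the requester.
                String str4 = "A SAML Service Provider with the Issuer '" + sAMLSSOAuthnReqDTO.getIssuer() + "' is not registered. Service Provider should be registered in advance.";
                log.warn(str4);
                return buildErrorResponse(sAMLSSOAuthnReqDTO.getId(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, str4, (String) null);
            }
            // An ECP-profile request is only honoured for SPs registered with ECP enabled.
            if (isECPReqfromECPEnabledSP(sAMLSSOAuthnReqDTO, serviceProviderConfig)) {
                String str5 = "The SAML Service Provider with the Issuer '" + sAMLSSOAuthnReqDTO.getIssuer() + "' is not ECP enabled.";
                log.warn(str5);
                return buildErrorResponse(sAMLSSOAuthnReqDTO.getId(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, str5, (String) null);
            }
            populateServiceProviderConfigs(serviceProviderConfig, sAMLSSOAuthnReqDTO);
            // If the AuthnRequest named a Subject, refuse to issue an assertion for a different
            // authenticated user. Only enforced when both a Subject and a user are present.
            if (sAMLSSOAuthnReqDTO.getSubject() != null && sAMLSSOAuthnReqDTO.getUser() != null && (authenticatedSubjectIdentifier = sAMLSSOAuthnReqDTO.getUser().getAuthenticatedSubjectIdentifier()) != null && !authenticatedSubjectIdentifier.equals(sAMLSSOAuthnReqDTO.getSubject())) {
                log.warn("Provided username does not match with the requested subject");
                List<String> statusCodes = new ArrayList<String>();
                statusCodes.add(SAMLSSOConstants.StatusCodes.AUTHN_FAILURE);
                statusCodes.add(SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR);
                // Unlike the other rejections, this one is addressed to the ACS URL.
                return buildErrorResponse(sAMLSSOAuthnReqDTO.getId(), statusCodes, "Provided username does not match with the requested subject", sAMLSSOAuthnReqDTO.getAssertionConsumerURL());
            }
            SSOSessionPersistenceManager persistenceManager = SSOSessionPersistenceManager.getPersistenceManager();
            SAMLSSORespDTO sAMLSSORespDTO = null;
            if (z) {
                // Reuse the session index bound to a known token id; otherwise mint a new one.
                // NOTE(review): when str is null the new index is still persisted against a null
                // token id - relies on SSOSessionPersistenceManager tolerating that; confirm.
                if (str == null || !persistenceManager.isExistingTokenId(str, sAMLSSOAuthnReqDTO.getLoggedInTenantDomain())) {
                    generateUUID = UUIDGenerator.generateUUID();
                    persistenceManager.persistSession(str, generateUUID, sAMLSSOAuthnReqDTO.getLoggedInTenantDomain());
                } else {
                    generateUUID = persistenceManager.getSessionIndexFromTokenId(str, sAMLSSOAuthnReqDTO.getLoggedInTenantDomain());
                }
                // A null authentication mode throws NullPointerException here, which the catch
                // below reports as a generic authentication failure rather than a success.
                if (str3.equals("usernamePasswordBasedAuthn")) {
                    // Snapshot of the SP settings (as already copied onto the request DTO) that the
                    // session store needs later, e.g. for single logout.
                    SAMLSSOServiceProviderDO sAMLSSOServiceProviderDO = new SAMLSSOServiceProviderDO();
                    sAMLSSOServiceProviderDO.setIssuer(sAMLSSOAuthnReqDTO.getIssuer());
                    sAMLSSOServiceProviderDO.setAssertionConsumerUrl(sAMLSSOAuthnReqDTO.getAssertionConsumerURL());
                    sAMLSSOServiceProviderDO.setCertAlias(sAMLSSOAuthnReqDTO.getCertAlias());
                    sAMLSSOServiceProviderDO.setSloResponseURL(sAMLSSOAuthnReqDTO.getSloResponseURL());
                    sAMLSSOServiceProviderDO.setSloRequestURL(sAMLSSOAuthnReqDTO.getSloRequestURL());
                    sAMLSSOServiceProviderDO.setTenantDomain(sAMLSSOAuthnReqDTO.getTenantDomain());
                    sAMLSSOServiceProviderDO.setNameIDFormat(sAMLSSOAuthnReqDTO.getNameIDFormat());
                    sAMLSSOServiceProviderDO.setDoSingleLogout(sAMLSSOAuthnReqDTO.isDoSingleLogout());
                    sAMLSSOServiceProviderDO.setDoFrontChannelLogout(sAMLSSOAuthnReqDTO.isDoFrontChannelLogout());
                    sAMLSSOServiceProviderDO.setFrontChannelLogoutBinding(sAMLSSOAuthnReqDTO.getFrontChannelLogoutBinding());
                    sAMLSSOServiceProviderDO.setIdPInitSLOEnabled(sAMLSSOAuthnReqDTO.isIdPInitSLOEnabled());
                    sAMLSSOServiceProviderDO.setAssertionConsumerUrls(sAMLSSOAuthnReqDTO.getAssertionConsumerURLs());
                    sAMLSSOServiceProviderDO.setIdpInitSLOReturnToURLs(sAMLSSOAuthnReqDTO.getIdpInitSLOReturnToURLs());
                    sAMLSSOServiceProviderDO.setDoSignResponse(sAMLSSOAuthnReqDTO.isDoSignResponse());
                    sAMLSSOServiceProviderDO.setSigningAlgorithmUri(sAMLSSOAuthnReqDTO.getSigningAlgorithmUri());
                    sAMLSSOServiceProviderDO.setDigestAlgorithmUri(sAMLSSOAuthnReqDTO.getDigestAlgorithmUri());
                    sAMLSSOServiceProviderDO.setAssertionEncryptionAlgorithmUri(sAMLSSOAuthnReqDTO.getAssertionEncryptionAlgorithmUri());
                    sAMLSSOServiceProviderDO.setEnableSAML2ArtifactBinding(sAMLSSOAuthnReqDTO.isSAML2ArtifactBindingEnabled());
                    sAMLSSOServiceProviderDO.setDoValidateSignatureInRequests(sAMLSSOAuthnReqDTO.isDoValidateSignatureInRequests());
                    sAMLSSOServiceProviderDO.setDoValidateSignatureInArtifactResolve(sAMLSSOAuthnReqDTO.isDoValidateSignatureInArtifactResolve());
                    sAMLSSOServiceProviderDO.setKeyEncryptionAlgorithmUri(sAMLSSOAuthnReqDTO.getKeyEncryptionAlgorithmUri());
                    persistenceManager.persistSession(generateUUID, sAMLSSOAuthnReqDTO.getUser().getAuthenticatedSubjectIdentifier(), sAMLSSOServiceProviderDO, sAMLSSOAuthnReqDTO.getRpSessionId(), sAMLSSOAuthnReqDTO.getIssuer(), sAMLSSOAuthnReqDTO.getAssertionConsumerURL(), sAMLSSOAuthnReqDTO.getLoggedInTenantDomain());
                }
                sAMLSSORespDTO = new SAMLSSORespDTO();
                if (sAMLSSOAuthnReqDTO.isSAML2ArtifactBindingEnabled()) {
                    // Artifact binding: the SP later redeems this value through ArtifactResolve,
                    // so the artifact is the credential itself and is not written to the log.
                    String buildSAML2Artifact = new SAMLArtifactBuilder().buildSAML2Artifact(sAMLSSOAuthnReqDTO, generateUUID);
                    if (log.isDebugEnabled()) {
                        log.debug("Built SAML2 artifact for [SP: " + sAMLSSOAuthnReqDTO.getIssuer() + ", subject: " + sAMLSSOAuthnReqDTO.getSubject() + ", tenant: " + sAMLSSOAuthnReqDTO.getTenantDomain() + "]");
                    }
                    sAMLSSORespDTO.setRespString(buildSAML2Artifact);
                } else {
                    ResponseBuilder responseBuilder = SAMLSSOUtil.getResponseBuilder();
                    if (responseBuilder == null) {
                        throw new Exception("Response builder was null.");
                    }
                    String marshall = SAMLSSOUtil.marshall(responseBuilder.buildResponse(sAMLSSOAuthnReqDTO, generateUUID));
                    if (log.isDebugEnabled()) {
                        // Writes the complete pre-encoding Response XML (presumably including the
                        // issued assertion and its claims) to the log - keep DEBUG off in production.
                        log.debug(marshall);
                    }
                    sAMLSSORespDTO.setRespString(SAMLSSOUtil.encode(marshall));
                }
                sAMLSSORespDTO.setSessionEstablished(true);
                sAMLSSORespDTO.setAssertionConsumerURL(sAMLSSOAuthnReqDTO.getAssertionConsumerURL());
                sAMLSSORespDTO.setLoginPageURL(sAMLSSOAuthnReqDTO.getLoginPageURL());
                sAMLSSORespDTO.setSubject(sAMLSSOAuthnReqDTO.getUser());
            }
            return sAMLSSORespDTO;
        } catch (Exception e) {
            // Full detail goes to the server log only; the requester gets a fixed status message.
            log.error("Error processing the authentication request", e);
            List<String> statusCodes = new ArrayList<String>();
            statusCodes.add(SAMLSSOConstants.StatusCodes.AUTHN_FAILURE);
            statusCodes.add(SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR);
            SAMLSSORespDTO buildErrorResponse = buildErrorResponse(sAMLSSOAuthnReqDTO.getId(), statusCodes, "Error processing the authentication request.", (String) null);
            buildErrorResponse.setLoginPageURL(sAMLSSOAuthnReqDTO.getLoginPageURL());
            buildErrorResponse.setAssertionConsumerURL(sAMLSSOAuthnReqDTO.getAssertionConsumerURL());
            return buildErrorResponse;
        }
    }

    /**
     * Looks up the SP registration for the request's Issuer, first in the in-memory
     * {@link SSOServiceProviderConfigManager} and, failing that, in the tenant's system
     * configuration registry. Also records on the DTO which source answered (Stratos flag set
     * when the in-memory manager had it).
     * <p>
     * Not called from anywhere in this class; {@link #process} uses
     * {@link SAMLSSOUtil#getServiceProviderConfig} instead. Retained as-is.
     *
     * @param sAMLSSOAuthnReqDTO request whose Issuer identifies the SP; its Stratos-deployment flag is updated
     * @return the SP registration, or {@code null} if neither source has it
     * @throws IdentityException wrapping any failure while reading the configuration
     */
    private SAMLSSOServiceProviderDO getServiceProviderConfig(SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO) throws IdentityException {
        try {
            SAMLSSOServiceProviderDO serviceProvider = SSOServiceProviderConfigManager.getInstance().getServiceProvider(sAMLSSOAuthnReqDTO.getIssuer());
            if (serviceProvider == null) {
                IdentityTenantUtil.initializeRegistry(PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId(), PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain());
                serviceProvider = IdentityPersistenceManager.getPersistanceManager().getServiceProvider(PrivilegedCarbonContext.getThreadLocalCarbonContext().getRegistry(RegistryType.SYSTEM_CONFIGURATION), sAMLSSOAuthnReqDTO.getIssuer());
                sAMLSSOAuthnReqDTO.setStratosDeployment(false);
            } else {
                sAMLSSOAuthnReqDTO.setStratosDeployment(true);
            }
            return serviceProvider;
        } catch (Exception e) {
            throw IdentityException.error("Error while reading Service Provider configurations", e);
        }
    }

    /**
     * Copies the registered SP settings (signing, encryption, logout, NameID, requested
     * claims/audiences/recipients, artifact binding, ...) onto the request DTO so the response
     * builders work from the trusted registration rather than from request content.
     * <p>
     * The one exception is the assertion consumer URL: a non-blank value already on the DTO
     * (i.e. taken from the AuthnRequest) is kept, and the SP's default ACS URL is used only when
     * the DTO has none. This method does not itself check that a request-supplied ACS URL is
     * among the SP's registered ACS URLs; that check is assumed to happen in request validation
     * before this processor runs - verify against the caller.
     *
     * @param sAMLSSOServiceProviderDO the SP registration to copy from
     * @param sAMLSSOAuthnReqDTO       the request DTO to populate
     * @throws IdentityException declared for compatibility; nothing in this method throws it
     */
    private void populateServiceProviderConfigs(SAMLSSOServiceProviderDO sAMLSSOServiceProviderDO, SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO) throws IdentityException {
        if (StringUtils.isBlank(sAMLSSOAuthnReqDTO.getAssertionConsumerURL())) {
            sAMLSSOAuthnReqDTO.setAssertionConsumerURL(sAMLSSOServiceProviderDO.getDefaultAssertionConsumerUrl());
        }
        sAMLSSOAuthnReqDTO.setLoginPageURL(sAMLSSOServiceProviderDO.getLoginPageURL());
        sAMLSSOAuthnReqDTO.setCertAlias(sAMLSSOServiceProviderDO.getCertAlias());
        sAMLSSOAuthnReqDTO.setNameIdClaimUri(sAMLSSOServiceProviderDO.getNameIdClaimUri());
        sAMLSSOAuthnReqDTO.setNameIDFormat(sAMLSSOServiceProviderDO.getNameIDFormat());
        sAMLSSOAuthnReqDTO.setDoSingleLogout(sAMLSSOServiceProviderDO.isDoSingleLogout());
        sAMLSSOAuthnReqDTO.setDoFrontChannelLogout(sAMLSSOServiceProviderDO.isDoFrontChannelLogout());
        sAMLSSOAuthnReqDTO.setFrontChannelLogoutBinding(sAMLSSOServiceProviderDO.getFrontChannelLogoutBinding());
        sAMLSSOAuthnReqDTO.setSloResponseURL(sAMLSSOServiceProviderDO.getSloResponseURL());
        sAMLSSOAuthnReqDTO.setSloRequestURL(sAMLSSOServiceProviderDO.getSloRequestURL());
        sAMLSSOAuthnReqDTO.setDoSignResponse(sAMLSSOServiceProviderDO.isDoSignResponse());
        sAMLSSOAuthnReqDTO.setDoSignAssertions(sAMLSSOServiceProviderDO.isDoSignAssertions());
        sAMLSSOAuthnReqDTO.setRequestedClaims(sAMLSSOServiceProviderDO.getRequestedClaims());
        sAMLSSOAuthnReqDTO.setRequestedAudiences(sAMLSSOServiceProviderDO.getRequestedAudiences());
        sAMLSSOAuthnReqDTO.setRequestedRecipients(sAMLSSOServiceProviderDO.getRequestedRecipients());
        sAMLSSOAuthnReqDTO.setDoEnableEncryptedAssertion(sAMLSSOServiceProviderDO.isDoEnableEncryptedAssertion());
        sAMLSSOAuthnReqDTO.setDoValidateSignatureInRequests(sAMLSSOServiceProviderDO.isDoValidateSignatureInRequests());
        sAMLSSOAuthnReqDTO.setIdPInitSLOEnabled(sAMLSSOServiceProviderDO.isIdPInitSLOEnabled());
        sAMLSSOAuthnReqDTO.setAssertionConsumerURLs(sAMLSSOServiceProviderDO.getAssertionConsumerUrls());
        sAMLSSOAuthnReqDTO.setIdpInitSLOReturnToURLs(sAMLSSOServiceProviderDO.getIdpInitSLOReturnToURLs());
        sAMLSSOAuthnReqDTO.setSigningAlgorithmUri(sAMLSSOServiceProviderDO.getSigningAlgorithmUri());
        sAMLSSOAuthnReqDTO.setDigestAlgorithmUri(sAMLSSOServiceProviderDO.getDigestAlgorithmUri());
        sAMLSSOAuthnReqDTO.setAssertionEncryptionAlgorithmUri(sAMLSSOServiceProviderDO.getAssertionEncryptionAlgorithmUri());
        sAMLSSOAuthnReqDTO.setKeyEncryptionAlgorithmUri(sAMLSSOServiceProviderDO.getKeyEncryptionAlgorithmUri());
        sAMLSSOAuthnReqDTO.setAssertionQueryRequestProfileEnabled(sAMLSSOServiceProviderDO.isAssertionQueryRequestProfileEnabled());
        sAMLSSOAuthnReqDTO.setEnableSAML2ArtifactBinding(sAMLSSOServiceProviderDO.isEnableSAML2ArtifactBinding());
        sAMLSSOAuthnReqDTO.setDoValidateSignatureInArtifactResolve(sAMLSSOServiceProviderDO.isDoValidateSignatureInArtifactResolve());
    }

    /**
     * Single-status-code convenience overload of {@link #buildErrorResponse(String, List, String, String)}.
     *
     * @param str  InResponseTo value (the AuthnRequest id)
     * @param str2 the one SAML status code to report
     * @param str3 human-readable status message
     * @param str4 destination for the error response; may be {@code null}
     * @return a response DTO with {@code sessionEstablished} set to {@code false}
     * @throws Exception if building, marshalling or compressing the response fails
     */
    private SAMLSSORespDTO buildErrorResponse(String str, String str2, String str3, String str4) throws Exception {
        List<String> statusCodes = new ArrayList<String>();
        statusCodes.add(str2);
        return buildErrorResponse(str, statusCodes, str3, str4);
    }

    /**
     * Builds a SAML error Response, marshals and deflate-compresses it, and wraps it in a
     * response DTO marked as not having established a session.
     *
     * @param str  InResponseTo value (the AuthnRequest id)
     * @param list SAML status codes, outermost first
     * @param str2 human-readable status message
     * @param str3 destination for the error response; may be {@code null}
     * @return a response DTO carrying the compressed error Response
     * @throws Exception if building, marshalling or compressing the response fails
     */
    private SAMLSSORespDTO buildErrorResponse(String str, List<String> list, String str2, String str3) throws Exception {
        SAMLSSORespDTO sAMLSSORespDTO = new SAMLSSORespDTO();
        sAMLSSORespDTO.setRespString(SAMLSSOUtil.compressResponse(SAMLSSOUtil.marshall(new ErrorResponseBuilder().buildResponse(str, list, str2, str3))));
        sAMLSSORespDTO.setSessionEstablished(false);
        return sAMLSSORespDTO;
    }

    /**
     * Rejection predicate for the ECP profile. Despite its name it returns {@code true} when the
     * request is an ECP request but the SP is <em>not</em> registered as ECP-enabled, i.e. when
     * the request must be refused; it returns {@code false} for non-ECP requests and for ECP
     * requests from ECP-enabled SPs.
     *
     * @param sAMLSSOAuthnReqDTO       the incoming request
     * @param sAMLSSOServiceProviderDO the SP registration
     * @return {@code true} if the request must be rejected as an ECP request to a non-ECP SP
     */
    private boolean isECPReqfromECPEnabledSP(SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO, SAMLSSOServiceProviderDO sAMLSSOServiceProviderDO) {
        return sAMLSSOAuthnReqDTO.isSamlECPEnabled() && !sAMLSSOServiceProviderDO.isSamlECP();
    }
}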
