package org.wso2.carbon.identity.sso.saml.servlet;

import java.io.IOException;
import java.io.PrintWriter;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Properties;
import java.util.stream.Collectors;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.soap.SOAPException;
import javax.xml.transform.TransformerException;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.LogoutResponse;
import org.owasp.encoder.Encode;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.context.RegistryType;
import org.wso2.carbon.core.SameSiteCookie;
import org.wso2.carbon.core.ServletCookie;
import org.wso2.carbon.identity.application.authentication.framework.AuthenticatorFlowStatus;
import org.wso2.carbon.identity.application.authentication.framework.CommonAuthenticationHandler;
import org.wso2.carbon.identity.application.authentication.framework.cache.AuthenticationRequestCacheEntry;
import org.wso2.carbon.identity.application.authentication.framework.cache.AuthenticationResultCacheEntry;
import org.wso2.carbon.identity.application.authentication.framework.context.SessionAuthHistory;
import org.wso2.carbon.identity.application.authentication.framework.context.SessionContext;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationContextProperty;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationRequest;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationResult;
import org.wso2.carbon.identity.application.authentication.framework.model.CommonAuthRequestWrapper;
import org.wso2.carbon.identity.application.authentication.framework.model.CommonAuthResponseWrapper;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
import org.wso2.carbon.identity.application.mgt.ApplicationManagementService;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.ServiceURLBuilder;
import org.wso2.carbon.identity.core.URLBuilderException;
import org.wso2.carbon.identity.core.model.IdentityCookieConfig;
import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
import org.wso2.carbon.identity.core.persistence.IdentityPersistenceManager;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.sso.saml.FrontChannelSLOParticipantInfo;
import org.wso2.carbon.identity.sso.saml.FrontChannelSLOParticipantStore;
import org.wso2.carbon.identity.sso.saml.SAMLECPConstants;
import org.wso2.carbon.identity.sso.saml.SAMLSSOConstants;
import org.wso2.carbon.identity.sso.saml.SAMLSSOService;
import org.wso2.carbon.identity.sso.saml.SSOServiceProviderConfigManager;
import org.wso2.carbon.identity.sso.saml.builders.SignKeyDataHolder;
import org.wso2.carbon.identity.sso.saml.builders.SingleLogoutMessageBuilder;
import org.wso2.carbon.identity.sso.saml.builders.X509CredentialImpl;
import org.wso2.carbon.identity.sso.saml.cache.SAMLSSOParticipantCache;
import org.wso2.carbon.identity.sso.saml.cache.SAMLSSOParticipantCacheKey;
import org.wso2.carbon.identity.sso.saml.cache.SessionDataCache;
import org.wso2.carbon.identity.sso.saml.cache.SessionDataCacheEntry;
import org.wso2.carbon.identity.sso.saml.cache.SessionDataCacheKey;
import org.wso2.carbon.identity.sso.saml.common.SAMLSSOProviderConstants;
import org.wso2.carbon.identity.sso.saml.dto.QueryParamDTO;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOAuthnReqDTO;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOReqValidationResponseDTO;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSORespDTO;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOSessionDTO;
import org.wso2.carbon.identity.sso.saml.exception.IdentitySAML2SSOException;
import org.wso2.carbon.identity.sso.saml.internal.IdentitySAMLSSOServiceComponent;
import org.wso2.carbon.identity.sso.saml.session.SSOSessionPersistenceManager;
import org.wso2.carbon.identity.sso.saml.session.SessionInfoData;
import org.wso2.carbon.identity.sso.saml.util.SAMLSOAPUtils;
import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;
import org.wso2.carbon.idp.mgt.util.IdPManagementUtil;
import org.wso2.carbon.registry.core.utils.UUIDGenerator;
import org.wso2.carbon.user.api.UserStoreException;

/* loaded from: input_file:org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.class */
public class SAMLSSOProviderServlet extends HttpServlet {
    private static final long serialVersionUID = -5182312441482721905L;
    private static final Log log = LogFactory.getLog(SAMLSSOProviderServlet.class);
    // Service instance held by the servlet; note that the visible handlers below construct their own
    // SAMLSSOService instead of using this field.
    private SAMLSSOService samlSsoService = new SAMLSSOService();
    // Name of the cookie that carries the SAML SSO session token id (read via getTokenIdCookie).
    private static final String SAML_SSO_TOKEN_ID_COOKIE = "samlssoTokenId";
    private static final String ACR_VALUES_ATTRIBUTE = "acr_values";
    private static final String REQUEST_PARAM_SP = "sp";
    private static final String HTTPS_SCHEME = "https";
    private static final String HTTP_SCHEME = "http";
    // NOTE(review): this listing is decompiled. Several methods below assign SAML_ECP_ENABLED to String/object
    // locals; that is a decompiler artefact standing for null, not a real use of this flag.
    private static final boolean SAML_ECP_ENABLED = false;
    private static final int DEFAULT_HTTPS_PORT = 443;
    private static final int DEFAULT_HTTP_PORT = 80;
    // Auto-submitting HTML form used to POST a SAML message to the SP. The $app, $acUrl, $params and
    // $additionalParams placeholders are substituted outside this view; substituted values must be HTML-encoded
    // (org.owasp.encoder.Encode is imported for this) — TODO confirm at the substitution site.
    private static final String formPostPageTemplate = "<html>\n<body onload=\"javascript:document.getElementById('samlsso-response-form').submit()\">\n<h2>Please wait while we take you back to $app</h2>\n<p><a href=\"javascript:document.getElementById('samlsso-response-form').submit()\">Click here</a> if you have been waiting for too long.</p>\n<form id=\"samlsso-response-form\" method=\"post\" action=\"$acUrl\">\n    <!--$params-->\n    <!--$additionalParams-->\n</form>\n</body>\n</html>";

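    /**
     * Handles GET (redirect binding) requests to the SAML SSO endpoint.
     * <p>
     * The thread-local state set while handling the request is cleared in a {@code finally} block so that it
     * cannot leak into the next request served by the same container thread, whether or not handling succeeded.
     *
     * @param httpServletRequest  incoming request
     * @param httpServletResponse outgoing response
     * @throws ServletException propagated from {@link #handleRequest}
     * @throws IOException      on I/O failures while writing the response
     */
    @Override
    protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        try {
            handleRequest(httpServletRequest, httpServletResponse, false);
        } finally {
            // Same cleanup on both the success and failure path; a finally block avoids duplicating it.
            SAMLSSOUtil.removeSaaSApplicationThreaLocal();
            SAMLSSOUtil.removeUserTenantDomainThreaLocal();
            SAMLSSOUtil.removeTenantDomainFromThreadLocal();
            SAMLSSOUtil.removeIssuerWithQualifierInThreadLocal();
        }
    }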

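    /**
     * Handles POST binding requests to the SAML SSO endpoint.
     * <p>
     * The thread-local state set while handling the request is cleared in a {@code finally} block so that it
     * cannot leak into the next request served by the same container thread, whether or not handling succeeded.
     *
     * @param httpServletRequest  incoming request
     * @param httpServletResponse outgoing response
     * @throws ServletException propagated from {@link #handleRequest}
     * @throws IOException      on I/O failures while writing the response
     */
    @Override
    protected void doPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        try {
            handleRequest(httpServletRequest, httpServletResponse, true);
        } finally {
            // Same cleanup on both the success and failure path; a finally block avoids duplicating it.
            SAMLSSOUtil.removeSaaSApplicationThreaLocal();
            SAMLSSOUtil.removeUserTenantDomainThreaLocal();
            SAMLSSOUtil.removeTenantDomainFromThreadLocal();
            SAMLSSOUtil.removeIssuerWithQualifierInThreadLocal();
        }
    }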

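    /**
     * Dispatches a request reaching the SAML SSO endpoint to the matching handler.
     * <p>
     * Dispatch order: hand-off to the authentication framework ({@code tocommonauth=true} without a flow-status
     * attribute), a callback from the framework ({@code sessionDataKey} present), an IdP-initiated SSO/SLO
     * request ({@code spEntityID} or {@code slo} present), an SP-initiated request ({@code SAMLRequest}), a logout
     * response from an SP ({@code SAMLResponse}), and otherwise an invalid-request notification.
     * <p>
     * The decompiled original assigned the boolean {@code SAML_ECP_ENABLED} to {@code String} locals; those are
     * plain {@code null} initialisations here.
     *
     * @param httpServletRequest  incoming request
     * @param httpServletResponse outgoing response
     * @param z                   {@code true} for the POST binding, {@code false} for the GET/redirect binding
     * @throws ServletException propagated from the handlers
     * @throws IOException      on I/O failures while redirecting or writing the response
     */
    private void handleRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, boolean z) throws ServletException, IOException {
        String sessionId = null;
        Cookie tokenIdCookie = getTokenIdCookie(httpServletRequest);
        if (tokenIdCookie != null) {
            sessionId = tokenIdCookie.getValue();
        }
        String queryString = httpServletRequest.getQueryString();
        if (log.isDebugEnabled()) {
            // NOTE(review): the raw query string may carry SAMLRequest/RelayState; the SP-initiated handler gates
            // request logging behind IdentityUtil.isTokenLoggable("SAML_Request") — consider the same gate here.
            log.debug("Query string : " + queryString);
        }
        String authMode = httpServletRequest.getParameter(SAMLSSOConstants.AUTH_MODE);
        if (!"openIDBasedAuthn".equals(authMode)) {
            // Any value other than the OpenID mode falls back to username/password authentication.
            authMode = "usernamePasswordBasedAuthn";
        }
        String relayState = httpServletRequest.getParameter("RelayState");
        String spEntityId = httpServletRequest.getParameter(SAMLSSOConstants.QueryParameter.SP_ENTITY_ID.toString());
        String samlRequest = httpServletRequest.getParameter("SAMLRequest");
        String samlResponse = httpServletRequest.getParameter("SAMLResponse");
        String sessionDataKey = getSessionDataKey(httpServletRequest);
        String slo = httpServletRequest.getParameter(SAMLSSOConstants.QueryParameter.SLO.toString());
        Object flowStatus = httpServletRequest.getAttribute("authenticatorFlowStatus");
        try {
            if ("true".equals(httpServletRequest.getParameter("tocommonauth")) && flowStatus == null) {
                sendRequestToFramework(httpServletRequest, httpServletResponse);
                return;
            }
            SAMLSSOUtil.setTenantDomainInThreadLocal(resolveRequestTenantDomain(httpServletRequest));
            SAMLSSOUtil.setIssuerQualifier(httpServletRequest.getParameter(SAMLSSOConstants.INBOUND_ISSUER_QUALIFIER));
            if (sessionDataKey != null) {
                dispatchFrameworkCallback(httpServletRequest, httpServletResponse, sessionId, sessionDataKey);
            } else if (spEntityId != null || slo != null) {
                handleIdPInitSSO(httpServletRequest, httpServletResponse, relayState, queryString, authMode, sessionId, z, slo != null);
            } else if (samlRequest != null) {
                handleSPInitSSO(httpServletRequest, httpServletResponse, queryString, relayState, authMode, samlRequest, sessionId, z);
            } else if (samlResponse != null) {
                handleSAMLResponse(httpServletRequest, httpServletResponse, samlResponse, sessionId, z);
            } else {
                handleInvalidRequestMessage(httpServletRequest, httpServletResponse, sessionId);
            }
        } catch (IdentityException e) {
            log.error("Error when processing the authentication request!", e);
            sendNotification(buildIdpErrorResponseOrNull("Error when processing the authentication request"), "Error when processing the authentication request!", "Please try login again.", null, httpServletRequest, httpServletResponse);
        } catch (UserStoreException e) {
            if (log.isDebugEnabled()) {
                log.debug("Error occurred while handling SAML2 SSO request", e);
            }
            sendNotification(buildIdpErrorResponseOrNull("Error occurred while handling SAML2 SSO request"), "Error when processing the authentication request!", "Please try login again.", null, httpServletRequest, httpServletResponse);
        }
    }

    /**
     * Resolves the tenant domain for this request: from the carbon context when tenant-qualified URLs are
     * enabled, otherwise from the {@code tenantDomain} query parameter.
     * <p>
     * NOTE(review): the query-parameter fallback is caller-controlled input; it is assumed that downstream code
     * validates the tenant before trusting it — confirm.
     *
     * @param httpServletRequest incoming request
     * @return the resolved tenant domain, possibly {@code null}/blank when neither source has one
     */
    private String resolveRequestTenantDomain(HttpServletRequest httpServletRequest) {
        String tenantDomain = null;
        if (IdentityTenantUtil.isTenantQualifiedUrlsEnabled()) {
            tenantDomain = IdentityTenantUtil.getTenantDomainFromContext();
            if (log.isDebugEnabled()) {
                log.debug("Tenant domain from context: " + tenantDomain);
            }
        }
        if (StringUtils.isBlank(tenantDomain)) {
            tenantDomain = httpServletRequest.getParameter("tenantDomain");
            if (log.isDebugEnabled()) {
                log.debug("Tenant domain not available in context. Tenant domain from query param: " + tenantDomain);
            }
        }
        return tenantDomain;
    }

    /**
     * Handles the callback from the authentication framework identified by {@code sessionDataKey}: restores the
     * issuer/tenant thread-locals from the cached session, routes to the invalid-logout, logout or authentication
     * response handler, and finally drops the cached authentication result.
     *
     * @param httpServletRequest  incoming request
     * @param httpServletResponse outgoing response
     * @param sessionId           SSO session token from the cookie, or {@code null}
     * @param sessionDataKey      key of the cached {@link SAMLSSOSessionDTO}
     * @throws IdentityException  when an error response cannot be built or a handler fails
     * @throws IOException        on redirect/response I/O failures
     * @throws ServletException   propagated from the handlers
     * @throws UserStoreException propagated from the handlers
     */
    private void dispatchFrameworkCallback(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String sessionId, String sessionDataKey) throws UserStoreException, IdentityException, IOException, ServletException {
        SAMLSSOSessionDTO sessionDTO = getSessionDataFromCache(sessionDataKey);
        if (sessionDTO == null) {
            log.error("Failed to retrieve sessionDTO from the cache for key " + sessionDataKey);
            sendNotification(SAMLSSOUtil.buildErrorResponse(SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR, "Error when processing the authentication request!", null), "Error when processing the authentication request!", "Please try login again.", null, httpServletRequest, httpServletResponse);
            return;
        }
        setSPAttributeToRequest(httpServletRequest, sessionDTO.getIssuer(), sessionDTO.getTenantDomain());
        SAMLSSOUtil.setTenantDomainInThreadLocal(sessionDTO.getTenantDomain());
        SAMLSSOUtil.setIssuerWithQualifierInThreadLocal(sessionDTO.getIssuer());
        if (sessionDTO.isInvalidLogout()) {
            StringBuilder query = new StringBuilder("?status=")
                    .append(URLEncoder.encode(SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, SAMLSSOConstants.ENCODING_FORMAT))
                    .append("&statusMsg=")
                    .append(URLEncoder.encode("Invalid Logout Request", SAMLSSOConstants.ENCODING_FORMAT));
            String logoutResponse = SAMLSSOUtil.buildErrorResponse(SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, "Invalid Logout Request", null);
            if (logoutResponse != null) {
                query.append("&logoutResponse=").append(URLEncoder.encode(logoutResponse, SAMLSSOConstants.ENCODING_FORMAT));
            }
            String acsUrl = sessionDTO.getAssertionConsumerURL();
            if (acsUrl != null) {
                query.append("&ACSUrl=").append(URLEncoder.encode(acsUrl, SAMLSSOConstants.ENCODING_FORMAT));
            }
            log.warn("Redirecting to default logout page due to an invalid logout request");
            httpServletResponse.sendRedirect(FrameworkUtils.getRedirectURL(SAMLSSOUtil.getDefaultLogoutEndpoint() + query, httpServletRequest));
        } else if (sessionDTO.isLogoutReq()) {
            handleLogoutResponseFromFramework(httpServletRequest, httpServletResponse, sessionDTO);
        } else {
            handleAuthenticationReponseFromFramework(httpServletRequest, httpServletResponse, sessionId, sessionDTO);
        }
        removeAuthenticationResult(httpServletRequest, sessionDataKey);
    }

    /**
     * Builds an IdP-error SAML response for the notification page, or returns {@code null} (logging the cause)
     * when even the error response cannot be built, so the notification is still sent.
     *
     * @param statusMessage status message to embed in the error response
     * @return the encoded error response, or {@code null} on failure
     */
    private String buildIdpErrorResponseOrNull(String statusMessage) {
        try {
            return SAMLSSOUtil.buildErrorResponse(SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR, statusMessage, null);
        } catch (IdentityException e) {
            log.error("Error while building SAML response", e);
            return null;
        }
    }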

    /**
     * Responds to a request that is neither a recognised SAML message nor a framework callback.
     * Without an SSO session the caller is sent to the notification page; with one, the request is treated as a
     * logout and handed to the framework.
     *
     * @param httpServletRequest  incoming request
     * @param httpServletResponse outgoing response
     * @param str                 SSO session id from the token cookie, or {@code null}
     * @throws IOException       on redirect failures
     * @throws IdentityException when the error response cannot be built
     * @throws ServletException  propagated from the logout hand-off
     */
    private void handleInvalidRequestMessage(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) throws IOException, IdentityException, ServletException {
        if (log.isDebugEnabled()) {
            log.debug("An invalid request message or single logout message received with session id : " + str);
        }
        boolean hasSession = str != null;
        if (hasSession) {
            sendToFrameworkForLogout(httpServletRequest, httpServletResponse, null, null, str, true, false);
            return;
        }
        String errorResponse = SAMLSSOUtil.buildErrorResponse(SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, "Invalid request message", null);
        sendNotification(errorResponse, "Not a valid SAML 2.0 Request Message!", "The message was not recognized by the SAML 2.0 SSO Provider. Please check the logs for more details", null, httpServletRequest, httpServletResponse);
    }

    /**
     * Decodes an incoming {@code SAMLResponse} parameter and routes it; only a {@link LogoutResponse} is
     * accepted here, anything else is treated as an invalid request.
     *
     * @param httpServletRequest  incoming request
     * @param httpServletResponse outgoing response
     * @param str                 raw {@code SAMLResponse} parameter value
     * @param str2                SSO session id from the token cookie, or {@code null}
     * @param z                   {@code true} when received over the POST binding (base64 only), otherwise the
     *                            redirect binding decoding is used
     * @throws IdentityException on decoding/unmarshalling failures
     * @throws IOException       on response I/O failures
     * @throws ServletException  propagated from the handlers
     */
    private void handleSAMLResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2, boolean z) throws IdentityException, IOException, ServletException {
        String decodedMessage;
        if (z) {
            decodedMessage = SAMLSSOUtil.decodeForPost(str);
        } else {
            decodedMessage = SAMLSSOUtil.decode(str);
        }
        XMLObject samlObject = SAMLSSOUtil.unmarshall(decodedMessage);
        if (!(samlObject instanceof LogoutResponse)) {
            handleInvalidRequestMessage(httpServletRequest, httpServletResponse, str2);
            return;
        }
        handleLogoutResponseFromSP(httpServletRequest, httpServletResponse, str2, (LogoutResponse) samlObject);
    }

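    /**
     * Processes a {@link LogoutResponse} returned by a session participant during front-channel single logout.
     * <p>
     * The response is untrusted input: it is only accepted when its {@code InResponseTo} maps to a pending SLO
     * participant record, its {@code Issuer} is present and equals the participant the logout request was sent
     * to, the SP is registered, and signature/contents validate. A missing issuer or unknown SP previously
     * surfaced as a {@code NullPointerException}; both are now handled as an invalid response.
     *
     * @param httpServletRequest  incoming request
     * @param httpServletResponse outgoing response
     * @param str                 SSO session id from the token cookie, or {@code null}
     * @param logoutResponse      the unmarshalled logout response
     * @throws ServletException  propagated from the handlers
     * @throws IdentityException on SP lookup/validation failures
     * @throws IOException       on redirect failures
     */
    private void handleLogoutResponseFromSP(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, LogoutResponse logoutResponse) throws ServletException, IdentityException, IOException {
        String inResponseTo = logoutResponse.getInResponseTo();
        FrontChannelSLOParticipantInfo participantInfo = getFrontChannelSLOParticipantInfo(inResponseTo);
        String loggedInTenantDomain = getLoggedInTenantDomain(httpServletRequest);
        String issuer = logoutResponse.getIssuer() == null ? null : logoutResponse.getIssuer().getValue();
        // Correlate the response with the participant we actually asked to log out; anything else is rejected.
        if (participantInfo == null || issuer == null || !issuer.equals(participantInfo.getCurrentSLOInvokedParticipant())) {
            handleInvalidRequestMessage(httpServletRequest, httpServletResponse, str);
            return;
        }
        removeFrontChannelSLOParticipantInfo(inResponseTo);
        SAMLSSOServiceProviderDO spConfig = SAMLSSOUtil.getSPConfig(SAMLSSOUtil.getTenantDomainFromThreadLocal(), issuer);
        boolean responseValid = spConfig != null && SAMLSSOUtil.validateLogoutResponse(logoutResponse, spConfig.getCertAlias(), spConfig.getTenantDomain());
        if (!responseValid) {
            log.warn("Redirecting to default logout page due to an invalid logout response.");
            httpServletResponse.sendRedirect(FrameworkUtils.getRedirectURL(SAMLSSOUtil.getDefaultLogoutEndpoint(), httpServletRequest));
            if (log.isDebugEnabled()) {
                log.debug("Single logout failed due to failure in logout response validation for logout response issuer: " + issuer);
            }
            return;
        }
        removeSPFromSession(participantInfo.getSessionIndex(), issuer, loggedInTenantDomain);
        List<SAMLSSOServiceProviderDO> remainingParticipants = SAMLSSOUtil.getRemainingSessionParticipantsForSLO(participantInfo.getSessionIndex(), participantInfo.getOriginalLogoutRequestIssuer(), participantInfo.isIdPInitSLO(), loggedInTenantDomain);
        if (remainingParticipants.isEmpty()) {
            // Every participant has been logged out; answer the SP (or return URL) that started the SLO.
            respondToOriginalLogoutRequestIssuer(httpServletRequest, httpServletResponse, str, participantInfo);
        } else {
            sendLogoutRequestToSessionParticipant(httpServletRequest, httpServletResponse, remainingParticipants, participantInfo.getOriginalIssuerLogoutRequestId(), participantInfo.isIdPInitSLO(), participantInfo.getRelayState(), participantInfo.getReturnToURL(), participantInfo.getSessionIndex(), participantInfo.getOriginalLogoutRequestIssuer(), loggedInTenantDomain);
        }
    }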

    /**
     * Completes a front-channel SLO by answering whoever started it: for IdP-initiated SLO a redirect to the
     * stored return URL, otherwise a signed/encoded {@link LogoutResponse} sent to the original SP.
     * The token cookie is removed when the session index is no longer in the cache.
     * <p>
     * NOTE(review): the return URL is taken from the stored participant record; presumably it was validated
     * against the SP's allow-list when the record was created — confirm.
     *
     * @param httpServletRequest  incoming request
     * @param httpServletResponse outgoing response
     * @param str                 SSO session id from the token cookie
     * @param frontChannelSLOParticipantInfo pending SLO record for this session
     * @throws IOException       on redirect/response failures
     * @throws IdentityException on SP lookup or response building failures
     * @throws ServletException  propagated from {@code sendResponse}
     */
    private void respondToOriginalLogoutRequestIssuer(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, FrontChannelSLOParticipantInfo frontChannelSLOParticipantInfo) throws IOException, IdentityException, ServletException {
        String loggedInTenantDomain = getLoggedInTenantDomain(httpServletRequest);
        boolean sessionGone = SSOSessionPersistenceManager.getSessionIndexFromCache(str, loggedInTenantDomain) == null;
        if (sessionGone) {
            removeTokenIdCookie(httpServletRequest, httpServletResponse, loggedInTenantDomain);
        }
        if (frontChannelSLOParticipantInfo.isIdPInitSLO()) {
            httpServletResponse.sendRedirect(frontChannelSLOParticipantInfo.getReturnToURL());
            return;
        }
        String tenantDomain = SAMLSSOUtil.getTenantDomainFromThreadLocal();
        SAMLSSOServiceProviderDO originalIssuerConfig = SAMLSSOUtil.getSPConfig(tenantDomain, frontChannelSLOParticipantInfo.getOriginalLogoutRequestIssuer());
        LogoutResponse logoutResponse = buildLogoutResponseForOriginalIssuer(frontChannelSLOParticipantInfo.getOriginalIssuerLogoutRequestId(), originalIssuerConfig);
        String encodedResponse = SAMLSSOUtil.encode(SAMLSSOUtil.marshall(logoutResponse));
        sendResponse(httpServletRequest, httpServletResponse, frontChannelSLOParticipantInfo.getRelayState(), encodedResponse, logoutResponse.getDestination(), null, null, tenantDomain);
    }

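    /**
     * Builds a success {@link LogoutResponse} for the SP that initiated single logout.
     * The destination is the SP's SLO response URL when configured, otherwise its default ACS URL.
     * The debug message in the fallback branch now reports the default ACS URL that is actually used (the
     * original logged a different getter).
     *
     * @param str                      id of the SP's original logout request ({@code InResponseTo})
     * @param sAMLSSOServiceProviderDO configuration of the original issuer
     * @return the built logout response
     * @throws IdentityException when the response cannot be built
     */
    private LogoutResponse buildLogoutResponseForOriginalIssuer(String str, SAMLSSOServiceProviderDO sAMLSSOServiceProviderDO) throws IdentityException {
        String destination;
        if (StringUtils.isNotBlank(sAMLSSOServiceProviderDO.getSloResponseURL())) {
            destination = sAMLSSOServiceProviderDO.getSloResponseURL();
            if (log.isDebugEnabled()) {
                log.debug("Destination of the logout response is set to the SLO response URL of the SP: " + destination);
            }
        } else {
            destination = sAMLSSOServiceProviderDO.getDefaultAssertionConsumerUrl();
            if (log.isDebugEnabled()) {
                log.debug("Destination of the logout response is set to the ACS URL of the SP: " + destination);
            }
        }
        return new SingleLogoutMessageBuilder().buildLogoutResponse(str, SAMLSSOConstants.StatusCodes.SUCCESS_CODE, null, destination, sAMLSSOServiceProviderDO.isDoSignResponse(), SAMLSSOUtil.getTenantDomainFromThreadLocal(), sAMLSSOServiceProviderDO.getSigningAlgorithmUri(), sAMLSSOServiceProviderDO.getDigestAlgorithmUri());
    }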

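    /**
     * Removes a service provider from the cached session-participant list after it has logged out.
     * A missing session index, issuer, cache entry or participant list leaves the cache untouched (the original
     * dereferenced the cache entry without checking for absence).
     *
     * @param str  session index
     * @param str2 issuer (SP entity id) to remove
     * @param str3 tenant domain the session belongs to
     */
    private void removeSPFromSession(String str, String str2, String str3) {
        if (str == null || str2 == null) {
            return;
        }
        SAMLSSOParticipantCache participantCache = SAMLSSOParticipantCache.getInstance();
        SAMLSSOParticipantCacheKey cacheKey = new SAMLSSOParticipantCacheKey(str);
        // The entry type is not imported in this file, so the entry is re-read rather than held in a local.
        if (participantCache.getValueFromCache(cacheKey, str3) == null) {
            return;
        }
        SessionInfoData sessionInfoData = participantCache.getValueFromCache(cacheKey, str3).getSessionInfoData();
        if (sessionInfoData == null || sessionInfoData.getServiceProviderList() == null) {
            return;
        }
        sessionInfoData.removeServiceProvider(str2);
        // Write the trimmed participant list back so later SLO steps see the updated state.
        SSOSessionPersistenceManager.addSessionInfoDataToCache(str, sessionInfoData, str3);
    }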

    /**
     * Returns the framework session data key for this request, preferring the request attribute (set by an
     * in-process forward) over the request parameter.
     *
     * @param httpServletRequest incoming request
     * @return the session data key, or {@code null} when neither source has one
     */
    private String getSessionDataKey(HttpServletRequest httpServletRequest) {
        Object fromAttribute = httpServletRequest.getAttribute("sessionDataKey");
        if (fromAttribute != null) {
            return (String) fromAttribute;
        }
        return httpServletRequest.getParameter("sessionDataKey");
    }

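    /**
     * Redirects the user to the notification (error) page, or answers an ECP request in-band.
     * <p>
     * ACS URL and RelayState are taken from the arguments/request when present and otherwise from the cached
     * session DTO, which is looked up at most once (the original looked it up twice and assigned the boolean
     * {@code SAML_ECP_ENABLED} to object locals as a decompiler stand-in for {@code null}).
     * <p>
     * NOTE(review): the ACS URL from the session DTO is presumably the validated SP ACS recorded when the
     * session was created — confirm, since it ends up in a redirect parameter.
     *
     * @param str                 encoded SAML error response, or {@code null}
     * @param str2                status code/title shown on the notification page
     * @param str3                status message shown on the notification page
     * @param str4                ACS URL to pass on, or {@code null}/blank to resolve it from the session
     * @param httpServletRequest  incoming request
     * @param httpServletResponse outgoing response
     * @throws ServletException propagated from the ECP path
     * @throws IOException      on redirect failures
     */
    private void sendNotification(String str, String str2, String str3, String str4, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        if (isSAMLECPRequest(httpServletRequest)) {
            sendNotificationForECPRequest(httpServletResponse, str, str4);
            return;
        }
        String notificationEndpoint = SAMLSSOUtil.getNotificationEndpoint();
        StringBuilder query = new StringBuilder("?status=")
                .append(URLEncoder.encode(str2, SAMLSSOConstants.ENCODING_FORMAT))
                .append("&statusMsg=")
                .append(URLEncoder.encode(str3, SAMLSSOConstants.ENCODING_FORMAT));
        if (str != null) {
            query.append("&SAMLResponse=").append(URLEncoder.encode(str, SAMLSSOConstants.ENCODING_FORMAT));
        }
        String acsUrl = str4;
        String relayState = httpServletRequest.getParameter("RelayState");
        boolean needAcsUrl = StringUtils.isBlank(acsUrl);
        boolean needRelayState = StringUtils.isEmpty(relayState);
        SAMLSSOSessionDTO sessionDTO = null;
        if (needAcsUrl || needRelayState) {
            String sessionDataKey = getSessionDataKey(httpServletRequest);
            if (StringUtils.isNotBlank(sessionDataKey)) {
                sessionDTO = getSessionDataFromCache(sessionDataKey);
            }
        }
        if (needAcsUrl && sessionDTO != null) {
            acsUrl = sessionDTO.getAssertionConsumerURL();
        }
        if (needRelayState && sessionDTO != null) {
            relayState = sessionDTO.getRelayState();
        }
        if (StringUtils.isNotBlank(acsUrl)) {
            query.append("&ACSUrl=").append(URLEncoder.encode(acsUrl, SAMLSSOConstants.ENCODING_FORMAT));
        }
        if (StringUtils.isNotEmpty(relayState)) {
            query.append("&RelayState=").append(URLEncoder.encode(relayState, SAMLSSOConstants.ENCODING_FORMAT));
        }
        httpServletResponse.sendRedirect(FrameworkUtils.getRedirectURL(FrameworkUtils.appendQueryParamsStringToUrl(notificationEndpoint, query.toString()), httpServletRequest));
    }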

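    /**
     * Handles an IdP-initiated SSO or SLO request.
     * Valid requests are handed to the authentication framework; invalid ones are sent to the notification page
     * with the best-known ACS/SLO URL of the SP so the user can be returned there.
     * The duplicated "resolve an error redirect URL for the SP" logic of the two branches is factored into
     * {@link #resolveIdpInitErrorAcsUrl}.
     *
     * @param httpServletRequest  incoming request
     * @param httpServletResponse outgoing response
     * @param str                 RelayState parameter
     * @param str2                raw query string
     * @param str3                authentication mode
     * @param str4                SSO session id from the token cookie, or {@code null}
     * @param z                   {@code true} for the POST binding
     * @param z2                  {@code true} when the {@code slo} parameter is present (logout request)
     * @throws UserStoreException propagated from validation
     * @throws IdentityException  propagated from validation/response building
     * @throws IOException        on redirect failures
     * @throws ServletException   propagated from the framework hand-off
     */
    private void handleIdPInitSSO(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2, String str3, String str4, boolean z, boolean z2) throws UserStoreException, IdentityException, IOException, ServletException {
        SAMLSSOReqValidationResponseDTO validationResp = new SAMLSSOService().validateIdPInitSSORequest(str, str2, getQueryParams(httpServletRequest), FrameworkUtils.getRedirectURL(SAMLSSOUtil.getDefaultLogoutEndpoint(), httpServletRequest), str4, httpServletRequest.getParameter("SSOAuthSessionID"), str3, z2, getLoggedInTenantDomain(httpServletRequest));
        setSPAttributeToRequest(httpServletRequest, validationResp.getIssuer(), SAMLSSOUtil.getTenantDomainFromThreadLocal());
        if (!validationResp.isLogOutReq()) {
            if (validationResp.isValid()) {
                sendToFrameworkForAuthentication(httpServletRequest, httpServletResponse, validationResp, str, false);
                return;
            }
            if (log.isDebugEnabled()) {
                log.debug("Invalid IdP initiated SAML SSO Request");
            }
            sendNotification(validationResp.getResponse(), "Error when processing the authentication request!", "Please try login again.", resolveIdpInitErrorAcsUrl(httpServletRequest, validationResp, false), httpServletRequest, httpServletResponse);
            return;
        }
        if (validationResp.isValid()) {
            sendToFrameworkForLogout(httpServletRequest, httpServletResponse, validationResp, str, str4, false, z);
            return;
        }
        if (log.isDebugEnabled()) {
            log.debug("Invalid IdP initiated SAML Single Logout Request");
        }
        if (validationResp.isLogoutFromAuthFramework()) {
            sendToFrameworkForLogout(httpServletRequest, httpServletResponse, null, null, str4, true, z);
            return;
        }
        sendNotification(validationResp.getResponse(), "Not a valid SAML 2.0 Request Message!", "Please try login again.", resolveIdpInitErrorAcsUrl(httpServletRequest, validationResp, true), httpServletRequest, httpServletResponse);
    }

    /**
     * Resolves the URL the notification page should offer for returning to the SP after an invalid IdP-initiated
     * request: the validation result's ACS URL if set, else the registered SP's SLO response URL or default ACS
     * URL looked up by issuer (from the validation result or the {@code spEntityID} parameter).
     * For logout requests a {@code returnTo} value is appended only when it is in the SP's configured
     * IdP-init SLO return-URL list, so a caller-supplied value cannot redirect to an arbitrary location.
     *
     * @param httpServletRequest incoming request
     * @param validationResp     validation result for the request
     * @param includeReturnTo    {@code true} to consider the {@code returnTo} value (logout branch)
     * @return the resolved URL, or the (blank) value from the validation result when nothing better is known
     * @throws IdentityException  propagated from the SP lookup
     * @throws IOException        from URL encoding with an unsupported charset name
     * @throws UserStoreException propagated from the SP lookup
     */
    private String resolveIdpInitErrorAcsUrl(HttpServletRequest httpServletRequest, SAMLSSOReqValidationResponseDTO validationResp, boolean includeReturnTo) throws IdentityException, IOException, UserStoreException {
        String acsUrl = validationResp.getAssertionConsumerURL();
        if (StringUtils.isNotBlank(acsUrl)) {
            return acsUrl;
        }
        String issuer = validationResp.getIssuer();
        if (StringUtils.isBlank(issuer) && httpServletRequest.getParameter("spEntityID") != null) {
            issuer = httpServletRequest.getParameter("spEntityID");
        }
        if (StringUtils.isBlank(issuer)) {
            return acsUrl;
        }
        SAMLSSOServiceProviderDO spConfig = SAMLSSOUtil.getSPConfig(SAMLSSOUtil.getTenantDomainFromThreadLocal(), SAMLSSOUtil.splitAppendedTenantDomain(issuer));
        if (spConfig == null) {
            return acsUrl;
        }
        acsUrl = spConfig.getSloResponseURL();
        if (StringUtils.isBlank(acsUrl)) {
            acsUrl = spConfig.getDefaultAssertionConsumerUrl();
        }
        if (includeReturnTo) {
            String returnToURL = validationResp.getReturnToURL();
            if (StringUtils.isBlank(returnToURL) && httpServletRequest.getParameter("returnTo") != null) {
                returnToURL = httpServletRequest.getParameter("returnTo");
            }
            // Allow-list check: only a returnTo registered for this SP is propagated.
            if (StringUtils.isNotBlank(returnToURL) && spConfig.getIdpInitSLOReturnToURLList().contains(returnToURL)) {
                acsUrl = acsUrl + "&returnTo=" + URLEncoder.encode(returnToURL, SAMLSSOConstants.ENCODING_FORMAT);
            }
        }
        return acsUrl;
    }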

    /**
     * Handles an SP-initiated SSO or SLO request carried in the {@code SAMLRequest} parameter.
     * Valid requests go to the authentication framework; invalid logout requests that the framework can still
     * process are handed over as a framework logout; everything else goes to the notification page.
     * The raw request is only written to the debug log when {@code SAML_Request} token logging is enabled.
     *
     * @param httpServletRequest  incoming request
     * @param httpServletResponse outgoing response
     * @param str                 raw query string
     * @param str2                RelayState parameter
     * @param str3                authentication mode
     * @param str4                raw {@code SAMLRequest} parameter value
     * @param str5                SSO session id from the token cookie, or {@code null}
     * @param z                   {@code true} for the POST binding
     * @throws UserStoreException propagated from validation
     * @throws IdentityException  propagated from validation
     * @throws IOException        on redirect failures
     * @throws ServletException   propagated from the framework hand-off
     */
    private void handleSPInitSSO(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2, String str3, String str4, String str5, boolean z) throws UserStoreException, IdentityException, IOException, ServletException {
        SAMLSSOReqValidationResponseDTO validation = new SAMLSSOService().validateSPInitSSORequest(str4, str, str5, httpServletRequest.getParameter("SSOAuthSessionID"), str3, z, getLoggedInTenantDomain(httpServletRequest));
        setSPAttributeToRequest(httpServletRequest, validation.getIssuer(), SAMLSSOUtil.getTenantDomainFromThreadLocal());
        boolean isLogout = validation.isLogOutReq();
        if (validation.isValid()) {
            if (isLogout) {
                sendToFrameworkForLogout(httpServletRequest, httpServletResponse, validation, str2, str5, false, z);
            } else {
                sendToFrameworkForAuthentication(httpServletRequest, httpServletResponse, validation, str2, z);
            }
            return;
        }
        if (log.isDebugEnabled() && IdentityUtil.isTokenLoggable("SAML_Request")) {
            String prefix = isLogout ? "Invalid SAML SSO Logout Request : " : "Invalid SAML SSO Request : ";
            log.debug(prefix + str4);
        }
        if (isLogout && validation.isLogoutFromAuthFramework()) {
            sendToFrameworkForLogout(httpServletRequest, httpServletResponse, validation, null, str5, true, z);
            return;
        }
        sendNotification(validation.getResponse(), "Error when processing the authentication request!", "Please try login again.", validation.getAssertionConsumerURL(), httpServletRequest, httpServletResponse);
    }

    /**
     * Hands a validated SAML AuthnRequest over to the authentication framework.
     * A snapshot of the request is cached under a freshly generated session data key so the
     * SAML Response can be built when the framework calls back (see
     * handleAuthenticationReponseFromFramework).
     *
     * @param httpServletRequest  incoming request; its query string, parameters and every header are
     *                            copied onto the cached framework request
     * @param httpServletResponse response used to forward to the framework
     * @param sAMLSSOReqValidationResponseDTO validated AuthnRequest
     * @param str                 RelayState sent by the SP (may be null)
     * @param z                   true when the request arrived over the HTTP-POST binding
     */
    private void sendToFrameworkForAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SAMLSSOReqValidationResponseDTO sAMLSSOReqValidationResponseDTO, String str, boolean z) throws ServletException, IOException, UserStoreException, IdentityException {
        SAMLSSOSessionDTO sessionDTO = buildAuthnSessionDTO(httpServletRequest, sAMLSSOReqValidationResponseDTO, str);
        String sessionDataKey = UUIDGenerator.generateUUID();
        addSessionDataToCache(sessionDataKey, sessionDTO);

        AuthenticationRequest frameworkRequest = new AuthenticationRequest();
        frameworkRequest.setRelyingParty(sAMLSSOReqValidationResponseDTO.getIssuer());
        frameworkRequest.setCommonAuthCallerPath(ServiceURLBuilder.create().addPath(new String[]{httpServletRequest.getContextPath()}).build().getRelativeInternalURL());
        frameworkRequest.setTenantDomain(sessionDTO.getTenantDomain());
        frameworkRequest.setPost(z);
        frameworkRequest.setPassiveAuth(sAMLSSOReqValidationResponseDTO.isPassive());
        frameworkRequest.appendRequestQueryParams(httpServletRequest.getParameterMap());
        // Every incoming header is copied verbatim (Cookie / Authorization included, when present);
        // getHeader() yields only the first value of a multi-valued header.
        Enumeration headerNames = httpServletRequest.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String headerName = headerNames.nextElement().toString();
            frameworkRequest.addHeader(headerName, httpServletRequest.getHeader(headerName));
        }
        // ForceAuthn from the AuthnRequest wins; otherwise a "forceAuth=true" query parameter can
        // escalate to a forced re-authentication (it can never downgrade a ForceAuthn request).
        frameworkRequest.setForceAuth(sAMLSSOReqValidationResponseDTO.isForceAuthn() || forceAuthRequestedByQueryParam(frameworkRequest));
        addAuthenticationRequestToRequest(httpServletRequest, new AuthenticationRequestCacheEntry(frameworkRequest));

        // Requested AuthnContextClassRefs and attributes are exposed to the framework as request attributes.
        if (sAMLSSOReqValidationResponseDTO.getAuthenticationContextClassRefList() != null) {
            List acrValues = sAMLSSOReqValidationResponseDTO.getAuthenticationContextClassRefList().stream()
                    .map(acr -> acr.getAuthenticationContextClassReference())
                    .collect(Collectors.toList());
            httpServletRequest.setAttribute(ACR_VALUES_ATTRIBUTE, acrValues);
        }
        httpServletRequest.setAttribute(SAMLSSOConstants.REQUESTED_ATTRIBUTES, sAMLSSOReqValidationResponseDTO.getRequestedAttributes());
        sendRequestToFramework(httpServletRequest, httpServletResponse, sessionDataKey, "samlsso");
    }

    /** Builds the session snapshot that is cached for the duration of the authentication leg. */
    private SAMLSSOSessionDTO buildAuthnSessionDTO(HttpServletRequest httpServletRequest, SAMLSSOReqValidationResponseDTO validated, String relayState) {
        SAMLSSOSessionDTO dto = new SAMLSSOSessionDTO();
        dto.setHttpQueryString(httpServletRequest.getQueryString());
        dto.setRelayState(relayState);
        dto.setTenantDomain(SAMLSSOUtil.getTenantDomainFromThreadLocal());
        dto.setLoggedInTenantDomain(getLoggedInTenantDomain(httpServletRequest));
        dto.setIdPInitSSO(validated.isIdPInitSSO());
        dto.setDestination(validated.getDestination());
        dto.setRequestMessageString(validated.getRequestMessageString());
        dto.setIssuer(validated.getIssuer());
        dto.setIssuerQualifier(validated.getIssuerQualifier());
        dto.setRequestID(validated.getId());
        dto.setSubject(validated.getSubject());
        dto.setRelyingPartySessionId(validated.getRpSessionId());
        dto.setAssertionConsumerURL(validated.getAssertionConsumerURL());
        dto.setAttributeConsumingServiceIndex(validated.getAttributeConsumingServiceIndex());
        dto.setForceAuth(validated.isForceAuthn());
        dto.setPassiveAuth(validated.isPassive());
        dto.setRequestedAttributes(validated.getRequestedAttributes());
        dto.setRequestedAuthnContextComparison(validated.getRequestedAuthnContextComparison());
        dto.setProperties(validated.getProperties());
        dto.setValidationRespDTO(validated);
        addRequestedAuthenticationContextClassReferences(dto, validated);
        return dto;
    }

    /** True when the (already appended) query parameters carry a non-empty "forceAuth" that parses as true. */
    private static boolean forceAuthRequestedByQueryParam(AuthenticationRequest frameworkRequest) {
        String[] values = frameworkRequest.getRequestQueryParam("forceAuth");
        if (values == null) {
            return false;
        }
        String value = values[0].trim();
        return !value.isEmpty() && Boolean.parseBoolean(value);
    }

    /**
     * Copies every AuthnContextClassRef requested by the SP onto the session snapshot.
     * A request without a RequestedAuthnContext leaves the DTO untouched.
     */
    private void addRequestedAuthenticationContextClassReferences(SAMLSSOSessionDTO sAMLSSOSessionDTO, SAMLSSOReqValidationResponseDTO sAMLSSOReqValidationResponseDTO) {
        if (sAMLSSOReqValidationResponseDTO.getAuthenticationContextClassRefList() == null) {
            return;
        }
        sAMLSSOReqValidationResponseDTO.getAuthenticationContextClassRefList()
                .forEach(sAMLSSOSessionDTO::addAuthenticationContextClassRef);
    }

    /**
     * Attaches the framework request to the servlet request under the "authRequest" attribute
     * (presumably read by the authentication framework on the forwarded request).
     */
    private void addAuthenticationRequestToRequest(HttpServletRequest httpServletRequest, AuthenticationRequestCacheEntry authenticationRequestCacheEntry) {
        final String attributeName = "authRequest";
        httpServletRequest.setAttribute(attributeName, authenticationRequestCacheEntry);
    }

    /**
     * Hands a SAML LogoutRequest over to the authentication framework so that the IdP-side
     * session is terminated, caching what is needed to answer the SP afterwards.
     *
     * @param httpServletRequest  incoming logout request (query string, parameters and all headers are copied into the framework request)
     * @param httpServletResponse response; the samlssoTokenId cookie is expired on it before forwarding
     * @param sAMLSSOReqValidationResponseDTO validation outcome of the LogoutRequest, or null when there is nothing valid to relay
     * @param str  RelayState to echo back to the SP (null on the invalid-request path, see caller)
     * @param str2 SSO session identifier resolved by the caller for this browser (presumably the samlssoTokenId cookie value)
     * @param z    true when the LogoutRequest itself was invalid but the framework session should still be cleared
     * @param z2   true when the request arrived over the HTTP-POST binding
     */
    private void sendToFrameworkForLogout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SAMLSSOReqValidationResponseDTO sAMLSSOReqValidationResponseDTO, String str, String str2, boolean z, boolean z2) throws ServletException, IOException, URLBuilderException {
        SAMLSSOSessionDTO sAMLSSOSessionDTO = new SAMLSSOSessionDTO();
        sAMLSSOSessionDTO.setHttpQueryString(httpServletRequest.getQueryString());
        sAMLSSOSessionDTO.setRelayState(str);
        sAMLSSOSessionDTO.setSessionId(str2);
        sAMLSSOSessionDTO.setLogoutReq(true);
        sAMLSSOSessionDTO.setInvalidLogout(z);
        sAMLSSOSessionDTO.setLoggedInTenantDomain(getLoggedInTenantDomain(httpServletRequest));
        Properties properties = new Properties();
        properties.put(SAMLSSOConstants.IS_POST, Boolean.valueOf(z2));
        sAMLSSOSessionDTO.setProperties(properties);
        // Details of the original request are only available when validation produced a DTO.
        if (sAMLSSOReqValidationResponseDTO != null) {
            sAMLSSOSessionDTO.setDestination(sAMLSSOReqValidationResponseDTO.getDestination());
            sAMLSSOSessionDTO.setRequestMessageString(sAMLSSOReqValidationResponseDTO.getRequestMessageString());
            sAMLSSOSessionDTO.setIssuer(sAMLSSOReqValidationResponseDTO.getIssuer());
            sAMLSSOSessionDTO.setRequestID(sAMLSSOReqValidationResponseDTO.getId());
            sAMLSSOSessionDTO.setSubject(sAMLSSOReqValidationResponseDTO.getSubject());
            sAMLSSOSessionDTO.setRelyingPartySessionId(sAMLSSOReqValidationResponseDTO.getRpSessionId());
            sAMLSSOSessionDTO.setAssertionConsumerURL(sAMLSSOReqValidationResponseDTO.getAssertionConsumerURL());
            sAMLSSOSessionDTO.setValidationRespDTO(sAMLSSOReqValidationResponseDTO);
        }
        // Snapshot is cached under a fresh UUID (presumably the "sessionDataKey" seen on the callback).
        String generateUUID = UUIDGenerator.generateUUID();
        addSessionDataToCache(generateUUID, sAMLSSOSessionDTO);
        String relativeInternalURL = ServiceURLBuilder.create().addPath(new String[]{httpServletRequest.getContextPath()}).build().getRelativeInternalURL();
        AuthenticationRequest authenticationRequest = new AuthenticationRequest();
        // Marks the framework request as a logout. NOTE(review): the very next call,
        // setRequestQueryParams(...), may replace the whole parameter map (its semantics are not
        // visible here); if it does, "commonAuthLogout" is dropped before the framework sees it.
        // Confirm against AuthenticationRequest — the statement order here is load-bearing.
        authenticationRequest.addRequestQueryParam("commonAuthLogout", new String[]{"true"});
        authenticationRequest.setRequestQueryParams(httpServletRequest.getParameterMap());
        authenticationRequest.setCommonAuthCallerPath(relativeInternalURL);
        authenticationRequest.setPost(z2);
        authenticationRequest.setTenantDomain(SAMLSSOUtil.getTenantDomainFromThreadLocal());
        if (sAMLSSOReqValidationResponseDTO != null) {
            authenticationRequest.setRelyingParty(sAMLSSOReqValidationResponseDTO.getIssuer());
        }
        // Same parameter map appended a second time; harmless only if append merges rather than duplicates.
        authenticationRequest.appendRequestQueryParams(httpServletRequest.getParameterMap());
        // All request headers are copied verbatim (Cookie / Authorization included, when present).
        Enumeration headerNames = httpServletRequest.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String obj = headerNames.nextElement().toString();
            authenticationRequest.addHeader(obj, httpServletRequest.getHeader(obj));
        }
        addAuthenticationRequestToRequest(httpServletRequest, new AuthenticationRequestCacheEntry(authenticationRequest));
        // Expire the browser's SSO token cookie up front, before the framework round-trip.
        removeTokenIdCookie(httpServletRequest, httpServletResponse, sAMLSSOSessionDTO.getLoggedInTenantDomain());
        sendRequestToFramework(httpServletRequest, httpServletResponse, generateUUID, "samlsso");
    }

    /**
     * HTTP-Artifact binding: redirects the browser to the SP with only an opaque artifact
     * (plus RelayState) in the query string; the SP resolves the real message out of band.
     *
     * @param httpServletResponse response to redirect
     * @param str                 RelayState, or null to omit it
     * @param str2                the SAML artifact
     * @param str3                SP endpoint the browser is sent to
     */
    private void sendArtifact(HttpServletResponse httpServletResponse, String str, String str2, String str3) throws IOException {
        // Keep the artifact-bearing redirect out of any HTTP cache.
        httpServletResponse.addHeader(SAMLSSOConstants.PRAGMA_PARAM_KEY, SAMLSSOConstants.CACHE_CONTROL_VALUE_NO_CACHE);
        httpServletResponse.addHeader(SAMLSSOConstants.CACHE_CONTROL_PARAM_KEY, SAMLSSOConstants.CACHE_CONTROL_VALUE_NO_CACHE);
        String charset = StandardCharsets.UTF_8.name();
        HashMap<String, String> queryParams = new HashMap<>();
        queryParams.put(SAMLSSOConstants.SAML_ART, URLEncoder.encode(str2, charset));
        if (str != null) {
            queryParams.put("RelayState", URLEncoder.encode(str, charset));
        }
        // NOTE(review): values are URL-encoded here; if appendQueryParamsToUrl encodes as well
        // they arrive double-encoded — confirm against FrameworkUtils.
        httpServletResponse.sendRedirect(FrameworkUtils.appendQueryParamsToUrl(str3, queryParams));
    }

    /**
     * Delivers a SAML message to the SP: as a SOAP envelope for ECP clients, otherwise as an
     * auto-submitting HTML form (JSP, configured HTML page, or the built-in template, in that order).
     *
     * @param str  RelayState, or null
     * @param str2 the SAML message to post
     * @param str3 SP endpoint (ACS / SLO URL)
     * @param str4 authenticated subject — currently unused here
     * @param str5 comma-separated authenticated IdPs, or null
     * @param str6 tenant domain, appended to the endpoint when tenant partitioning is enabled
     * @throws IdentityException when no endpoint or no message is available
     */
    private void sendResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2, String str3, String str4, String str5, String str6) throws ServletException, IOException, IdentityException {
        String appName = resolveAppName();
        String targetUrl = getACSUrlWithTenantPartitioning(str3, str6);
        if (targetUrl == null || targetUrl.trim().isEmpty()) {
            log.error("ACS Url is Null");
            throw IdentityException.error("Unexpected error in sending message out");
        }
        if (str2 == null || str2.trim().isEmpty()) {
            log.error("Response message is Null");
            throw IdentityException.error("Unexpected error in sending message out");
        }
        httpServletResponse.setContentType("text/html; charset=UTF-8");
        if (isSAMLECPRequest(httpServletRequest)) {
            generateResponseForECPRequest(httpServletResponse, str2, targetUrl);
            return;
        }
        final String fieldName = "SAMLResponse";
        if (IdentitySAMLSSOServiceComponent.isSAMLSSOResponseJspPageAvailable()) {
            generateSamlPostPageFromJSP(httpServletRequest, httpServletResponse, targetUrl, str2, str, str5, fieldName, appName);
            return;
        }
        String template = IdentitySAMLSSOServiceComponent.isSAMLSSOResponseHtmlPageAvailable()
                ? IdentitySAMLSSOServiceComponent.getSsoRedirectHtml()
                : formPostPageTemplate;
        generateSamlPostPage(template, httpServletResponse, targetUrl, str2, str, str5, fieldName, appName);
    }

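    /**
     * Renders the auto-submitting HTML form that POSTs a SAML message to the SP.
     *
     * @param str  page template with the placeholders {@code $acUrl}, {@code $app},
     *             {@code <!--$params-->} and {@code <!--$additionalParams-->}
     * @param str2 target URL; replaces {@code $acUrl}, and also {@code $app} when no app name is given
     * @param str3 SAML message as it must appear in the form field (any encoding is done by the caller)
     * @param str4 RelayState, or null to omit the field
     * @param str5 comma-separated authenticated IdPs; omitted when null or empty
     * @param str6 name of the form field carrying the message, e.g. "SAMLResponse"
     * @param str7 application display name; replaces {@code $app} when non-blank
     */
    private void generateSamlPostPage(String str, HttpServletResponse httpServletResponse, String str2, String str3, String str4, String str5, String str6, String str7) throws IOException {
        // NOTE(review): $acUrl / $app are substituted raw, so the template must place them where a
        // URL / name is valid; the target URL is assumed to be the SP's registered endpoint,
        // checked during request validation (not visible here).
        String page = str.replace("$acUrl", str2);
        page = page.replace("$app", StringUtils.isNotBlank(str7) ? str7 : str2);
        page = page.replace("<!--$params-->", buildPostPageInputs(str6, str3));
        if (str4 != null) {
            // Relies on buildPostPageInputs leaving a <!--$params--> marker behind for the next input — confirm.
            page = page.replace("<!--$params-->", buildPostPageInputs("RelayState", str4));
        }
        if (str5 != null && !str5.isEmpty()) {
            page = page.replace("<!--$additionalParams-->", "<input type='hidden' name='AuthenticatedIdPs' value='" + Encode.forHtmlAttribute(str5) + "'/>");
        }
        httpServletResponse.getWriter().print(page);
        if (log.isDebugEnabled()) {
            // The rendered page embeds the SAML message (and with it the assertion). Other debug
            // output in this servlet is gated on IdentityUtil.isTokenLoggable(...); rather than dump
            // the message unconditionally, log only where it went.
            log.debug("samlsso_response.html rendered with field " + str6 + " for " + str2);
        }
    }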

    /** Variant without RelayState and without the AuthenticatedIdPs field. */
    private void generateSamlPostPage(String str, HttpServletResponse httpServletResponse, String str2, String str3, String str4, String str5) throws IOException {
        String relayState = null;
        String authenticatedIdPs = null;
        generateSamlPostPage(str, httpServletResponse, str2, str3, relayState, authenticatedIdPs, str4, str5);
    }

    /**
     * Renders the SAML POST form through the authentication endpoint's samlsso_response.jsp,
     * passing every value as a request attribute.
     *
     * @param str  target URL (ACS / SLO endpoint)
     * @param str2 SAML message
     * @param str3 RelayState, or null
     * @param str4 authenticated IdPs, or null
     * @param str5 message type / form field name (e.g. "SAMLResponse")
     * @param str6 application display name
     */
    private void generateSamlPostPageFromJSP(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2, String str3, String str4, String str5, String str6) throws ServletException, IOException {
        httpServletRequest.setAttribute(SAMLSSOConstants.ATTR_NAME_SAML_MESSAGE_TYPE, str5);
        httpServletRequest.setAttribute(SAMLSSOConstants.ATTR_NAME_SAML_MESSAGE, str2);
        httpServletRequest.setAttribute(SAMLSSOConstants.ATTR_NAME_AC_URL, str);
        httpServletRequest.setAttribute(SAMLSSOConstants.ATTR_NAME_RELAY_STATE, str3);
        httpServletRequest.setAttribute(SAMLSSOConstants.ATTR_NAME_AUTHENTICATED_IDPS, str4);
        httpServletRequest.setAttribute(SAMLSSOConstants.ATTR_NAME_SP_NAME, str6);
        // The JSP lives in the separate /authenticationendpoint web app and is include()d here.
        getServletContext().getContext("/authenticationendpoint")
                .getRequestDispatcher("/samlsso_response.jsp")
                .include(httpServletRequest, httpServletResponse);
    }

    /** JSP variant without RelayState and without the AuthenticatedIdPs field. */
    private void generateSamlPostPageFromJSP(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2, String str3, String str4) throws ServletException, IOException {
        String relayState = null;
        String authenticatedIdPs = null;
        generateSamlPostPageFromJSP(httpServletRequest, httpServletResponse, str, str2, relayState, authenticatedIdPs, str3, str4);
    }

    /**
     * Second half of the SSO flow: the authentication framework has called back into this
     * servlet and the outcome is turned into a SAML Response (or an error) for the SP.
     *
     * @param httpServletRequest  callback request; "sessionDataKey", "RelayState" and the ECP flag are read from it
     * @param httpServletResponse response the SAML message / error page is written to
     * @param str                 existing SSO token id (presumably the samlssoTokenId cookie value resolved by the caller), or null
     * @param sAMLSSOSessionDTO   cached snapshot of the original AuthnRequest (see sendToFrameworkForAuthentication)
     * @throws IdentityException when no authentication result exists for the session data key
     */
    private void handleAuthenticationReponseFromFramework(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, SAMLSSOSessionDTO sAMLSSOSessionDTO) throws UserStoreException, IdentityException, IOException, ServletException {
        String sessionDataKey = getSessionDataKey(httpServletRequest);
        // Result is taken from the request attribute first, then from the framework cache.
        AuthenticationResult authenticationResult = getAuthenticationResult(httpServletRequest, sessionDataKey);
        SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO = new SAMLSSOAuthnReqDTO();
        populateAuthnReqDTOWithCachedSessionEntry(sAMLSSOAuthnReqDTO, sAMLSSOSessionDTO);
        populateAuthenticationContextClassRefResult(authenticationResult, sAMLSSOSessionDTO, sAMLSSOAuthnReqDTO);
        String tenantDomain = sAMLSSOAuthnReqDTO.getTenantDomain();
        String issuer = sAMLSSOAuthnReqDTO.getIssuer();
        String id = sAMLSSOAuthnReqDTO.getId();
        String assertionConsumerURL = sAMLSSOAuthnReqDTO.getAssertionConsumerURL();
        // ECP flag is taken verbatim from a request parameter; what authenticate() does with it is not visible here.
        sAMLSSOAuthnReqDTO.setSamlECPEnabled(Boolean.valueOf(httpServletRequest.getParameter(SAMLECPConstants.IS_ECP_REQUEST)).booleanValue());
        SAMLSSOServiceProviderDO serviceProviderConfig = getServiceProviderConfig(sAMLSSOAuthnReqDTO);
        if (serviceProviderConfig != null) {
            populateAuthnReqDTOWithRequiredServiceProviderConfigs(sAMLSSOAuthnReqDTO, serviceProviderConfig);
            // Fall back to the SP's configured ACS URL when the request did not carry one.
            if (assertionConsumerURL == null) {
                assertionConsumerURL = sAMLSSOAuthnReqDTO.getAssertionConsumerURL();
            }
        }
        if (authenticationResult != null && authenticationResult.isAuthenticated()) {
            populateAuthnReqDTOWithAuthenticationResult(sAMLSSOAuthnReqDTO, authenticationResult);
            httpServletRequest.setAttribute(SAMLSSOConstants.AUTHENTICATION_RESULT, authenticationResult);
            // NOTE(review): a RelayState carried on the callback request overrides the one cached
            // from the original AuthnRequest; the cached value is only a fallback.
            String parameter = httpServletRequest.getParameter("RelayState") != null ? httpServletRequest.getParameter("RelayState") : sAMLSSOSessionDTO.getRelayState();
            // Tenant flow is started here; no matching end is visible in this method (assumed to be the caller's job).
            startTenantFlow(sAMLSSOAuthnReqDTO.getTenantDomain());
            // Reuse the token id already bound to the framework session, else mint a new one.
            if (str == null) {
                str = getSamlSSOTokenIdFromSessionContext(authenticationResult, sAMLSSOAuthnReqDTO.getLoggedInTenantDomain());
            }
            SAMLSSORespDTO authenticate = new SAMLSSOService().authenticate(sAMLSSOAuthnReqDTO, str, authenticationResult.isAuthenticated(), authenticationResult.getAuthenticatedAuthenticators(), "usernamePasswordBasedAuthn");
            if (!authenticate.isSessionEstablished()) {
                sendNotification(authenticate.getRespString(), "Error when processing the authentication request!", "Please try login again.", authenticate.getAssertionConsumerURL(), httpServletRequest, httpServletResponse);
                return;
            }
            // Only now, with an SSO session established, is the token id cookie handed to the browser.
            storeTokenIdCookie(str, httpServletRequest, httpServletResponse, sAMLSSOAuthnReqDTO.getTenantDomain(), sAMLSSOSessionDTO.getLoggedInTenantDomain(), (String) authenticationResult.getProperty("sessionId"));
            // Cached request snapshot is dropped on success only; failure paths below leave it to expire.
            removeSessionDataFromCache(httpServletRequest.getParameter("sessionDataKey"));
            if (sAMLSSOAuthnReqDTO.isSAML2ArtifactBindingEnabled()) {
                sendArtifact(httpServletResponse, parameter, authenticate.getRespString(), authenticate.getAssertionConsumerURL());
                return;
            } else {
                sendResponse(httpServletRequest, httpServletResponse, parameter, authenticate.getRespString(), authenticate.getAssertionConsumerURL(), authenticate.getSubject().getAuthenticatedSubjectIdentifier(), authenticationResult.getAuthenticatedIdPs(), sAMLSSOSessionDTO.getTenantDomain());
                return;
            }
        }
        if (log.isDebugEnabled()) {
            if (authenticationResult == null) {
                log.debug("Authentication result data not found for key : " + sessionDataKey);
            } else {
                log.debug("User authentication has failed.");
            }
        }
        // IsPassive requests get a NoPassive status response posted straight to the ACS.
        if (sAMLSSOSessionDTO.getValidationRespDTO().isPassive()) {
            ArrayList arrayList = new ArrayList();
            arrayList.add(SAMLSSOConstants.StatusCodes.NO_PASSIVE);
            arrayList.add(SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR);
            sendResponse(httpServletRequest, httpServletResponse, sAMLSSOSessionDTO.getRelayState(), SAMLSSOUtil.buildErrorResponse(id, arrayList, "Cannot authenticate Subject in Passive Mode", assertionConsumerURL), assertionConsumerURL, sAMLSSOSessionDTO.getValidationRespDTO().getSubject(), null, sAMLSSOSessionDTO.getTenantDomain());
            return;
        }
        // The authenticated case returned above, so effectively only a missing result reaches this throw.
        if (authenticationResult == null || authenticationResult.isAuthenticated()) {
            throw IdentityException.error(IdentityException.class, "Could not find session state information for issuer : " + issuer + " in tenant domain : " + tenantDomain + " for session identifier : " + sessionDataKey);
        }
        // Genuine authentication failure: AuthnFailed status, shown via the notification page.
        ArrayList arrayList2 = new ArrayList();
        arrayList2.add(SAMLSSOConstants.StatusCodes.AUTHN_FAILURE);
        arrayList2.add(SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR);
        sendNotification(SAMLSSOUtil.buildCompressedErrorResponse(id, arrayList2, "User authentication failed", assertionConsumerURL), "Error when processing the authentication request!", "Please try login again.", assertionConsumerURL, httpServletRequest, httpServletResponse);
    }

    /**
     * Returns the SSO token id already bound to the framework session ("samlssoTokenId"
     * session-context property) when one exists; otherwise a freshly generated UUID.
     * The generator is project-supplied; its randomness is not visible here.
     *
     * @param authenticationResult framework result carrying the "sessionId" property and the subject
     * @param str                  tenant domain used to look up the session context
     */
    private String getSamlSSOTokenIdFromSessionContext(AuthenticationResult authenticationResult, String str) {
        String sessionContextId = (String) authenticationResult.getProperty("sessionId");
        if (StringUtils.isBlank(sessionContextId)) {
            if (log.isDebugEnabled()) {
                log.debug("Session context identifier is not found in the authentication result.");
            }
            return UUIDGenerator.generateUUID();
        }
        SessionContext sessionContext = getSessionContext(sessionContextId, str);
        if (sessionContext == null) {
            if (log.isDebugEnabled()) {
                log.debug("Session context is not found for the session identifier: " + sessionContextId);
            }
            return UUIDGenerator.generateUUID();
        }
        if (authenticationResult.getSubject() == null) {
            if (log.isDebugEnabled()) {
                log.debug("Authenticated user attribute is not found in authentication result");
            }
            return UUIDGenerator.generateUUID();
        }
        Object existingTokenId = sessionContext.getProperty("samlssoTokenId");
        return existingTokenId != null ? (String) existingTokenId : UUIDGenerator.generateUUID();
    }

    /**
     * Continues single logout after the framework has cleared the IdP session: either answers
     * the original issuer directly or drives the next front-channel participant.
     *
     * @param sAMLSSOSessionDTO cached logout snapshot (see sendToFrameworkForLogout)
     */
    private void handleLogoutResponseFromFramework(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SAMLSSOSessionDTO sAMLSSOSessionDTO) throws ServletException, IOException, IdentityException {
        SAMLSSOReqValidationResponseDTO validation = sAMLSSOSessionDTO.getValidationRespDTO();
        // Without a validated LogoutRequest there is nothing to relay: answer with a requester error.
        if (validation == null) {
            sendErrorResponseToOriginalIssuer(httpServletRequest, httpServletResponse, sAMLSSOSessionDTO);
            return;
        }
        removeSessionDataFromCache(httpServletRequest.getParameter("sessionDataKey"));
        String sessionIndex = validation.getSessionIndex();
        boolean idpInitiated = validation.isIdPInitSLO();
        String loggedInTenant = sAMLSSOSessionDTO.getLoggedInTenantDomain();
        String originalIssuer = sAMLSSOSessionDTO.getIssuer();
        List<SAMLSSOServiceProviderDO> pending = SAMLSSOUtil.getRemainingSessionParticipantsForSLO(sessionIndex, originalIssuer, idpInitiated, loggedInTenant);
        if (pending.isEmpty()) {
            respondToOriginalIssuer(httpServletRequest, httpServletResponse, sAMLSSOSessionDTO);
            return;
        }
        // SP-initiated SLO carries the original request id (presumably for InResponseTo); IdP-initiated has none.
        String originalRequestId = idpInitiated ? null : validation.getId();
        sendLogoutRequestToSessionParticipant(httpServletRequest, httpServletResponse, pending, originalRequestId, idpInitiated, sAMLSSOSessionDTO.getRelayState(), validation.getReturnToURL(), sessionIndex, originalIssuer, loggedInTenant);
    }

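    /**
     * Records the AuthnContextClassRef the framework actually selected (from the
     * SESSION_AUTH_HISTORY property) on the request DTO, together with an AuthnInstant equal
     * to the session creation time. Nothing is recorded when there is no result or no
     * selected ACR value.
     *
     * @param authenticationResult framework result, may be null
     * @param sAMLSSOSessionDTO    unused; kept for interface compatibility
     * @param sAMLSSOAuthnReqDTO   DTO whose IdP authentication-context properties are extended
     */
    private void populateAuthenticationContextClassRefResult(AuthenticationResult authenticationResult, SAMLSSOSessionDTO sAMLSSOSessionDTO, SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO) {
        SessionAuthHistory authHistory = null;
        if (authenticationResult != null) {
            authHistory = (SessionAuthHistory) authenticationResult.getProperty("SESSION_AUTH_HISTORY");
        }
        if (authHistory == null || authHistory.getSelectedAcrValue() == null) {
            return;
        }
        String selectedAcr = authHistory.getSelectedAcrValue();
        if (log.isDebugEnabled()) {
            log.debug("Found the selected ACR value from the framework as : " + selectedAcr + " , Hence creating the AuthenticationContextProperty");
        }
        List<AuthenticationContextProperty> acrProperties = sAMLSSOAuthnReqDTO.getIdpAuthenticationContextProperties().get(SAMLSSOConstants.AUTHN_CONTEXT_CLASS_REF);
        if (acrProperties == null) {
            acrProperties = new ArrayList<>();
            sAMLSSOAuthnReqDTO.getIdpAuthenticationContextProperties().put(SAMLSSOConstants.AUTHN_CONTEXT_CLASS_REF, acrProperties);
        }
        ArrayList<String> acrValues = new ArrayList<>();
        acrValues.add(selectedAcr);
        // Populate the map BEFORE passing it to the constructor. The previous code filled it
        // afterwards, which only works if the constructor keeps the reference instead of copying;
        // this order is correct either way. (Raw map type kept: the constructor's signature is not visible here.)
        HashMap contextValues = new HashMap();
        contextValues.put(SAMLSSOConstants.AUTHN_CONTEXT_CLASS_REF, acrValues);
        // AuthnInstant reported to the SP is the session creation time, not the time of the latest authentication step.
        contextValues.put(SAMLSSOConstants.AUTHN_INSTANT, authHistory.getSessionCreatedTime());
        if (log.isDebugEnabled()) {
            log.debug("Setting the AuthnInst as session create time : " + authHistory.getSessionCreatedTime());
        }
        acrProperties.add(new AuthenticationContextProperty("IdPEntityId", "IdPEntityId", contextValues));
    }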

    /**
     * Sends a front-channel LogoutRequest to the first participant in {@code list} that has
     * front-channel logout enabled. Participants without it are skipped here, and when none
     * qualifies the method does nothing (how those cases are completed is not visible here).
     *
     * @param list remaining session participants
     * @param str  original LogoutRequest id, or null for IdP-initiated SLO
     * @param z    true for IdP-initiated SLO
     * @param str2 RelayState
     * @param str3 ReturnTo URL of the original request
     * @param str4 session index being logged out
     * @param str5 issuer of the original LogoutRequest
     * @param str6 logged-in tenant domain
     */
    private void sendLogoutRequestToSessionParticipant(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, List<SAMLSSOServiceProviderDO> list, String str, boolean z, String str2, String str3, String str4, String str5, String str6) throws IOException, IdentityException, ServletException {
        SAMLSSOServiceProviderDO nextParticipant = null;
        for (SAMLSSOServiceProviderDO candidate : list) {
            if (candidate.isDoFrontChannelLogout()) {
                nextParticipant = candidate;
                break;
            }
        }
        if (nextParticipant == null) {
            return;
        }
        doFrontChannelSLO(httpServletRequest, httpServletResponse, nextParticipant, str4, str5, str, z, str2, str3, str6);
    }

    /**
     * Final step of single logout: expires the SSO token cookie when the session index is
     * gone, then either redirects to the ReturnTo URL (IdP-initiated SLO) or posts the
     * LogoutResponse to the original issuer.
     */
    private void respondToOriginalIssuer(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SAMLSSOSessionDTO sAMLSSOSessionDTO) throws ServletException, IOException, IdentityException {
        SAMLSSOReqValidationResponseDTO validation = sAMLSSOSessionDTO.getValidationRespDTO();
        String loggedInTenant = sAMLSSOSessionDTO.getLoggedInTenantDomain();
        boolean sessionGone = SSOSessionPersistenceManager.getSessionIndexFromCache(sAMLSSOSessionDTO.getSessionId(), loggedInTenant) == null;
        if (sessionGone) {
            removeTokenIdCookie(httpServletRequest, httpServletResponse, loggedInTenant);
        }
        if (!validation.isIdPInitSLO()) {
            sendResponse(httpServletRequest, httpServletResponse, sAMLSSOSessionDTO.getRelayState(), validation.getLogoutResponse(), validation.getAssertionConsumerURL(), validation.getSubject(), null, sAMLSSOSessionDTO.getTenantDomain());
            return;
        }
        // NOTE(review): the ReturnTo URL is redirected to as-is; it is assumed to have been checked
        // against the SP configuration during request validation (not visible here).
        httpServletResponse.sendRedirect(validation.getReturnToURL());
    }

    /**
     * Answers a logout that could not be processed with a Requester error. The destination is
     * the cached ACS URL, else the SP's configured SLO response URL, else its default ACS URL.
     * Note the SP lookup uses the thread-local tenant rather than the DTO's tenant domain.
     */
    private void sendErrorResponseToOriginalIssuer(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SAMLSSOSessionDTO sAMLSSOSessionDTO) throws IOException, IdentityException, ServletException {
        String destination = sAMLSSOSessionDTO.getAssertionConsumerURL();
        if (StringUtils.isBlank(destination) && sAMLSSOSessionDTO.getIssuer() != null) {
            SAMLSSOServiceProviderDO spConfig = SAMLSSOUtil.getSPConfig(SAMLSSOUtil.getTenantDomainFromThreadLocal(), sAMLSSOSessionDTO.getIssuer());
            if (spConfig != null) {
                destination = spConfig.getSloResponseURL();
                if (StringUtils.isBlank(destination)) {
                    destination = spConfig.getDefaultAssertionConsumerUrl();
                }
            }
        }
        String errorResponse = SAMLSSOUtil.buildErrorResponse(SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, "Invalid request", destination);
        sendNotification(errorResponse, "Not a valid SAML 2.0 Request Message!", "The message was not recognized by the SAML 2.0 SSO Provider. Please check the logs for more details", destination, httpServletRequest, httpServletResponse);
    }

    /**
     * Returns the first "samlssoTokenId" cookie on the request, or null when the request
     * carries none. (With tenanted sessions the browser may hold more than one; only the
     * first in header order is returned.)
     */
    private Cookie getTokenIdCookie(HttpServletRequest httpServletRequest) {
        Cookie[] presented = httpServletRequest.getCookies();
        if (presented != null) {
            for (Cookie candidate : presented) {
                if (StringUtils.equals(candidate.getName(), "samlssoTokenId")) {
                    return candidate;
                }
            }
        }
        return null;
    }

    /**
     * Issues the "samlssoTokenId" cookie: Secure, HttpOnly and SameSite=None (the SAML
     * POST/redirect flows are cross-site), scoped to the tenant path when tenanted sessions
     * are on and the id carries the tenant-qualified suffix. It is a session cookie unless the
     * framework session is a remember-me session, in which case Max-Age is the remember-me timeout.
     *
     * @param str  the token id (cookie value)
     * @param str2 tenant domain of the request, used for the path when no logged-in tenant is known
     * @param str3 logged-in tenant domain (preferred for the path and the remember-me lookup)
     * @param str4 framework session id used to find the session context
     */
    private void storeTokenIdCookie(String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str2, String str3, String str4) {
        ServletCookie tokenCookie = new ServletCookie("samlssoTokenId", str);
        IdentityCookieConfig cookieConfig = IdentityUtil.getIdentityCookieConfig("samlssoTokenId");
        Integer maxAge = null;
        SessionContext sessionContext = getSessionContext(str4, str3);
        if (sessionContext != null && sessionContext.isRememberMe()) {
            maxAge = Integer.valueOf(IdPManagementUtil.getRememberMeTimeout(str3));
        }
        boolean tenantQualified = IdentityTenantUtil.isTenantedSessionsEnabled() && str.endsWith(SAMLSSOConstants.TENANT_QUALIFIED_TOKEN_ID_COOKIE_SUFFIX);
        String cookiePath;
        if (!tenantQualified) {
            cookiePath = SAMLSSOConstants.COOKIE_ROOT_PATH;
        } else if (str3 != null) {
            cookiePath = "/t/" + str3 + SAMLSSOConstants.COOKIE_ROOT_PATH;
        } else {
            cookiePath = "/t/" + str2 + SAMLSSOConstants.COOKIE_ROOT_PATH;
        }
        tokenCookie.setSecure(true);
        tokenCookie.setHttpOnly(true);
        tokenCookie.setPath(cookiePath);
        tokenCookie.setSameSite(SameSiteCookie.NONE);
        if (maxAge != null) {
            tokenCookie.setMaxAge(maxAge.intValue());
        }
        // Deployment-level cookie configuration is applied last and may override the attributes above.
        if (cookieConfig != null) {
            updateSAMLSSOIdCookieConfig(tokenCookie, cookieConfig, maxAge, tenantQualified);
        }
        httpServletResponse.addCookie(tokenCookie);
    }

    /**
     * Legacy entry point: expires the SSO token cookie using the tenant from the thread-local
     * context instead of an explicit tenant domain.
     *
     * @deprecated use {@link #removeTokenIdCookie(HttpServletRequest, HttpServletResponse, String)}
     */
    @Deprecated
    public void removeTokenIdCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String tenantDomain = SAMLSSOUtil.getTenantDomainFromThreadLocal();
        removeTokenIdCookie(httpServletRequest, httpServletResponse, tenantDomain);
    }

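    /**
     * Expires every "samlssoTokenId" cookie presented on the request by echoing it back with
     * Max-Age=0 and the path it was issued under.
     * <p>
     * A browser can hold two variants of this cookie at once — one under the root path and one
     * under the tenant path ({@code /t/<tenant>/...}) — and a deletion only affects the variant
     * whose path matches. The previous implementation returned after the first match, which
     * could leave the other variant (a still-usable SSO token id) behind after logout; this
     * version clears all of them.
     *
     * @param httpServletRequest  request whose cookies are inspected
     * @param httpServletResponse response that receives the expiring cookie(s)
     * @param str                 tenant domain used to build the tenant-qualified cookie path
     */
    public void removeTokenIdCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return;
        }
        IdentityCookieConfig identityCookieConfig = IdentityUtil.getIdentityCookieConfig("samlssoTokenId");
        for (Cookie cookie : cookies) {
            if (!StringUtils.equals(cookie.getName(), "samlssoTokenId")) {
                continue;
            }
            String value = cookie.getValue();
            ServletCookie expiring = new ServletCookie("samlssoTokenId", value);
            expiring.setHttpOnly(true);
            expiring.setSecure(true);
            // Tenant-qualified ids were issued under the tenant path; the deletion must use the same path.
            boolean tenantQualified = IdentityTenantUtil.isTenantedSessionsEnabled() && value != null && value.endsWith(SAMLSSOConstants.TENANT_QUALIFIED_TOKEN_ID_COOKIE_SUFFIX);
            expiring.setPath(tenantQualified ? "/t/" + str + SAMLSSOConstants.COOKIE_ROOT_PATH : SAMLSSOConstants.COOKIE_ROOT_PATH);
            // SameSite=None (with Secure) so the deletion is honoured on the cross-site SAML flows.
            expiring.setSameSite(SameSiteCookie.NONE);
            if (identityCookieConfig != null) {
                updateSAMLSSOIdCookieConfig(expiring, identityCookieConfig, Integer.valueOf(0), tenantQualified);
            }
            expiring.setMaxAge(0);
            if (log.isDebugEnabled()) {
                log.debug("SSO tokenId Cookie is removed");
            }
            httpServletResponse.addCookie(expiring);
        }
    }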

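    /**
     * Appends {@code tenantDomain=<tenant>} to the ACS URL when tenant partitioning
     * ("SSOService.TenantPartitioningEnabled") is on and a tenant is known.
     * <p>
     * Fixes over the previous version: the separator is {@code &} when the ACS URL already has a
     * query string (a second {@code ?} would corrupt it), the tenant value is URL-encoded, and a
     * null/blank ACS URL is returned unchanged instead of becoming the literal
     * {@code "null?tenantDomain=..."}, so the caller's blank check still fires.
     *
     * @param str  ACS URL, may be null
     * @param str2 tenant domain, may be null
     * @return the ACS URL, with the tenant parameter when applicable
     */
    private String getACSUrlWithTenantPartitioning(String str, String str2) {
        if (StringUtils.isBlank(str) || str2 == null || !"true".equals(IdentityUtil.getProperty("SSOService.TenantPartitioningEnabled"))) {
            return str;
        }
        String encodedTenant;
        try {
            encodedTenant = URLEncoder.encode(str2, StandardCharsets.UTF_8.name());
        } catch (IOException e) {
            // UTF-8 is mandatory on every JVM; this branch is unreachable in practice.
            throw new IllegalStateException("UTF-8 encoding unavailable", e);
        }
        String separator = str.indexOf('?') >= 0 ? "&" : "?";
        return str + separator + "tenantDomain=" + encodedTenant;
    }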

    /** Caches the session snapshot under the given session data key. */
    private void addSessionDataToCache(String str, SAMLSSOSessionDTO sAMLSSOSessionDTO) {
        SessionDataCacheEntry entry = new SessionDataCacheEntry();
        entry.setSessionDTO(sAMLSSOSessionDTO);
        SessionDataCache.getInstance().addToCache(new SessionDataCacheKey(str), entry);
    }

    /** Looks up the cached session snapshot for a session data key; null when there is none. */
    private SAMLSSOSessionDTO getSessionDataFromCache(String str) {
        SessionDataCacheEntry entry = SessionDataCache.getInstance().getValueFromCache(new SessionDataCacheKey(str));
        return entry == null ? null : entry.getSessionDTO();
    }

    /**
     * Evicts the session entry cached under {@code str}; a {@code null} key is ignored.
     *
     * @param str the session data key, may be {@code null}.
     */
    private void removeSessionDataFromCache(String str) {
        if (str == null) {
            return;
        }
        SessionDataCacheKey key = new SessionDataCacheKey(str);
        SessionDataCache.getInstance().clearCacheEntry(key);
    }

    /**
     * Resolves the authentication result for the current request, preferring the request attribute
     * and falling back to the framework cache keyed by {@code str}.
     *
     * @param httpServletRequest the request that may carry the result as an attribute.
     * @param str                the session data key used for the cache lookup.
     * @return the authentication result, or {@code null} when neither source has one.
     */
    private AuthenticationResult getAuthenticationResult(HttpServletRequest httpServletRequest, String str) {
        AuthenticationResult fromRequest = getAuthenticationResultFromRequest(httpServletRequest);
        if (fromRequest != null) {
            return fromRequest;
        }
        return getAuthenticationResultFromCache(str);
    }

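    /**
     * Reads the authentication result from the framework cache.
     *
     * @param str the session data key used for the cache lookup.
     * @return the cached result, or {@code null} (after logging an error) when no entry exists.
     */
    private AuthenticationResult getAuthenticationResultFromCache(String str) {
        AuthenticationResultCacheEntry entry = FrameworkUtils.getAuthenticationResultFromCache(str);
        if (entry == null) {
            log.error("Cannot find AuthenticationResult from the cache");
            return null;
        }
        return entry.getResult();
    }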

    /**
     * Returns the authentication result stored on the request under the {@code authResult}
     * attribute, or {@code null} when the attribute is absent.
     *
     * @param httpServletRequest the current request.
     * @return the attribute value cast to {@link AuthenticationResult}.
     */
    private AuthenticationResult getAuthenticationResultFromRequest(HttpServletRequest httpServletRequest) {
        Object attribute = httpServletRequest.getAttribute("authResult");
        return (AuthenticationResult) attribute;
    }

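    /**
     * Removes the authentication result from both the framework cache and the request attribute.
     *
     * @param httpServletRequest the request carrying the {@code authResult} attribute.
     * @param str                the session data key of the cached result.
     */
    private void removeAuthenticationResult(HttpServletRequest httpServletRequest, String str) {
        FrameworkUtils.removeAuthenticationResultFromCache(str);
        // Delegate so the attribute name is owned by a single method.
        removeAuthenticationResultFromRequest(httpServletRequest);
    }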

    /**
     * Drops the {@code authResult} attribute from the request.
     *
     * @param httpServletRequest the current request.
     */
    private void removeAuthenticationResultFromRequest(HttpServletRequest httpServletRequest) {
        final String attributeName = "authResult";
        httpServletRequest.removeAttribute(attributeName);
    }

    /**
     * Starts a Carbon tenant flow on the current thread for the given tenant domain.
     * <p>
     * A {@code null}, blank or literal {@code "null"} domain is mapped to the super tenant
     * ({@code carbon.super}, id {@code -1234}). The caller is responsible for ending the flow.
     *
     * @param str the tenant domain, may be {@code null} or blank.
     * @throws IdentityException when the domain is unknown (tenant id {@code -1}) or the tenant
     *                           manager cannot resolve it.
     */
    private void startTenantFlow(String str) throws IdentityException {
        String tenantDomain = str;
        int tenantId = -1234;
        boolean superTenant = tenantDomain == null
                || tenantDomain.trim().isEmpty()
                || "null".equalsIgnoreCase(tenantDomain.trim());
        if (superTenant) {
            tenantDomain = "carbon.super";
        } else {
            try {
                tenantId = SAMLSSOUtil.getRealmService().getTenantManager().getTenantId(tenantDomain);
            } catch (UserStoreException e) {
                String message = "Error occurred while getting tenant ID from tenantDomain " + tenantDomain;
                log.error(message, e);
                throw IdentityException.error(message, e);
            }
            // -1 is the tenant manager's "no such tenant" answer.
            if (tenantId == -1) {
                String message = "Invalid Tenant Domain : " + tenantDomain;
                if (log.isDebugEnabled()) {
                    log.debug(message);
                }
                throw IdentityException.error(message);
            }
        }
        PrivilegedCarbonContext.startTenantFlow();
        PrivilegedCarbonContext carbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
        carbonContext.setTenantId(tenantId);
        carbonContext.setTenantDomain(tenantDomain);
    }

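    /**
     * Collects every known SAML query parameter from the request into an array of DTOs.
     * Parameters that are absent from the request yield a DTO with a {@code null} value.
     *
     * @param httpServletRequest the request to read parameters from.
     * @return one DTO per {@link SAMLSSOConstants.QueryParameter}, in declaration order.
     */
    private QueryParamDTO[] getQueryParams(HttpServletRequest httpServletRequest) {
        SAMLSSOConstants.QueryParameter[] names = SAMLSSOConstants.QueryParameter.values();
        List<QueryParamDTO> params = new ArrayList<>(names.length);
        for (SAMLSSOConstants.QueryParameter name : names) {
            String key = name.toString();
            params.add(new QueryParamDTO(key, httpServletRequest.getParameter(key)));
        }
        return params.toArray(new QueryParamDTO[0]);
    }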

    /**
     * Hands the request to the authentication framework and routes the outcome: when the flow
     * status is missing or not {@code INCOMPLETE}, processing returns to {@link #doGet}; when the
     * flow is still incomplete, the framework's buffered redirect or content is replayed.
     *
     * @param httpServletRequest  the current request.
     * @param httpServletResponse the response the framework output is written to.
     * @throws ServletException propagated from the framework or {@link #doGet}.
     * @throws IOException      propagated from writing the response.
     */
    private void sendRequestToFramework(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        CommonAuthenticationHandler handler = new CommonAuthenticationHandler();
        CommonAuthResponseWrapper responseWrapper = new CommonAuthResponseWrapper(httpServletResponse);
        handler.doGet(httpServletRequest, responseWrapper);
        Object flowStatus = httpServletRequest.getAttribute("authenticatorFlowStatus");
        if (flowStatus == null) {
            httpServletRequest.setAttribute("authenticatorFlowStatus", AuthenticatorFlowStatus.UNKNOWN);
            doGet(httpServletRequest, httpServletResponse);
            return;
        }
        if (AuthenticatorFlowStatus.INCOMPLETE != (AuthenticatorFlowStatus) flowStatus) {
            doGet(httpServletRequest, httpServletResponse);
            return;
        }
        // Flow still incomplete: replay whatever the framework buffered.
        if (responseWrapper.isRedirect()) {
            httpServletResponse.sendRedirect(responseWrapper.getRedirectURL());
        } else if (responseWrapper.getContent().length > 0) {
            responseWrapper.write();
        }
    }

    /**
     * Hands a wrapped request (with {@code sessionDataKey} and {@code type} parameters injected)
     * to the authentication framework and routes the outcome the same way as the two-argument
     * overload: back to {@link #doGet} unless the flow is {@code INCOMPLETE}, in which case the
     * framework's buffered redirect or content is replayed.
     *
     * @param httpServletRequest  the original request; the flow status is read from it.
     * @param httpServletResponse the response the framework output is written to.
     * @param str                 value for the {@code sessionDataKey} parameter.
     * @param str2                value for the {@code type} parameter.
     * @throws ServletException propagated from the framework or {@link #doGet}.
     * @throws IOException      propagated from writing the response.
     */
    private void sendRequestToFramework(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2) throws ServletException, IOException {
        CommonAuthenticationHandler handler = new CommonAuthenticationHandler();
        CommonAuthRequestWrapper requestWrapper = new CommonAuthRequestWrapper(httpServletRequest);
        requestWrapper.setParameter("sessionDataKey", str);
        requestWrapper.setParameter("type", str2);
        CommonAuthResponseWrapper responseWrapper = new CommonAuthResponseWrapper(httpServletResponse);
        handler.doGet(requestWrapper, responseWrapper);
        // The status is read from the unwrapped request, as in the original; the wrapper is
        // presumably a pass-through for attributes — TODO confirm.
        Object flowStatus = httpServletRequest.getAttribute("authenticatorFlowStatus");
        if (flowStatus == null) {
            requestWrapper.setAttribute("authenticatorFlowStatus", AuthenticatorFlowStatus.UNKNOWN);
            doGet(requestWrapper, httpServletResponse);
            return;
        }
        if (AuthenticatorFlowStatus.INCOMPLETE != (AuthenticatorFlowStatus) flowStatus) {
            doGet(requestWrapper, httpServletResponse);
            return;
        }
        if (responseWrapper.isRedirect()) {
            httpServletResponse.sendRedirect(responseWrapper.getRedirectURL());
        } else if (responseWrapper.getContent().length > 0) {
            responseWrapper.write();
        }
    }

    /**
     * Applies the configured cookie attributes to the SAML SSO id cookie.
     * <p>
     * Only attributes present in {@code identityCookieConfig} are applied, except {@code HttpOnly}
     * and {@code Secure}, which are always copied from the configuration.
     *
     * @param servletCookie        the cookie to update.
     * @param identityCookieConfig the configured attribute values.
     * @param maxAge               max age in seconds to set, or {@code null} to leave it untouched.
     * @param tenantQualifiedPath  {@code true} when the caller already set a tenant-qualified path
     *                             that must not be overridden by the configured path.
     */
    private void updateSAMLSSOIdCookieConfig(ServletCookie servletCookie, IdentityCookieConfig identityCookieConfig, Integer maxAge, boolean tenantQualifiedPath) {
        String domain = identityCookieConfig.getDomain();
        if (domain != null) {
            servletCookie.setDomain(domain);
        }
        String path = identityCookieConfig.getPath();
        if (!tenantQualifiedPath && path != null) {
            servletCookie.setPath(path);
        }
        String comment = identityCookieConfig.getComment();
        if (comment != null) {
            servletCookie.setComment(comment);
        }
        if (identityCookieConfig.getVersion() > 0) {
            servletCookie.setVersion(identityCookieConfig.getVersion());
        }
        if (identityCookieConfig.getSameSite() != null) {
            servletCookie.setSameSite(identityCookieConfig.getSameSite());
        }
        if (maxAge != null) {
            servletCookie.setMaxAge(maxAge.intValue());
        }
        servletCookie.setHttpOnly(identityCookieConfig.isHttpOnly());
        servletCookie.setSecure(identityCookieConfig.isSecure());
    }

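    /**
     * Resolves the SAML service provider configuration for the issuer in {@code sAMLSSOAuthnReqDTO}.
     * <p>
     * The in-memory (SaaS) registry is consulted first; on a miss the persistence manager is
     * queried inside a tenant flow for the request's tenant domain (super tenant when blank).
     * {@code stratosDeployment} is set to {@code true} for a SaaS hit and {@code false} otherwise.
     *
     * @param sAMLSSOAuthnReqDTO the request DTO supplying issuer and tenant domain; updated in place.
     * @return the resolved provider, or {@code null} when the persistence manager has none.
     * @throws IdentityException wrapping any failure while resolving the tenant or the provider.
     */
    private SAMLSSOServiceProviderDO getServiceProviderConfig(SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO) throws IdentityException {
        String issuer = sAMLSSOAuthnReqDTO.getIssuer();
        String tenantDomain = sAMLSSOAuthnReqDTO.getTenantDomain();
        try {
            SAMLSSOServiceProviderDO serviceProvider = SSOServiceProviderConfigManager.getInstance().getServiceProvider(issuer);
            if (serviceProvider != null) {
                sAMLSSOAuthnReqDTO.setStratosDeployment(true);
                return serviceProvider;
            }
            if (log.isDebugEnabled()) {
                log.debug("No SaaS SAML service providers found for the issuer : " + issuer + ". Checking for SAML service providers registered in tenant domain : " + tenantDomain);
            }
            int tenantId;
            if (StringUtils.isBlank(tenantDomain)) {
                tenantDomain = "carbon.super";
                tenantId = -1234;
            } else {
                try {
                    tenantId = SAMLSSOUtil.getRealmService().getTenantManager().getTenantId(tenantDomain);
                } catch (UserStoreException e) {
                    throw new IdentitySAML2SSOException("Error occurred while retrieving tenant id for the tenant domain : " + tenantDomain, (Throwable) e);
                }
            }
            try {
                PrivilegedCarbonContext.startTenantFlow();
                PrivilegedCarbonContext carbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
                carbonContext.setTenantId(tenantId);
                carbonContext.setTenantDomain(tenantDomain);
                serviceProvider = IdentityPersistenceManager.getPersistanceManager().getServiceProvider(carbonContext.getRegistry(RegistryType.SYSTEM_CONFIGURATION), issuer);
                sAMLSSOAuthnReqDTO.setStratosDeployment(false);
            } catch (IdentityException e) {
                throw new IdentitySAML2SSOException("Error occurred while retrieving SAML service provider for issuer : " + issuer + " in tenant domain : " + tenantDomain, (Throwable) e);
            } finally {
                // Always unwind the tenant flow, whether the lookup succeeded or threw.
                PrivilegedCarbonContext.endTenantFlow();
            }
            return serviceProvider;
        } catch (Exception e) {
            throw IdentityException.error(IdentityException.class, "Error while reading service provider configurations for issuer : " + issuer + " in tenant domain : " + tenantDomain, e);
        }
    }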

    /**
     * Copies the request-related fields of a cached session DTO onto the authentication request
     * DTO. The issuer has any appended tenant domain stripped; the attribute-consuming service
     * index is copied only when it is at least {@code 1}.
     *
     * @param sAMLSSOAuthnReqDTO the target request DTO, updated in place.
     * @param sAMLSSOSessionDTO  the cached session state to copy from.
     */
    private void populateAuthnReqDTOWithCachedSessionEntry(SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO, SAMLSSOSessionDTO sAMLSSOSessionDTO) {
        final SAMLSSOAuthnReqDTO target = sAMLSSOAuthnReqDTO;
        final SAMLSSOSessionDTO source = sAMLSSOSessionDTO;
        target.setAssertionConsumerURL(source.getAssertionConsumerURL());
        target.setId(source.getRequestID());
        target.setIssuer(SAMLSSOUtil.splitAppendedTenantDomain(source.getIssuer()));
        target.setIssuerQualifier(source.getIssuerQualifier());
        target.setSubject(source.getSubject());
        target.setRpSessionId(source.getRelyingPartySessionId());
        target.setRequestMessageString(source.getRequestMessageString());
        target.setQueryString(source.getHttpQueryString());
        target.setDestination(source.getDestination());
        target.setIdPInitSSOEnabled(source.isIdPInitSSO());
        target.setTenantDomain(source.getTenantDomain());
        target.setIdPInitSLOEnabled(source.isIdPInitSLO());
        int acsIndex = source.getAttributeConsumingServiceIndex();
        if (acsIndex >= 1) {
            target.setAttributeConsumingServiceIndex(acsIndex);
        }
        target.setAuthenticationContextClassRefList(source.getAuthenticationContextClassRefList());
        target.setRequestedAttributes(source.getRequestedAttributes());
        target.setRequestedAuthnContextComparison(source.getRequestedAuthnContextComparison());
        target.setProperties(source.getProperties());
        target.setLoggedInTenantDomain(source.getLoggedInTenantDomain());
    }

    /**
     * Fills in the service-provider-derived fields of the request DTO: the default ACS URL (only
     * when the request did not name one), the certificate alias, and the signature-validation flag.
     *
     * @param sAMLSSOAuthnReqDTO       the request DTO, updated in place.
     * @param sAMLSSOServiceProviderDO the registered service provider configuration.
     */
    private void populateAuthnReqDTOWithRequiredServiceProviderConfigs(SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO, SAMLSSOServiceProviderDO sAMLSSOServiceProviderDO) {
        boolean acsMissing = StringUtils.isBlank(sAMLSSOAuthnReqDTO.getAssertionConsumerURL());
        if (acsMissing) {
            sAMLSSOAuthnReqDTO.setAssertionConsumerURL(sAMLSSOServiceProviderDO.getDefaultAssertionConsumerUrl());
        }
        sAMLSSOAuthnReqDTO.setCertAlias(sAMLSSOServiceProviderDO.getCertAlias());
        sAMLSSOAuthnReqDTO.setDoValidateSignatureInRequests(sAMLSSOServiceProviderDO.isDoValidateSignatureInRequests());
    }

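    /**
     * Transfers the outcome of authentication onto the request DTO: subject, claim mapping,
     * pass-through {@code AuthnContextClassRef} properties, creation timestamp and IdP session id.
     * Also records the SaaS flag and the user's tenant domain in {@link SAMLSSOUtil} thread-locals.
     *
     * @param sAMLSSOAuthnReqDTO   the request DTO, updated in place.
     * @param authenticationResult the framework's authentication result.
     * @throws UserStoreException declared for callers; not thrown directly by this body.
     * @throws IdentityException  declared for callers; not thrown directly by this body.
     */
    private void populateAuthnReqDTOWithAuthenticationResult(SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO, AuthenticationResult authenticationResult) throws UserStoreException, IdentityException {
        sAMLSSOAuthnReqDTO.setUser(authenticationResult.getSubject());
        sAMLSSOAuthnReqDTO.setClaimMapping(authenticationResult.getClaimMapping());
        // Read each property once rather than re-querying the result on every use.
        Object contextProperties = authenticationResult.getProperty("AUTHENTICATION_CONTEXT_PROPERTIES");
        if (contextProperties != null) {
            for (Object element : (List<?>) contextProperties) {
                AuthenticationContextProperty property = (AuthenticationContextProperty) element;
                if (SAMLSSOConstants.AUTHN_CONTEXT_CLASS_REF.equals(property.getPassThroughDataType())) {
                    sAMLSSOAuthnReqDTO.addIdpAuthenticationContextProperty(SAMLSSOConstants.AUTHN_CONTEXT_CLASS_REF, property);
                }
            }
        }
        Object createdTimestamp = authenticationResult.getProperty("CreatedTimestamp");
        if (createdTimestamp instanceof Long) {
            sAMLSSOAuthnReqDTO.setCreatedTimeStamp(((Long) createdTimestamp).longValue());
        }
        sAMLSSOAuthnReqDTO.setIdpSessionIdentifier((String) authenticationResult.getProperty("sessionId"));
        SAMLSSOUtil.setIsSaaSApplication(authenticationResult.isSaaSApp());
        SAMLSSOUtil.setUserTenantDomain(authenticationResult.getSubject().getTenantDomain());
    }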

    /**
     * Resolves the service provider name for the given issuer and exposes it, together with the
     * tenant domain, as request attributes for downstream pages. A blank issuer is a no-op; a
     * lookup failure is logged and otherwise ignored.
     *
     * @param httpServletRequest the request to decorate.
     * @param str                the issuer, possibly with an appended tenant domain.
     * @param str2               the tenant domain used for the lookup.
     */
    private void setSPAttributeToRequest(HttpServletRequest httpServletRequest, String str, String str2) {
        if (StringUtils.isBlank(str)) {
            return;
        }
        try {
            String issuer = SAMLSSOUtil.splitAppendedTenantDomain(str);
            String spName = ApplicationManagementService.getInstance().getServiceProviderNameByClientId(issuer, "samlsso", str2);
            httpServletRequest.setAttribute(REQUEST_PARAM_SP, spName);
            httpServletRequest.setAttribute("tenantDomain", str2);
        } catch (IdentityApplicationManagementException e) {
            log.error("Error while getting Service provider name for issuer:" + str + " in tenant: " + str2, e);
        }
    }

    /**
     * Builds a front-channel logout request for one session participant, records it in the
     * participant store, and delivers it via HTTP-POST or HTTP-Redirect according to the
     * provider's configured front-channel logout binding.
     *
     * @param httpServletRequest       the current request.
     * @param httpServletResponse      the response used to deliver the logout request.
     * @param sAMLSSOServiceProviderDO the participant's provider configuration.
     * @param str                      session identifier passed to the session-info lookup and the
     *                                 logout request builder — exact meaning to be confirmed.
     * @param str2                     key used to pick the subject from the session info (presumably
     *                                 the issuer) — to be confirmed.
     * @param str3                     forwarded to the participant store (first slot).
     * @param z                        forwarded to the participant store.
     * @param str4                     forwarded to the participant store.
     * @param str5                     forwarded to the participant store.
     * @param str6                     forwarded to the session-info lookup (second slot).
     * @throws IdentityException propagated from building or signing the logout request.
     * @throws IOException       propagated from writing the response.
     * @throws ServletException  propagated from rendering the POST page.
     */
    private void doFrontChannelSLO(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SAMLSSOServiceProviderDO sAMLSSOServiceProviderDO, String str, String str2, String str3, boolean z, String str4, String str5, String str6) throws IdentityException, IOException, ServletException {
        LogoutRequest logoutRequest = SAMLSSOUtil.buildLogoutRequest(sAMLSSOServiceProviderDO, SAMLSSOUtil.getSessionInfoData(str, str6).getSubject(str2), str);
        storeFrontChannelSLOParticipantInfo(sAMLSSOServiceProviderDO, str2, logoutRequest, str3, str, z, str4, str5);
        boolean postBinding = SAMLSSOProviderConstants.HTTP_POST_BINDING.equals(sAMLSSOServiceProviderDO.getFrontChannelLogoutBinding());
        if (postBinding) {
            sendPostRequest(httpServletRequest, httpServletResponse, sAMLSSOServiceProviderDO, logoutRequest);
            return;
        }
        httpServletResponse.sendRedirect(createHttpQueryStringForRedirect(logoutRequest, sAMLSSOServiceProviderDO));
    }

    /**
     * Signs the logout request with the provider's signing and digest algorithms, then renders the
     * auto-submitting POST page targeting the request's destination.
     *
     * @param httpServletRequest       the current request.
     * @param httpServletResponse      the response the POST page is written to.
     * @param sAMLSSOServiceProviderDO supplies the signing and digest algorithm URIs.
     * @param logoutRequest            the unsigned logout request.
     * @throws IdentityException propagated from signing, marshalling or encoding.
     * @throws IOException       propagated from writing the page.
     * @throws ServletException  propagated from rendering the page.
     */
    private void sendPostRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SAMLSSOServiceProviderDO sAMLSSOServiceProviderDO, LogoutRequest logoutRequest) throws IdentityException, IOException, ServletException {
        LogoutRequest signedRequest = SAMLSSOUtil.setSignature(
                logoutRequest,
                sAMLSSOServiceProviderDO.getSigningAlgorithmUri(),
                sAMLSSOServiceProviderDO.getDigestAlgorithmUri(),
                new SignKeyDataHolder(null));
        String destination = signedRequest.getDestination();
        String encodedRequest = SAMLSSOUtil.encode(SAMLSSOUtil.marshall(signedRequest));
        printPostPage(httpServletRequest, httpServletResponse, destination, encodedRequest, resolveAppName());
    }

    /**
     * Writes the auto-submitting HTML form carrying a {@code SAMLRequest} parameter, choosing the
     * JSP page, the configured HTML page, or the built-in template, in that order of preference.
     *
     * @param httpServletRequest  the current request (needed for JSP forwarding).
     * @param httpServletResponse the response the page is written to.
     * @param str                 the form action (destination URL).
     * @param str2                the encoded SAML request placed in the hidden field.
     * @param str3                the application name shown on the page, may be {@code null}.
     * @throws IOException      propagated from writing the page.
     * @throws ServletException propagated from JSP rendering.
     */
    private void printPostPage(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2, String str3) throws IOException, ServletException {
        final String parameterName = "SAMLRequest";
        httpServletResponse.setContentType("text/html; charset=" + StandardCharsets.UTF_8.name());
        if (IdentitySAMLSSOServiceComponent.isSAMLSSOResponseJspPageAvailable()) {
            generateSamlPostPageFromJSP(httpServletRequest, httpServletResponse, str, str2, parameterName, str3);
            return;
        }
        if (IdentitySAMLSSOServiceComponent.isSAMLSSOResponseHtmlPageAvailable()) {
            generateSamlPostPage(IdentitySAMLSSOServiceComponent.getSsoRedirectHtml(), httpServletResponse, str, str2, parameterName, str3);
            return;
        }
        generateSamlPostPage(formPostPageTemplate, httpServletResponse, str, str2, parameterName, str3);
    }

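    /**
     * Renders one hidden form input (preceded by the {@code <!--$params-->} marker) for the POST
     * page template. Both the field name and the value are HTML-attribute-encoded because both
     * land inside single-quoted attributes.
     *
     * @param str  the input's name.
     * @param str2 the input's value.
     * @return the marker comment followed by the {@code <input>} element.
     */
    private String buildPostPageInputs(String str, String str2) {
        return "<!--$params-->\n"
                + "<input type='hidden' name='" + Encode.forHtmlAttribute(str)
                + "' value='" + Encode.forHtmlAttribute(str2) + "'/>";
    }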

    /**
     * Records a front-channel SLO participant in the participant store, keyed by the logout
     * request id so the later logout response can be correlated.
     *
     * @param sAMLSSOServiceProviderDO the participant's provider (its issuer is stored).
     * @param str                      second constructor slot of the participant info — to be confirmed.
     * @param logoutRequest            the logout request whose id becomes the cache key.
     * @param str2                     first constructor slot of the participant info.
     * @param str3                     fourth constructor slot of the participant info.
     * @param z                        fifth constructor slot of the participant info.
     * @param str4                     sixth constructor slot of the participant info.
     * @param str5                     seventh constructor slot of the participant info.
     */
    private void storeFrontChannelSLOParticipantInfo(SAMLSSOServiceProviderDO sAMLSSOServiceProviderDO, String str, LogoutRequest logoutRequest, String str2, String str3, boolean z, String str4, String str5) {
        FrontChannelSLOParticipantInfo participant = new FrontChannelSLOParticipantInfo(str2, str, sAMLSSOServiceProviderDO.getIssuer(), str3, z, str4, str5);
        String requestId = logoutRequest.getID();
        FrontChannelSLOParticipantStore.getInstance().addToCache(requestId, participant);
    }

    /**
     * Looks up a front-channel SLO participant by logout request id.
     *
     * @param str the logout request id used as the cache key.
     * @return the stored participant info, or whatever the store returns for a miss.
     */
    private FrontChannelSLOParticipantInfo getFrontChannelSLOParticipantInfo(String str) {
        FrontChannelSLOParticipantStore store = FrontChannelSLOParticipantStore.getInstance();
        return store.getValueFromCache(str);
    }

    /**
     * Evicts a front-channel SLO participant entry by logout request id.
     *
     * @param str the logout request id used as the cache key.
     */
    private void removeFrontChannelSLOParticipantInfo(String str) {
        FrontChannelSLOParticipantStore store = FrontChannelSLOParticipantStore.getInstance();
        store.clearCacheEntry(str);
    }

    /**
     * Builds the HTTP-Redirect binding URL for a logout request: the marshalled request (XML
     * declaration stripped) is deflated, URL-encoded as {@code SAMLRequest}, followed by
     * {@code SigAlg} and the signature computed over the query string with the tenant's credential.
     *
     * @param logoutRequest            the logout request to send.
     * @param sAMLSSOServiceProviderDO supplies the signing algorithm and tenant domain (super
     *                                 tenant when empty).
     * @return the destination URL with the signed query string appended.
     * @throws IdentityException when compression fails or marshalling/signing fails.
     */
    private String createHttpQueryStringForRedirect(LogoutRequest logoutRequest, SAMLSSOServiceProviderDO sAMLSSOServiceProviderDO) throws IdentityException {
        String requestXml = SAMLSSOUtil.marshall(logoutRequest).replaceAll(SAMLSSOConstants.XML_TAG_REGEX, "").trim();
        String sigAlg = sAMLSSOServiceProviderDO.getSigningAlgorithmUri();
        String tenantDomain = sAMLSSOServiceProviderDO.getTenantDomain();
        if (StringUtils.isEmpty(tenantDomain)) {
            tenantDomain = "carbon.super";
        }
        String charset = StandardCharsets.UTF_8.name();
        try {
            StringBuilder query = new StringBuilder();
            query.append("SAMLRequest=").append(URLEncoder.encode(SAMLSSOUtil.compressResponse(requestXml), charset));
            query.append("&SigAlg=").append(URLEncoder.encode(sigAlg, charset));
            SAMLSSOUtil.addSignatureToHTTPQueryString(query, sigAlg, new X509CredentialImpl(tenantDomain));
            return FrameworkUtils.appendQueryParamsStringToUrl(logoutRequest.getDestination(), query.toString());
        } catch (IOException e) {
            throw new IdentityException("Error in compressing the SAML request message.", e);
        }
    }

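    /**
     * Checks that the {@code Destination} of the authentication request is one of the tenant's
     * configured destinations. An exact string match is tried first; if that fails, the scheme's
     * default port is made explicit ({@code :443} for https, {@code :80} for http) and the check is
     * repeated. On failure a SAML requester-error response is sent via {@link #handleInvalidRequest}.
     *
     * @param sAMLSSOAuthnReqDTO  the request DTO supplying destination, issuer and tenant domain.
     * @param httpServletRequest  the current request (forwarded to the error handler).
     * @param httpServletResponse the current response (forwarded to the error handler).
     * @return {@code true} when the destination is allowed, {@code false} after the error has been sent.
     * @throws ServletException  propagated from the error handler.
     * @throws IdentityException propagated from the destination lookup or the error handler.
     * @throws IOException       propagated from the error handler.
     */
    protected boolean isDestinationUrlValid(SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IdentityException, IOException {
        String tenantDomain = sAMLSSOAuthnReqDTO.getTenantDomain();
        String issuer = sAMLSSOAuthnReqDTO.getIssuer();
        List<String> allowedDestinations = SAMLSSOUtil.getDestinationFromTenantDomain(tenantDomain);
        String destination = sAMLSSOAuthnReqDTO.getDestination();
        if (!allowedDestinations.contains(destination)) {
            // Retry with the default port spelled out so "https://host/p" matches "https://host:443/p".
            destination = withExplicitDefaultPort(destination);
        }
        if (!allowedDestinations.contains(destination)) {
            handleInvalidRequest("Destination validation for authentication request failed. Received: " + destination + ". Expected one in the list: [" + StringUtils.join(allowedDestinations, ',') + "]", sAMLSSOAuthnReqDTO, httpServletRequest, httpServletResponse);
            return false;
        }
        if (log.isDebugEnabled()) {
            log.debug("Successfully validated destination of the authentication request of issuer :" + issuer + " in tenant domain : " + tenantDomain);
        }
        return true;
    }

    /**
     * Returns {@code destination} with the scheme's default port made explicit when no port is
     * given; any other input (explicit port, unknown scheme, unparseable URL) is returned unchanged.
     *
     * @param destination the destination URL as received, may be {@code null}.
     * @return the normalised URL string, or the input when no normalisation applies.
     */
    private String withExplicitDefaultPort(String destination) {
        try {
            URL url = new URL(destination);
            if (url.getPort() != -1) {
                return destination;
            }
            if ("https".equals(url.getProtocol())) {
                return new URL(url.getProtocol(), url.getHost(), DEFAULT_HTTPS_PORT, url.getFile()).toString();
            }
            if (HTTP_SCHEME.equals(url.getProtocol())) {
                return new URL(url.getProtocol(), url.getHost(), DEFAULT_HTTP_PORT, url.getFile()).toString();
            }
            return destination;
        } catch (MalformedURLException e) {
            // Not a well-formed URL: leave it as-is so the allow-list check rejects it and the
            // rejection message shows exactly what was received.
            if (log.isDebugEnabled()) {
                log.debug("Destination is not a well-formed URL, skipping default-port normalisation: " + destination, e);
            }
            return destination;
        }
    }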

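    /**
     * Logs a warning and answers the service provider with a compressed SAML error response
     * carrying the {@code Requester} status code, rendered through the notification page.
     *
     * @param str                 the reason, used both as the log message and the SAML status message.
     * @param sAMLSSOAuthnReqDTO  supplies the request id (for {@code InResponseTo}) and the ACS URL.
     * @param httpServletRequest  the current request.
     * @param httpServletResponse the response the notification is written to.
     * @throws IOException       propagated from writing the response.
     * @throws IdentityException propagated from building the error response.
     * @throws ServletException  propagated from rendering the notification.
     */
    private void handleInvalidRequest(String str, SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, IdentityException, ServletException {
        log.warn(str);
        List<String> statusCodes = new ArrayList<>();
        statusCodes.add(SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR);
        String acsUrl = sAMLSSOAuthnReqDTO.getAssertionConsumerURL();
        sendNotification(
                SAMLSSOUtil.buildCompressedErrorResponse(sAMLSSOAuthnReqDTO.getId(), statusCodes, str, acsUrl),
                "Error when processing the authentication request!",
                "Please try login again.",
                acsUrl,
                httpServletRequest,
                httpServletResponse);
    }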

    /**
     * Determines the tenant domain of the logged-in session. With tenanted sessions enabled, the
     * {@code t} request parameter wins and the context tenant domain is the fallback; otherwise the
     * thread-local tenant domain is used.
     *
     * @param httpServletRequest the request that may carry a {@code t} parameter.
     * @return the resolved tenant domain.
     */
    private String getLoggedInTenantDomain(HttpServletRequest httpServletRequest) {
        if (IdentityTenantUtil.isTenantedSessionsEnabled()) {
            String tenantParam = httpServletRequest.getParameter("t");
            if (StringUtils.isBlank(tenantParam)) {
                return IdentityTenantUtil.getTenantDomainFromContext();
            }
            return tenantParam;
        }
        return SAMLSSOUtil.getTenantDomainFromThreadLocal();
    }

    /**
     * Resolves the display name of the service provider for the issuer and tenant domain held in
     * {@link SAMLSSOUtil}'s thread-locals.
     *
     * @return the application name, or {@code null} when either thread-local is blank or the
     *         lookup fails (the failure is logged).
     */
    private String resolveAppName() {
        String tenantDomain = SAMLSSOUtil.getTenantDomainFromThreadLocal();
        String issuerWithQualifier = SAMLSSOUtil.getIssuerWithQualifierInThreadLocal();
        boolean resolvable = StringUtils.isNotBlank(issuerWithQualifier) && StringUtils.isNotBlank(tenantDomain);
        if (!resolvable) {
            return null;
        }
        try {
            String issuer = SAMLSSOUtil.splitAppendedTenantDomain(issuerWithQualifier);
            return ApplicationManagementService.getInstance().getServiceProviderNameByClientId(issuer, "samlsso", tenantDomain);
        } catch (IdentityApplicationManagementException e) {
            log.error("Error while getting service provider name for issuer:" + issuerWithQualifier + " in tenant: " + tenantDomain, e);
            return null;
        }
    }

    /**
     * Reports whether {@code httpServletRequest} is a SAML ECP (Enhanced Client or Proxy) request.
     * <p>
     * NOTE(review): as written this unconditionally returns {@code false} and never inspects the
     * request, so any ECP-specific branch guarded by it is unreachable. Confirm against the
     * upstream source whether this is intentional (ECP disabled) or an artefact of how this
     * listing was produced.
     *
     * @param httpServletRequest the request to classify (currently unused).
     * @return always {@code false}.
     */
    private boolean isSAMLECPRequest(HttpServletRequest httpServletRequest) {
        return false;
    }

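    /**
     * Writes a base64-decoded SAML response to the client wrapped in an ECP SOAP envelope.
     * On a SOAP/transform failure a server-side SOAP fault is sent instead and the error logged.
     *
     * @param httpServletResponse the response to write to.
     * @param str                 the base64-encoded SAML response XML.
     * @param str2                second argument to the SOAP message builder (presumably the ACS
     *                            URL used for the ECP response header) — to be confirmed.
     * @throws IOException propagated from obtaining the writer or sending the fault.
     */
    private void generateResponseForECPRequest(HttpServletResponse httpServletResponse, String str, String str2) throws IOException {
        // Content type and headers must be set before getWriter(): per the Servlet API,
        // setContentType() no longer affects the character encoding once the writer exists.
        httpServletResponse.setContentType("text/xml");
        httpServletResponse.setHeader(SAMLSSOConstants.CACHE_CONTROL_PARAM_KEY, "no-store, no-cache, must-revalidate, private");
        PrintWriter writer = httpServletResponse.getWriter();
        try {
            // Decode explicitly as UTF-8 rather than the platform default charset.
            String samlResponse = new String(Base64.getDecoder().decode(str), StandardCharsets.UTF_8);
            String soapMessage = SAMLSOAPUtils.createSOAPMessage(samlResponse.replace("<?xml version=\"1.0\" encoding=\"UTF-8\"?>", ""), str2);
            if (log.isDebugEnabled()) {
                // Debug output contains the full SAML response (assertion included).
                log.debug(soapMessage);
            }
            writer.print(soapMessage);
        } catch (TransformerException | SOAPException e) {
            SAMLSOAPUtils.sendSOAPFault(httpServletResponse, e.getMessage(), SAMLECPConstants.FaultCodes.SOAP_FAULT_CODE_SERVER);
            log.error("Error Generating the SOAP Response", e);
        }
    }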

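    /**
     * Writes a SAML error response to an ECP client wrapped in a SOAP envelope. A decode failure
     * yields a client-side SOAP fault; a SOAP/transform failure yields a server-side fault. Both
     * are logged.
     *
     * @param httpServletResponse the response to write to.
     * @param str                 the encoded SAML error response, decoded via {@link SAMLSSOUtil#decode}.
     * @param str2                second argument to the SOAP message builder — to be confirmed.
     * @throws IOException propagated from obtaining the writer or sending the fault.
     */
    private void sendNotificationForECPRequest(HttpServletResponse httpServletResponse, String str, String str2) throws IOException {
        // Mirror generateResponseForECPRequest: declare the XML content type and forbid caching
        // before the writer is obtained, since the body is a SOAP envelope carrying SAML.
        httpServletResponse.setContentType("text/xml");
        httpServletResponse.setHeader(SAMLSSOConstants.CACHE_CONTROL_PARAM_KEY, "no-store, no-cache, must-revalidate, private");
        PrintWriter writer = httpServletResponse.getWriter();
        try {
            String samlResponse = SAMLSSOUtil.decode(str).replace("<?xml version=\"1.0\" encoding=\"UTF-8\"?>", "");
            String soapMessage = SAMLSOAPUtils.createSOAPMessage(samlResponse, str2);
            if (log.isDebugEnabled()) {
                log.debug(soapMessage);
            }
            writer.print(soapMessage);
        } catch (IdentityException e) {
            SAMLSOAPUtils.sendSOAPFault(httpServletResponse, e.getMessage(), SAMLECPConstants.FaultCodes.SOAP_FAULT_CODE_CLIENT);
            log.error("Error when decoding the error response.", e);
        } catch (SOAPException | TransformerException e) {
            SAMLSOAPUtils.sendSOAPFault(httpServletResponse, e.getMessage(), SAMLECPConstants.FaultCodes.SOAP_FAULT_CODE_SERVER);
            log.error("Error Generating the SOAP Response", e);
        }
    }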

    /**
     * Fetches the framework session context for the given session identifier and login tenant
     * domain; either value being blank short-circuits to {@code null}.
     *
     * @param str  the session context key.
     * @param str2 the login tenant domain.
     * @return the cached session context, or {@code null} when an input is blank or no entry exists.
     */
    private SessionContext getSessionContext(String str, String str2) {
        boolean inputsPresent = StringUtils.isNotBlank(str) && StringUtils.isNotBlank(str2);
        if (!inputsPresent) {
            return null;
        }
        return FrameworkUtils.getSessionContextFromCache(str, str2);
    }
}
