package org.wso2.carbon.identity.provider.openid.handlers;

import java.io.IOException;
import java.io.PrintWriter;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Enumeration;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.openid4java.message.DirectError;
import org.openid4java.message.ParameterList;
import org.wso2.carbon.identity.application.authentication.framework.cache.AuthenticationRequestCacheEntry;
import org.wso2.carbon.identity.application.authentication.framework.cache.AuthenticationResultCache;
import org.wso2.carbon.identity.application.authentication.framework.cache.AuthenticationResultCacheEntry;
import org.wso2.carbon.identity.application.authentication.framework.cache.AuthenticationResultCacheKey;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationRequest;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationResult;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.common.model.ClaimMapping;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.provider.OpenIDProviderService;
import org.wso2.carbon.identity.provider.dto.OpenIDAuthRequestDTO;
import org.wso2.carbon.identity.provider.dto.OpenIDAuthResponseDTO;
import org.wso2.carbon.identity.provider.openid.OpenIDConstants;
import org.wso2.carbon.identity.provider.openid.client.OpenIDAdminClient;
import org.wso2.carbon.identity.provider.openid.util.OpenIDUtil;
import org.wso2.carbon.registry.core.utils.UUIDGenerator;

/* loaded from: input_file:org/wso2/carbon/identity/provider/openid/handlers/OpenIDHandler.class */
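/**
 * Front controller for the OpenID provider endpoint.
 *
 * <p>Dispatches an incoming servlet request to one of the OpenID flows (association,
 * checkid_setup / checkid_immediate, check_authentication), to the single-logout handler,
 * or to the post-login / approval handling that the login page triggers via the
 * {@code sessionDataKey} parameter. Direct (non-redirect) OpenID responses are written
 * straight to the servlet response body; redirect flows return the target URL to the caller.
 *
 * <p>Thread-safety: the singleton is created under a class-level lock; the handler itself keeps
 * only configuration state ({@code opAddress}, {@code frontEndUrl}) and is shared across requests.
 */
public class OpenIDHandler {
    private static final String TRUE = "true";
    private static final String NULL = "null";
    // Request, session and attribute names shared with the login page, the approval page and the
    // authentication framework. The literal values are part of the wire/session contract.
    private static final String SESSION_DATA_KEY = "sessionDataKey";
    private static final String NON_LOGIN_ATTRIBUTE = "nonlogin";
    private static final String ACTION_ATTRIBUTE = "_action";
    private static final String ACTION_AUTHENTICATED = "authenticated";
    private static final String OPENID_ATTRIBUTE = "openId";
    private static final String USER_NAME_ATTRIBUTE = "userName";
    private static final String OPENID_PATH_SUFFIX = "/openid/";
    private static final String OPENID_SERVER_DISPATCH_PATH = "../../openidserver";
    // Sent to the relying party when an unexpected exception occurs, instead of the exception text.
    private static final String GENERIC_ERROR_MESSAGE = "Error while processing the OpenID request";
    private static final Log log = LogFactory.getLog(OpenIDHandler.class);
    private static OpenIDHandler provider;
    private String frontEndUrl;
    private final String opAddress;
    private OpenIDProviderService openIDProviderService = new OpenIDProviderService();

    /**
     * Creates the handler for the given OpenID provider address.
     *
     * @param opAddress the OP endpoint address exposed through {@link #getOpAddress()}
     */
    private OpenIDHandler(String opAddress) {
        this.opAddress = opAddress;
    }

    /**
     * Returns the process-wide handler, creating it on first use.
     *
     * <p>Synchronized so that concurrent first calls cannot create two instances. Note that only the
     * first caller's {@code str} is used; later calls return the existing instance regardless of the
     * argument.
     *
     * @param str the OP address used when the singleton is first created
     * @return the shared handler
     */
    public static synchronized OpenIDHandler getInstance(String str) {
        if (provider == null) {
            provider = new OpenIDHandler(str);
        }
        return provider;
    }

    /**
     * Sets the URL of the authentication (login) page.
     *
     * @param str the login page URL
     */
    public void setFrontEndUrl(String str) {
        this.frontEndUrl = str;
        if (log.isDebugEnabled()) {
            log.debug("Authentication page set to :" + this.frontEndUrl);
        }
    }

    /**
     * @return the OP endpoint address this handler was created with
     */
    public String getOpAddress() {
        return this.opAddress;
    }

    /**
     * Entry point for every request hitting the OpenID provider endpoint.
     *
     * <p>Returns a URL when the caller has to redirect the browser (single logout, login page,
     * checkid response), or {@code null} when the response has already been written to
     * {@code httpServletResponse} (direct responses, forwards).
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response to write direct responses to
     * @return a redirect URL, or {@code null} if the response was already written
     * @throws IdentityException if the post-login handling fails or the direct response cannot be written
     */
    public String processRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IdentityException {
        if (httpServletRequest.getParameter(OpenIDConstants.RequestParameter.LOGOU_URL) != null) {
            return handleSingleLogout(httpServletRequest, httpServletResponse);
        }
        // A request carrying sessionDataKey comes back from the login page, unless this request was
        // forwarded internally (the "nonlogin" attribute is set by handleRequestFromLoginPage).
        if (httpServletRequest.getAttribute(NON_LOGIN_ATTRIBUTE) == null
                && httpServletRequest.getParameter(SESSION_DATA_KEY) != null) {
            handleRequestFromLoginPage(httpServletRequest, httpServletResponse);
            return null;
        }
        String approvedAlways = httpServletRequest.getParameter("hasApprovedAlways");
        if (approvedAlways != null) {
            HttpSession session = httpServletRequest.getSession();
            session.setAttribute(OpenIDConstants.SessionAttribute.USER_APPROVED_ALWAYS, approvedAlways);
            session.setAttribute(OpenIDConstants.SessionAttribute.USER_APPROVED, TRUE);
        }

        String responseText;
        try {
            OpenIDAdminClient adminClient = OpenIDUtil.getOpenIDAdminClient(httpServletRequest.getSession());
            ParameterList parameterList = getParameterList(httpServletRequest);
            if (parameterList == null) {
                // Answer exactly once here. Previously the mode lookup wrote an error response itself
                // and this method then wrote a second one onto the already closed output stream.
                if (log.isDebugEnabled()) {
                    log.debug("Invalid OpenID message :" + httpServletRequest.getQueryString());
                }
                responseText = getErrorResponseText("Invalid OpenID message");
            } else {
                String mode = getOpenIDMessageMode(parameterList);
                if (OpenIDConstants.ASSOCIATE.equals(mode)) {
                    responseText = adminClient.getOpenIDAssociationResponse(OpenIDUtil.getOpenIDAuthRequest(httpServletRequest));
                    if (log.isDebugEnabled()) {
                        log.debug("Association created successfully");
                    }
                } else if (OpenIDConstants.CHECKID_SETUP.equals(mode) || OpenIDConstants.CHECKID_IMMEDIATE.equals(mode)) {
                    return checkSetupOrImmediate(httpServletRequest, httpServletResponse, parameterList, adminClient);
                } else if (OpenIDConstants.CHECK_AUTHENTICATION.equals(mode)) {
                    responseText = adminClient.verify(OpenIDUtil.getOpenIDAuthRequest(httpServletRequest));
                    if (log.isDebugEnabled()) {
                        log.debug("Authentication verified successfully");
                    }
                } else {
                    responseText = getErrorResponseText("Not a valid OpenID request");
                    if (log.isDebugEnabled()) {
                        log.debug("No valid MODE found : " + httpServletRequest.getQueryString());
                    }
                }
            }
        } catch (IdentityException e) {
            // Domain errors carry messages meant for the relying party (e.g. a missing openid.identity).
            if (log.isDebugEnabled()) {
                log.debug("OpenID request rejected", e);
            }
            responseText = getErrorResponseText(e.getMessage());
        } catch (Exception e) {
            // Unexpected failures: keep the stack trace server-side and do not echo internal
            // exception text to the remote party.
            log.error("Unexpected error while processing OpenID request", e);
            responseText = getErrorResponseText(GENERIC_ERROR_MESSAGE);
        }

        try {
            directResponse(httpServletResponse, responseText);
            return null;
        } catch (IOException e) {
            log.error("Writing the OpenID direct response failed", e);
            throw new IdentityException("OpenID redirect reponse failed", e);
        }
    }

    /**
     * Reads the {@code openid.mode} value from a non-null parameter list.
     *
     * @param parameterList the parsed OpenID message
     * @return the mode, or {@code null} if the message carries none
     */
    private String getOpenIDMessageMode(ParameterList parameterList) {
        String mode = parameterList.hasParameter(OpenIDConstants.ATTR_MODE)
                ? parameterList.getParameterValue(OpenIDConstants.ATTR_MODE)
                : null;
        if (log.isDebugEnabled()) {
            log.debug("OpenID authentication mode :" + mode);
        }
        return mode;
    }

    /**
     * Returns the OpenID message for this request.
     *
     * <p>After the user has authenticated or cancelled, the original message is taken from the
     * session (stored by {@link #checkSetupOrImmediate}); otherwise it is built from the request
     * parameters.
     *
     * @param httpServletRequest the incoming request
     * @return the parameter list, or {@code null} if the session holds none in the post-login state
     */
    private ParameterList getParameterList(HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession();
        Object action = session.getAttribute(ACTION_ATTRIBUTE);
        boolean postLogin = ACTION_AUTHENTICATED.equals(action) || OpenIDConstants.CANCEL.equals(action);
        if (postLogin) {
            return (ParameterList) session.getAttribute(OpenIDConstants.PARAM_LIST);
        }
        return new ParameterList(httpServletRequest.getParameterMap());
    }

    /**
     * Clears the authenticated OpenID from the session, expires the OpenID token cookie and returns
     * the logout URL the caller should redirect to.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response the expired cookie is added to
     * @return the value of the logout URL request parameter
     */
    private String handleSingleLogout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        HttpSession session = httpServletRequest.getSession();
        log.info("OpenID Single Logout for " + session.getAttribute(OpenIDConstants.SessionAttribute.AUTHENTICATED_OPENID));
        session.setAttribute(OpenIDConstants.SessionAttribute.AUTHENTICATED_OPENID, (Object) null);
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                if (cookie.getName().equalsIgnoreCase(OpenIDConstants.Cookie.OPENID_TOKEN)) {
                    // NOTE(review): no path is set on the expired cookie; a browser only drops it when the
                    // path matches the one it was issued with — confirm against OpenIDUtil.deleteCookie,
                    // which is called with "/" elsewhere in this class.
                    cookie.setMaxAge(0);
                    httpServletResponse.addCookie(cookie);
                    break;
                }
            }
        }
        // NOTE(review): the logout URL is a request parameter returned verbatim for the caller to
        // redirect to; unless the caller validates it against an allow-list this is an open redirect.
        return httpServletRequest.getParameter(OpenIDConstants.RequestParameter.LOGOU_URL);
    }

    /**
     * Handles {@code checkid_setup} and {@code checkid_immediate}.
     *
     * <p>If the user has authenticated and approved the relying party, the RP info is updated and an
     * authentication response is obtained from the admin client. If the user cancelled, a negative
     * response is obtained. Otherwise the message is parked in the session and the login page URL
     * is returned.
     *
     * @return the URL to redirect to, or {@code null} if the admin client produced no response
     * @throws IdentityException if {@code openid.identity} is missing
     * @throws Exception         propagated from the admin client and URL building
     */
    private String checkSetupOrImmediate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
                                         ParameterList parameterList, OpenIDAdminClient openIDAdminClient) throws Exception {
        HttpSession session = httpServletRequest.getSession();
        String openId = parameterList.getParameterValue(OpenIDConstants.ATTR_IDENTITY);
        if (openId == null) {
            throw new IdentityException("Required attribute openid.identity is missing");
        }
        // A bare "…/openid/" identity means identifier select; use the OpenID resolved at login time.
        if (openId.endsWith(OPENID_PATH_SUFFIX)) {
            String sessionOpenId = (String) session.getAttribute(OPENID_ATTRIBUTE);
            if (sessionOpenId != null && !"".equals(sessionOpenId.trim())) {
                openId = sessionOpenId;
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("Authentication check for user " + openId);
        }

        boolean authenticated = false;
        String profileName = null;
        boolean actionAuthenticated = ACTION_AUTHENTICATED.equals(session.getAttribute(ACTION_ATTRIBUTE));
        boolean userApproved = TRUE.equals(session.getAttribute(OpenIDConstants.SessionAttribute.USER_APPROVED));
        if (actionAuthenticated && userApproved) {
            // Read the selected profile before the session attributes are cleared; it used to be
            // read after PROFILE was removed, so the default profile was always selected.
            profileName = (String) session.getAttribute(OpenIDConstants.SessionAttribute.PROFILE);
            if (profileName == null) {
                profileName = OpenIDConstants.SessionAttribute.DEFAULT_PROFILE;
            }
            session.removeAttribute(OpenIDConstants.SessionAttribute.USER_APPROVED);
            session.removeAttribute(ACTION_ATTRIBUTE);
            session.removeAttribute(OpenIDConstants.SessionAttribute.PROFILE);
            authenticated = true;
            if (log.isDebugEnabled()) {
                log.debug("Authenticated and user confirmed :" + openId);
                log.debug("Selected profile : " + profileName);
            }
            updateRPInfo(openId, profileName, parameterList, openIDAdminClient, session);
        }

        if (OpenIDConstants.CANCEL.equals(session.getAttribute(ACTION_ATTRIBUTE))) {
            if (log.isDebugEnabled()) {
                log.debug("User cancelled :" + openId);
            }
            authenticated = false;
        } else if (!authenticated) {
            if (log.isDebugEnabled()) {
                log.debug(openId + " not authenticated. Redirecting for authentication");
            }
            session.setAttribute(OpenIDConstants.PARAM_LIST, parameterList);
            return getLoginPageUrl(openId, httpServletRequest, parameterList);
        }

        OpenIDAuthRequestDTO authRequest = new OpenIDAuthRequestDTO();
        if (TRUE.equals(session.getAttribute("phishingResistanceAuthentication"))) {
            authRequest.setPhishiingResistanceAuthRequest(true);
            session.removeAttribute("phishingResistanceAuthentication");
        }
        if (TRUE.equals(session.getAttribute("multifactorlogin"))) {
            authRequest.setMultiFactorAuthRequested(true);
            session.removeAttribute("multifactorlogin");
        }
        authRequest.setParams(OpenIDUtil.getOpenIDAuthRequest(parameterList));
        authRequest.setOpLocalId(openId);
        authRequest.setUserSelectedClaimedId(openId);
        authRequest.setAuthenticated(authenticated);
        authRequest.setOpenID(openId);
        authRequest.setProfileName(profileName);

        String authenticatedIdPsQuery = "";
        Object cachedResult = session.getAttribute(OpenIDConstants.AUTHENTICATION_RESULT);
        if (cachedResult instanceof AuthenticationResult) {
            AuthenticationResult authenticationResult = (AuthenticationResult) cachedResult;
            if (authenticationResult.getSubject() != null) {
                authRequest.setResponseClaims(authenticationResult.getSubject().getUserAttributes());
            }
            String authenticatedIdPs = authenticationResult.getAuthenticatedIdPs();
            if (authenticatedIdPs != null && !authenticatedIdPs.isEmpty()) {
                authenticatedIdPsQuery = "&AuthenticatedIdPs=" + URLEncoder.encode(authenticatedIdPs, StandardCharsets.UTF_8.name());
            }
        }
        session.removeAttribute(OPENID_ATTRIBUTE);

        OpenIDAuthResponseDTO authResponse = openIDAdminClient.getOpenIDAuthResponse(authRequest);
        if (authResponse == null) {
            return null;
        }
        return authResponse.getDestinationUrl() + authenticatedIdPsQuery;
    }

    /**
     * Records the user's approval decision for the relying party, unless approval bypass is enabled.
     *
     * @param openId        the authenticated OpenID
     * @param profileName   the profile the user selected
     * @param parameterList the OpenID message (source of {@code openid.return_to})
     * @param client        the admin client
     * @param session       the session holding the "approve always" flag
     * @throws Exception propagated from the admin client
     */
    private void updateRPInfo(String openId, String profileName, ParameterList parameterList,
                              OpenIDAdminClient client, HttpSession session) throws Exception {
        if (client.isOpenIDUserApprovalBypassEnabled()) {
            return;
        }
        boolean approvedAlways = Boolean.parseBoolean(
                (String) session.getAttribute(OpenIDConstants.SessionAttribute.USER_APPROVED_ALWAYS));
        client.updateOpenIDUserRPInfo(parameterList.getParameterValue(OpenIDConstants.ATTR_RETURN_TO),
                approvedAlways, profileName, openId);
    }

    /**
     * Registers an {@link AuthenticationRequest} with the authentication framework and returns the
     * commonauth URL the browser must be sent to.
     *
     * <p>The request query parameters and headers are copied into the cached framework request;
     * {@code forceAuth} is set when the claimed ID differs from the OpenID already authenticated
     * in this session.
     *
     * @param openId             the claimed OpenID
     * @param httpServletRequest the incoming request
     * @param parameterList      the OpenID message
     * @return the login redirect URL
     * @throws IdentityException propagated from the framework
     * @throws IOException       propagated from URL encoding
     */
    private String getLoginPageUrl(String openId, HttpServletRequest httpServletRequest, ParameterList parameterList)
            throws IdentityException, IOException {
        HttpSession session = httpServletRequest.getSession();
        session.setAttribute(OPENID_ATTRIBUTE, openId);
        String commonAuthUrl = OpenIDUtil.getAdminConsoleURL(httpServletRequest).replace("carbon/", "commonauth");
        String callerPath = URLEncoder.encode("/openidserver", StandardCharsets.UTF_8.name());
        String sessionDataKey = UUIDGenerator.generateUUID();

        AuthenticationRequest authenticationRequest = new AuthenticationRequest();
        authenticationRequest.setRelyingParty(getRelyingParty(httpServletRequest));
        authenticationRequest.setCommonAuthCallerPath(callerPath);
        String identity = parameterList.getParameterValue(OpenIDConstants.ATTR_IDENTITY);
        if (identity != null) {
            authenticationRequest.addRequestQueryParam("username", new String[]{OpenIDUtil.getUserName(identity)});
        }

        boolean forceAuth = false;
        if (!openId.endsWith(OPENID_PATH_SUFFIX)) {
            String authenticatedOpenId = (String) session.getAttribute(OpenIDConstants.SessionAttribute.AUTHENTICATED_OPENID);
            if (log.isDebugEnabled()) {
                log.debug("claimedID : " + openId + ", authenticated user : " + authenticatedOpenId);
            }
            if (authenticatedOpenId != null && !"".equals(authenticatedOpenId.trim())
                    && !openId.equals(authenticatedOpenId.trim())) {
                if (log.isDebugEnabled()) {
                    log.debug("Overriding previously authenticated OpenID : " + authenticatedOpenId
                            + " with the OpenID in the current request :" + openId + " and setting forceAuthenticate.");
                }
                forceAuth = true;
            }
        }
        authenticationRequest.setForceAuth(forceAuth);
        authenticationRequest.setRequestQueryParams(httpServletRequest.getParameterMap());
        Enumeration<?> headerNames = httpServletRequest.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String headerName = String.valueOf(headerNames.nextElement());
            authenticationRequest.addHeader(headerName, httpServletRequest.getHeader(headerName));
        }
        FrameworkUtils.addAuthenticationRequestToCache(sessionDataKey,
                new AuthenticationRequestCacheEntry(authenticationRequest), session.getMaxInactiveInterval());

        StringBuilder url = new StringBuilder(commonAuthUrl);
        url.append("?").append(SESSION_DATA_KEY).append("=").append(sessionDataKey)
           .append("&").append("type").append("=").append(OpenIDConstants.PREFIX);
        FrameworkUtils.setRequestPathCredentials(httpServletRequest);
        return url.toString();
    }

    /**
     * Logs the error and builds an OpenID direct error response in key-value form encoding.
     *
     * @param message the error text; a generic message is used when {@code null}
     * @return the encoded direct error
     */
    private String getErrorResponseText(String message) {
        String text = message != null ? message : GENERIC_ERROR_MESSAGE;
        log.error(text);
        return DirectError.createDirectError(text).keyValueFormEncoding();
    }

    /**
     * Writes a direct response body and closes the output stream.
     *
     * @param httpServletResponse the response to write to
     * @param body                the body text; {@code null} is written as an empty body
     * @throws IOException if the stream cannot be obtained, written or closed
     */
    private void directResponse(HttpServletResponse httpServletResponse, String body) throws IOException {
        String text = body != null ? body : "";
        // Encode explicitly: String.getBytes() without a charset uses the platform default.
        try (ServletOutputStream out = httpServletResponse.getOutputStream()) {
            out.write(text.getBytes(StandardCharsets.UTF_8));
        }
    }

    /**
     * Handles the request that comes back from the login page.
     *
     * <p>Resolves the authenticated subject from the framework's result cache, binds it to the
     * OpenID held in the session and then either forwards to the OpenID server (approval bypassed
     * or already granted), sends the user to the approval page, or redirects back to the login page
     * with an error.
     *
     * @param httpServletRequest  the incoming request (carries {@code sessionDataKey})
     * @param httpServletResponse the response used for forwards and redirects
     * @throws IdentityException wrapping any failure, including a missing OpenID in the session
     */
    private void handleRequestFromLoginPage(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse)
            throws IdentityException {
        try {
            HttpSession session = httpServletRequest.getSession();
            String openId = (String) session.getAttribute(OPENID_ATTRIBUTE);
            if (openId == null) {
                throw new IdentityException("No valid OpenID Identifier found. Terminating authentication flow");
            }
            String sessionDataKey = httpServletRequest.getParameter(SESSION_DATA_KEY);
            AuthenticationResult authenticationResult =
                    sessionDataKey != null ? getAuthenticationResultFromCache(sessionDataKey) : null;

            if (openId.endsWith(OPENID_PATH_SUFFIX)) {
                // Identifier select: complete the OpenID with the subject the framework authenticated.
                String authenticatedSubject = null;
                if (authenticationResult != null && authenticationResult.isAuthenticated()) {
                    session.setAttribute(OpenIDConstants.AUTHENTICATION_RESULT, authenticationResult);
                    if (authenticationResult.getSubject() != null) {
                        authenticatedSubject = authenticationResult.getSubject().getAuthenticatedSubjectIdentifier();
                    }
                }
                if (authenticatedSubject != null && !"".equals(authenticatedSubject.trim())) {
                    String sessionUserName = (String) session.getAttribute(USER_NAME_ATTRIBUTE);
                    if (sessionUserName != null && !sessionUserName.equals(authenticatedSubject)) {
                        log.debug("Username in request is different from the authenticated username in the session. Starting new session ");
                    }
                    session.setAttribute(USER_NAME_ATTRIBUTE, authenticatedSubject);
                    openId = openId + authenticatedSubject;
                }
            }
            session.setAttribute(OPENID_ATTRIBUTE, openId);

            String previouslyAuthenticated = (String) session.getAttribute(OpenIDConstants.SessionAttribute.AUTHENTICATED_OPENID);
            boolean authenticated = openId.equals(previouslyAuthenticated);
            OpenIDAdminClient adminClient = OpenIDUtil.getOpenIDAdminClient(session);
            if (!authenticated && authenticationResult != null) {
                authenticated = authenticationResult.isAuthenticated();
            }

            if (authenticated) {
                session.setAttribute(OpenIDConstants.SessionAttribute.AUTHENTICATED_OPENID, openId);
                if (adminClient.isOpenIDUserApprovalBypassEnabled()) {
                    forwardAsApproved(httpServletRequest, httpServletResponse,
                            OpenIDConstants.SessionAttribute.DEFAULT_PROFILE, false);
                    return;
                }
                ParameterList parameterList = (ParameterList) session.getAttribute(OpenIDConstants.PARAM_LIST);
                if (parameterList == null) {
                    throw new IdentityException("No OpenID request found in the session");
                }
                String[] rpInfo = adminClient.getOpenIDUserRPInfo(openId,
                        parameterList.getParameterValue(OpenIDConstants.ATTR_RETURN_TO));
                // rpInfo[0] is the "approved always" flag and rpInfo[1] the profile chosen at that time.
                if (rpInfo != null && rpInfo.length > 1 && TRUE.equals(rpInfo[0])) {
                    forwardAsApproved(httpServletRequest, httpServletResponse, rpInfo[1], true);
                } else {
                    session.setAttribute(ACTION_ATTRIBUTE, ACTION_AUTHENTICATED);
                    sendToApprovalPage(httpServletRequest, httpServletResponse);
                }
            } else {
                OpenIDUtil.deleteCookie(OpenIDConstants.Cookie.OPENID_TOKEN, "/", httpServletRequest);
                OpenIDUtil.deleteCookie(OpenIDConstants.Cookie.OPENID_REMEMBER_ME, "/", httpServletRequest);
                session.removeAttribute(OpenIDConstants.SessionAttribute.AUTHENTICATED_OPENID);
                ParameterList parameterList = (ParameterList) session.getAttribute(OpenIDConstants.PARAM_LIST);
                httpServletResponse.sendRedirect(
                        OpenIDUtil.getAdminConsoleURL(httpServletRequest).replace("carbon/", "authenticationendpoint/openid_login.do")
                        + OpenIDUtil.getLoginPageQueryParams(parameterList)
                        + "&errorMsg=error.while.user.auth");
            }
        } catch (Exception e) {
            throw new IdentityException("Exception while handling request from the login page", e);
        }
    }

    /**
     * Marks the session as authenticated and approved and forwards the request to the OpenID server
     * servlet, which then completes the checkid flow.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response to forward
     * @param profileName         the profile to select
     * @param approvedAlways      whether to also record a persistent approval in the session
     * @throws ServletException propagated from the dispatcher
     * @throws IOException      propagated from the dispatcher
     */
    private void forwardAsApproved(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
                                   String profileName, boolean approvedAlways) throws ServletException, IOException {
        HttpSession session = httpServletRequest.getSession();
        session.setAttribute(ACTION_ATTRIBUTE, ACTION_AUTHENTICATED);
        session.setAttribute(OpenIDConstants.SessionAttribute.USER_APPROVED, TRUE);
        if (approvedAlways) {
            session.setAttribute(OpenIDConstants.SessionAttribute.USER_APPROVED_ALWAYS, TRUE);
        }
        session.setAttribute(OpenIDConstants.SessionAttribute.SELECTED_PROFILE, profileName);
        // Tells processRequest that this is an internal forward, not a fresh return from the login page.
        httpServletRequest.setAttribute(NON_LOGIN_ATTRIBUTE, TRUE);
        httpServletRequest.getRequestDispatcher(OPENID_SERVER_DISPATCH_PATH).forward(httpServletRequest, httpServletResponse);
    }

    /**
     * Writes a self-submitting HTML form that posts the OpenID, the return_to URL and the user's
     * claims to the approval page.
     *
     * <p>Every value is HTML-escaped: {@code openid.return_to} originates from the relying party's
     * request and the claim values from the user store, so none of them may be written raw into
     * attribute values.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response the form is written to
     * @throws IOException if the writer cannot be obtained
     */
    private void sendToApprovalPage(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        HttpSession session = httpServletRequest.getSession();
        String sessionDataKey = httpServletRequest.getParameter(SESSION_DATA_KEY);
        AuthenticationResult authenticationResult =
                sessionDataKey != null ? getAuthenticationResultFromCache(sessionDataKey) : null;
        Map<?, ?> userAttributes = null;
        if (authenticationResult != null && authenticationResult.getSubject() != null) {
            userAttributes = authenticationResult.getSubject().getUserAttributes();
        }
        ParameterList parameterList = (ParameterList) session.getAttribute(OpenIDConstants.PARAM_LIST);
        String returnTo = parameterList != null ? parameterList.getParameterValue(OpenIDConstants.ATTR_RETURN_TO) : null;

        PrintWriter writer = httpServletResponse.getWriter();
        writer.println("<html>");
        writer.println("<body>");
        writer.println("<p>You are now redirected back to Approval Page.");
        writer.println(" If the redirection fails, please click the post button.</p>");
        writer.println("<form method='post' action='authenticationendpoint/openid_profile.do'>");
        writer.println("<p>");
        writer.println("<input type='hidden' name='openid.identity' value='"
                + escapeHtml(session.getAttribute(OpenIDConstants.SessionAttribute.AUTHENTICATED_OPENID)) + "'>");
        writer.println("<input type='hidden' name='openid.return_to' value='" + escapeHtml(returnTo) + "'>");
        if (userAttributes != null) {
            for (Map.Entry<?, ?> entry : userAttributes.entrySet()) {
                Object key = entry.getKey();
                Object value = entry.getValue();
                if (!(key instanceof ClaimMapping) || !(value instanceof String)) {
                    continue;
                }
                ClaimMapping claimMapping = (ClaimMapping) key;
                String claimUri = claimMapping.getLocalClaim() != null ? claimMapping.getLocalClaim().getClaimUri() : null;
                if (claimUri == null) {
                    continue;
                }
                writer.println("<input type='hidden' name='claimTag' value='" + escapeHtml(claimUri) + "'>");
                writer.println("<input type='hidden' name='claimValue' value='" + escapeHtml(value) + "'>");
            }
        }
        writer.println("<button type='submit'>POST</button>");
        writer.println("</p>");
        writer.println("</form>");
        writer.println("<script type='text/javascript'>");
        writer.println("document.forms[0].submit();");
        writer.println("</script>");
        writer.println("</body>");
        writer.println("</html>");
    }

    /**
     * Escapes a value for use inside an HTML attribute or text node.
     *
     * <p>{@code null} is rendered as the string {@code "null"}, matching plain string concatenation.
     *
     * @param value the value to escape
     * @return the escaped text
     */
    private static String escapeHtml(Object value) {
        String text = String.valueOf(value);
        StringBuilder escaped = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '&':
                    escaped.append("&amp;");
                    break;
                case '<':
                    escaped.append("&lt;");
                    break;
                case '>':
                    escaped.append("&gt;");
                    break;
                case '"':
                    escaped.append("&quot;");
                    break;
                case '\'':
                    escaped.append("&#39;");
                    break;
                default:
                    escaped.append(c);
            }
        }
        return escaped.toString();
    }

    /**
     * Looks up the framework's authentication result for a session data key.
     *
     * @param sessionDataKey the key the framework issued for this login
     * @return the result, or {@code null} if the cache holds no entry (logged as an error)
     */
    private AuthenticationResult getAuthenticationResultFromCache(String sessionDataKey) {
        AuthenticationResultCacheEntry entry =
                AuthenticationResultCache.getInstance(0).getValueFromCache(new AuthenticationResultCacheKey(sessionDataKey));
        if (entry == null) {
            log.error("Cannot find AuthenticationResult from the cache");
            return null;
        }
        return entry.getResult();
    }

    /**
     * @param httpServletRequest the incoming request
     * @return the {@code openid.realm} request parameter, or {@code null} if absent
     */
    private String getRelyingParty(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getParameter("openid.realm");
    }
}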
