package org.wso2.carbon.identity.sso.saml.cloud.handler.auth;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.saml2.core.RequestAbstractType;
import org.opensaml.xml.security.SecurityException;
import org.wso2.carbon.identity.application.authentication.framework.inbound.IdentityRequest;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationResult;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
import org.wso2.carbon.identity.sso.saml.builders.SingleLogoutMessageBuilder;
import org.wso2.carbon.identity.sso.saml.cloud.SAMLSSOConstants;
import org.wso2.carbon.identity.sso.saml.cloud.builders.signature.DefaultSSOSigner;
import org.wso2.carbon.identity.sso.saml.cloud.context.SAMLMessageContext;
import org.wso2.carbon.identity.sso.saml.cloud.exception.IdentitySAML2SSOException;
import org.wso2.carbon.identity.sso.saml.cloud.exception.SAML2Exception;
import org.wso2.carbon.identity.sso.saml.cloud.request.SAMLSpInitRequest;
import org.wso2.carbon.identity.sso.saml.cloud.response.SAMLErrorResponse;
import org.wso2.carbon.identity.sso.saml.cloud.response.SAMLLoginResponse;
import org.wso2.carbon.identity.sso.saml.cloud.response.SAMLLogoutResponse;
import org.wso2.carbon.identity.sso.saml.cloud.response.SAMLResponse;
import org.wso2.carbon.identity.sso.saml.cloud.util.SAMLSSOUtil;
import org.wso2.carbon.identity.sso.saml.cloud.validators.SAML2HTTPRedirectDeflateSignatureValidator;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOReqValidationResponseDTO;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOSessionDTO;
import org.wso2.carbon.identity.sso.saml.dto.SingleLogoutRequestDTO;
import org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender;
import org.wso2.carbon.identity.sso.saml.session.SSOSessionPersistenceManager;
import org.wso2.carbon.identity.sso.saml.session.SessionInfoData;
import org.wso2.carbon.user.api.UserStoreException;

/* loaded from: input_file:org/wso2/carbon/identity/sso/saml/cloud/handler/auth/SPInitAuthHandler.class */
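public class SPInitAuthHandler extends AuthHandler {

    private static final Log log = LogFactory.getLog(SPInitAuthHandler.class);

    /** Tenant domain used for signature validation when the message context carries none. */
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";

    /**
     * Accepts a message context only when its inbound request is an SP-initiated SAML request.
     *
     * @param sAMLMessageContext the current SAML message context
     * @return {@code true} when the wrapped request is a {@link SAMLSpInitRequest}
     */
    @Override // org.wso2.carbon.identity.sso.saml.cloud.handler.auth.AuthHandler
    public boolean canHandle(SAMLMessageContext sAMLMessageContext) {
        return sAMLMessageContext.m10getRequest() instanceof SAMLSpInitRequest;
    }

    /**
     * Turns the authentication framework's outcome into a SAML response builder.
     * <p>
     * Dispatches, in this order, on: a pending logout (single logout of the other session
     * participants), a successfully authenticated user (AuthnRequest validation plus a login
     * response), an authentication failure in active mode (an AuthnFailed error response), and
     * an authentication failure in passive mode (a NoPassive status carried on the login
     * response builder).
     *
     * @param sAMLMessageContext   the SAML message context built from the AuthnRequest
     * @param authenticationResult the framework's result; may be {@code null}
     * @param identityRequest      the inbound request carrying sessionDataKey / RelayState parameters
     * @return the builder for the response to send back to the service provider
     * @throws IdentityException when logout session state is missing or inconsistent, or an
     *                           error response cannot be built
     * @throws IOException       as declared by the overridden method
     */
    @Override // org.wso2.carbon.identity.sso.saml.cloud.handler.auth.AuthHandler
    public SAMLResponse.SAMLResponseBuilder validateAuthnResponseFromFramework(SAMLMessageContext sAMLMessageContext,
            AuthenticationResult authenticationResult, IdentityRequest identityRequest)
            throws IdentityException, IOException {
        if (SAMLSSOUtil.isLogoutRequest()) {
            return buildLogoutResponse(sAMLMessageContext, identityRequest);
        }
        if (authenticationResult != null && authenticationResult.isAuthenticated()) {
            return buildAuthenticatedResponse(sAMLMessageContext, authenticationResult, identityRequest);
        }
        // Only reached when the framework returned no result or an unauthenticated user, so a
        // null result is treated as a failed authentication instead of dereferencing it.
        if (log.isDebugEnabled() && authenticationResult != null) {
            log.debug("Unauthenticated User.");
        }
        if (!sAMLMessageContext.isPassive()) {
            return buildAuthnFailureResponse(sAMLMessageContext);
        }
        return buildPassiveFailureResponse(sAMLMessageContext);
    }

    /**
     * Handles the logout leg: loads the session data cached under sessionDataKey, fans out
     * logout requests to the other service providers of the SSO session, drops the session and
     * its cache entry, and prepares a logout response for the issuer.
     *
     * @throws IdentityException when the sessionDataKey, cached session or validation result is missing
     */
    private SAMLResponse.SAMLResponseBuilder buildLogoutResponse(SAMLMessageContext context,
            IdentityRequest identityRequest) throws IdentityException {
        // Built before the context is updated below, in case the builder captures context state.
        SAMLLogoutResponse.SAMLLogoutResponseBuilder builder = new SAMLLogoutResponse.SAMLLogoutResponseBuilder(context);
        String sessionDataKey = identityRequest.getParameter(SAMLSSOConstants.SESSION_DATA_KEY);
        if (StringUtils.isEmpty(sessionDataKey)) {
            log.error("Session Data Key is null or empty.");
            throw new SAML2Exception("Session Data Key is null or empty.");
        }
        SAMLSSOSessionDTO sessionDTO = SAMLSSOUtil.getSessionDataFromCache(sessionDataKey);
        if (sessionDTO == null) {
            String message = "Session not found in cache for sessionDataKey : " + sessionDataKey;
            log.error(message);
            throw new SAML2Exception(message);
        }
        SAMLSSOReqValidationResponseDTO validationDTO = sessionDTO.getValidationRespDTO();
        if (validationDTO == null) {
            throw new SAML2Exception("SAML Request validation response not found in session DTO.");
        }
        String sessionId = sessionDTO.getSessionId();
        String issuer = validationDTO.getIssuer();

        List<SingleLogoutRequestDTO> logoutRequests = getSingleLogoutRequestDTOs(sessionId, validationDTO);
        LogoutRequestSender.getInstance()
                .sendLogoutRequests(logoutRequests.toArray(new SingleLogoutRequestDTO[logoutRequests.size()]));
        SAMLSSOUtil.removeSession(sessionId, issuer);
        SAMLSSOUtil.removeSessionDataFromCache(sessionDataKey);

        context.setIssuer(issuer);
        context.setTenantDomain(sessionDTO.getTenantDomain());
        context.setSubject(sessionDTO.getSubject());
        context.setAssertionConsumerUrl(sessionDTO.getAssertionConsumerURL());

        // NOTE(review): the issuer is used as the RelayState of the logout response; confirm
        // this is intended rather than the RelayState of the original logout request.
        builder.setRelayState(issuer);
        builder.setAcsUrl(sessionDTO.getAssertionConsumerURL());
        builder.setSubject(sessionDTO.getSubject());
        builder.setAuthenticatedIdPs(null);
        builder.setTenantDomain(sessionDTO.getTenantDomain());
        builder.buildResponse();
        return builder;
    }

    /**
     * Handles a successfully authenticated user: records tenant / SaaS state for the thread,
     * validates the AuthnRequest via {@link #authenticate} and completes either the login
     * response builder or the error response builder it returned.
     * <p>
     * Any {@link IdentityException} or {@link UserStoreException} is logged and mapped to a
     * bare error response builder so the caller always gets a response to send.
     */
    private SAMLResponse.SAMLResponseBuilder buildAuthenticatedResponse(SAMLMessageContext context,
            AuthenticationResult authenticationResult, IdentityRequest identityRequest) {
        SAMLSSOUtil.setIsSaaSApplication(authenticationResult.isSaaSApp());
        try {
            SAMLSSOUtil.setUserTenantDomain(authenticationResult.getSubject().getTenantDomain());
            SAMLSSOUtil.setTenantDomainInThreadLocal(context.getTenantDomain());
            // RelayState from the inbound request wins; fall back to the value kept in the context.
            String relayState = identityRequest.getParameter(SAMLSSOConstants.RELAY_STATE);
            if (StringUtils.isBlank(relayState)) {
                relayState = context.getRelayState();
            }
            SAMLResponse.SAMLResponseBuilder builder = authenticate(context, authenticationResult.isAuthenticated(),
                    authenticationResult.getAuthenticatedAuthenticators(), SAMLSSOConstants.AuthnModes.USERNAME_PASSWORD);
            if (builder instanceof SAMLLoginResponse.SAMLLoginResponseBuilder) {
                SAMLLoginResponse.SAMLLoginResponseBuilder loginBuilder = (SAMLLoginResponse.SAMLLoginResponseBuilder) builder;
                loginBuilder.setRelayState(relayState);
                loginBuilder.setAcsUrl(context.getAssertionConsumerURL());
                loginBuilder.setSubject(context.getUser().getAuthenticatedSubjectIdentifier());
                loginBuilder.setAuthenticatedIdPs(context.getAuthenticationResult().getAuthenticatedIdPs());
                loginBuilder.setTenantDomain(context.getTenantDomain());
                return loginBuilder;
            }
            // authenticate() hands back an error builder for every rejected request.
            SAMLErrorResponse.SAMLErrorResponseBuilder errorBuilder = (SAMLErrorResponse.SAMLErrorResponseBuilder) builder;
            errorBuilder.setStatus(SAMLSSOConstants.Notification.EXCEPTION_STATUS);
            errorBuilder.setMessageLog(SAMLSSOConstants.Notification.EXCEPTION_MESSAGE);
            errorBuilder.setAcsUrl(context.getSamlssoServiceProviderDO().getDefaultAssertionConsumerUrl());
            return errorBuilder;
        } catch (IdentityException e) {
            // The caller only sees a generic error builder, so the cause is recorded here.
            log.error("Error while building the SAML response for the authenticated user.", e);
            return new SAMLErrorResponse.SAMLErrorResponseBuilder(context);
        } catch (UserStoreException e) {
            log.error("Error while building the SAML response for the authenticated user.", e);
            return new SAMLErrorResponse.SAMLErrorResponseBuilder(context);
        }
    }

    /**
     * Builds the AuthnFailed error response returned in active mode when the user was not
     * authenticated.
     */
    private SAMLResponse.SAMLResponseBuilder buildAuthnFailureResponse(SAMLMessageContext context)
            throws IdentityException {
        String errorResponse = SAMLSSOUtil.buildErrorResponse(SAMLSSOConstants.StatusCodes.AUTHN_FAILURE,
                "User authentication failed", context.getDestination());
        SAMLErrorResponse.SAMLErrorResponseBuilder builder = new SAMLErrorResponse.SAMLErrorResponseBuilder(context);
        builder.setErrorResponse(errorResponse);
        builder.setStatus(SAMLSSOConstants.Notification.EXCEPTION_STATUS);
        builder.setMessageLog(SAMLSSOConstants.Notification.EXCEPTION_MESSAGE);
        builder.setAcsUrl(context.getAssertionConsumerURL());
        return builder;
    }

    /**
     * Builds the passive-mode failure: a NoPassive / IdP-error status response that is sent on
     * the login response builder so the SP receives it at its ACS URL.
     */
    private SAMLResponse.SAMLResponseBuilder buildPassiveFailureResponse(SAMLMessageContext context)
            throws IdentityException {
        String acsUrl = context.getAssertionConsumerURL();
        List<String> statusCodes = new ArrayList<String>();
        statusCodes.add(SAMLSSOConstants.StatusCodes.NO_PASSIVE);
        statusCodes.add(SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR);
        String errorResponse = SAMLSSOUtil.buildErrorResponse(context.getId(), statusCodes,
                "Cannot process response from framework Subject in Passive Mode", acsUrl);
        SAMLLoginResponse.SAMLLoginResponseBuilder builder = new SAMLLoginResponse.SAMLLoginResponseBuilder(context);
        builder.setRelayState(context.getRelayState());
        builder.setRespString(errorResponse);
        builder.setAcsUrl(acsUrl);
        builder.setSubject(context.getSubject());
        builder.setAuthenticatedIdPs(null);
        builder.setTenantDomain(context.getTenantDomain());
        return builder;
    }

    /**
     * Builds one single-logout request for every other service provider participating in the
     * SSO session bound to {@code sessionId}.
     *
     * @param sessionId     the SSO session token id whose session index is looked up
     * @param validationDTO validation result of the inbound logout request; supplies the
     *                      issuer that must not be notified
     * @return the logout requests to fan out; empty when no session index is bound to the token
     * @throws IdentityException when a SessionIndex given in the logout request does not match
     *                           the cached one, or the cached session info is missing
     */
    private List<SingleLogoutRequestDTO> getSingleLogoutRequestDTOs(String sessionId,
            SAMLSSOReqValidationResponseDTO validationDTO) throws IdentityException {
        SSOSessionPersistenceManager persistenceManager = SSOSessionPersistenceManager.getPersistenceManager();
        String sessionIndex = persistenceManager.getSessionIndexFromTokenId(sessionId);
        if (StringUtils.isEmpty(sessionIndex)) {
            return Collections.emptyList();
        }
        // A SessionIndex supplied in the LogoutRequest must name the session bound to this
        // token; a mismatch is rejected so one session cannot be used to log out another.
        String requestedSessionIndex = SAMLSSOUtil.getSessionIndexFromLogoutRequest();
        if (StringUtils.isNotEmpty(requestedSessionIndex) && !requestedSessionIndex.equals(sessionIndex)) {
            log.error("Session indices from logout request and cache doesn't match");
            throw new SAML2Exception("Session indices from logout request and cache doesn't match");
        }
        SessionInfoData sessionInfo = persistenceManager.getSessionInfo(sessionIndex);
        if (sessionInfo == null) {
            String message = "Session Info Data cannot be found in the session cache. Session Index : " + sessionIndex;
            log.error(message);
            throw new SAML2Exception(message);
        }
        String issuer = validationDTO.getIssuer();
        SingleLogoutMessageBuilder messageBuilder = new SingleLogoutMessageBuilder();
        Map<?, ?> serviceProviders = sessionInfo.getServiceProviderList();
        Map<?, ?> rpSessions = sessionInfo.getRPSessionsList();
        List<SingleLogoutRequestDTO> logoutRequests = new ArrayList<SingleLogoutRequestDTO>();
        for (Map.Entry<?, ?> entry : serviceProviders.entrySet()) {
            String spIssuer = (String) entry.getKey();
            if (spIssuer.equals(issuer)) {
                continue; // the SP that initiated the logout is not notified
            }
            SAMLSSOServiceProviderDO spDO = (SAMLSSOServiceProviderDO) entry.getValue();
            SingleLogoutRequestDTO logoutRequest = new SingleLogoutRequestDTO();
            logoutRequest.setAssertionConsumerURL(resolveLogoutUrl(spDO));
            if (log.isDebugEnabled()) {
                log.debug(String.format("Creating logout request for Issuer : %s, ACS : %s, Tenant Domain : %s",
                        spIssuer, logoutRequest.getAssertionConsumerURL(), spDO.getTenantDomain()));
            }
            logoutRequest.setLogoutResponse(SAMLSSOUtil.marshall(messageBuilder.buildLogoutRequest(
                    sessionInfo.getSubject(spIssuer), sessionIndex, SAMLSSOConstants.SingleLogoutCodes.LOGOUT_USER,
                    logoutRequest.getAssertionConsumerURL(), spDO.getNameIDFormat(), spDO.getTenantDomain(),
                    spDO.getSigningAlgorithmUri(), spDO.getDigestAlgorithmUri())));
            logoutRequest.setRpSessionId((String) rpSessions.get(spIssuer));
            logoutRequests.add(logoutRequest);
        }
        return logoutRequests;
    }

    /**
     * Picks the URL a logout request for the given SP is sent to: the SLO request URL, else
     * the SLO response URL, else the registered ACS URL (first non-blank wins).
     */
    private static String resolveLogoutUrl(SAMLSSOServiceProviderDO spDO) {
        if (StringUtils.isNotBlank(spDO.getSloRequestURL())) {
            return spDO.getSloRequestURL();
        }
        if (StringUtils.isNotBlank(spDO.getSloResponseURL())) {
            return spDO.getSloResponseURL();
        }
        return spDO.getAssertionConsumerUrl();
    }

    /**
     * Validates the AuthnRequest against the registered service provider and, when it passes,
     * builds the login response.
     * <p>
     * When the SP requires signed requests, the Destination must be one of the tenant's accepted
     * values and the request signature must verify. Otherwise the ACS URL must be registered for
     * the SP (a blank one is replaced with the default ACS). In both cases a requested Subject
     * that differs from the authenticated user is rejected. Validation failures are logged at
     * WARN so rejected requests are visible without debug logging.
     *
     * @param context         the SAML message context
     * @param isAuthenticated whether the framework authenticated the user
     * @param authenticators  the authenticators reported by the framework (not used here)
     * @param authnMode       the authentication mode (not used here)
     * @return a login response builder on success, otherwise an error response builder
     * @throws IdentityException if the destination list, default ACS or an error response cannot be built
     */
    private SAMLResponse.SAMLResponseBuilder authenticate(SAMLMessageContext context, boolean isAuthenticated,
            String authenticators, String authnMode) throws IdentityException {
        SAMLSSOServiceProviderDO spDO = context.getSamlssoServiceProviderDO();
        if (spDO.isDoValidateSignatureInRequests()) {
            List<String> allowedDestinations = SAMLSSOUtil.getDestinationFromTenantDomain(context.getTenantDomain());
            String destination = context.getDestination();
            if (destination == null || !allowedDestinations.contains(destination)) {
                String message = "Destination validation for Authentication Request failed. Received: [" + destination
                        + "]. Expected one in the list: [" + StringUtils.join(allowedDestinations, ',') + "]";
                log.warn(message);
                return errorResponse(context, SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, null);
            }
            if (!validateAuthnRequestSignature(context)) {
                String message = "Signature validation for Authentication Request failed.";
                log.warn(message);
                return errorResponse(context, SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, null);
            }
        } else {
            String acsUrl = context.getAssertionConsumerURL();
            if (StringUtils.isBlank(acsUrl)) {
                context.setAssertionConsumerUrl(SAMLSSOUtil.getDefaultACS(context.getTenantDomain(),
                        SAMLSSOUtil.splitAppendedTenantDomain(context.getIssuer()), acsUrl));
            } else if (!spDO.getAssertionConsumerUrlList().contains(acsUrl)) {
                String message = "ALERT: Invalid Assertion Consumer URL value '" + acsUrl
                        + "' in the AuthnRequest message from  the issuer '" + spDO.getIssuer()
                        + "'. Possibly an attempt for a spoofing attack";
                log.warn(message);
                // NOTE(review): the unregistered ACS is echoed as the error response's Destination;
                // confirm the error response is not delivered to that URL.
                return errorResponse(context, SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, acsUrl);
            }
        }
        String requestedSubject = context.getSubject();
        if (requestedSubject != null && context.getUser() != null) {
            String authenticatedSubject = context.getUser().getAuthenticatedSubjectIdentifier();
            if (authenticatedSubject != null && !authenticatedSubject.equals(requestedSubject)) {
                String message = "Provided username does not match with the requested subject";
                if (log.isDebugEnabled()) {
                    log.debug(message);
                }
                return errorResponse(context, SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message,
                        spDO.getDefaultAssertionConsumerUrl());
            }
        }
        if (!isAuthenticated) {
            if (log.isDebugEnabled()) {
                log.debug("Error processing the authentication request");
            }
            return errorResponse(context, SAMLSSOConstants.StatusCodes.AUTHN_FAILURE,
                    "Authentication Failure, invalid username or password.", null);
        }
        SAMLLoginResponse.SAMLLoginResponseBuilder loginBuilder = new SAMLLoginResponse.SAMLLoginResponseBuilder(context);
        String response = loginBuilder.buildResponse();
        if (log.isDebugEnabled()) {
            // Debug output contains the complete SAML response, assertion included.
            log.debug("Authentication successfully processed. The SAMLResponse is :" + response);
        }
        return loginBuilder;
    }

    /**
     * Creates an error response builder carrying a single-status error response.
     *
     * @param context     the SAML message context
     * @param statusCode  the SAML status code to report
     * @param message     the status message
     * @param destination the Destination of the error response, or {@code null}
     */
    private SAMLErrorResponse.SAMLErrorResponseBuilder errorResponse(SAMLMessageContext context, String statusCode,
            String message, String destination) throws IdentityException {
        SAMLErrorResponse.SAMLErrorResponseBuilder builder = new SAMLErrorResponse.SAMLErrorResponseBuilder(context);
        builder.setErrorResponse(buildErrorResponse(context.getId(), statusCode, message, destination));
        return builder;
    }

    /**
     * Serialises a SAML error response with a single status code.
     *
     * @param requestId   the InResponseTo id
     * @param statusCode  the SAML status code
     * @param message     the status message
     * @param destination the Destination, or {@code null}
     * @return the marshalled error response
     * @throws IdentityException if the response cannot be built
     */
    private String buildErrorResponse(String requestId, String statusCode, String message, String destination)
            throws IdentityException {
        List<String> statusCodes = new ArrayList<String>();
        statusCodes.add(statusCode);
        return SAMLSSOUtil.buildErrorResponse(requestId, statusCodes, message, destination);
    }

    /**
     * Verifies the signature of the inbound AuthnRequest with the SP's registered certificate.
     * Redirect-binding requests are checked with the HTTP-Redirect deflate validator, POST-binding
     * requests with the XML signature validator. Any failure, including a request that cannot be
     * decoded or unmarshalled, yields {@code false} (fail closed).
     *
     * @param context the SAML message context wrapping an SP-initiated request
     * @return {@code true} only when the signature verifies
     */
    private boolean validateAuthnRequestSignature(SAMLMessageContext context) {
        if (log.isDebugEnabled()) {
            log.debug("Validating SAML Request signature");
        }
        SAMLSSOServiceProviderDO spDO = context.getSamlssoServiceProviderDO();
        String tenantDomain = context.getTenantDomain();
        if (StringUtils.isBlank(tenantDomain)) {
            tenantDomain = SUPER_TENANT_DOMAIN;
        }
        String certAlias = spDO.getCertAlias();
        boolean redirectBinding = context.m10getRequest().isRedirect();
        SAMLSpInitRequest spRequest = (SAMLSpInitRequest) context.m10getRequest();
        RequestAbstractType authnRequest = unmarshallAuthnRequest(spRequest, redirectBinding);
        if (authnRequest == null) {
            return false; // an undecodable request cannot have a valid signature
        }
        try {
            if (redirectBinding) {
                return validateDeflateSignature(spRequest, context.getIssuer(), certAlias, tenantDomain);
            }
            return validateXMLSignature(authnRequest, certAlias, tenantDomain);
        } catch (IdentityException e) {
            if (log.isDebugEnabled()) {
                log.debug("Signature Validation failed for the SAMLRequest : Failed to validate the SAML Assertion", e);
            }
            return false;
        }
    }

    /**
     * Decodes and unmarshalls the SAMLRequest parameter of an SP-initiated request.
     *
     * @param request         the SP-initiated request
     * @param redirectBinding {@code true} to use the redirect (deflate) decoding, else POST decoding
     * @return the parsed request, or {@code null} when decoding or unmarshalling fails
     */
    private RequestAbstractType unmarshallAuthnRequest(SAMLSpInitRequest request, boolean redirectBinding) {
        try {
            return (RequestAbstractType) SAMLSSOUtil.unmarshall(redirectBinding
                    ? SAMLSSOUtil.decode(request.getSamlRequest())
                    : SAMLSSOUtil.decodeForPost(request.getSamlRequest()));
        } catch (IdentityException e) {
            if (log.isDebugEnabled()) {
                log.debug("Signature Validation failed for the SAMLRequest : Failed to unmarshall the SAML Assertion", e);
            }
            return null;
        }
    }

    /**
     * Validates the HTTP-Redirect (deflate) signature of the request.
     *
     * @param request      the SP-initiated request carrying SAMLRequest / SigAlg / Signature
     * @param issuer       the request issuer
     * @param certAlias    alias of the SP certificate used to verify
     * @param tenantDomain tenant whose key store holds the certificate
     * @return {@code true} when the signature verifies; {@code false} on a credential or
     *         security error (both are logged)
     * @throws IdentityException as propagated by the validator
     */
    private boolean validateDeflateSignature(SAMLSpInitRequest request, String issuer, String certAlias,
            String tenantDomain) throws IdentityException {
        try {
            return new SAML2HTTPRedirectDeflateSignatureValidator().validateSignature(request, issuer, certAlias,
                    tenantDomain);
        } catch (IdentitySAML2SSOException e) {
            log.warn("Signature validation failed for the SAML Message : Failed to construct the X509CredentialImpl for the alias " + certAlias, e);
            return false;
        } catch (SecurityException e) {
            log.error("Error validating deflate signature", e);
            return false;
        }
    }

    /**
     * Validates the enveloped XML signature of a POST-binding request.
     *
     * @param request      the parsed request; an absent or unsigned request fails validation
     * @param certAlias    alias of the SP certificate used to verify
     * @param tenantDomain tenant whose key store holds the certificate
     * @return {@code true} only when a signature is present and verifies
     * @throws IdentityException as propagated by the signer
     */
    private boolean validateXMLSignature(RequestAbstractType request, String certAlias, String tenantDomain)
            throws IdentityException {
        if (request == null || request.getSignature() == null) {
            return false;
        }
        try {
            return new DefaultSSOSigner().validateXMLSignature(request,
                    SAMLSSOUtil.getX509CredentialImplForTenant(tenantDomain, certAlias), certAlias);
        } catch (IdentitySAML2SSOException e) {
            if (log.isDebugEnabled()) {
                log.debug("Signature validation failed for the SAML Message : Failed to construct the X509CredentialImpl for the alias " + certAlias, e);
            }
            return false;
        } catch (IdentityException e) {
            if (log.isDebugEnabled()) {
                log.debug("Signature Validation Failed for the SAML Assertion : Signature is invalid.", e);
            }
            return false;
        }
    }
}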
