package org.wso2.carbon.identity.sso.saml.cloud.handler.auth;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.authentication.framework.inbound.IdentityRequest;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationResult;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
import org.wso2.carbon.identity.sso.saml.cloud.SAMLSSOConstants;
import org.wso2.carbon.identity.sso.saml.cloud.context.SAMLMessageContext;
import org.wso2.carbon.identity.sso.saml.cloud.request.SAMLIdpInitRequest;
import org.wso2.carbon.identity.sso.saml.cloud.response.SAMLErrorResponse;
import org.wso2.carbon.identity.sso.saml.cloud.response.SAMLLoginResponse;
import org.wso2.carbon.identity.sso.saml.cloud.response.SAMLResponse;
import org.wso2.carbon.identity.sso.saml.cloud.util.SAMLSSOUtil;
import org.wso2.carbon.user.api.UserStoreException;

/* loaded from: input_file:org/wso2/carbon/identity/sso/saml/cloud/handler/auth/IDPInitAuthHandler.class */
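public class IDPInitAuthHandler extends AuthHandler {

    private static final Log log = LogFactory.getLog(IDPInitAuthHandler.class);

    /**
     * This handler serves only IdP-initiated SSO requests.
     *
     * @param sAMLMessageContext the inbound SAML message context
     * @return {@code true} when the wrapped request is a {@link SAMLIdpInitRequest}
     */
    @Override // org.wso2.carbon.identity.sso.saml.cloud.handler.auth.AuthHandler
    public boolean canHandle(SAMLMessageContext sAMLMessageContext) {
        return sAMLMessageContext.m10getRequest() instanceof SAMLIdpInitRequest;
    }

    /**
     * Converts the authentication framework's verdict into a SAML response builder.
     * <p>
     * An unauthenticated result yields an {@code AuthnFailed} error response. An authenticated
     * result resolves the service provider for the issuer (see {@link #authenticate}) and yields
     * either a login response carrying subject, RelayState, ACS URL, authenticated IdPs and tenant
     * domain, or an error response when the service provider lookup or ACS validation fails.
     * Exceptions raised while building the response are logged and mapped to a bare error builder.
     *
     * @param sAMLMessageContext   the inbound SAML message context
     * @param authenticationResult the framework's verdict; {@code null} means no session data came back
     * @param identityRequest      the framework request, read for its RelayState parameter
     * @return a login or error response builder, never {@code null}
     * @throws IdentityException if {@code authenticationResult} is {@code null}
     * @throws IOException       declared to satisfy the overridden signature
     */
    @Override // org.wso2.carbon.identity.sso.saml.cloud.handler.auth.AuthHandler
    public SAMLResponse.SAMLResponseBuilder validateAuthnResponseFromFramework(SAMLMessageContext sAMLMessageContext, AuthenticationResult authenticationResult, IdentityRequest identityRequest) throws IdentityException, IOException {
        if (authenticationResult == null) {
            // The previous implementation dereferenced a null result here and failed with an NPE,
            // making its "session data not found" check unreachable. A missing result is reported
            // through the declared exception instead.
            throw IdentityException.error("Session data is not found for authenticated user");
        }
        if (!authenticationResult.isAuthenticated()) {
            return buildUnauthenticatedResponse(sAMLMessageContext);
        }

        String userTenantDomain = authenticationResult.getSubject().getTenantDomain();
        sAMLMessageContext.setTenantDomain(userTenantDomain);
        SAMLSSOUtil.setIsSaaSApplication(authenticationResult.isSaaSApp());
        try {
            SAMLSSOUtil.setUserTenantDomain(userTenantDomain);
            SAMLSSOUtil.setTenantDomainInThreadLocal(sAMLMessageContext.getTenantDomain());

            // RelayState: prefer the value the framework echoes back, otherwise the one captured on
            // the inbound request.
            String relayState = identityRequest.getParameter(SAMLSSOConstants.RELAY_STATE);
            if (StringUtils.isBlank(relayState)) {
                relayState = sAMLMessageContext.getRelayState();
            }

            SAMLResponse.SAMLResponseBuilder builder = authenticate(sAMLMessageContext, authenticationResult.isAuthenticated(), authenticationResult.getAuthenticatedAuthenticators(), SAMLSSOConstants.AuthnModes.USERNAME_PASSWORD);
            if (builder instanceof SAMLLoginResponse.SAMLLoginResponseBuilder) {
                SAMLLoginResponse.SAMLLoginResponseBuilder login = (SAMLLoginResponse.SAMLLoginResponseBuilder) builder;
                login.setRelayState(relayState);
                login.setAcsUrl(sAMLMessageContext.getAssertionConsumerURL());
                login.setSubject(sAMLMessageContext.getUser().getAuthenticatedSubjectIdentifier());
                login.setAuthenticatedIdPs(sAMLMessageContext.getAuthenticationResult().getAuthenticatedIdPs());
                login.setTenantDomain(sAMLMessageContext.getTenantDomain());
                return login;
            }

            // authenticate() returns either a login builder or an error builder.
            SAMLErrorResponse.SAMLErrorResponseBuilder error = (SAMLErrorResponse.SAMLErrorResponseBuilder) builder;
            error.setStatus(SAMLSSOConstants.Notification.EXCEPTION_STATUS);
            error.setMessageLog(SAMLSSOConstants.Notification.EXCEPTION_MESSAGE);
            // Deliver the error to the registered default ACS, never to a request-supplied one.
            // authenticate() stores a null SP config when the issuer is unregistered, in which case
            // the previous implementation threw an NPE here; there is then no ACS to override.
            SAMLSSOServiceProviderDO serviceProvider = sAMLMessageContext.getSamlssoServiceProviderDO();
            if (serviceProvider != null) {
                error.setAcsUrl(serviceProvider.getDefaultAssertionConsumerUrl());
            }
            return error;
        } catch (UserStoreException e) {
            // Previously swallowed silently; a bare error builder is still returned to the caller.
            log.error("Error while building the IdP initiated SAML response for issuer '" + sAMLMessageContext.getIssuer() + "'", e);
            return new SAMLErrorResponse.SAMLErrorResponseBuilder(sAMLMessageContext);
        } catch (IdentityException e) {
            log.error("Error while building the IdP initiated SAML response for issuer '" + sAMLMessageContext.getIssuer() + "'", e);
            return new SAMLErrorResponse.SAMLErrorResponseBuilder(sAMLMessageContext);
        }
    }

    /**
     * Builds the {@code AuthnFailed} error response returned when the framework reports an
     * unauthenticated user.
     *
     * @param ctx the inbound SAML message context
     * @return an error builder carrying status, message log and ACS URL
     * @throws IdentityException if the error response cannot be built
     * @throws IOException       if the error response cannot be built
     */
    private SAMLErrorResponse.SAMLErrorResponseBuilder buildUnauthenticatedResponse(SAMLMessageContext ctx) throws IdentityException, IOException {
        if (log.isDebugEnabled()) {
            log.debug("Unauthenticated User.");
        }
        String errorResponse = SAMLSSOUtil.buildErrorResponse(SAMLSSOConstants.StatusCodes.AUTHN_FAILURE, "User authentication failed", ctx.getDestination());
        SAMLErrorResponse.SAMLErrorResponseBuilder error = new SAMLErrorResponse.SAMLErrorResponseBuilder(ctx);
        error.setErrorResponse(errorResponse);
        error.setStatus(SAMLSSOConstants.Notification.EXCEPTION_STATUS);
        error.setMessageLog(SAMLSSOConstants.Notification.EXCEPTION_MESSAGE);
        error.setAcsUrl(resolveErrorAcsUrl(ctx));
        return error;
    }

    /**
     * Chooses the ACS URL for an error response issued before {@link #authenticate} has run.
     * <p>
     * In an IdP-initiated flow the {@code acs} value on the request is caller-influenced. When the
     * service provider configuration is already present on the context, the value is checked against
     * the registered ACS list and replaced by the registered default on a blank or unlisted value.
     * NOTE(review): when the configuration has not been resolved yet the request value is used
     * unchecked, as the previous implementation always did; confirm whether the request handler
     * upstream validates it.
     *
     * @param ctx the inbound SAML message context
     * @return the ACS URL to deliver the error response to
     */
    private String resolveErrorAcsUrl(SAMLMessageContext ctx) {
        String acs = ((SAMLIdpInitRequest) ctx.m10getRequest()).getAcs();
        SAMLSSOServiceProviderDO serviceProvider = ctx.getSamlssoServiceProviderDO();
        if (serviceProvider != null && (StringUtils.isBlank(acs) || !serviceProvider.getAssertionConsumerUrlList().contains(acs))) {
            acs = serviceProvider.getDefaultAssertionConsumerUrl();
        }
        return acs;
    }

    /**
     * Resolves the service provider for the issuer on the context, enforces the IdP-init and ACS
     * policy, and builds the login or error response.
     *
     * @param ctx            the message context; its service provider configuration is populated here
     * @param authenticated  whether the framework authenticated the user
     * @param authenticators the authenticators reported by the framework (not used by this handler)
     * @param authnMode      the authentication mode label (not used by this handler)
     * @return a login builder when authenticated and all checks pass, otherwise an error builder
     * @throws IdentityException if the service provider lookup or response construction fails
     */
    private SAMLResponse.SAMLResponseBuilder authenticate(SAMLMessageContext ctx, boolean authenticated, String authenticators, String authnMode) throws IdentityException {
        SAMLSSOServiceProviderDO serviceProvider = SAMLSSOUtil.getServiceProviderConfig(ctx);
        ctx.setSamlssoServiceProviderDO(serviceProvider);

        if (serviceProvider == null) {
            String message = "A Service Provider with the Issuer '" + ctx.getIssuer() + "' is not registered. Service Provider should be registered in advance.";
            if (log.isDebugEnabled()) {
                log.debug(message);
            }
            return requestorError(ctx, message, null);
        }
        if (!serviceProvider.isIdPInitSSOEnabled()) {
            String message = "IdP initiated SSO not enabled for service provider '" + ctx.getIssuer() + "'.";
            if (log.isDebugEnabled()) {
                log.debug(message);
            }
            return requestorError(ctx, message, null);
        }

        if (serviceProvider.isEnableAttributesByDefault() && serviceProvider.getAttributeConsumingServiceIndex() != null) {
            try {
                ctx.setAttributeConsumingServiceIndex(Integer.parseInt(serviceProvider.getAttributeConsumingServiceIndex()));
            } catch (NumberFormatException e) {
                // A malformed SP configuration value used to abort the whole login with an
                // unchecked exception; leave the index unset and log instead.
                log.warn("Ignoring non-numeric AttributeConsumingServiceIndex '" + serviceProvider.getAttributeConsumingServiceIndex() + "' configured for issuer '" + serviceProvider.getIssuer() + "'.");
            }
        }

        // The request may name an ACS; otherwise the SP's default applies. Either way the value must
        // exactly match one of the registered ACS URLs, which is what stops a caller-supplied acs
        // parameter from steering the assertion to an arbitrary endpoint.
        SAMLIdpInitRequest request = (SAMLIdpInitRequest) ctx.m10getRequest();
        String acs = StringUtils.isNotBlank(request.getAcs()) ? request.getAcs() : serviceProvider.getDefaultAssertionConsumerUrl();
        if (StringUtils.isBlank(acs) || !serviceProvider.getAssertionConsumerUrlList().contains(acs)) {
            String message = "ALERT: Invalid Assertion Consumer URL value '" + acs + "' in the AuthnRequest message from  the issuer '" + serviceProvider.getIssuer() + "'. Possibly an attempt for a spoofing attack";
            // Raised from DEBUG to WARN: a rejected ACS is a security event that should be visible
            // without debug logging enabled.
            log.warn(message);
            SAMLErrorResponse.SAMLErrorResponseBuilder error = requestorError(ctx, message, acs);
            // The caller replaces this with the registered default ACS before the response is sent.
            error.setAcsUrl(acs);
            return error;
        }

        if (authenticated) {
            SAMLLoginResponse.SAMLLoginResponseBuilder login = new SAMLLoginResponse.SAMLLoginResponseBuilder(ctx);
            String response = login.buildResponse();
            if (log.isDebugEnabled()) {
                // The response body carries the subject and any released attributes, so only its
                // size is logged.
                log.debug("Authentication successfully processed. Built a SAMLResponse of " + (response == null ? 0 : response.length()) + " characters.");
            }
            return login;
        }

        List<String> statusCodes = new ArrayList<String>();
        statusCodes.add(SAMLSSOConstants.StatusCodes.AUTHN_FAILURE);
        statusCodes.add(SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR);
        if (log.isDebugEnabled()) {
            log.debug("Error processing the authentication request.");
        }
        SAMLErrorResponse.SAMLErrorResponseBuilder error = new SAMLErrorResponse.SAMLErrorResponseBuilder(ctx);
        error.setErrorResponse(SAMLSSOUtil.buildErrorResponse(null, statusCodes, "Authentication Failure, invalid username or password.", null));
        // NOTE(review): this path targets the SP's login page URL rather than an ACS; kept as the
        // previous implementation had it.
        error.setAcsUrl(serviceProvider.getLoginPageURL());
        return error;
    }

    /**
     * Builds an error builder carrying a single {@code Requester} status code.
     *
     * @param ctx         the inbound SAML message context
     * @param message     the status message placed in the error response
     * @param destination the response destination, or {@code null}
     * @return the populated error builder
     * @throws IdentityException if the error response cannot be built
     */
    private SAMLErrorResponse.SAMLErrorResponseBuilder requestorError(SAMLMessageContext ctx, String message, String destination) throws IdentityException {
        SAMLErrorResponse.SAMLErrorResponseBuilder error = new SAMLErrorResponse.SAMLErrorResponseBuilder(ctx);
        error.setErrorResponse(buildErrorResponse(null, SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, destination));
        return error;
    }

    /**
     * Wraps a single status code into the list form expected by
     * {@link SAMLSSOUtil#buildErrorResponse(String, List, String, String)}.
     *
     * @param inResponseTo the request id being answered, or {@code null}
     * @param statusCode   the SAML status code
     * @param message      the status message
     * @param destination  the response destination, or {@code null}
     * @return the serialized error response
     * @throws IdentityException if the error response cannot be built
     */
    private String buildErrorResponse(String inResponseTo, String statusCode, String message, String destination) throws IdentityException {
        List<String> statusCodes = new ArrayList<String>();
        statusCodes.add(statusCode);
        return SAMLSSOUtil.buildErrorResponse(inResponseTo, statusCodes, message, destination);
    }
}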
