package com.bea.security.saml2.service.spinitiator;

import com.bea.common.security.utils.CSSPlatformProxy;
import com.bea.security.saml2.Saml2Logger;
import com.bea.security.saml2.config.SAML2ConfigSpi;
import com.bea.security.saml2.providers.registry.Endpoint;
import com.bea.security.saml2.providers.registry.WebSSOIdPPartner;
import com.bea.security.saml2.service.AbstractService;
import com.bea.security.saml2.service.SAML2Exception;
import com.bea.security.saml2.util.SAML2Constants;
import com.bea.security.saml2.util.SAML2Utils;
import com.bea.security.saml2.util.SAMLObjectBuilder;
import com.bea.security.saml2.util.cache.SAML2Cache;
import com.bea.security.saml2.util.cache.SAML2CacheFactory;
import com.bea.security.saml2.util.key.SAML2KeyManager;
import java.io.IOException;
import java.net.URL;
import java.net.URLEncoder;
import java.security.PrivateKey;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.joda.time.DateTime;
import org.opensaml.common.SAMLVersion;
import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.io.MarshallingException;

/* loaded from: input_file:com/bea/security/saml2/service/spinitiator/SPInitiatorImpl.class */
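/**
 * SP-initiated web SSO: turns an incoming request into a SAML 2.0 {@code AuthnRequest}, remembers
 * the URL the user should be returned to (keyed by the request ID), and hands the request to the
 * sender for the partner's first single-sign-on endpoint.
 *
 * <p>Two entry styles are recognised in {@link #process}:
 * <ul>
 *   <li>the explicit initiator path ({@code SAML2Constants.SP_SSO_INITIATOR_PATH}) with
 *       {@code IdpName} and {@code RequestURL} parameters, any other parameters being re-appended
 *       to {@code RequestURL} as its query string;</li>
 *   <li>any other URI that the partner cache maps to an IdP by redirect URI, in which case the
 *       request's own URL (plus query string) is the return URL.</li>
 * </ul>
 *
 * <p>Both return URLs are user-controlled. Off-WLS, and unless the
 * {@code css.saml.AllowDiffHostAccess} system property is {@code true}, they must share the host of
 * the configured published site URL; on WLS no host check is applied here.
 */
public class SPInitiatorImpl extends AbstractService {
    /** Request parameter naming the IdP partner on the explicit initiator path. */
    private static final String IDP_NAME_PARAM = "IdpName";
    /** Request parameter carrying the URL the user is returned to after SSO. */
    private static final String REQUEST_URL_PARAM = "RequestURL";
    /** System property that disables the published-site host check when not running on WLS. */
    private static final String ALLOW_DIFF_HOST_PROPERTY = "css.saml.AllowDiffHostAccess";
    /** Encoding used when re-appending request parameters to the return URL. */
    private static final String URL_ENCODING = "UTF-8";

    /** Maps each issued AuthnRequest ID to the return URL captured for that request. */
    private final SAML2Cache<String, String> authnReqCache;
    /** Key used to sign AuthnRequests; null when no SSO key is configured. */
    private final PrivateKey signkey;
    /** Read once from {@link #ALLOW_DIFF_HOST_PROPERTY}; defaults to false. */
    private final boolean allowDiffHostAccess;

    /**
     * Creates the initiator, its AuthnRequest cache and the signing key from the SSO key info.
     *
     * @param sAML2ConfigSpi configuration supplying the cache factory, key manager and partners
     */
    public SPInitiatorImpl(SAML2ConfigSpi sAML2ConfigSpi) {
        super(sAML2ConfigSpi);
        this.authnReqCache = SAML2CacheFactory.createAuthRequestCache(sAML2ConfigSpi);
        SAML2KeyManager.KeyInfo ssoKeyInfo = sAML2ConfigSpi.getSAML2KeyManager().getSSOKeyInfo();
        this.signkey = ssoKeyInfo != null ? ssoKeyInfo.getKey() : null;
        this.allowDiffHostAccess = Boolean.parseBoolean(System.getProperty(ALLOW_DIFF_HOST_PROPERTY, "false"));
    }

    /**
     * Handles one request. Returns {@code false} only when the request is not for this service
     * (SP disabled, or no enabled IdP mapped to the URI); every other outcome, including errors,
     * is answered on the response and reported as {@code true}.
     *
     * @param httpServletRequest the incoming request
     * @param httpServletResponse the response the AuthnRequest or error is written to
     * @return whether the request was consumed by this service
     * @throws ServletException propagated from the sender or error writer
     * @throws IOException propagated from the sender or error writer
     */
    @Override // com.bea.security.saml2.service.Service
    public boolean process(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        logDebug("SP initiating authn request: processing");
        try {
            if (!this.config.getLocalConfiguration().isServiceProviderEnabled()) {
                logDebug("Service provider is not enabled.");
                return false;
            }
            String requestURI = httpServletRequest.getRequestURI();
            String idpName = null;
            String returnURL;
            WebSSOIdPPartner partner;
            if (requestURI.endsWith(SAML2Constants.SP_SSO_INITIATOR_PATH)) {
                idpName = httpServletRequest.getParameter(IDP_NAME_PARAM);
                returnURL = httpServletRequest.getParameter(REQUEST_URL_PARAM);
                if (idpName == null || idpName.isEmpty() || returnURL == null || returnURL.isEmpty()) {
                    throw new SAML2Exception("Idp or request URL not specified in the request", 400);
                }
                returnURL = appendExtraParameters(returnURL, httpServletRequest);
                // RequestURL is attacker-controllable; apply the same host policy as the
                // redirect-URI branch rather than caching it unchecked.
                checkHostMatchesPublishedSite(returnURL, requestURI);
                partner = this.config.getPartnerManager().getIdPPartner(idpName);
            } else {
                StringBuffer requestURL = httpServletRequest.getRequestURL();
                String queryString = httpServletRequest.getQueryString();
                if (queryString != null) {
                    requestURL.append(SAML2Utils.NO_QUERY_PARAMS_DELIMITER).append(queryString);
                }
                returnURL = requestURL.toString();
                partner = PartnerCacheManager.getPartnerCache(this.config).getIdPByRedirectURI(requestURI);
                if (partner == null || !partner.isEnabled()) {
                    // Not a URI this SP initiates SSO for: let another service handle it.
                    return false;
                }
                checkHostMatchesPublishedSite(returnURL, requestURI);
            }
            if (partner == null) {
                throw new SAML2Exception(Saml2Logger.getNoPartnerForRequest(idpName, requestURI), 404);
            }
            if (!partner.isEnabled()) {
                throw new SAML2Exception(Saml2Logger.getIdPNotEnabled(partner.getName()), 404);
            }
            Endpoint[] ssoServices = partner.getSingleSignOnService();
            if (ssoServices == null || ssoServices.length == 0) {
                throw new SAML2Exception(Saml2Logger.getNoSSOServicesForPartner(partner.getName()), 404);
            }
            // The first listed endpoint is used; no binding preference is applied here.
            Endpoint endpoint = ssoServices[0];
            logDebug("SP initiating authn request: partner id is " + idpName);
            AuthnRequest authnRequest = createRequest(partner, endpoint);
            // Remember the return URL under the request ID; presumably looked up by the
            // response handler through getAuthnReqCache() — not visible from this class.
            this.authnReqCache.put(authnRequest.getID(), returnURL);
            logDebug("SP initiating authn request: use partner binding " + endpoint.getBinding());
            getSender(httpServletRequest, httpServletResponse, endpoint.getBinding())
                    .sendRequest(authnRequest, endpoint, partner, null, this.signkey);
            return true;
        } catch (SAML2Exception e) {
            logAndSendError(httpServletResponse, e.getHttpStatusCode(), e);
            return true;
        } catch (Exception e) {
            // Anything unexpected (malformed URL, encoding, marshalling, sender failure) is a 500.
            logAndSendError(httpServletResponse, 500, e);
            return true;
        }
    }

    /**
     * Re-appends every request parameter other than {@code IdpName} and {@code RequestURL} to the
     * return URL as a query string.
     *
     * <p>Names and values are URL-encoded: the container hands them over decoded, so appending
     * them raw would corrupt the URL (or let a value smuggle in further parameters) whenever they
     * contain {@code &}, {@code =}, {@code #} or whitespace. The separator is {@code &} rather
     * than {@code ?} when the return URL already carries a query string.
     *
     * @param returnURL the URL supplied in {@code RequestURL}
     * @param request the current request, whose parameter map is scanned
     * @return the return URL with the extra parameters appended (unchanged if there are none)
     * @throws IOException if {@link #URL_ENCODING} is not supported by the runtime
     */
    private static String appendExtraParameters(String returnURL, HttpServletRequest request) throws IOException {
        Set<String> names = request.getParameterMap().keySet();
        StringBuilder extra = new StringBuilder();
        boolean hasQuery = returnURL.indexOf('?') >= 0;
        for (String name : names) {
            if (IDP_NAME_PARAM.equals(name) || REQUEST_URL_PARAM.equals(name)) {
                continue;
            }
            String value = request.getParameter(name);
            extra.append(hasQuery || extra.length() > 0 ? '&' : '?')
                    .append(URLEncoder.encode(name, URL_ENCODING))
                    .append('=')
                    .append(URLEncoder.encode(value == null ? "" : value, URL_ENCODING));
        }
        return returnURL + extra;
    }

    /**
     * Off-WLS, and unless {@link #ALLOW_DIFF_HOST_PROPERTY} is set, rejects a return URL whose host
     * is not the host of the configured published site URL, so the URL cached for this
     * AuthnRequest cannot send the user to another host after SSO. On WLS this check is skipped
     * by the existing policy — NOTE(review): consider whether that exemption is still wanted.
     *
     * @param returnURL the URL the user will be returned to
     * @param requestURI the request URI, used only in the error message
     * @throws SAML2Exception with status 400 when the hosts differ
     * @throws IOException if either URL cannot be parsed
     */
    private void checkHostMatchesPublishedSite(String returnURL, String requestURI) throws SAML2Exception, IOException {
        if (CSSPlatformProxy.getInstance().isOnWLS() || this.allowDiffHostAccess) {
            return;
        }
        String publishedHost = new URL(this.config.getLocalConfiguration().getPublishedSiteURL()).getHost();
        String requestedHost = new URL(returnURL).getHost();
        if (!publishedHost.equalsIgnoreCase(requestedHost)) {
            logDebug("The host name in the request URL is not same as the host configured by published site URL.");
            throw new SAML2Exception(Saml2Logger.getNoPartnerForRequest(null, requestURI), 400);
        }
    }

    /** @return the cache of AuthnRequest ID to return URL populated by {@link #process}. */
    public SAML2Cache<String, String> getAuthnReqCache() {
        return this.authnReqCache;
    }

    /** Drops the partner cache held by {@code PartnerCacheManager} for this configuration. */
    public void removePartnerCache() {
        PartnerCacheManager.removePartnerCache(this.config);
    }

    /**
     * Builds a SAML 2.0 AuthnRequest for the given endpoint with a fresh random ID, the local
     * entity as issuer and the configured ForceAuthn/IsPassive flags, signing it when either the
     * local configuration or the partner requires signed requests.
     *
     * @param webSSOIdPPartner the IdP the request is addressed to
     * @param endpoint the IdP SSO endpoint used as {@code Destination}
     * @return the (possibly signed) request
     * @throws SAML2Exception if signing is required but fails or no key is configured
     */
    private AuthnRequest createRequest(WebSSOIdPPartner webSSOIdPPartner, Endpoint endpoint) throws SAML2Exception {
        AuthnRequest authnRequest = Configuration.getBuilderFactory().getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME).buildObject();
        authnRequest.setID(new SecureRandomIdentifierGenerator().generateIdentifier());
        authnRequest.setVersion(SAMLVersion.VERSION_20);
        authnRequest.setDestination(endpoint.getLocation());
        authnRequest.setIssueInstant(new DateTime());
        authnRequest.setIssuer(SAMLObjectBuilder.buildIssuer(this.config.getLocalConfiguration().getEntityID()));
        authnRequest.setForceAuthn(Boolean.valueOf(this.config.getLocalConfiguration().isForceAuthn()));
        authnRequest.setIsPassive(Boolean.valueOf(this.config.getLocalConfiguration().isPassive()));
        if (needSignRequest(webSSOIdPPartner)) {
            signAuthnRequest(authnRequest);
        }
        return authnRequest;
    }

    /**
     * Signs the request with the configured SSO key after checking the SSO certificate.
     *
     * @param authnRequest the request to sign in place
     * @throws SAML2Exception 404 when no signing key is configured, 500 when marshalling fails
     */
    private void signAuthnRequest(AuthnRequest authnRequest) throws SAML2Exception {
        if (this.signkey == null) {
            throw new SAML2Exception(Saml2Logger.getNoSignKeyFor("AuthnRequest"), 404);
        }
        try {
            checkSSOCertificate();
            SAML2Utils.signSamlObject(this.signkey, authnRequest);
        } catch (MarshallingException e) {
            // TODO(review): the cause is dropped here; only the (String, int) constructor of
            // SAML2Exception is visible from this file, so it is not re-attached.
            throw new SAML2Exception("Sign authn request error.", 500);
        }
    }

    /**
     * @param webSSOIdPPartner the target IdP
     * @return true when the local configuration signs all AuthnRequests or the partner wants them signed
     */
    private boolean needSignRequest(WebSSOIdPPartner webSSOIdPPartner) {
        return this.config.getLocalConfiguration().isSignAuthnRequests()
                || webSSOIdPPartner.isWantAuthnRequestsSigned();
    }

    /** Logs at debug level when a logger is present and debug is enabled. */
    private void logDebug(String str) {
        if (this.log == null || !this.log.isDebugEnabled()) {
            return;
        }
        this.log.debug(str);
    }
}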
