package com.bea.security.saml2.service.sso;

import com.bea.common.security.saml2.helper.PartnerImportExportHelperInt;
import com.bea.common.security.saml2.utils.SAMLContextHandler;
import com.bea.common.security.service.Identity;
import com.bea.common.security.service.LoginSession;
import com.bea.common.security.store.data.DomainRealmScopeId;
import com.bea.common.security.utils.SAML2ClassLoader;
import com.bea.security.saml2.Saml2Logger;
import com.bea.security.saml2.binding.BindingHandlerException;
import com.bea.security.saml2.binding.BindingReceiver;
import com.bea.security.saml2.config.SAML2ConfigSpi;
import com.bea.security.saml2.providers.registry.IndexedEndpoint;
import com.bea.security.saml2.providers.registry.IndexedEndpointImpl;
import com.bea.security.saml2.providers.registry.WebSSOSPPartner;
import com.bea.security.saml2.registry.PartnerManagerException;
import com.bea.security.saml2.service.AbstractService;
import com.bea.security.saml2.service.SAML2DetailedException;
import com.bea.security.saml2.service.SAML2Exception;
import com.bea.security.saml2.util.SAML2Constants;
import com.bea.security.saml2.util.SAML2Utils;
import com.bea.security.saml2.util.key.SAML2KeyManager;
import com.bea.security.utils.saml2.SSOConstants;
import java.io.IOException;
import java.net.URLEncoder;
import java.security.PrivateKey;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.io.UnmarshallingException;
import org.w3c.dom.Element;
import weblogic.security.service.AdminResource;
import weblogic.security.service.ContextElement;

/* loaded from: input_file:com/bea/security/saml2/service/sso/SSOServiceProcessor.class */
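/**
 * Identity-provider side of the SAML 2.0 Web Browser SSO profile.
 *
 * <p>{@link #process} dispatches on the request URI to one of three flows:
 * <ul>
 *   <li>an inbound {@code <samlp:AuthnRequest>} from a service provider ({@link #processAuthnRequest}),</li>
 *   <li>the return from the local login page ({@link #loginReturn}), and</li>
 *   <li>IdP-initiated SSO via the {@code /initiator} path ({@link #doInitiator}).</li>
 * </ul>
 *
 * <p>Per-exchange state (servlet request/response, resolved partner, relay state, the resolved
 * ACS endpoint and the wrapped AuthnRequest) lives in instance fields and is cleared at the start
 * of every {@link #process} call. The class is not thread-safe: an instance must not serve two
 * requests at the same time (how the caller creates instances is not visible in this file).
 *
 * <p>This is decompiled (JADX) output. The behaviour of the inherited {@code AbstractService}
 * helpers ({@code logAndSendError}, {@code getSender}, {@code checkSSOCertificate},
 * {@code getBindingTypeFromURI}) and of {@code AuthnRequestValidator} is not visible here and is
 * only described as far as this file shows it.
 */
class SSOServiceProcessor extends AbstractService {
    /** HTTP session attribute carrying the {@link AuthnRequestWrapper} across the local login round trip. */
    private static final String AUTH_REQUEST_ATTRIBUTE = "com.bea.security.saml2.attr.AuthnRequest";
    /** HTTP session attribute carrying the RelayState across the local login round trip. */
    private static final String RELAY_STATE_ATTRIBUTE = "com.bea.security.saml2.attr.RelayState";
    /** Resource handed to the credential mapping service when an assertion DOM is requested. */
    private static final AdminResource DUMMY_RESOURCE = new AdminResource("Credential Mapping", DomainRealmScopeId.REALM, PartnerImportExportHelperInt.FORMAT_SAML2);
    /** RelayState values built by {@link #doInitiator} with at least this many characters are rejected. */
    private static final int RELAY_STATE_LENGTH_LIMIT = 80;
    /** Charset used when the IdP-initiated relay URL's query string is re-encoded. */
    private static final String QUERY_CHARSET = "UTF-8";
    /** Path under the published site URL that the local login page is asked to return to. */
    private static final String LOGIN_RETURN_PATH = "/idp/sso/login-return";

    private final SAMLResponseBuilder respBuilder;
    private final AuthnRequestValidator validator;
    /** Local IdP entity ID, used as the Issuer of every Response built here. */
    private final String issuerURI;

    // Per-exchange state; see resetRequestState().
    private HttpServletRequest request;
    private HttpServletResponse response;
    private String relayState;
    private WebSSOSPPartner partner;
    /** Cached result of {@link #getACSEndpoint}; valid for the current exchange only. */
    private IndexedEndpoint targetEndpoint;
    private WrappedAuthnRequest wrappedReq;

    /**
     * Pairs the parsed {@link AuthnRequest} (null when the request was restored from the HTTP
     * session) with the lightweight {@link AuthnRequestWrapper} that is stored in the session
     * across the login round trip. JADX reports the original access modifier as private.
     */
    public static class WrappedAuthnRequest {
        private final AuthnRequest request;
        private final AuthnRequestWrapper wrapper;

        /** Restores a request from the wrapper kept in the session; no parsed document is available. */
        WrappedAuthnRequest(AuthnRequestWrapper authnRequestWrapper) {
            this.request = null;
            this.wrapper = authnRequestWrapper;
        }

        /** Wraps a freshly received request; a null request yields a wrapper with every field unset. */
        WrappedAuthnRequest(AuthnRequest authnRequest) {
            this.request = authnRequest;
            String id = null;
            String protocolBinding = null;
            String acsUrl = null;
            Integer acsIndex = null;
            String issuer = null;
            boolean forceAuthn = false;
            boolean passive = false;
            if (authnRequest != null) {
                id = authnRequest.getID();
                protocolBinding = authnRequest.getProtocolBinding();
                acsUrl = authnRequest.getAssertionConsumerServiceURL();
                acsIndex = authnRequest.getAssertionConsumerServiceIndex();
                if (authnRequest.getIssuer() != null) {
                    issuer = authnRequest.getIssuer().getValue();
                }
                // ForceAuthn / IsPassive are optional in the request; absent is treated as false.
                if (authnRequest.isForceAuthn() != null) {
                    forceAuthn = authnRequest.isForceAuthn().booleanValue();
                }
                if (authnRequest.isPassive() != null) {
                    passive = authnRequest.isPassive().booleanValue();
                }
            }
            this.wrapper = new AuthnRequestWrapper(id, protocolBinding, acsUrl, acsIndex, issuer, forceAuthn, passive);
        }

        /** The parsed request, or null when this instance was restored from the session. */
        public AuthnRequest getAuthnRequest() {
            return this.request;
        }

        public AuthnRequestWrapper getAuthnRequestWrapper() {
            return this.wrapper;
        }

        /**
         * @return the request's Issuer value
         * @throws SAML2Exception when the request carries no Issuer (default status code)
         */
        public String getIssuer() throws SAML2Exception {
            String issuer = this.wrapper.getIssuer();
            if (issuer == null) {
                throw new SAML2Exception(Saml2Logger.getInvalidIssuer("<samlp:AuthnRequest>", null));
            }
            return issuer;
        }

        public boolean isForceAuthn() {
            return this.wrapper.isForceAuthn();
        }

        public boolean isPassive() {
            return this.wrapper.isPassive();
        }

        public String getID() {
            return this.wrapper.getID();
        }

        public String getProtocolBinding() {
            return this.wrapper.getProtocolBinding();
        }

        public String getAssertionConsumerServiceURL() {
            return this.wrapper.getAssertionConsumerServiceURL();
        }

        public Integer getAssertionConsumerServiceIndex() {
            return this.wrapper.getAssertionConsumerServiceIndex();
        }
    }

    /**
     * @param sAML2ConfigSpi SAML2 configuration; its local configuration's entity ID becomes the
     *     Issuer of every Response built by this processor
     */
    public SSOServiceProcessor(SAML2ConfigSpi sAML2ConfigSpi) {
        super(sAML2ConfigSpi);
        this.wrappedReq = new WrappedAuthnRequest((AuthnRequest) null);
        this.validator = new AuthnRequestValidator(sAML2ConfigSpi);
        this.respBuilder = new SAMLResponseBuilder();
        this.issuerURI = sAML2ConfigSpi.getLocalConfiguration().getEntityID();
    }

    /**
     * Entry point: routes the request by URI suffix and turns any failure into an HTTP error
     * through {@code logAndSendError}.
     *
     * @return always {@code true}; errors are reported on the response, never by the return value
     */
    @Override // com.bea.security.saml2.service.Service
    public boolean process(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        resetRequestState(httpServletRequest, httpServletResponse);
        String requestURI = httpServletRequest.getRequestURI();
        try {
            if (requestURI.endsWith(SAML2Constants.LOGIN_RETURN_URI) || requestURI.endsWith(SAML2Constants.IDP_DEFAULT_LOGIN_PATH)) {
                loginReturn();
            } else if (requestURI.endsWith("/initiator")) {
                doInitiator();
            } else {
                processAuthnRequest();
            }
        } catch (SAML2Exception e) {
            logAndSendError(httpServletResponse, e.getHttpStatusCode(), e);
        } catch (Exception e) {
            // Boundary catch: anything unexpected becomes a 500 instead of an unhandled servlet error.
            logAndSendError(httpServletResponse, 500, e);
        }
        return true;
    }

    /**
     * Binds the processor to the current exchange and drops everything left over from an
     * earlier call, so a reused instance cannot answer with a previous request's partner,
     * relay state or cached ACS endpoint.
     */
    private void resetRequestState(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        this.request = httpServletRequest;
        this.response = httpServletResponse;
        this.relayState = null;
        this.partner = null;
        this.targetEndpoint = null;
        this.wrappedReq = new WrappedAuthnRequest((AuthnRequest) null);
    }

    /**
     * SP-initiated flow: receives the AuthnRequest over the binding named by the URI, resolves
     * and verifies the partner, then either issues the Response right away (user already
     * authenticated) or redirects to the local login page.
     *
     * <p>SAML-level failures inside the validation/response stage are answered with a SAML
     * error Response via {@link #sendErrorResponse}; note that this path resolves the ACS
     * endpoint from the request even when {@code validate()} has not run yet (for example
     * when signature verification throws).
     */
    private void processAuthnRequest() throws IOException, ServletException, SAML2Exception {
        String bindingType = getBindingTypeFromURI(this.request, this.response);
        checkBindingTypeEnabled(bindingType);
        BindingReceiver receiver = receive(bindingType);
        // getIssuer() rejects a request without an Issuer; the partner lookup needs it.
        lookupPartnerByIssuer(this.wrappedReq.getIssuer());
        try {
            this.validator.verifySignature(this.partner, receiver, this.wrappedReq.getAuthnRequest());
            this.validator.validate(this.partner, this.wrappedReq.getAuthnRequest(), this.request.getRequestURI());
            if (this.wrappedReq.isForceAuthn() && this.wrappedReq.isPassive()) {
                throw new SAML2DetailedException(Saml2Logger.getCantForceAuthnAndInPassiveBothTrue(), 400);
            }
            if (this.wrappedReq.isForceAuthn()) {
                // ForceAuthn: end the current local session so the user has to log in again.
                logoutUser();
            }
            if (isUserAuthenticated()) {
                sendResponse();
            } else if (this.wrappedReq.isPassive()) {
                throw new SAML2DetailedException(Saml2Logger.getCantAuthnUserInPassiveMode(), 403);
            } else {
                forwardToLoginPage();
            }
        } catch (SAML2DetailedException e) {
            sendErrorResponse(e, this.wrappedReq.getID());
        } catch (SAML2Exception e) {
            logAndSendError(this.response, e.getHttpStatusCode(), e);
        }
    }

    /**
     * Resolves the SP partner registered for {@code issuer} into {@link #partner}.
     *
     * @throws SAML2Exception 404 when no partner is registered for the issuer, 500 when the
     *     partner manager lookup itself fails; a registered but disabled partner raises a
     *     {@link SAML2DetailedException} with 404
     */
    private void lookupPartnerByIssuer(String issuer) throws SAML2Exception {
        try {
            this.partner = (WebSSOSPPartner) this.config.getPartnerManager().findServiceProviderByIssuerURI(issuer);
        } catch (PartnerManagerException e) {
            throw new SAML2Exception(Saml2Logger.getFindSPPartnerByIssuerURIError(issuer), 500);
        }
        if (this.partner == null) {
            throw new SAML2Exception(Saml2Logger.getNoSPPartnerWithIssuerURI(issuer), 404);
        }
        if (!this.partner.isEnabled()) {
            throw new SAML2DetailedException(Saml2Logger.getSPPartnerIsDisabled(this.partner.getName()), 404);
        }
    }

    /**
     * Rejects the inbound binding when the local IdP configuration has it switched off.
     *
     * @param bindingType short binding name as returned by {@code getBindingTypeFromURI}
     * @throws SAML2Exception when the binding is disabled (default status code)
     */
    private void checkBindingTypeEnabled(String bindingType) throws SAML2Exception {
        if ("HTTP/Artifact".equals(bindingType) && !this.config.getLocalConfiguration().isIdentityProviderArtifactBindingEnabled()) {
            throw new SAML2Exception(Saml2Logger.getBindingUnenabled("HTTP/Artifact"));
        }
        if ("HTTP/POST".equals(bindingType) && !this.config.getLocalConfiguration().isIdentityProviderPOSTBindingEnabled()) {
            throw new SAML2Exception(Saml2Logger.getBindingUnenabled("HTTP/POST"));
        }
        if ("HTTP/Redirect".equals(bindingType) && !this.config.getLocalConfiguration().isIdentityProviderRedirectBindingEnabled()) {
            throw new SAML2Exception(Saml2Logger.getBindingUnenabled("HTTP/Redirect"));
        }
    }

    /**
     * Return leg of the local login round trip: picks the AuthnRequest wrapper and RelayState
     * that {@link #forwardToLoginPage} stored in the HTTP session, removes them (so a second
     * visit gets 404), re-resolves the partner and sends the Response.
     *
     * <p>Session access runs under the wrapped thread context class loader; the decompiled
     * original had empty {@code finally} blocks here, which would have left the thread's
     * context class loader switched if {@code getSession()} or a session call threw.
     *
     * @throws SAML2Exception 403 for an unauthenticated user, 404 when no AuthnRequest is
     *     pending in the session, plus the partner lookup failures
     */
    private void loginReturn() throws IOException, SAML2Exception {
        if (!isUserAuthenticated()) {
            throw new SAML2Exception(Saml2Logger.getUnauthenticatedUserAccessingLoginReturn(), 403);
        }
        HttpSession session;
        ClassLoader originalLoader = pushThreadContextClassLoader();
        try {
            session = this.request.getSession();
        } finally {
            popThreadContextClassLoader(originalLoader);
        }
        AuthnRequestWrapper authnRequestWrapper = (AuthnRequestWrapper) session.getAttribute(AUTH_REQUEST_ATTRIBUTE);
        this.wrappedReq = new WrappedAuthnRequest(authnRequestWrapper);
        if (authnRequestWrapper == null) {
            throw new SAML2Exception(Saml2Logger.getNoAuthnRequestInSession(), 404);
        }
        this.relayState = (String) session.getAttribute(RELAY_STATE_ATTRIBUTE);
        originalLoader = pushThreadContextClassLoader();
        try {
            // One-shot: the pending request is consumed before the Response is produced.
            session.removeAttribute(AUTH_REQUEST_ATTRIBUTE);
            session.removeAttribute(RELAY_STATE_ATTRIBUTE);
        } finally {
            popThreadContextClassLoader(originalLoader);
        }
        lookupPartnerByIssuer(this.wrappedReq.getIssuer());
        sendResponse();
    }

    /**
     * IdP-initiated SSO: the caller is already authenticated locally and names the target
     * service provider via the {@code SSOConstants.SP_NAME_PARAM} request parameter. An
     * optional {@code SSOConstants.REQUEST_URL_PARAM}, with every other request parameter
     * re-encoded as its query string, becomes the RelayState.
     *
     * @throws SAML2Exception 403 for an unauthenticated user, 404 for an unknown or disabled
     *     partner, 500 when the partner lookup fails, and the default status when the partner
     *     name parameter is missing or the RelayState reaches {@link #RELAY_STATE_LENGTH_LIMIT}
     */
    private void doInitiator() throws IOException, SAML2Exception {
        if (!isUserAuthenticated()) {
            throw new SAML2Exception(Saml2Logger.getUnauthenticatedUserAccessingIdpInitiator(), 403);
        }
        String partnerName = this.request.getParameter(SSOConstants.SP_NAME_PARAM);
        if (partnerName == null) {
            throw new SAML2Exception(Saml2Logger.getNoRequiredParamForIdpInitator(SSOConstants.SP_NAME_PARAM));
        }
        try {
            this.partner = (WebSSOSPPartner) this.config.getPartnerManager().getSPPartner(partnerName);
        } catch (PartnerManagerException e) {
            throw new SAML2Exception(Saml2Logger.getFindSPPartnerByNameError(partnerName), 500);
        }
        if (this.partner == null) {
            throw new SAML2Exception(Saml2Logger.getCantFindPartnerFromName(partnerName), 404);
        }
        if (!this.partner.isEnabled()) {
            throw new SAML2DetailedException(Saml2Logger.getSPPartnerIsDisabled(partnerName), 404);
        }
        String requestURL = this.request.getParameter(SSOConstants.REQUEST_URL_PARAM);
        if (requestURL != null) {
            // Only build a relay target when a base URL was supplied; the original also
            // concatenated onto a missing base, yielding a RelayState starting with "null".
            String relay = requestURL + buildRelayQueryString();
            if (relay.length() >= RELAY_STATE_LENGTH_LIMIT) {
                throw new SAML2Exception(Saml2Logger.getRelayStateTooLong());
            }
            this.relayState = relay;
        }
        sendResponse();
    }

    /**
     * Re-encodes every request parameter except the two IdP-initiator ones into a query string
     * ({@code "?a=b&c=d"}, or {@code ""} when there are none) to append to the relay URL.
     * {@code getParameter} returns decoded values, so names and values are URL-encoded again;
     * the original appended them raw, which produced a malformed URL for values containing
     * {@code &}, {@code =} or spaces.
     *
     * @throws IOException only as {@code UnsupportedEncodingException} if UTF-8 were unavailable
     */
    private String buildRelayQueryString() throws IOException {
        StringBuilder query = new StringBuilder();
        Set<String> names = this.request.getParameterMap().keySet();
        for (String name : names) {
            if (SSOConstants.SP_NAME_PARAM.equals(name) || SSOConstants.REQUEST_URL_PARAM.equals(name)) {
                continue;
            }
            String value = this.request.getParameter(name);
            query.append(query.length() == 0 ? '?' : '&')
                    .append(URLEncoder.encode(name, QUERY_CHARSET))
                    .append('=')
                    .append(value == null ? "" : URLEncoder.encode(value, QUERY_CHARSET));
        }
        return query.toString();
    }

    /**
     * Reads the inbound document over the given binding, records its RelayState and stores the
     * AuthnRequest in {@link #wrappedReq}.
     *
     * @return the receiver, later needed by the validator for signature verification
     * @throws SAML2Exception when the binding handler fails (its own status code) or the
     *     document is not an AuthnRequest (default status code)
     */
    private BindingReceiver receive(String bindingType) throws SAML2Exception {
        try {
            BindingReceiver receiver = this.config.getBindingHandlerFactory().newBindingReceiver(bindingType, this.request, this.response);
            this.relayState = receiver.getRelayState();
            AuthnRequest received = receiver.receiveRequest();
            // The decompiled local type makes this look redundant; it presumably guards a wider
            // return type of receiveRequest(). Guard the message against a null document too.
            if (!(received instanceof AuthnRequest)) {
                String actualType = received == null ? "null" : received.getClass().getName();
                throw new SAML2Exception(Saml2Logger.getReceivedNonAuthnRequestDoc(actualType));
            }
            this.wrappedReq = new WrappedAuthnRequest(received);
            return receiver;
        } catch (BindingHandlerException e) {
            throw new SAML2Exception(Saml2Logger.getFailedToReceiveDocument("AuthnRequest"), e, e.getHttpStatusCode());
        }
    }

    /**
     * Parks the pending AuthnRequest wrapper and RelayState in the HTTP session and redirects
     * the browser to the configured login URL, telling it (via the configured query parameter,
     * if any) to come back to {@code publishedSiteURL + /idp/sso/login-return}.
     *
     * @throws SAML2Exception 404 when no login URL is configured
     */
    private void forwardToLoginPage() throws IOException, ServletException, SAML2Exception {
        ClassLoader originalLoader = pushThreadContextClassLoader();
        try {
            HttpSession session = this.request.getSession();
            session.setAttribute(AUTH_REQUEST_ATTRIBUTE, this.wrappedReq.getAuthnRequestWrapper());
            session.setAttribute(RELAY_STATE_ATTRIBUTE, this.relayState);
        } finally {
            popThreadContextClassLoader(originalLoader);
        }
        String loginURL = this.config.getLocalConfiguration().getLoginURL();
        String loginReturnQueryParameter = this.config.getLocalConfiguration().getLoginReturnQueryParameter();
        String loginReturnURL = this.config.getLocalConfiguration().getPublishedSiteURL() + LOGIN_RETURN_PATH;
        if (loginURL == null || loginURL.trim().length() == 0) {
            throw new SAML2Exception(Saml2Logger.getNoLoginURLIsConfigured(), 404);
        }
        if (loginReturnQueryParameter != null && loginReturnQueryParameter.trim().length() > 0) {
            loginURL = loginURL + "?" + loginReturnQueryParameter + "=" + loginReturnURL;
        }
        this.response.sendRedirect(SAML2Utils.ENABLE_URL_REWRITING ? this.response.encodeRedirectURL(loginURL) : loginURL);
    }

    /**
     * Builds the assertion for the current identity and sends the Response to the resolved ACS
     * endpoint. Failures are reported on the response: binding and generic SAML errors as HTTP
     * errors, detailed SAML errors as a SAML error Response.
     */
    private void sendResponse() throws IOException {
        Identity currentIdentity = getCurrentIdentity();
        String inResponseTo = this.wrappedReq.getID();
        try {
            IndexedEndpoint acsEndpoint = getACSEndpoint();
            Assertion assertion = getAssertionForUser(currentIdentity, this.wrappedReq, acsEndpoint.getLocation());
            checkSSOCertificate();
            // Resolved once: getPrivateKey() logs a warning each time no key is configured.
            PrivateKey signingKey = getPrivateKey();
            getSender(this.request, this.response, acsEndpoint.getBinding()).sendResponse(this.respBuilder.buildResponse(assertion, acsEndpoint.getLocation(), inResponseTo, this.issuerURI, signingKey), acsEndpoint, this.partner, this.relayState, signingKey);
        } catch (BindingHandlerException e) {
            logAndSendError(this.response, e.getHttpStatusCode(), e);
        } catch (SAML2DetailedException e) {
            sendErrorResponse(e, inResponseTo);
        } catch (SAML2Exception e) {
            logAndSendError(this.response, e.getHttpStatusCode(), e);
        }
    }

    /**
     * @return the configured SSO signing key, or {@code null} (after a warning) when none is
     *     configured; callers hand that null to the response builder and sender, whose handling
     *     of an absent key is not visible here
     */
    private PrivateKey getPrivateKey() {
        SAML2KeyManager.KeyInfo ssoKeyInfo = this.config.getSAML2KeyManager().getSSOKeyInfo();
        if (ssoKeyInfo != null) {
            return ssoKeyInfo.getKey();
        }
        this.log.warn(Saml2Logger.getNoSignKeyFor("<Response>"));
        return null;
    }

    /**
     * Asks the credential mapping service for a {@code "SAML2.Assertion.DOM"} credential for
     * {@code identity}, passing InResponseTo, recipient endpoint, partner name and local entity
     * ID as context elements, and unmarshals the returned DOM element.
     *
     * @param recipientLocation ACS location the assertion is addressed to
     * @throws SAML2DetailedException 404 when no assertion element comes back, 500 when it
     *     cannot be unmarshalled
     */
    private Assertion getAssertionForUser(Identity identity, WrappedAuthnRequest wrappedAuthnRequest, String recipientLocation) throws SAML2DetailedException {
        SAMLContextHandler contextHandler = new SAMLContextHandler();
        if (wrappedAuthnRequest.getID() != null) {
            contextHandler.addElement(new ContextElement("com.bea.contextelement.saml2.InResponseTo", wrappedAuthnRequest.getID()));
        }
        contextHandler.addElement(new ContextElement("com.bea.contextelement.saml2.RecipientEndpoint", recipientLocation));
        contextHandler.addElement(new ContextElement("com.bea.contextelement.saml2.PartnerName", this.partner.getName()));
        contextHandler.addElement(new ContextElement("com.bea.contextelement.saml2.EntityID", this.config.getLocalConfiguration().getEntityID()));
        Object[] credentials = this.config.getCredentialMappingService().getCredentials(identity, identity, DUMMY_RESOURCE, contextHandler, "SAML2.Assertion.DOM");
        if (credentials == null || credentials.length == 0 || !(credentials[0] instanceof Element)) {
            throw new SAML2DetailedException(Saml2Logger.getCantGenerateAssertion(), 404);
        }
        Element element = (Element) credentials[0];
        try {
            // The mapper is expected to hand back an Assertion; any other element type fails the cast.
            return (Assertion) Configuration.getUnmarshallerFactory().getUnmarshaller(element).unmarshall(element);
        } catch (UnmarshallingException e) {
            throw new SAML2DetailedException(Saml2Logger.getFailedToUnmashallAssertion(), e, 500);
        }
    }

    /**
     * Sends a SAML Response carrying the exception's Status (no assertion) to the resolved ACS
     * endpoint. Because {@link #getACSEndpoint} may fall back to the location named in the
     * AuthnRequest, this can address a request-supplied URL; see the note on that method.
     *
     * @param inResponseTo ID of the AuthnRequest being answered (may be null)
     */
    private void sendErrorResponse(SAML2DetailedException detailedException, String inResponseTo) throws IOException {
        if (this.log.isDebugEnabled()) {
            this.log.debug(detailedException.getMessage(), detailedException);
        }
        try {
            IndexedEndpoint acsEndpoint = getACSEndpoint();
            checkSSOCertificate();
            PrivateKey signingKey = getPrivateKey();
            getSender(this.request, this.response, acsEndpoint.getBinding()).sendResponse(this.respBuilder.buildErrorResponse(acsEndpoint.getLocation(), inResponseTo, this.issuerURI, signingKey, detailedException.getStatus(), detailedException.getMessage()), acsEndpoint, this.partner, this.relayState, signingKey);
        } catch (SAML2Exception e) {
            logAndSendError(this.response, e.getHttpStatusCode(), e);
        }
    }

    /**
     * Resolves (and caches in {@link #targetEndpoint} for this exchange) the assertion consumer
     * service the Response goes to, in this order:
     * <ol>
     *   <li>the partner endpoint whose index equals the request's AssertionConsumerServiceIndex;</li>
     *   <li>an endpoint built from the request's own AssertionConsumerServiceURL and ProtocolBinding;</li>
     *   <li>the partner endpoint flagged as default;</li>
     *   <li>the partner's first endpoint.</li>
     * </ol>
     * Step 2 takes the location straight from the request. Any check that it belongs to this
     * partner has to come from {@code AuthnRequestValidator.validate} (not visible here), and
     * {@link #sendErrorResponse} can reach this method before validate() has run.
     * NOTE(review): confirm where that check is enforced.
     *
     * @throws SAML2Exception 404 when the partner has no ACS endpoint at all
     */
    private IndexedEndpoint getACSEndpoint() throws SAML2Exception {
        if (this.targetEndpoint != null) {
            return this.targetEndpoint;
        }
        IndexedEndpoint[] acsEndpoints = this.partner.getAssertionConsumerService();
        if (acsEndpoints == null || acsEndpoints.length == 0) {
            throw new SAML2Exception(Saml2Logger.getNoACSServiceInPartner(this.partner.getName()), 404);
        }
        if (this.wrappedReq != null) {
            Integer requestedIndex = this.wrappedReq.getAssertionConsumerServiceIndex();
            if (requestedIndex != null) {
                for (IndexedEndpoint endpoint : acsEndpoints) {
                    if (endpoint.getIndex() == requestedIndex.intValue()) {
                        this.targetEndpoint = endpoint;
                        return endpoint;
                    }
                }
            }
            String requestedBinding = convertSAMLBinding(this.wrappedReq.getProtocolBinding());
            String requestedLocation = this.wrappedReq.getAssertionConsumerServiceURL();
            if (requestedBinding != null && requestedLocation != null) {
                IndexedEndpointImpl fromRequest = new IndexedEndpointImpl();
                fromRequest.setLocation(requestedLocation);
                fromRequest.setBinding(requestedBinding);
                this.targetEndpoint = fromRequest;
                return this.targetEndpoint;
            }
        }
        for (IndexedEndpoint endpoint : acsEndpoints) {
            if (endpoint.isDefaultSet() && endpoint.isDefault()) {
                this.targetEndpoint = endpoint;
                return endpoint;
            }
        }
        this.targetEndpoint = acsEndpoints[0];
        return this.targetEndpoint;
    }

    /** @return whether a non-anonymous identity is bound to the current thread */
    private boolean isUserAuthenticated() {
        return getCurrentIdentity() != null;
    }

    /**
     * @return the identity service's current identity when it is non-null and not anonymous,
     *     otherwise {@code null}; looked up under the wrapped thread context class loader
     */
    private Identity getCurrentIdentity() {
        ClassLoader originalLoader = pushThreadContextClassLoader();
        try {
            Identity currentIdentity = this.config.getIdentityService().getCurrentIdentity();
            if (currentIdentity != null && !currentIdentity.isAnonymous()) {
                return currentIdentity;
            }
            return null;
        } finally {
            popThreadContextClassLoader(originalLoader);
        }
    }

    /** Logs out the session of the current non-anonymous identity, if the session service has one. */
    private void logoutUser() {
        ClassLoader originalLoader = pushThreadContextClassLoader();
        try {
            Identity currentIdentity = this.config.getIdentityService().getCurrentIdentity();
            if (currentIdentity == null || currentIdentity.isAnonymous()) {
                return;
            }
            LoginSession session = this.config.getSessionService().getSession(currentIdentity);
            if (session != null) {
                this.config.getSessionService().logout(session);
            }
        } finally {
            popThreadContextClassLoader(originalLoader);
        }
    }

    /**
     * Switches the thread context class loader to the one wrapped by a {@link SAML2ClassLoader}
     * (no-op for any other loader) and returns the loader that
     * {@link #popThreadContextClassLoader} must restore in a {@code finally}.
     */
    private static ClassLoader pushThreadContextClassLoader() {
        Thread currentThread = Thread.currentThread();
        ClassLoader original = currentThread.getContextClassLoader();
        if (original instanceof SAML2ClassLoader) {
            currentThread.setContextClassLoader(((SAML2ClassLoader) original).getThreadConextClassLoader());
        }
        return original;
    }

    /** Restores the thread context class loader returned by {@link #pushThreadContextClassLoader}. */
    private static void popThreadContextClassLoader(ClassLoader original) {
        Thread.currentThread().setContextClassLoader(original);
    }

    /**
     * Maps a SAML 2.0 binding URI to the short binding name used by the binding handlers.
     *
     * @return the short name, or {@code null} for an unknown or null URI
     */
    private static String convertSAMLBinding(String bindingURI) {
        if ("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact".equals(bindingURI)) {
            return "HTTP/Artifact";
        }
        if ("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".equals(bindingURI)) {
            return "HTTP/Redirect";
        }
        if ("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".equals(bindingURI)) {
            return "HTTP/POST";
        }
        if ("urn:oasis:names:tc:SAML:2.0:bindings:SOAP".equals(bindingURI)) {
            return "SOAP";
        }
        return null;
    }
}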
