package edu.internet2.middleware.shibboleth.idp.provider;

import edu.internet2.middleware.shibboleth.aa.AAException;
import edu.internet2.middleware.shibboleth.common.LocalPrincipal;
import edu.internet2.middleware.shibboleth.common.NameIdentifierMappingException;
import edu.internet2.middleware.shibboleth.common.RelyingParty;
import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
import edu.internet2.middleware.shibboleth.idp.IdPProtocolSupport;
import edu.internet2.middleware.shibboleth.idp.InvalidClientDataException;
import edu.internet2.middleware.shibboleth.metadata.Endpoint;
import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
import edu.internet2.middleware.shibboleth.metadata.SPSSODescriptor;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.Vector;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.namespace.QName;
import org.apache.log4j.Logger;
import org.bouncycastle.util.encoders.Base64;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAttribute;
import org.opensaml.SAMLAttributeStatement;
import org.opensaml.SAMLAudienceRestrictionCondition;
import org.opensaml.SAMLAuthenticationStatement;
import org.opensaml.SAMLAuthorityBinding;
import org.opensaml.SAMLException;
import org.opensaml.SAMLNameIdentifier;
import org.opensaml.SAMLRequest;
import org.opensaml.SAMLResponse;
import org.opensaml.SAMLStatement;
import org.opensaml.SAMLSubject;
import org.opensaml.SAMLSubjectStatement;
import org.opensaml.artifact.Artifact;
import org.w3c.dom.Element;

/* loaded from: input_file:edu/internet2/middleware/shibboleth/idp/provider/ShibbolethV1SSOHandler.class */
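/**
 * Protocol handler for the Shibboleth 1.x browser SSO profile (SAML 1.1).
 *
 * <p>For each request the handler takes the authenticated principal from the servlet
 * container, resolves the requesting service provider (relying party), builds a SAML
 * authentication assertion (optionally carrying pushed attributes) and delivers it to the
 * service provider either through the Browser/POST profile or the Browser/Artifact profile,
 * chosen from the provider's metadata and the relying party's configured default.
 *
 * <p>Trust boundaries that follow from the code below and matter when deploying it:
 * <ul>
 *   <li>The principal name is read from {@code REMOTE_USER} or from the request header named
 *       by the IdP configuration, and the authentication method from the
 *       {@code SAMLAuthenticationMethod} request header. The handler does not verify either
 *       value; it relies on the container or fronting web server to set them and to strip
 *       client-supplied copies.</li>
 *   <li>The assertion consumer URL ({@code shire} parameter) is checked against the provider's
 *       metadata only when the relying party is not a legacy provider and metadata for it is
 *       found. For legacy providers, and when no metadata resolves, the response is delivered
 *       to the URL supplied in the request.</li>
 * </ul>
 *
 * <p>Reconstructed from a decompiled class file; decompiler artifacts (the synthetic
 * {@code class$0} static initializer and an impossible statement assignment) were replaced
 * with the equivalent source.
 */
public class ShibbolethV1SSOHandler extends SSOHandler implements IdPProtocolHandler {

    private static final Logger log = Logger.getLogger(ShibbolethV1SSOHandler.class.getName());

    /** SAML 1.1 protocol URI used to select the SP role descriptor from metadata. */
    private static final String SAML11_PROTOCOL = "urn:oasis:names:tc:SAML:1.1:protocol";

    /** Validity window of the issued authentication assertion, in milliseconds (5 minutes). */
    private static final long AUTHN_ASSERTION_LIFETIME_MS = 300000L;

    private static final String POST_PROFILE_BINDING = "urn:oasis:names:tc:SAML:1.0:profiles:browser-post";
    private static final String ARTIFACT_PROFILE_BINDING = "urn:oasis:names:tc:SAML:1.0:profiles:artifact-01";

    /**
     * Whether attributes are pushed with the authentication assertion under the POST profile
     * when the relying party neither forces nor forbids pushing. The artifact profile always
     * passes {@code true} instead of this default.
     */
    public static boolean pushAttributeDefault = false;

    /**
     * Creates the handler from its configuration element.
     *
     * @param element the handler's configuration element, passed to {@link SSOHandler}
     * @throws ShibbolethConfigurationException if the base handler rejects the configuration
     */
    public ShibbolethV1SSOHandler(Element element) throws ShibbolethConfigurationException {
        super(element);
    }

    /**
     * Handles one Shibboleth 1.x SSO request and delivers the response to the service provider.
     *
     * <p>The response is written directly (a redirect for the artifact profile, a forwarded
     * form for the POST profile), so this method always returns {@code null} on success.
     * Client-data validation failures are converted into a responder-side {@link SAMLException}
     * carrying the validation message.
     *
     * @param httpServletRequest the browser request; must carry {@code shire} and {@code target}
     *        parameters and a container-provided principal
     * @param httpServletResponse the response used for the redirect or the forwarded form
     * @param sAMLRequest not used: this profile is initiated by query parameters, not a SAML request
     * @param idPProtocolSupport access to IdP configuration, metadata, name mapping and signing
     * @return always {@code null}; the response has already been written
     * @throws SAMLException on invalid client data, a name-identifier mapping failure, or a
     *         missing request object
     * @throws ServletException if forwarding to the POST form fails
     * @throws IOException if writing the response fails
     */
    @Override
    public SAMLResponse processRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SAMLRequest sAMLRequest, IdPProtocolSupport idPProtocolSupport) throws SAMLException, ServletException, IOException {
        RelyingParty relyingParty;
        if (httpServletRequest == null) {
            log.error("Protocol Handler received a SAML Request, but is unable to handle it.");
            throw new SAMLException(SAMLException.RESPONDER, "General error processing request.");
        }
        // Exposed to the error/form JSPs as request attributes.
        httpServletRequest.setAttribute("shire", httpServletRequest.getParameter("shire"));
        httpServletRequest.setAttribute("target", httpServletRequest.getParameter("target"));
        try {
            validateEngineData(httpServletRequest);
            validateShibSpecificData(httpServletRequest);

            // The principal comes from the container (REMOTE_USER) or from a header a trusted
            // front end is expected to set; nothing here verifies it.
            String authHeaderName = idPProtocolSupport.getIdPConfig().getAuthHeaderName();
            String remoteUser = authHeaderName.equalsIgnoreCase("REMOTE_USER")
                    ? httpServletRequest.getRemoteUser()
                    : httpServletRequest.getHeader(authHeaderName);
            if (remoteUser == null || remoteUser.equals("")) {
                throw new InvalidClientDataException("Unauthenticated principal. This protocol handler requires that authentication information be provided from the servlet container.");
            }
            LocalPrincipal localPrincipal = new LocalPrincipal(remoteUser);

            // A missing providerId means a pre-1.2 ("legacy") service provider.
            String providerIdParam = httpServletRequest.getParameter("providerId");
            if (providerIdParam == null) {
                relyingParty = idPProtocolSupport.getServiceProviderMapper().getLegacyRelyingParty();
            } else {
                if (providerIdParam.equals("")) {
                    throw new InvalidClientDataException("Invalid service provider id.");
                }
                log.debug("Remote provider has identified itself as: (" + providerIdParam + ").");
                relyingParty = idPProtocolSupport.getServiceProviderMapper().getRelyingParty(providerIdParam);
            }

            EntityDescriptor descriptor = idPProtocolSupport.lookup(relyingParty.getProviderId());
            String acceptanceURL = httpServletRequest.getParameter("shire");
            // The consumer URL is only validated against metadata for non-legacy providers with
            // resolvable metadata; in every other case the request-supplied URL is used as is.
            if (!relyingParty.isLegacyProvider()) {
                if (descriptor == null) {
                    log.info("No metadata found for provider: (" + relyingParty.getProviderId() + ").");
                    relyingParty = idPProtocolSupport.getServiceProviderMapper().getRelyingParty(null);
                } else {
                    if (!isValidAssertionConsumerURL(descriptor, acceptanceURL)) {
                        log.error("Assertion consumer service URL (" + acceptanceURL + ") is NOT valid for provider (" + relyingParty.getProviderId() + ").");
                        throw new InvalidClientDataException("Invalid assertion consumer service URL.");
                    }
                    log.info("Supplied consumer URL validated for this provider.");
                }
            }

            try {
                SAMLNameIdentifier nameIdentifier = getNameIdentifier(idPProtocolSupport.getNameMapper(), localPrincipal, relyingParty, descriptor);

                // Authentication method: request header if present, else the relying party's default.
                String authMethod = httpServletRequest.getHeader("SAMLAuthenticationMethod");
                if (authMethod == null || authMethod.equals("")) {
                    authMethod = relyingParty.getDefaultAuthMethod().toString();
                    log.debug("User was authenticated via the default method for this relying party (" + authMethod + ").");
                } else {
                    log.debug("User was authenticated via the method (" + authMethod + ").");
                }

                SAMLSubject sAMLSubject = new SAMLSubject(nameIdentifier, (Collection) null, (Element) null, (Object) null);
                boolean useArtifact = useArtifactProfile(descriptor, acceptanceURL, relyingParty);
                if (relyingParty.isLegacyProvider() || !useArtifact) {
                    respondWithPOST(httpServletRequest, httpServletResponse, idPProtocolSupport, localPrincipal, relyingParty, descriptor, acceptanceURL, nameIdentifier, authMethod, sAMLSubject);
                } else {
                    respondWithArtifact(httpServletRequest, httpServletResponse, idPProtocolSupport, localPrincipal, relyingParty, descriptor, acceptanceURL, nameIdentifier, authMethod, sAMLSubject);
                }
                return null;
            } catch (NameIdentifierMappingException e) {
                log.error("Error converting principal to SAML Name Identifier: " + e);
                throw new SAMLException("Error converting principal to SAML Name Identifier.", e);
            }
        } catch (InvalidClientDataException e2) {
            throw new SAMLException(SAMLException.RESPONDER, e2.getMessage());
        }
    }

    /**
     * Delivers the assertion(s) via the Browser/Artifact profile: generates one artifact per
     * assertion and redirects the browser to the consumer URL with {@code TARGET} and
     * {@code SAMLart} query parameters. Attributes are always considered for pushing under
     * this profile (subject to the relying party's force/no-push settings).
     *
     * @param httpServletRequest the browser request
     * @param httpServletResponse the response receiving the redirect
     * @param idPProtocolSupport IdP services (attribute release, signing, artifact mapping, logging)
     * @param localPrincipal the authenticated principal
     * @param relyingParty the resolved relying party
     * @param entityDescriptor the provider's metadata, or {@code null} if none was found
     * @param str the assertion consumer URL the browser is redirected to
     * @param sAMLNameIdentifier the subject's name identifier
     * @param str2 the authentication method URI
     * @param sAMLSubject the subject placed in the authentication statement
     * @throws SAMLException on assertion or artifact generation failure
     * @throws IOException if the redirect cannot be sent
     * @throws UnsupportedEncodingException never in practice; UTF-8 is always available
     */
    private void respondWithArtifact(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, IdPProtocolSupport idPProtocolSupport, LocalPrincipal localPrincipal, RelyingParty relyingParty, EntityDescriptor entityDescriptor, String str, SAMLNameIdentifier sAMLNameIdentifier, String str2, SAMLSubject sAMLSubject) throws SAMLException, IOException, UnsupportedEncodingException {
        log.debug("Responding with Artifact profile.");
        ArrayList assertions = new ArrayList();
        sAMLSubject.addConfirmationMethod("urn:oasis:names:tc:SAML:1.0:cm:artifact");
        assertions.add(generateAuthNAssertion(httpServletRequest, relyingParty, entityDescriptor, sAMLNameIdentifier, str2, getAuthNTime(httpServletRequest), sAMLSubject));
        if (!relyingParty.isLegacyProvider() && pushAttributes(true, relyingParty)) {
            log.info("Resolving attributes for push.");
            generateAttributes(idPProtocolSupport, localPrincipal, relyingParty, assertions, httpServletRequest);
        }
        signAssertionsIfRequired(idPProtocolSupport, relyingParty, entityDescriptor, assertions);

        ArrayList artifacts = new ArrayList();
        for (int i = 0; i < assertions.size(); i++) {
            SAMLAssertion sAMLAssertion = (SAMLAssertion) assertions.get(i);
            Artifact generateArtifact = idPProtocolSupport.getArtifactMapper().generateArtifact(sAMLAssertion, relyingParty);
            artifacts.add(generateArtifact);
            if (idPProtocolSupport.getTransactionLog().isDebugEnabled()) {
                Iterator statements = sAMLAssertion.getStatements();
                while (statements.hasNext()) {
                    SAMLStatement statement = (SAMLStatement) statements.next();
                    if (statement instanceof SAMLAttributeStatement) {
                        Iterator attributes = ((SAMLAttributeStatement) statement).getAttributes();
                        StringBuffer attributeNames = new StringBuffer();
                        while (attributes.hasNext()) {
                            attributeNames.append("(" + ((SAMLAttribute) attributes.next()).getName() + ")");
                        }
                        // Logged once per statement with the complete list; the original logged
                        // a partial list on every loop iteration.
                        idPProtocolSupport.getTransactionLog().debug("Artifact (" + generateArtifact.encode() + ") created with the following attributes: " + attributeNames.toString());
                    }
                }
            }
        }

        // Query values are URL-encoded; the consumer URL itself is used as supplied/validated.
        StringBuffer redirectURL = new StringBuffer(str);
        redirectURL.append("?TARGET=");
        redirectURL.append(URLEncoder.encode(httpServletRequest.getParameter("target"), "UTF-8"));
        StringBuffer artifactList = new StringBuffer();
        Iterator it = artifacts.iterator();
        while (it.hasNext()) {
            Artifact artifact = (Artifact) it.next();
            artifactList.append("(" + artifact.encode() + ")");
            redirectURL.append("&SAMLart=");
            redirectURL.append(URLEncoder.encode(artifact.encode(), "UTF-8"));
        }
        log.debug("Redirecting to (" + redirectURL.toString() + ").");
        httpServletResponse.sendRedirect(redirectURL.toString());
        idPProtocolSupport.getTransactionLog().info("Assertion artifact(s) (" + artifactList.toString() + ") issued to provider (" + relyingParty.getProviderId() + ") on behalf of principal (" + localPrincipal.getName() + "). Name Identifier: (" + sAMLNameIdentifier.getName() + "). Name Identifier Format: (" + sAMLNameIdentifier.getFormat() + ").");
    }

    /**
     * Delivers the assertion(s) via the Browser/POST profile: wraps them in a signed
     * {@link SAMLResponse} and forwards to the form JSP, which posts it to the consumer URL.
     * Attribute pushing under this profile is governed by {@link #pushAttributeDefault}
     * unless the relying party forces or forbids it.
     *
     * @param httpServletRequest the browser request
     * @param httpServletResponse the response the form is written to
     * @param idPProtocolSupport IdP services (attribute release, signing, logging)
     * @param localPrincipal the authenticated principal
     * @param relyingParty the resolved relying party
     * @param entityDescriptor the provider's metadata, or {@code null} if none was found
     * @param str the assertion consumer URL (SAML response recipient and form action)
     * @param sAMLNameIdentifier the subject's name identifier
     * @param str2 the authentication method URI
     * @param sAMLSubject the subject placed in the authentication statement
     * @throws SAMLException on assertion or response generation/signing failure
     * @throws IOException if the forward fails
     * @throws ServletException if the forward fails
     */
    private void respondWithPOST(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, IdPProtocolSupport idPProtocolSupport, LocalPrincipal localPrincipal, RelyingParty relyingParty, EntityDescriptor entityDescriptor, String str, SAMLNameIdentifier sAMLNameIdentifier, String str2, SAMLSubject sAMLSubject) throws SAMLException, IOException, ServletException {
        log.debug("Responding with POST profile.");
        ArrayList assertions = new ArrayList();
        sAMLSubject.addConfirmationMethod("urn:oasis:names:tc:SAML:1.0:cm:bearer");
        assertions.add(generateAuthNAssertion(httpServletRequest, relyingParty, entityDescriptor, sAMLNameIdentifier, str2, getAuthNTime(httpServletRequest), sAMLSubject));
        if (!relyingParty.isLegacyProvider() && pushAttributes(pushAttributeDefault, relyingParty)) {
            log.info("Resolving attributes for push.");
            generateAttributes(idPProtocolSupport, localPrincipal, relyingParty, assertions, httpServletRequest);
        }
        signAssertionsIfRequired(idPProtocolSupport, relyingParty, entityDescriptor, assertions);

        httpServletRequest.setAttribute("acceptanceURL", str);
        httpServletRequest.setAttribute("target", httpServletRequest.getParameter("target"));
        SAMLResponse sAMLResponse = new SAMLResponse((String) null, str, assertions, (SAMLException) null);
        idPProtocolSupport.signResponse(sAMLResponse, relyingParty);
        createPOSTForm(httpServletRequest, httpServletResponse, sAMLResponse.toBase64());
        if (relyingParty.isLegacyProvider()) {
            idPProtocolSupport.getTransactionLog().info("Authentication assertion issued to legacy provider (SHIRE: " + httpServletRequest.getParameter("shire") + ") on behalf of principal (" + localPrincipal.getName() + ") for resource (" + httpServletRequest.getParameter("target") + "). Name Identifier: (" + sAMLNameIdentifier.getName() + "). Name Identifier Format: (" + sAMLNameIdentifier.getFormat() + ").");
        } else {
            idPProtocolSupport.getTransactionLog().info("Authentication assertion issued to provider (" + relyingParty.getProviderId() + ") on behalf of principal (" + localPrincipal.getName() + "). Name Identifier: (" + sAMLNameIdentifier.getName() + "). Name Identifier Format: (" + sAMLNameIdentifier.getFormat() + ").");
        }
    }

    /**
     * Signs the assertions when either the relying party configuration or the provider's
     * SAML 1.1 SP descriptor ({@code WantAssertionsSigned}) asks for it.
     *
     * @param idPProtocolSupport provides the signing operation
     * @param relyingParty the resolved relying party
     * @param entityDescriptor the provider's metadata, or {@code null}
     * @param assertions list of {@link SAMLAssertion}; signed in place
     * @throws SAMLException if signing fails
     */
    private static void signAssertionsIfRequired(IdPProtocolSupport idPProtocolSupport, RelyingParty relyingParty, EntityDescriptor entityDescriptor, ArrayList assertions) throws SAMLException {
        boolean metadataWantsSigned = false;
        if (entityDescriptor != null) {
            SPSSODescriptor spDescriptor = entityDescriptor.getSPSSODescriptor(SAML11_PROTOCOL);
            if (spDescriptor != null && spDescriptor.getWantAssertionsSigned()) {
                metadataWantsSigned = true;
            }
        }
        if (relyingParty.wantsAssertionsSigned() || metadataWantsSigned) {
            idPProtocolSupport.signAssertions((SAMLAssertion[]) assertions.toArray(new SAMLAssertion[0]), relyingParty);
        }
    }

    /**
     * Collects the audience URIs for an assertion: the relying party's provider id, its name
     * (when different), and the {@code providerId} request parameter (when present and not
     * already listed).
     *
     * @param relyingParty the resolved relying party
     * @param httpServletRequest the browser request
     * @return a mutable, possibly empty list of audience strings
     */
    private static ArrayList buildAudiences(RelyingParty relyingParty, HttpServletRequest httpServletRequest) {
        ArrayList audiences = new ArrayList();
        if (relyingParty.getProviderId() != null) {
            audiences.add(relyingParty.getProviderId());
        }
        if (relyingParty.getName() != null && !relyingParty.getName().equals(relyingParty.getProviderId())) {
            audiences.add(relyingParty.getName());
        }
        String providerIdParam = httpServletRequest.getParameter("providerId");
        if (providerIdParam != null && !providerIdParam.equals("") && !audiences.contains(providerIdParam)) {
            audiences.add(providerIdParam);
        }
        return audiences;
    }

    /**
     * Resolves the principal's releasable attributes and adds them to the response, either
     * merged into the existing authentication assertion (when the relying party is configured
     * for a single assertion) or as a separate attribute assertion whose lifetime is the
     * longest attribute lifetime, in seconds.
     *
     * @param idPProtocolSupport provides attribute release
     * @param localPrincipal the authenticated principal
     * @param relyingParty the resolved relying party
     * @param arrayList list of {@link SAMLAssertion}; element 0 must be the authentication
     *        assertion, whose subject is cloned for the attribute statement
     * @param httpServletRequest the browser request (source of the {@code providerId} audience)
     * @throws SAMLException if attribute resolution or subject cloning fails (details are
     *         logged; the client receives a generic responder error)
     */
    private void generateAttributes(IdPProtocolSupport idPProtocolSupport, LocalPrincipal localPrincipal, RelyingParty relyingParty, ArrayList arrayList, HttpServletRequest httpServletRequest) throws SAMLException {
        try {
            SAMLAttribute[] releaseAttributes = idPProtocolSupport.getReleaseAttributes(localPrincipal, relyingParty, relyingParty.getProviderId(), null);
            // Null check first: the original read .length before testing for null and would
            // have failed with NullPointerException instead of logging.
            if (releaseAttributes == null || releaseAttributes.length < 1) {
                log.info("No attributes resolved.");
                return;
            }
            log.info("Found " + releaseAttributes.length + " attribute(s) for " + localPrincipal.getName());

            SAMLSubject sAMLSubject = (SAMLSubject) ((SAMLSubjectStatement) ((SAMLAssertion) arrayList.get(0)).getStatements().next()).getSubject().clone();
            if (relyingParty.singleAssertion()) {
                log.debug("merging attributes into existing authn assertion");
                ((SAMLAssertion) arrayList.get(0)).addStatement(new SAMLAttributeStatement(sAMLSubject, Arrays.asList(releaseAttributes)));
                if (log.isDebugEnabled()) {
                    log.debug("Dumping combined Assertion:" + System.getProperty("line.separator") + arrayList.get(0).toString());
                }
                return;
            }

            SAMLAudienceRestrictionCondition audienceCondition = new SAMLAudienceRestrictionCondition(buildAudiences(relyingParty, httpServletRequest));
            SAMLAttributeStatement attributeStatement = new SAMLAttributeStatement(sAMLSubject, Arrays.asList(releaseAttributes));
            // Assertion validity = longest attribute lifetime (seconds).
            long maxLifetimeSeconds = 0;
            for (int i = 0; i < releaseAttributes.length; i++) {
                if (maxLifetimeSeconds < releaseAttributes[i].getLifetime()) {
                    maxLifetimeSeconds = releaseAttributes[i].getLifetime();
                }
            }
            Date now = new Date();
            SAMLAssertion attributeAssertion = new SAMLAssertion(relyingParty.getIdentityProvider().getProviderId(), now, new Date(now.getTime() + (maxLifetimeSeconds * 1000)), Collections.singleton(audienceCondition), (Collection) null, Collections.singleton(attributeStatement));
            arrayList.add(attributeAssertion);
            if (log.isDebugEnabled()) {
                log.debug("Dumping generated Attribute Assertion:" + System.getProperty("line.separator") + attributeAssertion.toString());
            }
        } catch (AAException e) {
            log.error("An error was encountered while generating assertion for attribute push: " + e);
            throw new SAMLException(SAMLException.RESPONDER, "General error processing request.");
        } catch (CloneNotSupportedException e2) {
            log.error("An error was encountered while generating assertion for attribute push: " + e2);
            throw new SAMLException(SAMLException.RESPONDER, "General error processing request.");
        }
    }

    /**
     * Builds the authentication assertion. Legacy (Shibboleth &lt;= 1.1) providers get the
     * host name from the IdP signing certificate's subject DN as issuer and an authority
     * binding pointing at the attribute authority; others get the configured provider id.
     *
     * @param httpServletRequest the browser request (client address and {@code providerId})
     * @param relyingParty the resolved relying party
     * @param entityDescriptor the provider's metadata; not consulted here
     * @param sAMLNameIdentifier the subject's name identifier; not consulted here
     * @param str the authentication method URI
     * @param date the authentication instant
     * @param sAMLSubject the subject of the authentication statement
     * @return an unsigned assertion valid for {@link #AUTHN_ASSERTION_LIFETIME_MS}
     * @throws SAMLException if a legacy issuer cannot be derived from the signing certificate,
     *         or assertion construction fails
     * @throws IOException declared for the underlying SAML library
     */
    private SAMLAssertion generateAuthNAssertion(HttpServletRequest httpServletRequest, RelyingParty relyingParty, EntityDescriptor entityDescriptor, SAMLNameIdentifier sAMLNameIdentifier, String str, Date date, SAMLSubject sAMLSubject) throws SAMLException, IOException {
        ArrayList audiences = buildAudiences(relyingParty, httpServletRequest);

        String issuer;
        if (relyingParty.isLegacyProvider()) {
            log.debug("Service Provider is running Shibboleth <= 1.1. Using old style issuer.");
            if (relyingParty.getIdentityProvider().getSigningCredential() == null || relyingParty.getIdentityProvider().getSigningCredential().getX509Certificate() == null) {
                throw new SAMLException("Cannot serve legacy style assertions without an X509 certificate");
            }
            issuer = getHostNameFromDN(relyingParty.getIdentityProvider().getSigningCredential().getX509Certificate().getSubjectX500Principal());
            if (issuer == null || issuer.equals("")) {
                throw new SAMLException("Error parsing certificate DN while determining legacy issuer name.");
            }
        } else {
            issuer = relyingParty.getIdentityProvider().getProviderId();
        }

        ArrayList authorityBindings = new ArrayList();
        if (relyingParty.isLegacyProvider()) {
            authorityBindings.add(new SAMLAuthorityBinding("urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding", relyingParty.getAAUrl().toString(), new QName("urn:oasis:names:tc:SAML:1.0:protocol", "AttributeQuery")));
        }

        Vector conditions = new Vector(1);
        if (audiences.size() > 0) {
            conditions.add(new SAMLAudienceRestrictionCondition(audiences));
        }
        long now = System.currentTimeMillis();
        SAMLAssertion sAMLAssertion = new SAMLAssertion(issuer, new Date(now), new Date(now + AUTHN_ASSERTION_LIFETIME_MS), conditions, (Collection) null, Arrays.asList(new SAMLAuthenticationStatement(sAMLSubject, str, date, httpServletRequest.getRemoteAddr(), (String) null, authorityBindings)));
        if (log.isDebugEnabled()) {
            log.debug("Dumping generated AuthN Assertion:" + System.getProperty("line.separator") + sAMLAssertion.toString());
        }
        return sAMLAssertion;
    }

    /** @return the human-readable name of this handler */
    @Override
    public String getHandlerName() {
        return "Shibboleth v1.x SSO";
    }

    /**
     * Requires the profile's {@code target} and {@code shire} parameters to be present and non-empty.
     *
     * @param httpServletRequest the browser request
     * @throws InvalidClientDataException if either parameter is missing or empty
     */
    private void validateShibSpecificData(HttpServletRequest httpServletRequest) throws InvalidClientDataException {
        String target = httpServletRequest.getParameter("target");
        if (target == null || target.equals("")) {
            throw new InvalidClientDataException("Invalid data from Service Provider: no target URL received.");
        }
        String shire = httpServletRequest.getParameter("shire");
        if (shire == null || shire.equals("")) {
            throw new InvalidClientDataException("Invalid data from Service Provider: No acceptance URL received.");
        }
    }

    /**
     * Publishes the Base64 response as the {@code assertion} request attribute and forwards
     * to {@code /IdP.jsp}, which renders the auto-submitting POST form. Escaping of the
     * {@code assertion}, {@code acceptanceURL} and {@code target} attributes is the JSP's
     * responsibility.
     *
     * @param httpServletRequest the browser request
     * @param httpServletResponse the response the form is written to
     * @param bArr the Base64-encoded SAML response
     * @throws IOException if the forward fails
     * @throws ServletException if the forward fails
     */
    private static void createPOSTForm(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, byte[] bArr) throws IOException, ServletException {
        httpServletRequest.setAttribute("assertion", new String(bArr, "ASCII"));
        if (log.isDebugEnabled()) {
            // Debug dump of the decoded XML; uses the platform default charset.
            log.debug("Dumping generated SAML Response:" + System.getProperty("line.separator") + new String(Base64.decode(bArr)));
        }
        httpServletRequest.getRequestDispatcher("/IdP.jsp").forward(httpServletRequest, httpServletResponse);
    }

    /**
     * Chooses between the artifact and POST profiles for the given consumer URL.
     *
     * <p>Order of precedence: the binding of the metadata default endpoint when its location
     * matches {@code str}; otherwise, if the metadata lists the URL under exactly one of the
     * two bindings, that binding; otherwise the relying party's configured default.
     *
     * @param entityDescriptor the provider's metadata, or {@code null}
     * @param str the assertion consumer URL supplied by the client
     * @param relyingParty the resolved relying party
     * @return {@code true} to use the artifact profile, {@code false} for POST
     */
    private static boolean useArtifactProfile(EntityDescriptor entityDescriptor, String str, RelyingParty relyingParty) {
        boolean artifactSupported = false;
        boolean postSupported = false;
        SPSSODescriptor spDescriptor = entityDescriptor == null ? null : entityDescriptor.getSPSSODescriptor(SAML11_PROTOCOL);
        if (spDescriptor != null) {
            Endpoint defaultEndpoint = spDescriptor.getAssertionConsumerServiceManager().getDefaultEndpoint();
            // Guarded: the original dereferenced the default endpoint and its location unconditionally.
            if (defaultEndpoint != null && str.equals(defaultEndpoint.getLocation())) {
                if (POST_PROFILE_BINDING.equals(defaultEndpoint.getBinding())) {
                    return false;
                }
                if (ARTIFACT_PROFILE_BINDING.equals(defaultEndpoint.getBinding())) {
                    return true;
                }
            }
            Iterator postEndpoints = spDescriptor.getAssertionConsumerServiceManager().getEndpoints();
            while (postEndpoints.hasNext()) {
                Endpoint endpoint = (Endpoint) postEndpoints.next();
                if (str.equals(endpoint.getLocation()) && POST_PROFILE_BINDING.equals(endpoint.getBinding())) {
                    log.debug("Metadata indicates support for POST profile.");
                    postSupported = true;
                }
            }
            Iterator artifactEndpoints = spDescriptor.getAssertionConsumerServiceManager().getEndpoints();
            while (artifactEndpoints.hasNext()) {
                Endpoint endpoint = (Endpoint) artifactEndpoints.next();
                if (str.equals(endpoint.getLocation()) && ARTIFACT_PROFILE_BINDING.equals(endpoint.getBinding())) {
                    log.debug("Metadata indicates support for Artifact profile.");
                    artifactSupported = true;
                }
            }
        }
        if (artifactSupported && !postSupported) {
            return true;
        }
        if (postSupported && !artifactSupported) {
            return false;
        }
        return !relyingParty.defaultToPOSTProfile();
    }

    /**
     * Decides whether attributes are pushed: a forced push wins, then a forced no-push,
     * then the supplied default.
     *
     * @param z the default when the relying party expresses no preference
     * @param relyingParty the resolved relying party
     * @return {@code true} to push attributes with the authentication assertion
     */
    private static boolean pushAttributes(boolean z, RelyingParty relyingParty) {
        if (relyingParty.forceAttributePush()) {
            return true;
        }
        return !relyingParty.forceAttributeNoPush() && z;
    }

    /**
     * Checks that the client-supplied consumer URL is one of the assertion consumer service
     * locations in the provider's SAML 1.1 SP descriptor (exact string match).
     *
     * @param entityDescriptor the provider's metadata; must not be {@code null}
     * @param str the assertion consumer URL supplied by the client
     * @return {@code true} if the URL is listed; {@code false} if not, or if the metadata has
     *         no SAML 1.1 SP descriptor
     * @throws InvalidClientDataException declared for callers; not thrown by this implementation
     */
    private static boolean isValidAssertionConsumerURL(EntityDescriptor entityDescriptor, String str) throws InvalidClientDataException {
        SPSSODescriptor spDescriptor = entityDescriptor.getSPSSODescriptor(SAML11_PROTOCOL);
        if (spDescriptor == null) {
            log.info("Inappropriate metadata for provider.");
            return false;
        }
        Iterator endpoints = spDescriptor.getAssertionConsumerServiceManager().getEndpoints();
        while (endpoints.hasNext()) {
            if (str.equals(((Endpoint) endpoints.next()).getLocation())) {
                return true;
            }
        }
        log.info("Supplied consumer URL not found in metadata.");
        return false;
    }
}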
