package edu.internet2.middleware.shibboleth.idp.provider;

import edu.internet2.middleware.shibboleth.artifact.ArtifactMapping;
import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
import edu.internet2.middleware.shibboleth.idp.IdPProtocolSupport;
import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
import edu.internet2.middleware.shibboleth.metadata.SPSSODescriptor;
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLException;
import org.opensaml.SAMLRequest;
import org.opensaml.SAMLResponse;
import org.opensaml.artifact.Artifact;
import org.w3c.dom.Element;

/* loaded from: input_file:edu/internet2/middleware/shibboleth/idp/provider/SAMLv1_1ArtifactQueryHandler.class */
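/**
 * IdP protocol handler that dereferences SAML 1.1 artifacts back into the assertions
 * they were issued for (the SAML 1.1 browser/artifact profile back-channel call).
 *
 * <p>Authentication model, as implemented below:
 * <ul>
 *   <li>The requester must present <em>some</em> authenticator up front: a TLS client
 *       certificate with a non-empty subject, or an XML signature on the request.</li>
 *   <li>Which service provider that authenticator has to belong to is only known once an
 *       artifact has been resolved, so the credential is validated against the metadata of
 *       the SP the artifact was issued to, once per resolved artifact. A TLS certificate
 *       that does not validate, or a signature that does not validate, fails the whole
 *       request even if the other authenticator is fine.</li>
 *   <li>Artifacts that cannot be mapped, or whose mapping has expired, are skipped. If some
 *       but not all artifacts resolve the request fails; if none resolve an empty response
 *       (no assertions, no error status) is returned.</li>
 * </ul>
 *
 * <p>NOTE(review): whether {@code recoverAssertion} removes the mapping (one-time use, so a
 * captured artifact cannot be replayed) is decided by the {@code ArtifactMapper}
 * implementation, not here — confirm before relying on it.
 */
public class SAMLv1_1ArtifactQueryHandler extends BaseServiceHandler implements IdPProtocolHandler {

    private static final Logger log = Logger.getLogger(SAMLv1_1ArtifactQueryHandler.class.getName());

    /** Protocol URI used to select the requester's SP role descriptor from metadata. */
    private static final String SAML11_PROTOCOL = "urn:oasis:names:tc:SAML:1.1:protocol";

    /** Servlet attribute under which the container exposes the TLS client certificate chain. */
    private static final String X509_REQUEST_ATTRIBUTE = "javax.servlet.request.X509Certificate";

    /**
     * @param element handler configuration element, passed through to {@link BaseServiceHandler}
     * @throws ShibbolethConfigurationException if the base handler rejects the configuration
     */
    public SAMLv1_1ArtifactQueryHandler(Element element) throws ShibbolethConfigurationException {
        super(element);
    }

    /** @return the human-readable name this handler is reported under */
    @Override // edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler
    public String getHandlerName() {
        return "SAML v1.1 Artifact Query";
    }

    /**
     * Resolves every artifact in {@code sAMLRequest} and returns the matching assertions.
     *
     * @param httpServletRequest  the transport request; only its TLS client-certificate attribute is read
     * @param httpServletResponse unused, kept for the {@link IdPProtocolHandler} contract
     * @param sAMLRequest         the artifact request, optionally signed
     * @param idPProtocolSupport  access to the artifact mapper, metadata, trust engine and transaction log
     * @return a response carrying all resolved assertions, or none if no artifact could be resolved
     * @throws SAMLException with {@code REQUESTER} status when the requester is unauthenticated, when
     *                       the request carries no artifacts, when the SP an artifact was issued to is
     *                       unknown in metadata, when the presented credential is not valid for that SP,
     *                       or when only a subset of the artifacts could be dereferenced
     * @throws IOException      declared by the handler contract
     * @throws ServletException declared by the handler contract
     */
    @Override // edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler
    public SAMLResponse processRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
            SAMLRequest sAMLRequest, IdPProtocolSupport idPProtocolSupport)
            throws SAMLException, IOException, ServletException {
        log.info("Received a request to dereference assertion artifacts.");

        X509Certificate[] clientCerts = (X509Certificate[]) httpServletRequest.getAttribute(X509_REQUEST_ATTRIBUTE);

        // First gate: reject callers with no authenticator at all. The credential is NOT yet
        // checked against any SP here; that happens per artifact once we know who it was issued to.
        if (hasSubjectBearingCertificate(clientCerts)) {
            log.info("Request contains TLS credential: (" + subjectName(clientCerts[0]) + ").");
        } else if (sAMLRequest.isSigned()) {
            log.info("Request is signed, will authenticate it later.");
        } else {
            log.info("Request is from an unauthenticated serviceprovider.");
            throw new SAMLException(SAMLException.REQUESTER,
                    "SAML Artifacts cannot be dereferenced for unauthenticated requesters.");
        }

        Iterator<?> artifacts = sAMLRequest.getArtifacts();
        if (!artifacts.hasNext()) {
            log.error("Protocol Handler received a SAML Request, but is unable to handle it.  No artifacts were included in the request.");
            throw new SAMLException(SAMLException.REQUESTER, "General error processing request.");
        }

        List<SAMLAssertion> assertions = new ArrayList<SAMLAssertion>();
        StringBuilder dereferenced = new StringBuilder();
        int requested = 0;

        while (artifacts.hasNext()) {
            requested++;
            Artifact artifact = (Artifact) artifacts.next();
            log.info("Dereferencing artifact: (" + artifact.encode() + ").");

            ArtifactMapping mapping = idPProtocolSupport.getArtifactMapper().recoverAssertion(artifact);
            if (mapping == null) {
                log.info("Could not map artifact to a SAML Assertion.");
                continue;
            }
            if (mapping.isExpired()) {
                log.error("Artifact is expired.  Skipping...");
                continue;
            }

            String providerId = mapping.getServiceProviderId();
            SPSSODescriptor spRole = lookupSPRole(idPProtocolSupport, providerId);

            // The artifact is bound to the SP it was issued to: whatever the requester presented
            // must validate against THAT provider's metadata, so one SP cannot redeem another's artifacts.
            authenticateRequester(idPProtocolSupport, sAMLRequest, clientCerts, spRole, providerId);
            log.debug("Supplied credentials validated for the provider to which this artifact was issued.");

            assertions.add(mapping.getAssertion());
            dereferenced.append("(").append(artifact.encode()).append(")");
        }

        // All-or-nothing: a partially resolvable request is an error, while a request where
        // nothing resolved deliberately yields an empty (assertion-less) response.
        if (assertions.size() > 0 && assertions.size() != requested) {
            throw new SAMLException(SAMLException.REQUESTER, "Unable to successfully dereference all artifacts.");
        }

        SAMLResponse response = new SAMLResponse(sAMLRequest.getId(), (String) null, assertions, (SAMLException) null);
        if (log.isDebugEnabled()) {
            log.debug("Dumping generated SAML Response:" + System.getProperty("line.separator") + response.toString());
        }
        idPProtocolSupport.getTransactionLog().info("Succesfully dereferenced the following artifacts: " + dereferenced.toString());
        return response;
    }

    /** True when the container handed us a chain whose leaf certificate carries a non-empty subject DN. */
    private static boolean hasSubjectBearingCertificate(X509Certificate[] certs) {
        return certs != null && certs.length != 0 && !subjectName(certs[0]).equals("");
    }

    /** RFC 2253 rendering of the certificate's subject, used only for logging. */
    private static String subjectName(X509Certificate cert) {
        return cert.getSubjectX500Principal().getName("RFC2253");
    }

    /**
     * Finds the SAML 1.1 SP role for {@code providerId} in metadata.
     *
     * @throws SAMLException if the entity is unknown or has no SAML 1.1 SPSSO role
     */
    private static SPSSODescriptor lookupSPRole(IdPProtocolSupport support, String providerId) throws SAMLException {
        EntityDescriptor entity = support.lookup(providerId);
        if (entity == null) {
            log.info("No metadata found for provider: (" + providerId + ").");
            throw new SAMLException(SAMLException.REQUESTER, "Invalid service provider.");
        }
        SPSSODescriptor spRole = entity.getSPSSODescriptor(SAML11_PROTOCOL);
        if (spRole == null) {
            log.info("SPSSO role not found in metadata for provider: (" + providerId + ").");
            throw new SAMLException(SAMLException.REQUESTER, "Invalid service provider role.");
        }
        return spRole;
    }

    /**
     * Validates the requester's credential(s) against the role descriptor of the SP an artifact
     * was issued to. Both a presented TLS certificate and a request signature are checked when
     * present, and each must validate on its own.
     *
     * @throws SAMLException if a presented credential is not valid for {@code providerId}, or if
     *                       neither a certificate nor a signature was presented
     */
    private static void authenticateRequester(IdPProtocolSupport support, SAMLRequest request,
            X509Certificate[] certs, SPSSODescriptor spRole, String providerId) throws SAMLException {
        boolean authenticated = false;

        // Note the weaker condition than the first gate: any non-empty chain is validated here,
        // so a certificate with an empty subject is still checked rather than ignored.
        if (certs != null && certs.length > 0) {
            if (!support.getTrust().validate(certs[0], certs, spRole)) {
                log.error("Supplied TLS credential (" + subjectName(certs[0]) + ") is NOT valid for provider ("
                        + providerId + "), to whom this artifact was issued.");
                throw new SAMLException(SAMLException.REQUESTER, "Invalid credential.");
            }
            authenticated = true;
        }

        if (request.isSigned()) {
            if (!support.getTrust().validate(request, spRole)) {
                log.error("Signed SAML request message did NOT contain a valid signature from provider ("
                        + providerId + "), to whom this artifact was issued.");
                throw new SAMLException(SAMLException.REQUESTER, "Invalid signature.");
            }
            authenticated = true;
        }

        // Defense in depth: the first gate in processRequest already rejects callers with no
        // authenticator, so this branch is not expected to be reachable.
        if (!authenticated) {
            log.info("Request could not be authenticated.");
            throw new SAMLException(SAMLException.REQUESTER,
                    "SAML Artifacts cannot be dereferenced for unauthenticated requesters.");
        }
    }
}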
