package edu.internet2.middleware.shibboleth.idp.provider;

import edu.internet2.middleware.shibboleth.aa.AAException;
import edu.internet2.middleware.shibboleth.common.InvalidNameIdentifierException;
import edu.internet2.middleware.shibboleth.common.NameIdentifierMapping;
import edu.internet2.middleware.shibboleth.common.NameIdentifierMappingException;
import edu.internet2.middleware.shibboleth.common.RelyingParty;
import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
import edu.internet2.middleware.shibboleth.idp.IdPProtocolSupport;
import edu.internet2.middleware.shibboleth.idp.provider.BaseServiceHandler;
import edu.internet2.middleware.shibboleth.metadata.AttributeRequesterDescriptor;
import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
import edu.internet2.middleware.shibboleth.metadata.SPSSODescriptor;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAttribute;
import org.opensaml.SAMLAttributeDesignator;
import org.opensaml.SAMLAttributeQuery;
import org.opensaml.SAMLAttributeStatement;
import org.opensaml.SAMLAudienceRestrictionCondition;
import org.opensaml.SAMLException;
import org.opensaml.SAMLNameIdentifier;
import org.opensaml.SAMLRequest;
import org.opensaml.SAMLResponse;
import org.opensaml.SAMLSubject;
import org.w3c.dom.Element;

/* loaded from: input_file:edu/internet2/middleware/shibboleth/idp/provider/SAMLv1_AttributeQueryHandler.class */
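/**
 * IdP protocol handler for SAML 1.1 attribute queries.
 *
 * <p>Processing flow (see {@link #processRequest}): the requester is identified from its TLS
 * client certificate chain and the query's Resource attribute via {@link #authenticateAs}; a
 * requester that cannot be matched to metadata is served as the <em>anonymous</em> relying party
 * rather than rejected. The subject's name identifier is then mapped to a local principal,
 * releasable attributes are resolved, and an audience-restricted (optionally signed) assertion
 * is returned.
 */
public class SAMLv1_AttributeQueryHandler extends BaseServiceHandler implements IdPProtocolHandler {

    private static Logger log;
    // Cache slot for the javac 1.4-era class-literal idiom used by the static initializer below.
    static Class class$0;

    static {
        // Resolve this class once by name and cache it; the logger is keyed on the class name.
        Class<?> cls = class$0;
        if (cls == null) {
            try {
                cls = Class.forName("edu.internet2.middleware.shibboleth.idp.provider.SAMLv1_AttributeQueryHandler");
                class$0 = cls;
            } catch (ClassNotFoundException e) {
                // Fix: the message must come from the exception; the decompiled listing read it
                // from the (still null) Class reference, which has no getMessage() and would NPE.
                throw new NoClassDefFoundError(e.getMessage());
            }
        }
        log = Logger.getLogger(cls.getName());
    }

    /**
     * Creates the handler from its configuration element.
     *
     * @param element the handler's configuration element, passed to {@link BaseServiceHandler}
     * @throws ShibbolethConfigurationException if the base handler rejects the configuration
     */
    public SAMLv1_AttributeQueryHandler(Element element) throws ShibbolethConfigurationException {
        super(element);
    }

    /** @return the human-readable name of this handler. */
    @Override // edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler
    public String getHandlerName() {
        return "SAML v1.1 Attribute Query";
    }

    /**
     * Attempts to authenticate the requester as {@code providerId} using the presented certificate chain.
     *
     * <p>Outcomes, in order of evaluation:
     * <ul>
     *   <li>no metadata for {@code providerId}, or no SAML 1.1 AttributeRequester / SPSSO role in it:
     *       returns {@code null} (the caller then tries other candidate names or falls back to the
     *       anonymous relying party — an unknown requester is not an error here);</li>
     *   <li>metadata found but the chain validates against neither role's trust configuration:
     *       throws {@link BaseServiceHandler.InvalidProviderCredentialException};</li>
     *   <li>chain validates against at least one role: returns {@code providerId}.</li>
     * </ul>
     *
     * @param providerId candidate entity id of the requester
     * @param credentials the TLS client certificate chain; must be non-empty (the caller checks this)
     * @param idPProtocolSupport metadata lookup and trust engine
     * @return {@code providerId} if the credentials validate for it, else {@code null} if no usable
     *     metadata exists
     * @throws BaseServiceHandler.InvalidProviderCredentialException if metadata exists for
     *     {@code providerId} but the credentials do not validate for it
     */
    private String authenticateAs(String providerId, X509Certificate[] credentials, IdPProtocolSupport idPProtocolSupport) throws BaseServiceHandler.InvalidProviderCredentialException {
        EntityDescriptor lookup = idPProtocolSupport.lookup(providerId);
        if (lookup == null) {
            log.info(new StringBuffer("No metadata found for providerId: (").append(providerId).append(").").toString());
            return null;
        }
        log.info(new StringBuffer("Metadata found for providerId: (").append(providerId).append(").").toString());
        AttributeRequesterDescriptor attributeRequesterDescriptor = lookup.getAttributeRequesterDescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
        SPSSODescriptor sPSSODescriptor = lookup.getSPSSODescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
        if (attributeRequesterDescriptor == null && sPSSODescriptor == null) {
            log.info(new StringBuffer("SPSSO and Stand-Alone Requester roles not found in metadata for provider: (").append(providerId).append(").").toString());
            return null;
        }
        // The chain is accepted if it validates for EITHER role present in the metadata.
        if ((attributeRequesterDescriptor == null || !idPProtocolSupport.getTrust().validate(credentials[0], credentials, attributeRequesterDescriptor)) && (sPSSODescriptor == null || !idPProtocolSupport.getTrust().validate(credentials[0], credentials, sPSSODescriptor))) {
            log.error(new StringBuffer("Supplied credentials (").append(credentials[0].getSubjectX500Principal().getName("RFC2253")).append(") are NOT valid for provider (").append(providerId).append(").").toString());
            throw new BaseServiceHandler.InvalidProviderCredentialException(this, "Invalid credentials.");
        }
        log.info("Supplied credentials validated for this provider.");
        return providerId;
    }

    /**
     * Answers a SAML 1.1 attribute query with an attribute assertion (or an empty response).
     *
     * <p>Steps: (1) identify the requester from its client certificate chain, first as the query's
     * Resource, then as each name derived from the certificate; (2) select the relying party
     * (the default/anonymous one if the requester is unidentified); (3) reject any subject
     * confirmation method other than bearer (a query with no confirmation method is accepted);
     * (4) map the subject's name identifier to a principal, requiring the mapping to be registered
     * for the relying party; (5) resolve released attributes, limited to the requested designators
     * when any are given; (6) build an audience-restricted assertion whose validity window is the
     * longest attribute lifetime, signing it when the relying party or its metadata asks for it.
     *
     * <p>Error disclosure: failures inside the resolution step are reported to the requester with
     * a generic message; the underlying cause is chained into the returned {@link SAMLException}
     * only when the relying party is configured with {@code passThruErrors()}.
     *
     * @param httpServletRequest the transport request; supplies the client certificate chain and remote address
     * @param httpServletResponse the transport response (unused here)
     * @param sAMLRequest the request; must carry a {@link SAMLAttributeQuery}
     * @param idPProtocolSupport IdP services: metadata, trust, name mapping, attribute release, signing, logs
     * @return the response to send, never {@code null}
     * @throws SAMLException if the request is not an attribute query, credentials are invalid, an
     *     unsupported confirmation method is present, or processing fails
     * @throws IOException declared by the interface; not thrown directly here
     * @throws ServletException declared by the interface; not thrown directly here
     */
    @Override // edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler
    public SAMLResponse processRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SAMLRequest sAMLRequest, IdPProtocolSupport idPProtocolSupport) throws SAMLException, IOException, ServletException {
        RelyingParty relyingParty;
        SAMLAttribute[] releaseAttributes;
        SAMLResponse sAMLResponse;
        if (sAMLRequest == null || sAMLRequest.getQuery() == null || !(sAMLRequest.getQuery() instanceof SAMLAttributeQuery)) {
            log.error("Protocol Handler can only respond to SAML Attribute Queries.");
            throw new SAMLException("General error processing request.");
        }
        SAMLAttributeQuery query = (SAMLAttributeQuery) sAMLRequest.getQuery();

        // --- Step 1: identify the requester from its client certificate chain. ---
        String providerId = null;
        X509Certificate[] credentials = (X509Certificate[]) httpServletRequest.getAttribute("javax.servlet.request.X509Certificate");
        if (credentials == null || credentials.length == 0 || credentials[0].getSubjectX500Principal().getName("RFC2253").equals("")) {
            log.info("Request contained no credentials, treating as an unauthenticated service provider.");
        } else {
            log.info(new StringBuffer("Request contains credentials: (").append(credentials[0].getSubjectX500Principal().getName("RFC2253")).append(").").toString());
            try {
                // The self-asserted Resource is only trusted if the chain validates for that entity.
                if (query.getResource() != null) {
                    log.info(new StringBuffer("Remote provider has identified itself as: (").append(query.getResource()).append(").").toString());
                    providerId = authenticateAs(query.getResource(), credentials, idPProtocolSupport);
                }
                if (providerId == null) {
                    log.info("Remote provider not yet identified, attempting to derive requesting provider from credentials.");
                    // getCredentialNames() is inherited from BaseServiceHandler (not shown here);
                    // presumably it yields candidate entity names taken from the certificate — confirm there.
                    String[] credentialNames = getCredentialNames(credentials[0]);
                    for (int i = 0; providerId == null && i < credentialNames.length; i++) {
                        providerId = authenticateAs(credentialNames[i], credentials, idPProtocolSupport);
                    }
                }
            } catch (BaseServiceHandler.InvalidProviderCredentialException e) {
                throw new SAMLException(SAMLException.REQUESTER, "Invalid credentials for request.");
            }
        }

        // --- Step 2: choose the relying party; an unidentified requester gets the default one. ---
        if (providerId == null) {
            log.info("Unable to locate metadata about provider, treating as an unauthenticated service provider.");
            log.debug("Using default Relying Party for unauthenticated provider.");
            relyingParty = idPProtocolSupport.getServiceProviderMapper().getRelyingParty(null);
        } else {
            log.debug(new StringBuffer("Mapping authenticated provider (").append(providerId).append(") to Relying Party.").toString());
            relyingParty = idPProtocolSupport.getServiceProviderMapper().getRelyingParty(providerId);
        }

        // --- Step 3: only the bearer confirmation method is honored (absence of any method is fine). ---
        boolean hasConfirmationMethod = false;
        boolean allBearer = true;
        Iterator confirmationMethods = query.getSubject().getConfirmationMethods();
        while (confirmationMethods.hasNext()) {
            String method = (String) confirmationMethods.next();
            log.info(new StringBuffer("Request contains SAML Subject Confirmation method: (").append(method).append(").").toString());
            hasConfirmationMethod = true;
            if (!method.equals("urn:oasis:names:tc:SAML:1.0:cm:bearer")) {
                allBearer = false;
            }
        }
        if (hasConfirmationMethod && !allBearer) {
            throw new SAMLException(SAMLException.REQUESTER, "This SAML authority cannot honor requests containing the supplied SAML Subject Confirmation Method(s).");
        }

        try {
            // --- Step 4: map the subject's name identifier to a local principal. ---
            SAMLNameIdentifier nameIdentifier = query.getSubject().getNameIdentifier();
            log.debug(new StringBuffer("Name Identifier format: (").append(nameIdentifier.getFormat()).append(").").toString());
            NameIdentifierMapping nameIdentifierMapping = null;
            try {
                nameIdentifierMapping = idPProtocolSupport.getNameMapper().getNameIdentifierMapping(new URI(nameIdentifier.getFormat()));
            } catch (URISyntaxException e2) {
                // Leaves the mapping null, which is reported as "not registered" just below.
                log.error("Invalid Name Identifier format.");
            }
            if (nameIdentifierMapping == null) {
                throw new NameIdentifierMappingException("Name Identifier format not registered.");
            }
            // The mapping must be one the relying party is configured for, not merely one the IdP knows.
            if (!Arrays.asList(relyingParty.getNameMapperIds()).contains(nameIdentifierMapping.getId())) {
                throw new NameIdentifierMappingException("Name Identifier format not valid for this relying party.");
            }
            Principal principal = nameIdentifierMapping.getPrincipal(nameIdentifier, relyingParty, relyingParty.getIdentityProvider());
            log.info(new StringBuffer("Request is for principal (").append(principal.getName()).append(").").toString());

            // --- Step 5: resolve released attributes, narrowed to the designated names if any. ---
            Iterator designators = query.getDesignators();
            if (designators.hasNext()) {
                log.info("Request designates specific attributes, resolving this set.");
                ArrayList requestedNames = new ArrayList();
                while (designators.hasNext()) {
                    SAMLAttributeDesignator designator = (SAMLAttributeDesignator) designators.next();
                    try {
                        log.debug(new StringBuffer("Designated attribute: (").append(designator.getName()).append(")").toString());
                        requestedNames.add(new URI(designator.getName()));
                    } catch (URISyntaxException e3) {
                        // A malformed designator is dropped rather than failing the whole query.
                        log.error(new StringBuffer("Request designated an attribute name that does not conform to the required URI syntax (").append(designator.getName()).append(").  Ignoring this attribute").toString());
                    }
                }
                releaseAttributes = idPProtocolSupport.getReleaseAttributes(principal, relyingParty, providerId, null, (URI[]) requestedNames.toArray(new URI[0]));
            } else {
                log.info("Request does not designate specific attributes, resolving all available.");
                releaseAttributes = idPProtocolSupport.getReleaseAttributes(principal, relyingParty, providerId, null);
            }
            // Fix: the original null check sat after the first .length dereference and was therefore
            // unreachable; normalize a null result to "no attributes" before anything reads it.
            if (releaseAttributes == null) {
                releaseAttributes = new SAMLAttribute[0];
            }
            log.info(new StringBuffer("Found ").append(releaseAttributes.length).append(" attribute(s) for ").append(principal.getName()).toString());
            if (idPProtocolSupport.getTransactionLog().isDebugEnabled() && releaseAttributes.length > 0) {
                StringBuffer names = new StringBuffer();
                for (SAMLAttribute attribute : releaseAttributes) {
                    names.append(new StringBuffer("(").append(attribute.getName()).append(")").toString());
                }
                idPProtocolSupport.getTransactionLog().debug(new StringBuffer("Attribute assertion generated for provider (").append(providerId).append(") on behalf of principal (").append(principal.getName()).append(") with the following attributes: ").append(names.toString()).toString());
            }

            // --- Step 6: build the response; no attributes means a response with no assertion. ---
            if (releaseAttributes.length == 0) {
                sAMLResponse = new SAMLResponse(sAMLRequest.getId(), (String) null, (Collection) null, (SAMLException) null);
            } else {
                SAMLSubject subject = (SAMLSubject) query.getSubject().clone();
                // Audience = the relying party's provider id plus its name when that differs.
                ArrayList audiences = new ArrayList();
                if (relyingParty.getProviderId() != null) {
                    audiences.add(relyingParty.getProviderId());
                }
                if (relyingParty.getName() != null && !relyingParty.getName().equals(relyingParty.getProviderId())) {
                    audiences.add(relyingParty.getName());
                }
                SAMLAudienceRestrictionCondition audienceRestriction = new SAMLAudienceRestrictionCondition(audiences);
                SAMLAttributeStatement attributeStatement = new SAMLAttributeStatement(subject, Arrays.asList(releaseAttributes));
                // Validity window = the longest attribute lifetime, in seconds. If no attribute has a
                // positive lifetime this stays 0 and NotOnOrAfter equals the issue instant.
                long maxLifetimeSeconds = 0;
                for (SAMLAttribute attribute : releaseAttributes) {
                    if (maxLifetimeSeconds < attribute.getLifetime()) {
                        maxLifetimeSeconds = attribute.getLifetime();
                    }
                }
                Date issueInstant = new Date();
                SAMLAssertion assertion = new SAMLAssertion(relyingParty.getIdentityProvider().getProviderId(), issueInstant, new Date(issueInstant.getTime() + (maxLifetimeSeconds * 1000)), Collections.singleton(audienceRestriction), (Collection) null, Collections.singleton(attributeStatement));
                // Sign if the relying party configuration asks for it, or if either SAML 1.1 role in
                // the relying party's metadata sets WantAssertionsSigned.
                boolean metadataWantsSigned = false;
                EntityDescriptor lookup = idPProtocolSupport.lookup(relyingParty.getProviderId());
                if (lookup != null) {
                    AttributeRequesterDescriptor attributeRequesterDescriptor = lookup.getAttributeRequesterDescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
                    if (attributeRequesterDescriptor != null && attributeRequesterDescriptor.getWantAssertionsSigned()) {
                        metadataWantsSigned = true;
                    }
                    if (!metadataWantsSigned) {
                        SPSSODescriptor sPSSODescriptor = lookup.getSPSSODescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
                        if (sPSSODescriptor != null && sPSSODescriptor.getWantAssertionsSigned()) {
                            metadataWantsSigned = true;
                        }
                    }
                }
                if (relyingParty.wantsAssertionsSigned() || metadataWantsSigned) {
                    idPProtocolSupport.signAssertions(new SAMLAssertion[]{assertion}, relyingParty);
                }
                sAMLResponse = new SAMLResponse(sAMLRequest.getId(), (String) null, Collections.singleton(assertion), (SAMLException) null);
            }
            if (log.isDebugEnabled()) {
                log.debug(new StringBuffer("Dumping generated SAML Response:").append(System.getProperty("line.separator")).append(sAMLResponse.toString()).toString());
            }
            log.info(new StringBuffer("Successfully created response for principal (").append(principal.getName()).append(").").toString());
            // Transaction log records who received an assertion for whom; anonymous requesters are
            // recorded by remote address since no entity id is known.
            if (providerId == null) {
                idPProtocolSupport.getTransactionLog().info(new StringBuffer("Attribute assertion issued to anonymous provider at (").append(httpServletRequest.getRemoteAddr()).append(") on behalf of principal (").append(principal.getName()).append(").").toString());
            } else {
                idPProtocolSupport.getTransactionLog().info(new StringBuffer("Attribute assertion issued to provider (").append(providerId).append(") on behalf of principal (").append(principal.getName()).append(").").toString());
            }
            return sAMLResponse;
        } catch (AAException e4) {
            log.error(new StringBuffer("Encountered an error while resolving resolving attributes: ").append(e4).toString());
            if (relyingParty.passThruErrors()) {
                throw new SAMLException("General error processing request.", e4);
            }
            throw new SAMLException("General error processing request.");
        } catch (InvalidNameIdentifierException e5) {
            log.error(new StringBuffer("Could not associate the request's subject with a principal: ").append(e5).toString());
            // This is the one failure that carries the mapping's own SAML status codes to the requester.
            if (relyingParty.passThruErrors()) {
                throw new SAMLException(Arrays.asList(e5.getSAMLErrorCodes()), "The supplied Subject was unrecognized.", e5);
            }
            throw new SAMLException(Arrays.asList(e5.getSAMLErrorCodes()), "The supplied Subject was unrecognized.");
        } catch (NameIdentifierMappingException e6) {
            log.error(new StringBuffer("Encountered an error while mapping the name identifier from the request: ").append(e6).toString());
            if (relyingParty.passThruErrors()) {
                throw new SAMLException("General error processing request.", e6);
            }
            throw new SAMLException("General error processing request.");
        } catch (SAMLException e7) {
            // Note: SAMLExceptions thrown before this try block (invalid credentials, bad
            // confirmation method) are not rewrapped and reach the requester as-is.
            if (relyingParty.passThruErrors()) {
                throw new SAMLException("General error processing request.", e7);
            }
            throw new SAMLException("General error processing request.");
        } catch (CloneNotSupportedException e8) {
            log.error(new StringBuffer("Encountered an error while cloning request subject for use in response: ").append(e8).toString());
            if (relyingParty.passThruErrors()) {
                throw new SAMLException("General error processing request.", e8);
            }
            throw new SAMLException("General error processing request.");
        }
    }
}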
