package org.wso2.carbon.identity.authenticator.saml2.sso.ui;

import java.io.IOException;
import java.net.URLEncoder;
import java.util.Enumeration;
import java.util.List;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.LogoutRequest;
import org.opensaml.saml2.core.LogoutResponse;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.SessionIndex;
import org.opensaml.saml2.core.Subject;
import org.opensaml.xml.XMLObject;
import org.wso2.carbon.identity.authenticator.saml2.sso.common.FederatedSSOToken;
import org.wso2.carbon.identity.authenticator.saml2.sso.common.SAML2SSOUIAuthenticatorException;
import org.wso2.carbon.identity.authenticator.saml2.sso.common.SSOSessionManager;
import org.wso2.carbon.identity.authenticator.saml2.sso.common.Util;
import org.wso2.carbon.identity.authenticator.saml2.sso.ui.authenticator.SAML2SSOUIAuthenticator;
import org.wso2.carbon.identity.authenticator.saml2.sso.ui.client.SAMLSSOServiceClient;
import org.wso2.carbon.identity.authenticator.saml2.sso.ui.internal.SAML2SSOAuthFEDataHolder;
import org.wso2.carbon.identity.sso.saml.stub.IdentityException;
import org.wso2.carbon.identity.sso.saml.stub.types.SAMLSSOAuthnReqDTO;
import org.wso2.carbon.identity.sso.saml.stub.types.SAMLSSOReqValidationResponseDTO;
import org.wso2.carbon.identity.sso.saml.stub.types.SAMLSSORespDTO;
import org.wso2.carbon.ui.CarbonSSOSessionManager;
import org.wso2.carbon.ui.CarbonUIAuthenticator;
import org.wso2.carbon.ui.CarbonUIUtil;

/* loaded from: input_file:org/wso2/carbon/identity/authenticator/saml2/sso/ui/SSOAssertionConsumerService.class */
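/**
 * Assertion Consumer Service (ACS) endpoint of the Carbon management console's SAML2 SSO
 * authenticator. Three kinds of messages arrive on the same URL:
 * <ul>
 *   <li>a {@code SAMLRequest} parameter carrying a {@code LogoutRequest} (IdP-initiated single
 *       logout), handled by {@link #handleSingleLogoutRequest};</li>
 *   <li>a {@code SAMLResponse} parameter carrying a {@code LogoutResponse}, which only completes
 *       the console logout;</li>
 *   <li>a {@code SAMLResponse} parameter carrying an authentication {@code Response}, which either
 *       logs the asserted subject into the console, or - when {@code RelayState} maps to a pending
 *       {@link FederatedSSOToken} - finishes a federated login on behalf of a relying party.</li>
 * </ul>
 *
 * <p>NOTE(review): nothing visible in this class verifies the XML signature, the assertion
 * {@code Conditions} (NotBefore/NotOnOrAfter, Audience), {@code InResponseTo} or
 * {@code Destination} of the incoming message, and only the first assertion is looked at
 * (encrypted assertions are ignored). The trust decision must therefore live in
 * {@link Util#decode}/{@link Util#unmarshall} or in the backend the result is forwarded to -
 * confirm that before relying on this endpoint, because an ACS that accepts an unsigned
 * {@code Response} lets anyone log in as any username.
 */
public class SSOAssertionConsumerService extends HttpServlet {
    private static final long serialVersionUID = 5451353570561170887L;
    public static final Log log = LogFactory.getLog(SSOAssertionConsumerService.class);
    /** Lifetime of the {@link #SSO_TOKEN_ID} cookie in seconds (10 hours). */
    private static final int SSO_SESSION_EXPIRE = 36000;
    /** Name of the cookie that carries the SSO session token. */
    public static final String SSO_TOKEN_ID = "ssoTokenId";

    private static final String SAML_REQUEST_PARAM = "SAMLRequest";
    private static final String SAML_RESPONSE_PARAM = "SAMLResponse";
    private static final String RELAY_STATE_PARAM = "RelayState";

    /**
     * GET is routed to {@link #doPost}.
     *
     * <p>NOTE(review): the SAML HTTP-POST binding delivers the Response in a form body; accepting
     * it on GET puts the base64 message (and RelayState) into the URL, i.e. into access logs,
     * browser history and Referer headers. Keep only if a deployment really depends on it.
     */
    protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        doPost(httpServletRequest, httpServletResponse);
    }

    /**
     * Dispatches the incoming SAML message.
     *
     * <p>A {@code SAMLRequest} parameter wins over a {@code SAMLResponse} parameter. A missing
     * response, a decode/unmarshal failure, or a message of an unexpected type all end on the
     * notifications page via {@link #handleMalformedResponses}.
     */
    protected void doPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        String samlResponse = httpServletRequest.getParameter(SAML_RESPONSE_PARAM);
        if (log.isDebugEnabled()) {
            log.debug("Processing SAML Response");
        }
        if (httpServletRequest.getParameter(SAML_REQUEST_PARAM) != null) {
            handleSingleLogoutRequest(httpServletRequest, httpServletResponse);
            return;
        }
        if (samlResponse == null) {
            log.error("SAML Response is not present in the request.");
            handleMalformedResponses(httpServletRequest, httpServletResponse, "response.not.present");
            return;
        }
        try {
            XMLObject message = Util.unmarshall(Util.decode(samlResponse));
            if (message instanceof LogoutResponse) {
                // SP-initiated logout round trip is complete; finish the console logout.
                httpServletResponse.sendRedirect(getAdminConsoleURL(httpServletRequest) + "admin/logout_action.jsp?logoutcomplete=true");
            } else if (message instanceof Response) {
                handleSAMLResponses(httpServletRequest, httpServletResponse, message);
            } else {
                // Anything else (or a null unmarshal result) is not a valid answer for this endpoint;
                // previously this fell through and returned an empty 200.
                log.error("Unexpected SAML message type in SAMLResponse: "
                        + (message == null ? "null" : message.getClass().getName()));
                handleMalformedResponses(httpServletRequest, httpServletResponse, "response.malformed");
            }
        } catch (IdentityException e) {
            log.error("Error when processing the Federated SAML Assertion in the request.", e);
            handleMalformedResponses(httpServletRequest, httpServletResponse, "response.malformed");
        } catch (SAML2SSOUIAuthenticatorException e) {
            log.error("Error when processing the SAML Assertion in the request.", e);
            handleMalformedResponses(httpServletRequest, httpServletResponse, "response.malformed");
        }
    }

    /**
     * Handles an authentication {@code Response}.
     *
     * <p>The username is taken from the first assertion's subject. If {@code RelayState} refers
     * to a pending federated token, the federated flow is completed and nothing else happens;
     * otherwise the request is forwarded to the console login action with the username and a
     * {@link SAML2SSOUIAuthenticator} placed in the HTTP session.
     *
     * @throws SAML2SSOUIAuthenticatorException if the response has no assertion or no subject name
     */
    private void handleSAMLResponses(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, XMLObject xMLObject) throws ServletException, IOException, SAML2SSOUIAuthenticatorException, IdentityException {
        Response response = (Response) xMLObject;
        Assertion assertion = firstAssertion(response);
        if (assertion == null) {
            logFailedStatus(response);
            throw new SAML2SSOUIAuthenticatorException("SAML Authentication Failed.");
        }
        String username = null;
        if (assertion.getSubject() != null && assertion.getSubject().getNameID() != null) {
            username = Util.getUsernameFromResponse(response);
        }
        if (log.isDebugEnabled()) {
            log.debug("A username is extracted from the response. : " + username);
        }
        if (username == null) {
            log.error("SAMLResponse does not contain the name of the subject");
            throw new SAML2SSOUIAuthenticatorException("SAMLResponse does not contain the name of the subject");
        }
        String relayState = httpServletRequest.getParameter(RELAY_STATE_PARAM);
        FederatedSSOToken federatedToken = relayState == null ? null : SSOSessionManager.getFederatedToken(relayState);
        if (federatedToken != null) {
            completeFederatedLogin(httpServletRequest, httpServletResponse, federatedToken, assertion.getSubject());
            return;
        }
        // Plain console login: hand the response to login_action.jsp. The forward is server-side,
        // so the username does not leave the container; encode it as UTF-8 explicitly instead of
        // relying on the platform default charset of the one-arg URLEncoder.encode.
        httpServletRequest.setAttribute("SAML2ResponseToken", response);
        String loginUri = httpServletRequest.getRequestURI().replace("acs",
                "carbon/admin/login_action.jsp?username=" + URLEncoder.encode(username, "UTF-8"));
        RequestDispatcher requestDispatcher = httpServletRequest.getRequestDispatcher(loginUri);
        httpServletRequest.getSession().setAttribute("CarbonAuthenticator", new SAML2SSOUIAuthenticator());
        requestDispatcher.forward(httpServletRequest, httpServletResponse);
    }

    /** Returns the first assertion of the response, or {@code null} when there is none. */
    private static Assertion firstAssertion(Response response) {
        List assertions = response.getAssertions();
        if (assertions == null || assertions.isEmpty()) {
            return null;
        }
        return (Assertion) assertions.get(0);
    }

    /**
     * Logs why a response without an assertion was rejected. The status message is supplied by
     * the remote party, so line breaks are stripped to keep a crafted message from forging
     * additional log records.
     */
    private static void logFailedStatus(Response response) {
        if (response.getStatus() == null || response.getStatus().getStatusMessage() == null) {
            log.error("SAML Assertion not found in the Response.");
        } else {
            log.error(sanitizeForLog(response.getStatus().getStatusMessage().getMessage()));
        }
    }

    /** Replaces CR and LF in untrusted text before it is written to the log. */
    private static String sanitizeForLog(String value) {
        if (value == null) {
            return null;
        }
        return value.replace('\r', ' ').replace('\n', ' ');
    }

    /**
     * Finishes a federated login: the SP's original request (parked in {@code federatedToken}
     * while the user was sent to the IdP) is replayed against the local SSO backend with the
     * subject asserted by the IdP.
     *
     * <p>NOTE(review): every attribute and every cookie of the parked request is copied onto the
     * current exchange, and {@code getSession()} is called on that stale request object. Confirm
     * that the container supports this on a completed request and that re-emitting the parked
     * cookies (including the container's own session cookie) is intended.
     */
    private void completeFederatedLogin(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
            FederatedSSOToken federatedToken, Subject subject) throws IdentityException, IOException, ServletException {
        HttpServletRequest parkedRequest = federatedToken.getHttpServletRequest();
        String spSamlRequest = parkedRequest.getParameter(SAML_REQUEST_PARAM);
        String spRelayState = parkedRequest.getParameter(RELAY_STATE_PARAM);
        String authSessionId = parkedRequest.getParameter("SSOAuthSessionID");
        Enumeration attributeNames = parkedRequest.getAttributeNames();
        while (attributeNames.hasMoreElements()) {
            String name = (String) attributeNames.nextElement();
            httpServletRequest.setAttribute(name, parkedRequest.getAttribute(name));
        }
        Cookie[] parkedCookies = parkedRequest.getCookies();
        if (parkedCookies != null) {
            for (Cookie cookie : parkedCookies) {
                httpServletResponse.addCookie(cookie);
            }
        }
        // The SSO session id is the token cookie if the SP already had one, else the parked session id.
        String sessionId = parkedRequest.getSession().getId();
        Cookie tokenCookie = getSSOTokenCookie(parkedRequest);
        if (tokenCookie != null) {
            sessionId = tokenCookie.getValue();
        }
        handleFederatedSAMLRequest(httpServletRequest, httpServletResponse, sessionId, spSamlRequest, spRelayState,
                "usernamePasswordBasedAuthn", subject, authSessionId);
    }

    /** Stores the message key in the session and sends the browser to the notifications page. */
    private void handleMalformedResponses(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) throws IOException {
        httpServletRequest.getSession().setAttribute("ErrorMessage", str);
        httpServletResponse.sendRedirect(getAdminConsoleURL(httpServletRequest) + "sso-acs/notifications.jsp");
    }

    /**
     * Handles an IdP-initiated {@code LogoutRequest}: the Carbon SSO session named by the first
     * {@code SessionIndex} is invalidated and the caller's HTTP session is cleared. No
     * {@code LogoutResponse} is sent back.
     *
     * <p>NOTE(review): the request is acted on without any visible signature or issuer check, so
     * unless {@link Util#unmarshall} validates it, anyone who can reach this URL can terminate an
     * arbitrary session by guessing its SessionIndex. Confirm where the request is authenticated.
     */
    private void handleSingleLogoutRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String samlRequest = decodeHTMLCharacters(httpServletRequest.getParameter(SAML_REQUEST_PARAM));
        CarbonSSOSessionManager sessionManager = null;
        XMLObject message = null;
        try {
            sessionManager = SAML2SSOAuthFEDataHolder.getInstance().getCarbonSSOSessionManager();
            message = Util.unmarshall(Util.decode(samlRequest));
        } catch (SAML2SSOUIAuthenticatorException e) {
            log.error("Error handling the single logout request", e);
        }
        if (!(message instanceof LogoutRequest)) {
            return;
        }
        List sessionIndexes = ((LogoutRequest) message).getSessionIndexes();
        if (sessionIndexes == null || sessionIndexes.isEmpty()) {
            return;
        }
        if (sessionManager == null) {
            // Previously a null manager surfaced as an NPE (HTTP 500) at this point.
            log.error("CarbonSSOSessionManager is not available; cannot process the single logout request");
            return;
        }
        sessionManager.makeSessionInvalid(((SessionIndex) sessionIndexes.get(0)).getSessionIndex());
        clearHttpSession(httpServletRequest);
    }

    /**
     * Unauthenticates the backend session (if a {@link CarbonUIAuthenticator} is present), clears
     * the logged-user markers and invalidates the HTTP session. A request without an existing
     * session is a no-op instead of a NullPointerException.
     */
    private void clearHttpSession(HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession(false);
        if (session == null) {
            if (log.isDebugEnabled()) {
                log.debug("No HTTP session to clear for the single logout request");
            }
            return;
        }
        // Captured up front: some containers reject getId() once the session is invalidated.
        String sessionId = session.getId();
        log.info("Invalidating session for user " + ((String) session.getAttribute("logged-user")));
        try {
            CarbonUIAuthenticator authenticator = (CarbonUIAuthenticator) session.getAttribute("CarbonAuthenticator");
            if (authenticator != null) {
                authenticator.unauthenticate(httpServletRequest);
                log.debug("Backend session invalidated");
            }
        } catch (Exception e) {
            log.error("Error while unauthenticating the backend session", e);
        }
        session.setAttribute("authenticated", false);
        session.removeAttribute("logged-user");
        session.getServletContext().removeAttribute("logged-user");
        try {
            session.invalidate();
        } catch (Exception e) {
            log.error("Error while invalidating the HTTP session", e);
        }
        if (log.isDebugEnabled()) {
            log.debug("Cleared authenticated session " + sessionId);
        }
    }

    /**
     * Admin console base URL with a trailing slash and any {@code /acs} path component removed.
     * Note that {@code replace} drops every occurrence of {@code /acs}, not just the last one.
     */
    private String getAdminConsoleURL(HttpServletRequest httpServletRequest) {
        String adminConsoleURL = CarbonUIUtil.getAdminConsoleURL(httpServletRequest);
        if (!adminConsoleURL.endsWith("/")) {
            adminConsoleURL = adminConsoleURL + "/";
        }
        if (adminConsoleURL.indexOf("/acs") != -1) {
            adminConsoleURL = adminConsoleURL.replace("/acs", "");
        }
        return adminConsoleURL;
    }

    /**
     * Reverses the five XML character entities. {@code &amp;} is decoded <em>last</em>: the
     * previous order decoded it first, so an input such as {@code &amp;lt;} came out as {@code <}
     * instead of the literal {@code &lt;} (double decoding). Literal {@code replace} is used
     * because none of the entities is a regular expression.
     *
     * @param str entity-escaped text; returned unchanged when {@code null}
     */
    private String decodeHTMLCharacters(String str) {
        if (str == null) {
            return null;
        }
        return str.replace("&lt;", "<")
                .replace("&gt;", ">")
                .replace("&quot;", "\"")
                .replace("&apos;", "'")
                .replace("&amp;", "&");
    }

    /**
     * Validates the SP's parked {@code AuthnRequest} against the local SSO backend and, when it is
     * valid, issues a response for the IdP-asserted subject via {@link #handleRequestFromLoginPage}.
     * An invalid request is silently dropped (no response is written).
     *
     * @param ssoSessionId  SSO session token (cookie value or parked session id)
     * @param spSamlRequest the SP's original SAMLRequest parameter
     * @param spRelayState  the SP's original RelayState parameter
     * @param authMode      authentication mode string passed to the backend validator
     * @param subject       subject asserted by the federated IdP; its NameID becomes the username
     * @param authSessionId the SP's SSOAuthSessionID parameter
     */
    private void handleFederatedSAMLRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
            String ssoSessionId, String spSamlRequest, String spRelayState, String authMode, Subject subject,
            String authSessionId) throws IdentityException, IOException, ServletException {
        HttpSession session = httpServletRequest.getSession();
        SAMLSSOServiceClient client = new SAMLSSOServiceClient(
                CarbonUIUtil.getServerURL(session.getServletContext(), session),
                (ConfigurationContext) session.getServletContext().getAttribute("ConfigurationContext"));
        boolean isPost = "post".equalsIgnoreCase(httpServletRequest.getMethod());
        SAMLSSOReqValidationResponseDTO validation = client.validate(spSamlRequest, null, ssoSessionId, authSessionId, authMode, isPost);
        if (validation.getValid()) {
            String nameId = subject.getNameID().getValue();
            handleRequestFromLoginPage(httpServletRequest, httpServletResponse, ssoSessionId,
                    validation.getAssertionConsumerURL(), validation.getId(), validation.getIssuer(),
                    nameId, nameId, validation.getRpSessionId(), validation.getRequestMessageString(), spRelayState);
        }
    }

    /**
     * Asks the local SSO backend to establish a session for {@code username} and, on success,
     * stores the SSO token cookie and forwards to the federation JSP that auto-posts the resulting
     * assertion to the SP's ACS. The password field carries the fixed marker
     * {@code "federated_idp_login"}, which the backend presumably recognises as "authenticated
     * upstream" - confirm against the backend.
     */
    private void handleRequestFromLoginPage(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
            String ssoSessionId, String assertionConsumerUrl, String requestId, String issuer, String username,
            String subject, String rpSessionId, String requestMessage, String relayState)
            throws IdentityException, IOException, ServletException {
        HttpSession session = httpServletRequest.getSession();
        SAMLSSOServiceClient client = new SAMLSSOServiceClient(
                CarbonUIUtil.getServerURL(session.getServletContext(), session),
                (ConfigurationContext) session.getServletContext().getAttribute("ConfigurationContext"));
        SAMLSSOAuthnReqDTO authnReq = new SAMLSSOAuthnReqDTO();
        authnReq.setAssertionConsumerURL(assertionConsumerUrl);
        authnReq.setId(requestId);
        authnReq.setIssuer(issuer);
        authnReq.setUsername(username);
        authnReq.setPassword("federated_idp_login");
        authnReq.setSubject(subject);
        authnReq.setRpSessionId(rpSessionId);
        authnReq.setRequestMessageString(requestMessage);
        SAMLSSORespDTO result = client.authenticate(authnReq, ssoSessionId);
        if (result.getSessionEstablished()) {
            storeSSOTokenCookie(ssoSessionId, httpServletRequest, httpServletResponse);
            httpServletRequest.setAttribute(RELAY_STATE_PARAM, relayState);
            httpServletRequest.setAttribute("assertionString", result.getRespString());
            httpServletRequest.setAttribute("assertnConsumerURL", result.getAssertionConsumerURL());
            httpServletRequest.setAttribute("subject", result.getSubject());
            httpServletRequest.getRequestDispatcher("/carbon/sso-acs/federation_ajaxprocessor.jsp").forward(httpServletRequest, httpServletResponse);
        }
    }

    /**
     * Adds (or refreshes the lifetime of) the SSO token cookie.
     *
     * <p>NOTE(review): the cookie is a bearer credential for the SSO session but is set without
     * {@code Secure} or {@code HttpOnly} and without an explicit path. Set at least {@code Secure}
     * where the console is served over TLS (and {@code HttpOnly} if the Servlet API level allows).
     */
    private void storeSSOTokenCookie(String ssoSessionId, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Cookie tokenCookie = getSSOTokenCookie(httpServletRequest);
        if (tokenCookie == null) {
            tokenCookie = new Cookie(SSO_TOKEN_ID, ssoSessionId);
        }
        tokenCookie.setMaxAge(SSO_SESSION_EXPIRE);
        httpServletResponse.addCookie(tokenCookie);
    }

    /** Returns the request's {@link #SSO_TOKEN_ID} cookie, or {@code null} if absent. */
    private Cookie getSSOTokenCookie(HttpServletRequest httpServletRequest) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (SSO_TOKEN_ID.equals(cookie.getName())) {
                return cookie;
            }
        }
        return null;
    }
}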
