package org.wso2.carbon.identity.sso.saml.processors;

import java.util.ArrayList;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.saml2.core.Response;
import org.wso2.carbon.core.util.AnonymousSessionUtil;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
import org.wso2.carbon.identity.core.persistence.IdentityPersistenceManager;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.sso.saml.SAMLSSOConstants;
import org.wso2.carbon.identity.sso.saml.SSOServiceProviderConfigManager;
import org.wso2.carbon.identity.sso.saml.builders.ErrorResponseBuilder;
import org.wso2.carbon.identity.sso.saml.builders.ResponseBuilder;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOAuthnReqDTO;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOReqValidationResponseDTO;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSORespDTO;
import org.wso2.carbon.identity.sso.saml.session.SSOSessionPersistenceManager;
import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;
import org.wso2.carbon.registry.core.utils.UUIDGenerator;
import org.wso2.carbon.user.core.UserRealm;
import org.wso2.carbon.user.core.util.UserCoreUtil;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/sso/saml/processors/SPInitSSOAuthnRequestProcessor.class */
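public class SPInitSSOAuthnRequestProcessor {
    private static final Log log = LogFactory.getLog(SPInitSSOAuthnRequestProcessor.class);

    /**
     * Processes an SP-initiated SAML authentication request and, when a session may be
     * established, builds the encoded SAML response for it.
     *
     * <p>Validation order: the issuer must be a registered service provider; a request-supplied
     * assertion consumer URL must equal the registered one; when the registered provider has a
     * certificate alias, the request destination must equal the configured IdP URL and the
     * request signature must verify; and a request subject, if present, must equal the
     * authenticated username. Every failure is answered with an error response rather than an
     * exception.
     *
     * @param sAMLSSOAuthnReqDTO the authentication request; its provider-derived fields are
     *                           overwritten from the registered configuration
     * @param str                the session token id looked up in, or persisted to,
     *                           {@link SSOSessionPersistenceManager}
     * @param z                  whether a session may be established and a response built;
     *                           when {@code false} nothing is persisted and {@code null} is returned
     * @param str2               the authentication mode, compared against
     *                           {@link SAMLSSOConstants.AuthnModes}
     * @return the response DTO with {@code sessionEstablished == true}, an error response DTO
     *         with {@code sessionEstablished == false} on any validation or processing failure,
     *         or {@code null} when {@code z} is {@code false}
     * @throws Exception only if building the error response itself fails
     */
    public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO, String str, boolean z, String str2) throws Exception {
        try {
            SAMLSSOServiceProviderDO spConfig = getServiceProviderConfig(sAMLSSOAuthnReqDTO);
            if (spConfig == null) {
                String msg = "A Service Provider with the Issuer '" + sAMLSSOAuthnReqDTO.getIssuer() + "' is not registered. Service Provider should be registered in advance.";
                log.warn(msg);
                return buildErrorResponse(sAMLSSOAuthnReqDTO.getId(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, msg);
            }
            if (spConfig.isEnableAttributesByDefault() && spConfig.getAttributeConsumingServiceIndex() != null) {
                sAMLSSOAuthnReqDTO.setAttributeConsumingServiceIndex(Integer.parseInt(spConfig.getAttributeConsumingServiceIndex()));
            }
            // A request-supplied ACS URL must match the registered one exactly, otherwise the
            // response could be delivered to an endpoint chosen by the requester. A request
            // without an ACS URL falls through and receives the registered one from
            // populateServiceProviderConfigs().
            String requestedAcsUrl = sAMLSSOAuthnReqDTO.getAssertionConsumerURL();
            if (requestedAcsUrl != null && !spConfig.getAssertionConsumerUrl().equals(requestedAcsUrl)) {
                String msg = "ALERT: Invalid Assertion Consumer URL value '" + requestedAcsUrl + "' in the AuthnRequest message from  the issuer '" + spConfig.getIssuer() + "'. Possibly an attempt for a spoofing attack";
                log.error(msg);
                return buildErrorResponse(sAMLSSOAuthnReqDTO.getId(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, msg);
            }
            populateServiceProviderConfigs(spConfig, sAMLSSOAuthnReqDTO);
            // Destination and signature validation run only when the registered provider has a
            // certificate alias; a provider configured without one gets neither check.
            if (sAMLSSOAuthnReqDTO.getCertAlias() != null) {
                String expectedDestination = IdentityUtil.getProperty("SSOService.IdentityProviderURL");
                String destination = sAMLSSOAuthnReqDTO.getDestination();
                // equals() is called on the received value so that a missing IdP URL property
                // fails closed with a REQUESTOR_ERROR instead of a NullPointerException.
                if (destination == null || !destination.equals(expectedDestination)) {
                    String msg = "Destination validation for Authentication Request failed. Received: [" + destination + "]. Expected: [" + expectedDestination + "]";
                    log.warn(msg);
                    return buildErrorResponse(sAMLSSOAuthnReqDTO.getId(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, msg);
                }
                if (!SAMLSSOUtil.validateAuthnRequestSignature(sAMLSSOAuthnReqDTO)) {
                    log.warn("Signature validation for Authentication Request failed.");
                    return buildErrorResponse(sAMLSSOAuthnReqDTO.getId(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, "Signature validation for Authentication Request failed.");
                }
            }
            String subject = sAMLSSOAuthnReqDTO.getSubject();
            String username = sAMLSSOAuthnReqDTO.getUsername();
            if (subject != null && username != null && !username.equals(subject)) {
                log.warn("Provided username does not match with the requested subject");
                return buildErrorResponse(sAMLSSOAuthnReqDTO.getId(), SAMLSSOConstants.StatusCodes.AUTHN_FAILURE, "Provided username does not match with the requested subject");
            }
            if (!z) {
                // No session may be established: nothing is persisted and no response is built.
                // Returning null here regardless of the log level replaces the previous
                // behaviour, where a debug-level logger dereferenced the absent response.
                return null;
            }
            SSOSessionPersistenceManager persistenceManager = SSOSessionPersistenceManager.getPersistenceManager();
            String sessionIndex;
            if (persistenceManager.isExistingTokenId(str)) {
                sessionIndex = persistenceManager.getSessionIndexFromTokenId(str);
            } else {
                sessionIndex = UUIDGenerator.generateUUID();
                persistenceManager.persistSession(str, sessionIndex);
            }
            // A null authentication mode raises a NullPointerException here, which the catch
            // below turns into an AUTHN_FAILURE response; that fail-closed path is intentional.
            if (str2.equals(SAMLSSOConstants.AuthnModes.USERNAME_PASSWORD)) {
                persistenceManager.persistSession(str, sessionIndex, sAMLSSOAuthnReqDTO.getUsername(), toSessionServiceProvider(sAMLSSOAuthnReqDTO), sAMLSSOAuthnReqDTO.getRpSessionId());
                // The subject recorded in the session is authoritative for the response.
                sAMLSSOAuthnReqDTO.setUsername(persistenceManager.getSessionInfo(sessionIndex).getSubject());
                persistenceManager.persistSession(str, sessionIndex, sAMLSSOAuthnReqDTO.getIssuer(), sAMLSSOAuthnReqDTO.getAssertionConsumerURL(), sAMLSSOAuthnReqDTO.getRpSessionId());
            }
            if (str2.equals(SAMLSSOConstants.AuthnModes.OPENID)) {
                persistenceManager.persistSession(str, sessionIndex, sAMLSSOAuthnReqDTO.getUsername(), toSessionServiceProvider(sAMLSSOAuthnReqDTO), sAMLSSOAuthnReqDTO.getRpSessionId());
            }
            Response samlResponse = new ResponseBuilder().buildResponse(sAMLSSOAuthnReqDTO, sessionIndex);
            String marshalled = SAMLSSOUtil.marshall(samlResponse);
            if (log.isDebugEnabled()) {
                // Debug output contains the complete response, including the assertion.
                log.debug(marshalled);
            }
            SAMLSSORespDTO respDTO = new SAMLSSORespDTO();
            respDTO.setRespString(SAMLSSOUtil.encode(marshalled));
            respDTO.setSessionEstablished(true);
            respDTO.setAssertionConsumerURL(sAMLSSOAuthnReqDTO.getAssertionConsumerURL());
            respDTO.setLoginPageURL(sAMLSSOAuthnReqDTO.getLoginPageURL());
            respDTO.setSubject(sAMLSSOAuthnReqDTO.getUsername());
            if (log.isDebugEnabled()) {
                log.debug(respDTO.getRespString());
            }
            return respDTO;
        } catch (Exception e) {
            // The cause is logged server-side; the requester only receives a generic status.
            log.error("Error processing the authentication request", e);
            SAMLSSORespDTO errorResponse = buildErrorResponse(sAMLSSOAuthnReqDTO.getId(), SAMLSSOConstants.StatusCodes.AUTHN_FAILURE, "Authentication Failure, invalid username or password.");
            errorResponse.setLoginPageURL(sAMLSSOAuthnReqDTO.getLoginPageURL());
            return errorResponse;
        }
    }

    /**
     * Builds the service-provider record that is stored with the session: issuer, ACS URL,
     * certificate alias and logout URL as they stand on the request after
     * {@link #populateServiceProviderConfigs} has run.
     *
     * @param sAMLSSOAuthnReqDTO the request whose provider fields are copied
     * @return a new record holding the copied fields
     */
    private SAMLSSOServiceProviderDO toSessionServiceProvider(SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO) {
        SAMLSSOServiceProviderDO sessionSp = new SAMLSSOServiceProviderDO();
        sessionSp.setIssuer(sAMLSSOAuthnReqDTO.getIssuer());
        sessionSp.setAssertionConsumerUrl(sAMLSSOAuthnReqDTO.getAssertionConsumerURL());
        sessionSp.setCertAlias(sAMLSSOAuthnReqDTO.getCertAlias());
        sessionSp.setLogoutURL(sAMLSSOAuthnReqDTO.getLogoutURL());
        return sessionSp;
    }

    /**
     * Looks up the registered service provider for the request's issuer, first in the in-memory
     * {@link SSOServiceProviderConfigManager} and then in the tenant's configuration registry.
     * The request's {@code stratosDeployment} flag records which source answered.
     *
     * @param sAMLSSOAuthnReqDTO the request whose issuer (and, for the registry lookup, username)
     *                           identify the provider
     * @return the provider configuration, or {@code null} when neither source knows the issuer
     * @throws IdentityException wrapping any failure of either lookup
     */
    private SAMLSSOServiceProviderDO getServiceProviderConfig(SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO) throws IdentityException {
        try {
            SAMLSSOServiceProviderDO serviceProvider = SSOServiceProviderConfigManager.getInstance().getServiceProvider(sAMLSSOAuthnReqDTO.getIssuer());
            if (serviceProvider != null) {
                sAMLSSOAuthnReqDTO.setStratosDeployment(true);
                return serviceProvider;
            }
            // NOTE(review): the tenant is derived from the request username, which may still be
            // unset at this point in the USERNAME_PASSWORD flow — confirm getTenantIdOFUser
            // tolerates null.
            int tenantId = IdentityUtil.getTenantIdOFUser(sAMLSSOAuthnReqDTO.getUsername());
            serviceProvider = IdentityPersistenceManager.getPersistanceManager().getServiceProvider(SAMLSSOUtil.getRegistryService().getConfigSystemRegistry(tenantId), sAMLSSOAuthnReqDTO.getIssuer());
            sAMLSSOAuthnReqDTO.setStratosDeployment(false);
            return serviceProvider;
        } catch (Exception e) {
            // Keep the cause so the failing lookup remains diagnosable from the log.
            throw new IdentityException("Error while reading Service Provider configurations", e);
        }
    }

    /**
     * Copies the registered provider settings onto the request. The registered ACS URL, login
     * page, certificate alias, NameID settings, logout settings, signing flags and requested
     * claims/audiences replace whatever the request carried.
     *
     * @param sAMLSSOServiceProviderDO the registered provider configuration (source)
     * @param sAMLSSOAuthnReqDTO       the request to update (target)
     * @throws IdentityException declared for interface compatibility; nothing here throws it
     */
    private void populateServiceProviderConfigs(SAMLSSOServiceProviderDO sAMLSSOServiceProviderDO, SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO) throws IdentityException {
        sAMLSSOAuthnReqDTO.setAssertionConsumerURL(sAMLSSOServiceProviderDO.getAssertionConsumerUrl());
        sAMLSSOAuthnReqDTO.setLoginPageURL(sAMLSSOServiceProviderDO.getLoginPageURL());
        sAMLSSOAuthnReqDTO.setCertAlias(sAMLSSOServiceProviderDO.getCertAlias());
        sAMLSSOAuthnReqDTO.setUseFullyQualifiedUsernameAsSubject(sAMLSSOServiceProviderDO.isUseFullyQualifiedUsername());
        sAMLSSOAuthnReqDTO.setNameIdClaimUri(sAMLSSOServiceProviderDO.getNameIdClaimUri());
        sAMLSSOAuthnReqDTO.setNameIDFormat(sAMLSSOServiceProviderDO.getNameIDFormat());
        sAMLSSOAuthnReqDTO.setDoSingleLogout(sAMLSSOServiceProviderDO.isDoSingleLogout());
        sAMLSSOAuthnReqDTO.setLogoutURL(sAMLSSOServiceProviderDO.getLogoutURL());
        sAMLSSOAuthnReqDTO.setDoSignResponse(sAMLSSOServiceProviderDO.isDoSignResponse());
        sAMLSSOAuthnReqDTO.setDoSignAssertions(sAMLSSOServiceProviderDO.isDoSignAssertions());
        sAMLSSOAuthnReqDTO.setRequestedClaims(sAMLSSOServiceProviderDO.getRequestedClaims());
        sAMLSSOAuthnReqDTO.setRequestedAudiences(sAMLSSOServiceProviderDO.getRequestedAudiences());
    }

    /**
     * Converts a validated request into an authentication request, processes it with a session
     * allowed ({@code z == true}), and maps the result back onto a validation response.
     *
     * <p>In {@link SAMLSSOConstants.AuthnModes#USERNAME_PASSWORD} mode the username comes from the
     * session identified by {@code str} (when one is given); in every other mode it is the
     * request subject.
     *
     * @param sAMLSSOReqValidationResponseDTO the validated request
     * @param str                             the session token id, may be {@code null}
     * @param str2                            the relying-party session id
     * @param str3                            the authentication mode
     * @return a validation response whose {@code valid} flag mirrors {@code sessionEstablished}
     * @throws Exception propagated from {@link #process(SAMLSSOAuthnReqDTO, String, boolean, String)}
     */
    public SAMLSSOReqValidationResponseDTO process(SAMLSSOReqValidationResponseDTO sAMLSSOReqValidationResponseDTO, String str, String str2, String str3) throws Exception {
        SAMLSSOAuthnReqDTO authnReqDTO = new SAMLSSOAuthnReqDTO();
        authnReqDTO.setIssuer(sAMLSSOReqValidationResponseDTO.getIssuer());
        authnReqDTO.setAssertionConsumerURL(sAMLSSOReqValidationResponseDTO.getAssertionConsumerURL());
        authnReqDTO.setSubject(sAMLSSOReqValidationResponseDTO.getSubject());
        authnReqDTO.setId(sAMLSSOReqValidationResponseDTO.getId());
        authnReqDTO.setRpSessionId(str2);
        authnReqDTO.setRequestMessageString(sAMLSSOReqValidationResponseDTO.getRequestMessageString());
        authnReqDTO.setQueryString(sAMLSSOReqValidationResponseDTO.getQueryString());
        authnReqDTO.setDestination(sAMLSSOReqValidationResponseDTO.getDestination());
        authnReqDTO.setIdPInitSSO(false);
        if (str3.equals(SAMLSSOConstants.AuthnModes.USERNAME_PASSWORD)) {
            if (str != null) {
                SSOSessionPersistenceManager persistenceManager = SSOSessionPersistenceManager.getPersistenceManager();
                authnReqDTO.setUsername(persistenceManager.getSessionInfo(persistenceManager.getSessionIndexFromTokenId(str)).getSubject());
            }
        } else {
            authnReqDTO.setUsername(sAMLSSOReqValidationResponseDTO.getSubject());
        }
        // With z == true the overload never returns null: it yields either a response or an
        // error response.
        SAMLSSORespDTO result = process(authnReqDTO, str, true, str3);
        SAMLSSOReqValidationResponseDTO validationResponse = new SAMLSSOReqValidationResponseDTO();
        validationResponse.setValid(result.isSessionEstablished());
        validationResponse.setResponse(result.getRespString());
        validationResponse.setAssertionConsumerURL(result.getAssertionConsumerURL());
        validationResponse.setLoginPageURL(result.getLoginPageURL());
        validationResponse.setSubject(result.getSubject());
        return validationResponse;
    }

    /**
     * Builds an encoded SAML error response carrying a single status code.
     *
     * @param str  the id of the request being answered (becomes {@code InResponseTo})
     * @param str2 the status code, one of {@link SAMLSSOConstants.StatusCodes}
     * @param str3 the status message
     * @return a response DTO with {@code sessionEstablished == false}
     * @throws Exception if marshalling or encoding fails
     */
    private SAMLSSORespDTO buildErrorResponse(String str, String str2, String str3) throws Exception {
        ArrayList<String> statusCodes = new ArrayList<String>();
        statusCodes.add(str2);
        String encoded = SAMLSSOUtil.encode(SAMLSSOUtil.marshall(new ErrorResponseBuilder().buildResponse(str, statusCodes, str3)));
        SAMLSSORespDTO errorResponse = new SAMLSSORespDTO();
        errorResponse.setRespString(encoded);
        errorResponse.setSessionEstablished(false);
        return errorResponse;
    }

    /**
     * Authenticates a user against the realm of its tenant and then checks that the user holds the
     * {@code /permission/admin/login} permission for {@code ui.execute}. Not referenced from this
     * class.
     *
     * @param str  the username, optionally domain-qualified ({@code DOMAIN/user}); a bare name is
     *             qualified with the thread-local domain before the authorization check
     * @param str2 the password
     * @return {@code true} only when both the credential check and the authorization check pass
     * @throws IdentityException wrapping any failure while obtaining or querying the realm
     */
    private boolean authenticate(String str, String str2) throws IdentityException {
        try {
            UserRealm realm = AnonymousSessionUtil.getRealmByUserName(SAMLSSOUtil.getRegistryService(), SAMLSSOUtil.getRealmService(), str);
            if (realm == null) {
                log.warn("Realm creation failed. Tenant may be inactive or invalid.");
                return false;
            }
            if (!realm.getUserStoreManager().authenticate(MultitenantUtils.getTenantAwareUsername(str), str2)) {
                if (log.isDebugEnabled()) {
                    log.debug("user authentication failed due to invalid credentials.");
                }
                return false;
            }
            if (!str.contains("/")) {
                String domain = UserCoreUtil.getDomainFromThreadLocal();
                if (domain != null) {
                    str = domain + "/" + str;
                }
            }
            boolean authorized = realm.getAuthorizationManager().isUserAuthorized(MultitenantUtils.getTenantAwareUsername(str), "/permission/admin/login", "ui.execute");
            if (log.isDebugEnabled()) {
                log.debug(authorized ? "User is successfully authenticated." : "Authorization Failure when performing log-in action");
            }
            return authorized;
        } catch (Exception e) {
            throw new IdentityException("Error obtaining user realm for authenticating the user", e);
        }
    }
}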
