package org.wso2.carbon.identity.sso.saml.servlet;

import java.io.IOException;
import java.io.PrintWriter;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.sso.saml.SAMLSSOConstants;
import org.wso2.carbon.identity.sso.saml.SAMLSSOService;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOAuthnReqDTO;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOReqValidationResponseDTO;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSORespDTO;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOSessionDTO;
import org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender;
import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;
import org.wso2.carbon.registry.core.utils.UUIDGenerator;
import org.wso2.carbon.ui.CarbonUIUtil;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.class */
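/**
 * Front-door servlet of the SAML 2.0 identity provider.
 *
 * <p>Every GET/POST lands in {@link #handleRequest} which dispatches on what the request carries:
 * <ul>
 *   <li>a {@code commonAuthAuthenticated} request attribute: the authentication framework is
 *       handing back an authenticated user, so the pending SAML request is completed;</li>
 *   <li>an {@code spEntityID} parameter: IdP-initiated SSO;</li>
 *   <li>a {@code SAMLRequest} parameter: SP-initiated SSO (authn or logout request);</li>
 *   <li>nothing of the above: treated as a single-logout trigger.</li>
 * </ul>
 *
 * <p>The SSO session id travels in two cookies ({@code samlssoTokenId}, {@code samlssoRememberMe});
 * pending requests are parked in the HTTP session as {@link SAMLSSOSessionDTO} under a random key
 * that is passed to and returned from the authentication framework as {@code sessionDataKey}.
 *
 * <p>Security-relevant fixes compared with the previous revision of this class:
 * <ul>
 *   <li>{@link #storeTokenIdCookie} wrote the <em>remember-me</em> cookie back instead of the
 *       token-id cookie whenever a remember-me cookie was present;</li>
 *   <li>a reused cookie now carries the newly established SSO session id instead of the stale one;</li>
 *   <li>every value reflected into the auto-POST page is HTML-escaped, the page is served with an
 *       explicit content type and {@code Cache-Control: no-store};</li>
 *   <li>query parameters forwarded to the authentication framework and to the notification page
 *       are URL-encoded (a base64 {@code SAMLRequest} contains {@code +} and {@code =});</li>
 *   <li>cookies are flagged {@code Secure} when issued over TLS.</li>
 * </ul>
 */
public class SAMLSSOProviderServlet extends HttpServlet {
    private static final long serialVersionUID = -5182312441482721905L;
    private static final Log log = LogFactory.getLog(SAMLSSOProviderServlet.class);

    /** Session-scoped cookie carrying the SSO session id. */
    private static final String TOKEN_ID_COOKIE = "samlssoTokenId";
    /** Persistent ("remember me") cookie carrying the SSO session id. */
    private static final String REMEMBER_ME_COOKIE = "samlssoRememberMe";
    /** HTTP-session attribute holding the OpenID of the authenticated subject. */
    private static final String OPENID_SESSION_ATTR = "authenticatedOpenID";
    /** Second HTTP-session attribute holding the same OpenID (kept for compatibility). */
    private static final String OPENID_ATTR = "openId";
    /** Request attribute set by the authentication framework when it hands an authenticated user back. */
    private static final String COMMON_AUTH_AUTHENTICATED_ATTR = "commonAuthAuthenticated";
    private static final String SSO_AUTH_SESSION_ID_PARAM = "SSOAuthSessionID";
    private static final String UTF8 = "UTF-8";

    private SAMLSSOService samlSsoService = new SAMLSSOService();

    /** GET carries the HTTP-Redirect binding (and IdP-initiated SSO links). */
    protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        handleRequest(httpServletRequest, httpServletResponse, false);
    }

    /** POST carries the HTTP-POST binding. */
    protected void doPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        handleRequest(httpServletRequest, httpServletResponse, true);
    }

    /**
     * Dispatches an incoming request to the matching SSO flow.
     *
     * @param req    incoming request
     * @param resp   response to write to
     * @param isPost {@code true} for the HTTP-POST binding, {@code false} for HTTP-Redirect; forwarded to
     *               the request validator
     */
    private void handleRequest(HttpServletRequest req, HttpServletResponse resp, boolean isPost) throws ServletException, IOException {
        // The SSO session id may be in either cookie; the remember-me cookie wins when both are present.
        String ssoSessionId = null;
        Cookie tokenIdCookie = getTokenIdCookie(req);
        if (tokenIdCookie != null) {
            ssoSessionId = tokenIdCookie.getValue();
        }
        Cookie rememberMeCookie = getRememberMeCookie(req);
        if (rememberMeCookie != null) {
            ssoSessionId = rememberMeCookie.getValue();
        }

        String queryString = req.getQueryString();
        if (log.isDebugEnabled()) {
            // The query string carries SAMLRequest/RelayState; keep this strictly at debug level.
            log.debug("Query string : " + queryString);
        }

        // Anything other than an explicit OpenID mode falls back to username/password.
        String authMode = req.getParameter("authMode");
        if (!SAMLSSOConstants.AuthnModes.OPENID.equals(authMode)) {
            authMode = SAMLSSOConstants.AuthnModes.USERNAME_PASSWORD;
        }
        String relayState = req.getParameter(SAMLSSOConstants.RELAY_STATE);
        String spEntityId = req.getParameter("spEntityID");
        String samlRequest = req.getParameter(SAMLSSOConstants.AUTH_REQ_SAML_ASSRTN);

        try {
            if (req.getAttribute(COMMON_AUTH_AUTHENTICATED_ATTR) != null) {
                // Back from the authentication framework: a fresh SSO session id is minted here and
                // the pending request is looked up by the sessionDataKey the framework echoes back.
                handleRequestFromLoginPage(req, resp, UUIDGenerator.generateUUID(),
                        (String) req.getAttribute(SAMLSSOConstants.SESSION_DATA_KEY));
                return;
            }
            if (spEntityId != null) {
                handleIdPInitSSO(req, resp, spEntityId, relayState, queryString, authMode, ssoSessionId);
                return;
            }
            if (samlRequest != null) {
                handleSPInitSSO(req, resp, queryString, relayState, authMode, samlRequest, ssoSessionId, isPost);
                return;
            }

            // No SAML message at all: the request is treated as a single-logout trigger.
            // NOTE(review): this means a bare, unauthenticated GET to this servlet logs the caller's
            // SSO session out (cross-site request forgery of logout). Consider requiring a signed
            // LogoutRequest before calling doSingleLogout.
            log.debug("Invalid request message or single logout message ");
            String logoutSessionId = req.getSession().getId();
            Cookie rememberMe = getRememberMeCookie(req);
            if (rememberMe != null) {
                logoutSessionId = rememberMe.getValue();
            }
            if (logoutSessionId != null) {
                this.samlSsoService.doSingleLogout(logoutSessionId);
            }
            sendNotification(SAMLSSOConstants.Notification.INVALID_MESSAGE_STATUS,
                    SAMLSSOConstants.Notification.INVALID_MESSAGE_MESSAGE, req, resp);
        } catch (IdentityException e) {
            log.error(SAMLSSOConstants.Notification.EXCEPTION_STATUS, e);
            sendNotification(SAMLSSOConstants.Notification.EXCEPTION_STATUS,
                    SAMLSSOConstants.Notification.EXCEPTION_MESSAGE, req, resp);
        }
    }

    /**
     * Redirects the browser to the notification page of the authentication endpoint.
     *
     * @param status  status code shown to the user (a {@link SAMLSSOConstants.Notification} constant)
     * @param message human-readable message (a {@link SAMLSSOConstants.Notification} constant)
     */
    private void sendNotification(String status, String message, HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        String notificationUrl = CarbonUIUtil.getAdminConsoleURL(req)
                .replace("samlsso/carbon/", "authenticationendpoint/samlsso_notification.do");
        // Values are constants today, but encoding keeps the redirect well-formed if they ever change.
        resp.sendRedirect(notificationUrl + "?status=" + urlEncode(status)
                + "&" + SAMLSSOConstants.STATUS_MSG + "=" + urlEncode(message));
    }

    /**
     * IdP-initiated SSO: the SP is identified by {@code spEntityID} instead of a SAMLRequest.
     *
     * @param spEntityId   entity id of the service provider to issue a response for
     * @param relayState   opaque RelayState to echo back to the SP (may be {@code null})
     * @param queryString  raw query string of the request
     * @param authMode     authentication mode (OpenID or username/password)
     * @param ssoSessionId SSO session id taken from the cookies, or {@code null}
     * @throws IdentityException when the validator rejects the request
     */
    private void handleIdPInitSSO(HttpServletRequest req, HttpServletResponse resp, String spEntityId, String relayState,
                                  String queryString, String authMode, String ssoSessionId)
            throws IdentityException, IOException, ServletException {
        SAMLSSOReqValidationResponseDTO validation = new SAMLSSOService().validateIdPInitSSORequest(req, resp,
                spEntityId, relayState, queryString, ssoSessionId, req.getParameter(SSO_AUTH_SESSION_ID_PARAM), authMode);

        if (!validation.isValid()) {
            log.debug("Invalid SAML SSO Request");
            throw new IdentityException("Invalid SAML SSO Request");
        }
        if (validation.getResponse() != null) {
            // An existing SSO session satisfied the request: hand the response straight to the SP.
            if (SAMLSSOConstants.AuthnModes.OPENID.equals(authMode)) {
                storeRememberMeCookie(ssoSessionId, req, resp, SAMLSSOService.getSSOSessionTimeout());
            }
            rememberOpenIdSubject(req, validation.getSubject());
            sendResponse(req, resp, relayState, validation.getResponse(), validation.getAssertionConsumerURL(),
                    validation.getSubject());
            return;
        }
        if (SAMLSSOService.isOpenIDLoginAccepted() && req.getSession().getAttribute(OPENID_SESSION_ATTR) != null) {
            // The browser already holds an OpenID login: authenticate the SAML request with it.
            handleRequestWithOpenIDLogin(req, resp, validation, relayState, ssoSessionId);
            return;
        }
        // Valid request, no session: send the user to the authentication framework.
        sendToAuthenticate(req, resp, validation, relayState);
    }

    /**
     * SP-initiated SSO: handles AuthnRequests (active and passive) and LogoutRequests.
     *
     * @param queryString  raw query string of the request
     * @param relayState   opaque RelayState to echo back to the SP (may be {@code null})
     * @param authMode     authentication mode (OpenID or username/password)
     * @param samlRequest  the (still encoded) SAMLRequest parameter
     * @param ssoSessionId SSO session id taken from the cookies, or {@code null}
     * @param isPost       whether the request arrived via the HTTP-POST binding
     * @throws IdentityException when the validator rejects the request, or when a passive request
     *                           can be neither answered nor authenticated
     */
    private void handleSPInitSSO(HttpServletRequest req, HttpServletResponse resp, String queryString, String relayState,
                                 String authMode, String samlRequest, String ssoSessionId, boolean isPost)
            throws IdentityException, IOException, ServletException {
        SAMLSSOReqValidationResponseDTO validation = new SAMLSSOService().validateSPInitSSORequest(samlRequest,
                queryString, ssoSessionId, req.getParameter(SSO_AUTH_SESSION_ID_PARAM), authMode, isPost);

        if (validation.isLogOutReq()) {
            // Fan the logout out to every other SP in the session, then answer the requesting SP.
            LogoutRequestSender.getInstance().sendLogoutRequests(validation.getLogoutRespDTO());
            forgetOpenIdSubject(req);
            sendResponse(req, resp, relayState, validation.getLogoutResponse(), validation.getAssertionConsumerURL(),
                    validation.getSubject());
            return;
        }
        if (!validation.isValid()) {
            log.debug("Invalid SAML SSO Request");
            throw new IdentityException("Invalid SAML SSO Request");
        }

        boolean hasResponse = validation.getResponse() != null;
        if (hasResponse && !validation.isPassive()) {
            // Existing SSO session answered an active request.
            if (SAMLSSOConstants.AuthnModes.OPENID.equals(authMode)) {
                storeRememberMeCookie(ssoSessionId, req, resp, SAMLSSOService.getSSOSessionTimeout());
            }
            rememberOpenIdSubject(req, validation.getSubject());
            sendResponse(req, resp, relayState, validation.getResponse(), validation.getAssertionConsumerURL(),
                    validation.getSubject());
            return;
        }
        if (SAMLSSOService.isOpenIDLoginAccepted() && req.getSession().getAttribute(OPENID_SESSION_ATTR) != null) {
            handleRequestWithOpenIDLogin(req, resp, validation, relayState, ssoSessionId);
            return;
        }
        if (hasResponse) {
            // Passive request: the validator already built the (possibly negative) response.
            sendResponse(req, resp, relayState, validation.getResponse(), validation.getAssertionConsumerURL(),
                    validation.getSubject());
            return;
        }
        if (!validation.isPassive()) {
            sendToAuthenticate(req, resp, validation, relayState);
            return;
        }
        // Passive request without a response: nothing can be done without user interaction.
        log.debug("Invalid SAML SSO Request");
        throw new IdentityException("Invalid SAML SSO Request");
    }

    /**
     * Parks the validated request in the HTTP session and redirects the browser to the common
     * authentication endpoint, which calls back into this servlet with {@code commonAuthAuthenticated}.
     *
     * @param relayState RelayState to remember for the eventual response
     */
    private void sendToAuthenticate(HttpServletRequest req, HttpServletResponse resp,
                                    SAMLSSOReqValidationResponseDTO validation, String relayState)
            throws ServletException, IOException {
        String sessionDataKey = storeSessionDTO(req, validation, relayState);
        // String.valueOf keeps the literal "null" for an absent SAMLRequest (IdP-initiated flows):
        // getRequestParameter() in this class treats that literal as "absent", so it is the expected form.
        String samlRequest = String.valueOf(req.getParameter(SAMLSSOConstants.AUTH_REQ_SAML_ASSRTN));
        String commonAuthUrl = CarbonUIUtil.getAdminConsoleURL(req).replace("samlsso/carbon/", "commonauth");
        // A base64 SAMLRequest contains '+', '/' and '='; without encoding '+' decodes to a space downstream.
        resp.sendRedirect(commonAuthUrl
                + "?SAMLRequest=" + urlEncode(samlRequest)
                + "&issuer=" + urlEncode(String.valueOf(validation.getIssuer()))
                + "&" + SAMLSSOConstants.SESSION_DATA_KEY + "=" + sessionDataKey
                + "&type=samlsso"
                + "&commonAuthCallerPath=" + urlEncode("../../samlsso")
                + "&forceAuthenticate=true");
    }

    /**
     * Writes the self-submitting HTML form that POSTs the SAML response to the service provider.
     *
     * <p>Everything reflected into the page (ACS URL, SAMLResponse, RelayState) is HTML-escaped; the
     * page is marked non-cacheable because it contains the assertion.
     *
     * @param relayState   RelayState to echo back, or {@code null} to omit the field (it is optional
     *                     in the SAML 2.0 bindings; the previous revision posted the literal "null")
     * @param samlResponse base64-encoded SAML response
     * @param acsUrl       assertion consumer service URL of the SP
     * @param subject      authenticated subject, used for tenant partitioning of the ACS URL
     */
    private void sendResponse(HttpServletRequest req, HttpServletResponse resp, String relayState, String samlResponse,
                              String acsUrl, String subject) throws ServletException, IOException {
        req.getSession().removeAttribute(SAMLSSOConstants.SESSION_DATA_KEY);

        String escapedRelayState = null;
        if (relayState != null) {
            // Line breaks never belong in an attribute value; they are dropped after escaping, as before.
            escapedRelayState = escapeHtml(decodeRelayState(relayState)).replace("\r", "").replace("\n", "");
        }
        String escapedAcsUrl = escapeHtml(getACSUrlWithTenantPartitioning(acsUrl, subject));

        resp.setContentType("text/html; charset=UTF-8");
        resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        resp.setHeader("Pragma", "no-cache");

        PrintWriter writer = resp.getWriter();
        writer.println("<html>");
        writer.println("<body>");
        writer.println("<p>You are now redirected back to " + escapedAcsUrl);
        writer.println(" If the redirection fails, please click the post button.</p>");
        writer.println("<form method='post' action='" + escapedAcsUrl + "'>");
        writer.println("<p>");
        writer.println("<input type='hidden' name='SAMLResponse' value='" + escapeHtml(samlResponse) + "'>");
        if (escapedRelayState != null) {
            writer.println("<input type='hidden' name='RelayState' value='" + escapedRelayState + "'>");
        }
        writer.println("<button type='submit'>POST</button>");
        writer.println("</p>");
        writer.println("</form>");
        writer.println("<script type='text/javascript'>");
        writer.println("document.forms[0].submit();");
        writer.println("</script>");
        writer.println("</body>");
        writer.println("</html>");
    }

    /**
     * Completes a pending SAML request once the user has been authenticated (by the authentication
     * framework or by an existing OpenID login).
     *
     * @param ssoSessionId   SSO session id to establish the session under
     * @param sessionDataKey key of the parked {@link SAMLSSOSessionDTO} in the HTTP session
     */
    private void handleRequestFromLoginPage(HttpServletRequest req, HttpServletResponse resp, String ssoSessionId,
                                            String sessionDataKey) throws IdentityException, IOException, ServletException {
        // A missing key is treated like a missing DTO rather than handed to getAttribute(null).
        SAMLSSOSessionDTO sessionDTO = sessionDataKey == null
                ? null
                : (SAMLSSOSessionDTO) req.getSession().getAttribute(sessionDataKey);
        if (sessionDTO == null) {
            log.error("The value of sessionDTO is null. This could be due to the hostname settings");
            sendNotification(SAMLSSOConstants.Notification.EXCEPTION_STATUS,
                    SAMLSSOConstants.Notification.INVALID_MESSAGE_MESSAGE, req, resp);
            return;
        }
        // NOTE(review): the DTO stays in the HTTP session under its random key after use; repeated
        // unauthenticated requests therefore grow the session. Consider removing it once consumed.

        String relayStateParam = req.getParameter(SAMLSSOConstants.RELAY_STATE);
        String relayState = relayStateParam != null ? relayStateParam : sessionDTO.getRelayState();

        SAMLSSOAuthnReqDTO authnReqDTO = new SAMLSSOAuthnReqDTO();
        populateAuthnReqDTO(req, authnReqDTO, sessionDTO);

        SAMLSSOService service = new SAMLSSOService();
        SAMLSSORespDTO respDTO;
        Object openIdAttr = req.getSession().getAttribute(OPENID_SESSION_ATTR);
        if (SAMLSSOService.isOpenIDLoginAccepted() && openIdAttr != null) {
            authnReqDTO.setUsername(SAMLSSOUtil.getUserNameFromOpenID((String) openIdAttr));
            respDTO = service.authenticate(authnReqDTO, ssoSessionId, true, SAMLSSOConstants.AuthnModes.OPENID);
        } else {
            // Fail closed: anything other than Boolean.TRUE counts as "not authenticated".
            boolean authenticated = Boolean.TRUE.equals(req.getAttribute(COMMON_AUTH_AUTHENTICATED_ATTR));
            respDTO = service.authenticate(authnReqDTO, ssoSessionId, authenticated,
                    SAMLSSOConstants.AuthnModes.USERNAME_PASSWORD);
        }

        if (!respDTO.isSessionEstablished()) {
            sendNotification(SAMLSSOConstants.Notification.EXCEPTION_STATUS,
                    SAMLSSOConstants.Notification.EXCEPTION_MESSAGE, req, resp);
            return;
        }
        if ("on".equals(req.getParameter("chkRemember"))) {
            storeRememberMeCookie(ssoSessionId, req, resp, SAMLSSOService.getSSOSessionTimeout());
        }
        storeTokenIdCookie(ssoSessionId, req, resp);
        rememberOpenIdSubject(req, respDTO.getSubject());
        sendResponse(req, resp, relayState, respDTO.getRespString(), respDTO.getAssertionConsumerURL(),
                respDTO.getSubject());
    }

    /** Copies the parked request data plus the authenticated user name into the authn request DTO. */
    private void populateAuthnReqDTO(HttpServletRequest req, SAMLSSOAuthnReqDTO authnReqDTO, SAMLSSOSessionDTO sessionDTO) {
        authnReqDTO.setAssertionConsumerURL(sessionDTO.getAssertionConsumerURL());
        authnReqDTO.setId(sessionDTO.getRequestID());
        authnReqDTO.setIssuer(sessionDTO.getIssuer());
        authnReqDTO.setSubject(sessionDTO.getSubject());
        authnReqDTO.setRpSessionId(sessionDTO.getRelyingPartySessionId());
        authnReqDTO.setRequestMessageString(sessionDTO.getRequestMessageString());
        authnReqDTO.setQueryString(sessionDTO.getHttpQueryString());
        authnReqDTO.setDestination(sessionDTO.getDestination());
        // Set by the authentication framework on the callback request.
        authnReqDTO.setUsername((String) req.getAttribute("authenticatedUser"));
        authnReqDTO.setIdPInitSSO(sessionDTO.isIdPInitSSO());
    }

    /** @return the remember-me cookie, or {@code null} when the request has none. */
    private Cookie getRememberMeCookie(HttpServletRequest req) {
        return findCookie(req, REMEMBER_ME_COOKIE);
    }

    /** @return the token-id cookie, or {@code null} when the request has none. */
    private Cookie getTokenIdCookie(HttpServletRequest req) {
        return findCookie(req, TOKEN_ID_COOKIE);
    }

    /**
     * Writes the persistent remember-me cookie.
     *
     * @param ssoSessionId  SSO session id to store; when {@code null} an existing cookie keeps its value
     * @param maxAgeSeconds cookie lifetime
     */
    private void storeRememberMeCookie(String ssoSessionId, HttpServletRequest req, HttpServletResponse resp, int maxAgeSeconds) {
        Cookie cookie = getRememberMeCookie(req);
        if (cookie == null) {
            cookie = new Cookie(REMEMBER_ME_COOKIE, ssoSessionId);
        } else if (ssoSessionId != null) {
            // Re-authentication establishes a new SSO session id; a reused cookie must carry it,
            // otherwise the browser keeps pointing at the previous (possibly logged-out) session.
            cookie.setValue(ssoSessionId);
        }
        cookie.setMaxAge(maxAgeSeconds);
        hardenCookie(cookie, req);
        resp.addCookie(cookie);
    }

    /**
     * Writes the session-scoped token-id cookie.
     *
     * <p>Fix: the previous revision looked up the <em>remember-me</em> cookie here, so whenever one was
     * present it was re-sent and the token-id cookie was never written.
     *
     * @param ssoSessionId SSO session id to store; when {@code null} an existing cookie keeps its value
     */
    private void storeTokenIdCookie(String ssoSessionId, HttpServletRequest req, HttpServletResponse resp) {
        Cookie cookie = getTokenIdCookie(req);
        if (cookie == null) {
            cookie = new Cookie(TOKEN_ID_COOKIE, ssoSessionId);
        } else if (ssoSessionId != null) {
            cookie.setValue(ssoSessionId);
        }
        hardenCookie(cookie, req);
        resp.addCookie(cookie);
    }

    /** Unused within this class; kept for compatibility. Maps an optional page name onto a console path. */
    private String getLoginPage(String page) {
        if (page == null || page.length() == 0) {
            return "authenticationendpoint/samlsso/samlsso_auth_ajaxprocessor.jsp";
        }
        return "/carbon/" + page.trim();
    }

    /**
     * Unused within this class; kept for compatibility. Reads a value from the request parameters, then
     * the request attributes, treating the literal string {@code "null"} as absent.
     */
    private String getRequestParameter(HttpServletRequest req, String name) {
        String param = req.getParameter(name);
        if (param != null && !param.equals("null")) {
            return param;
        }
        Object attr = req.getAttribute(name);
        if (attr == null || attr.equals("null")) {
            return null;
        }
        return (String) attr;
    }

    /**
     * Authenticates a pending SAML request with the OpenID login already held in the HTTP session,
     * by parking the request and running the post-login path directly.
     */
    private void handleRequestWithOpenIDLogin(HttpServletRequest req, HttpServletResponse resp,
                                              SAMLSSOReqValidationResponseDTO validation, String relayState,
                                              String ssoSessionId) throws ServletException, IOException, IdentityException {
        // Unlike the previous revision, the IdP-initiated flag is carried over here as well, so the
        // authn request is not silently treated as SP-initiated.
        String sessionDataKey = storeSessionDTO(req, validation, relayState);
        handleRequestFromLoginPage(req, resp, ssoSessionId, sessionDataKey);
    }

    /**
     * Appends {@code tenantDomain} to the ACS URL when tenant partitioning is enabled.
     *
     * @param acsUrl  assertion consumer service URL
     * @param subject authenticated subject whose tenant domain is derived
     * @return the ACS URL, possibly with a {@code tenantDomain} query parameter
     */
    private String getACSUrlWithTenantPartitioning(String acsUrl, String subject) {
        String tenantDomain = subject == null ? null : MultitenantUtils.getTenantDomain(subject);
        if (tenantDomain == null || !"true".equals(IdentityUtil.getProperty("SSOService.TenantPartitioningEnabled"))) {
            return acsUrl;
        }
        // Fix: an ACS URL that already carries a query string gets '&', not a second '?'.
        String separator = (acsUrl != null && acsUrl.indexOf('?') >= 0) ? "&" : "?";
        return acsUrl + separator + "tenantDomain=" + urlEncode(tenantDomain);
    }

    // ---- helpers -------------------------------------------------------------------------------

    /** Parks the validated request in the HTTP session under a fresh random key and returns that key. */
    private String storeSessionDTO(HttpServletRequest req, SAMLSSOReqValidationResponseDTO validation, String relayState) {
        SAMLSSOSessionDTO sessionDTO = new SAMLSSOSessionDTO();
        sessionDTO.setHttpQueryString(req.getQueryString());
        sessionDTO.setDestination(validation.getDestination());
        sessionDTO.setRelayState(relayState);
        sessionDTO.setRequestMessageString(validation.getRequestMessageString());
        sessionDTO.setIssuer(validation.getIssuer());
        sessionDTO.setRequestID(validation.getId());
        sessionDTO.setSubject(validation.getSubject());
        sessionDTO.setRelyingPartySessionId(validation.getRpSessionId());
        sessionDTO.setAssertionConsumerURL(validation.getAssertionConsumerURL());
        sessionDTO.setIdPInitSSO(validation.isIdPInitSSO());
        // NOTE(review): the key is both the lookup handle and the only protection against picking up
        // another flow's DTO — it relies on UUIDGenerator producing unpredictable values.
        String sessionDataKey = UUIDGenerator.generateUUID();
        req.getSession().setAttribute(sessionDataKey, sessionDTO);
        return sessionDataKey;
    }

    /** Records the subject's OpenID in the HTTP session when SAML logins may be reused for OpenID. */
    private void rememberOpenIdSubject(HttpServletRequest req, String subject) {
        if (SAMLSSOService.isSAMLSSOLoginAccepted()) {
            String openId = SAMLSSOUtil.getOpenID(subject);
            req.getSession().setAttribute(OPENID_SESSION_ATTR, openId);
            req.getSession().setAttribute(OPENID_ATTR, openId);
        }
    }

    /** Counterpart of {@link #rememberOpenIdSubject}: clears the OpenID attributes on logout. */
    private void forgetOpenIdSubject(HttpServletRequest req) {
        if (SAMLSSOService.isSAMLSSOLoginAccepted()) {
            req.getSession().removeAttribute(OPENID_SESSION_ATTR);
            req.getSession().removeAttribute(OPENID_ATTR);
        }
    }

    /** Flags a cookie carrying the SSO session id so it is not sent over plain HTTP when issued over TLS. */
    private static void hardenCookie(Cookie cookie, HttpServletRequest req) {
        cookie.setSecure(req.isSecure());
        // NOTE(review): Cookie.setHttpOnly(true) needs Servlet 3.0; add it if the container supports it,
        // since the value is a bearer session id.
    }

    /**
     * URL-decodes the RelayState as the previous revision did, but tolerates malformed %-sequences
     * (returns the value unchanged) instead of failing the whole SSO flow with an unhandled exception.
     */
    private static String decodeRelayState(String relayState) throws IOException {
        try {
            return URLDecoder.decode(relayState, UTF8);
        } catch (IllegalArgumentException e) {
            return relayState;
        }
    }

    /** URL-encodes a query-string value as UTF-8. */
    private static String urlEncode(String value) {
        try {
            return URLEncoder.encode(value, UTF8);
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is mandatory for every JVM.
            throw new IllegalStateException("UTF-8 is not supported by this JVM", e);
        }
    }

    /**
     * Escapes the five HTML-significant characters so a value can be placed in element text or in a
     * single- or double-quoted attribute. {@code null} becomes the empty string.
     */
    private static String escapeHtml(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':
                    sb.append("&amp;");
                    break;
                case '<':
                    sb.append("&lt;");
                    break;
                case '>':
                    sb.append("&gt;");
                    break;
                case '"':
                    sb.append("&quot;");
                    break;
                case '\'':
                    sb.append("&#39;");
                    break;
                default:
                    sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Returns the first cookie with the given name, or {@code null}. */
    private static Cookie findCookie(HttpServletRequest req, String name) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (name.equals(cookie.getName())) {
                return cookie;
            }
        }
        return null;
    }
}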
