package com.liferay.saml.opensaml.integration.internal.servlet.profile;

import com.liferay.petra.string.StringBundler;
import com.liferay.portal.configuration.metatype.bnd.util.ConfigurableUtil;
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.exception.SystemException;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.model.User;
import com.liferay.portal.kernel.security.auth.CompanyThreadLocal;
import com.liferay.portal.kernel.service.ServiceContext;
import com.liferay.portal.kernel.service.ServiceContextFactory;
import com.liferay.portal.kernel.service.UserLocalService;
import com.liferay.portal.kernel.theme.ThemeDisplay;
import com.liferay.portal.kernel.util.GetterUtil;
import com.liferay.portal.kernel.util.ParamUtil;
import com.liferay.portal.kernel.util.Portal;
import com.liferay.portal.kernel.util.StringUtil;
import com.liferay.portal.kernel.util.URLCodec;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.saml.helper.RelayStateHelper;
import com.liferay.saml.opensaml.integration.internal.binding.SamlBinding;
import com.liferay.saml.opensaml.integration.internal.metadata.MetadataManager;
import com.liferay.saml.opensaml.integration.internal.resolver.AttributePublisherImpl;
import com.liferay.saml.opensaml.integration.internal.resolver.AttributeResolverRegistry;
import com.liferay.saml.opensaml.integration.internal.resolver.AttributeResolverSAMLContextImpl;
import com.liferay.saml.opensaml.integration.internal.resolver.DecrypterContext;
import com.liferay.saml.opensaml.integration.internal.resolver.NameIdResolverRegistry;
import com.liferay.saml.opensaml.integration.internal.resolver.NameIdResolverSAMLContextImpl;
import com.liferay.saml.opensaml.integration.internal.resolver.SubjectAssertionContext;
import com.liferay.saml.opensaml.integration.internal.resolver.UserResolverSAMLContextImpl;
import com.liferay.saml.opensaml.integration.internal.util.OpenSamlUtil;
import com.liferay.saml.opensaml.integration.internal.util.SamlUtil;
import com.liferay.saml.opensaml.integration.resolver.AttributeResolver;
import com.liferay.saml.opensaml.integration.resolver.NameIdResolver;
import com.liferay.saml.opensaml.integration.resolver.UserResolver;
import com.liferay.saml.persistence.exception.NoSuchIdpSpSessionException;
import com.liferay.saml.persistence.model.SamlIdpSpConnection;
import com.liferay.saml.persistence.model.SamlIdpSsoSession;
import com.liferay.saml.persistence.model.SamlSpAuthRequest;
import com.liferay.saml.persistence.model.SamlSpIdpConnection;
import com.liferay.saml.persistence.model.SamlSpMessage;
import com.liferay.saml.persistence.model.SamlSpSession;
import com.liferay.saml.persistence.service.SamlIdpSpConnectionLocalService;
import com.liferay.saml.persistence.service.SamlIdpSpSessionLocalService;
import com.liferay.saml.persistence.service.SamlIdpSsoSessionLocalService;
import com.liferay.saml.persistence.service.SamlSpAuthRequestLocalService;
import com.liferay.saml.persistence.service.SamlSpIdpConnectionLocalService;
import com.liferay.saml.persistence.service.SamlSpMessageLocalService;
import com.liferay.saml.persistence.service.SamlSpSessionLocalService;
import com.liferay.saml.runtime.SamlException;
import com.liferay.saml.runtime.configuration.SamlConfiguration;
import com.liferay.saml.runtime.configuration.SamlProviderConfigurationHelper;
import com.liferay.saml.runtime.exception.AssertionException;
import com.liferay.saml.runtime.exception.AudienceException;
import com.liferay.saml.runtime.exception.AuthnAgeException;
import com.liferay.saml.runtime.exception.DestinationException;
import com.liferay.saml.runtime.exception.EntityInteractionException;
import com.liferay.saml.runtime.exception.ExpiredException;
import com.liferay.saml.runtime.exception.InResponseToException;
import com.liferay.saml.runtime.exception.IssuerException;
import com.liferay.saml.runtime.exception.ReplayException;
import com.liferay.saml.runtime.exception.SignatureException;
import com.liferay.saml.runtime.exception.StatusException;
import com.liferay.saml.runtime.exception.SubjectException;
import com.liferay.saml.runtime.servlet.profile.WebSsoProfile;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.apache.http.client.cache.HeaderConstants;
import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
import org.joda.time.Duration;
import org.opensaml.core.config.ConfigurationService;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.messaging.context.InOutOperationContext;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.common.messaging.context.SAMLBindingContext;
import org.opensaml.saml.common.messaging.context.SAMLEndpointContext;
import org.opensaml.saml.common.messaging.context.SAMLMessageInfoContext;
import org.opensaml.saml.common.messaging.context.SAMLMetadataContext;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.common.messaging.context.SAMLProtocolContext;
import org.opensaml.saml.common.messaging.context.SAMLSelfEntityContext;
import org.opensaml.saml.common.messaging.context.SAMLSubjectNameIdentifierContext;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.criterion.ProtocolCriterion;
import org.opensaml.saml.criterion.RoleDescriptorCriterion;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml.saml2.core.Audience;
import org.opensaml.saml.saml2.core.AudienceRestriction;
import org.opensaml.saml.saml2.core.AuthnContext;
import org.opensaml.saml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.opensaml.saml.saml2.core.Conditions;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.NameIDPolicy;
import org.opensaml.saml.saml2.core.NameIDType;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.StatusCode;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.saml2.core.SubjectConfirmationData;
import org.opensaml.saml.saml2.ecp.RelayState;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.saml.saml2.encryption.Encrypter;
import org.opensaml.saml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml.saml2.metadata.SingleSignOnService;
import org.opensaml.saml.security.impl.SAMLMetadataEncryptionParametersResolver;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.trust.TrustEngine;
import org.opensaml.xmlsec.EncryptionConfiguration;
import org.opensaml.xmlsec.EncryptionParameters;
import org.opensaml.xmlsec.context.SecurityParametersContext;
import org.opensaml.xmlsec.criterion.EncryptionConfigurationCriterion;
import org.opensaml.xmlsec.criterion.EncryptionOptionalCriterion;
import org.opensaml.xmlsec.encryption.support.DataEncryptionParameters;
import org.opensaml.xmlsec.encryption.support.DecryptionException;
import org.opensaml.xmlsec.encryption.support.KeyEncryptionParameters;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicyOption;

@Component(configurationPid = {"com.liferay.saml.runtime.configuration.SamlConfiguration"}, immediate = true, service = {WebSsoProfile.class})
/* loaded from: input_file:com/liferay/saml/opensaml/integration/internal/servlet/profile/WebSsoProfileImpl.class */
public class WebSsoProfileImpl extends BaseProfile implements WebSsoProfile {
    // Class logger; debug level gets full stack traces, error level gets messages only (see processResponse).
    private static final Log _log = LogFactoryUtil.getLog(WebSsoProfileImpl.class);

    // Shared validator for the SAML XML Signature profile. Stateless, hence safe as a static.
    // NOTE(review): the method that applies it is not in this chunk (presumably verifyAssertion).
    private static final SAMLSignatureProfileValidator _samlSignatureProfileValidator = new SAMLSignatureProfileValidator();

    // No @Reference here; presumably wired through a setter outside this chunk.
    private AttributeResolverRegistry _attributeResolverRegistry;

    // Optional on purpose: when absent, encrypted assertions cannot be decrypted and are
    // skipped with a warning (see decodeAuthnResponse).
    @Reference(cardinality = ReferenceCardinality.OPTIONAL)
    private Decrypter _decrypter;

    // No @Reference here; presumably wired through a setter outside this chunk.
    private NameIdResolverRegistry _nameIdResolverRegistry;

    @Reference
    private Portal _portal;

    // Converts between redirect URLs and opaque relay-state tokens (see doSendAuthnRequest).
    @Reference
    private RelayStateHelper _relayStateHelper;

    // Populated from the component configuration map in activate().
    private SamlConfiguration _samlConfiguration;

    @Reference
    private SamlIdpSpConnectionLocalService _samlIdpSpConnectionLocalService;

    @Reference
    private SamlIdpSpSessionLocalService _samlIdpSpSessionLocalService;

    @Reference
    private SamlIdpSsoSessionLocalService _samlIdpSsoSessionLocalService;

    // Built in activate() on top of the metadata credential resolver.
    private SAMLMetadataEncryptionParametersResolver _samlMetadataEncryptionParametersResolver;

    // No @Reference here; presumably wired through setters outside this chunk.
    private SamlSpAuthRequestLocalService _samlSpAuthRequestLocalService;
    private SamlSpIdpConnectionLocalService _samlSpIdpConnectionLocalService;
    private SamlSpMessageLocalService _samlSpMessageLocalService;

    @Reference
    private UserLocalService _userLocalService;

    // Maps the authenticated SAML subject to a portal user (see doProcessResponse).
    // No @Reference here; presumably wired through a setter outside this chunk.
    private UserResolver _userResolver;

    /**
     * Handles an incoming SAML AuthnRequest (IdP role).
     *
     * <p>All work happens in {@link #doProcessAuthnRequest}; any failure is routed through
     * {@code ExceptionHandlerUtil}, which is what produces the declared
     * {@link PortalException}.
     *
     * @param httpServletRequest the request carrying the AuthnRequest (or the post-login resume parameters)
     * @param httpServletResponse the response the SAML Response or redirect is written to
     * @throws PortalException as translated by {@code ExceptionHandlerUtil}
     */
    public void processAuthnRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws PortalException {
        try {
            doProcessAuthnRequest(httpServletRequest, httpServletResponse);
        }
        catch (Exception exception) {
            ExceptionHandlerUtil.handleException(exception);
        }
    }

    /**
     * Handles a SAML Response delivered to the SP over the HTTP-POST binding.
     *
     * <p>On failure the exception is logged (full trace at debug level; message only at
     * error level, except {@link AuthnAgeException} and {@link SubjectException}, which are
     * treated as expected outcomes). When the peer entity is already known from the decoded
     * message, the failure is rethrown as an {@link EntityInteractionException} carrying the
     * IdP entity ID and, if present, the subject NameID value; otherwise it is handed to
     * {@code ExceptionHandlerUtil}.
     *
     * @param httpServletRequest the request carrying the SAMLResponse form parameter
     * @param httpServletResponse the response used for the post-login redirect
     * @throws PortalException on any failure, as described above
     */
    public void processResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws PortalException {
        MessageContext<?> messageContext = null;
        try {
            SamlBinding postBinding = getSamlBinding(SAMLConstants.SAML2_POST_BINDING_URI);
            messageContext = decodeAuthnResponse(httpServletRequest, httpServletResponse, postBinding);
            doProcessResponse(messageContext, httpServletRequest, httpServletResponse);
        }
        catch (Exception exception) {
            boolean expectedFailure = (exception instanceof AuthnAgeException) || (exception instanceof SubjectException);
            if (_log.isDebugEnabled()) {
                _log.debug(exception, exception);
            }
            else if (!expectedFailure) {
                _log.error(exception.getMessage());
            }
            SAMLPeerEntityContext peerEntityContext = null;
            if (messageContext != null) {
                peerEntityContext = (SAMLPeerEntityContext) messageContext.getSubcontext(SAMLPeerEntityContext.class);
            }
            if (peerEntityContext != null) {
                // The NameID may not have been resolved yet when decoding failed early.
                String nameIdValue = null;
                SAMLSubjectNameIdentifierContext subjectNameIdContext = (SAMLSubjectNameIdentifierContext) messageContext.getSubcontext(SAMLSubjectNameIdentifierContext.class);
                if (subjectNameIdContext != null) {
                    NameID nameId = subjectNameIdContext.getSAML2SubjectNameID();
                    if (nameId != null) {
                        nameIdValue = nameId.getValue();
                    }
                }
                throw new EntityInteractionException(peerEntityContext.getEntityId(), nameIdValue, exception);
            }
            ExceptionHandlerUtil.handleException(exception);
        }
    }

    /**
     * Starts SP-initiated SSO by sending an AuthnRequest to the IdP.
     *
     * <p>All work happens in {@link #doSendAuthnRequest}; any failure is routed through
     * {@code ExceptionHandlerUtil}, which is what produces the declared
     * {@link PortalException}.
     *
     * @param httpServletRequest the request that triggered the login
     * @param httpServletResponse the response the SAML message is written to
     * @param str the redirect URL to return to after login (carried as relay state)
     * @throws PortalException as translated by {@code ExceptionHandlerUtil}
     */
    public void sendAuthnRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) throws PortalException {
        try {
            doSendAuthnRequest(httpServletRequest, httpServletResponse, str);
        }
        catch (Exception exception) {
            ExceptionHandlerUtil.handleException(exception);
        }
    }

    /**
     * Re-binds the persisted SP session to the current servlet session ID.
     *
     * <p>Needed when the container issues a new JSESSIONID (for example after login), so
     * that the stored SP session keeps pointing at the live servlet session. The update is
     * best-effort: a failure is only logged at debug level and never surfaces to the caller.
     *
     * @param httpServletRequest the current request; a servlet session is created if none exists
     * @param httpServletResponse unused here
     */
    public void updateSamlSpSession(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        SamlSpSession samlSpSession = getSamlSpSession(httpServletRequest);
        String currentJSessionId = httpServletRequest.getSession().getId();
        if (samlSpSession == null) {
            return;
        }
        if (currentJSessionId.equals(samlSpSession.getJSessionId())) {
            return;
        }
        try {
            samlSpSessionLocalService.updateSamlSpSession(samlSpSession.getPrimaryKey(), currentJSessionId);
        }
        catch (Exception exception) {
            // Deliberately best-effort; losing the re-bind must not fail the request.
            if (_log.isDebugEnabled()) {
                _log.debug(exception, exception);
            }
        }
    }

    /**
     * OSGi activation: binds the component configuration and prepares the encryption
     * parameters resolver used for outbound encryption.
     *
     * @param map the component properties from the {@code SamlConfiguration} PID
     */
    @Activate
    protected void activate(Map<String, Object> map) {
        _samlConfiguration = ConfigurableUtil.createConfigurable(SamlConfiguration.class, map);
        SAMLMetadataEncryptionParametersResolver encryptionParametersResolver = new SAMLMetadataEncryptionParametersResolver(metadataManager.getMetadataCredentialResolver());
        // Let the resolver mint a data-encryption key itself when metadata does not supply one.
        encryptionParametersResolver.setAutoGenerateDataEncryptionCredential(true);
        _samlMetadataEncryptionParametersResolver = encryptionParametersResolver;
    }

    /**
     * Persists a new IdP SSO session plus the per-SP session for the peer in this request,
     * and sets the {@code SAML_SSO_SESSION_ID} cookie for the browser.
     *
     * @param httpServletRequest the current request (source of the service context)
     * @param httpServletResponse the response the session cookie is added to
     * @param samlSsoRequestContext the SSO conversation; supplies the SSO session ID and the peer entity
     * @param nameID the NameID issued to the peer, stored by format and value
     * @throws Exception if either persistence call fails
     */
    protected void addSamlSsoSession(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SamlSsoRequestContext samlSsoRequestContext, NameID nameID) throws Exception {
        ServiceContext serviceContext = ServiceContextFactory.getInstance(httpServletRequest);
        String samlSsoSessionId = samlSsoRequestContext.getSamlSsoSessionId();
        SamlIdpSsoSession samlIdpSsoSession = _samlIdpSsoSessionLocalService.addSamlIdpSsoSession(samlSsoSessionId, serviceContext);
        MessageContext<?> messageContext = samlSsoRequestContext.getSAMLMessageContext();
        SAMLPeerEntityContext peerEntityContext = (SAMLPeerEntityContext) messageContext.getSubcontext(SAMLPeerEntityContext.class);
        _samlIdpSpSessionLocalService.addSamlIdpSpSession(samlIdpSsoSession.getSamlIdpSsoSessionId(), peerEntityContext.getEntityId(), nameID.getFormat(), nameID.getValue(), serviceContext);
        // -1: a session cookie with no explicit max age.
        addCookie(httpServletRequest, httpServletResponse, "SAML_SSO_SESSION_ID", samlSsoSessionId, -1);
    }

    /**
     * Resumes an SSO conversation that was parked in the HTTP session before the user was
     * sent to the login page.
     *
     * <p>The parked {@link SamlSsoRequestContext} is removed from the session (single use), a
     * fresh message context for its peer entity is attached, the original AuthnRequest XML
     * (if any) is unmarshalled back into an inbound message context together with its
     * message ID, the relay state is restored, the SSO session ID is taken from the request
     * or freshly generated, and the context is marked as stage 1 with the current user ID.
     *
     * @return the resumed context, or {@code null} when nothing is parked in the session
     * @throws Exception if the stored AuthnRequest cannot be unmarshalled or the message context cannot be built
     */
    protected SamlSsoRequestContext decodeAuthnConversationAfterLogin(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        HttpSession httpSession = httpServletRequest.getSession();
        SamlSsoRequestContext samlSsoRequestContext = (SamlSsoRequestContext) httpSession.getAttribute("SAML_SSO_REQUEST_CONTEXT");
        if (samlSsoRequestContext == null) {
            return null;
        }
        // Single use: the parked conversation must not be replayable from the session.
        httpSession.removeAttribute("SAML_SSO_REQUEST_CONTEXT");
        MessageContext<?> messageContext = getMessageContext(httpServletRequest, httpServletResponse, samlSsoRequestContext.getPeerEntityId());
        samlSsoRequestContext.setSAMLMessageContext(messageContext);
        String authnRequestXml = samlSsoRequestContext.getAuthnRequestXml();
        if (Validator.isNotNull(authnRequestXml)) {
            AuthnRequest authnRequest = (AuthnRequest) OpenSamlUtil.unmarshall(authnRequestXml);
            InOutOperationContext inOutOperationContext = new InOutOperationContext(new MessageContext(), new MessageContext());
            messageContext.addSubcontext(inOutOperationContext);
            MessageContext inboundMessageContext = inOutOperationContext.getInboundMessageContext();
            inboundMessageContext.setMessage(authnRequest);
            SAMLMessageInfoContext messageInfoContext = (SAMLMessageInfoContext) inboundMessageContext.getSubcontext(SAMLMessageInfoContext.class, true);
            messageInfoContext.setMessageId(authnRequest.getID());
        }
        SAMLBindingContext bindingContext = (SAMLBindingContext) messageContext.getSubcontext(SAMLBindingContext.class, true);
        bindingContext.setRelayState(samlSsoRequestContext.getRelayState());
        String samlSsoSessionId = getSamlSsoSessionId(httpServletRequest);
        if (Validator.isNull(samlSsoSessionId)) {
            samlSsoRequestContext.setNewSession(true);
            samlSsoSessionId = generateIdentifier(30);
        }
        samlSsoRequestContext.setSamlSsoSessionId(samlSsoSessionId);
        // Stage 1: the user has been through the login page for this conversation.
        samlSsoRequestContext.setStage(1);
        samlSsoRequestContext.setUserId(portal.getUserId(httpServletRequest));
        return samlSsoRequestContext;
    }

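    /**
     * Builds the {@link SamlSsoRequestContext} for an incoming SSO request on the IdP side.
     *
     * <p>Resolution order:
     * <ol>
     * <li>If the request carries {@code saml_message_id} and the conversation parked in the
     * HTTP session holds an inbound AuthnRequest with exactly that ID, that conversation is
     * resumed.</li>
     * <li>If the request carries {@code entityId} but no {@code SAMLRequest} (an unsolicited
     * flow with no AuthnRequest) and the parked conversation is for that same peer entity
     * ID, it is resumed.</li>
     * <li>Otherwise a fresh context is built: a peer-only context for the unsolicited case,
     * or the SAMLRequest is decoded with the binding chosen from the HTTP method (GET means
     * HTTP-Redirect, anything else HTTP-POST), with the AuthnRequest signature requirement
     * taken from the provider configuration.</li>
     * </ol>
     *
     * <p>The equality checks in steps 1 and 2 are what tie a parked conversation to the
     * request that resumes it. The original ordering dereferenced the parked message context
     * before its {@code null} check, which made that check ineffective; the checks are now
     * performed before use, and a parked conversation with no inbound AuthnRequest simply
     * does not match in step 1.
     *
     * @return the request context, never {@code null}
     * @throws Exception if the SAML message cannot be decoded or validated
     */
    protected SamlSsoRequestContext decodeAuthnRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        String samlMessageId = ParamUtil.getString(httpServletRequest, "saml_message_id");
        if (!Validator.isBlank(samlMessageId)) {
            SamlSsoRequestContext parkedContext = decodeAuthnConversationAfterLogin(httpServletRequest, httpServletResponse);
            if (parkedContext != null) {
                MessageContext<?> parkedMessageContext = parkedContext.getSAMLMessageContext();
                if (parkedMessageContext != null) {
                    InOutOperationContext inOutOperationContext = (InOutOperationContext) parkedMessageContext.getSubcontext(InOutOperationContext.class);
                    // No inbound AuthnRequest was parked, so there is no message ID to match.
                    if (inOutOperationContext != null) {
                        SAMLMessageInfoContext messageInfoContext = (SAMLMessageInfoContext) inOutOperationContext.getInboundMessageContext().getSubcontext(SAMLMessageInfoContext.class, true);
                        if (samlMessageId.equals(messageInfoContext.getMessageId())) {
                            return parkedContext;
                        }
                    }
                }
            }
        }
        String entityId = ParamUtil.getString(httpServletRequest, "entityId");
        String samlRequest = ParamUtil.getString(httpServletRequest, "SAMLRequest");
        // entityId without a SAMLRequest: no AuthnRequest to decode, only a peer to respond to.
        boolean unsolicited = Validator.isNotNull(entityId) && Validator.isNull(samlRequest);
        if (unsolicited) {
            SamlSsoRequestContext parkedContext = decodeAuthnConversationAfterLogin(httpServletRequest, httpServletResponse);
            if (parkedContext != null) {
                MessageContext<?> parkedMessageContext = parkedContext.getSAMLMessageContext();
                if (parkedMessageContext != null) {
                    SAMLPeerEntityContext peerEntityContext = (SAMLPeerEntityContext) parkedMessageContext.getSubcontext(SAMLPeerEntityContext.class);
                    if ((peerEntityContext != null) && entityId.equals(peerEntityContext.getEntityId())) {
                        return parkedContext;
                    }
                }
            }
        }
        SamlBinding samlBinding;
        if (StringUtil.equalsIgnoreCase(httpServletRequest.getMethod(), "GET")) {
            samlBinding = getSamlBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
        }
        else {
            samlBinding = getSamlBinding(SAMLConstants.SAML2_POST_BINDING_URI);
        }
        SamlSsoRequestContext samlSsoRequestContext;
        if (unsolicited) {
            MessageContext<?> messageContext = getMessageContext(httpServletRequest, httpServletResponse, entityId);
            SAMLBindingContext bindingContext = (SAMLBindingContext) messageContext.getSubcontext(SAMLBindingContext.class);
            bindingContext.setBindingUri(samlBinding.getCommunicationProfileId());
            String relayState = ParamUtil.getString(httpServletRequest, RelayState.DEFAULT_ELEMENT_LOCAL_NAME);
            bindingContext.setRelayState(relayState);
            SAMLPeerEntityContext peerEntityContext = (SAMLPeerEntityContext) messageContext.getSubcontext(SAMLPeerEntityContext.class);
            samlSsoRequestContext = new SamlSsoRequestContext(peerEntityContext.getEntityId(), relayState, messageContext, _userLocalService);
        }
        else {
            // Whether an unsigned AuthnRequest is accepted is a provider-level policy decision.
            boolean signatureRequired = samlProviderConfigurationHelper.getSamlProviderConfiguration().authnRequestSignatureRequired();
            MessageContext<?> messageContext = decodeSamlMessage(httpServletRequest, httpServletResponse, samlBinding, signatureRequired);
            MessageContext inboundMessageContext = ((InOutOperationContext) messageContext.getSubcontext(InOutOperationContext.class)).getInboundMessageContext();
            AuthnRequest authnRequest = (AuthnRequest) inboundMessageContext.getMessage();
            SAMLMessageInfoContext messageInfoContext = (SAMLMessageInfoContext) inboundMessageContext.getSubcontext(SAMLMessageInfoContext.class, true);
            messageInfoContext.setMessageId(authnRequest.getID());
            SAMLPeerEntityContext peerEntityContext = (SAMLPeerEntityContext) messageContext.getSubcontext(SAMLPeerEntityContext.class);
            SAMLBindingContext bindingContext = (SAMLBindingContext) messageContext.getSubcontext(SAMLBindingContext.class);
            // The AuthnRequest XML is kept so the conversation survives a round trip through the login page.
            samlSsoRequestContext = new SamlSsoRequestContext(OpenSamlUtil.marshall(authnRequest), peerEntityContext.getEntityId(), bindingContext.getRelayState(), messageContext, _userLocalService);
        }
        String samlSsoSessionId = getSamlSsoSessionId(httpServletRequest);
        if (Validator.isNull(samlSsoSessionId)) {
            samlSsoRequestContext.setNewSession(true);
            samlSsoSessionId = generateIdentifier(30);
        }
        samlSsoRequestContext.setSamlSsoSessionId(samlSsoSessionId);
        // Stage 0: first pass, before any login round trip.
        samlSsoRequestContext.setStage(0);
        samlSsoRequestContext.setUserId(portal.getUserId(httpServletRequest));
        return samlSsoRequestContext;
    }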

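    /**
     * Decodes an inbound SAML Response and selects the assertion that authenticates the
     * subject.
     *
     * <p>The message is decoded with signature checking forced on. Plain assertions are
     * taken as-is; encrypted ones are decrypted when a {@code Decrypter} is available,
     * otherwise they are skipped with a warning. Every candidate must pass
     * {@code verifyAssertion} against the metadata trust engine; candidates that fail are
     * dropped (logged at debug level) rather than failing the whole response. Among the
     * verified candidates, one with at least one AuthnStatement and a bearer
     * SubjectConfirmation is chosen; if several qualify, the last one in document order is
     * used. The chosen assertion is published as a {@code SubjectAssertionContext} on the
     * inbound message context.
     *
     * @param samlBinding the binding the response arrived over
     * @return the decoded message context with the subject assertion attached
     * @throws AssertionException if no verified bearer assertion remains
     * @throws Exception if decoding or signature validation of the message itself fails
     */
    protected MessageContext<?> decodeAuthnResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SamlBinding samlBinding) throws Exception {
        MessageContext<?> messageContext = decodeSamlMessage(httpServletRequest, httpServletResponse, samlBinding, true);
        MessageContext inboundMessageContext = ((InOutOperationContext) messageContext.getSubcontext(InOutOperationContext.class)).getInboundMessageContext();
        Response response = (Response) inboundMessageContext.getMessage();
        List<EncryptedAssertion> encryptedAssertions = response.getEncryptedAssertions();
        List<Assertion> candidateAssertions = new ArrayList<>(response.getAssertions());
        if (_decrypter != null) {
            for (EncryptedAssertion encryptedAssertion : encryptedAssertions) {
                try {
                    candidateAssertions.add(_decrypter.decrypt(encryptedAssertion));
                }
                catch (DecryptionException decryptionException) {
                    // Only this assertion is dropped; whatever remains still has to pass verifyAssertion.
                    _log.error("Unable to decrypt assertion", decryptionException);
                }
            }
            inboundMessageContext.addSubcontext(new DecrypterContext(_decrypter));
        }
        else if (!encryptedAssertions.isEmpty() && _log.isWarnEnabled()) {
            _log.warn("Message returned encrypted assertions but there is no decrypter available");
        }
        SignatureTrustEngine signatureTrustEngine = metadataManager.getSignatureTrustEngine();
        Assertion bearerAssertion = null;
        for (Assertion candidate : candidateAssertions) {
            try {
                verifyAssertion(candidate, messageContext, signatureTrustEngine);
            }
            catch (SamlException samlException) {
                if (_log.isDebugEnabled()) {
                    _log.debug("Rejecting assertion " + candidate.getID(), samlException);
                }
                continue;
            }
            if (_hasBearerSubjectConfirmation(candidate)) {
                bearerAssertion = candidate;
            }
        }
        if (bearerAssertion == null) {
            throw new AssertionException("Response does not contain any acceptable assertions");
        }
        inboundMessageContext.addSubcontext(new SubjectAssertionContext(bearerAssertion));
        return messageContext;
    }

    /**
     * Returns whether the assertion carries at least one AuthnStatement and a
     * SubjectConfirmation using the bearer method.
     */
    private static boolean _hasBearerSubjectConfirmation(Assertion assertion) {
        if (assertion.getAuthnStatements().isEmpty()) {
            return false;
        }
        Subject subject = assertion.getSubject();
        if ((subject == null) || (subject.getSubjectConfirmations() == null)) {
            return false;
        }
        for (SubjectConfirmation subjectConfirmation : subject.getSubjectConfirmations()) {
            if (SubjectConfirmation.METHOD_BEARER.equals(subjectConfirmation.getMethod())) {
                return true;
            }
        }
        return false;
    }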

    /**
     * IdP-side handling of an SSO request after it has been decoded.
     *
     * <p>Decision flow: a passive AuthnRequest with no logged-in user is answered with a
     * {@code NoPassive} failure. For a resumed (non-new) SSO session, the stored IdP session
     * is looked up; if it is missing or expired the session cookie is cleared and a new SSO
     * session ID is generated. The user is sent to the login page when the SSO session
     * expired, when there is no user, or when the AuthnRequest demands ForceAuthn and this
     * is still the first pass (stage 0). Otherwise a success Response is sent and the
     * {@code FORCE_REAUTHENTICATION} session flag is cleared.
     *
     * @throws Exception if decoding, persistence or response generation fails
     */
    protected void doProcessAuthnRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        SamlSsoRequestContext samlSsoRequestContext = decodeAuthnRequest(httpServletRequest, httpServletResponse);
        MessageContext<?> messageContext = samlSsoRequestContext.getSAMLMessageContext();
        InOutOperationContext inOutOperationContext = (InOutOperationContext) messageContext.getSubcontext(InOutOperationContext.class, false);
        User user = samlSsoRequestContext.getUser();
        AuthnRequest authnRequest = null;
        if (inOutOperationContext != null) {
            authnRequest = (AuthnRequest) inOutOperationContext.getInboundMessageContext().getMessage();
            // IsPassive forbids user interaction, so without a session there is nothing we can do.
            if ((authnRequest != null) && authnRequest.isPassive() && (user == null)) {
                sendFailureResponse(samlSsoRequestContext, StatusCode.NO_PASSIVE, httpServletResponse);
                return;
            }
        }
        boolean ssoSessionExpired = false;
        if (!samlSsoRequestContext.isNewSession()) {
            String samlSsoSessionId = samlSsoRequestContext.getSamlSsoSessionId();
            SamlIdpSsoSession samlIdpSsoSession = _samlIdpSsoSessionLocalService.fetchSamlIdpSso(samlSsoSessionId);
            if (samlIdpSsoSession == null) {
                samlSsoSessionId = null;
                samlSsoRequestContext.setSamlSsoSessionId(null);
            }
            else {
                ssoSessionExpired = samlIdpSsoSession.isExpired();
            }
            if (ssoSessionExpired || Validator.isNull(samlSsoSessionId)) {
                // Max age 0 deletes the stale cookie before a fresh session ID is issued.
                addCookie(httpServletRequest, httpServletResponse, "SAML_SSO_SESSION_ID", "", 0);
                samlSsoRequestContext.setNewSession(true);
                samlSsoRequestContext.setSamlSsoSessionId(generateIdentifier(30));
            }
        }
        boolean forceAuthn = (authnRequest != null) && authnRequest.isForceAuthn();
        boolean firstPass = samlSsoRequestContext.getStage() == 0;
        if (ssoSessionExpired || (user == null) || (forceAuthn && firstPass)) {
            redirectToLogin(httpServletRequest, httpServletResponse, samlSsoRequestContext, forceAuthn);
            return;
        }
        sendSuccessResponse(httpServletRequest, httpServletResponse, samlSsoRequestContext);
        HttpSession httpSession = httpServletRequest.getSession(false);
        if (httpSession != null) {
            httpSession.removeAttribute("FORCE_REAUTHENTICATION");
        }
    }

    /**
     * SP-side handling of a decoded SAML Response: validates the response envelope, resolves
     * the portal user, records the SP session and redirects the browser.
     *
     * <p>Checks, in order: the top-level status must be {@code Success} (otherwise the
     * second-level status code, if any, is reported); InResponseTo, Destination and Issuer
     * are verified; a subject NameID must be present; and an unsolicited response (no
     * InResponseTo) is rejected with {@link AuthnAgeException} when the IdP connection
     * requires ForceAuthn. Assertion-level checks were already done in
     * {@link #decodeAuthnResponse}, which also guarantees the selected assertion has at
     * least one AuthnStatement. The SP session is updated in place when one exists for this
     * request, otherwise created with a freshly generated session key, and the key is
     * exposed both as a session attribute and as the {@code SAML_SP_SESSION_KEY} cookie.
     *
     * @throws StatusException if the IdP reported a non-success status
     * @throws SamlException if the subject has no NameID
     * @throws AuthnAgeException if an unsolicited response meets a ForceAuthn connection
     * @throws Exception on any other verification, resolution or persistence failure
     */
    protected void doProcessResponse(MessageContext<?> messageContext, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        MessageContext inboundMessageContext = ((InOutOperationContext) messageContext.getSubcontext(InOutOperationContext.class)).getInboundMessageContext();
        Response response = (Response) inboundMessageContext.getMessage();
        StatusCode topLevelStatusCode = response.getStatus().getStatusCode();
        String topLevelStatus = topLevelStatusCode.getValue();
        if (!topLevelStatus.equals(StatusCode.SUCCESS)) {
            // Prefer the more specific second-level code when the IdP supplied one.
            String failureStatus = topLevelStatus;
            StatusCode secondLevelStatusCode = topLevelStatusCode.getStatusCode();
            if ((secondLevelStatusCode != null) && Validator.isNotNull(secondLevelStatusCode.getValue())) {
                failureStatus = secondLevelStatusCode.getValue();
            }
            throw new StatusException(failureStatus);
        }
        verifyInResponseTo(response);
        verifyDestination(messageContext, response.getDestination());
        Issuer issuer = response.getIssuer();
        verifyIssuer(messageContext, issuer);
        SAMLSubjectNameIdentifierContext subjectNameIdContext = (SAMLSubjectNameIdentifierContext) messageContext.getSubcontext(SAMLSubjectNameIdentifierContext.class);
        NameID nameId = subjectNameIdContext.getSAML2SubjectNameID();
        if (nameId == null) {
            throw new SamlException("Name ID not present in subject");
        }
        if (_log.isDebugEnabled()) {
            _log.debug("SAML authenticated user " + nameId.getValue());
        }
        SAMLPeerEntityContext peerEntityContext = (SAMLPeerEntityContext) messageContext.getSubcontext(SAMLPeerEntityContext.class);
        long companyId = CompanyThreadLocal.getCompanyId();
        SamlSpIdpConnection samlSpIdpConnection = _samlSpIdpConnectionLocalService.getSamlSpIdpConnection(companyId, peerEntityContext.getEntityId());
        boolean unsolicitedResponse = Validator.isNull(response.getInResponseTo());
        if (unsolicitedResponse && samlSpIdpConnection.isForceAuthn()) {
            throw new AuthnAgeException();
        }
        ServiceContext serviceContext = ServiceContextFactory.getInstance(httpServletRequest);
        User user = _userResolver.resolveUser(new UserResolverSAMLContextImpl(messageContext), serviceContext);
        serviceContext.setUserId(user.getUserId());
        SamlSpSession samlSpSession = getSamlSpSession(httpServletRequest);
        HttpSession httpSession = httpServletRequest.getSession();
        SubjectAssertionContext subjectAssertionContext = (SubjectAssertionContext) inboundMessageContext.getSubcontext(SubjectAssertionContext.class);
        Assertion assertion = subjectAssertionContext.getAssertion();
        AuthnStatement authnStatement = assertion.getAuthnStatements().get(0);
        String sessionIndex = authnStatement.getSessionIndex();
        String assertionXml = OpenSamlUtil.marshall(assertion);
        String jSessionId = httpSession.getId();
        if (samlSpSession == null) {
            samlSpSession = samlSpSessionLocalService.addSamlSpSession(issuer.getValue(), generateIdentifier(30), assertionXml, jSessionId, nameId.getFormat(), nameId.getNameQualifier(), nameId.getSPNameQualifier(), nameId.getValue(), sessionIndex, serviceContext);
        }
        else {
            samlSpSessionLocalService.updateSamlSpSession(samlSpSession.getSamlSpSessionId(), issuer.getValue(), samlSpSession.getSamlSpSessionKey(), assertionXml, jSessionId, nameId.getFormat(), nameId.getNameQualifier(), nameId.getSPNameQualifier(), nameId.getValue(), sessionIndex, serviceContext);
        }
        String samlSpSessionKey = samlSpSession.getSamlSpSessionKey();
        httpSession.setAttribute("SAML_SP_SESSION_KEY", samlSpSessionKey);
        addCookie(httpServletRequest, httpServletResponse, "SAML_SP_SESSION_KEY", samlSpSessionKey, -1);
        httpServletResponse.sendRedirect(getAuthRedirectURL(messageContext, httpServletRequest));
    }

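    /**
     * Builds and sends an AuthnRequest to the IdP configured on the
     * {@code SAML_SP_IDP_CONNECTION} request attribute (no-op when the attribute is absent).
     *
     * <p>The request names this SP's HTTP-POST AssertionConsumerService, targets the IdP's
     * HTTP-POST SingleSignOnService, asks for a NameID in the format configured for the IdP
     * (AllowCreate), and sets ForceAuthn when the connection demands it or the
     * {@code FORCE_REAUTHENTICATION} request attribute is set. It is signed when either
     * side's metadata asks for signed AuthnRequests. The generated request ID is persisted
     * so the InResponseTo of the eventual Response can be matched against it.
     *
     * <p>Compared with the previous version, the signing credential is looked up once and
     * reused for both the security parameters and the signature.
     *
     * @param str the redirect URL to return to after login, converted to a relay-state token
     * @throws Exception if metadata resolution, signing, persistence or sending fails
     */
    protected void doSendAuthnRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) throws Exception {
        SamlSpIdpConnection samlSpIdpConnection = (SamlSpIdpConnection) httpServletRequest.getAttribute("SAML_SP_IDP_CONNECTION");
        if (samlSpIdpConnection == null) {
            return;
        }
        String samlIdpEntityId = samlSpIdpConnection.getSamlIdpEntityId();
        MessageContext<?> messageContext = getMessageContext(httpServletRequest, httpServletResponse, samlIdpEntityId);
        InOutOperationContext inOutOperationContext = new InOutOperationContext(new MessageContext(), new MessageContext());
        messageContext.addSubcontext(inOutOperationContext);
        MessageContext outboundMessageContext = inOutOperationContext.getOutboundMessageContext();
        // The redirect URL travels as an opaque token, not as the raw URL.
        SAMLBindingContext outboundBindingContext = (SAMLBindingContext) outboundMessageContext.getSubcontext(SAMLBindingContext.class, true);
        outboundBindingContext.setRelayState(_relayStateHelper.getRelayStateTokenFromRedirect(str));
        SAMLSelfEntityContext selfEntityContext = (SAMLSelfEntityContext) messageContext.getSubcontext(SAMLSelfEntityContext.class);
        SAMLMetadataContext selfMetadataContext = (SAMLMetadataContext) selfEntityContext.getSubcontext(SAMLMetadataContext.class);
        SPSSODescriptor spSsoDescriptor = (SPSSODescriptor) selfMetadataContext.getRoleDescriptor();
        AssertionConsumerService assertionConsumerService = SamlUtil.getAssertionConsumerServiceForBinding(spSsoDescriptor, SAMLConstants.SAML2_POST_BINDING_URI);
        SAMLPeerEntityContext peerEntityContext = (SAMLPeerEntityContext) messageContext.getSubcontext(SAMLPeerEntityContext.class);
        outboundMessageContext.addSubcontext(peerEntityContext);
        SAMLMetadataContext peerMetadataContext = (SAMLMetadataContext) peerEntityContext.getSubcontext(SAMLMetadataContext.class);
        IDPSSODescriptor idpSsoDescriptor = (IDPSSODescriptor) peerMetadataContext.getRoleDescriptor();
        SingleSignOnService singleSignOnService = SamlUtil.resolveSingleSignOnService(idpSsoDescriptor, SAMLConstants.SAML2_POST_BINDING_URI);
        NameIDPolicy nameIdPolicy = OpenSamlUtil.buildNameIdPolicy();
        nameIdPolicy.setAllowCreate(Boolean.TRUE);
        nameIdPolicy.setFormat(metadataManager.getNameIdFormat(samlIdpEntityId));
        AuthnRequest authnRequest = OpenSamlUtil.buildAuthnRequest(selfEntityContext.getEntityId(), assertionConsumerService, singleSignOnService, nameIdPolicy);
        boolean forceReauthentication = GetterUtil.getBoolean(httpServletRequest.getAttribute("FORCE_REAUTHENTICATION"), false);
        boolean forceAuthn = samlSpIdpConnection.isForceAuthn() || forceReauthentication;
        authnRequest.setForceAuthn(Boolean.valueOf(forceAuthn));
        authnRequest.setID(generateIdentifier(20));
        outboundMessageContext.setMessage(authnRequest);
        if (spSsoDescriptor.isAuthnRequestsSigned() || idpSsoDescriptor.getWantAuthnRequestsSigned()) {
            Credential signingCredential = metadataManager.getSigningCredential();
            SecurityParametersContext securityParametersContext = (SecurityParametersContext) outboundMessageContext.getSubcontext(SecurityParametersContext.class, true);
            OpenSamlUtil.prepareSecurityParametersContext(signingCredential, securityParametersContext, idpSsoDescriptor);
            OpenSamlUtil.signObject(authnRequest, signingCredential, idpSsoDescriptor);
        }
        SAMLEndpointContext endpointContext = (SAMLEndpointContext) peerEntityContext.getSubcontext(SAMLEndpointContext.class, true);
        endpointContext.setEndpoint(singleSignOnService);
        // Persisted so the Response's InResponseTo can later be verified against an ID we actually issued.
        _samlSpAuthRequestLocalService.addSamlSpAuthRequest(peerEntityContext.getEntityId(), authnRequest.getID(), ServiceContextFactory.getInstance(httpServletRequest));
        sendSamlMessage(messageContext, httpServletResponse);
    }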

    /**
     * Builds the SP-side {@code /portal/saml/auth_redirect} URL for an inbound
     * SAML message.
     *
     * <p>The final destination is recovered from the relay-state token carried
     * in the message's {@link SAMLBindingContext} and passed through
     * {@code portal.escapeRedirect}; when that leaves nothing usable (presumably
     * the portal rejected the target — confirm against Portal.escapeRedirect)
     * the portal home URL is used instead. The chosen target is URL-encoded as
     * the {@code redirect} query parameter.
     *
     * @param messageContext the inbound SAML message context
     * @param httpServletRequest the current request; provides the theme display
     *        and the home-URL fallback
     * @return the absolute-path redirect URL
     * @throws PortalException if the home URL cannot be resolved
     */
    protected String getAuthRedirectURL(MessageContext<?> messageContext, HttpServletRequest httpServletRequest) throws PortalException {
        ThemeDisplay themeDisplay = (ThemeDisplay) httpServletRequest.getAttribute("LIFERAY_SHARED_THEME_DISPLAY");
        String pathMain = themeDisplay.getPathMain();
        SAMLBindingContext bindingContext = (SAMLBindingContext) messageContext.getSubcontext(SAMLBindingContext.class);
        String relayStateRedirect = this._relayStateHelper.getRedirectFromRelayStateToken(bindingContext.getRelayState());
        // Only a portal-approved redirect is used; anything else falls back to the home URL.
        String redirect = this.portal.escapeRedirect(relayStateRedirect);
        if (Validator.isNull(redirect)) {
            redirect = this.portal.getHomeURL(httpServletRequest);
        }
        StringBundler urlBuilder = new StringBundler(3);
        urlBuilder.append(pathMain);
        urlBuilder.append("/portal/saml/auth_redirect?redirect=");
        urlBuilder.append(URLCodec.encodeURL(redirect));
        return urlBuilder.toString();
    }

    /**
     * Builds the success {@link Assertion} issued to the peer SP.
     *
     * <p>The assertion carries conditions, a bearer subject confirmation and an
     * authentication statement, all stamped with a single UTC issue instant.
     * Attribute statements are appended only when attributes are enabled for the
     * peer entity in metadata and the configured resolver actually produced some.
     *
     * @param samlSsoRequestContext the current SSO request context
     * @param assertionConsumerService the SP endpoint the assertion is bound for
     * @param nameID the subject identifier resolved for the user
     * @return the populated (unsigned) assertion
     */
    protected Assertion getSuccessAssertion(SamlSsoRequestContext samlSsoRequestContext, AssertionConsumerService assertionConsumerService, NameID nameID) {
        MessageContext<?> messageContext = samlSsoRequestContext.getSAMLMessageContext();
        Assertion assertion = OpenSamlUtil.buildAssertion();
        DateTime issueInstant = new DateTime(DateTimeZone.UTC);
        SubjectConfirmationData subjectConfirmationData = getSuccessSubjectConfirmationData(samlSsoRequestContext, assertionConsumerService, issueInstant);
        // The conditions window ends where the subject confirmation's NotOnOrAfter ends.
        Conditions conditions = getSuccessConditions(samlSsoRequestContext, issueInstant, subjectConfirmationData.getNotOnOrAfter());
        assertion.setConditions(conditions);
        assertion.setID(generateIdentifier(20));
        assertion.setIssueInstant(issueInstant);
        SAMLSelfEntityContext selfEntityContext = (SAMLSelfEntityContext) messageContext.getSubcontext(SAMLSelfEntityContext.class);
        assertion.setIssuer(OpenSamlUtil.buildIssuer(selfEntityContext.getEntityId()));
        assertion.setSubject(getSuccessSubject(samlSsoRequestContext, assertionConsumerService, nameID, subjectConfirmationData));
        assertion.setVersion(SAMLVersion.VERSION_20);
        assertion.getAuthnStatements().add(getSuccessAuthnStatement(samlSsoRequestContext, assertion));
        SAMLPeerEntityContext peerEntityContext = (SAMLPeerEntityContext) messageContext.getSubcontext(SAMLPeerEntityContext.class);
        String peerEntityId = peerEntityContext.getEntityId();
        if (!this.metadataManager.isAttributesEnabled(peerEntityId)) {
            return assertion;
        }
        AttributeResolver attributeResolver = this._attributeResolverRegistry.getAttributeResolver(peerEntityId);
        AttributePublisherImpl attributePublisher = new AttributePublisherImpl();
        User user = samlSsoRequestContext.getUser();
        attributeResolver.resolve(user, new AttributeResolverSAMLContextImpl(messageContext), attributePublisher);
        List<Attribute> resolvedAttributes = attributePublisher.getAttributes();
        if (!resolvedAttributes.isEmpty()) {
            AttributeStatement attributeStatement = OpenSamlUtil.buildAttributeStatement();
            attributeStatement.getAttributes().addAll(resolvedAttributes);
            assertion.getAttributeStatements().add(attributeStatement);
        }
        return assertion;
    }

    /**
     * Builds an {@link AudienceRestriction} naming a single audience.
     *
     * @param str the audience URI (the peer SP's entity ID at the call sites in this class)
     * @return a restriction whose only audience is {@code str}
     */
    protected AudienceRestriction getSuccessAudienceRestriction(String str) {
        Audience audience = OpenSamlUtil.buildAudience();
        audience.setAudienceURI(str);
        AudienceRestriction audienceRestriction = OpenSamlUtil.buildAudienceRestriction();
        audienceRestriction.getAudiences().add(audience);
        return audienceRestriction;
    }

    /**
     * Builds the {@link AuthnContext} placed in every issued authentication statement.
     *
     * <p>The class reference is always {@code AuthnContext.UNSPECIFIED_AUTHN_CTX}:
     * the assertion does not convey how the user actually authenticated at the
     * portal, so a relying party that requires a particular context class (for
     * example a multi-factor class) cannot rely on this value.
     *
     * @return an authentication context with the "unspecified" class reference
     */
    protected AuthnContext getSuccessAuthnContext() {
        AuthnContextClassRef classRef = OpenSamlUtil.buildAuthnContextClassRef();
        classRef.setAuthnContextClassRef(AuthnContext.UNSPECIFIED_AUTHN_CTX);
        AuthnContext authnContext = OpenSamlUtil.buildAuthnContext();
        authnContext.setAuthnContextClassRef(classRef);
        return authnContext;
    }

    /**
     * Builds the {@link AuthnStatement} for the success assertion.
     *
     * <p>The authentication instant is copied from the assertion's issue instant and
     * the session index is the IdP SSO session ID, which lets the SP reference this
     * session in a later logout request.
     *
     * @param samlSsoRequestContext provides the SSO session ID
     * @param assertion the assertion the statement will be attached to
     * @return the populated authentication statement
     */
    protected AuthnStatement getSuccessAuthnStatement(SamlSsoRequestContext samlSsoRequestContext, Assertion assertion) {
        AuthnStatement authnStatement = OpenSamlUtil.buildAuthnStatement();
        AuthnContext authnContext = getSuccessAuthnContext();
        authnStatement.setAuthnContext(authnContext);
        authnStatement.setAuthnInstant(assertion.getIssueInstant());
        authnStatement.setSessionIndex(samlSsoRequestContext.getSamlSsoSessionId());
        return authnStatement;
    }

    /**
     * Builds the {@link Conditions} element of the success assertion.
     *
     * <p>The validity window is {@code [dateTime, dateTime2)} and the single audience
     * restriction names the peer SP's entity ID, so the assertion is not usable at
     * any other relying party.
     *
     * @param samlSsoRequestContext provides the peer entity context
     * @param dateTime the NotBefore instant
     * @param dateTime2 the NotOnOrAfter instant
     * @return the populated conditions
     */
    protected Conditions getSuccessConditions(SamlSsoRequestContext samlSsoRequestContext, DateTime dateTime, DateTime dateTime2) {
        Conditions conditions = OpenSamlUtil.buildConditions();
        conditions.setNotBefore(dateTime);
        conditions.setNotOnOrAfter(dateTime2);
        MessageContext<?> messageContext = samlSsoRequestContext.getSAMLMessageContext();
        SAMLPeerEntityContext peerEntityContext = (SAMLPeerEntityContext) messageContext.getSubcontext(SAMLPeerEntityContext.class);
        AudienceRestriction audienceRestriction = getSuccessAudienceRestriction(peerEntityContext.getEntityId());
        conditions.getAudienceRestrictions().add(audienceRestriction);
        return conditions;
    }

    /**
     * Resolves the subject {@link NameID} for the user of the current SSO request.
     *
     * <p>Format, SP name qualifier and AllowCreate are taken from the
     * {@code NameIDPolicy} of the inbound AuthnRequest when one is present (an
     * IdP-initiated flow has none); a missing format falls back to the format
     * configured for the peer SP in metadata. The actual identifier value comes
     * from the {@code NameIdResolver} registered for that SP.
     *
     * @param samlSsoRequestContext the current SSO request context
     * @return the resolved NameID
     * @throws Exception propagated from the name ID resolver
     */
    protected NameID getSuccessNameId(SamlSsoRequestContext samlSsoRequestContext) throws Exception {
        MessageContext<?> messageContext = samlSsoRequestContext.getSAMLMessageContext();
        SAMLPeerEntityContext peerEntityContext = (SAMLPeerEntityContext) messageContext.getSubcontext(SAMLPeerEntityContext.class);
        String peerEntityId = peerEntityContext.getEntityId();
        NameIdResolver nameIdResolver = this._nameIdResolverRegistry.getNameIdResolver(peerEntityId);
        String format = null;
        String spNameQualifier = null;
        boolean allowCreate = false;
        AuthnRequest authnRequest = SamlUtil.getAuthnRequest(messageContext);
        NameIDPolicy nameIdPolicy = (authnRequest == null) ? null : authnRequest.getNameIDPolicy();
        if (nameIdPolicy != null) {
            format = nameIdPolicy.getFormat();
            spNameQualifier = nameIdPolicy.getSPNameQualifier();
            allowCreate = nameIdPolicy.getAllowCreate().booleanValue();
        }
        if (format == null) {
            // No policy (or a policy without a format): use the format configured for this SP.
            format = this.metadataManager.getNameIdFormat(peerEntityId);
        }
        NameIdResolverSAMLContextImpl resolverContext = new NameIdResolverSAMLContextImpl(messageContext);
        String nameIdValue = nameIdResolver.resolve(samlSsoRequestContext.getUser(), peerEntityId, format, spNameQualifier, allowCreate, resolverContext);
        return OpenSamlUtil.buildNameId(format, null, spNameQualifier, nameIdValue);
    }

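    /**
     * Builds the success {@link Response} envelope (status {@code Success}).
     *
     * <p>When the request context carries an {@link InOutOperationContext} whose
     * inbound side has a {@link SAMLMessageInfoContext} with a message ID,
     * {@code InResponseTo} is set to that ID so the SP can correlate the response
     * with its AuthnRequest. The lookup tolerates a missing info context, which
     * is how {@code redirectToLogin} in this class treats the same subcontext.
     *
     * @param samlSsoRequestContext the current SSO request context
     * @param assertionConsumerService the SP endpoint; its location becomes {@code Destination}
     * @param dateTime the issue instant (the assertion's issue instant at the call site)
     * @return the response, without any assertion attached yet
     */
    protected Response getSuccessResponse(SamlSsoRequestContext samlSsoRequestContext, AssertionConsumerService assertionConsumerService, DateTime dateTime) {
        Response response = OpenSamlUtil.buildResponse();
        response.setDestination(assertionConsumerService.getLocation());
        response.setID(generateIdentifier(20));
        MessageContext<?> messageContext = samlSsoRequestContext.getSAMLMessageContext();
        InOutOperationContext inOutOperationContext = (InOutOperationContext) messageContext.getSubcontext(InOutOperationContext.class, false);
        if (inOutOperationContext != null) {
            SAMLMessageInfoContext messageInfoContext = (SAMLMessageInfoContext) inOutOperationContext.getInboundMessageContext().getSubcontext(SAMLMessageInfoContext.class);
            // The info context is absent when nothing was received on the inbound side.
            if (messageInfoContext != null && Validator.isNotNull(messageInfoContext.getMessageId())) {
                response.setInResponseTo(messageInfoContext.getMessageId());
            }
        }
        response.setIssueInstant(dateTime);
        SAMLSelfEntityContext selfEntityContext = (SAMLSelfEntityContext) messageContext.getSubcontext(SAMLSelfEntityContext.class);
        response.setIssuer(OpenSamlUtil.buildIssuer(selfEntityContext.getEntityId()));
        response.setStatus(OpenSamlUtil.buildStatus(OpenSamlUtil.buildStatusCode(StatusCode.SUCCESS)));
        response.setVersion(SAMLVersion.VERSION_20);
        return response;
    }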

    /**
     * Builds the assertion {@link Subject}: the given NameID plus one
     * {@code bearer} subject confirmation wrapping {@code subjectConfirmationData}.
     *
     * @param samlSsoRequestContext unused; kept for signature compatibility
     * @param assertionConsumerService unused; kept for signature compatibility
     * @param nameID the subject identifier
     * @param subjectConfirmationData recipient / InResponseTo / NotOnOrAfter data
     * @return the populated subject
     */
    protected Subject getSuccessSubject(SamlSsoRequestContext samlSsoRequestContext, AssertionConsumerService assertionConsumerService, NameID nameID, SubjectConfirmationData subjectConfirmationData) {
        Subject subject = OpenSamlUtil.buildSubject(nameID);
        SubjectConfirmation subjectConfirmation = OpenSamlUtil.buildSubjectConfirmation();
        subjectConfirmation.setMethod(SubjectConfirmation.METHOD_BEARER);
        subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData);
        subject.getSubjectConfirmations().add(subjectConfirmation);
        return subject;
    }

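    /**
     * Builds the bearer {@link SubjectConfirmationData} for the success assertion.
     *
     * <p>{@code Recipient} is the ACS location, {@code NotOnOrAfter} is
     * {@code dateTime} plus the assertion lifetime configured for the peer SP,
     * and {@code InResponseTo} is the inbound message ID when an
     * {@link InOutOperationContext} with a {@link SAMLMessageInfoContext} is
     * present. A missing info context is tolerated, matching how
     * {@code redirectToLogin} in this class treats the same subcontext.
     *
     * @param samlSsoRequestContext the current SSO request context
     * @param assertionConsumerService the SP endpoint the assertion is bound for
     * @param dateTime the base instant the lifetime is added to
     * @return the populated subject confirmation data
     */
    protected SubjectConfirmationData getSuccessSubjectConfirmationData(SamlSsoRequestContext samlSsoRequestContext, AssertionConsumerService assertionConsumerService, DateTime dateTime) {
        SubjectConfirmationData subjectConfirmationData = OpenSamlUtil.buildSubjectConfirmationData();
        MessageContext<?> messageContext = samlSsoRequestContext.getSAMLMessageContext();
        InOutOperationContext inOutOperationContext = (InOutOperationContext) messageContext.getSubcontext(InOutOperationContext.class, false);
        if (inOutOperationContext != null) {
            SAMLMessageInfoContext messageInfoContext = (SAMLMessageInfoContext) inOutOperationContext.getInboundMessageContext().getSubcontext(SAMLMessageInfoContext.class);
            // The info context is absent when nothing was received on the inbound side.
            if (messageInfoContext != null) {
                subjectConfirmationData.setInResponseTo(messageInfoContext.getMessageId());
            }
        }
        subjectConfirmationData.setRecipient(assertionConsumerService.getLocation());
        SAMLPeerEntityContext peerEntityContext = (SAMLPeerEntityContext) messageContext.getSubcontext(SAMLPeerEntityContext.class);
        int assertionLifetime = this.metadataManager.getAssertionLifetime(peerEntityContext.getEntityId());
        subjectConfirmationData.setNotOnOrAfter(dateTime.plusSeconds(assertionLifetime));
        return subjectConfirmationData;
    }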

    /**
     * Parks the SSO request in the HTTP session and redirects the browser to the
     * portal login page, which then returns to {@code /portal/saml/sso}.
     *
     * <p>When {@code z} is set the current portal session is logged out first and
     * the fresh session is flagged with {@code FORCE_REAUTHENTICATION}, so the SP's
     * ForceAuthn demand cannot be satisfied by an existing login. The message
     * context is detached from the request context before it is stored, and the
     * response is marked non-cacheable.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the response the redirect is written to
     * @param samlSsoRequestContext the SSO request to resume after login
     * @param z whether the user must re-authenticate
     * @throws SystemException wrapping any I/O failure while sending the redirect
     */
    protected void redirectToLogin(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SamlSsoRequestContext samlSsoRequestContext, boolean z) {
        HttpSession session = httpServletRequest.getSession();
        if (z) {
            // Log out first, then flag the replacement session; the flag is read by
            // the SP-side request builder via the FORCE_REAUTHENTICATION attribute.
            logout(httpServletRequest, httpServletResponse);
            session = httpServletRequest.getSession(true);
            session.setAttribute("FORCE_REAUTHENTICATION", Boolean.TRUE);
        }
        MessageContext<?> messageContext = samlSsoRequestContext.getSAMLMessageContext();
        // The OpenSAML context is not stored in the session; it is rebuilt on return.
        samlSsoRequestContext.setSAMLMessageContext(null);
        session.setAttribute("SAML_SSO_REQUEST_CONTEXT", samlSsoRequestContext);
        httpServletResponse.addHeader("Cache-Control", "private, no-cache, no-store, must-revalidate");
        httpServletResponse.addHeader("Pragma", HeaderConstants.CACHE_CONTROL_NO_CACHE);
        ThemeDisplay themeDisplay = (ThemeDisplay) httpServletRequest.getAttribute("LIFERAY_SHARED_THEME_DISPLAY");
        String pathMain = themeDisplay.getPathMain();
        StringBundler ssoUrl = new StringBundler(4);
        ssoUrl.append(pathMain);
        ssoUrl.append("/portal/saml/sso");
        SAMLPeerEntityContext peerEntityContext = (SAMLPeerEntityContext) messageContext.getSubcontext(SAMLPeerEntityContext.class);
        InOutOperationContext inOutOperationContext = (InOutOperationContext) messageContext.getSubcontext(InOutOperationContext.class, false);
        if (inOutOperationContext == null) {
            // IdP-initiated: no inbound message, so identify the SP directly.
            String peerEntityId = peerEntityContext.getEntityId();
            if (peerEntityId != null) {
                ssoUrl.append("?entityId=");
                ssoUrl.append(URLCodec.encodeURL(peerEntityId));
            }
        } else {
            // SP-initiated: carry the inbound message ID so the request can be resumed.
            SAMLMessageInfoContext messageInfoContext = (SAMLMessageInfoContext) inOutOperationContext.getInboundMessageContext().getSubcontext(SAMLMessageInfoContext.class);
            if (messageInfoContext != null && messageInfoContext.getMessageId() != null) {
                ssoUrl.append("?saml_message_id=");
                ssoUrl.append(URLCodec.encodeURL(messageInfoContext.getMessageId()));
            }
        }
        StringBundler loginUrl = new StringBundler(3);
        loginUrl.append(pathMain);
        loginUrl.append("/portal/login?redirect=");
        loginUrl.append(URLCodec.encodeURL(ssoUrl.toString()));
        try {
            httpServletResponse.sendRedirect(loginUrl.toString());
        } catch (IOException ioException) {
            throw new SystemException(ioException);
        }
    }

    /**
     * Sends a SAML {@link Response} with the given status code to the peer SP's
     * HTTP-POST assertion consumer service.
     *
     * <p>The outbound message context is prepared with the IdP signing credential
     * (via {@code prepareSecurityParametersContext}) before the message is handed
     * to {@code sendSamlMessage}; {@code InResponseTo} is taken from the inbound
     * message info context, which this method assumes to be present.
     *
     * @param samlSsoRequestContext the current SSO request context
     * @param str the SAML status code URI to report
     * @param httpServletResponse the response the SAML message is written to
     * @throws PortalException if the message cannot be encoded or sent
     */
    protected void sendFailureResponse(SamlSsoRequestContext samlSsoRequestContext, String str, HttpServletResponse httpServletResponse) throws PortalException {
        MessageContext<?> messageContext = samlSsoRequestContext.getSAMLMessageContext();
        String communicationProfileId = getSamlBinding(SAMLConstants.SAML2_POST_BINDING_URI).getCommunicationProfileId();
        AssertionConsumerService assertionConsumerService = SamlUtil.resolverAssertionConsumerService(messageContext, communicationProfileId);
        SAMLPeerEntityContext peerEntityContext = (SAMLPeerEntityContext) messageContext.getSubcontext(SAMLPeerEntityContext.class);
        SAMLEndpointContext endpointContext = (SAMLEndpointContext) peerEntityContext.getSubcontext(SAMLEndpointContext.class);
        endpointContext.setEndpoint(assertionConsumerService);
        Credential signingCredential = this.metadataManager.getSigningCredential();
        InOutOperationContext inOutOperationContext = (InOutOperationContext) messageContext.getSubcontext(InOutOperationContext.class);
        MessageContext outboundMessageContext = inOutOperationContext.getOutboundMessageContext();
        SecurityParametersContext securityParametersContext = (SecurityParametersContext) outboundMessageContext.getSubcontext(SecurityParametersContext.class, true);
        SAMLMetadataContext peerMetadataContext = (SAMLMetadataContext) peerEntityContext.getSubcontext(SAMLMetadataContext.class);
        OpenSamlUtil.prepareSecurityParametersContext(signingCredential, securityParametersContext, peerMetadataContext.getRoleDescriptor());
        SAMLMessageInfoContext inboundMessageInfoContext = (SAMLMessageInfoContext) inOutOperationContext.getInboundMessageContext().getSubcontext(SAMLMessageInfoContext.class);
        SAMLSelfEntityContext selfEntityContext = (SAMLSelfEntityContext) messageContext.getSubcontext(SAMLSelfEntityContext.class);
        Response response = OpenSamlUtil.buildResponse();
        response.setDestination(assertionConsumerService.getLocation());
        response.setInResponseTo(inboundMessageInfoContext.getMessageId());
        response.setIssueInstant(new DateTime(DateTimeZone.UTC));
        response.setIssuer(OpenSamlUtil.buildIssuer(selfEntityContext.getEntityId()));
        response.setStatus(OpenSamlUtil.buildStatus(OpenSamlUtil.buildStatusCode(str)));
        outboundMessageContext.setMessage(response);
        sendSamlMessage(messageContext, httpServletResponse);
    }

    /**
     * Issues the success response for an authenticated SSO request and posts it
     * to the peer SP's HTTP-POST assertion consumer service.
     *
     * <p>Steps, in order: resolve the ACS; resolve the NameID and build the
     * assertion; sign the assertion if the SP's metadata asks for signed
     * assertions; build the response; encrypt the assertion when encryption
     * parameters can be negotiated for the SP (failing hard if the SP connection
     * forces encryption and none were found); wire up the outbound message
     * context (binding, signing parameters, protocol, endpoint); create or
     * refresh the IdP SSO session; send.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the response the SAML message is written to
     * @param samlSsoRequestContext the authenticated SSO request context
     * @throws SamlException if encryption is forced for the SP but no encryption
     *         parameters were negotiated
     * @throws Exception propagated from name ID resolution, session handling or sending
     */
    protected void sendSuccessResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SamlSsoRequestContext samlSsoRequestContext) throws Exception {
        MessageContext<?> sAMLMessageContext = samlSsoRequestContext.getSAMLMessageContext();
        AssertionConsumerService resolverAssertionConsumerService = SamlUtil.resolverAssertionConsumerService(sAMLMessageContext, getSamlBinding(SAMLConstants.SAML2_POST_BINDING_URI).getCommunicationProfileId());
        NameID successNameId = getSuccessNameId(samlSsoRequestContext);
        Assertion successAssertion = getSuccessAssertion(samlSsoRequestContext, resolverAssertionConsumerService, successNameId);
        Credential signingCredential = this.metadataManager.getSigningCredential();
        SAMLPeerEntityContext sAMLPeerEntityContext = (SAMLPeerEntityContext) sAMLMessageContext.getSubcontext(SAMLPeerEntityContext.class);
        SPSSODescriptor sPSSODescriptor = (SPSSODescriptor) ((SAMLMetadataContext) sAMLPeerEntityContext.getSubcontext(SAMLMetadataContext.class)).getRoleDescriptor();
        // Assertion-level signature only on request from SP metadata; the response
        // itself is signed later via the security parameters context.
        if (sPSSODescriptor.getWantAssertionsSigned().booleanValue()) {
            OpenSamlUtil.signObject(successAssertion, signingCredential, sPSSODescriptor);
        }
        Response successResponse = getSuccessResponse(samlSsoRequestContext, resolverAssertionConsumerService, successAssertion.getIssueInstant());
        SamlIdpSpConnection samlIdpSpConnection = this._samlIdpSpConnectionLocalService.getSamlIdpSpConnection(CompanyThreadLocal.getCompanyId().longValue(), sAMLPeerEntityContext.getEntityId());
        // Encryption parameters are negotiated from the global encryption configuration
        // and the SP's role descriptor (its encryption keys/algorithms).
        CriteriaSet criteriaSet = new CriteriaSet(new EncryptionConfigurationCriterion((EncryptionConfiguration) ConfigurationService.get(EncryptionConfiguration.class)), new RoleDescriptorCriterion(sPSSODescriptor));
        // Only when encryption is not forced may the resolver treat it as optional.
        if (!samlIdpSpConnection.isEncryptionForced()) {
            criteriaSet.add(new EncryptionOptionalCriterion(true));
        }
        EncryptionParameters resolveSingle = this._samlMetadataEncryptionParametersResolver.resolveSingle(criteriaSet);
        if (resolveSingle != null) {
            // Data key from the resolved parameters, wrapped for the peer SP.
            successResponse.getEncryptedAssertions().add(new Encrypter(new DataEncryptionParameters(resolveSingle), new KeyEncryptionParameters(resolveSingle, sAMLPeerEntityContext.getEntityId())).encrypt(successAssertion));
        } else {
            // Never fall back to a plaintext assertion for an SP that requires encryption.
            if (samlIdpSpConnection.isEncryptionForced()) {
                throw new SamlException(StringBundler.concat(new String[]{"Encryption is forced for ", sAMLPeerEntityContext.getEntityId(), ", but no encryption parameters have been successfully ", "negotiated"}));
            }
            successResponse.getAssertions().add(successAssertion);
        }
        // IdP-initiated requests have no in/out context yet; create an empty one.
        InOutOperationContext inOutOperationContext = (InOutOperationContext) sAMLMessageContext.getSubcontext(InOutOperationContext.class, false);
        if (inOutOperationContext == null) {
            inOutOperationContext = (InOutOperationContext) sAMLMessageContext.addSubcontext(new InOutOperationContext(new MessageContext(), new MessageContext()));
        }
        MessageContext outboundMessageContext = inOutOperationContext.getOutboundMessageContext();
        outboundMessageContext.addSubcontext(sAMLMessageContext.getSubcontext(SAMLBindingContext.class, true));
        outboundMessageContext.setMessage(successResponse);
        OpenSamlUtil.prepareSecurityParametersContext(signingCredential, (SecurityParametersContext) outboundMessageContext.getSubcontext(SecurityParametersContext.class, true), sPSSODescriptor);
        ((SAMLProtocolContext) outboundMessageContext.getSubcontext(SAMLProtocolContext.class, true)).setProtocol(SAMLConstants.SAML20P_NS);
        ((SAMLEndpointContext) ((SAMLPeerEntityContext) outboundMessageContext.getSubcontext(SAMLPeerEntityContext.class, true)).getSubcontext(SAMLEndpointContext.class, true)).setEndpoint(resolverAssertionConsumerService);
        // Record the SP in the IdP SSO session before the message leaves.
        if (samlSsoRequestContext.isNewSession()) {
            addSamlSsoSession(httpServletRequest, httpServletResponse, samlSsoRequestContext, successNameId);
        } else {
            updateSamlSsoSession(httpServletRequest, samlSsoRequestContext, successNameId);
        }
        sendSamlMessage(sAMLMessageContext, httpServletResponse);
    }

    /**
     * OSGi DS injection point for the attribute resolver registry used by
     * {@code getSuccessAssertion}.
     *
     * @param attributeResolverRegistry the registry to bind
     */
    @Reference(unbind = "-")
    protected void setAttributeResolverRegistry(AttributeResolverRegistry attributeResolverRegistry) {
        this._attributeResolverRegistry = attributeResolverRegistry;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * OSGi DS injection point for the identifier generation strategy factory;
     * delegates to the base profile, which owns the field.
     *
     * @param identifierGenerationStrategyFactory the factory to bind
     */
    @Override // com.liferay.saml.opensaml.integration.internal.servlet.profile.BaseProfile
    @Reference(unbind = "-")
    public void setIdentifierGenerationStrategyFactory(IdentifierGenerationStrategyFactory identifierGenerationStrategyFactory) {
        super.setIdentifierGenerationStrategyFactory(identifierGenerationStrategyFactory);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * OSGi DS injection point for the metadata manager; delegates to the base
     * profile, which owns the field.
     *
     * @param metadataManager the manager to bind
     */
    @Override // com.liferay.saml.opensaml.integration.internal.servlet.profile.BaseProfile
    @Reference(unbind = "-")
    public void setMetadataManager(MetadataManager metadataManager) {
        super.setMetadataManager(metadataManager);
    }

    /**
     * OSGi DS injection point for the name ID resolver registry used by
     * {@code getSuccessNameId}.
     *
     * @param nameIdResolverRegistry the registry to bind
     */
    @Reference(unbind = "-")
    protected void setNameIdResolverRegistry(NameIdResolverRegistry nameIdResolverRegistry) {
        this._nameIdResolverRegistry = nameIdResolverRegistry;
    }

    /**
     * OSGi DS injection point for the portal facade (redirect escaping, home URL).
     *
     * @param portal the portal service to bind
     */
    @Reference(unbind = "-")
    protected void setPortal(Portal portal) {
        this.portal = portal;
    }

    /**
     * OSGi DS injection point for SAML bindings; at least one must be present and
     * new bindings are picked up greedily. Each one is registered with the base
     * profile via {@code addSamlBinding}.
     *
     * @param samlBinding the binding to register
     */
    @Reference(cardinality = ReferenceCardinality.AT_LEAST_ONE, policyOption = ReferencePolicyOption.GREEDY)
    protected void setSamlBinding(SamlBinding samlBinding) {
        addSamlBinding(samlBinding);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * OSGi DS injection point for the provider configuration helper; delegates to
     * the base profile, which owns the field.
     *
     * @param samlProviderConfigurationHelper the helper to bind
     */
    @Override // com.liferay.saml.opensaml.integration.internal.servlet.profile.BaseProfile
    @Reference(unbind = "-")
    public void setSamlProviderConfigurationHelper(SamlProviderConfigurationHelper samlProviderConfigurationHelper) {
        super.setSamlProviderConfigurationHelper(samlProviderConfigurationHelper);
    }

    /**
     * OSGi DS injection point for the service that stores outstanding SP
     * AuthnRequest IDs (used by {@code verifyInResponseTo}).
     *
     * @param samlSpAuthRequestLocalService the service to bind
     */
    @Reference(unbind = "-")
    protected void setSamlSpAuthRequestLocalService(SamlSpAuthRequestLocalService samlSpAuthRequestLocalService) {
        this._samlSpAuthRequestLocalService = samlSpAuthRequestLocalService;
    }

    /**
     * OSGi DS injection point for the SP-to-IdP connection service.
     *
     * @param samlSpIdpConnectionLocalService the service to bind
     */
    @Reference(unbind = "-")
    protected void setSamlSpIdpConnectionLocalService(SamlSpIdpConnectionLocalService samlSpIdpConnectionLocalService) {
        this._samlSpIdpConnectionLocalService = samlSpIdpConnectionLocalService;
    }

    /**
     * OSGi DS injection point for the service backing the assertion replay cache
     * (used by {@code verifyReplay}).
     *
     * @param samlSpMessageLocalService the service to bind
     */
    @Reference(unbind = "-")
    protected void setSamlSpMessageLocalService(SamlSpMessageLocalService samlSpMessageLocalService) {
        this._samlSpMessageLocalService = samlSpMessageLocalService;
    }

    /**
     * OSGi DS injection point for the SP session service.
     *
     * @param samlSpSessionLocalService the service to bind
     */
    @Reference(unbind = "-")
    protected void setSamlSpSessionLocalService(SamlSpSessionLocalService samlSpSessionLocalService) {
        this.samlSpSessionLocalService = samlSpSessionLocalService;
    }

    /**
     * OSGi DS injection point for the user resolver; a higher-ranked resolver
     * registered later replaces the current one (greedy policy option).
     *
     * @param userResolver the resolver to bind
     */
    @Reference(policyOption = ReferencePolicyOption.GREEDY, unbind = "-")
    protected void setUserResolver(UserResolver userResolver) {
        this._userResolver = userResolver;
    }

    /**
     * Unbind counterpart of {@code setSamlBinding}; removes the binding from the
     * base profile's registry.
     *
     * @param samlBinding the binding going away
     */
    @Override // com.liferay.saml.opensaml.integration.internal.servlet.profile.BaseProfile
    protected void unsetSamlBinding(SamlBinding samlBinding) {
        removeSamlBinding(samlBinding);
    }

    /**
     * Refreshes the existing IdP SSO session for this request and records the
     * peer SP in it.
     *
     * <p>The SSO session's modified date is bumped first; then the per-SP session
     * is either touched or, if the SP has not been part of this SSO session yet
     * ({@code NoSuchIdpSpSessionException}), created with the subject's NameID.
     *
     * @param httpServletRequest used to build the service context
     * @param samlSsoRequestContext provides the SSO session ID and the peer entity
     * @param nameID the subject identifier recorded on a newly created SP session
     * @throws Exception propagated from the local services
     */
    protected void updateSamlSsoSession(HttpServletRequest httpServletRequest, SamlSsoRequestContext samlSsoRequestContext, NameID nameID) throws Exception {
        ServiceContext serviceContext = ServiceContextFactory.getInstance(httpServletRequest);
        SamlIdpSsoSession samlIdpSsoSession = this._samlIdpSsoSessionLocalService.updateModifiedDate(samlSsoRequestContext.getSamlSsoSessionId());
        MessageContext<?> messageContext = samlSsoRequestContext.getSAMLMessageContext();
        SAMLPeerEntityContext peerEntityContext = (SAMLPeerEntityContext) messageContext.getSubcontext(SAMLPeerEntityContext.class);
        long samlIdpSsoSessionId = samlIdpSsoSession.getSamlIdpSsoSessionId();
        String peerEntityId = peerEntityContext.getEntityId();
        try {
            this._samlIdpSpSessionLocalService.updateModifiedDate(samlIdpSsoSessionId, peerEntityId);
        } catch (NoSuchIdpSpSessionException noSuchIdpSpSessionException) {
            // First visit of this SP within the SSO session: create its SP session.
            this._samlIdpSpSessionLocalService.addSamlIdpSpSession(samlIdpSsoSessionId, peerEntityId, nameID.getFormat(), nameID.getValue(), serviceContext);
        }
    }

    /**
     * Runs the SP-side checks on an inbound assertion, in a fixed order: replay,
     * issuer, signature, conditions (audience and validity window), subject.
     *
     * <p>Each check throws its own {@link PortalException} subtype on failure, so
     * the first failing check aborts processing. The replay check runs first and
     * records the assertion ID before anything else is trusted.
     *
     * @param assertion the assertion to verify
     * @param messageContext the inbound message context (peer/self entity data)
     * @param trustEngine the engine used to validate signature trust
     * @throws PortalException if any check fails
     */
    protected void verifyAssertion(Assertion assertion, MessageContext<?> messageContext, TrustEngine<Signature> trustEngine) throws PortalException {
        verifyReplay(messageContext, assertion);
        verifyIssuer(messageContext, assertion.getIssuer());
        verifyAssertionSignature(assertion.getSignature(), messageContext, trustEngine);
        verifyConditions(messageContext, assertion.getConditions());
        verifySubject(messageContext, assertion.getSubject());
    }

    /**
     * Verifies the assertion-level signature, if any.
     *
     * <p>A present signature is validated via {@code verifySignature}. An absent
     * signature is only an error when this SP's metadata declares
     * {@code WantAssertionsSigned}; otherwise the assertion passes here, which
     * presumes the enclosing response's signature is verified elsewhere in the
     * profile — confirm against the response handling.
     *
     * @param signature the assertion signature, or {@code null} if unsigned
     * @param messageContext the inbound message context
     * @param trustEngine the engine used to validate signature trust
     * @throws SignatureException if the assertion is unsigned but must be signed
     * @throws PortalException if the signature fails validation
     */
    protected void verifyAssertionSignature(Signature signature, MessageContext<?> messageContext, TrustEngine<Signature> trustEngine) throws PortalException {
        SAMLSelfEntityContext selfEntityContext = (SAMLSelfEntityContext) messageContext.getSubcontext(SAMLSelfEntityContext.class);
        SAMLMetadataContext selfMetadataContext = (SAMLMetadataContext) selfEntityContext.getSubcontext(SAMLMetadataContext.class);
        SPSSODescriptor spSsoDescriptor = (SPSSODescriptor) selfMetadataContext.getRoleDescriptor();
        if (signature == null) {
            if (spSsoDescriptor.getWantAssertionsSigned().booleanValue()) {
                throw new SignatureException("SAML assertion is not signed");
            }
            return;
        }
        verifySignature(messageContext, signature, trustEngine);
    }

    /**
     * Checks that this SP's entity ID appears as an audience of the assertion.
     *
     * <p>An assertion without any {@code AudienceRestriction} is accepted as-is.
     * When restrictions are present the check passes as soon as any one of them
     * lists this SP. NOTE(review): SAML 2.0 Core evaluates multiple
     * {@code AudienceRestriction} elements independently (each must be
     * satisfied); this any-match is more lenient than that when an IdP emits
     * more than one restriction element.
     *
     * @param list the assertion's audience restrictions
     * @param messageContext the inbound message context (supplies this SP's entity ID)
     * @throws AudienceException if restrictions exist and none names this SP
     */
    protected void verifyAudienceRestrictions(List<AudienceRestriction> list, MessageContext<?> messageContext) throws PortalException {
        if (list.isEmpty()) {
            return;
        }
        SAMLSelfEntityContext selfEntityContext = (SAMLSelfEntityContext) messageContext.getSubcontext(SAMLSelfEntityContext.class);
        for (AudienceRestriction audienceRestriction : list) {
            for (Audience audience : audienceRestriction.getAudiences()) {
                if (audience.getAudienceURI().equals(selfEntityContext.getEntityId())) {
                    return;
                }
            }
        }
        throw new AudienceException("Unable verify audience");
    }

    /**
     * Verifies the assertion {@code Conditions}: audience restrictions first,
     * then the {@code NotBefore} / {@code NotOnOrAfter} window against the current
     * UTC time, allowing the configured clock skew on both ends. Either bound may
     * be absent, in which case it is not checked.
     *
     * @param messageContext the inbound message context
     * @param conditions the assertion conditions (must not be {@code null})
     * @throws PortalException if the audience, NotBefore or NotOnOrAfter check fails
     */
    protected void verifyConditions(MessageContext<?> messageContext, Conditions conditions) throws PortalException {
        verifyAudienceRestrictions(conditions.getAudienceRestrictions(), messageContext);
        DateTime now = new DateTime(DateTimeZone.UTC);
        long clockSkew = this.metadataManager.getClockSkew();
        DateTime notBefore = conditions.getNotBefore();
        DateTime notOnOrAfter = conditions.getNotOnOrAfter();
        if (notBefore != null) {
            verifyNotBeforeDateTime(now, clockSkew, notBefore);
        }
        if (notOnOrAfter != null) {
            verifyNotOnOrAfterDateTime(now, clockSkew, notOnOrAfter);
        }
    }

    /**
     * Checks that {@code str} (a Destination or Recipient URL from the message)
     * is one of this SP's assertion consumer service locations for the binding
     * the message actually arrived on, so a message addressed to another endpoint
     * or binding is rejected.
     *
     * @param messageContext the inbound message context (self metadata and binding)
     * @param str the destination URL to check
     * @throws DestinationException if no ACS matches both location and binding
     */
    protected void verifyDestination(MessageContext<?> messageContext, String str) throws PortalException {
        SAMLSelfEntityContext selfEntityContext = (SAMLSelfEntityContext) messageContext.getSubcontext(SAMLSelfEntityContext.class);
        SAMLMetadataContext selfMetadataContext = (SAMLMetadataContext) selfEntityContext.getSubcontext(SAMLMetadataContext.class);
        SPSSODescriptor spSsoDescriptor = (SPSSODescriptor) selfMetadataContext.getRoleDescriptor();
        SAMLBindingContext bindingContext = (SAMLBindingContext) messageContext.getSubcontext(SAMLBindingContext.class);
        String actualBindingUri = bindingContext.getBindingUri();
        boolean matched = false;
        for (AssertionConsumerService candidate : spSsoDescriptor.getAssertionConsumerServices()) {
            if (str.equals(candidate.getLocation()) && candidate.getBinding().equals(actualBindingUri)) {
                matched = true;
                break;
            }
        }
        if (!matched) {
            throw new DestinationException(StringBundler.concat("Destination ", str, " does not match any assertion ", "consumer location with binding ", actualBindingUri));
        }
    }

    /**
     * Correlates a response with an AuthnRequest this SP previously sent.
     *
     * <p>A response without {@code InResponseTo} is treated as unsolicited
     * (IdP-initiated) and passes without lookup. Otherwise the stored request for
     * the response's issuer and the given ID must exist, and it is deleted on
     * success so the same request ID cannot be answered twice.
     *
     * @param response the inbound response
     * @throws InResponseToException if no matching stored request exists
     * @throws PortalException propagated from the auth-request service
     */
    protected void verifyInResponseTo(Response response) throws PortalException {
        String inResponseTo = response.getInResponseTo();
        if (Validator.isNull(inResponseTo)) {
            return;
        }
        String issuerValue = response.getIssuer().getValue();
        SamlSpAuthRequest samlSpAuthRequest = this._samlSpAuthRequestLocalService.fetchSamlSpAuthRequest(issuerValue, inResponseTo);
        if (samlSpAuthRequest == null) {
            throw new InResponseToException(StringBundler.concat("Response in response to ", inResponseTo, " does not match any authentication requests"));
        }
        // One-time use: the stored request is consumed on first match.
        this._samlSpAuthRequestLocalService.deleteSamlSpAuthRequest(samlSpAuthRequest);
    }

    /**
     * Checks that the issuer is the expected peer entity: the format, if given,
     * must be {@code NameIDType.ENTITY} and the value must equal the peer entity
     * ID from the message context.
     *
     * @param messageContext the inbound message context
     * @param issuer the issuer element to check
     * @throws IssuerException if the format or value does not match
     */
    protected void verifyIssuer(MessageContext<?> messageContext, Issuer issuer) throws PortalException {
        String issuerFormat = issuer.getFormat();
        boolean formatAcceptable = (issuerFormat == null) || issuerFormat.equals(NameIDType.ENTITY);
        if (!formatAcceptable) {
            throw new IssuerException("Invalid issuer format " + issuerFormat);
        }
        SAMLPeerEntityContext peerEntityContext = (SAMLPeerEntityContext) messageContext.getSubcontext(SAMLPeerEntityContext.class);
        String expectedEntityId = peerEntityContext.getEntityId();
        if (!expectedEntityId.equals(issuer.getValue())) {
            throw new IssuerException("Issuer does not match expected peer entity ID " + expectedEntityId);
        }
    }

    /**
     * Fails if {@code dateTime} (now) is earlier than {@code dateTime2} minus the
     * clock skew, i.e. the assertion is not yet valid even allowing for skew.
     *
     * @param dateTime the current time
     * @param j the permitted clock skew in milliseconds
     * @param dateTime2 the NotBefore instant
     * @throws AssertionException if the instant is still in the future
     */
    protected void verifyNotBeforeDateTime(DateTime dateTime, long j, DateTime dateTime2) throws PortalException {
        Duration skew = new Duration(j);
        DateTime earliestAcceptable = dateTime2.minus(skew);
        if (!dateTime.isBefore(earliestAcceptable)) {
            return;
        }
        throw new AssertionException(StringBundler.concat("Date ", dateTime, " is before ", earliestAcceptable, " including clock skew ", Long.valueOf(j)));
    }

    /**
     * Fails if {@code dateTime} (now) is at or past {@code dateTime2} plus the
     * clock skew, i.e. the assertion has expired even allowing for skew.
     *
     * @param dateTime the current time
     * @param j the permitted clock skew in milliseconds
     * @param dateTime2 the NotOnOrAfter instant
     * @throws ExpiredException if the instant has been reached
     */
    protected void verifyNotOnOrAfterDateTime(DateTime dateTime, long j, DateTime dateTime2) throws PortalException {
        Duration skew = new Duration(j);
        DateTime latestAcceptable = dateTime2.plus(skew);
        // "now >= limit" is the failing case; isBefore is its exact complement.
        if (!dateTime.isBefore(latestAcceptable)) {
            throw new ExpiredException(StringBundler.concat("Date ", dateTime, " is after ", latestAcceptable, " including clock skew ", Long.valueOf(j)));
        }
    }

    /**
     * Rejects an assertion whose ID has already been seen from the same issuer,
     * and records the current ID for future checks.
     *
     * <p>The cache entry is keyed by issuer value and assertion ID and expires
     * after the configured replay cache duration plus the clock skew. A stale
     * (expired) entry for the same key is deleted before the fresh one is added.
     *
     * @param messageContext unused here; kept for signature compatibility
     * @param assertion the assertion whose ID is checked and recorded
     * @throws ReplayException if an unexpired entry for this ID already exists
     * @throws SamlException wrapping a {@link SystemException} from the message service
     */
    protected void verifyReplay(MessageContext<?> messageContext, Assertion assertion) throws PortalException {
        String issuerValue = assertion.getIssuer().getValue();
        String assertionId = assertion.getID();
        long cacheMillis = this._samlConfiguration.getReplayChacheDuration() + this.metadataManager.getClockSkew();
        DateTime expirationDateTime = new DateTime(DateTimeZone.UTC).plus(cacheMillis);
        try {
            SamlSpMessage cachedMessage = this._samlSpMessageLocalService.fetchSamlSpMessage(issuerValue, assertionId);
            if (cachedMessage != null) {
                if (!cachedMessage.isExpired()) {
                    throw new ReplayException(StringBundler.concat("SAML assertion ", assertionId, " replayed from IdP ", issuerValue));
                }
                this._samlSpMessageLocalService.deleteSamlSpMessage(cachedMessage);
            }
            ServiceContext serviceContext = new ServiceContext();
            serviceContext.setCompanyId(CompanyThreadLocal.getCompanyId().longValue());
            this._samlSpMessageLocalService.addSamlSpMessage(issuerValue, assertionId, expirationDateTime.toDate(), serviceContext);
        } catch (SystemException systemException) {
            throw new SamlException(systemException);
        }
    }

    /**
     * Validates an XML signature in two stages: the signature profile validator
     * (structural checks on the {@code ds:Signature}) and then trust validation
     * against the peer IdP's signing keys, selected by entity ID, IdP role,
     * SAML 2.0 protocol and {@code SIGNING} usage.
     *
     * <p>Any {@link PortalException} raised inside is rethrown unchanged; any
     * other exception is wrapped in a {@link SignatureException} with the cause.
     *
     * @param messageContext the inbound message context (peer entity ID)
     * @param signature the signature to validate
     * @param trustEngine the engine used to validate signature trust
     * @throws SignatureException if the signature is untrusted or validation errors out
     * @throws PortalException propagated from the validation steps
     */
    protected void verifySignature(MessageContext<?> messageContext, Signature signature, TrustEngine<Signature> trustEngine) throws PortalException {
        try {
            _samlSignatureProfileValidator.validate(signature);
            SAMLPeerEntityContext peerEntityContext = (SAMLPeerEntityContext) messageContext.getSubcontext(SAMLPeerEntityContext.class);
            CriteriaSet criteriaSet = new CriteriaSet(new EntityIdCriterion(peerEntityContext.getEntityId()), new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME), new ProtocolCriterion(SAMLConstants.SAML20P_NS), new UsageCriterion(UsageType.SIGNING));
            boolean trusted = trustEngine.validate(signature, criteriaSet);
            if (!trusted) {
                throw new SignatureException("Unable validate signature trust");
            }
        } catch (PortalException portalException) {
            throw portalException;
        } catch (Exception exception) {
            throw new SignatureException("Unable to verify signature", exception);
        }
    }

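    /**
     * Verifies the assertion subject via a bearer subject confirmation and, on
     * success, publishes the subject's NameID into the message context.
     *
     * For each bearer confirmation carrying confirmation data, NotBefore and
     * NotOnOrAfter (when present) are checked against the current UTC time with
     * the configured clock skew, and the Recipient must pass the destination
     * check. The first confirmation that passes and whose subject carries a
     * non-empty NameID value satisfies the check; if none does, a
     * SubjectException is thrown.
     *
     * @param  messageContext the inbound message context that receives the subject NameID
     * @param  subject the assertion subject to verify
     * @throws SubjectException if no bearer confirmation can be verified
     * @throws PortalException if a time or recipient check fails
     */
    protected void verifySubject(MessageContext<?> messageContext, Subject subject) throws PortalException {
        for (SubjectConfirmation subjectConfirmation : subject.getSubjectConfirmations()) {
            // Constant-first comparison: a missing Method attribute must not
            // NPE; it simply is not a bearer confirmation.
            if (!SubjectConfirmation.METHOD_BEARER.equals(subjectConfirmation.getMethod())) {
                continue;
            }

            SubjectConfirmationData subjectConfirmationData = subjectConfirmation.getSubjectConfirmationData();

            if (subjectConfirmationData == null) {
                continue;
            }

            DateTime now = new DateTime(DateTimeZone.UTC);
            long clockSkew = this.metadataManager.getClockSkew();

            DateTime notBefore = subjectConfirmationData.getNotBefore();

            if (notBefore != null) {
                verifyNotBeforeDateTime(now, clockSkew, notBefore);
            }

            DateTime notOnOrAfter = subjectConfirmationData.getNotOnOrAfter();

            if (notOnOrAfter != null) {
                verifyNotOnOrAfterDateTime(now, clockSkew, notOnOrAfter);
            }

            // A bearer confirmation without a Recipient cannot be bound to this
            // SP, so it is skipped rather than trusted.
            if (Validator.isNull(subjectConfirmationData.getRecipient())) {
                continue;
            }

            verifyDestination(messageContext, subjectConfirmationData.getRecipient());

            // NOTE(review): InResponseTo on the confirmation data is not checked
            // in this method; confirm it is verified elsewhere in the profile.

            NameID nameID = subject.getNameID();

            // A subject without a plain NameID, or with an empty value, cannot
            // identify the user; treat it as unverifiable instead of NPE-ing.
            if (nameID == null || Validator.isNull(nameID.getValue())) {
                continue;
            }

            ((SAMLSubjectNameIdentifierContext) messageContext.getSubcontext(SAMLSubjectNameIdentifierContext.class)).setSubjectNameIdentifier(nameID);

            return;
        }

        throw new SubjectException("Unable to verify subject");
    }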
}
