package edu.internet2.middleware.shibboleth.idp.authn;

import edu.internet2.middleware.shibboleth.common.session.SessionManager;
import edu.internet2.middleware.shibboleth.common.util.HttpHelper;
import edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager;
import edu.internet2.middleware.shibboleth.idp.session.AuthenticationMethodInformation;
import edu.internet2.middleware.shibboleth.idp.session.Session;
import edu.internet2.middleware.shibboleth.idp.session.impl.AuthenticationMethodInformationImpl;
import edu.internet2.middleware.shibboleth.idp.session.impl.ServiceInformationImpl;
import edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import javax.security.auth.Subject;
import javax.servlet.ServletConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.joda.time.DateTime;
import org.opensaml.util.storage.StorageService;
import org.opensaml.ws.transport.http.HTTPTransportUtils;
import org.opensaml.xml.util.Base64;
import org.opensaml.xml.util.DatatypeHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.helpers.MessageFormatter;

/* loaded from: input_file:edu/internet2/middleware/shibboleth/idp/authn/AuthenticationEngine.class */
public class AuthenticationEngine extends HttpServlet {
    public static final String RETAIN_PUBLIC_CREDENTIALS = "retainSubjectsPublicCredentials";
    public static final String RETAIN_PRIVATE_CREDENTIALS = "retainSubjectsPrivateCredentials";
    public static final String LOGIN_CONTEXT_PARTITION_NAME_INIT_PARAM_NAME = "loginContextPartitionName";
    public static final String LOGIN_CONTEXT_LIFETIME_INIT_PARAM_NAME = "loginContextEntryLifetime";
    public static final String IDP_SESSION_COOKIE_NAME = "_idp_session";
    public static final String LOGIN_CONTEXT_KEY_NAME = "_idp_authn_lc_key";
    private static final long serialVersionUID = -8479060989001890156L;
    private static final Logger LOG = LoggerFactory.getLogger(AuthenticationEngine.class);
    private static ServletContext context;
    private static StorageService<String, LoginContextEntry> storageService;
    private boolean retainSubjectsPublicCredentials;
    private boolean retainSubjectsPrivateCredentials;
    private IdPProfileHandlerManager handlerManager;
    private SessionManager<Session> sessionManager;

    public void init(ServletConfig servletConfig) throws ServletException {
        super.init(servletConfig);
        String safeTrimOrNullString = DatatypeHelper.safeTrimOrNullString(servletConfig.getInitParameter(RETAIN_PRIVATE_CREDENTIALS));
        if (safeTrimOrNullString != null) {
            this.retainSubjectsPrivateCredentials = Boolean.parseBoolean(safeTrimOrNullString);
        } else {
            this.retainSubjectsPrivateCredentials = false;
        }
        String safeTrimOrNullString2 = DatatypeHelper.safeTrimOrNullString(servletConfig.getInitParameter(RETAIN_PUBLIC_CREDENTIALS));
        if (safeTrimOrNullString2 != null) {
            this.retainSubjectsPublicCredentials = Boolean.parseBoolean(safeTrimOrNullString2);
        } else {
            this.retainSubjectsPublicCredentials = false;
        }
        context = servletConfig.getServletContext();
        this.handlerManager = HttpServletHelper.getProfileHandlerManager(context);
        this.sessionManager = HttpServletHelper.getSessionManager(context);
        storageService = HttpServletHelper.getStorageService(context);
    }

    public static void returnToAuthenticationEngine(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        LOG.debug("Returning control to authentication engine");
        LoginContext loginContext = HttpServletHelper.getLoginContext(storageService, context, httpServletRequest);
        if (loginContext != null) {
            forwardRequest(loginContext.getAuthenticationEngineURL(), httpServletRequest, httpServletResponse);
        } else {
            LOG.warn("No login context available, unable to return to authentication engine");
            forwardRequest("/error.jsp", httpServletRequest, httpServletResponse);
        }
    }

    public static void returnToProfileHandler(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        LOG.debug("Returning control to profile handler");
        LoginContext loginContext = HttpServletHelper.getLoginContext(storageService, context, httpServletRequest);
        if (loginContext == null) {
            LOG.warn("No login context available, unable to return to profile handler");
            forwardRequest("/error.jsp", httpServletRequest, httpServletResponse);
        }
        HttpServletHelper.unbindLoginContext(storageService, context, httpServletRequest, httpServletResponse);
        HttpServletHelper.bindLoginContext(loginContext, httpServletRequest);
        LOG.debug("Returning control to profile handler at: {}", loginContext.getProfileHandlerURL());
        forwardRequest(loginContext.getProfileHandlerURL(), httpServletRequest, httpServletResponse);
    }

    protected static void forwardRequest(String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            httpServletRequest.getRequestDispatcher(str).forward(httpServletRequest, httpServletResponse);
        } catch (ServletException e) {
            LOG.error("Unable to return control back to authentication engine", e);
        } catch (IOException e2) {
            LOG.error("Unable to return control back to authentication engine", e2);
        }
    }

    protected void service(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        LOG.debug("Processing incoming request");
        if (httpServletResponse.isCommitted()) {
            LOG.error("HTTP Response already committed");
        }
        LoginContext loginContext = HttpServletHelper.getLoginContext(storageService, getServletContext(), httpServletRequest);
        if (loginContext == null) {
            LOG.error("Incoming request does not have attached login context");
            throw new ServletException("Incoming request does not have attached login context");
        }
        if (loginContext.getAuthenticationAttempted()) {
            completeAuthentication(loginContext, httpServletRequest, httpServletResponse);
        } else {
            startUserAuthentication(loginContext, httpServletRequest, httpServletResponse);
        }
    }

    protected void startUserAuthentication(LoginContext loginContext, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        LOG.debug("Beginning user authentication process.");
        try {
            Session session = (Session) httpServletRequest.getAttribute(Session.HTTP_SESSION_BINDING_ATTRIBUTE);
            if (session != null) {
                LOG.debug("Existing IdP session available for principal {}", session.getPrincipalName());
            }
            Map<String, LoginHandler> determinePossibleLoginHandlers = determinePossibleLoginHandlers(session, loginContext);
            LOG.debug("Possible authentication handlers for this request: {}", determinePossibleLoginHandlers);
            if (loginContext.isForceAuthRequired()) {
                filterByForceAuthentication(session, loginContext, determinePossibleLoginHandlers);
            }
            if (loginContext.isPassiveAuthRequired()) {
                filterByPassiveAuthentication(session, loginContext, determinePossibleLoginHandlers);
            }
            LOG.debug("Possible authentication handlers after filtering: {}", determinePossibleLoginHandlers);
            LoginHandler selectLoginHandler = selectLoginHandler(determinePossibleLoginHandlers, loginContext, session);
            LOG.debug("Authenticating user with login handler of type {}", selectLoginHandler.getClass().getName());
            loginContext.setAuthenticationAttempted();
            loginContext.setAuthenticationEngineURL(HttpHelper.getRequestUriWithoutContext(httpServletRequest));
            HttpServletHelper.bindLoginContext(loginContext, storageService, getServletContext(), httpServletRequest, httpServletResponse);
            selectLoginHandler.login(httpServletRequest, httpServletResponse);
        } catch (AuthenticationException e) {
            loginContext.setAuthenticationFailure(e);
            returnToProfileHandler(httpServletRequest, httpServletResponse);
        }
    }

    protected LoginHandler selectLoginHandler(Map<String, LoginHandler> map, LoginContext loginContext, Session session) throws AuthenticationException {
        LoginHandler value;
        LOG.debug("Selecting appropriate login handler for request");
        if (session != null && map.containsKey("urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession")) {
            LOG.debug("Using previous session login handler");
            value = map.get("urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession");
            for (AuthenticationMethodInformation authenticationMethodInformation : session.getAuthenticationMethods().values()) {
                if (!authenticationMethodInformation.isExpired() && (loginContext.getRequestedAuthenticationMethods().isEmpty() || loginContext.getRequestedAuthenticationMethods().contains(authenticationMethodInformation.getAuthenticationMethod()))) {
                    LOG.debug("Basing previous session authentication on active authentication method {}", authenticationMethodInformation.getAuthenticationMethod());
                    loginContext.setAttemptedAuthnMethod(authenticationMethodInformation.getAuthenticationMethod());
                    loginContext.setAuthenticationMethodInformation(authenticationMethodInformation);
                    break;
                }
            }
        } else {
            map.remove("urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession");
            if (map.isEmpty()) {
                LOG.info("No authentication mechanism available for use with relying party '{}'", loginContext.getRelyingPartyId());
                throw new AuthenticationException();
            }
            if (loginContext.getDefaultAuthenticationMethod() == null || !map.containsKey(loginContext.getDefaultAuthenticationMethod())) {
                Map.Entry<String, LoginHandler> next = map.entrySet().iterator().next();
                loginContext.setAttemptedAuthnMethod(next.getKey());
                value = next.getValue();
            } else {
                value = map.get(loginContext.getDefaultAuthenticationMethod());
                loginContext.setAttemptedAuthnMethod(loginContext.getDefaultAuthenticationMethod());
            }
        }
        return value;
    }

    protected Map<String, LoginHandler> determinePossibleLoginHandlers(Session session, LoginContext loginContext) throws AuthenticationException {
        HashMap hashMap = new HashMap(this.handlerManager.getLoginHandlers());
        LOG.debug("Filtering configured login handlers by requested athentication methods.");
        LOG.debug("Configured LoginHandlers: {}", hashMap);
        LOG.debug("Requested authentication methods: {}", loginContext.getRequestedAuthenticationMethods());
        if (loginContext.getRequestedAuthenticationMethods().isEmpty()) {
            LOG.trace("No preference given for authentication methods");
            return hashMap;
        }
        if (hashMap.containsKey("urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession") && session != null && loginContext.getRequestedAuthenticationMethods() != null) {
            boolean z = false;
            Iterator<String> it = session.getAuthenticationMethods().keySet().iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                if (loginContext.getRequestedAuthenticationMethods().contains(it.next())) {
                    z = true;
                    break;
                }
            }
            if (!z) {
                hashMap.remove("urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession");
            }
        }
        Iterator it2 = hashMap.entrySet().iterator();
        while (it2.hasNext()) {
            Map.Entry entry = (Map.Entry) it2.next();
            if (!((String) entry.getKey()).equals("urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession") && !loginContext.getRequestedAuthenticationMethods().contains(entry.getKey())) {
                it2.remove();
            }
        }
        if (!hashMap.isEmpty()) {
            return hashMap;
        }
        LOG.warn("No authentication method, requested by the service provider, is supported");
        throw new AuthenticationException("No authentication method, requested by the service provider, is supported");
    }

    protected void filterByForceAuthentication(Session session, LoginContext loginContext, Map<String, LoginHandler> map) throws ForceAuthenticationException {
        LOG.debug("Forced authentication is required, filtering possible login handlers accordingly");
        ArrayList arrayList = new ArrayList();
        if (session != null) {
            arrayList.addAll(session.getAuthenticationMethods().values());
        }
        map.remove("urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession");
        Iterator it = arrayList.iterator();
        while (it.hasNext()) {
            LoginHandler loginHandler = map.get(((AuthenticationMethodInformation) it.next()).getAuthenticationMethod());
            if (loginHandler != null && !loginHandler.supportsForceAuthentication()) {
                Iterator<String> it2 = loginHandler.getSupportedAuthenticationMethods().iterator();
                while (it2.hasNext()) {
                    map.remove(it2.next());
                }
            }
        }
        LOG.debug("Authentication handlers remaining after forced authentication requirement filtering: {}", map);
        if (map.isEmpty()) {
            LOG.info("Force authentication requested but no login handlers available to support it");
            throw new ForceAuthenticationException();
        }
    }

    protected void filterByPassiveAuthentication(Session session, LoginContext loginContext, Map<String, LoginHandler> map) throws PassiveAuthenticationException {
        LOG.debug("Passive authentication is required, filtering poassible login handlers accordingly.");
        if (session == null) {
            map.remove("urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession");
        }
        Iterator<Map.Entry<String, LoginHandler>> it = map.entrySet().iterator();
        while (it.hasNext()) {
            if (!it.next().getValue().supportsPassive()) {
                it.remove();
            }
        }
        LOG.debug("Authentication handlers remaining after passive authentication requirement filtering: {}", map);
        if (map.isEmpty()) {
            LOG.warn("Passive authentication required but no login handlers available to support it");
            throw new PassiveAuthenticationException();
        }
    }

    protected void completeAuthentication(LoginContext loginContext, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        LOG.debug("Completing user authentication process");
        Session session = (Session) httpServletRequest.getAttribute(Session.HTTP_SESSION_BINDING_ATTRIBUTE);
        try {
            String safeTrimOrNullString = DatatypeHelper.safeTrimOrNullString((String) httpServletRequest.getAttribute(LoginHandler.AUTHENTICATION_METHOD_KEY));
            if (safeTrimOrNullString == null) {
                safeTrimOrNullString = loginContext.getAttemptedAuthnMethod();
            } else if (!loginContext.getRequestedAuthenticationMethods().isEmpty() && !loginContext.getRequestedAuthenticationMethods().contains(safeTrimOrNullString)) {
                String format = MessageFormatter.format("Relying patry required an authentication method of '{}' but the login handler performed '{}'", loginContext.getRequestedAuthenticationMethods(), safeTrimOrNullString);
                LOG.error(format);
                throw new AuthenticationException(format);
            }
            validateSuccessfulAuthentication(loginContext, httpServletRequest, safeTrimOrNullString);
            Subject loginHandlerSubject = getLoginHandlerSubject(httpServletRequest);
            if (loginContext.isForceAuthRequired()) {
                validateForcedReauthentication(session, safeTrimOrNullString, loginHandlerSubject);
            }
            loginContext.setPrincipalAuthenticated(true);
            updateUserSession(loginContext, loginHandlerSubject, safeTrimOrNullString, httpServletRequest, httpServletResponse);
            LOG.debug("User {} authenticated with method {}", loginContext.getPrincipalName(), loginContext.getAuthenticationMethod());
        } catch (AuthenticationException e) {
            LOG.error("Authentication failed with the error:", e);
            loginContext.setPrincipalAuthenticated(false);
            loginContext.setAuthenticationFailure(e);
        }
        returnToProfileHandler(httpServletRequest, httpServletResponse);
    }

    protected void validateSuccessfulAuthentication(LoginContext loginContext, HttpServletRequest httpServletRequest, String str) throws AuthenticationException {
        LOG.debug("Validating authentication was performed successfully");
        if (str == null) {
            LOG.error("No authentication method reported by login handler.");
            throw new AuthenticationException("No authentication method reported by login handler.");
        }
        String safeTrimOrNullString = DatatypeHelper.safeTrimOrNullString((String) httpServletRequest.getAttribute(LoginHandler.AUTHENTICATION_ERROR_KEY));
        if (safeTrimOrNullString != null) {
            LOG.error("Error returned from login handler for authentication method {}:\n{}", loginContext.getAttemptedAuthnMethod(), safeTrimOrNullString);
            throw new AuthenticationException(safeTrimOrNullString);
        }
        AuthenticationException authenticationException = (AuthenticationException) httpServletRequest.getAttribute(LoginHandler.AUTHENTICATION_EXCEPTION_KEY);
        if (authenticationException != null) {
            throw authenticationException;
        }
        Subject subject = (Subject) httpServletRequest.getAttribute(LoginHandler.SUBJECT_KEY);
        Principal principal = (Principal) httpServletRequest.getAttribute(LoginHandler.PRINCIPAL_KEY);
        String safeTrimOrNullString2 = DatatypeHelper.safeTrimOrNullString((String) httpServletRequest.getAttribute(LoginHandler.PRINCIPAL_NAME_KEY));
        if (subject == null && principal == null && safeTrimOrNullString2 == null) {
            LOG.error("No user identified by login handler.");
            throw new AuthenticationException("No user identified by login handler.");
        }
    }

    protected Subject getLoginHandlerSubject(HttpServletRequest httpServletRequest) throws AuthenticationException {
        Subject subject = (Subject) httpServletRequest.getAttribute(LoginHandler.SUBJECT_KEY);
        Principal principal = (Principal) httpServletRequest.getAttribute(LoginHandler.PRINCIPAL_KEY);
        String safeTrimOrNullString = DatatypeHelper.safeTrimOrNullString((String) httpServletRequest.getAttribute(LoginHandler.PRINCIPAL_NAME_KEY));
        if (subject == null && (principal != null || safeTrimOrNullString != null)) {
            subject = new Subject();
            if (principal == null) {
                principal = new UsernamePrincipal(safeTrimOrNullString);
            }
            subject.getPrincipals().add(principal);
        }
        return subject;
    }

    protected void validateForcedReauthentication(Session session, String str, Subject subject) throws AuthenticationException {
        AuthenticationMethodInformation authenticationMethodInformation;
        if (session == null || (authenticationMethodInformation = session.getAuthenticationMethods().get(str)) == null) {
            return;
        }
        boolean z = false;
        Iterator<Principal> it = subject.getPrincipals().iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            } else if (authenticationMethodInformation.getAuthenticationPrincipal().equals(it.next())) {
                z = true;
                break;
            }
        }
        if (!z) {
            throw new ForceAuthenticationException("Authenticated principal does not match previously authenticated principal");
        }
    }

    protected void updateUserSession(LoginContext loginContext, Subject subject, String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Principal next = subject.getPrincipals().iterator().next();
        LOG.debug("Updating session information for principal {}", next.getName());
        Session session = (Session) httpServletRequest.getAttribute(Session.HTTP_SESSION_BINDING_ATTRIBUTE);
        if (session == null) {
            LOG.debug("Creating shibboleth session for principal {}", next.getName());
            session = (Session) this.sessionManager.createSession();
            loginContext.setSessionID(session.getSessionID());
            addSessionCookie(httpServletRequest, httpServletResponse, session);
        }
        session.setSubject(mergeSubjects(session.getSubject(), subject));
        AuthenticationMethodInformation authenticationMethodInformation = loginContext.getAuthenticationMethodInformation();
        if (authenticationMethodInformation == null || !authenticationMethodInformation.getAuthenticationMethod().equals(str)) {
            LOG.debug("Recording authentication and service information in Shibboleth session for principal: {}", next.getName());
            authenticationMethodInformation = new AuthenticationMethodInformationImpl(session.getSubject(), next, str, new DateTime(), this.handlerManager.getLoginHandlers().get(loginContext.getAttemptedAuthnMethod()).getAuthenticationDuration());
        }
        loginContext.setAuthenticationMethodInformation(authenticationMethodInformation);
        session.getAuthenticationMethods().put(authenticationMethodInformation.getAuthenticationMethod(), authenticationMethodInformation);
        this.sessionManager.indexSession(session, authenticationMethodInformation.getAuthenticationPrincipal().getName());
        ServiceInformationImpl serviceInformationImpl = new ServiceInformationImpl(loginContext.getRelyingPartyId(), new DateTime(), authenticationMethodInformation);
        session.getServicesInformation().put(serviceInformationImpl.getEntityID(), serviceInformationImpl);
    }

    protected Subject mergeSubjects(Subject subject, Subject subject2) {
        if (subject == null && subject2 == null) {
            return new Subject();
        }
        if (subject == null) {
            return subject2;
        }
        if (subject2 == null) {
            return subject;
        }
        HashSet hashSet = new HashSet(3);
        hashSet.addAll(subject.getPrincipals());
        hashSet.addAll(subject2.getPrincipals());
        HashSet hashSet2 = new HashSet(3);
        if (this.retainSubjectsPublicCredentials) {
            LOG.debug("Merging in subjects public credentials");
            hashSet2.addAll(subject.getPublicCredentials());
            hashSet2.addAll(subject2.getPublicCredentials());
        }
        HashSet hashSet3 = new HashSet(3);
        if (this.retainSubjectsPrivateCredentials) {
            LOG.debug("Merging in subjects private credentials");
            hashSet3.addAll(subject.getPrivateCredentials());
            hashSet3.addAll(subject2.getPrivateCredentials());
        }
        return new Subject(false, hashSet, hashSet2, hashSet3);
    }

    protected void addSessionCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Session session) {
        httpServletRequest.setAttribute(Session.HTTP_SESSION_BINDING_ATTRIBUTE, session);
        byte[] bytes = httpServletRequest.getRemoteAddr().getBytes();
        byte[] bytes2 = session.getSessionID().getBytes();
        String str = null;
        try {
            MessageDigest messageDigest = MessageDigest.getInstance("SHA");
            messageDigest.update(session.getSessionSecret());
            messageDigest.update(bytes);
            messageDigest.update(bytes2);
            str = Base64.encodeBytes(messageDigest.digest());
        } catch (GeneralSecurityException e) {
            LOG.error("Unable to compute signature over session cookie material", e);
        }
        LOG.debug("Adding IdP session cookie to HTTP response");
        StringBuilder sb = new StringBuilder();
        sb.append(Base64.encodeBytes(bytes, 8)).append("|");
        sb.append(Base64.encodeBytes(bytes2, 8)).append("|");
        sb.append(str);
        Cookie cookie = new Cookie("_idp_session", HTTPTransportUtils.urlEncode(sb.toString()));
        cookie.setVersion(1);
        cookie.setPath("".equals(httpServletRequest.getContextPath()) ? "/" : httpServletRequest.getContextPath());
        cookie.setSecure(httpServletRequest.isSecure());
        httpServletResponse.addCookie(cookie);
    }
}
