package edu.internet2.middleware.shibboleth.idp.profile.saml1;

import edu.internet2.middleware.shibboleth.common.profile.ProfileException;
import edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext;
import edu.internet2.middleware.shibboleth.common.relyingparty.RelyingPartyConfiguration;
import edu.internet2.middleware.shibboleth.common.relyingparty.provider.saml1.ShibbolethSSOConfiguration;
import edu.internet2.middleware.shibboleth.common.util.HttpHelper;
import edu.internet2.middleware.shibboleth.idp.authn.LoginContext;
import edu.internet2.middleware.shibboleth.idp.authn.ShibbolethSSOLoginContext;
import edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper;
import java.io.IOException;
import java.util.ArrayList;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.SAMLObjectBuilder;
import org.opensaml.common.binding.decoding.SAMLMessageDecoder;
import org.opensaml.saml1.core.AttributeStatement;
import org.opensaml.saml1.core.AuthenticationStatement;
import org.opensaml.saml1.core.Request;
import org.opensaml.saml1.core.Response;
import org.opensaml.saml1.core.StatusCode;
import org.opensaml.saml1.core.SubjectLocality;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.Endpoint;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.ws.transport.http.HTTPInTransport;
import org.opensaml.ws.transport.http.HTTPOutTransport;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.util.DatatypeHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:edu/internet2/middleware/shibboleth/idp/profile/saml1/ShibbolethSSOProfileHandler.class */
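/**
 * Profile handler for the Shibboleth SAML 1 SSO profile.
 *
 * <p>A request passes through this handler twice: the first leg decodes the SP request, binds a
 * {@link ShibbolethSSOLoginContext} to the session and redirects to the authentication engine; the
 * second leg (after the engine redirects back) turns the login context into a SAML 1 response,
 * or into an error response when authentication failed.
 *
 * <p>Note: this listing was recovered from decompiler output; comments marked "NOTE(review)" flag
 * points that should be confirmed against the original source.
 */
public class ShibbolethSSOProfileHandler extends AbstractSAML1ProfileHandler {

    /** Identifier of this profile, also used as the relying-party profile configuration key. */
    private static final String PROFILE_ID = "urn:mace:shibboleth:2.0:profiles:saml1:sso";

    /** Protocol identifier recorded for the inbound (Shibboleth 1.x) request. */
    private static final String INBOUND_PROTOCOL = "urn:mace:shibboleth:1.0";

    /** Protocol identifier recorded for the outbound SAML 1.1 response. */
    private static final String SAML11_PROTOCOL = "urn:oasis:names:tc:SAML:1.1:protocol";

    /** SAML 1 bearer subject confirmation method. */
    private static final String BEARER_CONFIRMATION = "urn:oasis:names:tc:SAML:1.0:cm:bearer";

    /** SAML 1 artifact subject confirmation method. */
    private static final String ARTIFACT_CONFIRMATION = "urn:oasis:names:tc:SAML:1.0:cm:artifact";

    /** SAML 1 artifact profile binding URI. */
    private static final String ARTIFACT_BINDING = "urn:oasis:names:tc:SAML:1.0:profiles:artifact-01";

    /** Relying party ID the configuration uses for unregistered (anonymous) service providers. */
    private static final String ANONYMOUS_RP_ID = "anonymous";

    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(ShibbolethSSOProfileHandler.class);

    /** Builder for SAML 1 AuthenticationStatement elements. */
    private final SAMLObjectBuilder<AuthenticationStatement> authnStatementBuilder;

    /** Builder for SAML 1 SubjectLocality elements. */
    private final SAMLObjectBuilder<SubjectLocality> subjectLocalityBuilder;

    /** Builder for AssertionConsumerService endpoints synthesized for anonymous relying parties. */
    private final SAMLObjectBuilder<Endpoint> endpointBuilder;

    /** Context-relative path of the authentication engine, always starting with '/'. */
    private final String authenticationManagerPath;

    /**
     * Request context for the Shibboleth SSO profile. Carries the SP-supplied assertion consumer
     * service URL and the login context shared between the two legs of the exchange.
     */
    public class ShibbolethSSORequestContext extends
            BaseSAML1ProfileRequestContext<Request, Response, ShibbolethSSOConfiguration> {

        /** Assertion consumer service URL as supplied by the SP in its request. */
        private String spAssertionConsumerService;

        /** Login context for the current request. */
        private ShibbolethSSOLoginContext loginContext;

        /** @return the login context for the current request, may be null */
        public ShibbolethSSOLoginContext getLoginContext() {
            return loginContext;
        }

        /** @param context the login context for the current request */
        public void setLoginContext(ShibbolethSSOLoginContext context) {
            loginContext = context;
        }

        /** @return the SP-supplied assertion consumer service URL, may be null */
        public String getSpAssertionConsumerService() {
            return spAssertionConsumerService;
        }

        /** @param acsUrl the SP-supplied assertion consumer service URL */
        public void setSpAssertionConsumerService(String acsUrl) {
            spAssertionConsumerService = acsUrl;
        }
    }

    /**
     * Constructor.
     *
     * @param authnManagerPath context-relative path of the authentication manager; a leading '/' is
     *            added when missing
     * @throws IllegalArgumentException if the path is null or empty
     */
    @SuppressWarnings("unchecked")
    public ShibbolethSSOProfileHandler(String authnManagerPath) {
        if (DatatypeHelper.isEmpty(authnManagerPath)) {
            throw new IllegalArgumentException("Authentication manager path may not be null or empty");
        }
        // Normalize to a context-relative path so later URL construction does not have to.
        if (authnManagerPath.startsWith("/")) {
            authenticationManagerPath = authnManagerPath;
        } else {
            authenticationManagerPath = "/" + authnManagerPath;
        }

        authnStatementBuilder = (SAMLObjectBuilder<AuthenticationStatement>) getBuilderFactory().getBuilder(
                AuthenticationStatement.DEFAULT_ELEMENT_NAME);
        subjectLocalityBuilder = (SAMLObjectBuilder<SubjectLocality>) getBuilderFactory().getBuilder(
                SubjectLocality.DEFAULT_ELEMENT_NAME);
        endpointBuilder = (SAMLObjectBuilder<Endpoint>) getBuilderFactory().getBuilder(
                AssertionConsumerService.DEFAULT_ELEMENT_NAME);
    }

    /** {@inheritDoc} */
    public String getProfileId() {
        return PROFILE_ID;
    }

    /**
     * Dispatches the request to the first leg (authentication) or the second leg (response
     * generation) depending on the login context bound to the session.
     *
     * @param inTransport inbound transport; must wrap an HttpServletRequest
     * @param outTransport outbound transport; must wrap an HttpServletResponse
     * @throws ProfileException if either leg fails
     */
    public void processRequest(HTTPInTransport inTransport, HTTPOutTransport outTransport) throws ProfileException {
        HttpServletRequest httpRequest = ((HttpServletRequestAdapter) inTransport).getWrappedRequest();
        HttpServletResponse httpResponse = ((HttpServletResponseAdapter) outTransport).getWrappedResponse();
        ServletContext servletContext = httpRequest.getSession().getServletContext();

        LoginContext loginContext = HttpServletHelper.getLoginContext(getStorageService(), servletContext, httpRequest);
        if (loginContext == null) {
            log.debug("Incoming request does not contain a login context, processing as first leg of request");
            performAuthentication(inTransport, outTransport);
            return;
        }

        // The bound login context is consumed by this request before it is acted upon
        // (presumably so the same authentication result cannot be picked up twice).
        HttpServletHelper.unbindLoginContext(getStorageService(), servletContext, httpRequest, httpResponse);

        if (!(loginContext instanceof ShibbolethSSOLoginContext)) {
            log.debug("Incoming request contained a login context but it was not a ShibbolethSSOLoginContext, processing as first leg of request");
            performAuthentication(inTransport, outTransport);
            return;
        }

        ShibbolethSSOLoginContext ssoLoginContext = (ShibbolethSSOLoginContext) loginContext;
        if (ssoLoginContext.isPrincipalAuthenticated()) {
            log.debug("Incoming request contains a login context and indicates principal was authenticated, processing second leg of request");
            completeAuthenticationRequest(ssoLoginContext, inTransport, outTransport);
        } else if (ssoLoginContext.getAuthenticationFailure() != null) {
            log.debug("Incoming request contains a login context and indicates there was an error authenticating the principal, processing second leg of request");
            completeAuthenticationRequest(ssoLoginContext, inTransport, outTransport);
        } else {
            log.debug("Incoming request contains a login context but principal was not authenticated, processing first leg of request");
            performAuthentication(inTransport, outTransport);
        }
    }

    /**
     * First leg: decodes the SP request, binds a login context to the session and redirects the
     * user agent to the authentication engine.
     *
     * @param inTransport inbound transport; must wrap an HttpServletRequest
     * @param outTransport outbound transport; must wrap an HttpServletResponse
     * @throws ProfileException if the request cannot be decoded, the profile is not configured for
     *             the relying party, or the redirect cannot be sent
     */
    protected void performAuthentication(HTTPInTransport inTransport, HTTPOutTransport outTransport)
            throws ProfileException {
        HttpServletRequest httpRequest = ((HttpServletRequestAdapter) inTransport).getWrappedRequest();
        HttpServletResponse httpResponse = ((HttpServletResponseAdapter) outTransport).getWrappedResponse();

        ShibbolethSSORequestContext requestContext = new ShibbolethSSORequestContext();
        decodeRequest(requestContext, inTransport, outTransport);

        ShibbolethSSOLoginContext loginContext = requestContext.getLoginContext();
        RelyingPartyConfiguration rpConfig = getRelyingPartyConfiguration(loginContext.getRelyingPartyId());
        loginContext.setDefaultAuthenticationMethod(rpConfig.getDefaultAuthenticationMethod());

        if (rpConfig.getProfileConfiguration(PROFILE_ID) == null) {
            requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER, StatusCode.REQUEST_DENIED,
                    "Shibboleth SSO profile is not configured"));
            String msg = "Shibboleth SSO profile is not configured for relying party "
                    + loginContext.getRelyingPartyId();
            log.warn(msg);
            throw new ProfileException(msg);
        }

        HttpServletHelper.bindLoginContext(loginContext, getStorageService(),
                httpRequest.getSession().getServletContext(), httpRequest, httpResponse);

        try {
            String authnEngineUrl = HttpServletHelper.getContextRelativeUrl(httpRequest, authenticationManagerPath)
                    .buildURL();
            log.debug("Redirecting user to authentication engine at {}", authnEngineUrl);
            httpResponse.sendRedirect(authnEngineUrl);
        } catch (IOException e) {
            requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER, StatusCode.REQUEST_DENIED,
                    "Unable to perform user authentication"));
            log.error("Error forwarding Shibboleth SSO request to AuthenticationManager", e);
            throw new ProfileException("Error forwarding Shibboleth SSO request to AuthenticationManager", e);
        }
    }

    /**
     * Decodes the inbound SP request into the given context and builds the login context that
     * carries the SP's identity, ACS URL and target through the authentication engine.
     *
     * @param requestContext context to populate
     * @param inTransport inbound transport; must wrap an HttpServletRequest
     * @param outTransport outbound transport
     * @throws ProfileException if the message fails security policy or cannot be decoded
     */
    protected void decodeRequest(ShibbolethSSORequestContext requestContext, HTTPInTransport inTransport,
            HTTPOutTransport outTransport) throws ProfileException {
        HttpServletRequest httpRequest = ((HttpServletRequestAdapter) inTransport).getWrappedRequest();

        requestContext.setCommunicationProfileId(getProfileId());
        requestContext.setMetadataProvider(getMetadataProvider());
        requestContext.setSecurityPolicyResolver(getSecurityPolicyResolver());
        requestContext.setInboundMessageTransport(inTransport);
        requestContext.setInboundSAMLProtocol(INBOUND_PROTOCOL);
        requestContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
        requestContext.setOutboundMessageTransport(outTransport);
        requestContext.setOutboundSAMLProtocol(SAML11_PROTOCOL);

        SAMLMessageDecoder decoder = getInboundMessageDecoder(requestContext);
        requestContext.setMessageDecoder(decoder);
        if (log.isDebugEnabled()) {
            log.debug("Decoding message with decoder binding {}", decoder.getBindingURI());
        }

        try {
            decoder.decode(requestContext);
            log.debug("Decoded Shibboleth SSO request from relying party '{}'", requestContext.getInboundMessageIssuer());

            // Everything placed in the login context originates from the (unauthenticated) SP
            // request; it is validated against metadata when the endpoint is selected on the
            // second leg, except for anonymous relying parties (see selectEndpoint).
            ShibbolethSSOLoginContext loginContext = new ShibbolethSSOLoginContext();
            loginContext.setRelyingParty(requestContext.getInboundMessageIssuer());
            loginContext.setSpAssertionConsumerService(requestContext.getSpAssertionConsumerService());
            loginContext.setSpTarget(requestContext.getRelayState());
            loginContext.setAuthenticationEngineURL(authenticationManagerPath);
            loginContext.setProfileHandlerURL(HttpHelper.getRequestUriWithoutContext(httpRequest));
            requestContext.setLoginContext(loginContext);
        } catch (SecurityException e) {
            requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER, StatusCode.REQUEST_DENIED,
                    "Request does not meet security requirements"));
            String msg = "Shibboleth SSO request does not meet security requirements: " + e.getMessage();
            log.warn(msg);
            throw new ProfileException(msg, e);
        } catch (MessageDecodingException e) {
            requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER, StatusCode.REQUEST_DENIED,
                    "Error decoding request"));
            log.warn("Error decoding Shibboleth SSO request", e);
            throw new ProfileException("Error decoding Shibboleth SSO request", e);
        }
    }

    /**
     * Second leg: builds and encodes the SAML 1 response for an authenticated principal, or an
     * error response when authentication failed or response construction failed.
     *
     * <p>The decompiled form of this method had an empty {@code try} with an unreachable
     * {@code catch}; it is reconstructed here so that a ProfileException raised while building the
     * response yields an error response (carrying the failure status set beforehand) instead of
     * propagating. NOTE(review): confirm the reconstructed try scope against the original source.
     *
     * @param loginContext login context returned by the authentication engine
     * @param inTransport inbound transport
     * @param outTransport outbound transport
     * @throws ProfileException if the request context cannot be built or the response cannot be
     *             encoded
     */
    protected void completeAuthenticationRequest(ShibbolethSSOLoginContext loginContext, HTTPInTransport inTransport,
            HTTPOutTransport outTransport) throws ProfileException {
        ShibbolethSSORequestContext requestContext = buildRequestContext(loginContext, inTransport, outTransport);

        Response samlResponse;
        try {
            if (loginContext.getAuthenticationFailure() != null) {
                // Record the failure before it is turned into an error response so it is not lost.
                log.warn("User authentication failed for relying party " + loginContext.getRelyingPartyId(),
                        loginContext.getAuthenticationFailure());
                requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER, null, "User failed authentication"));
                throw new ProfileException("Authentication failure", loginContext.getAuthenticationFailure());
            }

            resolveAttributes(requestContext);

            // Raw list kept deliberately: the statement element type is a project type that this
            // file does not import.
            ArrayList statements = new ArrayList();
            statements.add(buildAuthenticationStatement(requestContext));

            if (requestContext.getProfileConfiguration().includeAttributeStatement()) {
                AttributeStatement attributeStatement = buildAttributeStatement(requestContext, BEARER_CONFIRMATION);
                if (attributeStatement != null) {
                    requestContext.setReleasedAttributes(requestContext.getAttributes().keySet());
                    statements.add(attributeStatement);
                }
            }

            samlResponse = buildResponse(requestContext, statements);
        } catch (ProfileException e) {
            log.debug("Error processing Shibboleth SSO request, returning error response", e);
            samlResponse = buildErrorResponse(requestContext);
        }

        requestContext.setOutboundSAMLMessage(samlResponse);
        requestContext.setOutboundSAMLMessageId(samlResponse.getID());
        requestContext.setOutboundSAMLMessageIssueInstant(samlResponse.getIssueInstant());

        encodeResponse(requestContext);
        writeAuditLogEntry(requestContext);
    }

    /**
     * Builds the request context for the second leg from the login context.
     *
     * @param loginContext login context returned by the authentication engine
     * @param inTransport inbound transport
     * @param outTransport outbound transport
     * @return the populated request context
     * @throws ProfileException if relying party information cannot be populated
     */
    protected ShibbolethSSORequestContext buildRequestContext(ShibbolethSSOLoginContext loginContext,
            HTTPInTransport inTransport, HTTPOutTransport outTransport) throws ProfileException {
        ShibbolethSSORequestContext requestContext = new ShibbolethSSORequestContext();
        requestContext.setCommunicationProfileId(getProfileId());
        requestContext.setMessageDecoder(getInboundMessageDecoder(requestContext));
        requestContext.setLoginContext(loginContext);
        requestContext.setRelayState(loginContext.getSpTarget());
        requestContext.setInboundMessageTransport(inTransport);
        requestContext.setInboundSAMLProtocol(INBOUND_PROTOCOL);
        requestContext.setOutboundMessageTransport(outTransport);
        requestContext.setOutboundSAMLProtocol(SAML11_PROTOCOL);
        requestContext.setMetadataProvider(getMetadataProvider());

        // On the second leg the peer is identified from the login context, not from a message.
        String relyingPartyId = loginContext.getRelyingPartyId();
        requestContext.setPeerEntityId(relyingPartyId);
        requestContext.setInboundMessageIssuer(relyingPartyId);

        populateRequestContext(requestContext);
        return requestContext;
    }

    /**
     * Populates relying party information, selecting the SP role metadata for SAML 1.1.
     *
     * <p>Kept {@code public} as in the listing; the decompiler notes the original was
     * {@code protected}.
     *
     * @param requestContext request context to populate
     * @throws ProfileException if relying party information cannot be resolved
     */
    @Override // edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler
    public void populateRelyingPartyInformation(BaseSAMLProfileRequestContext requestContext) throws ProfileException {
        super.populateRelyingPartyInformation(requestContext);

        EntityDescriptor peerMetadata = requestContext.getPeerEntityMetadata();
        if (peerMetadata != null) {
            requestContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
            requestContext.setPeerEntityRoleMetadata(peerMetadata.getSPSSODescriptor(SAML11_PROTOCOL));
        }
    }

    /**
     * Populates asserting party information, selecting this IdP's IDPSSODescriptor.
     *
     * <p>Kept {@code public} as in the listing; the decompiler notes the original was
     * {@code protected}.
     *
     * @param requestContext request context to populate
     * @throws ProfileException if asserting party information cannot be resolved
     */
    @Override // edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler
    public void populateAssertingPartyInformation(BaseSAMLProfileRequestContext requestContext)
            throws ProfileException {
        super.populateAssertingPartyInformation(requestContext);

        EntityDescriptor localMetadata = requestContext.getLocalEntityMetadata();
        if (localMetadata != null) {
            requestContext.setLocalEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
            // NOTE(review): the SAML 2.0 protocol URI is used here while the peer role above is
            // looked up for SAML 1.1; preserved as found, confirm against the original source.
            requestContext.setLocalEntityRoleMetadata(localMetadata
                    .getIDPSSODescriptor("urn:oasis:names:tc:SAML:2.0:protocol"));
        }
    }

    /**
     * No-op: there is no inbound SAML message to draw information from on the second leg.
     *
     * @param requestContext request context, unused
     * @throws ProfileException never
     */
    @Override // edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler
    protected void populateSAMLMessageInformation(BaseSAMLProfileRequestContext requestContext)
            throws ProfileException {
    }

    /**
     * Selects the assertion consumer service endpoint the response is sent to.
     *
     * <p>For a registered relying party the SP-supplied ACS URL is checked against metadata by
     * {@link ShibbolethSSOEndpointSelector}. For the anonymous relying party no metadata exists,
     * so an endpoint is synthesized directly from the URL the SP sent in its request; this is the
     * only path on which the response destination is not validated.
     *
     * @param requestContext request context; must be a {@link ShibbolethSSORequestContext}
     * @return the selected endpoint, or null if none could be determined
     */
    @Override // edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler
    protected Endpoint selectEndpoint(BaseSAMLProfileRequestContext requestContext) {
        ShibbolethSSOLoginContext loginContext = ((ShibbolethSSORequestContext) requestContext).getLoginContext();
        String relyingPartyId = requestContext.getRelyingPartyConfiguration().getRelyingPartyId();

        // Compare by value: the decompiled listing used reference identity against the literal.
        if (!ANONYMOUS_RP_ID.equals(relyingPartyId)) {
            ShibbolethSSOEndpointSelector selector = new ShibbolethSSOEndpointSelector();
            selector.setSpAssertionConsumerService(loginContext.getSpAssertionConsumerService());
            selector.setEndpointType(AssertionConsumerService.DEFAULT_ELEMENT_NAME);
            selector.setMetadataProvider(getMetadataProvider());
            selector.setEntityMetadata(requestContext.getPeerEntityMetadata());
            selector.setEntityRoleMetadata(requestContext.getPeerEntityRoleMetadata());
            selector.setSamlRequest(requestContext.getInboundSAMLMessage());
            selector.getSupportedIssuerBindings().addAll(getSupportedOutboundBindings());
            return selector.selectEndpoint();
        }

        if (loginContext.getSpAssertionConsumerService() == null) {
            log.warn("Unable to generate endpoint for anonymous party.  No ACS url provided.");
            return null;
        }
        if (getSupportedOutboundBindings().isEmpty()) {
            log.warn("Unable to generate endpoint for anonymous party.  No supported outbound bindings configured.");
            return null;
        }

        Endpoint endpoint = endpointBuilder.buildObject();
        endpoint.setLocation(loginContext.getSpAssertionConsumerService());
        endpoint.setBinding(getSupportedOutboundBindings().get(0));
        // Three placeholders for three arguments; the original message dropped the binding.
        log.warn("Generating endpoint for anonymous relying party {}. ACS url {} and binding {}", new Object[] {
                requestContext.getInboundMessageIssuer(), endpoint.getLocation(), endpoint.getBinding()});
        return endpoint;
    }

    /**
     * Builds the authentication statement for the response. The subject confirmation method
     * follows the selected endpoint's binding: artifact for the artifact profile, bearer otherwise.
     *
     * @param requestContext request context with a populated login context
     * @return the authentication statement
     * @throws ProfileException if no endpoint could be selected or the subject cannot be built
     */
    protected AuthenticationStatement buildAuthenticationStatement(ShibbolethSSORequestContext requestContext)
            throws ProfileException {
        ShibbolethSSOLoginContext loginContext = requestContext.getLoginContext();

        AuthenticationStatement statement = authnStatementBuilder.buildObject();
        statement.setAuthenticationInstant(loginContext.getAuthenticationInstant());
        statement.setAuthenticationMethod(loginContext.getAuthenticationMethod());
        statement.setSubjectLocality(buildSubjectLocality(requestContext));

        // selectEndpoint may return null; without this guard that was a NullPointerException.
        Endpoint endpoint = selectEndpoint(requestContext);
        if (endpoint == null) {
            requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER, StatusCode.REQUEST_DENIED,
                    "No assertion consumer service endpoint available"));
            String msg = "No assertion consumer service endpoint could be selected for relying party "
                    + loginContext.getRelyingPartyId();
            log.warn(msg);
            throw new ProfileException(msg);
        }

        String confirmationMethod = ARTIFACT_BINDING.equals(endpoint.getBinding()) ? ARTIFACT_CONFIRMATION
                : BEARER_CONFIRMATION;
        statement.setSubject(buildSubject(requestContext, confirmationMethod));
        return statement;
    }

    /**
     * Builds the subject locality from the peer address of the inbound transport.
     *
     * @param requestContext request context with an inbound transport
     * @return the subject locality carrying the peer IP address
     */
    protected SubjectLocality buildSubjectLocality(ShibbolethSSORequestContext requestContext) {
        SubjectLocality locality = subjectLocalityBuilder.buildObject();
        locality.setIPAddress(requestContext.getInboundMessageTransport().getPeerAddress());
        return locality;
    }
}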
