package com.bea.common.security.internal.service;

import com.bea.common.engine.ServiceConfigurationException;
import com.bea.common.engine.ServiceInitializationException;
import com.bea.common.engine.ServiceLifecycleSpi;
import com.bea.common.engine.Services;
import com.bea.common.logger.service.LoggerService;
import com.bea.common.logger.spi.LoggerSpi;
import com.bea.common.security.internal.utils.Delegator;
import com.bea.common.security.legacy.spi.SAMLSingleSignOnServiceConfigInfoSpi;
import com.bea.common.security.saml.registry.SAMLAssertingPartyConfig;
import com.bea.common.security.saml.registry.SAMLRelyingPartyConfig;
import com.bea.common.security.saml.service.SAMLDestinationSiteHelper;
import com.bea.common.security.saml.service.SAMLSourceSiteHelper;
import com.bea.common.security.saml.utils.SAMLProfile;
import com.bea.common.security.saml.utils.SAMLUtil;
import com.bea.common.security.service.AuditService;
import com.bea.common.security.service.CredentialMappingService;
import com.bea.common.security.service.Identity;
import com.bea.common.security.service.IdentityAssertionService;
import com.bea.common.security.service.IdentityService;
import com.bea.common.security.service.SAMLKeyService;
import com.bea.common.security.service.SAMLSingleSignOnService;
import com.bea.common.security.service.SessionService;
import com.bea.common.security.servicecfg.SAMLSingleSignOnServiceConfig;
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.servlet.FilterChain;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* loaded from: input_file:com/bea/common/security/internal/service/SAMLSingleSignOnServiceImpl.class */
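/**
 * Servlet-facing implementation of the SAML single sign-on service.
 *
 * <p>It fronts three endpoints: the ACS (assertion consumer, destination site), and the ARS
 * (assertion retrieval) and ITS (inter-site transfer) endpoints of the source site, plus the
 * redirect filter. Each entry point performs the transport-level checks (SSL, client cert,
 * authentication state, parameter validation) itself and then delegates the SAML protocol
 * work to {@link SAMLSourceSiteHelper} or {@link SAMLDestinationSiteHelper}.
 *
 * <p>All collaborators are wired in {@link #init(Object, Services)}; the instance is not
 * usable before {@code init} has returned.
 */
public class SAMLSingleSignOnServiceImpl implements ServiceLifecycleSpi, SAMLSingleSignOnService {
    private static final String BASIC_AUTH_HEADER = "Authorization";
    private static final String BASIC_AUTH_TOKEN = "Basic";
    /** Confirmation-method name for the POST (bearer) profile, compared against the partner config. */
    private static final String CONF_BEARER = "bearer";
    private static final String X509CERT_ATTRIBUTE = "javax.servlet.request.X509Certificate";
    private LoggerSpi log;
    private AuditService auditService;
    private IdentityService identityService;
    private SessionService sessionService;
    // Optional: stays null when no credential-mapping service name is configured.
    private CredentialMappingService cmService;
    // Optional: stays null when no identity-assertion service name is configured.
    private IdentityAssertionService iaService;
    private SAMLKeyService keyService;
    private SAMLSingleSignOnServiceConfigInfoSpi ssoServiceConfig;
    private SAMLSourceSiteHelper ssHelper;
    private SAMLDestinationSiteHelper dsHelper;

    /**
     * Resolves the collaborating services named in the configuration and builds the
     * source-site and destination-site helpers.
     *
     * @param obj      the service configuration; must be a {@link SAMLSingleSignOnServiceConfig}
     * @param services registry used to look up the collaborating services by name
     * @return a {@link Delegator} proxy exposing this instance as {@link SAMLSingleSignOnService}
     * @throws ServiceConfigurationException if {@code obj} is not a {@code SAMLSingleSignOnServiceConfig}
     * @throws ServiceInitializationException if a service lookup or helper construction fails
     */
    @Override // com.bea.common.engine.ServiceLifecycleSpi
    public Object init(Object obj, Services services) throws ServiceInitializationException {
        this.log = ((LoggerService) services.getService(LoggerService.SERVICE_NAME)).getLogger("SecuritySAMLService");
        boolean isDebugEnabled = this.log.isDebugEnabled();
        String methodName = getClass().getName() + ".init";
        if (isDebugEnabled) {
            this.log.debug(methodName);
        }
        // instanceof is false for null, so no separate null check is needed.
        if (!(obj instanceof SAMLSingleSignOnServiceConfig)) {
            throw new ServiceConfigurationException(ServiceLogger.getExpectedConfigurationNotSupplied(methodName, "SAMLSingleSignOnServiceConfig"));
        }
        SAMLSingleSignOnServiceConfig config = (SAMLSingleSignOnServiceConfig) obj;
        this.auditService = (AuditService) getService(config.getAuditServiceName(), services, methodName);
        this.identityService = (IdentityService) getService(config.getIdentityServiceName(), services, methodName);
        this.sessionService = (SessionService) getService(config.getSessionServiceName(), services, methodName);
        // Credential mapping and identity assertion are optional; the helpers receive null when absent.
        if (config.getCredMappingServiceName() != null) {
            this.cmService = (CredentialMappingService) getService(config.getCredMappingServiceName(), services, methodName);
        }
        if (config.getIdentityAssertionServiceName() != null) {
            this.iaService = (IdentityAssertionService) getService(config.getIdentityAssertionServiceName(), services, methodName);
        }
        this.keyService = (SAMLKeyService) getService(config.getSAMLKeyServiceName(), services, methodName);
        this.ssoServiceConfig = config.getSAMLSingleSignOnServiceConfigInfo();
        try {
            this.ssHelper = new SAMLSourceSiteHelper(this.ssoServiceConfig, this.cmService, this.log, this.keyService);
            this.dsHelper = new SAMLDestinationSiteHelper(this.ssoServiceConfig, this.iaService, this.sessionService, this.log, this.keyService);
            return Delegator.getProxy(SAMLSingleSignOnService.class, this);
        } catch (Exception e) {
            // Wrap rather than lose the cause: helper constructors may throw arbitrary exceptions.
            throw new ServiceInitializationException(e);
        }
    }

    /** No resources are held beyond references to other services, so there is nothing to release. */
    @Override // com.bea.common.engine.ServiceLifecycleSpi
    public void shutdown() {
    }

    /**
     * Looks up a service by name and logs which service was obtained.
     *
     * @param serviceName name registered in {@code services}
     * @param services    the service registry
     * @param methodName  caller description used as the log prefix
     * @return the resolved service (whatever {@code services.getService} returns)
     * @throws ServiceInitializationException propagated from the registry lookup
     */
    private Object getService(String serviceName, Services services, String methodName) throws ServiceInitializationException {
        Object service = services.getService(serviceName);
        if (this.log.isDebugEnabled()) {
            this.log.debug(methodName + " got " + services.getServiceLoggingName(serviceName));
        }
        return service;
    }

    /**
     * Reports whether the caller already has a non-anonymous identity, either on the current
     * thread or stored in the HTTP session.
     *
     * @param httpServletRequest the request whose session is consulted as a fallback
     * @return {@code true} if an authenticated (non-anonymous) identity was found
     * @throws ServletException propagated from the session/identity services
     * @throws IOException      propagated from the session/identity services
     */
    private boolean checkACSAuthentication(HttpServletRequest httpServletRequest) throws ServletException, IOException {
        Identity currentIdentity = this.identityService.getCurrentIdentity();
        if (isAuthenticated(currentIdentity)) {
            return true;
        }
        // NOTE(review): getSession() creates a session when none exists — confirm this side effect is intended.
        Identity sessionIdentity = this.sessionService.getIdentity(httpServletRequest.getSession());
        return isAuthenticated(sessionIdentity);
    }

    /** An identity counts as authenticated when it is present and not anonymous. */
    private static boolean isAuthenticated(Identity identity) {
        return identity != null && !identity.isAnonymous();
    }

    /**
     * Handles a request to the assertion consumer service (destination site).
     *
     * <p>Rejects already-authenticated callers (404), non-SSL requests when SSL is required (403)
     * and a missing/empty APID parameter (400, missing only enforced for V2 configurations).
     * Otherwise obtains the SAML assertion through the destination-site helper, logs the user in
     * and redirects to the target.
     *
     * @param httpServletRequest  incoming request
     * @param httpServletResponse response used for error status or redirect
     * @throws ServletException propagated from the helper or services
     * @throws IOException      propagated from the helper, services or {@code sendError}
     */
    @Override // com.bea.common.security.service.SAMLSingleSignOnService
    public void doACSGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        boolean isDebugEnabled = this.log.isDebugEnabled();
        if (checkACSAuthentication(httpServletRequest)) {
            if (isDebugEnabled) {
                this.log.debug("SAMLSingleSignOnService.doACSGet:  Unexpected GET for ACS service, returning NOT_FOUND");
            }
            httpServletResponse.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        if (this.ssoServiceConfig.isACSRequiresSSL() && !httpServletRequest.isSecure()) {
            if (isDebugEnabled) {
                this.log.debug("SAMLSingleSignOnService.doACSGet: ACS requires SSL, but the request is not secure");
            }
            httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String apid = httpServletRequest.getParameter(SAMLUtil.APID_PARAMETER_NAME);
        if (apid != null) {
            apid = apid.trim();
            if (apid.length() == 0) {
                if (isDebugEnabled) {
                    this.log.debug("SAMLSingleSignOnService.doACSGet: Invalid (empty) APID parameter, returning BAD_REQUEST");
                }
                httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
        }
        // Only V2 configurations require the asserting party to be identified explicitly.
        if (apid == null && this.ssoServiceConfig.isV2Config()) {
            if (isDebugEnabled) {
                this.log.debug("SAMLSingleSignOnService.doACSGet: No APID parameter, returning BAD_REQUEST");
            }
            httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        SAMLAssertingPartyConfig assertingParty = apid != null ? this.dsHelper.lookupPartner(apid) : null;
        String assertion = this.dsHelper.getAssertion(assertingParty, httpServletRequest, httpServletResponse);
        if (assertion == null) {
            // The helper is responsible for any error response in this case.
            if (isDebugEnabled) {
                this.log.debug("SAMLSingleSignOnService.doACSGet: Failed to get SAML credentials -- returning");
            }
            return;
        }
        if (this.dsHelper.doLogin(assertingParty, assertion, httpServletRequest, httpServletResponse)) {
            if (isDebugEnabled) {
                this.log.debug("SAMLSingleSignOnService.doACSGet: Login succeeded, redirecting to target");
            }
            this.dsHelper.doTargetRedirect(httpServletRequest, httpServletResponse);
        } else if (isDebugEnabled) {
            this.log.debug("SAMLSingleSignOnService.doACSGet: Login failed, returning");
        }
    }

    /**
     * Handles a POST to the assertion consumer service; identical to {@link #doACSGet}.
     *
     * @param httpServletRequest  incoming request
     * @param httpServletResponse response used for error status or redirect
     * @throws ServletException see {@link #doACSGet}
     * @throws IOException      see {@link #doACSGet}
     */
    @Override // com.bea.common.security.service.SAMLSingleSignOnService
    public void doACSPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        doACSGet(httpServletRequest, httpServletResponse);
    }

    /**
     * Handles a POST to the assertion retrieval service (source site).
     *
     * <p>Returns 404 when the source site is disabled or SSL is required but absent, 403 when
     * two-way SSL is required but no client certificate was presented, and 400 when an
     * {@code Authorization} header is present but is not of the form {@code Basic <credentials>}.
     * Otherwise dispatches to the source-site helper with the first client certificate (if any)
     * and the Basic credentials (if any).
     *
     * @param httpServletRequest  incoming request
     * @param httpServletResponse response used for error status or the assertion response
     * @throws ServletException propagated from the helper
     * @throws IOException      propagated from the helper or {@code sendError}
     */
    @Override // com.bea.common.security.service.SAMLSingleSignOnService
    public void doARSPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        boolean isDebugEnabled = this.log.isDebugEnabled();
        if (!this.ssoServiceConfig.isSourceSiteEnabled()) {
            if (isDebugEnabled) {
                this.log.debug("SAMLSingleSignOnService.doARSPost: request while Source Site not enabled, returning NOT_FOUND");
            }
            httpServletResponse.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        boolean secureChannel = httpServletRequest.isSecure();
        X509Certificate clientCert = null;
        if (secureChannel) {
            if (isDebugEnabled) {
                this.log.debug("SAMLSingleSignOnService.doARSPost: request is on a secure channel");
            }
            clientCert = firstClientCertificate(httpServletRequest, isDebugEnabled);
        } else if (isDebugEnabled) {
            this.log.debug("SAMLSingleSignOnService.doARSPost: request is not on a secure channel");
        }
        // After this block, credentials holds the Basic token value, or null when no header was sent.
        String credentials = httpServletRequest.getHeader(BASIC_AUTH_HEADER);
        if (credentials != null) {
            String[] parts = credentials.split("\\s");
            // NOTE(review): the scheme match is case-sensitive although HTTP auth schemes are
            // case-insensitive (RFC 7235) — confirm whether this strictness is intended.
            if (parts.length != 2 || !parts[0].equals(BASIC_AUTH_TOKEN)) {
                if (isDebugEnabled) {
                    // The header value carries credentials, so only its shape is logged, never its content.
                    this.log.debug("SAMLSingleSignOnService.doARSPost: Invalid Authorization header (" + parts.length + " token(s), expected '" + BASIC_AUTH_TOKEN + " <credentials>') found in ARS request, returning BAD_REQUEST");
                }
                httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
            credentials = parts[1];
        }
        if (this.ssoServiceConfig.isARSRequiresSSL() && !secureChannel) {
            if (isDebugEnabled) {
                this.log.debug("SAMLSingleSignOnService.doARSPost: Non-secure ARS request but SSL required, returning NOT_FOUND");
            }
            httpServletResponse.sendError(HttpServletResponse.SC_NOT_FOUND);
        } else if (this.ssoServiceConfig.isARSRequiresTwoWaySSL() && clientCert == null) {
            if (isDebugEnabled) {
                this.log.debug("SAMLSingleSignOnService.doARSPost: No client certificate for ARS request but two-way SSL required, returning FORBIDDEN");
            }
            httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
        } else {
            if (isDebugEnabled) {
                this.log.debug("SAMLSingleSignOnService.doARSPost: Dispatching assertion request");
            }
            this.ssHelper.dispatchAssertionRequest(httpServletRequest, httpServletResponse, clientCert, credentials);
        }
    }

    /**
     * Extracts the first certificate of the client certificate chain the container attached to
     * the request, logging the chain at debug level.
     *
     * @param httpServletRequest request carrying the {@value #X509CERT_ATTRIBUTE} attribute
     * @param isDebugEnabled     pre-computed debug flag
     * @return the first chain element, or {@code null} when the attribute is missing, empty or
     *         not an {@code X509Certificate[]}
     */
    private X509Certificate firstClientCertificate(HttpServletRequest httpServletRequest, boolean isDebugEnabled) {
        Object attribute = httpServletRequest.getAttribute(X509CERT_ATTRIBUTE);
        // Type-check instead of a blind cast so an unexpected attribute type is treated as "no cert".
        X509Certificate[] chain = attribute instanceof X509Certificate[] ? (X509Certificate[]) attribute : null;
        if (chain == null || chain.length == 0) {
            if (isDebugEnabled) {
                this.log.debug("SAMLSingleSignOnService.doARSPost: request: client cert chain not found");
            }
            return null;
        }
        if (isDebugEnabled) {
            this.log.debug("SAMLSingleSignOnService.doARSPost: request: client cert chain found");
            for (int i = 0; i < chain.length && chain[i] != null; i++) {
                this.log.debug("SAMLSingleSignOnService.doARSPost: cert[" + i + "] subject DN: " + chain[i].getSubjectX500Principal().getName());
                this.log.debug("SAMLSingleSignOnService.doARSPost: cert[" + i + "] issuer DN: " + chain[i].getIssuerX500Principal().getName());
            }
        }
        return chain[0];
    }

    /**
     * Handles a GET to the inter-site transfer service (source site).
     *
     * <p>Returns 404 when the source site is disabled, 403 for non-SSL requests when SSL is
     * required, for unauthenticated callers, for unknown partners and for unsupported
     * confirmation methods, and 400 for a bad/missing RPID or TARGET parameter or a request on
     * the wrong URI for the partner's profile. Otherwise dispatches a POST-profile or
     * artifact-profile request through the source-site helper.
     *
     * @param httpServletRequest  incoming request
     * @param httpServletResponse response used for error status or the profile response
     * @param servletContext      passed through to the POST-profile dispatch
     * @throws ServletException propagated from the helper or services
     * @throws IOException      propagated from the helper, services or {@code sendError}
     */
    @Override // com.bea.common.security.service.SAMLSingleSignOnService
    public void doITSGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, ServletContext servletContext) throws ServletException, IOException {
        boolean isDebugEnabled = this.log.isDebugEnabled();
        String requestURI = httpServletRequest.getRequestURI();
        if (isDebugEnabled) {
            this.log.debug("SAMLSingleSignOnService.doITSGet: Request URI is '" + requestURI + "'");
        }
        // Context-relative part of the URI, used to match the partner's configured profile URI.
        String servletURI = requestURI.substring(httpServletRequest.getContextPath().length());
        if (isDebugEnabled) {
            this.log.debug("SAMLSingleSignOnService.doITSGet: Servlet URI is '" + servletURI + "'");
        }
        if (!this.ssoServiceConfig.isSourceSiteEnabled()) {
            if (isDebugEnabled) {
                this.log.debug("SAMLSingleSignOnService.doITSGet: request while Source Site not enabled, returning NOT_FOUND");
            }
            httpServletResponse.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        if (this.ssoServiceConfig.isITSRequiresSSL() && !httpServletRequest.isSecure()) {
            if (isDebugEnabled) {
                this.log.debug("SAMLSingleSignOnService.doITSGet: Non-secure ITS request but SSL required, returning FORBIDDEN");
            }
            httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        Identity currentIdentity = this.identityService.getCurrentIdentity();
        if (currentIdentity == null) {
            // NOTE(review): getSession() creates a session when none exists — confirm this side effect is intended.
            currentIdentity = this.sessionService.getIdentity(httpServletRequest.getSession());
        }
        if (!isAuthenticated(currentIdentity)) {
            if (isDebugEnabled) {
                this.log.debug("SAMLSingleSignOnService.doITSGet: Attempt to access ITS by unauthenticated user");
            }
            httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String rpid = httpServletRequest.getParameter(SAMLUtil.RPID_PARAMETER_NAME);
        if (rpid != null) {
            // Assign the trimmed value: the original discarded it, so a whitespace-only RPID slipped past the empty check.
            rpid = rpid.trim();
            if (rpid.length() == 0) {
                if (isDebugEnabled) {
                    this.log.debug("SAMLSingleSignOnService.doITSGet: Invalid (empty) RPID parameter, returning BAD_REQUEST");
                }
                httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
        }
        // Only V2 configurations require the relying party to be identified explicitly.
        if (rpid == null && this.ssoServiceConfig.isV2Config()) {
            if (isDebugEnabled) {
                this.log.debug("SAMLSingleSignOnService.doITSGet: No RPID parameter, returning BAD_REQUEST");
            }
            httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        String rawTarget = httpServletRequest.getParameter(SAMLUtil.TARGET_PARAMETER_NAME);
        String targetURL = SAMLUtil.normalizeURL(rawTarget);
        if (targetURL == null) {
            if (isDebugEnabled) {
                this.log.debug("SAMLSingleSignOnService.doITSGet: " + (rawTarget == null ? "No TARGET parameter" : "Invalid TARGET parameter '" + rawTarget + "'"));
            }
            httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        SAMLRelyingPartyConfig relyingParty = this.ssHelper.lookupPartner(rpid, targetURL, servletURI);
        if (relyingParty == null) {
            if (isDebugEnabled) {
                this.log.debug("SAMLSingleSignOnService.doITSGet: Partner not found, returning FORBIDDEN");
            }
            httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Non-null result names the profile whose URI the request arrived on instead of the partner's.
        String wrongProfileURI = this.ssHelper.validateRequestURI(relyingParty, servletURI);
        if (wrongProfileURI != null) {
            if (isDebugEnabled) {
                this.log.debug("SAMLSingleSignOnService.doITSGet: " + relyingParty.getProfile() + " request received on " + wrongProfileURI + " URI '" + servletURI + "', returning BAD_REQUEST");
            }
            httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        String confMethod = relyingParty.getProfileConfMethodName();
        if (CONF_BEARER.equals(confMethod)) {
            if (isDebugEnabled) {
                this.log.debug("SAMLSingleSignOnService.doITSGet: Dispatching POST request");
            }
            this.ssHelper.dispatchPOSTRequest(relyingParty, currentIdentity, targetURL, httpServletRequest, httpServletResponse, servletContext);
        } else if (SAMLProfile.CONF_ARTIFACT.equals(confMethod)) {
            if (isDebugEnabled) {
                this.log.debug("SAMLSingleSignOnService.doITSGet: Dispatching Artifact request");
            }
            this.ssHelper.dispatchArtifactRequest(relyingParty, currentIdentity, targetURL, httpServletRequest, httpServletResponse);
        } else {
            if (isDebugEnabled) {
                this.log.debug("SAMLSingleSignOnService.doITSGet: Unsupported confirmation method '" + confMethod + "' for relying party '" + relyingParty.getPartnerId() + "', returning FORBIDDEN");
            }
            httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    /**
     * Filter entry point: lets the destination-site helper redirect requests that arrive on the
     * consumer or redirect URL, and passes every other request down the filter chain.
     *
     * @param servletRequest  incoming request (non-HTTP requests are passed through untouched)
     * @param servletResponse response, possibly used for the redirect
     * @param filterChain     next filter; may be null, in which case the request is not forwarded
     * @throws IOException      propagated from the helper or the chain
     * @throws ServletException propagated from the helper or the chain
     */
    @Override // com.bea.common.security.service.SAMLSingleSignOnService
    public void doRedirectFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (!(servletRequest instanceof HttpServletRequest) || !(servletResponse instanceof HttpServletResponse)) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("SAMLSingleSignOnService.doRedirectFilter: Ignoring non-HTTP servlet request");
            }
            callChain(servletRequest, servletResponse, filterChain);
            return;
        }
        // A true result means the helper has already written the redirect response.
        if (this.dsHelper.doSourceSiteRedirect((HttpServletRequest) servletRequest, (HttpServletResponse) servletResponse)) {
            return;
        }
        if (this.log.isDebugEnabled()) {
            this.log.debug("SAMLSingleSignOnService.doRedirectFilter: Ignoring request not on consumer URL or redirect URL");
        }
        callChain(servletRequest, servletResponse, filterChain);
    }

    /**
     * Forwards the request to the next filter, or logs and drops it when there is no chain.
     *
     * @param servletRequest  request to forward
     * @param servletResponse response to forward
     * @param filterChain     next filter, or null
     * @throws IOException      propagated from {@code doFilter}
     * @throws ServletException propagated from {@code doFilter}
     */
    private void callChain(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        boolean isDebugEnabled = this.log.isDebugEnabled();
        if (filterChain == null) {
            if (isDebugEnabled) {
                this.log.debug("SAMLSingleSignOnService no filter chain");
            }
            return;
        }
        if (isDebugEnabled) {
            this.log.debug("SAMLSingleSignOnService passing to next filter in the chain");
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Debug aid that logs every request parameter. Not referenced anywhere in this class.
     *
     * <p>Parameter values are written verbatim, so enabling debug logging on a deployment
     * that calls this exposes whatever the SAML endpoints receive (targets, artifacts,
     * responses) in the log.
     *
     * @param httpServletRequest request whose parameter map is logged
     */
    private void dumpRequest(HttpServletRequest httpServletRequest) {
        if (this.log == null || !this.log.isDebugEnabled()) {
            return;
        }
        // The servlet API maps each parameter name to all of its values.
        Map<String, String[]> parameterMap = httpServletRequest.getParameterMap();
        if (parameterMap == null) {
            this.log.debug("Request parameter map is null");
            return;
        }
        for (Map.Entry<String, String[]> entry : parameterMap.entrySet()) {
            String[] values = entry.getValue();
            // Original cast the String[] value to String, which always throws ClassCastException.
            String joined = values == null ? "null" : String.join(",", values);
            this.log.debug("Outputting param: " + entry.getKey() + "=" + joined);
        }
    }
}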
