package com.bea.security.saml2.service.ars;

import com.bea.security.saml2.Saml2Logger;
import com.bea.security.saml2.artifact.ArtifactDataObject;
import com.bea.security.saml2.artifact.SAML2ArtifactException;
import com.bea.security.saml2.binding.BindingHandlerException;
import com.bea.security.saml2.binding.BindingReceiver;
import com.bea.security.saml2.binding.BindingSender;
import com.bea.security.saml2.config.SAML2ConfigSpi;
import com.bea.security.saml2.providers.registry.WebSSOPartner;
import com.bea.security.saml2.registry.PartnerManagerException;
import com.bea.security.saml2.service.AbstractService;
import com.bea.security.saml2.service.SAML2DetailedException;
import com.bea.security.saml2.service.SAML2Exception;
import com.bea.security.saml2.util.SAML2Constants;
import com.bea.security.saml2.util.SAML2Utils;
import com.bea.security.saml2.util.SAMLObjectBuilder;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.KeyException;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.opensaml.common.SAMLObject;
import org.opensaml.saml2.core.ArtifactResolve;
import org.opensaml.saml2.core.ArtifactResponse;
import org.opensaml.saml2.core.Status;
import org.opensaml.saml2.core.StatusDetail;
import org.opensaml.saml2.core.StatusMessage;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.validation.ValidationException;
import weblogic.xml.crypto.utils.DOMUtils;

/* loaded from: input_file:com/bea/security/saml2/service/ars/ArtifactResolutionServiceImpl.class */
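/**
 * SAML 2.0 Artifact Resolution Service (ARS) endpoint.
 *
 * <p>Receives a {@code <samlp:ArtifactResolve>} over the SOAP binding, authenticates the
 * requesting partner (HTTP Basic and/or TLS client certificate, as configured locally),
 * optionally verifies the request signature, looks the artifact up in the artifact store and
 * returns the stored SAML message wrapped in a signed {@code <samlp:ArtifactResponse>}.
 *
 * <p>The same servlet serves both the SP and the IdP ARS paths; which partner registry is
 * consulted depends on the request URI suffix.
 */
public class ArtifactResolutionServiceImpl extends AbstractService {
    private static final String BASIC_AUTH_HEADER = "Authorization";
    private static final String BASIC_AUTH_TOKEN = "Basic";
    private static final String X509CERT_ATTRIBUTE = "javax.servlet.request.X509Certificate";
    private static final String LOGGING_PREFIX = "ArtifactResolutionService.";

    /**
     * Creates the service on top of the shared SAML2 configuration.
     *
     * @param sAML2ConfigSpi configuration SPI giving access to binding handlers, key manager,
     *     artifact store and partner registry
     */
    public ArtifactResolutionServiceImpl(SAML2ConfigSpi sAML2ConfigSpi) {
        super(sAML2ConfigSpi);
    }

    /**
     * Handles one artifact-resolution request.
     *
     * <p>Every outcome is written to the response here (a SOAP ArtifactResponse, a SOAP fault via
     * the sender, or an HTTP error), so this always returns {@code true} to signal that the
     * request has been fully processed.
     *
     * @param httpServletRequest incoming SOAP request
     * @param httpServletResponse response to write the ArtifactResponse or error to
     * @return always {@code true}
     * @throws ServletException propagated from the servlet layer
     * @throws IOException if writing the error response fails
     */
    @Override // com.bea.security.saml2.service.Service
    public boolean process(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        boolean isDebugEnabled = this.log.isDebugEnabled();
        String requestURI = httpServletRequest.getRequestURI();

        // The URI suffix decides whether we act as SP (look up IdP partners) or IdP (look up SP partners).
        String servicePath;
        if (requestURI.endsWith(SAML2Constants.SP_ARS_PATH)) {
            servicePath = SAML2Constants.SP_SERVICE_PATH;
        } else if (requestURI.endsWith(SAML2Constants.IDP_ARS_PATH)) {
            servicePath = SAML2Constants.IDP_SERVICE_PATH;
        } else {
            if (isDebugEnabled) {
                this.log.debug("ArtifactResolutionService.process: ARS service called on unexpected URI: '" + requestURI + "', returning NOT_FOUND");
            }
            httpServletResponse.sendError(404);
            return true;
        }

        X509Certificate clientCert = null;
        String basicAuthCredentials = null;
        BindingReceiver receiver;
        BindingSender sender;
        // NOTE(review): in the decompiled source this try only wrapped the debug log below, leaving
        // the throws in binding setup and header parsing uncaught; the 403 handler most plausibly
        // covered this whole setup phase and is restored to that scope here — confirm against the
        // original source.
        try {
            if (isDebugEnabled) {
                this.log.debug("ArtifactResolutionService.process: get SoapHttpBindingReceiver as receiver and SoapHttpBindingSender as sender.");
            }
            receiver = this.config.getBindingHandlerFactory().newBindingReceiver("SOAP", httpServletRequest, httpServletResponse);
            sender = getSender(httpServletRequest, httpServletResponse, "SOAP");
            if (receiver == null || sender == null) {
                if (isDebugEnabled) {
                    this.log.debug("ArtifactResolutionService.process: can not get corresponding binding receiver/sender.");
                }
                throw new Exception(Saml2Logger.getSAML2CouldNotGetBindingHandler("SOAP"));
            }

            // The TLS client certificate (if any) is only available on a secure connection; the
            // container exposes the verified chain under the standard servlet attribute.
            if (httpServletRequest.isSecure()) {
                if (isDebugEnabled) {
                    this.log.debug("ArtifactResolutionService.process: connection is via SSL connection.");
                }
                X509Certificate[] chain = (X509Certificate[]) httpServletRequest.getAttribute(X509CERT_ATTRIBUTE);
                if (chain != null && chain.length > 0) {
                    clientCert = chain[0];
                    if (isDebugEnabled) {
                        this.log.debug("ArtifactResolutionService.process: got one client certifacte, its subjectDN is: " + clientCert.getSubjectDN().getName());
                    }
                }
            }

            // Only the base64 credential part of "Basic <credentials>" is kept; the scheme name is
            // case-insensitive per RFC 7235. The raw header is deliberately not echoed into the
            // exception message, since it carries the (base64) credentials.
            String header = httpServletRequest.getHeader(BASIC_AUTH_HEADER);
            if (header != null) {
                String[] parts = header.split("\\s");
                if (parts.length != 2 || !parts[0].equalsIgnoreCase(BASIC_AUTH_TOKEN)) {
                    throw new Exception("Invalid Authorization header found in request, should return BAD_REQUEST");
                }
                basicAuthCredentials = parts[1];
            }
        } catch (Exception e) {
            logAndSendError(httpServletResponse, 403, e);
            return true;
        }

        try {
            ArtifactResolve artifactResolve = receiver.receiveRequest();
            if (artifactResolve == null) {
                throw new Exception(Saml2Logger.getSAML2InvalidSAMLRequest("<samlp:ArtifactResponse>"));
            }
            try {
                SAMLObject resolved = lookupByArtifact(servicePath, artifactResolve, clientCert, basicAuthCredentials);
                ArtifactResponse artifactResponse = buildArifactResponse(resolved, artifactResolve.getID());
                try {
                    checkSSOCertificate();
                    try {
                        // The ArtifactResponse is always signed with the local SSO key before sending.
                        sender.sendResponse((ArtifactResponse) SAML2Utils.signSamlObject(this.config.getSAML2KeyManager().getSSOKeyInfo().getKey(), artifactResponse), null, null, null, null);
                        return true;
                    } catch (MarshallingException e2) {
                        if (this.log != null && this.log.isDebugEnabled()) {
                            this.log.debug(Saml2Logger.getSAML2SigningErrors("<samlp:ArtifactResponse>"), e2);
                        }
                        throw new SAML2DetailedException(Saml2Logger.getSAML2SigningErrors("<samlp:ArtifactResponse>"), e2, 500).setStatusCode("urn:oasis:names:tc:SAML:2.0:status:Responder", "urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported");
                    }
                } catch (SAML2Exception e3) {
                    throw new SAML2DetailedException(e3.getMessage(), e3, 500).setStatusCode("urn:oasis:names:tc:SAML:2.0:status:Responder", "urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported");
                }
            } catch (BindingHandlerException e4) {
                logAndSendError(httpServletResponse, e4.getHttpStatusCode(), e4);
                return true;
            } catch (SAML2DetailedException e5) {
                // Resolution failed in a way the requester should learn about through a SAML Status:
                // reply with an ArtifactResponse carrying the status instead of an HTTP error.
                try {
                    sender.sendResponse(buildArifactResponse(new SAML2DetailedException(e5.getMessage(), e5.getHttpStatusCode()).setStatusCode("urn:oasis:names:tc:SAML:2.0:status:Success", null), artifactResolve.getID()), null, null, null, null);
                    return true;
                } catch (BindingHandlerException e6) {
                    // e5 is the root cause; e6 only contributes the HTTP status to report.
                    logAndSendError(httpServletResponse, e6.getHttpStatusCode(), e5);
                    return true;
                }
            } catch (Exception e7) {
                logAndSendError(httpServletResponse, 500, e7);
                return true;
            }
        } catch (Exception e8) {
            // The request could not even be received/parsed: send an empty (fault) response.
            if (this.log != null && this.log.isDebugEnabled()) {
                this.log.debug(Saml2Logger.getSAML2InvalidSAMLRequest("ArtifactResolve"), e8);
            }
            try {
                sender.sendResponse(null, null, null, null, null);
                return true;
            } catch (BindingHandlerException e9) {
                logAndSendError(httpServletResponse, e9.getHttpStatusCode(), e9);
                return true;
            }
        }
    }

    /**
     * Resolves the artifact to its stored SAML message after authenticating the requester.
     *
     * <p>Order of checks: artifact exists in the store, the partner that issued it is registered
     * and enabled, the requester authenticates as that partner (see
     * {@link #validateArtifactRequester}), and — when required by local configuration or when a
     * signature is present — the {@code <samlp:ArtifactResolve>} signature verifies against the
     * partner's key.
     *
     * @param str service path selecting the SP or IdP partner registry
     * @param artifactResolve the received request; its artifact value is the lookup key
     * @param x509Certificate TLS client certificate presented by the requester, or {@code null}
     * @param str2 base64 credential part of the HTTP Basic header, or {@code null}
     * @return the SAML message stored under the artifact
     * @throws SAML2DetailedException on every failure, carrying the HTTP status and SAML status
     *     codes to report
     */
    private SAMLObject lookupByArtifact(String str, ArtifactResolve artifactResolve, X509Certificate x509Certificate, String str2) throws SAML2DetailedException {
        try {
            ArtifactDataObject stored = this.config.getArtifactStore().retrieve(artifactResolve.getArtifact().getArtifact());
            if (stored == null) {
                throw new SAML2DetailedException(Saml2Logger.getSAML2SamlMessageIsNull(), 404).setStatusCode("urn:oasis:names:tc:SAML:2.0:status:Requester");
            }
            String partnerName = stored.getPartnerName();
            try {
                WebSSOPartner partner = getPartnerByName(str, partnerName);
                if (partner == null) {
                    throw new SAML2DetailedException(Saml2Logger.getNoPartnerByName("unknown", partnerName), 500).setStatusCode("urn:oasis:names:tc:SAML:2.0:status:Requester", "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed");
                }
                if (!partner.isEnabled()) {
                    throw new SAML2DetailedException(Saml2Logger.getPartnerIsNotEnabledInRegistry(partnerName), 500).setStatusCode("urn:oasis:names:tc:SAML:2.0:status:Requester", "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed");
                }
                if (!validateArtifactRequester(partner, x509Certificate, str2)) {
                    this.log.warn(Saml2Logger.getSAML2ArtifactATNFailed());
                    throw new SAML2DetailedException(Saml2Logger.getSAML2ArtifactATNFailed(), 404).setStatusCode("urn:oasis:names:tc:SAML:2.0:status:Requester", "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed");
                }
                // A present signature is always verified; a required-but-absent one is handed to
                // the verifier as null. NOTE(review): whether verifySamlObjectSignature rejects a
                // null signature is not visible here — confirm so that "want signed" cannot be
                // satisfied by an unsigned request.
                Signature signature = artifactResolve.getSignature();
                if (this.config.getLocalConfiguration().isWantArtifactRequestsSigned() || signature != null) {
                    if (this.log.isDebugEnabled()) {
                        this.log.debug("Verifying the signature of <samlp:ArtifactResolve> message.");
                    }
                    try {
                        SAML2Utils.verifySamlObjectSignature(SAML2Utils.getVerifyKey(partner), signature);
                    } catch (KeyException e) {
                        this.log.error(e.getMessage(), e);
                        throw new SAML2DetailedException(Saml2Logger.getSAML2NoVerifyKeyFor("<samlp:ArtifactResolve>"), 403).setStatusCode("urn:oasis:names:tc:SAML:2.0:status:Responder", "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed");
                    } catch (CertificateException e2) {
                        this.log.error(e2.getMessage(), e2);
                        throw new SAML2DetailedException(Saml2Logger.getNoVerifyingCert("<samlp:ArtifactResolve>", partner.getName()), 403).setStatusCode("urn:oasis:names:tc:SAML:2.0:status:Responder", "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed");
                    } catch (ValidationException e3) {
                        this.log.error(e3.getMessage(), e3);
                        throw new SAML2DetailedException(Saml2Logger.getSAML2VerifySignatureFail(), 403).setStatusCode("urn:oasis:names:tc:SAML:2.0:status:Requester", "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed");
                    }
                }
                return stored.getData();
            } catch (PartnerManagerException e4) {
                this.log.warn(Saml2Logger.getFindPartnerByNameError(partnerName));
                throw new SAML2DetailedException(Saml2Logger.getFindPartnerByNameError(partnerName), e4, 500).setStatusCode("urn:oasis:names:tc:SAML:2.0:status:Requester", "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed");
            }
        } catch (SAML2ArtifactException e5) {
            throw new SAML2DetailedException(e5);
        }
    }

    /**
     * Looks the partner up in the registry that is the counterpart of the local role: when this
     * endpoint runs as IdP the requester is an SP, and vice versa.
     *
     * @param str service path identifying the local role
     * @param str2 partner name recorded with the artifact
     * @return the partner, or {@code null} when the registry has none by that name
     * @throws PartnerManagerException if the registry lookup fails
     */
    private WebSSOPartner getPartnerByName(String str, String str2) throws PartnerManagerException {
        if (str.equals(SAML2Constants.IDP_SERVICE_PATH)) {
            return (WebSSOPartner) this.config.getPartnerManager().getSPPartner(str2);
        }
        return (WebSSOPartner) this.config.getPartnerManager().getIdPPartner(str2);
    }

    /**
     * Authenticates the artifact requester according to local configuration.
     *
     * <p>When Basic authentication is required, the presented {@code user:password} must equal the
     * locally configured pair; when TLS client authentication is required, the presented
     * certificate must equal the partner's registered transport-layer client certificate. Both
     * checks apply when both are enabled; a requirement that is not enabled is skipped.
     *
     * @param webSSOPartner partner the artifact belongs to
     * @param x509Certificate TLS client certificate, or {@code null} if none was presented
     * @param str base64 credential part of the Basic header, or {@code null} if absent
     * @return {@code true} if every enabled check passes
     */
    private boolean validateArtifactRequester(WebSSOPartner webSSOPartner, X509Certificate x509Certificate, String str) {
        if (this.config.getLocalConfiguration().isWantBasicAuthClientAuthentication()) {
            if (str == null) {
                return false;
            }
            String basicAuthUsername = this.config.getLocalConfiguration().getBasicAuthUsername();
            String basicAuthPassword = this.config.getLocalConfiguration().getBasicAuthPassword();
            byte[] presented;
            try {
                presented = SAML2Utils.base64Decode(str);
            } catch (IOException e) {
                this.log.warn(e.getMessage());
                presented = null;
            }
            // Undecodable credentials are an authentication failure, not an NPE.
            if (presented == null) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Client basic auth is invalid, authentication is failed.");
                }
                return false;
            }
            // RFC 7617 leaves the charset unspecified; UTF-8 is used for both sides so the
            // comparison does not depend on the platform default.
            String presentedText = new String(presented, StandardCharsets.UTF_8);
            if (this.log.isDebugEnabled()) {
                // Log only the username part; never the password.
                int separator = presentedText.indexOf(DOMUtils.QNAME_SEPARATOR);
                if (separator < 0) {
                    separator = presentedText.length();
                }
                this.log.debug("ArtifactResolutionService.validateArtifactRequester: local basic username: " + basicAuthUsername + "; client basic username: " + presentedText.substring(0, separator));
            }
            byte[] expected = (basicAuthUsername + DOMUtils.QNAME_SEPARATOR + basicAuthPassword).getBytes(StandardCharsets.UTF_8);
            // Constant-time comparison so response timing does not reveal how much of the
            // credential matched.
            if (!MessageDigest.isEqual(expected, presented)) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Client basic auth is invalid, authentication is failed.");
                }
                return false;
            }
        }
        if (!this.config.getLocalConfiguration().isWantTransportLayerSecurityClientAuthentication()) {
            return true;
        }
        if (x509Certificate == null) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("ArtifactResolutionService.validateArtifactRequester: certificate from client is null, authentication is failed.");
            }
            return false;
        }
        // X509Certificate.equals compares the encoded certificates; a partner without a
        // registered client cert (null) therefore never matches.
        if (x509Certificate.equals(webSSOPartner.getTransportLayerClientCert())) {
            return true;
        }
        if (this.log.isDebugEnabled()) {
            this.log.debug("ArtifactResolutionService.validateArtifactRequester: certificate from client is invalid, authentication is failed.");
        }
        return false;
    }

    /**
     * Builds a successful ArtifactResponse embedding the resolved SAML message.
     *
     * @param sAMLObject the message stored under the artifact
     * @param str ID of the ArtifactResolve being answered (becomes {@code InResponseTo})
     * @return the unsigned ArtifactResponse; the caller signs it
     */
    private ArtifactResponse buildArifactResponse(SAMLObject sAMLObject, String str) {
        ArtifactResponse response = SAMLObjectBuilder.buildArtifactResponse();
        response.setIssuer(SAMLObjectBuilder.buildIssuer(this.config.getLocalConfiguration().getEntityID()));
        response.setInResponseTo(str);
        response.getUnknownXMLObjects().add(sAMLObject);
        return response;
    }

    /**
     * Builds an ArtifactResponse that carries a SAML Status instead of a message.
     *
     * <p>NOTE(review): the exception message is copied verbatim into {@code StatusMessage}, so
     * whatever text the failing step produced (e.g. partner or key details) is sent to the
     * requester — confirm that the messages used on these paths are safe to disclose.
     *
     * @param sAML2DetailedException failure whose SAML status codes and message are reported
     * @param str ID of the ArtifactResolve being answered (becomes {@code InResponseTo})
     * @return the unsigned ArtifactResponse
     */
    private ArtifactResponse buildArifactResponse(SAML2DetailedException sAML2DetailedException, String str) {
        String message = sAML2DetailedException.getMessage();
        StatusMessage statusMessage = (message != null && message.length() > 0)
                ? SAMLObjectBuilder.buildStatusMessage(message)
                : null;
        Status status = SAMLObjectBuilder.buildStatus(sAML2DetailedException.getStatus(), statusMessage, (StatusDetail) null);
        ArtifactResponse response = SAMLObjectBuilder.buildArtifactResponse();
        response.setIssuer(SAMLObjectBuilder.buildIssuer(this.config.getLocalConfiguration().getEntityID()));
        response.setInResponseTo(str);
        response.setStatus(status);
        return response;
    }
}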
