package com.bea.security.saml2.service.acs;

import com.bea.common.security.saml2.SingleSignOnServicesConfigSpi;
import com.bea.common.security.saml2.utils.SAMLContextHandler;
import com.bea.common.security.service.Identity;
import com.bea.common.security.service.IdentityAssertionService;
import com.bea.common.security.service.LoginSession;
import com.bea.common.security.utils.ContextElementDictionary;
import com.bea.common.security.utils.SAML2ClassLoader;
import com.bea.security.saml2.Saml2Logger;
import com.bea.security.saml2.binding.BindingReceiver;
import com.bea.security.saml2.config.SAML2ConfigSpi;
import com.bea.security.saml2.providers.registry.WebSSOIdPPartner;
import com.bea.security.saml2.service.AbstractService;
import com.bea.security.saml2.service.SAML2Exception;
import com.bea.security.saml2.util.SAML2Constants;
import com.bea.security.saml2.util.SAML2Utils;
import com.bea.security.saml2.util.cache.SAML2Cache;
import com.bea.security.saml2.util.cache.SAML2CacheException;
import java.io.IOException;
import java.security.KeyException;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.saml2.core.SubjectConfirmationData;
import org.opensaml.saml2.core.validator.IssuerSchemaValidator;
import org.opensaml.saml2.core.validator.ResponseSchemaValidator;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.util.DatatypeHelper;
import org.opensaml.xml.validation.ValidationException;
import weblogic.security.service.ContextElement;

/* loaded from: input_file:com/bea/security/saml2/service/acs/AssertionConsumerServiceImpl.class */
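/**
 * Service-provider side SAML 2.0 Assertion Consumer Service (ACS).
 *
 * <p>{@link #process} receives a {@code <samlp:Response>} over the binding selected by the
 * request URI, checks its status, schema, destination, InResponseTo, issuer and the bearer
 * subject confirmations, looks up the issuing IdP partner, verifies the response signature
 * when one is present, turns the first assertion into an {@link Identity} through the
 * configured {@link IdentityAssertionService}, creates a login session and finally
 * redirects the browser to the target URL that was stored when the AuthnRequest was sent
 * (or to the RelayState / default URL).
 *
 * <p>Everything parsed from the HTTP request (the response, RelayState, request URI) is
 * attacker-controlled until the signature and identity-assertion steps have accepted it.
 * Any failure before the redirect is reported through {@code logAndSendError} from the
 * superclass (outside this file), mapped to an HTTP status as described on {@link #process}.
 */
public class AssertionConsumerServiceImpl extends AbstractService {

    /** Only bearer subject confirmations are accepted on this endpoint (Web SSO profile). */
    private static final String BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer";

    /** Top-level status code a response must carry to be processed at all. */
    private static final String STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";

    /**
     * AuthnRequest ID -> redirect target, populated when the AuthnRequest was issued
     * (elsewhere; injected via {@link #setAuthnReqCache}). Used both to reject responses
     * that answer an unknown request and to recover the post-login redirect URL.
     */
    private SAML2Cache<String, String> authnReqCache;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/bea/security/saml2/service/acs/AssertionConsumerServiceImpl$ResponseValidator.class */
    /**
     * Extends the OpenSAML schema validator with the profile checks this ACS needs:
     * Destination (when recipient checking is enabled), InResponseTo (must name a cached
     * request when present), Issuer (must exist and validate), and the bearer subject
     * confirmations of every assertion. Non-static so it can read the enclosing
     * service's configuration and request cache.
     */
    public class ResponseValidator extends ResponseSchemaValidator {
        /** Request the response arrived on; its URI forms the expected Destination. */
        private final HttpServletRequest request;

        /**
         * @param httpServletRequest the HTTP request carrying the SAML response
         */
        public ResponseValidator(HttpServletRequest httpServletRequest) {
            this.request = httpServletRequest;
        }

        /**
         * Runs the schema validation, then the profile checks in order.
         *
         * @throws ValidationException on the first check that fails
         */
        public void validate(Response response) throws ValidationException {
            super.validate(response);
            validateDestination(response);
            validateInResponseTo(response);
            validateIssuer(response);
            ValidateAssertions(response);
        }

        /**
         * When recipient checking is enabled, {@code Destination} must equal the local site
         * (derived from the published site URL) plus the request URI; an absent
         * Destination is rejected too.
         *
         * @throws ValidationException if the Destination is missing or differs
         */
        protected void validateDestination(Response response) throws ValidationException {
            if (!AssertionConsumerServiceImpl.this.config.getLocalConfiguration().isRecipientCheckEnabled()) {
                return;
            }
            String expected = SAML2Utils.getLocalSiteFromPublishedURL(
                    AssertionConsumerServiceImpl.this.config.getLocalConfiguration().getPublishedSiteURL())
                    + this.request.getRequestURI();
            String actual = response.getDestination();
            if (DatatypeHelper.isEmpty(actual) || !actual.equals(expected)) {
                throw new ValidationException(Saml2Logger.getDestinationNotMatch(actual, expected));
            }
        }

        /** Consent is deliberately not checked here (kept as a no-op, as in the original). */
        protected void validateConsent(Response response) throws ValidationException {
        }

        /**
         * A response that names a request ({@code InResponseTo}) must match an entry in the
         * AuthnRequest cache. A response without InResponseTo is accepted as unsolicited
         * (IdP-initiated) and is not bound to any cached request.
         *
         * @throws ValidationException if no cached request matches, or the cache fails
         */
        protected void validateInResponseTo(Response response) throws ValidationException {
            String inResponseTo = response.getInResponseTo();
            if (DatatypeHelper.isEmpty(inResponseTo)) {
                return;
            }
            try {
                if (AssertionConsumerServiceImpl.this.authnReqCache.get(inResponseTo) == null) {
                    throw new ValidationException(Saml2Logger.getNoRequestFound(inResponseTo));
                }
            } catch (SAML2CacheException e) {
                throw new ValidationException(e);
            }
        }

        /**
         * The response must carry an Issuer that passes the OpenSAML issuer schema check;
         * {@link #process} later resolves the IdP partner from its value.
         *
         * @throws ValidationException if the Issuer is absent or invalid
         */
        protected void validateIssuer(Response response) throws ValidationException {
            if (response.getIssuer() == null) {
                throw new ValidationException(Saml2Logger.getEmptyAttribute("Response:Issuer"));
            }
            new IssuerSchemaValidator().validate(response.getIssuer());
        }

        /**
         * Checks the subject confirmations of every assertion. A response with no
         * assertion at all is rejected here; identity assertion always reads the first
         * assertion, so such a response could never succeed and would otherwise surface
         * as an index error (HTTP 500) instead of a validation failure (HTTP 403).
         * Encrypted assertions are not considered, as in the original.
         *
         * @throws ValidationException if there are no assertions or a confirmation is bad
         */
        protected void ValidateAssertions(Response response) throws ValidationException {
            List<Assertion> assertions = response.getAssertions();
            if (assertions == null || assertions.isEmpty()) {
                throw new ValidationException(Saml2Logger.getEmptyAttribute("Response:Assertions"));
            }
            for (Assertion assertion : assertions) {
                validateSubjectConfirmationData(assertion, response);
            }
        }

        /**
         * Every SubjectConfirmation of the assertion must use the bearer method and carry
         * SubjectConfirmationData consistent with the response.
         *
         * @throws ValidationException on a missing subject, no confirmations, a non-bearer
         *         method, or inconsistent confirmation data
         */
        private void validateSubjectConfirmationData(Assertion assertion, Response response) throws ValidationException {
            if (assertion.getSubject() == null) {
                throw new ValidationException(Saml2Logger.getEmptyAttribute("Assertion:Subject"));
            }
            List<SubjectConfirmation> confirmations = assertion.getSubject().getSubjectConfirmations();
            if (confirmations == null || confirmations.isEmpty()) {
                throw new ValidationException(Saml2Logger.getEmptyAttribute("Subject:SubjectConfirmations"));
            }
            for (SubjectConfirmation confirmation : confirmations) {
                if (!BEARER_METHOD.equals(confirmation.getMethod())) {
                    throw new ValidationException(
                            Saml2Logger.getIllegalConfirmationMethod(confirmation.getMethod(), BEARER_METHOD));
                }
                validateConfirmationData(confirmation.getSubjectConfirmationData(), response);
            }
        }

        /**
         * Recipient must equal the response Destination when recipient checking is enabled;
         * InResponseTo, when present, must equal the response InResponseTo. A bearer
         * confirmation without SubjectConfirmationData is rejected rather than
         * dereferenced. Validity-window attributes (NotOnOrAfter etc.) are not checked
         * here; presumably the identity assertion service does that — confirm.
         *
         * @throws ValidationException if the data is missing or inconsistent
         */
        private void validateConfirmationData(SubjectConfirmationData data, Response response) throws ValidationException {
            if (data == null) {
                throw new ValidationException(
                        Saml2Logger.getEmptyAttribute("SubjectConfirmation:SubjectConfirmationData"));
            }
            if (AssertionConsumerServiceImpl.this.config.getLocalConfiguration().isRecipientCheckEnabled()) {
                String recipient = data.getRecipient();
                if (DatatypeHelper.isEmpty(recipient) || !recipient.equals(response.getDestination())) {
                    throw new ValidationException(
                            Saml2Logger.getIllegalRecipient(recipient, response.getDestination()));
                }
            }
            String inResponseTo = data.getInResponseTo();
            if (!DatatypeHelper.isEmpty(inResponseTo) && !inResponseTo.equals(response.getInResponseTo())) {
                throw new ValidationException(
                        Saml2Logger.getIllegalInResponseTo(inResponseTo, response.getInResponseTo()));
            }
        }
    }

    /**
     * @param sAML2ConfigSpi SAML2 configuration handed to the superclass; the
     *        AuthnRequest cache is injected separately via {@link #setAuthnReqCache}
     */
    public AssertionConsumerServiceImpl(SAML2ConfigSpi sAML2ConfigSpi) {
        super(sAML2ConfigSpi);
        this.authnReqCache = null;
    }

    /**
     * Handles one ACS request end to end (see the class comment for the sequence).
     *
     * <p>Error mapping: {@link SAML2Exception} uses its own status; key, certificate,
     * validation and login failures become 403; anything else becomes 500. All of them
     * are delegated to {@code logAndSendError}, whose return value is passed through.
     *
     * @return {@code true} after the redirect was sent; {@code false} when the service
     *         provider is disabled; otherwise the value returned by {@code logAndSendError}
     */
    @Override // com.bea.security.saml2.service.Service
    public boolean process(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        if (this.log.isDebugEnabled()) {
            this.log.debug("Assertion consumer service: processing");
        }
        try {
            if (!this.config.getLocalConfiguration().isServiceProviderEnabled()) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Service provider is not enabled.");
                }
                return false;
            }
            String bindingType = getBindingTypeFromURI(httpServletRequest, httpServletResponse);
            checkBindingTypeEnabled(bindingType);
            BindingReceiver receiver = this.config.getBindingHandlerFactory()
                    .newBindingReceiver(bindingType, httpServletRequest, httpServletResponse);
            Response samlResponse = receiver.receiveResponse();

            // A response without <samlp:Status>/<samlp:StatusCode> is a malformed response
            // (403), not an internal error; reading through it would NPE into the 500 path.
            if (samlResponse.getStatus() == null || samlResponse.getStatus().getStatusCode() == null) {
                throw new SAML2Exception(Saml2Logger.getEmptyAttribute("Response:Status"), 403);
            }
            String statusCode = samlResponse.getStatus().getStatusCode().getValue();
            if (!STATUS_SUCCESS.equals(statusCode)) {
                throw new SAML2Exception(Saml2Logger.getIllegalResponseCode(statusCode), 403);
            }

            // Schema + profile checks; guarantees a non-null Issuer and at least one assertion.
            verifyAttrAndEle(samlResponse, httpServletRequest);

            String issuerUri = samlResponse.getIssuer().getValue();
            WebSSOIdPPartner idp = (WebSSOIdPPartner) this.config.getPartnerManager()
                    .findIdentityProviderByIssuerURI(issuerUri);
            if (idp == null) {
                throw new SAML2Exception(Saml2Logger.getNoIdPForIssuerURI(issuerUri), 404);
            }
            if (!idp.isEnabled()) {
                throw new SAML2Exception(Saml2Logger.getIdPNotEnabled(idp.getName()), 404);
            }

            // Only a signed <samlp:Response> is verified here, with the partner's key. An
            // unsigned response passes this step; assertion-level signature enforcement is
            // left to the identity assertion service (see the WantAssertionSigned context
            // element in assertIdentity).
            Signature signature = samlResponse.getSignature();
            if (signature != null) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("<samlp:Response> is signed.");
                }
                PublicKey verifyKey = SAML2Utils.getVerifyKey(idp);
                // Binding-level verification first (e.g. a detached signature); fall back
                // to verifying the XML signature on the object itself.
                if (!receiver.verifySignature(verifyKey)) {
                    SAML2Utils.verifySamlObjectSignature(verifyKey, signature);
                }
            }

            Identity identity = assertIdentity(samlResponse, idp, httpServletRequest);

            // The session service is invoked under the thread context class loader that the
            // SAML2ClassLoader wraps; the original loader is restored on every path.
            Thread thread = Thread.currentThread();
            ClassLoader savedLoader = thread.getContextClassLoader();
            LoginSession session;
            try {
                if (savedLoader instanceof SAML2ClassLoader) {
                    thread.setContextClassLoader(((SAML2ClassLoader) savedLoader).getThreadConextClassLoader());
                }
                session = this.config.getSessionService().create(identity, new Date(), httpServletRequest);
            } finally {
                thread.setContextClassLoader(savedLoader);
            }
            if (session == null) {
                throw new SAML2Exception(Saml2Logger.getCreateSessionError(identity.toString()), 403);
            }

            String target = getRedirectURL(samlResponse, receiver.getRelayState(),
                    this.config.getLocalConfiguration().getDefaultURL());
            httpServletResponse.sendRedirect(httpServletResponse.encodeRedirectURL(target));
            return true;
        } catch (SAML2Exception e) {
            return logAndSendError(httpServletResponse, e.getHttpStatusCode(), e);
        } catch (KeyException | CertificateException | ValidationException | LoginException e) {
            return logAndSendError(httpServletResponse, 403, e);
        } catch (Exception e) {
            return logAndSendError(httpServletResponse, 500, e);
        }
    }

    /**
     * Chooses the post-login redirect target.
     *
     * <p>For a solicited response (InResponseTo set) the target stored for that
     * AuthnRequest is taken from the cache and removed, making the entry one-use; the
     * RelayState is ignored in that case. For an unsolicited response the RelayState is
     * used. If the chosen value is not an acceptable URL, the configured default URL is
     * used, and {@code "/"} if that is unacceptable too.
     *
     * <p>Note that InResponseTo is tested with {@code != null} here while the validator
     * treats an empty string as absent; an empty InResponseTo therefore consults the
     * cache (and finds nothing) rather than the RelayState — kept as in the original.
     *
     * @param response   the validated SAML response
     * @param relayState RelayState from the binding, or {@code null}
     * @param defaultUrl configured default URL, or {@code null}
     * @return the URL to redirect to, never {@code null}
     * @throws SAML2Exception if the request cache fails
     */
    private String getRedirectURL(Response response, String relayState, String defaultUrl) throws SAML2Exception {
        String target = null;
        if (response.getInResponseTo() != null) {
            try {
                target = this.authnReqCache.remove(response.getInResponseTo());
            } catch (SAML2CacheException e) {
                throw new SAML2Exception(e);
            }
            if (this.log.isDebugEnabled()) {
                this.log.debug("Using redirect URL from request cache: '" + target + "'");
            }
        } else if (relayState != null) {
            target = relayState;
            if (this.log.isDebugEnabled()) {
                this.log.debug("Using redirect URL from RelayState: '" + target + "'");
            }
        }
        if (!isValidRedirectURL(target)) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("Null or invalid redirect URL, defaulting");
            }
            if (isValidRedirectURL(defaultUrl)) {
                target = defaultUrl;
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Default URL is: '" + defaultUrl + "'");
                }
            } else {
                target = "/";
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Invalid default URL, using '/'");
                }
            }
        }
        if (this.log.isDebugEnabled()) {
            this.log.debug("Redirecting to URL: " + target);
        }
        return target;
    }

    /**
     * Accepts a local path ({@code "/..."}) or an absolute http(s) URL as a redirect target.
     *
     * <p>A leading {@code "//"} or {@code "/\"} is rejected: browsers resolve those as
     * protocol-relative URLs, so such a value (which can arrive via RelayState) would
     * redirect the user to another host while looking like a local path. Absolute
     * {@code http://}/{@code https://} targets are still accepted as in the original; a
     * deployment that does not rely on cross-host targets should restrict them to
     * trusted hosts.
     *
     * @param url candidate URL, may be {@code null}
     * @return {@code true} if the value may be used as a redirect target
     */
    private static boolean isValidRedirectURL(String url) {
        if (url == null) {
            return false;
        }
        if (url.startsWith("/")) {
            return !(url.startsWith("//") || url.startsWith("/\\"));
        }
        return url.startsWith("http://") || url.startsWith("https://");
    }

    /**
     * Rejects the Artifact and POST bindings when they are disabled in the local
     * service-provider configuration.
     *
     * @param bindingType binding name derived from the request URI
     * @throws SAML2Exception if that binding is disabled
     */
    private void checkBindingTypeEnabled(String bindingType) throws SAML2Exception {
        SingleSignOnServicesConfigSpi local = this.config.getLocalConfiguration();
        boolean artifactDisabled = !local.isServiceProviderArtifactBindingEnabled() && "HTTP/Artifact".equals(bindingType);
        boolean postDisabled = !local.isServiceProviderPOSTBindingEnabled() && "HTTP/POST".equals(bindingType);
        if (artifactDisabled || postDisabled) {
            throw new SAML2Exception(Saml2Logger.getBindingUnenabled(bindingType));
        }
    }

    /**
     * Hands the first assertion's DOM to the identity assertion service, together with a
     * context describing the local entity, the IdP partner, an (initially empty) list for
     * SAML attribute principals, whether the one-use policy applies (POST binding with
     * the one-use check enabled) and, when configured, that assertions must be signed.
     *
     * <p>Precondition: the response has already passed {@link ResponseValidator}, which
     * guarantees at least one assertion.
     *
     * @return the asserted identity
     * @throws LoginException       if the assertion is not accepted
     * @throws MarshallingException if the assertion DOM cannot be produced
     */
    private Identity assertIdentity(Response response, WebSSOIdPPartner idp, HttpServletRequest httpServletRequest) throws LoginException, MarshallingException {
        Assertion assertion = (Assertion) response.getAssertions().get(0);
        IdentityAssertionService assertionService = this.config.getIdentityAssertionService();
        SingleSignOnServicesConfigSpi local = this.config.getLocalConfiguration();

        boolean oneUsePolicyApplies = httpServletRequest.getRequestURI().endsWith(SAML2Constants.POST_URI)
                && local.isPOSTOneUseCheckEnabled();

        SAMLContextHandler context = new SAMLContextHandler();
        context.addElement(new ContextElement("com.bea.contextelement.saml2.EntityID", local.getEntityID()));
        context.addElement(new ContextElement("com.bea.contextelement.saml2.PartnerName", idp.getName()));
        context.addElement(new ContextElement(ContextElementDictionary.SAML_ATTRIBUTE_PRINCIPALS, new ArrayList()));
        context.addElement(new ContextElement("com.bea.contextelement.saml2.OneUsePolicyApplies",
                oneUsePolicyApplies ? Boolean.TRUE : Boolean.FALSE));
        if (local.isWantAssertionsSigned()) {
            context.addElement(new ContextElement("com.bea.contextelement.saml2.WantAssertionSigned", Boolean.TRUE));
        }
        return assertionService.assertIdentity("SAML2.Assertion.DOM", assertion.getDOM(), context);
    }

    /**
     * Runs {@link ResponseValidator} against the received response.
     *
     * @throws ValidationException if any schema or profile check fails
     */
    private void verifyAttrAndEle(Response response, HttpServletRequest httpServletRequest) throws ValidationException {
        new ResponseValidator(httpServletRequest).validate(response);
    }

    /**
     * Injects the AuthnRequest cache (request ID -> redirect target) shared with the
     * component that issues AuthnRequests.
     */
    public void setAuthnReqCache(SAML2Cache<String, String> sAML2Cache) {
        this.authnReqCache = sAML2Cache;
    }
}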
