package com.sun.identity.saml2.profile;

import com.iplanet.am.util.OrderedSet;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.saml.xmlsig.KeyProvider;
import com.sun.identity.saml2.assertion.AssertionFactory;
import com.sun.identity.saml2.assertion.Issuer;
import com.sun.identity.saml2.common.SAML2Constants;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.common.SAML2SDKUtils;
import com.sun.identity.saml2.common.SAML2Utils;
import com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement;
import com.sun.identity.saml2.key.KeyUtil;
import com.sun.identity.saml2.logging.LogUtil;
import com.sun.identity.saml2.logging.SAML2LogManager;
import com.sun.identity.saml2.meta.SAML2MetaException;
import com.sun.identity.saml2.meta.SAML2MetaUtils;
import com.sun.identity.saml2.protocol.Artifact;
import com.sun.identity.saml2.protocol.ArtifactResolve;
import com.sun.identity.saml2.protocol.ArtifactResponse;
import com.sun.identity.saml2.protocol.ProtocolFactory;
import com.sun.identity.saml2.protocol.Response;
import com.sun.identity.saml2.protocol.Status;
import com.sun.identity.saml2.protocol.StatusCode;
import com.sun.identity.security.AdminTokenAction;
import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Date;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.StringTokenizer;
import java.util.logging.Level;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.soap.MessageFactory;
import javax.xml.soap.MimeHeader;
import javax.xml.soap.MimeHeaders;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPMessage;

/* loaded from: input_file:122983-01/SUNWsaml2/reloc/SUNWam/saml2/lib/saml2.jar:com/sun/identity/saml2/profile/IDPArtifactResolution.class */
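/**
 * Hosted IDP endpoint for the SAML 2.0 Artifact Resolution profile.
 *
 * <p>An SP that received an artifact posts an {@code ArtifactResolve} SOAP message to
 * this endpoint. The matching {@code Response} is taken out of
 * {@code IDPCache.responsesByArtifacts} (each artifact can therefore be resolved at
 * most once), signed/encrypted as the requesting SP's metadata demands and returned
 * wrapped in an {@code ArtifactResponse}. Failures are reported as SOAP faults from
 * {@link #onMessage} or as HTTP 500 from {@link #doArtifactResolution}.
 *
 * <p>All members are static; the class is not instantiable.
 */
public class IDPArtifactResolution {
    /** Admin token used when writing audit log records; set by the static initializer. */
    static SSOToken adminToken;
    /** SAML2 audit/access logger; set by the static initializer. */
    static LogUtil logUtil;
    /** SAAJ factory used to parse the inbound SOAP request; stays null if SAAJ failed to initialize. */
    static MessageFactory messageFactory;

    /** Log message prefixes, kept verbatim so existing log parsers keep matching. */
    private static final String DO_RESOLUTION = "IDPArtifactResolution.doArtifactResolution: ";
    private static final String ON_MESSAGE = "IDPArtifactResolution.onMessage: ";

    /** Utility class; not instantiable. */
    private IDPArtifactResolution() {
    }

    /**
     * Servlet-level entry point: resolves the hosted IDP from the request, parses the
     * SOAP body and writes the SOAP reply produced by {@link #onMessage}.
     *
     * <p>The hosted IDP is identified by the {@code metaAlias} request parameter, falling
     * back to the meta alias encoded in the request URI. Every error path answers with
     * HTTP 500 and a localized message; a null reply from {@code onMessage} is answered
     * with HTTP 204.
     *
     * @param httpServletRequest the inbound HTTP request carrying the SOAP ArtifactResolve
     * @param httpServletResponse the HTTP response the SOAP reply is written to
     */
    public static void doArtifactResolution(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            String metaAlias = httpServletRequest.getParameter("metaAlias");
            if (isBlank(metaAlias)) {
                metaAlias = SAML2MetaUtils.getMetaAliasByUri(httpServletRequest.getRequestURI());
            }
            if (isBlank(metaAlias)) {
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message(DO_RESOLUTION + "unable to get IDP meta alias from request.");
                }
                logUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, new String[]{metaAlias}, adminToken);
                httpServletResponse.sendError(500, SAML2Utils.bundle.getString("nullIDPMetaAlias"));
                return;
            }
            try {
                String idpEntityID = IDPSSOUtil.metaManager.getEntityByMetaAlias(metaAlias);
                if (isBlank(idpEntityID)) {
                    SAML2Utils.debug.error(DO_RESOLUTION + "Unable to get IDP Entity ID from meta.");
                    logUtil.error(Level.INFO, LogUtil.INVALID_IDP, new String[]{idpEntityID}, adminToken);
                    httpServletResponse.sendError(500, SAML2Utils.bundle.getString("nullIDPEntityID"));
                    return;
                }
                // The static initializer swallows the SAAJ bootstrap failure; without a
                // factory the request cannot be parsed, so fail explicitly instead of NPE-ing.
                if (messageFactory == null) {
                    SAML2Utils.debug.error(DO_RESOLUTION + "SOAP MessageFactory is not available.");
                    httpServletResponse.sendError(500, SAML2Utils.bundle.getString("unableToCreateSOAPMessage"));
                    return;
                }
                try {
                    // Same evaluation order as before: parse the SOAP request first, then resolve the realm.
                    SOAPMessage soapRequest = messageFactory.createMessage(getHeaders(httpServletRequest), httpServletRequest.getInputStream());
                    String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
                    SOAPMessage reply = onMessage(soapRequest, httpServletRequest, realm, idpEntityID);
                    if (reply == null) {
                        httpServletResponse.setStatus(204);
                        return;
                    }
                    if (reply.saveRequired()) {
                        reply.saveChanges();
                    }
                    httpServletResponse.setStatus(200);
                    putHeaders(reply.getMimeHeaders(), httpServletResponse);
                    ServletOutputStream outputStream = httpServletResponse.getOutputStream();
                    reply.writeTo(outputStream);
                    outputStream.flush();
                } catch (SAML2Exception e) {
                    SAML2Utils.debug.error(DO_RESOLUTION + "SAML2 error", e);
                    httpServletResponse.sendError(500, SAML2Utils.bundle.getString("unableToCreateArtifactResponse"));
                } catch (SOAPException e) {
                    SAML2Utils.debug.error(DO_RESOLUTION + "SOAP error", e);
                    logUtil.error(Level.INFO, LogUtil.INVALID_SOAP_MESSAGE, new String[]{idpEntityID}, adminToken);
                    httpServletResponse.sendError(500, SAML2Utils.bundle.getString("invalidSOAPMessage"));
                }
            } catch (SAML2MetaException e) {
                SAML2Utils.debug.error(DO_RESOLUTION + "Unable to get IDP Entity ID from meta.");
                logUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, new String[]{metaAlias}, adminToken);
                httpServletResponse.sendError(500, SAML2Utils.bundle.getString("metaDataError"));
            } catch (SSOException e) {
                SAML2Utils.debug.error(DO_RESOLUTION + "invalid or expired sso token", e);
                httpServletResponse.sendError(500, SAML2Utils.bundle.getString("invalidSSOToken"));
            }
        } catch (IOException e) {
            // Nothing more can be sent to the client once the response stream itself fails.
            SAML2Utils.debug.error(DO_RESOLUTION + "I/O error", e);
        }
    }

    /**
     * Processes one {@code ArtifactResolve} SOAP message and builds the SOAP reply.
     *
     * <p>Processing order: extract the ArtifactResolve; look up the requesting SP (the
     * message's Issuer) in the metadata of {@code realm}; if the hosted IDP's
     * {@code WANT_ARTIFACT_RESOLVE_SIGNED} attribute is true, require and verify the
     * request signature against that SP's verification certificate; remove the cached
     * Response for the artifact (single use); if none is cached locally, forward the
     * whole SOAP request to the server the artifact's message handle maps to; otherwise
     * sign/encrypt the Response components, wrap them in an ArtifactResponse addressed
     * to the SP's HTTP-Artifact ACS URL, sign the ArtifactResponse if the SP's
     * {@code WANT_ARTIFACT_RESPONSE_SIGNED} attribute is true, and log it.
     *
     * <p>When {@code WANT_ARTIFACT_RESOLVE_SIGNED} is not true no signature is required,
     * so the only thing binding the caller to the cached Response is possession of the
     * artifact value. NOTE(review): the requesting Issuer is not compared here against
     * the SP the cached Response was originally issued for; confirm whether that check
     * lives in the cache population path or is covered by transport-level authentication.
     *
     * @param soapMessage the inbound SOAP message whose body holds the ArtifactResolve
     * @param httpServletRequest the HTTP request, used for its URI when forwarding to a remote server
     * @param realm the realm the hosted IDP lives in
     * @param idpEntityID entity ID of the hosted IDP
     * @return the SOAP reply: an ArtifactResponse, a SOAP fault describing the failure,
     *     or whatever the remote server answered when the request was forwarded
     * @throws SAML2Exception propagated from the SAML2 SDK calls that build, sign or
     *     serialize the messages
     */
    public static SOAPMessage onMessage(SOAPMessage soapMessage, HttpServletRequest httpServletRequest, String realm, String idpEntityID) throws SAML2Exception {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(ON_MESSAGE + "Entering onMessage().");
        }
        ArtifactResolve artResolve = ProtocolFactory.getInstance().createArtifactResolve(SAML2Utils.getSamlpElement(soapMessage, SAML2SDKUtils.ARTIFACT_RESOLVE));
        if (artResolve == null) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(ON_MESSAGE + "no valid ArtifactResolve node found in SOAP body.");
            }
            return SAML2Utils.createSOAPFault(SAML2Constants.CLIENT_FAULT, "noArtifactResolve", null);
        }
        // The Issuer names the requesting SP; its metadata supplies the verification cert.
        // NOTE(review): a message without an Issuer element would NPE here — confirm the
        // ProtocolFactory parser rejects such messages upstream.
        String spEntityID = artResolve.getIssuer().getValue();
        SPSSODescriptorElement spDescriptor;
        try {
            spDescriptor = IDPSSOUtil.metaManager.getSPSSODescriptor(realm, spEntityID);
        } catch (SSOException e) {
            SAML2Utils.debug.error(ON_MESSAGE + "invalid or expired sso token", e);
            return SAML2Utils.createSOAPFault(SAML2Constants.SERVER_FAULT, "invalidSSOToken", null);
        } catch (SAML2MetaException e) {
            SAML2Utils.debug.error("IDPArtifactResolution.onMessage: ", e);
            spDescriptor = null;
        }
        if (spDescriptor == null) {
            SAML2Utils.debug.error(ON_MESSAGE + "Unable to get SP SSO Descriptor from meta.");
            return SAML2Utils.createSOAPFault(SAML2Constants.SERVER_FAULT, "metaDataError", null);
        }
        // Destination of the ArtifactResponse: the SP's first HTTP-Artifact ACS URL.
        // Presumably an SP with no such endpoint yields an empty set and fails here — confirm.
        OrderedSet acsUrls = SPSSOFederate.getACSUrl(spDescriptor, SAML2Constants.HTTP_ARTIFACT);
        String acsUrl = (String) acsUrls.get(0);

        // Signature on the ArtifactResolve is required only when the hosted IDP is configured to want it.
        String wantResolveSigned = SAML2Utils.getAttributeValueFromSSOConfig(realm, idpEntityID, SAML2Constants.IDP_ROLE, SAML2Constants.WANT_ARTIFACT_RESOLVE_SIGNED);
        if (SAML2Constants.TRUE.equals(wantResolveSigned)) {
            if (!artResolve.isSigned()) {
                SAML2Utils.debug.error(ON_MESSAGE + "The artifact resolve is not signed " + "when it is expected to be signed.");
                return SAML2Utils.createSOAPFault(SAML2Constants.CLIENT_FAULT, "ArtifactResolveNotSigned", null);
            }
            // Verified against the certificate published in the requesting SP's own metadata.
            if (!artResolve.isSignatureValid(KeyUtil.getVerificationCert(spDescriptor, spEntityID, false))) {
                SAML2Utils.debug.error(ON_MESSAGE + "artifact resolve verification failed.");
                return SAML2Utils.createSOAPFault(SAML2Constants.CLIENT_FAULT, "invalidArtifact", null);
            }
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(ON_MESSAGE + "artifact resolve signature verification is successful.");
            }
        }

        Artifact artifact = artResolve.getArtifact();
        if (artifact == null) {
            SAML2Utils.debug.error(ON_MESSAGE + "Unable to get an artifact from ArtifactResolve.");
            return SAML2Utils.createSOAPFault(SAML2Constants.CLIENT_FAULT, "invalidArtifactSignature", null);
        }
        String artifactValue = artifact.getArtifactValue();
        // remove(), not get(): an artifact resolves exactly once.
        Response response = (Response) IDPCache.responsesByArtifacts.remove(artifactValue);
        if (response == null) {
            // Not cached on this server: the message handle may identify the server that
            // issued the artifact, in which case the whole SOAP request is forwarded there.
            String remoteServiceURL = SAML2Utils.getRemoteServiceURL(artifact.getMessageHandle());
            if (remoteServiceURL != null) {
                String remoteUrl = remoteServiceURL + httpServletRequest.getRequestURI();
                try {
                    return SAML2Utils.scf.createConnection().call(soapMessage, remoteUrl);
                } catch (Exception e) {
                    // Best effort: a failed forward falls through to the "not found" fault.
                    if (SAML2Utils.debug.messageEnabled()) {
                        SAML2Utils.debug.message(ON_MESSAGE + "unable to forward request to remote server. " + "remote url = " + remoteUrl, e);
                    }
                }
            }
            SAML2Utils.debug.error(ON_MESSAGE + "Response is null");
            return SAML2Utils.createSOAPFault(SAML2Constants.SERVER_FAULT, "UnableToFindResponse", null);
        }

        boolean wantAssertionsSigned = spDescriptor.isWantAssertionsSigned();
        if (wantAssertionsSigned && SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(ON_MESSAGE + "signing the assertion.");
        }
        IDPSSOUtil.signAndEncryptResponseComponents(realm, spEntityID, idpEntityID, response, wantAssertionsSigned);

        ArtifactResponse artResponse = buildArtifactResponse(artResolve.getID(), idpEntityID, acsUrl, response);

        String wantResponseSigned = SAML2Utils.getAttributeValueFromSSOConfig(realm, spEntityID, SAML2Constants.SP_ROLE, SAML2Constants.WANT_ARTIFACT_RESPONSE_SIGNED);
        if (SAML2Constants.TRUE.equals(wantResponseSigned)) {
            KeyProvider keyProvider = KeyUtil.getKeyProviderInstance();
            if (keyProvider == null) {
                SAML2Utils.debug.error(ON_MESSAGE + "Unable to get a key provider instance.");
                return SAML2Utils.createSOAPFault(SAML2Constants.SERVER_FAULT, "nullKeyProvider", null);
            }
            String signingCertAlias = SAML2Utils.getSigningCertAlias(realm, idpEntityID, SAML2Constants.IDP_ROLE);
            if (signingCertAlias == null) {
                SAML2Utils.debug.error(ON_MESSAGE + "Unable to get the hosted IDP signing certificate alias.");
                return SAML2Utils.createSOAPFault(SAML2Constants.SERVER_FAULT, "missingSigningCertAlias", null);
            }
            artResponse.sign(keyProvider.getPrivateKey(signingCertAlias), keyProvider.getX509Certificate(signingCertAlias));
        }

        String xmlString = artResponse.toXMLString(true, true);
        // Audit record is written before the null check so a failed serialization is logged too.
        logUtil.access(Level.INFO, LogUtil.ARTIFACT_RESPONSE, new String[]{idpEntityID, artifactValue, xmlString}, adminToken);
        if (SAML2Utils.debug.messageEnabled()) {
            if (xmlString != null) {
                SAML2Utils.debug.message(ON_MESSAGE + "ArtifactResponse message:\n" + xmlString);
            } else {
                SAML2Utils.debug.message(ON_MESSAGE + "Unable to print ArtifactResponse message.");
            }
        }
        try {
            return SAML2Utils.createSOAPMessage(xmlString);
        } catch (SOAPException e) {
            SAML2Utils.debug.error(ON_MESSAGE + "Unable to create a SOAPMessage and add a document ", e);
            return SAML2Utils.createSOAPFault(SAML2Constants.SERVER_FAULT, "unableToCreateSOAPMessage", null);
        }
    }

    /**
     * Assembles a successful ArtifactResponse around the given Response.
     *
     * @param inResponseTo ID of the ArtifactResolve being answered
     * @param idpEntityID issuer (hosted IDP) of the ArtifactResponse
     * @param destination the SP's HTTP-Artifact ACS URL
     * @param response the resolved Response, embedded as its XML string
     * @return the unsigned ArtifactResponse with a Success status
     * @throws SAML2Exception propagated from the SAML2 SDK setters and serialization
     */
    private static ArtifactResponse buildArtifactResponse(String inResponseTo, String idpEntityID, String destination, Response response) throws SAML2Exception {
        ProtocolFactory protocolFactory = ProtocolFactory.getInstance();
        StatusCode statusCode = protocolFactory.createStatusCode();
        statusCode.setValue("urn:oasis:names:tc:SAML:2.0:status:Success");
        Status status = protocolFactory.createStatus();
        status.setStatusCode(statusCode);
        Issuer issuer = AssertionFactory.getInstance().createIssuer();
        issuer.setValue(idpEntityID);

        ArtifactResponse artResponse = protocolFactory.createArtifactResponse();
        artResponse.setStatus(status);
        artResponse.setID(SAML2Utils.generateID());
        artResponse.setInResponseTo(inResponseTo);
        artResponse.setVersion(SAML2Constants.VERSION_2_0);
        artResponse.setIssueInstant(new Date());
        artResponse.setAny(response.toXMLString(true, true));
        artResponse.setIssuer(issuer);
        artResponse.setDestination(destination);
        return artResponse;
    }

    /**
     * Copies the HTTP request headers into SAAJ {@code MimeHeaders}.
     *
     * <p>Comma-separated header values are split into one MimeHeader per element (the
     * usual SAAJ servlet idiom); each element is trimmed.
     *
     * @param httpServletRequest the request whose headers are copied
     * @return the populated MimeHeaders
     */
    private static MimeHeaders getHeaders(HttpServletRequest httpServletRequest) {
        MimeHeaders mimeHeaders = new MimeHeaders();
        Enumeration headerNames = httpServletRequest.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String name = (String) headerNames.nextElement();
            StringTokenizer values = new StringTokenizer(httpServletRequest.getHeader(name), ",");
            while (values.hasMoreTokens()) {
                mimeHeaders.addHeader(name, values.nextToken().trim());
            }
        }
        return mimeHeaders;
    }

    /**
     * Copies SAAJ {@code MimeHeaders} onto the HTTP response.
     *
     * <p>A header with several values is emitted once as a comma-joined value. The
     * iterator visits every MimeHeader occurrence, so a multi-valued header is set more
     * than once with the same joined string; this is harmless because {@code setHeader}
     * replaces rather than appends.
     *
     * @param mimeHeaders the SOAP reply's headers
     * @param httpServletResponse the response the headers are set on
     */
    private static void putHeaders(MimeHeaders mimeHeaders, HttpServletResponse httpServletResponse) {
        Iterator allHeaders = mimeHeaders.getAllHeaders();
        while (allHeaders.hasNext()) {
            MimeHeader mimeHeader = (MimeHeader) allHeaders.next();
            String name = mimeHeader.getName();
            String[] values = mimeHeaders.getHeader(name);
            if (values.length == 1) {
                httpServletResponse.setHeader(name, mimeHeader.getValue());
            } else {
                StringBuffer joined = new StringBuffer();
                for (int i = 0; i < values.length; i++) {
                    if (i != 0) {
                        joined.append(',');
                    }
                    joined.append(values[i]);
                }
                httpServletResponse.setHeader(name, joined.toString());
            }
        }
    }

    /**
     * @param value string to test
     * @return true if {@code value} is null or consists only of whitespace
     */
    private static boolean isBlank(String value) {
        return value == null || value.trim().length() == 0;
    }

    static {
        try {
            messageFactory = MessageFactory.newInstance();
        } catch (SOAPException e) {
            // Left null on purpose; doArtifactResolution reports the missing factory per request.
            SAML2Utils.debug.error("Unable to obtain SOAP MessageFactory.", e);
        }
        adminToken = (SSOToken) AccessController.doPrivileged((PrivilegedAction) AdminTokenAction.getInstance());
        logUtil = SAML2LogManager.getLogInstance();
    }
}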
