package com.sun.identity.saml2.profile;

import com.iplanet.am.util.AMURLEncDec;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.saml2.assertion.AuthnContext;
import com.sun.identity.saml2.common.QuerySignatureUtil;
import com.sun.identity.saml2.common.SAML2Constants;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.common.SAML2Utils;
import com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement;
import com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement;
import com.sun.identity.saml2.key.KeyUtil;
import com.sun.identity.saml2.meta.SAML2MetaException;
import com.sun.identity.saml2.meta.SAML2MetaUtils;
import com.sun.identity.saml2.protocol.AuthnRequest;
import com.sun.identity.saml2.protocol.NameIDPolicy;
import com.sun.identity.saml2.protocol.ProtocolFactory;
import com.sun.identity.saml2.protocol.RequestedAuthnContext;
import java.io.IOException;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* loaded from: input_file:122984-01/SUNWsaml2/reloc/SUNWam/saml2/lib/saml2.jar:com/sun/identity/saml2/profile/IDPSSOFederate.class */
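/**
 * IdP-side handler for the SAML 2.0 Web Browser SSO profile over the HTTP-Redirect binding.
 *
 * <p>The endpoint is entered twice per login: once with the SP's {@code SAMLRequest}
 * (decoded, validated, optionally signature-checked, then either answered from the
 * current IdP session or parked in {@code IDPCache} while the user authenticates) and
 * once more with {@code ReqID} when the browser comes back from the authentication
 * service. All failures are reported with HTTP 500 plus a message from the SAML2
 * resource bundle and logged through {@code SAML2Utils.debug}.
 */
public class IDPSSOFederate {
    /** Query parameter carrying the cached AuthnRequest ID on the return from authentication. */
    private static final String REQ_ID = "ReqID";
    /** Log prefix shared by every message written from the doSSOFederate flow. */
    private static final String LOG_PREFIX = "IDPSSOFederate.doSSOFederate: ";

    private IDPSSOFederate() {
    }

    /**
     * Entry point: resolves the IdP meta alias, realm and entity ID, then dispatches to the
     * first-pass ({@code SAMLRequest}) or second-pass ({@code ReqID}) handler.
     *
     * <p>Note that request-validation failures are answered with 500 rather than 400; that is
     * the existing contract and is kept here.
     *
     * @param httpServletRequest  the incoming servlet request
     * @param httpServletResponse the response used for the redirect or the error page
     */
    public static void doSSOFederate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            String metaAlias = httpServletRequest.getParameter("metaAlias");
            if (isBlank(metaAlias)) {
                // Usual deployment: the alias is part of the request path, not a parameter.
                metaAlias = SAML2MetaUtils.getMetaAliasByUri(httpServletRequest.getRequestURI());
            }
            if (isBlank(metaAlias)) {
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message(LOG_PREFIX + "unable to get IDP meta alias from request.");
                }
                httpServletResponse.sendError(500, SAML2Utils.bundle.getString("IDPMetaAliasNotFound"));
                return;
            }
            try {
                if (IDPSSOUtil.metaManager == null) {
                    SAML2Utils.debug.error(LOG_PREFIX + "Unable to get meta manager.");
                    httpServletResponse.sendError(500, SAML2Utils.bundle.getString("errorMetaManager"));
                    return;
                }
                String idpEntityID = IDPSSOUtil.metaManager.getEntityByMetaAlias(metaAlias);
                if (isBlank(idpEntityID)) {
                    SAML2Utils.debug.error(LOG_PREFIX + "Unable to get IDP Entity ID from meta.");
                    httpServletResponse.sendError(500, SAML2Utils.bundle.getString("nullIDPEntityID"));
                    return;
                }
                String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
                String requestID = httpServletRequest.getParameter(REQ_ID);
                if (isBlank(requestID)) {
                    handleNewAuthnRequest(httpServletRequest, httpServletResponse, metaAlias, realm, idpEntityID);
                } else {
                    handleReturnFromAuthentication(httpServletRequest, httpServletResponse, metaAlias, requestID);
                }
            } catch (SSOException e) {
                SAML2Utils.debug.error(LOG_PREFIX + "invalid or expired sso token", e);
                httpServletResponse.sendError(500, SAML2Utils.bundle.getString("invalidSSOToken"));
            } catch (SAML2MetaException e) {
                SAML2Utils.debug.error(LOG_PREFIX + "Unable to get IDP Entity ID from meta.", e);
                httpServletResponse.sendError(500, SAML2Utils.bundle.getString("nullIDPEntityID"));
            }
        } catch (SSOException e) {
            SAML2Utils.debug.error("SSOException : ", e);
        } catch (IOException e) {
            SAML2Utils.debug.error(LOG_PREFIX + "I/O rrror", e);
        }
    }

    /**
     * First pass: decodes and validates the {@code SAMLRequest}, then either answers it from the
     * existing IdP session or redirects to the authentication service (no session, ForceAuthn,
     * or a session upgrade to a stronger authentication context is required).
     *
     * @param metaAlias   IdP meta alias the request arrived on
     * @param realm       realm resolved from the meta alias
     * @param idpEntityID entity ID of this IdP
     * @throws SSOException       if session state cannot be read
     * @throws SAML2MetaException on metadata failures not handled locally
     * @throws IOException        if the response cannot be written
     */
    private static void handleNewAuthnRequest(HttpServletRequest request, HttpServletResponse response,
            String metaAlias, String realm, String idpEntityID)
            throws SSOException, SAML2MetaException, IOException {
        String samlRequest = request.getParameter(SAML2Constants.SAML_REQUEST);
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(LOG_PREFIX + "saml request=" + samlRequest);
        }
        if (samlRequest == null) {
            SAML2Utils.debug.error(LOG_PREFIX + "samlRequest is null");
            response.sendError(500, SAML2Utils.bundle.getString("InvalidSAMLRequest"));
            return;
        }
        AuthnRequest authnRequest = getAuthnRequest(samlRequest);
        if (authnRequest == null) {
            response.sendError(500, SAML2Utils.bundle.getString("InvalidSAMLRequest"));
            return;
        }
        // The Issuer must be an SP trusted by this IdP in this realm before anything else is
        // done with the request (including the signature check, which needs the SP's metadata).
        if (!SAML2Utils.isSourceSiteValid(authnRequest.getIssuer(), realm, idpEntityID)) {
            if (SAML2Utils.debug.warningEnabled()) {
                SAML2Utils.debug.warning(LOG_PREFIX + "Issuer in Request is not valid.");
            }
            response.sendError(500, SAML2Utils.bundle.getString("InvalidSAMLRequest"));
            return;
        }
        IDPSSODescriptorElement idpDescriptor;
        try {
            idpDescriptor = IDPSSOUtil.metaManager.getIDPSSODescriptor(realm, idpEntityID);
        } catch (SSOException e) {
            SAML2Utils.debug.error(LOG_PREFIX + "invalid or expired sso token", e);
            response.sendError(500, SAML2Utils.bundle.getString("invalidSSOToken"));
            return;
        } catch (SAML2MetaException e) {
            SAML2Utils.debug.error(LOG_PREFIX, e);
            idpDescriptor = null;
        }
        if (idpDescriptor == null) {
            SAML2Utils.debug.error(LOG_PREFIX + "Unable to get IDP SSO Descriptor from meta.");
            response.sendError(500, SAML2Utils.bundle.getString("metaDataError"));
            return;
        }
        // Signature and Destination are checked only when the IdP metadata demands signed
        // requests; an IdP configured without WantAuthnRequestsSigned processes the request
        // exactly as decoded.
        if (idpDescriptor.isWantAuthnRequestsSigned()
                && !verifySignedRequest(request, response, authnRequest, idpDescriptor, realm)) {
            return;
        }
        String requestID = authnRequest.getID();
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(LOG_PREFIX + "request id=" + requestID);
        }
        if (requestID == null) {
            SAML2Utils.debug.error(LOG_PREFIX + "Request id is null");
            response.sendError(500, SAML2Utils.bundle.getString("InvalidSAMLRequestID"));
            return;
        }
        SSOToken session = SAML2Utils.getSSOToken(request);
        // ForceAuthn: an existing IdP session is destroyed so the user must authenticate again.
        // Boolean.TRUE.equals() rather than ==, so a non-canonical Boolean cannot silently
        // disable the check.
        if (Boolean.TRUE.equals(authnRequest.isForceAuthn()) && session != null) {
            try {
                SSOTokenManager.getInstance().destroyToken(session);
            } catch (SSOException e) {
                SAML2Utils.debug.error(LOG_PREFIX + "Unable to invalidate the sso token.", e);
            }
            session = null;
        }
        // RelayState is stored and echoed back as received; any validation of it happens
        // downstream in IDPSSOUtil.doSSOFederate, not here.
        String relayState = request.getParameter("RelayState");
        if (session == null) {
            // Park the request until the user returns with ReqID. The key is the SP-supplied
            // request ID, so a repeated ID replaces the earlier entry.
            synchronized (IDPCache.authnRequestCache) {
                IDPCache.authnRequestCache.put(requestID, new CacheObject(authnRequest));
            }
            if (!isBlank(relayState)) {
                IDPCache.relayStateCache.put(requestID, relayState);
            }
            try {
                redirectAuthentication(request, response, authnRequest, requestID, realm, idpEntityID);
            } catch (SAML2Exception e) {
                SAML2Utils.debug.error(LOG_PREFIX + "Unable to redirect to authentication.", e);
                response.sendError(500, SAML2Utils.bundle.getString("UnableToRedirectToAuth"));
            } catch (IOException e) {
                SAML2Utils.debug.error(LOG_PREFIX + "Unable to redirect to authentication.", e);
                response.sendError(500, SAML2Utils.bundle.getString("UnableToRedirectToAuth"));
            }
            return;
        }
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(LOG_PREFIX + "SSOToken is valid");
        }
        RequestedAuthnContext requestedAuthnContext = authnRequest.getRequestedAuthnContext();
        String sessionIndex = null;
        boolean sessionUpgrade;
        try {
            sessionIndex = session.getProperty(SAML2Constants.IDP_SESSION_INDEX);
            sessionUpgrade = isSessionUpgrade(requestedAuthnContext, sessionIndex);
        } catch (SSOException e) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(LOG_PREFIX + "Cannot get session Index");
            }
            sessionUpgrade = false;
        }
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(LOG_PREFIX + "Session Upgrade is :" + sessionUpgrade);
        }
        if (sessionUpgrade) {
            // Remember the session being upgraded so the second pass can re-key it under the
            // index of the new authentication.
            IDPSession oldSession = (IDPSession) IDPCache.idpSessionsByIndices.get(sessionIndex);
            if (oldSession != null) {
                IDPCache.oldIDPSessionCache.put(requestID, oldSession);
            } else if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(LOG_PREFIX + "no IDP session found for session index " + sessionIndex);
            }
            synchronized (IDPCache.authnRequestCache) {
                IDPCache.authnRequestCache.put(requestID, new CacheObject(authnRequest));
            }
            IDPCache.isSessionUpgradeCache.add(requestID);
            try {
                redirectAuthentication(request, response, authnRequest, requestID, realm, idpEntityID);
                return;
            } catch (SAML2Exception e) {
                SAML2Utils.debug.error(LOG_PREFIX + "Unable to redirect to authentication.", e);
                cleanUpCache(requestID);
            } catch (IOException e) {
                SAML2Utils.debug.error(LOG_PREFIX + "Unable to redirect to authentication.", e);
                cleanUpCache(requestID);
            }
        }
        // Reached when no upgrade is needed, or when the upgrade redirect failed.
        // NOTE(review): in the latter case the SP is answered from the existing session, i.e.
        // without the authentication context it asked for — confirm that fallback is intended.
        sendResponseToACS(request, response, authnRequest, metaAlias, relayState);
    }

    /**
     * Verifies the HTTP-Redirect binding signature of the AuthnRequest against the signing
     * certificate published in the SP's metadata, and that the request's Destination is this
     * IdP's SSO endpoint. Called only when the IdP descriptor sets WantAuthnRequestsSigned.
     *
     * @return {@code true} when both checks pass; on {@code false} an HTTP 500 with the
     *         matching bundle message has already been sent
     * @throws IOException if the error response cannot be written
     */
    private static boolean verifySignedRequest(HttpServletRequest request, HttpServletResponse response,
            AuthnRequest authnRequest, IDPSSODescriptorElement idpDescriptor, String realm) throws IOException {
        String spEntityID = authnRequest.getIssuer().getValue();
        if (isBlank(spEntityID)) {
            response.sendError(500, SAML2Utils.bundle.getString("InvalidSAMLRequest"));
            return false;
        }
        SPSSODescriptorElement spDescriptor;
        try {
            spDescriptor = IDPSSOUtil.metaManager.getSPSSODescriptor(realm, spEntityID);
        } catch (SSOException e) {
            SAML2Utils.debug.error(LOG_PREFIX + "invalid or expired sso token", e);
            response.sendError(500, SAML2Utils.bundle.getString("invalidSSOToken"));
            return false;
        } catch (SAML2MetaException e) {
            SAML2Utils.debug.error(LOG_PREFIX, e);
            spDescriptor = null;
        }
        if (spDescriptor == null) {
            SAML2Utils.debug.error(LOG_PREFIX + "Unable to get SP SSO Descriptor from meta.");
            response.sendError(500, SAML2Utils.bundle.getString("metaDataError"));
            return false;
        }
        try {
            // The signature covers the raw query string and is checked against the certificate
            // from the SP's metadata, never against anything carried in the request itself.
            if (!QuerySignatureUtil.verify(request.getQueryString(),
                    KeyUtil.getVerificationCert(spDescriptor, spEntityID, false))) {
                SAML2Utils.debug.error(LOG_PREFIX + "authn request verification failed.");
                response.sendError(500, SAML2Utils.bundle.getString("invalidSignInRequest"));
                return false;
            }
            if (!SAML2Utils.verifyDestination(authnRequest.getDestination(),
                    SPSSOFederate.getSSOURL(idpDescriptor.getSingleSignOnService()))) {
                SAML2Utils.debug.error(LOG_PREFIX + "authn request destination verification failed.");
                response.sendError(500, SAML2Utils.bundle.getString("invalidDestination"));
                return false;
            }
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(LOG_PREFIX + "Authn Request signature verification is successful.");
            }
            return true;
        } catch (SAML2Exception e) {
            SAML2Utils.debug.error(LOG_PREFIX + "authn request verification failed.", e);
            response.sendError(500, SAML2Utils.bundle.getString("invalidSignInRequest"));
            return false;
        }
    }

    /**
     * Second pass: the browser returned from the authentication service with {@code ReqID}.
     * The cached AuthnRequest and RelayState are removed (each cached request is answered at
     * most once) and, for a session upgrade, the IdP session is re-registered under the new
     * session index before the response is sent.
     *
     * @throws SSOException if the session index cannot be read
     * @throws IOException  if the response cannot be written
     */
    private static void handleReturnFromAuthentication(HttpServletRequest request, HttpServletResponse response,
            String metaAlias, String requestID) throws SSOException, IOException {
        CacheObject cached;
        synchronized (IDPCache.authnRequestCache) {
            cached = (CacheObject) IDPCache.authnRequestCache.remove(requestID);
        }
        AuthnRequest authnRequest = (cached == null) ? null : (AuthnRequest) cached.getObject();
        String relayState = (String) IDPCache.relayStateCache.remove(requestID);
        if (authnRequest == null) {
            SAML2Utils.debug.error(LOG_PREFIX + "Unable to get AuthnRequest from cache.");
            response.sendError(500, SAML2Utils.bundle.getString("UnableToGetAuthnReq"));
            return;
        }
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(LOG_PREFIX + "RequestID=" + requestID);
        }
        boolean sessionUpgrade = IDPCache.isSessionUpgradeCache != null
                && !IDPCache.isSessionUpgradeCache.isEmpty()
                && IDPCache.isSessionUpgradeCache.contains(requestID);
        if (sessionUpgrade) {
            SSOToken session = SAML2Utils.getSSOToken(request);
            if (session == null) {
                // Came back without a session: nothing to re-key, and the upgraded request
                // must not be answered from the stale entry.
                SAML2Utils.debug.error(LOG_PREFIX + "no session found on return from authentication.");
                cleanUpCache(requestID);
                response.sendError(500, SAML2Utils.bundle.getString("invalidSSOToken"));
                return;
            }
            IDPSession oldSession = (IDPSession) IDPCache.oldIDPSessionCache.remove(requestID);
            if (oldSession != null) {
                IDPCache.idpSessionsByIndices.put(session.getProperty(SAML2Constants.IDP_SESSION_INDEX), oldSession);
            }
            // NOTE(review): requestID is not removed from isSessionUpgradeCache here — confirm
            // that a downstream step clears it, otherwise the set grows by one entry per upgrade.
        }
        sendResponseToACS(request, response, authnRequest, metaAlias, relayState);
    }

    /**
     * Hands the validated AuthnRequest to {@code IDPSSOUtil.doSSOFederate}, which builds and
     * delivers the Response to the SP's Assertion Consumer Service.
     *
     * @param metaAlias  IdP meta alias the request arrived on
     * @param relayState RelayState to return to the SP, or {@code null}
     * @throws IOException if the error response cannot be written
     */
    private static void sendResponseToACS(HttpServletRequest request, HttpServletResponse response,
            AuthnRequest authnRequest, String metaAlias, String relayState) throws IOException {
        String spEntityID = authnRequest.getIssuer().getValue();
        NameIDPolicy nameIDPolicy = authnRequest.getNameIDPolicy();
        String nameIDFormat = (nameIDPolicy == null) ? null : nameIDPolicy.getFormat();
        try {
            IDPSSOUtil.doSSOFederate(request, response, authnRequest, spEntityID, metaAlias, nameIDFormat, relayState);
        } catch (SAML2Exception e) {
            SAML2Utils.debug.error("IDPSSOFederate.sendResponeToACS: " + "Unable to do sso or federation.", e);
            response.sendError(500, SAML2Utils.bundle.getString("UnableToDOSSOOrFederation"));
        }
    }

    /**
     * Decodes a {@code SAMLRequest} value received over the HTTP-Redirect binding (via
     * {@code SAML2Utils.decodeFromRedirect}) and parses it into an AuthnRequest.
     *
     * <p>NOTE(review): the XML parsed here is attacker-supplied; parser hardening (DTD /
     * external-entity handling) lives in ProtocolFactory and is not visible from this file.
     *
     * @return the parsed request, or {@code null} if decoding or parsing fails
     */
    private static AuthnRequest getAuthnRequest(String samlRequest) {
        String decoded = SAML2Utils.decodeFromRedirect(samlRequest);
        if (decoded == null) {
            return null;
        }
        try {
            return ProtocolFactory.getInstance().createAuthnRequest(decoded);
        } catch (SAML2Exception e) {
            SAML2Utils.debug.error("IDPSSOFederate.getAuthnRequest(): cannot construct a AuthnRequest object from the SAMLRequest value:", e);
            return null;
        }
    }

    /**
     * Redirects the browser to the IdP authentication service, appending the authentication
     * type/value pairs chosen by the IdP's authentication-context mapper for this request and a
     * {@code goto} URL that returns the user to this endpoint with {@code ReqID} set.
     *
     * @throws SAML2Exception if the authentication service URL or context mapper cannot be resolved
     * @throws IOException    if the redirect cannot be sent
     */
    private static void redirectAuthentication(HttpServletRequest request, HttpServletResponse response,
            AuthnRequest authnRequest, String requestID, String realm, String idpEntityID)
            throws SAML2Exception, IOException {
        StringBuffer authUrl = new StringBuffer(IDPSSOUtil.getAuthenticationServiceURL(realm, idpEntityID, request));
        Set authnTypeAndValues = IDPSSOUtil.getIDPAuthnContextMapper(realm, idpEntityID)
                .getIDPAuthnContextInfo(authnRequest, idpEntityID, realm)
                .getAuthnTypeAndValues();
        if (authnTypeAndValues != null && !authnTypeAndValues.isEmpty()) {
            // The mapper output is appended without URL-encoding — presumably IdP-configured
            // values that are already query-safe; confirm against the mapper implementation.
            String authString = joinWithAmpersand(authnTypeAndValues);
            appendQuerySeparator(authUrl).append(authString);
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("IDPSSOFederate.redirectAuthentication: " + "authString=" + authString);
            }
        }
        // The goto target is this endpoint as seen by the container (getRequestURL reflects the
        // request's Host header), so it is only as trustworthy as the front-end configuration.
        appendQuerySeparator(authUrl).append("goto=");
        authUrl.append(AMURLEncDec.encode(request.getRequestURL().append("?ReqID=").append(requestID).toString()));
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("IDPSSOFederate.redirectAuthentication: " + "New URL for authentication: " + authUrl.toString());
        }
        response.sendRedirect(authUrl.toString());
    }

    /** Joins the String members of {@code values} with {@code "&"}, in iteration order. */
    private static String joinWithAmpersand(Set values) {
        StringBuffer joined = new StringBuffer();
        boolean first = true;
        for (Iterator it = values.iterator(); it.hasNext();) {
            if (!first) {
                joined.append("&");
            }
            joined.append((String) it.next());
            first = false;
        }
        return joined.toString();
    }

    /** Appends {@code "?"} if {@code url} has no query part yet, else {@code "&"}; returns {@code url}. */
    private static StringBuffer appendQuerySeparator(StringBuffer url) {
        return url.append(url.indexOf("?") == -1 ? "?" : "&");
    }

    /**
     * Decides whether the SP's RequestedAuthnContext requires re-authentication ("session
     * upgrade"). The authentication contexts already satisfied by the session are read — and
     * consumed — from {@code IDPCache.authnContextCache}; no upgrade is needed when any
     * requested class reference (or, failing those, declaration reference) matches one of them.
     *
     * <p>Every requested reference is compared against the full set of satisfied contexts; the
     * earlier version walked a single shared iterator, so only the first requested reference
     * was really compared.
     *
     * @param requestedAuthnContext the SP's request, or {@code null} for "no preference"
     * @param sessionIndex          index of the current IdP session, or {@code null}
     * @return {@code true} if the user must authenticate again
     */
    private static boolean isSessionUpgrade(RequestedAuthnContext requestedAuthnContext, String sessionIndex) {
        if (sessionIndex == null) {
            return false;
        }
        if (requestedAuthnContext == null) {
            return true;
        }
        Set satisfiedContexts = (Set) IDPCache.authnContextCache.remove(sessionIndex);
        if (satisfiedContexts == null || satisfiedContexts.isEmpty()) {
            return false;
        }
        List<String> classRefs = requestedAuthnContext.getAuthnContextClassRef();
        if (classRefs != null && !classRefs.isEmpty()) {
            for (String spClassRef : classRefs) {
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message("IDPSSOFederate.isSessionUpgrade: " + "SP authClassReference: " + spClassRef);
                }
                for (Iterator it = satisfiedContexts.iterator(); it.hasNext();) {
                    String idpClassRef = ((AuthnContext) it.next()).getAuthnContextClassRef();
                    if (SAML2Utils.debug.messageEnabled()) {
                        SAML2Utils.debug.message("IDPSSOFederate.isSessionUpgrade: " + "SP Original authClassReference: " + idpClassRef);
                    }
                    if (spClassRef != null && spClassRef.equals(idpClassRef)) {
                        return false;
                    }
                }
            }
            return true;
        }
        List<String> declRefs = requestedAuthnContext.getAuthnContextDeclRef();
        if (declRefs != null && !declRefs.isEmpty()) {
            for (String spDeclRef : declRefs) {
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message("IDPSSOFederate.isSessionUpgrade: " + "authDeclReference from SP is :" + spDeclRef);
                }
                for (Iterator it = satisfiedContexts.iterator(); it.hasNext();) {
                    String idpDeclRef = ((AuthnContext) it.next()).getAuthnContextDeclRef();
                    if (SAML2Utils.debug.messageEnabled()) {
                        SAML2Utils.debug.message("IDPSSOFederate.isSessionUpgrade: " + "Original authDeclRef from  SP is : " + idpDeclRef);
                    }
                    if (spDeclRef != null && spDeclRef.equals(idpDeclRef)) {
                        return false;
                    }
                }
            }
        }
        return true;
    }

    /** Drops the cache entries made for a session-upgrade request that cannot be completed. */
    private static void cleanUpCache(String requestID) {
        IDPCache.oldIDPSessionCache.remove(requestID);
        synchronized (IDPCache.authnRequestCache) {
            IDPCache.authnRequestCache.remove(requestID);
        }
        IDPCache.isSessionUpgradeCache.remove(requestID);
    }

    /** @return {@code true} if {@code s} is {@code null} or trims to the empty string. */
    private static boolean isBlank(String s) {
        return s == null || s.trim().length() == 0;
    }
}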
