package pl.edu.icm.unity.saml.ecp;

import eu.unicore.samly2.SAMLBindings;
import eu.unicore.samly2.messages.XMLExpandedMessage;
import eu.unicore.samly2.validators.ReplayAttackChecker;
import java.io.IOException;
import java.util.Collections;
import java.util.Optional;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.logging.log4j.Logger;
import org.apache.xmlbeans.XmlException;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.EntityManagement;
import pl.edu.icm.unity.engine.api.PKIManagement;
import pl.edu.icm.unity.engine.api.authn.AuthenticatedEntity;
import pl.edu.icm.unity.engine.api.authn.AuthenticationException;
import pl.edu.icm.unity.engine.api.authn.AuthenticationResult;
import pl.edu.icm.unity.engine.api.authn.InvocationContext;
import pl.edu.icm.unity.engine.api.authn.LoginSession;
import pl.edu.icm.unity.engine.api.authn.remote.AbstractRemoteVerificator;
import pl.edu.icm.unity.engine.api.authn.remote.RemoteAuthnResultProcessor;
import pl.edu.icm.unity.engine.api.session.SessionManagement;
import pl.edu.icm.unity.engine.api.token.TokensManagement;
import pl.edu.icm.unity.exceptions.WrongArgumentException;
import pl.edu.icm.unity.rest.jwt.endpoint.JWTManagement;
import pl.edu.icm.unity.saml.SAMLResponseValidatorUtil;
import pl.edu.icm.unity.saml.metadata.cfg.RemoteMetaManager;
import pl.edu.icm.unity.saml.sp.SAMLSPProperties;
import pl.edu.icm.unity.saml.xmlbeans.soap.Envelope;
import pl.edu.icm.unity.saml.xmlbeans.soap.EnvelopeDocument;
import pl.edu.icm.unity.saml.xmlbeans.soap.Header;
import pl.edu.icm.unity.types.authn.AuthenticationOptionKey;
import pl.edu.icm.unity.types.authn.AuthenticationRealm;
import pl.edu.icm.unity.types.basic.EntityParam;
import pl.edu.icm.unity.types.basic.IdentityTaV;
import xmlbeans.org.oasis.saml2.assertion.NameIDType;
import xmlbeans.org.oasis.saml2.protocol.ResponseDocument;

/* loaded from: input_file:pl/edu/icm/unity/saml/ecp/ECPStep2Handler.class */
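/**
 * Handles the second step of the SAML ECP (Enhanced Client or Proxy) profile: the client POSTs a
 * SOAP envelope whose header carries the ECP {@code RelayState} and whose body carries the IdP's
 * SAML {@code Response}. The response is validated against the trusted IdP configuration, a login
 * session is created for the authenticated entity, and a JWT for that entity is written back with
 * content type {@code application/jwt}.
 * <p>
 * Failures are reported to the client as HTTP 400 (malformed or unprocessable request) or 403
 * (SAML authentication did not succeed). Validation details are logged; the client only receives
 * fixed messages or the handler's own header-validation wording, never raw exception text.
 */
public class ECPStep2Handler {
    private static final Logger log = Log.getLogger("unity.server.saml", ECPStep2Handler.class);
    /** Namespace of the ECP SOAP header block that carries the relay state. */
    private static final String ECP_NS = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp";
    /** SOAP 1.1 envelope namespace, used to read the {@code mustUnderstand} attribute. */
    private static final String SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/";

    private final RemoteMetaManager metadataManager;
    private final ECPContextManagement samlContextManagement;
    private final RemoteAuthnResultProcessor remoteAuthnProcessor;
    private final JWTManagement jwtGenerator;
    private final AuthenticationRealm realm;
    private final SessionManagement sessionMan;
    private final ReplayAttackChecker replayAttackChecker;
    private final String myAddress;

    /**
     * Creates a handler bound to one authentication realm.
     *
     * @param sAMLECPProperties ECP endpoint configuration; only its JWT sub-configuration is read here
     * @param remoteMetaManager source of the effective SP configuration (the trusted IdP list)
     * @param eCPContextManagement store of pending ECP authentication contexts, looked up by relay state
     * @param str this endpoint's own address, handed to the SAML response validator
     * @param replayAttackChecker replay checker handed to the SAML response validator
     * @param tokensManagement token store handed to the JWT generator
     * @param pKIManagement PKI access handed to the JWT generator
     * @param remoteAuthnResultProcessor maps a verified remote authentication to a local {@link AuthenticationResult}
     * @param entityManagement entity access handed to the JWT generator
     * @param sessionManagement creates or reuses login sessions for authenticated entities
     * @param authenticationRealm realm in which sessions are created and JWTs issued
     * @param str2 passed through to {@link JWTManagement} after the realm name; its meaning is not
     *        visible in this class (presumably an issuer/address value - confirm against JWTManagement)
     */
    public ECPStep2Handler(SAMLECPProperties sAMLECPProperties, RemoteMetaManager remoteMetaManager, ECPContextManagement eCPContextManagement, String str, ReplayAttackChecker replayAttackChecker, TokensManagement tokensManagement, PKIManagement pKIManagement, RemoteAuthnResultProcessor remoteAuthnResultProcessor, EntityManagement entityManagement, SessionManagement sessionManagement, AuthenticationRealm authenticationRealm, String str2) {
        this.metadataManager = remoteMetaManager;
        this.samlContextManagement = eCPContextManagement;
        this.remoteAuthnProcessor = remoteAuthnResultProcessor;
        this.jwtGenerator = new JWTManagement(tokensManagement, pKIManagement, entityManagement, authenticationRealm.getName(), str2, sAMLECPProperties.getJWTProperties());
        this.realm = authenticationRealm;
        this.sessionMan = sessionManagement;
        this.replayAttackChecker = replayAttackChecker;
        this.myAddress = str;
    }

    /**
     * Processes the ECP step-2 POST carrying the IdP's SAML response.
     * <p>
     * Stages, each failing with HTTP 400 and a log entry: parse the SOAP envelope; read the ECP
     * {@code RelayState} header (rejecting any other header block flagged {@code mustUnderstand});
     * look up the pending authentication context for that relay state; parse the SOAP body as a
     * SAML response; validate it and map it to an {@link AuthenticationResult}. A result whose
     * status is not {@code success} yields HTTP 403. On success a login session is created, a JWT
     * is generated for the entity and written as {@code application/jwt}.
     * <p>
     * Each stage has its own handler so that a failure is reported with the message specific to
     * that stage; the catch-all at the end covers only response validation and token issuance.
     *
     * @param httpServletRequest request whose body is the SOAP envelope
     * @param httpServletResponse response receiving either the JWT or an error status
     * @throws IOException if reading the request or writing the response fails
     */
    public void processECPPostRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        Envelope envelope;
        try {
            envelope = EnvelopeDocument.Factory.parse(httpServletRequest.getReader()).getEnvelope();
        } catch (XmlException e) {
            log.warn("Received contents which can not the parsed as SOAP Envelope.", e);
            httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST, "Received a contents which can not the parsed as SOAP Envelope.");
            return;
        }

        String relayState;
        try {
            relayState = processHeader(envelope.getHeader());
        } catch (ServletException e) {
            // processHeader's messages are this handler's own wording, intended for the client.
            log.warn("Wrong ECP response header", e);
            httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
            return;
        }

        // Looked up before the catch-all below so that an unknown relay state gets its specific
        // message instead of being swallowed by catch (Exception).
        ECPAuthnState authnState;
        try {
            authnState = (ECPAuthnState) this.samlContextManagement.getAuthnContext(relayState);
        } catch (WrongArgumentException e) {
            log.warn("Received a request with unknown relay state " + relayState);
            httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST, "Received a request with unknown relay state");
            return;
        }

        ResponseDocument responseDocument;
        try {
            responseDocument = ResponseDocument.Factory.parse(envelope.getBody().newReader());
        } catch (XmlException e) {
            log.warn("Received SOAP body contents which can not be parsed as SAML response.", e);
            httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST, "Received SOAP body contents which can not be parsed as SAML response.");
            return;
        }

        try {
            SAMLSPProperties samlProperties = (SAMLSPProperties) this.metadataManager.getVirtualConfiguration();
            AuthenticationResult authnResult = processSamlResponse(samlProperties, responseDocument, authnState);
            // Compared this way round so a null status is treated as "not successful" rather than an NPE.
            if (!AuthenticationResult.Status.success.equals(authnResult.getStatus())) {
                httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "SAML authentication is unsuccessful");
                return;
            }
            AuthenticatedEntity authenticatedEntity = authnResult.getAuthenticatedEntity();
            InvocationContext invocationContext = new InvocationContext((IdentityTaV) null, this.realm, Collections.emptyList());
            authnSuccess(authenticatedEntity, invocationContext);
            // The invocation context is installed only around token generation (presumably read by
            // the generator) and always cleared afterwards, even on failure.
            InvocationContext.setCurrent(invocationContext);
            try {
                String token = this.jwtGenerator.generate(new EntityParam(authenticatedEntity.getEntityId()));
                httpServletResponse.setContentType("application/jwt");
                httpServletResponse.getWriter().write(token);
                httpServletResponse.flushBuffer();
            } finally {
                InvocationContext.setCurrent((InvocationContext) null);
            }
        } catch (Exception e) {
            // Full detail (issuer, validation reason, stack) goes to the log only; the client gets a
            // fixed message so that internal exception text is not disclosed.
            log.warn("Error while processing SAML response", e);
            httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST, "Error while processing SAML response");
        }
    }

    /**
     * Records a successful remote authentication: logs it, obtains (or creates) a login session for
     * the entity in this handler's realm, attaches the session to the invocation context and stores
     * the authenticated identities and the remote IdP on it.
     *
     * @param authenticatedEntity the entity resolved from the SAML response
     * @param invocationContext context that receives the login session
     */
    private void authnSuccess(AuthenticatedEntity authenticatedEntity, InvocationContext invocationContext) {
        log.info("Client was successfully authenticated: [{}] {}", authenticatedEntity.getEntityId(), authenticatedEntity.getAuthenticatedWith());
        LoginSession session = this.sessionMan.getCreateSession(authenticatedEntity.getEntityId().longValue(), this.realm, "", authenticatedEntity.getOutdatedCredentialId(), new LoginSession.RememberMeInfo(false, false), (AuthenticationOptionKey) null, (AuthenticationOptionKey) null);
        invocationContext.setLoginSession(session);
        session.addAuthenticatedIdentities(authenticatedEntity.getAuthenticatedWith());
        session.setRemoteIdP(authenticatedEntity.getRemoteIdP());
    }

    /**
     * Extracts the ECP {@code RelayState} value from the SOAP header.
     * <p>
     * Only the ECP RelayState block is understood; any other header block whose SOAP
     * {@code mustUnderstand} attribute is {@code 1} or {@code true} is rejected, as the SOAP
     * processing rules require.
     *
     * @param header SOAP header of the envelope; may be {@code null} when the envelope has none
     * @return the relay state text
     * @throws ServletException if a foreign header block demands to be understood, or if no
     *         RelayState header is present
     */
    private String processHeader(Header header) throws ServletException {
        if (header == null) {
            throw new ServletException("RelayState was not provided");
        }
        NodeList children = header.getDomNode().getChildNodes();
        String relayState = null;
        for (int i = 0; i < children.getLength(); i++) {
            Node child = children.item(i);
            if (!(child instanceof Element)) {
                continue;
            }
            Element headerBlock = (Element) child;
            if (ECP_NS.equals(headerBlock.getNamespaceURI()) && "RelayState".equals(headerBlock.getLocalName())) {
                relayState = extractRelayState(headerBlock);
            } else if (isMustUnderstand(headerBlock)) {
                throw new ServletException("Unsupported header which is marked as mandatory to understand: " + headerBlock.getLocalName());
            }
        }
        if (relayState == null) {
            throw new ServletException("RelayState was not provided");
        }
        return relayState;
    }

    /** Whether a SOAP 1.1 header block carries {@code mustUnderstand} set to {@code 1} or {@code true}. */
    private static boolean isMustUnderstand(Element headerBlock) {
        String mustUnderstand = headerBlock.getAttributeNS(SOAP_ENV_NS, "mustUnderstand");
        return "1".equals(mustUnderstand) || "true".equals(mustUnderstand);
    }

    /**
     * Returns the value of the first child node of a RelayState element.
     *
     * @param relayStateElement the ECP RelayState header block
     * @return the node value of its first child
     * @throws ServletException if the element has no child node, or its first child has no node
     *         value (for example when it is an element rather than text)
     */
    private String extractRelayState(Element relayStateElement) throws ServletException {
        Node first = relayStateElement.getFirstChild();
        if (first == null || first.getNodeValue() == null) {
            throw new ServletException("RelayState element is malformed or empty");
        }
        return first.getNodeValue();
    }

    /**
     * Validates the SAML response and maps it to an {@link AuthenticationResult}.
     * <p>
     * The response issuer must match one of the configured trusted IdPs; that IdP's configuration
     * entry supplies the group-membership attribute name and the translation profile. The response
     * is verified for the PAOS binding against the request id stored in the pending ECP context.
     *
     * @param sAMLSPProperties effective SP configuration
     * @param responseDocument parsed SAML response
     * @param eCPAuthnState pending context created when the ECP request was issued
     * @return the processed authentication result
     * @throws ServletException if the issuer is missing or not trusted
     * @throws AuthenticationException as declared by response verification and result processing
     */
    private AuthenticationResult processSamlResponse(SAMLSPProperties sAMLSPProperties, ResponseDocument responseDocument, ECPAuthnState eCPAuthnState) throws ServletException, AuthenticationException {
        String idpKey = findIdPKey(sAMLSPProperties, responseDocument);
        String groupAttribute = sAMLSPProperties.getValue(idpKey + SAMLSPProperties.IDP_GROUP_MEMBERSHIP_ATTRIBUTE);
        SAMLResponseValidatorUtil validator = new SAMLResponseValidatorUtil(sAMLSPProperties, this.replayAttackChecker, this.myAddress);
        XMLExpandedMessage message = new XMLExpandedMessage(responseDocument, responseDocument.getResponse());
        return this.remoteAuthnProcessor.getResult(
                validator.verifySAMLResponse(responseDocument, message, eCPAuthnState.getRequestId(), SAMLBindings.PAOS, groupAttribute, idpKey),
                AbstractRemoteVerificator.getTranslationProfile(sAMLSPProperties, idpKey + "translationProfile", idpKey + "embeddedTranslationProfile"),
                false,
                Optional.empty());
    }

    /**
     * Finds the configuration key of the trusted IdP whose configured id equals the response issuer.
     *
     * @param sAMLSPProperties effective SP configuration holding the IdP list
     * @param responseDocument parsed SAML response
     * @return the IdP's configuration key prefix
     * @throws ServletException if the issuer is absent, nil or empty, or matches no configured IdP
     */
    private String findIdPKey(SAMLSPProperties sAMLSPProperties, ResponseDocument responseDocument) throws ServletException {
        NameIDType issuer = responseDocument.getResponse().getIssuer();
        if (issuer == null || issuer.isNil()) {
            throw new ServletException("Invalid response: no issuer");
        }
        String issuerValue = issuer.getStringValue();
        if (issuerValue == null) {
            throw new ServletException("Invalid response: no issuer");
        }
        for (String idpKey : sAMLSPProperties.getStructuredListKeys(SAMLSPProperties.IDP_PREFIX)) {
            // Compared from the issuer side so that an IdP entry without a configured id does not NPE.
            if (issuerValue.equals(sAMLSPProperties.getValue(idpKey + SAMLSPProperties.IDP_ID))) {
                return idpKey;
            }
        }
        throw new ServletException("The issuer " + issuerValue + " is not among trusted issuers");
    }
}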
