package com.alfaariss.oa.authentication.remote.saml2;

import com.alfaariss.oa.OAException;
import com.alfaariss.oa.UserEvent;
import com.alfaariss.oa.api.attribute.ISessionAttributes;
import com.alfaariss.oa.api.configuration.IConfigurationManager;
import com.alfaariss.oa.api.session.ISession;
import com.alfaariss.oa.api.user.IUser;
import com.alfaariss.oa.authentication.remote.saml2.beans.SAMLRemoteUser;
import com.alfaariss.oa.authentication.remote.saml2.profile.sso.WebBrowserSSOProfile;
import com.alfaariss.oa.authentication.remote.saml2.util.RemoteIDPListEntry;
import com.alfaariss.oa.engine.core.Engine;
import com.alfaariss.oa.engine.core.idp.IDPStorageManager;
import com.alfaariss.oa.engine.core.idp.storage.IIDPStorage;
import com.alfaariss.oa.util.logging.UserEventLogItem;
import com.alfaariss.oa.util.saml2.SAML2Exchange;
import com.alfaariss.oa.util.saml2.idp.SAML2IDP;
import com.alfaariss.oa.util.saml2.proxy.ProxyAttributes;
import com.alfaariss.oa.util.saml2.proxy.SAML2IDPEntry;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Vector;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.logging.LogFactory;
import org.asimba.utility.web.URLPathContext;
import org.opensaml.saml2.core.IDPEntry;
import org.opensaml.saml2.core.IDPList;
import org.opensaml.util.resource.ResourceException;
import org.w3c.dom.Element;

/* loaded from: input_file:com/alfaariss/oa/authentication/remote/saml2/SAML2AuthenticationMethod.class */
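/**
 * Authentication method that authenticates a user at a remote SAML2 identity
 * provider (an "organization" in the configuration and in the log messages).
 * <p>
 * On each request {@link #authenticate} determines which remote IDP to use, in this
 * order: an IDP derived from the {@code urlpath.context} proxy attribute, the
 * organization already selected in the session, or one chosen from the IDPs in
 * {@code _organizationStorage} (restricted by {@link #getForcedIDPs} when possible)
 * by the configured selector. The selected IDP is then handed to the Web Browser SSO
 * profile. When the optional {@code fallback} configuration item is enabled, a
 * failed attempt clears the selection and the remaining organizations are retried.
 * <p>
 * Session attributes written by this class are keyed by
 * {@code SAML2AuthenticationMethod.class} together with the method id.
 */
public class SAML2AuthenticationMethod extends BaseSAML2AuthenticationMethod {
    /** Prefix of the authority name; the method id is appended (see {@link #getAuthority}). */
    private static final String AUTHORITY_NAME = "SAML2AuthenticationMethod_";
    /** Session attribute (suffix) holding the organizations that have not been tried yet. */
    private static final String LIST_AVAILABLE_ORGANIZATIONS = "SAML2_Organizations";
    /** Session attribute (suffix) holding the organization currently selected for this method. */
    private static final String SELECTED_ORGANIZATION = "SAML2_Selected_organization";
    /** Cache of IDPLists retrieved from a GetComplete URL, keyed by that URL. */
    private Map<String, RemoteIDPListEntry> _mRemoteIDPLists;
    /** Web Browser SSO profile; {@code null} until {@link #start} ran with the method enabled. */
    private WebBrowserSSOProfile _profileWebBrowserSSO;

    /**
     * Creates the method with its logger and an empty remote IDPList cache.
     *
     * @throws OAException declared for the base class constructor
     */
    public SAML2AuthenticationMethod() throws OAException {
        this._logger = LogFactory.getLog(SAML2AuthenticationMethod.class);
        this._mRemoteIDPLists = new HashMap<String, RemoteIDPListEntry>();
    }

    /**
     * Starts the method from its {@code method} configuration element.
     * <p>
     * Reads the mandatory {@code idps} section, creates and starts the IDP storage
     * configured in it, registers that storage with the engine's storage manager
     * (its id must be unique), starts the base class with it and, when the method is
     * enabled, reads the optional {@code fallback} flag and initialises the Web Browser
     * SSO profile.
     *
     * @param iConfigurationManager the configuration manager
     * @param element the {@code method} configuration element
     * @throws OAException code 17 on a missing section or an invalid {@code fallback}
     *         value, code 2 when the storage id is already registered, code 1 on any
     *         other failure
     */
    public void start(IConfigurationManager iConfigurationManager, Element element) throws OAException {
        try {
            Element idpsSection = iConfigurationManager.getSection(element, "idps");
            if (idpsSection == null) {
                this._logger.error("No 'idps' section found in 'method' section in configuration from SAML authentication method");
                throw new OAException(17);
            }

            IIDPStorage storage = createStorage(iConfigurationManager, idpsSection);
            storage.start(iConfigurationManager, idpsSection);

            IDPStorageManager storageManager = Engine.getInstance().getIDPStorageManager();
            if (storageManager.existStorage(storage.getID())) {
                this._logger.error("Storage not unique: " + storage.getID());
                throw new OAException(2);
            }
            storageManager.addStorage(storage);

            // NOTE(review): the storage is registered before the base class starts; if
            // super.start() fails it stays registered until stop() is called — confirm
            // the container calls stop() after a failed start().
            super.start(iConfigurationManager, element, storage);

            if (this._bIsEnabled) {
                // Read through the field, as the original did, not through the parameter.
                String fallback = this._configurationManager.getParam(idpsSection, "fallback");
                if (fallback != null) {
                    if (fallback.equalsIgnoreCase("TRUE")) {
                        this._bEnableFallback = true;
                    } else if (!fallback.equalsIgnoreCase("FALSE")) {
                        this._logger.error("Unknown value in 'fallback' configuration item (in organizations): " + fallback);
                        throw new OAException(17);
                    }
                    this._logger.debug("Optional organization fallback set to " + this._bEnableFallback);
                }
                this._profileWebBrowserSSO = new WebBrowserSSOProfile();
                this._profileWebBrowserSSO.init(this._configurationManager, element, SAML2Exchange.getEntityDescriptor(this._sLinkedIDPProfile), this._idMapper, this._organizationStorage, this._sMethodId, this._sLinkedIDPProfile, this._conditionsWindow, this._oAuthnInstantWindow, this._oRemoteSAMLUserProvisioningProfile);
            }
        } catch (OAException e) {
            // Already logged where it was detected; the subclass handler must come first,
            // otherwise it is unreachable behind the Exception handler.
            throw e;
        } catch (Exception e) {
            this._logger.fatal("Internal error during start", e);
            throw new OAException(1);
        }
    }

    /**
     * Authenticates the user of {@code iSession} at a remote SAML2 IDP.
     * <p>
     * Steps, each logging a {@link UserEventLogItem} when it ends the request:
     * <ol>
     * <li>Refuse when the {@code ProxyCount} proxy attribute is present and not positive.</li>
     * <li>Resolve the organization: from the URL path context, from the organization
     *     already selected in this session, or by selecting one from the candidate
     *     organizations (on a retry after fallback: the ones not tried yet, otherwise
     *     {@link #collectCandidateIDPs}). Without a selector the first candidate is
     *     taken; a selector returning {@code null} means it has not produced a choice
     *     yet and {@code AUTHN_METHOD_IN_PROGRESS} is returned.</li>
     * <li>Run the Web Browser SSO profile for the selected organization.</li>
     * <li>If that failed and fallback is enabled, drop the selection and call this
     *     method again for the remaining organizations.</li>
     * </ol>
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response (passed to selector and profile)
     * @param iSession the authentication session
     * @return the resulting {@link UserEvent}
     * @throws OAException on internal errors; logged as {@code AUTHN_METHOD_FAILED} before rethrowing
     */
    // The candidate and warning lists are handed to the selector and stored as session
    // attributes whose element types are not declared in this file, so they stay raw.
    @SuppressWarnings({"rawtypes", "unchecked"})
    public UserEvent authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, ISession iSession) throws OAException {
        try {
            ISessionAttributes attributes = iSession.getAttributes();
            String selectedKey = this._sMethodId + "." + SELECTED_ORGANIZATION;
            String availableKey = this._sMethodId + "." + LIST_AVAILABLE_ORGANIZATIONS;
            String remoteAddr = httpServletRequest.getRemoteAddr();

            // Proxying stops when an upstream ProxyCount has counted down to zero.
            Integer proxyCount = (Integer) attributes.get(ProxyAttributes.class, "ProxyCount");
            if (proxyCount != null && proxyCount.intValue() <= 0) {
                this._logger.debug("No more authentication proxying allowed: " + proxyCount);
                this._eventLogger.info(new UserEventLogItem(iSession, remoteAddr, UserEvent.AUTHN_METHOD_FAILED, this, "ProxyCount <= 0"));
                return UserEvent.AUTHN_METHOD_FAILED;
            }

            // Warnings for the selector; only set on a retry after a failed organization.
            List warnings = null;

            URLPathContext pathContext = (URLPathContext) attributes.get(com.alfaariss.oa.util.session.ProxyAttributes.class, "urlpath.context");
            SAML2IDP selectedIDP = (pathContext == null) ? null : processURLPathContext(attributes, pathContext);

            if (selectedIDP != null) {
                this._logger.info("Established organization from URLPathContext: " + selectedIDP.getID());
                if (!attributes.contains(SAML2AuthenticationMethod.class, selectedKey)) {
                    attributes.put(SAML2AuthenticationMethod.class, this._sMethodId, SELECTED_ORGANIZATION, selectedIDP);
                }
            } else if (attributes.contains(SAML2AuthenticationMethod.class, selectedKey)) {
                selectedIDP = (SAML2IDP) attributes.get(SAML2AuthenticationMethod.class, selectedKey);
            } else {
                List candidates;
                if (attributes.contains(SAML2AuthenticationMethod.class, availableKey)) {
                    // Retry after fallback: offer only the organizations not tried yet.
                    candidates = (List) attributes.get(SAML2AuthenticationMethod.class, availableKey);
                    warnings = new Vector();
                    warnings.add(Warnings.WARNING_ORGANIZATION_UNAVAILABLE);
                } else {
                    IUser user = iSession.getUser();
                    if (user != null && !user.isAuthenticationRegistered(this._sMethodId)) {
                        this._eventLogger.info(new UserEventLogItem(iSession, remoteAddr, UserEvent.AUTHN_METHOD_NOT_REGISTERED, this, (String) null));
                        return UserEvent.AUTHN_METHOD_NOT_REGISTERED;
                    }
                    candidates = collectCandidateIDPs(iSession, attributes);
                }

                if (candidates.isEmpty()) {
                    this._logger.debug("No organizations available to choose from");
                    this._eventLogger.info(new UserEventLogItem(iSession, remoteAddr, UserEvent.AUTHN_METHOD_NOT_SUPPORTED, this, (String) null));
                    return UserEvent.AUTHN_METHOD_NOT_SUPPORTED;
                }

                if (this._oSelector == null) {
                    selectedIDP = (SAML2IDP) candidates.get(0);
                    this._logger.debug("No selector configured, using: " + selectedIDP.getID());
                } else {
                    try {
                        selectedIDP = this._oSelector.resolve(httpServletRequest, httpServletResponse, iSession, candidates, this._sFriendlyName, warnings);
                    } catch (OAException e) {
                        this._eventLogger.info(new UserEventLogItem(iSession, remoteAddr, UserEvent.INTERNAL_ERROR, this, "selecting organization"));
                        throw e;
                    }
                }

                if (selectedIDP == null) {
                    // The selector has not produced a choice yet.
                    this._eventLogger.info(new UserEventLogItem(iSession, remoteAddr, UserEvent.AUTHN_METHOD_IN_PROGRESS, this, (String) null));
                    return UserEvent.AUTHN_METHOD_IN_PROGRESS;
                }

                attributes.put(SAML2AuthenticationMethod.class, this._sMethodId, SELECTED_ORGANIZATION, selectedIDP);
                // Keep what is left for a possible fallback round.
                candidates.remove(selectedIDP);
                attributes.put(SAML2AuthenticationMethod.class, this._sMethodId, LIST_AVAILABLE_ORGANIZATIONS, candidates);
            }

            UserEvent userEvent;
            if (this._profileWebBrowserSSO != null) {
                userEvent = this._profileWebBrowserSSO.process(httpServletRequest, httpServletResponse, iSession, selectedIDP, this._htAttributeMapper);
                this._eventLogger.info(new UserEventLogItem(iSession, remoteAddr, userEvent, this, (String) null));
            } else {
                this._eventLogger.info(new UserEventLogItem(iSession, remoteAddr, UserEvent.AUTHN_METHOD_FAILED, this, "No suitable SAML2 profile could be found for authentication"));
                userEvent = UserEvent.AUTHN_METHOD_FAILED;
            }

            if (userEvent == UserEvent.AUTHN_METHOD_FAILED && this._bEnableFallback) {
                attributes.remove(SAML2AuthenticationMethod.class, selectedKey);
                this._eventLogger.info(new UserEventLogItem(iSession, remoteAddr, UserEvent.AUTHN_METHOD_IN_PROGRESS, this, "Fallback mechanism activated"));
                // NOTE(review): every round removes one organization from the available
                // list, so the recursion ends for selector-chosen organizations. When the
                // organization came from the URL path context (shadowed.idpId) the same IDP is
                // re-selected on each round — confirm the profile cannot keep answering
                // AUTHN_METHOD_FAILED in that case.
                userEvent = authenticate(httpServletRequest, httpServletResponse, iSession);
            }
            return userEvent;
        } catch (OAException e) {
            this._eventLogger.info(new UserEventLogItem(iSession, httpServletRequest.getRemoteAddr(), UserEvent.AUTHN_METHOD_FAILED, this, e.getLocalizedMessage()));
            throw e;
        }
    }

    /**
     * Builds the list of organizations the user may authenticate at, in the order
     * {@code _organizationStorage.getAll()} yields them.
     * <p>
     * When {@link #getForcedIDPs} names IDPs that exist in the storage only those are
     * returned and the forced ids are published as the
     * {@code SAML2AuthNConstants.FORCED_ORGANIZATIONS} session attribute; when none of
     * the forced ids matches a stored IDP, all IDPs in the storage are returned.
     *
     * @param iSession the session the forced IDPs are derived from
     * @param attributes the attributes of that same session
     * @return a mutable list of candidate IDPs; empty when the storage holds none
     * @throws OAException propagated from {@link #getForcedIDPs}
     */
    private List<SAML2IDP> collectCandidateIDPs(ISession iSession, ISessionAttributes attributes) throws OAException {
        List<String> forcedIDPs = getForcedIDPs(iSession);
        if (forcedIDPs != null && !forcedIDPs.isEmpty()) {
            attributes.put(SAML2AuthNConstants.class, SAML2AuthNConstants.FORCED_ORGANIZATIONS, forcedIDPs);
        }

        List<SAML2IDP> allIDPs = new Vector<SAML2IDP>();
        List<SAML2IDP> forcedMatches = new Vector<SAML2IDP>();
        for (SAML2IDP saml2idp : this._organizationStorage.getAll()) {
            allIDPs.add(saml2idp);
            if (forcedIDPs == null || forcedIDPs.contains(saml2idp.getID())) {
                forcedMatches.add(saml2idp);
            }
        }
        return forcedMatches.isEmpty() ? allIDPs : forcedMatches;
    }

    /**
     * Returns the authority name: the fixed prefix followed by the method id.
     */
    public String getAuthority() {
        return AUTHORITY_NAME + this._sMethodId;
    }

    /**
     * Stops the method: destroys the SSO profile, clears the remote IDPList cache,
     * unregisters and stops the organization storage and finally stops the base class.
     */
    @Override // com.alfaariss.oa.authentication.remote.saml2.BaseSAML2AuthenticationMethod
    public void stop() {
        if (this._profileWebBrowserSSO != null) {
            this._profileWebBrowserSSO.destroy();
        }
        if (this._mRemoteIDPLists != null) {
            this._mRemoteIDPLists.clear();
        }
        if (this._organizationStorage != null) {
            Engine.getInstance().getIDPStorageManager().removeStorage(this._organizationStorage.getID());
            this._organizationStorage.stop();
        }
        super.stop();
    }

    /**
     * Collects the ids of the remote IDPs authentication should be restricted to.
     * <p>
     * If the session user is a {@link SAMLRemoteUser} whose organization exists in the
     * storage, only that organization is returned. Otherwise the ids are gathered, in
     * this order, from:
     * <ul>
     * <li>the IDPList retrieved from the {@code IDPList_GetComplete} proxy attribute
     *     (cached per URL in {@code _mRemoteIDPLists}; a retrieval failure is logged and
     *     skipped; its entries are added without a duplicate check),</li>
     * <li>the {@code IDPList} proxy attribute ({@link SAML2IDPEntry} items, ids without
     *     duplicates),</li>
     * <li>the {@code forced_organizations} proxy attribute (ids without duplicates).</li>
     * </ul>
     *
     * @param iSession the current session
     * @return the forced IDP ids, possibly empty, never {@code null}
     * @throws OAException propagated from the organization storage lookup
     */
    // The IDPList and forced_organizations attributes are stored untyped in the session.
    @SuppressWarnings("unchecked")
    private List<String> getForcedIDPs(ISession iSession) throws OAException {
        List<String> forcedIDs = new Vector<String>();

        // getUser() returns an IUser; only a remote SAML user carries an organization.
        IUser user = iSession.getUser();
        if (user instanceof SAMLRemoteUser) {
            String organization = ((SAMLRemoteUser) user).getOrganization();
            if (organization != null && this._organizationStorage.exists(organization)) {
                this._logger.debug("There is a Remote SAML User available in session with ID '" + iSession.getId() + "' that is known at remote IdP '" + organization + "' so this IdP will be forced");
                forcedIDs.add(organization);
                return forcedIDs;
            }
        }

        ISessionAttributes attributes = iSession.getAttributes();

        String getCompleteURL = (String) attributes.get(ProxyAttributes.class, "IDPList_GetComplete");
        if (getCompleteURL != null) {
            this._logger.debug("Using proxy attribute: IDPList_GetComplete: " + getCompleteURL);
            // NOTE(review): this URL comes from a proxy attribute, so it is presumably
            // supplied by the upstream requester rather than by local configuration, and
            // RemoteIDPListEntry retrieves it. Confirm it is validated/allow-listed before
            // retrieval. The cache also grows by one entry per distinct URL without bound
            // and is a plain HashMap shared by all requests — confirm access is serialised
            // or bound and synchronise it.
            try {
                IDPList idpList;
                RemoteIDPListEntry entry = this._mRemoteIDPLists.get(getCompleteURL);
                if (entry != null) {
                    idpList = entry.getList();
                } else {
                    // 1000: second constructor argument of RemoteIDPListEntry; its unit is not visible here.
                    entry = new RemoteIDPListEntry(getCompleteURL, 1000);
                    idpList = entry.getList();
                    this._mRemoteIDPLists.put(getCompleteURL, entry);
                }
                if (idpList != null) {
                    for (IDPEntry idpEntry : idpList.getIDPEntrys()) {
                        forcedIDs.add(idpEntry.getProviderID());
                    }
                }
            } catch (ResourceException e) {
                this._logger.warn("Failed retrieval of IDPList from GetComplete URL: " + getCompleteURL, e);
            }
        }

        List<?> idpEntries = (List<?>) attributes.get(ProxyAttributes.class, "IDPList");
        if (idpEntries != null) {
            if (this._logger.isDebugEnabled()) {
                this._logger.debug("Using proxy attribute " + "IDPList" + ": " + idpEntries);
            }
            for (Object item : idpEntries) {
                String providerID = ((SAML2IDPEntry) item).getProviderID();
                if (providerID != null && !forcedIDs.contains(providerID)) {
                    forcedIDs.add(providerID);
                }
            }
        }

        Collection<String> forcedOrganizations = (Collection<String>) attributes.get(com.alfaariss.oa.util.session.ProxyAttributes.class, "forced_organizations");
        if (forcedOrganizations != null) {
            if (this._logger.isDebugEnabled()) {
                this._logger.debug("Using proxy attribute " + "forced_organizations" + ": " + forcedOrganizations);
            }
            for (String organizationID : forcedOrganizations) {
                if (!forcedIDs.contains(organizationID)) {
                    forcedIDs.add(organizationID);
                }
            }
        }
        return forcedIDs;
    }

    /**
     * Instantiates the IDP storage named by the {@code class} item of the given section.
     * <p>
     * The class name comes from the (trusted) configuration. The class is loaded without
     * initialising it and checked to implement {@link IIDPStorage} before its no-arg
     * constructor runs, so no code of an unrelated class is executed.
     *
     * @param iConfigurationManager the configuration manager
     * @param element the section holding the {@code class} item
     * @return the new, not yet started storage
     * @throws OAException code 17 when the item is missing, code 2 when the class cannot
     *         be found or instantiated, code 1 on any other failure
     */
    private IIDPStorage createStorage(IConfigurationManager iConfigurationManager, Element element) throws OAException {
        try {
            String className = iConfigurationManager.getParam(element, "class");
            if (className == null) {
                this._logger.error("No 'class' item found in 'storage' section in configuration");
                throw new OAException(17);
            }

            Class<?> configuredClass;
            try {
                // initialize=false: static initialisers run only after the type check below.
                configuredClass = Class.forName(className, false, SAML2AuthenticationMethod.class.getClassLoader());
            } catch (Exception e) {
                this._logger.error("No 'class' found with name: " + className, e);
                throw new OAException(2);
            }

            try {
                return configuredClass.asSubclass(IIDPStorage.class).getDeclaredConstructor().newInstance();
            } catch (Exception e) {
                this._logger.error("Could not create an 'IIDPStorage' instance of the configured 'class' found with name: " + className, e);
                throw new OAException(2);
            }
        } catch (OAException e) {
            // Subclass handler first; behind the Exception handler it would be unreachable.
            throw e;
        } catch (Exception e) {
            this._logger.fatal("Internal error during creation of storage object", e);
            throw new OAException(1);
        }
    }

    /**
     * Derives the remote IDP from a URL path context.
     * <p>
     * A match made earlier in this session is remembered in the {@code shadowed.idpId}
     * proxy attribute and looked up again in the storage. Otherwise the {@code i}
     * parameter of the path context is compared case-insensitively with the hex SHA-1
     * of every IDP id in the storage. The hash is an opaque, URL-safe lookup key rather
     * than a secret: a request can only select an IDP that already exists in the storage.
     *
     * @param iSessionAttributes the attributes of the current session
     * @param uRLPathContext the matched URL path context
     * @return the matching IDP, or {@code null} when nothing matches or the storage
     *         entry is not a {@link SAML2IDP}
     * @throws OAException propagated from the organization storage
     */
    protected SAML2IDP processURLPathContext(ISessionAttributes iSessionAttributes, URLPathContext uRLPathContext) throws OAException {
        if (iSessionAttributes.contains(com.alfaariss.oa.util.session.ProxyAttributes.class, "shadowed.idpId")) {
            String shadowedId = (String) iSessionAttributes.get(com.alfaariss.oa.util.session.ProxyAttributes.class, "shadowed.idpId");
            // Declared as Object so the instanceof check below is meaningful whatever the
            // storage's declared IDP type is.
            Object idp = this._organizationStorage.getIDP(shadowedId);
            if (idp instanceof SAML2IDP) {
                this._logger.info("Found IDP '" + shadowedId + "' from previous URLPath Context match");
                return (SAML2IDP) idp;
            }
            this._logger.warn("Non-SAML2IDP found in IDP Storage - inform developers of this condition! (1)");
            return null;
        }

        String hashedId = (String) uRLPathContext.getParams().get("i");
        if (hashedId == null) {
            this._logger.info("No 'i' value found in URLPath Context path ('" + uRLPathContext + "')");
            return null;
        }

        for (SAML2IDP saml2idp : this._organizationStorage.getAll()) {
            if (!DigestUtils.shaHex(saml2idp.getID()).equalsIgnoreCase(hashedId)) {
                continue;
            }
            this._logger.info("Found IDP '" + saml2idp.getID() + "' in matching URLPath Context");
            // Guard kept from the original for storages that hand back a non-SAML2IDP entry.
            if (saml2idp instanceof SAML2IDP) {
                iSessionAttributes.put(com.alfaariss.oa.util.session.ProxyAttributes.class, "shadowed.idpId", saml2idp.getID());
                return saml2idp;
            }
            this._logger.warn("Non-SAML2IDP found in IDP Storage - inform developers of this condition! (2)");
            return null;
        }

        this._logger.info("No IDP found for provided i");
        return null;
    }
}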
