package com.alfaariss.oa.authentication.remote.saml2;

import com.alfaariss.oa.OAException;
import com.alfaariss.oa.UserEvent;
import com.alfaariss.oa.api.attribute.ISessionAttributes;
import com.alfaariss.oa.api.configuration.IConfigurationManager;
import com.alfaariss.oa.api.idmapper.IIDMapper;
import com.alfaariss.oa.api.session.ISession;
import com.alfaariss.oa.api.sso.logout.IASLogout;
import com.alfaariss.oa.api.tgt.ITGT;
import com.alfaariss.oa.api.tgt.TGTListenerEvent;
import com.alfaariss.oa.authentication.remote.saml2.beans.SAMLRemoteUser;
import com.alfaariss.oa.authentication.remote.saml2.logout.LogoutManager;
import com.alfaariss.oa.authentication.remote.saml2.profile.logout.LogoutProfile;
import com.alfaariss.oa.authentication.remote.saml2.selector.ISAMLOrganizationSelector;
import com.alfaariss.oa.engine.core.Engine;
import com.alfaariss.oa.engine.core.idp.storage.IIDPStorage;
import com.alfaariss.oa.engine.core.tgt.factory.ITGTAliasStore;
import com.alfaariss.oa.engine.core.tgt.factory.ITGTFactory;
import com.alfaariss.oa.engine.user.provisioning.storage.external.IExternalStorage;
import com.alfaariss.oa.engine.user.provisioning.translator.standard.StandardProfile;
import com.alfaariss.oa.sso.authentication.web.IWebAuthenticationMethod;
import com.alfaariss.oa.util.logging.UserEventLogItem;
import com.alfaariss.oa.util.saml2.SAML2ConditionsWindow;
import com.alfaariss.oa.util.saml2.SAML2Exchange;
import com.alfaariss.oa.util.saml2.idp.SAML2IDP;
import com.alfaariss.oa.util.saml2.opensaml.CustomOpenSAMLBootstrap;
import java.util.Hashtable;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.asimba.util.saml2.assertion.SAML2TimestampWindow;
import org.opensaml.xml.ConfigurationException;
import org.w3c.dom.Element;

/* loaded from: input_file:com/alfaariss/oa/authentication/remote/saml2/BaseSAML2AuthenticationMethod.class */
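/**
 * Base class for authentication methods that delegate authentication to a remote SAML2 IDP.
 * <p>
 * Reads the method configuration ({@code id}, {@code friendlyname}, {@code enabled}, the linked
 * {@code idpprofile}, the assertion {@code Conditions} and {@code authnstmt} windows, and the optional
 * {@code idmapper}, {@code selector}, {@code attributemapper}, {@code logout} and {@code provisioning}
 * sections), wires the logout manager into the TGT factory and implements asynchronous (front-channel)
 * logout towards the remote IDP. Concrete subclasses implement the actual authentication flow.
 * <p>
 * Thread-safety: {@link #restart(Element)} synchronizes on {@code this}, but {@link #start} and
 * {@link #stop()} called directly are not synchronized; callers are expected to serialize them.
 */
public abstract class BaseSAML2AuthenticationMethod implements IWebAuthenticationMethod, IASLogout {
    // Error codes handed to OAException. The numeric values are the literals this class used;
    // TODO(review): confirm their meaning against the project's error-code definitions.
    /** Unexpected internal failure. */
    private static final int ERROR_INTERNAL = 1;
    /** Initialization failure (missing or unusable dependency). */
    private static final int ERROR_INIT = 2;
    /** Missing or invalid configuration item. */
    private static final int ERROR_CONFIG_READ = 17;

    /** Session/TGT attribute under which the IDP resolved for logout is cached. */
    private static final String ATTR_ASLOGOUT_ORGANIZATION = "aslogout_organization";
    /** Alias type looked up in the IDP-role alias store (presumably the remote SessionIndex; confirm). */
    private static final String ALIAS_SESSION_INDEX = "session_index";
    /** Binding of the asynchronous logout profile. */
    private static final String LOGOUT_BINDING_URI = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";
    /**
     * Before-offset applied to the AuthnInstant window when no 'authnstmt' section is configured.
     * Value as in the original; presumably milliseconds (one hour) — confirm against SAML2TimestampWindow.
     */
    private static final long DEFAULT_AUTHN_INSTANT_BEFORE_OFFSET = 3600000L;

    protected Log _logger;
    protected Log _eventLogger;
    protected IConfigurationManager _configurationManager = null;
    protected String _sMethodId = null;
    protected boolean _bIsEnabled = false;
    protected boolean _bEnableFallback = false;
    protected String _sFriendlyName = null;
    protected IIDMapper _idMapper = null;
    protected ISAMLOrganizationSelector _oSelector = null;
    /** Maps external (remote) attribute names to internal names; filled from the 'attributemapper' section. */
    protected Hashtable<String, String> _htAttributeMapper;
    protected ITGTFactory _tgtFactory;
    protected IIDPStorage _organizationStorage;
    protected ITGTAliasStore _aliasStoreIDPRole;
    protected SAML2ConditionsWindow _conditionsWindow;
    /** Id of the SAML2 IDP profile that exposes the response endpoint for this SP. */
    protected String _sLinkedIDPProfile;
    protected SAML2TimestampWindow _oAuthnInstantWindow;
    /** Non-null only while logout is enabled; {@link #logout} and {@link #canLogout} key on this. */
    private LogoutProfile _asynchronousLogoutProfile;
    /** Reason configured on the ON_REMOVE 'event' of the 'logout' section; may stay null. */
    private String _sTGTRemoveReason;
    private LogoutManager _logoutManager;
    protected StandardProfile _oRemoteSAMLUserProvisioningProfile;

    /**
     * Creates the loggers and bootstraps OpenSAML.
     *
     * @throws OAException with {@link #ERROR_INIT} when OpenSAML cannot be bootstrapped.
     */
    public BaseSAML2AuthenticationMethod() throws OAException {
        this._logger = LogFactory.getLog(getClass());
        this._eventLogger = LogFactory.getLog("com.alfaariss.oa.EventLogger");
        this._htAttributeMapper = new Hashtable<>();
        try {
            CustomOpenSAMLBootstrap.bootstrap();
        } catch (ConfigurationException e) {
            this._logger.error("Could not initialize OpenSAML", e);
            // keep the cause; the original dropped it
            throw new OAException(ERROR_INIT, e);
        }
    }

    /** @return the configured method id, or {@code null} before {@link #start}. */
    public String getID() {
        return this._sMethodId;
    }

    /** @return whether the method is enabled; {@code false} after {@link #stop()}. */
    public boolean isEnabled() {
        return this._bIsEnabled;
    }

    /** @return the configured friendly name, or {@code null} before {@link #start}. */
    public String getFriendlyName() {
        return this._sFriendlyName;
    }

    /**
     * Reads the configuration and initializes all components of the method.
     * <p>
     * When the method is disabled ({@code enabled="false"}) only the id and friendly name are read.
     * Any {@link OAException} raised by a component is propagated unchanged; any other exception is
     * logged as fatal and wrapped in an {@link OAException} with {@link #ERROR_INTERNAL}.
     *
     * @param iConfigurationManager the configuration manager
     * @param element the method's configuration section
     * @param iIDPStorage storage with the configured remote IDPs
     * @throws OAException on missing or invalid configuration or when a dependency is unavailable
     */
    public void start(IConfigurationManager iConfigurationManager, Element element, IIDPStorage iIDPStorage) throws OAException {
        try {
            this._configurationManager = iConfigurationManager;
            this._organizationStorage = iIDPStorage;
            this._tgtFactory = Engine.getInstance().getTGTFactory();
            this._aliasStoreIDPRole = this._tgtFactory.getAliasStoreIDP();
            if (this._aliasStoreIDPRole == null) {
                this._logger.error("IDP Role TGT Alias Store is disabled");
                throw new OAException(ERROR_INIT);
            }
            this._sMethodId = requiredParam(element, "id", "No 'id' parameter found in configuration");
            this._sFriendlyName = requiredParam(element, "friendlyname", "No 'friendlyname' parameter found in configuration");
            this._bIsEnabled = readEnabledFlag(element);
            if (!this._bIsEnabled) {
                return;
            }
            this._sLinkedIDPProfile = readLinkedIDPProfile(element);
            initConditionsWindow(element);
            initAuthnInstantWindow(element);
            initOptionalComponents(element);
            verifyLinkedIDPProfile();
            initLogout(element);
            initProvisioning(element);
        } catch (OAException e) {
            // configuration/initialization errors carry their own code; pass them through
            throw e;
        } catch (Exception e) {
            this._logger.fatal("Internal error during start", e);
            throw new OAException(ERROR_INTERNAL, e);
        }
    }

    /**
     * Stops and re-starts the method with a new configuration section.
     * The two-argument {@code start} is not defined in this class (declared by the interface and
     * implemented by the concrete subclass).
     *
     * @param element the new configuration section
     * @throws OAException when the restart fails
     */
    public void restart(Element element) throws OAException {
        synchronized (this) {
            stop();
            start(this._configurationManager, element);
        }
    }

    /**
     * Disables the method and releases the logout profile, logout manager, id mapper, selector
     * and attribute map. References to destroyed components are cleared so that a later
     * {@link #start} without the corresponding section does not leave a stale, destroyed instance
     * behind (the original kept {@code _asynchronousLogoutProfile} and {@code _idMapper}).
     */
    public void stop() {
        this._bIsEnabled = false;
        if (this._asynchronousLogoutProfile != null) {
            this._asynchronousLogoutProfile.destroy();
            this._asynchronousLogoutProfile = null;
        }
        if (this._logoutManager != null) {
            if (this._tgtFactory != null) {
                this._tgtFactory.removeListener(this._logoutManager);
            }
            this._logoutManager.destroy();
            this._logoutManager = null;
        }
        if (this._idMapper != null) {
            this._idMapper.stop();
            this._idMapper = null;
        }
        if (this._oSelector != null) {
            this._oSelector.stop();
        }
        this._oSelector = null;
        if (this._htAttributeMapper != null) {
            this._htAttributeMapper.clear();
        }
    }

    /**
     * Performs asynchronous logout at the remote IDP of the user in the session.
     * <p>
     * The IDP is resolved from the session attribute {@link #ATTR_ASLOGOUT_ORGANIZATION}, or looked up
     * in the IDP storage and cached there. Logout is only attempted when a {@link #ALIAS_SESSION_INDEX}
     * alias exists for the IDP and TGT. On success the IDP is also stored on the TGT.
     *
     * @param httpServletRequest the current request (its remote address is event-logged)
     * @param httpServletResponse the current response, handed to the logout profile
     * @param itgt the TGT being logged out; must not be null
     * @param iSession the session that carries the user and attributes
     * @return the resulting {@link UserEvent}; {@code INTERNAL_ERROR} when logout is disabled or the
     *         TGT/user is missing, {@code USER_LOGOUT_FAILED} when the IDP or alias cannot be found
     * @throws OAException propagated from the storage, alias store or logout profile
     */
    public UserEvent logout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, ITGT itgt, ISession iSession) throws OAException {
        if (this._asynchronousLogoutProfile == null) {
            this._logger.error("Logout disabled");
            return UserEvent.INTERNAL_ERROR;
        }
        if (itgt == null) {
            this._logger.error("No TGT supplied");
            logUserEvent(iSession, httpServletRequest, UserEvent.INTERNAL_ERROR, "no tgt");
            return UserEvent.INTERNAL_ERROR;
        }
        // The declared return type of getUser() is not visible here; narrow it explicitly.
        Object rawUser = iSession.getUser();
        if (rawUser == null) {
            this._logger.error("No user available in TGT");
            logUserEvent(iSession, httpServletRequest, UserEvent.INTERNAL_ERROR, "invalid tgt");
            return UserEvent.INTERNAL_ERROR;
        }
        if (!(rawUser instanceof SAMLRemoteUser)) {
            this._logger.error("User in session is not a remote SAML user");
            logUserEvent(iSession, httpServletRequest, UserEvent.INTERNAL_ERROR, "invalid tgt");
            return UserEvent.INTERNAL_ERROR;
        }
        SAMLRemoteUser user = (SAMLRemoteUser) rawUser;

        SAML2IDP idp = resolveLogoutIDP(iSession, user);
        if (idp == null) {
            // the original dereferenced idp unconditionally here and would NPE for an unknown IDP
            this._logger.error("No IDP available for remote user with IDP id: " + user.getIDP());
            logUserEvent(iSession, httpServletRequest, UserEvent.USER_LOGOUT_FAILED, "unknown idp");
            return UserEvent.USER_LOGOUT_FAILED;
        }

        UserEvent userEvent = UserEvent.USER_LOGOUT_FAILED;
        String alias = this._aliasStoreIDPRole.getAlias(ALIAS_SESSION_INDEX, idp.getID(), itgt.getId());
        if (alias != null) {
            userEvent = this._asynchronousLogoutProfile.processASynchronous(httpServletRequest, httpServletResponse, iSession, idp, this._sTGTRemoveReason, alias);
            if (userEvent == UserEvent.USER_LOGGED_OUT) {
                // Stored under the base class, not getClass(), as in the original; presumably read by
                // shared logout handling — confirm before changing the key.
                itgt.getAttributes().put(BaseSAML2AuthenticationMethod.class, this._sMethodId, ATTR_ASLOGOUT_ORGANIZATION, idp);
                itgt.persist();
            }
        }
        logUserEvent(iSession, httpServletRequest, userEvent, null);
        return userEvent;
    }

    /**
     * Tells whether an asynchronous logout can be performed for the TGT.
     *
     * @param itgt the TGT to check; must not be null
     * @return {@code true} only when logout is enabled, the TGT holds a {@link SAMLRemoteUser} whose IDP
     *         exists in storage, the logout profile has a service for that IDP and a
     *         {@link #ALIAS_SESSION_INDEX} alias is known for the IDP and TGT
     * @throws OAException with {@link #ERROR_INTERNAL} when the TGT or its user is null, or propagated
     *         from the storage/alias store
     */
    public boolean canLogout(ITGT itgt) throws OAException {
        if (this._asynchronousLogoutProfile == null) {
            return false;
        }
        if (itgt == null) {
            this._logger.error("No TGT supplied");
            throw new OAException(ERROR_INTERNAL);
        }
        Object rawUser = itgt.getUser();
        if (rawUser == null) {
            this._logger.error("No user available in TGT");
            throw new OAException(ERROR_INTERNAL);
        }
        if (!(rawUser instanceof SAMLRemoteUser)) {
            return false;
        }
        String idpId = ((SAMLRemoteUser) rawUser).getIDP();
        if (!this._organizationStorage.exists(idpId)) {
            return false;
        }
        SAML2IDP idp = this._organizationStorage.getIDP(idpId);
        if (idp == null) {
            return false;
        }
        if (this._asynchronousLogoutProfile.getService(idp) == null) {
            return false;
        }
        return this._aliasStoreIDPRole.getAlias(ALIAS_SESSION_INDEX, idp.getID(), itgt.getId()) != null;
    }

    /**
     * Reads a mandatory parameter from a configuration section.
     *
     * @param section the section to read from
     * @param name the parameter name
     * @param missingMessage the message logged when the parameter is absent
     * @return the parameter value, never null
     * @throws OAException with {@link #ERROR_CONFIG_READ} when the parameter is absent
     */
    private String requiredParam(Element section, String name, String missingMessage) throws OAException {
        String value = this._configurationManager.getParam(section, name);
        if (value == null) {
            this._logger.error(missingMessage);
            throw new OAException(ERROR_CONFIG_READ);
        }
        return value;
    }

    /**
     * Reads the optional 'enabled' parameter.
     *
     * @return {@code true} when absent or "true" (case-insensitive), {@code false} for "false"
     * @throws OAException with {@link #ERROR_CONFIG_READ} for any other value
     */
    private boolean readEnabledFlag(Element element) throws OAException {
        String param = this._configurationManager.getParam(element, "enabled");
        if (param == null) {
            return true;
        }
        if (param.equalsIgnoreCase("FALSE")) {
            return false;
        }
        if (param.equalsIgnoreCase("TRUE")) {
            return true;
        }
        this._logger.error("Unknown value in 'enabled' configuration item: " + param);
        throw new OAException(ERROR_CONFIG_READ);
    }

    /**
     * Reads the id of the linked SAML2 IDP profile from the mandatory 'idpprofile' section.
     *
     * @throws OAException with {@link #ERROR_INIT} when the section or its id is missing
     */
    private String readLinkedIDPProfile(Element element) throws OAException {
        Element section = this._configurationManager.getSection(element, "idpprofile");
        String profileId = (section == null) ? null : this._configurationManager.getParam(section, "id");
        if (profileId == null) {
            this._logger.fatal("No 'idpprofile' configured; make sure there is a <idpprofile id='..' /> value to reference the SAML2IDP Profile that configures the ResponseEndpoint for this SAML2 SP");
            throw new OAException(ERROR_INIT);
        }
        return profileId;
    }

    /** Builds the assertion Conditions window from the optional 'Conditions' section, defaults otherwise. */
    private void initConditionsWindow(Element element) throws OAException {
        Element section = this._configurationManager.getSection(element, "Conditions");
        if (section == null) {
            this._conditionsWindow = new SAML2ConditionsWindow();
        } else {
            this._conditionsWindow = new SAML2ConditionsWindow(this._configurationManager, section);
        }
    }

    /** Builds the AuthnInstant window from the optional 'authnstmt' section, or a default before-offset. */
    private void initAuthnInstantWindow(Element element) throws OAException {
        Element section = this._configurationManager.getSection(element, "authnstmt");
        if (section == null) {
            this._oAuthnInstantWindow = new SAML2TimestampWindow();
            this._oAuthnInstantWindow.setBeforeOffset(DEFAULT_AUTHN_INSTANT_BEFORE_OFFSET);
            this._logger.info("Initializing AuthnInstant before-offset to " + this._oAuthnInstantWindow.getBeforeOffset());
        } else {
            this._oAuthnInstantWindow = new SAML2TimestampWindow(this._configurationManager, section);
            this._logger.info("Initialized AuthnInstant offsets.");
        }
    }

    /** Initializes the optional 'idmapper', 'selector' and 'attributemapper' sections. */
    private void initOptionalComponents(Element element) throws OAException {
        Element mapperSection = this._configurationManager.getSection(element, "idmapper");
        if (mapperSection != null) {
            this._idMapper = createMapper(this._configurationManager, mapperSection);
        }
        Element selectorSection = this._configurationManager.getSection(element, "selector");
        if (selectorSection == null) {
            this._logger.info("No optional 'selector' section found in configuration");
        } else {
            this._oSelector = createSelector(selectorSection);
        }
        Element attributeSection = this._configurationManager.getSection(element, "attributemapper");
        if (attributeSection == null) {
            this._logger.info("No optional 'attributemapper' section found in configuration");
        } else {
            readMapperConfiguration(attributeSection);
        }
    }

    /**
     * Verifies that an entity descriptor exists for the linked IDP profile.
     * Only this lookup is guarded; the original wrapped the logout and provisioning setup in the same
     * catch and reported their failures with this misleading message.
     *
     * @throws OAException with {@link #ERROR_INIT} when no IDP profile handles the response endpoint
     */
    private void verifyLinkedIDPProfile() throws OAException {
        try {
            SAML2Exchange.getEntityDescriptor(this._sLinkedIDPProfile);
        } catch (OAException e) {
            this._logger.error("Cannot start: there is no SAML2 IDP Profile that handles the Response Endpoint for this SAML SP");
            throw new OAException(ERROR_INIT, e);
        }
    }

    /** Creates the logout manager and, when it is enabled, registers it and builds the logout profile. */
    private void initLogout(Element element) throws OAException {
        this._logoutManager = new LogoutManager(this._configurationManager, element, this._sMethodId, this._organizationStorage, this._idMapper, this._sLinkedIDPProfile);
        if (this._logoutManager.isEnabled()) {
            this._logger.info("Logout: enabled");
            this._tgtFactory.addListener(this._logoutManager);
            this._asynchronousLogoutProfile = createASynchronousLogoutProfile(element);
        } else {
            this._logger.info("Logout: disabled");
        }
    }

    /** Starts the optional remote-user provisioning profile from the 'provisioning' section. */
    private void initProvisioning(Element element) throws OAException {
        Element section = this._configurationManager.getSection(element, "provisioning");
        if (section == null) {
            this._oRemoteSAMLUserProvisioningProfile = null;
            this._logger.info("Default Remote SAML User provisioning");
        } else {
            this._oRemoteSAMLUserProvisioningProfile = new StandardProfile();
            this._oRemoteSAMLUserProvisioningProfile.start(this._configurationManager, section, (IExternalStorage) null);
            this._logger.info("Remote SAML User provisioning configured.");
        }
    }

    /**
     * Resolves the IDP to log out from: the cached session attribute if present, otherwise the
     * storage entry for the user's IDP id, which is then cached in the session.
     *
     * @return the IDP, or {@code null} when the storage does not know the user's IDP
     */
    private SAML2IDP resolveLogoutIDP(ISession iSession, SAMLRemoteUser user) throws OAException {
        ISessionAttributes attributes = iSession.getAttributes();
        if (attributes.contains(getClass(), this._sMethodId, ATTR_ASLOGOUT_ORGANIZATION)) {
            return (SAML2IDP) attributes.get(getClass(), this._sMethodId, ATTR_ASLOGOUT_ORGANIZATION);
        }
        SAML2IDP idp = this._organizationStorage.getIDP(user.getIDP());
        if (idp != null) {
            attributes.put(getClass(), this._sMethodId, ATTR_ASLOGOUT_ORGANIZATION, idp);
        }
        return idp;
    }

    /** Writes a user event to the event logger with the request's remote address. */
    private void logUserEvent(ISession iSession, HttpServletRequest request, UserEvent event, String detail) {
        this._eventLogger.info(new UserEventLogItem(iSession, request.getRemoteAddr(), event, this, detail));
    }

    /**
     * Reads the 'logout' configuration and builds the asynchronous logout profile.
     * <p>
     * When a 'logout' section exists, every 'event' section is validated and the 'reason' of the
     * {@code ON_REMOVE} event is remembered as the TGT removal reason.
     * NOTE(review): the 'event' sections are read from {@code element} itself, not from the 'logout'
     * section, exactly as the original did — confirm this is intended.
     *
     * @throws OAException with {@link #ERROR_CONFIG_READ} for a missing id/reason and
     *         {@link #ERROR_INIT} for an unknown event id
     */
    private LogoutProfile createASynchronousLogoutProfile(Element element) throws OAException {
        if (this._configurationManager.getSection(element, "logout") != null) {
            Element eventSection = this._configurationManager.getSection(element, "event");
            while (eventSection != null) {
                String eventId = requiredParam(eventSection, "id", "No 'id' parameter in 'event' section found in configuration");
                TGTListenerEvent event;
                try {
                    // Enum valueOf never returns null; the original's null check could not fire
                    event = TGTListenerEvent.valueOf(eventId);
                } catch (IllegalArgumentException e) {
                    this._logger.error("Invalid 'id' parameter in 'event' section found in configuration: " + eventId);
                    throw new OAException(ERROR_INIT, e);
                }
                if (event == TGTListenerEvent.ON_REMOVE) {
                    this._sTGTRemoveReason = requiredParam(eventSection, "reason", "No 'reason' parameter in 'event' section found in configuration");
                }
                eventSection = this._configurationManager.getNextSection(eventSection);
            }
        }
        LogoutProfile logoutProfile = new LogoutProfile(LOGOUT_BINDING_URI);
        logoutProfile.init(SAML2Exchange.getEntityDescriptor(this._sLinkedIDPProfile), this._idMapper, this._organizationStorage, this._sMethodId, this._sLinkedIDPProfile, this._conditionsWindow);
        return logoutProfile;
    }

    /**
     * Fills {@link #_htAttributeMapper} from the 'map' sections (external name {@code ext} to internal
     * name {@code int}); both names must be unique within the map.
     *
     * @throws OAException with {@link #ERROR_CONFIG_READ} for a missing name and {@link #ERROR_INIT}
     *         for a duplicate
     */
    private void readMapperConfiguration(Element element) throws OAException {
        Element mapSection = this._configurationManager.getSection(element, "map");
        while (mapSection != null) {
            String externalName = requiredParam(mapSection, "ext", "No 'ext' item found in 'map' section");
            String internalName = requiredParam(mapSection, "int", "No 'int' item found in 'map' section");
            if (this._htAttributeMapper.containsKey(externalName)) {
                this._logger.error("Ext name not unique in map with 'ext' value: " + externalName);
                throw new OAException(ERROR_INIT);
            }
            // Hashtable.contains() is the legacy name for containsValue(); use the explicit one
            if (this._htAttributeMapper.containsValue(internalName)) {
                this._logger.error("Int name not unique in map with 'int' value: " + internalName);
                throw new OAException(ERROR_INIT);
            }
            this._htAttributeMapper.put(externalName, internalName);
            mapSection = this._configurationManager.getNextSection(mapSection);
        }
    }

    /**
     * Instantiates the organization selector named by the 'class' parameter and starts it.
     *
     * @throws OAException with {@link #ERROR_CONFIG_READ} when the class is missing, unknown,
     *         inaccessible, not instantiable or not an {@link ISAMLOrganizationSelector}
     */
    private ISAMLOrganizationSelector createSelector(Element element) throws OAException {
        String className = requiredParam(element, "class", "No 'class' item in 'selector' section found");
        ISAMLOrganizationSelector selector = instantiateConfiguredClass(className, ISAMLOrganizationSelector.class);
        selector.start(this._configurationManager, element);
        return selector;
    }

    /**
     * Instantiates the id mapper named by the 'class' parameter of the 'idmapper' section and starts it.
     * Reflection failures are reported with {@link #ERROR_CONFIG_READ} (the original used
     * {@link #ERROR_INIT}); {@link OAException}s from the mapper's own {@code start} are passed through;
     * any other exception is wrapped with {@link #ERROR_INTERNAL}.
     */
    private IIDMapper createMapper(IConfigurationManager iConfigurationManager, Element element) throws OAException {
        try {
            String className = iConfigurationManager.getParam(element, "class");
            if (className == null) {
                this._logger.error("No 'class' parameter found in 'idmapper' section in configuration");
                throw new OAException(ERROR_CONFIG_READ);
            }
            IIDMapper mapper = instantiateConfiguredClass(className, IIDMapper.class);
            mapper.start(iConfigurationManager, element);
            return mapper;
        } catch (OAException e) {
            throw e;
        } catch (Exception e) {
            this._logger.fatal("Internal error during creation of id mapper", e);
            throw new OAException(ERROR_INTERNAL, e);
        }
    }

    /**
     * Creates an instance of a class named in the configuration via its no-argument constructor.
     * The class name comes from the deployment configuration, not from request data; it is still
     * checked against the expected type so a misconfiguration fails at start-up with a clear message.
     *
     * @param className fully qualified class name from the configuration
     * @param expectedType the type the instance must implement
     * @return the instance cast to {@code expectedType}
     * @throws OAException with {@link #ERROR_CONFIG_READ} when the class cannot be loaded, accessed,
     *         instantiated or is not of the expected type
     */
    private <T> T instantiateConfiguredClass(String className, Class<T> expectedType) throws OAException {
        try {
            Object instance = Class.forName(className).getDeclaredConstructor().newInstance();
            return expectedType.cast(instance);
        } catch (ClassCastException e) {
            this._logger.error("Configured class isn't of type '" + expectedType.getSimpleName() + "': " + className, e);
            throw new OAException(ERROR_CONFIG_READ, e);
        } catch (ClassNotFoundException e) {
            this._logger.error("Configured class doesn't exist: " + className, e);
            throw new OAException(ERROR_CONFIG_READ, e);
        } catch (IllegalAccessException e) {
            this._logger.error("Configured class can't be accessed: " + className, e);
            throw new OAException(ERROR_CONFIG_READ, e);
        } catch (ReflectiveOperationException e) {
            this._logger.error("Can't create an instance of the configured class: " + className, e);
            throw new OAException(ERROR_CONFIG_READ, e);
        }
    }
}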
