package com.alfaariss.oa.sso;

import com.alfaariss.oa.OAException;
import com.alfaariss.oa.UserEvent;
import com.alfaariss.oa.UserException;
import com.alfaariss.oa.api.IComponent;
import com.alfaariss.oa.api.attribute.IAttributes;
import com.alfaariss.oa.api.attribute.ISessionAttributes;
import com.alfaariss.oa.api.attribute.ITGTAttributes;
import com.alfaariss.oa.api.authentication.IAuthenticationContexts;
import com.alfaariss.oa.api.authentication.IAuthenticationMethod;
import com.alfaariss.oa.api.authentication.IAuthenticationProfile;
import com.alfaariss.oa.api.configuration.IConfigurationManager;
import com.alfaariss.oa.api.persistence.PersistenceException;
import com.alfaariss.oa.api.requestor.IRequestor;
import com.alfaariss.oa.api.session.ISession;
import com.alfaariss.oa.api.session.SessionState;
import com.alfaariss.oa.api.tgt.ITGT;
import com.alfaariss.oa.api.user.IUser;
import com.alfaariss.oa.engine.core.Engine;
import com.alfaariss.oa.engine.core.attribute.UserAttributes;
import com.alfaariss.oa.engine.core.attribute.gather.AttributeGatherer;
import com.alfaariss.oa.engine.core.attribute.release.IAttributeReleasePolicy;
import com.alfaariss.oa.engine.core.attribute.release.factory.IAttributeReleasePolicyFactory;
import com.alfaariss.oa.engine.core.authentication.AuthenticationContexts;
import com.alfaariss.oa.engine.core.authentication.AuthenticationException;
import com.alfaariss.oa.engine.core.authentication.AuthenticationProfile;
import com.alfaariss.oa.engine.core.authentication.factory.IAuthenticationProfileFactory;
import com.alfaariss.oa.engine.core.requestor.RequestorPool;
import com.alfaariss.oa.engine.core.requestor.factory.IRequestorPoolFactory;
import com.alfaariss.oa.engine.core.session.factory.ISessionFactory;
import com.alfaariss.oa.engine.core.tgt.factory.ITGTFactory;
import com.alfaariss.oa.util.session.ProxyAttributes;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Vector;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.asimba.utility.web.URLPathContext;
import org.w3c.dom.Element;

/* loaded from: input_file:com/alfaariss/oa/sso/SSOService.class */
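/**
 * Single sign-on (SSO) service of the engine.
 * <p>
 * Wraps the engine factories (session, TGT, requestor pool, authentication profile,
 * attribute gatherer, attribute release policy) and implements the two SSO decisions:
 * whether an existing TGT may be resumed for a new session
 * ({@link #checkSingleSignon(ISession, String, RequestorPool)}) and how a TGT is
 * created or extended after a successful authentication
 * ({@link #handleSingleSignon(ISession)}).
 * <p>
 * Configuration: the optional {@code single_sign_on} parameter ({@code "true"} /
 * {@code "false"}, default {@code true}) switches SSO on or off; any other value is
 * rejected at start-up.
 * <p>
 * Thread-safety: {@link #restart(Element)} synchronizes on this instance while
 * re-binding the factories, but the other methods read the factory fields without
 * synchronization, so a restart is not atomic with respect to concurrent callers.
 */
public class SSOService implements IComponent {
    /**
     * Name of the TGT attribute (owned by {@code SSOService.class}) holding a
     * {@code Map<String, String>} from IDP alias (the {@code i} parameter of the
     * URL path context) to the id of the shadowed IDP the TGT was established through.
     */
    public static final String TGT_ATTR_SHADOWED_IDPS = "shadowed_idps";

    /** Session attribute (ProxyAttributes) holding a list of requested authN profile ids. */
    private static final String ATTR_REQUESTED_AUTHNPROFILE = "requested_authnprofile";
    /** Session attribute (ProxyAttributes) holding the id of the shadowed IDP. */
    private static final String ATTR_SHADOWED_IDP_ID = "shadowed.idpId";
    /** Session attribute (ProxyAttributes) holding the {@link URLPathContext}. */
    private static final String ATTR_URLPATH_CONTEXT = "urlpath.context";
    /** URL path context parameter carrying the IDP alias. */
    private static final String URLPATH_PARAM_IDP_ALIAS = "i";
    /** Session/TGT attribute (AuthenticationContexts) holding the authentication contexts. */
    private static final String ATTR_AUTHCONTEXTS = "authcontexts";
    /** Generic internal error code used throughout this file. */
    private static final int ERROR_INTERNAL = 1;
    /** Error code used for an invalid configuration value. */
    private static final int ERROR_CONFIG = 17;

    private IConfigurationManager _configurationManager;
    private ISessionFactory<?> _sessionFactory;
    private ITGTFactory<?> _tgtFactory;
    private IRequestorPoolFactory _requestorPoolFactory;
    private IAuthenticationProfileFactory _authenticationProfileFactory;
    private AttributeGatherer _attributeGatherer;
    private IAttributeReleasePolicyFactory _attributeReleasePolicyFactory;
    private final Log _systemLogger = LogFactory.getLog(SSOService.class);
    /** Whether SSO is enabled; read from the {@code single_sign_on} config parameter. */
    private boolean _bSingleSignOn = true;

    /**
     * Starts the service: binds all engine factories and reads the configuration.
     *
     * @param iConfigurationManager the configuration manager; must not be {@code null}
     * @param element this component's configuration element
     * @throws OAException if the configuration is invalid
     * @throws IllegalArgumentException if {@code iConfigurationManager} is {@code null}
     */
    public void start(IConfigurationManager iConfigurationManager, Element element) throws OAException {
        if (iConfigurationManager == null) {
            throw new IllegalArgumentException("Supplied ConfigurationManager is empty");
        }
        Engine engine = Engine.getInstance();
        this._configurationManager = iConfigurationManager;
        this._sessionFactory = engine.getSessionFactory();
        this._tgtFactory = engine.getTGTFactory();
        this._requestorPoolFactory = engine.getRequestorPoolFactory();
        this._authenticationProfileFactory = engine.getAuthenticationProfileFactory();
        this._attributeGatherer = engine.getAttributeGatherer();
        this._attributeReleasePolicyFactory = engine.getAttributeReleasePolicyFactory();
        readDefaultConfiguration(element);
        this._systemLogger.info("SSO Service started");
    }

    /**
     * Restarts the service: re-binds the session, TGT, requestor pool and authentication
     * profile factories and re-reads the configuration.
     * <p>
     * NOTE(review): unlike {@link #start}, this does not re-bind the attribute gatherer
     * or the attribute release policy factory — confirm whether that is intended.
     *
     * @param element this component's configuration element
     * @throws OAException if the configuration is invalid
     */
    public void restart(Element element) throws OAException {
        synchronized (this) {
            Engine engine = Engine.getInstance();
            this._sessionFactory = engine.getSessionFactory();
            this._tgtFactory = engine.getTGTFactory();
            this._requestorPoolFactory = engine.getRequestorPoolFactory();
            this._authenticationProfileFactory = engine.getAuthenticationProfileFactory();
            readDefaultConfiguration(element);
            this._systemLogger.info("SSO Service restarted");
        }
    }

    /** Stops the service; only logs, there are no resources to release. */
    public void stop() {
        this._systemLogger.info("SSO Service stopped");
    }

    /**
     * Retrieves a session by id.
     *
     * @param str the session id
     * @return the session as returned by the session factory (may be {@code null} if
     *         the factory returns {@code null} for an unknown id)
     * @throws SSOException wrapping any {@link OAException} raised by the factory
     */
    public ISession getSession(String str) throws SSOException {
        try {
            return this._sessionFactory.retrieve(str);
        } catch (OAException e) {
            this._systemLogger.warn("Could not retrieve session", e);
            throw new SSOException(e.getCode(), e);
        }
    }

    /**
     * Retrieves a TGT by id.
     *
     * @param str the TGT id
     * @return the TGT as returned by the TGT factory (may be {@code null})
     * @throws SSOException wrapping any {@link OAException} raised by the factory
     */
    public ITGT getTGT(String str) throws SSOException {
        try {
            return this._tgtFactory.retrieve(str);
        } catch (OAException e) {
            this._systemLogger.warn("Could not retrieve TGT", e);
            throw new SSOException(e.getCode(), e);
        }
    }

    /**
     * Retrieves the requestor pool of the session's requestor.
     *
     * @param iSession the session whose requestor id is looked up
     * @return the requestor pool as returned by the factory
     * @throws SSOException wrapping any {@link OAException} raised by the factory
     */
    public RequestorPool getRequestorPool(ISession iSession) throws SSOException {
        try {
            return this._requestorPoolFactory.getRequestorPool(iSession.getRequestorId());
        } catch (OAException e) {
            this._systemLogger.warn("Could not retrieve requestor pool", e);
            throw new SSOException(e.getCode(), e);
        }
    }

    /**
     * Retrieves a requestor by id.
     *
     * @param str the requestor id
     * @return the requestor as returned by the factory
     * @throws SSOException wrapping any {@link OAException} raised by the factory
     */
    public IRequestor getRequestor(String str) throws SSOException {
        try {
            return this._requestorPoolFactory.getRequestor(str);
        } catch (OAException e) {
            this._systemLogger.warn("Could not retrieve requestor: " + str, e);
            // keep the cause, consistent with the other factory wrappers in this class
            throw new SSOException(e.getCode(), e);
        }
    }

    /**
     * Retrieves the requestor of the session.
     *
     * @param iSession the session whose requestor id is looked up
     * @return the requestor as returned by the factory
     * @throws SSOException wrapping any {@link OAException} raised by the factory
     */
    public IRequestor getRequestor(ISession iSession) throws SSOException {
        try {
            return this._requestorPoolFactory.getRequestor(iSession.getRequestorId());
        } catch (OAException e) {
            this._systemLogger.warn("Could not retrieve requestor ", e);
            throw new SSOException(e.getCode(), e);
        }
    }

    /**
     * Resolves all <em>enabled</em> authentication profiles configured for a requestor pool.
     *
     * @param requestorPool the pool whose profile ids are resolved
     * @return the enabled profiles, in the pool's order; disabled profiles are skipped
     * @throws SSOException if a configured profile id cannot be resolved (an unknown
     *         profile is treated as an error, not skipped) or the factory fails
     */
    public List<IAuthenticationProfile> getAllAuthNProfiles(RequestorPool requestorPool) throws SSOException {
        try {
            List<IAuthenticationProfile> enabledProfiles = new Vector<IAuthenticationProfile>();
            for (String sProfileId : requestorPool.getAuthenticationProfileIDs()) {
                AuthenticationProfile profile = this._authenticationProfileFactory.getProfile(sProfileId);
                if (profile == null) {
                    this._systemLogger.warn("AuthN Profile not found: " + sProfileId);
                    throw new OAException(ERROR_INTERNAL);
                }
                if (profile.isEnabled()) {
                    enabledProfiles.add(profile);
                }
            }
            return enabledProfiles;
        } catch (OAException e) {
            this._systemLogger.warn("Could not retrieve AuthN profiles", e);
            throw new SSOException(e.getCode(), e);
        }
    }

    /**
     * Retrieves an authentication profile by id.
     *
     * @param str the profile id
     * @return the profile, or {@code null} when the factory does not know the id
     * @throws SSOException wrapping an {@link AuthenticationException} from the factory
     */
    public IAuthenticationProfile getAuthNProfile(String str) throws SSOException {
        try {
            return this._authenticationProfileFactory.getProfile(str);
        } catch (AuthenticationException e) {
            this._systemLogger.warn("Could not retrieve AuthN profile: " + str, e);
            throw new SSOException(e.getCode(), e);
        }
    }

    /**
     * Determines the authentication profile selected for a session.
     * <p>
     * If {@code str} (a user-chosen profile id) is given and the session state is not
     * {@link SessionState#AUTHN_NOT_SUPPORTED}, the profile is validated: it must exist,
     * be enabled and be one of the session's allowed profiles; otherwise a
     * {@link UserException} is thrown. Selection is only honoured from the server-side
     * list of allowed profiles, never from the id alone.
     * <p>
     * Otherwise the session's allowed profiles are first narrowed by
     * {@link #filterRegisteredProfiles(ISession)} and, when exactly one profile remains
     * and {@code z} is {@code false}, that profile is auto-selected.
     *
     * @param iSession the session (its authN profile list may be replaced)
     * @param str the requested profile id, or {@code null}
     * @param z when {@code true}, never auto-select a single remaining profile
     * @return the selected profile, or {@code null} if none was (auto-)selected
     * @throws UserException if the requested profile is unavailable, disabled or not allowed
     * @throws SSOException on any other failure while resolving the requested profile
     */
    public IAuthenticationProfile getSelectedAuthNProfile(ISession iSession, String str, boolean z) throws UserException, SSOException {
        IAuthenticationProfile selectedProfile = null;
        if (str != null) {
            try {
                if (iSession.getState() != SessionState.AUTHN_NOT_SUPPORTED) {
                    List<?> allowedProfiles = iSession.getAuthNProfiles();
                    selectedProfile = this._authenticationProfileFactory.getProfile(str);
                    if (selectedProfile == null) {
                        this._systemLogger.debug("Selected profile is not available: " + str);
                        throw new UserException(UserEvent.AUTHN_PROFILE_NOT_AVAILABLE);
                    }
                    if (!selectedProfile.isEnabled()) {
                        this._systemLogger.debug("Selected profile is disabled: " + str);
                        throw new UserException(UserEvent.AUTHN_PROFILE_DISABLED);
                    }
                    if (!allowedProfiles.contains(selectedProfile)) {
                        this._systemLogger.debug("Selected profile is not required: " + str);
                        throw new UserException(UserEvent.AUTHN_PROFILE_INVALID);
                    }
                    iSession.setSelectedAuthNProfile(selectedProfile);
                    return selectedProfile;
                }
                // state AUTHN_NOT_SUPPORTED: ignore the requested id and fall through
            } catch (UserException e) {
                // the user-facing outcome; must be caught before the generic handler below
                throw e;
            } catch (Exception e) {
                this._systemLogger.error("Internal error during retrieval the selected profile: " + str, e);
                throw new SSOException(ERROR_INTERNAL);
            }
        }
        iSession.setAuthNProfiles(filterRegisteredProfiles(iSession));
        if (iSession.getAuthNProfiles().size() == 1 && !z) {
            selectedProfile = (IAuthenticationProfile) iSession.getAuthNProfiles().get(0);
            iSession.setSelectedAuthNProfile(selectedProfile);
        }
        return selectedProfile;
    }

    /**
     * Creates or extends the TGT after a successful authentication.
     * <p>
     * When SSO is disabled nothing happens and {@code null} is returned. Otherwise a TGT
     * is created for the session's user (no TGT id in the session) or the existing TGT is
     * retrieved. Every method of the selected profile that the TGT's profile does not yet
     * contain is added to the TGT (unless SSO is disabled for that method via
     * {@link #disableSSOForMethod}), together with its authentication context. The
     * selected profile id, the requestor id and the shadow-IDP mapping are recorded,
     * the TGT is persisted and its id stored in the session.
     *
     * @param iSession the authenticated session; must have a selected authN profile
     * @return the created/updated TGT, or {@code null} when SSO is disabled
     * @throws SSOException if the TGT cannot be retrieved or updated, or on any other failure
     */
    public ITGT handleSingleSignon(ISession iSession) throws SSOException {
        ITGT tgt = null;
        if (this._bSingleSignOn) {
            try {
                IAuthenticationProfile selectedProfile = iSession.getSelectedAuthNProfile();
                String sTGTId = iSession.getTGTId();
                if (sTGTId == null) {
                    tgt = this._tgtFactory.createTGT(iSession.getUser());
                } else {
                    tgt = this._tgtFactory.retrieve(sTGTId);
                    if (tgt == null) {
                        this._systemLogger.warn("Could not retrieve TGT with id: " + sTGTId);
                        throw new SSOException(ERROR_INTERNAL);
                    }
                }
                // NOTE(review): a null selected profile or a null TGT profile ends up in the
                // generic Exception handler below (SSOException code 1) — confirm callers
                // always select a profile first.
                List<IAuthenticationMethod> selectedMethods = selectedProfile.getAuthenticationMethods();
                IAuthenticationProfile tgtProfile = tgt.getAuthenticationProfile();
                for (IAuthenticationMethod method : selectedMethods) {
                    if (tgtProfile.containsMethod(method)) {
                        continue;
                    }
                    if (disableSSOForMethod(iSession, method.getID())) {
                        this._systemLogger.debug("Disabling SSO for method " + method.getID());
                    } else {
                        this._systemLogger.debug("Adding " + method.getID() + " to TGT SSO methods");
                        tgtProfile.addAuthenticationMethod(method);
                        registerAuthenticationContext(tgt, iSession, method);
                    }
                }
                tgt.setAuthenticationProfile(tgtProfile);
                if (!tgt.getAuthNProfileIDs().contains(selectedProfile.getID())) {
                    tgt.addAuthNProfileID(selectedProfile.getID());
                }
                addRequestorID(tgt, iSession.getRequestorId());
                processShadowIDP(tgt, iSession);
                tgt.persist();
                iSession.setTGTId(tgt.getId());
            } catch (SSOException e) {
                throw e;
            } catch (OAException e2) {
                this._systemLogger.warn("Could not update TGT", e2);
                throw new SSOException(e2.getCode(), e2);
            } catch (Exception e3) {
                this._systemLogger.error("Internal error during sso handling", e3);
                throw new SSOException(ERROR_INTERNAL);
            }
        }
        return tgt;
    }

    /**
     * Decides whether an existing TGT (identified by the TGT cookie value) may be resumed
     * for the session, and binds the TGT to the session when it may.
     * <p>
     * Resumption is refused (returns {@code false}) when SSO is disabled, no cookie value
     * is given, the TGT is unknown or expired, the session requests forced authentication,
     * the TGT's profile does not satisfy any enabled profile of the requestor pool, the
     * TGT's profile does not satisfy any of the session's requested authN profiles, or
     * the shadow-IDP alias in the session does not match the TGT (see
     * {@link #matchShadowIDP}). The TGT id is only trusted after the factory has
     * retrieved it; the cookie value itself is never used as an identity claim.
     * <p>
     * Side effects: for a valid, non-expired TGT the TGT id and user are always copied
     * into the session, even when SSO is not resumed. A forced user id that differs
     * (case-insensitively) from the TGT's user revokes the TGT and raises
     * {@link UserEvent#TGT_USER_INVALID}. When resumption is granted the requestor id is
     * (re-)added to the TGT and the TGT is persisted.
     *
     * @param iSession the session being processed
     * @param str the TGT id from the TGT cookie, or {@code null}
     * @param requestorPool the requestor pool whose profiles the TGT must satisfy
     * @return {@code true} when the TGT may be resumed for this session
     * @throws UserException if the TGT user does not match the session's forced user
     * @throws SSOException if the TGT cannot be retrieved, revoked or persisted
     */
    public boolean checkSingleSignon(ISession iSession, String str, RequestorPool requestorPool) throws SSOException, UserException {
        boolean bResume = false;
        if (!this._bSingleSignOn) {
            this._systemLogger.debug("SSO disabled");
        } else if (str == null) {
            this._systemLogger.debug("No valid TGT Cookie found");
        } else {
            try {
                ITGT tgt = this._tgtFactory.retrieve(str);
                if (tgt == null || tgt.isExpired()) {
                    this._systemLogger.debug("TGT expired and ignored");
                } else {
                    String sForcedUserId = iSession.getForcedUserID();
                    IUser tgtUser = tgt.getUser();
                    // a TGT for a different user than the one forced by the requestor is revoked
                    if (sForcedUserId != null && tgtUser != null && !sForcedUserId.equalsIgnoreCase(tgtUser.getID())) {
                        removeTGT(tgt);
                        this._systemLogger.warn("User in TGT and forced user do not correspond");
                        throw new UserException(UserEvent.TGT_USER_INVALID);
                    }
                    iSession.setTGTId(str);
                    iSession.setUser(tgt.getUser());
                    if (iSession.isForcedAuthentication()) {
                        this._systemLogger.debug("Forced authentication");
                    } else {
                        IAuthenticationProfile tgtProfile = tgt.getAuthenticationProfile();
                        bResume = satisfiesRequestorPool(tgtProfile, requestorPool);
                        if (bResume) {
                            List<?> requestedIds = (List<?>) iSession.getAttributes().get(ProxyAttributes.class, ATTR_REQUESTED_AUTHNPROFILE);
                            if (requestedIds != null) {
                                if (satisfiesRequestedProfiles(tgtProfile, requestedIds)) {
                                    this._systemLogger.info("Allow SSO, as TGT satisfies Requested AuthenticationProfile.");
                                } else {
                                    this._systemLogger.info("Do not resume SSO, as Requested AuthenticationProfile requires extra authentication methods to be performed.");
                                    bResume = false;
                                }
                            }
                        }
                    }
                    if (bResume && !matchShadowIDP(tgt, iSession)) {
                        this._systemLogger.warn("IDP in TGT and IDP-alias do not correspond; do not resume SSO session.");
                        bResume = false;
                    }
                    if (bResume) {
                        addRequestorID(tgt, iSession.getRequestorId());
                        tgt.persist();
                    }
                }
            } catch (SSOException e) {
                throw e;
            } catch (OAException e2) {
                this._systemLogger.warn("Could not retrieve or update TGT", e2);
                throw new SSOException(e2.getCode(), e2);
            }
        }
        return bResume;
    }

    /**
     * Returns whether the TGT's profile satisfies ({@code compareTo >= 0}) at least one
     * enabled profile configured for the requestor pool. Unknown and disabled profiles
     * are skipped.
     *
     * @throws OAException if a profile cannot be resolved
     */
    private boolean satisfiesRequestorPool(IAuthenticationProfile tgtProfile, RequestorPool requestorPool) throws OAException {
        for (Object oProfileId : requestorPool.getAuthenticationProfileIDs()) {
            AuthenticationProfile poolProfile = this._authenticationProfileFactory.getProfile((String) oProfileId);
            if (poolProfile != null && poolProfile.isEnabled() && tgtProfile.compareTo(poolProfile) >= 0) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns whether the TGT's profile satisfies ({@code compareTo >= 0}) at least one of
     * the requested profile ids; each comparison with a known profile is logged at debug.
     * Unknown profile ids are skipped (a disabled requested profile still counts).
     *
     * @throws OAException if a profile cannot be resolved
     */
    private boolean satisfiesRequestedProfiles(IAuthenticationProfile tgtProfile, List<?> requestedIds) throws OAException {
        for (Object oProfileId : requestedIds) {
            AuthenticationProfile requestedProfile = this._authenticationProfileFactory.getProfile((String) oProfileId);
            if (requestedProfile == null) {
                continue;
            }
            boolean bSatisfied = tgtProfile.compareTo(requestedProfile) >= 0;
            this._systemLogger.debug("tgtProfile (" + tgtProfile.getAuthenticationMethods().toString() + ") " + (bSatisfied ? "DOES" : "does NOT") + " satisfy authentication profile '" + requestedProfile.getID() + "' (" + requestedProfile.getAuthenticationMethods().toString() + ")");
            if (bSatisfied) {
                return true;
            }
        }
        return false;
    }

    /**
     * Revokes a TGT: marks it expired and persists that state.
     *
     * @param itgt the TGT to revoke
     * @throws SSOException wrapping a {@link PersistenceException} from {@code persist()}
     */
    public void removeTGT(ITGT itgt) throws SSOException {
        itgt.expire();
        try {
            itgt.persist();
        } catch (PersistenceException e) {
            this._systemLogger.warn("Could not remove TGT", e);
            throw new SSOException(e.getCode(), e);
        }
    }

    /**
     * Runs the attribute gatherer for the session's user, if a gatherer is configured and
     * enabled and the session has a user; otherwise does nothing.
     *
     * @param iSession the session whose user's attributes are gathered
     * @throws OAException propagated from the gatherer
     */
    public void gatherAttributes(ISession iSession) throws OAException {
        if (this._attributeGatherer == null || !this._attributeGatherer.isEnabled()) {
            return;
        }
        IUser user = iSession.getUser();
        if (user == null) {
            return;
        }
        this._attributeGatherer.process(user.getID(), user.getAttributes());
    }

    /**
     * Applies the attribute release policy {@code str} to the session user's attributes.
     * <p>
     * When the policy factory is enabled and the policy exists and is enabled, the user's
     * attributes are replaced by the policy's output. In all cases the user's current
     * attribute set is emptied and the released set (empty when no policy was applied)
     * is set, so a user never leaves here with unfiltered attributes.
     * <p>
     * NOTE(review): this relies on {@code IUser.setAttributes} copying rather than storing
     * the reference — if it stored the reference, the removal loop would also empty the
     * released set. Also assumes {@code IAttributes.remove} is safe while enumerating
     * {@code getNames()}. Both to be confirmed against the IUser/IAttributes implementations.
     *
     * @param iSession the session whose user is filtered; must have a user
     * @param str the release policy id, or {@code null} for "release nothing"
     * @throws OAException propagated from the policy, or code 1 on any other failure
     */
    public void performAttributeReleasePolicy(ISession iSession, String str) throws OAException {
        try {
            IAttributes releasedAttributes = new UserAttributes();
            if (this._attributeReleasePolicyFactory != null && this._attributeReleasePolicyFactory.isEnabled() && str != null) {
                IAttributeReleasePolicy policy = this._attributeReleasePolicyFactory.getPolicy(str);
                if (policy != null && policy.isEnabled()) {
                    this._systemLogger.debug("applying attribute releasepolicy: " + str);
                    releasedAttributes = policy.apply(iSession.getUser().getAttributes());
                    iSession.getUser().setAttributes(releasedAttributes);
                }
            }
            IAttributes currentAttributes = iSession.getUser().getAttributes();
            Enumeration<?> names = currentAttributes.getNames();
            while (names.hasMoreElements()) {
                currentAttributes.remove((String) names.nextElement());
            }
            iSession.getUser().setAttributes(releasedAttributes);
        } catch (OAException e) {
            // must precede the generic handler, otherwise it would be unreachable
            throw e;
        } catch (Exception e2) {
            this._systemLogger.fatal("Internal error during applying the attribute release policy", e2);
            throw new OAException(ERROR_INTERNAL);
        }
    }

    /**
     * Reads the {@code single_sign_on} parameter; absent means enabled, any value other
     * than {@code "true"}/{@code "false"} (case-insensitive) is a configuration error.
     *
     * @param element the configuration element; asserted non-null
     * @throws OAException with code 17 on an invalid value
     */
    private void readDefaultConfiguration(Element element) throws OAException {
        assert element != null : "Supplied config == null";
        this._bSingleSignOn = true;
        String sParam = this._configurationManager.getParam(element, "single_sign_on");
        if (sParam != null) {
            if ("false".equalsIgnoreCase(sParam)) {
                this._bSingleSignOn = false;
            } else if (!"true".equalsIgnoreCase(sParam)) {
                this._systemLogger.error("Invalid value for 'single_sign_on' item found in configuration: " + sParam);
                throw new OAException(ERROR_CONFIG);
            }
        }
        this._systemLogger.info("SSO enabled: " + this._bSingleSignOn);
    }

    /**
     * Narrows the session's authN profiles to those the user can actually complete.
     * <p>
     * With a user present, only profiles whose every method is registered for the user are
     * kept (in a new list). Without a user the session's own list is used — and then
     * modified in place by the next step. If the session carries a list of requested
     * profile ids, profiles not in that list are removed as well.
     *
     * @param iSession the session whose profiles are filtered
     * @return the filtered list (a new list, or the session's list when no user is set)
     */
    private List<IAuthenticationProfile> filterRegisteredProfiles(ISession iSession) {
        List<IAuthenticationProfile> allowedProfiles;
        IUser user = iSession.getUser();
        if (user != null) {
            allowedProfiles = new Vector<IAuthenticationProfile>();
            for (IAuthenticationProfile profile : iSession.getAuthNProfiles()) {
                if (allMethodsRegistered(user, profile)) {
                    allowedProfiles.add(profile);
                }
            }
        } else {
            allowedProfiles = iSession.getAuthNProfiles();
        }
        List<?> requestedIds = (List<?>) iSession.getAttributes().get(ProxyAttributes.class, ATTR_REQUESTED_AUTHNPROFILE);
        if (requestedIds != null) {
            Iterator<IAuthenticationProfile> it = allowedProfiles.iterator();
            while (it.hasNext()) {
                IAuthenticationProfile profile = it.next();
                if (!requestedIds.contains(profile.getID())) {
                    it.remove();
                    this._systemLogger.info("Removing " + profile.getID() + " from allowed authnprofiles for the user: doesn't match the requested authn profiles");
                }
            }
        }
        return allowedProfiles;
    }

    /** Returns whether every method of the profile is registered for the user. */
    private static boolean allMethodsRegistered(IUser user, IAuthenticationProfile profile) {
        for (IAuthenticationMethod method : profile.getAuthenticationMethods()) {
            if (!user.isAuthenticationRegistered(method.getID())) {
                return false;
            }
        }
        return true;
    }

    /**
     * Records the requestor id on the TGT as the most recent one: an already present id is
     * removed first so that it ends up at the end of the list.
     */
    private void addRequestorID(ITGT itgt, String str) {
        List<?> requestorIDs = itgt.getRequestorIDs();
        if (requestorIDs.contains(str)) {
            itgt.removeRequestorID(str);
        }
        itgt.addRequestorID(str);
    }

    /**
     * Returns whether SSO is disabled for an authentication method, i.e. the session
     * attribute {@code <method id>.disable_sso} (owned by {@code SSOService.class}) is
     * present and equals {@code "true"} (case-insensitive).
     *
     * @param iSession the session whose attributes are inspected
     * @param str the authentication method id
     */
    protected boolean disableSSOForMethod(ISession iSession, String str) {
        ISessionAttributes attributes = iSession.getAttributes();
        String sAttrName = str + ".disable_sso";
        if (!attributes.contains(SSOService.class, sAttrName)) {
            return false;
        }
        return "true".equalsIgnoreCase((String) attributes.get(SSOService.class, sAttrName));
    }

    /**
     * Copies the shadow-IDP relation from the session into the TGT: when the session holds
     * a {@code shadowed.idpId} and a URL path context with an {@code i} (alias) parameter,
     * the mapping alias -> IDP id is stored in the TGT attribute
     * {@link #TGT_ATTR_SHADOWED_IDPS}. Missing data is logged and ignored.
     *
     * @param itgt the TGT to annotate
     * @param iSession the session providing the shadow-IDP data
     */
    protected void processShadowIDP(ITGT itgt, ISession iSession) {
        ISessionAttributes attributes = iSession.getAttributes();
        String sShadowedIdpId = (String) attributes.get(ProxyAttributes.class, ATTR_SHADOWED_IDP_ID);
        if (sShadowedIdpId == null) {
            this._systemLogger.debug("No 'shadowed.idpId' found in session attributes.");
            return;
        }
        URLPathContext urlPathContext = (URLPathContext) attributes.get(ProxyAttributes.class, ATTR_URLPATH_CONTEXT);
        String sAlias = null;
        if (urlPathContext != null) {
            sAlias = (String) urlPathContext.getParams().get(URLPATH_PARAM_IDP_ALIAS);
        }
        if (sAlias == null) {
            this._systemLogger.warn("Found 'shadowed.idpId' in session but there was no 'urlpath.context' in session or no 'i'-value in URLPathContext; ignoring.");
            return;
        }
        ITGTAttributes tgtAttributes = itgt.getAttributes();
        @SuppressWarnings("unchecked") // attribute is only ever written here as Map<String, String>
        Map<String, String> shadowedIdps = (Map<String, String>) tgtAttributes.get(SSOService.class, TGT_ATTR_SHADOWED_IDPS);
        if (shadowedIdps == null) {
            shadowedIdps = new HashMap<String, String>();
        }
        shadowedIdps.put(sAlias, sShadowedIdpId);
        this._systemLogger.info("Adding " + sAlias + "->" + sShadowedIdpId + " to TGT attribute '" + TGT_ATTR_SHADOWED_IDPS + "'");
        tgtAttributes.put(SSOService.class, TGT_ATTR_SHADOWED_IDPS, shadowedIdps);
    }

    /**
     * Checks that the IDP alias of the current request matches a shadow IDP recorded in
     * the TGT, and if so restores {@code shadowed.idpId} into the session.
     * <p>
     * Returns {@code true} (no constraint) when the session has no URL path context or no
     * {@code i} parameter. Returns {@code false} when the TGT has no shadow-IDP map or the
     * alias is not in it, so that a TGT established through one IDP is not resumed under
     * another alias.
     *
     * @param itgt the TGT to check
     * @param iSession the session providing the alias
     */
    protected boolean matchShadowIDP(ITGT itgt, ISession iSession) {
        ISessionAttributes attributes = iSession.getAttributes();
        URLPathContext urlPathContext = (URLPathContext) attributes.get(ProxyAttributes.class, ATTR_URLPATH_CONTEXT);
        if (urlPathContext == null || !urlPathContext.getParams().containsKey(URLPATH_PARAM_IDP_ALIAS)) {
            this._systemLogger.debug("No 'urlpath.context' or no \"i\"-value found in session attributes.");
            return true;
        }
        String sAlias = (String) urlPathContext.getParams().get(URLPATH_PARAM_IDP_ALIAS);
        Map<?, ?> shadowedIdps = (Map<?, ?>) itgt.getAttributes().get(SSOService.class, TGT_ATTR_SHADOWED_IDPS);
        if (shadowedIdps == null) {
            this._systemLogger.warn("Found 'urlpath.context' in session, but there is norecord of a 'shadowed_idps' in the TGT attributes");
            return false;
        }
        String sShadowedIdpId = (String) shadowedIdps.get(sAlias);
        if (sShadowedIdpId == null) {
            this._systemLogger.warn("Did not find alias '" + sAlias + "' in map in TGT attributes");
            return false;
        }
        attributes.put(ProxyAttributes.class, ATTR_SHADOWED_IDP_ID, sShadowedIdpId);
        return true;
    }

    /**
     * Copies the session's authentication context for one method into the TGT's
     * {@code authcontexts} attribute (creating it when absent). Nothing is done when the
     * session has no contexts or no context for this method.
     *
     * @param itgt the TGT receiving the context
     * @param iSession the session providing the context
     * @param iAuthenticationMethod the method whose context is copied
     */
    private void registerAuthenticationContext(ITGT itgt, ISession iSession, IAuthenticationMethod iAuthenticationMethod) {
        ISessionAttributes sessionAttributes = iSession.getAttributes();
        if (!sessionAttributes.contains(AuthenticationContexts.class, ATTR_AUTHCONTEXTS)) {
            this._systemLogger.debug("The ISession did not contain AuthenticationContexts; skipping.");
            return;
        }
        String sMethodId = iAuthenticationMethod.getID();
        IAuthenticationContexts sessionContexts = (IAuthenticationContexts) sessionAttributes.get(AuthenticationContexts.class, ATTR_AUTHCONTEXTS);
        if (!sessionContexts.contains(sMethodId)) {
            this._systemLogger.debug("The Session's AuthenticationContexts did not contain context for " + sMethodId + "; skipping.");
            return;
        }
        ITGTAttributes tgtAttributes = itgt.getAttributes();
        AuthenticationContexts tgtContexts;
        if (tgtAttributes.contains(AuthenticationContexts.class, ATTR_AUTHCONTEXTS)) {
            tgtContexts = (AuthenticationContexts) tgtAttributes.get(AuthenticationContexts.class, ATTR_AUTHCONTEXTS);
        } else {
            tgtContexts = new AuthenticationContexts();
        }
        tgtContexts.setAuthenticationContext(sMethodId, sessionContexts.getAuthenticationContext(sMethodId));
        tgtAttributes.put(AuthenticationContexts.class, ATTR_AUTHCONTEXTS, tgtContexts);
        this._systemLogger.debug("TGT AuthenticationContexts registered for " + tgtContexts.getStoredAuthenticationMethods());
    }
}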
