package com.alfaariss.oa.profile.saml2.profile.sso.protocol;

import com.alfaariss.oa.OAException;
import com.alfaariss.oa.RequestorEvent;
import com.alfaariss.oa.api.attribute.IAttributes;
import com.alfaariss.oa.api.attribute.ISessionAttributes;
import com.alfaariss.oa.api.session.ISession;
import com.alfaariss.oa.api.tgt.ITGT;
import com.alfaariss.oa.engine.core.crypto.CryptoManager;
import com.alfaariss.oa.util.saml2.NameIDFormatter;
import com.alfaariss.oa.util.saml2.SAML2IssueInstantWindow;
import com.alfaariss.oa.util.saml2.SAML2Requestor;
import com.alfaariss.oa.util.saml2.StatusException;
import com.alfaariss.oa.util.saml2.crypto.SAML2CryptoUtils;
import com.alfaariss.oa.util.saml2.proxy.ProxyAttributes;
import com.alfaariss.oa.util.saml2.proxy.SAML2IDPEntry;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Vector;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.common.SAMLVersion;
import org.opensaml.common.impl.SAMLObjectContentReference;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.AttributeValue;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.AuthenticatingAuthority;
import org.opensaml.saml2.core.AuthnContext;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
import org.opensaml.saml2.core.AuthnContextDeclRef;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.GetComplete;
import org.opensaml.saml2.core.IDPEntry;
import org.opensaml.saml2.core.IDPList;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.NameIDPolicy;
import org.opensaml.saml2.core.RequestAbstractType;
import org.opensaml.saml2.core.RequestedAuthnContext;
import org.opensaml.saml2.core.RequesterID;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.Scoping;
import org.opensaml.saml2.core.StatusResponseType;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.saml2.core.SubjectConfirmationData;
import org.opensaml.saml2.core.impl.AttributeBuilder;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.xml.io.Marshaller;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.schema.XSString;
import org.opensaml.xml.schema.impl.XSStringBuilder;
import org.opensaml.xml.security.SecurityConfiguration;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.Signer;

/* loaded from: input_file:com/alfaariss/oa/profile/saml2/profile/sso/protocol/AuthenticationRequestProtocol.class */
public class AuthenticationRequestProtocol extends AbstractAuthenticationRequestProtocol {
    /** SAML 2.0 bearer subject-confirmation method; set on every SubjectConfirmation built by buildSubject(). */
    public static final String SAML2_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer";
    // Session attribute keys (namespace AuthenticationRequestProtocol.class) under which the
    // request parameters resolved by processRequest() are kept for the later createResponse() call.
    public static final String SESSION_REQUEST_ASSERTION_CONSUMER_SERVICE_URL = "AssertionConsumerServiceURL";
    public static final String SESSION_REQUEST_PROTOCOLBINDING = "ProtocolBinding";
    public static final String SESSION_REQUEST_NAMEIDFORMAT = "NameIDFormat";
    public static final String SESSION_REQUEST_SPNAMEQUALIFIER = "SPNameQualifier";
    private Log _logger;
    // Response target and NameID settings, resolved from the request or restored from the session.
    private String _sBindingURI;
    private String _sNameIDFormat;
    private String _sAssertionConsumerServiceURL;
    private String _sSPNameQualifier;
    private NameIDFormatter _nameIDFormatter;
    private SAML2Requestor _saml2Requestor;
    // SP role from the requestor's metadata; null when no metadata provider is available.
    private SPSSODescriptor _spSSODescriptor;
    // RequestedAuthnContext as supplied by the requestor (comparison type and ClassRef URIs).
    private String _sRequestedAuthnContextComparisonType;
    private List<String> _lRequestedAuthnContextClassRefs;
    private CryptoManager _cryptoManager;
    // Compatibility mode: when true an IsPassive request is accepted instead of rejected with NoPassive.
    private boolean _bCompatible;

    /**
     * Creates the protocol handler for one SAML 2.0 AuthnRequest.
     * <p>
     * Looks up the requestor's SPSSODescriptor from its metadata provider (when one is configured)
     * and restores any request parameters already stored on the session.
     *
     * @param iSession the session the request is processed in
     * @param nameIDFormatter formatter used to validate requested NameID formats and to build NameIDs
     * @param str forwarded to the superclass (presumably the IdP entity id — confirm against AbstractAuthenticationRequestProtocol)
     * @param str2 forwarded to the superclass (meaning not visible here — confirm)
     * @param sAML2Requestor the requesting SP; may be {@code null}, in which case no metadata is used
     * @param cryptoManager supplies the secure random and message digest
     * @param sAML2IssueInstantWindow forwarded to the superclass for IssueInstant validation
     * @param z compatibility mode; when {@code true} an IsPassive request is accepted
     * @param z2 forwarded to the superclass (meaning not visible here — confirm)
     * @throws OAException (code 1) when initialization fails for any reason
     */
    public AuthenticationRequestProtocol(ISession iSession, NameIDFormatter nameIDFormatter, String str, String str2, SAML2Requestor sAML2Requestor, CryptoManager cryptoManager, SAML2IssueInstantWindow sAML2IssueInstantWindow, boolean z, boolean z2) throws OAException {
        super(cryptoManager.getSecureRandom(), str, iSession, str2, sAML2IssueInstantWindow, z2);
        this._logger = LogFactory.getLog(AuthenticationRequestProtocol.class);
        try {
            this._nameIDFormatter = nameIDFormatter;
            this._saml2Requestor = sAML2Requestor;
            this._cryptoManager = cryptoManager;
            this._bCompatible = z;
            this._lRequestedAuthnContextClassRefs = new ArrayList<String>();
            // Nothing resolved yet; readSessionAttributes() below may restore earlier values.
            this._sBindingURI = null;
            this._sNameIDFormat = null;
            this._sAssertionConsumerServiceURL = null;
            this._sSPNameQualifier = null;
            this._sRequestedAuthnContextComparisonType = null;
            if (sAML2Requestor != null) {
                MetadataProvider provider = sAML2Requestor.getMetadataProvider();
                if (provider != null) {
                    // The SP role is what later decides which AssertionConsumerServiceURLs are trusted.
                    this._spSSODescriptor = (SPSSODescriptor) provider.getRole(sAML2Requestor.getID(), SPSSODescriptor.DEFAULT_ELEMENT_NAME, "urn:oasis:names:tc:SAML:2.0:protocol");
                }
            }
            readSessionAttributes(iSession);
        } catch (Exception e) {
            this._logger.fatal("Internal error during object creation", e);
            throw new OAException(1);
        }
    }

    /**
     * Processes an incoming AuthnRequest and records the resolved request parameters on the session.
     * <p>
     * The response target (AssertionConsumerServiceURL / ProtocolBinding) is resolved first, then
     * the generic request checks of the superclass run, followed by Subject, NameIDPolicy,
     * RequestedAuthnContext, Scoping, ForceAuthn, IsPassive, AttributeConsumingServiceIndex and
     * ProviderName.
     *
     * @param requestAbstractType the request; must be an {@link AuthnRequest}
     * @return the session, updated with the request's settings
     * @throws StatusException when the request cannot be honoured (e.g. IsPassive outside compatibility mode)
     * @throws OAException (code 1) on any internal failure, including a wrong request type
     */
    public ISession processRequest(RequestAbstractType requestAbstractType) throws OAException, StatusException {
        try {
            AuthnRequest request = (AuthnRequest) requestAbstractType;
            ISessionAttributes sessionAttributes = this._session.getAttributes();
            resolveResponseTarget(request, sessionAttributes);
            processRequestAbstractType(requestAbstractType);
            Subject requestSubject = request.getSubject();
            if (requestSubject != null) {
                processSubject(requestSubject, sessionAttributes);
            }
            resolveNameIDFormat(request, sessionAttributes);
            RequestedAuthnContext requestedContext = request.getRequestedAuthnContext();
            if (requestedContext != null) {
                resolveRequestedAuthnContext(requestedContext, sessionAttributes);
            }
            Scoping requestScoping = request.getScoping();
            if (requestScoping != null) {
                processRequestScoping(sessionAttributes, requestScoping);
            }
            Boolean forceAuthn = request.isForceAuthn();
            if (forceAuthn != null) {
                this._session.setForcedAuthentication(forceAuthn.booleanValue());
                this._logger.debug("ForcedAuthentication: " + forceAuthn);
            }
            Boolean passive = request.isPassive();
            if (Boolean.TRUE.equals(passive)) {
                // Passive authentication is only honoured in compatibility mode; otherwise NoPassive.
                if (!this._bCompatible) {
                    this._logger.debug("Unsupported Passive: " + passive);
                    throw new StatusException(RequestorEvent.REQUEST_INVALID, "urn:oasis:names:tc:SAML:2.0:status:Responder", "urn:oasis:names:tc:SAML:2.0:status:NoPassive");
                }
                this._logger.debug("Passive: " + passive);
                this._session.setPassive(true);
            }
            Integer acsIndex = request.getAttributeConsumingServiceIndex();
            if (acsIndex != null) {
                sessionAttributes.put(ProxyAttributes.class, "AttributeConsumingServiceIndex", acsIndex);
                this._logger.debug("AttributeConsumingServiceIndex: " + acsIndex);
            }
            String providerName = request.getProviderName();
            if (providerName != null) {
                sessionAttributes.put(ProxyAttributes.class, "ProviderName", providerName);
                this._logger.debug("ProviderName: " + providerName);
            }
            return this._session;
        } catch (OAException e) {
            throw e;
        } catch (StatusException e) {
            throw e;
        } catch (Exception e) {
            this._logger.fatal("Internal error during process", e);
            throw new OAException(1);
        }
    }

    /**
     * Builds the SAML Response for the authenticated user, carrying exactly one assertion.
     * <p>
     * The assertion is signed only when the SP metadata asks for it (WantAssertionsSigned).
     * Whether the enclosing Response is signed is decided by the inherited
     * createResponse(String, Response, String) and is not visible here.
     *
     * @param itgt the TGT of the authenticated user; may be {@code null}
     * @param list authentication context class references; each becomes an AuthnStatement
     * @param iAttributes the user attributes to release; an AttributeStatement is added only when non-empty
     * @param str forwarded to buildAttributeStatement (meaning not visible here — confirm)
     * @param hashtable forwarded to buildAttributeStatement (meaning not visible here — confirm)
     * @param str2 the ID of the assertion
     * @param j assertion validity in milliseconds, added to the current time for NotOnOrAfter
     * @param list2 forwarded to buildAuthnStatement (meaning not visible here — confirm)
     * @return the Response with status Success; the OAException handler below returns {@code null}
     * @throws OAException (code 1) on any failure
     */
    public StatusResponseType createResponse(ITGT itgt, List<String> list, IAttributes iAttributes, String str, Hashtable<String, String> hashtable, String str2, long j, List<String> list2) throws OAException {
        try {
            ISessionAttributes attributes = this._session.getAttributes();
            // The binding resolved during request processing wins over whatever is in the field.
            if (attributes.contains(AuthenticationRequestProtocol.class, "ProtocolBinding")) {
                this._sBindingURI = (String) attributes.get(AuthenticationRequestProtocol.class, "ProtocolBinding");
            }
            Response buildObject = this._builderFactory.getBuilder(Response.DEFAULT_ELEMENT_NAME).buildObject();
            Assertion buildAssertion = buildAssertion(itgt, list, iAttributes, str, hashtable, str2, j, list2);
            if (this._spSSODescriptor != null && this._spSSODescriptor.getWantAssertionsSigned().booleanValue()) {
                Signature createSignature = createSignature();
                buildAssertion.setSignature(createSignature);
                // Digest algorithm of the assertion signature follows the configured message digest.
                ((SAMLObjectContentReference) createSignature.getContentReferences().get(0)).setDigestAlgorithm(SAML2CryptoUtils.getXMLDigestMethodURI(this._cryptoManager.getMessageDigest()));
                signAssertion(buildAssertion, createSignature);
            }
            buildObject.getAssertions().add(buildAssertion);
            return createResponse(this._sAssertionConsumerServiceURL, buildObject, "urn:oasis:names:tc:SAML:2.0:status:Success");
        } catch (Exception e) {
            this._logger.fatal("Internal error during response creation", e);
            throw new OAException(1);
        // NOTE(review): a catch of Exception followed by a catch of its subclass OAException is not
        // compilable Java; this is how the decompiler rendered the exception table. Which handler
        // the original source runs for an OAException (rethrow vs. return null) must be confirmed
        // against the original source before relying on the null return.
        } catch (OAException e2) {
            return null;
        }
    }

    /**
     * Returns the ProtocolBinding URI the response is sent with.
     *
     * @return the binding URI, or {@code null} when none has been resolved yet
     */
    public String getProtocolBinding() {
        final String binding = this._sBindingURI;
        return binding;
    }

    /**
     * Returns the AssertionConsumerServiceURL the response is sent to.
     *
     * @return the destination URL, or {@code null} when none has been resolved yet
     */
    public String getDestination() {
        final String destination = this._sAssertionConsumerServiceURL;
        return destination;
    }

    /**
     * Returns the NameID format used for the assertion subject.
     *
     * @return the NameID format URI, or {@code null} when none has been resolved yet
     */
    public String getNameIDFormat() {
        final String format = this._sNameIDFormat;
        return format;
    }

    /**
     * Returns the SPNameQualifier requested in the NameIDPolicy.
     *
     * @return the SPNameQualifier, or {@code null} when the request did not supply one
     */
    public String getSPNameQualifier() {
        final String qualifier = this._sSPNameQualifier;
        return qualifier;
    }

    /**
     * Returns the AuthnContextClassRef URIs requested in the RequestedAuthnContext.
     *
     * @return the list instance held by this object (empty when nothing was requested); not a copy
     */
    public List<String> getRequestedAuthnContextClassRefs() {
        final List<String> classRefs = this._lRequestedAuthnContextClassRefs;
        return classRefs;
    }

    /**
     * Returns the comparison type of the RequestedAuthnContext as a string.
     *
     * @return the comparison type, or {@code null} when the request did not supply one
     */
    public String getRequestedAuthnContextComparisonType() {
        final String comparisonType = this._sRequestedAuthnContextComparisonType;
        return comparisonType;
    }

    /**
     * Processes the optional Subject of the request: the parts of its NameID are stored as proxy
     * attributes and, unless the value is a known NameID alias, the value is set as forced user ID.
     * <p>
     * All values come straight from the request, which at this point is not tied to any
     * authenticated user. The forced user ID presumably only narrows whom the authentication
     * step must verify — confirm that no downstream code treats it as already authenticated.
     *
     * @param subject the Subject element of the request, not {@code null}
     * @param iSessionAttributes session attributes that receive the NameID parts
     * @throws StatusException (Responder/RequestUnsupported) when the NameID carries an SPProvidedID
     * @throws OAException (code 1) on any other failure
     */
    private void processSubject(Subject subject, ISessionAttributes iSessionAttributes) throws StatusException, OAException {
        try {
            NameID nameID = subject.getNameID();
            if (nameID != null) {
                // SPProvidedID is not supported at all: reject rather than silently ignore it.
                String sPProvidedID = nameID.getSPProvidedID();
                if (sPProvidedID != null) {
                    this._logger.debug("Unsupported SPProvidedID in request: " + sPProvidedID);
                    throw new StatusException(RequestorEvent.REQUEST_INVALID, "urn:oasis:names:tc:SAML:2.0:status:Responder", "urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported");
                }
                String sPNameQualifier = nameID.getSPNameQualifier();
                if (sPNameQualifier != null) {
                    this._logger.debug("SPNameQualifier: " + sPNameQualifier);
                    iSessionAttributes.put(ProxyAttributes.class, "SPNameQualifier", sPNameQualifier);
                }
                String nameQualifier = nameID.getNameQualifier();
                if (nameQualifier != null) {
                    this._logger.debug("NameQualifier: " + nameQualifier);
                    iSessionAttributes.put(ProxyAttributes.class, "NameQualifier", nameQualifier);
                    // Empty branch: presumably a decompilation artifact of a removed or commented-out
                    // check for a foreign NameQualifier — confirm against the original source.
                    if (!nameQualifier.equals(this._sEntityID)) {
                    }
                }
                String format = nameID.getFormat();
                if (format != null) {
                    this._logger.debug("NameIDFormat: " + format);
                    iSessionAttributes.put(ProxyAttributes.class, "NameFormat", format);
                }
                String value = nameID.getValue();
                if (value != null) {
                    this._logger.debug("NameID: " + value);
                    iSessionAttributes.put(ProxyAttributes.class, "NameID", value);
                }
                if (value != null) {
                    // A value that is not a known alias for this requestor (or has no format to look it
                    // up with) is taken as the user the requestor wants authenticated.
                    if (format == null || !this._nameIDFormatter.exists(format, this._session.getRequestorId(), value)) {
                        this._logger.debug("Setting forced user ID: " + value);
                        this._session.setForcedUserID(value);
                    } else {
                        // NOTE(review): the message says the alias must be set as forced user ID, but
                        // nothing is set here; presumably the alias is resolved elsewhere — confirm.
                        this._logger.debug("Supplied NameID is a TGT alias and must be set as forced user ID: " + value);
                    }
                }
            }
        } catch (Exception e) {
            this._logger.fatal("Internal error during subject processing", e);
            throw new OAException(1);
        // NOTE(review): a catch of Exception before a catch of StatusException (if that extends
        // Exception) is not compilable Java; this is how the decompiler rendered the exception
        // table. Confirm against the original source that a StatusException is rethrown as-is.
        } catch (StatusException e2) {
            throw e2;
        }
    }

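    /**
     * Resolves the RequestedAuthnContext of the request.
     * <p>
     * The comparison type is stored verbatim; the requested AuthnContextClassRef URIs are
     * collected into the list returned by {@link #getRequestedAuthnContextClassRefs()}.
     * AuthnContextDeclRefs are only accepted when they equal the "unspecified" URI and are
     * logged; they are not stored.
     * <p>
     * Fix: when no ClassRef carried a value, the debug message used to print the filtered list,
     * which at that point is always empty ("[]"); it now reports how many elements were received.
     *
     * @param requestedAuthnContext the RequestedAuthnContext element, not {@code null}
     * @param iSessionAttributes session attributes (not written by this method)
     * @throws StatusException (Responder/NoAuthnContext) when ClassRefs or DeclRefs are present but none is usable
     */
    private void resolveRequestedAuthnContext(RequestedAuthnContext requestedAuthnContext, ISessionAttributes iSessionAttributes) throws StatusException {
        AuthnContextComparisonTypeEnumeration comparison = requestedAuthnContext.getComparison();
        if (comparison != null) {
            this._sRequestedAuthnContextComparisonType = comparison.toString();
        }
        List<AuthnContextClassRef> classRefs = requestedAuthnContext.getAuthnContextClassRefs();
        if (classRefs != null && !classRefs.isEmpty()) {
            List<String> classRefURIs = new ArrayList<String>();
            for (AuthnContextClassRef classRef : classRefs) {
                String uri = classRef.getAuthnContextClassRef();
                if (uri != null) {
                    classRefURIs.add(uri);
                }
            }
            if (classRefURIs.isEmpty()) {
                this._logger.debug("Requested RequestedAuthnContext ClassRefs not supported: no ClassRef value in " + classRefs.size() + " element(s)");
                throw new StatusException(RequestorEvent.REQUEST_INVALID, "urn:oasis:names:tc:SAML:2.0:status:Responder", "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext");
            }
            this._lRequestedAuthnContextClassRefs = classRefURIs;
            this._logger.debug("Using requested RequestedAuthnContext ClassRefs: " + classRefURIs);
        }
        List<AuthnContextDeclRef> declRefs = requestedAuthnContext.getAuthnContextDeclRefs();
        if (declRefs != null && !declRefs.isEmpty()) {
            List<String> acceptedDeclRefs = new ArrayList<String>();
            for (AuthnContextDeclRef declRef : declRefs) {
                String uri = declRef.getAuthnContextDeclRef();
                if (uri == null) {
                    continue;
                }
                // Only the "unspecified" reference is accepted; anything else is logged and skipped.
                if (uri.equals("urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified")) {
                    acceptedDeclRefs.add(uri);
                } else {
                    this._logger.debug("Requested RequestedAuthnContext AuthnContextDeclRef not supported: " + uri);
                }
            }
            if (acceptedDeclRefs.isEmpty()) {
                this._logger.debug("Requested RequestedAuthnContext DeclRefs not supported: " + acceptedDeclRefs);
                throw new StatusException(RequestorEvent.REQUEST_INVALID, "urn:oasis:names:tc:SAML:2.0:status:Responder", "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext");
            }
            this._logger.debug("Using requested RequestedAuthnContext DeclRefs: " + acceptedDeclRefs);
        }
    }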

    /**
     * Resolves the NameID format (and SPNameQualifier / AllowCreate) from the request's
     * NameIDPolicy and stores the result on the session.
     * <p>
     * A requested format must be supported by the configured NameIDFormatter; without a
     * requested format the formatter's default is used.
     *
     * @param authnRequest the incoming request
     * @param iSessionAttributes session attributes that receive the SPNameQualifier, AllowCreate and NameID format
     * @throws StatusException (Requester/InvalidNameIDPolicy) when the requested format is not supported
     */
    private void resolveNameIDFormat(AuthnRequest authnRequest, ISessionAttributes iSessionAttributes) throws StatusException {
        NameIDPolicy policy = authnRequest.getNameIDPolicy();
        if (policy != null) {
            String spNameQualifier = policy.getSPNameQualifier();
            this._sSPNameQualifier = spNameQualifier;
            if (spNameQualifier != null) {
                this._logger.debug("SPNameQualifier: " + spNameQualifier);
                iSessionAttributes.put(AuthenticationRequestProtocol.class, SESSION_REQUEST_SPNAMEQUALIFIER, spNameQualifier);
            }
            Boolean allowCreate = policy.getAllowCreate();
            if (allowCreate != null) {
                this._logger.debug("NameIDPolicy AllowCreate in request: : " + allowCreate);
                iSessionAttributes.put(ProxyAttributes.class, "AllowCreate", allowCreate);
            }
            String requestedFormat = policy.getFormat();
            this._sNameIDFormat = requestedFormat;
            if (requestedFormat != null && !this._nameIDFormatter.isSupported(requestedFormat)) {
                this._logger.debug("Unsupported NameID Format in NameIDPolicy: " + requestedFormat);
                throw new StatusException(RequestorEvent.REQUEST_INVALID, "urn:oasis:names:tc:SAML:2.0:status:Requester", "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy");
            }
        }
        String format = this._sNameIDFormat;
        if (format == null) {
            format = this._nameIDFormatter.getDefault();
            this._sNameIDFormat = format;
            this._logger.debug("No NameID Format specified by requestor, using: " + format);
        } else {
            this._logger.debug("Using NameID Format: " + format);
        }
        iSessionAttributes.put(AuthenticationRequestProtocol.class, SESSION_REQUEST_NAMEIDFORMAT, format);
    }

    /**
     * Determines the AssertionConsumerServiceURL and ProtocolBinding the response is sent to and
     * stores both on the session.
     * <p>
     * Trust model for the request-supplied AssertionConsumerServiceURL: it is taken as-is only
     * when the request carries a signature; otherwise it is used only if it equals the Location
     * or ResponseLocation of an AssertionConsumerService in the SP metadata. A URL that matches
     * nothing is never used; the target is then taken from the ACS selected by
     * AssertionConsumerServiceIndex, or from the metadata default. This is what keeps an
     * unauthenticated requester from steering the assertion to an endpoint of its choosing.
     * <p>
     * NOTE(review): authnRequest.isSigned() reports that a Signature element is present; this
     * method does not verify it. Signature validation is presumably done earlier in the
     * processing chain — confirm, because the trust decision in the first branch depends on it.
     *
     * @param authnRequest the incoming request
     * @param iSessionAttributes session attributes receiving the resolved URL and binding
     * @throws StatusException (Responder status) when no target URL or binding can be resolved
     */
    private void resolveResponseTarget(AuthnRequest authnRequest, ISessionAttributes iSessionAttributes) throws StatusException {
        String assertionConsumerServiceURL = authnRequest.getAssertionConsumerServiceURL();
        if (assertionConsumerServiceURL != null) {
            if (authnRequest.isSigned()) {
                // Signed request: the requester vouches for the URL (see the note on isSigned above).
                this._sAssertionConsumerServiceURL = assertionConsumerServiceURL;
            } else {
                // Unsigned request: accept the URL only when it appears in the SP's metadata.
                if (this._spSSODescriptor != null) {
                    Iterator it = this._spSSODescriptor.getAssertionConsumerServices().iterator();
                    while (true) {
                        if (!it.hasNext()) {
                            break;
                        }
                        AssertionConsumerService assertionConsumerService = (AssertionConsumerService) it.next();
                        String responseLocation = assertionConsumerService.getResponseLocation();
                        if (!assertionConsumerServiceURL.equals(assertionConsumerService.getLocation())) {
                            // Match on ResponseLocation: use the URL itself and stop.
                            if (responseLocation != null && assertionConsumerServiceURL.equals(responseLocation)) {
                                this._sAssertionConsumerServiceURL = assertionConsumerServiceURL;
                                break;
                            }
                        } else {
                            // Match on Location: prefer the metadata ResponseLocation, else the URL. The
                            // loop does not stop here, so a later entry may still overwrite this choice.
                            this._sAssertionConsumerServiceURL = responseLocation;
                            if (this._sAssertionConsumerServiceURL == null) {
                                this._sAssertionConsumerServiceURL = assertionConsumerServiceURL;
                            }
                        }
                    }
                }
                // Still unset (and nothing restored from the session): the URL is not trusted.
                if (this._sAssertionConsumerServiceURL == null) {
                    StringBuffer stringBuffer = new StringBuffer("Can't trust AssertionConsumerServiceURL '");
                    stringBuffer.append(assertionConsumerServiceURL);
                    stringBuffer.append("' supplied in request: ");
                    stringBuffer.append(authnRequest.getID());
                    this._logger.debug(stringBuffer.toString());
                }
            }
        }
        // The binding from the request is provisional; an ACS chosen from metadata below overrides it.
        this._sBindingURI = authnRequest.getProtocolBinding();
        if (this._sAssertionConsumerServiceURL == null) {
            // Nothing trusted from the request and nothing restored from the session: use metadata.
            if (this._spSSODescriptor == null) {
                this._logger.error("No SPSSODescriptor in metadata: Can't resolve response target for request: " + authnRequest.getID());
                throw new StatusException(RequestorEvent.REQUEST_INVALID, "urn:oasis:names:tc:SAML:2.0:status:Responder");
            }
            Integer assertionConsumerServiceIndex = authnRequest.getAssertionConsumerServiceIndex();
            if (assertionConsumerServiceIndex != null) {
                // The index only selects among the ACS endpoints published in metadata.
                List assertionConsumerServices = this._spSSODescriptor.getAssertionConsumerServices();
                if (assertionConsumerServices == null) {
                    this._logger.error("No AssertionConsumerServices in metadata for requestor: " + this._session.getRequestorId());
                    throw new StatusException(RequestorEvent.REQUEST_INVALID, "urn:oasis:names:tc:SAML:2.0:status:Responder");
                }
                AssertionConsumerService assertionConsumerService2 = null;
                Iterator it2 = assertionConsumerServices.iterator();
                while (true) {
                    if (!it2.hasNext()) {
                        break;
                    }
                    AssertionConsumerService assertionConsumerService3 = (AssertionConsumerService) it2.next();
                    if (assertionConsumerServiceIndex.equals(assertionConsumerService3.getIndex())) {
                        assertionConsumerService2 = assertionConsumerService3;
                        break;
                    }
                }
                if (assertionConsumerService2 == null) {
                    StringBuffer stringBuffer2 = new StringBuffer("Invalid AssertionConsumerServiceIndex '");
                    stringBuffer2.append(assertionConsumerServiceIndex);
                    stringBuffer2.append("' supplied in request: ");
                    stringBuffer2.append(authnRequest.getID());
                    this._logger.error(stringBuffer2.toString());
                    throw new StatusException(RequestorEvent.REQUEST_INVALID, "urn:oasis:names:tc:SAML:2.0:status:Responder");
                }
                this._sAssertionConsumerServiceURL = assertionConsumerService2.getResponseLocation();
                if (this._sAssertionConsumerServiceURL == null) {
                    this._sAssertionConsumerServiceURL = assertionConsumerService2.getLocation();
                    this._logger.debug("No 'ResponseLocation' found, using Location: " + this._sAssertionConsumerServiceURL);
                }
                this._sBindingURI = assertionConsumerService2.getBinding();
            } else {
                AssertionConsumerService defaultAssertionConsumerService = this._spSSODescriptor.getDefaultAssertionConsumerService();
                if (defaultAssertionConsumerService == null) {
                    this._logger.error("No default AssertionConsumerServices in metadata for requestor: " + this._session.getRequestorId());
                    throw new StatusException(RequestorEvent.REQUEST_INVALID, "urn:oasis:names:tc:SAML:2.0:status:Responder");
                }
                this._sAssertionConsumerServiceURL = defaultAssertionConsumerService.getResponseLocation();
                if (this._sAssertionConsumerServiceURL == null) {
                    this._sAssertionConsumerServiceURL = defaultAssertionConsumerService.getLocation();
                    // Logged at error level here but at debug level in the index branch above;
                    // presumably unintentional — the fallback is a normal condition.
                    this._logger.error("No 'ResponseLocation' found, using Location: " + this._sAssertionConsumerServiceURL);
                }
                this._sBindingURI = defaultAssertionConsumerService.getBinding();
            }
        }
        if (this._sAssertionConsumerServiceURL == null) {
            this._logger.error("No AssertionConsumerServiceURL as target for response available for request: " + authnRequest.getID());
            throw new StatusException(RequestorEvent.REQUEST_INVALID, "urn:oasis:names:tc:SAML:2.0:status:Responder");
        }
        iSessionAttributes.put(AuthenticationRequestProtocol.class, SESSION_REQUEST_ASSERTION_CONSUMER_SERVICE_URL, this._sAssertionConsumerServiceURL);
        this._logger.debug("AssertionConsumerServiceURL: " + this._sAssertionConsumerServiceURL);
        if (this._sBindingURI == null) {
            this._logger.error("No ProtocolBinding for response available for request: " + authnRequest.getID());
            throw new StatusException(RequestorEvent.REQUEST_INVALID, "urn:oasis:names:tc:SAML:2.0:status:Responder");
        }
        iSessionAttributes.put(AuthenticationRequestProtocol.class, "ProtocolBinding", this._sBindingURI);
        this._logger.debug("ProtocolBinding: " + this._sBindingURI);
    }

    /**
     * Restores the request parameters stored on the session by an earlier request-processing
     * pass (AssertionConsumerServiceURL, ProtocolBinding, NameIDFormat, SPNameQualifier).
     * Attributes that are absent leave the corresponding field untouched.
     *
     * @param iSession the session to read from
     */
    private void readSessionAttributes(ISession iSession) {
        ISessionAttributes stored = iSession.getAttributes();
        Class<?> namespace = AuthenticationRequestProtocol.class;
        if (stored.contains(namespace, SESSION_REQUEST_ASSERTION_CONSUMER_SERVICE_URL)) {
            this._sAssertionConsumerServiceURL = (String) stored.get(namespace, SESSION_REQUEST_ASSERTION_CONSUMER_SERVICE_URL);
        }
        if (stored.contains(namespace, SESSION_REQUEST_PROTOCOLBINDING)) {
            this._sBindingURI = (String) stored.get(namespace, SESSION_REQUEST_PROTOCOLBINDING);
        }
        if (stored.contains(namespace, SESSION_REQUEST_NAMEIDFORMAT)) {
            this._sNameIDFormat = (String) stored.get(namespace, SESSION_REQUEST_NAMEIDFORMAT);
        }
        if (stored.contains(namespace, SESSION_REQUEST_SPNAMEQUALIFIER)) {
            this._sSPNameQualifier = (String) stored.get(namespace, SESSION_REQUEST_SPNAMEQUALIFIER);
        }
    }

    /**
     * Stores the Scoping element of the request (ProxyCount, IDPList with GetComplete, and
     * RequesterIDs) as proxy attributes on the session.
     *
     * @param iSessionAttributes session attributes that receive the values
     * @param scoping the Scoping element of the request, not {@code null}
     * @throws StatusException (Requester status) when an IDPEntry carries no ProviderID
     * @throws OAException (code 1) on any other failure
     */
    private void processRequestScoping(ISessionAttributes iSessionAttributes, Scoping scoping) throws StatusException, OAException {
        try {
            Integer proxyCount = scoping.getProxyCount();
            if (proxyCount != null) {
                iSessionAttributes.put(ProxyAttributes.class, "ProxyCount", proxyCount);
                this._logger.debug("ProxyCount: " + proxyCount);
            }
            IDPList idpList = scoping.getIDPList();
            if (idpList != null) {
                List<IDPEntry> entries = idpList.getIDPEntrys();
                if (entries != null) {
                    // Vector is kept as the stored type; consumers of these attributes may depend on it.
                    Vector<SAML2IDPEntry> forcedIdps = new Vector<SAML2IDPEntry>();
                    Vector<String> providerIds = new Vector<String>();
                    for (IDPEntry entry : entries) {
                        String providerId = entry.getProviderID();
                        if (providerId == null) {
                            this._logger.debug("No ProviderID in IDPEntry within request Scoping");
                            throw new StatusException(RequestorEvent.REQUEST_INVALID, "urn:oasis:names:tc:SAML:2.0:status:Requester");
                        }
                        forcedIdps.add(new SAML2IDPEntry(providerId, entry.getName(), entry.getLoc()));
                        providerIds.add(providerId);
                    }
                    if (!forcedIdps.isEmpty()) {
                        iSessionAttributes.put(ProxyAttributes.class, "IDPList", forcedIdps);
                        this._logger.debug("Forced IDPs: " + forcedIdps);
                    }
                    if (!providerIds.isEmpty()) {
                        iSessionAttributes.put(com.alfaariss.oa.util.session.ProxyAttributes.class, "forced_organizations", providerIds);
                        this._logger.debug("Preferred organizations: " + providerIds);
                    }
                }
                GetComplete getComplete = idpList.getGetComplete();
                if (getComplete != null) {
                    String getCompleteUri = getComplete.getGetComplete();
                    iSessionAttributes.put(ProxyAttributes.class, "IDPList_GetComplete", getCompleteUri);
                    this._logger.debug("GetComplete: " + getCompleteUri);
                }
            }
            List<RequesterID> requesterIds = scoping.getRequesterIDs();
            if (requesterIds != null && !requesterIds.isEmpty()) {
                Vector<String> requesterIdValues = new Vector<String>();
                for (RequesterID requesterId : requesterIds) {
                    requesterIdValues.add(requesterId.getRequesterID());
                }
                if (!requesterIdValues.isEmpty()) {
                    iSessionAttributes.put(ProxyAttributes.class, "RequestorIDs", requesterIdValues);
                    this._logger.debug("RequesterIDs in request Scoping: " + requesterIdValues);
                }
            }
        } catch (StatusException e) {
            throw e;
        } catch (Exception e) {
            this._logger.fatal("Internal error during process", e);
            throw new OAException(1);
        }
    }

    /**
     * Builds the assertion for the authenticated user: issuer, bearer subject, one
     * AuthnStatement per authentication context, an optional AttributeStatement and the
     * audience/time conditions.
     *
     * @param itgt the user's TGT; may be {@code null}, then no TGT id is passed to the NameID
     *             formatter and the session validity equals the assertion validity
     * @param list authentication context class references, one AuthnStatement each
     * @param iAttributes user attributes; an AttributeStatement is added only when non-empty
     * @param str forwarded to buildAttributeStatement (meaning not visible here — confirm)
     * @param hashtable forwarded to buildAttributeStatement (meaning not visible here — confirm)
     * @param str2 the assertion ID
     * @param j validity in milliseconds from now, used for the subject confirmation and the Conditions
     * @param list2 forwarded to buildAuthnStatement (meaning not visible here — confirm)
     * @return the populated, unsigned assertion
     * @throws OAException propagated from the subject builder or the NameID formatter
     */
    private Assertion buildAssertion(ITGT itgt, List<String> list, IAttributes iAttributes, String str, Hashtable<String, String> hashtable, String str2, long j, List<String> list2) throws OAException {
        Assertion assertion = this._builderFactory.getBuilder(Assertion.DEFAULT_ELEMENT_NAME).buildObject();
        assertion.setVersion(SAMLVersion.VERSION_20);
        assertion.setID(str2);
        assertion.setIssueInstant(new DateTime());
        // A shadowed entity id (proxy setup) takes precedence over the IdP's own entity id.
        String issuerValue = (this._sShadowedEntityId != null) ? this._sShadowedEntityId : this._sEntityID;
        assertion.setIssuer(buildIssuer(null, issuerValue));
        DateTime notOnOrAfter = new DateTime(System.currentTimeMillis() + j);
        String tgtId = (itgt == null) ? null : itgt.getId();
        String nameIdValue = this._nameIDFormatter.format(this._session.getUser(), this._sNameIDFormat, this._session.getRequestorId(), tgtId);
        assertion.setSubject(buildSubject(nameIdValue, notOnOrAfter));
        // SessionNotOnOrAfter follows the TGT expiry when a TGT exists.
        DateTime sessionNotOnOrAfter = (itgt == null) ? notOnOrAfter : new DateTime(itgt.getTgtExpTime());
        for (String authnContextClassRef : list) {
            assertion.getAuthnStatements().add(buildAuthnStatement(str2, sessionNotOnOrAfter, authnContextClassRef, list2));
        }
        if (iAttributes.size() > 0) {
            assertion.getAttributeStatements().add(buildAttributeStatement(iAttributes, str, hashtable));
        }
        assertion.setConditions(buildConditions(notOnOrAfter));
        return assertion;
    }

    /**
     * Builds an Issuer element.
     *
     * @param str the Format attribute; omitted when {@code null}
     * @param str2 the issuer value (entity id)
     * @return the Issuer element
     */
    private Issuer buildIssuer(String str, String str2) {
        Issuer issuer = this._builderFactory.getBuilder(Issuer.DEFAULT_ELEMENT_NAME).buildObject();
        issuer.setValue(str2);
        if (str == null) {
            return issuer;
        }
        issuer.setFormat(str);
        return issuer;
    }

    /**
     * Builds the Conditions of the assertion: an AudienceRestriction limited to the requestor
     * of the session, NotBefore set to now and NotOnOrAfter set to the given instant.
     * <p>
     * No clock-skew allowance is applied on the IdP side; any tolerance has to come from the
     * relying party's validation.
     *
     * @param dateTime the NotOnOrAfter instant
     * @return the Conditions element
     */
    private Conditions buildConditions(DateTime dateTime) {
        AudienceRestriction restriction = this._builderFactory.getBuilder(AudienceRestriction.DEFAULT_ELEMENT_NAME).buildObject();
        Audience audience = this._builderFactory.getBuilder(Audience.DEFAULT_ELEMENT_NAME).buildObject();
        // The assertion is only meant for the requestor that started this session.
        audience.setAudienceURI(this._session.getRequestorId());
        restriction.getAudiences().add(audience);
        Conditions conditions = this._builderFactory.getBuilder(Conditions.DEFAULT_ELEMENT_NAME).buildObject();
        conditions.getAudienceRestrictions().add(restriction);
        DateTime notBefore = new DateTime();
        DateTime notOnOrAfter = new DateTime(dateTime);
        conditions.setNotBefore(notBefore);
        conditions.setNotOnOrAfter(notOnOrAfter);
        return conditions;
    }

    /**
     * Builds the assertion {@code <saml:Subject>}: a NameID plus a single bearer
     * SubjectConfirmation carrying Recipient, NotOnOrAfter and InResponseTo.
     *
     * <p>The Recipient is mandatory for bearer confirmation in the Web SSO profile, so the method
     * refuses to build a Subject without an AssertionConsumerServiceURL rather than emitting a
     * confirmation the SP cannot bind to its endpoint.
     *
     * @param str      the already-formatted NameID value
     * @param dateTime NotOnOrAfter for the SubjectConfirmationData
     * @return the populated Subject
     * @throws OAException (code 1) when {@code _sAssertionConsumerServiceURL} is {@code null}
     */
    private Subject buildSubject(String str, DateTime dateTime) throws OAException {
        // Fail fast: without a Recipient the bearer confirmation would be unusable. Checking
        // before any element is built is observably the same as the check after building them.
        // NOTE(review): this method trusts that _sAssertionConsumerServiceURL was already
        // validated against the SP's registered endpoints upstream — that check is not visible here.
        if (this._sAssertionConsumerServiceURL == null) {
            this._logger.warn("Can't set Recipient in confirmation data, no AssertionConsumerServiceURL available");
            throw new OAException(1);
        }

        NameID nameId = this._builderFactory.getBuilder(NameID.DEFAULT_ELEMENT_NAME).buildObject();
        String format = this._sNameIDFormat;
        nameId.setFormat(format != null ? format : "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
        nameId.setValue(str);
        if (this._sSPNameQualifier != null) {
            nameId.setSPNameQualifier(this._sSPNameQualifier);
        }
        // When acting on behalf of a shadowed entity, the NameQualifier is that entity, not ourselves.
        String qualifier = this._sShadowedEntityId != null ? this._sShadowedEntityId : this._sEntityID;
        nameId.setNameQualifier(qualifier);

        SubjectConfirmationData confirmationData = this._builderFactory.getBuilder(SubjectConfirmationData.DEFAULT_ELEMENT_NAME).buildObject();
        confirmationData.setRecipient(this._sAssertionConsumerServiceURL);
        confirmationData.setNotOnOrAfter(dateTime);
        // InResponseTo binds the assertion to the AuthnRequest it answers; _sRequestID may be
        // null for an unsolicited response, in which case the attribute is simply absent.
        confirmationData.setInResponseTo(this._sRequestID);

        SubjectConfirmation confirmation = this._builderFactory.getBuilder(SubjectConfirmation.DEFAULT_ELEMENT_NAME).buildObject();
        confirmation.setMethod(SAML2_BEARER);
        confirmation.setSubjectConfirmationData(confirmationData);

        Subject subject = this._builderFactory.getBuilder(Subject.DEFAULT_ELEMENT_NAME).buildObject();
        subject.setNameID(nameId);
        subject.getSubjectConfirmations().add(confirmation);
        return subject;
    }

    /**
     * Builds one {@code <saml:AuthnStatement>} for the given authentication context class.
     *
     * @param str      SessionIndex value
     * @param dateTime SessionNotOnOrAfter value (the caller derives this from the TGT expiry when one exists)
     * @param str2     AuthnContextClassRef URI
     * @param list     AuthenticatingAuthority URIs (proxied IdPs); {@code null} means none are written
     * @return the populated AuthnStatement
     */
    private AuthnStatement buildAuthnStatement(String str, DateTime dateTime, String str2, List<String> list) {
        AuthnContextClassRef classRef = this._builderFactory.getBuilder(AuthnContextClassRef.DEFAULT_ELEMENT_NAME).buildObject();
        classRef.setAuthnContextClassRef(str2);

        AuthnContext context = this._builderFactory.getBuilder(AuthnContext.DEFAULT_ELEMENT_NAME).buildObject();
        context.setAuthnContextClassRef(classRef);
        if (list != null) {
            for (String authorityUri : list) {
                AuthenticatingAuthority authority = this._builderFactory.getBuilder(AuthenticatingAuthority.DEFAULT_ELEMENT_NAME).buildObject();
                authority.setURI(authorityUri);
                context.getAuthenticatingAuthorities().add(authority);
            }
        }

        AuthnStatement statement = this._builderFactory.getBuilder(AuthnStatement.DEFAULT_ELEMENT_NAME).buildObject();
        // NOTE(review): AuthnInstant is the time this statement is built, not the time the user
        // actually authenticated. For an SSO re-use of an existing TGT that overstates freshness
        // to SPs that evaluate AuthnInstant (e.g. against a max-age policy). The real
        // authentication time is not available to this method; plumbing it through would need
        // an extra parameter from the caller.
        statement.setAuthnInstant(new DateTime());
        statement.setSessionIndex(str);
        statement.setSessionNotOnOrAfter(dateTime);
        statement.setAuthnContext(context);
        return statement;
    }

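    /**
     * Builds the {@code <saml:AttributeStatement>} from the user's attributes.
     *
     * <p>Each attribute name in {@code iAttributes} becomes one {@code <saml:Attribute>}. String
     * values and lists of Strings become {@code xs:string} AttributeValues; any other value type is
     * logged at debug level and skipped, so the Attribute element is still emitted (possibly with
     * no values) — existing behaviour, kept unchanged.
     *
     * <p>Fixes: a list element that is not a String previously raised a ClassCastException and
     * aborted the whole assertion build; it is now logged and skipped like a non-String top-level
     * value. A {@code null} mapping table no longer NPEs.
     *
     * @param iAttributes the attributes to emit
     * @param str         default NameFormat: {@code null} = none (unless compatibility mode, see below),
     *                    blank = force no NameFormat, otherwise the URI to use
     * @param hashtable   per-attribute NameFormat overrides keyed by attribute name; may be {@code null}
     * @return the populated AttributeStatement
     */
    private AttributeStatement buildAttributeStatement(IAttributes iAttributes, String str, Hashtable<String, String> hashtable) {
        AttributeStatement statement = this._builderFactory.getBuilder(AttributeStatement.DEFAULT_ELEMENT_NAME).buildObject();
        AttributeBuilder attributeBuilder = this._builderFactory.getBuilder(Attribute.DEFAULT_ELEMENT_NAME);
        XSStringBuilder valueBuilder = this._builderFactory.getBuilder(XSString.TYPE_NAME);

        Enumeration names = iAttributes.getNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            Attribute attribute = attributeBuilder.buildObject();
            attribute.setName(name);

            String nameFormat = resolveNameFormat(iAttributes, name, str, hashtable);
            if (nameFormat != null) {
                attribute.setNameFormat(nameFormat);
            }

            Object value = iAttributes.get(name);
            if (value instanceof String) {
                attribute.getAttributeValues().add(buildStringValue(valueBuilder, (String) value));
            } else if (value instanceof List) {
                for (Object element : (List<?>) value) {
                    // Guard each element: the original cast blindly and threw ClassCastException
                    // on a non-String element, failing the entire assertion.
                    if (element instanceof String) {
                        attribute.getAttributeValues().add(buildStringValue(valueBuilder, (String) element));
                    } else {
                        this._logger.debug("Attribute '" + name + "' has an unsupported list element; is not a String: " + element);
                    }
                }
            } else {
                // NOTE(review): this debug line prints the raw attribute value, which may be
                // personal data; keep the log level at debug or drop the value if that matters here.
                StringBuilder message = new StringBuilder("Attribute '");
                message.append(name);
                message.append("' has an unsupported value; is not a String: ");
                message.append(value);
                this._logger.debug(message.toString());
            }
            statement.getAttributes().add(attribute);
        }
        return statement;
    }

    /**
     * Picks the NameFormat for one attribute, in priority order: explicit per-attribute override,
     * then the default format (a blank default means "no NameFormat"), then — only in
     * compatibility mode — the format the attribute source itself reports.
     *
     * @return the NameFormat URI, or {@code null} when none should be written
     */
    private String resolveNameFormat(IAttributes iAttributes, String name, String defaultFormat, Hashtable<String, String> overrides) {
        String format = overrides != null ? overrides.get(name) : null;
        if (format != null) {
            return format;
        }
        if (defaultFormat != null) {
            // A blank default is the explicit "omit NameFormat" signal.
            return defaultFormat.trim().length() == 0 ? null : defaultFormat;
        }
        if (this._bCompatible) {
            return iAttributes.getFormat(name);
        }
        return null;
    }

    /** Wraps a String in an {@code xs:string}-typed {@code <saml:AttributeValue>}. */
    private XSString buildStringValue(XSStringBuilder valueBuilder, String value) {
        XSString attributeValue = valueBuilder.buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSString.TYPE_NAME);
        attributeValue.setValue(value);
        return attributeValue;
    }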

    /**
     * Creates the {@code <ds:Signature>} template for the assertion: the signature algorithm URI
     * comes from the crypto manager and the signing credential is this entity's own key.
     *
     * <p>The SecurityConfiguration and KeyInfo generator name are both passed as {@code null},
     * which (presumably — OpenSAML's documented fallback, not visible here) makes
     * {@code prepareSignatureParams} use the global security configuration for canonicalization
     * and KeyInfo generation.
     *
     * @return the prepared, not yet computed, Signature
     * @throws OAException       from the crypto utilities when algorithm or credential cannot be resolved
     * @throws SecurityException from {@code prepareSignatureParams}
     */
    private Signature createSignature() throws OAException, SecurityException {
        X509Credential signingCredential = SAML2CryptoUtils.retrieveMySigningCredentials(this._cryptoManager, this._sEntityID);
        String algorithmUri = SAML2CryptoUtils.getXMLSignatureURI(this._cryptoManager);

        Signature signature = this._builderFactory.getBuilder(Signature.DEFAULT_ELEMENT_NAME).buildObject(Signature.DEFAULT_ELEMENT_NAME);
        signature.setSignatureAlgorithm(algorithmUri);
        signature.setSigningCredential(signingCredential);
        SecurityHelper.prepareSignatureParams(signature, signingCredential, (SecurityConfiguration) null, (String) null);
        return signature;
    }

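    /**
     * Marshalls the assertion (if it has no DOM yet) and computes the enveloped signature.
     *
     * <p>Fix: the catch clauses were ordered {@code MarshallingException}, {@code Exception},
     * {@code OAException}. Because {@code OAException} is a subtype of {@code Exception}, the last
     * clause was unreachable (a compile error in ordinary Java, and — had it compiled — the
     * missing-marshaller {@code OAException(1)} would have been swallowed by the generic handler
     * and re-thrown as {@code OAException(2)}). {@code OAException} is now caught first and
     * propagated unchanged.
     *
     * <p>NOTE(review): for the signature to cover the assertion the {@code Signature} must already
     * be attached to it ({@code assertion.setSignature(...)}) before marshalling, and the object
     * must not be re-marshalled afterwards; both are the caller's responsibility and cannot be
     * verified from this method.
     *
     * @param assertion the assertion to sign
     * @param signature the prepared Signature template (see {@code createSignature})
     * @throws OAException code 1 when no marshaller is registered or marshalling fails,
     *                     code 2 for any other failure while signing
     */
    private void signAssertion(Assertion assertion, Signature signature) throws OAException {
        try {
            Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(assertion);
            if (marshaller == null) {
                this._logger.error("No marshaller registered for " + assertion.getElementQName() + ", unable to marshall assertion");
                throw new OAException(1);
            }
            // Only marshall once: re-marshalling an already-signed object would invalidate the signature.
            if (assertion.getDOM() == null) {
                marshaller.marshall(assertion);
            }
            Signer.signObject(signature);
        } catch (OAException e) {
            // Already classified above; do not re-wrap it as a generic signing failure.
            throw e;
        } catch (MarshallingException e) {
            this._logger.warn("Marshalling error while signing assertion request", e);
            throw new OAException(1);
        } catch (Exception e) {
            this._logger.error("Could not sign assertion", e);
            throw new OAException(2);
        }
    }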
}
