package com.alfaariss.oa.profile.saml2.profile.sso;

import com.alfaariss.oa.OAException;
import com.alfaariss.oa.RequestorEvent;
import com.alfaariss.oa.UserEvent;
import com.alfaariss.oa.UserException;
import com.alfaariss.oa.api.attribute.IAttributes;
import com.alfaariss.oa.api.attribute.ISessionAttributes;
import com.alfaariss.oa.api.authentication.IAuthenticationProfile;
import com.alfaariss.oa.api.configuration.IConfigurationManager;
import com.alfaariss.oa.api.requestor.IRequestor;
import com.alfaariss.oa.api.session.ISession;
import com.alfaariss.oa.api.session.SessionState;
import com.alfaariss.oa.api.tgt.ITGT;
import com.alfaariss.oa.engine.core.Engine;
import com.alfaariss.oa.engine.core.authentication.AuthenticationException;
import com.alfaariss.oa.engine.core.authentication.factory.IAuthenticationProfileFactory;
import com.alfaariss.oa.engine.core.requestor.RequestorPool;
import com.alfaariss.oa.engine.core.requestor.factory.IRequestorPoolFactory;
import com.alfaariss.oa.engine.core.tgt.factory.ITGTAliasStore;
import com.alfaariss.oa.profile.saml2.profile.sso.protocol.AuthenticationRequestProtocol;
import com.alfaariss.oa.util.ModifiedBase64;
import com.alfaariss.oa.util.logging.RequestorEventLogItem;
import com.alfaariss.oa.util.logging.UserEventLogItem;
import com.alfaariss.oa.util.saml2.ISAML2Requestors;
import com.alfaariss.oa.util.saml2.NameIDFormatter;
import com.alfaariss.oa.util.saml2.SAML2IssueInstantWindow;
import com.alfaariss.oa.util.saml2.SAML2Requestor;
import com.alfaariss.oa.util.saml2.SAML2SecurityException;
import com.alfaariss.oa.util.saml2.StatusException;
import com.alfaariss.oa.util.saml2.binding.AbstractDecodingFactory;
import com.alfaariss.oa.util.saml2.binding.AbstractEncodingFactory;
import com.alfaariss.oa.util.saml2.binding.BindingProperties;
import com.alfaariss.oa.util.saml2.crypto.SAML2CryptoUtils;
import com.alfaariss.oa.util.saml2.metadata.role.sso.IDPSSODescriptorBuilder;
import com.alfaariss.oa.util.saml2.profile.AbstractSAML2Profile;
import com.alfaariss.oa.util.session.ProxyAttributes;
import com.alfaariss.oa.util.validation.SessionValidator;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Vector;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.asimba.utility.web.URLPathContext;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.common.binding.decoding.SAMLMessageDecoder;
import org.opensaml.saml2.binding.artifact.SAML2ArtifactType0004;
import org.opensaml.saml2.binding.artifact.SAML2ArtifactType0004Builder;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.StatusResponseType;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.util.Base64;
import org.w3c.dom.Element;

/* loaded from: input_file:com/alfaariss/oa/profile/saml2/profile/sso/WebBrowserSSO.class */
public class WebBrowserSSO extends AbstractSAML2Profile {
    // Session attribute key (namespace WebBrowserSSO.class) under which the inbound RelayState is
    // stored by processAuthenticationRequest and read back by sendResponse.
    public static final String SESSION_REQUEST_RELAYSTATE = "RelayState";
    // TGT attribute keys (namespace getClass()) written by processAuthenticationResponse from the
    // NameID settings negotiated for the request.
    public static final String TGT_REQUEST_NAMEIDFORMAT = "NameIDFormat";
    public static final String TGT_REQUEST_SPNAMEQUALIFIER = "SPNameQualifier";
    // Values of _requestedAuthnContextMode: forward the requested AuthnContextClassRefs verbatim, or
    // map them to local authentication profile ids (see processRequestedAuthnContext).
    public static final String REQ_AUTHNCONTEXT_PASSTHROUGH = "passthrough";
    public static final String REQ_AUTHNCONTEXT_FILTER = "filter";
    // Not referenced in the part of the class shown here.
    public static final String TYPE_SOURCEID = "sourceid";
    // Not referenced in the part of the class shown here.
    private static final int TGT_ALIAS_LENGTH = 256;
    // Response validity offset (milliseconds) used when the optional 'response' config section is absent.
    private static final long DEFAULT_RESPONSE_EXPIRATION = 60000;
    // Presumably a config property suffix consumed by readAuthnContextTypes (cut off in this view) — verify.
    private static final String PROPERTY_AUTHNCONTEXT = ".authncontext";
    // Both property sets are built from the same 'bindings' configuration section in init().
    private BindingProperties _requestBindingProperties;
    private BindingProperties _responseBindingProperties;
    // One of REQ_AUTHNCONTEXT_PASSTHROUGH / REQ_AUTHNCONTEXT_FILTER.
    private String _requestedAuthnContextMode;
    // Authentication profile id -> AuthnContext class ref, as read by readAuthnContextTypes.
    private Hashtable<String, String> _htAuthnContexts;
    private NameIDFormatter _nameIDFormatter;
    // Default attribute NameFormat for the response; null when no 'response' section is configured.
    private String _sAttributeNameFormatDefault;
    // IdP role descriptor of this entity, resolved in updateEntityDescriptor and used as local role metadata.
    private IDPSSODescriptor _idpSSODescriptor;
    // Taken from the crypto manager in init(); not used by any method visible in this listing.
    private SecureRandom _oSecureRandom;
    // Response validity offset in milliseconds, passed to AuthenticationRequestProtocol.createResponse.
    private long _lExpirationOffset;
    private IAuthenticationProfileFactory _authnProfileFactory;
    // SP-role alias store of the TGT factory; mandatory for this profile (init() fails without it).
    private ITGTAliasStore _spAliasStore;
    // Result of isCompatible(); gates the HTTP-Artifact request binding and related optional features.
    private boolean _bCompatible;
    private Log _logger = LogFactory.getLog(WebBrowserSSO.class);
    // Attribute name -> NameFormat overrides; cleared on every init().
    private Hashtable<String, String> _htAttributeNameFormatMapper = new Hashtable<>();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: com.alfaariss.oa.profile.saml2.profile.sso.WebBrowserSSO$1, reason: invalid class name */
    /* loaded from: input_file:com/alfaariss/oa/profile/saml2/profile/sso/WebBrowserSSO$1.class */
    /**
     * Compiler-generated switch map for the {@code switch} over {@code SessionState} in
     * {@link #processAuthenticationResponse}: index is {@code SessionState.ordinal()}, value is the
     * case label used there (1 = AUTHN_OK, 2 = PASSIVE_FAILED, 3 = AUTHN_SELECTION_FAILED, 4..9 = the
     * states that all share the default branch). Each entry is filled in its own try block so that a
     * {@code SessionState} class lacking one of the constants at run time only loses that entry
     * (NoSuchFieldError) instead of failing class initialisation. Decompiler artefact, not hand-written.
     */
    public static /* synthetic */ class AnonymousClass1 {
        // ordinal -> case label; entries left at 0 fall into the switch's default branch.
        static final /* synthetic */ int[] $SwitchMap$com$alfaariss$oa$api$session$SessionState = new int[SessionState.values().length];

        static {
            try {
                $SwitchMap$com$alfaariss$oa$api$session$SessionState[SessionState.AUTHN_OK.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
                // constant absent in the loaded SessionState class: entry stays 0 (default branch)
            }
            try {
                $SwitchMap$com$alfaariss$oa$api$session$SessionState[SessionState.PASSIVE_FAILED.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$com$alfaariss$oa$api$session$SessionState[SessionState.AUTHN_SELECTION_FAILED.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$com$alfaariss$oa$api$session$SessionState[SessionState.USER_CANCELLED.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$com$alfaariss$oa$api$session$SessionState[SessionState.AUTHN_FAILED.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$com$alfaariss$oa$api$session$SessionState[SessionState.PRE_AUTHZ_FAILED.ordinal()] = 6;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$com$alfaariss$oa$api$session$SessionState[SessionState.POST_AUTHZ_FAILED.ordinal()] = 7;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$com$alfaariss$oa$api$session$SessionState[SessionState.USER_BLOCKED.ordinal()] = 8;
            } catch (NoSuchFieldError e8) {
            }
            try {
                $SwitchMap$com$alfaariss$oa$api$session$SessionState[SessionState.USER_UNKNOWN.ordinal()] = 9;
            } catch (NoSuchFieldError e9) {
            }
        }
    }

    /**
     * Initialises the profile from its 'profile' configuration section.
     * <p>
     * Reads the mandatory 'bindings' and 'nameid' sections, the AuthnContext mapping and the
     * optional 'response' section, determines whether the installed SAML2 support is "compatible"
     * (which gates the HTTP-Artifact request binding and the other optional features logged below),
     * and finally updates the IdP metadata descriptor.
     *
     * @throws OAException with code 17 when a mandatory configuration item is missing, with code 2
     *         when the TGT factory offers no SP alias store, or whatever the base class and the
     *         configuration helpers throw.
     */
    public void init(IConfigurationManager iConfigurationManager, Element element, EntityDescriptor entityDescriptor, String str, String str2, ISAML2Requestors iSAML2Requestors, SAML2IssueInstantWindow sAML2IssueInstantWindow, String str3) throws OAException {
        super.init(iConfigurationManager, element, entityDescriptor, str, str2, iSAML2Requestors, sAML2IssueInstantWindow, str3);
        this._oSecureRandom = this._cryptoManager.getSecureRandom();
        this._authnProfileFactory = Engine.getInstance().getAuthenticationProfileFactory();

        Element bindingsSection = iConfigurationManager.getSection(element, "bindings");
        if (bindingsSection == null) {
            this._logger.error("No 'bindings' section found in 'profile' section in configuration with profile id: " + this._sID);
            throw new OAException(17);
        }
        // Request and response bindings are configured by the same section.
        this._requestBindingProperties = new BindingProperties(iConfigurationManager, bindingsSection);
        this._responseBindingProperties = new BindingProperties(iConfigurationManager, bindingsSection);

        Element nameIdSection = iConfigurationManager.getSection(element, "nameid");
        if (nameIdSection == null) {
            this._logger.error("No 'nameid' section found in 'profile' section in configuration with profile id: " + this._sID);
            throw new OAException(17);
        }
        this._spAliasStore = this._tgtFactory.getAliasStoreSP();
        if (this._spAliasStore == null) {
            this._logger.error("TGT Factory has no SP Role alias support");
            throw new OAException(2);
        }
        this._nameIDFormatter = new NameIDFormatter(iConfigurationManager, nameIdSection, this._cryptoManager, this._spAliasStore);
        if (this._nameIDFormatter.getDefault() == null) {
            this._logger.error("No 'default' item found in 'nameid' section in configuration");
            throw new OAException(17);
        }

        this._htAuthnContexts = readAuthnContextTypes(iConfigurationManager, element);
        this._htAttributeNameFormatMapper.clear();

        Element responseSection = iConfigurationManager.getSection(element, "response");
        if (responseSection != null) {
            readResponseConfig(iConfigurationManager, responseSection);
        } else {
            this._logger.info("No optional 'response' section found in 'profile' section in configuration with profile id: " + this._sID);
            this._sAttributeNameFormatDefault = null;
            this._lExpirationOffset = DEFAULT_RESPONSE_EXPIRATION;
        }

        this._bCompatible = isCompatible();
        String supportState = this._bCompatible ? "supported" : "not supported";
        this._logger.info("Artifact binding: " + supportState);
        this._logger.info("Optional user attribute name format: " + supportState);
        this._logger.info("Passive authentication: " + supportState);

        // The artifact binding is removed from the request bindings when it cannot be served.
        final String artifactBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact";
        if (!this._bCompatible && this._requestBindingProperties.isSupported(artifactBinding)) {
            this._logger.warn("Disabling '" + artifactBinding + "' binding as request binding, because it is not supported in this version");
            Vector remainingBindings = new Vector();
            remainingBindings.addAll(this._requestBindingProperties.getBindings());
            remainingBindings.remove(artifactBinding);
            this._requestBindingProperties.setBindings(remainingBindings);
        }
        updateEntityDescriptor(iConfigurationManager, element);
    }

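    /**
     * Servlet entry point of the Web Browser SSO profile.
     * <p>
     * A request without an {@code asid} parameter is an inbound SAML message and goes to
     * {@link #processSAMLRequest}; a request carrying {@code asid} is the user returning from
     * authentication: the id is syntax-checked, the session is retrieved and must not be expired,
     * and it is handed to {@link #processAuthenticationResponse}.
     * <p>
     * Error mapping: a {@link UserException} is event-logged and answered with HTTP 400, a
     * {@link SAML2SecurityException} with HTTP 403, an {@link OAException} is event-logged and
     * rethrown, and any other exception is logged as fatal and rethrown as {@code OAException(1)}.
     * Events are attributed to the session whenever one was retrieved before the failure.
     *
     * @throws OAException on internal errors or when a callee raised one.
     */
    public void process(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws OAException {
        // Declared outside the try so the error handlers can attribute the event to the session
        // once it has been retrieved.
        ISession session = null;
        String remoteAddr = httpServletRequest.getRemoteAddr();
        try {
            String sessionId = httpServletRequest.getParameter("asid");
            if (sessionId == null) {
                processSAMLRequest(httpServletRequest, httpServletResponse, null);
            } else {
                // The id is client supplied and is validated before any store lookup. The rejected
                // value is still written to the WARN log, so log consumers must treat it as untrusted.
                if (!SessionValidator.validateDefaultSessionId(sessionId)) {
                    this._logger.warn("Invalid session id in request: " + sessionId);
                    throw new UserException(UserEvent.REQUEST_INVALID);
                }
                session = this._sessionFactory.retrieve(sessionId);
                if (session == null) {
                    this._logger.debug("No session with id '" + sessionId + "' found in request sent from IP: " + remoteAddr);
                    throw new UserException(UserEvent.REQUEST_INVALID);
                }
                if (session.isExpired()) {
                    this._logger.debug("Expired session with id '" + sessionId + "' found in request sent from IP: " + remoteAddr);
                    throw new UserException(UserEvent.REQUEST_INVALID);
                }
                processAuthenticationResponse(httpServletRequest, httpServletResponse, session);
            }
        } catch (UserException e) {
            this._eventLogger.info(session != null
                    ? new UserEventLogItem(session, remoteAddr, e.getEvent(), this, (String) null)
                    : new UserEventLogItem((String) null, (String) null, (SessionState) null, e.getEvent(), (String) null, remoteAddr, (String) null, this, (String) null));
            if (httpServletResponse.isCommitted()) {
                return;
            }
            try {
                httpServletResponse.sendError(400);
            } catch (IOException e2) {
                this._logger.warn("Could not send response", e2);
            }
        } catch (SAML2SecurityException e) {
            this._logger.debug("Security error", e);
            this._eventLogger.info(new RequestorEventLogItem((String) null, (String) null, (SessionState) null, e.getEvent(), (String) null, remoteAddr, (String) null, this, "Security Fault"));
            try {
                if (!httpServletResponse.isCommitted()) {
                    httpServletResponse.sendError(403);
                }
            } catch (IOException e2) {
                this._logger.warn("Could not send response", e2);
            }
        } catch (OAException e) {
            this._eventLogger.info(session != null
                    ? new RequestorEventLogItem(session, remoteAddr, RequestorEvent.REQUEST_INVALID, this, (String) null)
                    : new RequestorEventLogItem((String) null, (String) null, (SessionState) null, RequestorEvent.REQUEST_INVALID, (String) null, remoteAddr, (String) null, this, (String) null));
            throw e;
        } catch (Exception e) {
            // Catch-all last: the specific handlers above must precede it.
            this._eventLogger.info(session != null
                    ? new RequestorEventLogItem(session, remoteAddr, RequestorEvent.INTERNAL_ERROR, this, (String) null)
                    : new RequestorEventLogItem((String) null, (String) null, (SessionState) null, RequestorEvent.INTERNAL_ERROR, (String) null, remoteAddr, (String) null, this, (String) null));
            this._logger.fatal("Internal error during process", e);
            throw new OAException(1);
        }
    }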

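    /**
     * Decodes an inbound SAML message and dispatches it.
     * <p>
     * The binding is resolved from the request and must be one of the configured request bindings.
     * When a {@code SAMLart} parameter is present, the artifact's SourceID is resolved to a known
     * requestor first so the decoder can verify the message against that requestor's metadata.
     * Only {@link AuthnRequest} messages are supported.
     *
     * @param iSession session to associate with the request; the caller in this class passes {@code null}.
     * @throws UserException for malformed artifacts, unknown requestors and undecodable requests
     *         (client errors).
     * @throws SAML2SecurityException when the decoder rejects the message on security grounds.
     * @throws OAException with code 1 for unsupported bindings or messages and any unexpected failure.
     */
    private void processSAMLRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, ISession iSession) throws OAException, SAML2SecurityException, UserException {
        try {
            AbstractDecodingFactory decodingFactory = AbstractDecodingFactory.resolveInstance(httpServletRequest, httpServletResponse, this._requestBindingProperties);
            if (decodingFactory == null) {
                this._logger.error("No decode factory available for request");
                throw new OAException(1);
            }
            SAMLMessageDecoder decoder = decodingFactory.getDecoder();
            String bindingURI = decoder.getBindingURI();
            if (!this._requestBindingProperties.isSupported(bindingURI)) {
                this._logger.error("The binding is not supported by this protocol: " + bindingURI);
                throw new OAException(1);
            }
            this._logger.debug("Binding URI: " + bindingURI);
            SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> context = decodingFactory.getContext();

            String encodedArtifact = httpServletRequest.getParameter("SAMLart");
            if (encodedArtifact != null) {
                // The artifact is client supplied: a value that does not decode, or is not a valid
                // type-0004 artifact, is a client error and must not surface as an internal one.
                byte[] artifactBytes = Base64.decode(encodedArtifact);
                if (artifactBytes == null || artifactBytes.length == 0) {
                    this._logger.debug("Artifact in request could not be Base64 decoded");
                    throw new UserException(UserEvent.REQUEST_INVALID);
                }
                SAML2ArtifactType0004 artifact;
                try {
                    artifact = new SAML2ArtifactType0004Builder().buildArtifact(artifactBytes);
                } catch (IllegalArgumentException e) {
                    this._logger.debug("Artifact in request is not a valid type 0004 artifact", e);
                    throw new UserException(UserEvent.REQUEST_INVALID);
                }
                SAML2Requestor requestor = resolveRequestor(artifact.getSourceID());
                if (requestor == null) {
                    this._logger.warn("Unknown requestor specified with with SourceID '" + Arrays.toString(artifact.getSourceID()) + "' in artifact: " + encodedArtifact);
                    throw new UserException(UserEvent.REQUEST_INVALID);
                }
                // Pin the message context to the requestor identified by the artifact so the decoder
                // verifies the resolved message against that requestor's metadata.
                MetadataProvider metadataProvider = requestor.getMetadataProvider();
                if (metadataProvider != null) {
                    context.setMetadataProvider(metadataProvider);
                }
                context.setInboundMessageIssuer(requestor.getID());
                context.setOutboundMessageIssuer(this._sEntityID);
            }

            try {
                decoder.decode(context);
                SAMLObject inboundMessage = context.getInboundSAMLMessage();
                if (this._logger.isDebugEnabled() && inboundMessage != null) {
                    logXML(inboundMessage);
                }
                if (inboundMessage == null) {
                    this._logger.error("No SAML Message found in request");
                    throw new OAException(1);
                }
                if (!(inboundMessage instanceof AuthnRequest)) {
                    this._logger.error("Unsupported SAML message in request");
                    throw new OAException(1);
                }
                processAuthenticationRequest(httpServletRequest, httpServletResponse, iSession, context, (AuthnRequest) inboundMessage);
            } catch (SecurityException e) {
                // Security policy failure inside the decoder (e.g. signature or issuer checks) is
                // reported as a SAML security fault, not as a plain invalid request.
                this._logger.debug("Could not decode inbound message due to security exception", e);
                throw new SAML2SecurityException(RequestorEvent.REQUEST_INVALID);
            } catch (MessageDecodingException e) {
                this._logger.debug("Could not decode request", e);
                throw new UserException(UserEvent.REQUEST_INVALID);
            }
        } catch (UserException e) {
            throw e;
        } catch (SAML2SecurityException e) {
            throw e;
        } catch (OAException e) {
            throw e;
        } catch (Exception e) {
            // Catch-all last: the declared exception types above are passed through unchanged.
            this._logger.fatal("Could not process SAML request message", e);
            throw new OAException(1);
        }
    }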

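    /**
     * Handles a decoded {@link AuthnRequest}: validates the requestor, creates the authentication
     * session, applies the requested AuthnContext handling and forwards the user into authentication.
     * <p>
     * The inbound RelayState, if any, is stored in the session under
     * {@link #SESSION_REQUEST_RELAYSTATE} so that {@link #sendResponse} can return it unchanged.
     * A {@link StatusException} raised while processing is answered with a SAML error response
     * carrying the exception's status codes, after which the session is expired and persisted.
     *
     * @param iSession session handed in by the caller (the caller in this class passes {@code null});
     *        the session actually used is the one created here.
     * @throws SAML2SecurityException when request validation fails on security grounds.
     * @throws OAException with code 1 on unexpected failures, including a StatusException raised
     *         before a protocol object and session exist (no error response can be built then).
     */
    private void processAuthenticationRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, ISession iSession, SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> sAMLMessageContext, AuthnRequest authnRequest) throws OAException, SAML2SecurityException {
        // Both are assigned inside the try so that the StatusException handler can build and send
        // an error response for the session that was actually created.
        AuthenticationRequestProtocol protocol = null;
        ISession session = iSession;
        try {
            String issuer = sAMLMessageContext.getInboundMessageIssuer();
            SAML2Requestor requestor = validateRequest(sAMLMessageContext, SPSSODescriptor.DEFAULT_ELEMENT_NAME);
            session = this._sessionFactory.createSession(issuer);
            String relayState = sAMLMessageContext.getRelayState();
            if (relayState != null) {
                session.getAttributes().put(WebBrowserSSO.class, "RelayState", relayState);
            }
            URLPathContext urlPathContext = getURLPathContext(httpServletRequest);
            if (urlPathContext != null) {
                session.getAttributes().put(ProxyAttributes.class, "urlpath.context", urlPathContext);
            }
            this._logger.debug("Put on map? urlpath.context=" + urlPathContext);
            protocol = new AuthenticationRequestProtocol(session, this._nameIDFormatter, this._sProfileURL, this._sEntityID, requestor, this._cryptoManager, this._issueInstantWindow, this._bCompatible, this._bEnableProxiedEntityId);
            session = protocol.processRequest(authnRequest);
            processRequestedAuthnContext(session, protocol);
            // NOTE(review): this consults the *request* binding set for the response binding; both
            // sets are built from the same 'bindings' section in init(), so the result is the same today.
            if (!this._requestBindingProperties.isSupported(protocol.getProtocolBinding())) {
                this._logger.debug("Response binding is not supported: " + protocol.getProtocolBinding());
                throw new StatusException(RequestorEvent.REQUEST_INVALID, "urn:oasis:names:tc:SAML:2.0:status:Responder", "urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding");
            }
            session.persist();
            this._eventLogger.info(new RequestorEventLogItem(session, httpServletRequest.getRemoteAddr(), RequestorEvent.AUTHN_INITIATION_SUCCESSFUL, this, (String) null));
            forwardUser(httpServletRequest, httpServletResponse, session);
        } catch (StatusException e) {
            this._logger.debug("The request was invalid, so try to send a SAML error response");
            if (protocol == null || session == null) {
                // Failed before the protocol object or session existed: nothing to build a response from.
                this._logger.warn("Could not send SAML error response: no protocol state available", e);
                throw new OAException(1);
            }
            sendResponse(httpServletRequest, httpServletResponse, sAMLMessageContext, protocol.createErrorResponse(protocol.getDestination(), e.getTopLevelstatusCode(), e.getSecondLevelStatusCode()), protocol, session);
            this._eventLogger.info(new RequestorEventLogItem(session, httpServletRequest.getRemoteAddr(), e.getEvent(), this, (String) null));
            session.expire();
            session.persist();
        } catch (SAML2SecurityException e) {
            throw e;
        } catch (OAException e) {
            throw e;
        } catch (Exception e) {
            // Catch-all last: the declared exception types above are passed through unchanged.
            this._logger.fatal("Could not process AuthnRequest", e);
            throw new OAException(1);
        }
    }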

    /**
     * Applies the AuthnContextClassRefs requested by the SP to the session.
     * <p>
     * Does nothing when the request carried none. In {@link #REQ_AUTHNCONTEXT_FILTER} mode the
     * class refs are translated to the ids of the locally configured authentication profiles whose
     * AuthnContext equals one of them and stored as {@code requested_authnprofile}; in any other
     * mode the refs and the comparison type are stored verbatim under the SAML2 proxy attribute
     * namespace for forwarding.
     *
     * @param iSession session whose attributes are updated.
     * @param authenticationRequestProtocol source of the requested AuthnContext data.
     */
    private void processRequestedAuthnContext(ISession iSession, AuthenticationRequestProtocol authenticationRequestProtocol) {
        List<String> requestedClassRefs = authenticationRequestProtocol.getRequestedAuthnContextClassRefs();
        if (requestedClassRefs.isEmpty()) {
            return;
        }
        boolean filterMode = this._requestedAuthnContextMode.equals(REQ_AUTHNCONTEXT_FILTER);
        if (filterMode) {
            // Every profile id whose configured AuthnContext matches a requested class ref, in
            // request order; a profile matching several refs is added once per match.
            List<String> profileIds = new ArrayList<>();
            for (String classRef : requestedClassRefs) {
                for (Map.Entry<String, String> mapping : this._htAuthnContexts.entrySet()) {
                    if (mapping.getValue().equals(classRef)) {
                        profileIds.add(mapping.getKey());
                    }
                }
            }
            iSession.getAttributes().put(ProxyAttributes.class, "requested_authnprofile", profileIds);
            this._logger.debug("Using filtered requested AuthnContextClassRefs: " + requestedClassRefs);
            return;
        }
        ISessionAttributes sessionAttributes = iSession.getAttributes();
        sessionAttributes.put(com.alfaariss.oa.util.saml2.proxy.ProxyAttributes.class, "AuthnContextClassRefs", requestedClassRefs);
        this._logger.debug("Using proxied requested AuthnContextClassRefs: " + requestedClassRefs);
        String comparisonType = authenticationRequestProtocol.getRequestedAuthnContextComparisonType();
        if (comparisonType != null) {
            sessionAttributes.put(com.alfaariss.oa.util.saml2.proxy.ProxyAttributes.class, "AuthnContextComparisonType", comparisonType);
            this._logger.debug("Using proxied requested AuthnContextComparisonType: " + comparisonType);
        }
    }

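    /**
     * Builds and sends the SAML response for a finished authentication session.
     * <p>
     * The session state selects the response: {@code AUTHN_OK} yields a response built from the
     * TGT (when the session references one), {@code PASSIVE_FAILED} maps to status NoPassive,
     * {@code AUTHN_SELECTION_FAILED} to NoAuthnContext, and every other state to AuthnFailed.
     * When no response can be created for an authenticated session, the requestor is detached from
     * the TGT (which is expired once no requestor remains) and a generic Responder error is sent.
     * The session is expired and persisted afterwards in all cases.
     *
     * @throws OAException with code 1 when the requestor or the referenced TGT cannot be resolved,
     *         or when any callee fails.
     */
    private void processAuthenticationResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, ISession iSession) throws OAException {
        try {
            String requestorId = iSession.getRequestorId();
            IRequestor oaRequestor = this._requestorPoolFactory.getRequestor(requestorId);
            if (oaRequestor == null) {
                this._logger.debug("No OA Requestor found with id: " + requestorId);
                throw new OAException(1);
            }
            SAML2Requestor samlRequestor = this._requestors.getRequestor(oaRequestor);
            if (samlRequestor == null) {
                this._logger.debug("No SAML2 Requestor found with id: " + requestorId);
                throw new OAException(1);
            }
            SAMLMessageContext context = createEncodingContext(httpServletRequest, httpServletResponse);
            context.setInboundMessageIssuer(requestorId);
            context.setOutboundMessageIssuer(this._sEntityID);
            MetadataProvider metadataProvider = samlRequestor.getMetadataProvider();
            if (metadataProvider != null) {
                context.setMetadataProvider(metadataProvider);
            }
            AuthenticationRequestProtocol protocol = new AuthenticationRequestProtocol(iSession, this._nameIDFormatter, this._sProfileURL, this._sEntityID, samlRequestor, this._cryptoManager, this._issueInstantWindow, this._bCompatible, this._bEnableProxiedEntityId);
            String remoteAddr = httpServletRequest.getRemoteAddr();
            StatusResponseType response;
            RequestorEventLogItem logItem = null;
            switch (iSession.getState()) {
                case AUTHN_OK: {
                    ITGT tgt = null;
                    String tgtId = iSession.getTGTId();
                    if (tgtId == null) {
                        this._logger.debug("No TGT ID found in session with id: " + iSession.getId());
                    } else {
                        tgt = this._tgtFactory.retrieve(tgtId);
                        if (tgt == null) {
                            this._logger.debug("No TGT found with id: " + tgtId);
                            throw new OAException(1);
                        }
                        // Record the request's NameID settings on the TGT (keys TGT_REQUEST_*).
                        String nameIdFormat = protocol.getNameIDFormat();
                        if (nameIdFormat != null) {
                            tgt.getAttributes().put(getClass(), "NameIDFormat", nameIdFormat);
                        }
                        String spNameQualifier = protocol.getSPNameQualifier();
                        if (spNameQualifier != null) {
                            tgt.getAttributes().put(getClass(), "SPNameQualifier", spNameQualifier);
                        }
                    }
                    List<String> authnContextTypes = resolveAuthNContextTypes(iSession, tgt);
                    String tgtAlias = resolveTGTAlias(tgtId, requestorId);
                    response = protocol.createResponse(tgt, authnContextTypes, iSession.getUser().getAttributes(), this._sAttributeNameFormatDefault, this._htAttributeNameFormatMapper, tgtAlias, this._lExpirationOffset, resolveAuthNContextAuthenticatingAuthorities(iSession, tgt));
                    if (response == null) {
                        // No assertion could be built: undo this requestor's registration on the TGT so
                        // no stale session-index alias lingers, then answer with a generic Responder error.
                        if (tgt != null) {
                            tgt.removeRequestorID(requestorId);
                            this._spAliasStore.removeAlias("session_index", requestorId, tgtAlias);
                            if (tgt.getRequestorIDs().size() == 0) {
                                tgt.expire();
                            }
                        }
                        response = protocol.createErrorResponse(protocol.getDestination(), "urn:oasis:names:tc:SAML:2.0:status:Responder", null);
                    }
                    if (tgt != null) {
                        tgt.persist();
                    }
                    logItem = new RequestorEventLogItem(iSession, remoteAddr, RequestorEvent.TOKEN_DEREFERENCE_SUCCESSFUL, this, (String) null);
                    break;
                }
                case PASSIVE_FAILED:
                    response = protocol.createErrorResponse(protocol.getDestination(), "urn:oasis:names:tc:SAML:2.0:status:Responder", "urn:oasis:names:tc:SAML:2.0:status:NoPassive");
                    break;
                case AUTHN_SELECTION_FAILED:
                    response = protocol.createErrorResponse(protocol.getDestination(), "urn:oasis:names:tc:SAML:2.0:status:Responder", "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext");
                    break;
                default:
                    // USER_CANCELLED, AUTHN_FAILED, PRE_AUTHZ_FAILED, POST_AUTHZ_FAILED, USER_BLOCKED,
                    // USER_UNKNOWN and any other state all map to AuthnFailed.
                    response = protocol.createErrorResponse(protocol.getDestination(), "urn:oasis:names:tc:SAML:2.0:status:Responder", "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed");
                    break;
            }
            sendResponse(httpServletRequest, httpServletResponse, context, response, protocol, iSession);
            if (logItem == null) {
                logItem = new RequestorEventLogItem(iSession, remoteAddr, RequestorEvent.TOKEN_DEREFERENCE_FAILED, this, (String) null);
            }
            this._eventLogger.info(logItem);
            iSession.expire();
            iSession.persist();
        } catch (OAException e) {
            throw e;
        } catch (Exception e) {
            // Catch-all last: OAException is passed through unchanged above.
            this._logger.fatal("Could not generate an authentication response", e);
            throw new OAException(1);
        }
    }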

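    /**
     * Encodes {@code statusResponseType} to the requestor using the response binding.
     * <p>
     * The RelayState stored in the session by {@link #processAuthenticationRequest} is echoed back
     * unchanged; it is opaque client data and is not interpreted here. The outbound message is
     * given the signing credential when signing is enabled for this profile. The response binding
     * is the one negotiated by {@code authenticationRequestProtocol}; the configured default is used
     * when none was negotiated, it is not a supported response binding, or no protocol object is
     * available (error responses built early in request processing).
     *
     * @param authenticationRequestProtocol protocol state of the request; may be {@code null}.
     * @throws OAException with code 1 when the response carries no destination or encoding fails.
     */
    private void sendResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> sAMLMessageContext, StatusResponseType statusResponseType, AuthenticationRequestProtocol authenticationRequestProtocol, ISession iSession) throws OAException {
        try {
            ISessionAttributes sessionAttributes = iSession.getAttributes();
            if (sessionAttributes.contains(WebBrowserSSO.class, "RelayState")) {
                sAMLMessageContext.setRelayState((String) sessionAttributes.get(WebBrowserSSO.class, "RelayState"));
            }
            if (this._signingEnabled) {
                sAMLMessageContext.setOutboundSAMLMessageSigningCredential(SAML2CryptoUtils.retrieveMySigningCredentials(this._cryptoManager, this._sEntityID));
            }
            sAMLMessageContext.setOutboundSAMLMessage(statusResponseType);
            sAMLMessageContext.setLocalEntityId(this._sEntityID);
            // A caller may have no protocol object (error path); that falls through to the default binding.
            String protocolBinding = authenticationRequestProtocol == null ? null : authenticationRequestProtocol.getProtocolBinding();
            if (protocolBinding == null || !this._responseBindingProperties.isSupported(protocolBinding)) {
                this._logger.debug("Using default binding: " + this._responseBindingProperties.getDefault());
                protocolBinding = this._responseBindingProperties.getDefault();
            }
            sAMLMessageContext.setLocalEntityMetadata(this._entityDescriptor);
            sAMLMessageContext.setLocalEntityRoleMetadata(this._idpSSODescriptor);
            String destination = statusResponseType.getDestination();
            if (destination == null) {
                this._logger.warn("No destination for response available");
                throw new OAException(1);
            }
            sAMLMessageContext.setPeerEntityEndpoint(buildMetadataEndpoint(SingleSignOnService.DEFAULT_ELEMENT_NAME, protocolBinding, destination, null));
            AbstractEncodingFactory.createInstance(httpServletRequest, httpServletResponse, protocolBinding, this._responseBindingProperties).getEncoder().encode(sAMLMessageContext);
            if (this._logger.isDebugEnabled()) {
                SAMLObject outboundMessage = sAMLMessageContext.getOutboundSAMLMessage();
                if (outboundMessage != null) {
                    logXML(outboundMessage);
                }
            }
        } catch (OAException e) {
            throw e;
        } catch (Exception e) {
            this._logger.fatal("Could not generate response", e);
            throw new OAException(1);
        }
    }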

    /**
     * Completes this IdP's SSO role descriptor from the configuration: supported NameID
     * formats, the {@code WantAuthnRequestsSigned} flag (taken from the requestors'
     * default signing setting) and the SingleSignOnService endpoints for the configured
     * request bindings.
     *
     * @param iConfigurationManager configuration reader
     * @param element the profile configuration section
     * @throws IllegalArgumentException when the entity descriptor has no SAML 2.0 IDPSSODescriptor
     * @throws OAException when building the descriptor fails
     */
    private void updateEntityDescriptor(IConfigurationManager iConfigurationManager, Element element) throws OAException {
        final String saml2Protocol = "urn:oasis:names:tc:SAML:2.0:protocol";
        this._idpSSODescriptor = this._entityDescriptor.getIDPSSODescriptor(saml2Protocol);
        if (this._idpSSODescriptor == null) {
            throw new IllegalArgumentException("No IDPSSODescriptor available");
        }
        IDPSSODescriptorBuilder descriptorBuilder =
                new IDPSSODescriptorBuilder(iConfigurationManager, element, this._idpSSODescriptor);
        descriptorBuilder.buildNameIDFormats();
        // Whether SPs must sign AuthnRequests follows the default configured for requestors.
        boolean wantSignedRequests = this._requestors.isDefaultSigningEnabled();
        descriptorBuilder.buildWantAuthnRequestsSigned(wantSignedRequests);
        descriptorBuilder.buildSingleSignOnService(this._sProfileURL, this._requestBindingProperties);
    }

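    /**
     * Reads the optional {@code authentication} section of the profile configuration: the
     * AuthnContext request mode ({@code request_mode}) and one {@code profile} section per
     * authentication profile, each mapping an {@code id} to an {@code authncontext} class.
     * <p>
     * Side effect: {@code _requestedAuthnContextMode} is set to the configured mode, or to
     * passthrough when none is configured.
     *
     * @param iConfigurationManager configuration reader
     * @param element the {@code profile} configuration section
     * @return authentication profile id → AuthnContext class URI; empty when nothing is configured
     * @throws OAException code 17 for an invalid or incomplete configuration (invalid
     *         {@code request_mode}, missing {@code id}/{@code authncontext}, duplicate
     *         {@code id}); code 1 when the configuration could not be read at all
     */
    private Hashtable<String, String> readAuthnContextTypes(IConfigurationManager iConfigurationManager, Element element) throws OAException {
        Hashtable<String, String> authnContexts = new Hashtable<>();
        this._requestedAuthnContextMode = REQ_AUTHNCONTEXT_PASSTHROUGH;
        try {
            Element profileSection = null;
            Element authnSection = iConfigurationManager.getSection(element, "authentication");
            if (authnSection == null) {
                this._logger.info("No optional 'authentication' section found in 'profile' section in configuration with profile id '"
                        + this._sID
                        + "', using default AuthnContext: "
                        + "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified");
            } else {
                String requestMode = iConfigurationManager.getParam(authnSection, "request_mode");
                if (requestMode != null) {
                    boolean known = REQ_AUTHNCONTEXT_FILTER.equalsIgnoreCase(requestMode)
                            || REQ_AUTHNCONTEXT_PASSTHROUGH.equalsIgnoreCase(requestMode);
                    if (!known) {
                        this._logger.error("Invalid value configured for optional authentication@request_mode: " + requestMode + "; allowed: '" + REQ_AUTHNCONTEXT_FILTER + "' or '" + REQ_AUTHNCONTEXT_PASSTHROUGH + "'");
                        throw new OAException(17);
                    }
                    // Stored as configured; the check above is case-insensitive.
                    // NOTE(review): confirm consumers of _requestedAuthnContextMode compare it the same way.
                    this._requestedAuthnContextMode = requestMode;
                }
                profileSection = iConfigurationManager.getSection(authnSection, "profile");
                if (profileSection == null) {
                    this._logger.info("Not one 'profile' section found in 'authentication' section in configuration, using default AuthnContext: urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified");
                }
            }
            for (Element profile = profileSection; profile != null; profile = iConfigurationManager.getNextSection(profile)) {
                String profileID = iConfigurationManager.getParam(profile, "id");
                if (profileID == null) {
                    this._logger.error("No 'id' item found in 'profile' section in configuration");
                    throw new OAException(17);
                }
                String authnContext = iConfigurationManager.getParam(profile, "authncontext");
                if (authnContext == null) {
                    this._logger.error("No 'authncontext' item found in 'profile' section in configuration");
                    throw new OAException(17);
                }
                if (authnContexts.containsKey(profileID)) {
                    this._logger.error("Configured 'id' item in 'profile' section is not unique: " + profileID);
                    throw new OAException(17);
                }
                authnContexts.put(profileID, authnContext);
            }
            return authnContexts;
        } catch (OAException e) {
            // Configuration errors already carry their own event code (17); catching them
            // as a generic Exception first would mask that code behind a plain code 1.
            throw e;
        } catch (Exception e) {
            this._logger.fatal("Could not read AuthnContext types", e);
            throw new OAException(1);
        }
    }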

    /**
     * Produces a fresh random {@code session_index} alias for requestor {@code str2} that the
     * SP alias store does not know yet and, when a TGT id {@code str} is given, registers it
     * as that TGT's alias.
     *
     * @param str  the TGT id to register the alias for; {@code null} only generates an alias
     * @param str2 the requestor ID the alias is scoped to
     * @return the alias: {@code "_"} followed by the modified-Base64 encoding of
     *         {@code TGT_ALIAS_LENGTH} bytes from the profile's {@code SecureRandom}
     * @throws OAException (code 1) when generating or encoding the random alias fails
     */
    private String resolveTGTAlias(String str, String str2) throws OAException {
        String alias;
        // Retry until the alias is unused for this requestor in the SP alias store.
        do {
            alias = generateRandomAlias(str, str2);
        } while (this._spAliasStore.isAlias("session_index", str2, alias));
        if (str != null) {
            this._spAliasStore.putAlias("session_index", str2, str, alias);
        }
        return alias;
    }

    /** Draws one candidate alias; {@code str}/{@code str2} are only used for the error message. */
    private String generateRandomAlias(String str, String str2) throws OAException {
        try {
            byte[] randomBytes = new byte[TGT_ALIAS_LENGTH];
            this._oSecureRandom.nextBytes(randomBytes);
            return "_" + new String(ModifiedBase64.encode(randomBytes, "UTF-8"));
        } catch (OAException e) {
            throw e;
        } catch (Exception e) {
            StringBuilder message = new StringBuilder("Could not resolve TGT alias for tgt '");
            if (str != null) {
                message.append(str);
            }
            message.append("' and requestor ID: ").append(str2);
            this._logger.fatal(message.toString(), e);
            throw new OAException(1);
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v54, types: [java.util.List] */
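    /**
     * Collects the AuthnContext class references to report for this authentication, in
     * order and without duplicates:
     * <ol>
     *   <li>the proxied {@code AuthnContextClassRef} stored on the TGT (if any),</li>
     *   <li>the proxied {@code AuthnContextClassRef} on the session (also copied to the TGT),</li>
     *   <li>one class per authentication profile — from the configured mapping, else from the
     *       profile's {@code <OA profile id>PROPERTY_AUTHNCONTEXT} property.</li>
     * </ol>
     * The profiles come from the TGT when present, otherwise from the session's selected profile.
     *
     * @param iSession the current session
     * @param itgt the TGT, or {@code null} when none exists yet
     * @return the resolved classes; the unspecified class when nothing was found. The runtime
     *         type stays {@code Vector} for compatibility with existing callers.
     * @throws OAException (code 1) when an authentication profile cannot be loaded
     */
    private List<String> resolveAuthNContextTypes(ISession iSession, ITGT itgt) throws OAException {
        Vector<String> contexts = new Vector<>();
        if (itgt != null) {
            String tgtContext = (String) itgt.getAttributes().get(com.alfaariss.oa.util.saml2.proxy.ProxyAttributes.class, "AuthnContextClassRef");
            addAuthnContextIfAbsent(contexts, tgtContext);
        }
        String sessionContext = (String) iSession.getAttributes().get(com.alfaariss.oa.util.saml2.proxy.ProxyAttributes.class, "AuthnContextClassRef");
        if (sessionContext != null && !contexts.contains(sessionContext)) {
            contexts.add(sessionContext);
            if (itgt != null) {
                this._logger.debug("Copy the proxied AuthnContextClassRef to a TGT attribute: " + sessionContext);
                itgt.getAttributes().put(com.alfaariss.oa.util.saml2.proxy.ProxyAttributes.class, "AuthnContextClassRef", sessionContext);
            }
        }

        List<String> profileIDs;
        if (itgt != null) {
            profileIDs = itgt.getAuthNProfileIDs();
        } else {
            profileIDs = new Vector<>();
            IAuthenticationProfile selectedProfile = iSession.getSelectedAuthNProfile();
            if (selectedProfile != null) {
                profileIDs.add(selectedProfile.getID());
            }
        }
        for (String profileID : profileIDs) {
            String context;
            if (this._htAuthnContexts.containsKey(profileID)) {
                context = this._htAuthnContexts.get(profileID);
            } else {
                context = readProfileAuthnContext(profileID);
            }
            addAuthnContextIfAbsent(contexts, context);
        }

        if (contexts.isEmpty()) {
            contexts.add("urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified");
        }
        return contexts;
    }

    /** Appends {@code context} unless it is {@code null} or already listed. */
    private static void addAuthnContextIfAbsent(List<String> contexts, String context) {
        if (context != null && !contexts.contains(context)) {
            contexts.add(context);
        }
    }

    /**
     * Looks up the AuthnContext class configured as a property on the authentication
     * profile itself; {@code null} when the property is not set.
     *
     * @throws OAException (code 1) when the profile is not available
     */
    private String readProfileAuthnContext(String profileID) throws OAException {
        try {
            return (String) this._authnProfileFactory.getProfile(profileID).getProperty(this._sOAProfileID + PROPERTY_AUTHNCONTEXT);
        } catch (AuthenticationException e) {
            // Keep the cause in the log; the OAException thrown to the caller does not carry it.
            this._logger.error("Authentication profile not available: " + profileID, e);
            throw new OAException(1);
        }
    }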

    /**
     * Merges the proxied {@code AuthenticatingAuthorities} lists from the TGT (first) and
     * the session (appended, without duplicates). When the session contributes a list and a
     * TGT exists, the merged list is written back to the TGT attribute.
     * <p>
     * NOTE(review): the {@code Vector} stored on the TGT is the same instance that is
     * returned, so a caller mutating the result also mutates the TGT attribute.
     *
     * @param iSession the current session
     * @param itgt the TGT, or {@code null}
     * @return the merged authorities, possibly empty (never {@code null})
     */
    private List<String> resolveAuthNContextAuthenticatingAuthorities(ISession iSession, ITGT itgt) {
        Vector<String> authorities = new Vector<>();
        if (itgt != null) {
            @SuppressWarnings("unchecked") // attribute store is untyped; elements are expected to be Strings
            List<String> fromTGT = (List<String>) itgt.getAttributes().get(com.alfaariss.oa.util.saml2.proxy.ProxyAttributes.class, "AuthenticatingAuthorities");
            if (fromTGT != null) {
                authorities.addAll(fromTGT);
            }
        }
        @SuppressWarnings("unchecked") // see above
        List<String> fromSession = (List<String>) iSession.getAttributes().get(com.alfaariss.oa.util.saml2.proxy.ProxyAttributes.class, "AuthenticatingAuthorities");
        if (fromSession == null) {
            return authorities;
        }
        for (String authority : fromSession) {
            if (authorities.contains(authority)) {
                continue;
            }
            authorities.add(authority);
        }
        if (itgt != null) {
            this._logger.debug("Copy the proxied AuthenticatingAuthorities to a TGT attribute: " + authorities);
            itgt.getAttributes().put(com.alfaariss.oa.util.saml2.proxy.ProxyAttributes.class, "AuthenticatingAuthorities", authorities);
        }
        return authorities;
    }

    /**
     * Resolves the SAML2 requestor identified by a SourceID. When the pool factory supports
     * SourceID lookups they are delegated to it; otherwise every enabled requestor is tried
     * by comparing the SourceID with the SHA-1 of its ID.
     *
     * @param bArr the SourceID bytes taken from the request
     * @return the matching SAML2 requestor
     * @throws UserException {@code REQUEST_INVALID} when no requestor matches or the
     *         matching requestor is disabled
     * @throws OAException (code 1) when the requestor is not in a pool or its pool is disabled
     */
    private SAML2Requestor resolveRequestor(byte[] bArr) throws OAException, UserException {
        IRequestor requestor = this._requestorPoolFactory.isRequestorIDSupported(TYPE_SOURCEID)
                ? this._requestorPoolFactory.getRequestor(bArr, TYPE_SOURCEID)
                : findRequestorBySourceID(bArr);
        if (requestor == null) {
            this._logger.debug("Unknown requestor specified with SourceID: " + Arrays.toString(bArr));
            throw new UserException(UserEvent.REQUEST_INVALID);
        }
        if (!requestor.isEnabled()) {
            this._logger.debug("Disabled requestor found in request: " + requestor.getID());
            throw new UserException(UserEvent.REQUEST_INVALID);
        }
        RequestorPool pool = this._requestorPoolFactory.getRequestorPool(requestor.getID());
        if (pool == null) {
            this._logger.warn("Requestor not available in a pool: " + requestor.getID());
            throw new OAException(1);
        }
        if (!pool.isEnabled()) {
            this._logger.warn("Requestor '" + requestor.getID() + "' is found in a disabled requestor pool: " + pool.getID());
            throw new OAException(1);
        }
        return this._requestors.getRequestor(requestor);
    }

    /**
     * Linear scan fallback: the first enabled requestor whose SHA-1(ID) equals
     * {@code sourceID}, or {@code null} when none matches.
     */
    private IRequestor findRequestorBySourceID(byte[] sourceID) throws OAException {
        for (Object candidate : this._requestorPoolFactory.getAllEnabledRequestors()) {
            IRequestor enabledRequestor = (IRequestor) candidate;
            if (Arrays.equals(sourceID, generateSHA1(enabledRequestor.getID()))) {
                return enabledRequestor;
            }
        }
        return null;
    }

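    /**
     * Computes the SHA-1 digest of the UTF-8 encoding of {@code str}. The caller uses it to
     * derive the SourceID it compares requestor IDs against (in SAML 2.0 a SourceID is the
     * SHA-1 of an entity ID, so the algorithm is an identifier-derivation fixed by the spec,
     * not an integrity protection, and cannot be swapped without breaking interoperability).
     *
     * @param str the requestor/entity ID to hash; must not be {@code null}
     * @return the 20-byte digest
     * @throws OAException (code 1) when the JRE provides no SHA-1 implementation
     */
    private byte[] generateSHA1(String str) throws OAException {
        try {
            // UTF-8 is a guaranteed charset, so encoding cannot fail (no UnsupportedEncodingException).
            byte[] encoded = str.getBytes(java.nio.charset.StandardCharsets.UTF_8);
            return MessageDigest.getInstance("SHA-1").digest(encoded);
        } catch (NoSuchAlgorithmException e) {
            this._logger.error("SHA-1 not supported", e);
            throw new OAException(1);
        }
    }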

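    /**
     * Reads the response-related configuration: the optional {@code attributes} section
     * (default attribute name format plus a per-attribute {@code name} → {@code format}
     * mapping) and the optional {@code expiration} section ({@code offset} in seconds).
     * <p>
     * Side effects: sets {@code _sAttributeNameFormatDefault}, fills
     * {@code _htAttributeNameFormatMapper} and sets {@code _lExpirationOffset} (milliseconds;
     * {@code DEFAULT_RESPONSE_EXPIRATION} when no section is configured).
     *
     * @param iConfigurationManager configuration reader
     * @param element the profile configuration section
     * @throws OAException code 17 for a missing/invalid item, code 2 for a duplicate attribute name
     */
    private void readResponseConfig(IConfigurationManager iConfigurationManager, Element element) throws OAException {
        Element attributesSection = iConfigurationManager.getSection(element, "attributes");
        if (attributesSection == null) {
            this._sAttributeNameFormatDefault = null;
        } else {
            readAttributeNameFormats(iConfigurationManager, attributesSection);
        }
        if (this._sAttributeNameFormatDefault != null) {
            this._logger.info("Using optional attribute name format: " + this._sAttributeNameFormatDefault);
        } else {
            this._logger.info("Not using optional attribute name format");
        }
        readExpirationOffset(iConfigurationManager, element);
        this._logger.info("Using expiration offset in response of (ms): " + this._lExpirationOffset);
    }

    /** Reads {@code format}/{@code nameformat} and the {@code attribute} entries of the {@code attributes} section. */
    private void readAttributeNameFormats(IConfigurationManager iConfigurationManager, Element attributesSection) throws OAException {
        this._sAttributeNameFormatDefault = iConfigurationManager.getParam(attributesSection, "format");
        if (this._sAttributeNameFormatDefault == null) {
            // 'nameformat' is the accepted alternative spelling.
            this._sAttributeNameFormatDefault = iConfigurationManager.getParam(attributesSection, "nameformat");
            if (this._sAttributeNameFormatDefault == null) {
                this._logger.info("No optional 'format' or 'nameformat' item in 'attributes' section found in configuration");
            }
        }
        for (Element attribute = iConfigurationManager.getSection(attributesSection, "attribute");
                attribute != null;
                attribute = iConfigurationManager.getNextSection(attribute)) {
            String name = iConfigurationManager.getParam(attribute, "name");
            if (name == null) {
                this._logger.error("No 'name' item in 'attribute' section found in configuration");
                throw new OAException(17);
            }
            String format = iConfigurationManager.getParam(attribute, "format");
            if (format == null) {
                this._logger.error("No 'format' item in 'attribute' section found in configuration");
                throw new OAException(17);
            }
            if (this._htAttributeNameFormatMapper.containsKey(name)) {
                this._logger.error("Configured 'name' in 'attribute' section is not unique: " + name);
                throw new OAException(2);
            }
            this._htAttributeNameFormatMapper.put(name, format);
        }
    }

    /** Reads the {@code expiration} section; the configured {@code offset} is in seconds and stored in ms. */
    private void readExpirationOffset(IConfigurationManager iConfigurationManager, Element element) throws OAException {
        Element expirationSection = iConfigurationManager.getSection(element, "expiration");
        if (expirationSection == null) {
            this._lExpirationOffset = DEFAULT_RESPONSE_EXPIRATION;
            return;
        }
        String offset = iConfigurationManager.getParam(expirationSection, "offset");
        if (offset == null) {
            this._logger.error("No 'offset' section found in 'expiration' section in configuration");
            throw new OAException(17);
        }
        long offsetSeconds;
        try {
            offsetSeconds = Long.parseLong(offset);
        } catch (NumberFormatException e) {
            // Log the offending configured value, not the (still unset) field.
            this._logger.error("Invalid 'offset' section found in 'expiration' section in configuration: " + offset, e);
            throw new OAException(17);
        }
        if (offsetSeconds < 0) {
            this._logger.error("Invalid 'offset' section found in 'expiration' section in configuration (may not be negative): " + offset);
            throw new OAException(17);
        }
        // Guard the seconds→ms conversion against silent long overflow.
        if (offsetSeconds > Long.MAX_VALUE / 1000L) {
            this._logger.error("Invalid 'offset' section found in 'expiration' section in configuration (too large): " + offset);
            throw new OAException(17);
        }
        this._lExpirationOffset = offsetSeconds * 1000L;
    }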

    /**
     * Checks, via reflection, that the deployed core API declares the methods this profile
     * depends on ({@code IRequestorPoolFactory.isRequestorIDSupported(String)},
     * {@code IAttributes.getFormat(String)} and {@code ISession.isPassive()}).
     *
     * @return {@code true} when all three are declared; {@code false} when any probe fails
     *         with {@link NoSuchMethodException} or {@link SecurityException}
     */
    private boolean isCompatible() {
        Class<?>[] stringArg = {String.class};
        try {
            IRequestorPoolFactory.class.getDeclaredMethod("isRequestorIDSupported", stringArg);
            IAttributes.class.getDeclaredMethod("getFormat", stringArg);
            ISession.class.getDeclaredMethod("isPassive");
        } catch (NoSuchMethodException | SecurityException e) {
            return false;
        }
        return true;
    }

    /**
     * Derives the path context from the last segment of the request URI (the text after the
     * final {@code '/'}).
     *
     * @param httpServletRequest the current request
     * @return the context for that segment, or {@code null} when the URI contains no {@code '/'}
     */
    protected URLPathContext getURLPathContext(HttpServletRequest httpServletRequest) {
        String uri = httpServletRequest.getRequestURI();
        int lastSlash = uri.lastIndexOf('/');
        if (lastSlash < 0) {
            return null;
        }
        String lastSegment = uri.substring(lastSlash + 1);
        return URLPathContext.fromValue(lastSegment);
    }
}
