package org.gluu.idp.externalauth;

import java.io.IOException;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import javax.security.auth.Subject;
import javax.servlet.ServletConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import net.shibboleth.idp.attribute.IdPAttribute;
import net.shibboleth.idp.authn.ExternalAuthentication;
import net.shibboleth.idp.authn.ExternalAuthenticationException;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;
import org.apache.commons.lang.StringUtils;
import org.gluu.context.J2EContext;
import org.gluu.context.WebContext;
import org.gluu.idp.context.GluuScratchContext;
import org.gluu.idp.externalauth.openid.client.IdpAuthClient;
import org.gluu.idp.script.service.IdpCustomScriptManager;
import org.gluu.idp.script.service.external.IdpExternalScriptService;
import org.gluu.idp.service.GluuAttributeMappingService;
import org.gluu.oxauth.client.auth.principal.OpenIdCredentials;
import org.gluu.oxauth.client.auth.user.UserProfile;
import org.gluu.oxauth.model.exception.InvalidJwtException;
import org.gluu.oxauth.model.jwt.Jwt;
import org.gluu.util.StringHelper;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.RequestedAuthnContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationContext;
import org.springframework.context.EnvironmentAware;
import org.springframework.core.env.Environment;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

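@WebServlet(name = "ShibOxAuthAuthServlet", urlPatterns = {"/Authn/oxAuth/*"})
/**
 * Shibboleth IdP "external authentication" servlet that delegates the actual login to an
 * oxAuth OpenID Provider.
 *
 * <p>Request flow, as implemented below:
 * <ol>
 *   <li>{@code .../logout} and {@code .../ssologout} are handled as logout hooks.</li>
 *   <li>Otherwise the IdP external-authentication conversation is started
 *       ({@link ExternalAuthentication#startExternalAuthentication}).</li>
 *   <li>If the request is not yet an OpenID authorization response, the user is redirected
 *       to oxAuth ({@link #startLoginRequest}).</li>
 *   <li>If it is an authorization response whose {@code state} matches the one stored in the
 *       session, the credentials are exchanged for a user profile, translated into IdP
 *       attributes and handed back to the IdP via
 *       {@link ExternalAuthentication#finishExternalAuthentication}.</li>
 * </ol>
 */
public class ShibOxAuthAuthServlet extends HttpServlet {
    private static final long serialVersionUID = -4864851392327422662L;

    /** Key in the authentication state map holding the ACR the OP reports it actually used. */
    public static final String OXAUTH_ACR_USED = "acr_used";
    /** Key in the authentication state map holding the space-joined AuthnContextClassRefs the SP asked for. */
    public static final String OXAUTH_ACR_REQUESTED = "acr_requested";

    private static final Logger LOG = LoggerFactory.getLogger(ShibOxAuthAuthServlet.class);

    // Custom parameter names forwarded to oxAuth on the authorization request.
    private static final String OXAUTH_PARAM_ENTITY_ID = "entityId";
    private static final String OXAUTH_PARAM_ISSUER_ID = "issuerId";
    private static final String OXAUTH_PARAM_EXTRA_PARAMS = "extraParameters";
    private static final String OXAUTH_PARAM_ACR_VALUES = "acr_values";
    // Session attribute (kept by IdpAuthClient) marking that this servlet already sent end_session.
    private static final String OXAUTH_ATTRIBUTE_SEND_END_SESSION_REQUEST = "sendEndSession";

    // Names exchanged with the Shibboleth external-authentication flow.
    private static final String CONVERSATION_PARAM = "conversation";
    private static final String FORCE_AUTHN_ATTRIBUTE = "forceAuthn";
    private static final String RELYING_PARTY_ATTRIBUTE = "relyingParty";
    private static final String AUTHN_ERROR_ATTRIBUTE = "authnError";
    private static final String SUBJECT_ATTRIBUTE = "subject";
    private static final String ERROR_AUTHN_EXCEPTION = "AuthenticationException";
    private static final String ERROR_INVALID_TOKEN = "InvalidToken";

    private static final String TRANSLATOR_PROPERTY = "shib.oxauth.oxAuthToShibTranslator";
    private static final String IDP_LOGOUT_PATH = "/idp/profile/Logout";
    private static final String NO_CONVERSATION_STATE_VIEW = "/no-conversation-state.jsp";

    private IdpAuthClient authClient;
    private IdpCustomScriptManager customScriptManager;
    private IdpExternalScriptService externalScriptService;
    private GluuAttributeMappingService gluuAttributeMappingService;
    private final Set<OxAuthToShibTranslator> translators = new HashSet<>();

    /**
     * Wires the servlet to the Spring beans of the IdP web application and loads the
     * configured attribute translators.
     *
     * @throws ServletException if no Spring context is bound to the servlet context
     */
    @Override
    public void init(ServletConfig servletConfig) throws ServletException {
        super.init(servletConfig);
        ServletContext servletContext = getServletContext();
        WebApplicationContext webApplicationContext = WebApplicationContextUtils.getWebApplicationContext(servletContext);
        if (webApplicationContext == null) {
            // Fail loudly at startup rather than with an NPE on the first request.
            throw new ServletException("No Spring WebApplicationContext is bound to the servlet context");
        }
        this.authClient = (IdpAuthClient) webApplicationContext.getBean("idpAuthClient");
        this.customScriptManager = (IdpCustomScriptManager) webApplicationContext.getBean("idpCustomScriptManager");
        this.gluuAttributeMappingService = (GluuAttributeMappingService) webApplicationContext.getBean("gluuAttributeMappingService");
        this.customScriptManager.init();
        this.externalScriptService = this.customScriptManager.getIdpExternalScriptService();
        // The root context is the one WebApplicationContextUtils looked up above.
        buildTranslators(webApplicationContext.getEnvironment());
    }

    /**
     * Dispatches logout hooks, login initiation and authorization-response processing.
     *
     * @throws ServletException never thrown directly; kept for the servlet contract
     */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException {
        try {
            String requestUrl = request.getRequestURL().toString();
            LOG.trace("Get request to: '{}'", requestUrl);
            // NOTE(review): both logout hooks are plain GETs with no anti-CSRF token visible here;
            // whether a cross-site GET can force a logout depends on checks inside IdpAuthClient.
            if (requestUrl.endsWith("/logout")) {
                processLogoutRequest(request, response);
                return;
            }
            if (requestUrl.endsWith("/ssologout")) {
                processSsoLogoutRequest(request, response);
                return;
            }

            WebContext context = new J2EContext(request, response);
            boolean authorizationResponse = this.authClient.isAuthorizationResponse(context);
            // On the way back from oxAuth the IdP conversation key travels inside the state JWT,
            // so expose its claims as request parameters to the IdP flow.
            HttpServletRequest flowRequest = authorizationResponse ? wrapWithStateClaims(request, context) : request;

            String conversationKey = ExternalAuthentication.startExternalAuthentication(flowRequest);
            // String.valueOf() avoids an NPE when the IdP did not set the attribute; "null" parses to false.
            boolean forceAuthn = Boolean.parseBoolean(String.valueOf(request.getAttribute(FORCE_AUTHN_ATTRIBUTE)));

            if (!authorizationResponse) {
                LOG.debug("Initiating oxAuth login redirect");
                startLoginRequest(request, response, conversationKey, Boolean.valueOf(forceAuthn));
                return;
            }

            LOG.info("Processing authorization response");
            if (this.authClient.isValidRequestState(context)) {
                processAuthorizationResponse(request, response, conversationKey);
            } else {
                // State mismatch: the response was not produced for this session. Do not consume
                // it; start a fresh login instead.
                LOG.error("The state in session and in request are not equals");
                startLoginRequest(request, response, conversationKey, Boolean.valueOf(forceAuthn));
            }
        } catch (ExternalAuthenticationException e) {
            // Must precede the generic catch: it is a subclass of Exception.
            LOG.warn("Error processing oxAuth authentication request", e);
            loadErrorPage(request, response);
        } catch (Exception e) {
            LOG.error("Something unexpected happened", e);
            request.setAttribute(AUTHN_ERROR_ATTRIBUTE, ERROR_AUTHN_EXCEPTION);
        }
    }

    /**
     * Returns a request whose parameters are shadowed by the claims of the {@code state} JWT,
     * or the original request when the state is not a JWT.
     *
     * <p>NOTE(review): {@code Jwt.parse} only decodes the token; no signature check happens
     * here. Until {@code isValidRequestState} confirms the state matches the session, any claim
     * in an attacker-supplied state can shadow a request parameter (notably {@code conversation}).
     * Shibboleth binds conversation keys to the caller's own session, so this is assumed to be
     * contained -- confirm against IdpAuthClient before reading further parameters from the wrapper.
     */
    private HttpServletRequest wrapWithStateClaims(HttpServletRequest request, WebContext context) {
        try {
            final Jwt stateJwt = Jwt.parse(this.authClient.getRequestState(context));
            return new HttpServletRequestWrapper(request) {
                @Override
                public String getParameter(String name) {
                    if (stateJwt.getClaims().hasClaim(name)) {
                        return stateJwt.getClaims().getClaimAsString(name);
                    }
                    return super.getParameter(name);
                }
            };
        } catch (InvalidJwtException e) {
            LOG.debug("State is not in JWT format", e);
            return request;
        }
    }

    /**
     * Exchanges the authorization response for a user profile, translates it into IdP
     * attributes and a {@link Subject}, then returns control to the IdP flow.
     *
     * <p>{@code finishExternalAuthentication} is always invoked (also on failure, after
     * {@code authnError} has been set) so the IdP conversation is never left dangling.
     *
     * @param conversationKey key returned by {@code startExternalAuthentication}
     */
    private void processAuthorizationResponse(HttpServletRequest request, HttpServletResponse response, String conversationKey)
            throws ExternalAuthenticationException, IOException {
        try {
            WebContext context = new J2EContext(request, response);
            OpenIdCredentials credentials = this.authClient.getCredentials(context);
            LOG.debug("Client name : '{}'", credentials.getClientName());
            UserProfile userProfile = this.authClient.getUserProfile(credentials, context);
            LOG.debug("User profile : {}", userProfile);

            if (userProfile == null) {
                LOG.error("Token validation failed, returning InvalidToken");
                request.setAttribute(AUTHN_ERROR_ATTRIBUTE, ERROR_INVALID_TOKEN);
                return;
            }

            List<IdPAttribute> idpAttributes = new ArrayList<>();
            TranslateAttributesContext translateContext = buildContext(request, response, userProfile, conversationKey, idpAttributes);

            // A custom script may take over attribute translation entirely; otherwise fall back
            // to the configured translators.
            boolean translatedByScript = false;
            if (this.externalScriptService.isEnabled()) {
                translatedByScript = this.externalScriptService.executeExternalTranslateAttributesMethod(translateContext);
            }
            if (!translatedByScript) {
                LOG.debug("Using default translate attributes method");
                for (OxAuthToShibTranslator translator : this.translators) {
                    translator.doTranslation(translateContext);
                }
            }

            ProfileRequestContext profileRequestContext = ExternalAuthentication.getProfileRequestContext(conversationKey, request);
            if (!idpAttributes.isEmpty()) {
                LOG.debug("Storing generated idp attributes");
                ((GluuScratchContext) profileRequestContext.getSubcontext(GluuScratchContext.class, true)).setIdpAttributes(idpAttributes);
            }

            LOG.debug("Created an IdP subject instance with principals for {} ", userProfile.getId());
            Set<UsernamePrincipal> principals = new HashSet<>();
            principals.add(new UsernamePrincipal(userProfile.getId()));
            request.setAttribute(SUBJECT_ATTRIBUTE, new Subject(false, principals, Collections.emptySet(), Collections.emptySet()));

            AuthenticationContext authenticationContext =
                    (AuthenticationContext) new ChildContextLookup(AuthenticationContext.class).apply(profileRequestContext);
            if (authenticationContext != null) {
                String usedAcr = userProfile.getUsedAcr();
                if (StringHelper.isEmpty(usedAcr)) {
                    LOG.debug("ACR method is undefined");
                } else {
                    authenticationContext.getAuthenticationStateMap().put(OXAUTH_ACR_USED, usedAcr);
                    LOG.debug("Used ACR method: {}", usedAcr);
                }
            }
        } catch (Exception e) {
            LOG.error("Token validation failed, returning InvalidToken", e);
            request.setAttribute(AUTHN_ERROR_ATTRIBUTE, ERROR_INVALID_TOKEN);
        } finally {
            ExternalAuthentication.finishExternalAuthentication(conversationKey, request, response);
        }
    }

    /**
     * Builds the oxAuth authorization URL and redirects the browser to it.
     *
     * <p>The conversation key is carried in the {@code state} parameter so it can be recovered
     * when oxAuth redirects back. The relying party entityId, the SAML issuer, the requested
     * ACRs and any extra parameters from {@link GluuScratchContext} are forwarded as custom
     * parameters.
     *
     * @param conversationKey key returned by {@code startExternalAuthentication}
     * @param forceAuthn      whether the SP demanded forced re-authentication
     */
    protected void startLoginRequest(HttpServletRequest request, HttpServletResponse response, String conversationKey, Boolean forceAuthn) {
        try {
            WebContext context = new J2EContext(request, response);

            Map<String, String> stateParameters = new HashMap<>();
            // Use the key the IdP handed back rather than re-reading the raw request parameter:
            // on a state-mismatch retry the raw parameter is absent while the key is still valid.
            stateParameters.put(CONVERSATION_PARAM, conversationKey);

            Map<String, String> customParameters = new HashMap<>();
            Object relyingParty = request.getAttribute(RELYING_PARTY_ATTRIBUTE);
            if (relyingParty != null) {
                customParameters.put(OXAUTH_PARAM_ENTITY_ID, relyingParty.toString());
            } else {
                LOG.warn("No relying party attribute on the request; entityId will not be sent to oxAuth");
            }

            try {
                GluuScratchContext scratchContext = (GluuScratchContext) ExternalAuthentication
                        .getProfileRequestContext(conversationKey, request).getSubcontext(GluuScratchContext.class);
                String extraHttpParameters = scratchContext == null ? null : scratchContext.getExtraHttpParameters();
                if (extraHttpParameters != null && !extraHttpParameters.isEmpty()) {
                    customParameters.put(OXAUTH_PARAM_EXTRA_PARAMS, URLEncoder.encode(extraHttpParameters, "UTF-8"));
                }
            } catch (ExternalAuthenticationException e) {
                LOG.debug("Could not set extra parameters for the request. Extra request parameters will not be available to oxAuth", e);
            }

            try {
                ProfileRequestContext profileRequestContext = ExternalAuthentication.getProfileRequestContext(conversationKey, request);
                AuthnRequest authnRequest = (AuthnRequest) profileRequestContext.getInboundMessageContext().getMessage();
                if (authnRequest != null) {
                    Issuer issuer = authnRequest.getIssuer();
                    if (issuer != null) {
                        customParameters.put(OXAUTH_PARAM_ISSUER_ID, issuer.getValue());
                    }
                    RequestedAuthnContext requestedAuthnContext = authnRequest.getRequestedAuthnContext();
                    if (requestedAuthnContext != null) {
                        String requestedAcrs = requestedAuthnContext.getAuthnContextClassRefs().stream()
                                .map(ref -> ref.getAuthnContextClassRef())
                                .collect(Collectors.joining(" "));
                        customParameters.put(OXAUTH_PARAM_ACR_VALUES, requestedAcrs);
                        AuthenticationContext authenticationContext =
                                (AuthenticationContext) new ChildContextLookup(AuthenticationContext.class).apply(profileRequestContext);
                        if (authenticationContext != null) {
                            authenticationContext.getAuthenticationStateMap().put(OXAUTH_ACR_REQUESTED, requestedAcrs);
                            LOG.debug("Requested ACR method: {}", requestedAcrs);
                        }
                    }
                }
            } catch (Exception e) {
                // Best effort: the login still proceeds without acr_values / issuerId.
                LOG.error("Unable to process to AuthnContextClassRef", e);
            }

            String redirectionUrl = this.authClient.getRedirectionUrl(context, stateParameters, customParameters, forceAuthn.booleanValue());
            LOG.debug("loginUrl: {}", redirectionUrl);
            response.sendRedirect(redirectionUrl);
        } catch (IOException e) {
            LOG.error("Unable to redirect to oxAuth from ShibOxAuth", e);
        }
    }

    /**
     * Handles the IdP-initiated {@code /logout} hook: redirects to the OP end_session endpoint,
     * drops the local authorization and marks the session so the OP's back-channel logout
     * ({@code /ssologout}) is not processed twice.
     */
    protected void processLogoutRequest(HttpServletRequest request, HttpServletResponse response) {
        try {
            WebContext context = new J2EContext(request, response);
            String logoutRedirectionUrl = this.authClient.getLogoutRedirectionUrl(context);
            LOG.debug("logoutUrl: {}", logoutRedirectionUrl);
            response.sendRedirect(logoutRedirectionUrl);
            this.authClient.clearAuthorized(context);
            this.authClient.setAttribute(context, OXAUTH_ATTRIBUTE_SEND_END_SESSION_REQUEST, Boolean.TRUE);
            LOG.debug("Client authorization is removed (set null id_token in session)");
        } catch (IOException e) {
            LOG.error("Unable to redirect to oxAuth from ShibOxAuth", e);
        }
    }

    /**
     * Handles the OP-initiated {@code /ssologout} hook. If this servlet itself sent the
     * end_session request the marker is cleared and nothing else happens; otherwise the local
     * authorization is dropped and the browser is sent to the IdP logout flow.
     */
    protected void processSsoLogoutRequest(HttpServletRequest request, HttpServletResponse response) {
        try {
            WebContext context = new J2EContext(request, response);
            if (Boolean.TRUE.equals(this.authClient.getAttribute(context, OXAUTH_ATTRIBUTE_SEND_END_SESSION_REQUEST))) {
                this.authClient.setAttribute(context, OXAUTH_ATTRIBUTE_SEND_END_SESSION_REQUEST, null);
                LOG.debug("Client send end_session request. Ignoring OP initiated logout request");
                return;
            }
            LOG.debug("logoutUrl: {}", IDP_LOGOUT_PATH);
            response.sendRedirect(IDP_LOGOUT_PATH);
            this.authClient.clearAuthorized(context);
            LOG.debug("Client authorization is removed (set null id_token in session)");
        } catch (IOException e) {
            LOG.error("Unable to redirect to oxAuth from ShibOxAuth", e);
        }
    }

    /**
     * Registers the built-in {@link AuthenticatedNameTranslator} plus every class named in the
     * {@code shib.oxauth.oxAuthToShibTranslator} property (semicolon separated). Translators
     * implementing {@link EnvironmentAware} receive the environment. A translator that cannot be
     * loaded is logged and skipped; the property value is deployment configuration, so class
     * loading from it is treated as trusted.
     */
    private void buildTranslators(Environment environment) {
        this.translators.add(new AuthenticatedNameTranslator());
        String configured = StringUtils.defaultString(environment.getProperty(TRANSLATOR_PROPERTY, ""));
        for (String className : StringUtils.split(configured, ';')) {
            try {
                LOG.debug("Loading translator class {}", className);
                OxAuthToShibTranslator translator =
                        (OxAuthToShibTranslator) Class.forName(className).getDeclaredConstructor().newInstance();
                if (translator instanceof EnvironmentAware) {
                    ((EnvironmentAware) translator).setEnvironment(environment);
                }
                this.translators.add(translator);
                LOG.debug("Added translator class {}", className);
            } catch (Exception e) {
                LOG.error("Error building oxAuth to Shib translator with name: " + className, e);
            }
        }
    }

    /**
     * Renders the "no conversation state" error view; falls back to a bare 404 if the view
     * itself cannot be rendered.
     */
    private void loadErrorPage(HttpServletRequest request, HttpServletResponse response) {
        try {
            request.getRequestDispatcher(NO_CONVERSATION_STATE_VIEW).forward(request, response);
        } catch (Exception e) {
            LOG.error("Error rendering the empty conversation state (shib-oxauth-authn3) error view.", e);
            response.resetBuffer();
            response.setStatus(HttpServletResponse.SC_NOT_FOUND);
        }
    }

    /**
     * Creates the context handed to translators and scripts; {@code idpAttributes} is the
     * list they append their results to.
     */
    private TranslateAttributesContext buildContext(HttpServletRequest request, HttpServletResponse response,
                                                    UserProfile userProfile, String conversationKey, List<IdPAttribute> idpAttributes) {
        TranslateAttributesContext translateAttributesContext =
                new TranslateAttributesContext(request, response, userProfile, conversationKey, idpAttributes);
        translateAttributesContext.setGluuAttributeMappingService(this.gluuAttributeMappingService);
        return translateAttributesContext;
    }
}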
