package com.ibm.ws.security.saml.sso20.sp;

import com.ibm.websphere.pmi.PmiConstants;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.saml.Constants;
import com.ibm.ws.security.saml.SsoConfig;
import com.ibm.ws.security.saml.SsoSamlService;
import com.ibm.ws.security.saml.error.SamlException;
import com.ibm.ws.security.saml.sso20.binding.BasicMessageContext;
import com.ibm.ws.security.saml.sso20.binding.BasicMessageContextBuilder;
import com.ibm.ws.security.saml.sso20.internal.utils.ForwardRequestInfo;
import com.ibm.ws.security.saml.sso20.internal.utils.HttpRequestInfo;
import com.ibm.ws.security.saml.sso20.internal.utils.RequestUtil;
import com.ibm.ws.security.saml.sso20.internal.utils.SamlUtil;
import com.ibm.wsspi.security.tai.TAIResult;
import java.io.UnsupportedEncodingException;
import java.nio.charset.Charset;
import java.util.Iterator;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.cxf.transport.https.HttpsURLConnectionFactory;
import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.SAMLVersion;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.NameIDPolicy;
import org.opensaml.saml2.core.RequestedAuthnContext;
import org.opensaml.saml2.core.impl.AuthnContextClassRefBuilder;
import org.opensaml.saml2.core.impl.AuthnRequestBuilder;
import org.opensaml.saml2.core.impl.AuthnRequestMarshaller;
import org.opensaml.saml2.core.impl.IssuerBuilder;
import org.opensaml.saml2.core.impl.NameIDPolicyBuilder;
import org.opensaml.saml2.core.impl.RequestedAuthnContextBuilder;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.Marshaller;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.util.Base64;
import org.opensaml.xml.util.XMLHelper;

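/**
 * SP-initiated ("solicited") SAML 2.0 Web SSO.
 *
 * <p>Builds an {@link AuthnRequest} for the configured IdP, optionally signs it,
 * and auto-posts it to the IdP's HTTP-POST single sign-on endpoint together with a
 * {@code RelayState}. The original request is cached under a fresh random id so it
 * can be restored when the IdP's response arrives (that lookup lives outside this
 * class).
 *
 * <p>Security-relevant behaviour:
 * <ul>
 *   <li>The IdP endpoint is resolved from the metadata provider on the message
 *       context ({@link #handleIdpMetadataAndLoginUrl}); no request parameter
 *       selects it.</li>
 *   <li>With {@code httpsRequired} set, a non-https endpoint is rejected before any
 *       request state is cached or anything is sent.</li>
 *   <li>Signing happens only when {@code authnRequestsSigned} is configured and a
 *       signing credential is available; see {@link #signAuthnRequest}.</li>
 * </ul>
 *
 * <p>This listing was recovered from the shipped jar (see the "loaded from" marker);
 * the decompiler's bridge-method names ({@code mo…buildObject}) are written here as
 * the OpenSAML API name {@code buildObject()}.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.saml.sso.2.0_1.0.15.jar:com/ibm/ws/security/saml/sso20/sp/Solicited.class */
public class Solicited {
    public static final TraceComponent tc = Tr.register((Class<?>) Solicited.class, "SAML20", "com.ibm.ws.security.saml.sso20.internal.resources.SamlSso20Messages");

    /** SAML 2.0 protocol namespace, used to select the IdP role descriptor from the metadata. */
    static final String SAML20_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol";
    /** The only SSO binding used here: for the IdP endpoint lookup and as the request's ProtocolBinding. */
    static final String HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
    /** Exclusive XML canonicalization, applied to the AuthnRequest signature. */
    static final String EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#";
    /** Charset of the SAMLRequest form value; the Charset overload of getBytes has no checked exception. */
    private static final Charset UTF8 = Charset.forName("UTF-8");
    /** Source id reported to FFDC; the numeric probe ids are kept from the shipped build. */
    private static final String FFDC_SOURCE = Solicited.class.getName();

    SsoSamlService ssoService;
    static final long serialVersionUID = 7364496672035843220L;

    /**
     * @param ssoSamlService the SP service/configuration this instance acts for; not null
     */
    public Solicited(SsoSamlService ssoSamlService) {
        this.ssoService = ssoSamlService;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Solicited(" + ssoSamlService.getProviderId() + ")", new Object[0]);
        }
    }

    /**
     * Starts SP-initiated SSO: resolves the IdP's HTTP-POST endpoint, builds (and, if
     * configured, signs) an AuthnRequest, caches the original request under a fresh
     * random id and auto-posts the request to the IdP.
     *
     * @param httpServletRequest  the unauthenticated request that triggered SSO
     * @param httpServletResponse response the auto-post form is written to
     * @return the TAI result produced by {@link #postIdp}
     * @throws SamlException if the IdP metadata is unusable, the endpoint is not https
     *         while {@code httpsRequired} is set, or the request cannot be signed or serialised
     * @throws WebTrustAssociationFailedException if posting to the IdP fails
     */
    @FFDCIgnore({SamlException.class})
    public TAIResult sendAuthRequestToIdp(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws WebTrustAssociationFailedException, SamlException {
        BasicMessageContext<?, ?, ?> idpContext = BasicMessageContextBuilder.getInstance().buildIdp(httpServletRequest, httpServletResponse, this.ssoService);
        // Never null: handleIdpMetadataAndLoginUrl fails instead of returning null.
        String idpLoginUrl = handleIdpMetadataAndLoginUrl(idpContext);
        SsoConfig config = this.ssoService.getConfig();
        // Refuse to send the user to a plaintext IdP endpoint when the deployment demands https.
        // A null config skips this check, as before; buildAuthnRequest dereferences it anyway.
        if (config != null && config.isHttpsRequired() && !idpLoginUrl.startsWith(HttpsURLConnectionFactory.HTTPS_URL_PROTOCOL_ID)) {
            throw new SamlException("SAML20_IDP_PROTOCOL_NOT_HTTPS", (Exception) null, new Object[]{idpLoginUrl});
        }
        String cacheId = SamlUtil.generateRandom();
        HttpRequestInfo requestInfo = new HttpRequestInfo(httpServletRequest);
        AuthnRequest authnRequest = buildAuthnRequest(requestInfo.getInResponseToId(), httpServletRequest, idpContext);
        if (idpContext.getSsoConfig().isAuthnRequestsSigned()) {
            signAuthnRequest(authnRequest, RequestUtil.getSigningCredential(this.ssoService));
        }
        String authnRequestXml = getAuthnRequestString(authnRequest);
        // RelayState = SP prefix + cache id; the IdP is expected to echo it back unchanged.
        String relayState = Constants.SP_INITAL + cacheId;
        // Cached only once signing and serialisation succeeded, so a failure leaves no dangling entry.
        RequestUtil.cacheRequestInfo(cacheId, this.ssoService, requestInfo);
        return postIdp(httpServletRequest, httpServletResponse, authnRequestXml, relayState, idpLoginUrl, requestInfo);
    }

    /**
     * Resolves the IdP's HTTP-POST single sign-on endpoint from the metadata provider
     * on the context and records the peer entity id and endpoint on that context.
     *
     * <p>Unlike the shipped build, which returned {@code null} when the metadata had no
     * HTTP-POST endpoint (and then failed later with a NullPointerException or a
     * generic TAI failure), this version fails here with a parse error that names the
     * problem, before any request state is cached.
     *
     * @param basicMessageContext context whose metadata provider describes the IdP
     * @return the endpoint location (never null)
     * @throws SamlException if no metadata provider is configured, the metadata is not
     *         an EntityDescriptor, has no IDPSSODescriptor, has no HTTP-POST endpoint,
     *         or cannot be read
     */
    String handleIdpMetadataAndLoginUrl(BasicMessageContext<?, ?, ?> basicMessageContext) throws SamlException {
        MetadataProvider metadataProvider = basicMessageContext.getMetadataProvider();
        if (metadataProvider == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "idp metadata file :" + basicMessageContext.getSsoConfig().getIdpMetadata(), new Object[0]);
            }
            String idpMetadata = this.ssoService.getConfig().getIdpMetadata();
            String providerId = this.ssoService.getProviderId();
            if (idpMetadata == null || idpMetadata.isEmpty()) {
                throw new SamlException("SAML20_NO_IDP_URL_OR_METADATA", (Exception) null, new Object[]{providerId});
            }
            throw new SamlException("SAML20_NO_IDP_URL_ERROR", (Exception) null, new Object[]{idpMetadata, providerId});
        }
        try {
            XMLObject metadata = metadataProvider.getMetadata();
            if (!(metadata instanceof EntityDescriptor)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "ERROR: metadata is not an EntityDescriptor", new Object[0]);
                    Tr.debug(tc, "idp metadata file :" + basicMessageContext.getSsoConfig().getIdpMetadata(), new Object[0]);
                }
                throw new SamlException("SAML20_NO_IDP_URL_ERROR", (Exception) null, new Object[]{this.ssoService.getConfig().getIdpMetadata(), this.ssoService.getProviderId()});
            }
            EntityDescriptor entityDescriptor = (EntityDescriptor) metadata;
            basicMessageContext.setPeerEntityId(entityDescriptor.getEntityID());
            IDPSSODescriptor idpDescriptor = entityDescriptor.getIDPSSODescriptor(SAML20_PROTOCOL);
            if (idpDescriptor == null) {
                throw new SamlException("SAML20_IDP_METADATA_PARSE_ERROR", (Exception) null, new Object[]{this.ssoService.getConfig().getIdpMetadata(), this.ssoService.getProviderId(), "No IDPSSODescriptor"});
            }
            SingleSignOnService postEndpoint = findHttpPostEndpoint(idpDescriptor);
            if (postEndpoint == null) {
                throw new SamlException("SAML20_IDP_METADATA_PARSE_ERROR", (Exception) null, new Object[]{this.ssoService.getConfig().getIdpMetadata(), this.ssoService.getProviderId(), "No SingleSignOnService with HTTP-POST binding"});
            }
            // buildAuthnRequest reads the Destination from this endpoint.
            basicMessageContext.setPeerEntityEndpoint(postEndpoint);
            String idpLoginUrl = postEndpoint.getLocation();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "idpLogin url:" + idpLoginUrl + "(" + HTTP_POST_BINDING + ")", new Object[0]);
            }
            return idpLoginUrl;
        } catch (MetadataProviderException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "214", this, new Object[]{basicMessageContext});
            throw new SamlException(e);
        }
    }

    /**
     * Returns the first SingleSignOnService of the descriptor with the HTTP-POST
     * binding, or null when there is none.
     */
    private static SingleSignOnService findHttpPostEndpoint(IDPSSODescriptor idpDescriptor) {
        for (SingleSignOnService ssoService : idpDescriptor.getSingleSignOnServices()) {
            if (HTTP_POST_BINDING.equals(ssoService.getBinding())) {
                return ssoService;
            }
        }
        return null;
    }

    /**
     * Builds the unsigned AuthnRequest: ID, this SP's ACS URL, HTTP-POST protocol
     * binding, SAML 2.0, ForceAuthn/IsPassive from config, NameIDPolicy, Issuer (this
     * SP's entity URL), IssueInstant = now, Destination = the endpoint on the context
     * and, when configured, a RequestedAuthnContext.
     *
     * @param str                 value of the request's ID attribute
     * @param httpServletRequest  used to derive this SP's ACS and entity URLs
     * @param basicMessageContext must already carry the peer entity endpoint
     *                            (set by {@link #handleIdpMetadataAndLoginUrl})
     * @return the populated request
     */
    AuthnRequest buildAuthnRequest(String str, HttpServletRequest httpServletRequest, BasicMessageContext<?, ?, ?> basicMessageContext) {
        SsoConfig config = this.ssoService.getConfig();
        String providerId = this.ssoService.getProviderId();
        AuthnRequest request = new AuthnRequestBuilder().buildObject();
        request.setID(str);
        request.setAssertionConsumerServiceURL(RequestUtil.getAcsUrl(httpServletRequest, Constants.SAML20_CONTEXT_PATH, providerId, config));
        request.setProtocolBinding(HTTP_POST_BINDING);
        request.setVersion(SAMLVersion.VERSION_20);
        request.setForceAuthn(Boolean.valueOf(config.isForceAuthn()));
        request.setIsPassive(Boolean.valueOf(config.isPassive()));
        request.setNameIDPolicy(buildNameIdPolicy(config));
        request.setIssuer(getIssuer(RequestUtil.getEntityUrl(httpServletRequest, Constants.SAML20_CONTEXT_PATH, providerId, config)));
        request.setIssueInstant(new DateTime());
        // Destination is the same location the request is posted to (see postIdp).
        request.setDestination(basicMessageContext.getPeerEntityEndpoint().getLocation());
        RequestedAuthnContext requestedAuthnContext = buildRequestedAuthnContext();
        if (requestedAuthnContext != null) {
            request.setRequestedAuthnContext(requestedAuthnContext);
        }
        return request;
    }

    /**
     * Builds a RequestedAuthnContext from the configured authnContextClassRef values,
     * or returns null when none are configured (the element is then omitted).
     *
     * @return the element carrying the class refs and comparison type, or null
     */
    RequestedAuthnContext buildRequestedAuthnContext() {
        SsoConfig config = this.ssoService.getConfig();
        String[] classRefs = config.getAuthnContextClassRef();
        if (classRefs == null || classRefs.length == 0) {
            return null;
        }
        RequestedAuthnContext requestedAuthnContext = new RequestedAuthnContextBuilder().buildObject();
        addAuthnContextClassRef(requestedAuthnContext, classRefs);
        requestedAuthnContext.setComparison(getAuthnContextComparisonTypeEnumeration(config.getAuthnContextComparisonType()));
        return requestedAuthnContext;
    }

    /**
     * Maps the configured comparison keyword to the SAML enumeration; anything
     * unrecognised (including null) falls back to EXACT, the SAML default.
     *
     * @param str configured value ("exact", "minimum", "maximum", "better")
     * @return the matching enumeration value, EXACT by default
     */
    AuthnContextComparisonTypeEnumeration getAuthnContextComparisonTypeEnumeration(String str) {
        if ("exact".equals(str)) {
            return AuthnContextComparisonTypeEnumeration.EXACT;
        }
        if ("minimum".equals(str)) {
            return AuthnContextComparisonTypeEnumeration.MINIMUM;
        }
        // PmiConstants.LEVEL_MAX_STRING stands in for the "maximum" keyword in the shipped
        // build (presumably a constant the decompiler folded) — TODO confirm its value
        // before replacing it with a literal.
        if (PmiConstants.LEVEL_MAX_STRING.equals(str)) {
            return AuthnContextComparisonTypeEnumeration.MAXIMUM;
        }
        if ("better".equals(str)) {
            return AuthnContextComparisonTypeEnumeration.BETTER;
        }
        return AuthnContextComparisonTypeEnumeration.EXACT;
    }

    /**
     * Adds one AuthnContextClassRef element per value, in the given order, at the
     * front of the element's class-ref list (positions 0, 1, ...).
     *
     * @param requestedAuthnContext element to add to
     * @param strArr                class-ref URIs; not null
     */
    void addAuthnContextClassRef(RequestedAuthnContext requestedAuthnContext, String[] strArr) {
        AuthnContextClassRefBuilder builder = new AuthnContextClassRefBuilder();
        List<AuthnContextClassRef> classRefs = requestedAuthnContext.getAuthnContextClassRefs();
        int position = 0;
        for (String uri : strArr) {
            AuthnContextClassRef classRef = builder.buildObject();
            classRef.setAuthnContextClassRef(uri);
            classRefs.add(position++, classRef);
        }
    }

    /**
     * @param str the issuer value (this SP's entity URL)
     * @return a new Issuer element carrying {@code str}
     */
    Issuer getIssuer(String str) {
        Issuer issuer = new IssuerBuilder().buildObject();
        issuer.setValue(str);
        return issuer;
    }

    /**
     * Builds the NameIDPolicy: Format only when configured non-empty, AllowCreate only
     * when configured (null leaves the attribute unset).
     *
     * @param ssoConfig source of nameIDFormat and allowCreate
     * @return the policy element
     */
    NameIDPolicy buildNameIdPolicy(SsoConfig ssoConfig) {
        NameIDPolicy policy = new NameIDPolicyBuilder().buildObject();
        String nameIdFormat = ssoConfig.getNameIDFormat();
        if (nameIdFormat != null && !nameIdFormat.isEmpty()) {
            policy.setFormat(nameIdFormat);
        }
        Boolean allowCreate = ssoConfig.getAllowCreate();
        if (allowCreate != null) {
            policy.setAllowCreate(Boolean.valueOf(allowCreate.booleanValue()));
        }
        return policy;
    }

    /**
     * Writes the auto-post form that sends the AuthnRequest to the IdP.
     *
     * @param httpServletRequest  the triggering request
     * @param httpServletResponse response the form is written to
     * @param str                 the AuthnRequest XML
     * @param str2                the RelayState value
     * @param str3                the IdP single sign-on URL
     * @param httpRequestInfo     carries the fragment cookie id to forward
     * @return {@code TAIResult.create(403)} once the form has been written; the HTTP
     *         status sent to the client was set to 200 above it — presumably the 403
     *         tells the TAI framework that authentication is not complete for this
     *         request (confirm against the TAI contract)
     * @throws WebTrustAssociationFailedException if any of the three values is null or
     *         writing the form fails (the SamlException is kept as the cause)
     */
    TAIResult postIdp(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2, String str3, HttpRequestInfo httpRequestInfo) throws WebTrustAssociationFailedException {
        // Check before encoding so a null request yields this error rather than a NullPointerException.
        if (str == null || str2 == null || str3 == null) {
            throw new WebTrustAssociationFailedException("RelayState, Single-Sign-On URL, and AuthnRequest must be provided");
        }
        // Single-line base64 so the value survives as one form field.
        String samlRequest = Base64.encodeBytes(str.getBytes(UTF8), Base64.DONT_BREAK_LINES);
        try {
            httpServletResponse.setStatus(200);
            ForwardRequestInfo forwardRequestInfo = new ForwardRequestInfo(str3);
            forwardRequestInfo.setFragmentCookieId(httpRequestInfo.getFragmentCookieId());
            forwardRequestInfo.setParameter("RelayState", new String[]{str2});
            forwardRequestInfo.setParameter("SAMLRequest", new String[]{samlRequest});
            forwardRequestInfo.redirectPostRequest(httpServletRequest, httpServletResponse, null, null);
            return TAIResult.create(403);
        } catch (SamlException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "397", this, new Object[]{httpServletRequest, httpServletResponse, str, str2, str3, httpRequestInfo});
            WebTrustAssociationFailedException failure = new WebTrustAssociationFailedException(e.getMessage());
            failure.initCause(e);
            throw failure;
        }
    }

    /**
     * Signs the object with an enveloped XML signature: algorithm from config,
     * exclusive C14N, the given credential. The object is marshalled first because the
     * signer works on the DOM.
     *
     * <p>Nothing is signed when the object is not signable or {@code credential} is
     * null; the caller only reaches here with {@code authnRequestsSigned} set, so that
     * case now leaves a debug trace rather than passing silently.
     *
     * @param sAMLObject the object to sign (in practice the AuthnRequest)
     * @param credential the SP's signing credential; null skips signing
     * @throws SamlException if the signature parameters cannot be prepared, no
     *         marshaller exists for the object, or marshalling/signing fails
     */
    void signAuthnRequest(SAMLObject sAMLObject, Credential credential) throws SamlException {
        if (!(sAMLObject instanceof SignableSAMLObject) || credential == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "signAuthnRequest: skipped (object not signable or no signing credential)", new Object[0]);
            }
            return;
        }
        SsoConfig config = this.ssoService.getConfig();
        SignableSAMLObject signable = (SignableSAMLObject) sAMLObject;
        Signature signature = (Signature) Configuration.getBuilderFactory().getBuilder(Signature.DEFAULT_ELEMENT_NAME).buildObject(Signature.DEFAULT_ELEMENT_NAME);
        signature.setSignatureAlgorithm(config.getSignatureMethodAlgorithm());
        signature.setCanonicalizationAlgorithm(EXC_C14N);
        signature.setSigningCredential(credential);
        try {
            SecurityHelper.prepareSignatureParams(signature, credential, null, null);
        } catch (SecurityException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "429", this, new Object[]{sAMLObject, credential});
            throw new SamlException((Exception) e, true);
        }
        signable.setSignature(signature);
        // Checked outside the try below so this SamlException keeps its own message key
        // instead of being re-wrapped by the generic catch.
        Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(signable);
        if (marshaller == null) {
            throw new SamlException("SAML20_AUTHENTICATION_FAIL", (Exception) null, new Object[0]);
        }
        try {
            marshaller.marshall(signable);
            Signer.signObject(signature);
        } catch (Exception e) {
            // Kept broad: marshall() and signObject() throw different checked exceptions,
            // and both must surface as a SamlException.
            FFDCFilter.processException(e, FFDC_SOURCE, "448", this, new Object[]{sAMLObject, credential});
            throw new SamlException(e, true);
        }
    }

    /**
     * Serialises the (possibly signed) request to an XML string.
     *
     * @param authnRequest the request; null yields null
     * @return the XML text, or null when {@code authnRequest} is null
     * @throws SamlException if marshalling fails
     */
    String getAuthnRequestString(AuthnRequest authnRequest) throws SamlException {
        if (authnRequest == null) {
            return null;
        }
        try {
            return XMLHelper.nodeToString(new AuthnRequestMarshaller().marshall(authnRequest));
        } catch (MarshallingException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "461", this, new Object[]{authnRequest});
            throw new SamlException((Exception) e, true);
        }
    }
}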
