package org.forgerock.openam.authentication.modules.saml2;

import com.google.common.annotations.VisibleForTesting;
import com.sun.identity.federation.common.FSUtils;
import com.sun.identity.saml.common.SAMLUtils;
import com.sun.identity.saml2.assertion.Assertion;
import com.sun.identity.saml2.assertion.Subject;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.common.SAML2FailoverUtils;
import com.sun.identity.saml2.common.SAML2Utils;
import com.sun.identity.saml2.meta.SAML2MetaException;
import com.sun.identity.saml2.meta.SAML2MetaManager;
import com.sun.identity.saml2.meta.SAML2MetaUtils;
import com.sun.identity.saml2.profile.ResponseInfo;
import com.sun.identity.saml2.profile.SPACSUtils;
import com.sun.identity.saml2.profile.SPCache;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.shared.encode.CookieUtils;
import com.sun.identity.shared.encode.URLEncDec;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Map;
import java.util.UUID;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.forgerock.guice.core.InjectorHolder;
import org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException;
import org.forgerock.openam.saml2.SAML2Store;
import org.forgerock.openam.utils.StringUtils;
import org.forgerock.openam.utils.Time;
import org.forgerock.openam.xui.XUIState;
import org.owasp.esapi.ESAPI;

/* loaded from: input_file:org/forgerock/openam/authentication/modules/saml2/SAML2Proxy.class */
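/**
 * Servlet-side glue for the SAML2 authentication module.
 *
 * <p>The SAML response posted to the service provider's assertion consumer endpoint is fetched and
 * verified here. The verified result is stored under a freshly generated one-time key (in the SAML2
 * failover store when that is enabled, otherwise in {@link SAML2Store}) and the browser is sent back
 * to the login page with {@code responsekey=<key>&error=false} appended. Every failure instead sends
 * the browser back with {@code error=true&errorCode=<code>&errorMessage=<text>}.
 *
 * <p>The login page URL is read from the {@code authenticationStep} cookie and is therefore
 * client-supplied; see {@link #getLocationValue}.
 */
public final class SAML2Proxy {
    /** Query parameter carrying the one-time key under which the verified response was stored. */
    public static final String RESPONSE_KEY = "responsekey";
    /** Message used when no more specific detail is available (also the cookie-missing failure text). */
    public static final String DEFAULT_ERROR_MESSAGE = "Request not valid!";
    /** Error code: null request/response or oversized request body. */
    public static final String BAD_REQUEST = "badRequest";
    /** Error code: load-balancer cookie had to be set and a redirect was issued instead. */
    public static final String MISSING_COOKIE = "missingCookie";
    /** Error code: no {@link SAML2MetaManager} available. */
    public static final String MISSING_META_MANAGER = "missingMeta";
    /** Error code: hosted entity for the request's metaAlias could not be resolved. */
    public static final String META_DATA_ERROR = "metaError";
    /** Error code: the SAML response could not be obtained from the request. */
    public static final String SAML_GET_RESPONSE_ERROR = "samlGet";
    /** Error code: the SAML response failed verification. */
    public static final String SAML_VERIFY_RESPONSE_ERROR = "samlVerify";
    /** Error code: persisting the verified response to the failover store failed. */
    public static final String SAML_FAILOVER_DISABLED_ERROR = "samlFailover";
    /** Query parameter: {@code true} on an error redirect, {@code false} on success. */
    public static final String ERROR_PARAM_KEY = "error";
    /** Query parameter carrying one of the error codes above. */
    public static final String ERROR_CODE_PARAM_KEY = "errorCode";
    /** Query parameter carrying a human-readable (URL-encoded) error message. */
    public static final String ERROR_MESSAGE_PARAM_KEY = "errorMessage";
    private static final Debug DEBUG = Debug.getInstance("amAuthSAML2");
    /** Cookie holding the login page URL the browser is sent back to. */
    private static final String AUTH_STEP_COOKIE = "authenticationStep";

    private SAML2Proxy() {
    }

    /** Returns a fresh random key under which a single verified response is stored. */
    private static String generateKey() {
        return UUID.randomUUID().toString();
    }

    /**
     * Processes the posted SAML response and sends the browser back to the login page.
     *
     * <p>With the XUI enabled this is a plain HTTP redirect; otherwise an auto-submitting HTML form
     * is written to {@code printWriter} so the browser POSTs back to the login page.
     *
     * @param httpServletRequest  the request carrying the SAML response.
     * @param httpServletResponse the response used for the redirect.
     * @param printWriter         where the form HTML is written when the XUI is disabled.
     * @throws IOException if the redirect cannot be sent.
     * @throws IllegalStateException if the {@code authenticationStep} cookie is absent or empty.
     */
    public static void processSamlResponse(HttpServletRequest httpServletRequest,
            HttpServletResponse httpServletResponse, PrintWriter printWriter) throws IOException {
        String url = getUrl(httpServletRequest, httpServletResponse);
        if (((XUIState) InjectorHolder.getInstance(XUIState.class)).isXUIEnabled()) {
            httpServletResponse.sendRedirect(url);
        } else {
            printWriter.println(getAutoSubmittingFormHtml(url));
        }
    }

    /**
     * Fetches, verifies and stores the SAML response, then returns the URL to send the browser to.
     *
     * <p>Every failure path returns an error URL (see {@link #getUrlWithError}) rather than
     * propagating the exception; only {@link IOException} from fetching the response escapes.
     *
     * @return the success URL carrying the storage key, or an error URL.
     * @throws IOException           if reading the SAML response fails.
     * @throws IllegalStateException if the {@code authenticationStep} cookie is absent or empty.
     */
    private static String getUrl(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse)
            throws IOException {
        if (httpServletRequest == null || httpServletResponse == null) {
            DEBUG.error("SAML2Proxy: Null request or response");
            // NOTE(review): the error URL is still built from this (possibly null) request's cookie;
            // confirm CookieUtils tolerates a null request, otherwise this path throws instead.
            return getUrlWithError(httpServletRequest, BAD_REQUEST);
        }
        try {
            // Reject oversized bodies before any SAML parsing is attempted.
            SAMLUtils.checkHTTPContentLength(httpServletRequest);
            if (FSUtils.needSetLBCookieAndRedirect(httpServletRequest, httpServletResponse, false)) {
                return getUrlWithError(httpServletRequest, MISSING_COOKIE);
            }
            String metaAlias = SAML2MetaUtils.getMetaAliasByUri(httpServletRequest.getRequestURL().toString());
            SAML2MetaManager metaManager = SAML2Utils.getSAML2MetaManager();
            if (metaManager == null) {
                DEBUG.error("SAML2Proxy: Unable to obtain metaManager");
                return getUrlWithError(httpServletRequest, MISSING_META_MANAGER);
            }
            try {
                String hostedEntityId = metaManager.getEntityByMetaAlias(metaAlias);
                if (hostedEntityId == null) {
                    // Routed through the SAML2MetaException handler below so both cases log and
                    // answer identically.
                    throw new SAML2MetaException("Caught Instantly");
                }
                String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
                if (StringUtils.isEmpty(realm)) {
                    realm = "/";
                }
                try {
                    ResponseInfo responseInfo = SPACSUtils.getResponse(httpServletRequest, httpServletResponse,
                            realm, hostedEntityId, metaManager);
                    try {
                        Map<?, ?> verified = SAML2Utils.verifyResponse(httpServletRequest, httpServletResponse,
                                responseInfo.getResponse(), realm, hostedEntityId, responseInfo.getProfileBinding());
                        String key = generateKey();
                        SAML2ResponseData responseData = new SAML2ResponseData(
                                (String) verified.get("SessionIndex"),
                                (Subject) verified.get("Subject"),
                                (Assertion) verified.get("assertion"),
                                responseInfo);
                        if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
                            try {
                                // Expiry is an absolute time in seconds; SPCache.interval is the SP cache TTL.
                                SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(key, responseData,
                                        (Time.currentTimeMillis() / 1000) + SPCache.interval);
                            } catch (SAML2TokenRepositoryException e) {
                                DEBUG.error("An error occurred while persisting the SAML token", e);
                                return getUrlWithError(httpServletRequest, SAML_FAILOVER_DISABLED_ERROR);
                            }
                        } else {
                            SAML2Store.saveTokenWithKey(key, responseData);
                        }
                        return getUrlWithKey(httpServletRequest, key);
                    } catch (SAML2Exception e) {
                        DEBUG.error("SAML2Proxy: An error occurred while verifying the SAML response", e);
                        return getUrlWithError(httpServletRequest, SAML_VERIFY_RESPONSE_ERROR,
                                e.getL10NMessage(httpServletRequest.getLocale()));
                    }
                } catch (SAML2Exception e) {
                    DEBUG.error("SAML2Proxy: Unable to obtain SAML response", e);
                    return getUrlWithError(httpServletRequest, SAML_GET_RESPONSE_ERROR,
                            e.getL10NMessage(httpServletRequest.getLocale()));
                }
            } catch (SAML2MetaException e) {
                DEBUG.warning("SAML2Proxy: unable to find hosted entity with metaAlias: {} Exception: {}",
                        metaAlias, e.toString());
                return getUrlWithError(httpServletRequest, META_DATA_ERROR);
            }
        } catch (ServletException e) {
            DEBUG.error("SAML2Proxy: content length too large");
            return getUrlWithError(httpServletRequest, BAD_REQUEST);
        }
    }

    /**
     * Builds the success URL: the login page from the cookie plus {@code responsekey=<key>&error=false}.
     *
     * @param httpServletRequest request carrying the {@code authenticationStep} cookie.
     * @param key                the key under which the verified response was stored.
     * @throws IllegalStateException if the cookie is absent or empty.
     */
    protected static String getUrlWithKey(HttpServletRequest httpServletRequest, String key) {
        return encodeMessage(requireLocation(httpServletRequest), key);
    }

    /** Same as {@link #getUrlWithError(HttpServletRequest, String, String)} with {@link #DEFAULT_ERROR_MESSAGE}. */
    protected static String getUrlWithError(HttpServletRequest httpServletRequest, String errorCode) {
        return getUrlWithError(httpServletRequest, errorCode, DEFAULT_ERROR_MESSAGE);
    }

    /**
     * Builds the error URL: the login page from the cookie plus
     * {@code error=true&errorCode=<errorCode>&errorMessage=<errorMessage>} (values URL-encoded).
     *
     * <p>The query separator is chosen the same way as for the success URL, so a cookie value
     * without a query string gets {@code ?} rather than a dangling {@code &}.
     *
     * @throws IllegalStateException if the cookie is absent or empty.
     */
    protected static String getUrlWithError(HttpServletRequest httpServletRequest, String errorCode,
            String errorMessage) {
        StringBuilder location = requireLocation(httpServletRequest);
        appendQuerySeparator(location);
        location.append(ERROR_PARAM_KEY).append("=").append(true)
                .append("&").append(ERROR_CODE_PARAM_KEY).append("=").append(URLEncDec.encode(errorCode))
                .append("&").append(ERROR_MESSAGE_PARAM_KEY).append("=").append(URLEncDec.encode(errorMessage));
        return location.toString();
    }

    /** Appends {@code responsekey=<key>&error=false} to {@code location}, after the proper query separator. */
    private static String encodeMessage(StringBuilder location, String key) {
        appendQuerySeparator(location);
        location.append(RESPONSE_KEY).append("=").append(URLEncDec.encode(key))
                .append("&").append(ERROR_PARAM_KEY).append("=").append(false);
        return location.toString();
    }

    /** Appends {@code &} when {@code location} already has a query string, else {@code ?}. */
    private static void appendQuerySeparator(StringBuilder location) {
        location.append(location.indexOf("?") >= 0 ? "&" : "?");
    }

    /**
     * Reads the login page URL from the {@code authenticationStep} cookie.
     *
     * <p>NOTE(review): this value is attacker-controllable (it is a request cookie) and is used
     * unchanged as a redirect target / form action by the callers. Nothing in this class checks
     * that it points at this deployment; confirm the cookie is validated where it is set, or
     * validate it here against the deployment's known login URL before redirecting.
     *
     * @return the cookie value as a mutable builder, or {@code null} when absent or empty.
     */
    private static StringBuilder getLocationValue(HttpServletRequest httpServletRequest) {
        String location = CookieUtils.getCookieValueFromReq(httpServletRequest, AUTH_STEP_COOKIE);
        return StringUtils.isEmpty(location) ? null : new StringBuilder(location);
    }

    /** Like {@link #getLocationValue} but throws {@link IllegalStateException} when the cookie is missing. */
    private static StringBuilder requireLocation(HttpServletRequest httpServletRequest) {
        StringBuilder location = getLocationValue(httpServletRequest);
        if (location == null) {
            throw new IllegalStateException(DEFAULT_ERROR_MESSAGE);
        }
        return location;
    }

    /**
     * Renders a minimal page whose form POSTs to {@code url} as soon as it loads, with a manual
     * submit button as a no-JavaScript fallback.
     *
     * @param url the form action; it is HTML-attribute-encoded so it cannot break out of the attribute.
     */
    @VisibleForTesting
    protected static String getAutoSubmittingFormHtml(String url) {
        String action = ESAPI.encoder().encodeForHTMLAttribute(url);
        return "<html>\n"
                + "<body onLoad=\"document.postform.submit()\">\n"
                + "<form name=\"postform\" action=\"" + action + "\" method=\"post\">\n"
                + "<noscript>\n<center>\n"
                + "<p>Your browser does not have JavaScript enabled, "
                + "you must click the button below to continue</p>\n"
                + "<input type=\"submit\" value=\"submit\" />\n"
                + "</center>\n</noscript>\n"
                + "</form>\n"
                + "</body>\n"
                + "</html>\n";
    }
}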
