package org.forgerock.openam.authentication.modules.saml2;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.authentication.spi.AMPostAuthProcessInterface;
import com.sun.identity.authentication.spi.AuthenticationException;
import com.sun.identity.plugin.session.SessionException;
import com.sun.identity.plugin.session.SessionManager;
import com.sun.identity.plugin.session.SessionProvider;
import com.sun.identity.saml2.assertion.Issuer;
import com.sun.identity.saml2.assertion.NameID;
import com.sun.identity.saml2.assertion.impl.NameIDImplWithoutSPNameQualifier;
import com.sun.identity.saml2.common.NameIDInfo;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.common.SAML2FailoverUtils;
import com.sun.identity.saml2.common.SAML2Utils;
import com.sun.identity.saml2.jaxb.metadata.EndpointType;
import com.sun.identity.saml2.meta.SAML2MetaManager;
import com.sun.identity.saml2.meta.SAML2MetaUtils;
import com.sun.identity.saml2.plugins.SAML2ServiceProviderAdapter;
import com.sun.identity.saml2.profile.CacheObject;
import com.sun.identity.saml2.profile.IDPProxyUtil;
import com.sun.identity.saml2.profile.LogoutUtil;
import com.sun.identity.saml2.profile.ResponseInfo;
import com.sun.identity.saml2.profile.SPACSUtils;
import com.sun.identity.saml2.profile.SPCache;
import com.sun.identity.saml2.protocol.AuthnRequest;
import com.sun.identity.saml2.protocol.LogoutRequest;
import com.sun.identity.saml2.protocol.ProtocolFactory;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.shared.xml.XMLUtils;
import com.sun.identity.sm.DNMapper;
import java.io.PrintWriter;
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.forgerock.guice.core.InjectorHolder;
import org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException;
import org.forgerock.openam.saml2.SAML2Store;
import org.forgerock.openam.utils.Time;
import org.forgerock.openam.xui.XUIState;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.EncodingException;

/* loaded from: input_file:org/forgerock/openam/authentication/modules/saml2/SAML2PostAuthenticationPlugin.class */
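public class SAML2PostAuthenticationPlugin implements AMPostAuthProcessInterface {
    private static final Debug DEBUG = Debug.getInstance("amAuthSAML2");
    private static final SAML2MetaManager META_MANAGER = SAML2Utils.getSAML2MetaManager();
    /** Session property holding the IdP SingleLogoutService location chosen at login. */
    private static final String SLO_SESSION_LOCATION = "saml2SLOLoc";
    /** Session property holding the (optionally signed) query string of the LogoutRequest. */
    private static final String SLO_SESSION_REFERENCE = "saml2SLORef";

    /** Only this SLO binding is supported by this post-authentication plugin. */
    private static final String HTTP_REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";

    /**
     * Completes SAML2 SP-side processing once the authentication module has created a session.
     *
     * <p>Reads the values the SAML2 authentication module left on the session (metaAlias, SessionIndex,
     * spEntityID, idpEntityID, NameID, ...), retrieves the cached response data for the cache key, wires up
     * single logout when it is enabled for the session, records the federation info for IdP-initiated SLO,
     * invokes the configured SP adapter, and finally blanks the raw SAML properties from the session.
     *
     * <p>Failures are logged and swallowed: the session stays valid but SLO is not configured for it.
     * NOTE(review): on the failure path the raw SAML properties are NOT cleared (only the success path
     * reaches {@link #clearSession}) — confirm whether that is intended.
     *
     * @param map the request parameter map passed by the authentication framework (unused here)
     * @param httpServletRequest the login request
     * @param httpServletResponse the login response
     * @param sSOToken the newly created session
     */
    @Override
    public void onLoginSuccess(Map map, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SSOToken sSOToken) {
        try {
            String metaAlias = sSOToken.getProperty("metaAlias");
            String sessionIndex = sSOToken.getProperty("SessionIndex");
            String spEntityId = sSOToken.getProperty("spEntityID");
            String idpEntityId = sSOToken.getProperty("idpEntityID");
            NameIDImplWithoutSPNameQualifier nameId = new NameIDImplWithoutSPNameQualifier(sSOToken.getProperty("NameID"));
            boolean isTransient = Boolean.parseBoolean(sSOToken.getProperty(Constants.IS_TRANSIENT));
            String requestId = sSOToken.getProperty(Constants.REQUEST_ID);
            String sloEnabled = sSOToken.getProperty("openam.saml.singlelogout.enabled");
            String cacheKey = sSOToken.getProperty(Constants.CACHE_KEY);
            String realm = DNMapper.orgNameToRealmName(sSOToken.getProperty("Organization"));

            SessionProvider sessionProvider = SessionManager.getProvider();
            NameIDInfo nameIdInfo = new NameIDInfo(spEntityId, idpEntityId, nameId, "SPRole", false);

            SAML2ResponseData responseData = lookupResponseData(cacheKey);
            if (responseData == null) {
                throw new SAML2Exception("Unable to retrieve response map from data cache.");
            }

            if (Boolean.parseBoolean(sloEnabled)) {
                setupSingleLogOut(sSOToken, metaAlias, sessionIndex, spEntityId, idpEntityId, nameId);
            }
            configureIdpInitSLO(sessionProvider, sSOToken, sessionIndex, metaAlias, nameIdInfo, isTransient, requestId);
            configurePostSSO(spEntityId, realm, httpServletRequest, httpServletResponse, sSOToken, sessionProvider,
                    responseData.getResponseInfo(), cacheKey);
            clearSession(sSOToken);
        } catch (SAML2Exception | SessionException | SSOException | SAML2TokenRepositoryException e) {
            DEBUG.warning("Error saving SAML assertion information in memory. SLO not configured for this session.", e);
        }
    }

    /**
     * Fetches the cached response data for the given key, falling back to the failover store when the
     * local store has no entry and failover is enabled.
     *
     * @param cacheKey the cache key recorded on the session by the authentication module
     * @return the cached data, or {@code null} when neither store has it
     * @throws SAML2TokenRepositoryException if the failover store cannot be read
     */
    private SAML2ResponseData lookupResponseData(String cacheKey) throws SAML2TokenRepositoryException {
        SAML2ResponseData data = (SAML2ResponseData) SAML2Store.getTokenFromStore(cacheKey);
        if (data == null && SAML2FailoverUtils.isSAML2FailoverEnabled()) {
            data = (SAML2ResponseData) SAML2FailoverUtils.retrieveSAML2Token(cacheKey);
        }
        return data;
    }

    /**
     * Runs the SP adapter's post-SSO hook (if an adapter is configured) and drops the per-request
     * entries from the SP caches.
     *
     * <p>The adapter's return value is stored on the session as {@code SAML2ResponseRedirected} so the
     * caller can tell whether the adapter already redirected the response. The cache entries are removed
     * regardless of whether an adapter exists, so they cannot be replayed against another login.
     *
     * @param spEntityId the SP entity id
     * @param realm the realm the SP lives in
     * @param httpServletRequest the login request
     * @param httpServletResponse the login response
     * @param sSOToken the new session
     * @param sessionProvider provider used to write the session property
     * @param responseInfo the cached SAML response info (its response and binding are handed to the adapter)
     * @param cacheKey key of the AuthnRequest / federation-account cache entries
     * @throws SAML2Exception if the adapter class cannot be loaded
     */
    private void configurePostSSO(String spEntityId, String realm, HttpServletRequest httpServletRequest,
            HttpServletResponse httpServletResponse, SSOToken sSOToken, SessionProvider sessionProvider,
            ResponseInfo responseInfo, String cacheKey) throws SAML2Exception {
        AuthnRequest authnRequest = (AuthnRequest) SPCache.authnRequestHash.get(cacheKey);
        boolean isFederated = Boolean.parseBoolean((String) SPCache.fedAccountHash.get(cacheKey));
        SAML2ServiceProviderAdapter spAdapter = SAML2Utils.getSPAdapterClass(spEntityId, realm);
        if (spAdapter != null) {
            try {
                boolean redirected = spAdapter.postSingleSignOnSuccess(spEntityId, realm, httpServletRequest,
                        httpServletResponse, (PrintWriter) null, sSOToken, authnRequest, responseInfo.getResponse(),
                        responseInfo.getProfileBinding(), isFederated);
                sessionProvider.setProperty(sSOToken, "SAML2ResponseRedirected", new String[]{String.valueOf(redirected)});
            } catch (SessionException | UnsupportedOperationException e) {
                DEBUG.warning("SAML2PostAuthenticationPlugin.configurePostSSO :: failed to set properties in session.", e);
            }
        }
        // Single-use entries: clear them whether or not an adapter consumed them.
        SPCache.authnRequestHash.remove(cacheKey);
        SPCache.fedAccountHash.remove(cacheKey);
    }

    /**
     * Records the federation information needed to honour an IdP-initiated logout for this session.
     *
     * @param sessionProvider provider used to store the info
     * @param sSOToken the session
     * @param sessionIndex the SessionIndex from the assertion (may be null)
     * @param metaAlias the SP meta alias
     * @param nameIdInfo the NameID info tying the session to the IdP
     * @param isTransient whether the NameID is transient
     * @param requestId id of the originating AuthnRequest, used to decide whether IdP proxying is on
     */
    private void configureIdpInitSLO(SessionProvider sessionProvider, SSOToken sSOToken, String sessionIndex,
            String metaAlias, NameIDInfo nameIdInfo, boolean isTransient, String requestId)
            throws SessionException, SAML2Exception, SSOException {
        SPACSUtils.saveInfoInMemory(sessionProvider, sSOToken, sessionIndex, metaAlias, nameIdInfo,
                IDPProxyUtil.isIDPProxyEnabled(requestId), isTransient);
    }

    /**
     * Prepares SP-initiated single logout: picks the IdP's HTTP-Redirect SLO endpoint, builds and stores a
     * LogoutRequest, and saves the endpoint location and the request's query string on the session so
     * {@link #onLogout} can redirect to the IdP later.
     *
     * <p>Aborts (with a warning, leaving the session untouched) when the IdP has no HTTP-Redirect SLO
     * endpoint, when its descriptor cannot be found, or when the failover store rejects the request.
     *
     * @param sSOToken the session
     * @param metaAlias the SP meta alias
     * @param sessionIndex the SessionIndex from the assertion (may be null)
     * @param spEntityId the SP entity id
     * @param idpEntityId the IdP entity id
     * @param nameId the NameID to put in the LogoutRequest
     */
    private void setupSingleLogOut(SSOToken sSOToken, String metaAlias, String sessionIndex, String spEntityId,
            String idpEntityId, NameID nameId) throws SSOException, SAML2Exception, SessionException {
        String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
        String relayState = sSOToken.getProperty("RelayState");

        // Reuse the shared meta manager (as createLogoutRequest does) instead of constructing a new one.
        // NOTE(review): assumes getIDPSSODescriptor returns null for an unknown entity — confirm.
        Object idpDescriptor = META_MANAGER.getIDPSSODescriptor(realm, idpEntityId);
        if (idpDescriptor == null) {
            DEBUG.warning("Unable to locate IDP descriptor for SLO. Aborting SLO attempt.");
            return;
        }
        EndpointType sloEndpoint = findRedirectEndpoint(
                META_MANAGER.getIDPSSODescriptor(realm, idpEntityId).getSingleLogoutService());
        if (sloEndpoint == null) {
            DEBUG.warning("Unable to determine SLO endpoint. Aborting SLO attempt. Please note this PAP only supports HTTP-Redirect as a valid binding.");
            return;
        }

        LogoutRequest logoutRequest = createLogoutRequest(metaAlias, realm, idpEntityId, sloEndpoint, nameId, sessionIndex);
        // Expiry for the stored request, in seconds, matching the SP cache interval.
        long expirySeconds = (Time.currentTimeMillis() / 1000) + SPCache.interval;
        String redirectQuery = getRedirectURL(logoutRequest.toXMLString(true, true), relayState, realm, idpEntityId,
                sloEndpoint.getLocation(), spEntityId);

        // Persist the request so the IdP's LogoutResponse can be matched to it later.
        if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
            try {
                SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(logoutRequest.getID(), logoutRequest, expirySeconds);
            } catch (SAML2TokenRepositoryException e) {
                DEBUG.warning("Unable to set SLO redirect location. Aborting SLO attempt.");
                return;
            }
        } else {
            SAML2Store.saveTokenWithKey(logoutRequest.getID(), logoutRequest);
        }
        sSOToken.setProperty(SLO_SESSION_LOCATION, sloEndpoint.getLocation());
        sSOToken.setProperty(SLO_SESSION_REFERENCE, redirectQuery);
    }

    /**
     * Returns the first endpoint in the list whose binding is HTTP-Redirect, or {@code null} if none.
     *
     * @param endpoints the IdP's SingleLogoutService endpoints (elements are {@link EndpointType})
     */
    private EndpointType findRedirectEndpoint(Iterable<?> endpoints) {
        for (Object candidate : endpoints) {
            EndpointType endpoint = (EndpointType) candidate;
            if (HTTP_REDIRECT_BINDING.equals(endpoint.getBinding())) {
                return endpoint;
            }
        }
        return null;
    }

    /**
     * Blanks the raw SAML values the authentication module stored on the session; they are no longer
     * needed once SLO has been configured, and keeping them would expose NameID / request data for the
     * lifetime of the session.
     *
     * @param sSOToken the session to scrub
     * @throws SSOException if a property cannot be written
     */
    private void clearSession(SSOToken sSOToken) throws SSOException {
        String[] propertiesToClear = {
                "RelayState", "SessionIndex", "idpEntityID", "spEntityID", "metaAlias", "reqBinding", "NameID",
                Constants.IS_TRANSIENT, Constants.REQUEST_ID, Constants.CACHE_KEY
        };
        for (String name : propertiesToClear) {
            sSOToken.setProperty(name, "");
        }
    }

    /** No-op: nothing to undo when SAML2 authentication fails. */
    @Override
    public void onLoginFailure(Map map, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException {
    }

    /**
     * On logout, when single logout is enabled for the session, exposes the IdP SLO redirect URL to the
     * logout flow as the request attribute {@code PostProcessLogoutURL}.
     *
     * <p>The URL is the SLO location saved at login followed by the LogoutRequest query string; with the
     * XUI enabled the query string is additionally URL-encoded because the XUI decodes it before use.
     * If the location or query string is missing from the session (e.g. {@link #setupSingleLogOut} aborted),
     * no attribute is set rather than emitting a bogus {@code "nullnull"} URL.
     *
     * @param httpServletRequest the logout request
     * @param httpServletResponse the logout response
     * @param sSOToken the session being logged out
     */
    @Override
    public void onLogout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SSOToken sSOToken) throws AuthenticationException {
        try {
            if (!Boolean.parseBoolean(sSOToken.getProperty("openam.saml.singlelogout.enabled"))) {
                return;
            }
            String sloLocation = sSOToken.getProperty(SLO_SESSION_LOCATION);
            String sloReference = sSOToken.getProperty(SLO_SESSION_REFERENCE);
            if (sloLocation == null || sloLocation.isEmpty() || sloReference == null || sloReference.isEmpty()) {
                DEBUG.warning("SAML2PostAuthenticationPlugin.onLogout :: SLO location or request missing from session. SLO redirect skipped.");
                return;
            }
            XUIState xuiState = InjectorHolder.getInstance(XUIState.class);
            String query = xuiState.isXUIEnabled() ? ESAPI.encoder().encodeForURL(sloReference) : sloReference;
            httpServletRequest.setAttribute("PostProcessLogoutURL", sloLocation + query);
        } catch (EncodingException | SSOException e) {
            DEBUG.warning("Error loading SAML assertion information in memory. SLO failed for this session.", e);
        }
    }

    /**
     * Builds the LogoutRequest sent to the IdP.
     *
     * <p>The destination is the endpoint location (XML-escaped), the issuer is the SP entity behind the
     * meta alias, and the SessionIndex is included only when one is known.
     *
     * @param metaAlias the SP meta alias
     * @param realm the realm
     * @param idpEntityId the IdP entity id
     * @param sloEndpoint the IdP SLO endpoint
     * @param nameId the subject's NameID
     * @param sessionIndex the SessionIndex, or null
     * @throws SAML2Exception if a request id cannot be generated or metadata lookup fails
     */
    private LogoutRequest createLogoutRequest(String metaAlias, String realm, String idpEntityId, EndpointType sloEndpoint,
            NameID nameId, String sessionIndex) throws SAML2Exception, SessionException {
        String requestId = SAML2Utils.generateID();
        if (requestId == null || requestId.isEmpty()) {
            DEBUG.warning("SAML2 PAP :: Unable to perform single logout, unable to generate request ID - {}",
                    new Object[]{SAML2Utils.bundle.getString("cannotGenerateID")});
            throw new SAML2Exception("libSAML2", "cannotGenerateID", new Object[0]);
        }
        String spEntityId = META_MANAGER.getEntityByMetaAlias(metaAlias);
        Issuer issuer = SAML2Utils.createIssuer(spEntityId);

        LogoutRequest logoutRequest = ProtocolFactory.getInstance().createLogoutRequest();
        logoutRequest.setID(requestId);
        logoutRequest.setVersion("2.0");
        logoutRequest.setIssueInstant(Time.newDate());
        logoutRequest.setIssuer(issuer);
        if (sessionIndex != null) {
            logoutRequest.setSessionIndex(Collections.singletonList(sessionIndex));
        }
        logoutRequest.setDestination(XMLUtils.escapeSpecialCharacters(sloEndpoint.getLocation()));
        LogoutUtil.setNameIDForSLORequest(logoutRequest, nameId, realm, spEntityId, "SPRole", idpEntityId);
        return logoutRequest;
    }

    /**
     * Builds the query-string part of the HTTP-Redirect SLO URL.
     *
     * <p>The RelayState value itself is never placed in the URL: it is cached server-side under a freshly
     * generated id and only that id is sent, so the IdP round-trips an opaque reference. When the IdP
     * metadata requires signed logout requests, the whole query string is signed with the SP's key.
     *
     * @param logoutRequestXml the LogoutRequest as XML
     * @param relayState the RelayState to preserve across the logout, or null/empty for none
     * @param realm the realm
     * @param idpEntityId the IdP entity id (used to look up the signing requirement)
     * @param sloLocation the endpoint location, used only to pick {@code ?} or {@code &} as separator
     * @param spEntityId the SP entity id whose key signs the query string
     * @return the separator followed by the (possibly signed) query string
     */
    private String getRedirectURL(String logoutRequestXml, String relayState, String realm, String idpEntityId,
            String sloLocation, String spEntityId) throws SAML2Exception {
        StringBuilder query = new StringBuilder()
                .append("SAMLRequest").append("=").append(SAML2Utils.encodeForRedirect(logoutRequestXml));
        if (relayState != null && relayState.length() > 0) {
            String relayStateRef = SAML2Utils.generateID();
            SPCache.relayStateHash.put(relayStateRef, new CacheObject(relayState));
            query.append("&").append("RelayState").append("=").append(relayStateRef);
        }
        String queryString = query.toString();
        if (SAML2Utils.getWantLogoutRequestSigned(realm, idpEntityId, "IDPRole")) {
            queryString = SAML2Utils.signQueryString(queryString, realm, spEntityId, "SPRole");
        }
        String separator = sloLocation.contains("?") ? "&" : "?";
        return separator + queryString;
    }
}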
