package org.forgerock.openam.saml2;

import com.sun.identity.multiprotocol.MultiProtocolUtils;
import com.sun.identity.plugin.session.SessionException;
import com.sun.identity.plugin.session.SessionManager;
import com.sun.identity.sae.api.Utils;
import com.sun.identity.saml2.common.QuerySignatureUtil;
import com.sun.identity.saml2.common.SAML2Constants;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.common.SAML2Utils;
import com.sun.identity.saml2.common.SOAPCommunicator;
import com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement;
import com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement;
import com.sun.identity.saml2.jaxb.metadata.SingleSignOnServiceElement;
import com.sun.identity.saml2.key.KeyUtil;
import com.sun.identity.saml2.logging.LogUtil;
import com.sun.identity.saml2.meta.SAML2MetaException;
import com.sun.identity.saml2.plugins.IDPAuthnContextInfo;
import com.sun.identity.saml2.plugins.IDPAuthnContextMapper;
import com.sun.identity.saml2.profile.CacheObject;
import com.sun.identity.saml2.profile.ClientFaultException;
import com.sun.identity.saml2.profile.FederatedSSOException;
import com.sun.identity.saml2.profile.IDPCache;
import com.sun.identity.saml2.profile.IDPProxyUtil;
import com.sun.identity.saml2.profile.IDPSSOUtil;
import com.sun.identity.saml2.profile.IDPSession;
import com.sun.identity.saml2.profile.SPCache;
import com.sun.identity.saml2.profile.SPSSOFederate;
import com.sun.identity.saml2.profile.ServerFaultException;
import com.sun.identity.saml2.protocol.AuthnRequest;
import com.sun.identity.saml2.protocol.NameIDPolicy;
import com.sun.identity.saml2.protocol.ProtocolFactory;
import com.sun.identity.saml2.protocol.Response;
import com.sun.identity.shared.configuration.SystemPropertiesManager;
import com.sun.identity.shared.encode.Base64;
import com.sun.identity.shared.encode.URLEncDec;
import com.sun.identity.shared.xml.XMLUtils;
import java.io.ByteArrayInputStream;
import java.io.Closeable;
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.forgerock.openam.utils.CollectionUtils;
import org.forgerock.openam.utils.IOUtils;
import org.forgerock.openam.utils.StringUtils;
import org.w3c.dom.Document;

/* loaded from: input_file:org/forgerock/openam/saml2/UtilProxySAMLAuthenticator.class */
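/**
 * IdP-side handler for an inbound SAML2 {@code AuthnRequest}, used by the utility-proxy
 * variant of the IdP SSO federate endpoint.
 *
 * <p>{@link #authenticate()} decodes the request (HTTP-Redirect, HTTP-POST or ECP/SOAP),
 * checks that the Issuer is a valid source site for this IdP, verifies the request signature
 * and {@code Destination} when the IdP or SP metadata requires signed requests, maps the
 * requested authentication context, and then either answers from the existing session,
 * sends the user to the authentication service, or hands the request to a proxied IdP.
 *
 * <p>Per-request state travels in the {@link IDPSSOFederateRequest} given to the constructor;
 * state that must survive the round trip through the authentication service is parked in the
 * static {@link IDPCache} / {@link SPCache} maps keyed by the AuthnRequest id. An instance is
 * bound to the single request/response pair it was built with.
 */
public class UtilProxySAMLAuthenticator extends SAMLBase implements SAMLAuthenticator {
    /** Inbound servlet request carrying the AuthnRequest (query string, form field or SOAP body). */
    private final HttpServletRequest request;
    /** Servlet response used for redirects and for delivering SAML responses. */
    private final HttpServletResponse response;
    /** Mutable per-request context, also passed to the pre*-adapter hooks (defined outside this file). */
    private final IDPSSOFederateRequest data;
    /** Writer handed to IDPSSOUtil when a SAML Response is written directly to the client. */
    private final PrintWriter out;
    /** True when the request arrived via the ECP profile (SOAP body) rather than a browser binding. */
    private final boolean isFromECP;

    /**
     * Binds the authenticator to one request/response pair.
     *
     * @param iDPSSOFederateRequest per-request context, populated further as {@link #authenticate()} runs
     * @param httpServletRequest inbound request
     * @param httpServletResponse outbound response
     * @param printWriter writer used when a SAML Response is written directly to the client
     * @param z true for the ECP profile (AuthnRequest inside a SOAP body), false for browser bindings
     */
    public UtilProxySAMLAuthenticator(IDPSSOFederateRequest iDPSSOFederateRequest, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, PrintWriter printWriter, boolean z) {
        this.data = iDPSSOFederateRequest;
        this.out = printWriter;
        this.request = httpServletRequest;
        this.response = httpServletResponse;
        this.isFromECP = z;
    }

    /**
     * Processes the inbound AuthnRequest end to end.
     *
     * <p>The method always ends the request itself: a redirect to the authentication service,
     * a SAML Response to the SP (assertion, {@code NoAuthnContext} or {@code NoPassive} status),
     * a proxied AuthnRequest to a preferred IdP, or one of the faults below. Order of checks:
     * decode, Issuer present and valid, signature and Destination (only when metadata requires
     * signing), request id, session lookup, authn-context mapping, then session /
     * session-upgrade / ForceAuthn handling.
     *
     * @throws FederatedSSOException thrown as a {@link ClientFaultException} when the request cannot
     *         be decoded, lacks or has an invalid Issuer, fails signature or Destination verification,
     *         or carries no id; thrown as a {@link ServerFaultException} when metadata, the
     *         authn-context mapper, or a downstream redirect/response fails
     * @throws IOException propagated from the servlet response
     */
    @Override // org.forgerock.openam.saml2.SAMLAuthenticator
    public void authenticate() throws FederatedSSOException, IOException {
        SPSSODescriptorElement spDescriptor = null;
        // The binding is inferred from the HTTP method only: POST -> HTTP-POST, anything else -> HTTP-Redirect.
        String binding = SAML2Constants.HTTP_REDIRECT;
        if (this.request.getMethod().equals(Utils.POST)) {
            binding = SAML2Constants.HTTP_POST;
        }
        this.data.setAuthnRequest(getAuthnRequest(this.request, this.isFromECP, binding));
        if (this.data.getAuthnRequest() == null) {
            throw new ClientFaultException(this.data.getIdpAdapter(), "InvalidSAMLRequest");
        }
        this.data.getEventAuditor().setRequestId(this.data.getRequestID());
        // Without an Issuer the request cannot be attributed to any SP; reject it as a client fault
        // rather than failing on the dereference below.
        if (this.data.getAuthnRequest().getIssuer() == null) {
            SAML2Utils.debug.warning("{} Issuer is missing from the request.", new Object[]{"UtilProxySAMLAuthenticator.authenticate: "});
            throw new ClientFaultException(this.data.getIdpAdapter(), "InvalidSAMLRequest");
        }
        this.data.setSpEntityID(this.data.getAuthnRequest().getIssuer().getValue());
        try {
            logAccess(this.isFromECP ? LogUtil.RECEIVED_AUTHN_REQUEST_ECP : LogUtil.RECEIVED_AUTHN_REQUEST, Level.INFO, this.data.getSpEntityID(), this.data.getIdpMetaAlias(), this.data.getAuthnRequest().toXMLString());
            // The Issuer must be a source site this IdP accepts in this realm.
            if (!SAML2Utils.isSourceSiteValid(this.data.getAuthnRequest().getIssuer(), this.data.getRealm(), this.data.getIdpEntityID())) {
                SAML2Utils.debug.warning("{} Issuer in Request is not valid.", new Object[]{"UtilProxySAMLAuthenticator.authenticate: "});
                throw new ClientFaultException(this.data.getIdpAdapter(), "InvalidSAMLRequest");
            }
            try {
                IDPSSODescriptorElement idpDescriptor = IDPSSOUtil.metaManager.getIDPSSODescriptor(this.data.getRealm(), this.data.getIdpEntityID());
                try {
                    spDescriptor = IDPSSOUtil.metaManager.getSPSSODescriptor(this.data.getRealm(), this.data.getSpEntityID());
                } catch (SAML2MetaException e) {
                    // Tolerated here: a missing SP descriptor only becomes fatal when signing is required.
                    SAML2Utils.debug.error("UtilProxySAMLAuthenticator.authenticate: Unable to get SP SSO Descriptor from meta.");
                    SAML2Utils.debug.error("UtilProxySAMLAuthenticator.authenticate: ", e);
                }
                // Signature verification (and, for browser bindings, the Destination check) runs only when
                // either side's metadata demands signed AuthnRequests. An unsigned request from an SP whose
                // metadata does not require signing skips both checks.
                if (idpDescriptor.isWantAuthnRequestsSigned() || (spDescriptor != null && spDescriptor.isAuthnRequestsSigned())) {
                    if (StringUtils.isBlank(this.data.getSpEntityID())) {
                        throw new ClientFaultException(this.data.getIdpAdapter(), "InvalidSAMLRequest");
                    }
                    if (spDescriptor == null) {
                        SAML2Utils.debug.error("UtilProxySAMLAuthenticator.authenticate: Unable to get SP SSO Descriptor from meta.");
                        throw new ServerFaultException(this.data.getIdpAdapter(), "metaDataError");
                    }
                    // Only certificates published in the SP's own metadata are used for verification.
                    Set<X509Certificate> verificationCerts = KeyUtil.getVerificationCerts(spDescriptor, this.data.getSpEntityID(), SAML2Constants.SP_ROLE);
                    try {
                        boolean signatureValid;
                        if (this.isFromECP || Utils.POST.equals(this.request.getMethod())) {
                            // ECP and HTTP-POST carry the signature inside the AuthnRequest XML.
                            signatureValid = this.data.getAuthnRequest().isSignatureValid(verificationCerts);
                        } else {
                            // HTTP-Redirect signs the query string, so verification runs over the raw query
                            // string as received rather than over the decoded request.
                            signatureValid = QuerySignatureUtil.verify(this.request.getQueryString(), verificationCerts);
                        }
                        if (!signatureValid) {
                            SAML2Utils.debug.error("UtilProxySAMLAuthenticator.authenticate: authn request verification failed.");
                            throw new ClientFaultException(this.data.getIdpAdapter(), "invalidSignInRequest");
                        }
                        if (!this.isFromECP) {
                            // Destination must match this IdP's SSO endpoint for the binding in use.
                            SingleSignOnServiceElement ssoEndpoint = SPSSOFederate.getSingleSignOnServiceEndpoint(idpDescriptor.getSingleSignOnService(), binding);
                            if (ssoEndpoint == null || StringUtils.isEmpty(ssoEndpoint.getLocation())) {
                                SAML2Utils.debug.error("{} authn request unable to get endpoint location for IdpEntity: {}  MetaAlias: {} ", new Object[]{"UtilProxySAMLAuthenticator.authenticate: ", this.data.getIdpEntityID(), this.data.getIdpMetaAlias()});
                                throw new ClientFaultException(this.data.getIdpAdapter(), "invalidDestination");
                            }
                            if (!SAML2Utils.verifyDestination(this.data.getAuthnRequest().getDestination(), ssoEndpoint.getLocation())) {
                                SAML2Utils.debug.error("{} authn request destination verification failed for IdpEntity: {}  MetaAlias: {} Destination: {}  Location: {}", new Object[]{"UtilProxySAMLAuthenticator.authenticate: ", this.data.getIdpEntityID(), this.data.getIdpMetaAlias(), this.data.getAuthnRequest().getDestination(), ssoEndpoint.getLocation()});
                                throw new ClientFaultException(this.data.getIdpAdapter(), "invalidDestination");
                            }
                        }
                        SAML2Utils.debug.message("{} authn request signature verification is successful.", new Object[]{"UtilProxySAMLAuthenticator.authenticate: "});
                    } catch (SAML2Exception e2) {
                        SAML2Utils.debug.error("UtilProxySAMLAuthenticator.authenticate: authn request verification failed.", e2);
                        throw new ClientFaultException(this.data.getIdpAdapter(), "invalidSignInRequest");
                    }
                }
                SAML2Utils.debug.message("{} request id= {}", new Object[]{"UtilProxySAMLAuthenticator.authenticate: ", this.data.getRequestID()});
                if (this.data.getRequestID() == null) {
                    SAML2Utils.debug.error("UtilProxySAMLAuthenticator.authenticate: Request id is null");
                    throw new ClientFaultException(this.data.getIdpAdapter(), "InvalidSAMLRequestID");
                }
                // Session lookup is best-effort: ECP resolves the session through the configured ECP session
                // mapper, browser bindings through the session provider. A missing session is not an error
                // here - it selects the "send to authentication" path further down.
                if (this.isFromECP) {
                    try {
                        this.data.setSession(IDPSSOUtil.getIDPECPSessionMapper(this.data.getRealm(), this.data.getIdpEntityID()).getSession(this.request, this.response));
                    } catch (SAML2Exception e3) {
                        SAML2Utils.debug.message("Unable to retrieve user session.", new Object[]{"UtilProxySAMLAuthenticator.authenticate: "});
                    }
                } else {
                    try {
                        this.data.setSession(SessionManager.getProvider().getSession(this.request));
                    } catch (SessionException e4) {
                        SAML2Utils.debug.message("{} Unable to retrieve user session.", new Object[]{"UtilProxySAMLAuthenticator.authenticate: "});
                    }
                }
                if (null != this.data.getSession()) {
                    this.data.getEventAuditor().setAuthTokenId(this.data.getSession());
                }
                // Adapter hook: a true return means the adapter has already completed the response.
                if (preSingleSignOn(this.request, this.response, this.data)) {
                    return;
                }
                IDPAuthnContextMapper authnContextMapper = null;
                try {
                    authnContextMapper = IDPSSOUtil.getIDPAuthnContextMapper(this.data.getRealm(), this.data.getIdpEntityID());
                } catch (SAML2Exception e5) {
                    SAML2Utils.debug.error("UtilProxySAMLAuthenticator.authenticate: ", e5);
                }
                if (authnContextMapper == null) {
                    SAML2Utils.debug.error("UtilProxySAMLAuthenticator.authenticate: Unable to get IDPAuthnContextMapper from meta.");
                    throw new ServerFaultException(this.data.getIdpAdapter(), "metaDataError");
                }
                IDPAuthnContextInfo authnContextInfo = null;
                try {
                    authnContextInfo = authnContextMapper.getIDPAuthnContextInfo(this.data.getAuthnRequest(), this.data.getIdpEntityID(), this.data.getRealm());
                } catch (SAML2Exception e6) {
                    SAML2Utils.debug.error("UtilProxySAMLAuthenticator.authenticate: ", e6);
                }
                if (authnContextInfo == null) {
                    // No AuthnContext this IdP can satisfy: answer with a Requester/NoAuthnContext status.
                    SAML2Utils.debug.message("{} Unable to find valid AuthnContext. Sending error Response.", new Object[]{"UtilProxySAMLAuthenticator.authenticate: "});
                    try {
                        Response errorResponse = SAML2Utils.getErrorResponse(this.data.getAuthnRequest(), SAML2Constants.REQUESTER, SAML2Constants.NO_AUTHN_CONTEXT, null, this.data.getIdpEntityID());
                        StringBuffer returnedBinding = new StringBuffer();
                        // getACSurl is handed the buffer to report the binding it selected (verify against
                        // IDPSSOUtil), so it has to run before the buffer is read. Java evaluates arguments
                        // left to right; passing returnedBinding.toString() in the same call that invokes
                        // getACSurl would always send an empty binding.
                        String acsUrl = IDPSSOUtil.getACSurl(this.data.getSpEntityID(), this.data.getRealm(), this.data.getAuthnRequest(), this.request, returnedBinding);
                        IDPSSOUtil.sendResponse(this.request, this.response, this.out, returnedBinding.toString(), this.data.getSpEntityID(), this.data.getIdpEntityID(), this.data.getIdpMetaAlias(), this.data.getRealm(), this.data.getRelayState(), acsUrl, errorResponse, this.data.getSession());
                        return;
                    } catch (SAML2Exception e7) {
                        SAML2Utils.debug.error("UtilProxySAMLAuthenticator.authenticate: ", e7);
                        throw new ServerFaultException(this.data.getIdpAdapter(), "metaDataError");
                    }
                }
                // RelayState comes straight from the request parameter and is later echoed into redirects
                // and responses; nothing in this file validates it (NOTE(review): confirm the consumers do).
                this.data.setRelayState(this.request.getParameter("RelayState"));
                this.data.setMatchingAuthnContext(authnContextInfo.getAuthnContext());
                if (this.data.getSession() == null) {
                    redirectToAuth(spDescriptor, binding, authnContextInfo, this.data);
                    return;
                }
                SAML2Utils.debug.message("{} There is an existing session", new Object[]{"UtilProxySAMLAuthenticator.authenticate: "});
                boolean validSessionInRealm = IDPSSOUtil.isValidSessionInRealm(this.data.getRealm(), this.data.getSession());
                String sessionIndex = IDPSSOUtil.getSessionIndex(this.data.getSession());
                boolean sessionUpgrade = false;
                if (validSessionInRealm) {
                    sessionUpgrade = isSessionUpgrade(authnContextInfo, this.data.getSession());
                    SAML2Utils.debug.message("{} IDP Session Upgrade is : {}", new Object[]{"UtilProxySAMLAuthenticator.authenticate: ", Boolean.valueOf(sessionUpgrade)});
                }
                ServerFaultException deferredFault = null;
                // Re-authentication is required when the session needs an upgrade, is not valid in this
                // realm, or the SP asked for ForceAuthn without IsPassive.
                if (sessionUpgrade || !validSessionInRealm || (Boolean.TRUE.equals(this.data.getAuthnRequest().isForceAuthn()) && !Boolean.TRUE.equals(this.data.getAuthnRequest().isPassive()))) {
                    if (sessionIndex != null && sessionIndex.length() != 0) {
                        // Park the current IdP session under the request id before re-authentication.
                        IDPSession oldSession = IDPCache.idpSessionsByIndices.get(sessionIndex);
                        if (oldSession != null) {
                            IDPCache.oldIDPSessionCache.put(this.data.getRequestID(), oldSession);
                        } else {
                            SAML2Utils.debug.error("UtilProxySAMLAuthenticator.authenticate: The old SAML2 session  was not found in the idp session by indices cache");
                        }
                    }
                    cacheAuthnRequestState(this.data);
                    IDPCache.isSessionUpgradeCache.add(this.data.getRequestID());
                    if (validSessionInRealm) {
                        try {
                            String preferredIDP = null;
                            if (IDPProxyUtil.isIDPProxyEnabled(this.data.getAuthnRequest(), this.data.getRealm())) {
                                preferredIDP = IDPProxyUtil.getPreferredIDP(this.data.getAuthnRequest(), this.data.getIdpEntityID(), this.data.getRealm(), this.request, this.response);
                            }
                            if (preferredIDP != null) {
                                if (SPCache.reqParamHash != null && !SPCache.reqParamHash.containsKey(preferredIDP)) {
                                    SAML2Utils.debug.message("{} IDP to be proxied {}", new Object[]{"UtilProxySAMLAuthenticator.authenticate: ", preferredIDP});
                                    IDPProxyUtil.sendProxyAuthnRequest(this.data.getAuthnRequest(), preferredIDP, spDescriptor, this.data.getIdpEntityID(), this.request, this.response, this.data.getRealm(), this.data.getRelayState(), binding);
                                    return;
                                }
                                storeProxyRequestParams(preferredIDP, spDescriptor, binding, this.data);
                                return;
                            }
                        } catch (SAML2Exception e8) {
                            // The fault is deferred: local authentication is still attempted below.
                            SAML2Utils.debug.message("{} Redirecting for the proxy handling error: {}", new Object[]{"UtilProxySAMLAuthenticator.authenticate: ", e8.getMessage()});
                            deferredFault = new ServerFaultException(this.data.getIdpAdapter(), "UnableToRedirectToPreferredIDP", e8.getMessage());
                        }
                    }
                    if (preAuthenticationAdapter(this.request, this.response, this.data)) {
                        return;
                    }
                    try {
                        if (!Boolean.TRUE.equals(this.data.getAuthnRequest().isPassive())) {
                            redirectAuthentication(this.request, this.response, authnContextInfo, this.data, true);
                            return;
                        }
                        // IsPassive forbids user interaction, so re-authentication is refused with NoPassive.
                        try {
                            IDPSSOUtil.sendResponseWithStatus(this.request, this.response, this.out, this.data.getIdpMetaAlias(), this.data.getIdpEntityID(), this.data.getRealm(), this.data.getAuthnRequest(), this.data.getRelayState(), this.data.getSpEntityID(), SAML2Constants.RESPONDER, SAML2Constants.NOPASSIVE);
                        } catch (SAML2Exception e9) {
                            SAML2Utils.debug.error("UtilProxySAMLAuthenticator.authenticate: ", e9);
                            deferredFault = new ServerFaultException(this.data.getIdpAdapter(), "metaDataError");
                        }
                    } catch (SAML2Exception | IOException e10) {
                        SAML2Utils.debug.error("UtilProxySAMLAuthenticator.authenticate: Unable to redirect to authentication.", e10);
                        // NOTE(review): clearing the upgrade flag means a session that is valid in the realm
                        // still receives an assertion response below before the fault is thrown - confirm intended.
                        sessionUpgrade = false;
                        cleanUpCache(this.data.getRequestID());
                        deferredFault = new ServerFaultException(this.data.getIdpAdapter(), "UnableToRedirectToAuth", e10.getMessage());
                    }
                }
                if (!sessionUpgrade && validSessionInRealm) {
                    generateAssertionResponse(this.data);
                }
                if (deferredFault != null) {
                    throw deferredFault;
                }
            } catch (SAML2MetaException e11) {
                SAML2Utils.debug.error("UtilProxySAMLAuthenticator.authenticate: Unable to get IDP SSO Descriptor from meta.");
                throw new ServerFaultException(this.data.getIdpAdapter(), "metaDataError");
            }
        } catch (SAML2Exception e12) {
            SAML2Utils.debug.error("UtilProxySAMLAuthenticator.authenticate: ", (Throwable) e12);
            throw new ClientFaultException(this.data.getIdpAdapter(), "InvalidSAMLRequest", e12.getMessage());
        }
    }

    /**
     * Decides whether the requested authentication context outranks the current session.
     *
     * <p>A null session always requires an upgrade. Otherwise the session's "AuthLevel" property is
     * read through the session provider; the stored value may carry a colon-separated prefix
     * ({@code prefix:level}), in which case the second segment is the numeric level. When the level
     * cannot be read or parsed it is treated as 0, which fails safe: any requested level above 0 then
     * forces re-authentication instead of reusing the session.
     *
     * @param authnContextInfo mapped context for the incoming request; its authn level is the bar to meet
     * @param session current session object, or null
     * @return true when the requested level is strictly greater than the session's level
     */
    private static boolean isSessionUpgrade(IDPAuthnContextInfo authnContextInfo, Object session) {
        if (session == null) {
            return true;
        }
        String requestedClassRef = authnContextInfo.getAuthnContext().getAuthnContextClassRef();
        int requestedLevel = authnContextInfo.getAuthnLevel().intValue();
        SAML2Utils.debug.message("UtilProxySAMLAuthenticator.isSessionUpgrade: Requested AuthnContext: authnClassRef=" + requestedClassRef + " authnLevel=" + requestedLevel);
        int currentLevel = 0;
        try {
            String[] levels = SessionManager.getProvider().getProperty(session, "AuthLevel");
            if (levels != null && levels.length > 0 && levels[0] != null) {
                String raw = levels[0];
                String numeric = raw;
                if (raw.contains(":")) {
                    String[] parts = raw.split(":");
                    // A value such as ":" splits into no segments at all; an empty string then fails parsing below.
                    numeric = parts.length > 1 ? parts[1] : "";
                }
                currentLevel = Integer.parseInt(numeric);
                SAML2Utils.debug.message("UtilProxySAMLAuthenticator.isSessionUpgrade: Current session Authentication Level: " + currentLevel);
            } else {
                SAML2Utils.debug.error("UtilProxySAMLAuthenticator.isSessionUpgrade:  Couldn't get the session Auth Level");
            }
        } catch (SessionException | NumberFormatException e) {
            // A malformed level must not surface as an unhandled runtime exception; level 0 forces an upgrade.
            SAML2Utils.debug.error("UtilProxySAMLAuthenticator.isSessionUpgrade:  Couldn't get the session Auth Level", e);
        }
        return requestedLevel > currentLevel;
    }

    /**
     * Issues an assertion Response to the SP's ACS from the existing session.
     *
     * <p>Request state is parked in IDPCache first, then the preSendResponse adapter hook may take
     * over. The session is tagged with the "saml2" federation protocol before
     * IDPSSOUtil.sendResponseToACS builds and delivers the Response.
     *
     * @param req per-request context (session, AuthnRequest, entity ids, realm, RelayState)
     * @throws ServerFaultException {@code UnableToDOSSOOrFederation} when response building or delivery fails
     */
    private void generateAssertionResponse(IDPSSOFederateRequest req) throws ServerFaultException {
        cacheAuthnRequestState(req);
        if (preSendResponse(this.request, this.response, req)) {
            return;
        }
        MultiProtocolUtils.addFederationProtocol(req.getSession(), "saml2");
        NameIDPolicy nameIDPolicy = req.getAuthnRequest().getNameIDPolicy();
        String nameIDFormat = nameIDPolicy == null ? null : nameIDPolicy.getFormat();
        try {
            IDPSSOUtil.sendResponseToACS(this.request, this.response, this.out, req.getSession(), req.getAuthnRequest(), req.getSpEntityID(), req.getIdpEntityID(), req.getIdpMetaAlias(), req.getRealm(), nameIDFormat, req.getRelayState(), req.getMatchingAuthnContext());
        } catch (SAML2Exception e) {
            SAML2Utils.debug.error("UtilProxySAMLAuthenticator.generateAssertionResponseUnable to do sso or federation.", (Throwable) e);
            throw new ServerFaultException(req.getIdpAdapter(), "UnableToDOSSOOrFederation", e.getMessage());
        }
    }

    /**
     * Parks the AuthnRequest, the matching AuthnContext and (when present) the RelayState in the
     * IDPCache maps under the request id; presumably read back by the completion path after the
     * user returns from authentication (outside this file). The two CacheObject puts hold the map
     * monitors, matching the locking convention of the existing callers.
     *
     * @param req per-request context supplying the request id and the values to cache
     */
    private static void cacheAuthnRequestState(IDPSSOFederateRequest req) {
        synchronized (IDPCache.authnRequestCache) {
            IDPCache.authnRequestCache.put(req.getRequestID(), new CacheObject(req.getAuthnRequest()));
        }
        synchronized (IDPCache.idpAuthnContextCache) {
            IDPCache.idpAuthnContextCache.put(req.getRequestID(), new CacheObject(req.getMatchingAuthnContext()));
        }
        if (StringUtils.isNotBlank(req.getRelayState())) {
            IDPCache.relayStateCache.put(req.getRequestID(), req.getRelayState());
        }
    }

    /**
     * Merges this request's context into the parameter map that SPCache.reqParamHash already holds
     * for {@code preferredIDP} and stores the map back under the same key.
     *
     * <p>Callers reach this only after the "no entry yet" case has been handled, i.e. when the map
     * already has an entry for the IdP or when reqParamHash itself is null (in which case the get()
     * throws NullPointerException, as in the original control flow).
     *
     * @param preferredIDP entity id of the IdP the request is being proxied to
     * @param spDescriptor SP descriptor resolved from metadata, may be null
     * @param binding binding of the inbound request (HTTP-Redirect or HTTP-POST)
     * @param req per-request context
     */
    @SuppressWarnings({"unchecked", "rawtypes"})
    private static void storeProxyRequestParams(String preferredIDP, SPSSODescriptorElement spDescriptor, String binding, IDPSSOFederateRequest req) {
        Map map = (Map) SPCache.reqParamHash.get(preferredIDP);
        map.put("authnReq", req.getAuthnRequest());
        map.put("spSSODescriptor", spDescriptor);
        map.put("idpEntityID", req.getIdpEntityID());
        map.put("realm", req.getRealm());
        map.put("relayState", req.getRelayState());
        map.put(SAML2Constants.BINDING, binding);
        SPCache.reqParamHash.put(preferredIDP, map);
    }

    /**
     * Handles the no-session case: parks request state, then either proxies to a preferred IdP
     * (when IdP proxying is enabled and one is resolved) or sends the user to local authentication.
     * A passive request that would need interaction is answered with a Responder/NoPassive status.
     *
     * @param spDescriptor SP descriptor from metadata, may be null
     * @param binding binding of the inbound request
     * @param authnContextInfo mapped authentication context for the request
     * @param req per-request context
     * @throws IOException propagated from the servlet response
     * @throws ServerFaultException {@code metaDataError}, {@code UnableToRedirectToAuth} or
     *         {@code UnableToRedirectToPreferredIDP} depending on which step failed
     */
    private void redirectToAuth(SPSSODescriptorElement spDescriptor, String binding, IDPAuthnContextInfo authnContextInfo, IDPSSOFederateRequest req) throws IOException, ServerFaultException {
        cacheAuthnRequestState(req);
        try {
            String preferredIDP = null;
            if (IDPProxyUtil.isIDPProxyEnabled(req.getAuthnRequest(), req.getRealm())) {
                preferredIDP = IDPProxyUtil.getPreferredIDP(req.getAuthnRequest(), req.getIdpEntityID(), req.getRealm(), this.request, this.response);
            }
            if (preferredIDP == null) {
                // Local authentication path.
                if (preAuthenticationAdapter(this.request, this.response, req)) {
                    return;
                }
                try {
                    if (Boolean.TRUE.equals(req.getAuthnRequest().isPassive())) {
                        try {
                            IDPSSOUtil.sendResponseWithStatus(this.request, this.response, this.out, req.getIdpMetaAlias(), req.getIdpEntityID(), req.getRealm(), req.getAuthnRequest(), req.getRelayState(), req.getSpEntityID(), SAML2Constants.RESPONDER, SAML2Constants.NOPASSIVE);
                        } catch (SAML2Exception e) {
                            SAML2Utils.debug.error("UtilProxySAMLAuthenticator.redirectToAuth", e);
                            throw new ServerFaultException(req.getIdpAdapter(), "metaDataError");
                        }
                    } else {
                        redirectAuthentication(this.request, this.response, authnContextInfo, req, false);
                    }
                    return;
                } catch (SAML2Exception | IOException e2) {
                    SAML2Utils.debug.error("UtilProxySAMLAuthenticator.redirectToAuthUnable to redirect to authentication.", e2);
                    throw new ServerFaultException(req.getIdpAdapter(), "UnableToRedirectToAuth", e2.getMessage());
                }
            }
            if (SPCache.reqParamHash != null && !SPCache.reqParamHash.containsKey(preferredIDP)) {
                SAML2Utils.debug.message("{} IDP to be proxied {} ", new Object[]{"UtilProxySAMLAuthenticator.redirectToAuth", preferredIDP});
                IDPProxyUtil.sendProxyAuthnRequest(req.getAuthnRequest(), preferredIDP, spDescriptor, req.getIdpEntityID(), this.request, this.response, req.getRealm(), req.getRelayState(), binding);
                return;
            }
            storeProxyRequestParams(preferredIDP, spDescriptor, binding, req);
        } catch (SAML2Exception e3) {
            SAML2Utils.debug.message("{} Redirecting for the proxy handling error: {}", new Object[]{"UtilProxySAMLAuthenticator.redirectToAuth", e3.getMessage()});
            throw new ServerFaultException(req.getIdpAdapter(), "UnableToRedirectToPreferredIDP", e3.getMessage());
        }
    }

    /**
     * Builds an AuthnRequest from an HTTP-Redirect SAMLRequest value, decoded with
     * SAML2Utils.decodeFromRedirect.
     *
     * @param samlRequest raw SAMLRequest query parameter value
     * @return the parsed request, or null when decoding or parsing fails
     */
    private static AuthnRequest getAuthnRequest(String samlRequest) {
        AuthnRequest authnRequest = null;
        String decoded = SAML2Utils.decodeFromRedirect(samlRequest);
        if (decoded != null) {
            try {
                authnRequest = ProtocolFactory.getInstance().createAuthnRequest(decoded);
            } catch (SAML2Exception e) {
                SAML2Utils.debug.error("UtilProxySAMLAuthenticator.getAuthnRequest(): cannot construct a AuthnRequest object from the SAMLRequest value:", e);
            }
        }
        return authnRequest;
    }

    /**
     * Extracts the AuthnRequest from the servlet request for the given profile and binding.
     *
     * <p>ECP: the AuthnRequest element is taken from the SOAP message in the request body.
     * HTTP-Redirect: the SAMLRequest parameter is decoded via {@link #getAuthnRequest(String)}.
     * HTTP-POST: the SAMLRequest parameter is base64-decoded and parsed as XML
     * (NOTE(review): external-entity handling depends on XMLUtils.toDOMDocument - confirm it is hardened).
     * Any other binding yields null. All failures are logged and reported as null, which the caller
     * turns into an {@code InvalidSAMLRequest} client fault.
     *
     * @param httpServletRequest inbound request
     * @param fromECP true when the request follows the ECP profile
     * @param binding HTTP-Redirect or HTTP-POST; ignored for ECP
     * @return the parsed AuthnRequest, or null when it is absent or cannot be parsed
     */
    private static AuthnRequest getAuthnRequest(HttpServletRequest httpServletRequest, boolean fromECP, String binding) {
        if (fromECP) {
            try {
                return ProtocolFactory.getInstance().createAuthnRequest(SOAPCommunicator.getInstance().getSamlpElement(SOAPCommunicator.getInstance().getSOAPMessage(httpServletRequest), "AuthnRequest"));
            } catch (Exception e) {
                SAML2Utils.debug.error("UtilProxySAMLAuthenticator.getAuthnRequest:", e);
                return null;
            }
        }
        String samlRequest = httpServletRequest.getParameter("SAMLRequest");
        if (samlRequest == null) {
            SAML2Utils.debug.error("UtilProxySAMLAuthenticator.getAuthnRequest: SAMLRequest is null");
            return null;
        }
        if (binding.equals(SAML2Constants.HTTP_REDIRECT)) {
            SAML2Utils.debug.message("UtilProxySAMLAuthenticator.getAuthnRequest: saml request = {}", new Object[]{samlRequest});
            return getAuthnRequest(samlRequest);
        }
        if (!binding.equals(SAML2Constants.HTTP_POST)) {
            return null;
        }
        try {
            byte[] decoded = Base64.decode(samlRequest);
            if (decoded == null) {
                return null;
            }
            // try-with-resources replaces the hand-rolled close/finally sequence; ByteArrayInputStream
            // holds no external resource, so closing it on every path changes nothing observable.
            try (ByteArrayInputStream in = new ByteArrayInputStream(decoded)) {
                Document doc = XMLUtils.toDOMDocument(in, SAML2Utils.debug);
                if (doc == null) {
                    SAML2Utils.debug.error("UtilProxySAMLAuthenticator.getAuthnRequest: Unable to parse SAMLRequest: " + samlRequest);
                    return null;
                }
                SAML2Utils.debug.message("UtilProxySAMLAuthenticator.getAuthnRequest: decoded SAML2 Authn Request: {}", new Object[]{XMLUtils.print(doc.getDocumentElement())});
                return ProtocolFactory.getInstance().createAuthnRequest(doc.getDocumentElement());
            }
        } catch (Exception e2) {
            SAML2Utils.debug.error("UtilProxySAMLAuthenticator.getAuthnRequest:", e2);
            return null;
        }
    }

    /**
     * Strips the leading {@code prefix} from {@code path}; callers pass the context path so the
     * remainder is the request URI relative to the web application.
     *
     * @param path full request URI
     * @param prefix leading part to drop (assumed to be a prefix of {@code path}; not checked here)
     * @return {@code path} without its first {@code prefix.length()} characters
     */
    private static String getRelativePath(String path, String prefix) {
        return path.substring(prefix.length());
    }

    /**
     * Redirects the browser to the realm's authentication service with a {@code goto} back to this
     * endpoint.
     *
     * <p>The login URL carries the SP entity id, the "type=value" pairs from the mapped authn
     * context, and {@code ForceAuth=true} when {@code forceAuth} is set. The {@code goto} target is
     * the current request URL (or the configured RP_URL plus the context-relative path) with
     * {@code ReqID}, {@code index}, {@code acsURL}, spEntityID and binding taken from the AuthnRequest.
     * NOTE(review): those goto parameters originate from the AuthnRequest, which is only verified when
     * metadata requires signing; the completion endpoint reading ReqID should resolve the trusted
     * values from IDPCache/metadata rather than from these parameters - not visible in this file.
     *
     * @param httpServletRequest inbound request, source of the request URL/URI and context path
     * @param httpServletResponse response that receives the redirect
     * @param authnContextInfo mapped authn context supplying the type/value pairs
     * @param req per-request context (realm, entity ids, AuthnRequest)
     * @param forceAuth true to add {@code ForceAuth=true} to the login URL
     * @throws SAML2Exception propagated from the IDPSSOUtil lookups
     * @throws IOException propagated from {@code sendRedirect}
     */
    private static void redirectAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, IDPAuthnContextInfo authnContextInfo, IDPSSOFederateRequest req, boolean forceAuth) throws SAML2Exception, IOException {
        String authenticationServiceURL = IDPSSOUtil.getAuthenticationServiceURL(req.getRealm(), req.getIdpEntityID(), httpServletRequest);
        StringBuffer loginUrl = new StringBuffer(authenticationServiceURL);
        if (req.getSpEntityID() != null) {
            loginUrl.append(loginUrl.indexOf("?") == -1 ? "?" : "&");
            loginUrl.append(SAML2Constants.SPENTITYID).append("=").append(URLEncDec.encode(req.getSpEntityID()));
        }
        Set<String> authnTypeAndValues = authnContextInfo.getAuthnTypeAndValues();
        if (CollectionUtils.isNotEmpty(authnTypeAndValues)) {
            boolean first = true;
            StringBuilder authString = new StringBuilder();
            for (String typeAndValue : authnTypeAndValues) {
                int eq = typeAndValue.indexOf("=");
                if (eq == -1) {
                    // Entries without "=" are silently dropped, as before.
                    continue;
                }
                if (first) {
                    first = false;
                } else {
                    authString.append("&");
                }
                // Only the value part is URL-encoded; the "type=" prefix is passed through verbatim.
                authString.append(typeAndValue.substring(0, eq + 1)).append(URLEncDec.encode(typeAndValue.substring(eq + 1)));
            }
            loginUrl.append(loginUrl.indexOf("?") == -1 ? "?" : "&");
            loginUrl.append(authString.toString());
            SAML2Utils.debug.message("{} authString= {}", new Object[]{"UtilProxySAMLAuthenticator.redirectAuthentication: ", authString.toString()});
        }
        if (loginUrl.indexOf("?") != -1) {
            if (forceAuth) {
                loginUrl.append("&ForceAuth=true");
            }
            loginUrl.append("&goto=");
        } else if (forceAuth) {
            loginUrl.append("?ForceAuth=true&goto=");
        } else {
            loginUrl.append("?goto=");
        }
        // RP_URL, when configured for the IdP, replaces the scheme/host/context of the goto target.
        StringBuffer gotoUrl;
        String rpUrl = IDPSSOUtil.getAttributeValueFromIDPSSOConfig(req.getRealm(), req.getIdpEntityID(), SAML2Constants.RP_URL);
        if (StringUtils.isNotEmpty(rpUrl)) {
            gotoUrl = new StringBuffer(rpUrl);
            gotoUrl.append(getRelativePath(httpServletRequest.getRequestURI(), httpServletRequest.getContextPath()));
        } else {
            gotoUrl = httpServletRequest.getRequestURL();
        }
        gotoUrl.append("?ReqID=").append(req.getAuthnRequest().getID())
                .append('&').append("index").append('=').append(req.getAuthnRequest().getAssertionConsumerServiceIndex())
                .append('&').append("acsURL").append('=').append(URLEncDec.encode(req.getAuthnRequest().getAssertionConsumerServiceURL()))
                .append('&').append(SAML2Constants.SPENTITYID).append('=').append(URLEncDec.encode(req.getAuthnRequest().getIssuer().getValue()))
                .append('&').append(SAML2Constants.BINDING).append('=').append(URLEncDec.encode(req.getAuthnRequest().getProtocolBinding()));
        loginUrl.append(URLEncDec.encode(gotoUrl.toString()));
        SAML2Utils.debug.message("{} New URL for authentication: {}", new Object[]{"UtilProxySAMLAuthenticator.redirectAuthentication: ", loginUrl.toString()});
        // The decompiled original also carried an unreachable "forward with auth cookie" branch behind a
        // constant-false condition; only the redirect path was ever live.
        httpServletResponse.sendRedirect(loginUrl.toString());
    }

    /**
     * Drops every IDPCache entry parked under {@code requestID}; used when the redirect to the
     * authentication service fails and the cached state would otherwise be orphaned.
     *
     * @param requestID AuthnRequest id the entries were stored under
     */
    private static void cleanUpCache(String requestID) {
        IDPCache.oldIDPSessionCache.remove(requestID);
        IDPCache.authnRequestCache.remove(requestID);
        IDPCache.idpAuthnContextCache.remove(requestID);
        IDPCache.isSessionUpgradeCache.remove(requestID);
    }
}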
