package com.sun.identity.saml2.profile;

import com.sun.identity.cot.COTException;
import com.sun.identity.cot.CircleOfTrustManager;
import com.sun.identity.federation.common.IFSConstants;
import com.sun.identity.multiprotocol.MultiProtocolUtils;
import com.sun.identity.plugin.monitoring.FedMonAgent;
import com.sun.identity.plugin.monitoring.FedMonSAML2Svc;
import com.sun.identity.plugin.monitoring.MonitorManager;
import com.sun.identity.plugin.session.SessionException;
import com.sun.identity.plugin.session.SessionManager;
import com.sun.identity.plugin.session.SessionProvider;
import com.sun.identity.saml.common.SAMLUtils;
import com.sun.identity.saml.xmlsig.KeyProvider;
import com.sun.identity.saml2.assertion.Assertion;
import com.sun.identity.saml2.assertion.AssertionFactory;
import com.sun.identity.saml2.assertion.Attribute;
import com.sun.identity.saml2.assertion.AttributeStatement;
import com.sun.identity.saml2.assertion.AudienceRestriction;
import com.sun.identity.saml2.assertion.AuthnContext;
import com.sun.identity.saml2.assertion.AuthnStatement;
import com.sun.identity.saml2.assertion.Conditions;
import com.sun.identity.saml2.assertion.EncryptedAssertion;
import com.sun.identity.saml2.assertion.EncryptedAttribute;
import com.sun.identity.saml2.assertion.EncryptedID;
import com.sun.identity.saml2.assertion.Issuer;
import com.sun.identity.saml2.assertion.NameID;
import com.sun.identity.saml2.assertion.Subject;
import com.sun.identity.saml2.assertion.SubjectConfirmation;
import com.sun.identity.saml2.assertion.SubjectConfirmationData;
import com.sun.identity.saml2.common.AccountUtils;
import com.sun.identity.saml2.common.NameIDInfo;
import com.sun.identity.saml2.common.NewBoolean;
import com.sun.identity.saml2.common.SAML2Constants;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.common.SAML2FailoverUtils;
import com.sun.identity.saml2.common.SAML2InvalidNameIDPolicyException;
import com.sun.identity.saml2.common.SAML2SDKUtils;
import com.sun.identity.saml2.common.SAML2Utils;
import com.sun.identity.saml2.common.SOAPCommunicator;
import com.sun.identity.saml2.ecp.ECPFactory;
import com.sun.identity.saml2.ecp.ECPResponse;
import com.sun.identity.saml2.jaxb.entityconfig.BaseConfigType;
import com.sun.identity.saml2.jaxb.entityconfig.IDPSSOConfigElement;
import com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement;
import com.sun.identity.saml2.jaxb.metadata.AffiliationDescriptorType;
import com.sun.identity.saml2.jaxb.metadata.ArtifactResolutionServiceElement;
import com.sun.identity.saml2.jaxb.metadata.AssertionConsumerServiceElement;
import com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement;
import com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement;
import com.sun.identity.saml2.key.EncInfo;
import com.sun.identity.saml2.key.KeyUtil;
import com.sun.identity.saml2.logging.LogUtil;
import com.sun.identity.saml2.meta.SAML2MetaException;
import com.sun.identity.saml2.meta.SAML2MetaManager;
import com.sun.identity.saml2.meta.SAML2MetaUtils;
import com.sun.identity.saml2.plugins.IDPAccountMapper;
import com.sun.identity.saml2.plugins.IDPAttributeMapper;
import com.sun.identity.saml2.plugins.IDPAuthnContextMapper;
import com.sun.identity.saml2.plugins.IDPECPSessionMapper;
import com.sun.identity.saml2.plugins.SAML2IdentityProviderAdapter;
import com.sun.identity.saml2.protocol.AuthnRequest;
import com.sun.identity.saml2.protocol.NameIDPolicy;
import com.sun.identity.saml2.protocol.ProtocolFactory;
import com.sun.identity.saml2.protocol.Response;
import com.sun.identity.saml2.protocol.Status;
import com.sun.identity.saml2.protocol.StatusCode;
import com.sun.identity.shared.DateUtils;
import com.sun.identity.shared.encode.URLEncDec;
import com.sun.identity.shared.xml.XMLUtils;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.PrintWriter;
import java.security.PrivateKey;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.soap.SOAPMessage;
import org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException;
import org.forgerock.openam.saml2.audit.SAML2EventLogger;
import org.forgerock.openam.utils.ClientUtils;
import org.forgerock.openam.utils.CollectionUtils;
import org.forgerock.openam.utils.StringUtils;
import org.forgerock.openam.utils.Time;

/* loaded from: input_file:com/sun/identity/saml2/profile/IDPSSOUtil.class */
public class IDPSSOUtil {
    /** Name under which the SAML2 NameID format is carried (not referenced in this part of the class). */
    public static final String NAMEID_FORMAT = "SAML2NameIDFormat";
    public static final String NULL = "null";
    /**
     * Request parameter read in doSSOFederate: when it parses as true the user agent has already been sent
     * through authentication once, so a missing/foreign-realm session is reported instead of redirecting again.
     */
    private static final String REDIRECTED = "redirected";
    // presumably appended to the authentication redirect so the round trip can be detected — not used in this chunk
    private static final String REDIRECTED_TRUE = "redirected=true";
    // Shared, mutable statics: populated elsewhere (not in this chunk); doSSOFederate fails with "errorMetaManager" when metaManager is null.
    public static SAML2MetaManager metaManager;
    public static CircleOfTrustManager cotManager;
    static IDPSessionListener sessionListener = new IDPSessionListener();
    static SessionProvider sessionProvider;
    private static FedMonAgent agent;
    private static FedMonSAML2Svc saml2Svc;

    /** Static utility holder; never instantiated. */
    private IDPSSOUtil() {
    }

    /**
     * Convenience overload of the ten-argument {@code doSSOFederate} for callers that have no
     * pre-established session object: the full overload then resolves the session from the request.
     *
     * @throws SAML2Exception propagated from the full overload
     */
    public static void doSSOFederate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, PrintWriter printWriter, AuthnRequest authnRequest, String str, String str2, String str3, String str4, SAML2EventLogger sAML2EventLogger) throws SAML2Exception {
        final Object noPresetSession = null;
        doSSOFederate(httpServletRequest, httpServletResponse, printWriter, authnRequest, str, str2, str3, str4, noPresetSession, sAML2EventLogger);
    }

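    /**
     * Runs one SSO / federation round at the IdP.
     * <p>
     * In order: resolve the session (the supplied {@code obj}, else the one attached to the servlet
     * request), audit the received request, resolve the IdP entity ID and realm from the meta alias,
     * reject an untrusted remote provider for unsolicited (IdP-initiated) SSO, validate the RelayState
     * against the IdP's allowlist, and then either build and send the SAML response (an AuthnRequest is
     * present, or the user already holds a valid session in this realm) or send the user agent to
     * authentication. A request that comes back from authentication (parameter {@code redirected=true})
     * without a usable session gets an error page rather than another redirect.
     *
     * @param httpServletRequest  current request
     * @param httpServletResponse current response
     * @param printWriter         writer used when the response is rendered as HTML
     * @param authnRequest        the SP's AuthnRequest, or {@code null} for IdP-initiated SSO
     * @param str                 remote provider entity ID (used as the Issuer checked by
     *                            {@code isSourceSiteValid} and passed on as the SP entity ID)
     * @param str2                IdP meta alias; resolved to the IdP entity ID and realm
     * @param str3                passed through to {@code sendResponseToACS} in its NameID-format slot
     *                            (presumably the requested NameID format — confirm against the caller)
     * @param str4                RelayState; validated before any response is built
     * @param obj                 pre-established session object, or {@code null} to look it up from the request
     * @param sAML2EventLogger    audit logger; tolerated as {@code null}
     * @throws SAML2Exception when metadata cannot be resolved, the remote provider is not trusted for an
     *                        unsolicited request, or the RelayState is rejected
     */
    public static void doSSOFederate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, PrintWriter printWriter, AuthnRequest authnRequest, String str, String str2, String str3, String str4, Object obj, SAML2EventLogger sAML2EventLogger) throws SAML2Exception {
        Object session = null;
        if (obj != null) {
            session = obj;
            // The logger was only null-checked on the other branch; guard it consistently.
            if (sAML2EventLogger != null) {
                sAML2EventLogger.setSSOTokenId(session);
            }
        } else {
            try {
                session = sessionProvider.getSession(httpServletRequest);
                if (sAML2EventLogger != null) {
                    sAML2EventLogger.setAuthTokenId(session);
                }
            } catch (SessionException e) {
                // No session yet is a normal state here: the user will be sent to authentication below.
                if (SAML2Utils.debug.warningEnabled()) {
                    SAML2Utils.debug.warning("IDPSSOUtil.doSSOFederate: No session yet.");
                }
            }
        }
        String authnRequestXml = null;
        if (authnRequest != null) {
            authnRequestXml = authnRequest.toXMLString();
            if (sAML2EventLogger != null) {
                sAML2EventLogger.setRequestId(authnRequest.getID());
            }
        }
        LogUtil.access(Level.INFO, LogUtil.RECEIVED_AUTHN_REQUEST, new String[]{str, str2, authnRequestXml}, session);
        try {
            if (metaManager == null) {
                SAML2Utils.debug.error("IDPSSOUtil.doSSOFederate: Unable to get meta manager.");
                throw new SAML2Exception(SAML2Utils.bundle.getString("errorMetaManager"));
            }
            String idpEntityID = metaManager.getEntityByMetaAlias(str2);
            if (idpEntityID == null || idpEntityID.trim().length() == 0) {
                SAML2Utils.debug.error("IDPSSOUtil.doSSOFederate: Unable to get IDP Entity ID from meta.");
                LogUtil.error(Level.INFO, LogUtil.INVALID_IDP, new String[]{idpEntityID}, session);
                throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
            }
            String realm = SAML2MetaUtils.getRealmByMetaAlias(str2);
            if (authnRequest == null) {
                // Unsolicited SSO: the remote provider is named only by str, so it must be a provider
                // trusted by this IdP in this realm before any assertion is produced for it.
                Issuer remoteIssuer = AssertionFactory.getInstance().createIssuer();
                remoteIssuer.setValue(str);
                if (!SAML2Utils.isSourceSiteValid(remoteIssuer, realm, idpEntityID)) {
                    if (SAML2Utils.debug.warningEnabled()) {
                        SAML2Utils.debug.warning("IDPSSOUtil.doSSOFederate: The remote provider is not valid.");
                    }
                    throw new SAML2Exception(SAML2Utils.bundle.getString("invalidReceiver"));
                }
            }
            // RelayState is a caller-controlled redirect target; it is checked against the IdP's configured
            // allowlist before the session is touched, and a rejection aborts the whole flow.
            SAML2Utils.validateRelayStateURL(realm, idpEntityID, str4, SAML2Constants.IDP_ROLE);
            // NOTE(review): with an AuthnRequest present the session/realm check is not repeated here;
            // presumably the caller has already validated the session — confirm in the servlet that calls this.
            if (authnRequest != null || (session != null && isValidSessionInRealm(realm, session))) {
                try {
                    SAML2Utils.debug.message("IDPSSOUtil.doSSOFederate:  Invoking the IDP Adapter");
                    SAML2IdentityProviderAdapter idpAdapter = getIDPAdapterClass(realm, idpEntityID);
                    // A true return means the adapter has taken over the response; nothing more to send.
                    if (idpAdapter != null && idpAdapter.preSendResponse(authnRequest, idpEntityID, realm, httpServletRequest, httpServletResponse, session, null, str4)) {
                        return;
                    }
                } catch (SAML2Exception e2) {
                    // Adapter failures are logged but do not block SSO (existing behaviour).
                    SAML2Utils.debug.error("IDPSSOUtil.doSSOFederate:  There was a problem when invokingthe preSendResponse of the IDP Adapter: ", e2);
                }
                sendResponseToACS(httpServletRequest, httpServletResponse, printWriter, session, authnRequest, str, idpEntityID, str2, realm, str3, str4, null);
                return;
            }
            try {
                if (Boolean.parseBoolean(httpServletRequest.getParameter(REDIRECTED))) {
                    // Already been through authentication once: report why SSO cannot proceed instead of looping.
                    if (session == null) {
                        SAML2Utils.debug.error("IDPSSOUtil.doSSOFederate: The IdP was not able to create a session");
                        LogUtil.error(Level.INFO, LogUtil.SSO_NOT_FOUND, new String[]{idpEntityID}, session, null);
                    } else {
                        try {
                            String clientIP = ClientUtils.getClientIPAddress(httpServletRequest);
                            String sessionRealm = SAML2Utils.getSingleValuedSessionProperty(session, SAML2Constants.ORGANIZATION);
                            SAML2Utils.debug.error("IDPSSOUtil.doSSOFederate: The realm of the session (" + sessionRealm + ") does not correspond to that of the IdP (" + realm + ")");
                            LogUtil.error(Level.INFO, LogUtil.INVALID_REALM_FOR_SESSION, new String[]{sessionRealm, realm, str, clientIP, null}, session, null);
                        } catch (SessionException e3) {
                            SAML2Utils.debug.error("IDPSSOUtil.doSSOFederate: Failed to retrieve realm from session", e3);
                        }
                    }
                    // IFSConstants.MAX_CACHING_TIME is the decompiler's name for the numeric status passed here.
                    SAMLUtils.sendError(httpServletRequest, httpServletResponse, IFSConstants.MAX_CACHING_TIME, "UnableToDOSSOOrFederation", SAML2Utils.bundle.getString("UnableToDOSSOOrFederation"));
                } else {
                    redirectAuthentication(httpServletRequest, httpServletResponse, authnRequest, null, realm, idpEntityID, str);
                }
            } catch (IOException e4) {
                SAML2Utils.debug.error("IDPSSOUtil.doSSOFederate: Unable to redirect to authentication.", e4);
                SAMLUtils.sendError(httpServletRequest, httpServletResponse, IFSConstants.MAX_CACHING_TIME, "UnableToRedirectToAuth", SAML2Utils.bundle.getString("UnableToRedirectToAuth"));
            }
        } catch (SAML2MetaException e5) {
            SAML2Utils.debug.error("IDPSSOUtil.doSSOFederate: Unable to get IDP Entity ID from meta.");
            LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, new String[]{str2}, session);
            throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
        }
    }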

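    /**
     * Builds the SAML Response for the authenticated session and delivers it to the SP's Assertion
     * Consumer Service.
     * <p>
     * If the session is owned by another server in the deployment the request is forwarded there and
     * that server's answer is replayed verbatim. Otherwise the Response is built locally, the IdP meta
     * alias is recorded on the session, and delivery goes either through a Circle-of-Trust writer
     * detour ({@code setCOTCookie}) or straight to {@code sendResponse}. The IdP adapter's
     * {@code preSignResponse} is invoked only on the direct path; the cached (COT detour) path re-enters
     * via {@code sendResponse(request, response, out, cacheKey)} and does not call it again.
     *
     * @param obj          session of the authenticated user
     * @param authnRequest SP's AuthnRequest, or {@code null} for unsolicited SSO
     * @param str          SP entity ID (used to resolve the ACS)
     * @param str2         IdP entity ID
     * @param str3         IdP meta alias
     * @param str4         realm
     * @param str5         NameID format (passed through to {@code getResponse})
     * @param str6         RelayState
     * @param authnContext matching AuthnContext, may be {@code null}
     * @throws SAML2Exception when no ACS URL / binding can be resolved, or when neither a Response nor
     *                        an error Response can be produced
     */
    public static void sendResponseToACS(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, PrintWriter printWriter, Object obj, AuthnRequest authnRequest, String str, String str2, String str3, String str4, String str5, String str6, AuthnContext authnContext) throws SAML2Exception {
        StringBuffer bindingOut = new StringBuffer();
        String acsURL = getACSurl(str, str4, authnRequest, httpServletRequest, bindingOut);
        String acsBinding = bindingOut.toString();
        if (acsURL == null || acsURL.trim().length() == 0) {
            SAML2Utils.debug.error("IDPSSOUtil.sendResponseToACS: no ACS URL found.");
            LogUtil.error(Level.INFO, "NO_ACS_URL", new String[]{str3}, obj);
            throw new SAML2Exception(SAML2Utils.bundle.getString("UnableTofindACSURL"));
        }
        if (acsBinding.trim().length() == 0) {
            SAML2Utils.debug.error("IDPSSOUtil.sendResponseToACS: no return binding found.");
            LogUtil.error(Level.INFO, LogUtil.NO_RETURN_BINDING, new String[]{str3}, obj);
            throw new SAML2Exception(SAML2Utils.bundle.getString("UnableTofindBinding"));
        }
        String affiliationID = httpServletRequest.getParameter("affiliationID");
        // Cluster routing: the IDPSession lives on the server that created the session index.
        String remoteServiceURL = SAML2Utils.getRemoteServiceURL(getSessionIndex(obj));
        if (remoteServiceURL != null && forwardToOriginServer(httpServletRequest, httpServletResponse, printWriter, remoteServiceURL)) {
            return;
        }
        Response samlResponse = getResponse(httpServletRequest, obj, authnRequest, str, str2, str3, str4, str5, acsURL, affiliationID, authnContext);
        if (samlResponse == null) {
            SAML2Utils.debug.error("IDPSSOUtil.sendResponseToACS: response is null");
            String message = SAML2Utils.bundle.getString("UnableToCreateAssertion");
            if (authnRequest == null) {
                // Unsolicited SSO has no requester to answer with a status; fail the flow instead.
                throw new SAML2Exception(message);
            }
            samlResponse = SAML2Utils.getErrorResponse(authnRequest, SAML2Constants.RESPONDER, null, message, str2);
            if (samlResponse == null) {
                SAML2Utils.debug.error("IDPSSOUtil.sendResponseToACS: error response is null");
                throw new SAML2Exception(SAML2Utils.bundle.getString("UnableToCreateErrorResponse"));
            }
        } else {
            try {
                sessionProvider.setProperty(obj, SAML2Constants.IDP_META_ALIAS, new String[]{str3});
            } catch (SessionException e2) {
                SAML2Utils.debug.error("IDPSSOUtil.sendResponseToACS: error setting idpMetaAlias into the session: ", e2);
            }
        }
        MultiProtocolUtils.addFederationProtocol(obj, "saml2");
        if (setCOTCookie(httpServletRequest, httpServletResponse, acsBinding, str, str2, str3, str4, str6, acsURL, samlResponse, obj)) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("IDPSSOUtil.sendResponseToACS: Redirected to set COT cookie.");
            }
            return;
        }
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("IDPSSOUtil.sendResponseToACS: Doesn't set COT cookie.");
            // Full Response (subject, attributes) goes to the debug log at message level.
            SAML2Utils.debug.message("IDPSSOUtil.sendResponseToACS: Response is:  " + samlResponse.toXMLString());
        }
        try {
            SAML2Utils.debug.message("IDPSSOUtil.sendResponseToACS: Invoking the IDP Adapter");
            SAML2IdentityProviderAdapter idpAdapter = getIDPAdapterClass(str4, str2);
            if (idpAdapter != null) {
                idpAdapter.preSignResponse(authnRequest, samlResponse, str2, str4, httpServletRequest, obj, str6);
            }
        } catch (SAML2Exception e3) {
            SAML2Utils.debug.error("IDPSSOUtil.sendResponseToACS: There was a problem when invoking the preSendResponse of the IDP Adapter: ", e3);
        }
        sendResponse(httpServletRequest, httpServletResponse, printWriter, acsBinding, str, str2, str3, str4, str6, acsURL, samlResponse, obj);
    }

    /**
     * Forwards the current request to the server that owns the session and replays its answer:
     * a redirect if the origin asked for one, otherwise its status code and HTML body.
     *
     * @return {@code true} when the origin server answered (its answer has been written, or the write
     *         failed and was logged); {@code false} when nothing came back and the request must be
     *         handled locally
     */
    private static boolean forwardToOriginServer(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, PrintWriter printWriter, String remoteServiceURL) {
        StringBuilder target = new StringBuilder(remoteServiceURL).append(SAML2Utils.removeDeployUri(httpServletRequest.getRequestURI()));
        // Only append a query string when there is one; the previous "?" + null produced "?null".
        String queryString = httpServletRequest.getQueryString();
        if (queryString != null) {
            target.append('?').append(queryString);
        }
        String forwardURL = target.toString();
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("SessionIndex for this SSOToken is not local, forwarding the request to: " + forwardURL);
        }
        HashMap originReply = SAML2Utils.sendRequestToOrigServer(httpServletRequest, httpServletResponse, forwardURL);
        if (originReply == null || originReply.isEmpty()) {
            return false;
        }
        String redirectURL = (String) originReply.get(SAML2Constants.AM_REDIRECT_URL);
        String outputData = (String) originReply.get(SAML2Constants.OUTPUT_DATA);
        String responseCode = (String) originReply.get(SAML2Constants.RESPONSE_CODE);
        if (redirectURL != null && !redirectURL.isEmpty()) {
            try {
                httpServletResponse.sendRedirect(redirectURL);
            } catch (IOException e) {
                SAML2Utils.debug.error("IDPSSOUtil.sendResponseToACS() error in Request Routing", e);
            }
            return true;
        }
        if (responseCode != null) {
            try {
                httpServletResponse.setStatus(Integer.parseInt(responseCode));
            } catch (NumberFormatException e) {
                // The origin's reply is parsed from the wire; do not let a malformed code become a 500 here.
                SAML2Utils.debug.error("IDPSSOUtil.sendResponseToACS: ignoring non-numeric response code from origin server: " + responseCode);
            }
        }
        if (outputData != null && !outputData.isEmpty()) {
            SAML2Utils.debug.message("Printing the forwarded response");
            httpServletResponse.setContentType("text/html; charset=UTF-8");
            printWriter.println(outputData);
        }
        return true;
    }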

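    /**
     * When a Circle-of-Trust writer service is configured for this realm / IdP / SP, parks the fully
     * prepared delivery parameters in {@code IDPCache.responseCache} under a fresh server-scoped ID and
     * redirects the user agent to the writer. The writer's RelayState points back at this endpoint with
     * {@code SAML2Constants.RES_INFO_ID=<cacheKey>}, which the four-argument {@code sendResponse}
     * consumes to finish delivery.
     *
     * @param str      ACS binding
     * @param str2     SP entity ID
     * @param str3     IdP entity ID (sent to the writer as {@code _saml_idp})
     * @param str4     IdP meta alias
     * @param str5     realm
     * @param str6     RelayState
     * @param str7     ACS URL
     * @param response the prepared SAML Response
     * @param obj      the session
     * @return {@code true} when the redirect was sent (the caller must not deliver the response itself);
     *         {@code false} when no writer URL is configured or the redirect could not be written
     */
    private static boolean setCOTCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2, String str3, String str4, String str5, String str6, String str7, Response response, Object obj) {
        String writerURL = getWriterURL(str5, str3, str2);
        if (writerURL == null) {
            return false;
        }
        // Slot order is the contract with sendResponse(request, response, out, cacheKey); keep it stable.
        ArrayList cached = new ArrayList(9);
        cached.add(0, str);
        cached.add(1, str2);
        cached.add(2, str3);
        cached.add(3, str4);
        cached.add(4, str5);
        cached.add(5, str6);
        cached.add(6, str7);
        cached.add(7, response);
        cached.add(8, obj);
        String cacheKey = SAML2Utils.generateIDWithServerID();
        IDPCache.responseCache.put(cacheKey, cached);
        // NOTE(review): the return URL is taken from scheme/server name/port of the incoming request, i.e.
        // from the Host header as the container sees it; this relies on the front end pinning Host.
        StringBuilder returnURL = new StringBuilder(100);
        returnURL.append(httpServletRequest.getScheme()).append("://").append(httpServletRequest.getServerName()).append(":").append(httpServletRequest.getServerPort()).append(httpServletRequest.getRequestURI()).append("?").append(SAML2Constants.RES_INFO_ID).append("=").append(cacheKey);
        String encodedReturnURL = URLEncDec.encode(returnURL.toString());
        StringBuilder redirect = new StringBuilder(200);
        redirect.append(writerURL);
        redirect.append(writerURL.indexOf("?") > 0 ? "&" : "?");
        // The entity ID is a URI; encode it so reserved characters cannot break or extend the query.
        redirect.append("_saml_idp").append("=").append(URLEncDec.encode(str3)).append("&").append("RelayState").append("=").append(encodedReturnURL);
        String writerRedirect = redirect.toString();
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("IDPSSOUtil.setCOTCookie: Writer redirect URL: " + writerRedirect);
        }
        try {
            httpServletResponse.sendRedirect(writerRedirect);
            return true;
        } catch (IOException e) {
            SAML2Utils.debug.error("IDPSSOUtil.setCOTCookie: Unable to send redirect: ", e);
            return false;
        }
    }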

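    /**
     * Sends a status-only (error) Response to the SP over the ACS binding resolved for it.
     * <p>
     * The binding is an out-parameter of {@code getACSurl}, so it must be read only after that call
     * returns; the previous inline form called {@code toString()} before {@code getACSurl} ran (Java
     * evaluates arguments left to right) and always handed an empty binding to {@code sendResponse}.
     *
     * @param str          IdP meta alias
     * @param str2         IdP entity ID (issuer of the error Response)
     * @param str3         realm
     * @param authnRequest the request being answered (its ID becomes InResponseTo)
     * @param str4         RelayState
     * @param str5         SP entity ID
     * @param str6         first-level status code
     * @param str7         second-level status code, may be {@code null}
     * @throws SAML2Exception when the response cannot be delivered
     */
    public static void sendResponseWithStatus(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, PrintWriter printWriter, String str, String str2, String str3, AuthnRequest authnRequest, String str4, String str5, String str6, String str7) throws SAML2Exception {
        Response errorResponse = SAML2Utils.getErrorResponse(authnRequest, str6, str7, null, str2);
        StringBuffer bindingOut = new StringBuffer();
        String acsURL = getACSurl(str5, str3, authnRequest, httpServletRequest, bindingOut);
        String acsBinding = bindingOut.toString();
        sendResponse(httpServletRequest, httpServletResponse, printWriter, acsBinding, str5, str2, str, str3, str4, acsURL, errorResponse, null);
    }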

    /**
     * Completes a delivery that was parked by {@code setCOTCookie}: removes the cached parameter list
     * keyed by {@code str} (the {@code RES_INFO_ID} value carried back in the RelayState) and hands it
     * to the full {@code sendResponse}. The entry is consumed on the first use.
     *
     * @param str cache key issued by {@code setCOTCookie}
     * @throws SAML2Exception when no complete entry exists for the key
     */
    public static void sendResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, PrintWriter printWriter, String str) throws SAML2Exception {
        List cached = (ArrayList) IDPCache.responseCache.remove(str);
        boolean complete = cached != null && cached.size() == 9;
        if (!complete) {
            SAML2Utils.debug.error("IDPSSOUtil.sendResponse: unable to get response information from cache.");
            throw new SAML2Exception(SAML2Utils.bundle.getString("UnableToGetResponseInfoFromCache"));
        }
        String acsBinding = (String) cached.get(0);
        String spEntityID = (String) cached.get(1);
        String idpEntityID = (String) cached.get(2);
        String idpMetaAlias = (String) cached.get(3);
        String realm = (String) cached.get(4);
        String relayState = (String) cached.get(5);
        String acsURL = (String) cached.get(6);
        Response samlResponse = (Response) cached.get(7);
        Object session = cached.get(8);
        sendResponse(httpServletRequest, httpServletResponse, printWriter, acsBinding, spEntityID, idpEntityID, idpMetaAlias, realm, relayState, acsURL, samlResponse, session);
    }

    /**
     * Delivers a prepared SAML Response to the SP over the resolved binding.
     * <p>
     * HTTP-Artifact and PAOS (ECP) are delegated to {@code sendResponseArtifact} and
     * {@code sendResponseECP}; any other value of {@code str} except HTTP-POST is rejected. For
     * HTTP-POST the signing policy is: the assertion is always signed unless the SP asks for a signed
     * Response, in which case assertion signing follows the SP's WantAssertionsSigned setting, and the
     * Response itself is signed only when the SP asks for it. The complete Response XML is written to
     * the debug log (message level) and to the access log; it carries the subject and attribute values.
     *
     * @param str      binding URI the ACS was resolved with
     * @param str2     SP entity ID
     * @param str3     IdP entity ID
     * @param str4     IdP meta alias
     * @param str5     realm
     * @param str6     RelayState to echo back
     * @param str7     ACS URL
     * @param response the Response to deliver; signed/encrypted in place
     * @param obj      the session, for audit logging
     * @throws SAML2Exception on an unsupported binding, a signing failure, or when the POST cannot be written
     */
    public static void sendResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, PrintWriter printWriter, String str, String str2, String str3, String str4, String str5, String str6, String str7, Response response, Object obj) throws SAML2Exception {
        HashMap logProps = new HashMap();
        logProps.put("NameID", SAML2Utils.getNameIDStringFromResponse(response));
        if (str.equals(SAML2Constants.HTTP_ARTIFACT)) {
            sendResponseArtifact(httpServletRequest, httpServletResponse, str3, str2, str5, str7, str6, response, obj, logProps);
            return;
        }
        if (str.equals(SAML2Constants.PAOS)) {
            // ECP path: components always signed/encrypted as configured; no separate Response signature here.
            signAndEncryptResponseComponents(str5, str2, str3, response, true);
            sendResponseECP(httpServletRequest, httpServletResponse, printWriter, str3, str5, str7, response);
            return;
        }
        if (!str.equals(SAML2Constants.HTTP_POST)) {
            SAML2Utils.debug.error("IDPSSOUtil.sendResponse: unsupported return binding.");
            throw new SAML2Exception(SAML2Utils.bundle.getString("UnSupportedReturnBinding"));
        }
        boolean spWantsSignedResponse = SAML2Utils.wantPOSTResponseSigned(str5, str2, SAML2Constants.SP_ROLE);
        boolean signAssertion = !spWantsSignedResponse || wantAssertionsSigned(str2, str5);
        signAndEncryptResponseComponents(str5, str2, str3, response, signAssertion);
        if (spWantsSignedResponse) {
            signResponse(str5, str3, response);
        }
        String responseXml = response.toXMLString(true, true);
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("IDPSSOUtil.sendResponse: SAML Response content :\n" + responseXml);
        }
        String encodedResponse = SAML2Utils.encodeForPOST(responseXml);
        LogUtil.access(Level.INFO, LogUtil.POST_RESPONSE, new String[]{str2, str4, responseXml}, obj, logProps);
        try {
            SAML2Utils.postToTarget(httpServletRequest, httpServletResponse, "SAMLResponse", encodedResponse, "RelayState", str6, str7);
        } catch (SAML2Exception postFailure) {
            LogUtil.error(Level.INFO, LogUtil.POST_TO_TARGET_FAILED, new String[]{str7}, obj, logProps);
            throw postFailure;
        }
    }

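    /**
     * Builds the SAML Response for this session.
     * <p>
     * On success the Response carries one Assertion and a {@code Success} status. When
     * {@code getAssertion} rejects the request's NameIDPolicy it throws
     * {@link SAML2InvalidNameIDPolicyException}; that case is answered with a
     * {@code Requester}/{@code InvalidNameIDPolicy} status and no assertion, as SAML requires, instead
     * of the status being built and then discarded (the previous control flow fell through to the
     * "no assertion" early return and lost it). A {@code null} return still means "nothing could be
     * built"; the caller turns that into a {@code Responder} error response.
     *
     * @param obj          the session
     * @param authnRequest the request being answered, or {@code null} (no InResponseTo)
     * @param str          SP entity ID
     * @param str2         IdP entity ID (issuer)
     * @param str3         IdP meta alias
     * @param str4         realm
     * @param str5         NameID format
     * @param str6         ACS URL (becomes the Destination)
     * @param str7         affiliation ID, may be {@code null}
     * @param authnContext matching AuthnContext, may be {@code null}
     * @return the Response, or {@code null} when no assertion could be produced
     * @throws SAML2Exception propagated from assertion building
     */
    public static Response getResponse(HttpServletRequest httpServletRequest, Object obj, AuthnRequest authnRequest, String str, String str2, String str3, String str4, String str5, String str6, String str7, AuthnContext authnContext) throws SAML2Exception {
        Response samlResponse = ProtocolFactory.getInstance().createResponse();
        Status status = ProtocolFactory.getInstance().createStatus();
        if (status == null) {
            return null;
        }
        StatusCode statusCode = ProtocolFactory.getInstance().createStatusCode();
        if (statusCode == null) {
            return null;
        }
        try {
            Assertion assertion = getAssertion(httpServletRequest, obj, authnRequest, str, str2, str3, str4, str5, str6, str7, authnContext);
            if (assertion == null) {
                SAML2Utils.debug.error("IDPSSOUtil.getResponse: Unable to get Assertion.");
                return null;
            }
            List<Assertion> assertions = new ArrayList<Assertion>();
            assertions.add(assertion);
            samlResponse.setAssertion(assertions);
            statusCode.setValue(SAML2Constants.SUCCESS);
        } catch (SAML2InvalidNameIDPolicyException e) {
            // Requester fault: answer with Requester/InvalidNameIDPolicy and no assertion.
            statusCode.setValue(SAML2Constants.REQUESTER);
            StatusCode subStatusCode = ProtocolFactory.getInstance().createStatusCode();
            subStatusCode.setValue(SAML2Constants.INVALID_NAME_ID_POLICY);
            statusCode.setStatusCode(subStatusCode);
            status.setStatusMessage(e.getMessage());
        }
        status.setStatusCode(statusCode);
        samlResponse.setStatus(status);
        if (authnRequest != null) {
            samlResponse.setInResponseTo(authnRequest.getID());
        }
        samlResponse.setVersion(SAML2Constants.VERSION_2_0);
        samlResponse.setIssueInstant(Time.newDate());
        samlResponse.setID(SAML2Utils.generateID());
        Issuer issuer = AssertionFactory.getInstance().createIssuer();
        issuer.setValue(str2);
        samlResponse.setIssuer(issuer);
        // Destination is the ACS URL; escaped because it is serialized into an XML attribute.
        samlResponse.setDestination(XMLUtils.escapeSpecialCharacters(str6));
        return samlResponse;
    }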

    private static Assertion getAssertion(HttpServletRequest httpServletRequest, Object obj, AuthnRequest authnRequest, String str, String str2, String str3, String str4, String str5, String str6, String str7, AuthnContext authnContext) throws SAML2Exception {
        IDPSession iDPSession;
        Assertion createAssertion = AssertionFactory.getInstance().createAssertion();
        String generateID = SAML2Utils.generateID();
        createAssertion.setID(generateID);
        createAssertion.setVersion(SAML2Constants.VERSION_2_0);
        createAssertion.setIssueInstant(Time.newDate());
        Issuer createIssuer = AssertionFactory.getInstance().createIssuer();
        createIssuer.setValue(str2);
        createAssertion.setIssuer(createIssuer);
        ArrayList arrayList = new ArrayList();
        NewBoolean newBoolean = new NewBoolean();
        String sessionID = sessionProvider.getSessionID(obj);
        synchronized (sessionID) {
            AuthnStatement authnStatement = getAuthnStatement(httpServletRequest, obj, newBoolean, authnRequest, str2, str4, authnContext, str3);
            if (authnStatement == null) {
                return null;
            }
            String sessionIndex = authnStatement.getSessionIndex();
            if (newBoolean.getValue()) {
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message("IDPSSOUtil.getAssertion: This is a new IDP session with sessionIndex=" + sessionIndex + ", and sessionID=" + sessionID);
                }
                iDPSession = IDPCache.idpSessionsBySessionID.get(sessionProvider.getSessionID(obj));
                if (iDPSession == null) {
                    iDPSession = new IDPSession(obj);
                }
                iDPSession.setMetaAlias(str3);
                IDPCache.idpSessionsByIndices.put(sessionIndex, iDPSession);
                if (agent != null && agent.isRunning() && saml2Svc != null) {
                    saml2Svc.setIdpSessionCount(IDPCache.idpSessionsByIndices.size());
                }
            } else {
                iDPSession = IDPCache.idpSessionsByIndices.get(sessionIndex);
            }
            if (newBoolean.getValue()) {
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message("IDPSSOUtil.getAssertion: a new IDP session has been saved in cache, with sessionIndex=" + sessionIndex);
                }
                try {
                    sessionProvider.addListener(obj, sessionListener);
                } catch (SessionException e) {
                    SAML2Utils.debug.error("IDPSSOUtil.getAssertion: Unable to add session listener.");
                }
            } else if (iDPSession == null && SAML2FailoverUtils.isSAML2FailoverEnabled()) {
                IDPSessionCopy iDPSessionCopy = null;
                try {
                    iDPSessionCopy = (IDPSessionCopy) SAML2FailoverUtils.retrieveSAML2Token(sessionIndex);
                } catch (SAML2TokenRepositoryException e2) {
                    SAML2Utils.debug.error("IDPSSOUtil.getAssertion: Unable to obtain IDPSessionCopy from the SAML2 Token Repository for sessionIndex:" + sessionIndex, e2);
                }
                if (iDPSessionCopy == null) {
                    SAML2Utils.debug.error("IDPSessionCopy is null");
                    throw new SAML2Exception(SAML2Utils.bundle.getString("IDPSessionIsNULL"));
                }
                iDPSession = new IDPSession(iDPSessionCopy);
            } else {
                if (iDPSession == null && !SAML2FailoverUtils.isSAML2FailoverEnabled()) {
                    SAML2Utils.debug.error("IDPSession is null; SAML2 failoveris disabled");
                    throw new SAML2Exception(SAML2Utils.bundle.getString("IDPSessionIsNULL"));
                }
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message("IDPSSOUtil.getAssertion: This is an existing IDP session with sessionIndex=" + sessionIndex + ", and sessionID=" + sessionProvider.getSessionID(iDPSession.getSession()));
                }
            }
            arrayList.add(authnStatement);
            AttributeStatement attributeStatement = getAttributeStatement(obj, str2, str, str4);
            if (attributeStatement != null) {
                ArrayList arrayList2 = new ArrayList();
                arrayList2.add(attributeStatement);
                createAssertion.setAttributeStatements(arrayList2);
            }
            int effectiveTime = getEffectiveTime(str4, str2);
            int notBeforeSkewTime = getNotBeforeSkewTime(str4, str2);
            Subject subject = getSubject(obj, authnRequest, str6, str5, str4, str2, str, effectiveTime, str7);
            String value = authnRequest != null ? authnRequest.getIssuer().getValue() : str;
            NameIDandSPpair nameIDandSPpair = new NameIDandSPpair(subject.getNameID(), value);
            synchronized (IDPCache.idpSessionsByIndices) {
                List<NameIDandSPpair> nameIDandSPpairs = iDPSession.getNameIDandSPpairs();
                String value2 = authnRequest != null ? authnRequest.getIssuer().getValue() : value;
                boolean z = false;
                Iterator<NameIDandSPpair> it = nameIDandSPpairs.iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    if (it.next().getSPEntityID().equals(value2)) {
                        z = true;
                        break;
                    }
                }
                if (!z) {
                    nameIDandSPpairs.add(nameIDandSPpair);
                }
            }
            createAssertion.setAuthnStatements(arrayList);
            createAssertion.setSubject(subject);
            Conditions conditions = getConditions(str, notBeforeSkewTime, effectiveTime);
            createAssertion.setConditions(conditions);
            String attributeValueFromIDPSSOConfig = getAttributeValueFromIDPSSOConfig(str4, str2, SAML2Constants.DISCO_BOOTSTRAPPING_ENABLED);
            if (attributeValueFromIDPSSOConfig != null && attributeValueFromIDPSSOConfig.equalsIgnoreCase("true")) {
                List<AttributeStatement> attributeStatements = createAssertion.getAttributeStatements();
                if (attributeStatements == null) {
                    attributeStatements = new ArrayList();
                    createAssertion.setAttributeStatements(attributeStatements);
                }
                DiscoveryBootstrap discoveryBootstrap = new DiscoveryBootstrap(obj, subject, authnStatement.getAuthnContext().getAuthnContextClassRef(), value, str4);
                attributeStatements.add(discoveryBootstrap.getBootstrapStatement());
                createAssertion.setAdvice(discoveryBootstrap.getCredentials());
            }
            if (assertionCacheEnabled(str4, str2)) {
                try {
                    String lowerCase = sessionProvider.getPrincipalName(obj).toLowerCase();
                    List list = (List) IDPCache.assertionCache.get(lowerCase);
                    if (list == null) {
                        synchronized (IDPCache.assertionCache) {
                            list = (List) IDPCache.assertionCache.get(lowerCase);
                            if (list == null) {
                                list = new ArrayList();
                                IDPCache.assertionCache.put(lowerCase, list);
                            }
                        }
                    }
                    synchronized (list) {
                        list.add(createAssertion);
                    }
                    IDPCache.assertionByIDCache.put(generateID, createAssertion);
                    if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
                        try {
                            SAML2FailoverUtils.saveSAML2Token(generateID, lowerCase, createAssertion.toXMLString(true, true), conditions.getNotOnOrAfter().getTime() / 1000);
                            if (SAML2Utils.debug.messageEnabled()) {
                                SAML2Utils.debug.message("IDPSSOUtil.getAssertion: Saving Assertion to SAML2 Token Repository. ID = " + generateID);
                            }
                        } catch (SAML2TokenRepositoryException e3) {
                            SAML2Utils.debug.error("IDPSSOUtil.getAssertion: Unable to save Assertion to the SAML2 Token Repository", e3);
                        }
                    }
                } catch (SessionException e4) {
                    SAML2Utils.debug.error("IDPSSOUtil.getAssertion: Unable to get principal name from the session.", e4);
                    throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
                }
            }
            try {
                if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
                    SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(sessionIndex, new IDPSessionCopy(iDPSession), (Time.currentTimeMillis() / 1000) + sessionProvider.getTimeLeft(obj));
                }
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message("IDPSSOUtil.getAssertion: SAVE IDPSession!");
                }
            } catch (SessionException e5) {
                SAML2Utils.debug.error("IDPSSOUtil.getAssertion: Unable to get left-time from the session.", e5);
                throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
            } catch (SAML2TokenRepositoryException e6) {
                SAML2Utils.debug.error("IDPSSOUtil.getAssertion: Unable to save IDPSession to the SAML2 Token Repository", e6);
            }
            return createAssertion;
        }
    }

    /**
     * Builds the {@code AuthnStatement} for a newly issued assertion and makes sure the IDP session
     * carries a session index.
     *
     * <p>Work done, in order: read the AuthnInstant from the session; resolve the AuthnContext
     * (caller-supplied or derived from the session's {@code AuthLevel}); when a proxy-IDP
     * {@code Response} is attached to the servlet request, append its authenticating authorities;
     * establish the session index and cache the context under it.
     *
     * <p>Parameter roles for {@code str}/{@code str2} are inferred from call positions only (the
     * decompiled names carry no meaning) — confirm against {@code getIDPAuthnContextMapper}.
     *
     * @param httpServletRequest current request; only its server-side attribute
     *        {@code SAML_PROXY_IDP_RESPONSE_KEY} is read (an attribute, not a client parameter)
     * @param obj the IDP session object handed to {@code sessionProvider}
     * @param newBoolean out-parameter: {@code true} when this call generated and stored a new
     *        session index, {@code false} when the session already had one
     * @param authnRequest not referenced in this method body
     * @param str passed in the IDP-entity-ID position of the authn-context mapper lookup (inferred)
     * @param str2 passed in the realm position of the mapper and SP-SSO-config lookups (inferred)
     * @param authnContext context chosen by the caller, or {@code null} to derive it from the
     *        session's auth level
     * @param str3 meta alias of the hosted SP whose decryption keys unwrap a proxied
     *        {@code EncryptedAssertion}
     * @return statement carrying AuthnInstant, AuthnContext and SessionIndex
     * @throws SAML2Exception with key {@code errorGettingAuthnStatement} on any failure; the
     *         SAML2Exceptions thrown inside the outer {@code try} are caught by its
     *         {@code catch (Exception)} and re-wrapped under the same key
     */
    private static AuthnStatement getAuthnStatement(HttpServletRequest httpServletRequest, Object obj, NewBoolean newBoolean, AuthnRequest authnRequest, String str, String str2, AuthnContext authnContext, String str3) throws SAML2Exception {
        AuthnStatement createAuthnStatement = AssertionFactory.getInstance().createAuthnStatement();
        Date date = null;
        try {
            // AuthnInstant: the session's recorded authentication time, falling back to "now".
            String[] property = sessionProvider.getProperty(obj, SessionProvider.AUTH_INSTANT);
            if (property != null && property.length != 0 && property[0] != null && property[0].length() != 0) {
                date = DateUtils.stringToDate(property[0]);
            }
            if (date == null) {
                date = Time.newDate();
            }
            createAuthnStatement.setAuthnInstant(date);
            AuthnContext authnContext2 = authnContext;
            if (authnContext2 == null) {
                // No context supplied: map the session's AuthLevel through the configured mapper.
                String str4 = null;
                try {
                    String[] property2 = sessionProvider.getProperty(obj, "AuthLevel");
                    if (property2 != null && property2.length != 0 && property2[0] != null && property2[0].length() != 0) {
                        str4 = property2[0];
                    }
                    authnContext2 = getIDPAuthnContextMapper(str2, str).getAuthnContextFromAuthLevel(str4, str2, str);
                } catch (Exception e) {
                    SAML2Utils.debug.error("IDPSSOUtil.getAuthnStatement: exception retrieving auth level info from the session: ", e);
                    throw new SAML2Exception(SAML2Utils.bundle.getString("errorGettingAuthnStatement"));
                }
            }
            // Proxy case: a Response from the upstream IDP was stashed on the request by an
            // earlier stage. Its issuer chain becomes the AuthenticatingAuthority list.
            Response response = (Response) httpServletRequest.getAttribute(SAML2Constants.SAML_PROXY_IDP_RESPONSE_KEY);
            if (response != null) {
                // LinkedHashSet: de-duplicates while keeping the order authorities were seen.
                LinkedHashSet linkedHashSet = new LinkedHashSet();
                List assertion = response.getAssertion();
                if (CollectionUtils.isNotEmpty(assertion)) {
                    Iterator it = assertion.iterator();
                    while (it.hasNext()) {
                        linkedHashSet.addAll(extractAuthenticatingAuthorities((Assertion) it.next()));
                    }
                    // The upstream IDP itself (issuer of the first assertion) is appended last.
                    linkedHashSet.add(((Assertion) assertion.iterator().next()).getIssuer().getValue());
                    authnContext2.setAuthenticatingAuthority(new ArrayList(linkedHashSet));
                } else {
                    List encryptedAssertion = response.getEncryptedAssertion();
                    if (CollectionUtils.isNotEmpty(encryptedAssertion)) {
                        boolean z = true;
                        // Decrypt with the hosted SP's keys; the SP entity is resolved from the meta alias.
                        Set<PrivateKey> decryptionKeys = KeyUtil.getDecryptionKeys((BaseConfigType) metaManager.getSPSSOConfig(str2, metaManager.getEntityByMetaAlias(str3)));
                        Iterator it2 = encryptedAssertion.iterator();
                        while (it2.hasNext()) {
                            Assertion decrypt = ((EncryptedAssertion) it2.next()).decrypt(decryptionKeys);
                            linkedHashSet.addAll(extractAuthenticatingAuthorities(decrypt));
                            // Only the first decrypted assertion contributes its issuer (mirrors the
                            // plaintext branch above).
                            if (z) {
                                linkedHashSet.add(decrypt.getIssuer().getValue());
                                z = false;
                            }
                        }
                        authnContext2.setAuthenticatingAuthority(new ArrayList(linkedHashSet));
                    }
                }
            }
            createAuthnStatement.setAuthnContext(authnContext2);
            // Session index: reuse the one already on the session, otherwise mint one and persist it
            // so later SLO / session lookups can correlate this assertion with the IDP session.
            String sessionIndex = getSessionIndex(obj);
            if (sessionIndex == null) {
                sessionIndex = SAML2Utils.generateIDWithServerID();
                try {
                    sessionProvider.setProperty(obj, SAML2Constants.IDP_SESSION_INDEX, new String[]{sessionIndex});
                    newBoolean.setValue(true);
                } catch (SessionException e2) {
                    SAML2Utils.debug.error("IDPSSOUtil.getAuthnStatement: error setting session index into the session: ", e2);
                    throw new SAML2Exception(SAML2Utils.bundle.getString("errorGettingAuthnStatement"));
                }
            } else {
                newBoolean.setValue(false);
            }
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("IDPSSOUtil.getAuthnStatement: SessionIndex (in AuthnStatement) =" + sessionIndex);
            }
            // NOTE(review): always true at this point — sessionIndex was assigned above when null.
            if (sessionIndex != null) {
                // Remember every AuthnContext issued under this session index.
                // NOTE(review): get / add / put is not atomic and no lock is visible here; two
                // concurrent requests for the same session could each lose the other's context.
                HashSet hashSet = (HashSet) IDPCache.authnContextCache.get(sessionIndex);
                if (hashSet == null || hashSet.isEmpty()) {
                    hashSet = new HashSet();
                }
                hashSet.add(authnContext2);
                IDPCache.authnContextCache.put(sessionIndex, hashSet);
                createAuthnStatement.setSessionIndex(sessionIndex);
            }
            return createAuthnStatement;
        } catch (Exception e3) {
            SAML2Utils.debug.error("IDPSSOUtil.getAuthnStatement: exception retrieving info from the session: ", e3);
            throw new SAML2Exception(SAML2Utils.bundle.getString("errorGettingAuthnStatement"));
        }
    }

    /**
     * Builds the {@code AttributeStatement} for an assertion from whatever the configured
     * {@link IDPAttributeMapper} returns for this session.
     *
     * <p>Parameter roles are inferred from how they are forwarded (the decompiled names carry no
     * meaning): {@code str3} and {@code str} select the mapper via
     * {@code getIDPAttributeMapper(str3, str)}; all four are then handed to
     * {@code getAttributes(obj, str, str2, str3)}.
     *
     * @param obj the IDP session object passed to the mapper
     * @param str first entity ID argument to the mapper (IDP entity ID by call position — confirm)
     * @param str2 second entity ID argument to the mapper (SP entity ID by call position — confirm)
     * @param str3 realm by call position — confirm
     * @return the statement, or {@code null} when the mapper yields no attributes at all
     * @throws SAML2Exception if the mapper cannot be loaded or fails
     */
    private static AttributeStatement getAttributeStatement(Object obj, String str, String str2, String str3) throws SAML2Exception {
        IDPAttributeMapper mapper = getIDPAttributeMapper(str3, str);
        List<Attribute> mapped = mapper.getAttributes(obj, str, str2, str3);
        if (mapped != null && !mapped.isEmpty()) {
            AttributeStatement statement = AssertionFactory.getInstance().createAttributeStatement();
            statement.setAttribute(mapped);
            return statement;
        }
        // An empty statement is not emitted; callers treat null as "no attributes".
        return null;
    }

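    /**
     * Returns the {@link IDPAttributeMapper} plugin configured for an IDP, instantiating and caching
     * it on first use.
     *
     * <p>The class name is read from the IDP SSO extended configuration, i.e. it is
     * administrator-controlled, and instantiated reflectively; when unset the SDK default
     * {@code DEFAULT_IDP_ATTRIBUTE_MAPPER_CLASS} is used.
     *
     * @param str realm by call position (first argument of {@code getAttributeValueFromIDPSSOConfig})
     *        — confirm
     * @param str2 IDP entity ID by call position — confirm
     * @return the mapper instance (shared through {@code IDPCache.idpAttributeMapperCache})
     * @throws SAML2Exception wrapping any failure to read the config or instantiate the class
     */
    static IDPAttributeMapper getIDPAttributeMapper(String str, String str2) throws SAML2Exception {
        try {
            String mapperClass = getAttributeValueFromIDPSSOConfig(str, str2, SAML2Constants.IDP_ATTRIBUTE_MAPPER);
            if (mapperClass == null) {
                mapperClass = SAML2Constants.DEFAULT_IDP_ATTRIBUTE_MAPPER_CLASS;
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message("IDPSSOUtil.getIDPAttributeMapper: use " + SAML2Constants.DEFAULT_IDP_ATTRIBUTE_MAPPER_CLASS);
                }
            }
            IDPAttributeMapper mapper = (IDPAttributeMapper) IDPCache.idpAttributeMapperCache.get(mapperClass);
            if (mapper != null) {
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message("IDPSSOUtil.getIDPAttributeMapper: got the IDPAttributeMapper from cache");
                }
                return mapper;
            }
            // Class.newInstance() is deprecated because it lets checked exceptions from the
            // constructor escape unchecked; the Constructor route wraps them in
            // InvocationTargetException. Either way they end up in the catch below.
            // The get/put pair is not atomic, so two threads may each build an instance; the
            // second put simply replaces the first, which is harmless for a stateless mapper.
            mapper = (IDPAttributeMapper) Class.forName(mapperClass).getDeclaredConstructor().newInstance();
            IDPCache.idpAttributeMapperCache.put(mapperClass, mapper);
            return mapper;
        } catch (Exception e) {
            SAML2Utils.debug.error("IDPSSOUtil.getIDPAttributeMapper: Unable to get IDP Attribute Mapper.", e);
            throw new SAML2Exception(e);
        }
    }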

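    /**
     * Returns the {@link IDPAuthnContextMapper} plugin configured for an IDP, instantiating and
     * caching it on first use.
     *
     * <p>The class name comes from the IDP SSO extended configuration (administrator-controlled)
     * and is instantiated reflectively; {@code DEFAULT_IDP_AUTHNCONTEXT_MAPPER_CLASS} is used when
     * nothing is configured.
     *
     * @param str realm by call position (first argument of {@code getAttributeValueFromIDPSSOConfig})
     *        — confirm
     * @param str2 IDP entity ID by call position — confirm
     * @return the mapper instance (shared through {@code IDPCache.idpAuthnContextMapperCache})
     * @throws SAML2Exception wrapping any failure to read the config or instantiate the class
     */
    public static IDPAuthnContextMapper getIDPAuthnContextMapper(String str, String str2) throws SAML2Exception {
        try {
            String mapperClass = getAttributeValueFromIDPSSOConfig(str, str2, SAML2Constants.IDP_AUTHNCONTEXT_MAPPER_CLASS);
            if (mapperClass == null) {
                mapperClass = SAML2Constants.DEFAULT_IDP_AUTHNCONTEXT_MAPPER_CLASS;
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message("IDPSSOUtil.getIDPAuthnContextMapper: use " + SAML2Constants.DEFAULT_IDP_AUTHNCONTEXT_MAPPER_CLASS);
                }
            }
            IDPAuthnContextMapper mapper = (IDPAuthnContextMapper) IDPCache.idpAuthnContextMapperCache.get(mapperClass);
            if (mapper != null) {
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message("IDPSSOUtil.getIDPAuthnContextMapper: got the IDPAuthnContextMapper from cache");
                }
                return mapper;
            }
            // Replaces deprecated Class.newInstance(); constructor exceptions now arrive wrapped in
            // InvocationTargetException, still caught by the catch below. The get/put pair is not
            // atomic — a duplicate instance under contention merely overwrites the cached one.
            mapper = (IDPAuthnContextMapper) Class.forName(mapperClass).getDeclaredConstructor().newInstance();
            IDPCache.idpAuthnContextMapperCache.put(mapperClass, mapper);
            return mapper;
        } catch (Exception e) {
            SAML2Utils.debug.error("IDPSSOUtil.getIDPAuthnContextMapper: Unable to get IDP AuthnContext Mapper.", e);
            throw new SAML2Exception(e);
        }
    }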

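    /**
     * Returns the {@link IDPECPSessionMapper} plugin configured for an IDP, instantiating and
     * caching it on first use.
     *
     * <p>The class name comes from the IDP SSO extended configuration (administrator-controlled)
     * and is instantiated reflectively; {@code DEFAULT_IDP_ECP_SESSION_MAPPER_CLASS} is used when
     * nothing is configured.
     *
     * @param str realm by call position (first argument of {@code getAttributeValueFromIDPSSOConfig})
     *        — confirm
     * @param str2 IDP entity ID by call position — confirm
     * @return the mapper instance (shared through {@code IDPCache.idpECPSessionMapperCache})
     * @throws SAML2Exception wrapping any failure to read the config or instantiate the class
     */
    public static IDPECPSessionMapper getIDPECPSessionMapper(String str, String str2) throws SAML2Exception {
        try {
            String mapperClass = getAttributeValueFromIDPSSOConfig(str, str2, SAML2Constants.IDP_ECP_SESSION_MAPPER_CLASS);
            if (mapperClass == null) {
                mapperClass = SAML2Constants.DEFAULT_IDP_ECP_SESSION_MAPPER_CLASS;
                if (SAML2Utils.debug.messageEnabled()) {
                    // NOTE: unlike its siblings this message hard-codes the default class name
                    // instead of printing the constant; kept verbatim.
                    SAML2Utils.debug.message("IDPSSOUtil.getIDPECPSessionMapper: use com.sun.identity.saml2.plugins.DefaultIDPECPSessionMapper");
                }
            }
            IDPECPSessionMapper mapper = (IDPECPSessionMapper) IDPCache.idpECPSessionMapperCache.get(mapperClass);
            if (mapper != null) {
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message("IDPSSOUtil.getIDPECPSessionMapper: got the IDPECPSessionMapper from cache");
                }
                return mapper;
            }
            // Replaces deprecated Class.newInstance(); constructor exceptions now arrive wrapped in
            // InvocationTargetException, still caught by the catch below. The get/put pair is not
            // atomic — a duplicate instance under contention merely overwrites the cached one.
            mapper = (IDPECPSessionMapper) Class.forName(mapperClass).getDeclaredConstructor().newInstance();
            IDPCache.idpECPSessionMapperCache.put(mapperClass, mapper);
            return mapper;
        } catch (Exception e) {
            SAML2Utils.debug.error("IDPSSOUtil.getIDPECPSessionMapper: Unable to get IDPECPSessionMapper.", e);
            throw new SAML2Exception(e);
        }
    }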

    /**
     * Builds the assertion {@code Subject}: resolves — or creates and, where policy allows,
     * persists — the NameID for the authenticated principal and attaches one bearer
     * {@code SubjectConfirmation}.
     *
     * <p>Parameter roles are inferred from how the values are passed on; the decompiled names carry
     * no meaning. Two are grounded by the log constants used when their metadata is missing
     * ({@code str4} → {@code IDP_METADATA_ERROR}, {@code str5} → {@code SP_METADATA_ERROR}).
     *
     * @param obj the IDP session object; {@code sessionProvider.getPrincipalName(obj)} is the user
     * @param authnRequest the SP's request, or {@code null} when there is none (IDP-initiated)
     * @param str Recipient value forwarded to {@code getSubjectConfirmation}
     * @param str2 requested NameID format, negotiated against SP and IDP metadata
     * @param str3 realm (first argument of every {@code metaManager} lookup below) — confirm
     * @param str4 IDP entity ID
     * @param str5 SP entity ID
     * @param i effective time in seconds, forwarded as the confirmation's NotOnOrAfter offset
     * @param str6 affiliation ID to federate against when there is no AuthnRequest; may be null
     * @return subject carrying the NameID and a single bearer SubjectConfirmation
     * @throws SAML2Exception on metadata errors ({@code metaDataError}), an SP that is not a member
     *         of the named affiliation ({@code spNotAffiliationMember}), an unknown affiliation
     *         ({@code affiliationNotFound}), session failures ({@code invalidSSOToken}) or a missing
     *         confirmation ({@code noSubjectConfirmation})
     * @throws SAML2InvalidNameIDPolicyException when a persistent NameID would have to be created
     *         but the NameIDPolicy carries AllowCreate=false
     */
    private static Subject getSubject(Object obj, AuthnRequest authnRequest, String str, String str2, String str3, String str4, String str5, int i, String str6) throws SAML2Exception {
        String str7; // remote entity the federation is keyed on: the SP itself or its affiliation
        NameIDInfo accountFederation;
        Subject createSubject = AssertionFactory.getInstance().createSubject();
        try {
            String principalName = sessionProvider.getPrincipalName(obj);
            boolean isIgnoreProfileSet = SAML2Utils.isIgnoreProfileSet(obj);
            boolean z = true;      // AllowCreate from the NameIDPolicy; defaults to true without one
            String str8 = null;    // SPNameQualifier handed to the account mapper
            boolean z2 = false;    // true when federating with an affiliation rather than the SP
            if (authnRequest != null) {
                // SP-initiated: the issuer of the request is the federation partner unless the
                // NameIDPolicy names an affiliation as SPNameQualifier.
                str7 = authnRequest.getIssuer().getValue();
                NameIDPolicy nameIDPolicy = authnRequest.getNameIDPolicy();
                if (nameIDPolicy != null && (StringUtils.isNotEmpty(nameIDPolicy.getSPNameQualifier()) || StringUtils.isNotEmpty(nameIDPolicy.getFormat()))) {
                    z = nameIDPolicy.isAllowCreate();
                    str8 = nameIDPolicy.getSPNameQualifier();
                    if (str8 == null || str8.isEmpty()) {
                        str8 = str5;
                    } else {
                        // A requesting SP may only claim an affiliation it is listed in.
                        AffiliationDescriptorType affiliationDescriptor = metaManager.getAffiliationDescriptor(str3, str8);
                        if (affiliationDescriptor != null) {
                            if (!affiliationDescriptor.getAffiliateMember().contains(str7)) {
                                throw new SAML2Exception(SAML2Utils.bundle.getString("spNotAffiliationMember"));
                            }
                            z2 = true;
                            str7 = str8;
                        }
                    }
                }
            } else if (str6 != null) {
                // IDP-initiated with an explicit affiliation: it must exist and include this SP.
                AffiliationDescriptorType affiliationDescriptor2 = metaManager.getAffiliationDescriptor(str3, str6);
                if (affiliationDescriptor2 == null) {
                    throw new SAML2Exception(SAML2Utils.bundle.getString("affiliationNotFound"));
                }
                if (!affiliationDescriptor2.getAffiliateMember().contains(str5)) {
                    throw new SAML2Exception(SAML2Utils.bundle.getString("spNotAffiliationMember"));
                }
                z2 = true;
                str7 = str6;
                str8 = str6;
            } else {
                str7 = str5;
                str8 = str5;
            }
            SPSSODescriptorElement sPSSODescriptor = getSPSSODescriptor(str3, str5, "IDPSSOUtil.getSubject: ");
            if (sPSSODescriptor == null) {
                LogUtil.error(Level.INFO, LogUtil.SP_METADATA_ERROR, new String[]{str5}, null);
                throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
            }
            IDPSSODescriptorElement iDPSSODescriptor = metaManager.getIDPSSODescriptor(str3, str4);
            if (iDPSSODescriptor == null) {
                LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, new String[]{str4}, null);
                throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
            }
            // Settle the NameID format both sides support; transient NameIDs are never persisted.
            String verifyNameIDFormat = SAML2Utils.verifyNameIDFormat(str2, sPSSODescriptor, iDPSSODescriptor);
            boolean equals = SAML2Constants.NAMEID_TRANSIENT_FORMAT.equals(verifyNameIDFormat);
            NameID nameID = null;
            IDPAccountMapper iDPAccountMapper = SAML2Utils.getIDPAccountMapper(str3, str4);
            // z3: persist the federation only when the format is not transient, the profile is not
            // being ignored, and the account mapper agrees for this format.
            boolean z3 = (equals || isIgnoreProfileSet || !iDPAccountMapper.shouldPersistNameIDFormat(str3, str4, str7, verifyNameIDFormat)) ? false : true;
            if (!equals) {
                try {
                    // NOTE(review): principalName above already holds this value; the second session
                    // call only adds another failure path (mapped to the same invalidSSOToken key).
                    String principalName2 = sessionProvider.getPrincipalName(obj);
                    if (z3 && (accountFederation = AccountUtils.getAccountFederation(principalName2, str4, str7)) != null) {
                        nameID = accountFederation.getNameID();
                        // A stored federation in a different format is stale: drop it and the IDP
                        // fed session so a fresh NameID is minted below.
                        if (!verifyNameIDFormat.equals(nameID.getFormat())) {
                            AccountUtils.removeAccountFederation(accountFederation, principalName2);
                            DoManageNameID.removeIDPFedSession(str7, nameID.getValue());
                            nameID = null;
                        }
                    }
                } catch (SessionException e) {
                    SAML2Utils.debug.error("IDPSSOUtil.getSubject: Unable to get principal name from the session.", e);
                    throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
                }
            }
            if (nameID == null) {
                // Honour AllowCreate=false: refuse rather than silently create a persistent identifier.
                if (!z && z3) {
                    throw new SAML2InvalidNameIDPolicyException(SAML2Utils.bundle.getString("cannotCreateNameID"));
                }
                nameID = iDPAccountMapper.getNameID(obj, str4, str8, str3, verifyNameIDFormat);
                // NOTE(review): the only debug message in this file not gated on messageEnabled().
                SAML2Utils.debug.message("IDPSSOUtil.getSubject:  shouldPersistNameID = " + z3);
                if (z3 && z) {
                    // Record the federation under the user's profile; DUAL_ROLE when this entity is
                    // both IDP and SP in the realm, else IDP_ROLE with the affiliation flag.
                    AccountUtils.setAccountFederation(SAML2Utils.isDualRole(str4, str3) ? new NameIDInfo(str4, str7, nameID, SAML2Constants.DUAL_ROLE, false) : new NameIDInfo(str4, str7, nameID, SAML2Constants.IDP_ROLE, z2), principalName);
                }
            }
            createSubject.setNameID(nameID);
            if (equals) {
                // Transient value → principal mapping kept in-memory for later lookups
                // (no eviction is visible here — confirm how the cache is bounded).
                IDPCache.userIDByTransientNameIDValue.put(nameID.getValue(), principalName);
            }
            String str9 = null; // InResponseTo: the request ID, absent for IDP-initiated SSO
            if (authnRequest != null) {
                str9 = authnRequest.getID();
            }
            SubjectConfirmation subjectConfirmation = getSubjectConfirmation(str9, str, i);
            if (subjectConfirmation == null) {
                SAML2Utils.debug.error("IDPSSOUtil.getSubject: Unable to get subject confirmation");
                throw new SAML2Exception(SAML2Utils.bundle.getString("noSubjectConfirmation"));
            }
            ArrayList arrayList = new ArrayList();
            arrayList.add(subjectConfirmation);
            createSubject.setSubjectConfirmation(arrayList);
            return createSubject;
        } catch (SessionException e2) {
            SAML2Utils.debug.error("IDPSSOUtil.getSubject: There was a problem with the session.", e2);
            throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
        }
    }

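    /**
     * Builds a bearer {@code SubjectConfirmation} whose data carries Recipient, optional
     * InResponseTo and a NotOnOrAfter {@code i} seconds from now.
     *
     * @param str the AuthnRequest ID to echo as InResponseTo, or {@code null} when there is none
     * @param str2 the Recipient value; XML-escaped before it is set
     * @param i validity of the confirmation in seconds
     * @return the populated confirmation
     * @throws SAML2Exception propagated from the assertion factory
     */
    private static SubjectConfirmation getSubjectConfirmation(String str, String str2, int i) throws SAML2Exception {
        SubjectConfirmation confirmation = AssertionFactory.getInstance().createSubjectConfirmation();
        confirmation.setMethod(SAML2Constants.SUBJECT_CONFIRMATION_METHOD_BEARER);
        SubjectConfirmationData data = AssertionFactory.getInstance().createSubjectConfirmationData();
        data.setRecipient(XMLUtils.escapeSpecialCharacters(str2));
        if (str != null) {
            data.setInResponseTo(str);
        }
        // Scale in long arithmetic: `i * 1000` as int overflows once i exceeds 2_147_483 seconds
        // (~24.8 days) and would produce a NotOnOrAfter in the past.
        Date notOnOrAfter = Time.newDate();
        notOnOrAfter.setTime(notOnOrAfter.getTime() + i * 1000L);
        data.setNotOnOrAfter(notOnOrAfter);
        confirmation.setSubjectConfirmationData(data);
        return confirmation;
    }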

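    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds the assertion {@code Conditions}: a validity window around the current time plus an
     * {@code AudienceRestriction} naming the recipient entity.
     *
     * @param str the audience entity ID, forwarded to {@code getAudienceRestriction}
     * @param i NotBefore skew in seconds, subtracted from now
     * @param i2 effective time in seconds, added to now for NotOnOrAfter
     * @return the populated conditions
     * @throws SAML2Exception with key {@code noAudienceRestriction} when no restriction could be built
     */
    public static Conditions getConditions(String str, int i, int i2) throws SAML2Exception {
        Conditions conditions = AssertionFactory.getInstance().createConditions();
        // Anchor both bounds on one clock read so the window is exactly [now - i, now + i2) instead
        // of two readings taken a few milliseconds apart.
        long now = Time.newDate().getTime();
        // Scale in long arithmetic: int `i * 1000` overflows once the configured seconds exceed
        // 2_147_483 (~24.8 days) and would invert the window.
        conditions.setNotBefore(new Date(now - i * 1000L));
        conditions.setNotOnOrAfter(new Date(now + i2 * 1000L));
        AudienceRestriction audienceRestriction = getAudienceRestriction(str);
        if (audienceRestriction == null) {
            SAML2Utils.debug.error("IDPSSOUtil.getConditions: Unable to get Audience Restriction");
            throw new SAML2Exception(SAML2Utils.bundle.getString("noAudienceRestriction"));
        }
        List<AudienceRestriction> restrictions = new ArrayList<AudienceRestriction>();
        restrictions.add(audienceRestriction);
        conditions.setAudienceRestrictions(restrictions);
        return conditions;
    }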

    /**
     * Wraps a single audience entity ID in an {@code AudienceRestriction}.
     *
     * @param str the audience entity ID; when {@code null} the restriction is returned with no
     *        audiences set rather than as {@code null}
     * @return a restriction holding at most one audience
     * @throws SAML2Exception propagated from the assertion factory
     */
    private static AudienceRestriction getAudienceRestriction(String str) throws SAML2Exception {
        AudienceRestriction restriction = AssertionFactory.getInstance().createAudienceRestriction();
        if (str == null) {
            return restriction;
        }
        List<String> audiences = new ArrayList<String>();
        audiences.add(str);
        restriction.setAudience(audiences);
        return restriction;
    }

    /**
     * Picks the ACS URL for a response, taking the requested URL, binding and index from the
     * {@code AuthnRequest} when there is one, or just a binding hint from the HTTP request
     * parameter {@code SAML2Constants.BINDING} when there is none.
     *
     * <p>Delegates to the seven-argument overload, which validates any explicit ACS URL against
     * SP metadata; the selected binding is appended to {@code stringBuffer}.
     *
     * @param str SP entity ID by call position — confirm
     * @param str2 realm by call position — confirm
     * @param authnRequest the SP's request, or {@code null}
     * @param httpServletRequest read only when {@code authnRequest} is {@code null}
     * @param stringBuffer receives the resolved binding
     * @return the ACS URL to deliver the response to, or {@code null} if none could be resolved
     * @throws SAML2Exception when an explicitly requested ACS URL is not in the SP's metadata
     */
    public static String getACSurl(String str, String str2, AuthnRequest authnRequest, HttpServletRequest httpServletRequest, StringBuffer stringBuffer) throws SAML2Exception {
        String requestedAcsUrl = null;
        Integer requestedIndex = null;
        String requestedBinding;
        if (authnRequest == null) {
            // No AuthnRequest: the only hint is the (client-supplied) binding parameter.
            requestedBinding = httpServletRequest.getParameter(SAML2Constants.BINDING);
        } else {
            requestedAcsUrl = authnRequest.getAssertionConsumerServiceURL();
            requestedBinding = authnRequest.getProtocolBinding();
            requestedIndex = authnRequest.getAssertionConsumerServiceIndex();
        }
        return getACSurl(str, str2, requestedAcsUrl, requestedBinding, requestedIndex, httpServletRequest, stringBuffer);
    }

    /**
     * Resolves the ACS URL and binding for a response from SP metadata.
     *
     * <p>An explicitly requested URL ({@code str3}) is only honoured if
     * {@code isACSurlValidInMetadataSP} finds it in the SP's metadata — this is what stops a
     * crafted AuthnRequest from redirecting the assertion elsewhere. Otherwise the URL is looked up
     * by binding, by index (clamped to 0 when outside 0..65535), or the SP's default entry.
     *
     * @param str SP entity ID by call position — confirm
     * @param str2 realm by call position — confirm
     * @param str3 requested ACS URL, may be {@code null}/empty
     * @param str4 requested binding, with or without the binding URN prefix, may be {@code null}
     * @param num requested ACS index, may be {@code null}
     * @param httpServletRequest unused in this method body
     * @param stringBuffer receives the resolved binding (may receive the text "null" if the
     *        metadata entry has none — mirrors the original behaviour)
     * @return the ACS URL, or {@code null} when the metadata lookups yield nothing
     * @throws SAML2Exception {@code invalidAssertionConsumerServiceURL} when {@code str3} is set
     *         but not present in SP metadata
     */
    public static String getACSurl(String str, String str2, String str3, String str4, Integer num, HttpServletRequest httpServletRequest, StringBuffer stringBuffer) throws SAML2Exception {
        String binding = str4;
        String acsUrl = str3;
        // Bare binding names are prefixed so they compare equal to the URNs in metadata.
        if (binding != null && !binding.trim().isEmpty() && !binding.startsWith(SAML2Constants.BINDING_PREFIX)) {
            binding = SAML2Constants.BINDING_PREFIX + binding;
        }
        if (acsUrl != null && acsUrl.length() != 0) {
            if (!isACSurlValidInMetadataSP(acsUrl, str, str2)) {
                throw new SAML2Exception(SAML2SDKUtils.BUNDLE_NAME, "invalidAssertionConsumerServiceURL", new String[]{acsUrl, str});
            }
            if (binding == null || binding.isEmpty()) {
                binding = getBindingForAcsUrl(str, str2, acsUrl);
            }
        } else {
            StringBuffer resolvedBinding = new StringBuffer();
            if (binding != null && binding.trim().length() != 0) {
                acsUrl = getACSurlFromMetaByBinding(str, str2, binding, resolvedBinding);
            } else if (num != null) {
                int index = num.intValue();
                if (index < 0 || index > 65535) {
                    index = 0;
                }
                acsUrl = getACSurlFromMetaByIndex(str, str2, index, resolvedBinding);
            } else {
                acsUrl = getDefaultACSurl(str, str2, resolvedBinding);
            }
            binding = resolvedBinding.toString();
        }
        stringBuffer.append(binding);
        return acsUrl;
    }

    /**
     * Returns the SP's default ACS location: the last entry flagged {@code isDefault}, or the first
     * entry when none is flagged.
     *
     * <p>NOTE(review): {@code getSubject} null-checks the same {@code getSPSSODescriptor} lookup, so
     * a missing SP descriptor would NPE here — confirm whether that helper throws instead.
     *
     * @param str SP entity ID by call position — confirm
     * @param str2 realm by call position — confirm
     * @param stringBuffer receives the chosen entry's binding when it is non-null
     * @return the chosen location, or {@code null} when the SP has no ACS entries
     * @throws SAML2Exception propagated from the metadata lookup
     */
    public static String getDefaultACSurl(String str, String str2, StringBuffer stringBuffer) throws SAML2Exception {
        List acsEntries = getSPSSODescriptor(str2, str, "IDPSSOUtil.getDefaultACSurl: ").getAssertionConsumerService();
        String defaultLocation = null;
        String defaultBinding = null;
        String firstLocation = null;
        String firstBinding = null;
        boolean first = true;
        for (Object entry : acsEntries) {
            AssertionConsumerServiceElement acs = (AssertionConsumerServiceElement) entry;
            if (first) {
                firstLocation = acs.getLocation();
                firstBinding = acs.getBinding();
                first = false;
            }
            // Later isDefault entries overwrite earlier ones (last default wins).
            if (acs.isIsDefault()) {
                defaultLocation = acs.getLocation();
                defaultBinding = acs.getBinding();
            }
        }
        String location = defaultLocation;
        String binding = defaultBinding;
        if (location == null) {
            location = firstLocation;
            binding = firstBinding;
        }
        if (binding != null) {
            stringBuffer.append(binding);
        }
        return location;
    }

    /**
     * Looks up the binding declared in SP metadata for a given ACS location.
     *
     * @param str SP entity ID by call position — confirm
     * @param str2 realm by call position — confirm
     * @param str3 the ACS location to match exactly
     * @return the binding of the first entry whose location equals {@code str3}, or {@code null}
     * @throws SAML2Exception propagated from the metadata lookup
     */
    public static String getBindingForAcsUrl(String str, String str2, String str3) throws SAML2Exception {
        List acsEntries = getSPSSODescriptor(str2, str, "IDPSSOUtil.getBindingForAcsUrl: ").getAssertionConsumerService();
        for (Object entry : acsEntries) {
            AssertionConsumerServiceElement acs = (AssertionConsumerServiceElement) entry;
            String location = acs.getLocation();
            if (location == null) {
                continue;
            }
            if (location.equals(str3)) {
                return acs.getBinding();
            }
        }
        return null;
    }

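    /**
     * Resolves the ACS location for a requested binding from SP metadata, falling back to the SP's
     * default entry and then to its first entry when no entry declares that binding (or the
     * matching entry has an empty location).
     *
     * <p>Fix: an entry without a Binding attribute used to throw NPE on
     * {@code binding.equals(str3)}; it is now skipped for matching purposes.
     *
     * @param str SP entity ID by call position — confirm
     * @param str2 realm by call position — confirm
     * @param str3 the binding URN to look for
     * @param stringBuffer receives the binding of the entry actually chosen
     * @return the chosen location, or {@code null} (after logging) when nothing usable exists
     * @throws SAML2Exception propagated from the metadata lookup
     */
    public static String getACSurlFromMetaByBinding(String str, String str2, String str3, StringBuffer stringBuffer) throws SAML2Exception {
        List acsEntries = getSPSSODescriptor(str2, str, "IDPSSOUtil.getACSurlFromMetaByBinding: ").getAssertionConsumerService();
        String matchedLocation = null;
        String matchedBinding = null;
        String defaultLocation = null;
        String defaultBinding = null;
        String firstLocation = null;
        String firstBinding = null;
        boolean first = true;
        for (Object entry : acsEntries) {
            AssertionConsumerServiceElement acs = (AssertionConsumerServiceElement) entry;
            matchedBinding = acs.getBinding();
            // Null-safe compare: metadata entries with no Binding are skipped rather than NPE.
            if (matchedBinding != null && matchedBinding.equals(str3)) {
                matchedLocation = acs.getLocation();
                break;
            }
            if (acs.isIsDefault()) {
                defaultLocation = acs.getLocation();
                defaultBinding = acs.getBinding();
            }
            if (first) {
                firstLocation = acs.getLocation();
                firstBinding = acs.getBinding();
                first = false;
            }
        }
        // Preference order: exact binding match, then the default entry, then the first entry.
        if (matchedLocation != null && matchedLocation.length() != 0) {
            stringBuffer.append(matchedBinding);
            return matchedLocation;
        }
        if (defaultLocation != null && defaultLocation.length() != 0) {
            stringBuffer.append(defaultBinding);
            return defaultLocation;
        }
        if (firstLocation != null && firstLocation.length() != 0) {
            stringBuffer.append(firstBinding);
            return firstLocation;
        }
        SAML2Utils.debug.error("IDPSSOUtil.getACSurlFromMetaByBinding: Unable to get valid Assertion Consumer Service URL");
        return null;
    }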

    /**
     * Resolves the ACS location whose metadata index equals {@code i}, falling back to the SP's
     * default entry and then to its first entry when there is no match (or the match has an empty
     * location).
     *
     * @param str SP entity ID by call position — confirm
     * @param str2 realm by call position — confirm
     * @param i the ACS index requested (callers clamp it to 0..65535)
     * @param stringBuffer receives the binding of the entry actually chosen
     * @return the chosen location, or {@code null} (after logging) when nothing usable exists
     * @throws SAML2Exception propagated from the metadata lookup
     */
    public static String getACSurlFromMetaByIndex(String str, String str2, int i, StringBuffer stringBuffer) throws SAML2Exception {
        List acsEntries = getSPSSODescriptor(str2, str, "IDPSSOUtil.getACSurlFromMetaByIndex: ").getAssertionConsumerService();
        String matchedLocation = null;
        String matchedBinding = null;
        String defaultLocation = null;
        String defaultBinding = null;
        String firstLocation = null;
        String firstBinding = null;
        boolean first = true;
        for (Object entry : acsEntries) {
            AssertionConsumerServiceElement acs = (AssertionConsumerServiceElement) entry;
            if (acs.getIndex() == i) {
                matchedLocation = acs.getLocation();
                matchedBinding = acs.getBinding();
                break;
            }
            if (first) {
                firstLocation = acs.getLocation();
                firstBinding = acs.getBinding();
                first = false;
            }
            if (acs.isIsDefault()) {
                defaultLocation = acs.getLocation();
                defaultBinding = acs.getBinding();
            }
        }
        // Preference order: index match, then the default entry, then the first entry.
        String location = matchedLocation;
        String binding = matchedBinding;
        if (location == null || location.length() == 0) {
            location = defaultLocation;
            binding = defaultBinding;
        }
        if (location == null || location.length() == 0) {
            location = firstLocation;
            binding = firstBinding;
        }
        if (location == null || location.length() == 0) {
            SAML2Utils.debug.error("IDPSSOUtil.getACSurlFromMetaByIndex: Unable to get valid Assertion Consumer Service URL");
            return null;
        }
        stringBuffer.append(binding);
        return location;
    }

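    /**
     * Delivers a SAML2 {@code Response} to the service provider over the
     * HTTP-Artifact binding.
     *
     * <p>A fresh artifact is built from the hosted IDP's artifact resolution
     * service index, the Response is cached under that artifact in
     * {@code IDPCache.responsesByArtifacts} (and, when SAML2 failover is
     * enabled, persisted to the token repository for the lifetime computed by
     * {@link #getValidTimeofResponse}), and the artifact is then handed to the
     * SP either as a {@code SAMLart} query parameter on a redirect or in an
     * auto-submitted form, depending on the SP's
     * {@code RESPONSE_ARTIFACT_MESSAGE_ENCODING} extended-metadata setting.
     *
     * <p>Parameter names are the decompiler's; the roles below are inferred
     * from how each value is used and should be confirmed against the callers.
     *
     * @param httpServletRequest  current request
     * @param httpServletResponse response the redirect or form is written to
     * @param str                 presumably the hosted IDP entity ID (artifact source ID, audit logs)
     * @param str2                presumably the SP entity ID (used to read the SP's extended metadata)
     * @param str3                presumably the realm
     * @param str4                URL the artifact is delivered to; this method does not validate it
     *                            and relies on the caller having checked it against SP metadata
     * @param str5                RelayState to pass along, may be {@code null} or blank
     * @param response            Response to make available for artifact resolution
     * @param obj                 session object handed to the audit logger
     * @param map                 request properties handed to the audit logger
     * @throws SAML2Exception if the IDP SSO descriptor or its artifact resolution
     *                        service cannot be obtained from metadata
     */
    public static void sendResponseArtifact(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2, String str3, String str4, String str5, Response response, Object obj, Map map) throws SAML2Exception {
        IDPSSODescriptorElement idpDescriptor;
        try {
            idpDescriptor = metaManager.getIDPSSODescriptor(str3, str);
        } catch (SAML2MetaException e) {
            SAML2Utils.debug.error("IDPSSOUtil.sendResponseArtifact: Unable to get IDP SSO Descriptor from meta.", e);
            LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, new String[]{str}, obj, map);
            throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
        }
        if (idpDescriptor == null) {
            SAML2Utils.debug.error("IDPSSOUtil.sendResponseArtifact: Unable to get IDP SSO Descriptor from meta.");
            LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, new String[]{str}, obj, map);
            throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
        }
        // Fix: the original called get(0) before its null check, so a descriptor
        // with no ArtifactResolutionService raised IndexOutOfBoundsException
        // instead of the metadata error below.
        List arsList = idpDescriptor.getArtifactResolutionService();
        ArtifactResolutionServiceElement ars = (arsList == null || arsList.isEmpty())
                ? null
                : (ArtifactResolutionServiceElement) arsList.get(0);
        if (ars == null) {
            SAML2Utils.debug.error("IDPSSOUtil.sendResponseArtifact: Unable to get ArtifactResolutionServiceElement from meta.");
            LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, new String[]{str}, obj, map);
            throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
        }
        try {
            String artifactValue = ProtocolFactory.getInstance().createArtifact(null, ars.getIndex(), SAML2Utils.generateSourceID(str), SAML2Utils.generateMessageHandleWithServerID()).getArtifactValue();
            try {
                // The artifact is the lookup key the SP will present at resolution time.
                IDPCache.responsesByArtifacts.put(artifactValue, response);
                if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
                    try {
                        SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(artifactValue, response.toXMLString(true, true), getValidTimeofResponse(str3, str, response) / 1000);
                        if (SAML2Utils.debug.messageEnabled()) {
                            SAML2Utils.debug.message("IDPSSOUtil.sendResponseArtifact: Saved Response to SAML2 Token Repository using key " + artifactValue);
                        }
                    } catch (SAML2TokenRepositoryException e) {
                        // Best effort: the in-memory cache entry above still serves this server.
                        SAML2Utils.debug.error("IDPSSOUtil.sendResponseArtifact: Unable to save Response to the SAML2 Token Repository", e);
                    }
                }
                String messageEncoding = SAML2Utils.getAttributeValueFromSSOConfig(str3, str2, SAML2Constants.SP_ROLE, SAML2Constants.RESPONSE_ARTIFACT_MESSAGE_ENCODING);
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message("IDPSSOUtil.sendResponseArtifact: messageEncoding = " + messageEncoding);
                    SAML2Utils.debug.message("IDPSSOUtil.sendResponseArtifact: artStr = " + artifactValue);
                }
                boolean useFormEncoding = messageEncoding != null && messageEncoding.equals(SAML2Constants.FORM_ENCODING);
                if (!useFormEncoding) {
                    // Default: HTTP redirect with SAMLart (and RelayState) as query parameters.
                    String redirectUrl = str4 + (str4.contains("?") ? "&" : "?") + "SAMLart=" + URLEncDec.encode(artifactValue);
                    if (str5 != null && str5.trim().length() != 0) {
                        redirectUrl = redirectUrl + "&RelayState=" + URLEncDec.encode(str5);
                    }
                    if (SAML2Utils.debug.messageEnabled()) {
                        SAML2Utils.debug.message("IDPSSOUtil.sendResponseArtifact: Redirect URL = " + redirectUrl);
                    }
                    LogUtil.access(Level.INFO, LogUtil.SEND_ARTIFACT, new String[]{str, str3, redirectUrl}, obj, map);
                    httpServletResponse.sendRedirect(redirectUrl);
                } else {
                    // SP asked for form encoding: the artifact is POSTed to str4.
                    LogUtil.access(Level.INFO, LogUtil.SEND_ARTIFACT, new String[]{str, str3, str4}, obj, map);
                    SAML2Utils.postToTarget(httpServletRequest, httpServletResponse, "SAMLart", artifactValue, "RelayState", str5, str4);
                }
            } catch (IOException e2) {
                SAML2Utils.debug.error("IDPSSOUtil.sendResponseArtifact: Unable to send redirect: ", e2);
            }
        } catch (SAML2Exception e3) {
            // Covers artifact creation as well as any SAML2Exception raised while
            // computing the failover lifetime or posting the form (same span as before).
            SAML2Utils.debug.error("IDPSSOUtil.sendResponseArtifact: Unable to create artifact: ", e3);
            LogUtil.error(Level.INFO, LogUtil.CANNOT_CREATE_ARTIFACT, new String[]{str}, obj, map);
            SAMLUtils.sendError(httpServletRequest, httpServletResponse, IFSConstants.MAX_CACHING_TIME, "errorCreateArtifact", SAML2Utils.bundle.getString("errorCreateArtifact"));
        }
    }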

    /**
     * Writes a SAML2 {@code Response} to the client as a SOAP message carrying
     * an ECP {@code Response} header block.
     *
     * <p>On any failure the error is logged and an error page is sent via
     * {@code SAMLUtils.sendError}; nothing is thrown to the caller.
     *
     * @param httpServletRequest  current request
     * @param httpServletResponse response whose status and MIME headers are set
     * @param printWriter         writer the serialized SOAP message is printed to
     * @param str                 first audit-log field (decompiled name; role not visible here)
     * @param str2                second audit-log field (decompiled name; role not visible here)
     * @param str3                assertion consumer service URL placed in the ECP header
     * @param response            Response serialized into the SOAP body
     * @throws SAML2Exception declared for API compatibility; the body catches all exceptions itself
     */
    public static void sendResponseECP(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, PrintWriter printWriter, String str, String str2, String str3, Response response) throws SAML2Exception {
        ECPResponse ecpHeader = ECPFactory.getInstance().createECPResponse();
        ecpHeader.setMustUnderstand(Boolean.TRUE);
        ecpHeader.setActor("http://schemas.xmlsoap.org/soap/actor/next");
        ecpHeader.setAssertionConsumerServiceURL(str3);
        try {
            String headerXml = ecpHeader.toXMLString(true, true);
            String bodyXml = response.toXMLString(true, true);
            SOAPMessage soapMessage = SOAPCommunicator.getInstance().createSOAPMessage(headerXml, bodyXml, false);
            String[] logData = new String[]{str, str2, str3, ""};
            // The full message is only rendered into the audit record at FINE level.
            if (LogUtil.isAccessLoggable(Level.FINE)) {
                logData[3] = SOAPCommunicator.getInstance().soapMessageToString(soapMessage);
            }
            LogUtil.access(Level.INFO, LogUtil.SEND_ECP_RESPONSE, logData, null);
            if (soapMessage.saveRequired()) {
                soapMessage.saveChanges();
            }
            httpServletResponse.setStatus(200);
            SAML2Utils.putHeaders(soapMessage.getMimeHeaders(), httpServletResponse);
            ByteArrayOutputStream serialized = new ByteArrayOutputStream();
            soapMessage.writeTo(serialized);
            // NOTE(review): toString() here decodes with the platform default charset;
            // confirm it matches the charset the SOAP layer wrote with.
            printWriter.println(serialized.toString());
            printWriter.flush();
        } catch (Exception e) {
            SAML2Utils.debug.error("IDPSSOUtil.sendResponseECP", e);
            LogUtil.error(Level.INFO, LogUtil.SEND_ECP_RESPONSE_FAILED, new String[]{str, str2, str3}, null);
            SAMLUtils.sendError(httpServletRequest, httpServletResponse, IFSConstants.MAX_CACHING_TIME, "failedToSendECPResponse", e.getMessage());
        }
    }

    /**
     * Returns the IDP session index stored on the given session object.
     *
     * @param obj session object handed to the session provider; may be {@code null}
     * @return the first non-empty value of the {@code IDP_SESSION_INDEX} session
     *         property, or {@code null} when the session is {@code null}, the
     *         property is absent or empty, or the session provider fails
     */
    public static String getSessionIndex(Object obj) {
        if (obj == null) {
            return null;
        }
        String[] values = null;
        try {
            values = sessionProvider.getProperty(obj, SAML2Constants.IDP_SESSION_INDEX);
        } catch (SessionException e) {
            // Treated as "no session index"; the error is only logged.
            SAML2Utils.debug.error("IDPSSOUtil.getSessionIndex: error retrieving session index from the session: ", e);
        }
        if (values == null || values.length == 0) {
            return null;
        }
        String sessionIndex = values[0];
        if (sessionIndex == null || sessionIndex.length() == 0) {
            return null;
        }
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("IDPSSOUtil.getSessionIndex: Returning sessionIndex=" + sessionIndex);
        }
        return sessionIndex;
    }

    /**
     * Resolves the URL the user is sent to for authentication.
     *
     * <p>The configured {@code AUTH_URL} from the IDP SSO config wins; when it
     * is absent or blank the URL is assembled from the current request
     * (scheme, server name, port, deployment URI) plus {@code /UI/Login?realm=}.
     *
     * <p>NOTE(review): the fallback reflects {@code getServerName()} and
     * {@code getServerPort()}, which many containers derive from the request's
     * Host header; confirm the deployment canonicalizes the host, otherwise the
     * login redirect follows whatever host the client supplied.
     *
     * @param str                realm (appended as the {@code realm} query parameter)
     * @param str2               presumably the hosted IDP entity ID, used to look up the config
     * @param httpServletRequest request the fallback URL is derived from
     * @return the authentication service URL, never {@code null}
     */
    public static String getAuthenticationServiceURL(String str, String str2, HttpServletRequest httpServletRequest) {
        String authUrl = getAttributeValueFromIDPSSOConfig(str, str2, SAML2Constants.AUTH_URL);
        boolean configured = authUrl != null && authUrl.trim().length() != 0;
        if (!configured) {
            // Deployment URI = request URI up to (not including) its second "/";
            // the whole request URI when there is no second "/".
            String requestUri = httpServletRequest.getRequestURI();
            int secondSlash = requestUri.indexOf("/", requestUri.indexOf("/") + 1);
            String deploymentUri = secondSlash == -1 ? requestUri : requestUri.substring(0, secondSlash);
            authUrl = httpServletRequest.getScheme() + "://" + httpServletRequest.getServerName() + ":" + httpServletRequest.getServerPort() + deploymentUri + "/UI/Login?realm=" + str;
        }
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("IDPSSOUtil.getAuthenticationServiceURL: auth url=:" + authUrl);
        }
        return authUrl;
    }

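    /**
     * Reads the first value of a named attribute from the hosted IDP's SSO
     * (extended metadata) config.
     *
     * @param str  presumably the realm
     * @param str2 presumably the hosted IDP entity ID
     * @param str3 attribute name to look up
     * @return the first configured value, or {@code null} when the config,
     *         the attribute map, or the attribute is missing or empty, or
     *         when the metadata lookup fails (failure is logged at message level)
     */
    public static String getAttributeValueFromIDPSSOConfig(String str, String str2, String str3) {
        try {
            IDPSSOConfigElement config = metaManager.getIDPSSOConfig(str, str2);
            // Fix: guard the config and the attribute map before dereferencing;
            // the original passed a possibly-null config straight into getAttributes().
            if (config == null) {
                return null;
            }
            Map<String, List<String>> attributes = SAML2MetaUtils.getAttributes(config);
            List<String> values = attributes == null ? null : attributes.get(str3);
            if (values == null || values.isEmpty()) {
                return null;
            }
            return values.get(0);
        } catch (SAML2MetaException e) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("IDPSSOUtil.getAttributeValueFromIDPSSOConfig: get IDPSSOConfig failed:", e);
            }
            return null;
        }
    }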

    /**
     * Redirects the browser to the authentication service so the user can log
     * in, then come back to this request.
     *
     * <p>The login URL is {@link #getAuthenticationServiceURL} plus, in order:
     * the SP entity ID (when given), the authentication type/value parameters
     * from the IDP authn-context mapper (when any), and a {@code goto}
     * parameter holding the current request URL with {@code redirected=true}
     * and the request ID appended.
     *
     * <p>NOTE(review): the {@code goto} target is built from
     * {@code getRequestURL()}, which typically reflects the request's Host
     * header; confirm the container canonicalizes it.
     *
     * @param httpServletRequest  current request; its URL and query string form the goto target
     * @param httpServletResponse response the redirect is sent on
     * @param authnRequest        request passed to the authn-context mapper
     * @param str                 request ID appended as {@code ReqID}, or {@code null}
     * @param str2                presumably the realm
     * @param str3                presumably the hosted IDP entity ID
     * @param str4                SP entity ID appended as {@code SPENTITYID}, or {@code null}
     * @throws SAML2Exception from the authn-context mapper lookup
     * @throws IOException    if the redirect cannot be sent
     */
    static void redirectAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthnRequest authnRequest, String str, String str2, String str3, String str4) throws SAML2Exception, IOException {
        StringBuffer loginUrl = new StringBuffer(getAuthenticationServiceURL(str2, str3, httpServletRequest));
        if (str4 != null) {
            loginUrl.append(loginUrl.indexOf("?") == -1 ? "?" : "&");
            loginUrl.append(SAML2Constants.SPENTITYID).append("=").append(URLEncDec.encode(str4));
        }
        Set authnParams = getIDPAuthnContextMapper(str2, str3).getIDPAuthnContextInfo(authnRequest, str3, str2).getAuthnTypeAndValues();
        if (authnParams != null && !authnParams.isEmpty()) {
            // Join the mapper's "name=value" entries with "&", in iteration order.
            StringBuffer authQuery = new StringBuffer();
            boolean first = true;
            for (Iterator it = authnParams.iterator(); it.hasNext(); ) {
                if (!first) {
                    authQuery.append("&");
                }
                authQuery.append((String) it.next());
                first = false;
            }
            loginUrl.append(loginUrl.indexOf("?") == -1 ? "?" : "&");
            loginUrl.append(authQuery.toString());
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("IDPSSOUtil.redirectAuthentication: authString=" + authQuery.toString());
            }
        }
        loginUrl.append(loginUrl.indexOf("?") == -1 ? "?goto=" : "&goto=");
        String requestUrl = httpServletRequest.getRequestURL().toString();
        String query = httpServletRequest.getQueryString();
        String gotoUrl;
        if (query != null) {
            gotoUrl = requestUrl + "?" + query + "&" + REDIRECTED_TRUE;
        } else {
            gotoUrl = requestUrl + "?redirected=true";
        }
        if (str != null) {
            gotoUrl = gotoUrl + "&ReqID=" + str;
        }
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("IDPSSOUtil.redirectAuthentication: gotoURL=" + gotoUrl);
        }
        loginUrl.append(URLEncDec.encode(gotoUrl));
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("IDPSSOUtil.redirectAuthentication: New URL for authentication: " + loginUrl.toString());
        }
        httpServletResponse.sendRedirect(loginUrl.toString());
    }

    /**
     * Signs an assertion with the hosted IDP's signing key.
     *
     * <p>The private key is read from the key provider by the IDP's signing
     * certificate alias; when an encrypted-key password is configured it is
     * passed to the key provider (and is never logged here).
     *
     * @param str       presumably the realm
     * @param str2      presumably the hosted IDP entity ID
     * @param assertion assertion to sign in place
     * @throws SAML2Exception if no key provider is available or the IDP has no
     *                        signing certificate alias configured
     */
    static void signAssertion(String str, String str2, Assertion assertion) throws SAML2Exception {
        KeyProvider keyProvider = KeyUtil.getKeyProviderInstance();
        if (keyProvider == null) {
            SAML2Utils.debug.error("IDPSSOUtil.signAssertion: Unable to get a key provider instance.");
            throw new SAML2Exception(SAML2Utils.bundle.getString("nullKeyProvider"));
        }
        String alias = SAML2Utils.getSigningCertAlias(str, str2, SAML2Constants.IDP_ROLE);
        if (alias == null) {
            SAML2Utils.debug.error("IDPSSOUtil.signAssertion: Unable to get the hosted IDP signing certificate alias.");
            throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
        }
        String keyPass = SAML2Utils.getSigningCertEncryptedKeyPass(str, str2, SAML2Constants.IDP_ROLE);
        boolean keyPassConfigured = keyPass != null && !keyPass.isEmpty();
        if (keyPassConfigured) {
            assertion.sign(keyProvider.getPrivateKey(alias, keyPass), keyProvider.getX509Certificate(alias));
        } else {
            assertion.sign(keyProvider.getPrivateKey(alias), keyProvider.getX509Certificate(alias));
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Applies the SP's encryption requirements to the first assertion of a
     * Response and optionally signs it.
     *
     * <p>Which elements are encrypted is driven by the SP's extended metadata:
     * {@code WANT_ASSERTION_ENCRYPTED} encrypts the whole assertion (in which
     * case the NameID/attribute flags are not consulted), otherwise
     * {@code WANT_NAMEID_ENCRYPTED} and {@code WANT_ATTRIBUTE_ENCRYPTED} are
     * applied individually. Ordering matters for the signature: a whole
     * assertion is signed first and then encrypted, while NameID/attribute
     * encryption happens first and the assertion is signed afterwards so the
     * signature covers the encrypted elements.
     *
     * <p>Only the first assertion in the Response is processed; the Response's
     * assertion list is replaced with just that one (or emptied when the
     * assertion itself is encrypted), so any further assertions are dropped.
     *
     * @param str      presumably the realm
     * @param str2     presumably the SP entity ID (used for the SP config lookup and as encryption recipient)
     * @param str3     presumably the hosted IDP entity ID (used for signing)
     * @param response Response to modify in place; ignored when {@code null} or without assertions
     * @param z        whether to sign the assertion
     * @throws SAML2Exception if the SP's encryption key info cannot be found or any
     *                        encryption step returns {@code null}
     */
    public static void signAndEncryptResponseComponents(String str, String str2, String str3, Response response, boolean z) throws SAML2Exception {
        List assertion;
        List<AttributeStatement> attributeStatements;
        NameID nameID;
        // z2: encrypt the NameID; z3: encrypt attributes; z4: encrypt the whole assertion.
        boolean z2 = false;
        boolean z3 = false;
        if (response == null || (assertion = response.getAssertion()) == null || assertion.size() == 0) {
            return;
        }
        Assertion assertion2 = (Assertion) assertion.get(0);
        String attributeValueFromSSOConfig = SAML2Utils.getAttributeValueFromSSOConfig(str, str2, SAML2Constants.SP_ROLE, SAML2Constants.WANT_ASSERTION_ENCRYPTED);
        boolean z4 = attributeValueFromSSOConfig != null && attributeValueFromSSOConfig.equals("true");
        if (!z4) {
            // The finer-grained flags only matter when the whole assertion is not encrypted.
            String attributeValueFromSSOConfig2 = SAML2Utils.getAttributeValueFromSSOConfig(str, str2, SAML2Constants.SP_ROLE, SAML2Constants.WANT_NAMEID_ENCRYPTED);
            z2 = attributeValueFromSSOConfig2 != null && attributeValueFromSSOConfig2.equals("true");
            String attributeValueFromSSOConfig3 = SAML2Utils.getAttributeValueFromSSOConfig(str, str2, SAML2Constants.SP_ROLE, SAML2Constants.WANT_ATTRIBUTE_ENCRYPTED);
            z3 = attributeValueFromSSOConfig3 != null && attributeValueFromSSOConfig3.equals("true");
        }
        if (!z4 && !z2 && !z3) {
            // Nothing to encrypt: sign if requested and keep only the first assertion.
            if (z) {
                signAssertion(str, str3, assertion2);
                ArrayList arrayList = new ArrayList();
                arrayList.add(assertion2);
                response.setAssertion(arrayList);
                return;
            }
            return;
        }
        // Encryption key info (wrapping key, algorithm, strength) comes from the SP's descriptor.
        EncInfo encInfo = KeyUtil.getEncInfo(getSPSSODescriptor(str, str2, "IDPSSOUtil.signAndEncryptResponseComponents: "), str2, SAML2Constants.SP_ROLE);
        if (encInfo == null) {
            SAML2Utils.debug.error("IDPSSOUtil.signAndEncryptResponseComponents: failed to get service provider encryption key info.");
            throw new SAML2Exception(SAML2Utils.bundle.getString("UnableToFindEncryptKeyInfo"));
        }
        if (z4) {
            // Sign-then-encrypt: the signature is inside the EncryptedAssertion.
            if (z) {
                signAssertion(str, str3, assertion2);
            }
            EncryptedAssertion encrypt = assertion2.encrypt(encInfo.getWrappingKey(), encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength(), str2);
            if (encrypt == null) {
                SAML2Utils.debug.error("IDPSSOUtil.signAndEncryptResponseComponents: failed to encrypt the assertion.");
                throw new SAML2Exception(SAML2Utils.bundle.getString("FailedToEncryptAssertion"));
            }
            ArrayList arrayList2 = new ArrayList();
            arrayList2.add(encrypt);
            response.setEncryptedAssertion(arrayList2);
            // The plaintext assertion must not remain alongside the encrypted one.
            response.setAssertion(new ArrayList());
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("IDPSSOUtil.signAndEncryptResponseComponents: Assertion encrypted.");
                return;
            }
            return;
        }
        if (z2) {
            Subject subject = assertion2.getSubject();
            // Note: a missing Subject/NameID returns without signing or encrypting attributes.
            if (subject == null || (nameID = subject.getNameID()) == null) {
                return;
            }
            EncryptedID encrypt2 = nameID.encrypt(encInfo.getWrappingKey(), encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength(), str2);
            if (encrypt2 == null) {
                SAML2Utils.debug.error("IDPSSOUtil.signAndEncryptResponseComponents: failed to encrypt the NameID.");
                throw new SAML2Exception(SAML2Utils.bundle.getString("FailedToEncryptNameID"));
            }
            // Replace the plaintext NameID with its EncryptedID.
            subject.setEncryptedID(encrypt2);
            subject.setNameID(null);
            assertion2.setSubject(subject);
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("IDPSSOUtil.signAndEncryptResponseComponents: NameID encrypted.");
            }
        }
        if (z3 && (attributeStatements = assertion2.getAttributeStatements()) != null && attributeStatements.size() > 0) {
            int size = attributeStatements.size();
            ArrayList arrayList3 = new ArrayList();
            for (int i = 0; i < size; i++) {
                AttributeStatement attributeStatement = attributeStatements.get(i);
                List<Attribute> attribute = attributeStatement.getAttribute();
                // Statements with no attributes are dropped from the rebuilt list.
                if (attribute != null && attribute.size() != 0) {
                    int size2 = attribute.size();
                    ArrayList arrayList4 = new ArrayList();
                    for (int i2 = 0; i2 < size2; i2++) {
                        EncryptedAttribute encrypt3 = attribute.get(i2).encrypt(encInfo.getWrappingKey(), encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength(), str2);
                        if (encrypt3 == null) {
                            SAML2Utils.debug.error("IDPSSOUtil.signAndEncryptResponseComponents: failed to encrypt the Attribute.");
                            throw new SAML2Exception(SAML2Utils.bundle.getString("FailedToEncryptAttribute"));
                        }
                        arrayList4.add(encrypt3);
                    }
                    // Replace plaintext attributes with their encrypted forms.
                    attributeStatement.setEncryptedAttribute(arrayList4);
                    attributeStatement.setAttribute(new ArrayList());
                    arrayList3.add(attributeStatement);
                }
            }
            assertion2.setAttributeStatements(arrayList3);
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("IDPSSOUtil.signAndEncryptResponseComponents: Attribute encrypted.");
            }
        }
        // Sign after element-level encryption so the signature covers the encrypted content.
        if (z) {
            signAssertion(str, str3, assertion2);
        }
        ArrayList arrayList5 = new ArrayList();
        arrayList5.add(assertion2);
        response.setAssertion(arrayList5);
    }

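    /**
     * Finds the SAML2 writer service URL of a circle of trust shared by the
     * hosted IDP and the remote SP.
     *
     * <p>Both entities' {@code cotlist} config attributes are intersected and
     * the circles are tried in order until one yields a non-blank writer URL.
     *
     * @param str  presumably the realm
     * @param str2 presumably the hosted IDP entity ID
     * @param str3 presumably the SP entity ID
     * @return the first non-blank writer URL found, the last value looked up
     *         when none was non-blank, or {@code null} when either entity has
     *         no {@code cotlist} or a lookup fails (failures are logged at message level)
     */
    private static String getWriterURL(String str, String str2, String str3) {
        String writerUrl = null;
        // Fix: the decompiled try covered only the IDP lookup, leaving the attribute
        // map possibly unassigned and the SP/COT lookups' checked exceptions unhandled;
        // the whole resolution now shares the catch blocks.
        try {
            IDPSSOConfigElement idpConfig = metaManager.getIDPSSOConfig(str, str2);
            Map<String, List<String>> idpAttrs = idpConfig != null ? SAML2MetaUtils.getAttributes(idpConfig) : null;
            List<String> idpCots = (idpAttrs == null || idpAttrs.isEmpty()) ? null : idpAttrs.get("cotlist");
            if (idpCots == null || idpCots.isEmpty()) {
                return null;
            }
            SPSSOConfigElement spConfig = metaManager.getSPSSOConfig(str, str3);
            Map<String, List<String>> spAttrs = spConfig != null ? SAML2MetaUtils.getAttributes(spConfig) : null;
            List<String> spCots = (spAttrs == null || spAttrs.isEmpty()) ? null : spAttrs.get("cotlist");
            if (spCots == null || spCots.isEmpty()) {
                return null;
            }
            // Fix: intersect on a copy; retainAll() on the list returned by the
            // metadata layer mutated what may be a shared/cached object.
            List<String> sharedCots = new ArrayList<String>(idpCots);
            sharedCots.retainAll(spCots);
            for (String cotName : sharedCots) {
                writerUrl = cotManager.getCircleOfTrust(str, cotName).getSAML2WriterServiceURL();
                if (writerUrl != null && writerUrl.trim().length() != 0) {
                    break;
                }
            }
        } catch (COTException e) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("IDPSSOUtil.getWriterURL: Error retreiving of circle of trust", e);
            }
        } catch (SAML2Exception e2) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("IDPSSOUtil.getWriterURL: Not able to getting writer URL : ", e2);
            }
        } catch (Exception e3) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("IDPSSOUtil.getWriterURL: Not able to getting writer URL : ", e3);
            }
        }
        return writerUrl;
    }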

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Returns the configured assertion effective time for the hosted IDP.
     *
     * @param str  presumably the realm
     * @param str2 presumably the hosted IDP entity ID
     * @return the parsed {@code ASSERTION_EFFECTIVE_TIME_ATTRIBUTE} value, or
     *         600 when it is unset or not an integer (units are not stated
     *         here; the default suggests seconds — confirm against callers)
     */
    public static int getEffectiveTime(String str, String str2) {
        String configured = getAttributeValueFromIDPSSOConfig(str, str2, SAML2Constants.ASSERTION_EFFECTIVE_TIME_ATTRIBUTE);
        if (configured == null) {
            return 600;
        }
        try {
            int effectiveTime = Integer.parseInt(configured);
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("IDPSSOUtil.getEffectiveTime: got effective time from config:" + effectiveTime);
            }
            return effectiveTime;
        } catch (NumberFormatException e) {
            SAML2Utils.debug.error("IDPSSOUtil.getEffectiveTime: Failed to get assertion effective time from IDP SSO config: ", e);
            return 600;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Returns the configured NotBefore skew for the hosted IDP's assertions.
     *
     * @param str  presumably the realm
     * @param str2 presumably the hosted IDP entity ID
     * @return the parsed {@code ASSERTION_NOTBEFORE_SKEW_ATTRIBUTE} value, or
     *         600 when it is unset or not an integer
     */
    public static int getNotBeforeSkewTime(String str, String str2) {
        int skew = 600;
        String configured = getAttributeValueFromIDPSSOConfig(str, str2, SAML2Constants.ASSERTION_NOTBEFORE_SKEW_ATTRIBUTE);
        if (configured != null) {
            try {
                skew = Integer.parseInt(configured);
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message("IDPSSOUtil.getNotBeforeSkewTime:got NotBefore skew time from config:" + skew);
                }
            } catch (NumberFormatException e) {
                // Unparseable config falls back to the default.
                SAML2Utils.debug.error("IDPSSOUtil.getNotBeforeSkewTime:IDP SSO config: ", e);
                skew = 600;
            }
        }
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("IDPSSOUtil.getNotBeforeSkewTime:NotBefore Skew time :" + skew);
        }
        return skew;
    }

    /**
     * Tells whether assertion caching is switched on in the hosted IDP's config.
     *
     * @param str  presumably the realm
     * @param str2 presumably the hosted IDP entity ID
     * @return {@code true} only when {@code ASSERTION_CACHE_ENABLED} is set to
     *         "true" (case-insensitive); {@code false} when unset
     */
    private static boolean assertionCacheEnabled(String str, String str2) {
        String flag = SAML2Utils.getAttributeValueFromSSOConfig(str, str2, SAML2Constants.IDP_ROLE, SAML2Constants.ASSERTION_CACHE_ENABLED);
        return flag != null && flag.equalsIgnoreCase("true");
    }

    /**
     * Converts a string to bytes by truncating each UTF-16 char to its low 8 bits.
     *
     * <p>This is not a charset encoding: characters above U+00FF lose their
     * high byte. Callers that need round-trippable bytes should encode with an
     * explicit charset instead.
     *
     * @param str string to convert; must not be {@code null}
     * @return one byte per char, same length as {@code str}
     */
    public static byte[] stringToByteArray(String str) {
        int length = str.length();
        byte[] out = new byte[length];
        for (int i = 0; i < length; i++) {
            out[i] = (byte) str.charAt(i);
        }
        return out;
    }

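    /**
     * Computes how long (epoch milliseconds) a Response stays valid, for use as
     * the lifetime of its cached/persisted copy.
     *
     * <p>A configurable skew ({@code ASSERTION_TIME_SKEW}, default 300) is added
     * in seconds. With no assertion present the result is "now" plus the
     * effective time plus the skew; otherwise it is the first assertion's
     * {@code NotOnOrAfter} plus the skew, which must still lie in the future.
     *
     * @param str      presumably the realm
     * @param str2     presumably the hosted IDP entity ID
     * @param response Response whose first assertion's conditions are inspected
     * @return validity end in epoch milliseconds
     * @throws SAML2Exception if the first assertion has no Conditions, no
     *                        NotOnOrAfter, or its NotOnOrAfter (plus skew) is already past
     */
    public static long getValidTimeofResponse(String str, String str2, Response response) throws SAML2Exception {
        int skewSeconds = 300;
        String configured = getAttributeValueFromIDPSSOConfig(str, str2, SAML2Constants.ASSERTION_TIME_SKEW);
        if (configured != null && configured.trim().length() > 0) {
            // Fix: an unparseable value no longer escapes as NumberFormatException;
            // it falls back to the default like getEffectiveTime() does.
            try {
                skewSeconds = Integer.parseInt(configured.trim());
            } catch (NumberFormatException e) {
                SAML2Utils.debug.error("IDPSSOUtil.getValidTimeofResponse: invalid assertion time skew in IDP SSO config: ", e);
                skewSeconds = 300;
            }
            if (skewSeconds < 0) {
                skewSeconds = 300;
            }
        }
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("timeskew = " + skewSeconds);
        }
        // Scale in long arithmetic so a large configured skew cannot overflow int.
        long skewMillis = skewSeconds * 1000L;
        List assertions = response.getAssertion();
        if (assertions == null || assertions.isEmpty()) {
            // NOTE(review): getEffectiveTime() is added unscaled while the skew is
            // scaled to milliseconds; whether that is intended is not established
            // by this file — confirm the effective-time units before changing it.
            return Time.currentTimeMillis() + getEffectiveTime(str, str2) + skewMillis;
        }
        Conditions conditions = ((Assertion) assertions.get(0)).getConditions();
        if (conditions == null) {
            throw new SAML2Exception("nullConditions");
        }
        Date notOnOrAfter = conditions.getNotOnOrAfter();
        // Fix: the original called notOnOrAfter.getTime() before its null check.
        if (notOnOrAfter != null) {
            long validUntil = notOnOrAfter.getTime() + skewMillis;
            if (validUntil >= Time.currentTimeMillis()) {
                return validUntil;
            }
        }
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("Time in Assertion  is invalid.");
        }
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidTimeOnResponse"));
    }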

    /**
     * Signs a Response with the hosted IDP's signing key.
     *
     * <p>Same key resolution as {@code signAssertion}: key provider, IDP signing
     * certificate alias, optional encrypted-key password (never logged).
     *
     * @param str      presumably the realm
     * @param str2     presumably the hosted IDP entity ID
     * @param response Response to sign in place
     * @throws SAML2Exception if no key provider is available or no signing
     *                        certificate alias is configured
     */
    private static void signResponse(String str, String str2, Response response) throws SAML2Exception {
        KeyProvider keyProvider = KeyUtil.getKeyProviderInstance();
        if (keyProvider == null) {
            SAML2Utils.debug.error("IDPSSOUtil:signResponseUnable to get a key provider instance.");
            throw new SAML2Exception(SAML2Utils.bundle.getString("nullKeyProvider"));
        }
        String alias = SAML2Utils.getSigningCertAlias(str, str2, SAML2Constants.IDP_ROLE);
        if (alias == null) {
            SAML2Utils.debug.error("IDPSSOUtil:signResponseUnable to get the hosted IDP signing certificate alias.");
            throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
        }
        String keyPass = SAML2Utils.getSigningCertEncryptedKeyPass(str, str2, SAML2Constants.IDP_ROLE);
        boolean keyPassConfigured = keyPass != null && !keyPass.isEmpty();
        if (keyPassConfigured) {
            response.sign(keyProvider.getPrivateKey(alias, keyPass), keyProvider.getX509Certificate(alias));
        } else {
            response.sign(keyProvider.getPrivateKey(alias), keyProvider.getX509Certificate(alias));
        }
    }

    /**
     * Looks up the configured IDP adapter; delegates to
     * {@code SAML2Utils.getIDPAdapterClass}.
     *
     * @param str  first lookup argument (decompiled name; presumably the realm)
     * @param str2 second lookup argument (decompiled name; presumably the IDP entity ID)
     * @return whatever the delegate returns
     * @throws SAML2Exception propagated from the delegate
     */
    public static SAML2IdentityProviderAdapter getIDPAdapterClass(String str, String str2) throws SAML2Exception {
        SAML2IdentityProviderAdapter adapter = SAML2Utils.getIDPAdapterClass(str, str2);
        return adapter;
    }

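    /**
     * Checks that an assertion consumer service URL appears in the SP's
     * metadata, so the IDP only ever sends responses to endpoints the SP
     * registered.
     *
     * <p>NOTE(review): the comparison is {@code equalsIgnoreCase} over the whole
     * URL. Scheme and host are case-insensitive, but path and query generally
     * are not; a normalized or exact comparison would be stricter.
     *
     * @param str  ACS URL to check
     * @param str2 presumably the SP entity ID
     * @param str3 presumably the realm
     * @return {@code true} if some AssertionConsumerService location matches
     * @throws SAML2Exception if the SP descriptor cannot be read from metadata
     */
    private static boolean isACSurlValidInMetadataSP(String str, String str2, String str3) throws SAML2Exception {
        List acsList = getSPSSODescriptor(str3, str2, "IDPSSOUtil.isACSurlValidInMetadataSP: ").getAssertionConsumerService();
        // Fix: a descriptor without ACS entries, or an entry without a location,
        // previously raised NullPointerException instead of "not found".
        if (acsList == null) {
            return false;
        }
        for (Object element : acsList) {
            String location = ((AssertionConsumerServiceElement) element).getLocation();
            if (location != null && location.equalsIgnoreCase(str)) {
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message("IDPSSOUtil.isACSurlValidInMetadataSP:  acsURL=" + str + "Found in the metadata");
                }
                return true;
            }
        }
        return false;
    }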

    /**
     * Reads the SP's {@code WantAssertionsSigned} flag from its metadata descriptor.
     *
     * @param str  realm
     * @param str2 SP entity ID
     * @return the descriptor's {@code isWantAssertionsSigned()} value
     * @throws SAML2Exception if the SP descriptor cannot be read from metadata
     */
    private static boolean wantAssertionsSigned(String str, String str2) throws SAML2Exception {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("IPDSSOUtil:wantAssertionsSigned : : realm - " + str + "/: spEntityID - " + str2);
        }
        SPSSODescriptorElement spDescriptor = getSPSSODescriptor(str2, str, "IPDSSOUtil:wantAssertionsSigned : ");
        return spDescriptor.isWantAssertionsSigned();
    }

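    /**
     * Fetches the SP's SSO descriptor from metadata, turning every failure mode
     * into a {@code SAML2Exception} so callers only handle one error path.
     *
     * @param str  presumably the realm
     * @param str2 presumably the SP entity ID (also used in the audit record)
     * @param str3 log-message prefix naming the caller
     * @return the descriptor, never {@code null}
     * @throws SAML2Exception if the meta manager is unavailable, the lookup
     *                        fails, or no descriptor exists
     */
    private static SPSSODescriptorElement getSPSSODescriptor(String str, String str2, String str3) throws SAML2Exception {
        if (metaManager == null) {
            SAML2Utils.debug.error(str3 + "Unable to get meta manager.");
            throw new SAML2Exception(SAML2Utils.bundle.getString("errorMetaManager"));
        }
        SPSSODescriptorElement descriptor;
        try {
            descriptor = metaManager.getSPSSODescriptor(str, str2);
        } catch (SAML2MetaException e) {
            // Fix: log the cause; it was discarded before and the message wrongly
            // described the failure as a null descriptor.
            SAML2Utils.debug.error(str3 + "Unable to get SP SSO Descriptor from metadata.", e);
            LogUtil.error(Level.INFO, LogUtil.SP_METADATA_ERROR, new String[]{str2}, null);
            throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
        }
        if (descriptor == null) {
            SAML2Utils.debug.error(str3 + "Unable to get SP SSO Descriptor from metadata, descriptor is null.");
            LogUtil.error(Level.INFO, LogUtil.SP_METADATA_ERROR, new String[]{str2}, null);
            throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
        }
        return descriptor;
    }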

    /**
     * Checks that a session belongs to the given realm.
     *
     * @param str realm of the hosted IDP
     * @param obj session object; its {@code ORGANIZATION} property is compared
     * @return {@code true} only when the session's realm equals {@code str}
     *         (case-insensitive); {@code false} when the property is missing,
     *         empty, differs, or cannot be read
     */
    public static boolean isValidSessionInRealm(String str, Object obj) {
        try {
            String sessionRealm = SAML2Utils.getSingleValuedSessionProperty(obj, SAML2Constants.ORGANIZATION);
            if (sessionRealm == null || sessionRealm.isEmpty()) {
                return false;
            }
            if (str.equalsIgnoreCase(sessionRealm)) {
                return true;
            }
            if (SAML2Utils.debug.warningEnabled()) {
                SAML2Utils.debug.warning("IDPSSOUtil.isValidSessionInRealm: Invalid realm for the session:" + sessionRealm + ", while the realm of the IdP is:" + str);
            }
            return false;
        } catch (SessionException e) {
            // Unreadable session state is treated as not valid for this realm.
            SAML2Utils.debug.error("IDPSSOUtil.isValidSessionInRealm: Could not retrieve the session information", e);
            return false;
        }
    }

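    /**
     * Collects the AuthenticatingAuthority values from every AuthnStatement of
     * an assertion, in statement order.
     *
     * @param assertion assertion to read; must not be {@code null}
     * @return a new mutable list, empty when there are no statements or none
     *         carries authenticating authorities
     */
    private static List<String> extractAuthenticatingAuthorities(Assertion assertion) {
        List<String> authorities = new ArrayList<String>();
        List<AuthnStatement> statements = assertion.getAuthnStatements();
        if (statements == null) {
            return authorities;
        }
        for (AuthnStatement statement : statements) {
            // Fix: a statement without an AuthnContext previously raised
            // NullPointerException; it is now skipped.
            if (statement == null) {
                continue;
            }
            AuthnContext context = statement.getAuthnContext();
            if (context == null) {
                continue;
            }
            List<String> authority = context.getAuthenticatingAuthority();
            if (authority != null) {
                authorities.addAll(authority);
            }
        }
        return authorities;
    }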

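    /*
     * Class initializer: wires the metadata manager, circle-of-trust manager,
     * session provider and monitoring hooks. Each failure is logged and leaves
     * the corresponding field null, so callers must tolerate a null manager
     * (getSPSSODescriptor does; others dereference them directly).
     */
    static {
        metaManager = null;
        cotManager = null;
        sessionProvider = null;
        try {
            metaManager = new SAML2MetaManager();
            cotManager = new CircleOfTrustManager();
        } catch (COTException e) {
            // Fix: the cause was dropped from this log entry; keep it so an
            // unavailable circle-of-trust manager is diagnosable.
            SAML2Utils.debug.error("Error retrieving circle of trust", e);
        } catch (SAML2MetaException e2) {
            SAML2Utils.debug.error("Error retrieving metadata", e2);
        }
        try {
            sessionProvider = SessionManager.getProvider();
        } catch (SessionException e3) {
            SAML2Utils.debug.error("IDPSSOUtil static block: Error getting SessionProvider.", e3);
        }
        agent = MonitorManager.getAgent();
        saml2Svc = MonitorManager.getSAML2Svc();
    }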
}
