package com.sun.identity.saml2.soapbinding;

import com.sun.identity.federation.common.IFSConstants;
import com.sun.identity.saml.common.SAMLUtils;
import com.sun.identity.saml.xmlsig.KeyProvider;
import com.sun.identity.saml2.assertion.Assertion;
import com.sun.identity.saml2.assertion.AssertionFactory;
import com.sun.identity.saml2.assertion.EncryptedAssertion;
import com.sun.identity.saml2.assertion.Issuer;
import com.sun.identity.saml2.common.SAML2Constants;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.common.SAML2SDKUtils;
import com.sun.identity.saml2.common.SAML2Utils;
import com.sun.identity.saml2.common.SOAPCommunicator;
import com.sun.identity.saml2.jaxb.metadata.XACMLAuthzDecisionQueryDescriptorElement;
import com.sun.identity.saml2.key.EncInfo;
import com.sun.identity.saml2.key.KeyUtil;
import com.sun.identity.saml2.logging.LogUtil;
import com.sun.identity.saml2.meta.SAML2MetaException;
import com.sun.identity.saml2.meta.SAML2MetaUtils;
import com.sun.identity.saml2.protocol.RequestAbstract;
import com.sun.identity.saml2.protocol.Response;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.shared.xml.XMLUtils;
import com.sun.identity.xacml.context.ContextFactory;
import com.sun.identity.xacml.saml2.XACMLAuthzDecisionQuery;
import java.io.IOException;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Set;
import java.util.logging.Level;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPMessage;
import org.forgerock.openam.utils.Time;
import org.w3c.dom.Element;

/* loaded from: input_file:com/sun/identity/saml2/soapbinding/QueryHandlerServlet.class */
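/**
 * SOAP endpoint of the hosted SAML2 Policy Decision Point (PDP).
 *
 * <p>A Policy Enforcement Point (PEP) POSTs a SOAP envelope whose body carries a
 * {@code samlp:RequestAbstract} typed (via {@code xsi:type}) as an
 * {@code XACMLAuthzDecisionQuery}. The servlet:
 * <ol>
 *   <li>resolves realm and PDP entity ID from the {@code /metaAlias...} part of the URL,</li>
 *   <li>checks that the query's {@code Issuer} is a PEP trusted by this PDP (metadata lookup),</li>
 *   <li>verifies the query signature against the PEP's metadata certificates when the PDP
 *       is configured to require signed queries,</li>
 *   <li>delegates the decision to the {@link RequestHandler} registered for the meta alias,</li>
 *   <li>signs and/or encrypts the returned assertion and signs the response as the PEP's
 *       metadata / extended config demand, and writes it back as a SOAP message.</li>
 * </ol>
 *
 * <p>Security notes for deployers (grounded in the checks below):
 * <ul>
 *   <li>The trust decision is keyed on the {@code Issuer} value supplied in the request. That
 *       value is only authenticated when {@code wantXACMLAuthzDecisionQuerySigned} is enabled
 *       for the PDP; with it disabled any sender can name a trusted PEP as issuer.</li>
 *   <li>Signature verification uses the certificates from the PEP's metadata, never a
 *       certificate embedded in the request.</li>
 *   <li>Only POST is handled; other methods fall through to {@link HttpServlet}'s defaults.</li>
 * </ul>
 */
public class QueryHandlerServlet extends HttpServlet {
    static final String REQUEST_ABSTRACT = "RequestAbstract";
    static final String XSI_TYPE_ATTR = "xsi:type";
    static final String XACML_AUTHZ_QUERY = "XACMLAuthzDecisionQuery";
    static final String METAALIAS_KEY = "/metaAlias";
    static Debug debug = Debug.getInstance(SAML2SDKUtils.BUNDLE_NAME);

    /** No servlet-scoped state: everything is resolved per request from SAML2 metadata. */
    public void init() throws ServletException {
    }

    /**
     * Entry point for SOAP requests; all work happens in {@link #processRequest}.
     *
     * @param httpServletRequest  the incoming POST carrying the SOAP envelope
     * @param httpServletResponse the response the SOAP reply (or fault) is written to
     */
    public void doPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse)
            throws ServletException, IOException {
        processRequest(httpServletRequest, httpServletResponse);
    }

    /**
     * Parses the SOAP envelope, dispatches it through {@link #onMessage} and writes the reply.
     *
     * <p>{@link SOAPException} and {@link SAML2Exception} are converted into an error page via
     * {@link SAMLUtils#sendError}; any other runtime failure propagates to the container.
     *
     * @param httpServletRequest  the incoming request; its body size is checked before parsing
     * @param httpServletResponse the response to write to
     * @throws ServletException never thrown directly; declared for the servlet contract
     * @throws IOException      if writing the reply fails
     */
    private void processRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse)
            throws ServletException, IOException {
        try {
            // Reject oversized bodies before any XML parsing is attempted (resource-exhaustion guard).
            SAMLUtils.checkHTTPContentLength(httpServletRequest);

            String requestURI = httpServletRequest.getRequestURI();
            String metaAlias = SAML2MetaUtils.getMetaAliasByUri(requestURI);
            if (debug.messageEnabled()) {
                debug.message("QueryHandlerServlet:processRequestqueryMetaAlias is :" + metaAlias);
            }
            // Realm and hosted PDP entity ID are derived from the URL, not from the request body.
            String pdpEntityID = SAML2Utils.getSAML2MetaManager().getEntityByMetaAlias(metaAlias);
            String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
            if (debug.messageEnabled()) {
                debug.message("QueryHandlerServlet:processRequesturi : " + requestURI + ",queryMetaAlias="
                        + metaAlias + ", pdpEntityID=" + pdpEntityID);
            }

            SOAPMessage soapMessage = SOAPCommunicator.getInstance().getSOAPMessage(httpServletRequest);
            // Extracting the body here surfaces a malformed envelope before dispatch; the element
            // itself is only used for the debug trace (which dumps the full query at message level).
            Element soapBody = SOAPCommunicator.getInstance().getSOAPBody(soapMessage);
            if (debug.messageEnabled()) {
                debug.message("QueryHandlerServlet:processRequestSOAPMessage received.:" + XMLUtils.print(soapBody));
            }

            SOAPMessage reply = onMessage(soapMessage, httpServletRequest, httpServletResponse, realm, pdpEntityID);
            if (reply != null) {
                if (reply.saveRequired()) {
                    reply.saveChanges();
                }
                httpServletResponse.setStatus(HttpServletResponse.SC_OK);
                SAML2Utils.putHeaders(reply.getMimeHeaders(), httpServletResponse);
            } else {
                // onMessage() returns either a response or a SOAP fault, so this branch is defensive.
                // NOTE(review): 204 forbids a response body, yet a fault is written below; SOAP faults
                // are conventionally carried on HTTP 500. Kept as-is to preserve observable behaviour.
                debug.error("QueryHandlerServlet:processRequestSOAPMessage is null");
                httpServletResponse.setStatus(HttpServletResponse.SC_NO_CONTENT);
                reply = SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.SERVER_FAULT, "invalidQuery", null);
            }

            ServletOutputStream out = httpServletResponse.getOutputStream();
            reply.writeTo(out);
            out.flush();
        } catch (SOAPException e) {
            debug.error("QueryHandlerServlet:processRequest", e);
            SAMLUtils.sendError(httpServletRequest, httpServletResponse, IFSConstants.MAX_CACHING_TIME,
                    "failedToProcessRequest", e.getMessage());
        } catch (SAML2Exception e) {
            debug.error("QueryHandlerServlet:processRequest", (Throwable) e);
            SAMLUtils.sendError(httpServletRequest, httpServletResponse, IFSConstants.MAX_CACHING_TIME,
                    "failedToProcessRequest", e.getMessage());
        }
    }

    /**
     * Turns the SOAP request into a SOAP reply.
     *
     * <p>Any {@link SAML2Exception} raised while processing (untrusted issuer, bad signature,
     * missing handler, signing/encryption failure) becomes a SOAP fault whose detail is the
     * exception message. A request that is not an {@code XACMLAuthzDecisionQuery} also yields a
     * fault rather than a {@code NullPointerException} (the original dereferenced the null result).
     *
     * @param sOAPMessage         the parsed request envelope
     * @param httpServletRequest  the HTTP request (used for the path carrying the meta alias)
     * @param httpServletResponse the HTTP response (unused here; passed through)
     * @param str                 realm of the hosted PDP
     * @param str2                entity ID of the hosted PDP
     * @return a SOAP message holding the SAML {@code Response}, or a SOAP fault
     * @throws SOAPException if the reply envelope cannot be built
     */
    public SOAPMessage onMessage(SOAPMessage sOAPMessage, HttpServletRequest httpServletRequest,
            HttpServletResponse httpServletResponse, String str, String str2) throws SOAPException {
        try {
            Element soapBody = SOAPCommunicator.getInstance().getSOAPBody(sOAPMessage);
            if (debug.messageEnabled()) {
                debug.message("QueryHandlerServlet:onMessage:SOAPMessage recd. :" + XMLUtils.print(soapBody));
            }
            Element requestElement = SOAPCommunicator.getInstance().getSamlpElement(sOAPMessage, REQUEST_ABSTRACT);
            Response samlResponse = processSAMLRequest(str, str2, requestElement, httpServletRequest, sOAPMessage);
            if (samlResponse == null) {
                // No RequestAbstract, or one that is not an XACMLAuthzDecisionQuery: report it as a
                // fault instead of letting a NullPointerException escape to the container.
                debug.error("QueryHandlerServlet:onMessage:request is not an XACMLAuthzDecisionQuery");
                return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.SERVER_FAULT, "invalidQuery", null);
            }
            return SOAPCommunicator.getInstance().createSOAPMessage(samlResponse.toXMLString(true, true), false);
        } catch (SAML2Exception e) {
            debug.error("QueryHandlerServlet:onMessage:XACML Response Error SOAP Fault", (Throwable) e);
            // The exception message is returned to the remote PEP as fault detail.
            return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.SERVER_FAULT, "invalidQuery", e.getMessage());
        }
    }

    /**
     * Signs {@code assertion} with the hosted PDP's signing key.
     *
     * <p>The key alias comes from the PDP's extended XACML config ({@code signingCertAlias}).
     * A missing alias or a key provider that cannot supply the private key is a hard failure
     * (no unsigned assertion is ever emitted when signing was requested).
     *
     * @param str       realm of the hosted PDP
     * @param str2      entity ID of the hosted PDP
     * @param assertion the assertion to sign in place
     * @throws SAML2Exception if no key provider, no alias, or no private key is available
     */
    static void signAssertion(String str, String str2, Assertion assertion) throws SAML2Exception {
        KeyProvider keyProvider = KeyUtil.getKeyProviderInstance();
        if (keyProvider == null) {
            debug.error("QueryHandlerServlet.signAssertion: Unable to get a key provider instance.");
            throw new SAML2Exception("nullKeyProvider");
        }
        String signingAlias = SAML2Utils.getAttributeValueFromXACMLConfig(str, SAML2Constants.PDP_ROLE, str2,
                "signingCertAlias");
        if (signingAlias == null) {
            debug.error("QueryHandlerServlet.signAssertion: Unable to get the hosted PDP signing certificate alias.");
            LogUtil.error(Level.INFO, LogUtil.NULL_PDP_SIGN_CERT_ALIAS, new String[]{str, str2});
            throw new SAML2Exception("missingSigningCertAlias");
        }
        PrivateKey signingKey = keyProvider.getPrivateKey(signingAlias);
        if (signingKey == null) {
            // Same check signResponse() performs; an alias that resolves to no key is a config error.
            debug.error("QueryHandlerServlet.signAssertion: Incorrect configuration for Signing Certificate.");
            throw new SAML2Exception("metaDataError");
        }
        assertion.sign(signingKey, keyProvider.getX509Certificate(signingAlias));
    }

    /**
     * Validates the request type and issuer, then produces the decision response.
     *
     * <p>The issuer check consults metadata only: it establishes that the named PEP is trusted by
     * this PDP, not that the request actually came from it. Authenticity is established later in
     * {@link #processXACMLResponse} by signature verification, and only when the PDP requires
     * signed queries.
     *
     * @param str                realm of the hosted PDP
     * @param str2               entity ID of the hosted PDP
     * @param element            the {@code samlp:RequestAbstract} element, may be {@code null}
     * @param httpServletRequest the HTTP request
     * @param sOAPMessage        the full request envelope, passed to the handler
     * @return the response, or {@code null} when {@code element} is absent or not an
     *         {@code XACMLAuthzDecisionQuery}
     * @throws SAML2Exception if the issuer is missing or not a trusted PEP, or processing fails
     */
    Response processSAMLRequest(String str, String str2, Element element, HttpServletRequest httpServletRequest,
            SOAPMessage sOAPMessage) throws SAML2Exception {
        if (element == null) {
            return null;
        }
        // DOM returns "" (not null) for an absent attribute; the substring match tolerates prefixes.
        String xsiType = element.getAttribute(XSI_TYPE_ATTR);
        if (debug.messageEnabled()) {
            debug.message("QueryHandlerServlet:processSAMLRequestxsi type is : " + xsiType);
        }
        if (xsiType == null || xsiType.indexOf(XACML_AUTHZ_QUERY) == -1) {
            return null;
        }

        XACMLAuthzDecisionQuery query = ContextFactory.getInstance().createXACMLAuthzDecisionQuery(element);
        LogUtil.access(Level.FINE, LogUtil.REQUEST_MESSAGE, new String[]{query.toXMLString(true, true), str2});

        // Issuer is attacker-controlled input: tolerate a missing element or value instead of NPE-ing.
        Issuer issuer = query.getIssuer();
        String pepEntityID = null;
        if (issuer != null && issuer.getValue() != null) {
            pepEntityID = issuer.getValue().trim();
        }
        if (debug.messageEnabled()) {
            debug.message("QueryHandlerServlet:processSAMLRequestIssuer is:" + pepEntityID);
        }

        boolean trusted = false;
        if (pepEntityID != null && pepEntityID.length() != 0) {
            try {
                trusted = SAML2Utils.getSAML2MetaManager().isTrustedXACMLProvider(str, str2, pepEntityID,
                        SAML2Constants.PDP_ROLE);
            } catch (SAML2MetaException e) {
                // Fail closed: a metadata lookup error leaves the issuer untrusted.
                debug.error("Error retreiving meta", e);
            }
        }
        if (!trusted) {
            if (debug.messageEnabled()) {
                debug.message("QueryHandlerServlet:processSAMLRequestIssuer in Request is not valid." + pepEntityID);
            }
            LogUtil.error(Level.INFO, LogUtil.INVALID_ISSUER_IN_PEP_REQUEST, new String[]{str, pepEntityID, str2});
            throw new SAML2Exception("invalidIssuerInRequest");
        }
        return processXACMLResponse(str, str2, query, httpServletRequest, sOAPMessage);
    }

    /**
     * Verifies the query signature (if required), runs the registered handler and finalises the
     * response: fresh IDs, issue instants and issuer, then assertion signing, assertion encryption
     * and response signing, in that order. Sign-then-encrypt means the assertion signature sits
     * inside the {@code EncryptedAssertion}; the response signature covers the encrypted form.
     *
     * @param str                realm of the hosted PDP
     * @param str2               entity ID of the hosted PDP
     * @param requestAbstract    the trusted-issuer query (issuer already validated by the caller)
     * @param httpServletRequest the HTTP request; its path info after {@code /metaAlias} selects the handler
     * @param sOAPMessage        the request envelope handed to the handler
     * @return the completed, signed/encrypted response
     * @throws SAML2Exception on missing/invalid signature, unknown handler, missing PEP metadata,
     *                        a handler response without an assertion, or signing/encryption failure
     */
    Response processXACMLResponse(String str, String str2, RequestAbstract requestAbstract,
            HttpServletRequest httpServletRequest, SOAPMessage sOAPMessage) throws SAML2Exception {
        // Handler key = everything after "/metaAlias" in the path. Guard against a null path or a
        // path without the marker; the original computed substring(indexOf + 10) unconditionally.
        String pathInfo = httpServletRequest.getPathInfo();
        int markerIndex = (pathInfo == null) ? -1 : pathInfo.indexOf(METAALIAS_KEY);
        if (markerIndex == -1) {
            debug.error("QueryHandlerServlet:processXACMLResponseRequestHandler not found");
            throw new SAML2Exception("missingRequestHandler");
        }
        String handlerKey = pathInfo.substring(markerIndex + METAALIAS_KEY.length());
        // Trim to match the value the trust check in processSAMLRequest() was performed on.
        String pepEntityID = requestAbstract.getIssuer().getValue().trim();
        if (debug.messageEnabled()) {
            debug.message("QueryHandlerServlet:processXACMLResponseSOAPMessage KEY . :" + handlerKey);
            debug.message("QueryHandlerServlet:processXACMLResponsepepEntityID is :" + pepEntityID);
        }

        // PEP metadata is needed for signature verification, wantAssertionsSigned and encryption.
        XACMLAuthzDecisionQueryDescriptorElement pepDescriptor =
                SAML2Utils.getSAML2MetaManager().getPolicyEnforcementPointDescriptor(str, pepEntityID);
        if (pepDescriptor == null) {
            debug.error("QueryHandlerServlet:processXACMLResponsePEP descriptor not found for " + pepEntityID);
            throw new SAML2Exception("metaDataError");
        }

        boolean wantQuerySigned = SAML2Utils.getWantXACMLAuthzDecisionQuerySigned(str, str2, SAML2Constants.PDP_ROLE);
        if (debug.messageEnabled()) {
            debug.message("QueryHandlerServlet:processXACMLResponsePDP wantAuthzQuerySigned:" + wantQuerySigned);
        }
        if (wantQuerySigned) {
            if (!requestAbstract.isSigned()) {
                debug.error("Request not signed");
                throw new SAML2Exception("nullSig");
            }
            // Verify only against certificates published in the PEP's metadata; an empty set fails closed.
            Set<X509Certificate> pepCerts = KeyUtil.getPEPVerificationCerts(pepDescriptor, pepEntityID);
            if (pepCerts.isEmpty() || !requestAbstract.isSignatureValid(pepCerts)) {
                debug.error("QueryHandlerServlet:processXACMLResponseInvalid signature in message");
                throw new SAML2Exception("invalidQuerySignature");
            }
            if (debug.messageEnabled()) {
                debug.message("QueryHandlerServlet:processXACMLResponseValid signature found");
            }
        }
        // NOTE(review): when wantQuerySigned is false a signed request is accepted without verifying
        // its signature, and the issuer is taken on faith.

        RequestHandler handler = (RequestHandler) SOAPBindingService.handlers.get(handlerKey);
        if (handler == null) {
            debug.error("QueryHandlerServlet:processXACMLResponseRequestHandler not found");
            throw new SAML2Exception("missingRequestHandler");
        }
        if (debug.messageEnabled()) {
            debug.message("QueryHandlerServlet:processXACMLResponseFound handler");
        }

        Response response = handler.handleQuery(str2, pepEntityID, requestAbstract, sOAPMessage);
        if (response == null || response.getAssertion() == null || response.getAssertion().isEmpty()) {
            // The handler is expected to return exactly one assertion; report rather than IndexOutOfBounds.
            debug.error("QueryHandlerServlet:processXACMLResponseRequestHandler returned no assertion");
            throw new SAML2Exception("invalidQuery");
        }

        // The PDP, not the handler, owns response/assertion identity and issuer.
        response.setID(SAML2Utils.generateID());
        response.setVersion(SAML2Constants.VERSION_2_0);
        response.setIssueInstant(Time.newDate());
        Issuer pdpIssuer = AssertionFactory.getInstance().createIssuer();
        pdpIssuer.setValue(str2);
        response.setIssuer(pdpIssuer);

        Assertion assertion = (Assertion) response.getAssertion().get(0);
        assertion.setID(SAML2Utils.generateID());
        assertion.setVersion(SAML2Constants.VERSION_2_0);
        assertion.setIssueInstant(Time.newDate());
        assertion.setIssuer(pdpIssuer);

        boolean wantAssertionSigned = pepDescriptor.isWantAssertionsSigned();
        if (debug.messageEnabled()) {
            debug.message("QueryHandlerServlet:processXACMLResponse wantAssertionSigned :" + wantAssertionSigned);
        }
        if (wantAssertionSigned) {
            signAssertion(str, str2, assertion);
        }

        // Encryption is opt-in: only an explicit "true" encrypts (contrast signResponse, which signs
        // unless the flag is explicitly "false").
        String wantEncrypted = SAML2Utils.getAttributeValueFromXACMLConfig(str, SAML2Constants.PEP_ROLE, pepEntityID,
                SAML2Constants.WANT_ASSERTION_ENCRYPTED);
        if (wantEncrypted != null && wantEncrypted.equalsIgnoreCase("true")) {
            EncInfo pepEncInfo = KeyUtil.getPEPEncInfo(pepDescriptor, pepEntityID);
            EncryptedAssertion encrypted = assertion.encrypt(pepEncInfo.getWrappingKey(),
                    pepEncInfo.getDataEncAlgorithm(), pepEncInfo.getDataEncStrength(), pepEntityID);
            if (encrypted == null) {
                debug.error("QueryHandlerServlet:processXACMLResponseAssertion encryption failed.");
                throw new SAML2Exception("FailedToEncryptAssertion");
            }
            ArrayList encryptedAssertions = new ArrayList();
            encryptedAssertions.add(encrypted);
            response.setEncryptedAssertion(encryptedAssertions);
            // Never leave the plaintext assertion alongside the encrypted one.
            response.setAssertion(new ArrayList());
            if (debug.messageEnabled()) {
                debug.message("QueryHandlerServlet:processXACMLResponseAssertion encrypted.");
            }
        } else {
            ArrayList assertions = new ArrayList();
            assertions.add(assertion);
            response.setAssertion(assertions);
        }

        // Response signature last, so it covers the final (possibly encrypted) assertion.
        signResponse(response, str, pepEntityID, str2);
        return response;
    }

    /**
     * Signs {@code response} with the hosted PDP's key when the PEP's extended config asks for it.
     *
     * <p>Signing is skipped only if the flag is absent or exactly {@code "false"}; any other value
     * (including malformed ones) results in a signed response.
     *
     * @param response the response to sign in place
     * @param str      realm
     * @param str2     entity ID of the requesting PEP (whose config carries the flag)
     * @param str3     entity ID of the hosted PDP (whose config carries the signing alias)
     * @throws SAML2Exception if signing is required but alias, key provider or private key is missing
     */
    static void signResponse(Response response, String str, String str2, String str3) throws SAML2Exception {
        String wantResponseSigned = SAML2Utils.getAttributeValueFromXACMLConfig(str, SAML2Constants.PEP_ROLE, str2,
                SAML2Constants.WANT_XACML_AUTHZ_DECISION_RESPONSED_SIGNED);
        if (wantResponseSigned == null || wantResponseSigned.equalsIgnoreCase("false")) {
            if (debug.messageEnabled()) {
                debug.message("signResponse : Response doesn't need to be signed.");
            }
            return;
        }
        String signingAlias = SAML2Utils.getAttributeValueFromXACMLConfig(str, SAML2Constants.PDP_ROLE, str3,
                "signingCertAlias");
        if (signingAlias == null) {
            debug.error("signResponse : PDP certificate alias is null.");
            LogUtil.error(Level.INFO, LogUtil.NULL_PDP_SIGN_CERT_ALIAS, new String[]{str, str3});
            throw new SAML2Exception("missingSigningCertAlias");
        }
        if (debug.messageEnabled()) {
            debug.message("signResponse : realm is : " + str);
            debug.message("signResponse : pepEntityID is :" + str2);
            debug.message("signResponse : pdpEntityID : " + str3);
            debug.message("signResponse : wantResponseSigned" + wantResponseSigned);
            debug.message("signResponse : Cert Alias:" + signingAlias);
        }
        KeyProvider keyProvider = KeyUtil.getKeyProviderInstance();
        if (keyProvider == null) {
            debug.error("signResponse : Unable to get a key provider instance.");
            throw new SAML2Exception("nullKeyProvider");
        }
        PrivateKey signingKey = keyProvider.getPrivateKey(signingAlias);
        X509Certificate signingCert = keyProvider.getX509Certificate(signingAlias);
        if (signingKey == null) {
            debug.error("Incorrect configuration for Signing Certificate.");
            throw new SAML2Exception("metaDataError");
        }
        response.sign(signingKey, signingCert);
    }
}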
