package org.nuxeo.ecm.platform.auth.saml;

import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.nuxeo.common.utils.i18n.I18NUtils;
import org.nuxeo.ecm.platform.api.login.UserIdentificationInfo;
import org.nuxeo.ecm.platform.auth.saml.binding.HTTPPostBinding;
import org.nuxeo.ecm.platform.auth.saml.binding.HTTPRedirectBinding;
import org.nuxeo.ecm.platform.auth.saml.binding.SAMLBinding;
import org.nuxeo.ecm.platform.auth.saml.key.KeyManager;
import org.nuxeo.ecm.platform.auth.saml.slo.SLOProfile;
import org.nuxeo.ecm.platform.auth.saml.slo.SLOProfileImpl;
import org.nuxeo.ecm.platform.auth.saml.sso.WebSSOProfile;
import org.nuxeo.ecm.platform.auth.saml.sso.WebSSOProfileImpl;
import org.nuxeo.ecm.platform.auth.saml.user.AbstractUserResolver;
import org.nuxeo.ecm.platform.auth.saml.user.EmailBasedUserResolver;
import org.nuxeo.ecm.platform.auth.saml.user.UserMapperBasedResolver;
import org.nuxeo.ecm.platform.auth.saml.user.UserResolver;
import org.nuxeo.ecm.platform.ui.web.auth.LoginScreenHelper;
import org.nuxeo.ecm.platform.ui.web.auth.interfaces.NuxeoAuthenticationPlugin;
import org.nuxeo.ecm.platform.ui.web.auth.interfaces.NuxeoAuthenticationPluginLogoutExtension;
import org.nuxeo.ecm.platform.ui.web.auth.service.LoginProviderLinkComputer;
import org.nuxeo.ecm.platform.web.common.CookieHelper;
import org.nuxeo.ecm.platform.web.common.vh.VirtualHostHelper;
import org.nuxeo.runtime.api.Framework;
import org.nuxeo.usermapper.service.UserMapperService;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLException;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.LogoutRequest;
import org.opensaml.saml2.core.LogoutResponse;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.SingleLogoutService;
import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.ws.transport.InTransport;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;

/* loaded from: input_file:org/nuxeo/ecm/platform/auth/saml/SAMLAuthenticationProvider.class */
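/**
 * Nuxeo authentication plugin implementing SAML 2.0 Web SSO (login) and Single Logout against one IdP whose
 * metadata is given by the {@code metadata} plugin parameter.
 * <p>
 * Flow as implemented here:
 * <ul>
 * <li>{@link #initPlugin(Map)} loads the IdP metadata, builds the trust engine / decrypter and registers one
 * Web SSO profile and one SLO profile for the IdP's HTTP-Redirect endpoints.</li>
 * <li>{@link #handleLoginPrompt} redirects the browser to the IdP with an {@code AuthnRequest}.</li>
 * <li>{@link #handleRetrieveIdentity} decodes an inbound SAML message (POST or Redirect binding), validates
 * it through the matching profile and maps the asserted NameID to a Nuxeo user.</li>
 * <li>{@link #handleLogout} redirects the browser to the IdP with a {@code LogoutRequest} built from the
 * {@value #SAML_SESSION_KEY} cookie.</li>
 * </ul>
 * Message validation (signature, conditions, replay) is delegated to the profile implementations and the
 * OpenSAML trust engine; this class only wires them together.
 */
public class SAMLAuthenticationProvider implements NuxeoAuthenticationPlugin, LoginProviderLinkComputer, NuxeoAuthenticationPluginLogoutExtension {

    private static final Log log = LogFactory.getLog(SAMLAuthenticationProvider.class);

    private static final String ERROR_PAGE = "saml/error.jsp";
    private static final String ERROR_AUTH = "error.saml.auth";
    private static final String ERROR_USER = "error.saml.userMapping";

    /**
     * Cookie carrying {@code sessionIndex|nameId|nameIdFormat} after a successful login so that a later
     * logout can build the {@code LogoutRequest}. Written by {@link #handleRetrieveIdentity}, read by
     * {@link #getSamlCredential}.
     */
    static final String SAML_SESSION_KEY = "SAML_SESSION";

    // Request/session attribute names shared with the rest of the Nuxeo login machinery.
    private static final String LOGIN_ERROR_ATTRIBUTE = "org.nuxeo.ecm.login.error";
    private static final String REQUESTED_URL_ATTRIBUTE = "requestedUrl";
    private static final String START_PAGE_ATTRIBUTE = "Nuxeo5_Start_Page";

    // SAML 2.0 URIs.
    private static final String SAML20P_NS = "urn:oasis:names:tc:SAML:2.0:protocol";
    private static final String HTTP_REDIRECT_BINDING_URI = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";

    // Keys of the parameter map handed to initPlugin.
    private static final String PARAM_USER_RESOLVER_CLASS = "userResolverClass";
    private static final String PARAM_METADATA = "metadata";
    private static final String PARAM_TIMEOUT = "timeout";
    private static final String PARAM_NAME = "name";
    private static final String PARAM_ICON = "icon";
    private static final String PARAM_LABEL = "label";
    private static final String PARAM_DESCRIPTION = "description";

    private static final int DEFAULT_METADATA_TIMEOUT_SECONDS = 5;

    private static final String COOKIE_SEPARATOR = "|";

    private static final Class<? extends UserResolver> DEFAULT_USER_RESOLVER_CLASS = EmailBasedUserResolver.class;
    private static final Class<? extends UserResolver> USERMAPPER_USER_RESOLVER_CLASS = UserMapperBasedResolver.class;

    /** Inbound bindings tried in order by {@link #getBinding(InTransport)}. */
    static List<SAMLBinding> bindings = new ArrayList<>();

    /** Resolver chain used by the decrypter to locate the EncryptedKey of an EncryptedAssertion. */
    private static final ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver();

    static {
        bindings.add(new HTTPPostBinding());
        bindings.add(new HTTPRedirectBinding());
        encryptedKeyResolver.getResolverChain().add(new InlineEncryptedKeyResolver());
        encryptedKeyResolver.getResolverChain().add(new EncryptedElementTypeEncryptedKeyResolver());
        encryptedKeyResolver.getResolverChain().add(new SimpleRetrievalMethodEncryptedKeyResolver());
    }

    /** Registered profiles keyed by profile URI (Web SSO and/or SLO). */
    private final Map<String, AbstractSAMLProfile> profiles = new HashMap<>();

    private UserResolver userResolver;

    private KeyManager keyManager;

    private SignatureTrustEngine trustEngine;

    private Decrypter decrypter;

    private MetadataProvider metadataProvider;

    /**
     * Initializes the plugin from its descriptor parameters.
     * <p>
     * Metadata or OpenSAML failures are logged and leave the plugin without profiles; a missing user
     * resolver class is fatal because every successful login would otherwise fail with an NPE.
     *
     * @param parameters the plugin parameters (see the {@code PARAM_*} constants)
     * @throws IllegalStateException if no usable user resolver class can be determined
     */
    @Override
    public void initPlugin(Map<String, String> parameters) {
        initUserResolver(parameters);
        try {
            DefaultBootstrap.bootstrap();
        } catch (ConfigurationException e) {
            log.error("Failed to bootstrap OpenSAML", e);
        }
        try {
            initializeMetadataProvider(parameters);
            initSecurityObjects();
            registerIdpProfiles();
        } catch (MetadataProviderException e) {
            log.warn("Failed to register IdP: " + e.getMessage());
        }
        String name = parameters.get(PARAM_NAME);
        if (StringUtils.isNotBlank(name)) {
            LoginScreenHelper.registerLoginProvider(name, parameters.get(PARAM_ICON), (String) null,
                    parameters.get(PARAM_LABEL), parameters.get(PARAM_DESCRIPTION), this);
        }
    }

    /**
     * Picks and instantiates the user resolver: the configured class, else the user-mapper based resolver
     * when the UserMapperService is deployed, else the e-mail based one.
     */
    private void initUserResolver(Map<String, String> parameters) {
        String className = parameters.get(PARAM_USER_RESOLVER_CLASS);
        Class<? extends UserResolver> resolverClass = null;
        if (StringUtils.isBlank(className)) {
            boolean hasUserMapper = Framework.getService(UserMapperService.class) != null;
            resolverClass = hasUserMapper ? USERMAPPER_USER_RESOLVER_CLASS : DEFAULT_USER_RESOLVER_CLASS;
        } else {
            try {
                resolverClass = Class.forName(className).asSubclass(AbstractUserResolver.class);
            } catch (ClassNotFoundException | ClassCastException e) {
                log.error("Failed get user resolver class " + className, e);
            }
        }
        if (resolverClass == null) {
            // Fail fast with a clear message instead of an NPE on the first login.
            throw new IllegalStateException("No usable user resolver class: " + className);
        }
        try {
            userResolver = resolverClass.getDeclaredConstructor().newInstance();
            userResolver.init(parameters);
        } catch (ReflectiveOperationException e) {
            log.error("Failed to initialize user resolver " + className, e);
        }
    }

    /**
     * Builds the signature trust engine from the IdP metadata and, when an encryption credential is
     * available from the KeyManager, the assertion decrypter. Requires {@link #metadataProvider}.
     */
    private void initSecurityObjects() {
        trustEngine = new ExplicitKeySignatureTrustEngine(new MetadataCredentialResolver(metadataProvider),
                Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver());
        Credential encryptionCredential = getKeyManager().getEncryptionCredential();
        if (encryptionCredential != null) {
            decrypter = new Decrypter((KeyInfoCredentialResolver) null,
                    new StaticKeyInfoCredentialResolver(encryptionCredential), encryptedKeyResolver);
            decrypter.setRootInNewDocument(true);
        }
    }

    /**
     * Registers a Web SSO profile and an SLO profile for the first HTTP-Redirect endpoint of each kind
     * declared by the IdP's SAML 2.0 IDPSSODescriptor.
     *
     * @throws MetadataProviderException if the IdP metadata cannot be read
     */
    private void registerIdpProfiles() throws MetadataProviderException {
        for (Object roleDescriptor : getIdPDescriptor().getRoleDescriptors()) {
            if (!(roleDescriptor instanceof IDPSSODescriptor)) {
                continue;
            }
            IDPSSODescriptor idp = (IDPSSODescriptor) roleDescriptor;
            if (!idp.getElementQName().equals(IDPSSODescriptor.DEFAULT_ELEMENT_NAME)
                    || !idp.isSupportedProtocol(SAML20P_NS)) {
                continue;
            }
            for (SingleSignOnService sso : idp.getSingleSignOnServices()) {
                if (HTTP_REDIRECT_BINDING_URI.equals(sso.getBinding())) {
                    addProfile(new WebSSOProfileImpl(sso));
                    break;
                }
            }
            for (SingleLogoutService slo : idp.getSingleLogoutServices()) {
                if (HTTP_REDIRECT_BINDING_URI.equals(slo.getBinding())) {
                    addProfile(new SLOProfileImpl(slo));
                    break;
                }
            }
        }
    }

    /** Wires the shared trust engine and decrypter into a profile and registers it under its URI. */
    private void addProfile(AbstractSAMLProfile profile) {
        profile.setTrustEngine(trustEngine);
        profile.setDecrypter(decrypter);
        profiles.put(profile.getProfileIdentifier(), profile);
    }

    /**
     * Creates and initializes the metadata provider: HTTP(S) when the {@code metadata} parameter is a URL,
     * otherwise a file on the local filesystem.
     * <p>
     * NOTE(review): no metadata signature filter is configured on either provider, so the metadata is
     * trusted as fetched; with a plain {@code http:} URL that trust rests on the network path — confirm
     * this matches the deployment's expectations.
     *
     * @throws MetadataProviderException if the parameter is missing/invalid or the provider cannot initialize
     */
    private void initializeMetadataProvider(Map<String, String> parameters) throws MetadataProviderException {
        String metadataUri = parameters.get(PARAM_METADATA);
        if (metadataUri == null) {
            String providerName = parameters.containsKey(PARAM_NAME) ? parameters.get(PARAM_NAME) : "";
            throw new MetadataProviderException("No metadata URI set for provider " + providerName);
        }
        BasicParserPool parserPool = new BasicParserPool();
        if (metadataUri.startsWith("http:") || metadataUri.startsWith("https:")) {
            HTTPMetadataProvider httpProvider = new HTTPMetadataProvider(metadataUri, metadataTimeoutMillis(parameters));
            httpProvider.setParserPool(parserPool);
            httpProvider.initialize();
            metadataProvider = httpProvider;
        } else {
            FilesystemMetadataProvider fileProvider = new FilesystemMetadataProvider(new File(metadataUri));
            fileProvider.setParserPool(parserPool);
            fileProvider.initialize();
            metadataProvider = fileProvider;
        }
    }

    /**
     * Reads the {@code timeout} parameter (seconds) and converts it to milliseconds, defaulting to
     * {@value #DEFAULT_METADATA_TIMEOUT_SECONDS} seconds.
     *
     * @throws MetadataProviderException if the value is present but not an integer
     */
    private static int metadataTimeoutMillis(Map<String, String> parameters) throws MetadataProviderException {
        String timeout = parameters.get(PARAM_TIMEOUT);
        if (timeout == null) {
            return DEFAULT_METADATA_TIMEOUT_SECONDS * 1000;
        }
        try {
            return Integer.parseInt(timeout) * 1000;
        } catch (NumberFormatException e) {
            throw new MetadataProviderException("Invalid metadata timeout: " + timeout, e);
        }
    }

    /** @return the IdP EntityDescriptor from the configured metadata provider */
    private EntityDescriptor getIdPDescriptor() throws MetadataProviderException {
        return (EntityDescriptor) metadataProvider.getMetadata();
    }

    /**
     * Builds the HTTP-Redirect URL carrying an {@code AuthnRequest} to the IdP.
     *
     * @param request the current request; its requested URL (if any) becomes the RelayState
     * @param response unused, kept for overriding subclasses
     * @return the redirect URL, the bare SSO endpoint location if the request could not be built, or
     *         {@code null} if no Web SSO profile is registered
     */
    protected String getSSOUrl(HttpServletRequest request, HttpServletResponse response) {
        WebSSOProfile sso = (WebSSOProfile) profiles.get(WebSSOProfile.PROFILE_URI);
        if (sso == null) {
            return null;
        }
        SAMLMessageContext context = new BasicSAMLMessageContext();
        populateLocalContext(context, request);
        String requestedUrl = getRequestedUrl(request);
        if (requestedUrl != null) {
            context.setRelayState(requestedUrl);
        }
        String endpointLocation = sso.getEndpoint().getLocation();
        String location = endpointLocation;
        try {
            AuthnRequest authnRequest = sso.buildAuthRequest(request, new String[0]);
            authnRequest.setDestination(endpointLocation);
            context.setOutboundSAMLMessage(authnRequest);
            HTTPRedirectBinding redirectBinding = (HTTPRedirectBinding) getBinding(HTTP_REDIRECT_BINDING_URI);
            location = redirectBinding.buildRedirectURL(context, endpointLocation);
        } catch (SAMLException e) {
            log.error("Failed to build redirect URL", e);
        }
        return location;
    }

    /**
     * @return the URL originally requested by the user, from the request attribute or, failing that, the
     *         start page stored in an existing session; {@code null} if neither is set
     */
    private String getRequestedUrl(HttpServletRequest request) {
        String requestedUrl = (String) request.getAttribute(REQUESTED_URL_ATTRIBUTE);
        if (requestedUrl != null) {
            return requestedUrl;
        }
        HttpSession session = request.getSession(false);
        return session == null ? null : (String) session.getAttribute(START_PAGE_ATTRIBUTE);
    }

    @Override
    public String computeUrl(HttpServletRequest request, String baseUrl) {
        return getSSOUrl(request, null);
    }

    /**
     * Shows the SAML error page when a login error attribute is present, otherwise redirects to the IdP.
     *
     * @return {@code true} if the response was handled (forward or redirect sent), {@code false} on failure
     *         or when no SSO URL is available
     */
    @Override
    public Boolean handleLoginPrompt(HttpServletRequest request, HttpServletResponse response, String baseUrl) {
        if (request.getAttribute(LOGIN_ERROR_ATTRIBUTE) != null) {
            try {
                request.getRequestDispatcher(ERROR_PAGE).forward(request, response);
                return true;
            } catch (ServletException | IOException e) {
                log.error("Failed to redirect to error page", e);
                return false;
            }
        }
        String ssoUrl = getSSOUrl(request, response);
        if (ssoUrl == null) {
            // No Web SSO profile registered (IdP metadata failed to load): nothing to redirect to.
            log.error("No SAML SSO URL available, cannot redirect to the IdP");
            return false;
        }
        try {
            response.sendRedirect(ssoUrl);
            return true;
        } catch (IOException e) {
            log.error(String.format("Unable to send redirect on %s", ssoUrl), e);
            return false;
        }
    }

    /**
     * Decodes an inbound SAML message and dispatches it to the SLO or Web SSO profile.
     *
     * @return the identified user for a valid authentication response; {@code null} when the request is
     *         not a SAML message, on any decoding/validation error (an error attribute is set for the
     *         login page where applicable), or for logout messages which never yield an identity
     */
    @Override
    public UserIdentificationInfo handleRetrieveIdentity(HttpServletRequest request, HttpServletResponse response) {
        HttpServletRequestAdapter inTransport = new HttpServletRequestAdapter(request);
        SAMLBinding binding = getBinding(inTransport);
        if (binding == null) {
            // Not a SAML message for any supported binding; let other plugins handle it.
            return null;
        }
        HttpServletResponseAdapter outTransport = new HttpServletResponseAdapter(response, request.isSecure());
        SAMLMessageContext context = new BasicSAMLMessageContext();
        context.setInboundMessageTransport(inTransport);
        context.setOutboundMessageTransport(outTransport);
        populateLocalContext(context, request);
        try {
            binding.decode(context);
        } catch (SecurityException | MessageDecodingException e) {
            log.error("Error during SAML decoding", e);
            return null;
        }
        completePeerContext(context);
        AbstractSAMLProfile processor = getProcessor(context);
        if (processor == null) {
            log.warn("Unsupported profile encountered in the context " + context.getCommunicationProfileId());
            return null;
        }
        context.setCommunicationProfileId(processor.getProfileIdentifier());
        if (processor instanceof SLOProfile) {
            handleLogoutMessage((SLOProfile) processor, context, request);
            return null;
        }
        return handleAuthenticationResponse((WebSSOProfile) processor, context, request, response);
    }

    /**
     * Fills in the peer (IdP) entity id, metadata and role on the context when the binding did not set them.
     * Metadata lookup failures are logged and leave the corresponding fields unset.
     */
    private void completePeerContext(SAMLMessageContext context) {
        try {
            EntityDescriptor idp = getIdPDescriptor();
            if (context.getPeerEntityId() == null) {
                context.setPeerEntityId(idp.getEntityID());
            }
            if (context.getPeerEntityMetadata() == null) {
                context.setPeerEntityMetadata(idp);
            }
        } catch (MetadataProviderException e) {
            log.debug("IdP metadata unavailable while completing the peer context", e);
        }
        if (context.getPeerEntityRole() == null) {
            context.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
        }
    }

    /** Processes an inbound LogoutResponse or LogoutRequest; errors are logged at debug level. */
    private void handleLogoutMessage(SLOProfile slo, SAMLMessageContext context, HttpServletRequest request) {
        SAMLObject message = context.getInboundSAMLMessage();
        try {
            if (message instanceof LogoutResponse) {
                slo.processLogoutResponse(context);
            } else if (message instanceof LogoutRequest) {
                slo.processLogoutRequest(context, getSamlCredential(request));
            }
        } catch (SAMLException e) {
            log.debug("Error processing SAML message", e);
        }
    }

    /**
     * Validates an authentication response through the Web SSO profile, maps it to a Nuxeo user and records
     * the SAML session (cookie + start page).
     *
     * @return the identification info, or {@code null} after setting the login error attribute
     */
    private UserIdentificationInfo handleAuthenticationResponse(WebSSOProfile sso, SAMLMessageContext context,
            HttpServletRequest request, HttpServletResponse response) {
        SAMLCredential credential;
        try {
            credential = sso.processAuthenticationResponse(context);
        } catch (SAMLException e) {
            log.error("Error processing SAML message", e);
            sendError(request, ERROR_AUTH);
            return null;
        }
        String userId = resolveUserId(credential);
        if (userId == null) {
            log.warn("Failed to resolve user with NameID \"" + credential.getNameID().getValue() + "\".");
            sendError(request, ERROR_USER);
            return null;
        }
        rememberSamlSession(credential, request, response);
        return new UserIdentificationInfo(userId, userId);
    }

    /** Resolves (or creates) the Nuxeo user for the credential; runs privileged as no principal is logged in yet. */
    private String resolveUserId(SAMLCredential credential) {
        return Framework.doPrivileged(() -> {
            return userResolver.findOrCreateNuxeoUser(credential);
        });
    }

    /**
     * Stores what a later logout needs in the {@value #SAML_SESSION_KEY} cookie and the RelayState as the
     * post-login start page.
     * <p>
     * NOTE(review): the RelayState comes from the SAML response; whatever consumes the start-page session
     * attribute should accept only local URLs — not verified here.
     */
    private void rememberSamlSession(SAMLCredential credential, HttpServletRequest request, HttpServletResponse response) {
        List<String> sessionIndexes = credential.getSessionIndexes();
        if (sessionIndexes != null && !sessionIndexes.isEmpty()) {
            // Layout must stay in sync with getSamlCredential(): sessionIndex|nameId|nameIdFormat.
            NameID nameId = credential.getNameID();
            String cookieValue = String.join(COOKIE_SEPARATOR, sessionIndexes.get(0), nameId.getValue(), nameId.getFormat());
            response.addCookie(CookieHelper.createCookie(request, SAML_SESSION_KEY, cookieValue));
        }
        // Only create a session if the response can still carry its cookie.
        HttpSession session = request.getSession(!response.isCommitted());
        if (session != null && StringUtils.isNotEmpty(credential.getRelayState())) {
            session.setAttribute(START_PAGE_ATTRIBUTE, credential.getRelayState());
        }
    }

    /**
     * @return the SLO profile for logout messages, the Web SSO profile otherwise, or {@code null} if that
     *         profile is not registered
     */
    protected AbstractSAMLProfile getProcessor(SAMLMessageContext context) {
        SAMLObject message = context.getInboundSAMLMessage();
        boolean isLogoutMessage = message instanceof LogoutResponse || message instanceof LogoutRequest;
        return profiles.get(isLogoutMessage ? SLOProfile.PROFILE_URI : WebSSOProfile.PROFILE_URI);
    }

    /** @return the registered binding with the given URI, or {@code null} */
    protected SAMLBinding getBinding(String bindingUri) {
        for (SAMLBinding binding : bindings) {
            if (binding.getBindingURI().equals(bindingUri)) {
                return binding;
            }
        }
        return null;
    }

    /** @return the first registered binding that supports the inbound transport, or {@code null} */
    protected SAMLBinding getBinding(InTransport inTransport) {
        for (SAMLBinding binding : bindings) {
            if (binding.supports(inTransport)) {
                return binding;
            }
        }
        return null;
    }

    /**
     * Sets the SP side of the context: entity id, role, SP metadata (with the ACS URL derived from the
     * request's base URL), the metadata provider and the signing credential when the KeyManager has one.
     */
    private void populateLocalContext(SAMLMessageContext context, HttpServletRequest request) {
        context.setLocalEntityId(SAMLConfiguration.getEntityId());
        context.setLocalEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
        String baseUrl = VirtualHostHelper.getBaseURL(request);
        String startupUrl = (baseUrl.endsWith("/") ? baseUrl : baseUrl + "/") + LoginScreenHelper.getStartupPagePath();
        context.setLocalEntityRoleMetadata(SAMLConfiguration.getSPSSODescriptor(startupUrl));
        context.setMetadataProvider(metadataProvider);
        // Re-resolve the service on every call so a redeployed KeyManager is picked up.
        keyManager = Framework.getService(KeyManager.class);
        Credential signingCredential = getKeyManager().getSigningCredential();
        if (signingCredential != null) {
            context.setOutboundSAMLMessageSigningCredential(signingCredential);
        }
    }

    @Override
    public Boolean needLoginPrompt(HttpServletRequest request) {
        return Boolean.TRUE;
    }

    /** @return {@code null}: this plugin declares no URL prefixes reachable without authentication */
    @Override
    public List<String> getUnAuthenticatedURLPrefix() {
        return null;
    }

    /**
     * Builds the HTTP-Redirect URL carrying a {@code LogoutRequest} to the IdP.
     *
     * @return the redirect URL, the bare SLO endpoint location if the request could not be built, or
     *         {@code null} if no SLO profile is registered
     */
    protected String getSLOUrl(HttpServletRequest request, HttpServletResponse response) {
        SLOProfile slo = (SLOProfile) profiles.get(SLOProfile.PROFILE_URI);
        if (slo == null) {
            return null;
        }
        String endpointLocation = slo.getEndpoint().getLocation();
        String location = endpointLocation;
        SAMLCredential credential = getSamlCredential(request);
        SAMLMessageContext context = new BasicSAMLMessageContext();
        populateLocalContext(context, request);
        try {
            LogoutRequest logoutRequest = slo.buildLogoutRequest(context, credential);
            logoutRequest.setDestination(endpointLocation);
            context.setOutboundSAMLMessage(logoutRequest);
            HTTPRedirectBinding redirectBinding = (HTTPRedirectBinding) getBinding(HTTP_REDIRECT_BINDING_URI);
            location = redirectBinding.buildRedirectURL(context, endpointLocation);
        } catch (SAMLException e) {
            log.error("Failed to get SAML Logout request", e);
        }
        return location;
    }

    /**
     * Rebuilds the SAML credential (session index + NameID) from the {@value #SAML_SESSION_KEY} cookie.
     * <p>
     * The cookie is client-supplied and carries no integrity protection of its own, so a malformed value is
     * treated as "no credential" rather than letting it fail the request.
     *
     * @return the credential, or {@code null} if the cookie is absent or malformed
     */
    private SAMLCredential getSamlCredential(HttpServletRequest request) {
        Cookie cookie = getCookie(request, SAML_SESSION_KEY);
        if (cookie == null || cookie.getValue() == null) {
            return null;
        }
        // Layout written by rememberSamlSession(): sessionIndex|nameId|nameIdFormat.
        String[] parts = cookie.getValue().split("\\|", -1);
        if (parts.length < 3) {
            log.debug("Ignoring malformed " + SAML_SESSION_KEY + " cookie");
            return null;
        }
        String sessionIndex = parts[0];
        NameID nameId = Configuration.getBuilderFactory().getBuilder(NameID.DEFAULT_ELEMENT_NAME)
                .buildObject(NameID.DEFAULT_ELEMENT_NAME);
        nameId.setValue(parts[1]);
        nameId.setFormat(parts[2]);
        List<String> sessionIndexes = new ArrayList<>();
        sessionIndexes.add(sessionIndex);
        return new SAMLCredential(nameId, sessionIndexes);
    }

    /**
     * Redirects the browser to the IdP's SLO endpoint and clears the SAML session cookie.
     * <p>
     * The cookie is removed before {@code sendRedirect}, because that call commits the response and headers
     * added afterwards are dropped by the container.
     *
     * @return {@code true} if the redirect was sent, {@code false} if no SLO URL exists or sending failed
     */
    @Override
    public Boolean handleLogout(HttpServletRequest request, HttpServletResponse response) {
        String sloUrl = getSLOUrl(request, response);
        if (sloUrl == null) {
            return false;
        }
        if (log.isDebugEnabled()) {
            log.debug("Send redirect to " + sloUrl);
        }
        Cookie cookie = getCookie(request, SAML_SESSION_KEY);
        if (cookie != null) {
            removeCookie(response, cookie);
        }
        try {
            response.sendRedirect(sloUrl);
            return true;
        } catch (IOException e) {
            log.error(String.format("Unable to send redirect on %s", sloUrl), e);
            return false;
        }
    }

    /** Sets the localized login error message as the request attribute read by the login page. */
    private void sendError(HttpServletRequest request, String messageKey) {
        request.setAttribute(LOGIN_ERROR_ATTRIBUTE,
                I18NUtils.getMessageString("messages", messageKey, (Object[]) null, request.getLocale()));
    }

    /** Lazily resolves the KeyManager service. */
    private KeyManager getKeyManager() {
        if (keyManager == null) {
            keyManager = Framework.getService(KeyManager.class);
        }
        return keyManager;
    }

    /** @return the first request cookie with the given name, or {@code null} */
    private Cookie getCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (name.equals(cookie.getName())) {
                return cookie;
            }
        }
        return null;
    }

    /** Expires the cookie on the client by re-sending it with an empty value and max-age 0. */
    private void removeCookie(HttpServletResponse response, Cookie cookie) {
        log.debug(String.format("Removing cookie %s.", cookie.getName()));
        cookie.setMaxAge(0);
        cookie.setValue("");
        response.addCookie(cookie);
    }
}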
