package org.apache.cxf.fediz.cxf.plugin;

import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.apache.cxf.fediz.core.RequestState;
import org.apache.cxf.fediz.core.config.FederationProtocol;
import org.apache.cxf.fediz.core.config.FedizContext;
import org.apache.cxf.fediz.core.config.SAMLProtocol;
import org.apache.cxf.fediz.core.exception.ProcessingException;
import org.apache.cxf.fediz.core.processor.FedizProcessor;
import org.apache.cxf.fediz.core.processor.FedizProcessorFactory;
import org.apache.cxf.fediz.core.processor.FedizRequest;
import org.apache.cxf.fediz.core.processor.FedizResponse;
import org.apache.cxf.fediz.core.processor.RedirectionResponse;
import org.apache.cxf.fediz.core.util.CookieUtils;
import org.apache.cxf.fediz.cxf.plugin.state.ResponseState;
import org.apache.cxf.helpers.IOUtils;
import org.apache.cxf.jaxrs.ext.MessageContext;
import org.apache.cxf.jaxrs.impl.HttpHeadersImpl;
import org.apache.cxf.jaxrs.impl.UriInfoImpl;
import org.apache.cxf.jaxrs.utils.ExceptionUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.util.DOM2Writer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.class */
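public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter implements ContainerResponseFilter {
    private static final Logger LOG = LoggerFactory.getLogger(FedizRedirectBindingFilter.class);

    /** Path fragment that identifies a WS-Federation metadata request regardless of configuration. */
    private static final String WSFED_METADATA_PATH = "FederationMetadata/2007-06/FederationMetadata.xml";
    /** Default metadata path used when the protocol is SAML and no metadata URI is configured. */
    private static final String SAML_METADATA_PATH = "SAML/Metadata.xml";
    /** Role granted to every authenticated user (always, or in addition to the token roles). */
    private static final String AUTHENTICATED_ROLE = "Authenticated";

    @Context
    private MessageContext messageContext;
    private boolean redirectOnInitialSignIn;

    /**
     * Request-side entry point of the filter.
     *
     * <p>Dispatch order, in which each step short-circuits the following ones:
     * metadata request, logout request, sign-out cleanup request, an already
     * valid security context (checked by the superclass), a sign-in redirect
     * to the IdP, and finally a sign-in response coming back from the IdP.
     * Anything else is answered with a 400.
     *
     * <p>Only the parameter extraction is wrapped in a catch-all. The
     * WebApplicationExceptions raised by the dispatch targets (400/401/403)
     * must reach the JAX-RS runtime untouched so that the client sees the
     * intended status rather than a generic 500.
     *
     * @param context the JAX-RS request context; aborted with a response when
     *                the filter handles the request itself
     */
    public void filter(ContainerRequestContext context) {
        Message m = JAXRSUtils.getCurrentMessage();
        FedizContext fedConfig = getFedizContext(m);

        // Metadata documents are public and never require a security context.
        if (isMetadataRequest(context, fedConfig)) {
            return;
        }

        MultivaluedMap<String, String> params = extractParams(context);

        if (isLogoutRequest(context, fedConfig, m, params)
            || isSignoutCleanupRequest(fedConfig, m, params)
            || checkSecurityContext(fedConfig, m, params)) {
            return;
        }

        if (isSignInRequired(fedConfig, params)) {
            processSignInRequired(context, fedConfig);
        } else if (isSignInRequest(fedConfig, params)) {
            processSignInRequest(context, fedConfig, m, params);
        } else {
            LOG.error("SignIn parameter is incorrect or not supported");
            throw ExceptionUtils.toBadRequestException((Throwable) null, (Response) null);
        }
    }

    /**
     * Reads the protocol parameters of the current request.
     *
     * @param context the request context
     * @return the query parameters for GET, the decoded form body for POST,
     *         {@code null} for any other method
     * @throws javax.ws.rs.WebApplicationException 500 when the entity cannot be read
     */
    private MultivaluedMap<String, String> extractParams(ContainerRequestContext context) {
        String httpMethod = context.getMethod();
        try {
            if ("GET".equals(httpMethod)) {
                return context.getUriInfo().getQueryParameters();
            }
            if ("POST".equals(httpMethod)) {
                // Consumes the entity stream; the form body is not restored for downstream readers.
                String form = IOUtils.toString(context.getEntityStream());
                return JAXRSUtils.getStructuredParams(form, "&", true, false);
            }
            return null;
        } catch (Exception ex) {
            LOG.debug(ex.getMessage(), ex);
            throw ExceptionUtils.toInternalServerErrorException(ex, (Response) null);
        }
    }

    /**
     * Handles the sign-in response posted back by the IdP: validates the token,
     * checks the audience, persists a {@link ResponseState} keyed by a fresh
     * random id, and hands that id to the client as the security-context cookie.
     *
     * <p>Depending on {@link #isRedirectOnInitialSignIn()} the request is either
     * redirected to its own absolute path (cookie on the redirect) or served
     * directly with the security context set and the cookie deferred to the
     * response filter via a request property.
     *
     * @param context   the request context
     * @param fedConfig the Fediz configuration for this application
     * @param m         the current CXF message
     * @param params    the protocol parameters, never {@code null} here
     * @throws javax.ws.rs.WebApplicationException 400 when no response token is present,
     *         plus whatever {@link #validateSignInRequest} and
     *         {@link #validateAudienceRestrictions} raise
     */
    private void processSignInRequest(ContainerRequestContext context, FedizContext fedConfig,
                                      Message m, MultivaluedMap<String, String> params) {
        String responseToken = getResponseToken(fedConfig, params);
        String state = getState(fedConfig, params);

        if (responseToken == null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("SignIn request must contain a response token from the IdP");
            }
            throw ExceptionUtils.toBadRequestException((Throwable) null, (Response) null);
        }

        if (LOG.isDebugEnabled()) {
            LOG.debug("Process SignIn request");
            // The full token (including any encrypted/signed assertion) lands in the
            // debug log; keep DEBUG disabled for this logger in production.
            LOG.debug("token=\n" + responseToken);
        }

        FedizResponse fedResponse = validateSignInRequest(fedConfig, params, responseToken, state);
        validateAudienceRestrictions(fedResponse, fedConfig.getAudienceUris(),
                                     this.messageContext.getHttpServletRequest());

        // Opaque session handle; the state manager maps it to the ResponseState.
        String contextKey = UUID.randomUUID().toString();
        long now = System.currentTimeMillis();
        Date tokenExpires = fedResponse.getTokenExpires();
        // Session lifetime follows the token's own expiry; fall back to the configured TTL.
        long expiresAt = tokenExpires != null ? tokenExpires.getTime() : now + getStateTimeToLive();

        String webAppDomain = getWebAppDomain();
        String token = DOM2Writer.nodeToString(fedResponse.getToken());

        List<String> roles = fedResponse.getRoles();
        if (roles == null || roles.isEmpty()) {
            roles = Collections.singletonList(AUTHENTICATED_ROLE);
        } else if (fedConfig.isAddAuthenticatedRole()) {
            roles = new ArrayList<>(roles);
            roles.add(AUTHENTICATED_ROLE);
        }

        String webAppContext = getWebAppContext(m);
        ResponseState responseState =
            new ResponseState(token, state, webAppContext, webAppDomain, now, expiresAt);
        responseState.setClaims(fedResponse.getClaims());
        responseState.setRoles(roles);
        responseState.setIssuer(fedResponse.getIssuer());
        responseState.setSubject(fedResponse.getUsername());
        getStateManager().setResponseState(contextKey, responseState);

        String contextCookie = CookieUtils.createCookie(AbstractServiceProviderFilter.SECURITY_CONTEXT_TOKEN,
                                                        contextKey, webAppContext, webAppDomain,
                                                        getStateTimeToLive());

        if (isRedirectOnInitialSignIn()) {
            Response.ResponseBuilder response = Response.seeOther(new UriInfoImpl(m).getAbsolutePath());
            response.header("Set-Cookie", contextCookie);
            context.abortWith(response.build());
        } else {
            try {
                setSecurityContext(responseState, m, fedResponse.getToken());
                // Picked up by the response filter, which emits the Set-Cookie header.
                context.setProperty(AbstractServiceProviderFilter.SECURITY_CONTEXT_TOKEN, contextCookie);
            } catch (Exception ex) {
                LOG.debug(ex.getMessage(), ex);
                reportError("INVALID_RESPONSE_STATE");
            }
        }
    }

    /**
     * Redirects an unauthenticated request to the IdP sign-in endpoint.
     *
     * <p>If the processor produced a request state it is stored under its
     * state id and the id is also sent as the state cookie, so that the
     * returning sign-in response can be correlated.
     *
     * @param context   the request context, aborted with the redirect
     * @param fedConfig the Fediz configuration for this application
     * @throws javax.ws.rs.WebApplicationException 500 when no redirection URL
     *         could be built or the processor fails
     */
    private void processSignInRequired(ContainerRequestContext context, FedizContext fedConfig) {
        FedizProcessor processor = FedizProcessorFactory.newFedizProcessor(fedConfig.getProtocol());
        HttpServletRequest request = this.messageContext.getHttpServletRequest();
        try {
            RedirectionResponse redirect = processor.createSignInRequest(request, fedConfig);
            String redirectUrl = redirect.getRedirectionURL();
            if (redirectUrl == null) {
                LOG.warn("Failed to create SignInRequest.");
                throw ExceptionUtils.toInternalServerErrorException((Throwable) null, (Response) null);
            }

            Response.ResponseBuilder response = Response.seeOther(new URI(redirectUrl));
            copyHeaders(redirect, response);

            RequestState requestState = redirect.getRequestState();
            if (requestState != null && requestState.getState() != null) {
                getStateManager().setRequestState(requestState.getState(), requestState);
                String stateCookie = CookieUtils.createCookie(AbstractServiceProviderFilter.SECURITY_CONTEXT_STATE,
                                                              requestState.getState(),
                                                              request.getRequestURI(),
                                                              getWebAppDomain(),
                                                              getStateTimeToLive());
                response.header("Set-Cookie", stateCookie);
            }

            context.abortWith(response.build());
        } catch (Exception ex) {
            LOG.debug(ex.getMessage(), ex);
            throw ExceptionUtils.toInternalServerErrorException(ex, (Response) null);
        }
    }

    /**
     * Copies every header the processor attached to its redirection onto the
     * JAX-RS response being built.
     *
     * @param redirect the processor result carrying the headers
     * @param response the builder receiving them
     */
    private void copyHeaders(RedirectionResponse redirect, Response.ResponseBuilder response) {
        Map<String, ?> headers = redirect.getHeaders();
        if (headers != null) {
            for (Map.Entry<String, ?> header : headers.entrySet()) {
                response.header(header.getKey(), header.getValue());
            }
        }
    }

    /**
     * Serves the federation metadata document when the request path refers to it.
     *
     * <p>The match is a substring test against the request path, for both the
     * fixed WS-Federation path and the configured/derived metadata URI.
     *
     * @param context   the request context, aborted with the document on a match
     * @param fedConfig the Fediz configuration for this application
     * @return {@code true} when the request was answered here
     * @throws javax.ws.rs.WebApplicationException 500 when the document cannot be produced
     */
    private boolean isMetadataRequest(ContainerRequestContext context, FedizContext fedConfig) {
        String path = context.getUriInfo().getPath();
        boolean metadataPath = path.contains(WSFED_METADATA_PATH) || path.contains(getMetadataURI(fedConfig));
        if (!metadataPath) {
            return false;
        }

        if (LOG.isInfoEnabled()) {
            LOG.info("Metadata document requested");
        }
        try {
            FedizProcessor processor = FedizProcessorFactory.newFedizProcessor(fedConfig.getProtocol());
            String document = DOM2Writer.nodeToString(
                processor.getMetaData(this.messageContext.getHttpServletRequest(), fedConfig));
            context.abortWith(Response.ok(document, "text/xml").build());
            return true;
        } catch (Exception ex) {
            LOG.error("Failed to get metadata document: " + ex.getMessage(), ex);
            throw ExceptionUtils.toInternalServerErrorException(ex, (Response) null);
        }
    }

    /**
     * Detects a logout request and, if found, drops the local state and
     * redirects the browser to the IdP sign-out endpoint.
     *
     * <p>A request is a logout when it carries {@code wa=wsignout1.0} (WS-Federation)
     * or when its path equals the configured logout URL (with or without a
     * trailing slash).
     *
     * @param context   the request context, aborted with the redirect on success
     * @param fedConfig the Fediz configuration for this application
     * @param m         the current CXF message
     * @param params    the protocol parameters, may be {@code null}
     * @return {@code true} when the request was answered here; {@code false} when
     *         it is not a logout, or the processor produced no redirection URL
     *         (the local state has been cleaned up in that case nevertheless)
     * @throws javax.ws.rs.WebApplicationException 500 when the processor fails
     */
    private boolean isLogoutRequest(ContainerRequestContext context, FedizContext fedConfig,
                                    Message m, MultivaluedMap<String, String> params) {
        boolean logout = false;
        String logoutUrl = fedConfig.getLogoutURL();
        if (params != null && fedConfig.getProtocol() instanceof FederationProtocol
            && "wsignout1.0".equals(params.getFirst("wa"))) {
            logout = true;
        } else if (logoutUrl != null && !logoutUrl.isEmpty()) {
            String requestPath = "/" + context.getUriInfo().getPath();
            logout = requestPath.equals(logoutUrl) || requestPath.equals(logoutUrl + "/");
        }
        if (!logout) {
            return false;
        }

        // Local state is removed even if the IdP redirect cannot be built below.
        cleanupContext(m);

        try {
            FedizProcessor processor = FedizProcessorFactory.newFedizProcessor(fedConfig.getProtocol());
            RedirectionResponse redirect = processor.createSignOutRequest(
                this.messageContext.getHttpServletRequest(), (SamlAssertionWrapper) null, fedConfig);
            String redirectUrl = redirect.getRedirectionURL();
            if (redirectUrl == null) {
                return false;
            }

            Response.ResponseBuilder response = Response.seeOther(new URI(redirectUrl));
            copyHeaders(redirect, response);
            context.abortWith(response.build());
            return true;
        } catch (Exception ex) {
            LOG.debug(ex.getMessage(), ex);
            throw ExceptionUtils.toInternalServerErrorException(ex, (Response) null);
        }
    }

    /**
     * Removes the response state and request state referenced by the
     * security-context cookies of the current request, if present.
     *
     * @param m the current CXF message (source of the cookies)
     */
    private void cleanupContext(Message m) {
        Map<String, Cookie> cookies = new HttpHeadersImpl(m).getCookies();

        Cookie contextCookie = cookies.get(AbstractServiceProviderFilter.SECURITY_CONTEXT_TOKEN);
        if (contextCookie != null) {
            getStateManager().removeResponseState(contextCookie.getValue());
        }

        Cookie stateCookie = cookies.get(AbstractServiceProviderFilter.SECURITY_CONTEXT_STATE);
        if (stateCookie != null) {
            getStateManager().removeRequestState(stateCookie.getValue());
        }
    }

    /**
     * Returns the metadata URI for the configured protocol: the explicitly
     * configured one, otherwise the SAML default for a pure SAML protocol and
     * the WS-Federation default for everything else.
     *
     * @param fedConfig the Fediz configuration for this application
     * @return the metadata path fragment to look for in request paths
     */
    private String getMetadataURI(FedizContext fedConfig) {
        String configured = fedConfig.getProtocol().getMetadataURI();
        if (configured != null) {
            return configured;
        }
        boolean pureSaml = !(fedConfig.getProtocol() instanceof FederationProtocol)
            && fedConfig.getProtocol() instanceof SAMLProtocol;
        return pureSaml ? SAML_METADATA_PATH : WSFED_METADATA_PATH;
    }

    /**
     * Tells whether the request carries no protocol response and therefore has
     * to be sent to the IdP first.
     *
     * @param fedConfig the Fediz configuration for this application
     * @param params    the protocol parameters, may be {@code null}
     * @return {@code true} when {@code wa} (WS-Federation) or {@code RelayState}
     *         (SAML) is absent; always {@code false} for {@code null} params
     */
    private boolean isSignInRequired(FedizContext fedConfig, MultivaluedMap<String, String> params) {
        if (params == null) {
            return false;
        }
        if (fedConfig.getProtocol() instanceof FederationProtocol) {
            return params.getFirst("wa") == null;
        }
        return fedConfig.getProtocol() instanceof SAMLProtocol && params.getFirst("RelayState") == null;
    }

    /**
     * Tells whether the request is a sign-in response from the IdP.
     *
     * @param fedConfig the Fediz configuration for this application
     * @param params    the protocol parameters, may be {@code null}
     * @return {@code true} for {@code wa=wsignin1.0} (WS-Federation) or a present
     *         {@code RelayState} (SAML); always {@code false} for {@code null} params
     */
    private boolean isSignInRequest(FedizContext fedConfig, MultivaluedMap<String, String> params) {
        if (params == null) {
            return false;
        }
        if (fedConfig.getProtocol() instanceof FederationProtocol) {
            return "wsignin1.0".equals(params.getFirst("wa"));
        }
        return fedConfig.getProtocol() instanceof SAMLProtocol && params.getFirst("RelayState") != null;
    }

    /**
     * Handles a WS-Federation sign-out cleanup request ({@code wa=wsignoutcleanup1.0}):
     * removes the local state and writes the bundled {@code logout.jpg} to the
     * servlet response.
     *
     * @param fedConfig the Fediz configuration for this application
     * @param m         the current CXF message
     * @param params    the protocol parameters, may be {@code null}
     * @return {@code true} when the request was a cleanup request (whether or
     *         not the image could be written)
     * @throws javax.ws.rs.WebApplicationException 500 when writing the response fails
     */
    private boolean isSignoutCleanupRequest(FedizContext fedConfig, Message m,
                                            MultivaluedMap<String, String> params) {
        boolean cleanup = params != null
            && fedConfig.getProtocol() instanceof FederationProtocol
            && "wsignoutcleanup1.0".equals(params.getFirst("wa"));
        if (!cleanup) {
            return false;
        }

        if (LOG.isDebugEnabled()) {
            LOG.debug("SignOutCleanup request found");
            LOG.debug("SignOutCleanup action...");
        }
        cleanupContext(m);

        // try-with-resources closes the image stream on every exit path, including exceptions.
        try (InputStream logoutImage = getClass().getClassLoader().getResourceAsStream("logout.jpg")) {
            ServletOutputStream out = this.messageContext.getHttpServletResponse().getOutputStream();
            if (logoutImage == null) {
                LOG.warn("Could not write logout.jpg");
                return true;
            }
            byte[] buffer = new byte[1024];
            int read;
            while ((read = logoutImage.read(buffer)) != -1) {
                out.write(buffer, 0, read);
            }
            out.flush();
            return true;
        } catch (Exception ex) {
            LOG.debug(ex.getMessage(), ex);
            throw ExceptionUtils.toInternalServerErrorException(ex, (Response) null);
        }
    }

    /**
     * Extracts the IdP response token from the protocol parameters.
     *
     * @param fedConfig the Fediz configuration for this application
     * @param params    the protocol parameters, may be {@code null}
     * @return {@code wresult} (WS-Federation), {@code SAMLResponse} (SAML),
     *         or {@code null} when params are absent or the protocol is neither
     */
    private String getResponseToken(FedizContext fedConfig, MultivaluedMap<String, String> params) {
        if (params == null) {
            return null;
        }
        if (fedConfig.getProtocol() instanceof FederationProtocol) {
            return params.getFirst("wresult");
        }
        if (fedConfig.getProtocol() instanceof SAMLProtocol) {
            return params.getFirst("SAMLResponse");
        }
        return null;
    }

    /**
     * Correlates the sign-in response with the stored request state and runs
     * the protocol processor over it.
     *
     * <p>The request state is removed from the state manager as it is read, so
     * a given state value can be consumed only once; an expired state is
     * rejected. Client certificates, when the container provides them, are
     * passed through to the processor.
     *
     * @param fedConfig     the Fediz configuration for this application
     * @param params        the protocol parameters, never {@code null} here
     * @param responseToken the raw response token from the IdP
     * @param state         the {@code wctx}/{@code RelayState} value returned by the IdP
     * @return the validated response
     * @throws javax.ws.rs.WebApplicationException 400 for a missing, unknown or
     *         expired state; 401 when the processor rejects the token
     */
    private FedizResponse validateSignInRequest(FedizContext fedConfig, MultivaluedMap<String, String> params,
                                                String responseToken, String state) {
        FedizRequest fedRequest = new FedizRequest();
        fedRequest.setAction(params.getFirst("wa"));
        fedRequest.setResponseToken(responseToken);

        if (state == null || state.isEmpty()) {
            LOG.error("Invalid RelayState/WCTX");
            throw ExceptionUtils.toBadRequestException((Throwable) null, (Response) null);
        }
        fedRequest.setState(state);

        // Single use: the state is removed from the manager as it is looked up.
        fedRequest.setRequestState(getStateManager().removeRequestState(state));
        if (fedRequest.getRequestState() == null) {
            LOG.error("Missing Request State");
            throw ExceptionUtils.toBadRequestException((Throwable) null, (Response) null);
        }
        if (CookieUtils.isStateExpired(fedRequest.getRequestState().getCreatedAt(), false, 0L,
                                       getStateTimeToLive())) {
            LOG.error("EXPIRED_REQUEST_STATE");
            throw ExceptionUtils.toBadRequestException((Throwable) null, (Response) null);
        }

        HttpServletRequest request = this.messageContext.getHttpServletRequest();
        fedRequest.setRequest(request);
        fedRequest.setCerts((X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"));

        try {
            FedizProcessor processor = FedizProcessorFactory.newFedizProcessor(fedConfig.getProtocol());
            return processor.processRequest(fedRequest, fedConfig);
        } catch (ProcessingException ex) {
            LOG.error("Federation processing failed: " + ex.getMessage());
            throw ExceptionUtils.toNotAuthorizedException(ex, (Response) null);
        }
    }

    /**
     * Rejects a token whose audience does not belong to this application.
     *
     * <p>A token without an audience is accepted. Otherwise the audience must
     * start with one of the configured audience URIs. Note that this is a
     * prefix match, so configured URIs should be as specific as possible
     * (e.g. include the trailing slash) to avoid accepting an unrelated host
     * or path that merely begins with the same characters.
     *
     * @param fedResponse  the validated response
     * @param audienceUris the configured audience URIs; must not be {@code null}
     * @param request      the servlet request, used for a diagnostic comparison only
     * @throws javax.ws.rs.WebApplicationException 403 when no configured URI matches
     */
    private void validateAudienceRestrictions(FedizResponse fedResponse, List<String> audienceUris,
                                              HttpServletRequest request) {
        String audience = fedResponse.getAudience();
        if (audience == null) {
            return;
        }

        boolean matched = false;
        for (String uri : audienceUris) {
            if (audience.startsWith(uri)) {
                matched = true;
                break;
            }
        }
        if (!matched) {
            LOG.warn("Token AudienceRestriction [" + audience + "] doesn't match with specified list of URIs.");
            throw ExceptionUtils.toForbiddenException((Throwable) null, (Response) null);
        }

        // Diagnostic only: a mismatch with the request URL is logged, not enforced.
        if (LOG.isDebugEnabled() && request.getRequestURL().indexOf(audience) == -1) {
            LOG.debug("Token AudienceRestriction doesn't match with request URL [" + audience + "]  ["
                      + request.getRequestURL() + "]");
        }
    }

    /**
     * @return whether a successful sign-in answers with a redirect to the
     *         request's own URL instead of serving the request directly
     */
    public boolean isRedirectOnInitialSignIn() {
        return this.redirectOnInitialSignIn;
    }

    /**
     * @param redirectOnInitialSignIn see {@link #isRedirectOnInitialSignIn()}
     */
    public void setRedirectOnInitialSignIn(boolean redirectOnInitialSignIn) {
        this.redirectOnInitialSignIn = redirectOnInitialSignIn;
    }

    /**
     * Response-side entry point: emits the security-context cookie that
     * {@link #processSignInRequest} stored as a request property when the
     * request was served directly rather than redirected.
     *
     * @param requestContext  the request context carrying the cookie property
     * @param responseContext the response whose headers receive {@code Set-Cookie}
     * @throws IOException never thrown here; declared by the interface
     */
    public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext)
        throws IOException {
        String contextCookie = (String) requestContext.getProperty(AbstractServiceProviderFilter.SECURITY_CONTEXT_TOKEN);
        if (contextCookie != null) {
            responseContext.getHeaders().add("Set-Cookie", contextCookie);
        }
    }
}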
