package edu.internet2.middleware.shibboleth.idp.profile.saml2;

import edu.internet2.middleware.shibboleth.common.profile.ProfileException;
import edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext;
import edu.internet2.middleware.shibboleth.common.relyingparty.provider.saml2.SSOConfiguration;
import edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler;
import java.io.OutputStreamWriter;
import java.util.ArrayList;
import java.util.List;
import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.SAMLObjectBuilder;
import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.common.binding.decoding.SAMLMessageDecoder;
import org.opensaml.common.binding.encoding.SAMLMessageEncoder;
import org.opensaml.saml2.binding.decoding.HandlerChainAwareHTTPSOAP11Decoder;
import org.opensaml.saml2.binding.encoding.HandlerChainAwareHTTPSOAP11Encoder;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.AuthnContext;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.Statement;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.ecp.Response;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.ws.message.MessageContext;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.ws.message.handler.BasicHandlerChain;
import org.opensaml.ws.message.handler.Handler;
import org.opensaml.ws.message.handler.HandlerChain;
import org.opensaml.ws.message.handler.HandlerChainResolver;
import org.opensaml.ws.message.handler.HandlerException;
import org.opensaml.ws.message.handler.StaticHandlerChainResolver;
import org.opensaml.ws.soap.util.SOAPHelper;
import org.opensaml.ws.transport.http.HTTPInTransport;
import org.opensaml.ws.transport.http.HTTPOutTransport;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.util.DatatypeHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:edu/internet2/middleware/shibboleth/idp/profile/saml2/SAML2ECPProfileHandler.class */
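/**
 * SAML 2.0 Enhanced Client or Proxy (ECP) profile handler.
 *
 * <p>The inbound {@code AuthnRequest} arrives in a SOAP 1.1 envelope and is decoded by a
 * {@code HandlerChainAwareHTTPSOAP11Decoder}. This handler performs no authentication of its own:
 * the principal name is read from the servlet container's {@code REMOTE_USER} by a pre-security
 * inbound handler (see {@link #buildPreSecurityInboundHandlerChain()}), so the ECP endpoint has to
 * be protected by the container. A request that arrives without a container principal is answered
 * with an {@code AuthnFailed} status instead of an assertion.
 *
 * <p>The response is returned over the PAOS binding; an outbound handler adds the
 * {@code ecp:Response} SOAP header block carrying the assertion consumer service URL (see
 * {@link #buildOutboundHandlerChain()}). When a request fails before a peer endpoint is known, a
 * fixed SOAP fault that carries no details of the failure is written instead.
 *
 * <p>{@link #initialize()} creates the decoder, encoder and handler-chain resolvers and must run
 * before the first request is processed.
 */
public class SAML2ECPProfileHandler extends SSOProfileHandler {

    /** Profile identifier reported by {@link #getProfileId()}. */
    private static final String PROFILE_ID = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp";

    /** SAML 2.0 protocol URI used for both the inbound and the outbound message. */
    private static final String SAML20_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol";

    /** PAOS binding URI, the only outbound binding this handler supports. */
    private static final String PAOS_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS";

    /** Subject confirmation method placed in the issued assertion. */
    private static final String BEARER_CONFIRMATION = "urn:oasis:names:tc:SAML:2.0:cm:bearer";

    /** SOAP 1.1 "next" actor placed on the ecp:Response header block. */
    private static final String SOAP11_ACTOR_NEXT = "http://schemas.xmlsoap.org/soap/actor/next";

    /** Authentication context class reference used unless one is configured. */
    private static final String DEFAULT_AUTHN_CONTEXT_CLASS_REF =
            "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport";

    // SAML 2.0 status code URIs used in failure statuses.
    private static final String STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder";
    private static final String STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester";
    private static final String STATUS_AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed";
    private static final String STATUS_REQUEST_UNSUPPORTED = "urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported";
    private static final String STATUS_REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied";

    /**
     * Generic SOAP 1.1 client fault written when the request cannot be processed and no peer
     * endpoint is known. It deliberately carries no details of the failure.
     */
    private static final String SOAP_FAULT_RESPONSE_MESSAGE = "<env:Envelope xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\"> <env:Body> <env:Fault> <faultcode>env:Client</faultcode> <faultstring>An error occurred processing the request.</faultstring> <detail/> </env:Fault> </env:Body></env:Envelope>";

    private final Logger log;

    /** Authentication context class reference written into the AuthnStatement; may be null. */
    private String authnContextClassRef;

    private final SAMLObjectBuilder<Response> ecpResponseBuilder;
    private final SAMLObjectBuilder<AuthnContext> authnContextBuilder;
    private final SAMLObjectBuilder<AuthnContextClassRef> authnContextClassRefBuilder;

    // All of the following are created by initialize().
    private StaticHandlerChainResolver inboundPreSecurityHandlerChainResolver;
    private StaticHandlerChainResolver inboundPostSecurityHandlerChainResolver;
    private StaticHandlerChainResolver outboundHandlerChainResolver;
    private SAMLMessageEncoder messageEncoder;
    private SAMLMessageDecoder messageDecoder;

    /**
     * Request context for a single ECP exchange. It adds nothing to the SSO request context; the
     * distinct type lets the handler chains recognise an ECP request.
     */
    public class ECPRequestContext extends SSOProfileHandler.SSORequestContext {
        protected ECPRequestContext() {
            super();
        }
    }

    /**
     * Creates the handler with the default authentication context class reference and the
     * OpenSAML builders it needs. Decoder, encoder and handler chains are created later by
     * {@link #initialize()}.
     */
    @SuppressWarnings("unchecked") // the builder factory hands out raw builders
    public SAML2ECPProfileHandler() {
        // Value handed to SSOProfileHandler, kept exactly as found in this build.
        super("/Save/My/Walrus");
        this.log = LoggerFactory.getLogger(SAML2ECPProfileHandler.class);
        this.authnContextClassRef = DEFAULT_AUTHN_CONTEXT_CLASS_REF;
        this.ecpResponseBuilder = (SAMLObjectBuilder<Response>) Configuration.getBuilderFactory()
                .getBuilder(Response.DEFAULT_ELEMENT_NAME);
        this.authnContextBuilder = (SAMLObjectBuilder<AuthnContext>) getBuilderFactory()
                .getBuilder(AuthnContext.DEFAULT_ELEMENT_NAME);
        this.authnContextClassRefBuilder = (SAMLObjectBuilder<AuthnContextClassRef>) getBuilderFactory()
                .getBuilder(AuthnContextClassRef.DEFAULT_ELEMENT_NAME);
    }

    /**
     * Creates the SOAP 1.1 decoder and encoder, the handler-chain resolvers and registers PAOS as
     * the only supported outbound binding.
     */
    public void initialize() {
        messageDecoder = new HandlerChainAwareHTTPSOAP11Decoder();

        HandlerChainAwareHTTPSOAP11Encoder encoder = new HandlerChainAwareHTTPSOAP11Encoder();
        // NOTE(review): the outbound message is marked as not confidential at the encoder level,
        // so protection of the ECP exchange is expected to come from the transport (TLS) —
        // confirm against the encoder's contract.
        encoder.setNotConfidential(true);
        messageEncoder = encoder;

        inboundPreSecurityHandlerChainResolver =
                new StaticHandlerChainResolver(buildPreSecurityInboundHandlerChain());
        inboundPostSecurityHandlerChainResolver =
                new StaticHandlerChainResolver(buildPostSecurityInboundHandlerChain());
        outboundHandlerChainResolver = new StaticHandlerChainResolver(buildOutboundHandlerChain());

        List<String> outboundBindings = new ArrayList<String>();
        outboundBindings.add(PAOS_BINDING);
        setSupportedOutboundBindings(outboundBindings);
    }

    /** @return the SAML 2.0 ECP profile identifier */
    @Override
    public String getProfileId() {
        return PROFILE_ID;
    }

    /**
     * Sets the authentication context class reference placed in the AuthnStatement.
     *
     * @param str the class reference URI; null suppresses the AuthnContext altogether
     */
    public void setAuthnContextClassRef(String str) {
        this.authnContextClassRef = str;
    }

    /** @return the configured authentication context class reference, or null */
    public String getAuthnContextClassRef() {
        return this.authnContextClassRef;
    }

    /**
     * Processes one ECP request end to end: decode and validate the AuthnRequest, check that the
     * container supplied a principal and that the relying party has this profile configured, build
     * the assertion-bearing response and encode it.
     *
     * <p>Any {@link ProfileException} raised while doing so is turned into a SAML error response
     * when the peer endpoint is already known, and into a generic SOAP fault otherwise. Earlier
     * revisions of this code only caught the decode/validation step, built the error response and
     * then fell through to the success path, discarding the error response; all checks now run
     * inside the guarded section so that the error response is the one sent.
     *
     * @param inTransport  inbound HTTP transport
     * @param outTransport outbound HTTP transport
     * @throws ProfileException if building or encoding the final response fails
     */
    @Override
    public void processRequest(HTTPInTransport inTransport, HTTPOutTransport outTransport) throws ProfileException {
        ECPRequestContext requestContext = buildRequestContext(inTransport, outTransport);

        // Fully qualified: the simple name Response is taken by the ecp:Response header block.
        org.opensaml.saml2.core.Response samlResponse;
        try {
            decodeRequest(requestContext, inTransport, outTransport);
            checkSamlVersion(requestContext);
            checkNameIDPolicy(requestContext);
            checkPrincipal(requestContext);
            checkProfileConfigured(requestContext);
            resolveAttributes(requestContext);
            samlResponse = buildResponse(requestContext, BEARER_CONFIRMATION, buildStatements(requestContext));
        } catch (ProfileException e) {
            if (requestContext.getPeerEntityEndpoint() == null) {
                // No endpoint to address a SAML error to; answer at the SOAP layer instead.
                writeSoapFault(outTransport, e);
                return;
            }
            samlResponse = buildErrorResponse(requestContext);
        }

        samlResponse.setDestination(requestContext.getPeerEntityEndpoint().getLocation());
        requestContext.setOutboundSAMLMessage(samlResponse);
        requestContext.setOutboundSAMLMessageId(samlResponse.getID());
        requestContext.setOutboundSAMLMessageIssueInstant(samlResponse.getIssueInstant());
        encodeResponse(requestContext);
        writeAuditLogEntry(requestContext);
    }

    /**
     * Verifies that the container supplied a principal and, when the request named a subject, that
     * the subject resolves to that same principal.
     *
     * @throws ProfileException with an {@code AuthnFailed} status on either failure
     */
    private void checkPrincipal(ECPRequestContext requestContext) throws ProfileException {
        if (requestContext.getPrincipalName() == null) {
            requestContext.setFailureStatus(buildStatus(STATUS_RESPONDER, STATUS_AUTHN_FAILED, null));
            throw new ProfileException("Authentication not performed");
        }
        if (requestContext.getSubjectNameIdentifier() == null) {
            return;
        }
        log.debug("Authentication request contained a subject with a name identifier, resolving principal from NameID");
        String authenticatedPrincipal = requestContext.getPrincipalName();
        resolvePrincipal(requestContext);
        String requestedPrincipal = requestContext.getPrincipalName();
        // A NameID that maps to someone other than the authenticated user must not be honoured.
        if (!DatatypeHelper.safeEquals(authenticatedPrincipal, requestedPrincipal)) {
            log.warn("Authentication request identified principal {} but authentication mechanism identified principal {}",
                    requestedPrincipal, authenticatedPrincipal);
            requestContext.setFailureStatus(buildStatus(STATUS_RESPONDER, STATUS_AUTHN_FAILED, null));
            throw new ProfileException("User failed authentication");
        }
    }

    /**
     * Verifies that the relying party that issued the request has the ECP profile configured.
     *
     * @throws ProfileException with a {@code RequestUnsupported} status when it does not
     */
    private void checkProfileConfigured(ECPRequestContext requestContext) throws ProfileException {
        String relyingPartyId = requestContext.getInboundMessageIssuer();
        if (getRelyingPartyConfiguration(relyingPartyId).getProfileConfiguration(getProfileId()) == null) {
            log.warn("SAML2ECP profile is not configured for relying party '{}'", relyingPartyId);
            requestContext.setFailureStatus(buildStatus(STATUS_RESPONDER, STATUS_REQUEST_UNSUPPORTED, null));
            throw new ProfileException("SAML2ECP profile is not configured for relying party");
        }
    }

    /**
     * Builds the statements for the assertion: always an AuthnStatement, plus an AttributeStatement
     * when the profile configuration asks for one and attributes were released.
     */
    private List<Statement> buildStatements(ECPRequestContext requestContext) throws ProfileException {
        List<Statement> statements = new ArrayList<Statement>();
        statements.add(buildAuthnStatement(requestContext));

        SSOConfiguration profileConfig = (SSOConfiguration) requestContext.getProfileConfiguration();
        if (profileConfig.includeAttributeStatement()) {
            AttributeStatement attributeStatement = buildAttributeStatement(requestContext);
            if (attributeStatement != null) {
                requestContext.setReleasedAttributes(requestContext.getAttributes().keySet());
                statements.add(attributeStatement);
            }
        }
        return statements;
    }

    /**
     * Writes the fixed SOAP client fault with HTTP status 500. The cause is logged at debug level
     * only and never echoed to the client.
     */
    private void writeSoapFault(HTTPOutTransport outTransport, ProfileException cause) {
        log.debug("Returning SOAP fault", cause);
        try {
            outTransport.setCharacterEncoding("UTF-8");
            outTransport.setHeader("Content-Type", "application/soap+xml");
            outTransport.setStatusCode(500);
            // The transport owns the stream, so it is flushed but not closed here.
            OutputStreamWriter writer = new OutputStreamWriter(outTransport.getOutgoingStream(), "UTF-8");
            writer.write(SOAP_FAULT_RESPONSE_MESSAGE);
            writer.flush();
        } catch (Exception e) {
            // Last-resort error path at the transport boundary: nothing further can be sent.
            log.error("Error returning SOAP fault", e);
        }
    }

    /**
     * Decodes the inbound SOAP message, checks that it is an AuthnRequest, records its subject
     * name identifier (if any) and populates the request context.
     *
     * @throws ProfileException with a {@code Requester} status when the message cannot be decoded,
     *                          is not an AuthnRequest, or fails the security policy
     */
    protected void decodeRequest(ECPRequestContext requestContext, HTTPInTransport inTransport,
            HTTPOutTransport outTransport) throws ProfileException {
        SAMLMessageDecoder decoder = getInboundMessageDecoder(requestContext);
        log.debug("Decoding message with decoder binding '{}'", decoder.getBindingURI());
        try {
            requestContext.setMessageDecoder(decoder);
            decoder.decode(requestContext);
            log.debug("Decoded request from relying party '{}'", requestContext.getInboundMessageIssuer());

            SAMLObject inboundMessage = requestContext.getInboundSAMLMessage();
            if (!(inboundMessage instanceof AuthnRequest)) {
                // Guard the class lookup: a decoder may leave the message unset.
                String messageType = inboundMessage == null ? "null" : inboundMessage.getClass().getName();
                log.warn("Incomming message was not a AuthnRequest, it was a '{}'", messageType);
                requestContext.setFailureStatus(buildStatus(STATUS_REQUESTER, STATUS_REQUEST_UNSUPPORTED,
                        "Invalid SAML AuthnRequest message."));
                throw new ProfileException("Invalid SAML AuthnRequest message.");
            }

            Subject subject = ((AuthnRequest) inboundMessage).getSubject();
            if (subject != null) {
                requestContext.setSubjectNameIdentifier(subject.getNameID());
            }
            populateRequestContext(requestContext);
        } catch (MessageDecodingException e) {
            requestContext.setFailureStatus(buildStatus(STATUS_REQUESTER, STATUS_REQUEST_UNSUPPORTED,
                    "Error decoding authentication request message"));
            log.warn("Error decoding authentication request message", e);
            throw new ProfileException("Error decoding authentication request message", e);
        } catch (SecurityException e) {
            requestContext.setFailureStatus(buildStatus(STATUS_REQUESTER, STATUS_REQUEST_DENIED,
                    "Message did not meet security requirements"));
            log.warn("Message did not meet security requirements", e);
            throw new ProfileException("Message did not meet security requirements", e);
        }
    }

    /**
     * Creates and wires a fresh request context for the given transports: protocol URIs, peer role,
     * metadata and security policy resolvers, and the three handler-chain resolvers.
     */
    protected ECPRequestContext buildRequestContext(HTTPInTransport inTransport, HTTPOutTransport outTransport)
            throws ProfileException {
        ECPRequestContext requestContext = new ECPRequestContext();
        requestContext.setCommunicationProfileId(getProfileId());
        requestContext.setMessageDecoder(getInboundMessageDecoder(requestContext));
        requestContext.setInboundMessageTransport(inTransport);
        requestContext.setInboundSAMLProtocol(SAML20_PROTOCOL);
        requestContext.setOutboundMessageTransport(outTransport);
        requestContext.setOutboundSAMLProtocol(SAML20_PROTOCOL);
        requestContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
        requestContext.setMetadataProvider(getMetadataProvider());
        requestContext.setSecurityPolicyResolver(getSecurityPolicyResolver());

        // The issuer is only known after decoding; on a fresh context this presumably copies a
        // null value. Kept to preserve the original call sequence.
        String issuer = requestContext.getInboundMessageIssuer();
        requestContext.setPeerEntityId(issuer);
        requestContext.setInboundMessageIssuer(issuer);

        requestContext.setPreSecurityInboundHandlerChainResolver(getPreSecurityInboundHandlerChainResolver());
        requestContext.setPostSecurityInboundHandlerChainResolver(getPostSecurityInboundHandlerChainResolver());
        requestContext.setOutboundHandlerChainResolver(getOutboundHandlerChainResolver());
        return requestContext;
    }

    /**
     * Records the AuthnRequest subject's NameID on the context, when the request carries a subject.
     */
    @Override
    protected void populateSAMLMessageInformation(BaseSAMLProfileRequestContext requestContext) throws ProfileException {
        AuthnRequest authnRequest = (AuthnRequest) requestContext.getInboundSAMLMessage();
        Subject subject = authnRequest.getSubject();
        if (subject != null) {
            requestContext.setSubjectNameIdentifier(subject.getNameID());
        }
    }

    /**
     * Builds the AuthnStatement and stamps it with the current time: this handler has no
     * authentication event of its own whose time it could report.
     */
    @Override
    public AuthnStatement buildAuthnStatement(SSOProfileHandler.SSORequestContext requestContext) {
        AuthnStatement authnStatement = super.buildAuthnStatement(requestContext);
        authnStatement.setAuthnInstant(new DateTime());
        return authnStatement;
    }

    /**
     * Builds an AuthnContext holding the configured class reference.
     *
     * @return the AuthnContext, or null when no class reference is configured
     */
    @Override
    protected AuthnContext buildAuthnContext(SSOProfileHandler.SSORequestContext requestContext) {
        String classRef = getAuthnContextClassRef();
        if (classRef == null) {
            return null;
        }
        AuthnContextClassRef classRefElement = authnContextClassRefBuilder.buildObject();
        classRefElement.setAuthnContextClassRef(classRef);
        AuthnContext authnContext = authnContextBuilder.buildObject();
        authnContext.setAuthnContextClassRef(classRefElement);
        return authnContext;
    }

    /**
     * Builds the inbound chain that runs before the security policy: a single handler that copies
     * the servlet container's {@code REMOTE_USER} into the context as principal name.
     *
     * <p>This is the only source of the principal, so the handler trusts the container's
     * authentication completely. When the container set no remote user the principal stays unset
     * and the request is rejected later with {@code AuthnFailed}.
     */
    protected HandlerChain buildPreSecurityInboundHandlerChain() {
        BasicHandlerChain chain = new BasicHandlerChain();
        chain.getHandlers().add(new Handler() {
            public void invoke(MessageContext messageContext) throws HandlerException {
                ECPRequestContext requestContext = (ECPRequestContext) messageContext;
                HttpServletRequestAdapter inTransport =
                        (HttpServletRequestAdapter) messageContext.getInboundMessageTransport();
                String remoteUser = inTransport.getWrappedRequest().getRemoteUser();
                if (remoteUser == null) {
                    log.warn("REMOTE_USER not set, unable to set principal name");
                    return;
                }
                log.debug("Setting principal name: {}", remoteUser);
                requestContext.setPrincipalName(remoteUser);
            }
        });
        return chain;
    }

    /** @return null — no handlers run after the security policy */
    protected HandlerChain buildPostSecurityInboundHandlerChain() {
        return null;
    }

    /** @return the pre-security inbound resolver created by {@link #initialize()} */
    protected HandlerChainResolver getPreSecurityInboundHandlerChainResolver() {
        return this.inboundPreSecurityHandlerChainResolver;
    }

    /** @return the post-security inbound resolver created by {@link #initialize()} */
    protected HandlerChainResolver getPostSecurityInboundHandlerChainResolver() {
        return this.inboundPostSecurityHandlerChainResolver;
    }

    /**
     * Builds the outbound chain: a single handler that adds the {@code ecp:Response} SOAP header
     * block, marked mustUnderstand and addressed to the SOAP "next" actor, with the peer's assertion
     * consumer service URL.
     */
    protected HandlerChain buildOutboundHandlerChain() {
        BasicHandlerChain chain = new BasicHandlerChain();
        chain.getHandlers().add(new Handler() {
            public void invoke(MessageContext messageContext) throws HandlerException {
                SAMLMessageContext<?, ?, ?> samlContext = (SAMLMessageContext<?, ?, ?>) messageContext;
                if (samlContext.getPeerEntityEndpoint() == null
                        || samlContext.getPeerEntityEndpoint().getLocation() == null) {
                    throw new HandlerException("Unable to determine ACS URL for response.");
                }
                Response ecpResponse = ecpResponseBuilder.buildObject();
                ecpResponse.setAssertionConsumerServiceURL(samlContext.getPeerEntityEndpoint().getLocation());
                SOAPHelper.addSOAP11MustUnderstandAttribute(ecpResponse, true);
                SOAPHelper.addSOAP11ActorAttribute(ecpResponse, SOAP11_ACTOR_NEXT);
                SOAPHelper.addHeaderBlock(messageContext, ecpResponse);
            }
        });
        return chain;
    }

    /** @return the outbound resolver created by {@link #initialize()} */
    protected HandlerChainResolver getOutboundHandlerChainResolver() {
        return this.outboundHandlerChainResolver;
    }

    /** @return the SOAP 1.1 encoder created by {@link #initialize()}; the context is not consulted */
    @Override
    public SAMLMessageEncoder getOutboundMessageEncoder(BaseSAMLProfileRequestContext requestContext) throws ProfileException {
        return this.messageEncoder;
    }

    /** @return the SOAP 1.1 decoder created by {@link #initialize()}; the context is not consulted */
    @Override
    public SAMLMessageDecoder getInboundMessageDecoder(BaseSAMLProfileRequestContext requestContext) throws ProfileException {
        return this.messageDecoder;
    }
}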
