package com.liferay.saml.opensaml.integration.internal.profile;

import com.liferay.portal.configuration.metatype.bnd.util.ConfigurableUtil;
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.exception.SystemException;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.model.User;
import com.liferay.portal.kernel.security.auth.CompanyThreadLocal;
import com.liferay.portal.kernel.service.ServiceContext;
import com.liferay.portal.kernel.service.ServiceContextFactory;
import com.liferay.portal.kernel.service.UserLocalService;
import com.liferay.portal.kernel.theme.ThemeDisplay;
import com.liferay.portal.kernel.util.ParamUtil;
import com.liferay.portal.kernel.util.Portal;
import com.liferay.portal.kernel.util.StringBundler;
import com.liferay.portal.kernel.util.StringUtil;
import com.liferay.portal.kernel.util.URLCodec;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.saml.opensaml.integration.SamlBinding;
import com.liferay.saml.opensaml.integration.internal.resolver.AttributePublisherImpl;
import com.liferay.saml.opensaml.integration.internal.resolver.AttributeResolverRegistry;
import com.liferay.saml.opensaml.integration.internal.resolver.AttributeResolverSAMLContextImpl;
import com.liferay.saml.opensaml.integration.internal.resolver.NameIdResolverRegistry;
import com.liferay.saml.opensaml.integration.internal.resolver.NameIdResolverSAMLContextImpl;
import com.liferay.saml.opensaml.integration.internal.resolver.UserResolverSAMLContextImpl;
import com.liferay.saml.opensaml.integration.internal.util.OpenSamlUtil;
import com.liferay.saml.opensaml.integration.internal.util.SamlUtil;
import com.liferay.saml.opensaml.integration.metadata.MetadataManager;
import com.liferay.saml.opensaml.integration.resolver.AttributeResolver;
import com.liferay.saml.opensaml.integration.resolver.NameIdResolver;
import com.liferay.saml.opensaml.integration.resolver.UserResolver;
import com.liferay.saml.persistence.exception.NoSuchIdpSpSessionException;
import com.liferay.saml.persistence.exception.NoSuchSpIdpConnectionException;
import com.liferay.saml.persistence.model.SamlIdpSsoSession;
import com.liferay.saml.persistence.model.SamlSpAuthRequest;
import com.liferay.saml.persistence.model.SamlSpMessage;
import com.liferay.saml.persistence.model.SamlSpSession;
import com.liferay.saml.persistence.service.SamlIdpSpSessionLocalService;
import com.liferay.saml.persistence.service.SamlIdpSsoSessionLocalService;
import com.liferay.saml.persistence.service.SamlSpAuthRequestLocalService;
import com.liferay.saml.persistence.service.SamlSpIdpConnectionLocalService;
import com.liferay.saml.persistence.service.SamlSpMessageLocalService;
import com.liferay.saml.persistence.service.SamlSpSessionLocalService;
import com.liferay.saml.runtime.SamlException;
import com.liferay.saml.runtime.configuration.SamlConfiguration;
import com.liferay.saml.runtime.configuration.SamlProviderConfigurationHelper;
import com.liferay.saml.runtime.exception.AssertionException;
import com.liferay.saml.runtime.exception.AudienceException;
import com.liferay.saml.runtime.exception.DestinationException;
import com.liferay.saml.runtime.exception.ExpiredException;
import com.liferay.saml.runtime.exception.InResponseToException;
import com.liferay.saml.runtime.exception.IssuerException;
import com.liferay.saml.runtime.exception.ReplayException;
import com.liferay.saml.runtime.exception.SignatureException;
import com.liferay.saml.runtime.exception.StatusException;
import com.liferay.saml.runtime.exception.SubjectException;
import com.liferay.saml.runtime.profile.WebSsoProfile;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.http.HttpHeaders;
import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
import org.joda.time.Duration;
import org.opensaml.common.IdentifierGenerator;
import org.opensaml.common.SAMLVersion;
import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.AuthnContext;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.NameIDPolicy;
import org.opensaml.saml2.core.NameIDType;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.saml2.core.SubjectConfirmationData;
import org.opensaml.saml2.ecp.RelayState;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.trust.TrustEngine;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicyOption;

@Component(configurationPid = {"com.liferay.saml.runtime.configuration.SamlConfiguration"}, configurationPolicy = ConfigurationPolicy.OPTIONAL, immediate = true, service = {WebSsoProfile.class})
/* loaded from: input_file:com/liferay/saml/opensaml/integration/internal/profile/WebSsoProfileImpl.class */
public class WebSsoProfileImpl extends BaseProfile implements WebSsoProfile {
    // Class-wide logger; every diagnostic emitted by the methods in this listing is at debug level.
    private static final Log _log = LogFactoryUtil.getLog(WebSsoProfileImpl.class);

    // Shared OpenSAML validator for the XML-signature profile of a SAML object.
    // NOTE(review): not referenced by any method visible in this listing; presumably used by
    // verifyAssertion or another method outside the visible range - confirm.
    private static final SAMLSignatureProfileValidator _samlSignatureProfileValidator = new SAMLSignatureProfileValidator();

    // Per-SP resolvers, looked up by peer entity ID when the IdP-side success assertion is built
    // (getSuccessAssertion, getSuccessNameId).
    private AttributeResolverRegistry _attributeResolverRegistry;
    private NameIdResolverRegistry _nameIdResolverRegistry;

    // Typed view over the component properties; populated in activate(Map).
    private SamlConfiguration _samlConfiguration;

    @Reference
    private SamlIdpSpSessionLocalService _samlIdpSpSessionLocalService;

    @Reference
    private SamlIdpSsoSessionLocalService _samlIdpSsoSessionLocalService;
    // The fields below carry no @Reference in this listing; presumably bound through setter-style
    // @Reference methods outside the visible range - confirm before relying on them being non-null.
    private SamlSpAuthRequestLocalService _samlSpAuthRequestLocalService;
    private SamlSpIdpConnectionLocalService _samlSpIdpConnectionLocalService;
    private SamlSpMessageLocalService _samlSpMessageLocalService;

    @Reference
    private UserLocalService _userLocalService;
    // Maps the authenticated SAML subject to a portal user on the SP side (doProcessResponse).
    private UserResolver _userResolver;

    /**
     * Entry point for an inbound AuthnRequest (IdP role). The work is done by
     * {@link #doProcessAuthnRequest}; any failure is routed through
     * {@code ExceptionHandlerUtil.handleException}, which presumably translates
     * it into the declared {@link PortalException}.
     *
     * @param httpServletRequest the request carrying the SAML message
     * @param httpServletResponse the response the SAML answer is written to
     * @throws PortalException when the delegated processing fails
     */
    public void processAuthnRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws PortalException {
        try {
            doProcessAuthnRequest(httpServletRequest, httpServletResponse);
        }
        catch (Exception exception) {
            ExceptionHandlerUtil.handleException(exception);
        }
    }

    /**
     * Entry point for an inbound SAML Response (SP role). The work is done by
     * {@link #doProcessResponse}; any failure is routed through
     * {@code ExceptionHandlerUtil.handleException}, which presumably translates
     * it into the declared {@link PortalException}.
     *
     * @param httpServletRequest the request carrying the SAML message
     * @param httpServletResponse the response used for the final redirect
     * @throws PortalException when the delegated processing fails
     */
    public void processResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws PortalException {
        try {
            doProcessResponse(httpServletRequest, httpServletResponse);
        }
        catch (Exception exception) {
            ExceptionHandlerUtil.handleException(exception);
        }
    }

    /**
     * Entry point for starting SP-initiated SSO. The work is done by
     * {@link #doSendAuthnRequest}; any failure is routed through
     * {@code ExceptionHandlerUtil.handleException}, which presumably translates
     * it into the declared {@link PortalException}.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the response the AuthnRequest is sent through
     * @param str the relay state to carry to the IdP and back
     * @throws PortalException when the delegated processing fails
     */
    public void sendAuthnRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) throws PortalException {
        try {
            doSendAuthnRequest(httpServletRequest, httpServletResponse, str);
        }
        catch (Exception exception) {
            ExceptionHandlerUtil.handleException(exception);
        }
    }

    /**
     * Keeps the persisted SP session in step with the servlet session: when the
     * current JSESSIONID differs from the one stored on the {@link SamlSpSession},
     * the stored value is replaced. A persistence failure is logged at debug
     * level and otherwise ignored so that it never breaks the request.
     *
     * @param httpServletRequest the current request (a servlet session is created if absent)
     * @param httpServletResponse unused here
     */
    public void updateSamlSpSession(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        SamlSpSession samlSpSession = getSamlSpSession(httpServletRequest);
        HttpSession httpSession = httpServletRequest.getSession();
        String currentJSessionId = httpSession.getId();
        if (samlSpSession == null) {
            return;
        }
        if (currentJSessionId.equals(samlSpSession.getJSessionId())) {
            return;
        }
        try {
            this.samlSpSessionLocalService.updateSamlSpSession(samlSpSession.getPrimaryKey(), currentJSessionId);
        }
        catch (Exception exception) {
            // Best effort: a stale JSESSIONID on the stored session is tolerable.
            if (_log.isDebugEnabled()) {
                _log.debug(exception, exception);
            }
        }
    }

    /**
     * OSGi activation hook: materializes the typed {@link SamlConfiguration}
     * view over the properties handed in by the component container.
     *
     * @param map the component and configuration properties
     */
    @Activate
    protected void activate(Map<String, Object> map) {
        SamlConfiguration samlConfiguration = (SamlConfiguration) ConfigurableUtil.createConfigurable(SamlConfiguration.class, map);
        this._samlConfiguration = samlConfiguration;
    }

    /**
     * Records a new IdP SSO session plus the SP participation in it, and hands
     * the SSO session ID to the browser in the {@code SAML_SSO_SESSION_ID} cookie.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the response the cookie is added to
     * @param samlSsoRequestContext context holding the SSO session ID and the peer entity ID
     * @param nameID the subject identifier issued to the SP
     * @throws Exception propagated from the persistence services
     */
    protected void addSamlSsoSession(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SamlSsoRequestContext samlSsoRequestContext, NameID nameID) throws Exception {
        ServiceContext serviceContext = ServiceContextFactory.getInstance(httpServletRequest);
        String samlSsoSessionId = samlSsoRequestContext.getSamlSsoSessionId();
        SamlIdpSsoSession samlIdpSsoSession = this._samlIdpSsoSessionLocalService.addSamlIdpSsoSession(samlSsoSessionId, serviceContext);
        SAMLMessageContext<AuthnRequest, Response, NameID> samlMessageContext = samlSsoRequestContext.getSAMLMessageContext();
        this._samlIdpSpSessionLocalService.addSamlIdpSpSession(samlIdpSsoSession.getSamlIdpSsoSessionId(), samlMessageContext.getPeerEntityId(), nameID.getFormat(), nameID.getValue(), serviceContext);
        // maxAge -1: presumably a browser-session cookie; addCookie is defined outside this listing,
        // so confirm there that HttpOnly/Secure are set.
        addCookie(httpServletRequest, httpServletResponse, "SAML_SSO_SESSION_ID", samlSsoSessionId, -1);
    }

    /* JADX WARN: Multi-variable type inference failed */
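    /**
     * Resumes an AuthnRequest conversation that {@link #redirectToLogin} parked in
     * the HTTP session while the user authenticated at the portal.
     *
     * <p>The parked context is consumed on first read (removed from the session),
     * so a second call within the same session returns {@code null}. The stored
     * AuthnRequest XML is the server's own marshalled copy produced in
     * {@link #decodeAuthnRequest}, not fresh client input, and is unmarshalled
     * back into the new message context. The context is returned at stage 1
     * with the current SSO session ID (or a freshly generated one) and the
     * portal user ID.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @return the restored context, or {@code null} when nothing was parked
     * @throws Exception propagated from message-context creation or unmarshalling
     */
    protected SamlSsoRequestContext decodeAuthnConversationAfterLogin(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        HttpSession session = httpServletRequest.getSession();
        SamlSsoRequestContext samlSsoRequestContext = (SamlSsoRequestContext) session.getAttribute("SAML_SSO_REQUEST_CONTEXT");
        // The decompiled listing compared this reference against 0; a reference can only be null-checked.
        if (samlSsoRequestContext == null) {
            return null;
        }
        // One-shot: consume the parked conversation so it cannot be picked up twice.
        session.removeAttribute("SAML_SSO_REQUEST_CONTEXT");
        SAMLMessageContext<?, ?, ?> samlMessageContext = getSamlMessageContext(httpServletRequest, httpServletResponse, samlSsoRequestContext.getPeerEntityId());
        samlSsoRequestContext.setSAMLMessageContext(samlMessageContext);
        String authnRequestXml = samlSsoRequestContext.getAutnRequestXml();
        // Absent for unsolicited (IdP-initiated) conversations, which carry no AuthnRequest.
        if (Validator.isNotNull(authnRequestXml)) {
            AuthnRequest authnRequest = (AuthnRequest) OpenSamlUtil.unmarshall(authnRequestXml);
            samlMessageContext.setInboundSAMLMessage(authnRequest);
            samlMessageContext.setInboundSAMLMessageId(authnRequest.getID());
        }
        samlMessageContext.setRelayState(samlSsoRequestContext.getRelayState());
        String samlSsoSessionId = getSamlSsoSessionId(httpServletRequest);
        if (Validator.isNotNull(samlSsoSessionId)) {
            samlSsoRequestContext.setSamlSsoSessionId(samlSsoSessionId);
        }
        else {
            samlSsoRequestContext.setNewSession(true);
            samlSsoRequestContext.setSamlSsoSessionId(generateIdentifier(30));
        }
        // Stage 1 marks "back from the portal login"; decodeAuthnRequest produces stage 0.
        samlSsoRequestContext.setStage(1);
        samlSsoRequestContext.setUserId(this.portal.getUserId(httpServletRequest));
        return samlSsoRequestContext;
    }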

    /**
     * Builds the {@link SamlSsoRequestContext} for an inbound SSO request on the IdP side.
     *
     * <p>Resolution order:
     * <ol>
     * <li>A {@code saml_message_id} parameter that matches the inbound message ID of
     * a conversation parked by {@link #redirectToLogin} resumes that conversation.</li>
     * <li>An {@code entityId} parameter without a {@code SAMLRequest} (unsolicited SSO)
     * resumes a parked conversation whose peer entity ID matches.</li>
     * <li>Otherwise a fresh stage-0 context is created: for the unsolicited case from
     * the client-supplied {@code entityId} and {@code RelayState} parameters, else by
     * decoding the SAMLRequest through the binding implied by the HTTP method (GET
     * = HTTP-Redirect, anything else = HTTP-POST), with the signature requirement
     * taken from the provider configuration.</li>
     * </ol>
     *
     * <p>{@link #decodeAuthnConversationAfterLogin} consumes the parked conversation on
     * each call, so it is invoked at most once per branch, exactly as the checks are ordered.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @return the request context, never {@code null}
     * @throws Exception propagated from decoding or context creation
     */
    protected SamlSsoRequestContext decodeAuthnRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        String samlMessageId = ParamUtil.getString(httpServletRequest, "saml_message_id");
        if (!Validator.isBlank(samlMessageId)) {
            SamlSsoRequestContext parkedContext = decodeAuthnConversationAfterLogin(httpServletRequest, httpServletResponse);
            if (parkedContext != null) {
                SAMLMessageContext<AuthnRequest, Response, NameID> parkedMessageContext = parkedContext.getSAMLMessageContext();
                if ((parkedMessageContext != null) && samlMessageId.equals(parkedMessageContext.getInboundSAMLMessageId())) {
                    return parkedContext;
                }
            }
        }
        String entityId = ParamUtil.getString(httpServletRequest, "entityId");
        String samlRequest = ParamUtil.getString(httpServletRequest, "SAMLRequest");
        // Unsolicited SSO: the SP is named by the client, no AuthnRequest is present.
        boolean unsolicited = Validator.isNotNull(entityId) && Validator.isNull(samlRequest);
        if (unsolicited) {
            SamlSsoRequestContext parkedContext = decodeAuthnConversationAfterLogin(httpServletRequest, httpServletResponse);
            if (parkedContext != null) {
                SAMLMessageContext<AuthnRequest, Response, NameID> parkedMessageContext = parkedContext.getSAMLMessageContext();
                if ((parkedMessageContext != null) && entityId.equals(parkedMessageContext.getPeerEntityId())) {
                    return parkedContext;
                }
            }
        }
        String bindingUri = SAMLConstants.SAML2_POST_BINDING_URI;
        if (StringUtil.equalsIgnoreCase(httpServletRequest.getMethod(), "GET")) {
            bindingUri = SAMLConstants.SAML2_REDIRECT_BINDING_URI;
        }
        SamlBinding samlBinding = getSamlBinding(bindingUri);
        SamlSsoRequestContext samlSsoRequestContext;
        if (unsolicited) {
            // entityId is client-supplied; getSamlMessageContext (outside this listing) presumably
            // resolves it against known peer metadata - confirm it rejects unknown peers.
            SAMLMessageContext<?, ?, ?> samlMessageContext = getSamlMessageContext(httpServletRequest, httpServletResponse, entityId);
            samlMessageContext.setCommunicationProfileId(samlBinding.getCommunicationProfileId());
            String relayState = ParamUtil.getString(httpServletRequest, RelayState.DEFAULT_ELEMENT_LOCAL_NAME);
            samlMessageContext.setRelayState(relayState);
            samlSsoRequestContext = new SamlSsoRequestContext(samlMessageContext.getPeerEntityId(), relayState, samlMessageContext, this._userLocalService);
        }
        else {
            boolean signatureRequired = this.samlProviderConfigurationHelper.getSamlProviderConfiguration().authnRequestSignatureRequired();
            SAMLMessageContext<?, ?, ?> samlMessageContext = decodeSamlMessage(httpServletRequest, httpServletResponse, samlBinding, signatureRequired);
            AuthnRequest authnRequest = (AuthnRequest) samlMessageContext.getInboundSAMLMessage();
            // The marshalled XML is what decodeAuthnConversationAfterLogin later restores the request from.
            samlSsoRequestContext = new SamlSsoRequestContext(OpenSamlUtil.marshall(authnRequest), samlMessageContext.getPeerEntityId(), samlMessageContext.getRelayState(), samlMessageContext, this._userLocalService);
        }
        String samlSsoSessionId = getSamlSsoSessionId(httpServletRequest);
        if (Validator.isNull(samlSsoSessionId)) {
            samlSsoRequestContext.setNewSession(true);
            samlSsoRequestContext.setSamlSsoSessionId(generateIdentifier(30));
        }
        else {
            samlSsoRequestContext.setSamlSsoSessionId(samlSsoSessionId);
        }
        samlSsoRequestContext.setStage(0);
        samlSsoRequestContext.setUserId(this.portal.getUserId(httpServletRequest));
        return samlSsoRequestContext;
    }

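    /**
     * IdP side of Web Browser SSO: decides whether the inbound request can be
     * answered with a success response right away or whether the browser must
     * first be sent to the portal login.
     *
     * <p>Decision rules, in order:
     * <ul>
     * <li>{@code IsPassive} with no portal user: answer with the NoPassive status
     * code, since no interaction is allowed.</li>
     * <li>An existing SSO session ID that is unknown or expired is discarded: the
     * cookie is cleared and a new ID is generated.</li>
     * <li>A logged-in user is answered immediately unless the SSO session expired
     * or the SP set {@code ForceAuthn} on a request we have not yet redirected for
     * (stage 0). After the login round trip (stage 1) ForceAuthn is treated as
     * satisfied.</li>
     * <li>Otherwise redirect to login; re-authentication (logout first) is forced
     * when the session expired or ForceAuthn was requested.</li>
     * </ul>
     *
     * <p>The redundant {@code user == null} clause inside the success condition of
     * the decompiled listing (unreachable, as {@code user != null} is already
     * required) has been dropped; the condition is otherwise unchanged.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @throws Exception propagated from decoding, persistence or response sending
     */
    protected void doProcessAuthnRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        SamlSsoRequestContext samlSsoRequestContext = decodeAuthnRequest(httpServletRequest, httpServletResponse);
        // null for unsolicited SSO, where there is no AuthnRequest.
        AuthnRequest authnRequest = samlSsoRequestContext.getSAMLMessageContext().getInboundSAMLMessage();
        User user = samlSsoRequestContext.getUser();
        if ((authnRequest != null) && authnRequest.isPassive().booleanValue() && (user == null)) {
            sendFailureResponse(samlSsoRequestContext, StatusCode.NO_PASSIVE_URI);
            return;
        }
        boolean expired = false;
        if (!samlSsoRequestContext.isNewSession()) {
            String samlSsoSessionId = samlSsoRequestContext.getSamlSsoSessionId();
            SamlIdpSsoSession samlIdpSsoSession = this._samlIdpSsoSessionLocalService.fetchSamlIdpSso(samlSsoSessionId);
            if (samlIdpSsoSession != null) {
                expired = samlIdpSsoSession.isExpired();
            }
            else {
                // Cookie names an SSO session we do not know about: treat it as absent.
                samlSsoSessionId = null;
                samlSsoRequestContext.setSamlSsoSessionId(null);
            }
            if (expired || Validator.isNull(samlSsoSessionId)) {
                addCookie(httpServletRequest, httpServletResponse, "SAML_SSO_SESSION_ID", "", 0);
                samlSsoRequestContext.setNewSession(true);
                samlSsoRequestContext.setSamlSsoSessionId(generateIdentifier(30));
            }
        }
        boolean forceAuthn = (authnRequest != null) && authnRequest.isForceAuthn().booleanValue();
        if (!expired && (user != null) && (!forceAuthn || (samlSsoRequestContext.getStage() != 0))) {
            sendSuccessResponse(httpServletRequest, httpServletResponse, samlSsoRequestContext);
            // Do not create a session just to clear the marker set by redirectToLogin.
            HttpSession session = httpServletRequest.getSession(false);
            if (session != null) {
                session.removeAttribute("FORCE_REAUTHENTICATION");
            }
            return;
        }
        redirectToLogin(httpServletRequest, httpServletResponse, samlSsoRequestContext, expired || forceAuthn);
    }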

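    /**
     * SP side of Web Browser SSO: consumes the IdP's {@code Response} posted to
     * the assertion consumer service, selects a verified bearer assertion, maps
     * its subject to a portal user, records the SP session and redirects the
     * browser to the relay-state target (or the portal home page).
     *
     * <p>Rejection points, in order: a non-success (or missing) status code;
     * InResponseTo, Destination and Issuer verification (helpers defined outside
     * this listing); no assertion that both passes {@link #verifyAssertion} and
     * carries an AuthnStatement with a bearer SubjectConfirmation; a missing
     * NameID. Assertions that fail verification are skipped entirely - nothing
     * is read from them apart from the ID used in the debug log.
     *
     * @param httpServletRequest the request carrying the SAML Response
     * @param httpServletResponse the response used for the final redirect
     * @throws StatusException when the response status is not success
     * @throws AssertionException when no acceptable assertion is found
     * @throws SamlException when the subject has no NameID
     * @throws Exception propagated from decoding, verification or persistence
     */
    protected void doProcessResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        // The trailing flag is the same positional argument that decodeAuthnRequest feeds from
        // authnRequestSignatureRequired(), so a signed message is presumably always demanded here.
        SAMLMessageContext<?, ?, ?> samlMessageContext = decodeSamlMessage(httpServletRequest, httpServletResponse, getSamlBinding(SAMLConstants.SAML2_POST_BINDING_URI), true);
        Response response = (Response) samlMessageContext.getInboundSAMLMessage();
        _verifySuccessStatus(response);
        verifyInResponseTo(response);
        verifyDestination(samlMessageContext, response.getDestination());
        verifyIssuer(samlMessageContext, response.getIssuer());
        Assertion bearerAssertion = null;
        SignatureTrustEngine signatureTrustEngine = this.metadataManager.getSignatureTrustEngine();
        for (Assertion candidate : response.getAssertions()) {
            try {
                verifyAssertion(candidate, samlMessageContext, signatureTrustEngine);
            }
            catch (SamlException samlException) {
                if (_log.isDebugEnabled()) {
                    _log.debug("Rejecting assertion " + candidate.getID(), samlException);
                }
                continue;
            }
            // Every candidate reaching this point has been verified; the last bearer match wins.
            if (_isBearerAuthnAssertion(candidate)) {
                bearerAssertion = candidate;
            }
        }
        if (bearerAssertion == null) {
            throw new AssertionException("Response does not contain any acceptable assertions");
        }
        // NOTE(review): the NameID is taken from the message context rather than from
        // bearerAssertion; presumably the decoder populated it from the same subject - confirm.
        NameID nameID = (NameID) samlMessageContext.getSubjectNameIdentifier();
        if (nameID == null) {
            throw new SamlException("Name ID not present in subject");
        }
        if (_log.isDebugEnabled()) {
            _log.debug("SAML authenticated user " + nameID.getValue());
        }
        String assertionXml = OpenSamlUtil.marshall(bearerAssertion);
        // Non-empty by construction: _isBearerAuthnAssertion requires at least one AuthnStatement.
        String sessionIndex = bearerAssertion.getAuthnStatements().get(0).getSessionIndex();
        ServiceContext serviceContext = ServiceContextFactory.getInstance(httpServletRequest);
        serviceContext.setUserId(this._userResolver.resolveUser(new UserResolverSAMLContextImpl(samlMessageContext), serviceContext).getUserId());
        HttpSession session = httpServletRequest.getSession();
        SamlSpSession samlSpSession = getSamlSpSession(httpServletRequest);
        if (samlSpSession == null) {
            samlSpSession = this.samlSpSessionLocalService.addSamlSpSession(generateIdentifier(30), assertionXml, session.getId(), nameID.getFormat(), nameID.getNameQualifier(), nameID.getSPNameQualifier(), nameID.getValue(), sessionIndex, serviceContext);
        }
        else {
            this.samlSpSessionLocalService.updateSamlSpSession(samlSpSession.getSamlSpSessionId(), samlSpSession.getSamlSpSessionKey(), assertionXml, session.getId(), nameID.getFormat(), nameID.getNameQualifier(), nameID.getSPNameQualifier(), nameID.getValue(), sessionIndex, serviceContext);
        }
        session.setAttribute("SAML_SP_SESSION_KEY", samlSpSession.getSamlSpSessionKey());
        addCookie(httpServletRequest, httpServletResponse, "SAML_SP_SESSION_KEY", samlSpSession.getSamlSpSessionKey(), -1);
        // RelayState comes back from the browser, so it goes through the portal's redirect guard;
        // a rejected (empty) value falls back to the home URL.
        String redirect = this.portal.escapeRedirect(samlMessageContext.getRelayState());
        if (Validator.isNull(redirect)) {
            redirect = this.portal.getHomeURL(httpServletRequest);
        }
        ThemeDisplay themeDisplay = (ThemeDisplay) httpServletRequest.getAttribute("LIFERAY_SHARED_THEME_DISPLAY");
        StringBundler sb = new StringBundler(3);
        sb.append(themeDisplay.getPathMain());
        sb.append("/portal/saml/auth_redirect?redirect=");
        sb.append(URLCodec.encodeURL(redirect));
        httpServletResponse.sendRedirect(sb.toString());
    }

    /**
     * Throws unless the top-level status code is {@link StatusCode#SUCCESS_URI}.
     * The nested second-level code is preferred for the exception message when
     * present, as it typically carries the specific reason; a response without
     * any status code is rejected instead of dereferencing {@code null}.
     */
    private static void _verifySuccessStatus(Response response) throws StatusException {
        StatusCode statusCode = null;
        if (response.getStatus() != null) {
            statusCode = response.getStatus().getStatusCode();
        }
        if (statusCode == null) {
            throw new StatusException("Response does not contain a status code");
        }
        String value = statusCode.getValue();
        if (StatusCode.SUCCESS_URI.equals(value)) {
            return;
        }
        StatusCode nestedStatusCode = statusCode.getStatusCode();
        if ((nestedStatusCode != null) && Validator.isNotNull(nestedStatusCode.getValue())) {
            throw new StatusException(nestedStatusCode.getValue());
        }
        throw new StatusException(value);
    }

    /**
     * An assertion can establish a login only if it carries at least one
     * AuthnStatement and its Subject has a bearer SubjectConfirmation. The
     * caller is responsible for having verified the assertion first.
     */
    private static boolean _isBearerAuthnAssertion(Assertion assertion) {
        if (assertion.getAuthnStatements().isEmpty()) {
            return false;
        }
        Subject subject = assertion.getSubject();
        if ((subject == null) || (subject.getSubjectConfirmations() == null)) {
            return false;
        }
        for (SubjectConfirmation subjectConfirmation : subject.getSubjectConfirmations()) {
            if (SubjectConfirmation.METHOD_BEARER.equals(subjectConfirmation.getMethod())) {
                return true;
            }
        }
        return false;
    }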

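    /**
     * Builds and sends an AuthnRequest to the default IdP (SP-initiated SSO).
     *
     * <p>The request targets the IdP's HTTP-POST single sign-on endpoint and names
     * our HTTP-POST assertion consumer service. It is signed when our SP metadata
     * declares {@code AuthnRequestsSigned} or the IdP metadata declares
     * {@code WantAuthnRequestsSigned}. The generated request ID is persisted
     * before sending so the IdP's Response can later be correlated by its
     * InResponseTo value (presumably in {@code verifyInResponseTo}, which is
     * defined outside this listing).
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the response the message is sent through
     * @param str the relay state to carry to the IdP and back
     * @throws Exception propagated from metadata lookup, signing, persistence or sending
     */
    protected void doSendAuthnRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) throws Exception {
        String idpEntityId = this.metadataManager.getDefaultIdpEntityId();
        SAMLMessageContext<?, ?, ?> samlMessageContext = getSamlMessageContext(httpServletRequest, httpServletResponse, idpEntityId);
        SPSSODescriptor spSsoDescriptor = (SPSSODescriptor) samlMessageContext.getLocalEntityRoleMetadata();
        AssertionConsumerService assertionConsumerService = SamlUtil.getAssertionConsumerServiceForBinding(spSsoDescriptor, SAMLConstants.SAML2_POST_BINDING_URI);
        IDPSSODescriptor idpSsoDescriptor = (IDPSSODescriptor) samlMessageContext.getPeerEntityRoleMetadata();
        SingleSignOnService singleSignOnService = SamlUtil.resolveSingleSignOnService(idpSsoDescriptor, SAMLConstants.SAML2_POST_BINDING_URI);
        NameIDPolicy nameIdPolicy = OpenSamlUtil.buildNameIdPolicy();
        nameIdPolicy.setAllowCreate(Boolean.TRUE);
        nameIdPolicy.setFormat(this.metadataManager.getNameIdFormat(idpEntityId));
        AuthnRequest authnRequest = OpenSamlUtil.buildAuthnRequest(spSsoDescriptor, assertionConsumerService, singleSignOnService, nameIdPolicy);
        authnRequest.setID(generateIdentifier(20));
        authnRequest.setForceAuthn(Boolean.valueOf(_isForceAuthn(httpServletRequest, idpEntityId)));
        samlMessageContext.setOutboundSAMLMessage(authnRequest);
        if (spSsoDescriptor.isAuthnRequestsSigned().booleanValue() || idpSsoDescriptor.getWantAuthnRequestsSigned().booleanValue()) {
            Credential signingCredential = this.metadataManager.getSigningCredential();
            samlMessageContext.setOutboundSAMLMessageSigningCredential(signingCredential);
            OpenSamlUtil.signObject(authnRequest, signingCredential);
        }
        samlMessageContext.setPeerEntityEndpoint(singleSignOnService);
        samlMessageContext.setRelayState(str);
        this._samlSpAuthRequestLocalService.addSamlSpAuthRequest(samlMessageContext.getPeerEntityId(), authnRequest.getID(), ServiceContextFactory.getInstance(httpServletRequest));
        sendSamlMessage(samlMessageContext);
    }

    /**
     * Reads the ForceAuthn flag of the configured SP/IdP connection for the
     * current company. A missing connection is a legitimate configuration state
     * and yields {@code false}; it is logged at debug level rather than silently
     * dropped.
     */
    private boolean _isForceAuthn(HttpServletRequest httpServletRequest, String idpEntityId) throws PortalException {
        try {
            return this._samlSpIdpConnectionLocalService.getSamlSpIdpConnection(this.portal.getCompanyId(httpServletRequest), idpEntityId).isForceAuthn();
        }
        catch (NoSuchSpIdpConnectionException noSuchSpIdpConnectionException) {
            if (_log.isDebugEnabled()) {
                _log.debug("No SP/IdP connection configured for " + idpEntityId + ", not forcing authentication", noSuchSpIdpConnectionException);
            }
            return false;
        }
    }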

    /**
     * Builds the SAML 2.0 assertion for a successful IdP-side authentication.
     *
     * <p>All time stamps derive from a single UTC "now": the assertion's
     * IssueInstant, the Conditions window (NotBefore = now, NotOnOrAfter =
     * the SubjectConfirmationData expiry) and the AuthnStatement instant. An
     * AttributeStatement is appended only when attributes are enabled for the
     * peer and the resolver actually produced some.
     *
     * @param samlSsoRequestContext context holding the message context and the portal user
     * @param assertionConsumerService the SP endpoint the assertion is addressed to
     * @param nameID the subject identifier to embed
     * @return the populated, unsigned assertion
     */
    protected Assertion getSuccessAssertion(SamlSsoRequestContext samlSsoRequestContext, AssertionConsumerService assertionConsumerService, NameID nameID) {
        SAMLMessageContext<AuthnRequest, Response, NameID> samlMessageContext = samlSsoRequestContext.getSAMLMessageContext();
        String peerEntityId = samlMessageContext.getPeerEntityId();
        Assertion assertion = OpenSamlUtil.buildAssertion();
        DateTime issueInstant = new DateTime(DateTimeZone.UTC);
        SubjectConfirmationData subjectConfirmationData = getSuccessSubjectConfirmationData(samlSsoRequestContext, assertionConsumerService, issueInstant);
        Conditions conditions = getSuccessConditions(samlSsoRequestContext, issueInstant, subjectConfirmationData.getNotOnOrAfter());
        assertion.setConditions(conditions);
        assertion.setID(generateIdentifier(20));
        assertion.setIssueInstant(issueInstant);
        assertion.setIssuer(OpenSamlUtil.buildIssuer(samlMessageContext.getLocalEntityId()));
        assertion.setSubject(getSuccessSubject(samlSsoRequestContext, assertionConsumerService, nameID, subjectConfirmationData));
        assertion.setVersion(SAMLVersion.VERSION_20);
        List<AuthnStatement> authnStatements = assertion.getAuthnStatements();
        authnStatements.add(getSuccessAuthnStatement(samlSsoRequestContext, assertion));
        if (this.metadataManager.isAttributesEnabled(peerEntityId)) {
            User user = samlSsoRequestContext.getUser();
            AttributeResolver attributeResolver = this._attributeResolverRegistry.getAttributeResolver(peerEntityId);
            AttributePublisherImpl attributePublisher = new AttributePublisherImpl();
            attributeResolver.resolve(user, new AttributeResolverSAMLContextImpl(samlMessageContext), attributePublisher);
            List<Attribute> attributes = attributePublisher.getAttributes();
            if (!attributes.isEmpty()) {
                AttributeStatement attributeStatement = OpenSamlUtil.buildAttributeStatement();
                assertion.getAttributeStatements().add(attributeStatement);
                attributeStatement.getAttributes().addAll(attributes);
            }
        }
        return assertion;
    }

    /**
     * Builds an AudienceRestriction naming a single audience, so that only the
     * given entity may accept the assertion.
     *
     * @param str the audience URI, i.e. the peer (SP) entity ID
     * @return the restriction with exactly one Audience element
     */
    protected AudienceRestriction getSuccessAudienceRestriction(String str) {
        Audience audience = OpenSamlUtil.buildAudience();
        audience.setAudienceURI(str);
        AudienceRestriction audienceRestriction = OpenSamlUtil.buildAudienceRestriction();
        audienceRestriction.getAudiences().add(audience);
        return audienceRestriction;
    }

    /**
     * Builds the AuthnContext advertised in success assertions. The class
     * reference is always {@link AuthnContext#UNSPECIFIED_AUTHN_CTX}; the actual
     * portal authentication method is not reflected here.
     *
     * @return an AuthnContext with the unspecified class reference
     */
    protected AuthnContext getSuccessAuthnContext() {
        AuthnContextClassRef authnContextClassRef = OpenSamlUtil.buildAuthnContextClassRef();
        authnContextClassRef.setAuthnContextClassRef(AuthnContext.UNSPECIFIED_AUTHN_CTX);
        AuthnContext authnContext = OpenSamlUtil.buildAuthnContext();
        authnContext.setAuthnContextClassRef(authnContextClassRef);
        return authnContext;
    }

    /**
     * Builds the AuthnStatement for a success assertion. AuthnInstant is copied
     * from the assertion's IssueInstant and SessionIndex is the IdP SSO session
     * ID, which ties the statement to the server-side session record.
     *
     * @param samlSsoRequestContext context providing the SSO session ID
     * @param assertion the assertion whose IssueInstant is reused
     * @return the populated AuthnStatement
     */
    protected AuthnStatement getSuccessAuthnStatement(SamlSsoRequestContext samlSsoRequestContext, Assertion assertion) {
        AuthnStatement authnStatement = OpenSamlUtil.buildAuthnStatement();
        AuthnContext authnContext = getSuccessAuthnContext();
        authnStatement.setAuthnContext(authnContext);
        authnStatement.setAuthnInstant(assertion.getIssueInstant());
        authnStatement.setSessionIndex(samlSsoRequestContext.getSamlSsoSessionId());
        return authnStatement;
    }

    /**
     * Builds the Conditions element: a validity window [NotBefore, NotOnOrAfter)
     * plus an AudienceRestriction limited to the peer entity ID.
     *
     * @param samlSsoRequestContext context providing the peer entity ID
     * @param dateTime NotBefore
     * @param dateTime2 NotOnOrAfter
     * @return the populated Conditions
     */
    protected Conditions getSuccessConditions(SamlSsoRequestContext samlSsoRequestContext, DateTime dateTime, DateTime dateTime2) {
        SAMLMessageContext<AuthnRequest, Response, NameID> samlMessageContext = samlSsoRequestContext.getSAMLMessageContext();
        Conditions conditions = OpenSamlUtil.buildConditions();
        conditions.setNotBefore(dateTime);
        conditions.setNotOnOrAfter(dateTime2);
        List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions();
        audienceRestrictions.add(getSuccessAudienceRestriction(samlMessageContext.getPeerEntityId()));
        return conditions;
    }

    /**
     * Resolves the NameID to issue to the peer SP.
     *
     * <p>Format, SPNameQualifier and AllowCreate are taken from the inbound
     * request's NameIDPolicy when present; a missing format falls back to the
     * per-peer default from metadata. The value itself comes from the peer's
     * registered {@link NameIdResolver}. No NameQualifier is set.
     *
     * @param samlSsoRequestContext context holding the message context and the portal user
     * @return the populated NameID
     * @throws Exception propagated from the resolver
     */
    protected NameID getSuccessNameId(SamlSsoRequestContext samlSsoRequestContext) throws Exception {
        SAMLMessageContext<AuthnRequest, Response, NameID> samlMessageContext = samlSsoRequestContext.getSAMLMessageContext();
        String peerEntityId = samlMessageContext.getPeerEntityId();
        NameIdResolver nameIdResolver = this._nameIdResolverRegistry.getNameIdResolver(peerEntityId);
        String format = null;
        String spNameQualifier = null;
        boolean allowCreate = false;
        AuthnRequest authnRequest = samlMessageContext.getInboundSAMLMessage();
        NameIDPolicy nameIdPolicy = null;
        if (authnRequest != null) {
            nameIdPolicy = authnRequest.getNameIDPolicy();
        }
        if (nameIdPolicy != null) {
            format = nameIdPolicy.getFormat();
            spNameQualifier = nameIdPolicy.getSPNameQualifier();
            allowCreate = nameIdPolicy.getAllowCreate().booleanValue();
        }
        if (format == null) {
            format = this.metadataManager.getNameIdFormat(peerEntityId);
        }
        String nameIdValue = nameIdResolver.resolve(samlSsoRequestContext.getUser(), peerEntityId, format, spNameQualifier, allowCreate, new NameIdResolverSAMLContextImpl(samlMessageContext));
        return OpenSamlUtil.buildNameId(format, null, spNameQualifier, nameIdValue);
    }

    /**
     * Wraps a built assertion in a success {@code Response} addressed to the
     * SP's assertion consumer service. InResponseTo is set only when an inbound
     * message ID exists (i.e. not for unsolicited SSO); IssueInstant mirrors the
     * assertion's.
     *
     * @param samlSsoRequestContext context providing the message context
     * @param assertionConsumerService target endpoint, used as Destination
     * @param assertion the assertion to embed
     * @return the populated Response with status Success
     */
    protected Response getSuccessResponse(SamlSsoRequestContext samlSsoRequestContext, AssertionConsumerService assertionConsumerService, Assertion assertion) {
        Response response = OpenSamlUtil.buildResponse();
        response.setDestination(assertionConsumerService.getLocation());
        response.setID(generateIdentifier(20));
        SAMLMessageContext<AuthnRequest, Response, NameID> samlMessageContext = samlSsoRequestContext.getSAMLMessageContext();
        String inboundSamlMessageId = samlMessageContext.getInboundSAMLMessageId();
        if (Validator.isNotNull(inboundSamlMessageId)) {
            response.setInResponseTo(inboundSamlMessageId);
        }
        response.setIssueInstant(assertion.getIssueInstant());
        response.setIssuer(OpenSamlUtil.buildIssuer(samlMessageContext.getLocalEntityId()));
        StatusCode statusCode = OpenSamlUtil.buildStatusCode(StatusCode.SUCCESS_URI);
        response.setStatus(OpenSamlUtil.buildStatus(statusCode));
        response.setVersion(SAMLVersion.VERSION_20);
        List<Assertion> assertions = response.getAssertions();
        assertions.add(assertion);
        return response;
    }

    /**
     * Builds the Subject: the given NameID plus one bearer SubjectConfirmation
     * carrying the supplied confirmation data. This is the shape
     * {@link #doProcessResponse} looks for on the SP side.
     *
     * @param samlSsoRequestContext unused here
     * @param assertionConsumerService unused here
     * @param nameID the subject identifier
     * @param subjectConfirmationData recipient / expiry / InResponseTo of the confirmation
     * @return the populated Subject
     */
    protected Subject getSuccessSubject(SamlSsoRequestContext samlSsoRequestContext, AssertionConsumerService assertionConsumerService, NameID nameID, SubjectConfirmationData subjectConfirmationData) {
        Subject subject = OpenSamlUtil.buildSubject(nameID);
        SubjectConfirmation subjectConfirmation = OpenSamlUtil.buildSubjectConfirmation();
        subjectConfirmation.setMethod(SubjectConfirmation.METHOD_BEARER);
        subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData);
        List<SubjectConfirmation> subjectConfirmations = subject.getSubjectConfirmations();
        subjectConfirmations.add(subjectConfirmation);
        return subject;
    }

    /**
     * Builds the bearer {@code SubjectConfirmationData} for a successful SSO response:
     * recipient = the SP's assertion consumer location, {@code InResponseTo} = the inbound
     * message ID (copied as-is, possibly null), and {@code NotOnOrAfter} = {@code dateTime}
     * plus the per-peer assertion lifetime (in seconds) taken from the metadata manager.
     *
     * @param dateTime the reference instant the validity window is counted from
     * @return the populated confirmation data
     */
    protected SubjectConfirmationData getSuccessSubjectConfirmationData(SamlSsoRequestContext samlSsoRequestContext, AssertionConsumerService assertionConsumerService, DateTime dateTime) {
        SAMLMessageContext<AuthnRequest, Response, NameID> messageContext = samlSsoRequestContext.getSAMLMessageContext();

        SubjectConfirmationData confirmationData = OpenSamlUtil.buildSubjectConfirmationData();

        confirmationData.setInResponseTo(messageContext.getInboundSAMLMessageId());
        confirmationData.setRecipient(assertionConsumerService.getLocation());

        // Lifetime is configured per peer SP, so look it up by the peer entity ID.
        String peerEntityId = messageContext.getPeerEntityId();

        confirmationData.setNotOnOrAfter(dateTime.plusSeconds(this.metadataManager.getAssertionLifetime(peerEntityId)));

        return confirmationData;
    }

    /**
     * Parks the pending SSO request in the HTTP session and redirects the browser to the
     * portal login page, whose {@code redirect} parameter points back at the SAML SSO
     * servlet so the flow resumes after authentication.
     *
     * <p>Both URL components are built from the portal's own path (from the shared
     * {@code ThemeDisplay}) plus the SAML message ID or peer entity ID; no raw request
     * parameter is echoed into the redirect target.
     *
     * @param z when {@code true}, the current portal session is logged out first and a new
     *          session flagged {@code FORCE_REAUTHENTICATION} is created (forced re-auth)
     * @throws SystemException if the redirect cannot be written to the response
     */
    protected void redirectToLogin(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SamlSsoRequestContext samlSsoRequestContext, boolean z) {
        HttpSession session = httpServletRequest.getSession();

        if (z) {
            logout(httpServletRequest, httpServletResponse);

            // logout() presumably invalidates the session — start a fresh one and mark it.
            session = httpServletRequest.getSession(true);

            session.setAttribute("FORCE_REAUTHENTICATION", Boolean.TRUE);
        }

        SAMLMessageContext<AuthnRequest, Response, NameID> messageContext = samlSsoRequestContext.getSAMLMessageContext();

        // The OpenSAML message context is detached before the request context is stored;
        // the return URL below carries the message ID / entity ID needed to pick it up
        // again (presumably on the SSO servlet side — TODO confirm).
        samlSsoRequestContext.setSAMLMessageContext(null);

        session.setAttribute("SAML_SSO_REQUEST_CONTEXT", samlSsoRequestContext);

        // Never let a proxy or browser cache a redirect that is tied to SSO state.
        httpServletResponse.addHeader(HttpHeaders.CACHE_CONTROL, "private, no-cache, no-store, must-revalidate");
        httpServletResponse.addHeader(HttpHeaders.PRAGMA, "no-cache");

        ThemeDisplay themeDisplay = (ThemeDisplay) httpServletRequest.getAttribute("LIFERAY_SHARED_THEME_DISPLAY");

        String pathMain = themeDisplay.getPathMain();

        StringBundler ssoUrl = new StringBundler(4);

        ssoUrl.append(pathMain);
        ssoUrl.append("/portal/saml/sso");

        String inboundMessageId = messageContext.getInboundSAMLMessageId();

        // Prefer correlating by message ID; fall back to the peer entity ID.
        if (inboundMessageId != null) {
            ssoUrl.append("?saml_message_id=");
            ssoUrl.append(URLCodec.encodeURL(inboundMessageId));
        }
        else if (messageContext.getPeerEntityId() != null) {
            ssoUrl.append("?entityId=");
            ssoUrl.append(URLCodec.encodeURL(messageContext.getPeerEntityId()));
        }

        StringBundler loginUrl = new StringBundler(3);

        loginUrl.append(pathMain);
        loginUrl.append("/portal/login?redirect=");

        // The whole SSO URL becomes one query-parameter value, hence the second encoding.
        loginUrl.append(URLCodec.encodeURL(ssoUrl.toString()));

        try {
            httpServletResponse.sendRedirect(loginUrl.toString());
        }
        catch (IOException ioException) {
            throw new SystemException(ioException);
        }
    }

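    /**
     * Sends a SAML {@code Response} carrying the given status code URI (and no assertion)
     * to the peer SP's POST-binding assertion consumer service.
     *
     * <p>The local signing credential is attached to the message context so the outbound
     * message can be signed on the way out (signing itself is presumed to happen in
     * {@code sendSamlMessage}). The response is given a generated ID, matching
     * {@code getSuccessResponse}: {@code Response/@ID} is a required attribute in SAML 2.0
     * and the signature reference relies on it.
     *
     * @param samlSsoRequestContext the SSO request being rejected
     * @param str the SAML status code URI to report
     * @throws PortalException if the consumer service cannot be resolved or sending fails
     */
    protected void sendFailureResponse(SamlSsoRequestContext samlSsoRequestContext, String str) throws PortalException {
        SAMLMessageContext<AuthnRequest, Response, NameID> messageContext = samlSsoRequestContext.getSAMLMessageContext();

        String postBindingProfileId = getSamlBinding(SAMLConstants.SAML2_POST_BINDING_URI).getCommunicationProfileId();

        AssertionConsumerService assertionConsumerService = SamlUtil.resolverAssertionConsumerService(messageContext, postBindingProfileId);

        messageContext.setPeerEntityEndpoint(assertionConsumerService);
        messageContext.setOutboundSAMLMessageSigningCredential(this.metadataManager.getSigningCredential());

        Response failureResponse = OpenSamlUtil.buildResponse();

        failureResponse.setDestination(assertionConsumerService.getLocation());
        failureResponse.setID(generateIdentifier(20));
        failureResponse.setInResponseTo(messageContext.getInboundSAMLMessageId());
        failureResponse.setIssueInstant(new DateTime(DateTimeZone.UTC));
        failureResponse.setIssuer(OpenSamlUtil.buildIssuer(messageContext.getLocalEntityId()));
        failureResponse.setStatus(OpenSamlUtil.buildStatus(OpenSamlUtil.buildStatusCode(str)));

        messageContext.setOutboundSAMLMessage(failureResponse);

        sendSamlMessage(messageContext);
    }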

    /**
     * Builds, (optionally) signs and sends the successful SSO response for the resolved
     * user, and creates or refreshes the IdP-side SSO session record.
     *
     * <p>The assertion element is signed only when the SP's metadata declares
     * {@code WantAssertionsSigned}; the enclosing response always gets the signing
     * credential attached to the outbound context.
     *
     * @throws Exception propagated from assertion building, session bookkeeping or sending
     */
    protected void sendSuccessResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SamlSsoRequestContext samlSsoRequestContext) throws Exception {
        SAMLMessageContext<AuthnRequest, Response, NameID> messageContext = samlSsoRequestContext.getSAMLMessageContext();

        String postBindingProfileId = getSamlBinding(SAMLConstants.SAML2_POST_BINDING_URI).getCommunicationProfileId();

        AssertionConsumerService assertionConsumerService = SamlUtil.resolverAssertionConsumerService(messageContext, postBindingProfileId);

        NameID nameId = getSuccessNameId(samlSsoRequestContext);

        Assertion assertion = getSuccessAssertion(samlSsoRequestContext, assertionConsumerService, nameId);

        Credential signingCredential = this.metadataManager.getSigningCredential();

        SPSSODescriptor peerSpDescriptor = (SPSSODescriptor) messageContext.getPeerEntityRoleMetadata();

        // Honour the SP's WantAssertionsSigned flag (unboxing NPE if the flag is absent).
        if (peerSpDescriptor.getWantAssertionsSigned()) {
            OpenSamlUtil.signObject(assertion, signingCredential);
        }

        Response response = getSuccessResponse(samlSsoRequestContext, assertionConsumerService, assertion);

        messageContext.setOutboundSAMLMessage(response);
        messageContext.setOutboundSAMLMessageSigningCredential(signingCredential);
        messageContext.setOutboundSAMLProtocol(SAMLConstants.SAML20P_NS);
        messageContext.setPeerEntityEndpoint(assertionConsumerService);

        // Session bookkeeping happens before the message leaves so a send failure does not
        // leave the response issued without a record.
        if (samlSsoRequestContext.isNewSession()) {
            addSamlSsoSession(httpServletRequest, httpServletResponse, samlSsoRequestContext, nameId);
        }
        else {
            updateSamlSsoSession(httpServletRequest, samlSsoRequestContext, nameId);
        }

        sendSamlMessage(messageContext);
    }

    /**
     * OSGi DS injection point for the {@code AttributeResolverRegistry} dependency
     * ({@code unbind = "-"}: no unbind method, the reference is static).
     */
    @Reference(unbind = "-")
    protected void setAttributeResolverRegistry(AttributeResolverRegistry attributeResolverRegistry) {
        _attributeResolverRegistry = attributeResolverRegistry;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * DS injection point for the {@code IdentifierGenerator}; delegates to the base class.
     * Declared {@code public} here (the decompiler notes the base method is protected).
     */
    @Override // com.liferay.saml.opensaml.integration.internal.profile.BaseProfile
    @Reference(unbind = "-")
    public void setIdentifierGenerator(IdentifierGenerator identifierGenerator) {
        super.setIdentifierGenerator(identifierGenerator);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * DS injection point for the {@code MetadataManager}; delegates to the base class.
     * Declared {@code public} here (the decompiler notes the base method is protected).
     */
    @Override // com.liferay.saml.opensaml.integration.internal.profile.BaseProfile
    @Reference(unbind = "-")
    public void setMetadataManager(MetadataManager metadataManager) {
        super.setMetadataManager(metadataManager);
    }

    /**
     * OSGi DS injection point for the {@code NameIdResolverRegistry} dependency.
     */
    @Reference(unbind = "-")
    protected void setNameIdResolverRegistry(NameIdResolverRegistry nameIdResolverRegistry) {
        _nameIdResolverRegistry = nameIdResolverRegistry;
    }

    /**
     * OSGi DS injection point for the portal kernel {@code Portal} service.
     */
    @Reference(unbind = "-")
    protected void setPortal(Portal portal) {
        this.portal = portal;
    }

    /**
     * DS injection point for SAML bindings: at least one is required, new ones are picked
     * up greedily, and {@code unsetSamlBinding} handles removal. Registers each binding via
     * {@code addSamlBinding}.
     */
    @Reference(cardinality = ReferenceCardinality.AT_LEAST_ONE, policyOption = ReferencePolicyOption.GREEDY, unbind = "unsetSamlBinding")
    protected void setSamlBinding(SamlBinding samlBinding) {
        addSamlBinding(samlBinding);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * DS injection point for the {@code SamlProviderConfigurationHelper}; delegates to the
     * base class. Declared {@code public} here (the decompiler notes the base method is
     * protected).
     */
    @Override // com.liferay.saml.opensaml.integration.internal.profile.BaseProfile
    @Reference(unbind = "-")
    public void setSamlProviderConfigurationHelper(SamlProviderConfigurationHelper samlProviderConfigurationHelper) {
        super.setSamlProviderConfigurationHelper(samlProviderConfigurationHelper);
    }

    /**
     * OSGi DS injection point for the local service holding outstanding SP AuthnRequests
     * (consulted by {@code verifyInResponseTo}).
     */
    @Reference(unbind = "-")
    protected void setSamlSpAuthRequestLocalService(SamlSpAuthRequestLocalService samlSpAuthRequestLocalService) {
        _samlSpAuthRequestLocalService = samlSpAuthRequestLocalService;
    }

    /**
     * OSGi DS injection point for the {@code SamlSpIdpConnectionLocalService} dependency.
     */
    @Reference(unbind = "-")
    protected void setSamlSpIdpConnectionLocalService(SamlSpIdpConnectionLocalService samlSpIdpConnectionLocalService) {
        _samlSpIdpConnectionLocalService = samlSpIdpConnectionLocalService;
    }

    /**
     * OSGi DS injection point for the local service backing the assertion replay cache
     * (used by {@code verifyReplay}).
     */
    @Reference(unbind = "-")
    protected void setSamlSpMessageLocalService(SamlSpMessageLocalService samlSpMessageLocalService) {
        _samlSpMessageLocalService = samlSpMessageLocalService;
    }

    /**
     * OSGi DS injection point for the {@code SamlSpSessionLocalService} dependency.
     */
    @Reference(unbind = "-")
    protected void setSamlSpSessionLocalService(SamlSpSessionLocalService samlSpSessionLocalService) {
        samlSpSessionLocalService = samlSpSessionLocalService;
    }

    /**
     * OSGi DS injection point for the {@code UserResolver}; a greedier (higher-ranked)
     * resolver replaces the current one at runtime.
     */
    @Reference(policyOption = ReferencePolicyOption.GREEDY, unbind = "-")
    protected void setUserResolver(UserResolver userResolver) {
        _userResolver = userResolver;
    }

    /**
     * DS unbind counterpart of {@code setSamlBinding}; deregisters the binding.
     */
    @Override // com.liferay.saml.opensaml.integration.internal.profile.BaseProfile
    protected void unsetSamlBinding(SamlBinding samlBinding) {
        removeSamlBinding(samlBinding);
    }

    /**
     * Touches the IdP SSO session's modified date and makes sure an IdP-to-SP session row
     * exists for the peer SP, inserting one with the issued NameID when none is found.
     *
     * @param nameID the name identifier issued to this SP (format and value are persisted)
     * @throws Exception propagated from the local services
     */
    protected void updateSamlSsoSession(HttpServletRequest httpServletRequest, SamlSsoRequestContext samlSsoRequestContext, NameID nameID) throws Exception {
        ServiceContext serviceContext = ServiceContextFactory.getInstance(httpServletRequest);

        SamlIdpSsoSession samlIdpSsoSession = this._samlIdpSsoSessionLocalService.updateModifiedDate(samlSsoRequestContext.getSamlSsoSessionId());

        SAMLMessageContext<AuthnRequest, Response, NameID> messageContext = samlSsoRequestContext.getSAMLMessageContext();

        String peerEntityId = messageContext.getPeerEntityId();

        try {
            this._samlIdpSpSessionLocalService.updateModifiedDate(samlIdpSsoSession.getSamlIdpSsoSessionId(), peerEntityId);
        }
        catch (NoSuchIdpSpSessionException noSuchIdpSpSessionException) {
            // Not-found is the expected signal for "first SSO to this SP in this session".
            this._samlIdpSpSessionLocalService.addSamlIdpSpSession(samlIdpSsoSession.getSamlIdpSsoSessionId(), peerEntityId, nameID.getFormat(), nameID.getValue(), serviceContext);
        }
    }

    /**
     * Runs the full validation chain for an inbound assertion: replay, issuer, signature,
     * conditions (audience + validity window) and subject (bearer confirmation + recipient).
     *
     * <p>Note the order: the assertion ID is recorded in the replay cache before its
     * signature is checked, so IDs of assertions that later fail verification are stored
     * as well.
     *
     * @throws PortalException from whichever check fails first
     */
    protected void verifyAssertion(Assertion assertion, SAMLMessageContext<?, ?, NameID> sAMLMessageContext, TrustEngine<Signature> trustEngine) throws PortalException {
        verifyReplay(sAMLMessageContext, assertion);

        verifyIssuer(sAMLMessageContext, assertion.getIssuer());

        verifyAssertionSignature(assertion.getSignature(), sAMLMessageContext, trustEngine);

        verifyConditions(sAMLMessageContext, assertion.getConditions());

        verifySubject(sAMLMessageContext, assertion.getSubject());
    }

    /**
     * Verifies the assertion's XML signature when present; an unsigned assertion is
     * tolerated only if the local SP metadata does not set {@code WantAssertionsSigned}.
     *
     * <p>In that tolerated case this method provides no integrity check of its own — the
     * enclosing Response's signature (verified elsewhere, presumably) is what protects
     * the assertion.
     *
     * @throws SignatureException if the assertion is unsigned but signing is required, or
     *         if signature verification fails
     */
    protected void verifyAssertionSignature(Signature signature, SAMLMessageContext<?, ?, ?> sAMLMessageContext, TrustEngine<Signature> trustEngine) throws PortalException {
        SPSSODescriptor localSpDescriptor = (SPSSODescriptor) sAMLMessageContext.getLocalEntityRoleMetadata();

        if (signature == null) {
            if (localSpDescriptor.getWantAssertionsSigned()) {
                throw new SignatureException("SAML assertion is not signed");
            }

            return;
        }

        verifySignature(sAMLMessageContext, signature, trustEngine);
    }

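    /**
     * Checks the assertion's audience restrictions against the local entity ID.
     *
     * <p>SAML 2.0 Core (section 2.5.1.4) requires each {@code AudienceRestriction} to be
     * evaluated independently and every one of them to be satisfied: the audiences inside
     * one restriction form an OR, the restrictions themselves an AND. The previous
     * implementation accepted the assertion as soon as any single audience in any
     * restriction matched. An assertion with no restrictions is unrestricted and passes.
     *
     * @param list the assertion's {@code AudienceRestriction} conditions
     * @param sAMLMessageContext supplies the local entity ID to match against
     * @throws AudienceException if some restriction does not name the local entity
     */
    protected void verifyAudienceRestrictions(List<AudienceRestriction> list, SAMLMessageContext<?, ?, ?> sAMLMessageContext) throws PortalException {
        String localEntityId = sAMLMessageContext.getLocalEntityId();

        for (AudienceRestriction audienceRestriction : list) {
            boolean satisfied = false;

            for (Audience audience : audienceRestriction.getAudiences()) {
                // Compare from the known side so a missing AudienceURI is a mismatch, not an NPE.
                if ((localEntityId != null) && localEntityId.equals(audience.getAudienceURI())) {
                    satisfied = true;

                    break;
                }
            }

            if (!satisfied) {
                throw new AudienceException("Unable verify audience");
            }
        }
    }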

    /**
     * Validates the assertion's {@code Conditions}: audience restrictions, then the
     * {@code NotBefore} / {@code NotOnOrAfter} window against the current UTC time with
     * the configured clock skew.
     *
     * <p>Either time bound is optional; when absent, that side of the window is simply
     * not enforced.
     *
     * @throws PortalException if the audience or the validity window check fails
     */
    protected void verifyConditions(SAMLMessageContext<?, ?, ?> sAMLMessageContext, Conditions conditions) throws PortalException {
        verifyAudienceRestrictions(conditions.getAudienceRestrictions(), sAMLMessageContext);

        DateTime now = new DateTime(DateTimeZone.UTC);

        DateTime notBefore = conditions.getNotBefore();

        if (notBefore != null) {
            verifyNotBeforeDateTime(now, this.metadataManager.getClockSkew(), notBefore);
        }

        DateTime notOnOrAfter = conditions.getNotOnOrAfter();

        if (notOnOrAfter != null) {
            verifyNotOnOrAfterDateTime(now, this.metadataManager.getClockSkew(), notOnOrAfter);
        }
    }

    /**
     * Checks that {@code str} is one of the local SP's assertion consumer locations and
     * that the matching endpoint's binding equals the binding the message arrived on.
     *
     * @param str the destination / recipient URL taken from the inbound message
     * @throws DestinationException if no (location, binding) pair matches
     */
    protected void verifyDestination(SAMLMessageContext<?, ?, ?> sAMLMessageContext, String str) throws PortalException {
        SPSSODescriptor localSpDescriptor = (SPSSODescriptor) sAMLMessageContext.getLocalEntityRoleMetadata();

        String communicationProfileId = sAMLMessageContext.getCommunicationProfileId();

        for (AssertionConsumerService assertionConsumerService : localSpDescriptor.getAssertionConsumerServices()) {
            String binding = assertionConsumerService.getBinding();

            // Location first; the binding is only compared for a matching location.
            if (str.equals(assertionConsumerService.getLocation()) && binding.equals(communicationProfileId)) {
                return;
            }
        }

        throw new DestinationException("Destination " + str + " does not match any assertion consumer location with binding " + communicationProfileId);
    }

    /**
     * Correlates a solicited response with the AuthnRequest it answers and consumes that
     * request record so the same {@code InResponseTo} cannot be presented twice.
     *
     * <p>A response without {@code InResponseTo} is treated as unsolicited and skipped
     * here; whether unsolicited responses are acceptable at all is decided elsewhere
     * (not visible in this method).
     *
     * @throws InResponseToException if no stored request matches the issuer / ID pair
     */
    protected void verifyInResponseTo(Response response) throws PortalException {
        String inResponseTo = response.getInResponseTo();

        if (Validator.isNull(inResponseTo)) {
            return;
        }

        String issuerEntityId = response.getIssuer().getValue();

        SamlSpAuthRequest samlSpAuthRequest = this._samlSpAuthRequestLocalService.fetchSamlSpAuthRequest(issuerEntityId, inResponseTo);

        if (samlSpAuthRequest == null) {
            throw new InResponseToException("Response in response to " + inResponseTo + " does not match any authentication requests");
        }

        // One-shot: the stored request is deleted once it has been answered.
        this._samlSpAuthRequestLocalService.deleteSamlSpAuthRequest(samlSpAuthRequest);
    }

    /**
     * Checks the assertion issuer: the optional {@code Format} must be the entity format,
     * and the value must equal the peer entity ID already bound to the message context.
     *
     * @throws IssuerException on a foreign format or a mismatched entity ID
     */
    protected void verifyIssuer(SAMLMessageContext<?, ?, ?> sAMLMessageContext, Issuer issuer) throws PortalException {
        String format = issuer.getFormat();

        if ((format != null) && !NameIDType.ENTITY.equals(format)) {
            throw new IssuerException("Invalid issuer format " + format);
        }

        String expectedEntityId = sAMLMessageContext.getPeerEntityId();

        if (!expectedEntityId.equals(issuer.getValue())) {
            throw new IssuerException("Issuer does not match expected peer entity ID " + expectedEntityId);
        }
    }

    /**
     * Rejects {@code dateTime} if it lies before {@code dateTime2} minus the clock skew.
     *
     * @param dateTime the instant under test (normally "now")
     * @param j clock skew tolerance in milliseconds
     * @param dateTime2 the {@code NotBefore} bound
     * @throws AssertionException if the instant is too early even allowing for skew
     */
    protected void verifyNotBeforeDateTime(DateTime dateTime, long j, DateTime dateTime2) throws PortalException {
        DateTime earliestAccepted = dateTime2.minus(new Duration(j));

        if (!dateTime.isBefore(earliestAccepted)) {
            return;
        }

        throw new AssertionException("Date " + dateTime + " is before " + earliestAccepted + " including clock skew " + j);
    }

    /**
     * Rejects {@code dateTime} if it is on or after {@code dateTime2} plus the clock skew.
     *
     * @param dateTime the instant under test (normally "now")
     * @param j clock skew tolerance in milliseconds
     * @param dateTime2 the {@code NotOnOrAfter} bound
     * @throws ExpiredException if the instant is at or past the bound even allowing for skew
     */
    protected void verifyNotOnOrAfterDateTime(DateTime dateTime, long j, DateTime dateTime2) throws PortalException {
        DateTime latestAccepted = dateTime2.plus(new Duration(j));

        // "on or after" == not strictly before
        if (dateTime.isBefore(latestAccepted)) {
            return;
        }

        throw new ExpiredException("Date " + dateTime + " is after " + latestAccepted + " including clock skew " + j);
    }

    /**
     * Replay protection keyed on (issuer entity ID, assertion ID): an unexpired cache entry
     * for the pair means the assertion was already seen. Otherwise a fresh entry is stored
     * that expires after the configured replay-cache duration plus clock skew.
     *
     * @throws ReplayException if the assertion ID was already accepted from this issuer
     * @throws SamlException wrapping any {@code SystemException} from the cache service
     */
    protected void verifyReplay(SAMLMessageContext<?, ?, ?> sAMLMessageContext, Assertion assertion) throws PortalException {
        String issuerEntityId = assertion.getIssuer().getValue();
        String assertionId = assertion.getID();

        long retentionMillis = this._samlConfiguration.getReplayChacheDuration() + this.metadataManager.getClockSkew();

        DateTime expirationDate = new DateTime(DateTimeZone.UTC).plus(retentionMillis);

        try {
            SamlSpMessage samlSpMessage = this._samlSpMessageLocalService.fetchSamlSpMessage(issuerEntityId, assertionId);

            if (samlSpMessage != null) {
                if (!samlSpMessage.isExpired()) {
                    throw new ReplayException("SAML assertion " + assertionId + " replayed from IdP " + issuerEntityId);
                }

                // Stale entry: remove it so the new one can be inserted below.
                this._samlSpMessageLocalService.deleteSamlSpMessage(samlSpMessage);
            }

            ServiceContext serviceContext = new ServiceContext();

            serviceContext.setCompanyId(CompanyThreadLocal.getCompanyId().longValue());

            this._samlSpMessageLocalService.addSamlSpMessage(issuerEntityId, assertionId, expirationDate.toDate(), serviceContext);
        }
        catch (SystemException systemException) {
            throw new SamlException(systemException);
        }
    }

    /**
     * Verifies an XML signature in two steps: the SAML signature-profile validator checks
     * the signature's structure, then the trust engine checks it against the peer IdP's
     * SIGNING keys from its {@code IDPSSODescriptor} metadata.
     *
     * <p>Any failure that is not already a {@code PortalException} is wrapped in a
     * {@code SignatureException} with the cause preserved.
     *
     * @throws SignatureException if the signature is untrusted or cannot be verified
     */
    protected void verifySignature(SAMLMessageContext<?, ?, ?> sAMLMessageContext, Signature signature, TrustEngine<Signature> trustEngine) throws PortalException {
        try {
            _samlSignatureProfileValidator.validate(signature);

            CriteriaSet criteriaSet = new CriteriaSet();

            criteriaSet.add(new EntityIDCriteria(sAMLMessageContext.getPeerEntityId()));
            criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
            criteriaSet.add(new UsageCriteria(UsageType.SIGNING));

            if (!trustEngine.validate(signature, criteriaSet)) {
                throw new SignatureException("Unable validate signature trust");
            }
        }
        catch (Exception exception) {
            if (exception instanceof PortalException) {
                throw (PortalException) exception;
            }

            throw new SignatureException("Unable to verify signature", exception);
        }
    }

    /**
     * Accepts the subject on the first bearer {@code SubjectConfirmation} whose
     * confirmation data is within its validity window and whose {@code Recipient} matches
     * one of the local assertion consumer services; the subject's NameID is then stored
     * on the message context.
     *
     * <p>Validity-window checks throw immediately for any bearer confirmation examined,
     * while a confirmation without a {@code Recipient} is skipped. The confirmation data's
     * {@code InResponseTo} and {@code Address} attributes are not examined here.
     *
     * @throws SubjectException if no bearer confirmation qualifies
     * @throws PortalException from the validity-window or destination checks
     */
    protected void verifySubject(SAMLMessageContext<?, ?, NameID> sAMLMessageContext, Subject subject) throws PortalException {
        for (SubjectConfirmation subjectConfirmation : subject.getSubjectConfirmations()) {
            String method = subjectConfirmation.getMethod();

            if (!method.equals(SubjectConfirmation.METHOD_BEARER)) {
                continue;
            }

            SubjectConfirmationData confirmationData = subjectConfirmation.getSubjectConfirmationData();

            if (confirmationData == null) {
                continue;
            }

            DateTime now = new DateTime(DateTimeZone.UTC);

            long clockSkew = this.metadataManager.getClockSkew();

            DateTime notBefore = confirmationData.getNotBefore();

            if (notBefore != null) {
                verifyNotBeforeDateTime(now, clockSkew, notBefore);
            }

            DateTime notOnOrAfter = confirmationData.getNotOnOrAfter();

            if (notOnOrAfter != null) {
                verifyNotOnOrAfterDateTime(now, clockSkew, notOnOrAfter);
            }

            String recipient = confirmationData.getRecipient();

            if (Validator.isNull(recipient)) {
                continue;
            }

            verifyDestination(sAMLMessageContext, recipient);

            sAMLMessageContext.setSubjectNameIdentifier(subject.getNameID());

            return;
        }

        throw new SubjectException("Unable to verify subject");
    }
}
