package pt.digitalis.dif.centralauth.impl;

import com.coveo.saml.SamlClient;
import com.coveo.saml.SamlException;
import com.coveo.saml.SamlResponse;
import java.io.StringReader;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Calendar;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import net.sf.json.util.JSONUtils;
import org.apache.batik.util.XMLConstants;
import org.apache.commons.lang.RandomStringUtils;
import org.apache.log4j.spi.LocationInfo;
import pt.digitalis.dif.centralauth.configurations.SAMLConfigurations;
import pt.digitalis.dif.centralauth.interfaces.ICentralAuthentication;
import pt.digitalis.dif.centralauth.interfaces.ICentralAuthenticationBusinessUserValidation;
import pt.digitalis.dif.centralauth.interfaces.ICentralAuthenticationUserManagement;
import pt.digitalis.dif.centralauth.objects.CentralUserData;
import pt.digitalis.dif.controller.interfaces.IDIFContext;
import pt.digitalis.dif.controller.objects.DIFRedirect;
import pt.digitalis.dif.controller.objects.RedirectAction;
import pt.digitalis.dif.controller.security.managers.IIdentityManager;
import pt.digitalis.dif.controller.security.objects.DIFUserImpl;
import pt.digitalis.dif.controller.security.objects.IDIFUser;
import pt.digitalis.dif.exception.BusinessException;
import pt.digitalis.dif.exception.InternalFrameworkException;
import pt.digitalis.dif.ioc.DIFIoCRegistry;
import pt.digitalis.dif.utils.http.HttpUtils;
import pt.digitalis.dif.utils.logging.DIFLogger;
import pt.digitalis.dif.utils.logging.IErrorLogManager;
import pt.digitalis.utils.common.StringUtils;

/* loaded from: input_file:WEB-INF/lib/dif-remote-auth-2.4.0-13.jar:pt/digitalis/dif/centralauth/impl/AbstractCentralAuthenticationSAML.class */
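/**
 * SAML 2.0 based central authentication: builds the login/logout redirects to the
 * identity provider and turns a validated {@code SAMLResponse} into a
 * {@link CentralUserData}, provisioning a local user on first login.
 *
 * <p>The {@code SAMLResponse} request parameter is untrusted input; nothing is done
 * with it until {@link SamlClient#decodeAndValidateSamlResponse(String)} has accepted
 * it, and unsigned responses are ignored. Every failure path yields {@code null}
 * (authentication denied) and is logged through the error log manager.
 *
 * <p>The {@link SamlClient} is cached in a static field and rebuilt whenever the
 * SAML configuration timestamp moves forward. The cache is not guarded by a lock:
 * concurrent first requests may each build a client, which is harmless because a
 * fully configured client is published in one assignment.
 */
public abstract class AbstractCentralAuthenticationSAML extends AbstractAuthentication implements ICentralAuthentication {
    private static final String REQUEST_PARAMETER = "SAMLRequest";
    private static final String RESPONSE_PARAMETER = "SAMLResponse";
    /** Session-attribute prefix; suffixed with the assertion ID once an assertion has been rejected. */
    private static final String SESSION_VERIFIED_MANDATORY_AND_BUSINESS_ASSERTION = "mandatoryAndBusinessAssertion";
    /** Session attribute holding the IdP session index, needed to build the logout request. */
    private static final String SESSION_INDEX_ID = "SAMLSessionIndexId";
    /** Session attribute holding the NameID returned by the IdP (unprefixed). */
    private static final String USER_ID = "SAMLUserId";
    /** Prefix applied to the NameID when the configuration asks for a prefixed local username. */
    private static final String USERNAME_PREFIX = "saml__";
    /** Default message when a mandatory attribute is absent and no configured message exists. */
    private static final String MISSING_MANDATORY_ATTRIBUTES_MESSAGE = "User doesn't have all required information for authentication";
    /** Length of the random placeholder password given to a provisioned local user. */
    private static final int PLACEHOLDER_PASSWORD_LENGTH = 15;
    private static final String ERROR_LOG_CONTEXT = "Central Authentication SAML";
    private static final String RELATIVE_HOME_STAGE_URL = "page?stage=difhomestage";

    private final IErrorLogManager errorLog = (IErrorLogManager) DIFIoCRegistry.getRegistry().getImplementation(IErrorLogManager.class);
    private static SamlClient clientSAML = null;
    private static Calendar timestampSAMLConfs = null;

    /**
     * Clears the {@code SAMLResponse} parameter so it is not processed twice.
     *
     * @param iDIFContext the current request context
     */
    @Override // pt.digitalis.dif.centralauth.interfaces.ICentralAuthentication
    public void cleanUp(IDIFContext iDIFContext) {
        iDIFContext.getRequest().addParameter(RESPONSE_PARAMETER, null);
    }

    /** @return whether the SAML configuration allows the change-password feature */
    @Override // pt.digitalis.dif.centralauth.impl.AbstractAuthentication
    public Boolean getChangePasswordAvailable() {
        return SAMLConfigurations.getInstance().getAllowChangePassword();
    }

    /** @return whether the SAML configuration allows the recover-password feature */
    @Override // pt.digitalis.dif.centralauth.impl.AbstractAuthentication
    public Boolean getRecoverPasswordAvailable() {
        return SAMLConfigurations.getInstance().getAllowRecoverPassword();
    }

    /**
     * Builds the redirect that sends the browser to the identity provider's login URL
     * carrying the {@code SAMLRequest}. For the GET (redirect) binding the request is
     * URL-encoded, since it travels in the query string.
     *
     * @param iDIFContext the current request context
     * @return the redirect, or {@code null} if the client could not be built (error is logged)
     */
    @Override // pt.digitalis.dif.centralauth.interfaces.ICentralAuthentication
    public DIFRedirect getRedirectLogin(IDIFContext iDIFContext) {
        DIFRedirect redirect = null;
        try {
            SamlClient samlClient = getSamlClient(iDIFContext);
            String loginUrl = samlClient.getIdentityProviderLoginUrl();
            String loginRequest = samlClient.getSamlLoginRequest();
            RedirectAction action;
            if (samlClient.isLoginMethodPost()) {
                action = RedirectAction.POST;
            } else {
                action = RedirectAction.GET;
                loginRequest = URLEncoder.encode(loginRequest, StandardCharsets.UTF_8.name());
            }
            redirect = new DIFRedirect(action, loginUrl);
            redirect.addParameter(REQUEST_PARAMETER, loginRequest);
        } catch (Exception e) {
            this.errorLog.logError(ERROR_LOG_CONTEXT, "Get Redirect Login", e);
        }
        return redirect;
    }

    /**
     * Builds the GET redirect to the identity provider's logout URL carrying a
     * {@code SAMLRequest} logout request for the NameID and session index stored in
     * the session at login.
     *
     * <p>The logout request is URL-encoded before being appended to the query string,
     * matching the GET binding in {@link #getRedirectLogin(IDIFContext)}; an unencoded
     * base64 payload would be corrupted by the {@code +}/{@code =} characters.
     * NOTE(review): a logout URL that already carries a query string would need
     * {@code &} instead of {@code ?} — confirm against the configured IdP metadata.
     *
     * @param iDIFContext the current request context
     * @return the redirect, or {@code null} on failure (error is logged)
     */
    @Override // pt.digitalis.dif.centralauth.interfaces.ICentralAuthentication
    public DIFRedirect getRedirectLogout(IDIFContext iDIFContext) {
        DIFRedirect redirect = null;
        try {
            SamlClient samlClient = getSamlClient(iDIFContext);
            String nameId = (String) iDIFContext.getSession().getAttribute(USER_ID);
            String sessionIndex = (String) iDIFContext.getSession().getAttribute(SESSION_INDEX_ID);
            String logoutRequest = samlClient.getSamlLogoutRequest(nameId, sessionIndex, null);
            String logoutUrl = samlClient.getIdentityProviderLogoutUrl() + "?" + REQUEST_PARAMETER + "="
                    + URLEncoder.encode(logoutRequest, StandardCharsets.UTF_8.name());
            redirect = new DIFRedirect(RedirectAction.GET, logoutUrl);
        } catch (Exception e) {
            this.errorLog.logError(ERROR_LOG_CONTEXT, "Get Redirect Logout", e);
        }
        return redirect;
    }

    /** @return whether the SAML configuration allows self-registration */
    @Override // pt.digitalis.dif.centralauth.impl.AbstractAuthentication
    public Boolean getRegistrationAvailable() {
        return SAMLConfigurations.getInstance().getAllowRegistration();
    }

    /**
     * Returns the cached {@link SamlClient}, building a new one from the configured
     * IdP metadata and service-provider key material when there is none yet or the
     * configuration timestamp is newer than the one the cached client was built from.
     *
     * <p>The new client is fully configured (including the not-before skew) before it
     * is published to the static field, so a concurrent reader never observes a
     * half-configured client.
     *
     * @param iDIFContext the current request context (unused; kept for the callers' signature)
     * @return a client matching the current configuration
     * @throws SamlException if the metadata or key material cannot be loaded
     * @throws InternalFrameworkException if the configuration cannot be read
     */
    private SamlClient getSamlClient(IDIFContext iDIFContext) throws SamlException, InternalFrameworkException {
        SAMLConfigurations configurations = SAMLConfigurations.getInstance();
        boolean stale = clientSAML == null || timestampSAMLConfs == null
                || timestampSAMLConfs.before(configurations.getTimestamp());
        if (stale) {
            String baseURL = HttpUtils.getBaseURL();
            if (!baseURL.endsWith("/")) {
                baseURL = baseURL + "/";
            }
            // The assertion consumer URL is the application's home stage.
            SamlClient client = SamlClient.fromMetadata(
                    configurations.getName(),
                    baseURL + RELATIVE_HOME_STAGE_URL,
                    new StringReader(StringUtils.nvl(configurations.getMetadata(), "")),
                    configurations.getKeyStorePrivateKeyPathSMAL(),
                    configurations.getKeyStorePrivateKeyPasswordSMAL(),
                    configurations.getPrivateKeyAliasSMAL(),
                    configurations.getPrivateKeyPasswordSMAL());
            if (configurations.getNotBeforeSkew() != null) {
                client.setNotBeforeSkew(configurations.getNotBeforeSkew().longValue());
            }
            timestampSAMLConfs = configurations.getTimestamp();
            clientSAML = client;
        }
        return clientSAML;
    }

    /**
     * Validates the {@code SAMLResponse} request parameter and, for a signed and
     * accepted response, resolves (and on first login provisions) the local user.
     *
     * <p>Fail-closed: any exception, a missing/unsigned response, a failed mandatory
     * attribute check, a failed business validation or a failed provisioning all
     * return {@code null}.
     *
     * @param iDIFContext the current request context
     * @return the authenticated user's data, or {@code null} when authentication is denied
     */
    @Override // pt.digitalis.dif.centralauth.interfaces.ICentralAuthentication
    public CentralUserData getUserData(IDIFContext iDIFContext) {
        CentralUserData centralUserData = null;
        try {
            String encodedResponse = (String) iDIFContext.getRequest().getParameter(RESPONSE_PARAMETER);
            if (StringUtils.isNotEmpty(encodedResponse)) {
                // NOTE(security): the whole (attacker-supplied, still unvalidated) response is
                // written to the debug log; keep debug logging disabled outside development.
                debug(iDIFContext, " - Parameter " + RESPONSE_PARAMETER + " encodedResponse:'" + encodedResponse + "'");
                SamlResponse samlResponse = getSamlClient(iDIFContext).decodeAndValidateSamlResponse(encodedResponse);
                debug(iDIFContext, " - isSigned:'" + samlResponse.isSigned() + "'");
                // Unsigned responses are ignored; signature verification itself is the client's job.
                if (samlResponse.isSigned()) {
                    centralUserData = processSignedResponse(iDIFContext, samlResponse);
                }
            }
        } catch (Exception e) {
            this.errorLog.logError(ERROR_LOG_CONTEXT, "Get User Data", e);
        }
        return centralUserData;
    }

    /**
     * Applies the mandatory-attribute and business checks to a signed response and
     * resolves the local user, provisioning it when it does not exist yet.
     *
     * @param iDIFContext the current request context
     * @param samlResponse the decoded, validated and signed response
     * @return the user data, or {@code null} when a check rejects the user
     * @throws Exception propagated from the client, the identity manager or the hooks;
     *         the caller logs it and denies authentication
     */
    private CentralUserData processSignedResponse(IDIFContext iDIFContext, SamlResponse samlResponse) throws Exception {
        Map<String, Object> userAttributes = samlResponse.getUserAttributes();
        String rejectedAssertionKey = SESSION_VERIFIED_MANDATORY_AND_BUSINESS_ASSERTION + samlResponse.getAssertion().getID();
        // An assertion already rejected in this session is not evaluated (or reported) again.
        if (iDIFContext.getSession().getAttribute(rejectedAssertionKey) != null) {
            return null;
        }
        String mandatoryAttributesError = checkMandatoryAttributes(userAttributes);
        if (mandatoryAttributesError != null) {
            iDIFContext.getSession().addAttribute(rejectedAssertionKey, "true");
            iDIFContext.addResultMessage("info", "", mandatoryAttributesError, true, true);
            return null;
        }
        ICentralAuthenticationBusinessUserValidation businessValidation = (ICentralAuthenticationBusinessUserValidation)
                DIFIoCRegistry.getRegistry().getImplementation(ICentralAuthenticationBusinessUserValidation.class);
        if (!businessValidation.isBusinessUserValid(userAttributes, iDIFContext).booleanValue()) {
            iDIFContext.getSession().addAttribute(rejectedAssertionKey, "true");
            iDIFContext.addResultMessage("info", "", SAMLConfigurations.getInstance().getAmbiguousUserMessage(), true, true);
            return null;
        }
        String nameID = samlResponse.getNameID();
        debug(iDIFContext, " - username:'" + nameID + "'");
        // Stored unprefixed: the logout request must carry the NameID exactly as the IdP issued it.
        iDIFContext.getSession().addAttribute(USER_ID, nameID);
        iDIFContext.getSession().addAttribute(SESSION_INDEX_ID, getSamlClient(iDIFContext).getSessionIndexFromResponse(samlResponse));
        String localUserId = SAMLConfigurations.getInstance().getUsePrefixForUsername().booleanValue()
                ? USERNAME_PREFIX + nameID
                : nameID;
        IIdentityManager identityManager = (IIdentityManager) DIFIoCRegistry.getRegistry().getImplementation(IIdentityManager.class);
        boolean userExists = identityManager.userExists(localUserId);
        debug(iDIFContext, " - username '" + localUserId + "' exists on identity manager:'" + userExists + "'");
        if (!userExists) {
            // If provisioning throws, the exception reaches getUserData's catch and no user
            // data is returned: an identity without a local account is never authenticated.
            provisionUser(iDIFContext, identityManager, localUserId, samlResponse, userAttributes);
        }
        return new CentralUserData(localUserId);
    }

    /**
     * Checks the configured mandatory attribute mappings against the attributes
     * received from the identity provider.
     *
     * <p>Mappings with a {@code null} expected value are skipped. A missing attribute
     * yields the configured invalid/missing message, falling back to
     * {@link #MISSING_MANDATORY_ATTRIBUTES_MESSAGE}; a present attribute whose value
     * differs from the expected one yields the configured message.
     * NOTE(review): the decompiled original reported a failure unconditionally after
     * the loop, which denied every login whenever mandatory mappings were configured;
     * the two messages are assigned here to the branch each evidently belongs to —
     * confirm against the configuration's intent.
     *
     * @param userAttributes attributes extracted from the SAML assertion
     * @return the message to show the user, or {@code null} when all checks pass
     * @throws Exception propagated from the configuration accessors
     */
    private static String checkMandatoryAttributes(Map<String, Object> userAttributes) throws Exception {
        SAMLConfigurations configurations = SAMLConfigurations.getInstance();
        Map<String, ?> mandatoryMappings = configurations.getMandatoryAttributesMappings();
        if (mandatoryMappings == null || mandatoryMappings.isEmpty()) {
            return null;
        }
        for (Map.Entry<String, ?> mapping : mandatoryMappings.entrySet()) {
            Object expectedValue = mapping.getValue();
            if (expectedValue == null) {
                continue;
            }
            Object actualValue = userAttributes.get(mapping.getKey());
            if (actualValue == null) {
                return StringUtils.nvl(configurations.getInvalidMissingMandatoryFieldValuesMessage(), MISSING_MANDATORY_ATTRIBUTES_MESSAGE);
            }
            if (!StringUtils.equals(actualValue.toString(), expectedValue.toString())) {
                return configurations.getInvalidMissingMandatoryFieldValuesMessage();
            }
        }
        return null;
    }

    /**
     * Expands the configured "bulk" attribute — a single attribute whose value holds
     * {@code key=value} pairs joined by the configured separator — into individual
     * entries of {@code userAttributes}, removing the bulk attribute itself.
     *
     * <p>Each pair is split on the first {@code =} only, so values may contain
     * {@code =}; entries without a {@code =} are skipped instead of failing the whole
     * login. The separator is applied as a regular expression, as it always was —
     * a separator such as {@code |} must be configured escaped.
     *
     * @param userAttributes attributes extracted from the SAML assertion; modified in place
     * @throws Exception propagated from the configuration accessors
     */
    private static void expandBulkAttributes(Map<String, Object> userAttributes) throws Exception {
        SAMLConfigurations configurations = SAMLConfigurations.getInstance();
        String bulkParameter = configurations.getBulkParameter();
        if (!StringUtils.isNotBlank(bulkParameter) || !userAttributes.containsKey(bulkParameter)) {
            return;
        }
        String bulkValue = (String) userAttributes.remove(bulkParameter);
        if (!StringUtils.isNotBlank(bulkValue)) {
            return;
        }
        for (String pair : bulkValue.split(configurations.getBulkParameterSeparator())) {
            String[] keyAndValue = pair.split("=", 2);
            if (keyAndValue.length == 2) {
                userAttributes.put(keyAndValue[0], keyAndValue[1]);
            }
        }
    }

    /**
     * Creates the local user for a first-time SAML login: a placeholder password that
     * is never meant to be used, name/e-mail taken from the configured attributes
     * (falling back to the NameID / none), the mapped attributes, and finally the
     * registered {@link ICentralAuthenticationUserManagement} hooks.
     *
     * @param iDIFContext the current request context (for debug logging)
     * @param identityManager the identity manager that stores the user
     * @param localUserId the (possibly prefixed) local username
     * @param samlResponse the validated response, source of the NameID
     * @param userAttributes attributes extracted from the assertion; bulk attribute expanded in place
     * @throws Exception propagated from the identity manager, the configuration or a hook
     */
    @SuppressWarnings({"rawtypes", "unchecked"}) // the parameter type of IDIFUser.setAttributes is not visible here
    private void provisionUser(IDIFContext iDIFContext, IIdentityManager identityManager, String localUserId,
            SamlResponse samlResponse, Map<String, Object> userAttributes) throws Exception {
        SAMLConfigurations configurations = SAMLConfigurations.getInstance();
        // NOTE(security): attribute values (personal data) end up in the debug log.
        debug(iDIFContext, " - username '" + localUserId + "' attributes:'" + userAttributes + "'");
        expandBulkAttributes(userAttributes);

        IDIFUser newUser = new DIFUserImpl();
        newUser.setID(localUserId);
        // Placeholder credential for a federated account; generated from a CSPRNG rather than
        // the shared java.util.Random behind RandomStringUtils.randomAlphanumeric.
        newUser.setPassword(RandomStringUtils.random(PLACEHOLDER_PASSWORD_LENGTH, 0, 0, true, true, null, new SecureRandom()));
        String nameAttribute = configurations.getNameAttribute();
        if (StringUtils.isNotBlank(nameAttribute) && userAttributes.containsKey(nameAttribute)) {
            newUser.setName(userAttributes.get(nameAttribute) + "");
        } else {
            newUser.setName(samlResponse.getNameID());
        }
        String emailAttribute = configurations.getEmailAttribute();
        if (StringUtils.isNotBlank(emailAttribute) && userAttributes.containsKey(emailAttribute)) {
            newUser.setEmail(userAttributes.get(emailAttribute) + "");
        } else {
            newUser.setEmail(null);
        }
        newUser.setNick(samlResponse.getNameID());
        newUser.setProfileID(null);

        // Translate IdP attribute names to local attribute names through the configured mapping.
        HashMap mappedAttributes = new HashMap();
        Map<String, ?> attributesMapping = configurations.getAttributesMapping();
        if (!userAttributes.isEmpty() && attributesMapping != null && !attributesMapping.isEmpty()) {
            for (Map.Entry<String, Object> attribute : userAttributes.entrySet()) {
                if (attributesMapping.containsKey(attribute.getKey())) {
                    mappedAttributes.put(attributesMapping.get(attribute.getKey()), attribute.getValue());
                }
            }
            userAttributes.putAll(mappedAttributes);
        }

        identityManager.addUser(newUser);
        debug(iDIFContext, " - username '" + localUserId + "' created on identity manager:'true'");
        if (!mappedAttributes.isEmpty()) {
            newUser.setAttributes(mappedAttributes);
            debug(iDIFContext, " - username '" + localUserId + "' saved attributes:'" + mappedAttributes + "'");
        }
        for (Object hook : DIFIoCRegistry.getRegistry().getImplementations(ICentralAuthenticationUserManagement.class)) {
            ((ICentralAuthenticationUserManagement) hook).doAfterUserCreation(newUser);
        }
    }

    /**
     * Writes a debug entry prefixed with this class's simple name and enriched with the
     * request context, in the same form the original code used.
     *
     * @param iDIFContext the current request context
     * @param message message text, starting with the " - " separator
     */
    private static void debug(IDIFContext iDIFContext, String message) {
        DIFLogger.getLogger().debug(new BusinessException(AbstractCentralAuthenticationSAML.class.getSimpleName() + message)
                .addToExceptionContext(iDIFContext).getRenderedExceptionContext());
    }

    /** @return {@code false}: the SAML identity lives at the identity provider, not locally */
    @Override // pt.digitalis.dif.features.IDIFFeatureBaseAuthentication
    public Boolean isLocal() {
        return false;
    }

    /**
     * Reports whether the identity provider advertises single logout.
     *
     * @param iDIFContext the current request context
     * @return {@code true} when the client reports single logout support; {@code false}
     *         when it does not or the client could not be built (error is logged)
     */
    @Override // pt.digitalis.dif.centralauth.interfaces.ICentralAuthentication
    public boolean supportSingleLogout(IDIFContext iDIFContext) {
        boolean supported = false;
        try {
            supported = getSamlClient(iDIFContext).supportSingleLogout();
        } catch (Exception e) {
            this.errorLog.logError(ERROR_LOG_CONTEXT, "Support Single Logout", e);
        }
        return supported;
    }
}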
