package pl.edu.icm.unity.saml.idp.web.filter;

import eu.unicore.samly2.exceptions.SAMLServerException;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.logging.log4j.Logger;
import org.apache.xmlbeans.XmlException;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.utils.RoutingServlet;
import pl.edu.icm.unity.saml.SAMLProcessingException;
import pl.edu.icm.unity.saml.SamlHttpServlet;
import pl.edu.icm.unity.saml.idp.SamlIdpProperties;
import pl.edu.icm.unity.saml.idp.ctx.SAMLAuthnContext;
import pl.edu.icm.unity.saml.metadata.cfg.RemoteMetaManager;
import pl.edu.icm.unity.saml.validator.WebAuthRequestValidator;
import pl.edu.icm.unity.webui.idpcommon.EopException;
import xmlbeans.org.oasis.saml2.protocol.AuthnRequestDocument;

/* loaded from: input_file:pl/edu/icm/unity/saml/idp/web/filter/SamlParseServlet.class */
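/**
 * Entry servlet of the SAML IdP endpoint: accepts a SAML AuthnRequest delivered with the
 * HTTP-Redirect (GET) or HTTP-POST (POST) binding, decodes and parses it, validates it, stores
 * the resulting {@link SAMLAuthnContext} in the HTTP session under {@link #SESSION_SAML_CONTEXT}
 * and redirects the browser to the dispatcher servlet path given at construction time.
 * <p>
 * Failures that are reported as {@link SAMLProcessingException} are rendered through the
 * configured {@link ErrorHandler}; {@link EopException} is treated as an end-of-processing
 * signal and stops the request without further output from this servlet.
 */
public class SamlParseServlet extends SamlHttpServlet {
    private static final Logger log = Log.getLogger("unity.server.saml", SamlParseServlet.class);
    /** Session attribute under which the context of the SAML login in progress is kept. */
    public static final String SESSION_SAML_CONTEXT = "samlAuthnContextKey";
    /** HTTP parameter carrying the binding-encoded SAML AuthnRequest. */
    private static final String SAML_REQUEST_PARAM = "SAMLRequest";
    /** Optional HTTP parameter carrying the SAML RelayState echoed back to the requester. */
    private static final String RELAY_STATE_PARAM = "RelayState";

    protected RemoteMetaManager samlConfigProvider;
    protected String endpointAddress;
    protected String samlDispatcherServletPath;
    protected ErrorHandler errorHandler;

    /**
     * @param remoteMetaManager source of the (possibly metadata-derived) IdP configuration
     * @param endpointAddress address of this IdP endpoint, used as the expected request destination
     * @param samlDispatcherServletPath path the browser is redirected to after a request was accepted
     * @param errorHandler renders error pages and SAML error responses
     */
    public SamlParseServlet(RemoteMetaManager remoteMetaManager, String endpointAddress, String samlDispatcherServletPath, ErrorHandler errorHandler) {
        super(true, false, false);
        this.samlConfigProvider = remoteMetaManager;
        this.endpointAddress = endpointAddress;
        this.samlDispatcherServletPath = samlDispatcherServletPath;
        this.errorHandler = errorHandler;
    }

    /** GET carries the HTTP-Redirect binding; handled by the common processing path. */
    @Override
    protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        log.trace("Received GET request to the SAML IdP endpoint");
        processSamlRequest(httpServletRequest, httpServletResponse);
    }

    /** POST carries the HTTP-POST binding; handled by the common processing path. */
    @Override
    protected void doPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        log.trace("Received POST request to the SAML IdP endpoint");
        processSamlRequest(httpServletRequest, httpServletResponse);
    }

    /**
     * Runs {@link #processSamlRequestInterruptible} and absorbs its end-of-processing signal.
     */
    protected void processSamlRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        try {
            processSamlRequestInterruptible(httpServletRequest, httpServletResponse);
        } catch (EopException ignored) {
            // Deliberate: EopException means processing was ended by whoever threw it (e.g. the
            // error handler after committing a response), so there is nothing more to send here.
        }
    }

    /**
     * Full processing of one request: parameter check, replacement of any previous login context,
     * decode/parse, validation, session storage and redirect to the dispatcher.
     *
     * @throws EopException when a handler has already finished the response and processing must stop
     */
    protected void processSamlRequestInterruptible(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException, EopException {
        log.trace("Starting SAML request processing");
        SamlIdpProperties idpProperties = (SamlIdpProperties) this.samlConfigProvider.getVirtualConfiguration();
        HttpSession session = httpServletRequest.getSession();
        SAMLAuthnContext previousContext = (SAMLAuthnContext) session.getAttribute(SESSION_SAML_CONTEXT);

        if (httpServletRequest.getParameter(SAML_REQUEST_PARAM) == null) {
            log.trace("Request to SAML endpoint address, without SAML input, error: {}", httpServletRequest.getRequestURI());
            this.errorHandler.showErrorPage(new SAMLProcessingException("No SAML request"), httpServletResponse);
            return;
        }

        // A new AuthnRequest always supersedes a login that was in progress in this session;
        // the interrupted login is only worth a trace line if it had not expired anyway.
        if (previousContext != null) {
            if (!previousContext.isExpired()) {
                log.trace("Request to SAML consumer address, with SAML input and we are forced to break the previous SAML login: {}", httpServletRequest.getRequestURI());
            }
            session.removeAttribute(SESSION_SAML_CONTEXT);
        }

        log.trace("Got request with SAML input to: {}", httpServletRequest.getRequestURI());
        try {
            AuthnRequestDocument requestDocument = parse(httpServletRequest);
            // Guarded because xmlText() serializes the whole document.
            if (log.isTraceEnabled()) {
                log.trace("Parsed SAML request:\n" + requestDocument.xmlText());
            }
            SAMLAuthnContext context = createSamlContext(httpServletRequest, requestDocument, idpProperties);
            // Only a validated request is stored; an invalid one is answered by validate().
            validate(context, httpServletResponse, idpProperties);
            session.setAttribute(SESSION_SAML_CONTEXT, context);
            RoutingServlet.clean(httpServletRequest);
            log.trace("Request with SAML input handled successfully");
            httpServletResponse.sendRedirect(this.samlDispatcherServletPath);
        } catch (SAMLProcessingException e) {
            log.debug("Processing of SAML input failed", e);
            this.errorHandler.showErrorPage(e, httpServletResponse);
        }
    }

    /**
     * Wraps the parsed request into a context, attaching the RelayState parameter when present.
     *
     * @param httpServletRequest request the RelayState is read from
     * @param authnRequestDocument parsed AuthnRequest
     * @param samlIdpProperties current IdP configuration
     * @return new, not yet validated context
     */
    protected SAMLAuthnContext createSamlContext(HttpServletRequest httpServletRequest, AuthnRequestDocument authnRequestDocument, SamlIdpProperties samlIdpProperties) {
        SAMLAuthnContext context = new SAMLAuthnContext(authnRequestDocument, samlIdpProperties);
        String relayState = httpServletRequest.getParameter(RELAY_STATE_PARAM);
        if (relayState != null) {
            context.setRelayState(relayState);
        }
        return context;
    }

    /**
     * Extracts and parses the AuthnRequest from the request, choosing the binding by HTTP method.
     * Binding selection, binding decoding and XML parsing each report their own failure, so an
     * unsupported method or a malformed document is not misreported as a decoding problem.
     *
     * @param httpServletRequest incoming request; the SAMLRequest parameter is untrusted input
     * @return the parsed AuthnRequest document
     * @throws SAMLProcessingException if the parameter is missing, the method is neither POST nor
     *         GET, the binding payload can't be decoded, or the decoded XML can't be parsed
     */
    protected AuthnRequestDocument parse(HttpServletRequest httpServletRequest) throws SAMLProcessingException {
        String encodedRequest = httpServletRequest.getParameter(SAML_REQUEST_PARAM);
        if (encodedRequest == null) {
            throw new SAMLProcessingException("Received an HTTP request, without SAML request (no SAMLRequest parameter)");
        }

        // Decide the binding outside the decode try-block so this error keeps its own message.
        String method = httpServletRequest.getMethod();
        boolean postBinding = "POST".equals(method);
        if (!postBinding && !"GET".equals(method)) {
            throw new SAMLProcessingException("Received a request which is neither POST nor GET");
        }

        String decodedRequest;
        try {
            decodedRequest = postBinding
                    ? extractRequestFromPostBinding(encodedRequest)
                    : extractRequestFromRedirectBinding(encodedRequest);
        } catch (Exception e) {
            // Decoding of attacker-controlled input may fail in many ways; all of them are a
            // client error, reported with the cause preserved.
            throw new SAMLProcessingException("Received a request which can't be decoded", e);
        }

        // NOTE(review): the document comes from an untrusted HTTP parameter; confirm the XmlBeans
        // parser configuration used here does not resolve external entities / DTDs.
        try {
            return AuthnRequestDocument.Factory.parse(decodedRequest);
        } catch (XmlException | RuntimeException e) {
            // RuntimeException is included so parser-side failures on malformed input still end
            // up on the error page instead of escaping as an uncaught exception.
            throw new SAMLProcessingException("Received a nonparseable SAML request", e);
        }
    }

    /**
     * Validates the request (destination, signature/trust, validity window, replay, known
     * requesters) and, if it is rejected, lets the error handler answer the requester.
     *
     * @param sAMLAuthnContext context holding the request to validate
     * @param httpServletResponse response a SAML error is committed to on rejection
     * @param samlIdpProperties configuration supplying trust, validity and replay checkers
     * @throws EopException when the error handler has committed an error response
     */
    protected void validate(SAMLAuthnContext sAMLAuthnContext, HttpServletResponse httpServletResponse, SamlIdpProperties samlIdpProperties) throws SAMLProcessingException, IOException, EopException {
        WebAuthRequestValidator validator = new WebAuthRequestValidator(this.endpointAddress, samlIdpProperties.getAuthnTrustChecker(), samlIdpProperties.getRequestValidity(), samlIdpProperties.getReplayChecker());
        samlIdpProperties.configureKnownRequesters(validator);
        try {
            validator.validate((AuthnRequestDocument) sAMLAuthnContext.getRequestDocument());
        } catch (SAMLServerException e) {
            // NOTE(review): the caller relies on commitErrorResponse() ending processing via
            // EopException; if it ever returned normally, the rejected request would still be
            // stored in the session and redirected. Confirm against ErrorHandler.
            this.errorHandler.commitErrorResponse(sAMLAuthnContext, e, httpServletResponse);
        }
    }
}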
