package com.sun.identity.saml.servlet;

import com.iplanet.am.console.base.model.AMQueryParameters;
import com.iplanet.services.util.Base64;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.saml.AssertionManager;
import com.sun.identity.saml.assertion.Assertion;
import com.sun.identity.saml.assertion.Conditions;
import com.sun.identity.saml.assertion.Statement;
import com.sun.identity.saml.assertion.Subject;
import com.sun.identity.saml.assertion.SubjectConfirmation;
import com.sun.identity.saml.assertion.SubjectStatement;
import com.sun.identity.saml.common.LogUtils;
import com.sun.identity.saml.common.SAMLConstants;
import com.sun.identity.saml.common.SAMLException;
import com.sun.identity.saml.common.SAMLServiceManager;
import com.sun.identity.saml.common.SAMLUtils;
import com.sun.identity.saml.protocol.Response;
import com.sun.identity.saml.protocol.Status;
import com.sun.identity.saml.protocol.StatusCode;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.PrintWriter;
import java.io.UnsupportedEncodingException;
import java.net.URL;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;
import java.util.logging.Level;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* loaded from: input_file:115766-12/SUNWamsdk/reloc/SUNWam/lib/am_services.jar:com/sun/identity/saml/servlet/SAMLPOSTProfileServlet.class */
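public class SAMLPOSTProfileServlet extends HttpServlet {

    /** Confirmation method every subject statement of a consumed assertion must carry (checked in doPost). */
    private static final String BEARER_CONFIRMATION_METHOD = "urn:oasis:names:tc:SAML:1.0:cm:bearer";

    /**
     * How long (ms from now) a consumed assertion ID stays in {@link #idTimeMap} when the assertion
     * carries no NotOnOrAfter condition. With a condition, the ID is kept until that instant instead.
     */
    private static final long DEFAULT_ID_RETENTION_MILLIS = 180000L;

    /**
     * Replay cache: assertion ID -> expiry ({@code Long}, epoch millis). Shared with the cleanup thread;
     * every access here is done under {@code synchronized (idTimeMap)}. Raw types are kept because
     * POSTCleanUpThread's constructor signature is not visible in this file.
     */
    private static final Map idTimeMap = new HashMap();
    private static final Thread cThread = new POSTCleanUpThread(idTimeMap);

    static {
        // Expire consumed assertion IDs in the background; runs for the lifetime of the class.
        cThread.start();
    }

    /**
     * Source-site side of the SAML 1.x Browser/POST profile: builds a signed Response for the
     * authenticated user and returns an auto-submitting HTML form that posts it to the destination
     * site named by the {@code TARGET} parameter.
     *
     * <p>Error mapping: missing/forbidden TARGET -> 400; missing/invalid session, assertion creation,
     * signing or encoding failure -> 500.
     *
     * @param httpServletRequest the request; must carry {@code TARGET} and a valid SSO session
     * @param httpServletResponse the response the form is written to
     * @throws ServletException if {@code httpServletResponse} is null (nothing can be written back)
     * @throws IOException on output failure
     */
    public void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        // A null response cannot carry an error page; fail loudly instead of dereferencing it.
        if (httpServletResponse == null) {
            LogUtils.error(Level.INFO, SAMLUtils.bundle.getString("nullInputParameter"));
            throw new ServletException(SAMLUtils.bundle.getString("nullInputParameter"));
        }
        if (httpServletRequest == null) {
            LogUtils.error(Level.INFO, SAMLUtils.bundle.getString("nullInputParameter"));
            httpServletResponse.sendError(500, SAMLUtils.bundle.getString("nullInputParameter"));
            return;
        }
        SAMLUtils.checkHTTPContentLength(httpServletRequest);

        String target = httpServletRequest.getParameter("TARGET");
        if (target == null) {
            LogUtils.error(Level.INFO, SAMLUtils.bundle.getString("missingTargetSite"));
            httpServletResponse.sendError(400, SAMLUtils.bundle.getString("missingTargetSite"));
            return;
        }
        // TARGET is untrusted; it is only honoured when its host resolves to a configured trusted site.
        SAMLServiceManager.SiteEntry destSite = getDestSite(target);
        String postUrl = (destSite == null) ? null : destSite.getPOSTUrl();
        if (postUrl == null) {
            String forbidden = SAMLUtils.bundle.getString("targetForbidden") + " " + target;
            LogUtils.error(Level.INFO, forbidden);
            httpServletResponse.sendError(400, forbidden);
            return;
        }
        SSOToken ssoToken = getSSOToken(httpServletRequest);
        if (ssoToken == null) {
            httpServletResponse.sendError(500, SAMLUtils.bundle.getString("nullSSOToken"));
            return;
        }

        try {
            // Protocol version comes from the site entry as "major.minor"; anything else keeps the defaults.
            int majorVersion = 1;
            int minorVersion = SAMLConstants.PROTOCOL_MINOR_VERSION;
            String version = destSite.getVersion();
            if (version != null) {
                StringTokenizer tokens = new StringTokenizer(version, ".");
                if (tokens.countTokens() == 2) {
                    majorVersion = Integer.parseInt(tokens.nextToken().trim());
                    minorVersion = Integer.parseInt(tokens.nextToken().trim());
                }
            }
            Assertion ssoAssertion = AssertionManager.getInstance().createSSOAssertion(
                    ssoToken.getTokenID().toString(), null, destSite.getSourceID(), target,
                    majorVersion + "." + minorVersion);
            Status status = new Status(new StatusCode("samlp:Success"));
            List assertions = new ArrayList(1);
            assertions.add(ssoAssertion);
            Response samlResponse = new Response((String) null, status, postUrl, assertions);
            samlResponse.setMajorVersion(majorVersion);
            samlResponse.setMinorVersion(minorVersion);

            byte[] signedResponse;
            try {
                signedResponse = signResponse(samlResponse);
            } catch (Exception e) {
                SAMLUtils.debug.error("SAMLPOSTProfileServlet.doGet: Exception when signing the response:", e);
                httpServletResponse.sendError(500, SAMLUtils.bundle.getString("errorSigningResponse"));
                return;
            }
            try {
                String encodedResponse = Base64.encode(signedResponse).trim();
                // At FINER the whole signed response (a bearer credential) goes to the access log.
                if (LogUtils.isLoggable(Level.FINER)) {
                    LogUtils.access(Level.FINER, SAMLUtils.bundle.getString("targetURL") + target + ". "
                            + SAMLUtils.bundle.getString("SAMLResponse") + new String(signedResponse, "UTF-8") + ". "
                            + SAMLUtils.bundle.getString("redirectTo") + postUrl);
                } else {
                    LogUtils.access(Level.INFO, SAMLUtils.bundle.getString("targetURL") + target + ". "
                            + SAMLUtils.bundle.getString("redirectTo") + postUrl);
                }
                writePostForm(httpServletResponse, postUrl, encodedResponse, target);
            } catch (Exception e) {
                SAMLUtils.debug.error("SAMLPOSTProfileServlet.doGet: Exception when encoding the response:", e);
                httpServletResponse.sendError(500, SAMLUtils.bundle.getString("errorEncodeResponse"));
            }
        } catch (SAMLException e) {
            SAMLUtils.debug.error("SAMLPOSTProfileServlet.doGet: Exception when creating Response: ", e);
            httpServletResponse.sendError(500, e.getMessage());
        } catch (NumberFormatException e) {
            SAMLUtils.debug.error("SAMLPOSTProfileServlet.doGet: Exception when creating Response: ", e);
            httpServletResponse.sendError(500, e.getMessage());
        }
    }

    /**
     * Writes the self-submitting POST form. {@code postUrl} and {@code target} are placed inside
     * HTML attribute values and are therefore entity-escaped; the browser decodes the entities, so
     * the posted TARGET value is unchanged. The Base64 payload contains no HTML-special characters.
     *
     * @param httpServletResponse response to write to
     * @param postUrl form action (destination site's POST URL from configuration)
     * @param encodedResponse Base64-encoded signed Response
     * @param target the TARGET parameter echoed back to the destination site
     * @throws IOException if the writer cannot be obtained
     */
    private static void writePostForm(HttpServletResponse httpServletResponse, String postUrl,
            String encodedResponse, String target) throws IOException {
        httpServletResponse.setContentType("text/html; charset=UTF-8");
        PrintWriter writer = httpServletResponse.getWriter();
        writer.println("<HTML>");
        writer.println("<BODY Onload=\"document.forms[0].submit()\">");
        writer.println("<FORM METHOD=\"POST\" ACTION=\"" + htmlEscape(postUrl) + "\">");
        writer.println("<INPUT TYPE=\"HIDDEN\" NAME=\"SAMLResponse\" ");
        writer.println("VALUE=\"" + encodedResponse + "\">");
        writer.println("<INPUT TYPE=\"HIDDEN\" NAME=\"TARGET\" VALUE=\"" + htmlEscape(target) + "\"> </FORM>");
        writer.println("</BODY></HTML>");
        writer.close();
    }

    /**
     * Escapes the five HTML-significant characters so a value can be embedded in an attribute.
     *
     * @param s value to escape; null becomes the empty string
     * @return the escaped value
     */
    private static String htmlEscape(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Signs the Response in place and returns its serialized XML as UTF-8 bytes.
     *
     * @param response the Response to sign
     * @return the signed XML, UTF-8 encoded
     * @throws SAMLException if signing fails or the platform lacks UTF-8
     */
    private byte[] signResponse(Response response) throws SAMLException {
        response.signXML();
        String signedXml = response.toString(true, true, true);
        if (SAMLUtils.debug.messageEnabled()) {
            SAMLUtils.debug.message("SAMLPOSTProfileServlet.signResponse: signed samlResponse is" + signedXml);
        }
        try {
            return signedXml.getBytes("UTF-8");
        } catch (UnsupportedEncodingException e) {
            if (SAMLUtils.debug.messageEnabled()) {
                SAMLUtils.debug.message("SAMLPOSTProfileServlet.signResponse", e);
            }
            throw new SAMLException(e.getMessage());
        }
    }

    /**
     * Resolves the TARGET URL to a configured trusted site. The target host must equal a configured
     * host name or be a sub-domain of it (label boundary enforced); a plain substring match would let
     * an unrelated host that merely contains the trusted name through. Among host matches, an entry
     * whose port equals the target's port wins; otherwise the last port-less entry is used.
     *
     * @param target the TARGET request parameter (an absolute URL)
     * @return the matching site entry, or null if the URL is malformed or no trusted site matches
     */
    private SAMLServiceManager.SiteEntry getDestSite(String target) {
        try {
            URL url = new URL(target);
            String host = url.getHost();
            int port = url.getPort();
            if (host == null || host.length() == 0) {
                SAMLUtils.debug.error("SAMLPOSTProfileServlet.getDestSite: missing host in target.");
                return null;
            }
            Set trustedSites = (Set) SAMLServiceManager.getAttribute(SAMLConstants.TRUSTED_SERVER_LIST);
            if (trustedSites == null) {
                SAMLUtils.debug.error("SAMLPOSTProfileServlet.getDestSite:  No destSite found from the target.");
                return null;
            }
            SAMLServiceManager.SiteEntry portlessMatch = null;
            for (Iterator it = trustedSites.iterator(); it.hasNext();) {
                SAMLServiceManager.SiteEntry candidate = (SAMLServiceManager.SiteEntry) it.next();
                String configuredHost = candidate.getHostName();
                if (configuredHost == null || !hostMatches(host, configuredHost)) {
                    continue;
                }
                int configuredPort = candidate.getPort();
                if (configuredPort == -1) {
                    portlessMatch = candidate;
                } else if (configuredPort == port) {
                    // NOTE(review): a target without an explicit port (getPort() == -1) never matches
                    // an entry configured with the scheme's default port — confirm that is intended.
                    return candidate;
                }
            }
            if (portlessMatch != null) {
                return portlessMatch;
            }
            SAMLUtils.debug.error("SAMLPOSTProfileServlet.getDestSite:  No destSite found from the target.");
            return null;
        } catch (Exception e) {
            SAMLUtils.debug.error("SAMLPOSTProfileServlet.getDestSite: ", e);
            return null;
        }
    }

    /**
     * Case-insensitive host match: {@code host} equals {@code configuredHost}, or ends with
     * {@code "." + configuredHost}. A leading dot on the configured value is ignored.
     *
     * @param host host taken from the target URL
     * @param configuredHost host name from the trusted site entry
     * @return true if the target host is the configured host or one of its sub-domains
     */
    private static boolean hostMatches(String host, String configuredHost) {
        String cfg = configuredHost.trim();
        if (cfg.startsWith(".")) {
            cfg = cfg.substring(1);
        }
        if (cfg.length() == 0) {
            return false;
        }
        if (host.equalsIgnoreCase(cfg)) {
            return true;
        }
        int suffixStart = host.length() - cfg.length();
        // Sub-domain match only at a label boundary: "x.example.com" yes, "notexample.com" no.
        return suffixStart > 1
                && host.charAt(suffixStart - 1) == '.'
                && host.regionMatches(true, suffixStart, cfg, 0, cfg.length());
    }

    /**
     * Returns the caller's SSO token if the request carries a valid one.
     *
     * @param httpServletRequest request to read the session from
     * @return a validated token, or null if absent, invalid, or the token manager fails
     */
    private SSOToken getSSOToken(HttpServletRequest httpServletRequest) {
        try {
            SSOTokenManager tokenManager = SSOTokenManager.getInstance();
            SSOToken token = tokenManager.createSSOToken(httpServletRequest);
            if (token == null) {
                SAMLUtils.debug.error("SAMLPOSTProfileServlet.getSSOToken: SSOToken is null.");
                return null;
            }
            if (!tokenManager.isValidToken(token)) {
                SAMLUtils.debug.error("SAMLPOSTProfileServlet.getSSOToken: SSOToken is invalid.");
                return null;
            }
            return token;
        } catch (SSOException e) {
            SAMLUtils.debug.error("SAMLPOSTProfileServlet.getSSOToken: Exception when getting SSOToken:", e);
            return null;
        }
    }

    /**
     * Destination-site side of the POST profile: decodes {@code SAMLResponse}, checks the Response
     * signature, Recipient and status, checks and consumes each assertion (issuer, signature, validity
     * window, bearer confirmation, replay), creates the local session and sends the user to TARGET.
     *
     * <p>Error mapping: missing parameters, bad Response or bad assertion -> 400; decode or session
     * creation failure -> 500.
     *
     * @param httpServletRequest the request; must carry {@code TARGET} and {@code SAMLResponse}
     * @param httpServletResponse the response used for the redirect / POST to target
     * @throws ServletException if {@code httpServletResponse} is null
     * @throws IOException on output failure
     */
    public void doPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        if (httpServletResponse == null) {
            LogUtils.error(Level.INFO, SAMLUtils.bundle.getString("nullInputParameter"));
            throw new ServletException(SAMLUtils.bundle.getString("nullInputParameter"));
        }
        httpServletResponse.setContentType("text/html; charset=UTF-8");
        if (httpServletRequest == null) {
            LogUtils.error(Level.INFO, SAMLUtils.bundle.getString("nullInputParameter"));
            httpServletResponse.sendError(400, SAMLUtils.bundle.getString("nullInputParameter"));
            return;
        }
        SAMLUtils.checkHTTPContentLength(httpServletRequest);

        // TARGET is a plain form field: it is not covered by the Response signature and is used
        // below as the redirect / post destination as received.
        // NOTE(review): consider validating it against the trusted site list the way doGet does —
        // confirm against partner configuration before tightening.
        String target = httpServletRequest.getParameter("TARGET");
        if (target == null) {
            LogUtils.error(Level.INFO, SAMLUtils.bundle.getString("missingTargetSite"));
            httpServletResponse.sendError(400, SAMLUtils.bundle.getString("missingTargetSite"));
            return;
        }
        String encodedResponse = httpServletRequest.getParameter("SAMLResponse");
        if (encodedResponse == null) {
            LogUtils.error(Level.INFO, SAMLUtils.bundle.getString("missingSAMLResponse"));
            httpServletResponse.sendError(400, SAMLUtils.bundle.getString("missingSAMLResponse"));
            return;
        }

        try {
            byte[] decodedResponse = Base64.decode(encodedResponse);
            Response samlResponse = verifySignatureAndGetResponse(decodedResponse);
            if (samlResponse == null) {
                LogUtils.error(Level.INFO, SAMLUtils.bundle.getString("errorObtainResponse"));
                httpServletResponse.sendError(400, SAMLUtils.bundle.getString("errorObtainResponse"));
                return;
            }
            if (SAMLUtils.debug.messageEnabled()) {
                SAMLUtils.debug.message("SAMLPOSTProfileServlet.doPost: Received " + samlResponse.toString());
            }
            String requestUrl = String.valueOf(httpServletRequest.getRequestURL());
            if (SAMLUtils.debug.messageEnabled()) {
                SAMLUtils.debug.message("SAMLPOSTProfileServlet.doPost: requestUrl=" + requestUrl);
            }
            if (!verifyResponse(samlResponse, requestUrl, httpServletRequest)) {
                LogUtils.error(Level.INFO, SAMLUtils.bundle.getString("invalidResponse"));
                httpServletResponse.sendError(400, SAMLUtils.bundle.getString("invalidResponse"));
                return;
            }
            Map ssMap = verifyAssertionAndGetSSMap(samlResponse);
            if (ssMap == null) {
                LogUtils.error(Level.INFO, SAMLUtils.bundle.getString("invalidAssertion"));
                httpServletResponse.sendError(400, SAMLUtils.bundle.getString("invalidAssertion"));
                return;
            }
            List assertions = (List) ssMap.get(SAMLConstants.POST_ASSERTION);
            try {
                Map tokenInfo = SAMLUtils.generateSSOToken(httpServletRequest, httpServletResponse,
                        (SAMLServiceManager.SOAPEntry) ssMap.get("sourceSite"), assertions,
                        (Subject) ssMap.get("subject"), target);
                // At FINER the whole received response (bearer assertions) goes to the access log.
                if (LogUtils.isLoggable(Level.FINER)) {
                    LogUtils.access(Level.FINER, SAMLUtils.bundle.getString("accessGranted") + " "
                            + SAMLUtils.bundle.getString("SAMLResponse") + new String(decodedResponse, "UTF-8") + " "
                            + SAMLUtils.bundle.getString("redirectTo") + target);
                } else {
                    LogUtils.access(Level.INFO, SAMLUtils.bundle.getString("accessGranted") + " "
                            + SAMLUtils.bundle.getString("redirectTo") + target);
                }
                if (!SAMLUtils.postYN(target)) {
                    httpServletResponse.setHeader(AMQueryParameters.QUERY_PARAM_LOCATION, target);
                    httpServletResponse.sendRedirect(target);
                } else {
                    if (SAMLUtils.debug.messageEnabled()) {
                        SAMLUtils.debug.message("POST to target:" + target);
                    }
                    SAMLUtils.postToTarget(httpServletResponse, assertions, target, tokenInfo);
                }
            } catch (Exception e) {
                SAMLUtils.debug.error("generateToken: ", e);
                LogUtils.error(Level.INFO, e.getMessage());
                httpServletResponse.sendError(500, e.getMessage());
            }
        } catch (Exception e) {
            SAMLUtils.debug.error("SAMLPOSTProfileServlet.doPost: Exception when decoding SAMLResponse:", e);
            httpServletResponse.sendError(500, SAMLUtils.bundle.getString("errorDecodeResponse"));
        }
    }

    /**
     * Parses the Response XML and accepts it only if it is signed and the signature verifies.
     *
     * @param responseBytes decoded Response XML; null or empty yields null
     * @return the parsed, signature-verified Response, or null when parsing fails, the Response is
     *         unsigned, or the signature does not verify
     */
    private Response verifySignatureAndGetResponse(byte[] responseBytes) {
        if (responseBytes == null || responseBytes.length == 0) {
            return null;
        }
        Response response;
        try {
            response = Response.parseXML(new ByteArrayInputStream(responseBytes));
        } catch (SAMLException e) {
            SAMLUtils.debug.error("SAMLPOSTProfileServlet.verifySignatureAndGetResponse:", e);
            return null;
        }
        if (response == null) {
            return null;
        }
        if (!response.isSigned() || !response.isSignatureValid()) {
            SAMLUtils.debug.error("SAMLPOSTProfileServlet.verifySignatureAndGetResponse: Response is not signed or its signature is invalid.");
            return null;
        }
        return response;
    }

    /**
     * Checks that the Response was addressed to this endpoint and reports success.
     * The Recipient must equal the request URL as seen by the container, or the same URL with the
     * authority replaced by the request's Host header (see {@link #getLBURL}).
     *
     * @param response the signature-verified Response
     * @param requestUrl the container's request URL
     * @param httpServletRequest the request (for the Host header)
     * @return true if Recipient and StatusCode are acceptable
     */
    private boolean verifyResponse(Response response, String requestUrl, HttpServletRequest httpServletRequest) {
        String recipient = response.getRecipient();
        boolean recipientOk = recipient != null && recipient.length() != 0
                && (recipient.equals(requestUrl) || recipient.equals(getLBURL(requestUrl, httpServletRequest)));
        if (!recipientOk) {
            SAMLUtils.debug.error("SAMLPOSTProfileServlet.verifyResponse: Incorrect Recipient.");
            return false;
        }
        // Null-safe walk; the original dereferenced each level and turned a missing Status into a 500.
        Status status = response.getStatus();
        StatusCode statusCode = (status == null) ? null : status.getStatusCode();
        String statusValue = (statusCode == null) ? null : statusCode.getValue();
        if (statusValue == null || !statusValue.endsWith(":Success")) {
            SAMLUtils.debug.error("SAMLPOSTProfileServlet.verifyResponse: Incorrect StatusCode value.");
            return false;
        }
        return true;
    }

    /**
     * Rebuilds the request URL with the authority taken from the Host header, for deployments where a
     * load balancer's public name differs from the container's. The Host header is client-supplied, so
     * accepting a Recipient that matches it means any Recipient with this scheme and path is accepted.
     * NOTE(review): comparing the header against a configured list of public names would close that;
     * no such setting is visible in this file.
     *
     * @param requestUrl the container's request URL
     * @param httpServletRequest the request whose Host header is used
     * @return the rebuilt URL, or {@code requestUrl} unchanged when there is no usable Host header
     */
    private String getLBURL(String requestUrl, HttpServletRequest httpServletRequest) {
        String hostHeader = httpServletRequest.getHeader("host");
        int schemeEnd = (requestUrl == null) ? -1 : requestUrl.indexOf("//");
        if (hostHeader == null || schemeEnd == -1) {
            return requestUrl;
        }
        hostHeader = hostHeader.trim();
        // A Host value is host[:port]; a separator or whitespace in it would let the header rewrite
        // the path portion of the rebuilt URL, so such values are ignored.
        if (hostHeader.length() == 0 || containsAny(hostHeader, "/\\?# \t")) {
            return requestUrl;
        }
        StringBuffer lbUrl = new StringBuffer(200);
        lbUrl.append(requestUrl.substring(0, schemeEnd + 2)).append(hostHeader);
        String afterAuthority = requestUrl.substring(schemeEnd + 2);
        int pathStart = afterAuthority.indexOf("/");
        if (pathStart != -1) {
            lbUrl.append(afterAuthority.substring(pathStart));
        }
        if (SAMLUtils.debug.messageEnabled()) {
            SAMLUtils.debug.message("SAMLPOSTProfileServlet.getLBURL: LBURL=" + lbUrl.toString());
        }
        return lbUrl.toString().trim();
    }

    /**
     * @param s string to scan
     * @param chars characters to look for
     * @return true if {@code s} contains any character of {@code chars}
     */
    private static boolean containsAny(String s, String chars) {
        for (int i = 0; i < chars.length(); i++) {
            if (s.indexOf(chars.charAt(i)) != -1) {
                return true;
            }
        }
        return false;
    }

    /**
     * Validates every assertion of the Response and consumes their IDs. Each assertion must come from a
     * configured partner, carry a valid signature, be inside its validity window, have exactly one
     * confirmation method ({@code bearer}) on every subject statement (statement types 1, 2 and 3), and
     * must not have been seen before. The subject is taken from the first type-1 statement found; the
     * source site is that of the last assertion.
     *
     * <p>Replay protection: the ID is checked and recorded atomically under the {@code idTimeMap}
     * lock only after the assertion has fully verified, so a forged assertion cannot poison the cache.
     * It is retained until NotOnOrAfter, or {@link #DEFAULT_ID_RETENTION_MILLIS} from now without one.
     *
     * @param response the signature-verified Response
     * @return a map with keys {@code "subject"}, {@code "sourceSite"} and
     *         {@code SAMLConstants.POST_ASSERTION} (the assertion list), or null on any failure
     */
    private Map verifyAssertionAndGetSSMap(Response response) {
        Subject subject = null;
        SAMLServiceManager.SOAPEntry sourceSite = null;
        List<Assertion> assertions = response.getAssertion();
        if (assertions == null) {
            SAMLUtils.debug.error("SAMLPOSTProfileServlet.verifyAssertionAndGetSSMap: couldn't find Subject.");
            return null;
        }
        for (Assertion assertion : assertions) {
            String assertionID = assertion.getAssertionID();
            if (assertionID == null || assertionID.length() == 0) {
                SAMLUtils.debug.error("SAMLPOSTProfileServlet.verifyAssertionAndGetSSMap: Assertion has no AssertionID.");
                return null;
            }
            // Cheap early reject before the signature check; the authoritative check is the claim below.
            if (isAssertionIDUsed(assertionID)) {
                SAMLUtils.debug.error("SAMLPOSTProfileServlet.verifyAssertionAndGetSSMap: Assertion: " + assertionID + " is used.");
                return null;
            }
            SAMLServiceManager.SOAPEntry issuerSite = SAMLUtils.getSourceSite(assertion.getIssuer());
            if (issuerSite == null) {
                SAMLUtils.debug.error("SAMLPOSTProfileServlet.verifyAssertionAndGetSSMap: issuer is not on the Partner list.");
                return null;
            }
            sourceSite = issuerSite;
            // NOTE(review): what isSignatureValid() returns for an unsigned assertion is not visible here.
            if (!assertion.isSignatureValid()) {
                SAMLUtils.debug.error("SAMLPOSTProfileServlet.verifyAssertionAndGetSSMap: assertion's signature is not valid.");
                return null;
            }
            if (!assertion.isTimeValid()) {
                SAMLUtils.debug.error("SAMLPOSTProfileServlet.verifyAssertionAndGetSSMap: assertion's time is not valid.");
                return null;
            }
            Set statements = assertion.getStatement();
            if (statements != null) {
                for (Iterator it = statements.iterator(); it.hasNext();) {
                    Statement statement = (Statement) it.next();
                    int statementType = statement.getStatementType();
                    if (statementType != 1 && statementType != 2 && statementType != 3) {
                        continue;
                    }
                    Subject statementSubject = ((SubjectStatement) statement).getSubject();
                    if (!hasSingleBearerConfirmation(statementSubject)) {
                        return null;
                    }
                    if (statementType == 1 && subject == null) {
                        subject = statementSubject;
                    }
                }
            }
            long retainUntil = System.currentTimeMillis() + DEFAULT_ID_RETENTION_MILLIS;
            Conditions conditions = assertion.getConditions();
            if (conditions != null) {
                Date notOnOrAfter = conditions.getNotOnorAfter();
                if (notOnOrAfter != null) {
                    retainUntil = notOnOrAfter.getTime();
                }
            }
            if (!claimAssertionID(assertionID, retainUntil)) {
                SAMLUtils.debug.error("SAMLPOSTProfileServlet.verifyAssertionAndGetSSMap: Assertion: " + assertionID + " is used.");
                return null;
            }
        }
        if (subject == null || sourceSite == null) {
            SAMLUtils.debug.error("SAMLPOSTProfileServlet.verifyAssertionAndGetSSMap: couldn't find Subject.");
            return null;
        }
        Map result = new HashMap();
        result.put("subject", subject);
        result.put("sourceSite", sourceSite);
        result.put(SAMLConstants.POST_ASSERTION, assertions);
        return result;
    }

    /**
     * Checks that the subject carries exactly one confirmation method and that it is {@code bearer}.
     *
     * @param subject subject of a subject statement; null fails
     * @return true if the confirmation is acceptable (failures are logged)
     */
    private static boolean hasSingleBearerConfirmation(Subject subject) {
        SubjectConfirmation confirmation = (subject == null) ? null : subject.getSubjectConfirmation();
        Set methods = (confirmation == null) ? null : confirmation.getConfirmationMethod();
        if (methods == null || methods.size() != 1) {
            SAMLUtils.debug.error("SAMLPOSTProfileServlet.verifyAssertionAndGetSSMap: missing or extra ConfirmationMethod.");
            return false;
        }
        Object method = methods.iterator().next();
        if (!BEARER_CONFIRMATION_METHOD.equals(method)) {
            SAMLUtils.debug.error("SAMLPOSTProfileServlet.verifyAssertionAndGetSSMap:wrong ConfirmationMethod.");
            return false;
        }
        return true;
    }

    /**
     * @param assertionID ID to look up
     * @return true if the ID is currently in the replay cache
     */
    private static boolean isAssertionIDUsed(String assertionID) {
        synchronized (idTimeMap) {
            return idTimeMap.containsKey(assertionID);
        }
    }

    /**
     * Atomically records the ID as consumed. Check and insert happen under one lock so two concurrent
     * requests presenting the same assertion cannot both succeed.
     *
     * @param assertionID ID to record
     * @param retainUntil epoch millis after which the cleanup thread may drop the entry
     * @return false if the ID was already recorded
     */
    private static boolean claimAssertionID(String assertionID, long retainUntil) {
        synchronized (idTimeMap) {
            if (idTimeMap.containsKey(assertionID)) {
                return false;
            }
            if (SAMLUtils.debug.messageEnabled()) {
                SAMLUtils.debug.message("SAMLPOSTProfileServlet.doPost: Adding " + assertionID + " to idTimeMap.");
            }
            idTimeMap.put(assertionID, Long.valueOf(retainUntil));
        }
        return true;
    }
}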
