package com.adobe.granite.auth.saml;

import com.adobe.granite.auth.saml.SamlIdentitySync;
import com.adobe.granite.auth.saml.binding.MessageContext;
import com.adobe.granite.auth.saml.binding.PostBinding;
import com.adobe.granite.auth.saml.binding.RequestBinding;
import com.adobe.granite.auth.saml.binding.ResponseBinding;
import com.adobe.granite.auth.saml.configuration.IdpConfiguration;
import com.adobe.granite.auth.saml.configuration.SpConfiguration;
import com.adobe.granite.auth.saml.extidp.DefaultUserSync;
import com.adobe.granite.auth.saml.extidp.SamlIdentityPovider;
import com.adobe.granite.auth.saml.extidp.SamlIdpUserSync;
import com.adobe.granite.auth.saml.model.Assertion;
import com.adobe.granite.auth.saml.model.AuthnRequest;
import com.adobe.granite.auth.saml.model.AuthnStatement;
import com.adobe.granite.auth.saml.model.Issuer;
import com.adobe.granite.auth.saml.model.LogoutRequest;
import com.adobe.granite.auth.saml.model.LogoutResponse;
import com.adobe.granite.auth.saml.model.NameIdPolicy;
import com.adobe.granite.auth.saml.model.Response;
import com.adobe.granite.auth.saml.model.SamlConstants;
import com.adobe.granite.auth.saml.model.Status;
import com.adobe.granite.auth.saml.spi.SamlHookException;
import com.adobe.granite.auth.saml.util.OSGiConfigUtil;
import com.adobe.granite.auth.saml.util.SamlReader;
import com.adobe.granite.auth.saml.util.ToggleRouterProvider;
import com.adobe.granite.crypto.CryptoException;
import com.adobe.granite.crypto.CryptoSupport;
import com.adobe.granite.keystore.KeyStoreNotInitialisedException;
import com.adobe.granite.keystore.KeyStoreService;
import com.adobe.granite.toggle.api.ToggleRouter;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URLDecoder;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Calendar;
import java.util.Collections;
import java.util.Dictionary;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.text.StrSubstitutor;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.ConfigurationPolicy;
import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.PropertyOption;
import org.apache.felix.scr.annotations.PropertyUnbounded;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferencePolicyOption;
import org.apache.felix.scr.annotations.Service;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.oak.spi.security.authentication.credentials.CredentialsSupport;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityProvider;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.auth.core.AuthUtil;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.auth.core.spi.DefaultAuthenticationFeedbackHandler;
import org.apache.sling.commons.osgi.OsgiUtil;
import org.apache.sling.jcr.api.SlingRepository;
import org.apache.sling.settings.SlingSettingsService;
import org.apache.sling.xss.XSSAPI;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.cm.ConfigurationAdmin;
import org.osgi.service.component.ComponentContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Service(value = {AuthenticationHandler.class}, serviceFactory = true)
@Component(metatype = true, label = "%granite.auth.saml.label", description = "%granite.auth.saml.description", policy = ConfigurationPolicy.REQUIRE, configurationFactory = true)
@Properties({@Property(name = "service.description", value = {"Adobe Granite SAML Authentication Handler"}, propertyPrivate = true), @Property(name = "service.vendor", value = {"Adobe"}, propertyPrivate = true), @Property(name = "path", value = {SamlAuthenticationHandler.DEFAULT_DEFAULT_REDIRECT_URL}, cardinality = 100, propertyPrivate = false), @Property(name = "service.ranking", intValue = {5002}, propertyPrivate = false), @Property(name = "authtype", value = {SamlIdentitySync.AUTH_TYPE}, propertyPrivate = true)})
/* loaded from: input_file:com/adobe/granite/auth/saml/SamlAuthenticationHandler.class */
public class SamlAuthenticationHandler extends DefaultAuthenticationFeedbackHandler implements AuthenticationHandler {
    private static final String DEFAULT_IDP_URL = "";
    private static final boolean DEFAULT_IDP_HTTP_REDIRECT = false;
    private static final String DEFAULT_SP_ENTITY_ID = "";
    private static final String DEFAULT_DEFAULT_REDIRECT_URL = "/";
    private static final boolean DEFAULT_USE_ENCRYPTION = true;
    private static final String DEFAULT_USER_ID_ATTRIBUTE = "uid";
    private static final boolean DEFAULT_CREATE_USER = true;
    private static final boolean DEFAULT_STORE_SAML_RESPONSE = false;
    private static final boolean DEFAULT_ADD_GROUP_MEMBERSHIPS = true;
    private static final String DEFAULT_GROUPS_ATTRIBUTE = "groupMembership";
    private static final String DEFAULT_NAMEIDFORMAT_ATTRIBUTE = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient";
    private static final boolean DEFAULT_HANDLE_LOGOUT = false;
    private static final String DEFAULT_IDP_CERT_ALIAS = "";
    private static final String DEFAULT_SP_PRIVATE_KEY_ALIAS = "";
    private static final String DEFAULT_KEYSTORE_PASSWORD = "";
    private static final int DEFAULT_CLOCK_TOLERANCE = 60;
    private static final String DEFAULT_DIGEST_METHOD = "http://www.w3.org/2001/04/xmlenc#sha256";
    private static final String DEFAULT_SIGNATURE_METHOD = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    private static final String DEFAULT_SYNC_TYPE = "default";

    @Property({""})
    public static final String OSGI_PROPERTY_IDP_URL = "idpUrl";

    @Property({""})
    public static final String OSGI_PROPERTY_IDP_CERT_ALIAS = "idpCertAlias";

    @Property(boolValue = {false})
    public static final String OSGI_PROPERTY_IDP_HTTP_REDIRECT = "idpHttpRedirect";

    @Property({""})
    public static final String OSGI_PROPERTY_SP_ENTITY_ID = "serviceProviderEntityId";

    @Property
    public static final String OSGI_PROPERTY_ASSERTION_CONSUMER_SERVICE_URL = "assertionConsumerServiceURL";

    @Property({""})
    public static final String OSGI_PROPERTY_SP_PRIVATE_KEY_ALIAS = "spPrivateKeyAlias";

    @Property(passwordValue = {""})
    public static final String OSGI_PROPERTY_KEYSTORE_PASSWORD = "keyStorePassword";

    @Property({DEFAULT_DEFAULT_REDIRECT_URL})
    public static final String OSGI_PROPERTY_DEFAULT_REDIRECT_URL = "defaultRedirectUrl";

    @Property({DEFAULT_USER_ID_ATTRIBUTE})
    public static final String OSGI_PROPERTY_USER_ID_ATTRIBUTE = "userIDAttribute";

    @Property(boolValue = {true})
    public static final String OSGI_PROPERTY_USE_ENCRYPTION = "useEncryption";

    @Property(boolValue = {true})
    public static final String OSGI_PROPERTY_CREATE_USER = "createUser";

    @Property(boolValue = {false})
    public static final String OSGI_PROPERTY_STORE_SAML_RESPONSE = "storeSAMLResponse";

    @Property
    public static final String OSGI_PROPERTY_USER_INTERMEDIATE_PATH = "userIntermediatePath";

    @Property(boolValue = {true})
    public static final String OSGI_PROPERTY_ADD_GROUP_MEMBERSHIPS = "addGroupMemberships";

    @Property({DEFAULT_GROUPS_ATTRIBUTE})
    public static final String OSGI_PROPERTY_GROUPS_ATTRIBUTE = "groupMembershipAttribute";

    @Property(unbounded = PropertyUnbounded.ARRAY)
    public static final String OSGI_PROPERTY_DEFAULT_GROUPS = "defaultGroups";

    @Property({"urn:oasis:names:tc:SAML:2.0:nameid-format:transient"})
    public static final String OSGI_PROPERTY_NAMEIDFORMAT = "nameIdFormat";

    @Property(unbounded = PropertyUnbounded.ARRAY)
    public static final String OSGI_PROPERTY_SYNCH_ATTRIBUTES = "synchronizeAttributes";

    @Property(boolValue = {false})
    public static final String OSGI_PROPERTY_HANDLE_LOGOUT = "handleLogout";

    @Property
    public static final String OSGI_PROPERTY_LOGOUT_URL = "logoutUrl";

    @Property(intValue = {DEFAULT_CLOCK_TOLERANCE})
    public static final String OSGI_PROPERTY_CLOCK_TOLERANCE = "clockTolerance";

    @Property({"http://www.w3.org/2001/04/xmlenc#sha256"})
    public static final String OSGI_PROPERTY_DIGEST_METHOD = "digestMethod";

    @Property({"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"})
    public static final String OSGI_PROPERTY_SIGNATURE_METHOD = "signatureMethod";

    @Property(value = {"default"}, options = {@PropertyOption(name = "default", value = "default sync"), @PropertyOption(name = SamlIdpUserSync.SYNC_TYPE_IDP, value = "oak external idp sync"), @PropertyOption(name = SamlIdpUserSync.SYNC_TYPE_IDP_DYNAMIC, value = "Oak External IDP Sync with Dynamic Groups/Membership"), @PropertyOption(name = SamlIdpUserSync.SYNC_TYPE_IDP_DYNAMIC_SIMPLIFIED_ID, value = "Oak External IDP Sync with Dynamic Groups/Membership with simplified ID without idpName in the username. Use this when migration from default userSync is enabled.")})
    public static final String OSGI_PROPERTY_SYNC_TYPE = "identitySyncType";

    @Property
    public static final String OSGI_PROPERTY_IDP_IDENTIFIER = "idpIdentifier";
    private static final String LOGIN_SUFFIX = "/saml_login";
    private static final String ERROR_HREF_FORMAT = "%s%s.error.html?j_reason=%s";
    private static final String ERROR_PAGE_PATH = "/libs/granite/core/content/login";
    private static final String UTF_8 = "UTF-8";
    private static final String PARAMETER_SAML_REQUEST_PATH = "saml_request_path";
    private static final String REQUEST_PATH_COOKIE = "saml_request_path";
    private static final String LOGIN_TOKEN_COOKIE = "login-token";

    @Reference
    private SlingRepository repository;

    @Reference
    private CryptoSupport cryptoSupport;

    @Reference
    private ResourceResolverFactory resourceResolverFactory;

    @Reference
    private KeyStoreService keyStoreService;
    private IdpConfiguration idpConfiguration;
    private boolean idpHttpRedirect;
    private SpConfiguration spConfiguration;
    private String defaultRedirectUrl;
    private String userIDAttribute;
    private String groupsAttribute;
    private boolean createUser;
    private boolean storeSAMLResponse;
    private String userIntermediatePath;
    private boolean addGroupMemberships;
    private RequestBinding requestBinding;
    private ResponseBinding responseBinding;
    private String nameIdFormat;
    private String[] synchronizeAttributes;
    private Set<String> defaultGroups;
    private boolean handleLogout;
    private String errorTemplate;
    private String idpIdentifier;
    private final Logger log = LoggerFactory.getLogger(getClass());

    @Reference
    XSSAPI xssAPI;
    private SamlReader samlReader;

    @Reference
    private ConfigurationAdmin configurationAdmin;

    @Reference
    private SlingSettingsService settings;

    @Reference(policyOption = ReferencePolicyOption.GREEDY)
    private ToggleRouter toggleRouter;
    private SamlIdentitySync userSync;
    private ServiceRegistration<?> regIdp;
    private Map<String, String> statusCodeErrorsLogMap;
    private SamlHooksTracker samlHooksTracker;

    public SamlAuthenticationHandler() {
        PostBinding postBinding = new PostBinding();
        this.requestBinding = postBinding;
        this.responseBinding = postBinding;
        this.idpConfiguration = new IdpConfiguration();
        this.spConfiguration = new SpConfiguration();
        this.samlReader = new SamlReader();
        this.statusCodeErrorsLogMap = new HashMap();
        this.statusCodeErrorsLogMap.put("", "Invalid SAML. StatusCode has null value. This is not allowed in SAML");
        this.statusCodeErrorsLogMap.put("urn:oasis:names:tc:SAML:2.0:status:Requester", "Invalid SAML. Status code is: urn:oasis:names:tc:SAML:2.0:status:Requester. The request could not be performed due to an error on the part of the requester (AEM)");
        this.statusCodeErrorsLogMap.put(SamlConstants.RESPONDER, "Invalid SAML. Status code is: urn:oasis:names:tc:SAML:2.0:status:Responder. The request could not be performed due to an error on the part of the SAML responder or SAML authority");
        this.statusCodeErrorsLogMap.put(SamlConstants.VERSION_MISMATCH, "Invalid SAML. .Status code is: urn:oasis:names:tc:SAML:2.0:status:VersionMismatch. The SAML responder could not process the request because the version of the request message was incorrect.");
    }

    @Activate
    public void activate(ComponentContext componentContext) {
        this.idpConfiguration.setIdpPostUrl(OsgiUtil.toString(componentContext.getProperties().get(OSGI_PROPERTY_IDP_URL), ""));
        this.idpHttpRedirect = OsgiUtil.toBoolean(componentContext.getProperties().get(OSGI_PROPERTY_IDP_HTTP_REDIRECT), false);
        this.idpConfiguration.setIdpCertAlias(OsgiUtil.toString(componentContext.getProperties().get(OSGI_PROPERTY_IDP_CERT_ALIAS), ""));
        this.spConfiguration.setEntityId(OsgiUtil.toString(componentContext.getProperties().get(OSGI_PROPERTY_SP_ENTITY_ID), ""));
        this.spConfiguration.setUseEncryption(OsgiUtil.toBoolean(componentContext.getProperties().get(OSGI_PROPERTY_USE_ENCRYPTION), true));
        this.spConfiguration.setSpPrivateKeyAlias(OsgiUtil.toString(componentContext.getProperties().get(OSGI_PROPERTY_SP_PRIVATE_KEY_ALIAS), ""));
        this.spConfiguration.setKeyStorePassword(OsgiUtil.toString(componentContext.getProperties().get(OSGI_PROPERTY_KEYSTORE_PASSWORD), ""));
        this.defaultRedirectUrl = OsgiUtil.toString(componentContext.getProperties().get(OSGI_PROPERTY_DEFAULT_REDIRECT_URL), DEFAULT_DEFAULT_REDIRECT_URL);
        this.userIDAttribute = OsgiUtil.toString(componentContext.getProperties().get(OSGI_PROPERTY_USER_ID_ATTRIBUTE), DEFAULT_USER_ID_ATTRIBUTE);
        this.createUser = OsgiUtil.toBoolean(componentContext.getProperties().get(OSGI_PROPERTY_CREATE_USER), true);
        this.storeSAMLResponse = OsgiUtil.toBoolean(componentContext.getProperties().get(OSGI_PROPERTY_STORE_SAML_RESPONSE), false);
        this.userIntermediatePath = OsgiUtil.toString(componentContext.getProperties().get(OSGI_PROPERTY_USER_INTERMEDIATE_PATH), (String) null);
        if (this.userIntermediatePath != null) {
            if (this.userIntermediatePath.startsWith(DEFAULT_DEFAULT_REDIRECT_URL)) {
                this.userIntermediatePath = this.userIntermediatePath.substring(1);
            }
            if (this.userIntermediatePath.endsWith(DEFAULT_DEFAULT_REDIRECT_URL)) {
                this.userIntermediatePath = this.userIntermediatePath.substring(0, this.userIntermediatePath.length() - 1);
            }
        }
        this.addGroupMemberships = OsgiUtil.toBoolean(componentContext.getProperties().get(OSGI_PROPERTY_ADD_GROUP_MEMBERSHIPS), true);
        this.groupsAttribute = OsgiUtil.toString(componentContext.getProperties().get(OSGI_PROPERTY_GROUPS_ATTRIBUTE), DEFAULT_GROUPS_ATTRIBUTE);
        this.nameIdFormat = OsgiUtil.toString(componentContext.getProperties().get(OSGI_PROPERTY_NAMEIDFORMAT), "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
        this.synchronizeAttributes = OsgiUtil.toStringArray(componentContext.getProperties().get(OSGI_PROPERTY_SYNCH_ATTRIBUTES), new String[0]);
        this.defaultGroups = toStringSet(componentContext.getProperties().get(OSGI_PROPERTY_DEFAULT_GROUPS), Collections.emptySet());
        this.handleLogout = OsgiUtil.toBoolean(componentContext.getProperties().get(OSGI_PROPERTY_HANDLE_LOGOUT), false);
        this.idpConfiguration.setIdpLogoutPostUrl(OsgiUtil.toString(componentContext.getProperties().get(OSGI_PROPERTY_LOGOUT_URL), (String) null));
        this.errorTemplate = loadTemplate("/templates/error.html");
        this.spConfiguration.setClockTolerance(OsgiUtil.toInteger(componentContext.getProperties().get(OSGI_PROPERTY_CLOCK_TOLERANCE), DEFAULT_CLOCK_TOLERANCE));
        this.spConfiguration.setAssertionConsumerServiceURL(OsgiUtil.toString(componentContext.getProperties().get(OSGI_PROPERTY_ASSERTION_CONSUMER_SERVICE_URL), (String) null));
        this.requestBinding.setDigestMethod(OsgiUtil.toString(componentContext.getProperties().get(OSGI_PROPERTY_DIGEST_METHOD), "http://www.w3.org/2001/04/xmlenc#sha256"));
        this.requestBinding.setSignatureMethod(OsgiUtil.toString(componentContext.getProperties().get(OSGI_PROPERTY_SIGNATURE_METHOD), "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"));
        if (this.handleLogout && (this.idpConfiguration.getIdpLogoutPostUrl() == null || this.idpConfiguration.getIdpLogoutPostUrl().length() == 0)) {
            this.log.warn("handleLogout set to true, but no logout url provided; logout will be disabled");
        }
        ((PostBinding) this.requestBinding).setXSSAPI(this.xssAPI);
        this.idpIdentifier = OsgiUtil.toString(componentContext.getProperties().get(OSGI_PROPERTY_IDP_IDENTIFIER), (String) null);
        if (this.idpIdentifier == null || this.idpIdentifier.trim().isEmpty()) {
            this.idpIdentifier = this.spConfiguration.getEntityId();
        }
        String osgiUtil = OsgiUtil.toString(componentContext.getProperties().get(OSGI_PROPERTY_SYNC_TYPE), "default");
        if (SamlIdpUserSync.SYNC_TYPE_IDP.equals(osgiUtil)) {
            this.log.info("registering saml idp with id {} and with syncType: {}", this.idpIdentifier, osgiUtil);
            this.userSync = new SamlIdpUserSync(this.idpIdentifier, this.repository.getDefaultWorkspace(), OSGiConfigUtil.getRepositoryId(this.repository, this.settings), this.groupsAttribute, true);
            registerSamlAsIdp(componentContext, this.idpIdentifier, false, true);
        } else if (SamlIdpUserSync.SYNC_TYPE_IDP_DYNAMIC.equals(osgiUtil) || SamlIdpUserSync.SYNC_TYPE_IDP_DYNAMIC_SIMPLIFIED_ID.equals(osgiUtil)) {
            this.log.info("registering saml idp with id {} and with syncType: {}", this.idpIdentifier, osgiUtil);
            boolean z = !SamlIdpUserSync.SYNC_TYPE_IDP_DYNAMIC_SIMPLIFIED_ID.equals(osgiUtil);
            this.userSync = new SamlIdpUserSync(this.idpIdentifier, this.repository.getDefaultWorkspace(), OSGiConfigUtil.getRepositoryId(this.repository, this.settings), this.groupsAttribute, z);
            registerSamlAsIdp(componentContext, this.idpIdentifier, true, z);
        } else {
            this.userSync = new DefaultUserSync(this.repository, this.createUser, this.userIntermediatePath, this.addGroupMemberships, this.defaultGroups, this.groupsAttribute, this.synchronizeAttributes);
        }
        ToggleRouterProvider.setInstance(this.toggleRouter);
        this.samlHooksTracker = new SamlHooksTracker(componentContext.getBundleContext());
        this.samlHooksTracker.open();
        this.log.info("SAML Authentication Handler activated.");
    }

    protected void registerSamlAsIdp(ComponentContext componentContext, String str, boolean z, boolean z2) {
        this.regIdp = componentContext.getBundleContext().registerService(new String[]{ExternalIdentityProvider.class.getName(), CredentialsSupport.class.getName()}, new SamlIdentityPovider(str, z2), (Dictionary) null);
        OSGiConfigUtil.setupSyncHandler(this.configurationAdmin, str, this.userIntermediatePath, this.addGroupMemberships, this.defaultGroups, this.synchronizeAttributes, z);
        OSGiConfigUtil.setupExternalLoginModule(this.configurationAdmin, str);
    }

    @Deactivate
    public void deactivate() {
        if (this.regIdp != null) {
            this.regIdp.unregister();
        }
        ToggleRouterProvider.setInstance(null);
        this.samlHooksTracker.close();
    }

    public AuthenticationInfo extractCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (isDisabled() || httpServletRequest == null || !httpServletRequest.getRequestURI().endsWith(LOGIN_SUFFIX)) {
            return null;
        }
        return handleLogin(httpServletRequest, httpServletResponse);
    }

    public boolean requestCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        Object attribute = httpServletRequest.getAttribute("j_reason");
        if (attribute != null) {
            String valueOf = String.valueOf(attribute);
            if (SamlIdentitySync.REASON.isA(valueOf)) {
                String format = String.format(ERROR_HREF_FORMAT, httpServletRequest.getContextPath(), ERROR_PAGE_PATH, valueOf);
                this.log.info("SAML error with reason: {} detected, redirect user to: {}", new String[]{valueOf, format});
                redirectErrorPage(httpServletResponse, format);
                return false;
            }
            this.log.warn("Unknown reason found: {}", attribute);
        }
        if (this.idpHttpRedirect) {
            httpServletResponse.sendRedirect(this.idpConfiguration.getIdpPostUrl());
            return true;
        }
        ResourceResolver resourceResolver = null;
        try {
            try {
                try {
                    MessageContext messageContext = new MessageContext(this.idpConfiguration, this.spConfiguration);
                    messageContext.setContextPath(httpServletRequest.getContextPath());
                    messageContext.setMessage(createAuthnRequest());
                    resourceResolver = this.resourceResolverFactory.getServiceResourceResolver((Map) null);
                    Key key = null;
                    try {
                        key = this.spConfiguration.getDecryptionKey(this.keyStoreService.getKeyStore(resourceResolver));
                    } catch (KeyStoreNotInitialisedException e) {
                        this.log.debug("Could not retrieve SP's private key: " + e.getMessage());
                    }
                    if (key == null) {
                        this.log.debug("Private key of SP not provided: Cannot sign Authn request.");
                    }
                    if (AuthUtil.isRedirectValid(httpServletRequest, httpServletRequest.getParameter(PostBinding.REQUEST_PATH_COOKIE))) {
                        messageContext.setRequestPathParameter(httpServletRequest.getParameter(PostBinding.REQUEST_PATH_COOKIE));
                    }
                    this.requestBinding.send(messageContext, httpServletResponse, key);
                    if (resourceResolver == null) {
                        return true;
                    }
                    resourceResolver.close();
                    return true;
                } catch (Throwable th) {
                    if (resourceResolver != null) {
                        resourceResolver.close();
                    }
                    throw th;
                }
            } catch (LoginException e2) {
                this.log.error("Could not get service resolver to retrieve SP's private key.");
                if (resourceResolver == null) {
                    return true;
                }
                resourceResolver.close();
                return true;
            }
        } catch (IOException e3) {
            this.log.warn("Could not send authentication request message", e3);
            throw new RuntimeException(e3);
        }
    }

    protected void handleLogout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        KeyStore keyStore = null;
        KeyStore keyStore2 = null;
        Key key = null;
        ResourceResolver resourceResolver = null;
        try {
            try {
                resourceResolver = this.resourceResolverFactory.getServiceResourceResolver((Map) null);
                keyStore = this.keyStoreService.getTrustStore(resourceResolver);
                keyStore2 = this.keyStoreService.getKeyStore(resourceResolver);
                key = this.spConfiguration.getDecryptionKey(keyStore2);
                if (resourceResolver != null) {
                    resourceResolver.close();
                }
            } catch (LoginException e) {
                this.log.warn("Could not access service resource resolver to retrieve SP's private key.");
                if (resourceResolver != null) {
                    resourceResolver.close();
                }
            }
            MessageContext messageContext = new MessageContext(this.idpConfiguration, this.spConfiguration);
            messageContext.setContextPath(httpServletRequest.getContextPath());
            MessageContext messageContext2 = null;
            try {
                messageContext2 = this.responseBinding.receive(messageContext, httpServletRequest, keyStore, keyStore2);
            } catch (IOException e2) {
                this.log.error("Could not handle SingleLogout request.", e2);
            }
            if (messageContext2 == null) {
                this.log.error("Could not read LogoutRequest message.");
                return;
            }
            LogoutRequest logoutRequest = (LogoutRequest) messageContext2.getMessage();
            if (!logoutRequest.isSignatureValid()) {
                this.log.error("Received LogoutRequest with invalid signature.");
                return;
            }
            MessageContext messageContext3 = new MessageContext(this.idpConfiguration, this.spConfiguration);
            messageContext3.setContextPath(httpServletRequest.getContextPath());
            if (httpServletRequest.getParameter(PostBinding.RELAY_STATE_PARAM) != null) {
                messageContext3.setRelayState(httpServletRequest.getParameter(PostBinding.RELAY_STATE_PARAM).getBytes());
            }
            LogoutResponse createLogoutResponse = createLogoutResponse(logoutRequest);
            if (key == null) {
                this.log.debug("Private key of SP not provided: Cannot sign Logout response.");
            }
            messageContext3.setMessage(createLogoutResponse);
            try {
                this.requestBinding.send(messageContext3, httpServletResponse, key);
            } catch (IOException e3) {
                this.log.error("Unable to send LogoutRespond message.", e3);
            }
        } catch (Throwable th) {
            if (resourceResolver != null) {
                resourceResolver.close();
            }
            throw th;
        }
    }

    public void dropCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        if (this.handleLogout && (httpServletRequest instanceof SlingHttpServletRequest)) {
            clearRequestPathCookie(httpServletRequest, httpServletResponse);
            clearCookie(LOGIN_TOKEN_COOKIE, httpServletRequest, httpServletResponse);
            if (httpServletRequest.getParameter(PostBinding.SAML_REQUEST_PARAM) != null) {
                handleLogout(httpServletRequest, httpServletResponse);
                return;
            }
            ResourceResolver resourceResolver = null;
            try {
                try {
                    Authorizable authorizable = (Authorizable) ((SlingHttpServletRequest) httpServletRequest).getResourceResolver().adaptTo(Authorizable.class);
                    if (authorizable.hasProperty(SamlIdentitySync.PROPERTY_SAML_RESPONSE)) {
                        String unprotect = this.cryptoSupport.unprotect(authorizable.getProperty(SamlIdentitySync.PROPERTY_SAML_RESPONSE)[0].getString());
                        Certificate certificate = this.idpConfiguration.getCertificate(this.keyStoreService.getTrustStore(((SlingHttpServletRequest) httpServletRequest).getResourceResolver()));
                        if (certificate != null) {
                            Response response = (Response) this.samlReader.read(new ByteArrayInputStream(unprotect.getBytes(UTF_8)), null, certificate.getPublicKey());
                            MessageContext messageContext = new MessageContext(this.idpConfiguration, this.spConfiguration);
                            messageContext.setMessage(createLogoutRequest(response));
                            messageContext.setContextPath(httpServletRequest.getContextPath());
                            resourceResolver = this.resourceResolverFactory.getServiceResourceResolver((Map) null);
                            Key decryptionKey = this.spConfiguration.getDecryptionKey(this.keyStoreService.getKeyStore(resourceResolver));
                            if (decryptionKey == null) {
                                this.log.debug("Private key of SP not provided: Cannot sign Logout request.");
                            }
                            this.requestBinding.send(messageContext, httpServletResponse, decryptionKey);
                        } else {
                            this.log.error("Unable to perform SAML logout. Could not read IdP certificate from truststore.");
                        }
                    }
                    if (resourceResolver != null) {
                        resourceResolver.close();
                    }
                } catch (Exception e) {
                    this.log.error("Unable to perform SAML logout.", e);
                    if (0 != 0) {
                        resourceResolver.close();
                    }
                }
            } catch (Throwable th) {
                if (0 != 0) {
                    resourceResolver.close();
                }
                throw th;
            }
        }
    }

    protected void clearRequestPathCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        clearCookie(PostBinding.REQUEST_PATH_COOKIE, httpServletRequest, httpServletResponse);
    }

    private static void clearCookie(String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (null != cookies) {
            int length = cookies.length;
            int i = 0;
            while (true) {
                if (i >= length) {
                    break;
                }
                Cookie cookie = cookies[i];
                if (cookie.getName().equals(str)) {
                    cookie.setValue("");
                    break;
                }
                i++;
            }
        }
        Cookie cookie2 = new Cookie(str, "");
        cookie2.setMaxAge(1);
        cookie2.setPath(DEFAULT_DEFAULT_REDIRECT_URL);
        httpServletResponse.addCookie(cookie2);
    }

    public void authenticationFailed(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationInfo authenticationInfo) {
        clearRequestPathCookie(httpServletRequest, httpServletResponse);
    }

    public boolean authenticationSucceeded(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationInfo authenticationInfo) {
        if (!httpServletRequest.getRequestURI().endsWith(LOGIN_SUFFIX)) {
            return DefaultAuthenticationFeedbackHandler.handleRedirect(httpServletRequest, httpServletResponse);
        }
        try {
            String str = this.defaultRedirectUrl;
            Cookie[] cookies = httpServletRequest.getCookies();
            if (null != cookies) {
                for (Cookie cookie : cookies) {
                    if (PostBinding.REQUEST_PATH_COOKIE.equals(cookie.getName())) {
                        String decode = URLDecoder.decode(cookie.getValue(), UTF_8);
                        if (AuthUtil.isRedirectValid(httpServletRequest, decode)) {
                            str = decode;
                        }
                    }
                }
            }
            clearRequestPathCookie(httpServletRequest, httpServletResponse);
            this.userSync.authenticationSucceeded(httpServletRequest, httpServletResponse, authenticationInfo);
            httpServletResponse.sendRedirect(str);
            return true;
        } catch (IOException e) {
            this.log.error("Could not read request.", e);
            return false;
        }
    }

    protected AuthenticationInfo handleLogin(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        MessageContext messageContext = new MessageContext(this.idpConfiguration, this.spConfiguration);
        messageContext.setContextPath(httpServletRequest.getContextPath());
        KeyStore keyStore = null;
        ResourceResolver resourceResolver = null;
        try {
            try {
                ResourceResolver serviceResourceResolver = this.resourceResolverFactory.getServiceResourceResolver((Map) null);
                try {
                    KeyStore trustStore = this.keyStoreService.getTrustStore(serviceResourceResolver);
                    try {
                        keyStore = this.keyStoreService.getKeyStore(serviceResourceResolver);
                    } catch (KeyStoreNotInitialisedException e) {
                        if (this.spConfiguration.getUseEncryption()) {
                            this.log.error("KeyStore uninitialized. Cannot retrieve private key to decrypt assertions.");
                            if (serviceResourceResolver != null) {
                                serviceResourceResolver.close();
                            }
                            return null;
                        }
                    }
                    if (serviceResourceResolver != null) {
                        serviceResourceResolver.close();
                    }
                    MessageContext messageContext2 = null;
                    try {
                        messageContext2 = this.responseBinding.receive(messageContext, httpServletRequest, trustStore, keyStore);
                    } catch (IOException e2) {
                        this.log.error("Fatal failure while parsing the request.", e2);
                    }
                    if (messageContext2 == null) {
                        this.log.error("SAML response parameter was not provided or invalid.");
                        return null;
                    }
                    Response response = (Response) messageContext2.getMessage();
                    boolean z = true;
                    if (this.toggleRouter == null) {
                        this.log.error("Feature Flag for FT_GRANITE-46419 not working. Assuming true");
                    } else {
                        z = this.toggleRouter.isEnabled("FT_GRANITE-46419");
                    }
                    if (z) {
                        Status status = response.getStatus();
                        if (status == null) {
                            this.log.error("Invalid SAML. StatusCode is mandatory element but was not provided.");
                            return AuthenticationInfo.FAIL_AUTH;
                        }
                        String statusCode = status.getStatusCode();
                        if (this.statusCodeErrorsLogMap.containsKey(statusCode)) {
                            this.log.error(this.statusCodeErrorsLogMap.get(statusCode));
                            return AuthenticationInfo.FAIL_AUTH;
                        }
                        if (!statusCode.equals(SamlConstants.SUCCESS)) {
                            this.log.error("Invalid SAML. Status code is not expected. Returning Authentication failed");
                            return AuthenticationInfo.FAIL_AUTH;
                        }
                    }
                    List<Assertion> assertions = response.getAssertions();
                    if (assertions.size() <= 0) {
                        return null;
                    }
                    Assertion assertion = assertions.get(0);
                    if (!assertion.isValid(this.spConfiguration)) {
                        this.log.info("Login failed. SAML token invalid.");
                        httpServletRequest.setAttribute("j_reason", SamlIdentitySync.REASON.invalid_token);
                        return AuthenticationInfo.FAIL_AUTH;
                    }
                    try {
                        this.samlHooksTracker.postSamlValidationProcess(httpServletRequest, assertion, response);
                        String str = null;
                        if (!"".equals(this.userIDAttribute) && assertion.getAttributes().containsKey(this.userIDAttribute)) {
                            str = assertion.getAttributes().get(this.userIDAttribute).getValue().toString().trim();
                        }
                        if ((str == null || "".equals(str)) && assertion.getSubject() != null && assertion.getSubject().getNameId() != null) {
                            str = assertion.getSubject().getNameId().getValue().trim();
                        }
                        if (str == null || "".equals(str)) {
                            this.log.error("Could not extract username from assertion.");
                            httpServletRequest.setAttribute("j_reason", SamlIdentitySync.REASON.no_username);
                            return AuthenticationInfo.FAIL_AUTH;
                        }
                        String str2 = null;
                        if (this.storeSAMLResponse || this.handleLogout) {
                            str2 = response.getRawMessage();
                            try {
                                str2 = this.cryptoSupport.protect(str2);
                            } catch (CryptoException e3) {
                                this.log.error("Encryption of samlResponse failed.", e3);
                            }
                        }
                        return syncUser(httpServletRequest, httpServletResponse, assertion, str, str2);
                    } catch (SamlHookException e4) {
                        this.log.debug("Exception during execution of postSamlValidationHook", e4);
                        return AuthenticationInfo.FAIL_AUTH;
                    }
                } catch (KeyStoreNotInitialisedException e5) {
                    this.log.error("Could not access TrustStore to get the IdP certificate.", e5.getMessage());
                    if (serviceResourceResolver != null) {
                        serviceResourceResolver.close();
                    }
                    return null;
                }
            } catch (LoginException e6) {
                this.log.error("Could not access service resource resolver to retrieve Key- and TrustStore.", e6.getMessage());
                if (0 != 0) {
                    resourceResolver.close();
                }
                return null;
            }
        } catch (Throwable th) {
            if (0 != 0) {
                resourceResolver.close();
            }
            throw th;
        }
    }

    protected AuthenticationInfo syncUser(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Assertion assertion, String str, String str2) {
        AuthenticationInfo process = this.userSync.process(httpServletRequest, httpServletResponse, assertion, str, str2);
        try {
            this.samlHooksTracker.postSyncUserProcess(httpServletRequest, httpServletResponse, assertion, process, str2);
            return process;
        } catch (SamlHookException e) {
            this.log.debug("Exeception during execution of SamlHook: ", e);
            return AuthenticationInfo.FAIL_AUTH;
        }
    }

    protected AuthnRequest createAuthnRequest() {
        AuthnRequest authnRequest = new AuthnRequest();
        authnRequest.setId("_" + UUID.randomUUID().toString());
        authnRequest.setVersion(SamlConstants.VERSION_2);
        authnRequest.setDestination(this.idpConfiguration.getIdpPostUrl());
        authnRequest.setProtocolBinding(SamlConstants.POST_BINDING);
        authnRequest.setIssueInstant(Calendar.getInstance());
        authnRequest.setAssertionConsumerServiceUrl(this.spConfiguration.getAssertionConsumerServiceURL());
        authnRequest.setIssuer(new Issuer(this.spConfiguration.getEntityId()));
        NameIdPolicy nameIdPolicy = new NameIdPolicy();
        nameIdPolicy.setFormat(this.nameIdFormat);
        nameIdPolicy.setAllowCreate(true);
        authnRequest.setNameIdPolicy(nameIdPolicy);
        return authnRequest;
    }

    protected LogoutRequest createLogoutRequest(Response response) {
        LogoutRequest logoutRequest = new LogoutRequest();
        logoutRequest.setIssueInstant(Calendar.getInstance());
        logoutRequest.setId("_" + UUID.randomUUID().toString());
        logoutRequest.setVersion(SamlConstants.VERSION_2);
        logoutRequest.setDestination(this.idpConfiguration.getIdpLogoutPostUrl());
        logoutRequest.setIssuer(new Issuer(this.spConfiguration.getEntityId()));
        logoutRequest.setNameId(response.getNameId());
        logoutRequest.setNameIdFormat(response.getNameIdFormat());
        logoutRequest.setNameQualifier(response.getNameQualifier());
        logoutRequest.setSpNameQualifier(response.getSpNameQualifier());
        Iterator<AuthnStatement> it = response.getAssertions().get(0).getAuthnStatements().iterator();
        while (it.hasNext()) {
            logoutRequest.addSessionIndex(it.next().getSessionIndex());
        }
        return logoutRequest;
    }

    protected LogoutResponse createLogoutResponse(LogoutRequest logoutRequest) {
        LogoutResponse logoutResponse = new LogoutResponse();
        logoutResponse.setIssueInstant(Calendar.getInstance());
        logoutResponse.setId("_" + UUID.randomUUID().toString());
        logoutResponse.setVersion(SamlConstants.VERSION_2);
        logoutResponse.setDestination(this.idpConfiguration.getIdpLogoutPostUrl());
        logoutResponse.setIssuer(new Issuer(this.spConfiguration.getEntityId()));
        logoutResponse.setInResponseTo(logoutRequest.getId());
        Status status = new Status();
        status.setStatusCode(SamlConstants.SUCCESS);
        logoutResponse.setStatus(status);
        return logoutResponse;
    }

    protected boolean isDisabled() {
        return "".equals(this.idpConfiguration.getIdpPostUrl()) || "".equals(this.spConfiguration.getEntityId()) || "".equals(this.idpConfiguration.getIdpCertAlias());
    }

    private void redirectErrorPage(@Nonnull HttpServletResponse httpServletResponse, @Nonnull String str) throws IOException {
        HashMap hashMap = new HashMap();
        hashMap.put("href", str);
        String replace = new StrSubstitutor(hashMap, "{", "}").replace(this.errorTemplate);
        httpServletResponse.setContentType("text/html");
        httpServletResponse.addHeader("cache-control", "private, max-age=0, no-cache, no-store");
        httpServletResponse.getOutputStream().print(replace);
        httpServletResponse.flushBuffer();
    }

    @Nullable
    private Set<String> toStringSet(@Nullable Object obj, @Nullable Set<String> set) {
        String[] stringArray = OsgiUtil.toStringArray(obj);
        return stringArray != null ? buildSet(stringArray) : set;
    }

    @Nonnull
    private Set<String> buildSet(@Nonnull String[] strArr) {
        HashSet hashSet = new HashSet(strArr.length);
        for (String str : strArr) {
            if (str != null) {
                String trim = str.trim();
                if (trim.length() != 0) {
                    hashSet.add(trim);
                }
            }
        }
        return hashSet;
    }

    @Nonnull
    private String loadTemplate(@Nonnull String str) {
        InputStream resourceAsStream = getClass().getResourceAsStream(str);
        if (resourceAsStream != null) {
            try {
                return IOUtils.toString(resourceAsStream, UTF_8);
            } catch (IOException e) {
                this.log.error("I/O error while loading the template: {}", str, e);
            }
        }
        throw new RuntimeException(String.format("Failed to load template: %s", str));
    }

    protected void bindRepository(SlingRepository slingRepository) {
        this.repository = slingRepository;
    }

    protected void unbindRepository(SlingRepository slingRepository) {
        if (this.repository == slingRepository) {
            this.repository = null;
        }
    }

    protected void bindCryptoSupport(CryptoSupport cryptoSupport) {
        this.cryptoSupport = cryptoSupport;
    }

    protected void unbindCryptoSupport(CryptoSupport cryptoSupport) {
        if (this.cryptoSupport == cryptoSupport) {
            this.cryptoSupport = null;
        }
    }

    protected void bindResourceResolverFactory(ResourceResolverFactory resourceResolverFactory) {
        this.resourceResolverFactory = resourceResolverFactory;
    }

    protected void unbindResourceResolverFactory(ResourceResolverFactory resourceResolverFactory) {
        if (this.resourceResolverFactory == resourceResolverFactory) {
            this.resourceResolverFactory = null;
        }
    }

    protected void bindKeyStoreService(KeyStoreService keyStoreService) {
        this.keyStoreService = keyStoreService;
    }

    protected void unbindKeyStoreService(KeyStoreService keyStoreService) {
        if (this.keyStoreService == keyStoreService) {
            this.keyStoreService = null;
        }
    }

    protected void bindXssAPI(XSSAPI xssapi) {
        this.xssAPI = xssapi;
    }

    protected void unbindXssAPI(XSSAPI xssapi) {
        if (this.xssAPI == xssapi) {
            this.xssAPI = null;
        }
    }

    protected void bindConfigurationAdmin(ConfigurationAdmin configurationAdmin) {
        this.configurationAdmin = configurationAdmin;
    }

    protected void unbindConfigurationAdmin(ConfigurationAdmin configurationAdmin) {
        if (this.configurationAdmin == configurationAdmin) {
            this.configurationAdmin = null;
        }
    }

    protected void bindSettings(SlingSettingsService slingSettingsService) {
        this.settings = slingSettingsService;
    }

    protected void unbindSettings(SlingSettingsService slingSettingsService) {
        if (this.settings == slingSettingsService) {
            this.settings = null;
        }
    }

    protected void bindToggleRouter(ToggleRouter toggleRouter) {
        this.toggleRouter = toggleRouter;
    }

    protected void unbindToggleRouter(ToggleRouter toggleRouter) {
        if (this.toggleRouter == toggleRouter) {
            this.toggleRouter = null;
        }
    }
}
