package coldfusion.saml;

import coldfusion.filter.FusionContext;
import coldfusion.log.CFLogs;
import coldfusion.runtime.ApplicationException;
import coldfusion.saml.SAMLServiceImpl;
import coldfusion.saml.SamlAuth;
import coldfusion.saml.util.SignatureVerifier;
import coldfusion.server.ServiceFactory;
import coldfusion.util.RB;
import com.onelogin.saml2.exception.SettingsException;
import com.onelogin.saml2.http.HttpRequest;
import com.onelogin.saml2.servlet.ServletUtils;
import com.onelogin.saml2.settings.Saml2Settings;
import com.onelogin.saml2.util.Util;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.commons.lang3.StringUtils;

/* loaded from: input_file:coldfusion/saml/SamlResponseHandler.class */
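/**
 * Handles SAML messages arriving at the service provider: login responses,
 * logout responses and IdP-initiated logout requests.
 *
 * <p>An instance is bound to the current {@link FusionContext} request. The
 * constructor extracts the {@code InResponseTo} value from the incoming message
 * and uses it to look up the pending {@link RequestOptions} in the SAML cache.
 * A missing cache entry is treated as a replayed or unsolicited message by
 * {@link #handleResponse()}.
 *
 * <p>NOTE(review): the inner exception classes are non-static and several are
 * referenced by name in resource-bundle lookups ({@code RB.getString(this, ...)});
 * their shape is deliberately left as-is.
 */
public class SamlResponseHandler {
    private static final String INRESPONSETO = "InResponseTo";
    private static final String LOGIN_NAMEID = "NAMEID";
    private static final String LOGIN_NAMEID_FORMAT = "NAMEIDFORMAT";
    private static final String LOGIN_NAMEIDQUALIFIER = "NAMEIDQUALIFIER";
    private static final String LOGIN_NAMEIDSPQUALIFIER = "NAMEIDSPQUALIFIER";
    private static final String LOGIN_SESSIONINDEX = "SESSIONINDEX";
    private static final String LOGIN_AUTHENTICATED = "AUTHENTICATED";
    private static final String LOGIN_ATTRIBUTES = "ATTRIBUTES";
    private static final String LOGOUT_SUCCESS = "SUCCESSFULLOGOUT";
    private static final String RELAYSTATE = "RELAYSTATE";
    private static final String LOGOUT_PREFIX = "LOGOUT";
    private static final String SAML_REQUEST = "SAMLRequest";
    private static final String SAML_RESPONSE = "SAMLResponse";

    // Pending request state loaded from the SAML cache; null when no entry matched the message id.
    private RequestOptions requestOptions;
    private SamlAuth auth;
    // InResponseTo value taken from the incoming message; null when it could not be extracted.
    private String id;
    private String idpName;
    private String spName;

    /** Thrown when no identity-provider configuration can be found for the requested name. */
    public class IdpNotFoundException extends ApplicationException {
        public IdpNotFoundException() {
        }
    }

    /** Thrown when the expected SAML parameter is absent from the current request. */
    public class InvalidBindingException extends ApplicationException {
        public InvalidBindingException() {
        }
    }

    /** Thrown when an incoming SAML message is rejected or cannot be processed. */
    public class SamlResponseException extends ApplicationException {
        // Public field kept as-is: it is part of the exception's visible shape.
        public String message = "";

        /**
         * @param str reason text exposed through {@link #message}
         */
        public SamlResponseException(String str) {
            this.message = str;
        }

        /**
         * @param str reason text exposed through {@link #message}
         * @param th  underlying cause, passed to the superclass
         */
        public SamlResponseException(String str, Throwable th) {
            super(th);
            this.message = str;
        }
    }

    /** Thrown when no service-provider configuration can be found for the requested name. */
    public class SpNotFoundException extends ApplicationException {
        public SpNotFoundException() {
        }
    }

    /**
     * Binds the handler to the SAML message carried by the current request.
     *
     * @param z    {@code true} to read the id from the {@code SAMLRequest} parameter,
     *             {@code false} to read it from {@code SAMLResponse}
     * @param str  identity-provider name
     * @param str2 service-provider name
     * @throws SpNotFoundException if the service provider cannot be resolved
     */
    public SamlResponseHandler(boolean z, String str, String str2) {
        String messageId = getId(z);
        SpConfiguration sp = getSp(str2);
        if (messageId != null) {
            this.id = messageId;
            this.requestOptions = SamlCacheHelper.getCacheValue(messageId, sp, "SAML Response");
        }
        this.idpName = str;
        this.spName = str2;
    }

    /**
     * Extracts the first quoted value following the text {@code InResponseTo}
     * in the base64-decoded SAML parameter of the current request.
     *
     * <p>NOTE(review): this is a textual search over a message that has not been
     * validated yet, so the value may differ from the {@code InResponseTo}
     * attribute an XML parser would read. It is used here as a cache lookup key;
     * confirm that {@link SamlAuth} compares the parsed attribute against the
     * pending request before the response is trusted.
     *
     * @param z {@code true} to read {@code SAMLRequest}, {@code false} to read {@code SAMLResponse}
     * @return the extracted id, or {@code null} when the parameter is absent,
     *         cannot be decoded, or carries no quoted {@code InResponseTo} value
     */
    private String getId(boolean z) {
        HttpRequest httpRequest = ServletUtils.makeHttpRequest(FusionContext.getCurrent().getRequest());
        String encoded = httpRequest.getParameter(z ? SAML_REQUEST : SAML_RESPONSE);
        if (encoded == null) {
            return null;
        }
        try {
            String decoded = new String(Util.base64decoder(encoded), java.nio.charset.StandardCharsets.UTF_8);
            String[] segments = decoded.split(INRESPONSETO);
            if (segments.length <= 1) {
                return null;
            }
            // Bounded search for the opening and closing quote; a missing quote yields null
            // instead of walking off the end of the string.
            String afterMarker = segments[1];
            int openQuote = afterMarker.indexOf('"');
            if (openQuote < 0) {
                return null;
            }
            int closeQuote = afterMarker.indexOf('"', openQuote + 1);
            if (closeQuote < 0) {
                return null;
            }
            return afterMarker.substring(openQuote + 1, closeQuote);
        } catch (Exception e) {
            // Log through the application log rather than stderr, and keep request-derived
            // text out of the entry: only the exception type is recorded.
            CFLogs.APPLICATION_LOG.warn("Could not extract InResponseTo from SAML message: " + e.getClass().getName());
            return null;
        }
    }

    /**
     * Dispatches the incoming message according to the state of the pending request.
     *
     * @return the login or logout result map, or {@code null} when the pending
     *         request is in neither the login-pending nor the logout-pending state
     * @throws SamlResponseException if no pending request matches the message
     */
    public Map handleResponse() {
        checkReplayAttack();
        if (isLoginResponse()) {
            return handleLoginResponse();
        }
        if (isLogoutResponse()) {
            return handleLogoutResponse();
        }
        return null;
    }

    /**
     * Rejects the message when no pending request was found in the cache.
     *
     * <p>This also fires when the message id could not be extracted at all, since
     * the cache is not consulted in that case.
     */
    private void checkReplayAttack() {
        if (this.requestOptions != null) {
            return;
        }
        String reason = RB.getString(this, "ReplayAttack");
        CFLogs.APPLICATION_LOG.warn(reason);
        throw new SamlResponseException(reason);
    }

    /** @return {@code true} when a pending request exists and is awaiting a login response */
    private boolean isLoginResponse() {
        return this.requestOptions != null && this.requestOptions.getSamlState() == SamlState.LOGIN_PENDING;
    }

    /** @return {@code true} when a pending request exists and is awaiting a logout response */
    private boolean isLogoutResponse() {
        return this.requestOptions != null && this.requestOptions.getSamlState() == SamlState.LOGOUT_PENDING;
    }

    /** @return {@code true} when the first error reported by {@link #auth} equals {@code code} */
    private boolean firstErrorIs(String code) {
        return StringUtils.equals(this.auth.getErrors().get(0), code);
    }

    /**
     * Processes a login response and returns the authenticated subject's details.
     *
     * <p>The pending cache entry is removed on success and whenever the generic
     * {@code Throwable} handler runs. NOTE(review): it is left in place when
     * processing reports an unrecognised error code, on {@code SettingsException}
     * and on {@code XXEException}; confirm that a failed attempt is meant to leave
     * the request id usable.
     *
     * @return a map with the keys {@code NAMEID}, {@code NAMEIDFORMAT},
     *         {@code NAMEIDQUALIFIER}, {@code NAMEIDSPQUALIFIER}, {@code SESSIONINDEX},
     *         {@code AUTHENTICATED}, {@code ATTRIBUTES} and {@code RELAYSTATE}, or
     *         {@code null} when processing reported an error other than
     *         {@code invalid_response} or {@code invalid_binding}
     * @throws SamlResponseException if the message id is missing, no login is pending,
     *                               or the response is rejected
     */
    public Map handleLoginResponse() {
        Map<String, Object> result = new HashMap<>();
        FusionContext current = FusionContext.getCurrent();
        this.auth = new SamlAuth(getSettings(), current.getRequest(), current.getResponse(), this.requestOptions, getSp(this.spName));
        try {
            if (this.id == null) {
                throw new SamlResponseException(RB.getString(this, "InvalidResponseID"));
            }
            // The id is known to be non-null here, so only the pending state remains to be checked.
            if (this.requestOptions == null || this.requestOptions.getSamlState() != SamlState.LOGIN_PENDING) {
                throw new SamlResponseException(RB.getString(this, "LifetimeExpired"));
            }
            this.auth.processResponse();
            if (!this.auth.getErrors().isEmpty()) {
                String reason = null;
                if (firstErrorIs("invalid_response")) {
                    reason = this.auth.getLastErrorReason();
                } else if (firstErrorIs("invalid_binding")) {
                    reason = RB.getString(this, "InvalidBinding");
                }
                if (reason != null) {
                    throw new SamlResponseException(reason);
                }
                return null;
            }
            // Consume the pending request so the same InResponseTo cannot be accepted twice.
            SamlCacheHelper.removeCacheValue(this.id, getSp(this.spName), "SAML Login");
            result.put(LOGIN_NAMEID, this.auth.getNameId());
            result.put(LOGIN_NAMEID_FORMAT, this.auth.getNameIdFormat());
            result.put(LOGIN_NAMEIDQUALIFIER, this.auth.getNameIdNameQualifier());
            result.put(LOGIN_NAMEIDSPQUALIFIER, this.auth.getNameIdSPNameQualifier());
            result.put(LOGIN_SESSIONINDEX, this.auth.getSessionIndex());
            result.put(LOGIN_AUTHENTICATED, Boolean.valueOf(this.auth.isAuthenticated()));
            result.put(LOGIN_ATTRIBUTES, this.auth.getAttributes());
            // RelayState is taken straight from the request; callers should treat it as untrusted input.
            result.put(RELAYSTATE, current.getRequest().getParameter("RelayState"));
            return result;
        } catch (SettingsException e) {
            // Keep the cause attached so the configuration problem stays diagnosable.
            throw new SamlResponseException(e.getLocalizedMessage(), e);
        } catch (SamlAuth.XXEException e2) {
            throw e2;
        } catch (Throwable th) {
            SamlCacheHelper.removeCacheValue(this.id, getSp(this.spName), "SAML Login");
            CFLogs.APPLICATION_LOG.error(th.getLocalizedMessage(), th);
            throw new SamlResponseException(th.getLocalizedMessage(), th);
        }
    }

    /**
     * Processes a logout response from the identity provider.
     *
     * <p>Any exception raised while processing, including the specific rejection
     * reasons thrown inside the {@code try}, reaches the caller as the generic
     * {@code GenericResponseException} text; the detail is written to the
     * application log.
     *
     * @return a map holding {@code SUCCESSFULLOGOUT}, or {@code null} when
     *         processing reported an error code that is not handled here
     * @throws InvalidBindingException if the request carries no {@code SAMLResponse} parameter
     * @throws SamlResponseException   if signature validation fails, the message id is missing,
     *                                 no logout is pending, or processing fails
     */
    public Map handleLogoutResponse() {
        Map<String, Object> result = new HashMap<>();
        FusionContext current = FusionContext.getCurrent();
        if (ServletUtils.makeHttpRequest(current.getRequest()).getParameter(SAML_RESPONSE) == null) {
            throw new InvalidBindingException();
        }
        Saml2Settings settings = getSettings();
        if (settings.getWantMessagesSigned()) {
            try {
                new SignatureVerifier().validateLogoutSignature(settings);
            } catch (Throwable th) {
                throw new SamlResponseException(th.getMessage(), th);
            }
        }
        // The message signature was checked above when required; the flag is cleared before the
        // settings are handed to SamlAuth.
        // NOTE(review): this mutates whatever object getSamlSettings returned. Confirm it is a
        // per-request instance, otherwise signed-message enforcement is switched off for other users
        // of the same settings object.
        settings.setWantMessagesSigned(false);
        this.auth = new SamlAuth(settings, current.getRequest(), current.getResponse(), this.requestOptions, getSp(this.spName));
        if (this.id == null) {
            throw new SamlResponseException(RB.getString(this, "InvalidResponseID"));
        }
        if (this.requestOptions == null || this.requestOptions.getSamlState() != SamlState.LOGOUT_PENDING) {
            throw new SamlResponseException(RB.getString(this, "LifetimeExpired"));
        }
        try {
            this.auth.processSLO(getId(false));
            if (this.auth.getErrors().isEmpty()) {
                result.put(LOGOUT_SUCCESS, Boolean.valueOf(this.auth.getLogoutSuccess()));
                return result;
            }
            if (firstErrorIs("invalid_logout_response")) {
                throw new SamlResponseException(this.auth.getLastErrorReason());
            }
            if (firstErrorIs("invalid_binding")) {
                throw new SamlResponseException(RB.getString(this, "InvalidBinding"));
            }
            if (!firstErrorIs("logout_not_success")) {
                return null;
            }
            result.put(LOGOUT_SUCCESS, false);
            return result;
        } catch (Exception e) {
            // The caller only sees the generic text, so record the real cause for operators.
            CFLogs.APPLICATION_LOG.error(e.getLocalizedMessage(), e);
            throw new SamlResponseException(RB.getString(this, "GenericResponseException"));
        }
    }

    /**
     * Processes an IdP-initiated logout request and records it in the SAML cache
     * under {@code "LOGOUT" + SESSIONINDEX} for a later {@link #sendLogoutResponse(String)}.
     *
     * <p>NOTE(review): the cache key is built from the session index reported by
     * the request; a missing value produces the key {@code "LOGOUTnull"}. Confirm
     * that {@code processIdpInitatedSLO} always supplies it.
     *
     * @return the map produced by {@code SamlAuth.processIdpInitatedSLO()}
     * @throws InvalidBindingException if the request carries no {@code SAMLRequest} parameter
     * @throws SamlResponseException   with the generic request-error text on any processing failure
     */
    public Map handleLogoutRequest() {
        FusionContext current = FusionContext.getCurrent();
        String samlRequest = ServletUtils.makeHttpRequest(current.getRequest()).getParameter(SAML_REQUEST);
        RequestOptions logoutOptions = new RequestOptions(this.idpName, this.spName, SamlState.LOGOUT_REQUEST_PROCESSING);
        if (samlRequest == null) {
            throw new InvalidBindingException();
        }
        this.auth = new SamlAuth(getSettings(this.idpName, this.spName), current.getRequest(), current.getResponse(), logoutOptions, getSp(this.spName));
        try {
            Map sloResult = this.auth.processIdpInitatedSLO();
            String reason = null;
            if (this.auth.getErrors().isEmpty()) {
                // Result unused; the call is retained in case the accessor has side effects — TODO confirm.
                FusionContext.getCurrent().pageContext.getVariableScope();
                SamlCacheHelper.updateCache(LOGOUT_PREFIX + ((String) sloResult.get(LOGIN_SESSIONINDEX)), logoutOptions, getSp(this.spName));
            } else if (firstErrorIs("invalid_logout_request")) {
                reason = this.auth.getLastErrorReason();
            } else if (firstErrorIs("invalid_binding")) {
                reason = RB.getString(this, "InvalidBinding");
            }
            if (reason != null) {
                throw new SamlResponseException(reason);
            }
            return sloResult;
        } catch (Exception e) {
            // The caller only sees the generic text, so record the real cause for operators.
            CFLogs.APPLICATION_LOG.error(e.getLocalizedMessage(), e);
            throw new SamlResponseException(RB.getString(this, "GenericRequestException"));
        }
    }

    /**
     * Sends the logout response for a previously recorded IdP-initiated logout request.
     *
     * <p>Nothing is sent when the current request has no {@code SAMLRequest}
     * parameter or when no logout request is cached for the session index. The
     * cache entry is checked for {@code null} before it is used to build the
     * settings, so an unknown session index no longer fails with a
     * {@code NullPointerException}.
     *
     * @param str session index identifying the cached logout request
     * @throws SamlResponseException if sending the response fails
     */
    public void sendLogoutResponse(String str) {
        FusionContext current = FusionContext.getCurrent();
        String samlRequest = ServletUtils.makeHttpRequest(current.getRequest()).getParameter(SAML_REQUEST);
        // Result unused; the call is retained in case the accessor has side effects — TODO confirm.
        FusionContext.getCurrent().pageContext.getVariableScope();
        RequestOptions pending = SamlCacheHelper.getCacheValue(LOGOUT_PREFIX + str, getSp(this.spName), "SAML Logout Response");
        if (samlRequest == null) {
            return;
        }
        if (pending == null) {
            // Static message on purpose: the session index comes from the caller and is not logged.
            CFLogs.APPLICATION_LOG.warn("SAML logout response not sent: no pending logout request found in cache");
            return;
        }
        this.auth = new SamlAuth(getSettings(pending.getIdpConfig(), pending.getSpConfig()), current.getRequest(), current.getResponse(), null, getSp(this.spName));
        try {
            if (pending.getSamlState() == SamlState.LOGOUT_REQUEST_PROCESSING) {
                this.auth.performLogoutRequestRedirect();
            }
        } catch (Exception e) {
            // The caller only sees the generic text, so record the real cause for operators.
            CFLogs.APPLICATION_LOG.error(e.getLocalizedMessage(), e);
            throw new SamlResponseException(RB.getString(this, "LogoutResponseSendException"));
        }
    }

    /** @return SAML settings for this handler's identity provider and service provider */
    private Saml2Settings getSettings() {
        return getSettings(this.idpName, this.spName);
    }

    /**
     * @param str  identity-provider name
     * @param str2 service-provider name
     * @return SAML settings built from the two resolved configurations
     */
    private Saml2Settings getSettings(String str, String str2) {
        return SamlHelper.getSamlSettings(getIdp(str), getSp(str2));
    }

    /**
     * Resolves an identity-provider configuration, preferring the application-scope
     * struct and falling back to the SAML service metadata.
     *
     * @param str identity-provider name
     * @return the validated configuration
     * @throws IdpNotFoundException          if neither source yields a configuration
     * @throws SAMLServiceImpl.IdpException if validation reports any problem
     */
    private IdpConfiguration getIdp(String str) {
        IdpConfiguration idp = null;
        Map appScoped = SamlHelper.getStructFromAppScope(SamlRequestBuilder.IDP, str);
        if (appScoped != null) {
            idp = SamlHelper.createIdpConfigFromStruct(appScoped);
        }
        if (idp == null) {
            idp = (IdpConfiguration) ServiceFactory.getSamlService().getIdpMetadata(str);
        }
        if (idp == null) {
            throw new IdpNotFoundException();
        }
        List<String> problems = SamlHelper.validateIdpSettings(idp);
        if (!problems.isEmpty()) {
            throw new SAMLServiceImpl.IdpException(problems);
        }
        return idp;
    }

    /**
     * Resolves a service-provider configuration, preferring the application-scope
     * struct and falling back to the SAML service metadata.
     *
     * @param str service-provider name
     * @return the validated configuration
     * @throws SpNotFoundException          if neither source yields a configuration
     * @throws SAMLServiceImpl.SpException if validation reports any problem
     */
    private SpConfiguration getSp(String str) {
        SpConfiguration sp = null;
        Map appScoped = SamlHelper.getStructFromAppScope(SamlRequestBuilder.SP, str);
        if (appScoped != null) {
            sp = SamlHelper.createSpConfigFromStruct(appScoped);
        }
        if (sp == null) {
            sp = (SpConfiguration) ServiceFactory.getSamlService().getSpMetadata(str);
        }
        if (sp == null) {
            throw new SpNotFoundException();
        }
        List<String> problems = SamlHelper.validateSpSettings(sp);
        if (!problems.isEmpty()) {
            throw new SAMLServiceImpl.SpException(problems);
        }
        return sp;
    }
}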
