package org.apache.cxf.fediz.core.handler;

import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.cxf.fediz.core.FederationConstants;
import org.apache.cxf.fediz.core.RequestState;
import org.apache.cxf.fediz.core.config.FederationProtocol;
import org.apache.cxf.fediz.core.config.FedizContext;
import org.apache.cxf.fediz.core.config.SAMLProtocol;
import org.apache.cxf.fediz.core.exception.ProcessingException;
import org.apache.cxf.fediz.core.processor.FedizProcessorFactory;
import org.apache.cxf.fediz.core.processor.FedizRequest;
import org.apache.cxf.fediz.core.processor.FedizResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/fediz-core-1.6.0.jar:org/apache/cxf/fediz/core/handler/SigninHandler.class */
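public class SigninHandler<T> implements RequestHandler<T> {
    private static final Logger LOG = LoggerFactory.getLogger(SigninHandler.class);

    /** Plugin configuration: protocol (WS-Federation or SAML), configured audience URIs, state-validation flag. */
    private final FedizContext fedizContext;

    /**
     * @param fedizContext the Fediz configuration this handler validates sign-in responses against
     */
    public SigninHandler(FedizContext fedizContext) {
        this.fedizContext = fedizContext;
    }

    /**
     * Decides whether this request is a sign-in response for the configured protocol:
     * WS-Federation needs {@code wa=wsignin1.0}, SAML needs a {@code SAMLResponse} parameter.
     * Nothing about the token itself is validated here.
     */
    @Override // org.apache.cxf.fediz.core.handler.RequestHandler
    public boolean canHandleRequest(HttpServletRequest httpServletRequest) {
        Object protocol = this.fedizContext.getProtocol();
        if (protocol instanceof FederationProtocol) {
            if ("wsignin1.0".equals(httpServletRequest.getParameter("wa"))) {
                return true;
            }
        }
        return protocol instanceof SAMLProtocol && httpServletRequest.getParameter("SAMLResponse") != null;
    }

    /**
     * Processes a sign-in response: enforces POST, extracts the token, runs the protocol processor and the
     * audience check, and finally delegates to {@link #createPrincipal}.
     *
     * @return whatever {@link #createPrincipal} produces, or {@code null} when no token could be extracted,
     *         the audience restriction does not match, or processing raised a {@link ProcessingException}
     * @throws RuntimeException for a non-POST request or (via {@link #getResponseToken}) a missing token parameter
     */
    @Override // org.apache.cxf.fediz.core.handler.RequestHandler
    public T handleRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        // Sign-in responses are only accepted via POST so the token never travels in a query string.
        String method = httpServletRequest.getMethod();
        if (!"POST".equals(method)) {
            // Report the method actually used rather than always blaming GET.
            throw new RuntimeException("Incorrect method " + method + " for Sign-In-Response");
        }
        LOG.debug("Sign-In-Response received");
        // Null only when the configured protocol is neither WS-Federation nor SAML; a missing parameter throws.
        String responseToken = getResponseToken(httpServletRequest);
        if (responseToken == null) {
            return null;
        }
        LOG.debug("Validating RSTR...");
        try {
            FedizResponse fedizResponse = processSigninRequest(responseToken, httpServletRequest, httpServletResponse);
            // The request URL is passed for diagnostics only; acceptance is decided by the configured audience URIs.
            String requestUrl = httpServletRequest.getRequestURL().toString();
            if (!validateAudienceRestrictions(fedizResponse.getAudience(), requestUrl)) {
                return null;
            }
            LOG.debug("RSTR validated successfully");
            return createPrincipal(httpServletRequest, httpServletResponse, fedizResponse);
        } catch (ProcessingException e) {
            // Keep the exception as the last argument so SLF4J records the stack trace: the message alone
            // rarely identifies which validation step rejected the token.
            LOG.error("Federation processing failed: " + e.getMessage(), e);
            return null;
        }
    }

    /**
     * Hook for turning a validated response into the container-specific principal. The base implementation
     * returns {@code null}; a subclass has to override it to produce a principal.
     */
    protected T createPrincipal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FedizResponse fedizResponse) {
        return null;
    }

    /**
     * Builds a {@link FedizRequest} from the HTTP request and hands it to the protocol-specific processor.
     *
     * @param str the raw response token ({@code wresult} or {@code SAMLResponse})
     * @return the processor's result
     * @throws ProcessingException when the processor rejects the token
     */
    public FedizResponse processSigninRequest(String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ProcessingException {
        LOG.debug("Process SignIn request");
        // NOTE(security): the raw token is written to the log at DEBUG level. Treat it as a credential and
        // do not enable DEBUG for this logger on production systems.
        LOG.debug("token=\n{}", str);
        FedizRequest fedizRequest = new FedizRequest();
        fedizRequest.setAction(httpServletRequest.getParameter("wa"));
        fedizRequest.setResponseToken(str);
        if (this.fedizContext.getProtocol() instanceof SAMLProtocol) {
            // RelayState is client-controlled. It is only used as a key to look up the state saved at
            // sign-in time, so an unknown value simply yields no saved state.
            String relayState = httpServletRequest.getParameter("RelayState");
            fedizRequest.setState(relayState);
            if (relayState != null) {
                // Don't create a session just to look for saved state: without an existing session
                // there is nothing to find.
                HttpSession session = httpServletRequest.getSession(false);
                if (session != null) {
                    String stateKey = FederationConstants.SESSION_SAVED_REQUEST_STATE_PREFIX + relayState;
                    fedizRequest.setRequestState((RequestState) session.getAttribute(stateKey));
                    // Consume the saved state so the same RelayState cannot be used a second time.
                    session.removeAttribute(stateKey);
                }
            }
        }
        fedizRequest.setRequest(httpServletRequest);
        // Client certificate chain from the TLS layer, if any; presumably consumed by the processor for
        // holder-of-key style checks — verify in the protocol processor.
        fedizRequest.setCerts((X509Certificate[]) httpServletRequest.getAttribute("javax.servlet.request.X509Certificate"));
        return FedizProcessorFactory.newFedizProcessor(this.fedizContext.getProtocol()).processRequest(fedizRequest, this.fedizContext);
    }

    /**
     * Checks the token's audience against the configured audience URIs.
     *
     * @param str  the audience taken from the processed token, may be {@code null}
     * @param str2 the request URL; used only for a debug message, never for the decision
     * @return {@code true} when no audience URIs are configured and the token carries none, or when the token
     *         audience starts with one of the configured URIs; {@code false} otherwise
     */
    protected boolean validateAudienceRestrictions(String str, String str2) {
        List<String> audienceUris = this.fedizContext.getAudienceUris();
        // A token without audience is only acceptable when nothing is configured at all.
        if (audienceUris.isEmpty() && str == null) {
            return true;
        }
        // Configured list but no audience in the token: reject.
        if (str == null) {
            return false;
        }
        boolean matched = false;
        for (String configuredUri : audienceUris) {
            // NOTE(security): this is a prefix match, not equality. A configured "https://rp.example.com"
            // also accepts an audience of "https://rp.example.com.attacker.test" or any longer string
            // sharing that prefix. Configure audience URIs with a terminating "/" (or override this method
            // with an exact comparison) when the IdP can issue tokens for such audiences.
            if (str.startsWith(configuredUri)) {
                matched = true;
                LOG.debug("Token audience matches with valid URIs.");
                break;
            }
        }
        if (!matched) {
            LOG.warn("Token AudienceRestriction [{}] doesn't match with specified list of URIs.", str);
            LOG.debug("Authenticated URIs are: {}", audienceUris);
        }
        // Diagnostic only: a mismatch with the request URL does not affect the result.
        if (LOG.isDebugEnabled() && str2 != null && str2.indexOf(str) == -1) {
            LOG.debug("Token AudienceRestriction doesn't match with request URL [{}]  [{}]", str, str2);
        }
        return matched;
    }

    /**
     * Extracts the raw response token parameter for the configured protocol.
     *
     * @return the {@code wresult} (WS-Federation) or {@code SAMLResponse} (SAML) parameter, or {@code null}
     *         when the configured protocol is neither
     * @throws RuntimeException when the protocol is known but its token parameter is absent
     */
    public String getResponseToken(HttpServletRequest httpServletRequest) {
        Object protocol = this.fedizContext.getProtocol();
        if (protocol instanceof FederationProtocol) {
            return requireParameter(httpServletRequest, "wresult");
        }
        if (protocol instanceof SAMLProtocol) {
            return requireParameter(httpServletRequest, "SAMLResponse");
        }
        return null;
    }

    /**
     * Extracts the context parameter ({@code wctx} or {@code RelayState}) for the configured protocol.
     *
     * @return the parameter value, or {@code null} when absent (and state validation is disabled) or when the
     *         protocol is neither WS-Federation nor SAML
     * @throws RuntimeException when request-state validation is enabled and the parameter is absent
     */
    public String getContextParameter(HttpServletRequest httpServletRequest) {
        Object protocol = this.fedizContext.getProtocol();
        String parameterName;
        if (protocol instanceof FederationProtocol) {
            parameterName = "wctx";
        } else if (protocol instanceof SAMLProtocol) {
            parameterName = "RelayState";
        } else {
            return null;
        }
        // Only mandatory when request-state validation is switched on in the configuration.
        if (this.fedizContext.isRequestStateValidation()) {
            return requireParameter(httpServletRequest, parameterName);
        }
        return httpServletRequest.getParameter(parameterName);
    }

    /** Reads a request parameter that must be present; the error message names the missing parameter. */
    private static String requireParameter(HttpServletRequest httpServletRequest, String parameterName) {
        String value = httpServletRequest.getParameter(parameterName);
        if (value == null) {
            throw new RuntimeException("Missing required parameter '" + parameterName + "'");
        }
        return value;
    }

    public FedizContext getFedizContext() {
        return this.fedizContext;
    }
}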
