package com.resolution.atlasplugins.samlsso.servlet;

import com.atlassian.seraph.auth.Authenticator;
import com.atlassian.seraph.config.SecurityConfigFactory;
import com.atlassian.templaterenderer.TemplateRenderer;
import com.resolution.atlasplugins.samlsso.AuthenticatorHookException;
import com.resolution.atlasplugins.samlsso.Defaults;
import com.resolution.atlasplugins.samlsso.LicenseChecker;
import com.resolution.atlasplugins.samlsso.SSOTokenStore;
import com.resolution.atlasplugins.samlsso.SamlSsoService;
import com.resolution.atlasplugins.samlsso.UserPreparationException;
import com.resolution.atlasplugins.samlsso.Utils;
import com.resolution.atlasplugins.samlsso.configuration.IdpConfiguration;
import com.resolution.atlasplugins.samlsso.configuration.PluginConfiguration;
import com.resolution.atlasplugins.samlsso.confluence.ConfluenceDefaults;
import com.resolution.samlprocessor.SAMLProcessor;
import com.resolution.samlprocessor.SAMLProcessorException;
import com.resolution.samlprocessor.SAMLResponseContent;
import java.io.IOException;
import java.io.PrintWriter;
import java.lang.reflect.InvocationTargetException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/resolution/atlasplugins/samlsso/servlet/SamlSsoServlet.class */
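/**
 * Entry point of the SAML SSO login flow (the {@code samlsso} servlet).
 *
 * <p>A request reaching {@link #processRequest} has one of three shapes, dispatched in this order:
 * <ol>
 *   <li>an {@value #SSO_TOKEN_PARAMETER} parameter: the second leg of a login whose user record was
 *       just created or modified; the token is exchanged for the user id and a session is established;</li>
 *   <li>a {@code SAMLResponse} parameter: the IdP posted an assertion back to us;</li>
 *   <li>anything else: a browser asking to be sent to an IdP (possibly choosing one first).</li>
 * </ol>
 *
 * <p>Every redirect target derived from {@code RelayState} is attacker-controllable and is checked by
 * {@link #rejectedRedirectReason} before any {@code sendRedirect}. Login tokens (the
 * {@value #SSO_TOKEN_PARAMETER} value and the {@code samlssotoken} query parameter) are never written
 * to the log; only the URL they are attached to is.
 */
public class SamlSsoServlet extends BasicServlet {
    private static final Logger logger = LoggerFactory.getLogger(SamlSsoServlet.class);
    private final LicenseChecker licenseChecker;
    public static final String IDP_COOKIE_NAME = "selectedidp";
    public static final int IDP_COOKIE_LIFETIME = 31536000;
    public static final String SSO_TOKEN_PARAMETER = "ssoservlettoken";
    public static final String SESSION_ATTRIBUTE_SUCCESS = "SAMLSSO-SUCCESS";
    public static final String SESSION_ATTRIBUTE_FAILURE = "SAMLSSO-FAILURE";
    private final SSOTokenStore tokenStore;
    private static final long serialVersionUID = 1;

    /**
     * The decompiled source resolved the empty-string literal used for cookie deletion and regex
     * replacement to this constant; it is assumed to be "" (TODO confirm against ConfluenceDefaults).
     */
    private static final String EMPTY = ConfluenceDefaults.ENFORCE_SSO_URLS;

    public SamlSsoServlet(SamlSsoService samlSsoService, PluginConfiguration pluginConfiguration, LicenseChecker licenseChecker, TemplateRenderer templateRenderer) {
        super(samlSsoService, pluginConfiguration, templateRenderer);
        this.licenseChecker = licenseChecker;
        this.tokenStore = SSOTokenStore.getInstance();
    }

    /**
     * Dispatches a request to the token, IdP-response or client branch after the shared
     * pre-checks (stale session markers, component initialisation, licence).
     *
     * @param request  incoming request; the session markers it carries are consumed (removed) here
     * @param response response to write a redirect, a page or an error to
     */
    @Override // com.resolution.atlasplugins.samlsso.servlet.BasicServlet
    public void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        HttpSession session = request.getSession();
        Object successMarker = session.getAttribute(SESSION_ATTRIBUTE_SUCCESS);
        session.removeAttribute(SESSION_ATTRIBUTE_SUCCESS);
        String failureMessage = (String) session.getAttribute(SESSION_ATTRIBUTE_FAILURE);
        session.removeAttribute(SESSION_ATTRIBUTE_FAILURE);
        if (successMarker != null) {
            sendServiceDeskError(response, "Success marker was found in session, seems like you wanted to logout");
            return;
        }
        if (failureMessage != null) {
            sendServiceDeskError(response, failureMessage);
            return;
        }
        // Only reported; the flow below does not short-circuit for already authenticated requests.
        boolean alreadyAuthenticated = "success".equals(request.getAttribute("os_authstatus"));
        if (logger.isDebugEnabled()) {
            logger.debug(alreadyAuthenticated ? "Request is already authenticated" : "Request is NOT authenticated");
        }
        if (!this.samlSsoService.isInitialized()) {
            logger.error("SAMLSsoComponent is not initialized!");
            sendError(response, null, "SAMLSsoComponent is not initialized. Check logs for details.", null);
            return;
        }
        LicenseChecker.LicenseCheckResult licenseCheck = this.licenseChecker.checkLicense();
        if (!licenseCheck.isLicensed()) {
            sendError(response, null, licenseCheck.getMessage(), null);
            return;
        }
        String ssoToken = request.getParameter(SSO_TOKEN_PARAMETER);
        if (ssoToken != null) {
            completeLoginWithSsoToken(request, response, ssoToken);
            return;
        }
        String samlResponse = request.getParameter("SAMLResponse");
        if (samlResponse == null) {
            processRequestFromClient(request, response);
        } else {
            processRequestFromIdP(request, response, samlResponse);
        }
    }

    /**
     * Second leg of a login that needed a fresh request after the user record was modified:
     * resolves the token to a user id and establishes the session.
     *
     * <p>The RelayState of this leg is re-validated like the one from the IdP: the token proves
     * who the user is, not where the request asks to be sent.
     */
    private void completeLoginWithSsoToken(HttpServletRequest request, HttpServletResponse response, String ssoToken) throws ServletException, IOException {
        logger.debug("Loading userid from token");
        String userid = this.tokenStore.getUseridFromSsoToken(ssoToken);
        if (userid == null) {
            // The token value itself is a login credential and is deliberately not logged.
            logger.warn("Could not find a userid for the supplied {} parameter", SSO_TOKEN_PARAMETER);
            sendError(response, null, "Could not find a userid for the token provided", null);
            return;
        }
        String absoluteBaseUrl = this.samlSsoService.getAbsoluteBaseUrl();
        String relayState = request.getParameter("RelayState");
        if (relayState != null) {
            // The token URL double-encodes RelayState (see completeLogin), so one explicit decode is needed.
            relayState = URLDecoder.decode(relayState, "UTF-8");
        }
        String target = resolveRedirectTarget(relayState, absoluteBaseUrl, this.pluginConfiguration.getDefaultRedirectUrl());
        String rejection = rejectedRedirectReason(target, absoluteBaseUrl);
        if (rejection != null) {
            logger.warn("Redirect URL {} is invalid!", target);
            sendError(response, null, rejection, null);
            return;
        }
        try {
            logger.debug("Trying to authorize user {}", userid);
            if (this.samlSsoService.getAuthenticatorHook().authoriseUserAndEstablishSession(request, response, userid, this.pluginConfiguration.isSetRememberMeCookie())) {
                logger.debug("Redirecting to {}", target);
                response.sendRedirect(target);
            } else {
                sendError(response, userid, null, null);
            }
        } catch (AuthenticatorHookException e) {
            logger.error("Authenticating user failed: ", e);
            sendError(response, null, describeHookFailure(e), e);
        }
    }

    /**
     * Browser-initiated leg: picks an IdP (parameter, cookie, selection page or default) and sends
     * the browser there, carrying the requested {@code redirectTo} URL as RelayState.
     */
    private void processRequestFromClient(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        logger.debug("We have no SAML Response, so this request comes from the Client");
        SAMLProcessor samlProcessor = this.samlSsoService.getSamlProcessor();
        String originalUrl = request.getParameter("redirectTo");
        if (originalUrl == null || originalUrl.equals("null")) {
            originalUrl = this.pluginConfiguration.getDefaultRedirectUrl();
            logger.debug("No original URL in request, using {}", originalUrl);
        }
        // Not validated here: it travels to the IdP as RelayState and is checked when it comes back.
        logger.debug("Original url is {}", originalUrl);
        String issuer = request.getParameter("issuer");
        if (issuer != null && issuer.isEmpty()) {
            issuer = null;
        }
        if (request.getParameter("selectidp") != null) {
            logger.debug("selectidp parameter is present, rendering selection page");
            sendIdpSelectionPage(response, originalUrl, 0);
            return;
        }
        if (request.getParameter("idpbyemail") != null) {
            logger.debug("idpbyemail parameter is present, rendering selection by email page");
            sendIdpSelectionByEmailPage(response, originalUrl);
            return;
        }
        int requestedIdp = 0;
        int rememberedIdp = 0;
        String idpParam = request.getParameter("idp");
        if (idpParam != null) {
            try {
                requestedIdp = Integer.parseInt(idpParam);
            } catch (NumberFormatException e) {
                logger.error("IDP id {} is invalid", idpParam);
                sendError(response, null, "IDP id " + idpParam + " is invalid", e);
                return;
            }
        } else {
            rememberedIdp = idpFromCookie(request);
        }
        int idpId;
        if (requestedIdp != 0) {
            rememberIdpSelection(response, requestedIdp);
            idpId = requestedIdp;
        } else if (this.pluginConfiguration.isEnableIdPSelection()) {
            sendIdpSelectionPage(response, originalUrl, rememberedIdp);
            return;
        } else if (!this.pluginConfiguration.isEnableIdPSelectionByEmailAddress()) {
            logger.debug("Using default IdP 1");
            idpId = 1;
        } else if (rememberedIdp == 0) {
            sendIdpSelectionByEmailPage(response, originalUrl);
            return;
        } else {
            idpId = rememberedIdp;
        }
        // Every other request parameter is forwarded to the SAMLProcessor; its parameter type is not
        // visible here, so the map stays raw as in the original.
        HashMap extraParameters = new HashMap();
        Enumeration<?> parameterNames = request.getParameterNames();
        while (parameterNames.hasMoreElements()) {
            String name = (String) parameterNames.nextElement();
            if (!name.equals("redirectTo")) {
                extraParameters.put(name, request.getParameter(name));
            }
        }
        try {
            if (this.pluginConfiguration.isRedirectWithPOST()) {
                logger.debug("redirectWithPOST is active, rendering the auto-submitting form to redirect to the IdP:");
                String formHtml = samlProcessor.buildPOSTtoIdPFormHtml(originalUrl, idpId, issuer, extraParameters);
                logger.debug(formHtml);
                response.setContentType("text/html;charset=utf-8");
                PrintWriter writer = response.getWriter();
                writer.write(formHtml);
                writer.close();
            } else {
                String idpUrl = samlProcessor.buildRedirectToIdPurl(request, originalUrl, idpId, issuer, extraParameters);
                logger.debug("Redirecting to: {}", idpUrl);
                response.sendRedirect(idpUrl);
            }
        } catch (SAMLProcessorException e) {
            logger.error("SAML Processor threw exception", e);
            sendError(response, null, "Processing saml failed: " + e.getMessage(), null);
        }
    }

    /**
     * Reads the remembered IdP id from the {@value #IDP_COOKIE_NAME} cookie.
     *
     * @return the id, or 0 when the cookie is absent, empty or not a number (first matching cookie wins;
     *         the cookie is a client-supplied UI preference, so it only ever selects an IdP id)
     */
    private static int idpFromCookie(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return 0;
        }
        for (Cookie cookie : cookies) {
            if (!IDP_COOKIE_NAME.equals(cookie.getName())) {
                continue;
            }
            String value = cookie.getValue();
            if (value == null) {
                return 0;
            }
            try {
                int idpId = Integer.parseInt(value);
                logger.debug("Found idp {} in cookie", Integer.valueOf(idpId));
                return idpId;
            } catch (NumberFormatException e) {
                logger.warn("Cookie value {} is not parseable, setting id to 0.", value);
                return 0;
            }
        }
        return 0;
    }

    /** Persists the chosen IdP id for {@value #IDP_COOKIE_LIFETIME} seconds. */
    private static void rememberIdpSelection(HttpServletResponse response, int idpId) {
        Cookie cookie = new Cookie(IDP_COOKIE_NAME, String.valueOf(idpId));
        cookie.setMaxAge(IDP_COOKIE_LIFETIME);
        response.addCookie(cookie);
    }

    /** Expires the remembered IdP cookie (done before showing a selection page). */
    private static void forgetIdpSelection(HttpServletResponse response) {
        Cookie cookie = new Cookie(IDP_COOKIE_NAME, EMPTY);
        cookie.setMaxAge(0);
        response.addCookie(cookie);
    }

    /**
     * IdP-initiated leg: verifies the SAMLResponse, validates the RelayState redirect target and then
     * either establishes a session directly or, for Service Desk customer URLs, hands off to the
     * SamlSsoAuthenticator via a {@code samlssotoken} parameter.
     *
     * @param samlResponseParam raw {@code SAMLResponse} form parameter as posted by the IdP
     */
    private void processRequestFromIdP(HttpServletRequest request, HttpServletResponse response, String samlResponseParam) throws ServletException, IOException {
        String absoluteBaseUrl = this.samlSsoService.getAbsoluteBaseUrl();
        String defaultRedirectUrl = this.pluginConfiguration.getDefaultRedirectUrl();
        SAMLProcessor samlProcessor = this.samlSsoService.getSamlProcessor();
        logger.debug("We have a SAML Response, so this request comes from the IdP");
        try {
            SAMLResponseContent content = samlProcessor.processSAMLResponseMessage(samlResponseParam);
            if (!content.isSuccess()) {
                sendError(response, null, content.getReason(), null);
                return;
            }
            String userid = content.getUserid();
            String relayState = request.getParameter("RelayState");
            logger.debug("RelayState parameter is {}", relayState);
            String target = resolveRedirectTarget(relayState, absoluteBaseUrl, defaultRedirectUrl);
            String rejection = rejectedRedirectReason(target, absoluteBaseUrl);
            if (rejection != null) {
                logger.warn("Redirect URL {} is invalid!", target);
                sendError(response, null, rejection, null);
                return;
            }
            logger.debug("Redirect URL {} is valid", target);
            if (target.contains("/servicedesk/customer")) {
                completeServiceDeskLogin(response, content, userid, target);
            } else {
                completeLogin(request, response, content, userid, target, absoluteBaseUrl);
            }
        } catch (UserPreparationException e) {
            logger.error("Updating or creating user failed.", e);
            sendError(response, null, "Updating or creating user failed. " + e.getMessage(), null);
        } catch (SAMLProcessorException e) {
            logger.error("SAML Processor threw exception", e);
            sendError(response, null, "Processing saml failed: " + e.getMessage(), null);
        }
    }

    /**
     * Turns a RelayState into the redirect target: empty falls back to the configured default, and a
     * target that starts with the plugin's relative default path is made absolute with the base URL.
     */
    private static String resolveRedirectTarget(String relayState, String absoluteBaseUrl, String defaultRedirectUrl) {
        String target = relayState;
        if (target == null || target.length() == 0) {
            target = defaultRedirectUrl;
            logger.warn("No original URL found in the request, redirecting to {}", target);
        }
        return target.startsWith(Defaults.DEFAULT_REDIRECT_URL) ? absoluteBaseUrl + target : target;
    }

    /**
     * Open-redirect guard shared by the IdP and token legs.
     *
     * @return {@code null} when {@code target} stays on the configured base URL, otherwise the
     *         user-facing reason for refusing it
     */
    private static String rejectedRedirectReason(String target, String absoluteBaseUrl) {
        String wrongBase = "Redirect URL " + target + " does not belong to the base URL " + absoluteBaseUrl + ", not redirecting.";
        if (!target.startsWith(absoluteBaseUrl)) {
            return wrongBase;
        }
        // A bare prefix test accepts "https://jira.example.com.evil.net/..." for the base
        // "https://jira.example.com": the character after the base must end the authority or path.
        if (!absoluteBaseUrl.endsWith("/") && target.length() > absoluteBaseUrl.length()) {
            char next = target.charAt(absoluteBaseUrl.length());
            if (next != '/' && next != '?' && next != '#') {
                return wrongBase;
            }
        }
        // "https://jira.example.com@evil.net" also passes the prefix test; userinfo is never legitimate here.
        if (target.contains("@")) {
            return "Redirect URL " + target + " contains invalid @-character, not redirecting.";
        }
        if (target.indexOf('\r') >= 0 || target.indexOf('\n') >= 0) {
            return "Redirect URL contains line breaks, not redirecting.";
        }
        return null;
    }

    /**
     * Non-Service-Desk login: prepares (creates/updates) the user, and either bounces through the
     * token leg when the record changed or establishes the session right away.
     */
    private void completeLogin(HttpServletRequest request, HttpServletResponse response, SAMLResponseContent content, String userid, String target, String absoluteBaseUrl) throws ServletException, IOException {
        logger.debug("This is no SamlSsoAuthenticator, using the AuthenticatorHook");
        boolean userModified;
        try {
            userModified = this.samlSsoService.prepareUser(content, true, false);
        } catch (UserPreparationException e) {
            logger.error("Preparing User failed", e);
            sendError(response, null, e.getMessage(), e);
            // Must stop here: falling through would establish a session for a user whose
            // preparation failed and write a second response on top of the error page.
            return;
        }
        if (userModified) {
            String tokenUrl = absoluteBaseUrl + "/plugins/servlet/samlsso?" + SSO_TOKEN_PARAMETER + "=" + this.tokenStore.getSsoToken(userid) + "&RelayState=" + URLEncoder.encode(target, "UTF-8");
            // The URL carries a login token, so only the final destination is logged.
            logger.debug("User is modified, redirecting again to have changes active, final target {}", target);
            response.sendRedirect(tokenUrl);
            return;
        }
        try {
            logger.debug("Trying to authorize user {}", userid);
            if (this.samlSsoService.getAuthenticatorHook().authoriseUserAndEstablishSession(request, response, userid, this.pluginConfiguration.isSetRememberMeCookie())) {
                logger.debug("Redirecting to {}", target);
                response.sendRedirect(target);
            } else {
                sendError(response, userid, null, null);
            }
        } catch (AuthenticatorHookException e) {
            logger.error("Authenticating user failed: ", e);
            sendError(response, null, describeHookFailure(e), e);
        }
    }

    /**
     * Service Desk customer-portal login: obtains a {@code samlssotoken} from the configured
     * SamlSsoAuthenticator (looked up reflectively, as the original did) and redirects with it attached.
     *
     * @throws SAMLProcessorException when the authenticator has no usable {@code getSsoToken(String)}
     */
    private void completeServiceDeskLogin(HttpServletResponse response, SAMLResponseContent content, String userid, String target) throws ServletException, IOException, SAMLProcessorException, UserPreparationException {
        if (!this.samlSsoService.checkForSamlSsoAuthenticator()) {
            sendError(response, userid, "SingleSignOn for JIRA Service Desk requires a SamlSsoAuthenticator which is not configured.", null);
            return;
        }
        String cleanTarget = stripSamlSsoToken(target);
        Authenticator authenticator = SecurityConfigFactory.getInstance().getAuthenticator();
        logger.debug("We have a SamlSsoAuthenticator, redirecting to {} with samlssotoken-parameter", cleanTarget);
        String samlSsoToken;
        try {
            Object result = authenticator.getClass().getMethod("getSsoToken", String.class).invoke(authenticator, userid);
            if (!(result instanceof String)) {
                String actual = result == null ? "null" : result.getClass().getName();
                throw new SAMLProcessorException("getSsoToken did not return a String but a " + actual);
            }
            samlSsoToken = (String) result;
        } catch (IllegalAccessException e) {
            throw new SAMLProcessorException(e);
        } catch (IllegalArgumentException e) {
            throw new SAMLProcessorException(e);
        } catch (NoSuchMethodException e) {
            throw new SAMLProcessorException(e);
        } catch (InvocationTargetException e) {
            throw new SAMLProcessorException(e.getCause());
        }
        String separator = cleanTarget.contains("?") ? "&" : "?";
        String redirectUrl = cleanTarget + separator + "samlssotoken=" + samlSsoToken;
        // The token is a credential; log the destination without it.
        logger.debug("Redirecting to {} with samlssotoken-parameter", cleanTarget);
        this.samlSsoService.prepareUser(content, true, true);
        response.sendRedirect(redirectUrl);
    }

    /**
     * Removes any {@code samlssotoken} query parameter already present in {@code url} so a stale token
     * is not carried along with the fresh one. Only that parameter is removed; others are kept.
     */
    private static String stripSamlSsoToken(String url) {
        if (!url.contains("samlssotoken=")) {
            return url;
        }
        String cleaned = url.replaceAll("samlssotoken=[^&]*&", EMPTY)
                .replaceAll("samlssotoken=[^&]*$", EMPTY)
                .replaceAll("[?&]$", EMPTY);
        logger.debug("removed existing samlssotoken from URL {}", cleaned);
        return cleaned;
    }

    /** Message for an authenticator-hook failure; tolerates a missing message and a missing cause. */
    private static String describeHookFailure(AuthenticatorHookException e) {
        String message = e.getMessage();
        if (message != null) {
            return message;
        }
        Throwable cause = e.getCause();
        if (cause == null) {
            return e.getClass().getName();
        }
        return cause.getClass().getName() + ": " + cause.getMessage();
    }

    /**
     * Renders the "choose IdP by e-mail domain" page.
     *
     * <p>The domain-to-IdP map is sent to the browser keyed by SHA-224 of the domain. Domains are
     * low-entropy, so this only obscures the configured list; it is not a secrecy boundary.
     * {@code redirectTo} is user input and reaches the page URL-encoded; note that
     * {@link Utils#unescapeHTML} undoes the renderer's escaping, so that encoding is what keeps it inert.
     *
     * @param redirectTo URL to return to after login (forwarded as {@code redirectTo}/{@code os_destination})
     */
    protected void sendIdpSelectionByEmailPage(HttpServletResponse response, String redirectTo) throws ServletException, IOException {
        forgetIdpSelection(response);
        Map<String, Integer> emailDomainIdMap = this.pluginConfiguration.getEmailDomainIdMap();
        StringBuilder json = new StringBuilder("{ ");
        boolean first = true;
        for (Map.Entry<String, Integer> entry : emailDomainIdMap.entrySet()) {
            if (!first) {
                json.append(Defaults.LIST_SEPARATOR);
            }
            first = false;
            json.append("\"").append(Utils.hashSHA224(entry.getKey())).append("\": ").append(entry.getValue());
        }
        json.append(" }");
        String encodedRedirect = URLEncoder.encode(redirectTo, "UTF-8");
        Map<String, Object> model = new HashMap<String, Object>();
        model.put("loginurl", this.samlSsoService.getAbsoluteLoginPageUrl() + "&os_destination=" + encodedRedirect);
        model.put("ssourl", this.samlSsoService.getConsumerUrl() + "?idp=IDPID&redirectTo=" + encodedRedirect);
        model.put("emailDomainMap", json.toString());
        response.setContentType("text/html;charset=utf-8");
        String template = this.pluginConfiguration.getIdpByEmailPageTemplate();
        String page = Utils.unescapeHTML(this.renderer.renderFragment(template, model));
        logger.debug(template);
        logger.debug(page);
        response.getWriter().write(page);
    }

    /**
     * Renders the IdP selection page, pre-selecting {@code selectedIdpId} when it matches a configured IdP.
     *
     * <p>NOTE(review): the IdpConfiguration objects come from the shared plugin configuration and their
     * SSO URL is overwritten per request here (inherited behaviour) — concurrent requests with different
     * {@code redirectTo} values may observe each other's URL; confirm whether getIdpConfigurations() copies.
     *
     * @param redirectTo    URL to return to after login
     * @param selectedIdpId previously chosen IdP id, 0 for none
     */
    protected void sendIdpSelectionPage(HttpServletResponse response, String redirectTo, int selectedIdpId) throws ServletException, IOException {
        forgetIdpSelection(response);
        String template = this.pluginConfiguration.getIdpSelectionPageTemplate();
        String encodedRedirect = URLEncoder.encode(redirectTo, "UTF-8");
        Map<String, Object> model = new HashMap<String, Object>();
        model.put("loginurl", this.samlSsoService.getAbsoluteLoginPageUrl() + "&os_destination=" + encodedRedirect);
        model.put("ssourl", this.samlSsoService.getSSOUrl());
        String selectedUrl = null;
        String selectedName = null;
        String selectedDescription = null;
        List<IdpConfiguration> idpConfigurations = this.pluginConfiguration.getIdpConfigurations();
        for (IdpConfiguration idp : idpConfigurations) {
            String ssoUrl = this.samlSsoService.getConsumerUrl() + "?idp=" + idp.getId() + "&redirectTo=" + encodedRedirect;
            idp.setSsoUrl(ssoUrl);
            if (idp.getId() != null && idp.getId().intValue() == selectedIdpId) {
                selectedUrl = ssoUrl;
                selectedName = idp.getName();
                selectedDescription = idp.getDescription();
            }
        }
        model.put("idps", idpConfigurations);
        model.put("selectedUrl", selectedUrl);
        model.put("selectedName", selectedName);
        model.put("selectedDescription", selectedDescription);
        model.put("idpSelected", Boolean.valueOf(selectedUrl != null));
        logger.debug("Last selected idp is {}", selectedName);
        response.setContentType("text/html;charset=utf-8");
        response.getWriter().write(Utils.unescapeHTML(this.renderer.renderFragment(template, model)));
    }
}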
