package com.ibm.ws.security.saml.sso20.acs;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.common.structures.Cache;
import com.ibm.ws.security.saml.Constants;
import com.ibm.ws.security.saml.SsoRequest;
import com.ibm.ws.security.saml.SsoSamlService;
import com.ibm.ws.security.saml.error.SamlException;
import com.ibm.ws.security.saml.sso20.binding.BasicMessageContext;
import com.ibm.ws.security.saml.sso20.internal.utils.HttpRequestInfo;
import com.ibm.ws.security.saml.sso20.internal.utils.InitialRequestUtil;
import com.ibm.ws.security.saml.sso20.internal.utils.RequestUtil;
import com.ibm.ws.security.saml.sso20.internal.utils.SamlUtil;
import com.ibm.ws.security.saml.sso20.internal.utils.UnsolicitedResponseCache;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.Map;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.SubjectConfirmation;

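/**
 * Assertion Consumer Service (ACS) handler for the IdP-initiated / SP-unsolicited SAML 2.0
 * Web SSO flow. In order it (1) works out the post-login target from the COOKIE_WAS_REQUEST
 * cookie, the RelayState or the configured targetPageUrl, (2) hands the SAMLResponse to
 * {@link WebSSOConsumer} for validation, (3) rejects assertion IDs already recorded in the
 * per-provider {@link UnsolicitedResponseCache} (replay guard) and (4) redirects the browser
 * to the target through a cached {@link HttpRequestInfo}.
 *
 * Security note: when {@code useRelayStateForTarget} is enabled the redirect target is taken
 * verbatim from the RelayState, which is NOT covered by the IdP's signature over the
 * SAMLResponse and is chosen by whoever builds the IdP-initiated link. Nothing in this class
 * constrains that value to this host/application — confirm that the redirect helper or the
 * configuration does, otherwise this is a post-authentication open redirect.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
public class UnsolicitedHandler {
    private static TraceComponent tc = Tr.register(UnsolicitedHandler.class, "SAML20", "com.ibm.ws.security.saml.sso20.internal.resources.SamlSso20Messages");
    HttpServletRequest request;
    HttpServletResponse response;
    SsoRequest samlRequest;
    Map<String, Object> parameters;
    SsoSamlService ssoService;
    InitialRequestUtil irUtil = new InitialRequestUtil();
    // Not referenced here and the class is not Serializable; kept for fidelity with the original.
    static final long serialVersionUID = -1325257556264314189L;

    /**
     * @param httpServletRequest  the ACS request carrying the SAMLResponse (and RelayState) parameters
     * @param httpServletResponse the response used for cookie removal and the final redirect
     * @param ssoRequest          per-request SSO state; supplies the SsoConfig and provider name
     * @param map                 handler parameters; must contain the SsoSamlService under
     *                            {@link Constants#KEY_SAML_SERVICE}
     */
    public UnsolicitedHandler(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SsoRequest ssoRequest, Map<String, Object> map) {
        this.request = httpServletRequest;
        this.response = httpServletResponse;
        this.samlRequest = ssoRequest;
        this.parameters = map;
        this.ssoService = (SsoSamlService) map.get(Constants.KEY_SAML_SERVICE);
    }

    /**
     * Processes an unsolicited SAMLResponse that arrived at the ACS.
     *
     * @param relayState the RelayState parameter that accompanied the SAMLResponse (may be null or
     *                   empty); only used as the target when {@code useRelayStateForTarget} is on
     * @throws SamlException if no target can be determined (SAML20_NO_PROTECTED_RESOURCE_ENDPOINT_ERR),
     *                       the SAMLResponse parameter is absent, URL-decoding the target fails,
     *                       validation in WebSSOConsumer fails, the validated assertion carries no
     *                       SubjectConfirmationData/NotOnOrAfter, or the assertion ID was already
     *                       consumed (SAML20_RESPONSE_REPLAY)
     */
    public void handleRequest(String relayState) throws SamlException {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "SAML WEBSSO - IDP init or SP Unsolicited flow (ACS) starting", new Object[0]);
        }
        String targetId = resolveTargetId(relayState);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Final target [" + targetId + "]", new Object[0]);
        }
        if (this.request.getParameter(Constants.SAMLResponse) == null) {
            throw new SamlException("Cannot process the request because SAML Response from the IdP is missing", (Exception) null, new Object[0]);
        }
        // Only the decode can raise UnsupportedEncodingException, so the handler scope is kept to it.
        String decodedTarget;
        try {
            decodedTarget = URLDecoder.decode(targetId, Constants.UTF8);
        } catch (UnsupportedEncodingException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.saml.sso20.acs.UnsolicitedHandler", "122", this, new Object[]{relayState});
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Internal error process SAML Web SSO Version 2.0 request", new Object[]{e});
            }
            throw new SamlException(e);
        }
        // Signature/condition validation of the response happens inside WebSSOConsumer.
        BasicMessageContext<?, ?> msgCtx = WebSSOConsumer.getInstance().handleSAMLResponse(this.request, this.response, this.ssoService, null, this.samlRequest);
        Assertion validatedAssertion = msgCtx.getValidatedAssertion();
        rejectIfReplayed(validatedAssertion);
        Cache acsCookieCache = this.ssoService.getAcsCookieCache(this.samlRequest.getProviderName());
        HttpRequestInfo requestInfo = getUnsolicitedRequestInfo(msgCtx, decodedTarget, acsCookieCache);
        requestInfo.setWithFragmentUrl(this.request, this.response);
        redirectToRelayState(msgCtx, this.samlRequest.getProviderName(), acsCookieCache, requestInfo);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "SAML WEBSSO - IDP init or SP Unsolicited flow (ACS) ends", new Object[0]);
        }
    }

    /**
     * Picks the (still URL-encoded) target identifier for the post-login redirect, in priority
     * order: the COOKIE_WAS_REQUEST cookie when it holds an IDP_INITAL-prefixed cache key; else
     * the RelayState, only if {@code useRelayStateForTarget} is configured; else the configured
     * targetPageUrl. The cookie is removed whether or not it is used.
     *
     * @throws SamlException SAML20_NO_PROTECTED_RESOURCE_ENDPOINT_ERR when every source is empty
     */
    private String resolveTargetId(String relayState) throws SamlException {
        String cookieId = RequestUtil.getCookieId(this.request, this.response, Constants.COOKIE_WAS_REQUEST);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "RelayState from cookie is [" + cookieId + "]", new Object[0]);
        }
        RequestUtil.removeCookie(this.request, this.response, Constants.COOKIE_WAS_REQUEST);
        String target = cookieId;
        boolean cookieUsable = cookieId != null && !cookieId.isEmpty() && cookieId.startsWith(Constants.IDP_INITAL);
        if (!cookieUsable) {
            if (this.samlRequest.getSsoConfig().getUseRelayStateForTarget()) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "RelayState from SAMLResponse is [" + relayState + "]", new Object[0]);
                }
                // Unsigned, caller-chosen value: see the class-level security note.
                target = relayState;
                if (target == null || target.isEmpty()) {
                    target = this.samlRequest.getSsoConfig().getTargetPageUrl();
                }
            } else {
                target = this.samlRequest.getSsoConfig().getTargetPageUrl();
            }
        }
        if (target == null || target.isEmpty()) {
            throw new SamlException("SAML20_NO_PROTECTED_RESOURCE_ENDPOINT_ERR", (Exception) null, new Object[0]);
        }
        return target;
    }

    /**
     * Replay guard for unsolicited responses. An assertion ID that the per-provider
     * UnsolicitedResponseCache still reports as valid was already consumed and is rejected;
     * otherwise the ID is recorded with the bearer SubjectConfirmationData NotOnOrAfter instant
     * as its expiry (a replay after that instant fails time validation anyway).
     *
     * @throws SamlException SAML20_RESPONSE_REPLAY on a repeated ID, or a plain error if the
     *                       validated assertion has no SubjectConfirmationData with NotOnOrAfter
     */
    private void rejectIfReplayed(Assertion validatedAssertion) throws SamlException {
        String assertionId = validatedAssertion.getID();
        // Bearer confirmation is expected to have been enforced during validation; if it was not,
        // fail closed with a SamlException instead of an IndexOutOfBounds/NullPointerException.
        SubjectConfirmation confirmation = null;
        if (validatedAssertion.getSubject() != null && !validatedAssertion.getSubject().getSubjectConfirmations().isEmpty()) {
            confirmation = (SubjectConfirmation) validatedAssertion.getSubject().getSubjectConfirmations().get(0);
        }
        if (confirmation == null || confirmation.getSubjectConfirmationData() == null || confirmation.getSubjectConfirmationData().getNotOnOrAfter() == null) {
            throw new SamlException("Cannot process the request because the SAML Assertion " + assertionId + " has no SubjectConfirmationData with NotOnOrAfter", (Exception) null, new Object[0]);
        }
        long notOnOrAfterMillis = confirmation.getSubjectConfirmationData().getNotOnOrAfter().getMillis();
        UnsolicitedResponseCache replayCache = this.ssoService.getUnsolicitedResponseCache(this.samlRequest.getProviderName());
        // check-then-put must be one atomic step: two concurrent ACS posts of the same assertion
        // could otherwise both pass isValid() before either put() lands. Locking on the cache
        // instance assumes getUnsolicitedResponseCache returns the shared per-provider object — confirm.
        synchronized (replayCache) {
            if (replayCache.isValid(assertionId)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "The SAML Assertion with ID " + assertionId + " can not be processed twice.", new Object[0]);
                }
                throw new SamlException("SAML20_RESPONSE_REPLAY", (Exception) null, new Object[]{assertionId});
            }
            replayCache.put(assertionId, Long.valueOf(notOnOrAfterMillis));
        }
    }

    /**
     * Resolves the request to redirect to: a cached original request when {@code decodedTarget}
     * is an IDP_INITAL cache key, otherwise a fresh HttpRequestInfo built directly from the
     * decoded target string with an empty second argument.
     *
     * NOTE(review): in the fallback branch {@code decodedTarget} may be the raw RelayState; no
     * host/path validation is applied here (see class-level note).
     *
     * @param basicMessageContext the validated message context (currently unused here)
     * @param decodedTarget       URL-decoded target identifier from {@link #handleRequest}
     * @param cache               the provider's ACS cookie cache
     */
    HttpRequestInfo getUnsolicitedRequestInfo(BasicMessageContext<?, ?> basicMessageContext, String decodedTarget, Cache cache) throws SamlException {
        HttpRequestInfo requestInfo = getCachedRequestInfo(decodedTarget, cache);
        return requestInfo != null ? requestInfo : new HttpRequestInfo(decodedTarget, "");
    }

    /**
     * Stores the authenticated user data under a fresh random key in {@code cache} and redirects
     * the browser to the cached request, handing it the key in a cookie named
     * COOKIE_NAME_WAS_SAML_ACS + hash(providerName).
     *
     * @param basicMessageContext source of {@code getUserDataIfReady()}
     * @param providerName        SAML provider name, hashed into the cookie name
     * @param cache               the provider's ACS cookie cache
     * @param httpRequestInfo     the request to redirect to
     */
    protected void redirectToRelayState(BasicMessageContext<?, ?> basicMessageContext, String providerName, Cache cache, HttpRequestInfo httpRequestInfo) throws SamlException {
        String cacheKey = SamlUtil.generateRandom();
        cache.put(cacheKey, basicMessageContext.getUserDataIfReady());
        httpRequestInfo.redirectCachedHttpRequest(this.request, this.response, Constants.COOKIE_NAME_WAS_SAML_ACS + SamlUtil.hash(providerName), cacheKey);
    }

    /**
     * Looks up a previously cached original request. Only identifiers prefixed with IDP_INITAL
     * are treated as cache keys; anything else yields {@code null}. A cache hit is consumed
     * (entry removed, associated cookie removed); on a miss the request info is recreated via
     * {@link InitialRequestUtil#recreateHttpRequestInfo}.
     *
     * @param targetId the decoded target identifier, possibly null
     * @param cache    the provider's ACS cookie cache
     * @return the cached/recreated request info, or null when {@code targetId} is not a cache key
     */
    protected HttpRequestInfo getCachedRequestInfo(String targetId, Cache cache) throws SamlException {
        if (targetId == null || !targetId.startsWith(Constants.IDP_INITAL)) {
            return null;
        }
        String cacheKey = targetId.substring(Constants.IDP_INITAL.length());
        HttpRequestInfo requestInfo = (HttpRequestInfo) cache.get(cacheKey);
        if (requestInfo != null) {
            // One-shot: consume the entry so the same key cannot be presented again.
            cache.remove(cacheKey);
            this.irUtil.removeCookie(targetId, this.request, this.response);
            return requestInfo;
        }
        return this.irUtil.recreateHttpRequestInfo(targetId, this.request, this.response, this.ssoService);
    }
}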
