package com.ibm.ws.security.web.saml;

import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.ws.security.web.saml.filter.HTTPHeaderFilter;
import com.ibm.ws.security.web.saml.util.AuthnRequestCache;
import com.ibm.ws.security.web.saml.util.ReplayManagerImpl;
import com.ibm.ws.security.web.saml.util.Util;
import com.ibm.ws.wssecurity.saml.binding.saml20.PostBindingSPConfig;
import com.ibm.ws.wssecurity.saml.binding.saml20.ReplayManager;
import com.ibm.ws.wssecurity.saml.binding.saml20.SAMLSpConstants;
import com.ibm.ws.wssecurity.util.ConfigUtil;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.wsspi.wssecurity.core.SoapSecurityException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Properties;
import javax.servlet.http.HttpServletRequest;

/* loaded from: input_file:lib/com.ibm.jaxws.thinclient_9.0.jar:com/ibm/ws/security/web/saml/SAMLPostBindingConfig.class */
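/**
 * Holds the SAML POST-binding SSO partner configurations built from a {@link Properties} object
 * and selects the one that applies to an incoming HTTP request.
 *
 * <p>Selection is driven by the request URL ({@code HttpServletRequest.getRequestURL()}) compared
 * against each partner's configured AssertionConsumerService (ACS) URL, first through
 * {@code Util.isAcs} (traced as an "exact match") and then through a trailing-{@code *} prefix
 * pattern (see {@link #containsTarget(String, String)}). For IdP selection the per-partner
 * {@link HTTPHeaderFilter} is consulted as well.
 *
 * <p>Security relevance: the configuration returned here decides which partner's settings are
 * applied to the request, so an ambiguous or order-dependent selection is a configuration-confusion
 * risk. An exact ACS match therefore always takes precedence over wildcard matches, regardless of
 * the order in which the configurations are stored.
 *
 * <p>NOTE(review): the host portion of {@code getRequestURL()} is reconstructed by the servlet
 * container from the request. Confirm that in this deployment it cannot be steered by a
 * client-supplied Host header, since it feeds directly into partner selection.
 *
 * <p>Thread-safety is not established by anything in this class; the lists and maps are plain
 * {@code ArrayList}/{@code HashMap} instances.
 */
public class SAMLPostBindingConfig {
    private static final TraceComponent tc = Tr.register(SAMLPostBindingConfig.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    // Not referenced anywhere in this class.
    private static final String comp = "security.wssecurity";
    protected static final String REFER = "Referer";
    // True once at least one partner configuration reports hasFilter().
    protected boolean filterDefined;
    static final String SP_CONTEXT = "/samlsps";
    // NOTE(review): configMap and ConfigMap differ only by case and are never read or written in
    // this class; they are left in place because they are protected and may be used by subclasses.
    protected HashMap<String, String> configMap = new HashMap<>();
    protected HashMap<String, PostBindingConfig> ConfigMap = new HashMap<>();
    // One entry per partner, in the order produced by sortPropertiesForIdP.
    protected ArrayList<PostBindingConfig> postBindingCfgs = new ArrayList<>();
    ReplayManager replayManager = null;
    AuthnRequestCache authnCache = null;

    /**
     * Builds one {@link PostBindingConfig} per property group returned by
     * {@code SAMLPostBindingSSOPartnerConfig.sortPropertiesForIdP} and then creates the replay
     * manager and AuthnRequest cache from the same properties.
     *
     * @param properties source configuration
     * @throws SoapSecurityException declared by the constructor; which call raises it is not
     *     visible in this class
     */
    public SAMLPostBindingConfig(Properties properties) throws SoapSecurityException {
        this.filterDefined = false;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "SAMLPostBindingConfig(Properties p[" + ConfigUtil.getObjState(properties) + "])");
        }
        // Explicit iterator kept: the concrete return type of sortPropertiesForIdP is not visible here.
        Iterator<Properties> groups = SAMLPostBindingSSOPartnerConfig.sortPropertiesForIdP(properties).iterator();
        while (groups.hasNext()) {
            Properties partnerProps = groups.next();
            PostBindingConfig partnerConfig = new PostBindingConfig(partnerProps);
            partnerConfig.setSSOIndex((String) partnerProps.get(SAMLPostBindingSSOPartnerConfig.INDEX));
            this.postBindingCfgs.add(partnerConfig);
            if (partnerConfig.hasFilter()) {
                this.filterDefined = true;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Create config for ACS: " + partnerProps.getProperty(SAMLSpConstants.SP_ACS));
            }
        }
        buildReplayManager(properties);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "SAMLPostBindingConfig(Properties p)");
        }
    }

    /**
     * Returns the list of partner configurations.
     *
     * <p>The returned object is the live internal list, not a copy: a caller that mutates it
     * changes which partner configuration later requests are matched against.
     *
     * @return the internal list of partner configurations
     */
    public ArrayList<PostBindingConfig> getAllPostBindingConfig() {
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getAllPostBindingConfig returns [" + ConfigUtil.getObjType(this.postBindingCfgs) + (this.postBindingCfgs == null ? "" : "(size=" + this.postBindingCfgs.size() + ")") + "]");
        }
        return this.postBindingCfgs;
    }

    /**
     * Like {@link #getPostBindingConfig(HttpServletRequest)} but never returns {@code null}.
     *
     * @param httpServletRequest incoming request whose URL is matched against the configured ACS URLs
     * @return the matching partner configuration
     * @throws WebTrustAssociationFailedException with message CWWSS8030E when no configuration
     *     matches, or as thrown by {@link #getPostBindingConfig(HttpServletRequest)}
     */
    public PostBindingConfig getValidPostBindingConfig(HttpServletRequest httpServletRequest) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getValidPostBindingConfig(HttpServletRequest req[" + ConfigUtil.getObjType(httpServletRequest) + "])");
        }
        PostBindingConfig selected = getPostBindingConfig(httpServletRequest);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "pbCfg[" + ConfigUtil.getObjState(selected) + "]");
        }
        if (selected != null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getValidPostBindingConfig returns [" + ConfigUtil.getObjType(selected) + "]");
            }
            return selected;
        }
        String reqUrl = httpServletRequest.getRequestURL().toString();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Could not find configured AssertionConsumerServiceURL:" + reqUrl);
        }
        throw new WebTrustAssociationFailedException(ConfigUtil.getMessage("security.wssecurity.CWWSS8030E", new String[]{reqUrl}));
    }

    /**
     * Selects the partner configuration whose ACS URL matches the request URL.
     *
     * <p>An exact match (per {@code Util.isAcs}) always wins. Previously the loop kept running
     * after an exact match and a later wildcard match overwrote the result, so the outcome
     * depended on configuration order, and an exact match followed by two wildcard matches
     * returned {@code null}. The exact match is now tracked separately from wildcard matches.
     * If several configurations match exactly, the last one is returned, as before.
     *
     * @param httpServletRequest incoming request
     * @return the exact match if there is one; otherwise the single wildcard match; otherwise
     *     {@code null} when nothing matches
     * @throws WebTrustAssociationFailedException with message CWWSS8031E when there is no exact
     *     match and more than one wildcard pattern matches
     */
    public PostBindingConfig getPostBindingConfig(HttpServletRequest httpServletRequest) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getPostBindingConfig(HttpServletRequest req[" + ConfigUtil.getObjType(httpServletRequest) + "])");
        }
        boolean matchOnce = false;
        boolean matchTwice = false;
        String reqUrl = httpServletRequest.getRequestURL().toString();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "reqUrl[" + reqUrl + "]");
        }
        PostBindingConfig exactConfig = null;
        PostBindingConfig wildcardConfig = null;
        for (PostBindingConfig candidate : this.postBindingCfgs) {
            String acs = candidate.getPostBindingSPConfig().getAssertionConsumerService();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "acs[" + acs + "]");
            }
            if (acs == null) {
                continue;
            }
            // NOTE(review): argument order here is (request URL, ACS) while
            // getPostBindingConfigForIdPSelection passes (ACS, request URL); confirm Util.isAcs is
            // symmetric or align the two call sites.
            if (Util.isAcs(reqUrl, acs)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "exact match found");
                }
                exactConfig = candidate;
            } else if (containsTarget(acs, reqUrl)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "match found");
                }
                // A second wildcard hit makes the wildcard result ambiguous, so it is discarded.
                wildcardConfig = matchOnce ? null : candidate;
                if (matchOnce) {
                    matchTwice = true;
                }
                matchOnce = true;
            }
        }
        boolean exactMatch = exactConfig != null;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "exactMatch[" + exactMatch + "], matchOnce[" + matchOnce + "], matchTwice[" + matchTwice + "]");
        }
        if (exactMatch || !matchTwice) {
            PostBindingConfig postBindingConfig = exactMatch ? exactConfig : wildcardConfig;
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getPostBindingConfig returns [" + postBindingConfig + "]");
            }
            return postBindingConfig;
        }
        String message = SoapSecurityException.getMessage("security.wssecurity.CWWSS8031E");
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Can not uniquely identify one SSO configuration to process the request:" + httpServletRequest.getRequestURI());
            Tr.debug(tc, message);
        }
        throw new WebTrustAssociationFailedException(message);
    }

    /**
     * Selects the partner configuration to use for IdP selection.
     *
     * <p>Order of evaluation, as implemented below:
     * <ol>
     *   <li>the single-configuration default from
     *       {@link #getDefaultPostBindingConfigForIdPSelection(HttpServletRequest)};</li>
     *   <li>ACS matching against the request URL (exact, then trailing-{@code *} prefix);</li>
     *   <li>"explicit filter": configurations whose filter accepts the request and whose
     *       {@code noFilter()} is false; only when step 2 found no exact match and no ambiguity;</li>
     *   <li>"implied filter": configurations whose filter accepts the request and whose
     *       {@code noFilter()} is true; only when nothing has been selected yet and no ambiguity.</li>
     * </ol>
     *
     * <p>An exact ACS match is no longer displaced by a wildcard match that happens to come later
     * in the list. Unlike {@link #getPostBindingConfig(HttpServletRequest)}, two wildcard matches
     * still raise CWWSS8031E here even when an exact match exists; that pre-existing behaviour is
     * kept. NOTE(review): confirm whether that asymmetry is intended.
     *
     * <p>NOTE(review): {@code matchOnce} carries over from the ACS step into the filter steps, so a
     * single wildcard ACS match followed by one accepting explicit filter is reported as a
     * duplicate. Kept as found; verify against the intended semantics.
     *
     * @param httpServletRequest incoming request
     * @return the selected configuration, or {@code null} when none applies
     * @throws WebTrustAssociationFailedException with message CWWSS8031E when more than one
     *     configuration matches
     */
    public PostBindingConfig getPostBindingConfigForIdPSelection(HttpServletRequest httpServletRequest) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getPostBindingConfigForIdPSelection(HttpServletRequest req[" + ConfigUtil.getObjType(httpServletRequest) + "])");
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "postBindingCfgs[" + ConfigUtil.getObjState(this.postBindingCfgs) + "], size[" + (this.postBindingCfgs == null ? "0" : Integer.valueOf(this.postBindingCfgs.size())) + "]");
        }
        if (this.postBindingCfgs == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getPostBindingConfigForIdPSelection returns [null]");
            }
            return null;
        }
        PostBindingConfig defaultCfg = getDefaultPostBindingConfigForIdPSelection(httpServletRequest);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "defaultCfg[" + ConfigUtil.getObjState(defaultCfg) + "]");
        }
        if (defaultCfg != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Use default SSO config for [" + httpServletRequest.getRequestURI() + "]");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getPostBindingConfigForIdPSelection returns [" + defaultCfg + "]");
            }
            return defaultCfg;
        }
        boolean matchOnce = false;
        boolean matchTwice = false;
        boolean exactMatch = false;
        String reqUrl = httpServletRequest.getRequestURL().toString();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "reqUrl[" + reqUrl + "]");
        }
        PostBindingConfig postBindingConfig = null;
        PostBindingConfig exactConfig = null;

        // Step 2: match the request URL against each configured ACS URL.
        for (PostBindingConfig candidate : this.postBindingCfgs) {
            String acs = candidate.getPostBindingSPConfig().getAssertionConsumerService();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "acs[" + acs + "]");
            }
            if (acs == null) {
                continue;
            }
            if (Util.isAcs(acs, reqUrl)) {
                exactConfig = candidate;
                postBindingConfig = candidate;
                exactMatch = true;
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "exact match found, pbCfg[" + ConfigUtil.getObjType(postBindingConfig) + "]");
                }
            } else if (containsTarget(acs, reqUrl)) {
                postBindingConfig = candidate;
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "match found, pbCfg[" + ConfigUtil.getObjType(postBindingConfig) + "]");
                }
                if (matchOnce) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Duplicated filter" + httpServletRequest.getRequestURI());
                    }
                    matchTwice = true;
                    postBindingConfig = null;
                }
                matchOnce = true;
            }
        }
        // An exact ACS match outranks any wildcard match, whatever the list order was.
        if (exactConfig != null) {
            postBindingConfig = exactConfig;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "exactMatch [" + exactMatch + "], matchOnce[" + matchOnce + "], matchTwice[" + matchTwice + "], pbCfg[" + ConfigUtil.getObjType(postBindingConfig) + "]");
        }

        // Step 3: configurations with an explicitly defined filter that accepts the request.
        if (!exactMatch && !matchTwice) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "explicitly filter");
            }
            for (PostBindingConfig candidate : this.postBindingCfgs) {
                PostBindingSPConfig spConfig = candidate.getPostBindingSPConfig();
                HTTPHeaderFilter filter = candidate.getHTTPHeaderFilter();
                String acs = spConfig.getAssertionConsumerService();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "acs[" + acs + "], filter[" + ConfigUtil.getObjType(filter) + "]");
                }
                if (acs != null && filter != null && filter.isAccepted(httpServletRequest) && !filter.noFilter()) {
                    postBindingConfig = candidate;
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "match found, pbCfg[" + ConfigUtil.getObjType(postBindingConfig) + "]");
                    }
                    if (matchOnce) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Duplicated filter" + httpServletRequest.getRequestURI());
                        }
                        matchTwice = true;
                        postBindingConfig = null;
                    } else {
                        matchOnce = true;
                    }
                }
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "exactMatch [" + exactMatch + "], matchOnce[" + matchOnce + "], matchTwice[" + matchTwice + "], pbCfg[" + ConfigUtil.getObjType(postBindingConfig) + "]");
        }

        // Step 4: configurations without an explicit filter (noFilter() is true) act as fallback.
        if (postBindingConfig == null && !matchTwice) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "implied filter");
            }
            for (PostBindingConfig candidate : this.postBindingCfgs) {
                PostBindingSPConfig spConfig = candidate.getPostBindingSPConfig();
                HTTPHeaderFilter filter = candidate.getHTTPHeaderFilter();
                String acs = spConfig.getAssertionConsumerService();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "acs[" + acs + "], filter[" + ConfigUtil.getObjType(filter) + "]");
                }
                if (acs != null && filter != null && filter.isAccepted(httpServletRequest) && filter.noFilter()) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Use default filter" + httpServletRequest.getRequestURI());
                    }
                    postBindingConfig = candidate;
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "match found, pbCfg[" + ConfigUtil.getObjType(postBindingConfig) + "]");
                    }
                    if (matchOnce) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Duplicated filter" + httpServletRequest.getRequestURI());
                        }
                        matchTwice = true;
                        postBindingConfig = null;
                    } else {
                        matchOnce = true;
                    }
                }
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "matchTwice[" + matchTwice + "]");
        }
        if (!matchTwice) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getPostBindingConfigForIdPSelection returns [" + postBindingConfig + "]");
            }
            return postBindingConfig;
        }
        String message = SoapSecurityException.getMessage("security.wssecurity.CWWSS8031E");
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Can not uniquely identify one SSO configuration to process the request:" + httpServletRequest.getRequestURI());
            Tr.debug(tc, message);
        }
        throw new WebTrustAssociationFailedException(message);
    }

    /**
     * Returns the only configured partner when exactly one exists and its filter accepts the
     * request.
     *
     * @param httpServletRequest incoming request
     * @return the single configuration, or {@code null} when there is not exactly one
     *     configuration, it has no filter, or its filter rejects the request
     */
    protected PostBindingConfig getDefaultPostBindingConfigForIdPSelection(HttpServletRequest httpServletRequest) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getDefaultPostBindingConfigForIdPSelection(HttpServletRequest req[" + ConfigUtil.getObjType(httpServletRequest) + "])");
        }
        PostBindingConfig postBindingConfig = null;
        if (this.postBindingCfgs != null && this.postBindingCfgs.size() == 1) {
            PostBindingConfig only = this.postBindingCfgs.get(0);
            HTTPHeaderFilter filter = only.getHTTPHeaderFilter();
            if (filter != null && filter.isAccepted(httpServletRequest)) {
                postBindingConfig = only;
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getDefaultPostBindingConfigForIdPSelection returns [" + ConfigUtil.getObjType(postBindingConfig) + "]");
        }
        return postBindingConfig;
    }

    /**
     * Tests whether {@code str2} starts with the prefix of a trailing-{@code *} pattern.
     *
     * <p>This is a raw string prefix comparison: no URL normalization and no path-segment boundary
     * is applied. An illustrative pattern such as {@code https://sp.example.com/app*} therefore
     * also matches {@code https://sp.example.com/application}. Wildcard ACS patterns should be as
     * specific as possible, ideally ending at a {@code /} before the {@code *}.
     *
     * @param str the configured pattern; only patterns longer than one character that end in
     *     {@code *} can match
     * @param str2 the incoming request URL
     * @return {@code true} when {@code str} is such a pattern and {@code str2} starts with the
     *     text before its final {@code *}; {@code false} otherwise, including for null arguments
     */
    protected boolean containsTarget(String str, String str2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "containsTarget(target[" + str + "], incoming[" + str2 + "])");
        }
        boolean matched = false;
        // length() > 1 rejects a bare "*", which would otherwise match every URL.
        if (str != null && str.endsWith("*") && str.length() > 1 && str2 != null) {
            String prefix = str.substring(0, str.lastIndexOf("*"));
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "newTarget[" + prefix + "]");
            }
            matched = str2.startsWith(prefix);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "containsTarget returns [" + matched + "]");
        }
        return matched;
    }

    /**
     * Reports whether any partner configuration built by the constructor has a filter.
     *
     * @return the value of {@code filterDefined}
     */
    public boolean hasFilter() {
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "hasFilter returns [" + this.filterDefined + "]");
        }
        return this.filterDefined;
    }

    /**
     * Returns the replay manager created by {@link #buildReplayManager(Properties)}.
     *
     * @return the replay manager; {@code null} only if {@code buildReplayManager} has not run
     */
    public ReplayManager getReplayAttackManager() {
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getReplayAttackManager returns [" + ConfigUtil.getObjType(this.replayManager) + "]");
        }
        return this.replayManager;
    }

    /**
     * Creates the replay manager and the AuthnRequest cache from one {@code ReplayManagerConfig}.
     *
     * @param properties source configuration passed to {@code ReplayManagerConfig}
     */
    protected void buildReplayManager(Properties properties) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "buildReplayManager(Properties p[" + ConfigUtil.getObjState(properties) + "])");
        }
        ReplayManagerConfig replayManagerConfig = new ReplayManagerConfig(properties);
        this.replayManager = new ReplayManagerImpl(replayManagerConfig);
        // NOTE(review): 600000 is presumably a 10-minute lifetime in milliseconds for cached
        // AuthnRequest entries; confirm against AuthnRequestCache. It is hard-coded, not read
        // from the properties.
        this.authnCache = new AuthnRequestCache(replayManagerConfig.getReplayAttackCacheEntry(), 600000, replayManagerConfig.useDistributedCache());
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "buildReplayManager(Properties p)");
        }
    }

    /**
     * Returns the AuthnRequest cache created by {@link #buildReplayManager(Properties)}.
     *
     * @return the AuthnRequest cache
     */
    public AuthnRequestCache getAuthnRequestCache() {
        return this.authnCache;
    }
}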
