package com.atlassian.plugins.authentication.impl.web.saml;

import com.atlassian.plugin.spring.scanner.annotation.component.Scanned;
import com.atlassian.plugin.spring.scanner.annotation.imports.ComponentImport;
import com.atlassian.plugins.authentication.impl.config.saml.SamlConfig;
import com.atlassian.plugins.authentication.impl.config.saml.SamlConfigService;
import com.atlassian.plugins.authentication.impl.util.ApplicationStateValidator;
import com.atlassian.plugins.authentication.impl.web.saml.provider.InvalidSamlResponse;
import com.atlassian.plugins.authentication.impl.web.saml.provider.SamlProvider;
import com.atlassian.plugins.authentication.impl.web.saml.provider.SamlRequest;
import com.atlassian.plugins.authentication.impl.web.saml.provider.SamlResponse;
import com.atlassian.plugins.authentication.impl.web.usercontext.AuthenticationFailedException;
import com.atlassian.plugins.authentication.impl.web.usercontext.PrincipalResolver;
import com.atlassian.plugins.authentication.impl.web.usercontext.rememberme.RememberMeCookieHandler;
import com.atlassian.sal.api.ApplicationProperties;
import com.atlassian.sal.api.UrlMode;
import com.atlassian.sal.api.auth.AuthenticationListener;
import com.atlassian.sal.api.auth.Authenticator;
import com.atlassian.sal.api.message.I18nResolver;
import com.google.common.collect.Iterables;
import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import java.util.Optional;
import javax.inject.Inject;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.core.UriBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

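/**
 * Servlet that consumes the SAML response POSTed back by the identity provider and, when the
 * response is accepted, signs the asserted user in and redirects to the originally requested page.
 *
 * <p>Flow of {@link #doPost}: look up the pending login's {@code SessionData} by the
 * {@code RelayState} parameter, have {@link SamlProvider} extract the response, check the
 * assertion id, resolve the username to a {@link Principal}, switch to a new session, notify the
 * {@link AuthenticationListener}, then redirect. Both failure paths notify the listener and
 * rethrow.
 *
 * <p>NOTE(review): signature, audience and validity-window checks are not visible in this class;
 * they are presumably performed inside {@code SamlProvider.extractSamlResponse} — confirm there.
 */
@Scanned
/* loaded from: input_file:com/atlassian/plugins/authentication/impl/web/saml/SamlConsumerServlet.class */
public class SamlConsumerServlet extends HttpServlet {
    private static final Logger log = LoggerFactory.getLogger(SamlConsumerServlet.class);
    public static final String URL = "/plugins/servlet/samlconsumer";
    public static final String SAML_RESPONSE_PARAM = "SAMLResponse";
    public static final String RELAY_STATE_QUERY_PARAM = "RelayState";
    private final ApplicationProperties applicationProperties;
    private final SamlConfigService samlConfigService;
    private final PrincipalResolver principalResolver;
    private final SamlProvider samlProvider;
    private final SessionDataService sessionDataService;
    private final AssertionValidationService assertionValidationService;
    private final AuthenticationListener authenticationListener;
    private final I18nResolver i18nResolver;
    private final RememberMeCookieHandler rememberMeCookieHandler;
    private final ApplicationStateValidator applicationStateValidator;

    /**
     * Wires the collaborators; every argument is stored as-is and none is used during construction.
     */
    @Inject
    public SamlConsumerServlet(
            @ComponentImport ApplicationProperties applicationProperties,
            SamlConfigService samlConfigService,
            PrincipalResolver principalResolver,
            SamlProvider samlProvider,
            SessionDataService sessionDataService,
            AssertionValidationService assertionValidationService,
            @ComponentImport AuthenticationListener authenticationListener,
            @ComponentImport I18nResolver i18nResolver,
            RememberMeCookieHandler rememberMeCookieHandler,
            ApplicationStateValidator applicationStateValidator) {
        this.applicationProperties = applicationProperties;
        this.samlConfigService = samlConfigService;
        this.principalResolver = principalResolver;
        this.samlProvider = samlProvider;
        this.sessionDataService = sessionDataService;
        this.assertionValidationService = assertionValidationService;
        this.rememberMeCookieHandler = rememberMeCookieHandler;
        this.authenticationListener = authenticationListener;
        this.i18nResolver = i18nResolver;
        this.applicationStateValidator = applicationStateValidator;
    }

    /**
     * Handles the identity provider's POST to the consumer URL.
     *
     * @param httpServletRequest request carrying the SAML response and the {@code RelayState} parameter
     * @param httpServletResponse response used for the final redirect
     * @throws IOException if sending the redirect fails
     * @throws InvalidSamlResponse rethrown after the listener has been told about the failure;
     *     the stored target URL (if any) is attached to it first
     * @throws AuthenticationFailedException rethrown after the listener has been told about the failure
     */
    protected void doPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        log.debug("Received SAML POST payload");
        this.applicationStateValidator.checkCanConsumeSaml();

        // RelayState arrives from the browser and is therefore caller-controlled. Here it is only
        // handed to SessionDataService as a lookup key; the redirect target is taken from the
        // session data that lookup returns, never from the parameter itself.
        String relayState = httpServletRequest.getParameter(RELAY_STATE_QUERY_PARAM);
        Optional<SessionData> sessionData =
                this.sessionDataService.getSessionData(httpServletRequest, httpServletResponse, relayState);
        // Typed explicitly: the decompiler left an unresolved type variable (Optional<U>) here.
        Optional<SamlRequest> samlRequest = sessionData.map(data -> data.getSamlRequest());
        String redirectTarget = extractTargetUrlOrReturnBaseUrl(sessionData);

        // Stays null until the username has been read from the response, so the
        // "authenticationfailed" message below can carry a null argument.
        String username = null;
        try {
            // A null request is passed when no session data was found for this RelayState.
            // NOTE(review): whether the provider then rejects or accepts an unsolicited response
            // is decided inside SamlProvider — confirm.
            SamlResponse samlResponse =
                    this.samlProvider.extractSamlResponse(httpServletRequest, httpServletResponse, samlRequest.orElse(null));
            // NOTE(review): presumably the replay check (assertion id seen before) — confirm in
            // AssertionValidationService.
            this.assertionValidationService.validateAssertionId(samlResponse);
            username = getUsernameAttribute(samlResponse, this.samlConfigService.getSamlConfig());
            // The username is identity data taken from the assertion; it is logged at debug level only.
            log.debug("Extracted username {} from valid SAML request", username);
            Principal principal = this.principalResolver.resolvePrincipal(username, httpServletRequest);
            log.debug("Authenticated user {}, redirecting to {}", username, redirectTarget);

            // The session is renewed before the authenticated state is attached to it.
            // NOTE(review): presumably the session-fixation defence — confirm requireNewSession
            // invalidates the pre-login session id.
            this.sessionDataService.requireNewSession(httpServletRequest);
            this.sessionDataService.setUserLoggedInWithSaml(httpServletRequest);
            this.authenticationListener.authenticationSuccess(
                    new Authenticator.Result.Success(
                            this.i18nResolver.createMessage("saml.authentication.successful", new Serializable[] {username}),
                            principal),
                    httpServletRequest,
                    httpServletResponse);
            refreshRememberMeCookieIfNeeded(httpServletRequest, httpServletResponse, principal);
            productSpecificWorkarounds(httpServletRequest);
            httpServletResponse.sendRedirect(redirectTarget);
        } catch (InvalidSamlResponse e) {
            e.setTargetUrl(sessionData.flatMap(data -> data.getTargetUrl()).map(url -> url.toString()).orElse(null));
            // The failure message records the client address, not any value from the rejected payload.
            this.authenticationListener.authenticationFailure(
                    new Authenticator.Result.Failure(
                            this.i18nResolver.createMessage(
                                    "saml.authentication.invalidsamlresponse",
                                    new Serializable[] {httpServletRequest.getRemoteAddr()})),
                    httpServletRequest,
                    httpServletResponse);
            throw e;
        } catch (AuthenticationFailedException e2) {
            this.authenticationListener.authenticationFailure(
                    new Authenticator.Result.Failure(
                            this.i18nResolver.createMessage(
                                    "saml.authentication.authenticationfailed", new Serializable[] {username})),
                    httpServletRequest,
                    httpServletResponse);
            throw e2;
        }
    }

    /**
     * Builds the post-login redirect target.
     *
     * <p>When the session data holds a target URL, its path is re-rooted under the application's
     * relative base URL; otherwise the relative base URL itself is used. An empty result becomes
     * {@code "/"}.
     *
     * <p>Only the path is rewritten: {@code UriBuilder.fromUri} copies every other component of
     * the stored URI (scheme, authority, query, fragment) into the result.
     * NOTE(review): confirm the target URL is restricted to this application's origin at the point
     * where it is written into the session data; nothing in this method enforces that.
     *
     * @param optional session data of the pending login, if any was found
     * @return the URL to redirect to, never empty
     */
    private String extractTargetUrlOrReturnBaseUrl(Optional<SessionData> optional) {
        String relativeBaseUrl = this.applicationProperties.getBaseUrl(UrlMode.RELATIVE);
        String target = optional
                .flatMap(data -> data.getTargetUrl())
                .map(uri -> UriBuilder.fromUri(uri)
                        .replacePath("")
                        .path(relativeBaseUrl)
                        .path(uri.getPath())
                        .build()
                        .toString())
                .orElse(relativeBaseUrl);
        return target.isEmpty() ? "/" : target;
    }

    /**
     * Refreshes the remember-me cookie for the signed-in principal, but only when the SAML
     * configuration has remember-me enabled.
     */
    private void refreshRememberMeCookieIfNeeded(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Principal principal) {
        if (!this.samlConfigService.getSamlConfig().isEnableRememberMe()) {
            return;
        }
        this.rememberMeCookieHandler.refreshRememberMeCookie(httpServletRequest, httpServletResponse, principal);
    }

    /**
     * Applies request and session attributes that are set only when the platform id is
     * {@code "jira"}; on other products this is a no-op.
     */
    private void productSpecificWorkarounds(HttpServletRequest httpServletRequest) {
        if (!"jira".equals(this.applicationProperties.getPlatformId())) {
            return;
        }
        httpServletRequest.setAttribute(
                "com.atlassian.web.servlet.plugin.request.RedirectInterceptingResponse.sendRedirect", Boolean.TRUE);
        // Stores the session's current max inactive interval under the BotKiller key.
        // NOTE(review): presumably keeps Jira's bot-killer from shortening the freshly created
        // session — confirm against the Jira side.
        int maxInactiveInterval = httpServletRequest.getSession().getMaxInactiveInterval();
        httpServletRequest.getSession().setAttribute("com.atlassian.labs.botkiller.BotKiller", maxInactiveInterval);
    }

    /**
     * Picks the username out of the SAML response: the single value of the configured username
     * attribute when one is configured, otherwise the response's NameID.
     *
     * <p>{@code Iterables.getOnlyElement} throws {@code NoSuchElementException} when the attribute
     * has no value and {@code IllegalArgumentException} when it has more than one.
     * NOTE(review): unless the exception types caught in {@code doPost} cover these, the failure
     * leaves {@code doPost} without the authentication listener being notified — confirm.
     */
    private String getUsernameAttribute(SamlResponse samlResponse, SamlConfig samlConfig) {
        String attributeName = samlConfig.getUsernameAttribute();
        if (attributeName == null) {
            return samlResponse.getNameId();
        }
        return (String) Iterables.getOnlyElement(samlResponse.getAttribute(attributeName));
    }
}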
