package com.sun.identity.saml2.plugins;

import com.sun.identity.cot.CircleOfTrustManager;

import com.sun.identity.cot.CircleOfTrustDescriptor;

import com.sun.identity.cot.COTException;

import com.sun.identity.saml2.common.SAML2Exception;

import com.sun.identity.saml2.common.SAML2Utils;

import com.sun.identity.saml2.common.SAML2Constants;

import com.sun.identity.saml2.jaxb.assertion.AttributeElement;

import com.sun.identity.saml2.jaxb.assertion.AttributeValueElement;

import com.sun.identity.saml2.jaxb.entityconfig.IDPSSOConfigElement;

import com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement;

import com.sun.identity.saml2.jaxb.metadata.EntityDescriptorElement;

import com.sun.identity.saml2.jaxb.metadata.ExtensionsType;

import com.sun.identity.saml2.jaxb.metadataattr.EntityAttributesElement;

import com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement;

import com.sun.identity.saml2.meta.SAML2MetaManager;

import com.sun.identity.saml2.meta.SAML2MetaUtils;

import com.sun.identity.saml2.meta.SAML2MetaException;

import com.sun.identity.saml2.profile.IDPSSOUtil;

import com.sun.identity.saml2.profile.SPSSOFederate;

import com.sun.identity.saml2.profile.SPCache;

import com.sun.identity.saml2.protocol.AuthnRequest;

import com.sun.identity.saml2.protocol.RequestedAuthnContext;

import java.util.ArrayList;

import java.util.List;

import java.util.Map;

import java.util.HashMap;

import java.util.HashSet;

import java.util.Iterator;

import java.util.Set;

import java.util.StringTokenizer;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

import javax.servlet.http.HttpSession;

import org.apache.commons.lang.StringUtils;

public class SAML2IDPProxyFRImpl implements SAML2IDPFinder {

public static String IDP_FINDER_ENABLED_IN_SP = "idpFinderEnabled";

public static String SESSION_ATTR_NAME_IDP_LIST = "_IDPLIST_";

public static String SESSION_ATTR_NAME_RELAYSTATE = "_RELAYSTATE_";

public static String SESSION_ATTR_NAME_SPREQUESTER = "_SPREQUESTER_";

public static String SESSION_ATTR_NAME_REQAUTHNCONTEXT = "_REQAUTHNCONTEXT_";

SPSSODescriptorElement spSSODescriptor = null;

String relayState = "";

String binding = "";

/*

public SAML2IDPProxyFRImpl() {

}

public static String className = "SAML2IDPProxyFRImpl.";

/**

public List getPreferredIDP(

AuthnRequest authnRequest,

String hostProviderID,

String realm,

HttpServletRequest request,

HttpServletResponse response) throws SAML2Exception {

// Entering the class and method

String methodName = "getPreferredIDP";

String classMethod = className + methodName + ":";

debugMessage(methodName, "Entering.");

Boolean isIdpFinderForAllSPsEnabled = isIDPFinderForAllSPs(realm, hostProviderID);

// Start the logic to obtain the list of preferred IdPs

try {

// Inititate the metadata manager

SAML2MetaManager sm = new SAML2MetaManager();

if (sm == null) {

throw new SAML2Exception(

SAML2Utils.bundle.getString("errorMetaManager"));

}

// Obtain the SP configuration

try {

spSSODescriptor = IDPSSOUtil.metaManager.getSPSSODescriptor(realm, authnRequest.getIssuer().getValue().toString());

} catch (SAML2MetaException sme) {

SAML2Utils.debug.error(classMethod, sme);

spSSODescriptor = null;

}

// Get the relay state from the request, if exists

relayState = request.getParameter(SAML2Constants.RELAY_STATE);

binding = SAML2Constants.HTTP_REDIRECT;

if (request.getMethod().equals("POST")) {

binding = SAML2Constants.HTTP_POST;

}

// Read the local metadata of the SP that made the request

SPSSOConfigElement spEntityCfg =

sm.getSPSSOConfig(realm, authnRequest.getIssuer().getValue());

Map spConfigAttrsMap = null;

if (spEntityCfg != null) {

spConfigAttrsMap = SAML2MetaUtils.getAttributes(spEntityCfg);

}

// Check if the local configuration of the remote SP wants to use

// the Introduction Cookie

Boolean isIntroductionForProxyingEnabled = false;

String useIntroductionForProxying =

SPSSOFederate.getParameter(spConfigAttrsMap,

SAML2Constants.USE_INTRODUCTION_FOR_IDP_PROXY);

if (useIntroductionForProxying != null)

isIntroductionForProxyingEnabled =

useIntroductionForProxying.equalsIgnoreCase("true");

// Check if the local configuration of the remote SP wants to use

// the IDP Finder

Boolean isIdPFinderEnabled = false;

String idpFinderEnabled = SPSSOFederate.getParameter(spConfigAttrsMap,

IDP_FINDER_ENABLED_IN_SP);

if (idpFinderEnabled != null)

isIdPFinderEnabled = idpFinderEnabled.equalsIgnoreCase("true");

String idpFinderJSP = getIDPFinderJSP(realm, hostProviderID);

// providerIDs will contain the list of IdPs to return from this method

List providerIDs = new ArrayList();

// If the SP doesn't want to use the Introduction cookie and does not

// want to use the IdP Finder. i.e. just use the manual list in the

// extended metadata

if (!isIntroductionForProxyingEnabled && !isIdPFinderEnabled

&& !isIdpFinderForAllSPsEnabled) {

debugMessage(methodName, " idpFinder wil use the static list of the SP");

List<String> proxyIDPs = null;

if (spConfigAttrsMap != null && !spConfigAttrsMap.isEmpty()) {

proxyIDPs = (List<String>) spConfigAttrsMap.get(SAML2Constants.IDP_PROXY_LIST);

}

debugMessage(methodName, " List from the configuration: " + proxyIDPs);

if (proxyIDPs == null || proxyIDPs.isEmpty()) {

SAML2Utils.debug.error("SAML2IDPProxyImpl.getPrefferedIDP:"

+ "Preferred IDPs are null.");

return null;

}

// If there are several IdPs listed in the SP configuration,

// give the user the chance to select one interactively

if (proxyIDPs.size() > 1) {

String idpListSt = selectIDPBasedOnLOA(proxyIDPs, realm, authnRequest);

// Construct the IDPFinder URL to redirect to

String idpFinder = getRedirect(request, idpFinderJSP);

// Generate the requestID

String requestID = SAML2Utils.generateID();

// Store the important stuff and the session parameters so the

// idpFinderImplemenatation can read them and process them

storeSessionParamsAndCache(request, idpListSt, authnRequest,

hostProviderID, realm, requestID);

debugMessage(methodName, ": Redirect url = " + idpFinder);

response.sendRedirect(idpFinder);

// return something different than null

providerIDs.add(requestID);

debugMessage(methodName, " Redirected successfully");

return providerIDs;

}

providerIDs.add(proxyIDPs.iterator().next());

return providerIDs;

}

// If the SP wants to use the IdPFinder or it is globally enabled

// and it does not want to use the introduction cookie

if (!isIntroductionForProxyingEnabled && (isIdPFinderEnabled

|| isIdpFinderForAllSPsEnabled)) {

debugMessage(methodName, "SP wants to use IdP Finder");

String idpListSt = idpList(authnRequest, realm);

if (!idpListSt.trim().isEmpty()) {

// Construct the IDPFinder URL to redirect to

String idpFinder = getRedirect(request, idpFinderJSP);

// Generate the requestID

String requestID = SAML2Utils.generateID();

// Store the important stuff and the session parameters so the

// idpFinderImplemenatation can read them and process them

storeSessionParamsAndCache(request, idpListSt, authnRequest,

hostProviderID, realm, requestID);

debugMessage(methodName, ": Redirect url = " + idpFinder);

response.sendRedirect(idpFinder);

// return something different than null

providerIDs.add(requestID);

debugMessage(methodName, " Redirected successfully");

return providerIDs;

} else {

return null;

}

} else {

// IDP Proxy with introduction cookie

List cotList = (List) spConfigAttrsMap.get("cotlist");

String cotListStr = (String) cotList.iterator().next();

CircleOfTrustManager cotManager = new CircleOfTrustManager();

CircleOfTrustDescriptor cotDesc =

cotManager.getCircleOfTrust(realm, cotListStr);

String readerURL = cotDesc.getSAML2ReaderServiceURL();

if (SAML2Utils.debug.messageEnabled()) {

SAML2Utils.debug.message(classMethod + "SAMLv2 idp"

+ "discovery reader URL = " + readerURL);

}

if (readerURL != null && (!readerURL.equals(""))) {

String rID = SAML2Utils.generateID();

String redirectURL =

SAML2Utils.getRedirectURL(readerURL, rID, request);

if (SAML2Utils.debug.messageEnabled()) {

SAML2Utils.debug.error(classMethod

+ "Redirect url = " + redirectURL);

}

if (redirectURL != null) {

response.sendRedirect(redirectURL);

Map aMap = new HashMap();

SPCache.reqParamHash.put(rID, aMap);

providerIDs.add(rID);

return providerIDs;

}

}

}

return null;

} catch (SAML2MetaException ex) {

SAML2Utils.debug.error(classMethod

+ "meta Exception in retrieving the preferred IDP", ex);

return null;

} catch (COTException sme) {

SAML2Utils.debug.error(classMethod

+ "Error retreiving COT ", sme);

return null;

} catch (Exception e) {

SAML2Utils.debug.error(classMethod

+ "Exception in retrieving the preferred IDP", e);

return null;

}

}

private void debugMessage(String methodName, String message) {

String classMethod = "SAML2IDPPRoxyFRImpl." + methodName + ":";

if (SAML2Utils.debug.messageEnabled()) {

SAML2Utils.debug.message(classMethod + message);

}

}

private String idpList(

AuthnRequest authnRequest,

String realm)

{

String classMethod = "idpList";

try {

List<String> idpList = SAML2Utils.getSAML2MetaManager().getAllRemoteIdentityProviderEntities(realm);

return selectIDPBasedOnLOA(idpList, realm, authnRequest);

} catch (SAML2MetaException me) {

debugMessage(classMethod, "SOmething went wrong: " + me);

return null;

}

}

private String selectIDPBasedOnLOA(List<String> idpList, String realm, AuthnRequest authnRequest) {

String classMethod = "selectIdPBasedOnLOA";

EntityDescriptorElement idpDesc = null;

Set authnRequestContextSet = null;

String idps = "";

try {

RequestedAuthnContext requestedAuthnContext = authnRequest.getRequestedAuthnContext();

if (requestedAuthnContext == null) {

//Handle the special case when the original request did not contain any Requested AuthnContext:

//In this case we just simply return all the IdPs as each one should support a default AuthnContext.

return StringUtils.join(idpList, " ");

}

List listOfAuthnContexts = requestedAuthnContext.getAuthnContextClassRef();

debugMessage(classMethod, "listofAuthnContexts: " + listOfAuthnContexts);

try {

authnRequestContextSet = new HashSet(listOfAuthnContexts);

} catch (Exception ex1) {

authnRequestContextSet = new HashSet();

}

if ((idpList != null) && (!idpList.isEmpty())) {

Iterator idpI = idpList.iterator();

while (idpI.hasNext()) {

String idp = (String) idpI.next();

debugMessage(classMethod, "IDP is: " + idp);

idpDesc = SAML2Utils.getSAML2MetaManager().getEntityDescriptor(realm, idp);

if (idpDesc != null) {

ExtensionsType et = idpDesc.getExtensions();

if (et != null) {

debugMessage(classMethod, "Extensions found for idp: " + idp);

List idpExtensions = et.getAny();

if (idpExtensions != null || !idpExtensions.isEmpty()) {

debugMessage(classMethod, "Extensions content found for idp: " + idp);

Iterator idpExtensionsI = idpExtensions.iterator();

while (idpExtensionsI.hasNext()) {

EntityAttributesElement eael = (EntityAttributesElement) idpExtensionsI.next();

if (eael != null) {

debugMessage(classMethod, "Entity Attributes found for idp: " + idp);

List attribL = eael.getAttributeOrAssertion();

if (attribL != null || !attribL.isEmpty()) {

Iterator attrI = attribL.iterator();

while (attrI.hasNext()) {

AttributeElement ae = (AttributeElement) attrI.next();

// TODO: Verify what type of element this is (Attribute or assertion)

// For validation purposes

List av = ae.getAttributeValue();

if (av != null || !av.isEmpty()) {

debugMessage(classMethod, "Attribute Values found for idp: " + idp);

Iterator avI = av.iterator();

while (avI.hasNext()) {

AttributeValueElement ave = (AttributeValueElement) avI.next();

if (ave != null) {

List contentL = ave.getContent();

debugMessage(classMethod, "Attribute Value Elements found for idp: " + idp

+ "-->" + contentL);

if (contentL != null || !contentL.isEmpty()) {

Set idpContextSet = trimmedListToSet(contentL);

debugMessage(classMethod, "idpContextSet = " + idpContextSet);

idpContextSet.retainAll(authnRequestContextSet);

if (idpContextSet != null && !idpContextSet.isEmpty()) {

idps = idp + " " + idps;

debugMessage(classMethod, "Extension Values found for idp " + idp

+ ": " + idpContextSet);

}

}

}

}

}

}

}

}

}

}

} else {

debugMessage(classMethod, " No extensions found for IdP " + idp);

}

} else {

debugMessage(classMethod, "Configuration for the idp " + idp + " was not found in this system");

}

}

}

} catch (SAML2MetaException me) {

debugMessage(classMethod, "SOmething went wrong: " + me);

}

debugMessage(classMethod, " IDPList returns: " + idps);

return idps.trim();

}

private String selectIDPBasedOnAuthContext(List idpList, String realm, AuthnRequest authnRequest) {

String classMethod = "selectIdPBasedOnLOA";

EntityDescriptorElement idpDesc = null;

Set authnRequestContextSet = null;

String idps = "";

try {

List listOfAuthnContexts = authnRequest.getRequestedAuthnContext().getAuthnContextClassRef();

debugMessage(classMethod, "listofAuthnContexts: " + listOfAuthnContexts);

try {

authnRequestContextSet = new HashSet(listOfAuthnContexts);

} catch (Exception ex1) {

authnRequestContextSet = new HashSet();

}

if ((idpList != null) && (!idpList.isEmpty())) {

Iterator idpI = idpList.iterator();

while (idpI.hasNext()) {

String idp = (String) idpI.next();

debugMessage(classMethod, "IDP is: " + idp);

List supportedAuthnContextsbyIDP =

getSupportedAuthnContextsByIDP(realm, idp);

if (supportedAuthnContextsbyIDP != null) {

debugMessage(classMethod, "Standard Authn Contexts found for idp: " + idp);

Set idpContextSet = trimmedListToSet(supportedAuthnContextsbyIDP);

debugMessage(classMethod, "idpContextSet = " + idpContextSet);

idpContextSet.retainAll(authnRequestContextSet);

if (idpContextSet != null && !idpContextSet.isEmpty()) {

idps = idp + " " + idps;

debugMessage(classMethod, "Standard Authn Contexts found for idp " + idp

+ ": " + idpContextSet);

}

} else {

debugMessage(classMethod, "The IdP" + idp + " has no standard authentication"

+ " contexts configured");

}

}

}

} catch (Exception me) {

SAML2Utils.debug.error(classMethod + "Error when trying to get the idp's by standard Authn Context: " + me);

}

debugMessage(classMethod, " IDPList returns: " + idps);

return idps.trim();

}

private Set trimmedListToSet(List list) {

Set trimmedSet= new HashSet();

String classMethod = "trimmedListToSet";

Iterator I = list.iterator();

while (I.hasNext()) {

trimmedSet.add(I.next().toString().trim());

debugMessage(classMethod, " element added to Set : ");

}

return trimmedSet;

}

private String buildReturnURL(String requestID,

HttpServletRequest request) {

String methodName = "buildReturnURL";

StringBuffer sb = new StringBuffer();

String baseURL = request.getScheme() + "://" +

request.getHeader("host") +

request.getRequestURI();

String qs = request.getQueryString();

if (qs != null && !qs.isEmpty()) {

baseURL = baseURL + "?" + qs;

}

StringBuffer retURL = new StringBuffer().append(baseURL);

if (retURL.toString().indexOf("?") == -1) {

retURL.append("?");

} else {

retURL.append("&");

}

retURL.append("requestID=").append(requestID);

sb.append(retURL);

String returnURL = sb.toString();

debugMessage(methodName, " ReturnURL is: " + returnURL);

return returnURL;

}

private void storeSessionParamsAndCache(

HttpServletRequest request,

String idpListSt,

AuthnRequest authnRequest,

String hostProviderID,

String realm,

String requestID) {

String methodName = "storeSessionParamsAndCache";

HttpSession hts = request.getSession();

hts.setAttribute(SESSION_ATTR_NAME_IDP_LIST, idpListSt);

debugMessage(methodName, " Setting " + SESSION_ATTR_NAME_IDP_LIST + " = " + idpListSt);

hts.setAttribute(SESSION_ATTR_NAME_RELAYSTATE, buildReturnURL(requestID, request));

debugMessage(methodName, " Setting " + SESSION_ATTR_NAME_RELAYSTATE);

hts.setAttribute(SESSION_ATTR_NAME_SPREQUESTER, authnRequest.getIssuer().getValue().toString());

debugMessage(methodName, " Setting " + SESSION_ATTR_NAME_SPREQUESTER);

RequestedAuthnContext requestedAuthnContext = authnRequest.getRequestedAuthnContext();

hts.setAttribute(SESSION_ATTR_NAME_REQAUTHNCONTEXT,

requestedAuthnContext == null ? null : requestedAuthnContext.getAuthnContextClassRef());

debugMessage(methodName, " Setting " + SESSION_ATTR_NAME_REQAUTHNCONTEXT);

// Save the important param in the reqParamHash so we can

// locate them when we return to the IDPSSOFederate.

Map paramsMap = new HashMap();

paramsMap.put("authnReq", authnRequest);

paramsMap.put("spSSODescriptor", spSSODescriptor);

paramsMap.put("idpEntityID", hostProviderID);

paramsMap.put("realm", realm);

paramsMap.put("relayState", relayState);

paramsMap.put("binding", binding);

SPCache.reqParamHash.put(requestID, paramsMap);

}

private String getRedirect(

HttpServletRequest request,

String idpFinderImplementation) {

String methodName = "getRedirect";

// Get the base URL and construct the IdP Finder URL

String baseURL = request.getScheme() + "://"

+ request.getHeader("host")

+ request.getContextPath();

String idpFinder = baseURL + "/" + idpFinderImplementation;

debugMessage(methodName, ": Redirect url = " + idpFinder);

return idpFinder;

}

/**

private Boolean isIDPFinderForAllSPs(

String realm, String idpEntityID)

throws SAML2Exception {

String methodName = "isIDPFinderForAllSPs";

Boolean isIdpFinderForAllSPsEnabled = false;

try {

String idpFinderForAllSPs = IDPSSOUtil.getAttributeValueFromIDPSSOConfig(

realm, idpEntityID, SAML2Constants.ENABLE_PROXY_IDP_FINDER_FOR_ALL_SPS);

if (idpFinderForAllSPs != null && !idpFinderForAllSPs.isEmpty()) {

debugMessage(methodName, "idpFinderForAllSPs is: " + idpFinderForAllSPs);

isIdpFinderForAllSPsEnabled = idpFinderForAllSPs.equalsIgnoreCase("true");

} else isIdpFinderForAllSPsEnabled = false;

} catch (Exception ex) {

SAML2Utils.debug.error(methodName +

"Unable to get IDP Proxy Finder.", ex);

throw new SAML2Exception(ex);

}

return isIdpFinderForAllSPsEnabled;

}

/**

private String getIDPFinderJSP(

String realm, String idpEntityID)

throws SAML2Exception {

String methodName = "getIDPFinderJSP";

String idpFinderJSP = SAML2Constants.DEFAULT_PROXY_IDP_FINDER;

try {

idpFinderJSP = IDPSSOUtil.getAttributeValueFromIDPSSOConfig(

realm, idpEntityID, SAML2Constants.PROXY_IDP_FINDER_JSP);

if (idpFinderJSP != null && !idpFinderJSP.isEmpty()) {

debugMessage(methodName, "idpFinderForAllSPs is: " + idpFinderJSP);

}

} catch (Exception ex) {

SAML2Utils.debug.error(methodName +

"Unable to get IDP Proxy Finder.", ex);

throw new SAML2Exception(ex);

}

return idpFinderJSP;

}

public List getAttributeListValueFromIDPSSOConfig(

String realm,

String hostEntityId,

String attrName)

{

String classMethod = "IDPSSOUtil.getAttributeValueFromIDPSSOConfig: ";

List result = null;

try {

IDPSSOConfigElement config = SAML2Utils.getSAML2MetaManager().getIDPSSOConfig(

realm, hostEntityId);

Map attrs = SAML2MetaUtils.getAttributes(config);

List value = (List) attrs.get(attrName);

if (value != null && value.size() != 0) {

result = value;

}

} catch (SAML2MetaException sme) {

if (SAML2Utils.debug.messageEnabled()) {

SAML2Utils.debug.message(classMethod +

"get IDPSSOConfig failed:", sme);

}

result = null;

}

return result;

}

public List getSupportedAuthnContextsByIDP(String realm, String hostEntityId)

{

List authnContextList = null;

List supportedClassRef = null;

supportedClassRef =

getAttributeListValueFromIDPSSOConfig(

realm,

hostEntityId,

SAML2Constants.IDP_AUTHNCONTEXT_CLASSREF_MAPPING);

if (supportedClassRef != null && !supportedClassRef.isEmpty()) {

Iterator it = supportedClassRef.iterator();

while (it.hasNext()) {

StringTokenizer tokenizer =

new StringTokenizer((String) it.next(), "|");

if (tokenizer.countTokens() > 1) {

authnContextList.add(tokenizer.nextToken());

}

}

}

return authnContextList;

}

}