package org.pac4j.saml.sso;

import java.util.Iterator;
import java.util.List;
import org.joda.time.DateTime;
import org.opensaml.common.SAMLObject;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.saml2.core.SubjectConfirmationData;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.validation.ValidationException;
import org.pac4j.saml.context.ExtendedSAMLMessageContext;
import org.pac4j.saml.exceptions.SamlException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/pac4j/saml/sso/Saml2ResponseValidator.class */
public class Saml2ResponseValidator {
    private static final Logger logger = LoggerFactory.getLogger(Saml2ResponseValidator.class);
    private int acceptedSkew = 120;
    private int maximumAuthenticationLifetime = 3600;

    public void validateSamlResponse(ExtendedSAMLMessageContext extendedSAMLMessageContext, SignatureTrustEngine signatureTrustEngine, Decrypter decrypter) {
        SAMLObject inboundSAMLMessage = extendedSAMLMessageContext.getInboundSAMLMessage();
        if (!(inboundSAMLMessage instanceof Response)) {
            throw new SamlException("Response instance is an unsupported type");
        }
        Response response = (Response) inboundSAMLMessage;
        validateSamlProtocolResponse(response, extendedSAMLMessageContext, signatureTrustEngine);
        if (decrypter != null) {
            decryptEncryptedAssertions(response, decrypter);
        }
        validateSamlSSOResponse(response, extendedSAMLMessageContext, signatureTrustEngine, decrypter);
    }

    public void validateSamlProtocolResponse(Response response, ExtendedSAMLMessageContext extendedSAMLMessageContext, SignatureTrustEngine signatureTrustEngine) {
        if (!isIssueInstantValid(response.getIssueInstant())) {
            throw new SamlException("Response issue instant is too old or in the future");
        }
        if (response.getIssuer() != null) {
            validateIssuer(response.getIssuer(), extendedSAMLMessageContext);
        }
        if (!"urn:oasis:names:tc:SAML:2.0:status:Success".equals(response.getStatus().getStatusCode().getValue())) {
            String value = response.getStatus().getStatusCode().getValue();
            if (response.getStatus().getStatusMessage() != null) {
                value = value + " / " + response.getStatus().getStatusMessage().getMessage();
            }
            throw new SamlException("Authentication response is not success ; actual " + value);
        }
        if (response.getSignature() != null) {
            validateSignature(response.getSignature(), extendedSAMLMessageContext.getPeerEntityId(), signatureTrustEngine);
            extendedSAMLMessageContext.setInboundSAMLMessageAuthenticated(true);
        }
    }

    public void validateSamlSSOResponse(Response response, ExtendedSAMLMessageContext extendedSAMLMessageContext, SignatureTrustEngine signatureTrustEngine, Decrypter decrypter) {
        Iterator it = response.getAssertions().iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            Assertion assertion = (Assertion) it.next();
            if (assertion.getAuthnStatements().size() > 0) {
                try {
                    validateAssertion(assertion, extendedSAMLMessageContext, signatureTrustEngine, decrypter);
                    extendedSAMLMessageContext.setSubjectAssertion(assertion);
                    break;
                } catch (SamlException e) {
                    logger.error("Current assertion validation failed, continue with the next one", e);
                }
            }
        }
        if (extendedSAMLMessageContext.getSubjectAssertion() == null) {
            throw new SamlException("No valid subject assertion found in response");
        }
        if (extendedSAMLMessageContext.getSubjectNameIdentifier() == null) {
            throw new SamlException("Subject NameID cannot be null");
        }
    }

    protected void decryptEncryptedAssertions(Response response, Decrypter decrypter) {
        Iterator it = response.getEncryptedAssertions().iterator();
        while (it.hasNext()) {
            try {
                response.getAssertions().add(decrypter.decrypt((EncryptedAssertion) it.next()));
            } catch (DecryptionException e) {
                logger.error("Decryption of assertion failed, continue with the next one", e);
            }
        }
    }

    protected void validateIssuer(Issuer issuer, ExtendedSAMLMessageContext extendedSAMLMessageContext) {
        if (issuer.getFormat() != null && !issuer.getFormat().equals("urn:oasis:names:tc:SAML:2.0:nameid-format:entity")) {
            throw new SamlException("Issuer type is not entity but " + issuer.getFormat());
        }
        if (!extendedSAMLMessageContext.getPeerEntityMetadata().getEntityID().equals(issuer.getValue())) {
            throw new SamlException("Issuer " + issuer.getValue() + " does not match idp entityId " + extendedSAMLMessageContext.getPeerEntityMetadata().getEntityID());
        }
    }

    protected void validateAssertion(Assertion assertion, ExtendedSAMLMessageContext extendedSAMLMessageContext, SignatureTrustEngine signatureTrustEngine, Decrypter decrypter) {
        if (!isIssueInstantValid(assertion.getIssueInstant())) {
            throw new SamlException("Assertion issue instant is too old or in the future");
        }
        validateIssuer(assertion.getIssuer(), extendedSAMLMessageContext);
        if (assertion.getSubject() == null) {
            throw new SamlException("Assertion subject cannot be null");
        }
        validateSubject(assertion.getSubject(), extendedSAMLMessageContext, decrypter);
        validateAssertionConditions(assertion.getConditions(), extendedSAMLMessageContext);
        validateAuthenticationStatements(assertion.getAuthnStatements(), extendedSAMLMessageContext);
        validateAssertionSignature(assertion.getSignature(), extendedSAMLMessageContext, signatureTrustEngine);
    }

    protected void validateSubject(Subject subject, ExtendedSAMLMessageContext extendedSAMLMessageContext, Decrypter decrypter) {
        for (SubjectConfirmation subjectConfirmation : subject.getSubjectConfirmations()) {
            if ("urn:oasis:names:tc:SAML:2.0:cm:bearer".equals(subjectConfirmation.getMethod()) && isValidBearerSubjectConfirmationData(subjectConfirmation.getSubjectConfirmationData(), extendedSAMLMessageContext)) {
                NameID nameID = null;
                if (subject.getEncryptedID() == null) {
                    nameID = subject.getNameID();
                } else if (decrypter == null) {
                    logger.warn("Encrypted attributes returned, but no keystore was provided.");
                } else {
                    try {
                        nameID = decrypter.decrypt(subject.getEncryptedID());
                    } catch (DecryptionException e) {
                        throw new SamlException("Decryption of nameID's subject failed", e);
                    }
                }
                extendedSAMLMessageContext.setSubjectNameIdentifier(nameID);
                return;
            }
        }
        throw new SamlException("Subject confirmation validation failed");
    }

    protected boolean isValidBearerSubjectConfirmationData(SubjectConfirmationData subjectConfirmationData, ExtendedSAMLMessageContext extendedSAMLMessageContext) {
        if (subjectConfirmationData == null) {
            logger.debug("SubjectConfirmationData cannot be null for Bearer confirmation");
            return false;
        }
        if (subjectConfirmationData.getNotBefore() != null) {
            logger.debug("SubjectConfirmationData notBefore must be null for Bearer confirmation");
            return false;
        }
        if (subjectConfirmationData.getNotOnOrAfter() == null) {
            logger.debug("SubjectConfirmationData notOnOrAfter cannot be null for Bearer confirmation");
            return false;
        }
        if (subjectConfirmationData.getNotOnOrAfter().plusSeconds(this.acceptedSkew).isBeforeNow()) {
            logger.debug("SubjectConfirmationData notOnOrAfter is too old");
            return false;
        }
        if (subjectConfirmationData.getRecipient() == null) {
            logger.debug("SubjectConfirmationData recipient cannot be null for Bearer confirmation");
            return false;
        }
        if (subjectConfirmationData.getRecipient().equals(extendedSAMLMessageContext.getAssertionConsumerUrl())) {
            return true;
        }
        logger.debug("SubjectConfirmationData recipient {} does not match SP assertion consumer URL, found", subjectConfirmationData.getRecipient());
        return false;
    }

    protected void validateAssertionConditions(Conditions conditions, ExtendedSAMLMessageContext extendedSAMLMessageContext) {
        if (conditions == null) {
            throw new SamlException("Assertion conditions cannot be null");
        }
        if (conditions.getNotBefore() != null && conditions.getNotBefore().minusSeconds(this.acceptedSkew).isAfterNow()) {
            throw new SamlException("Assertion condition notBefore is not valid");
        }
        if (conditions.getNotOnOrAfter() != null && conditions.getNotOnOrAfter().plusSeconds(this.acceptedSkew).isBeforeNow()) {
            throw new SamlException("Assertion condition notOnOrAfter is not valid");
        }
        validateAudienceRestrictions(conditions.getAudienceRestrictions(), extendedSAMLMessageContext.getLocalEntityId());
    }

    protected void validateAudienceRestrictions(List<AudienceRestriction> list, String str) {
        if (list == null || list.size() == 0) {
            throw new SamlException("Audience restrictions cannot be null or empty");
        }
        if (!matchAudienceRestriction(list, str)) {
            throw new SamlException("Assertion audience does not match SP configuration");
        }
    }

    protected void validateAuthenticationStatements(List<AuthnStatement> list, ExtendedSAMLMessageContext extendedSAMLMessageContext) {
        for (AuthnStatement authnStatement : list) {
            if (!isAuthnInstantValid(authnStatement.getAuthnInstant())) {
                throw new SamlException("Authentication issue instant is too old or in the future");
            }
            if (authnStatement.getSessionNotOnOrAfter() != null && authnStatement.getSessionNotOnOrAfter().isBeforeNow()) {
                throw new SamlException("Authentication session between IDP and subject has ended");
            }
        }
    }

    protected void validateAssertionSignature(Signature signature, ExtendedSAMLMessageContext extendedSAMLMessageContext, SignatureTrustEngine signatureTrustEngine) {
        if (signature != null) {
            validateSignature(signature, extendedSAMLMessageContext.getPeerEntityMetadata().getEntityID(), signatureTrustEngine);
        } else if (extendedSAMLMessageContext.getLocalEntityRoleMetadata().getWantAssertionsSigned().booleanValue() && !extendedSAMLMessageContext.isInboundSAMLMessageAuthenticated()) {
            throw new SamlException("Assertion or response must be signed");
        }
    }

    protected void validateSignature(Signature signature, String str, SignatureTrustEngine signatureTrustEngine) {
        try {
            new SAMLSignatureProfileValidator().validate(signature);
            CriteriaSet criteriaSet = new CriteriaSet();
            criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
            criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, "urn:oasis:names:tc:SAML:2.0:protocol"));
            criteriaSet.add(new EntityIDCriteria(str));
            try {
                if (!signatureTrustEngine.validate(signature, criteriaSet)) {
                    throw new SamlException("Signature is not trusted");
                }
            } catch (SecurityException e) {
                throw new SamlException("An error occured during signature validation", e);
            }
        } catch (ValidationException e2) {
            throw new SamlException("SAMLSignatureProfileValidator failed to validate signature", e2);
        }
    }

    private boolean matchAudienceRestriction(List<AudienceRestriction> list, String str) {
        for (AudienceRestriction audienceRestriction : list) {
            if (audienceRestriction.getAudiences() != null) {
                Iterator it = audienceRestriction.getAudiences().iterator();
                while (it.hasNext()) {
                    if (str.equals(((Audience) it.next()).getAudienceURI())) {
                        return true;
                    }
                }
            }
        }
        return false;
    }

    private boolean isDateValid(DateTime dateTime, int i) {
        long currentTimeMillis = System.currentTimeMillis();
        return dateTime.isBefore(currentTimeMillis + ((long) (this.acceptedSkew * 1000))) && dateTime.isAfter(currentTimeMillis - ((long) ((this.acceptedSkew + i) * 1000)));
    }

    private boolean isIssueInstantValid(DateTime dateTime) {
        return isDateValid(dateTime, 0);
    }

    private boolean isAuthnInstantValid(DateTime dateTime) {
        return isDateValid(dateTime, this.maximumAuthenticationLifetime);
    }

    public void setAcceptedSkew(int i) {
        this.acceptedSkew = i;
    }

    public void setMaximumAuthenticationLifetime(int i) {
        this.maximumAuthenticationLifetime = i;
    }
}
