package com.linecorp.armeria.server.saml;

import com.linecorp.armeria.common.AggregatedHttpRequest;
import com.linecorp.armeria.common.HttpResponse;
import com.linecorp.armeria.common.annotation.Nullable;
import com.linecorp.armeria.internal.shaded.guava.collect.ImmutableList;
import com.linecorp.armeria.server.ServiceRequestContext;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import org.joda.time.DateTime;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.common.messaging.context.SAMLBindingContext;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Conditions;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.saml2.core.SubjectConfirmationData;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.security.credential.Credential;
import org.opensaml.xmlsec.encryption.support.DecryptionException;
import org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/linecorp/armeria/server/saml/SamlAssertionConsumerFunction.class */
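/**
 * Serves the assertion consumer service (ACS) endpoint of a SAML service provider.
 *
 * <p>A {@code SAMLResponse} is decoded from either the HTTP-Redirect or the HTTP-POST binding (chosen by
 * the configured endpoint), validated by {@link #getValidatedAssertion(SamlBindingProtocol, Response, String)}
 * and then handed to the {@link SamlSingleSignOnHandler}. Any {@link SamlException} raised while decoding or
 * validating is routed to {@link SamlSingleSignOnHandler#loginFailed}.
 *
 * <p>Validation performed here, in order: response status, {@code IssueInstant} freshness
 * (within {@link #MILLIS_IN_MINUTE} of the local clock), decryption of {@code EncryptedAssertion}s,
 * per-assertion issuer lookup and signature checks, and for the first bearer {@code SubjectConfirmation}
 * the recipient, {@code NotOnOrAfter}, {@code InResponseTo}, {@code Conditions} validity window and
 * {@code AudienceRestriction}.
 *
 * <p>This listing is decompiler output; the original constructor is package-private.
 */
public final class SamlAssertionConsumerFunction implements SamlServiceFunction {
    /** Maximum tolerated distance between the local clock and the response's {@code IssueInstant}. */
    private static final long MILLIS_IN_MINUTE = TimeUnit.MINUTES.toMillis(1L);

    private static final String STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
    private static final String CONFIRMATION_METHOD_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer";

    private final SamlAssertionConsumerConfig cfg;
    // The service provider's own entity ID; an assertion is accepted only if one of its audiences equals it.
    private final String entityId;
    // Identity providers keyed by their entity ID (the Issuer value of a response or assertion).
    private final Map<String, SamlIdentityProviderConfig> idpConfigs;

    // Used only for decrypting assertions when the Response carries no Issuer element.
    @Nullable
    private final SamlIdentityProviderConfig defaultIdpConfig;
    private final SamlRequestIdManager requestIdManager;
    private final SamlSingleSignOnHandler ssoHandler;
    // Forwarded to SamlMessageUtil.validateSignature(); its exact semantics live there.
    private final boolean signatureRequired;

    /**
     * Creates a new function.
     *
     * @param samlAssertionConsumerConfig the ACS endpoint configuration
     * @param str the service provider's entity ID
     * @param map the identity providers keyed by entity ID
     * @param samlIdentityProviderConfig the identity provider to use when a response has no {@code Issuer},
     *                                   or {@code null}
     * @param samlRequestIdManager validates the {@code InResponseTo} of a bearer subject confirmation
     * @param samlSingleSignOnHandler receives the outcome of the login
     * @param z whether a signature is required (see {@code SamlMessageUtil.validateSignature})
     */
    public SamlAssertionConsumerFunction(SamlAssertionConsumerConfig samlAssertionConsumerConfig, String str,
                                         Map<String, SamlIdentityProviderConfig> map,
                                         @Nullable SamlIdentityProviderConfig samlIdentityProviderConfig,
                                         SamlRequestIdManager samlRequestIdManager,
                                         SamlSingleSignOnHandler samlSingleSignOnHandler, boolean z) {
        cfg = samlAssertionConsumerConfig;
        entityId = str;
        idpConfigs = map;
        defaultIdpConfig = samlIdentityProviderConfig;
        requestIdManager = samlRequestIdManager;
        ssoHandler = samlSingleSignOnHandler;
        signatureRequired = z;
    }

    /**
     * Decodes, validates and consumes a {@code SAMLResponse}.
     *
     * @param serviceRequestContext the current request context
     * @param aggregatedHttpRequest the aggregated HTTP request carrying the {@code SAMLResponse}
     * @param str passed as the second argument of {@code endpoint().toUriString(scheme, ..., port)};
     *            presumably the host name used to build the expected recipient URI
     * @param samlPortConfig supplies the scheme and port of the expected recipient URI
     * @return the response produced by the SSO handler for either a successful or a failed login
     */
    @Override // com.linecorp.armeria.server.saml.SamlServiceFunction
    public HttpResponse serve(ServiceRequestContext serviceRequestContext, AggregatedHttpRequest aggregatedHttpRequest,
                              String str, SamlPortConfig samlPortConfig) {
        try {
            final SamlBindingProtocol bindingProtocol = cfg.endpoint().bindingProtocol();
            // The redirect-binding decoder is handed the IdP configs and signatureRequired, so the response
            // signature is presumably verified while decoding; getValidatedAssertion() accordingly skips the
            // response-level signature check for that binding and only checks it for HTTP-POST.
            final MessageContext<Response> messageContext =
                    bindingProtocol == SamlBindingProtocol.HTTP_REDIRECT
                    ? HttpRedirectBindingUtil.toSamlObject(aggregatedHttpRequest, "SAMLResponse",
                                                           idpConfigs, defaultIdpConfig, signatureRequired)
                    : HttpPostBindingUtil.toSamlObject(aggregatedHttpRequest, "SAMLResponse");
            // The URI this endpoint is reachable at; a bearer confirmation's Recipient must equal it.
            final String recipient = cfg.endpoint().toUriString(samlPortConfig.scheme().uriText(), str,
                                                                samlPortConfig.port());
            final Response response = messageContext.getMessage();
            assert response != null;

            final Assertion assertion = getValidatedAssertion(bindingProtocol, response, recipient);
            // First non-null SessionIndex among the AuthnStatements, or null when none carries one.
            final String sessionIndex = assertion.getAuthnStatements().stream()
                                                 .map(stmt -> stmt.getSessionIndex())
                                                 .filter(Objects::nonNull)
                                                 .findFirst()
                                                 .orElse(null);
            final SAMLBindingContext bindingContext = messageContext.getSubcontext(SAMLBindingContext.class);
            final String relayState = bindingContext != null ? bindingContext.getRelayState() : null;
            return ssoHandler.loginSucceeded(serviceRequestContext, aggregatedHttpRequest, messageContext,
                                             sessionIndex, relayState);
        } catch (SamlException e) {
            return ssoHandler.loginFailed(serviceRequestContext, aggregatedHttpRequest, null, e);
        }
    }

    /**
     * Looks up the identity provider whose entity ID equals the given {@code Issuer} value.
     *
     * @throws InvalidSamlRequestException if the issuer has no value or is not a configured identity provider
     */
    private SamlIdentityProviderConfig resolveIdpConfig(Issuer issuer) {
        final String issuerValue = issuer.getValue();
        final SamlIdentityProviderConfig config = issuerValue != null ? idpConfigs.get(issuerValue) : null;
        if (config == null) {
            throw new InvalidSamlRequestException(
                    "failed to find identity provider from configuration: " + issuerValue);
        }
        return config;
    }

    /**
     * Validates the response and returns the first assertion that passes every check.
     *
     * <p>An assertion is a candidate only if it has at least one {@code AuthnStatement}, a {@code Subject}
     * and a bearer {@code SubjectConfirmation} with {@code SubjectConfirmationData}. The first such
     * confirmation decides the outcome: its checks either all pass (the assertion is returned) or one of
     * them throws. Signatures are verified for every assertion encountered before that point.
     *
     * @param samlBindingProtocol the binding the response arrived on; the response-level signature is checked
     *                            here only for bindings other than HTTP-Redirect
     * @param response the decoded response
     * @param str the URI of this endpoint, which a bearer confirmation's {@code Recipient} must equal
     * @return the validated assertion
     * @throws InvalidSamlRequestException if the response or every candidate assertion fails validation
     * @throws SamlException if an encrypted assertion cannot be attributed to a credential
     */
    private Assertion getValidatedAssertion(SamlBindingProtocol samlBindingProtocol, Response response, String str) {
        final String statusCode = response.getStatus().getStatusCode().getValue();
        if (!STATUS_SUCCESS.equals(statusCode)) {
            throw new InvalidSamlRequestException(
                    "response status code: " + statusCode + " (expected: " + STATUS_SUCCESS + ')');
        }

        // One timestamp for every time-based check so they agree with each other.
        final DateTime now = new DateTime();
        final DateTime issueInstant = response.getIssueInstant();
        if (issueInstant == null) {
            throw new InvalidSamlRequestException("failed to get IssueInstant attribute");
        }
        if (Math.abs(now.getMillis() - issueInstant.getMillis()) > MILLIS_IN_MINUTE) {
            throw new InvalidSamlRequestException("invalid IssueInstant: " + issueInstant + " (now: " + now + ')');
        }

        final List<Assertion> assertions = collectAssertions(response);
        if (assertions.isEmpty()) {
            throw new InvalidSamlRequestException("failed to get Assertion elements from the response");
        }

        for (Assertion assertion : assertions) {
            final Issuer issuer = assertion.getIssuer();
            if (issuer == null || issuer.getValue() == null) {
                throw new InvalidSamlRequestException("failed to get an Issuer element from the assertion");
            }
            final SamlIdentityProviderConfig idpConfig = resolveIdpConfig(issuer);
            // For HTTP-Redirect the response signature is handled by the binding decoder (see serve()).
            if (samlBindingProtocol != SamlBindingProtocol.HTTP_REDIRECT) {
                SamlMessageUtil.validateSignature(idpConfig.signingCredential(), response, signatureRequired);
            }
            SamlMessageUtil.validateSignature(idpConfig.signingCredential(), assertion, signatureRequired);

            if (assertion.getAuthnStatements().isEmpty()) {
                continue;
            }
            final Subject subject = assertion.getSubject();
            if (subject == null) {
                continue;
            }
            for (SubjectConfirmation confirmation : subject.getSubjectConfirmations()) {
                if (!CONFIRMATION_METHOD_BEARER.equals(confirmation.getMethod())) {
                    continue;
                }
                final SubjectConfirmationData confirmationData = confirmation.getSubjectConfirmationData();
                if (confirmationData == null) {
                    continue;
                }
                validateBearerConfirmation(confirmationData, str, now);
                validateConditions(assertion, now);
                return assertion;
            }
        }
        throw new InvalidSamlRequestException("no subject found from the assertions");
    }

    /**
     * Returns the response's assertions, decrypting any {@code EncryptedAssertion}s first.
     *
     * <p>The decryption credential comes from the identity provider named by the response's {@code Issuer},
     * or from {@link #defaultIdpConfig} when the response has no issuer. Decrypted assertions precede the
     * plaintext ones in the returned list.
     *
     * @throws SamlException if there are encrypted assertions but no credential can be chosen
     */
    private List<Assertion> collectAssertions(Response response) {
        final List<EncryptedAssertion> encryptedAssertions = response.getEncryptedAssertions();
        if (encryptedAssertions.isEmpty()) {
            return response.getAssertions();
        }

        final Issuer issuer = response.getIssuer();
        final SamlIdentityProviderConfig idpConfig;
        if (issuer != null) {
            idpConfig = resolveIdpConfig(issuer);
        } else if (defaultIdpConfig != null) {
            idpConfig = defaultIdpConfig;
        } else {
            throw new SamlException("failed to decrypt an assertion because there is no credential");
        }

        final ImmutableList.Builder<Assertion> assertions = ImmutableList.builder();
        for (EncryptedAssertion encrypted : encryptedAssertions) {
            assertions.add(decryptAssertion(encrypted, idpConfig.encryptionCredential()));
        }
        assertions.addAll(response.getAssertions());
        return assertions.build();
    }

    /**
     * Checks the bearer {@code SubjectConfirmationData} against this endpoint and the request ID manager.
     *
     * @param confirmationData the data of a bearer subject confirmation
     * @param recipient the URI of this endpoint
     * @param now the timestamp the whole validation is evaluated against
     * @throws InvalidSamlRequestException if the recipient differs, {@code NotOnOrAfter} is missing or has
     *                                     passed, or {@code InResponseTo} is not a known request ID
     */
    private void validateBearerConfirmation(SubjectConfirmationData confirmationData, String recipient,
                                            DateTime now) {
        if (!recipient.equals(confirmationData.getRecipient())) {
            throw new InvalidSamlRequestException(
                    "recipient is not matched: " + confirmationData.getRecipient());
        }
        final DateTime notOnOrAfter = confirmationData.getNotOnOrAfter();
        // Joda's isAfter(null) silently compares against the current time, which would let a confirmation
        // without NotOnOrAfter pass as "not expired"; the attribute is mandatory for bearer confirmations.
        if (notOnOrAfter == null) {
            throw new InvalidSamlRequestException(
                    "failed to get NotOnOrAfter attribute from the subject confirmation");
        }
        // NotOnOrAfter is exclusive: the confirmation is invalid at exactly that instant as well.
        if (!now.isBefore(notOnOrAfter)) {
            throw new InvalidSamlRequestException("response has been expired: " + notOnOrAfter);
        }
        if (!requestIdManager.validateId(confirmationData.getInResponseTo())) {
            throw new InvalidSamlRequestException(
                    "request ID is not valid: " + confirmationData.getInResponseTo());
        }
    }

    /**
     * Checks the assertion's {@code Conditions}: its validity window (when present) and that one of the
     * {@code AudienceRestriction}s names this service provider.
     *
     * @param assertion the assertion whose conditions are checked
     * @param now the timestamp the whole validation is evaluated against
     * @throws InvalidSamlRequestException if there are no conditions, the validity window excludes
     *                                     {@code now}, or no audience equals {@link #entityId}
     */
    private void validateConditions(Assertion assertion, DateTime now) {
        final Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            throw new InvalidSamlRequestException("no condition found from the assertion");
        }
        // NotBefore gets the same one-minute tolerance as IssueInstant, so an IdP clock slightly ahead of
        // ours does not reject every login; NotOnOrAfter is strict, like the bearer confirmation's.
        final DateTime notBefore = conditions.getNotBefore();
        if (notBefore != null && now.getMillis() + MILLIS_IN_MINUTE < notBefore.getMillis()) {
            throw new InvalidSamlRequestException("assertion is not yet valid: " + notBefore);
        }
        final DateTime notOnOrAfter = conditions.getNotOnOrAfter();
        if (notOnOrAfter != null && !now.isBefore(notOnOrAfter)) {
            throw new InvalidSamlRequestException("assertion has been expired: " + notOnOrAfter);
        }
        final boolean audienceMatched =
                conditions.getAudienceRestrictions().stream()
                          .flatMap(restriction -> restriction.getAudiences().stream())
                          .anyMatch(audience -> entityId.equals(audience.getAudienceURI()));
        if (!audienceMatched) {
            throw new InvalidSamlRequestException("no audience found from the assertion");
        }
    }

    /**
     * Decrypts an {@code EncryptedAssertion} with the given credential.
     *
     * <p>The encrypted key is expected inline in the element ({@link InlineEncryptedKeyResolver}) and is
     * unwrapped with the single given credential ({@link StaticKeyInfoCredentialResolver}).
     *
     * @throws InvalidSamlRequestException if decryption fails; the {@link DecryptionException} is kept as the cause
     */
    private static Assertion decryptAssertion(EncryptedAssertion encryptedAssertion, Credential credential) {
        final Decrypter decrypter = new Decrypter((KeyInfoCredentialResolver) null,
                                                  new StaticKeyInfoCredentialResolver(credential),
                                                  new InlineEncryptedKeyResolver());
        // Place the decrypted element in a DOM document of its own (OpenSAML Decrypter#setRootInNewDocument).
        decrypter.setRootInNewDocument(true);
        try {
            return decrypter.decrypt(encryptedAssertion);
        } catch (DecryptionException e) {
            throw new InvalidSamlRequestException("failed to decrypt an assertion", e);
        }
    }
}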
