package ddf.security.samlp.impl;

import ddf.security.samlp.SamlProtocol;
import ddf.security.samlp.SimpleSign;
import ddf.security.samlp.ValidationException;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URLEncoder;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import javax.validation.constraints.NotNull;
import org.apache.commons.lang.StringUtils;
import org.codice.ddf.security.common.HttpUtils;
import org.joda.time.DateTime;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.LogoutResponse;
import org.opensaml.xmlsec.signature.SignableXMLObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:ddf-security-common-2.9.1.jar:ddf/security/samlp/impl/SamlValidator.class */
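/**
 * Validates an incoming SAML 2.0 single-logout message ({@link LogoutRequest} or
 * {@link LogoutResponse}) received over the HTTP-POST or HTTP-Redirect binding.
 *
 * <p>Instances are obtained from {@link Builder}. {@link #validate()} runs the checks in a fixed
 * order: issue-instant window, SAML version, InResponseTo id, required fields, destination, and
 * finally the binding-specific signature check. Every failed check surfaces as a
 * {@link ValidationException}; nothing here returns a boolean "valid" flag.
 */
public abstract class SamlValidator {
    private static final Logger LOGGER = LoggerFactory.getLogger(SamlValidator.class);

    /** Message, binding, redirect parameters and time limits this validator checks against. */
    protected final Builder builder;

    /**
     * Collects the message plus the parameters the checks need and picks the concrete validator
     * for the binding. Not thread-safe; use one builder per message.
     */
    public static class Builder {
        protected SimpleSign simpleSign;
        protected SamlProtocol.Binding binding;
        protected boolean isRequest;
        protected XMLObject xmlObject;
        // Maximum age of a message's IssueInstant before it is rejected (see checkTimestamp).
        protected Duration timeout = Duration.ofMinutes(10);
        // Tolerance applied on both sides of the IssueInstant window for clock drift between peers.
        protected Duration clockSkew = Duration.ofSeconds(30);
        protected String requestId;
        protected String destination;
        protected String relayState;
        protected String signature;
        protected String sigAlgo;
        protected String samlString;
        protected String signingCertificate;

        /**
         * @param simpleSign signature helper used for both the POST (XML signature) and the
         *     Redirect (query-string signature) checks
         */
        public Builder(SimpleSign simpleSign) {
            this.simpleSign = simpleSign;
        }

        /**
         * Builds the validator for the given message and runs {@link SamlValidator#validate()}.
         *
         * @param destination this service's own endpoint URL, compared with the message's
         *     {@code Destination} attribute when that attribute is present
         * @param binding binding the message arrived over
         * @param xmlObject the unmarshalled {@link LogoutRequest} or {@link LogoutResponse}
         * @throws IllegalArgumentException if a required argument is missing or the object is
         *     neither a LogoutRequest nor a LogoutResponse
         * @throws UnsupportedOperationException for an unsupported binding, or for a Redirect
         *     binding whose signature parameters were not supplied via {@link #setRedirectParams}
         * @throws ValidationException if any validation check fails
         */
        public void buildAndValidate(@NotNull String destination, @NotNull SamlProtocol.Binding binding, @NotNull SignableXMLObject xmlObject) throws IllegalStateException, ValidationException {
            build(destination, binding, xmlObject).validate();
        }

        /**
         * Selects and constructs the validator matching the message type and binding.
         *
         * @param destination this service's own endpoint URL (must not be blank)
         * @param binding binding the message arrived over (must not be null)
         * @param xmlObject the unmarshalled {@link LogoutRequest} or {@link LogoutResponse}
         * @return a validator whose {@link SamlValidator#validate()} has not yet been run
         * @throws IllegalArgumentException if a required argument is missing or the object is
         *     neither a LogoutRequest nor a LogoutResponse
         * @throws UnsupportedOperationException for an unsupported binding, or for a Redirect
         *     binding whose signature, algorithm, raw message or certificate is blank
         */
        public SamlValidator build(@NotNull String destination, @NotNull SamlProtocol.Binding binding, @NotNull SignableXMLObject xmlObject) throws IllegalStateException, ValidationException {
            if (binding == null) {
                throw new IllegalArgumentException("Binding cannot be null!");
            }
            this.binding = binding;
            if (StringUtils.isBlank(destination)) {
                throw new IllegalArgumentException("The service destination cannot be null");
            }
            this.destination = destination;
            if (xmlObject instanceof LogoutRequest) {
                this.isRequest = true;
                LOGGER.trace("xmlObject is a LogoutRequest [{}]", xmlObject);
            } else if (xmlObject instanceof LogoutResponse) {
                this.isRequest = false;
                LOGGER.trace("xmlObject is a LogoutResponse [{}]", xmlObject);
            } else {
                throw new IllegalArgumentException("Could not determine type of xmlObject");
            }
            this.xmlObject = xmlObject;

            if (binding == SamlProtocol.Binding.HTTP_POST) {
                return this.isRequest ? new PostRequest(this) : new PostResponse(this);
            }
            if (binding != SamlProtocol.Binding.HTTP_REDIRECT) {
                throw new UnsupportedOperationException("Binding not supported.");
            }
            // The Redirect binding carries its signature in query parameters, so all of them must
            // have been supplied up front; RelayState is optional and is deliberately not required.
            if (StringUtils.isBlank(this.signature)
                    || StringUtils.isBlank(this.sigAlgo)
                    || StringUtils.isBlank(this.samlString)
                    || StringUtils.isBlank(this.signingCertificate)) {
                throw new UnsupportedOperationException("Cannot validate object with blank data");
            }
            return this.isRequest ? new RedirectRequest(this) : new RedirectResponse(this);
        }

        /**
         * Supplies the HTTP-Redirect query parameters needed to re-create and verify the signed
         * string.
         *
         * @param relayState the {@code RelayState} parameter, or {@code null} if absent
         * @param signature the {@code Signature} parameter
         * @param sigAlgo the {@code SigAlg} parameter
         * @param samlString the raw (deflated, base64) {@code SAMLRequest}/{@code SAMLResponse}
         *     value
         * @param signingCertificate certificate expected to have produced the signature
         * @return this builder
         */
        public Builder setRedirectParams(String relayState, String signature, String sigAlgo, String samlString, String signingCertificate) {
            this.relayState = relayState;
            this.signature = signature;
            this.sigAlgo = sigAlgo;
            this.samlString = samlString;
            this.signingCertificate = signingCertificate;
            return this;
        }

        /**
         * Sets the id of the LogoutRequest a LogoutResponse is expected to answer. When unset,
         * the response's {@code InResponseTo} is not checked at all (see {@link Response#checkId}).
         *
         * @throws IllegalArgumentException if the id is blank
         */
        public Builder setRequestId(@NotNull String requestId) {
            if (StringUtils.isBlank(requestId)) {
                throw new IllegalArgumentException("Logout Request Id cannot be blank!");
            }
            this.requestId = requestId;
            return this;
        }

        /**
         * Sets how old a message's IssueInstant may be before it is rejected (default 10 minutes).
         *
         * @throws IllegalArgumentException if the duration is null
         */
        public Builder setTimeout(@NotNull Duration timeout) {
            if (timeout == null) {
                throw new IllegalArgumentException("Timeout cannot be null!");
            }
            this.timeout = timeout;
            return this;
        }

        /**
         * Sets the clock-drift tolerance applied to the IssueInstant window (default 30 seconds).
         *
         * @throws IllegalArgumentException if the duration is null
         */
        public Builder setClockSkew(@NotNull Duration clockSkew) {
            if (clockSkew == null) {
                throw new IllegalArgumentException("clockSkew cannot be null!");
            }
            this.clockSkew = clockSkew;
            return this;
        }
    }

    /** LogoutRequest received over HTTP-POST; the signature, if any, is an enveloped XML signature. */
    public static class PostRequest extends Request {
        // Same object as Request.logoutRequest; retained so code referencing this field keeps compiling.
        protected final LogoutRequest logoutRequest;

        private PostRequest(Builder builder) {
            super(builder);
            this.logoutRequest = (LogoutRequest) builder.xmlObject;
        }

        @Override // ddf.security.samlp.impl.SamlValidator
        protected void additionalValidation() throws ValidationException {
            checkPostSignature(this.logoutRequest);
        }
    }

    /** LogoutResponse received over HTTP-POST; the signature, if any, is an enveloped XML signature. */
    public static class PostResponse extends Response {
        // Same object as Response.logoutResponse; retained so code referencing this field keeps compiling.
        protected final LogoutResponse logoutResponse;

        private PostResponse(Builder builder) {
            super(builder);
            this.logoutResponse = (LogoutResponse) builder.xmlObject;
        }

        @Override // ddf.security.samlp.impl.SamlValidator
        protected void additionalValidation() throws ValidationException {
            checkPostSignature(this.logoutResponse);
        }
    }

    /** LogoutRequest received over HTTP-Redirect; the signature covers the query string. */
    public static class RedirectRequest extends Request {
        // Same object as Request.logoutRequest; retained so code referencing this field keeps compiling.
        protected final LogoutRequest logoutRequest;

        private RedirectRequest(Builder builder) {
            super(builder);
            this.logoutRequest = (LogoutRequest) builder.xmlObject;
        }

        @Override // ddf.security.samlp.impl.SamlValidator
        protected void additionalValidation() throws ValidationException {
            checkRedirectSignature("SAMLRequest");
        }
    }

    /** LogoutResponse received over HTTP-Redirect; the signature covers the query string. */
    public static class RedirectResponse extends Response {
        // Same object as Response.logoutResponse; retained so code referencing this field keeps compiling.
        protected final LogoutResponse logoutResponse;

        private RedirectResponse(Builder builder) {
            super(builder);
            this.logoutResponse = (LogoutResponse) builder.xmlObject;
        }

        @Override // ddf.security.samlp.impl.SamlValidator
        protected void additionalValidation() throws ValidationException {
            checkRedirectSignature("SAMLResponse");
        }
    }

    /** Checks common to LogoutRequests regardless of binding. */
    public static abstract class Request extends SamlValidator {
        protected final LogoutRequest logoutRequest;

        private Request(Builder builder) {
            super(builder);
            this.logoutRequest = (LogoutRequest) builder.xmlObject;
        }

        @Override // ddf.security.samlp.impl.SamlValidator
        protected SAMLVersion getSamlVersion() {
            return this.logoutRequest.getVersion();
        }

        @Override // ddf.security.samlp.impl.SamlValidator
        protected DateTime getIssueInstant() {
            return this.logoutRequest.getIssueInstant();
        }

        /** Requires a non-blank message ID. */
        @Override // ddf.security.samlp.impl.SamlValidator
        protected void checkRequiredFields() throws ValidationException {
            if (StringUtils.isBlank(this.logoutRequest.getID())) {
                throw new ValidationException("ID cannot be blank!");
            }
        }

        /**
         * If the request names a Destination, it must equal this service's endpoint once its
         * query string is stripped. A request without a Destination attribute is accepted.
         */
        @Override // ddf.security.samlp.impl.SamlValidator
        protected void checkDestination() throws ValidationException {
            String declared = this.logoutRequest.getDestination();
            if (StringUtils.isBlank(declared)) {
                return;
            }
            try {
                if (!this.builder.destination.equals(HttpUtils.validateAndStripQueryString(declared))) {
                    throw new ValidationException("Destination validation failed");
                }
            } catch (MalformedURLException e) {
                throw new ValidationException(String.format("Destination [%s]is not a valid URL", declared), e);
            }
        }
    }

    /** Checks common to LogoutResponses regardless of binding. */
    public static abstract class Response extends SamlValidator {
        protected final LogoutResponse logoutResponse;

        private Response(Builder builder) {
            super(builder);
            this.logoutResponse = (LogoutResponse) builder.xmlObject;
        }

        @Override // ddf.security.samlp.impl.SamlValidator
        protected SAMLVersion getSamlVersion() {
            return this.logoutResponse.getVersion();
        }

        @Override // ddf.security.samlp.impl.SamlValidator
        protected DateTime getIssueInstant() {
            return this.logoutResponse.getIssueInstant();
        }

        /** Requires a non-blank message ID. */
        @Override // ddf.security.samlp.impl.SamlValidator
        protected void checkRequiredFields() throws ValidationException {
            if (StringUtils.isBlank(this.logoutResponse.getID())) {
                throw new ValidationException("ID cannot be blank!");
            }
        }

        /**
         * If the response names a Destination, it must equal this service's endpoint once its
         * query string is stripped. A response without a Destination attribute is accepted.
         */
        @Override // ddf.security.samlp.impl.SamlValidator
        protected void checkDestination() throws ValidationException {
            String declared = this.logoutResponse.getDestination();
            if (StringUtils.isBlank(declared)) {
                return;
            }
            try {
                if (!this.builder.destination.equals(HttpUtils.validateAndStripQueryString(declared))) {
                    throw new ValidationException("Destination validation failed");
                }
            } catch (MalformedURLException e) {
                throw new ValidationException("Invalid Destination URL", e);
            }
        }

        /**
         * Binds the response to the request it answers: when the builder was given a request id,
         * the response's {@code InResponseTo} must equal it. With no request id configured this
         * check is skipped, so callers that need replay/correlation protection must set one.
         */
        @Override // ddf.security.samlp.impl.SamlValidator
        protected void checkId() throws ValidationException {
            String expected = this.builder.requestId;
            if (StringUtils.isNotBlank(expected) && !expected.equals(this.logoutResponse.getInResponseTo())) {
                throw new ValidationException("The InResponseTo value did not match the Logout Request Id");
            }
        }
    }

    private SamlValidator(Builder builder) {
        this.builder = builder;
    }

    /**
     * Runs every check in order; the first failure aborts with a {@link ValidationException}.
     *
     * @throws ValidationException if any check fails
     */
    public final void validate() throws ValidationException {
        checkTimestamp();
        checkSamlVersion();
        checkId();
        checkRequiredFields();
        checkDestination();
        additionalValidation();
    }

    /**
     * Rejects messages whose IssueInstant is missing, lies in the future beyond the clock skew,
     * or is older than {@code timeout} (again allowing the clock skew).
     *
     * @throws ValidationException if the IssueInstant is absent or outside the accepted window
     */
    protected void checkTimestamp() throws ValidationException {
        DateTime issueInstant = getIssueInstant();
        if (issueInstant == null) {
            throw new ValidationException("Issue Instant cannot be null!");
        }
        Instant issued = Instant.ofEpochMilli(issueInstant.getMillis());
        Instant now = Instant.now();
        Duration skew = this.builder.clockSkew;
        // Accept instants up to `skew` ahead of our clock; anything later is a future-dated message.
        if (issued.minus(skew).isAfter(now)) {
            throw new ValidationException("Issue Instant cannot be in the future");
        }
        // Oldest acceptable instant is now - timeout, relaxed by `skew` in the message's favour.
        if (issued.plus(skew).isBefore(now.minus(this.builder.timeout))) {
            throw new ValidationException("Issue Instant was outside valid time range");
        }
    }

    /**
     * Requires the message to declare SAML version 2.0.
     *
     * @throws ValidationException if the version is absent or not 2.0
     */
    protected void checkSamlVersion() throws ValidationException {
        SAMLVersion samlVersion = getSamlVersion();
        if (samlVersion == null) {
            throw new ValidationException("SAML Version cannot be null!");
        }
        if (!SAMLVersion.VERSION_20.equals(samlVersion)) {
            throw new ValidationException("Invalid SAML Version!");
        }
    }

    /** Message-type-specific mandatory attributes. */
    protected abstract void checkRequiredFields() throws ValidationException;

    /** Compares the message's Destination, if present, with this service's endpoint. */
    protected abstract void checkDestination() throws ValidationException;

    /** Binding-specific signature verification, run last. */
    protected abstract void additionalValidation() throws ValidationException;

    /** Request/response correlation; a no-op unless a subclass overrides it. */
    protected void checkId() throws ValidationException {
    }

    protected abstract DateTime getIssueInstant();

    protected abstract SAMLVersion getSamlVersion();

    /**
     * Verifies the enveloped XML signature of a POST-bound message against the trusted
     * certificates known to {@link SimpleSign}.
     *
     * <p>NOTE(review): a message that carries no {@code Signature} element is accepted here
     * without any signature check. SAML 2.0 profiles require logout messages over HTTP-POST and
     * HTTP-Redirect to be signed, so a deployment that relies on this validator alone would accept
     * unauthenticated logout messages; confirm signing is enforced by the caller or make the
     * missing-signature case a {@link ValidationException}.
     *
     * @param signableSAMLObject the unmarshalled message whose signature is checked
     * @throws ValidationException if the message has no backing DOM or the signature is invalid
     *     or untrusted
     */
    void checkPostSignature(SignableSAMLObject signableSAMLObject) throws ValidationException {
        if (signableSAMLObject.getSignature() == null) {
            return;
        }
        // validateSignature canonicalises the original DOM; an object built in memory has none,
        // and the original NPE there is turned into an explicit rejection.
        if (signableSAMLObject.getDOM() == null) {
            throw new ValidationException("Cannot validate signature: message has no backing DOM");
        }
        try {
            this.builder.simpleSign.validateSignature(signableSAMLObject.getSignature(), signableSAMLObject.getDOM().getOwnerDocument());
        } catch (SimpleSign.SignatureException e) {
            throw new ValidationException("Invalid or untrusted signature.", e);
        }
    }

    /**
     * Verifies the HTTP-Redirect query-string signature by re-creating the exact string the sender
     * signed and checking it against {@code Signature} with the configured certificate.
     *
     * @param samlParamName {@code "SAMLRequest"} or {@code "SAMLResponse"}, whichever parameter
     *     carried the message
     * @throws ValidationException if the signature does not verify or cannot be checked
     */
    void checkRedirectSignature(String samlParamName) throws ValidationException {
        try {
            String signedContent = buildRedirectSignedContent(samlParamName);
            if (!this.builder.simpleSign.validateSignature(signedContent, this.builder.signature, this.builder.signingCertificate)) {
                throw new ValidationException("Signature verification failed for redirect binding.");
            }
        } catch (SimpleSign.SignatureException | UnsupportedEncodingException e) {
            throw new ValidationException("Signature validation failed.", e);
        }
    }

    /**
     * Re-creates the signed query-string fragment of the HTTP-Redirect binding:
     * {@code <param>=<msg>&RelayState=<rs>&SigAlg=<alg>}, with the RelayState part omitted when
     * no RelayState was supplied. Formatting a null RelayState would sign the literal text
     * "RelayState=null" and reject every valid message sent without one.
     *
     * <p>The message and algorithm values are URL-encoded here; RelayState is appended exactly as
     * given. NOTE(review): that presumes the caller hands RelayState over still in its encoded
     * form from the query string — confirm against the caller.
     */
    private String buildRedirectSignedContent(String samlParamName) throws UnsupportedEncodingException {
        String encodedMessage = URLEncoder.encode(this.builder.samlString, "UTF-8");
        String encodedAlgorithm = URLEncoder.encode(this.builder.sigAlgo, "UTF-8");
        if (this.builder.relayState == null) {
            return String.format("%s=%s&SigAlg=%s", samlParamName, encodedMessage, encodedAlgorithm);
        }
        return String.format("%s=%s&RelayState=%s&SigAlg=%s", samlParamName, encodedMessage, this.builder.relayState, encodedAlgorithm);
    }
}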
