package org.apache.cxf.rs.security.saml.sso;

import java.util.Iterator;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.callback.CallbackHandler;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.saml.SAMLKeyInfo;
import org.apache.ws.security.saml.SAMLUtil;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.validate.Credential;
import org.apache.ws.security.validate.SamlAssertionValidator;
import org.apache.ws.security.validate.SignatureTrustValidator;
import org.apache.ws.security.validate.Validator;
import org.opensaml.Configuration;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Document;

/* loaded from: input_file:org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.class */
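/**
 * Validates a SAML protocol {@code Response} (SAML 2.0 or SAML 1.1) before any of the
 * assertions it carries are trusted.
 *
 * <p>The checks run in this order: the response status code must be the "Success" value;
 * the response must pass the OpenSAML core schema validator; the response signature is
 * verified when one is present; and each enclosed assertion is verified (its own signature
 * when signed, then the configured assertion validator). Every failure surfaces as a
 * {@link WSSecurityException} with the generic {@code invalidSAMLsecurity} key, while the
 * concrete cause is only logged at {@code FINE} — the remote party learns nothing about
 * which check failed.
 *
 * <p>NOTE(review): a response that carries no {@code ds:Signature} is not rejected here;
 * in that case only the assertions are signature-checked. Confirm that the caller enforces
 * a signed-response policy where the deployment needs one.
 */
public class SAMLProtocolResponseValidator {
    /** SAML 2.0 top-level status code URI that denotes success. */
    public static final String SAML2_STATUSCODE_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
    /** Local part of the SAML 1.1 status code QName that denotes success. */
    public static final String SAML1_STATUSCODE_SUCCESS = "Success";
    private static final Logger LOG = LogUtils.getL7dLogger(SAMLProtocolResponseValidator.class);
    // Single, deliberately non-specific failure key used for every rejection.
    private static final String INVALID_SAML_SECURITY = "invalidSAMLsecurity";

    // Applied to every assertion after its signature (if any) has been verified.
    private Validator assertionValidator = new SamlAssertionValidator();
    // Decides whether the key/certificate that signed the Response is trusted.
    private Validator signatureValidator = new SignatureTrustValidator();

    /**
     * Validates a SAML 2.0 protocol Response and all assertions it contains.
     *
     * @param response        the unmarshalled SAML 2.0 Response
     * @param crypto          the trust store / key store used for signature trust decisions
     * @param callbackHandler handler consulted by WSS4J for password callbacks
     * @throws WSSecurityException if the status is not Success, the response is not
     *         schema-valid, a signature fails, or an assertion is rejected
     */
    public void validateSamlResponse(Response response, Crypto crypto, CallbackHandler callbackHandler)
        throws WSSecurityException {
        if (response.getStatus() == null || response.getStatus().getStatusCode() == null) {
            LOG.fine("Either the SAML Response Status or StatusCode is null");
            throw invalidSamlSecurity();
        }
        String statusCode = response.getStatus().getStatusCode().getValue();
        if (!SAML2_STATUSCODE_SUCCESS.equals(statusCode)) {
            LOG.fine("SAML Status code of " + statusCode + " does not equal " + SAML2_STATUSCODE_SUCCESS);
            throw invalidSamlSecurity();
        }
        validateResponseAgainstSchemas(response);
        validateResponseSignature(response, crypto, callbackHandler);
        for (Assertion assertion : response.getAssertions()) {
            validateAssertion(new AssertionWrapper(assertion), crypto, callbackHandler,
                              response.getDOM().getOwnerDocument());
        }
    }

    /**
     * Validates a SAML 1.1 protocol Response and all assertions it contains.
     *
     * @param response        the unmarshalled SAML 1.1 Response
     * @param crypto          the trust store / key store used for signature trust decisions
     * @param callbackHandler handler consulted by WSS4J for password callbacks
     * @throws WSSecurityException if the status is not Success, the response is not
     *         schema-valid, a signature fails, or an assertion is rejected
     */
    public void validateSamlResponse(org.opensaml.saml1.core.Response response, Crypto crypto,
                                     CallbackHandler callbackHandler) throws WSSecurityException {
        if (response.getStatus() == null || response.getStatus().getStatusCode() == null
            || response.getStatus().getStatusCode().getValue() == null) {
            LOG.fine("Either the SAML Response Status or StatusCode is null");
            throw invalidSamlSecurity();
        }
        // SAML 1.1 status codes are QNames; only the local part is compared.
        javax.xml.namespace.QName statusCode = response.getStatus().getStatusCode().getValue();
        if (!SAML1_STATUSCODE_SUCCESS.equals(statusCode.getLocalPart())) {
            LOG.fine("SAML Status code of " + statusCode + " does not equal " + SAML1_STATUSCODE_SUCCESS);
            throw invalidSamlSecurity();
        }
        validateResponseAgainstSchemas(response);
        validateResponseSignature(response, crypto, callbackHandler);
        for (org.opensaml.saml1.core.Assertion assertion : response.getAssertions()) {
            validateAssertion(new AssertionWrapper(assertion), crypto, callbackHandler,
                              response.getDOM().getOwnerDocument());
        }
    }

    /**
     * Runs the OpenSAML SAML 2.0 core schema validator over the response.
     *
     * @throws WSSecurityException if the response is not schema-valid
     */
    private void validateResponseAgainstSchemas(Response response) throws WSSecurityException {
        try {
            Configuration.getValidatorSuite("saml2-core-schema-validator").validate(response);
        } catch (ValidationException e) {
            LOG.log(Level.FINE, "Saml Validation error: " + e.getMessage(), e);
            throw invalidSamlSecurity();
        }
    }

    /**
     * Runs the OpenSAML SAML 1.1 core schema validator over the response.
     *
     * @throws WSSecurityException if the response is not schema-valid
     */
    private void validateResponseAgainstSchemas(org.opensaml.saml1.core.Response response)
        throws WSSecurityException {
        try {
            Configuration.getValidatorSuite("saml1-core-schema-validator").validate(response);
        } catch (ValidationException e) {
            LOG.log(Level.FINE, "Saml Validation error: " + e.getMessage(), e);
            throw invalidSamlSecurity();
        }
    }

    /** Verifies the SAML 2.0 Response signature when the response is signed; otherwise a no-op. */
    private void validateResponseSignature(Response response, Crypto crypto, CallbackHandler callbackHandler)
        throws WSSecurityException {
        if (response.isSigned()) {
            validateResponseSignature(response.getSignature(), response.getDOM().getOwnerDocument(),
                                      crypto, callbackHandler);
        }
    }

    /** Verifies the SAML 1.1 Response signature when the response is signed; otherwise a no-op. */
    private void validateResponseSignature(org.opensaml.saml1.core.Response response, Crypto crypto,
                                           CallbackHandler callbackHandler) throws WSSecurityException {
        if (response.isSigned()) {
            validateResponseSignature(response.getSignature(), response.getDOM().getOwnerDocument(),
                                      crypto, callbackHandler);
        }
    }

    /**
     * Verifies a Response-level signature: resolves the signing key from the signature's
     * KeyInfo, checks the signature cryptographically, then asks the configured
     * {@code signatureValidator} whether that key is trusted.
     *
     * <p>The key material comes from the message's own KeyInfo, so the cryptographic check
     * alone only proves self-consistency; the trust step against {@code crypto} is what ties
     * the signature to a known issuer.
     *
     * @throws WSSecurityException if KeyInfo is absent or unresolvable, the signature does not
     *         verify, or the signing key is not trusted
     */
    private void validateResponseSignature(Signature signature, Document document, Crypto crypto,
                                           CallbackHandler callbackHandler) throws WSSecurityException {
        RequestData requestData = newRequestData(crypto, callbackHandler);

        // Fail closed: without a KeyInfo there is nothing to resolve the signing key from
        // (the original code would have hit a NullPointerException on getKeyInfo().getDOM()).
        if (signature.getKeyInfo() == null) {
            LOG.fine("No KeyInfo supplied in the SAMLResponse signature");
            throw invalidSamlSecurity();
        }

        SAMLKeyInfo samlKeyInfo;
        try {
            samlKeyInfo = SAMLUtil.getCredentialFromKeyInfo(signature.getKeyInfo().getDOM(), requestData,
                                                            new WSDocInfo(document),
                                                            requestData.getWssConfig().isWsiBSPCompliant());
        } catch (WSSecurityException e) {
            // Propagated unchanged, as before; only KeyInfo resolution is logged under this message.
            LOG.log(Level.FINE, "Error in getting KeyInfo from SAML Response: " + e.getMessage(), e);
            throw e;
        }
        if (samlKeyInfo == null) {
            LOG.fine("No KeyInfo supplied in the SAMLResponse signature");
            throw invalidSamlSecurity();
        }

        validateSignatureAgainstProfiles(signature, samlKeyInfo);

        Credential credential = new Credential();
        credential.setPublicKey(samlKeyInfo.getPublicKey());
        credential.setCertificates(samlKeyInfo.getCerts());
        try {
            signatureValidator.validate(credential, requestData);
        } catch (WSSecurityException e) {
            LOG.log(Level.FINE, "Error in validating signature on SAML Response: " + e.getMessage(), e);
            throw invalidSamlSecurity();
        }
    }

    /**
     * Checks the signature against the SAML signature profile and then verifies it with the
     * key material resolved from KeyInfo (first certificate if present, else the bare public key).
     *
     * @throws WSSecurityException if the profile check or the cryptographic verification fails,
     *         or if neither a certificate nor a public key is available
     */
    private void validateSignatureAgainstProfiles(Signature signature, SAMLKeyInfo samlKeyInfo)
        throws WSSecurityException {
        try {
            // Reject structurally non-conforming signatures before any key material is used.
            new SAMLSignatureProfileValidator().validate(signature);

            BasicX509Credential verificationCredential = new BasicX509Credential();
            if (samlKeyInfo.getCerts() != null && samlKeyInfo.getCerts().length > 0) {
                verificationCredential.setEntityCertificate(samlKeyInfo.getCerts()[0]);
            } else if (samlKeyInfo.getPublicKey() != null) {
                verificationCredential.setPublicKey(samlKeyInfo.getPublicKey());
            } else {
                // Also covers an empty certificate array, which previously raised
                // ArrayIndexOutOfBoundsException instead of a clean rejection.
                LOG.fine("Can't get X509Certificate or PublicKey to verify signature");
                throw invalidSamlSecurity();
            }

            new SignatureValidator(verificationCredential).validate(signature);
        } catch (ValidationException e) {
            LOG.log(Level.FINE, "Error in validating the SAML Signature: " + e.getMessage(), e);
            throw invalidSamlSecurity();
        }
    }

    /**
     * Validates one assertion: verifies its signature when it is signed, then hands it to the
     * configured {@code assertionValidator}.
     *
     * <p>NOTE(review): an unsigned assertion skips the signature step and is judged solely by
     * {@code assertionValidator}; confirm that validator (or the caller) rejects unsigned
     * assertions when the response itself was unsigned.
     *
     * @throws WSSecurityException if signature verification or assertion validation fails
     */
    private void validateAssertion(AssertionWrapper assertionWrapper, Crypto crypto,
                                   CallbackHandler callbackHandler, Document document)
        throws WSSecurityException {
        RequestData requestData = newRequestData(crypto, callbackHandler);

        if (assertionWrapper.isSigned()) {
            // Register the assertion's identifier as an XML ID attribute so the signature's
            // reference to it can be resolved during verification.
            if (assertionWrapper.getSaml1() != null) {
                assertionWrapper.getSaml1().getDOM().setIdAttributeNS(null, "AssertionID", true);
            } else {
                assertionWrapper.getSaml2().getDOM().setIdAttributeNS(null, "ID", true);
            }
            try {
                assertionWrapper.verifySignature(requestData, new WSDocInfo(document));
            } catch (WSSecurityException e) {
                // The logger records the stack trace; no printStackTrace() to stderr.
                LOG.log(Level.FINE, "Assertion failed signature validation", e);
                throw invalidSamlSecurity();
            }
        }

        Credential credential = new Credential();
        credential.setAssertion(assertionWrapper);
        try {
            assertionValidator.validate(credential, requestData);
        } catch (WSSecurityException e) {
            LOG.log(Level.FINE, "Assertion validation failed: " + e.getMessage(), e);
            throw invalidSamlSecurity();
        }
    }

    /** Builds the WSS4J request context shared by the signature and assertion checks. */
    private static RequestData newRequestData(Crypto crypto, CallbackHandler callbackHandler) {
        RequestData requestData = new RequestData();
        requestData.setSigCrypto(crypto);
        requestData.setWssConfig(WSSConfig.getNewInstance());
        requestData.setCallbackHandler(callbackHandler);
        return requestData;
    }

    /** The one exception every rejection raises; details stay in the FINE log only. */
    private static WSSecurityException invalidSamlSecurity() {
        return new WSSecurityException(WSSecurityException.FAILURE, INVALID_SAML_SECURITY);
    }
}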
