package org.wso2.carbon.appmgt.gateway.handlers.security.saml2;

import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.joda.time.DateTime;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.LogoutRequest;
import org.opensaml.saml2.core.LogoutResponse;
import org.opensaml.saml2.core.RequestAbstractType;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusResponseType;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import org.wso2.carbon.appmgt.api.model.AuthenticatedIDP;
import org.wso2.carbon.appmgt.api.model.WebApp;
import org.wso2.carbon.appmgt.gateway.utils.GatewayUtils;
import org.wso2.carbon.appmgt.impl.AppManagerConfiguration;
import org.wso2.carbon.appmgt.impl.idp.sso.SSOConfiguratorUtil;
import org.wso2.carbon.appmgt.impl.service.ServiceReferenceHolder;
import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.identity.sso.saml.exception.IdentitySAML2SSOException;

/* loaded from: input_file:org/wso2/carbon/appmgt/gateway/handlers/security/saml2/IDPMessage.class */
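/**
 * Holder for a parsed SAML 2.0 message (request or response) exchanged with the IdP, together
 * with the validation routines the gateway runs on it: audience restriction, assertion validity
 * window, and XML signature checks on the response and its assertions.
 *
 * <p>All validation methods fail closed: any missing element, parse problem or validation error
 * results in {@code false} (logged), never in a silent pass.
 */
public class IDPMessage {
    private static final Log log = LogFactory.getLog(IDPMessage.class);

    /** Tenant domain of the super tenant; other tenants resolve the IdP certificate by domain. */
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";

    /** Skew tolerance (seconds) used for the assertion validity window when not configured. */
    private static final int DEFAULT_TIMESTAMP_SKEW_IN_SECONDS = 300;

    private RequestAbstractType samlRequest;
    private StatusResponseType samlResponse;
    private List<AuthenticatedIDP> authenticatedIDPs;
    private String relayState;
    private String rawSAMLResponse;
    private String rawSAMLRequest;
    // Overridden from "SSOConfiguration.SAMLResponseValidityTimeStampSkew" when that property is set.
    private int timeStampSkewInSeconds = DEFAULT_TIMESTAMP_SKEW_IN_SECONDS;

    /** @return the parsed SAML request, or {@code null} if this message carries a response */
    public RequestAbstractType getSAMLRequest() {
        return this.samlRequest;
    }

    /** @param requestAbstractType the parsed SAML request held by this message */
    public void setSAMLRequest(RequestAbstractType requestAbstractType) {
        this.samlRequest = requestAbstractType;
    }

    /** @return the parsed SAML response, or {@code null} if this message carries a request */
    public StatusResponseType getSAMLResponse() {
        return this.samlResponse;
    }

    /** @param statusResponseType the parsed SAML response held by this message */
    public void setSAMLResponse(StatusResponseType statusResponseType) {
        this.samlResponse = statusResponseType;
    }

    /** @return the IdPs that authenticated the subject, as recorded by the caller */
    public List<AuthenticatedIDP> getAuthenticatedIDPs() {
        return this.authenticatedIDPs;
    }

    /** @param list the IdPs that authenticated the subject */
    public void setAuthenticatedIDPs(List<AuthenticatedIDP> list) {
        this.authenticatedIDPs = list;
    }

    /** @param str the RelayState value that accompanied the message */
    public void setRelayState(String str) {
        this.relayState = str;
    }

    /** @return the RelayState value that accompanied the message */
    public String getRelayState() {
        return this.relayState;
    }

    /** @param str the response exactly as received, before parsing */
    public void setRawSAMLResponse(String str) {
        this.rawSAMLResponse = str;
    }

    /** @return the response exactly as received, before parsing */
    public String getRawSAMLResponse() {
        return this.rawSAMLResponse;
    }

    /** @return the request exactly as received, before parsing */
    public String getRawSAMLRequest() {
        return this.rawSAMLRequest;
    }

    /** @param str the request exactly as received, before parsing */
    public void setRawSAMLRequest(String str) {
        this.rawSAMLRequest = str;
    }

    /** @return {@code true} if the held response is a single-logout {@link LogoutResponse} */
    public boolean isSLOResponse() {
        return this.samlResponse instanceof LogoutResponse;
    }

    /** @return {@code true} if the held request is a single-logout {@link LogoutRequest} */
    public boolean isSLORequest() {
        return this.samlRequest instanceof LogoutRequest;
    }

    /**
     * Validates the audience restriction of every assertion in {@code statusResponseType} and,
     * where enabled by {@link SSOConfiguratorUtil}, the XML signature of the held message and of
     * every assertion in the held response.
     *
     * <p>Every assertion is checked, not only the first one, so an additional assertion that names
     * a different audience or is unsigned cannot ride along with a valid one.
     *
     * @param statusResponseType the response whose assertions are audience-checked; when
     *        {@code null} the audience check is skipped and only the signature checks on the
     *        message held by this instance run (the original behaviour for request messages)
     * @param webApp the web app whose SAML2 SSO issuer must appear as an audience
     * @param appManagerConfiguration source of {@code SSOConfiguration.ResponseSigningKeyAlias}
     * @return {@code true} only if every enabled check passed
     */
    public boolean validateSignatureAndAudienceRestriction(StatusResponseType statusResponseType, WebApp webApp, AppManagerConfiguration appManagerConfiguration) {
        if (statusResponseType != null) {
            List<Assertion> assertions = assertionsOf(statusResponseType);
            if (CollectionUtils.isEmpty(assertions)) {
                if (log.isDebugEnabled()) {
                    log.debug("SAML Response does not have assertions.");
                }
                return false;
            }
            for (Assertion assertion : assertions) {
                if (!validateAudienceRestriction(assertion, webApp)) {
                    return false;
                }
            }
        }
        boolean isResponseSigningEnabled = SSOConfiguratorUtil.isResponseSigningEnabled();
        boolean isAssertionSigningEnabled = SSOConfiguratorUtil.isAssertionSigningEnabled();
        if (!isResponseSigningEnabled && !isAssertionSigningEnabled) {
            return true;
        }
        Credential credential = resolveIdpCredential(appManagerConfiguration);
        if (credential == null) {
            log.error("IdP credential could not be resolved; SAML signature cannot be validated.");
            return false;
        }
        if (isResponseSigningEnabled && !validateResponseSignature(credential)) {
            return false;
        }
        return !isAssertionSigningEnabled || validateAssertionSignature(credential);
    }

    /**
     * Looks up the IdP signing credential for the current tenant.
     *
     * @param appManagerConfiguration source of the configured key alias (super tenant only)
     * @return the credential, or {@code null} if none could be obtained
     */
    private Credential resolveIdpCredential(AppManagerConfiguration appManagerConfiguration) {
        String keyAlias = appManagerConfiguration.getFirstProperty("SSOConfiguration.ResponseSigningKeyAlias");
        String tenantDomain = CarbonContext.getThreadLocalCarbonContext().getTenantDomain();
        if (!SUPER_TENANT_DOMAIN.equals(tenantDomain)) {
            // Tenants other than the super tenant are looked up by their domain, not by the configured alias.
            keyAlias = tenantDomain;
        }
        try {
            return GatewayUtils.getIDPCertificate(tenantDomain, keyAlias);
        } catch (IdentitySAML2SSOException e) {
            GatewayUtils.logAndThrowException(log, "Error while getting IdP Certificate", e);
            // Reached only if logAndThrowException does not rethrow; a null credential fails closed upstream.
            return null;
        }
    }

    /**
     * Validates the signature on the held message itself (response, else request).
     *
     * @param credential the IdP credential the signature must verify against
     * @return {@code true} if the message is signed and the signature verifies
     */
    private boolean validateResponseSignature(Credential credential) {
        Signature signature = null;
        if (isResponse()) {
            signature = getSAMLResponse().getSignature();
        } else if (isRequest()) {
            signature = getSAMLRequest().getSignature();
        }
        return validateSignature(credential, signature);
    }

    /**
     * Validates the signature of every assertion in the held response.
     *
     * @param credential the IdP credential the signatures must verify against
     * @return {@code true} only if the response has assertions and each one is signed and verifies
     */
    private boolean validateAssertionSignature(Credential credential) {
        List<Assertion> assertions = assertionsOf(this.samlResponse);
        if (CollectionUtils.isEmpty(assertions)) {
            if (log.isDebugEnabled()) {
                log.debug("SAML Response does not have assertions.");
            }
            return false;
        }
        for (Assertion assertion : assertions) {
            if (!validateSignature(credential, assertion.getSignature())) {
                return false;
            }
        }
        return true;
    }

    /**
     * Runs the SAML signature profile check and then the cryptographic check on one signature.
     *
     * @param credential the IdP credential; a {@code null} credential fails the check
     * @param signature the signature to verify; a {@code null} signature (unsigned element) fails
     * @return {@code true} if both checks pass
     */
    private boolean validateSignature(Credential credential, Signature signature) {
        if (signature == null) {
            if (log.isDebugEnabled()) {
                log.debug("SAML message has not been singed.");
            }
            return false;
        }
        if (credential == null) {
            log.error("No IdP credential available to validate the SAML signature.");
            return false;
        }
        // The profile check runs before the cryptographic one; the message below names what it guards against.
        try {
            new SAMLSignatureProfileValidator().validate(signature);
        } catch (ValidationException e) {
            log.error("SAML Response signature or Aseertion signature do not confirm to SAML signature profile. Possible XML Signature Wrapping Attack");
            if (log.isDebugEnabled()) {
                log.debug("SAML signature do not confirm to SAML signature profile.", e);
            }
            return false;
        }
        try {
            new SignatureValidator(credential).validate(signature);
        } catch (ValidationException e) {
            log.error("Response signature or Assertion signature of the SAML message can't be validated.");
            if (log.isDebugEnabled()) {
                log.debug("Response signature or Assertion signature of the SAML message can't be validated.", e);
            }
            return false;
        }
        return true;
    }

    /**
     * Checks the NotBefore / NotOnOrAfter conditions of every assertion in the held response,
     * allowing the configured clock skew, when {@link SSOConfiguratorUtil#isValidateAssertionValidityPeriod()}
     * is on.
     *
     * @return {@code true} if validation is disabled or every assertion is within its validity window
     */
    public boolean validateAssertionValidityPeriod() {
        if (!SSOConfiguratorUtil.isValidateAssertionValidityPeriod()) {
            return true;
        }
        List<Assertion> assertions = assertionsOf(this.samlResponse);
        if (CollectionUtils.isEmpty(assertions)) {
            if (log.isDebugEnabled()) {
                log.debug("SAML Response does not have assertions.");
            }
            return false;
        }
        String configuredSkew = ServiceReferenceHolder.getInstance().getAPIManagerConfigurationService().getAPIManagerConfiguration().getFirstProperty("SSOConfiguration.SAMLResponseValidityTimeStampSkew");
        if (configuredSkew != null) {
            try {
                this.timeStampSkewInSeconds = Integer.parseInt(configuredSkew);
            } catch (NumberFormatException e) {
                // A malformed skew must not widen the window; refuse the assertion instead of guessing.
                log.error("Invalid value for SSOConfiguration.SAMLResponseValidityTimeStampSkew: " + configuredSkew);
                return false;
            }
        }
        for (Assertion assertion : assertions) {
            if (!isWithinValidityPeriod(assertion)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Applies the NotBefore / NotOnOrAfter conditions of one assertion with the current skew.
     *
     * @param assertion the assertion to check
     * @return {@code true} if the assertion has Conditions and the current time lies in its window
     */
    private boolean isWithinValidityPeriod(Assertion assertion) {
        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            log.error("SAML Response doesn't contain Conditions");
            return false;
        }
        DateTime notBefore = conditions.getNotBefore();
        DateTime notOnOrAfter = conditions.getNotOnOrAfter();
        // Skew is applied in the lenient direction on both bounds.
        if (notBefore != null && notBefore.minusSeconds(this.timeStampSkewInSeconds).isAfterNow()) {
            log.error("Failed to meet SAML Assertion Condition 'Not Before'");
            return false;
        }
        if (notOnOrAfter != null && notOnOrAfter.plusSeconds(this.timeStampSkewInSeconds).isBeforeNow()) {
            log.error("Failed to meet SAML Assertion Condition 'Not On Or After'");
            return false;
        }
        if (notBefore != null && notOnOrAfter != null && notBefore.isAfter(notOnOrAfter)) {
            log.error("SAML Assertion Condition 'Not Before' must be less than the value of 'Not On Or After'");
            return false;
        }
        return true;
    }

    /**
     * Requires that every AudienceRestriction of the assertion names the web app's SAML2 SSO
     * issuer as one of its audiences.
     *
     * @param assertion the assertion to check (non-null)
     * @param webApp supplies the expected audience URI
     * @return {@code true} if Conditions, at least one AudienceRestriction and a matching
     *         Audience in each restriction are present
     */
    private boolean validateAudienceRestriction(Assertion assertion, WebApp webApp) {
        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            log.error("SAML Response doesn't contain Conditions");
            return false;
        }
        List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions();
        if (CollectionUtils.isEmpty(audienceRestrictions)) {
            log.error("SAML Response doesn't contain AudienceRestrictions");
            return false;
        }
        String expectedAudience = webApp.getSaml2SsoIssuer();
        if (expectedAudience == null) {
            log.error("SAML Assertion Audience Restriction validation failed");
            return false;
        }
        for (AudienceRestriction audienceRestriction : audienceRestrictions) {
            List<Audience> audiences = audienceRestriction.getAudiences();
            if (CollectionUtils.isEmpty(audiences)) {
                log.error("SAML Response's AudienceRestriction doesn't contain Audiences");
                return false;
            }
            if (!containsAudience(audiences, expectedAudience)) {
                log.error("SAML Assertion Audience Restriction validation failed");
                return false;
            }
        }
        return true;
    }

    /** @return {@code true} if any of {@code audiences} has exactly {@code expectedAudience} as its URI */
    private static boolean containsAudience(List<Audience> audiences, String expectedAudience) {
        for (Audience audience : audiences) {
            if (expectedAudience.equals(audience.getAudienceURI())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the assertions carried by a response message.
     *
     * @param message the held response; may be {@code null}
     * @return the assertions if {@code message} is a {@link Response}, otherwise an empty list
     *         (e.g. for a {@link LogoutResponse} or no response at all)
     */
    private static List<Assertion> assertionsOf(StatusResponseType message) {
        if (message instanceof Response) {
            return ((Response) message).getAssertions();
        }
        return Collections.emptyList();
    }

    /** @return {@code true} if this message holds a SAML request */
    private boolean isRequest() {
        return this.samlRequest != null;
    }

    /** @return {@code true} if this message holds a SAML response */
    private boolean isResponse() {
        return this.samlResponse != null;
    }
}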
