package org.opensaml.saml2.metadata.provider;

import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.apache.commons.configuration.tree.DefaultExpressionEngine;
import org.opensaml.saml2.metadata.AffiliationDescriptor;
import org.opensaml.saml2.metadata.EntitiesDescriptor;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.RoleDescriptor;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.signature.SignableXMLObject;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.validation.ValidationException;
import org.opensaml.xml.validation.Validator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/org.apache.rampart.wso2-rampart-trust-1.6.1-wso2v42.jar:opensaml-2.6.6.jar:org/opensaml/saml2/metadata/provider/SignatureValidationFilter.class
  input_file:WEB-INF/lib/rampart-core-1.6.1-wso2v42.jar:opensaml-2.6.6.jar:org/opensaml/saml2/metadata/provider/SignatureValidationFilter.class
  input_file:WEB-INF/lib/wss4j-1.5.11-wso2v19.jar:opensaml-2.6.1.jar:org/opensaml/saml2/metadata/provider/SignatureValidationFilter.class
 */
/* loaded from: input_file:WEB-INF/lib/opensaml-2.6.6.jar:org/opensaml/saml2/metadata/provider/SignatureValidationFilter.class */
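/**
 * Metadata filter that verifies the XML signatures carried by a SAML 2 metadata tree
 * ({@code EntitiesDescriptor} / {@code EntityDescriptor} and their signed children).
 *
 * <p>Behaviour, as implemented below:
 * <ul>
 *   <li>If {@link #getRequireSignature()} is {@code true} and the root element carries no
 *       signature, the whole document is rejected with a {@link FilterException}.</li>
 *   <li>A signed root element whose signature fails pre-validation or trust establishment
 *       raises a {@link FilterException}, i.e. the document is rejected.</li>
 *   <li>Signed subordinate elements (nested {@code EntitiesDescriptor},
 *       {@code EntityDescriptor}, {@code RoleDescriptor}, {@code AffiliationDescriptor})
 *       whose signature fails are <em>removed</em> from the tree and processing continues.</li>
 *   <li>Unsigned subordinate elements are left untouched: they are accepted on the strength
 *       of whatever signed ancestor covers them, or, when {@code requireSignature} is
 *       {@code false} and the root is unsigned, on no signature at all.</li>
 * </ul>
 *
 * <p>Security notes for deployers:
 * <ul>
 *   <li>Every signature is first run through the pre-validator (by default a
 *       {@link SAMLSignatureProfileValidator}) before the trust engine is consulted. Passing
 *       {@code null} as the validator to the two-argument constructor disables that step
 *       entirely; only do so if equivalent structural checks on the signature are performed
 *       elsewhere.</li>
 *   <li>{@link #buildCriteriaSet} contributes only the configured default criteria plus a
 *       {@code UsageType.SIGNING} usage criterion. The element being verified and its ID
 *       token are passed in but not used, so a trust engine that must select keys per
 *       entity has to be driven through {@link #setDefaultCriteria} or by overriding
 *       {@link #buildCriteriaSet} in a subclass.</li>
 *   <li>NOTE(review): this listing is a decompilation of OpenSAML 2.6.x as bundled with
 *       WSO2 Rampart; upstream has long since moved to OpenSAML 3/4. Check whether a
 *       supported version is available for this deployment.</li>
 * </ul>
 */
public class SignatureValidationFilter implements MetadataFilter {

    /** Class logger. */
    private static final Logger log = LoggerFactory.getLogger(SignatureValidationFilter.class);

    /** Trust engine used to establish that a verified signature was made with a trusted key. */
    private final SignatureTrustEngine signatureTrustEngine;

    /** Whether an unsigned root element is rejected outright. Defaults to {@code false}. */
    private boolean requireSignature;

    /** Caller-supplied criteria merged into every trust-engine evaluation; may be {@code null}. */
    private CriteriaSet defaultCriteria;

    /** Structural pre-validator applied to each signature before trust evaluation; may be {@code null}. */
    private final Validator<Signature> sigValidator;

    /**
     * Creates a filter that pre-validates signatures with a {@link SAMLSignatureProfileValidator}.
     *
     * @param signatureTrustEngine trust engine used to evaluate signatures, must not be {@code null}
     * @throws IllegalArgumentException if {@code signatureTrustEngine} is {@code null}
     */
    public SignatureValidationFilter(SignatureTrustEngine signatureTrustEngine) {
        this(signatureTrustEngine, new SAMLSignatureProfileValidator());
    }

    /**
     * Creates a filter with a caller-supplied signature pre-validator.
     *
     * @param signatureTrustEngine trust engine used to evaluate signatures, must not be {@code null}
     * @param validator pre-validator run on each signature before trust evaluation; {@code null}
     *        disables pre-validation (see the class comment for why that is risky)
     * @throws IllegalArgumentException if {@code signatureTrustEngine} is {@code null}
     */
    public SignatureValidationFilter(SignatureTrustEngine signatureTrustEngine, Validator<Signature> validator) {
        if (signatureTrustEngine == null) {
            throw new IllegalArgumentException("Signature trust engine may not be null");
        }
        this.signatureTrustEngine = signatureTrustEngine;
        this.sigValidator = validator;
    }

    /** @return the trust engine used to evaluate signatures */
    public SignatureTrustEngine getSignatureTrustEngine() {
        return this.signatureTrustEngine;
    }

    /** @return the signature pre-validator, or {@code null} if pre-validation is disabled */
    public Validator<Signature> getSignaturePrevalidator() {
        return this.sigValidator;
    }

    /** @return whether an unsigned root element causes the whole document to be rejected */
    public boolean getRequireSignature() {
        return this.requireSignature;
    }

    /**
     * Sets whether an unsigned root element causes the whole document to be rejected.
     * Note that this applies to the root only; unsigned subordinate elements are never
     * rejected by this filter.
     *
     * @param require {@code true} to reject an unsigned root element
     */
    public void setRequireSignature(boolean require) {
        this.requireSignature = require;
    }

    /** @return criteria merged into every trust-engine evaluation, or {@code null} */
    public CriteriaSet getDefaultCriteria() {
        return this.defaultCriteria;
    }

    /**
     * Sets criteria merged into every trust-engine evaluation.
     *
     * @param criteriaSet the criteria to use, or {@code null} for none
     */
    public void setDefaultCriteria(CriteriaSet criteriaSet) {
        this.defaultCriteria = criteriaSet;
    }

    /**
     * Filters a metadata tree, rejecting it or pruning subordinate elements whose signatures
     * do not verify.
     *
     * <p>Changes relative to the decompiled original: a non-signable or {@code null} root is
     * reported as a {@link FilterException} rather than an unchecked {@code ClassCastException}
     * / {@code NullPointerException}, and a signable root of an unsupported type is now
     * rejected instead of being logged and passed through unverified (fail closed).
     *
     * @param metadata the metadata root element
     * @throws FilterException if the root is not signable, is unsigned while signatures are
     *         required, is of an unsupported type, or if its own signature does not verify
     */
    @Override // org.opensaml.saml2.metadata.provider.MetadataFilter
    public void doFilter(XMLObject metadata) throws FilterException {
        if (!(metadata instanceof SignableXMLObject)) {
            throw new FilterException("Metadata root element is not signable: "
                    + (metadata == null ? "null" : metadata.getClass().getName()));
        }
        SignableXMLObject signable = (SignableXMLObject) metadata;

        if (!signable.isSigned() && getRequireSignature()) {
            throw new FilterException("Metadata root element was unsigned and signatures are required.");
        }

        if (signable instanceof EntityDescriptor) {
            processEntityDescriptor((EntityDescriptor) signable);
        } else if (signable instanceof EntitiesDescriptor) {
            processEntityGroup((EntitiesDescriptor) signable);
        } else {
            // Fail closed: previously this branch only logged, letting the element through unverified.
            log.error("Internal error, metadata object was of an unsupported type: {}", metadata.getClass().getName());
            throw new FilterException("Metadata root element was of an unsupported type: "
                    + metadata.getClass().getName());
        }
    }

    /**
     * Verifies an {@code EntityDescriptor} and its signed children.
     *
     * <p>The descriptor's own signature, if present, must verify or a {@link FilterException}
     * propagates to the caller. Signed {@code RoleDescriptor} children and a signed
     * {@code AffiliationDescriptor} that fail verification are removed from the descriptor;
     * unsigned children are skipped.
     *
     * @param entityDescriptor the descriptor to process
     * @throws FilterException if the descriptor's own signature fails verification
     */
    protected void processEntityDescriptor(EntityDescriptor entityDescriptor) throws FilterException {
        String entityID = entityDescriptor.getEntityID();
        log.trace("Processing EntityDescriptor: {}", entityID);

        if (entityDescriptor.isSigned()) {
            verifySignature(entityDescriptor, entityID, false);
        }

        // Iterator.remove() is used so the child list can be pruned while it is being walked.
        Iterator<RoleDescriptor> roles = entityDescriptor.getRoleDescriptors().iterator();
        while (roles.hasNext()) {
            RoleDescriptor role = roles.next();
            if (!role.isSigned()) {
                log.trace("RoleDescriptor member '{}' was not signed, skipping signature processing...", role.getElementQName());
                continue;
            }
            log.trace("Processing signed RoleDescriptor member: {}", role.getElementQName());
            try {
                verifySignature(role, getRoleIDToken(entityID, role), false);
            } catch (FilterException e) {
                log.error("RoleDescriptor '{}' subordinate to entity '{}' failed signature verification, removing from metadata provider", role.getElementQName(), entityID);
                roles.remove();
            }
        }

        AffiliationDescriptor affiliation = entityDescriptor.getAffiliationDescriptor();
        if (affiliation == null) {
            return;
        }
        if (!affiliation.isSigned()) {
            log.trace("AffiliationDescriptor member was not signed, skipping signature processing...");
            return;
        }
        log.trace("Processing signed AffiliationDescriptor member with owner ID: {}", affiliation.getOwnerID());
        try {
            verifySignature(affiliation, affiliation.getOwnerID(), false);
        } catch (FilterException e) {
            log.error("AffiliationDescriptor with owner ID '{}' subordinate to entity '{}' failed signature verification, removing from metadata provider", affiliation.getOwnerID(), entityID);
            entityDescriptor.setAffiliationDescriptor(null);
        }
    }

    /**
     * Verifies an {@code EntitiesDescriptor} and recurses into its children.
     *
     * <p>The group's own signature, if present, must verify or a {@link FilterException}
     * propagates to the caller. Signed child {@code EntityDescriptor}s that fail are removed;
     * unsigned ones are not examined at all (so their role descriptors are not checked either).
     * Nested {@code EntitiesDescriptor}s are always processed; one that fails is removed.
     *
     * @param entitiesDescriptor the group to process
     * @throws FilterException if the group's own signature fails verification
     */
    protected void processEntityGroup(EntitiesDescriptor entitiesDescriptor) throws FilterException {
        log.trace("Processing EntitiesDescriptor group: {}", entitiesDescriptor.getName());

        if (entitiesDescriptor.isSigned()) {
            verifySignature(entitiesDescriptor, entitiesDescriptor.getName(), true);
        }

        Set<EntityDescriptor> rejectedEntities = new HashSet<EntityDescriptor>();
        for (EntityDescriptor entity : entitiesDescriptor.getEntityDescriptors()) {
            if (!entity.isSigned()) {
                log.trace("EntityDescriptor member '{}' was not signed, skipping signature processing...", entity.getEntityID());
                continue;
            }
            log.trace("Processing signed EntityDescriptor member: {}", entity.getEntityID());
            try {
                processEntityDescriptor(entity);
            } catch (FilterException e) {
                log.error("EntityDescriptor '{}' failed signature verification, removing from metadata provider", entity.getEntityID());
                rejectedEntities.add(entity);
            }
        }
        if (!rejectedEntities.isEmpty()) {
            entitiesDescriptor.getEntityDescriptors().removeAll(rejectedEntities);
        }

        Set<EntitiesDescriptor> rejectedGroups = new HashSet<EntitiesDescriptor>();
        for (EntitiesDescriptor group : entitiesDescriptor.getEntitiesDescriptors()) {
            log.trace("Processing EntitiesDescriptor member: {}", group.getName());
            try {
                processEntityGroup(group);
            } catch (FilterException e) {
                log.error("EntitiesDescriptor '{}' failed signature verification, removing from metadata provider", group.getName());
                rejectedGroups.add(group);
            }
        }
        if (!rejectedGroups.isEmpty()) {
            entitiesDescriptor.getEntitiesDescriptors().removeAll(rejectedGroups);
        }
    }

    /**
     * Pre-validates a signature and then asks the trust engine to establish trust in it.
     *
     * <p>All callers in this class gate on {@code isSigned()} first, so the {@code null}
     * signature branch is only reachable from a subclass; it deliberately keeps the original
     * behaviour of warning and returning rather than failing.
     *
     * @param signable the signed element
     * @param idToken human-readable identifier for the element, used in log messages only
     * @param isEntityGroup {@code true} when {@code signable} is an {@code EntitiesDescriptor};
     *        forwarded to {@link #buildCriteriaSet} (which ignores it by default)
     * @throws FilterException if pre-validation fails, the trust engine rejects the signature,
     *         or the trust engine throws a {@link SecurityException}
     */
    protected void verifySignature(SignableXMLObject signable, String idToken, boolean isEntityGroup)
            throws FilterException {
        log.debug("Verifying signature on metadata entry: {}", idToken);

        Signature signature = signable.getSignature();
        if (signature == null) {
            log.warn("Signature was null, skipping processing on metadata entry: {}", idToken);
            return;
        }

        performPreValidation(signature, idToken);

        CriteriaSet criteria = buildCriteriaSet(signable, idToken, isEntityGroup);
        boolean trusted;
        try {
            trusted = getSignatureTrustEngine().validate(signature, criteria);
        } catch (SecurityException e) {
            log.error("Error processing signature verification for metadata entry '{}': {} ", idToken, e.getMessage());
            throw new FilterException("Error processing signature verification for metadata entry", e);
        }

        if (!trusted) {
            log.error("Signature trust establishment failed for metadata entry {}", idToken);
            throw new FilterException("Signature trust establishment failed for metadata entry");
        }
        log.trace("Signature trust establishment succeeded for metadata entry {}", idToken);
    }

    /**
     * Runs the configured pre-validator, if any, against a signature.
     *
     * @param signature the signature to check
     * @param idToken human-readable identifier for the element, used in log messages only
     * @throws FilterException wrapping the {@link ValidationException} if pre-validation fails
     */
    protected void performPreValidation(Signature signature, String idToken) throws FilterException {
        Validator<Signature> prevalidator = getSignaturePrevalidator();
        if (prevalidator == null) {
            return;
        }
        try {
            prevalidator.validate(signature);
        } catch (ValidationException e) {
            log.error("Signature on metadata entry '{}' failed signature pre-validation", idToken);
            throw new FilterException("Metadata instance signature failed signature pre-validation", e);
        }
    }

    /**
     * Builds the criteria handed to the trust engine for one signature.
     *
     * <p>Default behaviour: a copy of {@link #getDefaultCriteria()} (if set) plus a
     * {@code UsageCriteria(UsageType.SIGNING)} unless the defaults already contain a usage
     * criterion. {@code signable}, {@code idToken} and {@code isEntityGroup} are accepted so
     * that subclasses can add element-specific criteria; this implementation does not use them.
     *
     * @param signable the element whose signature is being evaluated (unused here)
     * @param idToken human-readable identifier for the element (unused here)
     * @param isEntityGroup whether the element is an {@code EntitiesDescriptor} (unused here)
     * @return the criteria set for the trust engine, never {@code null}
     */
    protected CriteriaSet buildCriteriaSet(SignableXMLObject signable, String idToken, boolean isEntityGroup) {
        CriteriaSet criteria = new CriteriaSet();
        CriteriaSet defaults = getDefaultCriteria();
        if (defaults != null) {
            criteria.addAll(defaults);
        }
        if (!criteria.contains(UsageCriteria.class)) {
            criteria.add(new UsageCriteria(UsageType.SIGNING));
        }
        return criteria;
    }

    /**
     * Builds the log token used for a role descriptor, e.g. {@code [Role: entityID::IDPSSODescriptor]}.
     *
     * <p>The trailing constant is what the decompiler resolved the closing bracket literal to;
     * it is kept as-is to preserve the exact token.
     *
     * @param entityID the owning entity's ID
     * @param roleDescriptor the role descriptor
     * @return the token
     */
    protected String getRoleIDToken(String entityID, RoleDescriptor roleDescriptor) {
        return "[Role: " + entityID + "::" + roleDescriptor.getElementQName().getLocalPart()
                + DefaultExpressionEngine.DEFAULT_ATTRIBUTE_END;
    }
}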
