package org.wso2.carbon.identity.sso.saml.validators;

import java.util.List;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.joda.time.DateTime;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.saml2.core.AuthnContextComparisonTypeEnumeration;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.Subject;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.sso.saml.SAMLSSOConstants;
import org.wso2.carbon.identity.sso.saml.dto.SAMLAuthenticationContextClassRefDTO;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOReqValidationResponseDTO;
import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;

/* loaded from: input_file:org/wso2/carbon/identity/sso/saml/validators/SPInitSSOAuthnRequestValidator.class */
/**
 * Validates an SP-initiated SAML 2.0 {@code AuthnRequest} and maps the outcome onto a
 * {@link SAMLSSOReqValidationResponseDTO}.
 *
 * <p>Checks run in a fixed order and the first failure wins: SAML version, the IssueInstant
 * validity window (only when enabled), presence of an issuer, registration of the service
 * provider, then either the signed-request checks (Destination, SP certificate expiry,
 * signature) or, when the SP has signature validation switched off, the
 * AssertionConsumerServiceURL allow-list, followed by the Issuer Format and
 * SubjectConfirmation constraints. Every failure leaves a SAML error response on the DTO with
 * {@code valid == false}. Any other runtime failure during validation (for example a request
 * without an {@code Issuer} element, which dereferences null) is wrapped in an
 * {@link IdentityException}.
 */
public class SPInitSSOAuthnRequestValidator extends SSOAuthnRequestAbstractValidator {
    private static final Log log = LogFactory.getLog(SPInitSSOAuthnRequestValidator.class);
    /** The only NameID Format an {@code Issuer} element may carry, if it carries one at all. */
    private static final String ENTITY_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity";
    // The request under validation.
    AuthnRequest authnReq;
    // Raw query string handed to SAMLSSOUtil.isSignatureValid; stays null when the
    // single-argument constructor is used.
    String queryString;

    /**
     * Creates a validator for a request that has no accompanying query string.
     *
     * @param authnRequest the parsed authentication request
     * @throws IdentityException declared for API compatibility; the constructor itself does not throw
     */
    public SPInitSSOAuthnRequestValidator(AuthnRequest authnRequest) throws IdentityException {
        this(authnRequest, null);
    }

    /**
     * Creates a validator for a request together with the raw query string it arrived with.
     *
     * @param authnRequest the parsed authentication request
     * @param str          the raw query string used for signature verification, may be null
     * @throws IdentityException declared for API compatibility; the constructor itself does not throw
     */
    public SPInitSSOAuthnRequestValidator(AuthnRequest authnRequest, String str) throws IdentityException {
        this.authnReq = authnRequest;
        this.queryString = str;
    }

    /**
     * Runs all validation steps described on the class and returns the populated DTO.
     *
     * @return a DTO that is either valid and carries the request attributes, or invalid and
     *         carries a SAML error response
     * @throws IdentityException when any step fails with an exception rather than a
     *                           validation verdict
     */
    @Override // org.wso2.carbon.identity.sso.saml.validators.SSOAuthnRequestValidator
    public SAMLSSOReqValidationResponseDTO validate() throws IdentityException {
        try {
            SAMLSSOReqValidationResponseDTO result = new SAMLSSOReqValidationResponseDTO();
            Issuer issuer = authnReq.getIssuer();
            String acsUrl = authnReq.getAssertionConsumerServiceURL();

            // 1. Only SAML 2.0 requests are accepted.
            if (!SAMLVersion.VERSION_20.equals(authnReq.getVersion())) {
                String response = SAMLSSOUtil.buildErrorResponse(SAMLSSOConstants.StatusCodes.VERSION_MISMATCH,
                        "Invalid SAML Version in Authentication Request. SAML Version should be equal to 2.0", acsUrl);
                if (log.isDebugEnabled()) {
                    log.debug("Invalid version in the SAMLRequest" + authnReq.getVersion());
                }
                return markInvalid(result, response);
            }

            // 2. IssueInstant must fall inside the configured validity window (plus clock skew).
            if (SAMLSSOUtil.isSAMLAuthenticationRequestValidityPeriodEnabled()) {
                String issueInstantError = validateRequestIssueInstant();
                if (issueInstantError != null) {
                    log.error(issueInstantError);
                    return markInvalid(result, SAMLSSOUtil.buildErrorResponse(
                            SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, issueInstantError, null));
                }
            }

            // 3. Issuer: prefer the element value, fall back to SPProvidedID, otherwise reject.
            if (StringUtils.isNotBlank(issuer.getValue())) {
                result.setIssuer(issuer.getValue());
            } else if (StringUtils.isNotBlank(issuer.getSPProvidedID())) {
                result.setIssuer(issuer.getSPProvidedID());
            } else {
                String response = SAMLSSOUtil.buildErrorResponse(SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                        "Issuer/ProviderName should not be empty in the Authentication Request.", acsUrl);
                log.debug("SAML Request issuer validation failed. Issuer should not be empty");
                return markInvalid(result, response);
            }

            // The SP lookup key is derived from issuer.getValue(), not from the issuer recorded on
            // the DTO, so a request that only carried SPProvidedID is looked up by its blank value.
            // splitAppendedTenantDomain is inherited; its handling of a blank value is not visible here.
            String issuerName = splitAppendedTenantDomain(issuer.getValue());
            String tenantDomain = SAMLSSOUtil.getTenantDomainFromThreadLocal();
            Subject subject = authnReq.getSubject();
            if (log.isDebugEnabled()) {
                log.debug("Validating SAML Request  of the Issuer :" + issuerName + " of tenant domain:" + tenantDomain);
            }

            // 4. The issuer must map to a registered service provider.
            SAMLSSOServiceProviderDO spConfig = SAMLSSOUtil.getServiceProviderConfig(issuerName, tenantDomain);
            if (spConfig == null) {
                String message = "A Service Provider with the Issuer '" + result.getIssuer()
                        + "' is not registered. Service Provider should be registered in advance.";
                String response = SAMLSSOUtil.buildErrorResponse(SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, acsUrl);
                log.warn(message);
                return markInvalid(result, response);
            }

            // A qualified issuer placed in the thread local by an earlier stage overrides the raw one.
            String qualifiedIssuer = SAMLSSOUtil.getIssuerWithQualifierInThreadLocal();
            if (qualifiedIssuer != null) {
                result.setIssuerQualifier(SAMLSSOUtil.getIssuerQualifier());
                result.setIssuer(qualifiedIssuer);
            }

            if (spConfig.isDoValidateSignatureInRequests()) {
                // 5a. Signed requests: Destination, SP certificate expiry, then the signature itself.
                // The ACS URL allow-list check of 5b is not applied on this path; presumably the
                // request signature is what binds the ACS URL for such SPs.
                List<String> allowedDestinations = SAMLSSOUtil.getDestinationFromTenantDomain(tenantDomain);
                String destination = authnReq.getDestination();
                if (destination == null || !allowedDestinations.contains(destination)) {
                    String message = "Destination validation for Authentication Request failed. Received: [" + destination
                            + "]. Expected one in the list: [" + StringUtils.join(allowedDestinations, ',') + "]";
                    log.warn(message);
                    return markInvalid(result, SAMLSSOUtil.buildErrorResponse(
                            SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, acsUrl));
                }
                // Expiry is only consulted when the feature flag is on (short-circuit keeps that order).
                boolean certificateExpired = SAMLSSOUtil.isSpCertificateExpiryValidationEnabled()
                        && SAMLSSOUtil.isCertificateExpired(spConfig.getX509Certificate());
                if (certificateExpired) {
                    return markInvalid(result, SAMLSSOUtil.buildErrorResponse(SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                            "The Signature validation validation failed as the SP certificate is expired, of Issuer :"
                                    + result.getIssuer() + " and tenantDomain:" + tenantDomain, acsUrl));
                }
                if (!SAMLSSOUtil.isSignatureValid(authnReq, queryString, result.getIssuer(), spConfig.getX509Certificate())) {
                    String message = "Signature validation for Authentication Request failed for the request of Issuer :"
                            + result.getIssuer() + " in tenantDomain:" + tenantDomain;
                    log.warn(message);
                    return markInvalid(result, SAMLSSOUtil.buildErrorResponse(
                            SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, acsUrl));
                }
            } else if (StringUtils.isNotEmpty(acsUrl) && !spConfig.getAssertionConsumerUrlList().contains(acsUrl)) {
                // 5b. Unsigned requests: an ACS URL, if present, must be one registered for the SP.
                String message = "ALERT: Invalid Assertion Consumer URL value '" + acsUrl
                        + "' in the AuthnRequest message from  the issuer '" + spConfig.getIssuer()
                        + "'. Possibly an attempt for a spoofing attack";
                log.error(message);
                return markInvalid(result, SAMLSSOUtil.buildErrorResponse(
                        SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, acsUrl));
            }

            // 6. Issuer Format, when given, must be the entity format.
            if (StringUtils.isNotBlank(issuer.getFormat()) && !ENTITY_NAMEID_FORMAT.equals(issuer.getFormat())) {
                String response = SAMLSSOUtil.buildErrorResponse(SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                        "Issuer Format attribute value is invalid", acsUrl);
                if (log.isDebugEnabled()) {
                    log.debug("Invalid Issuer Format attribute value " + issuer.getFormat());
                }
                return markInvalid(result, response);
            }

            // 7. Subject: the NameID is carried over; SubjectConfirmation elements are not allowed.
            if (subject != null) {
                if (subject.getNameID() != null) {
                    result.setSubject(subject.getNameID().getValue());
                }
                List<?> confirmations = subject.getSubjectConfirmations();
                if (confirmations != null && !confirmations.isEmpty()) {
                    String response = SAMLSSOUtil.buildErrorResponse(SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                            "Subject Confirmation methods should NOT be in the request.", acsUrl);
                    if (log.isDebugEnabled()) {
                        log.debug("Invalid Request message. A Subject confirmation method found " + confirmations.get(0));
                    }
                    return markInvalid(result, response);
                }
            }

            // 8. All checks passed: copy the request attributes onto the DTO.
            result.setId(authnReq.getID());
            result.setAssertionConsumerURL(acsUrl);
            result.setDestination(authnReq.getDestination());
            result.setValid(true);
            result.setPassive(authnReq.isPassive().booleanValue());
            result.setForceAuthn(authnReq.isForceAuthn().booleanValue());
            setRequestedAuthnContext(result);
            // An index below 1 is left unset on the DTO.
            Integer acsIndex = authnReq.getAttributeConsumingServiceIndex();
            if (acsIndex != null && acsIndex >= 1) {
                result.setAttributeConsumingServiceIndex(acsIndex);
            }
            if (log.isDebugEnabled()) {
                log.debug("Authentication Request Validation is successful..");
            }
            return result;
        } catch (Exception e) {
            throw IdentityException.error("Error validating the authentication request", e);
        }
    }

    /**
     * Stores a prebuilt SAML error response on the DTO and flags it invalid.
     *
     * @param dto           the response object being populated
     * @param errorResponse the encoded error response to hand back to the SP
     * @return {@code dto}, so callers can return it directly
     */
    private static SAMLSSOReqValidationResponseDTO markInvalid(SAMLSSOReqValidationResponseDTO dto,
                                                               String errorResponse) {
        dto.setResponse(errorResponse);
        dto.setValid(false);
        return dto;
    }

    /**
     * Copies the RequestedAuthnContext (comparison and class references) onto the DTO.
     * A missing or blank comparison defaults to {@code exact}.
     *
     * @param dto the response object being populated
     */
    private void setRequestedAuthnContext(SAMLSSOReqValidationResponseDTO dto) {
        if (authnReq.getRequestedAuthnContext() == null) {
            return;
        }
        String comparison = authnReq.getRequestedAuthnContext().getComparison() == null
                ? null
                : authnReq.getRequestedAuthnContext().getComparison().toString();
        if (StringUtils.isBlank(comparison)) {
            comparison = AuthnContextComparisonTypeEnumeration.EXACT.toString();
        }
        dto.setRequestedAuthnContextComparison(comparison);
        if (authnReq.getRequestedAuthnContext().getAuthnContextClassRefs() != null) {
            authnReq.getRequestedAuthnContext().getAuthnContextClassRefs().forEach(ref ->
                    dto.addAuthenticationContextClassRef(
                            new SAMLAuthenticationContextClassRefDTO(ref.getAuthnContextClassRef())));
        }
    }

    /**
     * Checks the request IssueInstant against the configured validity period, allowing
     * {@link IdentityUtil#getClockSkewInSeconds()} of skew on both ends of the window.
     *
     * @return {@code null} when the IssueInstant is acceptable, otherwise a message describing
     *         why it was rejected
     */
    private String validateRequestIssueInstant() {
        DateTime issuedAt = authnReq.getIssueInstant();
        if (issuedAt == null) {
            return "IssueInstant time is not valid.";
        }
        DateTime validUntil = issuedAt.plusSeconds(SAMLSSOUtil.getSAMLAuthenticationRequestValidityPeriod());
        int skew = IdentityUtil.getClockSkewInSeconds();
        // Issued in the future, beyond the tolerated skew.
        if (issuedAt.minusSeconds(skew).isAfterNow()) {
            return "The request IssueInstant time is 'Not Before'";
        }
        // Validity window already elapsed, beyond the tolerated skew.
        if (validUntil != null && validUntil.plusSeconds(skew).isBeforeNow()) {
            return "The request IssueInstant time is  'Not On Or After'";
        }
        // Window end precedes its start; only reachable with a negative validity period.
        if (validUntil != null && issuedAt.isAfter(validUntil)) {
            return "The request IssueInstant time is  'Not On Or After'";
        }
        return null;
    }
}
