package org.wso2.carbon.identity.sso.saml.extension.eidas;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.schema.impl.XSAnyImpl;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml.saml2.core.AuthnContextComparisonTypeEnumeration;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.opensaml.saml.saml2.core.Extensions;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.StatusResponseType;
import org.opensaml.saml.saml2.core.impl.NameIDBuilder;
import org.opensaml.xmlsec.signature.Signature;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.wso2.carbon.identity.application.common.model.Claim;
import org.wso2.carbon.identity.application.common.model.ClaimMapping;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.sso.saml.SAMLSSOConstants;
import org.wso2.carbon.identity.sso.saml.builders.SignKeyDataHolder;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOAuthnReqDTO;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOReqValidationResponseDTO;
import org.wso2.carbon.identity.sso.saml.exception.IdentitySAML2SSOException;
import org.wso2.carbon.identity.sso.saml.extension.SAMLExtensionProcessor;
import org.wso2.carbon.identity.sso.saml.extension.eidas.model.RequestedAttributes;
import org.wso2.carbon.identity.sso.saml.extension.eidas.model.SPType;
import org.wso2.carbon.identity.sso.saml.extension.eidas.util.EidasConstants;
import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;

/* loaded from: input_file:org/wso2/carbon/identity/sso/saml/extension/eidas/EidasExtensionProcessor.class */
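/**
 * SAML extension processor for the eIDAS message format.
 * <p>
 * Request side: enforces the eIDAS constraints on an {@link AuthnRequest} (ForceAuthn must be
 * true, IsPassive must be false, RequestedAuthnContext comparison must be "minimum", SPType must
 * be public or private) and turns the {@code eidas:RequestedAttributes} extension into
 * {@link ClaimMapping}s on the validation DTO.
 * <p>
 * Response side: checks that every attribute the SP marked {@code isRequired="true"} is present
 * in the assertion, normalises the attribute NameFormat, copies the requested AuthnContextClassRef
 * into the assertion and (re)signs the assertion when the SP configuration asks for it.
 * <p>
 * NOTE(review): the request-side checks only run when the request carries an {@code Extensions}
 * element. A request that declares the eIDAS namespace but has no Extensions is passed through
 * without the ForceAuthn/IsPassive/comparison checks — confirm that is acceptable.
 */
public class EidasExtensionProcessor implements SAMLExtensionProcessor {

    private static final Log log = LogFactory.getLog(EidasExtensionProcessor.class);

    /** Status message placed on the response when a mandatory requested attribute is missing. */
    private static final String MANDATORY_ATTRIBUTE_MISSING_MSG = "Mandatory Attribute not found.";

    /**
     * A request is handled here when its root element declares the eIDAS namespace.
     *
     * @param requestAbstractType inbound SAML request
     * @return true when the eIDAS namespace is declared on the request
     */
    @Override
    public boolean canHandle(RequestAbstractType requestAbstractType) throws IdentitySAML2SSOException {
        boolean eidasRequest = requestAbstractType.getNamespaces().stream()
                .anyMatch(ns -> EidasConstants.EIDAS_NS.equals(ns.getNamespaceURI()));
        if (eidasRequest && log.isDebugEnabled()) {
            log.debug("Request in type: " + requestAbstractType.getClass().getSimpleName()
                    + " can be handled by the EidasExtensionProcessor.");
        }
        return eidasRequest;
    }

    /**
     * A response is handled here when the authentication request DTO carries the eIDAS marker
     * property. The marker is written onto the validation DTO by
     * {@link #processRequestedAttributes}; presumably the framework copies it over — verify.
     *
     * @return true when the originating request was an eIDAS request
     */
    @Override
    public boolean canHandle(StatusResponseType statusResponseType, Assertion assertion,
                             SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO) throws IdentitySAML2SSOException {
        String marker = sAMLSSOAuthnReqDTO.getProperty(EidasConstants.EIDAS_REQUEST);
        boolean eidasResponse = EidasConstants.EIDAS_PREFIX.equals(marker);
        if (eidasResponse && log.isDebugEnabled()) {
            log.debug("Response in type: " + statusResponseType.getClass().getSimpleName()
                    + " can be handled by the EidasExtensionProcessor.");
        }
        return eidasResponse;
    }

    /**
     * Validates an eIDAS {@link AuthnRequest} and extracts its requested attributes.
     * Each check that fails replaces the DTO's response with a requester error and marks the
     * DTO invalid; all checks run regardless, so the last failure's message is the one kept.
     * Non-AuthnRequest messages and requests without Extensions are left untouched.
     */
    @Override
    public void processSAMLExtensions(RequestAbstractType requestAbstractType,
                                      SAMLSSOReqValidationResponseDTO sAMLSSOReqValidationResponseDTO)
            throws IdentitySAML2SSOException {
        if (!(requestAbstractType instanceof AuthnRequest)) {
            return;
        }
        if (log.isDebugEnabled()) {
            log.debug("Process and validate the extensions in SAML request from the issuer : "
                    + sAMLSSOReqValidationResponseDTO.getIssuer() + " for EIDAS message format.");
        }
        Extensions extensions = requestAbstractType.getExtensions();
        if (extensions == null) {
            return;
        }
        validateForceAuthn(sAMLSSOReqValidationResponseDTO);
        validateIsPassive(sAMLSSOReqValidationResponseDTO);
        validateAuthnContextComparison(sAMLSSOReqValidationResponseDTO);
        validateSPType(sAMLSSOReqValidationResponseDTO, extensions);
        processRequestedAttributes(sAMLSSOReqValidationResponseDTO, extensions);
    }

    /**
     * Post-processes the assertion of an eIDAS {@link Response}: enforces mandatory attributes,
     * sets the AuthnContextClassRef and signs the assertion when configured.
     *
     * @throws IdentitySAML2SSOException when signing fails or the request/assertion lack the
     *                                   data needed to set the AuthnContextClassRef
     */
    @Override
    public void processSAMLExtensions(StatusResponseType statusResponseType, Assertion assertion,
                                      SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO) throws IdentitySAML2SSOException {
        if (!(statusResponseType instanceof Response)) {
            return;
        }
        if (log.isDebugEnabled()) {
            log.debug("Process and validate a response against the SAML request with extensions for EIDAS message format");
        }
        // The assertion is mutated below, so a signature already on it would no longer verify.
        // Drop it first; a fresh one is computed at the end when signing is configured.
        assertion.setSignature(null);
        validateMandatoryRequestedAttr((Response) statusResponseType, assertion, sAMLSSOAuthnReqDTO);
        setAuthnContextClassRef(assertion, sAMLSSOAuthnReqDTO);
        if (sAMLSSOAuthnReqDTO.getDoSignAssertions()) {
            try {
                SAMLSSOUtil.setSignature(assertion, sAMLSSOAuthnReqDTO.getSigningAlgorithmUri(),
                        sAMLSSOAuthnReqDTO.getDigestAlgorithmUri(),
                        new SignKeyDataHolder(sAMLSSOAuthnReqDTO.getUser().getAuthenticatedSubjectIdentifier()));
            } catch (IdentityException e) {
                throw new IdentitySAML2SSOException("Error in signing SAML Assertion.", e);
            }
        }
    }

    /**
     * Checks the assertion against the attributes the SP marked mandatory. On success the
     * attribute NameFormat is normalised to the eIDAS URI form. On failure the response status
     * becomes a responder error, the attribute statements are dropped and the subject NameID is
     * replaced with a "NotAvailable" placeholder, so the failed response carries neither
     * attributes nor the real subject identifier.
     */
    private void validateMandatoryRequestedAttr(Response response, Assertion assertion,
                                                SAMLSSOAuthnReqDTO authnReqDTO) {
        if (validateMandatoryClaims(assertion, getMandatoryAttributes(authnReqDTO))) {
            setAttributeNameFormat(assertion.getAttributeStatements());
            return;
        }
        if (log.isDebugEnabled()) {
            log.debug("Mandatory requested attribute missing from the assertion; returning an error response.");
        }
        response.setStatus(SAMLSSOUtil.buildResponseStatus(
                SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR, MANDATORY_ATTRIBUTE_MISSING_MSG));
        if (CollectionUtils.isNotEmpty(assertion.getAttributeStatements())) {
            assertion.getAttributeStatements().clear();
        }
        // An assertion without a Subject has nothing to mask; avoid an NPE in that case.
        if (assertion.getSubject() != null) {
            NameID placeholder = new NameIDBuilder().buildObject();
            placeholder.setValue("NotAvailable");
            placeholder.setFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
            assertion.getSubject().setNameID(placeholder);
        }
    }

    /**
     * Copies the first AuthnContextClassRef requested by the SP into the assertion's first
     * AuthnStatement.
     * <p>
     * NOTE(review): this writes the <em>requested</em> class reference into the assertion, so the
     * asserted level of assurance is whatever the SP asked for rather than what the
     * authentication flow actually achieved — confirm the authenticator enforces the requested
     * level before relying on this.
     *
     * @throws IdentitySAML2SSOException when the request carried no AuthnContextClassRef or the
     *                                   assertion has no AuthnStatement/AuthnContext to update;
     *                                   failing closed here replaces the unchecked
     *                                   IndexOutOfBounds/NPE this used to raise
     */
    private void setAuthnContextClassRef(Assertion assertion, SAMLSSOAuthnReqDTO authnReqDTO)
            throws IdentitySAML2SSOException {
        if (CollectionUtils.isEmpty(authnReqDTO.getAuthenticationContextClassRefList())) {
            throw new IdentitySAML2SSOException(
                    "EIDAS request carries no AuthnContextClassRef to put into the assertion.");
        }
        if (CollectionUtils.isEmpty(assertion.getAuthnStatements())) {
            throw new IdentitySAML2SSOException("Assertion has no AuthnStatement to set the AuthnContextClassRef on.");
        }
        AuthnStatement authnStatement = assertion.getAuthnStatements().get(0);
        if (authnStatement.getAuthnContext() == null || authnStatement.getAuthnContext().getAuthnContextClassRef() == null) {
            throw new IdentitySAML2SSOException("Assertion AuthnStatement has no AuthnContextClassRef to update.");
        }
        String requestedClassRef = authnReqDTO.getAuthenticationContextClassRefList().get(0)
                .getAuthenticationContextClassReference();
        authnStatement.getAuthnContext().getAuthnContextClassRef().setAuthnContextClassRef(requestedClassRef);
    }

    /**
     * Turns the {@code eidas:RequestedAttributes} extension into claim mappings on the DTO and
     * marks the DTO as an eIDAS request. Only element children are considered (whitespace and
     * comment nodes between the RequestedAttribute elements are skipped). A child without a
     * Name or NameFormat, or with a NameFormat other than the URI form, rejects the request with
     * a requester error and stops processing.
     *
     * @throws IdentitySAML2SSOException when the extension has no DOM to read or the error
     *                                   response cannot be built
     */
    private void processRequestedAttributes(SAMLSSOReqValidationResponseDTO dto, Extensions extensions)
            throws IdentitySAML2SSOException {
        List<XMLObject> requestedAttributes = extensions.getUnknownXMLObjects(RequestedAttributes.DEFAULT_ELEMENT_NAME);
        if (CollectionUtils.isEmpty(requestedAttributes)) {
            return;
        }
        dto.setRequestedAttributes(new ArrayList<>());
        // Marker read back by canHandle(StatusResponseType, ...) on the response side.
        dto.getProperties().put(EidasConstants.EIDAS_REQUEST, EidasConstants.EIDAS_PREFIX);

        XMLObject container = requestedAttributes.get(0);
        if (container == null || container.getDOM() == null) {
            // The children are read straight from the DOM; without one there is nothing to parse.
            throw new IdentitySAML2SSOException("RequestedAttributes extension has no DOM to read.");
        }
        NodeList children = container.getDOM().getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            Node child = children.item(i);
            if (child.getNodeType() != Node.ELEMENT_NODE) {
                continue;
            }
            String nameFormat = attributeValue(child, EidasConstants.EIDAS_ATTRIBUTE_NAME_FORMAT);
            String name = attributeValue(child, EidasConstants.EIDAS_ATTRIBUTE_NAME);
            if (name == null || nameFormat == null) {
                rejectRequest(dto, "RequestedAttribute must carry both Name and NameFormat.",
                        "Invalid Request message. RequestedAttribute without Name or NameFormat: " + child.getNodeName());
                return;
            }
            if (!EidasConstants.EIDAS_ATTRIBUTE_NAME_FORMAT_URI.equals(nameFormat)) {
                rejectRequest(dto, "NameFormat should be urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                        "Invalid Request message. NameFormat found " + nameFormat);
                return;
            }
            Claim remoteClaim = new Claim();
            remoteClaim.setClaimUri(name);
            ClaimMapping mapping = new ClaimMapping();
            mapping.setRemoteClaim(remoteClaim);
            mapping.setRequested(true);
            mapping.setMandatory(parseXsBoolean(attributeValue(child, EidasConstants.EIDAS_ATTRIBUTE_REQUIRED)));
            dto.getRequestedAttributes().add(mapping);
        }
    }

    /** Value of the named XML attribute on {@code element}, or null when the attribute is absent. */
    private static String attributeValue(Node element, String attributeName) {
        if (element.getAttributes() == null) {
            return null;
        }
        Node attribute = element.getAttributes().getNamedItem(attributeName);
        return attribute == null ? null : attribute.getNodeValue();
    }

    /**
     * Parses an xs:boolean lexical value. "true" (any case, as Boolean.parseBoolean accepted)
     * and "1" mean true; anything else — including an absent attribute — means false, so an
     * attribute is only treated as mandatory when the SP says so explicitly. Boolean.parseBoolean
     * alone would have read the legal xs:boolean value "1" as false and silently dropped the
     * mandatory flag. TODO confirm "absent means optional" against the eIDAS attribute profile.
     */
    private static boolean parseXsBoolean(String value) {
        if (value == null) {
            return false;
        }
        String trimmed = value.trim();
        return "true".equalsIgnoreCase(trimmed) || "1".equals(trimmed);
    }

    /**
     * Rejects the request unless the {@code eidas:SPType} extension, when present, is exactly
     * "public" or "private". A non-text SPType element or one with no text content is rejected
     * instead of raising a ClassCastException/NPE.
     */
    private void validateSPType(SAMLSSOReqValidationResponseDTO dto, Extensions extensions)
            throws IdentitySAML2SSOException {
        List<XMLObject> spTypes = extensions.getUnknownXMLObjects(SPType.DEFAULT_ELEMENT_NAME);
        if (CollectionUtils.isEmpty(spTypes) || spTypes.get(0) == null) {
            return;
        }
        XMLObject spType = spTypes.get(0);
        if (log.isDebugEnabled()) {
            log.debug("Process the SP Type: " + spType + " in the EIDAS message");
        }
        String value = spType instanceof XSAnyImpl ? ((XSAnyImpl) spType).getTextContent() : null;
        if (isRecognisedSpType(value)) {
            return;
        }
        rejectRequest(dto, "SP Type should be either public or private.",
                "Invalid Request message. SP Type found " + value);
    }

    /** True when {@code value} is one of the two SPType values eIDAS allows; null is not. */
    private boolean isRecognisedSpType(String value) {
        return EidasConstants.EIDAS_SP_TYPE_PUBLIC.equals(value)
                || EidasConstants.EIDAS_SP_TYPE_PRIVATE.equals(value);
    }

    /**
     * True when every mandatory claim name appears as an attribute name somewhere in the
     * assertion's attribute statements. An empty mandatory list is vacuously satisfied.
     * <p>
     * The previous implementation only verified the first mandatory claim: its "found" flag was
     * never reset between claims, so once the first one matched every later claim was skipped.
     */
    private boolean validateMandatoryClaims(Assertion assertion, List<String> mandatoryClaims) {
        if (CollectionUtils.isEmpty(mandatoryClaims)) {
            return true;
        }
        List<AttributeStatement> attributeStatements = assertion.getAttributeStatements();
        if (CollectionUtils.isEmpty(attributeStatements)) {
            return false;
        }
        for (String mandatoryClaim : mandatoryClaims) {
            if (log.isDebugEnabled()) {
                log.debug("Validating the mandatory claim :" + mandatoryClaim);
            }
            if (!isAsserted(attributeStatements, mandatoryClaim)) {
                if (log.isDebugEnabled()) {
                    log.debug("Mandatory claim not found in the assertion: " + mandatoryClaim);
                }
                return false;
            }
        }
        return true;
    }

    /** True when an attribute named {@code claimName} exists in any of the statements. */
    private boolean isAsserted(List<AttributeStatement> attributeStatements, String claimName) {
        return attributeStatements.stream()
                .filter(statement -> CollectionUtils.isNotEmpty(statement.getAttributes()))
                .flatMap(statement -> statement.getAttributes().stream())
                .anyMatch(attribute -> claimName.equals(attribute.getName()));
    }

    /** Claim URIs of the requested attributes the SP marked mandatory; empty when none were requested. */
    private List<String> getMandatoryAttributes(SAMLSSOAuthnReqDTO authnReqDTO) {
        List<ClaimMapping> requested = authnReqDTO.getRequestedAttributes();
        if (CollectionUtils.isEmpty(requested)) {
            return new ArrayList<>();
        }
        return requested.stream()
                .filter(ClaimMapping::isMandatory)
                .filter(mapping -> mapping.getRemoteClaim() != null)
                .map(mapping -> mapping.getRemoteClaim().getClaimUri())
                .collect(Collectors.toList());
    }

    /** Sets the eIDAS URI NameFormat on every attribute of every statement. */
    private void setAttributeNameFormat(List<AttributeStatement> attributeStatements) {
        if (attributeStatements == null) {
            return;
        }
        for (AttributeStatement statement : attributeStatements) {
            statement.getAttributes().forEach(
                    attribute -> attribute.setNameFormat(EidasConstants.EIDAS_ATTRIBUTE_NAME_FORMAT_URI));
        }
    }

    /** eIDAS requires IsPassive to be false. */
    private void validateIsPassive(SAMLSSOReqValidationResponseDTO dto) throws IdentitySAML2SSOException {
        if (!dto.isPassive()) {
            return;
        }
        rejectRequest(dto, "isPassive SHOULD be set to false.",
                "Invalid Request message. isPassive found " + dto.isPassive());
    }

    /** eIDAS requires ForceAuthn to be true. */
    private void validateForceAuthn(SAMLSSOReqValidationResponseDTO dto) throws IdentitySAML2SSOException {
        if (dto.isForceAuthn()) {
            return;
        }
        rejectRequest(dto, "ForceAuthn MUST be set to true",
                "Invalid Request message. ForceAuthn is " + dto.isForceAuthn());
    }

    /** eIDAS requires the RequestedAuthnContext comparison to be "minimum". */
    private void validateAuthnContextComparison(SAMLSSOReqValidationResponseDTO dto)
            throws IdentitySAML2SSOException {
        String comparison = dto.getRequestedAuthnContextComparison();
        if (AuthnContextComparisonTypeEnumeration.MINIMUM.toString().equals(comparison)) {
            return;
        }
        rejectRequest(dto, "Comparison of RequestedAuthnContext should be minimum.",
                "Invalid Request message. Comparison of RequestedAuthnContext is " + comparison);
    }

    /**
     * Builds a requester-error SAML response with {@code statusMessage}, stores it on the DTO and
     * marks the DTO invalid. {@code debugMessage} is logged at debug level only.
     *
     * @throws IdentitySAML2SSOException when the error response cannot be built
     */
    private void rejectRequest(SAMLSSOReqValidationResponseDTO dto, String statusMessage, String debugMessage)
            throws IdentitySAML2SSOException {
        try {
            String errorResponse = SAMLSSOUtil.buildErrorResponse(
                    SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, statusMessage, dto.getDestination());
            if (log.isDebugEnabled()) {
                log.debug(debugMessage);
            }
            setErrorResponse(dto, errorResponse);
        } catch (IOException | IdentityException e) {
            throw new IdentitySAML2SSOException("Issue in building error response.", e);
        }
    }

    /** Stores the error response on the DTO and marks it invalid. */
    private void setErrorResponse(SAMLSSOReqValidationResponseDTO dto, String errorResponse) {
        dto.setResponse(errorResponse);
        dto.setValid(false);
    }
}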
