package org.apache.cxf.rs.security.saml.sso;

import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Logger;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.util.DOM2Writer;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.saml2.core.SubjectConfirmationData;
import org.w3c.dom.Element;

/* loaded from: input_file:org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.class */
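/**
 * Validates a SAML 2.0 {@link Response} received at a Service Provider over the Web Browser SSO
 * profile (HTTP-POST or HTTP-Redirect binding).
 *
 * <p>The checks performed are: the Response/Assertion Issuer matches the configured IdP, the
 * Response is signed when required (and its Destination matches the assertion consumer URL when
 * it is signed), each Assertion is signed when the POST binding is used, at least one Assertion
 * carries an AuthnStatement together with a bearer SubjectConfirmation whose data passes the
 * Recipient / NotOnOrAfter / NotBefore / Address / InResponseTo / replay checks, and that
 * Assertion's Conditions contain an AudienceRestriction naming this SP.
 *
 * <p>Every failed check is logged at FINE with the detailed reason and surfaces to the caller as
 * a {@link WSSecurityException} carrying only the generic {@code invalidSAMLsecurity} message.
 *
 * <p>Instances are plain mutable beans configured through setters; they are not thread-safe
 * while being configured.
 */
public class SAMLSSOResponseValidator {
    private static final Logger LOG = LogUtils.getL7dLogger(SAMLSSOResponseValidator.class);

    /** The only Issuer NameID format accepted (an absent format is accepted as well). */
    private static final String NAMEID_FORMAT_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity";
    /** The subject confirmation method this validator requires on the authenticating Assertion. */
    private static final String CONF_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer";
    /** Error code used for every rejection (the literal value carried over from the original). */
    private static final int WSSEC_FAILURE_CODE = 0;
    /** Generic message id handed to the caller on every rejection. */
    private static final String WSSEC_MSG_ID = "invalidSAMLsecurity";

    private String issuerIDP;
    private String assertionConsumerURL;
    private String clientAddress;
    private String requestId;
    private String spIdentifier;
    private boolean enforceResponseSigned;
    private boolean enforceAssertionsSigned = true;
    private boolean enforceKnownIssuer = true;
    private TokenReplayCache<String> replayCache;

    public void setEnforceAssertionsSigned(boolean enforceAssertionsSigned) {
        this.enforceAssertionsSigned = enforceAssertionsSigned;
    }

    public void setEnforceKnownIssuer(boolean enforceKnownIssuer) {
        this.enforceKnownIssuer = enforceKnownIssuer;
    }

    /**
     * Validates the Response and extracts the authenticating Assertion.
     *
     * @param response    the parsed SAML Response; must not be {@code null}
     * @param postBinding {@code true} when the Response arrived over the HTTP-POST binding; this
     *                    enables the per-Assertion signature requirement and the replay check
     * @return the validation result holding the Response id, the session expiry (from the
     *         Assertion's AuthnStatement SessionNotOnOrAfter, may be {@code null}) and the
     *         serialized Assertion
     * @throws WSSecurityException if any check fails
     */
    public SSOValidatorResponse validateSamlResponse(Response response, boolean postBinding)
        throws WSSecurityException {
        if (response == null) {
            throw failure("The Response must not be null");
        }
        validateIssuer(response.getIssuer());

        List<Assertion> assertions = response.getAssertions();
        if (assertions == null || assertions.isEmpty()) {
            throw failure("The Response must contain at least one Assertion");
        }

        // Destination is only verified on a signed Response; an unsigned Response is covered by the
        // Recipient check of the bearer SubjectConfirmationData below.
        if (response.isSigned()) {
            String destination = response.getDestination();
            if (destination == null || !destination.equals(assertionConsumerURL)) {
                throw failure("The Response must contain a destination that matches the assertion consumer URL");
            }
        }
        if (enforceResponseSigned && !response.isSigned()) {
            throw failure("The Response must be signed!");
        }

        Assertion validAssertion = null;
        Date sessionNotOnOrAfter = null;
        for (Assertion assertion : assertions) {
            Issuer assertionIssuer = assertion.getIssuer();
            if (assertionIssuer == null) {
                throw failure("Assertion Issuer must not be null");
            }
            validateIssuer(assertionIssuer);

            if (enforceAssertionsSigned && postBinding && assertion.getSignature() == null) {
                throw failure("If the HTTP Post binding is used to deliver the Response, "
                              + "the enclosed assertions must be signed");
            }

            // Only an Assertion carrying an AuthnStatement can authenticate the user.
            List<AuthnStatement> authnStatements = assertion.getAuthnStatements();
            if (authnStatements == null || authnStatements.isEmpty()) {
                continue;
            }
            if (!validateAuthenticationSubject(assertion.getSubject(), assertion.getID(), postBinding)) {
                continue;
            }
            validateAudienceRestrictionCondition(assertion.getConditions());
            validAssertion = assertion;

            // When several AuthnStatements carry SessionNotOnOrAfter, the last one wins.
            for (AuthnStatement authnStatement : authnStatements) {
                if (authnStatement.getSessionNotOnOrAfter() != null) {
                    sessionNotOnOrAfter = authnStatement.getSessionNotOnOrAfter().toDate();
                }
            }
        }

        if (validAssertion == null) {
            throw failure("The Response did not contain any Authentication Statement "
                          + "that matched the Subject Confirmation criteria");
        }
        Element assertionDom = validAssertion.getDOM();
        if (assertionDom == null) {
            throw failure("The validated Assertion has no DOM representation to return");
        }

        SSOValidatorResponse validatorResponse = new SSOValidatorResponse();
        validatorResponse.setResponseId(response.getID());
        validatorResponse.setSessionNotOnOrAfter(sessionNotOnOrAfter);
        // Deep-clone so the serialized copy is detached from the parsed Response document.
        validatorResponse.setAssertion(DOM2Writer.nodeToString((Element) assertionDom.cloneNode(true)));
        return validatorResponse;
    }

    /**
     * Checks that an Issuer (of the Response or of an Assertion) names the configured IdP and
     * uses the entity NameID format. A {@code null} Issuer is accepted here; the Assertion case
     * rejects it before calling this method.
     *
     * @throws WSSecurityException if the value or format is not acceptable
     */
    private void validateIssuer(Issuer issuer) throws WSSecurityException {
        if (issuer == null) {
            return;
        }

        if (enforceKnownIssuer) {
            String issuerValue = issuer.getValue();
            if (issuerIDP == null) {
                throw failure("No issuer IDP is configured but enforceKnownIssuer is set");
            }
            // The comparison is a prefix match (issuerIDP starts with the Issuer value), kept for
            // compatibility. Because every string starts with "", an empty value has to be rejected
            // explicitly or it would pass for any configured IdP.
            if (issuerValue == null || issuerValue.isEmpty() || !issuerIDP.startsWith(issuerValue)) {
                throw failure("Issuer value: " + issuerValue + " does not match issuer IDP: " + issuerIDP);
            }
        }

        String format = issuer.getFormat();
        if (format != null && !NAMEID_FORMAT_ENTITY.equals(format)) {
            throw failure("Issuer format is not null and does not equal: " + NAMEID_FORMAT_ENTITY);
        }
    }

    /**
     * Validates every bearer SubjectConfirmation of the Subject.
     *
     * @param subject     the Assertion Subject; {@code null} means "no match"
     * @param assertionId the Assertion id, used as the replay-cache key
     * @param postBinding whether the replay check applies
     * @return {@code true} only if at least one bearer SubjectConfirmation was present (and all of
     *         them validated); an Assertion without a bearer confirmation cannot authenticate the
     *         user and must not be selected by the caller
     * @throws WSSecurityException if a bearer SubjectConfirmation fails validation
     */
    private boolean validateAuthenticationSubject(Subject subject, String assertionId, boolean postBinding)
        throws WSSecurityException {
        if (subject == null || subject.getSubjectConfirmations() == null) {
            return false;
        }

        boolean foundBearerConfirmation = false;
        for (SubjectConfirmation subjectConfirmation : subject.getSubjectConfirmations()) {
            if (CONF_BEARER.equals(subjectConfirmation.getMethod())) {
                foundBearerConfirmation = true;
                validateSubjectConfirmation(
                    subjectConfirmation.getSubjectConfirmationData(), assertionId, postBinding);
            }
        }
        return foundBearerConfirmation;
    }

    /**
     * Validates the SubjectConfirmationData of a bearer SubjectConfirmation: Recipient must equal
     * the assertion consumer URL, NotOnOrAfter must be present and in the future, NotBefore must be
     * absent, Address (if present) must equal the client address, InResponseTo must equal the
     * original request id (when one is configured), and on the POST binding the Assertion id must
     * not have been seen before.
     *
     * @throws WSSecurityException if any of the checks fails
     */
    private void validateSubjectConfirmation(
        SubjectConfirmationData confirmationData, String assertionId, boolean postBinding
    ) throws WSSecurityException {
        if (confirmationData == null) {
            throw failure("Subject Confirmation Data of a Bearer Subject Confirmation is null");
        }

        String recipient = confirmationData.getRecipient();
        if (recipient == null || !recipient.equals(assertionConsumerURL)) {
            throw failure("Recipient " + recipient + " does not match assertion consumer URL "
                          + assertionConsumerURL);
        }

        if (confirmationData.getNotOnOrAfter() == null || confirmationData.getNotOnOrAfter().isBeforeNow()) {
            throw failure("Subject Conf Data does not contain NotOnOrAfter or it has expired");
        }

        // Replay protection: the Assertion id is cached until NotOnOrAfter, after which a replay
        // would be rejected by the expiry check above anyway.
        if (postBinding && replayCache != null) {
            if (replayCache.getId(assertionId) != null) {
                throw failure("Replay attack with token id: " + assertionId);
            }
            long ttlSeconds =
                (confirmationData.getNotOnOrAfter().toDate().getTime() - System.currentTimeMillis()) / 1000;
            replayCache.putId(assertionId, ttlSeconds);
        }

        String address = confirmationData.getAddress();
        if (address != null && !address.equals(clientAddress)) {
            throw failure("Subject Conf Data address " + address + " does not match client address "
                          + clientAddress);
        }

        if (confirmationData.getNotBefore() != null) {
            throw failure("The Subject Conf Data must not contain a NotBefore timestamp");
        }

        // With no request id configured (IdP-initiated / unsolicited SSO) InResponseTo is not checked.
        if (requestId != null && !requestId.equals(confirmationData.getInResponseTo())) {
            throw failure("The InResponseTo String does not match the original request id " + requestId);
        }
    }

    /**
     * Requires that the Conditions contain an AudienceRestriction naming this SP.
     *
     * @throws WSSecurityException if Conditions are absent or no Audience matches {@code spIdentifier}
     */
    private void validateAudienceRestrictionCondition(Conditions conditions) throws WSSecurityException {
        if (conditions == null) {
            throw failure("Conditions are null");
        }
        if (!matchSaml2AudienceRestriction(spIdentifier, conditions.getAudienceRestrictions())) {
            throw failure("Assertion does not contain unique subject provider identifier " + spIdentifier
                          + " in the audience restriction conditions");
        }
    }

    /**
     * Returns whether any Audience of any AudienceRestriction equals {@code audienceUri}.
     * A {@code null} or empty restriction list, or a {@code null} {@code audienceUri}, never matches.
     */
    private boolean matchSaml2AudienceRestriction(String audienceUri, List<AudienceRestriction> restrictions) {
        if (audienceUri == null || restrictions == null || restrictions.isEmpty()) {
            return false;
        }
        for (AudienceRestriction restriction : restrictions) {
            List<Audience> audiences = restriction.getAudiences();
            if (audiences == null) {
                continue;
            }
            for (Audience audience : audiences) {
                if (audienceUri.equals(audience.getAudienceURI())) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Logs the detailed reason at FINE and builds the generic exception to throw. Only the generic
     * message id reaches the caller; the reason stays in the log.
     */
    private static WSSecurityException failure(String reason) {
        LOG.fine(reason);
        return new WSSecurityException(WSSEC_FAILURE_CODE, WSSEC_MSG_ID);
    }

    public String getIssuerIDP() {
        return issuerIDP;
    }

    public void setIssuerIDP(String issuerIDP) {
        this.issuerIDP = issuerIDP;
    }

    public String getAssertionConsumerURL() {
        return assertionConsumerURL;
    }

    public void setAssertionConsumerURL(String assertionConsumerURL) {
        this.assertionConsumerURL = assertionConsumerURL;
    }

    public String getClientAddress() {
        return clientAddress;
    }

    public void setClientAddress(String clientAddress) {
        this.clientAddress = clientAddress;
    }

    public String getRequestId() {
        return requestId;
    }

    public void setRequestId(String requestId) {
        this.requestId = requestId;
    }

    public String getSpIdentifier() {
        return spIdentifier;
    }

    public void setSpIdentifier(String spIdentifier) {
        this.spIdentifier = spIdentifier;
    }

    public void setReplayCache(TokenReplayCache<String> replayCache) {
        this.replayCache = replayCache;
    }

    public boolean isEnforceResponseSigned() {
        return enforceResponseSigned;
    }

    public void setEnforceResponseSigned(boolean enforceResponseSigned) {
        this.enforceResponseSigned = enforceResponseSigned;
    }
}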
