package org.pac4j.saml.sso.impl;

import com.google.common.annotations.VisibleForTesting;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import net.shibboleth.utilities.java.support.net.BasicURLComparator;
import net.shibboleth.utilities.java.support.net.URIComparator;
import org.joda.time.DateTime;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml.saml2.core.Audience;
import org.opensaml.saml.saml2.core.AudienceRestriction;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.opensaml.saml.saml2.core.BaseID;
import org.opensaml.saml.saml2.core.Conditions;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.core.EncryptedAttribute;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.saml2.core.SubjectConfirmationData;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.saml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml.saml2.metadata.Endpoint;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.opensaml.xmlsec.encryption.support.DecryptionException;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.pac4j.core.credentials.Credentials;
import org.pac4j.core.logout.handler.LogoutHandler;
import org.pac4j.saml.context.SAML2MessageContext;
import org.pac4j.saml.credentials.SAML2Credentials;
import org.pac4j.saml.crypto.SAML2SignatureTrustEngineProvider;
import org.pac4j.saml.exceptions.SAMAssertionSubjectException;
import org.pac4j.saml.exceptions.SAMLAssertionAudienceException;
import org.pac4j.saml.exceptions.SAMLAssertionConditionException;
import org.pac4j.saml.exceptions.SAMLAuthnInstantException;
import org.pac4j.saml.exceptions.SAMLAuthnSessionCriteriaException;
import org.pac4j.saml.exceptions.SAMLException;
import org.pac4j.saml.exceptions.SAMLInResponseToMismatchException;
import org.pac4j.saml.exceptions.SAMLSignatureRequiredException;
import org.pac4j.saml.exceptions.SAMLSubjectConfirmationException;
import org.pac4j.saml.profile.impl.AbstractSAML2ResponseValidator;
import org.pac4j.saml.storage.SAMLMessageStorage;
import org.pac4j.saml.util.SAML2Utils;

/* loaded from: input_file:BOOT-INF/lib/pac4j-saml-3.6.1.jar:org/pac4j/saml/sso/impl/SAML2AuthnResponseValidator.class */
public class SAML2AuthnResponseValidator extends AbstractSAML2ResponseValidator {
    private int maximumAuthenticationLifetime;
    private final boolean wantsAssertionsSigned;

    public SAML2AuthnResponseValidator(SAML2SignatureTrustEngineProvider sAML2SignatureTrustEngineProvider, Decrypter decrypter, LogoutHandler logoutHandler, int i, boolean z) {
        this(sAML2SignatureTrustEngineProvider, decrypter, logoutHandler, i, z, new BasicURLComparator());
    }

    public SAML2AuthnResponseValidator(SAML2SignatureTrustEngineProvider sAML2SignatureTrustEngineProvider, Decrypter decrypter, LogoutHandler logoutHandler, int i, boolean z, URIComparator uRIComparator) {
        super(sAML2SignatureTrustEngineProvider, decrypter, logoutHandler, uRIComparator);
        this.maximumAuthenticationLifetime = i;
        this.wantsAssertionsSigned = z;
    }

    @Override // org.pac4j.saml.profile.api.SAML2ResponseValidator
    public Credentials validate(SAML2MessageContext sAML2MessageContext) {
        SAMLObject message = sAML2MessageContext.getMessage();
        if (!(message instanceof Response)) {
            throw new SAMLException("Must be a Response type");
        }
        Response response = (Response) message;
        SignatureTrustEngine build = this.signatureTrustEngineProvider.build();
        validateSamlProtocolResponse(response, sAML2MessageContext, build);
        if (this.decrypter != null) {
            decryptEncryptedAssertions(response, this.decrypter);
        }
        validateSamlSSOResponse(response, sAML2MessageContext, build, this.decrypter);
        return buildSAML2Credentials(sAML2MessageContext);
    }

    protected final SAML2Credentials buildSAML2Credentials(SAML2MessageContext sAML2MessageContext) {
        NameID sAML2SubjectNameID = sAML2MessageContext.getSAMLSubjectNameIdentifierContext().getSAML2SubjectNameID();
        Assertion subjectAssertion = sAML2MessageContext.getSubjectAssertion();
        String sessionIndex = getSessionIndex(subjectAssertion);
        String computeSloKey = computeSloKey(sessionIndex, sAML2SubjectNameID);
        if (computeSloKey != null) {
            this.logoutHandler.recordSession(sAML2MessageContext.getWebContext(), computeSloKey);
        }
        String value = subjectAssertion.getIssuer().getValue();
        List<AuthnStatement> authnStatements = subjectAssertion.getAuthnStatements();
        ArrayList arrayList = new ArrayList();
        for (AuthnStatement authnStatement : authnStatements) {
            if (authnStatement.getAuthnContext().getAuthnContextClassRef() != null) {
                arrayList.add(authnStatement.getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef());
            }
        }
        ArrayList arrayList2 = new ArrayList();
        for (AttributeStatement attributeStatement : subjectAssertion.getAttributeStatements()) {
            Iterator<Attribute> it = attributeStatement.getAttributes().iterator();
            while (it.hasNext()) {
                arrayList2.add(it.next());
            }
            if (!attributeStatement.getEncryptedAttributes().isEmpty()) {
                if (this.decrypter == null) {
                    this.logger.warn("Encrypted attributes returned, but no keystore was provided.");
                } else {
                    Iterator<EncryptedAttribute> it2 = attributeStatement.getEncryptedAttributes().iterator();
                    while (it2.hasNext()) {
                        try {
                            arrayList2.add(this.decrypter.decrypt(it2.next()));
                        } catch (DecryptionException e) {
                            this.logger.warn("Decryption of attribute failed, continue with the next one", (Throwable) e);
                        }
                    }
                }
            }
        }
        return new SAML2Credentials(sAML2SubjectNameID, value, arrayList2, subjectAssertion.getConditions(), sessionIndex, arrayList);
    }

    protected String getSessionIndex(Assertion assertion) {
        AuthnStatement authnStatement;
        List<AuthnStatement> authnStatements = assertion.getAuthnStatements();
        if (authnStatements == null || authnStatements.size() <= 0 || (authnStatement = authnStatements.get(0)) == null) {
            return null;
        }
        return authnStatement.getSessionIndex();
    }

    protected final void validateSamlProtocolResponse(Response response, SAML2MessageContext sAML2MessageContext, SignatureTrustEngine signatureTrustEngine) {
        validateSuccess(response.getStatus());
        validateSignatureIfItExists(response.getSignature(), sAML2MessageContext, signatureTrustEngine);
        validateIssueInstant(response.getIssueInstant());
        AuthnRequest authnRequest = null;
        SAMLMessageStorage sAMLMessageStorage = sAML2MessageContext.getSAMLMessageStorage();
        if (sAMLMessageStorage != null && response.getInResponseTo() != null) {
            XMLObject retrieveMessage = sAMLMessageStorage.retrieveMessage(response.getInResponseTo());
            if (retrieveMessage == null) {
                throw new SAMLInResponseToMismatchException("InResponseToField of the Response doesn't correspond to sent message " + response.getInResponseTo());
            }
            if (!(retrieveMessage instanceof AuthnRequest)) {
                throw new SAMLInResponseToMismatchException("Sent request was of different type than the expected AuthnRequest " + response.getInResponseTo());
            }
            authnRequest = (AuthnRequest) retrieveMessage;
        }
        verifyEndpoint(sAML2MessageContext.getSAMLEndpointContext().getEndpoint(), response.getDestination());
        if (authnRequest != null) {
            verifyRequest(authnRequest, sAML2MessageContext);
        }
        validateIssuerIfItExists(response.getIssuer(), sAML2MessageContext);
    }

    protected void verifyRequest(AuthnRequest authnRequest, SAML2MessageContext sAML2MessageContext) {
        AssertionConsumerService assertionConsumerService = (AssertionConsumerService) sAML2MessageContext.getSAMLEndpointContext().getEndpoint();
        if (authnRequest.getAssertionConsumerServiceIndex() != null) {
            if (authnRequest.getAssertionConsumerServiceIndex().equals(assertionConsumerService.getIndex())) {
                return;
            }
            this.logger.warn("Response was received at a different endpoint index than was requested");
            return;
        }
        String assertionConsumerServiceURL = authnRequest.getAssertionConsumerServiceURL();
        String protocolBinding = authnRequest.getProtocolBinding();
        if (assertionConsumerServiceURL != null) {
            String responseLocation = assertionConsumerService.getResponseLocation() != null ? assertionConsumerService.getResponseLocation() : assertionConsumerService.getLocation();
            if (!assertionConsumerServiceURL.equals(responseLocation)) {
                this.logger.warn("Response was received at a different endpoint URL {} than was requested {}", responseLocation, assertionConsumerServiceURL);
            }
        }
        if (protocolBinding == null || protocolBinding.equals(sAML2MessageContext.getSAMLBindingContext().getBindingUri())) {
            return;
        }
        this.logger.warn("Response was received using a different binding {} than was requested {}", sAML2MessageContext.getSAMLBindingContext().getBindingUri(), protocolBinding);
    }

    protected final void validateSamlSSOResponse(Response response, SAML2MessageContext sAML2MessageContext, SignatureTrustEngine signatureTrustEngine, Decrypter decrypter) {
        ArrayList arrayList = new ArrayList();
        Iterator<Assertion> it = response.getAssertions().iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            Assertion next = it.next();
            if (!next.getAuthnStatements().isEmpty()) {
                try {
                    validateAssertion(next, sAML2MessageContext, signatureTrustEngine, decrypter);
                    sAML2MessageContext.setSubjectAssertion(next);
                    break;
                } catch (SAMLException e) {
                    this.logger.error("Current assertion validation failed, continue with the next one", (Throwable) e);
                    arrayList.add(e);
                }
            }
        }
        if (!arrayList.isEmpty()) {
            throw ((SAMLException) arrayList.get(0));
        }
        if (sAML2MessageContext.getSubjectAssertion() == null) {
            throw new SAMAssertionSubjectException("No valid subject assertion found in response");
        }
        List<SubjectConfirmation> subjectConfirmations = sAML2MessageContext.getSubjectConfirmations();
        NameID nameID = (NameID) sAML2MessageContext.getSAMLSubjectNameIdentifierContext().getSubjectNameIdentifier();
        if ((nameID == null || nameID.getValue() == null) && sAML2MessageContext.getBaseID() == null) {
            if (subjectConfirmations == null || subjectConfirmations.isEmpty()) {
                throw new SAMLException("Subject NameID, BaseID and EncryptedID cannot be all null at the same time if there are no Subject Confirmations.");
            }
        }
    }

    protected final void decryptEncryptedAssertions(Response response, Decrypter decrypter) {
        Iterator<EncryptedAssertion> it = response.getEncryptedAssertions().iterator();
        while (it.hasNext()) {
            try {
                response.getAssertions().add(decrypter.decrypt(it.next()));
            } catch (DecryptionException e) {
                this.logger.error("Decryption of assertion failed, continue with the next one", (Throwable) e);
            }
        }
    }

    protected final void validateAssertion(Assertion assertion, SAML2MessageContext sAML2MessageContext, SignatureTrustEngine signatureTrustEngine, Decrypter decrypter) {
        validateIssueInstant(assertion.getIssueInstant());
        validateIssuer(assertion.getIssuer(), sAML2MessageContext);
        if (assertion.getSubject() == null) {
            throw new SAMAssertionSubjectException("Assertion subject cannot be null");
        }
        validateSubject(assertion.getSubject(), sAML2MessageContext, decrypter);
        validateAssertionConditions(assertion.getConditions(), sAML2MessageContext);
        validateAuthenticationStatements(assertion.getAuthnStatements(), sAML2MessageContext);
        validateAssertionSignature(assertion.getSignature(), sAML2MessageContext, signatureTrustEngine);
    }

    protected final void validateSubject(Subject subject, SAML2MessageContext sAML2MessageContext, Decrypter decrypter) {
        boolean z = false;
        NameID nameID = subject.getNameID();
        BaseID baseID = subject.getBaseID();
        NameID decryptEncryptedId = decryptEncryptedId(subject.getEncryptedID(), decrypter);
        if (decryptEncryptedId != null) {
            nameID = decryptEncryptedId;
        }
        if (nameID != null || baseID != null) {
            sAML2MessageContext.getSAMLSubjectNameIdentifierContext().setSubjectNameIdentifier(nameID);
            sAML2MessageContext.setBaseID(baseID);
            z = true;
        }
        for (SubjectConfirmation subjectConfirmation : subject.getSubjectConfirmations()) {
            if ("urn:oasis:names:tc:SAML:2.0:cm:bearer".equals(subjectConfirmation.getMethod()) && isValidBearerSubjectConfirmationData(subjectConfirmation.getSubjectConfirmationData(), sAML2MessageContext)) {
                NameID nameID2 = subjectConfirmation.getNameID();
                BaseID baseID2 = subjectConfirmation.getBaseID();
                NameID decryptEncryptedId2 = decryptEncryptedId(subjectConfirmation.getEncryptedID(), decrypter);
                if (decryptEncryptedId2 != null) {
                    nameID2 = decryptEncryptedId2;
                }
                if (!z && (nameID2 != null || baseID2 != null)) {
                    sAML2MessageContext.getSAMLSubjectNameIdentifierContext().setSubjectNameIdentifier(nameID2);
                    sAML2MessageContext.setBaseID(baseID2);
                    sAML2MessageContext.getSubjectConfirmations().add(subjectConfirmation);
                    z = true;
                }
                if (z) {
                    return;
                }
                this.logger.warn("Could not find any Subject NameID/BaseID/EncryptedID, neither directly in the Subject nor in any Subject Confirmation.");
                return;
            }
        }
        throw new SAMLSubjectConfirmationException("Subject confirmation validation failed");
    }

    protected final boolean isValidBearerSubjectConfirmationData(SubjectConfirmationData subjectConfirmationData, SAML2MessageContext sAML2MessageContext) {
        if (subjectConfirmationData == null) {
            this.logger.debug("SubjectConfirmationData cannot be null for Bearer confirmation");
            return false;
        }
        if (subjectConfirmationData.getNotBefore() != null) {
            this.logger.debug("SubjectConfirmationData notBefore must be null for Bearer confirmation");
            return false;
        }
        if (subjectConfirmationData.getNotOnOrAfter() == null) {
            this.logger.debug("SubjectConfirmationData notOnOrAfter cannot be null for Bearer confirmation");
            return false;
        }
        if (subjectConfirmationData.getNotOnOrAfter().plusSeconds(this.acceptedSkew).isBeforeNow()) {
            this.logger.debug("SubjectConfirmationData notOnOrAfter is too old");
            return false;
        }
        try {
            if (subjectConfirmationData.getRecipient() == null) {
                this.logger.debug("SubjectConfirmationData recipient cannot be null for Bearer confirmation");
                return false;
            }
            Endpoint endpoint = sAML2MessageContext.getSAMLEndpointContext().getEndpoint();
            if (endpoint == null) {
                this.logger.warn("No endpoint was found in the SAML endpoint context");
                return false;
            }
            URI uri = new URI(subjectConfirmationData.getRecipient());
            URI uri2 = new URI(endpoint.getLocation());
            if (SAML2Utils.urisEqualAfterPortNormalization(uri, uri2)) {
                return true;
            }
            this.logger.debug("SubjectConfirmationData recipient {} does not match SP assertion consumer URL, found. SP ACS URL from context: {}", uri, uri2);
            return false;
        } catch (URISyntaxException e) {
            this.logger.error("Unable to check SubjectConfirmationData recipient, a URI has invalid syntax.", (Throwable) e);
            return false;
        }
    }

    protected final void validateAssertionConditions(Conditions conditions, SAML2MessageContext sAML2MessageContext) {
        if (conditions == null) {
            return;
        }
        if (conditions.getNotBefore() != null && conditions.getNotBefore().minusSeconds(this.acceptedSkew).isAfterNow()) {
            throw new SAMLAssertionConditionException("Assertion condition notBefore is not valid");
        }
        if (conditions.getNotOnOrAfter() != null && conditions.getNotOnOrAfter().plusSeconds(this.acceptedSkew).isBeforeNow()) {
            throw new SAMLAssertionConditionException("Assertion condition notOnOrAfter is not valid");
        }
        validateAudienceRestrictions(conditions.getAudienceRestrictions(), sAML2MessageContext.getSAMLSelfEntityContext().getEntityId());
    }

    protected final void validateAudienceRestrictions(List<AudienceRestriction> list, String str) {
        if (list == null || list.isEmpty()) {
            throw new SAMLAssertionAudienceException("Audience restrictions cannot be null or empty");
        }
        HashSet hashSet = new HashSet();
        for (AudienceRestriction audienceRestriction : list) {
            if (audienceRestriction.getAudiences() != null) {
                Iterator<Audience> it = audienceRestriction.getAudiences().iterator();
                while (it.hasNext()) {
                    hashSet.add(it.next().getAudienceURI());
                }
            }
        }
        if (!hashSet.contains(str)) {
            throw new SAMLAssertionAudienceException("Assertion audience " + hashSet + " does not match SP configuration " + str);
        }
    }

    protected final void validateAuthenticationStatements(List<AuthnStatement> list, SAML2MessageContext sAML2MessageContext) {
        for (AuthnStatement authnStatement : list) {
            if (!isAuthnInstantValid(authnStatement.getAuthnInstant())) {
                throw new SAMLAuthnInstantException("Authentication issue instant is too old or in the future");
            }
            if (authnStatement.getSessionNotOnOrAfter() != null && authnStatement.getSessionNotOnOrAfter().isBeforeNow()) {
                throw new SAMLAuthnSessionCriteriaException("Authentication session between IDP and subject has ended");
            }
        }
    }

    protected final void validateAssertionSignature(Signature signature, SAML2MessageContext sAML2MessageContext, SignatureTrustEngine signatureTrustEngine) {
        SAMLPeerEntityContext sAMLPeerEntityContext = sAML2MessageContext.getSAMLPeerEntityContext();
        if (signature != null) {
            validateSignature(signature, sAMLPeerEntityContext.getEntityId(), signatureTrustEngine);
        } else if (wantsAssertionsSigned(sAML2MessageContext).booleanValue() && !sAMLPeerEntityContext.isAuthenticated()) {
            throw new SAMLSignatureRequiredException("Assertion or response must be signed");
        }
    }

    @VisibleForTesting
    Boolean wantsAssertionsSigned(SAML2MessageContext sAML2MessageContext) {
        SPSSODescriptor sPSSODescriptor;
        if (sAML2MessageContext != null && (sPSSODescriptor = sAML2MessageContext.getSPSSODescriptor()) != null) {
            return sPSSODescriptor.getWantAssertionsSigned();
        }
        return Boolean.valueOf(this.wantsAssertionsSigned);
    }

    private boolean isAuthnInstantValid(DateTime dateTime) {
        return isDateValid(dateTime, this.maximumAuthenticationLifetime);
    }

    @Override // org.pac4j.saml.profile.api.SAML2ResponseValidator
    public final void setMaximumAuthenticationLifetime(int i) {
        this.maximumAuthenticationLifetime = i;
    }
}
