package org.wso2.carbon.identity.sso.saml.cloud.validators;

import java.io.IOException;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.common.SAMLVersion;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.Subject;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.sso.saml.cloud.SAMLSSOConstants;
import org.wso2.carbon.identity.sso.saml.cloud.context.SAMLMessageContext;
import org.wso2.carbon.identity.sso.saml.cloud.exception.SAML2ClientException;
import org.wso2.carbon.identity.sso.saml.cloud.util.SAMLSSOUtil;
import org.wso2.carbon.user.api.UserStoreException;

/* loaded from: input_file:org/wso2/carbon/identity/sso/saml/cloud/validators/SPInitSSOAuthnRequestValidator.class */
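/**
 * Validates an SP-initiated SAML 2.0 {@code AuthnRequest} before the IdP acts on it.
 *
 * <p>Checks, in order: SAML version, presence of an Issuer, that the Issuer is a
 * registered service provider for the resolved tenant, the Issuer Format, the
 * Assertion Consumer Service (ACS) URL against the registered configuration, and
 * that the request carries no SubjectConfirmation. On success the relevant values
 * are copied into the {@link SAMLMessageContext}; on failure the context is marked
 * invalid and a {@link SAML2ClientException} carrying a SAML error response is thrown.
 *
 * <p>Security note: every value read from the request is attacker-controlled until
 * the corresponding check has passed. In particular the request's own ACS URL must
 * not be used as the destination of an error response before
 * {@code SAMLSSOUtil.validateACS} has accepted it, otherwise the IdP becomes an
 * open redirector for SAML error responses. Pre-validation error paths therefore
 * pass {@code null} as the destination (the same value the IdP-error paths use).
 */
public class SPInitSSOAuthnRequestValidator implements SSOAuthnRequestValidator {

    /** The only Issuer Format the SAML 2.0 core spec allows on an AuthnRequest. */
    private static final String NAMEID_FORMAT_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity";
    /** Tenant used when neither the thread-local nor the issuer suffix names one. */
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";
    /** Separator between issuer name and tenant domain in {@code issuer@tenant}. */
    private static final char TENANT_SEPARATOR = '@';

    private static final Log log = LogFactory.getLog(SPInitSSOAuthnRequestValidator.class);

    private final SAMLMessageContext messageContext;

    /**
     * @param sAMLMessageContext context the validation results are written into
     * @throws IdentityException kept for interface compatibility; not thrown here
     */
    public SPInitSSOAuthnRequestValidator(SAMLMessageContext sAMLMessageContext) throws IdentityException {
        this.messageContext = sAMLMessageContext;
    }

    /**
     * Validates {@code authnRequest} and populates the message context.
     *
     * @param authnRequest the parsed, untrusted SP-initiated request
     * @return {@code true} when every check passed (failures always throw)
     * @throws SAML2ClientException for any request-side defect (REQUESTOR_ERROR /
     *         VERSION_MISMATCH) or for an internal failure (IDENTITY_PROVIDER_ERROR)
     * @throws IdentityException declared for interface compatibility
     * @throws IOException declared for interface compatibility
     */
    @Override // org.wso2.carbon.identity.sso.saml.cloud.validators.SSOAuthnRequestValidator
    public boolean validate(AuthnRequest authnRequest) throws IdentityException, IOException {
        // --- 1. SAML version ---------------------------------------------------
        if (!SAMLVersion.VERSION_20.equals(authnRequest.getVersion())) {
            if (log.isDebugEnabled()) {
                log.debug("Invalid version in the SAMLRequest" + authnRequest.getVersion());
            }
            this.messageContext.setValid(false);
            // Nothing in this request has been verified yet, so the request's own ACS URL is
            // not handed back as the place to deliver the error (was an unvalidated redirect).
            // NOTE(review): the context ACS URL passed as destination is whatever an earlier
            // stage stored; confirm it is not also taken unvalidated from the request.
            throw SAML2ClientException.error(
                    SAMLSSOUtil.buildErrorResponse(SAMLSSOConstants.StatusCodes.VERSION_MISMATCH,
                            "Invalid SAML Version in Authentication Request. SAML Version should be equal to 2.0",
                            this.messageContext.getAssertionConsumerURL()),
                    SAMLSSOConstants.Notification.EXCEPTION_STATUS,
                    SAMLSSOConstants.Notification.EXCEPTION_MESSAGE,
                    null);
        }

        // --- 2. Issuer presence ------------------------------------------------
        // <Issuer> is optional in the schema, so a missing element must not NPE here.
        Issuer issuer = authnRequest.getIssuer();
        String issuerName = resolveIssuerName(issuer);
        if (StringUtils.isBlank(issuerName)) {
            if (log.isDebugEnabled()) {
                log.debug("SAML Request issuer validation failed. Issuer should not be empty");
            }
            this.messageContext.setValid(false);
            // ACS not validated yet: no destination for the error response.
            throw SAML2ClientException.error(SAMLSSOUtil.buildErrorResponse(
                    SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                    "Issuer/ProviderName should not be empty in the Authentication Request.",
                    null));
        }
        this.messageContext.setIssuer(issuerName);

        Subject subject = authnRequest.getSubject();
        try {
            // --- 3. Issuer must be a registered SP --------------------------------
            // splitAppendedTenantDomain also resolves the tenant domain (thread-local + context)
            // as a side effect, so it must run before the registry lookup.
            // Previously issuer.getValue() was passed here, which is null when the issuer was
            // taken from SPProvidedID and crashed inside splitAppendedTenantDomain.
            String issuerWithoutTenant = splitAppendedTenantDomain(issuerName);
            if (!SAMLSSOUtil.isSAMLIssuerExists(issuerWithoutTenant, SAMLSSOUtil.getTenantDomainFromThreadLocal())) {
                String notRegistered = "A Service Provider with the Issuer '" + issuerName
                        + "' is not registered. Service Provider should be registered in advance";
                if (log.isDebugEnabled()) {
                    log.debug(notRegistered);
                }
                this.messageContext.setValid(false);
                throw SAML2ClientException.error(SAMLSSOUtil.buildErrorResponse(
                        SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, notRegistered, null));
            }

            // --- 4. Issuer Format, if present, must be the entity format -------------
            String issuerFormat = issuer.getFormat();
            if (StringUtils.isNotBlank(issuerFormat) && !NAMEID_FORMAT_ENTITY.equals(issuerFormat)) {
                if (log.isDebugEnabled()) {
                    log.debug("Invalid Issuer Format attribute value " + issuerFormat);
                }
                this.messageContext.setValid(false);
                // ACS not validated yet: no destination for the error response.
                throw SAML2ClientException.error(SAMLSSOUtil.buildErrorResponse(
                        SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                        "Issuer Format attribute value is invalid", null));
            }

            // --- 5. Load the SP configuration ---------------------------------------
            SAMLSSOServiceProviderDO spConfig = SAMLSSOUtil.getServiceProviderConfig(this.messageContext);
            if (spConfig == null) {
                String noConfig = "A Service Provider with the Issuer '" + this.messageContext.getIssuer()
                        + "' is not registered. Service Provider should be registered in advance.";
                if (log.isDebugEnabled()) {
                    log.debug(noConfig);
                }
                this.messageContext.setValid(false);
                // Without an SP config there is nothing to validate the ACS against.
                throw SAML2ClientException.error(SAMLSSOUtil.buildErrorResponse(
                        SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, noConfig, null));
            }
            this.messageContext.setSamlssoServiceProviderDO(spConfig);

            // --- 6. Assertion Consumer Service URL ----------------------------------
            String requestedAcs = authnRequest.getAssertionConsumerServiceURL();
            String tenantDomain = this.messageContext.getTenantDomain();
            String registeredIssuer = SAMLSSOUtil.splitAppendedTenantDomain(this.messageContext.getIssuer());
            if (StringUtils.isBlank(requestedAcs)) {
                // No ACS in the request: fall back to the SP's registered default.
                this.messageContext.setAssertionConsumerUrl(
                        SAMLSSOUtil.getDefaultACS(tenantDomain, registeredIssuer, requestedAcs));
            } else if (!SAMLSSOUtil.validateACS(tenantDomain, registeredIssuer, requestedAcs)) {
                if (log.isDebugEnabled()) {
                    log.debug("Invalid ACS URL value " + requestedAcs + " in the AuthnRequest message from "
                            + spConfig.getIssuer() + "\nPossibly an attempt for a spoofing attack from Provider "
                            + issuerName);
                }
                this.messageContext.setValid(false);
                // The URL that just FAILED validation must not become the error destination —
                // that would deliver a signed-looking IdP error to an attacker-chosen endpoint.
                throw SAML2ClientException.error(SAMLSSOUtil.buildErrorResponse(
                        SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                        "Invalid Assertion Consumer Service URL in the Authentication Request.", null));
            }

            // --- 7. Subject: NameID allowed, SubjectConfirmation is not ----------------
            if (subject != null) {
                if (subject.getSubjectConfirmations() != null && !subject.getSubjectConfirmations().isEmpty()) {
                    if (log.isDebugEnabled()) {
                        log.debug("Invalid Request message. A Subject confirmation method found "
                                + subject.getSubjectConfirmations().get(0));
                    }
                    this.messageContext.setValid(false);
                    // ACS has been validated above, so it may carry the error response.
                    throw SAML2ClientException.error(SAMLSSOUtil.buildErrorResponse(
                            SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                            "Subject Confirmation methods should NOT be in the request.",
                            authnRequest.getAssertionConsumerServiceURL()));
                }
                if (subject.getNameID() != null) {
                    this.messageContext.setSubject(subject.getNameID().getValue());
                }
            }

            // --- 8. Carry request flags into the context ------------------------------
            this.messageContext.addParameter("forceAuth", authnRequest.isForceAuthn());
            this.messageContext.addParameter("passiveAuth", authnRequest.isPassive());
            Integer attrServiceIndex = authnRequest.getAttributeConsumingServiceIndex();
            if (attrServiceIndex != null && attrServiceIndex >= 1) {
                this.messageContext.setAttributeConsumingServiceIndex(attrServiceIndex);
            }

            if (log.isDebugEnabled()) {
                log.debug("Authentication Request Validation is successful.");
            }
            this.messageContext.setValid(true);
            return true;
        } catch (SAML2ClientException e) {
            // In this codebase SAML2ClientException may itself be an IdentityException; let
            // the client errors raised above keep their REQUESTOR_ERROR status instead of
            // being re-wrapped below as an IdP error (and logged at ERROR level).
            throw e;
        } catch (IdentityException e) {
            log.error(SAMLSSOConstants.Notification.EXCEPTION_STATUS, e);
            this.messageContext.setValid(false);
            throw SAML2ClientException.error(
                    SAMLSSOUtil.buildErrorResponse(SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR,
                            "Error when processing the authentication request", null),
                    SAMLSSOConstants.Notification.EXCEPTION_STATUS,
                    SAMLSSOConstants.Notification.EXCEPTION_MESSAGE, null);
        } catch (UserStoreException e) {
            if (log.isDebugEnabled()) {
                log.debug("Error occurred while handling SAML2 SSO request", e);
            }
            this.messageContext.setValid(false);
            throw SAML2ClientException.error(
                    SAMLSSOUtil.buildErrorResponse(SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR,
                            "Error occurred while handling SAML2 SSO request", null),
                    SAMLSSOConstants.Notification.EXCEPTION_STATUS,
                    SAMLSSOConstants.Notification.EXCEPTION_MESSAGE, null);
        }
    }

    /**
     * Picks the issuer name from the request: the Issuer value when present, else the
     * SPProvidedID. Returns {@code null} when there is no Issuer element at all.
     */
    private static String resolveIssuerName(Issuer issuer) {
        if (issuer == null) {
            return null;
        }
        if (StringUtils.isNotBlank(issuer.getValue())) {
            return issuer.getValue();
        }
        return issuer.getSPProvidedID();
    }

    /**
     * Splits an {@code issuer@tenant} name and resolves the tenant domain.
     *
     * <p>When no tenant domain is on the thread-local yet and the name contains
     * {@code '@'}, the part after the last {@code '@'} is taken as the tenant domain
     * and stored in both the thread-local and the message context (only if both halves
     * are non-blank; the name is truncated either way, as before). If the thread-local
     * is still empty afterwards, {@code carbon.super} is used.
     *
     * <p>NOTE(review): the tenant suffix originates from the unauthenticated request;
     * it is only safe because the caller immediately checks the issuer against the
     * registry for that tenant.
     *
     * @param str issuer name, possibly with a tenant suffix; {@code null} is tolerated
     * @return the issuer name without its tenant suffix (unchanged when none was split)
     */
    protected String splitAppendedTenantDomain(String str) throws UserStoreException, IdentityException {
        String issuerName = str;
        if (issuerName != null && IdentityUtil.isBlank(SAMLSSOUtil.getTenantDomainFromThreadLocal())) {
            int at = issuerName.lastIndexOf(TENANT_SEPARATOR);
            if (at >= 0) {
                String tenantDomain = issuerName.substring(at + 1);
                issuerName = issuerName.substring(0, at);
                if (StringUtils.isNotBlank(tenantDomain) && StringUtils.isNotBlank(issuerName)) {
                    SAMLSSOUtil.setTenantDomainInThreadLocal(tenantDomain);
                    this.messageContext.setTenantDomain(tenantDomain);
                    if (log.isDebugEnabled()) {
                        log.debug("Tenant Domain: " + tenantDomain + " & Issuer name: " + issuerName
                                + "has been split");
                    }
                }
            }
        }
        if (IdentityUtil.isBlank(SAMLSSOUtil.getTenantDomainFromThreadLocal())) {
            SAMLSSOUtil.setTenantDomainInThreadLocal(SUPER_TENANT_DOMAIN);
            this.messageContext.setTenantDomain(SUPER_TENANT_DOMAIN);
        }
        return issuerName;
    }
}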
