package com.coveo.saml;

import java.util.List;
import org.joda.time.DateTime;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Conditions;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.LogoutResponse;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.StatusResponseType;
import org.opensaml.security.credential.Credential;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;

/* loaded from: input_file:com/coveo/saml/ValidatorUtils.class */
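/**
 * Static validation helpers for inbound SAML 2.0 messages: authentication
 * {@link Response}s, {@link LogoutRequest}s and {@link LogoutResponse}s.
 *
 * <p>Every check throws {@link SamlException} on failure, so a normal return
 * from one of the public {@code validate} overloads means the message passed
 * every check this class performs. Note what this class does <em>not</em>
 * check, because callers must cover it themselves:
 * <ul>
 *   <li>the XML-signature <em>profile</em>: only the cryptographic check is
 *       performed (see {@link #validate(Signature, List)}); nothing here
 *       verifies that the signature's reference actually covers the element
 *       that carries it, which is what defeats signature-wrapping;</li>
 *   <li>{@code AudienceRestriction}, {@code SubjectConfirmationData}
 *       ({@code Recipient}, {@code NotOnOrAfter}, {@code InResponseTo}) and the
 *       message {@code Destination};</li>
 *   <li>assertion / message ID replay;</li>
 *   <li>signature <em>presence</em> on logout messages (an unsigned
 *       {@link LogoutRequest} or {@link LogoutResponse} is accepted here).</li>
 * </ul>
 */
class ValidatorUtils {
    /** Status code that a successful authentication {@code Response} must carry. */
    private static final String STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";

    ValidatorUtils() {
    }

    /**
     * Schema-checks a status response and compares its {@code Issuer} to the expected entity ID.
     *
     * @param statusResponseType the decoded response
     * @param str                entity ID the response's {@code Issuer} must equal
     * @throws SamlException if the schema check or the issuer comparison fails
     */
    private static void validateResponse(StatusResponseType statusResponseType, String str) throws SamlException {
        try {
            new ResponseSchemaValidator().validate(statusResponseType);
            validateIssuer(statusResponseType, str);
        } catch (SamlException e) {
            // Wording kept for compatibility, although an issuer mismatch is not a schema failure;
            // the cause carries the precise reason.
            throw new SamlException("The response schema validation failed", e);
        }
    }

    /**
     * Requires the top-level status code to be {@code Success}.
     *
     * @throws SamlException if the status element/code is absent or not {@code Success}
     */
    private static void validateStatus(StatusResponseType statusResponseType) throws SamlException {
        String value = null;
        // Guard the chain so a malformed response is reported as a SamlException, not an NPE.
        if (statusResponseType.getStatus() != null && statusResponseType.getStatus().getStatusCode() != null) {
            value = statusResponseType.getStatus().getStatusCode().getValue();
        }
        if (!STATUS_SUCCESS.equals(value)) {
            throw new SamlException("Invalid status code: " + value);
        }
    }

    /**
     * Issuer comparison shared by every message type.
     *
     * @param actual   issuer value read from the message, may be null
     * @param expected the configured IdP entity ID
     * @return true only when {@code actual} is present and equals {@code expected}
     */
    private static boolean issuerMatches(String actual, String expected) {
        return actual != null && actual.equals(expected);
    }

    /**
     * @throws SamlException if the response has no {@code Issuer} or it differs from {@code str}
     */
    private static void validateIssuer(StatusResponseType statusResponseType, String str) throws SamlException {
        String actual = statusResponseType.getIssuer() == null ? null : statusResponseType.getIssuer().getValue();
        if (!issuerMatches(actual, str)) {
            throw new SamlException("The response issuer didn't match the expected value");
        }
    }

    /**
     * @throws SamlException if the request has no {@code Issuer} or it differs from {@code str}
     */
    private static void validateIssuer(RequestAbstractType requestAbstractType, String str) throws SamlException {
        String actual = requestAbstractType.getIssuer() == null ? null : requestAbstractType.getIssuer().getValue();
        if (!issuerMatches(actual, str)) {
            throw new SamlException("The request issuer didn't match the expected value");
        }
    }

    /**
     * Checks the single assertion of an authentication response: exactly one
     * (unencrypted) assertion, issued by {@code str}, carrying a {@code NameID},
     * and within its {@code Conditions} validity window.
     *
     * <p>Not checked here: {@code AudienceRestriction} and
     * {@code SubjectConfirmationData}; callers must enforce those.
     *
     * @param response the decoded response
     * @param str      expected assertion issuer (IdP entity ID)
     * @param dateTime instant to evaluate the validity window at; null means "now"
     * @param j        clock-skew tolerance in milliseconds, applied to {@code NotBefore} only
     * @throws SamlException on any failed check
     */
    private static void validateAssertion(Response response, String str, DateTime dateTime, long j) throws SamlException {
        List<Assertion> assertions = response.getAssertions();
        if (assertions == null || assertions.size() != 1) {
            throw new SamlException("The response doesn't contain exactly 1 assertion");
        }
        Assertion assertion = assertions.get(0);
        String issuer = assertion.getIssuer() == null ? null : assertion.getIssuer().getValue();
        if (!issuerMatches(issuer, str)) {
            throw new SamlException("The assertion issuer didn't match the expected value");
        }
        if (assertion.getSubject() == null || assertion.getSubject().getNameID() == null) {
            throw new SamlException("The NameID value is missing from the SAML response; this is likely an IDP configuration issue");
        }
        enforceConditions(assertion.getConditions(), dateTime, j);
    }

    /**
     * Enforces the {@code NotBefore} / {@code NotOnOrAfter} validity window.
     *
     * @param conditions the assertion's {@code Conditions}; both bounds are required
     * @param dateTime   evaluation instant, or null for {@link DateTime#now()}
     * @param j          skew in milliseconds subtracted from {@code NotBefore}; the expiry is never extended
     * @throws SamlException if the element or either bound is missing, or the instant is outside the window
     */
    private static void enforceConditions(Conditions conditions, DateTime dateTime, long j) throws SamlException {
        if (conditions == null) {
            throw new SamlException("The assertion has no Conditions element");
        }
        DateTime notBefore = conditions.getNotBefore();
        DateTime notOnOrAfter = conditions.getNotOnOrAfter();
        // An assertion without an expiry would be valid forever; reject it explicitly
        // instead of failing with an NPE further down.
        if (notBefore == null || notOnOrAfter == null) {
            throw new SamlException("The assertion Conditions are missing NotBefore or NotOnOrAfter");
        }
        DateTime now = dateTime != null ? dateTime : DateTime.now();
        if (now.isBefore(notBefore.minus(j))) {
            throw new SamlException("The assertion cannot be used before " + notBefore.toString());
        }
        // NotOnOrAfter is exclusive in SAML 2.0 Core: an instant equal to it is already invalid.
        if (!now.isBefore(notOnOrAfter)) {
            throw new SamlException("The assertion cannot be used after  " + notOnOrAfter.toString());
        }
    }

    /**
     * Verifies the object's own signature when one is present.
     *
     * <p>A missing signature is accepted by this method. For authentication
     * responses, {@link #validateAssertionSignature} separately requires that
     * either the response or the assertion is signed. For logout messages
     * nothing enforces presence: under the HTTP-Redirect binding the signature
     * travels in the query string rather than in the XML and must be verified
     * by the caller; under HTTP-POST the caller should reject an unsigned message.
     *
     * @throws SamlException if a signature is present and fails to verify
     */
    private static void validateSignature(SignableSAMLObject signableSAMLObject, List<Credential> list) throws SamlException {
        Signature signature = signableSAMLObject.getSignature();
        if (signature != null && !validate(signature, list)) {
            throw new SamlException("The response signature is invalid");
        }
    }

    /**
     * Requires that the response or its assertion is signed, and verifies the
     * assertion signature when one is present. The response-level signature
     * itself is verified by {@link #validateSignature}.
     *
     * @throws SamlException if neither element is signed, or the assertion signature fails
     */
    private static void validateAssertionSignature(Response response, List<Credential> list) throws SamlException {
        List<Assertion> assertions = response.getAssertions();
        if (assertions == null || assertions.isEmpty()) {
            throw new SamlException("The response doesn't contain exactly 1 assertion");
        }
        Signature assertionSignature = assertions.get(0).getSignature();
        boolean responseSigned = response.getSignature() != null;
        if (!responseSigned && assertionSignature == null) {
            throw new SamlException("No signature is present in either response or assertion");
        }
        if (assertionSignature != null && !validate(assertionSignature, list)) {
            throw new SamlException("The assertion signature is invalid");
        }
    }

    /**
     * Cryptographically verifies {@code signature} against the trusted credentials,
     * succeeding on the first one that validates.
     *
     * <p>NOTE(review): this is only the cryptographic check. Nothing in this
     * class runs OpenSAML's SAML signature profile validation (that the
     * enveloped signature references its own parent element and uses no
     * forbidden transforms); confirm the caller does, otherwise a wrapped or
     * detached signature over attacker-controlled content is not rejected here.
     *
     * @param signature  the signature to verify; null never verifies
     * @param list       trusted IdP credentials; null or empty never verifies
     * @return true if at least one credential verifies the signature
     */
    private static boolean validate(Signature signature, List<Credential> list) {
        if (signature == null || list == null) {
            return false;
        }
        for (Credential credential : list) {
            try {
                SignatureValidator.validate(signature, credential);
                return true;
            } catch (SignatureException e) {
                // Not this credential; try the next one.
            }
        }
        return false;
    }

    /**
     * Validates an authentication response end to end.
     *
     * <p>All checks are conjunctive, so their order only affects which error is
     * reported, not what is accepted.
     *
     * @param response the decoded response
     * @param str      expected IdP entity ID (response and assertion issuer)
     * @param list     trusted IdP signing credentials
     * @param dateTime instant to evaluate validity at, or null for now
     * @param j        NotBefore clock-skew tolerance in milliseconds
     * @throws SamlException if any check fails
     */
    public static void validate(Response response, String str, List<Credential> list, DateTime dateTime, long j) throws SamlException {
        validateResponse(response, str);
        validateAssertion(response, str, dateTime, j);
        validateSignature(response, list);
        validateAssertionSignature(response, list);
    }

    /**
     * Validates a logout request whose {@code NameID} must equal {@code str2}.
     * An unsigned request is accepted; see {@link #validateSignature}.
     *
     * @throws SamlException if any check fails
     */
    public static void validate(LogoutRequest logoutRequest, String str, List<Credential> list, String str2) throws SamlException {
        validateLogoutRequest(logoutRequest, str, str2);
        validateSignature(logoutRequest, list);
    }

    /**
     * Validates a logout request without a {@code NameID} comparison.
     * An unsigned request is accepted; see {@link #validateSignature}.
     *
     * @throws SamlException if any check fails
     */
    public static void validate(LogoutRequest logoutRequest, String str, List<Credential> list) throws SamlException {
        validateLogoutRequest(logoutRequest, str);
        validateSignature(logoutRequest, list);
    }

    /**
     * Validates a logout response (schema, issuer, and signature when present).
     * The status code is not checked by this overload.
     *
     * @throws SamlException if any check fails
     */
    public static void validate(LogoutResponse logoutResponse, String str, List<Credential> list) throws SamlException {
        validateResponse((StatusResponseType) logoutResponse, str);
        validateSignature(logoutResponse, list);
    }

    /**
     * Schema, issuer and status checks for an authentication response.
     *
     * @throws SamlException if any of the three fails (wrapped with the schema-failure message)
     */
    private static void validateResponse(Response response, String str) throws SamlException {
        try {
            new ResponseSchemaValidator().validate(response);
            validateIssuer((StatusResponseType) response, str);
            validateStatus(response);
        } catch (SamlException e) {
            throw new SamlException("The response schema validation failed", e);
        }
    }

    /**
     * Schema, issuer and NameID checks for a logout request.
     *
     * @throws SamlException if any check fails (wrapped with the schema-failure message)
     */
    private static void validateLogoutRequest(LogoutRequest logoutRequest, String str, String str2) throws SamlException {
        try {
            new LogoutRequestSchemaValidator().validate(logoutRequest);
            validateIssuer((RequestAbstractType) logoutRequest, str);
            validateNameId(logoutRequest, str2);
        } catch (SamlException e) {
            throw new SamlException("The request schema validation failed", e);
        }
    }

    /**
     * Schema and issuer checks for a logout request.
     *
     * @throws SamlException if either check fails (wrapped with the schema-failure message)
     */
    private static void validateLogoutRequest(LogoutRequest logoutRequest, String str) throws SamlException {
        try {
            new LogoutRequestSchemaValidator().validate(logoutRequest);
            validateIssuer((RequestAbstractType) logoutRequest, str);
        } catch (SamlException e) {
            throw new SamlException("The request schema validation failed", e);
        }
    }

    /**
     * Requires the request's {@code NameID} to be present and equal to {@code str}.
     *
     * @param str the expected NameID value; null never matches
     * @throws SamlException if the NameID is absent or differs
     */
    private static void validateNameId(LogoutRequest logoutRequest, String str) throws SamlException {
        String actual = logoutRequest.getNameID() == null ? null : logoutRequest.getNameID().getValue();
        if (str == null || !str.equals(actual)) {
            throw new SamlException("The nameID of the logout request is incorrect");
        }
    }
}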
