package otoroshi.auth;

import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.StatusResponseType;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import play.api.Logger;
import play.api.Logger$;
import play.api.MarkerContext$;
import scala.MatchError;
import scala.collection.immutable.List;
import scala.package$;
import scala.runtime.BoxedUnit;
import scala.runtime.BoxesRunTime;
import scala.util.Either;
import scala.util.Left;
import scala.util.Right;
import scala.util.Try$;

/* compiled from: ValidatorUtils.scala */
/* loaded from: input_file:otoroshi/auth/ValidatorUtils$.class */
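/**
 * Decompiled Scala singleton ({@code object ValidatorUtils}) holding the SAML response and
 * logout-request checks used by the Otoroshi SAML auth module.
 *
 * <p>Every check returns a Scala {@code Either}: {@code Left(message)} means the message was
 * rejected, {@code Right(())} means the check passed.
 *
 * <p>Scope of what is verified here: status code, issuer, presence of exactly one assertion,
 * presence of a NameID, and XML signatures against a list of trusted credentials. Nothing in this
 * class checks the assertion validity window ({@code Conditions}), audience, recipient/destination
 * or {@code InResponseTo}. NOTE(review): confirm those checks are enforced by the caller.
 */
public final class ValidatorUtils$ {
    public static ValidatorUtils$ MODULE$;
    private Logger logger;
    private volatile boolean bitmap$0;

    static {
        new ValidatorUtils$();
    }

    /** Builds the rejected outcome carrying {@code message}. */
    private static Either<String, BoxedUnit> failure(String message) {
        return package$.MODULE$.Left().apply(message);
    }

    /** Builds the accepted outcome. */
    private static Either<String, BoxedUnit> success() {
        return package$.MODULE$.Right().apply(BoxedUnit.UNIT);
    }

    /** Returns true only when an issuer value is present and equal to the expected one. */
    private static boolean sameIssuer(String actual, String expected) {
        return actual != null && actual.equals(expected);
    }

    /**
     * Slow path of the lazy logger: creates the logger once, under the monitor of this instance,
     * and publishes it through the volatile {@code bitmap$0} flag.
     */
    private Logger logger$lzycompute() {
        synchronized (this) {
            if (!this.bitmap$0) {
                this.logger = Logger$.MODULE$.apply("otoroshi-saml-validator-utils");
                this.bitmap$0 = true;
            }
        }
        return this.logger;
    }

    /** Returns the lazily created logger named {@code otoroshi-saml-validator-utils}. */
    public Logger logger() {
        return !this.bitmap$0 ? logger$lzycompute() : this.logger;
    }

    /**
     * Runs the full response validation: response-level checks, then the assertion, then the
     * response signature. The first failing step decides the result.
     *
     * @param response the SAML response to check
     * @param str the issuer value expected on both the response and its assertion
     * @param list credentials a signature is accepted against
     * @param z whether the response signature has to be verified
     * @param z2 whether the assertion signature has to be verified
     * @return {@code Left} with the first failure message, otherwise {@code Right}
     */
    public Either<String, BoxedUnit> validate(Response response, String str, List<org.opensaml.security.credential.Credential> list, boolean z, boolean z2) {
        Either<String, BoxedUnit> responseCheck = validateResponse(response, str);
        if (responseCheck.isLeft()) {
            return responseCheck;
        }
        Either<String, BoxedUnit> assertionCheck = validateAssertion(response, str, list, z2);
        if (assertionCheck.isLeft()) {
            return assertionCheck;
        }
        return validateSignature(response, list, z);
    }

    /**
     * Accepts only the SAML 2.0 {@code Success} status code.
     *
     * @param statusResponseType the response whose status is inspected
     * @return {@code Left} naming the received code (or {@code null} when the status or its code
     *     is absent), otherwise {@code Right}
     */
    public Either<String, BoxedUnit> validateStatus(StatusResponseType statusResponseType) {
        String value = null;
        // A response without Status/StatusCode is rejected instead of failing with an NPE.
        if (statusResponseType.getStatus() != null && statusResponseType.getStatus().getStatusCode() != null) {
            value = statusResponseType.getStatus().getStatusCode().getValue();
        }
        if ("urn:oasis:names:tc:SAML:2.0:status:Success".equals(value)) {
            return success();
        }
        return failure("Invalid status code: " + value);
    }

    /**
     * Checks that the response issuer equals the expected value.
     *
     * @param statusResponseType the response whose issuer is inspected
     * @param str the expected issuer value
     * @return {@code Left} when the issuer is absent or different, otherwise {@code Right}
     */
    public Either<String, BoxedUnit> validateIssuer(StatusResponseType statusResponseType, String str) {
        String issuer = statusResponseType.getIssuer() == null ? null : statusResponseType.getIssuer().getValue();
        if (!sameIssuer(issuer, str)) {
            return failure("The response issuer didn't match the expected value");
        }
        if (logger().isDebugEnabled(MarkerContext$.MODULE$.NoMarker())) {
            logger().debug(() -> {
                return "Response Issuer validated : " + str;
            }, MarkerContext$.MODULE$.NoMarker());
        }
        return success();
    }

    /**
     * Checks that the request issuer equals the expected value.
     *
     * <p>The previous condition was inverted: it rejected a request whose issuer matched and
     * accepted every other issuer. The request is now rejected when the issuer is absent or
     * differs from {@code str}.
     *
     * @param requestAbstractType the request whose issuer is inspected
     * @param str the expected issuer value
     * @return {@code Left} when the issuer is absent or different, otherwise {@code Right}
     */
    public Either<String, BoxedUnit> validateIssuer(RequestAbstractType requestAbstractType, String str) {
        String issuer = requestAbstractType.getIssuer() == null ? null : requestAbstractType.getIssuer().getValue();
        if (!sameIssuer(issuer, str)) {
            return failure("The request issuer didn't match the expected value");
        }
        if (logger().isDebugEnabled(MarkerContext$.MODULE$.NoMarker())) {
            logger().debug(() -> {
                return "Request Issuer validated : " + str;
            }, MarkerContext$.MODULE$.NoMarker());
        }
        return success();
    }

    /**
     * Validates the single assertion of a response: issuer, NameID presence and signature.
     *
     * <p>Only {@code response.getAssertions()} is read; encrypted assertions are not looked at by
     * this method.
     *
     * @param response the response carrying the assertion
     * @param str the expected assertion issuer
     * @param list credentials the assertion signature is accepted against
     * @param z whether the assertion signature has to be verified
     * @return {@code Left} with the failure message, otherwise {@code Right}
     */
    public Either<String, BoxedUnit> validateAssertion(Response response, String str, List<org.opensaml.security.credential.Credential> list, boolean z) {
        if (response.getAssertions().size() != 1) {
            return failure("The response doesn't contain exactly 1 assertion");
        }
        Assertion assertion = (Assertion) response.getAssertions().get(0);
        String assertionIssuer = assertion.getIssuer() == null ? null : assertion.getIssuer().getValue();
        if (!sameIssuer(assertionIssuer, str)) {
            return failure("The assertion issuer didn't match the expected value");
        }
        // A missing Subject is treated like a missing NameID rather than raising an NPE.
        if (assertion.getSubject() == null || assertion.getSubject().getNameID() == null) {
            return failure("The NameID value is missing from the SAML response this is likely an IDP configuration issue");
        }
        if (!validate(assertion.getSignature(), list, z)) {
            return failure("The assertion signature is invalid : wrong certificate");
        }
        return success();
    }

    /**
     * Verifies the signature of a signable SAML object when one is present.
     *
     * <p>NOTE(review): an object without any signature passes this check even when {@code z} is
     * true, so in that case the assertion signature is the only integrity check left. Confirm
     * this is intended and that assertion signature validation is enabled wherever unsigned
     * responses are accepted.
     *
     * @param signableSAMLObject the object whose signature is inspected
     * @param list credentials the signature is accepted against
     * @param z whether the signature has to be verified
     * @return {@code Left} when a present signature does not verify, otherwise {@code Right}
     */
    public Either<String, BoxedUnit> validateSignature(SignableSAMLObject signableSAMLObject, List<org.opensaml.security.credential.Credential> list, boolean z) {
        Signature signature = signableSAMLObject.getSignature();
        if (signature != null && !validate(signature, list, z)) {
            return failure("The response signature is invalid");
        }
        // The original nested if/else-if left the "not required" branch unreachable and logged
        // "validated" even when no signature existed; each case now gets its own message.
        if (logger().isDebugEnabled(MarkerContext$.MODULE$.NoMarker())) {
            if (!z) {
                logger().debug(() -> {
                    return "Validation of Response Signature not required";
                }, MarkerContext$.MODULE$.NoMarker());
            } else if (signature != null) {
                logger().debug(() -> {
                    return "Response Signature validated";
                }, MarkerContext$.MODULE$.NoMarker());
            } else {
                logger().debug(() -> {
                    return "Response carries no signature, nothing validated at response level";
                }, MarkerContext$.MODULE$.NoMarker());
            }
        }
        return success();
    }

    /**
     * Tells whether a signature is acceptable.
     *
     * @param signature the signature to verify, may be {@code null}
     * @param list trusted credentials; the signature passes if any one of them verifies it
     * @param z whether verification is required; when false every input is accepted
     * @return true when verification is not required or succeeds, false when it is required and
     *     the signature is absent, no credential is configured, or no credential verifies it
     */
    public boolean validate(Signature signature, List<org.opensaml.security.credential.Credential> list, boolean z) {
        if (!z) {
            return true;
        }
        // Fail closed: a required signature that is absent is invalid, instead of relying on
        // what SignatureValidator does with a null argument.
        if (signature == null) {
            return false;
        }
        if (list.isEmpty()) {
            return false;
        }
        return list.exists(credential -> {
            return BoxesRunTime.boxToBoolean($anonfun$validate$1(signature, credential));
        });
    }

    /**
     * Runs the response-level checks: issuer first, then status.
     *
     * <p>The issuer result used to be computed and discarded, so a response from an unexpected
     * issuer passed this step; it is now returned when it is a failure.
     *
     * @param response the response to check
     * @param str the expected response issuer
     * @return {@code Left} with the first failure message, otherwise {@code Right}
     */
    public Either<String, BoxedUnit> validateResponse(Response response, String str) {
        Either<String, BoxedUnit> issuerCheck = validateIssuer((StatusResponseType) response, str);
        if (issuerCheck.isLeft()) {
            return issuerCheck;
        }
        return validateStatus(response);
    }

    /**
     * Validates a logout request: issuer first, then NameID.
     *
     * <p>NOTE(review): no signature check on the logout request is visible in this method.
     *
     * @param logoutRequest the logout request to check
     * @param str the expected request issuer
     * @param str2 the NameID the request must carry
     * @return {@code Left} with the first failure message, otherwise {@code Right}
     */
    public Either<String, BoxedUnit> validateLogoutRequest(LogoutRequest logoutRequest, String str, String str2) {
        Either<String, BoxedUnit> issuerCheck = validateIssuer((RequestAbstractType) logoutRequest, str);
        if (issuerCheck.isLeft()) {
            return issuerCheck;
        }
        return validateNameId(logoutRequest, str2);
    }

    /**
     * Checks that the logout request names the expected subject.
     *
     * @param logoutRequest the logout request to check
     * @param str the expected NameID value; {@code null} never matches
     * @return {@code Left} when the NameID is absent or different, otherwise {@code Right}
     */
    public Either<String, BoxedUnit> validateNameId(LogoutRequest logoutRequest, String str) {
        // A request without a NameID element is rejected instead of failing with an NPE.
        if (str == null || logoutRequest.getNameID() == null || !str.equals(logoutRequest.getNameID().getValue())) {
            return failure("The nameID of the logout request is incorrect");
        }
        return success();
    }

    /**
     * Verifies {@code signature} against one credential, wrapped in a Scala {@code Try}.
     *
     * <p>Failures are routed through a {@code recover} handler defined in a separate generated
     * class that is not visible here; presumably it maps a signature failure to {@code false},
     * to be confirmed. NOTE(review): only {@code SignatureValidator.validate} is called here, no
     * SAML signature profile validation is visible in this class; confirm it happens before
     * this point.
     */
    public static final /* synthetic */ boolean $anonfun$validate$1(Signature signature, org.opensaml.security.credential.Credential credential) {
        return BoxesRunTime.unboxToBoolean(Try$.MODULE$.apply(() -> {
            SignatureValidator.validate(signature, credential);
            return true;
        }).recover(new ValidatorUtils$$anonfun$$nestedInanonfun$validate$1$1()).get());
    }

    /** Registers the singleton instance in {@code MODULE$}. */
    private ValidatorUtils$() {
        MODULE$ = this;
    }
}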
