package org.apache.cxf.fediz.core.samlsso;

import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import org.apache.cxf.fediz.core.config.CertificateValidationMethod;
import org.apache.cxf.fediz.core.config.FedizContext;
import org.apache.cxf.fediz.core.config.TrustManager;
import org.apache.cxf.fediz.core.config.TrustedIssuer;
import org.apache.cxf.fediz.core.saml.FedizSignatureTrustValidator;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SAMLUtil;
import org.apache.wss4j.dom.WSDocInfo;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor;
import org.apache.wss4j.dom.validate.Credential;
import org.opensaml.saml.saml1.core.Response;
import org.opensaml.saml.saml2.core.StatusResponseType;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.BasicCredential;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.signature.KeyInfo;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;

/* loaded from: input_file:WEB-INF/lib/fediz-core-1.4.6.jar:org/apache/cxf/fediz/core/samlsso/SAMLProtocolResponseValidator.class */
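public class SAMLProtocolResponseValidator {
    /** SAML 2.0 top-level StatusCode value that marks a successful protocol Response. */
    public static final String SAML2_STATUSCODE_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
    /** Local part of the SAML 1.x StatusCode QName that marks a successful protocol Response. */
    public static final String SAML1_STATUSCODE_SUCCESS = "Success";
    private static final Logger LOG = LoggerFactory.getLogger(SAMLProtocolResponseValidator.class);

    /**
     * Validates a SAML 2.0 protocol Response (any {@code StatusResponseType}).
     * <p>
     * The status code must equal {@link #SAML2_STATUSCODE_SUCCESS}. If the response carries an
     * enveloped signature, that signature is checked against the SAML signature profile, verified
     * cryptographically and then bound to one of the configured trusted issuers. An unsigned
     * response is accepted by this method without any signature check; NOTE(review): verify that
     * the caller enforces a signature on the enclosed Assertion where the deployment requires one.
     *
     * @param statusResponseType the parsed protocol response
     * @param fedizContext       configuration supplying trusted issuers and certificate stores
     * @throws WSSecurityException if the status is absent or not Success, or the signature or
     *                             its trust validation fails
     */
    public void validateSamlResponse(StatusResponseType statusResponseType, FedizContext fedizContext) throws WSSecurityException {
        if (statusResponseType.getStatus() == null
            || statusResponseType.getStatus().getStatusCode() == null
            || statusResponseType.getStatus().getStatusCode().getValue() == null) {
            LOG.debug("Either the SAML Response Status or StatusCode is null");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        final String statusCode = statusResponseType.getStatus().getStatusCode().getValue();
        if (!SAML2_STATUSCODE_SUCCESS.equals(statusCode)) {
            LOG.debug("SAML Status code of {} does not equal {}", statusCode, SAML2_STATUSCODE_SUCCESS);
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        validateResponseSignature(statusResponseType, fedizContext);
    }

    /**
     * Validates a SAML 1.x protocol Response.
     * <p>
     * The local part of the StatusCode QName must equal {@link #SAML1_STATUSCODE_SUCCESS};
     * signature handling is the same as for the SAML 2.0 variant (an unsigned response is
     * accepted without a signature check).
     *
     * @param response     the parsed SAML 1.x response
     * @param fedizContext configuration supplying trusted issuers and certificate stores
     * @throws WSSecurityException if the status is absent or not Success, or the signature or
     *                             its trust validation fails
     */
    public void validateSamlResponse(Response response, FedizContext fedizContext) throws WSSecurityException {
        if (response.getStatus() == null
            || response.getStatus().getStatusCode() == null
            || response.getStatus().getStatusCode().getValue() == null) {
            LOG.debug("Either the SAML Response Status or StatusCode is null");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        if (!SAML1_STATUSCODE_SUCCESS.equals(response.getStatus().getStatusCode().getValue().getLocalPart())) {
            LOG.debug("SAML Status code of {} does not equal {}",
                      response.getStatus().getStatusCode().getValue(), SAML1_STATUSCODE_SUCCESS);
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        validateResponseSignature(response, fedizContext);
    }

    /** Verifies the enveloped signature of a SAML 2.0 response, if one is present. */
    private void validateResponseSignature(StatusResponseType statusResponseType, FedizContext fedizContext) throws WSSecurityException {
        if (statusResponseType.isSigned()) {
            validateResponseSignature(statusResponseType.getSignature(),
                                      statusResponseType.getDOM().getOwnerDocument(), fedizContext);
        }
    }

    /** Verifies the enveloped signature of a SAML 1.x response, if one is present. */
    private void validateResponseSignature(Response response, FedizContext fedizContext) throws WSSecurityException {
        if (response.isSigned()) {
            validateResponseSignature(response.getSignature(),
                                      response.getDOM().getOwnerDocument(), fedizContext);
        }
    }

    /**
     * Full signature check: extract the signing key from the signature's KeyInfo, verify the
     * signature with it, then establish trust in that key via the configured issuers.
     * <p>
     * The cryptographic verification alone proves nothing about the sender, because the key used
     * is the one the message itself carries; only the trust step ties it to the configuration.
     *
     * @throws WSSecurityException with FAILURE if the KeyInfo is missing or the signature does not
     *                             verify, with FAILED_AUTHENTICATION if no trusted issuer accepts
     *                             the signing key
     */
    private void validateResponseSignature(Signature signature, Document document, FedizContext fedizContext) throws WSSecurityException {
        final RequestData requestData = new RequestData();
        requestData.setWssConfig(WSSConfig.getNewInstance());

        final SAMLKeyInfo samlKeyInfo = extractSigningKeyInfo(signature, document, requestData);
        validateSignatureAgainstProfiles(signature, samlKeyInfo);

        final Credential credential = new Credential();
        credential.setPublicKey(samlKeyInfo.getPublicKey());
        credential.setCertificates(samlKeyInfo.getCerts());

        if (!isTrustedByConfiguredIssuer(credential, requestData, fedizContext)) {
            LOG.warn("SAML Response is not trusted");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
    }

    /**
     * Resolves the signing key (certificates and/or public key) from the signature's KeyInfo.
     * At this point {@code requestData} carries no signature-verification Crypto yet; one is only
     * set per certificate store during trust validation.
     *
     * @throws WSSecurityException if the KeyInfo is absent or cannot be processed
     */
    private SAMLKeyInfo extractSigningKeyInfo(Signature signature, Document document, RequestData requestData) throws WSSecurityException {
        final KeyInfo keyInfo = signature.getKeyInfo();
        SAMLKeyInfo samlKeyInfo = null;
        if (keyInfo != null) {
            try {
                samlKeyInfo = SAMLUtil.getCredentialFromKeyInfo(keyInfo.getDOM(),
                    new WSSSAMLKeyInfoProcessor(requestData, new WSDocInfo(document)),
                    requestData.getSigVerCrypto());
            } catch (WSSecurityException e) {
                LOG.debug("Error in getting KeyInfo from SAML Response: " + e.getMessage(), e);
                throw e;
            }
        }
        if (samlKeyInfo == null) {
            LOG.debug("No KeyInfo supplied in the SAMLResponse signature");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        return samlKeyInfo;
    }

    /**
     * Tries every configured trusted issuer against every configured certificate store and
     * returns {@code true} on the first combination the trust validator accepts.
     * <p>
     * A failure for one issuer/keystore pair is logged at debug level and the search continues;
     * an error outside that inner attempt (e.g. while enumerating the stores) aborts validation.
     *
     * @throws WSSecurityException if the store enumeration itself fails
     * @throws IllegalStateException if an issuer is configured with an unsupported validation method
     */
    private boolean isTrustedByConfiguredIssuer(Credential credential, RequestData requestData, FedizContext fedizContext) throws WSSecurityException {
        // NOTE(review): one validator instance is reused across issuers, as in the original;
        // subject constraints set for a CHAIN_TRUST issuer stay set on a following PEER_TRUST
        // issuer — confirm the validator ignores them in PEER_TRUST mode.
        final FedizSignatureTrustValidator trustValidator = new FedizSignatureTrustValidator();
        for (TrustedIssuer trustedIssuer : fedizContext.getTrustedIssuers()) {
            // Deliberately outside the try below so an unsupported method surfaces as
            // IllegalStateException rather than being converted to "invalidSAMLsecurity".
            configureTrustType(trustValidator, trustedIssuer);
            try {
                for (TrustManager trustManager : fedizContext.getCertificateStores()) {
                    try {
                        requestData.setSigVerCrypto(trustManager.getCrypto());
                        trustValidator.validate(credential, requestData);
                        return true;
                    } catch (Exception notTrustedHere) {
                        // Best effort per keystore: keep searching the remaining stores/issuers.
                        LOG.debug("Issuer '{}' not validated in keystore '{}'",
                                  trustedIssuer.getName(), trustManager.getName());
                    }
                }
            } catch (Exception e) {
                LOG.info("Error in validating signature on SAML Response: " + e.getMessage(), e);
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
            }
        }
        return false;
    }

    /**
     * Configures the trust validator for one issuer: CHAIN_TRUST validates the certificate chain
     * and applies the issuer's subject DN pattern (if any); PEER_TRUST requires the certificate
     * itself to be present in the store.
     *
     * @throws IllegalStateException for any other (or a null) certificate validation method
     */
    private static void configureTrustType(FedizSignatureTrustValidator trustValidator, TrustedIssuer trustedIssuer) {
        final Pattern compiledSubject = trustedIssuer.getCompiledSubject();
        final List<Pattern> subjectConstraints = new ArrayList<>(1);
        if (compiledSubject != null) {
            subjectConstraints.add(compiledSubject);
        }
        final CertificateValidationMethod method = trustedIssuer.getCertificateValidationMethod();
        // Constant-first equals keeps a null method from throwing NPE; it falls to the
        // "unsupported" branch instead.
        if (CertificateValidationMethod.CHAIN_TRUST.equals(method)) {
            trustValidator.setSubjectConstraints(subjectConstraints);
            trustValidator.setSignatureTrustType(FedizSignatureTrustValidator.TrustType.CHAIN_TRUST_CONSTRAINTS);
        } else if (CertificateValidationMethod.PEER_TRUST.equals(method)) {
            trustValidator.setSignatureTrustType(FedizSignatureTrustValidator.TrustType.PEER_TRUST);
        } else {
            throw new IllegalStateException("Unsupported certificate validation method: " + method);
        }
    }

    /**
     * Checks the signature against the SAML signature profile and then verifies it with the key
     * taken from its own KeyInfo (first certificate if present, else the bare public key).
     *
     * @throws WSSecurityException if the profile check fails, no usable key is available, or the
     *                             signature value does not verify
     */
    private void validateSignatureAgainstProfiles(Signature signature, SAMLKeyInfo samlKeyInfo) throws WSSecurityException {
        try {
            new SAMLSignatureProfileValidator().validate(signature);
        } catch (SignatureException e) {
            LOG.debug("Error in validating the SAML Signature: " + e.getMessage(), e);
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }

        final BasicCredential verificationCredential;
        // Length check guards against an empty certificate array, which would otherwise
        // throw ArrayIndexOutOfBoundsException instead of a WSSecurityException.
        if (samlKeyInfo.getCerts() != null && samlKeyInfo.getCerts().length > 0) {
            verificationCredential = new BasicX509Credential(samlKeyInfo.getCerts()[0]);
        } else if (samlKeyInfo.getPublicKey() != null) {
            verificationCredential = new BasicCredential(samlKeyInfo.getPublicKey());
        } else {
            LOG.debug("Can't get X509Certificate or PublicKey to verify signature");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }

        try {
            SignatureValidator.validate(signature, verificationCredential);
        } catch (SignatureException e) {
            LOG.debug("Error in validating the SAML Signature: " + e.getMessage(), e);
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
    }
}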
