package org.pac4j.saml.sso.impl;

import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import net.shibboleth.utilities.java.support.net.BasicURLComparator;
import net.shibboleth.utilities.java.support.net.URIComparator;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.criterion.ProtocolCriterion;
import org.opensaml.saml.saml2.core.Audience;
import org.opensaml.saml.saml2.core.AudienceRestriction;
import org.opensaml.saml.saml2.core.Conditions;
import org.opensaml.saml.saml2.core.EncryptedID;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.SubjectConfirmationData;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.saml.saml2.metadata.Endpoint;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.xmlsec.encryption.support.DecryptionException;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.pac4j.core.credentials.Credentials;
import org.pac4j.saml.context.SAML2MessageContext;
import org.pac4j.saml.crypto.SAML2SignatureTrustEngineProvider;
import org.pac4j.saml.exceptions.SAMLAssertionAudienceException;
import org.pac4j.saml.exceptions.SAMLAssertionConditionException;
import org.pac4j.saml.exceptions.SAMLEndpointMismatchException;
import org.pac4j.saml.exceptions.SAMLException;
import org.pac4j.saml.exceptions.SAMLInResponseToMismatchException;
import org.pac4j.saml.exceptions.SAMLIssueInstantException;
import org.pac4j.saml.exceptions.SAMLIssuerException;
import org.pac4j.saml.exceptions.SAMLNameIdDecryptionException;
import org.pac4j.saml.exceptions.SAMLSignatureRequiredException;
import org.pac4j.saml.exceptions.SAMLSignatureValidationException;
import org.pac4j.saml.sso.SAML2ResponseValidator;
import org.pac4j.saml.storage.SAMLMessageStorage;
import org.pac4j.saml.util.UriUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/pac4j-saml-3.0.0-RC2.jar:org/pac4j/saml/sso/impl/SAML2LogoutResponseValidator.class */
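/**
 * Validates a SAML 2 logout response received from the identity provider.
 *
 * <p>{@link #validate(SAML2MessageContext)} runs, in order: success status, the enveloped
 * XML signature (only if one is present), issue instant freshness, {@code InResponseTo}
 * correlation against the stored {@link LogoutRequest}, {@code Destination} against the
 * endpoint in the context, and the {@code Issuer} (only if one is present). A logout
 * response yields no subject, so {@code validate} always returns {@code null} credentials.
 *
 * <p>The assertion-oriented helpers in this class (bearer subject confirmation, conditions,
 * audience restrictions, assertion signature, {@code EncryptedID} decryption) are not
 * reached from {@code validate}; they are protected API and are kept for subclasses.
 *
 * <p>NOTE(review) on what is <em>not</em> enforced here: an unsigned logout response is
 * accepted when every other check passes, and the peer is only marked authenticated when an
 * enveloped signature was present and trusted; a response without {@code InResponseTo} skips
 * correlation entirely; a response without {@code Destination} skips the endpoint check.
 * Any stricter policy (for example requiring signed logout responses, or rejecting
 * unsolicited ones) has to be applied by a caller or by the binding decoder, which are not
 * visible from this class.
 */
public class SAML2LogoutResponseValidator implements SAML2ResponseValidator {
    private static final Logger logger = LoggerFactory.getLogger((Class<?>) SAML2LogoutResponseValidator.class);

    private static final String STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
    private static final String NAMEID_FORMAT_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity";
    private static final String SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol";
    private static final int DEFAULT_ACCEPTED_SKEW_SECONDS = 120;

    /** Clock skew, in seconds, tolerated on every timestamp comparison. */
    private int acceptedSkew;
    private final SAML2SignatureTrustEngineProvider signatureTrustEngineProvider;
    private final URIComparator uriComparator;

    /**
     * Creates a validator that compares destination URLs with a {@link BasicURLComparator}.
     *
     * @param signatureTrustEngineProvider builds the trust engine used to check XML signatures
     */
    public SAML2LogoutResponseValidator(final SAML2SignatureTrustEngineProvider signatureTrustEngineProvider) {
        this(signatureTrustEngineProvider, new BasicURLComparator());
    }

    /**
     * Creates a validator with an explicit URL comparator.
     *
     * @param signatureTrustEngineProvider builds the trust engine used to check XML signatures
     * @param uriComparator                decides whether the response destination matches an endpoint URL
     */
    public SAML2LogoutResponseValidator(final SAML2SignatureTrustEngineProvider signatureTrustEngineProvider,
                                        final URIComparator uriComparator) {
        this.acceptedSkew = DEFAULT_ACCEPTED_SKEW_SECONDS;
        this.signatureTrustEngineProvider = signatureTrustEngineProvider;
        this.uriComparator = uriComparator;
    }

    /**
     * Validates the message held by the context as a logout response.
     *
     * @param context the inbound message context
     * @return always {@code null}: a logout response carries no subject to build credentials from
     * @throws SAMLException (or one of its more specific subclasses) when any check fails
     */
    @Override // org.pac4j.saml.sso.SAML2ResponseValidator
    public Credentials validate(final SAML2MessageContext context) {
        final SAMLObject message = (SAMLObject) context.getMessage();
        // NOTE(review): in OpenSAML's model LogoutResponse and Response are siblings under
        // StatusResponseType, so this guard as written would reject a genuine LogoutResponse.
        // Confirm which message type the logout flow actually places in the context before
        // relying on this validator end to end.
        if (!(message instanceof Response)) {
            throw new SAMLException("Response instance is an unsupported type");
        }
        final SignatureTrustEngine engine = this.signatureTrustEngineProvider.build();
        validateSamlProtocolResponse((Response) message, context, engine);
        return null;
    }

    /**
     * Runs every protocol-level check on the response (see the class documentation for the order).
     *
     * @param response the logout response
     * @param context  the inbound message context (peer entity, endpoint, message storage)
     * @param engine   trust engine used when the response is signed
     * @throws SAMLException when any check fails
     */
    protected final void validateSamlProtocolResponse(final Response response, final SAML2MessageContext context,
                                                      final SignatureTrustEngine engine) {
        verifySuccessStatus(response);

        // The signature is optional. When present it must be trusted, and only then is the peer
        // marked authenticated. NOTE(review): with the HTTP-Redirect binding the signature covers
        // the query string rather than the XML, so an enforced "must be signed" policy cannot be
        // decided from this element alone; it belongs in the binding decoder or the caller.
        final Signature signature = response.getSignature();
        if (signature != null) {
            validateSignature(signature, context.getSAMLPeerEntityContext().getEntityId(), engine);
            context.getSAMLPeerEntityContext().setAuthenticated(true);
        }

        // IssueInstant is mandatory; a missing one is reported instead of surfacing as an NPE.
        final DateTime issueInstant = response.getIssueInstant();
        if (issueInstant == null) {
            throw new SAMLIssueInstantException("Response issue instant is missing");
        }
        if (!isIssueInstantValid(issueInstant)) {
            throw new SAMLIssueInstantException("Response issue instant is too old or in the future");
        }

        verifyInResponseTo(response, context.getSAMLMessageStorage());

        verifyEndpoint(context.getSAMLEndpointContext().getEndpoint(), response.getDestination());

        // Issuer is optional on a response; when present it must name the expected IdP.
        final Issuer issuer = response.getIssuer();
        if (issuer != null) {
            validateIssuer(issuer, context);
        }
    }

    /**
     * Rejects any response whose status code is not {@code Success}, including a response with
     * no status at all. The status message, when present, is appended to the error text.
     */
    private static void verifySuccessStatus(final Response response) {
        if (response.getStatus() == null || response.getStatus().getStatusCode() == null) {
            throw new SAMLException("Logout response has no status code");
        }
        final String statusCode = response.getStatus().getStatusCode().getValue();
        if (STATUS_SUCCESS.equals(statusCode)) {
            return;
        }
        String detail = statusCode;
        if (response.getStatus().getStatusMessage() != null) {
            detail = detail + " / " + response.getStatus().getStatusMessage().getMessage();
        }
        throw new SAMLException("Logout response is not success ; actual " + detail);
    }

    /**
     * Correlates {@code InResponseTo} with the request previously stored under that id.
     * Nothing is checked when there is no storage or the response carries no {@code InResponseTo};
     * such unsolicited responses are therefore accepted by this step.
     */
    private static void verifyInResponseTo(final Response response, final SAMLMessageStorage storage) {
        final String inResponseTo = response.getInResponseTo();
        if (storage == null || inResponseTo == null) {
            return;
        }
        final XMLObject sentMessage = storage.retrieveMessage(inResponseTo);
        if (sentMessage == null) {
            throw new SAMLInResponseToMismatchException(
                "InResponseToField of the Response doesn't correspond to sent message " + inResponseTo);
        }
        if (!(sentMessage instanceof LogoutRequest)) {
            throw new SAMLInResponseToMismatchException(
                "Sent request was of different type than the expected LogoutRequest " + inResponseTo);
        }
    }

    /**
     * Checks that the response {@code Destination}, when present, equals either the endpoint
     * location or its response location.
     *
     * <p>NOTE(review): the SAML bindings require {@code Destination} on signed messages; a signed
     * response that omits it is still accepted here because this method does not know whether the
     * message was signed.
     *
     * @param endpoint    the endpoint the message was received on (from the context)
     * @param destination the {@code Destination} attribute, possibly {@code null}
     * @throws SAMLEndpointMismatchException on mismatch, on a missing endpoint, or when the
     *                                       comparator itself fails (cause preserved)
     */
    protected final void verifyEndpoint(final Endpoint endpoint, final String destination) {
        if (destination == null) {
            return;
        }
        if (endpoint == null) {
            throw new SAMLEndpointMismatchException("Intended destination " + destination
                + " cannot be verified: no endpoint in the SAML endpoint context");
        }
        final boolean matches;
        try {
            matches = this.uriComparator.compare(destination, endpoint.getLocation())
                || this.uriComparator.compare(destination, endpoint.getResponseLocation());
        } catch (final Exception e) {
            // The comparator may fail on an unparseable URI; treat that as a mismatch but keep the cause.
            throw new SAMLEndpointMismatchException(e);
        }
        // Thrown outside the try so the descriptive message is not wrapped as a nested cause.
        if (!matches) {
            throw new SAMLEndpointMismatchException("Intended destination " + destination
                + " doesn't match any of the endpoint URLs on endpoint " + endpoint.getLocation());
        }
    }

    /**
     * Checks that the issuer uses the entity format (or no format) and names the peer IdP entity id.
     *
     * @throws SAMLIssuerException on a non-entity format or when the value differs from the peer entity id
     */
    protected final void validateIssuer(final Issuer issuer, final SAML2MessageContext context) {
        final String format = issuer.getFormat();
        if (format != null && !format.equals(NAMEID_FORMAT_ENTITY)) {
            throw new SAMLIssuerException("Issuer type is not entity but " + format);
        }
        final String expectedEntityId = context.getSAMLPeerEntityContext().getEntityId();
        if (expectedEntityId == null || !expectedEntityId.equals(issuer.getValue())) {
            throw new SAMLIssuerException("Issuer " + issuer.getValue() + " does not match idp entityId " + expectedEntityId);
        }
    }

    /**
     * Decrypts an {@code EncryptedID} into a {@link NameID}.
     *
     * @return the decrypted name id; {@code null} when there is nothing to decrypt or no decrypter is configured
     * @throws SAMLNameIdDecryptionException when decryption fails
     */
    protected final NameID decryptEncryptedId(final EncryptedID encryptedId, final Decrypter decrypter) throws SAMLException {
        if (encryptedId == null) {
            return null;
        }
        if (decrypter == null) {
            // Best-effort: without key material the id is silently dropped rather than failing validation.
            logger.warn("EncryptedID returned, but no decrypter (keystore) was provided.");
            return null;
        }
        try {
            return decrypter.decrypt(encryptedId);
        } catch (final DecryptionException e) {
            throw new SAMLNameIdDecryptionException("Decryption of an EncryptedID failed.", e);
        }
    }

    /**
     * Applies the bearer subject-confirmation rules: data present, no {@code NotBefore}, a
     * {@code NotOnOrAfter} that has not expired (skew tolerated), and a {@code Recipient} equal
     * to the endpoint location after port normalization. Failures are logged and reported as
     * {@code false} rather than thrown.
     */
    protected final boolean isValidBearerSubjectConfirmationData(final SubjectConfirmationData data,
                                                                 final SAML2MessageContext context) {
        if (data == null) {
            logger.debug("SubjectConfirmationData cannot be null for Bearer confirmation");
            return false;
        }
        if (data.getNotBefore() != null) {
            logger.debug("SubjectConfirmationData notBefore must be null for Bearer confirmation");
            return false;
        }
        if (data.getNotOnOrAfter() == null) {
            logger.debug("SubjectConfirmationData notOnOrAfter cannot be null for Bearer confirmation");
            return false;
        }
        if (data.getNotOnOrAfter().plusSeconds(this.acceptedSkew).isBeforeNow()) {
            logger.debug("SubjectConfirmationData notOnOrAfter is too old");
            return false;
        }
        if (data.getRecipient() == null) {
            logger.debug("SubjectConfirmationData recipient cannot be null for Bearer confirmation");
            return false;
        }
        final Endpoint endpoint = context.getSAMLEndpointContext().getEndpoint();
        if (endpoint == null) {
            logger.warn("No endpoint was found in the SAML endpoint context");
            return false;
        }
        if (endpoint.getLocation() == null) {
            logger.warn("The endpoint in the SAML endpoint context has no location");
            return false;
        }
        try {
            final URI recipient = new URI(data.getRecipient());
            final URI endpointLocation = new URI(endpoint.getLocation());
            if (UriUtils.urisEqualAfterPortNormalization(recipient, endpointLocation)) {
                return true;
            }
            logger.debug("SubjectConfirmationData recipient {} does not match SP assertion consumer URL, found. SP ACS URL from context: {}",
                recipient, endpointLocation);
            return false;
        } catch (final URISyntaxException e) {
            logger.error("Unable to check SubjectConfirmationData recipient, a URI has invalid syntax.", (Throwable) e);
            return false;
        }
    }

    /**
     * Checks the assertion validity window (skew tolerated on both ends) and that the SP's own
     * entity id is among the audiences.
     *
     * @throws SAMLAssertionConditionException when conditions are missing or the window does not contain now
     * @throws SAMLAssertionAudienceException  when the SP entity id is not an audience
     */
    protected final void validateAssertionConditions(final Conditions conditions, final SAML2MessageContext context) {
        if (conditions == null) {
            throw new SAMLAssertionConditionException("Assertion conditions cannot be null");
        }
        final DateTime notBefore = conditions.getNotBefore();
        if (notBefore != null && notBefore.minusSeconds(this.acceptedSkew).isAfterNow()) {
            throw new SAMLAssertionConditionException("Assertion condition notBefore is not valid");
        }
        final DateTime notOnOrAfter = conditions.getNotOnOrAfter();
        if (notOnOrAfter != null && notOnOrAfter.plusSeconds(this.acceptedSkew).isBeforeNow()) {
            throw new SAMLAssertionConditionException("Assertion condition notOnOrAfter is not valid");
        }
        validateAudienceRestrictions(conditions.getAudienceRestrictions(), context.getSAMLSelfEntityContext().getEntityId());
    }

    /**
     * Requires at least one audience restriction and that {@code spEntityId} appears among the
     * collected audience URIs.
     *
     * @throws SAMLException                  when the restriction list is null or empty
     * @throws SAMLAssertionAudienceException when {@code spEntityId} is not among the audiences
     */
    protected final void validateAudienceRestrictions(final List<AudienceRestriction> restrictions, final String spEntityId) {
        if (restrictions == null || restrictions.isEmpty()) {
            throw new SAMLException("Audience restrictions cannot be null or empty");
        }
        final Set<String> audienceUris = new HashSet<>();
        for (final AudienceRestriction restriction : restrictions) {
            if (restriction.getAudiences() == null) {
                continue;
            }
            for (final Audience audience : restriction.getAudiences()) {
                audienceUris.add(audience.getAudienceURI());
            }
        }
        if (!audienceUris.contains(spEntityId)) {
            throw new SAMLAssertionAudienceException("Assertion audience " + audienceUris + " does not match SP configuration " + spEntityId);
        }
    }

    /**
     * Validates an assertion signature when present; when absent, accepts only if the peer was
     * already authenticated (i.e. the enclosing response was signed and trusted).
     *
     * @throws SAMLSignatureRequiredException when neither the assertion nor the response is signed
     */
    protected final void validateAssertionSignature(final Signature signature, final SAML2MessageContext context,
                                                    final SignatureTrustEngine engine) {
        final SAMLPeerEntityContext peer = context.getSAMLPeerEntityContext();
        if (signature != null) {
            validateSignature(signature, peer.getEntityId(), engine);
            return;
        }
        if (!peer.isAuthenticated()) {
            throw new SAMLSignatureRequiredException("Assertion or response must be signed");
        }
    }

    /**
     * Checks the signature profile (enveloped, single reference, no transforms outside the
     * SAML profile) and then asks the trust engine whether it verifies under a signing key
     * that the metadata publishes for {@code entityId} in the IdP SSO role for SAML 2.0.
     * Binding the criteria to the peer entity id is what prevents a key from some other
     * trusted entity from validating this response.
     *
     * @throws SAMLSignatureValidationException when the profile check fails, the engine errors, or the signature is untrusted
     */
    protected final void validateSignature(final Signature signature, final String entityId, final SignatureTrustEngine engine) {
        try {
            new SAMLSignatureProfileValidator().validate(signature);
        } catch (final SignatureException e) {
            throw new SAMLSignatureValidationException("SAMLSignatureProfileValidator failed to validate signature", e);
        }
        final CriteriaSet criteria = new CriteriaSet();
        criteria.add(new UsageCriterion(UsageType.SIGNING));
        criteria.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
        criteria.add(new ProtocolCriterion(SAML2_PROTOCOL));
        criteria.add(new EntityIdCriterion(entityId));
        final boolean trusted;
        try {
            trusted = engine.validate(signature, criteria);
        } catch (final SecurityException e) {
            throw new SAMLSignatureValidationException("An error occurred during signature validation", e);
        }
        if (!trusted) {
            throw new SAMLSignatureValidationException("Signature is not trusted");
        }
    }

    /**
     * Returns whether {@code instant} lies strictly inside
     * {@code (now - acceptedSkew - windowSeconds, now + acceptedSkew)}, comparing in UTC.
     * A single {@code now} is sampled so both bounds derive from the same instant.
     */
    private boolean isDateValid(final DateTime instant, final int windowSeconds) {
        final DateTime now = DateTime.now(DateTimeZone.UTC);
        final DateTime upperBound = now.plusSeconds(this.acceptedSkew);
        final DateTime lowerBound = now.minusSeconds(this.acceptedSkew + windowSeconds);
        final DateTime utcInstant = instant.toDateTime(DateTimeZone.UTC);
        final boolean valid = utcInstant.isBefore(upperBound) && utcInstant.isAfter(lowerBound);
        if (!valid) {
            logger.trace("interval={},before={},after={},issueInstant={}", Integer.valueOf(windowSeconds),
                upperBound.toDateTime(utcInstant.getZone()), lowerBound.toDateTime(utcInstant.getZone()), utcInstant);
        }
        return valid;
    }

    /** An issue instant is valid when it is within the accepted skew of now, with no extra window. */
    private boolean isIssueInstantValid(final DateTime issueInstant) {
        return isDateValid(issueInstant, 0);
    }

    /**
     * Sets the clock skew tolerated on timestamp comparisons.
     *
     * @param acceptedSkew skew in seconds
     */
    @Override // org.pac4j.saml.sso.SAML2ResponseValidator
    public final void setAcceptedSkew(final int acceptedSkew) {
        this.acceptedSkew = acceptedSkew;
    }

    /**
     * No-op: a logout response carries no authentication statement for a maximum lifetime to
     * apply to, so the value is intentionally ignored by this validator.
     */
    @Override // org.pac4j.saml.sso.SAML2ResponseValidator
    public final void setMaximumAuthenticationLifetime(final int maximumAuthenticationLifetime) {
    }
}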
