package com.alfaariss.oa.authentication.remote.saml2.util;

import com.alfaariss.oa.OAException;
import com.alfaariss.oa.RequestorEvent;
import com.alfaariss.oa.engine.core.Engine;
import com.alfaariss.oa.engine.core.crypto.CryptoException;
import com.alfaariss.oa.engine.core.crypto.CryptoManager;
import com.alfaariss.oa.util.saml2.SAML2SecurityException;
import com.alfaariss.oa.util.saml2.crypto.SAML2CryptoUtils;
import com.alfaariss.oa.util.saml2.idp.SAML2IDP;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.Configuration;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.saml2.binding.security.SAML2HTTPPostSimpleSignRule;
import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.ws.security.SecurityPolicyException;
import org.opensaml.ws.transport.http.HTTPInTransport;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.ChainingCredentialResolver;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.StaticCredentialResolver;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.opensaml.xml.util.DatatypeHelper;
import org.opensaml.xml.validation.ValidationException;

/* loaded from: input_file:com/alfaariss/oa/authentication/remote/saml2/util/ResponseValidator.class */
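/**
 * Verifies the signature(s) on an inbound SAML2 message received from one
 * configured remote IdP (the {@code SAML2IDP} passed to the constructor).
 *
 * <p>Trust is anchored on the <em>configured</em> IdP: the credential lookup
 * uses the IdP's ID from configuration ({@code _issuer}) together with the
 * IdP's metadata and/or its certificate from the local keystore. The
 * {@code <Issuer>} element of the message itself is never consulted here, so
 * matching the message issuer against the configured IdP is the caller's
 * job (not visible in this class).
 *
 * <p>Two kinds of signature are handled:
 * <ul>
 *   <li>an enveloped XML signature on the SAML object, checked against the
 *       SAML signature profile and then against the explicit-key trust
 *       engine; and</li>
 *   <li>a binding-level {@code Signature} request parameter (HTTP-Redirect /
 *       HTTP-POST-SimpleSign), checked by the OpenSAML binding rules.</li>
 * </ul>
 * With {@code signatureRequired == true} a message that carries neither is
 * rejected; note that a message carrying <em>only</em> a binding-level
 * signature is then rejected as well, because {@link #validateMessage}
 * returns {@code false} for an unsigned XML object before the binding rules
 * run (behaviour preserved from the original, see {@link #validateSignature}).
 */
public class ResponseValidator {
    private final Log _logger;
    /** Our own signing credential; only its presence is used (see constructor). */
    private final Credential _credential;
    private final CryptoManager _cryptoManager;
    private final SAML2IDP _organization;
    private final KeyInfoCredentialResolver _keyInfoCredResolver;
    private final SAMLSignatureProfileValidator _profileValidator;
    private final BasicParserPool _pool;
    /** Trust anchors for the IdP's signing key: metadata first, then keystore. */
    private final ChainingCredentialResolver _chainingCredentialResolver;
    private final SignatureTrustEngine _sigTrustEngine;
    /** Our own entity ID (used only to look up our own credential). */
    private final String _sEntityID;
    /** ID of the configured IdP; {@code null} when no IdP was supplied. */
    private final String _issuer;
    private final boolean _signatureRequired;

    /**
     * Builds the trust engine for messages from {@code saml2idp}.
     *
     * @param str       our own entity ID, used to fetch our signing credential
     * @param saml2idp  the remote IdP whose signatures are to be verified; may be
     *                  {@code null}, in which case no metadata anchor is added
     *                  and {@code _issuer} stays {@code null}
     * @param z         whether an unsigned message must be rejected
     */
    public ResponseValidator(String str, SAML2IDP saml2idp, boolean z) {
        this._logger = LogFactory.getLog(ResponseValidator.class);
        this._cryptoManager = Engine.getInstance().getCryptoManager();
        this._sEntityID = str;
        this._organization = saml2idp;
        this._signatureRequired = z;

        Credential ownCredential = null;
        try {
            ownCredential = SAML2CryptoUtils.retrieveMySigningCredentials(this._cryptoManager, this._sEntityID);
        } catch (OAException e) {
            // FIX: this failure used to be swallowed silently, leaving no trace
            // in the logs even though it also disables the keystore trust anchor
            // added further down.
            this._logger.debug("Could not retrieve own signing credentials for entity: " + this._sEntityID, e);
        }
        this._credential = ownCredential;

        this._keyInfoCredResolver = Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
        this._profileValidator = new SAMLSignatureProfileValidator();
        this._pool = new BasicParserPool();
        this._pool.setNamespaceAware(true);

        // Anchor 1: the IdP's SAML metadata, if a provider is configured.
        this._chainingCredentialResolver = new ChainingCredentialResolver();
        String issuer = null;
        if (this._organization != null) {
            issuer = this._organization.getID();
            MetadataProvider metadataProvider = null;
            try {
                metadataProvider = this._organization.getMetadataProvider();
            } catch (OAException e) {
                this._logger.debug("Could not resolve Metadata provider for issuer: " + issuer);
            }
            if (metadataProvider != null) {
                this._logger.debug("Metadata provider found for issuer: " + issuer);
                this._chainingCredentialResolver.getResolverChain().add(new MetadataCredentialResolver(metadataProvider));
            }
        }
        this._issuer = issuer;

        // Anchor 2: the IdP's certificate from the local keystore.
        // NOTE(review): this anchor is only added when *our own* signing
        // credential could be loaded. The two are unrelated; presumably both
        // live in the same keystore and this acts as a "keystore available"
        // check - confirm before relying on it. If this step is skipped and
        // there is no metadata provider either, the resolver chain stays empty
        // and validateSignature() rejects every message.
        if (this._credential != null) {
            try {
                this._chainingCredentialResolver.getResolverChain().add(
                        new StaticCredentialResolver(
                                SAML2CryptoUtils.retrieveSigningCredentials(this._cryptoManager, this._issuer)));
            } catch (CryptoException e) {
                this._logger.debug("No trusted certificate found for issuer: " + this._issuer);
            }
        }

        // Explicit-key trust: the key that produced a signature must match one
        // of the credentials resolved above. KeyInfo carried inside the message
        // only helps locate the signing key; it is never itself a trust anchor.
        this._sigTrustEngine = new ExplicitKeySignatureTrustEngine(this._chainingCredentialResolver, this._keyInfoCredResolver);
    }

    /**
     * Validates the signature(s) on the inbound message of {@code sAMLMessageContext},
     * treating the peer as an IdP (peer role {@code IDPSSODescriptor}) so that
     * metadata-based key resolution looks up the IdP's signing keys.
     *
     * @throws SAML2SecurityException if a signature is required but missing, or
     *         a present signature fails profile or trust validation
     * @throws OAException on an internal error while evaluating a signature
     */
    public void validateResponse(SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> sAMLMessageContext) throws SAML2SecurityException, OAException {
        sAMLMessageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
        validateMessage(sAMLMessageContext);
    }

    /**
     * Checks the enveloped XML signature of {@code signableSAMLObject} against
     * the trust engine built in the constructor.
     *
     * <p>The credential criteria use the <em>configured</em> IdP ID
     * ({@code _issuer}), the peer role and inbound protocol already set on the
     * context (callers other than {@link #validateResponse} must set the peer
     * role themselves), and usage {@code SIGNING}.
     *
     * @return {@code true} if the object is signed and the signature is trusted,
     *         or if it is unsigned and signatures are not required;
     *         {@code false} otherwise
     * @throws OAException (code 1; meaning defined outside this class) if the
     *         trust engine itself fails to evaluate the signature
     */
    public boolean validateMessage(SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> sAMLMessageContext, SignableSAMLObject signableSAMLObject) throws OAException {
        if (!signableSAMLObject.isSigned()) {
            // Unsigned XML is acceptable only when signatures are optional.
            return !this._signatureRequired;
        }
        Signature signature = signableSAMLObject.getSignature();

        // FIX: this public entry point used to verify trust without first
        // enforcing the SAML signature profile (single enveloped reference to
        // the signed element itself). That check only ran on the
        // validateSignature() path, so a direct caller could accept a signature
        // over some other part of the document. Run it here too; it is
        // idempotent when validateSignature() has already applied it.
        try {
            this._profileValidator.validate(signature);
        } catch (ValidationException e) {
            this._logger.debug("Signature does not conform to the SAML signature profile", e);
            return false;
        }

        CriteriaSet criteriaSet = new CriteriaSet();
        criteriaSet.add(new EntityIDCriteria(this._issuer));
        criteriaSet.add(new MetadataCriteria(sAMLMessageContext.getPeerEntityRole(), sAMLMessageContext.getInboundSAMLProtocol()));
        criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
        try {
            return this._sigTrustEngine.validate(signature, criteriaSet);
        } catch (SecurityException e) {
            this._logger.error("Processing error evaluating the signature", e);
            throw new OAException(1);
        }
    }

    /**
     * Full signature check for the inbound message: signature profile, XML
     * signature trust, and then the binding-level (Redirect / POST-SimpleSign)
     * signature rules.
     *
     * <p>Rejects outright when no trust anchor at all could be resolved in the
     * constructor. Any {@code SecurityPolicyException} or
     * {@code ValidationException} is logged at debug level and turned into a
     * {@code false} result, i.e. a rejection.
     *
     * @return {@code true} only if every applicable check passed
     * @throws OAException on an internal error in the trust engine
     */
    protected boolean validateSignature(SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> sAMLMessageContext) throws OAException {
        try {
            SignableSAMLObject inbound = (SignableSAMLObject) sAMLMessageContext.getInboundSAMLMessage();
            if (inbound.isSigned()) {
                // Reject signatures that do not cover the signed element itself
                // (the usual signature-wrapping defence) before trusting anything.
                this._profileValidator.validate(inbound.getSignature());
            }
            if (this._chainingCredentialResolver.getResolverChain().isEmpty()) {
                // No metadata and no keystore certificate: nothing to trust against.
                this._logger.warn("No trusted certificate or metadata found for issuer: " + this._issuer);
                return false;
            }
            if (!validateMessage(sAMLMessageContext, inbound)) {
                // Note: for an unsigned XML object this is !_signatureRequired,
                // so with signatures required a binding-only signature never
                // reaches the rules below and the message is rejected.
                return false;
            }
            // Binding-level signatures: each rule is a no-op for bindings it
            // does not apply to and throws SecurityPolicyException on failure.
            new SAML2HTTPRedirectDeflateSignatureRule(this._sigTrustEngine).evaluate(sAMLMessageContext);
            new SAML2HTTPPostSimpleSignRule(this._sigTrustEngine, this._pool, this._keyInfoCredResolver).evaluate(sAMLMessageContext);
            return true;
        } catch (SecurityPolicyException e) {
            this._logger.debug("Invalid signature", e);
            return false;
        } catch (ValidationException e) {
            this._logger.debug("Invalid signature", e);
            return false;
        }
    }

    /**
     * Decides whether the inbound message must be signature-checked and throws
     * when a required check is missing or fails.
     *
     * <p>A message "has a signature" if the SAML object carries an XML
     * signature or the inbound transport carries a non-empty {@code Signature}
     * parameter. Without one, the message passes only when signatures are not
     * required; with one, {@link #validateSignature} must succeed.
     *
     * @throws SAML2SecurityException ({@code REQUEST_INVALID}) if a required
     *         signature is missing or a present signature is invalid
     * @throws OAException on an internal error in the trust engine
     */
    private void validateMessage(SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> sAMLMessageContext) throws SAML2SecurityException, OAException {
        // The original evaluated this._organization.getID() here when the
        // context had no inbound issuer and discarded the result (a no-op);
        // presumably it meant to default the message issuer - TODO confirm
        // against the project source. Dropped as dead code; nothing in this
        // class reads the context's issuer.
        SignableSAMLObject inboundSAMLMessage = sAMLMessageContext.getInboundSAMLMessage();

        String bindingSignature = null;
        HTTPInTransport inboundMessageTransport = sAMLMessageContext.getInboundMessageTransport();
        if (inboundMessageTransport != null) {
            bindingSignature = inboundMessageTransport.getParameterValue("Signature");
        }
        boolean hasBindingSignature = !DatatypeHelper.isEmpty(bindingSignature);

        if (!hasBindingSignature && !inboundSAMLMessage.isSigned()) {
            if (this._signatureRequired) {
                this._logger.debug("No signature received for message, which is required");
                throw new SAML2SecurityException(RequestorEvent.REQUEST_INVALID);
            }
            return;
        }

        if (!validateSignature(sAMLMessageContext)) {
            this._logger.debug("Invalid XML signature received for message");
            throw new SAML2SecurityException(RequestorEvent.REQUEST_INVALID);
        }
        this._logger.debug("XML signature validation okay");
    }
}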
