package org.pac4j.saml.profile.impl;

import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.List;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.net.URIComparator;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.messaging.handler.MessageHandlerException;
import org.opensaml.saml.common.binding.security.impl.MessageReplaySecurityHandler;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.criterion.ProtocolCriterion;
import org.opensaml.saml.saml2.core.EncryptedID;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.NameIDType;
import org.opensaml.saml.saml2.core.Status;
import org.opensaml.saml.saml2.core.StatusCode;
import org.opensaml.saml.saml2.core.StatusMessage;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.xmlsec.encryption.support.DecryptionException;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.pac4j.core.logout.handler.LogoutHandler;
import org.pac4j.saml.context.SAML2MessageContext;
import org.pac4j.saml.credentials.SAML2Credentials;
import org.pac4j.saml.crypto.SAML2SignatureTrustEngineProvider;
import org.pac4j.saml.exceptions.SAMLEndpointMismatchException;
import org.pac4j.saml.exceptions.SAMLException;
import org.pac4j.saml.exceptions.SAMLIssueInstantException;
import org.pac4j.saml.exceptions.SAMLIssuerException;
import org.pac4j.saml.exceptions.SAMLNameIdDecryptionException;
import org.pac4j.saml.exceptions.SAMLReplayException;
import org.pac4j.saml.exceptions.SAMLSignatureValidationException;
import org.pac4j.saml.profile.api.SAML2ResponseValidator;
import org.pac4j.saml.replay.ReplayCacheProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/pac4j/saml/profile/impl/AbstractSAML2ResponseValidator.class */
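/**
 * Shared validation steps for SAML 2.0 responses: status, XML signature, issuer,
 * issue instant, destination endpoint, message replay and NameID decryption.
 * Concrete validators compose these steps for a specific message type.
 *
 * <p>Every failed check is reported as a {@link SAMLException} (or a subtype) so
 * that callers can treat all of them as an authentication failure. The accepted
 * clock skew ({@link #setAcceptedSkew(long)}) is a plain, non-volatile field and
 * is meant to be set during configuration, before the validator is shared.
 */
public abstract class AbstractSAML2ResponseValidator implements SAML2ResponseValidator {
    protected final SAML2SignatureTrustEngineProvider signatureTrustEngineProvider;
    protected final URIComparator uriComparator;
    protected final Decrypter decrypter;
    protected final LogoutHandler logoutHandler;
    protected final ReplayCacheProvider replayCache;
    protected final Logger logger = LoggerFactory.getLogger(getClass());
    // Clock-skew tolerance in seconds; bounds the issue-instant window on both sides and
    // sets the replay-cache entry lifetime.
    protected long acceptedSkew = 120;

    /**
     * Creates a validator from its collaborators.
     *
     * @param sAML2SignatureTrustEngineProvider source of the trust engine used for signature validation
     * @param decrypter                         decrypter for encrypted NameIDs; may be {@code null}, in which
     *                                          case {@link #decryptEncryptedId} skips decryption with a warning
     * @param logoutHandler                     logout handler retained for subclasses
     * @param replayCacheProvider               replay cache; may be {@code null}, in which case
     *                                          {@link #verifyMessageReplay} skips the check with a warning
     * @param uRIComparator                     comparator used to match Destination against endpoint URLs
     */
    public AbstractSAML2ResponseValidator(SAML2SignatureTrustEngineProvider sAML2SignatureTrustEngineProvider, Decrypter decrypter, LogoutHandler logoutHandler, ReplayCacheProvider replayCacheProvider, URIComparator uRIComparator) {
        this.signatureTrustEngineProvider = sAML2SignatureTrustEngineProvider;
        this.decrypter = decrypter;
        this.logoutHandler = logoutHandler;
        this.replayCache = replayCacheProvider;
        this.uriComparator = uRIComparator;
    }

    /**
     * Requires the response status to be {@link StatusCode#SUCCESS}.
     *
     * @param status the response status element
     * @throws SAMLException if the status or its code is missing, or the code is not success;
     *                       the message carries the actual code and, when present, the status message
     */
    public void validateSuccess(Status status) {
        if (status == null || status.getStatusCode() == null) {
            throw new SAMLException("Missing response status or status code");
        }
        String actualCode = status.getStatusCode().getValue();
        if (StatusCode.SUCCESS.equals(actualCode)) {
            return;
        }
        StatusMessage detail = status.getStatusMessage();
        String description = detail == null ? actualCode : actualCode + " / " + detail.getValue();
        throw new SAMLException("Response is not success ; actual " + description);
    }

    /**
     * Validates the signature when one is present and marks the peer entity as authenticated.
     *
     * <p>A missing signature is not an error here: the message is simply not validated and the
     * peer is not marked authenticated. Any requirement that a signature be present must be
     * enforced by the caller.
     *
     * @param signature           the signature to validate, or {@code null} if the message is unsigned
     * @param sAML2MessageContext the message context providing the peer entity id
     * @param signatureTrustEngine trust engine that decides whether the signing key is trusted
     * @throws SAMLSignatureValidationException if the signature is present but invalid or untrusted
     */
    public void validateSignatureIfItExists(Signature signature, SAML2MessageContext sAML2MessageContext, SignatureTrustEngine signatureTrustEngine) {
        if (signature == null) {
            this.logger.debug("Cannot locate a signature from the message; skipping validation");
            return;
        }
        String peerEntityId = sAML2MessageContext.getSAMLPeerEntityContext().getEntityId();
        validateSignature(signature, peerEntityId, signatureTrustEngine);
        sAML2MessageContext.getSAMLPeerEntityContext().setAuthenticated(true);
        this.logger.debug("Successfully validated signature for entity id {}", peerEntityId);
    }

    /**
     * Validates a signature in two stages: the SAML signature profile (structure of the
     * {@code ds:Signature} element) and then trust of the signing key via the trust engine,
     * constrained to the IdP SSO role, the SAML 2.0 protocol and the given entity id.
     *
     * @param signature            the signature to validate
     * @param str                  the expected signer's entity id
     * @param signatureTrustEngine trust engine consulted with the constructed criteria
     * @throws SAMLSignatureValidationException if either stage fails or errors
     */
    public void validateSignature(Signature signature, String str, SignatureTrustEngine signatureTrustEngine) {
        SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
        try {
            this.logger.debug("Validating profile signature for entity id {}", str);
            profileValidator.validate(signature);

            CriteriaSet criteria = new CriteriaSet();
            criteria.add(new UsageCriterion(UsageType.SIGNING));
            criteria.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
            criteria.add(new ProtocolCriterion(SAMLConstants.SAML20P_NS));
            criteria.add(new EntityIdCriterion(str));

            // The trust-engine call is wrapped separately so that an exception raised by it is
            // never attributed to the profile validator in the error message.
            try {
                this.logger.debug("Validating signature via trust engine for entity id {}", str);
                if (!signatureTrustEngine.validate(signature, criteria)) {
                    throw new SAMLSignatureValidationException("Signature is not trusted");
                }
            } catch (SecurityException e) {
                throw new SAMLSignatureValidationException("An error occurred during signature validation", e);
            }
        } catch (SignatureException e2) {
            throw new SAMLSignatureValidationException("SAMLSignatureProfileValidator failed to validate signature", e2);
        }
    }

    /**
     * Validates the issuer when one is present; a missing issuer is accepted.
     *
     * @param issuer              the issuer element, or {@code null}
     * @param sAML2MessageContext the message context providing the expected IdP entity id
     * @throws SAMLIssuerException if an issuer is present but does not match (see {@link #validateIssuer})
     */
    public void validateIssuerIfItExists(Issuer issuer, SAML2MessageContext sAML2MessageContext) {
        if (issuer == null) {
            return;
        }
        validateIssuer(issuer, sAML2MessageContext);
    }

    /**
     * Requires the issuer to be of entity format (or unspecified format) and to equal the
     * peer (IdP) entity id from the context.
     *
     * @param issuer              the issuer element
     * @param sAML2MessageContext the message context providing the expected IdP entity id
     * @throws SAMLIssuerException if the format is set but is not {@link NameIDType#ENTITY}, or the
     *                             value differs from the peer entity id (including a {@code null} peer id)
     */
    public void validateIssuer(Issuer issuer, SAML2MessageContext sAML2MessageContext) {
        String format = issuer.getFormat();
        if (format != null && !format.equals(NameIDType.ENTITY)) {
            throw new SAMLIssuerException("Issuer type is not entity but " + format);
        }
        String expectedEntityId = sAML2MessageContext.getSAMLPeerEntityContext().getEntityId();
        this.logger.debug("Comparing issuer {} against {}", issuer.getValue(), expectedEntityId);
        // A null expected id never matches; comparison is driven from the expected side so a
        // null issuer value cannot cause a NullPointerException.
        if (expectedEntityId == null || !expectedEntityId.equals(issuer.getValue())) {
            throw new SAMLIssuerException("Issuer " + issuer.getValue() + " does not match idp entityId " + expectedEntityId);
        }
    }

    /**
     * Requires the issue instant to lie within the accepted skew of the current time.
     *
     * @param instant the message issue instant; {@code null} is treated as invalid
     * @throws SAMLIssueInstantException if the instant is missing, too old or in the future
     */
    public void validateIssueInstant(Instant instant) {
        if (!isIssueInstantValid(instant)) {
            throw new SAMLIssueInstantException("Issue instant is too old or in the future");
        }
    }

    /**
     * Checks the issue instant against the skew window with no additional past interval.
     *
     * @param instant the instant to check; {@code null} is invalid
     * @return {@code true} if {@link #isDateValid(Instant, long)} accepts it with interval {@code 0}
     */
    protected boolean isIssueInstantValid(Instant instant) {
        return isDateValid(instant, 0L);
    }

    /**
     * Checks whether {@code instant} lies strictly inside the window
     * {@code (now - acceptedSkew - j, now + acceptedSkew)}, evaluated in UTC.
     * Both bounds are exclusive, so an instant exactly on a bound is rejected.
     *
     * @param instant the instant to check; {@code null} is reported as invalid rather than
     *                raising a {@code NullPointerException}
     * @param j       extra number of seconds allowed into the past, on top of the skew
     * @return {@code true} if the instant is inside the window; a rejection is logged at WARN
     */
    public boolean isDateValid(Instant instant, long j) {
        if (instant == null) {
            this.logger.warn("interval={},issueInstant=null", Long.valueOf(j));
            return false;
        }
        ZonedDateTime now = ZonedDateTime.now(ZoneOffset.UTC);
        ZonedDateTime upperBound = now.plusSeconds(this.acceptedSkew);
        ZonedDateTime lowerBound = now.minusSeconds(this.acceptedSkew + j);
        ZonedDateTime candidate = ZonedDateTime.ofInstant(instant, ZoneOffset.UTC);
        boolean insideWindow = candidate.isBefore(upperBound) && candidate.isAfter(lowerBound);
        if (!insideWindow) {
            this.logger.warn("interval={},before={},after={},issueInstant={}", Long.valueOf(j), upperBound, lowerBound, candidate);
        }
        return insideWindow;
    }

    /**
     * Verifies the message Destination against the configured endpoint URLs.
     *
     * <p>A {@code null} destination is accepted only when {@code z} is {@code false}. Otherwise
     * the destination must compare equal (via {@link #compareEndpoints}) to every URL in
     * {@code list}; an empty or {@code null} list is rejected so that a missing endpoint
     * configuration cannot make the check pass trivially.
     *
     * @param list the configured endpoint URLs
     * @param str  the Destination attribute of the message, or {@code null} if absent
     * @param z    whether a Destination is mandatory
     * @throws SAMLEndpointMismatchException if the destination is required but missing, or does not match
     */
    public void verifyEndpoint(List<String> list, String str, boolean z) {
        if (str == null) {
            if (z) {
                throw new SAMLEndpointMismatchException("SAML configuration does not allow response Destination to be null");
            }
            return;
        }
        // NOTE(review): allMatch requires the destination to match every configured URL although
        // the message reads "any"; semantics kept unchanged — confirm against the callers.
        // The emptiness check is needed because allMatch over an empty stream is true.
        boolean matches = list != null && !list.isEmpty()
            && list.stream().allMatch(endpoint -> compareEndpoints(str, endpoint));
        if (!matches) {
            throw new SAMLEndpointMismatchException("Intended destination " + str + " doesn't match any of the endpoint URLs  " + list);
        }
    }

    /**
     * Compares two endpoint URLs with the configured {@link URIComparator}.
     *
     * @param str  the destination URL
     * @param str2 a configured endpoint URL
     * @return the comparator's verdict
     * @throws SAMLEndpointMismatchException wrapping any failure of the comparator itself, so that a
     *                                       comparison error is reported as a mismatch rather than escaping
     */
    protected boolean compareEndpoints(String str, String str2) {
        try {
            return this.uriComparator.compare(str, str2);
        } catch (Exception e) {
            throw new SAMLEndpointMismatchException(e);
        }
    }

    /**
     * Rejects a message whose id has already been seen, using the configured replay cache.
     * Entries are retained for {@code acceptedSkew} seconds. When no replay cache is
     * configured the check is skipped with a warning.
     *
     * @param sAML2MessageContext the message context to check
     * @throws SAMLException       if the replay handler cannot be initialized
     * @throws SAMLReplayException if the handler rejects the message (replay detected)
     */
    public void verifyMessageReplay(SAML2MessageContext sAML2MessageContext) {
        if (this.replayCache == null) {
            this.logger.warn("No replay cache specified, skipping replay verification");
            return;
        }
        try {
            MessageReplaySecurityHandler replayHandler = new MessageReplaySecurityHandler();
            // ofSeconds avoids the multiplication (and its overflow) of the millisecond form.
            replayHandler.setExpires(Duration.ofSeconds(this.acceptedSkew));
            replayHandler.setReplayCache(this.replayCache.get());
            replayHandler.initialize();
            replayHandler.invoke(sAML2MessageContext.getMessageContext());
        } catch (ComponentInitializationException e) {
            throw new SAMLException(e);
        } catch (MessageHandlerException e2) {
            throw new SAMLReplayException(e2);
        }
    }

    /**
     * Decrypts an {@link EncryptedID} into a {@link NameID}.
     *
     * @param encryptedID the encrypted id, or {@code null}
     * @param decrypter   the decrypter to use, or {@code null} if no decryption key is configured
     * @return the decrypted NameID, or {@code null} if {@code encryptedID} is {@code null} or no
     *         decrypter is available (the latter is logged at WARN)
     * @throws SAMLNameIdDecryptionException if decryption fails
     * @throws SAMLException                 if the decrypted element is not a {@link NameID}
     */
    public NameID decryptEncryptedId(EncryptedID encryptedID, Decrypter decrypter) throws SAMLException {
        if (encryptedID == null) {
            return null;
        }
        if (decrypter == null) {
            this.logger.warn("Encrypted attributes returned, but no keystore was provided.");
            return null;
        }
        try {
            this.logger.debug("Decrypting name id {}", encryptedID);
            Object decrypted = decrypter.decrypt(encryptedID);
            // decrypt() is not typed as NameID; an unexpected element must surface as a
            // SAMLException rather than a ClassCastException that bypasses callers' handling.
            if (!(decrypted instanceof NameID)) {
                String actualType = decrypted == null ? "null" : decrypted.getClass().getName();
                throw new SAMLException("Decrypted EncryptedID is not a NameID but " + actualType);
            }
            return (NameID) decrypted;
        } catch (DecryptionException e) {
            throw new SAMLNameIdDecryptionException("Decryption of an EncryptedID failed.", e);
        }
    }

    /**
     * Chooses the key under which a session is tracked for single logout: the session index
     * when present, otherwise the NameID value.
     *
     * @param str         the session index, or {@code null}
     * @param sAMLNameID  the subject NameID, or {@code null}
     * @return the session index, else the NameID value, else {@code null}
     */
    public String computeSloKey(String str, SAML2Credentials.SAMLNameID sAMLNameID) {
        if (str != null) {
            return str;
        }
        return sAMLNameID == null ? null : sAMLNameID.getValue();
    }

    /**
     * Sets the accepted clock skew in seconds (default 120). Intended to be called during
     * configuration; the field is not volatile.
     *
     * @param j the skew in seconds
     */
    @Override // org.pac4j.saml.profile.api.SAML2ResponseValidator
    public final void setAcceptedSkew(long j) {
        this.acceptedSkew = j;
    }
}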
