package org.springframework.security.saml.spi;

import java.net.URI;
import java.net.URISyntaxException;
import java.time.Clock;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Optional;
import org.joda.time.DateTime;
import org.joda.time.Interval;
import org.springframework.security.saml.SamlValidator;
import org.springframework.security.saml.key.SimpleKey;
import org.springframework.security.saml.provider.HostedProviderService;
import org.springframework.security.saml.saml2.Saml2Object;
import org.springframework.security.saml.saml2.authentication.Assertion;
import org.springframework.security.saml.saml2.authentication.AssertionCondition;
import org.springframework.security.saml.saml2.authentication.AudienceRestriction;
import org.springframework.security.saml.saml2.authentication.AuthenticationRequest;
import org.springframework.security.saml.saml2.authentication.AuthenticationStatement;
import org.springframework.security.saml.saml2.authentication.Conditions;
import org.springframework.security.saml.saml2.authentication.Issuer;
import org.springframework.security.saml.saml2.authentication.LogoutRequest;
import org.springframework.security.saml.saml2.authentication.LogoutResponse;
import org.springframework.security.saml.saml2.authentication.Response;
import org.springframework.security.saml.saml2.authentication.StatusCode;
import org.springframework.security.saml.saml2.authentication.SubjectConfirmation;
import org.springframework.security.saml.saml2.authentication.SubjectConfirmationData;
import org.springframework.security.saml.saml2.authentication.SubjectConfirmationMethod;
import org.springframework.security.saml.saml2.metadata.Endpoint;
import org.springframework.security.saml.saml2.metadata.IdentityProviderMetadata;
import org.springframework.security.saml.saml2.metadata.Metadata;
import org.springframework.security.saml.saml2.metadata.NameId;
import org.springframework.security.saml.saml2.metadata.ServiceProviderMetadata;
import org.springframework.security.saml.saml2.signature.Signature;
import org.springframework.security.saml.saml2.signature.SignatureException;
import org.springframework.security.saml.util.DateUtils;
import org.springframework.security.saml.validation.ValidationException;
import org.springframework.security.saml.validation.ValidationResult;
import org.springframework.util.StringUtils;

/* loaded from: input_file:WEB-INF/lib/spring-security-saml2-core-2.0.0.M30.jar:org/springframework/security/saml/spi/DefaultValidator.class */
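/**
 * Default {@link SamlValidator}.
 *
 * <p>XML signature verification is delegated to the configured {@link SpringSecuritySaml}
 * implementation; this class applies the structural and timing rules of the SAML 2.0 Web SSO
 * profile to responses and assertions (status, IssueInstant skew, InResponseTo correlation,
 * Destination/Recipient, Issuer, bearer subject confirmation, Conditions and AudienceRestriction).
 * Metadata, authentication requests and logout messages are currently accepted without checks.
 *
 * <p>Every time-based comparison reads the injected {@link Clock} (see {@link #setTime(Clock)}),
 * so validation can be pinned in tests; the default is {@link Clock#systemUTC()}.
 *
 * <p>The setters are plain field writes; configure the instance before sharing it.
 */
public class DefaultValidator implements SamlValidator {
    private SpringSecuritySaml implementation;
    // Tolerated clock drift between this provider and the remote one; applied on both
    // sides of every time window below.
    private int responseSkewTimeMillis = 120000;
    // Defaults to accepting IdP-initiated (unsolicited) responses. The response-level
    // InResponseTo correlation is only enforced when this is false.
    private boolean allowUnsolicitedResponses = true;
    // Oldest AuthnInstant still accepted in an AuthnStatement (24 hours).
    private int maxAuthenticationAgeMillis = 86400000;
    // Source of "now" for all time checks.
    private Clock time = Clock.systemUTC();

    /**
     * Creates a validator that delegates signature verification to {@code springSecuritySaml}.
     *
     * @param springSecuritySaml implementation used by {@link #validateSignature(Saml2Object, List)}
     */
    public DefaultValidator(SpringSecuritySaml springSecuritySaml) {
        setImplementation(springSecuritySaml);
    }

    private void setImplementation(SpringSecuritySaml springSecuritySaml) {
        this.implementation = springSecuritySaml;
    }

    /**
     * Replaces the clock used for every time-based check.
     *
     * @param clock clock to read "now" from
     * @return this validator, for chaining
     */
    public DefaultValidator setTime(Clock clock) {
        this.time = clock;
        return this;
    }

    /**
     * Verifies the XML signature of {@code saml2Object} against {@code list}.
     *
     * @param saml2Object signed object
     * @param list keys the signature may have been produced with
     * @return the verified signature, as reported by the implementation
     * @throws SignatureException when verification fails; any other failure raised by the
     *         implementation is wrapped in a {@link SignatureException} with the cause preserved
     */
    @Override // org.springframework.security.saml.SamlValidator
    public Signature validateSignature(Saml2Object saml2Object, List<SimpleKey> list) throws SignatureException {
        try {
            return this.implementation.validateSignature(saml2Object, list);
        } catch (Exception e) {
            if (e instanceof SignatureException) {
                throw (SignatureException) e;
            }
            throw new SignatureException(e.getMessage(), e);
        }
    }

    /**
     * Validates {@code saml2Object} in the context of {@code hostedProviderService}.
     *
     * <p>Responses and assertions are validated against the hosted SP metadata and the remote IdP
     * resolved for the message; no list of outstanding request ids is available on this path.
     *
     * @param saml2Object object to validate, never {@code null}
     * @param hostedProviderService hosted provider supplying local and remote metadata
     * @throws ValidationException when validation fails or the object type is not supported
     * @throws NullPointerException when {@code saml2Object} is {@code null}
     */
    @Override // org.springframework.security.saml.SamlValidator
    public void validate(Saml2Object saml2Object, HostedProviderService hostedProviderService) throws ValidationException {
        if (saml2Object == null) {
            throw new NullPointerException("Object to be validated cannot be null");
        }
        ValidationResult result = dispatch(saml2Object, hostedProviderService);
        if (!result.isSuccess()) {
            throw new ValidationException("Unable to validate SAML object.", result);
        }
    }

    /** Routes the object to its type-specific validator; unsupported types are rejected. */
    private ValidationResult dispatch(Saml2Object saml2Object, HostedProviderService hostedProviderService) throws ValidationException {
        if (saml2Object instanceof ServiceProviderMetadata) {
            return validate((ServiceProviderMetadata) saml2Object, hostedProviderService);
        }
        if (saml2Object instanceof IdentityProviderMetadata) {
            return validate((IdentityProviderMetadata) saml2Object, hostedProviderService);
        }
        if (saml2Object instanceof AuthenticationRequest) {
            return validate((AuthenticationRequest) saml2Object, hostedProviderService);
        }
        if (saml2Object instanceof LogoutRequest) {
            return validate((LogoutRequest) saml2Object, hostedProviderService);
        }
        if (saml2Object instanceof LogoutResponse) {
            return validate((LogoutResponse) saml2Object, hostedProviderService);
        }
        if (saml2Object instanceof Response) {
            Response response = (Response) saml2Object;
            ServiceProviderMetadata local = (ServiceProviderMetadata) hostedProviderService.getMetadata();
            IdentityProviderMetadata remote = (IdentityProviderMetadata) hostedProviderService.getRemoteProvider(response);
            return validate(response, null, local, remote);
        }
        if (saml2Object instanceof Assertion) {
            Assertion assertion = (Assertion) saml2Object;
            ServiceProviderMetadata local = (ServiceProviderMetadata) hostedProviderService.getMetadata();
            IdentityProviderMetadata remote = (IdentityProviderMetadata) hostedProviderService.getRemoteProvider(assertion);
            return validate(assertion, null, local, remote, local.getServiceProvider().isWantAssertionsSigned());
        }
        throw new ValidationException("No validation implemented for class:" + saml2Object.getClass().getName(), new ValidationResult(saml2Object).addError("Unable to validate SAML object. No implementation."));
    }

    /** No checks are applied to IdP metadata; always succeeds. */
    protected ValidationResult validate(IdentityProviderMetadata identityProviderMetadata, HostedProviderService hostedProviderService) {
        return new ValidationResult(identityProviderMetadata);
    }

    /** No checks are applied to SP metadata; always succeeds. */
    protected ValidationResult validate(ServiceProviderMetadata serviceProviderMetadata, HostedProviderService hostedProviderService) {
        return new ValidationResult(serviceProviderMetadata);
    }

    /** No checks are applied to authentication requests; always succeeds. */
    protected ValidationResult validate(AuthenticationRequest authenticationRequest, HostedProviderService hostedProviderService) {
        return new ValidationResult(authenticationRequest);
    }

    /** No checks are applied to logout requests; always succeeds. */
    protected ValidationResult validate(LogoutRequest logoutRequest, HostedProviderService hostedProviderService) {
        return new ValidationResult(logoutRequest);
    }

    /** No checks are applied to logout responses; always succeeds. */
    protected ValidationResult validate(LogoutResponse logoutResponse, HostedProviderService hostedProviderService) {
        return new ValidationResult(logoutResponse);
    }

    /**
     * Validates a single assertion: optional signature requirement, presence of the remote
     * provider, bearer subject confirmations and presence of a principal.
     *
     * <p>At least one bearer {@link SubjectConfirmation} must pass; on success the assertion's
     * subject is rewritten to contain only the confirmations that passed (the assertion is mutated).
     * When none passes, every problem found is reported.
     *
     * @param assertion assertion to validate
     * @param list outstanding request ids to correlate InResponseTo with, or {@code null}
     * @param serviceProviderMetadata hosted SP whose AssertionConsumerService the Recipient must match
     * @param identityProviderMetadata remote IdP, or {@code null} when it could not be resolved
     * @param requireSignature whether an unsigned or unverified assertion is rejected
     * @return result without errors on success, otherwise the errors found
     */
    protected ValidationResult validate(Assertion assertion, List<String> list, ServiceProviderMetadata serviceProviderMetadata, IdentityProviderMetadata identityProviderMetadata, boolean requireSignature) {
        if (requireSignature && (assertion.getSignature() == null || !assertion.getSignature().isValidated())) {
            return new ValidationResult(assertion).addError(new ValidationResult.ValidationError("Assertion is not signed or signature was not validated"));
        }
        if (identityProviderMetadata == null) {
            return new ValidationResult(assertion).addError("Remote provider for assertion was not found");
        }
        if (assertion.getSubject() == null) {
            return new ValidationResult(assertion).addError("Assertion subject is missing");
        }
        Iterable<SubjectConfirmation> confirmations = Optional.ofNullable(assertion.getSubject().getConfirmations()).orElse(Collections.<SubjectConfirmation>emptyList());
        LinkedList<SubjectConfirmation> accepted = new LinkedList<>();
        ValidationResult failures = new ValidationResult(assertion);
        for (SubjectConfirmation confirmation : confirmations) {
            List<String> problems = checkBearerConfirmation(confirmation, list, serviceProviderMetadata);
            if (problems.isEmpty()) {
                accepted.add(confirmation);
            } else {
                for (String problem : problems) {
                    failures.addError(problem);
                }
            }
        }
        // The Web SSO profile requires at least one valid bearer confirmation; an assertion
        // carrying none (or only failing ones) is rejected.
        if (accepted.isEmpty()) {
            if (!failures.hasErrors()) {
                failures.addError("Assertion has no bearer subject confirmation");
            }
            return failures;
        }
        assertion.getSubject().setConfirmations(accepted);
        if (assertion.getSubject().getPrincipal() == null) {
            return new ValidationResult(assertion).addError("Assertion principal is missing");
        }
        return new ValidationResult(assertion);
    }

    /**
     * Checks one subject confirmation against the bearer rules.
     *
     * @return the problems found, empty when the confirmation is acceptable
     */
    private List<String> checkBearerConfirmation(SubjectConfirmation confirmation, List<String> inResponseToIds, ServiceProviderMetadata serviceProviderMetadata) {
        List<String> problems = new LinkedList<>();
        if (!SubjectConfirmationMethod.BEARER.equals(confirmation.getMethod())) {
            problems.add("Invalid confirmation method:" + confirmation.getMethod());
            return problems;
        }
        SubjectConfirmationData data = confirmation.getConfirmationData();
        if (data == null) {
            problems.add("Empty subject confirmation data");
            return problems;
        }
        // Bearer confirmation data must carry an upper bound and no lower bound.
        if (data.getNotBefore() != null) {
            problems.add("Subject confirmation data should not have NotBefore date");
            return problems;
        }
        if (data.getNotOnOrAfter() == null) {
            problems.add("Subject confirmation data is missing NotOnOfAfter date");
            return problems;
        }
        if (data.getNotOnOrAfter().plusMillis(getResponseSkewTimeMillis()).isBefore(now())) {
            problems.add(String.format("Invalid NotOnOrAfter date: '%s'", data.getNotOnOrAfter()));
        }
        String inResponseTo = data.getInResponseTo();
        if (StringUtils.hasText(inResponseTo)) {
            if (inResponseToIds != null) {
                if (!inResponseToIds.contains(inResponseTo)) {
                    problems.add(String.format("No match for InResponseTo: '%s' found", inResponseTo));
                }
            } else if (!isAllowUnsolicitedResponses()) {
                // No request ids were supplied to correlate against, so the value cannot be verified.
                problems.add("InResponseTo missing and system not configured to allow unsolicited messages");
            }
        }
        String recipient = data.getRecipient();
        if (!StringUtils.hasText(recipient)) {
            problems.add("Assertion Recipient field missing");
        } else if (!compareURIs(serviceProviderMetadata.getServiceProvider().getAssertionConsumerService(), recipient)) {
            problems.add("Invalid assertion Recipient field: " + recipient);
        }
        return problems;
    }

    /**
     * Validates a response and the first acceptable assertion it carries.
     *
     * <p>Checks, in order: status, remote provider, response signature (when present it must be
     * verified; an unsigned response is accepted here and the assertion signature requirement
     * then depends on the SP's WantAssertionsSigned), IssueInstant skew, InResponseTo, Destination,
     * Issuer, then each assertion until one passes {@link #validate(Assertion, List,
     * ServiceProviderMetadata, IdentityProviderMetadata, boolean)}; finally that assertion's
     * authentication statements, Conditions and AudienceRestriction. On success the response is
     * mutated to hold only the accepted assertion.
     *
     * @param response response to validate
     * @param list outstanding request ids, or {@code null}
     * @param serviceProviderMetadata hosted SP (entity id, ACS endpoints, WantAssertionsSigned)
     * @param identityProviderMetadata remote IdP, or {@code null} when it could not be resolved
     * @return result without errors on success, otherwise the first error found
     */
    protected ValidationResult validate(Response response, List<String> list, ServiceProviderMetadata serviceProviderMetadata, IdentityProviderMetadata identityProviderMetadata) {
        if (response == null) {
            return new ValidationResult(response).addError(new ValidationResult.ValidationError("Response is null"));
        }
        String entityId = serviceProviderMetadata.getEntityId();
        if (response.getStatus() == null || response.getStatus().getCode() == null) {
            return new ValidationResult(response).addError(new ValidationResult.ValidationError("Response status or code is null"));
        }
        StatusCode code = response.getStatus().getCode();
        if (code != StatusCode.SUCCESS) {
            return new ValidationResult(response).addError(new ValidationResult.ValidationError("An error response was returned: " + code.toString()));
        }
        if (identityProviderMetadata == null) {
            return new ValidationResult(response).addError("Remote provider for response was not found");
        }
        // A present-but-unverified signature is rejected; an absent signature is not.
        if (response.getSignature() != null && !response.getSignature().isValidated()) {
            return new ValidationResult(response).addError(new ValidationResult.ValidationError("No validated signature present"));
        }
        DateTime issueInstant = response.getIssueInstant();
        if (!isDateTimeSkewValid(getResponseSkewTimeMillis(), 0, issueInstant)) {
            // String concatenation tolerates a missing IssueInstant (which fails the check above).
            return new ValidationResult(response).addError(new ValidationResult.ValidationError("Issue time is either too old or in the future:" + issueInstant));
        }
        String inResponseTo = response.getInResponseTo();
        if (!isAllowUnsolicitedResponses()) {
            if (!StringUtils.hasText(inResponseTo)) {
                return new ValidationResult(response).addError(new ValidationResult.ValidationError("InResponseTo is missing and unsolicited responses are disabled"));
            }
            if (list == null || !list.contains(inResponseTo)) {
                return new ValidationResult(response).addError(new ValidationResult.ValidationError("Invalid InResponseTo ID, not found in supplied list"));
            }
        }
        // NOTE(review): with unsolicited responses allowed (the default) a present InResponseTo is
        // not correlated with the supplied ids at response level; the bearer
        // SubjectConfirmationData check does correlate it when a list is supplied.
        if (StringUtils.hasText(response.getDestination()) && !compareURIs(serviceProviderMetadata.getServiceProvider().getAssertionConsumerService(), response.getDestination())) {
            return new ValidationResult(response).addError(new ValidationResult.ValidationError("Destination mismatch: " + response.getDestination()));
        }
        ValidationResult issuerProblem = verifyIssuer(response.getIssuer(), identityProviderMetadata);
        if (issuerProblem != null) {
            return issuerProblem;
        }
        // A verified response signature covers the enclosed assertions, so the SP's
        // WantAssertionsSigned requirement is only enforced when the response itself is unsigned.
        boolean responseSigned = response.getSignature() != null && response.getSignature().isValidated();
        boolean requireAssertionSignature = serviceProviderMetadata.getServiceProvider().isWantAssertionsSigned() && !responseSigned;
        Iterable<Assertion> assertions = Optional.ofNullable(response.getAssertions()).orElse(Collections.<Assertion>emptyList());
        Assertion accepted = null;
        for (Assertion candidate : assertions) {
            if (!validate(candidate, list, serviceProviderMetadata, identityProviderMetadata, requireAssertionSignature).hasErrors()) {
                accepted = candidate;
                break;
            }
        }
        if (accepted == null) {
            return new ValidationResult(response).addError(new ValidationResult.ValidationError("No valid assertion with principal found."));
        }
        DateTime now = now();
        Iterable<AuthenticationStatement> statements = Optional.ofNullable(accepted.getAuthenticationStatements()).orElse(Collections.<AuthenticationStatement>emptyList());
        for (AuthenticationStatement statement : statements) {
            if (!isDateTimeSkewValid(getResponseSkewTimeMillis(), getMaxAuthenticationAgeMillis(), statement.getAuthInstant())) {
                return new ValidationResult(response).addError(String.format("Authentication statement is too old to be used with value: '%s' current time: '%s'", DateUtils.toZuluTime(statement.getAuthInstant()), DateUtils.toZuluTime(now)));
            }
            if (statement.getSessionNotOnOrAfter() != null && statement.getSessionNotOnOrAfter().isBefore(now)) {
                return new ValidationResult(response).addError(String.format("Authentication session expired on: '%s', current time: '%s'", DateUtils.toZuluTime(statement.getSessionNotOnOrAfter()), DateUtils.toZuluTime(now)));
            }
        }
        Conditions conditions = accepted.getConditions();
        if (conditions != null) {
            if (conditions.getNotBefore() != null && conditions.getNotBefore().minusMillis(getResponseSkewTimeMillis()).isAfter(now)) {
                return new ValidationResult(response).addError("Conditions expired (not before): " + conditions.getNotBefore());
            }
            if (conditions.getNotOnOrAfter() != null && conditions.getNotOnOrAfter().plusMillis(getResponseSkewTimeMillis()).isBefore(now)) {
                return new ValidationResult(response).addError("Conditions expired (not on or after): " + conditions.getNotOnOrAfter());
            }
            for (AssertionCondition condition : conditions.getCriteria()) {
                // Only AudienceRestriction is evaluated; other condition types are not checked here.
                if (condition instanceof AudienceRestriction) {
                    AudienceRestriction restriction = (AudienceRestriction) condition;
                    restriction.evaluate(entityId, time());
                    if (!restriction.isValid()) {
                        return new ValidationResult(response).addError(String.format("Audience restriction evaluation failed for assertion condition. Expected '%s' Was '%s'", entityId, restriction.getAudiences()));
                    }
                }
            }
        }
        response.setAssertions(Arrays.asList(accepted));
        return new ValidationResult(response);
    }

    /**
     * Reports whether {@code dateTime} lies within {@code [now - (skew + maxAge), now + skew)}.
     *
     * @param skewMillis tolerated drift, applied in both directions
     * @param maxAgeMillis additional age allowed in the past
     * @param dateTime instant to test; {@code null} is never valid
     * @return {@code true} when the instant is inside the window (Joda intervals are end-exclusive)
     */
    protected boolean isDateTimeSkewValid(int skewMillis, int maxAgeMillis, DateTime dateTime) {
        if (dateTime == null) {
            return false;
        }
        DateTime now = now();
        return new Interval(now.minusMillis(skewMillis + maxAgeMillis), now.plusMillis(skewMillis)).contains(dateTime);
    }

    /** Current instant according to the configured {@link Clock}. */
    private DateTime now() {
        return new DateTime(this.time.millis());
    }

    /** @return tolerated clock drift in milliseconds */
    public int getResponseSkewTimeMillis() {
        return this.responseSkewTimeMillis;
    }

    /**
     * @param skewMillis tolerated clock drift in milliseconds
     * @return this validator, for chaining
     */
    public DefaultValidator setResponseSkewTimeMillis(int skewMillis) {
        this.responseSkewTimeMillis = skewMillis;
        return this;
    }

    /** @return whether responses without a matching InResponseTo are accepted */
    public boolean isAllowUnsolicitedResponses() {
        return this.allowUnsolicitedResponses;
    }

    /**
     * @param allow whether unsolicited (IdP-initiated) responses are accepted
     * @return this validator, for chaining
     */
    public DefaultValidator setAllowUnsolicitedResponses(boolean allow) {
        this.allowUnsolicitedResponses = allow;
        return this;
    }

    /**
     * Reports whether {@code str} matches the location of any endpoint in {@code list}.
     *
     * @param list candidate endpoints; {@code null} or empty never matches
     * @param str location to look for
     * @return {@code true} when some endpoint location compares equal per {@link #compareURIs(String, String)}
     */
    protected boolean compareURIs(List<Endpoint> list, String str) {
        if (list == null) {
            return false;
        }
        for (Endpoint endpoint : list) {
            if (compareURIs(endpoint.getLocation(), str)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks that {@code issuer} names {@code metadata}'s entity id with an entity name format.
     *
     * @param issuer issuer of the message; {@code null} is accepted
     * @param metadata expected issuer
     * @return {@code null} when acceptable, otherwise a result describing the mismatch
     */
    protected ValidationResult verifyIssuer(Issuer issuer, Metadata metadata) {
        if (issuer == null) {
            return null;
        }
        String expected = metadata.getEntityId();
        // A metadata entry without an entity id can never match.
        if (expected == null || !expected.equals(issuer.getValue())) {
            return new ValidationResult(metadata).addError(new ValidationResult.ValidationError(String.format("Issuer mismatch. Expected: '%s' Actual: '%s'", metadata.getEntityId(), issuer.getValue())));
        }
        if (issuer.getFormat() == null || issuer.getFormat().equals(NameId.ENTITY)) {
            return null;
        }
        return new ValidationResult(metadata).addError(new ValidationResult.ValidationError(String.format("Issuer name format mismatch. Expected: '%s' Actual: '%s'", NameId.ENTITY, issuer.getFormat())));
    }

    /** @return oldest accepted AuthnInstant age in milliseconds */
    public int getMaxAuthenticationAgeMillis() {
        return this.maxAuthenticationAgeMillis;
    }

    /** @return the clock driving all time-based checks */
    public Clock time() {
        return this.time;
    }

    /**
     * Compares two URIs ignoring their query strings.
     *
     * <p>Both must parse as {@link URI}; two {@code null}s are equal and a single {@code null}
     * never matches (previously this raised a {@link NullPointerException}).
     *
     * <p>NOTE(review): the comparison is case-insensitive over the whole remaining string,
     * which is more lenient than RFC 3986 (only scheme and host are case-insensitive), and the
     * fragment is not stripped. Kept for compatibility.
     *
     * @param str first URI
     * @param str2 second URI
     * @return {@code true} when both are well-formed and equal up to the query string
     */
    protected boolean compareURIs(String str, String str2) {
        if (str == null || str2 == null) {
            return str == null && str2 == null;
        }
        try {
            new URI(str);
            new URI(str2);
            return removeQueryString(str).equalsIgnoreCase(removeQueryString(str2));
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /**
     * Strips everything from the first {@code '?'} onwards.
     *
     * @param str URI string, may be {@code null}
     * @return the string up to the query string; {@code null} for {@code null} input
     */
    public String removeQueryString(String str) {
        if (str == null) {
            return null;
        }
        int queryStart = str.indexOf('?');
        return queryStart >= 0 ? str.substring(0, queryStart) : str;
    }

    /** @param maxAgeMillis oldest accepted AuthnInstant age in milliseconds */
    public void setMaxAuthenticationAgeMillis(int maxAgeMillis) {
        this.maxAuthenticationAgeMillis = maxAgeMillis;
    }
}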
