package org.springframework.security.saml.websso;

import java.io.Serializable;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import javax.xml.namespace.QName;
import org.joda.time.DateTime;
import org.opensaml.common.SAMLException;
import org.opensaml.common.SAMLObject;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.AuthnContext;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
import org.opensaml.saml2.core.AuthnContextDeclRef;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.Condition;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.EncryptedAttribute;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.OneTimeUse;
import org.opensaml.saml2.core.ProxyRestriction;
import org.opensaml.saml2.core.RequestedAuthnContext;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.StatusMessage;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.saml2.core.SubjectConfirmationData;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.validation.ValidationException;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.saml.SAMLConstants;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.metadata.MetadataManager;
import org.springframework.security.saml.processor.SAMLProcessor;
import org.springframework.security.saml.storage.SAMLMessageStorage;
import org.springframework.security.saml.util.SAMLUtil;
import org.springframework.util.Assert;

/* loaded from: input_file:WEB-INF/lib/spring-security-saml2-core-1.0.4.RELEASE.jar:org/springframework/security/saml/websso/WebSSOProfileConsumerImpl.class */
public class WebSSOProfileConsumerImpl extends AbstractProfileBase implements WebSSOProfileConsumer {
    private long maxAuthenticationAge;
    private boolean includeAllAttributes;
    private boolean releaseDOM;

    public WebSSOProfileConsumerImpl() {
        this.maxAuthenticationAge = 7200L;
        this.includeAllAttributes = false;
        this.releaseDOM = true;
    }

    public WebSSOProfileConsumerImpl(SAMLProcessor sAMLProcessor, MetadataManager metadataManager) {
        super(sAMLProcessor, metadataManager);
        this.maxAuthenticationAge = 7200L;
        this.includeAllAttributes = false;
        this.releaseDOM = true;
    }

    @Override // org.springframework.security.saml.websso.AbstractProfileBase
    public String getProfileIdentifier() {
        return SAMLConstants.SAML2_WEBSSO_PROFILE_URI;
    }

    @Override // org.springframework.security.saml.websso.WebSSOProfileConsumer
    public SAMLCredential processAuthenticationResponse(SAMLMessageContext sAMLMessageContext) throws SAMLException, SecurityException, ValidationException, DecryptionException {
        AuthnRequest authnRequest = null;
        SAMLObject inboundSAMLMessage = sAMLMessageContext.getInboundSAMLMessage();
        if (!(inboundSAMLMessage instanceof Response)) {
            throw new SAMLException("Message is not of a Response object type");
        }
        Response response = (Response) inboundSAMLMessage;
        String value = response.getStatus().getStatusCode().getValue();
        if (!StatusCode.SUCCESS_URI.equals(value)) {
            StatusMessage statusMessage = response.getStatus().getStatusMessage();
            throw new SAMLException("Response has invalid status code " + value + ", status message is " + (statusMessage != null ? statusMessage.getMessage() : null));
        }
        if (response.getSignature() != null && !sAMLMessageContext.isInboundSAMLMessageAuthenticated()) {
            this.log.debug("Verifying Response signature");
            verifySignature(response.getSignature(), sAMLMessageContext.getPeerEntityId(), sAMLMessageContext.getLocalTrustEngine());
            sAMLMessageContext.setInboundSAMLMessageAuthenticated(true);
        }
        DateTime issueInstant = response.getIssueInstant();
        if (!SAMLUtil.isDateTimeSkewValid(getResponseSkew(), issueInstant)) {
            throw new SAMLException("Response issue time is either too old or with date in the future, skew " + getResponseSkew() + ", time " + issueInstant);
        }
        if (!sAMLMessageContext.getPeerExtendedMetadata().isSupportUnsolicitedResponse() && response.getInResponseTo() == null) {
            throw new SAMLException("Reception of Unsolicited Response messages (without InResponseToField) is disabled");
        }
        SAMLMessageStorage messageStorage = sAMLMessageContext.getMessageStorage();
        if (messageStorage != null && response.getInResponseTo() != null) {
            XMLObject retrieveMessage = messageStorage.retrieveMessage(response.getInResponseTo());
            if (retrieveMessage == null) {
                throw new SAMLException("InResponseToField of the Response doesn't correspond to sent message " + response.getInResponseTo());
            }
            if (!(retrieveMessage instanceof AuthnRequest)) {
                throw new SAMLException("Sent request was of different type than the expected AuthnRequest " + response.getInResponseTo());
            }
            authnRequest = (AuthnRequest) retrieveMessage;
        }
        verifyEndpoint(sAMLMessageContext.getLocalEntityEndpoint(), response.getDestination());
        if (authnRequest != null) {
            AssertionConsumerService assertionConsumerService = (AssertionConsumerService) sAMLMessageContext.getLocalEntityEndpoint();
            if (authnRequest.getAssertionConsumerServiceIndex() == null) {
                String assertionConsumerServiceURL = authnRequest.getAssertionConsumerServiceURL();
                String protocolBinding = authnRequest.getProtocolBinding();
                if (assertionConsumerServiceURL != null) {
                    String responseLocation = assertionConsumerService.getResponseLocation() != null ? assertionConsumerService.getResponseLocation() : assertionConsumerService.getLocation();
                    if (!assertionConsumerServiceURL.equals(responseLocation)) {
                        this.log.info("Response was received at a different endpoint URL {} than was requested {}", responseLocation, assertionConsumerServiceURL);
                    }
                }
                if (protocolBinding != null && !protocolBinding.equals(sAMLMessageContext.getInboundSAMLBinding())) {
                    this.log.info("Response was received using a different binding {} than was requested {}", sAMLMessageContext.getInboundSAMLBinding(), protocolBinding);
                }
            } else if (!authnRequest.getAssertionConsumerServiceIndex().equals(assertionConsumerService.getIndex())) {
                this.log.info("Response was received at a different endpoint index than was requested");
            }
        }
        if (response.getIssuer() != null) {
            this.log.debug("Verifying issuer of the Response");
            verifyIssuer(response.getIssuer(), sAMLMessageContext);
        }
        Assertion assertion = null;
        ArrayList arrayList = new ArrayList();
        List<Assertion> assertions = response.getAssertions();
        if (response.getEncryptedAssertions().size() > 0) {
            assertions = new ArrayList(response.getAssertions().size() + response.getEncryptedAssertions().size());
            assertions.addAll(response.getAssertions());
            for (EncryptedAssertion encryptedAssertion : response.getEncryptedAssertions()) {
                try {
                    Assert.notNull(sAMLMessageContext.getLocalDecrypter(), "Can't decrypt Assertion, no decrypter is set in the context");
                    this.log.debug("Decrypting assertion");
                    assertions.add(sAMLMessageContext.getLocalDecrypter().decrypt(encryptedAssertion));
                } catch (DecryptionException e) {
                    this.log.debug("Decryption of received assertion failed, assertion will be skipped", (Throwable) e);
                }
            }
        }
        Exception exc = null;
        for (Assertion assertion2 : assertions) {
            if (assertion2.getAuthnStatements().size() > 0) {
                try {
                    verifyAssertion(assertion2, authnRequest, sAMLMessageContext);
                    assertion = assertion2;
                    this.log.debug("Validation of authentication statement in assertion {} was successful", assertion2.getID());
                    break;
                } catch (Exception e2) {
                    this.log.debug("Validation of authentication statement in assertion failed, skipping", (Throwable) e2);
                    exc = e2;
                }
            } else {
                this.log.debug("Assertion {} did not contain any authentication statements, skipping", assertion2.getID());
            }
        }
        if (assertion == null) {
            throw new SAMLException("Response doesn't have any valid assertion which would pass subject validation", exc);
        }
        for (Assertion assertion3 : assertions) {
            if (assertion3 == assertion || isIncludeAllAttributes()) {
                for (AttributeStatement attributeStatement : assertion3.getAttributeStatements()) {
                    for (Attribute attribute : attributeStatement.getAttributes()) {
                        this.log.debug("Including attribute {} from assertion {}", attribute.getName(), assertion3.getID());
                        arrayList.add(attribute);
                    }
                    for (EncryptedAttribute encryptedAttribute : attributeStatement.getEncryptedAttributes()) {
                        Assert.notNull(sAMLMessageContext.getLocalDecrypter(), "Can't decrypt Attribute, no decrypter is set in the context");
                        Attribute decrypt = sAMLMessageContext.getLocalDecrypter().decrypt(encryptedAttribute);
                        this.log.debug("Including decrypted attribute {} from assertion {}", decrypt.getName(), assertion3.getID());
                        arrayList.add(decrypt);
                    }
                }
            }
        }
        NameID nameID = (NameID) sAMLMessageContext.getSubjectNameIdentifier();
        if (nameID == null) {
            throw new SAMLException("NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration");
        }
        Serializable processAdditionalData = processAdditionalData(sAMLMessageContext);
        if (isReleaseDOM()) {
            assertion.releaseDOM();
            assertion.releaseChildrenDOM(true);
        }
        return new SAMLCredential(nameID, assertion, sAMLMessageContext.getPeerEntityMetadata().getEntityID(), sAMLMessageContext.getRelayState(), arrayList, sAMLMessageContext.getLocalEntityId(), processAdditionalData);
    }

    protected Serializable processAdditionalData(SAMLMessageContext sAMLMessageContext) throws SAMLException {
        return null;
    }

    protected void verifyAssertion(Assertion assertion, AuthnRequest authnRequest, SAMLMessageContext sAMLMessageContext) throws AuthenticationException, SAMLException, SecurityException, ValidationException, DecryptionException {
        if (!SAMLUtil.isDateTimeSkewValid(getResponseSkew(), getMaxAssertionTime(), assertion.getIssueInstant())) {
            throw new SAMLException("Assertion is too old to be used, value can be customized by setting maxAssertionTime value " + assertion.getIssueInstant());
        }
        verifyIssuer(assertion.getIssuer(), sAMLMessageContext);
        verifyAssertionSignature(assertion.getSignature(), sAMLMessageContext);
        if (assertion.getSubject() == null) {
            throw new SAMLException("Assertion does not contain subject and is discarded");
        }
        verifySubject(assertion.getSubject(), authnRequest, sAMLMessageContext);
        if (assertion.getAuthnStatements().size() <= 0) {
            verifyAssertionConditions(assertion.getConditions(), sAMLMessageContext, false);
            return;
        }
        verifyAssertionConditions(assertion.getConditions(), sAMLMessageContext, true);
        for (AuthnStatement authnStatement : assertion.getAuthnStatements()) {
            if (authnRequest != null) {
                verifyAuthenticationStatement(authnStatement, authnRequest.getRequestedAuthnContext(), sAMLMessageContext);
            } else {
                verifyAuthenticationStatement(authnStatement, null, sAMLMessageContext);
            }
        }
    }

    protected void verifySubject(Subject subject, AuthnRequest authnRequest, SAMLMessageContext sAMLMessageContext) throws SAMLException, DecryptionException {
        NameID nameID;
        for (SubjectConfirmation subjectConfirmation : subject.getSubjectConfirmations()) {
            if (SubjectConfirmation.METHOD_BEARER.equals(subjectConfirmation.getMethod())) {
                this.log.debug("Processing Bearer subject confirmation");
                SubjectConfirmationData subjectConfirmationData = subjectConfirmation.getSubjectConfirmationData();
                if (subjectConfirmationData == null) {
                    this.log.debug("Bearer SubjectConfirmation invalidated by missing confirmation data");
                } else if (subjectConfirmationData.getNotBefore() != null) {
                    this.log.debug("Bearer SubjectConfirmation invalidated by not before which is forbidden");
                } else if (subjectConfirmationData.getNotOnOrAfter() == null) {
                    this.log.debug("Bearer SubjectConfirmation invalidated by missing notOnOrAfter");
                } else if (subjectConfirmationData.getNotOnOrAfter().plusSeconds(getResponseSkew()).isBeforeNow()) {
                    this.log.debug("Bearer SubjectConfirmation invalidated by notOnOrAfter");
                } else {
                    if (authnRequest != null) {
                        if (subjectConfirmationData.getInResponseTo() == null) {
                            this.log.debug("Bearer SubjectConfirmation invalidated by missing inResponseTo field");
                        } else if (!subjectConfirmationData.getInResponseTo().equals(authnRequest.getID())) {
                            this.log.debug("Bearer SubjectConfirmation invalidated by invalid in response to");
                        }
                    }
                    if (subjectConfirmationData.getRecipient() == null) {
                        this.log.debug("Bearer SubjectConfirmation invalidated by missing recipient");
                    } else {
                        try {
                            verifyEndpoint(sAMLMessageContext.getLocalEntityEndpoint(), subjectConfirmationData.getRecipient());
                            if (subject.getEncryptedID() != null) {
                                Assert.notNull(sAMLMessageContext.getLocalDecrypter(), "Can't decrypt NameID, no decrypter is set in the context");
                                nameID = (NameID) sAMLMessageContext.getLocalDecrypter().decrypt(subject.getEncryptedID());
                            } else {
                                nameID = subject.getNameID();
                            }
                            sAMLMessageContext.setSubjectNameIdentifier(nameID);
                            return;
                        } catch (SAMLException e) {
                            this.log.debug("Bearer SubjectConfirmation invalidated by recipient assertion consumer URL, found {}", subjectConfirmationData.getRecipient());
                        }
                    }
                }
            }
        }
        throw new SAMLException("Assertion invalidated by subject confirmation - can't be confirmed by the bearer method");
    }

    protected void verifyAssertionSignature(Signature signature, SAMLMessageContext sAMLMessageContext) throws SAMLException, SecurityException, ValidationException {
        boolean booleanValue = ((SPSSODescriptor) sAMLMessageContext.getLocalEntityRoleMetadata()).getWantAssertionsSigned().booleanValue();
        if (signature != null) {
            verifySignature(signature, sAMLMessageContext.getPeerEntityMetadata().getEntityID(), sAMLMessageContext.getLocalTrustEngine());
        } else if (booleanValue && !sAMLMessageContext.isInboundSAMLMessageAuthenticated()) {
            throw new SAMLException("Metadata includes wantAssertionSigned, but neither Response nor included Assertion is signed");
        }
    }

    protected void verifyAssertionConditions(Conditions conditions, SAMLMessageContext sAMLMessageContext, boolean z) throws SAMLException {
        if (z && (conditions == null || conditions.getAudienceRestrictions().size() == 0)) {
            throw new SAMLException("Assertion invalidated by missing Audience Restriction");
        }
        if (conditions == null) {
            return;
        }
        if (conditions.getNotBefore() != null && conditions.getNotBefore().minusSeconds(getResponseSkew()).isAfterNow()) {
            throw new SAMLException("Assertion is not yet valid, invalidated by condition notBefore " + conditions.getNotBefore());
        }
        if (conditions.getNotOnOrAfter() != null && conditions.getNotOnOrAfter().plusSeconds(getResponseSkew()).isBeforeNow()) {
            throw new SAMLException("Assertion is no longer valid, invalidated by condition notOnOrAfter " + conditions.getNotOnOrAfter());
        }
        LinkedList linkedList = new LinkedList();
        for (Condition condition : conditions.getConditions()) {
            QName elementQName = condition.getElementQName();
            if (elementQName.equals(AudienceRestriction.DEFAULT_ELEMENT_NAME)) {
                verifyAudience(sAMLMessageContext, conditions.getAudienceRestrictions());
            } else {
                if (elementQName.equals(OneTimeUse.DEFAULT_ELEMENT_NAME)) {
                    throw new SAMLException("System cannot honor OneTimeUse condition of the Assertion for WebSSO");
                }
                if (elementQName.equals(ProxyRestriction.DEFAULT_ELEMENT_NAME)) {
                    this.log.debug("Honoring ProxyRestriction with count {}, system does not issue assertions to 3rd parties", ((ProxyRestriction) condition).getProxyCount());
                } else {
                    this.log.debug("Condition {} is not understood", condition);
                    linkedList.add(condition);
                }
            }
        }
        verifyConditions(sAMLMessageContext, linkedList);
    }

    protected void verifyAudience(SAMLMessageContext sAMLMessageContext, List<AudienceRestriction> list) throws SAMLException {
        for (AudienceRestriction audienceRestriction : list) {
            if (audienceRestriction.getAudiences().size() == 0) {
                throw new SAMLException("No audit audience specified for the assertion");
            }
            Iterator<Audience> it = audienceRestriction.getAudiences().iterator();
            while (it.hasNext()) {
                if (sAMLMessageContext.getLocalEntityId().equals(it.next().getAudienceURI())) {
                    break;
                }
            }
            throw new SAMLException("Local entity is not the intended audience of the assertion in at least one AudienceRestriction");
        }
    }

    protected void verifyConditions(SAMLMessageContext sAMLMessageContext, List<Condition> list) throws SAMLException {
        if (list != null && list.size() > 0) {
            throw new SAMLException("Assertion contains conditions which are not understood");
        }
    }

    protected void verifyAuthenticationStatement(AuthnStatement authnStatement, RequestedAuthnContext requestedAuthnContext, SAMLMessageContext sAMLMessageContext) throws AuthenticationException {
        if (!SAMLUtil.isDateTimeSkewValid(getResponseSkew(), getMaxAuthenticationAge(), authnStatement.getAuthnInstant())) {
            throw new CredentialsExpiredException("Authentication statement is too old to be used with value " + authnStatement.getAuthnInstant());
        }
        if (authnStatement.getSessionNotOnOrAfter() != null && authnStatement.getSessionNotOnOrAfter().isBeforeNow()) {
            throw new CredentialsExpiredException("Authentication session is not valid on or after " + authnStatement.getSessionNotOnOrAfter());
        }
        verifyAuthnContext(requestedAuthnContext, authnStatement.getAuthnContext(), sAMLMessageContext);
    }

    protected void verifyAuthnContext(RequestedAuthnContext requestedAuthnContext, AuthnContext authnContext, SAMLMessageContext sAMLMessageContext) throws InsufficientAuthenticationException {
        this.log.debug("Verifying received AuthnContext {} against requested {}", authnContext, requestedAuthnContext);
        if (requestedAuthnContext == null || !AuthnContextComparisonTypeEnumeration.EXACT.equals(requestedAuthnContext.getComparison())) {
            return;
        }
        String str = null;
        String str2 = null;
        if (authnContext.getAuthnContextClassRef() != null) {
            str = authnContext.getAuthnContextClassRef().getAuthnContextClassRef();
        }
        if (requestedAuthnContext.getAuthnContextClassRefs() != null) {
            Iterator<AuthnContextClassRef> it = requestedAuthnContext.getAuthnContextClassRefs().iterator();
            while (it.hasNext()) {
                if (it.next().getAuthnContextClassRef().equals(str)) {
                    this.log.debug("AuthContext matched with value {}", str);
                    return;
                }
            }
        }
        if (authnContext.getAuthnContextDeclRef() != null) {
            str2 = authnContext.getAuthnContextDeclRef().getAuthnContextDeclRef();
        }
        if (requestedAuthnContext.getAuthnContextDeclRefs() != null) {
            Iterator<AuthnContextDeclRef> it2 = requestedAuthnContext.getAuthnContextDeclRefs().iterator();
            while (it2.hasNext()) {
                if (it2.next().getAuthnContextDeclRef().equals(str2)) {
                    this.log.debug("AuthContext matched with value {}", str2);
                    return;
                }
            }
        }
        throw new InsufficientAuthenticationException("Response doesn't contain any of the requested authentication context class or declaration references");
    }

    public long getMaxAuthenticationAge() {
        return this.maxAuthenticationAge;
    }

    public void setMaxAuthenticationAge(long j) {
        this.maxAuthenticationAge = j;
    }

    public boolean isIncludeAllAttributes() {
        return this.includeAllAttributes;
    }

    public void setIncludeAllAttributes(boolean z) {
        this.includeAllAttributes = z;
    }

    public boolean isReleaseDOM() {
        return this.releaseDOM;
    }

    public void setReleaseDOM(boolean z) {
        this.releaseDOM = z;
    }
}
