package com.coveo.saml;

import com.sun.org.apache.xerces.internal.parsers.DOMParser;
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.io.StringWriter;
import java.io.UnsupportedEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.UUID;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.namespace.QName;
import org.joda.time.DateTime;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLVersion;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.NameIDPolicy;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.validator.ResponseSchemaValidator;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.KeyDescriptor;
import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.saml2.metadata.provider.DOMMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.io.UnmarshallingException;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.signature.X509Data;
import org.opensaml.xml.util.Base64;
import org.opensaml.xml.util.XMLHelper;
import org.opensaml.xml.validation.ValidationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/* loaded from: input_file:com/coveo/saml/SamlClient.class */
public class SamlClient {
    private static final Logger logger = LoggerFactory.getLogger(SamlClient.class);
    private static boolean initializedOpenSaml = false;
    private String relyingPartyIdentifier;
    private String assertionConsumerServiceUrl;
    private String identityProviderUrl;
    private String responseIssuer;
    private List<Credential> credentials;
    private DateTime now;
    private long notBeforeSkew;
    private SamlIdpBinding samlBinding;

    /* loaded from: input_file:com/coveo/saml/SamlClient$SamlIdpBinding.class */
    public enum SamlIdpBinding {
        POST,
        Redirect
    }

    public String getIdentityProviderUrl() {
        return this.identityProviderUrl;
    }

    public void setDateTimeNow(DateTime dateTime) {
        this.now = dateTime;
    }

    public void setNotBeforeSkew(long j) {
        if (j < 0) {
            throw new IllegalArgumentException("Skew must be non-negative");
        }
        this.notBeforeSkew = j;
    }

    public SamlClient(String str, String str2, String str3, String str4, List<X509Certificate> list, SamlIdpBinding samlIdpBinding) throws SamlException {
        this.notBeforeSkew = 0L;
        ensureOpenSamlIsInitialized();
        if (str == null) {
            throw new IllegalArgumentException("relyingPartyIdentifier");
        }
        if (str3 == null) {
            throw new IllegalArgumentException("identityProviderUrl");
        }
        if (str4 == null) {
            throw new IllegalArgumentException("responseIssuer");
        }
        if (list == null || list.isEmpty()) {
            throw new IllegalArgumentException("certificates");
        }
        this.relyingPartyIdentifier = str;
        this.assertionConsumerServiceUrl = str2;
        this.identityProviderUrl = str3;
        this.responseIssuer = str4;
        this.credentials = (List) list.stream().map(SamlClient::getCredential).collect(Collectors.toList());
        this.samlBinding = samlIdpBinding;
    }

    public SamlClient(String str, String str2, String str3, String str4, List<X509Certificate> list) throws SamlException {
        this(str, str2, str3, str4, list, SamlIdpBinding.POST);
    }

    public SamlClient(String str, String str2, String str3, String str4, X509Certificate x509Certificate) throws SamlException {
        this(str, str2, str3, str4, Collections.singletonList(x509Certificate), SamlIdpBinding.POST);
    }

    public String getSamlRequest() throws SamlException {
        AuthnRequest buildSamlObject = buildSamlObject(AuthnRequest.DEFAULT_ELEMENT_NAME);
        buildSamlObject.setID("z" + UUID.randomUUID().toString());
        buildSamlObject.setVersion(SAMLVersion.VERSION_20);
        buildSamlObject.setIssueInstant(DateTime.now());
        buildSamlObject.setProtocolBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-" + this.samlBinding.toString());
        buildSamlObject.setAssertionConsumerServiceURL(this.assertionConsumerServiceUrl);
        Issuer buildSamlObject2 = buildSamlObject(Issuer.DEFAULT_ELEMENT_NAME);
        buildSamlObject2.setValue(this.relyingPartyIdentifier);
        buildSamlObject.setIssuer(buildSamlObject2);
        NameIDPolicy buildSamlObject3 = buildSamlObject(NameIDPolicy.DEFAULT_ELEMENT_NAME);
        buildSamlObject3.setFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
        buildSamlObject.setNameIDPolicy(buildSamlObject3);
        StringWriter stringWriter = new StringWriter();
        try {
            XMLHelper.writeNode(Configuration.getMarshallerFactory().getMarshaller(buildSamlObject).marshall(buildSamlObject), stringWriter);
            logger.trace("Issuing SAML request: " + stringWriter.toString());
            try {
                return Base64.encodeBytes(stringWriter.toString().getBytes("UTF-8"));
            } catch (UnsupportedEncodingException e) {
                throw new SamlException("Error while encoding SAML request", e);
            }
        } catch (MarshallingException e2) {
            throw new SamlException("Error while marshalling SAML request to XML", e2);
        }
    }

    public SamlResponse decodeAndValidateSamlResponse(String str) throws SamlException {
        try {
            String str2 = new String(Base64.decode(str), "UTF-8");
            logger.trace("Validating SAML response: " + str2);
            try {
                DOMParser createDOMParser = createDOMParser();
                createDOMParser.parse(new InputSource(new StringReader(str2)));
                Response response = (Response) Configuration.getUnmarshallerFactory().getUnmarshaller(createDOMParser.getDocument().getDocumentElement()).unmarshall(createDOMParser.getDocument().getDocumentElement());
                validateResponse(response);
                validateAssertion(response);
                validateSignature(response);
                return new SamlResponse((Assertion) response.getAssertions().get(0));
            } catch (IOException | SAXException | UnmarshallingException e) {
                throw new SamlException("Cannot decode xml encoded response", e);
            }
        } catch (UnsupportedEncodingException e2) {
            throw new SamlException("Cannot decode base64 encoded response", e2);
        }
    }

    public void redirectToIdentityProvider(HttpServletResponse httpServletResponse, String str) throws IOException, SamlException {
        HashMap hashMap = new HashMap();
        hashMap.put("SAMLRequest", getSamlRequest());
        if (str != null) {
            hashMap.put("RelayState", str);
        }
        BrowserUtils.postUsingBrowser(this.identityProviderUrl, httpServletResponse, hashMap);
    }

    public SamlResponse processPostFromIdentityProvider(HttpServletRequest httpServletRequest) throws SamlException {
        return decodeAndValidateSamlResponse(httpServletRequest.getParameter("SAMLResponse"));
    }

    public static SamlClient fromMetadata(String str, String str2, Reader reader) throws SamlException {
        return fromMetadata(str, str2, reader, SamlIdpBinding.POST);
    }

    public static SamlClient fromMetadata(String str, String str2, Reader reader, SamlIdpBinding samlIdpBinding) throws SamlException {
        return fromMetadata(str, str2, reader, samlIdpBinding, null);
    }

    public static SamlClient fromMetadata(String str, String str2, Reader reader, SamlIdpBinding samlIdpBinding, List<X509Certificate> list) throws SamlException {
        ensureOpenSamlIsInitialized();
        EntityDescriptor entityDescriptor = getEntityDescriptor(createMetadataProvider(reader));
        IDPSSODescriptor iDPSSODescriptor = getIDPSSODescriptor(entityDescriptor);
        SingleSignOnService idpBinding = getIdpBinding(iDPSSODescriptor, samlIdpBinding);
        List<X509Certificate> certificates = getCertificates(iDPSSODescriptor);
        boolean contains = entityDescriptor.getEntityID().contains(".okta.com");
        if (str == null) {
            if (!contains) {
                throw new IllegalArgumentException("relyingPartyIdentifier");
            }
            str = entityDescriptor.getEntityID();
        }
        if (str2 == null && contains) {
            str2 = idpBinding.getLocation();
        }
        if (list != null) {
            certificates.addAll(list);
        }
        return new SamlClient(str, str2, idpBinding.getLocation(), entityDescriptor.getEntityID(), certificates, samlIdpBinding);
    }

    private void validateResponse(Response response) throws SamlException {
        try {
            new ResponseSchemaValidator().validate(response);
            if (!response.getIssuer().getValue().equals(this.responseIssuer)) {
                throw new SamlException("The response issuer didn't match the expected value");
            }
            String value = response.getStatus().getStatusCode().getValue();
            if (!value.equals("urn:oasis:names:tc:SAML:2.0:status:Success")) {
                throw new SamlException("Invalid status code: " + value);
            }
        } catch (ValidationException e) {
            throw new SamlException("The response schema validation failed", e);
        }
    }

    private void validateAssertion(Response response) throws SamlException {
        if (response.getAssertions().size() != 1) {
            throw new SamlException("The response doesn't contain exactly 1 assertion");
        }
        Assertion assertion = (Assertion) response.getAssertions().get(0);
        if (!assertion.getIssuer().getValue().equals(this.responseIssuer)) {
            throw new SamlException("The assertion issuer didn't match the expected value");
        }
        if (assertion.getSubject().getNameID() == null) {
            throw new SamlException("The NameID value is missing from the SAML response; this is likely an IDP configuration issue");
        }
        enforceConditions(assertion.getConditions());
    }

    private void enforceConditions(Conditions conditions) throws SamlException {
        DateTime now = this.now != null ? this.now : DateTime.now();
        DateTime notBefore = conditions.getNotBefore();
        if (now.isBefore(notBefore.minus(this.notBeforeSkew))) {
            throw new SamlException("The assertion cannot be used before " + notBefore.toString());
        }
        DateTime notOnOrAfter = conditions.getNotOnOrAfter();
        if (now.isAfter(notOnOrAfter)) {
            throw new SamlException("The assertion cannot be used after  " + notOnOrAfter.toString());
        }
    }

    private void validateSignature(Response response) throws SamlException {
        Signature signature = response.getSignature();
        Signature signature2 = ((Assertion) response.getAssertions().get(0)).getSignature();
        if (signature == null && signature2 == null) {
            throw new SamlException("No signature is present in either response or assertion");
        }
        if (signature != null && !validate(signature)) {
            throw new SamlException("The response signature is invalid");
        }
        if (signature2 != null && !validate(signature2)) {
            throw new SamlException("The assertion signature is invalid");
        }
    }

    private boolean validate(Signature signature) {
        if (signature == null) {
            return false;
        }
        return this.credentials.stream().anyMatch(credential -> {
            try {
                new SignatureValidator(credential).validate(signature);
                return true;
            } catch (ValidationException e) {
                return false;
            }
        });
    }

    private static synchronized void ensureOpenSamlIsInitialized() throws SamlException {
        if (initializedOpenSaml) {
            return;
        }
        try {
            DefaultBootstrap.bootstrap();
            initializedOpenSaml = true;
        } catch (Throwable th) {
            throw new SamlException("Error while initializing the Open SAML library", th);
        }
    }

    private static DOMParser createDOMParser() throws SamlException {
        return new DOMParser() { // from class: com.coveo.saml.SamlClient.1
            {
                try {
                    setFeature("http://apache.org/xml/features/include-comments", false);
                } catch (Throwable th) {
                    throw new SamlException("Cannot disable comments parsing to mitigate https://www.kb.cert.org/vuls/id/475445", th);
                }
            }
        };
    }

    private static MetadataProvider createMetadataProvider(Reader reader) throws SamlException {
        try {
            DOMParser createDOMParser = createDOMParser();
            createDOMParser.parse(new InputSource(reader));
            DOMMetadataProvider dOMMetadataProvider = new DOMMetadataProvider(createDOMParser.getDocument().getDocumentElement());
            dOMMetadataProvider.initialize();
            return dOMMetadataProvider;
        } catch (IOException | SAXException | MetadataProviderException e) {
            throw new SamlException("Cannot load identity provider metadata", e);
        }
    }

    private static EntityDescriptor getEntityDescriptor(MetadataProvider metadataProvider) throws SamlException {
        try {
            EntityDescriptor metadata = metadataProvider.getMetadata();
            if (metadata == null) {
                throw new SamlException("Cannot retrieve the entity descriptor");
            }
            return metadata;
        } catch (MetadataProviderException e) {
            throw new SamlException("Cannot retrieve the entity descriptor", e);
        }
    }

    private static IDPSSODescriptor getIDPSSODescriptor(EntityDescriptor entityDescriptor) throws SamlException {
        IDPSSODescriptor iDPSSODescriptor = entityDescriptor.getIDPSSODescriptor("urn:oasis:names:tc:SAML:2.0:protocol");
        if (iDPSSODescriptor == null) {
            throw new SamlException("Cannot retrieve IDP SSO descriptor");
        }
        return iDPSSODescriptor;
    }

    private static SingleSignOnService getIdpBinding(IDPSSODescriptor iDPSSODescriptor, SamlIdpBinding samlIdpBinding) throws SamlException {
        return (SingleSignOnService) iDPSSODescriptor.getSingleSignOnServices().stream().filter(singleSignOnService -> {
            return singleSignOnService.getBinding().equals("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-" + samlIdpBinding.toString());
        }).findAny().orElseThrow(() -> {
            return new SamlException("Cannot find HTTP-POST SSO binding in metadata");
        });
    }

    private static List<X509Certificate> getCertificates(IDPSSODescriptor iDPSSODescriptor) throws SamlException {
        try {
            return (List) iDPSSODescriptor.getKeyDescriptors().stream().filter(keyDescriptor -> {
                return keyDescriptor.getUse() == UsageType.SIGNING;
            }).flatMap(SamlClient::getDatasWithCertificates).map(SamlClient::getFirstCertificate).collect(Collectors.toList());
        } catch (Exception e) {
            throw new SamlException("Exception in getCertificates", e);
        }
    }

    private static Stream<X509Data> getDatasWithCertificates(KeyDescriptor keyDescriptor) {
        return keyDescriptor.getKeyInfo().getX509Datas().stream().filter(x509Data -> {
            return x509Data.getX509Certificates().size() > 0;
        });
    }

    private static X509Certificate getFirstCertificate(X509Data x509Data) {
        try {
            org.opensaml.xml.signature.X509Certificate x509Certificate = (org.opensaml.xml.signature.X509Certificate) x509Data.getX509Certificates().stream().findFirst().orElse(null);
            if (x509Certificate != null) {
                return KeyInfoHelper.getCertificate(x509Certificate);
            }
            return null;
        } catch (CertificateException e) {
            logger.error("Exception in getFirstCertificate", e);
            return null;
        }
    }

    private static Credential getCredential(X509Certificate x509Certificate) {
        BasicX509Credential basicX509Credential = new BasicX509Credential();
        basicX509Credential.setEntityCertificate(x509Certificate);
        basicX509Credential.setPublicKey(x509Certificate.getPublicKey());
        basicX509Credential.setCRLs(Collections.emptyList());
        return basicX509Credential;
    }

    private static XMLObject buildSamlObject(QName qName) {
        return Configuration.getBuilderFactory().getBuilder(qName).buildObject(qName);
    }
}
