package org.springframework.security.saml.websso;

import java.io.Serializable;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import javax.xml.namespace.QName;
import org.eclipse.persistence.exceptions.ValidationException;
import org.opensaml.common.SAMLException;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.AuthnContext;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
import org.opensaml.saml2.core.AuthnContextDeclRef;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.Condition;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.OneTimeUse;
import org.opensaml.saml2.core.ProxyRestriction;
import org.opensaml.saml2.core.RequestedAuthnContext;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.saml2.core.SubjectConfirmationData;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.signature.Signature;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.saml.SAMLConstants;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.metadata.MetadataManager;
import org.springframework.security.saml.processor.SAMLProcessor;
import org.springframework.security.saml.util.SAMLUtil;
import org.springframework.util.Assert;

/* loaded from: input_file:WEB-INF/lib/spring-security-saml2-core-1.0.0.RC2.jar:org/springframework/security/saml/websso/WebSSOProfileConsumerImpl.class */
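/**
 * Consumer side of the SAML 2.0 Web SSO profile: validates an inbound Response/Assertion
 * received from the IdP against the local SP metadata and the originating AuthnRequest.
 * <p>
 * Validation is split into protected hooks ({@link #verifyAssertion}, {@link #verifySubject},
 * {@link #verifyAssertionConditions}, ...) so subclasses can tighten or relax individual checks.
 * Every rejection is logged at debug level with the reason before the exception is thrown.
 * <p>
 * Note: this listing is decompiler output; {@link #processAuthenticationResponse} was not
 * recovered and is left as the decompiler's stub.
 */
public class WebSSOProfileConsumerImpl extends AbstractProfileBase implements WebSSOProfileConsumer {

    private static final Logger log = LoggerFactory.getLogger(WebSSOProfileConsumerImpl.class);

    /**
     * Default for {@link #getMaxAuthenticationAge()}: two hours, in seconds.
     * The decompiled class expressed this literal through an unrelated EclipseLink constant
     * ({@code ValidationException.EMBEDDABLE_ATTRIBUTE_OVERRIDE_NOT_FOUND}), whose numeric value is 7200;
     * the EclipseLink dependency is an artifact of the decompiler, not of this class.
     */
    private static final int DEFAULT_MAX_AUTHENTICATION_AGE = 7200;

    // Maximum age (seconds, skew applied on top) of an AuthnStatement's AuthnInstant accepted by
    // verifyAuthenticationStatement; forces re-authentication for stale IdP sessions.
    private int maxAuthenticationAge = DEFAULT_MAX_AUTHENTICATION_AGE;

    /**
     * Creates a consumer with the default maximum authentication age; processor and metadata
     * are expected to be injected by the container.
     */
    public WebSSOProfileConsumerImpl() {
    }

    /**
     * Creates a consumer with the default maximum authentication age.
     *
     * @param processor processor used to parse inbound SAML messages
     * @param manager   metadata manager providing local and peer entity descriptors
     */
    public WebSSOProfileConsumerImpl(SAMLProcessor processor, MetadataManager manager) {
        super(processor, manager);
    }

    /**
     * @return the Web SSO profile URI this consumer implements
     */
    @Override
    public String getProfileIdentifier() {
        return SAMLConstants.SAML2_WEBSSO_PROFILE_URI;
    }

    /**
     * Processes the inbound authentication Response and builds the resulting credential.
     * <p>
     * The body of this method was not recovered by the decompiler (1104 instructions skipped);
     * the stub below is the decompiler's placeholder and is kept verbatim. It is presumably the
     * caller of {@link #verifyAssertion} and {@link #processAdditionalData} — not verifiable from
     * this listing.
     *
     * @param r11 message context holding the inbound Response and the local/peer metadata
     * @return credential describing the authenticated subject
     * @throws UnsupportedOperationException always, in this decompiled stub
     */
    @Override
    public org.springframework.security.saml.SAMLCredential processAuthenticationResponse(org.springframework.security.saml.context.SAMLMessageContext r11) throws org.opensaml.common.SAMLException, org.opensaml.xml.security.SecurityException, org.opensaml.xml.validation.ValidationException, org.opensaml.xml.encryption.DecryptionException {
        throw new UnsupportedOperationException("Method not decompiled: org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(org.springframework.security.saml.context.SAMLMessageContext):org.springframework.security.saml.SAMLCredential");
    }

    /**
     * Extension hook for subclasses to derive extra data from the message context that is then
     * attached to the credential. The default implementation contributes nothing.
     *
     * @param context message context of the processed Response
     * @return additional data to store with the credential, or {@code null} for none
     * @throws SAMLException if the additional data cannot be produced
     */
    protected Serializable processAdditionalData(SAMLMessageContext context) throws SAMLException {
        return null;
    }

    /**
     * Verifies a single Assertion: issue-instant age, issuer, signature, subject confirmation,
     * conditions and every AuthnStatement it carries.
     *
     * @param assertion the (already decrypted) assertion to verify
     * @param request   the AuthnRequest this response answers, or {@code null} for IdP-initiated SSO
     * @param context   message context with local/peer metadata
     * @throws CredentialsExpiredException if the assertion is older than {@code maxAssertionTime} plus skew
     * @throws SAMLException               if the assertion is structurally invalid or fails a profile check
     */
    protected void verifyAssertion(Assertion assertion, AuthnRequest request, SAMLMessageContext context)
            throws AuthenticationException, SAMLException, SecurityException,
                   org.opensaml.xml.validation.ValidationException, DecryptionException {
        if (!SAMLUtil.isDateTimeSkewValid(getResponseSkew(), getMaxAssertionTime(), assertion.getIssueInstant())) {
            // Fix: the original message had no placeholder, so the issue instant argument was silently dropped
            log.debug("Assertion with issue instant {} is too old to be used, value can be customized by setting maxAssertionTime value", assertion.getIssueInstant());
            throw new CredentialsExpiredException("Users authentication credential is too old to be used");
        }

        verifyIssuer(assertion.getIssuer(), context);
        verifyAssertionSignature(assertion.getSignature(), context);

        Subject subject = assertion.getSubject();
        if (subject == null) {
            log.debug("Assertion does not contain subject and is discarded");
            throw new SAMLException("Assertion does not contain subject and is discarded");
        }
        verifySubject(subject, request, context);

        List<AuthnStatement> authnStatements = assertion.getAuthnStatements();
        // An AudienceRestriction is mandatory only for assertions that carry an authentication statement.
        boolean audienceRequired = !authnStatements.isEmpty();
        verifyAssertionConditions(assertion.getConditions(), context, audienceRequired);

        // Without an originating request there is no requested context to compare against.
        RequestedAuthnContext requestedContext = request == null ? null : request.getRequestedAuthnContext();
        for (AuthnStatement statement : authnStatements) {
            verifyAuthenticationStatement(statement, requestedContext, context);
        }
    }

    /**
     * Verifies that the subject can be confirmed by at least one bearer SubjectConfirmation and,
     * on success, stores the (decrypted) NameID in the context.
     * <p>
     * A bearer confirmation is accepted only when its data has no NotBefore, a NotOnOrAfter that is
     * still in the future (skew applied), an InResponseTo matching the request ID when a request is
     * known, and a Recipient that is one of our own endpoints. The first confirmation that passes
     * wins; the rest are not examined.
     *
     * @param subject the assertion subject
     * @param request the originating AuthnRequest, or {@code null} for IdP-initiated SSO
     * @param context message context; receives the subject NameID on success
     * @throws SAMLException       if no bearer confirmation can be validated
     * @throws DecryptionException if an EncryptedID cannot be decrypted
     */
    protected void verifySubject(Subject subject, AuthnRequest request, SAMLMessageContext context)
            throws SAMLException, DecryptionException {
        for (SubjectConfirmation confirmation : subject.getSubjectConfirmations()) {
            if (!SubjectConfirmation.METHOD_BEARER.equals(confirmation.getMethod())) {
                continue; // only the bearer method is supported by this profile
            }
            log.debug("Processing Bearer subject confirmation");

            SubjectConfirmationData data = confirmation.getSubjectConfirmationData();
            if (data == null) {
                log.debug("Bearer SubjectConfirmation invalidated by missing confirmation data");
                continue;
            }
            if (data.getNotBefore() != null) {
                // The Web SSO profile forbids NotBefore on bearer confirmation data.
                log.debug("Bearer SubjectConfirmation invalidated by not before which is forbidden");
                continue;
            }
            if (data.getNotOnOrAfter() == null) {
                log.debug("Bearer SubjectConfirmation invalidated by missing notOnOrAfter");
                continue;
            }
            if (data.getNotOnOrAfter().plusSeconds(getResponseSkew()).isBeforeNow()) {
                log.debug("Bearer SubjectConfirmation invalidated by notOnOrAfter");
                continue;
            }

            if (request != null) {
                // Fix: the decompiled listing logged these two failures but still fell through and
                // accepted the confirmation; a confirmation that does not answer our request is rejected.
                if (data.getInResponseTo() == null) {
                    log.debug("Bearer SubjectConfirmation invalidated by missing inResponseTo field");
                    continue;
                }
                if (!data.getInResponseTo().equals(request.getID())) {
                    log.debug("Bearer SubjectConfirmation invalidated by invalid in response to");
                    continue;
                }
            }

            if (data.getRecipient() == null) {
                log.debug("Bearer SubjectConfirmation invalidated by missing recipient");
                continue;
            }
            try {
                verifyEndpoint(context.getLocalEntityEndpoint(), data.getRecipient());
            } catch (SAMLException e) {
                log.debug("Bearer SubjectConfirmation invalidated by recipient assertion consumer URL, found {}", data.getRecipient());
                continue;
            }

            NameID nameID;
            if (subject.getEncryptedID() != null) {
                Assert.notNull(context.getLocalDecrypter(), "Can't decrypt NameID, no decrypter is set in the context");
                nameID = (NameID) context.getLocalDecrypter().decrypt(subject.getEncryptedID());
            } else {
                nameID = subject.getNameID();
            }
            context.setSubjectNameIdentifier(nameID);
            return;
        }

        log.debug("Assertion invalidated by subject confirmation - can't be confirmed by the bearer method");
        throw new SAMLException("Assertion invalidated by subject confirmation - can't be confirmed by the bearer method");
    }

    /**
     * Verifies the assertion signature against the peer entity's trust engine. An unsigned
     * assertion is accepted only when the local SP metadata does not demand signed assertions,
     * or when the enclosing SAML message was itself authenticated (signed).
     *
     * @param signature the assertion signature, or {@code null} if the assertion is unsigned
     * @param context   message context with local role metadata, peer metadata and trust engine
     * @throws SAMLException if the assertion is unsigned but metadata requires a signature
     */
    protected void verifyAssertionSignature(Signature signature, SAMLMessageContext context)
            throws SAMLException, SecurityException, org.opensaml.xml.validation.ValidationException {
        SPSSODescriptor localRole = (SPSSODescriptor) context.getLocalEntityRoleMetadata();
        boolean wantAssertionsSigned = localRole.getWantAssertionsSigned().booleanValue();

        if (signature != null) {
            verifySignature(signature, context.getPeerEntityMetadata().getEntityID(), context.getLocalTrustEngine());
            return;
        }
        if (wantAssertionsSigned && !context.isInboundSAMLMessageAuthenticated()) {
            log.debug("Metadata includes wantAssertionSigned, but neither SAML message nor Assertion is signed");
            throw new SAMLException("Assertion or SAML message must be signed");
        }
    }

    /**
     * Verifies the Conditions element: validity window (skew applied), audience restrictions,
     * and that every other condition is one this SP understands. OneTimeUse is rejected because
     * the SP keeps no replay cache; ProxyRestriction is accepted because the SP never re-issues
     * assertions. Anything else is handed to {@link #verifyConditions} as "not understood".
     *
     * @param conditions       the conditions, or {@code null} if absent
     * @param context          message context (local entity id is the expected audience)
     * @param audienceRequired whether at least one AudienceRestriction must be present
     * @throws SAMLException if any condition fails
     */
    protected void verifyAssertionConditions(Conditions conditions, SAMLMessageContext context, boolean audienceRequired) throws SAMLException {
        if (audienceRequired && (conditions == null || conditions.getAudienceRestrictions().isEmpty())) {
            log.debug("Assertion invalidated by missing Audience Restriction");
            throw new SAMLException("Assertion invalidated by missing Audience Restriction");
        }
        if (conditions == null) {
            return;
        }

        if (conditions.getNotBefore() != null && conditions.getNotBefore().minusSeconds(getResponseSkew()).isAfterNow()) {
            log.debug("Assertion is not yet valid, invalidated by condition notBefore {}", conditions.getNotBefore());
            throw new SAMLException("Assertion is not yet valid, invalidated by condition notBefore");
        }
        if (conditions.getNotOnOrAfter() != null && conditions.getNotOnOrAfter().plusSeconds(getResponseSkew()).isBeforeNow()) {
            log.debug("Assertion is no longer valid, invalidated by condition notOnOrAfter {}", conditions.getNotOnOrAfter());
            throw new SAMLException("Assertion is no longer valid, invalidated by condition notOnOrAfter");
        }

        List<Condition> notUnderstood = new LinkedList<Condition>();
        for (Condition condition : conditions.getConditions()) {
            QName name = condition.getElementQName();
            // Fix: the decompiled listing flattened this chain, so an AudienceRestriction also fell into
            // the "not understood" branch; each condition belongs to exactly one branch.
            if (AudienceRestriction.DEFAULT_ELEMENT_NAME.equals(name)) {
                verifyAudienceRestriction((AudienceRestriction) condition, context);
            } else if (OneTimeUse.DEFAULT_ELEMENT_NAME.equals(name)) {
                log.debug("System cannot honor OneTimeUse condition of the SAML Assertion for WebSSO");
                throw new SAMLException("System cannot honor OneTimeUse condition of the SAML Assertion for WebSSO");
            } else if (ProxyRestriction.DEFAULT_ELEMENT_NAME.equals(name)) {
                log.debug("Honoring ProxyRestriction with count {}, system does not issue assertions to 3rd parties", ((ProxyRestriction) condition).getProxyCount());
            } else {
                log.debug("Condition {} is not understood", condition);
                notUnderstood.add(condition);
            }
        }
        verifyConditions(context, notUnderstood);
    }

    /**
     * Verifies that our local entity id is listed among the audiences of one restriction.
     * <p>
     * Fix: in the decompiled listing the inner scan ended in a {@code break} that fell straight
     * into the "not the intended audience" throw, rejecting every assertion that carried an
     * AudienceRestriction; a matching audience now returns normally.
     *
     * @param restriction the audience restriction to check
     * @param context     message context providing the local entity id
     * @throws SAMLException if the restriction has no audiences or none names this entity
     */
    private void verifyAudienceRestriction(AudienceRestriction restriction, SAMLMessageContext context) throws SAMLException {
        if (restriction.getAudiences().isEmpty()) {
            log.debug("No audit audience specified for the assertion");
            throw new SAMLException("No audit audience specified for the assertion");
        }
        String localEntityId = context.getLocalEntityId();
        for (Audience audience : restriction.getAudiences()) {
            if (localEntityId.equals(audience.getAudienceURI())) {
                return;
            }
        }
        log.debug("Our entity is not the intended audience of the assertion");
        throw new SAMLException("Our entity is not the intended audience of the assertion");
    }

    /**
     * Handles conditions that {@link #verifyAssertionConditions} did not recognise. The default is
     * strict: any unknown condition rejects the assertion. Subclasses may override to honor
     * additional condition types.
     *
     * @param context    message context
     * @param conditions conditions not understood by the base implementation; may be {@code null} or empty
     * @throws SAMLException if the list is non-empty
     */
    protected void verifyConditions(SAMLMessageContext context, List<Condition> conditions) throws SAMLException {
        if (conditions == null || conditions.isEmpty()) {
            return;
        }
        log.debug("Assertion contain not understood conditions");
        throw new SAMLException("Assertion contain not understood conditions");
    }

    /**
     * Verifies one AuthnStatement: the authentication must be recent enough
     * ({@link #getMaxAuthenticationAge()} plus skew), the IdP session must not have ended, and the
     * authentication context must satisfy what was requested.
     *
     * @param statement        the authentication statement
     * @param requestedContext the context requested in the AuthnRequest, or {@code null}
     * @param context          message context
     * @throws CredentialsExpiredException         if the authentication or session is too old
     * @throws InsufficientAuthenticationException if the authentication context does not match
     */
    protected void verifyAuthenticationStatement(AuthnStatement statement, RequestedAuthnContext requestedContext, SAMLMessageContext context) throws AuthenticationException {
        if (!SAMLUtil.isDateTimeSkewValid(getResponseSkew(), getMaxAuthenticationAge(), statement.getAuthnInstant())) {
            log.debug("Authentication statement is too old to be used with value {}", statement.getAuthnInstant());
            throw new CredentialsExpiredException("Authentication statement is too old to be used");
        }
        // NOTE(review): unlike the other time checks, SessionNotOnOrAfter is compared without response skew.
        if (statement.getSessionNotOnOrAfter() != null && statement.getSessionNotOnOrAfter().isBeforeNow()) {
            log.debug("Authentication session is not valid on or after {}", statement.getSessionNotOnOrAfter());
            throw new CredentialsExpiredException("Authentication session is not valid anymore");
        }
        verifyAuthnContext(requestedContext, statement.getAuthnContext(), context);
    }

    /**
     * Verifies the received AuthnContext against the requested one. Only the {@code exact}
     * comparison is enforced: the received class ref or declaration ref must equal one of the
     * requested refs. Any other comparison type, or no request, is accepted without checking.
     *
     * @param requested the requested context, or {@code null}
     * @param received  the context from the AuthnStatement; may be {@code null}
     * @param context   message context (unused by the default implementation)
     * @throws InsufficientAuthenticationException if an exact match was requested and none was found
     */
    protected void verifyAuthnContext(RequestedAuthnContext requested, AuthnContext received, SAMLMessageContext context) throws InsufficientAuthenticationException {
        log.debug("Verifying received AuthnContext {} against requested {}", received, requested);
        if (requested == null || !AuthnContextComparisonTypeEnumeration.EXACT.equals(requested.getComparison())) {
            return;
        }

        // Fix: a missing AuthnContext previously dereferenced null here; it now simply matches nothing.
        String receivedClassRef = null;
        String receivedDeclRef = null;
        if (received != null) {
            if (received.getAuthnContextClassRef() != null) {
                receivedClassRef = received.getAuthnContextClassRef().getAuthnContextClassRef();
            }
            if (received.getAuthnContextDeclRef() != null) {
                receivedDeclRef = received.getAuthnContextDeclRef().getAuthnContextDeclRef();
            }
        }

        if (receivedClassRef != null && requested.getAuthnContextClassRefs() != null) {
            for (AuthnContextClassRef ref : requested.getAuthnContextClassRefs()) {
                if (receivedClassRef.equals(ref.getAuthnContextClassRef())) {
                    log.debug("AuthContext matched");
                    return;
                }
            }
        }
        if (receivedDeclRef != null && requested.getAuthnContextDeclRefs() != null) {
            for (AuthnContextDeclRef ref : requested.getAuthnContextDeclRefs()) {
                if (receivedDeclRef.equals(ref.getAuthnContextDeclRef())) {
                    log.debug("AuthContext matched");
                    return;
                }
            }
        }
        throw new InsufficientAuthenticationException("Response doesn't contain any of the requested authentication context class or declaration references");
    }

    /**
     * @return maximum accepted age of an authentication statement, in seconds (default 7200)
     */
    public int getMaxAuthenticationAge() {
        return this.maxAuthenticationAge;
    }

    /**
     * @param maxAuthenticationAge maximum accepted age of an authentication statement, in seconds
     */
    public void setMaxAuthenticationAge(int maxAuthenticationAge) {
        this.maxAuthenticationAge = maxAuthenticationAge;
    }
}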
