package dk.digitalidentity.samlmodule.service.validation;

import dk.digitalidentity.samlmodule.service.metadata.DISAML_IdPMetadataService;
import dk.digitalidentity.samlmodule.util.exceptions.ExternalException;
import dk.digitalidentity.samlmodule.util.exceptions.InternalException;
import java.util.Objects;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.handler.MessageHandlerException;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.binding.security.impl.MessageLifetimeSecurityHandler;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.springframework.util.StringUtils;

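@Service
public class DISAML_AssertionValidationService {
    private static final Logger log = LoggerFactory.getLogger(DISAML_AssertionValidationService.class);

    /** Tolerated difference between the IdP clock and ours when checking message lifetime (milliseconds). */
    private static final long CLOCK_SKEW_MILLIS = 300000L;

    @Autowired
    private DISAML_IdPMetadataService idPMetadataService;

    /**
     * Validates an Assertion received from the IdP before any of its content is trusted.
     *
     * <p>Checks run in this order and the first failure aborts: XML signature (profile check and
     * cryptographic check against the IdP signing certificate), message lifetime as recorded on the
     * message context, Issuer against the IdP metadata entityID, and presence of a non-empty
     * Subject/NameID. The signature is checked first so that the later checks only ever read
     * authenticated content.
     *
     * @param messageContext the inbound message context the Assertion arrived in
     * @param assertion the Assertion to validate
     * @throws ExternalException if the Assertion fails a check (unsigned, bad signature, expired,
     *     wrong Issuer, missing Subject/NameID) — the input is at fault
     * @throws InternalException if validation could not be performed (handler initialization,
     *     metadata lookup) — our side is at fault
     */
    public void validate(MessageContext<SAMLObject> messageContext, Assertion assertion) throws InternalException, ExternalException {
        log.debug("Started validation of Assertion");
        validateSignature(assertion);
        validateLifeTime(messageContext);
        validateIssuer(assertion);
        validateSubjectNameID(assertion);
        log.debug("Completed validation of Assertion");
    }

    /**
     * Requires the Assertion to carry a Signature and verifies it against the IdP signing certificate.
     *
     * <p>The signature profile is validated before the cryptographic check: the Signature's Reference
     * must point at this Assertion's own ID, otherwise a signature that is valid over some other
     * element in the document would be accepted as covering this Assertion (signature wrapping).
     *
     * @throws ExternalException if the Assertion is unsigned or the signature does not verify
     * @throws InternalException if the IdP signing certificate cannot be obtained
     */
    private void validateSignature(Assertion assertion) throws InternalException, ExternalException {
        log.debug("Validating Signature");
        if (!assertion.isSigned()) {
            throw new ExternalException("Assertion is not signed");
        }
        try {
            // Profile check first; a cryptographically valid signature is only meaningful
            // if it actually covers this Assertion.
            new SAMLSignatureProfileValidator().validate(assertion.getSignature());
            // NOTE(review): a single SIGNING certificate is used, so an IdP key rollover
            // with two published signing keys is not handled here — confirm against the metadata service.
            SignatureValidator.validate(assertion.getSignature(), new BasicX509Credential(this.idPMetadataService.getX509Certificate(UsageType.SIGNING)));
        } catch (SignatureException e) {
            throw new ExternalException("Could not validate assertion signature", e);
        }
    }

    /**
     * Runs OpenSAML's {@link MessageLifetimeSecurityHandler} over the message context with a fixed clock skew.
     *
     * <p>NOTE(review): this checks the lifetime recorded on the message context, not the Assertion's
     * own Conditions (NotBefore/NotOnOrAfter, AudienceRestriction) or SubjectConfirmationData
     * (Recipient, InResponseTo, NotOnOrAfter) — confirm those are validated elsewhere in the flow.
     *
     * @throws ExternalException if the handler rejects the message lifetime
     * @throws InternalException if the handler cannot be initialized
     */
    private void validateLifeTime(MessageContext<SAMLObject> messageContext) throws InternalException, ExternalException {
        log.debug("Validating Lifetime");
        MessageLifetimeSecurityHandler handler = new MessageLifetimeSecurityHandler();
        try {
            handler.setClockSkew(CLOCK_SKEW_MILLIS);
            handler.initialize();
            handler.invoke(messageContext);
        } catch (ComponentInitializationException e) {
            throw new InternalException("Could not initialize MessageLifetimeSecurityHandler", e);
        } catch (MessageHandlerException e) {
            throw new ExternalException("Message lifetime incorrect", e);
        } finally {
            // The handler is a one-shot component; release it whether or not validation passed.
            if (handler.isInitialized() && !handler.isDestroyed()) {
                handler.destroy();
            }
        }
    }

    /**
     * Requires the Assertion Issuer to equal the entityID from the configured IdP metadata.
     *
     * @throws ExternalException if no Issuer is present or its value differs from the metadata entityID
     * @throws InternalException if the IdP metadata cannot be loaded
     */
    private void validateIssuer(Assertion assertion) throws InternalException, ExternalException {
        log.debug("Validating Issuer");
        String entityID = this.idPMetadataService.getMetadata().getEntityID();
        Issuer issuer = assertion.getIssuer();
        if (issuer == null) {
            throw new ExternalException("No Issuer found");
        }
        // Objects.equals: a null entityID from metadata must not match a null Issuer value by accident
        // of a NullPointerException path — both sides are compared explicitly.
        if (!Objects.equals(entityID, issuer.getValue())) {
            throw new ExternalException("Issuer does not match IdP metadata. Expected: " + entityID + " Was: " + issuer.getValue());
        }
    }

    /**
     * Requires a Subject with a non-empty NameID; downstream code identifies the user by this value.
     *
     * @throws ExternalException if Subject or NameID is missing, or NameID has no value
     */
    private void validateSubjectNameID(Assertion assertion) throws ExternalException {
        log.debug("Validating Subject");
        Subject subject = assertion.getSubject();
        if (subject == null) {
            throw new ExternalException("No Subject found on Assertion");
        }
        NameID nameID = subject.getNameID();
        if (nameID == null) {
            throw new ExternalException("No Subject.NameID found on Assertion");
        }
        if (!StringUtils.hasLength(nameID.getValue())) {
            throw new ExternalException("Assertion.Subject.NameID was null or empty");
        }
    }
}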
