package se.litsec.opensaml.saml2.common.response;

import java.io.ByteArrayInputStream;
import java.util.Optional;
import net.shibboleth.utilities.java.support.codec.Base64Support;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.Criterion;
import net.shibboleth.utilities.java.support.xml.XMLParserException;
import org.opensaml.core.xml.io.UnmarshallingException;
import org.opensaml.messaging.decoder.MessageDecodingException;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.criterion.RoleDescriptorCriterion;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.EncryptedElementType;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.security.impl.MetadataCredentialResolver;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.xmlsec.config.DefaultSecurityConfigurationBootstrap;
import org.opensaml.xmlsec.encryption.support.DecryptionException;
import org.opensaml.xmlsec.signature.support.SignaturePrevalidator;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.Assert;
import se.litsec.opensaml.saml2.common.assertion.AssertionValidationParametersBuilder;
import se.litsec.opensaml.saml2.common.assertion.AssertionValidator;
import se.litsec.opensaml.saml2.metadata.PeerMetadataResolver;
import se.litsec.opensaml.utils.ObjectUtils;
import se.litsec.opensaml.xmlsec.SAMLObjectDecrypter;

/* loaded from: input_file:se/litsec/opensaml/saml2/common/response/ResponseProcessorImpl.class */
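public class ResponseProcessorImpl implements ResponseProcessor {

    /** Decrypts the EncryptedAssertion of a Response. Must be assigned before {@link #initialize()}. */
    protected SAMLObjectDecrypter decrypter;

    /** Rejects Response messages that have already been processed. Must be assigned before {@link #initialize()}. */
    protected MessageReplayChecker messageReplayChecker;

    /** Resolves signing credentials from the IdP metadata; built in {@link #initialize()}. */
    protected MetadataCredentialResolver metadataCredentialResolver;

    /** Trust engine used for Response and Assertion signature validation; built in {@link #initialize()}. */
    protected SignatureTrustEngine signatureTrustEngine;

    /** Validator for the Response element; obtained from {@link #createResponseValidator}. */
    protected ResponseValidator responseValidator;

    /** Validator for the decrypted Assertion; obtained from {@link #createAssertionValidator}. */
    protected AssertionValidator assertionValidator;

    /** Strictness, allowed clock skew and max message age; a default instance is created in {@link #initialize()} if unset. */
    protected ResponseValidationSettings responseValidationSettings;

    private final Logger log = LoggerFactory.getLogger(ResponseProcessorImpl.class);

    /** Checks the XML Signature profile of a signed object before any trust evaluation. */
    protected SignaturePrevalidator signatureProfileValidator = new SAMLSignatureProfileValidator();

    /** Guards against building the resolver, trust engine and validators more than once. */
    private boolean isInitialized = false;

    /**
     * Decodes, validates and decrypts a SAML Response.
     * <p>
     * Processing order: Base64 decode and unmarshall, look up the IdP metadata by the Response Issuer, validate
     * the Response (signature required), replay check, status check, RelayState check, decrypt the first
     * EncryptedAssertion, validate the Assertion.
     *
     * @param str the Base64-encoded SAML Response message
     * @param str2 the RelayState received with the response, or {@code null}
     * @param responseProcessingInput the originating AuthnRequest, receive URL, receive instant and the sent RelayState
     * @param peerMetadataResolver resolver used to look up the metadata of the issuing IdP
     * @param validationContext optional caller-supplied static/dynamic validation parameters; dynamic parameters
     *          produced during validation are copied back into it
     * @return the result holding the decrypted and validated Assertion
     * @throws ResponseStatusErrorException if the Response status is not Success
     * @throws ResponseProcessingException if decoding, validation, replay checking or decryption fails
     */
    @Override
    public ResponseProcessingResult processSamlResponse(String str, String str2, ResponseProcessingInput responseProcessingInput,
            PeerMetadataResolver peerMetadataResolver, ValidationContext validationContext)
            throws ResponseStatusErrorException, ResponseProcessingException {
        try {
            Response response = decodeResponse(str);
            if (this.log.isTraceEnabled()) {
                this.log.trace("[{}] Decoded Response: {}", logId(response), ObjectUtils.toStringSafe(response));
            }

            // The IdP is identified solely by the Response Issuer. validateResponse rejects the message when no
            // metadata is found, so a missing or unknown Issuer never reaches the status check or decryption.
            String issuerId = response.getIssuer() != null ? response.getIssuer().getValue() : null;
            EntityDescriptor idpMetadata = issuerId != null ? peerMetadataResolver.getMetadata(issuerId) : null;

            // Signature and content validation runs before the replay check and before the status is trusted.
            validateResponse(response, str2, responseProcessingInput, idpMetadata, validationContext);
            this.messageReplayChecker.checkReplay(response);

            // A Response without Status/StatusCode would otherwise fail with a NullPointerException below.
            if (response.getStatus() == null || response.getStatus().getStatusCode() == null) {
                this.log.error("Response is missing Status/StatusCode [{}]", logId(response));
                throw new ResponseValidationException("Response is missing Status/StatusCode");
            }
            if (!"urn:oasis:names:tc:SAML:2.0:status:Success".equals(response.getStatus().getStatusCode().getValue())) {
                this.log.info("Authentication failed with status '{}' [{}]",
                    ResponseStatusErrorException.statusToString(response.getStatus()), logId(response));
                throw new ResponseStatusErrorException(response.getStatus(), response.getID());
            }

            validateRelayState(response, str2, responseProcessingInput);

            // Only the first EncryptedAssertion is processed; plain (unencrypted) Assertion elements are not consulted.
            if (response.getEncryptedAssertions().isEmpty()) {
                this.log.error("Response contains no EncryptedAssertion [{}]", logId(response));
                throw new ResponseValidationException("Response contains no EncryptedAssertion");
            }
            if (response.getEncryptedAssertions().size() > 1) {
                this.log.warn("Response contains {} EncryptedAssertion elements - only the first is processed [{}]",
                    response.getEncryptedAssertions().size(), logId(response));
            }
            Assertion assertion = (Assertion) this.decrypter.decrypt(
                (EncryptedElementType) response.getEncryptedAssertions().get(0), Assertion.class);
            if (this.log.isTraceEnabled()) {
                this.log.trace("[{}] Decrypted Assertion: {}", logId(response, assertion), ObjectUtils.toStringSafe(assertion));
            }

            validateAssertion(assertion, response, responseProcessingInput, idpMetadata, validationContext);
            return new ResponseProcessingResultImpl(assertion);
        } catch (MessageReplayException e) {
            throw new ResponseProcessingException("Message replay: " + e.getMessage(), e);
        } catch (DecryptionException e) {
            throw new ResponseProcessingException("Failed to decrypt assertion: " + e.getMessage(), e);
        }
    }

    /**
     * Builds the metadata credential resolver, the trust engine and the two validators.
     * <p>
     * {@code decrypter} and {@code messageReplayChecker} must be assigned first. A default
     * {@code ResponseValidationSettings} is created if none was assigned. Calling this method again after a
     * successful initialization is a no-op apart from the property checks.
     *
     * @throws Exception if a required property is missing, a validator factory returns {@code null}, or the
     *           credential resolver fails to initialize
     */
    public void initialize() throws Exception {
        Assert.notNull(this.decrypter, "Property 'decrypter' must be assigned");
        Assert.notNull(this.messageReplayChecker, "Property 'messageReplayChecker' must be assigned");
        if (this.responseValidationSettings == null) {
            this.responseValidationSettings = new ResponseValidationSettings();
            this.log.info("Using default responseValidationSettings [{}]", this.responseValidationSettings);
        }
        if (this.isInitialized) {
            return;
        }
        this.metadataCredentialResolver = new MetadataCredentialResolver();
        this.metadataCredentialResolver.setKeyInfoCredentialResolver(
            DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());
        this.metadataCredentialResolver.initialize();

        // Explicit-key trust: a signature is trusted only if its key is found in the resolved IdP metadata.
        this.signatureTrustEngine = new ExplicitKeySignatureTrustEngine(this.metadataCredentialResolver,
            DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());

        this.responseValidator = createResponseValidator(this.signatureTrustEngine, this.signatureProfileValidator);
        Assert.notNull(this.responseValidator, "createResponseValidator must not return null");
        this.assertionValidator = createAssertionValidator(this.signatureTrustEngine, this.signatureProfileValidator);
        Assert.notNull(this.assertionValidator, "createAssertionValidator must not return null");
        this.isInitialized = true;
    }

    /**
     * Creates the validator for the Response element.
     *
     * @param signatureTrustEngine trust engine for signature validation
     * @param signaturePrevalidator signature profile pre-validator
     * @return a new {@code ResponseValidator}
     */
    protected ResponseValidator createResponseValidator(SignatureTrustEngine signatureTrustEngine,
            SignaturePrevalidator signaturePrevalidator) {
        return new ResponseValidator(signatureTrustEngine, signaturePrevalidator);
    }

    /**
     * Creates the validator for the decrypted Assertion.
     * <p>
     * This base implementation returns {@code null}; since {@link #initialize()} rejects a {@code null} validator,
     * subclasses must override this method to supply one.
     *
     * @param signatureTrustEngine trust engine for signature validation
     * @param signaturePrevalidator signature profile pre-validator
     * @return {@code null} in this implementation
     */
    protected AssertionValidator createAssertionValidator(SignatureTrustEngine signatureTrustEngine,
            SignaturePrevalidator signaturePrevalidator) {
        return null;
    }

    /**
     * Base64-decodes and unmarshalls a Response message.
     *
     * @param str the Base64-encoded message
     * @return the unmarshalled Response
     * @throws ResponseProcessingException if the message cannot be decoded, parsed or unmarshalled
     */
    protected Response decodeResponse(String str) throws ResponseProcessingException {
        try {
            byte[] bytes = Base64Support.decode(str);
            if (bytes == null) {
                this.log.error("Unable to Base64 decode SAML response message");
                // Thrown inside the try so that it is wrapped like the other decoding failures.
                throw new MessageDecodingException("Unable to Base64 decode SAML response message");
            }
            return ObjectUtils.unmarshall(new ByteArrayInputStream(bytes), Response.class);
        } catch (MessageDecodingException | XMLParserException | UnmarshallingException e) {
            throw new ResponseProcessingException("Failed to decode message", e);
        }
    }

    /**
     * Validates the Response element (signature is always required) against the IdP metadata and the
     * originating AuthnRequest.
     *
     * @param response the Response to validate
     * @param str the received RelayState (not used by this method; RelayState is checked in {@link #validateRelayState})
     * @param responseProcessingInput the originating AuthnRequest, receive URL and receive instant
     * @param entityDescriptor the IdP metadata, or {@code null} if none was found
     * @param validationContext optional caller-supplied validation parameters, updated with dynamic parameters afterwards
     * @throws ResponseValidationException if no AuthnRequest is available, the IdP metadata has no IDPSSODescriptor,
     *           or the validator reports INVALID
     */
    protected void validateResponse(Response response, String str, ResponseProcessingInput responseProcessingInput,
            EntityDescriptor entityDescriptor, ValidationContext validationContext) throws ResponseValidationException {
        if (responseProcessingInput.getAuthnRequest() == null) {
            String msg = String.format("No AuthnRequest available when processing Response [%s]", logId(response));
            this.log.error("{}", msg);
            throw new ResponseValidationException(msg);
        }
        IDPSSODescriptor idpDescriptor = entityDescriptor != null
            ? entityDescriptor.getIDPSSODescriptor("urn:oasis:names:tc:SAML:2.0:protocol")
            : null;
        if (idpDescriptor == null) {
            throw new ResponseValidationException("Invalid/missing IdP metadata - cannot verify Response signature");
        }

        // Only signing credentials from the IdP's IDPSSODescriptor are accepted for the Response signature.
        ResponseValidationParametersBuilder builder = ((ResponseValidationParametersBuilder) ((ResponseValidationParametersBuilder) ((ResponseValidationParametersBuilder) ((ResponseValidationParametersBuilder) ((ResponseValidationParametersBuilder) ResponseValidationParametersBuilder.builder()
            .strictValidation(Boolean.valueOf(this.responseValidationSettings.isStrictValidation())))
            .allowedClockSkew(Long.valueOf(this.responseValidationSettings.getAllowedClockSkew())))
            .maxAgeReceivedMessage(Long.valueOf(this.responseValidationSettings.getMaxAgeResponse())))
            .signatureRequired(Boolean.TRUE))
            .signatureValidationCriteriaSet(new CriteriaSet(new Criterion[] {
                new RoleDescriptorCriterion(idpDescriptor), new UsageCriterion(UsageType.SIGNING) })))
            .receiveInstant(Long.valueOf(responseProcessingInput.getReceiveInstant()))
            .receiveUrl(responseProcessingInput.getReceiveURL())
            .authnRequest(responseProcessingInput.getAuthnRequest());
        if (validationContext != null) {
            builder.addStaticParameters(validationContext.getStaticParameters());
            builder.addDynamicParameters(validationContext.getDynamicParameters());
        }
        ValidationContext context = builder.build();
        ValidationResult result = this.responseValidator.validate(response, context);
        if (validationContext != null) {
            validationContext.getDynamicParameters().putAll(context.getDynamicParameters());
        }
        switch (result) {
            case VALID:
                this.log.debug("Response was successfully validated [{}]", logId(response));
                return;
            case INDETERMINATE:
                // NOTE(review): an INDETERMINATE result is accepted and only logged, as in the original
                // implementation; consider whether strict validation should treat it as a failure.
                this.log.warn("Validation of Response was indeterminate - {} [{}]", context.getValidationFailureMessage(), logId(response));
                return;
            case INVALID:
                this.log.error("Validation of Response failed - {} [{}]", context.getValidationFailureMessage(), logId(response));
                throw new ResponseValidationException(context.getValidationFailureMessage());
            default:
                return;
        }
    }

    /**
     * Checks that the RelayState received with the response matches the one sent with the request.
     * Blank (null or whitespace-only) values on both sides are treated as "no RelayState" and accepted.
     *
     * @param response the Response (used for logging only)
     * @param str the received RelayState, or {@code null}
     * @param responseProcessingInput holds the RelayState that was sent
     * @throws ResponseValidationException if exactly one side is blank, or the two values differ
     */
    protected void validateRelayState(Response response, String str, ResponseProcessingInput responseProcessingInput)
            throws ResponseValidationException {
        String sentRelayState = responseProcessingInput.getRelayState();
        boolean receivedBlank = str == null || str.trim().isEmpty();
        boolean sentBlank = sentRelayState == null || sentRelayState.trim().isEmpty();
        if (receivedBlank && sentBlank) {
            return;
        }
        if (str != null && str.equals(sentRelayState)) {
            return;
        }
        String msg = String.format("RelayState variable received with response (%s) does not match the sent one (%s)",
            str, sentRelayState);
        this.log.error("{} [{}]", msg, logId(response));
        throw new ResponseValidationException(msg);
    }

    /**
     * Validates the decrypted Assertion: signature (if required by the settings), issuer, audience, recipient
     * and timing, relative to the originating AuthnRequest.
     *
     * @param assertion the decrypted Assertion
     * @param response the enclosing Response (its IssueInstant is passed to the validator)
     * @param responseProcessingInput the originating AuthnRequest and receive URL
     * @param entityDescriptor the IdP metadata, or {@code null} if none was found
     * @param validationContext optional caller-supplied validation parameters, updated with dynamic parameters afterwards
     * @throws ResponseValidationException if the IdP metadata has no IDPSSODescriptor or the validator reports INVALID
     */
    protected void validateAssertion(Assertion assertion, Response response, ResponseProcessingInput responseProcessingInput,
            EntityDescriptor entityDescriptor, ValidationContext validationContext) throws ResponseValidationException {
        IDPSSODescriptor idpDescriptor = entityDescriptor != null
            ? entityDescriptor.getIDPSSODescriptor("urn:oasis:names:tc:SAML:2.0:protocol")
            : null;
        if (idpDescriptor == null) {
            throw new ResponseValidationException("Invalid/missing IdP metadata - cannot verify Assertion");
        }

        // The SP entityID (AuthnRequest Issuer) is the expected Audience and one of the valid Recipients.
        AuthnRequest authnRequest = responseProcessingInput.getAuthnRequest();
        String spEntityId = null;
        if (authnRequest != null && authnRequest.getIssuer() != null) {
            spEntityId = authnRequest.getIssuer().getValue();
        }

        AssertionValidationParametersBuilder builder = ((AssertionValidationParametersBuilder) ((AssertionValidationParametersBuilder) ((AssertionValidationParametersBuilder) ((AssertionValidationParametersBuilder) ((AssertionValidationParametersBuilder) ((AssertionValidationParametersBuilder) ((AssertionValidationParametersBuilder) ((AssertionValidationParametersBuilder) ((AssertionValidationParametersBuilder) AssertionValidationParametersBuilder.builder()
            .strictValidation(Boolean.valueOf(this.responseValidationSettings.isStrictValidation())))
            .allowedClockSkew(Long.valueOf(this.responseValidationSettings.getAllowedClockSkew())))
            .maxAgeReceivedMessage(Long.valueOf(this.responseValidationSettings.getMaxAgeResponse())))
            .signatureRequired(Boolean.valueOf(this.responseValidationSettings.isRequireSignedAssertions())))
            .signatureValidationCriteriaSet(new CriteriaSet(new Criterion[] {
                new RoleDescriptorCriterion(idpDescriptor), new UsageCriterion(UsageType.SIGNING) })))
            .receiveInstant(Long.valueOf(responseProcessingInput.getReceiveInstant())))
            .receiveUrl(responseProcessingInput.getReceiveURL()))
            .authnRequest(authnRequest))
            .expectedIssuer(entityDescriptor.getEntityID()))
            .responseIssueInstant(Long.valueOf(response.getIssueInstant().getMillis()))
            .validAudiences(spEntityId)
            .validRecipients(responseProcessingInput.getReceiveURL(), spEntityId);
        if (validationContext != null) {
            builder.addStaticParameters(validationContext.getStaticParameters());
            builder.addDynamicParameters(validationContext.getDynamicParameters());
        }
        ValidationContext context = builder.build();
        ValidationResult result = this.assertionValidator.validate(assertion, context);
        if (validationContext != null) {
            validationContext.getDynamicParameters().putAll(context.getDynamicParameters());
        }
        switch (result) {
            case VALID:
                this.log.debug("Assertion with ID '{}' was successfully validated", assertion.getID());
                return;
            case INDETERMINATE:
                // NOTE(review): INDETERMINATE is accepted and only logged, as in the original implementation.
                this.log.warn("Validation of Assertion with ID '{}' was indeterminate - {}", assertion.getID(), context.getValidationFailureMessage());
                return;
            case INVALID:
                this.log.error("Validation of Assertion failed - {}", context.getValidationFailureMessage());
                throw new ResponseValidationException(context.getValidationFailureMessage());
            default:
                return;
        }
    }

    /**
     * Assigns the decrypter used for the EncryptedAssertion.
     *
     * @param sAMLObjectDecrypter the decrypter
     */
    public void setDecrypter(SAMLObjectDecrypter sAMLObjectDecrypter) {
        this.decrypter = sAMLObjectDecrypter;
    }

    /**
     * Assigns the replay checker applied to every validated Response.
     *
     * @param messageReplayChecker the replay checker
     */
    public void setMessageReplayChecker(MessageReplayChecker messageReplayChecker) {
        this.messageReplayChecker = messageReplayChecker;
    }

    /**
     * Assigns the validation settings; if not called, defaults are created in {@link #initialize()}.
     *
     * @param responseValidationSettings the settings
     */
    public void setResponseValidationSettings(ResponseValidationSettings responseValidationSettings) {
        this.responseValidationSettings = responseValidationSettings;
    }

    /**
     * Builds a log tag of the form {@code response-id:'<id>'}; a missing ID is rendered as {@code <empty>}.
     */
    private static String logId(Response response) {
        String responseId = response.getID() != null ? response.getID() : "<empty>";
        return String.format("response-id:'%s'", responseId);
    }

    /**
     * Builds a log tag of the form {@code response-id:'<id>',assertion-id:'<id>'}; missing IDs are rendered as
     * {@code <empty>}.
     */
    private static String logId(Response response, Assertion assertion) {
        String responseId = response.getID() != null ? response.getID() : "<empty>";
        String assertionId = assertion.getID() != null ? assertion.getID() : "<empty>";
        return String.format("response-id:'%s',assertion-id:'%s'", responseId, assertionId);
    }
}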
