package com.appiancorp.security.auth.saml;

import com.appiancorp.security.auth.saml.exception.AssertionFailedException;
import com.appiancorp.security.auth.saml.exception.IdpEntityMismatchException;
import com.appiancorp.security.auth.saml.exception.NoTrustedAssertionException;
import com.appiancorp.security.auth.saml.exception.SecurityPolicyViolatedException;
import com.appiancorp.suite.cfg.FeatureToggleConfiguration;
import com.appiancorp.suite.cfg.SamlConfiguration;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.Sets;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import org.apache.log4j.Logger;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.handler.MessageHandlerChain;
import org.opensaml.messaging.handler.MessageHandlerException;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.common.assertion.AssertionValidationException;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler;
import org.opensaml.saml.saml2.assertion.SAML20AssertionValidator;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.Status;

/* loaded from: input_file:com/appiancorp/security/auth/saml/SamlMessageValidator.class */
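/**
 * Validates inbound SAML 2.0 messages (authentication responses and logout requests) before
 * the rest of the login flow trusts them.
 *
 * <p>The checks performed here, in order, are: the configured OpenSAML message-handler chain and
 * the received-endpoint check; the Response status code (must be Success); the Issuer of the
 * message (must equal the configured IdP entity id); the XML signature of the Response when it
 * carries one; and, per assertion, the Issuer, the assertion signature when present and &mdash;
 * only when {@code isSamlAdditionalAssertionValidationEnabled()} is on &mdash; the OpenSAML
 * {@link SAML20AssertionValidator} run with the SP identity as the only valid audience and the
 * configured clock skew. A response is accepted only if either the Response or the chosen
 * assertion is signed.
 *
 * <p>Instances hold only injected, immutable references; thread-safety therefore depends on the
 * injected collaborators (the OpenSAML validators are shared across requests by design).
 */
public class SamlMessageValidator {
    private static final Logger LOG = Logger.getLogger(SamlMessageValidator.class);

    /** SAML 2.0 top-level status code that indicates a successful response. */
    private static final String STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
    /** OpenSAML validation-context parameter: set of audiences this SP accepts. */
    private static final String PARAM_VALID_AUDIENCES = "saml2.Conditions.ValidAudiences";
    /** OpenSAML validation-context parameter: tolerated clock skew in milliseconds. */
    private static final String PARAM_CLOCK_SKEW = "saml2.ClockSkew";

    private final MessageHandlerChain messageHandlerChain;
    private final SamlConfiguration samlConfig;
    private final SamlSignatureValidator samlSignatureValidator;
    private final ReceivedEndpointSecurityHandlerFactory receivedEndpointSecurityHandlerFactory;
    private final SAML20AssertionValidator samlAssertionValidator;
    private final FeatureToggleConfiguration featureToggleConfiguration;

    /**
     * Creates a validator from its collaborators; nothing is validated at construction time.
     *
     * @param messageHandlerChain OpenSAML handler chain run against every inbound message
     * @param samlConfiguration source of the expected IdP entity id and this SP's identity
     * @param samlSignatureValidator verifies XML signatures against the IdP's trusted credentials
     * @param receivedEndpointSecurityHandlerFactory builds the per-request endpoint check
     * @param sAML20AssertionValidator OpenSAML assertion validator (conditions, audience, subject)
     * @param featureToggleConfiguration selects the assertion-selection strategy
     */
    public SamlMessageValidator(MessageHandlerChain messageHandlerChain, SamlConfiguration samlConfiguration, SamlSignatureValidator samlSignatureValidator, ReceivedEndpointSecurityHandlerFactory receivedEndpointSecurityHandlerFactory, SAML20AssertionValidator sAML20AssertionValidator, FeatureToggleConfiguration featureToggleConfiguration) {
        this.messageHandlerChain = messageHandlerChain;
        this.samlConfig = samlConfiguration;
        this.samlSignatureValidator = samlSignatureValidator;
        this.receivedEndpointSecurityHandlerFactory = receivedEndpointSecurityHandlerFactory;
        this.samlAssertionValidator = sAML20AssertionValidator;
        this.featureToggleConfiguration = featureToggleConfiguration;
    }

    /**
     * Runs the full validation pipeline on a SAML Response and returns the first assertion that
     * may be trusted.
     *
     * @param samlAuthToken carries the wrapped Response and the servlet request it arrived on
     * @return the first assertion that carries an AuthnStatement, has the expected Issuer and (when
     *     the feature toggle is on) passes {@link SAML20AssertionValidator}
     * @throws MessageHandlerException if the wrapped message is missing, if no assertion qualifies
     *     ({@link NoTrustedAssertionException}), or if neither the Response nor the chosen
     *     assertion is signed
     * @throws SecurityPolicyViolatedException if the handler chain or endpoint check fails
     * @throws IdpEntityMismatchException if a message or assertion Issuer is not the configured IdP
     * @throws AssertionFailedException if the Response status code is not Success
     */
    public Assertion getTrustedAssertionFromMessage(SamlAuthToken samlAuthToken) throws MessageHandlerException {
        SamlMessageContextWrapper<Response> contextWrapper = samlAuthToken.m4010getCredentials();
        LOG.debug("Validating inbound SAML message: " + contextWrapper.getMessageId());
        if (contextWrapper.getMessage() == null) {
            throw new MessageHandlerException("Inbound Message is not a SignableSAMLObject");
        }
        // Handler chain, endpoint, status and issuer checks all run before any signature work.
        executeSecurityPolicyRules(contextWrapper, samlAuthToken.getRequest());

        Response response = contextWrapper.getMessage();
        // A signature on the Response, if present, must verify against the configured IdP.
        if (response.isSigned()) {
            this.samlSignatureValidator.verifySignature(this.samlConfig.getIdpEntityId(), response);
        }

        // The legacy path skips the OpenSAML conditions/audience/clock-skew validation entirely;
        // it remains only behind the feature toggle.
        Assertion trustedAssertion = this.featureToggleConfiguration.isSamlAdditionalAssertionValidationEnabled()
            ? getFirstValidatedTrustedAssertion(contextWrapper)
            : getFirstTrustedAssertion(contextWrapper);
        if (trustedAssertion == null) {
            throw new NoTrustedAssertionException("SAML Response didn't contain an assertion which passed validation");
        }

        // Fail closed: something cryptographically bound to the IdP must cover what we accept.
        // Either the whole Response or the selected assertion has to carry a verified signature.
        if (trustedAssertion.isSigned() || response.isSigned()) {
            return trustedAssertion;
        }
        throw new MessageHandlerException("Message did not contain any signed objects.");
    }

    /**
     * Applies the message-level security policy: the injected handler chain, the received-endpoint
     * check for this request, and then the Issuer (and, for a Response, the status code) of the
     * unwrapped message.
     *
     * <p>The endpoint handler is created per request and destroyed exactly once, in a
     * {@code finally}, whether or not the checks pass.
     *
     * @param samlMessageContextWrapper wrapper around the inbound OpenSAML message context
     * @param httpServletRequest the request the message arrived on (used for the endpoint check)
     * @throws SecurityPolicyViolatedException if the handler chain or endpoint handler rejects the
     *     message, or the endpoint handler cannot be initialised
     * @throws IdpEntityMismatchException if the message Issuer is not the configured IdP
     * @throws AssertionFailedException if a Response carries a non-Success status code
     */
    @VisibleForTesting
    void executeSecurityPolicyRules(SamlMessageContextWrapper samlMessageContextWrapper, HttpServletRequest httpServletRequest) {
        ReceivedEndpointSecurityHandler endpointHandler = null;
        try {
            endpointHandler = this.receivedEndpointSecurityHandlerFactory.create(httpServletRequest);
            MessageContext messageContext = samlMessageContextWrapper.unwrap();
            this.messageHandlerChain.invoke(messageContext);
            endpointHandler.invoke(messageContext);
        } catch (MessageHandlerException | ComponentInitializationException e) {
            // Wrap so callers see one policy-failure type; the cause is preserved for diagnostics.
            throw new SecurityPolicyViolatedException("SAML Message context failed message handler check", e);
        } finally {
            if (endpointHandler != null) {
                endpointHandler.destroy();
            }
        }

        XMLObject message = (XMLObject) samlMessageContextWrapper.getMessage();
        if (message instanceof RequestAbstractType) {
            // Logout (and other) requests: only the Issuer is checked here.
            verifyIssuer(((RequestAbstractType) message).getIssuer());
        } else if (message instanceof Response) {
            Response response = (Response) message;
            verifyStatus(response.getStatus());
            verifyIssuer(response.getIssuer());
        }
    }

    /**
     * Rejects any Response whose top-level status code is not Success.
     *
     * @param status the Response status element; a missing status or status code is rejected too
     * @throws AssertionFailedException if the status code value is absent or not Success
     */
    private void verifyStatus(Status status) {
        String statusCode = (status == null || status.getStatusCode() == null)
            ? null
            : status.getStatusCode().getValue();
        if (!STATUS_SUCCESS.equals(statusCode)) {
            // Report the code value itself; the Status object's toString is not meaningful.
            throw new AssertionFailedException("SAML Response status code was " + statusCode);
        }
    }

    /**
     * Rejects any Issuer that does not exactly equal the configured IdP entity id.
     *
     * <p>A missing Issuer element or an Issuer with no value is rejected with the same exception
     * rather than surfacing as a {@link NullPointerException}.
     *
     * @param issuer Issuer element from a message or assertion; may be {@code null}
     * @throws IdpEntityMismatchException if the value is absent or differs from the configured id
     */
    public void verifyIssuer(Issuer issuer) {
        String expectedEntityId = this.samlConfig.getIdpEntityId();
        String receivedEntityId = issuer == null ? null : issuer.getValue();
        if (receivedEntityId == null || !receivedEntityId.equals(expectedEntityId)) {
            throw new IdpEntityMismatchException("SAML Issuer did not match configured IdP entity Id. Expected " + expectedEntityId + ", received " + receivedEntityId);
        }
    }

    /**
     * Validates an IdP-initiated LogoutRequest: security policy rules first, then the request's
     * XML signature against the configured IdP.
     *
     * <p>Unlike {@link #getTrustedAssertionFromMessage}, the signature check here is
     * unconditional, so an unsigned LogoutRequest is rejected by the signature validator.
     *
     * @param httpServletRequest the request the LogoutRequest arrived on
     * @param samlMessageContextWrapper wrapper around the LogoutRequest message context
     * @throws MessageHandlerException if the signature is missing or does not verify
     * @throws SecurityPolicyViolatedException if the handler chain or endpoint check fails
     * @throws IdpEntityMismatchException if the request Issuer is not the configured IdP
     */
    public void validateLogoutRequest(HttpServletRequest httpServletRequest, SamlMessageContextWrapper<LogoutRequest> samlMessageContextWrapper) throws MessageHandlerException {
        executeSecurityPolicyRules(samlMessageContextWrapper, httpServletRequest);
        this.samlSignatureValidator.verifySignature(this.samlConfig.getIdpEntityId(), (SignableSAMLObject) samlMessageContextWrapper.getMessage());
    }

    /**
     * Legacy assertion selection: returns the first assertion that has at least one
     * AuthnStatement, after checking its Issuer and (if signed) its signature.
     *
     * <p>This path does not run {@link SAML20AssertionValidator}, so conditions such as audience
     * restriction and NotBefore/NotOnOrAfter are not enforced here. Prefer
     * {@link #getFirstValidatedTrustedAssertion}.
     *
     * @param samlMessageContextWrapper wrapper exposing the Response's assertion list
     * @return the first qualifying assertion, or {@code null} if none has an AuthnStatement
     * @throws MessageHandlerException if an assertion signature fails to verify
     * @throws IdpEntityMismatchException if a candidate assertion's Issuer is not the configured IdP
     * @deprecated superseded by {@link #getFirstValidatedTrustedAssertion}
     */
    @Deprecated
    private Assertion getFirstTrustedAssertion(SamlMessageContextWrapper samlMessageContextWrapper) throws MessageHandlerException {
        Iterator<Assertion> assertions = samlMessageContextWrapper.getAssertionList().iterator();
        while (assertions.hasNext()) {
            Assertion candidate = assertions.next();
            if (candidate.getAuthnStatements().isEmpty()) {
                continue;
            }
            verifyIssuer(candidate.getIssuer());
            if (candidate.isSigned()) {
                this.samlSignatureValidator.verifySignature(this.samlConfig.getIdpEntityId(), candidate);
            }
            return candidate;
        }
        return null;
    }

    /**
     * Returns the first assertion that has an AuthnStatement, the expected Issuer, a verifying
     * signature when signed, and a {@link ValidationResult#VALID} result from the OpenSAML
     * assertion validator.
     *
     * <p>Assertions without an AuthnStatement are skipped; assertions that fail OpenSAML validation
     * are skipped and their error text is collected into the exception message. Issuer and
     * signature failures abort immediately rather than moving on to the next assertion.
     *
     * @param samlMessageContextWrapper wrapper exposing the Response's assertion list
     * @return the first assertion passing every check (never {@code null})
     * @throws NoTrustedAssertionException if no assertion passes; the message lists the reasons
     * @throws MessageHandlerException if an assertion signature fails to verify
     * @throws IdpEntityMismatchException if a candidate assertion's Issuer is not the configured IdP
     */
    @VisibleForTesting
    Assertion getFirstValidatedTrustedAssertion(SamlMessageContextWrapper samlMessageContextWrapper) throws MessageHandlerException {
        StringBuilder errors = new StringBuilder();
        Iterator<Assertion> assertions = samlMessageContextWrapper.getAssertionList().iterator();
        while (assertions.hasNext()) {
            Assertion candidate = assertions.next();
            if (candidate.getAuthnStatements().isEmpty()) {
                errors.append("Assertion " + candidate.getID() + " has no AuthnStatement, skipping...");
                continue;
            }
            verifyIssuer(candidate.getIssuer());
            if (candidate.isSigned()) {
                this.samlSignatureValidator.verifySignature(this.samlConfig.getIdpEntityId(), candidate);
            }
            // A fresh ValidationContext per assertion so failure messages do not bleed across candidates.
            SamlAssertionValidatorResult outcome = validateAssertion(candidate, buildContext());
            if (outcome.getResult() == ValidationResult.VALID) {
                return candidate;
            }
            errors.append(outcome.getError());
        }
        throw new NoTrustedAssertionException("SAML Response didn't contain an assertion which passed validation.  Errors: " + errors.toString());
    }

    /**
     * Runs the OpenSAML assertion validator and packages the outcome.
     *
     * @param assertion the assertion to validate
     * @param validationContext parameters for the validator; its failure message is read afterwards
     * @return the validator's result plus its failure message; an
     *     {@link AssertionValidationException} is mapped to {@link ValidationResult#INVALID}
     *     with the exception text as the error, so a validator crash never admits an assertion
     */
    @VisibleForTesting
    SamlAssertionValidatorResult validateAssertion(Assertion assertion, ValidationContext validationContext) {
        try {
            ValidationResult result = this.samlAssertionValidator.validate(assertion, validationContext);
            String failureMessage = validationContext.getValidationFailureMessage();
            if (failureMessage != null && !failureMessage.isEmpty()) {
                LOG.debug(failureMessage);
            }
            return new SamlAssertionValidatorResult(result, failureMessage);
        } catch (AssertionValidationException e) {
            LOG.warn("Unable to validate assertion", e);
            return new SamlAssertionValidatorResult(ValidationResult.INVALID, e.toString());
        }
    }

    /**
     * Builds the OpenSAML validation context: this SP's identity is the only accepted audience and
     * the clock skew is the application-wide constant.
     *
     * @return a new context; callers use one per assertion
     */
    private ValidationContext buildContext() {
        Map<String, Object> parameters = new HashMap<>();
        parameters.put(PARAM_VALID_AUDIENCES, Sets.newHashSet(new String[]{this.samlConfig.getSpIdentity()}));
        parameters.put(PARAM_CLOCK_SKEW, Integer.valueOf(SamlConstants.CLOCK_SKEW_IN_MS));
        return new ValidationContext(parameters);
    }
}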
