package org.springframework.security.saml2.provider.service.authentication;

import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import javax.annotation.Nonnull;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.criterion.ProtocolCriterion;
import org.opensaml.saml.metadata.criteria.role.impl.EvaluableProtocolRoleDescriptorCriterion;
import org.opensaml.saml.saml2.assertion.ConditionValidator;
import org.opensaml.saml.saml2.assertion.SAML20AssertionValidator;
import org.opensaml.saml.saml2.assertion.StatementValidator;
import org.opensaml.saml.saml2.assertion.SubjectConfirmationValidator;
import org.opensaml.saml.saml2.assertion.impl.AudienceRestrictionConditionValidator;
import org.opensaml.saml.saml2.assertion.impl.BearerSubjectConfirmationValidator;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.core.EncryptedID;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialSupport;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.credential.criteria.impl.EvaluableEntityIDCredentialCriterion;
import org.opensaml.security.credential.criteria.impl.EvaluableUsageCredentialCriterion;
import org.opensaml.security.credential.impl.CollectionCredentialResolver;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap;
import org.opensaml.xmlsec.encryption.support.DecryptionException;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver;
import org.opensaml.xmlsec.signature.support.SignaturePrevalidator;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.saml2.Saml2Exception;
import org.springframework.security.saml2.credentials.Saml2X509Credential;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

/* loaded from: input_file:org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.class */
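/**
 * {@link AuthenticationProvider} for SAML 2.0 responses parsed with OpenSAML.
 * <p>
 * Given a {@link Saml2AuthenticationToken}, this provider parses the SAML {@code Response},
 * decrypts any {@code EncryptedAssertion} with the token's decryption credentials, checks the
 * response and/or assertion signatures against the token's verification certificates,
 * compares the response {@code Destination} and {@code Issuer} with the token's recipient URI
 * and IdP entity id, runs OpenSAML's assertion validation (audience restriction and bearer
 * subject confirmation) on every assertion, and finally builds a {@link Saml2Authentication}
 * whose principal is the subject of the first assertion.
 * <p>
 * Validation policy visible in this class: either the response or every assertion must be
 * signed; the {@code Destination} is compared only when the response carries one; the
 * {@code SubjectConfirmationData/@Address} check is disabled; assertion signatures are
 * required only when the response itself is unsigned; the permitted clock skew defaults to
 * five minutes and is configurable through {@link #setResponseTimeValidationSkew(Duration)}.
 * <p>
 * The only mutable state is the configuration set through the setters; all per-request
 * state lives in locals.
 */
public final class OpenSamlAuthenticationProvider implements AuthenticationProvider {

    private static final Log logger = LogFactory.getLog(OpenSamlAuthenticationProvider.class);

    /** Condition validators applied to each assertion: only the AudienceRestriction check. */
    private final List<ConditionValidator> conditions = Collections.singletonList(new AudienceRestrictionConditionValidator());

    /**
     * Bearer subject-confirmation validator with the Address check switched off. Whatever
     * value the {@code Address} attribute carries is accepted without comparison; the other
     * bearer checks implemented by the OpenSAML superclass are left untouched.
     */
    private final SubjectConfirmationValidator subjectConfirmationValidator = new BearerSubjectConfirmationValidator() {
        @Nonnull
        @Override
        protected ValidationResult validateAddress(@Nonnull SubjectConfirmation subjectConfirmation, @Nonnull Assertion assertion, @Nonnull ValidationContext validationContext) {
            // Deliberately always VALID: no client address is available here to compare against.
            return ValidationResult.VALID;
        }
    };

    private final List<SubjectConfirmationValidator> subjects = Collections.singletonList(this.subjectConfirmationValidator);

    /** No statement validators: statement contents are not checked by this provider. */
    private final List<StatementValidator> statements = Collections.emptyList();

    /**
     * Signature profile check handed to the {@link SAML20AssertionValidator}; the same check
     * is applied to the response signature in {@link #validateResponse}.
     */
    private final SignaturePrevalidator signaturePrevalidator = new SAMLSignatureProfileValidator();

    private final OpenSamlImplementation saml = OpenSamlImplementation.getInstance();

    /** Default extractor: every authenticated user receives {@code ROLE_USER}. */
    private Converter<Assertion, Collection<? extends GrantedAuthority>> authoritiesExtractor =
            assertion -> Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER"));

    /** Default mapper: authorities pass through unchanged. */
    private GrantedAuthoritiesMapper authoritiesMapper = collection -> collection;

    /** Clock difference tolerated between IdP and SP when time conditions are evaluated. */
    private Duration responseTimeValidationSkew = Duration.ofMinutes(5);

    /**
     * Sets the converter that derives granted authorities from a validated assertion.
     *
     * @param converter the extractor; must not be {@code null}
     * @throws IllegalArgumentException if {@code converter} is {@code null}
     */
    public void setAuthoritiesExtractor(Converter<Assertion, Collection<? extends GrantedAuthority>> converter) {
        Assert.notNull(converter, "authoritiesExtractor cannot be null");
        this.authoritiesExtractor = converter;
    }

    /**
     * Sets the mapper applied to the extracted authorities before the
     * {@link Saml2Authentication} is created.
     *
     * @param grantedAuthoritiesMapper the mapper; must not be {@code null}
     * @throws IllegalArgumentException if {@code grantedAuthoritiesMapper} is {@code null}
     */
    public void setAuthoritiesMapper(GrantedAuthoritiesMapper grantedAuthoritiesMapper) {
        Assert.notNull(grantedAuthoritiesMapper, "authoritiesMapper cannot be null");
        this.authoritiesMapper = grantedAuthoritiesMapper;
    }

    /**
     * Sets the clock skew tolerated when assertion time conditions are validated.
     * Defaults to five minutes.
     *
     * @param duration the skew; must not be {@code null}
     * @throws IllegalArgumentException if {@code duration} is {@code null}
     */
    public void setResponseTimeValidationSkew(Duration duration) {
        // Checked here rather than failing with an NPE inside buildValidationContext.
        Assert.notNull(duration, "responseTimeValidationSkew cannot be null");
        this.responseTimeValidationSkew = duration;
    }

    /**
     * Validates the SAML response carried by the token and returns the resulting
     * {@link Saml2Authentication}.
     *
     * @param authentication a {@link Saml2AuthenticationToken}
     * @return the authenticated principal built from the first validated assertion
     * @throws Saml2AuthenticationException with a specific {@code Saml2Error} code for any
     *         validation failure, or {@code INTERNAL_VALIDATION_ERROR} for any other failure
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        try {
            Saml2AuthenticationToken token = (Saml2AuthenticationToken) authentication;
            Response response = parse(token.getSaml2Response());
            // Every assertion is validated; only the first one is used to derive the principal.
            Assertion assertion = validateResponse(token, response).get(0);
            String username = getUsername(token, assertion);
            return new Saml2Authentication(
                    new SimpleSaml2AuthenticatedPrincipal(username),
                    token.getSaml2Response(),
                    this.authoritiesMapper.mapAuthorities(getAssertionAuthorities(assertion)));
        } catch (Saml2AuthenticationException e) {
            // Already carries a specific error code; must be caught before the generic handler
            // below, otherwise it would be re-wrapped as an internal error.
            throw e;
        } catch (Exception e) {
            // ClassCastException, NPE, OpenSAML runtime failures, ...: report as internal error.
            throw authException(Saml2ErrorCodes.INTERNAL_VALIDATION_ERROR, e.getMessage(), e);
        }
    }

    /**
     * @return {@code true} for {@link Saml2AuthenticationToken} and its subclasses
     */
    @Override
    public boolean supports(Class<?> cls) {
        return cls != null && Saml2AuthenticationToken.class.isAssignableFrom(cls);
    }

    /** Applies the configured extractor; the mapper is applied by the caller. */
    private Collection<? extends GrantedAuthority> getAssertionAuthorities(Assertion assertion) {
        return this.authoritiesExtractor.convert(assertion);
    }

    /**
     * Parses the raw SAML XML into a {@link Response}.
     *
     * @param xml the SAML response document as received from the IdP
     * @return the parsed response
     * @throws Saml2AuthenticationException {@code MALFORMED_RESPONSE_DATA} if the XML cannot be
     *         resolved, {@code UNKNOWN_RESPONSE_CLASS} if it resolves to something other than a
     *         {@code Response}
     */
    private Response parse(String xml) throws Saml2Exception, Saml2AuthenticationException {
        try {
            Object parsed = this.saml.resolve(xml);
            if (parsed instanceof Response) {
                return (Response) parsed;
            }
            // Guard against a null result so the error is reported with the proper code
            // instead of surfacing as an NPE wrapped in INTERNAL_VALIDATION_ERROR.
            String actualClass = (parsed != null) ? parsed.getClass().getName() : "null";
            throw authException(Saml2ErrorCodes.UNKNOWN_RESPONSE_CLASS, "Invalid response class:" + actualClass);
        } catch (Saml2Exception e) {
            throw authException(Saml2ErrorCodes.MALFORMED_RESPONSE_DATA, e.getMessage(), e);
        }
    }

    /**
     * Validates the response and all of its (decrypted) assertions.
     * <p>
     * Order of checks: decrypt encrypted assertions, require at least one assertion, require
     * the response or every assertion to be signed, verify the response signature (profile and
     * trust) when present, compare Destination and Issuer with the token, then run the
     * OpenSAML assertion validator on each assertion. Failures after the signature-presence
     * check are collected by error code and the first collected one is thrown.
     *
     * @param token  the token holding the expected IdP entity id, recipient URI and credentials
     * @param response the parsed response
     * @return the assertions that passed validation (never empty)
     * @throws Saml2AuthenticationException on the first validation failure found
     */
    private List<Assertion> validateResponse(Saml2AuthenticationToken token, Response response) throws Saml2AuthenticationException {
        List<Assertion> validAssertions = new ArrayList<>();
        String issuer = response.getIssuer().getValue();
        if (logger.isDebugEnabled()) {
            logger.debug("Validating SAML response from " + issuer);
        }
        // Decrypt before any signature check: an undecryptable assertion fails the whole response.
        List<Assertion> assertions = new ArrayList<>(response.getAssertions());
        for (EncryptedAssertion encryptedAssertion : response.getEncryptedAssertions()) {
            assertions.add(decrypt(token, encryptedAssertion));
        }
        if (assertions.isEmpty()) {
            throw authException(Saml2ErrorCodes.MALFORMED_RESPONSE_DATA, "No assertions found in response.");
        }
        if (!isSigned(response, assertions)) {
            throw authException(Saml2ErrorCodes.INVALID_SIGNATURE, "Either the response or one of the assertions is unsigned. Please either sign the response or all of the assertions.");
        }
        SignatureTrustEngine trustEngine = buildSignatureTrustEngine(token);
        // Keyed by error code: a later failure with the same code replaces the earlier one, and
        // only one entry (in HashMap iteration order, not detection order) reaches the caller.
        Map<String, Saml2AuthenticationException> validationErrors = new HashMap<>();
        if (response.isSigned()) {
            // 1) structural check of the XML Signature against the SAML profile
            try {
                new SAMLSignatureProfileValidator().validate(response.getSignature());
            } catch (Exception e) {
                validationErrors.put(Saml2ErrorCodes.INVALID_SIGNATURE, authException(Saml2ErrorCodes.INVALID_SIGNATURE, "Invalid signature for SAML Response [" + response.getID() + "]", e));
            }
            // 2) trust check: the signing key must match one of the configured verification
            //    certificates. The lookup uses the (not yet verified) Issuer from the response;
            //    the candidate credentials are tagged with the configured IdP entity id in
            //    buildSignatureTrustEngine.
            try {
                CriteriaSet criteriaSet = new CriteriaSet();
                criteriaSet.add(new EvaluableEntityIDCredentialCriterion(new EntityIdCriterion(issuer)));
                criteriaSet.add(new EvaluableProtocolRoleDescriptorCriterion(new ProtocolCriterion("urn:oasis:names:tc:SAML:2.0:protocol")));
                criteriaSet.add(new EvaluableUsageCredentialCriterion(new UsageCriterion(UsageType.SIGNING)));
                if (!trustEngine.validate(response.getSignature(), criteriaSet)) {
                    validationErrors.put(Saml2ErrorCodes.INVALID_SIGNATURE, authException(Saml2ErrorCodes.INVALID_SIGNATURE, "Invalid signature for SAML Response [" + response.getID() + "]"));
                }
            } catch (Exception e) {
                validationErrors.put(Saml2ErrorCodes.INVALID_SIGNATURE, authException(Saml2ErrorCodes.INVALID_SIGNATURE, "Invalid signature for SAML Response [" + response.getID() + "]", e));
            }
        }
        // Destination is optional in the response and only compared when present.
        String destination = response.getDestination();
        if (StringUtils.hasText(destination) && !destination.equals(token.getRecipientUri())) {
            validationErrors.put(Saml2ErrorCodes.INVALID_DESTINATION, authException(Saml2ErrorCodes.INVALID_DESTINATION, "Invalid destination [" + destination + "] for SAML response [" + response.getID() + "]"));
        }
        // Issuer is mandatory and must equal the IdP entity id the token was issued for.
        if (!StringUtils.hasText(issuer) || !issuer.equals(token.getIdpEntityId())) {
            validationErrors.put(Saml2ErrorCodes.INVALID_ISSUER, authException(Saml2ErrorCodes.INVALID_ISSUER, String.format("Invalid issuer [%s] for SAML response [%s]", issuer, response.getID())));
        }
        SAML20AssertionValidator assertionValidator = buildSamlAssertionValidator(trustEngine);
        // One context instance is shared by all assertions of this response.
        ValidationContext validationContext = buildValidationContext(token, response);
        if (logger.isDebugEnabled()) {
            logger.debug("Validating " + assertions.size() + " assertions");
        }
        for (Assertion assertion : assertions) {
            if (logger.isTraceEnabled()) {
                logger.trace("Validating assertion " + assertion.getID());
            }
            try {
                validAssertions.add(validateAssertion(assertion, assertionValidator, validationContext));
            } catch (Exception e) {
                validationErrors.put(Saml2ErrorCodes.INVALID_ASSERTION, authException(Saml2ErrorCodes.INVALID_ASSERTION, String.format("Invalid assertion [%s] for SAML response [%s]", assertion.getID(), response.getID()), e));
            }
        }
        if (validationErrors.isEmpty()) {
            if (logger.isDebugEnabled()) {
                logger.debug("Successfully validated SAML Response [" + response.getID() + "]");
            }
        } else if (logger.isTraceEnabled()) {
            // Trace output includes the collected exceptions (and thus the offending values).
            logger.trace("Found " + validationErrors.size() + " validation errors in SAML response [" + response.getID() + "]: " + validationErrors.values());
        } else if (logger.isDebugEnabled()) {
            logger.debug("Found " + validationErrors.size() + " validation errors in SAML response [" + response.getID() + "]");
        }
        if (!validationErrors.isEmpty()) {
            throw validationErrors.values().iterator().next();
        }
        if (validAssertions.isEmpty()) {
            throw authException(Saml2ErrorCodes.MALFORMED_RESPONSE_DATA, "No valid assertions found in response.");
        }
        return validAssertions;
    }

    /**
     * Signature-presence policy: a signed response is sufficient; otherwise every assertion
     * must carry its own signature. Only presence is checked here, not validity.
     */
    private boolean isSigned(Response response, List<Assertion> assertions) {
        if (response.isSigned()) {
            return true;
        }
        for (Assertion assertion : assertions) {
            if (!assertion.isSigned()) {
                return false;
            }
        }
        return true;
    }

    /**
     * Builds an explicit-key trust engine over the token's signature-verification
     * certificates. Each certificate is wrapped as a SIGNING credential tagged with the
     * configured IdP entity id, so it can be resolved by the entity-id/usage criteria used in
     * {@link #validateResponse}.
     */
    private SignatureTrustEngine buildSignatureTrustEngine(Saml2AuthenticationToken token) {
        // Collection<Credential> rather than Set<BasicX509Credential>: the resolver's
        // constructor takes the invariant Collection<Credential>.
        Collection<Credential> credentials = new HashSet<>();
        for (X509Certificate certificate : getVerificationCertificates(token)) {
            BasicX509Credential credential = new BasicX509Credential(certificate);
            credential.setUsageType(UsageType.SIGNING);
            credential.setEntityId(token.getIdpEntityId());
            credentials.add(credential);
        }
        return new ExplicitKeySignatureTrustEngine(new CollectionCredentialResolver(credentials), DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());
    }

    /**
     * Builds the OpenSAML validation parameters for the assertions of one response:
     * assertion signatures are required only when the response is unsigned, the clock skew is
     * passed in milliseconds, the SP entity id is the only valid audience, and the recipient
     * URI (when configured) is the only valid subject-confirmation recipient.
     */
    private ValidationContext buildValidationContext(Saml2AuthenticationToken token, Response response) {
        Map<String, Object> params = new HashMap<>();
        // Mirrors the isSigned() policy: unsigned response => each assertion must be signed.
        params.put("saml2.SignatureRequired", Boolean.valueOf(!response.isSigned()));
        params.put("saml2.ClockSkew", Long.valueOf(this.responseTimeValidationSkew.toMillis()));
        params.put("saml2.Conditions.ValidAudiences", Collections.singleton(token.getLocalSpEntityId()));
        if (StringUtils.hasText(token.getRecipientUri())) {
            params.put("saml2.SubjectConfirmation.ValidRecipients", Collections.singleton(token.getRecipientUri()));
        }
        return new ValidationContext(params);
    }

    /** Assembles the assertion validator from the configured validators and the trust engine. */
    private SAML20AssertionValidator buildSamlAssertionValidator(SignatureTrustEngine signatureTrustEngine) {
        return new SAML20AssertionValidator(this.conditions, this.subjects, this.statements, signatureTrustEngine, this.signaturePrevalidator);
    }

    /**
     * Runs the OpenSAML validator on one assertion.
     *
     * @return the same assertion when validation reports {@code VALID}
     * @throws Saml2Exception when the result is not {@code VALID} (message taken from the
     *         context) or when the validator itself throws
     */
    private Assertion validateAssertion(Assertion assertion, SAML20AssertionValidator assertionValidator, ValidationContext validationContext) {
        try {
            if (assertionValidator.validate(assertion, validationContext) != ValidationResult.VALID) {
                throw new Saml2Exception("An error occurred while validating the assertion: " + validationContext.getValidationFailureMessage());
            }
            return assertion;
        } catch (Exception e) {
            throw new Saml2Exception("An error occurred while validation the assertion", e);
        }
    }

    /**
     * Decrypts an assertion, trying each of the token's decryption credentials in order
     * and returning the first successful result.
     *
     * @throws Saml2AuthenticationException {@code DECRYPTION_ERROR} when no decryption
     *         credential is configured or none of them could decrypt the assertion (the last
     *         failure is reported)
     */
    private Assertion decrypt(Saml2AuthenticationToken token, EncryptedAssertion encryptedAssertion) throws Saml2AuthenticationException {
        List<Saml2X509Credential> decryptionCredentials = getDecryptionCredentials(token);
        if (decryptionCredentials.isEmpty()) {
            throw authException(Saml2ErrorCodes.DECRYPTION_ERROR, "No valid decryption credentials found.");
        }
        Saml2AuthenticationException lastFailure = null;
        for (Saml2X509Credential credential : decryptionCredentials) {
            try {
                return getDecrypter(credential).decrypt(encryptedAssertion);
            } catch (DecryptionException e) {
                lastFailure = authException(Saml2ErrorCodes.DECRYPTION_ERROR, e.getMessage(), e);
            }
        }
        // Non-null: the list is non-empty and every iteration either returned or set this.
        throw lastFailure;
    }

    /**
     * Builds a decrypter whose key-encryption-key resolver holds the given credential's
     * private key; the encrypted-key resolver comes from the OpenSAML implementation.
     */
    private Decrypter getDecrypter(Saml2X509Credential credential) {
        Decrypter decrypter = new Decrypter(
                (KeyInfoCredentialResolver) null,
                new StaticKeyInfoCredentialResolver(CredentialSupport.getSimpleCredential(credential.getCertificate(), credential.getPrivateKey())),
                this.saml.getEncryptedKeyResolver());
        // Decrypted element is rooted in its own DOM document rather than the response's.
        decrypter.setRootInNewDocument(true);
        return decrypter;
    }

    /** @return the token's credentials flagged for decryption, in the token's order */
    private List<Saml2X509Credential> getDecryptionCredentials(Saml2AuthenticationToken token) {
        List<Saml2X509Credential> result = new ArrayList<>();
        for (Saml2X509Credential credential : token.getX509Credentials()) {
            if (credential.isDecryptionCredential()) {
                result.add(credential);
            }
        }
        return result;
    }

    /** @return the certificates of the token's credentials flagged for signature verification */
    private List<X509Certificate> getVerificationCertificates(Saml2AuthenticationToken token) {
        List<X509Certificate> result = new ArrayList<>();
        for (Saml2X509Credential credential : token.getX509Credentials()) {
            if (credential.isSignatureVerficationCredential()) {
                result.add(credential.getCertificate());
            }
        }
        return result;
    }

    /**
     * Extracts the user identifier from the assertion's subject: the plain {@code NameID}
     * value, or the decrypted {@code EncryptedID} value when no plain one is present.
     *
     * @throws Saml2AuthenticationException {@code SUBJECT_NOT_FOUND} without a subject,
     *         {@code USERNAME_NOT_FOUND} when neither identifier yields a value
     */
    private String getUsername(Saml2AuthenticationToken token, Assertion assertion) throws Saml2AuthenticationException {
        Subject subject = assertion.getSubject();
        if (subject == null) {
            throw authException(Saml2ErrorCodes.SUBJECT_NOT_FOUND, "Assertion [" + assertion.getID() + "] is missing a subject");
        }
        String username = null;
        if (subject.getNameID() != null) {
            username = subject.getNameID().getValue();
        } else if (subject.getEncryptedID() != null) {
            username = decrypt(token, subject.getEncryptedID()).getValue();
        }
        if (username == null) {
            throw authException(Saml2ErrorCodes.USERNAME_NOT_FOUND, "Assertion [" + assertion.getID() + "] is missing a user identifier");
        }
        return username;
    }

    /**
     * Decrypts an {@code EncryptedID}; same credential iteration and error reporting as
     * {@link #decrypt(Saml2AuthenticationToken, EncryptedAssertion)}.
     */
    private NameID decrypt(Saml2AuthenticationToken token, EncryptedID encryptedID) throws Saml2AuthenticationException {
        List<Saml2X509Credential> decryptionCredentials = getDecryptionCredentials(token);
        if (decryptionCredentials.isEmpty()) {
            throw authException(Saml2ErrorCodes.DECRYPTION_ERROR, "No valid decryption credentials found.");
        }
        Saml2AuthenticationException lastFailure = null;
        for (Saml2X509Credential credential : decryptionCredentials) {
            try {
                return getDecrypter(credential).decrypt(encryptedID);
            } catch (DecryptionException e) {
                lastFailure = authException(Saml2ErrorCodes.DECRYPTION_ERROR, e.getMessage(), e);
            }
        }
        // Non-null: the list is non-empty and every iteration either returned or set this.
        throw lastFailure;
    }

    private Saml2Error validationError(String code, String description) {
        return new Saml2Error(code, description);
    }

    /** Creates (does not throw) an authentication exception for the given error code. */
    private Saml2AuthenticationException authException(String code, String description) throws Saml2AuthenticationException {
        return new Saml2AuthenticationException(validationError(code, description));
    }

    /** Creates (does not throw) an authentication exception carrying {@code cause}. */
    private Saml2AuthenticationException authException(String code, String description, Exception cause) throws Saml2AuthenticationException {
        return new Saml2AuthenticationException(validationError(code, description), cause);
    }
}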
