package org.wso2.carbon.identity.sso.saml.validators;

import java.util.ArrayList;
import java.util.List;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.common.SAMLVersion;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.Subject;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
import org.wso2.carbon.identity.sso.saml.SAMLSSOConstants;
import org.wso2.carbon.identity.sso.saml.SSOServiceProviderConfigManager;
import org.wso2.carbon.identity.sso.saml.builders.ErrorResponseBuilder;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOReqValidationResponseDTO;
import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;

/* loaded from: input_file:org/wso2/carbon/identity/sso/saml/validators/SPInitSSOAuthnRequestValidator.class */
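public class SPInitSSOAuthnRequestValidator {
    private static final Log log = LogFactory.getLog(SPInitSSOAuthnRequestValidator.class);

    /**
     * The only Issuer Format that SAML 2.0 Core permits on the Issuer of an AuthnRequest:
     * when the Format attribute is present it must carry this value, when absent it is implied.
     */
    private static final String ISSUER_FORMAT_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity";

    AuthnRequest authnReq;

    /**
     * Wraps a parsed, SP-initiated AuthnRequest for validation.
     *
     * Nothing in this class verifies the request signature or the Destination; those checks must
     * be done by the caller before the result of {@link #validate()} is trusted.
     *
     * @param authnRequest the parsed AuthnRequest (must not be null)
     */
    public SPInitSSOAuthnRequestValidator(AuthnRequest authnRequest) throws IdentityException {
        this.authnReq = authnRequest;
    }

    /**
     * Runs the structural checks on the AuthnRequest and reports the outcome in a DTO.
     *
     * On success the DTO is marked valid and carries the issuer, subject (if any), request ID,
     * requested ACS URL, Destination and IsPassive flag copied from the request. On the first
     * failed check the DTO is marked invalid and carries an encoded SAML error Response whose
     * InResponseTo is the request ID.
     *
     * @return the validation result; never null
     * @throws IdentityException if building or encoding the error Response fails, or an unexpected
     *                           error occurs while reading the request
     */
    public SAMLSSOReqValidationResponseDTO validate() throws IdentityException {
        try {
            SAMLSSOReqValidationResponseDTO result = new SAMLSSOReqValidationResponseDTO();

            // 1. Protocol version. Constant-first equals() turns a missing version into a
            //    VersionMismatch error instead of a NullPointerException.
            if (!SAMLVersion.VERSION_20.equals(this.authnReq.getVersion())) {
                if (log.isDebugEnabled()) {
                    log.debug("Invalid version in the SAMLRequest" + this.authnReq.getVersion());
                }
                return reject(result, SAMLSSOConstants.StatusCodes.VERSION_MISMATCH,
                        "Invalid SAML Version in Authentication Request. SAML Version should be equal to 2.0");
            }

            // 2. Issuer: the element value, falling back to SPProvidedID. A missing <Issuer> element is
            //    now a requester error instead of a NullPointerException surfacing as IdentityException.
            Issuer issuer = this.authnReq.getIssuer();
            String issuerId = resolveIssuerId(issuer);
            if (issuerId == null) {
                log.debug("SAML Request issuer validation failed. Issuer should not be empty");
                return reject(result, SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                        "Issuer/ProviderName should not be empty in the Authentication Request.");
            }
            result.setIssuer(issuerId);

            // 3. Issuer Format, when present, must be the entity format. The earlier condition was
            //    inverted: it rejected exactly the spec-mandated value and let any other value through.
            String issuerFormat = issuer.getFormat();
            if (issuerFormat != null && !ISSUER_FORMAT_ENTITY.equals(issuerFormat)) {
                if (log.isDebugEnabled()) {
                    log.debug("Invalid Issuer Format attribute value " + issuerFormat);
                }
                return reject(result, SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                        "Issuer Format attribute value is invalid");
            }

            // 4. Registered service provider, looked up by the same identifier recorded on the DTO.
            //    (Previously the lookup used issuer.getValue() even when SPProvidedID had been the
            //    source of the identifier, i.e. it looked up a null key.)
            SAMLSSOServiceProviderDO serviceProvider =
                    SSOServiceProviderConfigManager.getInstance().getServiceProvider(issuerId);
            String registeredAcsUrl = null;
            if (serviceProvider != null) {
                result.setLoginPageURL(serviceProvider.getLoginPageURL());
                registeredAcsUrl = serviceProvider.getAssertionConsumerUrl();
            }

            // NOTE(review): an issuer with no registered service provider, or a request that omits
            // AssertionConsumerServiceURL, is not rejected here; it is returned as valid with the
            // request's ACS URL copied through in step 6. The caller is presumably the one that
            // refuses unknown issuers and never delivers a Response to an unregistered ACS URL —
            // confirm that holds for every caller of this validator.
            String requestedAcsUrl = this.authnReq.getAssertionConsumerServiceURL();
            if (registeredAcsUrl != null && requestedAcsUrl != null && !requestedAcsUrl.equals(registeredAcsUrl)) {
                // Both values come straight from the request; strip line breaks so a hostile SP
                // cannot forge additional log records through this error line.
                log.error("Invalid ACS URL value " + logSafe(requestedAcsUrl)
                        + " in the AuthnRequest message from " + logSafe(serviceProvider.getIssuer())
                        + "\nPossibly an attempt for a spoofing attack from Provider " + logSafe(issuerId));
                return reject(result, SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                        "Invalid Assertion Consumer Service URL in the Authentication Request.");
            }

            // 5. Subject: the request may name a subject but must not carry SubjectConfirmation
            //    elements. Test for a non-empty list rather than a non-null one: an empty child list
            //    holds no confirmation method, and the old null check both rejected such requests and
            //    would have thrown on get(0) while logging.
            Subject subject = this.authnReq.getSubject();
            if (subject != null) {
                if (subject.getSubjectConfirmations() != null && !subject.getSubjectConfirmations().isEmpty()) {
                    if (log.isDebugEnabled()) {
                        log.debug("Invalid Request message. A Subject confirmation method found "
                                + subject.getSubjectConfirmations().get(0));
                    }
                    return reject(result, SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                            "Subject Confirmation methods should NOT be in the request.");
                }
                if (subject.getNameID() != null) {
                    result.setSubject(subject.getNameID().getValue());
                }
            }

            // 6. Carry over the request attributes the caller needs to build the Response.
            //    Destination is copied, not checked against this IdP's endpoint.
            result.setId(this.authnReq.getID());
            result.setAssertionConsumerURL(requestedAcsUrl);
            result.setDestination(this.authnReq.getDestination());
            // Boolean.TRUE.equals() treats an absent IsPassive as false instead of unboxing null.
            result.setPassive(Boolean.TRUE.equals(this.authnReq.isPassive()));
            result.setValid(true);
            if (log.isDebugEnabled()) {
                log.debug("Authentication Request Validation is successful..");
            }
            return result;
        } catch (Exception e) {
            throw new IdentityException("Error validating the authentication request", e);
        }
    }

    /**
     * Returns the identifier to use for the requesting SP: the Issuer value if set, otherwise its
     * SPProvidedID, otherwise null (also when the Issuer element itself is absent).
     */
    private static String resolveIssuerId(Issuer issuer) {
        if (issuer == null) {
            return null;
        }
        if (issuer.getValue() != null) {
            return issuer.getValue();
        }
        return issuer.getSPProvidedID();
    }

    /**
     * Replaces CR and LF in a request-supplied value before it is written to the log, so the value
     * cannot inject fake log lines. Null is passed through so concatenation prints "null" as before.
     */
    private static String logSafe(String value) {
        if (value == null) {
            return null;
        }
        return value.replace('\r', '_').replace('\n', '_');
    }

    /**
     * Marks the result invalid and attaches an encoded error Response for the given status code
     * and message.
     *
     * @return the same result object, for use in a return statement
     * @throws Exception if the error Response cannot be built or encoded
     */
    private SAMLSSOReqValidationResponseDTO reject(SAMLSSOReqValidationResponseDTO result, String statusCode,
                                                  String statusMessage) throws Exception {
        result.setResponse(buildErrorResponse(statusCode, statusMessage));
        result.setValid(false);
        return result;
    }

    /**
     * Builds a SAML error Response (InResponseTo = this request's ID) with a single status code and
     * the given status message, marshalled and encoded for transport.
     *
     * @param statusCode    the SAML status code URI
     * @param statusMessage the human-readable status message
     * @return the encoded Response
     * @throws Exception if building, marshalling or encoding fails
     */
    private String buildErrorResponse(String statusCode, String statusMessage) throws Exception {
        ErrorResponseBuilder errorResponseBuilder = new ErrorResponseBuilder();
        List<String> statusCodes = new ArrayList<String>();
        statusCodes.add(statusCode);
        return SAMLSSOUtil.encode(SAMLSSOUtil.marshall(
                errorResponseBuilder.buildResponse(this.authnReq.getID(), statusCodes, statusMessage)));
    }
}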
