package org.wso2.carbon.idp.mgt.util;

import edu.emory.mathcs.backport.java.util.Arrays;
import java.io.ByteArrayInputStream;
import java.nio.charset.Charset;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.Response;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.util.Base64;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Element;
import org.wso2.carbon.idp.mgt.dto.TrustedIdPDTO;
import org.wso2.carbon.idp.mgt.exception.IdentityProviderMgtException;
import org.wso2.carbon.idp.mgt.util.IdentityProviderMgtConstants;

/* loaded from: input_file:org/wso2/carbon/idp/mgt/util/SAMLValidator.class */
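/**
 * Validates Base64 encoded SAML 2.0 Responses and Assertions received from a trusted identity
 * provider.
 *
 * <p>A message is accepted only when every enabled check passes: the assertion issuer matches
 * the configured IdP, a subject NameID is present, every expected audience appears in the
 * assertion's AudienceRestrictions, and - when requested - the XML signatures of the Response
 * and/or Assertion verify against the IdP's configured certificate. The outcome of each check
 * gates the final result; a failing check is never ignored.
 *
 * <p>The DOM parser used for unmarshalling is configured with DTD processing and external entity
 * resolution disabled, because the XML is supplied by a remote party.
 *
 * <p>Scope notes: only the cryptographic signature is verified (OpenSAML
 * {@link SignatureValidator}); no SAML signature-profile validation is performed here, encrypted
 * assertions are not handled, only the first assertion of a Response is examined, and the
 * Conditions time window (NotBefore / NotOnOrAfter) is not enforced by this class. Callers
 * should confirm those aspects are covered elsewhere.
 *
 * <p>All methods are static and thread-safe; OpenSAML is bootstrapped once per class.
 */
public class SAMLValidator {

    private static final Log log = LogFactory.getLog(SAMLValidator.class);

    /** Charset used for the byte/String round trip of the decoded XML (assumes UTF-8 input). */
    private static final Charset UTF8 = Charset.forName("UTF-8");

    // Parser feature URIs used to disable DTD and external-entity processing.
    private static final String FEATURE_DISALLOW_DOCTYPE =
            "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String FEATURE_EXTERNAL_GENERAL_ENTITIES =
            "http://xml.org/sax/features/external-general-entities";
    private static final String FEATURE_EXTERNAL_PARAMETER_ENTITIES =
            "http://xml.org/sax/features/external-parameter-entities";
    private static final String FEATURE_LOAD_EXTERNAL_DTD =
            "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /** Whether {@link DefaultBootstrap#bootstrap()} has completed; guarded by the class monitor. */
    private static boolean bootstrapped = false;

    /**
     * Validates a Base64 encoded SAML 2.0 Response.
     *
     * @param trustedIdPDTO configuration of the IdP expected to have issued the Response
     * @param encodedResponse Base64 encoded SAML Response XML
     * @param audiences additional audience URIs that must appear in the assertion, on top of those
     *                  configured on {@code trustedIdPDTO}; may be {@code null}
     * @param checkResponseSignature whether a signature on the Response element is required and
     *                               verified against the IdP certificate
     * @param checkAssertionSignature whether a signature on the Assertion element is required and
     *                                verified against the IdP certificate
     * @return {@code true} only if every enabled check passed; {@code false} otherwise, including
     *         for a Responder/NoPassive status, a missing assertion or an unloadable IdP certificate
     * @throws IdentityProviderMgtException if OpenSAML cannot be bootstrapped or the XML cannot be
     *                                      parsed or unmarshalled
     */
    public static boolean validateSAMLResponse(TrustedIdPDTO trustedIdPDTO, String encodedResponse,
                                               String[] audiences, boolean checkResponseSignature,
                                               boolean checkAssertionSignature)
            throws IdentityProviderMgtException {
        ensureBootstrapped();
        if (encodedResponse == null || encodedResponse.isEmpty()) {
            debug("SAML Response string is empty");
            return false;
        }
        if (log.isDebugEnabled()) {
            log.debug("Encoded SAML Response string: " + encodedResponse);
        }
        XMLObject xmlObject = unmarshall(decodeBase64(encodedResponse));
        if (!(xmlObject instanceof Response)) {
            debug("Decoded document is not a SAML Response");
            return false;
        }
        Response response = (Response) xmlObject;
        if (isNoPassiveResponse(response)) {
            return false;
        }
        Assertion assertion = firstAssertion(response);
        if (assertion == null) {
            debug("SAML Assertion not found in the Response");
            return false;
        }
        if (!validateIssuerAndSubject(assertion, trustedIdPDTO)) {
            return false;
        }
        if (!validateAudienceRestriction(assertion, trustedIdPDTO, audiences)) {
            return false;
        }
        // The certificate is loaded even when no signature check is enabled so that a
        // mis-configured IdP (no loadable certificate) is rejected, as before.
        Credential credential = loadIdPCredential(trustedIdPDTO);
        if (credential == null) {
            return false;
        }
        if (checkResponseSignature && !validateResponseSignature(response, credential)) {
            return false;
        }
        return !checkAssertionSignature || validateAssertionSignature(assertion, credential);
    }

    /**
     * Validates a Base64 encoded SAML 2.0 Assertion.
     *
     * @param trustedIdPDTO configuration of the IdP expected to have issued the Assertion
     * @param encodedAssertion Base64 encoded SAML Assertion XML
     * @param audiences additional audience URIs that must appear in the assertion, on top of those
     *                  configured on {@code trustedIdPDTO}; may be {@code null}
     * @param checkAssertionSignature whether a signature on the Assertion element is required and
     *                                verified against the IdP certificate
     * @return {@code true} only if every enabled check passed; {@code false} otherwise
     * @throws IdentityProviderMgtException if OpenSAML cannot be bootstrapped or the XML cannot be
     *                                      parsed or unmarshalled
     */
    public static boolean validateSAMLAssertion(TrustedIdPDTO trustedIdPDTO, String encodedAssertion,
                                                String[] audiences, boolean checkAssertionSignature)
            throws IdentityProviderMgtException {
        ensureBootstrapped();
        if (encodedAssertion == null || encodedAssertion.isEmpty()) {
            debug("SAML Assertion string is empty");
            return false;
        }
        if (log.isDebugEnabled()) {
            log.debug("Encoded SAML Assertion string: " + encodedAssertion);
        }
        XMLObject xmlObject = unmarshall(decodeBase64(encodedAssertion));
        if (!(xmlObject instanceof Assertion)) {
            debug("Decoded document is not a SAML Assertion");
            return false;
        }
        Assertion assertion = (Assertion) xmlObject;
        if (!validateIssuerAndSubject(assertion, trustedIdPDTO)) {
            return false;
        }
        if (!validateAudienceRestriction(assertion, trustedIdPDTO, audiences)) {
            return false;
        }
        Credential credential = loadIdPCredential(trustedIdPDTO);
        if (credential == null) {
            return false;
        }
        return !checkAssertionSignature || validateAssertionSignature(assertion, credential);
    }

    /**
     * Bootstraps OpenSAML exactly once. The thread context class loader is swapped to this class's
     * loader for the duration of the bootstrap, as the original code did (presumably so OpenSAML can
     * locate its configuration resources), and always restored afterwards.
     *
     * @throws IdentityProviderMgtException if OpenSAML reports a configuration error
     */
    private static synchronized void ensureBootstrapped() throws IdentityProviderMgtException {
        if (bootstrapped) {
            return;
        }
        Thread thread = Thread.currentThread();
        ClassLoader originalLoader = thread.getContextClassLoader();
        thread.setContextClassLoader(SAMLValidator.class.getClassLoader());
        try {
            DefaultBootstrap.bootstrap();
            bootstrapped = true;
        } catch (ConfigurationException e) {
            log.error("Error bootstrapping OpenSAML library", e);
            throw new IdentityProviderMgtException("Error bootstrapping OpenSAML library");
        } finally {
            thread.setContextClassLoader(originalLoader);
        }
    }

    /**
     * Returns {@code true} when the Response carries a top-level IDENTITY_PROVIDER_ERROR status
     * with a nested NO_PASSIVE status code, i.e. the IdP declined a passive request.
     */
    private static boolean isNoPassiveResponse(Response response) {
        if (response.getStatus() == null
                || response.getStatus().getStatusCode() == null
                || response.getStatus().getStatusCode().getStatusCode() == null) {
            return false;
        }
        String topLevel = response.getStatus().getStatusCode().getValue();
        String nested = response.getStatus().getStatusCode().getStatusCode().getValue();
        return IdentityProviderMgtConstants.StatusCodes.IDENTITY_PROVIDER_ERROR.equals(topLevel)
                && IdentityProviderMgtConstants.StatusCodes.NO_PASSIVE.equals(nested);
    }

    /**
     * Returns the first Assertion of the Response, or {@code null} if there is none. Any further
     * assertions are ignored, matching the original behaviour.
     */
    private static Assertion firstAssertion(Response response) {
        List<Assertion> assertions = response.getAssertions();
        if (assertions == null || assertions.isEmpty()) {
            return null;
        }
        return assertions.get(0);
    }

    /**
     * Checks that the assertion's Issuer equals the configured IdP issuer id and that the Subject
     * carries a NameID value.
     *
     * @return {@code true} if both checks pass
     */
    private static boolean validateIssuerAndSubject(Assertion assertion, TrustedIdPDTO trustedIdPDTO) {
        String expectedIssuer = trustedIdPDTO.getIdPIssuerId();
        if (assertion.getIssuer() == null
                || expectedIssuer == null
                || !expectedIssuer.equals(assertion.getIssuer().getValue())) {
            debug("Invalid IssuerId");
            return false;
        }
        String subjectName = null;
        if (assertion.getSubject() != null && assertion.getSubject().getNameID() != null) {
            subjectName = assertion.getSubject().getNameID().getValue();
        }
        if (subjectName == null) {
            debug("SAML Response does not contain the name of the subject");
            return false;
        }
        return true;
    }

    /**
     * Loads the IdP's configured certificate and wraps it as a signing credential.
     *
     * @return the credential, or {@code null} if the certificate could not be retrieved
     */
    private static Credential loadIdPCredential(TrustedIdPDTO trustedIdPDTO) {
        try {
            X509Certificate certificate =
                    (X509Certificate) IdentityProviderMgtUtil.getCertificate(trustedIdPDTO.getPublicCert());
            return new X509CredentialImpl(certificate);
        } catch (IdentityProviderMgtException e) {
            if (log.isDebugEnabled()) {
                log.debug("Error while retrieving trusted certificate of IdP "
                        + trustedIdPDTO.getIdPIssuerId(), e);
            }
            return null;
        }
    }

    /** Base64-decodes the message and interprets the bytes as UTF-8 text. */
    private static String decodeBase64(String encoded) {
        return new String(Base64.decode(encoded), UTF8);
    }

    /**
     * Parses the XML with a hardened DOM parser and unmarshalls it into an OpenSAML object.
     *
     * @param xml the (possibly HTML-escaped) SAML XML document
     * @return the unmarshalled root object
     * @throws IdentityProviderMgtException if the parser cannot be hardened, the document fails to
     *                                      parse, or no unmarshaller is registered for its root element
     */
    private static XMLObject unmarshall(String xml) throws IdentityProviderMgtException {
        String decoded = decodeHTMLCharacters(xml);
        try {
            // Factory hardening happens inside the try so that an unsupported feature fails closed.
            DocumentBuilderFactory factory = newHardenedDocumentBuilderFactory();
            Element root = factory.newDocumentBuilder()
                    .parse(new ByteArrayInputStream(decoded.getBytes(UTF8)))
                    .getDocumentElement();
            org.opensaml.xml.io.Unmarshaller unmarshaller =
                    Configuration.getUnmarshallerFactory().getUnmarshaller(root);
            if (unmarshaller == null) {
                throw new IdentityProviderMgtException(
                        "No OpenSAML unmarshaller registered for element " + root.getLocalName());
            }
            return unmarshaller.unmarshall(root);
        } catch (IdentityProviderMgtException e) {
            throw e;
        } catch (Exception e) {
            if (log.isDebugEnabled()) {
                log.debug(e.getMessage(), e);
            }
            // Only a (String) constructor is known for this exception type, so the cause is
            // logged above rather than chained.
            throw new IdentityProviderMgtException(e.getMessage());
        }
    }

    /**
     * Creates a namespace-aware {@link DocumentBuilderFactory} with DTDs, external entities,
     * external DTD loading, XInclude and entity expansion disabled.
     *
     * @throws ParserConfigurationException if the underlying parser does not support a feature
     */
    private static DocumentBuilderFactory newHardenedDocumentBuilderFactory()
            throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature(FEATURE_DISALLOW_DOCTYPE, true);
        factory.setFeature(FEATURE_EXTERNAL_GENERAL_ENTITIES, false);
        factory.setFeature(FEATURE_EXTERNAL_PARAMETER_ENTITIES, false);
        factory.setFeature(FEATURE_LOAD_EXTERNAL_DTD, false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
    }

    /**
     * Checks that every expected audience (the caller-supplied ones plus those configured on the
     * IdP) is listed in at least one AudienceRestriction of the assertion.
     *
     * @param assertion the assertion whose Conditions are inspected
     * @param trustedIdPDTO IdP configuration providing additional expected audiences
     * @param audiences caller-supplied expected audiences; may be {@code null}
     * @return {@code true} if no audience is expected at all, or every expected audience is present
     */
    private static boolean validateAudienceRestriction(Assertion assertion, TrustedIdPDTO trustedIdPDTO,
                                                       String[] audiences) {
        List<String> expectedAudiences = new ArrayList<String>();
        if (audiences != null) {
            Collections.addAll(expectedAudiences, audiences);
        }
        if (trustedIdPDTO.getAudience() != null) {
            for (String audience : trustedIdPDTO.getAudience()) {
                expectedAudiences.add(audience);
            }
        }
        if (expectedAudiences.isEmpty()) {
            // Nothing is configured to check against; accepted, as in the original behaviour.
            return true;
        }
        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            debug("SAML Response doesn't contain Conditions");
            return false;
        }
        List<AudienceRestriction> restrictions = conditions.getAudienceRestrictions();
        if (restrictions == null || restrictions.isEmpty()) {
            debug("SAML Response doesn't contain AudienceRestrictions");
            return false;
        }
        for (String expected : expectedAudiences) {
            if (!containsAudience(restrictions, expected)) {
                debug("SAML Assertion Audience Restriction validation failed");
                return false;
            }
        }
        return true;
    }

    /**
     * Returns {@code true} if {@code expected} is an Audience URI of one of the restrictions.
     * A restriction without any Audience element is treated as a failure.
     */
    private static boolean containsAudience(List<AudienceRestriction> restrictions, String expected) {
        for (AudienceRestriction restriction : restrictions) {
            List<Audience> found = restriction.getAudiences();
            if (found == null || found.isEmpty()) {
                debug("SAML Response's AudienceRestriction doesn't contain Audiences");
                return false;
            }
            for (Audience audience : found) {
                if (expected != null && expected.equals(audience.getAudienceURI())) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Verifies the Response element's signature against the credential.
     *
     * @return {@code false} if the signature is absent or does not verify
     */
    private static boolean validateResponseSignature(Response response, Credential credential) {
        return validateSignature(response.getSignature(), credential, "Response");
    }

    /**
     * Verifies the Assertion element's signature against the credential.
     *
     * @return {@code false} if the signature is absent or does not verify
     */
    private static boolean validateAssertionSignature(Assertion assertion, Credential credential) {
        return validateSignature(assertion.getSignature(), credential, "Assertion");
    }

    /**
     * Shared signature check. A missing signature is a failure, not a pass.
     *
     * @param signature the signature to verify; may be {@code null}
     * @param credential the trusted IdP credential
     * @param elementName "Response" or "Assertion", used only in log messages
     * @return {@code true} if the signature verifies against the credential
     */
    private static boolean validateSignature(Signature signature, Credential credential, String elementName) {
        if (signature == null) {
            debug("Signature element is not found in SAML " + elementName + " element");
            return false;
        }
        try {
            new SignatureValidator(credential).validate(signature);
            return true;
        } catch (ValidationException e) {
            if (log.isDebugEnabled()) {
                log.debug("Signature validation failed for SAML " + elementName, e);
            }
            return false;
        }
    }

    /**
     * Reverses HTML escaping of the five XML entities. Replacement is literal (no regex) and
     * {@code &amp;} is decoded last so a doubly-escaped sequence such as {@code &amp;lt;} yields
     * {@code &lt;} rather than {@code <}.
     *
     * <p>NOTE(review): this also rewrites entity references that belong to the XML itself;
     * confirm that callers really supply HTML-escaped documents.
     */
    private static String decodeHTMLCharacters(String str) {
        return str.replace("&lt;", "<")
                .replace("&gt;", ">")
                .replace("&quot;", "\"")
                .replace("&apos;", "'")
                .replace("&amp;", "&");
    }

    /** Logs at debug level when enabled; used for the rejection reasons above. */
    private static void debug(String message) {
        if (log.isDebugEnabled()) {
            log.debug(message);
        }
    }
}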
