package uk.gov.ida.saml.hub.validators.authnrequest;

import com.google.common.base.Strings;
import org.joda.time.DateTime;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.NameIDPolicy;
import org.opensaml.xmlsec.signature.Signature;
import uk.gov.ida.saml.core.errors.SamlTransformationErrorFactory;
import uk.gov.ida.saml.core.validation.SamlTransformationErrorException;
import uk.gov.ida.saml.core.validation.SamlTransformationErrorManager;
import uk.gov.ida.saml.core.validation.SamlValidationSpecificationFailure;
import uk.gov.ida.saml.core.validators.SamlValidator;
import uk.gov.ida.saml.hub.exception.SamlDuplicateRequestIdException;
import uk.gov.ida.saml.hub.exception.SamlRequestTooOldException;
import uk.gov.ida.saml.security.validators.issuer.IssuerValidator;
import uk.gov.ida.saml.security.validators.signature.SamlSignatureUtil;

/* loaded from: input_file:uk/gov/ida/saml/hub/validators/authnrequest/AuthnRequestFromTransactionValidator.class */
/**
 * Validates an {@link AuthnRequest} received from a relying-party transaction before the hub
 * processes it further.
 *
 * <p>Checks run in a fixed order and the first failure wins: issuer; request ID (present,
 * starts with an underscore or ASCII letter, not seen before); IssueInstant (present, passes
 * the freshness validator); Signature element present and populated; SAML version 2.0;
 * NameIDPolicy format (warning only); no Scoping element; ProtocolBinding absent or HTTP-POST;
 * no IsPassive attribute.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Only the <em>presence</em> of a signature is checked here. Cryptographic verification
 *       against the issuer's key is not performed by this class and presumably happens elsewhere
 *       in the pipeline — confirm before relying on this validator alone.</li>
 *   <li>The replay (duplicate ID) check runs before the signature-presence check. If
 *       {@code DuplicateAuthnRequestValidator.valid} records an ID on first sight, an unsigned
 *       request could pre-register an ID and cause the genuine request to be rejected as a
 *       duplicate. NOTE(review): confirm where signature verification sits relative to this
 *       validator, or whether {@code valid} records IDs.</li>
 *   <li>A NameIDPolicy format other than persistent is only logged as a warning, not rejected.</li>
 *   <li>Only the first character of the request ID is validated; the rest of the ID is not
 *       checked here.</li>
 * </ul>
 */
public class AuthnRequestFromTransactionValidator implements SamlValidator<AuthnRequest> {

    /** The only NameIDPolicy format the hub expects; other formats are warned about, not rejected. */
    private static final String PERSISTENT_NAME_ID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";

    /** The only ProtocolBinding accepted when the request specifies one. */
    private static final String HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";

    private final IssuerValidator issuerValidator;
    private final DuplicateAuthnRequestValidator duplicateAuthnRequestValidator;
    private final AuthnRequestIssueInstantValidator issueInstantValidator;

    /**
     * @param issuerValidator                   validates the request's Issuer element
     * @param duplicateAuthnRequestValidator    replay check on the request ID
     * @param authnRequestIssueInstantValidator freshness check on the IssueInstant
     */
    public AuthnRequestFromTransactionValidator(IssuerValidator issuerValidator,
                                                DuplicateAuthnRequestValidator duplicateAuthnRequestValidator,
                                                AuthnRequestIssueInstantValidator authnRequestIssueInstantValidator) {
        this.issuerValidator = issuerValidator;
        this.duplicateAuthnRequestValidator = duplicateAuthnRequestValidator;
        this.issueInstantValidator = authnRequestIssueInstantValidator;
    }

    /**
     * Runs every check in order; the first failing check throws and the remaining checks are skipped.
     *
     * @param authnRequest the request to validate
     * @throws SamlTransformationErrorException for structural or policy violations
     * @throws SamlDuplicateRequestIdException  when the request ID has been seen before
     * @throws SamlRequestTooOldException       when the IssueInstant fails the freshness check
     */
    @Override
    public void validate(AuthnRequest authnRequest) {
        issuerValidator.validate(authnRequest.getIssuer());
        checkRequestId(authnRequest);
        checkIssueInstant(authnRequest);
        checkSignaturePresent(authnRequest);
        checkVersion(authnRequest);
        checkNameIdPolicy(authnRequest);
        checkNoScoping(authnRequest);
        checkProtocolBinding(authnRequest);
        checkNoIsPassive(authnRequest);
    }

    /** ID must be present, begin with '_' or an ASCII letter, and not have been seen before. */
    private void checkRequestId(AuthnRequest authnRequest) {
        String id = authnRequest.getID();
        if (id == null || id.isEmpty()) {
            throw rejection(SamlTransformationErrorFactory.missingRequestId());
        }
        // xsd:ID must begin with a letter or underscore. Only the first character is
        // inspected; the remainder of the ID is not validated by this class.
        if (!hasValidLeadingChar(id)) {
            throw rejection(SamlTransformationErrorFactory.invalidRequestID());
        }
        // Replay protection: an ID the hub has already seen is rejected with a dedicated exception.
        if (!duplicateAuthnRequestValidator.valid(id)) {
            // The issuer was validated before this point, so getIssuer() is assumed non-null here.
            SamlValidationSpecificationFailure duplicate =
                    SamlTransformationErrorFactory.duplicateRequestId(id, authnRequest.getIssuer().getValue());
            throw new SamlDuplicateRequestIdException(duplicate.getErrorMessage(), duplicate.getLogLevel());
        }
    }

    /** True when the first character is '_' or an ASCII letter (the xsd:ID start rule, ASCII subset). */
    private static boolean hasValidLeadingChar(String id) {
        char first = id.charAt(0);
        return first == '_' || (first >= 'a' && first <= 'z') || (first >= 'A' && first <= 'Z');
    }

    /** IssueInstant must be present and accepted by the injected freshness validator. */
    private void checkIssueInstant(AuthnRequest authnRequest) {
        String id = authnRequest.getID();
        DateTime issueInstant = authnRequest.getIssueInstant();
        if (issueInstant == null) {
            throw rejection(SamlTransformationErrorFactory.missingRequestIssueInstant(id));
        }
        // Freshness policy is delegated; whether future-dated instants are rejected depends on
        // AuthnRequestIssueInstantValidator and cannot be determined from this class.
        if (!issueInstantValidator.isValid(issueInstant)) {
            SamlValidationSpecificationFailure tooOld =
                    SamlTransformationErrorFactory.requestTooOld(id, issueInstant, DateTime.now());
            throw new SamlRequestTooOldException(tooOld.getErrorMessage(), tooOld.getLogLevel());
        }
    }

    /**
     * A Signature element must exist and SamlSignatureUtil must consider it populated.
     * This is a presence check only — no cryptographic verification happens here.
     */
    private void checkSignaturePresent(AuthnRequest authnRequest) {
        Signature signature = authnRequest.getSignature();
        if (signature == null) {
            throw rejection(SamlTransformationErrorFactory.missingSignature());
        }
        // Presumably distinguishes an empty <Signature> shell from one carrying signature data —
        // see SamlSignatureUtil for the exact rule.
        if (!SamlSignatureUtil.isSignaturePresent(signature)) {
            throw rejection(SamlTransformationErrorFactory.signatureNotSigned());
        }
    }

    /** Version must be present and must be SAML 2.0. */
    private void checkVersion(AuthnRequest authnRequest) {
        SAMLVersion version = authnRequest.getVersion();
        if (version == null) {
            throw rejection(SamlTransformationErrorFactory.missingRequestVersion(authnRequest.getID()));
        }
        // Identity comparison is deliberately preserved from the original implementation; it relies
        // on OpenSAML handing back its shared VERSION_* instances — revisit if SAMLVersion ever
        // gains an equals() override.
        if (version != SAMLVersion.VERSION_20) {
            throw rejection(SamlTransformationErrorFactory.illegalRequestVersionNumber());
        }
    }

    /** NameIDPolicy is optional; a missing or non-persistent format is warned about, never rejected. */
    private void checkNameIdPolicy(AuthnRequest authnRequest) {
        NameIDPolicy policy = authnRequest.getNameIDPolicy();
        if (policy == null) {
            return;
        }
        String format = policy.getFormat();
        if (format == null) {
            SamlTransformationErrorManager.warn(SamlTransformationErrorFactory.missingNameIDPolicy());
        } else if (!PERSISTENT_NAME_ID_FORMAT.equals(format)) {
            // Warn only: a non-persistent format does not fail validation.
            SamlTransformationErrorManager.warn(SamlTransformationErrorFactory.illegalNameIDPolicy(format));
        }
    }

    /** Any Scoping element is rejected outright. */
    private void checkNoScoping(AuthnRequest authnRequest) {
        if (authnRequest.getScoping() != null) {
            throw rejection(SamlTransformationErrorFactory.scopingNotAllowed());
        }
    }

    /** ProtocolBinding may be absent; if present it must be HTTP-POST. */
    private void checkProtocolBinding(AuthnRequest authnRequest) {
        String binding = authnRequest.getProtocolBinding();
        if (binding != null && !HTTP_POST_BINDING.equals(binding)) {
            throw rejection(SamlTransformationErrorFactory.illegalProtocolBindingError(binding, HTTP_POST_BINDING));
        }
    }

    /** An explicit IsPassive attribute (of either value) is rejected. */
    private void checkNoIsPassive(AuthnRequest authnRequest) {
        if (authnRequest.isPassiveXSBoolean() != null) {
            throw rejection(SamlTransformationErrorFactory.isPassiveNotAllowed());
        }
    }

    /** Builds the generic validation failure exception from a specification failure. */
    private static SamlTransformationErrorException rejection(SamlValidationSpecificationFailure failure) {
        return new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
    }
}
