package dk.itst.oiosaml.sp.model;

import dk.itst.oiosaml.helper.DeveloperHelper;
import dk.itst.oiosaml.logging.Logger;
import dk.itst.oiosaml.logging.LoggerFactory;
import dk.itst.oiosaml.sp.model.validation.ValidationException;
import dk.itst.oiosaml.sp.service.session.SessionHandler;
import java.security.cert.Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.Response;
import org.opensaml.xml.security.credential.Credential;

/* loaded from: input_file:dk/itst/oiosaml/sp/model/OIOResponse.class */
/**
 * Wrapper around an OpenSAML {@code Response} that adds the checks this service
 * provider applies to a response and its (possibly encrypted) assertion.
 */
public class OIOResponse extends OIOAbstractResponse {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) OIOResponse.class);

    /** The wrapped OpenSAML response; the same object is handed to the superclass. */
    private final Response response;

    /** Set only by {@link #decryptAssertion(Credential, boolean)}; {@code null} until then. */
    private OIOAssertion assertion;

    /**
     * Wraps a SAML 2.0 {@code Response}.
     *
     * @param response the OpenSAML response to wrap
     */
    public OIOResponse(Response response) {
        super(response);
        this.response = response;
    }

    /**
     * Resolves the entity id of the IdP this response originates from.
     * <p>
     * For a solicited response ({@code InResponseTo} present) the id is obtained from the
     * session handler via {@code removeEntityIdForRequest} using that request id. For an
     * unsolicited response the issuer of the first assertion is used, falling back to the
     * response-level issuer.
     *
     * @param sessionHandler session store consulted for solicited responses
     * @return the entity id; in the solicited case whatever the session handler returns
     * @throws ValidationException if the response is unsolicited and carries no issuer at all
     */
    public String getOriginatingIdpEntityId(SessionHandler sessionHandler) {
        String inResponseTo = this.response.getInResponseTo();
        if (inResponseTo != null) {
            return sessionHandler.removeEntityIdForRequest(inResponseTo);
        }
        Issuer issuer = this.response.getAssertions().isEmpty()
                ? null
                : ((Assertion) this.response.getAssertions().get(0)).getIssuer();
        if (issuer == null) {
            issuer = this.response.getIssuer();
        }
        if (issuer == null) {
            throw new ValidationException("SAML Response does not contain a issuer, this is required for unsolicited Responses");
        }
        return issuer.getValue();
    }

    /**
     * Verifies the assertion signature against a single trusted certificate.
     *
     * @param certificate the certificate whose public key must have signed the assertion
     * @throws ValidationException if the assertion signature does not verify
     */
    public void validateAssertionSignature(Certificate certificate) {
        validateAssertionSignature(Collections.singletonList(certificate));
    }

    /**
     * Verifies that the assertion of this response is signed by one of the given certificates.
     * <p>
     * Does nothing when the response holds no plain assertion. Every certificate is tried and
     * the check fails closed: with an empty collection nothing can verify, so after a developer
     * hint is logged a {@code ValidationException} is still thrown.
     *
     * @param collection trusted certificates; one of them verifying the signature is enough
     * @throws ValidationException if no certificate verifies the assertion signature
     */
    public void validateAssertionSignature(Collection<? extends Certificate> collection) {
        if (this.response.getAssertions().isEmpty()) {
            return;
        }
        if (collection.size() == 0) {
            DeveloperHelper.log("It is not possible to validate the signature on the assertion, because there are no valid certificates to check the signature against. This might be because revocation checking has failed on the IdP certificates");
        }
        boolean verified = false;
        for (Certificate candidate : collection) {
            // Non-short-circuit on purpose: every certificate is tried even after a match.
            // getAssertion() is re-evaluated per certificate; without a prior decryption it
            // builds a fresh OIOAssertion from the response each time.
            verified |= getAssertion().verifySignature(candidate.getPublicKey());
        }
        if (!verified) {
            throw new ValidationException("The assertion is not signed correctly");
        }
    }

    /**
     * Validates the response against a single trusted certificate; see
     * {@link #validateResponse(String, Collection, boolean)}.
     *
     * @throws ValidationException on any failed check
     */
    public void validateResponse(String str, Certificate certificate, boolean z) throws ValidationException {
        validateResponse(str, Collections.singletonList(certificate), z);
    }

    /**
     * Validates the response envelope.
     * <p>
     * Runs the superclass checks with no expected in-response-to id, requires an assertion or
     * encrypted assertion unless the status is NoPassive, and, only when the response itself
     * carries a signature, requires that signature to verify against at least one of the given
     * certificates. An unsigned response is not rejected here, so callers that need assertion
     * integrity must also run {@link #validateAssertionSignature(Collection)}.
     *
     * @param str forwarded unchanged as the second argument of the superclass validation; its
     *     meaning is defined there
     * @param collection trusted certificates for the response-level signature
     * @param z forwarded unchanged to the superclass validation
     * @throws ValidationException on any failed check
     */
    public void validateResponse(String str, Collection<? extends Certificate> collection, boolean z) throws ValidationException {
        validateResponse((String) null, str, z);
        if (!isPassive() && this.response.getAssertions().isEmpty() && this.response.getEncryptedAssertions().isEmpty()) {
            throw new ValidationException("Response must contain an Assertion or EncryptedAssertion.");
        }
        if (!hasSignature()) {
            return;
        }
        boolean verified = false;
        for (Certificate candidate : collection) {
            // Non-short-circuit on purpose: every certificate is tried even after a match.
            verified |= verifySignature(candidate.getPublicKey());
        }
        if (!verified) {
            throw new ValidationException("The response is not signed correctly");
        }
    }

    /**
     * Returns the assertion of this response.
     * <p>
     * After {@link #decryptAssertion(Credential, boolean)} has stored a decrypted assertion,
     * that one is returned. Otherwise a new {@link OIOAssertion} is built from the response on
     * every call.
     *
     * @return the stored decrypted assertion, else an assertion view built from the response
     */
    public OIOAssertion getAssertion() {
        OIOAssertion decrypted = this.assertion;
        if (decrypted != null) {
            if (log.isDebugEnabled()) {
                log.debug("Found encrypted assertion, returning decrypted");
            }
            return decrypted;
        }
        return OIOAssertion.fromResponse(this.response);
    }

    /**
     * Decrypts the first {@code EncryptedAssertion} of the response with the given credential.
     * <p>
     * The decrypted assertion is kept in this object and appended to the response's plain
     * assertion list, so later {@link #getAssertion()} and
     * {@link #validateAssertionSignature(Collection)} calls operate on it. Only the first
     * encrypted assertion is considered. No signature check is performed here; the decrypted
     * assertion still has to be validated afterwards. Without an encrypted assertion, a plain
     * assertion is tolerated only when {@code z} is true.
     *
     * @param credential credential used for the decryption
     * @param z whether an unencrypted assertion is acceptable
     * @throws ValidationException if there is no encrypted assertion, {@code z} is false and a
     *     plain assertion is present
     */
    public void decryptAssertion(Credential credential, boolean z) {
        if (!this.response.getEncryptedAssertions().isEmpty()) {
            EncryptedAssertion encrypted = (EncryptedAssertion) this.response.getEncryptedAssertions().get(0);
            this.assertion = new OIOEncryptedAssertion(encrypted).decryptAssertion(credential);
            this.response.getAssertions().add(this.assertion.getAssertion());
            return;
        }
        if (!z && !this.response.getAssertions().isEmpty()) {
            throw new ValidationException("Assertion is not encrypted");
        }
    }

    /**
     * @return the wrapped OpenSAML response (the live object, not a copy)
     */
    public Response getResponse() {
        return this.response;
    }

    /**
     * Tells whether the nested (second-level) status code of this response is
     * {@code urn:oasis:names:tc:SAML:2.0:status:NoPassive}.
     *
     * @return {@code true} only when that nested status code is present and equals NoPassive
     */
    public boolean isPassive() {
        if (this.response.getStatus() == null) {
            return false;
        }
        if (this.response.getStatus().getStatusCode() == null) {
            return false;
        }
        if (this.response.getStatus().getStatusCode().getStatusCode() == null) {
            return false;
        }
        String nestedCode = this.response.getStatus().getStatusCode().getStatusCode().getValue();
        return "urn:oasis:names:tc:SAML:2.0:status:NoPassive".equals(nestedCode);
    }
}
