package dk.gov.oio.saml.service.validation;

import dk.gov.oio.saml.config.Configuration;
import dk.gov.oio.saml.model.NSISLevel;
import dk.gov.oio.saml.service.IdPMetadataService;
import dk.gov.oio.saml.service.OIOSAML3Service;
import dk.gov.oio.saml.session.AuthnRequestWrapper;
import dk.gov.oio.saml.util.Constants;
import dk.gov.oio.saml.util.ExternalException;
import dk.gov.oio.saml.util.InternalException;
import dk.gov.oio.saml.util.SamlHelper;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import org.apache.log4j.Logger;
import org.joda.time.DateTime;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.handler.MessageHandlerException;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.assertion.AssertionValidationException;
import org.opensaml.saml.common.binding.security.impl.MessageLifetimeSecurityHandler;
import org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml.saml2.core.Audience;
import org.opensaml.saml.saml2.core.AudienceRestriction;
import org.opensaml.saml.saml2.core.Conditions;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.saml2.core.SubjectConfirmationData;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;

/* loaded from: input_file:dk/gov/oio/saml/service/validation/AssertionValidationService.class */
public class AssertionValidationService {
    private static final Logger log = Logger.getLogger(AssertionValidationService.class);

    public void validate(HttpServletRequest httpServletRequest, MessageContext<SAMLObject> messageContext, Response response, Assertion assertion, AuthnRequestWrapper authnRequestWrapper) throws AssertionValidationException, InternalException, ExternalException {
        validateDestination(httpServletRequest, messageContext);
        validateLifetime(messageContext, response, assertion);
        validateResponse(response, authnRequestWrapper);
        validateAssertion(assertion, authnRequestWrapper);
    }

    private void validateDestination(HttpServletRequest httpServletRequest, MessageContext<SAMLObject> messageContext) throws InternalException, ExternalException {
        ReceivedEndpointSecurityHandler receivedEndpointSecurityHandler = null;
        try {
            try {
                receivedEndpointSecurityHandler = new ReceivedEndpointSecurityHandler();
                receivedEndpointSecurityHandler.setHttpServletRequest(httpServletRequest);
                receivedEndpointSecurityHandler.initialize();
                receivedEndpointSecurityHandler.invoke(messageContext);
                if (receivedEndpointSecurityHandler == null || !receivedEndpointSecurityHandler.isInitialized() || receivedEndpointSecurityHandler.isDestroyed()) {
                    return;
                }
                receivedEndpointSecurityHandler.destroy();
            } catch (MessageHandlerException e) {
                throw new ExternalException("Destination incorrect", e);
            } catch (ComponentInitializationException e2) {
                throw new InternalException("Could not initialize ReceivedEndpointSecurityHandler", e2);
            }
        } catch (Throwable th) {
            if (receivedEndpointSecurityHandler != null && receivedEndpointSecurityHandler.isInitialized() && !receivedEndpointSecurityHandler.isDestroyed()) {
                receivedEndpointSecurityHandler.destroy();
            }
            throw th;
        }
    }

    private void validateLifetime(MessageContext<SAMLObject> messageContext, Response response, Assertion assertion) throws InternalException, AssertionValidationException {
        int clockSkew = OIOSAML3Service.getConfig().getClockSkew();
        MessageLifetimeSecurityHandler messageLifetimeSecurityHandler = null;
        try {
            try {
                messageLifetimeSecurityHandler = new MessageLifetimeSecurityHandler();
                messageLifetimeSecurityHandler.setClockSkew(60000 * clockSkew);
                messageLifetimeSecurityHandler.initialize();
                messageLifetimeSecurityHandler.invoke(messageContext);
                if (messageLifetimeSecurityHandler != null && messageLifetimeSecurityHandler.isInitialized() && !messageLifetimeSecurityHandler.isDestroyed()) {
                    messageLifetimeSecurityHandler.destroy();
                }
                if (response.getIssueInstant().isBefore(DateTime.now().minusSeconds(clockSkew))) {
                    throw new AssertionValidationException("Response Lifetime incorrect");
                }
                if (assertion.getIssueInstant().isBefore(DateTime.now().minusSeconds(clockSkew))) {
                    throw new AssertionValidationException("Assertion Lifetime incorrect");
                }
                Conditions conditions = assertion.getConditions();
                if (conditions != null) {
                    if (conditions.getNotOnOrAfter() != null && !DateTime.now().minusSeconds(clockSkew).isBefore(conditions.getNotOnOrAfter())) {
                        throw new AssertionValidationException("Assertion conditions notOnOrAfter expired");
                    }
                    if (conditions.getNotBefore() != null && !DateTime.now().plusSeconds(clockSkew).isAfter(conditions.getNotBefore())) {
                        throw new AssertionValidationException("Assertion conditions notBefore not reached yet");
                    }
                }
            } catch (ComponentInitializationException e) {
                throw new InternalException("Could not initialize MessageLifetimeSecurityHandler", e);
            } catch (MessageHandlerException e2) {
                throw new AssertionValidationException("Message lifetime incorrect", e2);
            }
        } catch (Throwable th) {
            if (messageLifetimeSecurityHandler != null && messageLifetimeSecurityHandler.isInitialized() && !messageLifetimeSecurityHandler.isDestroyed()) {
                messageLifetimeSecurityHandler.destroy();
            }
            throw th;
        }
    }

    private void validateResponse(Response response, AuthnRequestWrapper authnRequestWrapper) throws AssertionValidationException {
        validateStatus(response);
        validateInResponseTo(response, authnRequestWrapper);
        if (OIOSAML3Service.getConfig().isValidationEnabled()) {
            if (response.isSigned()) {
                log.warn("Successful responses SHOULD NOT be directly signed.");
            }
            List assertions = response.getAssertions();
            if (assertions != null && assertions.size() != 0) {
                throw new AssertionValidationException("MUST contain exactly one SAML Assertion, which should be encrypted");
            }
            List encryptedAssertions = response.getEncryptedAssertions();
            if (encryptedAssertions == null || encryptedAssertions.size() != 1) {
                throw new AssertionValidationException("MUST contain exactly one SAML Assertion");
            }
        }
    }

    private void validateAssertion(Assertion assertion, AuthnRequestWrapper authnRequestWrapper) throws AssertionValidationException, ExternalException, InternalException {
        validateSignature(assertion);
        validateIssuer(assertion);
        Configuration config = OIOSAML3Service.getConfig();
        if (config.isValidationEnabled()) {
            validateSubject(assertion, authnRequestWrapper);
        }
        validateAudienceRestriction(assertion);
        List authnStatements = assertion.getAuthnStatements();
        if (authnStatements == null || authnStatements.size() != 1) {
            throw new AssertionValidationException("Assertions MUST contain exactly one AuthnStatement sub-element");
        }
        List attributeStatements = assertion.getAttributeStatements();
        if (attributeStatements == null || attributeStatements.size() != 1) {
            throw new AssertionValidationException("Assertions MUST contain exactly one AttributeStatement sub-element");
        }
        Map<String, String> extractAttributeValues = SamlHelper.extractAttributeValues((AttributeStatement) attributeStatements.get(0));
        if (config.isValidationEnabled()) {
            validateAttributeStatement(extractAttributeValues, assertion.getSubject().getNameID().getValue().startsWith("https://data.gov.dk/model/core/eid/professional"));
            validateAssurance(extractAttributeValues, authnRequestWrapper);
            if (!assertion.isSigned()) {
                throw new AssertionValidationException("The Assertion within the response MUST be directly signed");
            }
        }
    }

    private void validateAttributeStatement(Map<String, String> map, boolean z) throws AssertionValidationException {
        String str = map.get(Constants.SPEC_VER);
        if (!Constants.SPEC_VER_VAL.equals(str)) {
            throw new AssertionValidationException("specVersion Was: " + str + " Expected: " + Constants.SPEC_VER_VAL);
        }
        if (z) {
            String str2 = map.get(Constants.CVR_NUMBER);
            if (str2 == null || !str2.matches("^\\d{8}$")) {
                throw new AssertionValidationException("CVR should be present and should be an 8-digit number");
            }
            String str3 = map.get(Constants.ORGANIZATION_NAME);
            if (str3 == null || str3.isEmpty()) {
                throw new AssertionValidationException("Organization Name should be present");
            }
        }
    }

    private void validateAssurance(Map<String, String> map, AuthnRequestWrapper authnRequestWrapper) throws AssertionValidationException {
        Configuration config = OIOSAML3Service.getConfig();
        String str = map.get(Constants.ASSURANCE_LEVEL);
        if (authnRequestWrapper.getRequestedNsisLevel() == NSISLevel.NONE && str != null) {
            log.info("Assurance level of " + str + " received. Accepting, requested NSIS LoA was NONE");
            return;
        }
        if (!config.isAssuranceLevelAllowed() && str != null) {
            throw new AssertionValidationException("NSIS LoA required, but received AssuranceLevel");
        }
        if (config.isAssuranceLevelSufficient(str)) {
            log.info("Assurance level of " + str + " received instead of NSIS LoA. Accepted because of configuration");
            return;
        }
        String str2 = map.get(Constants.LOA);
        if (str2 == null) {
            throw new AssertionValidationException("Must Contain Level of assurance");
        }
        NSISLevel nSISLevelFromAttributeValue = NSISLevel.getNSISLevelFromAttributeValue(str2, null);
        if (nSISLevelFromAttributeValue == null) {
            throw new AssertionValidationException("Level of assurance was not correct value. Was: " + str2);
        }
        NSISLevel nSISLevel = NSISLevel.NONE;
        Iterator<String> it = authnRequestWrapper.getAuthnContextClassRefValues().iterator();
        while (it.hasNext()) {
            NSISLevel nSISLevelFromUrl = NSISLevel.getNSISLevelFromUrl(it.next(), null);
            if (nSISLevelFromUrl != null) {
                nSISLevel = nSISLevelFromUrl;
            }
        }
        if (nSISLevel.isGreater(nSISLevelFromAttributeValue)) {
            throw new AssertionValidationException("Assertion NSIS Level not sufficient. Was: '" + nSISLevelFromAttributeValue + "' Expected: '" + nSISLevel + "'");
        }
    }

    private void validateStatus(Response response) throws AssertionValidationException {
        if (response.getStatus() == null || response.getStatus().getStatusCode() == null) {
            throw new AssertionValidationException("Response status or Response status statuscode was null");
        }
        if (!"urn:oasis:names:tc:SAML:2.0:status:Success".equals(response.getStatus().getStatusCode().getValue())) {
            throw new AssertionValidationException("Response status code is not Success. Expected: urn:oasis:names:tc:SAML:2.0:status:Success Was: " + response.getStatus().getStatusCode().getValue());
        }
    }

    private void validateInResponseTo(Response response, AuthnRequestWrapper authnRequestWrapper) throws AssertionValidationException {
        if (!Objects.equals(authnRequestWrapper.getId(), response.getInResponseTo())) {
            throw new AssertionValidationException("InResponseTo does not match AuthnRequest ID. Expected: " + authnRequestWrapper.getId() + " Was: " + response.getInResponseTo());
        }
    }

    private void validateSignature(Assertion assertion) throws ExternalException, InternalException, AssertionValidationException {
        try {
            SignatureValidator.validate(assertion.getSignature(), new BasicX509Credential(IdPMetadataService.getInstance().getIdPMetadata().getValidX509Certificate(UsageType.SIGNING)));
        } catch (SignatureException e) {
            throw new AssertionValidationException("Could not validate assertion signature", e);
        }
    }

    private void validateAudienceRestriction(Assertion assertion) throws AssertionValidationException {
        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            throw new AssertionValidationException("The assertion MUST contain an AudienceRestriction including the ServiceProvider's unique identifier as an Audience, no conditions present");
        }
        Configuration config = OIOSAML3Service.getConfig();
        boolean z = false;
        Iterator it = conditions.getAudienceRestrictions().iterator();
        while (it.hasNext()) {
            Iterator it2 = ((AudienceRestriction) it.next()).getAudiences().iterator();
            while (it2.hasNext()) {
                if (((Audience) it2.next()).getAudienceURI().equals(config.getSpEntityID())) {
                    z = true;
                }
            }
        }
        if (!z) {
            throw new AssertionValidationException("The assertion MUST contain an AudienceRestriction including the ServiceProvider's unique identifier as an Audience");
        }
    }

    private void validateSubject(Assertion assertion, AuthnRequestWrapper authnRequestWrapper) throws AssertionValidationException {
        Subject subject = assertion.getSubject();
        if (subject == null || subject.getNameID() == null) {
            throw new AssertionValidationException("Assertions MUST contain one Subject");
        }
        NameID nameID = subject.getNameID();
        if (nameID == null) {
            throw new AssertionValidationException("Assertions MUST contain one Subject With a NameID element ");
        }
        if (!"urn:oasis:names:tc:SAML:2.0:nameid-format:transient".equals(nameID.getFormat()) && !"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent".equals(nameID.getFormat())) {
            throw new AssertionValidationException("Subject NameID should have format set to urn:oasis:names:tc:SAML:2.0:nameid-format:transient or urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
        }
        String value = nameID.getValue();
        if (value == null || !value.startsWith("https://data.gov.dk/model/core/eid/")) {
            throw new AssertionValidationException("Subject NameID error");
        }
        try {
            String[] split = value.split("/uuid/");
            UUID.fromString(split[split.length - 1]);
            String str = null;
            Iterator<String> it = authnRequestWrapper.getAuthnContextClassRefValues().iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                String next = it.next();
                if (Constants.ATTRIBUTE_PROFILE_PERSON.equals(next)) {
                    str = "https://data.gov.dk/model/core/eid/person";
                    break;
                } else if (Constants.ATTRIBUTE_PROFILE_PERSON.equals(next)) {
                    str = "https://data.gov.dk/model/core/eid/professional";
                    break;
                }
            }
            if (str != null && !value.startsWith(str)) {
                throw new AssertionValidationException("Subject NameID was: " + value + " but the AuthnRequest requested it should be of type: " + str);
            }
            SubjectConfirmation subjectConfirmation = null;
            Iterator it2 = subject.getSubjectConfirmations().iterator();
            while (true) {
                if (!it2.hasNext()) {
                    break;
                }
                SubjectConfirmation subjectConfirmation2 = (SubjectConfirmation) it2.next();
                if ("urn:oasis:names:tc:SAML:2.0:cm:bearer".equals(subjectConfirmation2.getMethod())) {
                    subjectConfirmation = subjectConfirmation2;
                    break;
                }
            }
            if (subjectConfirmation == null) {
                throw new AssertionValidationException("The Subject element MUST contain at least one SubjectConfirmation with conformation method of urn:oasis:names:tc:SAML:2.0:cm:bearer.");
            }
            SubjectConfirmationData subjectConfirmationData = subjectConfirmation.getSubjectConfirmationData();
            if (subjectConfirmationData == null) {
                throw new AssertionValidationException("The SubjectConfirmation element described above MUST contain a SubjectConfirmationData");
            }
            Configuration config = OIOSAML3Service.getConfig();
            if (!(config.getBaseUrl() + "/saml/assertionConsumer").equals(subjectConfirmationData.getRecipient())) {
                throw new AssertionValidationException("The SubjectConfirmationData element MUST contain a recipient attribute containing the SP's assertion consumer service URL");
            }
            DateTime notOnOrAfter = subjectConfirmationData.getNotOnOrAfter();
            if (notOnOrAfter == null) {
                throw new AssertionValidationException("The SubjectConfirmationData element MUST a NotOnOrAfter attribute");
            }
            if (!DateTime.now().isBefore(notOnOrAfter.plusSeconds(config.getClockSkew()))) {
                throw new AssertionValidationException("This instant was validated after SubjectConfirmationData 'NotOnOrAfter' attribute plus clockskew");
            }
        } catch (IllegalArgumentException e) {
            throw new AssertionValidationException("Subject NameID should be based on a UUID");
        }
    }

    private void validateIssuer(Assertion assertion) throws AssertionValidationException, InternalException, ExternalException {
        Issuer issuer = assertion.getIssuer();
        if (issuer == null) {
            throw new AssertionValidationException("Assertions MUST contain an Issuer");
        }
        String format = issuer.getFormat();
        if (format != null && !"urn:oasis:names:tc:SAML:2.0:nameid-format:entity".equals(format)) {
            throw new AssertionValidationException("Issuer format attribute MUST be omitted or have a value of urn:oasis:names:tc:SAML:2.0:nameid-format:entity");
        }
        String value = issuer.getValue();
        String entityID = IdPMetadataService.getInstance().getIdPMetadata().getEntityDescriptor().getEntityID();
        if (value == null || "".equals(value) || !Objects.equals(value, entityID)) {
            throw new AssertionValidationException("Issuer does not match IdP EntityID from metadata");
        }
    }
}
