package es.develex.saml;

import es.develex.saml.util.CertificateManager;
import es.develex.saml.util.Utils;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TimeZone;
import javax.xml.bind.DatatypeConverter;
import javax.xml.xpath.XPathExpressionException;
import org.apache.commons.codec.binary.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/* loaded from: input_file:es/develex/saml/Response.class */
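/**
 * Wrapper around a SAML 2.0 {@code <samlp:Response>} received from the IdP.
 *
 * <p>{@link #isValid(String...)} runs the structural, status, timing, destination/recipient
 * and signature checks and records the reason of the first failure in {@link #getError()}.
 * Every element look-up that feeds an application decision ({@link #getNameId()},
 * {@link #getIssuers()}, {@link #getSessionNotOnOrAfter()}, the SubjectConfirmation checks)
 * goes through {@link #queryAssertion(String)}, which scopes the XPath to the assertion whose
 * ID is named by the signature's {@code ds:Reference}; unsigned copies of those elements placed
 * elsewhere in the document are therefore ignored.
 *
 * <p>Not thread-safe: {@link #isValid(String...)} mutates {@code rootElement} and {@code error}.
 */
public class Response {
    /** Parsed response; {@code null} until {@link #loadXmlFromBase64(String)} succeeds. */
    private Document document;
    /** Root {@code samlp:Response} element, set by {@link #isValid(String...)}. */
    private Element rootElement;
    private final CertificateManager certificateManager;
    /** Decoded XML text of the response. */
    private String response;
    /** URL of this SP endpoint, compared against Destination and Recipient. */
    private String currentUrl;
    /** Accumulated validation messages; never reset, so repeated isValid() calls append. */
    private final StringBuilder error = new StringBuilder();
    private static final String STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
    private static final String NS_XMLDSIG = "http://www.w3.org/2000/09/xmldsig#";
    private static final String NS_SAML_ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion";
    private static final String CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer";
    private static final String SAML_VERSION = "2.0";
    private static final Logger log = LoggerFactory.getLogger(Response.class);

    /**
     * Creates an empty wrapper; call {@link #loadXmlFromBase64(String)} and
     * {@link #setDestinationUrl(String)} before {@link #isValid(String...)}.
     *
     * @param certificateManager source of the IdP certificate used for signature validation
     * @throws CertificateException declared for API compatibility; not thrown here
     */
    public Response(CertificateManager certificateManager) throws CertificateException {
        this.certificateManager = certificateManager;
    }

    /**
     * Creates a wrapper and immediately decodes the response.
     *
     * @param certificateManager source of the IdP certificate used for signature validation
     * @param str                Base64-encoded SAMLResponse parameter
     * @param str2               URL at which this SP received the response
     * @throws Exception if the XML cannot be parsed
     */
    public Response(CertificateManager certificateManager, String str, String str2) throws Exception {
        this(certificateManager);
        loadXmlFromBase64(str);
        this.currentUrl = str2;
    }

    /**
     * Decodes the Base64 SAMLResponse and parses it into {@link #document}.
     *
     * @param str Base64-encoded response
     * @throws Exception if the XML cannot be parsed
     */
    public void loadXmlFromBase64(String str) throws Exception {
        // Decode as UTF-8 explicitly; the charset-less String constructor uses the platform
        // default and could corrupt non-ASCII attribute values on some hosts.
        this.response = new String(new Base64().decode(str), StandardCharsets.UTF_8);
        // NOTE(review): Utils.loadXML must parse with DTD processing and external entities
        // disabled (XXE) since this is attacker-supplied XML; confirm in es.develex.saml.util.Utils.
        this.document = Utils.loadXML(this.response);
        if (this.document == null) {
            throw new Exception("SAML Response could not be processed");
        }
    }

    /**
     * Validates the loaded response and returns whether it may be trusted.
     *
     * <p>Checks, in order: document loaded and destination URL set; SAML version 2.0 and an ID
     * attribute; Success status; exactly one Assertion; signatures only on Response/Assertion;
     * InResponseTo against {@code strArr[0]} when given; Conditions timestamps; no
     * EncryptedAttribute; Destination equals the current URL; non-empty issuers;
     * SessionNotOnOrAfter; bearer SubjectConfirmationData (Recipient, NotBefore, NotOnOrAfter);
     * and finally every XML signature against the IdP certificate. No clock-skew tolerance is
     * applied to any timestamp comparison.
     *
     * @param strArr optional: the ID of the AuthnRequest this response must answer; when
     *               supplied, a response without a matching InResponseTo is rejected
     * @return {@code true} when all checks pass; otherwise {@code false}, with the reason
     *         appended to {@link #getError()}
     */
    public boolean isValid(String... strArr) {
        try {
            Calendar now = Calendar.getInstance(TimeZone.getTimeZone("UTC"));
            if (this.document == null) {
                throw new Exception("SAML Response is not loaded");
            }
            if (this.currentUrl == null || this.currentUrl.isEmpty()) {
                throw new Exception("The URL of the current host was not established");
            }
            this.rootElement = this.document.getDocumentElement();
            this.rootElement.normalize();
            if (!SAML_VERSION.equals(this.rootElement.getAttribute("Version"))) {
                throw new Exception("Unsupported SAML Version.");
            }
            if (!this.rootElement.hasAttribute("ID")) {
                throw new Exception("Missing ID attribute on SAML Response.");
            }
            checkStatus();
            if (!validateNumAssertions()) {
                throw new Exception("SAML Response must contain 1 Assertion.");
            }
            NodeList signatures = this.document.getElementsByTagNameNS(NS_XMLDSIG, "Signature");
            List<String> signedElements = signedElementNames(signatures);
            if (!signedElements.isEmpty() && !validateSignedElements(signedElements)) {
                throw new Exception("Found an unexpected Signature Element. SAML Response rejected");
            }
            checkInResponseTo(strArr);
            if (!validateTimestamps()) {
                throw new Exception("Timing issues (please check your clock configuration)");
            }
            if (queryAssertion("/saml:AttributeStatement/saml:EncryptedAttribute").getLength() > 0) {
                throw new Exception("There is an EncryptedAttribute in the Response and this SP not support them");
            }
            checkDestination();
            for (String issuer : getIssuers()) {
                if (issuer.isEmpty()) {
                    throw new Exception("Invalid issuer in the Assertion/Response");
                }
            }
            Calendar sessionNotOnOrAfter = getSessionNotOnOrAfter();
            // "NotOnOrAfter" semantics: the instant itself is already expired.
            if (sessionNotOnOrAfter != null && !now.before(sessionNotOnOrAfter)) {
                throw new Exception("The attributes have expired, based on the SessionNotOnOrAfter of the AttributeStatement of this Response");
            }
            if (!validateSubjectConfirmations(now)) {
                throw new Exception("A valid SubjectConfirmation was not found on this Response");
            }
            if (signedElements.isEmpty()) {
                throw new Exception("No Signature found. SAML Response rejected");
            }
            // Every signature present (at most one on the Response and one on the Assertion after
            // validateSignedElements) must verify, not only the first one in document order.
            // NOTE(review): Utils.validateSign is assumed to verify the enveloped signature against
            // the IdP certificate and to check that its Reference covers the parent element; confirm.
            for (int i = 0; i < signatures.getLength(); i++) {
                if (!Utils.validateSign(signatures.item(i), this.certificateManager.getIdpCert(), new String[0])) {
                    throw new Exception("Signature validation failed. SAML Response rejected");
                }
            }
            return true;
        } catch (Error e) {
            // Kept from the original behaviour: an Error (e.g. a missing javax.xml.bind class at
            // runtime) is reported as an invalid response rather than escaping to the caller.
            log.error("Error while validating SAML Response", e);
            this.error.append(e.getMessage());
            return false;
        } catch (Exception e) {
            // A rejected response is a security-relevant event; log it through the logger
            // instead of printStackTrace().
            log.warn("SAML Response rejected: {}", e.getMessage(), e);
            this.error.append(e.getMessage());
            return false;
        }
    }

    /**
     * Returns the local names of the parent elements of the given Signature nodes, in document
     * order (e.g. {@code "Response"}, {@code "Assertion"}).
     */
    private static List<String> signedElementNames(NodeList signatures) {
        List<String> names = new ArrayList<>(signatures.getLength());
        for (int i = 0; i < signatures.getLength(); i++) {
            names.add(signatures.item(i).getParentNode().getLocalName());
        }
        return names;
    }

    /**
     * Compares the Response's InResponseTo with the expected AuthnRequest ID, when one was given.
     *
     * @param expectedRequestIds the varargs passed to {@link #isValid(String...)}; only the first
     *                           entry is used
     * @throws Exception if an ID was expected but is missing or different
     */
    private void checkInResponseTo(String[] expectedRequestIds) throws Exception {
        if (expectedRequestIds.length == 0) {
            return;
        }
        String expected = expectedRequestIds[0];
        // An SP that expects a reply to a specific request must not accept an unsolicited
        // response (no InResponseTo), otherwise an IdP-initiated response could be replayed here.
        if (!this.rootElement.hasAttribute("InResponseTo")) {
            throw new Exception("The Response has no InResponseTo attribute but the SP expected a reply to AuthNRequest: " + expected);
        }
        String inResponseTo = this.rootElement.getAttribute("InResponseTo");
        if (!inResponseTo.equals(expected)) {
            throw new Exception("The InResponseTo of the Response: " + inResponseTo + ", does not match the ID of the AuthNRequest sent by the SP: " + expected);
        }
    }

    /**
     * Rejects a response whose non-empty Destination attribute differs from the current URL.
     * A missing or empty Destination is accepted, as in the original implementation.
     *
     * @throws Exception if Destination is present, non-empty and different from {@code currentUrl}
     */
    private void checkDestination() throws Exception {
        if (!this.rootElement.hasAttribute("Destination")) {
            return;
        }
        String destination = this.rootElement.getAttribute("Destination");
        if (destination != null && !destination.isEmpty() && !destination.equals(this.currentUrl)) {
            throw new Exception("The response was received at " + this.currentUrl + " instead of " + destination);
        }
    }

    /**
     * Checks every bearer SubjectConfirmation of the signed assertion.
     *
     * <p>A SubjectConfirmation with no Method attribute is treated as bearer. Each of its
     * SubjectConfirmationData children must name either no Recipient or the current URL, must not
     * have reached NotOnOrAfter, and must have reached NotBefore.
     * NOTE(review): an assertion with no SubjectConfirmation at all passes this check (original
     * behaviour); the bearer profile requires one, so callers may want to reject that case.
     *
     * @param now current UTC time
     * @return {@code false} if any bearer SubjectConfirmationData fails a check
     * @throws XPathExpressionException if the assertion query fails
     */
    private boolean validateSubjectConfirmations(Calendar now) throws XPathExpressionException {
        NodeList confirmations = queryAssertion("/saml:Subject/saml:SubjectConfirmation");
        for (int i = 0; i < confirmations.getLength(); i++) {
            Node confirmation = confirmations.item(i);
            Node method = confirmation.getAttributes().getNamedItem("Method");
            if (method != null && !CM_BEARER.equals(method.getNodeValue())) {
                continue; // only bearer confirmations are validated
            }
            NodeList children = confirmation.getChildNodes();
            for (int j = 0; j < children.getLength(); j++) {
                Node child = children.item(j);
                if (!"SubjectConfirmationData".equals(child.getLocalName())) {
                    continue;
                }
                if (!subjectConfirmationDataValid(child, now)) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Applies the Recipient / NotOnOrAfter / NotBefore checks to one SubjectConfirmationData.
     *
     * @param data the SubjectConfirmationData element
     * @param now  current UTC time
     * @return {@code true} when all present attributes are acceptable
     */
    private boolean subjectConfirmationDataValid(Node data, Calendar now) {
        NamedNodeMap attributes = data.getAttributes();
        Node recipient = attributes.getNamedItem("Recipient");
        if (recipient != null && !recipient.getNodeValue().isEmpty() && !recipient.getNodeValue().equals(this.currentUrl)) {
            return false;
        }
        Node notOnOrAfter = attributes.getNamedItem("NotOnOrAfter");
        if (notOnOrAfter != null && !now.before(DatatypeConverter.parseDateTime(notOnOrAfter.getNodeValue()))) {
            return false;
        }
        Node notBefore = attributes.getNamedItem("NotBefore");
        if (notBefore != null && now.before(DatatypeConverter.parseDateTime(notBefore.getNodeValue()))) {
            return false;
        }
        return true;
    }

    /**
     * Returns the subject NameID of the signed assertion.
     *
     * <p>The look-up is scoped through {@link #queryAssertion(String)}: a document-wide search
     * would return the first NameID in document order, which may sit outside the signed element.
     *
     * @return text content of {@code saml:Subject/saml:NameID}
     * @throws Exception if no NameID is present in the signed assertion
     */
    public String getNameId() throws Exception {
        NodeList nameIds = queryAssertion("/saml:Subject/saml:NameID");
        if (nameIds.getLength() == 0) {
            throw new Exception("No name id found in Document.");
        }
        return nameIds.item(0).getTextContent();
    }

    /**
     * Verifies that the Status of the response is Success.
     *
     * @return the status map from {@code Utils.getStatus} (keys seen here: "code", "msg")
     * @throws Exception if a status code is present and is not Success; the message names the
     *                   last segment of the status URN and the StatusMessage when present
     */
    private Map<String, String> checkStatus() throws Exception {
        Map<String, String> status = Utils.getStatus(this.document);
        String code = status.get("code");
        if (code == null || STATUS_SUCCESS.equals(code)) {
            return status;
        }
        // Report only the last URN segment, e.g. "Responder" from "...:status:Responder".
        String message = "The status code of the Response was not Success, was " + code.substring(code.lastIndexOf(':') + 1);
        if (status.containsKey("msg")) {
            // The original appended containsKey("msg") (always "true") instead of the message.
            message = message + " -> " + status.get("msg");
        }
        throw new Exception(message);
    }

    /**
     * Returns the Issuer values of the Response and of the signed Assertion, in that order,
     * without duplicates. Either is omitted when not present exactly once.
     *
     * @return insertion-ordered set of issuer strings (possibly empty)
     * @throws XPathExpressionException if a query fails
     */
    public Set<String> getIssuers() throws XPathExpressionException {
        Set<String> issuers = new LinkedHashSet<>();
        NodeList responseIssuer = queryAssertion("/samlp:Response/saml:Issuer");
        if (responseIssuer.getLength() == 1) {
            issuers.add(responseIssuer.item(0).getTextContent());
        }
        NodeList assertionIssuer = queryAssertion("/saml:Issuer");
        if (assertionIssuer.getLength() == 1) {
            issuers.add(assertionIssuer.item(0).getTextContent());
        }
        return issuers;
    }

    /**
     * Returns the SessionNotOnOrAfter of the first AuthnStatement of the signed assertion that
     * carries one.
     *
     * @return the parsed instant, or {@code null} when no AuthnStatement declares it
     * @throws XPathExpressionException if the query fails
     */
    public Calendar getSessionNotOnOrAfter() throws XPathExpressionException {
        NodeList statements = queryAssertion("/saml:AuthnStatement[@SessionNotOnOrAfter]");
        if (statements.getLength() > 0) {
            return DatatypeConverter.parseDateTime(statements.item(0).getAttributes().getNamedItem("SessionNotOnOrAfter").getNodeValue());
        }
        return null;
    }

    /** Returns whether the whole document contains exactly one {@code saml:Assertion}. */
    private boolean validateNumAssertions() {
        NodeList assertions = this.document.getElementsByTagNameNS(NS_SAML_ASSERTION, "Assertion");
        return assertions != null && assertions.getLength() == 1;
    }

    /**
     * Checks that signatures appear only where expected: at most one directly under the
     * Response and at most one directly under the Assertion, and nowhere else.
     *
     * @param signedElements local names of the Signature parents (see signedElementNames)
     * @return {@code true} when every entry is "Response" or "Assertion", each at most once,
     *         and the list is not empty
     */
    private boolean validateSignedElements(List<String> signedElements) {
        if (signedElements.size() > 2) {
            return false;
        }
        Map<String, Integer> counts = new HashMap<>();
        for (String name : signedElements) {
            // A Signature under any other element (or with no local name) is unexpected; the
            // original only counted Response/Assertion and let other parents through.
            if (!"Response".equals(name) && !"Assertion".equals(name)) {
                return false;
            }
            counts.merge(name, 1, Integer::sum);
        }
        return counts.getOrDefault("Response", 0) <= 1
                && counts.getOrDefault("Assertion", 0) <= 1
                && !counts.isEmpty();
    }

    /**
     * Checks NotBefore / NotOnOrAfter of every Conditions element in the document against the
     * current UTC time, with no clock-skew allowance.
     * NOTE(review): a document with no Conditions element at all passes (original behaviour).
     *
     * @return {@code false} if any Conditions is not yet valid or already expired
     */
    private boolean validateTimestamps() {
        NodeList conditions = this.document.getElementsByTagNameNS("*", "Conditions");
        if (conditions.getLength() == 0) {
            return true;
        }
        Calendar now = Calendar.getInstance(TimeZone.getTimeZone("UTC"));
        log.debug("now :{}:{}:{}", now.get(Calendar.HOUR_OF_DAY), now.get(Calendar.MINUTE), now.get(Calendar.SECOND));
        for (int i = 0; i < conditions.getLength(); i++) {
            NamedNodeMap attributes = conditions.item(i).getAttributes();
            Node notBefore = attributes.getNamedItem("NotBefore");
            Node notOnOrAfter = attributes.getNamedItem("NotOnOrAfter");
            if (notOnOrAfter != null) {
                Calendar expiry = DatatypeConverter.parseDateTime(notOnOrAfter.getNodeValue());
                log.debug("notOnOrAfterDate :{}:{}:{}", expiry.get(Calendar.HOUR_OF_DAY), expiry.get(Calendar.MINUTE), expiry.get(Calendar.SECOND));
                // "NotOnOrAfter": the instant itself is already expired.
                if (!now.before(expiry)) {
                    return false;
                }
            }
            if (notBefore != null) {
                Calendar start = DatatypeConverter.parseDateTime(notBefore.getNodeValue());
                log.debug("notBeforeDate :{}:{}:{}", start.get(Calendar.HOUR_OF_DAY), start.get(Calendar.MINUTE), start.get(Calendar.SECOND));
                if (now.before(start)) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Sets the URL at which this SP received the response (compared against Destination and
     * Recipient).
     *
     * @param str the current endpoint URL
     */
    public void setDestinationUrl(String str) {
        this.currentUrl = str;
    }

    /**
     * Returns the accumulated validation error text, or an empty string if none was recorded.
     *
     * @return concatenated messages of every failed {@link #isValid(String...)} call
     */
    public String getError() {
        return this.error.toString();
    }

    /**
     * Runs an XPath relative to the signed assertion.
     *
     * <p>The base path is chosen from the signature actually present: when the Assertion is
     * signed, the assertion whose ID matches the signature's Reference URI; when the Response is
     * signed, the assertion inside the response whose ID matches; otherwise the first Assertion.
     * The ID taken from the untrusted Reference URI is embedded through
     * {@link #xpathLiteral(String)} so quote characters cannot alter the expression.
     * NOTE(review): the samlp/saml/ds prefixes are assumed to be bound inside Utils.query.
     *
     * @param str XPath suffix relative to the assertion element, e.g. "/saml:Subject/saml:NameID"
     * @return the matching nodes (possibly empty)
     * @throws XPathExpressionException if the expression fails or the Reference URI is not a
     *                                  same-document "#id" reference
     */
    private NodeList queryAssertion(String str) throws XPathExpressionException {
        String base;
        NodeList assertionReference = Utils.query(this.document, "/samlp:Response/saml:Assertion/ds:Signature/ds:SignedInfo/ds:Reference", null);
        if (assertionReference.getLength() > 0) {
            base = "/samlp:Response/saml:Assertion[@ID=" + xpathLiteral(referencedId(assertionReference.item(0))) + "]";
        } else {
            NodeList responseReference = Utils.query(this.document, "/samlp:Response/ds:Signature/ds:SignedInfo/ds:Reference", null);
            if (responseReference.getLength() > 0) {
                base = "/samlp:Response[@ID=" + xpathLiteral(referencedId(responseReference.item(0))) + "]/saml:Assertion";
            } else {
                base = "/samlp:Response/saml:Assertion";
            }
        }
        return Utils.query(this.document, base + str, null);
    }

    /**
     * Returns the element ID named by a {@code ds:Reference}'s URI attribute ("#id" without the
     * leading '#').
     *
     * @throws XPathExpressionException if the URI is absent or is not a same-document reference
     */
    private static String referencedId(Node reference) throws XPathExpressionException {
        Node uri = reference.getAttributes().getNamedItem("URI");
        if (uri == null || !uri.getNodeValue().startsWith("#")) {
            throw new XPathExpressionException("Signature Reference URI is not a same-document reference: " + (uri == null ? null : uri.getNodeValue()));
        }
        return uri.getNodeValue().substring(1);
    }

    /**
     * Quotes a string as an XPath 1.0 literal. XPath has no escape sequence, so a value that
     * contains both quote kinds is built with {@code concat()}.
     *
     * @param value raw string, possibly attacker-controlled
     * @return an XPath expression evaluating to exactly {@code value}
     */
    static String xpathLiteral(String value) {
        if (!value.contains("'")) {
            return "'" + value + "'";
        }
        if (!value.contains("\"")) {
            return "\"" + value + "\"";
        }
        StringBuilder expression = new StringBuilder("concat(");
        String[] parts = value.split("'", -1);
        for (int i = 0; i < parts.length; i++) {
            if (i > 0) {
                expression.append(", \"'\", ");
            }
            expression.append('\'').append(parts[i]).append('\'');
        }
        return expression.append(')').toString();
    }
}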
