package org.springframework.security.saml2.provider.service.authentication;

import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.common.assertion.AssertionValidationException;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.assertion.SAML20AssertionValidator;
import org.opensaml.saml.saml2.assertion.impl.AudienceRestrictionConditionValidator;
import org.opensaml.saml.saml2.assertion.impl.BearerSubjectConfirmationValidator;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.core.EncryptedID;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialSupport;
import org.opensaml.security.credential.impl.CollectionCredentialResolver;
import org.opensaml.xmlsec.config.DefaultSecurityConfigurationBootstrap;
import org.opensaml.xmlsec.encryption.support.DecryptionException;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml2.Saml2Exception;
import org.springframework.security.saml2.credentials.Saml2X509Credential;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

/* loaded from: input_file:org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.class */
public final class OpenSamlAuthenticationProvider implements AuthenticationProvider {
    private static Log logger = LogFactory.getLog(OpenSamlAuthenticationProvider.class);
    private final OpenSamlImplementation saml = OpenSamlImplementation.getInstance();
    private Converter<Assertion, Collection<? extends GrantedAuthority>> authoritiesExtractor = assertion -> {
        return Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER"));
    };
    private GrantedAuthoritiesMapper authoritiesMapper = collection -> {
        return collection;
    };
    private Duration responseTimeValidationSkew = Duration.ofMinutes(5);

    public void setAuthoritiesExtractor(Converter<Assertion, Collection<? extends GrantedAuthority>> converter) {
        Assert.notNull(converter, "authoritiesExtractor cannot be null");
        this.authoritiesExtractor = converter;
    }

    public void setAuthoritiesMapper(GrantedAuthoritiesMapper grantedAuthoritiesMapper) {
        Assert.notNull(grantedAuthoritiesMapper, "authoritiesMapper cannot be null");
        this.authoritiesMapper = grantedAuthoritiesMapper;
    }

    public void setResponseTimeValidationSkew(Duration duration) {
        this.responseTimeValidationSkew = duration;
    }

    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        try {
            Saml2AuthenticationToken saml2AuthenticationToken = (Saml2AuthenticationToken) authentication;
            Assertion validateSaml2Response = validateSaml2Response(saml2AuthenticationToken, saml2AuthenticationToken.getRecipientUri(), getSaml2Response(saml2AuthenticationToken.getSaml2Response()));
            String username = getUsername(saml2AuthenticationToken, validateSaml2Response);
            if (username == null) {
                throw new UsernameNotFoundException("Assertion [" + validateSaml2Response.getID() + "] is missing a user identifier");
            }
            return new Saml2Authentication(() -> {
                return username;
            }, saml2AuthenticationToken.getSaml2Response(), this.authoritiesMapper.mapAuthorities(getAssertionAuthorities(validateSaml2Response)));
        } catch (IllegalArgumentException | Saml2Exception e) {
            throw new AuthenticationServiceException(e.getMessage(), e);
        }
    }

    public boolean supports(Class<?> cls) {
        return cls != null && Saml2AuthenticationToken.class.isAssignableFrom(cls);
    }

    private Collection<? extends GrantedAuthority> getAssertionAuthorities(Assertion assertion) {
        return (Collection) this.authoritiesExtractor.convert(assertion);
    }

    private String getUsername(Saml2AuthenticationToken saml2AuthenticationToken, Assertion assertion) {
        Subject subject = assertion.getSubject();
        if (subject == null) {
            return null;
        }
        if (subject.getNameID() != null) {
            return subject.getNameID().getValue();
        }
        if (subject.getEncryptedID() != null) {
            return decrypt(saml2AuthenticationToken, subject.getEncryptedID()).getValue();
        }
        return null;
    }

    private Assertion validateSaml2Response(Saml2AuthenticationToken saml2AuthenticationToken, String str, Response response) throws AuthenticationException {
        if (StringUtils.hasText(response.getDestination()) && !str.equals(response.getDestination())) {
            throw new Saml2Exception("Invalid SAML response destination: " + response.getDestination());
        }
        String value = response.getIssuer().getValue();
        if (logger.isDebugEnabled()) {
            logger.debug("Processing SAML response from " + value);
        }
        if (saml2AuthenticationToken == null) {
            throw new Saml2Exception(String.format("SAML 2 Provider for %s was not found.", value));
        }
        boolean hasValidSignature = hasValidSignature(response, saml2AuthenticationToken);
        for (Assertion assertion : response.getAssertions()) {
            if (logger.isDebugEnabled()) {
                logger.debug("Checking plain assertion validity " + assertion);
            }
            if (isValidAssertion(str, assertion, saml2AuthenticationToken, !hasValidSignature)) {
                if (logger.isDebugEnabled()) {
                    logger.debug("Found valid assertion. Skipping potential others.");
                }
                return assertion;
            }
        }
        for (EncryptedAssertion encryptedAssertion : response.getEncryptedAssertions()) {
            if (logger.isDebugEnabled()) {
                logger.debug("Checking encrypted assertion validity " + encryptedAssertion);
            }
            Assertion decrypt = decrypt(saml2AuthenticationToken, encryptedAssertion);
            if (isValidAssertion(str, decrypt, saml2AuthenticationToken, false)) {
                if (logger.isDebugEnabled()) {
                    logger.debug("Found valid encrypted assertion. Skipping potential others.");
                }
                return decrypt;
            }
        }
        throw new InsufficientAuthenticationException("Unable to find a valid assertion");
    }

    private boolean hasValidSignature(SignableSAMLObject signableSAMLObject, Saml2AuthenticationToken saml2AuthenticationToken) {
        if (!signableSAMLObject.isSigned()) {
            return false;
        }
        List<X509Certificate> verificationKeys = getVerificationKeys(saml2AuthenticationToken);
        if (verificationKeys.isEmpty()) {
            return false;
        }
        Iterator<X509Certificate> it = verificationKeys.iterator();
        while (it.hasNext()) {
            try {
                SignatureValidator.validate(signableSAMLObject.getSignature(), getVerificationCredential(it.next()));
                return true;
            } catch (SignatureException e) {
                logger.debug("Signature validation failed", e);
            }
        }
        return false;
    }

    private boolean isValidAssertion(String str, Assertion assertion, Saml2AuthenticationToken saml2AuthenticationToken, boolean z) {
        SAML20AssertionValidator assertionValidator = getAssertionValidator(saml2AuthenticationToken);
        HashMap hashMap = new HashMap();
        hashMap.put("saml2.SignatureRequired", false);
        hashMap.put("saml2.ClockSkew", this.responseTimeValidationSkew);
        hashMap.put("saml2.Conditions.ValidAudiences", Collections.singleton(saml2AuthenticationToken.getLocalSpEntityId()));
        if (StringUtils.hasText(str)) {
            hashMap.put("saml2.SubjectConfirmation.ValidRecipients", Collections.singleton(str));
        }
        if (z && !hasValidSignature(assertion, saml2AuthenticationToken)) {
            if (!logger.isDebugEnabled()) {
                return false;
            }
            logger.debug(String.format("Assertion [%s] does not a valid signature.", assertion.getID()));
            return false;
        }
        assertion.setSignature((Signature) null);
        try {
            boolean equals = assertionValidator.validate(assertion, new ValidationContext(hashMap)).equals(ValidationResult.VALID);
            if (!equals && logger.isDebugEnabled()) {
                logger.debug(String.format("Failed to validate assertion from %s with user %s", saml2AuthenticationToken.getIdpEntityId(), getUsername(saml2AuthenticationToken, assertion)));
            }
            return equals;
        } catch (AssertionValidationException e) {
            if (!logger.isDebugEnabled()) {
                return false;
            }
            logger.debug("Failed to validate assertion:", e);
            return false;
        }
    }

    private Response getSaml2Response(String str) throws Saml2Exception, AuthenticationException {
        Response resolve = this.saml.resolve(str);
        if (resolve == null) {
            throw new AuthenticationCredentialsNotFoundException("SAMLResponse returned null object");
        }
        if (resolve instanceof Response) {
            return resolve;
        }
        throw new IllegalArgumentException("Invalid response class:" + resolve.getClass().getName());
    }

    private SAML20AssertionValidator getAssertionValidator(Saml2AuthenticationToken saml2AuthenticationToken) {
        List singletonList = Collections.singletonList(new AudienceRestrictionConditionValidator());
        List singletonList2 = Collections.singletonList(new BearerSubjectConfirmationValidator());
        List emptyList = Collections.emptyList();
        HashSet hashSet = new HashSet();
        Iterator<X509Certificate> it = getVerificationKeys(saml2AuthenticationToken).iterator();
        while (it.hasNext()) {
            hashSet.add(getVerificationCredential(it.next()));
        }
        return new SAML20AssertionValidator(singletonList, singletonList2, emptyList, new ExplicitKeySignatureTrustEngine(new CollectionCredentialResolver(hashSet), DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver()), new SAMLSignatureProfileValidator());
    }

    private Credential getVerificationCredential(X509Certificate x509Certificate) {
        return CredentialSupport.getSimpleCredential(x509Certificate, (PrivateKey) null);
    }

    private Decrypter getDecrypter(Saml2X509Credential saml2X509Credential) {
        Decrypter decrypter = new Decrypter((KeyInfoCredentialResolver) null, new StaticKeyInfoCredentialResolver(CredentialSupport.getSimpleCredential(saml2X509Credential.getCertificate(), saml2X509Credential.getPrivateKey())), this.saml.getEncryptedKeyResolver());
        decrypter.setRootInNewDocument(true);
        return decrypter;
    }

    private Assertion decrypt(Saml2AuthenticationToken saml2AuthenticationToken, EncryptedAssertion encryptedAssertion) {
        Saml2Exception saml2Exception = null;
        List<Saml2X509Credential> decryptionCredentials = getDecryptionCredentials(saml2AuthenticationToken);
        if (decryptionCredentials.isEmpty()) {
            throw new Saml2Exception("No valid decryption credentials found.");
        }
        Iterator<Saml2X509Credential> it = decryptionCredentials.iterator();
        while (it.hasNext()) {
            try {
                return getDecrypter(it.next()).decrypt(encryptedAssertion);
            } catch (DecryptionException e) {
                saml2Exception = new Saml2Exception((Throwable) e);
            }
        }
        throw saml2Exception;
    }

    private NameID decrypt(Saml2AuthenticationToken saml2AuthenticationToken, EncryptedID encryptedID) {
        Saml2Exception saml2Exception = null;
        List<Saml2X509Credential> decryptionCredentials = getDecryptionCredentials(saml2AuthenticationToken);
        if (decryptionCredentials.isEmpty()) {
            throw new Saml2Exception("No valid decryption credentials found.");
        }
        Iterator<Saml2X509Credential> it = decryptionCredentials.iterator();
        while (it.hasNext()) {
            try {
                return getDecrypter(it.next()).decrypt(encryptedID);
            } catch (DecryptionException e) {
                saml2Exception = new Saml2Exception((Throwable) e);
            }
        }
        throw saml2Exception;
    }

    private List<Saml2X509Credential> getDecryptionCredentials(Saml2AuthenticationToken saml2AuthenticationToken) {
        LinkedList linkedList = new LinkedList();
        for (Saml2X509Credential saml2X509Credential : saml2AuthenticationToken.getX509Credentials()) {
            if (saml2X509Credential.isDecryptionCredential()) {
                linkedList.add(saml2X509Credential);
            }
        }
        return linkedList;
    }

    private List<X509Certificate> getVerificationKeys(Saml2AuthenticationToken saml2AuthenticationToken) {
        LinkedList linkedList = new LinkedList();
        for (Saml2X509Credential saml2X509Credential : saml2AuthenticationToken.getX509Credentials()) {
            if (saml2X509Credential.isSignatureVerficationCredential()) {
                linkedList.add(saml2X509Credential.getCertificate());
            }
        }
        return linkedList;
    }
}
