package org.springframework.security.saml2.provider.service.authentication;

import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.common.assertion.AssertionValidationException;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.assertion.SAML20AssertionValidator;
import org.opensaml.saml.saml2.assertion.impl.AudienceRestrictionConditionValidator;
import org.opensaml.saml.saml2.assertion.impl.BearerSubjectConfirmationValidator;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.core.EncryptedID;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialSupport;
import org.opensaml.security.credential.impl.CollectionCredentialResolver;
import org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap;
import org.opensaml.xmlsec.encryption.support.DecryptionException;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.saml2.Saml2Exception;
import org.springframework.security.saml2.credentials.Saml2X509Credential;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

/* loaded from: input_file:org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.class */
public final class OpenSamlAuthenticationProvider implements AuthenticationProvider {
    private static Log logger = LogFactory.getLog(OpenSamlAuthenticationProvider.class);
    private final OpenSamlImplementation saml = OpenSamlImplementation.getInstance();
    private Converter<Assertion, Collection<? extends GrantedAuthority>> authoritiesExtractor = assertion -> {
        return Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER"));
    };
    private GrantedAuthoritiesMapper authoritiesMapper = collection -> {
        return collection;
    };
    private Duration responseTimeValidationSkew = Duration.ofMinutes(5);

    public void setAuthoritiesExtractor(Converter<Assertion, Collection<? extends GrantedAuthority>> converter) {
        Assert.notNull(converter, "authoritiesExtractor cannot be null");
        this.authoritiesExtractor = converter;
    }

    public void setAuthoritiesMapper(GrantedAuthoritiesMapper grantedAuthoritiesMapper) {
        Assert.notNull(grantedAuthoritiesMapper, "authoritiesMapper cannot be null");
        this.authoritiesMapper = grantedAuthoritiesMapper;
    }

    public void setResponseTimeValidationSkew(Duration duration) {
        this.responseTimeValidationSkew = duration;
    }

    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        try {
            Saml2AuthenticationToken saml2AuthenticationToken = (Saml2AuthenticationToken) authentication;
            Assertion validateSaml2Response = validateSaml2Response(saml2AuthenticationToken, saml2AuthenticationToken.getRecipientUri(), getSaml2Response(saml2AuthenticationToken));
            return new Saml2Authentication(new SimpleSaml2AuthenticatedPrincipal(getUsername(saml2AuthenticationToken, validateSaml2Response)), saml2AuthenticationToken.getSaml2Response(), this.authoritiesMapper.mapAuthorities(getAssertionAuthorities(validateSaml2Response)));
        } catch (Exception e) {
            throw authException(Saml2ErrorCodes.INTERNAL_VALIDATION_ERROR, e.getMessage(), e);
        } catch (Saml2AuthenticationException e2) {
            throw e2;
        }
    }

    public boolean supports(Class<?> cls) {
        return cls != null && Saml2AuthenticationToken.class.isAssignableFrom(cls);
    }

    private Collection<? extends GrantedAuthority> getAssertionAuthorities(Assertion assertion) {
        return (Collection) this.authoritiesExtractor.convert(assertion);
    }

    private String getUsername(Saml2AuthenticationToken saml2AuthenticationToken, Assertion assertion) throws Saml2AuthenticationException {
        String str = null;
        Subject subject = assertion.getSubject();
        if (subject == null) {
            throw authException(Saml2ErrorCodes.SUBJECT_NOT_FOUND, "Assertion [" + assertion.getID() + "] is missing a subject");
        }
        if (subject.getNameID() != null) {
            str = subject.getNameID().getValue();
        } else if (subject.getEncryptedID() != null) {
            str = decrypt(saml2AuthenticationToken, subject.getEncryptedID()).getValue();
        }
        if (str == null) {
            throw authException(Saml2ErrorCodes.USERNAME_NOT_FOUND, "Assertion [" + assertion.getID() + "] is missing a user identifier");
        }
        return str;
    }

    private Assertion validateSaml2Response(Saml2AuthenticationToken saml2AuthenticationToken, String str, Response response) throws Saml2AuthenticationException {
        if (StringUtils.hasText(response.getDestination()) && !str.equals(response.getDestination())) {
            throw authException(Saml2ErrorCodes.INVALID_DESTINATION, "Invalid SAML response destination: " + response.getDestination());
        }
        String value = response.getIssuer().getValue();
        if (logger.isDebugEnabled()) {
            logger.debug("Validating SAML response from " + value);
        }
        if (!StringUtils.hasText(value) || !value.equals(saml2AuthenticationToken.getIdpEntityId())) {
            throw authException(Saml2ErrorCodes.INVALID_ISSUER, String.format("Response issuer '%s' doesn't match '%s'", value, saml2AuthenticationToken.getIdpEntityId()));
        }
        AuthenticationException authenticationException = null;
        boolean hasValidSignature = hasValidSignature(response, saml2AuthenticationToken);
        for (Assertion assertion : response.getAssertions()) {
            if (logger.isDebugEnabled()) {
                logger.debug("Checking plain assertion validity " + assertion);
            }
            try {
                validateAssertion(str, assertion, saml2AuthenticationToken, !hasValidSignature);
                return assertion;
            } catch (Saml2AuthenticationException e) {
                authenticationException = e;
            }
        }
        for (EncryptedAssertion encryptedAssertion : response.getEncryptedAssertions()) {
            if (logger.isDebugEnabled()) {
                logger.debug("Checking encrypted assertion validity " + encryptedAssertion);
            }
            try {
                Assertion decrypt = decrypt(saml2AuthenticationToken, encryptedAssertion);
                validateAssertion(str, decrypt, saml2AuthenticationToken, !hasValidSignature);
                return decrypt;
            } catch (Saml2AuthenticationException e2) {
                authenticationException = e2;
            }
        }
        if (authenticationException != null) {
            throw authenticationException;
        }
        throw authException(Saml2ErrorCodes.MALFORMED_RESPONSE_DATA, "No assertions found in response.");
    }

    private boolean hasValidSignature(SignableSAMLObject signableSAMLObject, Saml2AuthenticationToken saml2AuthenticationToken) {
        if (!signableSAMLObject.isSigned()) {
            if (!logger.isDebugEnabled()) {
                return false;
            }
            logger.debug("SAML object is not signed, no signatures found");
            return false;
        }
        List<X509Certificate> verificationCertificates = getVerificationCertificates(saml2AuthenticationToken);
        if (verificationCertificates.isEmpty()) {
            return false;
        }
        for (X509Certificate x509Certificate : verificationCertificates) {
            try {
                SignatureValidator.validate(signableSAMLObject.getSignature(), getVerificationCredential(x509Certificate));
                if (!logger.isDebugEnabled()) {
                    return true;
                }
                logger.debug("Valid signature found in SAML object:" + signableSAMLObject.getClass().getName());
                return true;
            } catch (SignatureException e) {
                if (logger.isTraceEnabled()) {
                    logger.trace("Signature validation failed with cert:" + x509Certificate.toString(), e);
                } else if (logger.isDebugEnabled()) {
                    logger.debug("Signature validation failed with cert:" + x509Certificate.toString());
                }
            }
        }
        return false;
    }

    private void validateAssertion(String str, Assertion assertion, Saml2AuthenticationToken saml2AuthenticationToken, boolean z) {
        SAML20AssertionValidator assertionValidator = getAssertionValidator(saml2AuthenticationToken);
        HashMap hashMap = new HashMap();
        hashMap.put("saml2.SignatureRequired", false);
        hashMap.put("saml2.ClockSkew", Long.valueOf(this.responseTimeValidationSkew.toMillis()));
        hashMap.put("saml2.Conditions.ValidAudiences", Collections.singleton(saml2AuthenticationToken.getLocalSpEntityId()));
        if (StringUtils.hasText(str)) {
            hashMap.put("saml2.SubjectConfirmation.ValidRecipients", Collections.singleton(str));
        }
        if (z && !hasValidSignature(assertion, saml2AuthenticationToken)) {
            if (logger.isDebugEnabled()) {
                logger.debug(String.format("Assertion [%s] does not a valid signature.", assertion.getID()));
            }
            throw authException(Saml2ErrorCodes.INVALID_SIGNATURE, "Assertion doesn't have a valid signature.");
        }
        assertion.setSignature((Signature) null);
        if (assertion.getSubject() != null) {
            for (SubjectConfirmation subjectConfirmation : assertion.getSubject().getSubjectConfirmations()) {
                if (subjectConfirmation.getSubjectConfirmationData() != null) {
                    subjectConfirmation.getSubjectConfirmationData().setAddress((String) null);
                }
            }
        }
        ValidationContext validationContext = new ValidationContext(hashMap);
        try {
            if (assertionValidator.validate(assertion, validationContext).equals(ValidationResult.VALID)) {
                return;
            }
            if (logger.isDebugEnabled()) {
                logger.debug(String.format("Failed to validate assertion from %s", saml2AuthenticationToken.getIdpEntityId()));
            }
            throw authException(Saml2ErrorCodes.INVALID_ASSERTION, validationContext.getValidationFailureMessage());
        } catch (AssertionValidationException e) {
            if (logger.isDebugEnabled()) {
                logger.debug("Failed to validate assertion:", e);
            }
            throw authException(Saml2ErrorCodes.INTERNAL_VALIDATION_ERROR, e.getMessage(), e);
        }
    }

    private Response getSaml2Response(Saml2AuthenticationToken saml2AuthenticationToken) throws Saml2Exception, Saml2AuthenticationException {
        try {
            Response resolve = this.saml.resolve(saml2AuthenticationToken.getSaml2Response());
            if (resolve instanceof Response) {
                return resolve;
            }
            throw authException(Saml2ErrorCodes.UNKNOWN_RESPONSE_CLASS, "Invalid response class:" + resolve.getClass().getName());
        } catch (Saml2Exception e) {
            throw authException(Saml2ErrorCodes.MALFORMED_RESPONSE_DATA, e.getMessage(), e);
        }
    }

    private Saml2Error validationError(String str, String str2) {
        return new Saml2Error(str, str2);
    }

    private Saml2AuthenticationException authException(String str, String str2) throws Saml2AuthenticationException {
        return new Saml2AuthenticationException(validationError(str, str2));
    }

    private Saml2AuthenticationException authException(String str, String str2, Exception exc) throws Saml2AuthenticationException {
        return new Saml2AuthenticationException(validationError(str, str2), exc);
    }

    private SAML20AssertionValidator getAssertionValidator(Saml2AuthenticationToken saml2AuthenticationToken) {
        List singletonList = Collections.singletonList(new AudienceRestrictionConditionValidator());
        List singletonList2 = Collections.singletonList(new BearerSubjectConfirmationValidator());
        List emptyList = Collections.emptyList();
        HashSet hashSet = new HashSet();
        Iterator<X509Certificate> it = getVerificationCertificates(saml2AuthenticationToken).iterator();
        while (it.hasNext()) {
            hashSet.add(getVerificationCredential(it.next()));
        }
        return new SAML20AssertionValidator(singletonList, singletonList2, emptyList, new ExplicitKeySignatureTrustEngine(new CollectionCredentialResolver(hashSet), DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver()), new SAMLSignatureProfileValidator());
    }

    private Credential getVerificationCredential(X509Certificate x509Certificate) {
        return CredentialSupport.getSimpleCredential(x509Certificate, (PrivateKey) null);
    }

    private Decrypter getDecrypter(Saml2X509Credential saml2X509Credential) {
        Decrypter decrypter = new Decrypter((KeyInfoCredentialResolver) null, new StaticKeyInfoCredentialResolver(CredentialSupport.getSimpleCredential(saml2X509Credential.getCertificate(), saml2X509Credential.getPrivateKey())), this.saml.getEncryptedKeyResolver());
        decrypter.setRootInNewDocument(true);
        return decrypter;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v9, types: [java.lang.Throwable] */
    private Assertion decrypt(Saml2AuthenticationToken saml2AuthenticationToken, EncryptedAssertion encryptedAssertion) throws Saml2AuthenticationException {
        Saml2AuthenticationException saml2AuthenticationException = null;
        List<Saml2X509Credential> decryptionCredentials = getDecryptionCredentials(saml2AuthenticationToken);
        if (decryptionCredentials.isEmpty()) {
            throw authException(Saml2ErrorCodes.DECRYPTION_ERROR, "No valid decryption credentials found.");
        }
        Iterator<Saml2X509Credential> it = decryptionCredentials.iterator();
        while (it.hasNext()) {
            try {
                return getDecrypter(it.next()).decrypt(encryptedAssertion);
            } catch (DecryptionException e) {
                saml2AuthenticationException = authException(Saml2ErrorCodes.DECRYPTION_ERROR, e.getMessage(), e);
            }
        }
        throw saml2AuthenticationException;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v9, types: [java.lang.Throwable] */
    private NameID decrypt(Saml2AuthenticationToken saml2AuthenticationToken, EncryptedID encryptedID) throws Saml2AuthenticationException {
        Saml2AuthenticationException saml2AuthenticationException = null;
        List<Saml2X509Credential> decryptionCredentials = getDecryptionCredentials(saml2AuthenticationToken);
        if (decryptionCredentials.isEmpty()) {
            throw authException(Saml2ErrorCodes.DECRYPTION_ERROR, "No valid decryption credentials found.");
        }
        Iterator<Saml2X509Credential> it = decryptionCredentials.iterator();
        while (it.hasNext()) {
            try {
                return getDecrypter(it.next()).decrypt(encryptedID);
            } catch (DecryptionException e) {
                saml2AuthenticationException = authException(Saml2ErrorCodes.DECRYPTION_ERROR, e.getMessage(), e);
            }
        }
        throw saml2AuthenticationException;
    }

    private List<Saml2X509Credential> getDecryptionCredentials(Saml2AuthenticationToken saml2AuthenticationToken) {
        LinkedList linkedList = new LinkedList();
        for (Saml2X509Credential saml2X509Credential : saml2AuthenticationToken.getX509Credentials()) {
            if (saml2X509Credential.isDecryptionCredential()) {
                linkedList.add(saml2X509Credential);
            }
        }
        return linkedList;
    }

    private List<X509Certificate> getVerificationCertificates(Saml2AuthenticationToken saml2AuthenticationToken) {
        LinkedList linkedList = new LinkedList();
        for (Saml2X509Credential saml2X509Credential : saml2AuthenticationToken.getX509Credentials()) {
            if (saml2X509Credential.isSignatureVerficationCredential()) {
                linkedList.add(saml2X509Credential.getCertificate());
            }
        }
        return linkedList;
    }
}
