package org.springframework.security.saml2.provider.service.authentication;

import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Consumer;
import javax.annotation.Nonnull;
import javax.xml.namespace.QName;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.xml.ParserPool;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.joda.time.DateTime;
import org.opensaml.core.config.ConfigurationService;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.config.XMLObjectProviderRegistry;
import org.opensaml.core.xml.schema.XSAny;
import org.opensaml.core.xml.schema.XSBoolean;
import org.opensaml.core.xml.schema.XSBooleanValue;
import org.opensaml.core.xml.schema.XSDateTime;
import org.opensaml.core.xml.schema.XSInteger;
import org.opensaml.core.xml.schema.XSString;
import org.opensaml.core.xml.schema.XSURI;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.criterion.ProtocolCriterion;
import org.opensaml.saml.metadata.criteria.role.impl.EvaluableProtocolRoleDescriptorCriterion;
import org.opensaml.saml.saml2.assertion.ConditionValidator;
import org.opensaml.saml.saml2.assertion.SAML20AssertionValidator;
import org.opensaml.saml.saml2.assertion.StatementValidator;
import org.opensaml.saml.saml2.assertion.SubjectConfirmationValidator;
import org.opensaml.saml.saml2.assertion.impl.AudienceRestrictionConditionValidator;
import org.opensaml.saml.saml2.assertion.impl.BearerSubjectConfirmationValidator;
import org.opensaml.saml.saml2.assertion.impl.DelegationRestrictionConditionValidator;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml.saml2.core.Condition;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.core.EncryptedAttribute;
import org.opensaml.saml.saml2.core.OneTimeUse;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.saml2.core.impl.ResponseUnmarshaller;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.saml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.CredentialSupport;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.credential.criteria.impl.EvaluableEntityIDCredentialCriterion;
import org.opensaml.security.credential.criteria.impl.EvaluableUsageCredentialCriterion;
import org.opensaml.security.credential.impl.CollectionCredentialResolver;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap;
import org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver;
import org.opensaml.xmlsec.encryption.support.EncryptedKeyResolver;
import org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver;
import org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyResolver;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.CollectionKeyInfoCredentialResolver;
import org.opensaml.xmlsec.signature.support.SignaturePrevalidator;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;
import org.springframework.core.convert.converter.Converter;
import org.springframework.core.log.LogMessage;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.saml2.Saml2Exception;
import org.springframework.security.saml2.core.OpenSamlInitializationService;
import org.springframework.security.saml2.core.Saml2ResponseValidatorResult;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;
import org.springframework.util.StringUtils;

/* loaded from: input_file:org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.class */
public final class OpenSamlAuthenticationProvider implements AuthenticationProvider {
    private static Log logger;
    private Converter<Assertion, Collection<? extends GrantedAuthority>> authoritiesExtractor = assertion -> {
        return Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER"));
    };
    private GrantedAuthoritiesMapper authoritiesMapper = collection -> {
        return collection;
    };
    private Duration responseTimeValidationSkew = Duration.ofMinutes(5);
    private Converter<ResponseToken, Saml2ResponseValidatorResult> responseSignatureValidator = createDefaultResponseSignatureValidator();
    private Consumer<ResponseToken> responseElementsDecrypter = createDefaultResponseElementsDecrypter();
    private Converter<ResponseToken, Saml2ResponseValidatorResult> responseValidator = createDefaultResponseValidator();
    private Converter<AssertionToken, Saml2ResponseValidatorResult> assertionSignatureValidator = createDefaultAssertionSignatureValidator();
    private Consumer<AssertionToken> assertionElementsDecrypter = createDefaultAssertionElementsDecrypter();
    private Converter<AssertionToken, Saml2ResponseValidatorResult> assertionValidator = createCompatibleAssertionValidator();
    private Converter<ResponseToken, ? extends AbstractAuthenticationToken> responseAuthenticationConverter = createCompatibleResponseAuthenticationConverter();
    private Converter<Saml2AuthenticationToken, SignatureTrustEngine> signatureTrustEngineConverter = new SignatureTrustEngineConverter();
    private Converter<Saml2AuthenticationToken, Decrypter> decrypterConverter = new DecrypterConverter();
    private final XMLObjectProviderRegistry registry = (XMLObjectProviderRegistry) ConfigurationService.get(XMLObjectProviderRegistry.class);
    private final ResponseUnmarshaller responseUnmarshaller = this.registry.getUnmarshallerFactory().getUnmarshaller(Response.DEFAULT_ELEMENT_NAME);
    private final ParserPool parserPool = this.registry.getParserPool();

    /* loaded from: input_file:org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider$AssertionToken.class */
    public static class AssertionToken {
        private final Saml2AuthenticationToken token;
        private final Assertion assertion;

        AssertionToken(Assertion assertion, Saml2AuthenticationToken saml2AuthenticationToken) {
            this.token = saml2AuthenticationToken;
            this.assertion = assertion;
        }

        public Assertion getAssertion() {
            return this.assertion;
        }

        public Saml2AuthenticationToken getToken() {
            return this.token;
        }
    }

    /* loaded from: input_file:org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider$DecrypterConverter.class */
    private static class DecrypterConverter implements Converter<Saml2AuthenticationToken, Decrypter> {
        private final EncryptedKeyResolver encryptedKeyResolver;

        private DecrypterConverter() {
            this.encryptedKeyResolver = new ChainingEncryptedKeyResolver(Arrays.asList(new InlineEncryptedKeyResolver(), new EncryptedElementTypeEncryptedKeyResolver(), new SimpleRetrievalMethodEncryptedKeyResolver()));
        }

        public Decrypter convert(Saml2AuthenticationToken saml2AuthenticationToken) {
            ArrayList arrayList = new ArrayList();
            for (Saml2X509Credential saml2X509Credential : saml2AuthenticationToken.getRelyingPartyRegistration().getDecryptionX509Credentials()) {
                arrayList.add(CredentialSupport.getSimpleCredential(saml2X509Credential.getCertificate(), saml2X509Credential.getPrivateKey()));
            }
            Decrypter decrypter = new Decrypter((KeyInfoCredentialResolver) null, new CollectionKeyInfoCredentialResolver(arrayList), this.encryptedKeyResolver);
            decrypter.setRootInNewDocument(true);
            return decrypter;
        }
    }

    /* loaded from: input_file:org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider$ResponseToken.class */
    public static class ResponseToken {
        private final Saml2AuthenticationToken token;
        private final Response response;

        ResponseToken(Response response, Saml2AuthenticationToken saml2AuthenticationToken) {
            this.token = saml2AuthenticationToken;
            this.response = response;
        }

        public Response getResponse() {
            return this.response;
        }

        public Saml2AuthenticationToken getToken() {
            return this.token;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider$SAML20AssertionValidators.class */
    public static class SAML20AssertionValidators {
        private static final Collection<ConditionValidator> conditions = new ArrayList();
        private static final Collection<SubjectConfirmationValidator> subjects = new ArrayList();
        private static final Collection<StatementValidator> statements = new ArrayList();
        private static final SignaturePrevalidator validator = new SAMLSignatureProfileValidator();
        private static final SAML20AssertionValidator attributeValidator;

        private SAML20AssertionValidators() {
        }

        static SAML20AssertionValidator createSignatureValidator(SignatureTrustEngine signatureTrustEngine) {
            return new SAML20AssertionValidator(new ArrayList(), new ArrayList(), new ArrayList(), signatureTrustEngine, validator) { // from class: org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.SAML20AssertionValidators.4
                @Nonnull
                protected ValidationResult validateConditions(Assertion assertion, ValidationContext validationContext) {
                    return ValidationResult.VALID;
                }

                @Nonnull
                protected ValidationResult validateSubjectConfirmation(Assertion assertion, ValidationContext validationContext) {
                    return ValidationResult.VALID;
                }

                @Nonnull
                protected ValidationResult validateStatements(Assertion assertion, ValidationContext validationContext) {
                    return ValidationResult.VALID;
                }
            };
        }

        static {
            conditions.add(new AudienceRestrictionConditionValidator());
            conditions.add(new DelegationRestrictionConditionValidator());
            conditions.add(new ConditionValidator() { // from class: org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.SAML20AssertionValidators.1
                @Nonnull
                public QName getServicedCondition() {
                    return OneTimeUse.DEFAULT_ELEMENT_NAME;
                }

                @Nonnull
                public ValidationResult validate(Condition condition, Assertion assertion, ValidationContext validationContext) {
                    return ValidationResult.VALID;
                }
            });
            subjects.add(new BearerSubjectConfirmationValidator() { // from class: org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.SAML20AssertionValidators.2
                @Nonnull
                protected ValidationResult validateAddress(@Nonnull SubjectConfirmation subjectConfirmation, @Nonnull Assertion assertion, @Nonnull ValidationContext validationContext) {
                    return ValidationResult.VALID;
                }
            });
            attributeValidator = new SAML20AssertionValidator(conditions, subjects, statements, null, null) { // from class: org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.SAML20AssertionValidators.3
                @Nonnull
                protected ValidationResult validateSignature(Assertion assertion, ValidationContext validationContext) {
                    return ValidationResult.VALID;
                }
            };
        }
    }

    /* loaded from: input_file:org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider$SignatureTrustEngineConverter.class */
    private static class SignatureTrustEngineConverter implements Converter<Saml2AuthenticationToken, SignatureTrustEngine> {
        private SignatureTrustEngineConverter() {
        }

        public SignatureTrustEngine convert(Saml2AuthenticationToken saml2AuthenticationToken) {
            HashSet hashSet = new HashSet();
            Iterator<Saml2X509Credential> it = saml2AuthenticationToken.getRelyingPartyRegistration().getAssertingPartyDetails().getVerificationX509Credentials().iterator();
            while (it.hasNext()) {
                BasicX509Credential basicX509Credential = new BasicX509Credential(it.next().getCertificate());
                basicX509Credential.setUsageType(UsageType.SIGNING);
                basicX509Credential.setEntityId(saml2AuthenticationToken.getRelyingPartyRegistration().getAssertingPartyDetails().getEntityId());
                hashSet.add(basicX509Credential);
            }
            return new ExplicitKeySignatureTrustEngine(new CollectionCredentialResolver(hashSet), DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());
        }
    }

    public void setResponseElementsDecrypter(Consumer<ResponseToken> consumer) {
        Assert.notNull(consumer, "responseElementsDecrypter cannot be null");
        this.responseElementsDecrypter = consumer;
    }

    public void setAssertionValidator(Converter<AssertionToken, Saml2ResponseValidatorResult> converter) {
        Assert.notNull(converter, "assertionValidator cannot be null");
        this.assertionValidator = converter;
    }

    public void setAssertionElementsDecrypter(Consumer<AssertionToken> consumer) {
        Assert.notNull(consumer, "assertionDecrypter cannot be null");
        this.assertionElementsDecrypter = consumer;
    }

    public void setResponseAuthenticationConverter(Converter<ResponseToken, ? extends AbstractAuthenticationToken> converter) {
        Assert.notNull(converter, "responseAuthenticationConverter cannot be null");
        this.responseAuthenticationConverter = converter;
    }

    public void setAuthoritiesExtractor(Converter<Assertion, Collection<? extends GrantedAuthority>> converter) {
        Assert.notNull(converter, "authoritiesExtractor cannot be null");
        this.authoritiesExtractor = converter;
    }

    public void setAuthoritiesMapper(GrantedAuthoritiesMapper grantedAuthoritiesMapper) {
        Assert.notNull(grantedAuthoritiesMapper, "authoritiesMapper cannot be null");
        this.authoritiesMapper = grantedAuthoritiesMapper;
    }

    public void setResponseTimeValidationSkew(Duration duration) {
        this.responseTimeValidationSkew = duration;
    }

    public static Converter<AssertionToken, Saml2ResponseValidatorResult> createDefaultAssertionValidator() {
        return createAssertionValidator("invalid_assertion", assertionToken -> {
            return SAML20AssertionValidators.attributeValidator;
        }, assertionToken2 -> {
            return createValidationContext(assertionToken2, map -> {
            });
        });
    }

    public static Converter<AssertionToken, Saml2ResponseValidatorResult> createDefaultAssertionValidator(Converter<AssertionToken, ValidationContext> converter) {
        return createAssertionValidator("invalid_assertion", assertionToken -> {
            return SAML20AssertionValidators.attributeValidator;
        }, converter);
    }

    public static Converter<ResponseToken, Saml2Authentication> createDefaultResponseAuthenticationConverter() {
        return responseToken -> {
            Saml2AuthenticationToken saml2AuthenticationToken = responseToken.token;
            Assertion assertion = (Assertion) CollectionUtils.firstElement(responseToken.response.getAssertions());
            return new Saml2Authentication(new DefaultSaml2AuthenticatedPrincipal(assertion.getSubject().getNameID().getValue(), getAssertionAttributes(assertion)), saml2AuthenticationToken.getSaml2Response(), Collections.singleton(new SimpleGrantedAuthority("ROLE_USER")));
        };
    }

    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        try {
            Saml2AuthenticationToken saml2AuthenticationToken = (Saml2AuthenticationToken) authentication;
            Response parse = parse(saml2AuthenticationToken.getSaml2Response());
            process(saml2AuthenticationToken, parse);
            return (Authentication) this.responseAuthenticationConverter.convert(new ResponseToken(parse, saml2AuthenticationToken));
        } catch (Exception e) {
            throw createAuthenticationException("internal_validation_error", e.getMessage(), e);
        } catch (Saml2AuthenticationException e2) {
            throw e2;
        }
    }

    public boolean supports(Class<?> cls) {
        return cls != null && Saml2AuthenticationToken.class.isAssignableFrom(cls);
    }

    private Response parse(String str) throws Saml2Exception, Saml2AuthenticationException {
        try {
            return this.responseUnmarshaller.unmarshall(this.parserPool.parse(new ByteArrayInputStream(str.getBytes(StandardCharsets.UTF_8))).getDocumentElement());
        } catch (Exception e) {
            throw createAuthenticationException("malformed_response_data", e.getMessage(), e);
        }
    }

    private void process(Saml2AuthenticationToken saml2AuthenticationToken, Response response) {
        logger.debug(LogMessage.format("Processing SAML response from %s", response.getIssuer().getValue()));
        boolean isSigned = response.isSigned();
        ResponseToken responseToken = new ResponseToken(response, saml2AuthenticationToken);
        Saml2ResponseValidatorResult saml2ResponseValidatorResult = (Saml2ResponseValidatorResult) this.responseSignatureValidator.convert(responseToken);
        if (isSigned) {
            this.responseElementsDecrypter.accept(responseToken);
        }
        Saml2ResponseValidatorResult concat = saml2ResponseValidatorResult.concat((Saml2ResponseValidatorResult) this.responseValidator.convert(responseToken));
        boolean z = true;
        for (Assertion assertion : response.getAssertions()) {
            AssertionToken assertionToken = new AssertionToken(assertion, saml2AuthenticationToken);
            Saml2ResponseValidatorResult concat2 = concat.concat((Saml2ResponseValidatorResult) this.assertionSignatureValidator.convert(assertionToken));
            z = z && assertion.isSigned();
            if (isSigned || assertion.isSigned()) {
                this.assertionElementsDecrypter.accept(new AssertionToken(assertion, saml2AuthenticationToken));
            }
            concat = concat2.concat((Saml2ResponseValidatorResult) this.assertionValidator.convert(assertionToken));
        }
        if (!isSigned && !z) {
            throw createAuthenticationException("invalid_signature", "Either the response or one of the assertions is unsigned. Please either sign the response or all of the assertions.", null);
        }
        Assertion assertion2 = (Assertion) CollectionUtils.firstElement(response.getAssertions());
        if (!hasName(assertion2)) {
            concat = concat.concat(new org.springframework.security.saml2.core.Saml2Error("subject_not_found", "Assertion [" + assertion2.getID() + "] is missing a subject"));
        }
        if (concat.hasErrors()) {
            Collection<org.springframework.security.saml2.core.Saml2Error> errors = concat.getErrors();
            if (logger.isTraceEnabled()) {
                logger.debug("Found " + errors.size() + " validation errors in SAML response [" + response.getID() + "]: " + errors);
            } else if (logger.isDebugEnabled()) {
                logger.debug("Found " + errors.size() + " validation errors in SAML response [" + response.getID() + "]");
            }
            org.springframework.security.saml2.core.Saml2Error next = errors.iterator().next();
            throw createAuthenticationException(next.getErrorCode(), next.getDescription(), null);
        }
        if (logger.isDebugEnabled()) {
            logger.debug("Successfully processed SAML Response [" + response.getID() + "]");
        }
    }

    private Converter<ResponseToken, Saml2ResponseValidatorResult> createDefaultResponseSignatureValidator() {
        return responseToken -> {
            Response response = responseToken.getResponse();
            Saml2AuthenticationToken token = responseToken.getToken();
            ArrayList arrayList = new ArrayList();
            String value = response.getIssuer().getValue();
            if (response.isSigned()) {
                try {
                    new SAMLSignatureProfileValidator().validate(response.getSignature());
                } catch (Exception e) {
                    arrayList.add(new org.springframework.security.saml2.core.Saml2Error("invalid_signature", "Invalid signature for SAML Response [" + response.getID() + "]: "));
                }
                try {
                    CriteriaSet criteriaSet = new CriteriaSet();
                    criteriaSet.add(new EvaluableEntityIDCredentialCriterion(new EntityIdCriterion(value)));
                    criteriaSet.add(new EvaluableProtocolRoleDescriptorCriterion(new ProtocolCriterion("urn:oasis:names:tc:SAML:2.0:protocol")));
                    criteriaSet.add(new EvaluableUsageCredentialCriterion(new UsageCriterion(UsageType.SIGNING)));
                    if (!((SignatureTrustEngine) this.signatureTrustEngineConverter.convert(token)).validate(response.getSignature(), criteriaSet)) {
                        arrayList.add(new org.springframework.security.saml2.core.Saml2Error("invalid_signature", "Invalid signature for SAML Response [" + response.getID() + "]"));
                    }
                } catch (Exception e2) {
                    arrayList.add(new org.springframework.security.saml2.core.Saml2Error("invalid_signature", "Invalid signature for SAML Response [" + response.getID() + "]: "));
                }
            }
            return Saml2ResponseValidatorResult.failure(arrayList);
        };
    }

    private Consumer<ResponseToken> createDefaultResponseElementsDecrypter() {
        return responseToken -> {
            Decrypter decrypter = (Decrypter) this.decrypterConverter.convert(responseToken.getToken());
            Response response = responseToken.getResponse();
            Iterator it = responseToken.getResponse().getEncryptedAssertions().iterator();
            while (it.hasNext()) {
                try {
                    response.getAssertions().add(decrypter.decrypt((EncryptedAssertion) it.next()));
                } catch (Exception e) {
                    throw createAuthenticationException("decryption_error", e.getMessage(), e);
                }
            }
        };
    }

    private Converter<ResponseToken, Saml2ResponseValidatorResult> createDefaultResponseValidator() {
        return responseToken -> {
            Response response = responseToken.getResponse();
            Saml2AuthenticationToken token = responseToken.getToken();
            Saml2ResponseValidatorResult success = Saml2ResponseValidatorResult.success();
            String statusCode = getStatusCode(response);
            if (!"urn:oasis:names:tc:SAML:2.0:status:Success".equals(statusCode)) {
                success = success.concat(new org.springframework.security.saml2.core.Saml2Error(org.springframework.security.saml2.core.Saml2ErrorCodes.INVALID_RESPONSE, String.format("Invalid status [%s] for SAML response [%s]", statusCode, response.getID())));
            }
            String value = response.getIssuer().getValue();
            String destination = response.getDestination();
            String assertionConsumerServiceLocation = token.getRelyingPartyRegistration().getAssertionConsumerServiceLocation();
            if (StringUtils.hasText(destination) && !destination.equals(assertionConsumerServiceLocation)) {
                success = success.concat(new org.springframework.security.saml2.core.Saml2Error("invalid_destination", "Invalid destination [" + destination + "] for SAML response [" + response.getID() + "]"));
            }
            String entityId = token.getRelyingPartyRegistration().getAssertingPartyDetails().getEntityId();
            if (!StringUtils.hasText(value) || !value.equals(entityId)) {
                success = success.concat(new org.springframework.security.saml2.core.Saml2Error("invalid_issuer", String.format("Invalid issuer [%s] for SAML response [%s]", value, response.getID())));
            }
            if (response.getAssertions().isEmpty()) {
                throw createAuthenticationException("malformed_response_data", "No assertions found in response.", null);
            }
            return success;
        };
    }

    private String getStatusCode(Response response) {
        return (response.getStatus() == null || response.getStatus().getStatusCode() == null) ? "urn:oasis:names:tc:SAML:2.0:status:Success" : response.getStatus().getStatusCode().getValue();
    }

    private Converter<AssertionToken, Saml2ResponseValidatorResult> createDefaultAssertionSignatureValidator() {
        return createAssertionValidator("invalid_signature", assertionToken -> {
            return SAML20AssertionValidators.createSignatureValidator((SignatureTrustEngine) this.signatureTrustEngineConverter.convert(assertionToken.token));
        }, assertionToken2 -> {
            return new ValidationContext(Collections.singletonMap("saml2.SignatureRequired", false));
        });
    }

    private Consumer<AssertionToken> createDefaultAssertionElementsDecrypter() {
        return assertionToken -> {
            Decrypter decrypter = (Decrypter) this.decrypterConverter.convert(assertionToken.getToken());
            Assertion assertion = assertionToken.getAssertion();
            for (AttributeStatement attributeStatement : assertion.getAttributeStatements()) {
                Iterator it = attributeStatement.getEncryptedAttributes().iterator();
                while (it.hasNext()) {
                    try {
                        attributeStatement.getAttributes().add(decrypter.decrypt((EncryptedAttribute) it.next()));
                    } catch (Exception e) {
                        throw createAuthenticationException("decryption_error", e.getMessage(), e);
                    }
                }
            }
            if (assertion.getSubject() == null || assertion.getSubject().getEncryptedID() == null) {
                return;
            }
            try {
                assertion.getSubject().setNameID(decrypter.decrypt(assertion.getSubject().getEncryptedID()));
            } catch (Exception e2) {
                throw createAuthenticationException("decryption_error", e2.getMessage(), e2);
            }
        };
    }

    private Converter<AssertionToken, Saml2ResponseValidatorResult> createCompatibleAssertionValidator() {
        return createAssertionValidator("invalid_assertion", assertionToken -> {
            return SAML20AssertionValidators.attributeValidator;
        }, assertionToken2 -> {
            return createValidationContext(assertionToken2, map -> {
                map.put("saml2.ClockSkew", Long.valueOf(this.responseTimeValidationSkew.toMillis()));
            });
        });
    }

    private Converter<ResponseToken, Saml2Authentication> createCompatibleResponseAuthenticationConverter() {
        return responseToken -> {
            Response response = responseToken.response;
            Saml2AuthenticationToken saml2AuthenticationToken = responseToken.token;
            Assertion assertion = (Assertion) CollectionUtils.firstElement(response.getAssertions());
            return new Saml2Authentication(new DefaultSaml2AuthenticatedPrincipal(assertion.getSubject().getNameID().getValue(), getAssertionAttributes(assertion)), saml2AuthenticationToken.getSaml2Response(), this.authoritiesMapper.mapAuthorities(getAssertionAuthorities(assertion)));
        };
    }

    private Collection<? extends GrantedAuthority> getAssertionAuthorities(Assertion assertion) {
        return (Collection) this.authoritiesExtractor.convert(assertion);
    }

    private boolean hasName(Assertion assertion) {
        return (assertion == null || assertion.getSubject() == null || assertion.getSubject().getNameID() == null || assertion.getSubject().getNameID().getValue() == null) ? false : true;
    }

    private static Map<String, List<Object>> getAssertionAttributes(Assertion assertion) {
        LinkedHashMap linkedHashMap = new LinkedHashMap();
        Iterator it = assertion.getAttributeStatements().iterator();
        while (it.hasNext()) {
            for (Attribute attribute : ((AttributeStatement) it.next()).getAttributes()) {
                ArrayList arrayList = new ArrayList();
                Iterator it2 = attribute.getAttributeValues().iterator();
                while (it2.hasNext()) {
                    Object xmlObjectValue = getXmlObjectValue((XMLObject) it2.next());
                    if (xmlObjectValue != null) {
                        arrayList.add(xmlObjectValue);
                    }
                }
                linkedHashMap.put(attribute.getName(), arrayList);
            }
        }
        return linkedHashMap;
    }

    private static Object getXmlObjectValue(XMLObject xMLObject) {
        DateTime value;
        if (xMLObject instanceof XSAny) {
            return ((XSAny) xMLObject).getTextContent();
        }
        if (xMLObject instanceof XSString) {
            return ((XSString) xMLObject).getValue();
        }
        if (xMLObject instanceof XSInteger) {
            return ((XSInteger) xMLObject).getValue();
        }
        if (xMLObject instanceof XSURI) {
            return ((XSURI) xMLObject).getValue();
        }
        if (xMLObject instanceof XSBoolean) {
            XSBooleanValue value2 = ((XSBoolean) xMLObject).getValue();
            if (value2 != null) {
                return value2.getValue();
            }
            return null;
        }
        if (!(xMLObject instanceof XSDateTime) || (value = ((XSDateTime) xMLObject).getValue()) == null) {
            return null;
        }
        return Instant.ofEpochMilli(value.getMillis());
    }

    private static Saml2AuthenticationException createAuthenticationException(String str, String str2, Exception exc) {
        return new Saml2AuthenticationException(new org.springframework.security.saml2.core.Saml2Error(str, str2), exc);
    }

    private static Converter<AssertionToken, Saml2ResponseValidatorResult> createAssertionValidator(String str, Converter<AssertionToken, SAML20AssertionValidator> converter, Converter<AssertionToken, ValidationContext> converter2) {
        return assertionToken -> {
            Assertion assertion = assertionToken.assertion;
            SAML20AssertionValidator sAML20AssertionValidator = (SAML20AssertionValidator) converter.convert(assertionToken);
            ValidationContext validationContext = (ValidationContext) converter2.convert(assertionToken);
            try {
                return sAML20AssertionValidator.validate(assertion, validationContext) == ValidationResult.VALID ? Saml2ResponseValidatorResult.success() : Saml2ResponseValidatorResult.failure(new org.springframework.security.saml2.core.Saml2Error(str, String.format("Invalid assertion [%s] for SAML response [%s]: %s", assertion.getID(), assertion.getParent().getID(), validationContext.getValidationFailureMessage())));
            } catch (Exception e) {
                return Saml2ResponseValidatorResult.failure(new org.springframework.security.saml2.core.Saml2Error(str, String.format("Invalid assertion [%s] for SAML response [%s]: %s", assertion.getID(), assertion.getParent().getID(), e.getMessage())));
            }
        };
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static ValidationContext createValidationContext(AssertionToken assertionToken, Consumer<Map<String, Object>> consumer) {
        String entityId = assertionToken.token.getRelyingPartyRegistration().getEntityId();
        String assertionConsumerServiceLocation = assertionToken.token.getRelyingPartyRegistration().getAssertionConsumerServiceLocation();
        HashMap hashMap = new HashMap();
        hashMap.put("saml2.Conditions.ValidAudiences", Collections.singleton(entityId));
        hashMap.put("saml2.SubjectConfirmation.ValidRecipients", Collections.singleton(assertionConsumerServiceLocation));
        consumer.accept(hashMap);
        return new ValidationContext(hashMap);
    }

    static {
        OpenSamlInitializationService.initialize();
        logger = LogFactory.getLog(OpenSamlAuthenticationProvider.class);
    }
}
