package pl.edu.icm.unity.saml;

import eu.unicore.samly2.SAMLBindings;
import eu.unicore.samly2.assertion.AttributeAssertionParser;
import eu.unicore.samly2.attrprofile.ParsedAttribute;
import eu.unicore.samly2.exceptions.SAMLValidationException;
import eu.unicore.samly2.validators.ReplayAttackChecker;
import eu.unicore.samly2.validators.SSOAuthnResponseValidator;
import eu.unicore.util.configuration.ConfigurationException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import pl.edu.icm.unity.saml.sp.SAMLSPProperties;
import pl.edu.icm.unity.server.authn.AuthenticationException;
import pl.edu.icm.unity.server.authn.remote.RemoteAttribute;
import pl.edu.icm.unity.server.authn.remote.RemoteGroupMembership;
import pl.edu.icm.unity.server.authn.remote.RemoteIdentity;
import pl.edu.icm.unity.server.authn.remote.RemotelyAuthenticatedInput;
import xmlbeans.org.oasis.saml2.assertion.AssertionDocument;
import xmlbeans.org.oasis.saml2.assertion.NameIDType;
import xmlbeans.org.oasis.saml2.protocol.ResponseDocument;

/* loaded from: input_file:pl/edu/icm/unity/saml/SAMLResponseValidatorUtil.class */
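/**
 * Validates a SAML {@code Response} received by the SP side and converts the
 * assertions it carries into a {@link RemotelyAuthenticatedInput} (identities,
 * attributes and group memberships).
 *
 * <p>All SAML trust decisions (signature, issuer trust, replay protection,
 * time window) are delegated to {@link SSOAuthnResponseValidator}; this class
 * only wires the validator and maps the validated content into Unity types.
 */
public class SAMLResponseValidatorUtil {
    /**
     * Validity window handed to {@link SSOAuthnResponseValidator} (originally the
     * hard-coded literal 180000L). Presumably milliseconds, i.e. 3 minutes — confirm
     * against the samly2 API before changing it.
     */
    private static final long RESPONSE_VALIDITY = 180000L;

    private final SAMLSPProperties samlProperties;
    private final ReplayAttackChecker replayAttackChecker;
    private final String responseConsumerAddress;

    /**
     * @param samlProperties SP configuration; supplies the requester id and the trust checker
     * @param replayAttackChecker shared replay-protection state passed to every validator instance
     * @param responseConsumerAddress the endpoint URL responses are expected to be addressed to
     */
    public SAMLResponseValidatorUtil(SAMLSPProperties samlProperties, ReplayAttackChecker replayAttackChecker,
            String responseConsumerAddress) {
        this.samlProperties = samlProperties;
        this.replayAttackChecker = replayAttackChecker;
        this.responseConsumerAddress = responseConsumerAddress;
    }

    /**
     * Validates the response and converts it into remotely authenticated input.
     *
     * @param responseDocument the parsed SAML response
     * @param requestId value passed as the third constructor argument of
     *        {@link SSOAuthnResponseValidator} (presumably the id of the originating
     *        AuthnRequest — confirm against the samly2 API)
     * @param binding the binding the response arrived over
     * @param groupAttributeName name of the attribute whose values are treated as group
     *        memberships; {@code null} disables group extraction
     * @return identities, attributes and groups extracted from the validated assertions
     * @throws AuthenticationException if the response fails validation, if the SP
     *         configuration cannot be read, or if the response lacks an Issuer or the
     *         assertions lack a NameID
     */
    public RemotelyAuthenticatedInput verifySAMLResponse(ResponseDocument responseDocument, String requestId,
            SAMLBindings binding, String groupAttributeName) throws AuthenticationException {
        SSOAuthnResponseValidator validator;
        try {
            validator = new SSOAuthnResponseValidator(
                    this.samlProperties.getValue(SAMLSPProperties.REQUESTER_ID),
                    this.responseConsumerAddress,
                    requestId,
                    RESPONSE_VALIDITY,
                    this.samlProperties.getTrustChecker(),
                    this.replayAttackChecker,
                    binding);
        } catch (ConfigurationException e) {
            // Configuration problems are reported separately so operators can tell them apart
            // from a genuinely untrusted/invalid response.
            throw new AuthenticationException(
                    "The SAML response can not be verified - there is an internal configuration error", e);
        }
        try {
            validator.validate(responseDocument);
        } catch (SAMLValidationException e) {
            throw new AuthenticationException(
                    "The SAML response is either invalid or is issued by an untrusted identity provider.", e);
        }
        return convertAssertion(responseDocument, validator, groupAttributeName);
    }

    /**
     * Maps the content of an already validated response into {@link RemotelyAuthenticatedInput}.
     * Must only be called after {@link SSOAuthnResponseValidator#validate} succeeded.
     *
     * @throws AuthenticationException if the response carries no Issuer, an assertion lacks
     *         a NameID, or attribute parsing fails
     */
    private RemotelyAuthenticatedInput convertAssertion(ResponseDocument responseDocument,
            SSOAuthnResponseValidator validator, String groupAttributeName) throws AuthenticationException {
        // The Issuer element is optional in a SAML Response; fail with a clear message rather
        // than an NPE when it is absent.
        NameIDType issuer = responseDocument.getResponse().getIssuer();
        if (issuer == null) {
            throw new AuthenticationException("The SAML response does not carry an Issuer");
        }
        RemotelyAuthenticatedInput input = new RemotelyAuthenticatedInput(issuer.getStringValue());
        input.setIdentities(getAuthenticatedIdentities(validator));
        List<RemoteAttribute> attributes = getAttributes(validator);
        input.setAttributes(attributes);
        input.setGroups(getGroups(attributes, groupAttributeName));
        return input;
    }

    /**
     * Builds one {@link RemoteIdentity} (NameID value and format) per authentication assertion.
     *
     * @throws AuthenticationException if an authentication assertion has no plain NameID
     */
    private List<RemoteIdentity> getAuthenticatedIdentities(SSOAuthnResponseValidator validator)
            throws AuthenticationException {
        List<AssertionDocument> authnAssertions = validator.getAuthNAssertions();
        List<RemoteIdentity> identities = new ArrayList<>(authnAssertions.size());
        for (AssertionDocument assertion : authnAssertions) {
            NameIDType nameId = assertion.getAssertion().getSubject().getNameID();
            // A Subject may carry something other than a plain NameID; without one there is
            // no identity to establish.
            if (nameId == null) {
                throw new AuthenticationException("A SAML authentication assertion has no NameID in its Subject");
            }
            identities.add(new RemoteIdentity(nameId.getStringValue(), nameId.getFormat()));
        }
        return identities;
    }

    /**
     * Collects all attributes from the non-authentication assertions; each attribute's
     * string values are passed on as-is.
     *
     * @throws AuthenticationException if the attribute statements cannot be parsed
     */
    private List<RemoteAttribute> getAttributes(SSOAuthnResponseValidator validator)
            throws AuthenticationException {
        List<AssertionDocument> otherAssertions = validator.getOtherAssertions();
        List<RemoteAttribute> result = new ArrayList<>(otherAssertions.size());
        for (AssertionDocument assertion : otherAssertions) {
            try {
                for (ParsedAttribute attribute : new AttributeAssertionParser(assertion).getAttributes()) {
                    List<String> values = attribute.getStringValues();
                    result.add(new RemoteAttribute(attribute.getName(), values.toArray(new String[0])));
                }
            } catch (SAMLValidationException e) {
                throw new AuthenticationException("Problem retrieving attributes from the SAML data", e);
            }
        }
        return result;
    }

    /**
     * Derives group memberships: every value of each attribute named
     * {@code groupAttributeName} becomes a group, verbatim.
     *
     * @param attributes attributes extracted from the response
     * @param groupAttributeName attribute name to match; {@code null} yields an empty list
     * @return group memberships, possibly empty, never {@code null}
     */
    private List<RemoteGroupMembership> getGroups(List<RemoteAttribute> attributes, String groupAttributeName) {
        List<RemoteGroupMembership> groups = new ArrayList<>();
        if (groupAttributeName == null) {
            return groups;
        }
        for (RemoteAttribute attribute : attributes) {
            // Compare from the non-null side so an attribute without a name cannot NPE here.
            if (groupAttributeName.equals(attribute.getName())) {
                for (Object value : attribute.getValues()) {
                    groups.add(new RemoteGroupMembership((String) value));
                }
            }
        }
        return groups;
    }
}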
