package pl.edu.icm.unity.saml;

import eu.emi.security.authn.x509.X509Credential;
import eu.unicore.samly2.SAMLBindings;
import eu.unicore.samly2.assertion.AttributeAssertionParser;
import eu.unicore.samly2.attrprofile.ParsedAttribute;
import eu.unicore.samly2.exceptions.SAMLValidationException;
import eu.unicore.samly2.trust.SamlTrustChecker;
import eu.unicore.samly2.validators.ReplayAttackChecker;
import eu.unicore.samly2.validators.SSOAuthnResponseValidator;
import eu.unicore.util.configuration.ConfigurationException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import pl.edu.icm.unity.engine.api.authn.AuthenticationException;
import pl.edu.icm.unity.engine.api.authn.remote.RemoteAttribute;
import pl.edu.icm.unity.engine.api.authn.remote.RemoteGroupMembership;
import pl.edu.icm.unity.engine.api.authn.remote.RemoteIdentity;
import pl.edu.icm.unity.engine.api.authn.remote.RemotelyAuthenticatedInput;
import pl.edu.icm.unity.saml.slo.LogoutContextsStore;
import pl.edu.icm.unity.saml.sp.SAMLSPProperties;
import xmlbeans.org.oasis.saml2.assertion.AssertionDocument;
import xmlbeans.org.oasis.saml2.assertion.AssertionType;
import xmlbeans.org.oasis.saml2.assertion.AuthnStatementType;
import xmlbeans.org.oasis.saml2.assertion.NameIDType;
import xmlbeans.org.oasis.saml2.protocol.ResponseDocument;

/* loaded from: input_file:pl/edu/icm/unity/saml/SAMLResponseValidatorUtil.class */
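public class SAMLResponseValidatorUtil {
    // Immutable after construction; every verification uses the same configuration
    // and the same replay checker, so the instance can be reused across responses.
    private final SAMLSPProperties samlProperties;
    private final ReplayAttackChecker replayAttackChecker;
    private final String responseConsumerAddress;

    /**
     * Creates a validator bound to one SP configuration.
     *
     * @param sAMLSPProperties SP-side SAML configuration (requester id, trust checker, credential, IdP entries)
     * @param replayAttackChecker shared replay checker handed to every response validation
     * @param str URL of this SP's assertion consumer endpoint; the response must be addressed to it
     */
    public SAMLResponseValidatorUtil(SAMLSPProperties sAMLSPProperties, ReplayAttackChecker replayAttackChecker, String str) {
        this.samlProperties = sAMLSPProperties;
        this.replayAttackChecker = replayAttackChecker;
        this.responseConsumerAddress = str;
    }

    /**
     * Validates a SAML authentication response and converts its assertions into a
     * {@link RemotelyAuthenticatedInput}.
     *
     * <p>Validation (signature/trust, replay, binding, destination, response-to-request
     * correlation) is delegated to {@link SSOAuthnResponseValidator}; nothing from the
     * response is used before that validation succeeds.
     *
     * @param responseDocument the parsed SAML response
     * @param str presumably the id of the AuthnRequest this response answers (InResponseTo check) —
     *            confirm against the SSOAuthnResponseValidator constructor
     * @param sAMLBindings binding the response arrived over
     * @param str2 name of the attribute whose values are mapped to group memberships; {@code null} disables group mapping
     * @param str3 configuration key of the IdP entry used to look up logout endpoints and certificate names
     * @return the remote authentication input (identities, attributes, groups, session participants)
     * @throws AuthenticationException when the response is invalid or untrusted, or when the
     *         SP configuration cannot be loaded
     */
    public RemotelyAuthenticatedInput verifySAMLResponse(ResponseDocument responseDocument, String str, SAMLBindings sAMLBindings, String str2, String str3) throws AuthenticationException {
        try {
            // Reading the requester id is moved inside the try so that a configuration
            // problem here surfaces as the same AuthenticationException as the others.
            String requesterId = this.samlProperties.getValue(SAMLSPProperties.REQUESTER_ID);
            SamlTrustChecker trustChecker = this.samlProperties.getTrustChecker();
            X509Credential requesterCredential = this.samlProperties.getRequesterCredential();
            // A missing credential is allowed: it only means encrypted assertions cannot be decrypted.
            SSOAuthnResponseValidator validator = new SSOAuthnResponseValidator(requesterId, this.responseConsumerAddress, str, LogoutContextsStore.MAX_AGE, trustChecker, this.replayAttackChecker, sAMLBindings, requesterCredential == null ? null : requesterCredential.getKey());
            try {
                validator.validate(responseDocument);
            } catch (SAMLValidationException e) {
                // Deliberately generic message: the detailed reason stays in the cause, not in the user-facing text.
                throw new AuthenticationException("The SAML response is either invalid or is issued by an untrusted identity provider.", e);
            }
            return convertAssertion(responseDocument, validator, str2, str3);
        } catch (ConfigurationException e2) {
            throw new AuthenticationException("The SAML response can not be verified - there is an internal configuration error", e2);
        }
    }

    /**
     * Builds the {@link RemotelyAuthenticatedInput} from an already validated response.
     * Must only be called after {@link SSOAuthnResponseValidator#validate} succeeded.
     *
     * @param responseDocument the validated response
     * @param validator validator holding the accepted assertions
     * @param groupAttribute attribute name mapped to groups, may be {@code null}
     * @param idpConfigKey configuration key of the IdP entry
     * @return the populated input
     * @throws AuthenticationException when the response has no issuer or attributes cannot be parsed
     */
    private RemotelyAuthenticatedInput convertAssertion(ResponseDocument responseDocument, SSOAuthnResponseValidator validator, String groupAttribute, String idpConfigKey) throws AuthenticationException {
        NameIDType issuer = responseDocument.getResponse().getIssuer();
        // The Issuer element is optional in the schema; without the guard a response
        // lacking it fails with a NullPointerException instead of a clean authentication error.
        if (issuer == null) {
            throw new AuthenticationException("The SAML response has no issuer");
        }
        // The issuer string names the remote IdP; trust in the response was already
        // established by the validator's trust checker, not by this value.
        RemotelyAuthenticatedInput input = new RemotelyAuthenticatedInput(issuer.getStringValue());
        input.setIdentities(getAuthenticatedIdentities(validator));
        List<RemoteAttribute> attributes = getAttributes(validator);
        input.setAttributes(attributes);
        input.setGroups(getGroups(attributes, groupAttribute));
        addSessionParticipants(validator, issuer, input, idpConfigKey);
        return input;
    }

    /**
     * Extracts one {@link RemoteIdentity} (subject NameID value and format) per accepted
     * authentication assertion.
     */
    private List<RemoteIdentity> getAuthenticatedIdentities(SSOAuthnResponseValidator validator) {
        List<AssertionDocument> authnAssertions = validator.getAuthNAssertions();
        List<RemoteIdentity> identities = new ArrayList<>(authnAssertions.size());
        for (AssertionDocument assertionDoc : authnAssertions) {
            NameIDType nameId = assertionDoc.getAssertion().getSubject().getNameID();
            identities.add(new RemoteIdentity(nameId.getStringValue(), nameId.getFormat()));
        }
        return identities;
    }

    /**
     * Records a session participant for every AuthnStatement that carries a SessionIndex,
     * so that single logout can later be driven against the IdP.
     *
     * @param validator validator holding the accepted authentication assertions
     * @param issuer issuer of the response (the IdP)
     * @param input input to add participants to
     * @param idpConfigKey configuration key of the IdP entry (logout endpoints, certificate names)
     */
    private void addSessionParticipants(SSOAuthnResponseValidator validator, NameIDType issuer, RemotelyAuthenticatedInput input, String idpConfigKey) {
        // Configuration lookups are hoisted out of the loops: they are the same for every assertion.
        List<SAMLEndpointDefinition> logoutEndpoints = this.samlProperties.getLogoutEndpointsFromStructuredList(idpConfigKey);
        String requesterId = this.samlProperties.getValue(SAMLSPProperties.REQUESTER_ID);
        String credentialName = this.samlProperties.getValue(SAMLSPProperties.CREDENTIAL);
        Set<String> certificateNames = this.samlProperties.getCertificateNames(idpConfigKey);
        for (AssertionDocument assertionDoc : validator.getAuthNAssertions()) {
            AssertionType assertion = assertionDoc.getAssertion();
            for (AuthnStatementType authnStatement : assertion.getAuthnStatementArray()) {
                String sessionIndex = authnStatement.getSessionIndex();
                // Statements without a SessionIndex cannot be targeted by logout; skip them.
                if (sessionIndex == null) {
                    continue;
                }
                input.addSessionParticipant(new SAMLSessionParticipant(issuer.getStringValue(), assertion.getSubject().getNameID(), sessionIndex, logoutEndpoints, requesterId, credentialName, certificateNames));
            }
        }
    }

    /**
     * Collects attributes from all non-authentication assertions accepted by the validator.
     *
     * @throws AuthenticationException when an assertion's attribute statement cannot be parsed
     */
    private List<RemoteAttribute> getAttributes(SSOAuthnResponseValidator validator) throws AuthenticationException {
        List<AssertionDocument> otherAssertions = validator.getOtherAssertions();
        List<RemoteAttribute> attributes = new ArrayList<>(otherAssertions.size());
        for (AssertionDocument assertionDoc : otherAssertions) {
            try {
                for (ParsedAttribute parsed : new AttributeAssertionParser(assertionDoc).getAttributes()) {
                    List<String> stringValues = parsed.getStringValues();
                    attributes.add(new RemoteAttribute(parsed.getName(), stringValues.toArray(new String[0])));
                }
            } catch (SAMLValidationException e) {
                throw new AuthenticationException("Problem retrieving attributes from the SAML data", e);
            }
        }
        return attributes;
    }

    /**
     * Maps the values of the configured group attribute to group memberships.
     * Only attributes whose name equals {@code groupAttribute} exactly are used; every other
     * attribute is ignored, so the IdP cannot inject groups through a differently named attribute.
     *
     * @param attributes attributes extracted from the response
     * @param groupAttribute attribute name to map; {@code null} yields an empty list
     * @return the memberships, empty when no mapping is configured or nothing matches
     */
    private List<RemoteGroupMembership> getGroups(List<RemoteAttribute> attributes, String groupAttribute) {
        List<RemoteGroupMembership> groups = new ArrayList<>();
        if (groupAttribute == null) {
            return groups;
        }
        for (RemoteAttribute attribute : attributes) {
            if (!attribute.getName().equals(groupAttribute)) {
                continue;
            }
            // Values originate from String[] in getAttributes, hence the cast is safe in this flow.
            for (Object value : attribute.getValues()) {
                groups.add(new RemoteGroupMembership((String) value));
            }
        }
        return groups;
    }
}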
