package org.apache.ws.security.validate;

import java.util.Date;
import java.util.Iterator;
import java.util.List;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.cache.ReplayCache;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.saml.SAMLKeyInfo;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.saml.ext.OpenSAMLUtil;
import org.apache.ws.security.saml.ext.builder.SAML1Constants;
import org.apache.ws.security.saml.ext.builder.SAML2Constants;
import org.apache.ws.security.util.InetAddressUtils;
import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.common.SAMLVersion;
import org.opensaml.saml1.core.AudienceRestrictionCondition;
import org.opensaml.saml1.core.AuthenticationStatement;
import org.opensaml.saml1.core.Conditions;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.xml.validation.ValidationException;
import org.opensaml.xml.validation.ValidatorSuite;

/* JADX WARN: Classes with same name are omitted:
  input_file:targets/liberty855/third-party/com.ibm.websphere.appserver.thirdparty.wsSecurity_1.0.8.jar:org/apache/ws/security/validate/SamlAssertionValidator.class
 */
/* loaded from: input_file:targets/liberty8557/third-party/com.ibm.websphere.appserver.thirdparty.wsSecurity_2.0.10.jar:org/apache/ws/security/validate/SamlAssertionValidator.class */
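public class SamlAssertionValidator extends SignatureTrustValidator {
    private static final Log LOG = LogFactory.getLog(SamlAssertionValidator.class);

    /** Numeric WSSecurityException error codes, exactly as the decompiled original passed them. */
    private static final int ERROR_FAILURE = 0;
    private static final int ERROR_FAILED_AUTHENTICATION = 3;

    /** Error message key used for every policy / condition failure in this validator. */
    private static final String INVALID_SAML = "invalidSAMLsecurity";

    /** Optional subject confirmation method that must be present in the assertion (null = none required). */
    private String requiredSubjectConfirmationMethod;
    /** Clock-skew allowance, in seconds, for timestamps that lie in the future. */
    private int futureTTL = 60;
    /** Maximum age, in seconds, of an assertion's IssueInstant when no NotOnOrAfter condition is present. */
    private int ttl = 1800;
    private boolean validateSignatureAgainstProfile = true;
    private boolean requireStandardSubjectConfirmationMethod = true;
    private boolean requireBearerSignature = true;

    /**
     * Sets the allowed clock skew (seconds) for timestamps in the future.
     *
     * @param i number of seconds a NotBefore / IssueInstant / AuthnInstant may lie ahead of now
     */
    public void setFutureTTL(int i) {
        this.futureTTL = i;
    }

    /**
     * @return the allowed clock skew (seconds) for timestamps in the future
     */
    public int getFutureTTL() {
        return this.futureTTL;
    }

    /**
     * Validates the SAML assertion carried by the credential: subject confirmation method, time
     * conditions, audience restrictions, authentication statements, one-time-use replay check,
     * OpenSAML schema/spec validation and, for signed assertions, signature trust.
     *
     * @param credential credential holding the assertion to validate
     * @param requestData per-request settings (audience restrictions, replay cache, trust settings)
     * @return the same credential, once every check has passed
     * @throws WSSecurityException if the credential carries no assertion or any check fails
     */
    @Override // org.apache.ws.security.validate.SignatureTrustValidator, org.apache.ws.security.validate.Validator
    public Credential validate(Credential credential, RequestData requestData) throws WSSecurityException {
        if (credential == null || credential.getAssertion() == null) {
            throw new WSSecurityException(ERROR_FAILURE, "noCredential");
        }
        AssertionWrapper assertion = credential.getAssertion();
        // Policy checks run before the (more expensive) signature trust validation so that a
        // non-compliant assertion is rejected without touching the trust store.
        verifySubjectConfirmationMethod(assertion);
        checkConditions(assertion);
        checkAudienceRestrictions(assertion, requestData.getAudienceRestrictions());
        checkAuthnStatements(assertion);
        checkOneTimeUse(assertion, requestData);
        validateAssertion(assertion);
        if (assertion.isSigned()) {
            verifySignedAssertion(assertion, requestData);
        }
        return credential;
    }

    /**
     * Checks the assertion's subject confirmation methods against the configured policy:
     * holder-of-key requires a subject KeyInfo and a signature, bearer requires a signature when
     * {@link #isRequireBearerSignature()} is set, a configured required method must be present, and
     * at least one standard method (holder-of-key, bearer, sender-vouches) must be present when
     * {@link #isRequireStandardSubjectConfirmationMethod()} is set.
     *
     * @param assertionWrapper the assertion under validation
     * @throws WSSecurityException if the policy is not satisfied
     */
    protected void verifySubjectConfirmationMethod(AssertionWrapper assertionWrapper) throws WSSecurityException {
        List<String> confirmationMethods = assertionWrapper.getConfirmationMethods();
        if (confirmationMethods == null || confirmationMethods.isEmpty()) {
            if (this.requiredSubjectConfirmationMethod != null) {
                LOG.debug("A required subject confirmation method was not present");
                throw new WSSecurityException(ERROR_FAILURE, INVALID_SAML);
            }
            if (this.requireStandardSubjectConfirmationMethod) {
                LOG.debug("A standard subject confirmation method was not present");
                throw new WSSecurityException(ERROR_FAILURE, INVALID_SAML);
            }
            // Nothing is required and there is nothing to inspect. Returning here also avoids the
            // NullPointerException the original raised by iterating a null list.
            return;
        }
        boolean isSigned = assertionWrapper.isSigned();
        boolean requiredMethodFound = false;
        boolean standardMethodFound = false;
        for (String method : confirmationMethods) {
            if (OpenSAMLUtil.isMethodHolderOfKey(method)) {
                if (assertionWrapper.getSubjectKeyInfo() == null) {
                    LOG.debug("There is no Subject KeyInfo to match the holder-of-key subject conf method");
                    throw new WSSecurityException(ERROR_FAILURE, "noKeyInSAMLToken");
                }
                if (!isSigned) {
                    LOG.debug("A holder-of-key assertion must be signed");
                    throw new WSSecurityException(ERROR_FAILURE, INVALID_SAML);
                }
                standardMethodFound = true;
            }
            if (method == null) {
                continue;
            }
            if (method.equals(this.requiredSubjectConfirmationMethod)) {
                requiredMethodFound = true;
            }
            if (isBearerMethod(method)) {
                standardMethodFound = true;
                // An unsigned bearer assertion can be replayed by anyone who sees it; reject unless
                // the deployment explicitly allows it.
                if (this.requireBearerSignature && !isSigned) {
                    LOG.debug("A Bearer Assertion was not signed");
                    throw new WSSecurityException(ERROR_FAILURE, INVALID_SAML);
                }
            } else if (isSenderVouchesMethod(method)) {
                standardMethodFound = true;
            }
        }
        if (!requiredMethodFound && this.requiredSubjectConfirmationMethod != null) {
            LOG.debug("A required subject confirmation method was not present");
            throw new WSSecurityException(ERROR_FAILURE, INVALID_SAML);
        }
        if (!standardMethodFound && this.requireStandardSubjectConfirmationMethod) {
            LOG.debug("A standard subject confirmation method was not present");
            throw new WSSecurityException(ERROR_FAILURE, INVALID_SAML);
        }
    }

    /** @return true if {@code method} is the SAML 1.1 or SAML 2.0 bearer confirmation method URI. */
    private static boolean isBearerMethod(String method) {
        return SAML2Constants.CONF_BEARER.equals(method) || SAML1Constants.CONF_BEARER.equals(method);
    }

    /** @return true if {@code method} is the SAML 1.1 or SAML 2.0 sender-vouches confirmation method URI. */
    private static boolean isSenderVouchesMethod(String method) {
        return SAML2Constants.CONF_SENDER_VOUCHES.equals(method) || SAML1Constants.CONF_SENDER_VOUCHES.equals(method);
    }

    /**
     * Delegates trust validation of the assertion's signing key / certificate chain to the
     * superclass {@link SignatureTrustValidator}.
     *
     * @param assertionWrapper a signed assertion
     * @param requestData per-request trust settings
     * @return the credential produced by the superclass
     * @throws WSSecurityException if the assertion exposes no signature KeyInfo, or the signing key is not trusted
     */
    protected Credential verifySignedAssertion(AssertionWrapper assertionWrapper, RequestData requestData) throws WSSecurityException {
        SAMLKeyInfo signatureKeyInfo = assertionWrapper.getSignatureKeyInfo();
        if (signatureKeyInfo == null) {
            // A signed assertion with no extractable signing key cannot be trust-checked; fail closed
            // with the validator's own exception type rather than a NullPointerException.
            LOG.debug("A signed assertion has no signature KeyInfo");
            throw new WSSecurityException(ERROR_FAILURE, INVALID_SAML);
        }
        Credential trustCredential = new Credential();
        trustCredential.setPublicKey(signatureKeyInfo.getPublicKey());
        trustCredential.setCertificates(signatureKeyInfo.getCerts());
        return super.validate(trustCredential, requestData);
    }

    /**
     * Checks the assertion's time conditions: NotBefore and IssueInstant may be at most
     * {@link #getFutureTTL()} seconds in the future, NotOnOrAfter must not have passed, and when no
     * NotOnOrAfter is present the IssueInstant may be at most {@link #getTtl()} seconds old.
     *
     * @param assertionWrapper the assertion under validation
     * @throws WSSecurityException if any time condition is violated
     */
    protected void checkConditions(AssertionWrapper assertionWrapper) throws WSSecurityException {
        DateTime notBefore = null;
        DateTime notOnOrAfter = null;
        DateTime issueInstant = null;
        if (SAMLVersion.VERSION_20.equals(assertionWrapper.getSamlVersion())
                && assertionWrapper.getSaml2().getConditions() != null) {
            org.opensaml.saml2.core.Conditions conditions = assertionWrapper.getSaml2().getConditions();
            notBefore = conditions.getNotBefore();
            notOnOrAfter = conditions.getNotOnOrAfter();
            issueInstant = assertionWrapper.getSaml2().getIssueInstant();
        } else if (SAMLVersion.VERSION_11.equals(assertionWrapper.getSamlVersion())
                && assertionWrapper.getSaml1().getConditions() != null) {
            Conditions conditions = assertionWrapper.getSaml1().getConditions();
            notBefore = conditions.getNotBefore();
            notOnOrAfter = conditions.getNotOnOrAfter();
            issueInstant = assertionWrapper.getSaml1().getIssueInstant();
        }

        // Evaluate every bound against a single "now" so the checks cannot disagree with each other.
        DateTime now = new DateTime();
        DateTime latestAcceptable = now.plusSeconds(this.futureTTL);

        if (notBefore != null && notBefore.isAfter(latestAcceptable)) {
            LOG.debug("SAML Token condition (Not Before) not met");
            throw new WSSecurityException(ERROR_FAILURE, INVALID_SAML);
        }
        if (notOnOrAfter != null && notOnOrAfter.isBefore(now)) {
            LOG.debug("SAML Token condition (Not On Or After) not met");
            throw new WSSecurityException(ERROR_FAILURE, INVALID_SAML);
        }
        if (issueInstant != null) {
            if (issueInstant.isAfter(latestAcceptable)) {
                LOG.debug("SAML Token IssueInstant not met");
                throw new WSSecurityException(ERROR_FAILURE, INVALID_SAML);
            }
            if (notOnOrAfter == null) {
                // Joda-Time DateTime is immutable: minusSeconds() returns a new instance. The original
                // discarded that result and compared against "now", so the configured ttl was never
                // actually applied to the IssueInstant age check.
                DateTime oldestAcceptable = now.minusSeconds(this.ttl);
                if (issueInstant.isBefore(oldestAcceptable)) {
                    LOG.debug("SAML Token IssueInstant not met. The assertion was created too long ago.");
                    throw new WSSecurityException(ERROR_FAILURE, INVALID_SAML);
                }
            }
        }
    }

    /**
     * Checks that the assertion's audience restrictions name one of the expected audiences.
     * <p>
     * Behaviour (preserved from the original): when the caller supplies no expected audiences, or
     * the assertion carries no AudienceRestriction(Condition) elements, the check is skipped. When
     * restrictions are present, a single Audience anywhere in them that appears in {@code list}
     * satisfies the check. Note that SAML 2.0 Core evaluates multiple AudienceRestriction elements
     * conjunctively (each must be satisfied), so this check is more lenient than the specification;
     * tighten it if a deployment relies on the strict reading.
     *
     * @param assertionWrapper the assertion under validation
     * @param list audience URIs this service accepts; null or empty disables the check
     * @throws WSSecurityException if restrictions are present and none of them matches
     */
    public void checkAudienceRestrictions(AssertionWrapper assertionWrapper, List<String> list) throws WSSecurityException {
        if (list == null || list.isEmpty()) {
            return;
        }
        if (SAMLVersion.VERSION_20.equals(assertionWrapper.getSamlVersion())) {
            org.opensaml.saml2.core.Conditions conditions = assertionWrapper.getSaml2().getConditions();
            if (conditions == null || conditions.getAudienceRestrictions() == null
                    || conditions.getAudienceRestrictions().isEmpty()) {
                return;
            }
            if (!saml2AudienceMatches(conditions.getAudienceRestrictions(), list)) {
                LOG.debug("SAML Token audience restriction not met");
                throw new WSSecurityException(ERROR_FAILURE, INVALID_SAML);
            }
        } else if (SAMLVersion.VERSION_11.equals(assertionWrapper.getSamlVersion())) {
            Conditions conditions = assertionWrapper.getSaml1().getConditions();
            if (conditions == null || conditions.getAudienceRestrictionConditions() == null
                    || conditions.getAudienceRestrictionConditions().isEmpty()) {
                return;
            }
            if (!saml1AudienceMatches(conditions.getAudienceRestrictionConditions(), list)) {
                LOG.debug("SAML Token audience restriction not met");
                throw new WSSecurityException(ERROR_FAILURE, INVALID_SAML);
            }
        }
    }

    /** @return true if any Audience of any SAML 2.0 AudienceRestriction is in {@code expected}. */
    private static boolean saml2AudienceMatches(List<AudienceRestriction> restrictions, List<String> expected) {
        for (AudienceRestriction restriction : restrictions) {
            if (restriction.getAudiences() == null) {
                continue;
            }
            for (Audience audience : restriction.getAudiences()) {
                if (expected.contains(audience.getAudienceURI())) {
                    return true;
                }
            }
        }
        return false;
    }

    /** @return true if any Audience of any SAML 1.1 AudienceRestrictionCondition is in {@code expected}. */
    private static boolean saml1AudienceMatches(List<AudienceRestrictionCondition> restrictions, List<String> expected) {
        for (AudienceRestrictionCondition restriction : restrictions) {
            if (restriction.getAudiences() == null) {
                continue;
            }
            for (org.opensaml.saml1.core.Audience audience : restriction.getAudiences()) {
                if (expected.contains(audience.getUri())) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Validates every authentication statement of the assertion (AuthnInstant not in the future,
     * SessionNotOnOrAfter not passed, SubjectLocality address syntactically an IP address).
     *
     * @param assertionWrapper the assertion under validation
     * @throws WSSecurityException if any authentication statement fails validation
     */
    protected void checkAuthnStatements(AssertionWrapper assertionWrapper) throws WSSecurityException {
        if (SAMLVersion.VERSION_20.equals(assertionWrapper.getSamlVersion())) {
            List<AuthnStatement> statements = assertionWrapper.getSaml2().getAuthnStatements();
            if (statements == null) {
                return;
            }
            for (AuthnStatement statement : statements) {
                String address = null;
                if (statement.getSubjectLocality() != null) {
                    address = statement.getSubjectLocality().getAddress();
                }
                validateAuthnStatement(statement.getAuthnInstant(), statement.getSessionNotOnOrAfter(),
                        address, this.futureTTL);
            }
        } else if (SAMLVersion.VERSION_11.equals(assertionWrapper.getSamlVersion())) {
            List<AuthenticationStatement> statements = assertionWrapper.getSaml1().getAuthenticationStatements();
            if (statements == null) {
                return;
            }
            for (AuthenticationStatement statement : statements) {
                String address = null;
                if (statement.getSubjectLocality() != null) {
                    address = statement.getSubjectLocality().getIPAddress();
                }
                // SAML 1.1 has no session expiry on the statement.
                validateAuthnStatement(statement.getAuthenticationInstant(), null, address, this.futureTTL);
            }
        }
    }

    /**
     * Validates a single authentication statement's fields.
     *
     * @param authnInstant time of authentication; must not be null and not more than {@code futureTtl} seconds ahead
     * @param sessionNotOnOrAfter optional session expiry; must not have passed
     * @param subjectAddress optional SubjectLocality address; must be an IPv4 or IPv6 literal when present
     * @param futureTtl allowed clock skew in seconds
     * @throws WSSecurityException if any field is invalid
     */
    private void validateAuthnStatement(DateTime authnInstant, DateTime sessionNotOnOrAfter, String subjectAddress,
            int futureTtl) throws WSSecurityException {
        if (authnInstant == null) {
            // The original dereferenced this unconditionally (NullPointerException); fail closed explicitly.
            LOG.debug("SAML Token AuthnInstant is missing");
            throw new WSSecurityException(ERROR_FAILURE, INVALID_SAML);
        }
        DateTime now = new DateTime();
        if (authnInstant.isAfter(now.plusSeconds(futureTtl))) {
            LOG.debug("SAML Token AuthnInstant not met");
            throw new WSSecurityException(ERROR_FAILURE, INVALID_SAML);
        }
        if (sessionNotOnOrAfter != null && sessionNotOnOrAfter.isBefore(now)) {
            LOG.debug("SAML Token SessionNotOnOrAfter not met");
            throw new WSSecurityException(ERROR_FAILURE, INVALID_SAML);
        }
        if (subjectAddress != null
                && !InetAddressUtils.isIPv4Address(subjectAddress)
                && !InetAddressUtils.isIPv6Address(subjectAddress)) {
            LOG.debug("SAML Token SubjectLocality address is not valid: " + subjectAddress);
            throw new WSSecurityException(ERROR_FAILURE, INVALID_SAML);
        }
    }

    /**
     * Enforces the SAML 2.0 OneTimeUse condition: an assertion id already seen by the request's
     * replay cache is rejected, otherwise the id is recorded until the assertion's NotOnOrAfter.
     * Skipped for SAML 1.1, for assertions without a OneTimeUse condition, and when no replay cache
     * is configured.
     *
     * @param assertionWrapper the assertion under validation
     * @param requestData supplies the replay cache
     * @throws WSSecurityException (FAILED_AUTHENTICATION) if the assertion id was already seen
     */
    protected void checkOneTimeUse(AssertionWrapper assertionWrapper, RequestData requestData) throws WSSecurityException {
        if (!SAMLVersion.VERSION_20.equals(assertionWrapper.getSamlVersion())
                || assertionWrapper.getSaml2().getConditions() == null
                || assertionWrapper.getSaml2().getConditions().getOneTimeUse() == null
                || requestData.getSamlOneTimeUseReplayCache() == null) {
            return;
        }
        String id = assertionWrapper.getId();
        ReplayCache replayCache = requestData.getSamlOneTimeUseReplayCache();
        if (replayCache.contains(id)) {
            throw new WSSecurityException(ERROR_FAILED_AUTHENTICATION, "badSamlToken",
                    new Object[]{"A replay attack has been detected"});
        }
        DateTime notOnOrAfter = assertionWrapper.getSaml2().getConditions().getNotOnOrAfter();
        if (notOnOrAfter != null) {
            // Keep the id only as long as the assertion itself is valid (+1s so a 0s remainder still
            // records it). checkConditions() has already rejected an expired NotOnOrAfter.
            long secondsUntilExpiry = 1 + ((notOnOrAfter.getMillis() - System.currentTimeMillis()) / 1000);
            replayCache.add(id, secondsUntilExpiry);
        } else {
            replayCache.add(id);
        }
        // The original followed this with an unconditional second add(id), which is redundant and,
        // depending on the ReplayCache implementation, could replace the expiry-bounded entry with a
        // default-lifetime one. It is intentionally not repeated here.
    }

    /**
     * Runs OpenSAML's schema and specification validator suites over the assertion, and optionally
     * validates the XML signature against the SAML signature profile.
     *
     * @param assertionWrapper the assertion under validation
     * @throws WSSecurityException if any validator suite reports an error
     */
    protected void validateAssertion(AssertionWrapper assertionWrapper) throws WSSecurityException {
        if (this.validateSignatureAgainstProfile) {
            assertionWrapper.validateSignatureAgainstProfile();
        }
        if (assertionWrapper.getSaml1() != null) {
            ValidatorSuite schemaSuite = Configuration.getValidatorSuite("saml1-schema-validator");
            ValidatorSuite specSuite = Configuration.getValidatorSuite("saml1-spec-validator");
            try {
                schemaSuite.validate(assertionWrapper.getSaml1());
                specSuite.validate(assertionWrapper.getSaml1());
            } catch (ValidationException e) {
                LOG.debug("Saml Validation error: " + e.getMessage(), e);
                throw new WSSecurityException(ERROR_FAILURE, INVALID_SAML, null, e);
            }
        } else if (assertionWrapper.getSaml2() != null) {
            ValidatorSuite schemaSuite = Configuration.getValidatorSuite("saml2-core-schema-validator");
            ValidatorSuite specSuite = Configuration.getValidatorSuite("saml2-core-spec-validator");
            try {
                schemaSuite.validate(assertionWrapper.getSaml2());
                specSuite.validate(assertionWrapper.getSaml2());
            } catch (ValidationException e) {
                LOG.debug("Saml Validation error: " + e.getMessage(), e);
                throw new WSSecurityException(ERROR_FAILURE, INVALID_SAML, null, e);
            }
        }
    }

    /** @return whether the assertion signature is checked against the SAML signature profile. */
    public boolean isValidateSignatureAgainstProfile() {
        return this.validateSignatureAgainstProfile;
    }

    /** @param z whether to check the assertion signature against the SAML signature profile */
    public void setValidateSignatureAgainstProfile(boolean z) {
        this.validateSignatureAgainstProfile = z;
    }

    /** @return the subject confirmation method URI that must be present, or null if none is required */
    public String getRequiredSubjectConfirmationMethod() {
        return this.requiredSubjectConfirmationMethod;
    }

    /** @param str subject confirmation method URI that must be present; null disables the requirement */
    public void setRequiredSubjectConfirmationMethod(String str) {
        this.requiredSubjectConfirmationMethod = str;
    }

    /** @return whether at least one of holder-of-key / bearer / sender-vouches must be present */
    public boolean isRequireStandardSubjectConfirmationMethod() {
        return this.requireStandardSubjectConfirmationMethod;
    }

    /** @param z whether at least one of holder-of-key / bearer / sender-vouches must be present */
    public void setRequireStandardSubjectConfirmationMethod(boolean z) {
        this.requireStandardSubjectConfirmationMethod = z;
    }

    /** @return whether a bearer assertion must be signed */
    public boolean isRequireBearerSignature() {
        return this.requireBearerSignature;
    }

    /** @param z whether a bearer assertion must be signed (disabling this allows unsigned bearer tokens) */
    public void setRequireBearerSignature(boolean z) {
        this.requireBearerSignature = z;
    }

    /** @return maximum age (seconds) of an IssueInstant when no NotOnOrAfter condition is present */
    public int getTtl() {
        return this.ttl;
    }

    /** @param i maximum age (seconds) of an IssueInstant when no NotOnOrAfter condition is present */
    public void setTtl(int i) {
        this.ttl = i;
    }
}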
