package com.ibm.ws.security.saml.sso20.acs;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.saml.Constants;
import com.ibm.ws.security.saml.error.SamlException;
import com.ibm.ws.security.saml.sso20.binding.BasicMessageContext;
import com.ibm.ws.security.saml.sso20.internal.utils.MsgCtxUtil;
import com.ibm.ws.security.saml.sso20.internal.utils.RequestUtil;
import org.eclipse.persistence.jpa.jpql.parser.Expression;
import org.joda.time.DateTime;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.SAMLVersion;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.StatusMessage;
import org.opensaml.ws.security.SecurityPolicyException;

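/**
 * Validates the outer {@code <samlp:Response>} delivered to the SAML 2.0 Assertion
 * Consumer Service before the assertions it carries are examined.
 *
 * <p>{@link #validate()} runs the response-level checks in a fixed order and stops at
 * the first failure by throwing a {@link SamlException}; the only successful outcome
 * is {@code true}.
 *
 * <p>The clock-skew tolerance comes from {@code SsoConfig.getClockSkew()} and is treated
 * as a millisecond duration: it is passed straight to Joda {@code DateTime.plus(long)}
 * and divided by 1000 when reported in an error message.
 *
 * <p>An instance carries the state of exactly one inbound response; create a new
 * validator per response rather than sharing one.
 *
 * @param <InboundMessageType>  OpenSAML type of the inbound message held by the context
 * @param <OutboundMessageType> OpenSAML type of the outbound message held by the context
 * @param <NameIdentifierType>  OpenSAML type of the name identifier held by the context
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.saml.sso.2.0_1.0.15.jar:com/ibm/ws/security/saml/sso20/acs/ResponseValidator.class */
public class ResponseValidator<InboundMessageType extends SAMLObject, OutboundMessageType extends SAMLObject, NameIdentifierType extends SAMLObject> {
    private static TraceComponent tc = Tr.register((Class<?>) ResponseValidator.class, "SAML20", "com.ibm.ws.security.saml.sso20.internal.resources.SamlSso20Messages");
    /** Binding context of the inbound message: supplies SSO config, SSO service, servlet request and trust engine. */
    BasicMessageContext<InboundMessageType, OutboundMessageType, NameIdentifierType> context;
    /** The parsed response under validation. */
    Response samlResponse;
    /** Issuer value of the response; used only to populate error messages. */
    String issuer;
    /** Tolerated clock difference between IdP and SP, in milliseconds. */
    long clockSkewAllowed;
    // Has no effect here (the class does not implement Serializable); retained as part of the class's surface.
    static final long serialVersionUID = -1560360149743483689L;

    /**
     * Creates a validator for one inbound response.
     *
     * @param basicMessageContext binding context of the inbound message
     * @param response            the parsed {@code <samlp:Response>}
     * @throws NullPointerException if {@code response.getIssuer()} is {@code null}; the
     *         issuer value is read eagerly here, before {@link #validate()} runs
     */
    public ResponseValidator(BasicMessageContext<InboundMessageType, OutboundMessageType, NameIdentifierType> basicMessageContext, Response response) {
        this.context = basicMessageContext;
        this.samlResponse = response;
        this.issuer = response.getIssuer().getValue();
        this.clockSkewAllowed = basicMessageContext.getSsoConfig().getClockSkew();
    }

    /**
     * Runs every response-level check in order and stops at the first failure.
     *
     * <p>Order: status, presence of at least one assertion (plain or encrypted),
     * SAML version, {@code InResponseTo}, {@code IssueInstant}, {@code Destination},
     * {@code Issuer}, and finally the response signature when one is present.
     *
     * @return {@code true} when every check passes; failures are reported by exception
     * @throws SamlException on the first failing check
     */
    public boolean validate() throws SamlException {
        validateStatus();
        // A response carrying neither plain nor encrypted assertions has nothing to authenticate.
        if (this.samlResponse.getAssertions().isEmpty() && this.samlResponse.getEncryptedAssertions().isEmpty()) {
            throw new SamlException("SAML20_SP_NO_ASSERTION_ERROR", (Exception) null, new Object[]{this.issuer});
        }
        validateVersion();
        validateInResponseTo();
        validateIssueInstant();
        validateDestination();
        validateIssuer();
        validateResponseSignature();
        return true;
    }

    /**
     * Delegates {@code InResponseTo} correlation to {@code RequestUtil.validateInResponseTo}.
     *
     * <p>The attribute is passed through as read from the response; how an absent value
     * (as in an unsolicited, IdP-initiated response) is treated is decided by RequestUtil.
     *
     * @throws SamlException if the value does not correlate with an outstanding request
     */
    void validateInResponseTo() throws SamlException {
        RequestUtil.validateInResponseTo(this.context, this.samlResponse.getInResponseTo());
    }

    /**
     * Requires the top-level {@code <samlp:StatusCode>} to be {@code urn:oasis:names:tc:SAML:2.0:status:Success}.
     *
     * <p>On any other code the thrown exception carries the issuer, the top-level code and
     * a detail string chosen in this order: the {@code <samlp:StatusMessage>} text if
     * present, else the nested second-level status code, else the top-level code again.
     * Both the message and the codes originate from the IdP response and are reproduced
     * verbatim.
     *
     * @return {@code true} when the status is Success
     * @throws SamlException for every non-Success status
     */
    protected boolean validateStatus() throws SamlException {
        StatusCode statusCode = this.samlResponse.getStatus().getStatusCode();
        String value = statusCode.getValue();
        if (StatusCode.SUCCESS_URI.equals(value)) {
            return true;
        }
        String str = value;
        StatusMessage statusMessage = this.samlResponse.getStatus().getStatusMessage();
        if (statusMessage != null) {
            str = statusMessage.getMessage();
        } else {
            StatusCode statusCode2 = statusCode.getStatusCode();
            if (statusCode2 != null) {
                str = statusCode2.getValue();
            }
        }
        throw new SamlException("SAML20_SP_BAD_SAML_RESPONSE_ERROR", (Exception) null, new Object[]{this.issuer, value, str});
    }

    /**
     * Accepts only SAML version 2.0.
     *
     * @return {@code true} when the response declares major version 2 and minor version 0
     * @throws SamlException for any other version; the message carries the declared version
     */
    boolean validateVersion() throws SamlException {
        SAMLVersion version = this.samlResponse.getVersion();
        int majorVersion = version.getMajorVersion();
        int minorVersion = version.getMinorVersion();
        if (majorVersion == 2 && minorVersion == 0) {
            return true;
        }
        throw new SamlException("SAML20_SP_BAD_VERSION_ERROR", (Exception) null, new Object[]{version.toString()});
    }

    /**
     * Checks that the {@code Destination} attribute, when present, equals this SP's ACS URL exactly.
     *
     * <p>A response without {@code Destination} is accepted by this method.
     * NOTE(review): SAML 2.0 Core requires {@code Destination} on signed messages; this
     * method does not tie the two together, so confirm that a signed response lacking it
     * is rejected by another layer.
     *
     * <p>NOTE(review): the expected URL is computed from the current servlet request; if
     * {@code RequestUtil.getAcsUrl} derives scheme or host from request headers rather
     * than configuration, this comparison is only as reliable as the front end's host
     * validation.
     *
     * @return {@code true} when the attribute is absent or matches the ACS URL
     * @throws SamlException when the attribute is present and differs from the ACS URL
     */
    protected boolean validateDestination() throws SamlException {
        String destination = this.samlResponse.getDestination();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "destination is '" + destination + "'", new Object[0]);
        }
        if (destination == null) {
            return true;
        }
        String acsUrl = RequestUtil.getAcsUrl(this.context.getHttpServletRequest(), Constants.SAML20_CONTEXT_PATH, this.context.getSsoService().getProviderId(), this.context.getSsoConfig());
        // Plain string equality: no normalisation of case, trailing slashes or default ports.
        if (acsUrl.equals(destination)) {
            return true;
        }
        throw new SamlException("SAML20_RESPONSE_BAD_DESTINATION", (Exception) null, new Object[]{destination, acsUrl});
    }

    /**
     * Delegates {@code <saml:Issuer>} validation to {@code MsgCtxUtil.validateIssuer}.
     *
     * <p>The meaning of the trailing {@code false} argument is defined by MsgCtxUtil.
     *
     * @return the result of the delegated check
     * @throws SamlException if the issuer is not acceptable for this context
     */
    protected boolean validateIssuer() throws SamlException {
        return MsgCtxUtil.validateIssuer(this.samlResponse.getIssuer(), this.context, false);
    }

    /**
     * Checks that {@code IssueInstant} lies strictly within {@code clockSkewAllowed}
     * milliseconds of the current time, i.e. {@code issueInstant - skew < now < issueInstant + skew}.
     *
     * <p>The skew therefore also bounds the maximum accepted age of a response. Because
     * both comparisons are strict, a skew of {@code 0} yields an empty window and every
     * response is rejected.
     *
     * @return {@code true} when the instant is inside the window
     * @throws SamlException otherwise; the message reports the instant, the current time
     *         and the skew converted to seconds
     */
    protected boolean validateIssueInstant() throws SamlException {
        DateTime issueInstant = this.samlResponse.getIssueInstant();
        if (issueInstant.plus(this.clockSkewAllowed).isAfterNow() && issueInstant.minus(this.clockSkewAllowed).isBeforeNow()) {
            return true;
        }
        throw new SamlException("SAML20_RESPONSE_BAD_ISSUE_TIME", (Exception) null, new Object[]{this.samlResponse.getIssueInstant(), new DateTime(), Long.valueOf(this.clockSkewAllowed / 1000)});
    }

    /**
     * Verifies the response's enveloped XML signature if, and only if, one is present.
     *
     * <p>An unsigned response passes this step. NOTE(review): any requirement that the
     * response or its assertions be signed is not imposed here and must come from the
     * caller or from assertion-level validation.
     *
     * @throws SamlException if a signature is present but does not verify
     */
    protected void validateResponseSignature() throws SamlException {
        if (this.samlResponse.getSignature() != null) {
            verifyResponseSignature();
        }
    }

    /**
     * Evaluates the response signature against the trust engine of the context.
     *
     * <p>The policy rule records its verdict on the context; the check succeeds only if
     * the context afterwards reports the inbound message as authenticated. A
     * {@link SecurityPolicyException} raised by the rule is recorded via FFDC and
     * rethrown wrapped in a {@link SamlException} with the cause preserved.
     *
     * @throws SamlException if the rule rejects the signature or the context is not
     *         marked authenticated after evaluation
     */
    protected void verifyResponseSignature() throws SamlException {
        try {
            new SAMLMessageXMLSignatureSecurityPolicyRule(MsgCtxUtil.getTrustedEngine(this.context)).evaluateProtocol(this.context);
            if (!this.context.isInboundSAMLMessageAuthenticated()) {
                throw new SamlException("SAML20_SIGNATURE_NOT_VERIFIED_ERR", (Exception) null, new Object[0]);
            }
        } catch (SecurityPolicyException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.saml.sso20.acs.ResponseValidator", "247", this, new Object[0]);
            throw new SamlException(e);
        }
    }
}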
