package at.gv.egovernment.moa.id.protocols.pvp2x.verification;

import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException;
import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SAMLVerificationEngine;
import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AssertionValidationExeption;
import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.logging.Logger;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import org.joda.time.DateTime;
import org.opensaml.common.binding.decoding.BasicURLComparator;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.validator.AudienceRestrictionSchemaValidator;
import org.opensaml.saml2.core.validator.AudienceSchemaValidator;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.validation.ValidationException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

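/* loaded from: input_file:at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngineSP.class */
/**
 * Service-provider side validation of a PVP 2.1 (SAML 2.0) {@link Response}.
 *
 * <p>What this class checks on the response: the top-level status code, the {@code Destination}
 * attribute against the SP's configured public URL prefixes, the {@code IssueInstant}, and, per
 * assertion (after decrypting {@code EncryptedAssertion} elements with the SP credential), schema
 * validity, the {@code Conditions} validity period and the {@code AudienceRestriction}. Assertions
 * that fail are dropped from the response; if none survive, validation fails.
 *
 * <p>NOTE(review): XML signature verification of the response/assertions is not done in this class;
 * it is assumed to be performed by the parent {@link SAMLVerificationEngine} before or after this
 * step — confirm against the caller.
 */
@Service("SAMLVerificationEngineSP")
public class SAMLVerificationEngineSP extends SAMLVerificationEngine {

    /** SAML 2.0 top-level status code that signals a successful response. */
    private static final String SAML_STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";

    /** Clock-skew tolerance (minutes) applied to {@code IssueInstant} and {@code Conditions/NotBefore}. */
    private static final int CLOCK_SKEW_MINUTES = 5;

    @Autowired
    AuthConfiguration authConfig;

    /**
     * Validates the response with the validity-period checks enabled.
     *
     * @see #validateAssertion(Response, boolean, Credential, String, String, boolean)
     */
    public void validateAssertion(Response response, boolean checkDestination, Credential credential,
            String expectedAudienceURI, String errorMsgContext) throws AssertionValidationExeption {
        validateAssertion(response, checkDestination, credential, expectedAudienceURI, errorMsgContext, true);
    }

    /**
     * Validates a PVP 2.1 response and strips every assertion that is not valid.
     *
     * <p>On success the response's assertion list is replaced by the (decrypted) assertions that
     * passed all checks and its encrypted-assertion list is cleared.
     *
     * @param response             the received SAML response (must not be {@code null})
     * @param checkDestination     whether the {@code Destination} attribute must start with one of
     *                             the SP's configured public URL prefixes
     * @param credential           SP credential used to unwrap the encryption key of encrypted assertions
     * @param expectedAudienceURI  URI every {@code Audience} of an assertion must match
     * @param errorMsgContext      first placeholder of the {@code sp.pvp2.*} error messages; presumably
     *                             an identifier of the peer shown to the user — confirm with the callers
     * @param checkValidityPeriod  whether {@code IssueInstant} and {@code Conditions} time bounds are checked
     * @throws AssertionValidationExeption if the response status is not success, the destination,
     *         {@code IssueInstant} or decryption fails, the configuration cannot be read, or no valid
     *         assertion remains
     */
    public void validateAssertion(Response response, boolean checkDestination, Credential credential,
            String expectedAudienceURI, String errorMsgContext, boolean checkValidityPeriod)
            throws AssertionValidationExeption {
        try {
            checkResponseStatus(response, errorMsgContext);
            if (checkDestination) {
                checkDestination(response, errorMsgContext);
            }
            checkIssueInstant(response, errorMsgContext, checkValidityPeriod);

            List<Assertion> validAssertions = new ArrayList<Assertion>();
            for (Assertion assertion : collectAssertions(response, credential)) {
                if (isAssertionValid(assertion, expectedAudienceURI, checkValidityPeriod)) {
                    Logger.debug("Add valid Assertion:" + assertion.getID());
                    validAssertions.add(assertion);
                } else {
                    Logger.warn("Remove non-valid Assertion:" + assertion.getID());
                }
            }

            if (validAssertions.isEmpty()) {
                Logger.info("No valid PVP 2.1 assertion received.");
                throw new AssertionValidationExeption("sp.pvp2.10", new Object[]{errorMsgContext});
            }

            // Hand only the validated (and decrypted) assertions on to the caller.
            response.getAssertions().clear();
            response.getEncryptedAssertions().clear();
            response.getAssertions().addAll(validAssertions);

        } catch (DecryptionException e) {
            Logger.warn("Assertion decrypt FAILED.", e);
            throw new AssertionValidationExeption("sp.pvp2.11", (Object[]) null, e);

        } catch (ConfigurationException e) {
            throw new AssertionValidationExeption("pvp.12", (Object[]) null, e);
        }
    }

    /**
     * Rejects a response whose top-level status code is not {@code Success}.
     *
     * @throws AssertionValidationExeption with code {@code sp.pvp2.05} carrying issuer, status code
     *         and status message (both issuer and message may be absent and are passed as {@code null})
     */
    private static void checkResponseStatus(Response response, String errorMsgContext)
            throws AssertionValidationExeption {
        String statusCode = response.getStatus().getStatusCode().getValue();
        if (SAML_STATUS_SUCCESS.equals(statusCode)) {
            return;
        }
        Logger.info("PVP 2.1 assertion includes an error. Receive errorcode " + statusCode);
        // Issuer and StatusMessage are optional; guard them so that a missing element does not
        // turn the status error into a NullPointerException that hides the real error code.
        String issuer = response.getIssuer() != null ? response.getIssuer().getValue() : null;
        String statusMessage = response.getStatus().getStatusMessage() != null
                ? response.getStatus().getStatusMessage().getMessage() : null;
        throw new AssertionValidationExeption("sp.pvp2.05",
                new Object[]{errorMsgContext, issuer, statusCode, statusMessage});
    }

    /**
     * Rejects a response whose {@code Destination} does not start with one of the SP's public URL
     * prefixes. A missing {@code Destination} is treated as a mismatch.
     *
     * <p>This is a plain string-prefix match: configured prefixes should be complete origins
     * (scheme and full host, ideally with a trailing slash), otherwise a host whose name merely
     * extends the configured one would also match.
     *
     * @throws ConfigurationException if the public URL prefixes cannot be read from the configuration
     */
    private void checkDestination(Response response, String errorMsgContext)
            throws AssertionValidationExeption, ConfigurationException {
        String destination = response.getDestination();
        List<String> publicUrlPrefixes = this.authConfig.getPublicURLPrefix();
        boolean matches = false;
        if (destination != null && publicUrlPrefixes != null) {
            for (String prefix : publicUrlPrefixes) {
                if (destination.startsWith(prefix)) {
                    matches = true;
                    break;
                }
            }
        }
        if (!matches) {
            Logger.warn("PVP 2.1 assertion destination does not match to IDP URL");
            throw new AssertionValidationExeption("sp.pvp2.07",
                    new Object[]{errorMsgContext, "'Destination' attribute is not valid"});
        }
    }

    /**
     * Rejects a response without {@code IssueInstant}, and — when the validity period is checked —
     * one whose {@code IssueInstant} lies in the future beyond the clock-skew tolerance.
     *
     * <p>NOTE(review): no maximum age is enforced on {@code IssueInstant} here; freshness presumably
     * relies on the assertions' {@code Conditions/NotOnOrAfter} — confirm.
     */
    private static void checkIssueInstant(Response response, String errorMsgContext, boolean checkValidityPeriod)
            throws AssertionValidationExeption {
        DateTime issueInstant = response.getIssueInstant();
        if (issueInstant == null) {
            Logger.warn("PVP response does not include a 'IssueInstant' attribute");
            throw new AssertionValidationExeption("sp.pvp2.07",
                    new Object[]{errorMsgContext, "'IssueInstant' attribute is not included"});
        }
        if (checkValidityPeriod && issueInstant.minusMinutes(CLOCK_SKEW_MINUTES).isAfterNow()) {
            Logger.warn("PVP response: IssueInstant DateTime is not valid anymore.");
            throw new AssertionValidationExeption("sp.pvp2.07",
                    new Object[]{errorMsgContext, "'IssueInstant' Time is not valid any more"});
        }
    }

    /**
     * Returns the assertions to validate: the decrypted {@code EncryptedAssertion}s if the response
     * carries any, otherwise its plain {@code Assertion}s.
     *
     * <p>If encrypted assertions are present, plain assertions in the same response are ignored
     * (they are discarded later when the response's assertion list is replaced).
     *
     * @throws DecryptionException if an encrypted assertion cannot be decrypted with {@code credential}
     */
    private static List<Assertion> collectAssertions(Response response, Credential credential)
            throws DecryptionException {
        List<Assertion> assertions = new ArrayList<Assertion>();
        List<EncryptedAssertion> encryptedAssertions = response.getEncryptedAssertions();
        if (encryptedAssertions == null || encryptedAssertions.isEmpty()) {
            assertions.addAll(response.getAssertions());
            return assertions;
        }

        Logger.debug("Found encryped assertion. Start decryption ...");
        Decrypter decrypter = buildDecrypter(credential);
        for (EncryptedAssertion encryptedAssertion : encryptedAssertions) {
            assertions.add(decrypter.decrypt(encryptedAssertion));
        }
        Logger.debug("Assertion decryption finished. ");
        return assertions;
    }

    /**
     * Builds the decrypter for encrypted assertions: the SP credential is used only as key-encryption
     * key (to unwrap the {@code EncryptedKey}); no resolver is set for the data encryption key itself.
     * Encrypted keys are looked up inline, in the {@code EncryptedData} element and via
     * {@code RetrievalMethod}, in that order.
     */
    private static Decrypter buildDecrypter(Credential credential) {
        StaticKeyInfoCredentialResolver kekResolver = new StaticKeyInfoCredentialResolver(credential);
        ChainingEncryptedKeyResolver encKeyResolver = new ChainingEncryptedKeyResolver();
        encKeyResolver.getResolverChain().add(new InlineEncryptedKeyResolver());
        encKeyResolver.getResolverChain().add(new EncryptedElementTypeEncryptedKeyResolver());
        encKeyResolver.getResolverChain().add(new SimpleRetrievalMethodEncryptedKeyResolver());
        return new Decrypter((KeyInfoCredentialResolver) null, kekResolver, encKeyResolver);
    }

    /**
     * Checks one assertion: schema validity, presence of {@code Conditions}, the validity period
     * (only if {@code checkValidityPeriod}) and the audience restriction. All checks are evaluated
     * so that every problem is logged; a schema or validator failure is logged and counts as invalid.
     */
    private boolean isAssertionValid(Assertion assertion, String expectedAudienceURI, boolean checkValidityPeriod) {
        String assertionID = assertion.getID();
        try {
            performSchemaValidation(assertion.getDOM());

            Conditions conditions = assertion.getConditions();
            if (conditions == null) {
                Logger.info("Assertion:" + assertionID + " contains not 'Conditions' element");
                return false;
            }

            boolean valid = true;
            if (checkValidityPeriod && !isWithinValidityPeriod(assertion, conditions)) {
                valid = false;
            }
            if (!hasValidAudienceRestriction(assertion, conditions, expectedAudienceURI)) {
                valid = false;
            }
            return valid;

        } catch (ValidationException e) {
            Logger.info("Assertion:" + assertionID + " AudienceRestriction schema-validation FAILED. Msg:" + e.getMessage());
            return false;

        } catch (SchemaValidationException e) {
            Logger.info("Assertion:" + assertionID + " Schema validation FAILED. Msg:" + e.getMessage());
            return false;
        }
    }

    /**
     * Checks {@code Conditions/NotBefore} (with clock-skew tolerance) and {@code NotOnOrAfter}
     * (without tolerance) against the current time. Both bounds are required here even though the
     * SAML schema makes them optional; a missing bound is an explicit reject rather than the
     * NullPointerException it used to be.
     */
    private static boolean isWithinValidityPeriod(Assertion assertion, Conditions conditions) {
        DateTime notBefore = conditions.getNotBefore();
        DateTime notOnOrAfter = conditions.getNotOnOrAfter();
        if (notBefore == null || notOnOrAfter == null) {
            Logger.info("Assertion:" + assertion.getID() + " has no 'NotBefore' or 'NotOnOrAfter' condition");
            return false;
        }
        DateTime notBeforeWithSkew = notBefore.minusMinutes(CLOCK_SKEW_MINUTES);
        if (notBeforeWithSkew.isAfterNow() || notOnOrAfter.isBeforeNow()) {
            Logger.info("Assertion:" + assertion.getID() + " is out of Date. { Current : " + new DateTime()
                    + " NotBefore: " + notBeforeWithSkew + " NotAfter : " + notOnOrAfter + " }");
            return false;
        }
        return true;
    }

    /**
     * Requires at least one {@code AudienceRestriction} and that every {@code Audience} in every
     * restriction equals {@code expectedAudienceURI}. This is stricter than SAML core, where one
     * matching audience per restriction suffices; all audiences are checked so each mismatch is logged.
     *
     * @throws ValidationException if an {@code AudienceRestriction} or {@code Audience} fails its schema validator
     */
    private static boolean hasValidAudienceRestriction(Assertion assertion, Conditions conditions,
            String expectedAudienceURI) throws ValidationException {
        List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions();
        if (audienceRestrictions == null || audienceRestrictions.isEmpty()) {
            Logger.info("Assertion:" + assertion.getID() + " has not 'AudienceRestriction' element");
            return false;
        }
        boolean valid = true;
        for (AudienceRestriction restriction : audienceRestrictions) {
            restriction.registerValidator(new AudienceRestrictionSchemaValidator());
            restriction.validate(false);
            for (Audience audience : restriction.getAudiences()) {
                audience.registerValidator(new AudienceSchemaValidator());
                audience.validate(false);
                if (!urlCompare(expectedAudienceURI, audience.getAudienceURI())) {
                    Logger.info("Assertion:" + assertion.getID() + " 'AudienceRestriction' is not valid.");
                    valid = false;
                }
            }
        }
        return valid;
    }

    /**
     * Compares two URLs with OpenSAML's {@link BasicURLComparator}, case-sensitively.
     *
     * @param expected the expected URL
     * @param actual   the URL taken from the message
     * @return {@code true} if the comparator considers both URLs equal
     */
    protected static boolean urlCompare(String expected, String actual) {
        BasicURLComparator comparator = new BasicURLComparator();
        comparator.setCaseInsensitive(false);
        return comparator.compare(expected, actual);
    }
}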
