package de.governikus.panstar.sdk.saml.response;

import de.governikus.panstar.sdk.saml.SamlInitializer;
import de.governikus.panstar.sdk.saml.configuration.SamlConfiguration;
import de.governikus.panstar.sdk.saml.configuration.SamlConfigurationHelper;
import de.governikus.panstar.sdk.saml.exception.SamlAuthenticationException;
import de.governikus.panstar.sdk.saml.exception.UnsuccessfulSamlAuthenticationProcessException;
import de.governikus.panstar.sdk.utils.exception.ErrorCodeException;
import de.governikus.panstar.sdk.utils.exception.InvalidInputException;
import de.governikus.panstar.sdk.utils.saml.SAMLUtils;
import de.governikus.panstar.sdk.utils.saml.SamlDecrypterUtils;
import de.governikus.panstar.sdk.utils.xml.XMLSignatureHandler;
import java.io.ByteArrayInputStream;
import java.net.URL;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.zip.DataFormatException;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.utilities.java.support.xml.XMLParserException;
import org.apache.commons.lang3.StringUtils;
import org.opensaml.core.config.InitializationException;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.io.UnmarshallingException;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.security.credential.BasicCredential;
import org.opensaml.security.credential.CredentialSupport;
import org.opensaml.xmlsec.encryption.support.Decrypter;
import org.opensaml.xmlsec.encryption.support.DecryptionException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;

/* loaded from: input_file:de/governikus/panstar/sdk/saml/response/SamlResponseHandler.class */
public class SamlResponseHandler {
    private static final Logger LOG = LoggerFactory.getLogger(SamlResponseHandler.class);
    private final SamlConfiguration samlConfiguration;
    protected boolean checkAssertionTime = true;

    public SamlResponseHandler(@Nonnull SamlConfiguration samlConfiguration) throws InitializationException, InvalidInputException {
        this.samlConfiguration = samlConfiguration;
        SamlConfigurationHelper.checkSamlConfiguration(this.samlConfiguration);
        SamlInitializer.initialize();
    }

    public ProcessedSamlResult parseSamlResponse(String str) throws SamlAuthenticationException, InvalidInputException, UnsuccessfulSamlAuthenticationProcessException {
        Map<String, String> parameterList = getParameterList(str, true);
        if (parameterList.containsKey("SAMLResponse") && parameterList.containsKey("Signature") && parameterList.containsKey("SigAlg")) {
            return parseSamlResponse(parameterList.get("SAMLResponse"), parameterList.get("RelayState"), parameterList.get("Signature"), parameterList.get("SigAlg"));
        }
        throw new InvalidInputException(String.format("Given query string misses some parameter. Necessary are: %s. Found parameter: %s", String.join(",", List.of("SAMLResponse", "Signature", "SigAlg")), String.join(",", parameterList.values())));
    }

    public ProcessedSamlEidasResult parseEidasSamlResponse(String str) throws SamlAuthenticationException, InvalidInputException, UnsuccessfulSamlAuthenticationProcessException {
        return new ProcessedSamlEidasResult(parseToResponse(Base64.getMimeDecoder().decode(str), true, false));
    }

    public ProcessedSamlResult parseSamlResponse(String str, @Nullable String str2, String str3, String str4) throws SamlAuthenticationException, InvalidInputException, UnsuccessfulSamlAuthenticationProcessException {
        if (str == null) {
            throw new InvalidInputException("Argument samlResponse may not be null!");
        }
        if (str3 == null) {
            throw new InvalidInputException("Argument signature may not be null!");
        }
        if (str4 == null) {
            throw new InvalidInputException("Argument signatureAlgorithm may not be null!");
        }
        if (!SAMLUtils.checkQuerySignature(str, str2, str4, str3, this.samlConfiguration.getSamlKeyMaterial().getSamlResponseSignatureValidatingCertificate(), false)) {
            throw new SamlAuthenticationException("Signature is invalid!");
        }
        try {
            ParsedResponse parseToResponse = parseToResponse(SAMLUtils.inflate(str), false, false);
            validateSamlResponse(parseToResponse, this.samlConfiguration.getSamlServiceProviderConfiguration().getSamlResponseReceiverUrl(), this.samlConfiguration.getSamlServiceProviderConfiguration().getSamlEntityId());
            return new ProcessedSamlResult(parseToResponse);
        } catch (DataFormatException e) {
            throw new InvalidInputException("samlResponse not in expected format", e);
        }
    }

    private ParsedResponse parseToResponse(byte[] bArr, boolean z, boolean z2) throws SamlAuthenticationException, InvalidInputException {
        try {
            Document parse = XMLObjectProviderRegistrySupport.getParserPool().parse(new ByteArrayInputStream(bArr));
            Response unmarshall = XMLObjectProviderRegistrySupport.getUnmarshallerFactory().getUnmarshaller(parse.getDocumentElement()).unmarshall(parse.getDocumentElement());
            if (z) {
                try {
                    XMLSignatureHandler.checkSignature(unmarshall.getSignature(), new X509Certificate[]{this.samlConfiguration.getSamlKeyMaterial().getSamlResponseSignatureValidatingCertificate()});
                } catch (ErrorCodeException e) {
                    throw new SamlAuthenticationException((Throwable) e);
                }
            }
            HashSet hashSet = new HashSet();
            BasicCredential simpleCredential = CredentialSupport.getSimpleCredential(this.samlConfiguration.getSamlKeyMaterial().getSamlResponseDecryptionKeyPair().getPublic(), this.samlConfiguration.getSamlKeyMaterial().getSamlResponseDecryptionKeyPair().getPrivate());
            for (EncryptedAssertion encryptedAssertion : unmarshall.getEncryptedAssertions()) {
                Decrypter decrypter = SamlDecrypterUtils.setupDecrypter(simpleCredential);
                decrypter.setRootInNewDocument(true);
                try {
                    unmarshall.getAssertions().add(decrypter.decryptData(encryptedAssertion.getEncryptedData()));
                    hashSet.add(encryptedAssertion);
                } catch (DecryptionException e2) {
                    throw new SamlAuthenticationException("Could not decrypt assertion", e2);
                }
            }
            unmarshall.getEncryptedAssertions().removeAll(hashSet);
            if (z2) {
                Iterator it = unmarshall.getAssertions().iterator();
                while (it.hasNext()) {
                    try {
                        XMLSignatureHandler.checkSignature(((Assertion) it.next()).getSignature(), new X509Certificate[]{this.samlConfiguration.getSamlKeyMaterial().getSamlResponseSignatureValidatingCertificate()});
                    } catch (ErrorCodeException e3) {
                        throw new SamlAuthenticationException((Throwable) e3);
                    }
                }
            }
            return new ParsedResponse(unmarshall, this.checkAssertionTime);
        } catch (XMLParserException | UnmarshallingException | NullPointerException e4) {
            throw new InvalidInputException("Could not parse or unmarshal the saml response!", e4);
        }
    }

    private void validateSamlResponse(ParsedResponse parsedResponse, Optional<URL> optional, String str) throws SamlAuthenticationException {
        LOG.trace("validating parsed saml response");
        if (optional.isPresent() && !StringUtils.equals(optional.get().toString(), parsedResponse.getResponse().getDestination())) {
            throw new SamlAuthenticationException("expected destination does not match the real destination: \n\texpected destination: " + optional.get() + "\n\treal destination: " + parsedResponse.getResponse().getDestination());
        }
        validateParsedAssertions(parsedResponse, str);
        if (parsedResponse.isStatusSuccess()) {
            LOG.trace("saml response was parsed successfully");
        }
    }

    private void validateParsedAssertions(ParsedResponse parsedResponse, String str) throws SamlAuthenticationException {
        ParsedAssertion assertion = parsedResponse.getAssertion();
        if (str != null && assertion != null) {
            if (assertion.getAudienceRestrictions().size() != 1) {
                throw new SamlAuthenticationException("audience restriction must contain exactly a single element but it contains '" + assertion.getAudienceRestrictions().size() + "' elements.");
            }
            if (!assertion.getAudienceRestrictions().get(0).equals(str)) {
                throw new SamlAuthenticationException("audience restriction was expected to be for audience '" + str + "' but it is for '" + assertion.getAudienceRestrictions().get(0) + "'");
            }
        }
        if (!this.checkAssertionTime || assertion == null) {
            return;
        }
        Instant now = Instant.now();
        if (now.plusSeconds(10L).isBefore(assertion.getAssertion().getIssueInstant())) {
            throw new SamlAuthenticationException("SAML response is not yet valid: (issueInstant = " + assertion.getAssertion().getIssueInstant() + ")");
        }
        if (now.isAfter(assertion.getNotOnOrAfter())) {
            throw new SamlAuthenticationException("SAML response has expired: (notOnOrAfter = " + assertion.getNotOnOrAfter() + ")");
        }
    }

    private static Map<String, String> getParameterList(String str, boolean z) {
        HashMap hashMap = new HashMap();
        for (String str2 : str.split("&")) {
            String[] split = str2.split("=");
            String str3 = split[0];
            if (split.length == 1) {
                throw new IllegalArgumentException("Parameter has no value: " + str3);
            }
            if (hashMap.containsKey(str3)) {
                throw new IllegalArgumentException("Parameter must be unique: " + str3);
            }
            String str4 = split[1];
            hashMap.put(str3, z ? URLDecoder.decode(str4, StandardCharsets.UTF_8) : str4);
        }
        return hashMap;
    }

    void setCheckAssertionTime(boolean z) {
        this.checkAssertionTime = z;
    }
}
