package org.apereo.cas.support.saml.web.idp.profile.builders.enc.validate;

import com.google.common.collect.Sets;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import lombok.Generated;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties;
import org.apereo.cas.support.saml.SamlException;
import org.apereo.cas.support.saml.SamlIdPUtils;
import org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.common.messaging.context.SAMLProtocolContext;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.metadata.resolver.MetadataResolver;
import org.opensaml.saml.metadata.resolver.RoleDescriptorResolver;
import org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPRedirectDeflateSignatureSecurityHandler;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml.security.impl.MetadataCredentialResolver;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.credential.impl.StaticCredentialResolver;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.xmlsec.SignatureValidationConfiguration;
import org.opensaml.xmlsec.SignatureValidationParameters;
import org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap;
import org.opensaml.xmlsec.context.SecurityParametersContext;
import org.opensaml.xmlsec.criterion.SignatureValidationConfigurationCriterion;
import org.opensaml.xmlsec.impl.BasicSignatureValidationConfiguration;
import org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-saml-idp-web-6.5.8.jar:org/apereo/cas/support/saml/web/idp/profile/builders/enc/validate/SamlObjectSignatureValidator.class */
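/**
 * Verifies the signature on an inbound SAML 2 request against the signing
 * credentials published in the requesting service provider's metadata.
 *
 * <p>Two verification paths exist, chosen by {@link #verifySamlProfileRequestIfNeeded}:
 * <ul>
 *   <li>an XML signature embedded in the request is checked structurally
 *       ({@link SAMLSignatureProfileValidator}) and then cryptographically
 *       ({@link SignatureValidator}) against each resolved credential;</li>
 *   <li>a request without an embedded signature is handed to
 *       {@link SAML2HTTPRedirectDeflateSignatureSecurityHandler}, which evaluates the
 *       signature carried by the HTTP-Redirect binding, again once per credential.</li>
 * </ul>
 * In both paths the first credential that verifies wins; if none does, a
 * {@link SamlException} is thrown. Credentials are resolved with usage
 * {@link UsageType#SIGNING} from the {@code SPSSODescriptor} role of the issuer.
 *
 * <p>Instances are immutable after construction; the optional algorithm override lists
 * constrain which signature algorithms are accepted during validation.
 */
public class SamlObjectSignatureValidator {

    private static final Logger LOGGER = LoggerFactory.getLogger(SamlObjectSignatureValidator.class);

    /** Reference digest-method overrides; stored for subclasses, not read by this class. */
    protected final List<String> overrideSignatureReferenceDigestMethods;

    /** Signature-algorithm overrides; stored for subclasses, not read by this class. */
    protected final List<String> overrideSignatureAlgorithms;

    /** Algorithms rejected during validation; {@code null} or empty leaves the OpenSAML defaults in place. */
    protected final List<String> overrideBlockedSignatureAlgorithms;

    /** Algorithms explicitly permitted during validation; {@code null} or empty leaves the OpenSAML defaults in place. */
    protected final List<String> overrideAllowedAlgorithms;

    /** CAS settings; only the SAML IdP metadata section is consulted here. */
    protected final CasConfigurationProperties casProperties;

    /**
     * Creates a validator.
     *
     * @param overrideSignatureReferenceDigestMethods reference digest-method overrides (may be {@code null})
     * @param overrideSignatureAlgorithms             signature-algorithm overrides (may be {@code null})
     * @param overrideBlockedSignatureAlgorithms      algorithms to reject during validation (may be {@code null})
     * @param overrideAllowedAlgorithms               algorithms to accept during validation (may be {@code null})
     * @param casProperties                           CAS configuration
     */
    public SamlObjectSignatureValidator(final List<String> overrideSignatureReferenceDigestMethods,
                                        final List<String> overrideSignatureAlgorithms,
                                        final List<String> overrideBlockedSignatureAlgorithms,
                                        final List<String> overrideAllowedAlgorithms,
                                        final CasConfigurationProperties casProperties) {
        this.overrideSignatureReferenceDigestMethods = overrideSignatureReferenceDigestMethods;
        this.overrideSignatureAlgorithms = overrideSignatureAlgorithms;
        this.overrideBlockedSignatureAlgorithms = overrideBlockedSignatureAlgorithms;
        this.overrideAllowedAlgorithms = overrideAllowedAlgorithms;
        this.casProperties = casProperties;
    }

    /**
     * Verifies the request signature using credentials resolved through the given metadata resolver.
     *
     * <p>Despite the name, verification is always attempted: a request carrying an embedded
     * XML signature is verified directly, any other request is passed to the HTTP-Redirect
     * binding handler. Whether an unsigned redirect request is acceptable is decided by that
     * handler and is not visible in this class.
     *
     * @param requestAbstractType the SAML request
     * @param metadataResolver    resolver for the service provider's metadata
     * @param httpServletRequest  the HTTP request carrying the SAML message
     * @param messageContext      the OpenSAML message context being populated
     * @throws SamlException if no signing credential verifies the request
     * @throws Exception     on metadata or validation failures
     */
    public void verifySamlProfileRequestIfNeeded(final RequestAbstractType requestAbstractType,
                                                 final MetadataResolver metadataResolver,
                                                 final HttpServletRequest httpServletRequest,
                                                 final MessageContext messageContext) throws Exception {
        RoleDescriptorResolver roleDescriptorResolver = getRoleDescriptorResolver(metadataResolver, messageContext, requestAbstractType);
        LOGGER.debug("Validating signature for [{}]", requestAbstractType.getClass().getName());
        Signature signature = requestAbstractType.getSignature();
        if (signature != null) {
            validateSignatureOnProfileRequest(requestAbstractType, signature, roleDescriptorResolver);
        } else {
            validateSignatureOnAuthenticationRequest(requestAbstractType, httpServletRequest, messageContext, roleDescriptorResolver);
        }
    }

    /**
     * Convenience overload that takes the metadata resolver from a registered-service metadata facade.
     *
     * @param requestAbstractType the SAML request
     * @param facade              metadata facade of the registered service provider
     * @param httpServletRequest  the HTTP request carrying the SAML message
     * @param messageContext      the OpenSAML message context being populated
     * @throws Exception see {@link #verifySamlProfileRequestIfNeeded(RequestAbstractType, MetadataResolver, HttpServletRequest, MessageContext)}
     */
    public void verifySamlProfileRequestIfNeeded(final RequestAbstractType requestAbstractType,
                                                 final SamlRegisteredServiceServiceProviderMetadataFacade facade,
                                                 final HttpServletRequest httpServletRequest,
                                                 final MessageContext messageContext) throws Exception {
        verifySamlProfileRequestIfNeeded(requestAbstractType, facade.getMetadataResolver(), httpServletRequest, messageContext);
    }

    /**
     * Builds the role-descriptor resolver used to look up the issuer's SP role.
     * The unused parameters are part of the hook signature so subclasses can vary the resolver per request.
     *
     * @param metadataResolver    the underlying metadata resolver
     * @param messageContext      the current message context
     * @param requestAbstractType the SAML request
     * @return a role-descriptor resolver honouring the configured {@code requireValidMetadata} setting
     * @throws Exception if the resolver cannot be built
     */
    protected RoleDescriptorResolver getRoleDescriptorResolver(final MetadataResolver metadataResolver,
                                                               final MessageContext messageContext,
                                                               final RequestAbstractType requestAbstractType) throws Exception {
        boolean requireValidMetadata = this.casProperties.getAuthn().getSamlIdp().getMetadata().getCore().isRequireValidMetadata();
        return SamlIdPUtils.getRoleDescriptorResolver(metadataResolver, requireValidMetadata);
    }

    /**
     * Verifies a request with no embedded XML signature via the HTTP-Redirect binding handler.
     *
     * <p>The peer-entity and protocol sub-contexts are populated first because the handler reads
     * them. One {@link ExplicitKeySignatureTrustEngine} is built per resolved credential so an SP
     * that publishes several signing keys (e.g. during key rollover) still verifies.
     *
     * @throws SamlException if no credential can be resolved or none verifies the request
     * @throws Exception     on metadata lookup failures
     */
    private void validateSignatureOnAuthenticationRequest(final RequestAbstractType requestAbstractType,
                                                          final HttpServletRequest httpServletRequest,
                                                          final MessageContext messageContext,
                                                          final RoleDescriptorResolver roleDescriptorResolver) throws Exception {
        SAMLPeerEntityContext peerContext = (SAMLPeerEntityContext) messageContext.getSubcontext(SAMLPeerEntityContext.class, true);
        peerContext.setEntityId(SamlIdPUtils.getIssuerFromSamlObject(requestAbstractType));
        String entityId = Objects.requireNonNull(peerContext.getEntityId(), "SAML request issuer (entity id) must be present");
        LOGGER.debug("Validating request signature for [{}]...", entityId);

        CriteriaSet roleCriteria = new CriteriaSet(new EntityIdCriterion(entityId), new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
        // resolveSingle() returns null when the SP role is absent from metadata; fail with a message rather than a bare NPE.
        peerContext.setRole(Objects.requireNonNull(roleDescriptorResolver.resolveSingle(roleCriteria),
            "No SPSSODescriptor found in metadata for entity id " + entityId).getElementQName());
        ((SAMLProtocolContext) messageContext.getSubcontext(SAMLProtocolContext.class, true)).setProtocol(SAMLConstants.SAML20P_NS);

        LOGGER.debug("Building security parameters context for signature validation of [{}]", entityId);
        SecurityParametersContext securityParametersContext = (SecurityParametersContext) messageContext.getSubcontext(SecurityParametersContext.class, true);
        SignatureValidationParameters signatureValidationParameters = buildSignatureValidationParameters();

        LOGGER.debug("Resolving signing credentials for [{}]", entityId);
        Set<Credential> signingCredentials = getSigningCredential(roleDescriptorResolver, requestAbstractType);
        if (signingCredentials.isEmpty()) {
            throw new SamlException("Signing credentials for validation could not be resolved");
        }

        for (Credential credential : signingCredentials) {
            SAML2HTTPRedirectDeflateSignatureSecurityHandler handler = new SAML2HTTPRedirectDeflateSignatureSecurityHandler();
            try {
                // The trust engine is keyed to exactly this credential; the parameters object is reused across iterations.
                signatureValidationParameters.setSignatureTrustEngine(
                    new ExplicitKeySignatureTrustEngine(new StaticCredentialResolver(credential), new StaticKeyInfoCredentialResolver(credential)));
                securityParametersContext.setSignatureValidationParameters(signatureValidationParameters);
                handler.setHttpServletRequest(httpServletRequest);
                LOGGER.debug("Initializing [{}] to execute signature validation for [{}]", handler.getClass().getSimpleName(), entityId);
                handler.initialize();
                LOGGER.debug("Invoking [{}] to handle signature validation for [{}]", handler.getClass().getSimpleName(), entityId);
                handler.invoke(messageContext);
                LOGGER.debug("Successfully validated request signature for [{}].", requestAbstractType.getIssuer());
                return;
            } catch (final Exception e) {
                // A failure with one credential is expected when the SP publishes several keys; keep trying the rest.
                LOGGER.debug("Signature validation with credential for [{}] failed: [{}]", credential.getEntityId(), e.getMessage(), e);
            } finally {
                handler.destroy();
            }
        }
        LOGGER.error("No valid credentials could be found to verify the signature for [{}]", requestAbstractType.getIssuer());
        throw new SamlException("No valid signing credentials for validation could not be resolved");
    }

    /**
     * Verifies an XML signature embedded in the request.
     *
     * <p>The signature is first checked against the SAML signature profile so that a structurally
     * non-conforming signature is rejected before any key material is consulted; only then is it
     * verified cryptographically against each resolved credential.
     *
     * @throws SamlException if no credential can be resolved or none verifies the signature
     * @throws Exception     if the signature violates the SAML signature profile or metadata lookup fails
     */
    private void validateSignatureOnProfileRequest(final RequestAbstractType requestAbstractType,
                                                   final Signature signature,
                                                   final RoleDescriptorResolver roleDescriptorResolver) throws Exception {
        SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
        LOGGER.debug("Validating profile signature for [{}] via [{}]...", requestAbstractType.getIssuer(), profileValidator.getClass().getSimpleName());
        profileValidator.validate(signature);
        LOGGER.debug("Successfully validated profile signature for [{}].", requestAbstractType.getIssuer());

        Set<Credential> signingCredentials = getSigningCredential(roleDescriptorResolver, requestAbstractType);
        if (signingCredentials.isEmpty()) {
            throw new SamlException("Signing credentials for validation could not be resolved based on the provided signature");
        }

        for (Credential credential : signingCredentials) {
            try {
                LOGGER.debug("Validating signature using credentials for [{}]", credential.getEntityId());
                SignatureValidator.validate(signature, credential);
                LOGGER.info("Successfully validated the request signature.");
                return;
            } catch (final Exception e) {
                // Expected when the SP publishes several signing keys; the next credential is tried.
                LOGGER.debug("Signature validation with credential for [{}] failed: [{}]", credential.getEntityId(), e.getMessage(), e);
            }
        }
        LOGGER.error("No valid credentials could be found to verify the signature for [{}]", requestAbstractType.getIssuer());
        throw new SamlException("No valid signing credentials for validation could not be resolved");
    }

    /**
     * Builds the per-request signature validation parameters, applying the configured
     * blocked/allowed algorithm overrides when they are non-empty.
     *
     * @return parameters without a trust engine; the caller sets one per credential
     */
    private SignatureValidationParameters buildSignatureValidationParameters() {
        SignatureValidationParameters parameters = new SignatureValidationParameters();
        if (this.overrideBlockedSignatureAlgorithms != null && !this.overrideBlockedSignatureAlgorithms.isEmpty()) {
            parameters.setExcludedAlgorithms(this.overrideBlockedSignatureAlgorithms);
            LOGGER.debug("Validation override blocked algorithms are [{}]", this.overrideBlockedSignatureAlgorithms);
        }
        if (this.overrideAllowedAlgorithms != null && !this.overrideAllowedAlgorithms.isEmpty()) {
            parameters.setIncludedAlgorithms(this.overrideAllowedAlgorithms);
            LOGGER.debug("Validation override allowed algorithms are [{}]", this.overrideAllowedAlgorithms);
        }
        return parameters;
    }

    /**
     * Resolves the issuer's signing credentials from metadata.
     *
     * @param roleDescriptorResolver resolver for the issuer's role descriptor
     * @param requestAbstractType    the SAML request whose issuer is looked up
     * @return the resolved credentials in resolver order, possibly empty
     * @throws Exception if the credential resolver cannot be initialised or resolution fails
     */
    private Set<Credential> getSigningCredential(final RoleDescriptorResolver roleDescriptorResolver,
                                                 final RequestAbstractType requestAbstractType) throws Exception {
        MetadataCredentialResolver credentialResolver = new MetadataCredentialResolver();
        credentialResolver.setRoleDescriptorResolver(roleDescriptorResolver);
        credentialResolver.setKeyInfoCredentialResolver(DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());
        credentialResolver.initialize();

        CriteriaSet criteriaSet = new CriteriaSet();
        // The validation configuration criterion carries the algorithm block/allow lists into credential resolution.
        criteriaSet.add(new SignatureValidationConfigurationCriterion(getSignatureValidationConfiguration()));
        criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
        buildEntityCriteriaForSigningCredential(requestAbstractType, criteriaSet);
        // LinkedHashSet keeps resolver order so credentials are tried in the order metadata lists them.
        return Sets.newLinkedHashSet(credentialResolver.resolve(criteriaSet));
    }

    /**
     * Adds the entity-id and SP-role criteria identifying whose credentials to resolve.
     * Subclasses may override to change how the issuer is matched.
     *
     * @param requestAbstractType the SAML request whose issuer is used
     * @param criteriaSet         the criteria set to extend
     */
    protected void buildEntityCriteriaForSigningCredential(final RequestAbstractType requestAbstractType, final CriteriaSet criteriaSet) {
        criteriaSet.add(new EntityIdCriterion(SamlIdPUtils.getIssuerFromSamlObject(requestAbstractType)));
        criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
    }

    /**
     * Builds the signature validation configuration: OpenSAML defaults, with the configured
     * blocked/allowed algorithm override lists applied when they are non-empty.
     *
     * <p>Both guards test the list that is actually applied, so an empty override can never
     * replace the default exclusion list with an empty one.
     *
     * @return the signature validation configuration
     */
    protected SignatureValidationConfiguration getSignatureValidationConfiguration() {
        BasicSignatureValidationConfiguration configuration = DefaultSecurityConfigurationBootstrap.buildDefaultSignatureValidationConfiguration();
        if (this.overrideBlockedSignatureAlgorithms != null && !this.overrideBlockedSignatureAlgorithms.isEmpty()) {
            configuration.setExcludedAlgorithms(this.overrideBlockedSignatureAlgorithms);
            configuration.setExcludeMerge(true);
        }
        if (this.overrideAllowedAlgorithms != null && !this.overrideAllowedAlgorithms.isEmpty()) {
            configuration.setIncludedAlgorithms(this.overrideAllowedAlgorithms);
            configuration.setIncludeMerge(true);
        }
        LOGGER.debug("Signature validation blocked algorithms: [{}]", configuration.getExcludedAlgorithms());
        LOGGER.debug("Signature validation allowed algorithms: [{}]", configuration.getIncludedAlgorithms());
        return configuration;
    }
}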
