package org.springframework.security.saml2.provider.service.authentication;

import java.time.Duration;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.function.Consumer;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.assertion.SAML20AssertionValidator;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.saml2.core.SubjectConfirmationData;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.saml2.core.Saml2Error;
import org.springframework.security.saml2.core.Saml2ErrorCodes;
import org.springframework.security.saml2.core.Saml2ResponseValidatorResult;
import org.springframework.security.saml2.provider.service.authentication.BaseOpenSamlAuthenticationProvider;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

/* loaded from: input_file:org/springframework/security/saml2/provider/service/authentication/OpenSaml5AuthenticationProvider.class */
public final class OpenSaml5AuthenticationProvider implements AuthenticationProvider {
    private final BaseOpenSamlAuthenticationProvider delegate = new BaseOpenSamlAuthenticationProvider(new OpenSaml5Template());

    /* loaded from: input_file:org/springframework/security/saml2/provider/service/authentication/OpenSaml5AuthenticationProvider$AssertionToken.class */
    public static class AssertionToken {
        private final Saml2AuthenticationToken token;
        private final Assertion assertion;

        AssertionToken(Assertion assertion, Saml2AuthenticationToken saml2AuthenticationToken) {
            this.token = saml2AuthenticationToken;
            this.assertion = assertion;
        }

        AssertionToken(BaseOpenSamlAuthenticationProvider.AssertionToken assertionToken) {
            this.token = assertionToken.getToken();
            this.assertion = assertionToken.getAssertion();
        }

        public Assertion getAssertion() {
            return this.assertion;
        }

        public Saml2AuthenticationToken getToken() {
            return this.token;
        }
    }

    /* loaded from: input_file:org/springframework/security/saml2/provider/service/authentication/OpenSaml5AuthenticationProvider$ResponseToken.class */
    public static class ResponseToken {
        private final Saml2AuthenticationToken token;
        private final Response response;

        ResponseToken(Response response, Saml2AuthenticationToken saml2AuthenticationToken) {
            this.token = saml2AuthenticationToken;
            this.response = response;
        }

        ResponseToken(BaseOpenSamlAuthenticationProvider.ResponseToken responseToken) {
            this.token = responseToken.getToken();
            this.response = responseToken.getResponse();
        }

        public Response getResponse() {
            return this.response;
        }

        public Saml2AuthenticationToken getToken() {
            return this.token;
        }
    }

    public OpenSaml5AuthenticationProvider() {
        setAssertionValidator(createDefaultAssertionValidator());
    }

    public void setResponseElementsDecrypter(Consumer<ResponseToken> consumer) {
        Assert.notNull(consumer, "responseElementsDecrypter cannot be null");
        this.delegate.setResponseElementsDecrypter(responseToken -> {
            consumer.accept(new ResponseToken(responseToken));
        });
    }

    public void setResponseValidator(Converter<ResponseToken, Saml2ResponseValidatorResult> converter) {
        Assert.notNull(converter, "responseValidator cannot be null");
        this.delegate.setResponseValidator(responseToken -> {
            return (Saml2ResponseValidatorResult) converter.convert(new ResponseToken(responseToken));
        });
    }

    public void setAssertionValidator(Converter<AssertionToken, Saml2ResponseValidatorResult> converter) {
        Assert.notNull(converter, "assertionValidator cannot be null");
        this.delegate.setAssertionValidator(assertionToken -> {
            return (Saml2ResponseValidatorResult) converter.convert(new AssertionToken(assertionToken));
        });
    }

    public void setAssertionElementsDecrypter(Consumer<AssertionToken> consumer) {
        Assert.notNull(consumer, "assertionDecrypter cannot be null");
        this.delegate.setAssertionElementsDecrypter(assertionToken -> {
            consumer.accept(new AssertionToken(assertionToken));
        });
    }

    public void setResponseAuthenticationConverter(Converter<ResponseToken, ? extends AbstractAuthenticationToken> converter) {
        Assert.notNull(converter, "responseAuthenticationConverter cannot be null");
        this.delegate.setResponseAuthenticationConverter(responseToken -> {
            return (AbstractAuthenticationToken) converter.convert(new ResponseToken(responseToken));
        });
    }

    public static Converter<ResponseToken, Saml2ResponseValidatorResult> createDefaultResponseValidator() {
        Converter<BaseOpenSamlAuthenticationProvider.ResponseToken, Saml2ResponseValidatorResult> createDefaultResponseValidator = BaseOpenSamlAuthenticationProvider.createDefaultResponseValidator();
        return responseToken -> {
            return (Saml2ResponseValidatorResult) createDefaultResponseValidator.convert(new BaseOpenSamlAuthenticationProvider.ResponseToken(responseToken.getResponse(), responseToken.getToken()));
        };
    }

    public static Converter<AssertionToken, Saml2ResponseValidatorResult> createDefaultAssertionValidator() {
        return createDefaultAssertionValidatorWithParameters(map -> {
            map.put("saml2.ClockSkew", Duration.ofMinutes(5L));
        });
    }

    @Deprecated
    public static Converter<AssertionToken, Saml2ResponseValidatorResult> createDefaultAssertionValidator(Converter<AssertionToken, ValidationContext> converter) {
        return createAssertionValidator(Saml2ErrorCodes.INVALID_ASSERTION, assertionToken -> {
            return BaseOpenSamlAuthenticationProvider.SAML20AssertionValidators.attributeValidator;
        }, converter);
    }

    public static Converter<AssertionToken, Saml2ResponseValidatorResult> createDefaultAssertionValidatorWithParameters(Consumer<Map<String, Object>> consumer) {
        return createAssertionValidator(Saml2ErrorCodes.INVALID_ASSERTION, assertionToken -> {
            return BaseOpenSamlAuthenticationProvider.SAML20AssertionValidators.attributeValidator;
        }, assertionToken2 -> {
            return createValidationContext(assertionToken2, consumer);
        });
    }

    public static Converter<ResponseToken, Saml2Authentication> createDefaultResponseAuthenticationConverter() {
        Converter<BaseOpenSamlAuthenticationProvider.ResponseToken, Saml2Authentication> createDefaultResponseAuthenticationConverter = BaseOpenSamlAuthenticationProvider.createDefaultResponseAuthenticationConverter();
        return responseToken -> {
            return (Saml2Authentication) createDefaultResponseAuthenticationConverter.convert(new BaseOpenSamlAuthenticationProvider.ResponseToken(responseToken.getResponse(), responseToken.getToken()));
        };
    }

    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        return this.delegate.authenticate(authentication);
    }

    public boolean supports(Class<?> cls) {
        return cls != null && Saml2AuthenticationToken.class.isAssignableFrom(cls);
    }

    private static Converter<AssertionToken, Saml2ResponseValidatorResult> createAssertionValidator(String str, Converter<AssertionToken, SAML20AssertionValidator> converter, Converter<AssertionToken, ValidationContext> converter2) {
        return assertionToken -> {
            Assertion assertion = assertionToken.getAssertion();
            SAML20AssertionValidator sAML20AssertionValidator = (SAML20AssertionValidator) converter.convert(assertionToken);
            ValidationContext validationContext = (ValidationContext) converter2.convert(assertionToken);
            try {
                return sAML20AssertionValidator.validate(assertion, validationContext) == ValidationResult.VALID ? Saml2ResponseValidatorResult.success() : Saml2ResponseValidatorResult.failure(new Saml2Error(str, String.format("Invalid assertion [%s] for SAML response [%s]: %s", assertion.getID(), assertion.getParent().getID(), validationContext.getValidationFailureMessages())));
            } catch (Exception e) {
                return Saml2ResponseValidatorResult.failure(new Saml2Error(str, String.format("Invalid assertion [%s] for SAML response [%s]: %s", assertion.getID(), assertion.getParent().getID(), e.getMessage())));
            }
        };
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static ValidationContext createValidationContext(AssertionToken assertionToken, Consumer<Map<String, Object>> consumer) {
        Saml2AuthenticationToken token = assertionToken.getToken();
        RelyingPartyRegistration relyingPartyRegistration = token.getRelyingPartyRegistration();
        String entityId = relyingPartyRegistration.getEntityId();
        String assertionConsumerServiceLocation = relyingPartyRegistration.getAssertionConsumerServiceLocation();
        String entityId2 = relyingPartyRegistration.getAssertingPartyMetadata().getEntityId();
        HashMap hashMap = new HashMap();
        if (assertionContainsInResponseTo(assertionToken.getAssertion())) {
            hashMap.put("saml2.SubjectConfirmation.ValidInResponseTo", getAuthnRequestId(token.getAuthenticationRequest()));
        }
        hashMap.put("saml2.Conditions.ValidAudiences", Collections.singleton(entityId));
        hashMap.put("saml2.SubjectConfirmation.ValidRecipients", Collections.singleton(assertionConsumerServiceLocation));
        hashMap.put("saml2.ValidIssuers", Collections.singleton(entityId2));
        consumer.accept(hashMap);
        return new ValidationContext(hashMap);
    }

    private static boolean assertionContainsInResponseTo(Assertion assertion) {
        if (assertion.getSubject() == null) {
            return false;
        }
        Iterator it = assertion.getSubject().getSubjectConfirmations().iterator();
        while (it.hasNext()) {
            SubjectConfirmationData subjectConfirmationData = ((SubjectConfirmation) it.next()).getSubjectConfirmationData();
            if (subjectConfirmationData != null && StringUtils.hasText(subjectConfirmationData.getInResponseTo())) {
                return true;
            }
        }
        return false;
    }

    private static String getAuthnRequestId(AbstractSaml2AuthenticationRequest abstractSaml2AuthenticationRequest) {
        if (abstractSaml2AuthenticationRequest != null) {
            return abstractSaml2AuthenticationRequest.getId();
        }
        return null;
    }
}
