package org.nuxeo.ecm.platform.auth.saml;

import java.util.UUID;
import javax.servlet.ServletRequest;
import javax.xml.namespace.QName;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.joda.time.DateTime;
import org.nuxeo.ecm.platform.ui.web.auth.LoginScreenHelper;
import org.nuxeo.ecm.platform.web.common.vh.VirtualHostHelper;
import org.opensaml.Configuration;
import org.opensaml.common.SAMLException;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.Endpoint;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.validation.ValidationException;

/* loaded from: input_file:org/nuxeo/ecm/platform/auth/saml/AbstractSAMLProfile.class */
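public abstract class AbstractSAMLProfile {

    protected static final Log log = LogFactory.getLog(AbstractSAMLProfile.class);

    /** Local endpoint this profile handles messages for (see {@link #getEndpoint()}). */
    private final Endpoint endpoint;

    /** Resolves the peer's signing credentials from metadata; null until {@link #setTrustEngine} is called. */
    private SignatureTrustEngine trustEngine;

    /** Decrypter for encrypted SAML elements; null until {@link #setDecrypter} is called. */
    private Decrypter decrypter;

    protected final XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();

    /** Clock skew tolerated on both sides of an assertion's validity window, in milliseconds. */
    private int skewTimeMillis = SAMLConfiguration.getSkewTimeMillis();

    /**
     * @param endpoint the local endpoint this profile handles messages for
     */
    public AbstractSAMLProfile(Endpoint endpoint) {
        this.endpoint = endpoint;
    }

    /** @return the identifier of the SAML profile implemented by the concrete subclass */
    public abstract String getProfileIdentifier();

    /**
     * Builds an empty SAML object for the given element name through the global OpenSAML builder factory.
     *
     * @param qName the element name to build
     * @return a fresh, empty object of the requested type
     */
    @SuppressWarnings("unchecked")
    public <T extends SAMLObject> T build(QName qName) {
        return (T) this.builderFactory.getBuilder(qName).buildObject(qName);
    }

    /**
     * Verifies that {@code signature} follows the SAML signature profile and is trusted for the given peer.
     * <p>
     * The trust lookup asks the trust engine for an IdP (IDPSSODescriptor) signing credential of the peer entity,
     * so a signature made with a key that is present in metadata but not flagged for signing, or that belongs to
     * another entity, is rejected.
     *
     * @param signature the XML signature to verify; must not be null
     * @param peerEntityId entity ID of the expected signer, looked up in metadata
     * @throws SAMLException if no trust engine is configured, the signature is missing, malformed per the SAML
     *             signature profile, untrusted or cryptographically invalid
     */
    public void validateSignature(Signature signature, String peerEntityId) throws SAMLException {
        if (this.trustEngine == null) {
            throw new SAMLException("Trust engine is not set, signature can't be verified");
        }
        if (signature == null) {
            // Was an NPE inside the profile validator; report it as a profile error instead.
            throw new SAMLException("Signature is missing, it can't be verified");
        }
        try {
            // Structural check first: OpenSAML's profile validator restricts the signature to a single enveloped
            // reference over the signed element, before any cryptographic verification happens.
            new SAMLSignatureProfileValidator().validate(signature);
            CriteriaSet criteria = new CriteriaSet();
            criteria.add(new EntityIDCriteria(peerEntityId));
            criteria.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, "urn:oasis:names:tc:SAML:2.0:protocol"));
            criteria.add(new UsageCriteria(UsageType.SIGNING));
            log.debug("Verifying signature: " + signature);
            if (!getTrustEngine().validate(signature, criteria)) {
                throw new SAMLException("Signature is not trusted or invalid");
            }
        } catch (ValidationException | SecurityException e) {
            throw new SAMLException("Error validating signature", e);
        }
    }

    /**
     * Checks that an Issuer uses the entity name-ID format and, when peer metadata has been resolved into the
     * context, that its value is exactly the peer's entity ID.
     *
     * @param issuer the Issuer element; must not be null
     * @param context message context carrying the peer (IdP) metadata, if resolved
     * @throws SAMLException if the issuer is missing, has a format other than "entity", or does not match the peer
     *             entity ID
     */
    public void validateIssuer(Issuer issuer, SAMLMessageContext context) throws SAMLException {
        if (issuer == null) {
            // Was an NPE on issuer.getFormat(); an assertion without an Issuer is rejected explicitly.
            throw new SAMLException("Assertion invalidated by missing issuer");
        }
        String format = issuer.getFormat();
        if (format != null && !"urn:oasis:names:tc:SAML:2.0:nameid-format:entity".equals(format)) {
            throw new SAMLException("Assertion invalidated by issuer type");
        }
        // NOTE(review): when no peer metadata is present in the context the issuer value is not checked at all;
        // callers are expected to have resolved the peer before reaching this point.
        if (context.getPeerEntityMetadata() != null
                && !context.getPeerEntityMetadata().getEntityID().equals(issuer.getValue())) {
            throw new SAMLException("Assertion invalidated by unexpected issuer value");
        }
    }

    /**
     * Checks the response's Destination against the endpoint it was received on, then compares that endpoint
     * with the AssertionConsumerService the original AuthnRequest asked for (when the request can be retrieved
     * through {@link #retrieveRequest}).
     *
     * @param response the received SAML response
     * @param endpoint the local endpoint the response arrived at
     * @throws SAMLException if Destination is present and matches neither the endpoint location nor its response
     *             location, or if a request was retrieved but {@code endpoint} is not an AssertionConsumerService
     */
    protected void validateEndpoint(Response response, Endpoint endpoint) throws SAMLException {
        String destination = response.getDestination();
        // NOTE(review): a missing Destination is accepted here. The SAML bindings only require it on signed
        // messages, so the caller's signature handling decides whether that is acceptable.
        if (destination != null && !destination.equals(endpoint.getLocation())
                && !destination.equals(endpoint.getResponseLocation())) {
            String message = "Intended destination " + destination + " doesn't match any of the endpoint URLs";
            log.debug(message);
            throw new SAMLException(message);
        }
        AuthnRequest request = retrieveRequest(response);
        if (request == null) {
            return;
        }
        if (!(endpoint instanceof AssertionConsumerService)) {
            // Was an unchecked cast (ClassCastException); surface the misconfiguration as a profile error.
            throw new SAMLException("Endpoint " + endpoint.getLocation() + " is not an AssertionConsumerService");
        }
        AssertionConsumerService acs = (AssertionConsumerService) endpoint;
        // NOTE(review): the two mismatch cases below are only logged, not rejected (existing behaviour);
        // a stricter deployment may prefer to throw here.
        Integer requestedIndex = request.getAssertionConsumerServiceIndex();
        if (requestedIndex != null) {
            if (!requestedIndex.equals(acs.getIndex())) {
                log.info("SAML response was received at a different endpoint index than was requested");
            }
            return;
        }
        String requestedUrl = request.getAssertionConsumerServiceURL();
        if (requestedUrl != null) {
            String actualUrl = acs.getResponseLocation() != null ? acs.getResponseLocation() : acs.getLocation();
            if (!requestedUrl.equals(actualUrl)) {
                log.info("SAML response was received at a different endpoint URL " + actualUrl
                        + " than was requested " + requestedUrl);
            }
        }
    }

    /**
     * Validates an assertion's issuer, its Conditions validity window (with clock skew) and, when present, its
     * signature.
     * <p>
     * Only NotBefore / NotOnOrAfter are evaluated here; other conditions such as AudienceRestriction are not
     * checked by this method.
     *
     * @param assertion the assertion to validate
     * @param context message context whose peer entity metadata supplies the expected issuer and signer
     * @throws SAMLException if the assertion has no Conditions, is outside its validity window, or fails the
     *             issuer or signature check
     */
    public void validateAssertion(Assertion assertion, SAMLMessageContext context) throws SAMLException {
        validateIssuer(assertion.getIssuer(), context);
        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            // Was an NPE on conditions.getNotBefore(); reject explicitly instead.
            throw new SAMLException("Assertion has no Conditions, validity window can't be checked");
        }
        DateTime now = new DateTime();
        int skew = getSkewTimeMillis();
        DateTime notBefore = conditions.getNotBefore();
        DateTime notOnOrAfter = conditions.getNotOnOrAfter();
        if (notBefore != null && notBefore.minusMillis(skew).isAfter(now)) {
            log.debug("Current time: [" + now + "] NotBefore: [" + notBefore + "]");
            throw new SAMLException("Conditions are not yet active");
        }
        // NotOnOrAfter is exclusive: an assertion whose skew-adjusted bound equals the current instant is already
        // expired, so the test is "not after now" rather than "before now".
        if (notOnOrAfter != null && !notOnOrAfter.plusMillis(skew).isAfter(now)) {
            log.debug("Current time: [" + now + "] NotOnOrAfter: [" + notOnOrAfter + "]");
            throw new SAMLException("Conditions have expired");
        }
        Signature signature = assertion.getSignature();
        // NOTE(review): an unsigned assertion passes this method. The caller must make sure the enclosing Response
        // was signed and verified, otherwise no signature is checked at all for this assertion.
        if (signature != null) {
            if (context.getPeerEntityMetadata() == null) {
                throw new SAMLException("Peer entity metadata is not available, assertion signature can't be verified");
            }
            validateSignature(signature, context.getPeerEntityMetadata().getEntityID());
        }
    }

    /**
     * Looks up the AuthnRequest a response answers. The base implementation knows nothing about outstanding
     * requests and returns null; subclasses override it.
     *
     * @param response the received response
     * @return the matching request, or null when it cannot be retrieved
     * @throws SAMLException if a subclass fails to retrieve the request
     */
    protected AuthnRequest retrieveRequest(Response response) throws SAMLException {
        return null;
    }

    /** @return the local endpoint given at construction time */
    public Endpoint getEndpoint() {
        return this.endpoint;
    }

    /** @return the configured trust engine, or null if none was set */
    public SignatureTrustEngine getTrustEngine() {
        return this.trustEngine;
    }

    /** @param signatureTrustEngine trust engine used by {@link #validateSignature} */
    public void setTrustEngine(SignatureTrustEngine signatureTrustEngine) {
        this.trustEngine = signatureTrustEngine;
    }

    /** @return the configured decrypter, or null if none was set */
    public Decrypter getDecrypter() {
        return this.decrypter;
    }

    /** @param decrypter decrypter for encrypted SAML elements */
    public void setDecrypter(Decrypter decrypter) {
        this.decrypter = decrypter;
    }

    /** @return tolerated clock skew in milliseconds */
    public int getSkewTimeMillis() {
        return this.skewTimeMillis;
    }

    /** @param i tolerated clock skew in milliseconds, applied to both NotBefore and NotOnOrAfter */
    public void setSkewTimeMillis(int i) {
        this.skewTimeMillis = i;
    }

    /**
     * Generates a random identifier usable as an XML ID. {@code UUID.randomUUID()} is SecureRandom-backed, and
     * the "_" prefix keeps the value a valid NCName even when the UUID starts with a digit.
     *
     * @return a fresh "_"-prefixed random UUID string
     */
    public String newUUID() {
        return "_" + UUID.randomUUID().toString();
    }

    /**
     * @param servletRequest the current request
     * @return the virtual-host aware base URL of this server, as computed by {@link VirtualHostHelper}
     */
    protected String getBaseURL(ServletRequest servletRequest) {
        return VirtualHostHelper.getBaseURL(servletRequest);
    }

    /**
     * @param servletRequest the current request
     * @return the absolute URL of the login start page for this server
     */
    public String getStartPageURL(ServletRequest servletRequest) {
        return getBaseURL(servletRequest) + LoginScreenHelper.getStartupPagePath();
    }
}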
