package com.ibm.ws.security.saml.sso20.acs;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.saml.Constants;
import com.ibm.ws.security.saml.error.SamlException;
import com.ibm.ws.security.saml.sso20.binding.BasicMessageContext;
import com.ibm.ws.security.saml.sso20.internal.utils.MsgCtxUtil;
import com.ibm.ws.security.saml.sso20.internal.utils.RequestUtil;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import javax.xml.namespace.QName;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.Condition;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.OneTimeUse;
import org.opensaml.saml2.core.ProxyRestriction;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.saml2.core.SubjectConfirmationData;
import org.opensaml.ws.security.SecurityPolicyException;

@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.saml.sso20_1.0.14.jar:com/ibm/ws/security/saml/sso20/acs/AssertionValidator.class */
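/**
 * Validates a SAML 2.0 {@link Assertion} received at the assertion consumer service.
 *
 * <p>{@link #validateAssertion()} runs the checks in a fixed order — issuer, signature,
 * bearer subject confirmation, conditions (validity window and audience), and
 * authentication-session expiry — and stops at the first failure by throwing
 * {@link SamlException}. Every time comparison is relaxed by {@link #clockSkewAllowed}.
 *
 * <p>Not enforced here: {@code OneTimeUse} and {@code ProxyRestriction} conditions are
 * accepted without further checks, and an unsigned assertion is accepted whenever the SSO
 * configuration does not require signed assertions.
 */
public class AssertionValidator {
    private static TraceComponent tc = Tr.register((Class<?>) AssertionValidator.class, "SAML20", "com.ibm.ws.security.saml.sso20.internal.resources.SamlSso20Messages");
    // Inbound message context: supplies the SSO config, the servlet request, the provider id and the trust engine.
    protected BasicMessageContext context;
    // The assertion under validation.
    protected Assertion assertion;
    // Tolerance applied to every time-bound check, taken from the SSO config. It is added to the
    // Joda DateTime values and reported divided by 1000, so presumably milliseconds — confirm against the config.
    protected long clockSkewAllowed;
    // Kept from the shipped class even though the class is not Serializable.
    static final long serialVersionUID = -1684717858640142480L;

    /**
     * Creates a validator for one assertion.
     *
     * @param basicMessageContext context of the inbound SAML message; its SSO config supplies the clock skew
     * @param assertion the assertion to validate
     * @throws NullPointerException if {@code basicMessageContext} or its SSO config is {@code null}
     */
    public AssertionValidator(BasicMessageContext<?, ?, ?> basicMessageContext, Assertion assertion) {
        this.assertion = assertion;
        this.context = basicMessageContext;
        this.clockSkewAllowed = basicMessageContext.getSsoConfig().getClockSkew();
    }

    /**
     * Runs every check in order: issuer, signature, subject, conditions, authentication statements.
     *
     * @throws SamlException from the first check that fails
     */
    public void validateAssertion() throws SamlException {
        validateIssuer(false);
        validateSignature();
        verifySubject();
        verifyConditions();
        verifyAuthnStatement();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Delegates issuer validation to {@link MsgCtxUtil#validateIssuer}.
     *
     * @param z flag passed through to the utility (its meaning is not visible here)
     * @throws SamlException if the issuer is rejected
     */
    public void validateIssuer(boolean z) throws SamlException {
        MsgCtxUtil.validateIssuer(this.assertion.getIssuer(), this.context, z);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Verifies the assertion signature when one is present.
     *
     * <p>The context's "authenticated" flag is cleared first, so only a successful
     * {@link #verifyAssertionSignature()} can set it. When the SSO config requires signed
     * assertions and the flag is still clear afterwards, the assertion is rejected; otherwise an
     * unsigned assertion passes this step.
     *
     * @throws SamlException if the signature fails to verify, or is required but absent
     */
    public void validateSignature() throws SamlException {
        this.context.setInboundSAMLMessageAuthenticated(false);
        if (this.assertion.getSignature() != null) {
            verifyAssertionSignature();
        }
        boolean mustBeSigned = this.context.getSsoConfig().isWantAssertionsSigned();
        if (mustBeSigned && !this.context.isInboundSAMLMessageAuthenticated()) {
            throw new SamlException("SAML20_ASSERTION_SIGNATURE_NOT_VERIFIED_ERR", (Exception) null, new Object[0]);
        }
    }

    /**
     * Evaluates the assertion signature against the context's trusted engine.
     *
     * @throws SamlException wrapping the {@link SecurityPolicyException} raised by the rule
     */
    protected void verifyAssertionSignature() throws SamlException {
        try {
            SAMLMessageXMLSignatureSecurityPolicyRule rule =
                    new SAMLMessageXMLSignatureSecurityPolicyRule(MsgCtxUtil.getTrustedEngine(this.context));
            rule.evaluateAssertion(this.context, this.assertion);
        } catch (SecurityPolicyException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.saml.sso20.acs.AssertionValidator", "112", this, new Object[0]);
            throw new SamlException("SAML20_ASSERTION_SIGNATURE_FAIL_ERR", e, new Object[]{e});
        }
    }

    /**
     * Requires a bearer {@code SubjectConfirmation} and binds its data to this request.
     *
     * <p>The first confirmation using the bearer method is checked by
     * {@link #verifyBearerConfirmationData}; on success the subject's NameID is stored on the
     * context. Confirmations with other methods are skipped; if no bearer confirmation exists,
     * the last method seen is reported in the error.
     *
     * @throws SamlException if the subject is missing, no bearer confirmation is present, or the
     *         bearer confirmation data is rejected
     */
    protected void verifySubject() throws SamlException {
        Subject subject = this.assertion.getSubject();
        if (subject == null) {
            // Report a missing Subject as a SAML error rather than failing with an NPE below.
            throw new SamlException("SAML20_ELEMENT_ERR", (Exception) null, new Object[]{"Subject"});
        }
        String lastNonBearerMethod = null;
        for (SubjectConfirmation confirmation : subject.getSubjectConfirmations()) {
            if (!"urn:oasis:names:tc:SAML:2.0:cm:bearer".equals(confirmation.getMethod())) {
                lastNonBearerMethod = confirmation.getMethod();
                continue;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Subject Confirmation:", confirmation.getMethod());
            }
            verifyBearerConfirmationData(confirmation.getSubjectConfirmationData());
            this.context.setSubjectNameIdentifier(subject.getNameID());
            return;
        }
        throw new SamlException("SAML20_NO_BEARER_FOUND", (Exception) null, new Object[]{lastNonBearerMethod});
    }

    /**
     * Checks the {@code SubjectConfirmationData} of a bearer confirmation: it must exist, carry no
     * {@code NotBefore}, carry a {@code NotOnOrAfter} that has not passed (allowing clock skew),
     * match the outstanding request via {@code InResponseTo}, and name this service's ACS URL as
     * {@code Recipient}.
     *
     * @param data the confirmation data, may be {@code null}
     * @throws SamlException on the first failed check
     */
    private void verifyBearerConfirmationData(SubjectConfirmationData data) throws SamlException {
        if (data == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "There is no SubjectConfirmationData", new Object[0]);
            }
            throw new SamlException("SAML20_ELEMENT_ERR", (Exception) null, new Object[]{"SubjectConfirmationData"});
        }
        if (data.getNotBefore() != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "There is a NotBefore", new Object[0]);
            }
            throw new SamlException("SAML20_SUBJECT_NOTBEFORE_ERR", (Exception) null, new Object[0]);
        }
        if (data.getNotOnOrAfter() == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "NotOnOrAfter attribute is required inside SubjectConfirmationData element.", new Object[0]);
            }
            throw new SamlException("SAML20_ELEMENT_ATTR_ERR", (Exception) null, new Object[]{"NotOnOrAfter", "SubjectConfirmationData"});
        }
        // Expiry is pushed forward by the allowed skew before comparing with now.
        if (data.getNotOnOrAfter().plus(this.clockSkewAllowed).isBeforeNow()) {
            throw new SamlException("SAML20_SUBJECT_NOTONAFTER_ERR", (Exception) null,
                    new Object[]{data.getNotOnOrAfter(), new Date(), Long.valueOf(this.clockSkewAllowed / 1000)});
        }
        RequestUtil.validateInResponseTo(this.context, data.getInResponseTo());
        // Computed before the Recipient checks so that a failure in URL resolution surfaces first, as before.
        String acsUrl = RequestUtil.getAcsUrl(this.context.getHttpServletRequest(), Constants.SAML20_CONTEXT_PATH,
                this.context.getSsoService().getProviderId(), this.context.getSsoConfig());
        String recipient = data.getRecipient();
        if (recipient == null) {
            throw new SamlException("SAML20_ELEMENT_ATTR_ERR", (Exception) null, new Object[]{"Recipient", "SubjectConfirmationData"});
        }
        if (!acsUrl.equals(recipient)) {
            throw new SamlException("SAML20_SUBJECT_NO_REC_MATCH_ERR", (Exception) null, new Object[]{recipient, acsUrl});
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Checks the assertion's {@code Conditions}: at least one {@code AudienceRestriction} must be
     * present, the {@code NotBefore}/{@code NotOnOrAfter} window (widened by the clock skew on both
     * ends) must contain now, and every condition element must be an {@code AudienceRestriction}
     * (verified via {@link #verifyAudience}), {@code OneTimeUse} or {@code ProxyRestriction}.
     * The latter two are accepted without further checks.
     *
     * @throws SamlException on the first failed check or on an unrecognised condition element
     */
    public void verifyConditions() throws SamlException {
        Conditions conditions = this.assertion.getConditions();
        if (conditions == null || conditions.getAudienceRestrictions().isEmpty()) {
            throw new SamlException("SAML20_ELEMENT_ERR", (Exception) null, new Object[]{"AudienceRestriction"});
        }
        if (conditions.getNotBefore() != null && conditions.getNotBefore().minus(this.clockSkewAllowed).isAfterNow()) {
            throw new SamlException("SAML20_SUBJECT_NOBEFORE_ERR", (Exception) null,
                    new Object[]{conditions.getNotBefore(), new Date(), Long.valueOf(this.clockSkewAllowed / 1000)});
        }
        if (conditions.getNotOnOrAfter() != null && conditions.getNotOnOrAfter().plus(this.clockSkewAllowed).isBeforeNow()) {
            throw new SamlException("SAML20_SUBJECT_NOAFTER_ERR", (Exception) null,
                    new Object[]{conditions.getNotOnOrAfter(), new Date(), Long.valueOf(this.clockSkewAllowed / 1000)});
        }
        for (Condition condition : conditions.getConditions()) {
            QName elementName = condition.getElementQName();
            // Constant on the left so a missing element name is reported as unknown instead of an NPE.
            if (AudienceRestriction.DEFAULT_ELEMENT_NAME.equals(elementName)) {
                verifyAudience(conditions.getAudienceRestrictions());
            } else if (!OneTimeUse.DEFAULT_ELEMENT_NAME.equals(elementName)
                    && !ProxyRestriction.DEFAULT_ELEMENT_NAME.equals(elementName)) {
                throw new SamlException("SAML20_CONDITION_UNKNOWN_ERR", (Exception) null, new Object[]{elementName});
            }
        }
    }

    /**
     * Accepts the restrictions as soon as any {@code Audience} in any of them equals this
     * service's entity URL.
     *
     * <p>NOTE(review): the match is made across all restrictions together; the SAML core spec
     * evaluates each {@code AudienceRestriction} independently (each must be satisfied). Behaviour
     * is left unchanged here — confirm whether multiple restrictions can reach this code.
     *
     * @param list the assertion's audience restrictions
     * @throws SamlException naming the last non-matching audience, or reporting a missing
     *         {@code Audience} when the restrictions carry none
     */
    protected void verifyAudience(List<AudienceRestriction> list) throws SamlException {
        String entityUrl = RequestUtil.getEntityUrl(this.context.getHttpServletRequest(), Constants.SAML20_CONTEXT_PATH,
                this.context.getSsoService().getProviderId(), this.context.getSsoConfig());
        SamlException lastMismatch = null;
        for (AudienceRestriction restriction : list) {
            for (Audience audience : restriction.getAudiences()) {
                String audienceUri = audience.getAudienceURI();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Audience=" + audienceUri, new Object[0]);
                }
                if (entityUrl.equals(audienceUri)) {
                    return;
                }
                lastMismatch = new SamlException("SAML20_AUDIENCE_UNKNOWN_ERR", (Exception) null, new Object[]{audienceUri, entityUrl});
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Invalid audience", new Object[0]);
        }
        if (lastMismatch == null) {
            // Restrictions were present but none carried an Audience element.
            throw new SamlException("SAML20_ELEMENT_ATTR_ERR", (Exception) null, new Object[]{"Audience", "Conditions"});
        }
        throw lastMismatch;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Rejects the assertion if any {@code AuthnStatement} carries a {@code SessionNotOnOrAfter}
     * that has already passed (allowing clock skew). An assertion with no authentication
     * statements passes this check.
     *
     * @throws SamlException if a session expiry lies in the past
     */
    public void verifyAuthnStatement() throws SamlException {
        for (AuthnStatement statement : this.assertion.getAuthnStatements()) {
            if (statement.getSessionNotOnOrAfter() == null) {
                continue;
            }
            if (statement.getSessionNotOnOrAfter().plus(this.clockSkewAllowed).isBeforeNow()) {
                throw new SamlException("SAML20_SESSION_ERR", (Exception) null,
                        new Object[]{statement.getSessionNotOnOrAfter(), new Date(), Long.valueOf(this.clockSkewAllowed / 1000)});
            }
        }
    }
}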
