package org.springframework.security.saml.util;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.servlet.http.HttpServletRequest;
import org.joda.time.DateTime;
import org.joda.time.Interval;
import org.opensaml.common.SAMLException;
import org.opensaml.common.SAMLRuntimeException;
import org.opensaml.common.binding.decoding.URIComparator;
import org.opensaml.saml2.metadata.ArtifactResolutionService;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.Endpoint;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.SSODescriptor;
import org.opensaml.saml2.metadata.SingleLogoutService;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.ws.transport.InTransport;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.Marshaller;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.BasicSecurityConfiguration;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.SignableXMLObject;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureException;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.signature.X509Certificate;
import org.opensaml.xml.signature.X509Data;
import org.opensaml.xml.util.DatatypeHelper;
import org.opensaml.xml.util.XMLHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.saml.SAMLConstants;
import org.springframework.security.saml.key.KeyManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.MetadataManager;
import org.w3c.dom.Element;

/* loaded from: input_file:BOOT-INF/lib/spring-security-saml2-core-1.0.9.RELEASE.jar:org/springframework/security/saml/util/SAMLUtil.class */
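/**
 * Static helpers shared by the SAML filters and profile implementations: endpoint and
 * binding lookup in metadata, artifact source-id comparison, marshalling and signing of
 * XML objects, time-skew validation and a few string utilities.
 *
 * <p>All methods are stateless and safe to call concurrently, except
 * {@link #marshallAndSignMessage} which writes to the process-wide OpenSAML security
 * configuration (see its documentation).
 */
public class SAMLUtil {
    private static final Logger log = LoggerFactory.getLogger(SAMLUtil.class);

    /** Comparator used by {@link #getEndpoint(List, String, InTransport)} when the caller supplies none. */
    private static final URIComparator DEFAULT_URI_COMPARATOR = new DefaultURLComparator();

    /**
     * Returns the effective binding of an endpoint. For Holder-of-Key WebSSO endpoints the
     * real binding is carried in the {@code hoksso:ProtocolBinding} metadata attribute
     * rather than in the {@code Binding} attribute itself.
     *
     * @param endpoint endpoint from metadata
     * @return binding URI of the endpoint
     * @throws SAMLRuntimeException when a HoK endpoint lacks the protocol-binding attribute
     */
    public static String getBindingForEndpoint(Endpoint endpoint) {
        String binding = endpoint.getBinding();
        if (!SAMLConstants.SAML2_HOK_WEBSSO_PROFILE_URI.equals(binding)) {
            return binding;
        }
        String hokBinding = endpoint.getUnknownAttributes().get(SAMLConstants.WEBSSO_HOK_METADATA_ATT_NAME);
        if (hokBinding == null) {
            throw new SAMLRuntimeException("Holder of Key profile endpoint doesn't contain attribute hoksso:ProtocolBinding");
        }
        return hokBinding;
    }

    /**
     * Finds the first SingleLogoutService of the descriptor using the given binding.
     *
     * @param sSODescriptor descriptor to search
     * @param str           binding URI to look for
     * @return matching logout service
     * @throws MetadataProviderException when no logout service uses the binding
     */
    public static SingleLogoutService getLogoutServiceForBinding(SSODescriptor sSODescriptor, String str) throws MetadataProviderException {
        for (SingleLogoutService service : sSODescriptor.getSingleLogoutServices()) {
            if (str.equals(service.getBinding())) {
                return service;
            }
        }
        log.debug("No binding found for IDP with binding " + str);
        throw new MetadataProviderException("Binding " + str + " is not supported for this IDP");
    }

    /**
     * Selects a logout binding supported by both the IDP and the SP. The first IDP logout
     * service whose binding also appears among the SP logout services wins; when there is
     * no common binding the binding of the IDP's first logout service is returned.
     *
     * @param iDPSSODescriptor IDP descriptor
     * @param sPSSODescriptor  SP descriptor
     * @return binding URI to use for logout
     * @throws MetadataProviderException when the IDP declares no logout endpoints
     */
    public static String getLogoutBinding(IDPSSODescriptor iDPSSODescriptor, SPSSODescriptor sPSSODescriptor) throws MetadataProviderException {
        List<SingleLogoutService> idpServices = iDPSSODescriptor.getSingleLogoutServices();
        if (idpServices.isEmpty()) {
            throw new MetadataProviderException("IDP doesn't contain any SingleLogout endpoints");
        }
        List<SingleLogoutService> spServices = sPSSODescriptor.getSingleLogoutServices();
        for (SingleLogoutService idpService : idpServices) {
            String idpBinding = idpService.getBinding();
            for (SingleLogoutService spService : spServices) {
                if (idpBinding.equals(spService.getBinding())) {
                    return idpBinding;
                }
            }
        }
        // No overlap: fall back to whatever the IDP lists first.
        return idpServices.get(0).getBinding();
    }

    /**
     * Returns the SAML 2.0 IDPSSODescriptor of the entity.
     *
     * @param entityDescriptor entity metadata
     * @return the IDP role descriptor
     * @throws MessageDecodingException when the entity has no SAML 2.0 IDP role
     */
    public static IDPSSODescriptor getIDPSSODescriptor(EntityDescriptor entityDescriptor) throws MessageDecodingException {
        IDPSSODescriptor descriptor = entityDescriptor.getIDPSSODescriptor(org.opensaml.common.xml.SAMLConstants.SAML20P_NS);
        if (descriptor == null) {
            log.error("Could not find an IDPSSODescriptor in metadata.");
            throw new MessageDecodingException("Could not find an IDPSSODescriptor in metadata.");
        }
        return descriptor;
    }

    /**
     * Returns the AssertionConsumerService with the given index, or the descriptor's
     * default service when {@code num} is {@code null}.
     *
     * @param sPSSODescriptor SP descriptor
     * @param num             requested index, may be {@code null}
     * @return matching consumer service
     * @throws SAMLRuntimeException when an index was requested but no service has it
     */
    public static AssertionConsumerService getConsumerService(SPSSODescriptor sPSSODescriptor, Integer num) {
        if (num == null) {
            log.debug("Index for AssertionConsumerService not specified, returning default");
            return sPSSODescriptor.getDefaultAssertionConsumerService();
        }
        for (AssertionConsumerService service : sPSSODescriptor.getAssertionConsumerServices()) {
            if (num.equals(service.getIndex())) {
                log.debug("Found assertionConsumerService with index {} and binding {}", num, service.getBinding());
                return service;
            }
        }
        throw new SAMLRuntimeException("AssertionConsumerService with index " + num + " wasn't found for ServiceProvider " + sPSSODescriptor.getID() + ", please check your metadata");
    }

    /**
     * Returns the IDP's ArtifactResolutionService with the given index.
     *
     * @param iDPSSODescriptor IDP descriptor
     * @param i                endpoint index
     * @return matching artifact resolution service
     * @throws MessageDecodingException when the IDP has no artifact resolution services or
     *                                  none with the requested index
     */
    public static ArtifactResolutionService getArtifactResolutionService(IDPSSODescriptor iDPSSODescriptor, int i) throws MessageDecodingException {
        List<ArtifactResolutionService> services = iDPSSODescriptor.getArtifactResolutionServices();
        if (services == null || services.isEmpty()) {
            log.error("Could not find any artifact resolution services in metadata.");
            throw new MessageDecodingException("Could not find any artifact resolution services in metadata.");
        }
        for (ArtifactResolutionService service : services) {
            Integer index = service.getIndex();
            // Entries without an index are skipped instead of raising an NPE.
            if (index != null && index.intValue() == i) {
                return service;
            }
        }
        throw new MessageDecodingException("Could not find artifact resolution service with index " + i + " in IDP data.");
    }

    /**
     * Decides whether a filter should process the request. Note that this is a plain
     * substring test on the request URI, not a prefix or exact match.
     *
     * @param str                URL fragment the filter is mapped to
     * @param httpServletRequest current request
     * @return {@code true} when the request URI contains {@code str}
     */
    public static boolean processFilter(String str, HttpServletRequest httpServletRequest) {
        return httpServletRequest.getRequestURI().contains(str);
    }

    /**
     * Compares an artifact source id (expected to be the SHA-1 digest of an entity id)
     * with the digest of {@code str}.
     *
     * <p>The comparison is length-checked and timing-independent
     * ({@link MessageDigest#isEqual}); inputs of a different length never match, and the
     * entity id is digested as UTF-8 rather than in the platform charset.
     *
     * @param bArr source id to check, may be {@code null}
     * @param str  entity id whose SHA-1 digest is expected to equal {@code bArr}
     * @return {@code true} only when both are non-null and the digests match exactly
     * @throws MetadataProviderException when SHA-1 is not available in the JVM
     */
    public static boolean compare(byte[] bArr, String str) throws MetadataProviderException {
        if (bArr == null || str == null) {
            return false;
        }
        try {
            byte[] digest = MessageDigest.getInstance("SHA-1").digest(str.getBytes(StandardCharsets.UTF_8));
            return MessageDigest.isEqual(digest, bArr);
        } catch (NoSuchAlgorithmException e) {
            throw new MetadataProviderException("SHA-1 message digest not available", e);
        }
    }

    /**
     * Validates an entity alias: it must be non-null, non-empty and pure ASCII.
     *
     * @param str  alias to check
     * @param str2 entity id the alias belongs to (used in error messages only)
     * @throws MetadataProviderException when the alias is invalid
     */
    public static void verifyAlias(String str, String str2) throws MetadataProviderException {
        if (str == null) {
            throw new MetadataProviderException("Alias for entity " + str2 + " is null");
        }
        if (str.isEmpty()) {
            throw new MetadataProviderException("Alias for entity " + str2 + " is empty");
        }
        if (!str.matches("\\p{ASCII}*")) {
            throw new MetadataProviderException("Only ASCII characters can be used in the alias " + str + " for entity " + str2);
        }
    }

    /**
     * Collects the Base64 text of every X509Certificate under every X509Data of the key info.
     *
     * @param keyInfo key info to read, may be {@code null}
     * @return certificate values in document order, empty when nothing is present
     */
    public static List<String> getBase64EncodeCertificates(KeyInfo keyInfo) {
        List<String> certificates = new ArrayList<String>();
        if (keyInfo == null) {
            return certificates;
        }
        for (X509Data x509Data : keyInfo.getX509Datas()) {
            if (x509Data != null) {
                certificates.addAll(getBase64EncodedCertificates(x509Data));
            }
        }
        return certificates;
    }

    /**
     * Collects the Base64 text of every non-empty X509Certificate of the X509Data element.
     *
     * @param x509Data element to read, may be {@code null}
     * @return certificate values in document order, empty when nothing is present
     */
    public static List<String> getBase64EncodedCertificates(X509Data x509Data) {
        List<String> certificates = new ArrayList<String>();
        if (x509Data == null) {
            return certificates;
        }
        for (X509Certificate certificate : x509Data.getX509Certificates()) {
            if (certificate != null && certificate.getValue() != null) {
                certificates.add(certificate.getValue());
            }
        }
        return certificates;
    }

    /**
     * Detects an Enhanced Client or Proxy (ECP) request: the client must accept PAOS and
     * advertise the PAOS namespace plus the ECP SSO profile in the PAOS header.
     *
     * @param httpServletRequest current request
     * @return {@code true} when both headers are present and carry the required values
     */
    public static boolean isECPRequest(HttpServletRequest httpServletRequest) {
        String accept = httpServletRequest.getHeader("Accept");
        String paos = httpServletRequest.getHeader(SAMLConstants.PAOS_HTTP_HEADER);
        if (accept == null || paos == null) {
            return false;
        }
        boolean acceptsPaos = accept.contains(SAMLConstants.PAOS_HTTP_ACCEPT_HEADER);
        boolean paosNamespace = paos.contains(org.opensaml.common.xml.SAMLConstants.PAOS_NS);
        boolean ecpProfile = paos.contains("urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp");
        return acceptsPaos && paosNamespace && ecpProfile;
    }

    /**
     * Locates the endpoint matching the incoming request using the default URL comparator.
     *
     * @see #getEndpoint(List, String, InTransport, URIComparator)
     */
    public static <T extends Endpoint> T getEndpoint(List<T> list, String str, InTransport inTransport) throws SAMLException {
        return getEndpoint(list, str, inTransport, DEFAULT_URI_COMPARATOR);
    }

    /**
     * Locates the endpoint whose binding equals {@code str} and whose location or response
     * location matches the URL of the incoming request (request URL plus query string).
     *
     * @param list          candidate endpoints from local metadata
     * @param str           required binding URI
     * @param inTransport   transport carrying the request; must be an {@link HttpServletRequestAdapter}
     * @param uRIComparator comparator deciding whether two URLs are equivalent
     * @return the first matching endpoint
     * @throws SAMLException when the transport is not an HTTP servlet transport or no endpoint matches
     */
    public static <T extends Endpoint> T getEndpoint(List<T> list, String str, InTransport inTransport, URIComparator uRIComparator) throws SAMLException {
        if (!(inTransport instanceof HttpServletRequestAdapter)) {
            throw new SAMLException("Endpoint lookup requires an HttpServletRequestAdapter transport, got "
                    + (inTransport == null ? "null" : inTransport.getClass().getName()));
        }
        HttpServletRequest request = ((HttpServletRequestAdapter) inTransport).getWrappedRequest();
        String requestUrl = DatatypeHelper.safeTrimOrNullString(request.getRequestURL().toString());
        String queryString = DatatypeHelper.safeTrimOrNullString(request.getQueryString());
        if (queryString != null) {
            requestUrl = requestUrl + '?' + queryString;
        }
        for (T endpoint : list) {
            if (!getBindingForEndpoint(endpoint).equals(str)) {
                continue;
            }
            if (endpoint.getLocation() != null && uRIComparator.compare(endpoint.getLocation(), requestUrl)) {
                log.debug("Found endpoint {} for request URL {} based on location attribute in metadata", endpoint, requestUrl);
                return endpoint;
            }
            if (endpoint.getResponseLocation() != null && uRIComparator.compare(endpoint.getResponseLocation(), requestUrl)) {
                log.debug("Found endpoint {} for request URL {} based on response location attribute in metadata", endpoint, requestUrl);
                return endpoint;
            }
        }
        throw new SAMLException("Endpoint with message binding " + str + " and URL " + requestUrl + " wasn't found in local metadata");
    }

    /**
     * Resolves the IDPSSODescriptor of a configured IDP by entity id.
     *
     * @param metadataManager metadata source
     * @param str             IDP entity id
     * @return the IDP role descriptor
     * @throws MetadataProviderException when the IDP is not configured or has no SAML 2.0 IDP role
     */
    public static IDPSSODescriptor getIDPDescriptor(MetadataManager metadataManager, String str) throws MetadataProviderException {
        if (!metadataManager.isIDPValid(str)) {
            // Placeholder added: the original pattern had no "{}" so the IDP name was silently dropped.
            log.debug("IDP name of the authenticated user is not valid: {}", str);
            throw new MetadataProviderException("IDP with name " + str + " wasn't found in the list of configured IDPs");
        }
        IDPSSODescriptor descriptor = (IDPSSODescriptor) metadataManager.getRole(str, IDPSSODescriptor.DEFAULT_ELEMENT_NAME, org.opensaml.common.xml.SAMLConstants.SAML20P_NS);
        if (descriptor == null) {
            throw new MetadataProviderException("Given IDP " + str + " doesn't contain any IDPSSODescriptor element");
        }
        return descriptor;
    }

    /**
     * Marshalls the object into its DOM element, reusing an already cached DOM when present.
     *
     * @param xMLObject object to marshall
     * @return root element of the marshalled object
     * @throws MessageEncodingException when no marshaller is registered or marshalling fails
     */
    public static Element marshallMessage(XMLObject xMLObject) throws MessageEncodingException {
        if (xMLObject.getDOM() != null) {
            log.debug("XMLObject already had cached DOM, returning that element");
            return xMLObject.getDOM();
        }
        Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(xMLObject);
        if (marshaller == null) {
            throw new MessageEncodingException("Unable to marshall message, no marshaller registered for message object: " + xMLObject.getElementQName());
        }
        try {
            Element element = marshaller.marshall(xMLObject);
            if (log.isTraceEnabled()) {
                log.trace("Marshalled message into DOM:\n{}", XMLHelper.nodeToString(element));
            }
            return element;
        } catch (MarshallingException e) {
            log.error("Encountered error marshalling message to its DOM representation", e);
            throw new MessageEncodingException("Encountered error marshalling message into its DOM representation", e);
        }
    }

    /**
     * Marshalls the object and, unless it is already signed or no credential is given,
     * signs it with an enveloped XML signature.
     *
     * <p>When {@code str2} (a digest method) is supplied, it is written into the
     * <em>global</em> OpenSAML security configuration returned by
     * {@link Configuration#getGlobalSecurityConfiguration()}, not into a copy; the setting
     * therefore persists for subsequent signing operations in the JVM.
     *
     * @param signableXMLObject object to marshall and sign
     * @param credential        signing credential; {@code null} means "do not sign"
     * @param str               signature algorithm URI, or {@code null} for the configured default
     * @param str2              reference digest method URI, or {@code null} for the configured default
     * @param str3              key-info generator name passed to OpenSAML, may be {@code null}
     * @return root element of the marshalled (and signed) object
     * @throws MessageEncodingException when signature preparation, marshalling or signing fails
     */
    public static Element marshallAndSignMessage(SignableXMLObject signableXMLObject, Credential credential, String str, String str2, String str3) throws MessageEncodingException {
        if (credential == null || signableXMLObject.isSigned()) {
            return marshallMessage(signableXMLObject);
        }
        Signature signature = (Signature) org.opensaml.Configuration.getBuilderFactory().getBuilder(Signature.DEFAULT_ELEMENT_NAME).buildObject(Signature.DEFAULT_ELEMENT_NAME);
        if (str != null) {
            signature.setSignatureAlgorithm(str);
        }
        signature.setSigningCredential(credential);
        BasicSecurityConfiguration securityConfiguration = null;
        if (str2 != null) {
            // Mutates the shared global configuration (no copy is made).
            securityConfiguration = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
            securityConfiguration.setSignatureReferenceDigestMethod(str2);
        }
        try {
            SecurityHelper.prepareSignatureParams(signature, credential, securityConfiguration, str3);
        } catch (SecurityException e) {
            throw new MessageEncodingException("Error preparing signature for signing", e);
        }
        signableXMLObject.setSignature(signature);
        // The object must be marshalled before signing: signing computes the digest over the DOM.
        Element element = marshallMessage(signableXMLObject);
        try {
            Signer.signObject(signature);
        } catch (SignatureException e) {
            log.error("Unable to sign protocol message", e);
            throw new MessageEncodingException("Unable to sign protocol message", e);
        }
        return element;
    }

    /**
     * Checks that the time lies within {@code i} seconds of now (both directions).
     *
     * @see #isDateTimeSkewValid(int, long, DateTime)
     */
    public static boolean isDateTimeSkewValid(int i, DateTime dateTime) {
        return isDateTimeSkewValid(i, 0L, dateTime);
    }

    /**
     * Checks that the time lies in the window {@code [now - i - j, now + i)}; {@code i} is
     * the tolerated clock skew in seconds and {@code j} an additional number of seconds
     * the value may lie in the past.
     *
     * @param i        allowed clock skew in seconds, applied in both directions
     * @param j        extra seconds allowed in the past (e.g. a validity period)
     * @param dateTime time to check
     * @return {@code true} when the time falls inside the window
     */
    public static boolean isDateTimeSkewValid(int i, long j, DateTime dateTime) {
        DateTime now = new DateTime();
        // Subtract j as milliseconds on the long path instead of narrowing it to int.
        DateTime earliest = now.minusSeconds(i).minus(j * 1000L);
        DateTime latest = now.plusSeconds(i);
        return new Interval(earliest, latest).contains(dateTime);
    }

    /**
     * Turns an arbitrary string into something usable as an XML NCName by replacing every
     * character outside {@code [a-zA-Z0-9-_.]} with {@code _} and a leading {@code -} with
     * {@code _}.
     *
     * @param str input, may be {@code null}
     * @return sanitised string, or {@code null} when the input is {@code null}
     */
    public static String getNCNameString(String str) {
        if (str == null) {
            return null;
        }
        String sanitised = str.replaceAll("[^a-zA-Z0-9-_.]", "_");
        if (sanitised.startsWith("-")) {
            sanitised = "_" + sanitised.substring(1);
        }
        return sanitised;
    }

    /**
     * Maps a configuration keyword (case-insensitive) to a hostname verifier. Unknown or
     * {@code null} values fall back to {@code DEFAULT}.
     *
     * @param str one of {@code default}, {@code defaultAndLocalhost}, {@code strict}, {@code allowAll}
     * @return the corresponding verifier
     */
    public static HostnameVerifier getHostnameVerifier(String str) {
        if ("default".equalsIgnoreCase(str)) {
            return org.apache.commons.ssl.HostnameVerifier.DEFAULT;
        } else if ("defaultAndLocalhost".equalsIgnoreCase(str)) {
            return org.apache.commons.ssl.HostnameVerifier.DEFAULT_AND_LOCALHOST;
        } else if ("strict".equalsIgnoreCase(str)) {
            return org.apache.commons.ssl.HostnameVerifier.STRICT;
        } else if ("allowAll".equalsIgnoreCase(str)) {
            return org.apache.commons.ssl.HostnameVerifier.ALLOW_ALL;
        }
        return org.apache.commons.ssl.HostnameVerifier.DEFAULT;
    }

    /**
     * Serialises entity metadata to a string, signing it when the extended metadata marks
     * the entity as local and requests signed metadata.
     *
     * @param metadataManager  used to look up extended metadata when none is supplied
     * @param keyManager       source of the signing credential
     * @param entityDescriptor metadata to serialise
     * @param extendedMetadata extended metadata, or {@code null} to look it up by entity id
     * @return the metadata document as a string
     * @throws MarshallingException when extended metadata cannot be found or marshalling/signing fails
     */
    public static String getMetadataAsString(MetadataManager metadataManager, KeyManager keyManager, EntityDescriptor entityDescriptor, ExtendedMetadata extendedMetadata) throws MarshallingException {
        ExtendedMetadata effective = extendedMetadata;
        if (effective == null) {
            try {
                effective = metadataManager.getExtendedMetadata(entityDescriptor.getEntityID());
            } catch (MetadataProviderException e) {
                log.error("Unable to locate extended metadata", e);
                throw new MarshallingException("Unable to locate extended metadata", e);
            }
        }
        try {
            Element element;
            if (effective.isLocal() && effective.isSignMetadata()) {
                element = marshallAndSignMessage(entityDescriptor, keyManager.getCredential(effective.getSigningKey()), effective.getSigningAlgorithm(), effective.getDigestMethodAlgorithm(), effective.getKeyInfoGeneratorName());
            } else {
                element = marshallMessage(entityDescriptor);
            }
            return XMLHelper.nodeToString(element);
        } catch (MessageEncodingException e) {
            log.error("Unable to marshall message", e);
            throw new MarshallingException("Unable to marshall message", e);
        }
    }
}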
