package org.opensaml.saml.common.binding.security.impl;

import com.google.common.base.Strings;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.servlet.http.HttpServletRequest;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.codec.Base64Support;
import net.shibboleth.utilities.java.support.codec.DecodingException;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.handler.AbstractMessageHandler;
import org.opensaml.messaging.handler.MessageHandlerException;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.common.messaging.context.SAMLProtocolContext;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.criterion.ProtocolCriterion;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.xmlsec.context.SecurityParametersContext;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.opensaml.xmlsec.signature.support.SignatureValidationParametersCriterion;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:lib/opensaml-saml-impl-4.2.0.jar:org/opensaml/saml/common/binding/security/impl/BaseSAMLSimpleSignatureSecurityHandler.class */
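/**
 * Base handler for validating a SAML "simple signature" carried in HTTP request parameters
 * (the {@code Signature} and {@code SigAlg} parameters), as used by redirect-style bindings.
 *
 * <p>The handler reads the signature and algorithm from the injected {@link HttpServletRequest},
 * asks the subclass for the exact bytes that were signed, and evaluates the signature with the
 * {@link SignatureTrustEngine} found in the message's {@link SecurityParametersContext}. A
 * successful validation marks the {@link SAMLPeerEntityContext} as authenticated.</p>
 *
 * <p>Security-relevant behaviour that callers should be aware of:</p>
 * <ul>
 *   <li>A request with no {@code Signature} parameter, an unparseable {@code SigAlg}, or no
 *       recoverable signed content is <em>skipped</em> with a log message, not rejected. The peer
 *       context is simply left unauthenticated; whatever enforces "must be authenticated" for the
 *       profile has to do so in a later handler (not visible in this class).</li>
 *   <li>A present signature that fails validation, or a trust-engine error, is a hard failure
 *       ({@link MessageHandlerException}).</li>
 *   <li>{@code SigAlg} is attacker-controlled input; it is passed to the trust engine together
 *       with a {@link SignatureValidationParametersCriterion} (when available), which is the
 *       hook the trust engine can use to reject disallowed algorithms. This class performs no
 *       algorithm filtering of its own.</li>
 * </ul>
 *
 * <p>Subclasses must implement {@link #ruleHandles(MessageContext)} and {@link #getSignedContent()};
 * they may override {@link #getRequestCredentials(MessageContext)} to supply candidate signing
 * credentials carried in the request and {@link #deriveSignerEntityID(MessageContext)} to name
 * the signer when the peer context has no entity ID yet.</p>
 */
public abstract class BaseSAMLSimpleSignatureSecurityHandler extends AbstractMessageHandler {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(BaseSAMLSimpleSignatureSecurityHandler.class);

    /** HTTP request carrying the {@code Signature} and {@code SigAlg} parameters. */
    @NonnullAfterInit
    private HttpServletRequest httpServletRequest;

    /** Peer entity context of the message being processed; populated in {@link #doPreInvoke}. */
    @Nullable
    private SAMLPeerEntityContext peerContext;

    /** SAML protocol context of the message being processed; populated in {@link #doPreInvoke}. */
    @Nullable
    private SAMLProtocolContext samlProtocolContext;

    /** Trust engine taken from the message's SecurityParametersContext; populated in {@link #doPreInvoke}. */
    @Nullable
    private SignatureTrustEngine trustEngine;

    /**
     * Get the trust engine used to evaluate the signature.
     *
     * @return the trust engine, or null before {@link #doPreInvoke} has run
     */
    @Nullable
    protected SignatureTrustEngine getTrustEngine() {
        return trustEngine;
    }

    /**
     * Get the HTTP request the signature parameters are read from.
     *
     * @return the request; non-null once the component has been initialized
     */
    @NonnullAfterInit
    public HttpServletRequest getHttpServletRequest() {
        return httpServletRequest;
    }

    /**
     * Set the HTTP request the signature parameters are read from.
     *
     * @param request the request, may not be null
     * @throws net.shibboleth.utilities.java.support.component.UnmodifiableComponentException
     *         if the component has already been initialized
     */
    public void setHttpServletRequest(@Nonnull final HttpServletRequest request) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        httpServletRequest = Constraint.isNotNull(request, "HttpServletRequest cannot be null");
    }

    /**
     * {@inheritDoc}
     *
     * @throws ComponentInitializationException if no HTTP request has been set
     */
    public void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (httpServletRequest == null) {
            throw new ComponentInitializationException("HttpServletRequest cannot be null");
        }
    }

    /**
     * Resolve the peer entity, protocol and trust-engine state the handler needs from the message
     * context.
     *
     * @param messageContext the message context
     * @return false if the superclass declines to run, true otherwise
     * @throws MessageHandlerException if the peer entity context (with a role), the protocol context
     *         (with a protocol), or a SignatureTrustEngine in the SecurityParametersContext is missing
     */
    protected boolean doPreInvoke(@Nonnull final MessageContext messageContext) throws MessageHandlerException {
        if (!super.doPreInvoke(messageContext)) {
            return false;
        }

        peerContext = messageContext.getSubcontext(SAMLPeerEntityContext.class);
        if (peerContext == null || peerContext.getRole() == null) {
            throw new MessageHandlerException("SAMLPeerEntityContext was missing or unpopulated");
        }

        samlProtocolContext = messageContext.getSubcontext(SAMLProtocolContext.class);
        if (samlProtocolContext == null || samlProtocolContext.getProtocol() == null) {
            throw new MessageHandlerException("SAMLProtocolContext was missing or unpopulated");
        }

        final SecurityParametersContext secParams = messageContext.getSubcontext(SecurityParametersContext.class);
        if (secParams == null || secParams.getSignatureValidationParameters() == null
                || secParams.getSignatureValidationParameters().getSignatureTrustEngine() == null) {
            throw new MessageHandlerException("No SignatureTrustEngine was available from the MessageContext");
        }
        trustEngine = secParams.getSignatureValidationParameters().getSignatureTrustEngine();

        return true;
    }

    /**
     * Extract the signature, algorithm and signed content from the request and, if all three are
     * present, evaluate the signature.
     *
     * <p>Note that an absent signature, an absent algorithm or absent signed content causes the
     * handler to return without throwing; only a present-but-invalid signature is an error.</p>
     *
     * @param messageContext the message context
     * @throws MessageHandlerException if the signature is present but cannot be decoded or validated
     */
    protected void doInvoke(@Nonnull final MessageContext messageContext) throws MessageHandlerException {
        log.debug("{} Evaluating simple signature rule of type: {}", getLogPrefix(), getClass().getName());

        if (!ruleHandles(messageContext)) {
            log.debug("{} Handler can not handle this request, skipping", getLogPrefix());
            return;
        }

        final byte[] signature = getSignature();
        if (signature == null || signature.length == 0) {
            log.debug("{} HTTP request was not signed via simple signature mechanism, skipping", getLogPrefix());
            return;
        }

        final String sigAlg = getSignatureAlgorithm();
        if (Strings.isNullOrEmpty(sigAlg)) {
            // A signature without an algorithm cannot be checked; the message is left unauthenticated.
            log.warn("{} Signature algorithm could not be extracted from request, cannot validate simple signature",
                    getLogPrefix());
            return;
        }

        final byte[] signedContent = getSignedContent();
        if (signedContent == null || signedContent.length == 0) {
            log.warn("{} Signed content could not be extracted from HTTP request, cannot validate", getLogPrefix());
            return;
        }

        doEvaluate(signature, signedContent, sigAlg, messageContext);
    }

    /**
     * Validate the signature against the issuer named in the peer context, or, failing that, against
     * an issuer derived by the subclass, and mark the peer context authenticated on success.
     *
     * <p>When the issuer comes from {@link #deriveSignerEntityID(MessageContext)} and the peer was not
     * already authenticated, the derived entity ID is also written into the peer context.</p>
     *
     * @param signature raw signature bytes
     * @param signedContent the bytes the signature covers
     * @param algorithmURI signature algorithm URI from the request
     * @param messageContext the message context
     * @throws MessageHandlerException if no issuer can be determined or the signature does not validate
     */
    private void doEvaluate(@Nonnull @NotEmpty final byte[] signature, @Nonnull @NotEmpty final byte[] signedContent,
            @Nonnull @NotEmpty final String algorithmURI, @Nonnull final MessageContext messageContext)
            throws MessageHandlerException {

        final List<Credential> candidateCredentials = getRequestCredentials(messageContext);

        final String contextEntityID = peerContext.getEntityId();
        if (contextEntityID != null) {
            log.debug("{} Attempting to validate SAML protocol message simple signature using context entityID: {}",
                    getLogPrefix(), contextEntityID);
            if (!validateSignature(signature, signedContent, algorithmURI,
                    buildCriteriaSet(contextEntityID, messageContext), candidateCredentials)) {
                log.warn("{} Validation of request simple signature failed for context issuer: {}",
                        getLogPrefix(), contextEntityID);
                throw new MessageHandlerException("Validation of request simple signature failed for context issuer");
            }
            log.debug("{} Validation of request simple signature succeeded", getLogPrefix());
            if (!peerContext.isAuthenticated()) {
                log.debug("{} Authentication via request simple signature succeeded for context issuer entity ID {}",
                        getLogPrefix(), contextEntityID);
                peerContext.setAuthenticated(true);
            }
            return;
        }

        final String derivedEntityID = deriveSignerEntityID(messageContext);
        if (derivedEntityID == null) {
            log.warn("{} Neither context nor derived issuer available, cannot attempt SAML simple signature validation",
                    getLogPrefix());
            throw new MessageHandlerException("No message issuer available, cannot attempt simple signature validation");
        }

        log.debug("{} Attempting to validate SAML protocol message simple signature using derived entityID: {}",
                getLogPrefix(), derivedEntityID);
        if (!validateSignature(signature, signedContent, algorithmURI,
                buildCriteriaSet(derivedEntityID, messageContext), candidateCredentials)) {
            log.warn("{} Validation of request simple signature failed for derived issuer: {}",
                    getLogPrefix(), derivedEntityID);
            throw new MessageHandlerException("Validation of request simple signature failed for derived issuer");
        }
        log.debug("{} Validation of request simple signature succeeded", getLogPrefix());
        if (!peerContext.isAuthenticated()) {
            log.debug("{} Authentication via request simple signature succeeded for derived issuer {}",
                    getLogPrefix(), derivedEntityID);
            // Only an unauthenticated peer context gets the derived issuer written into it.
            peerContext.setEntityId(derivedEntityID);
            peerContext.setAuthenticated(true);
        }
    }

    /**
     * Validate the signature with the trust engine.
     *
     * <p>If the request supplied candidate credentials they are tried first, one at a time, and
     * the result is decided by them alone: the trust-engine-resolved credentials are consulted
     * only when no candidate credentials were supplied. In both paths a {@link SecurityException}
     * raised by the trust engine is treated as a failure rather than ignored.</p>
     *
     * @param signature raw signature bytes
     * @param signedContent the bytes the signature covers
     * @param algorithmURI signature algorithm URI from the request
     * @param criteriaSet criteria used by the trust engine to resolve and trust-check credentials
     * @param candidateCredentials credentials carried in the request itself, may be empty
     * @return true if the signature validated and the signing credential is trusted
     * @throws MessageHandlerException if the trust engine reports an error during evaluation
     */
    protected boolean validateSignature(@Nonnull @NotEmpty final byte[] signature,
            @Nonnull @NotEmpty final byte[] signedContent, @Nonnull @NotEmpty final String algorithmURI,
            @Nonnull final CriteriaSet criteriaSet,
            @Nonnull @NonnullElements final List<Credential> candidateCredentials)
            throws MessageHandlerException {

        final SignatureTrustEngine engine = getTrustEngine();

        if (candidateCredentials != null && !candidateCredentials.isEmpty()) {
            try {
                for (final Credential candidate : candidateCredentials) {
                    if (engine.validate(signature, signedContent, algorithmURI, criteriaSet, candidate)) {
                        log.debug("{} Simple signature validation succeeded with a request-derived credential",
                                getLogPrefix());
                        return true;
                    }
                }
            } catch (final SecurityException e) {
                log.warn("{} Error evaluating the request's simple signature using the trust engine: {}",
                        getLogPrefix(), e.getMessage());
                throw new MessageHandlerException("Error during trust engine evaluation of the simple signature", e);
            }
            log.warn("{} Signature validation using request-derived credentials failed", getLogPrefix());
            return false;
        }

        // No request-derived credentials: let the trust engine resolve them from the criteria.
        // The engine may throw here just as in the candidate path; surface that as a handler
        // failure instead of letting a checked exception escape unhandled.
        try {
            if (engine.validate(signature, signedContent, algorithmURI, criteriaSet, null)) {
                log.debug("{} Simple signature validation (with no request-derived credentials) was successful",
                        getLogPrefix());
                return true;
            }
        } catch (final SecurityException e) {
            log.warn("{} Error evaluating the request's simple signature using the trust engine: {}",
                    getLogPrefix(), e.getMessage());
            throw new MessageHandlerException("Error during trust engine evaluation of the simple signature", e);
        }
        log.warn("{} Simple signature validation (with no request-derived credentials) failed", getLogPrefix());
        return false;
    }

    /**
     * Candidate signing credentials carried in the request. The base implementation supplies none;
     * bindings that transport key material override this.
     *
     * @param messageContext the message context
     * @return an empty list
     * @throws MessageHandlerException never in the base implementation
     */
    @Nonnull
    @NonnullElements
    protected List<Credential> getRequestCredentials(@Nonnull final MessageContext messageContext)
            throws MessageHandlerException {
        return Collections.emptyList();
    }

    /**
     * Read and base64-decode the {@code Signature} request parameter.
     *
     * @return the decoded signature, or null if the parameter is absent or empty
     * @throws MessageHandlerException if the parameter is present but not valid base64
     */
    @Nullable
    protected byte[] getSignature() throws MessageHandlerException {
        final String encoded = getHttpServletRequest().getParameter("Signature");
        if (Strings.isNullOrEmpty(encoded)) {
            return null;
        }
        try {
            return Base64Support.decode(encoded);
        } catch (final DecodingException e) {
            throw new MessageHandlerException("Signature could not be base64 decoded", e);
        }
    }

    /**
     * Read the {@code SigAlg} request parameter. The value is untrusted and is passed through to the
     * trust engine as-is.
     *
     * @return the algorithm URI, or null if absent
     * @throws MessageHandlerException never in the base implementation
     */
    @Nullable
    protected String getSignatureAlgorithm() throws MessageHandlerException {
        return getHttpServletRequest().getParameter("SigAlg");
    }

    /**
     * Derive the signer's entity ID when the peer context does not carry one. The base implementation
     * cannot, and returns null.
     *
     * @param messageContext the message context
     * @return null
     * @throws MessageHandlerException never in the base implementation
     */
    @Nullable
    protected String deriveSignerEntityID(@Nonnull final MessageContext messageContext)
            throws MessageHandlerException {
        return null;
    }

    /**
     * Build the criteria handed to the trust engine: the signer's entity ID (when known), the peer
     * role and protocol from the contexts resolved in {@link #doPreInvoke}, a SIGNING usage
     * criterion, and the message's signature validation parameters when present.
     *
     * @param entityID the signer's entity ID, may be null or empty
     * @param messageContext the message context
     * @return the populated criteria set
     * @throws MessageHandlerException never in the base implementation
     */
    @Nonnull
    protected CriteriaSet buildCriteriaSet(@Nullable final String entityID,
            @Nonnull final MessageContext messageContext) throws MessageHandlerException {
        final CriteriaSet criteria = new CriteriaSet();

        if (!Strings.isNullOrEmpty(entityID)) {
            criteria.add(new EntityIdCriterion(entityID));
        }
        criteria.add(new EntityRoleCriterion(peerContext.getRole()));
        criteria.add(new ProtocolCriterion(samlProtocolContext.getProtocol()));
        criteria.add(new UsageCriterion(UsageType.SIGNING));

        // Carry the validation parameters (which is where algorithm include/exclude rules would
        // live) so the trust engine can apply them to the request-supplied SigAlg.
        final SecurityParametersContext secParams = messageContext.getSubcontext(SecurityParametersContext.class);
        if (secParams != null && secParams.getSignatureValidationParameters() != null) {
            criteria.add(new SignatureValidationParametersCriterion(secParams.getSignatureValidationParameters()));
        }

        return criteria;
    }

    /**
     * Produce the exact bytes the simple signature covers, as reconstructed from the HTTP request.
     *
     * @return the signed content, or null if it cannot be recovered
     * @throws MessageHandlerException if the content cannot be extracted
     */
    @Nullable
    protected abstract byte[] getSignedContent() throws MessageHandlerException;

    /**
     * Whether this handler applies to the current request (e.g. by HTTP method or binding).
     *
     * @param messageContext the message context
     * @return true if the handler should evaluate the request
     * @throws MessageHandlerException on error
     */
    protected abstract boolean ruleHandles(@Nonnull final MessageContext messageContext) throws MessageHandlerException;
}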
