package pl.edu.icm.unity.saml.sp;

import eu.unicore.samly2.SAMLBindings;
import eu.unicore.samly2.validators.ReplayAttackChecker;
import java.util.Optional;
import org.apache.logging.log4j.Logger;
import org.apache.xmlbeans.XmlException;
import org.springframework.beans.factory.annotation.Autowired;
import pl.edu.icm.unity.base.translation.TranslationProfile;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.authn.AuthenticationResult;
import pl.edu.icm.unity.engine.api.authn.RemoteAuthenticationException;
import pl.edu.icm.unity.engine.api.authn.RemoteAuthenticationResult;
import pl.edu.icm.unity.engine.api.authn.remote.RedirectedAuthnState;
import pl.edu.icm.unity.engine.api.authn.remote.RemoteAuthnResultTranslator;
import pl.edu.icm.unity.engine.api.authn.remote.RemotelyAuthenticatedInput;
import pl.edu.icm.unity.engine.api.authn.remote.RemotelyAuthenticatedPrincipal;
import pl.edu.icm.unity.engine.api.endpoint.SharedEndpointManagement;
import pl.edu.icm.unity.engine.api.server.AdvertisedAddressProvider;
import pl.edu.icm.unity.engine.api.utils.PrototypeComponent;
import pl.edu.icm.unity.saml.SAMLResponseValidatorUtil;
import xmlbeans.org.oasis.saml2.protocol.ResponseDocument;

/**
 * Verifies a SAML Response delivered to this SP's response consumer and turns the
 * authenticated remote principal into an {@link AuthenticationResult}.
 *
 * <p>Processing order (see {@link #processResponse}): the raw response XML is parsed,
 * then handed to {@link SAMLResponseValidatorUtil} together with the SP configuration,
 * the replay checker, the expected consumer address, the original request id and the
 * IdP trust checker; the resulting {@link RemotelyAuthenticatedInput} is finally
 * translated with the configured {@link RemoteAuthnResultTranslator}.
 *
 * <p>Note: decompiled class (JADX). The decompiler reported {@code processResponse}
 * as package-private in the original bytecode; the {@code public} modifier is kept
 * here only to preserve the decompiled interface.
 */
@PrototypeComponent
public class SAMLResponseVerificator {
    private static final Logger log = Log.getLogger("unity.server.saml", SAMLResponseVerificator.class);

    /** Expected assertion consumer address, built from the advertised server address and the shared context path. */
    private final String responseConsumerAddress;
    /** Handed to {@link SAMLResponseValidatorUtil} on every verification; its state is owned by the injector. */
    private final ReplayAttackChecker replayAttackChecker;
    /** Maps the verified remote input onto a local authentication result. */
    private final RemoteAuthnResultTranslator translator;

    /**
     * Injection constructor: derives the response consumer address from the advertised
     * address and the shared endpoint base context path.
     */
    @Autowired
    public SAMLResponseVerificator(ReplayAttackChecker replayAttackChecker, SharedEndpointManagement sharedEndpointManagement, AdvertisedAddressProvider advertisedAddressProvider, RemoteAuthnResultTranslator remoteAuthnResultTranslator) {
        this(replayAttackChecker, assembleResponseConsumerAddress(sharedEndpointManagement, advertisedAddressProvider), remoteAuthnResultTranslator);
    }

    /**
     * Constructor with an explicit response consumer address.
     *
     * @param replayAttackChecker replay checker passed to the response validator
     * @param str the address the IdP must have addressed the response to
     * @param remoteAuthnResultTranslator translator applied to the verified input
     */
    public SAMLResponseVerificator(ReplayAttackChecker replayAttackChecker, String str, RemoteAuthnResultTranslator remoteAuthnResultTranslator) {
        this.responseConsumerAddress = str;
        this.replayAttackChecker = replayAttackChecker;
        this.translator = remoteAuthnResultTranslator;
    }

    /**
     * Builds {@code <advertised address><base context path>/spSAMLResponseConsumer}.
     * The advertised address is appended as-is, so any trailing-slash normalisation
     * has to happen in the provider.
     */
    private static String assembleResponseConsumerAddress(SharedEndpointManagement sharedEndpointManagement, AdvertisedAddressProvider advertisedAddressProvider) {
        StringBuilder address = new StringBuilder();
        address.append(advertisedAddressProvider.get());
        address.append(sharedEndpointManagement.getBaseContextPath());
        address.append("/spSAMLResponseConsumer");
        return address.toString();
    }

    /**
     * Entry point for a redirected SAML authentication: verifies the response held in the
     * state and translates it. This is the error boundary of the class: any exception,
     * including a {@link ClassCastException} when the state is not a
     * {@link RemoteAuthnContext} or a runtime failure inside principal mapping, is logged
     * at error level and converted into a failed result with a generic, resolvable
     * error message so no detail leaks to the caller.
     *
     * @param redirectedAuthnState the pending authentication state; expected to be a {@link RemoteAuthnContext}
     * @param translationProfile profile used to map the remote principal
     * @return the translated result, or a failed result when verification or mapping failed
     */
    public AuthenticationResult processResponse(RedirectedAuthnState redirectedAuthnState, TranslationProfile translationProfile) {
        try {
            RemoteAuthnContext context = (RemoteAuthnContext) redirectedAuthnState;
            return verifySAMLResponse(context, translationProfile);
        } catch (Exception e) {
            log.error("Runtime error during SAML response processing or principal mapping", e);
            return RemoteAuthenticationResult.failed((RemotelyAuthenticatedPrincipal) null, e, authnFailedError());
        }
    }

    /**
     * Verifies the response and runs the translator over it.
     *
     * <p>A {@link RemoteAuthenticationException} (thrown by parsing/validation in
     * {@link #getRemotelyAuthenticatedInput} or by the translator) is logged at info
     * level — this is the expected failure path for an invalid or untrusted response —
     * and turned into a failed result that carries whatever principal the exception's
     * result already holds.
     */
    private AuthenticationResult verifySAMLResponse(RemoteAuthnContext remoteAuthnContext, TranslationProfile translationProfile) {
        try {
            RemotelyAuthenticatedInput verifiedInput = getRemotelyAuthenticatedInput(remoteAuthnContext);
            boolean sandboxTriggered = remoteAuthnContext.getAuthenticationTriggeringContext().isSandboxTriggered();
            return this.translator.getTranslatedResult(verifiedInput, translationProfile, sandboxTriggered, Optional.empty(), remoteAuthnContext.getRegistrationFormForUnknown(), remoteAuthnContext.isEnableAssociation());
        } catch (RemoteAuthenticationException e) {
            log.info("SAML response verification or processing failed", e);
            return RemoteAuthenticationResult.failed(e.getResult().getRemotelyAuthenticatedPrincipal(), e, authnFailedError());
        }
    }

    /**
     * Parses the raw SAML response and validates it.
     *
     * <p>The XML is parsed with XMLBeans before any signature or validity check runs, so
     * this is the first point at which untrusted IdP-supplied data is interpreted.
     * NOTE(review): external-entity/DTD handling here is whatever the XMLBeans parser
     * defaults to — confirm the project's XMLBeans configuration disables it.
     *
     * <p>The binding is converted to the samly2 {@link SAMLBindings} enum by name;
     * {@code Enum.valueOf} throws {@link IllegalArgumentException} for an unknown name,
     * which surfaces in {@link #processResponse}'s generic catch.
     *
     * @throws RemoteAuthenticationException when the XML cannot be parsed, or when
     *         {@link SAMLResponseValidatorUtil#verifySAMLResponse} rejects the response
     */
    private RemotelyAuthenticatedInput getRemotelyAuthenticatedInput(RemoteAuthnContext remoteAuthnContext) throws RemoteAuthenticationException {
        ResponseDocument responseDocument;
        try {
            responseDocument = ResponseDocument.Factory.parse(remoteAuthnContext.getResponse());
        } catch (XmlException e) {
            throw new RemoteAuthenticationException("The SAML response can not be parsed - XML data is corrupted", e);
        }
        SAMLResponseValidatorUtil validator = new SAMLResponseValidatorUtil(remoteAuthnContext.getSpConfiguration(), this.replayAttackChecker, this.responseConsumerAddress);
        SAMLBindings binding = SAMLBindings.valueOf(remoteAuthnContext.getResponseBinding().toString());
        return validator.verifySAMLResponse(responseDocument, remoteAuthnContext.getVerifiableResponse(), remoteAuthnContext.getRequestId(), binding, remoteAuthnContext.getGroupAttribute(), remoteAuthnContext.getIdp(), remoteAuthnContext.getSpConfiguration().getTrustCheckerForIdP(remoteAuthnContext.getIdp()));
    }

    /** The single, non-detailed error shown to the user for any SAML authentication failure. */
    private static AuthenticationResult.ResolvableError authnFailedError() {
        return new AuthenticationResult.ResolvableError("WebSAMLRetrieval.authnFailedError", new Object[0]);
    }
}
