package org.opensaml.common.binding.security;

import java.util.Iterator;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.ws.message.MessageContext;
import org.opensaml.ws.security.SecurityPolicyException;
import org.opensaml.ws.security.SecurityPolicyRule;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.util.Base64;
import org.opensaml.xml.util.DatatypeHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.2.1.redhat-219.zip:modules/system/layers/fuse/org/opensaml/2.6/opensaml-2.6.1.jar:org/opensaml/common/binding/security/BaseSAMLSimpleSignatureSecurityPolicyRule.class */
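/**
 * Base security policy rule for SAML bindings that carry a "simple" (non-XMLDSig) signature
 * as HTTP request parameters: a {@code Signature} parameter holding the Base64-encoded
 * signature value and a {@code SigAlg} parameter naming the algorithm.
 *
 * <p>Subclasses decide whether a request is in scope ({@link #ruleHandles}) and reconstruct
 * the exact bytes that were signed ({@link #getSignedContent}); this class drives the
 * evaluation and delegates the cryptographic check to the configured
 * {@link SignatureTrustEngine}.
 *
 * <p>Behavioural notes a deployer should be aware of (all visible in {@link #evaluate}):
 * a message context of the wrong type, a non-servlet transport, a request the subclass does
 * not handle, or a request with no {@code Signature} parameter all cause the rule to return
 * without error. Presence of a signature is therefore not enforced by this rule; if signing
 * is mandatory, that requirement presumably has to be enforced by a separate rule or by the
 * binding decoder.
 */
public abstract class BaseSAMLSimpleSignatureSecurityPolicyRule implements SecurityPolicyRule {
    private final Logger log = LoggerFactory.getLogger(BaseSAMLSimpleSignatureSecurityPolicyRule.class);

    /** Trust engine used to validate the raw signature; never replaced after construction. */
    private final SignatureTrustEngine trustEngine;

    /**
     * Constructor.
     *
     * @param signatureTrustEngine the trust engine used to validate the simple signature
     */
    public BaseSAMLSimpleSignatureSecurityPolicyRule(SignatureTrustEngine signatureTrustEngine) {
        this.trustEngine = signatureTrustEngine;
    }

    /**
     * Evaluates the rule against the inbound HTTP request.
     *
     * <p>The rule is a no-op (returning normally) when the context is not a
     * {@link SAMLMessageContext}, the inbound transport is not an
     * {@link HttpServletRequestAdapter}, {@link #ruleHandles} declines the request, or the
     * request carries no simple signature. A request that is signed but lacks a usable
     * {@code SigAlg} value or whose signed content cannot be rebuilt is logged at WARN and
     * also returns normally. Only a signature that is present and fails validation, or an
     * issuer that cannot be determined, results in an exception.
     *
     * @param messageContext the message context to evaluate
     * @throws SecurityPolicyException if the signature is present but cannot be validated
     */
    @Override
    public void evaluate(MessageContext messageContext) throws SecurityPolicyException {
        this.log.debug("Evaluating simple signature rule of type: {}", getClass().getName());

        if (!(messageContext instanceof SAMLMessageContext)) {
            this.log.debug("Invalid message context type, this policy rule only supports SAMLMessageContext");
            return;
        }
        if (!(messageContext.getInboundMessageTransport() instanceof HttpServletRequestAdapter)) {
            this.log.debug("Invalid inbound message transport type, this rule only supports HttpServletRequestAdapter");
            return;
        }

        SAMLMessageContext samlContext = (SAMLMessageContext) messageContext;
        HttpServletRequest request =
                ((HttpServletRequestAdapter) messageContext.getInboundMessageTransport()).getWrappedRequest();

        if (!ruleHandles(request, samlContext)) {
            this.log.debug("Rule can not handle this request, skipping processing");
            return;
        }

        // An absent Signature parameter means "not signed via this mechanism", not an error.
        byte[] signature = getSignature(request);
        if (signature == null || signature.length == 0) {
            this.log.debug("HTTP request was not signed via simple signature mechanism, skipping");
            return;
        }

        String signatureAlgorithm = getSignatureAlgorithm(request);
        if (DatatypeHelper.isEmpty(signatureAlgorithm)) {
            this.log.warn("Signature algorithm could not be extracted from request, can not validate simple signature");
            return;
        }

        byte[] signedContent = getSignedContent(request);
        if (signedContent == null || signedContent.length == 0) {
            this.log.warn("Signed content could not be extracted from HTTP request, can not validate");
            return;
        }

        doEvaluate(signature, signedContent, signatureAlgorithm, request, samlContext);
    }

    /**
     * Validates the signature against either the issuer already recorded in the context or,
     * failing that, an issuer derived by the subclass, and marks the inbound message as
     * authenticated on success.
     *
     * @param signature raw signature bytes
     * @param signedContent the bytes the signature was computed over
     * @param signatureAlgorithm the signature algorithm URI from the request
     * @param request the inbound HTTP request
     * @param samlContext the SAML message context being evaluated
     * @throws SecurityPolicyException if no issuer can be determined or validation fails
     */
    private void doEvaluate(byte[] signature, byte[] signedContent, String signatureAlgorithm,
            HttpServletRequest request, SAMLMessageContext samlContext) throws SecurityPolicyException {
        // Candidate credentials are resolved before the issuer is chosen, as in the original order.
        List<Credential> requestCredentials = getRequestCredentials(request, samlContext);

        String contextIssuer = samlContext.getInboundMessageIssuer();
        if (contextIssuer != null) {
            this.log.debug("Attempting to validate SAML protocol message simple signature using context issuer: {}", contextIssuer);
            CriteriaSet criteria = buildCriteriaSet(contextIssuer, samlContext);
            if (!validateSignature(signature, signedContent, signatureAlgorithm, criteria, requestCredentials)) {
                this.log.warn("Validation of request simple signature failed for context issuer: {}", contextIssuer);
                throw new SecurityPolicyException("Validation of request simple signature failed for context issuer");
            }
            this.log.info("Validation of request simple signature succeeded");
            if (!samlContext.isInboundSAMLMessageAuthenticated()) {
                this.log.info("Authentication via request simple signature succeeded for context issuer entity ID {}", contextIssuer);
                samlContext.setInboundSAMLMessageAuthenticated(true);
            }
            return;
        }

        String derivedIssuer = deriveSignerEntityID(samlContext);
        if (derivedIssuer == null) {
            this.log.warn("Neither context nor derived issuer available, can not attempt SAML simple signature validation");
            throw new SecurityPolicyException("No message issuer available, can not attempt simple signature validation");
        }

        this.log.debug("Attempting to validate SAML protocol message simple signature using derived issuer: {}", derivedIssuer);
        CriteriaSet criteria = buildCriteriaSet(derivedIssuer, samlContext);
        if (!validateSignature(signature, signedContent, signatureAlgorithm, criteria, requestCredentials)) {
            this.log.warn("Validation of request simple signature failed for derived issuer: {}", derivedIssuer);
            throw new SecurityPolicyException("Validation of request simple signature failed for derived issuer");
        }
        this.log.info("Validation of request simple signature succeeded");
        if (!samlContext.isInboundSAMLMessageAuthenticated()) {
            this.log.info("Authentication via request simple signature succeeded for derived issuer {}", derivedIssuer);
            // The issuer was not known before; record the one the signature was validated against.
            samlContext.setInboundMessageIssuer(derivedIssuer);
            samlContext.setInboundSAMLMessageAuthenticated(true);
        }
    }

    /**
     * Validates the simple signature using the trust engine.
     *
     * <p>When {@code candidateCredentials} is non-empty, each candidate is tried in turn and the
     * first one the trust engine accepts wins. If none is accepted the method returns
     * {@code false} without falling back to the trust engine's own credential resolution, so
     * a request that supplies its own (untrusted) keys cannot widen the set of keys
     * considered beyond what the trust engine accepts for those candidates. Only when no
     * candidates are supplied is the engine asked to resolve credentials itself, using
     * {@code criteriaSet}.
     *
     * <p>Both trust-engine calls are covered by the same exception translation; previously the
     * no-candidate path was outside the {@code try} and a {@link SecurityException} raised
     * there would not have been mapped to a {@link SecurityPolicyException}.
     *
     * @param signature raw signature bytes
     * @param signedContent the bytes the signature was computed over
     * @param algorithmURI the signature algorithm URI from the request
     * @param criteriaSet criteria identifying the expected signer
     * @param candidateCredentials request-derived candidate credentials, may be null or empty
     * @return true if the trust engine accepts the signature, false otherwise
     * @throws SecurityPolicyException if the trust engine reports an error during evaluation
     */
    protected boolean validateSignature(byte[] signature, byte[] signedContent, String algorithmURI,
            CriteriaSet criteriaSet, List<Credential> candidateCredentials) throws SecurityPolicyException {
        SignatureTrustEngine engine = getTrustEngine();
        try {
            if (candidateCredentials != null && !candidateCredentials.isEmpty()) {
                for (Credential candidate : candidateCredentials) {
                    if (engine.validate(signature, signedContent, algorithmURI, criteriaSet, candidate)) {
                        this.log.debug("Simple signature validation succeeded with a request-derived credential");
                        return true;
                    }
                }
                // Deliberately no fallback to engine-resolved credentials once candidates were supplied.
                this.log.warn("Signature validation using request-derived credentials failed");
                return false;
            }

            if (engine.validate(signature, signedContent, algorithmURI, criteriaSet, null)) {
                this.log.debug("Simple signature validation (with no request-derived credentials) was successful");
                return true;
            }
            this.log.warn("Simple signature validation (with no request-derived credentials) failed");
            return false;
        } catch (SecurityException e) {
            this.log.warn("There was an error evaluating the request's simple signature using the trust engine", e);
            throw new SecurityPolicyException("Error during trust engine evaluation of the simple signature", e);
        }
    }

    /**
     * Extension point for bindings that can supply candidate signing credentials from the
     * request itself. The default supplies none, so the trust engine resolves credentials.
     *
     * @param request the inbound HTTP request
     * @param samlContext the SAML message context being evaluated
     * @return candidate credentials, or null if the binding supplies none
     * @throws SecurityPolicyException if the credentials cannot be extracted
     */
    protected List<Credential> getRequestCredentials(HttpServletRequest request, SAMLMessageContext samlContext)
            throws SecurityPolicyException {
        return null;
    }

    /**
     * Gets the trust engine used to validate the signature.
     *
     * @return the configured trust engine
     */
    protected SignatureTrustEngine getTrustEngine() {
        return this.trustEngine;
    }

    /**
     * Extracts the raw signature from the {@code Signature} request parameter.
     *
     * <p>The parameter is attacker-controlled input; it is Base64-decoded here without
     * further validation. Whether {@link Base64#decode(String)} rejects or silently tolerates
     * malformed input is not visible from this class — check the decoder's contract before
     * relying on it for error handling.
     *
     * @param request the inbound HTTP request
     * @return the decoded signature, or null if the parameter is absent or empty
     * @throws SecurityPolicyException declared for subclasses; not thrown by this implementation
     */
    protected byte[] getSignature(HttpServletRequest request) throws SecurityPolicyException {
        String encoded = request.getParameter("Signature");
        if (DatatypeHelper.isEmpty(encoded)) {
            return null;
        }
        return Base64.decode(encoded);
    }

    /**
     * Extracts the signature algorithm URI from the {@code SigAlg} request parameter.
     *
     * <p>The value comes from the request, so the trust engine (not this rule) is what
     * decides whether the named algorithm is acceptable.
     *
     * @param request the inbound HTTP request
     * @return the algorithm URI, or null if the parameter is absent
     * @throws SecurityPolicyException declared for subclasses; not thrown by this implementation
     */
    protected String getSignatureAlgorithm(HttpServletRequest request) throws SecurityPolicyException {
        return request.getParameter("SigAlg");
    }

    /**
     * Extension point for deriving the signer's entity ID when the context carries no inbound
     * message issuer. The default derives nothing, which makes {@link #evaluate} fail for a
     * signed request whose issuer is unknown.
     *
     * @param samlContext the SAML message context being evaluated
     * @return the derived entity ID, or null if none can be derived
     * @throws SecurityPolicyException if derivation fails
     */
    protected String deriveSignerEntityID(SAMLMessageContext samlContext) throws SecurityPolicyException {
        return null;
    }

    /**
     * Builds the criteria the trust engine uses to resolve and check the signer's credentials:
     * the issuer entity ID (when non-empty), the peer's metadata role and protocol, and the
     * SIGNING usage.
     *
     * @param entityID the expected signer entity ID, may be empty
     * @param samlContext the SAML message context being evaluated
     * @return the populated criteria set
     * @throws SecurityPolicyException declared for subclasses; not thrown by this implementation
     */
    protected CriteriaSet buildCriteriaSet(String entityID, SAMLMessageContext samlContext)
            throws SecurityPolicyException {
        CriteriaSet criteriaSet = new CriteriaSet();
        if (!DatatypeHelper.isEmpty(entityID)) {
            criteriaSet.add(new EntityIDCriteria(entityID));
        }
        criteriaSet.add(new MetadataCriteria(samlContext.getPeerEntityRole(), samlContext.getInboundSAMLProtocol()));
        criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
        return criteriaSet;
    }

    /**
     * Reconstructs the exact bytes over which the simple signature was computed. Must
     * reproduce the binding's canonical form byte-for-byte, or validation will fail.
     *
     * @param request the inbound HTTP request
     * @return the signed content, or null/empty if it cannot be rebuilt
     * @throws SecurityPolicyException if reconstruction fails
     */
    protected abstract byte[] getSignedContent(HttpServletRequest request) throws SecurityPolicyException;

    /**
     * Determines whether this rule applies to the given request.
     *
     * @param request the inbound HTTP request
     * @param samlContext the SAML message context being evaluated
     * @return true if the rule should process the request, false to skip it
     * @throws SecurityPolicyException if the determination fails
     */
    protected abstract boolean ruleHandles(HttpServletRequest request, SAMLMessageContext samlContext)
            throws SecurityPolicyException;
}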
