package com.imcode.saml2;

import com.imcode.saml2.store.SAMLRequestStore;
import com.imcode.saml2.utils.SAMLUtils;
import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
import org.opensaml.common.SAMLException;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusCode;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/imcode/saml2/SAMLResponseVerifier.class */
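public class SAMLResponseVerifier {
    private static final Logger log = LoggerFactory.getLogger(SAMLResponseVerifier.class);

    /** Top-level SAML 2.0 status value that marks a successful response. */
    private static final String STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";

    private final SAMLRequestStore samlRequestStore = SAMLRequestStore.getInstance();

    /**
     * Verifies the inbound SAML {@link Response} carried by the message context.
     * <p>
     * Checks performed, in order: the response's InResponseTo matches an outstanding
     * request in {@link SAMLRequestStore} (which is then consumed), the top-level status
     * code is Success, at least one assertion is present, the first assertion has a
     * Subject with a NameID, and the first assertion's Conditions time window contains
     * the current UTC instant.
     * <p>
     * NOTE(review): this class does not verify XML signatures, AudienceRestriction,
     * SubjectConfirmation, or assertion-level InResponseTo/Recipient; if those are not
     * enforced elsewhere in the inbound pipeline, a response passing this method is not
     * yet trustworthy — confirm against the caller. Only the first assertion is
     * inspected; any further assertions are ignored.
     *
     * @param sAMLMessageContext context whose inbound message is the response to verify
     * @throws SAMLException   if the status, assertion, subject, NameID or Conditions
     *                         checks fail
     * @throws RuntimeException if the response does not match a stored authentication
     *                         request (see {@link #verifyInResponseTo(Response)})
     */
    public void verify(SAMLMessageContext<Response, SAMLObject, NameID> sAMLMessageContext) throws SAMLException {
        Response response = sAMLMessageContext.getInboundSAMLMessage();
        // Debug-only: serializes the whole response, including any assertion attributes.
        log.debug("SAML Response message : {}", SAMLUtils.SAMLObjectToString(response));
        verifyInResponseTo(response);
        verifyStatus(response);

        if (response.getAssertions().isEmpty()) {
            log.error("Response does not contain any acceptable assertions");
            throw new SAMLException("Response does not contain any acceptable assertions");
        }
        Assertion assertion = response.getAssertions().get(0);
        if (assertion.getSubject() == null) {
            log.error("Subject not present in assertion");
            throw new SAMLException("Subject not present in assertion");
        }
        NameID nameID = assertion.getSubject().getNameID();
        if (nameID == null) {
            log.error("Name ID not present in subject");
            throw new SAMLException("Name ID not present in subject");
        }
        log.debug("SAML authenticated user {}", nameID.getValue());
        verifyConditions(assertion.getConditions(), sAMLMessageContext);
    }

    /**
     * Rejects any response whose top-level status code is not Success.
     * A missing Status or StatusCode element is treated as a failure rather than
     * letting it surface as a NullPointerException.
     *
     * @param response the response whose status is checked
     * @throws SAMLException if the status is absent or not Success
     */
    private void verifyStatus(Response response) throws SAMLException {
        if (response.getStatus() == null || response.getStatus().getStatusCode() == null) {
            log.error("Response does not carry a status code");
            throw new SAMLException("Response does not carry a status code");
        }
        StatusCode statusCode = response.getStatus().getStatusCode();
        String value = statusCode.getValue();
        // Constant-first comparison so a null value is a mismatch, not an NPE.
        if (!STATUS_SUCCESS.equals(value)) {
            // Log the top-level value itself: the nested getStatusCode() is optional and
            // may be null, which previously turned a bad status into an NPE.
            log.warn("Incorrect SAML message code : {} ", value);
            throw new SAMLException("Incorrect SAML message code : " + value);
        }
    }

    /**
     * Checks that the response answers a request this SP actually issued, and consumes
     * that request so the same response cannot be replayed through this store.
     * <p>
     * A response without InResponseTo (an unsolicited / IdP-initiated response) is
     * rejected the same way, so the outcome no longer depends on how the store treats
     * a null id. The exists/remove pair is not atomic; whether two concurrent responses
     * to the same request could both pass depends on {@link SAMLRequestStore} — verify.
     *
     * @param response the response whose InResponseTo is checked
     * @throws RuntimeException if no matching request is stored (kept as an unchecked
     *                          exception for compatibility with existing callers)
     */
    private void verifyInResponseTo(Response response) {
        String inResponseTo = response.getInResponseTo();
        if (inResponseTo == null || !this.samlRequestStore.exists(inResponseTo)) {
            log.error("Response does not match an authentication request");
            throw new RuntimeException("Response does not match an authentication request");
        }
        this.samlRequestStore.removeRequest(inResponseTo);
    }

    /**
     * Verifies the assertion's Conditions element. Currently only the validity window is
     * enforced; an assertion without Conditions is rejected rather than accepted open-ended.
     *
     * @param conditions         the assertion's Conditions, may be null
     * @param sAMLMessageContext the message context (unused for now; reserved for
     *                           context-dependent conditions such as AudienceRestriction)
     * @throws SAMLException if Conditions is absent or the validity window is violated
     */
    private void verifyConditions(Conditions conditions,
                                  SAMLMessageContext<Response, SAMLObject, NameID> sAMLMessageContext)
            throws SAMLException {
        if (conditions == null) {
            log.error("Assertion does not carry a Conditions element");
            throw new SAMLException("Assertion does not carry a Conditions element");
        }
        verifyExpirationConditions(conditions);
    }

    /**
     * Enforces the NotBefore / NotOnOrAfter validity window against the current UTC time.
     * Per SAML 2.0 Core, NotBefore is inclusive (valid when now >= NotBefore) and
     * NotOnOrAfter is exclusive (invalid when now >= NotOnOrAfter). No clock-skew
     * tolerance is applied; if the IdP's clock drifts, valid assertions will be rejected.
     *
     * @param conditions the Conditions whose time bounds are checked (non-null)
     * @throws SAMLException if the current time lies outside the window
     */
    private void verifyExpirationConditions(Conditions conditions) throws SAMLException {
        log.debug("Verifying conditions");
        DateTime now = new DateTime(DateTimeZone.UTC);
        log.debug("Current time in UTC : {}", now);

        DateTime notBefore = conditions.getNotBefore();
        log.debug("Not before condition : {}", notBefore);
        if (notBefore != null && now.isBefore(notBefore)) {
            throw new SAMLException("Assertion is not conformed with notBefore condition");
        }

        DateTime notOnOrAfter = conditions.getNotOnOrAfter();
        log.debug("Not on or after condition : {}", notOnOrAfter);
        // "On or after" means the instant itself is already expired, so reject now == notOnOrAfter
        // too; the previous isAfter() check accepted an assertion exactly at its expiry.
        if (notOnOrAfter != null && !now.isBefore(notOnOrAfter)) {
            throw new SAMLException("Assertion is not conformed with notOnOrAfter condition");
        }
    }
}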
