package com.onelogin.saml2.authn;

import com.onelogin.saml2.exception.SettingsException;
import com.onelogin.saml2.exception.ValidationError;
import com.onelogin.saml2.http.HttpRequest;
import com.onelogin.saml2.model.SamlResponseStatus;
import com.onelogin.saml2.model.SubjectConfirmationIssue;
import com.onelogin.saml2.settings.Saml2Settings;
import com.onelogin.saml2.util.Constants;
import com.onelogin.saml2.util.SchemaFactory;
import com.onelogin.saml2.util.Util;
import java.io.IOException;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPathExpressionException;
import org.joda.time.DateTime;
import org.joda.time.Instant;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

/* loaded from: input_file:com/onelogin/saml2/authn/SamlResponse.class */
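/**
 * Service-provider view of a SAML 2.0 {@code samlp:Response}.
 *
 * <p>The response is loaded from its base64 form, an encrypted assertion (if any) is decrypted
 * into a separate document, and {@link #isValid(String)} runs the validation chain.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Only the signature presence and signature verification checks run when
 *       {@code settings.isStrict()} is false. Destination, audience, issuer, timestamp,
 *       InResponseTo and SubjectConfirmation checks are all gated on strict mode.</li>
 *   <li>At least one of the Response or the Assertion must be signed in every mode.</li>
 *   <li>The raw response is written to the debug log on both success and failure; when the
 *       assertion is not encrypted this includes the subject and its attributes.</li>
 * </ul>
 */
public class SamlResponse {
    private static final Logger LOGGER = LoggerFactory.getLogger(SamlResponse.class);

    /** Qualified name recorded by {@link #processSignedElements()} for a signed Response. */
    private static final String RESPONSE_TAG = "{" + Constants.NS_SAMLP + "}Response";

    /** Qualified name recorded by {@link #processSignedElements()} for a signed Assertion. */
    private static final String ASSERTION_TAG = "{" + Constants.NS_SAML + "}Assertion";

    private final Saml2Settings settings;

    /** Decoded response exactly as received (still encrypted if the IdP encrypted it). */
    private String samlResponseString;

    /** DOM of {@link #samlResponseString}. */
    private Document samlResponseDocument;

    /** Copy of the response with the EncryptedAssertion replaced by its plaintext Assertion. */
    private Document decryptedDocument;

    /** URL this SP received the response at; compared with Destination and Recipient. */
    private String currentUrl;

    /** Message of the last validation failure, or null. */
    private String error;

    /** Cache for {@link #getNameIdData()}. */
    private Map<String, String> nameIdData = null;

    /** True once an EncryptedAssertion has been found and decrypted. */
    private boolean encrypted = false;

    /**
     * Builds the response from the {@code SAMLResponse} parameter of the given request.
     *
     * @param saml2Settings toolkit settings (IdP certificates, SP key, strictness flags)
     * @param httpRequest   request carrying the response; when null nothing is loaded and
     *                      {@link #loadXmlFromBase64(String)} / {@link #setDestinationUrl(String)}
     *                      must be called before validating
     */
    public SamlResponse(Saml2Settings saml2Settings, HttpRequest httpRequest) throws XPathExpressionException, ParserConfigurationException, SAXException, IOException, SettingsException, ValidationError {
        this.settings = saml2Settings;
        if (httpRequest != null) {
            this.currentUrl = httpRequest.getRequestURL();
            loadXmlFromBase64(httpRequest.getParameter("SAMLResponse"));
        }
    }

    /**
     * Decodes and parses a base64 response and decrypts its assertion when one is encrypted.
     *
     * @param str base64-encoded SAML response
     * @throws ValidationError   if the XML cannot be parsed or the encrypted assertion is malformed
     * @throws SettingsException if the response is encrypted and no SP private key is configured
     */
    public void loadXmlFromBase64(String str) throws ParserConfigurationException, XPathExpressionException, SAXException, IOException, SettingsException, ValidationError {
        this.samlResponseString = new String(Util.base64decoder(str), "UTF-8");
        this.samlResponseDocument = Util.loadXML(this.samlResponseString);
        if (this.samlResponseDocument == null) {
            throw new ValidationError("SAML Response could not be processed", 14);
        }
        boolean hasEncryptedAssertion = this.samlResponseDocument
                .getElementsByTagNameNS(Constants.NS_SAML, EncryptedAssertion.DEFAULT_ELEMENT_LOCAL_NAME)
                .getLength() != 0;
        if (hasEncryptedAssertion) {
            // Decrypt on a copy so the Response signature can still be verified over the
            // document as it was received.
            this.decryptedDocument = Util.copyDocument(this.samlResponseDocument);
            this.encrypted = true;
            this.decryptedDocument = decryptAssertion(this.decryptedDocument);
        }
    }

    /**
     * Validates the loaded response.
     *
     * <p>Every failure is caught, stored for {@link #getError()} and logged; the method itself
     * never throws. The order of the checks is significant because the first failing check
     * determines the reported error.
     *
     * @param requestId ID of the AuthnRequest this response should answer, or null when no
     *                  request ID is being tracked
     * @return true only if every applicable check passed, including signature verification
     */
    public boolean isValid(String requestId) {
        this.error = null;
        try {
            if (this.samlResponseDocument == null) {
                throw new Exception("SAML Response is not loaded");
            }
            if (this.currentUrl == null || this.currentUrl.isEmpty()) {
                throw new Exception("The URL of the current host was not established");
            }
            Element rootElement = this.samlResponseDocument.getDocumentElement();
            rootElement.normalize();
            if (!"2.0".equals(rootElement.getAttribute("Version"))) {
                throw new ValidationError("Unsupported SAML Version.", 0);
            }
            if (!rootElement.hasAttribute("ID")) {
                throw new ValidationError("Missing ID attribute on SAML Response.", 1);
            }
            checkStatus();
            if (!validateNumAssertions()) {
                throw new ValidationError("SAML Response must contain 1 Assertion.", 2);
            }
            ArrayList<String> signedElements = processSignedElements();
            boolean responseSigned = signedElements.contains(RESPONSE_TAG);
            boolean assertionSigned = signedElements.contains(ASSERTION_TAG);

            if (this.settings.isStrict()) {
                validateStrict(rootElement, requestId, responseSigned, assertionSigned);
            }

            // Enforced in every mode: an unsigned response is never accepted.
            if (signedElements.isEmpty() || !(assertionSigned || responseSigned)) {
                throw new ValidationError("No Signature found. SAML Response rejected", 34);
            }
            verifySignatures(responseSigned, assertionSigned);

            // The full response is logged at debug level; keep debug logging off where the
            // assertion content must not reach log storage.
            LOGGER.debug("SAMLResponse validated --> {}", this.samlResponseString);
            return true;
        } catch (Exception e) {
            this.error = e.getMessage();
            LOGGER.debug("SAMLResponse invalid --> {}", this.samlResponseString);
            // Some messages embed values taken from the response (InResponseTo, Issuer).
            LOGGER.error(this.error);
            return false;
        }
    }

    /** Runs the checks that apply only when {@code settings.isStrict()} is true. */
    private void validateStrict(Element rootElement, String requestId, boolean responseSigned, boolean assertionSigned) throws Exception {
        if (this.settings.getWantXMLValidation()) {
            if (!Util.validateXML(this.samlResponseDocument, SchemaFactory.SAML_SCHEMA_PROTOCOL_2_0)) {
                throw new ValidationError("Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd", 14);
            }
            if (this.encrypted && !Util.validateXML(this.decryptedDocument, SchemaFactory.SAML_SCHEMA_PROTOCOL_2_0)) {
                throw new ValidationError("Invalid decrypted SAML Response. Not match the saml-schema-protocol-2.0.xsd", 14);
            }
        }

        String responseInResponseTo = rootElement.hasAttribute("InResponseTo") ? rootElement.getAttribute("InResponseTo") : null;
        if (requestId == null && responseInResponseTo != null && this.settings.isRejectUnsolicitedResponsesWithInResponseTo()) {
            throw new ValidationError("The Response has an InResponseTo attribute: " + responseInResponseTo + " while no InResponseTo was expected", 15);
        }
        if (requestId != null && !Objects.equals(responseInResponseTo, requestId)) {
            throw new ValidationError("The InResponseTo of the Response: " + responseInResponseTo + ", does not match the ID of the AuthNRequest sent by the SP: " + requestId, 15);
        }

        if (!this.encrypted && this.settings.getWantAssertionsEncrypted()) {
            throw new ValidationError("The assertion of the Response is not encrypted and the SP requires it", 16);
        }
        if (this.settings.getWantNameIdEncrypted() && queryAssertion("/saml:Subject/saml:EncryptedID/xenc:EncryptedData").getLength() == 0) {
            throw new ValidationError("The NameID of the Response is not encrypted and the SP requires it", 17);
        }
        if (!checkOneCondition()) {
            throw new ValidationError("The Assertion must include a Conditions element", 18);
        }
        if (!validateTimestamps()) {
            throw new Exception("Timing issues (please check your clock settings)");
        }
        if (!checkOneAuthnStatement()) {
            throw new ValidationError("The Assertion must include an AuthnStatement element", 21);
        }
        if (queryAssertion("/saml:AttributeStatement/saml:EncryptedAttribute").getLength() > 0) {
            throw new ValidationError("There is an EncryptedAttribute in the Response and this SP does not support them", 23);
        }

        validateDestination(rootElement);
        validateAudiences();

        String expectedIssuer = this.settings.getIdpEntityId();
        for (String issuer : getIssuers()) {
            if (issuer.isEmpty() || !issuer.equals(expectedIssuer)) {
                throw new ValidationError(String.format("Invalid issuer in the Assertion/Response. Was '%s', but expected '%s'", issuer, this.settings.getIdpEntityId()), 29);
            }
        }

        DateTime sessionNotOnOrAfter = getSessionNotOnOrAfter();
        if (sessionNotOnOrAfter != null) {
            DateTime sessionExpiry = sessionNotOnOrAfter.plus(clockDriftMillis());
            if (sessionExpiry.isEqualNow() || sessionExpiry.isBeforeNow()) {
                throw new ValidationError("The attributes have expired, based on the SessionNotOnOrAfter of the AttributeStatement of this Response", 30);
            }
        }

        validateSubjectConfirmation(responseInResponseTo);

        if (this.settings.getWantAssertionsSigned() && !assertionSigned) {
            throw new ValidationError("The Assertion of the Response is not signed and the SP requires it", 33);
        }
        if (this.settings.getWantMessagesSigned() && !responseSigned) {
            throw new ValidationError("The Message of the Response is not signed and the SP requires it", 32);
        }
    }

    /** Verifies each signature that is present against the configured IdP certificates. */
    private void verifySignatures(boolean responseSigned, boolean assertionSigned) throws Exception {
        X509Certificate primaryCert = this.settings.getIdpx509cert();
        List<X509Certificate> trustedCerts = new ArrayList<>();
        List<X509Certificate> additionalCerts = this.settings.getIdpx509certMulti();
        if (additionalCerts != null && !additionalCerts.isEmpty()) {
            trustedCerts.addAll(additionalCerts);
        }
        if (primaryCert != null && !trustedCerts.contains(primaryCert)) {
            trustedCerts.add(0, primaryCert);
        }
        String fingerprint = this.settings.getIdpCertFingerprint();
        String fingerprintAlgorithm = this.settings.getIdpCertFingerprintAlgorithm();

        // The Response signature covers the document as received, so it is checked there.
        if (responseSigned && !Util.validateSign(this.samlResponseDocument, trustedCerts, fingerprint, fingerprintAlgorithm, Util.RESPONSE_SIGNATURE_XPATH)) {
            throw new ValidationError("Signature validation failed. SAML Response rejected", 42);
        }
        // The Assertion signature is only reachable after decryption.
        Document assertionDocument = this.encrypted ? this.decryptedDocument : this.samlResponseDocument;
        if (assertionSigned && !Util.validateSign(assertionDocument, trustedCerts, fingerprint, fingerprintAlgorithm, Util.ASSERTION_SIGNATURE_XPATH)) {
            throw new ValidationError("Signature validation failed. SAML Response rejected", 42);
        }
    }

    /** Allowed clock drift expressed in milliseconds. */
    private static int clockDriftMillis() {
        return Constants.ALOWED_CLOCK_DRIFT.intValue() * 1000;
    }

    /**
     * Requires at least one bearer SubjectConfirmation whose SubjectConfirmationData passes
     * the Recipient, InResponseTo, NotOnOrAfter and NotBefore checks.
     *
     * @param responseInResponseTo InResponseTo of the enclosing Response, or null
     * @throws ValidationError listing every problem found when no confirmation is acceptable
     */
    private void validateSubjectConfirmation(String responseInResponseTo) throws XPathExpressionException, ValidationError {
        List<SubjectConfirmationIssue> issues = new ArrayList<>();
        boolean validConfirmationFound = false;
        NodeList confirmations = queryAssertion("/saml:Subject/saml:SubjectConfirmation");
        for (int i = 0; i < confirmations.getLength(); i++) {
            Node confirmation = confirmations.item(i);
            Node method = confirmation.getAttributes().getNamedItem("Method");
            if (method != null && !method.getNodeValue().equals(Constants.CM_BEARER)) {
                continue;
            }
            NodeList children = confirmation.getChildNodes();
            for (int j = 0; j < children.getLength(); j++) {
                Node child = children.item(j);
                if (child.getLocalName() == null || !child.getLocalName().equals("SubjectConfirmationData")) {
                    continue;
                }
                SubjectConfirmationIssue issue = checkSubjectConfirmationData(child, i, responseInResponseTo);
                if (issue == null) {
                    validConfirmationFound = true;
                } else {
                    issues.add(issue);
                }
            }
        }
        if (!validConfirmationFound) {
            throw new ValidationError(SubjectConfirmationIssue.prettyPrintIssues(issues), 31);
        }
    }

    /** Returns the first problem found in one SubjectConfirmationData, or null if it is valid. */
    private SubjectConfirmationIssue checkSubjectConfirmationData(Node data, int index, String responseInResponseTo) {
        NamedNodeMap attributes = data.getAttributes();
        SubjectConfirmationIssue recipientIssue = validateRecipient(attributes.getNamedItem("Recipient"), index);
        if (recipientIssue != null) {
            return recipientIssue;
        }
        // InResponseTo must be absent exactly when the Response has none, and equal otherwise.
        Node inResponseTo = data.getAttributes().getNamedItem("InResponseTo");
        boolean inResponseToMatches = inResponseTo == null
                ? responseInResponseTo == null
                : inResponseTo.getNodeValue().equals(responseInResponseTo);
        if (!inResponseToMatches) {
            return new SubjectConfirmationIssue(index, "SubjectConfirmationData has an invalid InResponseTo value");
        }
        Node notOnOrAfter = data.getAttributes().getNamedItem("NotOnOrAfter");
        if (notOnOrAfter == null) {
            return new SubjectConfirmationIssue(index, "SubjectConfirmationData doesn't contain a NotOnOrAfter attribute");
        }
        DateTime expiry = Util.parseDateTime(notOnOrAfter.getNodeValue()).plus(clockDriftMillis());
        if (expiry.isEqualNow() || expiry.isBeforeNow()) {
            return new SubjectConfirmationIssue(index, "SubjectConfirmationData is no longer valid");
        }
        Node notBefore = data.getAttributes().getNamedItem("NotBefore");
        if (notBefore != null && Util.parseDateTime(notBefore.getNodeValue()).minus(clockDriftMillis()).isAfterNow()) {
            return new SubjectConfirmationIssue(index, "SubjectConfirmationData is not yet valid");
        }
        return null;
    }

    /** Validates the response without comparing InResponseTo against a request ID. */
    public boolean isValid() {
        return isValid(null);
    }

    /**
     * Extracts the NameID (decrypting an EncryptedID when present) with its qualifiers.
     *
     * @return map with key {@code Value} and, when present, {@code Format},
     *         {@code SPNameQualifier} and {@code NameQualifier}; empty when no NameID exists
     *         and the settings do not require one. The result is cached.
     * @throws Exception on decryption problems, an empty NameID in strict mode, an
     *                   SPNameQualifier mismatch, or a required NameID that is missing
     */
    public Map<String, String> getNameIdData() throws Exception {
        if (this.nameIdData != null) {
            return this.nameIdData;
        }
        Map<String, String> data = new HashMap<>();
        NodeList nameIdNodes;
        if (queryAssertion("/saml:Subject/saml:EncryptedID").getLength() == 1) {
            NodeList encryptedDataNodes = queryAssertion("/saml:Subject/saml:EncryptedID/xenc:EncryptedData");
            if (encryptedDataNodes.getLength() == 1) {
                Element encryptedData = (Element) encryptedDataNodes.item(0);
                PrivateKey spKey = this.settings.getSPkey();
                if (spKey == null) {
                    throw new SettingsException("Key is required in order to decrypt the NameID", 4);
                }
                Util.decryptElement(encryptedData, spKey);
            }
            nameIdNodes = queryAssertion("/saml:Subject/saml:EncryptedID/saml:NameID|/saml:Subject/saml:NameID");
            if (nameIdNodes == null || nameIdNodes.getLength() == 0) {
                throw new Exception("Not able to decrypt the EncryptedID and get a NameID");
            }
        } else {
            nameIdNodes = queryAssertion("/saml:Subject/saml:NameID");
        }

        if (nameIdNodes != null && nameIdNodes.getLength() == 1) {
            Element nameId = (Element) nameIdNodes.item(0);
            if (nameId != null) {
                String value = nameId.getTextContent();
                if (this.settings.isStrict() && value.isEmpty()) {
                    throw new ValidationError("An empty NameID value found", 39);
                }
                data.put("Value", value);
                if (nameId.hasAttribute("Format")) {
                    data.put("Format", nameId.getAttribute("Format"));
                }
                if (nameId.hasAttribute("SPNameQualifier")) {
                    String spNameQualifier = nameId.getAttribute("SPNameQualifier");
                    validateSpNameQualifier(spNameQualifier);
                    data.put("SPNameQualifier", spNameQualifier);
                }
                if (nameId.hasAttribute("NameQualifier")) {
                    data.put("NameQualifier", nameId.getAttribute("NameQualifier"));
                }
            }
        } else if (this.settings.getWantNameId()) {
            throw new ValidationError("No name id found in Document.", 38);
        }
        this.nameIdData = data;
        return data;
    }

    /** @return the NameID value, or null when the response carries none */
    public String getNameId() throws Exception {
        Map<String, String> data = getNameIdData();
        if (data.isEmpty()) {
            return null;
        }
        LOGGER.debug("SAMLResponse has NameID --> {}", data.get("Value"));
        return data.get("Value");
    }

    /** @return the NameID Format attribute, or null when absent */
    public String getNameIdFormat() throws Exception {
        Map<String, String> data = getNameIdData();
        if (data.isEmpty() || !data.containsKey("Format")) {
            return null;
        }
        LOGGER.debug("SAMLResponse has NameID Format --> {}", data.get("Format"));
        return data.get("Format");
    }

    /** @return the NameID NameQualifier attribute, or null when absent */
    public String getNameIdNameQualifier() throws Exception {
        Map<String, String> data = getNameIdData();
        if (data.isEmpty() || !data.containsKey("NameQualifier")) {
            return null;
        }
        LOGGER.debug("SAMLResponse has NameID NameQualifier --> {}", data.get("NameQualifier"));
        return data.get("NameQualifier");
    }

    /** @return the NameID SPNameQualifier attribute, or null when absent */
    public String getNameIdSPNameQualifier() throws Exception {
        Map<String, String> data = getNameIdData();
        if (data.isEmpty() || !data.containsKey("SPNameQualifier")) {
            return null;
        }
        // The message previously said "NameQualifier", which made the two getters
        // indistinguishable in the log.
        LOGGER.debug("SAMLResponse has NameID SPNameQualifier --> {}", data.get("SPNameQualifier"));
        return data.get("SPNameQualifier");
    }

    /**
     * Collects the attributes of the assertion's AttributeStatement.
     *
     * @return attribute name mapped to its AttributeValue texts, in document order
     * @throws ValidationError if two Attribute elements share the same Name
     */
    public HashMap<String, List<String>> getAttributes() throws XPathExpressionException, ValidationError {
        HashMap<String, List<String>> attributes = new HashMap<>();
        NodeList attributeNodes = queryAssertion("/saml:AttributeStatement/saml:Attribute");
        if (attributeNodes.getLength() == 0) {
            LOGGER.debug("SAMLResponse has no attributes");
            return attributes;
        }
        for (int i = 0; i < attributeNodes.getLength(); i++) {
            Node attributeNode = attributeNodes.item(i);
            String name = attributeNode.getAttributes().getNamedItem("Name").getNodeValue();
            // A duplicated name is rejected rather than merged or overwritten.
            if (attributes.containsKey(name)) {
                throw new ValidationError("Found an Attribute element with duplicated Name", 41);
            }
            NodeList children = attributeNode.getChildNodes();
            List<String> values = new ArrayList<>();
            for (int j = 0; j < children.getLength(); j++) {
                if ("AttributeValue".equals(children.item(j).getLocalName())) {
                    values.add(children.item(j).getTextContent());
                }
            }
            attributes.put(name, values);
        }
        LOGGER.debug("SAMLResponse has attributes: {}", attributes);
        return attributes;
    }

    /**
     * Requires the Response status to be Success.
     *
     * @throws ValidationError carrying the status code and, when present, the status message
     */
    public void checkStatus() throws ValidationError {
        SamlResponseStatus status = getStatus(this.samlResponseDocument);
        if (status.is(Constants.STATUS_SUCCESS)) {
            return;
        }
        StringBuilder message = new StringBuilder("The status code of the Response was not Success, was ")
                .append(status.getStatusCode());
        if (status.getStatusMessage() != null) {
            message.append(" -> ").append(status.getStatusMessage());
        }
        throw new ValidationError(message.toString(), 5);
    }

    /** Reads {@code /samlp:Response/samlp:Status} from the given document. */
    public static SamlResponseStatus getStatus(Document document) throws ValidationError {
        return Util.getStatus("/samlp:Response/samlp:Status", document);
    }

    /** @return true if the assertion holds exactly one Conditions element */
    public Boolean checkOneCondition() throws XPathExpressionException {
        return queryAssertion("/saml:Conditions").getLength() == 1;
    }

    /** @return true if the assertion holds exactly one AuthnStatement element */
    public Boolean checkOneAuthnStatement() throws XPathExpressionException {
        return queryAssertion("/saml:AuthnStatement").getLength() == 1;
    }

    /** @return the trimmed, non-blank Audience values of the assertion's AudienceRestriction */
    public List<String> getAudiences() throws XPathExpressionException {
        List<String> audiences = new ArrayList<>();
        NodeList audienceNodes = queryAssertion("/saml:Conditions/saml:AudienceRestriction/saml:Audience");
        for (int i = 0; i < audienceNodes.getLength(); i++) {
            Node audienceNode = audienceNodes.item(i);
            if (audienceNode == null) {
                continue;
            }
            String text = audienceNode.getTextContent();
            if (text != null && !text.trim().isEmpty()) {
                audiences.add(text.trim());
            }
        }
        return audiences;
    }

    /**
     * Collects the distinct Issuer values of the Response and of the Assertion.
     *
     * <p>The Response-level Issuer is optional but must be unique when present; the
     * Assertion-level Issuer is mandatory. The previous guard ({@code > 1}) skipped a single
     * Response Issuer entirely, so in strict mode it was never compared with the IdP entity ID.
     *
     * @throws ValidationError if the Response has several Issuers or the Assertion does not
     *                         have exactly one
     */
    public List<String> getIssuers() throws XPathExpressionException, ValidationError {
        List<String> issuers = new ArrayList<>();
        NodeList responseIssuers = Util.query(this.samlResponseDocument, "/samlp:Response/saml:Issuer");
        if (responseIssuers.getLength() > 0) {
            if (responseIssuers.getLength() != 1) {
                throw new ValidationError("Issuer of the Response is multiple.", 27);
            }
            String responseIssuer = responseIssuers.item(0).getTextContent();
            if (!issuers.contains(responseIssuer)) {
                issuers.add(responseIssuer);
            }
        }
        NodeList assertionIssuers = queryAssertion("/saml:Issuer");
        if (assertionIssuers.getLength() != 1) {
            throw new ValidationError("Issuer of the Assertion not found or multiple.", 28);
        }
        String assertionIssuer = assertionIssuers.item(0).getTextContent();
        if (!issuers.contains(assertionIssuer)) {
            issuers.add(assertionIssuer);
        }
        return issuers;
    }

    /** @return SessionNotOnOrAfter of the first AuthnStatement that has one, else null */
    public DateTime getSessionNotOnOrAfter() throws XPathExpressionException {
        NodeList statements = queryAssertion("/saml:AuthnStatement[@SessionNotOnOrAfter]");
        if (statements.getLength() == 0) {
            return null;
        }
        Node attribute = statements.item(0).getAttributes().getNamedItem(AuthnStatement.SESSION_NOT_ON_OR_AFTER_ATTRIB_NAME);
        return Util.parseDateTime(attribute.getNodeValue());
    }

    /** @return SessionIndex of the first AuthnStatement that has one, else null */
    public String getSessionIndex() throws XPathExpressionException {
        NodeList statements = queryAssertion("/saml:AuthnStatement[@SessionIndex]");
        if (statements.getLength() == 0) {
            return null;
        }
        return statements.item(0).getAttributes().getNamedItem("SessionIndex").getNodeValue();
    }

    /** @return the ID attribute of the Response element */
    public String getId() {
        return this.samlResponseDocument.getDocumentElement().getAttributes().getNamedItem("ID").getNodeValue();
    }

    /**
     * @return the ID attribute of the assertion
     * @throws IllegalArgumentException if the response does not contain exactly one assertion
     */
    public String getAssertionId() throws XPathExpressionException {
        if (!validateNumAssertions()) {
            throw new IllegalArgumentException("SAML Response must contain 1 Assertion.");
        }
        return queryAssertion("").item(0).getAttributes().getNamedItem("ID").getNodeValue();
    }

    /** @return every NotOnOrAfter found on the assertion's SubjectConfirmationData elements */
    public List<Instant> getAssertionNotOnOrAfter() throws XPathExpressionException {
        NodeList dataNodes = queryAssertion("/saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData");
        List<Instant> instants = new ArrayList<>();
        for (int i = 0; i < dataNodes.getLength(); i++) {
            Node notOnOrAfter = dataNodes.item(i).getAttributes().getNamedItem("NotOnOrAfter");
            if (notOnOrAfter != null) {
                instants.add(new Instant(notOnOrAfter.getNodeValue()));
            }
        }
        return instants;
    }

    /**
     * Checks that the response holds exactly one assertion.
     *
     * <p>Plain and encrypted assertions are counted together in the received document; when
     * the assertion was encrypted the decrypted document must also hold exactly one Assertion.
     */
    public Boolean validateNumAssertions() throws IllegalArgumentException {
        int plainCount = this.samlResponseDocument.getElementsByTagNameNS(Constants.NS_SAML, "Assertion").getLength();
        int encryptedCount = this.samlResponseDocument.getElementsByTagNameNS(Constants.NS_SAML, EncryptedAssertion.DEFAULT_ELEMENT_LOCAL_NAME).getLength();
        boolean exactlyOne = plainCount + encryptedCount == 1;
        if (this.encrypted) {
            exactlyOne = exactlyOne && this.decryptedDocument.getElementsByTagNameNS(Constants.NS_SAML, "Assertion").getLength() == 1;
        }
        return exactlyOne;
    }

    /**
     * Inspects every {@code ds:Signature} in the document and checks its placement.
     *
     * <p>Each signature must be a child of the Response or of an Assertion, its parent must
     * carry a unique non-empty ID, it must have exactly one Reference, and a non-empty
     * Reference URI must point at that parent's ID. These checks make sure the element that
     * is later read is the element the signature covers.
     *
     * @return qualified names of the signed elements, one entry per signature
     * @throws ValidationError on any structural problem
     */
    public ArrayList<String> processSignedElements() throws XPathExpressionException, ValidationError {
        ArrayList<String> signedElements = new ArrayList<>();
        List<String> seenReferenceIds = new ArrayList<>();
        List<String> seenElementIds = new ArrayList<>();
        NodeList signatures = query("//ds:Signature", null);
        for (int i = 0; i < signatures.getLength(); i++) {
            Node signature = signatures.item(i);
            Node signedNode = signature.getParentNode();
            String signedTag = "{" + signedNode.getNamespaceURI() + "}" + signedNode.getLocalName();
            if (!signedTag.equals(RESPONSE_TAG) && !signedTag.equals(ASSERTION_TAG)) {
                throw new ValidationError("Invalid Signature Element " + signedTag + " SAML Response rejected", 6);
            }

            Node idAttribute = signedNode.getAttributes().getNamedItem("ID");
            if (idAttribute == null || idAttribute.getNodeValue() == null || idAttribute.getNodeValue().isEmpty()) {
                throw new ValidationError("Signed Element must contain an ID. SAML Response rejected", 7);
            }
            String elementId = idAttribute.getNodeValue();
            if (seenElementIds.contains(elementId)) {
                throw new ValidationError("Duplicated ID. SAML Response rejected", 8);
            }
            seenElementIds.add(elementId);

            NodeList references = Util.query(null, "ds:SignedInfo/ds:Reference", signature);
            if (references.getLength() != 1) {
                throw new ValidationError("Unexpected number of Reference nodes found for signature. SAML Response rejected.", 45);
            }
            Node uriAttribute = references.item(0).getAttributes().getNamedItem("URI");
            if (uriAttribute != null && uriAttribute.getNodeValue() != null && !uriAttribute.getNodeValue().isEmpty()) {
                // Drop the leading '#' of the same-document reference.
                String referencedId = uriAttribute.getNodeValue().substring(1);
                if (!referencedId.equals(elementId)) {
                    throw new ValidationError("Found an invalid Signed Element. SAML Response rejected", 9);
                }
                if (seenReferenceIds.contains(referencedId)) {
                    throw new ValidationError("Duplicated Reference URI. SAML Response rejected", 10);
                }
                seenReferenceIds.add(referencedId);
            }
            signedElements.add(signedTag);
        }
        if (signedElements.isEmpty() || validateSignedElements(signedElements)) {
            return signedElements;
        }
        throw new ValidationError("Found an unexpected Signature Element. SAML Response rejected", 11);
    }

    /**
     * Checks that the set of signed elements is one this SP accepts: at most one signed
     * Response and at most one signed Assertion, each with its signature at the expected path.
     *
     * @param arrayList qualified names produced by {@link #processSignedElements()}
     * @return false if the combination is not acceptable
     * @throws ValidationError if a signature is not at the expected location
     */
    public boolean validateSignedElements(ArrayList<String> arrayList) throws XPathExpressionException, ValidationError {
        if (arrayList.size() > 2) {
            return false;
        }
        Map<String, Integer> occurrences = new HashMap<>();
        for (String tag : arrayList) {
            occurrences.merge(tag, 1, Integer::sum);
        }
        boolean hasResponse = occurrences.containsKey(RESPONSE_TAG);
        boolean hasAssertion = occurrences.containsKey(ASSERTION_TAG);
        if (hasResponse && occurrences.get(RESPONSE_TAG) > 1) {
            return false;
        }
        if (hasAssertion && occurrences.get(ASSERTION_TAG) > 1) {
            return false;
        }
        if (!hasResponse && !hasAssertion) {
            return false;
        }
        if (hasResponse && query(Util.RESPONSE_SIGNATURE_XPATH, null).getLength() != 1) {
            throw new ValidationError("Unexpected number of Response signatures found. SAML Response rejected.", 12);
        }
        if (hasAssertion && query(Util.ASSERTION_SIGNATURE_XPATH, null).getLength() != 1) {
            throw new ValidationError("Unexpected number of Assertion signatures found. SAML Response rejected.", 13);
        }
        return true;
    }

    /**
     * Checks NotBefore / NotOnOrAfter of every Conditions element, allowing for clock drift.
     *
     * <p>The decrypted document is inspected when the assertion was encrypted. The Conditions
     * element of an encrypted assertion is not present in the document as received, so reading
     * only that document left the validity window of encrypted assertions unchecked.
     *
     * @return true when no Conditions element is outside its validity window
     * @throws ValidationError if a condition has expired or is not yet valid
     */
    public boolean validateTimestamps() throws ValidationError {
        Document document = this.encrypted ? this.decryptedDocument : this.samlResponseDocument;
        NodeList conditions = document.getElementsByTagNameNS("*", "Conditions");
        for (int i = 0; i < conditions.getLength(); i++) {
            NamedNodeMap attributes = conditions.item(i).getAttributes();
            Node notBefore = attributes.getNamedItem("NotBefore");
            Node notOnOrAfter = attributes.getNamedItem("NotOnOrAfter");
            if (notOnOrAfter != null) {
                DateTime expiry = Util.parseDateTime(notOnOrAfter.getNodeValue()).plus(clockDriftMillis());
                if (expiry.isEqualNow() || expiry.isBeforeNow()) {
                    throw new ValidationError("Could not validate timestamp: expired. Check system clock.", 20);
                }
            }
            if (notBefore != null && Util.parseDateTime(notBefore.getNodeValue()).minus(clockDriftMillis()).isAfterNow()) {
                throw new ValidationError("Could not validate timestamp: not yet valid. Check system clock.", 19);
            }
        }
        return true;
    }

    /** Overrides the URL that Destination and Recipient are compared against. */
    public void setDestinationUrl(String str) {
        this.currentUrl = str;
    }

    /** @return the message of the last validation failure, or null */
    public String getError() {
        return this.error;
    }

    /**
     * Runs an XPath query relative to the assertion that a signature actually covers.
     *
     * <p>If the Assertion is signed, the assertion is selected by the ID its signature
     * references. Otherwise, if the Response is signed, the assertion is taken from the
     * Response with the referenced ID. Only when neither reference exists is the plain
     * {@code /samlp:Response/saml:Assertion} path used.
     *
     * @param str XPath suffix appended to the assertion path (may be empty)
     */
    private NodeList queryAssertion(String str) throws XPathExpressionException {
        String assertionPath;
        NodeList assertionReferences = query("/samlp:Response/saml:Assertion/ds:Signature/ds:SignedInfo/ds:Reference", null);
        if (assertionReferences.getLength() != 0) {
            assertionPath = "/samlp:Response//saml:Assertion[@ID='" + signedElementId(assertionReferences.item(0)) + "']";
        } else {
            String responsePath = "/samlp:Response";
            NodeList responseReferences = query("/samlp:Response/ds:Signature/ds:SignedInfo/ds:Reference", null);
            if (responseReferences.getLength() == 1) {
                responsePath = "/samlp:Response[@ID='" + signedElementId(responseReferences.item(0)) + "']";
            }
            assertionPath = responsePath + "/saml:Assertion";
        }
        return query(assertionPath + str, null);
    }

    /**
     * Resolves the ID a {@code ds:Reference} points at: the URI without its leading '#', or
     * the ID of the element enclosing the signature when the URI is empty.
     *
     * <p>The ID comes from the received document and is placed inside a quoted XPath literal,
     * so a value containing a single quote is refused instead of being concatenated.
     */
    private static String signedElementId(Node reference) throws XPathExpressionException {
        String uri = reference.getAttributes().getNamedItem("URI").getNodeValue();
        String id;
        if (uri == null || uri.isEmpty()) {
            // Reference -> SignedInfo -> Signature -> signed element
            id = reference.getParentNode().getParentNode().getParentNode().getAttributes().getNamedItem("ID").getNodeValue();
        } else {
            id = uri.substring(1);
        }
        if (id.indexOf('\'') >= 0) {
            throw new XPathExpressionException("Signed element ID contains a quote character and cannot be used in an XPath expression");
        }
        return id;
    }

    /** Queries the decrypted document when the assertion was encrypted, else the original. */
    private NodeList query(String str, Node node) throws XPathExpressionException {
        return Util.query(this.encrypted ? this.decryptedDocument : this.samlResponseDocument, str, node);
    }

    /**
     * Decrypts the EncryptedAssertion of the given document and puts the plaintext Assertion
     * in its place.
     *
     * @param document copy of the response to decrypt in place
     * @return a re-parsed document containing the plaintext assertion
     * @throws SettingsException if no SP private key is configured
     * @throws ValidationError   if the EncryptedData element is missing or decryption did not
     *                           yield an Assertion
     */
    private Document decryptAssertion(Document document) throws XPathExpressionException, ParserConfigurationException, SAXException, IOException, SettingsException, ValidationError {
        PrivateKey spKey = this.settings.getSPkey();
        if (spKey == null) {
            throw new SettingsException("No private key available for decrypt, check settings", 4);
        }
        NodeList encryptedDataNodes = Util.query(document, "/samlp:Response/saml:EncryptedAssertion/xenc:EncryptedData");
        if (encryptedDataNodes.getLength() == 0) {
            throw new ValidationError("No /samlp:Response/saml:EncryptedAssertion/xenc:EncryptedData element found", 48);
        }
        Util.decryptElement((Element) encryptedDataNodes.item(0), spKey);

        NodeList assertionNodes = Util.query(document, "/samlp:Response/saml:EncryptedAssertion/saml:Assertion");
        // The check must look at the decrypted result; testing the EncryptedData list again
        // could never fail here and let a null node through to the replaceChild call below.
        if (assertionNodes.getLength() == 0) {
            throw new ValidationError("No /samlp:Response/saml:EncryptedAssertion/saml:Assertion element found", 48);
        }
        Node assertion = assertionNodes.item(0);
        Node encryptedAssertion = assertion.getParentNode();
        encryptedAssertion.getParentNode().replaceChild(assertion, encryptedAssertion);

        // Serialise and re-parse so later queries run against a consistent tree.
        return Util.convertStringToDocument(Util.convertDocumentToString(document));
    }

    /** @return the response XML, with the assertion in plaintext if it was encrypted */
    public String getSAMLResponseXml() {
        return this.encrypted ? Util.convertDocumentToString(this.decryptedDocument) : this.samlResponseString;
    }

    /** @return the decrypted document when the assertion was encrypted, else the original */
    protected Document getSAMLResponseDocument() {
        return this.encrypted ? this.decryptedDocument : this.samlResponseDocument;
    }

    /**
     * Requires the SP entity ID to be among the assertion's audiences.
     *
     * <p>An assertion that lists no audience at all passes this check.
     */
    protected void validateAudiences() throws XPathExpressionException, ValidationError {
        List<String> audiences = getAudiences();
        if (!audiences.isEmpty() && !audiences.contains(this.settings.getSpEntityId())) {
            throw new ValidationError(this.settings.getSpEntityId() + " is not a valid audience for this Response", 26);
        }
    }

    /**
     * Requires a present Destination attribute to be non-empty and equal to the current URL.
     *
     * <p>A response without a Destination attribute passes this check.
     */
    protected void validateDestination(Element element) throws ValidationError {
        if (!element.hasAttribute("Destination")) {
            return;
        }
        String destination = element.getAttribute("Destination");
        if (destination == null) {
            return;
        }
        if (destination.isEmpty()) {
            throw new ValidationError("The response has an empty Destination value", 25);
        }
        if (!destination.equals(this.currentUrl)) {
            throw new ValidationError("The response was received at " + this.currentUrl + " instead of " + destination, 24);
        }
    }

    /**
     * Checks the Recipient of a SubjectConfirmationData against the current URL.
     *
     * @param node Recipient attribute node, or null when the attribute is absent
     * @param i    index of the enclosing SubjectConfirmation, used in the reported issue
     * @return null when the recipient matches, otherwise the issue to report
     */
    protected SubjectConfirmationIssue validateRecipient(Node node, int i) {
        if (node == null) {
            return new SubjectConfirmationIssue(i, "SubjectConfirmationData doesn't contain a Recipient");
        }
        if (!node.getNodeValue().equals(this.currentUrl)) {
            return new SubjectConfirmationIssue(i, "SubjectConfirmationData doesn't match a valid Recipient");
        }
        return null;
    }

    /** In strict mode, requires the SPNameQualifier to equal the SP entity ID. */
    protected void validateSpNameQualifier(String str) throws ValidationError {
        if (this.settings.isStrict() && !str.equals(this.settings.getSpEntityId())) {
            throw new ValidationError("The SPNameQualifier value mismatch the SP entityID value.", 40);
        }
    }
}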
