package se.litsec.opensaml.saml2.common.response;

import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.core.Response;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.StringUtils;
import se.litsec.opensaml.common.validation.AbstractObjectValidator;
import se.litsec.opensaml.common.validation.ValidationSupport;

/* loaded from: input_file:se/litsec/opensaml/saml2/common/response/ResponseProfileValidator.class */
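/**
 * Profile-level validator for a SAML 2.0 {@code Response} message.
 *
 * <p>{@link #validate(Response, ValidationContext)} runs a fixed sequence of checks and stops at
 * the first one that does not pass. In this class only {@link #validateRequired} and
 * {@link #validateAssertions} perform real checks. The InResponseTo, Destination, Consent, Issuer,
 * signature-presence and Extensions hooks always return {@link ValidationResult#VALID}, so on its
 * own this class does not bind a response to a request, an endpoint or an issuer, and it does not
 * require a signature. Presumably subclasses or other validators supply those checks; verify this
 * before relying on this class as the only response validation step.
 */
public class ResponseProfileValidator extends AbstractObjectValidator<Response> {
    /** Status code value that marks a successful response. */
    private static final String STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";

    private final Logger log = LoggerFactory.getLogger(ResponseProfileValidator.class);

    /**
     * Validates the response by running each profile check in order.
     *
     * @param response the response to validate
     * @param validationContext receives the failure message when a check fails
     * @return {@link ValidationResult#VALID} if every check passed, otherwise the result carried by
     *     the first failing check
     */
    @Override // se.litsec.opensaml.common.validation.ObjectValidator
    public ValidationResult validate(Response response, ValidationContext validationContext) {
        try {
            // ValidationSupport.check presumably throws ValidationResultException for any result
            // other than VALID (see the catch below) - confirm against ValidationSupport.
            ValidationSupport.check(validateRequired(response, validationContext));
            ValidationSupport.check(validateInResponseTo(response, validationContext));
            ValidationSupport.check(validateDestination(response, validationContext));
            ValidationSupport.check(validateConsent(response, validationContext));
            ValidationSupport.check(validateIssuer(response, validationContext));
            ValidationSupport.check(validateSignaturePresent(response, validationContext));
            ValidationSupport.check(validateAssertions(response, validationContext));
            // validateExtensions is not part of this sequence; it is only reachable by direct call.

            if (hasSuccessStatus(response)) {
                // NOTE(review): plain (unencrypted) assertions and a missing EncryptedAssertion are
                // only logged here, even when strict validation is enabled - confirm that
                // warn-only is intended for the profile in use.
                if (!response.getAssertions().isEmpty()) {
                    this.log.warn("Response element contains non encrypted Assertion(s) - this is not valid");
                }
                if (response.getEncryptedAssertions().isEmpty()) {
                    this.log.warn("Response element does not contain an EncryptedAssertion");
                }
                if (response.getEncryptedAssertions().size() > 1) {
                    if (isStrictValidation()) {
                        validationContext.setValidationFailureMessage("Response element contains more than one EncryptedAssertion - this is not valid");
                        return ValidationResult.INVALID;
                    }
                    this.log.warn("Response element contains more than one EncryptedAssertion - this is not valid");
                }
            }
            return ValidationResult.VALID;
        } catch (ValidationSupport.ValidationResultException e) {
            return e.getResult();
        }
    }

    /**
     * Checks that the mandatory parts of the response are present: a non-blank ID, a
     * Status/StatusCode with a value, SAML version 2.0 and an IssueInstant.
     *
     * @param response the response to check
     * @param validationContext receives the failure message when something is missing
     * @return {@link ValidationResult#VALID} if all required parts are present, otherwise
     *     {@link ValidationResult#INVALID}
     */
    public ValidationResult validateRequired(Response response, ValidationContext validationContext) {
        if (!StringUtils.hasText(response.getID())) {
            validationContext.setValidationFailureMessage("Missing ID attribute in Response");
            return ValidationResult.INVALID;
        }
        if (response.getStatus() == null || response.getStatus().getStatusCode() == null || response.getStatus().getStatusCode().getValue() == null) {
            validationContext.setValidationFailureMessage("Missing Status/StatusCode in Response");
            return ValidationResult.INVALID;
        }
        if (response.getVersion() == null || !response.getVersion().toString().equals(SAMLVersion.VERSION_20.toString())) {
            validationContext.setValidationFailureMessage("Invalid SAML version in Response");
            return ValidationResult.INVALID;
        }
        if (response.getIssueInstant() == null) {
            validationContext.setValidationFailureMessage("Missing IssueInstant attribute in Response");
            return ValidationResult.INVALID;
        }
        return ValidationResult.VALID;
    }

    /**
     * Hook for checking the InResponseTo attribute. This implementation performs no check.
     *
     * @param response the response to check
     * @param validationContext the validation context
     * @return always {@link ValidationResult#VALID}
     */
    public ValidationResult validateInResponseTo(Response response, ValidationContext validationContext) {
        return ValidationResult.VALID;
    }

    /**
     * Hook for checking the Destination attribute. This implementation performs no check.
     *
     * @param response the response to check
     * @param validationContext the validation context
     * @return always {@link ValidationResult#VALID}
     */
    public ValidationResult validateDestination(Response response, ValidationContext validationContext) {
        return ValidationResult.VALID;
    }

    /**
     * Hook for checking the Consent attribute. This implementation performs no check.
     *
     * @param response the response to check
     * @param validationContext the validation context
     * @return always {@link ValidationResult#VALID}
     */
    public ValidationResult validateConsent(Response response, ValidationContext validationContext) {
        return ValidationResult.VALID;
    }

    /**
     * Hook for checking the Issuer element. This implementation performs no check.
     *
     * @param response the response to check
     * @param validationContext the validation context
     * @return always {@link ValidationResult#VALID}
     */
    public ValidationResult validateIssuer(Response response, ValidationContext validationContext) {
        return ValidationResult.VALID;
    }

    /**
     * Hook for checking that the response carries a signature. This implementation performs no
     * check, so an unsigned response passes this step.
     *
     * @param response the response to check
     * @param validationContext the validation context
     * @return always {@link ValidationResult#VALID}
     */
    public ValidationResult validateSignaturePresent(Response response, ValidationContext validationContext) {
        return ValidationResult.VALID;
    }

    /**
     * Checks that the presence of assertions agrees with the status code: a success response must
     * carry at least one Assertion or EncryptedAssertion, and a non-success response must carry
     * none.
     *
     * <p>Reads the status code without null checks, so it relies on {@link #validateRequired}
     * having passed first, as it does in {@link #validate}.
     *
     * @param response the response to check
     * @param validationContext receives the failure message on a mismatch
     * @return {@link ValidationResult#INVALID} when status and assertion presence disagree,
     *     otherwise {@link ValidationResult#VALID}
     */
    public ValidationResult validateAssertions(Response response, ValidationContext validationContext) {
        final boolean hasAssertions = !response.getAssertions().isEmpty() || !response.getEncryptedAssertions().isEmpty();
        if (hasSuccessStatus(response)) {
            if (!hasAssertions) {
                validationContext.setValidationFailureMessage("Response message has success status but does not contain assertions - invalid");
                // A recorded failure must also fail the check; returning VALID here would let the
                // response through with only a message set.
                return ValidationResult.INVALID;
            }
        } else if (hasAssertions) {
            validationContext.setValidationFailureMessage("Response message has failure status but contains assertions - invalid");
            return ValidationResult.INVALID;
        }
        return ValidationResult.VALID;
    }

    /**
     * Hook for checking the Extensions element. This implementation performs no check and is not
     * called from {@link #validate}.
     *
     * @param response the response to check
     * @param validationContext the validation context
     * @return always {@link ValidationResult#VALID}
     */
    public ValidationResult validateExtensions(Response response, ValidationContext validationContext) {
        return ValidationResult.VALID;
    }

    /** Tells whether the response's status code value is the SAML success URI. */
    private static boolean hasSuccessStatus(Response response) {
        return STATUS_SUCCESS.equals(response.getStatus().getStatusCode().getValue());
    }
}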
