package se.litsec.opensaml.saml2.common.assertion;

import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.xml.namespace.QName;
import org.joda.time.DateTime;
import org.joda.time.chrono.ISOChronology;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.common.assertion.AssertionValidationException;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.assertion.ConditionValidator;
import org.opensaml.saml.saml2.assertion.StatementValidator;
import org.opensaml.saml.saml2.assertion.SubjectConfirmationValidator;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Condition;
import org.opensaml.saml.saml2.core.Conditions;
import org.opensaml.saml.saml2.core.Statement;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.xmlsec.signature.support.SignaturePrevalidator;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.StringUtils;
import se.litsec.opensaml.common.validation.AbstractSignableObjectValidator;
import se.litsec.opensaml.common.validation.CoreValidatorParameters;
import se.litsec.opensaml.common.validation.ValidationSupport;

/* loaded from: input_file:se/litsec/opensaml/saml2/common/assertion/AssertionValidator.class */
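/**
 * Validator for SAML 2.0 {@code Assertion} elements.
 * <p>
 * The checks are run in a fixed order by {@link #validate(Assertion, ValidationContext)}: ID, version,
 * IssueInstant, Issuer, signature (inherited from {@link AbstractSignableObjectValidator}), Subject,
 * Conditions and Statements. The first check that does not return {@link ValidationResult#VALID}
 * terminates validation with that result, and the reason is left in the context's validation
 * failure message.
 * <p>
 * Per-method, per-condition and per-statement checks are delegated to the validators supplied at
 * construction time, keyed by subject confirmation method, condition QName/schema type and statement
 * QName/schema type respectively. Subclasses may extend the protected maps with additional validators.
 */
public class AssertionValidator extends AbstractSignableObjectValidator<Assertion> {

    /**
     * Static-parameter key holding the issue instant (epoch millis as a {@link Long}) of the Response
     * that carried the assertion. When present, the assertion's IssueInstant is checked against it
     * instead of against the receive time.
     */
    public static final String RESPONSE_ISSUE_INSTANT = "saml2.ResponseIssueInstant";

    /** Dynamic-parameter key under which the subject confirmation that succeeded is stored. */
    private static final String CONFIRMED_SUBJECT_CONFIRMATION = "saml2.ConfirmedSubjectConfirmation";

    private static final Logger log = LoggerFactory.getLogger(AssertionValidator.class);

    /** Subject confirmation validators keyed by the confirmation method URI they handle. */
    protected Map<String, SubjectConfirmationValidator> subjectConfirmationValidators;

    /** Condition validators keyed by the element QName (or schema type) they handle. */
    protected Map<QName, ConditionValidator> conditionValidators;

    /** Statement validators keyed by the element QName (or schema type) they handle. */
    private Map<QName, StatementValidator> statementValidators;

    /**
     * Creates an assertion validator.
     *
     * @param signatureTrustEngine the trust engine used when verifying the assertion signature
     * @param signaturePrevalidator the signature pre-validator
     * @param subjectConfirmationValidators subject confirmation validators (may be {@code null}; {@code null} entries are ignored)
     * @param conditionValidators condition validators (may be {@code null}; {@code null} entries are ignored)
     * @param statementValidators statement validators (may be {@code null}; {@code null} entries are ignored)
     */
    public AssertionValidator(SignatureTrustEngine signatureTrustEngine, SignaturePrevalidator signaturePrevalidator,
            Collection<SubjectConfirmationValidator> subjectConfirmationValidators,
            Collection<ConditionValidator> conditionValidators,
            Collection<StatementValidator> statementValidators) {
        super(signatureTrustEngine, signaturePrevalidator);

        // A later validator for the same key replaces an earlier one (HashMap.put semantics).
        this.subjectConfirmationValidators = new HashMap<>();
        if (subjectConfirmationValidators != null) {
            for (SubjectConfirmationValidator v : subjectConfirmationValidators) {
                if (v != null) {
                    this.subjectConfirmationValidators.put(v.getServicedMethod(), v);
                }
            }
        }
        this.conditionValidators = new HashMap<>();
        if (conditionValidators != null) {
            for (ConditionValidator v : conditionValidators) {
                if (v != null) {
                    this.conditionValidators.put(v.getServicedCondition(), v);
                }
            }
        }
        this.statementValidators = new HashMap<>();
        if (statementValidators != null) {
            for (StatementValidator v : statementValidators) {
                if (v != null) {
                    this.statementValidators.put(v.getServicedStatement(), v);
                }
            }
        }
    }

    /**
     * Runs all assertion checks in order and returns the first non-VALID result.
     *
     * @param assertion the assertion to validate
     * @param validationContext the validation context (static parameters in, failure message and dynamic parameters out)
     * @return {@link ValidationResult#VALID} if every check passed, otherwise the failing check's result
     */
    @Override
    public ValidationResult validate(Assertion assertion, ValidationContext validationContext) {
        try {
            ValidationSupport.check(validateID(assertion, validationContext));
            ValidationSupport.check(validateVersion(assertion, validationContext));
            ValidationSupport.check(validateIssueInstant(assertion, validationContext));
            ValidationSupport.check(validateIssuer(assertion, validationContext));
            ValidationSupport.check(validateSignature(assertion, validationContext));
            ValidationSupport.check(validateSubject(assertion, validationContext));
            ValidationSupport.check(validateConditions(assertion, validationContext));
            ValidationSupport.check(validateStatements(assertion, validationContext));
            return ValidationResult.VALID;
        } catch (ValidationSupport.ValidationResultException e) {
            // ValidationSupport.check throws on any non-VALID result; the result is carried in the exception.
            return e.getResult();
        }
    }

    /**
     * Checks that the assertion carries a non-blank ID attribute.
     *
     * @param assertion the assertion
     * @param validationContext the validation context
     * @return VALID or INVALID
     */
    protected ValidationResult validateID(Assertion assertion, ValidationContext validationContext) {
        if (StringUtils.hasText(assertion.getID())) {
            return ValidationResult.VALID;
        }
        validationContext.setValidationFailureMessage("Missing ID attribute in Assertion");
        return ValidationResult.INVALID;
    }

    /**
     * Checks that the assertion's Version attribute is exactly SAML 2.0.
     *
     * @param assertion the assertion
     * @param validationContext the validation context
     * @return VALID or INVALID
     */
    protected ValidationResult validateVersion(Assertion assertion, ValidationContext validationContext) {
        SAMLVersion version = assertion.getVersion();
        if (version != null && version.toString().equals(SAMLVersion.VERSION_20.toString())) {
            return ValidationResult.VALID;
        }
        validationContext.setValidationFailureMessage("Invalid SAML version in Assertion");
        return ValidationResult.INVALID;
    }

    /**
     * Checks the assertion's IssueInstant.
     * <p>
     * If the static parameter {@link #RESPONSE_ISSUE_INSTANT} is present, the assertion must not have
     * been issued after the enclosing Response; no age or clock-skew check is made here in that case
     * (NOTE(review): presumably the Response validator already applied those bounds - confirm).
     * Otherwise the IssueInstant is compared with the receive instant: it must not be older than the
     * configured maximum message age plus allowed clock skew, and not more than the allowed clock
     * skew in the future. The receive instant, max age and skew come from the base validator.
     *
     * @param assertion the assertion
     * @param validationContext the validation context
     * @return VALID or INVALID
     */
    protected ValidationResult validateIssueInstant(Assertion assertion, ValidationContext validationContext) {
        DateTime issueInstant = assertion.getIssueInstant();
        if (issueInstant == null) {
            validationContext.setValidationFailureMessage("Missing IssueInstant attribute in Assertion");
            return ValidationResult.INVALID;
        }
        Long responseIssueInstant = (Long) validationContext.getStaticParameters().get(RESPONSE_ISSUE_INSTANT);
        if (responseIssueInstant != null) {
            if (issueInstant.isAfter(responseIssueInstant.longValue())) {
                validationContext.setValidationFailureMessage(String.format(
                    "Invalid Assertion - Its issue-instant (%s) is after the response message issue-instant (%s)",
                    issueInstant, new DateTime(responseIssueInstant.longValue(), ISOChronology.getInstanceUTC())));
                return ValidationResult.INVALID;
            }
            return ValidationResult.VALID;
        }

        long receiveInstant = getReceiveInstant(validationContext);
        long issued = issueInstant.getMillis();
        long maxAgeReceivedMessage = getMaxAgeReceivedMessage(validationContext);
        long allowedClockSkew = getAllowedClockSkew(validationContext);
        DateTime receiveTime = new DateTime(receiveInstant, ISOChronology.getInstanceUTC());

        // Too old: issued more than (max age + skew) before we received it.
        if (receiveInstant - issued > maxAgeReceivedMessage + allowedClockSkew) {
            validationContext.setValidationFailureMessage(String.format(
                "Received Assertion is too old - issue-instant: %s - receive-time: %s", issueInstant, receiveTime));
            return ValidationResult.INVALID;
        }
        // From the future: issued more than the allowed skew after we received it.
        if (issued - receiveInstant > allowedClockSkew) {
            validationContext.setValidationFailureMessage(String.format(
                "Issue-instant of Assertion (%s) is newer than receive time (%s) - Non accepted clock skew",
                issueInstant, receiveTime));
            return ValidationResult.INVALID;
        }
        return ValidationResult.VALID;
    }

    /**
     * Checks that the assertion has an Issuer and, if the static parameter
     * {@link CoreValidatorParameters#EXPECTED_ISSUER} is set, that it matches exactly.
     * <p>
     * When no expected issuer is configured the issuer value is accepted as-is and a warning is logged;
     * callers that rely on issuer binding must supply that parameter.
     *
     * @param assertion the assertion
     * @param validationContext the validation context
     * @return VALID or INVALID
     */
    protected ValidationResult validateIssuer(Assertion assertion, ValidationContext validationContext) {
        if (assertion.getIssuer() == null || assertion.getIssuer().getValue() == null) {
            validationContext.setValidationFailureMessage("Missing Issuer element in Assertion");
            return ValidationResult.INVALID;
        }
        String issuer = assertion.getIssuer().getValue();
        String expectedIssuer = (String) validationContext.getStaticParameters().get(CoreValidatorParameters.EXPECTED_ISSUER);
        if (expectedIssuer == null) {
            log.warn("EXPECTED_ISSUER key not set - will not check issuer of Assertion");
            return ValidationResult.VALID;
        }
        if (!issuer.equals(expectedIssuer)) {
            validationContext.setValidationFailureMessage(String.format(
                "Issuer of Assertion (%s) did not match expected issuer (%s)", issuer, expectedIssuer));
            return ValidationResult.INVALID;
        }
        return ValidationResult.VALID;
    }

    /**
     * Checks the assertion Subject.
     * <p>
     * A missing Subject is accepted unless the assertion carries AuthnStatements. If the Subject has
     * SubjectConfirmations they are handed to
     * {@link #validateSubjectConfirmations(Assertion, List, ValidationContext)}; a Subject without any
     * confirmations is accepted without further checks.
     *
     * @param assertion the assertion
     * @param validationContext the validation context
     * @return VALID or INVALID
     */
    protected ValidationResult validateSubject(Assertion assertion, ValidationContext validationContext) {
        if (assertion.getSubject() == null) {
            boolean hasAuthnStatements = assertion.getAuthnStatements() != null && !assertion.getAuthnStatements().isEmpty();
            if (hasAuthnStatements) {
                validationContext.setValidationFailureMessage("Assertion contains AuthnStatement but no Subject - invalid");
                return ValidationResult.INVALID;
            }
            log.debug("Assertion does not contain a Subject element - allowed by default assertion validator");
            return ValidationResult.VALID;
        }
        List<SubjectConfirmation> subjectConfirmations = assertion.getSubject().getSubjectConfirmations();
        if (subjectConfirmations == null || subjectConfirmations.isEmpty()) {
            log.debug("Assertion contains no SubjectConfirmations, default assertion validator skips subject confirmation");
            return ValidationResult.VALID;
        }
        return validateSubjectConfirmations(assertion, subjectConfirmations, validationContext);
    }

    /**
     * Validates the subject confirmations; the assertion is accepted as soon as one of them validates.
     * <p>
     * Confirmations whose method has no registered validator are skipped. A validator that throws
     * {@link AssertionValidationException} is logged and treated as a failed confirmation. The first
     * confirmation that succeeds is stored in the dynamic parameters under
     * {@code "saml2.ConfirmedSubjectConfirmation"}.
     *
     * @param assertion the assertion
     * @param subjectConfirmations the confirmations to try (non-empty)
     * @param validationContext the validation context
     * @return VALID if any confirmation validated, otherwise INVALID
     */
    protected ValidationResult validateSubjectConfirmations(Assertion assertion, List<SubjectConfirmation> subjectConfirmations,
            ValidationContext validationContext) {
        for (SubjectConfirmation confirmation : subjectConfirmations) {
            SubjectConfirmationValidator validator = this.subjectConfirmationValidators.get(confirmation.getMethod());
            if (validator == null) {
                continue;
            }
            try {
                if (validator.validate(confirmation, assertion, validationContext) == ValidationResult.VALID) {
                    validationContext.getDynamicParameters().put(CONFIRMED_SUBJECT_CONFIRMATION, confirmation);
                    return ValidationResult.VALID;
                }
                log.info("Validation of SubjectConfirmation with method '{}' failed - {}",
                    confirmation.getMethod(), validationContext.getValidationFailureMessage());
            } catch (AssertionValidationException e) {
                log.warn("Error while executing subject confirmation validation " + validator.getClass().getName(), e);
            }
        }
        String msg = String.format("No subject confirmation methods were met for assertion with ID '%s'", assertion.getID());
        log.debug(msg);
        validationContext.setValidationFailureMessage(msg);
        return ValidationResult.INVALID;
    }

    /**
     * Validates the assertion Conditions element.
     * <p>
     * A missing Conditions element is accepted. Otherwise the NotBefore/NotOnOrAfter bounds are checked
     * first, then each child Condition is handed to the validator registered for its element QName
     * (falling back to its schema type). A Condition with no registered validator is only fatal
     * (INDETERMINATE) when strict validation is enabled in the context; otherwise it is logged and
     * skipped, which means such a condition is not enforced.
     *
     * @param assertion the assertion
     * @param validationContext the validation context
     * @return VALID, INVALID, or INDETERMINATE for an unknown condition under strict validation
     */
    protected ValidationResult validateConditions(Assertion assertion, ValidationContext validationContext) {
        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            log.debug("Assertion contained no Conditions element - allowed by default assertion validator");
            return ValidationResult.VALID;
        }
        ValidationResult timeBoundsResult = validateConditionsTimeBounds(assertion, validationContext);
        if (timeBoundsResult != ValidationResult.VALID) {
            return timeBoundsResult;
        }
        for (Condition condition : conditions.getConditions()) {
            ConditionValidator validator = lookupConditionValidator(condition);
            if (validator == null) {
                String msg = String.format("Unknown Condition '%s' of type '%s' in assertion '%s'",
                    condition.getElementQName(), condition.getSchemaType(), assertion.getID());
                log.warn(msg);
                if (isStrictValidation(validationContext)) {
                    validationContext.setValidationFailureMessage(msg);
                    return ValidationResult.INDETERMINATE;
                }
                continue;
            }
            ValidationResult result;
            try {
                result = validator.validate(condition, assertion, validationContext);
            } catch (AssertionValidationException e) {
                log.error("Failed Conditions validation - {}", e.getMessage());
                log.debug("", e);
                validationContext.setValidationFailureMessage(e.getMessage());
                result = ValidationResult.INVALID;
            }
            if (result != ValidationResult.VALID) {
                // Build the message once; the original appended the validator's reason twice.
                String msg = String.format("Condition '%s' of type '%s' in assertion '%s' was not valid",
                    condition.getElementQName(), condition.getSchemaType(), assertion.getID());
                String reason = validationContext.getValidationFailureMessage();
                if (reason != null) {
                    msg = msg + " - " + reason;
                }
                log.debug(msg);
                validationContext.setValidationFailureMessage(msg);
                return ValidationResult.INVALID;
            }
        }
        return ValidationResult.VALID;
    }

    /** Finds the validator for a condition by element QName, falling back to its schema type. */
    private ConditionValidator lookupConditionValidator(Condition condition) {
        ConditionValidator validator = this.conditionValidators.get(condition.getElementQName());
        if (validator == null && condition.getSchemaType() != null) {
            validator = this.conditionValidators.get(condition.getSchemaType());
        }
        return validator;
    }

    /**
     * Checks the Conditions NotBefore and NotOnOrAfter attributes against the current time.
     * <p>
     * "Now" is the static parameter {@link CoreValidatorParameters#RECEIVE_INSTANT} (epoch millis) when
     * present, otherwise the wall clock. The allowed clock skew from the base validator widens the window
     * on both sides: NotBefore may be up to {@code skew} ahead of now, and NotOnOrAfter may be up to
     * {@code skew} behind now. Absent attributes impose no bound.
     *
     * @param assertion the assertion
     * @param validationContext the validation context
     * @return VALID or INVALID
     */
    protected ValidationResult validateConditionsTimeBounds(Assertion assertion, ValidationContext validationContext) {
        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            return ValidationResult.VALID;
        }
        long allowedClockSkew = getAllowedClockSkew(validationContext);
        Long receiveInstant = (Long) validationContext.getStaticParameters().get(CoreValidatorParameters.RECEIVE_INSTANT);
        DateTime now = receiveInstant != null
            ? new DateTime(receiveInstant.longValue(), ISOChronology.getInstanceUTC())
            : new DateTime(ISOChronology.getInstanceUTC());

        DateTime notBefore = conditions.getNotBefore();
        DateTime latestAcceptableNotBefore = now.plus(allowedClockSkew);
        log.debug("Evaluating Conditions NotBefore '{}' against 'skewed now' time '{}'", notBefore, latestAcceptableNotBefore);
        if (notBefore != null && notBefore.isAfter(latestAcceptableNotBefore)) {
            validationContext.setValidationFailureMessage(String.format(
                "Assertion '%s' with NotBefore condition of '%s' is not yet valid", assertion.getID(), notBefore));
            return ValidationResult.INVALID;
        }

        DateTime notOnOrAfter = conditions.getNotOnOrAfter();
        DateTime earliestAcceptableNotOnOrAfter = now.minus(allowedClockSkew);
        log.debug("Evaluating Conditions NotOnOrAfter '{}' against 'skewed now' time '{}'", notOnOrAfter, earliestAcceptableNotOnOrAfter);
        if (notOnOrAfter != null && notOnOrAfter.isBefore(earliestAcceptableNotOnOrAfter)) {
            validationContext.setValidationFailureMessage(String.format(
                "Assertion '%s' with NotOnOrAfter condition of '%s' is no longer valid", assertion.getID(), notOnOrAfter));
            return ValidationResult.INVALID;
        }
        return ValidationResult.VALID;
    }

    /**
     * Validates the assertion's statements with the registered statement validators.
     * <p>
     * Each statement is matched by element QName, then by schema type. Statements with no registered
     * validator are skipped without logging. A validator that throws {@link AssertionValidationException}
     * is logged and the assertion is rejected with the exception message as failure reason.
     *
     * @param assertion the assertion
     * @param validationContext the validation context
     * @return VALID if every validated statement passed, otherwise the first non-VALID result
     */
    protected ValidationResult validateStatements(Assertion assertion, ValidationContext validationContext) {
        List<Statement> statements = assertion.getStatements();
        if (statements == null || statements.isEmpty()) {
            return ValidationResult.VALID;
        }
        for (Statement statement : statements) {
            StatementValidator validator = this.statementValidators.get(statement.getElementQName());
            if (validator == null && statement.getSchemaType() != null) {
                validator = this.statementValidators.get(statement.getSchemaType());
            }
            if (validator == null) {
                continue;
            }
            ValidationResult result;
            try {
                result = validator.validate(statement, assertion, validationContext);
            } catch (AssertionValidationException e) {
                log.error("Failed Statement validation - {}", e.getMessage());
                log.debug("", e);
                validationContext.setValidationFailureMessage(e.getMessage());
                result = ValidationResult.INVALID;
            }
            if (result != ValidationResult.VALID) {
                return result;
            }
        }
        return ValidationResult.VALID;
    }

    /**
     * Returns the assertion's issuer value, or {@code null} if there is no Issuer element.
     * (Decompiler note suggests this was {@code protected} in the original source; kept public here.)
     *
     * @param assertion the assertion
     * @return the issuer value or {@code null}
     */
    @Override
    public String getIssuer(Assertion assertion) {
        return assertion.getIssuer() != null ? assertion.getIssuer().getValue() : null;
    }

    /**
     * Returns the assertion's ID attribute.
     * (Decompiler note suggests this was {@code protected} in the original source; kept public here.)
     *
     * @param assertion the assertion
     * @return the ID, possibly {@code null}
     */
    @Override
    public String getID(Assertion assertion) {
        return assertion.getID();
    }

    /** Name of the validated object, used by the base class in messages. */
    @Override
    protected String getObjectName() {
        return "Assertion";
    }
}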
