package se.litsec.opensaml.saml2.common.assertion;

import java.time.Instant;
import javax.xml.namespace.QName;
import org.opensaml.saml.common.assertion.AssertionValidationException;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.assertion.StatementValidator;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.opensaml.saml.saml2.core.Statement;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import se.litsec.opensaml.common.validation.AbstractObjectValidator;
import se.litsec.opensaml.common.validation.CoreValidatorParameters;
import se.litsec.opensaml.common.validation.ValidationSupport;

/* loaded from: input_file:se/litsec/opensaml/saml2/common/assertion/AuthnStatementValidator.class */
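/**
 * Validator for the {@code AuthnStatement} element(s) of a SAML 2 assertion.
 * <p>
 * Besides checking that {@code AuthnInstant} and {@code AuthnContext} are present and that the
 * authentication instant is not later than the assertion's issue instant, the validator enforces the
 * SP's single sign-on policy from these static validation parameters (all optional):
 * <ul>
 * <li>{@link #AUTHN_REQUEST_FORCE_AUTHN} ({@code Boolean}) - whether forced authentication was requested.
 * When absent, the flag is read from the {@code AuthnRequest} stored under
 * {@link CoreValidatorParameters#AUTHN_REQUEST}, if any.</li>
 * <li>{@link #AUTHN_REQUEST_ISSUE_INSTANT} ({@code Long}, epoch milliseconds) - issue instant of the
 * {@code AuthnRequest}. Same fallback as above.</li>
 * <li>{@link #MAX_ACCEPTED_SSO_SESSION_TIME} ({@code Long}, milliseconds) - how far back in time the
 * original authentication may lie when forced authentication was not requested. When absent, no
 * session-age limit is enforced.</li>
 * </ul>
 * If forced authentication was requested but no request issue instant can be determined, the check
 * is skipped with a warning and the statement is accepted.
 * <p>
 * The {@code validateSessionIndex}, {@code validateSessionNotOnOrAfter} and {@code validateSubjectLocality}
 * hooks accept everything by default and exist for subclasses to override.
 */
public class AuthnStatementValidator implements StatementValidator {

    /** Static parameter key: {@code Boolean} telling whether ForceAuthn was requested. */
    public static final String AUTHN_REQUEST_FORCE_AUTHN = "saml2.AuthnRequestForceAuthn";

    /** Static parameter key: {@code Long} holding the AuthnRequest issue instant in epoch millis. */
    public static final String AUTHN_REQUEST_ISSUE_INSTANT = "saml2.AuthnRequestIssueInstant";

    /** Static parameter key: {@code Long} holding the maximum accepted SSO session age in millis. */
    public static final String MAX_ACCEPTED_SSO_SESSION_TIME = "saml2.MaxAcceptedSsoSessionTime";

    private final Logger log = LoggerFactory.getLogger(AuthnStatementValidator.class);

    /**
     * Returns the element name this validator handles, i.e. {@code AuthnStatement}.
     *
     * @return the {@code AuthnStatement} default element name
     */
    public QName getServicedStatement() {
        return AuthnStatement.DEFAULT_ELEMENT_NAME;
    }

    /**
     * Dispatches to {@link #validate(AuthnStatement, Assertion, ValidationContext)} after checking that
     * the supplied statement really is an {@code AuthnStatement}.
     *
     * @param statement the statement to validate
     * @param assertion the assertion holding the statement
     * @param validationContext the validation context
     * @return the validation result
     * @throws AssertionValidationException if the statement is not an {@code AuthnStatement} (a wiring
     *           error on the caller's side, not a failed validation)
     */
    public final ValidationResult validate(Statement statement, Assertion assertion, ValidationContext validationContext) throws AssertionValidationException {
        if (statement instanceof AuthnStatement) {
            return validate((AuthnStatement) statement, assertion, validationContext);
        }
        // A null statement must not turn into an NPE while building the error message.
        String statementType = statement != null ? statement.getClass().getSimpleName() : "null";
        throw new AssertionValidationException("Illegal call - statement is of type " + statementType);
    }

    /**
     * Runs the individual checks in order and stops at the first one that does not return
     * {@link ValidationResult#VALID}; that result (with the failure message already set in the
     * context) is returned.
     *
     * @param authnStatement the statement to validate
     * @param assertion the assertion holding the statement
     * @param validationContext the validation context
     * @return the validation result
     */
    protected ValidationResult validate(AuthnStatement authnStatement, Assertion assertion, ValidationContext validationContext) {
        try {
            ValidationSupport.check(validateAuthnInstant(authnStatement, assertion, validationContext));
            ValidationSupport.check(validateSessionIndex(authnStatement, assertion, validationContext));
            ValidationSupport.check(validateSessionNotOnOrAfter(authnStatement, assertion, validationContext));
            ValidationSupport.check(validateSubjectLocality(authnStatement, assertion, validationContext));
            ValidationSupport.check(validateAuthnContext(authnStatement, assertion, validationContext));
            return ValidationResult.VALID;
        } catch (ValidationSupport.ValidationResultException e) {
            // ValidationSupport.check throws for any non-VALID result; the carried result is the outcome.
            return e.getResult();
        }
    }

    /**
     * Validates the {@code AuthnInstant} attribute: it must be present and must not be after the
     * assertion's issue instant (no clock skew is granted here). On success the SSO/session policy
     * checks in {@link #validateSsoAndSession(Instant, AuthnStatement, Assertion, ValidationContext)}
     * are applied.
     *
     * @param authnStatement the statement to validate
     * @param assertion the assertion holding the statement
     * @param validationContext the validation context
     * @return the validation result
     */
    protected ValidationResult validateAuthnInstant(AuthnStatement authnStatement, Assertion assertion, ValidationContext validationContext) {
        Instant authnInstant = authnStatement.getAuthnInstant();
        if (authnInstant == null) {
            validationContext.setValidationFailureMessage("AuthnInstant of Assertion/@AuthnStatement is missing");
            return ValidationResult.INVALID;
        }
        // Guard against an assertion without IssueInstant; a missing attribute is a failed validation, not an NPE.
        Instant issueInstant = assertion.getIssueInstant();
        if (issueInstant == null) {
            validationContext.setValidationFailureMessage("IssueInstant of Assertion is missing - cannot validate AuthnInstant");
            return ValidationResult.INVALID;
        }
        if (authnInstant.isAfter(issueInstant)) {
            validationContext.setValidationFailureMessage("AuthnInstant is after assertion issue instant - invalid");
            return ValidationResult.INVALID;
        }
        return validateSsoAndSession(authnInstant, authnStatement, assertion, validationContext);
    }

    /**
     * Applies the SP's SSO policy to the authentication instant.
     * <ul>
     * <li>ForceAuthn not requested (flag absent or {@code false}): if {@link #MAX_ACCEPTED_SSO_SESSION_TIME}
     * is set, the authentication must not be older than that, measured against the receive instant.</li>
     * <li>ForceAuthn requested: the authentication instant (plus allowed clock skew) must not precede
     * the issue instant of the {@code AuthnRequest}. Without a known request issue instant the check is
     * skipped and a warning is logged.</li>
     * </ul>
     *
     * @param instant the (non-null) authentication instant
     * @param authnStatement the statement being validated
     * @param assertion the assertion holding the statement
     * @param validationContext the validation context
     * @return the validation result
     */
    protected ValidationResult validateSsoAndSession(Instant instant, AuthnStatement authnStatement, Assertion assertion, ValidationContext validationContext) {
        Boolean forceAuthnFlag = getForceAuthnFlag(validationContext);
        Long authnRequestIssueInstant = getAuthnRequestIssueInstant(validationContext);
        boolean forceAuthnRequested = forceAuthnFlag != null && forceAuthnFlag.booleanValue();

        if (!forceAuthnRequested) {
            Long maxSessionTime = (Long) validationContext.getStaticParameters().get(MAX_ACCEPTED_SSO_SESSION_TIME);
            if (maxSessionTime != null
                    && instant.toEpochMilli() + maxSessionTime.longValue() < AbstractObjectValidator.getReceiveInstant(validationContext)) {
                validationContext.setValidationFailureMessage(String.format(
                        "Session length violation. Authentication instant (%s) is too far back in time to be accepted by SP SSO policy", instant));
                return ValidationResult.INVALID;
            }
        } else if (authnRequestIssueInstant == null) {
            // SLF4J uses {} placeholders; with %s the parameters were never rendered into the message.
            this.log.warn("{} (or {}) not supplied - cannot check SSO", AUTHN_REQUEST_ISSUE_INSTANT, CoreValidatorParameters.AUTHN_REQUEST);
        } else if (instant.toEpochMilli() + AbstractObjectValidator.getAllowedClockSkew(validationContext) < authnRequestIssueInstant.longValue()) {
            validationContext.setValidationFailureMessage(String.format(
                    "Invalid Assertion. Force authentication was requested, but authentication instant (%s) is before the issuance time of the authentication request (%s)",
                    instant, Instant.ofEpochMilli(authnRequestIssueInstant.longValue())));
            return ValidationResult.INVALID;
        }
        return ValidationResult.VALID;
    }

    /**
     * Resolves the ForceAuthn flag: first {@link #AUTHN_REQUEST_FORCE_AUTHN}, then the {@code AuthnRequest}
     * stored under {@link CoreValidatorParameters#AUTHN_REQUEST}.
     *
     * @param validationContext the validation context
     * @return the flag, or {@code null} if neither source is available
     */
    protected Boolean getForceAuthnFlag(ValidationContext validationContext) {
        Boolean forceAuthn = (Boolean) validationContext.getStaticParameters().get(AUTHN_REQUEST_FORCE_AUTHN);
        if (forceAuthn != null) {
            return forceAuthn;
        }
        AuthnRequest authnRequest = (AuthnRequest) validationContext.getStaticParameters().get(CoreValidatorParameters.AUTHN_REQUEST);
        return authnRequest != null ? authnRequest.isForceAuthn() : null;
    }

    /**
     * Resolves the issue instant of the {@code AuthnRequest} in epoch milliseconds: first
     * {@link #AUTHN_REQUEST_ISSUE_INSTANT}, then the {@code IssueInstant} of the {@code AuthnRequest} stored
     * under {@link CoreValidatorParameters#AUTHN_REQUEST}.
     *
     * @param validationContext the validation context
     * @return the issue instant in epoch millis, or {@code null} if it cannot be determined
     */
    protected Long getAuthnRequestIssueInstant(ValidationContext validationContext) {
        Long issueInstantMillis = (Long) validationContext.getStaticParameters().get(AUTHN_REQUEST_ISSUE_INSTANT);
        if (issueInstantMillis != null) {
            return issueInstantMillis;
        }
        AuthnRequest authnRequest = (AuthnRequest) validationContext.getStaticParameters().get(CoreValidatorParameters.AUTHN_REQUEST);
        // An AuthnRequest without IssueInstant yields null rather than an NPE; the caller then skips the check with a warning.
        if (authnRequest == null || authnRequest.getIssueInstant() == null) {
            return null;
        }
        return Long.valueOf(authnRequest.getIssueInstant().toEpochMilli());
    }

    /**
     * Validates the {@code SessionIndex} attribute. Default: accepts everything; override to enforce a policy.
     *
     * @param authnStatement the statement to validate
     * @param assertion the assertion holding the statement
     * @param validationContext the validation context
     * @return {@link ValidationResult#VALID}
     */
    protected ValidationResult validateSessionIndex(AuthnStatement authnStatement, Assertion assertion, ValidationContext validationContext) {
        return ValidationResult.VALID;
    }

    /**
     * Validates the {@code SessionNotOnOrAfter} attribute. Default: accepts everything; override to enforce a policy.
     *
     * @param authnStatement the statement to validate
     * @param assertion the assertion holding the statement
     * @param validationContext the validation context
     * @return {@link ValidationResult#VALID}
     */
    protected ValidationResult validateSessionNotOnOrAfter(AuthnStatement authnStatement, Assertion assertion, ValidationContext validationContext) {
        return ValidationResult.VALID;
    }

    /**
     * Validates the {@code SubjectLocality} element. Default: accepts everything; override to enforce a policy.
     *
     * @param authnStatement the statement to validate
     * @param assertion the assertion holding the statement
     * @param validationContext the validation context
     * @return {@link ValidationResult#VALID}
     */
    protected ValidationResult validateSubjectLocality(AuthnStatement authnStatement, Assertion assertion, ValidationContext validationContext) {
        return ValidationResult.VALID;
    }

    /**
     * Validates that the {@code AuthnContext} element is present. Its contents are not inspected here.
     *
     * @param authnStatement the statement to validate
     * @param assertion the assertion holding the statement
     * @param validationContext the validation context
     * @return the validation result
     */
    protected ValidationResult validateAuthnContext(AuthnStatement authnStatement, Assertion assertion, ValidationContext validationContext) {
        if (authnStatement.getAuthnContext() == null) {
            validationContext.setValidationFailureMessage("AuthnContext element is missing in Assertion/@AuthnStatement");
            return ValidationResult.INVALID;
        }
        return ValidationResult.VALID;
    }
}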
