package se.litsec.opensaml.saml2.common.response;

import java.time.Duration;
import java.time.Instant;
import java.util.Optional;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.xmlsec.signature.support.SignaturePrevalidator;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.StringUtils;
import se.litsec.opensaml.common.validation.AbstractSignableObjectValidator;
import se.litsec.opensaml.common.validation.CoreValidatorParameters;
import se.litsec.opensaml.common.validation.ValidationSupport;

/* loaded from: input_file:se/litsec/opensaml/saml2/common/response/ResponseValidator.class */
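public class ResponseValidator extends AbstractSignableObjectValidator<Response> {

    /** Class logger. */
    private static final Logger log = LoggerFactory.getLogger(ResponseValidator.class);

    /**
     * Constructor.
     *
     * @param signatureTrustEngine the trust engine handed to the base class for signature verification
     * @param signaturePrevalidator the signature pre-validator handed to the base class
     */
    public ResponseValidator(final SignatureTrustEngine signatureTrustEngine, final SignaturePrevalidator signaturePrevalidator) {
        super(signatureTrustEngine, signaturePrevalidator);
    }

    /**
     * Validates a SAML {@code Response}.
     * <p>
     * The individual checks are executed in a fixed order and a check that {@link ValidationSupport#check} rejects
     * short-circuits the chain; its result becomes the result of this method. The order is significant:
     * {@link #validateAssertions} dereferences the status code and relies on {@link #validateStatus} having passed.
     * </p>
     *
     * @param response the response to validate
     * @param validationContext the validation context (static parameters in, failure message out)
     * @return {@code VALID} if every check passes, otherwise the result of the first rejected check
     */
    @Override
    public ValidationResult validate(final Response response, final ValidationContext validationContext) {
        try {
            ValidationSupport.check(validateID(response, validationContext));
            ValidationSupport.check(validateVersion(response, validationContext));
            ValidationSupport.check(validateStatus(response, validationContext));
            ValidationSupport.check(validateIssueInstant(response, validationContext));
            ValidationSupport.check(validateInResponseTo(response, validationContext));
            ValidationSupport.check(validateDestination(response, validationContext));
            ValidationSupport.check(validateConsent(response, validationContext));
            ValidationSupport.check(validateIssuer(response, validationContext));
            ValidationSupport.check(validateSignature(response, validationContext));
            ValidationSupport.check(validateAssertions(response, validationContext));
            ValidationSupport.check(validateExtensions(response, validationContext));
            return ValidationResult.VALID;
        } catch (final ValidationSupport.ValidationResultException e) {
            return e.getResult();
        }
    }

    /**
     * Checks that the {@code ID} attribute is present and non-blank.
     *
     * @param response the response
     * @param validationContext the validation context
     * @return {@code VALID} or {@code INVALID}
     */
    protected ValidationResult validateID(final Response response, final ValidationContext validationContext) {
        if (!StringUtils.hasText(response.getID())) {
            validationContext.setValidationFailureMessage("Missing ID attribute in Response");
            return ValidationResult.INVALID;
        }
        return ValidationResult.VALID;
    }

    /**
     * Checks that the {@code Version} attribute is present and equals SAML 2.0.
     *
     * @param response the response
     * @param validationContext the validation context
     * @return {@code VALID} or {@code INVALID}
     */
    protected ValidationResult validateVersion(final Response response, final ValidationContext validationContext) {
        final SAMLVersion version = response.getVersion();
        // Compared via the string form, which is what the original implementation relied on.
        final boolean isSaml20 = version != null && version.toString().equals(SAMLVersion.VERSION_20.toString());
        if (!isSaml20) {
            validationContext.setValidationFailureMessage("Invalid SAML version in Response");
            return ValidationResult.INVALID;
        }
        return ValidationResult.VALID;
    }

    /**
     * Checks that {@code Status/StatusCode} is present and carries a value. Later checks (see
     * {@link #validateAssertions}) depend on this having passed.
     *
     * @param response the response
     * @param validationContext the validation context
     * @return {@code VALID} or {@code INVALID}
     */
    protected ValidationResult validateStatus(final Response response, final ValidationContext validationContext) {
        final String statusCode = Optional.ofNullable(response.getStatus())
            .map(s -> s.getStatusCode())
            .map(sc -> sc.getValue())
            .orElse(null);
        if (statusCode == null) {
            validationContext.setValidationFailureMessage("Missing Status/StatusCode in Response");
            return ValidationResult.INVALID;
        }
        return ValidationResult.VALID;
    }

    /**
     * Validates the {@code IssueInstant} attribute against the time the message was received.
     * <p>
     * With {@code age = receiveInstant - issueInstant}, the response is rejected as too old when
     * {@code age > maxAgeReceivedMessage + allowedClockSkew}, and rejected as not yet valid when the issue instant
     * lies more than {@code allowedClockSkew} in the future. Earlier versions of this method had the
     * {@code Duration.between} operands reversed, which rejected any message older than the clock skew and
     * accepted future-dated messages up to the maximum age.
     * </p>
     *
     * @param response the response
     * @param validationContext the validation context (supplies receive time, max age and allowed clock skew)
     * @return {@code VALID} or {@code INVALID}
     */
    protected ValidationResult validateIssueInstant(final Response response, final ValidationContext validationContext) {
        final Instant issueInstant = response.getIssueInstant();
        if (issueInstant == null) {
            validationContext.setValidationFailureMessage("Missing IssueInstant attribute in Response");
            return ValidationResult.INVALID;
        }
        final Instant receiveInstant = getReceiveInstant(validationContext);
        final Duration maxAgeReceivedMessage = getMaxAgeReceivedMessage(validationContext);
        final Duration allowedClockSkew = getAllowedClockSkew(validationContext);

        // Duration.between(start, end) is end - start, so this is positive when the message was issued
        // before it was received, i.e. it is the age of the message at receive time.
        final Duration age = Duration.between(issueInstant, receiveInstant);

        if (age.compareTo(maxAgeReceivedMessage.plus(allowedClockSkew)) > 0) {
            validationContext.setValidationFailureMessage(String.format(
                "Received Response message is too old - issue-instant: %s - receive-time: %s", issueInstant, receiveInstant));
            return ValidationResult.INVALID;
        }
        // A negative age means the issue instant is in the future; tolerate at most the allowed clock skew.
        if (age.negated().compareTo(allowedClockSkew) > 0) {
            validationContext.setValidationFailureMessage(String.format(
                "Issue-instant of Response message (%s) is newer than receive time (%s) - Non accepted clock skew", issueInstant, receiveInstant));
            return ValidationResult.INVALID;
        }
        return ValidationResult.VALID;
    }

    /**
     * Checks that {@code InResponseTo} matches the ID of the AuthnRequest the response answers.
     * <p>
     * The expected ID is taken from the static parameter {@code AUTHN_REQUEST_ID}, falling back to the ID of the
     * {@code AUTHN_REQUEST} static parameter. If neither is available the check is {@code INDETERMINATE}.
     * </p>
     *
     * @param response the response
     * @param validationContext the validation context
     * @return {@code VALID}, {@code INVALID} or {@code INDETERMINATE}
     */
    protected ValidationResult validateInResponseTo(final Response response, final ValidationContext validationContext) {
        final String inResponseTo = response.getInResponseTo();
        if (inResponseTo == null) {
            validationContext.setValidationFailureMessage("Missing InResponseTo attribute in Response");
            return ValidationResult.INVALID;
        }
        String expectedId = (String) validationContext.getStaticParameters().get(CoreValidatorParameters.AUTHN_REQUEST_ID);
        if (expectedId == null) {
            final AuthnRequest authnRequest = (AuthnRequest) validationContext.getStaticParameters().get(CoreValidatorParameters.AUTHN_REQUEST);
            if (authnRequest != null) {
                expectedId = authnRequest.getID();
            }
        }
        if (expectedId == null) {
            validationContext.setValidationFailureMessage("Could not validate InResponseTo of Response (no AuthnRequest ID available)");
            return ValidationResult.INDETERMINATE;
        }
        if (!inResponseTo.equals(expectedId)) {
            validationContext.setValidationFailureMessage(String.format(
                "Expected Response message for AuthnRequest with ID '%s', but this Response is for '%s'", expectedId, inResponseTo));
            return ValidationResult.INVALID;
        }
        return ValidationResult.VALID;
    }

    /**
     * Checks that the {@code Destination} attribute equals the URL the response was received on (static parameter
     * {@code RECEIVE_URL}). Without a receive URL the check is {@code INDETERMINATE}.
     *
     * @param response the response
     * @param validationContext the validation context
     * @return {@code VALID}, {@code INVALID} or {@code INDETERMINATE}
     */
    protected ValidationResult validateDestination(final Response response, final ValidationContext validationContext) {
        final String destination = response.getDestination();
        if (destination == null) {
            validationContext.setValidationFailureMessage("Missing Destination attribute in Response");
            return ValidationResult.INVALID;
        }
        final String receiveUrl = (String) validationContext.getStaticParameters().get(CoreValidatorParameters.RECEIVE_URL);
        if (receiveUrl == null) {
            validationContext.setValidationFailureMessage("Could not validate Destination of Response (no receive URL available)");
            return ValidationResult.INDETERMINATE;
        }
        // Exact string comparison; no URL normalization is performed.
        if (!destination.equals(receiveUrl)) {
            validationContext.setValidationFailureMessage(String.format(
                "Destination attribute (%s) of Response does not match URL on which response was received (%s)", destination, receiveUrl));
            return ValidationResult.INVALID;
        }
        return ValidationResult.VALID;
    }

    /**
     * Hook for validating the {@code Consent} attribute. The default implementation performs no check.
     *
     * @param response the response
     * @param validationContext the validation context
     * @return always {@code VALID}
     */
    protected ValidationResult validateConsent(final Response response, final ValidationContext validationContext) {
        return ValidationResult.VALID;
    }

    /**
     * Checks that the {@code Issuer} element is present and, when the static parameter {@code EXPECTED_ISSUER} is
     * set, that it matches. When {@code EXPECTED_ISSUER} is not set the comparison is skipped with a warning and
     * the check passes.
     *
     * @param response the response
     * @param validationContext the validation context
     * @return {@code VALID} or {@code INVALID}
     */
    protected ValidationResult validateIssuer(final Response response, final ValidationContext validationContext) {
        final String issuer = getIssuer(response);
        if (issuer == null) {
            validationContext.setValidationFailureMessage("Missing Issuer element in Response");
            return ValidationResult.INVALID;
        }
        final String expectedIssuer = (String) validationContext.getStaticParameters().get(CoreValidatorParameters.EXPECTED_ISSUER);
        if (expectedIssuer == null) {
            log.warn("EXPECTED_ISSUER key not set - will not check issuer of Response");
            return ValidationResult.VALID;
        }
        if (!issuer.equals(expectedIssuer)) {
            validationContext.setValidationFailureMessage(String.format(
                "Issuer of Response (%s) did not match expected issuer (%s)", issuer, expectedIssuer));
            return ValidationResult.INVALID;
        }
        return ValidationResult.VALID;
    }

    /**
     * Checks that the presence of assertions is consistent with the status: a success status requires at least one
     * (plain or encrypted) assertion, a non-success status requires none.
     *
     * @param response the response
     * @param validationContext the validation context
     * @return {@code VALID} or {@code INVALID}
     */
    protected ValidationResult validateAssertions(final Response response, final ValidationContext validationContext) {
        // Null-safe so the method also behaves when invoked outside the validate() chain.
        final String statusCode = Optional.ofNullable(response.getStatus())
            .map(s -> s.getStatusCode())
            .map(sc -> sc.getValue())
            .orElse(null);
        final boolean hasAssertions = !response.getAssertions().isEmpty() || !response.getEncryptedAssertions().isEmpty();

        // The literal is the SAML 2.0 "Success" status code URI.
        if ("urn:oasis:names:tc:SAML:2.0:status:Success".equals(statusCode)) {
            if (!hasAssertions) {
                validationContext.setValidationFailureMessage("Response message has success status but does not contain any assertions - invalid");
                return ValidationResult.INVALID;
            }
        } else if (hasAssertions) {
            validationContext.setValidationFailureMessage("Response message has failure status but contains assertions - invalid");
            return ValidationResult.INVALID;
        }
        return ValidationResult.VALID;
    }

    /**
     * Hook for validating the {@code Extensions} element. The default implementation performs no check.
     *
     * @param response the response
     * @param validationContext the validation context
     * @return always {@code VALID}
     */
    protected ValidationResult validateExtensions(final Response response, final ValidationContext validationContext) {
        return ValidationResult.VALID;
    }

    /**
     * Returns the issuer value of the response, or {@code null} if no {@code Issuer} element is present.
     * Kept {@code public} as in the listing (the decompiler reports it was widened from {@code protected}).
     *
     * @param response the response
     * @return the issuer value or {@code null}
     */
    @Override
    public String getIssuer(final Response response) {
        return Optional.ofNullable(response.getIssuer())
            .map(issuer -> issuer.getValue())
            .orElse(null);
    }

    /**
     * Returns the {@code ID} attribute of the response.
     * Kept {@code public} as in the listing (the decompiler reports it was widened from {@code protected}).
     *
     * @param response the response
     * @return the ID attribute (may be {@code null})
     */
    @Override
    public String getID(final Response response) {
        return response.getID();
    }

    /**
     * Returns the name of the validated object type, used by the base class in messages.
     *
     * @return {@code "Response"}
     */
    @Override
    protected String getObjectName() {
        return "Response";
    }
}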
