package se.litsec.swedisheid.opensaml.saml2.validation;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.stream.Collectors;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import se.litsec.opensaml.saml2.common.assertion.AuthnStatementValidator;

/* loaded from: input_file:se/litsec/swedisheid/opensaml/saml2/validation/SwedishEidAuthnStatementValidator.class */
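/**
 * AuthnStatement validator that, after the checks of the base class have passed, requires the assertion to carry
 * an {@code AuthnContextClassRef} URI and compares that URI with the URIs that were requested.
 *
 * <p>
 * Security notes for integrators:
 * </p>
 * <ul>
 * <li>The comparison is only performed when requested URIs can be found in the static parameters of the
 * {@link ValidationContext} (see {@link #getRequestedAuthnContextUris(ValidationContext)}). If neither the
 * {@link #AUTHN_REQUEST_REQUESTED_AUTHNCONTEXTURIS} parameter nor an {@code AuthnRequest} holding class refs is
 * supplied, any issued URI is accepted. A caller that relies on this validator to enforce an authentication level
 * must therefore always populate one of those parameters.</li>
 * <li>Matching is plain membership ({@link Collection#contains(Object)}) on the URI string; this class does not read
 * the {@code Comparison} attribute of the {@code RequestedAuthnContext}.</li>
 * </ul>
 */
public class SwedishEidAuthnStatementValidator extends AuthnStatementValidator {

    /**
     * Key of the static validation parameter that holds the requested AuthnContext URIs as a
     * {@code Collection<String>}.
     */
    public static final String AUTHN_REQUEST_REQUESTED_AUTHNCONTEXTURIS = "saml2.AuthnRequestRequestedAuthnContextURIs";

    /** Class logger. */
    private static final Logger log = LoggerFactory.getLogger(SwedishEidAuthnStatementValidator.class);

    /**
     * Runs the base class validation and then checks the issued {@code AuthnContextClassRef} URI.
     *
     * @param authnStatement
     *          the statement being validated
     * @param assertion
     *          the assertion that holds the statement
     * @param validationContext
     *          the validation context; its static parameters supply the requested URIs
     * @return the result of the base class if that is not {@code VALID}; {@code INVALID} if the class ref URI is
     *         missing or was not requested; otherwise {@code VALID}
     */
    protected ValidationResult validateAuthnContext(AuthnStatement authnStatement, Assertion assertion, ValidationContext validationContext) {
        ValidationResult baseResult = super.validateAuthnContext(authnStatement, assertion, validationContext);
        if (baseResult != ValidationResult.VALID) {
            return baseResult;
        }

        // NOTE(review): the base class is not visible here, so a missing AuthnContext is rejected explicitly
        // instead of being dereferenced. The assertion content is controlled by the sender and must not be able
        // to turn this check into a NullPointerException.
        if (authnStatement.getAuthnContext() == null
                || authnStatement.getAuthnContext().getAuthnContextClassRef() == null
                || authnStatement.getAuthnContext().getAuthnContextClassRef().getURI() == null) {
            validationContext.setValidationFailureMessage("Missing AuthnContextClassRef URI from Assertion/@AuthnStatement/@AuthnContext");
            return ValidationResult.INVALID;
        }

        Collection<String> requestedAuthnContextUris = getRequestedAuthnContextUris(validationContext);
        if (requestedAuthnContextUris.isEmpty()) {
            // Nothing to compare against: the issued URI is accepted as is. This is only logged at debug level,
            // so a deployment that forgot to pass the request data will not see it in normal logs.
            log.debug("No RequestedAuthnContext URI was requested - will not check issued AuthnContextClassRef");
            return ValidationResult.VALID;
        }
        return validateAuthnContextClassRef(authnStatement.getAuthnContext().getAuthnContextClassRef().getURI(),
            requestedAuthnContextUris, authnStatement, assertion, validationContext);
    }

    /**
     * Checks that the issued URI is one of the requested URIs.
     *
     * @param str
     *          the {@code AuthnContextClassRef} URI taken from the assertion
     * @param collection
     *          the requested URIs
     * @param authnStatement
     *          the statement being validated (not used by this implementation)
     * @param assertion
     *          the assertion that holds the statement (not used by this implementation)
     * @param validationContext
     *          the validation context that receives the failure message
     * @return {@code VALID} if {@code collection} contains {@code str}, otherwise {@code INVALID}
     */
    protected ValidationResult validateAuthnContextClassRef(String str, Collection<String> collection, AuthnStatement authnStatement, Assertion assertion, ValidationContext validationContext) {
        if (!collection.contains(str)) {
            // The message echoes a value read from the assertion; whoever logs or displays it should treat it
            // as untrusted text.
            validationContext.setValidationFailureMessage(
                String.format("Assertion contained AuthnContextClassRef '%s', but that one was not requested (%s)", str, collection));
            return ValidationResult.INVALID;
        }
        return ValidationResult.VALID;
    }

    /**
     * Returns the requested AuthnContext URIs found in the static parameters of the validation context.
     *
     * <p>
     * The {@link #AUTHN_REQUEST_REQUESTED_AUTHNCONTEXTURIS} parameter is used if it is a non-empty collection.
     * Otherwise the URIs are read from the {@code RequestedAuthnContext} of the {@code "saml2.AuthnRequest"}
     * parameter, if that is present and holds class refs.
     * </p>
     *
     * @param validationContext
     *          the validation context
     * @return the requested URIs, never {@code null}; an empty collection means that the caller has nothing to
     *         compare the issued URI with
     * @throws ClassCastException
     *           if a parameter has an unexpected type
     */
    protected static Collection<String> getRequestedAuthnContextUris(ValidationContext validationContext) {
        // The parameter map stores plain objects, so the element type cannot be verified by the cast.
        @SuppressWarnings("unchecked")
        Collection<String> requested =
            (Collection<String>) validationContext.getStaticParameters().get(AUTHN_REQUEST_REQUESTED_AUTHNCONTEXTURIS);
        if (requested != null && !requested.isEmpty()) {
            return requested;
        }

        AuthnRequest authnRequest = (AuthnRequest) validationContext.getStaticParameters().get("saml2.AuthnRequest");
        if (authnRequest != null
                && authnRequest.getRequestedAuthnContext() != null
                && authnRequest.getRequestedAuthnContext().getAuthnContextClassRefs() != null
                && !authnRequest.getRequestedAuthnContext().getAuthnContextClassRefs().isEmpty()) {
            // Class refs without a URI are deliberately kept as null entries: the list then stays non-empty, so
            // the caller still performs the comparison instead of skipping it.
            return new ArrayList<>(authnRequest.getRequestedAuthnContext().getAuthnContextClassRefs().stream()
                .map(ref -> ref.getURI())
                .collect(Collectors.toList()));
        }
        return requested != null ? requested : Collections.<String>emptyList();
    }
}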
