package se.litsec.swedisheid.opensaml.saml2.validation;

import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.xmlsec.signature.support.SignaturePrevalidator;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import se.litsec.opensaml.saml2.common.response.ResponseValidator;

/* loaded from: input_file:se/litsec/swedisheid/opensaml/saml2/validation/SwedishEidResponseValidator.class */
/**
 * Response validator that layers two extra checks on top of {@link ResponseValidator}:
 * the {@code Response} must always be signed, and a response whose status is Success
 * must carry its assertion(s) in encrypted form.
 *
 * <p>This listing is decompiler output, so the parameter names and the layout are
 * those of the decompiler and not necessarily those of the original source.
 */
public class SwedishEidResponseValidator extends ResponseValidator {
    /** Per-instance logger, assigned once right after the superclass constructor has run. */
    private final Logger log = LoggerFactory.getLogger(SwedishEidResponseValidator.class);

    /**
     * Creates the validator.
     *
     * @param signatureTrustEngine trust engine handed to the superclass; must not be null
     * @param signaturePrevalidator signature pre-validator handed to the superclass; must not be null
     * @throws IllegalArgumentException if either argument is null
     */
    public SwedishEidResponseValidator(SignatureTrustEngine signatureTrustEngine, SignaturePrevalidator signaturePrevalidator) throws IllegalArgumentException {
        super(signatureTrustEngine, signaturePrevalidator);
        // The checks run after super(...), so the superclass constructor is the first
        // code to see a null argument. The trust engine is checked first, which decides
        // the message when both arguments are null.
        if (signatureTrustEngine == null) {
            throw new IllegalArgumentException("trustEngine must not be null");
        }
        if (signaturePrevalidator == null) {
            throw new IllegalArgumentException("signaturePrevalidator must not be null");
        }
    }

    /**
     * Requires the response to be signed and, when it is, delegates to
     * {@code performSignatureValidation}.
     *
     * <p>The static parameter {@code saml2.SignatureRequired} is read only to emit a
     * warning when it is explicitly {@code false}; it cannot switch the check off.
     *
     * <p>The decompiler reports that the access modifier of this method was changed
     * from {@code protected}.
     *
     * @param response the response under validation
     * @param validationContext context whose static parameters are read and whose failure
     *     message is set when the response is unsigned
     * @return the result of the signature validation, or {@link ValidationResult#INVALID}
     *     for an unsigned response
     */
    public ValidationResult validateSignature(Response response, ValidationContext validationContext) {
        // The cast is kept on purpose: a non-Boolean value stored under this key raises a
        // ClassCastException here instead of being silently ignored.
        final Boolean signatureRequired = (Boolean) validationContext.getStaticParameters().get("saml2.SignatureRequired");
        if (Boolean.FALSE.equals(signatureRequired)) {
            // NOTE(review): the message says "Setting flag to true", but nothing in this
            // method writes to the context. The requirement is enforced by the isSigned()
            // check below; any other code that reads the parameter still sees false.
            this.log.warn("The flag CoreValidatorParameters.SIGNATURE_REQUIRED is false - signature validation MUST be performed according to the Swedish eID Framework - Setting flag to true");
        }
        if (!response.isSigned()) {
            // Fail closed: an unsigned response is rejected whatever the caller configured.
            validationContext.setValidationFailureMessage(String.format("%s was required to be signed, but was not", getObjectName()));
            return ValidationResult.INVALID;
        }
        return performSignatureValidation(response, validationContext);
    }

    /**
     * Runs the superclass assertion checks and then, for a response whose status code is
     * Success, requires at least one {@code EncryptedAssertion}.
     *
     * <p>More than one {@code EncryptedAssertion}, or any plaintext {@code Assertion}, is
     * rejected only when {@code isStrictValidation} returns true; otherwise it is logged
     * at warn level and the response is still reported as valid.
     *
     * @param response the response under validation
     * @param validationContext context that receives the failure message on rejection
     * @return the superclass result when it is not VALID, otherwise VALID or INVALID
     *     according to the checks above
     */
    public ValidationResult validateAssertions(Response response, ValidationContext validationContext) {
        final ValidationResult inherited = super.validateAssertions(response, validationContext);
        if (!inherited.equals(ValidationResult.VALID)) {
            return inherited;
        }
        // NOTE(review): getStatus() and getStatusCode() are dereferenced without a null
        // check; presumably the status is validated before this method is reached - confirm.
        final boolean success = "urn:oasis:names:tc:SAML:2.0:status:Success".equals(response.getStatus().getStatusCode().getValue());
        if (!success) {
            // A non-success response is not required to carry assertions.
            return ValidationResult.VALID;
        }
        if (response.getEncryptedAssertions().isEmpty()) {
            validationContext.setValidationFailureMessage("Response does not contain EncryptedAssertion");
            return ValidationResult.INVALID;
        }
        if (response.getEncryptedAssertions().size() > 1
                && failsStrictOrWarns(validationContext, "Response contains more than one EncryptedAssertion")) {
            return ValidationResult.INVALID;
        }
        // NOTE(review): outside strict mode a response that carries plaintext assertions
        // next to the encrypted one is accepted. The consumer of a VALID result should
        // select the assertion it processes explicitly - verify against the caller.
        if (!response.getAssertions().isEmpty()
                && failsStrictOrWarns(validationContext, "Response contains non encrypted Assertion(s)")) {
            return ValidationResult.INVALID;
        }
        return ValidationResult.VALID;
    }

    /**
     * Applies the strict-or-lenient policy to one finding: in strict mode the message is
     * recorded as the validation failure, otherwise it is only logged as a warning.
     *
     * @param validationContext context consulted for strict mode and updated on failure
     * @param message text used both as failure message and as log message
     * @return true when the finding must fail validation, false when it was only logged
     */
    private boolean failsStrictOrWarns(ValidationContext validationContext, String message) {
        if (isStrictValidation(validationContext)) {
            validationContext.setValidationFailureMessage(message);
            return true;
        }
        this.log.warn(message);
        return false;
    }
}
