package se.litsec.swedisheid.opensaml.saml2.validation;

import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.assertion.ConditionValidator;
import org.opensaml.saml.saml2.assertion.StatementValidator;
import org.opensaml.saml.saml2.assertion.SubjectConfirmationValidator;
import org.opensaml.saml.saml2.assertion.impl.AudienceRestrictionConditionValidator;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.xmlsec.signature.support.SignaturePrevalidator;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import se.litsec.opensaml.saml2.common.assertion.AssertionValidator;

/* loaded from: input_file:se/litsec/swedisheid/opensaml/saml2/validation/SwedishEidAssertionValidator.class */
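/**
 * Assertion validator that adds the Swedish eID profile requirements on top of the generic
 * {@link AssertionValidator}.
 *
 * <p>Beyond what the superclass checks, an assertion is rejected unless:
 * <ul>
 *   <li>its {@code Subject} carries a {@code NameID} with a value and (under strict validation)
 *       the {@code persistent} or {@code transient} format,</li>
 *   <li>at least one {@code SubjectConfirmation} uses the {@code bearer} method,</li>
 *   <li>{@code Conditions} carries both {@code NotBefore} and {@code NotOnOrAfter} and at least one
 *       {@code AudienceRestriction}, and</li>
 *   <li>both an {@code AuthnStatement} and an {@code AttributeStatement} are present.</li>
 * </ul>
 * Each check that fails records a failure message on the {@link ValidationContext} and returns
 * {@link ValidationResult#INVALID}; only when all structural checks pass is the corresponding
 * superclass method invoked.
 *
 * <p>Under non-strict validation, NameID format problems are logged at WARN level instead of
 * failing the assertion. {@code isStrictValidation} is inherited (presumably from
 * {@code AssertionValidator}); its exact semantics are not visible here.
 */
public class SwedishEidAssertionValidator extends AssertionValidator {

    /** NameID format accepted in the Subject: persistent identifier. */
    private static final String NAMEID_FORMAT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";

    /** NameID format accepted in the Subject: transient identifier. */
    private static final String NAMEID_FORMAT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient";

    /** The only SubjectConfirmation method this validator accepts. */
    private static final String CONFIRMATION_METHOD_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer";

    private static final Logger log = LoggerFactory.getLogger(SwedishEidAssertionValidator.class);

    /**
     * Creates a validator with the default Swedish eID sub-validators: a
     * {@code SwedishEidSubjectConfirmationValidator}, an {@link AudienceRestrictionConditionValidator},
     * a {@code SwedishEidAuthnStatementValidator} and a {@code SwedishEidAttributeStatementValidator}.
     *
     * @param signatureTrustEngine the trust engine used to verify the assertion signature
     * @param signaturePrevalidator the pre-validator applied to the signature before verification
     */
    public SwedishEidAssertionValidator(SignatureTrustEngine signatureTrustEngine, SignaturePrevalidator signaturePrevalidator) {
        this(signatureTrustEngine,
            signaturePrevalidator,
            Arrays.<SubjectConfirmationValidator>asList(new SwedishEidSubjectConfirmationValidator()),
            Arrays.<ConditionValidator>asList(new AudienceRestrictionConditionValidator()),
            Arrays.<StatementValidator>asList(new SwedishEidAuthnStatementValidator(), new SwedishEidAttributeStatementValidator()));
    }

    /**
     * Creates a validator with caller-supplied sub-validators; all arguments are passed straight
     * to the {@link AssertionValidator} constructor.
     *
     * @param signatureTrustEngine the trust engine used to verify the assertion signature
     * @param signaturePrevalidator the pre-validator applied to the signature before verification
     * @param subjectConfirmationValidators validators for the SubjectConfirmation elements
     * @param conditionValidators validators for the Conditions element
     * @param statementValidators validators for the assertion statements
     */
    public SwedishEidAssertionValidator(SignatureTrustEngine signatureTrustEngine, SignaturePrevalidator signaturePrevalidator,
            Collection<SubjectConfirmationValidator> subjectConfirmationValidators, Collection<ConditionValidator> conditionValidators,
            Collection<StatementValidator> statementValidators) {
        super(signatureTrustEngine, signaturePrevalidator, subjectConfirmationValidators, conditionValidators, statementValidators);
    }

    /**
     * Validates the Subject element: a NameID with a value and an acceptable format must be present,
     * and at least one SubjectConfirmation must use the bearer method. Only then is the superclass
     * validation (which is expected to run the configured SubjectConfirmationValidators) invoked.
     *
     * @param assertion the assertion being validated
     * @param validationContext the validation context that receives failure messages
     * @return {@link ValidationResult#INVALID} on a failed structural check, otherwise the superclass result
     */
    @Override
    protected ValidationResult validateSubject(Assertion assertion, ValidationContext validationContext) {
        if (assertion.getSubject() == null) {
            validationContext.setValidationFailureMessage("Missing Subject element in Assertion");
            return ValidationResult.INVALID;
        }
        if (assertion.getSubject().getNameID() == null) {
            validationContext.setValidationFailureMessage("Missing NameID in Subject element of Assertion");
            return ValidationResult.INVALID;
        }
        if (assertion.getSubject().getNameID().getValue() == null) {
            validationContext.setValidationFailureMessage("Missing NameID value in Subject element of Assertion");
            return ValidationResult.INVALID;
        }

        // A wrong or missing Format is fatal only under strict validation; otherwise it is logged.
        ValidationResult formatResult = validateNameIDFormat(assertion.getSubject().getNameID().getFormat(), validationContext);
        if (formatResult != ValidationResult.VALID) {
            return formatResult;
        }

        List<SubjectConfirmation> subjectConfirmations = assertion.getSubject().getSubjectConfirmations();
        if (subjectConfirmations == null || subjectConfirmations.isEmpty()) {
            validationContext.setValidationFailureMessage("Assertion/@Subject element contains no SubjectConfirmation elements - invalid");
            return ValidationResult.INVALID;
        }
        // Only bearer confirmation is supported; any other method (or none) is rejected outright.
        if (!hasBearerConfirmation(subjectConfirmations)) {
            validationContext.setValidationFailureMessage(String.format(
                "No SubjectConfirmation with method '%s' is available under Assertion's Subject element", CONFIRMATION_METHOD_BEARER));
            return ValidationResult.INVALID;
        }
        return super.validateSubject(assertion, validationContext);
    }

    /**
     * Checks the NameID Format attribute. Persistent and transient are accepted. A missing or other
     * format fails the assertion under strict validation and is only logged otherwise.
     *
     * @param format the NameID Format attribute value, possibly {@code null}
     * @param validationContext the validation context that receives the failure message when strict
     * @return {@link ValidationResult#INVALID} when strict validation rejects the format, otherwise {@link ValidationResult#VALID}
     */
    private ValidationResult validateNameIDFormat(String format, ValidationContext validationContext) {
        final String message;
        if (format == null) {
            message = "NameID element of Assertion/@Subject is missing Format attribute";
        } else if (NAMEID_FORMAT_PERSISTENT.equals(format) || NAMEID_FORMAT_TRANSIENT.equals(format)) {
            return ValidationResult.VALID;
        } else {
            message = String.format("NameID format in Subject of Assertion is not valid (%s) - '%s' or '%s' is required",
                format, NAMEID_FORMAT_PERSISTENT, NAMEID_FORMAT_TRANSIENT);
        }
        if (isStrictValidation(validationContext)) {
            validationContext.setValidationFailureMessage(message);
            return ValidationResult.INVALID;
        }
        log.warn(message);
        return ValidationResult.VALID;
    }

    /**
     * Tells whether any of the given SubjectConfirmation elements uses the bearer method.
     *
     * @param subjectConfirmations the SubjectConfirmation elements of the Subject (non-null)
     * @return {@code true} if at least one element has the bearer method
     */
    private static boolean hasBearerConfirmation(List<SubjectConfirmation> subjectConfirmations) {
        for (SubjectConfirmation confirmation : subjectConfirmations) {
            if (CONFIRMATION_METHOD_BEARER.equals(confirmation.getMethod())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Validates the Conditions element: it must exist, bound the validity window with both
     * {@code NotBefore} and {@code NotOnOrAfter}, and carry at least one AudienceRestriction.
     * Only then is the superclass validation invoked.
     *
     * @param assertion the assertion being validated
     * @param validationContext the validation context that receives failure messages
     * @return {@link ValidationResult#INVALID} on a failed structural check, otherwise the superclass result
     */
    @Override
    protected ValidationResult validateConditions(Assertion assertion, ValidationContext validationContext) {
        if (assertion.getConditions() == null) {
            validationContext.setValidationFailureMessage("Missing Conditions element in Assertion");
            return ValidationResult.INVALID;
        }
        // Both ends of the validity window are mandatory; the actual time comparison is left to the superclass.
        if (assertion.getConditions().getNotBefore() == null) {
            validationContext.setValidationFailureMessage("Missing NotBefore attribute of Conditions element in Assertion");
            return ValidationResult.INVALID;
        }
        if (assertion.getConditions().getNotOnOrAfter() == null) {
            validationContext.setValidationFailureMessage("Missing NotOnOrAfter attribute of Conditions element in Assertion");
            return ValidationResult.INVALID;
        }
        // Guarded against null as well as empty, consistent with the statement checks below.
        if (assertion.getConditions().getAudienceRestrictions() == null || assertion.getConditions().getAudienceRestrictions().isEmpty()) {
            validationContext.setValidationFailureMessage("Missing AudienceRestriction element of Conditions element in Assertion");
            return ValidationResult.INVALID;
        }
        return super.validateConditions(assertion, validationContext);
    }

    /**
     * Validates the statements: at least one AuthnStatement and one AttributeStatement must be
     * present before the superclass validation is invoked.
     *
     * @param assertion the assertion being validated
     * @param validationContext the validation context that receives failure messages
     * @return {@link ValidationResult#INVALID} when a required statement is missing, otherwise the superclass result
     */
    @Override
    protected ValidationResult validateStatements(Assertion assertion, ValidationContext validationContext) {
        if (assertion.getAuthnStatements() == null || assertion.getAuthnStatements().isEmpty()) {
            validationContext.setValidationFailureMessage("No AuthnStatement in Assertion");
            return ValidationResult.INVALID;
        }
        if (assertion.getAttributeStatements() == null || assertion.getAttributeStatements().isEmpty()) {
            validationContext.setValidationFailureMessage("No AttributeStatement in Assertion");
            return ValidationResult.INVALID;
        }
        return super.validateStatements(assertion, validationContext);
    }
}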
