package org.opensaml.saml.saml2.assertion;

import java.util.Collection;
import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.xml.namespace.QName;
import net.shibboleth.utilities.java.support.collection.LazyMap;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.xml.SerializeSupport;
import org.joda.time.Chronology;
import org.joda.time.DateTime;
import org.joda.time.chrono.ISOChronology;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.common.assertion.AssertionValidationException;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Condition;
import org.opensaml.saml.saml2.core.Conditions;
import org.opensaml.saml.saml2.core.Statement;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignaturePrevalidator;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:lib/ehealth_connector-fatjar-ch-1.7.0-201909.jar:org/opensaml/saml/saml2/assertion/SAML20AssertionValidator.class */
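/**
 * Validator for SAML 2.0 {@link Assertion} instances.
 *
 * <p>Validation runs in a fixed order — SAML version, signature, Conditions (time bounds first, then
 * each Condition through its registered {@link ConditionValidator}), SubjectConfirmation (through the
 * registered {@link SubjectConfirmationValidator}s) and finally Statements (through the registered
 * {@link StatementValidator}s) — and stops at the first step that does not return
 * {@link ValidationResult#VALID}. Every failing step records a human-readable reason with
 * {@link ValidationContext#setValidationFailureMessage(String)}.</p>
 *
 * <p>An instance does not modify its own state after construction; whether it may be used
 * concurrently depends on the supplied validators, trust engine and prevalidator.</p>
 */
public class SAML20AssertionValidator {

    /** Default clock skew in milliseconds (5 minutes), used when no usable CLOCK_SKEW parameter is supplied. */
    public static final long DEFAULT_CLOCK_SKEW = 300000;

    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(SAML20AssertionValidator.class);

    /** Condition validators keyed by the QName each one reports via {@code getServicedCondition()}. */
    private final LazyMap<QName, ConditionValidator> conditionValidators = new LazyMap<>();

    /** SubjectConfirmation validators keyed by the method URI each one reports via {@code getServicedMethod()}. */
    private final LazyMap<String, SubjectConfirmationValidator> subjectConfirmationValidators = new LazyMap<>();

    /** Statement validators keyed by the QName each one reports via {@code getServicedStatement()}. */
    private final LazyMap<QName, StatementValidator> statementValidators = new LazyMap<>();

    /** Trust engine used to evaluate the assertion signature; may be null, in which case signed assertions cannot be evaluated. */
    private final SignatureTrustEngine trustEngine;

    /** Prevalidator run over the signature before the trust engine; may be null, in which case signed assertions cannot be evaluated. */
    private final SignaturePrevalidator signaturePrevalidator;

    /**
     * Constructor.
     *
     * <p>Null collections and null elements inside them are ignored. When two validators in the same
     * collection service the same key, the later one replaces the earlier one.</p>
     *
     * @param conditionValidators validators for Condition elements, may be null
     * @param subjectConfirmationValidators validators for SubjectConfirmation elements, may be null
     * @param statementValidators validators for Statement elements, may be null
     * @param signatureTrustEngine trust engine used to validate the assertion signature, may be null
     * @param signaturePrevalidator prevalidator applied to the signature before the trust engine, may be null
     */
    public SAML20AssertionValidator(@Nullable final Collection<ConditionValidator> conditionValidators,
            @Nullable final Collection<SubjectConfirmationValidator> subjectConfirmationValidators,
            @Nullable final Collection<StatementValidator> statementValidators,
            @Nullable final SignatureTrustEngine signatureTrustEngine,
            @Nullable final SignaturePrevalidator signaturePrevalidator) {
        if (conditionValidators != null) {
            for (final ConditionValidator validator : conditionValidators) {
                if (validator != null) {
                    this.conditionValidators.put(validator.getServicedCondition(), validator);
                }
            }
        }
        if (subjectConfirmationValidators != null) {
            for (final SubjectConfirmationValidator validator : subjectConfirmationValidators) {
                if (validator != null) {
                    this.subjectConfirmationValidators.put(validator.getServicedMethod(), validator);
                }
            }
        }
        if (statementValidators != null) {
            for (final StatementValidator validator : statementValidators) {
                if (validator != null) {
                    this.statementValidators.put(validator.getServicedStatement(), validator);
                }
            }
        }
        this.trustEngine = signatureTrustEngine;
        this.signaturePrevalidator = signaturePrevalidator;
    }

    /**
     * Gets the clock skew, in milliseconds, to apply when evaluating time-based conditions.
     *
     * <p>The value comes from the {@code CLOCK_SKEW} static parameter of the context. A missing,
     * null, non-{@link Long} or non-positive parameter yields {@link #DEFAULT_CLOCK_SKEW}.</p>
     *
     * @param validationContext the current validation context
     * @return the clock skew in milliseconds, always at least 1
     */
    public static long getClockSkew(@Nonnull final ValidationContext validationContext) {
        final Object configured =
                validationContext.getStaticParameters().get(SAML2AssertionValidationParameters.CLOCK_SKEW);
        // Type-check instead of casting so that a null or mistyped parameter degrades to the default
        // rather than throwing out of the validator.
        if (configured instanceof Long) {
            final long skew = ((Long) configured).longValue();
            if (skew >= 1) {
                return skew;
            }
        }
        return DEFAULT_CLOCK_SKEW;
    }

    /**
     * Validates the assertion, running each validation phase in order and stopping at the first
     * that is not {@link ValidationResult#VALID}.
     *
     * @param assertion the assertion to validate
     * @param validationContext the validation context carrying static and dynamic parameters
     * @return the result of the first phase that did not succeed, or {@link ValidationResult#VALID}
     * @throws AssertionValidationException if a validation phase throws
     */
    @Nonnull
    public ValidationResult validate(@Nonnull final Assertion assertion,
            @Nonnull final ValidationContext validationContext) throws AssertionValidationException {
        log(assertion, validationContext);

        final ValidationResult versionResult = validateVersion(assertion, validationContext);
        if (versionResult != ValidationResult.VALID) {
            return versionResult;
        }
        final ValidationResult signatureResult = validateSignature(assertion, validationContext);
        if (signatureResult != ValidationResult.VALID) {
            return signatureResult;
        }
        final ValidationResult conditionsResult = validateConditions(assertion, validationContext);
        if (conditionsResult != ValidationResult.VALID) {
            return conditionsResult;
        }
        final ValidationResult subjectConfirmationResult = validateSubjectConfirmation(assertion, validationContext);
        if (subjectConfirmationResult != ValidationResult.VALID) {
            return subjectConfirmationResult;
        }
        return validateStatements(assertion, validationContext);
    }

    /**
     * Logs the assertion being validated and the context parameters at TRACE level.
     *
     * <p>Marshalling failures are logged and otherwise ignored: logging must never affect the
     * validation outcome.</p>
     *
     * @param assertion the assertion being validated
     * @param validationContext the current validation context
     */
    protected void log(@Nonnull final Assertion assertion, @Nonnull final ValidationContext validationContext) {
        if (!this.log.isTraceEnabled()) {
            return;
        }
        try {
            this.log.trace("SAML 2 Assertion being validated:\n{}",
                    SerializeSupport.prettyPrintXML(XMLObjectSupport.marshall(assertion)));
        } catch (final MarshallingException e) {
            this.log.error("Unable to marshall SAML 2 Assertion for logging purposes", e);
        }
        this.log.trace("SAML 2 Assertion ValidationContext - static parameters: {}",
                validationContext.getStaticParameters());
        this.log.trace("SAML 2 Assertion ValidationContext - dynamic parameters: {}",
                validationContext.getDynamicParameters());
    }

    /**
     * Checks that the assertion declares SAML version 2.0.
     *
     * @param assertion the assertion being validated
     * @param validationContext the current validation context
     * @return {@link ValidationResult#VALID} for version 2.0, otherwise {@link ValidationResult#INVALID}
     * @throws AssertionValidationException never thrown by this implementation; declared for subclasses
     */
    @Nonnull
    protected ValidationResult validateVersion(@Nonnull final Assertion assertion,
            @Nonnull final ValidationContext validationContext) throws AssertionValidationException {
        if (assertion.getVersion() == SAMLVersion.VERSION_20) {
            return ValidationResult.VALID;
        }
        validationContext.setValidationFailureMessage(
                String.format("Assertion '%s' is not a SAML 2.0 version Assertion", assertion.getID()));
        return ValidationResult.INVALID;
    }

    /**
     * Validates the assertion signature, or the absence of one.
     *
     * <p>A signed assertion is evaluated via {@link #performSignatureValidation}; without a trust
     * engine it cannot be evaluated and the result is {@link ValidationResult#INDETERMINATE}. An
     * unsigned assertion is {@link ValidationResult#INVALID} unless the {@code SIGNATURE_REQUIRED}
     * static parameter is explicitly {@link Boolean#FALSE}.</p>
     *
     * @param assertion the assertion being validated
     * @param validationContext the current validation context
     * @return the signature validation result
     * @throws AssertionValidationException if signature evaluation throws
     */
    @Nonnull
    protected ValidationResult validateSignature(@Nonnull final Assertion assertion,
            @Nonnull final ValidationContext validationContext) throws AssertionValidationException {
        if (assertion.isSigned()) {
            if (this.trustEngine == null) {
                this.log.warn("Signature validation was necessary, but no signature trust engine was available");
                validationContext.setValidationFailureMessage(
                        "Assertion signature could not be evaluated due to internal error");
                return ValidationResult.INDETERMINATE;
            }
            return performSignatureValidation(assertion, validationContext);
        }

        if (isSignatureRequired(validationContext)) {
            validationContext.setValidationFailureMessage("Assertion was required to be signed, but was not");
            return ValidationResult.INVALID;
        }
        this.log.debug("Assertion was not required to be signed, and was not signed.  Skipping further signature evaluation");
        return ValidationResult.VALID;
    }

    /**
     * Reads the {@code SIGNATURE_REQUIRED} static parameter.
     *
     * @param validationContext the current validation context
     * @return false only when the parameter is explicitly {@link Boolean#FALSE}; a missing, null or
     *         non-Boolean value is treated as "required" so misconfiguration fails safe
     */
    private static boolean isSignatureRequired(@Nonnull final ValidationContext validationContext) {
        final Object configured =
                validationContext.getStaticParameters().get(SAML2AssertionValidationParameters.SIGNATURE_REQUIRED);
        return !(configured instanceof Boolean) || ((Boolean) configured).booleanValue();
    }

    /**
     * Runs the signature prevalidator and then the trust engine over the assertion signature.
     *
     * <p>Both collaborators may be null from the constructor. A missing prevalidator is handled the
     * same way as a missing trust engine — {@link ValidationResult#INDETERMINATE} with an internal
     * error message — rather than skipping that step or failing with a NullPointerException.</p>
     *
     * @param assertion the assertion being validated; expected to be signed
     * @param validationContext the current validation context
     * @return {@link ValidationResult#VALID} if the signature is trusted; {@link ValidationResult#INVALID}
     *         if prevalidation or trust evaluation rejects it; {@link ValidationResult#INDETERMINATE}
     *         if evaluation could not be completed
     * @throws AssertionValidationException never thrown by this implementation; declared for subclasses
     */
    @Nonnull
    protected ValidationResult performSignatureValidation(@Nonnull final Assertion assertion,
            @Nonnull final ValidationContext validationContext) throws AssertionValidationException {
        final Signature signature = assertion.getSignature();
        final String issuer = assertion.getIssuer() != null ? assertion.getIssuer().getValue() : null;

        this.log.debug("Attempting signature validation on Assertion '{}' from Issuer '{}'", assertion.getID(), issuer);

        if (this.signaturePrevalidator == null) {
            // Fail closed, mirroring the missing-trust-engine case: an unprevalidated signature is not
            // reported as valid, but it is also not reported as cryptographically invalid.
            this.log.warn("Signature pre-validation was necessary, but no signature prevalidator was available");
            validationContext.setValidationFailureMessage(
                    "Assertion signature could not be evaluated due to internal error");
            return ValidationResult.INDETERMINATE;
        }

        try {
            this.signaturePrevalidator.validate(signature);
        } catch (final SignatureException e) {
            final String msg = String.format("Assertion Signature failed pre-validation: %s", e.getMessage());
            this.log.warn(msg);
            validationContext.setValidationFailureMessage(msg);
            return ValidationResult.INVALID;
        }

        try {
            if (this.trustEngine.validate(signature, getSignatureValidationCriteriaSet(assertion, validationContext))) {
                this.log.debug("Validation of signature of Assertion '{}' from Issuer '{}' was successful",
                        assertion.getID(), issuer);
                return ValidationResult.VALID;
            }
            final String msg = String.format("Signature of Assertion '%s' from Issuer '%s' was not valid",
                    assertion.getID(), issuer);
            this.log.warn(msg);
            validationContext.setValidationFailureMessage(msg);
            return ValidationResult.INVALID;
        } catch (final SecurityException e) {
            // The trust engine could not reach a verdict; this is distinct from "signature is wrong".
            final String msg = String.format(
                    "A problem was encountered evaluating the signature over Assertion with ID '%s': %s",
                    assertion.getID(), e.getMessage());
            this.log.warn(msg);
            validationContext.setValidationFailureMessage(msg);
            return ValidationResult.INDETERMINATE;
        }
    }

    /**
     * Builds the criteria set handed to the trust engine.
     *
     * <p>Starts from the {@code SIGNATURE_VALIDATION_CRITERIA_SET} static parameter (a new, empty set
     * if absent) and adds an {@link EntityIdCriterion} for the assertion Issuer and a
     * {@link UsageCriterion} of {@link UsageType#SIGNING} unless criteria of those types are
     * already present. Note that a supplied set is modified in place.</p>
     *
     * @param assertion the assertion being validated
     * @param validationContext the current validation context
     * @return the criteria set to use for trust evaluation
     */
    @Nonnull
    protected CriteriaSet getSignatureValidationCriteriaSet(@Nonnull final Assertion assertion,
            @Nonnull final ValidationContext validationContext) {
        CriteriaSet criteria = (CriteriaSet) validationContext.getStaticParameters()
                .get(SAML2AssertionValidationParameters.SIGNATURE_VALIDATION_CRITERIA_SET);
        if (criteria == null) {
            criteria = new CriteriaSet();
        }

        if (!criteria.contains(EntityIdCriterion.class)) {
            final String issuer = assertion.getIssuer() != null
                    ? StringSupport.trimOrNull(assertion.getIssuer().getValue())
                    : null;
            // Without an Issuer no entity ID criterion is added; the trust engine then evaluates
            // with whatever criteria were supplied.
            if (issuer != null) {
                criteria.add(new EntityIdCriterion(issuer));
            }
        }

        if (!criteria.contains(UsageCriterion.class)) {
            criteria.add(new UsageCriterion(UsageType.SIGNING));
        }
        return criteria;
    }

    /**
     * Validates the assertion Conditions element: first its NotBefore/NotOnOrAfter bounds, then
     * every child Condition through a registered {@link ConditionValidator}.
     *
     * <p>A Condition with no registered validator cannot be enforced, so the result is
     * {@link ValidationResult#INDETERMINATE}; the assertion is not accepted with an unevaluated
     * condition. An absent Conditions element is treated as valid.</p>
     *
     * @param assertion the assertion being validated
     * @param validationContext the current validation context
     * @return the conditions validation result
     * @throws AssertionValidationException if a condition validator throws
     */
    @Nonnull
    protected ValidationResult validateConditions(@Nonnull final Assertion assertion,
            @Nonnull final ValidationContext validationContext) throws AssertionValidationException {
        final Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            this.log.debug("Assertion contained no Conditions element");
            return ValidationResult.VALID;
        }

        final ValidationResult timeBoundsResult = validateConditionsTimeBounds(assertion, validationContext);
        if (timeBoundsResult != ValidationResult.VALID) {
            return timeBoundsResult;
        }

        for (final Condition condition : conditions.getConditions()) {
            final ConditionValidator validator = lookupConditionValidator(condition);
            if (validator == null) {
                final String msg = String.format("Unknown Condition '%s' of type '%s' in assertion '%s'",
                        condition.getElementQName(), condition.getSchemaType(), assertion.getID());
                this.log.debug(msg);
                validationContext.setValidationFailureMessage(msg);
                return ValidationResult.INDETERMINATE;
            }
            if (validator.validate(condition, assertion, validationContext) != ValidationResult.VALID) {
                // Any non-VALID verdict from a condition validator makes the assertion INVALID; the
                // validator's own failure message, if it set one, is appended for context.
                String msg = String.format("Condition '%s' of type '%s' in assertion '%s' was not valid.",
                        condition.getElementQName(), condition.getSchemaType(), assertion.getID());
                if (validationContext.getValidationFailureMessage() != null) {
                    msg = msg + ": " + validationContext.getValidationFailureMessage();
                }
                this.log.debug(msg);
                validationContext.setValidationFailureMessage(msg);
                return ValidationResult.INVALID;
            }
        }
        return ValidationResult.VALID;
    }

    /**
     * Finds the validator for a Condition: first by element QName, then by schema type.
     *
     * @param condition the condition to look up
     * @return the matching validator, or null if none is registered
     */
    @Nullable
    private ConditionValidator lookupConditionValidator(@Nonnull final Condition condition) {
        final ConditionValidator byElement = this.conditionValidators.get(condition.getElementQName());
        if (byElement != null || condition.getSchemaType() == null) {
            return byElement;
        }
        return this.conditionValidators.get(condition.getSchemaType());
    }

    /**
     * Checks the Conditions NotBefore and NotOnOrAfter attributes against the current UTC time,
     * widened by the configured clock skew.
     *
     * <p>NotBefore fails only if it is after {@code now + skew}; NotOnOrAfter fails only if it is
     * strictly before {@code now - skew}, so an instant exactly equal to {@code now - skew} is still
     * accepted. A missing attribute imposes no bound.</p>
     *
     * @param assertion the assertion being validated
     * @param validationContext the current validation context
     * @return {@link ValidationResult#VALID} if within bounds, otherwise {@link ValidationResult#INVALID}
     * @throws AssertionValidationException never thrown by this implementation; declared for subclasses
     */
    @Nonnull
    protected ValidationResult validateConditionsTimeBounds(@Nonnull final Assertion assertion,
            @Nonnull final ValidationContext validationContext) throws AssertionValidationException {
        final Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            return ValidationResult.VALID;
        }

        final DateTime now = new DateTime(ISOChronology.getInstanceUTC());
        final long clockSkew = getClockSkew(validationContext);
        final DateTime latestNow = now.plus(clockSkew);
        final DateTime earliestNow = now.minus(clockSkew);

        final DateTime notBefore = conditions.getNotBefore();
        this.log.debug("Evaluating Conditions NotBefore '{}' against 'skewed now' time '{}'", notBefore, latestNow);
        if (notBefore != null && notBefore.isAfter(latestNow)) {
            validationContext.setValidationFailureMessage(String.format(
                    "Assertion '%s' with NotBefore condition of '%s' is not yet valid", assertion.getID(), notBefore));
            return ValidationResult.INVALID;
        }

        final DateTime notOnOrAfter = conditions.getNotOnOrAfter();
        this.log.debug("Evaluating Conditions NotOnOrAfter '{}' against 'skewed now' time '{}'",
                notOnOrAfter, earliestNow);
        if (notOnOrAfter != null && notOnOrAfter.isBefore(earliestNow)) {
            validationContext.setValidationFailureMessage(String.format(
                    "Assertion '%s' with NotOnOrAfter condition of '%s' is no longer valid",
                    assertion.getID(), notOnOrAfter));
            return ValidationResult.INVALID;
        }
        return ValidationResult.VALID;
    }

    /**
     * Validates the assertion Subject by confirming at least one of its SubjectConfirmations.
     *
     * <p>Each SubjectConfirmation is offered to the validator registered for its Method; the first
     * one confirmed is stored in the dynamic parameters under
     * {@code CONFIRMED_SUBJECT_CONFIRMATION} and the result is {@link ValidationResult#VALID}.
     * Confirmations without a registered validator are skipped, and a validator that throws is
     * logged and skipped. If none is confirmed the result is {@link ValidationResult#INVALID}. An
     * assertion with no Subject or no SubjectConfirmations is treated as valid.</p>
     *
     * @param assertion the assertion being validated
     * @param validationContext the current validation context
     * @return the subject confirmation result
     * @throws AssertionValidationException never thrown by this implementation; declared for subclasses
     */
    @Nonnull
    protected ValidationResult validateSubjectConfirmation(@Nonnull final Assertion assertion,
            @Nonnull final ValidationContext validationContext) throws AssertionValidationException {
        final Subject subject = assertion.getSubject();
        if (subject == null) {
            this.log.debug("Assertion contains no Subject, skipping subject confirmation");
            return ValidationResult.VALID;
        }

        final List<SubjectConfirmation> confirmations = subject.getSubjectConfirmations();
        if (confirmations == null || confirmations.isEmpty()) {
            this.log.debug("Assertion contains no SubjectConfirmations, skipping subject confirmation");
            return ValidationResult.VALID;
        }

        this.log.debug("Assertion contains at least 1 SubjectConfirmation, proceeding with subject confirmation");
        for (final SubjectConfirmation confirmation : confirmations) {
            final SubjectConfirmationValidator validator = this.subjectConfirmationValidators.get(confirmation.getMethod());
            if (validator == null) {
                continue;
            }
            try {
                if (validator.validate(confirmation, assertion, validationContext) == ValidationResult.VALID) {
                    validationContext.getDynamicParameters()
                            .put(SAML2AssertionValidationParameters.CONFIRMED_SUBJECT_CONFIRMATION, confirmation);
                    return ValidationResult.VALID;
                }
            } catch (final AssertionValidationException e) {
                // One validator failing does not decide the outcome; the remaining confirmations may still succeed.
                this.log.warn("Error while executing subject confirmation validation " + validator.getClass().getName(), e);
            }
        }

        final String msg = String.format("No subject confirmation methods were met for assertion with ID '%s'",
                assertion.getID());
        this.log.debug(msg);
        validationContext.setValidationFailureMessage(msg);
        return ValidationResult.INVALID;
    }

    /**
     * Validates each Statement of the assertion through a registered {@link StatementValidator}.
     *
     * <p>Unlike Conditions, a Statement with no registered validator is skipped rather than
     * reported; the first non-VALID result from a validator is returned as-is.</p>
     *
     * @param assertion the assertion being validated
     * @param validationContext the current validation context
     * @return the statements validation result
     * @throws AssertionValidationException if a statement validator throws
     */
    @Nonnull
    protected ValidationResult validateStatements(@Nonnull final Assertion assertion,
            @Nonnull final ValidationContext validationContext) throws AssertionValidationException {
        final List<Statement> statements = assertion.getStatements();
        if (statements == null || statements.isEmpty()) {
            return ValidationResult.VALID;
        }

        for (final Statement statement : statements) {
            final StatementValidator validator = lookupStatementValidator(statement);
            if (validator == null) {
                continue;
            }
            final ValidationResult result = validator.validate(statement, assertion, validationContext);
            if (result != ValidationResult.VALID) {
                return result;
            }
        }
        return ValidationResult.VALID;
    }

    /**
     * Finds the validator for a Statement: first by element QName, then by schema type.
     *
     * @param statement the statement to look up
     * @return the matching validator, or null if none is registered
     */
    @Nullable
    private StatementValidator lookupStatementValidator(@Nonnull final Statement statement) {
        final StatementValidator byElement = this.statementValidators.get(statement.getElementQName());
        if (byElement != null || statement.getSchemaType() == null) {
            return byElement;
        }
        return this.statementValidators.get(statement.getSchemaType());
    }
}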
