package org.opensaml.saml.saml2.assertion.impl;

import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Objects;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.concurrent.ThreadSafe;
import net.shibboleth.utilities.java.support.primitive.ObjectSupport;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import org.opensaml.saml.common.assertion.AssertionValidationException;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.assertion.SAML20AssertionValidator;
import org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters;
import org.opensaml.saml.saml2.assertion.SubjectConfirmationValidator;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

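/**
 * Base class for {@link SubjectConfirmationValidator} implementations. It checks the attributes of
 * {@code SubjectConfirmationData} (NotBefore, NotOnOrAfter, Recipient, Address, InResponseTo) and
 * then hands over to the method-specific {@link #doValidate}.
 *
 * <p>Security notes for deployers:</p>
 * <ul>
 *   <li>Every "required" flag defaults to {@code false}. With the defaults, an assertion that simply
 *       omits Recipient, NotOnOrAfter or InResponseTo passes these checks. Callers validating bearer
 *       assertions for browser SSO will normally want to set
 *       {@code SC_RECIPIENT_REQUIRED} and {@code SC_NOT_ON_OR_AFTER_REQUIRED} (and
 *       {@code SC_IN_RESPONSE_TO_REQUIRED} for SP-initiated flows) to {@code true}.</li>
 *   <li>{@link ValidationResult#INDETERMINATE} is returned when the expected values are missing or
 *       of the wrong type in the validation context; callers must treat it as "not valid".</li>
 *   <li>Nothing here verifies the assertion's signature or tracks assertion IDs for replay; these
 *       checks are only meaningful when integrity is established elsewhere.</li>
 * </ul>
 */
@ThreadSafe
/* loaded from: input_file:BOOT-INF/lib/opensaml-saml-impl-4.0.1.jar:org/opensaml/saml/saml2/assertion/impl/AbstractSubjectConfirmationValidator.class */
public abstract class AbstractSubjectConfirmationValidator implements SubjectConfirmationValidator {
    // final: the class is annotated @ThreadSafe and the logger is never reassigned.
    private final Logger log = LoggerFactory.getLogger(AbstractSubjectConfirmationValidator.class);

    /**
     * Validates the confirmation data attributes in the order NotBefore, NotOnOrAfter, Recipient,
     * Address, InResponseTo, returning the first result that is not {@code VALID}; when all pass,
     * the result of {@link #doValidate} is returned.
     *
     * <p>When {@code SubjectConfirmationData} is absent, the attribute checks are skipped. That is
     * only rejected if at least one attribute is configured as required; otherwise control goes
     * straight to {@link #doValidate}.</p>
     *
     * @param subjectConfirmation the subject confirmation being evaluated
     * @param assertion the assertion that carries the subject confirmation
     * @param validationContext source of the static validation parameters and sink for failure messages
     * @return the validation outcome
     * @throws AssertionValidationException if a delegated check fails with an error
     */
    @Override // org.opensaml.saml.saml2.assertion.SubjectConfirmationValidator
    @Nonnull
    public ValidationResult validate(@Nonnull SubjectConfirmation subjectConfirmation, @Nonnull Assertion assertion, @Nonnull ValidationContext validationContext) throws AssertionValidationException {
        final boolean addressRequired = isAddressRequired(validationContext);
        final boolean inResponseToRequired = isInResponseToRequired(validationContext);
        final boolean recipientRequired = isRecipientRequired(validationContext);
        final boolean notOnOrAfterRequired = isNotOnOrAfterRequired(validationContext);
        final boolean notBeforeRequired = isNotBeforeRequired(validationContext);

        if (subjectConfirmation.getSubjectConfirmationData() != null) {
            ValidationResult result = validateNotBefore(subjectConfirmation, assertion, validationContext, notBeforeRequired);
            if (result != ValidationResult.VALID) {
                return result;
            }
            result = validateNotOnOrAfter(subjectConfirmation, assertion, validationContext, notOnOrAfterRequired);
            if (result != ValidationResult.VALID) {
                return result;
            }
            result = validateRecipient(subjectConfirmation, assertion, validationContext, recipientRequired);
            if (result != ValidationResult.VALID) {
                return result;
            }
            result = validateAddress(subjectConfirmation, assertion, validationContext, addressRequired);
            if (result != ValidationResult.VALID) {
                return result;
            }
            result = validateInResponseTo(subjectConfirmation, assertion, validationContext, inResponseToRequired);
            if (result != ValidationResult.VALID) {
                return result;
            }
        } else if (inResponseToRequired || recipientRequired || notOnOrAfterRequired || notBeforeRequired || addressRequired) {
            log.warn("SubjectConfirmationData was null, and one or more data elements were required");
            validationContext.setValidationFailureMessage("SubjectConfirmationData was null and one or more data elements were required");
            return ValidationResult.INVALID;
        }
        return doValidate(subjectConfirmation, assertion, validationContext);
    }

    /**
     * Reads a Boolean "required" flag from the static parameters, treating an absent value as
     * {@code false}.
     *
     * <p>The cast is deliberately unchecked: a value of the wrong type raises
     * {@link ClassCastException} rather than being silently read as "not required".</p>
     *
     * @param validationContext the validation context holding the static parameters
     * @param parameterName name of the static parameter to read
     * @return the configured flag, or {@code false} when it is not set
     */
    private static boolean readRequiredFlag(ValidationContext validationContext, String parameterName) {
        final Boolean configured = (Boolean) validationContext.getStaticParameters().get(parameterName);
        return ObjectSupport.firstNonNull(configured, Boolean.FALSE);
    }

    /**
     * @param validationContext the validation context
     * @return whether SubjectConfirmationData/@Address must be present; {@code false} when unset
     */
    protected boolean isAddressRequired(ValidationContext validationContext) {
        return readRequiredFlag(validationContext, SAML2AssertionValidationParameters.SC_ADDRESS_REQUIRED);
    }

    /**
     * @param validationContext the validation context
     * @return whether SubjectConfirmationData/@Recipient must be present; {@code false} when unset
     */
    protected boolean isRecipientRequired(ValidationContext validationContext) {
        return readRequiredFlag(validationContext, SAML2AssertionValidationParameters.SC_RECIPIENT_REQUIRED);
    }

    /**
     * @param validationContext the validation context
     * @return whether SubjectConfirmationData/@NotBefore must be present; {@code false} when unset
     */
    protected boolean isNotBeforeRequired(ValidationContext validationContext) {
        return readRequiredFlag(validationContext, SAML2AssertionValidationParameters.SC_NOT_BEFORE_REQUIRED);
    }

    /**
     * @param validationContext the validation context
     * @return whether SubjectConfirmationData/@NotOnOrAfter must be present; {@code false} when unset
     */
    protected boolean isNotOnOrAfterRequired(ValidationContext validationContext) {
        return readRequiredFlag(validationContext, SAML2AssertionValidationParameters.SC_NOT_ON_OR_AFTER_REQUIRED);
    }

    /**
     * @param validationContext the validation context
     * @return whether SubjectConfirmationData/@InResponseTo must be present; {@code false} when unset
     */
    protected boolean isInResponseToRequired(ValidationContext validationContext) {
        return readRequiredFlag(validationContext, SAML2AssertionValidationParameters.SC_IN_RESPONSE_TO_REQUIRED);
    }

    /**
     * Compares SubjectConfirmationData/@InResponseTo with the expected request ID held in
     * {@code SC_VALID_IN_RESPONSE_TO}.
     *
     * <p>An absent attribute is accepted unless {@code required} is set, so an unsolicited
     * assertion passes this check under the default configuration.</p>
     *
     * @param subjectConfirmation the subject confirmation; its confirmation data must be non-null
     * @param assertion the enclosing assertion, used for the failure message
     * @param validationContext the validation context
     * @param required whether a missing attribute is a failure
     * @return {@code VALID} on match or permitted absence, {@code INVALID} on mismatch or required
     *         absence, {@code INDETERMINATE} when the expected value is unavailable or not a String
     * @throws AssertionValidationException declared for overriding implementations
     */
    @Nonnull
    protected ValidationResult validateInResponseTo(@Nonnull SubjectConfirmation subjectConfirmation, @Nonnull Assertion assertion, @Nonnull ValidationContext validationContext, boolean required) throws AssertionValidationException {
        final String inResponseTo = StringSupport.trimOrNull(subjectConfirmation.getSubjectConfirmationData().getInResponseTo());
        if (inResponseTo == null) {
            if (!required) {
                return ValidationResult.VALID;
            }
            log.warn("SubjectConfirmationData/@InResponseTo was missing and was required");
            validationContext.setValidationFailureMessage("SubjectConfirmationData/@InResponseTo was missing and was required");
            return ValidationResult.INVALID;
        }
        // The value comes from the assertion; safe rendering of control characters is left to the
        // logging configuration.
        log.debug("Evaluating SubjectConfirmationData@InResponseTo of: {}", inResponseTo);
        try {
            final String expected = (String) validationContext.getStaticParameters().get(SAML2AssertionValidationParameters.SC_VALID_IN_RESPONSE_TO);
            if (expected == null) {
                log.warn("Valid InResponseTo was not available from the validation context, unable to evaluate SubjectConfirmationData@InResponseTo");
                validationContext.setValidationFailureMessage("Unable to determine valid subject confirmation InResponseTo");
                return ValidationResult.INDETERMINATE;
            }
            if (Objects.equals(inResponseTo, expected)) {
                log.debug("Matched valid InResponseTo: {}", inResponseTo);
                return ValidationResult.VALID;
            }
            log.debug("Failed to match SubjectConfirmationData@InResponse to the valid value: {}", expected);
            validationContext.setValidationFailureMessage(String.format("Subject confirmation InResponseTo for assertion '%s' did not match the valid value", assertion.getID()));
            return ValidationResult.INVALID;
        } catch (ClassCastException e) {
            log.warn("The value of the static validation parameter '{}' was not java.lang.String", SAML2AssertionValidationParameters.SC_VALID_IN_RESPONSE_TO);
            validationContext.setValidationFailureMessage("Unable to determine valid subject confirmation InResponseTo");
            return ValidationResult.INDETERMINATE;
        }
    }

    /**
     * Checks SubjectConfirmationData/@NotBefore against the current time plus the configured clock
     * skew. The skew widens the acceptance window, so it should be kept small.
     *
     * @param subjectConfirmation the subject confirmation; its confirmation data must be non-null
     * @param assertion the enclosing assertion, used for the failure message
     * @param validationContext the validation context
     * @param required whether a missing attribute is a failure
     * @return {@code VALID} when the attribute is not after "now + skew" or is permitted to be
     *         absent, otherwise {@code INVALID}
     * @throws AssertionValidationException declared for overriding implementations
     */
    @Nonnull
    protected ValidationResult validateNotBefore(@Nonnull SubjectConfirmation subjectConfirmation, @Nonnull Assertion assertion, @Nonnull ValidationContext validationContext, boolean required) throws AssertionValidationException {
        final Instant notBefore = subjectConfirmation.getSubjectConfirmationData().getNotBefore();
        if (notBefore == null) {
            if (!required) {
                return ValidationResult.VALID;
            }
            log.warn("SubjectConfirmationData/@NotBefore was missing and was required");
            validationContext.setValidationFailureMessage("SubjectConfirmationData/@NotBefore was missing and was required");
            return ValidationResult.INVALID;
        }
        final Instant skewedNow = Instant.now().plus(SAML20AssertionValidator.getClockSkew(validationContext));
        log.debug("Evaluating SubjectConfirmationData NotBefore '{}' against 'skewed now' time '{}'", notBefore, skewedNow);
        // notBefore is known to be non-null here, so only the time comparison remains.
        if (!notBefore.isAfter(skewedNow)) {
            return ValidationResult.VALID;
        }
        validationContext.setValidationFailureMessage(String.format("Subject confirmation, in assertion '%s', with NotBefore condition of '%s' is not yet valid", assertion.getID(), notBefore));
        return ValidationResult.INVALID;
    }

    /**
     * Checks SubjectConfirmationData/@NotOnOrAfter against the current time minus the configured
     * clock skew. The skew extends the lifetime of an expired confirmation, so it should be kept
     * small.
     *
     * <p>An absent attribute is accepted unless {@code required} is set, in which case the
     * confirmation has no expiry as far as this check is concerned.</p>
     *
     * @param subjectConfirmation the subject confirmation; its confirmation data must be non-null
     * @param assertion the enclosing assertion, used for the failure message
     * @param validationContext the validation context
     * @param required whether a missing attribute is a failure
     * @return {@code VALID} when the attribute is not before "now - skew" or is permitted to be
     *         absent, otherwise {@code INVALID}
     * @throws AssertionValidationException declared for overriding implementations
     */
    @Nonnull
    protected ValidationResult validateNotOnOrAfter(@Nonnull SubjectConfirmation subjectConfirmation, @Nonnull Assertion assertion, @Nonnull ValidationContext validationContext, boolean required) throws AssertionValidationException {
        final Instant notOnOrAfter = subjectConfirmation.getSubjectConfirmationData().getNotOnOrAfter();
        if (notOnOrAfter == null) {
            if (!required) {
                return ValidationResult.VALID;
            }
            log.warn("SubjectConfirmationData/@NotOnOrAfter was missing and was required");
            validationContext.setValidationFailureMessage("SubjectConfirmationData/@NotOnOrAfter was missing and was required");
            return ValidationResult.INVALID;
        }
        final Instant skewedNow = Instant.now().minus(SAML20AssertionValidator.getClockSkew(validationContext));
        log.debug("Evaluating SubjectConfirmationData NotOnOrAfter '{}' against 'skewed now' time '{}'", notOnOrAfter, skewedNow);
        // notOnOrAfter is known to be non-null here, so only the time comparison remains.
        if (!notOnOrAfter.isBefore(skewedNow)) {
            return ValidationResult.VALID;
        }
        validationContext.setValidationFailureMessage(String.format("Subject confirmation, in assertion '%s', with NotOnOrAfter condition of '%s' is no longer valid", assertion.getID(), notOnOrAfter));
        return ValidationResult.INVALID;
    }

    /**
     * Checks SubjectConfirmationData/@Recipient for membership in the set held in
     * {@code SC_VALID_RECIPIENTS}. The comparison is exact set membership on the trimmed value.
     *
     * <p>An absent attribute is accepted unless {@code required} is set, so under the default
     * configuration an assertion without a Recipient is not bound to this endpoint.</p>
     *
     * @param subjectConfirmation the subject confirmation; its confirmation data must be non-null
     * @param assertion the enclosing assertion, used for the failure message
     * @param validationContext the validation context
     * @param required whether a missing attribute is a failure
     * @return {@code VALID} on match or permitted absence, {@code INVALID} on mismatch or required
     *         absence, {@code INDETERMINATE} when the valid set is missing, empty or not a Set
     * @throws AssertionValidationException declared for overriding implementations
     */
    @Nonnull
    protected ValidationResult validateRecipient(@Nonnull SubjectConfirmation subjectConfirmation, @Nonnull Assertion assertion, @Nonnull ValidationContext validationContext, boolean required) throws AssertionValidationException {
        final String recipient = StringSupport.trimOrNull(subjectConfirmation.getSubjectConfirmationData().getRecipient());
        if (recipient == null) {
            if (!required) {
                return ValidationResult.VALID;
            }
            log.warn("SubjectConfirmationData/@Recipient was missing and was required");
            validationContext.setValidationFailureMessage("SubjectConfirmationData/@Recipient was missing and was required");
            return ValidationResult.INVALID;
        }
        // The value comes from the assertion; safe rendering of control characters is left to the
        // logging configuration.
        log.debug("Evaluating SubjectConfirmationData@Recipient of : {}", recipient);
        try {
            // Set<?> instead of a raw type; contains(Object) needs no element type.
            final Set<?> validRecipients = (Set<?>) validationContext.getStaticParameters().get(SAML2AssertionValidationParameters.SC_VALID_RECIPIENTS);
            if (validRecipients == null || validRecipients.isEmpty()) {
                log.warn("Set of valid recipient URI's was not available from the validation context, unable to evaluate SubjectConfirmationData@Recipient");
                validationContext.setValidationFailureMessage("Unable to determine list of valid subject confirmation recipient endpoints");
                return ValidationResult.INDETERMINATE;
            }
            if (validRecipients.contains(recipient)) {
                log.debug("Matched valid recipient: {}", recipient);
                return ValidationResult.VALID;
            }
            log.debug("Failed to match SubjectConfirmationData@Recipient to any supplied valid recipients: {}", validRecipients);
            validationContext.setValidationFailureMessage(String.format("Subject confirmation recipient for assertion '%s' did not match any valid recipients", assertion.getID()));
            return ValidationResult.INVALID;
        } catch (ClassCastException e) {
            log.warn("The value of the static validation parameter '{}' was not java.util.Set<String>", SAML2AssertionValidationParameters.SC_VALID_RECIPIENTS);
            validationContext.setValidationFailureMessage("Unable to determine list of valid subject confirmation recipient endpoints");
            return ValidationResult.INDETERMINATE;
        }
    }

    /**
     * Checks SubjectConfirmationData/@Address, delegating the comparison to
     * {@code AssertionValidationSupport.checkAddress} with the {@code SC_VALID_ADDRESSES} parameter.
     *
     * <p>The check runs unless {@code SC_CHECK_ADDRESS} is explicitly {@code false}; when disabled
     * the method returns {@code VALID} even if {@code required} is set. A non-Boolean
     * {@code SC_CHECK_ADDRESS} value raises {@link ClassCastException}, as the cast is not guarded
     * here.</p>
     *
     * @param subjectConfirmation the subject confirmation; its confirmation data must be non-null
     * @param assertion the enclosing assertion
     * @param validationContext the validation context
     * @param required whether a missing attribute is a failure
     * @return {@code VALID} when the check is disabled or absence is permitted, {@code INVALID} on
     *         required absence, otherwise the result of the delegated address check
     * @throws AssertionValidationException if the delegated address check fails with an error
     */
    @Nonnull
    protected ValidationResult validateAddress(@Nonnull SubjectConfirmation subjectConfirmation, @Nonnull Assertion assertion, @Nonnull ValidationContext validationContext, boolean required) throws AssertionValidationException {
        final Boolean checkEnabled = (Boolean) validationContext.getStaticParameters().get(SAML2AssertionValidationParameters.SC_CHECK_ADDRESS);
        if (checkEnabled != null && !checkEnabled) {
            log.debug("SubjectConfirmationData/@Address check is disabled, skipping");
            return ValidationResult.VALID;
        }
        final String address = StringSupport.trimOrNull(subjectConfirmation.getSubjectConfirmationData().getAddress());
        if (address != null) {
            return AssertionValidationSupport.checkAddress(validationContext, address, SAML2AssertionValidationParameters.SC_VALID_ADDRESSES, assertion, "SubjectConfirmationData/@Address");
        }
        if (!required) {
            return ValidationResult.VALID;
        }
        log.warn("SubjectConfirmationData/@Address was missing and was required");
        validationContext.setValidationFailureMessage("SubjectConfirmationData/@Address was missing and was required");
        return ValidationResult.INVALID;
    }

    /**
     * Performs the confirmation-method-specific validation. Called by {@link #validate} only after
     * the confirmation data checks have passed, or were skipped because no confirmation data was
     * present and none was required; implementations must not assume the data is non-null.
     *
     * @param subjectConfirmation the subject confirmation being evaluated
     * @param assertion the assertion that carries the subject confirmation
     * @param validationContext the validation context
     * @return the validation outcome
     * @throws AssertionValidationException if validation fails with an error
     */
    @Nonnull
    protected abstract ValidationResult doValidate(@Nonnull SubjectConfirmation subjectConfirmation, @Nonnull Assertion assertion, @Nonnull ValidationContext validationContext) throws AssertionValidationException;
}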
