package se.litsec.swedisheid.opensaml.saml2.validation;

import net.shibboleth.utilities.java.support.primitive.StringSupport;
import org.opensaml.saml.common.assertion.AssertionValidationException;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.assertion.impl.AbstractSubjectConfirmationValidator;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import se.litsec.opensaml.common.validation.AbstractObjectValidator;

/* loaded from: input_file:se/litsec/swedisheid/opensaml/saml2/validation/SwedishEidSubjectConfirmationValidator.class */
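/**
 * Subject confirmation validator for the bearer method
 * ({@code urn:oasis:names:tc:SAML:2.0:cm:bearer}).
 *
 * <p>In addition to whatever the superclass checks, this validator requires that the
 * {@code SubjectConfirmationData} element is present and carries the {@code InResponseTo},
 * {@code NotOnOrAfter} and {@code Recipient} attributes, and that {@code InResponseTo} matches the
 * ID of the AuthnRequest supplied through the validation context.
 *
 * <p>Static validation-context parameters read by this class:
 * <ul>
 * <li>{@code saml2.AuthnRequestID}: the ID of the request the assertion must answer.</li>
 * <li>{@code saml2.AuthnRequest}: the request object, used when no ID parameter is given.</li>
 * <li>{@code saml2.SubjectConfirmation.ValidAddresses}: input for the address check.</li>
 * </ul>
 */
public class SwedishEidSubjectConfirmationValidator extends AbstractSubjectConfirmationValidator {
    private final Logger log = LoggerFactory.getLogger(SwedishEidSubjectConfirmationValidator.class);

    /**
     * Returns the subject confirmation method handled by this validator.
     *
     * @return the bearer confirmation method URI
     */
    @Override
    public String getServicedMethod() {
        return "urn:oasis:names:tc:SAML:2.0:cm:bearer";
    }

    /**
     * Checks that the mandatory parts of the bearer subject confirmation are present and that the
     * confirmation answers the expected request.
     *
     * @param subjectConfirmation the subject confirmation being validated
     * @param assertion the assertion that holds the subject confirmation
     * @param validationContext the context supplying parameters and receiving the failure message
     * @return {@link ValidationResult#VALID} when every check passes, otherwise the result of the
     *         first check that did not pass
     * @throws AssertionValidationException declared by the superclass contract; not thrown by the
     *         checks in this method
     */
    @Override
    protected ValidationResult doValidate(SubjectConfirmation subjectConfirmation, Assertion assertion, ValidationContext validationContext) throws AssertionValidationException {
        if (subjectConfirmation.getSubjectConfirmationData() == null) {
            validationContext.setValidationFailureMessage(String.format("SubjectConfirmationData is missing from Subject/@SubjectConfirmation for method '%s' for Assertion '%s'", getServicedMethod(), assertion.getID()));
            return ValidationResult.INVALID;
        }

        // The outcome must be honoured. InResponseTo is what binds a bearer assertion to the
        // request this party actually sent; discarding the result would let an assertion with a
        // missing or mismatching InResponseTo pass this validator with only a failure message set.
        // NOTE(review): the superclass may run the same check before doValidate(); confirm against
        // the OpenSAML version in use. Repeating it here is harmless.
        ValidationResult inResponseToResult = validateInResponseTo(subjectConfirmation, assertion, validationContext);
        if (inResponseToResult != ValidationResult.VALID) {
            return inResponseToResult;
        }

        if (subjectConfirmation.getSubjectConfirmationData().getNotOnOrAfter() == null) {
            validationContext.setValidationFailureMessage(String.format("NotOnOrAfter attribute is missing from Subject/@SubjectConfirmationData for method '%s' for Assertion '%s'", getServicedMethod(), assertion.getID()));
            return ValidationResult.INVALID;
        }
        if (subjectConfirmation.getSubjectConfirmationData().getRecipient() == null) {
            validationContext.setValidationFailureMessage(String.format("Recipient attribute is missing from Subject/@SubjectConfirmationData for method '%s' for Assertion '%s'", getServicedMethod(), assertion.getID()));
            return ValidationResult.INVALID;
        }
        return ValidationResult.VALID;
    }

    /**
     * Verifies that {@code InResponseTo} is present and equals the ID of the expected AuthnRequest.
     *
     * <p>The expected ID is taken from the {@code saml2.AuthnRequestID} static parameter, or, when
     * that is absent, from the AuthnRequest stored under {@code saml2.AuthnRequest}.
     *
     * @param subjectConfirmation the subject confirmation being validated; its
     *        SubjectConfirmationData must be non-null
     * @param assertion the assertion that holds the subject confirmation
     * @param validationContext the context supplying parameters and receiving the failure message
     * @return {@link ValidationResult#VALID} on a match, {@link ValidationResult#INVALID} when the
     *         attribute is missing or differs, and {@link ValidationResult#INDETERMINATE} when the
     *         context offers no request ID to compare against
     */
    protected ValidationResult validateInResponseTo(SubjectConfirmation subjectConfirmation, Assertion assertion, ValidationContext validationContext) {
        String inResponseTo = subjectConfirmation.getSubjectConfirmationData().getInResponseTo();
        if (inResponseTo == null) {
            validationContext.setValidationFailureMessage(String.format("InResponseTo attribute is missing from Subject/@SubjectConfirmationData for method '%s' for Assertion '%s'", getServicedMethod(), assertion.getID()));
            return ValidationResult.INVALID;
        }

        String expectedId = (String) validationContext.getStaticParameters().get("saml2.AuthnRequestID");
        if (expectedId == null) {
            AuthnRequest authnRequest = (AuthnRequest) validationContext.getStaticParameters().get("saml2.AuthnRequest");
            if (authnRequest != null) {
                expectedId = authnRequest.getID();
            }
        }
        if (expectedId == null) {
            // Nothing to compare with: report INDETERMINATE rather than VALID so that a caller
            // that forgot to supply the request does not silently accept the assertion.
            validationContext.setValidationFailureMessage(String.format("Could not validate InResponseTo attribute of Subject/@SubjectConfirmationData for method '%s' for Assertion '%s' (no AuthnRequest ID available)", getServicedMethod(), assertion.getID()));
            return ValidationResult.INDETERMINATE;
        }
        if (!inResponseTo.equals(expectedId)) {
            validationContext.setValidationFailureMessage(String.format("Mismatching InResponseTo attribute in Subject/@SubjectConfirmationData for method '%s' for Assertion '%s'. Expected: '%s', was: '%s'", getServicedMethod(), assertion.getID(), expectedId, inResponseTo));
            return ValidationResult.INVALID;
        }
        return ValidationResult.VALID;
    }

    /**
     * Validates the {@code Address} attribute of the SubjectConfirmationData.
     *
     * <p>Under strict validation (as reported by
     * {@link AbstractObjectValidator#isStrictValidation(ValidationContext)}) a missing address is
     * {@link ValidationResult#INVALID} and the superclass result is returned unchanged. Otherwise
     * the check is advisory: a missing address or a failed superclass check is logged at warn
     * level, the failure message is cleared and {@link ValidationResult#VALID} is returned.
     * Deployments that rely on address binding therefore have to enable strict validation.
     *
     * @param subjectConfirmation the subject confirmation being validated
     * @param assertion the assertion that holds the subject confirmation
     * @param validationContext the context supplying parameters and receiving the failure message
     * @return the validation result as described above
     * @throws AssertionValidationException if the superclass address check fails with an error
     */
    @Override
    protected ValidationResult validateAddress(SubjectConfirmation subjectConfirmation, Assertion assertion, ValidationContext validationContext) throws AssertionValidationException {
        final boolean strict = AbstractObjectValidator.isStrictValidation(validationContext);

        if (StringSupport.trimOrNull(subjectConfirmation.getSubjectConfirmationData().getAddress()) == null) {
            String msg = String.format("SubjectConfirmationData of Assertion '%s' is missing Address attribute", assertion.getID());
            if (strict) {
                validationContext.setValidationFailureMessage(msg);
                return ValidationResult.INVALID;
            }
            this.log.warn(msg);
        }
        if (!strict && validationContext.getStaticParameters().get("saml2.SubjectConfirmation.ValidAddresses") == null) {
            this.log.info("Address check skipped for SubjectConfirmationData - no indata supplied");
            return ValidationResult.VALID;
        }

        ValidationResult result = super.validateAddress(subjectConfirmation, assertion, validationContext);
        if (result == ValidationResult.VALID || strict) {
            return result;
        }
        // Lenient mode: keep a trace of the failed check in the log, then clear the message so the
        // accepted assertion does not carry a stale failure reason.
        this.log.warn(validationContext.getValidationFailureMessage());
        validationContext.setValidationFailureMessage((String) null);
        return ValidationResult.VALID;
    }
}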
