package eu.unicore.samly2.validators;

import eu.unicore.samly2.SAMLBindings;
import eu.unicore.samly2.SAMLConstants;
import eu.unicore.samly2.exceptions.SAMLValidationException;
import eu.unicore.samly2.exceptions.SAMLValidationSoftException;
import eu.unicore.samly2.trust.SamlTrustChecker;
import java.util.Calendar;
import xmlbeans.org.oasis.saml2.assertion.AssertionDocument;
import xmlbeans.org.oasis.saml2.assertion.AssertionType;
import xmlbeans.org.oasis.saml2.assertion.NameIDType;
import xmlbeans.org.oasis.saml2.assertion.SubjectConfirmationDataType;
import xmlbeans.org.oasis.saml2.assertion.SubjectConfirmationType;
import xmlbeans.org.oasis.saml2.assertion.SubjectType;

/* loaded from: input_file:eu/unicore/samly2/validators/SSOAuthnAssertionValidator.class */
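public class SSOAuthnAssertionValidator extends AssertionValidator {
    /** Store of already-consumed assertion IDs; consulted only for the HTTP POST binding. */
    protected ReplayAttackChecker replayChecker;
    /** Binding the assertion arrived over; HTTP POST enables the replay and signature-presence checks. */
    protected SAMLBindings binding;
    /**
     * When true, an InResponseTo attribute on the bearer confirmation is tolerated even though no
     * request id is configured (i.e. an unsolicited response carrying InResponseTo is accepted).
     */
    protected boolean laxInResponseToChecking = false;

    /**
     * Creates a validator for assertions of the SAML Web SSO authentication profile.
     * <p>
     * The first five arguments are forwarded unchanged to {@link AssertionValidator}, which defines
     * their meaning; this class only reads the inherited {@code requestId} field (presumably one of the
     * String arguments — confirm against the superclass). Parameter names are decompiler-generated.
     *
     * @param samlTrustChecker forwarded to the superclass
     * @param replayAttackChecker store used to detect a re-presented assertion over HTTP POST
     * @param sAMLBindings binding the assertion was received over
     */
    public SSOAuthnAssertionValidator(String str, String str2, String str3, long j, SamlTrustChecker samlTrustChecker, ReplayAttackChecker replayAttackChecker, SAMLBindings sAMLBindings) {
        super(str, str2, str3, j, samlTrustChecker);
        this.replayChecker = replayAttackChecker;
        this.binding = sAMLBindings;
    }

    /**
     * Controls whether an InResponseTo attribute is accepted when no request id is configured.
     *
     * @param z true to accept InResponseTo on an unsolicited response, false (default) to reject it
     */
    public void setLaxInResponseToChecking(boolean z) {
        this.laxInResponseToChecking = z;
    }

    /**
     * Validates an assertion against the SSO authentication profile on top of the generic checks
     * performed by {@link AssertionValidator#validate}.
     * <p>
     * Profile checks applied here: issuer of entity format (if a format is given), at least one
     * AuthnStatement, a bearer subject confirmation (see {@link #checkAuthNSubject}), an audience
     * restriction, and — for HTTP POST only — a signature element plus a replay check on the assertion ID.
     * Whether NotOnOrAfter, Recipient and a configured request id are compared against the clock,
     * the expected endpoint and InResponseTo is not visible in this class; presumably the superclass
     * does so — confirm there.
     *
     * @param assertionDocument the assertion to validate
     * @throws SAMLValidationException when any profile requirement is violated (audience and subject
     *         confirmation problems are reported as {@link SAMLValidationSoftException})
     */
    @Override // eu.unicore.samly2.validators.AssertionValidator
    public void validate(AssertionDocument assertionDocument) throws SAMLValidationException {
        super.validate(assertionDocument);
        AssertionType assertion = assertionDocument.getAssertion();
        checkStatements(assertion);

        NameIDType issuer = assertion.getIssuer();
        if (issuer == null) {
            // Reject malformed input with a validation error rather than an NPE further down.
            throw new SAMLValidationException("SAML SSO authentication profile requires issuer to be set.");
        }
        String issuerFormat = issuer.getFormat();
        if (issuerFormat != null && !SAMLConstants.NFORMAT_ENTITY.equals(issuerFormat)) {
            throw new SAMLValidationException("SAML SSO authentication profile requires issuer to be of entity type. Was: " + issuerFormat);
        }

        if (!hasAuthnStatement(assertion)) {
            throw new SAMLValidationException("Not an authentication assertion - no authN satements");
        }

        Calendar bearerNotOnOrAfter = checkAuthNSubject(assertion.getSubject());

        if (!hasAudienceRestriction(assertion)) {
            throw new SAMLValidationSoftException("SAML SSO authentication profile requires that audience restriction must be set and it wasn't.");
        }

        if (this.binding == SAMLBindings.HTTP_POST) {
            // Check the signature element before touching the replay store: an assertion that is
            // rejected anyway must not consume its ID, otherwise a later valid assertion carrying
            // the same ID would be refused as a replay.
            if (assertion.getSignature() == null || assertion.getSignature().isNil()) {
                throw new SAMLValidationException("Assertion is not signed in the SSO authN used over HTTP POST, while should be.");
            }
            // The bearer confirmation's NotOnOrAfter bounds how long the ID must be remembered.
            this.replayChecker.checkAndStore(assertion.getID(), bearerNotOnOrAfter);
        }
    }

    /** True when the assertion carries at least one AuthnStatement. */
    private static boolean hasAuthnStatement(AssertionType assertion) {
        return assertion.getAuthnStatementArray() != null && assertion.getAuthnStatementArray().length > 0;
    }

    /** True when the assertion has Conditions with at least one AudienceRestriction. */
    private static boolean hasAudienceRestriction(AssertionType assertion) {
        if (assertion.getConditions() == null) {
            return false;
        }
        return assertion.getConditions().getAudienceRestrictionArray() != null
                && assertion.getConditions().getAudienceRestrictionArray().length > 0;
    }

    /**
     * Checks that the subject carries a bearer subject confirmation with well-formed confirmation data.
     * <p>
     * Only the first confirmation whose Method is bearer is examined; its data must be present, carry a
     * Recipient and a NotOnOrAfter, and must not carry a NotBefore. An InResponseTo attribute is rejected
     * when no request id is configured unless {@link #setLaxInResponseToChecking} was enabled. The values
     * themselves (Recipient vs. expected endpoint, NotOnOrAfter vs. the clock) are not compared here.
     *
     * @param subjectType subject of the assertion being validated
     * @return the NotOnOrAfter of the bearer confirmation data
     * @throws SAMLValidationSoftException when the subject is missing or no acceptable bearer confirmation is found
     */
    protected Calendar checkAuthNSubject(SubjectType subjectType) throws SAMLValidationSoftException {
        if (subjectType == null) {
            throw new SAMLValidationSoftException("Authentication assertion subject is not set");
        }
        SubjectConfirmationType[] confirmations = subjectType.getSubjectConfirmationArray();
        if (confirmations == null || confirmations.length == 0) {
            throw new SAMLValidationSoftException("Authentication assertion subject confirmation is not set");
        }
        for (SubjectConfirmationType confirmation : confirmations) {
            if (!SAMLConstants.CONFIRMATION_BEARER.equals(confirmation.getMethod())) {
                continue;
            }
            SubjectConfirmationDataType data = confirmation.getSubjectConfirmationData();
            checkBearerConfirmationData(data);
            return data.getNotOnOrAfter();
        }
        throw new SAMLValidationSoftException("Authentication assertion subject doesn't posses any bearer type subject confirmation");
    }

    /** Enforces the bearer confirmation data requirements of the SSO profile; see {@link #checkAuthNSubject}. */
    private void checkBearerConfirmationData(SubjectConfirmationDataType data) throws SAMLValidationSoftException {
        if (data == null || data.isNil()) {
            throw new SAMLValidationSoftException("In authentication assertion the bearer subject confirmation must have confirmation data set");
        }
        if (data.getRecipient() == null) {
            throw new SAMLValidationSoftException("Authentication assertion confirmation receipent URL must be set");
        }
        if (data.getNotOnOrAfter() == null) {
            throw new SAMLValidationSoftException("Bearer subject confirmation must have notOnOrAfter defined");
        }
        if (data.getNotBefore() != null) {
            throw new SAMLValidationSoftException("Bearer subject confirmation must not have notBefore defined");
        }
        // No request id configured means an unsolicited response is expected; InResponseTo then
        // indicates a message meant for a different exchange unless lax checking was requested.
        if (this.requestId == null && data.isSetInResponseTo() && !this.laxInResponseToChecking) {
            throw new SAMLValidationSoftException("InResponseTo present, while it was expected to have an unsolicited response");
        }
    }
}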
