package eu.unicore.samly2.validators;

import eu.emi.security.authn.x509.impl.X500NameUtils;
import eu.unicore.samly2.SAMLConstants;
import eu.unicore.samly2.exceptions.SAMLValidationException;
import eu.unicore.samly2.trust.SamlTrustChecker;
import java.text.DateFormat;
import java.util.Calendar;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.apache.log4j.spi.LoggingEventFieldResolver;
import xmlbeans.org.oasis.saml2.assertion.AssertionDocument;
import xmlbeans.org.oasis.saml2.assertion.AssertionType;
import xmlbeans.org.oasis.saml2.assertion.AudienceRestrictionType;
import xmlbeans.org.oasis.saml2.assertion.ConditionsType;
import xmlbeans.org.oasis.saml2.assertion.SubjectConfirmationDataType;
import xmlbeans.org.oasis.saml2.assertion.SubjectConfirmationType;

/* loaded from: input_file:eu/unicore/samly2/validators/AssertionValidator.class */
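public class AssertionValidator {
    /** Default clock-skew tolerance applied to every time-bound check: 3 minutes, in milliseconds. */
    public static final long DEFAULT_VALIDITY_GRACE_PERIOD = 180000;

    /**
     * Renders timestamps in error messages only. {@link DateFormat} is not thread-safe, so all
     * formatting goes through {@link #formatDate(Date)}, which synchronizes on this instance.
     */
    private static final DateFormat DATE_FORMATTER =
            DateFormat.getDateTimeInstance(DateFormat.MEDIUM, DateFormat.MEDIUM);

    /** Names under which this consumer accepts an AudienceRestriction (primary name plus aliases). */
    protected Set<String> consumerSamlNames = new HashSet<>();
    /** Expected SubjectConfirmationData Recipient; {@code null} disables the recipient comparison. */
    protected String consumerEndpointUri;
    /** Id of the request this assertion should answer; {@code null} disables the InResponseTo check. */
    protected String requestId;
    /** Clock-skew tolerance (milliseconds) applied on both sides of NotBefore/NotOnOrAfter. */
    protected long samlValidityGraceTime;
    /** Trust check applied to the whole document before any of its content is interpreted. */
    protected SamlTrustChecker trustChecker;

    /**
     * Creates a validator.
     *
     * @param consumerSamlName SAML name of this consumer, accepted as audience; {@code null} adds nothing
     * @param consumerEndpointUri expected subject-confirmation Recipient, or {@code null} to skip that check
     * @param requestId expected InResponseTo value, or {@code null} to skip that check
     * @param samlValidityGraceTime clock-skew tolerance in milliseconds, e.g. {@link #DEFAULT_VALIDITY_GRACE_PERIOD}
     * @param trustChecker trust checker consulted by {@link #validate(AssertionDocument)}
     */
    public AssertionValidator(String consumerSamlName, String consumerEndpointUri, String requestId,
            long samlValidityGraceTime, SamlTrustChecker trustChecker) {
        if (consumerSamlName != null) {
            this.consumerSamlNames.add(consumerSamlName);
        }
        this.consumerEndpointUri = consumerEndpointUri;
        this.requestId = requestId;
        this.samlValidityGraceTime = samlValidityGraceTime;
        this.trustChecker = trustChecker;
    }

    /**
     * Registers an additional name under which an AudienceRestriction is accepted.
     *
     * @param alias additional consumer SAML name
     */
    public void addConsumerSamlNameAlias(String alias) {
        this.consumerSamlNames.add(alias);
    }

    /**
     * Validates the assertion: mandatory elements, trust, conditions, then subject confirmations.
     * {@link #checkStatements(AssertionType)} is not invoked here; callers that require it must call it.
     *
     * @param assertionDocument document holding the assertion to validate
     * @throws SAMLValidationException on the first failed check
     */
    public void validate(AssertionDocument assertionDocument) throws SAMLValidationException {
        AssertionType assertion = assertionDocument.getAssertion();
        if (assertion == null || assertion.isNil()) {
            throw new SAMLValidationException("Assertion document does not contain an assertion");
        }
        checkMandatoryElements(assertion);
        // Trust is established before any assertion content is interpreted.
        this.trustChecker.checkTrust(assertionDocument);
        checkConditions(assertion);
        checkSubject(assertion);
    }

    /**
     * Verifies the elements every SAML 2.0 assertion must carry: ID, version 2.0, IssueInstant,
     * a non-empty Issuer and a Subject.
     *
     * @throws SAMLValidationException when any of them is missing
     */
    protected void checkMandatoryElements(AssertionType assertion) throws SAMLValidationException {
        String id = assertion.getID();
        if (id == null || id.isEmpty()) {
            throw new SAMLValidationException("Assertion must posses an ID");
        }
        if (assertion.getVersion() == null || !assertion.getVersion().equals(SAMLConstants.SAML2_VERSION)) {
            throw new SAMLValidationException("Assertion must posses 2.0 version");
        }
        if (assertion.getIssueInstant() == null) {
            throw new SAMLValidationException("Assertion must posses an IssueInstant");
        }
        if (assertion.getIssuer() == null || assertion.getIssuer().isNil()) {
            throw new SAMLValidationException("Assertion must have its Issuer set");
        }
        String issuer = assertion.getIssuer().getStringValue();
        if (issuer == null || issuer.isEmpty()) {
            throw new SAMLValidationException("Assertion must have its Issuer value set");
        }
        if (assertion.getSubject() == null || assertion.getSubject().isNil()) {
            throw new SAMLValidationException("Assertion must have its Subject set");
        }
    }

    /**
     * Checks the SubjectConfirmation elements. The assertion is accepted when at least one
     * confirmation passes all of: Recipient, time bounds and InResponseTo (each only when the
     * corresponding expectation is configured). A confirmation that produced any error is never
     * counted as valid.
     *
     * @throws SAMLValidationException when confirmations are present and none of them is valid
     */
    protected void checkSubject(AssertionType assertion) throws SAMLValidationException {
        SubjectConfirmationType[] confirmations = assertion.getSubject().getSubjectConfirmationArray();
        if (confirmations == null || confirmations.length == 0) {
            // Nothing to confirm; the Subject itself is required by checkMandatoryElements.
            return;
        }
        ErrorReasons reasons = new ErrorReasons();
        boolean anyValid = false;
        // 1-based position of the confirmation in the document, used in the error report.
        int index = 0;
        for (SubjectConfirmationType confirmation : confirmations) {
            index++;
            String error = checkSubjectConfirmation(confirmation);
            if (error == null) {
                anyValid = true;
            } else {
                reasons.addConfirmationError(index, error);
            }
        }
        if (!anyValid) {
            throw new SAMLValidationException("None of subject confirmations is valid: " + reasons.toString());
        }
    }

    /**
     * Checks one SubjectConfirmation against the configured expectations.
     *
     * @return {@code null} when acceptable, otherwise the reason for rejection
     */
    private String checkSubjectConfirmation(SubjectConfirmationType confirmation) {
        SubjectConfirmationDataType data = confirmation.getSubjectConfirmationData();
        if (data == null || data.isNil()) {
            // Recipient, time bounds and InResponseTo all live in SubjectConfirmationData;
            // without it none of them can be verified, so the confirmation is not accepted.
            return "SubjectConfirmationData is missing";
        }
        String recipient = data.getRecipient();
        // NOTE(review): a missing Recipient is tolerated; only a present, different one is rejected.
        if (recipient != null && this.consumerEndpointUri != null && !recipient.equals(this.consumerEndpointUri)) {
            return "subject confirmation receipent URL " + recipient
                    + " is different from the expected one: " + this.consumerEndpointUri;
        }
        try {
            checkTimeBounds("Subject confirmation", data.getNotBefore(), data.getNotOnOrAfter());
        } catch (SAMLValidationException e) {
            return e.getMessage();
        }
        if (this.requestId != null) {
            if (!data.isSetInResponseTo()) {
                // Only bearer confirmations are required to carry InResponseTo.
                if (SAMLConstants.CONFIRMATION_BEARER.equals(confirmation.getMethod())) {
                    return "InResponseTo is not set for an assertion with a bearer confirmation, and an expected requestId is "
                            + this.requestId;
                }
            } else if (!this.requestId.equals(data.getInResponseTo())) {
                return "InResponseTo (" + data.getInResponseTo()
                        + ") is not equal to expected request id which was " + this.requestId;
            }
        }
        return null;
    }

    /**
     * Checks the Conditions element: at most one OneTimeUse and one ProxyRestriction, the
     * NotBefore/NotOnOrAfter window, audience restrictions and absence of unsupported conditions.
     * Absent or nil Conditions are accepted.
     *
     * @throws SAMLValidationException on the first failed check
     */
    protected void checkConditions(AssertionType assertion) throws SAMLValidationException {
        ConditionsType conditions = assertion.getConditions();
        if (conditions == null || conditions.isNil()) {
            return;
        }
        // NOTE(review): OneTimeUse and ProxyRestriction are only counted here, not enforced.
        if (conditions.getOneTimeUseArray() != null && conditions.getOneTimeUseArray().length > 1) {
            throw new SAMLValidationException("Assertion may possess 0 or 1 OneTimeUse condition");
        }
        if (conditions.getProxyRestrictionArray() != null && conditions.getProxyRestrictionArray().length > 1) {
            throw new SAMLValidationException("Assertion may possess 0 or 1 ProxyRestriction condition");
        }
        checkTimeBounds("Assertion", conditions.getNotBefore(), conditions.getNotOnOrAfter());
        checkAudienceRestriction(conditions.getAudienceRestrictionArray());
        checkGenericConditions(conditions);
    }

    /**
     * Requires exactly one kind of statement (attribute, authorization decision or authentication)
     * in the assertion. Not called by {@link #validate(AssertionDocument)}.
     * Left {@code public} because the decompiled class exposes it that way (the original was
     * reportedly {@code protected}); narrowing it could break existing callers.
     *
     * @throws SAMLValidationException when the assertion mixes statement kinds or has none
     */
    public void checkStatements(AssertionType assertion) throws SAMLValidationException {
        int statementKinds = 0;
        if (hasElements(assertion.getAttributeStatementArray())) {
            statementKinds++;
        }
        if (hasElements(assertion.getAuthzDecisionStatementArray())) {
            statementKinds++;
        }
        if (hasElements(assertion.getAuthnStatementArray())) {
            statementKinds++;
        }
        if (statementKinds > 1) {
            throw new SAMLValidationException("Assertions with different statement types are unsupported");
        }
        if (statementKinds == 0) {
            throw new SAMLValidationException("Assertions without any statement are unsupported");
        }
    }

    /**
     * Rejects any generic Condition element, since none of them is understood by this validator.
     *
     * @throws SAMLValidationException when at least one Condition is present
     */
    protected void checkGenericConditions(ConditionsType conditions) throws SAMLValidationException {
        if (hasElements(conditions.getConditionArray())) {
            throw new SAMLValidationException("Got unsupported conditions in the assertion: " + conditions.xmlText());
        }
    }

    /**
     * Requires every AudienceRestriction to name at least one of this consumer's SAML names.
     * Skipped when there are no restrictions or no consumer names are configured.
     *
     * @throws SAMLValidationException when a restriction has no audiences or none of them matches
     */
    protected void checkAudienceRestriction(AudienceRestrictionType[] restrictions) throws SAMLValidationException {
        if (!hasElements(restrictions) || this.consumerSamlNames.isEmpty()) {
            return;
        }
        for (AudienceRestrictionType restriction : restrictions) {
            String[] audiences = restriction.getAudienceArray();
            if (!hasElements(audiences)) {
                throw new SAMLValidationException("Assertion has wrong audience restriction: no audiences defined inside");
            }
            boolean matched = false;
            for (String audience : audiences) {
                if (matchesAnyConsumerName(audience)) {
                    matched = true;
                    break;
                }
            }
            if (!matched) {
                throw new SAMLValidationException("Assertion audience restriction doesn't include any of this service identifiers: "
                        + this.consumerSamlNames.toString() + " Audience is restricted to: " + restriction.xmlText());
            }
        }
    }

    /** Returns whether {@code audience} matches any configured consumer name via {@link #audienceMatching}. */
    private boolean matchesAnyConsumerName(String audience) {
        for (String consumerName : this.consumerSamlNames) {
            if (audienceMatching(consumerName, audience)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Compares a consumer name with an audience value: exact string equality first, then
     * {@code X500NameUtils.equal} (presumably a DN-aware comparison; not verified here).
     *
     * @return {@code true} when the two are considered the same name
     */
    protected boolean audienceMatching(String consumerName, String audience) {
        if (consumerName.equals(audience)) {
            return true;
        }
        try {
            return X500NameUtils.equal(consumerName, audience);
        } catch (Exception ignored) {
            // Values that are not parseable as names simply do not match.
            return false;
        }
    }

    /**
     * Checks that the current time lies within [notBefore, notOnOrAfter), widening the window by
     * {@link #samlValidityGraceTime} on both sides to tolerate clock skew. Either bound may be null.
     *
     * @param what label used in the error message
     * @throws SAMLValidationException when the window has not started yet or has already ended
     */
    protected void checkTimeBounds(String what, Calendar notBefore, Calendar notOnOrAfter) throws SAMLValidationException {
        long now = System.currentTimeMillis();
        // The same 'now' is used for the comparison and the message so they cannot disagree.
        if (notBefore != null && now < notBefore.getTimeInMillis() - this.samlValidityGraceTime) {
            throw new SAMLValidationException(what + " is not yet valid, will be from "
                    + formatDate(notBefore.getTime()) + " and current time is " + formatDate(new Date(now)));
        }
        if (notOnOrAfter != null && now >= notOnOrAfter.getTimeInMillis() + this.samlValidityGraceTime) {
            throw new SAMLValidationException(what + " expired at "
                    + formatDate(notOnOrAfter.getTime()) + " and current time is " + formatDate(new Date(now)));
        }
    }

    /** Thread-safe wrapper around the shared, non-thread-safe {@link #DATE_FORMATTER}. */
    private static String formatDate(Date date) {
        synchronized (DATE_FORMATTER) {
            return DATE_FORMATTER.format(date);
        }
    }

    /** Returns whether the array is non-null and non-empty. */
    private static boolean hasElements(Object[] array) {
        return array != null && array.length > 0;
    }
}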
