package eu.unicore.samly2.validators;

import eu.unicore.samly2.SAMLBindings;
import eu.unicore.samly2.SAMLConstants;
import eu.unicore.samly2.SAMLUtils;
import eu.unicore.samly2.exceptions.SAMLValidationException;
import eu.unicore.samly2.exceptions.SAMLValidationSoftException;
import eu.unicore.samly2.trust.SamlTrustChecker;
import java.util.ArrayList;
import java.util.List;
import xmlbeans.org.oasis.saml2.assertion.AssertionDocument;
import xmlbeans.org.oasis.saml2.assertion.AssertionType;
import xmlbeans.org.oasis.saml2.assertion.NameIDType;
import xmlbeans.org.oasis.saml2.protocol.ResponseDocument;
import xmlbeans.org.oasis.saml2.protocol.ResponseType;

/* loaded from: input_file:eu/unicore/samly2/validators/SSOAuthnResponseValidator.class */
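/**
 * Validates a SAML {@code Response} received in the Web SSO authentication profile.
 * <p>
 * On top of the status/response-level checks inherited from {@link StatusResponseValidator} it
 * requires the response issuer (when present and formatted) to be of Entity format, validates every
 * enclosed assertion (assertions carrying an {@code AuthnStatement} via
 * {@link SSOAuthnAssertionValidator}, all others via {@link AssertionValidator}), requires all
 * assertions to name one and the same issuer, and requires at least one accepted authentication
 * assertion. Accepted assertions are exposed through {@link #getAuthNAssertions()} and
 * {@link #getOtherAssertions()} after a successful {@link #validate(ResponseDocument)}.
 * <p>
 * Not thread-safe: a single call to {@code validate} resets and fills the per-response state.
 */
public class SSOAuthnResponseValidator extends StatusResponseValidator {
    // Handed to the authentication-assertion validator so already consumed assertions are refused.
    protected ReplayAttackChecker replayChecker;
    // SAML name of this consumer; passed to both assertion validators.
    protected String consumerSamlName;
    // Clock-skew tolerance (presumably milliseconds — confirm against the validators) for validity checks.
    protected long samlValidityGraceTime;
    // Binding the response arrived over; HTTP POST makes assertion signatures mandatory.
    protected SAMLBindings binding;
    // Assertions with an AuthnStatement that passed SSO validation in the last validate() call.
    protected List<AssertionDocument> authNAssertions;
    // Remaining assertions that passed generic validation in the last validate() call.
    protected List<AssertionDocument> otherAssertions;
    // Soft failures of authentication assertions, reported when none of them was accepted.
    protected ErrorReasons reasons;

    /**
     * Creates a validator for SSO authentication responses.
     *
     * @param str SAML name of the consumer (this service)
     * @param str2 passed to {@link StatusResponseValidator}; presumably the consumer endpoint URI
     * @param str3 passed to {@link StatusResponseValidator}; presumably the id of the request being answered
     * @param j validity grace time applied to time-based checks
     * @param samlTrustChecker checker used to establish trust in signatures/issuers
     * @param replayAttackChecker checker refusing assertions that were already consumed
     * @param sAMLBindings binding the response was received over
     */
    public SSOAuthnResponseValidator(String str, String str2, String str3, long j, SamlTrustChecker samlTrustChecker, ReplayAttackChecker replayAttackChecker, SAMLBindings sAMLBindings) {
        super(str2, str3, samlTrustChecker);
        this.consumerSamlName = str;
        this.replayChecker = replayAttackChecker;
        this.samlValidityGraceTime = j;
        this.binding = sAMLBindings;
    }

    /**
     * Validates an SSO authentication response and collects its accepted assertions.
     * <p>
     * Soft failures of authentication assertions are recorded in {@link #reasons}; hard failures of
     * any assertion abort validation. Validation failures are propagated with their own message;
     * only unexpected errors (e.g. XML handling) are wrapped in a {@link SAMLValidationException}
     * with the original exception as cause.
     *
     * @param responseDocument the response to validate
     * @throws SAMLValidationException if the response, any assertion, or the set of assertions as a
     *         whole does not satisfy the SSO profile
     */
    public void validate(ResponseDocument responseDocument) throws SAMLValidationException {
        this.authNAssertions = new ArrayList<>();
        this.otherAssertions = new ArrayList<>();
        this.reasons = new ErrorReasons();
        ResponseType response = responseDocument.getResponse();
        super.validate(responseDocument, response);
        NameIDType issuer = response.getIssuer();
        if (issuer != null && issuer.getFormat() != null && !issuer.getFormat().equals(SAMLConstants.NFORMAT_ENTITY)) {
            throw new SAMLValidationException("Issuer of SAML response must be of Entity type in SSO AuthN. It is: " + issuer.getFormat());
        }
        try {
            AssertionDocument[] assertions = SAMLUtils.getAssertions(response);
            SSOAuthnAssertionValidator authnValidator = new SSOAuthnAssertionValidator(this.consumerSamlName, this.consumerEndpointUri, this.requestId, this.samlValidityGraceTime, this.trustChecker, this.replayChecker, this.binding);
            // No request id for generic assertions: only authentication assertions answer the request.
            AssertionValidator genericValidator = new AssertionValidator(this.consumerSamlName, this.consumerEndpointUri, null, this.samlValidityGraceTime, this.trustChecker);
            for (AssertionDocument assertionDocument : assertions) {
                AssertionType assertion = assertionDocument.getAssertion();
                if (assertion.sizeOfAuthnStatementArray() > 0) {
                    tryValidateAsAuthnAssertion(authnValidator, assertionDocument);
                } else {
                    tryValidateAsGenericAssertion(genericValidator, assertionDocument);
                }
                // All assertions (and the response, if it names one) must come from a single issuer.
                issuer = checkIssuerConsistency(issuer, assertion);
            }
            if (this.authNAssertions.isEmpty()) {
                if (this.reasons.getSize() <= 0) {
                    throw new SAMLValidationException("There was no authentication assertion found in the SAML response");
                }
                throw new SAMLValidationException("Authentication assertion(s) was found, but it was not correct wrt SSO profile: " + this.reasons);
            }
        } catch (SAMLValidationException e) {
            // Keep the validator's own diagnostic instead of relabelling it as an XML problem.
            throw e;
        } catch (Exception e) {
            throw new SAMLValidationException("XML handling problem during retrieval of response assertions", e);
        }
    }

    /**
     * Returns the authentication assertions accepted by the last {@link #validate(ResponseDocument)}.
     *
     * @return the accepted authentication assertions; {@code null} before the first validation
     */
    public List<AssertionDocument> getAuthNAssertions() {
        return this.authNAssertions;
    }

    /**
     * Returns the non-authentication assertions accepted by the last {@link #validate(ResponseDocument)}.
     *
     * @return the accepted other assertions; {@code null} before the first validation
     */
    public List<AssertionDocument> getOtherAssertions() {
        return this.otherAssertions;
    }

    /**
     * Validates an assertion carrying an {@code AuthnStatement} against the SSO profile.
     * <p>
     * A soft failure is recorded in {@link #reasons} and does not abort the response validation;
     * a hard failure propagates.
     *
     * @param sSOAuthnAssertionValidator validator to use
     * @param assertionDocument assertion to validate
     * @throws SAMLValidationException on a hard validation failure
     */
    protected void tryValidateAsAuthnAssertion(SSOAuthnAssertionValidator sSOAuthnAssertionValidator, AssertionDocument assertionDocument) throws SAMLValidationException {
        try {
            sSOAuthnAssertionValidator.validate(assertionDocument);
            this.authNAssertions.add(assertionDocument);
        } catch (SAMLValidationSoftException e) {
            this.reasons.addAssertionError(assertionDocument.getAssertion(), e.getMessage());
        }
    }

    /**
     * Validates an assertion without {@code AuthnStatement} and records it in {@link #otherAssertions}.
     * <p>
     * Beyond the generic checks, the issuer must be of Entity format and, over HTTP POST, the
     * assertion itself must be signed.
     *
     * @param assertionValidator validator to use
     * @param assertionDocument assertion to validate
     * @throws SAMLValidationException if the assertion fails any check
     */
    protected void tryValidateAsGenericAssertion(AssertionValidator assertionValidator, AssertionDocument assertionDocument) throws SAMLValidationException {
        assertionValidator.validate(assertionDocument);
        AssertionType assertion = assertionDocument.getAssertion();
        NameIDType issuer = requireIssuer(assertion);
        if (issuer.getFormat() != null && !issuer.getFormat().equals(SAMLConstants.NFORMAT_ENTITY)) {
            throw new SAMLValidationException("Issuer of assertion must be of Entity type in SSO AuthN. It is: " + issuer.getFormat());
        }
        // Over HTTP POST the response envelope offers no transport-level protection of the assertion.
        if (this.binding == SAMLBindings.HTTP_POST && (assertion.getSignature() == null || assertion.getSignature().isNil())) {
            throw new SAMLValidationException("Assertion is not signed in the SSO authN used over HTTP POST, while should be.");
        }
        this.otherAssertions.add(assertionDocument);
    }

    /**
     * Checks that an assertion names the same issuer as everything seen before it.
     *
     * @param expected issuer established so far (response issuer or an earlier assertion's); may be {@code null}
     * @param assertion assertion whose issuer is compared
     * @return the issuer subsequent assertions must match
     * @throws SAMLValidationException if the assertion has no issuer or a different one
     */
    private static NameIDType checkIssuerConsistency(NameIDType expected, AssertionType assertion) throws SAMLValidationException {
        NameIDType assertionIssuer = requireIssuer(assertion);
        if (expected == null) {
            return assertionIssuer;
        }
        if (!expected.getStringValue().equals(assertionIssuer.getStringValue())) {
            throw new SAMLValidationException("Inconsistent issuer in assertion: " + assertionIssuer + ", previously had: " + expected);
        }
        return expected;
    }

    /**
     * Returns the assertion's issuer, rejecting assertions that omit it.
     * Issuer is a mandatory element of a SAML 2.0 assertion.
     *
     * @param assertion assertion to inspect
     * @return the non-null issuer
     * @throws SAMLValidationException if the assertion has no issuer
     */
    private static NameIDType requireIssuer(AssertionType assertion) throws SAMLValidationException {
        NameIDType issuer = assertion.getIssuer();
        if (issuer == null) {
            throw new SAMLValidationException("Assertion has no issuer, which is required in SSO AuthN");
        }
        return issuer;
    }
}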
