package org.opensaml.saml.saml2.assertion.impl;

import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.concurrent.ThreadSafe;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import org.joda.time.DateTime;
import org.joda.time.chrono.ISOChronology;
import org.opensaml.saml.common.assertion.AssertionValidationException;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.assertion.SAML20AssertionValidator;
import org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters;
import org.opensaml.saml.saml2.assertion.SubjectConfirmationValidator;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

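/**
 * Base class for {@link SubjectConfirmationValidator} implementations.
 *
 * <p>{@link #validate} runs the checks shared by all confirmation methods against the
 * {@code SubjectConfirmationData} element (NotBefore, NotOnOrAfter, Recipient, Address) and then
 * hands over to the method-specific {@link #doValidate}.</p>
 *
 * <p>Security notes for implementers and callers:</p>
 * <ul>
 *   <li>Every shared check treats an <em>absent</em> attribute as {@link ValidationResult#VALID}, and
 *       all four checks are skipped when {@code SubjectConfirmationData} itself is absent. A profile
 *       that requires these attributes to be present (for example a Recipient and NotOnOrAfter on a
 *       bearer confirmation) has to enforce that in {@link #doValidate} or in the caller.</li>
 *   <li>A missing or wrongly typed static parameter yields {@link ValidationResult#INDETERMINATE},
 *       not {@code VALID}. Callers must accept only {@code VALID} as success.</li>
 *   <li>Nothing in this class checks a signature or the issuer. NOTE(review): confirm that the
 *       assertion's authenticity is established before these attribute values are relied on.</li>
 * </ul>
 */
@ThreadSafe
/* loaded from: input_file:plugins/opensaml-3.3.1.wso2v11.jar:org/opensaml/saml/saml2/assertion/impl/AbstractSubjectConfirmationValidator.class */
public abstract class AbstractSubjectConfirmationValidator implements SubjectConfirmationValidator {
    /** Class logger. Final so that the reference is safely published to all threads. */
    private final Logger log = LoggerFactory.getLogger(AbstractSubjectConfirmationValidator.class);

    /**
     * Runs the shared SubjectConfirmationData checks in a fixed order and, if all of them pass,
     * delegates to {@link #doValidate}.
     *
     * <p>The first check that does not return {@link ValidationResult#VALID} ends the evaluation and
     * its result is returned unchanged. When the confirmation carries no SubjectConfirmationData the
     * shared checks are skipped entirely and only {@link #doValidate} decides.</p>
     *
     * @param subjectConfirmation the confirmation being evaluated
     * @param assertion the assertion that carries the confirmation
     * @param validationContext the current validation context; receives the failure message
     * @return the first non-VALID shared result, otherwise the result of {@link #doValidate}
     * @throws AssertionValidationException if {@link #doValidate} or an overridden check throws it
     */
    @Override // org.opensaml.saml.saml2.assertion.SubjectConfirmationValidator
    @Nonnull
    public ValidationResult validate(@Nonnull SubjectConfirmation subjectConfirmation, @Nonnull Assertion assertion, @Nonnull ValidationContext validationContext) throws AssertionValidationException {
        if (subjectConfirmation.getSubjectConfirmationData() != null) {
            ValidationResult result = validateNotBefore(subjectConfirmation, assertion, validationContext);
            if (result != ValidationResult.VALID) {
                return result;
            }
            result = validateNotOnOrAfter(subjectConfirmation, assertion, validationContext);
            if (result != ValidationResult.VALID) {
                return result;
            }
            result = validateRecipient(subjectConfirmation, assertion, validationContext);
            if (result != ValidationResult.VALID) {
                return result;
            }
            result = validateAddress(subjectConfirmation, assertion, validationContext);
            if (result != ValidationResult.VALID) {
                return result;
            }
        }
        return doValidate(subjectConfirmation, assertion, validationContext);
    }

    /**
     * Checks the NotBefore attribute against the current UTC time plus the clock skew taken from the
     * validation context.
     *
     * <p>Precondition: {@code subjectConfirmation.getSubjectConfirmationData()} is non-null;
     * {@link #validate} guarantees this, a direct caller must do the same.</p>
     *
     * @param subjectConfirmation the confirmation being evaluated
     * @param assertion the assertion that carries the confirmation (used for the failure message)
     * @param validationContext the current validation context
     * @return VALID if NotBefore is absent or not after the skewed current time, otherwise INVALID
     * @throws AssertionValidationException declared for overriding implementations
     */
    @Nonnull
    protected ValidationResult validateNotBefore(@Nonnull SubjectConfirmation subjectConfirmation, @Nonnull Assertion assertion, @Nonnull ValidationContext validationContext) throws AssertionValidationException {
        // Skew is added here so that an issuer whose clock runs slightly ahead is still accepted.
        DateTime skewedNow = new DateTime(ISOChronology.getInstanceUTC()).plus(SAML20AssertionValidator.getClockSkew(validationContext));
        DateTime notBefore = subjectConfirmation.getSubjectConfirmationData().getNotBefore();
        this.log.debug("Evaluating SubjectConfirmationData NotBefore '{}' against 'skewed now' time '{}'", notBefore, skewedNow);
        if (notBefore != null && notBefore.isAfter(skewedNow)) {
            validationContext.setValidationFailureMessage(String.format("Subject confirmation, in assertion '%s', with NotBefore condition of '%s' is not yet valid", assertion.getID(), notBefore));
            return ValidationResult.INVALID;
        }
        // An absent NotBefore is accepted here.
        return ValidationResult.VALID;
    }

    /**
     * Checks the NotOnOrAfter attribute against the current UTC time minus the clock skew taken from
     * the validation context.
     *
     * <p>An absent NotOnOrAfter is accepted, which places no upper bound on the confirmation's
     * lifetime at this layer. Precondition: SubjectConfirmationData is non-null.</p>
     *
     * @param subjectConfirmation the confirmation being evaluated
     * @param assertion the assertion that carries the confirmation (used for the failure message)
     * @param validationContext the current validation context
     * @return VALID if NotOnOrAfter is absent or not before the skewed current time, otherwise INVALID
     * @throws AssertionValidationException declared for overriding implementations
     */
    @Nonnull
    protected ValidationResult validateNotOnOrAfter(@Nonnull SubjectConfirmation subjectConfirmation, @Nonnull Assertion assertion, @Nonnull ValidationContext validationContext) throws AssertionValidationException {
        // Skew is subtracted here so that an issuer whose clock runs slightly behind is still accepted.
        DateTime skewedNow = new DateTime(ISOChronology.getInstanceUTC()).minus(SAML20AssertionValidator.getClockSkew(validationContext));
        DateTime notOnOrAfter = subjectConfirmation.getSubjectConfirmationData().getNotOnOrAfter();
        this.log.debug("Evaluating SubjectConfirmationData NotOnOrAfter '{}' against 'skewed now' time '{}'", notOnOrAfter, skewedNow);
        if (notOnOrAfter != null && notOnOrAfter.isBefore(skewedNow)) {
            validationContext.setValidationFailureMessage(String.format("Subject confirmation, in assertion '%s', with NotOnOrAfter condition of '%s' is no longer valid", assertion.getID(), notOnOrAfter));
            return ValidationResult.INVALID;
        }
        return ValidationResult.VALID;
    }

    /**
     * Checks the Recipient attribute against the set of acceptable recipients supplied through the
     * static parameter {@link SAML2AssertionValidationParameters#SC_VALID_RECIPIENTS}.
     *
     * <p>The comparison is an exact {@link Set#contains} lookup of the trimmed attribute value; no
     * URL normalisation or case folding is applied, so the configured entries have to match the
     * endpoint exactly as the issuer writes it. An absent or blank Recipient is accepted.
     * Precondition: SubjectConfirmationData is non-null.</p>
     *
     * @param subjectConfirmation the confirmation being evaluated
     * @param assertion the assertion that carries the confirmation (used for the failure message)
     * @param validationContext the current validation context
     * @return VALID if Recipient is absent or listed, INVALID if it is not listed, INDETERMINATE if
     *         the set of valid recipients is missing, empty or not usable
     * @throws AssertionValidationException declared for overriding implementations
     */
    @Nonnull
    protected ValidationResult validateRecipient(@Nonnull SubjectConfirmation subjectConfirmation, @Nonnull Assertion assertion, @Nonnull ValidationContext validationContext) throws AssertionValidationException {
        String recipient = StringSupport.trimOrNull(subjectConfirmation.getSubjectConfirmationData().getRecipient());
        if (recipient == null) {
            return ValidationResult.VALID;
        }
        // The value logged here comes from the assertion itself.
        this.log.debug("Evaluating SubjectConfirmationData@Recipient of : {}", recipient);
        try {
            // The cast fails if the parameter is not a Set; a sorted set may also throw from
            // contains() when its elements are not comparable with a String. Both end up below.
            Set<?> validRecipients = (Set<?>) validationContext.getStaticParameters().get(SAML2AssertionValidationParameters.SC_VALID_RECIPIENTS);
            if (validRecipients == null || validRecipients.isEmpty()) {
                // Without an allow-list the check cannot pass: report INDETERMINATE, never VALID.
                this.log.warn("Set of valid recipient URI's was not available from the validation context, unable to evaluate SubjectConfirmationData@Recipient");
                validationContext.setValidationFailureMessage("Unable to determine list of valid subject confirmation recipient endpoints");
                return ValidationResult.INDETERMINATE;
            }
            if (validRecipients.contains(recipient)) {
                this.log.debug("Matched valid recipient: {}", recipient);
                return ValidationResult.VALID;
            }
            this.log.debug("Failed to match SubjectConfirmationData@Recipient to any supplied valid recipients: {}", validRecipients);
            validationContext.setValidationFailureMessage(String.format("Subject confirmation recipient for asertion '%s' did not match any valid recipients", assertion.getID()));
            return ValidationResult.INVALID;
        } catch (ClassCastException e) {
            this.log.warn("The value of the static validation parameter '{}' was not java.util.Set<String>", SAML2AssertionValidationParameters.SC_VALID_RECIPIENTS);
            validationContext.setValidationFailureMessage("Unable to determine list of valid subject confirmation recipient endpoints");
            return ValidationResult.INDETERMINATE;
        }
    }

    /**
     * Checks the Address attribute against the set of acceptable addresses supplied through the
     * static parameter {@link SAML2AssertionValidationParameters#SC_VALID_ADDRESSES}.
     *
     * <p>The attribute value is passed to {@link InetAddress#getAllByName(String)}. When the value
     * is a host name rather than an IP literal this performs a name-service lookup, so the outcome
     * depends on the resolver's answer and the lookup is made for a name taken from the assertion.
     * The check passes as soon as any one of the resolved addresses is in the valid set. An absent
     * or blank Address is accepted. Precondition: SubjectConfirmationData is non-null.</p>
     *
     * @param subjectConfirmation the confirmation being evaluated
     * @param assertion the assertion that carries the confirmation (used for messages)
     * @param validationContext the current validation context
     * @return VALID if Address is absent or one resolved address is listed, INVALID if none is
     *         listed, INDETERMINATE if the value cannot be resolved or the set of valid addresses is
     *         missing, empty or not usable
     * @throws AssertionValidationException declared for overriding implementations
     */
    @Nonnull
    protected ValidationResult validateAddress(@Nonnull SubjectConfirmation subjectConfirmation, @Nonnull Assertion assertion, @Nonnull ValidationContext validationContext) throws AssertionValidationException {
        String address = StringSupport.trimOrNull(subjectConfirmation.getSubjectConfirmationData().getAddress());
        if (address == null) {
            return ValidationResult.VALID;
        }
        this.log.debug("Evaluating SubjectConfirmationData@Address of : {}", address);

        final InetAddress[] resolved;
        try {
            resolved = InetAddress.getAllByName(address);
        } catch (UnknownHostException e) {
            this.log.warn("The subject confirmation address '{}' in assetion '{}' can not be resolved to a valid set of IP address(s)", address, assertion.getID());
            validationContext.setValidationFailureMessage(String.format("Subject confirmation address '%s' is not resolvable hostname or IP address", address));
            return ValidationResult.INDETERMINATE;
        }
        if (this.log.isDebugEnabled()) {
            this.log.debug("SubjectConfirmationData/@Address was resolved to addresses: {}", Arrays.asList(resolved));
        }

        try {
            Set<?> validAddresses = (Set<?>) validationContext.getStaticParameters().get(SAML2AssertionValidationParameters.SC_VALID_ADDRESSES);
            if (validAddresses == null || validAddresses.isEmpty()) {
                // Without an allow-list the check cannot pass: report INDETERMINATE, never VALID.
                this.log.warn("Set of valid addresses was not available from the validation context, unable to evaluate SubjectConfirmationData@Address");
                validationContext.setValidationFailureMessage("Unable to determine list of valid subject confirmation addresses");
                return ValidationResult.INDETERMINATE;
            }
            for (InetAddress candidate : resolved) {
                if (validAddresses.contains(candidate)) {
                    this.log.debug("Matched SubjectConfirmationData address '{}' to valid address", candidate.getHostAddress());
                    return ValidationResult.VALID;
                }
            }
            // The placeholder was missing, so the set passed as argument never reached the log;
            // now consistent with the corresponding message for the Recipient check.
            this.log.debug("Failed to match SubjectConfirmationData@Address to any supplied valid addresses: {}", validAddresses);
            validationContext.setValidationFailureMessage(String.format("Subject confirmation address for asertion '%s' did not match any valid addresses", assertion.getID()));
            return ValidationResult.INVALID;
        } catch (ClassCastException e) {
            this.log.warn("The value of the static validation parameter '{}' was not java.util.Set<InetAddress>", SAML2AssertionValidationParameters.SC_VALID_ADDRESSES);
            validationContext.setValidationFailureMessage("Unable to determine list of valid subject confirmation addresses");
            return ValidationResult.INDETERMINATE;
        }
    }

    /**
     * Performs the checks specific to one subject confirmation method.
     *
     * <p>Called by {@link #validate} after the shared checks have passed, and also when the
     * confirmation has no SubjectConfirmationData at all, in which case none of the shared checks
     * has run. An implementation that depends on SubjectConfirmationData or on particular
     * attributes being present has to verify that itself.</p>
     *
     * @param subjectConfirmation the confirmation being evaluated
     * @param assertion the assertion that carries the confirmation
     * @param validationContext the current validation context
     * @return the result of the method-specific validation
     * @throws AssertionValidationException if the implementation cannot complete the evaluation
     */
    @Nonnull
    protected abstract ValidationResult doValidate(@Nonnull SubjectConfirmation subjectConfirmation, @Nonnull Assertion assertion, @Nonnull ValidationContext validationContext) throws AssertionValidationException;
}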
