package org.apache.wss4j.stax.validate;

import java.util.Date;
import org.apache.wss4j.common.cache.ReplayCache;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.stax.impl.securityToken.SamlSecurityTokenImpl;
import org.apache.wss4j.stax.securityToken.SamlSecurityToken;
import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
import org.joda.time.DateTime;
import org.opensaml.common.SAMLVersion;

/* loaded from: input_file:org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.class */
public class SamlTokenValidatorImpl extends SignatureTokenValidatorImpl implements SamlTokenValidator {

    // Future time-to-live handed to SamlAssertionWrapper.checkConditions (unit not visible here; presumably seconds — confirm).
    private int futureTTL = 60;
    // Flag forwarded to SamlAssertionWrapper.validateAssertion.
    private boolean validateSignatureAgainstProfile = true;

    /**
     * Sets the future time-to-live used by {@link #checkConditions(SamlAssertionWrapper)}.
     *
     * @param i the new future TTL value
     */
    public void setFutureTTL(int i) {
        futureTTL = i;
    }

    /**
     * Returns whether the assertion's signature is validated against the SAML profile.
     *
     * @return the current flag value
     */
    public boolean isValidateSignatureAgainstProfile() {
        return validateSignatureAgainstProfile;
    }

    /**
     * Sets whether the assertion's signature is validated against the SAML profile.
     *
     * @param z the new flag value
     */
    public void setValidateSignatureAgainstProfile(boolean z) {
        validateSignatureAgainstProfile = z;
    }

    /**
     * Validates the SAML assertion (conditions, one-time-use replay check, profile validation)
     * and wraps it in a {@link SamlSecurityTokenImpl}.
     *
     * @param samlAssertionWrapper the parsed assertion
     * @param inboundSecurityToken the token that carried the assertion
     * @param tokenContext          security context, properties and element location
     * @return the security token built for the assertion
     * @throws WSSecurityException if any of the checks rejects the assertion
     */
    @Override // org.apache.wss4j.stax.validate.SamlTokenValidator
    @SuppressWarnings("unchecked")
    public <T extends SamlSecurityToken & InboundSecurityToken> T validate(
            SamlAssertionWrapper samlAssertionWrapper,
            InboundSecurityToken inboundSecurityToken,
            TokenContext tokenContext) throws WSSecurityException {
        // Order matters: the condition check runs before the replay check, so the NotOnOrAfter-derived
        // cache TTL in checkOneTimeUse is computed for an assertion that has presumably already passed
        // its validity-window check (checkConditions' exact semantics live in SamlAssertionWrapper).
        checkConditions(samlAssertionWrapper);
        ReplayCache oneTimeUseCache = tokenContext.getWssSecurityProperties().getSamlOneTimeUseReplayCache();
        checkOneTimeUse(samlAssertionWrapper, oneTimeUseCache);
        validateAssertion(samlAssertionWrapper);

        // Only a signed assertion gets a verification Crypto; an unsigned one is wrapped with none.
        Crypto verificationCrypto = samlAssertionWrapper.isSigned()
                ? tokenContext.getWssSecurityProperties().getSignatureVerificationCrypto()
                : null;

        SamlSecurityTokenImpl token = new SamlSecurityTokenImpl(
                samlAssertionWrapper,
                inboundSecurityToken,
                tokenContext.getWsSecurityContext(),
                verificationCrypto,
                WSSecurityTokenConstants.KeyIdentifier_NoKeyInfo,
                tokenContext.getWssSecurityProperties());
        token.setElementPath(tokenContext.getElementPath());
        token.setXMLSecEvent(tokenContext.getFirstXMLSecEvent());
        // Unchecked: T is erased and the interface contract is satisfied by the concrete token type.
        return (T) token;
    }

    /**
     * Delegates the conditions check to the wrapper using the configured future TTL.
     *
     * @param samlAssertionWrapper the parsed assertion
     * @throws WSSecurityException if the wrapper rejects the conditions
     */
    protected void checkConditions(SamlAssertionWrapper samlAssertionWrapper) throws WSSecurityException {
        samlAssertionWrapper.checkConditions(futureTTL);
    }

    /**
     * Enforces the SAML 2.0 {@code OneTimeUse} condition against a replay cache.
     * <p>
     * Nothing is checked when no cache is configured, the assertion is not SAML 2.0, it has no
     * {@code Conditions}, or those conditions carry no {@code OneTimeUse} element. Otherwise the
     * assertion ID must not already be cached; it is then cached until {@code NotOnOrAfter}
     * (plus one second), or with the cache's default lifetime when no expiry is set.
     *
     * @param samlAssertionWrapper the parsed assertion
     * @param replayCache          cache of already-seen assertion IDs, may be {@code null}
     * @throws WSSecurityException if the assertion ID was seen before (replay)
     */
    protected void checkOneTimeUse(SamlAssertionWrapper samlAssertionWrapper, ReplayCache replayCache) throws WSSecurityException {
        if (replayCache == null) {
            return;
        }
        if (!samlAssertionWrapper.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
            return;
        }
        if (samlAssertionWrapper.getSaml2().getConditions() == null) {
            return;
        }
        if (samlAssertionWrapper.getSaml2().getConditions().getOneTimeUse() == null) {
            return;
        }

        String assertionId = samlAssertionWrapper.getId();
        // NOTE(review): contains() followed by add() is not atomic, so two concurrent presentations of
        // the same assertion could both pass this check; whether ReplayCache offers an atomic
        // check-and-add is not visible from this file.
        if (replayCache.contains(assertionId)) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, "badSamlToken", new Object[]{"A replay attack has been detected"});
        }

        DateTime expiry = samlAssertionWrapper.getSaml2().getConditions().getNotOnOrAfter();
        if (expiry == null) {
            replayCache.add(assertionId);
            return;
        }
        // Keep the entry until the assertion itself expires; the extra second rounds the
        // millisecond remainder up so a soon-to-expire assertion is still cached.
        long remainingMillis = expiry.getMillis() - System.currentTimeMillis();
        long ttlSeconds = 1L + remainingMillis / 1000L;
        replayCache.add(assertionId, ttlSeconds);
    }

    /**
     * Delegates profile validation to the wrapper using the configured signature-profile flag.
     *
     * @param samlAssertionWrapper the parsed assertion
     * @throws WSSecurityException if the wrapper rejects the assertion
     */
    protected void validateAssertion(SamlAssertionWrapper samlAssertionWrapper) throws WSSecurityException {
        samlAssertionWrapper.validateAssertion(validateSignatureAgainstProfile);
    }
}
