package org.opensaml.saml2.binding.security;

import org.opensaml.common.SAMLObject;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.ws.message.MessageContext;
import org.opensaml.ws.security.SecurityPolicyException;
import org.opensaml.ws.security.SecurityPolicyRule;
import org.opensaml.ws.transport.http.HTTPInTransport;
import org.opensaml.xml.util.DatatypeHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/opensaml-2.6.6.wso2v3.jar:org/opensaml/saml2/binding/security/SAML2AuthnRequestsSignedRule.class
 */
/* loaded from: input_file:WEB-INF/lib/opensaml-2.6.6.jar:org/opensaml/saml2/binding/security/SAML2AuthnRequestsSignedRule.class */
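/**
 * Security policy rule that enforces the {@code AuthnRequestsSigned} flag of the requesting
 * SP's {@link SPSSODescriptor} metadata: when the SP's metadata declares that its
 * {@link AuthnRequest}s are signed, an inbound {@code AuthnRequest} that carries no signature
 * is rejected with a {@link SecurityPolicyException}.
 *
 * <p>This rule only checks for the <em>presence</em> of a signature (an enveloped XML
 * signature on the message, or a {@code Signature} HTTP request parameter as used by the
 * HTTP-Redirect binding). It does not verify the signature itself; verification is expected
 * to be performed by a separate signature-validation rule in the same policy, so this rule
 * on its own must not be read as proof that the request is authentic.</p>
 *
 * <p>The rule is deliberately lenient when it cannot evaluate (non-SAML context, message that
 * is not an {@code AuthnRequest}, missing issuer, missing metadata provider, or unresolvable
 * SP role): those cases are logged and the rule returns without throwing. Only a metadata
 * lookup failure or a missing required signature is treated as a policy violation.</p>
 */
public class SAML2AuthnRequestsSignedRule implements SecurityPolicyRule {

    /** Class logger. */
    private static final Logger log = LoggerFactory.getLogger(SAML2AuthnRequestsSignedRule.class);

    /**
     * Evaluates the rule against the inbound message of the given context.
     *
     * @param messageContext the message context; only {@link SAMLMessageContext} instances
     *        whose inbound SAML message is an {@link AuthnRequest} are evaluated
     * @throws SecurityPolicyException if the SP metadata requires signed {@code AuthnRequest}s
     *         and the inbound message carries no signature, or if resolving the SP's role
     *         metadata fails
     */
    @Override // org.opensaml.ws.security.SecurityPolicyRule
    public void evaluate(MessageContext messageContext) throws SecurityPolicyException {
        if (!(messageContext instanceof SAMLMessageContext)) {
            log.debug("Invalid message context type, this policy rule only supports SAMLMessageContext");
            return;
        }
        SAMLMessageContext samlMsgCtx = (SAMLMessageContext) messageContext;

        if (!(samlMsgCtx.getInboundSAMLMessage() instanceof AuthnRequest)) {
            log.debug("Inbound message is not an instance of AuthnRequest, skipping evaluation...");
            return;
        }

        String messageIssuer = samlMsgCtx.getInboundMessageIssuer();
        if (DatatypeHelper.isEmpty(messageIssuer)) {
            log.warn("Inbound message issuer was empty, unable to evaluate rule");
            return;
        }

        MetadataProvider metadataProvider = samlMsgCtx.getMetadataProvider();
        if (metadataProvider == null) {
            log.warn("Message context did not contain a metadata provider, unable to evaluate rule");
            return;
        }

        SPSSODescriptor spssoRole = resolveSpRole(metadataProvider, messageIssuer);
        if (spssoRole == null) {
            log.warn("SPSSODescriptor role metadata for entityID '{}' could not be resolved", messageIssuer);
            return;
        }

        // Boolean.TRUE.equals(...) rather than a reference comparison: isAuthnRequestsSigned()
        // returns a boxed Boolean that may be null (attribute absent) or a non-canonical instance.
        if (!Boolean.TRUE.equals(spssoRole.isAuthnRequestsSigned())) {
            log.debug("SPSSODescriptor for entity ID '{}' does not require AuthnRequests to be signed", messageIssuer);
            return;
        }

        if (!isMessageSigned(samlMsgCtx)) {
            log.error("SPSSODescriptor for entity ID '{}' indicates AuthnRequests must be signed, but inbound message was not signed", messageIssuer);
            throw new SecurityPolicyException("Inbound AuthnRequest was required to be signed but was not");
        }
    }

    /**
     * Looks up the SP role descriptor of the message issuer in the metadata provider.
     *
     * @param metadataProvider provider to query
     * @param messageIssuer entityID of the inbound message issuer
     * @return the resolved {@link SPSSODescriptor}, or {@code null} if the provider has no such role
     * @throws SecurityPolicyException if the metadata lookup itself fails
     */
    private static SPSSODescriptor resolveSpRole(MetadataProvider metadataProvider, String messageIssuer)
            throws SecurityPolicyException {
        try {
            return (SPSSODescriptor) metadataProvider.getRole(messageIssuer, SPSSODescriptor.DEFAULT_ELEMENT_NAME,
                    SAMLConstants.SAML20P_NS);
        } catch (MetadataProviderException e) {
            log.warn("Error resolving SPSSODescriptor metadata for entityID '{}': {}", messageIssuer, e.getMessage());
            throw new SecurityPolicyException("Error resolving metadata for entity ID", e);
        }
    }

    /**
     * Determines whether the inbound message carries a signature, either as an enveloped XML
     * signature on the message object or as a non-empty {@code Signature} request parameter on
     * the HTTP inbound transport (the HTTP-Redirect binding carries the signature out of band).
     *
     * <p>Presence only: this method does not validate the signature.</p>
     *
     * @param samlMsgCtx the SAML message context
     * @return {@code true} if a signature is present in either location, {@code false} otherwise
     *         (including when the inbound transport is not an {@link HTTPInTransport}, in which
     *         case no request parameter can be consulted and the message is treated as unsigned)
     */
    protected boolean isMessageSigned(SAMLMessageContext samlMsgCtx) {
        SAMLObject samlMessage = samlMsgCtx.getInboundSAMLMessage();
        if (samlMessage instanceof SignableSAMLObject && ((SignableSAMLObject) samlMessage).isSigned()) {
            return true;
        }

        // Guarded instead of an unchecked cast: a non-HTTP (or absent) transport cannot carry the
        // Signature parameter, so fail closed and report the message as unsigned rather than
        // letting a ClassCastException/NullPointerException escape the policy evaluation.
        Object inTransport = samlMsgCtx.getInboundMessageTransport();
        if (!(inTransport instanceof HTTPInTransport)) {
            return false;
        }
        String sigParam = ((HTTPInTransport) inTransport).getParameterValue("Signature");
        return !DatatypeHelper.isEmpty(sigParam);
    }
}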
