package org.opensaml.common.binding.security;

import javax.servlet.ServletRequest;
import org.apache.log4j.Logger;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.common.binding.security.BaseSAMLSignatureSecurityPolicyRuleFactory;
import org.opensaml.ws.security.SecurityPolicyContext;
import org.opensaml.ws.security.SecurityPolicyException;
import org.opensaml.ws.security.SecurityPolicyRule;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.security.trust.TrustEngine;
import org.opensaml.xml.signature.Signature;

/* loaded from: input_file:org/opensaml/common/binding/security/SAMLProtocolMessageXMLSignatureSecurityPolicyRuleFactory.class */
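public class SAMLProtocolMessageXMLSignatureSecurityPolicyRuleFactory extends BaseSAMLSignatureSecurityPolicyRuleFactory {

    /**
     * Policy rule that verifies the XML signature carried on a signed SAML protocol
     * message against the configured {@link TrustEngine}, using the issuer already
     * recorded in the {@link SecurityPolicyContext} to select trusted credentials.
     *
     * <p>Security-relevant behaviour, as visible in this class:
     * <ul>
     *   <li>An <em>unsigned</em> message is not rejected here; the rule logs and returns.
     *       Whether a signature is mandatory must be enforced by some other rule in the
     *       policy -- confirm that such a rule is configured wherever this one is used.</li>
     *   <li>The issuer is taken from the context, not parsed from the message, so an
     *       earlier rule must have populated it. If it is absent the rule fails closed
     *       with a {@link SecurityPolicyException} rather than attempting verification.</li>
     *   <li>No signature-profile checks (reference/transform restrictions) are visible
     *       in this class. NOTE(review): they are assumed to happen inside the inherited
     *       {@code evaluate(Signature, CriteriaSet)} or a preceding rule -- verify.</li>
     *   <li>On success the context issuer is marked as authenticated; this is the only
     *       state the rule writes.</li>
     * </ul>
     */
    protected class SAMLProtocolMessageXMLSignatureSecurityPolicyRule extends BaseSAMLSignatureSecurityPolicyRuleFactory.BaseSAMLSignatureSecurityPolicyRule {
        private final Logger log;

        /**
         * @param trustEngine engine used by the inherited signature evaluation to decide
         *                    whether the signing credential is trusted for the issuer
         */
        public SAMLProtocolMessageXMLSignatureSecurityPolicyRule(TrustEngine<Signature> trustEngine) {
            super(trustEngine);
            this.log = Logger.getLogger(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.class);
        }

        /**
         * Verifies the signature on the SAML protocol message extracted from {@code xMLObject}.
         *
         * @param servletRequest        the inbound request, passed through to criteria building
         * @param xMLObject             the parsed inbound XML; the SAML message is extracted from it
         * @param securityPolicyContext supplies the issuer and receives the authenticated flag
         * @throws SecurityPolicyException if the context issuer is missing, or the signature
         *                                 fails trust/validity evaluation
         */
        public void evaluate(ServletRequest servletRequest, XMLObject xMLObject, SecurityPolicyContext securityPolicyContext) throws SecurityPolicyException {
            SAMLObject samlMessage = SAMLSecurityPolicyHelper.getSAMLMessage(xMLObject);
            if (samlMessage == null) {
                this.log.debug("Could not extract SAML message");
                return;
            }
            if (!(samlMessage instanceof SignableSAMLObject)) {
                this.log.debug("Extracted SAML message was not a SignableSAMLObject, can not process signature");
                return;
            }
            SignableSAMLObject signable = (SignableSAMLObject) samlMessage;
            // Deliberate non-enforcement: an unsigned message passes this rule untouched.
            // A "signature required" decision belongs to a separate rule, not here.
            if (!signable.isSigned()) {
                this.log.info("SAML protocol message was not signed, skipping XML signature processing");
                return;
            }
            Signature signature = signable.getSignature();

            // Fail closed: without a context issuer there is nothing to bind the
            // trusted-key lookup to, so verification must not be attempted.
            String issuer = securityPolicyContext.getIssuer();
            if (issuer == null) {
                this.log.error("Context issuer unavailable, can not attempt SAML protocol message signature validation");
                throw new SecurityPolicyException("Context issuer unavailable, can not validate signature");
            }

            String qName = signable.getElementQName().toString();
            if (this.log.isDebugEnabled()) {
                this.log.debug("Attempting to verify signature on signed SAML protocol message using context issuer, message type: " + qName);
            }

            // Reuse the already-read issuer so the criteria set is built from exactly the
            // value that was null-checked above (the original re-read it from the context).
            if (!evaluate(signature, buildCriteriaSet(issuer, servletRequest, xMLObject, securityPolicyContext))) {
                this.log.error("Validation of protocol message signature failed for context issuer '" + issuer + "', message type: " + qName);
                throw new SecurityPolicyException("Validation of protocol message signature failed");
            }
            if (this.log.isInfoEnabled()) {
                this.log.info("Validation of protocol message signature succeeded, message type: " + qName);
            }

            // equals() rather than reference comparison: a non-canonical Boolean instance
            // (or a null) would otherwise make the identity test unreliable.
            if (!Boolean.TRUE.equals(securityPolicyContext.isIssuerAuthenticated())) {
                if (this.log.isInfoEnabled()) {
                    this.log.info("Authentication via protocol message signature succeeded for context issuer entity ID '" + issuer + "'");
                }
                securityPolicyContext.setIssuerAuthenticated(true);
            }
        }
    }

    /**
     * Creates a new rule bound to this factory's trust engine.
     *
     * @return a fresh {@link SAMLProtocolMessageXMLSignatureSecurityPolicyRule}
     */
    public SecurityPolicyRule<ServletRequest> createRuleInstance() {
        return new SAMLProtocolMessageXMLSignatureSecurityPolicyRule(getTrustEngine());
    }
}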
