package org.opensaml.saml.saml2.assertion.impl;

import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Objects;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.concurrent.ThreadSafe;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.primitive.ObjectSupport;
import net.shibboleth.shared.primitive.StringSupport;
import org.opensaml.saml.common.assertion.AssertionValidationException;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.assertion.SAML20AssertionValidator;
import org.opensaml.saml.saml2.assertion.SubjectConfirmationValidator;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.saml2.core.SubjectConfirmationData;
import org.slf4j.Logger;

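/**
 * Base class for {@link SubjectConfirmationValidator} implementations that applies the checks common
 * to all confirmation methods before delegating to {@link #doValidate}.
 *
 * <p>When {@code SubjectConfirmationData} is present, the checks run in this order and stop at the
 * first result that is not {@link ValidationResult#VALID}: NotBefore, NotOnOrAfter, Recipient,
 * Address, InResponseTo. Only then is the method-specific {@link #doValidate} called.</p>
 *
 * <p><strong>Security notes for deployers.</strong></p>
 * <ul>
 *   <li>Every "required" flag read from the static parameters defaults to {@code false}. With the
 *       defaults, an assertion whose confirmation data omits Recipient, NotOnOrAfter, InResponseTo,
 *       NotBefore or Address passes these generic checks, and a confirmation with no
 *       {@code SubjectConfirmationData} at all skips them entirely. Deployments that rely on those
 *       attributes to bound where and when an assertion can be presented must set the
 *       corresponding flag explicitly. (The SAML 2.0 Web Browser SSO profile requires bearer
 *       confirmations to carry Recipient and NotOnOrAfter.)</li>
 *   <li>{@link ValidationResult#INDETERMINATE} is returned when the expected value was not supplied
 *       in the validation context or had the wrong type. Callers should treat anything other than
 *       {@code VALID} as a failure.</li>
 *   <li>Failure messages added to the context can contain the configured expected values (valid
 *       InResponseTo, valid recipient set). Treat them as diagnostic output for the relying party,
 *       not as text to return to the remote peer.</li>
 * </ul>
 */
@ThreadSafe
public abstract class AbstractSubjectConfirmationValidator implements SubjectConfirmationValidator {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(AbstractSubjectConfirmationValidator.class);

    /**
     * Runs the generic SubjectConfirmationData checks and then the method-specific validation.
     *
     * @param subjectConfirmation the confirmation being evaluated
     * @param assertion the assertion that carries the confirmation
     * @param validationContext the current validation context (static parameters and failure messages)
     * @return the first non-VALID result of a generic check, otherwise the result of {@link #doValidate}
     * @throws AssertionValidationException if a check or {@link #doValidate} raises it
     */
    @Nonnull
    public ValidationResult validate(@Nonnull SubjectConfirmation subjectConfirmation,
            @Nonnull Assertion assertion, @Nonnull ValidationContext validationContext)
            throws AssertionValidationException {
        // All flags are resolved up front, in the same order as before, because the is*Required
        // methods are overridable and a subclass may depend on being consulted.
        boolean addressRequired = isAddressRequired(validationContext);
        boolean inResponseToRequired = isInResponseToRequired(validationContext);
        boolean recipientRequired = isRecipientRequired(validationContext);
        boolean notOnOrAfterRequired = isNotOnOrAfterRequired(validationContext);
        boolean notBeforeRequired = isNotBeforeRequired(validationContext);

        SubjectConfirmationData confirmationData = subjectConfirmation.getSubjectConfirmationData();
        if (confirmationData == null) {
            // No data element: this is only a failure if at least one attribute was demanded.
            // With all flags at their default (false) the generic checks are skipped entirely.
            if (inResponseToRequired || recipientRequired || notOnOrAfterRequired
                    || notBeforeRequired || addressRequired) {
                validationContext.getValidationFailureMessages().add("SubjectConfirmationData was null and one or more data elements were required");
                return ValidationResult.INVALID;
            }
            return doValidate(subjectConfirmation, assertion, validationContext);
        }

        ValidationResult result = validateNotBefore(confirmationData, assertion, validationContext, notBeforeRequired);
        if (result != ValidationResult.VALID) {
            return result;
        }
        result = validateNotOnOrAfter(confirmationData, assertion, validationContext, notOnOrAfterRequired);
        if (result != ValidationResult.VALID) {
            return result;
        }
        result = validateRecipient(confirmationData, assertion, validationContext, recipientRequired);
        if (result != ValidationResult.VALID) {
            return result;
        }
        result = validateAddress(confirmationData, assertion, validationContext, addressRequired);
        if (result != ValidationResult.VALID) {
            return result;
        }
        result = validateInResponseTo(confirmationData, assertion, validationContext, inResponseToRequired);
        if (result != ValidationResult.VALID) {
            return result;
        }
        return doValidate(subjectConfirmation, assertion, validationContext);
    }

    /**
     * Reads a Boolean "required" flag from the context's static parameters.
     *
     * <p>A missing entry means "not required". A value that is not a {@link Boolean} raises
     * {@link ClassCastException}, exactly as the individual lookups did before they shared this
     * helper; it is not converted into a validation result.</p>
     *
     * @param validationContext the current validation context
     * @param parameterName the static parameter key to read
     * @return {@code true} only if the parameter is present and {@link Boolean#TRUE}
     */
    private static boolean isRequired(ValidationContext validationContext, String parameterName) {
        Boolean configured = (Boolean) validationContext.getStaticParameters().get(parameterName);
        return configured != null && configured.booleanValue();
    }

    /**
     * Whether SubjectConfirmationData/@Address must be present.
     *
     * @param validationContext the current validation context
     * @return the configured flag, {@code false} when not configured
     */
    protected boolean isAddressRequired(ValidationContext validationContext) {
        return isRequired(validationContext, "saml2.SubjectConfirmation.AddressRequired");
    }

    /**
     * Whether SubjectConfirmationData/@Recipient must be present.
     *
     * @param validationContext the current validation context
     * @return the configured flag, {@code false} when not configured
     */
    protected boolean isRecipientRequired(ValidationContext validationContext) {
        return isRequired(validationContext, "saml2.SubjectConfirmation.RecipientRequired");
    }

    /**
     * Whether SubjectConfirmationData/@NotBefore must be present.
     *
     * @param validationContext the current validation context
     * @return the configured flag, {@code false} when not configured
     */
    protected boolean isNotBeforeRequired(ValidationContext validationContext) {
        return isRequired(validationContext, "saml2.SubjectConfirmation.NotBeforeRequired");
    }

    /**
     * Whether SubjectConfirmationData/@NotOnOrAfter must be present.
     *
     * @param validationContext the current validation context
     * @return the configured flag, {@code false} when not configured
     */
    protected boolean isNotOnOrAfterRequired(ValidationContext validationContext) {
        // NOTE(review): the key reads "NoOnOrAfterRequired" (no 't'). It is kept verbatim because
        // it has to match whatever key the caller stores; a caller using a "NotOnOrAfterRequired"
        // spelling would silently leave this requirement off. Verify against the parameter
        // constants used by the deployment.
        return isRequired(validationContext, "saml2.SubjectConfirmation.NoOnOrAfterRequired");
    }

    /**
     * Whether SubjectConfirmationData/@InResponseTo must be present.
     *
     * @param validationContext the current validation context
     * @return the configured flag, {@code false} when not configured
     */
    protected boolean isInResponseToRequired(ValidationContext validationContext) {
        return isRequired(validationContext, "saml2.SubjectConfirmation.InResponseToRequired");
    }

    /**
     * Checks SubjectConfirmationData/@InResponseTo against the single expected value held in the
     * static parameter {@code saml2.SubjectConfirmation.ValidInResponseTo}.
     *
     * <p>If the attribute is present, it is always compared, whether or not it was required. A
     * present attribute with no expected value configured yields INDETERMINATE rather than VALID.</p>
     *
     * @param subjectConfirmationData the confirmation data being evaluated
     * @param assertion the enclosing assertion, used for its ID in failure messages
     * @param validationContext the current validation context
     * @param required whether a missing attribute is a failure
     * @return VALID, INVALID, or INDETERMINATE when the expected value is unavailable or mistyped
     * @throws AssertionValidationException declared for subclasses; not thrown by this implementation
     */
    @Nonnull
    protected ValidationResult validateInResponseTo(@Nonnull SubjectConfirmationData subjectConfirmationData,
            @Nonnull Assertion assertion, @Nonnull ValidationContext validationContext, boolean required)
            throws AssertionValidationException {
        String inResponseTo = StringSupport.trimOrNull(subjectConfirmationData.getInResponseTo());
        if (inResponseTo == null) {
            if (!required) {
                return ValidationResult.VALID;
            }
            validationContext.getValidationFailureMessages().add("SubjectConfirmationData/@InResponseTo was missing and was required");
            return ValidationResult.INVALID;
        }
        // The logged value is taken from the assertion under validation, i.e. it is message-derived.
        this.log.debug("Evaluating SubjectConfirmationData@InResponseTo of: {}", inResponseTo);
        try {
            String expected = (String) validationContext.getStaticParameters().get("saml2.SubjectConfirmation.ValidInResponseTo");
            if (expected == null) {
                validationContext.getValidationFailureMessages().add("Valid InResponseTo was not available from the validation context, unable to evaluate SubjectConfirmationData@InResponseTo");
                return ValidationResult.INDETERMINATE;
            }
            if (Objects.equals(inResponseTo, expected)) {
                this.log.debug("Matched valid InResponseTo: {}", inResponseTo);
                return ValidationResult.VALID;
            }
            // This message discloses the expected request ID; keep it on the relying-party side.
            validationContext.getValidationFailureMessages().add(String.format("Subject confirmation InResponseTo for assertion '%s' did not match the valid value: %s", assertion.getID(), expected));
            return ValidationResult.INVALID;
        } catch (ClassCastException e) {
            // The configured parameter was not a String.
            validationContext.getValidationFailureMessages().add("Unable to determine valid subject confirmation InResponseTo");
            return ValidationResult.INDETERMINATE;
        }
    }

    /**
     * Checks SubjectConfirmationData/@NotBefore against the current time plus the configured clock skew.
     *
     * <p>The skew obtained from {@link SAML20AssertionValidator#getClockSkew} is added to "now", so a
     * larger skew accepts confirmations further ahead of their NotBefore instant.</p>
     *
     * @param subjectConfirmationData the confirmation data being evaluated
     * @param assertion the enclosing assertion, used for its ID in failure messages
     * @param validationContext the current validation context
     * @param required whether a missing attribute is a failure
     * @return VALID if absent-and-optional or not after the skewed current time, otherwise INVALID
     * @throws AssertionValidationException declared for subclasses; not thrown by this implementation
     */
    @Nonnull
    protected ValidationResult validateNotBefore(@Nonnull SubjectConfirmationData subjectConfirmationData,
            @Nonnull Assertion assertion, @Nonnull ValidationContext validationContext, boolean required)
            throws AssertionValidationException {
        Instant notBefore = subjectConfirmationData.getNotBefore();
        if (notBefore == null) {
            if (!required) {
                return ValidationResult.VALID;
            }
            validationContext.getValidationFailureMessages().add("SubjectConfirmationData/@NotBefore was missing and was required");
            return ValidationResult.INVALID;
        }
        Instant skewedNow = Instant.now().plus((TemporalAmount) SAML20AssertionValidator.getClockSkew(validationContext));
        this.log.debug("Evaluating SubjectConfirmationData NotBefore '{}' against 'skewed now' time '{}'", notBefore, skewedNow);
        // notBefore is known to be non-null here, so the former second null test was unreachable.
        if (!notBefore.isAfter(skewedNow)) {
            return ValidationResult.VALID;
        }
        validationContext.getValidationFailureMessages().add(String.format("Subject confirmation, in assertion '%s', with NotBefore condition of '%s' is not yet valid", assertion.getID(), notBefore));
        return ValidationResult.INVALID;
    }

    /**
     * Checks SubjectConfirmationData/@NotOnOrAfter against the current time minus the configured clock skew.
     *
     * <p>The skew is subtracted from "now", so a larger skew keeps an expired confirmation acceptable
     * for longer; this directly widens the window in which a captured assertion is still accepted.
     * As written, a NotOnOrAfter exactly equal to the skewed time is accepted, because only
     * {@code isBefore} is rejected.</p>
     *
     * @param subjectConfirmationData the confirmation data being evaluated
     * @param assertion the enclosing assertion, used for its ID in failure messages
     * @param validationContext the current validation context
     * @param required whether a missing attribute is a failure
     * @return VALID if absent-and-optional or not before the skewed current time, otherwise INVALID
     * @throws AssertionValidationException declared for subclasses; not thrown by this implementation
     */
    @Nonnull
    protected ValidationResult validateNotOnOrAfter(@Nonnull SubjectConfirmationData subjectConfirmationData,
            @Nonnull Assertion assertion, @Nonnull ValidationContext validationContext, boolean required)
            throws AssertionValidationException {
        Instant notOnOrAfter = subjectConfirmationData.getNotOnOrAfter();
        if (notOnOrAfter == null) {
            if (!required) {
                return ValidationResult.VALID;
            }
            validationContext.getValidationFailureMessages().add("SubjectConfirmationData/@NotOnOrAfter was missing and was required");
            return ValidationResult.INVALID;
        }
        Instant skewedNow = Instant.now().minus((TemporalAmount) SAML20AssertionValidator.getClockSkew(validationContext));
        this.log.debug("Evaluating SubjectConfirmationData NotOnOrAfter '{}' against 'skewed now' time '{}'", notOnOrAfter, skewedNow);
        // notOnOrAfter is known to be non-null here, so the former second null test was unreachable.
        if (!notOnOrAfter.isBefore(skewedNow)) {
            return ValidationResult.VALID;
        }
        validationContext.getValidationFailureMessages().add(String.format("Subject confirmation, in assertion '%s', with NotOnOrAfter condition of '%s' is no longer valid", assertion.getID(), notOnOrAfter));
        return ValidationResult.INVALID;
    }

    /**
     * Checks SubjectConfirmationData/@Recipient for membership in the set held in the static
     * parameter {@code saml2.SubjectConfirmation.ValidRecipients}.
     *
     * <p>Matching is whatever {@link Set#contains} does for the supplied set, applied to the trimmed
     * attribute value; no URI normalisation is performed here. A present attribute with a missing
     * or empty set yields INDETERMINATE rather than VALID.</p>
     *
     * @param subjectConfirmationData the confirmation data being evaluated
     * @param assertion the enclosing assertion, used for its ID in failure messages
     * @param validationContext the current validation context
     * @param required whether a missing attribute is a failure
     * @return VALID, INVALID, or INDETERMINATE when the valid set is unavailable or mistyped
     * @throws AssertionValidationException declared for subclasses; not thrown by this implementation
     */
    @Nonnull
    protected ValidationResult validateRecipient(@Nonnull SubjectConfirmationData subjectConfirmationData,
            @Nonnull Assertion assertion, @Nonnull ValidationContext validationContext, boolean required)
            throws AssertionValidationException {
        String recipient = StringSupport.trimOrNull(subjectConfirmationData.getRecipient());
        if (recipient == null) {
            if (!required) {
                return ValidationResult.VALID;
            }
            validationContext.getValidationFailureMessages().add("SubjectConfirmationData/@Recipient was missing and was required");
            return ValidationResult.INVALID;
        }
        // The logged value is taken from the assertion under validation, i.e. it is message-derived.
        this.log.debug("Evaluating SubjectConfirmationData@Recipient of: {}", recipient);
        try {
            Set<?> validRecipients = (Set<?>) validationContext.getStaticParameters().get("saml2.SubjectConfirmation.ValidRecipients");
            if (validRecipients == null || validRecipients.isEmpty()) {
                validationContext.getValidationFailureMessages().add("Set of valid recipient URI's was not available from the validation context, unable to evaluate SubjectConfirmationData@Recipient");
                return ValidationResult.INDETERMINATE;
            }
            if (validRecipients.contains(recipient)) {
                this.log.debug("Matched valid recipient: {}", recipient);
                return ValidationResult.VALID;
            }
            // This message lists every configured recipient endpoint; keep it on the relying-party side.
            validationContext.getValidationFailureMessages().add(String.format("Subject confirmation recipient for assertion '%s' did not match any valid recipients: %s", assertion.getID(), validRecipients));
            return ValidationResult.INVALID;
        } catch (ClassCastException e) {
            // The configured parameter was not a Set (or the set rejected the lookup type).
            validationContext.getValidationFailureMessages().add("Unable to determine list of valid subject confirmation recipient endpoints");
            return ValidationResult.INDETERMINATE;
        }
    }

    /**
     * Checks SubjectConfirmationData/@Address by delegating to
     * {@code AssertionValidationSupport.checkAddress} with the
     * {@code saml2.SubjectConfirmation.ValidAddresses} parameter.
     *
     * <p>The check is on unless {@code saml2.SubjectConfirmation.CheckAddress} is explicitly
     * {@link Boolean#FALSE}; when disabled, the method returns VALID before looking at the
     * attribute, so the {@code required} flag has no effect. The {@code CheckAddress} lookup is
     * outside any try block, so a non-Boolean value raises {@link ClassCastException}.</p>
     *
     * @param subjectConfirmationData the confirmation data being evaluated
     * @param assertion the enclosing assertion, passed through to the address check
     * @param validationContext the current validation context
     * @param required whether a missing attribute is a failure (only consulted when the check is enabled)
     * @return VALID when disabled or absent-and-optional, INVALID when absent-and-required, otherwise
     *         the result of the delegated address check
     * @throws AssertionValidationException if the delegated address check raises it
     */
    @Nonnull
    protected ValidationResult validateAddress(@Nonnull SubjectConfirmationData subjectConfirmationData,
            @Nonnull Assertion assertion, @Nonnull ValidationContext validationContext, boolean required)
            throws AssertionValidationException {
        Boolean checkAddress = (Boolean) validationContext.getStaticParameters().get("saml2.SubjectConfirmation.CheckAddress");
        if (checkAddress != null && !checkAddress.booleanValue()) {
            this.log.debug("SubjectConfirmationData/@Address check is disabled, skipping");
            return ValidationResult.VALID;
        }
        String address = StringSupport.trimOrNull(subjectConfirmationData.getAddress());
        if (address != null) {
            return AssertionValidationSupport.checkAddress(validationContext, address, "saml2.SubjectConfirmation.ValidAddresses", assertion, "SubjectConfirmationData/@Address");
        }
        if (!required) {
            return ValidationResult.VALID;
        }
        validationContext.getValidationFailureMessages().add("SubjectConfirmationData/@Address was missing and was required");
        return ValidationResult.INVALID;
    }

    /**
     * Performs the confirmation-method-specific validation once the generic checks have passed
     * (or were skipped because no SubjectConfirmationData was present and none was required).
     *
     * @param subjectConfirmation the confirmation being evaluated
     * @param assertion the assertion that carries the confirmation
     * @param validationContext the current validation context
     * @return the result of the method-specific validation
     * @throws AssertionValidationException if validation cannot be carried out
     */
    @Nonnull
    protected abstract ValidationResult doValidate(@Nonnull SubjectConfirmation subjectConfirmation, @Nonnull Assertion assertion, @Nonnull ValidationContext validationContext) throws AssertionValidationException;
}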
