package org.apache.wss4j.dom.validate;

import java.time.Instant;
import java.util.List;
import org.apache.wss4j.common.cache.ReplayCache;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.OpenSAMLUtil;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.saml.builder.SAML1Constants;
import org.apache.wss4j.common.saml.builder.SAML2Constants;
import org.apache.wss4j.dom.handler.RequestData;
import org.joda.time.DateTime;
import org.opensaml.saml.common.SAMLVersion;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/wss4j/dom/validate/SamlAssertionValidator.class */
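/**
 * Validates a SAML 1.1 / 2.0 assertion carried in a {@link Credential}.
 *
 * <p>The checks, in order: subject confirmation method (which may itself demand a
 * signature), conditions plus audience restrictions, AuthnStatements, SAML 2.0
 * {@code OneTimeUse} replay protection, optional validation of the signature against
 * the SAML signature profile, and finally signature trust through
 * {@link SignatureTrustValidator} -- the last step runs only when the assertion is
 * actually signed.
 *
 * <p>Defaults: {@code futureTTL} 60, {@code ttl} 1800, bearer assertions must be
 * signed, a standard subject confirmation method is required, and the signature is
 * validated against the profile.
 */
public class SamlAssertionValidator extends SignatureTrustValidator {
    private static final Logger LOG = LoggerFactory.getLogger(SamlAssertionValidator.class);

    /** When non-null, at least one subject confirmation method must equal this URI. */
    private String requiredSubjectConfirmationMethod;
    /** Passed to the wrapper's condition / issue-instant / AuthnStatement checks; presumably the tolerated future clock skew in seconds -- confirm against SamlAssertionWrapper. */
    private int futureTTL = 60;
    /** Passed to the wrapper's issue-instant check together with futureTTL; presumably the maximum assertion age in seconds -- confirm against SamlAssertionWrapper. */
    private int ttl = 1800;
    /** Whether {@link #validateAssertion} calls {@code validateSignatureAgainstProfile()}. */
    private boolean validateSignatureAgainstProfile = true;
    /** Whether holder-of-key, bearer or sender-vouches must appear among the confirmation methods. */
    private boolean requireStandardSubjectConfirmationMethod = true;
    /** Whether a bearer assertion must be signed. */
    private boolean requireBearerSignature = true;

    /**
     * Sets the future time-to-live value handed to the wrapper's time checks.
     *
     * @param i the new value (the wrapper methods it is passed to treat it as seconds -- TODO confirm)
     */
    public void setFutureTTL(int i) {
        this.futureTTL = i;
    }

    /**
     * Validates the SAML assertion held by {@code credential}.
     *
     * <p>Signature trust is only established (via the superclass) when
     * {@code isSigned()} is true; an unsigned assertion therefore reaches the caller
     * only if the configured subject confirmation rules tolerate it (sender-vouches,
     * bearer with {@code requireBearerSignature} off, or no standard method required).
     *
     * @param credential the credential carrying the assertion
     * @param requestData request context (audience restrictions, replay cache, trust settings)
     * @return the same {@code credential} instance on success
     * @throws WSSecurityException if no assertion is present or any check fails
     */
    @Override
    public Credential validate(Credential credential, RequestData requestData) throws WSSecurityException {
        if (credential == null || credential.getSamlAssertion() == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noCredential");
        }
        SamlAssertionWrapper samlAssertion = credential.getSamlAssertion();

        verifySubjectConfirmationMethod(samlAssertion);
        checkConditions(samlAssertion, requestData.getAudienceRestrictions());
        checkAuthnStatements(samlAssertion);
        checkOneTimeUse(samlAssertion, requestData);
        validateAssertion(samlAssertion);

        // Trust in the signing key is only verified for signed assertions; the subject
        // confirmation rules above decide whether an unsigned assertion is acceptable.
        if (samlAssertion.isSigned()) {
            verifySignedAssertion(samlAssertion, requestData);
        }
        return credential;
    }

    /**
     * Enforces the subject confirmation rules.
     *
     * <ul>
     *   <li>holder-of-key: the subject KeyInfo must be present and the assertion signed;</li>
     *   <li>bearer: the assertion must be signed when {@code requireBearerSignature} is set;</li>
     *   <li>sender-vouches: accepted without any signing requirement here;</li>
     *   <li>if {@code requiredSubjectConfirmationMethod} is set, one method must equal it;</li>
     *   <li>if {@code requireStandardSubjectConfirmationMethod} is set, one of the three
     *       standard methods must be present.</li>
     * </ul>
     *
     * @param samlAssertionWrapper the assertion under validation
     * @throws WSSecurityException if any rule is violated
     */
    protected void verifySubjectConfirmationMethod(SamlAssertionWrapper samlAssertionWrapper) throws WSSecurityException {
        List<String> confirmationMethods = samlAssertionWrapper.getConfirmationMethods();
        if (confirmationMethods == null || confirmationMethods.isEmpty()) {
            if (this.requiredSubjectConfirmationMethod != null) {
                LOG.warn("A required subject confirmation method was not present");
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
            }
            if (this.requireStandardSubjectConfirmationMethod) {
                LOG.warn("A standard subject confirmation method was not present");
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
            }
        }

        boolean isSigned = samlAssertionWrapper.isSigned();
        boolean requiredMethodFound = false;
        boolean standardMethodFound = false;
        if (confirmationMethods != null) {
            for (String method : confirmationMethods) {
                if (OpenSAMLUtil.isMethodHolderOfKey(method)) {
                    // Holder-of-key binds the subject to a key: without the KeyInfo there is
                    // nothing to prove possession of, and without a signature the binding
                    // itself is unauthenticated.
                    if (samlAssertionWrapper.getSubjectKeyInfo() == null) {
                        LOG.warn("There is no Subject KeyInfo to match the holder-of-key subject conf method");
                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noKeyInSAMLToken");
                    }
                    if (!isSigned) {
                        LOG.warn("A holder-of-key assertion must be signed");
                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
                    }
                    standardMethodFound = true;
                }
                if (method == null) {
                    continue;
                }
                if (method.equals(this.requiredSubjectConfirmationMethod)) {
                    requiredMethodFound = true;
                }
                boolean isBearer = SAML2Constants.CONF_BEARER.equals(method)
                    || SAML1Constants.CONF_BEARER.equals(method);
                boolean isSenderVouches = SAML2Constants.CONF_SENDER_VOUCHES.equals(method)
                    || SAML1Constants.CONF_SENDER_VOUCHES.equals(method);
                if (isBearer) {
                    standardMethodFound = true;
                    if (this.requireBearerSignature && !isSigned) {
                        LOG.warn("A Bearer Assertion was not signed");
                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
                    }
                } else if (isSenderVouches) {
                    standardMethodFound = true;
                }
            }
        }

        if (!requiredMethodFound && this.requiredSubjectConfirmationMethod != null) {
            LOG.warn("A required subject confirmation method was not present");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        if (!standardMethodFound && this.requireStandardSubjectConfirmationMethod) {
            LOG.warn("A standard subject confirmation method was not present");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
    }

    /**
     * Establishes trust in the key that signed the assertion by building a
     * {@link Credential} from the signature KeyInfo and handing it to
     * {@link SignatureTrustValidator#validate}.
     *
     * @param samlAssertionWrapper a signed assertion
     * @param requestData request context holding the trust settings
     * @return the credential returned by the superclass
     * @throws WSSecurityException if the signing key / certificate chain is not trusted
     */
    protected Credential verifySignedAssertion(SamlAssertionWrapper samlAssertionWrapper, RequestData requestData) throws WSSecurityException {
        SAMLKeyInfo signatureKeyInfo = samlAssertionWrapper.getSignatureKeyInfo();
        Credential signerCredential = new Credential();
        signerCredential.setPublicKey(signatureKeyInfo.getPublicKey());
        signerCredential.setCertificates(signatureKeyInfo.getCerts());
        return super.validate(signerCredential, requestData);
    }

    /**
     * Checks the assertion's time conditions and then its audience restrictions.
     *
     * @param samlAssertionWrapper the assertion under validation
     * @param list the audience restrictions expected by this recipient
     * @throws WSSecurityException if a condition or audience restriction is violated
     */
    protected void checkConditions(SamlAssertionWrapper samlAssertionWrapper, List<String> list) throws WSSecurityException {
        checkConditions(samlAssertionWrapper);
        samlAssertionWrapper.checkAudienceRestrictions(list);
    }

    /**
     * Checks the assertion's conditions and issue instant using {@code futureTTL}
     * and {@code ttl}.
     *
     * @param samlAssertionWrapper the assertion under validation
     * @throws WSSecurityException if a time condition is violated
     */
    protected void checkConditions(SamlAssertionWrapper samlAssertionWrapper) throws WSSecurityException {
        samlAssertionWrapper.checkConditions(this.futureTTL);
        samlAssertionWrapper.checkIssueInstant(this.futureTTL, this.ttl);
    }

    /**
     * Checks the AuthnStatements using {@code futureTTL}.
     *
     * @param samlAssertionWrapper the assertion under validation
     * @throws WSSecurityException if an AuthnStatement is rejected by the wrapper
     */
    protected void checkAuthnStatements(SamlAssertionWrapper samlAssertionWrapper) throws WSSecurityException {
        samlAssertionWrapper.checkAuthnStatements(this.futureTTL);
    }

    /**
     * Enforces the SAML 2.0 {@code OneTimeUse} condition with the request's replay cache.
     *
     * <p>The check is skipped for SAML 1.1 assertions, when there are no conditions, when
     * the {@code OneTimeUse} element is absent, or when no replay cache is configured --
     * in that last case the condition is silently not enforced. Otherwise an identifier
     * already present in the cache is rejected as a replay and a new identifier is cached
     * until the assertion's {@code NotOnOrAfter} (or for the cache's default period when
     * that instant is absent).
     *
     * <p>Note: {@code contains} followed by {@code add} is not atomic here; two concurrent
     * presentations of the same assertion can both pass unless the cache implementation
     * serializes them -- confirm against the configured {@link ReplayCache}.
     *
     * @param samlAssertionWrapper the assertion under validation
     * @param requestData request context holding the replay cache
     * @throws WSSecurityException if the assertion identifier was already seen
     */
    protected void checkOneTimeUse(SamlAssertionWrapper samlAssertionWrapper, RequestData requestData) throws WSSecurityException {
        if (!samlAssertionWrapper.getSamlVersion().equals(SAMLVersion.VERSION_20)
            || samlAssertionWrapper.getSaml2().getConditions() == null
            || samlAssertionWrapper.getSaml2().getConditions().getOneTimeUse() == null
            || requestData.getSamlOneTimeUseReplayCache() == null) {
            return;
        }

        String id = samlAssertionWrapper.getId();
        ReplayCache replayCache = requestData.getSamlOneTimeUseReplayCache();
        if (replayCache.contains(id)) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, "badSamlToken", new Object[]{"A replay attack has been detected"});
        }

        // Cache the identifier for exactly as long as the assertion remains valid. The
        // identifier is recorded in both branches; an additional unconditional add()
        // afterwards would, depending on the cache implementation, replace the
        // NotOnOrAfter-bounded entry with a default-lifetime one, so none is made.
        DateTime notOnOrAfter = samlAssertionWrapper.getSaml2().getConditions().getNotOnOrAfter();
        if (notOnOrAfter != null) {
            replayCache.add(id, Instant.ofEpochMilli(notOnOrAfter.getMillis()));
        } else {
            replayCache.add(id);
        }
    }

    /**
     * Validates the assertion's signature against the SAML signature profile when
     * {@code validateSignatureAgainstProfile} is enabled.
     *
     * @param samlAssertionWrapper the assertion under validation
     * @throws WSSecurityException if the signature does not conform to the profile
     */
    protected void validateAssertion(SamlAssertionWrapper samlAssertionWrapper) throws WSSecurityException {
        if (this.validateSignatureAgainstProfile) {
            samlAssertionWrapper.validateSignatureAgainstProfile();
        }
    }

    /** @return whether the signature is validated against the SAML signature profile */
    public boolean isValidateSignatureAgainstProfile() {
        return this.validateSignatureAgainstProfile;
    }

    /** @param z whether to validate the signature against the SAML signature profile */
    public void setValidateSignatureAgainstProfile(boolean z) {
        this.validateSignatureAgainstProfile = z;
    }

    /** @return the subject confirmation method URI that must be present, or null if none is required */
    public String getRequiredSubjectConfirmationMethod() {
        return this.requiredSubjectConfirmationMethod;
    }

    /** @param str the subject confirmation method URI that must be present, or null to require none */
    public void setRequiredSubjectConfirmationMethod(String str) {
        this.requiredSubjectConfirmationMethod = str;
    }

    /** @return whether one of holder-of-key, bearer or sender-vouches must be present */
    public boolean isRequireStandardSubjectConfirmationMethod() {
        return this.requireStandardSubjectConfirmationMethod;
    }

    /** @param z whether one of holder-of-key, bearer or sender-vouches must be present */
    public void setRequireStandardSubjectConfirmationMethod(boolean z) {
        this.requireStandardSubjectConfirmationMethod = z;
    }

    /** @return whether a bearer assertion must be signed */
    public boolean isRequireBearerSignature() {
        return this.requireBearerSignature;
    }

    /** @param z whether a bearer assertion must be signed */
    public void setRequireBearerSignature(boolean z) {
        this.requireBearerSignature = z;
    }

    /** @return the value handed to the wrapper's issue-instant check as the second argument */
    public int getTtl() {
        return this.ttl;
    }

    /** @param i the value handed to the wrapper's issue-instant check as the second argument */
    public void setTtl(int i) {
        this.ttl = i;
    }
}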
