package com.appiancorp.security.auth.saml;

import com.google.common.collect.Lists;
import java.util.ArrayList;
import java.util.Collection;
import javax.annotation.Nonnull;
import javax.xml.namespace.QName;
import net.shibboleth.utilities.java.support.collection.LazyMap;
import org.apache.log4j.Logger;
import org.joda.time.DateTime;
import org.opensaml.saml.common.assertion.AssertionValidationException;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.assertion.ConditionValidator;
import org.opensaml.saml.saml2.assertion.SAML20AssertionValidator;
import org.opensaml.saml.saml2.assertion.impl.AudienceRestrictionConditionValidator;
import org.opensaml.saml.saml2.assertion.impl.OneTimeUseConditionValidator;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AudienceRestriction;
import org.opensaml.saml.saml2.core.Condition;
import org.opensaml.saml.saml2.core.Conditions;
import org.opensaml.saml.saml2.core.OneTimeUse;
import org.opensaml.storage.ReplayCache;
import org.opensaml.xmlsec.signature.support.SignaturePrevalidator;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;

/* loaded from: input_file:com/appiancorp/security/auth/saml/SamlAssertionValidator.class */
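/**
 * Validates an inbound SAML 2.0 {@link Assertion}: SAML version, IssueInstant freshness and the
 * {@code Conditions} element (time bounds, {@link AudienceRestriction}, {@link OneTimeUse}).
 *
 * <p>This class replaces the superclass {@link #validate} pipeline, so only the three checks
 * above run here. In particular it does <em>not</em> verify the assertion signature (the
 * superclass is constructed with a {@code null} {@link SignatureTrustEngine} and
 * {@link SignaturePrevalidator}), does not run subject-confirmation or statement validators,
 * and skips any {@link Condition} that is neither an {@code AudienceRestriction} nor a
 * {@code OneTimeUse}. Signature and subject-confirmation checks are therefore assumed to be
 * performed elsewhere in the SAML processing chain — NOTE(review): confirm against the caller.
 *
 * <p>{@code OneTimeUse} conditions are enforced through the supplied {@link ReplayCache}, which
 * is what stops an already-consumed assertion from being accepted a second time.
 */
public class SamlAssertionValidator extends SAML20AssertionValidator {
    // Attributed to this class; the previous revision pointed at SamlMessageValidator, which
    // would have misfiled any log output. Currently unused by this class.
    private static final Logger LOG = Logger.getLogger(SamlAssertionValidator.class);

    /** Condition validators keyed by the QName of the condition element each one services. */
    private final LazyMap<QName, ConditionValidator> conditionValidators;

    /**
     * Creates a validator whose {@code OneTimeUse} handling is backed by {@code replayCache}.
     *
     * @param replayCache cache used to detect replayed one-time-use assertions; entries expire
     *     after {@link OneTimeUseConditionValidator#DEFAULT_CACHE_EXPIRES}
     */
    public SamlAssertionValidator(ReplayCache replayCache) {
        // No condition/subject-confirmation/statement validators, no trust engine and no
        // signature prevalidator are handed to the superclass: validate() below bypasses that
        // pipeline entirely, so the superclass state is never consulted.
        super((Collection) null, (Collection) null, (Collection) null, (SignatureTrustEngine) null, (SignaturePrevalidator) null);
        this.conditionValidators = new LazyMap<>();
        register(new AudienceRestrictionConditionValidator());
        register(new OneTimeUseConditionValidator(replayCache, OneTimeUseConditionValidator.DEFAULT_CACHE_EXPIRES));
    }

    /** Indexes {@code validator} under the QName of the condition it services. */
    private void register(@Nonnull ConditionValidator validator) {
        this.conditionValidators.put(validator.getServicedCondition(), validator);
    }

    /**
     * Runs, in order: the SAML version check, the IssueInstant freshness check (only when the
     * attribute is present) and {@code Conditions} validation. The first non-{@code VALID}
     * result is returned and the remaining checks are not run.
     *
     * @param assertion the assertion to validate
     * @param validationContext context that receives the failure message on a non-VALID result
     * @return {@link ValidationResult#VALID} when all checks pass, otherwise the failing check's result
     * @throws AssertionValidationException if a condition validator cannot complete
     */
    @Override
    @Nonnull
    public ValidationResult validate(@Nonnull Assertion assertion, @Nonnull ValidationContext validationContext) throws AssertionValidationException {
        ValidationResult result = validateVersion(assertion, validationContext);
        if (result != ValidationResult.VALID) {
            return result;
        }
        // NOTE(review): an assertion with no IssueInstant skips the freshness check entirely;
        // the SAML 2.0 Core schema makes the attribute mandatory, so rejecting its absence
        // may be the safer choice. Preserved as-is here.
        if (assertion.getIssueInstant() != null) {
            result = validateIssueInstant(assertion, validationContext);
            if (result != ValidationResult.VALID) {
                return result;
            }
        }
        return validateConditions(assertion, validationContext);
    }

    /**
     * Validates the assertion's {@code Conditions}: the NotBefore/NotOnOrAfter window first,
     * then each {@link AudienceRestriction} and {@link OneTimeUse} condition through its
     * registered validator. Conditions of any other type are skipped without comment.
     *
     * @param assertion the assertion whose conditions are checked
     * @param validationContext context that receives the failure message on a non-VALID result
     * @return VALID when there is no Conditions element or every check passes; INDETERMINATE when a
     *     serviced condition has no registered validator; INVALID when a validator rejects a condition
     * @throws AssertionValidationException propagated from a condition validator
     */
    @Override
    @Nonnull
    protected ValidationResult validateConditions(@Nonnull Assertion assertion, @Nonnull ValidationContext validationContext) throws AssertionValidationException {
        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            // No Conditions element at all: there is nothing here to restrict the assertion's use.
            return ValidationResult.VALID;
        }
        ValidationResult timeBounds = validateConditionsTimeBounds(assertion, validationContext);
        if (timeBounds != ValidationResult.VALID) {
            return timeBounds;
        }
        for (Condition condition : conditions.getConditions()) {
            if (!(condition instanceof AudienceRestriction) && !(condition instanceof OneTimeUse)) {
                // NOTE(review): any other condition type is ignored rather than validated.
                continue;
            }
            ConditionValidator conditionValidator = lookupValidator(condition);
            if (conditionValidator == null) {
                validationContext.setValidationFailureMessage(String.format("Unknown Condition '%s' of type '%s' in assertion '%s'", condition.getElementQName(), condition.getSchemaType(), assertion.getID()));
                return ValidationResult.INDETERMINATE;
            }
            if (conditionValidator.validate(condition, assertion, validationContext) != ValidationResult.VALID) {
                String message = String.format("Condition '%s' of type '%s' in assertion '%s' was not valid.", condition.getElementQName(), condition.getSchemaType(), assertion.getID());
                // Keep the validator's own reason, if it recorded one, behind the generic message.
                if (validationContext.getValidationFailureMessage() != null) {
                    message = message + ": " + validationContext.getValidationFailureMessage();
                }
                validationContext.setValidationFailureMessage(message);
                return ValidationResult.INVALID;
            }
        }
        return ValidationResult.VALID;
    }

    /**
     * Finds the validator registered for {@code condition}: first by element name, then by its
     * schema type (xsi:type) when the element name is not registered.
     *
     * @return the matching validator, or {@code null} when neither lookup succeeds
     */
    private ConditionValidator lookupValidator(@Nonnull Condition condition) {
        ConditionValidator validator = this.conditionValidators.get(condition.getElementQName());
        if (validator == null && condition.getSchemaType() != null) {
            validator = this.conditionValidators.get(condition.getSchemaType());
        }
        return validator;
    }

    /**
     * Accepts the assertion's IssueInstant only if it lies within
     * {@code SamlConstants.CLOCK_SKEW_IN_MS} of the current time, in either direction.
     * Callers must ensure {@code assertion.getIssueInstant()} is non-null.
     *
     * @param assertion the assertion whose IssueInstant is checked
     * @param validationContext context that receives the failure message on an INVALID result
     * @return VALID when the instant is inside the skew window, otherwise INVALID
     */
    private ValidationResult validateIssueInstant(@Nonnull Assertion assertion, @Nonnull ValidationContext validationContext) {
        DateTime issueInstant = assertion.getIssueInstant();
        // Sample the clock once so both ends of the window derive from the same instant.
        DateTime now = DateTime.now();
        DateTime earliest = now.minusMillis(SamlConstants.CLOCK_SKEW_IN_MS);
        DateTime latest = now.plusMillis(SamlConstants.CLOCK_SKEW_IN_MS);
        if (issueInstant.isBefore(earliest) || issueInstant.isAfter(latest)) {
            validationContext.setValidationFailureMessage(String.format("Invalid IssueInstant '%s' on Assertion '%s'", issueInstant.toString(), assertion.getID()));
            return ValidationResult.INVALID;
        }
        return ValidationResult.VALID;
    }
}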
