package pl.edu.icm.yadda.aas.assertion.validator.impl;

import an.xacml.ExtendedRequest;
import an.xacml.engine.EvaluationContext;
import java.util.Collection;
import java.util.List;
import org.opensaml.lite.common.SAMLObject;
import org.opensaml.lite.common.SignableSAMLObject;
import org.opensaml.lite.saml2.core.Assertion;
import org.opensaml.lite.saml2.core.EncryptedAssertion;
import org.opensaml.lite.saml2.core.EncryptedElementType;
import org.opensaml.lite.security.TrustLevel;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import pl.edu.icm.yadda.aas.err.holder.IErrorHolder;
import pl.edu.icm.yadda.aas.refresher.IExpirationValidator;
import pl.edu.icm.yadda.aas.refresher.RefresherException;
import pl.edu.icm.yadda.aas.saml.validator.ISAMLObjectValidator;
import pl.edu.icm.yadda.aas.saml.validator.SAMLObjectValidationContext;
import pl.edu.icm.yadda.aas.saml.validator.SAMLObjectValidationException;
import pl.edu.icm.yadda.aas.security.ISecurityFacade;
import pl.edu.icm.yadda.aas.security.SecurityFacadeException;
import pl.edu.icm.yadda.aas.timesync.IDateTimeProvider;
import pl.edu.icm.yadda.aas.xacml.policy.parser.Token;
import pl.edu.icm.yadda.aas.xacml.policy.parser.cond.ITokenCondition;
import pl.edu.icm.yadda.aas.xacml.policy.parser.cond.TypeCondition;
import pl.edu.icm.yadda.service2.aas.AAError;

/* loaded from: input_file:WEB-INF/lib/yadda-aas2-1.7.3-SNAPSHOT.jar:pl/edu/icm/yadda/aas/assertion/validator/impl/AbstractSAMLObjectValidator.class */
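/**
 * Base class for validators of the SAML object carried by a {@link SAMLObjectValidationContext}.
 * <p>
 * {@link #validate(SAMLObjectValidationContext)} runs three checks in order - encryption mode,
 * signature, expiration - and short-circuits on the first failure. Signature and expiration
 * results are cached in the {@link ExtendedRequest} evaluation cache (keyed on the context's
 * stored SAML object and the policy {@link Token}) when {@link #isEvaluationCachingEnabled()}
 * is {@code true}. An assertion reported as {@code expired_refreshable} is refreshed through the
 * subclass hook {@link #refreshAssertion(Assertion, boolean)}; the refreshed assertion must itself
 * pass expiration and signature verification before it replaces the stored object.
 * <p>
 * Subclasses provide the signing criteria ({@link #provideSigningCriteria}) and the refresh
 * strategy ({@link #refreshAssertion}). The collaborators are injected through setters and are
 * expected to be non-null before {@code validate} is called; this class does not null-check them.
 *
 * @param <GenericCriteriaSet> criteria type consumed by the {@link ISecurityFacade} when verifying signatures
 */
public abstract class AbstractSAMLObjectValidator<GenericCriteriaSet> implements ISAMLObjectValidator<GenericCriteriaSet> {
    protected final Logger log = LoggerFactory.getLogger(getClass());
    // Trust level returned when the policy's 'signed' element carries no usable TypeCondition.
    protected TrustLevel defaultTrustLevel = null;
    // When false, getEvaluationResult()/cacheEvaluationResult() become no-ops and every check is re-run.
    protected boolean evaluationCachingEnabled = true;
    // Injected but not read by this class; kept for subclasses.
    protected IDateTimeProvider dateTimeProvider;
    protected ISecurityFacade<GenericCriteriaSet> securityFacade;
    // Receives AAError entries for expired / outdated assertions (see verifyExpiration).
    protected IErrorHolder auxErrorHolder;
    protected IExpirationValidator<Assertion> assertionExpirationValidator;

    /**
     * Validates the SAML object held by {@code context}.
     * <p>
     * If the context already records a result it is returned as-is. Otherwise the object to
     * check is the decrypted object when the stored one is an {@link EncryptedElementType},
     * else the stored object itself; encryption, signature and expiration checks are then run
     * in that order and the combined result is stored back into the context.
     *
     * @param context validation context holding the stored (and possibly decrypted) SAML object
     * @return {@code true} when every enabled check passed
     * @throws SAMLObjectValidationException when no object is available for validation, or a check fails fatally
     */
    @Override
    public boolean validate(SAMLObjectValidationContext context) throws SAMLObjectValidationException {
        Boolean previous = context.getSuccessfullyValidated();
        if (previous != null) {
            log.debug("SAML object was already validated with the result: {}", previous);
            return previous.booleanValue();
        }
        SAMLObject stored = context.getStoredSAMLObject();
        SAMLObject target = stored instanceof EncryptedElementType ? context.getDecryptedSAMLObject() : stored;
        if (target == null) {
            throw new SAMLObjectValidationException("No decrypted SAML object provided for validation!");
        }
        // Short-circuit order matters: the signature is verified (and cached) before expiration,
        // because expiration handling may refresh the assertion.
        boolean valid = verifyMainEncryption(context)
                && verifyMainSignature(target, context)
                && verifyMainExpiration(target, context, true);
        context.setSuccessfullyValidated(Boolean.valueOf(valid));
        return valid;
    }

    /**
     * Checks the encryption requirement of the policy.
     *
     * @param context validation context
     * @return {@code true} when the encrypted mode is disabled, or it is enabled and the stored
     *         object is an {@link EncryptedElementType}
     */
    protected boolean verifyMainEncryption(SAMLObjectValidationContext context) {
        if (!context.isModeEnabled(SAMLObjectValidationContext.MODE_SAML_OBJECT_ENCRYPTED)) {
            return true;
        }
        return context.getStoredSAMLObject() instanceof EncryptedElementType;
    }

    /**
     * Checks the signature requirement of the policy, consulting the evaluation cache first.
     * <p>
     * The cache entry is keyed on the context's <em>stored</em> SAML object, so this method is
     * only appropriate for that object; a freshly refreshed assertion must go through
     * {@link #verifyRefreshedSignature} instead.
     *
     * @param samlObject object whose signature is to be verified
     * @param context validation context
     * @return {@code true} when the signed mode is disabled, or the signature verified (possibly from cache)
     * @throws SAMLObjectValidationException propagated from {@link #provideSigningCriteria}
     */
    protected boolean verifyMainSignature(SAMLObject samlObject, SAMLObjectValidationContext context) throws SAMLObjectValidationException {
        if (!context.isModeEnabled(SAMLObjectValidationContext.MODE_SAML_OBJECT_SIGNED)) {
            return true;
        }
        if (!(samlObject instanceof SignableSAMLObject)) {
            log.warn("SAMLObject: {} should be signed, but it is not SignableSAMLObject instance!", samlObject);
            return false;
        }
        Token signedToken = context.getTokenMode(SAMLObjectValidationContext.MODE_SAML_OBJECT_SIGNED);
        Boolean cached = getEvaluationResult(context, signedToken);
        if (cached != null) {
            log.debug("got signature evaluation result from cache: {}", cached);
            return cached.booleanValue();
        }
        boolean verified = verifySignature((SignableSAMLObject) samlObject, context);
        cacheEvaluationResult(context, signedToken, verified);
        return verified;
    }

    /**
     * Signature check for an assertion obtained from {@link #refreshAssertion}, bypassing the
     * evaluation cache.
     * <p>
     * At the time a refreshed assertion is checked, {@code context.getStoredSAMLObject()} still
     * refers to the old object, whose signature result {@link #validate} has already cached as
     * {@code true}. Looking that cache up (as {@link #verifyMainSignature} does) would accept the
     * refreshed assertion without ever verifying its own signature, so the facade is called directly.
     *
     * @param refreshed refreshed SAML object
     * @param context validation context
     * @return {@code true} when the signed mode is disabled, or the refreshed object's signature verified
     * @throws SAMLObjectValidationException propagated from {@link #provideSigningCriteria}
     */
    protected boolean verifyRefreshedSignature(SAMLObject refreshed, SAMLObjectValidationContext context) throws SAMLObjectValidationException {
        if (!context.isModeEnabled(SAMLObjectValidationContext.MODE_SAML_OBJECT_SIGNED)) {
            return true;
        }
        if (!(refreshed instanceof SignableSAMLObject)) {
            log.warn("Refreshed SAMLObject: {} should be signed, but it is not SignableSAMLObject instance!", refreshed);
            return false;
        }
        return verifySignature((SignableSAMLObject) refreshed, context);
    }

    /**
     * Verifies the signature of {@code signable} through the security facade.
     *
     * @param signable signed object
     * @param context validation context, passed to {@link #provideSigningCriteria}
     * @return {@code false} when the object carries no signature or the facade fails or rejects it
     * @throws SAMLObjectValidationException propagated from {@link #provideSigningCriteria}
     */
    protected boolean verifySignature(SignableSAMLObject signable, SAMLObjectValidationContext context) throws SAMLObjectValidationException {
        if (!signable.isSigned() || signable.getSignature() == null) {
            log.warn("SAMLObject {} wasn't signed!", signable);
            return false;
        }
        try {
            return securityFacade.verifySignature(signable.getSignature(), provideSigningCriteria(context));
        } catch (SecurityFacadeException e) {
            // A facade failure is treated as an invalid signature rather than propagated.
            log.error("Unable to successfully verify signature for SAMLObject {}", signable, e);
            return false;
        }
    }

    /**
     * Supplies the criteria the security facade needs to verify a signature in the given context.
     *
     * @param context validation context
     * @return signing criteria
     * @throws SAMLObjectValidationException when the criteria cannot be determined
     */
    protected abstract GenericCriteriaSet provideSigningCriteria(SAMLObjectValidationContext context) throws SAMLObjectValidationException;

    /**
     * Checks the expiration/refresh requirement of the policy, consulting the evaluation cache first.
     *
     * @param samlObject object to check; must be an {@link Assertion} when a mode is enabled
     * @param context validation context
     * @param allowRefresh whether an expired-but-refreshable assertion may be refreshed
     * @return {@code true} when neither expirable nor refreshable mode is enabled, or the check passed
     * @throws SAMLObjectValidationException propagated from {@link #verifyExpiration}
     */
    protected boolean verifyMainExpiration(SAMLObject samlObject, SAMLObjectValidationContext context, boolean allowRefresh) throws SAMLObjectValidationException {
        if (!context.isModeEnabled(SAMLObjectValidationContext.MODE_ASSERTION_EXPIRABLE)
                && !context.isModeEnabled(SAMLObjectValidationContext.MODE_ASSERTION_REFRESHABLE)) {
            return true;
        }
        if (!(samlObject instanceof Assertion)) {
            log.warn("Cannot verify object's expiration: {}. Not an assertion instance!", samlObject);
            return false;
        }
        Boolean cached = getEvaluationResult(context, expirationToken(context));
        if (cached != null) {
            log.debug("got assertion exp/refr evaluation result from cache: {}", cached);
            return cached.booleanValue();
        }
        boolean verified = verifyExpiration((Assertion) samlObject, context, allowRefresh);
        // Note: verifyExpiration may have replaced the stored object (refresh), so this entry is
        // keyed on the refreshed object when a refresh happened.
        cacheEvaluationResult(context, expirationToken(context), verified);
        return verified;
    }

    // Token under which expiration results are cached: refreshable takes precedence over expirable.
    private Token expirationToken(SAMLObjectValidationContext context) {
        if (context.isModeEnabled(SAMLObjectValidationContext.MODE_ASSERTION_REFRESHABLE)) {
            return context.getTokenMode(SAMLObjectValidationContext.MODE_ASSERTION_REFRESHABLE);
        }
        return context.getTokenMode(SAMLObjectValidationContext.MODE_ASSERTION_EXPIRABLE);
    }

    /**
     * Evaluates the expiration status of {@code assertion} and, when permitted, refreshes it.
     * <p>
     * Permanently expired and outdated assertions are reported to {@link #auxErrorHolder}
     * (outdated only when {@code allowRefresh} is set). A refresh is attempted only when
     * {@code allowRefresh} is set and the refreshable mode is enabled.
     *
     * @param assertion assertion to check
     * @param context validation context
     * @param allowRefresh whether a refresh may be attempted; {@code false} for an already refreshed assertion
     * @return {@code true} only for a {@code valid} status or a successfully refreshed, verified assertion
     * @throws SAMLObjectValidationException on an unknown expiration status
     */
    protected boolean verifyExpiration(Assertion assertion, SAMLObjectValidationContext context, boolean allowRefresh) throws SAMLObjectValidationException {
        IExpirationValidator.ExpirationStatus status = assertionExpirationValidator.validate(assertion);
        switch (status) {
            case permanently_expired:
                AAError permExpired = new AAError(AAError.WARN_ASSERTION_PERM_EXPIRED);
                permExpired.setData(assertion.getID());
                log.debug("storing permanently expired assertion id {} in error holder", assertion.getID());
                auxErrorHolder.addError(permExpired);
                return false;
            case expired_refreshable:
                if (allowRefresh) {
                    AAError outdated = new AAError(AAError.WARN_ASSERTION_OUTDATED);
                    outdated.setData(assertion.getID());
                    log.debug("storing outdated assertion id {} in error holder", assertion.getID());
                    auxErrorHolder.addError(outdated);
                }
                if (!allowRefresh || !context.isModeEnabled(SAMLObjectValidationContext.MODE_ASSERTION_REFRESHABLE)) {
                    return false;
                }
                return refreshExpiredAssertion(assertion, context);
            case indeterminate:
            case notYetValid:
                log.warn("expiration status of assertion: {} is {}", assertion.getID(), status);
                return false;
            case valid:
                log.debug("expiration status of assertion: {} is {}", assertion.getID(), status);
                return true;
            default:
                throw new SAMLObjectValidationException("unsupported expiration status of assertion: " + assertion.getID() + " - " + status);
        }
    }

    // Refreshes an expired assertion, verifies the result and installs it as the context's stored
    // object. Returns false on refresher/decryption failure, null or unsupported result, or a
    // refreshed assertion that is still expired or not validly signed.
    private boolean refreshExpiredAssertion(Assertion assertion, SAMLObjectValidationContext context) throws SAMLObjectValidationException {
        log.debug("refreshing assertion: {}", assertion.getID());
        try {
            boolean storedEncrypted = context.getStoredSAMLObject() instanceof EncryptedAssertion;
            SAMLObject refreshed = refreshAssertion(assertion, storedEncrypted);
            if (refreshed instanceof EncryptedAssertion) {
                Assertion decrypted = (Assertion) securityFacade.decrypt((EncryptedAssertion) refreshed);
                if (decrypted == null) {
                    log.warn("got null assertion after decryption!");
                    return false;
                }
                if (!isRefreshedAssertionAcceptable(decrypted, context)) {
                    return false;
                }
                if (context.getStoredSAMLObject() instanceof EncryptedAssertion) {
                    updateInEvaluationContext(context.getStoredSAMLObject(), refreshed, context.getEvaluationContext());
                    context.setStoredSAMLObject((EncryptedAssertion) refreshed, decrypted);
                } else {
                    updateInEvaluationContext(context.getStoredSAMLObject(), decrypted, context.getEvaluationContext());
                    context.setStoredSAMLObject(decrypted);
                }
                return true;
            }
            if (refreshed == null) {
                log.warn("got null refreshedSAMLObject!");
                return false;
            }
            if (!(refreshed instanceof Assertion)) {
                log.error("got usnupported refreshedSAMLObject instance: {}", refreshed.getClass().getName());
                return false;
            }
            Assertion plain = (Assertion) refreshed;
            if (!isRefreshedAssertionAcceptable(plain, context)) {
                return false;
            }
            if (context.getStoredSAMLObject() instanceof EncryptedAssertion) {
                log.warn("Expired SAMLObject was an instance of EncryptedAssertion, but after refreshing got unencrypted Assertion object!");
            }
            updateInEvaluationContext(context.getStoredSAMLObject(), plain, context.getEvaluationContext());
            context.setStoredSAMLObject(plain);
            return true;
        } catch (RefresherException e) {
            log.error("Exception occured when refreshing assertion {}", assertion.getID(), e);
            return false;
        } catch (SecurityFacadeException e) {
            log.error("Couldn't decrypt refreshed EncryptedAssertion!", e);
            return false;
        }
    }

    // A refreshed assertion is accepted only if it is no longer expired (checked without allowing a
    // further refresh) and its own signature verifies (not the cached result of the old object).
    private boolean isRefreshedAssertionAcceptable(Assertion refreshed, SAMLObjectValidationContext context) throws SAMLObjectValidationException {
        if (!verifyExpiration(refreshed, context, false)) {
            log.warn("Newly refreshed assertion is still expired!");
            return false;
        }
        if (!verifyRefreshedSignature(refreshed, context)) {
            log.warn("Newly refreshed assertion's signature is invalid!");
            return false;
        }
        return true;
    }

    /**
     * Obtains a refreshed replacement for an expired assertion.
     *
     * @param assertion expired assertion
     * @param encrypted whether the context's stored object is an {@link EncryptedAssertion}
     * @return the refreshed object ({@link Assertion} or {@link EncryptedAssertion}); {@code null} is treated as failure
     * @throws RefresherException when refreshing fails
     */
    protected abstract SAMLObject refreshAssertion(Assertion assertion, boolean encrypted) throws RefresherException;

    /**
     * Replaces {@code oldObject} with {@code newObject} in the {@link ExtendedRequest} held by the
     * evaluation context. Matching is by identity ({@code ==}); failures are logged, not thrown.
     *
     * @param oldObject object currently present in the request
     * @param newObject replacement
     * @param evaluationContext context whose request is updated in place
     */
    protected void updateInEvaluationContext(SAMLObject oldObject, SAMLObject newObject, EvaluationContext evaluationContext) {
        if (oldObject == null || newObject == null) {
            log.error("Neither old SAMLObject nor new SAMLObject can be null when storing in EvaluationContext");
            return;
        }
        Object request = evaluationContext.getRequest();
        if (!(request instanceof ExtendedRequest)) {
            log.error("Cannot replace assertion, Request is not an instance of ExtendedRequest!");
            return;
        }
        List<SAMLObject> samlObjects = ((ExtendedRequest) request).getSAMLObjects();
        if (samlObjects == null || samlObjects.isEmpty()) {
            log.error("No objects to be replaced in EvaluationContext!");
            return;
        }
        for (int i = 0; i < samlObjects.size(); i++) {
            if (oldObject == samlObjects.get(i)) {
                samlObjects.set(i, newObject);
                log.debug("samlObject succesfully updated in EvaluationContext");
                return;
            }
        }
        log.error("Couldn't find assertion to be repaced in EvaluationContext!");
    }

    /**
     * Looks up a cached check result for the context's stored SAML object and {@code token}.
     *
     * @param context validation context
     * @param token policy token identifying the check
     * @return the cached result, or {@code null} when caching is disabled, the request is not an
     *         {@link ExtendedRequest}, or nothing is cached
     */
    protected Boolean getEvaluationResult(SAMLObjectValidationContext context, Token token) {
        if (!isEvaluationCachingEnabled()) {
            log.debug("SAMLObject evaluation caching is disabled");
            return null;
        }
        Object request = context.getEvaluationContext().getRequest();
        if (!(request instanceof ExtendedRequest)) {
            log.warn("cannot get evaluation result: request is not an instance of ExtendedRequest");
            return null;
        }
        return ((ExtendedRequest) request).getEvaluationCache().getEvaluationResult(context.getStoredSAMLObject(), token);
    }

    /**
     * Stores a check result for the context's stored SAML object and {@code token}; no-op when
     * caching is disabled or the request is not an {@link ExtendedRequest}.
     *
     * @param context validation context
     * @param token policy token identifying the check
     * @param result result to cache
     */
    protected void cacheEvaluationResult(SAMLObjectValidationContext context, Token token, boolean result) {
        if (!isEvaluationCachingEnabled()) {
            log.debug("SAMLObject evaluation caching is disabled");
            return;
        }
        Object request = context.getEvaluationContext().getRequest();
        if (!(request instanceof ExtendedRequest)) {
            log.warn("cannot cache evaluation result: request is not an instance of ExtendedRequest");
            return;
        }
        ((ExtendedRequest) request).getEvaluationCache().setEvaluationResult(context.getStoredSAMLObject(), token, result);
    }

    /**
     * Determines the trust level required by the policy's 'signed' element.
     * <p>
     * Only the first condition of that element is consulted; it must be a {@link TypeCondition}
     * whose type names a {@link TrustLevel}.
     *
     * @param context validation context; {@code null} yields the default trust level
     * @return the configured trust level, or {@link #defaultTrustLevel} when the element has no conditions
     * @throws SAMLObjectValidationException when the first condition is not a {@link TypeCondition}
     *         or its type is not a valid {@link TrustLevel} name
     */
    public TrustLevel getTrustLevel(SAMLObjectValidationContext context) throws SAMLObjectValidationException {
        if (context == null) {
            return defaultTrustLevel;
        }
        Collection<ITokenCondition> conditions = context.getProperties(SAMLObjectValidationContext.MODE_SAML_OBJECT_SIGNED);
        if (conditions == null || conditions.isEmpty()) {
            return defaultTrustLevel;
        }
        ITokenCondition first = conditions.iterator().next();
        if (!(first instanceof TypeCondition)) {
            throw new SAMLObjectValidationException("invalid condition in 'signed' element defined in policy, cannot determine proper trust level!");
        }
        try {
            return TrustLevel.valueOf(((TypeCondition) first).getType());
        } catch (Exception e) {
            throw new SAMLObjectValidationException("invalid condition in 'signed' element defined in policy, cannot determine proper trust level!", e);
        }
    }

    /** @return whether check results are read from / written to the request's evaluation cache */
    public boolean isEvaluationCachingEnabled() {
        return evaluationCachingEnabled;
    }

    /** @param enabled whether check results are read from / written to the request's evaluation cache */
    public void setEvaluationCachingEnabled(boolean enabled) {
        this.evaluationCachingEnabled = enabled;
    }

    @Override
    public TrustLevel getDefaultTrustLevel() {
        return defaultTrustLevel;
    }

    /** @param trustLevel trust level used when the policy does not specify one */
    public void setDefaultTrustLevel(TrustLevel trustLevel) {
        this.defaultTrustLevel = trustLevel;
    }

    public void setDateTimeProvider(IDateTimeProvider dateTimeProvider) {
        this.dateTimeProvider = dateTimeProvider;
    }

    public void setSecurityFacade(ISecurityFacade<GenericCriteriaSet> securityFacade) {
        this.securityFacade = securityFacade;
    }

    public void setAuxErrorHolder(IErrorHolder auxErrorHolder) {
        this.auxErrorHolder = auxErrorHolder;
    }

    public void setAssertionExpirationValidator(IExpirationValidator<Assertion> assertionExpirationValidator) {
        this.assertionExpirationValidator = assertionExpirationValidator;
    }
}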
