package pl.edu.icm.yadda.aas.assertion.validator.impl;

import java.util.Collection;
import java.util.Iterator;
import org.opensaml.lite.common.SAMLObject;
import org.opensaml.lite.saml2.core.Assertion;
import org.opensaml.lite.security.Credential;
import org.opensaml.lite.security.Criteria;
import org.opensaml.lite.security.CriteriaSet;
import org.opensaml.lite.security.TrustLevel;
import org.opensaml.lite.security.criteria.TrustLevelCriteria;
import org.opensaml.lite.security.criteria.UsageCriteria;
import org.opensaml.lite.xacml.ctx.DecisionType;
import org.springframework.remoting.RemoteAccessException;
import pl.edu.icm.yadda.aas.audit.user.IIdExtractor;
import pl.edu.icm.yadda.aas.handler.HeaderFieldBasedSecurityRequestHandler;
import pl.edu.icm.yadda.aas.handler.ISecurityRequestHandler;
import pl.edu.icm.yadda.aas.helper.AASRequestHelper;
import pl.edu.icm.yadda.aas.refresher.RefresherException;
import pl.edu.icm.yadda.aas.saml.validator.ISAMLObjectValidator;
import pl.edu.icm.yadda.aas.saml.validator.SAMLObjectValidationContext;
import pl.edu.icm.yadda.aas.saml.validator.SAMLObjectValidationException;
import pl.edu.icm.yadda.aas.service.holder.IServiceClientStubHolder;
import pl.edu.icm.yadda.service2.aas.AAError;
import pl.edu.icm.yadda.service2.aas.AuthenticateResponse;
import pl.edu.icm.yadda.service2.aas.IAAService;

/* loaded from: input_file:WEB-INF/lib/yadda-aas2-1.13.2-SNAPSHOT.jar:pl/edu/icm/yadda/aas/assertion/validator/impl/DefaultSAMLObjectValidator.class */
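/**
 * SAML object validator that builds the criteria used to resolve signing
 * credentials and refreshes assertions by re-authenticating against the
 * AAService registered for the assertion's issuer.
 *
 * <p>Collaborators are injected through the setters. Nothing in this class
 * synchronizes access to them, so they should be set before the validator
 * is put to use.
 */
public class DefaultSAMLObjectValidator extends AbstractSAMLObjectValidator<CriteriaSet> implements ISAMLObjectValidator<CriteriaSet> {
    private IServiceClientStubHolder<IAAService> clientStubHolder;
    // Stored by reference (see setFixedCriteria): later changes to the caller's
    // collection change the criteria handed out by this validator.
    protected Collection<Criteria> fixedCriteria = null;
    private ISecurityRequestHandler securityRequestHandler = new HeaderFieldBasedSecurityRequestHandler();
    private IIdExtractor idExtractor;

    /**
     * Refreshes an assertion by sending a refresh request to the AAService
     * looked up under the assertion's issuer value.
     *
     * @param assertion the assertion to refresh; must carry an Issuer
     * @param z         when {@code true} the service is obtained with
     *                  {@code getLocalInstance}, otherwise with {@code getInstance}
     * @return the SAML object returned by the AAService
     * @throws RefresherException if the assertion or its issuer is missing, no
     *                            service is registered for the issuer, the remote
     *                            call fails, or the response carries no SAML object
     */
    @Override // pl.edu.icm.yadda.aas.assertion.validator.impl.AbstractSAMLObjectValidator
    protected SAMLObject refreshAssertion(Assertion assertion, boolean z) throws RefresherException {
        if (assertion == null || assertion.getIssuer() == null) {
            // The null test belongs on the assertion, not on the message text: the
            // previous form dereferenced a null assertion while building the error
            // and dropped the explanatory prefix.
            throw new RefresherException("couldn't find Issuer in assertion " + (assertion != null ? assertion.getID() : null));
        }
        // NOTE(review): the service is selected by the issuer value read from the
        // assertion itself. Whether the assertion's signature has been verified
        // before this point is decided outside this class - confirm in the
        // superclass, because an unverified issuer would steer the lookup.
        IAAService localInstance = z
                ? this.clientStubHolder.getLocalInstance(assertion.getIssuer().getValue())
                : this.clientStubHolder.getInstance(assertion.getIssuer().getValue());
        if (localInstance == null) {
            throw new RefresherException("Couldn't find suitable AAService instance for issuer " + assertion.getIssuer().getValue());
        }
        try {
            return extractAssertion(localInstance.authenticate(AASRequestHelper.buildAssertionRefreshingRequest(assertion, this.securityRequestHandler, this.idExtractor)));
        } catch (RemoteAccessException e) {
            throw new RefresherException("Couldn't perform authentication on AAService instance: " + assertion.getIssuer().getValue(), e);
        }
    }

    /**
     * Extracts the SAML object from an authentication response, or turns the
     * response into a {@link RefresherException} describing why none was returned.
     *
     * @param authenticateResponse the response of the AAService authenticate call
     * @return the SAML object carried by the response
     * @throws RefresherException if the response is {@code null} or carries no
     *                            SAML object; the message reports the first listed
     *                            error, the decision, or the absence of both
     */
    protected SAMLObject extractAssertion(AuthenticateResponse authenticateResponse) throws RefresherException {
        if (authenticateResponse == null) {
            // Report a missing response through the declared exception type
            // instead of a NullPointerException.
            throw new RefresherException("Got no response from AAService!");
        }
        SAMLObject samlObject = authenticateResponse.getSAMLObject();
        if (samlObject != null) {
            return samlObject;
        }
        if (authenticateResponse.getErrors() != null && authenticateResponse.getErrors().size() > 0) {
            // Only the first error is reported; its throwable becomes the cause.
            AAError aAError = authenticateResponse.getErrors().get(0);
            throw new RefresherException("" + aAError.getErrorId() + ':' + aAError.getMessage(), aAError.getThrowable());
        }
        // A Permit decision without an assertion is reported the same way as a
        // response without any decision.
        if (authenticateResponse.getResult() == null || authenticateResponse.getResult().getDecision() == null || authenticateResponse.getResult().getDecision().getDecision() == DecisionType.DECISION.Permit) {
            throw new RefresherException("Got no assertion in AAService response, probably assertion wasn't refreshable!");
        }
        throw new RefresherException("Couldn't refresh assertion, got decision: " + authenticateResponse.getResult().getDecision().getDecision());
    }

    /**
     * Sets the holder used to look up AAService client stubs by issuer.
     *
     * @param iServiceClientStubHolder the stub holder
     */
    public void setClientStubHolder(IServiceClientStubHolder<IAAService> iServiceClientStubHolder) {
        this.clientStubHolder = iServiceClientStubHolder;
    }

    /**
     * Builds the criteria for resolving the credential that verifies a signature:
     * SIGNING usage, the trust level for the context when one is available, and
     * every fixed criterion.
     *
     * <p>When {@code getTrustLevel} returns {@code null}, no trust-level criterion
     * is added, so the result restricts credentials by usage and the fixed
     * criteria only.
     *
     * @param sAMLObjectValidationContext the validation context passed to {@code getTrustLevel}
     * @return a new criteria set
     * @throws SAMLObjectValidationException declared by the overridden method
     */
    /* JADX INFO: Access modifiers changed from: protected */
    /* JADX WARN: Can't rename method to resolve collision */
    @Override // pl.edu.icm.yadda.aas.assertion.validator.impl.AbstractSAMLObjectValidator
    public CriteriaSet provideSigningCriteria(SAMLObjectValidationContext sAMLObjectValidationContext) throws SAMLObjectValidationException {
        CriteriaSet criteriaSet = new CriteriaSet();
        criteriaSet.add(new UsageCriteria(Credential.UsageType.SIGNING));
        TrustLevel trustLevel = getTrustLevel(sAMLObjectValidationContext);
        if (trustLevel != null) {
            criteriaSet.add(new TrustLevelCriteria(trustLevel));
        }
        addFixedCriteria(criteriaSet);
        return criteriaSet;
    }

    /**
     * Returns a new criteria set holding the fixed criteria.
     *
     * @return a new criteria set, empty when no fixed criteria are configured
     */
    /* JADX WARN: Can't rename method to resolve collision */
    @Override // pl.edu.icm.yadda.aas.saml.validator.ISAMLObjectValidator
    public CriteriaSet getFixedCriteriaSet() {
        CriteriaSet criteriaSet = new CriteriaSet();
        addFixedCriteria(criteriaSet);
        return criteriaSet;
    }

    /**
     * Sets the criteria added to every criteria set this validator produces.
     * The collection is kept by reference, not copied.
     *
     * @param collection the fixed criteria, or {@code null} for none
     */
    public void setFixedCriteria(Collection<Criteria> collection) {
        this.fixedCriteria = collection;
    }

    /**
     * Replaces the security request handler passed to the refresh request
     * builder; the default is a {@link HeaderFieldBasedSecurityRequestHandler}.
     *
     * @param iSecurityRequestHandler the handler to use
     */
    public void setSecurityRequestHandler(ISecurityRequestHandler iSecurityRequestHandler) {
        this.securityRequestHandler = iSecurityRequestHandler;
    }

    /**
     * Sets the id extractor passed to the refresh request builder.
     *
     * @param iIdExtractor the id extractor
     */
    public void setIdExtractor(IIdExtractor iIdExtractor) {
        this.idExtractor = iIdExtractor;
    }

    /** Adds every configured fixed criterion to {@code target}; does nothing when none are set. */
    private void addFixedCriteria(CriteriaSet target) {
        if (this.fixedCriteria == null) {
            return;
        }
        for (Criteria criteria : this.fixedCriteria) {
            target.add(criteria);
        }
    }
}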
