package pl.edu.icm.yadda.aas.oblig.analyzer.module.impl;

import org.joda.time.DateTime;
import org.opensaml.lite.common.SAMLObject;
import org.opensaml.lite.saml2.core.Assertion;
import org.opensaml.lite.saml2.core.EncryptedAssertion;
import org.opensaml.lite.security.Credential;
import org.opensaml.lite.security.CriteriaSet;
import org.opensaml.lite.security.criteria.PublicKeyCriteria;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import pl.edu.icm.yadda.aas.keystore.IInternalKeyStore;
import pl.edu.icm.yadda.aas.oblig.analyzer.AnalyzerResultObject;
import pl.edu.icm.yadda.aas.oblig.analyzer.InternalObligationAnalyzerException;
import pl.edu.icm.yadda.aas.oblig.analyzer.module.IInternalObligationAnalyzerModule;
import pl.edu.icm.yadda.aas.oblig.analyzer.module.ObligationAnalyzerModuleRequest;
import pl.edu.icm.yadda.aas.refresher.IExpirationValidator;
import pl.edu.icm.yadda.aas.refresher.IRefresher;
import pl.edu.icm.yadda.aas.refresher.RefresherException;
import pl.edu.icm.yadda.aas.security.ISecurityFacade;
import pl.edu.icm.yadda.aas.security.SecurityFacadeException;
import pl.edu.icm.yadda.aas.time.IDateTimeEvaluator;
import pl.edu.icm.yadda.aas.timesync.IDateTimeProvider;
import pl.edu.icm.yadda.service2.aas.AAError;

/* loaded from: input_file:WEB-INF/lib/yadda-aas2-4.1.1.jar:pl/edu/icm/yadda/aas/oblig/analyzer/module/impl/AssertionRefresherObligationAnalyzerModule.class */
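/**
 * Obligation analyzer module that refreshes the single SAML {@link Assertion}
 * carried in the request.
 * <p>
 * Before refreshing, the assertion's signature is verified against the public key
 * of this instance's internal signing credential, so only assertions issued by
 * this AAS instance whose content has not been modified are refreshable. Unsigned
 * assertions are rejected unless {@code handleUnsignedAssertions} is enabled; in
 * that mode they are refreshed without any origin check, so the flag should stay
 * at its default ({@code false}) unless the deployment trusts the caller.
 * <p>
 * An assertion reported as {@code expired_refreshable} by the expiration validator
 * is refreshed immediately; a {@code valid} one is refreshed pre-emptively only when
 * {@code allowPreemptiveRefresh} is set and the time point returned by the
 * configured evaluator has already passed. Every refreshed assertion is validated
 * again before it is returned.
 * <p>
 * Collaborators are supplied via setters and are not null-checked here; an
 * incompletely wired module fails with a {@link NullPointerException} on first use.
 * {@link EncryptedAssertion} inputs are not supported.
 */
public class AssertionRefresherObligationAnalyzerModule implements IInternalObligationAnalyzerModule {
    private ISecurityFacade<CriteriaSet> securityFacade;
    private IInternalKeyStore<Credential> internalKeyStore;
    private IRefresher<Assertion> refresher;
    protected IExpirationValidator<Assertion> assertionExpirationValidator;
    protected IDateTimeEvaluator preemptiveRefreshTimePointEvaluator;
    protected IDateTimeProvider dateTimeProvider;
    protected final Logger log = LoggerFactory.getLogger(getClass());
    // when true, a still-valid assertion may be refreshed once the evaluator's time point has passed
    protected boolean allowPreemptiveRefresh = true;
    // when true, unsigned assertions are refreshed without a signature/origin check
    private boolean handleUnsignedAssertions = false;

    /**
     * This module runs during request processing, never at post-processing.
     *
     * @return always {@code false}
     */
    @Override // pl.edu.icm.yadda.aas.oblig.analyzer.module.IInternalObligationAnalyzerModule
    public boolean performAtPostprocessing() {
        return false;
    }

    /**
     * Refreshes the single assertion supplied in the request.
     *
     * @param obligationAnalyzerModuleRequest request carrying exactly one source SAML object
     * @return result wrapping the refreshed (and revalidated) assertion
     * @throws InternalObligationAnalyzerException when no or more than one source object is
     *         supplied, the object is an {@link EncryptedAssertion} or not an {@link Assertion},
     *         the assertion is unsigned while unsigned handling is disabled, its signature does
     *         not verify against this instance's signing key, signature checking fails, or
     *         refreshing itself fails
     */
    @Override // pl.edu.icm.yadda.aas.oblig.analyzer.module.IInternalObligationAnalyzerModule
    public AnalyzerResultObject maintain(ObligationAnalyzerModuleRequest obligationAnalyzerModuleRequest) throws InternalObligationAnalyzerException {
        if (obligationAnalyzerModuleRequest.getSourceSAMLObjects() == null
                || obligationAnalyzerModuleRequest.getSourceSAMLObjects().size() == 0) {
            throw new InternalObligationAnalyzerException("No assertion provided for refreshing!");
        }
        int sourceCount = obligationAnalyzerModuleRequest.getSourceSAMLObjects().size();
        if (sourceCount > 1) {
            throw new InternalObligationAnalyzerException("expected 1 assertion, got: " + sourceCount);
        }
        SAMLObject samlObject = obligationAnalyzerModuleRequest.getSourceSAMLObjects().get(0);
        if (samlObject instanceof EncryptedAssertion) {
            throw new InternalObligationAnalyzerException("refreshing of EncryptedAssertion objects is not supported yet!");
        }
        if (!(samlObject instanceof Assertion)) {
            // a null list element would otherwise surface as a NullPointerException from getClass()
            String typeName = samlObject == null ? "null" : samlObject.getClass().getName();
            throw new InternalObligationAnalyzerException("unsupported saml object instance: " + typeName);
        }
        Assertion assertion = (Assertion) samlObject;
        if (!assertion.isSigned()) {
            if (!this.handleUnsignedAssertions) {
                throw new InternalObligationAnalyzerException("Unsigned assertion cannot be refreshed!");
            }
            // no signature means no origin check is possible; refreshing is trusted by configuration only
            return new AnalyzerResultObject(handleRefreshing(assertion));
        }
        if (!isSignedByThisInstance(assertion)) {
            throw new InternalObligationAnalyzerException("Assertion " + assertion.getID() + " wasn't signed by this AAS instance or it's content was modified!");
        }
        return new AnalyzerResultObject(handleRefreshing(assertion));
    }

    /**
     * Verifies the assertion's signature against the public key of this instance's
     * internal signing credential.
     *
     * @param assertion signed assertion to check
     * @return {@code true} when the signature verifies with the internal signing key
     * @throws InternalObligationAnalyzerException wrapping a {@link SecurityFacadeException}
     *         raised while checking the signature
     */
    private boolean isSignedByThisInstance(Assertion assertion) throws InternalObligationAnalyzerException {
        try {
            CriteriaSet trustedSigningKey = new CriteriaSet(
                    new PublicKeyCriteria(this.internalKeyStore.getInternalSigningCredential().getPublicKey()));
            return this.securityFacade.verifySignature(assertion.getSignature(), trustedSigningKey);
        } catch (SecurityFacadeException e) {
            throw new InternalObligationAnalyzerException("Exception occured when checking assertion's signature!", e);
        }
    }

    /**
     * Refreshes the assertion according to its expiration status.
     *
     * @param assertion assertion to refresh; must carry conditions with a NotOnOrAfter value
     * @return the refreshed assertion, already revalidated
     * @throws InternalObligationAnalyzerException when the assertion is null, has no
     *         determinable expiration time, is permanently expired (carrying an
     *         {@link AAError#WARN_ASSERTION_PERM_EXPIRED} error), has an indeterminate or
     *         unknown status, is not yet due for pre-emptive refresh, or the refresh fails
     */
    protected Assertion handleRefreshing(Assertion assertion) throws InternalObligationAnalyzerException {
        if (assertion == null) {
            throw new InternalObligationAnalyzerException("Cannot refresh: assertion is null");
        }
        if (assertion.getConditions() == null || assertion.getConditions().getNotOnOrAfter() == null) {
            throw new InternalObligationAnalyzerException("Cannot determine assertion's " + assertion.getID() + " expiration time!");
        }
        IExpirationValidator.ExpirationStatus status = this.assertionExpirationValidator.validate(assertion);
        if (status == null) {
            // a null status would otherwise blow up inside the switch with a NullPointerException
            throw new InternalObligationAnalyzerException("unsupported expiration status of assertion: " + assertion.getID() + " - " + status);
        }
        switch (status) {
            case expired_refreshable:
                return refreshAndRevalidate(assertion);
            case valid:
                ensurePreemptiveRefreshDue(assertion);
                return refreshAndRevalidate(assertion);
            case permanently_expired: {
                AAError error = new AAError(AAError.WARN_ASSERTION_PERM_EXPIRED);
                error.setData(assertion.getID());
                this.log.warn("unable to refresh assertion: {} due to permanent expiration", assertion.getID());
                throw new InternalObligationAnalyzerException(error);
            }
            case indeterminate:
                throw new InternalObligationAnalyzerException("unable to determine assertion: " + assertion.getID() + " valid expiration status!");
            default:
                throw new InternalObligationAnalyzerException("unsupported expiration status of assertion: " + assertion.getID() + " - " + status);
        }
    }

    /**
     * Checks that a still-valid assertion may be refreshed pre-emptively right now.
     *
     * @param assertion valid assertion that is a candidate for pre-emptive refresh
     * @throws InternalObligationAnalyzerException when pre-emptive refresh is disabled or the
     *         current time is not yet after the evaluator's refresh time point
     */
    private void ensurePreemptiveRefreshDue(Assertion assertion) throws InternalObligationAnalyzerException {
        if (!this.allowPreemptiveRefresh) {
            throw new InternalObligationAnalyzerException("preemptive refresh is not allowed!");
        }
        this.log.info("Assertion is valid, trying preemptive refresh...");
        DateTime earliestRefreshTime = this.preemptiveRefreshTimePointEvaluator.evaluate(assertion);
        // the provider's clock (not the local system clock) decides whether the refresh window is open
        if (!this.dateTimeProvider.getCurrentDateTime().isAfter(earliestRefreshTime)) {
            throw new InternalObligationAnalyzerException("preemptive refresh is not allowed before: " + earliestRefreshTime);
        }
    }

    /**
     * Runs the refresher and revalidates its output; shared by the expired and the
     * pre-emptive refresh paths.
     *
     * @param assertion source assertion handed to the refresher
     * @return the refreshed assertion once it validates as {@code valid}
     * @throws InternalObligationAnalyzerException when the refresher fails or returns null,
     *         or the refreshed assertion does not validate
     */
    private Assertion refreshAndRevalidate(Assertion assertion) throws InternalObligationAnalyzerException {
        Assertion refreshed;
        try {
            refreshed = this.refresher.refresh(assertion);
        } catch (RefresherException e) {
            throw new InternalObligationAnalyzerException("Couldn't refresh assertion: " + assertion.getID() + ", exception occured in refresher module! ", e);
        }
        if (refreshed == null) {
            throw new InternalObligationAnalyzerException("Got null assertion from refresher module! Source assertion id: " + assertion.getID());
        }
        return revalidateAssertion(refreshed);
    }

    /**
     * Confirms that a freshly refreshed assertion is reported as {@code valid}.
     *
     * @param assertion refreshed assertion
     * @return the same assertion when it validates as {@code valid}
     * @throws InternalObligationAnalyzerException for any other expiration status
     */
    protected Assertion revalidateAssertion(Assertion assertion) throws InternalObligationAnalyzerException {
        IExpirationValidator.ExpirationStatus status = this.assertionExpirationValidator.validate(assertion);
        if (status == IExpirationValidator.ExpirationStatus.valid) {
            return assertion;
        }
        throw new InternalObligationAnalyzerException("Refreshed assertion " + assertion.getID() + " is still invalid! Got status AssertionDateTimeStatus: " + status);
    }

    /** @param iSecurityFacade facade used to verify assertion signatures */
    public void setSecurityFacade(ISecurityFacade<CriteriaSet> iSecurityFacade) {
        this.securityFacade = iSecurityFacade;
    }

    /** @param iInternalKeyStore key store providing this instance's signing credential */
    public void setInternalKeyStore(IInternalKeyStore<Credential> iInternalKeyStore) {
        this.internalKeyStore = iInternalKeyStore;
    }

    /** @param iRefresher component that produces the refreshed assertion */
    public void setRefresher(IRefresher<Assertion> iRefresher) {
        this.refresher = iRefresher;
    }

    /** @return the configured refresher, or null when not set */
    public IRefresher<Assertion> getRefresher() {
        return this.refresher;
    }

    /**
     * Enables refreshing of unsigned assertions, which then bypasses the signature check.
     *
     * @param z {@code true} to accept unsigned assertions (default {@code false})
     */
    public void setHandleUnsignedAssertions(boolean z) {
        this.handleUnsignedAssertions = z;
    }

    /** @return the configured expiration validator, or null when not set */
    public IExpirationValidator<Assertion> getAssertionExpirationValidator() {
        return this.assertionExpirationValidator;
    }

    /** @param iExpirationValidator validator classifying an assertion's expiration status */
    public void setAssertionExpirationValidator(IExpirationValidator<Assertion> iExpirationValidator) {
        this.assertionExpirationValidator = iExpirationValidator;
    }

    /** @param z {@code false} to reject refreshing of still-valid assertions (default {@code true}) */
    public void setAllowPreemptiveRefresh(boolean z) {
        this.allowPreemptiveRefresh = z;
    }

    /** @param iDateTimeEvaluator evaluator yielding the earliest pre-emptive refresh time point */
    public void setPreemptiveRefreshTimePointEvaluator(IDateTimeEvaluator iDateTimeEvaluator) {
        this.preemptiveRefreshTimePointEvaluator = iDateTimeEvaluator;
    }

    /** @param iDateTimeProvider clock consulted when deciding whether pre-emptive refresh is due */
    public void setDateTimeProvider(IDateTimeProvider iDateTimeProvider) {
        this.dateTimeProvider = iDateTimeProvider;
    }
}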
