package org.opensaml.saml.saml2.wssecurity.messaging.impl;

import com.google.common.base.Strings;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.servlet.http.HttpServletRequest;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.collection.LazyList;
import net.shibboleth.utilities.java.support.collection.Pair;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.primitive.NonnullSupplier;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.handler.AbstractMessageHandler;
import org.opensaml.messaging.handler.MessageHandlerException;
import org.opensaml.saml.common.assertion.AssertionValidationException;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.assertion.SAML20AssertionValidator;
import org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.saml2.wssecurity.SAML20AssertionToken;
import org.opensaml.soap.messaging.SOAPMessagingSupport;
import org.opensaml.soap.soap11.FaultCode;
import org.opensaml.soap.wssecurity.Security;
import org.opensaml.soap.wssecurity.WSSecurityConstants;
import org.opensaml.soap.wssecurity.messaging.Token;
import org.opensaml.soap.wssecurity.messaging.WSSecurityContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/opensaml-saml-impl-4.3.2.jar:org/opensaml/saml/saml2/wssecurity/messaging/impl/WSSecuritySAML20AssertionTokenSecurityHandler.class */
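/**
 * Message handler that validates SAML 2.0 {@link Assertion} tokens carried in the inbound
 * WS-Security {@code Security} SOAP header block and records each one as a
 * {@link SAML20AssertionToken} in the message's {@link WSSecurityContext}.
 *
 * <p>For every assertion found, a {@link SAML20AssertionValidator} is resolved first through the
 * optional lookup function and, failing that, from the locally configured validator. The
 * {@link ValidationContext} handed to the validator is produced by the configured builder
 * function, which defaults to {@link DefaultSAML20AssertionValidationContextBuilder}.</p>
 *
 * <p>When {@code invalidFatal} is {@code true} (the default), an {@code INVALID} or
 * {@code INDETERMINATE} result registers the WS-Security "invalid security token" SOAP fault and
 * aborts the handler with a {@link MessageHandlerException}. When it is {@code false}, the token
 * is still added to the {@link WSSecurityContext} with its {@link Token.ValidationStatus} set to
 * the outcome, so downstream consumers must check that status before relying on the token.</p>
 *
 * <p>Internal failures (no validator, no validation context, validation error) register a
 * generic {@code Server} fault whose text does not echo details of the failure; the specifics
 * are only logged.</p>
 */
public class WSSecuritySAML20AssertionTokenSecurityHandler extends AbstractMessageHandler {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(WSSecuritySAML20AssertionTokenSecurityHandler.class);

    /** Supplier of the current servlet request, passed to the validation context builder. */
    @Nullable
    private NonnullSupplier<HttpServletRequest> httpServletRequestSupplier;

    /** Whether an INVALID or INDETERMINATE result terminates processing with a fault. */
    private boolean invalidFatal;

    /** Locally configured validator, used when the lookup function yields nothing. */
    @Nullable
    private SAML20AssertionValidator assertionValidator;

    /** Optional per-message validator lookup, consulted before the local validator. */
    @Nullable
    private Function<Pair<MessageContext, Assertion>, SAML20AssertionValidator> assertionValidatorLookup;

    /** Builds the {@link ValidationContext} for each assertion; never null after init. */
    @NonnullAfterInit
    private Function<SAML20AssertionTokenValidationInput, ValidationContext> validationContextBuilder;

    /** Constructor: invalid results are fatal and the default context builder is installed. */
    public WSSecuritySAML20AssertionTokenSecurityHandler() {
        setInvalidFatal(true);
        setValidationContextBuilder(new DefaultSAML20AssertionValidationContextBuilder());
    }

    /**
     * Gets the function that builds the {@link ValidationContext} for an assertion.
     *
     * @return the validation context builder
     */
    @NonnullAfterInit
    public Function<SAML20AssertionTokenValidationInput, ValidationContext> getValidationContextBuilder() {
        return this.validationContextBuilder;
    }

    /**
     * Sets the function that builds the {@link ValidationContext} for an assertion.
     *
     * @param function the builder, may not be null
     * @throws net.shibboleth.utilities.java.support.component.UnmodifiableComponentException
     *         if the component is already initialized
     * @throws net.shibboleth.utilities.java.support.component.DestroyedComponentException
     *         if the component is destroyed
     */
    public void setValidationContextBuilder(@Nonnull Function<SAML20AssertionTokenValidationInput, ValidationContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        // Constraint.isNotNull is generic; the raw (Function) cast from the decompiled form is not needed.
        this.validationContextBuilder = Constraint.isNotNull(function, "Validation context builder may not be null");
    }

    /**
     * Gets the current {@link HttpServletRequest} from the configured supplier.
     *
     * @return the request, or null if no supplier is configured
     */
    @Nullable
    public HttpServletRequest getHttpServletRequest() {
        final NonnullSupplier<HttpServletRequest> supplier = this.httpServletRequestSupplier;
        return supplier == null ? null : supplier.get();
    }

    /**
     * Gets the supplier of the current {@link HttpServletRequest}.
     *
     * @return the supplier, or null
     */
    @Nullable
    public NonnullSupplier<HttpServletRequest> getHttpServletRequestSupplier() {
        return this.httpServletRequestSupplier;
    }

    /**
     * Sets the supplier of the current {@link HttpServletRequest}.
     *
     * @param nonnullSupplier the supplier, may be null
     */
    public void setHttpServletRequestSupplier(@Nullable NonnullSupplier<HttpServletRequest> nonnullSupplier) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.httpServletRequestSupplier = nonnullSupplier;
    }

    /**
     * Whether an INVALID or INDETERMINATE validation result is fatal to message processing.
     *
     * @return true if such results terminate processing with a SOAP fault
     */
    public boolean isInvalidFatal() {
        return this.invalidFatal;
    }

    /**
     * Sets whether an INVALID or INDETERMINATE validation result is fatal to message processing.
     *
     * @param z the new value
     */
    public void setInvalidFatal(boolean z) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        this.invalidFatal = z;
    }

    /**
     * Gets the locally configured assertion validator.
     *
     * @return the validator, or null
     */
    @Nullable
    public SAML20AssertionValidator getAssertionValidator() {
        return this.assertionValidator;
    }

    /**
     * Sets the locally configured assertion validator.
     *
     * @param sAML20AssertionValidator the validator, may be null if a lookup function is set
     */
    public void setAssertionValidator(@Nullable SAML20AssertionValidator sAML20AssertionValidator) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        this.assertionValidator = sAML20AssertionValidator;
    }

    /**
     * Gets the per-message validator lookup function.
     *
     * @return the lookup function, or null
     */
    @Nullable
    public Function<Pair<MessageContext, Assertion>, SAML20AssertionValidator> getAssertionValidatorLookup() {
        return this.assertionValidatorLookup;
    }

    /**
     * Sets the per-message validator lookup function.
     *
     * @param function the lookup function, may be null if a local validator is set
     */
    public void setAssertionValidatorLookup(@Nullable Function<Pair<MessageContext, Assertion>, SAML20AssertionValidator> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        this.assertionValidatorLookup = function;
    }

    /**
     * Checks that a context builder, a servlet request and at least one way of obtaining a
     * validator are configured.
     *
     * <p>Declared {@code protected} upstream per the decompiler note; it is kept {@code public}
     * here so the signature visible to callers of this listing is unchanged.</p>
     *
     * @throws ComponentInitializationException if any required collaborator is missing
     */
    @Override // net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
    public void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (getValidationContextBuilder() == null) {
            throw new ComponentInitializationException("ValidationContext builder cannot be null");
        }
        // NOTE(review): this invokes the supplier at initialization time rather than only checking
        // that one is configured — confirm the configured supplier tolerates being called outside
        // an active request.
        if (getHttpServletRequest() == null) {
            throw new ComponentInitializationException("HttpServletRequest cannot be null");
        }
        if (getAssertionValidator() == null) {
            if (getAssertionValidatorLookup() == null) {
                throw new ComponentInitializationException("Both Assertion validator and lookup function were null");
            }
            this.log.info("Assertion validator is null, must be resovleable via the lookup function");
        }
    }

    /**
     * Validates every SAML 2.0 assertion found in the inbound WS-Security header and records the
     * resulting tokens in the message's {@link WSSecurityContext}.
     *
     * <p>Non-SOAP messages and messages without assertion tokens are skipped. A missing validator
     * or a validation error registers a generic {@code Server} fault and aborts; outcome-specific
     * handling is delegated to {@link #processResult}.</p>
     *
     * @param messageContext the inbound message context
     * @throws MessageHandlerException on a fatal validation outcome or internal failure
     */
    @Override // org.opensaml.messaging.handler.AbstractMessageHandler
    protected void doInvoke(@Nonnull MessageContext messageContext) throws MessageHandlerException {
        if (!SOAPMessagingSupport.isSOAPMessage(messageContext)) {
            this.log.info("Message context does not contain a SOAP envelope. Skipping rule...");
            return;
        }
        final List<Assertion> assertions = resolveAssertions(messageContext);
        // resolveAssertions is overridable, so a null return is still guarded against.
        if (assertions == null || assertions.isEmpty()) {
            this.log.info("Inbound SOAP envelope contained no Assertion tokens. Skipping further processing");
            return;
        }
        // Auto-created if absent so that tokens can always be recorded.
        final WSSecurityContext securityContext = messageContext.getSubcontext(WSSecurityContext.class, true);
        for (final Assertion assertion : assertions) {
            final SAML20AssertionValidator validator = resolveValidator(messageContext, assertion);
            if (validator == null) {
                this.log.warn("No SAML20AssertionValidator was available, terminating");
                SOAPMessagingSupport.registerSOAP11Fault(messageContext, FaultCode.SERVER, "Internal processing error", null, null, null);
                throw new MessageHandlerException("No SAML20AssertionValidator was available");
            }
            final ValidationContext validationContext = buildValidationContext(messageContext, assertion);
            try {
                final ValidationResult result = validator.validate(assertion, validationContext);
                final SAML20AssertionToken token = new SAML20AssertionToken(assertion);
                // processResult throws before the token is recorded when the outcome is fatal.
                processResult(validationContext, result, token, messageContext);
                securityContext.getTokens().add(token);
            } catch (final AssertionValidationException e) {
                this.log.warn("There was a problem determining Assertion validity: {}", e.getMessage());
                SOAPMessagingSupport.registerSOAP11Fault(messageContext, FaultCode.SERVER, "Internal security token processing error", null, null, null);
                throw new MessageHandlerException("Error determining SAML 2.0 Assertion validity", e);
            }
        }
    }

    /**
     * Applies a validation outcome to the token: sets its status and confirmed subject
     * confirmation, or registers a SOAP fault and throws when the outcome is fatal.
     *
     * @param validationContext the context used for validation; supplies the failure message and
     *        the confirmed {@link SubjectConfirmation}
     * @param validationResult the validator's outcome
     * @param sAML20AssertionToken the token to update
     * @param messageContext the message context on which faults are registered
     * @throws MessageHandlerException if the result is INVALID or INDETERMINATE and
     *         {@link #isInvalidFatal()} is true
     * @throws IllegalArgumentException if the result is an unrecognized value
     */
    protected void processResult(@Nonnull ValidationContext validationContext, @Nonnull ValidationResult validationResult, @Nonnull SAML20AssertionToken sAML20AssertionToken, @Nonnull MessageContext messageContext) throws MessageHandlerException {
        this.log.debug("Assertion token validation result was: {}", validationResult);
        String reason = validationContext.getValidationFailureMessage();
        if (Strings.isNullOrEmpty(reason)) {
            reason = "unspecified";
        }
        switch (validationResult) {
            case VALID:
                recordOutcome(validationContext, sAML20AssertionToken, Token.ValidationStatus.VALID);
                return;
            case INVALID:
                this.log.warn("Assertion token validation was INVALID.  Reason: {}", reason);
                if (isInvalidFatal()) {
                    SOAPMessagingSupport.registerSOAP11Fault(messageContext, WSSecurityConstants.SOAP_FAULT_INVALID_SECURITY_TOKEN, "The SAML 2.0 Assertion token was invalid", null, null, null);
                    throw new MessageHandlerException("Assertion token validation result was INVALID");
                }
                recordOutcome(validationContext, sAML20AssertionToken, Token.ValidationStatus.INVALID);
                return;
            case INDETERMINATE:
                this.log.warn("Assertion token validation was INDETERMINATE. Reason: {}", reason);
                if (isInvalidFatal()) {
                    SOAPMessagingSupport.registerSOAP11Fault(messageContext, WSSecurityConstants.SOAP_FAULT_INVALID_SECURITY_TOKEN, "The SAML 2.0 Assertion token's validity could not be determined", null, null, null);
                    throw new MessageHandlerException("Assertion token validation result was INDETERMINATE");
                }
                recordOutcome(validationContext, sAML20AssertionToken, Token.ValidationStatus.INDETERMINATE);
                return;
            default:
                this.log.warn("Assertion validation result indicated an unknown value: {}", validationResult);
                SOAPMessagingSupport.registerSOAP11Fault(messageContext, FaultCode.SERVER, "Internal processing error", null, null, null);
                throw new IllegalArgumentException("Assertion validation result indicated an unknown value: " + validationResult);
        }
    }

    /**
     * Stores a non-fatal outcome on the token: the validation status plus whichever
     * {@link SubjectConfirmation} the validator recorded as confirmed (may be null).
     *
     * @param validationContext the context whose dynamic parameters hold the confirmed subject confirmation
     * @param token the token to update
     * @param status the status to record
     */
    private static void recordOutcome(@Nonnull final ValidationContext validationContext,
            @Nonnull final SAML20AssertionToken token, @Nonnull final Token.ValidationStatus status) {
        token.setValidationStatus(status);
        token.setSubjectConfirmation((SubjectConfirmation) validationContext.getDynamicParameters().get(SAML2AssertionValidationParameters.CONFIRMED_SUBJECT_CONFIRMATION));
    }

    /**
     * Resolves the validator for an assertion: the lookup function first, then the locally
     * configured validator.
     *
     * @param messageContext the message context
     * @param assertion the assertion to be validated
     * @return the validator, or null if neither source yields one
     */
    @Nullable
    protected SAML20AssertionValidator resolveValidator(@Nonnull MessageContext messageContext, @Nonnull Assertion assertion) {
        final Function<Pair<MessageContext, Assertion>, SAML20AssertionValidator> lookup = getAssertionValidatorLookup();
        if (lookup != null) {
            this.log.debug("Attempting to resolve SAML 2 Assertion validator via lookup function");
            final SAML20AssertionValidator looked = lookup.apply(new Pair<>(messageContext, assertion));
            if (looked != null) {
                this.log.debug("Resolved SAML 2 Assertion validator via lookup function");
                return looked;
            }
        }
        final SAML20AssertionValidator local = getAssertionValidator();
        if (local != null) {
            this.log.debug("Resolved locally configured SAML 2 Assertion validator");
            return local;
        }
        this.log.debug("No SAML 2 Assertion validator could be resolved");
        return null;
    }

    /**
     * Builds the {@link ValidationContext} for an assertion via the configured builder.
     *
     * @param messageContext the message context
     * @param assertion the assertion to be validated
     * @return the validation context, never null
     * @throws MessageHandlerException if the builder produces null; a generic Server fault is
     *         registered first
     */
    @Nonnull
    protected ValidationContext buildValidationContext(@Nonnull MessageContext messageContext, @Nonnull Assertion assertion) throws MessageHandlerException {
        final SAML20AssertionTokenValidationInput input =
                new SAML20AssertionTokenValidationInput(messageContext, getHttpServletRequest(), assertion);
        final ValidationContext context = getValidationContextBuilder().apply(input);
        if (context == null) {
            this.log.warn("ValidationContext produced was null");
            SOAPMessagingSupport.registerSOAP11Fault(messageContext, FaultCode.SERVER, "Internal processing error", null, null, null);
            throw new MessageHandlerException("No ValidationContext was produced");
        }
        return context;
    }

    /**
     * Collects every {@code saml2:Assertion} child of every inbound WS-Security {@code Security}
     * header block.
     *
     * @param messageContext the message context
     * @return the assertions found, or an empty list if there is no Security header
     */
    @Nonnull
    protected List<Assertion> resolveAssertions(@Nonnull MessageContext messageContext) {
        final List<XMLObject> securityHeaders = SOAPMessagingSupport.getInboundHeaderBlock(messageContext, Security.ELEMENT_NAME);
        if (securityHeaders == null || securityHeaders.isEmpty()) {
            this.log.debug("No WS-Security Security header found in inbound SOAP message. Skipping further processing.");
            return Collections.emptyList();
        }
        // Typed LazyList replaces the raw type left by the decompiler.
        final LazyList<Assertion> assertions = new LazyList<>();
        for (final XMLObject header : securityHeaders) {
            final List<XMLObject> children = ((Security) header).getUnknownXMLObjects(Assertion.DEFAULT_ELEMENT_NAME);
            if (children == null || children.isEmpty()) {
                continue;
            }
            for (final XMLObject child : children) {
                // Children were selected by the Assertion element QName, hence the cast.
                assertions.add((Assertion) child);
            }
        }
        return assertions;
    }
}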
