package com.ibm.ws.security.saml.sso20.rs;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.saml.SsoSamlService;
import com.ibm.ws.security.saml.error.SamlException;
import com.ibm.ws.security.saml.sso20.acs.AssertionValidator;
import com.ibm.ws.security.saml.sso20.binding.BasicMessageContext;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.saml2.core.SubjectConfirmationData;

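/**
 * Validates a SAML 2.0 assertion that a resource server (RS) receives as a bearer token.
 *
 * <p>Builds on {@link AssertionValidator} and tightens two steps for the RS case:
 * <ul>
 *   <li>{@link #verifySubject()} accepts only a {@code urn:oasis:names:tc:SAML:2.0:cm:bearer}
 *       confirmation whose {@code SubjectConfirmationData} has a {@code NotOnOrAfter} (still
 *       valid within the configured clock skew) and no {@code NotBefore};</li>
 *   <li>{@link #verifyAudience(List)} compares the assertion's {@code Audience} URIs against the
 *       audiences configured on the {@link SsoSamlService}.</li>
 * </ul>
 *
 * <p>Security note: the audience check is skipped entirely when no audiences are configured or
 * when any configured entry is the literal {@code "ANY"}. Deployments should configure an
 * explicit audience so an assertion minted for another relying party is not accepted here.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.saml.sso20_1.0.14.jar:com/ibm/ws/security/saml/sso20/rs/RsAssertionValidator.class */
public class RsAssertionValidator extends AssertionValidator {
    private static TraceComponent tc = Tr.register((Class<?>) RsAssertionValidator.class, "SAML20", "com.ibm.ws.security.saml.sso20.internal.resources.SamlSso20Messages");

    /** SubjectConfirmation method this validator requires (SAML 2.0 Profiles, bearer). */
    private static final String BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer";

    /** Configured audience value that disables the audience check. */
    private static final String AUDIENCE_ANY = "ANY";

    /** Service whose configuration supplies the expected audiences; taken from the message context. */
    protected SsoSamlService ssoSamlService;
    static final long serialVersionUID = -5162286195364471646L;

    /**
     * Creates a validator for one assertion in the given message context.
     *
     * @param basicMessageContext the inbound message context; its {@code getSsoService()} supplies the config
     * @param assertion the assertion to validate
     */
    public RsAssertionValidator(BasicMessageContext<?, ?, ?> basicMessageContext, Assertion assertion) {
        super(basicMessageContext, assertion);
        this.ssoSamlService = basicMessageContext.getSsoService();
    }

    /**
     * Runs the RS validation sequence. Order matters: the issuer and signature are checked before
     * any claim inside the assertion is trusted.
     *
     * @throws SamlException if any step rejects the assertion
     */
    @Override // com.ibm.ws.security.saml.sso20.acs.AssertionValidator
    public void validateAssertion() throws SamlException {
        validateIssuer(true); // NOTE(review): the boolean's meaning is defined in the superclass — confirm it is the strict mode intended here
        validateSignature();
        verifySubject();
        verifyConditions();
        verifyAuthnStatement();
    }

    /**
     * Requires a bearer SubjectConfirmation with acceptable SubjectConfirmationData and records the
     * subject NameID on the context.
     *
     * <p>The first bearer confirmation found is used; confirmations with other methods are skipped
     * (the last such method is reported if no bearer confirmation exists).
     *
     * @throws SamlException if the Subject is missing, no bearer confirmation is present, the
     *         SubjectConfirmationData is missing, carries a NotBefore, lacks NotOnOrAfter, or has expired
     */
    @Override // com.ibm.ws.security.saml.sso20.acs.AssertionValidator
    protected void verifySubject() throws SamlException {
        Subject subject = this.assertion.getSubject();
        if (subject == null) {
            // Fail the same way a missing SubjectConfirmationData does instead of NPE-ing on
            // getSubjectConfirmations(); a bearer assertion without a Subject cannot be bound to anyone.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "There is no Subject", new Object[0]);
            }
            throw new SamlException("SAML20_ELEMENT_ERR", (Exception) null, new Object[]{"Subject"});
        }

        String lastNonBearerMethod = null;
        for (SubjectConfirmation confirmation : subject.getSubjectConfirmations()) {
            if (!BEARER_METHOD.equals(confirmation.getMethod())) {
                lastNonBearerMethod = confirmation.getMethod();
                continue;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Subject Confirmation:", confirmation.getMethod());
            }
            verifyBearerConfirmationData(confirmation.getSubjectConfirmationData());
            this.context.setSubjectNameIdentifier(subject.getNameID());
            return;
        }
        throw new SamlException("SAML20_NO_BEARER_FOUND", (Exception) null, new Object[]{lastNonBearerMethod});
    }

    /**
     * Applies the bearer-confirmation rules to one SubjectConfirmationData element.
     *
     * <p>NOTE(review): Recipient, InResponseTo and Address are not checked here. For a bearer
     * assertion presented directly to a resource server that may be intended (there is no
     * AuthnRequest to correlate with), but confirm against the profile this endpoint implements.
     *
     * @param data the confirmation data of the bearer SubjectConfirmation; may be {@code null}
     * @throws SamlException if the data is absent, carries a NotBefore, lacks NotOnOrAfter, or
     *         NotOnOrAfter plus the allowed clock skew is already in the past
     */
    private void verifyBearerConfirmationData(SubjectConfirmationData data) throws SamlException {
        if (data == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "There is no SubjectConfirmationData", new Object[0]);
            }
            throw new SamlException("SAML20_ELEMENT_ERR", (Exception) null, new Object[]{"SubjectConfirmationData"});
        }
        // Bearer SubjectConfirmationData must not carry NotBefore; its validity window is bounded only
        // by NotOnOrAfter (the Conditions element carries the assertion-level NotBefore).
        if (data.getNotBefore() != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "There is a NotBefore", new Object[0]);
            }
            throw new SamlException("SAML20_SUBJECT_NOTBEFORE_ERR", (Exception) null, new Object[0]);
        }
        if (data.getNotOnOrAfter() == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "NotOnOrAfter attribute is required inside SubjectConfirmationData element.", new Object[0]);
            }
            throw new SamlException("SAML20_ELEMENT_ATTR_ERR", (Exception) null, new Object[]{"NotOnOrAfter", "SubjectConfirmationData"});
        }
        // clockSkewAllowed is in milliseconds (inherited); the message reports it in seconds.
        if (data.getNotOnOrAfter().plus(this.clockSkewAllowed).isBeforeNow()) {
            throw new SamlException("SAML20_SUBJECT_NOTONAFTER_ERR", (Exception) null,
                    new Object[]{data.getNotOnOrAfter(), new Date(), Long.valueOf(this.clockSkewAllowed / 1000)});
        }
    }

    /**
     * Checks the assertion's AudienceRestriction elements against the configured audiences.
     *
     * <p>The check passes as soon as any Audience in any AudienceRestriction equals a configured
     * value. NOTE(review): SAML 2.0 Core §2.5.1.4 says each AudienceRestriction is evaluated
     * independently (all must be satisfied); this implementation is more lenient than that.
     * Confirm whether that leniency is intended before relying on multi-restriction assertions.
     *
     * <p>No check is performed when the configuration lists no audiences or contains {@code "ANY"}.
     *
     * @param audienceRestrictions the Conditions' AudienceRestriction elements; {@code null} is treated as empty
     * @throws SamlException if an audience check is required and no Audience matched (the last
     *         non-matching URI is reported), or no Audience was present at all
     */
    @Override // com.ibm.ws.security.saml.sso20.acs.AssertionValidator
    protected void verifyAudience(List<AudienceRestriction> audienceRestrictions) throws SamlException {
        String[] configured = this.ssoSamlService.getConfig().getAudiences();
        if (audienceCheckDisabled(configured)) {
            return;
        }

        SamlException mismatch = null;
        if (audienceRestrictions != null) {
            for (AudienceRestriction restriction : audienceRestrictions) {
                for (Audience audience : restriction.getAudiences()) {
                    String uri = audience.getAudienceURI();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Audience=" + uri, new Object[0]);
                    }
                    if (isConfiguredAudience(configured, uri)) {
                        return;
                    }
                    // Remember the last mismatch so the error names a concrete offending URI.
                    mismatch = new SamlException("SAML20_AUDIENCE_UNKNOWN_ERR", (Exception) null, new Object[]{uri, configured[0]});
                }
            }
        }

        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Invalid audience", new Object[0]);
        }
        if (mismatch == null) {
            // No Audience element was seen at all while one was required.
            throw new SamlException("SAML20_ELEMENT_ATTR_ERR", (Exception) null, new Object[]{"Audience", "Conditions"});
        }
        throw mismatch;
    }

    /**
     * True when the configuration switches the audience check off: no audiences at all, or any
     * entry equal to {@value #AUDIENCE_ANY}.
     */
    private static boolean audienceCheckDisabled(String[] configured) {
        if (configured == null || configured.length == 0) {
            return true;
        }
        for (String entry : configured) {
            if (AUDIENCE_ANY.equals(entry)) {
                return true;
            }
        }
        return false;
    }

    /** True when {@code uri} exactly equals one of the configured audience values (null entries ignored). */
    private static boolean isConfiguredAudience(String[] configured, String uri) {
        for (String expected : configured) {
            if (expected != null && expected.equals(uri)) {
                return true;
            }
        }
        return false;
    }
}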
