package org.opensaml.saml.saml2.assertion.impl;

import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import javax.annotation.Nonnull;
import javax.xml.namespace.QName;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import org.opensaml.saml.common.assertion.AssertionValidationException;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.assertion.SAML20AssertionValidator;
import org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters;
import org.opensaml.saml.saml2.assertion.StatementValidator;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.opensaml.saml.saml2.core.Statement;
import org.opensaml.saml.saml2.core.SubjectLocality;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/opensaml-saml-impl-4.1.1.jar:org/opensaml/saml/saml2/assertion/impl/AuthnStatementValidator.class */
/**
 * {@link StatementValidator} for SAML 2.0 {@link AuthnStatement} elements.
 *
 * <p>Three checks run in order and the first non-{@code VALID} result is returned:
 * authentication-instant freshness, {@code SubjectLocality/@Address}, and an authentication-context
 * hook. Each check is driven by static parameters on the {@link ValidationContext}.</p>
 *
 * <p>Security-relevant defaults visible in this class:</p>
 * <ul>
 *   <li>Freshness is only enforced when {@code STMT_AUTHN_MAX_TIME} is supplied.</li>
 *   <li>The address check is on unless {@code STMT_AUTHN_CHECK_ADDRESS} is explicitly
 *       {@code false}, but a statement carrying no address passes it.</li>
 *   <li>{@link #validateAuthnContext} accepts everything unless a subclass overrides it.</li>
 * </ul>
 */
public class AuthnStatementValidator implements StatementValidator {
    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(AuthnStatementValidator.class);

    /**
     * Returns the element name of the statement type this validator handles.
     *
     * @return {@code AuthnStatement.DEFAULT_ELEMENT_NAME}
     */
    @Override
    public QName getServicedStatement() {
        return AuthnStatement.DEFAULT_ELEMENT_NAME;
    }

    /**
     * Validates an {@link AuthnStatement} by running the instant, locality and context checks in turn.
     *
     * <p>A statement of any other type, or any {@link RuntimeException} /
     * {@link AssertionValidationException} raised by a check, yields
     * {@code ValidationResult.INDETERMINATE} rather than propagating. Callers should therefore accept
     * the statement only on {@code VALID}.</p>
     *
     * @param statement the statement to evaluate
     * @param assertion the assertion that contains the statement
     * @param validationContext the current validation context and its static parameters
     * @return the result of the first check that is not {@code VALID}, otherwise the result of the
     *         authentication-context check
     * @throws AssertionValidationException declared by the interface; exceptions from the individual
     *         checks are caught here
     */
    @Override
    public ValidationResult validate(@Nonnull Statement statement, @Nonnull Assertion assertion, @Nonnull ValidationContext validationContext) throws AssertionValidationException {
        if (!(statement instanceof AuthnStatement)) {
            this.log.warn("Statement '{}' of type '{}' in assertion '{}' was not an '{}' statement.  Unable to process.",
                    statement.getElementQName(), statement.getSchemaType(), assertion.getID(), getServicedStatement());
            return ValidationResult.INDETERMINATE;
        }

        try {
            final AuthnStatement authn = (AuthnStatement) statement;

            // Each later check runs only while every earlier one reported VALID.
            ValidationResult outcome = validateAuthnInstant(authn, assertion, validationContext);
            if (outcome == ValidationResult.VALID) {
                outcome = validateSubjectLocality(authn, assertion, validationContext);
            }
            if (outcome == ValidationResult.VALID) {
                outcome = validateAuthnContext(authn, assertion, validationContext);
            }
            return outcome;
        } catch (RuntimeException | AssertionValidationException e) {
            // Fail to INDETERMINATE, never to VALID, when a check cannot complete.
            this.log.warn("There was a problem determining AuthnStatement validity", e);
            return ValidationResult.INDETERMINATE;
        }
    }

    /**
     * Checks that {@code AuthnStatement/@AuthnInstant} is not older than the configured maximum age.
     *
     * <p>The limit is read from the static parameter {@code STMT_AUTHN_MAX_TIME}. When that parameter
     * is absent the check is skipped and {@code VALID} is returned, even if the statement has no
     * {@code AuthnInstant}; deployments that need to bound authentication age must supply it.</p>
     *
     * <p>Only the upper bound {@code AuthnInstant + max age + clock skew} is compared against the
     * current time. NOTE(review): an {@code AuthnInstant} lying in the future is not rejected by this
     * method; confirm whether another validator covers that case.</p>
     *
     * @param authnStatement the statement being evaluated
     * @param assertion the containing assertion
     * @param validationContext the current validation context
     * @return {@code VALID} when the check is skipped or the instant is recent enough,
     *         {@code INVALID} when the instant is missing or too old
     * @throws AssertionValidationException declared for overriding implementations
     */
    protected ValidationResult validateAuthnInstant(@Nonnull AuthnStatement authnStatement, @Nonnull Assertion assertion, @Nonnull ValidationContext validationContext) throws AssertionValidationException {
        final Duration maxTimeSinceAuthn = (Duration) validationContext.getStaticParameters()
                .get(SAML2AssertionValidationParameters.STMT_AUTHN_MAX_TIME);
        if (maxTimeSinceAuthn == null) {
            this.log.debug("Max time since authn for evaluation of AuthnStatement/@AuthnInstant not supplied, skipping");
            return ValidationResult.VALID;
        }
        this.log.debug("Max time since authn for evaluation of AuthnStatement/@AuthnInstant was: {}", maxTimeSinceAuthn);

        final Instant authnInstant = authnStatement.getAuthnInstant();
        if (authnInstant == null) {
            this.log.warn("AuthnStatement/@AuthnInstant is required but was not supplied, failing");
            return ValidationResult.INVALID;
        }

        // Latest acceptable "now": the instant plus the allowed age, widened by the clock skew.
        final Instant afterMaxAge = authnInstant.plus(maxTimeSinceAuthn);
        final Instant latestValid = afterMaxAge.plus((TemporalAmount) SAML20AssertionValidator.getClockSkew(validationContext));

        if (Instant.now().isAfter(latestValid)) {
            this.log.warn("AuthnStatement/@AuthnInstant '{}' eval failed, now is after latest valid (including skew) '{}'", authnInstant, latestValid);
            return ValidationResult.INVALID;
        }
        return ValidationResult.VALID;
    }

    /**
     * Checks {@code SubjectLocality/@Address} against the set of valid addresses.
     *
     * <p>The check is skipped only when {@code STMT_AUTHN_CHECK_ADDRESS} is present and
     * {@code false}; an absent parameter leaves it enabled. A statement without a
     * {@code SubjectLocality}, or without an address on it, is treated as {@code VALID}, so this
     * check does not by itself require the address to be present.</p>
     *
     * @param authnStatement the statement being evaluated
     * @param assertion the containing assertion
     * @param validationContext the current validation context
     * @return {@code VALID} when skipped or no address is present, otherwise the result of
     *         {@code AssertionValidationSupport.checkAddress}
     * @throws AssertionValidationException if the address comparison fails to complete
     */
    protected ValidationResult validateSubjectLocality(@Nonnull AuthnStatement authnStatement, @Nonnull Assertion assertion, @Nonnull ValidationContext validationContext) throws AssertionValidationException {
        final Boolean checkAddress = (Boolean) validationContext.getStaticParameters()
                .get(SAML2AssertionValidationParameters.STMT_AUTHN_CHECK_ADDRESS);
        if (Boolean.FALSE.equals(checkAddress)) {
            this.log.debug("SubjectLocality/@Address check is disabled, skipping");
            return ValidationResult.VALID;
        }

        final SubjectLocality locality = authnStatement.getSubjectLocality();
        if (locality == null || locality.getAddress() == null) {
            this.log.debug("AuthnStatement contained no SubjectLocality/@Address, skipping");
            return ValidationResult.VALID;
        }

        // The address is trimmed (or nulled when blank) before it is handed to the shared check.
        return AssertionValidationSupport.checkAddress(
                validationContext,
                StringSupport.trimOrNull(locality.getAddress()),
                SAML2AssertionValidationParameters.STMT_AUTHN_VALID_ADDRESSES,
                assertion,
                "SubjectLocality/@Address");
    }

    /**
     * Evaluates the statement's authentication context.
     *
     * <p>This implementation performs no evaluation and always returns {@code VALID}. Requirements
     * on the authentication context (for example a minimum context class) are not enforced unless a
     * subclass overrides this method.</p>
     *
     * @param authnStatement the statement being evaluated
     * @param assertion the containing assertion
     * @param validationContext the current validation context
     * @return always {@code VALID}
     * @throws AssertionValidationException declared for overriding implementations
     */
    protected ValidationResult validateAuthnContext(@Nonnull AuthnStatement authnStatement, @Nonnull Assertion assertion, @Nonnull ValidationContext validationContext) throws AssertionValidationException {
        return ValidationResult.VALID;
    }
}
