package org.opensaml.common.binding.security;

import org.opensaml.common.SAMLObject;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.ws.message.MessageContext;
import org.opensaml.ws.security.SecurityPolicyException;
import org.opensaml.xml.security.trust.TrustEngine;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.validation.ValidationException;
import org.opensaml.xml.validation.Validator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/opensaml-2.6.4.jar:org/opensaml/common/binding/security/SAMLProtocolMessageXMLSignatureSecurityPolicyRule.class */
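/**
 * Security policy rule that verifies the XML signature carried on an inbound SAML
 * <em>protocol message</em> (the top-level request/response object in the
 * {@link SAMLMessageContext}), as opposed to signatures on assertions nested inside it.
 *
 * <p>Processing order for a signed message:
 * <ol>
 *   <li>the {@link Signature} is run through the pre-validator (by default a
 *       {@link SAMLSignatureProfileValidator}) before any trust decision is made;</li>
 *   <li>the signature is evaluated against the context's inbound message issuer via the
 *       {@link TrustEngine} supplied to the base class;</li>
 *   <li>on success the context is marked as having an authenticated inbound message.</li>
 * </ol>
 *
 * <p><b>Security caveats for deployers:</b>
 * <ul>
 *   <li>This rule does <b>not</b> require a signature. An unsigned message is skipped
 *       (logged at INFO), not rejected. Whether a signature is mandatory must be enforced
 *       elsewhere, e.g. by checking
 *       {@link SAMLMessageContext#isInboundSAMLMessageAuthenticated()} after policy
 *       evaluation.</li>
 *   <li>Passing {@code null} as the validator to the two-argument constructor disables
 *       pre-validation entirely, so the signature reaches the trust engine unchecked by the
 *       profile validator. Only do this if an equivalent structural check is applied
 *       somewhere else.</li>
 *   <li>The rule relies on an earlier rule having populated the inbound message issuer; if
 *       it is absent the rule fails closed with a {@link SecurityPolicyException}.</li>
 * </ul>
 */
public class SAMLProtocolMessageXMLSignatureSecurityPolicyRule extends BaseSAMLXMLSignatureSecurityPolicyRule {

    /** Class logger. */
    private static final Logger log =
            LoggerFactory.getLogger(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.class);

    /** Validator applied to the signature before trust evaluation; may be null (see class docs). */
    private final Validator<Signature> sigValidator;

    /**
     * Creates a rule that pre-validates signatures with a {@link SAMLSignatureProfileValidator}.
     *
     * @param trustEngine trust engine used to evaluate the signature against the message issuer
     */
    public SAMLProtocolMessageXMLSignatureSecurityPolicyRule(TrustEngine<Signature> trustEngine) {
        this(trustEngine, new SAMLSignatureProfileValidator());
    }

    /**
     * Creates a rule with a caller-supplied signature pre-validator.
     *
     * @param trustEngine trust engine used to evaluate the signature against the message issuer
     * @param validator   pre-validator run on the signature before trust evaluation; {@code null}
     *                    disables pre-validation (not recommended, see class docs)
     */
    public SAMLProtocolMessageXMLSignatureSecurityPolicyRule(TrustEngine<Signature> trustEngine,
            Validator<Signature> validator) {
        super(trustEngine);
        this.sigValidator = validator;
    }

    /**
     * Evaluates the rule against the inbound SAML protocol message in the context.
     *
     * <p>Returns without effect (and without failing) when the context is not a
     * {@link SAMLMessageContext}, when the inbound message is not a {@link SignableSAMLObject},
     * or when the message carries no signature.
     *
     * @param messageContext the message context to evaluate
     * @throws SecurityPolicyException if the signature fails pre-validation, the issuer is
     *                                 unavailable, or the signature does not verify
     */
    @Override // org.opensaml.ws.security.SecurityPolicyRule
    public void evaluate(MessageContext messageContext) throws SecurityPolicyException {
        if (!(messageContext instanceof SAMLMessageContext)) {
            log.debug("Invalid message context type, this policy rule only supports SAMLMessageContext");
            return;
        }
        SAMLMessageContext samlMsgCtx = (SAMLMessageContext) messageContext;

        SAMLObject inboundMessage = samlMsgCtx.getInboundSAMLMessage();
        if (!(inboundMessage instanceof SignableSAMLObject)) {
            log.debug("Extracted SAML message was not a SignableSAMLObject, can not process signature");
            return;
        }
        SignableSAMLObject signableMessage = (SignableSAMLObject) inboundMessage;

        // Deliberately permissive: an absent signature is not an error for this rule.
        // A "signature required" policy must be enforced by a separate check.
        if (!signableMessage.isSigned()) {
            log.info("SAML protocol message was not signed, skipping XML signature processing");
            return;
        }

        Signature signature = signableMessage.getSignature();
        // Structural/profile checks first, so malformed signatures never reach the trust engine.
        performPreValidation(signature);
        doEvaluate(signature, signableMessage, samlMsgCtx);
    }

    /**
     * Verifies the (already pre-validated) signature against the context's inbound message
     * issuer and, on success, marks the inbound message as authenticated.
     *
     * @param signature        the signature to verify
     * @param signableMessage  the signed protocol message (used for log context only)
     * @param samlMsgCtx       the message context supplying the issuer and receiving the result
     * @throws SecurityPolicyException if the issuer is unavailable or verification fails
     */
    protected void doEvaluate(Signature signature, SignableSAMLObject signableMessage,
            SAMLMessageContext samlMsgCtx) throws SecurityPolicyException {
        String contextIssuer = samlMsgCtx.getInboundMessageIssuer();
        // Fail closed: without an issuer there is no entity to evaluate trust against.
        if (contextIssuer == null) {
            log.debug("Context issuer unavailable, can not attempt SAML protocol message signature validation");
            throw new SecurityPolicyException("Context issuer unavailable, can not validate signature");
        }

        String msgType = signableMessage.getElementQName().toString();
        log.debug("Attempting to verify signature on signed SAML protocol message using context issuer message type: {}",
                msgType);

        // evaluate(Signature, String, MessageContext) is inherited from the base rule.
        if (!evaluate(signature, contextIssuer, samlMsgCtx)) {
            log.debug("Validation of protocol message signature failed for context issuer '{}', message type: {}",
                    contextIssuer, msgType);
            throw new SecurityPolicyException("Validation of protocol message signature failed");
        }

        log.info("Validation of protocol message signature succeeded, message type: {}", msgType);
        if (!samlMsgCtx.isInboundSAMLMessageAuthenticated()) {
            log.debug("Authentication via protocol message signature succeeded for context issuer entity ID {}",
                    contextIssuer);
            samlMsgCtx.setInboundSAMLMessageAuthenticated(true);
        }
    }

    /**
     * Returns the validator run on the signature before trust evaluation.
     *
     * @return the pre-validator, or {@code null} if pre-validation is disabled
     */
    protected Validator<Signature> getSignaturePrevalidator() {
        return this.sigValidator;
    }

    /**
     * Runs the configured pre-validator over the signature, converting a validation failure
     * into a policy failure. Does nothing when no pre-validator is configured.
     *
     * @param signature the signature to pre-validate
     * @throws SecurityPolicyException if the pre-validator rejects the signature
     */
    protected void performPreValidation(Signature signature) throws SecurityPolicyException {
        Validator<Signature> prevalidator = getSignaturePrevalidator();
        if (prevalidator == null) {
            return;
        }
        try {
            prevalidator.validate(signature);
        } catch (ValidationException e) {
            log.debug("Protocol message signature failed signature pre-validation", e);
            throw new SecurityPolicyException("Protocol message signature failed signature pre-validation", e);
        }
    }
}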
