package org.keycloak.saml.validators;

import java.net.URI;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.xml.datatype.DatatypeConstants;
import javax.xml.datatype.XMLGregorianCalendar;
import org.jboss.logging.Logger;
import org.keycloak.dom.saml.common.CommonConditionsType;
import org.keycloak.dom.saml.v2.assertion.AudienceRestrictionType;
import org.keycloak.dom.saml.v2.assertion.ConditionAbstractType;
import org.keycloak.dom.saml.v2.assertion.ConditionsType;
import org.keycloak.dom.saml.v2.assertion.OneTimeUseType;
import org.keycloak.dom.saml.v2.assertion.ProxyRestrictionType;
import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;

/* loaded from: input_file:BOOT-INF/lib/keycloak-saml-core-11.0.2.jar:org/keycloak/saml/validators/ConditionsValidator.class */
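/**
 * Validates the {@code <Conditions>} element of a SAML assertion against this service
 * provider's expectations: the validity window (widened by a configurable clock skew),
 * audience restriction, and structural sanity of {@code <OneTimeUse>} and
 * {@code <ProxyRestriction>}.
 *
 * <p>Security-relevant properties of this implementation (all visible in the code below):
 * <ul>
 *   <li>An assertion with no {@code <Conditions>} element at all is accepted:
 *       {@link #isValid()} returns {@code true} when the element is absent.</li>
 *   <li>An assertion whose Conditions carry no {@code <AudienceRestriction>} is NOT rejected,
 *       even when allowed audiences have been configured on the builder. The audience check
 *       only runs for restrictions the issuer actually included; a caller that wants to
 *       require an audience restriction must enforce that itself.</li>
 *   <li>Conversely, if no allowed audience is configured, every {@code <AudienceRestriction>}
 *       fails, so any assertion that carries one is rejected.</li>
 *   <li>{@code <OneTimeUse>} is not enforced as replay protection here: there is no replay
 *       cache, the class only rejects an assertion that declares the element more than once.
 *       The same holds for {@code <ProxyRestriction>}.</li>
 *   <li>Any condition type this class does not understand yields {@link Result#INDETERMINATE},
 *       and {@link #isValid()} treats everything other than {@link Result#VALID} as failure
 *       (fail closed).</li>
 *   <li>The reference time is taken once, via {@code XMLTimeUtil.getIssueInstant()}, when the
 *       validator is constructed, not when {@link #isValid()} is called.</li>
 * </ul>
 *
 * <p>Instances are intended for a single {@link #isValid()} call: the duplicate counters for
 * OneTimeUse / ProxyRestriction are never reset. This class is not thread-safe.
 */
public class ConditionsValidator {
    private static final Logger LOG = Logger.getLogger(ConditionsValidator.class);
    private final CommonConditionsType conditions;
    private final int clockSkewInMillis;
    private final String assertionId;
    /** Reference "now", captured at construction time. */
    private final XMLGregorianCalendar now;
    /** Audiences this SP accepts; an assertion audience matches via {@link DestinationValidator}. */
    private final Set<URI> allowedAudiences;
    private final DestinationValidator destinationValidator;
    /** Number of {@code <OneTimeUse>} conditions seen so far; more than one is invalid. */
    private int oneTimeConditionsCount;
    /** Number of {@code <ProxyRestriction>} conditions seen so far; more than one is invalid. */
    private int proxyRestrictionsCount;

    /**
     * Builder for {@link ConditionsValidator}.
     *
     * <p>Defaults: zero clock skew and no allowed audiences. Note that with no allowed
     * audiences configured, any {@code <AudienceRestriction>} in the assertion will fail.
     */
    public static class Builder {
        private final String assertionId;
        private final CommonConditionsType conditions;
        private final DestinationValidator destinationValidator;
        private int clockSkewInMillis = 0;
        private final Set<URI> allowedAudiences = new HashSet<>();

        /**
         * @param assertionId          identifier of the assertion, used only for log messages
         * @param conditions           the assertion's Conditions element; may be {@code null},
         *                             in which case the built validator accepts the assertion
         * @param destinationValidator decides whether an assertion audience matches an allowed one
         */
        public Builder(String assertionId, CommonConditionsType conditions, DestinationValidator destinationValidator) {
            this.assertionId = assertionId;
            this.conditions = conditions;
            this.destinationValidator = destinationValidator;
        }

        /**
         * Tolerated clock difference between IdP and SP. The validity window is widened by this
         * amount on both ends (NotBefore moved earlier, NotOnOrAfter moved later).
         */
        public Builder clockSkewInMillis(int clockSkewInMillis) {
            this.clockSkewInMillis = clockSkewInMillis;
            return this;
        }

        /**
         * Adds audiences this SP will accept. Audiences accumulate across calls.
         *
         * @param audiences must not be {@code null} (a {@code null} array is a caller error)
         */
        public Builder addAllowedAudience(URI... audiences) {
            this.allowedAudiences.addAll(Arrays.asList(audiences));
            return this;
        }

        /**
         * Creates the validator with a snapshot of the configured audiences.
         *
         * <p>The audience set is copied and made unmodifiable: handing the builder's live set to
         * the validator would let a later {@link #addAllowedAudience} call on this builder silently
         * widen an already-built validator.
         */
        public ConditionsValidator build() {
            Set<URI> audiences = Collections.unmodifiableSet(new HashSet<>(this.allowedAudiences));
            return new ConditionsValidator(this.assertionId, this.conditions, this.clockSkewInMillis, audiences, this.destinationValidator);
        }
    }

    /**
     * Three-valued outcome of a single check. {@link #joinResult} folds this (the newest) result
     * into an accumulated one: {@code INVALID} absorbs everything, {@code INDETERMINATE} absorbs
     * {@code VALID}, and {@code VALID} leaves the accumulated result unchanged. Only an overall
     * {@code VALID} makes {@link ConditionsValidator#isValid()} succeed.
     */
    public enum Result {
        VALID {
            @Override
            public Result joinResult(Result accumulated) {
                return accumulated;
            }
        },
        INDETERMINATE {
            @Override
            public Result joinResult(Result accumulated) {
                return accumulated == INVALID ? INVALID : INDETERMINATE;
            }
        },
        INVALID {
            @Override
            public Result joinResult(Result accumulated) {
                return INVALID;
            }
        };

        /** Combines this result with an already accumulated one; see the enum documentation. */
        protected abstract Result joinResult(Result accumulated);
    }

    private ConditionsValidator(String assertionId, CommonConditionsType conditions, int clockSkewInMillis, Set<URI> allowedAudiences, DestinationValidator destinationValidator) {
        // Reference time is fixed here, so a validator must be built close to the time it is used.
        this.now = XMLTimeUtil.getIssueInstant();
        this.oneTimeConditionsCount = 0;
        this.proxyRestrictionsCount = 0;
        this.assertionId = assertionId;
        this.conditions = conditions;
        this.clockSkewInMillis = clockSkewInMillis;
        this.allowedAudiences = allowedAudiences;
        this.destinationValidator = destinationValidator;
    }

    /**
     * Evaluates all conditions.
     *
     * @return {@code true} only when the validity window and every recognised condition pass
     *         (or when there is no Conditions element at all); {@code false} for both
     *         {@code INVALID} and {@code INDETERMINATE} outcomes
     */
    public boolean isValid() {
        // No <Conditions> element: nothing to evaluate, the assertion is accepted (see class doc).
        if (this.conditions == null) {
            return true;
        }
        Result result = validateExpiration();
        if (this.conditions instanceof ConditionsType) {
            result = validateConditions((ConditionsType) this.conditions, result);
        } else {
            // Not the SAML 2.0 ConditionsType: only the window could be checked, so fail closed.
            // Note this overrides the expiration result even when that was already INVALID.
            result = Result.INDETERMINATE;
            LOG.infof("Unknown conditions in assertion %s: %s", this.assertionId, this.conditions.getClass().getSimpleName());
        }
        LOG.debugf("Assertion %s validity is %s", this.assertionId, result.name());
        return Result.VALID == result;
    }

    /**
     * Folds each child condition into {@code accumulated}, stopping at the first non-VALID result.
     *
     * <p>Because every {@code <AudienceRestriction>} is evaluated on its own and joined with
     * INVALID dominating, several of them must all match (the AND semantics SAML assigns to
     * multiple AudienceRestriction elements). An unrecognised or {@code null} condition yields
     * {@code INDETERMINATE}.
     */
    private Result validateConditions(ConditionsType conditionsType, Result accumulated) {
        Result result = accumulated;
        Iterable<ConditionAbstractType> children = conditionsType.getConditions();
        if (children == null) {
            return result;
        }
        Iterator<ConditionAbstractType> it = children.iterator();
        while (it.hasNext() && result == Result.VALID) {
            ConditionAbstractType condition = it.next();
            Result current;
            if (condition instanceof OneTimeUseType) {
                current = validateOneTimeUse((OneTimeUseType) condition);
            } else if (condition instanceof AudienceRestrictionType) {
                current = validateAudienceRestriction((AudienceRestrictionType) condition);
            } else if (condition instanceof ProxyRestrictionType) {
                current = validateProxyRestriction((ProxyRestrictionType) condition);
            } else {
                current = Result.INDETERMINATE;
                LOG.infof("Unknown condition in assertion %s: %s", this.assertionId, condition == null ? "<null>" : condition.getClass());
            }
            result = current.joinResult(result);
        }
        return result;
    }

    /**
     * Checks {@code now} against NotBefore / NotOnOrAfter, each widened by the clock skew.
     *
     * <p>Both attributes absent means no window, i.e. VALID. If both are present, NotBefore must
     * be strictly earlier than NotOnOrAfter; an equal, reversed or indeterminate comparison
     * (e.g. incomparable time zones) is INVALID. A single absent bound is passed through as
     * {@code null} to {@code XMLTimeUtil}, which presumably treats it as open-ended - that is the
     * helper's contract, not verified here.
     */
    private Result validateExpiration() {
        XMLGregorianCalendar notBefore = this.conditions.getNotBefore();
        XMLGregorianCalendar notOnOrAfter = this.conditions.getNotOnOrAfter();
        if (notBefore == null && notOnOrAfter == null) {
            return Result.VALID;
        }
        // compare() may also return DatatypeConstants.INDETERMINATE; anything but LESSER fails.
        if (notBefore != null && notOnOrAfter != null && notBefore.compare(notOnOrAfter) != DatatypeConstants.LESSER) {
            return Result.INVALID;
        }
        XMLGregorianCalendar earliest = XMLTimeUtil.subtract(notBefore, this.clockSkewInMillis);
        XMLGregorianCalendar latest = XMLTimeUtil.add(notOnOrAfter, this.clockSkewInMillis);
        LOG.debugf("Evaluating Conditions of Assertion %s. notBefore=%s, notOnOrAfter=%s, updatedNotBefore: %s, updatedOnOrAfter=%s, now: %s", this.assertionId, notBefore, notOnOrAfter, earliest, latest, this.now);
        boolean withinWindow = XMLTimeUtil.isValid(this.now, earliest, latest);
        if (!withinWindow) {
            LOG.infof("Assertion %s expired.", this.assertionId);
        }
        return withinWindow ? Result.VALID : Result.INVALID;
    }

    /**
     * Within one {@code <AudienceRestriction>} the listed audiences are alternatives: the first
     * one that {@link DestinationValidator#validate} matches against any allowed audience makes
     * the restriction VALID. No match - including an empty audience list or no configured
     * allowed audiences - is INVALID.
     */
    private Result validateAudienceRestriction(AudienceRestrictionType restriction) {
        for (URI audience : restriction.getAudience()) {
            for (URI allowed : this.allowedAudiences) {
                // Argument order is (assertion audience, configured audience); what counts as a
                // match (exact vs. normalised comparison) is the DestinationValidator's concern.
                if (this.destinationValidator.validate(audience, allowed)) {
                    return Result.VALID;
                }
            }
        }
        LOG.infof("Assertion %s is not addressed to this SP.", this.assertionId);
        LOG.debugf("Allowed audiences are: %s", this.allowedAudiences);
        return Result.INVALID;
    }

    /**
     * Structural check only: at most one {@code <OneTimeUse>} element is allowed. This does not
     * record or check whether the assertion has been seen before; replay protection has to live
     * elsewhere.
     */
    private Result validateOneTimeUse(OneTimeUseType oneTimeUse) {
        this.oneTimeConditionsCount++;
        if (this.oneTimeConditionsCount <= 1) {
            return Result.VALID;
        }
        LOG.info("Invalid conditions: Multiple <OneTimeUse/> conditions found.");
        return Result.INVALID;
    }

    /**
     * Structural check only: at most one {@code <ProxyRestriction>} element is allowed. The
     * restriction's content (Count, Audience) is not evaluated here.
     */
    private Result validateProxyRestriction(ProxyRestrictionType proxyRestriction) {
        this.proxyRestrictionsCount++;
        if (this.proxyRestrictionsCount <= 1) {
            return Result.VALID;
        }
        LOG.info("Invalid conditions: Multiple <ProxyRestriction/> conditions found.");
        return Result.INVALID;
    }
}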
