package com.ibm.ws.wssecurity.cxf.validator;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.sso.common.SsoService;
import com.ibm.ws.wssecurity.internal.WSSecurityConstants;
import com.ibm.ws.wssecurity.token.TokenUtils;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.validate.Credential;
import org.apache.ws.security.validate.SamlAssertionValidator;
import org.joda.time.DateTime;
import org.opensaml.common.SAMLVersion;

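/**
 * WSS4J {@link SamlAssertionValidator} configured from Liberty's wsSecuritySaml settings.
 *
 * <p>The constructor reads the required subject-confirmation method, whether bearer assertions
 * must be signed, the clock skew, the time-to-live and the allowed audiences from the
 * configuration map. {@link #validate} refuses to run unless a common SSO service of type
 * {@code SsoService.TYPE_WSS_SAML} is registered, and {@link #checkConditions} replaces the
 * WSS4J time-window checks with ones that apply the configured clock skew and, for assertions
 * without {@code NotOnOrAfter}, a maximum age measured from {@code IssueInstant}.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.wssecurity_1.0.18.jar:com/ibm/ws/wssecurity/cxf/validator/WssSamlAssertionValidator.class */
public class WssSamlAssertionValidator extends SamlAssertionValidator {
    private static final TraceComponent tc = Tr.register(WssSamlAssertionValidator.class, "WSSecurity", "com.ibm.ws.wssecurity.resources.WSSecurityMessages");
    // Allowed audience URIs handed to WSS4J on every validate() call; null when none are configured.
    List<String> audienceRestrictions;
    // Clock skew in seconds (configuration key KEY_clockSkew); also passed to WSS4J via setFutureTTL.
    int iFutureTTL;
    // Maximum assertion age in seconds (configuration key "timeToLive"); also passed to WSS4J via setTtl.
    int ttl;
    static final long serialVersionUID = -8524080986938050110L;

    /**
     * Builds the validator from the wsSecuritySaml configuration.
     *
     * <p>Signature-profile validation and the standard subject-confirmation-method requirement are
     * always switched on. When {@code map} is {@code null} the defaults (300 s clock skew, 1800 s
     * time-to-live, no audience restriction) stay in effect.
     *
     * @param map configuration properties; may be {@code null}. When non-null it must contain
     *            {@code KEY_wantAssertionsSigned} (Boolean), {@code KEY_clockSkew} and {@code "timeToLive"}
     *            (Long); a missing or differently typed value surfaces as a {@link NullPointerException}
     *            or {@link ClassCastException} from the casts below, exactly as before.
     */
    public WssSamlAssertionValidator(Map<String, Object> map) {
        this.audienceRestrictions = null;
        this.iFutureTTL = 300;
        this.ttl = 1800;
        setValidateSignatureAgainstProfile(true);
        setRequireStandardSubjectConfirmationMethod(true);
        if (map == null) {
            return;
        }
        setRequiredSubjectConfirmationMethod((String) map.get(WSSecurityConstants.KEY_requiredSubjectConfirmationMethod));
        setRequireBearerSignature(((Boolean) map.get(WSSecurityConstants.KEY_wantAssertionsSigned)).booleanValue());
        // The configured Long values are narrowed to int; the same value feeds both this class and WSS4J.
        this.iFutureTTL = ((Long) map.get(WSSecurityConstants.KEY_clockSkew)).intValue();
        setFutureTTL(this.iFutureTTL);
        this.ttl = ((Long) map.get("timeToLive")).intValue();
        setTtl(this.ttl);
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "futureTTL:" + this.iFutureTTL + " ttl:" + this.ttl);
        }
        String[] configuredAudiences = (String[]) map.get(WSSecurityConstants.KEY_audienceRestrictions);
        if (configuredAudiences == null) {
            return; // audienceRestrictions stays null
        }
        this.audienceRestrictions = new ArrayList<String>(configuredAudiences.length);
        for (String audience : configuredAudiences) {
            this.audienceRestrictions.add(audience);
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "audienceRestriction:" + audience);
            }
        }
    }

    /**
     * Validates a SAML credential after attaching the configured audience restrictions to the request.
     *
     * @param credential  the credential carrying the assertion
     * @param requestData per-request WSS4J data; its audience restrictions are overwritten with this
     *                    validator's list (possibly {@code null})
     * @return whatever {@link SamlAssertionValidator#validate} returns
     * @throws WSSecurityException when no common SSO service of type {@code SsoService.TYPE_WSS_SAML}
     *         is registered (the wsSecuritySaml-1.1 feature is not active), or when the superclass
     *         rejects the credential
     */
    @Override // org.apache.ws.security.validate.SamlAssertionValidator, org.apache.ws.security.validate.SignatureTrustValidator, org.apache.ws.security.validate.Validator
    public Credential validate(Credential credential, RequestData requestData) throws WSSecurityException {
        if (TokenUtils.getCommonSsoService(SsoService.TYPE_WSS_SAML) == null) {
            throw new WSSecurityException("No wsSecuritySaml-1.1 feature is up. Make sure your server.xml has wsSecuritySaml-1.1 feature set up properly");
        }
        requestData.setAudienceRestrictions(this.audienceRestrictions);
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, " audienceRestriction:" + this.audienceRestrictions);
        }
        return super.validate(credential, requestData);
    }

    /**
     * Checks the assertion's time window against the configured clock skew and time-to-live.
     *
     * <p>The values come from the SAML 2.0 or SAML 1.1 {@code Conditions} element plus the assertion's
     * {@code IssueInstant}. Each failing check logs an error message and throws:
     * <ul>
     *   <li>{@code NotBefore} may be at most {@code iFutureTTL} seconds in the future.</li>
     *   <li>{@code NotOnOrAfter} is still accepted up to {@code iFutureTTL} seconds after it has passed.</li>
     *   <li>Only when {@code NotOnOrAfter} is absent: {@code IssueInstant} may be at most
     *       {@code ttl + iFutureTTL} seconds in the past.</li>
     *   <li>{@code IssueInstant} may be at most {@code iFutureTTL} seconds in the future.</li>
     * </ul>
     *
     * <p>NOTE(review): when the assertion carries no {@code Conditions} element, {@code IssueInstant} is
     * not read either, so none of the checks above run and the assertion is accepted regardless of its
     * age — confirm this is intended.
     *
     * @param assertionWrapper the assertion under validation
     * @throws WSSecurityException with error code 0 and message key {@code invalidSAMLsecurity} when a
     *         check fails
     */
    @Override // org.apache.ws.security.validate.SamlAssertionValidator
    protected void checkConditions(AssertionWrapper assertionWrapper) throws WSSecurityException {
        DateTime notBefore = null;
        DateTime notOnOrAfter = null;
        DateTime issueInstant = null;
        if (assertionWrapper.getSamlVersion().equals(SAMLVersion.VERSION_20) && assertionWrapper.getSaml2().getConditions() != null) {
            notBefore = assertionWrapper.getSaml2().getConditions().getNotBefore();
            notOnOrAfter = assertionWrapper.getSaml2().getConditions().getNotOnOrAfter();
            issueInstant = assertionWrapper.getSaml2().getIssueInstant();
        } else if (assertionWrapper.getSamlVersion().equals(SAMLVersion.VERSION_11) && assertionWrapper.getSaml1().getConditions() != null) {
            notBefore = assertionWrapper.getSaml1().getConditions().getNotBefore();
            notOnOrAfter = assertionWrapper.getSaml1().getConditions().getNotOnOrAfter();
            issueInstant = assertionWrapper.getSaml1().getIssueInstant();
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "futureTTL(clockSkew):" + this.iFutureTTL + " ttl:" + this.ttl);
        }
        // A single clock reading is used for every comparison and every logged timestamp, so the time
        // reported in an error message is the time the check was actually made against.
        DateTime now = new DateTime();
        if (notBefore != null && notBefore.isAfter(now.plusSeconds(this.iFutureTTL))) {
            Tr.error(tc, "saml_token_not_yet_valid", notBefore, now, this.iFutureTTL);
            throw new WSSecurityException(0, "invalidSAMLsecurity");
        }
        if (notOnOrAfter != null) {
            if (notOnOrAfter.plusSeconds(this.iFutureTTL).isBefore(now)) {
                Tr.error(tc, "saml_token_expired", notOnOrAfter, now, this.iFutureTTL);
                throw new WSSecurityException(0, "invalidSAMLsecurity");
            }
        } else if (issueInstant != null && issueInstant.isBefore(now.minusSeconds(this.ttl + this.iFutureTTL))) {
            // No NotOnOrAfter: fall back to a maximum age measured from IssueInstant.
            Tr.error(tc, "saml_token_issued_too_long_ago", issueInstant, now, this.iFutureTTL);
            throw new WSSecurityException(0, "invalidSAMLsecurity");
        }
        if (issueInstant != null && issueInstant.isAfter(now.plusSeconds(this.iFutureTTL))) {
            Tr.error(tc, "saml_token_issue_instant_in_future", issueInstant, now, this.iFutureTTL);
            throw new WSSecurityException(0, "invalidSAMLsecurity");
        }
    }
}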
