package org.apache.cxf.rs.security.saml.sso;

import java.util.List;
import java.util.logging.Logger;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.OpenSAMLUtil;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.dom.validate.SamlAssertionValidator;

/* loaded from: input_file:org/apache/cxf/rs/security/saml/sso/SamlSSOAssertionValidator.class */
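/**
 * SAML SSO flavour of {@link SamlAssertionValidator} that changes how the Subject confirmation
 * methods of an Assertion are checked.
 *
 * <p>The only difference visible in this class is the bearer rule: when a bearer signature is
 * required, an unsigned bearer Assertion is still accepted if this validator was constructed with
 * {@code signedResponse == true}.
 *
 * <p>Security note: this class never verifies the Response signature itself; it trusts the flag it
 * was given. Presumably callers pass {@code true} only after the enclosing SAML Response signature
 * has been validated against a trusted key and covers the Assertion (confirm at the call site).
 * Passing {@code true} without that check would let an unsigned bearer Assertion through.
 */
public class SamlSSOAssertionValidator extends SamlAssertionValidator {
    private static final Logger LOG = LogUtils.getL7dLogger(SamlSSOAssertionValidator.class);

    private static final String SAML2_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer";
    private static final String SAML1_BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer";
    private static final String SAML2_SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches";
    private static final String SAML1_SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches";

    /** Whether the caller reports the enclosing Response as signed; relaxes only the bearer check. */
    private final boolean signedResponse;

    /**
     * @param signedResponse {@code true} if the Response carrying the Assertion was signed; stored
     *     as given and not verified by this class
     */
    public SamlSSOAssertionValidator(boolean signedResponse) {
        this.signedResponse = signedResponse;
    }

    /**
     * Checks the Subject confirmation methods of the Assertion against the configured policy.
     *
     * <ul>
     *   <li>Holder-of-key: a Subject KeyInfo must be present and the Assertion itself must be
     *       signed; {@code signedResponse} does not relax this.</li>
     *   <li>Bearer: if a bearer signature is required, either the Assertion or the Response
     *       (per {@code signedResponse}) must be signed.</li>
     *   <li>Sender-vouches: counted as a standard method; no signature check is made here.</li>
     * </ul>
     *
     * @param samlAssertionWrapper the Assertion to check
     * @throws WSSecurityException if a required or standard confirmation method is missing, or a
     *     holder-of-key / bearer Assertion does not meet the rules above
     */
    @Override
    protected void verifySubjectConfirmationMethod(SamlAssertionWrapper samlAssertionWrapper) throws WSSecurityException {
        List<String> confirmationMethods = samlAssertionWrapper.getConfirmationMethods();
        if (confirmationMethods == null || confirmationMethods.isEmpty()) {
            if (super.getRequiredSubjectConfirmationMethod() != null) {
                LOG.warning("A required subject confirmation method was not present");
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
            }
            if (super.isRequireStandardSubjectConfirmationMethod()) {
                LOG.warning("A standard subject confirmation method was not present");
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
            }
            // No methods and no policy demanding one: nothing left to check. Returning here gives
            // a null list the same outcome as an empty one, instead of a NullPointerException
            // in the loop below.
            return;
        }

        boolean assertionSigned = samlAssertionWrapper.isSigned();
        boolean requiredMethodFound = false;
        boolean standardMethodFound = false;
        for (String method : confirmationMethods) {
            if (OpenSAMLUtil.isMethodHolderOfKey(method)) {
                if (samlAssertionWrapper.getSubjectKeyInfo() == null) {
                    LOG.warning("There is no Subject KeyInfo to match the holder-of-key subject conf method");
                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noKeyInSAMLToken");
                }
                // Holder-of-key always needs a signature on the Assertion itself.
                if (!assertionSigned) {
                    LOG.warning("A holder-of-key assertion must be signed");
                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
                }
                standardMethodFound = true;
            }
            if (method == null) {
                continue;
            }
            if (method.equals(super.getRequiredSubjectConfirmationMethod())) {
                requiredMethodFound = true;
            }
            if (SAML2_BEARER.equals(method) || SAML1_BEARER.equals(method)) {
                standardMethodFound = true;
                // A signed Response is accepted in place of a signed bearer Assertion.
                if (super.isRequireBearerSignature() && !assertionSigned && !this.signedResponse) {
                    LOG.warning("A Bearer Assertion was not signed");
                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
                }
            } else if (SAML2_SENDER_VOUCHES.equals(method) || SAML1_SENDER_VOUCHES.equals(method)) {
                standardMethodFound = true;
            }
        }

        if (!requiredMethodFound && super.getRequiredSubjectConfirmationMethod() != null) {
            LOG.warning("A required subject confirmation method was not present");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        if (!standardMethodFound && super.isRequireStandardSubjectConfirmationMethod()) {
            LOG.warning("A standard subject confirmation method was not present");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
    }
}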
