package uk.gov.ida.saml.hub.validators.response.idp.components;

import com.google.common.base.Strings;
import java.lang.Enum;
import java.util.List;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.Status;
import org.opensaml.saml.saml2.core.StatusCode;
import org.opensaml.xmlsec.signature.Signature;
import uk.gov.ida.saml.core.errors.SamlTransformationErrorFactory;
import uk.gov.ida.saml.hub.exception.SamlValidationException;
import uk.gov.ida.saml.hub.transformers.inbound.SamlStatusToAuthenticationStatusCodeMapper;
import uk.gov.ida.saml.hub.validators.response.common.IssuerValidator;
import uk.gov.ida.saml.hub.validators.response.common.RequestIdValidator;
import uk.gov.ida.saml.security.validators.signature.SamlSignatureUtil;

/* loaded from: input_file:uk/gov/ida/saml/hub/validators/response/idp/components/EncryptedResponseFromIdpValidator.class */
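/**
 * Structural validator for a SAML {@link Response} received from an identity provider, where
 * any assertions are expected to arrive encrypted.
 *
 * <p>The checks here are about shape only: issuer and request id (delegated), presence of ID,
 * issue instant and signature, status-code nesting depth, a status the mapper recognises, and
 * the number of plain and encrypted assertions.
 *
 * <p><b>Security note:</b> nothing in this class verifies the response signature
 * cryptographically, decrypts an assertion, or checks the issue instant for freshness. A
 * response that passes {@link #validate(Response)} is well-formed, not authenticated; signature
 * verification against the IdP's trusted key must happen elsewhere before any content of the
 * response is relied upon.
 *
 * @param <T> enum type produced by the status-code mapper
 */
public class EncryptedResponseFromIdpValidator<T extends Enum<T>> {
    /** Maximum nesting depth of sub-status codes below the top-level status code. */
    private static final int SUB_STATUS_CODE_LIMIT = 1;

    /** Number of encrypted assertions a successful response must carry. */
    private static final int EXPECTED_ENCRYPTED_ASSERTION_COUNT = 2;

    private final SamlStatusToAuthenticationStatusCodeMapper<T> statusCodeMapper;

    /**
     * @param samlStatusToAuthenticationStatusCodeMapper mapper used to decide whether a SAML
     *     status is one this hub recognises
     */
    public EncryptedResponseFromIdpValidator(SamlStatusToAuthenticationStatusCodeMapper<T> samlStatusToAuthenticationStatusCodeMapper) {
        this.statusCodeMapper = samlStatusToAuthenticationStatusCodeMapper;
    }

    /**
     * Checks that the assertions in the response are consistent with its status.
     *
     * <ul>
     *   <li>No unencrypted assertion may be present, whatever the status.
     *   <li>A success response must carry exactly {@value #EXPECTED_ENCRYPTED_ASSERTION_COUNT}
     *       encrypted assertions.
     *   <li>A non-success response must carry no encrypted assertions.
     * </ul>
     *
     * @param response the response to inspect
     * @throws SamlValidationException if any of the rules above is broken
     */
    protected void validateAssertionPresence(Response response) {
        // Plain-text assertions are rejected first so that they are never considered further.
        if (!response.getAssertions().isEmpty()) {
            throw new SamlValidationException(SamlTransformationErrorFactory.unencryptedAssertion());
        }
        // NOTE(review): a response with no Status, StatusCode or Value attribute surfaces here as
        // a NullPointerException rather than a SamlValidationException. Confirm that schema
        // validation upstream guarantees these are present.
        boolean successful = response.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS);
        List<?> encryptedAssertions = response.getEncryptedAssertions();
        if (successful && encryptedAssertions.isEmpty()) {
            throw new SamlValidationException(SamlTransformationErrorFactory.missingSuccessUnEncryptedAssertions());
        }
        if (!successful && !encryptedAssertions.isEmpty()) {
            throw new SamlValidationException(SamlTransformationErrorFactory.nonSuccessHasUnEncryptedAssertions());
        }
        if (successful && encryptedAssertions.size() != EXPECTED_ENCRYPTED_ASSERTION_COUNT) {
            throw new SamlValidationException(
                    SamlTransformationErrorFactory.unexpectedNumberOfAssertions(
                            EXPECTED_ENCRYPTED_ASSERTION_COUNT, encryptedAssertions.size()));
        }
    }

    /**
     * Runs the issuer check, the request-id check and then this class's own structural checks.
     *
     * <p>Passing this method does not mean the signature has been verified; see the class
     * documentation.
     *
     * @param response the response to validate
     * @throws SamlValidationException on the first check that fails
     */
    public void validate(Response response) {
        IssuerValidator.validate(response);
        RequestIdValidator.validate(response);
        validateResponse(response);
    }

    /**
     * Checks for the mandatory ID, issue instant and signature, then validates the status and
     * the assertions carried by the response.
     */
    private void validateResponse(Response response) {
        if (Strings.isNullOrEmpty(response.getID())) {
            throw new SamlValidationException(SamlTransformationErrorFactory.missingId());
        }
        // Only the presence of an issue instant is checked; its age is not evaluated here.
        if (response.getIssueInstant() == null) {
            throw new SamlValidationException(SamlTransformationErrorFactory.missingIssueInstant(response.getID()));
        }
        Signature signature = response.getSignature();
        if (signature == null) {
            throw new SamlValidationException(SamlTransformationErrorFactory.missingSignature());
        }
        // Going by its name, isSignaturePresent tests that the Signature element has been
        // populated. It is not a cryptographic verification, and none is performed in this class.
        if (!SamlSignatureUtil.isSignaturePresent(signature)) {
            throw new SamlValidationException(SamlTransformationErrorFactory.signatureNotSigned());
        }
        validateStatus(response.getStatus());
        validateAssertionPresence(response);
    }

    /**
     * Rejects a status whose codes nest too deeply or that the mapper does not recognise.
     */
    private void validateStatus(Status status) {
        // Depth is bounded before the mapper sees the status.
        validateStatusCode(status.getStatusCode(), 0);
        if (this.statusCodeMapper.map(status).isEmpty()) {
            fail(status);
        }
    }

    /**
     * Always throws: reports an unrecognised status, naming the sub-status code when one exists.
     */
    private void fail(Status status) {
        StatusCode topLevel = status.getStatusCode();
        StatusCode subStatus = topLevel.getStatusCode();
        if (subStatus != null) {
            throw new SamlValidationException(
                    SamlTransformationErrorFactory.invalidSubStatusCode(subStatus.getValue(), topLevel.getValue()));
        }
        throw new SamlValidationException(SamlTransformationErrorFactory.invalidStatusCode(topLevel.getValue()));
    }

    /**
     * Walks the chain of nested status codes and rejects it once it goes deeper than
     * {@link #SUB_STATUS_CODE_LIMIT} levels below the top-level code.
     *
     * @param statusCode the status code at the current level
     * @param depth how many levels below the top-level code this call is (0 for the top level)
     */
    private void validateStatusCode(StatusCode statusCode, int depth) {
        if (depth > SUB_STATUS_CODE_LIMIT) {
            throw new SamlValidationException(SamlTransformationErrorFactory.nestedSubStatusCodesBreached(SUB_STATUS_CODE_LIMIT));
        }
        StatusCode nested = statusCode.getStatusCode();
        if (nested != null) {
            // Step by one level. The limit constant must not double as the increment, or raising
            // the limit would also change how depth is counted.
            validateStatusCode(nested, depth + 1);
        }
    }
}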
