package uk.gov.ida.saml.core.validation.assertion;

import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import uk.gov.ida.saml.core.domain.AuthnContext;
import uk.gov.ida.saml.core.errors.SamlTransformationErrorFactory;
import uk.gov.ida.saml.core.validation.SamlTransformationErrorException;
import uk.gov.ida.saml.core.validation.SamlValidationSpecificationFailure;
import uk.gov.ida.saml.core.validation.subjectconfirmation.AssertionSubjectConfirmationValidator;
import uk.gov.ida.saml.core.validators.subject.AssertionSubjectValidator;
import uk.gov.ida.saml.security.validators.issuer.IssuerValidator;

/* loaded from: input_file:uk/gov/ida/saml/core/validation/assertion/IdentityProviderAssertionValidator.class */
/**
 * Assertion validator applied to assertions issued by an identity provider.
 *
 * <p>On top of the checks inherited from {@link AssertionValidator}, this class:
 * <ul>
 *   <li>checks that a set of assertions share one subject NameID value and one issuer value;</li>
 *   <li>requires at least one bearer {@link SubjectConfirmation} and validates every bearer
 *       confirmation that is present;</li>
 *   <li>triggers fraud-event validation for assertions whose single authn statement carries the
 *       {@code LEVEL_X} authentication context.</li>
 * </ul>
 *
 * <p>Nothing in this class verifies signatures; NOTE(review): confirm that signature validation
 * happens before these checks are relied upon.
 */
public class IdentityProviderAssertionValidator extends AssertionValidator {
    /** SAML 2.0 subject confirmation method URI for bearer confirmations. */
    private static final String BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer";

    private final AssertionSubjectConfirmationValidator subjectConfirmationValidator;

    /**
     * Creates the validator; all four collaborators are handed to the superclass, and the subject
     * confirmation validator is also kept locally for the bearer checks.
     */
    public IdentityProviderAssertionValidator(
            IssuerValidator issuerValidator,
            AssertionSubjectValidator assertionSubjectValidator,
            AssertionAttributeStatementValidator assertionAttributeStatementValidator,
            AssertionSubjectConfirmationValidator assertionSubjectConfirmationValidator) {
        super(issuerValidator, assertionSubjectValidator, assertionAttributeStatementValidator, assertionSubjectConfirmationValidator);
        this.subjectConfirmationValidator = assertionSubjectConfirmationValidator;
    }

    /**
     * Checks that two assertions agree on subject NameID value and issuer value.
     *
     * @throws SamlTransformationErrorException if the NameID values or the issuer values differ
     */
    public void validateConsistency(Assertion assertion, Assertion assertion2) {
        List<Assertion> pair = Arrays.asList(assertion, assertion2);
        validateConsistency(pair);
    }

    /**
     * Checks that every assertion in the list carries the same subject NameID value and the same
     * issuer value. The NameID comparison runs first. An empty or single-element list passes.
     *
     * @throws SamlTransformationErrorException if more than one distinct NameID value or more than
     *         one distinct issuer value is found
     */
    public void validateConsistency(List<Assertion> list) {
        ensurePidsMatch(list);
        ensureIssuersMatch(list);
    }

    /**
     * Rejects the list when its assertions carry more than one distinct subject NameID value.
     */
    private void ensurePidsMatch(List<Assertion> list) {
        // NOTE(review): a missing Subject or NameID surfaces here as a NullPointerException, not
        // as a SAML validation failure; presumably callers validate each assertion first - confirm.
        long distinctPids = list.stream()
                .map(a -> a.getSubject().getNameID().getValue())
                .distinct()
                .count();
        if (distinctPids <= 1) {
            return;
        }
        SamlValidationSpecificationFailure failure = SamlTransformationErrorFactory.mismatchedPersistentIdentifiers();
        throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
    }

    /**
     * Rejects the list when its assertions carry more than one distinct issuer value.
     */
    private void ensureIssuersMatch(List<Assertion> list) {
        // NOTE(review): a missing Issuer element surfaces as a NullPointerException - confirm that
        // issuer presence is checked before this is called.
        long distinctIssuers = list.stream()
                .map(a -> a.getIssuer().getValue())
                .distinct()
                .count();
        if (distinctIssuers <= 1) {
            return;
        }
        SamlValidationSpecificationFailure failure = SamlTransformationErrorFactory.mismatchedIssuers();
        throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
    }

    /**
     * Runs the inherited subject validation, then the identity-provider-specific checks: a bearer
     * subject confirmation must exist, every bearer confirmation is validated, and the fraud
     * attribute check is applied.
     *
     * <p>{@code str} and {@code str2} are passed unchanged to the superclass and to the subject
     * confirmation validator; presumably the request id and the expected recipient - TODO confirm
     * against {@link AssertionSubjectConfirmationValidator}.
     */
    @Override
    public void validateSubject(Assertion assertion, String str, String str2) {
        super.validateSubject(assertion, str, str2);
        ensurePresenceOfBearerSubjectConfirmation(assertion);
        validateAllBearerSubjectConfirmations(assertion, str, str2);
        validateFraudAttribute(assertion);
    }

    /**
     * Validates each subject confirmation whose method is bearer; confirmations using any other
     * method are skipped here.
     */
    private void validateAllBearerSubjectConfirmations(Assertion assertion, String str, String str2) {
        for (SubjectConfirmation confirmation : assertion.getSubject().getSubjectConfirmations()) {
            if (!BEARER_METHOD.equals(confirmation.getMethod())) {
                continue;
            }
            this.subjectConfirmationValidator.validate(confirmation, str, str2);
        }
    }

    /**
     * Requires at least one subject confirmation with the bearer method.
     *
     * @throws SamlTransformationErrorException if the assertion has no bearer subject confirmation
     */
    private void ensurePresenceOfBearerSubjectConfirmation(Assertion assertion) {
        boolean bearerSeen = false;
        // Every confirmation is inspected; the scan does not stop at the first bearer match.
        for (SubjectConfirmation confirmation : assertion.getSubject().getSubjectConfirmations()) {
            bearerSeen |= BEARER_METHOD.equals(confirmation.getMethod());
        }
        if (!bearerSeen) {
            SamlValidationSpecificationFailure failure = SamlTransformationErrorFactory.noSubjectConfirmationWithBearerMethod(assertion.getID());
            throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
        }
    }

    /**
     * Delegates to fraud-event validation when the assertion has exactly one authn statement and
     * that statement's authentication context class reference equals the {@code LEVEL_X} URI.
     */
    private void validateFraudAttribute(Assertion assertion) {
        // NOTE(review): an assertion with zero or several authn statements skips the fraud check
        // entirely; confirm that the statement count is enforced elsewhere.
        List<AuthnStatement> statements = assertion.getAuthnStatements();
        if (statements.size() != 1) {
            return;
        }
        // The class reference is the receiver of equals(), so a missing value throws rather than
        // silently skipping the fraud check.
        boolean isLevelX = statements.get(0)
                .getAuthnContext()
                .getAuthnContextClassRef()
                .getAuthnContextClassRef()
                .equals(AuthnContext.LEVEL_X.getUri());
        if (isLevelX) {
            this.assertionAttributeStatementValidator.validateFraudEvent(assertion);
        }
    }
}
