package uk.gov.ida.saml.security;

import com.google.common.base.Strings;
import java.util.Optional;
import javax.xml.namespace.QName;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.security.SecurityException;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import uk.gov.ida.saml.core.validation.SamlValidationResponse;
import uk.gov.ida.saml.security.errors.SamlTransformationErrorFactory;
import uk.gov.ida.saml.security.validators.signature.SamlSignatureUtil;

/* loaded from: input_file:uk/gov/ida/saml/security/SamlMessageSignatureValidator.class */
/**
 * Checks that a SAML message (response, assertion or request) names an issuer and carries a
 * signature that the injected {@link SignatureValidator} accepts.
 *
 * <p>Every path that does not end in a successful validation returns an invalid
 * {@link SamlValidationResponse}: a missing or empty issuer, an absent signature, a rejected
 * signature and both checked exceptions from the validator all fail closed.
 *
 * <p>NOTE(review): the issuer value handed to the validator is read from the message under test,
 * so it is only a claim at that point. This class relies on {@link SignatureValidator} to bind
 * that claim to trusted key material - confirm against its implementation.
 */
public class SamlMessageSignatureValidator {
    private static final Logger LOG = LoggerFactory.getLogger(SamlMessageSignatureValidator.class);
    private final SignatureValidator signatureValidator;

    /**
     * @param signatureValidator performs the actual cryptographic check; stored as-is
     */
    public SamlMessageSignatureValidator(SignatureValidator signatureValidator) {
        this.signatureValidator = signatureValidator;
    }

    /**
     * Validates the issuer and signature of a SAML response.
     *
     * @param response the response to check
     * @param qName passed through unchanged to the signature validator
     * @return the issuer failure if there is one, otherwise the outcome of the signature check
     */
    public SamlValidationResponse validate(Response response, QName qName) {
        Issuer issuer = response.getIssuer();
        // The signature is only looked at once the issuer is known to be present and non-empty.
        return validateIssuer(issuer)
                .orElseGet(() -> validateSignature(response, issuer.getValue(), qName));
    }

    /**
     * Validates the issuer and signature of a SAML assertion.
     *
     * @param assertion the assertion to check
     * @param qName passed through unchanged to the signature validator
     * @return the issuer failure if there is one, otherwise the outcome of the signature check
     */
    public SamlValidationResponse validate(Assertion assertion, QName qName) {
        Issuer issuer = assertion.getIssuer();
        return validateIssuer(issuer)
                .orElseGet(() -> validateSignature(assertion, issuer.getValue(), qName));
    }

    /**
     * Validates the issuer and signature of a SAML request.
     *
     * @param requestAbstractType the request to check
     * @param qName passed through unchanged to the signature validator
     * @return the issuer failure if there is one, otherwise the outcome of the signature check
     */
    public SamlValidationResponse validate(RequestAbstractType requestAbstractType, QName qName) {
        Issuer issuer = requestAbstractType.getIssuer();
        return validateIssuer(issuer)
                .orElseGet(() -> validateSignature(requestAbstractType, issuer.getValue(), qName));
    }

    /**
     * Rejects a missing issuer element and an issuer whose value is null or empty.
     *
     * @param issuer the issuer element taken from the message, possibly {@code null}
     * @return an invalid response describing the problem, or empty when the issuer is usable
     */
    private Optional<SamlValidationResponse> validateIssuer(Issuer issuer) {
        if (issuer == null) {
            return Optional.of(SamlValidationResponse.anInvalidResponse(SamlTransformationErrorFactory.missingIssuer()));
        }
        if (Strings.isNullOrEmpty(issuer.getValue())) {
            return Optional.of(SamlValidationResponse.anInvalidResponse(SamlTransformationErrorFactory.emptyIssuer()));
        }
        return Optional.empty();
    }

    /**
     * Runs the signature checks in order: a signature object exists, the signature is actually
     * present according to {@link SamlSignatureUtil}, and the validator accepts it.
     *
     * @param signedObject the SAML object whose signature is checked
     * @param issuerEntityId the issuer value read from the same message
     * @param qName passed through unchanged to the signature validator
     * @return a valid response only when the validator returns {@code true}
     */
    private SamlValidationResponse validateSignature(SignableSAMLObject signedObject, String issuerEntityId, QName qName) {
        // An unsigned message is rejected here and never reaches the validator.
        if (signedObject.getSignature() == null) {
            return SamlValidationResponse.anInvalidResponse(SamlTransformationErrorFactory.missingSignature());
        }
        // A signature element can exist without having been signed; that is a distinct error.
        if (!SamlSignatureUtil.isSignaturePresent(signedObject.getSignature())) {
            return SamlValidationResponse.anInvalidResponse(SamlTransformationErrorFactory.signatureNotSigned());
        }
        try {
            if (this.signatureValidator.validate(signedObject, issuerEntityId, qName)) {
                return SamlValidationResponse.aValidResponse();
            }
            return SamlValidationResponse.anInvalidResponse(SamlTransformationErrorFactory.invalidMessageSignature());
        } catch (SecurityException securityFailure) {
            // Fail closed: an error while validating is reported as invalid, with the cause kept.
            LOG.warn("There was an unexpected error validating the message signature using the provided certificate.", securityFailure);
            return SamlValidationResponse.anInvalidResponse(SamlTransformationErrorFactory.unableToValidateMessageSignature(), securityFailure);
        } catch (SignatureException signatureFailure) {
            // Same result as above; logged at error level rather than warn.
            LOG.error("XML Signature invalid (SAML core section 5.4)", signatureFailure);
            return SamlValidationResponse.anInvalidResponse(SamlTransformationErrorFactory.unableToValidateMessageSignature(), signatureFailure);
        }
    }
}
