package org.opensaml.saml.saml2.assertion.impl;

import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Objects;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.annotation.concurrent.ThreadSafe;
import javax.xml.namespace.QName;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.primitive.DeprecationSupport;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import org.opensaml.saml.common.assertion.AssertionValidationException;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.assertion.ConditionValidator;
import org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Condition;
import org.opensaml.saml.saml2.core.OneTimeUse;
import org.opensaml.storage.ReplayCache;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

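/**
 * {@link ConditionValidator} for the SAML 2 {@code <OneTimeUse>} condition.
 *
 * <p>Each assertion carrying the condition is recorded in a {@link ReplayCache} under a key built
 * from its issuer and ID. An assertion whose key is already present is reported as
 * {@link ValidationResult#INVALID}.</p>
 *
 * <p>Security notes for deployers:</p>
 * <ul>
 *   <li>The cache lifetime is computed from configuration only; it is not derived from the
 *       assertion's own validity window. Replay detection therefore holds only while the cache
 *       entry exists, so the configured lifetime should be at least as long as the longest period
 *       (including clock skew) for which an assertion can still pass the other validity checks.</li>
 *   <li>The replay cache must be shared by every node that can consume the same assertion; how the
 *       supplied {@link ReplayCache} is backed is not visible from this class.</li>
 * </ul>
 */
@ThreadSafe
/* loaded from: input_file:BOOT-INF/lib/opensaml-saml-impl-4.1.1.jar:org/opensaml/saml/saml2/assertion/impl/OneTimeUseConditionValidator.class */
public class OneTimeUseConditionValidator implements ConditionValidator {

    /** Replay cache context (namespace) under which one-time-use keys are stored. */
    @NotEmpty
    @Nonnull
    public static final String CACHE_CONTEXT = OneTimeUseConditionValidator.class.getName();

    /** Lifetime used when no usable lifetime is supplied at construction. */
    @Nonnull
    private static final Duration DEFAULT_REPLAY_CACHE_EXPIRES = Duration.ofHours(8L);

    /** Class logger. Final so that the {@code @ThreadSafe} claim does not rely on external publication. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(OneTimeUseConditionValidator.class);

    /** Cache in which consumed assertions are tracked. */
    @Nonnull
    private final ReplayCache replayCache;

    /** Configured lifetime of a replay cache entry; always strictly positive. */
    @Nonnull
    private final Duration replayCacheExpires;

    /**
     * Creates the validator.
     *
     * @param replayCache cache used to track consumed assertions, must not be null
     * @param duration lifetime of a cache entry; {@code null}, negative or zero selects the
     *                 8 hour default
     */
    public OneTimeUseConditionValidator(@Nonnull ReplayCache replayCache, @Nullable Duration duration) {
        this.replayCache = Constraint.isNotNull(replayCache, "Replay cache was null");
        if (duration == null) {
            this.replayCacheExpires = DEFAULT_REPLAY_CACHE_EXPIRES;
        } else if (duration.isNegative()) {
            this.log.warn("Supplied value for replay cache expires '{}' was negative, using default expiration", duration);
            this.replayCacheExpires = DEFAULT_REPLAY_CACHE_EXPIRES;
        } else if (duration.isZero()) {
            // A zero lifetime would make getExpires() return the current instant, i.e. the entry
            // would be written with an expiry that has effectively already passed. getExpires()
            // already treats a zero context parameter as "not set"; do the same here so that a
            // misconfiguration cannot silently reduce the replay window to nothing.
            this.log.warn("Supplied value for replay cache expires '{}' was zero, using default expiration", duration);
            this.replayCacheExpires = DEFAULT_REPLAY_CACHE_EXPIRES;
        } else {
            this.replayCacheExpires = duration;
        }
    }

    /**
     * Returns the condition element name handled by this validator.
     *
     * @return {@link OneTimeUse#DEFAULT_ELEMENT_NAME}
     */
    @Override
    @Nonnull
    public QName getServicedCondition() {
        return OneTimeUse.DEFAULT_ELEMENT_NAME;
    }

    /**
     * Checks the assertion against the replay cache.
     *
     * @param condition the condition being evaluated
     * @param assertion the assertion that carries the condition
     * @param validationContext current validation context; receives the failure message on replay
     * @return {@link ValidationResult#INDETERMINATE} if the condition is not a one-time-use
     *         condition, {@link ValidationResult#VALID} if the replay cache check succeeds,
     *         otherwise {@link ValidationResult#INVALID}
     * @throws AssertionValidationException declared by the interface and by {@link #getCacheValue}
     */
    @Override
    @Nonnull
    public ValidationResult validate(@Nonnull Condition condition, @Nonnull Assertion assertion, @Nonnull ValidationContext validationContext) throws AssertionValidationException {
        if (!(condition instanceof OneTimeUse) && !Objects.equals(condition.getElementQName(), getServicedCondition())) {
            this.log.warn("Condition '{}' of type '{}' in assertion '{}' was not an '{}' condition.  Unable to process.", condition.getElementQName(), condition.getSchemaType(), assertion.getID(), getServicedCondition());
            return ValidationResult.INDETERMINATE;
        }

        final String cacheKey = getCacheValue(assertion);
        final Instant entryExpiry = getExpires(assertion, validationContext);
        if (this.replayCache.check(CACHE_CONTEXT, cacheKey, entryExpiry)) {
            return ValidationResult.VALID;
        }

        // The assertion ID comes from the message under validation. It is passed as a format
        // argument, never as the format string; consumers that display this message should still
        // encode it for their output context.
        validationContext.setValidationFailureMessage(String.format("Assertion '%s' has a one time use condition and has been used before", assertion.getID()));
        return ValidationResult.INVALID;
    }

    /**
     * Returns the configured lifetime of a replay cache entry.
     *
     * @return the lifetime chosen at construction
     */
    @Nonnull
    protected Duration getReplayCacheExpires() {
        return this.replayCacheExpires;
    }

    /**
     * Computes the instant at which the replay cache entry for an assertion expires.
     *
     * <p>The static validation parameter
     * {@link SAML2AssertionValidationParameters#COND_ONE_TIME_USE_EXPIRES} overrides the configured
     * lifetime when it is a positive {@link Duration} (or, deprecated, a {@link Long} count of
     * milliseconds). A missing, zero or negative value falls back to
     * {@link #getReplayCacheExpires()}. No minimum is enforced on the override, and the assertion
     * itself is not consulted, so callers that set the parameter are responsible for keeping the
     * window long enough to cover the period in which the assertion would otherwise be accepted.</p>
     *
     * @param assertion the assertion being validated (not read by this implementation)
     * @param validationContext context supplying the optional override parameter
     * @return current time plus the effective lifetime
     */
    @Nonnull
    protected Instant getExpires(Assertion assertion, ValidationContext validationContext) {
        final Object raw = validationContext.getStaticParameters().get(SAML2AssertionValidationParameters.COND_ONE_TIME_USE_EXPIRES);

        Duration requested = null;
        if (raw instanceof Duration) {
            requested = (Duration) raw;
        } else if (raw instanceof Long) {
            // Legacy form: a bare Long is interpreted as milliseconds.
            requested = Duration.ofMillis(((Long) raw).longValue());
            DeprecationSupport.warn(DeprecationSupport.ObjectType.CONFIGURATION, SAML2AssertionValidationParameters.COND_ONE_TIME_USE_EXPIRES, null, Duration.class.getName());
        }
        this.log.debug("Saw one-time use cache expires context param: {}", requested);

        final Duration effective;
        if (requested == null || requested.isZero()) {
            effective = getReplayCacheExpires();
        } else if (requested.isNegative()) {
            this.log.warn("Supplied context param for replay cache expires '{}' was negative, using configured expiration", requested);
            effective = getReplayCacheExpires();
        } else {
            effective = requested;
        }
        this.log.debug("Effective one-time use cache expires of: {}", effective);

        final Instant expiry = Instant.now().plus(effective);
        this.log.debug("Computed one-time use cache effective expiration time of: {}", expiry);
        return expiry;
    }

    /**
     * Builds the replay cache key for an assertion as {@code <issuer>--<id>}.
     *
     * <p>A missing or blank issuer is replaced by {@code "NoIssuer"} and a missing or blank ID by
     * {@code "NoID"}. Assertions that lack an ID therefore share one key per issuer, and an issuer
     * value containing {@code "--"} can produce the same key as a different issuer/ID pair. In both
     * cases the later assertion is rejected as a replay, i.e. the collision fails closed.</p>
     *
     * @param assertion the assertion being validated
     * @return the cache key
     * @throws AssertionValidationException declared for subclasses; not thrown by this implementation
     */
    @Nonnull
    protected String getCacheValue(@Nonnull Assertion assertion) throws AssertionValidationException {
        String issuer = null;
        if (assertion.getIssuer() != null && assertion.getIssuer().getValue() != null) {
            issuer = StringSupport.trimOrNull(assertion.getIssuer().getValue());
        }
        if (issuer == null) {
            issuer = "NoIssuer";
        }

        String id = StringSupport.trimOrNull(assertion.getID());
        if (id == null) {
            id = "NoID";
        }

        final String cacheKey = String.format("%s--%s", issuer, id);
        // Issuer and ID are taken from the message under validation and are logged as received.
        this.log.debug("Generated one-time use cache value of: {}", cacheKey);
        return cacheKey;
    }
}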
