package org.opensaml.saml.saml2.assertion.impl;

import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.concurrent.ThreadSafe;
import javax.xml.namespace.QName;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import org.opensaml.saml.common.assertion.AssertionValidationException;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.assertion.ConditionValidator;
import org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Audience;
import org.opensaml.saml.saml2.core.AudienceRestriction;
import org.opensaml.saml.saml2.core.Condition;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

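/**
 * {@link ConditionValidator} for the SAML 2 {@link AudienceRestriction} condition.
 *
 * <p>The condition is accepted when at least one {@link Audience} URI carried by the assertion is
 * contained in the set of valid audiences that the caller supplies through the static validation
 * parameter {@link SAML2AssertionValidationParameters#COND_VALID_AUDIENCES}. Audience URIs are
 * trimmed before the lookup; the comparison itself is whatever {@link Set#contains(Object)} of the
 * supplied set implements.</p>
 *
 * <p>Security note: the audience values come from the assertion and are therefore untrusted input.
 * {@link ValidationResult#INDETERMINATE} is returned when the validator is misconfigured (no valid
 * audiences available); callers should treat that outcome as "not validated", never as success.</p>
 */
@ThreadSafe
/* loaded from: input_file:addressbookconnector-2.14-jar-with-dependencies.jar:org/opensaml/saml/saml2/assertion/impl/AudienceRestrictionConditionValidator.class */
public class AudienceRestrictionConditionValidator implements ConditionValidator {
    /** Class logger; final so the instance holds no mutable state. */
    private final Logger log = LoggerFactory.getLogger(AudienceRestrictionConditionValidator.class);

    /**
     * Returns the element name of the condition type this validator handles.
     *
     * @return {@link AudienceRestriction#DEFAULT_ELEMENT_NAME}
     */
    @Override
    @Nonnull
    public QName getServicedCondition() {
        return AudienceRestriction.DEFAULT_ELEMENT_NAME;
    }

    /**
     * Evaluates an {@link AudienceRestriction} condition against the configured valid audiences.
     *
     * @param condition the condition to evaluate; must be an {@link AudienceRestriction}
     * @param assertion the assertion that carries the condition (used for its ID in messages)
     * @param validationContext source of the valid-audience set and sink for the failure message
     * @return {@link ValidationResult#VALID} on the first audience that matches;
     *         {@link ValidationResult#INVALID} when the condition has no audiences or none match;
     *         {@link ValidationResult#INDETERMINATE} when the condition is of another type or the
     *         valid-audience parameter is missing, empty, or not usable as a set
     * @throws AssertionValidationException declared by the interface; not thrown by this code directly
     */
    @Override
    @Nonnull
    public ValidationResult validate(@Nonnull Condition condition, @Nonnull Assertion assertion, @Nonnull ValidationContext validationContext) throws AssertionValidationException {
        if (!(condition instanceof AudienceRestriction)) {
            this.log.warn("Condition '{}' of type '{}' in assertion '{}' was not an '{}' condition.  Unable to process.",
                    condition.getElementQName(), condition.getSchemaType(), assertion.getID(), getServicedCondition());
            return ValidationResult.INDETERMINATE;
        }
        try {
            // The parameter is caller-supplied and untyped; a non-Set value raises ClassCastException,
            // which is handled below as a configuration problem.
            final Set<?> validAudiences = (Set<?>) validationContext.getStaticParameters()
                    .get(SAML2AssertionValidationParameters.COND_VALID_AUDIENCES);
            if (validAudiences == null || validAudiences.isEmpty()) {
                this.log.warn("Set of valid audiences was not available from the validation context, unable to evaluate AudienceRestriction Condition");
                validationContext.setValidationFailureMessage("Unable to determine list of valid audiences");
                return ValidationResult.INDETERMINATE;
            }
            this.log.debug("Evaluating the Assertion's AudienceRestriction/Audience values against the list of valid audiences: {}", validAudiences);

            final List<Audience> audiences = ((AudienceRestriction) condition).getAudiences();
            if (audiences == null || audiences.isEmpty()) {
                validationContext.setValidationFailureMessage(String.format("'%s' condition in assertion '%s' is malformed as it does not contain any audiences", getServicedCondition(), assertion.getID()));
                return ValidationResult.INVALID;
            }

            for (final Audience audience : audiences) {
                final String audienceUri = StringSupport.trimOrNull(audience.getAudienceURI());
                if (audienceUri == null) {
                    // An empty or whitespace-only {@code <Audience/>} can never be a legitimate match.
                    // Skipping it also avoids contains(null): null-hostile sets (e.g. Set.of) throw
                    // NullPointerException there, and a stray null entry in a HashSet would otherwise
                    // let an empty audience satisfy the restriction.
                    continue;
                }
                if (validAudiences.contains(audienceUri)) {
                    this.log.debug("Matched valid audience: {}", audienceUri);
                    return ValidationResult.VALID;
                }
            }

            final String failure = String.format("None of the audiences within Assertion '%s' matched the list of valid audiances", assertion.getID());
            this.log.debug(failure);
            validationContext.setValidationFailureMessage(failure);
            return ValidationResult.INVALID;
        } catch (ClassCastException e) {
            // Misconfigured parameter: report "cannot decide" rather than accept or reject.
            this.log.warn("The value of the static validation parameter '{}' was not java.util.Set<String>", SAML2AssertionValidationParameters.COND_VALID_AUDIENCES);
            validationContext.setValidationFailureMessage("Unable to determine list of valid audiences");
            return ValidationResult.INDETERMINATE;
        }
    }
}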
