package org.opensaml.saml.saml2.binding.security.impl;

import com.google.common.base.Strings;
import javax.annotation.Nonnull;
import net.shibboleth.shared.primitive.LoggerFactory;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.handler.AbstractMessageHandler;
import org.opensaml.messaging.handler.MessageHandlerException;
import org.opensaml.saml.common.binding.SAMLBindingSupport;
import org.opensaml.saml.common.messaging.context.SAMLMetadataContext;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.metadata.RoleDescriptor;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.slf4j.Logger;

/* loaded from: input_file:org/opensaml/saml/saml2/binding/security/impl/SAML2AuthnRequestsSignedSecurityHandler.class */
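/**
 * Message handler that rejects an unsigned inbound SAML 2 {@link AuthnRequest} when the
 * requesting SP's metadata says its AuthnRequests are signed.
 *
 * <p>Security notes for anyone wiring this into a handler chain:</p>
 * <ul>
 *   <li>The check is driven entirely by the peer's {@link SPSSODescriptor}. When the peer entityID,
 *       the {@link SAMLMetadataContext} or the role descriptor is missing, or the role is not an SP
 *       role, {@link #isRequestSigningRequired(MessageContext)} returns {@code false} and an unsigned
 *       request is let through (a warning is logged). The rule therefore fails open, so the contexts
 *       must be populated before this handler runs.</li>
 *   <li>This class only asks whether the message is signed. NOTE(review): it performs no signature
 *       verification itself; confirm that a signature-validation handler also runs in the chain.</li>
 * </ul>
 */
public class SAML2AuthnRequestsSignedSecurityHandler extends AbstractMessageHandler {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(SAML2AuthnRequestsSignedSecurityHandler.class);

    /**
     * Enforces the signing requirement on the inbound message.
     *
     * <p>Messages that are not an {@link AuthnRequest} are skipped without evaluation.</p>
     *
     * @param messageContext the context of the inbound message
     * @throws MessageHandlerException if the peer's metadata requires signed AuthnRequests and the
     *         inbound request is not signed
     */
    @Override
    public void doInvoke(@Nonnull MessageContext messageContext) throws MessageHandlerException {
        if (!(messageContext.getMessage() instanceof AuthnRequest)) {
            log.debug("Inbound message is not an instance of AuthnRequest, skipping evaluation...");
            return;
        }

        // Pass when signing is not required, or when it is required and the message is signed.
        if (!isRequestSigningRequired(messageContext) || isMessageSigned(messageContext)) {
            return;
        }

        log.warn("Inbound AuthnRequest message was not signed");
        throw new MessageHandlerException("Inbound AuthnRequest was required to be signed but was not");
    }

    /**
     * Reports whether the inbound message is signed, as determined by
     * {@link SAMLBindingSupport#isMessageSigned(MessageContext)}.
     *
     * <p>NOTE(review): presumably this reports only that a signature is present, not that it is
     * cryptographically valid or trusted; verify against {@code SAMLBindingSupport}.</p>
     *
     * @param messageContext the context of the inbound message
     * @return {@code true} if the binding support class considers the message signed
     */
    protected boolean isMessageSigned(@Nonnull MessageContext messageContext) {
        return SAMLBindingSupport.isMessageSigned(messageContext);
    }

    /**
     * Determines from the peer's metadata whether its AuthnRequests must be signed.
     *
     * @param messageContext the context of the inbound message
     * @return {@code true} only when the peer's {@link SPSSODescriptor} reports
     *         {@code AuthnRequestsSigned} as true; {@code false} in every other case, including when
     *         the entityID or metadata needed to evaluate the rule is unavailable
     */
    protected boolean isRequestSigningRequired(@Nonnull MessageContext messageContext) {
        SAMLPeerEntityContext peerContext = messageContext.ensureSubcontext(SAMLPeerEntityContext.class);
        if (peerContext == null || Strings.isNullOrEmpty(peerContext.getEntityId())) {
            // Fail-open path: without a peer entityID no requirement can be established.
            log.warn("SAML peer entityID was not available, unable to evaluate rule");
            return false;
        }
        String entityId = peerContext.getEntityId();

        SAMLMetadataContext metadataContext = peerContext.ensureSubcontext(SAMLMetadataContext.class);
        // Read the role descriptor once so every check below looks at the same object.
        RoleDescriptor roleDescriptor = metadataContext != null ? metadataContext.getRoleDescriptor() : null;
        if (roleDescriptor == null) {
            // Fail-open path: no metadata means no AuthnRequestsSigned flag to enforce.
            log.warn("SAMLPeerContext did not contain either a SAMLMetadataContext or a RoleDescriptor, unable to evaluate rule");
            return false;
        }

        if (!(roleDescriptor instanceof SPSSODescriptor)) {
            log.warn("RoleDescriptor was not an SPSSODescriptor, it was a {}. Unable to evaluate rule",
                    roleDescriptor.getClass().getName());
            return false;
        }
        SPSSODescriptor spDescriptor = (SPSSODescriptor) roleDescriptor;

        // Boolean.TRUE.equals treats an absent (null) AuthnRequestsSigned attribute as "not required".
        if (Boolean.TRUE.equals(spDescriptor.isAuthnRequestsSigned())) {
            log.debug("SPSSODescriptor for entity ID '{}' indicates AuthnRequests must be signed", entityId);
            return true;
        }
        log.debug("SPSSODescriptor for entity ID '{}' does not require AuthnRequests to be signed", entityId);
        return false;
    }
}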
