package dk.itst.oiosaml.sp.model.validation;

import dk.itst.oiosaml.sp.model.OIOAssertion;
import org.joda.time.DateTime;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.AuthnStatement;

/* loaded from: input_file:dk/itst/oiosaml/sp/model/validation/OIOSAMLAssertionValidator.class */
/**
 * Assertion validator that runs the inherited {@link BasicAssertionValidator} checks and then
 * applies further freshness and structural checks to the wrapped SAML assertion.
 *
 * <p>NOTE(review): signature verification, audience restriction and replay protection are not
 * performed in this class. Presumably they happen in the superclass or in the caller; confirm
 * before relying on this validator as the only gate in front of session creation.
 */
public class OIOSAMLAssertionValidator extends BasicAssertionValidator {
    /**
     * Validates the assertion, failing on the first rule that is violated.
     *
     * <p>After the superclass checks, the rules are applied in this order:
     * <ol>
     *   <li>the subject confirmation time must be present and still in the future;</li>
     *   <li>exactly one AuthnStatement;</li>
     *   <li>a non-null session index;</li>
     *   <li>exactly one AttributeStatement;</li>
     *   <li>no AuthzDecisionStatement;</li>
     *   <li>the assertion's recipient must match {@code str2};</li>
     *   <li>SessionNotOnOrAfter, when present, must still be in the future.</li>
     * </ol>
     *
     * @param oIOAssertion wrapper around the SAML assertion under validation
     * @param str forwarded unchanged to the superclass; its meaning is not visible in this class
     * @param str2 value the assertion's recipient is checked against; also forwarded to the superclass
     * @throws ValidationException if the superclass rejects the assertion or any rule above fails
     */
    @Override
    public void validate(OIOAssertion oIOAssertion, String str, String str2) throws ValidationException {
        // Inherited checks run first, so a failure there is reported before any rule below.
        super.validate(oIOAssertion, str, str2);

        Assertion samlAssertion = oIOAssertion.getAssertion();

        // Freshness of the subject confirmation: a missing timestamp is treated as expired.
        // NOTE(review): the instant printed in the message is taken when the exception is built
        // and may differ from whatever ClockSkewValidator compared against (presumably it applies
        // a skew tolerance; confirm).
        DateTime confirmationExpiry = oIOAssertion.getConfirmationTime();
        boolean confirmationStillValid =
                confirmationExpiry != null && ClockSkewValidator.isAfterNow(confirmationExpiry);
        if (!confirmationStillValid) {
            throw new ValidationException("Subject Confirmation Data is expired: " + confirmationExpiry + " before " + new DateTime());
        }

        // Exactly one AuthnStatement, so there is no ambiguity about which one describes the login.
        int authnStatementCount = samlAssertion.getAuthnStatements().size();
        if (authnStatementCount != 1) {
            throw new ValidationException("The assertion must contain exactly one AuthnStatement. Was " + authnStatementCount);
        }
        AuthnStatement soleAuthnStatement = (AuthnStatement) samlAssertion.getAuthnStatements().get(0);

        if (oIOAssertion.getSessionIndex() == null) {
            throw new ValidationException("The assertion must contain a AuthnStatement@SessionIndex");
        }

        int attributeStatementCount = samlAssertion.getAttributeStatements().size();
        if (attributeStatementCount != 1) {
            throw new ValidationException("The assertion must contain exactly one AttributeStatement. Contains " + attributeStatementCount);
        }

        int authzDecisionCount = samlAssertion.getAuthzDecisionStatements().size();
        if (authzDecisionCount != 0) {
            throw new ValidationException("The assertion must not contain a AuthzDecisionStatement. Contains " + authzDecisionCount);
        }

        // Recipient binding: reject assertions whose recipient does not match the expected value.
        boolean recipientMatches = oIOAssertion.checkRecipient(str2);
        if (!recipientMatches) {
            throw new ValidationException("The assertion must contain the recipient " + str2);
        }

        // NOTE(review): the message says SessionNotOnOrAfter is mandatory, but an absent value
        // passes this check; only a present and already-expired value is rejected.
        DateTime sessionExpiry = soleAuthnStatement.getSessionNotOnOrAfter();
        if (sessionExpiry != null && !ClockSkewValidator.isAfterNow(sessionExpiry)) {
            throw new ValidationException("The assertion must have a AuthnStatement@SessionNotOnOrAfter and it must not have expired. SessionNotOnOrAfter: " + sessionExpiry);
        }
    }
}
