package org.opensaml.saml.saml2.profile.impl;

import com.google.common.base.Predicates;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.TreeMap;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.xml.namespace.QName;
import net.shibboleth.utilities.java.support.collection.LazySet;
import net.shibboleth.utilities.java.support.collection.Pair;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.logic.FunctionSupport;
import net.shibboleth.utilities.java.support.net.HttpServletSupport;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.messaging.MessageException;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.messaging.context.navigate.MessageContextLookup;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.profile.context.navigate.InboundMessageContextLookup;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.binding.SAMLBindingSupport;
import org.opensaml.saml.common.messaging.context.SAMLMessageInfoContext;
import org.opensaml.saml.common.messaging.context.SAMLMetadataContext;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.common.messaging.context.SAMLProtocolContext;
import org.opensaml.saml.common.messaging.context.SAMLSelfEntityContext;
import org.opensaml.saml.common.messaging.context.navigate.SAMLEntityIDFunction;
import org.opensaml.saml.common.messaging.context.navigate.SAMLMessageInfoContextIDFunction;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.criterion.ProtocolCriterion;
import org.opensaml.saml.criterion.RoleDescriptorCriterion;
import org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.profile.impl.ValidateAssertions;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.messaging.ServletRequestX509CredentialAdapter;
import org.opensaml.xmlsec.context.SecurityParametersContext;
import org.opensaml.xmlsec.signature.support.SignatureValidationParametersCriterion;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/opensaml-saml-impl-4.3.1.jar:org/opensaml/saml/saml2/profile/impl/DefaultAssertionValidationContextBuilder.class */
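/**
 * Builds the {@link ValidationContext} used to validate a SAML 2 {@link Assertion}, by assembling the
 * map of static validation parameters from an {@link ValidateAssertions.AssertionValidationInput}.
 *
 * <p>Security-relevant defaults visible in this class (review them against your deployment):</p>
 * <ul>
 *   <li>{@code signatureRequired} defaults to always-true and {@code checkAddress} to always-true.</li>
 *   <li>{@code recipientRequired}, {@code inResponseToRequired}, {@code notBeforeRequired},
 *       {@code notOnOrAfterRequired} and {@code addressRequired} all default to always-false.
 *       NOTE(review): presumably the consuming validators then evaluate the corresponding
 *       SubjectConfirmationData attribute only when it is present; confirm against the validators
 *       that read these parameters and tighten the predicates where the profile demands it.</li>
 *   <li>{@code requiredConditions} defaults to the empty set and no additional audiences are configured.</li>
 * </ul>
 *
 * <p>The setters are not synchronized; NOTE(review): configure the instance before it is shared.</p>
 */
public class DefaultAssertionValidationContextBuilder implements Function<ValidateAssertions.AssertionValidationInput, ValidationContext> {

    /** Optional strategy supplying the permitted clock skew. */
    @Nullable
    private Function<ProfileRequestContext, Duration> clockSkew;

    /** Optional strategy supplying the assertion lifetime parameter. */
    @Nullable
    private Function<ProfileRequestContext, Duration> lifetime;

    /** Optional strategy supplying extra signature validation criteria for a given assertion. */
    @Nullable
    private Function<Pair<ProfileRequestContext, Assertion>, CriteriaSet> signatureCriteriaSetFunction;

    /** Optional strategy supplying the maximum time allowed since authentication. */
    @Nullable
    private Function<ProfileRequestContext, Duration> maximumTimeSinceAuthn;

    /** Optional strategy supplying audiences accepted in addition to the self entityID. */
    @Nullable
    private Function<ProfileRequestContext, Set<String>> additionalAudiences;

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(DefaultAssertionValidationContextBuilder.class);

    /** Whether an assertion signature is required; defaults to always-true. */
    @Nonnull
    private Predicate<ProfileRequestContext> signatureRequired = Predicates.alwaysTrue();

    /** Whether the self entityID is added to the valid recipients; defaults to always-false. */
    @Nonnull
    private Predicate<ProfileRequestContext> includeSelfEntityIDAsRecipient = Predicates.alwaysFalse();

    /** Whether the attester address is to be checked; defaults to always-true. */
    @Nonnull
    private Predicate<ProfileRequestContext> checkAddress = Predicates.alwaysTrue();

    /** Strategy supplying the valid InResponseTo value; defaults to {@link DefaultValidInResponseToLookupFunction}. */
    @Nullable
    private Function<ProfileRequestContext, String> inResponseTo = new DefaultValidInResponseToLookupFunction();

    /** Whether InResponseTo is required; defaults to always-false. */
    @Nonnull
    private Predicate<ProfileRequestContext> inResponseToRequired = Predicates.alwaysFalse();

    /** Whether Recipient is required; defaults to always-false. */
    @Nonnull
    private Predicate<ProfileRequestContext> recipientRequired = Predicates.alwaysFalse();

    /** Whether NotOnOrAfter is required; defaults to always-false. */
    @Nonnull
    private Predicate<ProfileRequestContext> notOnOrAfterRequired = Predicates.alwaysFalse();

    /** Whether NotBefore is required; defaults to always-false. */
    @Nonnull
    private Predicate<ProfileRequestContext> notBeforeRequired = Predicates.alwaysFalse();

    /** Whether Address is required; defaults to always-false. */
    @Nonnull
    private Predicate<ProfileRequestContext> addressRequired = Predicates.alwaysFalse();

    /** Conditions that must be present; defaults to the empty set. */
    @Nonnull
    private Set<QName> requiredConditions = Collections.emptySet();

    /** Strategy supplying the valid issuers; defaults to {@link DefaultValidIssuersLookupFunction}. */
    @Nonnull
    private Function<ProfileRequestContext, Set<String>> validIssuers = new DefaultValidIssuersLookupFunction();

    /** Strategy locating the {@link SecurityParametersContext}; by default a child of the inbound message context. */
    @Nonnull
    private Function<ProfileRequestContext, SecurityParametersContext> securityParametersLookupStrategy = new ChildContextLookup(SecurityParametersContext.class).compose(new InboundMessageContextLookup());

    /* loaded from: input_file:WEB-INF/lib/opensaml-saml-impl-4.3.1.jar:org/opensaml/saml/saml2/profile/impl/DefaultAssertionValidationContextBuilder$DefaultValidInResponseToLookupFunction.class */
    /**
     * Default lookup of the valid InResponseTo value: applies a message-ID lookup, composed over an
     * OUTBOUND message context lookup, to the inbound message context.
     */
    public static class DefaultValidInResponseToLookupFunction implements Function<ProfileRequestContext, String> {
        /** Composed lookup; starts from the message context passed to it and navigates via the OUTBOUND direction. */
        private final Function<MessageContext, String> delegate = new SAMLMessageInfoContextIDFunction().compose(new ChildContextLookup(SAMLMessageInfoContext.class, true).compose(new MessageContextLookup(MessageContextLookup.Direction.OUTBOUND)));

        /**
         * @param profileRequestContext the current profile request context, may be null
         * @return the delegate's result, or null when the context or its inbound message context is null
         */
        @Override // java.util.function.Function
        public String apply(@Nullable ProfileRequestContext profileRequestContext) {
            if (profileRequestContext == null) {
                return null;
            }
            final MessageContext inbound = profileRequestContext.getInboundMessageContext();
            return inbound == null ? null : this.delegate.apply(inbound);
        }
    }

    /* loaded from: input_file:WEB-INF/lib/opensaml-saml-impl-4.3.1.jar:org/opensaml/saml/saml2/profile/impl/DefaultAssertionValidationContextBuilder$DefaultValidIssuersLookupFunction.class */
    /**
     * Default lookup of the valid issuers: applies an entityID lookup on the {@link SAMLPeerEntityContext},
     * composed over an OUTBOUND message context lookup, to the inbound message context.
     */
    public static class DefaultValidIssuersLookupFunction implements Function<ProfileRequestContext, Set<String>> {
        /** Composed lookup; starts from the message context passed to it and navigates via the OUTBOUND direction. */
        private final Function<MessageContext, String> delegate = new SAMLEntityIDFunction().compose(new ChildContextLookup(SAMLPeerEntityContext.class).compose(new MessageContextLookup(MessageContextLookup.Direction.OUTBOUND)));

        /**
         * @param profileRequestContext the current profile request context, may be null
         * @return null when the context or its inbound message context is null; otherwise a singleton
         *         set of the resolved entityID, or the empty set when none was resolved
         */
        @Override // java.util.function.Function
        public Set<String> apply(@Nullable ProfileRequestContext profileRequestContext) {
            if (profileRequestContext == null) {
                return null;
            }
            final MessageContext inbound = profileRequestContext.getInboundMessageContext();
            if (inbound == null) {
                return null;
            }
            final String entityId = this.delegate.apply(inbound);
            if (entityId == null) {
                return Collections.emptySet();
            }
            return Collections.singleton(entityId);
        }
    }

    /** @return the clock skew strategy, or null if none is set */
    @Nullable
    public Function<ProfileRequestContext, Duration> getClockSkew() {
        return this.clockSkew;
    }

    /** @param duration fixed clock skew, wrapped in a constant strategy */
    public void setClockSkew(@Nullable Duration duration) {
        this.clockSkew = FunctionSupport.constant(duration);
    }

    /** @param function the clock skew strategy, may be null */
    public void setClockSkewLookupStrategy(@Nullable Function<ProfileRequestContext, Duration> function) {
        this.clockSkew = function;
    }

    /** @return the lifetime strategy, or null if none is set */
    @Nullable
    public Function<ProfileRequestContext, Duration> getLifetime() {
        return this.lifetime;
    }

    /** @param duration fixed lifetime, wrapped in a constant strategy */
    public void setLifetime(@Nullable Duration duration) {
        this.lifetime = FunctionSupport.constant(duration);
    }

    /** @param function the lifetime strategy, may be null */
    public void setLifetimeLookupStrategy(@Nullable Function<ProfileRequestContext, Duration> function) {
        this.lifetime = function;
    }

    /** @return the strategy used to locate the {@link SecurityParametersContext} */
    @Nonnull
    public Function<ProfileRequestContext, SecurityParametersContext> getSecurityParametersLookupStrategy() {
        return this.securityParametersLookupStrategy;
    }

    /** @param function the strategy used to locate the {@link SecurityParametersContext}; must not be null */
    public void setSecurityParametersLookupStrategy(@Nonnull Function<ProfileRequestContext, SecurityParametersContext> function) {
        this.securityParametersLookupStrategy = Constraint.isNotNull(function, "SecurityParametersContext lookup strategy was null");
    }

    /** @return the unmodifiable (or empty) set of required conditions */
    @Nonnull
    public Set<QName> getRequiredConditions() {
        return this.requiredConditions;
    }

    /**
     * Sets the required conditions; null elements are dropped and the result is stored as an
     * unmodifiable copy, so later changes to the caller's set have no effect.
     *
     * @param set the required conditions, or null for none
     */
    public void setRequiredConditions(@Nullable Set<QName> set) {
        if (set == null) {
            this.requiredConditions = Collections.emptySet();
            return;
        }
        this.requiredConditions = set.stream().filter(Objects::nonNull).collect(Collectors.toUnmodifiableSet());
    }

    /** @return predicate deciding whether the self entityID is accepted as a recipient */
    @Nonnull
    public Predicate<ProfileRequestContext> getIncludeSelfEntityIDAsRecipient() {
        return this.includeSelfEntityIDAsRecipient;
    }

    /** @param predicate predicate deciding whether the self entityID is accepted as a recipient; must not be null */
    public void setIncludeSelfEntityIDAsRecipient(@Nonnull Predicate<ProfileRequestContext> predicate) {
        // The message previously named the signature-required predicate (copy/paste slip), which
        // pointed operators at the wrong property when diagnosing a misconfiguration.
        this.includeSelfEntityIDAsRecipient = Constraint.isNotNull(predicate, "Include self entityID as recipient predicate was null");
    }

    /** @return predicate deciding whether an assertion signature is required */
    @Nonnull
    public Predicate<ProfileRequestContext> getSignatureRequired() {
        return this.signatureRequired;
    }

    /** @param predicate predicate deciding whether an assertion signature is required; must not be null */
    public void setSignatureRequired(@Nonnull Predicate<ProfileRequestContext> predicate) {
        this.signatureRequired = Constraint.isNotNull(predicate, "Signature required predicate was null");
    }

    /** @param function strategy supplying the valid InResponseTo value, may be null */
    public void setInResponseTo(@Nullable Function<ProfileRequestContext, String> function) {
        this.inResponseTo = function;
    }

    /** @return strategy supplying the valid InResponseTo value, or null if none is set */
    @Nullable
    public Function<ProfileRequestContext, String> getInResponseTo() {
        return this.inResponseTo;
    }

    /** @return predicate deciding whether InResponseTo is required */
    @Nonnull
    public Predicate<ProfileRequestContext> getInResponseToRequired() {
        return this.inResponseToRequired;
    }

    /** @param predicate predicate deciding whether InResponseTo is required; must not be null */
    public void setInResponseToRequired(@Nonnull Predicate<ProfileRequestContext> predicate) {
        this.inResponseToRequired = Constraint.isNotNull(predicate, "InResponseTo required predicate was null");
    }

    /** @return predicate deciding whether Recipient is required */
    @Nonnull
    public Predicate<ProfileRequestContext> getRecipientRequired() {
        return this.recipientRequired;
    }

    /** @param predicate predicate deciding whether Recipient is required; must not be null */
    public void setRecipientRequired(@Nonnull Predicate<ProfileRequestContext> predicate) {
        this.recipientRequired = Constraint.isNotNull(predicate, "Recipient required predicate was null");
    }

    /** @return predicate deciding whether NotBefore is required */
    @Nonnull
    public Predicate<ProfileRequestContext> getNotBeforeRequired() {
        return this.notBeforeRequired;
    }

    /** @param predicate predicate deciding whether NotBefore is required; must not be null */
    public void setNotBeforeRequired(@Nonnull Predicate<ProfileRequestContext> predicate) {
        this.notBeforeRequired = Constraint.isNotNull(predicate, "NotBefore required predicate was null");
    }

    /** @return predicate deciding whether NotOnOrAfter is required */
    @Nonnull
    public Predicate<ProfileRequestContext> getNotOnOrAfterRequired() {
        return this.notOnOrAfterRequired;
    }

    /** @param predicate predicate deciding whether NotOnOrAfter is required; must not be null */
    public void setNotOnOrAfterRequired(@Nonnull Predicate<ProfileRequestContext> predicate) {
        this.notOnOrAfterRequired = Constraint.isNotNull(predicate, "NotOnOrAfter required predicate was null");
    }

    /** @return predicate deciding whether Address is required */
    @Nonnull
    public Predicate<ProfileRequestContext> getAddressRequired() {
        return this.addressRequired;
    }

    /** @param predicate predicate deciding whether Address is required; must not be null */
    public void setAddressRequired(@Nonnull Predicate<ProfileRequestContext> predicate) {
        this.addressRequired = Constraint.isNotNull(predicate, "Address required predicate was null");
    }

    /** @return predicate deciding whether the attester address is checked */
    @Nonnull
    public Predicate<ProfileRequestContext> getCheckAddress() {
        return this.checkAddress;
    }

    /** @param predicate predicate deciding whether the attester address is checked; must not be null */
    public void setCheckAddress(@Nonnull Predicate<ProfileRequestContext> predicate) {
        this.checkAddress = Constraint.isNotNull(predicate, "Check address predicate was null");
    }

    /** @return strategy supplying additional valid audiences, or null if none is set */
    @Nullable
    public Function<ProfileRequestContext, Set<String>> getAdditionalAudiences() {
        return this.additionalAudiences;
    }

    /** @param function strategy supplying additional valid audiences, may be null */
    public void setAdditionalAudiences(@Nullable Function<ProfileRequestContext, Set<String>> function) {
        this.additionalAudiences = function;
    }

    /** @return strategy supplying the valid issuers */
    @Nonnull
    public Function<ProfileRequestContext, Set<String>> getValidIssuers() {
        return this.validIssuers;
    }

    /** @param function strategy supplying the valid issuers; must not be null */
    public void setValidIssuers(@Nonnull Function<ProfileRequestContext, Set<String>> function) {
        this.validIssuers = Constraint.isNotNull(function, "Valid Issuers function was null");
    }

    /** @return strategy supplying the maximum time since authentication, or null if none is set */
    @Nullable
    public Function<ProfileRequestContext, Duration> getMaximumTimeSinceAuthn() {
        return this.maximumTimeSinceAuthn;
    }

    /** @param function strategy supplying the maximum time since authentication, may be null */
    public void setMaximumTimeSinceAuthn(@Nullable Function<ProfileRequestContext, Duration> function) {
        this.maximumTimeSinceAuthn = function;
    }

    /** @return strategy supplying extra signature validation criteria, or null if none is set */
    @Nullable
    public Function<Pair<ProfileRequestContext, Assertion>, CriteriaSet> getSignatureCriteriaSetFunction() {
        return this.signatureCriteriaSetFunction;
    }

    /** @param function strategy supplying extra signature validation criteria, may be null */
    public void setSignatureCriteriaSetFunction(@Nullable Function<Pair<ProfileRequestContext, Assertion>, CriteriaSet> function) {
        this.signatureCriteriaSetFunction = function;
    }

    /**
     * Builds the validation context for one assertion.
     *
     * @param assertionValidationInput the validation input, may be null
     * @return a new {@link ValidationContext} wrapping the static parameters, or null for null input
     */
    @Override // java.util.function.Function
    @Nullable
    public ValidationContext apply(@Nullable ValidateAssertions.AssertionValidationInput assertionValidationInput) {
        if (assertionValidationInput == null) {
            return null;
        }
        return new ValidationContext(buildStaticParameters(assertionValidationInput));
    }

    /**
     * Assembles the static validation parameters: clock skew and lifetime (when configured), valid
     * issuers, then signature, conditions, subject confirmation and statement parameters.
     *
     * @param assertionValidationInput the validation input
     * @return the parameter map, keyed by {@link SAML2AssertionValidationParameters} constants
     */
    @Nonnull
    protected Map<String, Object> buildStaticParameters(@Nonnull ValidateAssertions.AssertionValidationInput assertionValidationInput) {
        final ProfileRequestContext prc = assertionValidationInput.getProfileRequestContext();
        final Map<String, Object> params = new TreeMap<>();

        final Function<ProfileRequestContext, Duration> skewStrategy = getClockSkew();
        if (skewStrategy != null) {
            params.put(SAML2AssertionValidationParameters.CLOCK_SKEW, skewStrategy.apply(prc));
        }
        final Function<ProfileRequestContext, Duration> lifetimeStrategy = getLifetime();
        if (lifetimeStrategy != null) {
            params.put(SAML2AssertionValidationParameters.LIFETIME, lifetimeStrategy.apply(prc));
        }
        params.put(SAML2AssertionValidationParameters.VALID_ISSUERS, getValidIssuers().apply(prc));

        populateSignatureParameters(params, assertionValidationInput);
        populateConditionsParameters(params, assertionValidationInput);

        // The same address set and check flag feed both the subject confirmation and the
        // authentication statement parameters.
        final Set<InetAddress> validAddresses = getValidAddresses(assertionValidationInput);
        final Boolean checkAddressFlag = getCheckAddress().test(prc);
        populateSubjectConfirmationParameters(params, assertionValidationInput, validAddresses, checkAddressFlag);
        populateStatementParams(params, assertionValidationInput, validAddresses, checkAddressFlag);

        this.log.trace("Built static parameters map: {}", params);
        return params;
    }

    /**
     * Adds the signature-required flag, the signature validation criteria and, when the security
     * parameters context carries signature validation parameters, the trust engine.
     *
     * @param map the parameter map being populated
     * @param assertionValidationInput the validation input
     */
    private void populateSignatureParameters(@Nonnull Map<String, Object> map, @Nonnull ValidateAssertions.AssertionValidationInput assertionValidationInput) {
        final ProfileRequestContext prc = assertionValidationInput.getProfileRequestContext();
        map.put(SAML2AssertionValidationParameters.SIGNATURE_REQUIRED, Boolean.valueOf(getSignatureRequired().test(prc)));
        map.put(SAML2AssertionValidationParameters.SIGNATURE_VALIDATION_CRITERIA_SET, getSignatureCriteriaSet(assertionValidationInput));

        // No trust engine entry is written when the security parameters are absent.
        // NOTE(review): confirm the consuming signature validator rejects (rather than skips)
        // a signed assertion when no trust engine is supplied.
        final SecurityParametersContext securityParameters = getSecurityParametersLookupStrategy().apply(prc);
        if (securityParameters != null && securityParameters.getSignatureValidationParameters() != null) {
            map.put(SAML2AssertionValidationParameters.SIGNATURE_VALIDATION_TRUST_ENGINE, securityParameters.getSignatureValidationParameters().getSignatureTrustEngine());
        }
    }

    /**
     * Adds the required conditions and the valid audiences.
     *
     * @param map the parameter map being populated
     * @param assertionValidationInput the validation input
     */
    private void populateConditionsParameters(@Nonnull Map<String, Object> map, @Nonnull ValidateAssertions.AssertionValidationInput assertionValidationInput) {
        map.put(SAML2AssertionValidationParameters.COND_REQUIRED_CONDITIONS, getRequiredConditions(assertionValidationInput));
        map.put(SAML2AssertionValidationParameters.COND_VALID_AUDIENCES, getValidAudiences(assertionValidationInput));
    }

    /**
     * Adds the subject confirmation parameters: holder-of-key presenter certificate/key (when
     * available), recipient, address, InResponseTo, NotBefore and NotOnOrAfter settings.
     *
     * @param map the parameter map being populated
     * @param assertionValidationInput the validation input
     * @param set the valid attester addresses
     * @param bool whether the address is to be checked
     */
    private void populateSubjectConfirmationParameters(@Nonnull Map<String, Object> map, @Nonnull ValidateAssertions.AssertionValidationInput assertionValidationInput, @Nonnull Set<InetAddress> set, @Nonnull Boolean bool) {
        final ProfileRequestContext prc = assertionValidationInput.getProfileRequestContext();

        final X509Certificate presenterCert = getAttesterCertificate(assertionValidationInput);
        if (presenterCert != null) {
            map.put(SAML2AssertionValidationParameters.SC_HOK_PRESENTER_CERT, presenterCert);
        }
        final PublicKey presenterKey = getAttesterPublicKey(assertionValidationInput);
        if (presenterKey != null) {
            map.put(SAML2AssertionValidationParameters.SC_HOK_PRESENTER_KEY, presenterKey);
        }

        map.put(SAML2AssertionValidationParameters.SC_RECIPIENT_REQUIRED, Boolean.valueOf(getRecipientRequired().test(prc)));
        map.put(SAML2AssertionValidationParameters.SC_VALID_RECIPIENTS, getValidRecipients(assertionValidationInput));
        map.put(SAML2AssertionValidationParameters.SC_ADDRESS_REQUIRED, Boolean.valueOf(getAddressRequired().test(prc)));
        map.put(SAML2AssertionValidationParameters.SC_VALID_ADDRESSES, set);
        map.put(SAML2AssertionValidationParameters.SC_CHECK_ADDRESS, bool);
        map.put(SAML2AssertionValidationParameters.SC_IN_RESPONSE_TO_REQUIRED, Boolean.valueOf(getInResponseToRequired().test(prc)));

        // The valid InResponseTo value is only supplied when a lookup strategy is configured.
        final Function<ProfileRequestContext, String> inResponseToStrategy = getInResponseTo();
        if (inResponseToStrategy != null) {
            map.put(SAML2AssertionValidationParameters.SC_VALID_IN_RESPONSE_TO, inResponseToStrategy.apply(prc));
        }

        map.put(SAML2AssertionValidationParameters.SC_NOT_BEFORE_REQUIRED, Boolean.valueOf(getNotBeforeRequired().test(prc)));
        map.put(SAML2AssertionValidationParameters.SC_NOT_ON_OR_AFTER_REQUIRED, Boolean.valueOf(getNotOnOrAfterRequired().test(prc)));
    }

    /**
     * Adds the authentication statement parameters: valid addresses, the address check flag and,
     * when configured, the maximum time since authentication.
     *
     * @param map the parameter map being populated
     * @param assertionValidationInput the validation input
     * @param set the valid attester addresses
     * @param bool whether the address is to be checked
     */
    private void populateStatementParams(@Nonnull Map<String, Object> map, @Nonnull ValidateAssertions.AssertionValidationInput assertionValidationInput, @Nonnull Set<InetAddress> set, @Nonnull Boolean bool) {
        map.put(SAML2AssertionValidationParameters.STMT_AUTHN_VALID_ADDRESSES, set);
        map.put(SAML2AssertionValidationParameters.STMT_AUTHN_CHECK_ADDRESS, bool);
        final Function<ProfileRequestContext, Duration> maxTimeStrategy = getMaximumTimeSinceAuthn();
        if (maxTimeStrategy != null) {
            map.put(SAML2AssertionValidationParameters.STMT_AUTHN_MAX_TIME, maxTimeStrategy.apply(assertionValidationInput.getProfileRequestContext()));
        }
    }

    /**
     * Returns the required conditions for this input; the default ignores the input and returns
     * the configured set.
     *
     * @param assertionValidationInput the validation input
     * @return the required conditions
     */
    @Nonnull
    protected Set<QName> getRequiredConditions(@Nonnull ValidateAssertions.AssertionValidationInput assertionValidationInput) {
        return getRequiredConditions();
    }

    /**
     * Builds the criteria used to resolve signature validation credentials. Criteria from the
     * configured function take precedence; an {@link EntityIdCriterion}, a signing
     * {@link UsageCriterion} and criteria from the inbound message context are added only when
     * not already present.
     *
     * @param assertionValidationInput the validation input
     * @return the criteria set
     */
    @Nonnull
    protected CriteriaSet getSignatureCriteriaSet(@Nonnull ValidateAssertions.AssertionValidationInput assertionValidationInput) {
        final ProfileRequestContext prc = assertionValidationInput.getProfileRequestContext();
        final CriteriaSet criteriaSet = new CriteriaSet();

        final Function<Pair<ProfileRequestContext, Assertion>, CriteriaSet> criteriaFunction = getSignatureCriteriaSetFunction();
        if (criteriaFunction != null) {
            final CriteriaSet dynamicCriteria = criteriaFunction.apply(new Pair<>(prc, assertionValidationInput.getAssertion()));
            if (dynamicCriteria != null) {
                criteriaSet.addAll(dynamicCriteria);
            }
        }

        if (!criteriaSet.contains(EntityIdCriterion.class)) {
            // The entityID is taken from the Issuer of the assertion under validation, i.e. from
            // data that is not yet verified. It only selects whose credentials are looked up; the
            // set of acceptable issuers is supplied separately as VALID_ISSUERS.
            String issuer = null;
            if (assertionValidationInput.getAssertion().getIssuer() != null) {
                issuer = StringSupport.trimOrNull(assertionValidationInput.getAssertion().getIssuer().getValue());
            }
            if (issuer != null) {
                this.log.debug("Adding internally-generated EntityIdCriterion with value of: {}", issuer);
                criteriaSet.add(new EntityIdCriterion(issuer));
            }
        }

        if (!criteriaSet.contains(UsageCriterion.class)) {
            this.log.debug("Adding internally-generated UsageCriterion with value of: {}", UsageType.SIGNING);
            criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
        }

        final MessageContext inbound = prc.getInboundMessageContext();
        if (inbound != null) {
            populateSignatureCriteriaFromInboundContext(criteriaSet, inbound);
        }

        this.log.debug("Resolved Signature validation CriteriaSet: {}", criteriaSet);
        return criteriaSet;
    }

    /**
     * Adds role descriptor, entity role, protocol and signature validation parameter criteria
     * from the subcontexts of the given message context, each only when the criteria set does not
     * already contain a criterion of that type and the source value is available.
     *
     * @param criteriaSet the criteria set to add to
     * @param messageContext the inbound message context
     */
    protected void populateSignatureCriteriaFromInboundContext(@Nonnull CriteriaSet criteriaSet, @Nonnull MessageContext messageContext) {
        final SAMLPeerEntityContext peerContext = (SAMLPeerEntityContext) messageContext.getSubcontext(SAMLPeerEntityContext.class);
        if (peerContext != null) {
            if (!criteriaSet.contains(RoleDescriptorCriterion.class)) {
                final SAMLMetadataContext metadataContext = (SAMLMetadataContext) peerContext.getSubcontext(SAMLMetadataContext.class);
                if (metadataContext != null && metadataContext.getRoleDescriptor() != null) {
                    criteriaSet.add(new RoleDescriptorCriterion(metadataContext.getRoleDescriptor()));
                }
            }
            if (!criteriaSet.contains(EntityRoleCriterion.class)) {
                final QName role = peerContext.getRole();
                if (role != null) {
                    criteriaSet.add(new EntityRoleCriterion(role));
                }
            }
        }

        final SAMLProtocolContext protocolContext = (SAMLProtocolContext) messageContext.getSubcontext(SAMLProtocolContext.class);
        if (!criteriaSet.contains(ProtocolCriterion.class) && protocolContext != null && protocolContext.getProtocol() != null) {
            criteriaSet.add(new ProtocolCriterion(protocolContext.getProtocol()));
        }

        if (!criteriaSet.contains(SignatureValidationParametersCriterion.class)) {
            final SecurityParametersContext securityParameters = (SecurityParametersContext) messageContext.getSubcontext(SecurityParametersContext.class);
            if (securityParameters != null && securityParameters.getSignatureValidationParameters() != null) {
                criteriaSet.add(new SignatureValidationParametersCriterion(securityParameters.getSignatureValidationParameters()));
            }
        }
    }

    /**
     * Obtains the attester's X.509 certificate from the servlet request, for holder-of-key
     * subject confirmation.
     *
     * @param assertionValidationInput the validation input
     * @return the certificate, or null when the adapter reports a {@link SecurityException}
     */
    @Nullable
    protected X509Certificate getAttesterCertificate(@Nonnull ValidateAssertions.AssertionValidationInput assertionValidationInput) {
        try {
            return new ServletRequestX509CredentialAdapter(assertionValidationInput.getHttpServletRequest()).getEntityCertificate();
        } catch (SecurityException e) {
            // Deliberately not an error: without a client certificate no presenter cert is
            // supplied, so holder-of-key confirmation via TLS client cert cannot succeed.
            this.log.debug("Peer TLS X.509 certificate was not present. Holder-of-key proof-of-possession via client TLS cert will not be possible");
            return null;
        }
    }

    /**
     * Obtains the attester's public key; the default supplies none.
     *
     * @param assertionValidationInput the validation input
     * @return always null in this implementation
     */
    @Nullable
    protected PublicKey getAttesterPublicKey(@Nonnull ValidateAssertions.AssertionValidationInput assertionValidationInput) {
        return null;
    }

    /**
     * Resolves the valid subject confirmation recipients: the actual receiver endpoint URI and,
     * when the corresponding predicate allows it, the self entityID.
     *
     * @param assertionValidationInput the validation input
     * @return the valid recipients, possibly empty
     */
    @Nonnull
    protected Set<String> getValidRecipients(@Nonnull ValidateAssertions.AssertionValidationInput assertionValidationInput) {
        final ProfileRequestContext prc = assertionValidationInput.getProfileRequestContext();
        final Set<String> recipients = new LazySet<>();
        try {
            final String endpoint = SAMLBindingSupport.getActualReceiverEndpointURI(prc.getInboundMessageContext(), assertionValidationInput.getHttpServletRequest());
            if (endpoint != null) {
                recipients.add(endpoint);
            }
        } catch (MessageException e) {
            // Best effort: a failure leaves the endpoint out of the valid recipients.
            this.log.warn("Attempt to resolve recipient endpoint failed", e);
        }

        if (getIncludeSelfEntityIDAsRecipient().test(prc)) {
            final String selfEntityID = getSelfEntityID(assertionValidationInput);
            if (selfEntityID != null) {
                recipients.add(selfEntityID);
            }
        }

        this.log.debug("Resolved valid subject confirmation recipients set: {}", recipients);
        return recipients;
    }

    /**
     * Resolves the valid attester addresses from the attester IP address.
     *
     * <p>{@link InetAddress#getAllByName(String)} performs a name service lookup when handed a
     * host name rather than an IP literal, so overrides of
     * {@link #getAttesterIPAddress(ValidateAssertions.AssertionValidationInput)} should return
     * literal addresses only.</p>
     *
     * @param assertionValidationInput the validation input
     * @return the valid addresses, or the empty set when the address is unknown or unparsable
     */
    @Nonnull
    protected Set<InetAddress> getValidAddresses(@Nonnull ValidateAssertions.AssertionValidationInput assertionValidationInput) {
        try {
            final String attesterAddress = getAttesterIPAddress(assertionValidationInput);
            this.log.debug("Saw attester IP address: {}", attesterAddress);
            if (attesterAddress == null) {
                this.log.warn("Could not determine attester IP address. Validation of Assertion may or may not succeed");
                return Collections.emptySet();
            }
            final Set<InetAddress> addresses = new LazySet<>();
            addresses.addAll(Arrays.asList(InetAddress.getAllByName(attesterAddress)));
            this.log.debug("Resolved valid subject confirmation InetAddress set: {}", addresses);
            return addresses;
        } catch (UnknownHostException e) {
            this.log.warn("Processing of attester IP address failed. Validation of Assertion may or may not succeed", e);
            return Collections.emptySet();
        }
    }

    /**
     * Obtains the attester IP address from the servlet request.
     *
     * <p>NOTE(review): presumably this is the transport peer address as seen by the container;
     * behind a reverse proxy or load balancer that is the proxy's address, in which case address
     * checks compare against the proxy rather than the user agent. Confirm for the deployment.</p>
     *
     * @param assertionValidationInput the validation input
     * @return the remote address reported by {@link HttpServletSupport#getRemoteAddr}
     */
    @Nonnull
    protected String getAttesterIPAddress(@Nonnull ValidateAssertions.AssertionValidationInput assertionValidationInput) {
        return HttpServletSupport.getRemoteAddr(assertionValidationInput.getHttpServletRequest());
    }

    /**
     * Resolves the valid audiences: the self entityID (when known) plus any additional audiences
     * supplied by the configured strategy.
     *
     * @param assertionValidationInput the validation input
     * @return the valid audiences, possibly empty
     */
    @Nonnull
    protected Set<String> getValidAudiences(@Nonnull ValidateAssertions.AssertionValidationInput assertionValidationInput) {
        final Set<String> audiences = new LazySet<>();
        final String selfEntityID = getSelfEntityID(assertionValidationInput);
        if (selfEntityID != null) {
            audiences.add(selfEntityID);
        }

        final Function<ProfileRequestContext, Set<String>> extraStrategy = getAdditionalAudiences();
        if (extraStrategy != null) {
            final Set<String> extra = extraStrategy.apply(assertionValidationInput.getProfileRequestContext());
            if (extra != null) {
                audiences.addAll(extra);
            }
        }

        this.log.debug("Resolved valid audiences set: {}", audiences);
        return audiences;
    }

    /**
     * Looks up the self entityID from the {@link SAMLSelfEntityContext} of the inbound message
     * context.
     *
     * @param assertionValidationInput the validation input
     * @return the self entityID, or null when the inbound message context or the self entity
     *         context is absent
     */
    @Nullable
    protected String getSelfEntityID(@Nonnull ValidateAssertions.AssertionValidationInput assertionValidationInput) {
        // getSignatureCriteriaSet treats a missing inbound message context as legal, so do the
        // same here instead of failing with a NullPointerException. Callers then simply omit the
        // self entityID from the valid audiences/recipients, which can only narrow what is accepted.
        final MessageContext inbound = assertionValidationInput.getProfileRequestContext().getInboundMessageContext();
        if (inbound == null) {
            return null;
        }
        final SAMLSelfEntityContext selfContext = (SAMLSelfEntityContext) inbound.getSubcontext(SAMLSelfEntityContext.class);
        return selfContext != null ? selfContext.getEntityId() : null;
    }
}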
