package pl.edu.icm.unity.saml.idp;

import eu.emi.security.authn.x509.X509CertChainValidator;
import eu.emi.security.authn.x509.X509Credential;
import eu.unicore.util.configuration.ConfigurationException;
import java.io.IOException;
import java.io.StringReader;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.temporal.ChronoUnit;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Properties;
import java.util.Set;
import java.util.stream.Collectors;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.MessageSource;
import pl.edu.icm.unity.engine.api.PKIManagement;
import pl.edu.icm.unity.engine.api.idp.ActiveValueClient;
import pl.edu.icm.unity.engine.api.idp.IdpPolicyAgreementsConfigurationParser;
import pl.edu.icm.unity.engine.api.idp.PropertiesTranslationProfileLoader;
import pl.edu.icm.unity.engine.api.idp.UserImportConfig;
import pl.edu.icm.unity.engine.api.idp.UserImportConfigs;
import pl.edu.icm.unity.engine.api.translation.TranslationProfileGenerator;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.exceptions.InternalException;
import pl.edu.icm.unity.saml.SamlProperties;
import pl.edu.icm.unity.saml.idp.SAMLIdPConfiguration;
import pl.edu.icm.unity.saml.sp.SAMLSPProperties;
import pl.edu.icm.unity.saml.sp.config.BaseSamlConfiguration;
import pl.edu.icm.unity.types.I18nString;
import pl.edu.icm.unity.types.translation.TranslationProfile;

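/**
 * Builds a {@link SAMLIdPConfiguration} from the SAML IdP endpoint's properties.
 *
 * <p>The configuration may be supplied as a raw properties string, a {@link Properties}
 * object, or an already validated {@link SamlIdpProperties} instance. Credentials,
 * truststores and per-SP certificates are referenced by name and resolved through
 * {@link PKIManagement}; a name that the PKI store does not know is reported as a
 * configuration error rather than being ignored.
 *
 * <p>Note that a certificate chain validator is only built when the SP acceptance policy is
 * {@code validSigner}; for the other policies no truststore is consulted at all (see
 * {@link #getX509CertChainValidator}).
 */
@Component
public class SAMLIdPConfigurationParser {
    private final PKIManagement pkiMan;
    private final MessageSource msg;

    /**
     * @param pKIManagement PKI store used to resolve credential, truststore and certificate
     *        names; wired with the {@code "insecure"} qualifier, as in the original bean
     *        definition (the semantics of that qualifier are defined elsewhere)
     * @param messageSource used for localized SP names / logo URIs and for policy agreements
     * @throws NullPointerException if either dependency is {@code null}
     */
    public SAMLIdPConfigurationParser(@Qualifier("insecure") PKIManagement pKIManagement, MessageSource messageSource) {
        this.pkiMan = Objects.requireNonNull(pKIManagement, "pKIManagement");
        this.msg = Objects.requireNonNull(messageSource, "messageSource");
    }

    /**
     * Parses already validated IdP properties.
     *
     * @param samlIdpProperties validated IdP properties
     * @return the assembled configuration
     */
    public SAMLIdPConfiguration parse(SamlIdpProperties samlIdpProperties) {
        return fromProperties(samlIdpProperties);
    }

    /**
     * Parses raw properties, validating them as {@link SamlIdpProperties} first.
     *
     * @param properties raw IdP properties
     * @return the assembled configuration
     * @throws InternalException if the properties are not a valid IdP configuration
     */
    public SAMLIdPConfiguration parse(Properties properties) {
        return fromProperties(loadAsSamlIdPProperties(properties));
    }

    /**
     * Parses a configuration given in {@link Properties} text format.
     *
     * @param str properties-format text
     * @return the assembled configuration
     * @throws InternalException if the text cannot be loaded or is not a valid IdP configuration
     */
    public SAMLIdPConfiguration parse(String str) {
        return parse(loadAsProperties(str));
    }

    /** Loads properties-format text; an {@link IOException} from the reader is reported as an internal error. */
    private Properties loadAsProperties(String str) {
        Properties properties = new Properties();
        try {
            properties.load(new StringReader(str));
        } catch (IOException e) {
            // Message corrected: this parser handles the IdP, not the SP-side verificator.
            throw new InternalException("Invalid configuration of the SAML IdP", e);
        }
        return properties;
    }

    /** Validates raw properties as {@link SamlIdpProperties}. */
    private SamlIdpProperties loadAsSamlIdPProperties(Properties properties) {
        try {
            return new SamlIdpProperties(properties);
        } catch (ConfigurationException e) {
            throw new InternalException("Invalid configuration of the SAML IdP", e);
        }
    }

    /**
     * Assembles the configuration from validated properties. The credential name is read once so
     * that the name stored in the configuration and the credential loaded from the PKI store
     * always refer to the same property value.
     */
    private SAMLIdPConfiguration fromProperties(SamlIdpProperties props) {
        String credentialName = props.getValue(SamlIdpProperties.CREDENTIAL);
        return SAMLIdPConfiguration.builder()
                .withTrustedServiceProviders(getTrustedServiceProviders(props))
                .withIdentityTypeMapper(getEffectiveMappings(props))
                .withUserImportConfigs(getUserImportConfigs(props))
                .withOutputTranslationProfile(PropertiesTranslationProfileLoader.getTranslationProfile(
                        props, "translationProfile", "embeddedTranslationProfile"))
                .withSkipConsent(props.getBooleanValue("skipConsent"))
                .withActiveValueClient(getActiveValueClients(props))
                .withPolicyAgreements(IdpPolicyAgreementsConfigurationParser.fromPropoerties(this.msg, props))
                .withChainValidator(getX509CertChainValidator(props))
                .withAuthenticationTimeout(props.getIntValue(SamlIdpProperties.AUTHENTICATION_TIMEOUT))
                .withSignResponses(props.getEnumValue(SamlIdpProperties.SIGN_RESPONSE,
                        SAMLIdPConfiguration.ResponseSigningPolicy.class))
                .withSignAssertion(props.getEnumValue(SamlIdpProperties.SIGN_ASSERTION,
                        SAMLIdPConfiguration.AssertionSigningPolicy.class))
                .withCredentialName(credentialName)
                .withCredential(getSamlIssuerCredential(credentialName))
                .withTruststore(props.getValue(SamlIdpProperties.TRUSTSTORE))
                .withValidityPeriod(Duration.of(
                        props.getIntValue(SamlIdpProperties.DEF_ATTR_ASSERTION_VALIDITY), ChronoUnit.SECONDS))
                .withRequestValidityPeriod(Duration.of(
                        props.getIntValue(SamlIdpProperties.SAML_REQUEST_VALIDITY), ChronoUnit.SECONDS))
                .withIssuerURI(props.getValue(SamlIdpProperties.ISSUER_URI))
                .withReturnSingleAssertion(props.getBooleanValue(SamlIdpProperties.RETURN_SINGLE_ASSERTION))
                .withSpAcceptPolicy(props.getEnumValue(SamlIdpProperties.SP_ACCEPT_POLICY,
                        SAMLIdPConfiguration.RequestAcceptancePolicy.class))
                .withGroupChooser(getGroups(props), props.getValue(SamlIdpProperties.DEFAULT_GROUP))
                .withTrustedMetadataSources(getMetadataSources(props))
                .withUserCanEditConsent(props.getBooleanValue(SamlIdpProperties.USER_EDIT_CONSENT))
                .withPublishMetadata(props.getBooleanValue(SamlProperties.PUBLISH_METADATA))
                .withMetadataURLPath(props.getValue(SamlProperties.METADATA_URL))
                .withOurMetadataFilePath(props.getValue(SamlProperties.METADATA_SOURCE))
                .withSignMetadata(props.getBooleanValue(SamlProperties.SIGN_METADATA))
                .build();
    }

    /**
     * Resolves the truststore used to validate SP signatures.
     *
     * <p>Only the {@code validSigner} acceptance policy uses a truststore: it must be configured
     * and known to the PKI store. For every other policy this method returns {@code null}
     * (no chain validation) and only checks that the configured IdP credential exists.
     *
     * @return the configured validator, or {@code null} when the acceptance policy does not use one
     * @throws ConfigurationException if the credential or truststore is missing or unknown
     * @throws InternalException if the PKI store cannot be queried
     */
    private X509CertChainValidator getX509CertChainValidator(SamlIdpProperties props) {
        SAMLIdPConfiguration.RequestAcceptancePolicy acceptPolicy = props.getEnumValue(
                SamlIdpProperties.SP_ACCEPT_POLICY, SAMLIdPConfiguration.RequestAcceptancePolicy.class);
        try {
            if (acceptPolicy != SAMLIdPConfiguration.RequestAcceptancePolicy.validSigner) {
                String credential = props.getValue(SamlIdpProperties.CREDENTIAL);
                if (!this.pkiMan.getCredentialNames().contains(credential)) {
                    throw new ConfigurationException("The SAML credential " + credential + " is unknown");
                }
                return null;
            }
            String truststore = props.getValue(SamlIdpProperties.TRUSTSTORE);
            if (truststore == null) {
                throw new ConfigurationException(
                        "The SAML truststore must be defined for the selected SP acceptance policy " + acceptPolicy);
            }
            if (!this.pkiMan.getValidatorNames().contains(truststore)) {
                throw new ConfigurationException("The SAML truststore " + truststore + " is unknown");
            }
            return this.pkiMan.getValidator(truststore);
        } catch (EngineException e) {
            // Wrapped consistently with the other PKI lookups in this class instead of a bare RuntimeException.
            throw new InternalException("Can't access the PKI store while configuring the SAML IdP", e);
        }
    }

    /** Loads the IdP signing/issuer credential by name from the PKI store. */
    private X509Credential getSamlIssuerCredential(String credentialName) {
        try {
            return this.pkiMan.getCredential(credentialName);
        } catch (EngineException e) {
            throw new InternalException("Can't retrieve SAML credential", e);
        }
    }

    /** One {@link TrustedServiceProvider} per entry of the allowed-SP structured list. */
    private TrustedServiceProviders getTrustedServiceProviders(SamlIdpProperties props) {
        List<TrustedServiceProvider> providers = props.getStructuredListKeys(SamlIdpProperties.ALLOWED_SP_PREFIX)
                .stream()
                .map(spKey -> getTrustedSP(props, spKey))
                .collect(Collectors.toList());
        return new TrustedServiceProviders(providers);
    }

    /**
     * Reads the user-import settings. When import is skipped, or no importers are configured,
     * an empty set of importer configs is returned.
     */
    private UserImportConfigs getUserImportConfigs(SamlIdpProperties props) {
        Set<String> importKeys = props.getStructuredListKeys("userImport.");
        boolean skipImport = props.getBooleanValue("skipUserImport");
        if (importKeys.isEmpty() || skipImport) {
            return new UserImportConfigs(skipImport, Set.of());
        }
        Set<UserImportConfig> configs = importKeys.stream()
                .map(key -> new UserImportConfig(key,
                        props.getValue(key + "importer"),
                        props.getValue(key + "identityType")))
                .collect(Collectors.toSet());
        return new UserImportConfigs(skipImport, configs);
    }

    /** One {@link ActiveValueClient} per entry of the {@code activeValue.} structured list. */
    private Set<ActiveValueClient> getActiveValueClients(SamlIdpProperties props) {
        return props.getStructuredListKeys("activeValue.").stream()
                .map(key -> new ActiveValueClient(key,
                        props.getValue(key + "client"),
                        props.getListOfValues(key + "singleValueAttributes."),
                        props.getListOfValues(key + "multiValueAttributes.")))
                .collect(Collectors.toSet());
    }

    /** Remote SP metadata sources, one per entry of the SP-metadata structured list. */
    private List<BaseSamlConfiguration.RemoteMetadataSource> getMetadataSources(SamlIdpProperties props) {
        return props.getStructuredListKeys(SamlIdpProperties.SPMETA_PREFIX).stream()
                .map(key -> BaseSamlConfiguration.RemoteMetadataSource.builder()
                        .withUrl(props.getValue(key + "url"))
                        .withHttpsTruststore(props.getValue(key + "httpsTruststore"))
                        .withIssuerCertificate(props.getValue(key + "signatureVerificationCertificate"))
                        .withRefreshInterval(Duration.ofSeconds(props.getIntValue(key + "refreshInterval")))
                        // property name is spelled "signaturVerification" in the existing configuration format
                        .withSignatureValidation(props.getEnumValue(key + "signaturVerification",
                                SAMLSPProperties.MetadataSignatureValidation.class))
                        .withTranslationProfile(generateMetadataTranslationProfile(props, key))
                        .build())
                .collect(Collectors.toList());
    }

    /**
     * Group mappings for the group chooser, keyed by the {@code mappingGroup} value with the
     * {@code serviceProvider} value as the entry's value.
     *
     * <p>NOTE(review): the key/value orientation is kept as found; confirm against what the
     * group chooser expects (a per-SP lookup would be keyed by service provider instead).
     * {@code Collectors.toMap} throws {@link IllegalStateException} on duplicate keys, so two
     * entries naming the same {@code mappingGroup} fail configuration loading.
     */
    private Map<String, String> getGroups(SamlIdpProperties props) {
        return props.getStructuredListKeys(SamlIdpProperties.GROUP_PFX).stream()
                .collect(Collectors.toMap(
                        key -> props.getValue(key + "mappingGroup"),
                        key -> props.getValue(key + "serviceProvider")));
    }

    /** Builds a single trusted SP from the properties under {@code spKey}. */
    private TrustedServiceProvider getTrustedSP(SamlIdpProperties props, String spKey) {
        return TrustedServiceProvider.builder()
                .withAllowedKey(spKey)
                .withDnSamlId(props.getValue(spKey + "dn"))
                .withEntityId(props.getValue(spKey + "entity"))
                .withEncrypt(props.getBooleanValue(spKey + "encryptAssertion"))
                .withReturnUrl(props.getValue(spKey + "returnURL"))
                .withReturnUrls(new HashSet<>(props.getListOfValues(spKey + "returnURLs.")))
                .withSoapLogoutUrl(props.getValue(spKey + "soapLogoutEndpoint"))
                .withRedirectLogoutUrl(props.getValue(spKey + "redirectLogoutEndpoint"))
                .withPostLogoutUrl(props.getValue(spKey + "postLogoutEndpoint"))
                .withRedirectLogoutRetUrl(props.getValue(spKey + "redirectLogoutResponseEndpoint"))
                .withPostLogoutRetUrl(props.getValue(spKey + "postLogoutResponseEndpoint"))
                .withName(getIdpName(props, spKey))
                .withLogoUri(getIdpLogoUrl(props, spKey))
                .withCertificate(getCertificate(spKey, props))
                .withCertificates(getCertificates(spKey, props))
                .withCertificateName(props.getValue(spKey + "certificate"))
                .withCertificateNames(new HashSet<>(props.getListOfValues(spKey + "certificates.")))
                .build();
    }

    /** Resolves every certificate named in the SP's {@code certificates.} list. */
    private Set<X509Certificate> getCertificates(String spKey, SamlIdpProperties props) {
        return props.getListOfValues(spKey + "certificates.").stream()
                .map(certName -> loadCertificate(spKey, certName))
                .collect(Collectors.toSet());
    }

    /**
     * Resolves the SP's single {@code certificate} property.
     *
     * @return the certificate, or {@code null} when the property is not set
     */
    private X509Certificate getCertificate(String spKey, SamlIdpProperties props) {
        String certName = props.getValue(spKey + "certificate");
        if (certName == null) {
            return null;
        }
        return loadCertificate(spKey, certName);
    }

    /** Looks a certificate up by name in the PKI store; {@code spKey} is only used for the error message. */
    private X509Certificate loadCertificate(String spKey, String certName) {
        try {
            return this.pkiMan.getCertificate(certName).value;
        } catch (EngineException e) {
            throw new InternalException("Can't retrieve SAML encryption certificate " + certName
                    + " for requester with config key " + spKey, e);
        }
    }

    /** Localized SP display name, or {@code null} when {@code name} is not set for the SP. */
    private I18nString getIdpName(SamlIdpProperties props, String spKey) {
        return localizedOrNull(props, spKey + "name");
    }

    /** Localized SP logo URI, or {@code null} when {@code logoURI} is not set for the SP. */
    private I18nString getIdpLogoUrl(SamlIdpProperties props, String spKey) {
        return localizedOrNull(props, spKey + "logoURI");
    }

    /** Shared lookup for optional localized properties. */
    private I18nString localizedOrNull(SamlIdpProperties props, String fullKey) {
        if (!props.isSet(fullKey)) {
            return null;
        }
        return props.getLocalizedString(this.msg, fullKey);
    }

    /** Translation profile for a remote metadata source entry. */
    private TranslationProfile generateMetadataTranslationProfile(SamlIdpProperties props, String key) {
        return generateTranslationProfile(props, key,
                SAMLSPProperties.IDPMETA_EMBEDDED_TRANSLATION_PROFILE,
                SAMLSPProperties.IDPMETA_TRANSLATION_PROFILE);
    }

    /** Translation profile for an individually configured IdP entry. Kept although not called within this class. */
    private TranslationProfile generateIndividualIdPTranslationProfile(SamlIdpProperties props, String key) {
        return generateTranslationProfile(props, key, "embeddedTranslationProfile", "translationProfile");
    }

    /**
     * Picks the translation profile in order of precedence: an embedded profile definition,
     * then a reference to a named profile, then the built-in {@code sys:saml} profile.
     */
    private TranslationProfile generateTranslationProfile(SamlIdpProperties props, String key,
            String embeddedProfileSuffix, String profileNameSuffix) {
        if (props.isSet(key + embeddedProfileSuffix)) {
            return TranslationProfileGenerator.getProfileFromString(props.getValue(key + embeddedProfileSuffix));
        }
        if (props.isSet(key + profileNameSuffix)) {
            return TranslationProfileGenerator.generateIncludeInputProfile(props.getValue(key + profileNameSuffix));
        }
        return TranslationProfileGenerator.generateIncludeInputProfile("sys:saml");
    }

    /**
     * Combines {@link IdentityTypeMapper#DEFAULTS} with the configured SAML-to-local identity
     * mappings. A mapping whose {@code localIdentity} is blank removes the (default) mapping for
     * that SAML identity; otherwise it adds or overrides it.
     *
     * @throws ConfigurationException if a mapping entry has no {@code localIdentity} at all
     *         (previously this surfaced as a {@link NullPointerException})
     */
    private Map<String, String> getEffectiveMappings(SamlIdpProperties props) {
        Map<String, String> effective = new HashMap<>(IdentityTypeMapper.DEFAULTS);
        for (String key : props.getStructuredListKeys(SamlProperties.IDENTITY_MAPPING_PFX)) {
            String localIdentity = props.getValue(key + "localIdentity");
            String samlIdentity = props.getValue(key + "samlIdentity");
            if (localIdentity == null) {
                throw new ConfigurationException("The SAML identity mapping " + key + " has no localIdentity defined");
            }
            if (localIdentity.trim().isEmpty()) {
                effective.remove(samlIdentity);
            } else {
                effective.put(samlIdentity, localIdentity);
            }
        }
        return effective;
    }
}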
