package pl.edu.icm.unity.saml.metadata.cfg;

import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.PKIManagement;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.saml.metadata.cfg.MetadataVerificator;
import pl.edu.icm.unity.saml.metadata.srv.RemoteMetadataService;
import pl.edu.icm.unity.saml.sp.config.BaseSamlConfiguration;
import pl.edu.icm.unity.saml.sp.config.SAMLSPConfiguration;
import pl.edu.icm.unity.saml.sp.config.TrustedIdPs;
import xmlbeans.org.oasis.saml2.metadata.EntitiesDescriptorDocument;

/* loaded from: input_file:pl/edu/icm/unity/saml/metadata/cfg/SPRemoteMetaManager.class */
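/**
 * Maintains the set of trusted SAML IdPs for an SP: the IdPs configured individually plus the ones
 * obtained from remote (federation) metadata sources.
 * <p>
 * Remote metadata is merged into the trusted set only after {@link MetadataVerificator#validate}
 * has accepted it (checked against the current time and the source's {@code signatureValidation}
 * setting), so a document that fails validation is logged and dropped and never reaches
 * {@link #getTrustedIdPs()}. Each source is also pinned to the federation id of the first document
 * it delivered; a later document carrying a different id is rejected.
 * <p>
 * Thread-safety: the public methods and {@link #assembleCombinedConfiguration} synchronize on this
 * instance; validation and parsing of incoming metadata run outside that lock.
 * {@link MetadataConsumer#federationId} is not guarded by it — NOTE(review): confirm the metadata
 * service never delivers concurrent updates for the same consumer.
 * <p>
 * This is a decompiled listing; the "loaded from" and "JADX INFO" markers come from the decompiler.
 */
public class SPRemoteMetaManager {
    private static final Logger log = Log.getLogger("unity.server.saml", SPRemoteMetaManager.class);
    private final PKIManagement pkiManagement;
    private final MetadataToSPConfigConverter converter;
    private final RemoteMetadataService metadataService;
    // Individually configured IdPs merged with every federation accepted so far;
    // null until setBaseConfiguration() has been called.
    private TrustedIdPs combinedTrustedIdPs;
    private SAMLSPConfiguration configuration;
    // Consumers currently registered with the metadata service, keyed by the id
    // returned from preregisterConsumer().
    private final Map<String, MetadataConsumer> registeredConsumers = new HashMap<>();
    private final MetadataVerificator verificator = new MetadataVerificator();

    /* loaded from: input_file:pl/edu/icm/unity/saml/metadata/cfg/SPRemoteMetaManager$Factory.class */
    /**
     * Spring-managed factory and the only way to obtain an {@code SPRemoteMetaManager}, since the
     * constructor is private.
     * <p>
     * NOTE(review): the injected {@link PKIManagement} is the bean qualified {@code "insecure"};
     * confirm this is the intended store for resolving metadata issuer certificates.
     */
    @Component
    public static class Factory {
        private final PKIManagement pkiManagement;
        private final MetadataToSPConfigConverter converter;
        private final RemoteMetadataService metadataService;

        Factory(@Qualifier("insecure") PKIManagement pKIManagement, MetadataToSPConfigConverter metadataToSPConfigConverter, RemoteMetadataService remoteMetadataService) {
            this.pkiManagement = pKIManagement;
            this.converter = metadataToSPConfigConverter;
            this.metadataService = remoteMetadataService;
        }

        /** Creates a fresh, not yet configured manager; call {@link #setBaseConfiguration} before use. */
        public SPRemoteMetaManager getInstance() {
            return new SPRemoteMetaManager(this.pkiManagement, this.converter, this.metadataService);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:pl/edu/icm/unity/saml/metadata/cfg/SPRemoteMetaManager$MetadataConsumer.class */
    /**
     * Receives metadata updates for one configured remote source and feeds them into the combined
     * configuration. The decompiler widened this class and its callback from {@code private} to
     * {@code public}; they are not meant as API.
     */
    public class MetadataConsumer {
        private final BaseSamlConfiguration.RemoteMetadataSource metadataConfig;
        // EntitiesDescriptor ID of the first accepted document from this source; null until then.
        private String federationId;

        public MetadataConsumer(BaseSamlConfiguration.RemoteMetadataSource remoteMetadataSource) {
            this.metadataConfig = remoteMetadataSource;
        }

        /**
         * Callback invoked by the metadata service with a freshly fetched document.
         *
         * @param entitiesDescriptorDocument the fetched metadata document
         * @param consumerId id under which this consumer is registered with the metadata service
         * @throws IllegalStateException if the document belongs to a different federation than the
         *         one previously accepted from this source
         */
        public void onUpdatedMetadata(EntitiesDescriptorDocument entitiesDescriptorDocument, String consumerId) {
            // Invalid metadata is logged by isMetadataValid and simply dropped here.
            if (!SPRemoteMetaManager.this.isMetadataValid(entitiesDescriptorDocument, this.metadataConfig)) {
                return;
            }
            TrustedIdPs federationIdPs = SPRemoteMetaManager.this.parseMetadata(entitiesDescriptorDocument, this.metadataConfig);
            // ID is an optional attribute of EntitiesDescriptor, so id may be null.
            String id = entitiesDescriptorDocument.getEntitiesDescriptor().getID();
            if (this.federationId == null) {
                this.federationId = id;
            } else if (!this.federationId.equals(id)) {
                throw new IllegalStateException("Consumer got metadata from different federation than before. Was " + this.federationId + " now it is " + id);
            }
            SPRemoteMetaManager.this.assembleCombinedConfiguration(federationIdPs, id, consumerId);
        }
    }

    private SPRemoteMetaManager(PKIManagement pKIManagement, MetadataToSPConfigConverter metadataToSPConfigConverter, RemoteMetadataService remoteMetadataService) {
        this.converter = metadataToSPConfigConverter;
        this.metadataService = remoteMetadataService;
        this.pkiManagement = pKIManagement;
    }

    /**
     * @return the individually configured IdPs combined with every accepted federation, or
     *         {@code null} if {@link #setBaseConfiguration} has not been called yet
     */
    public synchronized TrustedIdPs getTrustedIdPs() {
        return this.combinedTrustedIdPs;
    }

    /**
     * Installs a new base configuration. Remote consumers are torn down and re-registered only when
     * the trust-relevant parts (remote metadata sources or individually trusted IdPs) changed;
     * otherwise just the stored configuration is replaced.
     *
     * @param sAMLSPConfiguration the new SP configuration
     */
    public synchronized void setBaseConfiguration(SAMLSPConfiguration sAMLSPConfiguration) {
        if (this.configuration == null) {
            this.configuration = sAMLSPConfiguration;
            reinitialize(sAMLSPConfiguration);
            return;
        }
        boolean trustConfigChanged = !(this.configuration.trustedMetadataSourcesByUrl.equals(sAMLSPConfiguration.trustedMetadataSourcesByUrl)
                && this.configuration.individualTrustedIdPs.equals(sAMLSPConfiguration.individualTrustedIdPs));
        this.configuration = sAMLSPConfiguration;
        if (trustConfigChanged) {
            reinitialize(sAMLSPConfiguration);
        }
    }

    /** Resets the combined set to the individually configured IdPs and re-creates all remote consumers. */
    private void reinitialize(SAMLSPConfiguration sAMLSPConfiguration) {
        this.combinedTrustedIdPs = sAMLSPConfiguration.individualTrustedIdPs;
        unregisterAll();
        registerMetadataConsumers();
    }

    /** Registers one consumer per configured remote metadata source. Runs under the lock of setBaseConfiguration(). */
    private void registerMetadataConsumers() {
        log.trace("Registering remote metadata consumers");
        for (BaseSamlConfiguration.RemoteMetadataSource source : this.configuration.trustedMetadataSourcesByUrl.values()) {
            MetadataConsumer consumer = new MetadataConsumer(source);
            // Preregistering yields the id the service hands back on every update; store the consumer
            // under it before registering so the first callback already finds it.
            String consumerId = this.metadataService.preregisterConsumer(source.url);
            this.registeredConsumers.put(consumerId, consumer);
            this.metadataService.registerConsumer(consumerId, source.refreshInterval, source.httpsTruststore,
                    consumer::onUpdatedMetadata, true);
        }
    }

    /**
     * Unregisters every consumer from the metadata service and forgets it; a callback that still
     * arrives afterwards is ignored by {@link #assembleCombinedConfiguration}.
     */
    public synchronized void unregisterAll() {
        log.trace("Unregistering all remote metadata consumers");
        this.registeredConsumers.keySet().forEach(this.metadataService::unregisterConsumer);
        this.registeredConsumers.clear();
    }

    /**
     * Merges one federation's IdPs into the combined set. Updates from a consumer id that is no
     * longer registered (e.g. a late callback after {@link #unregisterAll}) are ignored.
     *
     * @param federationIdPs IdPs parsed from the federation's metadata
     * @param federationId   EntitiesDescriptor ID of that metadata (may be null)
     * @param consumerId     id of the consumer delivering the update
     */
    private synchronized void assembleCombinedConfiguration(TrustedIdPs federationIdPs, String federationId, String consumerId) {
        if (!this.registeredConsumers.containsKey(consumerId)) {
            return;
        }
        checkDuplicatedFederations(federationId, consumerId);
        // Individually configured IdPs are applied last; presumably they override federation entries.
        this.combinedTrustedIdPs = this.combinedTrustedIdPs
                .replaceFederation(federationIdPs, federationId)
                .overrideIdPs(this.configuration.individualTrustedIdPs);
    }

    /**
     * Logs an error when another registered consumer already delivered metadata for the same
     * federation id. A null federation id (EntitiesDescriptor without ID) cannot be matched and is
     * skipped instead of dereferenced.
     */
    private void checkDuplicatedFederations(String federationId, String consumerId) {
        if (federationId == null) {
            return;
        }
        this.registeredConsumers.forEach((otherId, otherConsumer) -> {
            if (!consumerId.equals(otherId) && federationId.equals(otherConsumer.federationId)) {
                log.error("The federation {} is configured with two metadata sources. This won't work, results will be unpredictible.", federationId);
            }
        });
    }

    /** Converts a validated metadata document into the trusted IdPs it describes. */
    private TrustedIdPs parseMetadata(EntitiesDescriptorDocument entitiesDescriptorDocument, BaseSamlConfiguration.RemoteMetadataSource source) {
        TrustedIdPs federationIdPs = this.converter.convertToTrustedIdPs(entitiesDescriptorDocument, source);
        log.trace("Converted metadata from {} to virtual configuration", source.url);
        return federationIdPs;
    }

    /**
     * Validates a fetched document with {@link MetadataVerificator#validate}, using the source's
     * configured issuer certificate (if any) and signature-validation mode.
     * <p>
     * The decompiled listing had the {@code validate} call outside the {@code try}, so a
     * {@code MetadataValidationException} escaped the catch meant for it; it is inside the
     * {@code try} here so that a failed validation is logged and reported as {@code false}.
     *
     * @return {@code true} if the document may be used; {@code false} if validation failed or the
     *         issuer certificate could not be resolved (both cases are logged)
     */
    private boolean isMetadataValid(EntitiesDescriptorDocument entitiesDescriptorDocument, BaseSamlConfiguration.RemoteMetadataSource source) {
        String issuerCertificateName = source.issuerCertificate;
        try {
            // No configured issuer certificate -> null; how that interacts with signatureValidation
            // is decided by the verificator.
            X509Certificate issuerCertificate = issuerCertificateName != null
                    ? this.pkiManagement.getCertificate(issuerCertificateName).value
                    : null;
            this.verificator.validate(entitiesDescriptorDocument, new Date(), source.signatureValidation, issuerCertificate);
            return true;
        } catch (MetadataVerificator.MetadataValidationException e) {
            log.error("Metadata from " + source.url + " is invalid, won't be used", e);
            return false;
        } catch (EngineException e2) {
            log.error("Problem establishing certificate for metadata validation " + issuerCertificateName, e2);
            return false;
        }
    }
}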
