package pl.edu.icm.unity.saml.metadata.cfg;

import eu.emi.security.authn.x509.impl.X500NameUtils;
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.logging.log4j.Logger;
import org.apache.xmlbeans.XmlCursor;
import org.apache.xmlbeans.XmlException;
import org.apache.xmlbeans.XmlObject;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import pl.edu.icm.unity.base.exceptions.EngineException;
import pl.edu.icm.unity.base.exceptions.InternalException;
import pl.edu.icm.unity.base.i18n.I18nString;
import pl.edu.icm.unity.base.message.MessageSource;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.PKIManagement;
import pl.edu.icm.unity.engine.api.pki.NamedCertificate;
import pl.edu.icm.unity.saml.idp.SAMLIdPConfiguration;
import pl.edu.icm.unity.saml.idp.SamlEntityId;
import pl.edu.icm.unity.saml.idp.TrustedServiceProvider;
import pl.edu.icm.unity.saml.idp.TrustedServiceProviders;
import xmlbeans.org.oasis.saml2.assertion.AttributeType;
import xmlbeans.org.oasis.saml2.metadata.EndpointType;
import xmlbeans.org.oasis.saml2.metadata.EntitiesDescriptorDocument;
import xmlbeans.org.oasis.saml2.metadata.EntitiesDescriptorType;
import xmlbeans.org.oasis.saml2.metadata.EntityDescriptorType;
import xmlbeans.org.oasis.saml2.metadata.ExtensionsType;
import xmlbeans.org.oasis.saml2.metadata.IndexedEndpointType;
import xmlbeans.org.oasis.saml2.metadata.KeyDescriptorType;
import xmlbeans.org.oasis.saml2.metadata.KeyTypes;
import xmlbeans.org.oasis.saml2.metadata.SSODescriptorType;
import xmlbeans.org.oasis.saml2.metadata.extattribute.EntityAttributesDocument;
import xmlbeans.org.oasis.saml2.metadata.extattribute.EntityAttributesType;
import xmlbeans.org.oasis.saml2.metadata.extui.UIInfoType;
import xmlbeans.org.w3.x2000.x09.xmldsig.X509DataType;

/* loaded from: input_file:pl/edu/icm/unity/saml/metadata/cfg/MetaToIDPConfigConverter.class */
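/**
 * Converts SAML SP entity descriptors (from an {@code EntitiesDescriptor} metadata document) into
 * {@link TrustedServiceProvider} entries for the IdP.
 * <p>
 * Signing certificates published in the metadata are installed into the shared {@link PKIManagement}
 * store under a name derived by {@link #getCertificateKey(X509Certificate, SamlEntityId, String)} so
 * that the generated SP entry can reference them by name. SPs that are already configured with an
 * explicit {@code allowedKey}, that do not support SAML 2.0, or that carry the REFEDS
 * hide-from-discovery entity category are not converted.
 * <p>
 * NOTE(review): nothing in this class verifies the signature or origin of the metadata document;
 * the trust decision for the document itself has to be made by the caller before it is passed here.
 */
public class MetaToIDPConfigConverter {
    private static final Logger log = Log.getLogger("unity.server.saml", MetaToIDPConfigConverter.class);

    /** Prefix of PKI-store names under which certificates taken from SP metadata are installed. */
    private static final String IDP_META_CERT = "_IDP_METADATA_CERT_";

    private static final String HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
    private static final String HTTP_REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";
    private static final String SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP";

    private static final String ENTITY_CATEGORY_ATTRIBUTE = "http://macedir.org/entity-category";
    private static final String HIDE_FROM_DISCOVERY_CATEGORY = "http://refeds.org/category/hide-from-discovery";
    private static final String MD_ATTRIBUTE_NAMESPACE = "urn:oasis:names:tc:SAML:metadata:attribute";
    private static final String ENTITY_ATTRIBUTES_ELEMENT = "EntityAttributes";

    private final PKIManagement pkiManagement;
    private final MessageSource msg;

    /**
     * @param pKIManagement store into which metadata certificates are installed and from which they are resolved
     * @param messageSource used to build localized SP display names
     */
    public MetaToIDPConfigConverter(PKIManagement pKIManagement, MessageSource messageSource) {
        this.pkiManagement = pKIManagement;
        this.msg = messageSource;
    }

    /**
     * Converts every SP descriptor found in the metadata into a trusted SP entry.
     * <p>
     * An SP is skipped (and only logged) when it is already configured with an allowed key, does not
     * support SAML 2.0, is hidden from discovery, has no usable HTTP-POST assertion consumer service,
     * or - under the {@code strict} acceptance policy - publishes no signing certificate. An SP whose
     * certificates could not be installed into the PKI store is skipped as well; this is required,
     * because the generated entry resolves its certificates by name from that store.
     *
     * @param entitiesDescriptorDocument parsed SAML metadata
     * @param sAMLIdPConfiguration current IdP configuration (acceptance policy and statically configured SPs)
     * @return converted SPs; never {@code null}, empty when nothing was convertible
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public Set<TrustedServiceProvider> convertToTrustedSps(EntitiesDescriptorDocument entitiesDescriptorDocument, SAMLIdPConfiguration sAMLIdPConfiguration) {
        EntitiesDescriptorType entitiesDescriptor = entitiesDescriptorDocument.getEntitiesDescriptor();
        Set<TrustedServiceProvider> result = new HashSet<>();
        for (EntityDescriptorType entity : entitiesDescriptor.getEntityDescriptorArray()) {
            SSODescriptorType[] spDescriptors = entity.getSPSSODescriptorArray();
            if (spDescriptors == null || spDescriptors.length == 0) {
                continue;
            }
            SamlEntityId entityId = new SamlEntityId(entity.getEntityID(), null);
            for (SSODescriptorType spDescriptor : spDescriptors) {
                convertSpDescriptor(entity, spDescriptor, entityId, sAMLIdPConfiguration).ifPresent(result::add);
            }
        }
        return result;
    }

    /**
     * Converts a single SP descriptor, applying all skip rules described on {@link #convertToTrustedSps}.
     *
     * @return the converted SP, or empty when the descriptor is to be ignored
     */
    private Optional<TrustedServiceProvider> convertSpDescriptor(EntityDescriptorType entity, SSODescriptorType spDescriptor,
            SamlEntityId entityId, SAMLIdPConfiguration configuration) {
        TrustedServiceProviders configuredSps = configuration.trustedServiceProviders;
        TrustedServiceProvider configured = configuredSps.getSPConfig(entityId);
        if (configured != null && configured.allowedKey != null) {
            log.trace("SP of entity " + entityId + " is configured in property, so cannot be overwrite.");
            return Optional.empty();
        }
        if (!MetaToConfigConverterHelper.supportsSaml2(spDescriptor)) {
            log.trace("SP of entity " + entityId + " doesn't support SAML2 - ignoring.");
            return Optional.empty();
        }
        if (isDisabled(parseMDAttributes(entity.getExtensions(), entityId))) {
            log.trace("SP of entity " + entityId + " is hidden from discovery - ignoring.");
            return Optional.empty();
        }

        List<X509Certificate> signingCerts = getSigningCerts(spDescriptor.getKeyDescriptorArray(), entityId);
        if (signingCerts.isEmpty()) {
            if (configuration.spAcceptPolicy == SAMLIdPConfiguration.RequestAcceptancePolicy.strict) {
                // Under the strict trust model an SP without a signing certificate must not be admitted;
                // the skip is performed here (the log message alone is not enough).
                log.info("No signing certificate found for SP, skipping it as the 'strict' trust model is used: " + entityId);
                return Optional.empty();
            }
        } else {
            try {
                updatePKICerts(signingCerts, entityId, IDP_META_CERT);
            } catch (EngineException e) {
                // The generated entry resolves certificates by name from the PKI store; without the
                // install, building it would fail later in getCertificate(), so skip this SP now.
                log.error("Adding remote SPs certs to local certs store failed, skipping IdP: " + entityId, e);
                return Optional.empty();
            }
        }

        IndexedEndpointType[] assertionConsumers = spDescriptor.getAssertionConsumerServiceArray();
        Map<Integer, String> returnUrls = getEndpointURLs(assertionConsumers, HTTP_POST_BINDING);
        String defaultReturnUrl = getDefaultEndpoint(assertionConsumers, HTTP_POST_BINDING);
        if (defaultReturnUrl == null || returnUrls.isEmpty()) {
            log.trace("SP of entity " + entityId + " has no usable HTTP-POST assertion consumer service - ignoring.");
            return Optional.empty();
        }

        EndpointType[] logoutEndpoints = spDescriptor.getSingleLogoutServiceArray();
        EndpointType redirectLogout = selectEndpointByBinding(logoutEndpoints, HTTP_REDIRECT_BINDING);
        EndpointType postLogout = selectEndpointByBinding(logoutEndpoints, HTTP_POST_BINDING);
        EndpointType soapLogout = selectEndpointByBinding(logoutEndpoints, SOAP_BINDING);

        UIInfoType uiInfo = MetaToConfigConverterHelper.parseMDUIInfo(spDescriptor.getExtensions(), entityId.id);
        I18nString names = MetaToConfigConverterHelper.getLocalizedNamesAsI18nString(this.msg, uiInfo, spDescriptor, entity);
        I18nString logos = MetaToConfigConverterHelper.getLocalizedLogosAsI18nString(uiInfo);

        return Optional.of(generateOverriddenSP(entityId, defaultReturnUrl, returnUrls, soapLogout, postLogout,
                redirectLogout, configuredSps, signingCerts, names, logos));
    }

    /**
     * Tells whether the entity carries the REFEDS hide-from-discovery entity category.
     *
     * @param entityAttributes parsed {@code EntityAttributes} extension, may be {@code null}
     * @return {@code true} when the category is present
     */
    private boolean isDisabled(EntityAttributesType entityAttributes) {
        if (entityAttributes == null) {
            return false;
        }
        for (AttributeType attribute : entityAttributes.getAttributeArray()) {
            if (!ENTITY_CATEGORY_ATTRIBUTE.equals(attribute.getName())) {
                continue;
            }
            for (XmlObject value : attribute.getAttributeValueArray()) {
                if (HIDE_FROM_DISCOVERY_CATEGORY.equals(textOf(value))) {
                    return true;
                }
            }
        }
        return false;
    }

    /** Reads the text content of an XML value, always releasing the cursor. */
    private static String textOf(XmlObject value) {
        XmlCursor cursor = value.newCursor();
        try {
            return cursor.getTextValue();
        } finally {
            cursor.dispose();
        }
    }

    /**
     * Finds and parses the {@code mdattr:EntityAttributes} element among the entity's extensions.
     *
     * @param extensions entity extensions, may be {@code null}
     * @param entityId used only for log messages
     * @return parsed attributes, or {@code null} when absent or unparsable (a warning is logged)
     */
    private EntityAttributesType parseMDAttributes(ExtensionsType extensions, SamlEntityId entityId) {
        if (extensions == null) {
            return null;
        }
        NodeList children = extensions.getDomNode().getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            Node child = children.item(i);
            if (child.getNodeType() != Node.ELEMENT_NODE) {
                continue;
            }
            Element element = (Element) child;
            if (ENTITY_ATTRIBUTES_ELEMENT.equals(element.getLocalName())
                    && MD_ATTRIBUTE_NAMESPACE.equals(element.getNamespaceURI())) {
                try {
                    return EntityAttributesDocument.Factory.parse(element).getEntityAttributes();
                } catch (XmlException e) {
                    log.warn("Can not parse entity attributes metadata extension for " + entityId, e);
                }
            }
        }
        return null;
    }

    /**
     * Installs the given certificates into the PKI store, or updates the stored one when it differs.
     * The store is used as the lock so that concurrent converters do not race on the same names.
     *
     * @param certs certificates taken from metadata
     * @param entityId owner SP, part of the derived store name
     * @param keyPrefix prefix of the derived store name
     * @throws EngineException when the store cannot be read or updated
     */
    private void updatePKICerts(List<X509Certificate> certs, SamlEntityId entityId, String keyPrefix) throws EngineException {
        synchronized (this.pkiManagement) {
            for (X509Certificate cert : certs) {
                String certificateKey = getCertificateKey(cert, entityId, keyPrefix);
                X509Certificate installed;
                try {
                    installed = this.pkiManagement.getCertificate(certificateKey).value;
                } catch (IllegalArgumentException e) {
                    // NOTE(review): relies on getCertificate() signalling "no such name" with
                    // IllegalArgumentException - confirm against PKIManagement. The catch is kept
                    // narrow so that a failure of updateCertificate() below is not mistaken for it.
                    this.pkiManagement.addVolatileCertificate(certificateKey, cert);
                    log.debug("Installed a new certificate for SAML entity {}, DN: {}, serial: {}", entityId,
                            cert.getSubjectX500Principal().getName(), cert.getSerialNumber());
                    continue;
                }
                if (!installed.equals(cert)) {
                    this.pkiManagement.updateCertificate(new NamedCertificate(certificateKey, cert));
                    log.debug("Updated already installed certificate of SAML entity {}, DN: {}, serial: {}", entityId,
                            cert.getSubjectX500Principal().getName(), cert.getSerialNumber());
                }
            }
        }
    }

    /**
     * Extracts signing certificates from the SP's key descriptors. Descriptors with no {@code use}
     * are treated as signing keys; encryption-only descriptors are skipped. Only the first
     * {@code X509Certificate} of each {@code X509Data} is taken, as in the original implementation
     * (further entries, if any, are not added to the trusted set).
     *
     * @param keyDescriptors key descriptors of the SP, may be {@code null}
     * @param entityId used only for log messages
     * @return parsed certificates; unparsable ones are logged and left out
     */
    private List<X509Certificate> getSigningCerts(KeyDescriptorType[] keyDescriptors, SamlEntityId entityId) {
        List<X509Certificate> certs = new ArrayList<>();
        if (keyDescriptors == null) {
            return certs;
        }
        CertificateFactory factory;
        try {
            factory = CertificateFactory.getInstance("X.509");
        } catch (CertificateException e) {
            log.error("X.509 certificate factory is not available, ignoring all certificates of " + entityId, e);
            return certs;
        }
        for (KeyDescriptorType keyDescriptor : keyDescriptors) {
            if (keyDescriptor.isSetUse() && !KeyTypes.SIGNING.equals(keyDescriptor.getUse())) {
                continue;
            }
            X509DataType[] x509Data = keyDescriptor.getKeyInfo() == null
                    ? null : keyDescriptor.getKeyInfo().getX509DataArray();
            if (x509Data == null || x509Data.length == 0) {
                log.info("Key in SAML metadata is ignored as it doesn't contain X.509 certificate. Entity " + entityId);
                continue;
            }
            for (X509DataType data : x509Data) {
                byte[][] encoded = data.getX509CertificateArray();
                if (encoded == null || encoded.length == 0) {
                    // X509Data may hold only a subject name or issuer/serial; nothing to install then.
                    log.info("X509Data in SAML metadata is ignored as it doesn't contain X509Certificate. Entity " + entityId);
                    continue;
                }
                try {
                    certs.add((X509Certificate) factory.generateCertificate(new ByteArrayInputStream(encoded[0])));
                } catch (CertificateException e) {
                    log.warn("Can not load/parse a certificate from metadata of " + entityId + ", ignoring it", e);
                }
            }
        }
        return certs;
    }

    /**
     * Builds the trusted SP entry. When the SP is already statically configured (without an allowed
     * key, otherwise it would not reach this point) the configured entry is returned unchanged;
     * otherwise a new entry is assembled from the metadata values.
     *
     * @param entityId SP entity id
     * @param defaultReturnUrl location of the default HTTP-POST assertion consumer service
     * @param returnUrls all HTTP-POST assertion consumer locations keyed by index
     * @param soapLogout SOAP single logout endpoint, may be {@code null}
     * @param postLogout HTTP-POST single logout endpoint, may be {@code null}
     * @param redirectLogout HTTP-Redirect single logout endpoint, may be {@code null}
     * @param configuredSps statically configured SPs
     * @param certs signing certificates already installed in the PKI store
     * @param name localized display names
     * @param logoUri localized logo URIs
     */
    private TrustedServiceProvider generateOverriddenSP(SamlEntityId entityId, String defaultReturnUrl, Map<Integer, String> returnUrls,
            EndpointType soapLogout, EndpointType postLogout, EndpointType redirectLogout, TrustedServiceProviders configuredSps,
            List<X509Certificate> certs, I18nString name, I18nString logoUri) {
        TrustedServiceProvider configured = configuredSps.getSPConfig(entityId);
        if (configured != null) {
            return configured.copyToBuilder().build();
        }
        TrustedServiceProvider.TrustedServiceProviderConfigurationBuilder builder = TrustedServiceProvider.builder();
        builder.withEntityId(entityId.id);
        builder.withReturnUrl(defaultReturnUrl);
        // Indexed form "[index]location" is the format the SP configuration expects for return URLs.
        Set<String> indexedReturnUrls = returnUrls.entrySet().stream()
                .map(entry -> "[" + entry.getKey() + "]" + entry.getValue())
                .collect(Collectors.toSet());
        builder.withReturnUrls(indexedReturnUrls);
        if (soapLogout != null) {
            builder.withSoapLogoutUrl(soapLogout.getLocation());
        }
        if (postLogout != null) {
            builder.withPostLogoutUrl(postLogout.getLocation());
            if (postLogout.getResponseLocation() != null) {
                builder.withPostLogoutRetUrl(postLogout.getResponseLocation());
            }
        }
        if (redirectLogout != null) {
            builder.withRedirectLogoutUrl(redirectLogout.getLocation());
            if (redirectLogout.getResponseLocation() != null) {
                builder.withRedirectLogoutRetUrl(redirectLogout.getResponseLocation());
            }
        }
        // Certificates are referenced by their PKI-store names and re-read from the store, so the
        // entry always reflects what was actually installed by updatePKICerts().
        Set<String> certificateNames = certs.stream()
                .map(cert -> getCertificateKey(cert, entityId, IDP_META_CERT))
                .collect(Collectors.toSet());
        builder.withCertificateNames(certificateNames);
        Set<X509Certificate> installedCerts = certificateNames.stream()
                .map(this::getCertificate)
                .collect(Collectors.toSet());
        builder.withCertificates(installedCerts);
        builder.withName(name);
        builder.withLogoUri(logoUri);
        return builder.build();
    }

    /**
     * Resolves a certificate from the PKI store by name.
     *
     * @throws InternalException when the store lookup fails
     */
    private X509Certificate getCertificate(String certificateName) {
        try {
            return this.pkiManagement.getCertificate(certificateName).value;
        } catch (EngineException e) {
            throw new InternalException("Can't retrieve SAML credential", e);
        }
    }

    /**
     * Derives the PKI-store name for a metadata certificate:
     * {@code prefix + md5(entityId) + "#" + md5(comparable subject DN) + "#" + serial}.
     * <p>
     * The digests serve only to build a stable, store-safe identifier - not as a security
     * control; the certificate itself is compared by value in {@link #updatePKICerts}. The format
     * must stay unchanged, as previously installed certificates are looked up by these names.
     *
     * @param x509Certificate certificate to name
     * @param samlEntityId owner SP
     * @param str name prefix
     * @return the store name
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static String getCertificateKey(X509Certificate x509Certificate, SamlEntityId samlEntityId, String str) {
        String comparableForm = X500NameUtils.getComparableForm(x509Certificate.getSubjectX500Principal().getName());
        return str + DigestUtils.md5Hex(samlEntityId.id) + "#" + DigestUtils.md5Hex(comparableForm) + "#" + x509Certificate.getSerialNumber().toString();
    }

    /**
     * Returns the first endpoint with the given binding and a non-null location.
     *
     * @return matching endpoint, or {@code null} when there is none
     */
    private EndpointType selectEndpointByBinding(EndpointType[] endpoints, String binding) {
        for (EndpointType endpoint : endpoints) {
            if (endpoint.getBinding() != null && endpoint.getLocation() != null && binding.equals(endpoint.getBinding())) {
                return endpoint;
            }
        }
        return null;
    }

    /**
     * Returns the location of the endpoint marked {@code isDefault} for the binding, falling back
     * to the first endpoint with that binding.
     *
     * @return the location, or {@code null} when no endpoint with the binding exists
     */
    private String getDefaultEndpoint(IndexedEndpointType[] endpoints, String binding) {
        Optional<IndexedEndpointType> markedDefault = Arrays.stream(endpoints)
                .filter(endpoint -> binding.equals(endpoint.getBinding()))
                .filter(IndexedEndpointType::getIsDefault)
                .findFirst();
        EndpointType chosen = markedDefault.isPresent()
                ? markedDefault.get()
                : selectEndpointByBinding(endpoints, binding);
        return chosen == null ? null : chosen.getLocation();
    }

    /**
     * Collects the locations of all endpoints with the given binding, keyed by their index.
     * Endpoints without a location are left out (a null value would make the collector throw),
     * and on a duplicate index the first endpoint wins instead of aborting the whole conversion.
     */
    private Map<Integer, String> getEndpointURLs(IndexedEndpointType[] endpoints, String binding) {
        return Arrays.stream(endpoints)
                .filter(endpoint -> binding.equals(endpoint.getBinding()))
                .filter(endpoint -> endpoint.getLocation() != null)
                .collect(Collectors.toMap(
                        endpoint -> Integer.valueOf(endpoint.getIndex()),
                        IndexedEndpointType::getLocation,
                        (first, duplicate) -> {
                            log.warn("Duplicate endpoint index in SAML metadata for binding " + binding
                                    + ", keeping " + first + " and ignoring " + duplicate);
                            return first;
                        }));
    }
}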
