package org.cloudfoundry.identity.uaa.zone;

import java.security.GeneralSecurityException;
import java.util.Map;
import java.util.Objects;

import org.cloudfoundry.identity.uaa.util.KeyWithCert;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneConfigurationValidator;
import org.springframework.util.StringUtils;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-3.3.0.2.jar:org/cloudfoundry/identity/uaa/zone/GeneralIdentityZoneConfigurationValidator.class */
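/**
 * Validates an {@link IdentityZoneConfiguration} before it is created or modified.
 *
 * <p>Two things are checked in write modes ({@code CREATE} / {@code MODIFY}):
 * <ul>
 *   <li>the zone's SAML SP private key / certificate pair, when both are supplied,
 *       must be loadable by {@link KeyWithCert};</li>
 *   <li>the token policy's {@code activeKeyId}, when set, must refer to a key that
 *       is actually present in the policy's key map, so the zone never points at a
 *       signing key it does not have.</li>
 * </ul>
 * Any other mode is passed through untouched.
 */
public class GeneralIdentityZoneConfigurationValidator implements IdentityZoneConfigurationValidator {

    /**
     * Validates the configuration for the given mode and returns it unchanged.
     *
     * @param identityZoneConfiguration the configuration under validation; must be
     *                                  non-null in {@code CREATE} / {@code MODIFY}
     *                                  mode (a null value throws
     *                                  {@link NullPointerException}, as before, but
     *                                  now with a message)
     * @param mode the operation being validated for
     * @return the same {@code identityZoneConfiguration} instance
     * @throws InvalidIdentityZoneConfigurationException if the SAML key material
     *         cannot be loaded, or if {@code activeKeyId} is set but either no keys
     *         are configured or the id is not among them
     */
    @Override
    public IdentityZoneConfiguration validate(IdentityZoneConfiguration identityZoneConfiguration,
                                              IdentityZoneConfigurationValidator.Mode mode)
            throws InvalidIdentityZoneConfigurationException {
        boolean writeMode = mode == IdentityZoneConfigurationValidator.Mode.CREATE
                || mode == IdentityZoneConfigurationValidator.Mode.MODIFY;
        if (writeMode) {
            Objects.requireNonNull(identityZoneConfiguration,
                    "identityZoneConfiguration must not be null in mode " + mode);
            try {
                validateSamlConfig(identityZoneConfiguration.getSamlConfig());
            } catch (GeneralSecurityException e) {
                // Only GeneralSecurityException is translated; any other failure from
                // KeyWithCert (e.g. an unchecked parse error) propagates as-is.
                throw new InvalidIdentityZoneConfigurationException(
                        "There is a security problem with the SAML SP configuration.", e);
            }
            validateTokenPolicy(identityZoneConfiguration.getTokenPolicy());
        }
        return identityZoneConfiguration;
    }

    /**
     * Checks that the SAML SP key material, when fully supplied, can be loaded.
     *
     * <p>{@link KeyWithCert} is constructed purely for its validation side effect.
     * NOTE(review): the pair is only exercised when BOTH private key and certificate
     * are present; a configuration carrying just one of them passes through unchecked
     * — confirm this is intended (e.g. fallback to zone-default keys) and not a gap.
     *
     * @param samlConfig may be null, in which case nothing is checked
     * @throws GeneralSecurityException if {@link KeyWithCert} rejects the material
     */
    private void validateSamlConfig(SamlConfig samlConfig) throws GeneralSecurityException {
        if (samlConfig == null) {
            return;
        }
        String spCertificate = samlConfig.getCertificate();
        String spPrivateKey = samlConfig.getPrivateKey();
        String spKeyPassphrase = samlConfig.getPrivateKeyPassword();
        if (spPrivateKey != null && spCertificate != null) {
            new KeyWithCert(spPrivateKey, spKeyPassphrase, spCertificate);
        }
    }

    /**
     * Checks that a configured {@code activeKeyId} resolves to a key in the policy.
     *
     * <p>Only key <em>presence</em> is verified here; the key value itself is not
     * inspected (a blank value under a present id would still pass this check).
     *
     * @param tokenPolicy may be null, in which case nothing is checked
     * @throws InvalidIdentityZoneConfigurationException if {@code activeKeyId} has
     *         text but the key map is null/empty or does not contain that id
     */
    private void validateTokenPolicy(TokenPolicy tokenPolicy)
            throws InvalidIdentityZoneConfigurationException {
        if (tokenPolicy == null) {
            return;
        }
        String activeKeyId = tokenPolicy.getActiveKeyId();
        // Blank / whitespace-only ids count as "not set" and are not validated.
        if (!StringUtils.hasText(activeKeyId)) {
            return;
        }
        Map<String, String> configuredKeys = tokenPolicy.getKeys();
        if (configuredKeys == null || configuredKeys.isEmpty()) {
            throw new InvalidIdentityZoneConfigurationException(
                    "Identity zone cannot specify an active key ID with no keys configured for the zone.", null);
        }
        if (!configuredKeys.containsKey(activeKeyId)) {
            throw new InvalidIdentityZoneConfigurationException(
                    "The specified active key ID is not present in the configured keys: " + activeKeyId, null);
        }
    }
}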
