package org.cloudfoundry.identity.uaa.provider.saml.idp;

import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import org.cloudfoundry.identity.uaa.provider.saml.ConfigMetadataProvider;
import org.cloudfoundry.identity.uaa.provider.saml.FixedHttpMetaDataProvider;
import org.cloudfoundry.identity.uaa.zone.IdentityZone;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.NameIDType;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.parse.BasicParserPool;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;
import org.springframework.util.StringUtils;
import org.springframework.web.client.RestClientException;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.27.0.jar:org/cloudfoundry/identity/uaa/provider/saml/idp/SamlServiceProviderConfigurator.class */
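/**
 * Turns persisted {@link SamlServiceProvider} definitions into Spring-SAML
 * {@link ExtendedMetadataDelegate}s and validates new definitions before they are stored.
 *
 * <p>Metadata is either inline XML ({@code DATA}) or fetched from a URL ({@code URL}); both end up
 * wrapped in a {@link ConfigMetadataProvider}. Validation enforces that the definition belongs to
 * the caller's zone, that the entity id in the metadata matches the configured one, and that the SP
 * accepts at least one NameID format this IdP can issue.
 *
 * <p>Thread-safety: only the zone-aware {@code validateSamlServiceProvider} is synchronized; the
 * setters are plain assignments and are presumably wired once at startup (confirm with the bean
 * configuration).
 */
public class SamlServiceProviderConfigurator {
    private static final Logger LOG = LoggerFactory.getLogger(SamlServiceProviderConfigurator.class);

    /** Fetches remote metadata for {@code URL}-type definitions; see {@link #configureURLMetadata}. */
    private FixedHttpMetaDataProvider fixedHttpMetaDataProvider;
    /** Parser pool handed to every {@link ConfigMetadataProvider} built here. */
    private BasicParserPool parserPool;
    /** Source of the active service providers of a zone. */
    private SamlServiceProviderProvisioning providerProvisioning;
    /**
     * NameID formats this IdP can issue. SP metadata that lists NameID formats but none of
     * these is rejected during validation.
     */
    private Set<String> supportedNameIDs = new HashSet<>(Arrays.asList(
            "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
            NameIDType.PERSISTENT,
            "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"));

    /**
     * Returns the configured service providers of the current zone.
     *
     * @return unmodifiable list of holders for the active SPs of {@link IdentityZoneHolder#get()}
     */
    public List<SamlServiceProviderHolder> getSamlServiceProviders() {
        return getSamlServiceProvidersForZone(IdentityZoneHolder.get());
    }

    /**
     * Builds a metadata delegate for every active service provider of the given zone.
     *
     * <p>A provider whose metadata cannot be configured is logged and skipped rather than
     * failing the whole list, so one broken SP does not take down the others.
     *
     * @param identityZone zone whose active SPs are loaded
     * @return unmodifiable list of holders, in the order returned by the provisioning layer
     */
    public List<SamlServiceProviderHolder> getSamlServiceProvidersForZone(IdentityZone identityZone) {
        List<SamlServiceProviderHolder> holders = new ArrayList<>();
        for (SamlServiceProvider provider : providerProvisioning.retrieveActive(identityZone.getId())) {
            try {
                holders.add(new SamlServiceProviderHolder(getExtendedMetadataDelegate(provider), provider));
            } catch (MetadataProviderException e) {
                // Best effort per SP: keep the zone usable even if one definition is broken.
                LOG.error("Unable to configure SAML SP Metadata for ServiceProvider:{}", provider.getEntityId(), e);
            }
        }
        return Collections.unmodifiableList(holders);
    }

    /**
     * Validates a service provider against the current zone.
     *
     * @param samlServiceProvider definition to validate
     * @throws MetadataProviderException if the metadata cannot be built or contradicts the definition
     * @see #validateSamlServiceProvider(SamlServiceProvider, IdentityZone)
     */
    public void validateSamlServiceProvider(SamlServiceProvider samlServiceProvider) throws MetadataProviderException {
        validateSamlServiceProvider(samlServiceProvider, IdentityZoneHolder.get());
    }

    /**
     * Validates a service provider definition for the given zone.
     *
     * <p>Checks, in order: the definition is non-null, carries a zone id, and that id equals the
     * caller's zone (a definition must not be able to register itself into another zone); the
     * metadata parses and its entity id matches the configured entity id (when the definition has
     * no entity id yet, it is filled in from the metadata, i.e. the argument is mutated); and the
     * SP's NameIDFormats, if any are listed, include at least one of {@link #supportedNameIDs}.
     *
     * @param samlServiceProvider definition to validate; its entity id may be set by this call
     * @param identityZone zone the definition must belong to
     * @throws NullPointerException if the definition or its zone id is missing
     * @throws IllegalArgumentException if the definition's zone id is not {@code identityZone}
     * @throws MetadataProviderException if the metadata cannot be built, its entity id differs
     *         from the configured one, or no NameID format is supported
     */
    synchronized void validateSamlServiceProvider(SamlServiceProvider samlServiceProvider, IdentityZone identityZone)
            throws MetadataProviderException {
        Objects.requireNonNull(samlServiceProvider, "samlServiceProvider");
        if (!StringUtils.hasText(samlServiceProvider.getIdentityZoneId())) {
            throw new NullPointerException("You must set the SAML SP Identity Zone Id.");
        }
        if (!identityZone.getId().equals(samlServiceProvider.getIdentityZoneId())) {
            throw new IllegalArgumentException("The SAML SP Identity Zone Id does not match the curent zone.");
        }
        ExtendedMetadataDelegate delegate = getExtendedMetadataDelegate(samlServiceProvider);
        String metadataEntityId = ((ConfigMetadataProvider) delegate.getDelegate()).getEntityID();
        if (samlServiceProvider.getEntityId() == null) {
            samlServiceProvider.setEntityId(metadataEntityId);
        } else if (!metadataEntityId.equals(samlServiceProvider.getEntityId())) {
            // Binding one SP's metadata under another entity id must be rejected.
            throw new MetadataProviderException("Metadata entity id does not match SAML SP entity id: " + samlServiceProvider.getEntityId());
        }
        delegate.initialize();
        SPSSODescriptor spDescriptor = delegate.getEntityDescriptor(metadataEntityId).getSPSSODescriptor(SAMLConstants.SAML20P_NS);
        // Absent or empty NameIDFormat list means "no restriction" and is accepted.
        if (spDescriptor != null
                && spDescriptor.getNameIDFormats() != null
                && !spDescriptor.getNameIDFormats().isEmpty()
                && spDescriptor.getNameIDFormats().stream()
                        .noneMatch(nameIdFormat -> supportedNameIDs.contains(nameIdFormat.getFormat()))) {
            throw new MetadataProviderException("UAA does not support any of the NameIDFormats specified in the metadata for entity: " + samlServiceProvider.getEntityId());
        }
        // Result intentionally discarded; presumably exercises loading of the zone's SPs — confirm
        // whether this side effect is still needed.
        getSamlServiceProvidersForZone(identityZone);
    }

    /**
     * Builds the metadata delegate for a definition, dispatching on its metadata type.
     *
     * @param samlServiceProvider definition whose config selects {@code DATA} or {@code URL}
     * @return delegate wrapping a {@link ConfigMetadataProvider}
     * @throws MetadataProviderException for an unknown type, or from the URL fetch
     */
    public ExtendedMetadataDelegate getExtendedMetadataDelegate(SamlServiceProvider samlServiceProvider) throws MetadataProviderException {
        switch (samlServiceProvider.getConfig().getType()) {
            case DATA:
                return configureXMLMetadata(samlServiceProvider);
            case URL:
                return configureURLMetadata(samlServiceProvider);
            default:
                throw new MetadataProviderException("Invalid metadata type for alias[" + samlServiceProvider.getEntityId() + "]:" + samlServiceProvider.getConfig().getMetaDataLocation());
        }
    }

    /**
     * Builds a delegate from the inline XML metadata stored in the definition's own config.
     *
     * @param samlServiceProvider definition whose {@code getConfig().getMetaDataLocation()} holds the XML
     * @return delegate over a {@link ConfigMetadataProvider} for that XML
     */
    protected ExtendedMetadataDelegate configureXMLMetadata(SamlServiceProvider samlServiceProvider) {
        return buildXmlMetadataDelegate(samlServiceProvider, samlServiceProvider.getConfig());
    }

    /**
     * Builds a delegate from the XML held in {@code definition}, using the provider only for its
     * zone and entity id.
     *
     * @param samlServiceProvider supplies zone id and entity id (used as the alias)
     * @param definition supplies the metadata XML and the trust-check flag
     * @return configured, not yet initialized delegate
     */
    private ExtendedMetadataDelegate buildXmlMetadataDelegate(SamlServiceProvider samlServiceProvider,
                                                              SamlServiceProviderDefinition definition) {
        ConfigMetadataProvider metadataProvider = new ConfigMetadataProvider(
                samlServiceProvider.getIdentityZoneId(),
                samlServiceProvider.getEntityId(),
                definition.getMetaDataLocation());
        metadataProvider.setParserPool(getParserPool());
        ExtendedMetadata extendedMetadata = new ExtendedMetadata();
        extendedMetadata.setLocal(false);
        extendedMetadata.setAlias(samlServiceProvider.getEntityId());
        ExtendedMetadataDelegate delegate = new ExtendedMetadataDelegate(metadataProvider, extendedMetadata);
        // Trust check controls whether the metadata's signature is verified by Spring-SAML;
        // with it off, unsigned or altered metadata is accepted, so it is a per-SP security setting.
        delegate.setMetadataTrustCheck(definition.isMetadataTrustCheck());
        return delegate;
    }

    /**
     * Fetches the metadata document from the URL in the definition and builds a delegate from it.
     *
     * <p>Works on a copy of the definition so the stored config keeps the URL. The fetched
     * document is what is parsed: the previous version handed the unmodified provider (still
     * holding the URL string as its location) to {@link #configureXMLMetadata} and dropped
     * the downloaded bytes.
     *
     * @param samlServiceProvider definition whose config location is a metadata URL
     * @return delegate over the downloaded metadata
     * @throws MetadataProviderException if the URL is malformed or the document cannot be fetched
     */
    protected ExtendedMetadataDelegate configureURLMetadata(SamlServiceProvider samlServiceProvider) throws MetadataProviderException {
        // clone() appears as the decompiler-mangled m4095clone() in the shipped bytecode.
        SamlServiceProviderDefinition definition = samlServiceProvider.getConfig().clone();
        try {
            // skipSslValidation turns off certificate verification for this fetch, so the
            // document is then only as trustworthy as the network path; keep it off outside tests.
            byte[] metadata = fixedHttpMetaDataProvider.fetchMetadata(
                    definition.getMetaDataLocation(), definition.isSkipSslValidation());
            definition.setMetaDataLocation(new String(metadata, StandardCharsets.UTF_8));
            return buildXmlMetadataDelegate(samlServiceProvider, definition);
        } catch (URISyntaxException e) {
            // Location is still the URL here: the fetch failed before it was replaced.
            throw new MetadataProviderException("Invalid metadata URI: " + definition.getMetaDataLocation(), e);
        } catch (RestClientException e) {
            throw new MetadataProviderException("Unavailable Metadata Provider", e);
        }
    }

    /** @return the provisioning layer used to load active SPs */
    public SamlServiceProviderProvisioning getProviderProvisioning() {
        return providerProvisioning;
    }

    /** @param samlServiceProviderProvisioning provisioning layer used to load active SPs */
    public void setProviderProvisioning(SamlServiceProviderProvisioning samlServiceProviderProvisioning) {
        this.providerProvisioning = samlServiceProviderProvisioning;
    }

    /** @return parser pool used for every metadata provider built here */
    public BasicParserPool getParserPool() {
        return parserPool;
    }

    /** @param basicParserPool parser pool used for every metadata provider built here */
    public void setParserPool(BasicParserPool basicParserPool) {
        this.parserPool = basicParserPool;
    }

    /**
     * Replaces the set of NameID formats this IdP supports. The set is stored as given, not
     * copied, so later changes by the caller are visible here.
     *
     * @param set supported NameID format URIs
     */
    public void setSupportedNameIDs(Set<String> set) {
        this.supportedNameIDs = set;
    }

    /** @param fixedHttpMetaDataProvider fetcher used for {@code URL}-type metadata */
    public void setFixedHttpMetaDataProvider(FixedHttpMetaDataProvider fixedHttpMetaDataProvider) {
        this.fixedHttpMetaDataProvider = fixedHttpMetaDataProvider;
    }
}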
