package org.cloudfoundry.identity.uaa.zone;

import java.security.GeneralSecurityException;
import java.util.Map;
import org.cloudfoundry.identity.uaa.saml.SamlKey;
import org.cloudfoundry.identity.uaa.util.KeyWithCert;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneValidator;
import org.springframework.util.StringUtils;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.8.0.jar:org/cloudfoundry/identity/uaa/zone/GeneralIdentityZoneConfigurationValidator.class */
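/**
 * Validates the configuration attached to an {@link IdentityZone} before it is created or modified.
 *
 * <p>For {@code CREATE} and {@code MODIFY} the SAML key set and the token-policy key set are checked:
 * an active key ID must refer to a configured key, every SAML key entry must be either fully absent or
 * fully specified (certificate, private key and passphrase), and each key/certificate pair must be
 * accepted by {@link KeyWithCert}. Branding banners and MFA configuration are validated in every mode.
 *
 * <p>Error messages name only key IDs; key material and passphrases are never included.
 */
public class GeneralIdentityZoneConfigurationValidator implements IdentityZoneConfigurationValidator {
    private MfaConfigValidator mfaConfigValidator;

    /**
     * Validates the configuration of {@code identityZone}.
     *
     * @param identityZone the zone whose {@link IdentityZoneConfiguration} is checked
     * @param mode the operation being validated; the key checks run only for CREATE and MODIFY
     * @return the validated configuration, i.e. the instance returned by {@code identityZone.getConfig()}
     * @throws InvalidIdentityZoneConfigurationException if any check fails; a failure while loading a SAML
     *         key/certificate pair carries the underlying {@link GeneralSecurityException} as its cause
     */
    @Override
    public IdentityZoneConfiguration validate(IdentityZone identityZone, IdentityZoneValidator.Mode mode)
            throws InvalidIdentityZoneConfigurationException {
        IdentityZoneConfiguration config = identityZone.getConfig();
        if (mode == IdentityZoneValidator.Mode.CREATE || mode == IdentityZoneValidator.Mode.MODIFY) {
            // Remembers which SAML key is being loaded so the security-failure message can name it;
            // previously the message always reported the key as 'null'.
            String currentSamlKeyId = null;
            try {
                SamlConfig samlConfig = config.getSamlConfig();
                if (samlConfig != null && !samlConfig.getKeys().isEmpty()) {
                    failIfActiveSamlKeyMissing(samlConfig);
                    for (Map.Entry<String, SamlKey> entry : samlConfig.getKeys().entrySet()) {
                        currentSamlKeyId = entry.getKey();
                        SamlKey samlKey = entry.getValue();
                        String certificate = samlKey.getCertificate();
                        String key = samlKey.getKey();
                        String passphrase = samlKey.getPassphrase();
                        if (key != null && certificate != null) {
                            // Constructed only for its validation effect: a pair KeyWithCert rejects
                            // surfaces as the GeneralSecurityException handled below.
                            new KeyWithCert(key, passphrase, certificate);
                        }
                        failIfPartialCertKeyInfo(certificate, key, passphrase);
                    }
                }
                failIfActiveTokenKeyMissing(config.getTokenPolicy());
            } catch (GeneralSecurityException e) {
                throw new InvalidIdentityZoneConfigurationException(String.format(
                        "There is a security problem with the SAML SP Key configuration for key '%s'.",
                        currentSamlKeyId), e);
            }
        }
        if (config.getBranding() != null && config.getBranding().getBanner() != null) {
            BannerValidator.validate(config.getBranding().getBanner());
        }
        if (config.getMfaConfig() != null) {
            this.mfaConfigValidator.validate(config.getMfaConfig(), identityZone.getId());
        }
        return config;
    }

    /**
     * Rejects a SAML configuration whose active key ID is absent or does not name a configured key.
     * Only called when at least one SAML key is configured.
     */
    private static void failIfActiveSamlKeyMissing(SamlConfig samlConfig)
            throws InvalidIdentityZoneConfigurationException {
        String activeKeyId = samlConfig.getActiveKeyId();
        if (activeKeyId == null || samlConfig.getKeys().get(activeKeyId) == null) {
            throw new InvalidIdentityZoneConfigurationException(String.format(
                    "Invalid SAML active key ID: '%s'. Couldn't find any matching keys.", activeKeyId));
        }
    }

    /**
     * Rejects a token policy that names an active key ID without configuring that key.
     * A null policy or a blank active key ID is accepted unchanged.
     */
    private static void failIfActiveTokenKeyMissing(TokenPolicy tokenPolicy)
            throws InvalidIdentityZoneConfigurationException {
        if (tokenPolicy == null) {
            return;
        }
        String activeKeyId = tokenPolicy.getActiveKeyId();
        if (!StringUtils.hasText(activeKeyId)) {
            return;
        }
        Map<String, String> keys = tokenPolicy.getKeys();
        if (keys == null || keys.isEmpty()) {
            throw new InvalidIdentityZoneConfigurationException(
                    "Identity zone cannot specify an active key ID with no keys configured for the zone.", null);
        }
        if (!keys.containsKey(activeKeyId)) {
            throw new InvalidIdentityZoneConfigurationException(
                    "The specified active key ID is not present in the configured keys: " + activeKeyId, null);
        }
    }

    /**
     * Requires a SAML key entry to be all-or-nothing: either certificate, key and passphrase are all
     * absent, or all three are present. Note that a missing passphrase alone counts as partial.
     */
    private void failIfPartialCertKeyInfo(String certificate, String key, String passphrase)
            throws InvalidIdentityZoneConfigurationException {
        if (certificate == null && key == null && passphrase == null) {
            return;
        }
        if (certificate == null || key == null || passphrase == null) {
            throw new InvalidIdentityZoneConfigurationException(
                    "Identity zone cannot be udpated with partial Saml CertKey config.", null);
        }
    }

    /**
     * Sets the validator used for the zone's MFA configuration; it must be set before
     * {@link #validate} sees a config with an MFA section.
     *
     * @return this instance, for chaining
     */
    public GeneralIdentityZoneConfigurationValidator setMfaConfigValidator(MfaConfigValidator mfaConfigValidator) {
        this.mfaConfigValidator = mfaConfigValidator;
        return this;
    }
}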
