package org.springframework.security.saml.provider;

import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.time.Clock;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.UUID;
import java.util.function.Predicate;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.joda.time.DateTime;
import org.springframework.security.saml.SamlException;
import org.springframework.security.saml.SamlMetadataCache;
import org.springframework.security.saml.SamlMetadataException;
import org.springframework.security.saml.SamlProviderNotFoundException;
import org.springframework.security.saml.SamlTransformer;
import org.springframework.security.saml.SamlValidator;
import org.springframework.security.saml.key.SimpleKey;
import org.springframework.security.saml.provider.config.ExternalProviderConfiguration;
import org.springframework.security.saml.provider.config.LocalProviderConfiguration;
import org.springframework.security.saml.saml2.Saml2Object;
import org.springframework.security.saml.saml2.authentication.Issuer;
import org.springframework.security.saml.saml2.authentication.LogoutRequest;
import org.springframework.security.saml.saml2.authentication.LogoutResponse;
import org.springframework.security.saml.saml2.authentication.NameIdPrincipal;
import org.springframework.security.saml.saml2.authentication.Status;
import org.springframework.security.saml.saml2.authentication.StatusCode;
import org.springframework.security.saml.saml2.metadata.Binding;
import org.springframework.security.saml.saml2.metadata.Endpoint;
import org.springframework.security.saml.saml2.metadata.IdentityProviderMetadata;
import org.springframework.security.saml.saml2.metadata.Metadata;
import org.springframework.security.saml.saml2.metadata.ServiceProviderMetadata;
import org.springframework.security.saml.saml2.metadata.SsoProvider;
import org.springframework.security.saml.saml2.signature.Signature;
import org.springframework.security.saml.saml2.signature.SignatureException;
import org.springframework.security.saml.validation.ValidationException;
import org.springframework.security.saml.validation.ValidationResult;

/* loaded from: input_file:WEB-INF/lib/spring-security-saml2-core-2.0.0.M30.jar:org/springframework/security/saml/provider/AbstractHostedProviderService.class */
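/**
 * Base implementation of {@link HostedProviderService} shared by the hosted provider services.
 * <p>
 * It ties together the local provider configuration and metadata, the {@link SamlTransformer}
 * (XML parsing and SAML encoding), the {@link SamlValidator} (signature and semantic validation)
 * and the {@link SamlMetadataCache} used to fetch remote metadata by URI. Remote providers are
 * resolved from the {@link ExternalProviderConfiguration}s held by the local configuration; when
 * a configuration enables the metadata trust check, fetched metadata is only accepted after its
 * signature verifies against the configured verification keys.
 *
 * @param <Configuration>  the local provider configuration type
 * @param <LocalMetadata>  the metadata type of this hosted provider
 * @param <RemoteMetadata> the metadata type of the remote (peer) providers
 */
public abstract class AbstractHostedProviderService<Configuration extends LocalProviderConfiguration, LocalMetadata extends Metadata<LocalMetadata>, RemoteMetadata extends Metadata<RemoteMetadata>> implements HostedProviderService<Configuration, LocalMetadata, RemoteMetadata> {
    private static final Log logger = LogFactory.getLog(AbstractHostedProviderService.class);
    private final Configuration configuration;
    private final LocalMetadata metadata;
    private final SamlTransformer transformer;
    private final SamlValidator validator;
    private final SamlMetadataCache cache;
    // Injectable for tests; not consulted by the logout helpers below, which use joda's clock.
    private Clock clock = Clock.systemUTC();

    /**
     * Creates a hosted provider service.
     *
     * @param configuration     the local provider configuration (keys, external providers)
     * @param localmetadata     the metadata of this hosted provider
     * @param samlTransformer   XML / encoding transformer
     * @param samlValidator     signature and object validator
     * @param samlMetadataCache cache used to fetch remote metadata documents by URI
     */
    public AbstractHostedProviderService(Configuration configuration, LocalMetadata localmetadata, SamlTransformer samlTransformer, SamlValidator samlValidator, SamlMetadataCache samlMetadataCache) {
        this.configuration = configuration;
        this.metadata = localmetadata;
        this.transformer = samlTransformer;
        this.validator = samlValidator;
        this.cache = samlMetadataCache;
    }

    /** @return the clock set via {@link #setClock(Clock)}, UTC system clock by default */
    public Clock getClock() {
        return this.clock;
    }

    /**
     * Replaces the clock.
     *
     * @param clock the clock to use
     * @return {@code this} for chaining
     */
    public AbstractHostedProviderService<Configuration, LocalMetadata, RemoteMetadata> setClock(Clock clock) {
        this.clock = clock;
        return this;
    }

    /** @return the metadata cache used to fetch remote metadata */
    public SamlMetadataCache getCache() {
        return this.cache;
    }

    /**
     * Looks up the remote provider named by a SAML {@code Issuer}.
     *
     * @param issuer the issuer element, may be {@code null}
     * @return {@code null} when {@code issuer} is {@code null}, otherwise the provider whose
     *         entityId equals the issuer value
     * @throws SamlProviderNotFoundException if no configured provider matches
     */
    protected RemoteMetadata getRemoteProvider(Issuer issuer) {
        if (issuer == null) {
            return null;
        }
        return getRemoteProvider(issuer.getValue());
    }

    /**
     * Returns {@code remotemetadata} unless it is {@code null}.
     *
     * @param remotemetadata the lookup result
     * @param str            name of the lookup key, used in the error message
     * @param str2           the lookup value, used in the error message
     * @return {@code remotemetadata}, never {@code null}
     * @throws SamlProviderNotFoundException when {@code remotemetadata} is {@code null}
     */
    protected RemoteMetadata throwIfNull(RemoteMetadata remotemetadata, String str, String str2) {
        if (remotemetadata == null) {
            throw new SamlProviderNotFoundException(String.format("Provider for key '%s' with value '%s' not found.", str, str2));
        }
        return remotemetadata;
    }

    @Override
    public Configuration getConfiguration() {
        return this.configuration;
    }

    @Override
    public LocalMetadata getMetadata() {
        return this.metadata;
    }

    /**
     * Resolves every configured external provider.
     * <p>
     * Each call re-resolves all providers through {@link #getRemoteProvider(ExternalProviderConfiguration)}
     * (fetch via the cache, trust check, static keys). Providers that fail with a
     * {@link SamlException} or resolve to {@code null} (for example, failed trust check) are
     * skipped and logged at debug level; they are simply absent from the result.
     *
     * @return the resolved providers, each tagged with its configured alias; never {@code null}
     */
    @Override
    public List<RemoteMetadata> getRemoteProviders() {
        List<RemoteMetadata> providers = new LinkedList<>();
        for (ExternalProviderConfiguration external : getConfiguration().getProviders()) {
            try {
                RemoteMetadata remote = getRemoteProvider(external);
                if (remote != null) {
                    remote.setEntityAlias(external.getAlias());
                    providers.add(remote);
                }
            } catch (SamlException e) {
                // Best effort: one unresolvable provider must not hide the others.
                logger.debug("Unable to resolve identity provider metadata.", e);
            }
        }
        return providers;
    }

    /**
     * Builds a signed {@code LogoutRequest} addressed to the peer's single-logout endpoint.
     * <p>
     * Only the first SSO provider of {@code remotemetadata} is considered; the endpoint is chosen
     * with no binding or index preference (see {@link #getPreferredEndpoint(List, Binding, int)}).
     *
     * @param remotemetadata  the peer that should be logged out
     * @param nameIdPrincipal the subject of the logout
     * @return the request, signed with this provider's signing key
     */
    @Override
    public LogoutRequest logoutRequest(RemoteMetadata remotemetadata, NameIdPrincipal nameIdPrincipal) {
        LocalMetadata local = getMetadata();
        Endpoint destination = getPreferredEndpoint(
            remotemetadata.getSsoProviders().get(0).getSingleLogoutService(), null, -1
        );
        return new LogoutRequest()
            .setId("LRQ" + UUID.randomUUID().toString())
            .setDestination(destination)
            .setIssuer(new Issuer().setValue(local.getEntityId()))
            // NOTE(review): uses joda's current time, not the injected Clock.
            .setIssueInstant(DateTime.now())
            .setNameId(nameIdPrincipal)
            .setSigningKey(local.getSigningKey(), local.getAlgorithm(), local.getDigest());
    }

    /**
     * Builds a signed, successful {@code LogoutResponse} for {@code logoutRequest}.
     * <p>
     * The destination is the location of the peer's single-logout endpoint (first SSO provider,
     * no binding or index preference), or {@code null} when the peer publishes none.
     * {@code InResponseTo} is left {@code null} when {@code logoutRequest} is {@code null}.
     *
     * @param logoutRequest  the request being answered, may be {@code null}
     * @param remotemetadata the peer that sent the request
     * @return the response with status {@link StatusCode#SUCCESS}
     */
    @Override
    public LogoutResponse logoutResponse(LogoutRequest logoutRequest, RemoteMetadata remotemetadata) {
        LocalMetadata local = getMetadata();
        Endpoint destination = getPreferredEndpoint(
            remotemetadata.getSsoProviders().get(0).getSingleLogoutService(), null, -1
        );
        return new LogoutResponse()
            .setId("LRP" + UUID.randomUUID().toString())
            .setInResponseTo(logoutRequest != null ? logoutRequest.getId() : null)
            .setDestination(destination != null ? destination.getLocation() : null)
            .setStatus(new Status().setCode(StatusCode.SUCCESS))
            .setIssuer(new Issuer().setValue(local.getEntityId()))
            .setSigningKey(local.getSigningKey(), local.getAlgorithm(), local.getDigest())
            // NOTE(review): uses joda's current time, not the injected Clock.
            .setIssueInstant(DateTime.now())
            .setVersion("2.0");
    }

    @Override
    public abstract RemoteMetadata getRemoteProvider(Saml2Object saml2Object);

    /**
     * Finds the configured remote provider with the given entityId.
     * <p>
     * Every resolved provider may head a chain of metadata documents ({@code hasNext()} /
     * {@code getNext()}); each chain is walked until a match is found or it ends.
     *
     * @param str the entityId to look for; {@code null} never matches
     * @return the matching provider, never {@code null}
     * @throws SamlProviderNotFoundException if no provider has this entityId
     */
    @Override
    public RemoteMetadata getRemoteProvider(String str) {
        if (str != null) {
            for (RemoteMetadata head : getRemoteProviders()) {
                RemoteMetadata current = head;
                // Walk the chain; it ends when the current element has no successor.
                while (current != null) {
                    if (str.equals(current.getEntityId())) {
                        return current;
                    }
                    current = current.hasNext() ? (RemoteMetadata) current.getNext() : null;
                }
            }
        }
        return throwIfNull(null, "remote provider entityId", str);
    }

    /**
     * Resolves one external provider: fetches/parses its metadata, applies the metadata trust
     * check when enabled, and appends any statically configured verification keys.
     *
     * @param externalProviderConfiguration the provider configuration
     * @return the resolved metadata, or {@code null} when the trust check rejected it
     * @throws SamlProviderNotFoundException if the metadata is missing or cannot be parsed
     * @throws SamlMetadataException         if fetching the metadata by URI fails
     */
    @Override
    public RemoteMetadata getRemoteProvider(ExternalProviderConfiguration externalProviderConfiguration) {
        RemoteMetadata resolved = resolve(
            externalProviderConfiguration.getMetadata(),
            externalProviderConfiguration.isSkipSslValidation()
        );
        if (externalProviderConfiguration.isMetadataTrustCheck()) {
            resolved = metadataTrustCheck(externalProviderConfiguration, resolved);
        }
        if (resolved != null) {
            addStaticKeys(externalProviderConfiguration, resolved);
        }
        return resolved;
    }

    /**
     * Appends the statically configured verification keys to the keys of every SSO provider in
     * {@code remotemetadata}, so that signatures made with either set verify.
     *
     * @param externalProviderConfiguration source of the configured keys
     * @param remotemetadata                the metadata to augment; ignored when {@code null}
     */
    private void addStaticKeys(ExternalProviderConfiguration externalProviderConfiguration, RemoteMetadata remotemetadata) {
        if (externalProviderConfiguration.getVerificationKeys().isEmpty() || remotemetadata == null) {
            return;
        }
        for (SsoProvider ssoProvider : remotemetadata.getSsoProviders()) {
            List<SimpleKey> merged = new LinkedList<>(ssoProvider.getKeys());
            merged.addAll(externalProviderConfiguration.getVerificationKeyData());
            ssoProvider.setKeys(merged);
        }
    }

    /**
     * Decides whether fetched metadata may be trusted.
     * <p>
     * With the trust check enabled, the metadata is accepted only when its signature validates
     * against the configured verification keys and a validating key is reported. Missing keys,
     * a missing/unvalidated signature and an invalid signature all yield {@code null} and a
     * warning, so the provider is dropped rather than used.
     *
     * @param externalProviderConfiguration the provider configuration
     * @param remotemetadata                the fetched metadata
     * @return {@code remotemetadata} when trusted (or the check is disabled), else {@code null}
     */
    private RemoteMetadata metadataTrustCheck(ExternalProviderConfiguration externalProviderConfiguration, RemoteMetadata remotemetadata) {
        if (!externalProviderConfiguration.isMetadataTrustCheck()) {
            return remotemetadata;
        }
        if (externalProviderConfiguration.getVerificationKeys().isEmpty()) {
            logger.warn("No keys to verify metadata for " + externalProviderConfiguration.getMetadata() + " with. Unable to trust.");
            return null;
        }
        try {
            Signature signature = this.validator.validateSignature(remotemetadata, externalProviderConfiguration.getVerificationKeyData());
            boolean trusted = signature != null && signature.isValidated() && signature.getValidatingKey() != null;
            if (trusted) {
                return remotemetadata;
            }
            logger.warn("Missing signature for " + externalProviderConfiguration.getMetadata() + ". Unable to trust.");
            return null;
        } catch (SignatureException e) {
            logger.warn("Invalid signature for remote provider metadata " + externalProviderConfiguration.getMetadata() + ". Unable to trust.", e);
            return null;
        }
    }

    /**
     * Validates a SAML object: first its signature against the keys of the remote provider it
     * came from, then its contents via {@link SamlValidator#validate}.
     * <p>
     * The signature step runs only when the remote provider is found and publishes at least one
     * key; otherwise it is skipped here and the semantic validation alone decides.
     * NOTE(review): whether an unknown issuer or an unsigned object is rejected in that case
     * depends on the validator's {@code validate} — confirm against its implementation.
     *
     * @param saml2Object the object to validate
     * @return a result without errors on success, or the collected errors
     */
    @Override
    public ValidationResult validate(Saml2Object saml2Object) {
        List<SimpleKey> verificationKeys = getVerificationKeys(getRemoteProvider(saml2Object));
        if (verificationKeys != null && !verificationKeys.isEmpty()) {
            try {
                getValidator().validateSignature(saml2Object, verificationKeys);
            } catch (SignatureException e) {
                return new ValidationResult(saml2Object).addError(new ValidationResult.ValidationError(e.getMessage()));
            }
        }
        try {
            getValidator().validate(saml2Object, this);
            return new ValidationResult(saml2Object);
        } catch (ValidationException e) {
            return e.getErrors();
        }
    }

    /**
     * Extracts the signing/verification keys published by a remote provider.
     *
     * @param remotemetadata SP or IDP metadata, may be {@code null}
     * @return the provider's keys, or an empty list for {@code null} or an unknown metadata type
     */
    private List<SimpleKey> getVerificationKeys(RemoteMetadata remotemetadata) {
        if (remotemetadata instanceof ServiceProviderMetadata) {
            return ((ServiceProviderMetadata) remotemetadata).getServiceProvider().getKeys();
        }
        if (remotemetadata instanceof IdentityProviderMetadata) {
            return ((IdentityProviderMetadata) remotemetadata).getIdentityProvider().getKeys();
        }
        return Collections.emptyList();
    }

    /** @return the validator used for signatures and object validation */
    public SamlValidator getValidator() {
        return this.validator;
    }

    /**
     * Parses (and optionally decodes) a SAML object, verifying its signature with the keys of
     * the remote provider that issued it.
     * <p>
     * The document is parsed twice: a first pass with no verification keys only identifies the
     * remote provider, the second pass verifies against that provider's keys. Nothing from the
     * unverified first pass is returned. Only the keys of the provider's first SSO provider are
     * used; this provider's own keys are passed as local keys (for decryption).
     *
     * @param str the XML, or the SAML-encoded XML when {@code z} is {@code true}
     * @param z   whether {@code str} is SAML-encoded and must be decoded first
     * @param z2  passed to {@code samlDecode} — presumably whether the payload is deflated
     * @param cls the expected object type
     * @return the parsed, verified object
     */
    @Override
    public <T extends Saml2Object> T fromXml(String str, boolean z, boolean z2, Class<T> cls) {
        List<SimpleKey> localKeys = getConfiguration().getKeys().toList();
        String xml = z ? getTransformer().samlDecode(str, z2) : str;
        // First pass: unverified, used only to find out which remote provider to verify against.
        T unverified = cls.cast(getTransformer().fromXml(xml, (List<SimpleKey>) null, localKeys));
        // NOTE(review): getRemoteProvider(Saml2Object) is abstract; a null result fails here with an NPE.
        RemoteMetadata remote = getRemoteProvider(unverified);
        List<SimpleKey> verificationKeys = remote.getSsoProviders().get(0).getKeys();
        return cls.cast(getTransformer().fromXml(xml, verificationKeys, localKeys));
    }

    @Override
    public String toXml(Saml2Object saml2Object) {
        return getTransformer().toXml(saml2Object);
    }

    /**
     * Serializes and SAML-encodes an object.
     *
     * @param saml2Object the object
     * @param z           passed to {@code samlEncode} — presumably whether to deflate
     * @return the encoded XML
     */
    @Override
    public String toEncodedXml(Saml2Object saml2Object, boolean z) {
        return toEncodedXml(toXml(saml2Object), z);
    }

    @Override
    public String toEncodedXml(String str, boolean z) {
        return getTransformer().samlEncode(str, z);
    }

    /**
     * Picks an endpoint by preference: first one with the requested binding (if a binding is
     * given), then one with index {@code i}, then the one flagged default, finally the first.
     * <p>
     * An endpoint whose index equals {@code i} matches even for the {@code -1} the logout helpers
     * pass as "no preference".
     *
     * @param list    candidate endpoints
     * @param binding the preferred binding, may be {@code null}
     * @param i       the preferred index
     * @return the chosen endpoint, or {@code null} when {@code list} is {@code null} or empty
     */
    @Override
    public Endpoint getPreferredEndpoint(List<Endpoint> list, Binding binding, int i) {
        if (list == null || list.isEmpty()) {
            return null;
        }
        Endpoint endpoint = null;
        if (binding != null) {
            endpoint = firstMatch(list, e -> binding.equals(e.getBinding()));
        }
        if (endpoint == null) {
            endpoint = firstMatch(list, e -> e.getIndex() == i);
        }
        if (endpoint == null) {
            endpoint = firstMatch(list, Endpoint::isDefault);
        }
        return endpoint != null ? endpoint : list.get(0);
    }

    /** Returns the first endpoint satisfying {@code test}, or {@code null} if none does. */
    private static Endpoint firstMatch(List<Endpoint> endpoints, Predicate<Endpoint> test) {
        for (Endpoint candidate : endpoints) {
            if (test.test(candidate)) {
                return candidate;
            }
        }
        return null;
    }

    /** @return the transformer used for XML and SAML encoding */
    public SamlTransformer getTransformer() {
        return this.transformer;
    }

    /**
     * Turns a configured metadata value into metadata: fetched through the cache when the value
     * parses as a URI, otherwise treated as inline metadata XML.
     *
     * @param str the configured metadata (URI or XML)
     * @param z   skip TLS certificate validation when fetching; when {@code true} the integrity of
     *            the fetched document rests solely on the metadata trust check
     * @return the metadata, never {@code null}
     * @throws SamlProviderNotFoundException if {@code str} is {@code null} or yields no metadata
     * @throws SamlMetadataException         if the fetch fails
     */
    private RemoteMetadata resolve(String str, boolean z) {
        if (str == null) {
            // Previously surfaced as a NullPointerException from the URI check.
            return throwIfNull(null, "metadata", null);
        }
        RemoteMetadata result = isUri(str) ? fetchAndTransform(str, z) : transformMetadata(str);
        return throwIfNull(result, "metadata", str);
    }

    /**
     * Fetches metadata by URI through the cache and transforms it.
     *
     * @param uri               the metadata location
     * @param skipSslValidation whether TLS certificate validation is skipped for the fetch
     * @return the transformed metadata (may be {@code null} if the transformer returns null)
     * @throws SamlMetadataException wrapping any non-SAML failure of the fetch or transform
     */
    private RemoteMetadata fetchAndTransform(String uri, boolean skipSslValidation) {
        try {
            byte[] document = this.cache.getMetadata(uri, skipSslValidation);
            return transformMetadata(new String(document, StandardCharsets.UTF_8));
        } catch (SamlException e) {
            // Already a domain exception: propagate unchanged.
            throw e;
        } catch (Exception e) {
            String message = String.format("Unable to fetch metadata from: %s with message: %s", uri, e.getMessage());
            if (logger.isDebugEnabled()) {
                logger.debug(message, e);
            } else {
                logger.info(message);
            }
            throw new SamlMetadataException("Unable to successfully get metadata from:" + uri, e);
        }
    }

    /**
     * Parses a metadata XML document into the remote metadata type.
     *
     * @param str the metadata XML
     * @return the parsed metadata, or {@code null} if it cannot be represented
     */
    protected abstract RemoteMetadata transformMetadata(String str);

    /**
     * Whether {@code str} is syntactically a URI. XML documents fail this because of characters
     * such as {@code <}; a bare word passes, so the cache decides what to do with it.
     *
     * @param str the value to test, may be {@code null}
     * @return {@code true} if {@code new URI(str)} succeeds
     */
    private boolean isUri(String str) {
        if (str == null) {
            return false;
        }
        try {
            new URI(str);
            return true;
        } catch (URISyntaxException ignored) {
            // Not a URI: the caller treats the value as inline metadata.
            return false;
        }
    }

    /**
     * Looks up the remote provider that issued a logout response.
     *
     * @param logoutResponse the response
     * @return the issuing provider
     * @throws SamlProviderNotFoundException if the issuer is missing or unknown
     */
    public RemoteMetadata getRemoteProvider(LogoutResponse logoutResponse) {
        Issuer issuer = logoutResponse.getIssuer();
        return getRemoteProvider(issuer != null ? issuer.getValue() : null);
    }

    /**
     * Looks up the remote provider that issued a logout request.
     *
     * @param logoutRequest the request
     * @return the issuing provider
     * @throws SamlProviderNotFoundException if the issuer is missing or unknown
     */
    public RemoteMetadata getRemoteProvider(LogoutRequest logoutRequest) {
        Issuer issuer = logoutRequest.getIssuer();
        return getRemoteProvider(issuer != null ? issuer.getValue() : null);
    }
}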
