package org.apereo.cas.mgmt;

import com.mchange.io.FileUtils;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.configuration.CasManagementConfigurationProperties;
import org.apereo.cas.mgmt.domain.FormData;
import org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider;
import org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.saml.OpenSamlConfigBean;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.util.DigestUtils;
import org.apereo.cas.util.ResourceUtils;
import org.apereo.cas.util.crypto.CertUtils;
import org.apereo.cas.util.model.TriStateBoolean;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.ext.saml2mdui.UIInfo;
import org.opensaml.saml.saml2.metadata.AttributeConsumingService;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.Extensions;
import org.opensaml.saml.saml2.metadata.KeyDescriptor;
import org.opensaml.saml.saml2.metadata.NameIDFormat;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;
import org.thymeleaf.spring5.processor.SpringInputGeneralFieldTagProcessor;

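/* loaded from: input_file:WEB-INF/lib/cas-mgmt-support-saml-6.5.3.jar:org/apereo/cas/mgmt/SamlController.class */
/**
 * REST endpoints used by the management UI to build {@link SamlRegisteredService}
 * definitions from SAML SP metadata (an uploaded XML document, an entry of the
 * configured metadata aggregate, or a URL) and to read and overwrite the locally
 * stored metadata document of an existing SAML service.
 *
 * <p>Local metadata documents live under {@code managementProperties.getMetadataRepoDir()}
 * and are named by a digest of the entity ID rather than by the ID itself, so a
 * caller-supplied entity ID is never used as a path component.
 *
 * <p>Request parameter names ({@code str}, {@code l}) are kept exactly as in the
 * original class because Spring binds query/path values by parameter name.
 */
@RequestMapping(path = {"api/saml"}, produces = {"application/json"})
@RestController("casManagementSamlController")
public class SamlController {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(SamlController.class);
    /** NameID format that is mapped to the {@code eduPersonPrincipalName} attribute. */
    private static final String EPPN_NAME_ID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6";
    /** NameID format that is mapped to the {@code mailidMail} attribute. */
    private static final String EMAIL_NAME_ID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
    private static final String METADATA_FILE_SUFFIX = ".xml";
    /** Values of the {@code use} attribute of a metadata {@code KeyDescriptor}. */
    private static final String KEY_USE_ENCRYPTION = "encryption";
    private static final String KEY_USE_SIGNING = "signing";
    /** Signing credential type for key descriptors that carry no X.509 data (same value as HttpServletRequest.BASIC_AUTH). */
    private static final String SIGNING_CREDENTIAL_TYPE_BASIC = "BASIC";

    protected final MgmtManagerFactory<? extends ServicesManager> managerFactory;
    protected final CasManagementConfigurationProperties managementProperties;
    private final MetadataAggregateResolver sps;
    private final FormData formData;
    private final OpenSamlConfigBean configBean;
    private final UrlMetadataResolver urlMetadataResolver;
    /**
     * Service IDs (entity IDs) of the SAML services registered when this controller
     * was created. This is a one-time snapshot; it is not refreshed afterwards.
     */
    private final List<String> entities;

    public SamlController(MgmtManagerFactory<? extends ServicesManager> mgmtManagerFactory,
                          CasManagementConfigurationProperties casManagementConfigurationProperties,
                          FormData formData,
                          OpenSamlConfigBean openSamlConfigBean,
                          MetadataAggregateResolver metadataAggregateResolver,
                          UrlMetadataResolver urlMetadataResolver) {
        this.managerFactory = mgmtManagerFactory;
        this.managementProperties = casManagementConfigurationProperties;
        this.formData = formData;
        this.configBean = openSamlConfigBean;
        this.sps = metadataAggregateResolver;
        this.urlMetadataResolver = urlMetadataResolver;
        this.entities = loadSamlEntityIds(mgmtManagerFactory);
    }

    /**
     * Collects the service IDs of all registered SAML services.
     * Best effort: a failure while reading the registry is logged and yields an empty
     * list, so that {@link #find} does not fail with a NullPointerException later on.
     *
     * @param factory the manager factory whose master services manager is queried
     * @return the service IDs, possibly empty, never {@code null}
     */
    private static List<String> loadSamlEntityIds(MgmtManagerFactory<? extends ServicesManager> factory) {
        try {
            return ((ManagementServicesManager) factory.master())
                .findServiceBy(registeredService -> registeredService instanceof SamlRegisteredService)
                .stream()
                .map(registeredService -> registeredService.getServiceId())
                .collect(Collectors.toList());
        } catch (Exception e) {
            LOGGER.error("Unable to load SAML service entity IDs: [{}]", e.getMessage(), e);
            return new ArrayList<>();
        }
    }

    /**
     * Chooses the username attribute provider for a required NameID format.
     *
     * @param nameIdFormat the NameID format URI declared first in the SP metadata
     * @return a principal-attribute provider for the e-mail and EPPN formats,
     *         {@code null} for any other format
     */
    private static PrincipalAttributeRegisteredServiceUsernameProvider createUsernameProvider(String nameIdFormat) {
        final String usernameAttribute;
        if (EMAIL_NAME_ID.equals(nameIdFormat)) {
            usernameAttribute = "mailidMail";
        } else if (EPPN_NAME_ID.equals(nameIdFormat)) {
            usernameAttribute = "eduPersonPrincipalName";
        } else {
            return null;
        }
        PrincipalAttributeRegisteredServiceUsernameProvider provider = new PrincipalAttributeRegisteredServiceUsernameProvider();
        provider.setUsernameAttribute(usernameAttribute);
        return provider;
    }

    /**
     * Name of the locally stored metadata document for an entity ID.
     *
     * @param entityId the SP entity ID
     * @return the digest-based file name (the entity ID itself never becomes a path component)
     */
    private static String metadataFileName(String entityId) {
        return DigestUtils.sha(entityId) + METADATA_FILE_SUFFIX;
    }

    /**
     * Extracts the entity ID of a parsed descriptor, rejecting documents without one.
     *
     * @param descriptor the parsed metadata, may be {@code null}
     * @return the non-blank entity ID
     * @throws IllegalArgumentException when the descriptor is missing or has no entity ID
     */
    private static String requireEntityId(EntityDescriptor descriptor) {
        if (descriptor == null || StringUtils.isBlank(descriptor.getEntityID())) {
            throw new IllegalArgumentException("Metadata does not contain an entity ID");
        }
        return descriptor.getEntityID();
    }

    /**
     * Finds registered SAML entity IDs containing the given text (snapshot taken at startup).
     *
     * @param str substring to look for
     * @return the matching entity IDs, possibly empty
     */
    @GetMapping({"find"})
    public List<String> find(@RequestParam String str) {
        return this.entities.stream()
            .filter(entityId -> entityId.contains(str))
            .collect(Collectors.toList());
    }

    /**
     * Queries the configured metadata aggregate for entity IDs matching the given text.
     *
     * @param str search text handed to the aggregate resolver
     * @return the matching entity IDs as returned by the resolver
     */
    @GetMapping({"search"})
    public List<String> search(@RequestParam String str) {
        return this.sps.query(str);
    }

    /**
     * Creates a SAML service from an uploaded metadata document and stores the document
     * under the metadata repository directory.
     *
     * @param str the raw metadata XML
     * @return the unsaved service definition derived from the metadata
     * @throws IllegalArgumentException when the document has no entity ID or the entity is already registered
     * @throws IOException when the metadata document cannot be written
     */
    @PostMapping({"upload"})
    @ResponseStatus(HttpStatus.OK)
    public SamlRegisteredService upload(@RequestBody String str) throws IOException {
        // NOTE(review): the body is caller-supplied XML. MetadataUtil.fromXML is not visible here;
        // confirm that the parser it uses has DTD and external-entity resolution disabled.
        EntityDescriptor descriptor = MetadataUtil.fromXML(str, this.configBean);
        String entityId = requireEntityId(descriptor);
        if (exists(entityId)) {
            throw new IllegalArgumentException("Service already registered");
        }
        SamlRegisteredService service = createService(descriptor);
        String fileName = metadataFileName(entityId);
        Files.write(Path.of(this.managementProperties.getMetadataRepoDir(), fileName), str.getBytes(StandardCharsets.UTF_8));
        // The stored location deliberately points at metadataDir, not metadataRepoDir, as in the original.
        service.setMetadataLocation("file:/" + this.managementProperties.getMetadataDir() + "/" + fileName);
        return service;
    }

    /**
     * Creates a SAML service for an entity of the configured metadata aggregate.
     *
     * @param str the entity ID to look up in the aggregate
     * @return the unsaved service definition, pointing at the aggregate and its signing certificate
     * @throws IllegalArgumentException when the entity is already registered or not found in the aggregate
     * @throws SignatureException when the aggregate signature cannot be verified
     */
    @GetMapping({"add"})
    public SamlRegisteredService add(@RequestParam String str) throws SignatureException {
        if (exists(str)) {
            throw new IllegalArgumentException("Service already registered");
        }
        SamlRegisteredService service = createService(this.sps.find(str));
        service.setMetadataLocation(this.sps.location());
        service.setMetadataSignatureLocation(this.managementProperties.getInCommonCertLocation());
        return service;
    }

    /**
     * Creates a SAML service from metadata fetched from a URL.
     *
     * @param str the metadata URL, which is also recorded as the service's metadata location
     * @return the unsaved service definition
     */
    @GetMapping({"download"})
    public SamlRegisteredService download(@RequestParam String str) {
        // NOTE(review): str is a caller-supplied URL that urlMetadataResolver fetches server-side.
        // The resolver is not visible here; confirm it restricts the schemes and destinations it will contact.
        String xml = this.urlMetadataResolver.xml(str);
        // The original logged the whole document at ERROR level; keep it available for debugging only.
        LOGGER.debug("Metadata fetched from [{}]: {}", str, xml);
        SamlRegisteredService service = createService(MetadataUtil.fromXML(xml, this.configBean));
        service.setMetadataLocation(str);
        return service;
    }

    /**
     * Returns the metadata document of a registered SAML service: the aggregate's copy
     * when the entity is part of the aggregate, otherwise the locally stored document.
     *
     * @param l the numeric ID of the registered service
     * @return the metadata document, flagged with whether it came from the aggregate
     * @throws IllegalArgumentException when no SAML service has the given ID
     * @throws IOException when the local document cannot be read
     */
    @GetMapping({"/metadata/{id}"})
    public Metadata getMetadata(@PathVariable Long l) throws IOException {
        String entityId = requireSamlService(l).getServiceId();
        if (!this.sps.query(entityId).isEmpty()) {
            return new Metadata(true, this.sps.xml(entityId));
        }
        String location = "file:/" + this.managementProperties.getMetadataRepoDir() + "/" + metadataFileName(entityId);
        return new Metadata(false, FileUtils.getContentsAsString(ResourceUtils.getResourceFrom(location).getFile()));
    }

    /**
     * Overwrites the locally stored metadata document of a registered SAML service.
     *
     * @param l   the numeric ID of the registered service
     * @param str the new metadata XML
     * @throws IllegalArgumentException when no SAML service has the given ID
     * @throws IOException when the document cannot be written
     */
    @PostMapping({"/metadata/{id}"})
    public void saveMetadata(@PathVariable Long l, @RequestBody String str) throws IOException {
        String entityId = requireSamlService(l).getServiceId();
        // NOTE(review): kept as in the original, which prefixes "/" here but not in upload();
        // the two only agree when metadataRepoDir is configured as an absolute path. Confirm.
        Path target = Paths.get("/" + this.managementProperties.getMetadataRepoDir() + "/" + metadataFileName(entityId));
        Files.writeString(target, str);
    }

    /**
     * Looks up a registered service by numeric ID and ensures it is a SAML service.
     *
     * @param id the numeric service ID
     * @return the SAML service
     * @throws IllegalArgumentException when nothing is registered under the ID or it is not a SAML service
     */
    private SamlRegisteredService requireSamlService(Long id) {
        Objects.requireNonNull(id, "id");
        Object service = this.managerFactory.master().findServiceBy(id.longValue());
        if (!(service instanceof SamlRegisteredService)) {
            throw new IllegalArgumentException("No SAML service found for id " + id);
        }
        return (SamlRegisteredService) service;
    }

    /**
     * Whether a SAML service is already registered for the given value.
     * NOTE(review): the lookup is by service <em>name</em> although callers pass an
     * entity ID; confirm this is the intended matching rule.
     *
     * @param entityId the value to check
     * @return {@code true} when a SAML service with that name exists
     */
    private boolean exists(String entityId) {
        return this.managerFactory.master().findServiceByName(entityId, SamlRegisteredService.class) != null;
    }

    /**
     * Builds an unsaved service definition from an SP entity descriptor.
     *
     * @param entityDescriptor the parsed metadata
     * @return the service definition
     * @throws IllegalArgumentException when the descriptor is missing or has no SAML 2.0 SP role
     */
    private SamlRegisteredService createService(EntityDescriptor entityDescriptor) {
        if (entityDescriptor == null) {
            throw new IllegalArgumentException("No entity descriptor to create a service from");
        }
        SPSSODescriptor spDescriptor = entityDescriptor.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
        if (spDescriptor == null) {
            throw new IllegalArgumentException("Metadata for [" + entityDescriptor.getEntityID() + "] has no SAML 2.0 SP descriptor");
        }
        SamlRegisteredService service = new SamlRegisteredService();
        service.setServiceId(entityDescriptor.getEntityID());
        // WantAssertionsSigned is optional in metadata; an absent value is treated as false.
        service.setSignAssertions(TriStateBoolean.fromBoolean(Boolean.TRUE.equals(spDescriptor.getWantAssertionsSigned())));
        Optional<NameIDFormat> firstFormat = spDescriptor.getNameIDFormats().stream().findFirst();
        firstFormat.ifPresent(format -> {
            service.setRequiredNameIdFormat(format.toString());
            service.setUsernameAttributeProvider(createUsernameProvider(service.getRequiredNameIdFormat()));
        });
        applyUiInfo(service, spDescriptor.getExtensions());
        AttributeConsumingService attributeConsumingService = spDescriptor.getDefaultAttributeConsumingService();
        // The release policy depends on the username provider chosen above, so it is built after it.
        service.setAttributeReleasePolicy(createAttributePolicy(service, attributeConsumingService));
        applyAttributeConsumingServiceNames(service, attributeConsumingService);
        applyKeyDescriptors(service, spDescriptor.getKeyDescriptors());
        return service;
    }

    /**
     * Copies the first display name and description of an {@code mdui:UIInfo} extension
     * onto the service, when such an extension is present.
     */
    private static void applyUiInfo(SamlRegisteredService service, Extensions extensions) {
        if (extensions == null) {
            return;
        }
        List<?> children = extensions.getOrderedChildren();
        if (children == null) {
            return;
        }
        children.stream()
            .filter(UIInfo.class::isInstance)
            .map(UIInfo.class::cast)
            .findFirst()
            .ifPresent(uiInfo -> {
                if (!uiInfo.getDisplayNames().isEmpty()) {
                    service.setName(uiInfo.getDisplayNames().get(0).getValue());
                }
                if (!uiInfo.getDescriptions().isEmpty()) {
                    service.setDescription(uiInfo.getDescriptions().get(0).getValue());
                }
            });
    }

    /**
     * Falls back to the attribute consuming service's name/description for any field
     * the UIInfo extension did not fill.
     */
    private static void applyAttributeConsumingServiceNames(SamlRegisteredService service, AttributeConsumingService attributeConsumingService) {
        if (attributeConsumingService == null) {
            return;
        }
        if (StringUtils.isBlank(service.getName()) && !attributeConsumingService.getNames().isEmpty()) {
            service.setName(attributeConsumingService.getNames().get(0).getValue());
        }
        if (StringUtils.isBlank(service.getDescription()) && !attributeConsumingService.getDescriptions().isEmpty()) {
            service.setDescription(attributeConsumingService.getDescriptions().get(0).getValue());
        }
    }

    /**
     * Derives the encryption/signing settings of the service from the SP key descriptors.
     * Keys are matched by their {@code use} attribute; a key without {@code use} matches
     * neither filter and is only honoured through the fallback below.
     */
    private static void applyKeyDescriptors(SamlRegisteredService service, List<KeyDescriptor> keyDescriptors) {
        if (keyDescriptors == null || keyDescriptors.isEmpty()) {
            return;
        }
        Optional<KeyDescriptor> encryptionKey = findKeyByUse(keyDescriptors, KEY_USE_ENCRYPTION);
        Optional<KeyDescriptor> signingKey = findKeyByUse(keyDescriptors, KEY_USE_SIGNING);
        if (encryptionKey.isPresent()) {
            service.setEncryptAssertions(true);
        }
        if (signingKey.isPresent()) {
            service.setSigningCredentialType(hasX509Data(signingKey.get())
                ? CertUtils.X509_CERTIFICATE_TYPE
                : SIGNING_CREDENTIAL_TYPE_BASIC);
        }
        // Fallback: no explicitly scoped key at all, but the first descriptor carries X.509 data.
        if (encryptionKey.isEmpty() && signingKey.isEmpty() && hasX509Data(keyDescriptors.get(0))) {
            service.setEncryptAssertions(true);
            service.setSignResponses(true);
            service.setSigningCredentialType(CertUtils.X509_CERTIFICATE_TYPE);
        }
    }

    /** First key descriptor whose {@code use} attribute equals {@code use}; descriptors without a use never match. */
    private static Optional<KeyDescriptor> findKeyByUse(List<KeyDescriptor> keyDescriptors, String use) {
        return keyDescriptors.stream()
            .filter(keyDescriptor -> keyDescriptor.getUse() != null && use.equals(keyDescriptor.getUse().getValue()))
            .findFirst();
    }

    /** Whether the descriptor has a KeyInfo with at least one X509Data element. */
    private static boolean hasX509Data(KeyDescriptor keyDescriptor) {
        return keyDescriptor.getKeyInfo() != null && !keyDescriptor.getKeyInfo().getX509Datas().isEmpty();
    }

    /**
     * Builds an allow-list release policy from the username attribute (if any) and the
     * requested attributes of the attribute consuming service that can be mapped to a
     * known IdP attribute. Authentication attributes and default attributes are excluded.
     *
     * @param service                   the service whose username provider was already set
     * @param attributeConsumingService the default attribute consuming service, may be {@code null}
     * @return the release policy
     */
    private ReturnAllowedAttributeReleasePolicy createAttributePolicy(SamlRegisteredService service, AttributeConsumingService attributeConsumingService) {
        ReturnAllowedAttributeReleasePolicy policy = new ReturnAllowedAttributeReleasePolicy();
        policy.setAuthorizedToReleaseAuthenticationAttributes(false);
        HashSet<String> allowed = new HashSet<>();
        if (service.getUsernameAttributeProvider() instanceof PrincipalAttributeRegisteredServiceUsernameProvider) {
            allowed.add(((PrincipalAttributeRegisteredServiceUsernameProvider) service.getUsernameAttributeProvider()).getUsernameAttribute());
        }
        if (attributeConsumingService != null) {
            attributeConsumingService.getRequestedAttributes()
                .forEach(requested -> mapAttribute(requested.getName()).ifPresent(allowed::add));
        }
        if (!allowed.isEmpty()) {
            policy.setAllowedAttributes(new ArrayList<>(allowed));
        }
        policy.setExcludeDefaultAttributes(true);
        return policy;
    }

    /**
     * Maps a requested SAML attribute URI to the IdP attribute ID configured in the form data.
     *
     * @param attributeUri the URI requested by the SP
     * @return the attribute ID whose configured URI equals the requested one, if any
     */
    private Optional<String> mapAttribute(String attributeUri) {
        return this.formData.getSamlIdpAttributeUriIds().entrySet().stream()
            .filter(entry -> Objects.equals(entry.getValue(), attributeUri))
            .map(entry -> entry.getKey())
            .findFirst();
    }
}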
