package org.apereo.cas.support.saml.services.idp.metadata.cache.resolver;

import java.time.Duration;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.xml.namespace.QName;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties;
import org.apereo.cas.configuration.model.support.saml.idp.metadata.SamlIdPMetadataProperties;
import org.apereo.cas.support.saml.InMemoryResourceMetadataResolver;
import org.apereo.cas.support.saml.OpenSamlConfigBean;
import org.apereo.cas.support.saml.SamlUtils;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.support.saml.services.idp.metadata.SamlMetadataDocument;
import org.apereo.cas.util.LoggingUtils;
import org.apereo.cas.util.RegexUtils;
import org.apereo.cas.util.ResourceUtils;
import org.apereo.cas.util.spring.SpringExpressionLanguageValueResolver;
import org.opensaml.saml.metadata.resolver.filter.MetadataFilter;
import org.opensaml.saml.metadata.resolver.filter.MetadataFilterChain;
import org.opensaml.saml.metadata.resolver.filter.impl.EntityRoleFilter;
import org.opensaml.saml.metadata.resolver.filter.impl.PredicateFilter;
import org.opensaml.saml.metadata.resolver.filter.impl.RequiredValidUntilFilter;
import org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter;
import org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.io.Resource;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-saml-idp-metadata-6.5.8.jar:org/apereo/cas/support/saml/services/idp/metadata/cache/resolver/BaseSamlRegisteredServiceMetadataResolver.class */
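/**
 * Base class for resolvers that turn the metadata of a {@link SamlRegisteredService} into an
 * initialized OpenSAML {@link AbstractMetadataResolver}.
 *
 * <p>Before initialization the resolver is given a filter chain assembled from the service
 * definition, in this order: maximum validity ({@link RequiredValidUntilFilter}), signature
 * validation ({@link SignatureValidationFilter}), entity role ({@link EntityRoleFilter}) and
 * entity-id pattern ({@link PredicateFilter}). Each filter is added only when the corresponding
 * service setting is present, so a service with none of them configured gets no filter chain.
 */
public abstract class BaseSamlRegisteredServiceMetadataResolver implements SamlRegisteredServiceMetadataResolver {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(BaseSamlRegisteredServiceMetadataResolver.class);

    /** SAML IdP settings; the metadata core settings are read when a resolver is configured. */
    protected final SamlIdPProperties samlIdPProperties;

    /** OpenSAML configuration; supplies the parser pool handed to each resolver. */
    protected final OpenSamlConfigBean configBean;

    /**
     * Adds an {@link EntityRoleFilter} when the service lists metadata criteria roles.
     *
     * @param samlRegisteredService service whose role criteria are read
     * @param list filter list to append to
     */
    private static void buildEntityRoleFilterIfNeeded(SamlRegisteredService samlRegisteredService, List<MetadataFilter> list) {
        String configuredRoles = samlRegisteredService.getMetadataCriteriaRoles();
        if (StringUtils.isBlank(configuredRoles)) {
            return;
        }
        List<QName> roles = new ArrayList<>();
        // Only the SP and IdP SSO descriptor names are recognized (case-insensitively); any other
        // entry is ignored without a log line, so a misspelt value can leave the role list empty.
        org.springframework.util.StringUtils.commaDelimitedListToSet(configuredRoles).forEach(role -> {
            if (role.equalsIgnoreCase(SPSSODescriptor.DEFAULT_ELEMENT_NAME.getLocalPart())) {
                LOGGER.debug("Added entity role filter [{}]", SPSSODescriptor.DEFAULT_ELEMENT_NAME);
                roles.add(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
            }
            if (role.equalsIgnoreCase(IDPSSODescriptor.DEFAULT_ELEMENT_NAME.getLocalPart())) {
                LOGGER.debug("Added entity role filter [{}]", IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
                roles.add(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
            }
        });
        EntityRoleFilter entityRoleFilter = new EntityRoleFilter(roles);
        entityRoleFilter.setRemoveEmptyEntitiesDescriptors(samlRegisteredService.isMetadataCriteriaRemoveEmptyEntitiesDescriptors());
        entityRoleFilter.setRemoveRolelessEntityDescriptors(samlRegisteredService.isMetadataCriteriaRemoveRolelessEntityDescriptors());
        list.add(entityRoleFilter);
        LOGGER.debug("Added entity role filter with roles [{}]", roles);
    }

    /**
     * Adds a {@link PredicateFilter} that matches entity ids against the service's criteria
     * pattern, when both a direction and a valid pattern are configured.
     *
     * <p>The whole entity id must match the pattern. An unknown direction value is not tolerated:
     * {@code Direction.valueOf} throws {@link IllegalArgumentException}, which stops the resolver
     * from being built with a filter other than the one configured.
     *
     * @param samlRegisteredService service whose direction and pattern criteria are read
     * @param list filter list to append to
     */
    private static void buildPredicateFilterIfNeeded(SamlRegisteredService samlRegisteredService, List<MetadataFilter> list) {
        String direction = samlRegisteredService.getMetadataCriteriaDirection();
        String pattern = samlRegisteredService.getMetadataCriteriaPattern();
        // NOTE(review): a pattern that is not a valid regex means no predicate filter at all, and
        // nothing is logged here; an intended EXCLUDE rule would silently not apply.
        if (StringUtils.isBlank(direction) || StringUtils.isBlank(pattern) || !RegexUtils.isValidRegex(pattern)) {
            return;
        }
        PredicateFilter.Direction filterDirection = PredicateFilter.Direction.valueOf(direction);
        LOGGER.debug("Metadata predicate filter configuring with direction [{}] and pattern [{}]", direction, pattern);
        // Compile once instead of on every entity descriptor; matcher(...).matches() is what
        // String.matches does internally, so the matching rule is unchanged.
        Pattern entityIdPattern = Pattern.compile(pattern);
        list.add(new PredicateFilter(filterDirection, entityDescriptor -> {
            String entityId = entityDescriptor.getEntityID();
            return StringUtils.isNotBlank(entityId) && entityIdPattern.matcher(entityId).matches();
        }));
        LOGGER.debug("Added metadata predicate filter with direction [{}] and pattern [{}]", direction, pattern);
    }

    /**
     * Applies the service's signed-root requirement to the filter and appends it to the list.
     *
     * <p>The requirement is set here, after the null check, so that every overload that builds a
     * filter honors {@code isRequireSignedRoot()}. Previously this method forced the flag to
     * {@code false}, which discarded the value the String overload had just applied and let
     * metadata with an unsigned root element through regardless of the service setting.
     *
     * @param samlRegisteredService service the filter is built for
     * @param signatureValidationFilter filter to add; {@code null} is treated as "signature material not located"
     * @param list filter list to append to
     */
    private static void addSignatureValidationFilterIfNeeded(SamlRegisteredService samlRegisteredService, SignatureValidationFilter signatureValidationFilter, List<MetadataFilter> list) {
        if (signatureValidationFilter == null) {
            // NOTE(review): this is fail-open. A signature source was configured but no filter
            // could be built, and the metadata is still loaded without signature validation.
            // Deployments that depend on signed metadata should alert on this warning.
            LOGGER.warn("Skipped metadata SignatureValidationFilter since signature cannot be located for [{}]", samlRegisteredService.getServiceId());
            return;
        }
        signatureValidationFilter.setRequireSignedRoot(samlRegisteredService.isRequireSignedRoot());
        list.add(signatureValidationFilter);
        LOGGER.debug("Added metadata SignatureValidationFilter for [{}]", samlRegisteredService.getServiceId());
    }

    /**
     * Adds a signature validation filter from the service's metadata signature location.
     *
     * <p>When no signature location is defined, no signature validation filter is added and the
     * metadata is accepted unverified; this is logged at INFO level only.
     *
     * @param samlRegisteredService service whose signature location is read
     * @param list filter list to append to
     * @throws Exception if the location cannot be resolved or the filter cannot be built
     */
    protected static void buildSignatureValidationFilterIfNeeded(SamlRegisteredService samlRegisteredService, List<MetadataFilter> list) throws Exception {
        String signatureLocation = samlRegisteredService.getMetadataSignatureLocation();
        if (StringUtils.isBlank(signatureLocation)) {
            LOGGER.info("Metadata signature location is undefined for [{}]; metadata signature validation will not be invoked", samlRegisteredService.getMetadataLocation());
            return;
        }
        // The location may contain a Spring expression, which is resolved before use.
        String resolvedLocation = SpringExpressionLanguageValueResolver.getInstance().resolve(signatureLocation);
        buildSignatureValidationFilterIfNeeded(samlRegisteredService, list, resolvedLocation);
    }

    /**
     * Adds a signature validation filter built from the given signature location.
     *
     * @param samlRegisteredService service the filter is built for
     * @param list filter list to append to
     * @param str location of the signature material
     * @throws Exception if the filter cannot be built
     */
    protected static void buildSignatureValidationFilterIfNeeded(SamlRegisteredService samlRegisteredService, List<MetadataFilter> list, String str) throws Exception {
        LOGGER.debug("Building SAML2 signature validation filter based on [{}]", str);
        // The signed-root flag is applied by the helper after its null check; setting it here
        // first would dereference a filter that the helper is prepared to find missing.
        addSignatureValidationFilterIfNeeded(samlRegisteredService, SamlUtils.buildSignatureValidationFilter(str), list);
    }

    /**
     * Adds a signature validation filter built from the given signature resource.
     *
     * @param samlRegisteredService service the filter is built for
     * @param list filter list to append to
     * @param resource resource holding the signature material
     * @throws Exception if the filter cannot be built
     */
    protected static void buildSignatureValidationFilterIfNeeded(SamlRegisteredService samlRegisteredService, List<MetadataFilter> list, Resource resource) throws Exception {
        addSignatureValidationFilterIfNeeded(samlRegisteredService, SamlUtils.buildSignatureValidationFilter(resource), list);
    }

    /**
     * Builds and initializes an in-memory metadata resolver from a stored metadata document.
     *
     * <p>If the document carries a signature, a signature validation filter is built from it
     * before the service-level filters are added.
     *
     * @param samlRegisteredService service the metadata belongs to
     * @param samlMetadataDocument document holding the metadata and, optionally, its signature
     * @return the initialized resolver, or {@code null} when anything fails; the failure is
     *     logged and not rethrown, so callers must handle {@code null}
     */
    protected AbstractMetadataResolver buildMetadataResolverFrom(SamlRegisteredService samlRegisteredService, SamlMetadataDocument samlMetadataDocument) {
        try {
            String resourceDescription = StringUtils.defaultString(samlRegisteredService.getDescription(), samlRegisteredService.getName());
            Resource metadataResource = ResourceUtils.buildInputStreamResourceFrom(samlMetadataDocument.getDecodedValue(), resourceDescription);
            InMemoryResourceMetadataResolver resolver = new InMemoryResourceMetadataResolver(metadataResource, this.configBean);
            List<MetadataFilter> filters = new ArrayList<>(1);
            if (StringUtils.isNotBlank(samlMetadataDocument.getSignature())) {
                Resource signatureResource = ResourceUtils.buildInputStreamResourceFrom(samlMetadataDocument.getSignature(), resourceDescription);
                buildSignatureValidationFilterIfNeeded(samlRegisteredService, filters, signatureResource);
            }
            configureAndInitializeSingleMetadataResolver(resolver, samlRegisteredService, filters);
            return resolver;
        } catch (Exception e) {
            // Deliberate best-effort: a resolver that cannot be built is reported as absent.
            LoggingUtils.error(LOGGER, e);
            return null;
        }
    }

    /**
     * Applies the IdP metadata core settings and the filter chain to the resolver, then
     * initializes it.
     *
     * @param abstractMetadataResolver resolver to configure and initialize
     * @param samlRegisteredService service the resolver is built for
     * @param list filters already collected by the caller; service-level filters are appended
     * @throws Exception if a filter cannot be built or initialization fails
     */
    protected void configureAndInitializeSingleMetadataResolver(AbstractMetadataResolver abstractMetadataResolver, SamlRegisteredService samlRegisteredService, List<MetadataFilter> list) throws Exception {
        SamlIdPMetadataProperties metadata = this.samlIdPProperties.getMetadata();
        abstractMetadataResolver.setParserPool(this.configBean.getParserPool());
        abstractMetadataResolver.setFailFastInitialization(metadata.getCore().isFailFast());
        abstractMetadataResolver.setRequireValidMetadata(metadata.getCore().isRequireValidMetadata());
        abstractMetadataResolver.setId(abstractMetadataResolver.getClass().getCanonicalName());
        // Filters must be attached before initialize() so they apply to the first metadata load.
        buildMetadataFilters(samlRegisteredService, abstractMetadataResolver, list);
        LOGGER.debug("Initializing metadata resolver from [{}]", samlRegisteredService.getMetadataLocation());
        abstractMetadataResolver.initialize();
        LOGGER.info("Initialized metadata resolver from [{}]", samlRegisteredService.getMetadataLocation());
    }

    /**
     * Configures and initializes the resolver starting from an empty filter list.
     *
     * <p>Decompiler note (JADX): access modifiers changed from: protected.
     *
     * @param abstractMetadataResolver resolver to configure and initialize
     * @param samlRegisteredService service the resolver is built for
     * @throws Exception if a filter cannot be built or initialization fails
     */
    public void configureAndInitializeSingleMetadataResolver(AbstractMetadataResolver abstractMetadataResolver, SamlRegisteredService samlRegisteredService) throws Exception {
        configureAndInitializeSingleMetadataResolver(abstractMetadataResolver, samlRegisteredService, new ArrayList<>(0));
    }

    /**
     * Collects the service-level filters and, if any exist, installs them on the resolver.
     *
     * @param samlRegisteredService service whose filter criteria are read
     * @param abstractMetadataResolver resolver that receives the filter chain
     * @param list filter list to append to; may already hold filters from the caller
     * @throws Exception if a filter cannot be built
     */
    protected void buildMetadataFilters(SamlRegisteredService samlRegisteredService, AbstractMetadataResolver abstractMetadataResolver, List<MetadataFilter> list) throws Exception {
        buildRequiredValidUntilFilterIfNeeded(samlRegisteredService, list);
        buildSignatureValidationFilterIfNeeded(samlRegisteredService, list);
        buildEntityRoleFilterIfNeeded(samlRegisteredService, list);
        buildPredicateFilterIfNeeded(samlRegisteredService, list);
        if (!list.isEmpty()) {
            addMetadataFiltersToMetadataResolver(abstractMetadataResolver, list);
        }
    }

    /**
     * Wraps the filters in a {@link MetadataFilterChain} and sets it on the resolver.
     *
     * @param abstractMetadataResolver resolver that receives the chain
     * @param list filters to install, applied in list order
     */
    protected void addMetadataFiltersToMetadataResolver(AbstractMetadataResolver abstractMetadataResolver, List<MetadataFilter> list) {
        MetadataFilterChain metadataFilterChain = new MetadataFilterChain();
        metadataFilterChain.setFilters(list);
        LOGGER.debug("Metadata filter chain initialized with [{}] filters", list.size());
        abstractMetadataResolver.setMetadataFilter(metadataFilterChain);
    }

    /**
     * Adds a {@link RequiredValidUntilFilter} when the service defines a positive maximum
     * validity, interpreted in seconds.
     *
     * @param samlRegisteredService service whose maximum validity is read
     * @param list filter list to append to
     */
    protected void buildRequiredValidUntilFilterIfNeeded(SamlRegisteredService samlRegisteredService, List<MetadataFilter> list) {
        if (samlRegisteredService.getMetadataMaxValidity() <= 0) {
            LOGGER.debug("No metadata maximum validity criteria is defined for [{}], so RequiredValidUntilFilter will not be invoked", samlRegisteredService.getMetadataLocation());
            return;
        }
        RequiredValidUntilFilter requiredValidUntilFilter = new RequiredValidUntilFilter();
        requiredValidUntilFilter.setMaxValidityInterval(Duration.ofSeconds(samlRegisteredService.getMetadataMaxValidity()));
        list.add(requiredValidUntilFilter);
        LOGGER.debug("Added metadata RequiredValidUntilFilter with max validity of [{}]", samlRegisteredService.getMetadataMaxValidity());
    }

    /**
     * Creates the resolver base with the IdP settings and OpenSAML configuration it relies on.
     *
     * <p>Decompiler note (JADX): access modifiers changed from: protected.
     *
     * @param samlIdPProperties SAML IdP settings
     * @param openSamlConfigBean OpenSAML configuration
     */
    @Generated
    public BaseSamlRegisteredServiceMetadataResolver(SamlIdPProperties samlIdPProperties, OpenSamlConfigBean openSamlConfigBean) {
        this.samlIdPProperties = samlIdPProperties;
        this.configBean = openSamlConfigBean;
    }
}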
