package pl.edu.icm.unity.saml.metadata.cfg;

import eu.emi.security.authn.x509.impl.CertificateUtils;
import eu.emi.security.authn.x509.impl.X500NameUtils;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Random;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.log4j.Logger;
import org.apache.xmlbeans.XmlException;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.exceptions.WrongArgumentException;
import pl.edu.icm.unity.saml.SamlProperties;
import pl.edu.icm.unity.saml.sp.SAMLSPProperties;
import pl.edu.icm.unity.server.api.PKIManagement;
import pl.edu.icm.unity.server.utils.Log;
import xmlbeans.org.oasis.saml2.metadata.EndpointType;
import xmlbeans.org.oasis.saml2.metadata.EntitiesDescriptorDocument;
import xmlbeans.org.oasis.saml2.metadata.EntityDescriptorType;
import xmlbeans.org.oasis.saml2.metadata.ExtensionsType;
import xmlbeans.org.oasis.saml2.metadata.IDPSSODescriptorType;
import xmlbeans.org.oasis.saml2.metadata.KeyDescriptorType;
import xmlbeans.org.oasis.saml2.metadata.KeyTypes;
import xmlbeans.org.oasis.saml2.metadata.LocalizedNameType;
import xmlbeans.org.oasis.saml2.metadata.OrganizationType;
import xmlbeans.org.oasis.saml2.metadata.extui.LogoType;
import xmlbeans.org.oasis.saml2.metadata.extui.UIInfoDocument;
import xmlbeans.org.oasis.saml2.metadata.extui.UIInfoType;
import xmlbeans.org.w3.x2000.x09.xmldsig.X509DataType;

/* loaded from: input_file:pl/edu/icm/unity/saml/metadata/cfg/MetaToSPConfigConverter.class */
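/**
 * Converts IdP entries found in SAML metadata into SAML SP (requester) configuration
 * properties and registers the IdPs' signing certificates in the local {@link PKIManagement}
 * store.
 * <p>
 * Only IdPs which declare SAML 2.0 support, publish at least one X.509 signing certificate and
 * expose an HTTP-Redirect/HTTP-POST or SOAP single sign-on endpoint are converted. An IdP which
 * already has a configuration entry (matched by entity ID) keeps every property that is already
 * set; only missing properties are filled in from metadata.
 */
public class MetaToSPConfigConverter extends AbstractMetaToConfigConverter {
    private static final Logger log = Log.getLogger("unity.server.saml", MetaToSPConfigConverter.class);

    private static final String SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol";
    private static final String BINDING_HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
    private static final String BINDING_HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";
    private static final String BINDING_SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP";
    private static final String MDUI_NAMESPACE = "urn:oasis:names:tc:SAML:metadata:ui";
    private static final String MDUI_UIINFO_ELEMENT = "UIInfo";
    /** Prefix of property keys generated for IdPs which have no existing configuration entry. */
    private static final String GENERATED_ENTRY_PREFIX = "unity.saml.requester.remoteIdp._entryFromMetadata_";
    /** Prefix of the names under which metadata-sourced certificates are stored in PKIManagement. */
    private static final String CERT_KEY_PREFIX = "_SP_METADATA_CERT_";

    private final PKIManagement pkiManagement;

    /**
     * @param pkiManagement store which receives the signing certificates of converted IdPs
     */
    public MetaToSPConfigConverter(PKIManagement pkiManagement) {
        this.pkiManagement = pkiManagement;
    }

    /**
     * Converts all entities of the given metadata document into SP configuration properties.
     *
     * @param metadata parsed SAML metadata (EntitiesDescriptor)
     * @param properties target properties, updated in place
     * @param spProperties current SP configuration, used to find existing IdP entries
     * @param configKey prefix of the metadata-source configuration entry being processed
     */
    public void convertToProperties(EntitiesDescriptorDocument metadata, Properties properties,
            SAMLSPProperties spProperties, String configKey) {
        super.convertToProperties(metadata, properties, (SamlProperties) spProperties, configKey);
    }

    /**
     * Converts a single entity descriptor. Each SAML 2.0 IdP role of the entity which has a
     * signing certificate and a usable SSO endpoint gets one entry per endpoint type (web, SOAP).
     *
     * @param entity entity descriptor from metadata
     * @param properties target properties, updated in place
     * @param samlProperties current SP configuration; must be a {@link SAMLSPProperties}
     * @param configKey prefix of the metadata-source configuration entry being processed
     */
    @Override
    protected void convertToProperties(EntityDescriptorType entity, Properties properties,
            SamlProperties samlProperties, String configKey) {
        SAMLSPProperties spProperties = (SAMLSPProperties) samlProperties;
        IDPSSODescriptorType[] idpDescriptors = entity.getIDPSSODescriptorArray();
        if (idpDescriptors == null || idpDescriptors.length == 0) {
            return;
        }
        String entityId = entity.getEntityID();
        Random random = new Random();
        for (IDPSSODescriptorType idp : idpDescriptors) {
            if (!supportsSaml2(idp)) {
                log.trace("IDP of entity " + entityId + " doesn't support SAML2 - ignoring.");
                continue;
            }
            List<X509Certificate> signingCerts = getSigningCerts(idp.getKeyDescriptorArray(), entityId);
            if (signingCerts.isEmpty()) {
                log.info("No signing certificate found for IdP, skipping it: " + entityId);
                continue;
            }
            EndpointType webEndpoint = selectWebEndpoint(idp);
            EndpointType soapEndpoint = selectSOAPEndpoint(idp);
            if (webEndpoint == null && soapEndpoint == null) {
                continue;
            }
            // Use the attribute's value, not merely its presence: WantAuthnRequestsSigned="false"
            // is a valid declaration and must not be read as "true". Absent means not required.
            boolean wantSignedRequests = idp.isSetWantAuthnRequestsSigned() && idp.getWantAuthnRequestsSigned();
            try {
                updatePKICerts(signingCerts, entityId);
                UIInfoType uiInfo = parseMDUIInfo(idp.getExtensions(), entityId);
                Map<String, String> names = getLocalizedNames(uiInfo, idp);
                Map<String, LogoType> logos = getLocalizedLogos(uiInfo);
                if (webEndpoint != null) {
                    addEntryToProperties(entityId, webEndpoint, wantSignedRequests, spProperties, configKey,
                            properties, random, signingCerts, names, logos);
                }
                if (soapEndpoint != null) {
                    addEntryToProperties(entityId, soapEndpoint, wantSignedRequests, spProperties, configKey,
                            properties, random, signingCerts, names, logos);
                }
            } catch (EngineException e) {
                log.error("Adding remote IDPs certs to local certs store failed, skipping IdP: " + entityId, e);
            }
        }
    }

    /**
     * Adds (or completes) the configuration entry of one IdP endpoint. For an IdP which already
     * has an entry only the properties that are not yet set are written.
     *
     * @param entityId IdP entity ID
     * @param endpoint selected SSO endpoint
     * @param wantSignedRequests whether the IdP requires signed authentication requests
     * @param spProperties current SP configuration, used to find an existing entry for the IdP
     * @param configKey prefix of the metadata-source configuration entry being processed
     * @param properties target properties, updated in place
     * @param random source of the numeric suffix for newly generated entry keys
     * @param signingCerts IdP signing certificates, already stored in PKIManagement
     * @param names localized display names, keyed by "." + language (empty key not used)
     * @param logos localized logos, keyed by "." + language or "" when no language is given
     */
    private void addEntryToProperties(String entityId, EndpointType endpoint, boolean wantSignedRequests,
            SAMLSPProperties spProperties, String configKey, Properties properties, Random random,
            List<X509Certificate> signingCerts, Map<String, String> names, Map<String, LogoType> logos) {
        String existingKey = getExistingKey(entityId, endpoint, spProperties);
        String translationProfile = spProperties.getValue(configKey + SAMLSPProperties.IDPMETA_TRANSLATION_PROFILE);
        String registrationForm = spProperties.getValue(configKey + SAMLSPProperties.IDPMETA_REGISTRATION_FORM);
        boolean freshEntry = existingKey == null;
        // The random suffix is only a unique-ish name for a generated entry, not a secret.
        String key = freshEntry ? GENERATED_ENTRY_PREFIX + random.nextInt() + "." : existingKey;

        setIfAbsent(properties, freshEntry, key + SAMLSPProperties.IDP_ID, entityId);
        setIfAbsent(properties, freshEntry, key + SAMLSPProperties.IDP_BINDING, convertBinding(endpoint.getBinding()));
        setIfAbsent(properties, freshEntry, key + SAMLSPProperties.IDP_ADDRESS, endpoint.getLocation());
        if (freshEntry || !properties.containsKey(key + "certificate")) {
            // Certificates are numbered from 1; an individually configured certificate N is never overwritten.
            int index = 1;
            for (X509Certificate cert : signingCerts) {
                String certKey = key + SAMLSPProperties.IDP_CERTIFICATES + index;
                if (!properties.containsKey(certKey)) {
                    properties.setProperty(certKey, getCertificateKey(cert, entityId));
                }
                index++;
            }
        }
        for (Map.Entry<String, String> name : names.entrySet()) {
            setIfAbsent(properties, freshEntry, key + SAMLSPProperties.IDP_NAME + name.getKey(), name.getValue());
        }
        for (Map.Entry<String, LogoType> logo : logos.entrySet()) {
            setIfAbsent(properties, freshEntry, key + SAMLSPProperties.IDP_LOGO + logo.getKey(),
                    logo.getValue().getStringValue());
        }
        setIfAbsent(properties, freshEntry, key + SAMLSPProperties.IDP_SIGN_REQUEST, Boolean.toString(wantSignedRequests));
        if (translationProfile != null) {
            setIfAbsent(properties, freshEntry, key + "translationProfile", translationProfile);
        }
        if (registrationForm != null) {
            setIfAbsent(properties, freshEntry, key + SAMLSPProperties.IDP_REGISTRATION_FORM, registrationForm);
        }
        log.debug("Added a trusted IdP loaded from SAML metadata: " + entityId + " with " + endpoint.getBinding() + " binding");
    }

    /**
     * Sets {@code key} to {@code value} when the entry is new or the key is not configured yet.
     *
     * @param properties target properties
     * @param freshEntry whether the entry is being created (then always set)
     * @param key full property key
     * @param value value to store
     */
    private void setIfAbsent(Properties properties, boolean freshEntry, String key, String value) {
        if (freshEntry || !properties.containsKey(key)) {
            properties.setProperty(key, value);
        }
    }

    /**
     * Stores the IdP's signing certificates in PKIManagement under metadata-derived names,
     * adding missing ones and replacing changed ones.
     *
     * @param certs certificates to store
     * @param entityId IdP entity ID, part of the certificate name
     * @throws EngineException when the PKI store cannot be updated
     */
    private void updatePKICerts(List<X509Certificate> certs, String entityId) throws EngineException {
        for (X509Certificate cert : certs) {
            String certKey = getCertificateKey(cert, entityId);
            try {
                if (!this.pkiManagement.getCertificate(certKey).equals(cert)) {
                    this.pkiManagement.updateCertificate(certKey, cert);
                }
            } catch (WrongArgumentException e) {
                // presumably thrown when no certificate is stored under certKey yet — treated as "add".
                this.pkiManagement.addCertificate(certKey, cert);
            }
        }
    }

    /**
     * Derives the PKIManagement name of a metadata certificate from the entity ID and the
     * certificate subject.
     * <p>
     * MD5 is used here purely as a name-shortening function, not for integrity; the stored
     * certificate itself is what is trusted. Changing the algorithm would rename every
     * certificate already stored, so it is kept for compatibility.
     *
     * @param cert certificate
     * @param entityId IdP entity ID
     * @return store name of the certificate
     */
    private String getCertificateKey(X509Certificate cert, String entityId) {
        String subject = X500NameUtils.getComparableForm(cert.getSubjectX500Principal().getName());
        return CERT_KEY_PREFIX + DigestUtils.md5Hex(entityId) + "#" + DigestUtils.md5Hex(subject);
    }

    /**
     * Extracts the X.509 signing certificates from the IdP's key descriptors. Descriptors
     * without a {@code use} attribute are usable for signing and are included as well.
     * Descriptors without an embedded certificate are logged and skipped; unparsable
     * certificates are logged and skipped.
     *
     * @param keyDescriptors key descriptors of the IdP role
     * @param entityId IdP entity ID, for logging
     * @return signing certificates, possibly empty, never null
     */
    private List<X509Certificate> getSigningCerts(KeyDescriptorType[] keyDescriptors, String entityId) {
        List<X509Certificate> certs = new ArrayList<>();
        if (keyDescriptors == null) {
            return certs;
        }
        for (KeyDescriptorType keyDescriptor : keyDescriptors) {
            if (keyDescriptor.isSetUse() && !KeyTypes.SIGNING.equals(keyDescriptor.getUse())) {
                continue;
            }
            X509DataType[] x509Data = keyDescriptor.getKeyInfo() == null
                    ? null : keyDescriptor.getKeyInfo().getX509DataArray();
            if (x509Data == null || x509Data.length == 0) {
                log.info("Key in SAML metadata is ignored as it doesn't contain X.509 certificate. Entity " + entityId);
                continue;
            }
            for (X509DataType data : x509Data) {
                byte[][] encodedCerts = data.getX509CertificateArray();
                // X509Data may hold only issuer/serial, SKI or subject name elements; indexing [0]
                // unconditionally would throw and abort the whole metadata conversion.
                if (encodedCerts == null || encodedCerts.length == 0) {
                    log.info("Key in SAML metadata is ignored as it doesn't contain X.509 certificate. Entity " + entityId);
                    continue;
                }
                try {
                    certs.add(CertificateUtils.loadCertificate(new ByteArrayInputStream(encodedCerts[0]),
                            CertificateUtils.Encoding.DER));
                } catch (IOException e) {
                    log.warn("Can not load/parse a certificate from metadata of " + entityId + ", ignoring it", e);
                }
            }
        }
        return certs;
    }

    /**
     * Maps a SAML binding URI to the SP configuration's binding name.
     *
     * @param bindingUri SAML 2.0 binding URI
     * @return configuration value of the binding
     * @throws IllegalStateException for a binding other than HTTP-POST, HTTP-Redirect or SOAP
     *         (the endpoint selection methods only return these three)
     */
    private String convertBinding(String bindingUri) {
        if (BINDING_HTTP_POST.equals(bindingUri)) {
            return SAMLSPProperties.Binding.HTTP_POST.toString();
        }
        if (BINDING_HTTP_REDIRECT.equals(bindingUri)) {
            return SAMLSPProperties.Binding.HTTP_REDIRECT.toString();
        }
        if (BINDING_SOAP.equals(bindingUri)) {
            return SAMLSPProperties.Binding.SOAP.toString();
        }
        throw new IllegalStateException("Unsupported binding: " + bindingUri);
    }

    /**
     * Finds the key of an already configured IdP entry with the given entity ID.
     *
     * @param entityId IdP entity ID
     * @param endpoint selected endpoint; currently not part of the match
     * @param spProperties current SP configuration
     * @return full key prefix of the existing entry, or null when the IdP is not configured
     */
    private String getExistingKey(String entityId, EndpointType endpoint, SAMLSPProperties spProperties) {
        for (String idpKey : spProperties.getStructuredListKeys(SAMLSPProperties.IDP_PREFIX)) {
            if (entityId.equals(spProperties.getValue(idpKey + SAMLSPProperties.IDP_ID))) {
                return SAMLSPProperties.P + idpKey;
            }
        }
        return null;
    }

    /**
     * @param idp IdP role descriptor
     * @return whether the SAML 2.0 protocol URI is listed in protocolSupportEnumeration
     */
    private boolean supportsSaml2(IDPSSODescriptorType idp) {
        List<?> protocols = idp.getProtocolSupportEnumeration();
        if (protocols == null) {
            return false;
        }
        for (Object protocol : protocols) {
            if (SAML2_PROTOCOL.equals(protocol)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Selects the web SSO endpoint: HTTP-Redirect is preferred, HTTP-POST is the fallback.
     * Endpoints without a binding or a location are ignored.
     *
     * @param idp IdP role descriptor
     * @return selected endpoint, or null when neither binding is offered
     */
    private EndpointType selectWebEndpoint(IDPSSODescriptorType idp) {
        EndpointType postEndpoint = null;
        for (EndpointType endpoint : idp.getSingleSignOnServiceArray()) {
            if (endpoint.getBinding() == null || endpoint.getLocation() == null) {
                continue;
            }
            if (BINDING_HTTP_REDIRECT.equals(endpoint.getBinding())) {
                return endpoint;
            }
            if (BINDING_HTTP_POST.equals(endpoint.getBinding())) {
                postEndpoint = endpoint;
            }
        }
        return postEndpoint;
    }

    /**
     * @param idp IdP role descriptor
     * @return the first SOAP SSO endpoint with both binding and location, or null
     */
    private EndpointType selectSOAPEndpoint(IDPSSODescriptorType idp) {
        for (EndpointType endpoint : idp.getSingleSignOnServiceArray()) {
            if (endpoint.getBinding() != null && endpoint.getLocation() != null
                    && BINDING_SOAP.equals(endpoint.getBinding())) {
                return endpoint;
            }
        }
        return null;
    }

    /**
     * Collects localized IdP names. Later sources override earlier ones for the same language:
     * organization name, then organization display name, then MDUI display name.
     *
     * @param uiInfo MDUI extension, may be null
     * @param idp IdP role descriptor
     * @return names keyed by "." + language
     */
    private Map<String, String> getLocalizedNames(UIInfoType uiInfo, IDPSSODescriptorType idp) {
        Map<String, String> names = new HashMap<>();
        OrganizationType organization = idp.getOrganization();
        if (organization != null) {
            addLocalizedNames(organization.getOrganizationNameArray(), names);
            addLocalizedNames(organization.getOrganizationDisplayNameArray(), names);
        }
        if (uiInfo != null) {
            addLocalizedNames(uiInfo.getDisplayNameArray(), names);
        }
        return names;
    }

    /**
     * Collects MDUI logos, keeping the tallest logo per language.
     *
     * @param uiInfo MDUI extension, may be null
     * @return logos keyed by "." + language, or "" for a logo without language
     */
    private Map<String, LogoType> getLocalizedLogos(UIInfoType uiInfo) {
        Map<String, LogoType> logos = new HashMap<>();
        if (uiInfo == null) {
            return logos;
        }
        LogoType[] logoArray = uiInfo.getLogoArray();
        if (logoArray == null) {
            return logos;
        }
        for (LogoType logo : logoArray) {
            String langKey = logo.getLang() == null ? "" : "." + logo.getLang();
            LogoType current = logos.get(langKey);
            // NOTE(review): assumes the height attribute is always present — confirm for non-validated metadata.
            if (current == null || current.getHeight().longValue() < logo.getHeight().longValue()) {
                logos.put(langKey, logo);
            }
        }
        return logos;
    }

    /**
     * Adds the names that carry a language to the map, keyed by "." + language.
     *
     * @param localizedNames names from metadata, may be null
     * @param target map to update
     */
    private void addLocalizedNames(LocalizedNameType[] localizedNames, Map<String, String> target) {
        if (localizedNames == null) {
            return;
        }
        for (LocalizedNameType localizedName : localizedNames) {
            String lang = localizedName.getLang();
            if (lang != null) {
                target.put("." + lang, localizedName.getStringValue());
            }
        }
    }

    /**
     * Finds and parses the MDUI UIInfo element among the role's extensions.
     *
     * @param extensions extensions of the IdP role, may be null
     * @param entityId IdP entity ID, for logging
     * @return parsed UIInfo, or null when absent or unparsable
     */
    private UIInfoType parseMDUIInfo(ExtensionsType extensions, String entityId) {
        if (extensions == null) {
            return null;
        }
        NodeList children = extensions.getDomNode().getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            Node child = children.item(i);
            if (child.getNodeType() != Node.ELEMENT_NODE) {
                continue;
            }
            Element element = (Element) child;
            if (!MDUI_UIINFO_ELEMENT.equals(element.getLocalName())
                    || !MDUI_NAMESPACE.equals(element.getNamespaceURI())) {
                continue;
            }
            try {
                return UIInfoDocument.Factory.parse(element).getUIInfo();
            } catch (XmlException e) {
                log.warn("Can not parse UIInfo metadata extension for " + entityId, e);
            }
        }
        return null;
    }
}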
