package pl.edu.icm.unity.saml.sp;

import eu.emi.security.authn.x509.X509Credential;
import eu.unicore.samly2.trust.CheckingMode;
import eu.unicore.samly2.trust.SamlTrustChecker;
import eu.unicore.samly2.trust.StrictSamlTrustChecker;
import eu.unicore.util.configuration.ConfigurationException;
import eu.unicore.util.configuration.DocumentationReferenceMeta;
import eu.unicore.util.configuration.DocumentationReferencePrefix;
import eu.unicore.util.configuration.PropertyMD;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import org.apache.log4j.Logger;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.PKIManagement;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.saml.SamlProperties;
import pl.edu.icm.unity.saml.ecp.SAMLECPProperties;
import pl.edu.icm.unity.saml.idp.SamlIdpProperties;
import xmlbeans.org.oasis.saml2.assertion.NameIDType;

/* loaded from: input_file:pl/edu/icm/unity/saml/sp/SAMLSPProperties.class */
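/* loaded from: input_file:pl/edu/icm/unity/saml/sp/SAMLSPProperties.class */
/**
 * Configuration of the SAML requester (service provider) side of the SAML authenticator.
 *
 * <p>On construction the configuration is validated: request signing requires a known local
 * credential and a binding that supports it, every metadata source that requires signed metadata
 * must name a known certificate, every explicitly configured IdP certificate must be loadable
 * from the PKI store (see {@link #getTrustChecker()}), and metadata publication requires a
 * metadata path. Certificates and credentials are always resolved by name through
 * {@link PKIManagement}; this class never reads key material from the property values themselves.
 *
 * <p>Instances are not thread-safe apart from {@link #setProperties(Properties)}, which is
 * synchronized.
 */
public class SAMLSPProperties extends SamlProperties {

    @DocumentationReferencePrefix
    public static final String P = "unity.saml.requester.";
    public static final String REQUESTER_ID = "requesterEntityId";
    public static final String CREDENTIAL = "requesterCredential";
    public static final String ACCEPTED_NAME_FORMATS = "acceptedNameFormats.";
    public static final String METADATA_PATH = "metadataPath";
    public static final String SLO_PATH = "sloPath";
    public static final String SLO_REALM = "sloRealm";
    public static final String DEF_SIGN_REQUEST = "defaultSignRequest";
    public static final String DEF_REQUESTED_NAME_FORMAT = "defaultRequestedNameFormat";
    public static final String REQUIRE_SIGNED_ASSERTION = "requireSignedAssertion";
    public static final String IDPMETA_PREFIX = "metadataSource.";
    public static final String IDPMETA_TRANSLATION_PROFILE = "perMetadataTranslationProfile";
    public static final String IDPMETA_REGISTRATION_FORM = "perMetadataRegistrationForm";
    public static final String IDP_PREFIX = "remoteIdp.";
    public static final String IDP_NAME = "name";
    public static final String IDP_LOGO = "logoURI";
    public static final String IDP_ID = "samlId";
    public static final String IDP_ADDRESS = "address";
    public static final String IDP_BINDING = "binding";
    public static final String IDP_CERTIFICATE = "certificate";
    public static final String IDP_CERTIFICATES = "certificates.";
    public static final String IDP_SIGN_REQUEST = "signRequest";
    public static final String IDP_REQUESTED_NAME_FORMAT = "requestedNameFormat";
    public static final String IDP_GROUP_MEMBERSHIP_ATTRIBUTE = "groupMembershipAttribute";
    public static final String DEFAULT_TRANSLATION_PROFILE = "sys:saml";

    /** Per-IdP translation profile key; has no dedicated public constant in this class. */
    private static final String IDP_TRANSLATION_PROFILE = "translationProfile";
    /** SAML name-id format under which trusted issuers are registered in the trust checker. */
    private static final String ENTITY_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity";

    /** Store used to resolve credential and certificate names to actual key material. */
    private PKIManagement pkiManagement;
    /** Private copy of the raw properties this object was built from; see {@link #getSourceProperties()}. */
    private Properties sourceProperties;
    private static final Logger log = Log.getLegacyLogger(SamlIdpProperties.LOG_PFX, SAMLSPProperties.class);

    @DocumentationReferenceMeta
    public static final Map<String, PropertyMD> META = new HashMap<>();

    /* loaded from: input_file:pl/edu/icm/unity/saml/sp/SAMLSPProperties$MetadataSignatureValidation.class */
    /** Whether a metadata source must be signed with the configured issuer certificate. */
    public enum MetadataSignatureValidation {
        require,
        ignore
    }

    /**
     * Creates and validates the configuration using the default {@link #META} definitions.
     *
     * @param properties raw configuration
     * @param pKIManagement store used to resolve credential and certificate names
     * @throws ConfigurationException if the configuration is incomplete or inconsistent
     */
    public SAMLSPProperties(Properties properties, PKIManagement pKIManagement) throws ConfigurationException {
        this(properties, META, pKIManagement);
    }

    /**
     * Copy constructor used by {@link #mo4clone()}.
     *
     * @param sAMLSPProperties instance to copy
     * @throws ConfigurationException propagated from the superclass copy constructor
     */
    protected SAMLSPProperties(SAMLSPProperties sAMLSPProperties) throws ConfigurationException {
        super(sAMLSPProperties);
        this.pkiManagement = sAMLSPProperties.pkiManagement;
        // Copy the entries rather than chaining them as defaults: Properties.putAll() (used by
        // getSourceProperties()) only sees direct entries, so a defaults-chained copy would
        // make the clone report an empty source configuration.
        this.sourceProperties = new Properties();
        this.sourceProperties.putAll(sAMLSPProperties.sourceProperties);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Creates and validates the configuration with an explicit metadata map.
     *
     * @param properties raw configuration
     * @param map property definitions used for parsing and documentation
     * @param pKIManagement store used to resolve credential and certificate names
     * @throws ConfigurationException if request signing, metadata sources, IdP certificates
     *         or metadata publication are misconfigured
     */
    public SAMLSPProperties(Properties properties, Map<String, PropertyMD> map, PKIManagement pKIManagement) throws ConfigurationException {
        super(P, properties, map, log);
        addCachedPrefixes(new String[]{"unity\\.saml\\.requester\\.remoteIdp\\.[^.]+\\.certificates\\.", "unity\\.saml\\.requester\\.remoteIdp\\.[^.]+\\.name\\."});
        this.sourceProperties = new Properties();
        this.sourceProperties.putAll(properties);
        this.pkiManagement = pKIManagement;
        validateRequestSigning();
        validateMetadataSources();
        // Built eagerly so that an IdP certificate missing from the PKI store fails at
        // configuration time instead of at the first login.
        getTrustChecker();
        if (getBooleanValue(SamlProperties.PUBLISH_METADATA).booleanValue() && !isSet(METADATA_PATH)) {
            throw new ConfigurationException("Metadata path " + getKeyDescription(METADATA_PATH) + " must be set if metadata publication is enabled.");
        }
    }

    /**
     * Checks that every IdP with request signing enabled uses a binding that can carry a
     * signature, and that a known local credential is configured when any IdP requires signing.
     */
    private void validateRequestSigning() throws ConfigurationException {
        boolean anySigned = false;
        for (String idpKey : getStructuredListKeys(IDP_PREFIX)) {
            boolean signed = isSignRequest(idpKey);
            anySigned |= signed;
            SamlProperties.Binding binding = (SamlProperties.Binding) getEnumValue(idpKey + IDP_BINDING, SamlProperties.Binding.class);
            if (signed && (binding == SamlProperties.Binding.HTTP_REDIRECT || binding == SamlProperties.Binding.SOAP)) {
                throw new ConfigurationException("IdP " + getName(idpKey) + " is configured to use HTTP Redirect binding or SOAP binding for ECP and at the same time Unity is configured to sign requests for this IdP. This is unsupported currently and against SAML interoperability specification.");
            }
        }
        if (!anySigned) {
            return;
        }
        String credentialName = getValue(CREDENTIAL);
        if (credentialName == null) {
            throw new ConfigurationException("Credential must be defined when request signing is enabled for at least one IdP.");
        }
        try {
            if (!pkiManagement.getCredentialNames().contains(credentialName)) {
                throw new ConfigurationException("Credential name is invalid - there is no such credential available '" + credentialName + "'.");
            }
        } catch (EngineException e) {
            throw new ConfigurationException("Can't esablish a list of known credentials", e);
        }
    }

    /**
     * Checks that every metadata source requiring signature validation names an issuer
     * certificate that exists in the PKI store.
     */
    private void validateMetadataSources() throws ConfigurationException {
        Set<String> metaKeys = getStructuredListKeys(IDPMETA_PREFIX);
        Set<String> knownCertificates;
        try {
            knownCertificates = pkiManagement.getCertificateNames();
        } catch (EngineException e) {
            throw new ConfigurationException("Can't retrieve available certificates", e);
        }
        for (String metaKey : metaKeys) {
            MetadataSignatureValidation validation = (MetadataSignatureValidation) getEnumValue(metaKey + SamlProperties.METADATA_SIGNATURE, MetadataSignatureValidation.class);
            if (validation != MetadataSignatureValidation.require) {
                continue;
            }
            String issuerCert = getValue(metaKey + SamlProperties.METADATA_ISSUER_CERT);
            if (issuerCert == null) {
                throw new ConfigurationException("For the " + metaKey + " entry the certificate for metadata signature verification is not set");
            }
            if (!knownCertificates.contains(issuerCert)) {
                throw new ConfigurationException("For the " + metaKey + " entry the certificate for metadata signature verification is incorrect: " + issuerCert);
            }
        }
    }

    /**
     * Replaces the configuration and logs how many explicitly configured IdPs it now holds.
     *
     * @param properties new raw configuration
     * @throws ConfigurationException propagated from the superclass
     */
    public synchronized void setProperties(Properties properties) throws ConfigurationException {
        long start = System.currentTimeMillis();
        super.setProperties(properties);
        int idpCount = getStructuredListKeys(IDP_PREFIX).size();
        log.info("Updated trusted IdPs configuration with " + idpCount + " explicit trusted providers, took " + (System.currentTimeMillis() - start) + "ms");
    }

    /**
     * Resolves the local requester credential from the PKI store.
     *
     * @return the credential, or {@code null} when none is configured or it cannot be loaded
     *         (the failure is logged, as a missing credential silently disables signing and
     *         decryption for callers that treat {@code null} as "not configured")
     */
    public X509Credential getRequesterCredential() {
        String credentialName = getValue(CREDENTIAL);
        if (credentialName == null) {
            return null;
        }
        try {
            return this.pkiManagement.getCredential(credentialName);
        } catch (EngineException e) {
            log.warn("Can't load the requester credential '" + credentialName + "'", e);
            return null;
        }
    }

    /**
     * Builds a strict trust checker holding the public keys of all explicitly configured IdPs.
     * The checking mode is driven by {@link #REQUIRE_SIGNED_ASSERTION}.
     *
     * @return a new checker with every configured IdP certificate registered under its entity id
     * @throws ConfigurationException if any referenced certificate cannot be loaded from the PKI store
     */
    public SamlTrustChecker getTrustChecker() throws ConfigurationException {
        CheckingMode mode = getBooleanValue(REQUIRE_SIGNED_ASSERTION).booleanValue()
                ? CheckingMode.REQUIRE_SIGNED_ASSERTION
                : CheckingMode.REQUIRE_SIGNED_RESPONSE_OR_ASSERTION;
        StrictSamlTrustChecker checker = new StrictSamlTrustChecker(mode);
        for (String idpKey : getStructuredListKeys(IDP_PREFIX)) {
            String entityId = getValue(idpKey + IDP_ID);
            for (String certName : getCertificateNames(idpKey)) {
                try {
                    checker.addTrustedIssuer(entityId, ENTITY_NAMEID_FORMAT, this.pkiManagement.getCertificate(certName).getPublicKey());
                } catch (EngineException e) {
                    throw new ConfigurationException("Remote SAML IdP certificate can not be loaded " + certName, e);
                }
            }
        }
        return checker;
    }

    /**
     * Returns the certificate names configured for an IdP, from both the single
     * {@link #IDP_CERTIFICATE} key and the {@link #IDP_CERTIFICATES} list.
     *
     * @param str IdP configuration key prefix
     * @return configured certificate names (possibly empty)
     */
    public Set<String> getCertificateNames(String str) {
        return getCertificateNames(str, IDP_CERTIFICATE, IDP_CERTIFICATES);
    }

    /**
     * Tells whether requests to the given IdP must be signed, falling back to
     * {@link #DEF_SIGN_REQUEST} when the per-IdP setting is absent.
     *
     * @param str IdP configuration key prefix
     * @return effective sign-request setting
     */
    public boolean isSignRequest(String str) {
        String key = str + IDP_SIGN_REQUEST;
        Boolean signRequest = isSet(key) ? getBooleanValue(key) : getBooleanValue(DEF_SIGN_REQUEST);
        return signRequest.booleanValue();
    }

    /**
     * Returns the name format to request from the given IdP, falling back to
     * {@link #DEF_REQUESTED_NAME_FORMAT} when the per-IdP setting is absent.
     *
     * @param str IdP configuration key prefix
     * @return requested name format, or {@code null} if neither level defines one
     */
    public String getRequestedNameFormat(String str) {
        String key = str + IDP_REQUESTED_NAME_FORMAT;
        return isSet(key) ? getValue(key) : getValue(DEF_REQUESTED_NAME_FORMAT);
    }

    /**
     * Checks that an IdP entry has everything needed to be used: entity id, address, at least
     * one certificate and a non-empty translation profile. Each missing element is logged.
     *
     * @param str IdP configuration key prefix
     * @return {@code true} if the entry is complete
     */
    public boolean isIdPDefinitionComplete(String str) {
        if (!isSet(str + IDP_ID)) {
            log.warn("No entityId for " + str + " ignoring IdP");
            return false;
        }
        String entityId = getValue(str + IDP_ID);
        if (!isSet(str + IDP_ADDRESS)) {
            log.warn("No address for " + entityId + " ignoring IdP");
            return false;
        }
        if (getCertificateNames(str).isEmpty()) {
            log.warn("No certificate for " + entityId + " ignoring IdP");
            return false;
        }
        String profile = getValue(str + IDP_TRANSLATION_PROFILE);
        if (profile == null || profile.isEmpty()) {
            log.warn("No translation profile for " + entityId + " ignoring IdP");
            return false;
        }
        return true;
    }

    /**
     * Finds the configuration key prefix of the IdP whose entity id equals the given name.
     *
     * @param nameIDType SAML issuer name
     * @return the IdP key prefix, or {@code null} if no configured IdP matches
     */
    public String getIdPConfigKey(NameIDType nameIDType) {
        String wanted = nameIDType.getStringValue();
        for (String idpKey : getStructuredListKeys(IDP_PREFIX)) {
            String entityId = getValue(idpKey + IDP_ID);
            if (entityId != null && entityId.equals(wanted)) {
                return idpKey;
            }
        }
        return null;
    }

    /**
     * Returns a copy of the raw properties this configuration was built from.
     *
     * @return a fresh {@link Properties} holding the same entries
     */
    @Override // pl.edu.icm.unity.saml.SamlProperties
    public Properties getSourceProperties() {
        Properties copy = new Properties();
        copy.putAll(this.sourceProperties);
        return copy;
    }

    /**
     * Returns the display name of an IdP for the given locale, falling back to
     * {@link #getName(String)} when no localized value is set.
     *
     * @param str IdP configuration key prefix
     * @param locale UI locale
     * @return localized or default display name
     */
    public String getLocalizedName(String str, Locale locale) {
        String localized = getLocalizedValue(str + IDP_NAME, locale);
        return localized != null ? localized : getName(str);
    }

    /**
     * Returns the display name of an IdP, falling back to its entity id when no name is set.
     *
     * @param str IdP configuration key prefix
     * @return configured name, else the IdP entity id
     */
    public String getName(String str) {
        String nameKey = str + IDP_NAME;
        return isSet(nameKey) ? getValue(nameKey) : getValue(str + IDP_ID);
    }

    /**
     * Finds the configuration key prefix of the IdP with the given entity id.
     *
     * @param str IdP entity id
     * @return the IdP key prefix, or {@code null} if no configured IdP matches
     */
    public String getPrefixOfIdP(String str) {
        for (String idpKey : getStructuredListKeys(IDP_PREFIX)) {
            if (str.equals(getValue(idpKey + IDP_ID))) {
                return idpKey;
            }
        }
        return null;
    }

    @Override // pl.edu.icm.unity.saml.SamlProperties
    /* renamed from: clone, reason: merged with bridge method [inline-methods] */
    /**
     * Returns a copy of this configuration sharing the same {@link PKIManagement}.
     */
    public SAMLSPProperties mo4clone() {
        return new SAMLSPProperties(this);
    }

    static {
        PropertyMD.DocumentationCategory commonCat = new PropertyMD.DocumentationCategory("Common settings", "01");
        PropertyMD.DocumentationCategory idpCat = new PropertyMD.DocumentationCategory("Manual settings of trusted IdPs", "03");
        // Explicitly configured IdPs.
        META.put(IDP_PREFIX, new PropertyMD().setStructuredList(false).setCategory(idpCat).setDescription("With this prefix configuration of trusted and enabled remote SAML IdPs is stored. There must be at least one IdP defined. If there are multiple ones defined, then the user can choose which one to use."));
        META.put(IDP_ADDRESS, new PropertyMD().setStructuredListEntry(IDP_PREFIX).setCategory(idpCat).setDescription("Address of the IdP endpoint."));
        META.put(IDP_BINDING, new PropertyMD(SamlProperties.Binding.HTTP_REDIRECT).setStructuredListEntry(IDP_PREFIX).setCategory(idpCat).setDescription("SAML binding to be used to send a request to the IdP. If you use 'SOAP' here then the IdP will be available only for ECP logins, not via the web browser login."));
        META.put(SamlProperties.REDIRECT_LOGOUT_URL, new PropertyMD().setStructuredListEntry(IDP_PREFIX).setCategory(idpCat).setDescription("Address of the IdP Single Logout Endpoint supporting HTTP Redirect binding."));
        META.put(SamlProperties.REDIRECT_LOGOUT_RET_URL, new PropertyMD().setStructuredListEntry(IDP_PREFIX).setCategory(idpCat).setDescription("Address of the IdP Single Logout response endpoint supporting HTTP Redirect binding. If undefined the base redirect endpoint address is used."));
        META.put(SamlProperties.POST_LOGOUT_URL, new PropertyMD().setStructuredListEntry(IDP_PREFIX).setCategory(idpCat).setDescription("Address of the IdP Single Logout Endpoint supporting HTTP POST binding."));
        META.put(SamlProperties.POST_LOGOUT_RET_URL, new PropertyMD().setStructuredListEntry(IDP_PREFIX).setCategory(idpCat).setDescription("Address of the IdP Single Logout response endpoint supporting HTTP POST binding. If undefined the base redirect endpoint address is used."));
        META.put(SamlProperties.SOAP_LOGOUT_URL, new PropertyMD().setStructuredListEntry(IDP_PREFIX).setCategory(idpCat).setDescription("Address of the IdP Single Logout Endpoint supporting SOAP binding."));
        META.put(IDP_NAME, new PropertyMD().setStructuredListEntry(IDP_PREFIX).setCategory(idpCat).setCanHaveSubkeys().setDescription("Displayed name of the IdP. If not defined then the name is created from the IdP address (what is rather not user friendly). The property can have subkeys being locale names; then the localized value is used if it is matching the selected locale of the UI."));
        META.put(IDP_LOGO, new PropertyMD().setStructuredListEntry(IDP_PREFIX).setCategory(idpCat).setCanHaveSubkeys().setDescription("Displayed logo of the IdP. If not defined then only the name is used. The value can be a file:, http(s): or data: URI. The last option allows for embedding the logo in the configuration. The property can have subkeys being locale names; then the localized value is used if it is matching the selected locale of the UI."));
        META.put(IDP_ID, new PropertyMD().setStructuredListEntry(IDP_PREFIX).setMandatory().setCategory(idpCat).setDescription("SAML entity identifier of the IdP."));
        // The IdP certificate(s) anchor signature verification of responses and assertions.
        META.put(IDP_CERTIFICATE, new PropertyMD().setStructuredListEntry(IDP_PREFIX).setCategory(idpCat).setDescription("Certificate name (as used in centralized PKI store) of the IdP. This certificate is used to verify signature of SAML response and included assertions. Therefore it is of highest importance for the whole system security."));
        META.put(IDP_CERTIFICATES, new PropertyMD().setStructuredListEntry(IDP_PREFIX).setCategory(idpCat).setList(false).setDescription("Using this property additional trusted certificates of an IdP can be added (when IdP uses more then one). See certificate for details. Those properties can be used together or alternatively."));
        META.put(IDP_SIGN_REQUEST, new PropertyMD("false").setCategory(idpCat).setStructuredListEntry(IDP_PREFIX).setDescription("Controls whether the requests for this IdP should be signed."));
        META.put(IDP_REQUESTED_NAME_FORMAT, new PropertyMD().setCategory(idpCat).setStructuredListEntry(IDP_PREFIX).setDescription("If defined then specifies what SAML name format should be requested from the IdP. If undefined then IdP is free to choose, however see the acceptedNameFormats. property. Value is arbitrary string, meaningful for the IdP. SAML specifies several standard formats: +urn:oasis:names:tc:SAML:2.0:nameid-format:persistent+, +urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress+, +urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName+ and  +urn:oasis:names:tc:SAML:2.0:nameid-format:transient+ are the most popular."));
        META.put(IDP_GROUP_MEMBERSHIP_ATTRIBUTE, new PropertyMD().setCategory(idpCat).setStructuredListEntry(IDP_PREFIX).setDescription("Defines a SAML attribute name which will be treated as an attribute carrying group membership information."));
        META.put(IDP_TRANSLATION_PROFILE, new PropertyMD(DEFAULT_TRANSLATION_PROFILE).setCategory(idpCat).setStructuredListEntry(IDP_PREFIX).setDescription("Name of a translation profile, which will be used to map remotely obtained attributes and identity to the local counterparts. The profile should at least map the remote identity."));
        META.put("registrationFormForUnknown", new PropertyMD().setCategory(idpCat).setStructuredListEntry(IDP_PREFIX).setDescription("Name of a registration form to be shown for a remotely authenticated principal who has no local account. If unset such users will be denied."));
        META.put("enableAccountAssociation", new PropertyMD().setCategory(idpCat).setStructuredListEntry(IDP_PREFIX).setDescription("If true then unknown remote user gets an option to associate the remote identity with an another local (already existing) account. Overrides the global setting."));
        // Requester-wide settings.
        META.put(REQUESTER_ID, new PropertyMD().setMandatory().setCategory(commonCat).setDescription("SAML entity ID (must be a URI) of the local SAML requester (or service provider)."));
        META.put(CREDENTIAL, new PropertyMD().setCategory(commonCat).setDescription("Local credential, used to sign requests and to decrypt encrypted assertions. If neither signing nor decryption is used it can be skipped."));
        META.put(SLO_PATH, new PropertyMD().setCategory(commonCat).setDescription("Last element of the URL, under which the SAML Single Logout functionality should be published for this SAML authenticator. Any suffix can be used, however it must be unique for all SAML authenticators in the system. If undefined the SLO functionality won't be enabled."));
        META.put(SLO_REALM, new PropertyMD().setCategory(commonCat).setDescription("Name of the authentication realm of the endpoints using this authenticator. This is needed to enable Single Logout functionality (if undefined the SLO functionality will be disabled). If this authenticator is used by endpoints placed in different realms and you still want to have SLO functionality you have to define one authenticator per realm."));
        META.put(METADATA_PATH, new PropertyMD().setCategory(SamlProperties.samlMetaCat).setDescription("Last element of the URL, under which the SAML metadata should be published for this SAML authenticator.Used only if metadata publication is enabled. See the SAML Metadata section for more details."));
        META.put(ACCEPTED_NAME_FORMATS, new PropertyMD().setList(false).setCategory(commonCat).setDescription("If defined then specifies what SAML name formatd are accepted from IdP. Useful when the property requestedNameFormat is undefined for at least one IdP. "));
        META.put(REQUIRE_SIGNED_ASSERTION, new PropertyMD("false").setCategory(commonCat).setDescription("SAML authN responses may be signed as a whole and/or may have signed individual assertions which are contained in the response. In general SAML SSO protocol requires assertions to be signed, but in the wild this is not always the case. If this optionis set to false, then response will be accepted also when it is signed, but its assertions are not."));
        META.put(DEF_SIGN_REQUEST, new PropertyMD("false").setCategory(commonCat).setDescription("Default setting of request signing. Used for those IdPs, for which the setting is not set explicitly."));
        META.put(DEF_REQUESTED_NAME_FORMAT, new PropertyMD().setCategory(commonCat).setDescription("Default setting of requested identity format. Used for those IdPs, for which the setting is not set explicitly."));
        META.put("defaultEnableAccountAssociation", new PropertyMD("true").setCategory(commonCat).setDescription("Default setting allowing to globally control whether account association feature is enabled. Used for those IdPs, for which the setting is not set explicitly."));
        META.put(SAMLECPProperties.JWT_P, new PropertyMD().setCanHaveSubkeys().setHidden());
        // Metadata-sourced IdPs.
        META.put(IDPMETA_TRANSLATION_PROFILE, new PropertyMD().setCategory(remoteMeta).setStructuredListEntry(IDPMETA_PREFIX).setDescription("Deafult translation profile for all the IdPs from the metadata. Can be overwritten by individual IdP configuration entries."));
        META.put(IDPMETA_REGISTRATION_FORM, new PropertyMD().setCategory(remoteMeta).setStructuredListEntry(IDPMETA_PREFIX).setDescription("Deafult registration form for all the IdPs from the metadata. Can be overwritten by individual IdP configuraiton entries."));
        // Identity mappings used to locate sessions during single logout.
        META.put(SamlProperties.IDENTITY_MAPPING_PFX, new PropertyMD().setStructuredList(false).setCategory(commonCat).setDescription("Prefix used to store mappings of SAML identity types to Unity identity types. Those mappings are used to reverse the mapping process of remote identity mapping into Unity representation (as configured with an input translation profile). This is used solely to provide a single logout functionality, where remote peer may request to logout an identity previously authenticated. Unity needs to be able to find this person's session to terminate it."));
        META.put(SamlProperties.IDENTITY_LOCAL, new PropertyMD().setStructuredListEntry(SamlProperties.IDENTITY_MAPPING_PFX).setMandatory().setCategory(commonCat).setDescription("Unity identity to which the SAML identity is mapped. If it is set to an empty value, then the mapping is disabled, what is useful for turning off the default mappings."));
        META.put(SamlProperties.IDENTITY_SAML, new PropertyMD().setStructuredListEntry(SamlProperties.IDENTITY_MAPPING_PFX).setMandatory().setCategory(commonCat).setDescription("SAML identity to be mapped"));
        META.putAll(SamlProperties.getDefaults(IDPMETA_PREFIX, "Under this prefix you can configure the remote trusted SAML IdPs however not providing all their details but only their metadata."));
    }
}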
