package org.apereo.cas.support.saml;

import java.util.Collection;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import lombok.Generated;
import net.shibboleth.shared.resolver.CriteriaSet;
import net.shibboleth.shared.resolver.Criterion;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPSamlRegisteredServiceCriterion;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.support.saml.services.idp.metadata.MetadataEntityAttributeQuery;
import org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor;
import org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceCachingMetadataResolver;
import org.apereo.cas.util.function.FunctionUtils;
import org.jooq.lambda.Unchecked;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.binding.SAMLBindingSupport;
import org.opensaml.saml.common.messaging.context.SAMLEndpointContext;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.common.profile.logic.EntityAttributesPredicate;
import org.opensaml.saml.metadata.criteria.entity.impl.EvaluableEntityRoleEntityDescriptorCriterion;
import org.opensaml.saml.metadata.resolver.ChainingMetadataResolver;
import org.opensaml.saml.metadata.resolver.MetadataResolver;
import org.opensaml.saml.metadata.resolver.RoleDescriptorResolver;
import org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.NameIDPolicy;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.opensaml.saml.saml2.core.StatusResponseType;
import org.opensaml.saml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml.saml2.metadata.Endpoint;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.saml2.metadata.SingleLogoutService;
import org.opensaml.saml.saml2.metadata.impl.AssertionConsumerServiceBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/support/saml/SamlIdPUtils.class */
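/**
 * Static helpers used by the SAML2 identity provider to pick response endpoints,
 * assemble metadata resolvers and read common values out of SAML objects.
 *
 * <p>This listing is decompiler output. Constructs that could not compile as emitted
 * (an undefined {@code r1} receiver, raw stream types, an endpoint variable typed
 * as {@code SingleLogoutService} while also holding an assertion consumer service)
 * have been restored to well-typed equivalents.
 */
public final class SamlIdPUtils {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(SamlIdPUtils.class);

    /**
     * Builds the owner label for a set of IdP metadata.
     *
     * @param optional the registered service the metadata belongs to, if any
     * @return {@code "CAS"} when no service is given, otherwise {@code name-id} of the service
     */
    public static String getSamlIdPMetadataOwner(Optional<SamlRegisteredService> optional) {
        return optional
            .map(service -> service.getName() + "-" + service.getId())
            .orElse("CAS");
    }

    /**
     * Records the peer entity id and the endpoint to respond to in the outbound message context.
     *
     * @param pair                                 the inbound request and its message context
     * @param messageContext                       the outbound context that receives the peer/endpoint subcontexts
     * @param samlRegisteredServiceMetadataAdaptor metadata view of the service provider
     * @param str                                  the SAML binding the endpoint must support
     * @throws SamlException if the metadata holds no assertion consumer service, or no usable
     *                       endpoint can be determined for the request
     */
    public static void preparePeerEntitySamlEndpointContext(Pair<? extends RequestAbstractType, MessageContext> pair, MessageContext messageContext, SamlRegisteredServiceMetadataAdaptor samlRegisteredServiceMetadataAdaptor, String str) throws SamlException {
        String entityId = samlRegisteredServiceMetadataAdaptor.getEntityId();
        if (!samlRegisteredServiceMetadataAdaptor.containsAssertionConsumerServices()) {
            throw new SamlException("No assertion consumer service could be found for entity " + entityId);
        }
        SAMLPeerEntityContext peerContext = messageContext.ensureSubcontext(SAMLPeerEntityContext.class);
        peerContext.setEntityId(entityId);
        SAMLEndpointContext endpointContext = peerContext.ensureSubcontext(SAMLEndpointContext.class);
        Endpoint endpoint = determineEndpointForRequest(pair, samlRegisteredServiceMetadataAdaptor, str);
        LOGGER.debug("Configured peer entity endpoint to be [{}] with binding [{}]", endpoint.getLocation(), endpoint.getBinding());
        endpointContext.setEndpoint(endpoint);
    }

    /**
     * Chooses the endpoint a response to the given request should be sent to.
     *
     * <p>Logout requests use the single logout service from metadata for the binding.
     * Any other request goes through assertion consumer service (ACS) selection, which
     * weighs the ACS named in the request against the ACS entries in metadata.
     *
     * @param pair                                 the inbound request and its message context
     * @param samlRegisteredServiceMetadataAdaptor metadata view of the service provider
     * @param str                                  the SAML binding the endpoint must support
     * @return an endpoint with a binding and at least one of location / response location
     * @throws SamlException if no endpoint is available, or the endpoint lacks a binding or
     *                       both locations
     */
    public static Endpoint determineEndpointForRequest(Pair<? extends RequestAbstractType, MessageContext> pair, SamlRegisteredServiceMetadataAdaptor samlRegisteredServiceMetadataAdaptor, String str) {
        RequestAbstractType request = pair.getLeft();
        // Declared as Endpoint: the value is either a SingleLogoutService or an AssertionConsumerService.
        Endpoint endpoint;
        if (request instanceof LogoutRequest) {
            endpoint = samlRegisteredServiceMetadataAdaptor.getSingleLogoutService(str);
        } else {
            AssertionConsumerService acsFromRequest = getAssertionConsumerServiceFromRequest(request, str, samlRegisteredServiceMetadataAdaptor);
            AssertionConsumerService acsFromMetadata = samlRegisteredServiceMetadataAdaptor.getAssertionConsumerService(str);
            endpoint = determineEndpointForRequest(request, samlRegisteredServiceMetadataAdaptor, str, acsFromRequest, acsFromMetadata, pair.getRight());
        }
        if (endpoint == null) {
            throw new SamlException("Endpoint for " + request.getSchemaType() + " is not available or does not define a binding for " + str);
        }
        boolean noLocation = StringUtils.isBlank(endpoint.getResponseLocation()) && StringUtils.isBlank(endpoint.getLocation());
        if (StringUtils.isBlank(endpoint.getBinding()) || noLocation) {
            throw new SamlException("Endpoint for " + request.getSchemaType() + " does not define a binding or location for binding " + str);
        }
        return endpoint;
    }

    /**
     * Decides between the ACS named in the request and the ACS registered in metadata.
     *
     * <p>The ACS location decides where the assertion is delivered, so a request-supplied
     * value is only used as-is when the request carries a signature; otherwise it must match
     * a location (or index) present in the service provider's metadata.
     *
     * @param request         the inbound request
     * @param adaptor         metadata view of the service provider
     * @param binding         the SAML binding in use
     * @param acsFromRequest  ACS built from the request, or {@code null} if the request names none
     * @param acsFromMetadata ACS taken from metadata for the binding
     * @param messageContext  the inbound message context, consulted for a binding-level signature
     * @return the ACS to respond to
     * @throws SamlException if an unsigned request names an ACS that metadata does not contain
     */
    private static AssertionConsumerService determineEndpointForRequest(RequestAbstractType request, SamlRegisteredServiceMetadataAdaptor adaptor, String binding, AssertionConsumerService acsFromRequest, AssertionConsumerService acsFromMetadata, MessageContext messageContext) {
        LOGGER.trace("ACS from authentication request is [{}], ACS from metadata is [{}] with binding [{}]", acsFromRequest, acsFromMetadata, binding);
        if (acsFromRequest == null) {
            return acsFromMetadata;
        }
        // NOTE(review): both checks report that a signature is present; nothing in this method
        // verifies it. On this path the request's ACS is not compared with metadata, so it is
        // only trustworthy if the signature is validated against the service provider's
        // registered key elsewhere in the flow - confirm in the callers.
        if (request.isSigned() || SAMLBindingSupport.isMessageSigned(messageContext)) {
            return acsFromRequest;
        }
        List<String> registeredLocations = StringUtils.isNotBlank(binding)
            ? adaptor.getAssertionConsumerServiceLocations(binding)
            : adaptor.getAssertionConsumerServiceLocations();
        String requestedLocation = StringUtils.defaultIfBlank(acsFromRequest.getResponseLocation(), acsFromRequest.getLocation());
        Integer acsIndex = request instanceof AuthnRequest authnRequest ? authnRequest.getAssertionConsumerServiceIndex() : null;
        // NOTE(review): the match ignores case and the endpoint is built from the request's
        // spelling rather than the metadata entry. URL paths can be case-sensitive, so an exact
        // match, or returning the registered value, would be stricter - confirm this is intended.
        if (StringUtils.isNotBlank(requestedLocation)
            && registeredLocations.stream().anyMatch(requestedLocation::equalsIgnoreCase)) {
            return buildAssertionConsumerService(binding, requestedLocation, acsIndex);
        }
        if (acsIndex != null) {
            Optional<String> indexedLocation = adaptor.getAssertionConsumerServiceFor(binding, acsIndex);
            if (indexedLocation.isPresent()) {
                return buildAssertionConsumerService(binding, indexedLocation.get(), acsIndex);
            }
        }
        throw new SamlException(String.format("Assertion consumer service [%s] cannot be located in metadata [%s]", requestedLocation, registeredLocations));
    }

    /**
     * Creates an ACS element marked as default, with location and response location both
     * set to the given URL.
     *
     * @param binding  the SAML binding
     * @param location the ACS URL
     * @param index    the ACS index, may be {@code null}
     * @return the populated ACS
     */
    private static AssertionConsumerService buildAssertionConsumerService(String binding, String location, Integer index) {
        AssertionConsumerService acs = new AssertionConsumerServiceBuilder().buildObject();
        acs.setBinding(binding);
        acs.setLocation(location);
        acs.setResponseLocation(location);
        acs.setIndex(index);
        acs.setIsDefault(Boolean.TRUE);
        return acs;
    }

    /**
     * Chains together the metadata resolvers of every registered SAML service for which the
     * adaptor lookup yields a result.
     *
     * @param servicesManager                             source of registered services
     * @param str                                         value handed to the adaptor lookup and used as the id of
     *                                                    the chaining resolver (presumably an entity id - confirm
     *                                                    against callers)
     * @param samlRegisteredServiceCachingMetadataResolver resolver used to build each service's adaptor
     * @return an initialized chaining resolver over the located resolvers
     */
    public static MetadataResolver getMetadataResolverForAllSamlServices(ServicesManager servicesManager, String str, SamlRegisteredServiceCachingMetadataResolver samlRegisteredServiceCachingMetadataResolver) {
        Collection<?> candidates = servicesManager.findServiceBy(SamlRegisteredService.class::isInstance);
        ChainingMetadataResolver chainingMetadataResolver = new ChainingMetadataResolver();
        List<MetadataResolver> resolvers = candidates.stream()
            .filter(SamlRegisteredService.class::isInstance)
            .map(SamlRegisteredService.class::cast)
            .map(service -> SamlRegisteredServiceMetadataAdaptor.get(samlRegisteredServiceCachingMetadataResolver, service, str))
            .filter(Optional::isPresent)
            .map(Optional::get)
            .map(SamlRegisteredServiceMetadataAdaptor::metadataResolver)
            .collect(Collectors.toList());
        LOGGER.debug("Located [{}] metadata resolvers to match against [{}]", resolvers, str);
        FunctionUtils.doUnchecked(ignored -> {
            chainingMetadataResolver.setResolvers(resolvers);
            chainingMetadataResolver.setId(str);
            chainingMetadataResolver.initialize();
        });
        return chainingMetadataResolver;
    }

    /**
     * Reads the issuer value from a request, a status response or an assertion.
     *
     * @param sAMLObject the SAML object to inspect
     * @return the issuer value, or {@code null} for any other object type
     * @throws NullPointerException if the object is one of the supported types but carries no
     *                              {@code Issuer} element; callers that pass unauthenticated
     *                              input should be prepared for this
     */
    public static String getIssuerFromSamlObject(SAMLObject sAMLObject) {
        if (sAMLObject instanceof RequestAbstractType request) {
            return request.getIssuer().getValue();
        }
        if (sAMLObject instanceof StatusResponseType response) {
            return response.getIssuer().getValue();
        }
        if (sAMLObject instanceof Assertion assertion) {
            return assertion.getIssuer().getValue();
        }
        return null;
    }

    /**
     * Builds a role descriptor resolver over the adaptor's metadata resolver.
     *
     * @param samlRegisteredServiceMetadataAdaptor metadata view of the service provider
     * @param z                                    whether the resolver must require valid metadata
     * @return an initialized role descriptor resolver
     * @throws Exception if the resolver fails to initialize
     */
    public static RoleDescriptorResolver getRoleDescriptorResolver(SamlRegisteredServiceMetadataAdaptor samlRegisteredServiceMetadataAdaptor, boolean z) throws Exception {
        return getRoleDescriptorResolver(samlRegisteredServiceMetadataAdaptor.metadataResolver(), z);
    }

    /**
     * Builds a predicate-based role descriptor resolver over the given metadata resolver.
     *
     * @param metadataResolver the metadata source
     * @param z                whether the resolver must require valid metadata; passing
     *                         {@code false} relaxes that requirement, so callers should do so
     *                         deliberately
     * @return an initialized role descriptor resolver
     * @throws Exception if the resolver fails to initialize
     */
    public static RoleDescriptorResolver getRoleDescriptorResolver(MetadataResolver metadataResolver, boolean z) throws Exception {
        PredicateRoleDescriptorResolver resolver = new PredicateRoleDescriptorResolver(metadataResolver);
        resolver.setSatisfyAnyPredicates(true);
        resolver.setUseDefaultPredicateRegistry(true);
        resolver.setRequireValidMetadata(z);
        resolver.initialize();
        return resolver;
    }

    /**
     * Returns the name id policy of an authentication request.
     *
     * @param requestAbstractType the inbound request
     * @return the policy, or empty when the request is not an {@code AuthnRequest} or has none
     */
    public static Optional<NameIDPolicy> getNameIDPolicy(RequestAbstractType requestAbstractType) {
        if (requestAbstractType instanceof AuthnRequest authnRequest) {
            return Optional.ofNullable(authnRequest.getNameIDPolicy());
        }
        return Optional.empty();
    }

    /**
     * Builds an ACS element from the URL or index named in an authentication request.
     *
     * <p>The URL comes from the request itself, or from metadata when the request supplies
     * only an index. A request-supplied URL is not checked against metadata here; that
     * decision is left to the caller.
     *
     * @param request the inbound request
     * @param binding the SAML binding in use
     * @param adaptor metadata view of the service provider
     * @return the ACS described by the request, or {@code null} when the request is not an
     *         {@code AuthnRequest}, names neither URL nor index, or the index cannot be resolved
     */
    private static AssertionConsumerService getAssertionConsumerServiceFromRequest(RequestAbstractType request, String binding, SamlRegisteredServiceMetadataAdaptor adaptor) {
        if (!(request instanceof AuthnRequest authnRequest)) {
            return null;
        }
        String acsUrl = authnRequest.getAssertionConsumerServiceURL();
        Integer acsIndex = authnRequest.getAssertionConsumerServiceIndex();
        if (StringUtils.isBlank(acsUrl) && acsIndex == null) {
            LOGGER.debug("No assertion consumer service url or index is supplied in the authentication request");
            return null;
        }
        if (StringUtils.isBlank(acsUrl)) {
            // The index is non-null here. Log the binding: the decompiled code passed the blank URL.
            LOGGER.debug("Locating assertion consumer service url for binding [{}] and index [{}]", binding, acsIndex);
            acsUrl = adaptor.getAssertionConsumerServiceFor(binding, acsIndex).orElseGet(() -> {
                LOGGER.warn("Unable to locate acs url in for entity [{}] and binding [{}] with index [{}]", adaptor.getEntityId(), binding, acsIndex);
                return null;
            });
        }
        if (StringUtils.isBlank(acsUrl)) {
            return null;
        }
        LOGGER.debug("Fetched assertion consumer service url [{}] with binding [{}] from authentication request", acsUrl, binding);
        AssertionConsumerService acs = new AssertionConsumerServiceBuilder().buildObject(AssertionConsumerService.DEFAULT_ELEMENT_NAME);
        acs.setBinding(binding);
        acs.setResponseLocation(acsUrl);
        acs.setLocation(acsUrl);
        acs.setIndex(acsIndex);
        return acs;
    }

    /**
     * Determines the name qualifier to place on the Name ID.
     *
     * <p>Order of preference: the service's own name id qualifier, then its issuer entity id,
     * then the entity id resolved from the IdP metadata for this service.
     *
     * @param samlRegisteredService the registered service
     * @param metadataResolver      resolver for the IdP metadata
     * @return the name qualifier
     * @throws NullPointerException if the metadata lookup is needed and yields no entity descriptor
     */
    public static String determineNameIdNameQualifier(SamlRegisteredService samlRegisteredService, MetadataResolver metadataResolver) {
        if (StringUtils.isNotBlank(samlRegisteredService.getNameIdQualifier())) {
            return samlRegisteredService.getNameIdQualifier();
        }
        boolean hasIssuerEntityId = StringUtils.isNotBlank(samlRegisteredService.getIssuerEntityId());
        String qualifier = FunctionUtils.doIf(hasIssuerEntityId, samlRegisteredService::getIssuerEntityId, Unchecked.supplier(() -> {
            CriteriaSet criteria = new CriteriaSet(
                new EvaluableEntityRoleEntityDescriptorCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME),
                new SamlIdPSamlRegisteredServiceCriterion(samlRegisteredService));
            LOGGER.trace("Resolving entity id from SAML2 IdP metadata to determine issuer for [{}]", samlRegisteredService.getName());
            return Objects.requireNonNull(metadataResolver.resolveSingle(criteria)).getEntityID();
        })).get();
        LOGGER.debug("Using name qualifier [{}] for the Name ID", qualifier);
        return qualifier;
    }

    /**
     * Tests an entity descriptor against a list of entity attribute queries.
     *
     * @param entityDescriptor the descriptor to test
     * @param list             the attribute queries
     * @return the result of the predicate built by {@link #buildEntityAttributePredicate(List)}
     */
    public static boolean doesEntityDescriptorMatchEntityAttribute(EntityDescriptor entityDescriptor, List<MetadataEntityAttributeQuery> list) {
        return buildEntityAttributePredicate(list).test(entityDescriptor);
    }

    /**
     * Converts entity attribute queries into an OpenSAML entity attributes predicate.
     *
     * @param list the attribute queries; each contributes one candidate with its name, format and values
     * @return the predicate over the resulting candidates
     */
    public static EntityAttributesPredicate buildEntityAttributePredicate(List<MetadataEntityAttributeQuery> list) {
        List<EntityAttributesPredicate.Candidate> candidates = list.stream().map(query -> {
            EntityAttributesPredicate.Candidate candidate = new EntityAttributesPredicate.Candidate(query.getName(), query.getFormat());
            candidate.setValues(query.getValues());
            return candidate;
        }).toList();
        // NOTE(review): the meaning of the boolean flag is not visible in this file - confirm against OpenSAML.
        return new EntityAttributesPredicate(candidates, true);
    }

    /** Not instantiable: every member is static. */
    @Generated
    private SamlIdPUtils() {
        throw new UnsupportedOperationException("This is a utility class and cannot be instantiated");
    }
}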
