package uk.gov.ida.saml.metadata.factories;

import io.dropwizard.setup.Environment;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import javax.ws.rs.client.Client;
import org.opensaml.saml.metadata.resolver.MetadataResolver;
import org.opensaml.saml.metadata.resolver.filter.MetadataFilter;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import uk.gov.ida.common.shared.security.X509CertificateFactory;
import uk.gov.ida.common.shared.security.verification.CertificateChainValidator;
import uk.gov.ida.common.shared.security.verification.PKIXParametersProvider;
import uk.gov.ida.saml.metadata.CertificateChainValidationFilter;
import uk.gov.ida.saml.metadata.ExpiredCertificateMetadataFilter;
import uk.gov.ida.saml.metadata.MetadataResolverConfiguration;
import uk.gov.ida.saml.metadata.PKIXSignatureValidationFilterProvider;

/* loaded from: input_file:uk/gov/ida/saml/metadata/factories/DropwizardMetadataResolverFactory.class */
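/**
 * Builds {@link MetadataResolver} instances for a Dropwizard {@link Environment} from a
 * {@link MetadataResolverConfiguration}.
 *
 * <p>When signature validation is enabled, the filter chain attached to the resolver is, in
 * order: PKIX signature validation against {@code getTrustStore()}, rejection of expired
 * certificates, and — for each optional trust store that is present — certificate-chain
 * validation of {@code SPSSODescriptor} elements (hub trust store) and of
 * {@code IDPSSODescriptor} elements (IDP trust store). When signature validation is disabled
 * the chain is empty and the fetched metadata is accepted unchecked.
 */
public class DropwizardMetadataResolverFactory {
    private final MetadataResolverFactory metadataResolverFactory = new MetadataResolverFactory();
    private final ExpiredCertificateMetadataFilter expiredCertificateMetadataFilter = new ExpiredCertificateMetadataFilter();
    private final MetadataClientFactory metadataClientFactory = new MetadataClientFactory();
    // One validator instance is shared by every chain-validation filter this factory creates.
    private final CertificateChainValidator certificateChainValidator = new CertificateChainValidator(new PKIXParametersProvider(), new X509CertificateFactory());

    /**
     * Creates a resolver with the full filter chain (signature validation enabled).
     *
     * @param environment the Dropwizard environment used to build the HTTP client
     * @param metadataResolverConfiguration source URI, trust stores and refresh delays
     * @return a resolver that validates metadata before exposing it
     */
    public MetadataResolver createMetadataResolver(Environment environment, MetadataResolverConfiguration metadataResolverConfiguration) {
        return createMetadataResolver(environment, metadataResolverConfiguration, true);
    }

    /**
     * Creates a resolver that applies no metadata filters at all: no signature validation, no
     * expired-certificate check and no certificate-chain validation. Metadata fetched from the
     * configured URI is trusted as-is, so this is only appropriate where the source is trusted
     * by other means (for example local test fixtures).
     *
     * @param environment the Dropwizard environment used to build the HTTP client
     * @param metadataResolverConfiguration source URI and refresh delays
     * @return a resolver with an empty filter chain
     */
    public MetadataResolver createMetadataResolverWithoutSignatureValidation(Environment environment, MetadataResolverConfiguration metadataResolverConfiguration) {
        return createMetadataResolver(environment, metadataResolverConfiguration, false);
    }

    /**
     * Creates a resolver, building the HTTP client from the environment and configuration.
     *
     * @param environment the Dropwizard environment used to build the HTTP client
     * @param metadataResolverConfiguration source URI, trust stores and refresh delays
     * @param validateSignatures {@code true} to attach the full filter chain, {@code false} for none
     * @return the configured resolver
     */
    public MetadataResolver createMetadataResolver(Environment environment, MetadataResolverConfiguration metadataResolverConfiguration, boolean validateSignatures) {
        Client client = this.metadataClientFactory.getClient(environment, metadataResolverConfiguration);
        return createMetadataResolverWithClient(metadataResolverConfiguration, validateSignatures, client);
    }

    /**
     * Creates a resolver using a caller-supplied HTTP client.
     *
     * @param metadataResolverConfiguration source URI, trust stores and refresh delays
     * @param validateSignatures {@code true} to attach the full filter chain, {@code false} for none
     * @param client the client used to fetch the metadata document
     * @return the configured resolver
     */
    public MetadataResolver createMetadataResolverWithClient(MetadataResolverConfiguration metadataResolverConfiguration, boolean validateSignatures, Client client) {
        List<MetadataFilter> filters = getMetadataFilters(
                metadataResolverConfiguration,
                validateSignatures,
                metadataResolverConfiguration.getHubTrustStore(),
                metadataResolverConfiguration.getIdpTrustStore());
        return this.metadataResolverFactory.create(
                client,
                metadataResolverConfiguration.getUri(),
                filters,
                metadataResolverConfiguration.getMinRefreshDelay().longValue(),
                metadataResolverConfiguration.getMaxRefreshDelay().longValue());
    }

    /**
     * Assembles the filter chain described on the class.
     *
     * @param metadataResolverConfiguration supplies the trust store for signature validation
     * @param validateSignatures when {@code false} an empty list is returned and nothing is checked
     * @param hubTrustStore when present, enables chain validation of {@code SPSSODescriptor} elements
     * @param idpTrustStore when present, enables chain validation of {@code IDPSSODescriptor} elements
     * @return an unmodifiable list of filters, in application order
     */
    private List<MetadataFilter> getMetadataFilters(MetadataResolverConfiguration metadataResolverConfiguration, boolean validateSignatures, Optional<KeyStore> hubTrustStore, Optional<KeyStore> idpTrustStore) {
        if (!validateSignatures) {
            return Collections.emptyList();
        }
        PKIXSignatureValidationFilterProvider signatureFilterProvider = new PKIXSignatureValidationFilterProvider(metadataResolverConfiguration.getTrustStore());
        List<MetadataFilter> filters = new ArrayList<>();
        // Signature validation runs first so later filters only see signed metadata.
        // m84get is the name as emitted by the decompiler; presumably the provider's get().
        filters.add(signatureFilterProvider.m84get());
        filters.add(this.expiredCertificateMetadataFilter);
        hubTrustStore.ifPresent(keyStore ->
                filters.add(new CertificateChainValidationFilter(SPSSODescriptor.DEFAULT_ELEMENT_NAME, this.certificateChainValidator, keyStore)));
        idpTrustStore.ifPresent(keyStore ->
                filters.add(new CertificateChainValidationFilter(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, this.certificateChainValidator, keyStore)));
        // The backing list does not escape this method, so no defensive copy is needed.
        return Collections.unmodifiableList(filters);
    }
}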
