package dk.gov.oio.saml.model;

import dk.gov.oio.saml.config.Configuration;
import dk.gov.oio.saml.service.CRLChecker;
import dk.gov.oio.saml.service.OIOSAML3Service;
import dk.gov.oio.saml.util.ExternalException;
import dk.gov.oio.saml.util.InternalException;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.net.URISyntaxException;
import java.net.URL;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import net.shibboleth.utilities.java.support.xml.BasicParserPool;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.apache.log4j.Logger;
import org.bouncycastle.util.encoders.Base64;
import org.joda.time.DateTime;
import org.opensaml.core.config.InitializationException;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver;
import org.opensaml.saml.metadata.resolver.impl.FilesystemMetadataResolver;
import org.opensaml.saml.metadata.resolver.impl.HTTPMetadataResolver;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.saml2.metadata.KeyDescriptor;
import org.opensaml.saml.saml2.metadata.SingleLogoutService;
import org.opensaml.security.credential.UsageType;
import org.opensaml.xmlsec.signature.X509Data;

/* loaded from: input_file:dk/gov/oio/saml/model/IdPMetadata.class */
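/**
 * Holds the SAML metadata of the configured Identity Provider and exposes the parts the
 * service provider needs: the {@link EntityDescriptor}, the IdP's SSO descriptor, its
 * X.509 certificates (filtered through {@link CRLChecker} when CRL/OCSP checking is
 * enabled) and its Single Logout endpoints.
 *
 * <p>Metadata is loaded either from a file (when a file path is configured) or from a URL,
 * through an OpenSAML reloading resolver whose min/max refresh delays come from
 * {@link Configuration}. The certificate lists are rebuilt by {@link #doRevocationCheck()}
 * whenever the resolver has reloaded metadata since the last revocation check.
 *
 * <p>Not thread-safe: the certificate lists and {@code lastCRLCheck} are mutated without
 * any synchronization.
 */
public class IdPMetadata {
    private static final Logger log = Logger.getLogger(IdPMetadata.class);

    /** The configured refresh delays are multiplied by this, i.e. they are given in hours. */
    private static final long MILLIS_PER_HOUR = 3600000L;
    private static final String SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol";
    private static final String HTTP_REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";

    // Certificates that passed the last revocation check (or all metadata certificates when
    // checking is disabled), keyed by the KeyDescriptor "use" they were published with.
    private List<X509Certificate> validEncryptionCertificates = new ArrayList<>();
    private List<X509Certificate> validSigningCertificates = new ArrayList<>();
    // use="unspecified" and KeyDescriptors with no use attribute at all.
    private List<X509Certificate> validUnspecifiedCertificates = new ArrayList<>();

    private final String entityId;
    private final String metadataURL;
    private final String metadataFilePath;
    private AbstractReloadingMetadataResolver resolver;
    // When the revocation check last completed successfully; null until the first success.
    private DateTime lastCRLCheck;

    /**
     * Creates the metadata holder and loads the metadata immediately.
     *
     * @param entityId         entityID of the IdP to look up in the metadata
     * @param metadataURL      URL to fetch the metadata from; ignored when a file path is given
     * @param metadataFilePath classpath resource or filesystem path of a metadata file, or null
     * @throws ExternalException if the metadata cannot be fetched or the resolver cannot be initialized
     * @throws InternalException if the resolver cannot be created or the entityID is not in the metadata
     */
    public IdPMetadata(String entityId, String metadataURL, String metadataFilePath) throws ExternalException, InternalException {
        this.entityId = entityId;
        this.metadataURL = metadataURL;
        this.metadataFilePath = metadataFilePath;
        getEntityDescriptor();
    }

    /**
     * Returns the IdP's {@link EntityDescriptor}, initializing the resolver and forcing a refresh
     * when the last refresh did not succeed.
     *
     * @return the descriptor for the configured entityID, never null
     * @throws ExternalException if the metadata cannot be refreshed
     * @throws InternalException if the configured entityID cannot be resolved from the metadata
     */
    public EntityDescriptor getEntityDescriptor() throws InternalException, ExternalException {
        initMetadataResolver();
        // wasLastRefreshSuccess() is a boxed Boolean; a null (no refresh reported yet) is treated
        // like a failed refresh instead of unboxing into an NPE.
        if (!Boolean.TRUE.equals(this.resolver.wasLastRefreshSuccess())) {
            if (log.isDebugEnabled()) {
                log.debug("Last Metadata was not successful, Refreshing metadata.");
            }
            try {
                this.resolver.refresh();
            } catch (ResolverException e) {
                throw new ExternalException("Could not get Metadata from url", e);
            }
        }
        CriteriaSet criteriaSet = new CriteriaSet();
        criteriaSet.add(new EntityIdCriterion(this.entityId));
        EntityDescriptor descriptor;
        try {
            descriptor = this.resolver.resolveSingle(criteriaSet);
        } catch (ResolverException e) {
            throw new InternalException("Configured entityID not found in metadata", e);
        }
        if (descriptor == null) {
            // resolveSingle reports "no match" as null rather than as an exception.
            throw new InternalException("Configured entityID not found in metadata: " + this.entityId);
        }
        return descriptor;
    }

    /**
     * Returns the IdP's SSO descriptor for the SAML 2.0 protocol.
     *
     * @return the descriptor, or null if the entity publishes none for SAML 2.0
     */
    public IDPSSODescriptor getSSODescriptor() throws ExternalException, InternalException {
        return getEntityDescriptor().getIDPSSODescriptor(SAML2_PROTOCOL);
    }

    /**
     * Returns the first valid certificate published for the given usage, falling back to a
     * certificate with unspecified usage when none matches.
     *
     * <p>Runs the revocation check first, so the result reflects CRL/OCSP status when that
     * checking is enabled. When the check is enabled the lists are built from a {@link Set},
     * so "first" carries no ordering guarantee in that case.
     *
     * @param usageType ENCRYPTION or SIGNING; anything else only consults the unspecified list
     * @return a certificate, or null if no valid certificate is available
     */
    public X509Certificate getValidX509Certificate(UsageType usageType) throws InternalException, ExternalException {
        doRevocationCheck();
        X509Certificate certificate = null;
        if (UsageType.ENCRYPTION.equals(usageType)) {
            certificate = firstOrNull(this.validEncryptionCertificates);
        } else if (UsageType.SIGNING.equals(usageType)) {
            certificate = firstOrNull(this.validSigningCertificates);
        }
        if (certificate == null) {
            certificate = firstOrNull(this.validUnspecifiedCertificates);
        }
        return certificate;
    }

    /** Returns the first element of the list, or null when the list is null or empty. */
    private static X509Certificate firstOrNull(List<X509Certificate> certificates) {
        return certificates == null || certificates.isEmpty() ? null : certificates.get(0);
    }

    /**
     * Parses the certificates of every KeyDescriptor in the SSO descriptor whose "use" equals
     * {@code usageType} (null matches descriptors without a use attribute).
     *
     * <p>Only the first X509Certificate of the first X509Data of each KeyDescriptor is read;
     * further certificates in the same KeyDescriptor are ignored.
     *
     * @throws InternalException if no X.509 {@link CertificateFactory} is available
     * @throws ExternalException if the SSO descriptor is missing or a certificate cannot be parsed
     */
    private List<X509Certificate> getAllX509CertificatesWithUsageType(UsageType usageType) throws InternalException, ExternalException {
        CertificateFactory factory;
        try {
            // Hoisted out of the loop: one factory parses every certificate.
            factory = CertificateFactory.getInstance("X.509");
        } catch (CertificateException e) {
            throw new InternalException("Could not create factory to parse X509 Certificate", e);
        }
        List<X509Certificate> certificates = new ArrayList<>();
        for (KeyDescriptor keyDescriptor : requireSSODescriptor().getKeyDescriptors()) {
            if (!Objects.equals(usageType, keyDescriptor.getUse())) {
                continue;
            }
            org.opensaml.xmlsec.signature.X509Certificate encoded = firstEncodedCertificate(keyDescriptor);
            if (encoded == null || encoded.getValue() == null) {
                continue;
            }
            try {
                byte[] der = Base64.decode(encoded.getValue());
                certificates.add((X509Certificate) factory.generateCertificate(new ByteArrayInputStream(der)));
            } catch (CertificateException e) {
                throw new ExternalException("Could not parse X509 Certificate from Metadata", e);
            }
        }
        return certificates;
    }

    /**
     * Returns the first X509Certificate element of the first X509Data in the descriptor's
     * KeyInfo, or null when the KeyInfo, X509Data or certificate list is absent or empty.
     */
    private static org.opensaml.xmlsec.signature.X509Certificate firstEncodedCertificate(KeyDescriptor keyDescriptor) {
        if (keyDescriptor.getKeyInfo() == null) {
            return null;
        }
        List<X509Data> x509Datas = keyDescriptor.getKeyInfo().getX509Datas();
        if (x509Datas == null || x509Datas.isEmpty()) {
            return null;
        }
        List<org.opensaml.xmlsec.signature.X509Certificate> encoded = x509Datas.get(0).getX509Certificates();
        if (encoded == null || encoded.isEmpty()) {
            return null;
        }
        return encoded.get(0);
    }

    /**
     * Returns the SSO descriptor or fails when the IdP publishes none for SAML 2.0, so callers
     * do not dereference null.
     */
    private IDPSSODescriptor requireSSODescriptor() throws ExternalException, InternalException {
        IDPSSODescriptor descriptor = getSSODescriptor();
        if (descriptor == null) {
            throw new ExternalException("No IDPSSODescriptor for the SAML 2.0 protocol found in metadata");
        }
        return descriptor;
    }

    /**
     * Returns the IdP's SingleLogoutService with the HTTP-Redirect binding.
     *
     * @throws ExternalException if the metadata has no such endpoint
     */
    public SingleLogoutService getLogoutEndpoint() throws ExternalException, InternalException {
        SingleLogoutService slo = findRedirectLogoutService();
        if (slo == null) {
            throw new ExternalException("Could not find SLO endpoint for Redirect binding in metadata");
        }
        return slo;
    }

    /**
     * Returns the URL to send LogoutResponses to: the HTTP-Redirect SingleLogoutService's
     * ResponseLocation, or its Location when ResponseLocation is absent or empty.
     *
     * @throws ExternalException if the metadata has no HTTP-Redirect SingleLogoutService
     */
    public String getLogoutResponseEndpoint() throws InternalException, ExternalException {
        SingleLogoutService slo = findRedirectLogoutService();
        if (slo == null) {
            throw new ExternalException("Unable to find SingleLogoutService with binding HTTPRedirect and an ResponseLocation");
        }
        String responseLocation = slo.getResponseLocation();
        // ResponseLocation is an optional attribute, so it may be null as well as empty.
        return responseLocation != null && !responseLocation.isEmpty() ? responseLocation : slo.getLocation();
    }

    /** Finds the first SingleLogoutService with the HTTP-Redirect binding, or null. */
    private SingleLogoutService findRedirectLogoutService() throws ExternalException, InternalException {
        for (SingleLogoutService slo : requireSSODescriptor().getSingleLogoutServices()) {
            if (HTTP_REDIRECT_BINDING.equals(slo.getBinding())) {
                return slo;
            }
        }
        return null;
    }

    /** @return when the revocation check last completed, or null if it never has */
    public DateTime getLastCRLCheck() {
        return this.lastCRLCheck;
    }

    /**
     * Rebuilds the valid-certificate lists from the metadata.
     *
     * <p>With CRL and OCSP checking both disabled, every certificate in the metadata is accepted.
     * Otherwise the lists are refreshed through {@link CRLChecker} the first time and whenever the
     * resolver reports a metadata update newer than the last successful check. A failing check is
     * logged and leaves the previous lists untouched; because {@code lastCRLCheck} is not advanced,
     * the check is attempted again on the next call.
     */
    private void doRevocationCheck() throws ExternalException, InternalException {
        Configuration config = OIOSAML3Service.getConfig();
        if (!config.isCRLCheckEnabled() && !config.isOcspCheckEnabled()) {
            // Revocation checking is off: everything in the metadata counts as valid.
            this.validEncryptionCertificates = getAllX509CertificatesWithUsageType(UsageType.ENCRYPTION);
            this.validSigningCertificates = getAllX509CertificatesWithUsageType(UsageType.SIGNING);
            this.validUnspecifiedCertificates = getUnspecifiedCertificates();
            return;
        }
        DateTime lastUpdate = this.resolver.getLastUpdate();
        boolean checkNeeded = this.lastCRLCheck == null
                || (lastUpdate != null && lastUpdate.isAfter(this.lastCRLCheck));
        if (!checkNeeded) {
            return;
        }
        try {
            // Collect all results before touching the fields so a failure part-way through
            // cannot leave one list updated and another stale.
            List<X509Certificate> encryption = revocationChecked(getAllX509CertificatesWithUsageType(UsageType.ENCRYPTION));
            List<X509Certificate> signing = revocationChecked(getAllX509CertificatesWithUsageType(UsageType.SIGNING));
            List<X509Certificate> unspecified = revocationChecked(getUnspecifiedCertificates());
            this.validEncryptionCertificates = encryption;
            this.validSigningCertificates = signing;
            this.validUnspecifiedCertificates = unspecified;
            this.lastCRLCheck = DateTime.now();
        } catch (ExternalException | InternalException | InitializationException e) {
            // Best effort, as before: keep the previously validated lists and retry on the next call.
            log.error("CRL check failed", e);
        }
    }

    /** Certificates whose KeyDescriptor has use="unspecified" or no use attribute at all. */
    private List<X509Certificate> getUnspecifiedCertificates() throws ExternalException, InternalException {
        List<X509Certificate> certificates = getAllX509CertificatesWithUsageType(UsageType.UNSPECIFIED);
        certificates.addAll(getAllX509CertificatesWithUsageType(null));
        return certificates;
    }

    /**
     * Runs the candidates through {@link CRLChecker} and returns those that passed as a new list
     * (empty when the checker returns null). Iteration order of the returned list follows the
     * checker's Set and is therefore not meaningful.
     */
    private List<X509Certificate> revocationChecked(List<X509Certificate> candidates)
            throws ExternalException, InternalException, InitializationException {
        Set<X509Certificate> passed = CRLChecker.checkCertificates(candidates, this.lastCRLCheck);
        return passed == null ? new ArrayList<X509Certificate>() : new ArrayList<>(passed);
    }

    /**
     * Creates and initializes the metadata resolver unless an initialized one already exists.
     * A file-based resolver is used when a metadata file path is configured, otherwise an
     * HTTP-based one.
     *
     * @throws InternalException if the resolver or its parser pool cannot be created/initialized,
     *                           or neither a file path nor a URL is configured
     * @throws ExternalException if the resolver fails to initialize (e.g. the metadata cannot be fetched)
     */
    private void initMetadataResolver() throws InternalException, ExternalException {
        if (this.resolver != null && this.resolver.isInitialized()) {
            return;
        }
        Configuration config = OIOSAML3Service.getConfig();
        try {
            if (this.metadataFilePath != null) {
                log.debug("MetadataFilePath supplied. Using file based metadata resolver");
                this.resolver = new FilesystemMetadataResolver(locateMetadataFile());
            } else {
                if (this.metadataURL == null) {
                    throw new InternalException("Neither a metadata file path nor a metadata URL is configured");
                }
                log.debug("MetadataFilePath not supplied. Using URL based metadata resolver");
                // The client is only created here, where it is actually used, and is handed to the
                // resolver; it is not closed by this class.
                this.resolver = new HTTPMetadataResolver(createHttpClient(config), this.metadataURL);
            }
            this.resolver.setId(this.entityId);
            // long arithmetic: an int product of 3600000 * hours overflows past ~596 hours.
            this.resolver.setMinRefreshDelay(MILLIS_PER_HOUR * config.getIdpMetadataMinRefreshDelay());
            this.resolver.setMaxRefreshDelay(MILLIS_PER_HOUR * config.getIdpMetadataMaxRefreshDelay());
            // NOTE(review): no parser features are set explicitly, so XML hardening (DTD/external
            // entity handling) relies on BasicParserPool's defaults — confirm for the java-support
            // version in use.
            BasicParserPool parserPool = new BasicParserPool();
            this.resolver.setParserPool(parserPool);
            try {
                parserPool.initialize();
            } catch (ComponentInitializationException e) {
                throw new InternalException("Could not initialize parser pool", e);
            }
            try {
                this.resolver.initialize();
            } catch (ComponentInitializationException e) {
                throw new ExternalException("Could not initialize MetadataResolver", e);
            }
        } catch (ResolverException | URISyntaxException | KeyManagementException | KeyStoreException | NoSuchAlgorithmException e) {
            throw new InternalException("Could not create MetadataResolver", e);
        }
    }

    /**
     * Resolves the configured metadata file: a classpath resource with the "file" protocol is used
     * directly, anything else falls back to interpreting the path on the filesystem.
     *
     * @throws InternalException if the resulting file does not exist
     */
    private File locateMetadataFile() throws InternalException, URISyntaxException {
        URL resource = getClass().getClassLoader().getResource(this.metadataFilePath);
        File file;
        if (resource != null && "file".equals(resource.getProtocol())) {
            file = new File(resource.toURI());
        } else {
            // A resource inside a jar has no File representation (new File(URI) would reject it).
            file = new File(this.metadataFilePath);
        }
        if (!file.exists()) {
            throw new InternalException("Could not get the configured metadata file at path: " + this.metadataFilePath);
        }
        return file;
    }

    /**
     * Builds the HTTP client for the metadata download. With {@code isSupportSelfSigned()} the
     * client trusts self-signed server certificates and disables hostname verification, so the
     * TLS layer then no longer authenticates the metadata source.
     * NOTE(review): presumably intended for test environments — confirm before enabling elsewhere.
     */
    private static CloseableHttpClient createHttpClient(Configuration config)
            throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException {
        if (!config.isSupportSelfSigned()) {
            return HttpClients.createDefault();
        }
        SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
                SSLContexts.custom().loadTrustMaterial((KeyStore) null, new TrustSelfSignedStrategy()).build(),
                NoopHostnameVerifier.INSTANCE);
        return HttpClients.custom().setSSLSocketFactory(socketFactory).build();
    }
}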
