package com.liferay.saml.admin.rest.internal.resource.v1_0;

import com.liferay.petra.string.StringBundler;
import com.liferay.portal.configuration.metatype.bnd.util.ConfigurableUtil;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.module.configuration.ConfigurationException;
import com.liferay.portal.kernel.search.Sort;
import com.liferay.portal.kernel.search.filter.Filter;
import com.liferay.portal.kernel.security.auth.CompanyThreadLocal;
import com.liferay.portal.kernel.security.auth.PrincipalException;
import com.liferay.portal.kernel.security.permission.PermissionChecker;
import com.liferay.portal.kernel.security.permission.PermissionThreadLocal;
import com.liferay.portal.kernel.util.GetterUtil;
import com.liferay.portal.kernel.util.HashMapDictionaryBuilder;
import com.liferay.portal.kernel.util.UnicodeProperties;
import com.liferay.portal.kernel.util.UnicodePropertiesBuilder;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.vulcan.pagination.Page;
import com.liferay.portal.vulcan.pagination.Pagination;
import com.liferay.saml.admin.rest.dto.v1_0.Idp;
import com.liferay.saml.admin.rest.dto.v1_0.SamlProvider;
import com.liferay.saml.admin.rest.dto.v1_0.Sp;
import com.liferay.saml.admin.rest.resource.v1_0.SamlProviderResource;
import com.liferay.saml.runtime.configuration.SamlConfiguration;
import com.liferay.saml.runtime.configuration.SamlProviderConfiguration;
import com.liferay.saml.runtime.configuration.SamlProviderConfigurationHelper;
import com.liferay.saml.runtime.exception.CredentialException;
import com.liferay.saml.runtime.exception.EntityIdException;
import com.liferay.saml.runtime.metadata.LocalEntityManager;
import java.io.Serializable;
import java.util.Collections;
import java.util.Dictionary;
import java.util.Map;
import java.util.function.Supplier;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.cm.ManagedServiceFactory;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ServiceScope;

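/**
 * REST resource exposing the SAML provider configuration of the current
 * company.
 *
 * <p>Every operation first requires the caller to be a company administrator
 * (see {@link #_checkPermission()}). Reads go through
 * {@code SamlProviderConfigurationHelper}; {@code PATCH} starts from the
 * current company configuration while {@code POST} starts from the
 * company-independent (companyId 0) configuration tracked by
 * {@link DefaultCompanyManagedServiceFactory}. Writes are persisted with
 * {@code SamlProviderConfigurationHelper#updateProperties}.
 *
 * <p>Key store credential passwords are accepted in request bodies and are
 * verified against the local key store before they are stored, but
 * {@link #getSamlProvider()} never returns them.
 */
@Component(configurationPid = {"com.liferay.saml.runtime.configuration.SamlConfiguration"}, properties = {"OSGI-INF/liferay/rest/v1_0/saml-provider.properties"}, scope = ServiceScope.PROTOTYPE, service = {SamlProviderResource.class})
public class SamlProviderResourceImpl extends BaseSamlProviderResourceImpl {

    private static final Log _log = LogFactoryUtil.getLog(SamlProviderResourceImpl.class);

    // Written by the ManagedServiceFactory callbacks (presumably on a
    // Configuration Admin thread) and read on request threads, hence volatile.
    private volatile SamlProviderConfiguration _defaultCompanySamlProviderConfiguration = _emptySamlProviderConfiguration();
    private volatile String _defaultCompanySamlProviderConfigurationPid;

    @Reference
    private LocalEntityManager _localEntityManager;

    private SamlConfiguration _samlConfiguration;

    @Reference
    private SamlProviderConfigurationHelper _samlProviderConfigurationHelper;

    private ServiceRegistration<?> _serviceRegistration;

    /**
     * Tracks the company-independent {@code SamlProviderConfiguration} (the
     * factory entry whose {@code companyId} is 0) so that
     * {@link #postSamlProvider(SamlProvider)} can use it as its starting point.
     */
    private class DefaultCompanyManagedServiceFactory implements ManagedServiceFactory {

        @Override
        public void deleted(String pid) {
            // Only react if the removed entry is the one we are tracking.
            if (pid.equals(_defaultCompanySamlProviderConfigurationPid)) {
                _defaultCompanySamlProviderConfiguration = _emptySamlProviderConfiguration();
                _defaultCompanySamlProviderConfigurationPid = null;
            }
        }

        @Override
        public String getName() {
            return DefaultCompanyManagedServiceFactory.class.getName();
        }

        @Override
        public void updated(String pid, Dictionary<String, ?> properties) {
            // Per-company entries are served by the helper; only the
            // company-independent entry (companyId 0) is kept here.
            if (GetterUtil.getLong(properties.get("companyId")) == 0) {
                _defaultCompanySamlProviderConfiguration = (SamlProviderConfiguration) ConfigurableUtil.createConfigurable(SamlProviderConfiguration.class, properties);
                _defaultCompanySamlProviderConfigurationPid = pid;
            }
        }

    }

    /**
     * Returns the current company's provider settings.
     *
     * @return the provider DTO; only non-secret settings (enabled, entity ID,
     *         sign-metadata, SSL-required) plus the role-specific sub-object
     *         are populated, credential passwords are never exposed
     * @throws Exception if the caller is not a company administrator
     */
    @Override
    public SamlProvider getSamlProvider() throws Exception {
        _checkPermission();

        SamlProviderConfiguration samlProviderConfiguration = _samlProviderConfigurationHelper.getSamlProviderConfiguration();

        SamlProvider samlProvider = new SamlProvider() {
            {
                setEnabled(samlProviderConfiguration::enabled);
                setEntityId(samlProviderConfiguration::entityId);
                setSignMetadata(samlProviderConfiguration::signMetadata);
                setSslRequired(samlProviderConfiguration::sslRequired);
            }
        };

        String role = samlProviderConfiguration.role();

        // A provider without a recognised role has neither sub-object set.
        if ("sp".equals(role)) {
            samlProvider.setRole(() -> SamlProvider.Role.SP);
            samlProvider.setSp(() -> _getSp(samlProviderConfiguration));
        }
        else if ("idp".equals(role)) {
            samlProvider.setIdp(() -> _getIdp(samlProviderConfiguration));
            samlProvider.setRole(() -> SamlProvider.Role.IDP);
        }

        return samlProvider;
    }

    /**
     * Applies {@code samlProvider} on top of the current company configuration.
     *
     * @return the resulting configuration as returned by {@link #getSamlProvider()}
     * @throws Exception if the caller is not a company administrator or the
     *         update is rejected (see {@link #_updateSamlProvider})
     */
    @Override
    public SamlProvider patchSamlProvider(SamlProvider samlProvider) throws Exception {
        _checkPermission();

        return _updateSamlProvider(samlProvider, _samlProviderConfigurationHelper.getSamlProviderConfiguration());
    }

    /**
     * Applies {@code samlProvider} on top of the company-independent default
     * configuration, i.e. values not present in the request fall back to the
     * defaults rather than to the company's current settings.
     *
     * @return the resulting configuration as returned by {@link #getSamlProvider()}
     * @throws Exception if the caller is not a company administrator or the
     *         update is rejected (see {@link #_updateSamlProvider})
     */
    @Override
    public SamlProvider postSamlProvider(SamlProvider samlProvider) throws Exception {
        _checkPermission();

        return _updateSamlProvider(samlProvider, _defaultCompanySamlProviderConfiguration);
    }

    /**
     * Returns a single-element page holding the current provider. The filter,
     * pagination, sort and search arguments are accepted for API symmetry and
     * are ignored.
     *
     * @throws Exception if the caller is not a company administrator
     */
    @Override
    public Page<SamlProvider> read(Filter filter, Pagination pagination, Sort[] sorts, Map<String, Serializable> parameters, String search) throws Exception {
        _checkPermission();

        return Page.of(Collections.singleton(getSamlProvider()));
    }

    /**
     * Reads the component's own {@code SamlConfiguration} and registers the
     * factory that tracks the company-independent provider configuration.
     */
    @Activate
    protected void activate(BundleContext bundleContext, Map<String, Object> properties) {
        _samlConfiguration = (SamlConfiguration) ConfigurableUtil.createConfigurable(SamlConfiguration.class, properties);

        _serviceRegistration = bundleContext.registerService(ManagedServiceFactory.class, new DefaultCompanyManagedServiceFactory(), HashMapDictionaryBuilder.put("service.pid", "com.liferay.saml.runtime.configuration.SamlProviderConfiguration").build());
    }

    /**
     * Unregisters the factory registered in {@link #activate}.
     */
    @Deactivate
    protected void deactivate() {
        if (_serviceRegistration != null) {
            _serviceRegistration.unregister();
        }
    }

    /**
     * Verifies that the local key store holds a certificate for
     * {@code entityId} that opens with {@code keyStoreCredentialPassword}.
     *
     * @throws CredentialException if the check fails; the underlying exception
     *         is logged at WARN level and is not attached, so only the generic
     *         message reaches the caller
     */
    private void _authenticateLocalEntityCertificate(String keyStoreCredentialPassword, LocalEntityManager.CertificateUsage certificateUsage, String entityId) throws Exception {
        try {
            _localEntityManager.authenticateLocalEntityCertificate(keyStoreCredentialPassword, certificateUsage, entityId);
        }
        catch (Exception exception) {
            if (_log.isWarnEnabled()) {
                _log.warn(exception);
            }

            throw new CredentialException(StringBundler.concat("Unable to authenticate with the ", certificateUsage.name(), " certificate. Verify that the SAML KeyStore contains a ", "certificate for the entity ID and that it is protected ", "by the provided key credential password."));
        }
    }

    /**
     * Requires the current permission checker to be an administrator of the
     * current company.
     *
     * @throws PrincipalException.MustBeCompanyAdmin otherwise
     */
    private void _checkPermission() throws Exception {
        PermissionChecker permissionChecker = PermissionThreadLocal.getPermissionChecker();

        if (!permissionChecker.isCompanyAdmin(CompanyThreadLocal.getCompanyId().longValue())) {
            throw new PrincipalException.MustBeCompanyAdmin(permissionChecker.getUserId());
        }
    }

    /**
     * Returns a configuration object with no values set, used both for the
     * initial state and after the tracked configuration is deleted.
     */
    private static SamlProviderConfiguration _emptySamlProviderConfiguration() {
        return (SamlProviderConfiguration) ConfigurableUtil.createConfigurable(SamlProviderConfiguration.class, Collections.emptyMap());
    }

    /**
     * Builds the IdP sub-object from the configuration's IdP settings.
     */
    private Idp _getIdp(SamlProviderConfiguration samlProviderConfiguration) throws Exception {
        return new Idp() {
            {
                setAuthnRequestSignatureRequired(samlProviderConfiguration::authnRequestSignatureRequired);
                setDefaultAssertionLifetime(samlProviderConfiguration::defaultAssertionLifetime);
                setSessionMaximumAge(samlProviderConfiguration::sessionMaximumAge);
                setSessionTimeout(samlProviderConfiguration::sessionTimeout);
            }
        };
    }

    /**
     * Builds the SP sub-object from the configuration's SP settings. The
     * encryption credential password is intentionally not included.
     */
    private Sp _getSp(SamlProviderConfiguration samlProviderConfiguration) throws Exception {
        return new Sp() {
            {
                setAllowShowingTheLoginPortlet(samlProviderConfiguration::allowShowingTheLoginPortlet);
                setAssertionSignatureRequired(samlProviderConfiguration::assertionSignatureRequired);
                setClockSkew(samlProviderConfiguration::clockSkew);
                setLdapImportEnabled(samlProviderConfiguration::ldapImportEnabled);
                setSignAuthnRequest(samlProviderConfiguration::signAuthnRequest);
            }
        };
    }

    /**
     * Returns whether this request may not configure the IdP role.
     *
     * <p>When IdP role configuration is switched off in
     * {@code SamlConfiguration}, the role is only tolerated for a provider that
     * is already configured as IdP, and even then the request may not turn a
     * currently disabled provider on.
     *
     * @param enabled whether the request asks for the provider to be enabled
     */
    private boolean _isIdpRoleDisabled(boolean enabled, SamlProviderConfiguration samlProviderConfiguration) {
        if (_samlConfiguration.idpRoleConfigurationEnabled()) {
            return false;
        }

        String role = samlProviderConfiguration.role();

        if (Validator.isNull(role) || !role.equals("idp")) {
            return true;
        }

        return !samlProviderConfiguration.enabled() && enabled;
    }

    /**
     * Returns whether {@code role} is one of the two supported values,
     * {@code "idp"} or {@code "sp"}.
     */
    private boolean _isValidRole(String role) {
        if (Validator.isBlank(role)) {
            return false;
        }

        return role.equals("idp") || role.equals("sp");
    }

    /**
     * Writes the IdP settings (request value, or the configured value when the
     * request omits it) and sets the role to {@code "idp"}.
     */
    private void _setIdpProperties(Idp idp, SamlProviderConfiguration samlProviderConfiguration, UnicodeProperties unicodeProperties) {
        _setProperty(samlProviderConfiguration::defaultAssertionLifetime, "saml.idp.assertion.lifetime", unicodeProperties, _toNullableString(idp.getDefaultAssertionLifetime()));
        _setProperty(samlProviderConfiguration::authnRequestSignatureRequired, "saml.idp.authn.request.signature.required", unicodeProperties, _toNullableString(idp.getAuthnRequestSignatureRequired()));
        _setProperty(samlProviderConfiguration::sessionMaximumAge, "saml.idp.session.maximum.age", unicodeProperties, _toNullableString(idp.getSessionMaximumAge()));
        _setProperty(samlProviderConfiguration::sessionTimeout, "saml.idp.session.timeout", unicodeProperties, _toNullableString(idp.getSessionTimeout()));

        unicodeProperties.put("saml.role", "idp");
    }

    /**
     * Stores {@code value} under {@code key}, or the current configured value
     * (from {@code fallback}) when the request supplied none. The key is always
     * written, so the resulting properties are a complete snapshot rather than
     * a sparse patch.
     */
    private void _setProperty(Supplier<Object> fallback, String key, UnicodeProperties unicodeProperties, String value) {
        if (value == null) {
            unicodeProperties.put(key, _toNullableString(fallback.get()));
        }
        else {
            unicodeProperties.put(key, value);
        }
    }

    /**
     * Writes the role-independent settings. Note that the signing key store
     * credential password from the request is persisted here; it is verified
     * against the key store in {@link #_updateSamlProvider} before the
     * properties are committed.
     */
    private void _setSamlProviderProperties(SamlProvider samlProvider, SamlProviderConfiguration samlProviderConfiguration, UnicodeProperties unicodeProperties) {
        _setProperty(samlProviderConfiguration::enabled, "saml.enabled", unicodeProperties, _toNullableString(samlProvider.getEnabled()));
        _setProperty(samlProviderConfiguration::entityId, "saml.entity.id", unicodeProperties, samlProvider.getEntityId());
        _setProperty(samlProviderConfiguration::keyStoreCredentialPassword, "saml.keystore.credential.password", unicodeProperties, _toNullableString(samlProvider.getKeyStoreCredentialPassword()));
        _setProperty(samlProviderConfiguration::signMetadata, "saml.sign.metadata", unicodeProperties, _toNullableString(samlProvider.getSignMetadata()));
        _setProperty(samlProviderConfiguration::sslRequired, "saml.ssl.required", unicodeProperties, _toNullableString(samlProvider.getSslRequired()));
    }

    /**
     * Writes the SP settings and sets the role to {@code "sp"}. A supplied
     * encryption credential password is verified against the key store for
     * {@code entityId} before it is stored.
     *
     * @throws CredentialException if the encryption certificate cannot be
     *         opened with the supplied password
     */
    private void _setSpProperties(String entityId, SamlProviderConfiguration samlProviderConfiguration, Sp sp, UnicodeProperties unicodeProperties) throws Exception {
        if (sp.getKeyStoreEncryptionCredentialPassword() != null) {
            _authenticateLocalEntityCertificate(sp.getKeyStoreEncryptionCredentialPassword(), LocalEntityManager.CertificateUsage.ENCRYPTION, entityId);
        }

        // NOTE(review): the fallback for the encryption password is the
        // configured *signing* password (keyStoreCredentialPassword). When the
        // request omits the encryption password this copies the signing
        // password into "saml.keystore.encryption.credential.password". Confirm
        // against SamlProviderConfiguration whether a dedicated
        // encryption-password accessor should be used here instead.
        _setProperty(samlProviderConfiguration::keyStoreCredentialPassword, "saml.keystore.encryption.credential.password", unicodeProperties, _toNullableString(sp.getKeyStoreEncryptionCredentialPassword()));
        _setProperty(samlProviderConfiguration::allowShowingTheLoginPortlet, "saml.sp.allow.showing.the.login.portlet", unicodeProperties, _toNullableString(sp.getAllowShowingTheLoginPortlet()));
        _setProperty(samlProviderConfiguration::assertionSignatureRequired, "saml.sp.assertion.signature.required", unicodeProperties, _toNullableString(sp.getAssertionSignatureRequired()));
        _setProperty(samlProviderConfiguration::clockSkew, "saml.sp.clock.skew", unicodeProperties, _toNullableString(sp.getClockSkew()));
        _setProperty(samlProviderConfiguration::ldapImportEnabled, "saml.sp.ldap.import.enabled", unicodeProperties, _toNullableString(sp.getLdapImportEnabled()));
        _setProperty(samlProviderConfiguration::signAuthnRequest, "saml.sp.sign.authn.request", unicodeProperties, _toNullableString(sp.getSignAuthnRequest()));

        unicodeProperties.put("saml.role", "sp");
    }

    /**
     * Returns {@code String.valueOf(value)}, or {@code null} for {@code null}
     * (so that "not supplied" survives as {@code null} rather than "null").
     */
    private String _toNullableString(Object value) {
        if (value == null) {
            return null;
        }

        return String.valueOf(value);
    }

    /**
     * Validates {@code samlProvider} against {@code samlProviderConfiguration},
     * merges the two into a complete property set and persists it.
     *
     * <p>Checks performed, in order: a supplied entity ID may not exceed 1024
     * characters (an omitted one falls back to the configured value and is not
     * re-validated); whenever the provider is being enabled or a new signing
     * password is supplied, the signing certificate must open with the
     * effective password; the IdP role must be permitted and may not be
     * combined with the SP role; and a provider cannot be enabled without a
     * valid role.
     *
     * @return the persisted configuration as returned by {@link #getSamlProvider()}
     * @throws EntityIdException if the entity ID is too long
     * @throws CredentialException if a certificate check fails
     * @throws ConfigurationException if the role combination is invalid
     */
    private SamlProvider _updateSamlProvider(SamlProvider samlProvider, SamlProviderConfiguration samlProviderConfiguration) throws Exception {
        UnicodeProperties unicodeProperties = UnicodePropertiesBuilder.create(false).build();

        _setSamlProviderProperties(samlProvider, samlProviderConfiguration, unicodeProperties);

        String entityId = samlProvider.getEntityId();

        if (Validator.isNull(entityId)) {
            entityId = samlProviderConfiguration.entityId();
        }
        else if (entityId.length() > 1024) {
            throw new EntityIdException("Entity ID is longer than 1024 characters");
        }

        // Verify the signing certificate before anything is persisted; the
        // password falls back to the configured one when the request has none.
        if (GetterUtil.getBoolean(samlProvider.getEnabled()) || !Validator.isBlank(samlProvider.getKeyStoreCredentialPassword())) {
            _authenticateLocalEntityCertificate(GetterUtil.getString(samlProvider.getKeyStoreCredentialPassword(), samlProviderConfiguration.keyStoreCredentialPassword()), LocalEntityManager.CertificateUsage.SIGNING, entityId);
        }

        Idp idp = samlProvider.getIdp();
        Sp sp = samlProvider.getSp();

        if (idp != null) {
            // getEnabled() may be null on a PATCH that does not mention it;
            // treat that as "not enabling", consistent with the checks above.
            if (_isIdpRoleDisabled(GetterUtil.getBoolean(samlProvider.getEnabled()), samlProviderConfiguration)) {
                throw new ConfigurationException("The identity provider role is disabled");
            }

            if (sp != null) {
                throw new ConfigurationException("Identity and service provider roles are mutually exclusive");
            }

            _setIdpProperties(idp, samlProviderConfiguration, unicodeProperties);
        }
        else if (sp != null) {
            _setSpProperties(entityId, samlProviderConfiguration, sp, unicodeProperties);
        }

        // The effective role is the one just written, else the configured one.
        if (GetterUtil.getBoolean(samlProvider.getEnabled()) && !_isValidRole(GetterUtil.get((String) unicodeProperties.get("saml.role"), samlProviderConfiguration.role()))) {
            throw new ConfigurationException("Unable to enable a provider without a role");
        }

        _samlProviderConfigurationHelper.updateProperties(unicodeProperties);

        return getSamlProvider();
    }

}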
