package org.springframework.boot.autoconfigure.security.saml2;

import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.util.List;
import java.util.Map;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyProperties;
import org.springframework.boot.context.properties.PropertyMapper;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Conditional;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.Resource;
import org.springframework.core.log.LogMessage;
import org.springframework.security.converter.RsaKeyConverters;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

/* JADX INFO: Access modifiers changed from: package-private */
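@ConditionalOnMissingBean({RelyingPartyRegistrationRepository.class})
@Configuration(proxyBeanMethods = false)
@Conditional({RegistrationConfiguredCondition.class})
/**
 * Builds an in-memory {@link RelyingPartyRegistrationRepository} from the
 * {@code spring.security.saml2.relyingparty.registration.*} properties.
 * <p>
 * Each registration is built either from scratch or, when {@code metadata-uri}
 * is set, from the asserting party's metadata loaded from that location. In the
 * metadata case the metadata is what supplies the asserting party's details
 * (including its verification certificates), so the location must be one the
 * deployer trusts; the property-level {@code singlesignon.sign-request} is then
 * intentionally not applied (see {@link #mapAssertingParty}).
 * <p>
 * This is a cleaned-up form of decompiler output: the try-with-resources and
 * method-reference residue ({@code 0 != 0}, {@code r1}, {@code Stream<R>}) that
 * did not compile has been restored to ordinary Java.
 */
public class Saml2RelyingPartyRegistrationConfiguration {

    private static final Log logger = LogFactory.getLog(Saml2RelyingPartyRegistrationConfiguration.class);

    /**
     * Resolves asserting-party properties with a fallback to the deprecated
     * {@code identityprovider} properties, logging a deprecation warning when
     * the fallback is used.
     */
    public static class AssertingPartyProperties {

        private final Saml2RelyingPartyProperties.Registration registration;

        /** Registration id, used only to name the property in the deprecation warning. */
        private final String id;

        AssertingPartyProperties(Saml2RelyingPartyProperties.Registration registration, String id) {
            this.registration = registration;
            this.id = id;
        }

        String getMetadataUri() {
            return get("metadata-uri", Saml2RelyingPartyProperties.AssertingParty::getMetadataUri);
        }

        Saml2RelyingPartyProperties.AssertingParty.Verification getVerification() {
            return get("verification", Saml2RelyingPartyProperties.AssertingParty::getVerification);
        }

        String getEntityId() {
            return get("entity-id", Saml2RelyingPartyProperties.AssertingParty::getEntityId);
        }

        Saml2MessageBinding getSingleSignonBinding() {
            return get("singlesignon.binding", (assertingParty) -> assertingParty.getSinglesignon().getBinding());
        }

        String getSingleSignonUrl() {
            return get("singlesignon.url", (assertingParty) -> assertingParty.getSinglesignon().getUrl());
        }

        Boolean getSingleSignonSignRequest() {
            return get("singlesignon.sign-request",
                    (assertingParty) -> assertingParty.getSinglesignon().getSignRequest());
        }

        // The single-logout properties have no deprecated counterpart, so they are
        // read directly without the fallback.
        String getSinglelogoutUrl() {
            return this.registration.getAssertingparty().getSinglelogout().getUrl();
        }

        String getSinglelogoutResponseUrl() {
            return this.registration.getAssertingparty().getSinglelogout().getResponseUrl();
        }

        Saml2MessageBinding getSinglelogoutBinding() {
            return this.registration.getAssertingparty().getSinglelogout().getBinding();
        }

        /**
         * Read a value from the {@code assertingparty} properties, falling back to
         * the {@code identityprovider} properties (presumably the deprecated alias)
         * when the preferred value is {@code null}.
         * @param name property name, used in the deprecation warning only
         * @param getter accessor applied to either property object
         * @param <T> the property type
         * @return the preferred value, else the fallback value, else {@code null}
         */
        private <T> T get(String name, Function<Saml2RelyingPartyProperties.AssertingParty, T> getter) {
            T value = getter.apply(this.registration.getAssertingparty());
            if (value != null) {
                return value;
            }
            T deprecatedValue = getter.apply(this.registration.getIdentityprovider());
            if (deprecatedValue != null) {
                // Warn only when the deprecated property actually took effect.
                logger.warn(LogMessage.format(
                        "Property 'spring.security.saml2.relyingparty.registration.identityprovider.%1$s.%2$s' is deprecated, please use 'spring.security.saml2.relyingparty.registration.assertingparty.%1$s.%2$s' instead",
                        this.id, name));
            }
            return deprecatedValue;
        }

    }

    Saml2RelyingPartyRegistrationConfiguration() {
    }

    /**
     * Create the repository holding one registration per configured entry.
     * @param properties the SAML relying-party properties
     * @return an in-memory repository of all configured registrations
     */
    @Bean
    RelyingPartyRegistrationRepository relyingPartyRegistrationRepository(Saml2RelyingPartyProperties properties) {
        List<RelyingPartyRegistration> registrations = properties.getRegistration().entrySet().stream()
                .map(this::asRegistration).collect(Collectors.toList());
        return new InMemoryRelyingPartyRegistrationRepository(registrations);
    }

    private RelyingPartyRegistration asRegistration(Map.Entry<String, Saml2RelyingPartyProperties.Registration> entry) {
        return asRegistration(entry.getKey(), entry.getValue());
    }

    /**
     * Build a single registration.
     * @param id the registration id
     * @param properties the registration's properties
     * @return the built registration
     * @throws IllegalStateException if the asserting party wants signed authentication
     * requests but no signing credentials are configured
     * @throws IllegalArgumentException if a key or certificate cannot be read
     */
    private RelyingPartyRegistration asRegistration(String id, Saml2RelyingPartyProperties.Registration properties) {
        AssertingPartyProperties assertingParty = new AssertingPartyProperties(properties, id);
        // Read once: each read may log a deprecation warning when the fallback is used.
        String metadataUri = assertingParty.getMetadataUri();
        boolean usingMetadata = StringUtils.hasText(metadataUri);
        // With a metadata location, the asserting party details (entity id, SSO
        // endpoint, verification certificates, ...) come from that metadata; the
        // builder only needs the registration id on top of it.
        RelyingPartyRegistration.Builder builder = usingMetadata
                ? RelyingPartyRegistrations.fromMetadataLocation(metadataUri).registrationId(id)
                : RelyingPartyRegistration.withRegistrationId(id);
        builder.assertionConsumerServiceLocation(properties.getAcs().getLocation());
        builder.assertionConsumerServiceBinding(properties.getAcs().getBinding());
        builder.assertingPartyDetails(mapAssertingParty(properties, id, usingMetadata));
        builder.signingX509Credentials((credentials) -> properties.getSigning().getCredentials().stream()
                .map(this::asSigningCredential).forEach(credentials::add));
        builder.decryptionX509Credentials((credentials) -> properties.getDecryption().getCredentials().stream()
                .map(this::asDecryptionCredential).forEach(credentials::add));
        // Verification certificates configured in properties are added on top of
        // whatever the builder already holds (from metadata, if used).
        builder.assertingPartyDetails((details) -> details.verificationX509Credentials(
                (credentials) -> assertingParty.getVerification().getCredentials().stream()
                        .map(this::asVerificationCredential).forEach(credentials::add)));
        builder.singleLogoutServiceLocation(properties.getSinglelogout().getUrl());
        builder.singleLogoutServiceResponseLocation(properties.getSinglelogout().getResponseUrl());
        builder.singleLogoutServiceBinding(properties.getSinglelogout().getBinding());
        builder.entityId(properties.getEntityId());
        RelyingPartyRegistration registration = builder.build();
        // Fail fast at startup rather than at the first unsigned AuthnRequest.
        validateSigningCredentials(properties, registration.getAssertingPartyDetails().getWantAuthnRequestsSigned());
        return registration;
    }

    /**
     * Map the asserting-party properties onto the details builder. Only non-null
     * values are applied, so metadata-provided values survive unless overridden.
     * @param registration the registration's properties
     * @param id the registration id
     * @param usingMetadata whether the registration is built from metadata
     * @return the mapping consumer
     */
    private Consumer<RelyingPartyRegistration.AssertingPartyDetails.Builder> mapAssertingParty(
            Saml2RelyingPartyProperties.Registration registration, String id, boolean usingMetadata) {
        return (details) -> {
            AssertingPartyProperties properties = new AssertingPartyProperties(registration, id);
            PropertyMapper map = PropertyMapper.get().alwaysApplyingWhenNonNull();
            map.from(properties::getEntityId).to(details::entityId);
            map.from(properties::getSingleSignonBinding).to(details::singleSignOnServiceBinding);
            map.from(properties::getSingleSignonUrl).to(details::singleSignOnServiceLocation);
            // When metadata is used, the metadata's WantAuthnRequestsSigned flag is
            // authoritative and the property is deliberately ignored.
            map.from(properties::getSingleSignonSignRequest).when((signRequest) -> !usingMetadata)
                    .to(details::wantAuthnRequestsSigned);
            map.from(properties.getSinglelogoutUrl()).to(details::singleLogoutServiceLocation);
            map.from(properties.getSinglelogoutResponseUrl()).to(details::singleLogoutServiceResponseLocation);
            map.from(properties.getSinglelogoutBinding()).to(details::singleLogoutServiceBinding);
        };
    }

    /**
     * Assert that signing credentials exist when the asserting party requires
     * signed authentication requests.
     * @param properties the registration's properties
     * @param signRequest whether authentication requests must be signed
     * @throws IllegalStateException if signing is required but no credentials are configured
     */
    private void validateSigningCredentials(Saml2RelyingPartyProperties.Registration properties, boolean signRequest) {
        if (signRequest) {
            Assert.state(!properties.getSigning().getCredentials().isEmpty(),
                    "Signing credentials must not be empty when authentication requests require signing.");
        }
    }

    // Relying-party private key + certificate used to sign outgoing SAML messages.
    private Saml2X509Credential asSigningCredential(Saml2RelyingPartyProperties.Registration.Signing.Credential credential) {
        return new Saml2X509Credential(readPrivateKey(credential.getPrivateKeyLocation()),
                readCertificate(credential.getCertificateLocation()),
                Saml2X509Credential.Saml2X509CredentialType.SIGNING);
    }

    // Relying-party private key + certificate used to decrypt incoming assertions.
    private Saml2X509Credential asDecryptionCredential(Saml2RelyingPartyProperties.Decryption.Credential credential) {
        return new Saml2X509Credential(readPrivateKey(credential.getPrivateKeyLocation()),
                readCertificate(credential.getCertificateLocation()),
                Saml2X509Credential.Saml2X509CredentialType.DECRYPTION);
    }

    // Asserting-party certificate (no private key): used to verify its signatures and
    // to encrypt messages sent to it, so it must be a certificate known to belong to
    // that asserting party.
    private Saml2X509Credential asVerificationCredential(
            Saml2RelyingPartyProperties.AssertingParty.Verification.Credential credential) {
        return new Saml2X509Credential(readCertificate(credential.getCertificateLocation()),
                Saml2X509Credential.Saml2X509CredentialType.ENCRYPTION,
                Saml2X509Credential.Saml2X509CredentialType.VERIFICATION);
    }

    /**
     * Read a PKCS#8 RSA private key from the given location.
     * @param location the key resource; must be non-null and exist
     * @return the private key
     * @throws IllegalStateException if the location is missing or does not exist
     * @throws IllegalArgumentException if the key cannot be read or parsed; the
     * message names the location only, never key material
     */
    private RSAPrivateKey readPrivateKey(Resource location) {
        Assert.state(location != null, "No private key location specified");
        Assert.state(location.exists(), () -> "Private key location '" + location + "' does not exist");
        try (InputStream inputStream = location.getInputStream()) {
            return RsaKeyConverters.pkcs8().convert(inputStream);
        }
        catch (Exception ex) {
            throw new IllegalArgumentException("Failed to read private key from '" + location + "'", ex);
        }
    }

    /**
     * Read an X.509 certificate from the given location.
     * @param location the certificate resource; must be non-null and exist
     * @return the certificate
     * @throws IllegalStateException if the location is missing or does not exist
     * @throws IllegalArgumentException if the certificate cannot be read or parsed
     */
    private X509Certificate readCertificate(Resource location) {
        Assert.state(location != null, "No certificate location specified");
        Assert.state(location.exists(), () -> "Certificate  location '" + location + "' does not exist");
        try (InputStream inputStream = location.getInputStream()) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(inputStream);
        }
        catch (Exception ex) {
            throw new IllegalArgumentException("Failed to read certificate from '" + location + "'", ex);
        }
    }

}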
