package org.apereo.cas.support.saml.web.idp.profile.builders.attr;

import java.util.HashSet;
import lombok.Generated;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade;
import org.apereo.cas.support.saml.util.DefaultSaml20AttributeBuilder;
import org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectEncrypter;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml.saml2.core.EncryptedAttribute;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/support/saml/web/idp/profile/builders/attr/SamlProfileSamlRegisteredServiceAttributeBuilder.class */
/**
 * SAML 2.0 attribute builder that decides, per attribute, whether the value is added to the
 * {@link AttributeStatement} as a plain {@link Attribute} or as an {@link EncryptedAttribute}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>An attribute is encrypted only when the service has attribute encryption switched on
 *       <em>and</em> the attribute passes {@link #shouldEncryptAttribute(Attribute)}. In every
 *       other case the attribute is handed to the superclass builder unencrypted.</li>
 *   <li>A {@code null} or empty rule set, or one containing {@code "*"}, selects every attribute
 *       for encryption.</li>
 *   <li>Once explicit rules exist, an attribute whose name is not in the set is released without
 *       attribute-level encryption, and the only trace is a DEBUG log line. A rule that does not
 *       match the released attribute name therefore fails open; review the configured names
 *       against the names actually placed in the assertion.</li>
 *   <li>Log statements carry the service name and attribute names only, never attribute values.</li>
 * </ul>
 *
 * <p>NOTE(review): whether the enclosing assertion is encrypted separately is decided outside
 * this class and cannot be told from here.
 */
public class SamlProfileSamlRegisteredServiceAttributeBuilder extends DefaultSaml20AttributeBuilder {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(SamlProfileSamlRegisteredServiceAttributeBuilder.class);

    // Registered service whose encryption settings drive every decision below.
    private final SamlRegisteredService service;

    // Service-provider metadata facade, passed through to the encrypter.
    private final SamlRegisteredServiceServiceProviderMetadataFacade adaptor;

    // Stored by the constructor; not read anywhere in this class.
    private final MessageContext messageContext;

    // Performs the actual attribute encryption.
    private final SamlIdPObjectEncrypter samlObjectEncrypter;

    /**
     * Adds {@code attribute} to {@code attributeStatement}, encrypted or plain depending on the
     * service configuration.
     *
     * @param attributeStatement statement that receives the attribute
     * @param attribute          attribute to add
     */
    public void build(AttributeStatement attributeStatement, Attribute attribute) {
        // Same evaluation order as a negated OR: the per-attribute rule is consulted only when
        // the service-level switch is on.
        if (this.service.isEncryptAttributes() && shouldEncryptAttribute(attribute)) {
            // NOTE(review): the encrypter's result is added as-is; how an encryption failure is
            // reported is determined by SamlIdPObjectEncrypter, not here - confirm it cannot
            // fall back to releasing the attribute in the clear.
            EncryptedAttribute encrypted = this.samlObjectEncrypter.encode(attribute, this.service, this.adaptor);
            LOGGER.debug("Encrypted attribute [{}] for service [{}]", attribute.getName(), this.service.getName());
            attributeStatement.getEncryptedAttributes().add(encrypted);
            return;
        }

        // Plain path: the attribute goes out without attribute-level encryption.
        LOGGER.debug("Service [{}] is configured to not encrypt attributes for [{}]", this.service.getName(), attribute.getName());
        super.build(attributeStatement, attribute);
    }

    /**
     * Applies the service's encryptable-attribute rules to a single attribute.
     *
     * @param attribute attribute under consideration
     * @return {@code true} when no explicit rules are defined (null, empty, or containing
     *         {@code "*"}) or when the attribute name is in the rule set; {@code false} otherwise
     */
    private boolean shouldEncryptAttribute(Attribute attribute) {
        // Raw type kept as declared; the lookups below pass String values.
        HashSet allowedNames = this.service.getEncryptableAttributes();

        boolean noExplicitRules = allowedNames == null || allowedNames.isEmpty() || allowedNames.contains("*");
        if (noExplicitRules) {
            LOGGER.debug("No explicit attribute encryption rules are defined; Attribute [{}] is selected for encryption.", attribute.getName());
            return true;
        }

        // Membership test on the attribute name exactly as returned by getName(); a name that is
        // not in the set means the attribute is NOT encrypted.
        boolean listed = allowedNames.contains(attribute.getName());
        if (!listed) {
            LOGGER.debug("Skipping encryption as attribute encryption rules do NOT allow [{}] to be encrypted", attribute.getName());
            return false;
        }

        LOGGER.debug("Attribute encryption rules allow [{}] to be encrypted", attribute.getName());
        return true;
    }

    /**
     * Creates a builder bound to one registered service and its service-provider metadata.
     *
     * @param samlRegisteredService                              service whose encryption settings apply
     * @param samlRegisteredServiceServiceProviderMetadataFacade metadata facade handed to the encrypter
     * @param messageContext                                     message context; stored only
     * @param samlIdPObjectEncrypter                             encrypter used for selected attributes
     */
    @Generated
    public SamlProfileSamlRegisteredServiceAttributeBuilder(SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade, MessageContext messageContext, SamlIdPObjectEncrypter samlIdPObjectEncrypter) {
        this.samlObjectEncrypter = samlIdPObjectEncrypter;
        this.messageContext = messageContext;
        this.adaptor = samlRegisteredServiceServiceProviderMetadataFacade;
        this.service = samlRegisteredService;
    }
}
