package org.apereo.cas.support.saml.web.idp.metadata;

import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.Parameter;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.StreamSupport;
import lombok.Generated;
import net.shibboleth.shared.resolver.CriteriaSet;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.math.NumberUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apereo.cas.audit.AuditableContext;
import org.apereo.cas.audit.AuditableExecution;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.support.saml.OpenSamlConfigBean;
import org.apereo.cas.support.saml.SamlException;
import org.apereo.cas.support.saml.SamlUtils;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceCachingMetadataResolver;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.function.FunctionUtils;
import org.apereo.cas.web.BaseCasRestActuatorEndpoint;
import org.jooq.lambda.Unchecked;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.core.criterion.SatisfyAnyCriterion;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.metadata.criteria.entity.impl.EvaluableEntityRoleEntityDescriptorCriterion;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.boot.actuate.endpoint.annotation.Endpoint;
import org.springframework.http.ResponseEntity;
import org.springframework.lang.Nullable;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;

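/**
 * Actuator endpoint that inspects and invalidates the SAML2 metadata cache kept for
 * SAML registered services.
 *
 * <p>The endpoint is declared with {@code enableByDefault = false}. Once enabled, a
 * {@code DELETE} without a service id flushes every cached entry and a {@code GET} returns
 * service provider metadata, so exposure should be limited to trusted operators. No access
 * control for the endpoint itself is visible in this class; confirm it is enforced by the
 * actuator security configuration.
 *
 * <p>NOTE(review): the {@code @RequestParam} annotations below carry no explicit name, so
 * binding presumably depends on the compiled parameter names. The parameter names in this
 * listing ({@code str}, {@code str2}, {@code z}) do not match the {@code serviceId} /
 * {@code entityId} names documented in the {@code @Operation} annotations; confirm against
 * the original source before recompiling.
 */
@Endpoint(id = "samlIdPRegisteredServiceMetadataCache", enableByDefault = false)
public class SamlRegisteredServiceCachedMetadataEndpoint extends BaseCasRestActuatorEndpoint {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(SamlRegisteredServiceCachedMetadataEndpoint.class);
    private final ObjectProvider<SamlRegisteredServiceCachingMetadataResolver> cachingMetadataResolver;
    private final ObjectProvider<ServicesManager> servicesManager;
    private final ObjectProvider<AuditableExecution> registeredServiceAccessStrategyEnforcer;
    private final ObjectProvider<OpenSamlConfigBean> openSamlConfigBean;

    /**
     * Creates the endpoint.
     *
     * @param casConfigurationProperties CAS settings handed to the base endpoint
     * @param objectProvider provider of the caching metadata resolver
     * @param objectProvider2 provider of the services manager used for service lookups
     * @param objectProvider3 provider of the access strategy enforcer run on each located service
     * @param objectProvider4 provider of the OpenSAML configuration; resolved eagerly here to
     *     obtain the application context for the base endpoint
     */
    public SamlRegisteredServiceCachedMetadataEndpoint(CasConfigurationProperties casConfigurationProperties, ObjectProvider<SamlRegisteredServiceCachingMetadataResolver> objectProvider, ObjectProvider<ServicesManager> objectProvider2, ObjectProvider<AuditableExecution> objectProvider3, ObjectProvider<OpenSamlConfigBean> objectProvider4) {
        super(casConfigurationProperties, objectProvider4.getObject().getApplicationContext());
        this.cachingMetadataResolver = objectProvider;
        this.servicesManager = objectProvider2;
        this.registeredServiceAccessStrategyEnforcer = objectProvider3;
        this.openSamlConfigBean = objectProvider4;
    }

    /**
     * Invalidates cached metadata, either for one service or for the whole cache.
     *
     * <p>A blank service id clears every cache entry without any service lookup, so the
     * per-service access strategy check in {@link #findRegisteredService(String)} is not
     * involved on that path.
     *
     * @param str service id: numeric identifier, name or service id of the registered service
     * @param str2 optional entity id; when blank, the service id of the located service is used
     * @return an empty 204 response; for a single-service invalidation it also carries headers
     *     naming the service and the entity id that was invalidated
     * @throws Throwable if the service cannot be located or the access strategy check rejects it
     */
    @DeleteMapping
    @Operation(summary = "Invalidate SAML2 metadata cache using a service id or entity id. The service id could be the registered service numeric identifier, its name or actual service id. In case the service definition points to an aggregate, you may also specify an entity id to locate the service provider within that aggregate. If you do not specify any parameters, all entries in the metadata cache will be invalidated.", parameters = {@Parameter(name = "serviceId", description = "The service id"), @Parameter(name = "entityId", description = "The entity id")})
    public ResponseEntity invalidate(@Nullable @RequestParam(required = false) String str, @Nullable @RequestParam(required = false) String str2) throws Throwable {
        if (StringUtils.isBlank(str)) {
            this.cachingMetadataResolver.getObject().invalidate();
            LOGGER.info("Cleared SAML2 registered service metadata cache");
            return ResponseEntity.noContent().build();
        }
        SamlRegisteredService service = findRegisteredService(str);
        String entityId = StringUtils.defaultIfBlank(str2, service.getServiceId());
        CriteriaSet criteriaSet = new CriteriaSet();
        criteriaSet.add(new EntityIdCriterion(entityId));
        criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
        this.cachingMetadataResolver.getObject().invalidate(service, criteriaSet);
        LOGGER.info("Invalidated SAML2 registered service metadata cache entry for [{}]", service);
        // NOTE(review): when an entity id is supplied, the second header value echoes request
        // input; this relies on the HTTP stack rejecting control characters in header values.
        return ResponseEntity.noContent()
            .header(service.getClass().getSimpleName(), String.valueOf(service.getId()), service.getName())
            .header(EntityIdCriterion.class.getSimpleName(), entityId)
            .build();
    }

    /**
     * Returns the metadata held for a SAML registered service.
     *
     * <p>Any failure raised while locating the service or resolving metadata is converted into
     * a 400 response whose body is {@code {"error": <exception message>}}. The message of the
     * "unable to locate service" failure contains the caller-supplied service id.
     *
     * @param str service id: numeric identifier, name or service id of the registered service
     * @param str2 optional entity id; when given, only that SP entity is looked up, otherwise
     *     any entity descriptor with the SP SSO role is accepted
     * @param z when {@code true} (the default) the resolver's {@code resolve} is called; when
     *     {@code false} only {@code getIfPresent} is consulted. Presumably the former populates
     *     the cache on a miss; confirm against the resolver implementation.
     * @return 200 with a map keyed by entity id, each value holding {@code cachedInstant} and
     *     the serialized {@code metadata}; 400 with an {@code error} entry on failure
     */
    @GetMapping(produces = {"application/json", "application/vnd.spring-boot.actuator.v2+json", "application/vnd.spring-boot.actuator.v3+json", "application/x-www-form-urlencoded", "application/vnd.cas.services+yaml"})
    @Operation(summary = "Get SAML2 cached metadata for a SAML2 registered service. The service id could be the registered service numeric identifier, its name or actual service id. In case the service definition points to an aggregate, you may also specify an entity id to locate the service provider within that aggregate", parameters = {@Parameter(name = "serviceId", required = true, description = "The service id"), @Parameter(name = "entityId", description = "The entity id")})
    public ResponseEntity<? extends Map> getCachedMetadataObject(@RequestParam String str, @Nullable @RequestParam(required = false) String str2, @RequestParam(required = false, defaultValue = "true") boolean z) {
        return (ResponseEntity) FunctionUtils.doAndHandle(() -> {
            SamlRegisteredService service = findRegisteredService(str);
            CriteriaSet criteriaSet = new CriteriaSet();
            if (StringUtils.isNotBlank(str2)) {
                criteriaSet.add(new EntityIdCriterion(str2));
                criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
            } else {
                criteriaSet.add(new EvaluableEntityRoleEntityDescriptorCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
                criteriaSet.add(new SatisfyAnyCriterion(true));
            }
            return (ResponseEntity) (z ? Optional.of(this.cachingMetadataResolver.getObject().resolve(service, criteriaSet)) : this.cachingMetadataResolver.getObject().getIfPresent(service, criteriaSet)).map(Unchecked.function(cachedResult -> {
                // Only descriptors reporting themselves valid are returned to the caller.
                return ResponseEntity.ok((Map) StreamSupport.stream(cachedResult.getMetadataResolver().resolve(criteriaSet).spliterator(), false).filter(descriptor -> {
                    return descriptor.isValid();
                }).map(descriptor -> {
                    return Pair.of(descriptor.getEntityID(), CollectionUtils.wrap("cachedInstant", cachedResult.getCachedInstant(), "metadata", SamlUtils.transformSamlObject(this.openSamlConfigBean.getObject(), descriptor).toString()));
                }).collect(Collectors.toMap(pair -> {
                    return pair.getLeft();
                }, pair -> {
                    return pair.getRight();
                })));
            })).orElseThrow(() -> {
                return new SamlException("Unable to locate and resolve metadata for service " + service.getName());
            });
        }, th -> {
            return ResponseEntity.badRequest().body(Map.of("error", th.getMessage()));
        }).get();
    }

    /**
     * Locates a SAML registered service and runs the access strategy enforcer against it.
     *
     * <p>An input that parses as a {@code long} is treated as the numeric service identifier.
     * Anything else is matched case-insensitively against the name and service id of the SAML
     * registered services, and the first match is used. Inputs that look numeric but do not
     * fit a {@code long} (for example decimals, hexadecimal forms or out-of-range digit
     * strings) are handled as names instead of failing with {@link NumberFormatException}.
     *
     * @param str numeric identifier, name or service id to look up
     * @return the located service, after the access strategy check has passed
     * @throws Throwable {@link UnauthorizedServiceException} when nothing matches, or whatever
     *     the access strategy enforcer raises via {@code throwExceptionIfNeeded()}
     */
    protected SamlRegisteredService findRegisteredService(String str) throws Throwable {
        Collection<?> matches;
        Optional<Long> numericId = parseNumericId(str);
        if (numericId.isPresent()) {
            SamlRegisteredService byId = this.servicesManager.getObject().findServiceBy(numericId.get().longValue(), SamlRegisteredService.class);
            matches = byId != null ? List.of(byId) : List.of();
        } else {
            matches = this.servicesManager.getObject().findServiceBy(registeredService -> {
                return (registeredService instanceof SamlRegisteredService) && (registeredService.getName().equalsIgnoreCase(str) || registeredService.getServiceId().equalsIgnoreCase(str));
            });
        }
        if (matches.isEmpty()) {
            throw UnauthorizedServiceException.denied("Unable to locate service " + str);
        }
        SamlRegisteredService samlRegisteredService = (SamlRegisteredService) matches.iterator().next();
        // The access strategy must accept the service before it is handed to either handler.
        this.registeredServiceAccessStrategyEnforcer.getObject().execute(AuditableContext.builder().registeredService(samlRegisteredService).build()).throwExceptionIfNeeded();
        LOGGER.debug("Located registered service definition [{}]", samlRegisteredService);
        return samlRegisteredService;
    }

    /**
     * Parses a candidate numeric service identifier.
     *
     * @param candidate the raw request value, possibly {@code null}
     * @return the parsed identifier, or empty when the value is not a number or does not fit
     *     a {@code long}
     */
    private static Optional<Long> parseNumericId(String candidate) {
        if (!NumberUtils.isCreatable(candidate)) {
            return Optional.empty();
        }
        try {
            return Optional.of(Long.parseLong(candidate));
        } catch (NumberFormatException ignored) {
            // isCreatable also accepts decimal, hex, exponent and type-suffixed forms that
            // Long.parseLong rejects; such values fall back to the name/service id lookup.
            return Optional.empty();
        }
    }
}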
