package org.apereo.cas.support.saml.services.idp.metadata.cache;

import com.google.common.base.Function;
import com.google.common.base.Throwables;
import com.google.common.cache.CacheLoader;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.TimeUnit;
import javax.annotation.Nullable;
import net.shibboleth.idp.profile.spring.relyingparty.security.credential.impl.BasicResourceCredentialFactoryBean;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apereo.cas.support.saml.OpenSamlConfigBean;
import org.apereo.cas.support.saml.SamlException;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.util.EncodingUtils;
import org.apereo.cas.util.ResourceUtils;
import org.apereo.cas.util.http.HttpClient;
import org.opensaml.saml.metadata.resolver.ChainingMetadataResolver;
import org.opensaml.saml.metadata.resolver.MetadataResolver;
import org.opensaml.saml.metadata.resolver.filter.MetadataFilter;
import org.opensaml.saml.metadata.resolver.filter.MetadataFilterChain;
import org.opensaml.saml.metadata.resolver.filter.impl.RequiredValidUntilFilter;
import org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter;
import org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver;
import org.opensaml.saml.metadata.resolver.impl.DOMMetadataResolver;
import org.opensaml.saml.metadata.resolver.impl.FunctionDrivenDynamicHTTPMetadataResolver;
import org.opensaml.security.credential.BasicCredential;
import org.opensaml.security.credential.impl.StaticCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.provider.DEREncodedKeyValueProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.io.AbstractResource;

/* loaded from: input_file:org/apereo/cas/support/saml/services/idp/metadata/cache/ChainingMetadataResolverCacheLoader.class */
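/**
 * Cache loader that builds a {@link ChainingMetadataResolver} for a SAML registered service.
 *
 * <p>The service's metadata location is either treated as a dynamic metadata query template
 * (when it ends with {@code /entities/{0}}) or loaded and parsed once as a static resource.
 * Each resolver gets an optional filter chain: a {@link RequiredValidUntilFilter} when the
 * service defines a positive maximum validity, and a {@link SignatureValidationFilter} when
 * the service defines a metadata signature location.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>When no signature location is configured, metadata is used without any signature
 *       check; only a warning is logged.</li>
 *   <li>The signature filter is created with {@code setRequireSignedRoot(false)}; see
 *       {@link #buildSignatureValidationFilterIfNeeded}.</li>
 *   <li>XML is parsed with the parser pool supplied by {@link OpenSamlConfigBean}; its
 *       hardening (DTD / external entity handling) is not visible in this class.</li>
 * </ul>
 */
public class ChainingMetadataResolverCacheLoader extends CacheLoader<SamlRegisteredService, ChainingMetadataResolver> {
    /** Suffix that marks a metadata location as a dynamic metadata query template. */
    private static final String DYNAMIC_QUERY_SUFFIX = "/entities/{0}";

    /** Placeholder in the metadata location that is replaced by the encoded entity id. */
    private static final String ENTITY_ID_PLACEHOLDER = "{0}";

    protected OpenSamlConfigBean configBean;
    protected HttpClient httpClient;
    private long metadataCacheExpirationMinutes;
    private String basicAuthnUsername;
    private String basicAuthnPassword;
    protected transient Logger logger = LoggerFactory.getLogger(getClass());
    private transient Object lock = new Object();
    private boolean failFastInitialization = true;
    private boolean requireValidMetadata = true;
    private List<String> supportedContentTypes = new ArrayList<>();

    /**
     * Builds and initializes the chaining resolver for the given service.
     *
     * @param samlRegisteredService the service whose metadata location is resolved
     * @return an initialized chaining resolver holding the resolver built for the service
     * @throws Exception a {@link SamlException} wrapping any failure, including the case
     *         where no resolver could be configured
     */
    @Override
    public ChainingMetadataResolver load(SamlRegisteredService samlRegisteredService) throws Exception {
        try {
            ChainingMetadataResolver chain = new ChainingMetadataResolver();
            List<MetadataResolver> resolvers = new ArrayList<>();
            if (isDynamicMetadataQueryConfigured(samlRegisteredService)) {
                resolveMetadataDynamically(samlRegisteredService, resolvers);
            } else {
                resolveMetadataFromResource(samlRegisteredService, resolvers);
            }
            if (resolvers.isEmpty()) {
                throw new SamlException("No metadata resolvers could be configured for service " + samlRegisteredService.getName() + " with metadata location " + samlRegisteredService.getMetadataLocation());
            }
            synchronized (this.lock) {
                chain.setId(ChainingMetadataResolver.class.getCanonicalName());
                chain.setResolvers(resolvers);
                chain.initialize();
            }
            return chain;
        } catch (Exception e) {
            throw new SamlException(e.getMessage(), e);
        }
    }

    /**
     * Configures a dynamic HTTP metadata resolver whose request URL is the service's metadata
     * location with {@code {0}} replaced by the URL-encoded entity id.
     *
     * @param samlRegisteredService the service providing the URL template
     * @param list receives the initialized resolver
     * @throws Exception if the resolver or its filters cannot be initialized
     */
    protected void resolveMetadataDynamically(final SamlRegisteredService samlRegisteredService, List<MetadataResolver> list) throws Exception {
        this.logger.info("Loading metadata dynamically for [{}]", samlRegisteredService.getName());
        FunctionDrivenDynamicHTTPMetadataResolver dynamicResolver = new FunctionDrivenDynamicHTTPMetadataResolver(this.httpClient.getWrappedHttpClient());
        long minCacheMillis = TimeUnit.MILLISECONDS.convert(this.metadataCacheExpirationMinutes, TimeUnit.MINUTES);
        dynamicResolver.setMinCacheDuration(Long.valueOf(minCacheMillis));
        dynamicResolver.setRequireValidMetadata(this.requireValidMetadata);

        // Credentials are attached only when both parts are present.
        // NOTE(review): nothing in this class checks that the metadata location uses https;
        // over plain http these basic credentials would travel unencrypted - confirm the
        // deployment restricts the location scheme.
        boolean hasBasicCredentials = StringUtils.isNotBlank(this.basicAuthnPassword) && StringUtils.isNotBlank(this.basicAuthnUsername);
        if (hasBasicCredentials) {
            dynamicResolver.setBasicCredentials(new UsernamePasswordCredentials(this.basicAuthnUsername, this.basicAuthnPassword));
        }
        if (!this.supportedContentTypes.isEmpty()) {
            dynamicResolver.setSupportedContentTypes(this.supportedContentTypes);
        }
        dynamicResolver.setRequestURLBuilder(new Function<String, String>() {
            @Nullable
            public String apply(@Nullable String str) {
                try {
                    if (StringUtils.isBlank(str)) {
                        return null;
                    }
                    // The entity id is encoded before substitution so that its characters
                    // become data in the URL rather than extra path or query syntax.
                    String encodedEntityId = EncodingUtils.urlEncode(str);
                    String queryUrl = samlRegisteredService.getMetadataLocation().replace(ENTITY_ID_PLACEHOLDER, encodedEntityId);
                    ChainingMetadataResolverCacheLoader.this.logger.info("Constructed dynamic metadata query [{}] for [{}]", queryUrl, samlRegisteredService.getName());
                    return queryUrl;
                } catch (Exception e) {
                    throw new RuntimeException(e.getMessage(), e);
                }
            }
        });
        buildSingleMetadataResolver(dynamicResolver, samlRegisteredService);
        list.add(dynamicResolver);
    }

    /**
     * Loads the metadata document from the service's metadata location, parses it and adds
     * an initialized DOM-backed resolver to {@code list}.
     *
     * <p>The stream is opened with try-with-resources so it is closed on every path,
     * including when parsing or resolver initialization throws.
     *
     * @param samlRegisteredService the service providing the metadata location
     * @param list receives the initialized resolver
     * @throws IOException declared for callers; failures are rethrown via
     *         {@link Throwables#propagate(Throwable)}
     */
    protected void resolveMetadataFromResource(SamlRegisteredService samlRegisteredService, List<MetadataResolver> list) throws IOException {
        String metadataLocation = samlRegisteredService.getMetadataLocation();
        this.logger.info("Loading SAML metadata from [{}]", metadataLocation);
        // NOTE(review): which location schemes ResourceUtils accepts is not visible here;
        // confirm that only trusted administrators can set the metadata location.
        try (InputStream metadataStream = ResourceUtils.getResourceFrom(metadataLocation).getInputStream()) {
            this.logger.debug("Parsing metadata from [{}]", metadataLocation);
            // NOTE(review): XXE/DTD protection depends on how the configured parser pool
            // was built - confirm in OpenSamlConfigBean.
            DOMMetadataResolver domResolver = new DOMMetadataResolver(this.configBean.getParserPool().parse(metadataStream).getDocumentElement());
            buildSingleMetadataResolver(domResolver, samlRegisteredService);
            list.add(domResolver);
        } catch (Exception e) {
            throw Throwables.propagate(e);
        }
    }

    /**
     * Tells whether the service's metadata location is a dynamic metadata query template.
     *
     * @param samlRegisteredService the service to inspect
     * @return {@code true} when the trimmed location ends with {@code /entities/{0}};
     *         {@code false} otherwise, including when no location is set
     */
    protected boolean isDynamicMetadataQueryConfigured(SamlRegisteredService samlRegisteredService) {
        // trimToEmpty keeps a missing location from failing here with a message-less
        // NullPointerException; the static-resource path then reports the bad location.
        String location = StringUtils.trimToEmpty(samlRegisteredService.getMetadataLocation());
        return location.endsWith(DYNAMIC_QUERY_SUFFIX);
    }

    /**
     * Applies the shared settings (parser pool, fail-fast flag, valid-metadata flag, id and
     * filters) to a resolver and initializes it.
     *
     * @param abstractMetadataResolver the resolver to configure
     * @param samlRegisteredService the service the resolver is built for
     * @throws Exception if filter construction or resolver initialization fails
     */
    protected void buildSingleMetadataResolver(AbstractMetadataResolver abstractMetadataResolver, SamlRegisteredService samlRegisteredService) throws Exception {
        abstractMetadataResolver.setParserPool(this.configBean.getParserPool());
        abstractMetadataResolver.setFailFastInitialization(this.failFastInitialization);
        abstractMetadataResolver.setRequireValidMetadata(this.requireValidMetadata);
        abstractMetadataResolver.setId(abstractMetadataResolver.getClass().getCanonicalName());
        // Filters must be installed before initialize() is called below.
        buildMetadataFilters(samlRegisteredService, abstractMetadataResolver);
        this.logger.info("Initializing metadata resolver from [{}]", samlRegisteredService.getMetadataLocation());
        abstractMetadataResolver.initialize();
        this.logger.info("Initialized metadata resolver from [{}]", samlRegisteredService.getMetadataLocation());
    }

    /**
     * Builds the filter chain for a resolver. The resolver is left without a filter when
     * neither the validity filter nor the signature filter applies to the service.
     *
     * @param samlRegisteredService the service whose settings select the filters
     * @param abstractMetadataResolver the resolver that receives the chain
     * @throws Exception if the signature filter cannot be built
     */
    protected void buildMetadataFilters(SamlRegisteredService samlRegisteredService, AbstractMetadataResolver abstractMetadataResolver) throws Exception {
        List<MetadataFilter> filters = new ArrayList<>();
        buildRequiredValidUntilFilterIfNeeded(samlRegisteredService, filters);
        buildSignatureValidationFilterIfNeeded(samlRegisteredService, filters);
        if (filters.isEmpty()) {
            return;
        }
        MetadataFilterChain filterChain = new MetadataFilterChain();
        filterChain.setFilters(filters);
        this.logger.debug("Metadata filter chain initialized with [{}] filters", filters.size());
        abstractMetadataResolver.setMetadataFilter(filterChain);
    }

    /**
     * Adds a {@link SignatureValidationFilter} trusting the key found at the service's
     * metadata signature location. When no such location is defined, no filter is added and
     * the metadata is used without a signature check.
     *
     * @param samlRegisteredService the service providing the signature location
     * @param list receives the filter when one is built
     * @throws Exception if the credential cannot be resolved from the signature location
     */
    protected void buildSignatureValidationFilterIfNeeded(SamlRegisteredService samlRegisteredService, List<MetadataFilter> list) throws Exception {
        String signatureLocation = samlRegisteredService.getMetadataSignatureLocation();
        if (StringUtils.isBlank(signatureLocation)) {
            this.logger.warn("No metadata signature location is defined for {}, so SignatureValidationFilter will not be invoked", samlRegisteredService.getMetadataLocation());
            return;
        }
        AbstractResource signatureResource = ResourceUtils.getResourceFrom(signatureLocation);
        // Left as a raw list: the providers' common element type is not imported in this file.
        ArrayList keyInfoProviders = new ArrayList();
        keyInfoProviders.add(new RSAKeyValueProvider());
        keyInfoProviders.add(new DSAKeyValueProvider());
        keyInfoProviders.add(new DEREncodedKeyValueProvider());
        keyInfoProviders.add(new InlineX509DataProvider());
        this.logger.debug("Attempting to resolve credentials from {} for {}", signatureLocation, samlRegisteredService.getMetadataLocation());
        BasicProviderKeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(keyInfoProviders);
        BasicResourceCredentialFactoryBean credentialFactory = new BasicResourceCredentialFactoryBean();
        credentialFactory.setPublicKeyInfo(signatureResource);
        credentialFactory.afterPropertiesSet();
        BasicCredential trustedCredential = (BasicCredential) credentialFactory.getObject();
        this.logger.info("Successfully resolved credentials from {} for {}", signatureLocation, samlRegisteredService.getMetadataLocation());
        // Explicit-key trust: only the single credential loaded above is trusted.
        SignatureValidationFilter signatureFilter = new SignatureValidationFilter(new ExplicitKeySignatureTrustEngine(new StaticCredentialResolver(trustedCredential), keyInfoResolver));
        // SECURITY NOTE(review): the filter is told not to require a signature on the
        // metadata root element. Presumably metadata that arrives with no root signature is
        // then accepted instead of rejected, which would let unsigned or signature-stripped
        // metadata through even though a signing key is configured. Left unchanged because
        // existing deployments may rely on it; consider requiring a signed root whenever a
        // signature location is set.
        signatureFilter.setRequireSignedRoot(false);
        list.add(signatureFilter);
        this.logger.debug("Added metadata SignatureValidationFilter with signature from [{}]", signatureLocation);
    }

    /**
     * Adds a {@link RequiredValidUntilFilter} when the service defines a positive maximum
     * metadata validity; otherwise only logs that the filter is skipped.
     *
     * @param samlRegisteredService the service providing the maximum validity
     * @param list receives the filter when one is built
     */
    protected void buildRequiredValidUntilFilterIfNeeded(SamlRegisteredService samlRegisteredService, List<MetadataFilter> list) {
        if (samlRegisteredService.getMetadataMaxValidity() <= 0) {
            this.logger.debug("No metadata maximum validity criteria is defined for {}, so RequiredValidUntilFilter will not be invoked", samlRegisteredService.getMetadataLocation());
            return;
        }
        list.add(new RequiredValidUntilFilter(samlRegisteredService.getMetadataMaxValidity()));
        this.logger.debug("Added metadata RequiredValidUntilFilter with max validity of [{}]", samlRegisteredService.getMetadataMaxValidity());
    }

    /**
     * @param j minimum cache duration for dynamically resolved metadata, in minutes
     */
    public void setMetadataCacheExpirationMinutes(long j) {
        this.metadataCacheExpirationMinutes = j;
    }

    /**
     * @param z value passed to each resolver's fail-fast initialization setting
     */
    public void setFailFastInitialization(boolean z) {
        this.failFastInitialization = z;
    }

    /**
     * @param z value passed to each resolver's require-valid-metadata setting
     */
    public void setRequireValidMetadata(boolean z) {
        this.requireValidMetadata = z;
    }

    /**
     * @param openSamlConfigBean source of the parser pool used for metadata parsing
     */
    public void setConfigBean(OpenSamlConfigBean openSamlConfigBean) {
        this.configBean = openSamlConfigBean;
    }

    /**
     * @param httpClient client whose wrapped HTTP client performs dynamic metadata queries
     */
    public void setHttpClient(HttpClient httpClient) {
        this.httpClient = httpClient;
    }

    /**
     * @param str username for basic authentication against the dynamic metadata endpoint
     */
    public void setBasicAuthnUsername(String str) {
        this.basicAuthnUsername = str;
    }

    /**
     * @param str password for basic authentication against the dynamic metadata endpoint
     */
    public void setBasicAuthnPassword(String str) {
        this.basicAuthnPassword = str;
    }

    /**
     * @param list content types accepted from the dynamic metadata endpoint; {@code null}
     *        is stored as an empty list so the resolver's own setting is left untouched
     */
    public void setSupportedContentTypes(List<String> list) {
        // A null list would otherwise fail later on isEmpty() during dynamic resolution.
        this.supportedContentTypes = list != null ? list : new ArrayList<String>();
    }
}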
