package org.apereo.cas.support.saml.web.flow.config;

import com.google.common.collect.ImmutableList;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.annotation.Resource;
import net.shibboleth.idp.profile.spring.relyingparty.security.credential.impl.BasicResourceCredentialFactoryBean;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.principal.ServiceFactory;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.saml.OpenSamlConfigBean;
import org.apereo.cas.support.saml.web.flow.SamlMetadataUIParserAction;
import org.apereo.cas.support.saml.web.flow.SamlMetadataUIWebflowConfigurer;
import org.apereo.cas.support.saml.web.flow.mdui.AbstractMetadataResolverAdapter;
import org.apereo.cas.support.saml.web.flow.mdui.ChainingMetadataResolverAdapter;
import org.apereo.cas.support.saml.web.flow.mdui.DynamicMetadataResolverAdapter;
import org.apereo.cas.support.saml.web.flow.mdui.MetadataResolverAdapter;
import org.apereo.cas.support.saml.web.flow.mdui.StaticMetadataResolverAdapter;
import org.apereo.cas.web.flow.CasWebflowConfigurer;
import org.jooq.lambda.Unchecked;
import org.opensaml.saml.metadata.resolver.filter.MetadataFilterChain;
import org.opensaml.saml.metadata.resolver.filter.impl.RequiredValidUntilFilter;
import org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.impl.StaticCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.provider.DEREncodedKeyValueProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ResourceLoader;
import org.springframework.webflow.definition.registry.FlowDefinitionRegistry;
import org.springframework.webflow.engine.builder.support.FlowBuilderServices;
import org.springframework.webflow.execution.Action;

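/**
 * Spring configuration for the CAS SAML metadata UI (MDUI) support.
 *
 * <p>Registers the webflow configurer, the action that parses metadata UI information and the
 * metadata resolver adapter that supplies it. Metadata sources come from
 * {@code casProperties.getSamlMetadataUi().getResources()}; each entry is a comma-delimited list
 * of {@code metadataLocation[::signingCertificateLocation]} items.
 *
 * <p>Security-relevant behaviour, as visible in this class:
 * <ul>
 *   <li>A {@link SignatureValidationFilter} is attached to a metadata source only when that
 *       source names a signing certificate after the {@code ::} separator. A source configured
 *       without one is loaded with no signature check from this class.</li>
 *   <li>A {@link RequiredValidUntilFilter} is attached only when the configured max validity is
 *       greater than zero.</li>
 *   <li>Every metadata source gets its own {@link MetadataFilterChain}, so the filters of one
 *       source never replace the filters of another.</li>
 * </ul>
 */
@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration("samlMetadataUIConfiguration")
public class SamlMetadataUIConfiguration {
    /** Separates a metadata location from the location of its signing certificate. */
    private static final String DEFAULT_SEPARATOR = "::";

    @Autowired
    @Qualifier("shibboleth.OpenSAMLConfig")
    private OpenSamlConfigBean openSamlConfigBean;

    @Autowired
    private CasConfigurationProperties casProperties;

    @Autowired
    private ResourceLoader resourceLoader;

    // Optional: injected as null when no login flow registry bean is present.
    @Autowired(required = false)
    @Qualifier("loginFlowRegistry")
    private FlowDefinitionRegistry loginFlowDefinitionRegistry;

    // Optional: injected as null when no FlowBuilderServices bean is present.
    @Autowired(required = false)
    private FlowBuilderServices flowBuilderServices;

    @Autowired
    @Qualifier("servicesManager")
    private ServicesManager servicesManager;

    @Resource(name = "webApplicationServiceFactory")
    private ServiceFactory<WebApplicationService> serviceFactory;

    /**
     * Builds the webflow configurer for the metadata UI, unless a bean named
     * {@code samlMetadataUIWebConfigurer} is already defined.
     *
     * @return the configurer, wired with the parser action, the login flow registry and the
     *         flow builder services
     */
    @ConditionalOnMissingBean(name = {"samlMetadataUIWebConfigurer"})
    @Bean
    public CasWebflowConfigurer samlMetadataUIWebConfigurer() {
        SamlMetadataUIWebflowConfigurer configurer = new SamlMetadataUIWebflowConfigurer();
        configurer.setSamlMetadataUIParserAction(samlMetadataUIParserAction());
        configurer.setLoginFlowDefinitionRegistry(this.loginFlowDefinitionRegistry);
        configurer.setFlowBuilderServices(this.flowBuilderServices);
        return configurer;
    }

    /**
     * Builds the action that parses metadata UI information.
     *
     * <p>The request parameter name is taken from the configuration and falls back to
     * {@code entityId} when the configured value is empty.
     *
     * @return the parser action, wired with the service factory and the services manager
     */
    @Bean
    public Action samlMetadataUIParserAction() {
        String entityIdParameter = (String) StringUtils.defaultIfEmpty(this.casProperties.getSamlMetadataUi().getParameter(), "entityId");
        SamlMetadataUIParserAction parserAction = new SamlMetadataUIParserAction(entityIdParameter, metadataAdapter());
        parserAction.setServiceFactory(this.serviceFactory);
        parserAction.setServicesManager(this.servicesManager);
        return parserAction;
    }

    /**
     * Builds the metadata resolver adapter used by the parser action.
     *
     * @return a chaining adapter holding the static adapter followed by the dynamic adapter
     */
    @Bean
    public MetadataResolverAdapter metadataAdapter() {
        ChainingMetadataResolverAdapter chain = new ChainingMetadataResolverAdapter();
        chain.getAdapters().add(getStaticMetadataResolverAdapter());
        chain.getAdapters().add(getDynamicMetadataResolverAdapter());
        return chain;
    }

    /**
     * Applies the configured metadata resources and validation settings to an adapter.
     *
     * @param abstractMetadataResolverAdapter the adapter to configure
     * @return the same adapter instance, configured
     */
    private MetadataResolverAdapter configureAdapter(AbstractMetadataResolverAdapter abstractMetadataResolverAdapter) {
        Map<org.springframework.core.io.Resource, MetadataFilterChain> metadataResources = new HashMap<>();
        // configureResource declares a checked exception; Unchecked.consumer lets it be used in forEach.
        this.casProperties.getSamlMetadataUi().getResources().forEach(Unchecked.consumer(str -> {
            configureResource(metadataResources, str);
        }));
        abstractMetadataResolverAdapter.setRequireValidMetadata(this.casProperties.getSamlMetadataUi().isRequireValidMetadata());
        abstractMetadataResolverAdapter.setMetadataResources(metadataResources);
        abstractMetadataResolverAdapter.setConfigBean(this.openSamlConfigBean);
        return abstractMetadataResolverAdapter;
    }

    /**
     * Parses one configured resource entry and registers every metadata source it names.
     *
     * <p>The entry is a comma-delimited list. Each item is a metadata location, optionally
     * followed by {@code ::} and the location of the certificate used to validate the metadata
     * signature.
     *
     * <p>A new {@link MetadataFilterChain} is created for each item. Sharing one chain across
     * items would let the last item's filter list replace all earlier ones, so a later source
     * without a signing certificate could silently remove signature validation from an earlier
     * source that has one.
     *
     * @param map receives one metadata resource to filter chain mapping per item
     * @param str the comma-delimited resource entry
     * @throws Exception if building a credential or filter fails
     */
    private void configureResource(Map<org.springframework.core.io.Resource, MetadataFilterChain> map, String str) throws Exception {
        Arrays.stream(org.springframework.util.StringUtils.commaDelimitedListToStringArray(str)).forEach(Unchecked.consumer(entry -> {
            String[] parts = entry.split(DEFAULT_SEPARATOR);
            String metadataLocation = parts[0];
            String signingCertLocation = parts.length > 1 ? parts[1] : null;

            ArrayList<org.opensaml.saml.metadata.resolver.filter.MetadataFilter> filters = new ArrayList<>();
            if (this.casProperties.getSamlMetadataUi().getMaxValidity() > 0) {
                filters.add(new RequiredValidUntilFilter(this.casProperties.getSamlMetadataUi().getMaxValidity()));
            }
            // NOTE(review): without a signing certificate no signature filter is added here, so the
            // metadata from this location is accepted unsigned as far as this class is concerned.
            if (StringUtils.isNotEmpty(signingCertLocation)) {
                BasicResourceCredentialFactoryBean credentialFactory = new BasicResourceCredentialFactoryBean();
                credentialFactory.setPublicKeyInfo(this.resourceLoader.getResource(signingCertLocation));
                credentialFactory.afterPropertiesSet();
                // Trust is explicit: signatures are checked against the configured credential only.
                StaticCredentialResolver trustedCredentials = new StaticCredentialResolver((Credential) credentialFactory.getObject());
                BasicProviderKeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(ImmutableList.of(new RSAKeyValueProvider(), new DSAKeyValueProvider(), new DEREncodedKeyValueProvider(), new InlineX509DataProvider()));
                SignatureValidationFilter signatureValidationFilter = new SignatureValidationFilter(new ExplicitKeySignatureTrustEngine(trustedCredentials, keyInfoResolver));
                signatureValidationFilter.setRequireSignedRoot(this.casProperties.getSamlMetadataUi().isRequireSignedRoot());
                filters.add(signatureValidationFilter);
            }

            MetadataFilterChain filterChain = new MetadataFilterChain();
            filterChain.setFilters(filters);
            map.put(this.resourceLoader.getResource(metadataLocation), filterChain);
        }));
    }

    /**
     * Creates and configures the dynamic metadata resolver adapter.
     *
     * @return the configured adapter
     */
    private MetadataResolverAdapter getDynamicMetadataResolverAdapter() {
        DynamicMetadataResolverAdapter adapter = new DynamicMetadataResolverAdapter();
        configureAdapter(adapter);
        return adapter;
    }

    /**
     * Creates and configures the static metadata resolver adapter, then asks it to build its
     * metadata resolver aggregate.
     *
     * @return the configured adapter
     */
    private MetadataResolverAdapter getStaticMetadataResolverAdapter() {
        StaticMetadataResolverAdapter adapter = new StaticMetadataResolverAdapter();
        configureAdapter(adapter);
        adapter.buildMetadataResolverAggregate();
        return adapter;
    }
}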
