package com.linecorp.armeria.server.saml;

import com.linecorp.armeria.common.AggregatedHttpRequest;
import com.linecorp.armeria.common.HttpRequest;
import com.linecorp.armeria.common.HttpResponse;
import com.linecorp.armeria.common.SessionProtocol;
import com.linecorp.armeria.common.util.Exceptions;
import com.linecorp.armeria.internal.shaded.guava.base.MoreObjects;
import com.linecorp.armeria.internal.shaded.guava.collect.ImmutableList;
import com.linecorp.armeria.internal.shaded.guava.collect.ImmutableMap;
import com.linecorp.armeria.internal.shaded.guava.collect.ImmutableSet;
import com.linecorp.armeria.server.ServerPort;
import com.linecorp.armeria.server.ServiceRequestContext;
import com.linecorp.armeria.server.auth.Authorizer;
import java.io.UnsupportedEncodingException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.function.Function;
import javax.annotation.Nullable;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.common.messaging.context.SAMLBindingContext;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialResolver;
import org.opensaml.xmlsec.algorithm.AlgorithmSupport;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/linecorp/armeria/server/saml/SamlServiceProviderBuilder.class */
/**
 * Builds a {@link SamlServiceProvider} for a SAML 2.0 service provider (SP): an entity ID, a
 * {@link CredentialResolver} that supplies the SP's signing and encryption credentials, an
 * {@link Authorizer}, and one or more identity provider (IdP) and assertion consumer service (ACS)
 * configurations added through {@link #idp()} and {@link #acs()}.
 *
 * <p>This listing is decompiler output (JADX): the synthetic {@code $assertionsDisabled} member,
 * the raw {@code new ArrayList()} calls and the redundant casts are decompilation artifacts, not
 * authored code.
 *
 * <p>{@link #build()} is not free of side effects on the builder: it writes default values back
 * into {@link #idpConfigSelector} and {@link #requestIdManager} and marks a lone ACS / IdP builder
 * as the default, so a second {@code build()} call observes those mutations.
 */
public final class SamlServiceProviderBuilder {
    private static final Logger logger = LoggerFactory.getLogger(SamlServiceProviderBuilder.class);

    // Required: build() throws IllegalStateException while this is null.
    @Nullable
    private String entityId;

    // Optional: handed to SamlServiceProvider as-is, possibly null.
    @Nullable
    private String hostname;

    // Required: build() throws IllegalStateException while this is null.
    @Nullable
    private Authorizer<HttpRequest> authorizer;

    // Required: set through credentialResolver(); build() throws IllegalStateException while null.
    @Nullable
    private CredentialResolverAdapter credentialResolver;

    // Optional: when null, build() installs a selector that always answers with the default IdP.
    @Nullable
    private SamlIdentityProviderConfigSelector idpConfigSelector;

    // Optional: when null, build() installs SamlRequestIdManager.ofJwt(entityId, entityId, 60, 5).
    @Nullable
    private SamlRequestIdManager requestIdManager;
    private final List<SamlIdentityProviderConfigBuilder> idpConfigBuilders = new ArrayList();
    private final List<SamlAssertionConsumerConfigBuilder> acsConfigBuilders = new ArrayList();
    private final List<SamlEndpoint> sloEndpoints = new ArrayList();
    private final SamlPortConfigBuilder hostConfigBuilder = new SamlPortConfigBuilder();
    // Names under which the SP's own credentials are looked up (as an EntityIdCriterion) in the
    // CredentialResolver; see CredentialResolverAdapter.apply() and build().
    private String signingKey = "signing";
    private String encryptionKey = "encryption";
    // Default is the XML DSig DSA-SHA1 algorithm URI. SHA-1 based signatures are deprecated for new
    // deployments; callers should select a SHA-256 based URI through signatureAlgorithm(...).
    // validateSignatureAlgorithm() only checks that the key type fits the algorithm, not its strength.
    private String signatureAlgorithm = "http://www.w3.org/2000/09/xmldsig#dsa-sha1";
    private String metadataPath = "/saml/metadata";
    /**
     * Default single sign-on handler, replaceable through {@link #ssoHandler(SamlSingleSignOnHandler)}.
     * It remembers the request path in the RelayState before redirecting to the IdP and sends the
     * user back to that path (or "/") after a successful login.
     */
    private SamlSingleSignOnHandler ssoHandler = new SamlSingleSignOnHandler() { // from class: com.linecorp.armeria.server.saml.SamlServiceProviderBuilder.1
        // Decompiler artifact of an `assert subcontext != null` in the original source.
        static final /* synthetic */ boolean $assertionsDisabled;

        /**
         * Stores the current request path as the RelayState of the outgoing AuthnRequest, but only
         * when the path is at most 80 characters long (presumably the 80-byte RelayState limit of
         * the SAML 2.0 bindings specification — confirm). Longer paths are silently not stored.
         *
         * @return an already-completed stage; nothing asynchronous happens here
         */
        @Override // com.linecorp.armeria.server.saml.SamlSingleSignOnHandler
        public CompletionStage<Void> beforeInitiatingSso(ServiceRequestContext serviceRequestContext, HttpRequest httpRequest, MessageContext<AuthnRequest> messageContext, SamlIdentityProviderConfig samlIdentityProviderConfig) {
            String path = httpRequest.path();
            if (path.length() <= 80) {
                // `true` asks the message context to create the SAMLBindingContext if absent.
                SAMLBindingContext subcontext = messageContext.getSubcontext(SAMLBindingContext.class, true);
                if (!$assertionsDisabled && subcontext == null) {
                    throw new AssertionError("SAMLBindingContext");
                }
                subcontext.setRelayState(path);
            }
            return CompletableFuture.completedFuture(null);
        }

        /**
         * Redirects to the second string argument when it is non-null, otherwise to "/".
         * Given beforeInitiatingSso() above, that argument is presumably the RelayState that
         * round-tripped through the IdP (confirm against the interface). This default performs no
         * validation of that value as a same-site path; a deployment that accepts RelayState from
         * external parties should supply a handler that checks it before redirecting, since an
         * unchecked value could send the user to a location the SP did not choose.
         */
        @Override // com.linecorp.armeria.server.saml.SamlSingleSignOnHandler
        public HttpResponse loginSucceeded(ServiceRequestContext serviceRequestContext, AggregatedHttpRequest aggregatedHttpRequest, MessageContext<Response> messageContext, @Nullable String str, @Nullable String str2) {
            return HttpRedirectBindingUtil.responseWithLocation((String) MoreObjects.firstNonNull(str2, "/"));
        }

        /**
         * Logs the failure at WARN level together with the request context and the cause, then
         * redirects to "/error". No detail of the cause is exposed to the client.
         */
        @Override // com.linecorp.armeria.server.saml.SamlSingleSignOnHandler
        public HttpResponse loginFailed(ServiceRequestContext serviceRequestContext, AggregatedHttpRequest aggregatedHttpRequest, @Nullable MessageContext<Response> messageContext, Throwable th) {
            SamlServiceProviderBuilder.logger.warn("{} SAML SSO failed", serviceRequestContext, th);
            return HttpRedirectBindingUtil.responseWithLocation("/error");
        }

        static {
            $assertionsDisabled = !SamlServiceProviderBuilder.class.desiredAssertionStatus();
        }
    };
    /**
     * Default single logout handler, replaceable through {@link #sloHandler(SamlSingleLogoutHandler)}.
     * Success is a no-op; failure is logged at WARN level and otherwise swallowed (the returned stage
     * still completes normally, so the caller cannot tell the two apart from the result).
     */
    private SamlSingleLogoutHandler sloHandler = new SamlSingleLogoutHandler() { // from class: com.linecorp.armeria.server.saml.SamlServiceProviderBuilder.2
        @Override // com.linecorp.armeria.server.saml.SamlSingleLogoutHandler
        public CompletionStage<Void> logoutSucceeded(ServiceRequestContext serviceRequestContext, AggregatedHttpRequest aggregatedHttpRequest, MessageContext<LogoutRequest> messageContext) {
            return CompletableFuture.completedFuture(null);
        }

        @Override // com.linecorp.armeria.server.saml.SamlSingleLogoutHandler
        public CompletionStage<Void> logoutFailed(ServiceRequestContext serviceRequestContext, AggregatedHttpRequest aggregatedHttpRequest, Throwable th) {
            SamlServiceProviderBuilder.logger.warn("{} SAML SLO failed", serviceRequestContext, th);
            return CompletableFuture.completedFuture(null);
        }
    };

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/linecorp/armeria/server/saml/SamlServiceProviderBuilder$CredentialResolverAdapter.class */
    /**
     * Adapts an OpenSAML {@link CredentialResolver} to a {@code Function<String, Credential>}:
     * the string is used as an {@link EntityIdCriterion} and the single matching credential is
     * returned. Checked exceptions thrown by the resolver are rethrown unchecked via
     * {@link Exceptions#throwUnsafely(Throwable)} rather than being wrapped.
     */
    public static class CredentialResolverAdapter implements Function<String, Credential> {
        private final CredentialResolver resolver;

        /**
         * @param credentialResolver the resolver to delegate to
         * @throws NullPointerException if {@code credentialResolver} is null
         */
        CredentialResolverAdapter(CredentialResolver credentialResolver) {
            this.resolver = (CredentialResolver) Objects.requireNonNull(credentialResolver, "resolver");
        }

        /**
         * Resolves the credential whose entity ID equals {@code str}.
         *
         * @return the resolved credential, or {@code null} when the resolver finds none
         */
        @Override // java.util.function.Function
        @Nullable
        public Credential apply(String str) {
            CriteriaSet criteriaSet = new CriteriaSet();
            criteriaSet.add(new EntityIdCriterion(str));
            try {
                return (Credential) this.resolver.resolveSingle(criteriaSet);
            } catch (Throwable th) {
                // Propagates the original Throwable (including checked ones) without wrapping.
                return (Credential) Exceptions.throwUnsafely(th);
            }
        }
    }

    /**
     * Sets the {@link Authorizer} that gates access to the SP's protected resources (required).
     *
     * @throws NullPointerException if {@code authorizer} is null
     */
    public SamlServiceProviderBuilder authorizer(Authorizer<HttpRequest> authorizer) {
        this.authorizer = (Authorizer) Objects.requireNonNull(authorizer, "authorizer");
        return this;
    }

    /**
     * Sets the SP's SAML entity ID (required).
     *
     * @throws NullPointerException if {@code str} is null
     */
    public SamlServiceProviderBuilder entityId(String str) {
        this.entityId = (String) Objects.requireNonNull(str, "entityId");
        return this;
    }

    /**
     * Sets the {@link CredentialResolver} used to look up the SP's signing and encryption
     * credentials (required); it is wrapped in a {@link CredentialResolverAdapter}.
     *
     * @throws NullPointerException if {@code credentialResolver} is null
     */
    public SamlServiceProviderBuilder credentialResolver(CredentialResolver credentialResolver) {
        this.credentialResolver = new CredentialResolverAdapter((CredentialResolver) Objects.requireNonNull(credentialResolver, "credentialResolver"));
        return this;
    }

    /**
     * Sets the name under which the signing credential is resolved (default {@code "signing"}).
     *
     * @throws NullPointerException if {@code str} is null
     */
    public SamlServiceProviderBuilder signingKey(String str) {
        this.signingKey = (String) Objects.requireNonNull(str, "signingKey");
        return this;
    }

    /**
     * Sets the name under which the encryption credential is resolved (default {@code "encryption"}).
     *
     * @throws NullPointerException if {@code str} is null
     */
    public SamlServiceProviderBuilder encryptionKey(String str) {
        this.encryptionKey = (String) Objects.requireNonNull(str, "encryptionKey");
        return this;
    }

    /**
     * Sets the XML DSig signature algorithm URI. It is validated against every credential in
     * {@link #build()}; unknown URIs fail there, not here. Prefer a SHA-256 based algorithm over the
     * SHA-1 default.
     *
     * @throws NullPointerException if {@code str} is null
     */
    public SamlServiceProviderBuilder signatureAlgorithm(String str) {
        this.signatureAlgorithm = (String) Objects.requireNonNull(str, "signatureAlgorithm");
        return this;
    }

    /**
     * Sets the hostname passed to the {@link SamlServiceProvider} (optional).
     *
     * @throws NullPointerException if {@code str} is null
     */
    public SamlServiceProviderBuilder hostname(String str) {
        this.hostname = (String) Objects.requireNonNull(str, "hostname");
        return this;
    }

    /**
     * Records the scheme in the host/port configuration. The delegate is named
     * {@code setSchemeIfAbsent}, which suggests an already-set scheme is kept — confirm in
     * {@code SamlPortConfigBuilder}.
     *
     * @throws NullPointerException if {@code sessionProtocol} is null
     */
    public SamlServiceProviderBuilder scheme(SessionProtocol sessionProtocol) {
        this.hostConfigBuilder.setSchemeIfAbsent((SessionProtocol) Objects.requireNonNull(sessionProtocol, "scheme"));
        return this;
    }

    /**
     * Records the port in the host/port configuration via {@code setPortIfAbsent}; no range check
     * is performed here.
     */
    public SamlServiceProviderBuilder port(int i) {
        this.hostConfigBuilder.setPortIfAbsent(i);
        return this;
    }

    /**
     * Records scheme and port together from a {@link ServerPort} via {@code setSchemeAndPortIfAbsent}.
     *
     * @throws NullPointerException if {@code serverPort} is null
     */
    public SamlServiceProviderBuilder schemeAndPort(ServerPort serverPort) {
        this.hostConfigBuilder.setSchemeAndPortIfAbsent((ServerPort) Objects.requireNonNull(serverPort, "serverPort"));
        return this;
    }

    /**
     * Sets the path at which the SP metadata is served (default {@code "/saml/metadata"}).
     *
     * @throws NullPointerException if {@code str} is null
     */
    public SamlServiceProviderBuilder metadataPath(String str) {
        this.metadataPath = (String) Objects.requireNonNull(str, "metadataPath");
        return this;
    }

    /**
     * Sets the selector that picks an IdP configuration per request. When not set,
     * {@link #build()} installs one that always returns the default IdP.
     *
     * @throws NullPointerException if {@code samlIdentityProviderConfigSelector} is null
     */
    public SamlServiceProviderBuilder idpConfigSelector(SamlIdentityProviderConfigSelector samlIdentityProviderConfigSelector) {
        this.idpConfigSelector = (SamlIdentityProviderConfigSelector) Objects.requireNonNull(samlIdentityProviderConfigSelector, "idpConfigSelector");
        return this;
    }

    /**
     * Adds a single logout endpoint. When none is added, {@link #build()} uses
     * {@code /saml/slo/post} (HTTP-POST) and {@code /saml/slo/redirect} (HTTP-Redirect).
     *
     * @throws NullPointerException if {@code samlEndpoint} is null
     */
    public SamlServiceProviderBuilder sloEndpoint(SamlEndpoint samlEndpoint) {
        this.sloEndpoints.add((SamlEndpoint) Objects.requireNonNull(samlEndpoint, "sloEndpoint"));
        return this;
    }

    /**
     * Sets the {@link SamlRequestIdManager} that issues and checks request IDs. When not set,
     * {@link #build()} creates a JWT-based one from the entity ID.
     *
     * @throws NullPointerException if {@code samlRequestIdManager} is null
     */
    public SamlServiceProviderBuilder requestIdManager(SamlRequestIdManager samlRequestIdManager) {
        this.requestIdManager = (SamlRequestIdManager) Objects.requireNonNull(samlRequestIdManager, "requestIdManager");
        return this;
    }

    /**
     * Replaces the default single sign-on handler (see {@link #ssoHandler} for what the default does).
     *
     * @throws NullPointerException if {@code samlSingleSignOnHandler} is null
     */
    public SamlServiceProviderBuilder ssoHandler(SamlSingleSignOnHandler samlSingleSignOnHandler) {
        this.ssoHandler = (SamlSingleSignOnHandler) Objects.requireNonNull(samlSingleSignOnHandler, "ssoHandler");
        return this;
    }

    /**
     * Replaces the default single logout handler (see {@link #sloHandler} for what the default does).
     *
     * @throws NullPointerException if {@code samlSingleLogoutHandler} is null
     */
    public SamlServiceProviderBuilder sloHandler(SamlSingleLogoutHandler samlSingleLogoutHandler) {
        this.sloHandler = (SamlSingleLogoutHandler) Objects.requireNonNull(samlSingleLogoutHandler, "sloHandler");
        return this;
    }

    /**
     * Starts a new identity provider configuration. The child builder is registered with this
     * builder immediately, so the caller configures it and then returns to the parent; the actual
     * {@code SamlIdentityProviderConfig} is created in {@link #build()}.
     *
     * @return the new child builder
     */
    public SamlIdentityProviderConfigBuilder idp() {
        SamlIdentityProviderConfigBuilder samlIdentityProviderConfigBuilder = new SamlIdentityProviderConfigBuilder(this);
        this.idpConfigBuilders.add(samlIdentityProviderConfigBuilder);
        return samlIdentityProviderConfigBuilder;
    }

    /**
     * Starts a new assertion consumer service configuration; registered immediately like
     * {@link #idp()} and materialised in {@link #build()}.
     *
     * @return the new child builder
     */
    public SamlAssertionConsumerConfigBuilder acs() {
        SamlAssertionConsumerConfigBuilder samlAssertionConsumerConfigBuilder = new SamlAssertionConsumerConfigBuilder(this);
        this.acsConfigBuilders.add(samlAssertionConsumerConfigBuilder);
        return samlAssertionConsumerConfigBuilder;
    }

    /**
     * Validates the accumulated configuration and creates the {@link SamlServiceProvider}.
     *
     * <p>Checks are performed in this order, each failing with an {@link IllegalStateException}:
     * entity ID, credential resolver and authorizer present; signing and encryption credentials
     * resolvable under {@link #signingKey} / {@link #encryptionKey}; the signature algorithm usable
     * with both; no two ACS configs sharing an endpoint; at least one IdP; every IdP-referenced ACS
     * endpoint actually configured; the algorithm usable with each IdP's credentials; at most one
     * default IdP; and a default IdP present when no selector was supplied.
     *
     * <p>Side effects on the builder: a lone ACS or IdP builder is marked default, and
     * {@link #idpConfigSelector} / {@link #requestIdManager} receive their defaults when unset.
     *
     * @throws IllegalStateException for any of the validation failures above, or when the default
     *         request ID manager cannot be created
     */
    public SamlServiceProvider build() {
        // Raw type from decompilation; holds the built SamlAssertionConsumerConfig instances.
        List list;
        // Presumably ensures the OpenSAML runtime is initialised — confirm in SamlInitializer.
        SamlInitializer.ensureAvailability();
        if (this.entityId == null) {
            throw new IllegalStateException("entity ID is not specified");
        }
        if (this.credentialResolver == null) {
            throw new IllegalStateException(CredentialResolver.class.getSimpleName() + " is not specified");
        }
        if (this.authorizer == null) {
            throw new IllegalStateException(Authorizer.class.getSimpleName() + " is not specified");
        }
        // SP signing credential, looked up by the configured key name.
        Credential apply = this.credentialResolver.apply(this.signingKey);
        if (apply == null) {
            throw new IllegalStateException("cannot resolve a " + Credential.class.getSimpleName() + " for signing: " + this.signingKey);
        }
        // SP encryption credential, looked up by the configured key name.
        Credential apply2 = this.credentialResolver.apply(this.encryptionKey);
        if (apply2 == null) {
            throw new IllegalStateException("cannot resolve a " + Credential.class.getSimpleName() + " for encryption: " + this.encryptionKey);
        }
        // Fail fast if the chosen algorithm cannot be initialised with either SP key.
        validateSignatureAlgorithm(this.signatureAlgorithm, apply);
        validateSignatureAlgorithm(this.signatureAlgorithm, apply2);
        // SLO endpoints: defaults only when the user added none.
        ImmutableList of = this.sloEndpoints.isEmpty() ? ImmutableList.of(SamlEndpoint.ofHttpPost("/saml/slo/post"), SamlEndpoint.ofHttpRedirect("/saml/slo/redirect")) : ImmutableList.copyOf(this.sloEndpoints);
        if (this.acsConfigBuilders.isEmpty()) {
            // Default ACS pair: HTTP-POST (marked default) and HTTP-Redirect.
            list = (List) ImmutableList.of(new SamlAssertionConsumerConfigBuilder(this).endpoint(SamlEndpoint.ofHttpPost("/saml/acs/post")).asDefault(), new SamlAssertionConsumerConfigBuilder(this).endpoint(SamlEndpoint.ofHttpRedirect("/saml/acs/redirect"))).stream().map((v0) -> {
                return v0.build();
            }).collect(ImmutableList.toImmutableList());
        } else {
            // A single user-supplied ACS is implicitly the default (mutates the child builder).
            if (this.acsConfigBuilders.size() == 1) {
                this.acsConfigBuilders.get(0).asDefault();
            }
            list = (List) this.acsConfigBuilders.stream().map((v0) -> {
                return v0.build();
            }).collect(ImmutableList.toImmutableList());
        }
        // Duplicate endpoints are detected by comparing the distinct-endpoint count with the list size.
        Set set = (Set) list.stream().map((v0) -> {
            return v0.endpoint();
        }).collect(ImmutableSet.toImmutableSet());
        if (set.size() != list.size()) {
            // Message wording ("access consumer") is kept as found; it refers to ACS endpoints.
            throw new IllegalStateException("duplicated access consumer services exist");
        }
        if (this.idpConfigBuilders.isEmpty()) {
            throw new IllegalStateException("no identity provider configuration is specified");
        }
        // A single IdP is implicitly the default (mutates the child builder).
        if (this.idpConfigBuilders.size() == 1) {
            this.idpConfigBuilders.get(0).asDefault();
        }
        // IdP configs keyed by entity ID. Per Guava's ImmutableMap.Builder contract, builder.build()
        // below rejects duplicate entity IDs with an IllegalArgumentException.
        ImmutableMap.Builder builder = ImmutableMap.builder();
        // The IdP marked as default, or null while none has been seen.
        SamlIdentityProviderConfig samlIdentityProviderConfig = null;
        for (SamlIdentityProviderConfigBuilder samlIdentityProviderConfigBuilder : this.idpConfigBuilders) {
            // An IdP may pin a specific ACS endpoint; it must be one of the configured ones.
            if (samlIdentityProviderConfigBuilder.acsEndpoint() != null && !set.contains(samlIdentityProviderConfigBuilder.acsEndpoint())) {
                throw new IllegalStateException("unspecified access consumer service at " + samlIdentityProviderConfigBuilder.acsEndpoint());
            }
            SamlIdentityProviderConfig build = samlIdentityProviderConfigBuilder.build(this.credentialResolver);
            // The IdP-side credentials must also be usable with the configured algorithm.
            validateSignatureAlgorithm(this.signatureAlgorithm, build.signingCredential());
            validateSignatureAlgorithm(this.signatureAlgorithm, build.encryptionCredential());
            builder.put(build.entityId(), build);
            if (samlIdentityProviderConfigBuilder.isDefault()) {
                if (samlIdentityProviderConfig != null) {
                    throw new IllegalStateException("there has to be only one default identity provider");
                }
                samlIdentityProviderConfig = build;
            }
        }
        if (this.idpConfigSelector == null) {
            if (samlIdentityProviderConfig == null) {
                throw new IllegalStateException("default identity provider does not exist");
            }
            // Effectively-final copy for the lambda; the selector ignores the request entirely.
            SamlIdentityProviderConfig samlIdentityProviderConfig2 = samlIdentityProviderConfig;
            this.idpConfigSelector = (samlServiceProvider, serviceRequestContext, httpRequest) -> {
                return CompletableFuture.completedFuture(samlIdentityProviderConfig2);
            };
        }
        try {
            // Default request ID manager is JWT-based with the entity ID as both issuer-like and
            // audience-like argument; the meaning of 60 and 5 (presumably validity / tolerance in
            // seconds) is not visible here — confirm against SamlRequestIdManager.ofJwt.
            this.requestIdManager = (SamlRequestIdManager) MoreObjects.firstNonNull(this.requestIdManager, SamlRequestIdManager.ofJwt(this.entityId, this.entityId, 60, 5));
            return new SamlServiceProvider(this.authorizer, this.entityId, this.hostname, apply, apply2, this.signatureAlgorithm, this.hostConfigBuilder.toAutoFiller(), this.metadataPath, builder.build(), samlIdentityProviderConfig, this.idpConfigSelector, list, of, this.requestIdManager, this.ssoHandler, this.sloHandler);
        } catch (UnsupportedEncodingException e) {
            // Rewrapped as unchecked so build() exposes a single failure type; cause is preserved.
            throw new IllegalStateException("cannot create a " + SamlRequestIdManager.class.getSimpleName(), e);
        }
    }

    /**
     * Checks that {@code str} (an XML DSig algorithm URI) is known to OpenSAML and that a JCA
     * {@link Signature} for it can be initialised with the credential's key: sign-side when a
     * private key is present, verify-side with the public key otherwise. The {@link Signature}
     * instance is discarded; only initialisation is tested. This is a compatibility check between
     * key type and algorithm, not an assessment of the algorithm's strength.
     *
     * @param str        the signature algorithm URI
     * @param credential the credential whose key must fit the algorithm
     * @throws IllegalStateException if the URI is unknown to {@link AlgorithmSupport}, the JCA
     *         provider has no such algorithm, or the key does not fit the algorithm
     */
    private static void validateSignatureAlgorithm(String str, Credential credential) {
        // Maps the URI to a JCA algorithm name (e.g. for Signature.getInstance); null if unknown.
        String algorithmID = AlgorithmSupport.getAlgorithmID(str);
        if (algorithmID == null) {
            throw new IllegalStateException("unsupported signature algorithm: " + str);
        }
        try {
            Signature signature = Signature.getInstance(algorithmID);
            PrivateKey privateKey = credential.getPrivateKey();
            if (privateKey != null) {
                signature.initSign(privateKey);
            } else {
                signature.initVerify(credential.getPublicKey());
            }
        } catch (InvalidKeyException e) {
            throw new IllegalStateException("failed to initialize a signature with an algorithm: " + str, e);
        } catch (NoSuchAlgorithmException e2) {
            throw new IllegalStateException("unsupported signature algorithm: " + str, e2);
        }
    }
}
