package org.apereo.cas.support.saml;

import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import lombok.Generated;
import net.shibboleth.idp.profile.spring.factory.BasicResourceCredentialFactoryBean;
import net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.util.ResourceUtils;
import org.cryptacular.util.CertUtil;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.io.Marshaller;
import org.opensaml.core.xml.io.Unmarshaller;
import org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter;
import org.opensaml.security.credential.BasicCredential;
import org.opensaml.security.credential.impl.StaticCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.provider.DEREncodedKeyValueProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.io.Resource;
import org.springframework.core.io.ResourceLoader;
import org.w3c.dom.Element;

/* loaded from: input_file:BOOT-INF/lib/cas-server-support-saml-core-5.3.16.jar:org/apereo/cas/support/saml/SamlUtils.class */
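/**
 * Static helpers for SAML handling: reading X.509 certificates, converting
 * between OpenSAML {@link XMLObject}s and their XML text form, and building the
 * {@link SignatureValidationFilter} applied to metadata.
 *
 * <p>The class is stateless and cannot be instantiated.
 */
public final class SamlUtils {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(SamlUtils.class);
    private static final int SAML_OBJECT_LOG_ASTERIXLINE_LENGTH = 80;
    private static final String NAMESPACE_URI = "http://www.w3.org/2000/xmlns/";

    /**
     * Reads a single X.509 certificate from the given resource.
     *
     * @param resource location of the certificate
     * @return the parsed certificate
     * @throws IllegalArgumentException if the resource cannot be opened or parsed
     *         (the original failure is kept as the cause)
     */
    public static X509Certificate readCertificate(Resource resource) {
        // try-with-resources closes the stream on every path, including parse failures.
        try (InputStream inputStream = resource.getInputStream()) {
            return CertUtil.readCertificate(inputStream);
        } catch (Exception e) {
            throw new IllegalArgumentException("Error reading certificate " + resource, e);
        }
    }

    /**
     * Marshals a SAML object to XML text without indentation.
     *
     * @param openSamlConfigBean supplies the marshaller factory
     * @param xMLObject          object to serialise
     * @return writer holding the XML (empty when no marshaller is registered)
     * @throws SamlException if marshalling or the transformation fails
     */
    public static StringWriter transformSamlObject(OpenSamlConfigBean openSamlConfigBean, XMLObject xMLObject) throws SamlException {
        return transformSamlObject(openSamlConfigBean, xMLObject, false);
    }

    /**
     * Parses XML text and unmarshals it into a SAML object of the expected type.
     *
     * <p>NOTE(review): the text handed in here may come from a remote party.
     * Protection against external entities and entity expansion depends entirely
     * on how the parser pool held by {@code openSamlConfigBean} is configured,
     * which is not visible in this class. Confirm that configuration.
     *
     * @param openSamlConfigBean supplies the parser pool and unmarshaller factory
     * @param str                XML text, encoded as UTF-8 before parsing
     * @param cls                type the unmarshalled object must be assignable to
     * @param <T>                expected SAML object type
     * @return the unmarshalled object, or {@code null} when no unmarshaller is
     *         registered for the document element
     * @throws SamlException if parsing or unmarshalling fails, or the result is not
     *         a {@code cls}
     */
    public static <T extends XMLObject> T transformSamlObject(OpenSamlConfigBean openSamlConfigBean, String str, Class<T> cls) {
        try (ByteArrayInputStream xmlBytes = new ByteArrayInputStream(str.getBytes(StandardCharsets.UTF_8))) {
            Element documentElement = openSamlConfigBean.getParserPool().parse(xmlBytes).getDocumentElement();
            Unmarshaller unmarshaller = openSamlConfigBean.getUnmarshallerFactory().getUnmarshaller(documentElement);
            if (unmarshaller == null) {
                return null;
            }
            XMLObject unmarshalled = unmarshaller.unmarshall(documentElement);
            // Check the type explicitly so a mismatch is reported with both types
            // rather than surfacing later at some unrelated call site.
            if (!cls.isAssignableFrom(unmarshalled.getClass())) {
                throw new ClassCastException("Result [" + unmarshalled + " is of type " + unmarshalled.getClass() + " when we were expecting " + cls);
            }
            return cls.cast(unmarshalled);
        } catch (Exception e) {
            throw new SamlException(e.getMessage(), e);
        }
    }

    /**
     * Marshals a SAML object to XML text.
     *
     * @param openSamlConfigBean supplies the marshaller factory
     * @param xMLObject          object to serialise
     * @param z                  {@code true} to indent the output by four spaces
     * @return writer holding the XML (empty when no marshaller is registered for
     *         the object's element name)
     * @throws SamlException if marshalling or the transformation fails
     */
    public static StringWriter transformSamlObject(OpenSamlConfigBean openSamlConfigBean, XMLObject xMLObject, boolean z) throws SamlException {
        StringWriter stringWriter = new StringWriter();
        try {
            Marshaller marshaller = openSamlConfigBean.getMarshallerFactory().getMarshaller(xMLObject.getElementQName());
            if (marshaller != null) {
                DOMSource source = new DOMSource(marshaller.marshall(xMLObject));
                StreamResult result = new StreamResult(stringWriter);
                // Defence in depth: the input is an in-memory DOM and no stylesheet is
                // loaded, but secure processing keeps the factory in its restricted mode.
                TransformerFactory transformerFactory = TransformerFactory.newInstance();
                transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
                Transformer transformer = transformerFactory.newTransformer();
                if (z) {
                    transformer.setOutputProperty("indent", "yes");
                    transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
                }
                transformer.transform(source, result);
            }
            return stringWriter;
        } catch (Exception e) {
            throw new SamlException(e.getMessage(), e);
        }
    }

    /**
     * Builds a metadata signature validation filter from a resource location
     * resolved through {@code ResourceUtils.getResourceFrom}.
     *
     * @param str location of the certificate or public key
     * @return the filter, or {@code null} when the resource does not exist
     * @throws Exception if the resource or its credential cannot be loaded
     */
    public static SignatureValidationFilter buildSignatureValidationFilter(String str) throws Exception {
        return buildSignatureValidationFilter(ResourceUtils.getResourceFrom(str));
    }

    /**
     * Builds a metadata signature validation filter from a location resolved by
     * the given resource loader.
     *
     * <p>Any failure is reported as {@code null} rather than an exception.
     * NOTE(review): a caller that treats {@code null} as "no filter configured"
     * would consume metadata without signature validation when the key material
     * is broken or missing. Verify how callers handle {@code null}.
     *
     * @param resourceLoader loader used to resolve {@code str}
     * @param str            location of the certificate or public key
     * @return the filter, or {@code null} when it could not be built
     */
    public static SignatureValidationFilter buildSignatureValidationFilter(ResourceLoader resourceLoader, String str) {
        try {
            return buildSignatureValidationFilter(resourceLoader.getResource(str));
        } catch (Exception e) {
            // Losing the signature filter is security-relevant, so report it above
            // debug level. The stack trace stays at debug to keep normal logs short.
            LOGGER.warn("Unable to build metadata signature validation filter from [{}]: [{}]", str, e.getMessage());
            LOGGER.debug(e.getMessage(), e);
            return null;
        }
    }

    /**
     * Builds a metadata signature validation filter that trusts exactly the
     * credential found in the given resource.
     *
     * @param resource certificate or public key used to verify metadata signatures
     * @return the filter, or {@code null} when the resource does not exist
     * @throws Exception if the credential cannot be extracted from the resource
     */
    public static SignatureValidationFilter buildSignatureValidationFilter(Resource resource) throws Exception {
        if (!ResourceUtils.doesResourceExist(resource)) {
            LOGGER.warn("Resource [{}] cannot be located", resource);
            return null;
        }
        LOGGER.debug("Attempting to resolve credentials from [{}]", resource);
        BasicCredential credential = buildCredentialForMetadataSignatureValidation(resource);
        LOGGER.info("Successfully resolved credentials from [{}]", resource);
        LOGGER.debug("Configuring credential resolver for key signature trust engine @ [{}]", credential.getCredentialType().getSimpleName());
        // The key-info providers are passed inline so the element type is inferred
        // from the resolver's constructor instead of using a raw list.
        ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(
            new StaticCredentialResolver(credential),
            new BasicProviderKeyInfoCredentialResolver(new ArrayList<>(Arrays.asList(
                new RSAKeyValueProvider(),
                new DSAKeyValueProvider(),
                new DEREncodedKeyValueProvider(),
                new InlineX509DataProvider()))));
        LOGGER.debug("Adding signature validation filter based on the configured trust engine");
        SignatureValidationFilter signatureValidationFilter = new SignatureValidationFilter(trustEngine);
        // SECURITY: with requireSignedRoot disabled, a metadata document whose root
        // carries no signature is not rejected by this filter. Only signatures that
        // are present are checked against the configured credential. Deployments that
        // must refuse unsigned metadata need that enforced elsewhere.
        signatureValidationFilter.setRequireSignedRoot(false);
        LOGGER.debug("Added metadata SignatureValidationFilter with signature from [{}]", resource);
        return signatureValidationFilter;
    }

    /**
     * Loads the credential used to verify metadata signatures. The resource is
     * first read as an X.509 certificate. If that fails for any reason, it is
     * read as a bare public key instead.
     *
     * @param resource certificate or public key
     * @return the resolved credential
     * @throws Exception if the resource is neither a usable certificate nor a
     *         usable public key
     */
    public static BasicCredential buildCredentialForMetadataSignatureValidation(Resource resource) throws Exception {
        try {
            BasicX509CredentialFactoryBean x509Factory = new BasicX509CredentialFactoryBean();
            x509Factory.setCertificateResource(resource);
            x509Factory.afterPropertiesSet();
            return (BasicCredential) x509Factory.getObject();
        } catch (Exception e) {
            LOGGER.trace(e.getMessage(), e);
            LOGGER.debug("Credential cannot be extracted from [{}] via X.509. Treating it as a public key to locate credential...", resource);
            BasicResourceCredentialFactoryBean publicKeyFactory = new BasicResourceCredentialFactoryBean();
            publicKeyFactory.setPublicKeyInfo(resource);
            publicKeyFactory.afterPropertiesSet();
            return (BasicCredential) publicKeyFactory.getObject();
        }
    }

    /**
     * Writes the indented XML form of a SAML object to the debug log, framed by
     * lines of asterisks. Nothing is marshalled when debug logging is disabled.
     *
     * <p>The logged XML is the complete SAML object, which can include assertions
     * and user attributes. Treat debug logs from this class as sensitive.
     *
     * @param openSamlConfigBean supplies the marshaller factory
     * @param xMLObject          object to log
     * @throws SamlException if the object cannot be marshalled
     */
    public static void logSamlObject(OpenSamlConfigBean openSamlConfigBean, XMLObject xMLObject) throws SamlException {
        if (!LOGGER.isDebugEnabled()) {
            // Skip the marshalling and transformation work when nothing would be logged.
            return;
        }
        String separator = StringUtils.repeat('*', SAML_OBJECT_LOG_ASTERIXLINE_LENGTH);
        LOGGER.debug(separator);
        LOGGER.debug("Logging [{}]\n\n{}\n\n", xMLObject.getClass().getName(), transformSamlObject(openSamlConfigBean, xMLObject, true));
        LOGGER.debug(separator);
    }

    @Generated
    private SamlUtils() {
        throw new UnsupportedOperationException("This is a utility class and cannot be instantiated");
    }
}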
