package com.linecorp.armeria.server.saml;

import com.linecorp.armeria.common.AggregatedHttpRequest;
import com.linecorp.armeria.common.HttpData;
import com.linecorp.armeria.common.HttpHeaderNames;
import com.linecorp.armeria.common.HttpResponse;
import com.linecorp.armeria.common.HttpStatus;
import com.linecorp.armeria.common.MediaType;
import com.linecorp.armeria.common.ResponseHeaders;
import com.linecorp.armeria.internal.shaded.guava.annotations.VisibleForTesting;
import com.linecorp.armeria.internal.shaded.guava.collect.MapMaker;
import com.linecorp.armeria.server.ServiceRequestContext;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentMap;
import java.util.stream.Collectors;
import javax.annotation.Nullable;
import net.shibboleth.utilities.java.support.xml.SerializeSupport;
import org.opensaml.saml.common.SAMLObjectBuilder;
import org.opensaml.saml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.KeyDescriptor;
import org.opensaml.saml.saml2.metadata.NameIDFormat;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml.saml2.metadata.SingleLogoutService;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.UsageType;
import org.opensaml.xmlsec.keyinfo.KeyInfoGenerator;
import org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory;
import org.opensaml.xmlsec.signature.KeyInfo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/linecorp/armeria/server/saml/SamlMetadataServiceFunction.class */
public final class SamlMetadataServiceFunction implements SamlServiceFunction {
    private static final Logger logger = LoggerFactory.getLogger(SamlMetadataServiceFunction.class);

    @VisibleForTesting
    static final MediaType CONTENT_TYPE_SAML_METADATA = MediaType.parse("application/samlmetadata+xml");
    private static final ResponseHeaders HTTP_HEADERS = ResponseHeaders.of(HttpStatus.OK, HttpHeaderNames.CONTENT_TYPE, CONTENT_TYPE_SAML_METADATA, HttpHeaderNames.CONTENT_DISPOSITION, "attachment; filename=\"saml_metadata.xml\"");
    private final String entityId;
    private final Credential signingCredential;
    private final Credential encryptionCredential;
    private final Map<String, SamlIdentityProviderConfig> idpConfigs;
    private final Collection<SamlAssertionConsumerConfig> assertionConsumerConfigs;
    private final Collection<SamlEndpoint> singleLogoutEndpoints;
    private final ConcurrentMap<String, HttpData> metadataMap = new MapMaker().makeMap();

    /* JADX INFO: Access modifiers changed from: package-private */
    public SamlMetadataServiceFunction(String str, Credential credential, Credential credential2, Map<String, SamlIdentityProviderConfig> map, Collection<SamlAssertionConsumerConfig> collection, Collection<SamlEndpoint> collection2) {
        this.entityId = str;
        this.signingCredential = credential;
        this.encryptionCredential = credential2;
        this.idpConfigs = map;
        this.assertionConsumerConfigs = collection;
        this.singleLogoutEndpoints = collection2;
    }

    @Override // com.linecorp.armeria.server.saml.SamlServiceFunction
    public HttpResponse serve(ServiceRequestContext serviceRequestContext, AggregatedHttpRequest aggregatedHttpRequest, String str, SamlPortConfig samlPortConfig) {
        HttpData computeIfAbsent = this.metadataMap.computeIfAbsent(str, str2 -> {
            try {
                HttpData ofUtf8 = HttpData.ofUtf8(SerializeSupport.nodeToString(SamlMessageUtil.serialize(buildMetadataEntityDescriptorElement(str2, samlPortConfig))));
                logger.debug("SAML service provider metadata has been prepared for: {}.", str2);
                return ofUtf8;
            } catch (Throwable th) {
                logger.warn("{} Unexpected metadata request.", serviceRequestContext, th);
                return HttpData.EMPTY_DATA;
            }
        });
        return computeIfAbsent != HttpData.EMPTY_DATA ? HttpResponse.of(HTTP_HEADERS, computeIfAbsent) : HttpResponse.of(HttpStatus.NOT_FOUND);
    }

    private EntityDescriptor buildMetadataEntityDescriptorElement(String str, SamlPortConfig samlPortConfig) {
        EntityDescriptor build = SamlMessageUtil.build(EntityDescriptor.DEFAULT_ELEMENT_NAME);
        build.setEntityID(this.entityId);
        SPSSODescriptor build2 = SamlMessageUtil.build(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
        build2.setAuthnRequestsSigned(true);
        build2.setWantAssertionsSigned(true);
        build2.addSupportedProtocol("urn:oasis:names:tc:SAML:2.0:protocol");
        build2.getNameIDFormats().addAll(buildNameIdFormatElements((List) this.idpConfigs.values().stream().map(samlIdentityProviderConfig -> {
            return samlIdentityProviderConfig.nameIdPolicy().format();
        }).distinct().map((v0) -> {
            return v0.urn();
        }).collect(Collectors.toList())));
        List singleLogoutServices = build2.getSingleLogoutServices();
        this.singleLogoutEndpoints.forEach(samlEndpoint -> {
            SingleLogoutService build3 = SamlMessageUtil.build(SingleLogoutService.DEFAULT_ELEMENT_NAME);
            build3.setBinding(samlEndpoint.bindingProtocol().urn());
            build3.setLocation(samlEndpoint.toUriString(samlPortConfig.scheme().uriText(), str, samlPortConfig.port()));
            singleLogoutServices.add(build3);
        });
        int i = 0;
        List assertionConsumerServices = build2.getAssertionConsumerServices();
        Iterator<SamlAssertionConsumerConfig> it = this.assertionConsumerConfigs.iterator();
        while (it.hasNext()) {
            int i2 = i;
            i++;
            assertionConsumerServices.add(buildAssertionConsumerServiceElement(it.next(), samlPortConfig, str, i2));
        }
        X509KeyInfoGeneratorFactory x509KeyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory();
        x509KeyInfoGeneratorFactory.setEmitEntityCertificate(true);
        x509KeyInfoGeneratorFactory.setEmitEntityCertificateChain(true);
        KeyInfoGenerator newInstance = x509KeyInfoGeneratorFactory.newInstance();
        try {
            build2.getKeyDescriptors().add(buildKeyDescriptorElement(UsageType.SIGNING, newInstance.generate(this.signingCredential)));
            build2.getKeyDescriptors().add(buildKeyDescriptorElement(UsageType.ENCRYPTION, newInstance.generate(this.encryptionCredential)));
            build.getRoleDescriptors().add(build2);
            return build;
        } catch (SecurityException e) {
            throw new SamlException("failed to generate KeyInfo element", e);
        }
    }

    private static AssertionConsumerService buildAssertionConsumerServiceElement(SamlAssertionConsumerConfig samlAssertionConsumerConfig, SamlPortConfig samlPortConfig, String str, int i) {
        AssertionConsumerService build = SamlMessageUtil.build(AssertionConsumerService.DEFAULT_ELEMENT_NAME);
        build.setLocation(samlAssertionConsumerConfig.endpoint().toUriString(samlPortConfig.scheme().uriText(), str, samlPortConfig.port()));
        build.setBinding(samlAssertionConsumerConfig.endpoint().bindingProtocol().urn());
        build.setIndex(Integer.valueOf(i));
        if (samlAssertionConsumerConfig.isDefault()) {
            build.setIsDefault(true);
        }
        return build;
    }

    private static Collection<NameIDFormat> buildNameIdFormatElements(Collection<String> collection) {
        SAMLObjectBuilder builder = SamlMessageUtil.builder(NameIDFormat.DEFAULT_ELEMENT_NAME);
        ArrayList arrayList = new ArrayList();
        for (String str : collection) {
            NameIDFormat buildObject = builder.buildObject();
            buildObject.setFormat(str);
            arrayList.add(buildObject);
        }
        return arrayList;
    }

    private static KeyDescriptor buildKeyDescriptorElement(UsageType usageType, @Nullable KeyInfo keyInfo) {
        KeyDescriptor build = SamlMessageUtil.build(KeyDescriptor.DEFAULT_ELEMENT_NAME);
        build.setUse(usageType);
        build.setKeyInfo(keyInfo);
        return build;
    }
}
