package org.apache.nifi.web.security.saml2.registration;

import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
import org.apache.nifi.security.util.KeyStoreUtils;
import org.apache.nifi.security.util.StandardTlsConfiguration;
import org.apache.nifi.security.util.TlsConfiguration;
import org.apache.nifi.security.util.TlsException;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.web.security.saml2.SamlUrlPath;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.saml2.Saml2Exception;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;

/* loaded from: input_file:org/apache/nifi/web/security/saml2/registration/StandardRelyingPartyRegistrationRepository.class */
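/**
 * Relying Party Registration Repository holding exactly one {@link RelyingPartyRegistration} built from
 * {@link NiFiProperties}. The registration is assembled once in the constructor; the TLS key store supplies
 * the credentials filtered as signing credentials (used for both signing and decryption) and the TLS trust
 * store supplies the credentials filtered as verification credentials (used for both verification and
 * encryption of the Asserting Party).
 */
public class StandardRelyingPartyRegistrationRepository implements RelyingPartyRegistrationRepository {
    static final String BASE_URL_FORMAT = "{baseUrl}%s";

    static final String LOGIN_RESPONSE_LOCATION = String.format(BASE_URL_FORMAT, SamlUrlPath.LOGIN_RESPONSE.getPath());

    static final String SINGLE_LOGOUT_RESPONSE_SERVICE_LOCATION = String.format(BASE_URL_FORMAT, SamlUrlPath.SINGLE_LOGOUT_RESPONSE.getPath());

    // Trust stores hold only certificates, so no key password is needed to read them
    private static final char[] BLANK_PASSWORD = new char[0];

    private static final Logger logger = LoggerFactory.getLogger(StandardRelyingPartyRegistrationRepository.class);

    private final NiFiProperties properties;

    private final Saml2CredentialProvider saml2CredentialProvider = new StandardSaml2CredentialProvider();

    private final RelyingPartyRegistration relyingPartyRegistration;

    /**
     * Build the repository and eagerly construct its single registration from the supplied properties.
     *
     * @param niFiProperties NiFi application properties, must not be null
     * @throws NullPointerException when niFiProperties is null
     * @throws Saml2Exception when the configured key store or trust store cannot be loaded
     */
    public StandardRelyingPartyRegistrationRepository(final NiFiProperties niFiProperties) {
        this.properties = Objects.requireNonNull(niFiProperties, "NiFi Properties required");
        // Must run in the constructor body after properties is assigned: as a field initializer this call
        // would execute before the constructor body and dereference a null properties reference
        this.relyingPartyRegistration = getRelyingPartyRegistration();
    }

    /**
     * Return the single configured registration.
     *
     * @param registrationId Registration identifier; not consulted, every identifier yields the same registration
     * @return the one {@link RelyingPartyRegistration} built from NiFi properties
     */
    @Override
    public RelyingPartyRegistration findByRegistrationId(final String registrationId) {
        return relyingPartyRegistration;
    }

    /**
     * Assemble the registration: service locations, credentials, and Asserting Party details.
     *
     * @return the built registration
     */
    private RelyingPartyRegistration getRelyingPartyRegistration() {
        final RelyingPartyRegistration.Builder registrationBuilder = new StandardRegistrationBuilderProvider(properties).getRegistrationBuilder();
        registrationBuilder.registrationId(Saml2RegistrationProperty.REGISTRATION_ID.getProperty());
        registrationBuilder.entityId(properties.getSamlServiceProviderEntityId());
        registrationBuilder.assertionConsumerServiceLocation(LOGIN_RESPONSE_LOCATION);

        if (properties.isSamlSingleLogoutEnabled()) {
            // Single Logout uses one location for both the request and the response endpoint
            registrationBuilder.singleLogoutServiceLocation(SINGLE_LOGOUT_RESPONSE_SERVICE_LOCATION);
            registrationBuilder.singleLogoutServiceResponseLocation(SINGLE_LOGOUT_RESPONSE_SERVICE_LOCATION);
        }

        final Collection<Saml2X509Credential> credentials = getCredentials();

        final List<Saml2X509Credential> signingCredentials = credentials.stream()
                .filter(Saml2X509Credential::isSigningCredential)
                .collect(Collectors.toList());
        logger.debug("Loaded SAML2 Signing Credentials [{}]", signingCredentials.size());
        // The same private-key credentials sign outgoing messages and decrypt incoming assertions
        registrationBuilder.signingX509Credentials(collection -> collection.addAll(signingCredentials));
        registrationBuilder.decryptionX509Credentials(collection -> collection.addAll(signingCredentials));

        final List<Saml2X509Credential> verificationCredentials = credentials.stream()
                .filter(Saml2X509Credential::isVerificationCredential)
                .collect(Collectors.toList());
        logger.debug("Loaded SAML2 Verification Credentials [{}]", verificationCredentials.size());
        // The same certificate credentials verify Asserting Party signatures and encrypt messages sent to it
        registrationBuilder.assertingPartyDetails(assertingParty -> assertingParty
                .signingAlgorithms(algorithms -> algorithms.add(properties.getSamlSignatureAlgorithm()))
                .verificationX509Credentials(collection -> collection.addAll(verificationCredentials))
                .encryptionX509Credentials(collection -> collection.addAll(verificationCredentials))
        );

        return registrationBuilder.build();
    }

    /**
     * Load credentials from the TLS key store and trust store configured in NiFi properties.
     *
     * @return credentials from whichever of the two stores are populated, key store entries first; empty when neither is
     * @throws Saml2Exception when a populated store cannot be loaded
     */
    private Collection<Saml2X509Credential> getCredentials() {
        final TlsConfiguration tlsConfiguration = StandardTlsConfiguration.fromNiFiProperties(properties);
        final List<Saml2X509Credential> credentials = new ArrayList<>();

        if (tlsConfiguration.isKeystorePopulated()) {
            final KeyStore keyStore = getKeyStore(tlsConfiguration);
            credentials.addAll(saml2CredentialProvider.getCredentials(keyStore, getKeyPassword(tlsConfiguration)));
        }

        if (tlsConfiguration.isTruststorePopulated()) {
            final KeyStore trustStore = getTrustStore(tlsConfiguration);
            credentials.addAll(saml2CredentialProvider.getCredentials(trustStore, BLANK_PASSWORD));
        }

        return credentials;
    }

    /**
     * Select the password protecting private key entries.
     *
     * @param tlsConfiguration TLS configuration with key store settings
     * @return the key password, or the key store password when no separate key password is configured
     */
    private static char[] getKeyPassword(final TlsConfiguration tlsConfiguration) {
        final String keyPassword = tlsConfiguration.getKeyPassword();
        final String password = keyPassword == null ? tlsConfiguration.getKeystorePassword() : keyPassword;
        return password.toCharArray();
    }

    /**
     * Load the configured trust store.
     *
     * @param tlsConfiguration TLS configuration with trust store path, password, and type
     * @return the loaded trust store
     * @throws Saml2Exception when loading fails
     */
    private KeyStore getTrustStore(final TlsConfiguration tlsConfiguration) {
        try {
            // NOTE(review): a null trust store password is dereferenced here; whether isTruststorePopulated()
            // guarantees a password is not visible in this file — confirm against TlsConfiguration
            return KeyStoreUtils.loadKeyStore(
                    tlsConfiguration.getTruststorePath(),
                    tlsConfiguration.getTruststorePassword().toCharArray(),
                    tlsConfiguration.getTruststoreType().getType()
            );
        } catch (final TlsException e) {
            throw new Saml2Exception("Trust Store loading failed", e);
        }
    }

    /**
     * Load the configured key store.
     *
     * @param tlsConfiguration TLS configuration with key store path, password, and type
     * @return the loaded key store
     * @throws Saml2Exception when loading fails
     */
    private KeyStore getKeyStore(final TlsConfiguration tlsConfiguration) {
        try {
            return KeyStoreUtils.loadKeyStore(
                    tlsConfiguration.getKeystorePath(),
                    tlsConfiguration.getKeystorePassword().toCharArray(),
                    tlsConfiguration.getKeystoreType().getType()
            );
        } catch (final TlsException e) {
            throw new Saml2Exception("Key Store loading failed", e);
        }
    }
}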
