package org.wso2.carbon.identity.saml.application.listener.listeners;

import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.base.ServerConfiguration;
import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
import org.wso2.carbon.identity.application.common.model.InboundAuthenticationRequestConfig;
import org.wso2.carbon.identity.application.common.model.Property;
import org.wso2.carbon.identity.application.common.model.ServiceProvider;
import org.wso2.carbon.identity.application.common.model.ServiceProviderProperty;
import org.wso2.carbon.identity.application.mgt.ApplicationManagementService;
import org.wso2.carbon.identity.application.mgt.listener.AbstractApplicationMgtListener;
import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
import org.wso2.carbon.identity.saml.application.listener.internal.IdentitySAMLListenerComponent;
import org.wso2.carbon.identity.saml.application.listener.util.SAMLMetadataParser;
import org.wso2.carbon.identity.sp.metadata.saml2.Exception.InvalidMetadataException;
import org.wso2.carbon.identity.sso.saml.cloud.util.SAMLSSOUtil;
import org.wso2.carbon.security.SecurityConfigException;
import org.wso2.carbon.security.keystore.service.KeyStoreAdminServiceImpl;
import org.wso2.carbon.user.api.UserStoreException;

/* loaded from: input_file:org/wso2/carbon/identity/saml/application/listener/listeners/SAMLMetadataListener.class */
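/**
 * Application-management listener for the {@code samlssocloud} inbound authenticator.
 * <p>
 * On update it either parses an uploaded SAML metadata document into the inbound
 * configuration properties, or imports a directly supplied SP certificate into the
 * tenant key store under the issuer name as alias. The transient {@code metadata} and
 * {@code publicCertificate} properties are stripped before the service provider is
 * persisted; on read the certificate is re-attached from the key store, and on delete
 * it is removed from the key store again.
 */
public class SAMLMetadataListener extends AbstractApplicationMgtListener {

    /** Inbound authentication type whose configurations this listener manages. */
    private static final String SAML_SSO_CLOUD_AUTH_TYPE = "samlssocloud";

    // Inbound authentication property names read and written by this listener.
    private static final String PROP_METADATA = "metadata";
    private static final String PROP_ISSUER = "issuer";
    private static final String PROP_PUBLIC_CERTIFICATE = "publicCertificate";
    private static final String PROP_ALIAS = "alias";
    private static final String PROP_APP_TYPE = "appType";

    /** Value assumed for {@code appType} when neither the SP nor an inbound config declares one. */
    private static final String DEFAULT_APP_TYPE = "standardAPP";
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";
    private static final int SUPER_TENANT_ID = -1234;
    /** Name of the built-in service provider that is exempt from the issuer-uniqueness check. */
    private static final String DEFAULT_APPLICATION_NAME = "default";
    private static final String KEYSTORE_LOCATION_PROPERTY = "Security.KeyStore.Location";

    /**
     * Certificate alias captured in {@link #doPreDeleteApplication} and consumed in
     * {@link #doPostDeleteApplication}. Both callbacks are assumed to run on the same
     * thread for one delete operation. The value is cleared on every path that reads it
     * and again at the start of the next pre-delete, so an aborted delete cannot leak a
     * stale alias into a later request served by the same pooled thread.
     */
    private static final ThreadLocal<String> PENDING_CERT_ALIAS = new ThreadLocal<>();

    private static final Log log = LogFactory.getLog(SAMLMetadataListener.class);

    @Override
    public int getDefaultOrderId() {
        return 25;
    }

    /**
     * Prepares the SAML cloud inbound configuration of {@code serviceProvider} before it is
     * persisted: parses uploaded metadata or imports a supplied certificate, then removes the
     * transient {@code metadata}/{@code publicCertificate} properties.
     *
     * @param serviceProvider the application being updated
     * @param tenantDomain    tenant that owns the application and its key store
     * @param userName        user performing the update (unused here)
     * @return always {@code true}; this listener never vetoes the update
     * @throws IdentityApplicationManagementException if the metadata cannot be parsed, the
     *                                                issuer is missing, or the issuer is
     *                                                already taken by another application
     */
    @Override
    public boolean doPreUpdateApplication(ServiceProvider serviceProvider, String tenantDomain, String userName)
            throws IdentityApplicationManagementException {

        InboundAuthenticationRequestConfig samlConfig = findSamlCloudConfig(serviceProvider);
        if (samlConfig == null) {
            return true;
        }

        Map<String, Property> properties = toPropertyMap(samlConfig.getProperties());

        if (hasValue(properties.get(PROP_METADATA))) {
            if (log.isDebugEnabled()) {
                log.debug("Meta data file uploaded. Updating Service Provider with metadata.");
            }
            updateServiceProviderInboundAuthConfigs(serviceProvider, tenantDomain, properties);
        } else {
            Property issuer = properties.get(PROP_ISSUER);
            if (!hasValue(issuer)) {
                if (log.isDebugEnabled()) {
                    log.debug("No SAML issuer found.");
                }
                // Kept from the original flow: without an issuer nothing is imported and the
                // transient properties are left untouched.
                return true;
            }
            validateIssuer(serviceProvider, tenantDomain, issuer);

            Property publicCertificate = properties.get(PROP_PUBLIC_CERTIFICATE);
            if (hasValue(publicCertificate)) {
                // The issuer name doubles as the key-store alias so the certificate can be
                // found again on read and delete.
                storeCertificateAndAlias(properties, issuer.getValue(), publicCertificate.getValue(), tenantDomain);
            }
        }

        // Never persist the raw metadata document or the PEM text in the SP properties; the
        // certificate lives in the key store and is re-attached on read.
        properties.remove(PROP_METADATA);
        properties.remove(PROP_PUBLIC_CERTIFICATE);
        samlConfig.setProperties(properties.values().toArray(new Property[0]));
        return true;
    }

    /**
     * Remembers the certificate alias of the application's SAML cloud configuration so that
     * {@link #doPostDeleteApplication} can remove the certificate from the key store.
     *
     * @param applicationName application about to be deleted
     * @param tenantDomain    tenant that owns the application
     * @param userName        user performing the delete (unused here)
     * @return always {@code true}
     * @throws IdentityApplicationManagementException if the application cannot be loaded
     */
    @Override
    public boolean doPreDeleteApplication(String applicationName, String tenantDomain, String userName)
            throws IdentityApplicationManagementException {

        // Drop anything left behind by an earlier delete on this thread that never reached
        // the post-delete hook; otherwise a stale alias could be removed for the wrong app.
        PENDING_CERT_ALIAS.remove();

        ServiceProvider serviceProvider =
                ApplicationManagementService.getInstance().getServiceProvider(applicationName, tenantDomain);
        if (serviceProvider == null || serviceProvider.getInboundAuthenticationConfig() == null
                || serviceProvider.getInboundAuthenticationConfig().getInboundAuthenticationRequestConfigs() == null) {
            return true;
        }

        String appType = getConfigTypeFromSPProperties(serviceProvider.getSpProperties());
        for (InboundAuthenticationRequestConfig config
                : serviceProvider.getInboundAuthenticationConfig().getInboundAuthenticationRequestConfigs()) {
            if (!isSamlCloudConfig(config, appType) || config.getProperties() == null) {
                continue;
            }
            for (Property property : config.getProperties()) {
                if (StringUtils.equals(property.getName(), PROP_ALIAS) && StringUtils.isNotBlank(property.getValue())) {
                    PENDING_CERT_ALIAS.set(property.getValue()); // last non-blank alias wins, as before
                }
            }
        }
        return true;
    }

    /**
     * Removes the certificate recorded by {@link #doPreDeleteApplication} from the tenant key
     * store. The thread-local is cleared on every exit path.
     *
     * @param applicationName application that was deleted (unused here)
     * @param tenantDomain    tenant whose key store holds the certificate
     * @param userName        user performing the delete (unused here)
     * @return always {@code true}; a failed removal is logged, not propagated
     */
    @Override
    public boolean doPostDeleteApplication(String applicationName, String tenantDomain, String userName)
            throws IdentityApplicationManagementException {

        try {
            String alias = PENDING_CERT_ALIAS.get();
            if (StringUtils.isBlank(alias)) {
                return true;
            }
            try {
                removeCertFromKeyStore(alias, tenantDomain);
            } catch (SecurityConfigException e) {
                log.warn("Failed to remove certificate with alias " + alias + " from the key store", e);
            }
            return true;
        } finally {
            PENDING_CERT_ALIAS.remove();
        }
    }

    /**
     * Re-attaches the SP certificate from the tenant key store as the transient
     * {@code publicCertificate} property when the SAML cloud configuration carries an alias.
     *
     * @param serviceProvider application that was loaded
     * @param applicationName its name (unused here)
     * @param tenantDomain    tenant whose key store is consulted
     * @return always {@code true}
     */
    @Override
    public boolean doPostGetApplicationExcludingFileBasedSPs(ServiceProvider serviceProvider, String applicationName,
                                                             String tenantDomain)
            throws IdentityApplicationManagementException {

        InboundAuthenticationRequestConfig samlConfig = findSamlCloudConfig(serviceProvider);
        if (samlConfig == null) {
            return true;
        }

        Map<String, Property> properties = toPropertyMap(samlConfig.getProperties());
        Property alias = properties.get(PROP_ALIAS);
        if (!hasValue(alias)) {
            return true;
        }

        String certificate = getCertFromKeyStore(alias.getValue(), tenantDomain);
        if (StringUtils.isBlank(certificate)) {
            return true;
        }

        Property certificateProperty = properties.get(PROP_PUBLIC_CERTIFICATE);
        if (certificateProperty == null) {
            certificateProperty = new Property();
            certificateProperty.setDescription("Certificate");
            certificateProperty.setName(PROP_PUBLIC_CERTIFICATE);
            properties.put(PROP_PUBLIC_CERTIFICATE, certificateProperty);
        }
        certificateProperty.setValue(certificate);
        samlConfig.setProperties(properties.values().toArray(new Property[0]));
        return true;
    }

    /**
     * Parses the Base64-encoded metadata document in {@code properties} and copies the values
     * it yields into the existing inbound properties.
     *
     * @throws IdentityApplicationManagementException if the document is invalid, yields no
     *                                                issuer, or the issuer is already in use
     */
    private void updateServiceProviderInboundAuthConfigs(ServiceProvider serviceProvider, String tenantDomain,
                                                         Map<String, Property> properties)
            throws IdentityApplicationManagementException {

        String applicationName = serviceProvider.getApplicationName();
        String encodedMetadata = properties.get(PROP_METADATA).getValue();
        SAMLMetadataParser parser = new SAMLMetadataParser();
        try {
            // Decode with an explicit charset; the platform default is not reliable across hosts.
            // NOTE(review): the metadata is admin-supplied XML — confirm SAMLMetadataParser
            // disables DTD processing and external entities.
            String metadataXml = new String(Base64.decodeBase64(encodedMetadata), StandardCharsets.UTF_8);
            SAMLSSOServiceProviderDO parsed = parser.parse(metadataXml, new SAMLSSOServiceProviderDO());

            Property issuer = properties.get(PROP_ISSUER);
            if (issuer == null) {
                issuer = new Property();
                issuer.setName(PROP_ISSUER);
                issuer.setDisplayName("Issuer");
                properties.put(PROP_ISSUER, issuer);
            }
            // An explicitly configured issuer takes precedence over the one in the metadata.
            if (StringUtils.isBlank(issuer.getValue())) {
                issuer.setValue(parsed.getIssuer());
            }
            if (StringUtils.isBlank(issuer.getValue())) {
                throw new IdentityApplicationManagementException(
                        "Missing mandatory field 'issuer' in inbound authentication configuration properties.");
            }
            validateIssuer(serviceProvider, tenantDomain, issuer);
            setSAMLConfigs(properties, parsed, parser.getCertificate(), tenantDomain);
        } catch (InvalidMetadataException e) {
            // Keep the cause so the parse failure is diagnosable.
            throw new IdentityApplicationManagementException(
                    "Failed to parse metadata of the Service Provider " + applicationName, e);
        }
    }

    /**
     * Copies the values parsed from the metadata into the inbound properties that are already
     * present (absent properties are not created) and imports the metadata certificate, if any.
     */
    private void setSAMLConfigs(Map<String, Property> properties, SAMLSSOServiceProviderDO parsed,
                                String certificate, String tenantDomain) {

        setIfPresent(properties, "defaultAssertionConsumerURL", parsed.getDefaultAssertionConsumerUrl());
        if (StringUtils.isNotBlank(certificate)) {
            try {
                addCertToKeyStore(parsed.getCertAlias(), certificate, tenantDomain);
                setIfPresent(properties, PROP_ALIAS, parsed.getCertAlias());
            } catch (SecurityConfigException e) {
                log.warn("Failed to add the metadata certificate of issuer " + parsed.getIssuer()
                        + " to the key store; signature validation for this SP will lack the certificate", e);
            }
        }
        setIfPresent(properties, "assertionConsumerURLs", StringUtils.join(parsed.getAssertionConsumerUrls(), ","));
        setIfPresent(properties, "nameIdFormat", parsed.getNameIDFormat());
        setIfPresent(properties, "enableResponseSignature", Boolean.toString(parsed.isDoSignResponse()));
        setIfPresent(properties, "signingAlgorithm", parsed.getSigningAlgorithmUri());
        setIfPresent(properties, "digestAlgorithm", parsed.getDigestAlgorithmUri());
        setIfPresent(properties, "enableSigValidation", Boolean.toString(parsed.isDoValidateSignatureInRequests()));
        setIfPresent(properties, "enableAssertionSigned", Boolean.toString(parsed.isDoSignAssertions()));
        setIfPresent(properties, "enableSingleLogout", Boolean.toString(parsed.isDoSingleLogout()));
        setIfPresent(properties, "sloResponseURL", parsed.getSloResponseURL());
        // Was previously populated from the SLO *response* URL, which silently mis-routed
        // IdP-initiated logout requests.
        setIfPresent(properties, "sloRequestURL", parsed.getSloRequestURL());
    }

    /**
     * Rejects an issuer that is already registered to a different application in the tenant,
     * so one SP cannot take over another SP's identity (and key-store alias).
     *
     * @throws IdentityApplicationManagementException if another application owns the issuer
     */
    private void validateIssuer(ServiceProvider serviceProvider, String tenantDomain, Property issuer)
            throws IdentityApplicationManagementException {

        ServiceProvider owner = ApplicationManagementService.getInstance()
                .getServiceProviderByClientId(issuer.getValue(), SAML_SSO_CLOUD_AUTH_TYPE, tenantDomain);
        if (owner == null || DEFAULT_APPLICATION_NAME.equals(owner.getApplicationName())
                || owner.getApplicationID() == serviceProvider.getApplicationID()) {
            return;
        }
        throw new IdentityApplicationManagementException(
                "An application with the issuer name " + issuer.getValue() + " already exists.");
    }

    /**
     * Imports {@code certificate} into the tenant key store and records {@code alias} in the
     * {@code alias} property. On import failure the alias is left unchanged, so a broken
     * certificate is never advertised as present.
     */
    private void storeCertificateAndAlias(Map<String, Property> properties, String alias, String certificate,
                                          String tenantDomain) {

        if (log.isDebugEnabled()) {
            log.debug("Service Provider certificate provided. Adding certificate to the key store.");
        }
        try {
            addCertToKeyStore(alias, certificate, tenantDomain);
        } catch (SecurityConfigException e) {
            log.warn("Failed to add the certificate of issuer " + alias
                    + " to the key store; the certificate will not be persisted", e);
            return;
        }
        Property aliasProperty = properties.get(PROP_ALIAS);
        if (aliasProperty == null) {
            aliasProperty = new Property();
            aliasProperty.setDescription("Certificate Alias");
            aliasProperty.setName(PROP_ALIAS);
            properties.put(PROP_ALIAS, aliasProperty);
        }
        aliasProperty.setValue(alias);
    }

    /** Imports a certificate into the key store that serves {@code tenantDomain}. */
    private void addCertToKeyStore(String alias, String certificate, String tenantDomain)
            throws SecurityConfigException {
        new KeyStoreAdminServiceImpl().importCertToStore(alias, certificate, resolveKeyStoreName(tenantDomain));
    }

    /**
     * Removes the certificate stored under {@code alias} from the key store that serves
     * {@code tenantDomain}.
     * <p>
     * NOTE(review): the alias comes from the persisted SP properties and, for the super
     * tenant, targets the primary key store — confirm {@code removeCertFromStore} cannot be
     * pointed at the server's own key entry.
     */
    private void removeCertFromKeyStore(String alias, String tenantDomain) throws SecurityConfigException {
        new KeyStoreAdminServiceImpl().removeCertFromStore(alias, resolveKeyStoreName(tenantDomain));
    }

    /**
     * Key store name used by {@link KeyStoreAdminServiceImpl}: the tenant key store for a
     * tenant, or the file name of the configured primary key store for the super tenant.
     */
    private static String resolveKeyStoreName(String tenantDomain) {
        if (!SUPER_TENANT_DOMAIN.equalsIgnoreCase(tenantDomain)) {
            return SAMLSSOUtil.generateKSNameFromDomainName(tenantDomain);
        }
        // Kept as a '/' split as in the original; a location using another separator would
        // yield the whole path as the name.
        String[] segments = ServerConfiguration.getInstance().getFirstProperty(KEYSTORE_LOCATION_PROPERTY).split("/");
        return segments[segments.length - 1];
    }

    /**
     * Reads the certificate stored under {@code alias} from the tenant key store.
     *
     * @return the Base64-encoded DER certificate, or {@code null} if the tenant, key store or
     *         entry cannot be resolved (failures are logged at debug level)
     */
    private String getCertFromKeyStore(String alias, String tenantDomain) {
        int tenantId;
        try {
            tenantId = IdentitySAMLListenerComponent.getRealmService().getTenantManager().getTenantId(tenantDomain);
        } catch (UserStoreException e) {
            if (log.isDebugEnabled()) {
                log.debug("Error getting the tenant ID for the tenant domain " + tenantDomain, e);
            }
            return null;
        }

        KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(tenantId);
        try {
            KeyStore keyStore = tenantId != SUPER_TENANT_ID
                    ? keyStoreManager.getKeyStore(SAMLSSOUtil.generateKSNameFromDomainName(tenantDomain))
                    : keyStoreManager.getPrimaryKeyStore();
            X509Certificate certificate = (X509Certificate) keyStore.getCertificate(alias);
            if (certificate == null) {
                if (log.isDebugEnabled()) {
                    log.debug("No certificate found in the key store for alias " + alias);
                }
                return null;
            }
            // Base64 output is pure ASCII; name the charset rather than relying on the default.
            return new String(Base64.encodeBase64(certificate.getEncoded()), StandardCharsets.US_ASCII);
        } catch (Exception e) {
            // KeyStoreManager declares a bare Exception, so nothing narrower can be caught here.
            if (log.isDebugEnabled()) {
                log.debug("Error retrieving the public certificate for alias " + alias, e);
            }
            return null;
        }
    }

    /**
     * Returns the last inbound configuration of type {@code samlssocloud} whose app type matches
     * the service provider's, or {@code null} when the SP has none (or is incomplete).
     */
    private InboundAuthenticationRequestConfig findSamlCloudConfig(ServiceProvider serviceProvider) {
        if (serviceProvider == null || serviceProvider.getInboundAuthenticationConfig() == null
                || serviceProvider.getInboundAuthenticationConfig().getInboundAuthenticationRequestConfigs() == null) {
            return null;
        }
        String appType = getConfigTypeFromSPProperties(serviceProvider.getSpProperties());
        InboundAuthenticationRequestConfig match = null;
        for (InboundAuthenticationRequestConfig config
                : serviceProvider.getInboundAuthenticationConfig().getInboundAuthenticationRequestConfigs()) {
            if (isSamlCloudConfig(config, appType)) {
                match = config; // last match wins, preserving the original selection
            }
        }
        return match;
    }

    /** True when {@code config} is a SAML cloud configuration for the given app type. */
    private boolean isSamlCloudConfig(InboundAuthenticationRequestConfig config, String appType) {
        return StringUtils.equals(getAppTypeFromAuthnConfigProps(config), appType)
                && StringUtils.equals(config.getInboundAuthType(), SAML_SSO_CLOUD_AUTH_TYPE);
    }

    /** Indexes properties by name; for duplicate names the last one wins. */
    private static Map<String, Property> toPropertyMap(Property[] properties) {
        Map<String, Property> byName = new HashMap<>();
        if (properties != null) {
            for (Property property : properties) {
                byName.put(property.getName(), property);
            }
        }
        return byName;
    }

    /** True when the property exists and carries a non-blank value. */
    private static boolean hasValue(Property property) {
        return property != null && StringUtils.isNotBlank(property.getValue());
    }

    /** Sets {@code value} on the named property only if that property already exists. */
    private static void setIfPresent(Map<String, Property> properties, String name, String value) {
        Property property = properties.get(name);
        if (property != null) {
            property.setValue(value);
        }
    }

    /** App type declared in the inbound config's {@code appType} property, else the default. */
    private String getAppTypeFromAuthnConfigProps(InboundAuthenticationRequestConfig config) {
        if (config.getProperties() != null) {
            for (Property property : config.getProperties()) {
                if (StringUtils.equals(property.getName(), PROP_APP_TYPE)) {
                    return property.getValue();
                }
            }
        }
        return DEFAULT_APP_TYPE;
    }

    /** App type declared in the service provider's {@code appType} property, else the default. */
    private String getConfigTypeFromSPProperties(ServiceProviderProperty[] spProperties) {
        if (spProperties != null) {
            for (ServiceProviderProperty spProperty : spProperties) {
                if (StringUtils.equals(spProperty.getName(), PROP_APP_TYPE)) {
                    return spProperty.getValue();
                }
            }
        }
        return DEFAULT_APP_TYPE;
    }
}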
