package com.liferay.saml.opensaml.integration.internal.metadata;

import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.security.auth.CompanyThreadLocal;
import com.liferay.portal.kernel.util.HttpComponentsUtil;
import com.liferay.portal.kernel.util.Portal;
import com.liferay.portal.kernel.util.StringUtil;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.saml.opensaml.integration.internal.bootstrap.SecurityConfigurationBootstrap;
import com.liferay.saml.opensaml.integration.internal.provider.CachingChainingMetadataResolver;
import com.liferay.saml.opensaml.integration.internal.util.OpenSamlUtil;
import com.liferay.saml.persistence.service.SamlIdpSpConnectionLocalService;
import com.liferay.saml.persistence.service.SamlSpIdpConnectionLocalService;
import com.liferay.saml.runtime.SamlException;
import com.liferay.saml.runtime.configuration.SamlProviderConfiguration;
import com.liferay.saml.runtime.configuration.SamlProviderConfigurationHelper;
import com.liferay.saml.runtime.metadata.LocalEntityManager;
import com.liferay.saml.util.SamlHttpRequestUtil;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import net.shibboleth.utilities.java.support.xml.ParserPool;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.messaging.handler.MessageHandler;
import org.opensaml.messaging.handler.impl.BasicMessageHandlerChain;
import org.opensaml.messaging.handler.impl.CheckMandatoryAuthentication;
import org.opensaml.messaging.handler.impl.CheckMandatoryIssuer;
import org.opensaml.messaging.handler.impl.HTTPRequestValidationHandler;
import org.opensaml.saml.common.binding.security.impl.SAMLProtocolMessageXMLSignatureSecurityHandler;
import org.opensaml.saml.common.messaging.context.navigate.SAMLMessageContextAuthenticationFunction;
import org.opensaml.saml.common.messaging.context.navigate.SAMLMessageContextIssuerFunction;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.metadata.resolver.MetadataResolver;
import org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver;
import org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPPostSimpleSignSecurityHandler;
import org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPRedirectDeflateSignatureSecurityHandler;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.security.impl.MetadataCredentialResolver;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialResolver;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.xmlsec.SecurityConfigurationSupport;
import org.opensaml.xmlsec.config.DefaultSecurityConfigurationBootstrap;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.opensaml.xmlsec.signature.support.impl.ChainingSignatureTrustEngine;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicyOption;
import org.osgi.service.component.annotations.ReferenceScope;

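/**
 * OSGi component that owns the SAML metadata and credential plumbing for the
 * local entity: the chained {@link MetadataResolver} fed by every bound
 * resolver, the credentials resolved for the local entity ID, the signature
 * trust engine built at activation, and the per-connection settings read from
 * the IdP-SP and SP-IdP connection services for the current company.
 *
 * <p>Connection lookups in this class are best-effort: when a connection
 * cannot be loaded the failure is logged at debug level and a neutral value
 * ({@code null}, {@code false} or a provider-wide default) is returned.
 */
@Component(immediate = true, service = {MetadataManager.class, SamlHttpRequestUtil.class})
/* loaded from: input_file:com/liferay/saml/opensaml/integration/internal/metadata/MetadataManagerImpl.class */
public class MetadataManagerImpl implements MetadataManager, SamlHttpRequestUtil {
    private static final Log _log = LogFactoryUtil.getLog(MetadataManagerImpl.class);

    // Built in activate(); a chain of one engine per credential source (metadata, local resolver).
    private ChainingSignatureTrustEngine _chainingSignatureTrustEngine;

    // Resolves the local entity's own credentials (see _resolveLocalEntityCredential).
    private CredentialResolver _credentialResolver;
    private LocalEntityManager _localEntityManager;

    // Built in activate(); resolves credentials published in resolved metadata.
    private MetadataCredentialResolver _metadataCredentialResolver;
    private ParserPool _parserPool;
    private Portal _portal;

    @Reference
    private SamlIdpSpConnectionLocalService _samlIdpSpConnectionLocalService;
    private SamlProviderConfigurationHelper _samlProviderConfigurationHelper;

    @Reference
    private SamlSpIdpConnectionLocalService _samlSpIdpConnectionLocalService;

    @Reference
    private SecurityConfigurationBootstrap _securityConfigurationBootstrap;

    // Aggregates every MetadataResolver bound through setMetadataResolver.
    private final CachingChainingMetadataResolver _cachingChainingMetadataResolver = new CachingChainingMetadataResolver();
    private final PredicateRoleDescriptorResolver _predicateRoleDescriptorResolver = new PredicateRoleDescriptorResolver(this._cachingChainingMetadataResolver);

    /**
     * Returns the assertion lifetime configured on the IdP-SP connection for
     * the given entity ID, or the provider-wide default when the connection
     * cannot be loaded.
     *
     * @param  str the entity ID of the IdP-SP connection (presumably the SP
     *         entity ID — confirm against the service)
     * @return the connection's assertion lifetime, or the configured default
     */
    @Override
    public int getAssertionLifetime(String str) {
        try {
            return _getSamlIdpSpConnection(str).getAssertionLifetime();
        } catch (Exception exception) {
            _logDebug(exception);

            return this._samlProviderConfigurationHelper.getSamlProviderConfiguration().defaultAssertionLifetime();
        }
    }

    /**
     * Returns the attribute names configured on the IdP-SP connection for the
     * given entity ID, one per line of the stored value.
     *
     * @param  str the entity ID of the IdP-SP connection
     * @return the attribute names, or {@code null} when the connection cannot
     *         be loaded
     */
    @Override
    public String[] getAttributeNames(String str) {
        try {
            return StringUtil.splitLines(_getSamlIdpSpConnection(str).getAttributeNames());
        } catch (Exception exception) {
            _logDebug(exception);

            return null;
        }
    }

    /**
     * Returns the clock skew tolerated by the provider configuration.
     *
     * @return the configured clock skew (units as defined by the configuration)
     */
    @Override
    public long getClockSkew() {
        return _getSamlProviderConfiguration().clockSkew();
    }

    /**
     * Resolves the local entity's encryption credential.
     *
     * @return the credential with {@link UsageType#ENCRYPTION}, or
     *         {@code null} when no local entity ID is configured
     * @throws SamlException if credential resolution fails
     */
    @Override
    public Credential getEncryptionCredential() throws SamlException {
        return _resolveLocalEntityCredential(UsageType.ENCRYPTION);
    }

    /**
     * Builds the metadata entity descriptor for the local entity, as IdP or
     * SP depending on the configured role.
     *
     * <p>The portal URL embedded in the descriptor is forced to HTTPS when the
     * provider configuration requires SSL, or when the current request is
     * already secure. A failure to resolve the encryption credential is only
     * logged at debug level and yields a descriptor without an encryption key.
     *
     * @param  httpServletRequest the current request, used to derive the
     *         portal URL
     * @return the IdP or SP entity descriptor, or {@code null} when neither
     *         role is configured
     * @throws SamlException if the descriptor cannot be built
     */
    @Override
    public EntityDescriptor getEntityDescriptor(HttpServletRequest httpServletRequest) throws SamlException {
        Credential encryptionCredential = null;

        try {
            encryptionCredential = getEncryptionCredential();
        } catch (Exception exception) {
            if (_log.isDebugEnabled()) {
                _log.debug("Unable to get encryption credential: " + exception.getMessage(), exception);
            }
        }

        try {
            boolean secure = _isSSLRequired() || this._portal.isSecure(httpServletRequest);

            String portalURL = this._portal.getPortalURL(httpServletRequest, secure);
            String localEntityId = this._localEntityManager.getLocalEntityId();

            if (this._samlProviderConfigurationHelper.isRoleIdp()) {
                return MetadataGeneratorUtil.buildIdpEntityDescriptor(portalURL, localEntityId, _isWantAuthnRequestSigned(), _isSignMetadata(), getSigningCredential(), encryptionCredential);
            }

            if (this._samlProviderConfigurationHelper.isRoleSp()) {
                return MetadataGeneratorUtil.buildSpEntityDescriptor(portalURL, localEntityId, _isSignAuthnRequest(), _isSignMetadata(), _isWantAssertionsSigned(), getSigningCredential(), encryptionCredential);
            }

            return null;
        } catch (Exception exception) {
            throw new SamlException(exception);
        }
    }

    /**
     * Returns the local entity descriptor marshalled to an XML string.
     *
     * @param  httpServletRequest the current request, see
     *         {@link #getEntityDescriptor(HttpServletRequest)}
     * @return the marshalled descriptor
     * @throws SamlException if the descriptor cannot be built or marshalled
     */
    public String getEntityDescriptorString(HttpServletRequest httpServletRequest) throws SamlException {
        try {
            return OpenSamlUtil.marshall(getEntityDescriptor(httpServletRequest));
        } catch (Exception exception) {
            throw new SamlException(exception);
        }
    }

    /**
     * Returns the resolver for credentials published in resolved metadata.
     * Only available after {@link #activate()} has run.
     */
    @Override
    public MetadataCredentialResolver getMetadataCredentialResolver() {
        return this._metadataCredentialResolver;
    }

    /**
     * Returns the chained resolver that aggregates every bound
     * {@link MetadataResolver}.
     */
    @Override
    public MetadataResolver getMetadataResolver() {
        return this._cachingChainingMetadataResolver;
    }

    /**
     * Returns the attribute used as the NameID for the IdP-SP connection with
     * the given entity ID.
     *
     * @param  str the entity ID of the IdP-SP connection
     * @return the configured NameID attribute, or {@code "emailAddress"} when
     *         it is blank or the connection cannot be loaded
     */
    @Override
    public String getNameIdAttribute(String str) {
        String nameIdAttribute = "";

        try {
            nameIdAttribute = _getSamlIdpSpConnection(str).getNameIdAttribute();
        } catch (Exception exception) {
            _logDebug(exception);
        }

        if (Validator.isNotNull(nameIdAttribute)) {
            return nameIdAttribute;
        }

        return "emailAddress";
    }

    /**
     * Returns the NameID format configured for the connection with the given
     * entity ID, read from the IdP-SP connection when this provider is an IdP
     * and from the SP-IdP connection when it is an SP.
     *
     * @param  str the entity ID of the connection
     * @return the configured NameID format, or {@code null} when no role is
     *         configured or the connection cannot be loaded
     */
    @Override
    public String getNameIdFormat(String str) {
        long companyId = CompanyThreadLocal.getCompanyId().longValue();

        if (this._samlProviderConfigurationHelper.isRoleIdp()) {
            try {
                return this._samlIdpSpConnectionLocalService.getSamlIdpSpConnection(companyId, str).getNameIdFormat();
            } catch (Exception exception) {
                _logDebug(exception);

                return null;
            }
        }

        if (!this._samlProviderConfigurationHelper.isRoleSp()) {
            return null;
        }

        try {
            return this._samlSpIdpConnectionLocalService.getSamlSpIdpConnection(companyId, str).getNameIdFormat();
        } catch (Exception exception) {
            _logDebug(exception);

            return null;
        }
    }

    /**
     * Returns the request URI relative to the servlet context, with any path
     * parameters (e.g. {@code ;jsessionid=...}) removed.
     *
     * @param  httpServletRequest the current request
     * @return the context-relative request path without path parameters
     */
    public String getRequestPath(HttpServletRequest httpServletRequest) {
        String requestURI = httpServletRequest.getRequestURI();
        String contextPath = httpServletRequest.getContextPath();

        // The servlet spec guarantees the URI starts with the context path; the
        // startsWith guard keeps substring() from throwing if a container differs.
        if (Validator.isNotNull(contextPath) && !contextPath.equals("/") && requestURI.startsWith(contextPath)) {
            requestURI = requestURI.substring(contextPath.length());
        }

        return HttpComponentsUtil.removePathParameters(requestURI);
    }

    /**
     * Builds the inbound security handler chain for a SAML message received
     * over the given binding.
     *
     * <p>When {@code z} is {@code true} the chain starts with a
     * binding-specific signature validation handler followed by
     * {@link CheckMandatoryAuthentication}, so an unsigned or unverifiable
     * message is rejected. When it is {@code false} no signature handler is
     * added at all; the chain then only enforces a present issuer and the
     * HTTP request checks (TLS when SSL is required), so callers must pass
     * {@code false} only where message authenticity is established elsewhere.
     *
     * @param  httpServletRequest the current request, passed to the handlers
     *         that inspect it
     * @param  str the SAML binding URI the message arrived over
     * @param  z whether a valid signature is mandatory
     * @return the handler chain to run against the inbound message context
     */
    @Override
    @SuppressWarnings({"rawtypes", "unchecked"})
    // The chain's message type parameter is not in scope here, so the chain stays raw.
    public MessageHandler<?> getSecurityMessageHandler(HttpServletRequest httpServletRequest, String str, boolean z) {
        List<MessageHandler<?>> handlers = new ArrayList<>();

        if (z) {
            handlers.add(_createSignatureSecurityHandler(httpServletRequest, str));

            // Reject the message unless the signature handler marked the context as authenticated
            CheckMandatoryAuthentication checkMandatoryAuthentication = new CheckMandatoryAuthentication();

            checkMandatoryAuthentication.setAuthenticationLookupStrategy(new SAMLMessageContextAuthenticationFunction());

            handlers.add(checkMandatoryAuthentication);
        }

        CheckMandatoryIssuer checkMandatoryIssuer = new CheckMandatoryIssuer();

        checkMandatoryIssuer.setIssuerLookupStrategy(new SAMLMessageContextIssuerFunction());

        handlers.add(checkMandatoryIssuer);

        HTTPRequestValidationHandler httpRequestValidationHandler = new HTTPRequestValidationHandler();

        httpRequestValidationHandler.setHttpServletRequest(httpServletRequest);
        httpRequestValidationHandler.setRequireSecured(_isSSLRequired());

        handlers.add(httpRequestValidationHandler);

        BasicMessageHandlerChain basicMessageHandlerChain = new BasicMessageHandlerChain();

        basicMessageHandlerChain.setHandlers(handlers);

        return basicMessageHandlerChain;
    }

    /**
     * Returns the trust engine built in {@link #activate()}.
     */
    @Override
    public SignatureTrustEngine getSignatureTrustEngine() throws SamlException {
        return this._chainingSignatureTrustEngine;
    }

    /**
     * Resolves the local entity's signing credential.
     *
     * @return the credential with {@link UsageType#SIGNING}, or {@code null}
     *         when no local entity ID is configured
     * @throws SamlException if credential resolution fails
     */
    @Override
    public Credential getSigningCredential() throws SamlException {
        return _resolveLocalEntityCredential(UsageType.SIGNING);
    }

    /**
     * Returns the user attribute mappings configured on the SP-IdP connection
     * for the given entity ID.
     *
     * @param  str the entity ID of the SP-IdP connection
     * @return the raw mappings string, or {@code null} when the connection
     *         cannot be loaded
     */
    @Override
    public String getUserAttributeMappings(String str) {
        try {
            return this._samlSpIdpConnectionLocalService.getSamlSpIdpConnection(CompanyThreadLocal.getCompanyId().longValue(), str).getUserAttributeMappings();
        } catch (Exception exception) {
            _logDebug(exception);

            return null;
        }
    }

    /**
     * Returns whether attributes are enabled on the IdP-SP connection for the
     * given entity ID; {@code false} when the connection cannot be loaded.
     */
    @Override
    public boolean isAttributesEnabled(String str) {
        try {
            return _getSamlIdpSpConnection(str).isAttributesEnabled();
        } catch (Exception exception) {
            _logDebug(exception);

            return false;
        }
    }

    /**
     * Returns whether the attributes namespace is enabled on the IdP-SP
     * connection for the given entity ID; {@code false} when the connection
     * cannot be loaded.
     */
    @Override
    public boolean isAttributesNamespaceEnabled(String str) {
        try {
            return _getSamlIdpSpConnection(str).isAttributesNamespaceEnabled();
        } catch (Exception exception) {
            _logDebug(exception);

            return false;
        }
    }

    @Reference(unbind = "-")
    public void setCredentialResolver(CredentialResolver credentialResolver) {
        this._credentialResolver = credentialResolver;
    }

    @Reference(unbind = "-")
    public void setLocalEntityManager(LocalEntityManager localEntityManager) {
        this._localEntityManager = localEntityManager;
    }

    /**
     * Adds a metadata resolver to the aggregated chain. Declarative Services
     * pairs this bind method with {@link #unsetMetadataResolver} by naming
     * convention.
     */
    @Reference(cardinality = ReferenceCardinality.AT_LEAST_ONE, policyOption = ReferencePolicyOption.GREEDY, scope = ReferenceScope.PROTOTYPE_REQUIRED)
    public void setMetadataResolver(MetadataResolver metadataResolver) {
        if (_log.isDebugEnabled()) {
            _log.debug("Adding metadata resolver " + metadataResolver);
        }

        this._cachingChainingMetadataResolver.addMetadataResolver(metadataResolver);
    }

    @Reference(unbind = "-")
    public void setParserPool(ParserPool parserPool) {
        this._parserPool = parserPool;
    }

    @Reference(unbind = "-")
    public void setPortal(Portal portal) {
        this._portal = portal;
    }

    @Reference(unbind = "-")
    public void setSamlProviderConfigurationHelper(SamlProviderConfigurationHelper samlProviderConfigurationHelper) {
        this._samlProviderConfigurationHelper = samlProviderConfigurationHelper;
    }

    /**
     * Removes a metadata resolver from the aggregated chain (DS unbind
     * counterpart of {@link #setMetadataResolver}).
     */
    public void unsetMetadataResolver(MetadataResolver metadataResolver) {
        if (_log.isDebugEnabled()) {
            _log.debug("Removing metadata resolver " + metadataResolver);
        }

        this._cachingChainingMetadataResolver.removeMetadataResolver(metadataResolver);
    }

    /**
     * Initializes the metadata resolvers and builds the credential resolver
     * and signature trust engine.
     *
     * <p>The resulting trust engine is a chain of two explicit-key engines:
     * one backed by credentials published in resolved metadata, one backed by
     * the local {@link CredentialResolver}. A signature is therefore trusted
     * when its key is found by either source.
     *
     * @throws ComponentInitializationException if any resolver fails to
     *         initialize
     */
    @Activate
    protected void activate() throws ComponentInitializationException {
        this._cachingChainingMetadataResolver.setId(CachingChainingMetadataResolver.class.getName());
        this._cachingChainingMetadataResolver.setParserPool(this._parserPool);
        this._cachingChainingMetadataResolver.initialize();

        this._predicateRoleDescriptorResolver.initialize();

        // Resolves keys embedded inline in KeyInfo elements (no external lookups)
        KeyInfoCredentialResolver keyInfoCredentialResolver = DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver();

        this._metadataCredentialResolver = new MetadataCredentialResolver();

        this._metadataCredentialResolver.setKeyInfoCredentialResolver(keyInfoCredentialResolver);
        this._metadataCredentialResolver.setRoleDescriptorResolver(this._predicateRoleDescriptorResolver);
        this._metadataCredentialResolver.initialize();

        List<SignatureTrustEngine> signatureTrustEngines = new ArrayList<>();

        signatureTrustEngines.add(new ExplicitKeySignatureTrustEngine(this._metadataCredentialResolver, keyInfoCredentialResolver));
        signatureTrustEngines.add(new ExplicitKeySignatureTrustEngine(this._credentialResolver, keyInfoCredentialResolver));

        this._chainingSignatureTrustEngine = new ChainingSignatureTrustEngine(signatureTrustEngines);
    }

    @Deactivate
    protected void deactivate() {
        this._predicateRoleDescriptorResolver.destroy();
        this._cachingChainingMetadataResolver.destroy();
    }

    /**
     * Creates the signature validation handler matching the given binding:
     * HTTP-Redirect and HTTP-POST-SimpleSign carry the signature outside the
     * XML and need binding-specific handlers; every other binding is checked
     * for an XML signature on the protocol message.
     */
    private MessageHandler<?> _createSignatureSecurityHandler(HttpServletRequest httpServletRequest, String bindingUri) {
        if (bindingUri.equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
            // The handler reads the signed query string from the raw request
            SAML2HTTPRedirectDeflateSignatureSecurityHandler handler = new SAML2HTTPRedirectDeflateSignatureSecurityHandler();

            handler.setHttpServletRequest(httpServletRequest);

            return handler;
        }

        if (bindingUri.equals(SAMLConstants.SAML2_POST_SIMPLE_SIGN_BINDING_URI)) {
            SAML2HTTPPostSimpleSignSecurityHandler handler = new SAML2HTTPPostSimpleSignSecurityHandler();

            handler.setKeyInfoResolver(SecurityConfigurationSupport.getGlobalDecryptionConfiguration().getDataKeyInfoCredentialResolver());
            handler.setParser(this._parserPool);

            return handler;
        }

        return new SAMLProtocolMessageXMLSignatureSecurityHandler();
    }

    /**
     * Loads the IdP-SP connection for the given entity ID in the current
     * company. Exceptions propagate to the caller, which decides the fallback.
     */
    private com.liferay.saml.persistence.model.SamlIdpSpConnection _getSamlIdpSpConnection(String str) throws Exception {
        return this._samlIdpSpConnectionLocalService.getSamlIdpSpConnection(CompanyThreadLocal.getCompanyId().longValue(), str);
    }

    private SamlProviderConfiguration _getSamlProviderConfiguration() {
        return this._samlProviderConfigurationHelper.getSamlProviderConfiguration();
    }

    private boolean _isSignAuthnRequest() {
        return _getSamlProviderConfiguration().signAuthnRequest();
    }

    private boolean _isSignMetadata() {
        return _getSamlProviderConfiguration().signMetadata();
    }

    private boolean _isSSLRequired() {
        return _getSamlProviderConfiguration().sslRequired();
    }

    private boolean _isWantAssertionsSigned() {
        return _getSamlProviderConfiguration().assertionSignatureRequired();
    }

    private boolean _isWantAuthnRequestSigned() {
        return _getSamlProviderConfiguration().authnRequestSignatureRequired();
    }

    /**
     * Logs a swallowed lookup failure at debug level only; connection lookups
     * in this class are best-effort and fall back to neutral values.
     */
    private static void _logDebug(Exception exception) {
        if (_log.isDebugEnabled()) {
            _log.debug(exception);
        }
    }

    /**
     * Resolves the single credential of the given usage for the local entity.
     *
     * @param  usageType the usage to filter on
     * @return the resolved credential, or {@code null} when no local entity
     *         ID is configured
     * @throws SamlException wrapping any {@link ResolverException}
     */
    private Credential _resolveLocalEntityCredential(UsageType usageType) throws SamlException {
        try {
            String localEntityId = this._localEntityManager.getLocalEntityId();

            if (Validator.isNull(localEntityId)) {
                return null;
            }

            return this._credentialResolver.resolveSingle(new CriteriaSet(new EntityIdCriterion(localEntityId), new UsageCriterion(usageType)));
        } catch (ResolverException resolverException) {
            throw new SamlException(resolverException);
        }
    }
}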
