package pl.edu.icm.unity.saml.metadata.cfg;

import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import org.apache.logging.log4j.Logger;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.PKIManagement;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.saml.idp.SAMLIdPConfiguration;
import pl.edu.icm.unity.saml.idp.TrustedServiceProvider;
import pl.edu.icm.unity.saml.idp.TrustedServiceProviders;
import pl.edu.icm.unity.saml.metadata.cfg.MetadataVerificator;
import pl.edu.icm.unity.saml.metadata.srv.RemoteMetadataService;
import pl.edu.icm.unity.saml.sp.config.BaseSamlConfiguration;
import xmlbeans.org.oasis.saml2.metadata.EntitiesDescriptorDocument;

/* loaded from: input_file:pl/edu/icm/unity/saml/metadata/cfg/IdpRemoteMetaManager.class */
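public class IdpRemoteMetaManager {
    private static final Logger log = Log.getLogger("unity.server.saml", IdpRemoteMetaManager.class);
    private final PKIManagement pkiManagement;
    private final MetaToIDPConfigConverter converter;
    private final RemoteMetadataService metadataService;
    /** Effective IdP configuration; reassigned only under the {@code this} monitor. */
    private SAMLIdPConfiguration configuration;
    /** Consumer key returned by {@code preregisterConsumer} -> the consumer registered for it. */
    private final Map<String, MetadataConsumer> registeredConsumers = new HashMap<>();
    private final MetadataVerificator verificator = new MetadataVerificator();

    /**
     * Callback target for one remote metadata source: on every delivery the metadata is
     * verified first and only then converted and merged into the IdP configuration.
     */
    public class MetadataConsumer {
        private final BaseSamlConfiguration.RemoteMetadataSource metadataConfig;

        /**
         * @param remoteMetadataSource the configured source this consumer serves (url, refresh
         *                             interval, truststore, issuer certificate, signature policy)
         */
        public MetadataConsumer(BaseSamlConfiguration.RemoteMetadataSource remoteMetadataSource) {
            this.metadataConfig = remoteMetadataSource;
        }

        /**
         * Handles newly fetched metadata. Metadata that fails verification is dropped and the
         * current configuration is left untouched.
         *
         * @param entitiesDescriptorDocument fetched SAML metadata
         * @param str                        consumer key under which this consumer was registered
         */
        public void updateMetadata(EntitiesDescriptorDocument entitiesDescriptorDocument, String str) {
            // Verification (validity period, signature) gates everything below: unverified
            // metadata must never reach the trusted SP set.
            if (!IdpRemoteMetaManager.this.isMetadataValid(entitiesDescriptorDocument, this.metadataConfig)) {
                return;
            }
            Set<TrustedServiceProvider> trustedSps =
                    IdpRemoteMetaManager.this.parseMetadata(entitiesDescriptorDocument, this.metadataConfig);
            IdpRemoteMetaManager.this.assembleCombinedConfiguration(trustedSps, str);
        }
    }

    /**
     * Creates the manager and registers a metadata consumer for every configured remote source.
     *
     * @param sAMLIdPConfiguration     initial IdP configuration
     * @param pKIManagement            used to resolve the configured issuer certificate names
     * @param remoteMetadataService    service that downloads metadata and invokes consumers
     * @param metaToIDPConfigConverter converts metadata into {@link TrustedServiceProvider} entries
     */
    public IdpRemoteMetaManager(SAMLIdPConfiguration sAMLIdPConfiguration, PKIManagement pKIManagement,
            RemoteMetadataService remoteMetadataService, MetaToIDPConfigConverter metaToIDPConfigConverter) {
        this.metadataService = remoteMetadataService;
        this.pkiManagement = pKIManagement;
        this.converter = metaToIDPConfigConverter;
        setBaseConfiguration(sAMLIdPConfiguration);
    }

    /** @return the trusted SPs of the current configuration (static plus metadata-derived). */
    public synchronized TrustedServiceProviders getTrustedSps() {
        return this.configuration.trustedServiceProviders;
    }

    /**
     * @return the current effective configuration. Synchronized for consistency with
     *         {@link #getTrustedSps()}, since the field is reassigned under the same monitor.
     */
    public synchronized SAMLIdPConfiguration getSAMLIdPConfiguration() {
        return this.configuration;
    }

    /**
     * Installs a new base configuration. Remote consumers are re-registered only when the set of
     * metadata sources or the static trusted SPs differ from the previous configuration.
     *
     * @param sAMLIdPConfiguration the new base configuration
     */
    synchronized void setBaseConfiguration(SAMLIdPConfiguration sAMLIdPConfiguration) {
        if (this.configuration == null) {
            this.configuration = sAMLIdPConfiguration;
            reinitialize();
            return;
        }
        boolean sourcesUnchanged = this.configuration.trustedMetadataSourcesByUrl
                .equals(sAMLIdPConfiguration.trustedMetadataSourcesByUrl);
        boolean trustedSpsUnchanged = this.configuration.trustedServiceProviders
                .equals(sAMLIdPConfiguration.trustedServiceProviders);
        this.configuration = sAMLIdPConfiguration;
        if (!(sourcesUnchanged && trustedSpsUnchanged)) {
            reinitialize();
        }
    }

    /** Drops every registered consumer and registers fresh ones from the current configuration. */
    private void reinitialize() {
        unregisterAll();
        registerMetadataConsumers();
    }

    /**
     * Registers one consumer per configured remote metadata source. Only invoked while the caller
     * holds the {@code this} monitor (from {@link #setBaseConfiguration}).
     */
    private void registerMetadataConsumers() {
        log.trace("Registering remote metadata consumers");
        for (BaseSamlConfiguration.RemoteMetadataSource source : this.configuration.trustedMetadataSourcesByUrl.values()) {
            MetadataConsumer consumer = new MetadataConsumer(source);
            // The key is handed out by the service before registration so that a callback
            // can be matched against registeredConsumers in assembleCombinedConfiguration.
            String consumerKey = this.metadataService.preregisterConsumer(source.url);
            this.registeredConsumers.put(consumerKey, consumer);
            // Trailing flag passed as false; its meaning is defined by RemoteMetadataService.
            this.metadataService.registerConsumer(consumerKey, source.refreshInterval, source.httpsTruststore,
                    consumer::updateMetadata, false);
        }
    }

    /** Unregisters every consumer from the metadata service and forgets their keys. */
    public synchronized void unregisterAll() {
        log.trace("Unregistering all remote metadata consumers");
        for (String consumerKey : this.registeredConsumers.keySet()) {
            this.metadataService.unregisterConsumer(consumerKey);
        }
        this.registeredConsumers.clear();
    }

    /**
     * Merges metadata-derived trusted SPs into the current configuration.
     *
     * @param set trusted SPs parsed from the delivered metadata
     * @param str consumer key of the delivering consumer; a delivery whose key is no longer
     *            registered (late callback after unregisterAll/reinitialize) is ignored
     */
    private synchronized void assembleCombinedConfiguration(Set<TrustedServiceProvider> set, String str) {
        if (!this.registeredConsumers.containsKey(str)) {
            return;
        }
        this.configuration.trustedServiceProviders.replace(set);
        this.configuration.load();
    }

    /**
     * Converts verified metadata into trusted SP entries.
     *
     * @param metadata       verified SAML metadata
     * @param metadataConfig source the metadata was fetched from (used for logging)
     * @return the trusted SPs described by the metadata
     */
    private Set<TrustedServiceProvider> parseMetadata(EntitiesDescriptorDocument metadata,
            BaseSamlConfiguration.RemoteMetadataSource metadataConfig) {
        Set<TrustedServiceProvider> trustedSps = this.converter.convertToTrustedSps(metadata, this.configuration);
        log.trace("Converted metadata from {} to virtual configuration", metadataConfig.url);
        return trustedSps;
    }

    /**
     * Verifies fetched metadata against the source's policy (validity at the current time and
     * signature check with the configured issuer certificate, if any).
     *
     * @param metadata       fetched SAML metadata
     * @param metadataConfig source configuration providing issuer certificate name and signature policy
     * @return {@code true} only when verification succeeded; any verification or certificate
     *         lookup failure is logged and yields {@code false}, so the metadata is not used
     */
    private boolean isMetadataValid(EntitiesDescriptorDocument metadata,
            BaseSamlConfiguration.RemoteMetadataSource metadataConfig) {
        String issuerCertificateName = metadataConfig.issuerCertificate;
        try {
            X509Certificate issuerCertificate = issuerCertificateName != null
                    ? this.pkiManagement.getCertificate(issuerCertificateName).value
                    : null;
            // The validate call must sit inside the try: a MetadataValidationException is the
            // signal that the metadata is untrusted and has to turn into "return false" rather
            // than escaping from the consumer callback.
            this.verificator.validate(metadata, new Date(), metadataConfig.signatureValidation, issuerCertificate);
            return true;
        } catch (MetadataVerificator.MetadataValidationException e) {
            log.error("Metadata from " + metadataConfig.url + " is invalid, won't be used", e);
            return false;
        } catch (EngineException e) {
            log.error("Problem establishing certificate for metadata validation " + issuerCertificateName, e);
            return false;
        }
    }
}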
