package net.shibboleth.idp.attribute.impl;

import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.function.BiFunction;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.servlet.http.HttpServletRequest;
import net.shibboleth.idp.attribute.PairwiseId;
import net.shibboleth.idp.attribute.PairwiseIdStore;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.codec.Base32Support;
import net.shibboleth.utilities.java.support.codec.Base64Support;
import net.shibboleth.utilities.java.support.codec.DecodingException;
import net.shibboleth.utilities.java.support.codec.EncodingException;
import net.shibboleth.utilities.java.support.component.AbstractInitializableComponent;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.primitive.NonnullSupplier;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/idp-attribute-impl-4.3.2.jar:net/shibboleth/idp/attribute/impl/ComputedPairwiseIdStore.class */
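/**
 * {@link PairwiseIdStore} that derives a pairwise identifier by hashing the
 * recipient entityID, the source system ID and a secret salt, then encoding
 * the digest as base64 or base32. Nothing is persisted by this class.
 *
 * <p>Security notes for reviewers and deployers:</p>
 * <ul>
 *   <li>The salt is the only secret input to the digest. The 16-byte minimum is
 *       enforced in {@link #doInitialize()} for the global salt only. Salts taken
 *       from the exception map or from the lookup strategy are used as-is, with
 *       no length check.</li>
 *   <li>The default digest name is {@code "SHA"}, which the JCA resolves to SHA-1.
 *       Changing the algorithm, the salt or the encoding changes every identifier
 *       this store produces, so treat them as fixed once identifiers are released.</li>
 *   <li>Strings are converted with {@code String.getBytes()}, which uses the platform
 *       default charset on JVMs older than 18. That is kept unchanged on purpose:
 *       switching charset would alter identifiers for non-ASCII inputs. Pin
 *       {@code file.encoding} consistently across nodes instead.</li>
 *   <li>The digest input is {@code recipient '!' source '!' salt}; the fields are
 *       joined with a literal {@code '!'} and are not escaped. The principal name is
 *       validated and used for exception-map lookup but is not part of the digest.</li>
 * </ul>
 */
public class ComputedPairwiseIdStore extends AbstractInitializableComponent implements PairwiseIdStore {

    /** Key that matches any principal (outer map) or any relying party (inner map). */
    @NotEmpty
    @Nonnull
    public static final String WILDCARD_OVERRIDE = "*";

    /** Minimum accepted length, in bytes, of the global salt. */
    private static final int MIN_SALT_LENGTH = 16;

    /** Separator byte fed to the digest after each identifier field ('!' == 33). */
    private static final byte FIELD_DELIMITER = (byte) '!';

    // Global salt; secret material. Never logged by this class.
    @NonnullAfterInit
    private byte[] salt;

    // Optional per-request salt source, consulted after the exception map.
    @Nullable
    BiFunction<ProfileRequestContext, PairwiseId, String> saltLookupStrategy;

    // Optional source of the current request, used to find the ProfileRequestContext.
    @Nullable
    NonnullSupplier<HttpServletRequest> httpServletRequestSupplier;

    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ComputedPairwiseIdStore.class);

    // JCA digest name; "SHA" is the JCA alias for SHA-1.
    @NotEmpty
    @Nonnull
    private String algorithm = "SHA";

    @Nonnull
    private Encoding encoding = Encoding.BASE64;

    // principal (or "*") -> relying party (or "*") -> override salt; a null salt blocks generation.
    @Nonnull
    private Map<String, Map<String, String>> exceptionMap = Collections.emptyMap();

    /* loaded from: input_file:WEB-INF/lib/idp-attribute-impl-4.3.2.jar:net/shibboleth/idp/attribute/impl/ComputedPairwiseIdStore$Encoding.class */
    /** Text encodings available for the computed digest. */
    public enum Encoding {
        BASE64,
        BASE32
    }

    /**
     * Returns the global salt.
     *
     * <p>The internal array is returned without copying, so callers hold a live
     * reference to the secret and must neither modify nor log it.</p>
     *
     * @return the global salt, or {@code null} if none was configured
     */
    @NonnullAfterInit
    public byte[] getSalt() {
        return this.salt;
    }

    /**
     * Sets the global salt from raw bytes. A null or empty array is ignored and
     * leaves any previously set salt in place. The array is stored by reference.
     *
     * @param bArr salt bytes
     */
    public void setSalt(@Nullable byte[] bArr) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        if (bArr != null && bArr.length > 0) {
            this.salt = bArr;
        }
    }

    /**
     * Sets the global salt from a string. A null or empty string is ignored.
     *
     * @param str salt text
     */
    public void setSalt(@Nullable String str) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        if (str != null && !str.isEmpty()) {
            // Platform default charset, kept for identifier stability (see class notes).
            this.salt = str.getBytes();
        }
    }

    /**
     * Sets the global salt from a base64-encoded string. A null or empty string is ignored.
     *
     * @param str base64 text of the salt
     * @throws IllegalArgumentException if the value cannot be base64-decoded
     */
    public void setEncodedSalt(@Nullable String str) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        if (str == null || str.isEmpty()) {
            return;
        }
        try {
            this.salt = Base64Support.decode(str);
        } catch (DecodingException e) {
            // The message deliberately omits the offending value: it is secret material.
            throw new IllegalArgumentException("Can not decode base64 encoded salt value", e);
        }
    }

    /**
     * Returns the JCA digest algorithm name.
     *
     * @return the configured digest algorithm name
     */
    @NotEmpty
    @Nonnull
    public String getAlgorithm() {
        return this.algorithm;
    }

    /**
     * Sets the JCA digest algorithm name. The name is trimmed and must not be empty.
     * Whether the JVM supports it is only discovered in
     * {@link #getBySourceValue(PairwiseId, boolean)}.
     *
     * @param str digest algorithm name
     */
    public void setAlgorithm(@NotEmpty @Nonnull String str) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.algorithm = (String) Constraint.isNotNull(StringSupport.trimOrNull(str), "Digest algorithm cannot be null or empty");
    }

    /**
     * Returns the encoding applied to the digest.
     *
     * @return the configured encoding
     */
    @Nonnull
    public Encoding getEncoding() {
        return this.encoding;
    }

    /**
     * Sets the encoding applied to the digest.
     *
     * @param encoding encoding to use, never null
     */
    public void setEncoding(@Nonnull Encoding encoding) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.encoding = (Encoding) Constraint.isNotNull(encoding, "Encoding cannot be null");
    }

    /**
     * Installs the per-principal / per-relying-party salt overrides.
     *
     * <p>Keys are trimmed; entries with an empty key or a null inner map are
     * dropped. Inner values are trimmed too, and an empty value becomes
     * {@code null}, which blocks identifier generation for that pair. Override
     * salts are not subject to the 16-byte minimum applied to the global salt.</p>
     *
     * @param map overrides, or {@code null} to clear them
     */
    public void setExceptionMap(@NotEmpty @Nullable Map<String, Map<String, String>> map) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        if (map == null) {
            this.exceptionMap = Collections.emptyMap();
            return;
        }
        // Build into a typed local first so the field never exposes a half-filled map.
        final Map<String, Map<String, String>> rebuilt = new HashMap<>(map.size());
        for (final Map.Entry<String, Map<String, String>> principalEntry : map.entrySet()) {
            final String principal = StringSupport.trimOrNull(principalEntry.getKey());
            final Map<String, String> perRelyingParty = principalEntry.getValue();
            if (principal == null || perRelyingParty == null) {
                continue;
            }
            final Map<String, String> cleaned = new HashMap<>(perRelyingParty.size());
            for (final Map.Entry<String, String> rpEntry : perRelyingParty.entrySet()) {
                final String relyingParty = StringSupport.trimOrNull(rpEntry.getKey());
                if (relyingParty != null) {
                    // A null value is kept on purpose: it means "block generation".
                    cleaned.put(relyingParty, StringSupport.trimOrNull(rpEntry.getValue()));
                }
            }
            rebuilt.put(principal, cleaned);
        }
        this.exceptionMap = rebuilt;
    }

    /**
     * Sets the strategy that can supply a salt for a given request and identifier.
     * Salts it returns are not length-checked by this class.
     *
     * @param biFunction lookup strategy, or {@code null} for none
     */
    public void setSaltLookupStrategy(@Nullable BiFunction<ProfileRequestContext, PairwiseId, String> biFunction) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.saltLookupStrategy = biFunction;
    }

    /**
     * Sets the supplier of the current servlet request.
     *
     * @param nonnullSupplier request supplier, or {@code null} for none
     */
    public void setHttpServletRequestSupplier(@Nullable NonnullSupplier<HttpServletRequest> nonnullSupplier) {
        // NOTE(review): unlike the other setters, there is no initialized-state guard here,
        // so the supplier can be swapped after initialization - confirm this is intended.
        this.httpServletRequestSupplier = nonnullSupplier;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Validates the salt configuration: either a global salt of at least 16
     * bytes or a salt lookup strategy must be present.
     *
     * @throws ComponentInitializationException if neither is configured, or the global salt is too short
     */
    @Override // net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
    public void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        final byte[] globalSalt = getSalt();
        if (globalSalt == null) {
            if (this.saltLookupStrategy == null) {
                throw new ComponentInitializationException("Global salt and salt lookup strategy cannot both be null");
            }
        } else if (globalSalt.length < MIN_SALT_LENGTH) {
            throw new ComponentInitializationException("Salt must be at least 16 bytes in size");
        }
    }

    /**
     * Computes the pairwise ID for the given input and stores it on that same object.
     *
     * @param pairwiseId input carrying recipient entityID, principal name and source system ID
     * @param z not read by this implementation
     * @return the same {@code pairwiseId} instance with its pairwise ID populated
     * @throws IOException if no salt is available for this principal and relying party,
     *         the digest algorithm is unsupported, or the digest cannot be encoded
     */
    @Override // net.shibboleth.idp.attribute.PairwiseIdStore
    @Nullable
    public PairwiseId getBySourceValue(@Nonnull PairwiseId pairwiseId, boolean z) throws IOException {
        ComponentSupport.ifNotInitializedThrowUninitializedComponentException(this);
        Constraint.isNotNull(pairwiseId, "Input PairwiseId object cannot be null");
        Constraint.isNotEmpty(pairwiseId.getRecipientEntityID(), "Recipient entityID cannot be null or empty");
        Constraint.isNotEmpty(pairwiseId.getPrincipalName(), "Principal name cannot be null or empty");
        Constraint.isNotEmpty(pairwiseId.getSourceSystemId(), "Source system ID cannot be null or empty");

        final byte[] effectiveSalt = getEffectiveSalt(pairwiseId);
        if (effectiveSalt == null) {
            // Fail closed: without a salt the identifier would not be secret-derived.
            this.log.warn("Pairwise ID generation blocked for relying party ({}), no salt available", pairwiseId.getRecipientEntityID());
            throw new IOException("Pairwise ID generation blocked due to absence of salt");
        }

        try {
            final MessageDigest messageDigest = MessageDigest.getInstance(this.algorithm);
            // Digest input: recipient '!' source '!' salt. Platform default charset is kept
            // because changing it would change already-issued identifiers.
            messageDigest.update(pairwiseId.getRecipientEntityID().getBytes());
            messageDigest.update(FIELD_DELIMITER);
            messageDigest.update(pairwiseId.getSourceSystemId().getBytes());
            messageDigest.update(FIELD_DELIMITER);

            final String encoded;
            if (this.encoding == Encoding.BASE32) {
                encoded = Base32Support.encode(messageDigest.digest(effectiveSalt), false);
            } else if (this.encoding == Encoding.BASE64) {
                encoded = Base64Support.encode(messageDigest.digest(effectiveSalt), false);
            } else {
                throw new IOException("Desired encoding was not recognized, unable to compute ID");
            }
            pairwiseId.setPairwiseId(encoded);
            return pairwiseId;
        } catch (NoSuchAlgorithmException e) {
            this.log.error("Digest algorithm {} is not supported", this.algorithm);
            throw new IOException("Digest algorithm was not supported, unable to compute ID", e);
        } catch (EncodingException e2) {
            this.log.error("Unable to {} encode digest", this.encoding);
            throw new IOException("Unable to either base64 or base32 encode digest, unable to compute ID", e2);
        }
    }

    /**
     * Resolves the salt to use for one identifier.
     *
     * <p>Order of precedence: the exception map entry for the principal (falling
     * back to the {@code "*"} principal), looked up by relying party and then by
     * {@code "*"}; next the salt lookup strategy; finally the global salt. An
     * exception-map key that is present with a null value blocks generation and
     * stops the search.</p>
     *
     * @param pairwiseId identifier being computed
     * @return salt bytes, or {@code null} when generation is blocked or no salt exists
     */
    @Nullable
    private byte[] getEffectiveSalt(@Nonnull PairwiseId pairwiseId) {
        final String principal = pairwiseId.getPrincipalName();
        final String relyingParty = pairwiseId.getRecipientEntityID();

        Map<String, String> overrides = this.exceptionMap.get(principal);
        if (overrides == null) {
            overrides = this.exceptionMap.get(WILDCARD_OVERRIDE);
        }
        if (overrides != null) {
            // containsKey (not get) decides the match, because a null value is meaningful.
            final String matchedKey;
            if (overrides.containsKey(relyingParty)) {
                matchedKey = relyingParty;
            } else if (overrides.containsKey(WILDCARD_OVERRIDE)) {
                matchedKey = WILDCARD_OVERRIDE;
            } else {
                matchedKey = null;
            }
            if (matchedKey != null) {
                final String overrideSalt = overrides.get(matchedKey);
                if (overrideSalt != null) {
                    this.log.debug("Overriding salt for principal '{}' and relying party '{}'", principal, relyingParty);
                    // Override salts bypass the 16-byte minimum enforced on the global salt.
                    return overrideSalt.getBytes();
                }
                this.log.debug("Blocked generation of ID for principal '{}' for relying party '{}'", principal, relyingParty);
                return null;
            }
        }

        if (this.saltLookupStrategy != null) {
            final ProfileRequestContext profileRequestContext = this.httpServletRequestSupplier != null
                    ? (ProfileRequestContext) this.httpServletRequestSupplier.get().getAttribute(ProfileRequestContext.BINDING_KEY)
                    : null;
            final String lookedUp = this.saltLookupStrategy.apply(profileRequestContext, pairwiseId);
            if (lookedUp != null) {
                return lookedUp.getBytes();
            }
        }
        return this.salt;
    }
}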
