package org.keycloak.protocol.saml.installation;

import java.net.URI;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.TreeSet;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.keycloak.Config;
import org.keycloak.common.util.PemUtils;
import org.keycloak.dom.saml.v2.metadata.KeyTypes;
import org.keycloak.keys.KeyMetadata;
import org.keycloak.keys.RsaKeyMetadata;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.ClientInstallationProvider;
import org.keycloak.protocol.saml.SamlClient;
import org.keycloak.saml.SPMetadataDescriptor;
import org.keycloak.services.resources.RealmsResource;

/* loaded from: input_file:wildfly-10.1.0.Final/modules/system/add-ons/keycloak/org/keycloak/keycloak-services/main/keycloak-services-2.5.5.Final.jar:org/keycloak/protocol/saml/installation/SamlIDPDescriptorClientInstallation.class */
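/**
 * Client installation provider that renders the realm's SAML 2.0 IdP metadata
 * ({@code EntityDescriptor}/{@code IDPSSODescriptor}) tailored to one client: bindings and
 * NameID formats follow that client's SAML settings, and the realm's enabled RSA signing keys
 * are published as {@code KeyDescriptor} entries.
 *
 * <p>The same object acts as both the provider and its factory ({@link #create2} returns
 * {@code this}); it holds no state, so sharing one instance is safe.
 */
public class SamlIDPDescriptorClientInstallation implements ClientInstallationProvider {

    /**
     * Builds the client-tailored IdP descriptor.
     *
     * <p>HTTP-Redirect endpoints are omitted when the client forces POST binding, and a single
     * {@code NameIDFormat} is advertised when the client forces a specific format; otherwise the
     * four formats the IdP supports are listed. Keys are published active-first, then by
     * descending provider priority.
     *
     * @param keycloakSession session used to look up the realm's RSA keys
     * @param realmModel realm whose endpoints and keys are described
     * @param clientModel client whose SAML configuration shapes the descriptor
     * @param uri base URI from which the realm and SAML endpoint URLs are derived
     * @return the descriptor as an XML document string
     */
    public static String getIDPDescriptorForClient(KeycloakSession keycloakSession, RealmModel realmModel, ClientModel clientModel, URI uri) {
        SamlClient samlClient = new SamlClient(clientModel);
        // Inserted values are XML-escaped so a realm name or NameID format that happens to
        // contain '&', '<' or '"' cannot produce a malformed document. Ordinary URLs and URNs
        // contain none of these characters and are passed through unchanged.
        String entityId = xmlEscape(RealmsResource.realmBaseUrl(UriBuilder.fromUri(uri)).build(realmModel.getName()).toString());
        String samlEndpoint = xmlEscape(RealmsResource.protocolUrl(UriBuilder.fromUri(uri)).build(realmModel.getName(), "saml").toString());

        StringBuilder sb = new StringBuilder();
        sb.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<EntityDescriptor entityID=\"").append(entityId).append("\"\n                   xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\"\n                   xmlns:dsig=\"http://www.w3.org/2000/09/xmldsig#\"\n                   xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\n   <IDPSSODescriptor WantAuthnRequestsSigned=\"").append(samlClient.requiresClientSignature()).append("\"\n      protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n");

        // Single logout: POST is always offered; Redirect only when the client does not force POST.
        sb.append("      <SingleLogoutService\n         Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"\n         Location=\"").append(samlEndpoint).append("\" />\n");
        if (!samlClient.forcePostBinding()) {
            sb.append("      <SingleLogoutService\n         Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\"\n         Location=\"").append(samlEndpoint).append("\" />\n");
        }

        // NameID formats: the client's forced format when set, else everything the IdP supports.
        if (!samlClient.forceNameIDFormat() || samlClient.getNameIDFormat() == null) {
            sb.append("   <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>\n   <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>\n   <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>\n   <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>\n");
        } else {
            sb.append("   <NameIDFormat>").append(xmlEscape(samlClient.getNameIDFormat())).append("</NameIDFormat>\n");
        }

        // Single sign-on: same binding rule as logout.
        sb.append("\n      <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"\n         Location=\"").append(samlEndpoint).append("\" />\n");
        if (!samlClient.forcePostBinding()) {
            sb.append("      <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\"\n         Location=\"").append(samlEndpoint).append("\" />\n");
        }

        // Every enabled key (active and passive) is published, presumably so SPs can still verify
        // assertions signed with a key that has since been rotated to passive. A sorted list is
        // used instead of a TreeSet: a TreeSet treats two keys that compare equal (same status
        // and same provider priority) as duplicates and would silently drop one of them.
        List<RsaKeyMetadata> keys = new ArrayList<>(keycloakSession.keys().getRsaKeys(realmModel, false));
        keys.sort(SamlIDPDescriptorClientInstallation::compareKeys);
        for (RsaKeyMetadata key : keys) {
            addKeyInfo(sb, key, KeyTypes.SIGNING.value());
        }

        sb.append("   </IDPSSODescriptor>\n</EntityDescriptor>\n");
        return sb.toString();
    }

    /**
     * Publication order for keys: active keys before passive ones; within the same status the
     * higher provider priority comes first.
     */
    private static int compareKeys(RsaKeyMetadata first, RsaKeyMetadata second) {
        if (first.getStatus() != second.getStatus()) {
            return first.getStatus() == KeyMetadata.Status.PASSIVE ? 1 : -1;
        }
        // Long.compare rather than a subtraction narrowed to int, which can overflow or truncate.
        return Long.compare(second.getProviderPriority(), first.getProviderPriority());
    }

    /**
     * Appends a {@code KeyDescriptor} for {@code rsaKeyMetadata} (its kid and PEM-encoded
     * certificate) with the given use; a {@code null} key is skipped.
     *
     * @param sb buffer the descriptor fragment is appended to
     * @param rsaKeyMetadata key to publish, or {@code null} for no-op
     * @param use SAML key use, e.g. {@code KeyTypes.SIGNING.value()}
     */
    private static void addKeyInfo(StringBuilder sb, RsaKeyMetadata rsaKeyMetadata, String use) {
        if (rsaKeyMetadata == null) {
            return;
        }
        sb.append(SPMetadataDescriptor.xmlKeyInfo("      ", rsaKeyMetadata.getKid(), PemUtils.encodeCertificate(rsaKeyMetadata.getCertificate()), use, false));
    }

    /**
     * Escapes the five XML special characters so {@code value} can be embedded in attribute
     * values and element text.
     *
     * @param value raw text; {@code null} is returned as-is
     * @return the escaped text
     */
    private static String xmlEscape(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':
                    out.append("&amp;");
                    break;
                case '<':
                    out.append("&lt;");
                    break;
                case '>':
                    out.append("&gt;");
                    break;
                case '"':
                    out.append("&quot;");
                    break;
                case '\'':
                    out.append("&apos;");
                    break;
                default:
                    out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Serves the descriptor as an HTTP 200 response.
     *
     * <p>The body is sent as {@code text/plain} even though {@link #getMediaType()} reports
     * {@code application/xml}; presumably so the admin console shows it inline rather than
     * triggering a download — confirm before changing either side.
     */
    @Override // org.keycloak.protocol.ClientInstallationProvider
    public Response generateInstallation(KeycloakSession keycloakSession, RealmModel realmModel, ClientModel clientModel, URI uri) {
        return Response.ok(getIDPDescriptorForClient(keycloakSession, realmModel, clientModel, uri), MediaType.TEXT_PLAIN_TYPE).build();
    }

    /** Protocol this installation applies to. */
    @Override // org.keycloak.protocol.ClientInstallationProvider
    public String getProtocol() {
        return "saml";
    }

    /** Label shown in the installation type selector. */
    @Override // org.keycloak.protocol.ClientInstallationProvider
    public String getDisplayType() {
        return "SAML Metadata IDPSSODescriptor";
    }

    /** Explanatory text shown next to the installation type. */
    @Override // org.keycloak.protocol.ClientInstallationProvider
    public String getHelpText() {
        return "SAML Metadata IDSSODescriptor tailored for the client.  This is special because not every client may require things like digital signatures";
    }

    /** Suggested file name when the descriptor is downloaded. */
    @Override // org.keycloak.protocol.ClientInstallationProvider
    public String getFilename() {
        return "client-tailored-saml-idp-metadata.xml";
    }

    /** Media type of the downloadable descriptor. */
    @Override // org.keycloak.protocol.ClientInstallationProvider
    public String getMediaType() {
        return "application/xml";
    }

    /** The descriptor can be displayed inline; it is not restricted to download. */
    @Override // org.keycloak.protocol.ClientInstallationProvider
    public boolean isDownloadOnly() {
        return false;
    }

    /** No resources are held, so there is nothing to release. */
    @Override // org.keycloak.provider.Provider
    public void close() {
    }

    /**
     * Returns this instance as the provider; the class is stateless so factory and provider
     * are the same object. (The decompiler renamed this method from {@code create} because of
     * an erasure collision; the real signature is {@code create(KeycloakSession)}.)
     */
    @Override // org.keycloak.provider.ProviderFactory
    /* renamed from: create */
    public ClientInstallationProvider create2(KeycloakSession keycloakSession) {
        return this;
    }

    /** No configuration is read. */
    @Override // org.keycloak.provider.ProviderFactory
    public void init(Config.Scope scope) {
    }

    /** No post-initialization work is needed. */
    @Override // org.keycloak.provider.ProviderFactory
    public void postInit(KeycloakSessionFactory keycloakSessionFactory) {
    }

    /** Factory id under which this provider is registered. */
    @Override // org.keycloak.provider.ProviderFactory
    public String getId() {
        return "saml-idp-descriptor";
    }
}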
