package org.keycloak.adapters.saml.rotation;

import java.security.Key;
import java.security.KeyManagementException;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.x500.X500Principal;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyName;
import org.apache.http.client.HttpClient;
import org.jboss.logging.Logger;
import org.keycloak.adapters.cloned.HttpAdapterUtils;
import org.keycloak.adapters.cloned.HttpClientAdapterException;
import org.keycloak.common.util.Time;
import org.keycloak.dom.saml.v2.metadata.KeyTypes;
import org.keycloak.rotation.KeyLocator;
import org.keycloak.saml.processing.api.util.KeyInfoTools;

/* loaded from: input_file:WEB-INF/lib/keycloak-saml-adapter-core-14.0.0.jar:org/keycloak/adapters/saml/rotation/SamlDescriptorPublicKeyLocator.class */
public class SamlDescriptorPublicKeyLocator implements KeyLocator, Iterable<PublicKey> {
    private static final Logger LOG = Logger.getLogger((Class<?>) SamlDescriptorPublicKeyLocator.class);
    private final int minTimeBetweenDescriptorRequests;
    private final int cacheEntryTtl;
    private final String descriptorUrl;
    private final HttpClient client;
    private final Map<String, PublicKey> publicKeyCache = new ConcurrentHashMap();
    private volatile int lastRequestTime = 0;

    public SamlDescriptorPublicKeyLocator(String str, int i, int i2, HttpClient httpClient) {
        this.minTimeBetweenDescriptorRequests = i <= 0 ? 20 : i;
        this.descriptorUrl = str;
        this.cacheEntryTtl = i2;
        this.client = httpClient;
    }

    @Override // org.keycloak.rotation.KeyLocator
    public Key getKey(String str) throws KeyManagementException {
        PublicKey publicKey;
        if (str == null) {
            LOG.debugf("Invalid key id: %s", str);
            return null;
        }
        LOG.tracef("Requested key id: %s", str);
        int currentTime = Time.currentTime();
        if (currentTime > this.lastRequestTime + this.cacheEntryTtl) {
            LOG.debugf("Performing regular cache cleanup.", new Object[0]);
            publicKey = refreshCertificateCacheAndGet(str);
        } else {
            publicKey = this.publicKeyCache.get(str);
            if (publicKey == null) {
                if (currentTime > this.lastRequestTime + this.minTimeBetweenDescriptorRequests) {
                    publicKey = refreshCertificateCacheAndGet(str);
                } else {
                    LOG.debugf("Won't send request to realm SAML descriptor url, timeout not expired. Last request time was %d", this.lastRequestTime);
                }
            }
        }
        return publicKey;
    }

    @Override // org.keycloak.rotation.KeyLocator
    public synchronized void refreshKeyCache() {
        LOG.info("Forcing key cache cleanup and refresh.");
        this.publicKeyCache.clear();
        refreshCertificateCacheAndGet(null);
    }

    private synchronized PublicKey refreshCertificateCacheAndGet(String str) {
        if (this.descriptorUrl == null) {
            return null;
        }
        this.lastRequestTime = Time.currentTime();
        LOG.debugf("Refreshing public key cache from %s", this.descriptorUrl);
        try {
            List<KeyInfo> list = HttpAdapterUtils.downloadKeysFromSamlDescriptor(this.client, this.descriptorUrl).get(KeyTypes.SIGNING.value());
            if (list == null) {
                return null;
            }
            LOG.debugf("Certificates retrieved from server, filling public key cache", new Object[0]);
            this.publicKeyCache.clear();
            for (KeyInfo keyInfo : list) {
                KeyName keyName = KeyInfoTools.getKeyName(keyInfo);
                X509Certificate x509Certificate = KeyInfoTools.getX509Certificate(keyInfo);
                if (x509Certificate != null) {
                    try {
                        x509Certificate.checkValidity();
                        if (keyName != null) {
                            LOG.tracef("Registering signing certificate %s", keyName.getName());
                            this.publicKeyCache.put(keyName.getName(), x509Certificate.getPublicKey());
                        } else {
                            X500Principal subjectX500Principal = x509Certificate.getSubjectX500Principal();
                            String str2 = (subjectX500Principal == null ? "unnamed" : subjectX500Principal.getName()) + "@" + x509Certificate.getSerialNumber() + "$" + UUID.randomUUID();
                            this.publicKeyCache.put(str2, x509Certificate.getPublicKey());
                            LOG.tracef("Adding certificate %s without a specific key name: %s", str2, x509Certificate);
                        }
                    } catch (CertificateException e) {
                    }
                }
            }
            if (str == null) {
                return null;
            }
            return this.publicKeyCache.get(str);
        } catch (HttpClientAdapterException e2) {
            LOG.error("Could not refresh certificates from the server", e2);
            return null;
        }
    }

    public String toString() {
        return "Keys retrieved from SAML descriptor at " + this.descriptorUrl;
    }

    @Override // java.lang.Iterable
    public Iterator<PublicKey> iterator() {
        if (this.publicKeyCache.isEmpty()) {
            refreshCertificateCacheAndGet(null);
        }
        return this.publicKeyCache.values().iterator();
    }
}
