package net.shibboleth.idp.saml.security.impl;

import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.concurrent.locks.ReadWriteLock;
import javax.annotation.Nonnull;
import javax.xml.namespace.QName;
import net.shibboleth.idp.saml.security.KeyAuthoritySupport;
import net.shibboleth.idp.saml.xmlobject.KeyAuthority;
import net.shibboleth.utilities.java.support.collection.LockableClassToInstanceMultiMap;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.component.InitializableComponent;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.criterion.ProtocolCriterion;
import org.opensaml.saml.metadata.resolver.RoleDescriptorResolver;
import org.opensaml.saml.saml2.common.Extensions;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.KeyDescriptor;
import org.opensaml.saml.saml2.metadata.RoleDescriptor;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.x509.PKIXValidationInformation;
import org.opensaml.security.x509.PKIXValidationInformationResolver;
import org.opensaml.xmlsec.keyinfo.KeyInfoSupport;
import org.opensaml.xmlsec.signature.KeyInfo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/saml/security/impl/MetadataPKIXValidationInformationResolver.class */
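/**
 * A {@link PKIXValidationInformationResolver} that sources PKIX validation information (trust anchors) and
 * trusted key names from SAML metadata obtained through a {@link RoleDescriptorResolver}.
 *
 * <p>Validation information is gathered from the {@code shibmd:KeyAuthority} extensions of the
 * {@link EntityDescriptor} that owns each resolved {@link RoleDescriptor}, plus any
 * {@link PKIXValidationInformation} already attached to that descriptor's object metadata. Trusted names are the
 * {@code KeyName} values found in the {@link KeyInfo} of the role's {@link KeyDescriptor}s whose usage matches
 * the requested {@link UsageType}.</p>
 *
 * <p>Information parsed from a {@code KeyAuthority} is cached in that element's object metadata under the
 * element's read/write lock, so subsequent resolutions against the same metadata do not re-parse the XML.</p>
 *
 * <p>The {@link EntityIdCriterion} and {@link EntityRoleCriterion} are required inputs; {@link ProtocolCriterion}
 * and {@link UsageCriterion} are optional.</p>
 */
public class MetadataPKIXValidationInformationResolver implements PKIXValidationInformationResolver, InitializableComponent {

    /** Default value for the {@code KeyAuthority} verify depth (not referenced within this class). */
    public static final int KEY_AUTHORITY_VERIFY_DEPTH_DEFAULT = 1;

    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(MetadataPKIXValidationInformationResolver.class);

    /** Resolver used to look up the role descriptors named by the criteria. */
    private final RoleDescriptorResolver roleDescriptorResolver;

    /** Whether {@link #initialize()} has been called. */
    private boolean isInitialized;

    /**
     * Constructor.
     *
     * @param roleDescriptorResolver the resolver used to obtain role descriptors from metadata
     * @throws net.shibboleth.utilities.java.support.logic.ConstraintViolationException if the resolver is null
     */
    public MetadataPKIXValidationInformationResolver(final RoleDescriptorResolver roleDescriptorResolver) {
        this.roleDescriptorResolver =
                Constraint.isNotNull(roleDescriptorResolver, "RoleDescriptor resolver cannot be null");
    }

    /** {@inheritDoc} */
    @Override
    public boolean isInitialized() {
        return isInitialized;
    }

    /** {@inheritDoc} */
    @Override
    public void initialize() throws ComponentInitializationException {
        isInitialized = true;
    }

    /**
     * Gets the resolver used to obtain role descriptors from metadata.
     *
     * @return the role descriptor resolver supplied at construction, never null
     */
    public RoleDescriptorResolver getRoleDescriptorResolver() {
        return roleDescriptorResolver;
    }

    /**
     * Resolves the first {@link PKIXValidationInformation} matching the criteria.
     *
     * @param criteriaSet the resolution criteria; see {@link #checkCriteriaRequirements(CriteriaSet)}
     * @return the first resolved validation information, or null if the metadata yields none. A null result means
     *         no trust anchors are available for the entity; trust evaluation built on it should fail closed.
     * @throws ResolverException if metadata resolution fails
     */
    @Override
    public PKIXValidationInformation resolveSingle(final CriteriaSet criteriaSet) throws ResolverException {
        final Iterator<PKIXValidationInformation> infos = resolve(criteriaSet).iterator();
        return infos.hasNext() ? infos.next() : null;
    }

    /**
     * Resolves all {@link PKIXValidationInformation} for the entity and role named in the criteria.
     *
     * @param criteriaSet the resolution criteria; see {@link #checkCriteriaRequirements(CriteriaSet)}
     * @return the resolved validation information in discovery order, possibly empty, never null
     * @throws ResolverException if metadata resolution fails
     */
    @Override
    public Iterable<PKIXValidationInformation> resolve(final CriteriaSet criteriaSet) throws ResolverException {
        ComponentSupport.ifNotInitializedThrowUninitializedComponentException(this);
        checkCriteriaRequirements(criteriaSet);
        return retrievePKIXInfoFromMetadata(criteriaSet, entityIdFrom(criteriaSet), roleFrom(criteriaSet),
                protocolFrom(criteriaSet));
    }

    /**
     * Resolves the trusted key names for the entity and role named in the criteria.
     *
     * @param criteriaSet the resolution criteria; see {@link #checkCriteriaRequirements(CriteriaSet)}. If no
     *            {@link UsageCriterion} is present the usage is taken as {@link UsageType#UNSPECIFIED}.
     * @return the set of {@code KeyName} values from matching key descriptors, possibly empty, never null
     * @throws ResolverException if metadata resolution fails
     */
    @Override
    public Set<String> resolveTrustedNames(final CriteriaSet criteriaSet) throws ResolverException {
        ComponentSupport.ifNotInitializedThrowUninitializedComponentException(this);
        checkCriteriaRequirements(criteriaSet);
        final UsageCriterion usageCriterion = criteriaSet.get(UsageCriterion.class);
        final UsageType usage = usageCriterion != null ? usageCriterion.getUsage() : UsageType.UNSPECIFIED;
        return retrieveTrustedNamesFromMetadata(criteriaSet, entityIdFrom(criteriaSet), roleFrom(criteriaSet),
                protocolFrom(criteriaSet), usage);
    }

    /** {@inheritDoc} */
    @Override
    public boolean supportsTrustedNameResolution() {
        return true;
    }

    /**
     * Checks that the criteria carry the required inputs.
     *
     * @param criteriaSet the criteria to check
     * @throws net.shibboleth.utilities.java.support.logic.ConstraintViolationException if the
     *             {@link EntityIdCriterion} is absent or its (trimmed) entity ID is empty, or if the
     *             {@link EntityRoleCriterion} is absent or its role is null
     */
    protected void checkCriteriaRequirements(final CriteriaSet criteriaSet) {
        final EntityIdCriterion entityIdCriterion =
                Constraint.isNotNull(criteriaSet.get(EntityIdCriterion.class), "EntityIdCriterion must be supplied");
        Constraint.isNotNull(StringSupport.trimOrNull(entityIdCriterion.getEntityId()),
                "Credential owner entity ID criteria value must be supplied");

        final EntityRoleCriterion roleCriterion = Constraint.isNotNull(criteriaSet.get(EntityRoleCriterion.class),
                "EntityRoleCriterion must be supplied");
        Constraint.isNotNull(roleCriterion.getRole(), "Credential entity role criteria value must be supplied");
    }

    /**
     * Retrieves the PKIX validation information from the metadata of the given entity role.
     *
     * @param criteriaSet the full criteria, passed through to the role descriptor resolver
     * @param entityId the entity ID being resolved (used for logging)
     * @param role the entity role being resolved (used for logging)
     * @param protocol the protocol being resolved, may be null (used for logging)
     * @return the validation information in discovery order, possibly empty, never null
     * @throws ResolverException if metadata resolution or KeyAuthority parsing fails
     */
    protected Collection<PKIXValidationInformation> retrievePKIXInfoFromMetadata(final CriteriaSet criteriaSet,
            final String entityId, final QName role, final String protocol) throws ResolverException {
        log.debug("Attempting to retrieve PKIX validation info from resolver for entity: {}", entityId);
        // LinkedHashSet: de-duplicates while keeping the order in which the information was found.
        final LinkedHashSet<PKIXValidationInformation> accumulator = new LinkedHashSet<>();
        final Iterable<RoleDescriptor> roleDescriptors = getRoleDescriptors(criteriaSet, entityId, role, protocol);
        if (roleDescriptors == null) {
            return accumulator;
        }
        for (final RoleDescriptor roleDescriptor : roleDescriptors) {
            resolvePKIXInfo(accumulator, roleDescriptor);
        }
        return accumulator;
    }

    /**
     * Adds the PKIX validation information associated with the role descriptor's owning entity descriptor.
     *
     * <p>Information is taken from the entity descriptor's {@code Extensions} (see
     * {@link #resolvePKIXInfo(Collection, Extensions)}) and from any {@link PKIXValidationInformation} already
     * stored in the entity descriptor's object metadata. A role descriptor whose parent is not an
     * {@link EntityDescriptor} contributes nothing.</p>
     *
     * @param collection the accumulator to add to
     * @param roleDescriptor the role descriptor to process
     * @throws ResolverException if KeyAuthority parsing fails
     */
    protected void resolvePKIXInfo(final Collection<PKIXValidationInformation> collection,
            final RoleDescriptor roleDescriptor) throws ResolverException {
        final XMLObject parent = roleDescriptor.getParent();
        if (!(parent instanceof EntityDescriptor)) {
            return;
        }
        final EntityDescriptor entityDescriptor = (EntityDescriptor) parent;
        resolvePKIXInfo(collection, entityDescriptor.getExtensions());

        final LockableClassToInstanceMultiMap<Object> objectMetadata = entityDescriptor.getObjectMetadata();
        final ReadWriteLock rwlock = objectMetadata.getReadWriteLock();
        // Acquire outside the try so the finally never releases a lock this thread does not hold.
        rwlock.readLock().lock();
        try {
            collection.addAll(objectMetadata.get(PKIXValidationInformation.class));
        } finally {
            rwlock.readLock().unlock();
        }
    }

    /**
     * Adds the PKIX validation information carried by every {@code shibmd:KeyAuthority} child of the extensions.
     *
     * @param collection the accumulator to add to
     * @param extensions the extensions to scan, may be null
     * @throws ResolverException if KeyAuthority parsing fails
     */
    protected void resolvePKIXInfo(final Collection<PKIXValidationInformation> collection,
            final Extensions extensions) throws ResolverException {
        if (extensions == null) {
            return;
        }
        final List<XMLObject> keyAuthorities = extensions.getUnknownXMLObjects(KeyAuthority.DEFAULT_ELEMENT_NAME);
        if (keyAuthorities == null || keyAuthorities.isEmpty()) {
            return;
        }
        for (final XMLObject xmlObject : keyAuthorities) {
            // An element with the KeyAuthority name that was not unmarshalled as a KeyAuthority (e.g. the
            // builder is not registered) cannot supply trust anchors; skip it rather than fail with a cast error.
            if (xmlObject instanceof KeyAuthority) {
                extractPKIXInfo(collection, (KeyAuthority) xmlObject);
            } else {
                log.warn("Element named {} is not a KeyAuthority instance ({}), ignoring",
                        KeyAuthority.DEFAULT_ELEMENT_NAME, xmlObject.getClass().getName());
            }
        }
    }

    /**
     * Adds the PKIX validation information for a single {@code KeyAuthority}, parsing it at most once.
     *
     * <p>The parsed result is cached in the element's object metadata. A read lock is used for the cache lookup;
     * on a miss the read lock is released, the write lock taken, and the cache re-checked before parsing, since
     * another thread may have populated it in between. Each lock is released exactly once in a {@code finally}.</p>
     *
     * @param collection the accumulator to add to
     * @param keyAuthority the KeyAuthority element to process
     * @throws ResolverException if parsing the KeyAuthority fails
     */
    protected void extractPKIXInfo(@Nonnull final Collection<PKIXValidationInformation> collection,
            @Nonnull final KeyAuthority keyAuthority) throws ResolverException {
        final LockableClassToInstanceMultiMap<Object> objectMetadata = keyAuthority.getObjectMetadata();
        final ReadWriteLock rwlock = objectMetadata.getReadWriteLock();

        // Fast path: a previous resolution already parsed this element.
        rwlock.readLock().lock();
        try {
            final List<PKIXValidationInformation> cached = objectMetadata.get(PKIXValidationInformation.class);
            if (!cached.isEmpty()) {
                log.debug("Resolved cached PKIXValidationInformation from KeyAuthority object metadata");
                collection.addAll(cached);
                return;
            }
            log.debug("Found no cached PKIXValidationInformation in KeyAuthority object metadata, resolving XML");
        } finally {
            rwlock.readLock().unlock();
        }

        // Slow path: parse under the write lock, re-checking the cache first.
        rwlock.writeLock().lock();
        try {
            final List<PKIXValidationInformation> cached = objectMetadata.get(PKIXValidationInformation.class);
            if (!cached.isEmpty()) {
                log.debug("PKIXValidationInformation was resolved and cached by another thread while this thread was waiting on the write lock");
                collection.addAll(cached);
                return;
            }
            final PKIXValidationInformation pkixInfo = KeyAuthoritySupport.extractPKIXValidationInfo(keyAuthority);
            if (pkixInfo != null) {
                objectMetadata.put(pkixInfo);
                collection.add(pkixInfo);
            }
        } catch (final SecurityException e) {
            throw new ResolverException("Error resolving PKIXValidationInformation for shibmd:KeyAuthority", e);
        } finally {
            rwlock.writeLock().unlock();
        }
    }

    /**
     * Retrieves the trusted key names from the key descriptors of the given entity role.
     *
     * @param criteriaSet the full criteria, passed through to the role descriptor resolver
     * @param entityId the entity ID being resolved (used for logging)
     * @param role the entity role being resolved (used for logging)
     * @param protocol the protocol being resolved, may be null (used for logging)
     * @param usageType the requested key usage; a key descriptor without a {@code use} attribute is treated as
     *            {@link UsageType#UNSPECIFIED}, see {@link #matchUsage(UsageType, UsageType)}
     * @return the trusted names, possibly empty, never null
     * @throws ResolverException if metadata resolution fails
     */
    protected Set<String> retrieveTrustedNamesFromMetadata(final CriteriaSet criteriaSet, final String entityId,
            final QName role, final String protocol, final UsageType usageType) throws ResolverException {
        log.debug("Attempting to retrieve trusted names for PKIX validation from resolver for entity: {}", entityId);
        final HashSet<String> names = new HashSet<>();
        final Iterable<RoleDescriptor> roleDescriptors = getRoleDescriptors(criteriaSet, entityId, role, protocol);
        if (roleDescriptors == null) {
            return names;
        }
        for (final RoleDescriptor roleDescriptor : roleDescriptors) {
            for (final KeyDescriptor keyDescriptor : roleDescriptor.getKeyDescriptors()) {
                final UsageType use = keyDescriptor.getUse() != null ? keyDescriptor.getUse() : UsageType.UNSPECIFIED;
                final KeyInfo keyInfo = keyDescriptor.getKeyInfo();
                if (keyInfo != null && matchUsage(use, usageType)) {
                    getTrustedNames(names, keyInfo);
                }
            }
        }
        return names;
    }

    /**
     * Adds the {@code KeyName} values of the KeyInfo to the set.
     *
     * @param set the set to add to
     * @param keyInfo the KeyInfo to read names from
     */
    protected void getTrustedNames(final Set<String> set, final KeyInfo keyInfo) {
        set.addAll(KeyInfoSupport.getKeyNames(keyInfo));
    }

    /**
     * Decides whether a key descriptor's usage satisfies the requested usage.
     *
     * <p>{@link UsageType#UNSPECIFIED} on either side matches anything, so a key descriptor with no {@code use}
     * contributes its names to both signing and encryption requests.</p>
     *
     * @param usageType the usage declared on the key descriptor
     * @param usageType2 the usage requested by the caller
     * @return true if the two usages are compatible
     */
    protected boolean matchUsage(final UsageType usageType, final UsageType usageType2) {
        if (usageType == UsageType.UNSPECIFIED || usageType2 == UsageType.UNSPECIFIED) {
            return true;
        }
        return usageType == usageType2;
    }

    /**
     * Resolves the role descriptors matching the criteria from the configured resolver.
     *
     * @param criteriaSet the full criteria passed to the role descriptor resolver
     * @param entityId the entity ID being resolved (used for logging)
     * @param role the entity role being resolved (used for logging)
     * @param protocol the protocol being resolved, may be null (used for logging)
     * @return the resolved role descriptors as returned by the underlying resolver (may be null)
     * @throws ResolverException wrapping any failure of the underlying resolver
     */
    protected Iterable<RoleDescriptor> getRoleDescriptors(final CriteriaSet criteriaSet, final String entityId,
            final QName role, final String protocol) throws ResolverException {
        try {
            log.debug("Retrieving role descriptor metadata for entity '{}' in role '{}' for protocol '{}'",
                    entityId, role, protocol);
            return getRoleDescriptorResolver().resolve(criteriaSet);
        } catch (final ResolverException e) {
            log.error("Unable to resolve information from metadata", e);
            throw new ResolverException("Unable to resolve information from metadata", e);
        }
    }

    /**
     * Reads the entity ID from the required {@link EntityIdCriterion}.
     *
     * @param criteriaSet criteria already validated by {@link #checkCriteriaRequirements(CriteriaSet)}
     * @return the entity ID
     */
    private static String entityIdFrom(final CriteriaSet criteriaSet) {
        return criteriaSet.get(EntityIdCriterion.class).getEntityId();
    }

    /**
     * Reads the role from the required {@link EntityRoleCriterion}.
     *
     * @param criteriaSet criteria already validated by {@link #checkCriteriaRequirements(CriteriaSet)}
     * @return the role QName
     */
    private static QName roleFrom(final CriteriaSet criteriaSet) {
        return criteriaSet.get(EntityRoleCriterion.class).getRole();
    }

    /**
     * Reads the protocol from the optional {@link ProtocolCriterion}.
     *
     * @param criteriaSet the criteria
     * @return the protocol, or null if no {@link ProtocolCriterion} was supplied
     */
    private static String protocolFrom(final CriteriaSet criteriaSet) {
        final ProtocolCriterion protocolCriterion = criteriaSet.get(ProtocolCriterion.class);
        return protocolCriterion != null ? protocolCriterion.getProtocol() : null;
    }
}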
