package net.shibboleth.idp.cas.service.impl;

import java.util.Iterator;
import java.util.function.Predicate;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.cas.config.AbstractProtocolConfiguration;
import net.shibboleth.idp.cas.service.Service;
import net.shibboleth.idp.cas.service.ServiceRegistry;
import net.shibboleth.utilities.java.support.annotation.ParameterName;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml.criterion.EndpointCriterion;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.criterion.ProtocolCriterion;
import org.opensaml.saml.criterion.StartsWithLocationCriterion;
import org.opensaml.saml.metadata.resolver.RoleDescriptorResolver;
import org.opensaml.saml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml.saml2.metadata.Endpoint;
import org.opensaml.saml.saml2.metadata.EntitiesDescriptor;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.RoleDescriptor;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml.saml2.metadata.SingleLogoutService;
import org.opensaml.saml.saml2.metadata.impl.AssertionConsumerServiceBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/idp-cas-impl-4.3.1.jar:net/shibboleth/idp/cas/service/impl/MetadataServiceRegistry.class */
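/**
 * {@link ServiceRegistry} that resolves CAS services from SAML metadata.
 *
 * <p>A service URL is looked up through the injected {@link RoleDescriptorResolver}. When the
 * resolver yields an {@link SPSSODescriptor}, a {@link Service} is built from it; otherwise the
 * lookup fails closed and returns {@code null}.</p>
 *
 * <p>Security notes for deployers and reviewers:</p>
 * <ul>
 *   <li>{@link #criteria(String)} adds a {@link StartsWithLocationCriterion}, so endpoint matching
 *       is broader than exact equality. A registered Location presumably authorizes every service
 *       URL beneath it, so metadata Locations should be as narrow as the application allows.
 *       NOTE(review): exact matching semantics live in the resolver/index, not in this class.</li>
 *   <li>Proxy authorization is granted for the whole SP role as soon as any of its
 *       AssertionConsumerService endpoints carries {@link #PROXY_BINDING}; the Location of that
 *       endpoint is not compared with the requested service URL.</li>
 *   <li>{@code lookup} signals "not registered" with {@code null}. NOTE(review): callers are not
 *       visible here; confirm they treat {@code null} as a denial.</li>
 * </ul>
 */
public class MetadataServiceRegistry implements ServiceRegistry {
    /** Binding URI that marks an endpoint as a CAS login endpoint. */
    public static final String LOGIN_BINDING = "https://www.apereo.org/cas/protocol/login";

    /** Binding URI that marks an endpoint as a CAS logout endpoint. */
    public static final String LOGOUT_BINDING = "https://www.apereo.org/cas/protocol/logout";

    /** Location value a SingleLogoutService must carry to be counted by this registry. */
    public static final String LOGOUT_LOCATION = "urn:mace:shibboleth:profile:CAS:logout";

    /** Binding URI that marks an endpoint as a CAS proxy callback endpoint. */
    public static final String PROXY_BINDING = "https://www.apereo.org/cas/protocol/proxy";

    private final Logger log = LoggerFactory.getLogger(MetadataServiceRegistry.class);

    /** Resolver queried for the role descriptor that matches a service URL. */
    @Nonnull
    private final RoleDescriptorResolver metadataResolver;

    /** Predicate that accepts endpoints whose binding equals {@link #LOGIN_BINDING}. */
    public static class LoginEndpointPredicate implements Predicate<Endpoint> {
        /**
         * Tests whether the endpoint is a CAS login endpoint.
         *
         * @param endpoint endpoint to test, may be {@code null}
         * @return {@code true} only for a non-null endpoint bound to {@link #LOGIN_BINDING}
         */
        @Override
        public boolean test(@Nullable Endpoint endpoint) {
            // The parameter is declared @Nullable: reject null instead of throwing a
            // NullPointerException out of a filter chain.
            return endpoint != null && LOGIN_BINDING.equals(endpoint.getBinding());
        }
    }

    /**
     * Creates a registry backed by the given resolver.
     *
     * @param roleDescriptorResolver resolver used for every lookup; stored as is, without a null
     *                               check, so a null resolver fails on the first lookup
     */
    public MetadataServiceRegistry(@Nonnull @ParameterName(name = "resolver") RoleDescriptorResolver roleDescriptorResolver) {
        this.metadataResolver = roleDescriptorResolver;
    }

    /**
     * Resolves the service registered for a service URL.
     *
     * @param str service URL to look up
     * @return the matching service, or {@code null} when resolution fails or the resolved role is
     *         not an {@link SPSSODescriptor}
     */
    @Override
    @Nullable
    public Service lookup(@Nonnull String str) {
        try {
            RoleDescriptor resolveSingle = this.metadataResolver.resolveSingle(criteria(str));
            if (resolveSingle instanceof SPSSODescriptor) {
                return create(str, (SPSSODescriptor) resolveSingle);
            }
            // A null result and a non-SP role both land here (instanceof is false for null) and
            // share the failure path below, so the lookup fails closed.
            throw new ResolverException("No compatible role resolved");
        } catch (ResolverException e) {
            // The service URL is logged as a parameter, never concatenated into the format string.
            this.log.warn("Metadata resolution failed for {}", str, e);
            return null;
        }
    }

    /**
     * Builds the criteria used to find the SP role that owns a service URL.
     *
     * @param str service URL to match against login endpoints
     * @return criteria selecting an SPSSODescriptor with a {@link #LOGIN_BINDING} endpoint at the
     *         given location, for the CAS protocol
     */
    @Nonnull
    protected CriteriaSet criteria(@Nonnull String str) {
        AssertionConsumerService buildObject = new AssertionConsumerServiceBuilder().buildObject();
        buildObject.setBinding(LOGIN_BINDING);
        buildObject.setLocation(str);
        // StartsWithLocationCriterion relaxes the endpoint match from exact equality to a
        // starts-with style match. NOTE(review): this widens what a single registered Location
        // covers; confirm the semantics of the endpoint index in use when auditing metadata.
        return new CriteriaSet(
                new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME),
                new EndpointCriterion(buildObject),
                new ProtocolCriterion(AbstractProtocolConfiguration.PROTOCOL_URI),
                new StartsWithLocationCriterion());
    }

    /**
     * Builds a {@link Service} from a resolved SP role.
     *
     * @param str             service URL that was looked up
     * @param sPSSODescriptor SP role resolved for that URL
     * @return service carrying the group name, proxy authorization, single-logout flag and the
     *         role and entity descriptors
     */
    @Nonnull
    protected Service create(@Nonnull String str, @Nonnull SPSSODescriptor sPSSODescriptor) {
        // NOTE(review): assumes the role is attached to an EntityDescriptor; a detached role
        // would fail here with a runtime exception that lookup() does not catch.
        EntityDescriptor entityDescriptor = (EntityDescriptor) sPSSODescriptor.getParent();
        XMLObject parent = entityDescriptor.getParent();
        // The group name is taken from the enclosing EntitiesDescriptor when there is one.
        String groupName = parent instanceof EntitiesDescriptor ? ((EntitiesDescriptor) parent).getName() : "unknown";
        Service service = new Service(str, groupName, isAuthorizedToProxy(sPSSODescriptor), hasSingleLogoutService(sPSSODescriptor));
        service.setRoleDescriptor(sPSSODescriptor);
        service.setEntityDescriptor(entityDescriptor);
        return service;
    }

    /**
     * Reports whether the SP role declares any endpoint with {@link #PROXY_BINDING}.
     *
     * @param sPSSODescriptor SP role to inspect
     * @return {@code true} if at least one AssertionConsumerService uses the proxy binding; the
     *         endpoint's Location is not taken into account
     */
    private boolean isAuthorizedToProxy(@Nonnull SPSSODescriptor sPSSODescriptor) {
        for (AssertionConsumerService acs : sPSSODescriptor.getAssertionConsumerServices()) {
            if (PROXY_BINDING.equals(acs.getBinding())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reports whether the SP role declares the CAS single-logout endpoint.
     *
     * @param sPSSODescriptor SP role to inspect
     * @return {@code true} if a SingleLogoutService has both {@link #LOGOUT_BINDING} and
     *         {@link #LOGOUT_LOCATION}
     */
    private boolean hasSingleLogoutService(@Nonnull SPSSODescriptor sPSSODescriptor) {
        for (Endpoint endpoint : sPSSODescriptor.getEndpoints(SingleLogoutService.DEFAULT_ELEMENT_NAME)) {
            if (LOGOUT_BINDING.equals(endpoint.getBinding()) && LOGOUT_LOCATION.equals(endpoint.getLocation())) {
                return true;
            }
        }
        return false;
    }
}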
