package net.shibboleth.profile.relyingparty.impl;

import com.codahale.metrics.Counter;
import com.codahale.metrics.Gauge;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.profile.context.RelyingPartyContext;
import net.shibboleth.profile.relyingparty.RelyingPartyConfiguration;
import net.shibboleth.profile.relyingparty.RelyingPartyConfigurationResolver;
import net.shibboleth.profile.relyingparty.VerifiedProfileCriterion;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.annotation.constraint.NotLive;
import net.shibboleth.shared.annotation.constraint.Unmodifiable;
import net.shibboleth.shared.collection.CollectionSupport;
import net.shibboleth.shared.component.AbstractIdentifiableInitializableComponent;
import net.shibboleth.shared.component.ComponentInitializationException;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.primitive.NonnullSupplier;
import net.shibboleth.shared.primitive.StringSupport;
import net.shibboleth.shared.resolver.CriteriaSet;
import net.shibboleth.shared.resolver.ResolverException;
import net.shibboleth.spring.security.CredentialHolder;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.core.metrics.MetricsSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.profile.criterion.ProfileRequestContextCriterion;
import org.opensaml.saml.common.messaging.context.SAMLMetadataContext;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.criterion.RoleDescriptorCriterion;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.RoleDescriptor;
import org.opensaml.security.credential.Credential;
import org.slf4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;

/* loaded from: input_file:WEB-INF/lib/shib-profile-impl-5.0.0.jar:net/shibboleth/profile/relyingparty/impl/DefaultRelyingPartyConfigurationResolver.class */
public class DefaultRelyingPartyConfigurationResolver extends AbstractIdentifiableInitializableComponent implements RelyingPartyConfigurationResolver {

    @Nonnull
    @NotEmpty
    private static final String DEFAULT_RELYING_PARTY_COUNTER = "shibboleth.DefaultRelyingParty";

    @Nonnull
    @NotEmpty
    private static final String UNVERIFIED_RELYING_PARTY_COUNTER = "shibboleth.UnverifiedRelyingParty";

    @Nullable
    private RelyingPartyConfiguration defaultRelyingPartyConfiguration;

    @Nullable
    private RelyingPartyConfiguration unverifiedConfiguration;

    @Nullable
    private String metricName;

    @Nullable
    private Gauge<Map<String, Counter>> counterGauge;
    static final /* synthetic */ boolean $assertionsDisabled;

    @Nonnull
    private final Logger log = LoggerFactory.getLogger((Class<?>) DefaultRelyingPartyConfigurationResolver.class);

    @Nonnull
    private List<RelyingPartyConfiguration> rpConfigurations = CollectionSupport.emptyList();

    @Nonnull
    private List<Credential> signingCredentials = CollectionSupport.emptyList();

    @Nonnull
    private List<Credential> encryptionCredentials = CollectionSupport.emptyList();

    @Nonnull
    private Map<String, Counter> counterMap = CollectionSupport.emptyMap();

    @Unmodifiable
    @Nonnull
    @NotLive
    public Collection<? extends RelyingPartyConfiguration> getRelyingPartyConfigurations() {
        return this.rpConfigurations;
    }

    public void setRelyingPartyConfigurations(@Nullable Collection<? extends RelyingPartyConfiguration> collection) {
        checkSetterPreconditions();
        if (collection != null) {
            this.rpConfigurations = CollectionSupport.copyToList(collection);
        } else {
            this.rpConfigurations = CollectionSupport.emptyList();
        }
    }

    @Nullable
    public RelyingPartyConfiguration getDefaultConfiguration() {
        return this.defaultRelyingPartyConfiguration;
    }

    public void setDefaultConfiguration(@Nullable RelyingPartyConfiguration relyingPartyConfiguration) {
        checkSetterPreconditions();
        this.defaultRelyingPartyConfiguration = relyingPartyConfiguration;
    }

    @Nullable
    public RelyingPartyConfiguration getUnverifiedConfiguration() {
        return this.unverifiedConfiguration;
    }

    public void setUnverifiedConfiguration(@Nullable RelyingPartyConfiguration relyingPartyConfiguration) {
        checkSetterPreconditions();
        this.unverifiedConfiguration = relyingPartyConfiguration;
    }

    public void setMetricName(@Nullable String str) {
        checkSetterPreconditions();
        this.metricName = StringSupport.trimOrNull(str);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // net.shibboleth.shared.component.AbstractIdentifiedInitializableComponent, net.shibboleth.shared.component.AbstractInitializableComponent
    public void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        HashSet hashSet = new HashSet(this.rpConfigurations.size());
        for (RelyingPartyConfiguration relyingPartyConfiguration : this.rpConfigurations) {
            if (hashSet.contains(relyingPartyConfiguration.getId())) {
                throw new ComponentInitializationException("Multiple RelyingPartyConfiguration configurations with ID " + relyingPartyConfiguration.getId() + " detected, IDs must be unique.");
            }
            hashSet.add(relyingPartyConfiguration.getId());
        }
        hashSet.add(DEFAULT_RELYING_PARTY_COUNTER);
        hashSet.add(UNVERIFIED_RELYING_PARTY_COUNTER);
        String str = this.metricName;
        if (str == null || hashSet.isEmpty()) {
            return;
        }
        this.counterMap = (Map) ((NonnullSupplier) hashSet.stream().collect(CollectionSupport.nonnullCollector(Collectors.toUnmodifiableMap(str2 -> {
            return str2;
        }, str3 -> {
            return new Counter();
        })))).get();
        this.counterGauge = (Gauge) MetricsSupport.register(str, new Gauge<Map<String, Counter>>() { // from class: net.shibboleth.profile.relyingparty.impl.DefaultRelyingPartyConfigurationResolver.1
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // com.codahale.metrics.Gauge
            public Map<String, Counter> getValue() {
                return DefaultRelyingPartyConfigurationResolver.this.counterMap;
            }
        }, true);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // net.shibboleth.shared.component.AbstractInitializableComponent
    public void doDestroy() {
        if (this.metricName != null && this.counterGauge != null) {
            MetricsSupport.remove(this.metricName, this.counterGauge);
        }
        super.doDestroy();
    }

    @Override // net.shibboleth.shared.resolver.Resolver
    @Nonnull
    public Iterable<RelyingPartyConfiguration> resolve(@Nullable CriteriaSet criteriaSet) throws ResolverException {
        checkComponentActive();
        this.log.debug("Resolving relying party configuration");
        if (criteriaSet == null) {
            return CollectionSupport.emptyList();
        }
        VerifiedProfileCriterion verifiedProfileCriterion = (VerifiedProfileCriterion) criteriaSet.get(VerifiedProfileCriterion.class);
        if (verifiedProfileCriterion == null || !verifiedProfileCriterion.isVerified()) {
            RelyingPartyConfiguration unverifiedConfiguration = getUnverifiedConfiguration();
            if (unverifiedConfiguration == null) {
                this.log.warn("Profile request was unverified, but no such configuration is available");
                return CollectionSupport.emptyList();
            }
            this.log.debug("Profile request is unverified, returning configuration {}", unverifiedConfiguration.getId());
            increment(UNVERIFIED_RELYING_PARTY_COUNTER);
            return CollectionSupport.singleton(unverifiedConfiguration);
        }
        ArrayList arrayList = new ArrayList();
        ProfileRequestContext profileRequestContext = getProfileRequestContext(criteriaSet);
        for (RelyingPartyConfiguration relyingPartyConfiguration : this.rpConfigurations) {
            this.log.debug("Checking if relying party configuration {} is applicable", relyingPartyConfiguration.getId());
            if (relyingPartyConfiguration.test(profileRequestContext)) {
                this.log.debug("Relying party configuration {} is applicable", relyingPartyConfiguration.getId());
                increment(relyingPartyConfiguration.getId());
                arrayList.add(relyingPartyConfiguration);
            } else {
                this.log.debug("Relying party configuration {} is not applicable", relyingPartyConfiguration.getId());
            }
        }
        if (!arrayList.isEmpty()) {
            return arrayList;
        }
        if (this.defaultRelyingPartyConfiguration == null) {
            this.log.warn("No matching relying party configuration applicable, returning nothing");
            return CollectionSupport.emptyList();
        }
        this.log.debug("No matching relying party configuration applicable, returning default: {}", this.defaultRelyingPartyConfiguration.getId());
        increment(DEFAULT_RELYING_PARTY_COUNTER);
        if ($assertionsDisabled || this.defaultRelyingPartyConfiguration != null) {
            return CollectionSupport.singleton(this.defaultRelyingPartyConfiguration);
        }
        throw new AssertionError();
    }

    @Override // net.shibboleth.shared.resolver.Resolver
    @Nullable
    public RelyingPartyConfiguration resolveSingle(@Nullable CriteriaSet criteriaSet) throws ResolverException {
        checkComponentActive();
        this.log.debug("Resolving relying party configuration");
        if (criteriaSet == null) {
            return null;
        }
        VerifiedProfileCriterion verifiedProfileCriterion = (VerifiedProfileCriterion) criteriaSet.get(VerifiedProfileCriterion.class);
        if (verifiedProfileCriterion == null || !verifiedProfileCriterion.isVerified()) {
            RelyingPartyConfiguration unverifiedConfiguration = getUnverifiedConfiguration();
            if (unverifiedConfiguration == null) {
                this.log.warn("Profile request was unverified, but no such configuration is available");
                return null;
            }
            this.log.debug("Profile request is unverified, returning configuration {}", unverifiedConfiguration.getId());
            increment(UNVERIFIED_RELYING_PARTY_COUNTER);
            return unverifiedConfiguration;
        }
        ProfileRequestContext profileRequestContext = getProfileRequestContext(criteriaSet);
        for (RelyingPartyConfiguration relyingPartyConfiguration : this.rpConfigurations) {
            this.log.debug("Checking if relying party configuration {} is applicable", relyingPartyConfiguration.getId());
            if (relyingPartyConfiguration.test(profileRequestContext)) {
                this.log.debug("Relying party configuration {} is applicable", relyingPartyConfiguration.getId());
                increment(relyingPartyConfiguration.getId());
                return relyingPartyConfiguration;
            }
            this.log.debug("Relying party configuration {} is not applicable", relyingPartyConfiguration.getId());
        }
        if (this.defaultRelyingPartyConfiguration == null) {
            this.log.warn("No matching relying party configuration applicable, returning nothing");
            return null;
        }
        this.log.debug("No matching relying party configuration applicable, returning default: {}", this.defaultRelyingPartyConfiguration.getId());
        increment(DEFAULT_RELYING_PARTY_COUNTER);
        if ($assertionsDisabled || this.defaultRelyingPartyConfiguration != null) {
            return this.defaultRelyingPartyConfiguration;
        }
        throw new AssertionError();
    }

    @Override // net.shibboleth.profile.relyingparty.RelyingPartyConfigurationResolver
    @Unmodifiable
    @Nonnull
    @NotLive
    public Collection<Credential> getSigningCredentials() {
        return this.signingCredentials;
    }

    @Autowired
    @Qualifier("signing")
    public void setSigningCredentials(@Nullable List<CredentialHolder> list) {
        checkSetterPreconditions();
        if (list != null) {
            this.signingCredentials = (List) ((NonnullSupplier) list.stream().flatMap(credentialHolder -> {
                return credentialHolder.getCredentials().stream();
            }).collect(CollectionSupport.nonnullCollector(Collectors.toUnmodifiableList()))).get();
        } else {
            this.signingCredentials = CollectionSupport.emptyList();
        }
    }

    @Override // net.shibboleth.profile.relyingparty.RelyingPartyConfigurationResolver
    @Unmodifiable
    @Nonnull
    @NotLive
    public Collection<Credential> getEncryptionCredentials() {
        return this.encryptionCredentials;
    }

    @Autowired
    @Qualifier("encryption")
    public void setEncryptionCredentials(@Nullable List<CredentialHolder> list) {
        checkSetterPreconditions();
        if (list != null) {
            this.encryptionCredentials = (List) ((NonnullSupplier) list.stream().flatMap(credentialHolder -> {
                return credentialHolder.getCredentials().stream();
            }).collect(CollectionSupport.nonnullCollector(Collectors.toUnmodifiableList()))).get();
        } else {
            this.encryptionCredentials = CollectionSupport.emptyList();
        }
    }

    private void increment(@Nullable String str) {
        Counter counter = this.counterMap.get(str);
        if (counter != null) {
            counter.inc();
        }
    }

    @Nullable
    private ProfileRequestContext getProfileRequestContext(@Nonnull CriteriaSet criteriaSet) {
        ProfileRequestContextCriterion profileRequestContextCriterion = (ProfileRequestContextCriterion) criteriaSet.get(ProfileRequestContextCriterion.class);
        if (profileRequestContextCriterion != null) {
            return profileRequestContextCriterion.getProfileRequestContext();
        }
        String resolveEntityID = resolveEntityID(criteriaSet);
        this.log.debug("Resolved effective entityID from criteria: {}", resolveEntityID);
        EntityDescriptor resolveEntityDescriptor = resolveEntityDescriptor(criteriaSet);
        this.log.debug("Resolved effective entity descriptor from criteria: {}", resolveEntityDescriptor);
        RoleDescriptor resolveRoleDescriptor = resolveRoleDescriptor(criteriaSet);
        this.log.debug("Resolved effective role descriptor from criteria: {}", resolveRoleDescriptor);
        if (resolveEntityID == null && resolveEntityDescriptor == null && resolveRoleDescriptor == null) {
            return null;
        }
        ProfileRequestContext profileRequestContext = new ProfileRequestContext();
        RelyingPartyContext relyingPartyContext = (RelyingPartyContext) profileRequestContext.ensureSubcontext(RelyingPartyContext.class);
        relyingPartyContext.setVerified(true);
        relyingPartyContext.setRelyingPartyId(resolveEntityID);
        if (resolveEntityDescriptor != null || resolveRoleDescriptor != null) {
            SAMLPeerEntityContext sAMLPeerEntityContext = (SAMLPeerEntityContext) profileRequestContext.ensureSubcontext(SAMLPeerEntityContext.class);
            relyingPartyContext.setRelyingPartyIdContextTree(sAMLPeerEntityContext);
            sAMLPeerEntityContext.setEntityId(resolveEntityID);
            if (resolveRoleDescriptor != null) {
                sAMLPeerEntityContext.setRole(resolveRoleDescriptor.getSchemaType() != null ? resolveRoleDescriptor.getSchemaType() : resolveRoleDescriptor.getElementQName());
            }
            SAMLMetadataContext sAMLMetadataContext = (SAMLMetadataContext) sAMLPeerEntityContext.ensureSubcontext(SAMLMetadataContext.class);
            sAMLMetadataContext.setEntityDescriptor(resolveEntityDescriptor);
            sAMLMetadataContext.setRoleDescriptor(resolveRoleDescriptor);
        }
        return profileRequestContext;
    }

    @Nullable
    private String resolveEntityID(@Nonnull CriteriaSet criteriaSet) {
        EntityIdCriterion entityIdCriterion = (EntityIdCriterion) criteriaSet.get(EntityIdCriterion.class);
        if (entityIdCriterion != null) {
            return entityIdCriterion.getEntityId();
        }
        EntityDescriptor resolveEntityDescriptor = resolveEntityDescriptor(criteriaSet);
        if (resolveEntityDescriptor != null) {
            return resolveEntityDescriptor.getEntityID();
        }
        return null;
    }

    @Nullable
    private EntityDescriptor resolveEntityDescriptor(@Nonnull CriteriaSet criteriaSet) {
        RoleDescriptor resolveRoleDescriptor = resolveRoleDescriptor(criteriaSet);
        if (resolveRoleDescriptor == null || resolveRoleDescriptor.getParent() == null || !(resolveRoleDescriptor.getParent() instanceof EntityDescriptor)) {
            return null;
        }
        return (EntityDescriptor) resolveRoleDescriptor.getParent();
    }

    @Nullable
    private RoleDescriptor resolveRoleDescriptor(@Nonnull CriteriaSet criteriaSet) {
        RoleDescriptorCriterion roleDescriptorCriterion = (RoleDescriptorCriterion) criteriaSet.get(RoleDescriptorCriterion.class);
        if (roleDescriptorCriterion != null) {
            return roleDescriptorCriterion.getRole();
        }
        return null;
    }

    static {
        $assertionsDisabled = !DefaultRelyingPartyConfigurationResolver.class.desiredAssertionStatus();
    }
}
