package net.shibboleth.metadata.dom.saml;

import java.util.Collection;
import java.util.Objects;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.concurrent.GuardedBy;
import javax.annotation.concurrent.ThreadSafe;
import javax.xml.namespace.QName;
import net.shibboleth.metadata.Item;
import net.shibboleth.metadata.pipeline.AbstractFilteringStage;
import net.shibboleth.shared.annotation.constraint.NonnullElements;
import net.shibboleth.shared.annotation.constraint.Unmodifiable;
import net.shibboleth.shared.collection.CollectionSupport;
import net.shibboleth.shared.primitive.DeprecationSupport;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.xml.DOMTypeSupport;
import net.shibboleth.shared.xml.ElementSupport;
import net.shibboleth.shared.xml.QNameSupport;
import org.slf4j.Logger;
import org.w3c.dom.Element;

@ThreadSafe
/* loaded from: input_file:net/shibboleth/metadata/dom/saml/EntityRoleFilterStage.class */
public class EntityRoleFilterStage extends AbstractFilteringStage<Element> {

    @Unmodifiable
    @Nonnull
    @NonnullElements
    private static final Set<QName> NAMED_ROLES;

    @Nonnull
    private static final Logger LOG;

    @GuardedBy("this")
    private boolean keepingRoles;
    static final /* synthetic */ boolean $assertionsDisabled;

    @Nonnull
    @NonnullElements
    @Unmodifiable
    @GuardedBy("this")
    private Set<QName> designatedRoles = CollectionSupport.emptySet();

    @GuardedBy("this")
    private boolean removingRolelessEntities = true;

    @GuardedBy("this")
    private boolean removingEntitylessEntitiesDescriptor = true;

    @Unmodifiable
    @Nonnull
    @NonnullElements
    public final synchronized Collection<QName> getDesignatedRoles() {
        return this.designatedRoles;
    }

    public synchronized void setDesignatedRoles(@Unmodifiable @Nonnull @NonnullElements Collection<QName> collection) {
        checkSetterPreconditions();
        this.designatedRoles = CollectionSupport.copyToSet(collection);
    }

    public final synchronized boolean isKeepingRoles() {
        return this.keepingRoles;
    }

    public synchronized void setKeepingRoles(boolean z) {
        checkSetterPreconditions();
        this.keepingRoles = z;
    }

    @Deprecated(since = "0.10.0", forRemoval = true)
    public final synchronized boolean isWhitelistingRoles() {
        DeprecationSupport.warnOnce(DeprecationSupport.ObjectType.METHOD, "isWhitelistingRoles", "EntityRoleFilterStage", "isKeepingRoles");
        return isKeepingRoles();
    }

    @Deprecated(since = "0.10.0", forRemoval = true)
    public synchronized void setWhitelistingRoles(boolean z) {
        DeprecationSupport.warnOnce(DeprecationSupport.ObjectType.METHOD, "setWhitelistingRoles", "EntityRoleFilterStage", "setKeepingRoles");
        setKeepingRoles(z);
    }

    public final synchronized boolean isRemovingRolelessEntities() {
        return this.removingRolelessEntities;
    }

    public synchronized void setRemoveRolelessEntities(boolean z) {
        checkSetterPreconditions();
        this.removingRolelessEntities = z;
    }

    public final synchronized boolean isRemovingEntitylessEntitiesDescriptor() {
        return this.removingEntitylessEntitiesDescriptor;
    }

    public synchronized void setRemovingEntitylessEntitiesDescriptor(boolean z) {
        checkSetterPreconditions();
        this.removingEntitylessEntitiesDescriptor = z;
    }

    @Override // net.shibboleth.metadata.pipeline.AbstractFilteringStage
    protected boolean doExecute(@Nonnull Item<Element> item) {
        Element unwrap = item.unwrap();
        return SAMLMetadataSupport.isEntitiesDescriptor(unwrap) ? !processEntitiesDescriptor(unwrap) : (SAMLMetadataSupport.isEntityDescriptor(unwrap) && processEntityDescriptor(unwrap)) ? false : true;
    }

    protected boolean processEntitiesDescriptor(@Nonnull Element element) {
        boolean z = true;
        for (Element element2 : ElementSupport.getChildElements(element, SAMLMetadataSupport.ENTITIES_DESCRIPTOR_NAME)) {
            if (!$assertionsDisabled && element2 == null) {
                throw new AssertionError();
            }
            if (processEntitiesDescriptor(element2)) {
                element.removeChild(element2);
            } else {
                z = false;
            }
        }
        for (Element element3 : ElementSupport.getChildElements(element, SAMLMetadataSupport.ENTITY_DESCRIPTOR_NAME)) {
            if (!$assertionsDisabled && element3 == null) {
                throw new AssertionError();
            }
            if (processEntityDescriptor(element3)) {
                element.removeChild(element3);
            } else {
                z = false;
            }
        }
        return z && isRemovingEntitylessEntitiesDescriptor();
    }

    protected boolean processEntityDescriptor(@Nonnull Element element) {
        if (getDesignatedRoles().isEmpty()) {
            return false;
        }
        String entityID = SAMLMetadataSupport.getEntityID(element);
        if (!$assertionsDisabled && entityID == null) {
            throw new AssertionError();
        }
        LOG.debug("{} pipeline stage filtering roles from EntityDescriptor {}", getId(), entityID);
        return !hasFilteredRoles(entityID, element) && isRemovingRolelessEntities();
    }

    private boolean hasFilteredRoles(@Nonnull String str, @Nonnull Element element) {
        QName xSIType;
        boolean z = false;
        for (Element element2 : ElementSupport.getChildElements(element)) {
            if (!$assertionsDisabled && element2 == null) {
                throw new AssertionError();
            }
            QName nodeQName = QNameSupport.getNodeQName(element2);
            if (Objects.equals(nodeQName, SAMLMetadataSupport.ROLE_DESCRIPTOR_NAME)) {
                xSIType = DOMTypeSupport.getXSIType(element2);
            } else if (NAMED_ROLES.contains(nodeQName)) {
                xSIType = nodeQName;
            }
            if (xSIType != null) {
                boolean contains = getDesignatedRoles().contains(xSIType);
                if ((!isKeepingRoles() || contains) && (isKeepingRoles() || !contains)) {
                    LOG.debug("{} pipeline did not remove role {} from EntityDescriptor {}", new Object[]{getId(), xSIType, str});
                    z = true;
                } else {
                    LOG.debug("{} pipeline stage removing role {} from EntityDescriptor {}", new Object[]{getId(), xSIType, str});
                    element.removeChild(element2);
                }
            }
        }
        return z;
    }

    static {
        $assertionsDisabled = !EntityRoleFilterStage.class.desiredAssertionStatus();
        NAMED_ROLES = CollectionSupport.setOf(new QName[]{SAMLMetadataSupport.IDP_SSO_DESCRIPTOR_NAME, SAMLMetadataSupport.SP_SSO_DESCRIPTOR_NAME, SAMLMetadataSupport.AUTHN_AUTHORITY_DESCRIPTOR_NAME, SAMLMetadataSupport.ATTRIBUTE_AUTHORITY_DESCRIPTOR_NAME, SAMLMetadataSupport.PDP_DESCRIPTOR_NAME});
        LOG = LoggerFactory.getLogger(EntityRoleFilterStage.class);
    }
}
