package org.opensaml.saml.saml2.profile.impl;

import com.google.common.base.Function;
import com.google.common.base.Functions;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import net.shibboleth.utilities.java.support.xml.SerializeSupport;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.messaging.context.navigate.MessageLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.action.EventIds;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.profile.context.navigate.OutboundMessageContextLookup;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.ext.saml2delrestrict.Delegate;
import org.opensaml.saml.ext.saml2delrestrict.DelegationRestrictionType;
import org.opensaml.saml.saml2.core.ArtifactResponse;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Condition;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.ManageNameIDRequest;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.NameIDMappingRequest;
import org.opensaml.saml.saml2.core.NameIDMappingResponse;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.saml2.core.SubjectQuery;
import org.opensaml.saml.saml2.profile.context.EncryptionContext;
import org.opensaml.xmlsec.EncryptionParameters;
import org.opensaml.xmlsec.encryption.support.EncryptionException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-283-10.zip:modules/system/layers/fuse/org/opensaml/3.1/opensaml-saml-impl-3.1.1.jar:org/opensaml/saml/saml2/profile/impl/EncryptNameIDs.class */
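/**
 * Action that encrypts every {@link NameID} found in the SAML 2.0 message it is pointed at,
 * replacing each one with its {@code EncryptedID} form.
 *
 * <p>The message is located via the configured lookup strategy (by default the outbound
 * message). An {@link ArtifactResponse} is unwrapped so the encryption applies to the message
 * it carries. Supported message types are {@link AuthnRequest}, {@link SubjectQuery},
 * {@link Response} (each plaintext {@link Assertion} it contains), {@link LogoutRequest},
 * {@link ManageNameIDRequest}, {@link NameIDMappingRequest}, {@link NameIDMappingResponse}
 * and a bare {@link Assertion}. Any other type is logged and left untouched.</p>
 *
 * <p>NameIDs whose Format is in the set given to {@link #setExcludedFormats(Collection)} are
 * left in the clear; by default that is only the {@code entity} format, which names a public
 * entity and gains nothing from encryption. A NameID with no Format attribute is treated as
 * {@code unspecified}.</p>
 *
 * <p>The message being processed is kept in an instance field between {@link #doPreExecute}
 * and {@link #doExecute}, so one instance must not be shared across concurrent executions
 * (NOTE(review): confirm the bean scope the deploying framework uses for this action).</p>
 *
 * <p>Events: {@link EventIds#UNABLE_TO_ENCRYPT} if any encryption operation fails.</p>
 */
public class EncryptNameIDs extends AbstractEncryptAction {

    /** Format attributed to a NameID that carries no Format attribute. */
    @Nonnull private static final String UNSPECIFIED_FORMAT =
            "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";

    /** Format excluded from encryption by default: entity identifiers are public. */
    @Nonnull private static final String ENTITY_FORMAT =
            "urn:oasis:names:tc:SAML:2.0:nameid-format:entity";

    /** Class logger. */
    @Nonnull private final Logger log = LoggerFactory.getLogger(EncryptNameIDs.class);

    /** Strategy used to locate the message to operate on; defaults to the outbound message. */
    @Nonnull private Function<ProfileRequestContext, SAMLObject> messageLookupStrategy =
            Functions.compose(new MessageLookup<>(SAMLObject.class), new OutboundMessageContextLookup());

    /** NameID Format values that are never encrypted. */
    @Nonnull @NonnullElements private Set<String> excludedFormats = Collections.singleton(ENTITY_FORMAT);

    /** The message to operate on, resolved in {@link #doPreExecute}. */
    @Nullable private SAMLObject message;

    /**
     * Sets the strategy used to locate the message to operate on.
     *
     * @param function lookup strategy, never null
     * @throws net.shibboleth.utilities.java.support.component.UnmodifiableComponentException
     *         if the action has already been initialized
     */
    public void setMessageLookupStrategy(@Nonnull final Function<ProfileRequestContext, SAMLObject> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);

        messageLookupStrategy = Constraint.isNotNull(function, "Message lookup strategy cannot be null");
    }

    /**
     * Sets the NameID Format values that are to be left unencrypted.
     *
     * <p>The values are trimmed and empty entries dropped. Because this set decides which
     * identifiers bypass encryption it is locked down once the action is initialized, the same
     * way the lookup strategy is.</p>
     *
     * @param collection formats to exclude, never null
     * @throws net.shibboleth.utilities.java.support.component.UnmodifiableComponentException
     *         if the action has already been initialized
     */
    public void setExcludedFormats(@NonnullElements @Nonnull final Collection<String> collection) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);

        excludedFormats = new HashSet<>(StringSupport.normalizeStringCollection(collection));
    }

    /**
     * {@inheritDoc}
     *
     * @return the identifier-encryption parameters from the context, or null if there is no context
     */
    @Override
    @Nullable
    protected EncryptionParameters getApplicableParameters(@Nullable final EncryptionContext encryptionContext) {
        if (encryptionContext == null) {
            return null;
        }
        return encryptionContext.getIdentifierEncryptionParameters();
    }

    /**
     * {@inheritDoc}
     *
     * <p>Resolves the message to operate on, unwrapping an {@link ArtifactResponse} so the
     * encryption applies to the message it carries. With no message the action is skipped
     * without raising an event.</p>
     */
    // Kept public: the decompiled form exposes it that way (the superclass declares it protected).
    @Override
    public boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        message = messageLookupStrategy.apply(profileRequestContext);
        if (message instanceof ArtifactResponse) {
            // The NameIDs that matter live in the message the artifact resolved to.
            message = ((ArtifactResponse) message).getMessage();
        }

        if (message == null) {
            log.debug("{} Message was not present, nothing to do", getLogPrefix());
            return false;
        }

        // presumably sets up the encrypter returned by getEncrypter() — confirm in AbstractEncryptAction
        return super.doPreExecute(profileRequestContext);
    }

    /**
     * {@inheritDoc}
     *
     * <p>Dispatches on the concrete message type. Only plaintext assertions of a
     * {@link Response} are visited; already-encrypted assertions are not opened.</p>
     */
    @Override
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        try {
            if (message instanceof AuthnRequest) {
                processSubject(((AuthnRequest) message).getSubject());
            } else if (message instanceof SubjectQuery) {
                processSubject(((SubjectQuery) message).getSubject());
            } else if (message instanceof Response) {
                for (final Assertion assertion : ((Response) message).getAssertions()) {
                    processAssertion(assertion);
                }
            } else if (message instanceof LogoutRequest) {
                processLogoutRequest((LogoutRequest) message);
            } else if (message instanceof ManageNameIDRequest) {
                processManageNameIDRequest((ManageNameIDRequest) message);
            } else if (message instanceof NameIDMappingRequest) {
                processNameIDMappingRequest((NameIDMappingRequest) message);
            } else if (message instanceof NameIDMappingResponse) {
                processNameIDMappingResponse((NameIDMappingResponse) message);
            } else if (message instanceof Assertion) {
                processAssertion((Assertion) message);
            } else {
                log.debug("{} Message was of unrecognized type {}, nothing to do", getLogPrefix(),
                        message.getClass().getName());
            }
        } catch (final EncryptionException e) {
            // A failure part-way leaves earlier NameIDs encrypted and later ones in the clear;
            // the event is what tells the flow not to send the message as-is.
            log.warn("{} Error encrypting NameID", getLogPrefix(), e);
            ActionSupport.buildEvent(profileRequestContext, EventIds.UNABLE_TO_ENCRYPT);
        }
    }

    /**
     * Decides whether a NameID is to be encrypted.
     *
     * <p>A null NameID and any NameID whose Format (defaulting to {@code unspecified}) is
     * excluded are skipped. When debug logging is on, the NameID is serialized to the log
     * <em>in the clear</em> first — this is exactly the value the encryption exists to
     * protect, so debug logging of this class should stay off wherever the logs are less
     * protected than the message itself.</p>
     *
     * @param nameID the NameID to examine
     * @return true iff the NameID should be encrypted
     */
    private boolean shouldEncrypt(@Nullable final NameID nameID) {
        if (nameID == null) {
            return false;
        }

        String format = nameID.getFormat();
        if (format == null) {
            format = UNSPECIFIED_FORMAT;
        }
        if (excludedFormats.contains(format)) {
            return false;
        }

        if (log.isDebugEnabled()) {
            try {
                log.debug("{} NameID before encryption:\n{}", getLogPrefix(),
                        SerializeSupport.prettyPrintXML(XMLObjectSupport.marshall(nameID)));
            } catch (final MarshallingException e) {
                // Logging is best-effort; an unmarshallable NameID still gets encrypted.
                log.error("{} Unable to marshall NameID for logging purposes", getLogPrefix(), e);
            }
        }
        return true;
    }

    /**
     * Encrypts the NameID of a Subject and of each of its SubjectConfirmations.
     *
     * @param subject the subject, may be null
     * @throws EncryptionException if an encryption operation fails
     */
    private void processSubject(@Nullable final Subject subject) throws EncryptionException {
        if (subject == null) {
            return;
        }

        if (shouldEncrypt(subject.getNameID())) {
            log.debug("{} Encrypt NameID in Subject", getLogPrefix());
            subject.setEncryptedID(getEncrypter().encrypt(subject.getNameID()));
            // Clearing the plaintext is what actually removes it from the outgoing message.
            subject.setNameID(null);
        }

        for (final SubjectConfirmation subjectConfirmation : subject.getSubjectConfirmations()) {
            if (shouldEncrypt(subjectConfirmation.getNameID())) {
                log.debug("{} Encrypt NameID in SubjectConfirmation", getLogPrefix());
                subjectConfirmation.setEncryptedID(getEncrypter().encrypt(subjectConfirmation.getNameID()));
                subjectConfirmation.setNameID(null);
            }
        }
    }

    /**
     * Encrypts the NameID of a LogoutRequest.
     *
     * @param logoutRequest the request
     * @throws EncryptionException if the encryption operation fails
     */
    private void processLogoutRequest(@Nonnull final LogoutRequest logoutRequest) throws EncryptionException {
        if (shouldEncrypt(logoutRequest.getNameID())) {
            log.debug("{} Encrypting NameID in LogoutRequest", getLogPrefix());
            logoutRequest.setEncryptedID(getEncrypter().encrypt(logoutRequest.getNameID()));
            logoutRequest.setNameID(null);
        }
    }

    /**
     * Encrypts the NameID and, if present, the NewID of a ManageNameIDRequest.
     *
     * <p>NewID is not a NameID and carries no Format, so the excluded-formats check does not
     * apply to it: a NewID is always encrypted when present.</p>
     *
     * @param manageNameIDRequest the request
     * @throws EncryptionException if an encryption operation fails
     */
    private void processManageNameIDRequest(@Nonnull final ManageNameIDRequest manageNameIDRequest)
            throws EncryptionException {
        if (shouldEncrypt(manageNameIDRequest.getNameID())) {
            log.debug("{} Encrypting NameID in ManageNameIDRequest", getLogPrefix());
            manageNameIDRequest.setEncryptedID(getEncrypter().encrypt(manageNameIDRequest.getNameID()));
            manageNameIDRequest.setNameID(null);
        }

        if (manageNameIDRequest.getNewID() != null) {
            log.debug("{} Encrypting NewID in ManageNameIDRequest", getLogPrefix());
            manageNameIDRequest.setNewEncryptedID(getEncrypter().encrypt(manageNameIDRequest.getNewID()));
            manageNameIDRequest.setNewID(null);
        }
    }

    /**
     * Encrypts the NameID of a NameIDMappingRequest.
     *
     * @param nameIDMappingRequest the request
     * @throws EncryptionException if the encryption operation fails
     */
    private void processNameIDMappingRequest(@Nonnull final NameIDMappingRequest nameIDMappingRequest)
            throws EncryptionException {
        if (shouldEncrypt(nameIDMappingRequest.getNameID())) {
            log.debug("{} Encrypting NameID in NameIDMappingRequest", getLogPrefix());
            nameIDMappingRequest.setEncryptedID(getEncrypter().encrypt(nameIDMappingRequest.getNameID()));
            nameIDMappingRequest.setNameID(null);
        }
    }

    /**
     * Encrypts the NameID of a NameIDMappingResponse.
     *
     * @param nameIDMappingResponse the response
     * @throws EncryptionException if the encryption operation fails
     */
    private void processNameIDMappingResponse(@Nonnull final NameIDMappingResponse nameIDMappingResponse)
            throws EncryptionException {
        if (shouldEncrypt(nameIDMappingResponse.getNameID())) {
            log.debug("{} Encrypting NameID in NameIDMappingResponse", getLogPrefix());
            nameIDMappingResponse.setEncryptedID(getEncrypter().encrypt(nameIDMappingResponse.getNameID()));
            nameIDMappingResponse.setNameID(null);
        }
    }

    /**
     * Encrypts the NameIDs in an Assertion's Subject and in any Delegate of a
     * DelegationRestriction condition.
     *
     * @param assertion the assertion
     * @throws EncryptionException if an encryption operation fails
     */
    private void processAssertion(@Nonnull final Assertion assertion) throws EncryptionException {
        processSubject(assertion.getSubject());

        if (assertion.getConditions() == null) {
            return;
        }
        for (final Condition condition : assertion.getConditions().getConditions()) {
            if (!(condition instanceof DelegationRestrictionType)) {
                continue;
            }
            for (final Delegate delegate : ((DelegationRestrictionType) condition).getDelegates()) {
                if (shouldEncrypt(delegate.getNameID())) {
                    log.debug("{} Encrypting NameID in Delegate", getLogPrefix());
                    delegate.setEncryptedID(getEncrypter().encrypt(delegate.getNameID()));
                    delegate.setNameID(null);
                }
            }
        }
    }
}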
