package org.opensaml.saml.security.impl;

import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.locks.ReadWriteLock;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.xml.namespace.QName;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.collection.LockableClassToInstanceMultiMap;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.component.InitializableComponent;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.Criterion;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.criterion.ProtocolCriterion;
import org.opensaml.saml.criterion.RoleDescriptorCriterion;
import org.opensaml.saml.metadata.resolver.RoleDescriptorResolver;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.KeyDescriptor;
import org.opensaml.saml.saml2.metadata.RoleDescriptor;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.MutableCredential;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.credential.impl.AbstractCriteriaFilteringCredentialResolver;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.KeyInfoCriterion;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-303.zip:modules/system/layers/fuse/org/opensaml/3.1/opensaml-saml-impl-3.1.1.jar:org/opensaml/saml/security/impl/MetadataCredentialResolver.class */
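/**
 * Credential resolver that extracts credentials from the {@code KeyDescriptor} elements of SAML
 * metadata role descriptors.
 *
 * <p>Resolution is driven by the supplied {@link CriteriaSet} in one of two ways: a
 * {@link RoleDescriptorCriterion} supplies the role descriptor directly, or an
 * {@link EntityIdCriterion} plus {@link EntityRoleCriterion} (optionally a {@link ProtocolCriterion})
 * are used to look the role descriptors up through the configured {@link RoleDescriptorResolver}.
 * A {@link RoleDescriptorCriterion}, when present, takes precedence over the entity ID and role criteria.</p>
 *
 * <p>Security note: nothing in this class evaluates signatures on, or the origin of, the metadata it
 * reads. Every key found in a matching {@code KeyDescriptor} is returned as a credential, so the
 * credentials are only as trustworthy as the role descriptor passed in or the configured
 * {@link RoleDescriptorResolver}. NOTE(review): presumably metadata trust is established upstream
 * (for example by metadata filters) - confirm for the deployment.</p>
 *
 * <p>The component must be initialized with {@link #initialize()} before use; the setters reject
 * changes after initialization.</p>
 */
public class MetadataCredentialResolver extends AbstractCriteriaFilteringCredentialResolver implements InitializableComponent {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(MetadataCredentialResolver.class);

    /** Optional metadata resolver used for entity ID + role lookups. */
    @Nullable
    private RoleDescriptorResolver roleDescriptorResolver;

    /** Resolver that turns a KeyDescriptor's KeyInfo into credentials; required by {@link #initialize()}. */
    @NonnullAfterInit
    private KeyInfoCredentialResolver keyInfoCredentialResolver;

    /** Set to true once {@link #initialize()} has completed. */
    private boolean isInitialized;

    /**
     * Reports whether {@link #initialize()} has completed successfully.
     *
     * @return true if the component has been initialized
     */
    public boolean isInitialized() {
        return this.isInitialized;
    }

    /**
     * Validates the configuration and marks the component as initialized.
     *
     * @throws ComponentInitializationException if no {@link KeyInfoCredentialResolver} has been set
     */
    public void initialize() throws ComponentInitializationException {
        if (getKeyInfoCredentialResolver() == null) {
            throw new ComponentInitializationException("A KeyInfoCredentialResolver instance is required");
        }
        // A missing RoleDescriptorResolver is legal: it only rules out entity ID + role lookups.
        if (getRoleDescriptorResolver() == null) {
            this.log.info("RoleDescriptorResolver was not supplied, credentials may only be resolved via RoleDescriptorCriterion");
        }
        this.isInitialized = true;
    }

    /**
     * Returns the metadata resolver used for entity ID + role lookups.
     *
     * @return the configured resolver, or null if none was supplied
     */
    @Nullable
    public RoleDescriptorResolver getRoleDescriptorResolver() {
        return this.roleDescriptorResolver;
    }

    /**
     * Sets the metadata resolver used for entity ID + role lookups. Must be called before initialization.
     *
     * @param roleDescriptorResolver the resolver to use, may be null
     */
    public void setRoleDescriptorResolver(@Nullable RoleDescriptorResolver roleDescriptorResolver) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.roleDescriptorResolver = roleDescriptorResolver;
    }

    /**
     * Returns the resolver used to turn KeyInfo elements into credentials.
     *
     * @return the configured KeyInfo credential resolver; null only before it has been set
     */
    @NonnullAfterInit
    public KeyInfoCredentialResolver getKeyInfoCredentialResolver() {
        return this.keyInfoCredentialResolver;
    }

    /**
     * Sets the resolver used to turn KeyInfo elements into credentials. Must be called before initialization.
     *
     * @param keyInfoCredentialResolver the resolver to use; checked for null via {@code Constraint.isNotNull}
     */
    public void setKeyInfoCredentialResolver(@Nonnull KeyInfoCredentialResolver keyInfoCredentialResolver) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.keyInfoCredentialResolver = Constraint.isNotNull(keyInfoCredentialResolver, "KeyInfoCredentialResolver may not be null");
    }

    /**
     * Resolves credentials from metadata according to the supplied criteria.
     *
     * <p>If a {@link RoleDescriptorCriterion} is present its role descriptor is used directly and any
     * entity ID, role or protocol criteria are not consulted for the lookup. Otherwise both an
     * {@link EntityIdCriterion} and an {@link EntityRoleCriterion} are required, together with a
     * configured {@link RoleDescriptorResolver}.</p>
     *
     * @param criteriaSet the resolution criteria, must not be null
     * @return the credentials extracted from the matching key descriptors
     * @throws ResolverException if the criteria are insufficient, if entity ID + role input is given
     *         without a configured {@link RoleDescriptorResolver}, or if resolution fails
     */
    @Override // org.opensaml.security.credential.impl.AbstractCriteriaFilteringCredentialResolver
    @Nonnull
    protected Iterable<Credential> resolveFromSource(@Nonnull CriteriaSet criteriaSet) throws ResolverException {
        ComponentSupport.ifNotInitializedThrowUninitializedComponentException(this);
        Constraint.isNotNull(criteriaSet, "CriteriaSet was null");
        UsageType effectiveUsageInput = getEffectiveUsageInput(criteriaSet);

        // A directly supplied role descriptor wins over entity ID + role lookup.
        if (criteriaSet.contains(RoleDescriptorCriterion.class)) {
            RoleDescriptor suppliedRole = criteriaSet.get(RoleDescriptorCriterion.class).getRole();
            return resolveFromRoleDescriptor(criteriaSet, suppliedRole, effectiveUsageInput);
        }

        if (!criteriaSet.contains(EntityIdCriterion.class) || !criteriaSet.contains(EntityRoleCriterion.class)) {
            throw new ResolverException("Criteria contained neither RoleDescriptorCriterion nor EntityIdCriterion + EntityRoleCriterion, could not perform resolution");
        }
        if (getRoleDescriptorResolver() == null) {
            throw new ResolverException("EntityID and role input were supplied but no RoleDescriptorResolver is configured");
        }

        String entityId = criteriaSet.get(EntityIdCriterion.class).getEntityId();
        QName role = criteriaSet.get(EntityRoleCriterion.class).getRole();

        // The protocol criterion is optional; null means "do not restrict by protocol".
        ProtocolCriterion protocolCriterion = criteriaSet.get(ProtocolCriterion.class);
        String protocol = protocolCriterion != null ? protocolCriterion.getProtocol() : null;

        return resolveFromMetadata(criteriaSet, entityId, role, protocol, effectiveUsageInput);
    }

    /**
     * Determines the key usage requested by the caller.
     *
     * @param criteriaSet the resolution criteria
     * @return the usage from the {@link UsageCriterion} if one is present, otherwise
     *         {@link UsageType#UNSPECIFIED}
     */
    @Nonnull
    protected UsageType getEffectiveUsageInput(@Nonnull CriteriaSet criteriaSet) {
        UsageCriterion usageCriterion = criteriaSet.get(UsageCriterion.class);
        return usageCriterion != null ? usageCriterion.getUsage() : UsageType.UNSPECIFIED;
    }

    /**
     * Resolves credentials from a role descriptor supplied directly by the caller.
     *
     * <p>The entity ID attached to the credentials is taken from the role descriptor's parent when
     * that parent is an {@link EntityDescriptor}; otherwise it is null.</p>
     *
     * @param criteriaSet the resolution criteria (not read by this implementation)
     * @param roleDescriptor the role descriptor whose key descriptors are processed
     * @param usageType the key usage requested by the caller
     * @return the credentials extracted from the role descriptor
     * @throws ResolverException if credential extraction fails
     */
    @Nonnull
    protected Collection<Credential> resolveFromRoleDescriptor(@Nonnull CriteriaSet criteriaSet, @Nonnull RoleDescriptor roleDescriptor, @Nonnull UsageType usageType) throws ResolverException {
        String entityId = null;
        if (roleDescriptor.getParent() instanceof EntityDescriptor) {
            entityId = ((EntityDescriptor) roleDescriptor.getParent()).getEntityID();
        }
        this.log.debug("Resolving credentials from supplied RoleDescriptor using usage: {}.  Effective entityID was: {}", usageType, entityId);
        HashSet<Credential> credentials = new HashSet<>(3);
        processRoleDescriptor(credentials, roleDescriptor, entityId, usageType);
        return credentials;
    }

    /**
     * Resolves credentials by looking up role descriptors through the configured
     * {@link RoleDescriptorResolver}.
     *
     * @param criteriaSet the resolution criteria
     * @param str the entity ID to look up
     * @param qName the role to look up
     * @param str2 the protocol to restrict the lookup to, or null for no restriction
     * @param usageType the key usage requested by the caller
     * @return the credentials extracted from all matching role descriptors
     * @throws ResolverException if the metadata lookup or credential extraction fails
     */
    @Nonnull
    protected Collection<Credential> resolveFromMetadata(@Nonnull CriteriaSet criteriaSet, @NotEmpty @Nonnull String str, @Nonnull QName qName, @Nullable String str2, @Nonnull UsageType usageType) throws ResolverException {
        this.log.debug("Resolving credentials from metadata using entityID: {}, role: {}, protocol: {}, usage: {}", new Object[]{str, qName, str2, usageType});
        HashSet<Credential> credentials = new HashSet<>(3);
        for (RoleDescriptor roleDescriptor : getRoleDescriptors(criteriaSet, str, qName, str2)) {
            processRoleDescriptor(credentials, roleDescriptor, str, usageType);
        }
        return credentials;
    }

    /**
     * Adds the credentials of every key descriptor in the role descriptor whose declared use matches
     * the requested usage.
     *
     * <p>A key descriptor without a declared use is treated as {@link UsageType#UNSPECIFIED}, and key
     * descriptors without a KeyInfo are skipped.</p>
     *
     * @param hashSet the accumulator the credentials are added to
     * @param roleDescriptor the role descriptor to process
     * @param str the entity ID to attach to newly resolved credentials, may be null
     * @param usageType the key usage requested by the caller
     * @throws ResolverException if credential extraction fails
     */
    protected void processRoleDescriptor(@Nonnull HashSet<Credential> hashSet, @Nonnull RoleDescriptor roleDescriptor, @Nullable String str, @Nonnull UsageType usageType) throws ResolverException {
        for (KeyDescriptor keyDescriptor : roleDescriptor.getKeyDescriptors()) {
            UsageType declaredUse = keyDescriptor.getUse();
            if (declaredUse == null) {
                declaredUse = UsageType.UNSPECIFIED;
            }
            if (matchUsage(declaredUse, usageType) && keyDescriptor.getKeyInfo() != null) {
                // The usage stamped on the credential is the one declared in metadata, not the requested one.
                extractCredentials(hashSet, keyDescriptor, str, declaredUse);
            }
        }
    }

    /**
     * Adds the credentials of one key descriptor to the accumulator, resolving them from its KeyInfo
     * on first use and caching them in the key descriptor's object metadata afterwards.
     *
     * <p>The cache is consulted under the read lock first. On a miss the read lock is released before
     * the write lock is taken (a {@code ReentrantReadWriteLock}, for one, does not support upgrading),
     * and the cache is checked again because another thread may have populated it in between.</p>
     *
     * <p>Each lock is released exactly once in a {@code finally} block. Releasing the read lock a
     * second time after a failure under the write lock would, with a {@code ReentrantReadWriteLock},
     * raise {@code IllegalMonitorStateException} and hide the original resolution error.</p>
     *
     * <p>Note that cached credentials are returned as stored: the entity ID and usage are only set
     * when the credentials are first resolved, so {@code str} and {@code usageType} have no effect on
     * a cache hit.</p>
     *
     * @param hashSet the accumulator the credentials are added to
     * @param keyDescriptor the key descriptor to extract credentials from
     * @param str the entity ID to set on newly resolved mutable credentials, may be null
     * @param usageType the usage to set on newly resolved mutable credentials
     * @throws ResolverException if resolving credentials from the KeyInfo fails
     */
    protected void extractCredentials(@Nonnull HashSet<Credential> hashSet, @Nonnull KeyDescriptor keyDescriptor, @Nullable String str, @Nonnull UsageType usageType) throws ResolverException {
        LockableClassToInstanceMultiMap<Object> objectMetadata = keyDescriptor.getObjectMetadata();
        ReadWriteLock cacheLock = objectMetadata.getReadWriteLock();

        // Fast path: credentials already cached on the key descriptor.
        cacheLock.readLock().lock();
        try {
            List<Credential> cached = objectMetadata.get(Credential.class);
            if (!cached.isEmpty()) {
                this.log.debug("Resolved cached credentials from KeyDescriptor object metadata");
                hashSet.addAll(cached);
                return;
            }
            this.log.debug("Found no cached credentials in KeyDescriptor object metadata, resolving from KeyInfo");
        } finally {
            cacheLock.readLock().unlock();
        }

        // Slow path: resolve from KeyInfo and populate the cache under the write lock.
        cacheLock.writeLock().lock();
        try {
            // Re-check: another writer may have filled the cache while this thread was waiting.
            List<Credential> cached = objectMetadata.get(Credential.class);
            if (!cached.isEmpty()) {
                this.log.debug("Credentials were resolved and cached by another thread while this thread was waiting on the write lock");
                hashSet.addAll(cached);
                return;
            }

            List<Credential> resolved = new ArrayList<>();
            CriteriaSet keyInfoCriteria = new CriteriaSet();
            keyInfoCriteria.add(new KeyInfoCriterion(keyDescriptor.getKeyInfo()));
            for (Credential credential : getKeyInfoCredentialResolver().resolve(keyInfoCriteria)) {
                if (credential instanceof MutableCredential) {
                    MutableCredential mutableCredential = (MutableCredential) credential;
                    mutableCredential.setEntityId(str);
                    mutableCredential.setUsageType(usageType);
                }
                // Record which key descriptor the credential came from.
                credential.getCredentialContextSet().add(new SAMLMDCredentialContext(keyDescriptor));
                resolved.add(credential);
            }
            objectMetadata.putAll(resolved);
            hashSet.addAll(resolved);
        } finally {
            cacheLock.writeLock().unlock();
        }
    }

    /**
     * Decides whether a key descriptor's declared use satisfies the requested usage.
     *
     * <p>{@link UsageType#UNSPECIFIED} on either side matches anything. As a consequence a key
     * descriptor that declares no use is returned for signing and for encryption requests alike, and
     * a request without a {@link UsageCriterion} receives keys of every declared use. Callers that
     * need a key for one purpose only should supply an explicit usage and, where it matters, check
     * the usage type on the returned credential.</p>
     *
     * @param usageType the use declared by the key descriptor
     * @param usageType2 the usage requested by the caller
     * @return true if either value is {@link UsageType#UNSPECIFIED} or both are the same
     */
    protected boolean matchUsage(@Nonnull UsageType usageType, @Nonnull UsageType usageType2) {
        return usageType == UsageType.UNSPECIFIED || usageType2 == UsageType.UNSPECIFIED || usageType == usageType2;
    }

    /**
     * Looks up role descriptors for an entity through the configured {@link RoleDescriptorResolver}.
     *
     * @param criteriaSet the original resolution criteria (not read by this implementation)
     * @param str the entity ID to look up
     * @param qName the role to look up
     * @param str2 the protocol to restrict the lookup to, or null for no restriction
     * @return the role descriptors returned by the resolver
     * @throws ResolverException if no {@link RoleDescriptorResolver} is configured or the lookup fails
     */
    @Nonnull
    protected Iterable<RoleDescriptor> getRoleDescriptors(@Nonnull CriteriaSet criteriaSet, @Nonnull String str, @Nonnull QName qName, @Nullable String str2) throws ResolverException {
        if (getRoleDescriptorResolver() == null) {
            throw new ResolverException("No RoleDescriptorResolver is configured");
        }
        try {
            if (this.log.isDebugEnabled()) {
                this.log.debug("Retrieving role descriptor metadata for entity '{}' in role '{}' for protocol '{}'", new Object[]{str, qName, str2});
            }
            // Build a fresh criteria set so only entity ID, role and (optionally) protocol drive the lookup.
            CriteriaSet lookupCriteria = new CriteriaSet(new Criterion[]{new EntityIdCriterion(str), new EntityRoleCriterion(qName)});
            if (str2 != null) {
                lookupCriteria.add(new ProtocolCriterion(str2));
            }
            return getRoleDescriptorResolver().resolve(lookupCriteria);
        } catch (ResolverException e) {
            this.log.error("Unable to resolve information from metadata", e);
            throw new ResolverException("Unable to resolve information from metadata", e);
        }
    }
}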
