package org.opensaml.saml.saml2.profile.impl;

import java.util.Iterator;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.utilities.java.support.collection.Pair;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.profile.SAMLEventIds;
import org.opensaml.saml.ext.saml2delrestrict.Delegate;
import org.opensaml.saml.ext.saml2delrestrict.DelegationRestrictionType;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Condition;
import org.opensaml.saml.saml2.core.EncryptedID;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.ManageNameIDRequest;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.NameIDMappingRequest;
import org.opensaml.saml.saml2.core.NameIDMappingResponse;
import org.opensaml.saml.saml2.core.NewEncryptedID;
import org.opensaml.saml.saml2.core.NewID;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.saml2.core.SubjectQuery;
import org.opensaml.xmlsec.encryption.support.DecryptionException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-402.zip:modules/system/layers/fuse/org/opensaml/3.1/opensaml-saml-impl-3.1.1.jar:org/opensaml/saml/saml2/profile/impl/DecryptNameIDs.class */
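/**
 * Profile action that decrypts the encrypted name identifiers carried by the SAML message
 * returned from the inherited {@code getSAMLObject()}.
 *
 * <p>Each {@link EncryptedID} that is successfully decrypted is replaced in place: the plaintext
 * {@link NameID} is set on the owning element and the encrypted form is cleared. The same is
 * done for the {@link NewEncryptedID} of a {@link ManageNameIDRequest}.</p>
 *
 * <p>Security note: an element keeps its encrypted identifier when the decryption predicate
 * declines it, or when decryption fails and {@code isErrorFatal()} is false. Code that runs
 * after this action must therefore not assume that a plaintext {@link NameID} is present.</p>
 */
public class DecryptNameIDs extends AbstractDecryptAction {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(DecryptNameIDs.class);

    /**
     * Dispatches on the concrete type of the SAML message and decrypts the identifiers it holds.
     *
     * <p>A {@link DecryptionException} that reaches this method is logged; a
     * {@code DECRYPT_NAMEID_FAILED} event is built only when {@code isErrorFatal()} is true.</p>
     *
     * @param profileRequestContext the current profile request context
     */
    @Override // org.opensaml.profile.action.AbstractProfileAction
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        // NOTE(review): a null message would fail in the final branch below; presumably the
        // parent action rejects a missing message before doExecute runs -- confirm.
        SAMLObject message = getSAMLObject();
        try {
            if (message instanceof AuthnRequest) {
                processSubject(profileRequestContext, ((AuthnRequest) message).getSubject());
            } else if (message instanceof SubjectQuery) {
                processSubject(profileRequestContext, ((SubjectQuery) message).getSubject());
            } else if (message instanceof Response) {
                for (Assertion assertion : ((Response) message).getAssertions()) {
                    processAssertion(profileRequestContext, assertion);
                }
            } else if (message instanceof LogoutRequest) {
                processLogoutRequest(profileRequestContext, (LogoutRequest) message);
            } else if (message instanceof ManageNameIDRequest) {
                processManageNameIDRequest(profileRequestContext, (ManageNameIDRequest) message);
            } else if (message instanceof NameIDMappingRequest) {
                processNameIDMappingRequest(profileRequestContext, (NameIDMappingRequest) message);
            } else if (message instanceof NameIDMappingResponse) {
                processNameIDMappingResponse(profileRequestContext, (NameIDMappingResponse) message);
            } else if (message instanceof Assertion) {
                processAssertion(profileRequestContext, (Assertion) message);
            } else {
                this.log.debug("{} Message was of unrecognized type {}, nothing to do", getLogPrefix(), message.getClass().getName());
            }
        } catch (DecryptionException e) {
            this.log.warn("{} Failure performing decryption", getLogPrefix(), e);
            // In non-fatal mode the failure is only logged and the message continues through
            // the profile with its identifier still encrypted.
            if (isErrorFatal()) {
                ActionSupport.buildEvent(profileRequestContext, SAMLEventIds.DECRYPT_NAMEID_FAILED);
            }
        }
    }

    /**
     * Decrypts a single {@link EncryptedID}, provided the decryption predicate accepts it.
     *
     * @param profileRequestContext the current profile request context
     * @param encryptedID the encrypted identifier to decrypt
     * @return the decrypted {@link NameID}, or {@code null} if the predicate declined the element
     * @throws DecryptionException if no decrypter is available, decryption fails, or the
     *         decrypted object is not a {@link NameID}
     */
    @Nullable
    private NameID processEncryptedID(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull EncryptedID encryptedID) throws DecryptionException {
        if (!getDecryptionPredicate().apply(new Pair<>(profileRequestContext, encryptedID))) {
            return null;
        }
        if (getDecrypter() == null) {
            throw new DecryptionException("No decryption parameters, unable to decrypt EncryptedID");
        }
        SAMLObject decrypted = getDecrypter().decrypt(encryptedID);
        if (decrypted instanceof NameID) {
            return (NameID) decrypted;
        }
        // NOTE(review): whether decrypt() can return null is not visible here. Guarding keeps
        // the failure a DecryptionException, which callers route through isErrorFatal(),
        // instead of a NullPointerException that would skip that handling.
        String actualType = decrypted == null ? "null" : decrypted.getElementQName().toString();
        throw new DecryptionException("Decrypted EncryptedID was not a NameID, was a " + actualType);
    }

    /**
     * Decrypts a single {@link NewEncryptedID}, provided the decryption predicate accepts it.
     *
     * @param profileRequestContext the current profile request context
     * @param newEncryptedID the encrypted new identifier to decrypt
     * @return the decrypted {@link NewID}, or {@code null} if the predicate declined the element
     * @throws DecryptionException if no decrypter is available or decryption fails
     */
    @Nullable
    private NewID processNewEncryptedID(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull NewEncryptedID newEncryptedID) throws DecryptionException {
        if (!getDecryptionPredicate().apply(new Pair<>(profileRequestContext, newEncryptedID))) {
            return null;
        }
        if (getDecrypter() == null) {
            throw new DecryptionException("No decryption parameters, unable to decrypt NewEncryptedID");
        }
        return getDecrypter().decrypt(newEncryptedID);
    }

    /**
     * Decrypts the {@link EncryptedID} of a {@link Subject} and of each of its
     * {@link SubjectConfirmation} elements.
     *
     * <p>Each element is handled independently: when {@code isErrorFatal()} is false a failure
     * is logged and the remaining elements are still processed.</p>
     *
     * @param profileRequestContext the current profile request context
     * @param subject the subject to process; {@code null} is a no-op
     * @throws DecryptionException if decryption fails and {@code isErrorFatal()} is true
     */
    private void processSubject(@Nonnull ProfileRequestContext profileRequestContext, @Nullable Subject subject) throws DecryptionException {
        if (subject == null) {
            return;
        }

        if (subject.getEncryptedID() != null) {
            this.log.debug("{} Decrypting EncryptedID in Subject", getLogPrefix());
            try {
                NameID decrypted = processEncryptedID(profileRequestContext, subject.getEncryptedID());
                if (decrypted != null) {
                    subject.setNameID(decrypted);
                    subject.setEncryptedID(null);
                }
            } catch (DecryptionException e) {
                if (isErrorFatal()) {
                    throw e;
                }
                this.log.warn("{} Trapped failure decrypting EncryptedID in Subject", getLogPrefix(), e);
            }
        }

        for (SubjectConfirmation subjectConfirmation : subject.getSubjectConfirmations()) {
            if (subjectConfirmation.getEncryptedID() == null) {
                continue;
            }
            this.log.debug("{} Decrypting EncryptedID in SubjectConfirmation", getLogPrefix());
            try {
                // Decrypt the confirmation's own EncryptedID. Passing the Subject's EncryptedID
                // here would either hand over null (it is cleared above once decrypted) or
                // stamp the Subject's identifier onto the confirmation.
                NameID decrypted = processEncryptedID(profileRequestContext, subjectConfirmation.getEncryptedID());
                if (decrypted != null) {
                    subjectConfirmation.setNameID(decrypted);
                    subjectConfirmation.setEncryptedID(null);
                }
            } catch (DecryptionException e) {
                if (isErrorFatal()) {
                    throw e;
                }
                this.log.warn("{} Trapped failure decrypting EncryptedID in SubjectConfirmation", getLogPrefix(), e);
            }
        }
    }

    /**
     * Decrypts the {@link EncryptedID} of a {@link LogoutRequest}, if present.
     *
     * @param profileRequestContext the current profile request context
     * @param logoutRequest the request to process
     * @throws DecryptionException if decryption fails; the caller decides whether it is fatal
     */
    private void processLogoutRequest(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull LogoutRequest logoutRequest) throws DecryptionException {
        if (logoutRequest.getEncryptedID() != null) {
            this.log.debug("{} Decrypting EncryptedID in LogoutRequest", getLogPrefix());
            NameID decrypted = processEncryptedID(profileRequestContext, logoutRequest.getEncryptedID());
            if (decrypted != null) {
                logoutRequest.setNameID(decrypted);
                logoutRequest.setEncryptedID(null);
            }
        }
    }

    /**
     * Decrypts the {@link EncryptedID} and the {@link NewEncryptedID} of a
     * {@link ManageNameIDRequest}, whichever are present.
     *
     * @param profileRequestContext the current profile request context
     * @param manageNameIDRequest the request to process
     * @throws DecryptionException if decryption fails; the caller decides whether it is fatal
     */
    private void processManageNameIDRequest(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull ManageNameIDRequest manageNameIDRequest) throws DecryptionException {
        if (manageNameIDRequest.getEncryptedID() != null) {
            this.log.debug("{} Decrypting EncryptedID in ManageNameIDRequest", getLogPrefix());
            NameID decrypted = processEncryptedID(profileRequestContext, manageNameIDRequest.getEncryptedID());
            if (decrypted != null) {
                manageNameIDRequest.setNameID(decrypted);
                manageNameIDRequest.setEncryptedID(null);
            }
        }
        if (manageNameIDRequest.getNewEncryptedID() != null) {
            this.log.debug("{} Decrypting NewEncryptedID in ManageNameIDRequest", getLogPrefix());
            NewID decryptedNewId = processNewEncryptedID(profileRequestContext, manageNameIDRequest.getNewEncryptedID());
            if (decryptedNewId != null) {
                manageNameIDRequest.setNewID(decryptedNewId);
                manageNameIDRequest.setNewEncryptedID(null);
            }
        }
    }

    /**
     * Decrypts the {@link EncryptedID} of a {@link NameIDMappingRequest}, if present.
     *
     * @param profileRequestContext the current profile request context
     * @param nameIDMappingRequest the request to process
     * @throws DecryptionException if decryption fails; the caller decides whether it is fatal
     */
    private void processNameIDMappingRequest(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull NameIDMappingRequest nameIDMappingRequest) throws DecryptionException {
        if (nameIDMappingRequest.getEncryptedID() != null) {
            this.log.debug("{} Decrypting EncryptedID in NameIDMappingRequest", getLogPrefix());
            NameID decrypted = processEncryptedID(profileRequestContext, nameIDMappingRequest.getEncryptedID());
            if (decrypted != null) {
                nameIDMappingRequest.setNameID(decrypted);
                nameIDMappingRequest.setEncryptedID(null);
            }
        }
    }

    /**
     * Decrypts the {@link EncryptedID} of a {@link NameIDMappingResponse}, if present.
     *
     * @param profileRequestContext the current profile request context
     * @param nameIDMappingResponse the response to process
     * @throws DecryptionException if decryption fails; the caller decides whether it is fatal
     */
    private void processNameIDMappingResponse(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull NameIDMappingResponse nameIDMappingResponse) throws DecryptionException {
        if (nameIDMappingResponse.getEncryptedID() != null) {
            // The message names the response type so log readers can tell it apart from the
            // NameIDMappingRequest path.
            this.log.debug("{} Decrypting EncryptedID in NameIDMappingResponse", getLogPrefix());
            NameID decrypted = processEncryptedID(profileRequestContext, nameIDMappingResponse.getEncryptedID());
            if (decrypted != null) {
                nameIDMappingResponse.setNameID(decrypted);
                nameIDMappingResponse.setEncryptedID(null);
            }
        }
    }

    /**
     * Decrypts the identifiers of an {@link Assertion}: those in its {@link Subject} and those
     * of every {@link Delegate} inside a {@link DelegationRestrictionType} condition.
     *
     * @param profileRequestContext the current profile request context
     * @param assertion the assertion to process
     * @throws DecryptionException if decryption fails and {@code isErrorFatal()} is true
     */
    private void processAssertion(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull Assertion assertion) throws DecryptionException {
        try {
            processSubject(profileRequestContext, assertion.getSubject());
        } catch (DecryptionException e) {
            if (isErrorFatal()) {
                throw e;
            }
            this.log.warn("{} Trapped failure decrypting EncryptedIDs in Subject", getLogPrefix(), e);
        }

        if (assertion.getConditions() == null) {
            return;
        }
        for (Condition condition : assertion.getConditions().getConditions()) {
            if (!(condition instanceof DelegationRestrictionType)) {
                continue;
            }
            for (Delegate delegate : ((DelegationRestrictionType) condition).getDelegates()) {
                if (delegate.getEncryptedID() == null) {
                    continue;
                }
                this.log.debug("{} Decrypting EncryptedID in Delegate", getLogPrefix());
                try {
                    NameID decrypted = processEncryptedID(profileRequestContext, delegate.getEncryptedID());
                    if (decrypted != null) {
                        delegate.setNameID(decrypted);
                        delegate.setEncryptedID(null);
                    }
                } catch (DecryptionException e) {
                    if (isErrorFatal()) {
                        throw e;
                    }
                    this.log.warn("{} Trapped failure decrypting EncryptedID in Delegate", getLogPrefix(), e);
                }
            }
        }
    }
}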
