package org.apache.nifi.web.security.saml2.registration;

import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509ExtendedTrustManager;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.web.security.saml2.SamlUrlPath;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;

/* loaded from: input_file:org/apache/nifi/web/security/saml2/registration/StandardRelyingPartyRegistrationRepository.class */
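/**
 * Relying Party Registration Repository holding exactly one registration, built once from NiFi Properties
 * together with the application Key Manager and Trust Manager.
 *
 * <p>Credential roles are derived as follows:
 * <ul>
 *   <li>Private keys and leaf certificates from the Key Manager (RSA server aliases) become the
 *       Relying Party SIGNING and DECRYPTION credentials.</li>
 *   <li>Every accepted issuer certificate from the Trust Manager becomes an Asserting Party
 *       VERIFICATION and ENCRYPTION credential, so trusting a CA here means trusting it to sign
 *       SAML assertions as well.</li>
 * </ul>
 *
 * <p>The registration is built eagerly in the constructor, so misconfiguration surfaces at startup
 * rather than on the first login. Instances are immutable after construction.
 */
public class StandardRelyingPartyRegistrationRepository implements RelyingPartyRegistrationRepository {
    private static final Logger logger = LoggerFactory.getLogger(StandardRelyingPartyRegistrationRepository.class);

    private static final String RSA_PUBLIC_KEY_ALGORITHM = "RSA";

    /** Spring placeholder for the request base URL followed by a NiFi SAML path. */
    static final String BASE_URL_FORMAT = "{baseUrl}%s";

    static final String LOGIN_RESPONSE_LOCATION = String.format(BASE_URL_FORMAT, SamlUrlPath.LOGIN_RESPONSE.getPath());

    static final String SINGLE_LOGOUT_RESPONSE_SERVICE_LOCATION = String.format(BASE_URL_FORMAT, SamlUrlPath.SINGLE_LOGOUT_RESPONSE.getPath());

    /** Empty issuer filter: every server alias of the requested algorithm is returned. */
    private static final Principal[] UNFILTERED_ISSUERS = new Principal[0];

    private final NiFiProperties properties;

    private final X509ExtendedKeyManager keyManager;

    private final X509ExtendedTrustManager trustManager;

    private final RelyingPartyRegistration relyingPartyRegistration;

    /**
     * Build the single Relying Party Registration from the supplied configuration and key material.
     *
     * @param niFiProperties NiFi Properties providing the SAML2 Service Provider settings, required
     * @param x509ExtendedKeyManager Key Manager supplying signing and decryption keys, may be null
     * @param x509ExtendedTrustManager Trust Manager supplying verification and encryption certificates, may be null
     * @throws NullPointerException if niFiProperties is null
     */
    public StandardRelyingPartyRegistrationRepository(
            final NiFiProperties niFiProperties,
            final X509ExtendedKeyManager x509ExtendedKeyManager,
            final X509ExtendedTrustManager x509ExtendedTrustManager
    ) {
        this.properties = Objects.requireNonNull(niFiProperties, "NiFi Properties required");
        this.keyManager = x509ExtendedKeyManager;
        this.trustManager = x509ExtendedTrustManager;
        // Must run after the field assignments above: a field initializer would read null properties
        this.relyingPartyRegistration = getRelyingPartyRegistration();
    }

    /**
     * Return the single configured registration regardless of the requested identifier.
     *
     * @param registrationId Registration Identifier, ignored
     * @return the configured Relying Party Registration, never null
     */
    @Override
    public RelyingPartyRegistration findByRegistrationId(final String registrationId) {
        return relyingPartyRegistration;
    }

    /**
     * Assemble the registration: identifiers and locations from properties, then the credential sets.
     *
     * @return the built Relying Party Registration
     */
    private RelyingPartyRegistration getRelyingPartyRegistration() {
        final RelyingPartyRegistration.Builder registrationBuilder =
                new StandardRegistrationBuilderProvider(properties, keyManager, trustManager).getRegistrationBuilder();

        registrationBuilder.registrationId(Saml2RegistrationProperty.REGISTRATION_ID.getProperty());
        registrationBuilder.entityId(properties.getSamlServiceProviderEntityId());
        registrationBuilder.assertionConsumerServiceLocation(LOGIN_RESPONSE_LOCATION);

        if (properties.isSamlSingleLogoutEnabled()) {
            registrationBuilder.singleLogoutServiceLocation(SINGLE_LOGOUT_RESPONSE_SERVICE_LOCATION);
            registrationBuilder.singleLogoutServiceResponseLocation(SINGLE_LOGOUT_RESPONSE_SERVICE_LOCATION);
        }

        final Collection<Saml2X509Credential> credentials = getCredentials();

        // Key Manager credentials carry both SIGNING and DECRYPTION, so one list serves both roles
        final List<Saml2X509Credential> signingCredentials = credentials.stream()
                .filter(Saml2X509Credential::isSigningCredential)
                .toList();
        logger.debug("Loaded SAML2 Signing Credentials [{}]", signingCredentials.size());
        registrationBuilder.signingX509Credentials(collection -> collection.addAll(signingCredentials));
        registrationBuilder.decryptionX509Credentials(collection -> collection.addAll(signingCredentials));

        // Trust Manager credentials carry both VERIFICATION and ENCRYPTION, so one list serves both roles
        final List<Saml2X509Credential> verificationCredentials = credentials.stream()
                .filter(Saml2X509Credential::isVerificationCredential)
                .toList();
        logger.debug("Loaded SAML2 Verification Credentials [{}]", verificationCredentials.size());
        registrationBuilder.assertingPartyMetadata(metadata -> metadata
                .signingAlgorithms(algorithms -> algorithms.add(properties.getSamlSignatureAlgorithm()))
                .verificationX509Credentials(collection -> collection.addAll(verificationCredentials))
                .encryptionX509Credentials(collection -> collection.addAll(verificationCredentials))
        );

        return registrationBuilder.build();
    }

    /**
     * Collect credentials from the Key Manager and Trust Manager when present.
     *
     * <p>Aliases whose private key or certificate chain cannot be retrieved are skipped with a warning
     * instead of failing with a NullPointerException or ArrayIndexOutOfBoundsException.
     *
     * @return Key Manager credentials followed by Trust Manager credentials, possibly empty
     */
    private Collection<Saml2X509Credential> getCredentials() {
        final List<Saml2X509Credential> credentials = new ArrayList<>();

        if (keyManager != null) {
            for (final String alias : getKeyAliases()) {
                final PrivateKey privateKey = keyManager.getPrivateKey(alias);
                final X509Certificate[] certificateChain = keyManager.getCertificateChain(alias);
                if (privateKey == null || certificateChain == null || certificateChain.length == 0) {
                    logger.warn("SAML2 Key Alias [{}] missing private key or certificate chain: skipped", alias);
                    continue;
                }
                // Leaf certificate only: the remainder of the chain is not published in metadata
                credentials.add(new Saml2X509Credential(
                        privateKey,
                        certificateChain[0],
                        Saml2X509Credential.Saml2X509CredentialType.SIGNING,
                        Saml2X509Credential.Saml2X509CredentialType.DECRYPTION
                ));
            }
        }

        if (trustManager != null) {
            for (final X509Certificate issuerCertificate : trustManager.getAcceptedIssuers()) {
                credentials.add(new Saml2X509Credential(
                        issuerCertificate,
                        Saml2X509Credential.Saml2X509CredentialType.ENCRYPTION,
                        Saml2X509Credential.Saml2X509CredentialType.VERIFICATION
                ));
            }
        }

        return credentials;
    }

    /**
     * Get RSA server aliases from the Key Manager without issuer filtering.
     *
     * @return aliases in Key Manager order, or an empty list when the Key Manager returns null
     */
    private List<String> getKeyAliases() {
        final String[] serverAliases = keyManager.getServerAliases(RSA_PUBLIC_KEY_ALGORITHM, UNFILTERED_ISSUERS);
        if (serverAliases == null) {
            return List.of();
        }
        return new ArrayList<>(Arrays.asList(serverAliases));
    }
}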
