package org.springframework.security.saml2.provider.service.registration;

import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import net.shibboleth.utilities.java.support.xml.ParserPool;
import org.opensaml.core.config.ConfigurationService;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.config.XMLObjectProviderRegistry;
import org.opensaml.core.xml.io.Unmarshaller;
import org.opensaml.saml.ext.saml2alg.SigningMethod;
import org.opensaml.saml.saml2.metadata.EntitiesDescriptor;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.Extensions;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.saml2.metadata.KeyDescriptor;
import org.opensaml.saml.saml2.metadata.SingleLogoutService;
import org.opensaml.saml.saml2.metadata.SingleSignOnService;
import org.opensaml.security.credential.UsageType;
import org.opensaml.xmlsec.keyinfo.KeyInfoSupport;
import org.springframework.security.saml2.Saml2Exception;
import org.springframework.security.saml2.core.OpenSamlInitializationService;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.registration.OpenSamlRelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:org/springframework/security/saml2/provider/service/registration/OpenSamlMetadataRelyingPartyRegistrationConverter.class */
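/**
 * Converts SAML 2.0 IdP metadata (an {@code EntityDescriptor} or an
 * {@code EntitiesDescriptor}) into {@link RelyingPartyRegistration.Builder}s.
 *
 * <p>Trust boundary: the X.509 certificates found in each {@code KeyDescriptor} are
 * turned directly into verification and encryption credentials. This class performs no
 * validation of a metadata signature and no check of the certificates themselves, so the
 * caller is responsible for obtaining the metadata from a source it trusts.
 *
 * <p>XML parsing goes through the OpenSAML {@code ParserPool} obtained from the
 * {@link XMLObjectProviderRegistry}; whether DTDs and external entities are disabled is
 * decided by that pool's configuration, not by this class.
 *
 * <p>Instances are stateless apart from the two registry lookups and are safe to share.
 */
class OpenSamlMetadataRelyingPartyRegistrationConverter {

    /** SAML 2.0 protocol namespace used to pick the IdP role out of an EntityDescriptor. */
    private static final String SAML20P_NS = "urn:oasis:names:tc:SAML:2.0:protocol";

    static {
        // Must complete before the instance field initializers run: the registry is only
        // available from ConfigurationService once OpenSAML has been bootstrapped.
        OpenSamlInitializationService.initialize();
    }

    private final XMLObjectProviderRegistry registry = ConfigurationService.get(XMLObjectProviderRegistry.class);

    private final ParserPool parserPool = this.registry.getParserPool();

    /**
     * Builds a registration for the IdP role of a single {@code EntityDescriptor}.
     *
     * <p>Key material: {@code SIGNING} keys become verification credentials,
     * {@code ENCRYPTION} keys become encryption credentials, and {@code UNSPECIFIED} keys
     * become both. A {@code KeyDescriptor} whose {@code use} cannot be read is skipped.
     *
     * <p>Endpoints: only the HTTP-POST and HTTP-Redirect bindings are recognised; entries
     * with any other binding are ignored. Every recognised {@code SingleSignOnService} is
     * applied in document order, each call replacing the previous location and binding, so
     * the last recognised entry wins. For {@code SingleLogoutService} the first recognised
     * entry is used; its {@code ResponseLocation} falls back to {@code Location} when absent.
     * @param entityDescriptor the entity descriptor to read
     * @return a builder pre-populated with the asserting party's details
     * @throws Saml2Exception if the descriptor has no {@code IDPSSODescriptor}, no
     * verification certificate, or no {@code SingleSignOnService}, or if a certificate in
     * the metadata cannot be decoded
     */
    OpenSamlRelyingPartyRegistration.Builder convert(EntityDescriptor entityDescriptor) {
        IDPSSODescriptor idpssoDescriptor = entityDescriptor.getIDPSSODescriptor(SAML20P_NS);
        if (idpssoDescriptor == null) {
            throw new Saml2Exception("Metadata response is missing the necessary IDPSSODescriptor element");
        }
        List<Saml2X509Credential> verification = new ArrayList<>();
        List<Saml2X509Credential> encryption = new ArrayList<>();
        for (KeyDescriptor keyDescriptor : idpssoDescriptor.getKeyDescriptors()) {
            addCredentials(keyDescriptor, verification, encryption);
        }
        if (verification.isEmpty()) {
            // Without a verification key nothing the IdP later sends could be authenticated.
            throw new Saml2Exception("Metadata response is missing verification certificates, necessary for verifying SAML assertions");
        }
        OpenSamlRelyingPartyRegistration.Builder builder = OpenSamlRelyingPartyRegistration
                .withAssertingPartyEntityDescriptor(entityDescriptor)
                .assertingPartyDetails((party) -> party.entityId(entityDescriptor.getEntityID())
                        .wantAuthnRequestsSigned(Boolean.TRUE.equals(idpssoDescriptor.getWantAuthnRequestsSigned()))
                        .verificationX509Credentials((credentials) -> credentials.addAll(verification))
                        .encryptionX509Credentials((credentials) -> credentials.addAll(encryption)));
        for (SigningMethod method : signingMethods(idpssoDescriptor)) {
            builder.assertingPartyDetails((party) -> party.signingAlgorithms((algorithms) -> algorithms.add(method.getAlgorithm())));
        }
        if (idpssoDescriptor.getSingleSignOnServices().isEmpty()) {
            throw new Saml2Exception("Metadata response is missing a SingleSignOnService, necessary for sending AuthnRequests");
        }
        for (SingleSignOnService singleSignOnService : idpssoDescriptor.getSingleSignOnServices()) {
            Saml2MessageBinding binding = supportedBinding(singleSignOnService.getBinding());
            if (binding == null) {
                continue;
            }
            builder.assertingPartyDetails((party) -> party
                    .singleSignOnServiceLocation(singleSignOnService.getLocation())
                    .singleSignOnServiceBinding(binding));
        }
        for (SingleLogoutService singleLogoutService : idpssoDescriptor.getSingleLogoutServices()) {
            Saml2MessageBinding binding = supportedBinding(singleLogoutService.getBinding());
            if (binding == null) {
                continue;
            }
            String responseLocation = (singleLogoutService.getResponseLocation() != null)
                    ? singleLogoutService.getResponseLocation()
                    : singleLogoutService.getLocation();
            builder.assertingPartyDetails((party) -> party
                    .singleLogoutServiceLocation(singleLogoutService.getLocation())
                    .singleLogoutServiceResponseLocation(responseLocation)
                    .singleLogoutServiceBinding(binding));
            break;
        }
        return builder;
    }

    /**
     * Parses a metadata document and returns one builder per IdP found in it.
     *
     * <p>An {@code EntitiesDescriptor} yields a builder for each direct child
     * {@code EntityDescriptor} that carries an {@code IDPSSODescriptor}; nested
     * {@code EntitiesDescriptor} elements are not descended into. A top-level
     * {@code EntityDescriptor} yields exactly one builder.
     *
     * <p>The decompiled class shows this method as {@code public}; the original source
     * declares it package-private (see the class's own visibility).
     * @param inputStream the metadata XML; the stream is not closed by this method
     * @return the builders, never empty
     * @throws Saml2Exception if the document cannot be parsed or unmarshalled, if its
     * root element is neither descriptor type, or if no IdP is present
     */
    public Collection<RelyingPartyRegistration.Builder> convert(InputStream inputStream) {
        XMLObject xmlObject = xmlObject(inputStream);
        if (xmlObject instanceof EntityDescriptor) {
            return Arrays.asList(convert((EntityDescriptor) xmlObject));
        }
        if (!(xmlObject instanceof EntitiesDescriptor)) {
            throw new Saml2Exception("Unsupported element of type " + xmlObject.getClass());
        }
        List<RelyingPartyRegistration.Builder> builders = new ArrayList<>();
        for (EntityDescriptor entityDescriptor : ((EntitiesDescriptor) xmlObject).getEntityDescriptors()) {
            // Entities that are not IdPs (e.g. other SPs in a federation file) are skipped silently.
            if (entityDescriptor.getIDPSSODescriptor(SAML20P_NS) != null) {
                builders.add(convert(entityDescriptor));
            }
        }
        if (builders.isEmpty()) {
            throw new Saml2Exception("Metadata contains no IDPSSODescriptor elements");
        }
        return builders;
    }

    /**
     * Adds the certificates of one {@code KeyDescriptor} to the credential lists that
     * match its declared {@code use}.
     *
     * <p>Comparing with {@code ==} keeps a {@code null} use from throwing; such a
     * descriptor contributes nothing. {@code certificates(...)} is only invoked when the
     * use is one this class acts on, so an undecodable certificate on an unrelated
     * descriptor does not abort the conversion.
     * @param keyDescriptor the descriptor to read
     * @param verification receives verification credentials (SIGNING and UNSPECIFIED)
     * @param encryption receives encryption credentials (ENCRYPTION and UNSPECIFIED)
     */
    private void addCredentials(KeyDescriptor keyDescriptor, List<Saml2X509Credential> verification,
            List<Saml2X509Credential> encryption) {
        UsageType use = keyDescriptor.getUse();
        boolean forVerification = (use == UsageType.SIGNING) || (use == UsageType.UNSPECIFIED);
        boolean forEncryption = (use == UsageType.ENCRYPTION) || (use == UsageType.UNSPECIFIED);
        if (!forVerification && !forEncryption) {
            return;
        }
        for (X509Certificate certificate : certificates(keyDescriptor)) {
            if (forVerification) {
                verification.add(Saml2X509Credential.verification(certificate));
            }
            if (forEncryption) {
                encryption.add(Saml2X509Credential.encryption(certificate));
            }
        }
    }

    /**
     * Maps a binding URN to the {@link Saml2MessageBinding} this class supports.
     * @param bindingUrn the {@code Binding} attribute value, possibly {@code null}
     * @return {@code POST} or {@code REDIRECT}, or {@code null} for anything else
     */
    private Saml2MessageBinding supportedBinding(String bindingUrn) {
        if (Saml2MessageBinding.POST.getUrn().equals(bindingUrn)) {
            return Saml2MessageBinding.POST;
        }
        if (Saml2MessageBinding.REDIRECT.getUrn().equals(bindingUrn)) {
            return Saml2MessageBinding.REDIRECT;
        }
        return null;
    }

    /**
     * Decodes the X.509 certificates embedded in a {@code KeyDescriptor}'s {@code KeyInfo}.
     * @param keyDescriptor the descriptor to read
     * @return the decoded certificates
     * @throws Saml2Exception wrapping the {@link CertificateException} if decoding fails
     */
    private List<X509Certificate> certificates(KeyDescriptor keyDescriptor) {
        try {
            return KeyInfoSupport.getCertificates(keyDescriptor.getKeyInfo());
        }
        catch (CertificateException ex) {
            throw new Saml2Exception(ex);
        }
    }

    /**
     * Returns the {@code alg:SigningMethod} extensions advertised by the IdP: those on the
     * {@code IDPSSODescriptor} itself, or, if it has none, those on its enclosing
     * {@code EntityDescriptor}.
     * @param idpssoDescriptor the IdP role descriptor
     * @return the signing methods, possibly empty
     */
    private List<SigningMethod> signingMethods(IDPSSODescriptor idpssoDescriptor) {
        List<SigningMethod> fromRole = signingMethods(idpssoDescriptor.getExtensions());
        if (!fromRole.isEmpty()) {
            return fromRole;
        }
        // The parent is the EntityDescriptor the role was read from when it came through
        // convert(EntityDescriptor); guard anyway so a detached descriptor cannot NPE here.
        XMLObject parent = idpssoDescriptor.getParent();
        if (!(parent instanceof EntityDescriptor)) {
            return fromRole;
        }
        return signingMethods(((EntityDescriptor) parent).getExtensions());
    }

    /**
     * Unmarshals the document's root element into an OpenSAML {@link XMLObject}.
     * @param inputStream the XML to parse
     * @return the unmarshalled root object
     * @throws Saml2Exception if no unmarshaller is registered for the root element, or if
     * parsing or unmarshalling fails (the cause is preserved)
     */
    private XMLObject xmlObject(InputStream inputStream) {
        Element element = document(inputStream).getDocumentElement();
        Unmarshaller unmarshaller = this.registry.getUnmarshallerFactory().getUnmarshaller(element);
        if (unmarshaller == null) {
            throw new Saml2Exception("Unsupported element of type " + element.getTagName());
        }
        try {
            return unmarshaller.unmarshall(element);
        }
        catch (Exception ex) {
            // Broad catch kept deliberately: OpenSAML's checked unmarshalling exception type
            // is not imported here, and every failure is reported to callers as Saml2Exception.
            throw new Saml2Exception(ex);
        }
    }

    /**
     * Parses the stream with the registry's {@link ParserPool}.
     * @param inputStream the XML to parse
     * @return the parsed DOM document
     * @throws Saml2Exception wrapping any parser failure
     */
    private Document document(InputStream inputStream) {
        try {
            return this.parserPool.parse(inputStream);
        }
        catch (Exception ex) {
            throw new Saml2Exception(ex);
        }
    }

    /**
     * Reads the {@code alg:SigningMethod} children of an {@code Extensions} element.
     *
     * <p>The cast is unchecked: OpenSAML returns {@code List<XMLObject>}, and the elements
     * selected by {@code SigningMethod.DEFAULT_ELEMENT_NAME} are expected to have been
     * unmarshalled as {@link SigningMethod} by the registered provider.
     * @param extensions the extensions element, possibly {@code null}
     * @return the matching children, or an empty list when {@code extensions} is {@code null}
     */
    @SuppressWarnings("unchecked")
    private <T> List<T> signingMethods(Extensions extensions) {
        if (extensions == null) {
            return new ArrayList<>();
        }
        return (List<T>) extensions.getUnknownXMLObjects(SigningMethod.DEFAULT_ELEMENT_NAME);
    }
}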
