package org.opensaml.saml.metadata.resolver.filter.impl;

import com.google.common.base.Function;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.utilities.java.support.annotation.ParameterName;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.primitive.DeprecationSupport;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml.metadata.resolver.filter.FilterException;
import org.opensaml.saml.metadata.resolver.filter.MetadataFilter;
import org.opensaml.saml.saml2.metadata.AffiliationDescriptor;
import org.opensaml.saml.saml2.metadata.EntitiesDescriptor;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.RoleDescriptor;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.x509.TrustedNamesCriterion;
import org.opensaml.xmlsec.signature.SignableXMLObject;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignaturePrevalidator;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/opensaml/saml/metadata/resolver/filter/impl/SignatureValidationFilter.class */
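/**
 * A metadata filter that verifies the XML signatures carried by SAML metadata elements.
 *
 * <p>Behaviour, as implemented by this class:
 * <ul>
 *   <li>A {@code null} input is passed through unchanged; an input that is not a
 *       {@link SignableXMLObject} is passed through with a warning.</li>
 *   <li>If {@link #getRequireSignedRoot()} is {@code true} (the default) and the root element carries
 *       no signature, a {@link FilterException} is thrown.</li>
 *   <li>A signed root ({@link EntityDescriptor} or {@link EntitiesDescriptor}) whose signature fails
 *       verification causes a {@link FilterException}; the document is rejected.</li>
 *   <li>Signed subordinate elements ({@link RoleDescriptor}, {@link AffiliationDescriptor}, child
 *       {@link EntityDescriptor} and {@link EntitiesDescriptor}) that fail verification are removed
 *       from their parent; the rest of the document is still returned.</li>
 *   <li>Unsigned subordinate elements are not verified and are left in place.</li>
 * </ul>
 *
 * <p>Each signature is first checked by the optional {@link SignaturePrevalidator} (a
 * {@link SAMLSignatureProfileValidator} by default) and then evaluated by the configured
 * {@link SignatureTrustEngine} against the {@link CriteriaSet} produced by
 * {@link #buildCriteriaSet(SignableXMLObject, String, boolean)}.
 */
public class SignatureValidationFilter implements MetadataFilter {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(SignatureValidationFilter.class);

    /** Trust engine used to establish trust in each signature; fixed at construction. */
    @Nonnull
    private final SignatureTrustEngine signatureTrustEngine;

    /** Whether the root metadata element must carry a signature. Defaults to {@code true}. */
    private boolean requireSignedRoot;

    /** Criteria copied into every trust-engine evaluation; may be null. */
    @Nullable
    private CriteriaSet defaultCriteria;

    /** Prevalidator applied to each signature before trust evaluation; null disables prevalidation. */
    @Nullable
    private SignaturePrevalidator signaturePrevalidator;

    /** Strategy producing trusted names for the element being verified; null disables the criterion. */
    @Nullable
    private Function<XMLObject, Set<String>> dynamicTrustedNamesStrategy;

    /**
     * Constructor.
     *
     * <p>Defaults: a signed root is required, a {@link SAMLSignatureProfileValidator} is used as
     * prevalidator, a {@link BasicDynamicTrustedNamesStrategy} supplies trusted names, and no
     * default criteria are set.
     *
     * @param signatureTrustEngine the trust engine used to evaluate signatures; may not be null
     */
    public SignatureValidationFilter(
            @Nonnull @ParameterName(name = "engine") final SignatureTrustEngine signatureTrustEngine) {
        this.signatureTrustEngine = Constraint.isNotNull(signatureTrustEngine, "SignatureTrustEngine cannot be null");
        this.requireSignedRoot = true;
        this.signaturePrevalidator = new SAMLSignatureProfileValidator();
        this.dynamicTrustedNamesStrategy = new BasicDynamicTrustedNamesStrategy();
    }

    /**
     * Get the strategy that derives trusted names from the element being verified.
     *
     * @return the strategy, or null if none is configured
     */
    @Nullable
    public Function<XMLObject, Set<String>> getDynamicTrustedNamesStrategy() {
        return dynamicTrustedNamesStrategy;
    }

    /**
     * Set the strategy that derives trusted names from the element being verified.
     *
     * @param function the strategy, or null to disable the {@link TrustedNamesCriterion}
     */
    public void setDynamicTrustedNamesStrategy(@Nullable final Function<XMLObject, Set<String>> function) {
        dynamicTrustedNamesStrategy = function;
    }

    /**
     * Get the trust engine used to evaluate signatures.
     *
     * @return the trust engine, never null
     */
    @Nonnull
    public SignatureTrustEngine getSignatureTrustEngine() {
        return signatureTrustEngine;
    }

    /**
     * Get the prevalidator run on each signature before trust evaluation.
     *
     * @return the prevalidator, or null if prevalidation is disabled
     */
    @Nullable
    public SignaturePrevalidator getSignaturePrevalidator() {
        return signaturePrevalidator;
    }

    /**
     * Set the prevalidator run on each signature before trust evaluation.
     *
     * @param prevalidator the prevalidator, or null to disable prevalidation
     */
    public void setSignaturePrevalidator(@Nullable final SignaturePrevalidator prevalidator) {
        signaturePrevalidator = prevalidator;
    }

    /**
     * Get whether the root metadata element is required to carry a signature.
     *
     * @return true if an unsigned root is rejected
     */
    public boolean getRequireSignedRoot() {
        return requireSignedRoot;
    }

    /**
     * Set whether the root metadata element is required to carry a signature.
     *
     * <p>When {@code false}, an unsigned root is accepted and only its signed descendants are verified.
     *
     * @param required true to reject an unsigned root
     */
    public void setRequireSignedRoot(final boolean required) {
        requireSignedRoot = required;
    }

    /**
     * Get whether the root metadata element is required to carry a signature.
     *
     * @return true if an unsigned root is rejected
     * @deprecated use {@link #getRequireSignedRoot()}
     */
    @Deprecated
    public boolean getRequireSignature() {
        DeprecationSupport.warnOnce(DeprecationSupport.ObjectType.METHOD,
                getClass().getName() + ".getRequireSignature", null, "getRequireSignedRoot");
        return getRequireSignedRoot();
    }

    /**
     * Set whether the root metadata element is required to carry a signature.
     *
     * @param required true to reject an unsigned root
     * @deprecated use {@link #setRequireSignedRoot(boolean)}
     */
    @Deprecated
    public void setRequireSignature(final boolean required) {
        DeprecationSupport.warnOnce(DeprecationSupport.ObjectType.METHOD,
                getClass().getName() + ".setRequireSignature", null, "setRequireSignedRoot");
        setRequireSignedRoot(required);
    }

    /**
     * Get the criteria copied into every trust-engine evaluation.
     *
     * @return the default criteria, or null if none are configured
     */
    @Nullable
    public CriteriaSet getDefaultCriteria() {
        return defaultCriteria;
    }

    /**
     * Set the criteria copied into every trust-engine evaluation.
     *
     * @param criteriaSet the default criteria, or null for none
     */
    public void setDefaultCriteria(@Nullable final CriteriaSet criteriaSet) {
        defaultCriteria = criteriaSet;
    }

    /**
     * {@inheritDoc}
     *
     * <p>Verifies the root signature (when present) and the signatures of signed descendants, removing
     * descendants whose signature fails verification. Inputs that are not {@link EntityDescriptor} or
     * {@link EntitiesDescriptor} are returned without any signature verification.
     *
     * @throws FilterException if the root is unsigned while a signed root is required, or if the root
     *         signature fails prevalidation or trust establishment
     */
    @Override
    @Nullable
    public XMLObject filter(@Nullable final XMLObject metadata) throws FilterException {
        if (metadata == null) {
            return null;
        }

        if (!(metadata instanceof SignableXMLObject)) {
            log.warn("Input was not a SignableXMLObject, skipping filtering: {}", metadata.getClass().getName());
            return metadata;
        }
        final SignableXMLObject signableMetadata = (SignableXMLObject) metadata;

        if (!signableMetadata.isSigned() && getRequireSignedRoot()) {
            throw new FilterException("Metadata root element was unsigned and signatures are required.");
        }

        if (signableMetadata instanceof EntityDescriptor) {
            processEntityDescriptor((EntityDescriptor) signableMetadata);
        } else if (signableMetadata instanceof EntitiesDescriptor) {
            processEntityGroup((EntitiesDescriptor) signableMetadata);
        } else {
            // No verification happens on this path; the object is returned exactly as received.
            log.error("Internal error, metadata object was of an unsupported type: {}", metadata.getClass().getName());
        }

        return metadata;
    }

    /**
     * Process an {@link EntityDescriptor}: verify its own signature when signed, then verify each signed
     * {@link RoleDescriptor} and the signed {@link AffiliationDescriptor}, removing those that fail.
     *
     * @param entityDescriptor the descriptor to process
     * @throws FilterException if the descriptor's own signature fails verification; failures of
     *         subordinate elements are logged and lead to their removal instead
     */
    protected void processEntityDescriptor(@Nonnull final EntityDescriptor entityDescriptor) throws FilterException {
        final String entityID = entityDescriptor.getEntityID();
        log.trace("Processing EntityDescriptor: {}", entityID);

        if (entityDescriptor.isSigned()) {
            verifySignature(entityDescriptor, entityID, false);
        }

        // Iterator.remove() is used so failed roles can be dropped while iterating the live list.
        final Iterator<RoleDescriptor> roles = entityDescriptor.getRoleDescriptors().iterator();
        while (roles.hasNext()) {
            final RoleDescriptor role = roles.next();
            if (!role.isSigned()) {
                log.trace("RoleDescriptor member '{}' was not signed, skipping signature processing...",
                        role.getElementQName());
                continue;
            }
            log.trace("Processing signed RoleDescriptor member: {}", role.getElementQName());
            try {
                verifySignature(role, getRoleIDToken(entityID, role), false);
            } catch (final FilterException e) {
                log.error("RoleDescriptor '{}' subordinate to entity '{}' failed signature verification, removing from metadata provider",
                        role.getElementQName(), entityID);
                roles.remove();
            }
        }

        final AffiliationDescriptor affiliation = entityDescriptor.getAffiliationDescriptor();
        if (affiliation == null) {
            return;
        }
        if (!affiliation.isSigned()) {
            log.trace("AffiliationDescriptor member was not signed, skipping signature processing...");
            return;
        }
        log.trace("Processing signed AffiliationDescriptor member with owner ID: {}", affiliation.getOwnerID());
        try {
            verifySignature(affiliation, affiliation.getOwnerID(), false);
        } catch (final FilterException e) {
            log.error("AffiliationDescriptor with owner ID '{}' subordinate to entity '{}' failed signature verification, removing from metadata provider",
                    affiliation.getOwnerID(), entityID);
            entityDescriptor.setAffiliationDescriptor(null);
        }
    }

    /**
     * Process an {@link EntitiesDescriptor}: verify its own signature when signed, then process each
     * signed child {@link EntityDescriptor} and every child {@link EntitiesDescriptor}, removing
     * children that fail.
     *
     * @param entitiesDescriptor the group to process
     * @throws FilterException if the group's own signature fails verification; failures of children
     *         are logged and lead to their removal instead
     */
    protected void processEntityGroup(@Nonnull final EntitiesDescriptor entitiesDescriptor) throws FilterException {
        final String groupName = getGroupName(entitiesDescriptor);
        log.trace("Processing EntitiesDescriptor group: {}", groupName);

        if (entitiesDescriptor.isSigned()) {
            verifySignature(entitiesDescriptor, groupName, true);
        }

        // Collect failures first and remove afterwards; removing during the enhanced for-loop is not permitted.
        final Set<EntityDescriptor> failedEntities = new HashSet<>();
        for (final EntityDescriptor entity : entitiesDescriptor.getEntityDescriptors()) {
            if (!entity.isSigned()) {
                log.trace("EntityDescriptor member '{}' was not signed, skipping signature processing...",
                        entity.getEntityID());
                continue;
            }
            log.trace("Processing signed EntityDescriptor member: {}", entity.getEntityID());
            try {
                processEntityDescriptor(entity);
            } catch (final FilterException e) {
                log.error("EntityDescriptor '{}' failed signature verification, removing from metadata provider",
                        entity.getEntityID());
                failedEntities.add(entity);
            }
        }
        if (!failedEntities.isEmpty()) {
            entitiesDescriptor.getEntityDescriptors().removeAll(failedEntities);
        }

        // Child groups are processed whether or not they are signed; only their own signed content is verified.
        final Set<EntitiesDescriptor> failedGroups = new HashSet<>();
        for (final EntitiesDescriptor childGroup : entitiesDescriptor.getEntitiesDescriptors()) {
            final String childName = getGroupName(childGroup);
            log.trace("Processing EntitiesDescriptor member: {}", childName);
            try {
                processEntityGroup(childGroup);
            } catch (final FilterException e) {
                log.error("EntitiesDescriptor '{}' failed signature verification, removing from metadata provider",
                        childName);
                failedGroups.add(childGroup);
            }
        }
        if (!failedGroups.isEmpty()) {
            entitiesDescriptor.getEntitiesDescriptors().removeAll(failedGroups);
        }
    }

    /**
     * Verify the signature on a metadata element: run the prevalidator (if any) and then establish
     * trust via the {@link SignatureTrustEngine}.
     *
     * @param signedMetadata the element whose signature is verified
     * @param metadataEntryName a non-empty name for the element, used in log and error messages
     * @param isEntityGroup true if the element is an {@link EntitiesDescriptor}
     * @throws FilterException if prevalidation fails, trust cannot be established, or the trust engine
     *         reports an error
     */
    protected void verifySignature(@Nonnull final SignableXMLObject signedMetadata,
            @NotEmpty @Nonnull final String metadataEntryName, final boolean isEntityGroup) throws FilterException {
        log.debug("Verifying signature on metadata entry: {}", metadataEntryName);

        final Signature signature = signedMetadata.getSignature();
        if (signature == null) {
            // Every caller in this class checks isSigned() first, so this is a defensive no-op path.
            log.warn("Signature was null, skipping processing on metadata entry: {}", metadataEntryName);
            return;
        }

        performPreValidation(signature, metadataEntryName);

        try {
            final CriteriaSet criteria = buildCriteriaSet(signedMetadata, metadataEntryName, isEntityGroup);
            if (!getSignatureTrustEngine().validate(signature, criteria)) {
                log.error("Signature trust establishment failed for metadata entry {}", metadataEntryName);
                throw new FilterException("Signature trust establishment failed for metadata entry");
            }
            log.trace("Signature trust establishment succeeded for metadata entry {}", metadataEntryName);
        } catch (final SecurityException e) {
            log.error("Error processing signature verification for metadata entry '{}': {} ",
                    metadataEntryName, e.getMessage());
            throw new FilterException("Error processing signature verification for metadata entry", e);
        }
    }

    /**
     * Run the configured {@link SignaturePrevalidator} on a signature, if one is set.
     *
     * @param signature the signature to prevalidate
     * @param metadataEntryName a non-empty name for the element, used in log messages
     * @throws FilterException if the prevalidator rejects the signature
     */
    protected void performPreValidation(@Nonnull final Signature signature,
            @NotEmpty @Nonnull final String metadataEntryName) throws FilterException {
        final SignaturePrevalidator prevalidator = getSignaturePrevalidator();
        if (prevalidator == null) {
            return;
        }
        try {
            prevalidator.validate(signature);
        } catch (final SignatureException e) {
            log.error("Signature on metadata entry '{}' failed signature pre-validation", metadataEntryName);
            throw new FilterException("Metadata instance signature failed signature pre-validation", e);
        }
    }

    /**
     * Build the criteria handed to the trust engine for one element.
     *
     * <p>The result contains the default criteria (if any), a {@link UsageCriterion} of
     * {@link UsageType#SIGNING} unless the defaults already supply one, and a
     * {@link TrustedNamesCriterion} when the dynamic trusted-names strategy yields a non-empty set.
     * {@code metadataEntryName} and {@code isEntityGroup} are not used here; they are available to
     * subclasses that override this method.
     *
     * @param signedMetadata the element being verified
     * @param metadataEntryName a non-empty name for the element
     * @param isEntityGroup true if the element is an {@link EntitiesDescriptor}
     * @return the criteria set, never null
     */
    @Nonnull
    protected CriteriaSet buildCriteriaSet(@Nonnull final SignableXMLObject signedMetadata,
            @NotEmpty @Nonnull final String metadataEntryName, final boolean isEntityGroup) {
        final CriteriaSet criteria = new CriteriaSet();

        final CriteriaSet defaults = getDefaultCriteria();
        if (defaults != null) {
            criteria.addAll(defaults);
        }

        // Only supply the SIGNING usage when the defaults did not already specify a usage.
        if (!criteria.contains(UsageCriterion.class)) {
            criteria.add(new UsageCriterion(UsageType.SIGNING));
        }

        final Function<XMLObject, Set<String>> strategy = getDynamicTrustedNamesStrategy();
        if (strategy != null) {
            final Set<String> trustedNames = strategy.apply(signedMetadata);
            if (trustedNames != null && !trustedNames.isEmpty()) {
                criteria.add(new TrustedNamesCriterion(trustedNames));
            }
        }

        return criteria;
    }

    /**
     * Build a display token identifying a role within an entity, for log and error messages.
     *
     * @param entityID the owning entity's ID
     * @param roleDescriptor the role
     * @return a token of the form {@code [Role: entityID::localName]}
     */
    @NotEmpty
    @Nonnull
    protected String getRoleIDToken(@NotEmpty @Nonnull final String entityID,
            @Nonnull final RoleDescriptor roleDescriptor) {
        return "[Role: " + entityID + "::" + roleDescriptor.getElementQName().getLocalPart() + "]";
    }

    /**
     * Derive a display name for an {@link EntitiesDescriptor}: its Name attribute, else its ID,
     * else the literal {@code (unnamed)}.
     *
     * @param entitiesDescriptor the group
     * @return a non-empty display name
     */
    @NotEmpty
    @Nonnull
    protected String getGroupName(@Nonnull final EntitiesDescriptor entitiesDescriptor) {
        final String name = entitiesDescriptor.getName();
        if (name != null) {
            return name;
        }
        final String id = entitiesDescriptor.getID();
        return id != null ? id : "(unnamed)";
    }
}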
