package edu.internet2.middleware.shibboleth.common.security;

import edu.internet2.middleware.shibboleth.common.xmlobject.ShibbolethMetadataKeyAuthority;
import java.lang.ref.SoftReference;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReadWriteLock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import javax.xml.namespace.QName;
import org.opensaml.saml2.common.Extensions;
import org.opensaml.saml2.metadata.EntitiesDescriptor;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.KeyDescriptor;
import org.opensaml.saml2.metadata.RoleDescriptor;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.saml2.metadata.provider.ObservableMetadataProvider;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
import org.opensaml.xml.security.x509.BasicPKIXValidationInformation;
import org.opensaml.xml.security.x509.PKIXValidationInformation;
import org.opensaml.xml.security.x509.PKIXValidationInformationResolver;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.util.DatatypeHelper;
import org.opensaml.xml.util.LazySet;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:edu/internet2/middleware/shibboleth/common/security/MetadataPKIXValidationInformationResolver.class */
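/**
 * Resolves PKIX validation information (trust anchors and CRLs) and trusted key names for a SAML
 * entity from the {@code shibmd:KeyAuthority} extensions carried in its metadata.
 *
 * <p>Validation information is gathered by walking from the requested role's {@link EntityDescriptor}
 * up through every enclosing {@link EntitiesDescriptor}, collecting the
 * {@link ShibbolethMetadataKeyAuthority} elements found in each level's {@link Extensions}; nearer
 * levels come first in the result. Trusted names are the {@code KeyName}s of the role's
 * {@link KeyDescriptor}s whose usage matches the request, plus the entity ID itself.</p>
 *
 * <p>Results are cached per (entityID, role, protocol, usage) and per {@link Extensions} instance.
 * Cached values are held through {@link SoftReference}s and all cache access is guarded by a
 * {@link ReadWriteLock}. When the provider is an {@link ObservableMetadataProvider} the caches are
 * cleared on every provider event; for any other provider nothing ever clears them (keys are held
 * strongly, only the values are soft).</p>
 *
 * <p>Nothing in this class verifies the provenance of the metadata: the anchors it returns are exactly
 * as trustworthy as what the supplied {@link MetadataProvider} delivers.</p>
 */
public class MetadataPKIXValidationInformationResolver implements PKIXValidationInformationResolver {

    /** Verification depth used when a {@code KeyAuthority} element carries no {@code VerifyDepth}. */
    public static final int KEY_AUTHORITY_VERIFY_DEPTH_DEFAULT = 1;

    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(MetadataPKIXValidationInformationResolver.class);

    /** Source of the SAML metadata. */
    private final MetadataProvider metadata;

    /** Cache of PKIX validation info per entity cache key. */
    private final Map<MetadataCacheKey, SoftReference<List<PKIXValidationInformation>>> entityPKIXCache;

    /** Cache of PKIX validation info per Extensions element (keyed by the Extensions instance). */
    private final Map<Extensions, SoftReference<List<PKIXValidationInformation>>> extensionsCache;

    /** Cache of trusted names per entity cache key. */
    private final Map<MetadataCacheKey, SoftReference<Set<String>>> entityNamesCache;

    /** Lock guarding all three caches. */
    private final ReadWriteLock rwlock;

    /**
     * Key for the per-entity caches: entity ID, role, protocol (optional) and key usage.
     */
    public class MetadataCacheKey {
        private final String id;
        private final QName role;
        private final String protocol;
        private final UsageType usage;

        /**
         * Constructor.
         *
         * @param entityID the entity ID, may not be null
         * @param roleName the role QName, may not be null
         * @param protocolName the protocol URI, may be null
         * @param usageType the key usage, may not be null
         * @throws IllegalArgumentException if a required component is null
         */
        protected MetadataCacheKey(String entityID, QName roleName, String protocolName, UsageType usageType) {
            if (entityID == null) {
                throw new IllegalArgumentException("Entity ID may not be null");
            }
            if (roleName == null) {
                throw new IllegalArgumentException("Entity role may not be null");
            }
            if (usageType == null) {
                throw new IllegalArgumentException("Usage may not be null");
            }
            id = entityID;
            role = roleName;
            protocol = protocolName;
            usage = usageType;
        }

        /** {@inheritDoc} */
        @Override
        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof MetadataCacheKey)) {
                return false;
            }
            MetadataCacheKey other = (MetadataCacheKey) obj;
            return id.equals(other.id)
                    && role.equals(other.role)
                    && usage == other.usage
                    && Objects.equals(protocol, other.protocol);
        }

        /** {@inheritDoc} */
        @Override
        public int hashCode() {
            return Objects.hash(id, role, protocol, usage);
        }

        /** {@inheritDoc} */
        @Override
        public String toString() {
            return String.format("[%s,%s,%s,%s]", id, role, protocol, usage);
        }
    }

    /**
     * Observer that empties every cache whenever the metadata provider signals a change.
     */
    protected class MetadataProviderObserver implements ObservableMetadataProvider.Observer {

        /** Constructor. */
        protected MetadataProviderObserver() {
        }

        /** {@inheritDoc} */
        @Override
        public void onEvent(MetadataProvider provider) {
            Lock writeLock = getReadWriteLock().writeLock();
            writeLock.lock();
            log.debug("Write lock over cache acquired");
            try {
                entityPKIXCache.clear();
                extensionsCache.clear();
                entityNamesCache.clear();
                log.info("PKIX validation info cache cleared");
            } finally {
                writeLock.unlock();
                log.debug("Write lock over cache released");
            }
        }
    }

    /**
     * Constructor.
     *
     * @param metadataProvider the metadata provider to resolve against, may not be null
     * @throws IllegalArgumentException if the provider is null
     */
    public MetadataPKIXValidationInformationResolver(MetadataProvider metadataProvider) {
        if (metadataProvider == null) {
            throw new IllegalArgumentException("Metadata provider may not be null");
        }
        metadata = metadataProvider;
        entityPKIXCache = new HashMap<>();
        extensionsCache = new HashMap<>();
        entityNamesCache = new HashMap<>();
        rwlock = new ReentrantReadWriteLock();
        if (metadataProvider instanceof ObservableMetadataProvider) {
            // Only an observable provider can tell us when cached entries have gone stale.
            ((ObservableMetadataProvider) metadataProvider).getObservers().add(new MetadataProviderObserver());
        }
    }

    /** {@inheritDoc} */
    public PKIXValidationInformation resolveSingle(CriteriaSet criteriaSet) throws SecurityException {
        Iterator<PKIXValidationInformation> iterator = resolve(criteriaSet).iterator();
        return iterator.hasNext() ? iterator.next() : null;
    }

    /**
     * {@inheritDoc}
     *
     * <p>The returned collection is a read-only view of the cached result, so callers cannot alter
     * what later lookups will see.</p>
     */
    public Iterable<PKIXValidationInformation> resolve(CriteriaSet criteriaSet) throws SecurityException {
        MetadataCacheKey cacheKey = buildCacheKey(criteriaSet);
        List<PKIXValidationInformation> pkixInfo = retrievePKIXInfoFromCache(cacheKey);
        if (pkixInfo == null) {
            pkixInfo = retrievePKIXInfoFromMetadata(cacheKey.id, cacheKey.role, cacheKey.protocol, cacheKey.usage);
            if (pkixInfo == null) {
                pkixInfo = Collections.emptyList();
            }
            cachePKIXInfo(cacheKey, pkixInfo);
        }
        return Collections.unmodifiableList(pkixInfo);
    }

    /**
     * {@inheritDoc}
     *
     * <p>The entity ID from the criteria is always part of the returned set. The returned set is a
     * fresh copy, never the cached instance.</p>
     */
    public Set<String> resolveTrustedNames(CriteriaSet criteriaSet) throws SecurityException,
            UnsupportedOperationException {
        MetadataCacheKey cacheKey = buildCacheKey(criteriaSet);
        Set<String> names = retrieveTrustedNamesFromCache(cacheKey);
        if (names == null) {
            names = retrieveTrustedNamesFromMetadata(cacheKey.id, cacheKey.role, cacheKey.protocol, cacheKey.usage);
            if (names == null) {
                names = Collections.emptySet();
            }
            cacheTrustedNames(cacheKey, names);
        }
        Set<String> result = new HashSet<>(names);
        result.add(cacheKey.id);
        return result;
    }

    /** {@inheritDoc} */
    public boolean supportsTrustedNameResolution() {
        return true;
    }

    /**
     * Get the lock guarding the caches.
     *
     * @return the read/write lock
     */
    protected ReadWriteLock getReadWriteLock() {
        return rwlock;
    }

    /**
     * Validate that the criteria set carries everything a lookup needs.
     *
     * @param criteriaSet the criteria to check
     * @throws IllegalArgumentException if the entity ID or metadata criteria are missing, or the entity ID
     *             or role value is empty
     */
    protected void checkCriteriaRequirements(CriteriaSet criteriaSet) {
        EntityIDCriteria entityCriteria = (EntityIDCriteria) criteriaSet.get(EntityIDCriteria.class);
        MetadataCriteria mdCriteria = (MetadataCriteria) criteriaSet.get(MetadataCriteria.class);
        if (entityCriteria == null) {
            throw new IllegalArgumentException("Entity criteria must be supplied");
        }
        if (mdCriteria == null) {
            throw new IllegalArgumentException("SAML metadata criteria must be supplied");
        }
        if (DatatypeHelper.isEmpty(entityCriteria.getEntityID())) {
            throw new IllegalArgumentException("Entity ID criteria value must be supplied");
        }
        if (mdCriteria.getRole() == null) {
            throw new IllegalArgumentException("Metadata role criteria value must be supplied");
        }
    }

    /**
     * Check the criteria, trigger an on-demand provider refresh, and build the cache key for the lookup.
     * Shared by {@link #resolve(CriteriaSet)} and {@link #resolveTrustedNames(CriteriaSet)}.
     *
     * @param criteriaSet the lookup criteria
     * @return the cache key describing the lookup
     * @throws IllegalArgumentException if the criteria are incomplete
     */
    private MetadataCacheKey buildCacheKey(CriteriaSet criteriaSet) {
        checkCriteriaRequirements(criteriaSet);
        String entityID = ((EntityIDCriteria) criteriaSet.get(EntityIDCriteria.class)).getEntityID();
        MetadataCriteria mdCriteria = (MetadataCriteria) criteriaSet.get(MetadataCriteria.class);
        UsageCriteria usageCriteria = (UsageCriteria) criteriaSet.get(UsageCriteria.class);
        UsageType usage = (usageCriteria != null) ? usageCriteria.getUsage() : UsageType.UNSPECIFIED;
        refreshMetadataIfNeeded();
        return new MetadataCacheKey(entityID, mdCriteria.getRole(), mdCriteria.getProtocol(), usage);
    }

    /**
     * Poke the provider so that an on-demand provider refreshes before the cache is consulted.
     * A failed refresh is best effort: the lookup continues with whatever the provider currently holds,
     * and {@link #getRoleDescriptors} converts a hard provider failure into a {@link SecurityException}.
     */
    private void refreshMetadataIfNeeded() {
        log.debug("Forcing on-demand metadata provider refresh if necessary");
        try {
            metadata.getMetadata();
        } catch (MetadataProviderException e) {
            log.debug("Metadata provider refresh failed, continuing with currently loaded metadata", e);
        }
    }

    /**
     * Gather PKIX validation info for an entity's role from metadata.
     *
     * @param entityID the entity ID
     * @param role the role QName
     * @param protocol the protocol URI, may be null
     * @param usage the key usage; part of the cache key but not consulted here, since KeyAuthority
     *            information comes from the enclosing Extensions rather than from a KeyDescriptor
     * @return the validation info found, empty (never null) if the role is absent
     * @throws SecurityException if the metadata cannot be read or a KeyAuthority cannot be parsed
     */
    protected List<PKIXValidationInformation> retrievePKIXInfoFromMetadata(String entityID, QName role,
            String protocol, UsageType usage) throws SecurityException {
        log.debug("Attempting to retrieve PKIX validation info from metadata for entity: {}", entityID);
        List<PKIXValidationInformation> pkixInfo = new ArrayList<>();
        List<RoleDescriptor> roleDescriptors = getRoleDescriptors(entityID, role, protocol);
        if (roleDescriptors == null) {
            return pkixInfo;
        }
        for (RoleDescriptor roleDescriptor : roleDescriptors) {
            List<PKIXValidationInformation> fromRole = resolvePKIXInfo(roleDescriptor);
            if (fromRole != null) {
                pkixInfo.addAll(fromRole);
            }
        }
        return pkixInfo;
    }

    /**
     * Collect PKIX validation info from the Extensions of the role's EntityDescriptor and of every
     * EntitiesDescriptor enclosing it, nearest first.
     *
     * @param roleDescriptor the role whose ancestry is walked
     * @return the validation info found, never null
     * @throws SecurityException if a KeyAuthority cannot be parsed
     */
    protected List<PKIXValidationInformation> resolvePKIXInfo(RoleDescriptor roleDescriptor) throws SecurityException {
        List<PKIXValidationInformation> pkixInfo = new ArrayList<>();
        // The ancestry is a chain of XMLObjects; both descriptor kinds can carry KeyAuthority extensions.
        for (XMLObject current = roleDescriptor.getParent(); current != null; current = current.getParent()) {
            if (current instanceof EntityDescriptor) {
                pkixInfo.addAll(resolvePKIXInfo(((EntityDescriptor) current).getExtensions()));
            } else if (current instanceof EntitiesDescriptor) {
                pkixInfo.addAll(resolvePKIXInfo(((EntitiesDescriptor) current).getExtensions()));
            }
        }
        return pkixInfo;
    }

    /**
     * Resolve the PKIX validation info carried by the KeyAuthority children of an Extensions element,
     * consulting and populating the per-Extensions cache.
     *
     * @param extensions the Extensions element, may be null
     * @return the validation info found, never null
     * @throws SecurityException if a KeyAuthority cannot be parsed
     */
    protected List<PKIXValidationInformation> resolvePKIXInfo(Extensions extensions) throws SecurityException {
        if (extensions == null) {
            return Collections.emptyList();
        }
        List<PKIXValidationInformation> cached = retrieveExtensionsInfoFromCache(extensions);
        if (cached != null) {
            return cached;
        }
        if (log.isDebugEnabled()) {
            String parentName = getExtensionsParentName(extensions);
            if (parentName == null) {
                log.debug("Resolving PKIX validation info for Extensions with unidentified parent");
            } else if (extensions.getParent() instanceof EntityDescriptor) {
                log.debug("Resolving PKIX validation info for Extensions with EntityDescriptor parent: {}", parentName);
            } else if (extensions.getParent() instanceof EntitiesDescriptor) {
                log.debug("Resolving PKIX validation info for Extensions with EntitiesDescriptor parent: {}",
                        parentName);
            }
        }
        List<PKIXValidationInformation> pkixInfo = new ArrayList<>();
        List<XMLObject> keyAuthorities = extensions.getUnknownXMLObjects(ShibbolethMetadataKeyAuthority.DEFAULT_ELEMENT_NAME);
        if (keyAuthorities == null || keyAuthorities.isEmpty()) {
            return pkixInfo;
        }
        for (XMLObject candidate : keyAuthorities) {
            if (!(candidate instanceof ShibbolethMetadataKeyAuthority)) {
                // An element with the KeyAuthority name that was not unmarshalled as one yields no anchors.
                log.warn("Ignoring KeyAuthority element not unmarshalled as ShibbolethMetadataKeyAuthority: {}",
                        candidate.getClass().getName());
                continue;
            }
            PKIXValidationInformation info = resolvePKIXInfo((ShibbolethMetadataKeyAuthority) candidate);
            if (info != null) {
                pkixInfo.add(info);
            }
        }
        cacheExtensionsInfo(extensions, pkixInfo);
        return pkixInfo;
    }

    /**
     * Build the validation info for one KeyAuthority element from the certificates and CRLs in its KeyInfos.
     *
     * @param keyAuthority the KeyAuthority element
     * @return the validation info, or null if the element carries no KeyInfo or no certificates and CRLs
     * @throws SecurityException if a certificate or CRL cannot be decoded
     */
    protected PKIXValidationInformation resolvePKIXInfo(ShibbolethMetadataKeyAuthority keyAuthority)
            throws SecurityException {
        List<X509Certificate> certs = new ArrayList<>();
        List<X509CRL> crls = new ArrayList<>();
        Integer depth = keyAuthority.getVerifyDepth();
        if (depth == null) {
            depth = KEY_AUTHORITY_VERIFY_DEPTH_DEFAULT;
        }
        List<KeyInfo> keyInfos = keyAuthority.getKeyInfos();
        if (keyInfos == null || keyInfos.isEmpty()) {
            return null;
        }
        for (KeyInfo keyInfo : keyInfos) {
            certs.addAll(getX509Certificates(keyInfo));
            crls.addAll(getX509CRLs(keyInfo));
        }
        if (certs.isEmpty() && crls.isEmpty()) {
            return null;
        }
        return new BasicPKIXValidationInformation(certs, crls, depth);
    }

    /**
     * Extract the X.509 certificates from a KeyInfo.
     *
     * @param keyInfo the KeyInfo
     * @return the certificates
     * @throws SecurityException if a certificate cannot be decoded
     */
    protected List<X509Certificate> getX509Certificates(KeyInfo keyInfo) throws SecurityException {
        try {
            return KeyInfoHelper.getCertificates(keyInfo);
        } catch (CertificateException e) {
            throw new SecurityException("Error extracting certificates from KeyAuthority KeyInfo", e);
        }
    }

    /**
     * Extract the X.509 CRLs from a KeyInfo.
     *
     * @param keyInfo the KeyInfo
     * @return the CRLs
     * @throws SecurityException if a CRL cannot be decoded
     */
    protected List<X509CRL> getX509CRLs(KeyInfo keyInfo) throws SecurityException {
        try {
            return KeyInfoHelper.getCRLs(keyInfo);
        } catch (CRLException e) {
            throw new SecurityException("Error extracting CRL's from KeyAuthority KeyInfo", e);
        }
    }

    /**
     * Gather trusted key names for an entity's role from the KeyDescriptors whose usage matches.
     *
     * @param entityID the entity ID
     * @param role the role QName
     * @param protocol the protocol URI, may be null
     * @param usage the requested key usage
     * @return the trusted names found, empty (never null) if the role is absent
     * @throws SecurityException if the metadata cannot be read
     */
    protected Set<String> retrieveTrustedNamesFromMetadata(String entityID, QName role, String protocol,
            UsageType usage) throws SecurityException {
        log.debug("Attempting to retrieve trusted names for PKIX validation from metadata for entity: {}", entityID);
        Set<String> names = new LazySet<>();
        List<RoleDescriptor> roleDescriptors = getRoleDescriptors(entityID, role, protocol);
        if (roleDescriptors == null) {
            return names;
        }
        for (RoleDescriptor roleDescriptor : roleDescriptors) {
            List<KeyDescriptor> keyDescriptors = roleDescriptor.getKeyDescriptors();
            if (keyDescriptors == null || keyDescriptors.isEmpty()) {
                // A role without KeyDescriptors contributes nothing; keep scanning the remaining roles
                // instead of returning early with only the names collected so far.
                continue;
            }
            for (KeyDescriptor keyDescriptor : keyDescriptors) {
                UsageType mdUsage = keyDescriptor.getUse();
                if (mdUsage == null) {
                    mdUsage = UsageType.UNSPECIFIED;
                }
                if (matchUsage(mdUsage, usage) && keyDescriptor.getKeyInfo() != null) {
                    names.addAll(getTrustedNames(keyDescriptor.getKeyInfo()));
                }
            }
        }
        return names;
    }

    /**
     * Get the KeyNames of a KeyInfo as trusted names.
     *
     * @param keyInfo the KeyInfo
     * @return the key names, never null
     */
    protected Set<String> getTrustedNames(KeyInfo keyInfo) {
        Set<String> names = new LazySet<>();
        names.addAll(KeyInfoHelper.getKeyNames(keyInfo));
        return names;
    }

    /**
     * Decide whether a metadata key usage satisfies a requested usage.
     *
     * @param metadataUsage the usage declared in metadata
     * @param criteriaUsage the usage requested
     * @return true if either side is UNSPECIFIED or both are equal
     */
    protected boolean matchUsage(UsageType metadataUsage, UsageType criteriaUsage) {
        return metadataUsage == UsageType.UNSPECIFIED
                || criteriaUsage == UsageType.UNSPECIFIED
                || metadataUsage == criteriaUsage;
    }

    /**
     * Look up the role descriptors for an entity, optionally narrowed to a protocol.
     *
     * @param entityID the entity ID
     * @param role the role QName
     * @param protocol the protocol URI; when empty all roles of that type are returned
     * @return the matching role descriptors, or null if the protocol-specific role does not exist
     * @throws SecurityException if the provider fails to read metadata
     */
    protected List<RoleDescriptor> getRoleDescriptors(String entityID, QName role, String protocol)
            throws SecurityException {
        try {
            if (DatatypeHelper.isEmpty(protocol)) {
                return metadata.getRole(entityID, role);
            }
            RoleDescriptor roleDescriptor = metadata.getRole(entityID, role, protocol);
            if (roleDescriptor == null) {
                return null;
            }
            return Collections.singletonList(roleDescriptor);
        } catch (MetadataProviderException e) {
            log.error("Unable to read metadata from provider", e);
            throw new SecurityException("Unable to read metadata provider", e);
        }
    }

    /**
     * Read a softly-referenced value from one of the caches under the read lock.
     *
     * @param cache the cache to consult
     * @param key the lookup key
     * @param <K> key type
     * @param <V> value type
     * @return the cached value, or null if absent or already collected
     */
    private <K, V> V lookupCache(Map<K, SoftReference<V>> cache, K key) {
        Lock readLock = getReadWriteLock().readLock();
        readLock.lock();
        log.debug("Read lock over cache acquired");
        try {
            SoftReference<V> ref = cache.get(key);
            // Dereference exactly once: the GC may clear a SoftReference between two get() calls,
            // which would turn a successful null-check into a null result.
            return (ref != null) ? ref.get() : null;
        } finally {
            readLock.unlock();
            log.debug("Read lock over cache released");
        }
    }

    /**
     * Store a value in one of the caches under the write lock.
     *
     * @param cache the cache to update
     * @param key the key
     * @param value the value, wrapped in a SoftReference
     * @param <K> key type
     * @param <V> value type
     */
    private <K, V> void storeInCache(Map<K, SoftReference<V>> cache, K key, V value) {
        Lock writeLock = getReadWriteLock().writeLock();
        writeLock.lock();
        log.debug("Write lock over cache acquired");
        try {
            cache.put(key, new SoftReference<>(value));
        } finally {
            writeLock.unlock();
            log.debug("Write lock over cache released");
        }
    }

    /**
     * Get cached PKIX validation info for an entity cache key.
     *
     * @param cacheKey the key
     * @return the cached info, or null on a miss
     */
    protected List<PKIXValidationInformation> retrievePKIXInfoFromCache(MetadataCacheKey cacheKey) {
        log.debug("Attempting to retrieve PKIX validation info from cache using index: {}", cacheKey);
        List<PKIXValidationInformation> cached = lookupCache(entityPKIXCache, cacheKey);
        if (cached != null) {
            log.debug("Retrieved PKIX validation info from cache using index: {}", cacheKey);
        } else {
            log.debug("Unable to retrieve PKIX validation info from cache using index: {}", cacheKey);
        }
        return cached;
    }

    /**
     * Get cached PKIX validation info for an Extensions element.
     *
     * @param extensions the Extensions element
     * @return the cached info, or null on a miss
     */
    protected List<PKIXValidationInformation> retrieveExtensionsInfoFromCache(Extensions extensions) {
        if (log.isDebugEnabled()) {
            String parentName = getExtensionsParentName(extensions);
            if (parentName == null) {
                log.debug("Attempting to retrieve PKIX validation info from cache for Extensions with unidentified parent");
            } else if (extensions.getParent() instanceof EntityDescriptor) {
                log.debug("Attempting to retrieve PKIX validation info from cache for Extensions with EntityDescriptor parent: {}",
                        parentName);
            } else if (extensions.getParent() instanceof EntitiesDescriptor) {
                log.debug("Attempting to retrieve PKIX validation info from cache for Extensions with EntitiesDescriptor parent: {}",
                        parentName);
            }
        }
        List<PKIXValidationInformation> cached = lookupCache(extensionsCache, extensions);
        if (cached != null) {
            log.debug("Retrieved PKIX validation info from cache using index: {}", extensions);
        } else {
            log.debug("Unable to retrieve PKIX validation info from cache using index: {}", extensions);
        }
        return cached;
    }

    /**
     * Get cached trusted names for an entity cache key.
     *
     * @param cacheKey the key
     * @return the cached names, or null on a miss
     */
    protected Set<String> retrieveTrustedNamesFromCache(MetadataCacheKey cacheKey) {
        log.debug("Attempting to retrieve trusted names from cache using index: {}", cacheKey);
        Set<String> cached = lookupCache(entityNamesCache, cacheKey);
        if (cached != null) {
            log.debug("Retrieved trusted names from cache using index: {}", cacheKey);
        } else {
            log.debug("Unable to retrieve trusted names from cache using index: {}", cacheKey);
        }
        return cached;
    }

    /**
     * Cache PKIX validation info for an entity cache key.
     *
     * @param cacheKey the key
     * @param pkixInfo the info to cache
     */
    protected void cachePKIXInfo(MetadataCacheKey cacheKey, List<PKIXValidationInformation> pkixInfo) {
        storeInCache(entityPKIXCache, cacheKey, pkixInfo);
        log.debug("Added new PKIX info to entity cache with key: {}", cacheKey);
    }

    /**
     * Cache PKIX validation info for an Extensions element.
     *
     * @param extensions the Extensions element
     * @param pkixInfo the info to cache
     */
    protected void cacheExtensionsInfo(Extensions extensions, List<PKIXValidationInformation> pkixInfo) {
        storeInCache(extensionsCache, extensions, pkixInfo);
        if (log.isDebugEnabled()) {
            log.debug("Added new PKIX info to cache for Extensions with parent: {}", getExtensionsParentName(extensions));
        }
    }

    /**
     * Cache trusted names for an entity cache key.
     *
     * @param cacheKey the key
     * @param names the names to cache
     */
    protected void cacheTrustedNames(MetadataCacheKey cacheKey, Set<String> names) {
        storeInCache(entityNamesCache, cacheKey, names);
        log.debug("Added new trusted names to entity cache with key: {}", cacheKey);
    }

    /**
     * Get a display name for the parent of an Extensions element.
     *
     * @param extensions the Extensions element
     * @return the parent entity ID or EntitiesDescriptor name, or null if the parent is absent or of
     *         another type
     */
    protected String getExtensionsParentName(Extensions extensions) {
        XMLObject parent = extensions.getParent();
        if (parent instanceof EntityDescriptor) {
            return ((EntityDescriptor) parent).getEntityID();
        }
        if (parent instanceof EntitiesDescriptor) {
            return ((EntitiesDescriptor) parent).getName();
        }
        return null;
    }
}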
