package edu.internet2.middleware.shibboleth.common.relyingparty;

import java.util.Collections;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.ws.message.MessageContext;
import org.opensaml.ws.security.SecurityPolicy;
import org.opensaml.ws.security.SecurityPolicyResolver;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.util.DatatypeHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:edu/internet2/middleware/shibboleth/common/relyingparty/RelyingPartySecurityPolicyResolver.class */
/**
 * Picks the {@link SecurityPolicy} for an inbound message from the relying party configuration of the
 * message issuer and the communication profile in use.
 *
 * <p>Resolution order, as implemented below:
 * <ol>
 * <li>if a metadata provider was supplied and it has no entity descriptor for the issuer, the anonymous
 * relying party configuration is used;</li>
 * <li>otherwise (including when the metadata lookup throws) the configuration manager is asked for the
 * issuer's configuration;</li>
 * <li>the profile configuration for the communication profile ID supplies the policy.</li>
 * </ol>
 *
 * <p>Security note: {@link #resolveSingle(MessageContext)} returns {@code null} when no relying party or
 * profile configuration is found, and {@link #resolve(MessageContext)} then yields a one-element list
 * holding that {@code null}. Callers must decide explicitly how a missing policy is handled; this class
 * does not substitute a default.
 */
public class RelyingPartySecurityPolicyResolver implements SecurityPolicyResolver {
    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(RelyingPartySecurityPolicyResolver.class);

    /** Source of relying party configurations; the constructor rejects null. */
    private final RelyingPartyConfigurationManager rpConfigManager;

    /** Metadata source used only to detect issuers without metadata; may be null. */
    private final MetadataProvider metadataProvider;

    /**
     * Creates a resolver without a metadata provider, so the anonymous relying party case is never evaluated.
     *
     * @param relyingPartyConfigurationManager source of relying party configurations, may not be null
     */
    public RelyingPartySecurityPolicyResolver(RelyingPartyConfigurationManager relyingPartyConfigurationManager) {
        this(relyingPartyConfigurationManager, null);
    }

    /**
     * Creates a resolver.
     *
     * @param relyingPartyConfigurationManager source of relying party configurations, may not be null
     * @param metadataProvider metadata source used to detect issuers without metadata, may be null
     * @throws IllegalArgumentException if the configuration manager is null
     */
    public RelyingPartySecurityPolicyResolver(RelyingPartyConfigurationManager relyingPartyConfigurationManager, MetadataProvider metadataProvider) {
        if (relyingPartyConfigurationManager == null) {
            throw new IllegalArgumentException("Relying party configuration manager may not be null");
        }
        this.rpConfigManager = relyingPartyConfigurationManager;
        this.metadataProvider = metadataProvider;
    }

    /**
     * Resolves the policy for the message and wraps it in a single-element list.
     *
     * @param messageContext context of the inbound message
     * @return a one-element list; the element is null when no policy could be resolved
     * @throws SecurityException if the issuer or the communication profile ID is unknown
     */
    public Iterable<SecurityPolicy> resolve(MessageContext messageContext) throws SecurityException {
        SecurityPolicy policy = resolveSingle(messageContext);
        return Collections.singletonList(policy);
    }

    /**
     * Resolves the single policy that applies to the inbound message.
     *
     * @param messageContext context of the inbound message
     * @return the policy of the matching profile configuration, or null when no relying party
     *         configuration or no profile configuration is found
     * @throws SecurityException if the inbound message issuer or the communication profile ID is empty
     */
    public SecurityPolicy resolveSingle(MessageContext messageContext) throws SecurityException {
        // The issuer is read straight from the message context and is the sole lookup key here.
        // NOTE(review): presumably the issuer is not yet authenticated at this stage — confirm with callers.
        final String issuer = messageContext.getInboundMessageIssuer();
        if (DatatypeHelper.isEmpty(issuer)) {
            throw new SecurityException("Unable to select security policy, ID of the peer unknown.");
        }

        RelyingPartyConfiguration rpConfig = lookupAnonymousConfiguration(issuer);
        if (rpConfig == null) {
            rpConfig = this.rpConfigManager.getRelyingPartyConfiguration(issuer);
        }
        if (rpConfig == null) {
            this.log.debug("No relying party configuration resolved, returning null security policy");
            return null;
        }

        final String profileId = messageContext.getCommunicationProfileId();
        if (DatatypeHelper.isEmpty(profileId)) {
            throw new SecurityException("Unable to select security policy, communication profile ID unknown.");
        }
        this.log.debug("Resolving security policy based on communication profile ID: {}", profileId);

        final ProfileConfiguration profileConfig = rpConfig.getProfileConfiguration(profileId);
        if (profileConfig == null) {
            this.log.debug("No profile configuration resolved for communication profile ID '{}', returning null security policy", profileId);
            return null;
        }
        return profileConfig.getSecurityPolicy();
    }

    /**
     * Returns the anonymous relying party configuration when the metadata provider has no entity
     * descriptor for the issuer.
     *
     * <p>Returns null, leaving the caller to look the issuer up by ID, when no metadata provider is set,
     * when metadata exists for the issuer, or when the metadata lookup fails. The failure case is only
     * logged: a metadata outage therefore means the anonymous check is skipped rather than the request
     * being rejected.
     * NOTE(review): whether that is acceptable depends on what the configuration manager returns for an
     * issuer it does not know — confirm against the manager implementation.
     *
     * @param issuer entity ID of the inbound message issuer
     * @return the anonymous configuration, or null if the anonymous case does not apply or cannot be evaluated
     */
    private RelyingPartyConfiguration lookupAnonymousConfiguration(String issuer) {
        if (this.metadataProvider == null) {
            this.log.debug("No metadata provider supplied, will be unable to evaluate anonymous relying party case");
            return null;
        }
        try {
            if (this.metadataProvider.getEntityDescriptor(issuer) != null) {
                return null;
            }
            this.log.warn("No metadata for relying party {}, treating party as anonymous for security policy", issuer);
            return this.rpConfigManager.getAnonymousRelyingConfiguration();
        } catch (MetadataProviderException e) {
            this.log.error("Error fetching metadata for relying party '{}', unable to evaluate anonymous relying party case", issuer, e);
            return null;
        }
    }
}
