package org.springframework.boot.autoconfigure.security.saml2;

import cn.hutool.crypto.KeyUtil;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.util.Map;
import java.util.Objects;
import java.util.function.Consumer;
import java.util.function.Supplier;
import java.util.stream.Stream;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyProperties;
import org.springframework.boot.context.properties.PropertyMapper;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Conditional;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.Resource;
import org.springframework.security.converter.RsaKeyConverters;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

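/**
 * Auto-configuration that builds an in-memory {@link RelyingPartyRegistrationRepository}
 * from the {@code spring.security.saml2.relyingparty.registration.*} properties.
 *
 * <p>Only active when at least one registration is configured
 * ({@link RegistrationConfiguredCondition}) and the application has not supplied
 * its own repository bean.
 *
 * <p>Notes on this listing: it was recovered from a compiled class, and the
 * decompiler left behind non-compiling fragments ({@code Stream<R>}, {@code r1.add(v1)}),
 * an empty {@code finally} that leaked the key/certificate streams on failure, and a
 * reference to {@code cn.hutool.crypto.KeyUtil.CERT_TYPE_X509} standing in for the JCA
 * literal {@code "X.509"}. The {@code cn.hutool} import at the top of the file is now
 * unreferenced and should be dropped so a third-party library does not leak into this
 * auto-configuration.
 */
@ConditionalOnMissingBean({RelyingPartyRegistrationRepository.class})
@Configuration(proxyBeanMethods = false)
@Conditional({RegistrationConfiguredCondition.class})
/* loaded from: input_file:BOOT-INF/lib/spring-boot-autoconfigure-3.3.4.jar:org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyRegistrationConfiguration.class */
class Saml2RelyingPartyRegistrationConfiguration {

    /**
     * Creates one {@link RelyingPartyRegistration} per configured registration id and
     * exposes them through an {@link InMemoryRelyingPartyRegistrationRepository}.
     *
     * @param saml2RelyingPartyProperties the bound {@code spring.security.saml2.relyingparty} properties
     * @return the repository holding every configured registration
     */
    @Bean
    RelyingPartyRegistrationRepository relyingPartyRegistrationRepository(Saml2RelyingPartyProperties saml2RelyingPartyProperties) {
        return new InMemoryRelyingPartyRegistrationRepository(saml2RelyingPartyProperties.getRegistration()
                .entrySet()
                .stream()
                .map(this::asRegistration)
                .toList());
    }

    /** Adapts a {@code registrationId -> Registration} map entry to a registration. */
    private RelyingPartyRegistration asRegistration(Map.Entry<String, Saml2RelyingPartyProperties.Registration> entry) {
        return asRegistration(entry.getKey(), entry.getValue());
    }

    /**
     * Builds a single registration from its properties.
     *
     * <p>When {@code assertingparty.metadata-uri} is set, the builder is seeded from the
     * asserting party's metadata; otherwise it starts empty and every asserting-party
     * value comes from {@link #mapAssertingParty(Saml2RelyingPartyProperties.AssertingParty)}.
     * Explicit properties are applied after the metadata seed, so they override it.
     *
     * @param registrationId the key under {@code registration.*}
     * @param registration the properties bound for that key
     * @return the built registration
     * @throws IllegalStateException if the asserting party requires signed
     * authentication requests but no signing credential is configured, or a credential
     * location does not exist
     * @throws IllegalArgumentException if a key or certificate cannot be parsed
     */
    private RelyingPartyRegistration asRegistration(String registrationId, Saml2RelyingPartyProperties.Registration registration) {
        Saml2RelyingPartyProperties.AssertingParty assertingParty = registration.getAssertingparty();
        boolean usingMetadata = StringUtils.hasText(assertingParty.getMetadataUri());
        RelyingPartyRegistration.Builder builder = usingMetadata
                ? createBuilderUsingMetadata(assertingParty).registrationId(registrationId)
                : RelyingPartyRegistration.withRegistrationId(registrationId);
        builder.assertionConsumerServiceLocation(registration.getAcs().getLocation());
        builder.assertionConsumerServiceBinding(registration.getAcs().getBinding());
        builder.assertingPartyDetails(mapAssertingParty(assertingParty));
        // Private key + certificate pairs the relying party uses to sign AuthnRequests.
        builder.signingX509Credentials(credentials -> registration.getSigning()
                .getCredentials()
                .stream()
                .map(this::asSigningCredential)
                .forEach(credentials::add));
        // Private key + certificate pairs used to decrypt encrypted assertions.
        builder.decryptionX509Credentials(credentials -> registration.getDecryption()
                .getCredentials()
                .stream()
                .map(this::asDecryptionCredential)
                .forEach(credentials::add));
        // Certificates (no private key) used to verify the asserting party's signatures.
        builder.assertingPartyDetails(details -> details.verificationX509Credentials(
                credentials -> assertingParty.getVerification()
                        .getCredentials()
                        .stream()
                        .map(this::asVerificationCredential)
                        .forEach(credentials::add)));
        builder.singleLogoutServiceLocation(registration.getSinglelogout().getUrl());
        builder.singleLogoutServiceResponseLocation(registration.getSinglelogout().getResponseUrl());
        builder.singleLogoutServiceBinding(registration.getSinglelogout().getBinding());
        builder.entityId(registration.getEntityId());
        builder.nameIdFormat(registration.getNameIdFormat());
        RelyingPartyRegistration built = builder.build();
        // Validate against the *built* registration: the signing requirement may come
        // from metadata rather than from the explicit sign-request property.
        validateSigningCredentials(registration, built.getAssertingPartyDetails().getWantAuthnRequestsSigned());
        return built;
    }

    /**
     * Seeds a builder from the asserting party's metadata document.
     *
     * <p>The document may describe several entities. If {@code entity-id} is configured,
     * the matching descriptor is selected; if it is {@code null}, the first descriptor
     * in the document is taken. Configure {@code entity-id} whenever the metadata can
     * contain more than one entity so the choice does not depend on document order.
     *
     * @param assertingParty the asserting-party properties; {@code metadata-uri} must be set
     * @return the builder for the selected entity
     * @throws IllegalStateException if no descriptor matches the configured entity id
     */
    private RelyingPartyRegistration.Builder createBuilderUsingMetadata(Saml2RelyingPartyProperties.AssertingParty assertingParty) {
        String requiredEntityId = assertingParty.getEntityId();
        for (RelyingPartyRegistration.Builder candidate : RelyingPartyRegistrations.collectionFromMetadataLocation(assertingParty.getMetadataUri())) {
            if (requiredEntityId == null || requiredEntityId.equals(getEntityId(candidate))) {
                return candidate;
            }
        }
        throw new IllegalStateException("No relying party with Entity ID '" + requiredEntityId + "' found");
    }

    /**
     * Reads the asserting-party entity id currently held by a builder.
     *
     * <p>The builder exposes its asserting-party state only through a configurer
     * callback, so the value is captured out of the callback via a one-element array.
     *
     * @param candidate the builder to inspect
     * @return the entity id, or {@code null} if none is set
     */
    private String getEntityId(RelyingPartyRegistration.Builder candidate) {
        String[] result = new String[1];
        candidate.assertingPartyDetails(details -> result[0] = details.build().getEntityId());
        return result[0];
    }

    /**
     * Returns a configurer that copies the non-null asserting-party properties onto the
     * asserting-party details builder. Null properties are skipped so values seeded
     * from metadata are not overwritten with nothing.
     *
     * @param assertingParty the asserting-party properties
     * @return a configurer to pass to {@code Builder#assertingPartyDetails}
     */
    private Consumer<RelyingPartyRegistration.AssertingPartyDetails.Builder> mapAssertingParty(Saml2RelyingPartyProperties.AssertingParty assertingParty) {
        return details -> {
            PropertyMapper map = PropertyMapper.get().alwaysApplyingWhenNonNull();
            Saml2RelyingPartyProperties.AssertingParty.Singlesignon singleSignOn = assertingParty.getSinglesignon();
            Saml2RelyingPartyProperties.Singlelogout singleLogout = assertingParty.getSinglelogout();
            map.from(assertingParty::getEntityId).to(details::entityId);
            map.from(singleSignOn::getBinding).to(details::singleSignOnServiceBinding);
            map.from(singleSignOn::getUrl).to(details::singleSignOnServiceLocation);
            map.from(singleSignOn::getSignRequest).to(details::wantAuthnRequestsSigned);
            map.from(singleLogout::getUrl).to(details::singleLogoutServiceLocation);
            map.from(singleLogout::getResponseUrl).to(details::singleLogoutServiceResponseLocation);
            map.from(singleLogout::getBinding).to(details::singleLogoutServiceBinding);
        };
    }

    /**
     * Fails fast when the asserting party requires signed authentication requests but
     * no signing credential is configured; otherwise the first login attempt would be
     * rejected by the identity provider instead of at startup.
     *
     * @param registration the registration properties
     * @param signRequest whether the asserting party wants {@code AuthnRequest}s signed
     * @throws IllegalStateException if signing is required and no credential is present
     */
    private void validateSigningCredentials(Saml2RelyingPartyProperties.Registration registration, boolean signRequest) {
        if (signRequest) {
            Assert.state(!registration.getSigning().getCredentials().isEmpty(), "Signing credentials must not be empty when authentication requests require signing.");
        }
    }

    /** Loads a private key + certificate pair tagged for signing. */
    private Saml2X509Credential asSigningCredential(Saml2RelyingPartyProperties.Registration.Signing.Credential credential) {
        RSAPrivateKey privateKey = readPrivateKey(credential.getPrivateKeyLocation());
        X509Certificate certificate = readCertificate(credential.getCertificateLocation());
        return new Saml2X509Credential(privateKey, certificate, Saml2X509Credential.Saml2X509CredentialType.SIGNING);
    }

    /** Loads a private key + certificate pair tagged for decryption. */
    private Saml2X509Credential asDecryptionCredential(Saml2RelyingPartyProperties.Decryption.Credential credential) {
        RSAPrivateKey privateKey = readPrivateKey(credential.getPrivateKeyLocation());
        X509Certificate certificate = readCertificate(credential.getCertificateLocation());
        return new Saml2X509Credential(privateKey, certificate, Saml2X509Credential.Saml2X509CredentialType.DECRYPTION);
    }

    /**
     * Loads an asserting-party certificate tagged for both verification and encryption
     * (the same IdP certificate is used to verify its signatures and to encrypt to it).
     */
    private Saml2X509Credential asVerificationCredential(Saml2RelyingPartyProperties.AssertingParty.Verification.Credential credential) {
        X509Certificate certificate = readCertificate(credential.getCertificateLocation());
        return new Saml2X509Credential(certificate,
                Saml2X509Credential.Saml2X509CredentialType.ENCRYPTION,
                Saml2X509Credential.Saml2X509CredentialType.VERIFICATION);
    }

    /**
     * Reads a PKCS#8 PEM-encoded RSA private key from a resource.
     *
     * @param resource the configured key location
     * @return the parsed private key
     * @throws IllegalStateException if no location is configured or it does not exist
     * @throws IllegalArgumentException wrapping any read or parse failure (the cause is
     * kept; no key material is included in the message)
     */
    private RSAPrivateKey readPrivateKey(Resource resource) {
        Assert.state(resource != null, "No private key location specified");
        Assert.state(resource.exists(), () -> "Private key location '" + resource + "' does not exist");
        // try-with-resources: the stream is closed even when conversion throws.
        try (InputStream inputStream = resource.getInputStream()) {
            return RsaKeyConverters.pkcs8().convert(inputStream);
        } catch (Exception e) {
            throw new IllegalArgumentException(e);
        }
    }

    /**
     * Reads an X.509 certificate from a resource.
     *
     * @param resource the configured certificate location
     * @return the parsed certificate
     * @throws IllegalStateException if no location is configured or it does not exist
     * @throws IllegalArgumentException wrapping any read or parse failure
     */
    private X509Certificate readCertificate(Resource resource) {
        Assert.state(resource != null, "No certificate location specified");
        Assert.state(resource.exists(), () -> "Certificate  location '" + resource + "' does not exist");
        // "X.509" is the standard JCA CertificateFactory type name; the decompiled
        // listing had substituted a third-party (hutool) constant for this literal.
        try (InputStream inputStream = resource.getInputStream()) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(inputStream);
        } catch (Exception e) {
            throw new IllegalArgumentException(e);
        }
    }
}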
