package org.nuxeo.ecm.platform.auth.saml.web;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedList;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.namespace.QName;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.nuxeo.ecm.platform.auth.saml.key.KeyManager;
import org.nuxeo.ecm.platform.web.common.vh.VirtualHostHelper;
import org.nuxeo.runtime.api.Framework;
import org.opensaml.common.SAMLObject;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.KeyDescriptor;
import org.opensaml.saml2.metadata.NameIDFormat;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.SingleLogoutService;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.opensaml.xml.io.Marshaller;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.SecurityConfiguration;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.util.XMLHelper;

/* loaded from: input_file:org/nuxeo/ecm/platform/auth/saml/web/MetadataServlet.class */
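/**
 * Serves the SAML 2.0 service-provider (SP) metadata document describing this Nuxeo
 * instance to an identity provider.
 *
 * <p>The document advertises the entity id, the supported NameID formats, the public key
 * material obtained from the {@link KeyManager} (signing, encryption and TLS credentials,
 * each only when configured), and one HTTP-POST {@code AssertionConsumerService} and
 * {@code SingleLogoutService}, both pointing at the login page of the requested virtual host.
 *
 * <p>Thread-safety: servlets are shared singletons. The per-request base URL is therefore
 * passed as a local value from {@link #doGet} into {@link #buildEntityDescriptor(String)}
 * rather than read back from an instance field, so concurrent requests for different
 * virtual hosts cannot be served each other's endpoints.
 *
 * <p>NOTE(review): {@code signMetadata} defaults to {@code true} but is never consulted
 * in this class; the descriptor is written to the response unsigned. An IdP that requires
 * signed SP metadata will need this to be addressed elsewhere, or the flag removed.
 */
public class MetadataServlet extends HttpServlet {

    /** NameID formats advertised to the IdP, in the order they are emitted. Read-only. */
    public static final Collection<String> nameID = Collections.unmodifiableList(Arrays.asList(
            "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
            "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
            "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
            "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
            "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"));

    protected static final Log log = LogFactory.getLog(MetadataServlet.class);

    /** Path appended to the virtual-host base URL to form the ACS / SLO location. */
    private static final String LOGIN_PAGE = "/nxstartup.faces";

    private static final String SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol";

    private static final String HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";

    /** Set in {@link #init()}; presumably requires the OpenSAML bootstrap to have run first. */
    protected XMLObjectBuilderFactory builderFactory;

    /** Lazily resolved; see {@link #getKeyManager()}. */
    private KeyManager keyManager;

    /**
     * Last computed base URL. Retained only so that the no-argument
     * {@link #buildEntityDescriptor()} keeps working; {@link #doGet} does not read it back,
     * because the value is per request while this object is shared between requests.
     */
    private String entityBaseURL;

    private String entityId = "nuxeo";

    // NOTE(review): not consulted anywhere in this class — see class Javadoc.
    private boolean signMetadata = true;

    private boolean requestSigned = true;

    private boolean wantAssertionSigned = true;

    /**
     * Caches the OpenSAML builder factory used by {@link #build(QName)}.
     *
     * @throws ServletException never thrown here; declared for subclasses
     */
    @Override
    public void init() throws ServletException {
        this.builderFactory = Configuration.getBuilderFactory();
    }

    /**
     * Returns the platform {@link KeyManager}, resolving it on first use.
     *
     * <p>The lazy initialisation is unsynchronised; a concurrent first call may resolve the
     * service twice, which is harmless as long as the service lookup is idempotent.
     */
    private KeyManager getKeyManager() {
        if (this.keyManager == null) {
            this.keyManager = (KeyManager) Framework.getLocalService(KeyManager.class);
        }
        return this.keyManager;
    }

    /**
     * Writes the SP metadata for the virtual host of the incoming request.
     *
     * <p>If no marshaller is registered for the descriptor, or marshalling fails, the error
     * is logged with its cause and a 500 is sent instead of an empty or partial document.
     *
     * @param httpServletRequest used only to derive the virtual-host base URL
     * @param httpServletResponse receives the XML document (or an error status)
     * @throws IOException if writing the response fails
     */
    @Override
    public void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse)
            throws IOException {
        String baseURL = VirtualHostHelper.getBaseURL(httpServletRequest) + LOGIN_PAGE;
        // Kept for the no-arg buildEntityDescriptor(); the local value is what is used below.
        this.entityBaseURL = baseURL;

        EntityDescriptor descriptor = buildEntityDescriptor(baseURL);
        Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(descriptor);
        if (marshaller == null) {
            // Previously fell through to a NullPointerException on marshaller.marshall().
            log.error("Unable to marshall message, no marshaller registered for message object: "
                    + descriptor.getElementQName());
            httpServletResponse.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        try {
            // Must precede getWriter() so the declared charset is honoured.
            httpServletResponse.setContentType("application/xml;charset=UTF-8");
            XMLHelper.writeNode(marshaller.marshall(descriptor), httpServletResponse.getWriter());
        } catch (MarshallingException e) {
            log.error("Unable to write metadata.", e);
            if (!httpServletResponse.isCommitted()) {
                httpServletResponse.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            }
        }
    }

    /**
     * Builds the entity descriptor using the base URL recorded by the last {@link #doGet}.
     *
     * <p>Retained for backward compatibility; prefer {@link #buildEntityDescriptor(String)},
     * which does not depend on shared per-request state.
     */
    protected EntityDescriptor buildEntityDescriptor() {
        return buildEntityDescriptor(this.entityBaseURL);
    }

    /**
     * Builds the {@code EntityDescriptor} for this SP.
     *
     * @param baseURL absolute location used for both the ACS and SLO endpoints
     * @return a descriptor with a single {@code SPSSODescriptor} role
     */
    protected EntityDescriptor buildEntityDescriptor(String baseURL) {
        EntityDescriptor entity = build(EntityDescriptor.DEFAULT_ELEMENT_NAME);
        entity.setEntityID(this.entityId);

        SPSSODescriptor sp = build(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
        sp.setAuthnRequestsSigned(Boolean.valueOf(this.requestSigned));
        sp.setWantAssertionsSigned(Boolean.valueOf(this.wantAssertionSigned));
        sp.addSupportedProtocol(SAML2_PROTOCOL);
        sp.getNameIDFormats().addAll(buildNameIDFormats(nameID));

        // Each credential is optional; a descriptor is only emitted when both the
        // credential and its KeyInfo are available (a KeyDescriptor without KeyInfo is
        // not useful to an IdP).
        KeyManager km = getKeyManager();
        addKeyDescriptor(sp, UsageType.SIGNING, km.getSigningCredential());
        addKeyDescriptor(sp, UsageType.ENCRYPTION, km.getEncryptionCredential());
        addKeyDescriptor(sp, UsageType.UNSPECIFIED, km.getTlsCredential());

        AssertionConsumerService acs = build(AssertionConsumerService.DEFAULT_ELEMENT_NAME);
        acs.setLocation(baseURL);
        acs.setBinding(HTTP_POST_BINDING);
        acs.setIsDefault(true);
        acs.setIndex(0);
        sp.getAssertionConsumerServices().add(acs);

        SingleLogoutService slo = build(SingleLogoutService.DEFAULT_ELEMENT_NAME);
        slo.setLocation(baseURL);
        slo.setBinding(HTTP_POST_BINDING);
        sp.getSingleLogoutServices().add(slo);

        entity.getRoleDescriptors().add(sp);
        return entity;
    }

    /** Adds a key descriptor for {@code credential} to {@code sp}, skipping absent or unusable credentials. */
    private void addKeyDescriptor(SPSSODescriptor sp, UsageType usageType, Credential credential) {
        if (credential == null) {
            return;
        }
        KeyInfo keyInfo = generateKeyInfoForCredential(credential);
        if (keyInfo == null) {
            log.warn("Skipping " + usageType + " key descriptor: KeyInfo could not be generated.");
            return;
        }
        sp.getKeyDescriptors().add(buildKeyDescriptor(usageType, keyInfo));
    }

    /**
     * Wraps {@code keyInfo} in a {@code KeyDescriptor} tagged with the given usage.
     *
     * @param usageType signing, encryption or unspecified
     * @param keyInfo key material to publish
     */
    protected KeyDescriptor buildKeyDescriptor(UsageType usageType, KeyInfo keyInfo) {
        KeyDescriptor descriptor = build(KeyDescriptor.DEFAULT_ELEMENT_NAME);
        descriptor.setUse(usageType);
        descriptor.setKeyInfo(keyInfo);
        return descriptor;
    }

    /**
     * Converts format URIs into {@code NameIDFormat} elements, preserving order.
     *
     * @param collection format URIs; may be empty
     * @return a new, modifiable list with one element per input URI
     */
    protected Collection<NameIDFormat> buildNameIDFormats(Collection<String> collection) {
        List<NameIDFormat> formats = new ArrayList<NameIDFormat>(collection.size());
        for (String uri : collection) {
            NameIDFormat format = build(NameIDFormat.DEFAULT_ELEMENT_NAME);
            format.setFormat(uri);
            formats.add(format);
        }
        return formats;
    }

    /**
     * Generates the {@code KeyInfo} for a credential using OpenSAML's default generator.
     *
     * @return the generated {@code KeyInfo}, or {@code null} if generation failed (logged
     *         with its cause)
     */
    protected KeyInfo generateKeyInfoForCredential(Credential credential) {
        try {
            return SecurityHelper.getKeyInfoGenerator(credential, (SecurityConfiguration) null, (String) null)
                    .generate(credential);
        } catch (SecurityException e) {
            log.error("Failed to  generate key info.", e);
            return null;
        }
    }

    /**
     * Instantiates the OpenSAML object registered for {@code qName}.
     *
     * <p>The result is an unchecked conversion to {@code T}; callers are responsible for
     * passing the {@code DEFAULT_ELEMENT_NAME} of the type they assign to.
     */
    protected <T extends SAMLObject> T build(QName qName) {
        return this.builderFactory.getBuilder(qName).buildObject(qName);
    }
}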
