package com.appiancorp.security.auth.saml.functions;

import com.appian.logging.AppianLogger;
import com.appiancorp.common.config.ApplicationContextHolder;
import com.appiancorp.core.expr.AppianScriptContext;
import com.appiancorp.core.expr.EvalPath;
import com.appiancorp.core.expr.fn.PublicFunction;
import com.appiancorp.core.expr.portable.Type;
import com.appiancorp.core.expr.portable.Value;
import com.appiancorp.security.auth.saml.IdpEndpointResolver;
import com.appiancorp.security.auth.saml.MetadataResolverFactory;
import com.appiancorp.suiteapi.common.ServiceLocator;
import com.appiancorp.suiteapi.content.ContentConstants;
import com.appiancorp.suiteapi.content.ContentService;
import com.appiancorp.suiteapi.knowledge.Document;
import com.appiancorp.util.BundleUtils;
import com.google.common.base.Preconditions;
import com.google.common.collect.Lists;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.Optional;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.Criterion;
import org.apache.commons.lang3.ArrayUtils;
import org.opensaml.saml.metadata.criteria.entity.impl.EvaluableEntityRoleEntityDescriptorCriterion;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.saml2.metadata.KeyDescriptor;
import org.opensaml.saml.saml2.metadata.SingleSignOnService;
import org.opensaml.security.credential.UsageType;

/* loaded from: input_file:com/appiancorp/security/auth/saml/functions/SamlIdpMetadataValidatorFunction.class */
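public class SamlIdpMetadataValidatorFunction extends PublicFunction {
    private static final AppianLogger LOG = AppianLogger.getLogger(SamlIdpMetadataValidatorFunction.class);
    public static final String FN_NAME = "validateidpmetadata_appian_internal";

    /** Protocol namespace used to select the SAML 2.0 IdP SSO descriptor from an entity. */
    private static final String SAML20_PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol";

    /**
     * Localized error messages resolved once per evaluation.
     *
     * <p>Held in a per-call holder rather than instance fields: a {@code PublicFunction}
     * instance may be evaluated concurrently, and instance-level message fields would let
     * one caller observe another caller's locale.
     */
    private static final class Messages {
        final String fileNotAvailable;
        final String genericMetadataFile;
        final String noSupportedBinding;
        final String multipleEntityDescriptorsNotSupported;
        final String entityDescriptorNotFound;
        final String signingKeyDescriptorNotFound;
        final String saml2SsoDescriptorNotFound;

        private Messages(Locale locale) {
            this.fileNotAvailable = text(locale, "error.idp_metadata.fileNotAvailable");
            this.genericMetadataFile = text(locale, "error.idp_metadata.invalidFile");
            this.noSupportedBinding = text(locale, "error.idp_metadata.noSupportedSignOnServiceBinding");
            this.multipleEntityDescriptorsNotSupported = text(locale, "error.idp_metadata.multipleEntityDescriptorsNotSupported");
            this.entityDescriptorNotFound = text(locale, "error.idp_metadata.entityDescriptorNotFound");
            this.signingKeyDescriptorNotFound = text(locale, "error.idp_metadata.signingKeyDescriptorNotFound");
            this.saml2SsoDescriptorNotFound = text(locale, "error.idp_metadata.noSaml2SsoDescriptorFound");
        }

        /** Resolves every message for {@code locale} from this class's resource bundle. */
        static Messages forLocale(Locale locale) {
            return new Messages(locale);
        }

        private static String text(Locale locale, String key) {
            return BundleUtils.getText(SamlIdpMetadataValidatorFunction.class, locale, key, (Object[]) null);
        }
    }

    /**
     * Validates an uploaded SAML IdP metadata document and reports the first problem found.
     *
     * <p>Checks, in order: the document can be reactivated and downloaded; it resolves to
     * exactly one entity descriptor in the IdP role; that entity carries a SAML 2.0 IdP SSO
     * descriptor; at least one single-sign-on endpoint uses a binding in
     * {@link IdpEndpointResolver#ACCEPTABLE_BINDING_TYPES}; and at least one key descriptor
     * is usable for signature verification.
     *
     * @param evalPath evaluation path (not used by this function)
     * @param valueArr exactly one element: the content id of the IdP metadata document
     * @param appianScriptContext supplies the caller's locale and service context
     * @return a STRING value: a localized error message, or {@code ""} when the metadata is
     *     acceptable or the input is null
     * @throws NullPointerException if {@code valueArr} is null
     * @throws IllegalArgumentException if {@code valueArr} does not hold exactly one element
     */
    public Value eval(EvalPath evalPath, Value[] valueArr, AppianScriptContext appianScriptContext) {
        Preconditions.checkNotNull(valueArr, "Parameter value should not be null.");
        Preconditions.checkArgument(valueArr.length == 1, FN_NAME + " expects 1 parameter (idpMetadataContentId)");
        Messages messages = Messages.forLocale(appianScriptContext.getServiceContext().getLocale());
        Value value = valueArr[0];
        if (value == null || value.isNull()) {
            return Type.STRING.valueOf("");
        }
        // The content id arrives boxed; widen through Number so any integral wrapper is accepted.
        Long contentId = ((Number) value.getValue()).longValue();
        ContentService contentService = ServiceLocator.getContentService(appianScriptContext.getServiceContext());
        Optional<Document> document = getReactivatedDocument(contentService, contentId);
        String result = document.isPresent()
                ? getMetadataValidationMessage(document.get(), messages)
                : messages.fileNotAvailable;
        return Type.STRING.valueOf(result);
    }

    /**
     * Reactivates the content item and downloads its current version.
     *
     * <p>NOTE(review): on success the document is left reactivated; whether a later step
     * deactivates it again is not visible here — confirm against the caller.
     *
     * @return the first downloaded document, or empty if nothing was downloaded or any step
     *     failed (in which case the item is deactivated again)
     */
    private Optional<Document> getReactivatedDocument(ContentService contentService, Long contentId) {
        try {
            contentService.reactivate(contentId);
            Document[] downloaded = contentService.download(contentId, ContentConstants.VERSION_CURRENT, false);
            return ArrayUtils.isEmpty(downloaded) ? Optional.empty() : Optional.ofNullable(downloaded[0]);
        } catch (Exception e) {
            // Previously swallowed silently; log so a failed reactivate/download is diagnosable.
            LOG.error(e, "Could not reactivate or download IdP metadata document " + contentId);
            deactivateDocumentOnException(contentService, contentId);
            return Optional.empty();
        }
    }

    /** Best-effort rollback of {@code reactivate}; failures are logged, never propagated. */
    private void deactivateDocumentOnException(ContentService contentService, Long contentId) {
        try {
            contentService.deactivate(contentId, (Boolean) false);
        } catch (Exception e) {
            LOG.error(e, e.getMessage());
        }
    }

    /**
     * Parses the document into entity descriptors restricted to the IdP role and validates them.
     *
     * <p>The document is operator-uploaded XML, parsed by the resolver the
     * {@link MetadataResolverFactory} builds. Assumes that resolver's parser is configured
     * with DTD/external-entity processing disabled (XXE) — not visible here, confirm there.
     *
     * @return a localized error message, or {@code ""} when valid; any parse or resolution
     *     failure is logged and reported as the generic invalid-file message
     */
    private String getMetadataValidationMessage(Document document, Messages messages) {
        try {
            MetadataResolverFactory factory =
                    (MetadataResolverFactory) ApplicationContextHolder.getBean(MetadataResolverFactory.class);
            CriteriaSet idpRoleOnly = new CriteriaSet(new Criterion[] {
                    new EvaluableEntityRoleEntityDescriptorCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME)});
            List<EntityDescriptor> descriptors = Lists.newArrayList(factory.create(document).resolve(idpRoleOnly));
            return validateMetadata(descriptors, messages);
        } catch (Exception e) {
            LOG.error(e, "Could not validate IdP Metadata");
            return messages.genericMetadataFile;
        }
    }

    /** Exactly one IdP entity descriptor is required; zero and more-than-one are rejected. */
    private String validateMetadata(List<EntityDescriptor> descriptors, Messages messages) {
        if (descriptors.size() > 1) {
            return messages.multipleEntityDescriptorsNotSupported;
        }
        if (descriptors.isEmpty()) {
            return messages.entityDescriptorNotFound;
        }
        return validateEntity(descriptors.get(0), messages);
    }

    /**
     * Requires a SAML 2.0 IdP SSO descriptor with at least one SSO endpoint whose binding this
     * service can use; only then are the key descriptors examined.
     */
    private String validateEntity(EntityDescriptor entityDescriptor, Messages messages) {
        IDPSSODescriptor ssoDescriptor = entityDescriptor.getIDPSSODescriptor(SAML20_PROTOCOL_NS);
        if (ssoDescriptor == null) {
            return messages.saml2SsoDescriptorNotFound;
        }
        for (SingleSignOnService ssoService : ssoDescriptor.getSingleSignOnServices()) {
            if (IdpEndpointResolver.ACCEPTABLE_BINDING_TYPES.contains(ssoService.getBinding())) {
                return validateKeyDescriptor(ssoDescriptor, messages);
            }
        }
        return messages.noSupportedBinding;
    }

    /**
     * Requires a key descriptor usable for verifying IdP signatures.
     *
     * <p>A {@code use="signing"} descriptor qualifies, as does one with no {@code use}
     * attribute ({@code UNSPECIFIED}), which SAML metadata treats as valid for any purpose.
     * An {@code encryption}-only key does not. Only presence is checked here; key validity is
     * left to the signature-verification path.
     */
    private String validateKeyDescriptor(IDPSSODescriptor ssoDescriptor, Messages messages) {
        for (KeyDescriptor keyDescriptor : ssoDescriptor.getKeyDescriptors()) {
            UsageType use = keyDescriptor.getUse();
            if (UsageType.UNSPECIFIED.equals(use) || UsageType.SIGNING.equals(use)) {
                return "";
            }
        }
        return messages.signingKeyDescriptorNotFound;
    }
}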
