package at.gv.egovernment.moa.id.config.webgui.validation.task.impl;

import at.gv.egiz.components.configuration.api.Configuration;
import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory;
import at.gv.egovernment.moa.id.commons.validation.ValidationHelper;
import at.gv.egovernment.moa.id.config.webgui.MOAIDWebGUIConfiguration;
import at.gv.egovernment.moa.id.config.webgui.exception.ConfigurationException;
import at.gv.egovernment.moa.id.config.webgui.exception.ConfigurationTaskValidationException;
import at.gv.egovernment.moa.id.config.webgui.exception.SchemaValidationException;
import at.gv.egovernment.moa.id.config.webgui.exception.SignatureValidationException;
import at.gv.egovernment.moa.id.config.webgui.exception.ValidationObjectIdentifier;
import at.gv.egovernment.moa.id.config.webgui.helper.LanguageHelper;
import at.gv.egovernment.moa.id.config.webgui.validation.task.AbstractTaskValidator;
import at.gv.egovernment.moa.id.config.webgui.validation.task.IDynamicLoadableTaskValidator;
import at.gv.egovernment.moa.id.config.webgui.validation.utils.MetaDataVerificationFilter;
import at.gv.egovernment.moa.id.config.webgui.validation.utils.SchemaValidationFilter;
import at.gv.egovernment.moa.util.Base64Utils;
import at.gv.egovernment.moa.util.MiscUtil;
import iaik.x509.X509Certificate;
import java.io.IOException;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Timer;
import java.util.regex.Pattern;
import javax.net.ssl.SSLHandshakeException;
import org.apache.commons.httpclient.MOAHttpClient;
import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataFilter;
import org.opensaml.saml2.metadata.provider.MetadataFilterChain;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesProtocolPVP2XTask.class */
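/**
 * Validates the PVP 2.x section of a service configuration.
 * <p>
 * The task decodes the metadata signing certificate uploaded through the GUI, downloads the
 * SAML metadata from the configured URL and checks that the document verifies against that
 * certificate (plus, when enabled, against the schema). All findings are collected as
 * {@link ValidationObjectIdentifier}s and reported together in one
 * {@link ConfigurationTaskValidationException}.
 */
public class ServicesProtocolPVP2XTask extends AbstractTaskValidator implements IDynamicLoadableTaskValidator {
    private static final Logger log = LoggerFactory.getLogger(ServicesProtocolPVP2XTask.class);

    /** Key holding the GUI upload of the metadata signing certificate. */
    private static final String KEY_CERTIFICATE_DATA = "protocols.pvp2x.certificate.data";
    /** Key receiving the subject DN of the uploaded certificate, for display in the GUI. */
    private static final String KEY_CERTIFICATE_PREVIEW = "protocols.pvp2x.certificate.preview";
    /** Key holding the URL the SAML metadata is downloaded from. */
    private static final String KEY_METADATA_URL = "protocols.pvp2x.URL";

    /** Literal the GUI appears to send for an empty certificate field (treated as "no upload"). */
    private static final String EMPTY_UPLOAD_MARKER = "null";

    /** Refresh delays handed to the metadata provider (15 min / 24 h). The provider is destroyed
     *  right after the check, so these never actually elapse. setMinRefreshDelay takes an int,
     *  setMaxRefreshDelay a long — keep the types. */
    private static final int MIN_REFRESH_DELAY_MS = 900000;
    private static final long MAX_REFRESH_DELAY_MS = 86400000L;

    /** No key of this task is whitelisted; {@link #getAllAllowedPatterns()} is fed this empty list. */
    private static final List<String> KEY_WHITELIST = Collections.unmodifiableList(new ArrayList<String>());

    /** @return the empty prefix — this task's keys are absolute. */
    @Override
    public String getKeyPrefix() {
        return "";
    }

    /** @return the display name of this validation task. */
    @Override
    public String getName() {
        return "Service - General Configuration Task";
    }

    /**
     * Extracts the Base64 payload of the uploaded certificate and derives its subject DN preview.
     * <p>
     * The GUI delivers the upload as {@code "<header>,<base64>"}; only the part after the first
     * comma is stored under {@link #KEY_CERTIFICATE_DATA}. A payload that cannot be parsed is
     * logged here and surfaces to the user through {@link #taskValidate(Map)} once a metadata
     * URL is configured.
     *
     * @param map            the submitted configuration values
     * @param list           unused by this task (kept for the interface)
     * @param configuration  unused by this task (kept for the interface)
     * @return the keys to add or overwrite, or {@code null} when there is nothing to post-process
     *         (callers rely on the {@code null} contract)
     */
    @Override
    public Map<String, String> postProcessing(Map<String, String> map, List<String> list, Configuration configuration) {
        Map<String, String> result = new HashMap<String, String>();
        String upload = map.get(KEY_CERTIFICATE_DATA);
        if (MiscUtil.isNotEmpty(upload)) {
            String[] parts = upload.split(",");
            if (parts.length > 1) {
                String payload = parts[1];
                result.put(KEY_CERTIFICATE_DATA, payload);
                log.debug("Extract PVP2X metadata validation certificate from GUI upload and add it to key: {}", KEY_CERTIFICATE_DATA);
                try {
                    if (MiscUtil.isNotEmpty(payload)) {
                        X509Certificate cert = new X509Certificate(Base64Utils.decode(payload, true));
                        result.put(KEY_CERTIFICATE_PREVIEW, cert.getSubjectDN().getName());
                    }
                } catch (IOException | CertificateException e) {
                    // Only the preview is lost here; the validation step reports the broken certificate.
                    log.error("PVP2X metadata signing certificate is not parseable.", e);
                }
            }
        }
        return result.isEmpty() ? null : result;
    }

    /**
     * Checks the metadata URL and the uploaded signing certificate by actually fetching and
     * verifying the metadata.
     * <p>
     * Nothing is checked while the URL is empty. Otherwise the URL must pass
     * {@link ValidationHelper#validateURL(String)}, a certificate must be present, and a
     * temporary {@link HTTPMetadataProvider} is initialised whose filter chain verifies the
     * metadata signature against that certificate. The URL is fetched server-side by this
     * process. For {@code https:} URLs the MOA trust store with PKIX/CRL checking is used;
     * when that store cannot be set up the JVM default trust store is used instead (logged
     * only). The provider and its daemon timer are released on every exit path.
     *
     * @param map the submitted configuration values
     * @throws ConfigurationTaskValidationException listing every finding, when there is at least one
     */
    @Override
    protected void taskValidate(Map<String, String> map) throws ConfigurationTaskValidationException {
        List<ValidationObjectIdentifier> errors = new ArrayList<ValidationObjectIdentifier>();
        Timer timer = null;
        HTTPMetadataProvider provider = null;
        try {
            byte[] certBytes = decodeUploadedCertificate(map.get(KEY_CERTIFICATE_DATA));
            String metadataUrl = map.get(KEY_METADATA_URL);
            if (MiscUtil.isNotEmpty(metadataUrl)) {
                if (!ValidationHelper.validateURL(metadataUrl)) {
                    log.info("MetaDataURL has no valid form.");
                    errors.add(new ValidationObjectIdentifier(KEY_METADATA_URL, "PVP2x - Metadata URL",
                            LanguageHelper.getErrorString("validation.pvp2.metadataurl.valid")));
                } else if (certBytes == null) {
                    log.info("No certificate for metadata validation");
                    errors.add(new ValidationObjectIdentifier(KEY_CERTIFICATE_DATA, "PVP2x - Metadata Certificate",
                            LanguageHelper.getErrorString("validation.pvp2.certificate.notfound")));
                } else {
                    BasicX509Credential signingCredential = new BasicX509Credential();
                    signingCredential.setEntityCertificate(new X509Certificate(certBytes));
                    // Daemon timer: the provider schedules its refresh task on it; cancelled in finally.
                    timer = new Timer(true);
                    provider = new HTTPMetadataProvider(timer, newHttpClient(metadataUrl), metadataUrl);
                    provider.setParserPool(new BasicParserPool());
                    provider.setRequireValidMetadata(true);
                    provider.setMetadataFilter(newFilterChain(signingCredential));
                    provider.setMinRefreshDelay(MIN_REFRESH_DELAY_MS);
                    provider.setMaxRefreshDelay(MAX_REFRESH_DELAY_MS);
                    // Fetches and filters the metadata; failures arrive as MetadataProviderException,
                    // whose nested cause is inspected in the catch block below.
                    provider.initialize();
                    if (provider.getMetadata() == null) {
                        log.info("Metadata could be received but validation FAILED.");
                        errors.add(new ValidationObjectIdentifier(KEY_METADATA_URL, "PVP2x - Metadata",
                                LanguageHelper.getErrorString("validation.pvp2.metadata.validation")));
                    }
                }
            }
        } catch (CertificateException e) {
            log.info("Uploaded Certificate can not be found", e);
            errors.add(new ValidationObjectIdentifier(KEY_METADATA_URL, "PVP2x - Metadata",
                    LanguageHelper.getErrorString("validation.pvp2.certificate.notfound")));
        } catch (MetadataProviderException e) {
            errors.add(describeProviderFailure(e));
        } catch (IOException e) {
            log.info("Metadata can not be loaded from URL", e);
            errors.add(new ValidationObjectIdentifier(KEY_METADATA_URL, "PVP2x - Metadata",
                    LanguageHelper.getErrorString("validation.pvp2.metadataurl.read")));
        } finally {
            // Release on every path, not only on success; otherwise a failed fetch leaks the
            // provider and its timer thread for each validation attempt.
            if (provider != null) {
                provider.destroy();
            }
            if (timer != null) {
                timer.cancel();
            }
        }
        if (!errors.isEmpty()) {
            throw new ConfigurationTaskValidationException(errors);
        }
    }

    /**
     * Decodes the certificate upload as delivered by the GUI.
     *
     * @param certData raw form value: {@code "<header>,<base64>"}, a bare Base64 string, the
     *                 literal {@value #EMPTY_UPLOAD_MARKER}, or empty
     * @return the decoded certificate bytes, or {@code null} when nothing was uploaded
     * @throws IOException if the Base64 payload cannot be decoded
     */
    private static byte[] decodeUploadedCertificate(String certData) throws IOException {
        if (!MiscUtil.isNotEmpty(certData) || EMPTY_UPLOAD_MARKER.equals(certData)) {
            return null;
        }
        String[] parts = certData.split(",");
        String payload = parts.length > 1 ? parts[1] : certData;
        return Base64Utils.decode(payload, true);
    }

    /**
     * Builds the HTTP client used to download the metadata.
     * <p>
     * For {@code https:} URLs a socket factory backed by the MOA cert/trust store directories
     * with PKIX validation and CRL revocation checking is installed. If that configuration is
     * missing or the factory cannot be initialised, the client keeps the JVM default trust
     * store — this weakens the trust policy and is therefore logged.
     *
     * @param metadataUrl the metadata URL (decides whether the custom trust store is installed)
     * @return the configured client
     */
    private static MOAHttpClient newHttpClient(String metadataUrl) {
        MOAHttpClient httpClient = new MOAHttpClient();
        if (metadataUrl.startsWith("https:")) {
            try {
                httpClient.setCustomSSLTrustStore(metadataUrl, new MOAHttpProtocolSocketFactory(
                        "MOAMetaDataProvider", true,
                        MOAIDWebGUIConfiguration.getInstance().getCertStoreDirectory(),
                        MOAIDWebGUIConfiguration.getInstance().getTrustStoreDirectory(),
                        (String) null, "pkix", true, new String[]{"crl"}, false));
            } catch (ConfigurationException e) {
                log.info("No MOA specific SSL-TrustStore configured. Use default Java TrustStore.");
            } catch (MOAHttpProtocolSocketFactoryException e) {
                log.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.", e);
            }
        }
        return httpClient;
    }

    /**
     * Builds the filter chain applied to the downloaded metadata: signature verification against
     * the uploaded certificate, followed by schema validation (active per configuration).
     * When the configuration cannot be read, the schema filter is left out and only the
     * signature check runs.
     *
     * @param signingCredential credential wrapping the uploaded metadata signing certificate
     * @return the chain to install on the provider
     */
    private static MetadataFilterChain newFilterChain(BasicX509Credential signingCredential) {
        List<MetadataFilter> filters = new ArrayList<MetadataFilter>();
        filters.add(new MetaDataVerificationFilter(signingCredential));
        try {
            filters.add(new SchemaValidationFilter(MOAIDWebGUIConfiguration.getInstance().isPVPMetadataSchemaValidationActive()));
        } catch (ConfigurationException e) {
            log.warn("Configuration access FAILED!", e);
        }
        MetadataFilterChain chain = new MetadataFilterChain();
        chain.setFilters(filters);
        return chain;
    }

    /**
     * Maps a metadata-provider failure to the user-facing finding, keyed on the exception two
     * levels down the cause chain (TLS handshake, signature, schema, or anything else).
     *
     * @param e the failure raised while initialising or reading the provider
     * @return the finding to report for {@link #KEY_METADATA_URL}
     */
    private static ValidationObjectIdentifier describeProviderFailure(MetadataProviderException e) {
        Throwable cause = e.getCause();
        Throwable rootCause = cause == null ? null : cause.getCause();
        try {
            String messageKey;
            if (rootCause instanceof SSLHandshakeException) {
                log.info("SSL Server certificate not trusted.", e);
                messageKey = "validation.pvp2.metadata.ssl";
            } else if (rootCause instanceof SignatureValidationException) {
                log.info("MetaDate verification failed", e);
                messageKey = "validation.pvp2.metadata.verify.sig";
            } else if (rootCause instanceof SchemaValidationException) {
                log.info("MetaDate verification failed", e);
                messageKey = "validation.pvp2.metadata.verify.schema";
            } else {
                log.info("MetaDate verification failed", e);
                messageKey = "validation.pvp2.metadata.verify.general";
            }
            return new ValidationObjectIdentifier(KEY_METADATA_URL, "PVP2x - Metadata", LanguageHelper.getErrorString(messageKey));
        } catch (Exception unexpected) {
            // Kept from the original: a failing message lookup must not hide the validation failure itself.
            log.info("MetaDate verification failed", unexpected);
            return new ValidationObjectIdentifier(KEY_METADATA_URL, "PVP2x - Metadata",
                    LanguageHelper.getErrorString("validation.pvp2.metadata.verify.general"));
        }
    }

    /** @return the patterns generated from the (empty) key whitelist of this task. */
    @Override
    public List<Pattern> getAllAllowedPatterns() {
        return generatePatternsFromKeys(KEY_WHITELIST);
    }

    /** @return the module prefixes under which this validator is dynamically loaded. */
    @Override
    public List<String> getModulValidatorPrefix() {
        return Arrays.asList("moa.id.services.oa", "moa.id.services.iidp");
    }
}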
