package at.gv.egovernment.moa.id.protocols.pvp2x;

import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration;
import at.gv.egiz.eaaf.core.exceptions.EAAFException;
import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException;
import at.gv.egiz.eaaf.core.exceptions.ProtocolNotActiveException;
import at.gv.egiz.eaaf.core.impl.gui.velocity.VelocityLogAdapter;
import at.gv.egiz.eaaf.core.impl.utils.HTTPUtils;
import at.gv.egiz.eaaf.modules.pvp2.exception.AttributQueryException;
import at.gv.egiz.eaaf.modules.pvp2.exception.NoMetadataInformationException;
import at.gv.egiz.eaaf.modules.pvp2.idp.impl.AbstractPVP2XProtocol;
import at.gv.egiz.eaaf.modules.pvp2.idp.impl.PVPSProfilePendingRequest;
import at.gv.egiz.eaaf.modules.pvp2.impl.binding.SoapBinding;
import at.gv.egiz.eaaf.modules.pvp2.impl.message.PVPSProfileRequest;
import at.gv.egiz.eaaf.modules.pvp2.impl.message.PVPSProfileResponse;
import at.gv.egiz.eaaf.modules.pvp2.impl.validation.EAAFURICompare;
import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AssertionValidationExeption;
import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringEscapeUtils;
import org.opensaml.saml2.core.AttributeQuery;
import org.opensaml.saml2.core.LogoutRequest;
import org.opensaml.saml2.core.LogoutResponse;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.ws.security.SecurityPolicyException;
import org.opensaml.xml.security.SecurityException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

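@Controller
/* loaded from: input_file:at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.class */
/**
 * Spring MVC controller for the PVP 2.1 "S-Profile" IDP endpoints of MOA-ID.
 *
 * <p>It exposes the metadata, POST, redirect and SOAP endpoints of the PVP 2.x
 * protocol. Every endpoint is gated on the "PVP 2.1 active" switch in the
 * MOA-ID configuration. The SOAP endpoint additionally pre-processes two
 * message types itself: SAML {@code AttributeQuery} (only for inter-federation
 * IDPs with an active SSO session) and single logout requests/responses.
 *
 * <p>Note for maintainers: this listing was recovered from compiled classes;
 * several local variable names and a few declared types look like decompiler
 * artifacts (e.g. {@code instanceof} checks against the variable's own declared
 * type) and have been kept as they were to preserve behaviour.
 */
public class PVP2XProtocol extends AbstractPVP2XProtocol {

    /** MOA-ID configuration; consulted for the PVP 2.1 protocol switch on every endpoint. */
    @Autowired(required = true)
    AuthConfiguration moaAuthConfig;

    /** Session store used to map an AttributeQuery subject nameID to an active SSO session. */
    @Autowired
    protected IAuthenticationSessionStoreage authenticatedSessionStorage;

    /** Path segment under which this protocol's endpoints are mounted. */
    public static final String PATH = "id_pvp2-sprofile";

    /** Module name recorded on pending requests and reported in "protocol not active" errors. */
    public static final String NAME = PVP2XProtocol.class.getName();

    /**
     * Attributes requested by default for inter-federation. Wrapped unmodifiable so that a
     * caller cannot alter this shared, public constant through the list view.
     */
    public static final List<String> DEFAULTREQUESTEDATTRFORINTERFEDERATION =
            Collections.unmodifiableList(Arrays.asList("urn:oid:1.2.40.0.10.2.1.1.261.34"));

    /** SAML 2.0 SOAP binding URI recorded on AttributeQuery pending requests. */
    private static final String SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP";

    /** Revision-log event code written when an inbound SOAP request is rejected (presumably "request invalid"; confirm against the event constants). */
    private static final int EVENT_REQUEST_REJECTED = 1103;

    /** @return the module name ({@link #NAME}). */
    public String getName() {
        return NAME;
    }

    /** @return the protocol path identifier ({@link #PATH}). */
    public String getAuthProtocolIdentifier() {
        return PATH;
    }

    /**
     * Serves the IDP metadata, provided PVP 2.1 is enabled.
     *
     * @throws EAAFException if the protocol is switched off or the superclass handler fails
     */
    @RequestMapping(value = {PVPConfiguration.PVP2_METADATA}, method = {RequestMethod.POST, RequestMethod.GET})
    public void PVPMetadataRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws EAAFException {
        ensurePvp21Active();
        super.pvpMetadataRequest(httpServletRequest, httpServletResponse);
    }

    /**
     * Handles an AuthnRequest delivered via HTTP-POST binding, provided PVP 2.1 is enabled.
     *
     * @throws EAAFException if the protocol is switched off or the superclass handler fails
     */
    @RequestMapping(value = {PVPConfiguration.PVP2_IDP_POST}, method = {RequestMethod.POST})
    public void PVPIDPPostRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws EAAFException {
        ensurePvp21Active();
        super.PVPIDPPostRequest(httpServletRequest, httpServletResponse);
    }

    /**
     * Handles an AuthnRequest delivered via HTTP-Redirect binding, provided PVP 2.1 is enabled.
     *
     * <p>The protocol switch is now read from the injected {@link #moaAuthConfig}, like the
     * other endpoints, instead of going through {@code AuthConfigurationProviderFactory}.
     *
     * @throws EAAFException if the protocol is switched off or the superclass handler fails
     */
    @RequestMapping(value = {PVPConfiguration.PVP2_IDP_REDIRECT}, method = {RequestMethod.GET})
    public void PVPIDPRedirecttRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws EAAFException {
        ensurePvp21Active();
        super.PVPIDPRedirecttRequest(httpServletRequest, httpServletResponse);
    }

    /**
     * Handles a SOAP-bound PVP request (AttributeQuery or single logout).
     *
     * <p>A pending request is created and initialised, the SOAP message is decoded through
     * {@link SoapBinding} against the metadata provider with an {@link EAAFURICompare} on this
     * IDP's SSO POST endpoint for the request's auth URL, and the result is handed to
     * {@code preProcess}. Any failure is recorded in the revision log (event
     * {@link #EVENT_REQUEST_REJECTED}) and mapped to a protocol exception; {@link MOAIDException}s
     * are propagated unchanged.
     *
     * @throws EAAFException on any decoding, validation or processing failure
     */
    @RequestMapping(value = {PVPConfiguration.PVP2_IDP_SOAP}, method = {RequestMethod.POST})
    public void PVPIDPSOAPRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws EAAFException {
        PVPSProfilePendingRequest pendingReq = null;
        try {
            pendingReq = (PVPSProfilePendingRequest) this.applicationContext.getBean(PVPSProfilePendingRequest.class);
            pendingReq.initialize(httpServletRequest, this.authConfig);
            pendingReq.setModule(NAME);
            this.revisionsLogger.logEvent(1000, pendingReq.getUniqueSessionIdentifier());
            this.revisionsLogger.logEvent(1100, pendingReq.getUniqueTransactionIdentifier());
            this.revisionsLogger.logEvent(pendingReq.getUniqueSessionIdentifier(), pendingReq.getUniqueTransactionIdentifier(), 1102, httpServletRequest.getRemoteAddr());

            // The expected endpoint is derived from the pending request's auth URL, so the
            // decoder can reject messages addressed to a different destination.
            EAAFURICompare expectedEndpoint = new EAAFURICompare(this.pvpBasicConfiguration.getIDPSSOPostService(pendingReq.getAuthURL()));
            pendingReq.setRequest(new SoapBinding().decode(httpServletRequest, httpServletResponse, this.metadataProvider, false, expectedEndpoint));

            preProcess(httpServletRequest, httpServletResponse, pendingReq);

        } catch (SecurityPolicyException e) {
            logInvalidProtocolRequest(httpServletRequest, pendingReq, e);
            throw new InvalidProtocolRequestException("pvp2.21", new Object[0]);

        } catch (MOAIDException e) {
            // Already a typed failure with its own message key: record the event, propagate as-is.
            logRequestRejected(pendingReq);
            throw e;

        } catch (SecurityException e) {
            logInvalidProtocolRequest(httpServletRequest, pendingReq, e);
            throw new InvalidProtocolRequestException("pvp2.22", new Object[]{e.getMessage()});

        } catch (Throwable th) {
            // Deliberately broad: anything else (including runtime errors in pre-processing) is
            // surfaced to the caller as a generic protocol error rather than an HTTP 500.
            logInvalidProtocolRequest(httpServletRequest, pendingReq, th);
            throw new MOAIDException("pvp2.24", new Object[]{th.getMessage()});
        }
    }

    /**
     * Dispatches SOAP messages this controller pre-processes itself.
     *
     * @return {@code true} if the message was an AttributeQuery, a LogoutRequest or a
     *         LogoutResponse and has been pre-processed here; {@code false} to let the
     *         superclass handle it
     * @throws Throwable any failure raised by the specific pre-processing step
     */
    protected boolean childPreProcess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, PVPSProfilePendingRequest pendingReq) throws Throwable {
        PVPSProfileRequest request = pendingReq.getRequest();

        if (request instanceof PVPSProfileRequest) {
            Object samlRequest = request.getSamlRequest();
            if (samlRequest instanceof AttributeQuery) {
                preProcessAttributQueryRequest(httpServletRequest, httpServletResponse, pendingReq);
                return true;
            }
            if (samlRequest instanceof LogoutRequest) {
                preProcessLogOut(httpServletRequest, httpServletResponse, pendingReq);
                return true;
            }
        }

        if (isLogoutResponse(request)) {
            preProcessLogOut(httpServletRequest, httpServletResponse, pendingReq);
            return true;
        }

        return false;
    }

    /**
     * Pre-processes a single logout message (request or response) and routes it to
     * {@link SingleLogOutAction} without requiring a fresh authentication.
     *
     * @throws EAAFException if the message is neither a LogoutRequest nor a LogoutResponse,
     *         if no metadata is available for the requester, or if a LogoutResponse's
     *         destination is not one of this IDP's URLs
     */
    private void preProcessLogOut(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, PVPSProfilePendingRequest pendingReq) throws EAAFException {
        PVPSProfileRequest request = pendingReq.getRequest();

        if (request instanceof PVPSProfileRequest && request.getSamlRequest() instanceof LogoutRequest) {
            preProcessLogoutRequest(request, pendingReq);
        } else if (isLogoutResponse(request)) {
            preProcessLogoutResponse((PVPSProfileResponse) request);
        } else {
            throw new EAAFException("Unsupported request");
        }

        pendingReq.setRequest(request);
        pendingReq.setNeedAuthentication(false);
        // The action class name is the only value that matters downstream; the earlier
        // placeholder value "SingleLogOut" was always overwritten and has been dropped.
        pendingReq.setAction(SingleLogOutAction.class.getName());
    }

    /**
     * Resolves the requesting SP of a LogoutRequest from metadata and records it on the
     * pending request.
     *
     * @throws EAAFException if no metadata is available for the requester
     */
    private void preProcessLogoutRequest(PVPSProfileRequest sloRequest, PVPSProfilePendingRequest pendingReq) throws EAAFException {
        EntityDescriptor entityMetadata = sloRequest.getEntityMetadata(this.metadataProvider);
        if (entityMetadata == null) {
            throw new NoMetadataInformationException();
        }

        // The entityID is HTML-escaped before it is used as the SP configuration lookup key,
        // stored on the pending request and written to the log.
        String spEntityId = StringEscapeUtils.escapeHtml(entityMetadata.getEntityID());
        ISPConfiguration spConfig = this.authConfig.getServiceProviderConfiguration(spEntityId);
        // NOTE(review): spConfig is not null-checked here; an unknown SP is handed on with a
        // null configuration, as before — confirm that downstream handles this.

        Logger.info("Dispatch PVP2 SingleLogOut: OAURL=" + spEntityId + " Binding=" + sloRequest.getRequestBinding());

        pendingReq.setSPEntityId(spEntityId);
        pendingReq.setOnlineApplicationConfiguration(spConfig);
        pendingReq.setBinding(sloRequest.getRequestBinding());
        this.revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROTOCOL_PVP_REQUEST_SLO);
    }

    /**
     * Validates that a LogoutResponse is addressed to this IDP.
     *
     * @throws EAAFException if the destination is missing, malformed or not one of this IDP's URLs
     */
    private void preProcessLogoutResponse(PVPSProfileResponse sloResponse) throws EAAFException {
        LogoutResponse response = sloResponse.getResponse();
        Logger.debug("PreProcess SLO Response from " + response.getIssuer());

        // A destination that is not even a well-formed URL is treated like a mismatch.
        boolean destinationIsOwnIdp = false;
        try {
            destinationIsOwnIdp = MiscUtil.isNotEmpty(this.authConfig.validateIDPURL(new URL(response.getDestination())));
        } catch (MalformedURLException e) {
            Logger.info(response.getDestination() + " is NOT valid. Reason: " + e.getMessage());
        }

        if (!destinationIsOwnIdp) {
            Logger.warn("PVP 2.1 single logout response destination does not match to IDP URL");
            throw new AssertionValidationExeption("PVP 2.1 single logout response destination does not match to IDP URL", (Object[]) null);
        }
    }

    /**
     * Pre-processes a SAML AttributeQuery and routes it to {@link AttributQueryAction}.
     *
     * <p>Checks performed, in order: the query carries an Issuer; its Destination equals this
     * IDP's SOAP service URL for the request's auth URL; the issuer is configured as an
     * inter-federation IDP that allows outbound SSO inter-federation; and the subject nameID
     * maps to an active SSO session.
     *
     * @throws Throwable {@link AttributQueryException} if any check fails; other failures propagate
     */
    private void preProcessAttributQueryRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, PVPSProfilePendingRequest pendingReq) throws Throwable {
        PVPSProfileRequest request = pendingReq.getRequest();
        AttributeQuery attrQuery = request.getSamlRequest();

        // Without an Issuer there is no entityID to look up; fail with a typed error instead
        // of a NullPointerException.
        if (attrQuery.getIssuer() == null || !MiscUtil.isNotEmpty(attrQuery.getIssuer().getValue())) {
            Logger.warn("AttributeQuery does not contain an Issuer.");
            throw new AttributQueryException("AttributeQuery does not contain an Issuer.", (Object[]) null);
        }
        request.setEntityID(attrQuery.getIssuer().getValue());

        String expectedDestination = this.pvpBasicConfiguration.getIDPSSOSOAPService(HTTPUtils.extractAuthURLFromRequest(httpServletRequest));
        if (!expectedDestination.equals(attrQuery.getDestination())) {
            Logger.warn("AttributeQuery destination does not match IDP AttributeQueryService URL");
            throw new AttributQueryException("AttributeQuery destination does not match IDP AttributeQueryService URL", (Object[]) null);
        }

        IOAAuthParameters spConfig = (IOAAuthParameters) this.authConfig.getServiceProviderConfiguration(request.getEntityID(), IOAAuthParameters.class);
        if (spConfig == null) {
            Logger.warn("AttributeQuery issuer is not a configured service provider.");
            throw new AttributQueryException("AttributeQuery issuer is not a configured service provider.", (Object[]) null);
        }
        if (!spConfig.isInderfederationIDP()) {
            Logger.warn("AttributeQuery requests are only allowed for interfederation IDPs.");
            throw new AttributQueryException("AttributeQuery requests are only allowed for interfederation IDPs.", (Object[]) null);
        }
        if (!spConfig.isOutboundSSOInterfederationAllowed()) {
            Logger.warn("Interfederation IDP " + spConfig.getPublicURLPrefix() + " does not allow outgoing SSO interfederation.");
            throw new AttributQueryException("Interfederation IDP does not allow outgoing SSO interfederation.", (Object[]) null);
        }

        // The subject nameID is the key into the SSO session store; a query without one
        // cannot be answered.
        if (attrQuery.getSubject() == null || attrQuery.getSubject().getNameID() == null) {
            Logger.warn("AttributeQuery does not contain a subject nameID.");
            throw new AttributQueryException("AttributeQuery does not contain a subject nameID.", (Object[]) null);
        }
        IAuthenticationSession ssoSession = this.authenticatedSessionStorage.getSessionWithUserNameID(attrQuery.getSubject().getNameID().getValue());
        if (ssoSession == null) {
            Logger.warn("AttributeQuery nameID does not match to an active single sign-on session.");
            throw new AttributQueryException("auth.31", (Object[]) null);
        }

        pendingReq.setRequest(request);
        pendingReq.setSPEntityId(request.getEntityID());
        pendingReq.setOnlineApplicationConfiguration(spConfig);
        pendingReq.setBinding(SOAP_BINDING);
        pendingReq.setNeedAuthentication(false);
        pendingReq.setAction(AttributQueryAction.class.getName());
        pendingReq.setInternalSSOSessionIdentifier(ssoSession.getSSOSessionID());
        this.revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROTOCOL_PVP_REQUEST_ATTRIBUTQUERY);
    }

    /**
     * Rejects the call unless PVP 2.1 is enabled in the MOA-ID configuration.
     *
     * @throws EAAFException ({@link ProtocolNotActiveException}) if the protocol is switched off
     */
    private void ensurePvp21Active() throws EAAFException {
        if (!this.moaAuthConfig.getAllowedProtocols().isPVP21Active()) {
            Logger.info("PVP2.1 is deaktivated!");
            throw new ProtocolNotActiveException("auth.22", new Object[]{NAME});
        }
    }

    /** @return whether {@code request} is a PVPSProfileResponse wrapping a SAML LogoutResponse. */
    private static boolean isLogoutResponse(PVPSProfileRequest request) {
        return request instanceof PVPSProfileResponse
                && ((PVPSProfileResponse) request).getResponse() instanceof LogoutResponse;
    }

    /**
     * Writes the "request rejected" revision-log event, if a pending request exists yet.
     */
    private void logRequestRejected(PVPSProfilePendingRequest pendingReq) {
        if (pendingReq != null) {
            this.revisionsLogger.logEvent(pendingReq, EVENT_REQUEST_REJECTED, pendingReq.getUniqueTransactionIdentifier());
        }
    }

    /**
     * Logs an invalid inbound request together with its cause and records the rejection event.
     *
     * <p>The echoed {@code SAMLRequest} parameter is attacker-controlled; it is Java-escaped so
     * that embedded line breaks or control characters cannot forge additional log records.
     */
    private void logInvalidProtocolRequest(HttpServletRequest httpServletRequest, PVPSProfilePendingRequest pendingReq, Throwable cause) {
        String samlRequestParam = StringEscapeUtils.escapeJava(httpServletRequest.getParameter("SAMLRequest"));
        Logger.warn("Receive INVALID protocol request: " + samlRequestParam, cause);
        logRequestRejected(pendingReq);
    }

    static {
        // Instantiated for its side effect only — presumably hooks Velocity logging into the
        // MOA logger; confirm in VelocityLogAdapter.
        new VelocityLogAdapter();
    }
}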
