package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.semper;

import at.gv.egiz.eaaf.core.api.IRequest;
import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
import at.gv.egiz.eaaf.core.exceptions.AuthnRequestValidatorException;
import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils;
import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute;
import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttributes;
import at.gv.egiz.eaaf.modules.pvp2.api.validation.IAuthnRequestPostProcessor;
import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants;
import at.gv.egovernment.moa.logging.Logger;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.xml.XMLObject;
import org.springframework.beans.factory.annotation.Autowired;

/* loaded from: input_file:at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/AuthnRequestSemperProcessor.class */
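/**
 * Post-processor for inbound authentication requests that applies the SEMPER mandate mode.
 *
 * <p>When the feature is enabled in the basic configuration and the request issuer is on the
 * configured MS-Proxy list, target-sector and mandate-profile information is copied from the
 * request's requested attributes into the service-provider configuration of the pending request.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The issuer allowlist is the only gate in this class. Everything copied into the
 *       service-provider configuration below comes from the request itself.
 *       NOTE(review): this presumably relies on the request signature having been verified
 *       before post-processors run; confirm against the caller.</li>
 *   <li>Request-derived values are stripped of line breaks before they are logged, so that a
 *       crafted attribute value cannot forge additional log lines.</li>
 * </ul>
 */
public class AuthnRequestSemperProcessor implements IAuthnRequestPostProcessor {

    /** Name of the requested attribute that is handed to {@link #extractBpkTarget}. */
    private static final String REQ_ATTR_BPK_TARGET = "urn:oid:1.2.40.0.10.2.1.1.261.34";

    /** Name of the requested attribute that is handed to {@link #extractMandateProfiles}. */
    private static final String REQ_ATTR_MANDATE_PROFILES = "urn:eidgvat:attributes.ServiceProviderMandateProfiles";

    /** Prefix a requested target sector must start with to be accepted. */
    private static final String EIDAS_TARGET_PREFIX = "urn:publicid:gv.at:eidasid+";

    @Autowired
    IConfiguration authConfig;

    /**
     * Applies SEMPER processing to the request if the feature is active and the issuer is allowed.
     *
     * @param httpServletRequest the HTTP request (not used here)
     * @param iRequest the pending request whose service-provider configuration is updated
     * @param authnRequest the inbound authentication request
     * @param sPSSODescriptor metadata of the requesting service provider (not used here)
     * @throws AuthnRequestValidatorException if SEMPER mode applies but the request carries no
     *     valid target-sector information
     */
    @Override
    public void process(HttpServletRequest httpServletRequest, IRequest iRequest, AuthnRequest authnRequest, SPSSODescriptor sPSSODescriptor) throws AuthnRequestValidatorException {
        final boolean active = this.authConfig.getBasicConfigurationBoolean(EidasCentralAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_ACTIVE, false);
        // The allowlist lookup is only evaluated when the feature is switched on.
        if (!active || !isSpAllowed(authnRequest)) {
            Logger.trace("Skip: " + AuthnRequestSemperProcessor.class.getSimpleName() + " because is's not active or not allowed");
            return;
        }
        Logger.debug("SEMPER mode detected. Starting SP-Info extraction from requested attributes ...");
        extractRequestedAttributeInformation(authnRequest, iRequest);
    }

    /**
     * Checks the request issuer against the configured list of allowed MS-Proxies.
     *
     * <p>The comparison is an exact string match. A request without an issuer is treated as not
     * allowed instead of failing with a {@link NullPointerException}.
     *
     * @param authnRequest the inbound authentication request
     * @return {@code true} only if the issuer value is contained in the configured list
     */
    private boolean isSpAllowed(AuthnRequest authnRequest) {
        if (authnRequest.getIssuer() == null || authnRequest.getIssuer().getValue() == null) {
            // Fail closed: without an issuer there is nothing to match against the allowlist.
            Logger.info("Authn. Request contains no Issuer. SEMPER processing is not allowed");
            return false;
        }
        final String issuer = authnRequest.getIssuer().getValue();
        final List<String> allowedProxies = KeyValueUtils.getListOfCSVValues(this.authConfig.getBasicConfiguration(EidasCentralAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_MS_PROXY_LIST));
        if (allowedProxies == null) {
            return false;
        }
        // The issuer is logged before it has been matched, so it is sanitized first.
        Logger.trace("Validate SP-EntityId: " + sanitizeForLog(issuer) + " with allowed MS-Proxies: [" + StringUtils.join(allowedProxies, ", ") + "]");
        return allowedProxies.contains(issuer);
    }

    /**
     * Walks the request extensions and processes the requested attributes found there.
     *
     * <p>Extension elements are iterated as {@link XMLObject}; elements that are not
     * {@link EAAFRequestedAttributes} are logged and skipped. If the target-sector attribute
     * occurs more than once, the result of the last occurrence decides.
     *
     * @param authnRequest the inbound authentication request
     * @param iRequest the pending request whose service-provider configuration is updated
     * @throws AuthnRequestValidatorException if no valid target-sector information was found
     */
    private void extractRequestedAttributeInformation(AuthnRequest authnRequest, IRequest iRequest) throws AuthnRequestValidatorException {
        boolean targetAccepted = false;
        if (authnRequest.getExtensions() != null) {
            for (final XMLObject extension : authnRequest.getExtensions().getUnknownXMLObjects()) {
                if (!(extension instanceof EAAFRequestedAttributes)) {
                    Logger.info("Ignore unknown requested attribute: " + sanitizeForLog(extension.getElementQName().toString()));
                    continue;
                }
                final EAAFRequestedAttributes requested = (EAAFRequestedAttributes) extension;
                if (requested.getAttributes() == null || requested.getAttributes().isEmpty()) {
                    Logger.debug("No requested Attributes in Authn. Request");
                    continue;
                }
                for (final EAAFRequestedAttribute attribute : requested.getAttributes()) {
                    final String name = attribute.getName();
                    Logger.trace("Processing req. attribute '" + sanitizeForLog(name) + "' ... ");
                    // Constant-first comparison keeps an attribute without a name from raising an NPE.
                    if (REQ_ATTR_BPK_TARGET.equals(name)) {
                        targetAccepted = extractBpkTarget(attribute, iRequest);
                    } else if (REQ_ATTR_MANDATE_PROFILES.equals(name)) {
                        extractMandateProfiles(attribute, iRequest);
                    } else {
                        Logger.debug("Ignore req. attribute: " + sanitizeForLog(name));
                    }
                }
            }
        }
        if (targetAccepted) {
            return;
        }
        Logger.info("Authn.Req validation FAILED. Reason: Contains NO or NO VALID target-sector information.");
        throw new AuthnRequestValidatorException("pvp2.22", new Object[]{"NO or NO VALID target-sector information"});
    }

    /**
     * Copies the requested mandate profiles into the service-provider configuration.
     *
     * <p>The value is stored exactly as received; no format check is applied here.
     * NOTE(review): confirm that the consumer of {@code auth.mandates.ovs.profiles} validates it,
     * and that the map returned by {@code getFullConfiguration()} is scoped to this pending
     * request rather than shared between requests of the same service provider.
     *
     * @param eAAFRequestedAttribute the mandate-profiles attribute
     * @param iRequest the pending request whose service-provider configuration is updated
     */
    private void extractMandateProfiles(EAAFRequestedAttribute eAAFRequestedAttribute, IRequest iRequest) {
        final String profiles = readSingleValue(eAAFRequestedAttribute);
        if (profiles == null) {
            return;
        }
        final Map<String, String> spConfig = iRequest.getServiceProviderConfiguration().getFullConfiguration();
        Logger.debug("Set MandateProfiles to: " + sanitizeForLog(profiles));
        spConfig.put("auth.mandates.ovs.use", String.valueOf(true));
        spConfig.put("auth.mandates.ovs.profiles", profiles);
    }

    /**
     * Validates the requested target sector and stores it in the service-provider configuration.
     *
     * <p>Only values starting with {@code urn:publicid:gv.at:eidasid+} are accepted; the part
     * after the prefix is stored as the target value.
     * NOTE(review): a value consisting of the prefix alone is accepted and stores an empty
     * target value; confirm whether that should be rejected.
     *
     * @param eAAFRequestedAttribute the target-sector attribute
     * @param iRequest the pending request whose service-provider configuration is updated
     * @return {@code true} if a target was accepted and stored, {@code false} otherwise
     */
    private boolean extractBpkTarget(EAAFRequestedAttribute eAAFRequestedAttribute, IRequest iRequest) {
        final String sector = readSingleValue(eAAFRequestedAttribute);
        if (sector == null) {
            return false;
        }
        final Map<String, String> spConfig = iRequest.getServiceProviderConfiguration().getFullConfiguration();
        if (!sector.startsWith(EIDAS_TARGET_PREFIX)) {
            Logger.info("Requested sector: " + sanitizeForLog(sector) + " DOES NOT match to allowed sectors for SP: " + iRequest.getServiceProviderConfiguration().getUniqueIdentifier());
            return false;
        }
        Logger.debug("Set eIDAS target to: " + sanitizeForLog(sector));
        spConfig.put("auth.target.business.type", "eIDAS");
        spConfig.put("auth.target.business.value", sector.substring(EIDAS_TARGET_PREFIX.length()));
        return true;
    }

    /**
     * Returns the text content of an attribute that carries exactly one value.
     *
     * @param attribute the requested attribute to read
     * @return the text content, or {@code null} if the attribute has no value, more than one
     *     value, or a value without DOM text content
     */
    private static String readSingleValue(EAAFRequestedAttribute attribute) {
        if (attribute.getAttributeValues() == null || attribute.getAttributeValues().size() != 1) {
            Logger.info("Req. attribute '" + sanitizeForLog(attribute.getName()) + "' contains NO or MORE THEN ONE attribute-values. Ignore full req. attribute");
            return null;
        }
        final XMLObject value = (XMLObject) attribute.getAttributeValues().get(0);
        if (value == null || value.getDOM() == null) {
            // A value without a DOM cannot be read; treat it like a missing value.
            Logger.info("Req. attribute '" + sanitizeForLog(attribute.getName()) + "' contains NO readable attribute-value. Ignore full req. attribute");
            return null;
        }
        return value.getDOM().getTextContent();
    }

    /**
     * Replaces carriage returns and line feeds so that a request-derived value stays on one log line.
     *
     * @param value the value to log, may be {@code null}
     * @return the value without line breaks, or the string {@code "null"}
     */
    private static String sanitizeForLog(String value) {
        if (value == null) {
            return "null";
        }
        return value.replace('\r', '_').replace('\n', '_');
    }
}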
