package at.gv.egovernment.moa.id.protocols.eidas;

import at.gv.egiz.eaaf.core.api.IRequest;
import at.gv.egiz.eaaf.core.api.idp.IModulInfo;
import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration;
import at.gv.egiz.eaaf.core.exceptions.EAAFException;
import at.gv.egiz.eaaf.core.impl.gui.velocity.VelocityProvider;
import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController;
import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils;
import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider;
import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASMetadataProviderDecorator;
import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASAuthnRequestProcessingException;
import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASAuthnRequestValidationException;
import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASException;
import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
import eu.eidas.auth.commons.EidasStringUtil;
import eu.eidas.auth.commons.attribute.ImmutableAttributeMap;
import eu.eidas.auth.commons.protocol.eidas.IEidasAuthenticationRequest;
import eu.eidas.auth.commons.protocol.eidas.impl.EidasAuthenticationRequest;
import eu.eidas.auth.commons.protocol.impl.AuthenticationResponse;
import eu.eidas.auth.commons.protocol.impl.SamlNameIdFormat;
import eu.eidas.auth.engine.metadata.MetadataUtil;
import eu.eidas.engine.exceptions.EIDASSAMLEngineException;
import java.io.IOException;
import java.io.StringWriter;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Collection;
import java.util.Iterator;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.velocity.Template;
import org.apache.velocity.VelocityContext;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

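/**
 * eIDAS protocol module of MOA-ID.
 *
 * <p>Exposes two HTTP endpoints: the IdP metadata endpoint
 * ({@code Constants.eIDAS_HTTP_ENDPOINT_METADATA}, GET) and the endpoint that receives SAML
 * AuthnRequests from eIDAS nodes ({@code Constants.eIDAS_HTTP_ENDPOINT_IDP_COLLEAGUEREQUEST}, POST).
 * An incoming AuthnRequest is unmarshalled and validated by the eIDAS SAML engine, cross-checked
 * against the sending node's metadata and this IdP's configuration, and then handed to the generic
 * authentication flow. On failure, {@link #generateErrorMessage} returns a SAML error response to
 * the node via the HTTP-POST binding.
 *
 * <p>This listing is decompiler output (JADX). The catch-clause order in {@link #preProcess} was
 * restored (the decompiled order, generic {@code Exception} first, does not compile) and a few
 * redundant constructs were simplified; the observable behaviour is otherwise unchanged.
 */
@Controller
public class EIDASProtocol extends AbstractController implements IModulInfo {
    /** Transaction key under which the requested eIDAS Level of Assurance is stored. */
    public static final String eIDAS_GENERIC_REQ_DATA_LEVELOFASSURENCE = "eIDAS_GENERIC_REQ_DATA_LEVELOFASSURENCE";
    /** Module name reported via {@link #getName()} and stored on every pending request. */
    public static final String NAME = EIDASProtocol.class.getName();
    /** Protocol identifier reported via {@link #getAuthProtocolIdentifier()}. */
    public static final String PATH = "id_eidas";

    /* HTTP-POST binding parameter names read from the incoming request. */
    private static final String PARAM_SAML_REQUEST = "SAMLRequest";
    private static final String PARAM_RELAY_STATE = "RelayState";

    /* Generic SAML status codes used when the failure carries no eIDAS-specific status. */
    private static final String SAML_STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder";
    private static final String SAML_SUBSTATUS_AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed";

    /** Velocity template rendering the auto-submitting HTML form of the HTTP-POST binding. */
    private static final String ERROR_RESPONSE_TEMPLATE = "/resources/templates/eidas_postbinding_template.vm";

    /** Fallback for {@code Constants.CONIG_PROPS_EIDAS_NODE_COUNTRYCODE} when it is not configured. */
    private static final String DEFAULT_NODE_COUNTRY_CODE = "AT";

    /** Index of the target country code in the '+'-separated eIDAS target identifier. */
    private static final int TARGET_COUNTRY_INDEX = 2;

    /**
     * Expected shape of a configured eIDAS target: {@code urn:publicid:gv.at:eidasid+<cc>+<cc>}.
     * Compiled once instead of per request. The character class is kept byte-identical to the
     * original; the comma inside {@code [A-Z,a-z]} looks unintended but widening/narrowing it
     * would change which configurations are accepted.
     */
    private static final Pattern EIDAS_TARGET_PATTERN =
            Pattern.compile("^urn:publicid:gv.at:eidasid\\+[A-Z,a-z]{2}\\+[A-Z,a-z]{2}$");

    @Autowired(required = true)
    MOAeIDASChainingMetadataProvider eIDASMetadataProvider;

    /** Logs the endpoint mappings this controller registers; wiring is done by Spring. */
    public EIDASProtocol() {
        Logger.debug("Registering servlet " + getClass().getName() + " with mappings '" + Constants.eIDAS_HTTP_ENDPOINT_METADATA + "' and '" + Constants.eIDAS_HTTP_ENDPOINT_IDP_COLLEAGUEREQUEST + "'.");
    }

    /** @return the fully qualified class name, used as module identifier */
    @Override
    public String getName() {
        return NAME;
    }

    /** @return the protocol path identifier {@value #PATH} */
    @Override
    public String getAuthProtocolIdentifier() {
        return PATH;
    }

    /**
     * Serves this IdP's eIDAS metadata. No authentication is required; the request object is
     * created only so that the revision log has session and transaction identifiers.
     *
     * @param httpServletRequest  incoming HTTP GET
     * @param httpServletResponse response that receives the metadata document
     * @throws EAAFException if request initialisation or metadata generation fails
     */
    @RequestMapping(value = {Constants.eIDAS_HTTP_ENDPOINT_METADATA}, method = {RequestMethod.GET})
    public void eIDASMetadataRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws EAAFException {
        IRequest pendingReq = (EIDASData) this.applicationContext.getBean(EIDASData.class);
        pendingReq.initialize(httpServletRequest, this.authConfig);
        pendingReq.setModule(NAME);
        pendingReq.setNeedAuthentication(false);
        pendingReq.setAuthenticated(false);
        // Numeric revision-log event codes as in the original; their symbolic names are not visible here.
        this.revisionsLogger.logEvent(pendingReq.getUniqueSessionIdentifier(), pendingReq.getUniqueTransactionIdentifier(), 1102, httpServletRequest.getRemoteAddr());
        ((EidasMetaDataRequest) this.applicationContext.getBean(EidasMetaDataRequest.class)).processRequest(pendingReq, httpServletRequest, httpServletResponse, null);
        this.revisionsLogger.logEvent(pendingReq.getUniqueSessionIdentifier(), pendingReq.getUniqueTransactionIdentifier(), Constants.eIDAS_REVERSIONSLOG_METADATA);
    }

    /**
     * Receives a SAML AuthnRequest from an eIDAS node (HTTP-POST binding), validates it via
     * {@link #preProcess} and starts the authentication flow.
     *
     * @param httpServletRequest  incoming HTTP POST carrying {@code SAMLRequest} and optionally {@code RelayState}
     * @param httpServletResponse response used by the authentication flow
     * @throws IOException   if the authentication flow fails to write its response
     * @throws EAAFException if request initialisation, validation or authentication fails
     */
    @RequestMapping(value = {Constants.eIDAS_HTTP_ENDPOINT_IDP_COLLEAGUEREQUEST}, method = {RequestMethod.POST})
    public void PVPIDPPostRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, EAAFException {
        EIDASData pendingReq = (EIDASData) this.applicationContext.getBean(EIDASData.class);
        pendingReq.initialize(httpServletRequest, this.authConfig);
        pendingReq.setModule(NAME);
        // Numeric revision-log event codes as in the original; their symbolic names are not visible here.
        this.revisionsLogger.logEvent(1000, pendingReq.getUniqueSessionIdentifier());
        this.revisionsLogger.logEvent(1100, pendingReq.getUniqueTransactionIdentifier());
        this.revisionsLogger.logEvent(pendingReq.getUniqueSessionIdentifier(), pendingReq.getUniqueTransactionIdentifier(), 1102, httpServletRequest.getRemoteAddr());
        preProcess(httpServletRequest, httpServletResponse, pendingReq);
        this.revisionsLogger.logEvent(pendingReq, Constants.eIDAS_REVERSIONSLOG_IDP_AUTHREQUEST, pendingReq.getEidasRequest().getId());
        pendingReq.setNeedAuthentication(true);
        pendingReq.setAction(eIDASAuthenticationRequest.class.getName());
        this.protAuthService.performAuthentication(httpServletRequest, httpServletResponse, pendingReq);
    }

    /**
     * Unmarshals and validates the eIDAS AuthnRequest carried in the {@code SAMLRequest} parameter
     * and stores the validated request plus the matching service-provider configuration on
     * {@code eIDASData}.
     *
     * <p>Checks, in order: signature/schema validation by the eIDAS SAML engine; {@code Destination}
     * against this IdP's auth URL; issuer against the configured service providers;
     * {@code AssertionConsumerServiceURL} against the node's metadata (or taken from the metadata when
     * the request carries none); origin country against the configured eIDAS target; presence of an
     * {@code SPType}; presence of the natural-person minimum data set.
     *
     * @param httpServletRequest  incoming HTTP request
     * @param httpServletResponse HTTP response (unused here; kept for the caller's signature)
     * @param eIDASData           pending request that receives the validated data
     * @throws MOAIDException if the request is missing, invalid, or refers to an unknown or
     *                        misconfigured node; any other failure is wrapped into an
     *                        {@link EIDASAuthnRequestProcessingException} with code {@code eIDAS.06}
     */
    private void preProcess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, EIDASData eIDASData) throws MOAIDException {
        Logger.info("received an eIDaS request");
        String parameter = httpServletRequest.getParameter(PARAM_SAML_REQUEST);
        if (MiscUtil.isEmpty(parameter)) {
            Logger.warn("No eIDAS SAMLRequest found in http request.");
            throw new MOAIDException("eIDAS.06", new Object[]{"HTTP request includes no eIDAS SAML-Request element."});
        }
        try {
            // Signature, schema and metadata-based checks are performed by the eIDAS SAML engine.
            IEidasAuthenticationRequest unmarshallRequestAndValidate = SAMLEngineUtils.createSAMLEngine(this.eIDASMetadataProvider).unmarshallRequestAndValidate(
                    EidasStringUtil.decodeBytesFromBase64(parameter),
                    this.authConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_COUNTRYCODE, DEFAULT_NODE_COUNTRY_CODE),
                    (Collection) null, false);
            // Tautological with the declared type in this listing; kept as a defensive guard because
            // the engine's return type in the original source is presumably more general.
            if (!(unmarshallRequestAndValidate instanceof IEidasAuthenticationRequest)) {
                Logger.error("eIDAS AuthnRequst from node:" + unmarshallRequestAndValidate.getIssuer() + " is NOT from Type:" + IEidasAuthenticationRequest.class.getName());
                throw new MOAIDException("eIDAS.06", new Object[]{"eIDAS AuthnRequest maps to an wrong internal Type."});
            }
            String issuer = unmarshallRequestAndValidate.getIssuer();
            IEidasAuthenticationRequest eidasRequest = unmarshallRequestAndValidate;

            checkDestination(eidasRequest, eIDASData);

            ISPConfiguration serviceProviderConfiguration = this.authConfig.getServiceProviderConfiguration(issuer);
            if (serviceProviderConfiguration == null) {
                throw new EIDASAuthnRequestProcessingException("eIDAS.08", new Object[]{issuer});
            }

            EntityDescriptor entityDescriptor = new MOAeIDASMetadataProviderDecorator(this.eIDASMetadataProvider).getEntityDescriptor(issuer, SAMLEngineUtils.getMetadataSigner());
            // May return a rebuilt request when the ACS URL had to be taken from the metadata.
            eidasRequest = resolveAssertionConsumerServiceUrl(eidasRequest, entityDescriptor);

            checkEidasTarget(issuer, unmarshallRequestAndValidate.getOriginCountryCode(), serviceProviderConfiguration.getAreaSpecificTargetIdentifier());

            String spType = eidasRequest.getSpType();
            if (MiscUtil.isEmpty(spType)) {
                spType = MetadataUtil.getSPTypeFromMetadata(entityDescriptor);
            }
            if (MiscUtil.isEmpty(spType)) {
                Logger.warn("eIDAS request and eIDAS metadata contains NO 'SPType' element.");
                throw new EIDASAuthnRequestProcessingException("eIDAS.06", new Object[]{"eIDAS request and eIDAS metadata contains NO 'SPType' element."});
            }
            Logger.debug("eIDAS request has SPType:" + spType);

            checkMinimumDataSet(eidasRequest.getRequestedAttributes());

            eIDASData.setRemoteAddress(httpServletRequest.getRemoteAddr());
            eIDASData.setRemoteRelayState(httpServletRequest.getParameter(PARAM_RELAY_STATE));
            // A request without Level of Assurance fails here with an NPE, which the generic catch
            // below turns into eIDAS.06 (same outcome as the original).
            eIDASData.setRawDataToTransaction(eIDAS_GENERIC_REQ_DATA_LEVELOFASSURENCE, eidasRequest.getEidasLevelOfAssurance().stringValue());
            String nameIdFormat = eidasRequest.getNameIdFormat();
            boolean transientNameIdRequested = MiscUtil.isNotEmpty(nameIdFormat) && nameIdFormat.equals(SamlNameIdFormat.TRANSIENT.getNameIdFormat());
            eIDASData.setRawDataToTransaction(EIDASData.REQ_PARAM_eIDAS_AUTHN_TRANSIENT_ID, transientNameIdRequested);
            eIDASData.setEidasRequestedAttributes(eidasRequest.getRequestedAttributes());
            eIDASData.setEidasRequest(eidasRequest);
            eIDASData.setSPEntityId(issuer);
            eIDASData.setOnlineApplicationConfiguration(serviceProviderConfiguration);
        } catch (EIDASSAMLEngineException e) {
            Logger.info("eIDAS AuthnRequest preProcessing FAILED. Msg:" + e.getMessage());
            logPreProcessingFailure(eIDASData, parameter);
            throw new EIDASAuthnRequestProcessingException("eIDAS.06", new Object[]{e.getMessage()}, (Throwable) e);
        } catch (MOAIDException e) {
            Logger.info("eIDAS AuthnRequest preProcessing FAILED. Msg:" + e.getMessage());
            logPreProcessingFailure(eIDASData, parameter);
            throw e;
        } catch (Exception e) {
            // Must come last: the decompiled listing had it first, which makes the specific catches unreachable.
            Logger.warn("eIDAS AuthnRequest preProcessing FAILED. Msg:" + e.getMessage(), e);
            logPreProcessingFailure(eIDASData, parameter);
            throw new EIDASAuthnRequestProcessingException("eIDAS.06", new Object[]{e.getMessage()}, e);
        }
    }

    /**
     * Rejects requests whose {@code Destination} does not point to this IdP.
     *
     * <p>The check is a prefix match against the configured auth URL, as in the original.
     * NOTE(review): an exact match against the request endpoint would be stricter; confirm that the
     * auth URL always ends in a path separator, otherwise a longer host name sharing the prefix passes.
     *
     * @throws EIDASAuthnRequestValidationException with code {@code stork.01} if the attribute is missing or foreign
     */
    private static void checkDestination(IEidasAuthenticationRequest eidasRequest, EIDASData eIDASData) throws EIDASAuthnRequestValidationException {
        String destination = eidasRequest.getDestination();
        if (MiscUtil.isEmpty(destination) || !destination.startsWith(eIDASData.getAuthURL())) {
            Logger.info("eIDAS AuthnRequest contains a not valid 'Destination' attribute");
            throw new EIDASAuthnRequestValidationException("stork.01", new Object[]{"eIDAS AuthnRequest contains a not valid 'Destination' attribute"});
        }
    }

    /**
     * Validates the request's {@code AssertionConsumerServiceURL} against the node's metadata or,
     * if the request carries none, fills it in from the metadata. The error response is later
     * POSTed to this URL, so only URLs published by the node are accepted.
     *
     * @return the request to continue with; a rebuilt copy when the URL was taken from metadata
     * @throws EIDASAuthnRequestValidationException with code {@code eIDAS.12} if the request's URL is not in the metadata
     * @throws EIDASSAMLEngineException            if the metadata lists no AssertionConsumerService at all
     */
    private static IEidasAuthenticationRequest resolveAssertionConsumerServiceUrl(IEidasAuthenticationRequest eidasRequest, EntityDescriptor entityDescriptor)
            throws EIDASAuthnRequestValidationException, EIDASSAMLEngineException {
        String requestedUrl = eidasRequest.getAssertionConsumerServiceURL();
        if (MiscUtil.isNotEmpty(requestedUrl)) {
            if (!isAssertionConsumerServiceInMetadata(entityDescriptor, requestedUrl)) {
                Logger.info("eIDAS AuthnRequest contains a not valid 'AssertionConsumerServiceURL' attribute");
                throw new EIDASAuthnRequestValidationException("eIDAS.12", new Object[]{"eIDAS AuthnRequest contains a not valid 'AssertionConsumerServiceURL' attribute"});
            }
            return eidasRequest;
        }
        String urlFromMetadata = MetadataUtil.getAssertionConsumerUrlFromMetadata(SAMLEngineUtils.getMetadataFetcher(), SAMLEngineUtils.getMetadataSigner(), eidasRequest);
        if (MiscUtil.isEmpty(urlFromMetadata)) {
            String msg = "eIDAS metadata for node:" + eidasRequest.getIssuer() + " contains NO 'AssertionConsumerServiceURL' element!";
            Logger.error(msg);
            throw new EIDASSAMLEngineException(msg);
        }
        EidasAuthenticationRequest.Builder builder = EidasAuthenticationRequest.builder(eidasRequest);
        builder.assertionConsumerServiceURL(urlFromMetadata);
        return builder.build();
    }

    /**
     * @return {@code true} if {@code url} equals the location of one of the AssertionConsumerServices
     *         in the node's SPSSODescriptor
     * @throws EIDASSAMLEngineException if the descriptor cannot be read from the metadata
     */
    private static boolean isAssertionConsumerServiceInMetadata(EntityDescriptor entityDescriptor, String url) throws EIDASSAMLEngineException {
        for (AssertionConsumerService acs : MetadataUtil.getSPSSODescriptor(entityDescriptor).getAssertionConsumerServices()) {
            if (url.equals(acs.getLocation())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks the request's origin country against the eIDAS target configured for the node.
     * If the countries differ, the target country may still be an organisation identifier that
     * is explicitly allowed for the origin country (see {@link #iseIDASTargetAValidOrganisation}).
     *
     * @throws MOAIDException {@code config.08} if the configured target is missing or malformed,
     *                        {@code eIDAS.01} if the origin country is not allowed for the target
     */
    private void checkEidasTarget(String issuer, String originCountryCode, String areaSpecificTargetIdentifier) throws MOAIDException {
        // Empty check first: the original ran the matcher before testing for null, so a missing
        // target surfaced as an NPE (wrapped as eIDAS.06) instead of the intended config.08.
        if (MiscUtil.isEmpty(areaSpecificTargetIdentifier) || !EIDAS_TARGET_PATTERN.matcher(areaSpecificTargetIdentifier).matches()) {
            Logger.error("Configuration for eIDAS-node:" + issuer + " contains wrong formated eIDAS target:" + areaSpecificTargetIdentifier);
            throw new MOAIDException("config.08", new Object[]{issuer});
        }
        // The pattern guarantees exactly three '+'-separated parts.
        String targetCountry = areaSpecificTargetIdentifier.split("\\+")[TARGET_COUNTRY_INDEX];
        if (!targetCountry.equalsIgnoreCase(originCountryCode)) {
            Logger.debug("Configuration for eIDAS-node:" + issuer + " Destination Country from request (" + originCountryCode + ") does not match to configuration:" + areaSpecificTargetIdentifier + " --> Perform additional organisation check ...");
            if (!iseIDASTargetAValidOrganisation(originCountryCode, targetCountry)) {
                throw new MOAIDException("eIDAS.01", new Object[]{"Destination Country from request does not match to configuration"});
            }
        }
        Logger.debug("CountryCode from request matches eIDAS-node configuration target: " + areaSpecificTargetIdentifier);
    }

    /**
     * Requires every attribute of the natural-person minimum data set
     * ({@code Constants.NATURALPERSONMINIMUMDATASETLIST}) to be requested.
     *
     * @throws EIDASAuthnRequestProcessingException with code {@code eIDAS.06} on the first missing attribute
     */
    private static void checkMinimumDataSet(ImmutableAttributeMap requestedAttributes) throws EIDASAuthnRequestProcessingException {
        for (URI uri : Constants.NATURALPERSONMINIMUMDATASETLIST) {
            if (requestedAttributes.getAttributeValuesByNameUri(uri) == null) {
                Logger.warn("Minimum data-set attribute: " + uri + " is not requested.");
                throw new EIDASAuthnRequestProcessingException("eIDAS.06", new Object[]{"eIDAS request does not contain all attributes of minimum data-set for natural person"});
            }
        }
    }

    /**
     * Common failure bookkeeping of {@link #preProcess}: dumps the raw request at debug level and
     * writes revision-log event 1103 for the pending request, if there is one.
     */
    private void logPreProcessingFailure(EIDASData eIDASData, String rawSamlRequest) {
        Logger.debug("eIDAS AuthnReq: " + rawSamlRequest);
        if (eIDASData != null) {
            this.revisionsLogger.logEvent(eIDASData, 1103, eIDASData.getUniqueTransactionIdentifier());
        }
    }

    /**
     * Builds a SAML error response for the eIDAS node and writes it to the HTTP response as an
     * auto-submitting HTML form (HTTP-POST binding) targeting the validated
     * {@code AssertionConsumerServiceURL}.
     *
     * <p>NOTE(review): {@code RelayState} is echoed into the form as received; whether it is
     * HTML-escaped depends on the Velocity template, which is not visible here.
     *
     * @param th                  the failure to report; eIDAS-specific status codes are used for {@link EIDASException}
     * @param httpServletRequest  incoming HTTP request (unused)
     * @param httpServletResponse response that receives the HTML form
     * @param iRequest            pending request; must be an {@link EIDASData} holding an AuthnRequest
     * @return {@code true} if an error response was written, {@code false} if no eIDAS request is
     *         available or building/writing the response failed
     */
    @Override
    public boolean generateErrorMessage(Throwable th, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, IRequest iRequest) throws Throwable {
        if (!(iRequest instanceof EIDASData)) {
            return false;
        }
        EIDASData eIDASData = (EIDASData) iRequest;
        if (eIDASData.getEidasRequest() == null) {
            Logger.info("Can not build eIDAS ErrorResponse. No eIDAS AuthnRequest found.");
            return false;
        }
        try {
            AuthenticationResponse.Builder builder = new AuthenticationResponse.Builder();
            builder.issuer(iRequest.getAuthURL() + Constants.eIDAS_HTTP_ENDPOINT_METADATA);
            if (th instanceof EIDASException) {
                builder.statusCode(((EIDASException) th).getStatusCodeFirstLevel());
                builder.subStatusCode(((EIDASException) th).getStatusCodeSecondLevel());
            } else {
                // MOAIDException and any other throwable map to the same generic status pair.
                builder.statusCode(SAML_STATUS_RESPONDER);
                builder.subStatusCode(SAML_SUBSTATUS_AUTHN_FAILED);
            }
            builder.statusMessage(th.getMessage());
            builder.id(eu.eidas.auth.engine.xml.opensaml.SAMLEngineUtils.generateNCName());
            builder.inResponseTo(eIDASData.getEidasRequest().getId());
            String encodedResponse = EidasStringUtil.encodeToBase64(SAMLEngineUtils.createSAMLEngine(this.eIDASMetadataProvider).generateResponseErrorMessage(eIDASData.getEidasRequest(), builder.build(), eIDASData.getRemoteAddress()).getMessageBytes());

            Template template = VelocityProvider.getClassPathVelocityEngine().getTemplate(ERROR_RESPONSE_TEMPLATE);
            VelocityContext velocityContext = new VelocityContext();
            velocityContext.put("RelayState", eIDASData.getRemoteRelayState());
            velocityContext.put("SAMLResponse", encodedResponse);
            Logger.debug("SAMLResponse original: " + encodedResponse);
            // Form target: the ACS URL that preProcess() checked against (or took from) the node's metadata.
            String assertionConsumerServiceUrl = eIDASData.getEidasRequest().getAssertionConsumerServiceURL();
            Logger.debug("Putting assertion consumer url as action: " + assertionConsumerServiceUrl);
            velocityContext.put("action", assertionConsumerServiceUrl);

            Logger.trace("Starting template merge");
            StringWriter stringWriter = new StringWriter();
            Logger.trace("Doing template merge");
            template.merge(velocityContext, stringWriter);
            Logger.trace("Template merge done");
            String html = stringWriter.toString();
            Logger.trace("Sending html content  : " + html);
            byte[] bytes = html.getBytes(StandardCharsets.UTF_8);
            httpServletResponse.setContentType("text/html; charset=UTF-8");
            httpServletResponse.setContentLength(bytes.length);
            httpServletResponse.getOutputStream().write(bytes);
            return true;
        } catch (Exception e) {
            // Log the failure of the response generation itself; the original logged the triggering
            // throwable instead and so hid why the error response could not be built.
            Logger.error("Generate eIDAS Error-Response failed.", e);
            return false;
        }
    }

    /** No module-specific validation is performed for eIDAS requests; always {@code false}. */
    @Override
    public boolean validate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, IRequest iRequest) {
        return false;
    }

    /**
     * Checks whether {@code organisationIdentifier} is listed as an allowed organisation identifier
     * for {@code requestCountry}. The list is read as CSV from the configuration property
     * {@code Constants.CONFIG_PROPS_EIDAS_BPK_TARGET_PREFIX + <country in lower case>}.
     *
     * @return {@code true} if the identifier is allowed; {@code false} if the country is empty or
     *         the identifier is not listed
     */
    private boolean iseIDASTargetAValidOrganisation(String requestCountry, String organisationIdentifier) {
        if (MiscUtil.isNotEmpty(requestCountry)) {
            // Locale.ROOT keeps the configuration key independent of the JVM's default locale.
            String configKey = Constants.CONFIG_PROPS_EIDAS_BPK_TARGET_PREFIX + requestCountry.toLowerCase(Locale.ROOT);
            if (KeyValueUtils.getListOfCSVValues(this.authConfig.getBasicConfiguration(configKey)).contains(organisationIdentifier)) {
                Logger.debug(organisationIdentifier + " is a valid OrganisationIdentifier for request-country: " + requestCountry);
                return true;
            }
        }
        Logger.info("OrganisationIdentifier: " + organisationIdentifier + " is not allowed for country: " + requestCountry);
        return false;
    }
}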
