package at.gv.egovernment.moa.id.auth.modules.eidas.tasks;

import at.gv.egiz.eaaf.core.api.IRequest;
import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
import at.gv.egiz.eaaf.core.impl.gui.velocity.VelocityProvider;
import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask;
import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
import at.gv.egovernment.moa.id.auth.modules.eidas.eid4u.utils.AttributeScopeMapper;
import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider;
import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineException;
import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.data.CPEPS;
import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
import com.google.common.net.MediaType;
import eu.eidas.auth.commons.EidasStringUtil;
import eu.eidas.auth.commons.attribute.AttributeDefinition;
import eu.eidas.auth.commons.attribute.ImmutableAttributeMap;
import eu.eidas.auth.commons.protocol.IRequestMessage;
import eu.eidas.auth.commons.protocol.eidas.LevelOfAssurance;
import eu.eidas.auth.commons.protocol.eidas.LevelOfAssuranceComparison;
import eu.eidas.auth.commons.protocol.eidas.SpType;
import eu.eidas.auth.commons.protocol.eidas.impl.EidasAuthenticationRequest;
import eu.eidas.auth.engine.ProtocolEngineI;
import eu.eidas.engine.exceptions.EIDASSAMLEngineException;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.BooleanUtils;
import org.apache.velocity.Template;
import org.apache.velocity.VelocityContext;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;

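/**
 * Process task that builds an eIDAS {@code AuthnRequest} for the citizen country selected
 * earlier in the authentication process (execution-context key {@code "CCC"}) and delivers it
 * to that country's eIDAS node through an auto-submitting HTML form (SAML HTTP-POST binding).
 *
 * <p>Destination selection: the node's SAML metadata (first part of the configured C-PEPS URL,
 * written as {@code "<metadataUrl>;<fallbackDestinationUrl>"}) is consulted first; if the
 * metadata cannot be loaded or publishes no HTTP-POST {@code SingleSignOnService}, the second
 * part of the configured URL is used. Only the HTTP-POST binding is supported.
 */
@Component("GenerateAuthnRequestTask")
/* loaded from: input_file:at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.class */
public class GenerateAuthnRequestTask extends AbstractAuthServletTask {

    /** SAML 2.0 HTTP-POST binding URI -- the only binding this task can deliver. */
    private static final String SAML2_HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";

    /** SAML 2.0 protocol URI used to select the IDPSSODescriptor from node metadata. */
    private static final String SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol";

    /** Execution-context key under which the citizen's country code is stored. */
    private static final String CONTEXT_KEY_CITIZEN_COUNTRY = "CCC";

    /** Velocity template that renders the auto-submit form for the HTTP-POST binding. */
    private static final String POST_BINDING_TEMPLATE = "/resources/templates/eidas_postbinding_template.vm";

    /** Separator between metadata URL and fallback destination URL in the configured C-PEPS URL. */
    private static final String PEPS_URL_SEPARATOR = ";";

    @Autowired(required = true)
    MOAeIDASChainingMetadataProvider eIDASMetadataProvider;

    /**
     * Builds the eIDAS AuthnRequest and writes the HTTP-POST form to the servlet response.
     *
     * @param executionContext process context; must hold the citizen country code under {@code "CCC"}
     * @param httpServletRequest current request (not used by this task)
     * @param httpServletResponse response that receives the HTML form
     * @throws TaskExecutionException if no country is selected, the country has no configured node,
     *         no destination URL can be determined, the destination does not use HTTP-POST, or
     *         request generation/rendering fails
     */
    public void execute(ExecutionContext executionContext, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws TaskExecutionException {
        try {
            IOAAuthParameters oaParams = (IOAAuthParameters) this.pendingReq.getServiceProviderConfiguration(IOAAuthParameters.class);

            String citizenCountryCode = (String) executionContext.get(CONTEXT_KEY_CITIZEN_COUNTRY);
            if (StringUtils.isEmpty(citizenCountryCode)) {
                throw new AuthenticationException("eIDAS.03", new Object[]{""});
            }

            CPEPS cpeps = this.authConfig.getStorkConfig().getCPEPSWithFullName(citizenCountryCode);
            if (cpeps == null) {
                Logger.error("PEPS unknown for country: " + citizenCountryCode);
                throw new AuthenticationException("eIDAS.04", new Object[]{citizenCountryCode});
            }
            Logger.debug("Found eIDaS Node/C-PEPS configuration for citizen of country: " + citizenCountryCode);

            // Configured C-PEPS URL has the form "<metadataUrl>[;<fallbackDestinationUrl>]".
            String[] pepsUrlParts = cpeps.getPepsURL().toString().split(PEPS_URL_SEPARATOR);
            String metadataUrl = pepsUrlParts[0].trim();
            String fallbackDestinationUrl = pepsUrlParts.length > 1 ? pepsUrlParts[1].trim() : null;

            SingleSignOnService destination = resolveDestination(metadataUrl, fallbackDestinationUrl);
            this.revisionsLogger.logEvent(this.pendingReq, 6100, metadataUrl);

            // Checked before the request is generated: the POST form below can serve no other binding.
            if (!SAML2_HTTP_POST_BINDING.equals(destination.getBinding())) {
                Logger.error("eIDAS-node use an unsupported binding (" + destination.getBinding() + "). Request eIDAS node not possible.");
                throw new MOAIDException("eIDAS.02", new Object[]{"eIDAS-node use an unsupported binding"});
            }

            ProtocolEngineI engine = SAMLEngineUtils.createSAMLEngine(this.eIDASMetadataProvider);
            ImmutableAttributeMap requestedAttributes = buildRequestedAttributes(oaParams.getRequestedSTORKAttributes());

            // The issuer is this IdP's own eIDAS metadata endpoint; it is also the engine's "service issuer".
            String issuer = this.pendingReq.getAuthURL() + Constants.eIDAS_HTTP_ENDPOINT_METADATA;
            EidasAuthenticationRequest.Builder builder = configureAuthnRequest(oaParams, cpeps, destination, issuer, requestedAttributes);

            IRequestMessage requestMessage = engine.generateRequestMessage(builder.build(), issuer);
            String encodedRequest = EidasStringUtil.encodeToBase64(requestMessage.getMessageBytes());
            buildPostBindingRequest(this.pendingReq, destination, encodedRequest, requestMessage, httpServletResponse);

        } catch (MOAIDException e) {
            // Specific handlers must precede the generic one; a catch (Exception) listed first
            // would make the later clauses unreachable and the class would not compile.
            throw new TaskExecutionException(this.pendingReq, "eIDAS AuthnRequest generation FAILED.", e);
        } catch (EIDASSAMLEngineException e) {
            throw new TaskExecutionException(this.pendingReq, "eIDAS AuthnRequest generation FAILED.", new EIDASEngineException("eIDAS.00", new Object[]{e.getMessage()}, e));
        } catch (Exception e) {
            Logger.error("eIDAS AuthnRequest generation FAILED.", e);
            throw new TaskExecutionException(this.pendingReq, e.getMessage(), e);
        }
    }

    /**
     * Determines the node endpoint the AuthnRequest is sent to.
     *
     * <p>Prefers the HTTP-POST {@code SingleSignOnService} published in the node's metadata; if
     * the metadata cannot be loaded, is absent, or has no such endpoint, falls back to the
     * configured destination URL, which is assumed to accept the HTTP-POST binding.
     *
     * @param metadataUrl entityID/URL of the node's SAML metadata
     * @param fallbackDestinationUrl configured destination URL, may be {@code null} or empty
     * @return the endpoint to use, never {@code null}
     * @throws MOAIDException if neither metadata nor configuration yields a destination
     */
    private SingleSignOnService resolveDestination(String metadataUrl, String fallbackDestinationUrl) throws MOAIDException {
        SingleSignOnService fromMetadata = null;
        try {
            EntityDescriptor entityDescriptor = this.eIDASMetadataProvider.getEntityDescriptor(metadataUrl);
            if (entityDescriptor == null) {
                Logger.warn("No eIDAS metadata for node:" + metadataUrl + AttributeScopeMapper.Scope_Delimiter);
            } else {
                fromMetadata = selectSingleSignOnServiceFromMetadata(entityDescriptor);
                if (fromMetadata == null) {
                    Logger.warn("eIDAS metadata for node:" + metadataUrl + " has no IDPSSODescriptor or no SingleSignOnService information.");
                } else {
                    Logger.debug("Use destination URL:" + fromMetadata.getLocation() + " from eIDAS metadata:" + metadataUrl);
                }
            }
        } catch (MetadataProviderException e) {
            // Metadata is optional at this point: fall through to the configured destination.
            Logger.warn("Load eIDAS metadata from node:" + metadataUrl + " FAILED with an error.", e);
        }
        if (fromMetadata != null) {
            return fromMetadata;
        }

        if (!MiscUtil.isNotEmpty(fallbackDestinationUrl)) {
            Logger.error("No eIDAS-node destination URL FOUND. Request eIDAS node not possible.");
            throw new MOAIDException("eIDAS.02", new Object[]{"No eIDAS-node Destination-URL FOUND"});
        }
        Logger.debug("Use eIDAS node destination URL:" + fallbackDestinationUrl + " from configuration");
        SingleSignOnService configured = (SingleSignOnService) SAML2Utils.createSAMLObject(SingleSignOnService.class);
        configured.setLocation(fallbackDestinationUrl);
        configured.setBinding(SAML2_HTTP_POST_BINDING);
        return configured;
    }

    /**
     * Maps the online application's requested STORK attributes to eIDAS attribute definitions.
     *
     * <p>Names without a known eIDAS definition are skipped with a warning. An attribute is marked
     * required when the OA marks it mandatory or the global STORK configuration does; a missing
     * ({@code null}) mandatory flag counts as "not mandatory" on both sides. When nothing remains,
     * the eIDAS PersonIdentifier is requested as mandatory default.
     *
     * @param requestedAttributes attributes requested by the online application, may be {@code null}
     * @return the attribute map for the AuthnRequest, never empty
     */
    private ImmutableAttributeMap buildRequestedAttributes(Collection<StorkAttribute> requestedAttributes) {
        List<AttributeDefinition<?>> definitions = new ArrayList<>();
        if (requestedAttributes != null) {
            for (StorkAttribute requested : requestedAttributes) {
                AttributeDefinition<?> definition = SAMLEngineUtils.getMapOfAllAvailableAttributes().get(requested.getName());
                if (definition == null) {
                    Logger.warn("eIDAS attribute with friendlyName:" + requested.getName() + " is not supported.");
                    continue;
                }
                boolean required = BooleanUtils.isTrue(requested.getMandatory()) || isMandatoryInStorkConfig(requested.getName());
                definitions.add(AttributeDefinition.builder(definition).required(required).build());
            }
        }
        if (definitions.isEmpty()) {
            Logger.info("No attributes requested by OA:" + this.pendingReq.getServiceProviderConfiguration().getUniqueIdentifier() + " -->  Request attr:" + Constants.eIDAS_ATTR_PERSONALIDENTIFIER + " by default");
            definitions.add(AttributeDefinition.builder(SAMLEngineUtils.getMapOfAllAvailableAttributes().get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER)).required(true).build());
        }
        return new ImmutableAttributeMap.Builder().putAll(definitions).build();
    }

    /**
     * Looks up whether the global STORK attribute configuration marks an attribute as mandatory.
     *
     * @param attributeName STORK attribute name as used by the online application
     * @return {@code true} if the first configured attribute with that name has mandatory set to
     *         {@code true}; {@code false} if none is configured or the flag is unset
     */
    private boolean isMandatoryInStorkConfig(String attributeName) {
        for (StorkAttribute configured : this.authConfig.getStorkConfig().getStorkAttributes()) {
            if (attributeName.equals(configured.getName())) {
                return BooleanUtils.isTrue(configured.getMandatory());
            }
        }
        return false;
    }

    /**
     * Populates the eIDAS AuthnRequest builder.
     *
     * <p>Level of assurance is the OA's configured QAA level (default {@code HIGH}) with comparison
     * {@code MINIMUM}; {@code spType} is {@code private} when the OA has a baseID transfer
     * restriction and {@code public} otherwise; the SP country code is read from configuration
     * (default {@code "AT"}).
     *
     * @param oaParams online-application configuration
     * @param cpeps node configuration of the citizen country
     * @param destination endpoint the request is addressed to
     * @param issuer this IdP's eIDAS metadata URL, used as request issuer
     * @param requestedAttributes attributes to request
     * @return the populated builder; caller invokes {@code build()}
     */
    private EidasAuthenticationRequest.Builder configureAuthnRequest(IOAAuthParameters oaParams, CPEPS cpeps, SingleSignOnService destination, String issuer, ImmutableAttributeMap requestedAttributes) {
        EidasAuthenticationRequest.Builder builder = new EidasAuthenticationRequest.Builder();
        builder.id(eu.eidas.auth.engine.xml.opensaml.SAMLEngineUtils.generateNCName());
        builder.providerName(this.pendingReq.getAuthURL());
        builder.issuer(issuer);
        builder.destination(destination.getLocation());
        builder.nameIdFormat(Constants.eIDAS_REQ_NAMEID_FORMAT);
        String qaaLevel = oaParams.getQaaLevel();
        builder.levelOfAssurance(MiscUtil.isNotEmpty(qaaLevel) ? LevelOfAssurance.fromString(qaaLevel) : LevelOfAssurance.HIGH);
        builder.levelOfAssuranceComparison(LevelOfAssuranceComparison.MINIMUM);
        builder.spType(oaParams.hasBaseIdTransferRestriction() ? SpType.PRIVATE.getValue() : SpType.PUBLIC.getValue());
        builder.serviceProviderCountryCode(this.authConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_COUNTRYCODE, "AT"));
        builder.citizenCountryCode(cpeps.getCountryCode());
        builder.requestedAttributes(requestedAttributes);
        return builder;
    }

    /**
     * Renders the HTTP-POST auto-submit form and writes it to the response.
     *
     * <p>The template receives {@code SAMLRequest} (base64 request), {@code RelayState} (the
     * pending-request id) and {@code action} (the destination URL taken from node metadata or
     * configuration). NOTE(review): these values are placed into HTML by the template; confirm
     * that {@code eidas_postbinding_template.vm} escapes them for the HTML attribute context.
     *
     * @param iRequest pending request; its id becomes the RelayState
     * @param singleSignOnService destination endpoint (location used as form action)
     * @param str base64-encoded AuthnRequest
     * @param iRequestMessage generated request message; its id is written to the revision log
     * @param httpServletResponse response to write the HTML form to
     * @throws MOAIDException if template rendering or writing the response fails
     */
    private void buildPostBindingRequest(IRequest iRequest, SingleSignOnService singleSignOnService, String str, IRequestMessage iRequestMessage, HttpServletResponse httpServletResponse) throws MOAIDException {
        try {
            Template template = VelocityProvider.getClassPathVelocityEngine().getTemplate(POST_BINDING_TEMPLATE);
            VelocityContext velocityContext = new VelocityContext();
            velocityContext.put("SAMLRequest", str);
            velocityContext.put("RelayState", iRequest.getPendingRequestId());
            velocityContext.put("action", singleSignOnService.getLocation());
            Logger.debug("Using SingleSignOnService url as action: " + singleSignOnService.getLocation());
            Logger.debug("Encoded SAMLRequest original: " + str);

            Logger.trace("Starting template merge");
            StringWriter html = new StringWriter();
            Logger.trace("Doing template merge");
            template.merge(velocityContext, html);
            Logger.trace("Template merge done");
            Logger.trace("Sending html content: " + html.getBuffer().toString());

            // Explicit charset: the declared content type is text/html; charset=utf-8.
            byte[] bytes = html.getBuffer().toString().getBytes(StandardCharsets.UTF_8);
            httpServletResponse.setContentType(MediaType.HTML_UTF_8.toString());
            httpServletResponse.setContentLength(bytes.length);
            httpServletResponse.getOutputStream().write(bytes);

            this.revisionsLogger.logEvent(iRequest, 6101, iRequestMessage.getRequest().getId());
        } catch (Exception e) {
            // Log with the cause so the stack trace is not lost before wrapping.
            Logger.error("Velocity general error: " + e.getMessage(), e);
            throw new MOAIDException("eIDAS.02", new Object[]{e.getMessage()}, e);
        }
    }

    /**
     * Picks the HTTP-POST {@code SingleSignOnService} from the node's IDPSSODescriptor.
     *
     * @param entityDescriptor node metadata
     * @return the last HTTP-POST endpoint listed, or {@code null} if there is no SAML 2.0
     *         IDPSSODescriptor or no HTTP-POST endpoint
     */
    private SingleSignOnService selectSingleSignOnServiceFromMetadata(EntityDescriptor entityDescriptor) {
        if (entityDescriptor.getIDPSSODescriptor(SAML2_PROTOCOL) == null) {
            return null;
        }
        SingleSignOnService selected = null;
        for (SingleSignOnService candidate : entityDescriptor.getIDPSSODescriptor(SAML2_PROTOCOL).getSingleSignOnServices()) {
            // Constant on the left: a missing binding attribute yields no match instead of an NPE.
            if (SAML2_HTTP_POST_BINDING.equals(candidate.getBinding())) {
                selected = candidate; // last matching endpoint wins, as before
            }
        }
        return selected;
    }
}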
