package at.gv.egovernment.moa.id.protocols.eidas.validator;

import at.gv.egiz.eaaf.core.api.IRequest;
import at.gv.egiz.eaaf.core.impl.data.Trible;
import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils;
import at.gv.egovernment.moa.id.auth.modules.eidas.utils.eIDASAttributeProcessingUtils;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
import eu.eidas.auth.commons.protocol.IAuthenticationResponse;
import eu.eidas.auth.commons.protocol.eidas.LevelOfAssurance;

/* loaded from: input_file:at/gv/egovernment/moa/id/protocols/eidas/validator/eIDASResponseValidator.class */
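/**
 * Validates an eIDAS authentication response against the requirements of the
 * requesting service provider (SP).
 *
 * <p>Two properties are checked: the Level of Assurance (LoA) asserted in the
 * response, and the country codes embedded in the PersonalIdentifier attribute.
 */
public class eIDASResponseValidator {
    /**
     * Checks the LoA and the PersonalIdentifier country binding of an eIDAS response.
     *
     * <p>The response is rejected when:
     * <ul>
     *   <li>the required or the asserted LoA cannot be resolved, or the asserted LoA is
     *       numerically lower than the one configured for the SP ({@code eIDAS.14});</li>
     *   <li>the PersonalIdentifier cannot be parsed, has no destination or citizen country,
     *       its destination country differs from {@code str}, or its citizen country differs
     *       from the country reported by the response ({@code eIDAS.16}).</li>
     * </ul>
     * Country codes are compared case-insensitively.
     *
     * <p>NOTE(review): a response that carries no String-valued PersonalIdentifier is only
     * logged as a warning and then accepted; none of the country checks run in that case.
     *
     * @param iRequest pending request; supplies the SP configuration with the required LoA
     * @param iAuthenticationResponse eIDAS response to validate
     * @param str country code of the SP that the identifier's destination country must match
     * @throws MOAIDException if one of the checks listed above fails
     */
    public static void validateResponse(IRequest iRequest, IAuthenticationResponse iAuthenticationResponse, String str) throws MOAIDException {
        IOAAuthParameters spConfig = (IOAAuthParameters) iRequest.getServiceProviderConfiguration(IOAAuthParameters.class);
        LevelOfAssurance requiredLoa = LevelOfAssurance.fromString(spConfig.getQaaLevel());
        LevelOfAssurance responseLoa = LevelOfAssurance.fromString(iAuthenticationResponse.getLevelOfAssurance());

        // An unresolvable LoA on either side must fail closed with the declared exception
        // type instead of surfacing as a NullPointerException in the comparison below.
        // The raw, unparsed value is deliberately not echoed into the log or the error.
        if (requiredLoa == null || responseLoa == null) {
            Logger.error("eIDAS Response LevelOfAssurance can not be verified! (Resp-LoA resolved:" + (responseLoa != null) + " Req-LoA resolved:" + (requiredLoa != null) + ")");
            throw new MOAIDException("eIDAS.14", new Object[]{responseLoa != null ? responseLoa.getValue() : "unknown"});
        }

        if (responseLoa.numericValue() < requiredLoa.numericValue()) {
            Logger.error("eIDAS Response LevelOfAssurance is lower than the required! (Resp-LoA:" + responseLoa.getValue() + " Req-LoA:" + requiredLoa.getValue() + ")");
            throw new MOAIDException("eIDAS.14", new Object[]{responseLoa.getValue()});
        }

        String responseCountry = iAuthenticationResponse.getCountry();
        Object identifierValue = iAuthenticationResponse.getAttributes().getFirstValue(SAMLEngineUtils.getMapOfAllAvailableAttributes().get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER));

        // instanceof is false for null, so this covers both a missing and a non-String value.
        // NOTE(review): fail-open path. The response passes validation without any country
        // binding check; whatever consumes the response afterwards has to enforce that the
        // attribute is present. Confirm this is intended.
        if (!(identifierValue instanceof String)) {
            Logger.warn("eIDAS Response include NO 'PersonalIdentifier' attriubte .... That can be a BIG problem in further processing steps");
            return;
        }
        String personalIdentifier = (String) identifierValue;

        Trible<String, String, String> parsedIdentifier = eIDASAttributeProcessingUtils.parseEidasPersonalIdentifier(personalIdentifier);
        if (parsedIdentifier == null) {
            throw new MOAIDException("eIDAS.16", new Object[]{Constants.eIDAS_ATTR_PERSONALIDENTIFIER, "Wrong identifier format"});
        }

        // The first element is treated as the citizen country and the second as the
        // destination country, as the log messages below state.
        String citizenCountry = (String) parsedIdentifier.getFirst();
        String destinationCountry = (String) parsedIdentifier.getSecond();

        // NOTE(review): the error logs below contain the full identifier value taken from
        // the response. Check that log access and retention fit the sensitivity of that value.
        if (MiscUtil.isEmpty(destinationCountry)) {
            Logger.error("eIDAS attribute value for PersonIdentifier includes NO destination country. Value:" + personalIdentifier);
            throw new MOAIDException("eIDAS.16", new Object[]{Constants.eIDAS_ATTR_PERSONALIDENTIFIER, "No or empty destination country"});
        }
        // The identifier must have been issued for this SP's country.
        if (!destinationCountry.equalsIgnoreCase(str)) {
            Logger.error("eIDAS attribute value for PersonIdentifier includes wrong destination country. Value:" + personalIdentifier + " SP-Country:" + str);
            throw new MOAIDException("eIDAS.16", new Object[]{Constants.eIDAS_ATTR_PERSONALIDENTIFIER, "Destination country does not match to SP country"});
        }
        if (MiscUtil.isEmpty(citizenCountry)) {
            Logger.error("eIDAS attribute value for PersonIdentifier includes NO citizen country. Value:" + personalIdentifier);
            throw new MOAIDException("eIDAS.16", new Object[]{Constants.eIDAS_ATTR_PERSONALIDENTIFIER, "No or empty citizen country"});
        }
        // The citizen country inside the identifier must match the country that the
        // response itself reports.
        if (!citizenCountry.equalsIgnoreCase(responseCountry)) {
            Logger.error("eIDAS attribute value for PersonIdentifier includes a citizen country that does not match to eIDAS Response node.  Value:" + personalIdentifier + " Response-Node Country:" + responseCountry);
            throw new MOAIDException("eIDAS.16", new Object[]{Constants.eIDAS_ATTR_PERSONALIDENTIFIER, "Citizen country does not match to eIDAS-node country that generates the response"});
        }
    }
}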
