package at.gv.egovernment.moa.id.auth.modules.elgamandates.tasks;

import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException;
import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask;
import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException;
import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding;
import at.gv.egiz.eaaf.modules.pvp2.impl.binding.RedirectBinding;
import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage;
import at.gv.egiz.eaaf.modules.pvp2.impl.message.PVPSProfileResponse;
import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils;
import at.gv.egiz.eaaf.modules.pvp2.impl.validation.EAAFURICompare;
import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory;
import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AssertionValidationExeption;
import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AuthnResponseValidationException;
import at.gv.egiz.eaaf.modules.pvp2.sp.impl.utils.AssertionAttributeExtractor;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionWrapper;
import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConstants;
import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandateServiceMetadataProvider;
import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandatesCredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
import java.io.IOException;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.transform.TransformerException;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.SecurityException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

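@Component("ReceiveElgaMandateResponseTask")
/* loaded from: input_file:at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.class */
public class ReceiveElgaMandateResponseTask extends AbstractAuthServletTask {

    /** Module name passed as first argument of every error id raised by this task. */
    private static final String MODULE_NAME = ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING;

    /**
     * Key under which the AuthnRequest ID was stored on the pending request before the
     * request was sent. The sending task is not visible here; the key must match it.
     */
    private static final String RAW_DATA_KEY_AUTHN_REQ_ID = "authnReqID";

    /** SAML 2.0 top-level status code that marks a successful response. */
    private static final String SAML2_STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";

    /** HTTP parameter that carries the Base64 SAML Response in the POST and Redirect bindings. */
    private static final String PARAM_SAML_RESPONSE = "SAMLResponse";

    /** Placeholder used when the response carries no (non-empty) StatusMessage. */
    private static final String NO_STATUS_MESSAGE = "No error message";

    // Assertion attributes whose values are written to the revision log after a successful
    // validation. NOTE(review): the semantics of these OIDs are not visible in this class —
    // confirm against the PVP attribute profile before relying on the names.
    private static final String ATTR_OID_LOGGED_WITH_6001 = "urn:oid:1.2.40.0.10.2.1.1.261.90";
    private static final String ATTR_OID_LOGGED_WITH_5100 = "urn:oid:1.2.40.0.10.2.1.1.261.68";

    // Revision-log event ids. The names describe where they are emitted in this task only;
    // confirm against the revision-log event catalogue.
    private static final int REVISION_RESPONSE_VERIFIED = 6003;
    private static final int REVISION_RESPONSE_REJECTED = 6002;
    private static final int REVISION_ASSERTION_ACCEPTED = 6001;
    private static final int REVISION_EVENT_5100 = 5100;
    private static final int REVISION_EVENT_5101 = 5101;

    @Autowired
    SAMLVerificationEngineSP samlVerificationEngine;

    @Autowired
    ELGAMandatesCredentialProvider credentialProvider;

    @Autowired
    ELGAMandateServiceMetadataProvider metadataProvider;

    /**
     * Receives the PVP 2.1 Response of the ELGA mandate-service, validates it and copies
     * the assertion attributes into the MOA session.
     *
     * <p>Processing order: decode by binding (POST or Redirect, selected by the HTTP method),
     * require a known issuer, verify the signature against the metadata trust engine,
     * check {@code InResponseTo} and the SAML status, validate the assertion, require all
     * mandatory attributes, then store every contained attribute in the session.
     *
     * @param executionContext    process execution context (not read by this task)
     * @param httpServletRequest  request carrying the SAML Response
     * @param httpServletResponse response, handed to the binding decoder
     * @throws TaskExecutionException for every failure; a revision-log event
     *         {@value #REVISION_RESPONSE_REJECTED} is written before the exception is thrown
     */
    public void execute(ExecutionContext executionContext, HttpServletRequest httpServletRequest,
            HttpServletResponse httpServletResponse) throws TaskExecutionException {
        try {
            // 1. Decode with the binding that matches the HTTP method. The EAAFURICompare
            //    carries the endpoint this task is reachable at; presumably the binding
            //    compares it with the Destination of the message.
            String httpMethod = httpServletRequest.getMethod();
            InboundMessage message;
            if ("POST".equalsIgnoreCase(httpMethod)) {
                Logger.debug("Receive PVP Response from ELGA mandate-service, by using POST-Binding.");
                message = new PostBinding().decode(httpServletRequest, httpServletResponse, this.metadataProvider, true,
                        new EAAFURICompare(this.pendingReq.getAuthURL() + ELGAMandatesAuthConstants.ENDPOINT_POST));
            } else if ("GET".equalsIgnoreCase(httpMethod)) {
                Logger.debug("Receive PVP Response from ELGA mandate-service, by using Redirect-Binding.");
                message = new RedirectBinding().decode(httpServletRequest, httpServletResponse, this.metadataProvider, true,
                        new EAAFURICompare(this.pendingReq.getAuthURL() + ELGAMandatesAuthConstants.ENDPOINT_REDIRECT));
            } else {
                Logger.warn("Receive PVP Response, but Binding (" + httpMethod + ") is not supported.");
                throw new AuthnResponseValidationException("sp.pvp2.03", new Object[]{MODULE_NAME});
            }

            // 2. The issuer must be known and the signature must be trusted (keys from metadata).
            if (MiscUtil.isEmpty(message.getEntityID())) {
                throw new InvalidProtocolRequestException("sp.pvp2.04", new Object[]{MODULE_NAME});
            }
            if (!message.isVerified()) {
                this.samlVerificationEngine.verify(message,
                        TrustEngineFactory.getSignatureKnownKeysTrustEngine(this.metadataProvider));
                message.setVerified(true);
            }
            Logger.debug("PVP Response from ELGA mandate-service is cryptographically valid.");
            this.revisionsLogger.logEvent(this.pendingReq, REVISION_RESPONSE_VERIFIED, httpServletRequest.getRemoteAddr());

            // 3. Only a SAML Response is acceptable here. Previously any other message type
            //    surfaced as a bare ClassCastException in the generic catch below.
            if (!(message instanceof PVPSProfileResponse)) {
                throw new AuthnResponseValidationException("sp.pvp2.12",
                        new Object[]{MODULE_NAME, "Received message is not a SAML2 Response"});
            }
            AssertionAttributeExtractor extractor = new AssertionAttributeExtractor(
                    preProcessAuthResponse((PVPSProfileResponse) message).getResponse());
            if (!extractor.containsAllRequiredAttributes(ELGAMandatesAuthConstants.getRequiredAttributeNames())) {
                Logger.warn("PVP Response from ELGA mandate-service contains not all requested attributes.");
                throw new AssertionValidationExeption("sp.pvp2.06", new Object[]{MODULE_NAME});
            }
            Logger.debug("Validation of PVP Response from ELGA mandate-service is complete.");

            // 4. Copy every attribute of the assertion into the MOA session and persist
            //    the pending request so the next task sees the data.
            AuthenticationSessionWrapper session =
                    (AuthenticationSessionWrapper) this.pendingReq.getSessionData(AuthenticationSessionWrapper.class);
            Set<String> attributeNames = extractor.getAllIncludeAttributeNames();
            for (String attributeName : attributeNames) {
                session.setGenericDataToSession(attributeName, extractor.getSingleAttributeValue(attributeName));
                Logger.debug("Add PVP-attribute " + attributeName + " into MOASession");
            }
            this.requestStoreage.storePendingRequest(this.pendingReq);

            this.revisionsLogger.logEvent(this.pendingReq, REVISION_ASSERTION_ACCEPTED,
                    extractor.getSingleAttributeValue(ATTR_OID_LOGGED_WITH_6001));
            this.revisionsLogger.logEvent(this.pendingReq, REVISION_EVENT_5100,
                    extractor.getSingleAttributeValue(ATTR_OID_LOGGED_WITH_5100));
            this.revisionsLogger.logEvent(this.pendingReq, REVISION_EVENT_5101, "nat");
            Logger.info("Receive a valid assertion from ELGA mandate-service " + message.getEntityID());

        } catch (CredentialsNotAvailableException e) {
            Logger.error("ELGA mandate-service: PVP response decrytion FAILED. No credential found.", e);
            this.revisionsLogger.logEvent(this.pendingReq, REVISION_RESPONSE_REJECTED);
            throw new TaskExecutionException(this.pendingReq, "ELGA mandate-service: PVP response decrytion FAILED. No credential found.", e);

        } catch (AssertionValidationExeption | AuthnResponseValidationException e) {
            Logger.info("ELGA mandate-service: PVP response validation FAILED. Msg:" + e.getMessage());
            this.revisionsLogger.logEvent(this.pendingReq, REVISION_RESPONSE_REJECTED, e.getErrorId());
            throw new TaskExecutionException(this.pendingReq, "ELGA mandate-service: PVP response validation FAILED.", e);

        } catch (MessageDecodingException | SecurityException e) {
            // The raw message is logged for diagnosis of decoding failures. It is neither decoded
            // nor verified at this point, so log consumers must treat it as untrusted input.
            // (Was "SAMLRequest", which never carries a Response in the SAML 2.0 bindings.)
            Logger.warn("Receive INVALID PVP Response from ELGA mandate-service: "
                    + httpServletRequest.getParameter(PARAM_SAML_RESPONSE), e);
            this.revisionsLogger.logEvent(this.pendingReq, REVISION_RESPONSE_REJECTED);
            throw new TaskExecutionException(this.pendingReq, "Receive INVALID PVP Response from ELGA mandate-service",
                    new AuthnResponseValidationException("sp.pvp2.12", new Object[]{MODULE_NAME, e.getMessage()}, e));

        } catch (IOException | MarshallingException | TransformerException e) {
            Logger.warn("Processing PVP response from ELGA mandate-service FAILED.", e);
            this.revisionsLogger.logEvent(this.pendingReq, REVISION_RESPONSE_REJECTED);
            throw new TaskExecutionException(this.pendingReq, "Processing PVP response from ELGA mandate-service FAILED.",
                    new AuthnResponseValidationException("sp.pvp2.12", new Object[]{MODULE_NAME, e.getMessage()}, e));

        } catch (Exception e) {
            // Boundary catch: the task framework only understands TaskExecutionException.
            Logger.info("ELGA mandate-service: General Exception. Msg:" + e.getMessage());
            this.revisionsLogger.logEvent(this.pendingReq, REVISION_RESPONSE_REJECTED);
            throw new TaskExecutionException(this.pendingReq, "ELGA mandate-service: General Exception.", e);
        }
    }

    /**
     * Checks {@code InResponseTo} and the SAML status of the response and, on success,
     * validates the assertion and replaces the stored SAML message by the DOM of the
     * (processed) response.
     *
     * @param samlResponse the decoded and signature-verified response
     * @return {@code samlResponse} with its SAML message updated
     * @throws AuthnResponseValidationException if {@code InResponseTo} does not match the stored
     *         AuthnRequest ID ({@code sp.pvp2.07}), the response carries no Status
     *         ({@code sp.pvp2.12}), or the status is not Success ({@code sp.pvp2.05} without
     *         and {@code sp.pvp2.09} with a nested status code)
     * @throws AssertionValidationExeption      if the assertion itself is rejected
     * @throws CredentialsNotAvailableException if the decryption credential is missing
     * @throws IOException                      from the DOM conversion of the response
     * @throws MarshallingException             from the DOM conversion of the response
     * @throws TransformerException             from the DOM conversion of the response
     */
    private PVPSProfileResponse preProcessAuthResponse(PVPSProfileResponse samlResponse) throws IOException,
            MarshallingException, TransformerException, AssertionValidationExeption, CredentialsNotAvailableException,
            AuthnResponseValidationException {
        Logger.debug("Start PVP-2.1 assertion processing... ");
        Response response = samlResponse.getResponse();

        // Replay / injection guard: the response must answer exactly the request we sent.
        String expectedReqId = (String) this.pendingReq.getRawData(RAW_DATA_KEY_AUTHN_REQ_ID, String.class);
        String inResponseTo = response.getInResponseTo();
        if (MiscUtil.isEmpty(expectedReqId) || MiscUtil.isEmpty(inResponseTo) || !expectedReqId.equals(inResponseTo)) {
            Logger.info("Validation of request/response IDs FAILED. ReqID:" + expectedReqId + " InRespTo:" + inResponseTo);
            throw new AuthnResponseValidationException("sp.pvp2.07", new Object[]{MODULE_NAME, "'InResponseTo'"});
        }

        // A Response without Status/StatusCode previously failed with a NullPointerException.
        if (response.getStatus() == null || response.getStatus().getStatusCode() == null) {
            throw new AuthnResponseValidationException("sp.pvp2.12",
                    new Object[]{MODULE_NAME, "Response contains no StatusCode"});
        }
        StatusCode statusCode = response.getStatus().getStatusCode();
        if (SAML2_STATUS_SUCCESS.equals(statusCode.getValue())) {
            this.samlVerificationEngine.validateAssertion(response, true,
                    this.credentialProvider.getIDPAssertionEncryptionCredential(),
                    this.pendingReq.getAuthURL() + ELGAMandatesAuthConstants.ENDPOINT_METADATA, MODULE_NAME);
            samlResponse.setSAMLMessage(SAML2Utils.asDOMDocument(response).getDocumentElement());
            return samlResponse;
        }
        throw failureStatusToException(response, statusCode);
    }

    /**
     * Builds the exception for a non-Success response, logging the status first.
     * Uses the null-safe status message for both the log line and the error arguments;
     * the previous code dereferenced a possibly absent StatusMessage in the arguments.
     *
     * @param response   the response whose status is not Success
     * @param statusCode its top-level status code (non-null)
     * @return {@code sp.pvp2.05} when no nested status code is present, else {@code sp.pvp2.09}
     */
    private AuthnResponseValidationException failureStatusToException(Response response, StatusCode statusCode) {
        String statusMessage = statusMessageOf(response);
        String issuer = issuerOf(response);
        StatusCode nestedCode = statusCode.getStatusCode();
        if (nestedCode == null) {
            Logger.info("Receive StatusCode:" + statusCode.getValue() + " | Msg:" + statusMessage + " from federated IDP.");
            return new AuthnResponseValidationException("sp.pvp2.05",
                    new Object[]{MODULE_NAME, issuer, statusCode.getValue(), statusMessage});
        }
        Logger.info("Receive StatusCode:" + statusCode.getValue() + " -> StatusCode:" + nestedCode.getValue()
                + " | Msg:" + statusMessage + " from federated IDP.");
        return new AuthnResponseValidationException("sp.pvp2.09",
                new Object[]{MODULE_NAME, issuer, statusCode.getValue(), nestedCode.getValue(), statusMessage});
    }

    /** Returns the StatusMessage text, or {@value #NO_STATUS_MESSAGE} when absent or empty. */
    private static String statusMessageOf(Response response) {
        if (response.getStatus() != null && response.getStatus().getStatusMessage() != null
                && MiscUtil.isNotEmpty(response.getStatus().getStatusMessage().getMessage())) {
            return response.getStatus().getStatusMessage().getMessage();
        }
        return NO_STATUS_MESSAGE;
    }

    /** Returns the Issuer value, or {@code "unknown"} when the response carries no Issuer. */
    private static String issuerOf(Response response) {
        if (response.getIssuer() != null && MiscUtil.isNotEmpty(response.getIssuer().getValue())) {
            return response.getIssuer().getValue();
        }
        return "unknown";
    }
}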
