package at.gv.egovernment.moa.id.auth.modules.federatedauth.tasks;

import at.gv.egiz.eaaf.core.api.idp.IConfigurationWithSP;
import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException;
import at.gv.egiz.eaaf.core.exceptions.EAAFStorageException;
import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException;
import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper;
import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask;
import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException;
import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding;
import at.gv.egiz.eaaf.modules.pvp2.impl.binding.RedirectBinding;
import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage;
import at.gv.egiz.eaaf.modules.pvp2.impl.message.PVPSProfileResponse;
import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils;
import at.gv.egiz.eaaf.modules.pvp2.impl.validation.EAAFURICompare;
import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory;
import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AssertionValidationExeption;
import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AuthnResponseValidationException;
import at.gv.egiz.eaaf.modules.pvp2.sp.impl.utils.AssertionAttributeExtractor;
import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants;
import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.id.moduls.SSOManager;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder;
import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP;
import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.transform.TransformerException;
import org.opensaml.saml2.core.Response;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.SecurityException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

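/**
 * Authentication-process task that receives the PVP (SAML 2.0) response of a federated IDP,
 * verifies it and transfers the result into the pending request.
 *
 * <p>Processing order, as implemented in {@link #execute}: decode the message with the binding
 * selected by the HTTP method, verify its signature if the binding has not done so, check the
 * SAML status and assertion ({@link #preProcessAuthResponse}), check that the issuer is configured
 * as a federated IDP, and then either forward the minimal front-channel data (requesting SP is
 * itself a federated IDP) or copy the assertion attributes into the session
 * ({@link #getAuthDataFromInterfederation}).
 *
 * <p>Every failure ends in a {@link TaskExecutionException}, except a validation failure for which
 * the issuer configuration allows a fall-back to local authentication
 * (see {@link #handleAuthnResponseValidationProblem}).
 */
@Component("ReceiveFederatedAuthnResponseTask")
/* loaded from: input_file:at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.class */
public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {

    /** SAML 2.0 top-level status code that signals a successful authentication. */
    private static final String SAML_STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";

    /** PVP attribute whose value is normalised to the STORK citizen-QAA-level URI form. */
    private static final String QAA_LEVEL_ATTR_OID = "urn:oid:1.2.40.0.10.2.1.1.261.94";

    /** URI prefix that {@link #QAA_LEVEL_ATTR_OID} values are expected to carry. */
    private static final String STORK_QAA_PREFIX = "http://www.stork.gov.eu/1.0/citizenQAALevel/";

    /**
     * Alternative minimal attribute set that is accepted instead of the extractor's default required
     * set. (The meaning of the individual OIDs is not shown in this file.)
     */
    private static final List<String> MINIMAL_ATTRIBUTE_SET = Collections.unmodifiableList(Arrays.asList(
            "urn:oid:1.2.40.0.10.2.1.1.261.38",
            "urn:oid:1.2.40.0.10.2.1.1.261.36",
            "urn:oid:1.2.40.0.10.2.1.1.261.104"));

    @Autowired
    private SAMLVerificationEngineSP samlVerificationEngine;

    @Autowired
    private FederatedAuthCredentialProvider credentialProvider;

    @Autowired
    private SSOManager ssoManager;

    @Autowired
    private AttributQueryBuilder attributQueryBuilder;

    @Autowired
    private AuthenticationDataBuilder authDataBuilder;

    @Autowired(required = true)
    MOAMetadataProvider metadataProvider;

    @Autowired(required = true)
    protected IAuthenticationSessionStoreage authenticatedSessionStorage;

    @Autowired(required = true)
    protected IConfigurationWithSP authConfigWithSp;

    /**
     * Decodes, verifies and processes the PVP response delivered by a federated IDP.
     *
     * <p>The binding is chosen from the HTTP method (POST-Binding for {@code POST}, Redirect-Binding
     * for {@code GET}); any other method is rejected. After a successful run the pending request
     * carries the processed response and the IDP entity id in its transaction data, user consent is
     * switched off and the request is stored. A validation failure is handed to
     * {@link #handleAuthnResponseValidationProblem}, which either re-throws or switches the execution
     * context to local authentication and lets this method return normally.
     *
     * @param executionContext    process-engine context; only written when falling back to local authentication
     * @param httpServletRequest  request carrying the SAML message
     * @param httpServletResponse response passed through to the binding decoder
     * @throws TaskExecutionException if the response cannot be decoded, verified or processed and no
     *         local-authentication fall-back applies. Any unexpected exception is wrapped as well, so the
     *         task never completes silently after a failure.
     */
    public void execute(ExecutionContext executionContext, HttpServletRequest httpServletRequest,
            HttpServletResponse httpServletResponse) throws TaskExecutionException {
        // Kept outside the try so the validation-failure handler can use the issuer of the decoded message.
        InboundMessage msg = null;
        try {
            final PostBinding binding; // RedirectBinding is assignable to this type (taken from the original)
            final EAAFURICompare endpointComparator;
            final String method = httpServletRequest.getMethod();
            if ("POST".equalsIgnoreCase(method)) {
                binding = new PostBinding();
                endpointComparator = new EAAFURICompare(this.pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_POST);
                Logger.trace("Receive PVP Response from federated IDP, by using POST-Binding.");
            } else if ("GET".equalsIgnoreCase(method)) {
                binding = new RedirectBinding();
                endpointComparator = new EAAFURICompare(this.pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_REDIRECT);
                Logger.trace("Receive PVP Response from federated IDP, by using Redirect-Binding.");
            } else {
                Logger.warn("Receive PVP Response, but Binding (" + method + ") is not supported.");
                throw new AuthnResponseValidationException("sp.pvp2.03", new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING});
            }

            // The boolean flag is passed through unchanged; its meaning is defined by the binding's decode contract.
            msg = binding.decode(httpServletRequest, httpServletResponse, this.metadataProvider, true, endpointComparator);
            if (msg == null || MiscUtil.isEmpty(msg.getEntityID())) {
                throw new InvalidProtocolRequestException("sp.pvp2.04", new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING});
            }
            if (!msg.isVerified()) {
                // Signature check against the keys known from metadata, unless the binding already verified the message.
                this.samlVerificationEngine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine(this.metadataProvider));
                msg.setVerified(true);
            }
            // Revision-log event id as used by the original code (defined in the project's event constants).
            this.revisionsLogger.logEvent(this.pendingReq, 3102);

            final PVPSProfileResponse processedResponse = preProcessAuthResponse((PVPSProfileResponse) msg);

            final IOAAuthParameters idpConfig = (IOAAuthParameters) this.authConfigWithSp
                    .getServiceProviderConfiguration(msg.getEntityID(), IOAAuthParameters.class);
            final IOAAuthParameters spConfig = (IOAAuthParameters) this.pendingReq
                    .getServiceProviderConfiguration(IOAAuthParameters.class);
            // An issuer without configuration is treated like one that is not a federated IDP (fail closed).
            if (idpConfig == null || !idpConfig.isInderfederationIDP()) {
                Logger.warn("Response Issuer is not a federated IDP. Stopping federated authentication ...");
                throw new AuthnResponseValidationException("sp.pvp2.08",
                        new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING, msg.getEntityID()});
            }

            final AssertionAttributeExtractor extractor = new AssertionAttributeExtractor(processedResponse.getResponse());
            if (spConfig.isInderfederationIDP()) {
                // The requesting SP is itself a federated IDP: forward only the minimal front-channel data.
                this.pendingReq.setRawDataToTransaction("useMinimalFrontChannelResponse", true);
                this.pendingReq.setRawDataToTransaction("federatedNameID", extractor.getNameID());
                this.pendingReq.setRawDataToTransaction("federatedQAALevel", extractor.getQAALevel());
                this.authenticatedSessionStorage.addFederatedSessionInformation(this.pendingReq, idpConfig.getPublicURLPrefix(), extractor);
            } else {
                getAuthDataFromInterfederation(extractor, spConfig, idpConfig);
                if (idpConfig.isInterfederationSSOStorageAllowed()) {
                    this.authenticatedSessionStorage.addFederatedSessionInformation(this.pendingReq, idpConfig.getPublicURLPrefix(), extractor);
                }
            }

            this.pendingReq.setRawDataToTransaction("interIDPResponse", processedResponse);
            this.pendingReq.setRawDataToTransaction("interIDPEntityID", processedResponse.getEntityID());
            this.pendingReq.setNeedUserConsent(false);
            this.requestStoreage.storePendingRequest(this.pendingReq);
            this.revisionsLogger.logEvent(this.pendingReq, 4011);
            Logger.info("Receive a valid assertion from IDP " + msg.getEntityID());

        } catch (IOException | MarshallingException | TransformerException e) {
            Logger.warn("Processing PVP response from federated IDP FAILED.", e);
            throw new TaskExecutionException(this.pendingReq, "Processing PVP response from federated IDP FAILED.", e);

        } catch (MessageDecodingException | SecurityException e) {
            // A SAML response travels in the "SAMLResponse" binding parameter; the logged value is
            // unverified, attacker-controlled input and may contain personal data once decoded.
            Logger.warn("Receive INVALID PVP Response from federated IDP: " + httpServletRequest.getParameter("SAMLResponse"), e);
            throw new TaskExecutionException(this.pendingReq, "Receive INVALID PVP Response from federated IDP", e);

        } catch (CredentialsNotAvailableException e) {
            Logger.error("PVP response decrytion FAILED. No credential found.", e);
            throw new TaskExecutionException(this.pendingReq, "PVP response decrytion FAILED. No credential found.", e);

        } catch (AssertionValidationExeption | AuthnResponseValidationException e) {
            Logger.info("PVP response validation FAILED. Msg:" + e.getMessage());
            if (msg == null) {
                // Failed before the issuer is known: no IDP configuration to consult for a fall-back.
                throw new TaskExecutionException(this.pendingReq, "PVP response validation FAILED.", e);
            }
            try {
                final IOAAuthParameters idpConfig = (IOAAuthParameters) this.authConfigWithSp
                        .getServiceProviderConfiguration(msg.getEntityID(), IOAAuthParameters.class);
                this.ssoManager.removeInterfederatedSSOIDP(msg.getEntityID(), httpServletRequest);
                handleAuthnResponseValidationProblem(executionContext, idpConfig, e);
            } catch (EAAFConfigurationException e2) {
                Logger.error("Can not handle error during an internal problem. ", e2);
                throw new TaskExecutionException(this.pendingReq, "PVP response validation FAILED.", e);
            }

        } catch (Exception e) {
            // Fail closed: an unhandled error must never let the task complete as if the response were valid.
            Logger.warn("Processing PVP response from federated IDP FAILED with an unexpected error.", e);
            throw new TaskExecutionException(this.pendingReq, "Processing PVP response from federated IDP FAILED.", e);
        }
    }

    /**
     * Copies the attributes of a validated interfederation assertion into the session data of the pending request.
     *
     * <p>The assertion must contain either the extractor's default required attributes or the
     * {@link #MINIMAL_ATTRIBUTE_SET}; otherwise it is rejected. No AttributeQuery round-trip is performed
     * here, even though the attribute list for one is built. The QAA-level attribute is prefixed with
     * {@link #STORK_QAA_PREFIX} when it lacks it; all other attributes are copied unchanged. Finally the
     * assertion's NotOnOrAfter value is stored under {@code federationRespValidTo}.
     *
     * @param extractor attribute view of the validated assertion
     * @param spConfig  configuration of the service provider that started the pending request
     * @param idpConfig configuration of the federated IDP that issued the assertion (currently unused)
     * @throws BuildException         wrapping any validation, storage or configuration error (code {@code builder.06})
     * @throws ConfigurationException declared for callers; configuration errors are currently wrapped in {@link BuildException}
     */
    private void getAuthDataFromInterfederation(AssertionAttributeExtractor extractor, IOAAuthParameters spConfig,
            IOAAuthParameters idpConfig) throws BuildException, ConfigurationException {
        try {
            Logger.debug("Service Provider is no federated IDP --> start Attribute validation or requesting ... ");
            final boolean hasMinimalAttributes = extractor.containsAllRequiredAttributes()
                    || extractor.containsAllRequiredAttributes(MINIMAL_ATTRIBUTE_SET);
            if (!hasMinimalAttributes) {
                Logger.info("Received assertion does no contain a minimum set of attributes. Starting AttributeQuery process ...");
                // NOTE(review): the built list is discarded because no AttributeQuery is sent from this task; the
                // call is kept so the method's exception profile stays as before, and the response is rejected below.
                this.attributQueryBuilder.buildSAML2AttributeList(spConfig, Collections.emptyIterator());
                Logger.warn("PVP Response from federated IDP contains not all requested attributes.");
                throw new AssertionValidationExeption("sp.pvp2.06", new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING});
            }
            Logger.info("Interfedation response include a minimal set of attributes with are required. Skip AttributQuery request step. ");

            final AuthProcessDataWrapper sessionData =
                    (AuthProcessDataWrapper) this.pendingReq.getSessionData(AuthProcessDataWrapper.class);
            for (String attrName : extractor.getAllIncludeAttributeNames()) {
                String value = extractor.getSingleAttributeValue(attrName);
                if (QAA_LEVEL_ATTR_OID.equals(attrName)) {
                    Logger.trace("Find PVP-attribute " + attrName + ". Start mapping if neccessary ... ");
                    // A missing value is stored as-is; only a present value without the prefix is normalised.
                    if (value != null && !value.startsWith(STORK_QAA_PREFIX)) {
                        value = STORK_QAA_PREFIX + value;
                        Logger.debug("Prefix '" + attrName + "' with: " + STORK_QAA_PREFIX);
                    }
                }
                sessionData.setGenericDataToSession(attrName, value);
                Logger.debug("Add PVP-attribute " + attrName + " into MOASession");
            }
            sessionData.setGenericDataToSession("federationRespValidTo", extractor.getAssertionNotOnOrAfter());

        } catch (MOAIDException e) {
            throw new BuildException("builder.06", (Object[]) null, e);
        } catch (AssertionValidationExeption e) {
            throw new BuildException("builder.06", (Object[]) null, e);
        } catch (EAAFStorageException e) {
            throw new BuildException("builder.06", (Object[]) null, e);
        }
    }

    /**
     * Decides how a failed response validation ends.
     *
     * <p>If the issuing IDP's configuration permits local authentication on interfederation errors, the
     * execution context is switched to local authentication with BKU selection and the interfederation
     * flag is removed, so the process continues on this IDP. Otherwise the failure is re-thrown.
     *
     * @param executionContext process-engine context to update on fall-back
     * @param idpConfig        configuration of the issuing IDP; {@code null} means no fall-back
     * @param cause            the validation failure
     * @throws TaskExecutionException if no fall-back to local authentication is configured
     */
    private void handleAuthnResponseValidationProblem(ExecutionContext executionContext, IOAAuthParameters idpConfig,
            Throwable cause) throws TaskExecutionException {
        final boolean fallbackAllowed = idpConfig != null && idpConfig.isPerformLocalAuthenticationOnInterfederationError();
        if (!fallbackAllowed) {
            throw new TaskExecutionException(this.pendingReq, "PVP response validation FAILED.", cause);
        }
        Logger.info("Switch to local authentication on this IDP ... ");
        executionContext.put("requireLocalAuthentication", true);
        executionContext.put("performBKUSelection", true);
        executionContext.remove("interfederationAuthentication");
    }

    /**
     * Checks the SAML status of the response and validates (and, where needed, decrypts) its assertion.
     *
     * <p>Only {@link #SAML_STATUS_SUCCESS} is accepted; any other status is reported with the issuer and
     * status code. The assertion is validated by the verification engine using this module's encryption
     * credential and metadata endpoint, and the response DOM is stored back into the message.
     *
     * @param pvpResponse the decoded PVP response message
     * @return the same message, with its SAML DOM element refreshed
     * @throws AuthnResponseValidationException if the status code is not {@code Success} (code {@code sp.pvp2.05})
     * @throws AssertionValidationExeption     if the assertion does not validate
     * @throws CredentialsNotAvailableException if the decryption credential is missing
     * @throws IOException, MarshallingException, TransformerException on DOM serialisation problems
     */
    private PVPSProfileResponse preProcessAuthResponse(PVPSProfileResponse pvpResponse) throws IOException,
            MarshallingException, TransformerException, AssertionValidationExeption,
            CredentialsNotAvailableException, AuthnResponseValidationException {
        Logger.debug("Start PVP21 assertion processing... ");
        final Response response = pvpResponse.getResponse();
        // A response without Status/StatusCode is treated like a non-success status instead of failing with an NPE.
        final String statusCode = response.getStatus() != null && response.getStatus().getStatusCode() != null
                ? response.getStatus().getStatusCode().getValue()
                : null;
        if (!SAML_STATUS_SUCCESS.equals(statusCode)) {
            final String issuer = response.getIssuer() != null ? response.getIssuer().getValue() : null;
            Logger.info("Receive StatusCode " + statusCode + " from federated IDP.");
            throw new AuthnResponseValidationException("sp.pvp2.05",
                    new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING, issuer, statusCode});
        }
        this.samlVerificationEngine.validateAssertion(response, true,
                this.credentialProvider.getIDPAssertionEncryptionCredential(),
                this.pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_METADATA,
                FederatedAuthConstants.MODULE_NAME_FOR_LOGGING);
        pvpResponse.setSAMLMessage(SAML2Utils.asDOMDocument(response).getDocumentElement());
        return pvpResponse;
    }
}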
