package at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder;

import at.gv.egiz.eaaf.core.api.data.ILoALevelMapper;
import at.gv.egiz.eaaf.core.api.idp.IAuthData;
import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration;
import at.gv.egiz.eaaf.core.api.idp.slo.SLOInformationInterface;
import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException;
import at.gv.egiz.eaaf.core.impl.data.Pair;
import at.gv.egiz.eaaf.core.impl.utils.Random;
import at.gv.egiz.eaaf.modules.pvp2.PVPConstants;
import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2Exception;
import at.gv.egiz.eaaf.modules.pvp2.exception.QAANotSupportedException;
import at.gv.egiz.eaaf.modules.pvp2.idp.api.builder.ISubjectNameIdGenerator;
import at.gv.egiz.eaaf.modules.pvp2.idp.exception.ResponderErrorException;
import at.gv.egiz.eaaf.modules.pvp2.idp.exception.UnprovideableAttributeException;
import at.gv.egiz.eaaf.modules.pvp2.idp.impl.PVPSProfilePendingRequest;
import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PVPAttributeBuilder;
import at.gv.egiz.eaaf.modules.pvp2.impl.utils.QAALevelVerifier;
import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import org.apache.commons.lang3.StringUtils;
import org.joda.time.DateTime;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeQuery;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.AuthnContext;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.RequestedAuthnContext;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.saml2.core.SubjectConfirmationData;
import org.opensaml.saml2.core.impl.AuthnRequestImpl;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.AttributeConsumingService;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.NameIDFormat;
import org.opensaml.saml2.metadata.RequestedAttribute;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.springframework.util.Base64Utils;

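/* loaded from: input_file:at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/PVP2AssertionBuilder.class */
/**
 * Builds the SAML 2.0 {@link Assertion} an IDP returns for a PVP2 AuthnRequest or AttributeQuery.
 * <p>
 * The builder resolves the LoA (authentication context) to assert, the attributes the SP asked for
 * in its metadata, the subject NameID (including transient-ID derivation) and the bearer
 * SubjectConfirmationData, and then assembles them via {@link #buildGenericAssertion}.
 * Signing is not done here.
 */
@Service("PVP2AssertionBuilder")
public class PVP2AssertionBuilder implements PVPConstants {
    private static final Logger log = LoggerFactory.getLogger(PVP2AssertionBuilder.class);

    /** Protocol namespace used to select the SP's SSO descriptor from its metadata. */
    private static final String SAML2_PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol";
    private static final String NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient";
    private static final String NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";
    private static final String NAMEID_UNSPECIFIED_SAML11 = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";
    private static final String NAMEID_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity";
    private static final String CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer";
    /** Prefix of the eIDAS LoA URIs that are accepted without going through the LoA mapper. */
    private static final String EIDAS_LOA_PREFIX = "http://eidas.europa.eu/LoA/";
    /** Comparison applied when the AuthnRequest does not state one. */
    private static final String DEFAULT_LOA_COMPARISON = "minimum";
    /** Raw-data key under which the pending request stores the requester's IP (key spelling is part of the contract). */
    private static final String REQUESTER_IP_RAW_DATA_KEY = "reqestImpl_requesterIPAddr";
    /**
     * Digest used to derive a transient NameID. A fresh 32-hex random value is mixed into the
     * input on every call, so unpredictability comes from that randomness, not from the digest
     * strength; the algorithm is kept for compatibility with existing session/SLO data.
     */
    private static final String TRANSIENT_NAMEID_DIGEST = "SHA-1";
    /** Error code reported when the subject NameID cannot be derived. */
    private static final String RESPONDER_ERROR_SUBJECT_NAMEID = "pvp2.13";

    @Autowired
    private ILoALevelMapper loaLevelMapper;

    @Autowired
    private ISubjectNameIdGenerator subjectNameIdGenerator;

    /**
     * Builds an assertion answering a SAML {@link AttributeQuery}.
     * <p>
     * The subject NameID (format and value) is copied from the query's subject and the query's
     * issuer becomes the audience of the assertion. No SubjectConfirmationData is added.
     *
     * @param issuerEntityId entity ID of this IDP; a trailing {@code /} is stripped
     * @param attributeQuery the query being answered; must carry an issuer and a subject with a NameID
     * @param attributes attributes to include; an empty or {@code null} list yields no AttributeStatement
     * @param issueInstant issue instant, AuthnInstant and NotBefore of the assertion
     * @param notOnOrAfter end of the assertion's validity (Conditions/NotOnOrAfter)
     * @param authnContextClassRef authentication context class reference to assert
     * @param sessionIndex session index placed into the AuthnStatement
     * @return the populated, unsigned assertion
     * @throws PVP2Exception if a SAML object cannot be created
     */
    public Assertion buildAssertion(String issuerEntityId, AttributeQuery attributeQuery, List<Attribute> attributes, DateTime issueInstant, DateTime notOnOrAfter, String authnContextClassRef, String sessionIndex) throws PVP2Exception {
        AuthnContextClassRef classRef = (AuthnContextClassRef) SAML2Utils.createSAMLObject(AuthnContextClassRef.class);
        classRef.setAuthnContextClassRef(authnContextClassRef);

        NameID querySubject = attributeQuery.getSubject().getNameID();
        NameID nameID = (NameID) SAML2Utils.createSAMLObject(NameID.class);
        nameID.setFormat(querySubject.getFormat());
        nameID.setValue(querySubject.getValue());

        return buildGenericAssertion(issuerEntityId, attributeQuery.getIssuer().getValue(), issueInstant, classRef, attributes, nameID, null, sessionIndex, notOnOrAfter);
    }

    /**
     * Builds the assertion for an SSO {@link AuthnRequest}.
     * <p>
     * Steps: (1) verify the authenticated LoA against the request / SP configuration and pick the
     * AuthnContextClassRef, (2) build the attributes declared by the SP's selected
     * AttributeConsumingService, (3) generate the subject NameID in the format negotiated between
     * request and metadata (transient IDs are derived per response), (4) create bearer
     * SubjectConfirmationData bound to the request ID, ACS location and requester IP, and
     * (5) record NameID and session index in the SLO information.
     *
     * @param issuerEntityId entity ID of this IDP; a trailing {@code /} is stripped
     * @param pendingReq pending request providing the SP configuration and raw request data
     * @param authnRequest the SP's AuthnRequest
     * @param authData authentication result of the user
     * @param spMetadata SP metadata; must contain an SPSSODescriptor for the SAML 2.0 protocol
     * @param issueInstant issue instant, AuthnInstant and NotBefore of the assertion
     * @param acs assertion consumer service the response is sent to (used as Recipient)
     * @param sloInformation receives NameID, NameID format and session index for later logout
     * @return the populated, unsigned assertion
     * @throws QAANotSupportedException if the request names only LoA values this IDP cannot map
     * @throws UnprovideableAttributeException if a required attribute cannot be provided
     * @throws ResponderErrorException if the transient NameID cannot be derived
     * @throws PVP2Exception on LoA verification failure or other build errors
     */
    public Assertion buildAssertion(String issuerEntityId, PVPSProfilePendingRequest pendingReq, AuthnRequest authnRequest, IAuthData authData, EntityDescriptor spMetadata, DateTime issueInstant, AssertionConsumerService acs, SLOInformationInterface sloInformation) throws PVP2Exception {
        ISPConfiguration spConfig = pendingReq.getServiceProviderConfiguration();

        AuthnContextClassRef authnContextClassRef = resolveAuthnContextClassRef(authnRequest, authData, spConfig);

        SPSSODescriptor spSsoDescriptor = spMetadata.getSPSSODescriptor(SAML2_PROTOCOL_NS);
        List<Attribute> attributes = new ArrayList<>();
        AttributeConsumingService attributeService = selectAttributeConsumingService(spSsoDescriptor, authnRequest);
        if (attributeService != null) {
            attributes.addAll(buildRequestedAttributes(attributeService, spConfig, authData));
        }

        NameID nameID = (NameID) SAML2Utils.createSAMLObject(NameID.class);
        Pair<String, String> subjectNameId = this.subjectNameIdGenerator.generateSubjectNameId(authData, spConfig);
        nameID.setValue((String) subjectNameId.getFirst());
        nameID.setNameQualifier((String) subjectNameId.getSecond());

        String nameIdFormat = resolveNameIdFormat(authnRequest, spSsoDescriptor);
        if (NAMEID_TRANSIENT.equals(nameIdFormat) || NAMEID_UNSPECIFIED_SAML11.equals(nameIdFormat)) {
            // An "unspecified" request is answered with a transient ID as well.
            nameID.setValue(deriveTransientNameId(nameID.getValue()));
            nameID.setNameQualifier(null);
            nameID.setFormat(NAMEID_TRANSIENT);
        } else {
            nameID.setFormat(nameIdFormat);
        }

        // Re-use the NameID and session index of an existing SSO session when its format matches
        // the one negotiated for this response; otherwise a fresh session index is generated.
        String sessionIndex = null;
        if (StringUtils.isNotEmpty(authData.getNameID()) && StringUtils.isNotEmpty(authData.getNameIDFormat())
                && nameIdFormat.equals(authData.getNameIDFormat())) {
            nameID.setValue(authData.getNameID());
            sessionIndex = authData.getSessionIndex();
        }
        if (StringUtils.isEmpty(sessionIndex)) {
            sessionIndex = SAML2Utils.getSecureIdentifier();
        }

        SubjectConfirmationData subjectConfirmationData = (SubjectConfirmationData) SAML2Utils.createSAMLObject(SubjectConfirmationData.class);
        subjectConfirmationData.setInResponseTo(authnRequest.getID());
        subjectConfirmationData.setNotOnOrAfter(new DateTime(authData.getSsoSessionValidTo().getTime()));
        subjectConfirmationData.setRecipient(acs.getLocation());
        String requesterIp = (String) pendingReq.getRawData(REQUESTER_IP_RAW_DATA_KEY, String.class);
        if (StringUtils.isNotEmpty(requesterIp)) {
            subjectConfirmationData.setAddress(requesterIp);
        }

        sloInformation.setUserNameIdentifier(nameID.getValue());
        sloInformation.setNameIDFormat(nameID.getFormat());
        sloInformation.setSessionIndex(sessionIndex);

        return buildGenericAssertion(issuerEntityId, spMetadata.getEntityID(), issueInstant, authnContextClassRef, attributes, nameID, subjectConfirmationData, sessionIndex, subjectConfirmationData.getNotOnOrAfter());
    }

    /**
     * Verifies the authenticated eIDAS LoA against the request and returns the class reference to assert.
     * <p>
     * With a RequestedAuthnContext present, the authenticated LoA is verified against the requested
     * LoA values (after mapping non-eIDAS values through the LoA mapper) or, when the element lists
     * none, against the SP's configured required LoA. The asserted value is always the level the
     * user actually authenticated with.
     *
     * @throws QAANotSupportedException if no requested value could be mapped to an eIDAS LoA
     * @throws PVP2Exception if the authenticated LoA does not satisfy the requirement
     */
    private AuthnContextClassRef resolveAuthnContextClassRef(AuthnRequest authnRequest, IAuthData authData, ISPConfiguration spConfig) throws PVP2Exception {
        String authenticatedLoa = authData.getEIDASQAALevel();
        RequestedAuthnContext requested = authnRequest.getRequestedAuthnContext();
        if (requested == null) {
            // NOTE(review): without a RequestedAuthnContext no verification against
            // spConfig.getRequiredLoA() is performed, unlike the empty-list branch below.
            // Behaviour kept as-is; confirm whether the SP's configured LoA should apply here too.
            log.debug("AuthnRequest contains no RequestedAuthnContext. Asserting authenticated LoA without verification.");
        } else {
            String comparison = DEFAULT_LOA_COMPARISON;
            if (requested.getComparison() != null && StringUtils.isNotEmpty(requested.getComparison().toString())) {
                comparison = requested.getComparison().toString();
            }
            List<AuthnContextClassRef> requestedRefs = requested.getAuthnContextClassRefs();
            if (requestedRefs == null || requestedRefs.isEmpty()) {
                QAALevelVerifier.verifyQAALevel(authenticatedLoa, spConfig.getRequiredLoA(), comparison);
            } else {
                List<String> requestedLoas = mapToEidasLoa(requestedRefs);
                if (requestedLoas.isEmpty()) {
                    log.info("Authn. request contains no supported LoA level. Stop authentication process ... ");
                    throw new QAANotSupportedException("No supported LoA in Authn. request");
                }
                QAALevelVerifier.verifyQAALevel(authenticatedLoa, requestedLoas, comparison);
            }
        }

        AuthnContextClassRef classRef = (AuthnContextClassRef) SAML2Utils.createSAMLObject(AuthnContextClassRef.class);
        classRef.setAuthnContextClassRef(authenticatedLoa);
        return classRef;
    }

    /**
     * Maps the requested AuthnContextClassRef values to eIDAS LoA URIs.
     * <p>
     * Values already in the eIDAS namespace are taken as-is; other values go through the LoA mapper
     * when one is configured and are otherwise ignored. Empty elements and mapper results of
     * {@code null} are skipped so the verifier never sees a {@code null} entry.
     *
     * @return the mapped LoA values, possibly empty; never {@code null}
     */
    private List<String> mapToEidasLoa(List<AuthnContextClassRef> requestedRefs) {
        List<String> result = new ArrayList<>();
        for (AuthnContextClassRef ref : requestedRefs) {
            String value = ref.getAuthnContextClassRef();
            if (value == null) {
                log.debug("AuthnRequest contains an empty AuthnContextClassRef element, ignore it");
                continue;
            }
            String trimmed = value.trim();
            if (trimmed.startsWith(EIDAS_LOA_PREFIX)) {
                result.add(trimmed);
            } else if (this.loaLevelMapper != null) {
                log.debug("Find no eIDAS LoA in AuthnReq. Start mapping process ... ");
                String mapped = this.loaLevelMapper.mapToeIDASLoA(trimmed);
                if (mapped != null) {
                    result.add(mapped);
                } else {
                    log.debug("LoA mapper returned no eIDAS LoA for '" + trimmed + "', ignore it");
                }
            } else {
                log.debug("AuthnRequest contains no eIDAS LoA. NO LoA mapper FOUND, ignore '" + trimmed + "'");
            }
        }
        return result;
    }

    /**
     * Selects the AttributeConsumingService whose requested attributes are to be provided.
     * <p>
     * If the AuthnRequest carries an AttributeConsumingServiceIndex, the service whose declared
     * {@code index} attribute equals it is used (the index is a reference, not a list position, and
     * comes from the untrusted request, so it is never used to index the list directly). Without
     * a usable index the service flagged as default is used, else the first one declared.
     *
     * @return the selected service, or {@code null} if the SP declares none
     */
    private static AttributeConsumingService selectAttributeConsumingService(SPSSODescriptor spSsoDescriptor, AuthnRequest authnRequest) {
        List<AttributeConsumingService> services = spSsoDescriptor.getAttributeConsumingServices();
        if (services == null || services.isEmpty()) {
            return null;
        }

        Integer requestedIndex = authnRequest.getAttributeConsumingServiceIndex();
        if (requestedIndex != null) {
            for (AttributeConsumingService service : services) {
                if (requestedIndex.equals(service.getIndex())) {
                    return service;
                }
            }
            log.info("AuthnRequest references AttributeConsumingServiceIndex " + requestedIndex
                    + " which is not declared in SP metadata. Using default service.");
        }

        // Metadata should declare at most one default; if several are present the last one wins.
        AttributeConsumingService selected = null;
        for (AttributeConsumingService service : services) {
            if (Boolean.TRUE.equals(service.isDefault())) {
                selected = service;
            }
        }
        return selected != null ? selected : services.get(0);
    }

    /**
     * Builds the attributes requested by the given service.
     * <p>
     * Attributes that cannot be generated are logged and omitted unless the SP marked them as
     * required, in which case the build fails.
     *
     * @return the attributes that could be generated, in metadata order; never {@code null}
     * @throws UnprovideableAttributeException if a required attribute is not available
     */
    private static List<Attribute> buildRequestedAttributes(AttributeConsumingService service, ISPConfiguration spConfig, IAuthData authData) throws UnprovideableAttributeException {
        List<Attribute> result = new ArrayList<>();
        for (RequestedAttribute requested : service.getRequestAttributes()) {
            Attribute attribute = buildSingleAttribute(requested, spConfig, authData);
            if (attribute != null) {
                result.add(attribute);
            } else if (Boolean.TRUE.equals(requested.isRequired())) {
                throw new UnprovideableAttributeException(requested.getName());
            }
        }
        return result;
    }

    /**
     * Generates one attribute, translating every failure into a {@code null} result.
     * <p>
     * Whether a missing attribute is fatal is decided by the caller based on the SP's
     * {@code isRequired} flag; this method only logs.
     */
    private static Attribute buildSingleAttribute(RequestedAttribute requested, ISPConfiguration spConfig, IAuthData authData) {
        try {
            return PVPAttributeBuilder.buildAttribute(requested.getName(), spConfig, authData);
        } catch (UnavailableAttributeException e) {
            log.info("Attribute generation for " + requested.getFriendlyName() + " not possible.");
        } catch (PVP2Exception e) {
            log.info("Attribute generation failed! for " + requested.getFriendlyName());
        } catch (Exception e) {
            log.warn("General Attribute generation failed! for " + requested.getFriendlyName(), e);
        }
        return null;
    }

    /**
     * Determines the NameID format to use for the response.
     * <p>
     * A non-empty format in the request's NameIDPolicy wins. Otherwise the SP metadata's
     * NameIDFormat list is scanned in order: the first entry that is persistent selects
     * persistent; the first entry that is transient or SAML 1.1 unspecified stops the scan.
     * Anything else results in transient.
     */
    private static String resolveNameIdFormat(AuthnRequest authnRequest, SPSSODescriptor spSsoDescriptor) {
        if (authnRequest.getNameIDPolicy() != null && StringUtils.isNotEmpty(authnRequest.getNameIDPolicy().getFormat())) {
            return authnRequest.getNameIDPolicy().getFormat();
        }

        List<NameIDFormat> metadataFormats = spSsoDescriptor.getNameIDFormats();
        if (metadataFormats != null) {
            for (NameIDFormat entry : metadataFormats) {
                String format = entry.getFormat();
                if (NAMEID_PERSISTENT.equals(format)) {
                    return NAMEID_PERSISTENT;
                }
                if (NAMEID_TRANSIENT.equals(format) || NAMEID_UNSPECIFIED_SAML11.equals(format)) {
                    break;
                }
            }
        }
        return NAMEID_TRANSIENT;
    }

    /**
     * Derives a transient NameID from the subject identifier.
     * <p>
     * The identifier is concatenated with a fresh 32-hex random value, digested and Base64 encoded,
     * so the same subject yields a different, unlinkable value on each response.
     *
     * @throws ResponderErrorException if the digest is unavailable or derivation fails
     */
    private static String deriveTransientNameId(String subjectValue) throws ResponderErrorException {
        try {
            byte[] input = (subjectValue + Random.nextHexRandom32()).getBytes(StandardCharsets.ISO_8859_1);
            byte[] digest = MessageDigest.getInstance(TRANSIENT_NAMEID_DIGEST).digest(input);
            return Base64Utils.encodeToString(digest);
        } catch (Exception e) {
            // Any failure here must surface as a responder error, not as an unhandled exception.
            log.warn("PVP2 subjectNameID error", e);
            throw new ResponderErrorException(RESPONDER_ERROR_SUBJECT_NAMEID, null, e);
        }
    }

    /**
     * Assembles an assertion from already resolved parts.
     * <p>
     * Produces one AuthnStatement, an AttributeStatement only when attributes are present, a
     * bearer SubjectConfirmation with the given (possibly {@code null}) confirmation data, an
     * AudienceRestriction for the SP, and an entity-format Issuer.
     *
     * @param issuerEntityId entity ID of this IDP; a trailing {@code /} is stripped
     * @param audienceEntityId entity ID of the SP placed into the AudienceRestriction
     * @param issueInstant issue instant, AuthnInstant and NotBefore
     * @param authnContextClassRef authentication context to assert
     * @param attributes attributes to include; {@code null} or empty yields no AttributeStatement
     * @param nameID subject NameID
     * @param subjectConfirmationData bearer confirmation data, may be {@code null}
     * @param sessionIndex session index of the AuthnStatement
     * @param notOnOrAfter end of validity (Conditions/NotOnOrAfter)
     * @return the populated, unsigned assertion with a freshly generated ID
     * @throws ResponderErrorException if a SAML object cannot be created
     */
    public Assertion buildGenericAssertion(String issuerEntityId, String audienceEntityId, DateTime issueInstant, AuthnContextClassRef authnContextClassRef, List<Attribute> attributes, NameID nameID, SubjectConfirmationData subjectConfirmationData, String sessionIndex, DateTime notOnOrAfter) throws ResponderErrorException {
        Assertion assertion = (Assertion) SAML2Utils.createSAMLObject(Assertion.class);

        AuthnContext authnContext = (AuthnContext) SAML2Utils.createSAMLObject(AuthnContext.class);
        authnContext.setAuthnContextClassRef(authnContextClassRef);
        AuthnStatement authnStatement = (AuthnStatement) SAML2Utils.createSAMLObject(AuthnStatement.class);
        authnStatement.setAuthnInstant(issueInstant);
        authnStatement.setSessionIndex(sessionIndex);
        authnStatement.setAuthnContext(authnContext);
        assertion.getAuthnStatements().add(authnStatement);

        if (attributes != null && !attributes.isEmpty()) {
            AttributeStatement attributeStatement = (AttributeStatement) SAML2Utils.createSAMLObject(AttributeStatement.class);
            attributeStatement.getAttributes().addAll(attributes);
            assertion.getAttributeStatements().add(attributeStatement);
        }

        SubjectConfirmation subjectConfirmation = (SubjectConfirmation) SAML2Utils.createSAMLObject(SubjectConfirmation.class);
        subjectConfirmation.setMethod(CM_BEARER);
        subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData);
        Subject subject = (Subject) SAML2Utils.createSAMLObject(Subject.class);
        subject.setNameID(nameID);
        subject.getSubjectConfirmations().add(subjectConfirmation);

        Audience audience = (Audience) SAML2Utils.createSAMLObject(Audience.class);
        audience.setAudienceURI(audienceEntityId);
        AudienceRestriction audienceRestriction = (AudienceRestriction) SAML2Utils.createSAMLObject(AudienceRestriction.class);
        audienceRestriction.getAudiences().add(audience);
        Conditions conditions = (Conditions) SAML2Utils.createSAMLObject(Conditions.class);
        conditions.setNotBefore(issueInstant);
        conditions.setNotOnOrAfter(notOnOrAfter);
        conditions.getAudienceRestrictions().add(audienceRestriction);

        Issuer issuer = (Issuer) SAML2Utils.createSAMLObject(Issuer.class);
        issuer.setValue(stripTrailingSlash(issuerEntityId));
        issuer.setFormat(NAMEID_ENTITY);

        assertion.setConditions(conditions);
        assertion.setIssuer(issuer);
        assertion.setSubject(subject);
        assertion.setID(SAML2Utils.getSecureIdentifier());
        assertion.setIssueInstant(issueInstant);
        return assertion;
    }

    /** Removes a single trailing {@code /} from an entity ID so the Issuer value is canonical. */
    private static String stripTrailingSlash(String entityId) {
        if (entityId.endsWith("/")) {
            return entityId.substring(0, entityId.length() - 1);
        }
        return entityId;
    }
}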
