package at.gv.egiz.eaaf.modules.pvp2.idp.impl;

import at.gv.egiz.eaaf.core.api.IRequest;
import at.gv.egiz.eaaf.core.api.idp.IModulInfo;
import at.gv.egiz.eaaf.core.exceptions.AuthnRequestValidatorException;
import at.gv.egiz.eaaf.core.exceptions.EAAFException;
import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException;
import at.gv.egiz.eaaf.core.exceptions.NoPassivAuthenticationException;
import at.gv.egiz.eaaf.core.exceptions.SLOException;
import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController;
import at.gv.egiz.eaaf.modules.pvp2.api.IPVP2BasicConfiguration;
import at.gv.egiz.eaaf.modules.pvp2.api.binding.IEncoder;
import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPVPMetadataProvider;
import at.gv.egiz.eaaf.modules.pvp2.api.validation.IAuthnRequestPostProcessor;
import at.gv.egiz.eaaf.modules.pvp2.exception.InvalidPVPRequestException;
import at.gv.egiz.eaaf.modules.pvp2.exception.NameIDFormatNotSupportedException;
import at.gv.egiz.eaaf.modules.pvp2.exception.NoMetadataInformationException;
import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2Exception;
import at.gv.egiz.eaaf.modules.pvp2.idp.exception.InvalidAssertionConsumerServiceException;
import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding;
import at.gv.egiz.eaaf.modules.pvp2.impl.binding.RedirectBinding;
import at.gv.egiz.eaaf.modules.pvp2.impl.binding.SoapBinding;
import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage;
import at.gv.egiz.eaaf.modules.pvp2.impl.message.PVPSProfileRequest;
import at.gv.egiz.eaaf.modules.pvp2.impl.utils.AbstractCredentialProvider;
import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils;
import at.gv.egiz.eaaf.modules.pvp2.impl.validation.EAAFURICompare;
import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory;
import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SAMLVerificationEngine;
import java.util.List;
import javax.annotation.PostConstruct;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringEscapeUtils;
import org.apache.commons.lang3.StringUtils;
import org.joda.time.DateTime;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.Status;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.StatusMessage;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.ws.security.SecurityPolicyException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;

/* loaded from: input_file:at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPVP2XProtocol.class */
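/**
 * Base controller for the PVP 2.x (SAML 2.0) IdP protocol.
 *
 * <p>Subclasses wire the HTTP endpoints to {@link #PVPIDPPostRequest}, {@link #PVPIDPRedirecttRequest}
 * and {@link #pvpMetadataRequest}. This class decodes the inbound message with the matching binding,
 * verifies it with the trust engine built from the SP metadata, validates {@code AuthnRequest}s
 * (IssueInstant, AssertionConsumerService) and hands the pending request to {@code protAuthService}.
 * Failures raised later in the flow are rendered as SAML error responses by {@link #generateErrorMessage}.
 */
public abstract class AbstractPVP2XProtocol extends AbstractController implements IModulInfo {
    private static final Logger log = LoggerFactory.getLogger(AbstractPVP2XProtocol.class);

    // SAML 2.0 URNs used when building error responses and resolving bindings.
    private static final String STATUS_NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive";
    private static final String STATUS_INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy";
    private static final String STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder";
    private static final String NAMEID_FORMAT_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity";
    private static final String SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol";
    private static final String BINDING_HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";
    private static final String BINDING_HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
    private static final String BINDING_SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP";

    /** Tolerated clock skew: an IssueInstant further than this in the future is rejected. */
    private static final int ISSUE_INSTANT_JITTER_MINUTES = 5;

    /** Log message for rejected inbound messages; the raw request parameter is appended. */
    private static final String INVALID_REQUEST_LOG = "Receive INVALID protocol request: {}";

    @Autowired(required = true)
    protected IPVP2BasicConfiguration pvpBasicConfiguration;

    @Autowired(required = true)
    protected IPVPMetadataProvider metadataProvider;

    @Autowired(required = true)
    protected SAMLVerificationEngine samlVerificationEngine;

    /** Optional extension points run after the built-in AuthnRequest validation; may be {@code null}. */
    @Autowired(required = false)
    protected List<IAuthnRequestPostProcessor> authRequestPostProcessors;

    /** Provides the IdP signing credential; checked for presence in {@link #verifyInitialization()}. */
    private AbstractCredentialProvider pvpIDPCredentials;

    /**
     * Injects the provider of the IdP signing credential.
     *
     * @param abstractCredentialProvider credential provider; must be non-{@code null} before the bean is initialised
     */
    public void setPvpIDPCredentials(AbstractCredentialProvider abstractCredentialProvider) {
        this.pvpIDPCredentials = abstractCredentialProvider;
    }

    /**
     * Renders {@code th} as a SAML error {@code Response} and sends it to the SP with the binding of the
     * pending request.
     *
     * @param th the failure to report
     * @param httpServletRequest current request
     * @param httpServletResponse response the encoded SAML message is written to
     * @param iRequest the pending request; only {@link PVPSProfilePendingRequest}s can be answered
     * @return {@code true} when a SAML error response was sent; {@code false} for an {@link SLOException},
     *     which is left to the caller
     * @throws Throwable rethrows {@code th} when {@code iRequest} is {@code null} or not a
     *     {@link PVPSProfilePendingRequest}; encoder failures propagate unchanged
     */
    public boolean generateErrorMessage(Throwable th, HttpServletRequest httpServletRequest,
            HttpServletResponse httpServletResponse, IRequest iRequest) throws Throwable {
        // Without a PVP pending request there is no SP to answer; let the generic handler deal with it.
        if (!(iRequest instanceof PVPSProfilePendingRequest)) {
            throw th;
        }
        // Single-logout errors are not mapped to a SAML status here.
        if (th instanceof SLOException) {
            return false;
        }
        PVPSProfilePendingRequest pendingReq = (PVPSProfilePendingRequest) iRequest;

        Response response = (Response) SAML2Utils.createSAMLObject(Response.class);
        response.setStatus(buildErrorStatus(th));
        response.setID(SAML2Utils.getSecureIdentifier());
        response.setIssueInstant(new DateTime());

        Issuer issuer = (Issuer) SAML2Utils.createSAMLObject(Issuer.class);
        issuer.setValue(this.pvpBasicConfiguration.getIDPEntityId(pendingReq.getAuthURL()));
        issuer.setFormat(NAMEID_FORMAT_ENTITY);
        response.setIssuer(issuer);

        // RelayState only exists once the inbound message has been decoded.
        String relayState = pendingReq.getRequest() != null ? pendingReq.getRequest().getRelayState() : null;
        selectEncoder(pendingReq.getBinding()).encodeRespone(httpServletRequest, httpServletResponse, response,
                pendingReq.getConsumerURL(), relayState,
                this.pvpIDPCredentials.getIDPAssertionSigningCredential(), iRequest);
        return true;
    }

    /**
     * Maps an exception to a SAML {@code Status}: a top-level status code, an optional XML-escaped status
     * message and, where an external error code is known, a nested sub-status code.
     *
     * @param th the failure; must not be an {@link SLOException}
     * @return the populated status element
     */
    private Status buildErrorStatus(Throwable th) {
        StatusCode statusCode = (StatusCode) SAML2Utils.createSAMLObject(StatusCode.class);
        StatusMessage statusMessage = (StatusMessage) SAML2Utils.createSAMLObject(StatusMessage.class);
        String subStatusValue = null;

        // Order matters: the specific types are checked before the generic PVP2Exception.
        if (th instanceof NoPassivAuthenticationException) {
            statusCode.setValue(STATUS_NO_PASSIVE);
            statusMessage.setMessage(StringEscapeUtils.escapeXml(th.getLocalizedMessage()));
        } else if (th instanceof NameIDFormatNotSupportedException) {
            statusCode.setValue(STATUS_INVALID_NAMEID_POLICY);
            statusMessage.setMessage(StringEscapeUtils.escapeXml(th.getLocalizedMessage()));
        } else if (th instanceof PVP2Exception) {
            PVP2Exception pvpEx = (PVP2Exception) th;
            statusCode.setValue(pvpEx.getStatusCodeValue());
            String message = pvpEx.getStatusMessageValue();
            if (message != null) {
                statusMessage.setMessage(StringEscapeUtils.escapeXml(message));
            }
            subStatusValue = this.statusMessager.mapInternalErrorToExternalError(pvpEx.getErrorId());
        } else {
            // Anything else is reported as a generic responder-side error.
            statusCode.setValue(STATUS_RESPONDER);
            statusMessage.setMessage(StringEscapeUtils.escapeXml(th.getLocalizedMessage()));
            subStatusValue = this.statusMessager.getResponseErrorCode(th);
        }

        if (StringUtils.isNotEmpty(subStatusValue)) {
            StatusCode subStatusCode = (StatusCode) SAML2Utils.createSAMLObject(StatusCode.class);
            subStatusCode.setValue(subStatusValue);
            statusCode.setStatusCode(subStatusCode);
        }

        Status status = (Status) SAML2Utils.createSAMLObject(Status.class);
        status.setStatusCode(statusCode);
        if (statusMessage.getMessage() != null) {
            status.setStatusMessage(statusMessage);
        }
        return status;
    }

    /**
     * Looks up the response encoder bean for a SAML binding URN.
     *
     * @param binding binding URN of the pending request; may be {@code null}
     * @return the encoder for the binding; unknown or missing bindings fall back to a plain
     *     {@link RedirectBinding}, as before
     */
    private IEncoder selectEncoder(String binding) {
        IEncoder encoder = null;
        if (BINDING_HTTP_REDIRECT.equals(binding)) {
            encoder = this.applicationContext.getBean("PVPRedirectBinding", RedirectBinding.class);
        } else if (BINDING_HTTP_POST.equals(binding)) {
            encoder = this.applicationContext.getBean("PVPPOSTBinding", PostBinding.class);
        } else if (BINDING_SOAP.equals(binding)) {
            encoder = this.applicationContext.getBean("PVPSOAPBinding", SoapBinding.class);
        }
        return encoder != null ? encoder : new RedirectBinding();
    }

    /**
     * Request-validation hook. This base implementation accepts every request; subclasses override it to
     * add checks.
     *
     * @return always {@code true}
     */
    public boolean validate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, IRequest iRequest) {
        return true;
    }

    /**
     * Serves the IdP metadata document via {@link MetadataAction}.
     *
     * @throws EAAFException when the pending request cannot be initialised or the action fails
     */
    protected void pvpMetadataRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws EAAFException {
        PVPSProfilePendingRequest pendingReq = this.applicationContext.getBean(PVPSProfilePendingRequest.class);
        pendingReq.initialize(httpServletRequest, this.authConfig);
        pendingReq.setModule(getName());
        this.revisionsLogger.logEvent(pendingReq.getUniqueSessionIdentifier(), pendingReq.getUniqueTransactionIdentifier(), 1102, httpServletRequest.getRemoteAddr());
        this.applicationContext.getBean(MetadataAction.class).processRequest(pendingReq, httpServletRequest, httpServletResponse, null);
    }

    /**
     * Endpoint for protocol messages received via the HTTP-POST binding.
     *
     * @throws EAAFException when decoding, verification or pre-processing fails; see {@link #mapInboundFailure}
     */
    protected void PVPIDPPostRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws EAAFException {
        PVPSProfilePendingRequest pendingReq = null;
        try {
            pendingReq = this.applicationContext.getBean(PVPSProfilePendingRequest.class);
            initializePendingRequest(pendingReq, httpServletRequest);
            // Presumably the endpoint the decoder compares the message against — see PostBinding.decode.
            EAAFURICompare expectedEndpoint = new EAAFURICompare(this.pvpBasicConfiguration.getIDPSSOPostService(pendingReq.getAuthURL()));
            pendingReq.setRequest((InboundMessage) new PostBinding().decode(httpServletRequest, httpServletResponse, this.metadataProvider, false, expectedEndpoint));
            preProcess(httpServletRequest, httpServletResponse, pendingReq);
        } catch (Throwable th) {
            throw mapInboundFailure(th, httpServletRequest, pendingReq);
        }
    }

    /**
     * Endpoint for protocol messages received via the HTTP-Redirect binding.
     *
     * @throws EAAFException when decoding, verification or pre-processing fails; see {@link #mapInboundFailure}
     */
    protected void PVPIDPRedirecttRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws EAAFException {
        PVPSProfilePendingRequest pendingReq = null;
        try {
            pendingReq = this.applicationContext.getBean(PVPSProfilePendingRequest.class);
            initializePendingRequest(pendingReq, httpServletRequest);
            // Presumably the endpoint the decoder compares the message against — see RedirectBinding.decode.
            EAAFURICompare expectedEndpoint = new EAAFURICompare(this.pvpBasicConfiguration.getIDPSSORedirectService(pendingReq.getAuthURL()));
            pendingReq.setRequest((InboundMessage) new RedirectBinding().decode(httpServletRequest, httpServletResponse, this.metadataProvider, false, expectedEndpoint));
            preProcess(httpServletRequest, httpServletResponse, pendingReq);
        } catch (Throwable th) {
            throw mapInboundFailure(th, httpServletRequest, pendingReq);
        }
    }

    /**
     * Initialises a freshly created pending request and writes the session/transaction start events
     * (1000, 1100, 1102) to the revision log.
     *
     * @throws EAAFException propagated from {@code initialize}
     */
    private void initializePendingRequest(PVPSProfilePendingRequest pendingReq, HttpServletRequest httpServletRequest) throws EAAFException {
        pendingReq.initialize(httpServletRequest, this.authConfig);
        pendingReq.setModule(getName());
        this.revisionsLogger.logEvent(1000, pendingReq.getUniqueSessionIdentifier());
        this.revisionsLogger.logEvent(1100, pendingReq.getUniqueTransactionIdentifier());
        this.revisionsLogger.logEvent(pendingReq.getUniqueSessionIdentifier(), pendingReq.getUniqueTransactionIdentifier(), 1102, httpServletRequest.getRemoteAddr());
    }

    /**
     * Converts a failure while decoding or pre-processing an inbound message into the exception the
     * endpoint reports: it logs the failure, writes revision event 1103 when a pending request exists, and
     * maps {@link SecurityException} to {@code pvp2.22}, {@link SecurityPolicyException} to {@code pvp2.21},
     * passes {@link EAAFException}s through unchanged and wraps everything else as {@code pvp2.24}.
     *
     * <p>The raw {@code SAMLRequest} parameter is logged as received; it is client-controlled and may be
     * large, so log sinks should be sized accordingly.
     *
     * @param cause the failure
     * @param httpServletRequest current request, used for the log line
     * @param pendingReq the pending request, or {@code null} if it was not created yet
     * @return the exception to throw to the caller
     */
    private EAAFException mapInboundFailure(Throwable cause, HttpServletRequest httpServletRequest, PVPSProfilePendingRequest pendingReq) {
        if (cause instanceof EAAFException) {
            log.info(INVALID_REQUEST_LOG, httpServletRequest.getParameter("SAMLRequest"));
        } else {
            log.warn(INVALID_REQUEST_LOG, httpServletRequest.getParameter("SAMLRequest"), cause);
        }
        if (pendingReq != null) {
            this.revisionsLogger.logEvent(pendingReq, 1103, pendingReq.getUniqueTransactionIdentifier());
        }
        if (cause instanceof SecurityException) {
            return new InvalidProtocolRequestException("pvp2.22", new Object[]{cause.getMessage()});
        }
        if (cause instanceof SecurityPolicyException) {
            return new InvalidProtocolRequestException("pvp2.21", new Object[0]);
        }
        if (cause instanceof EAAFException) {
            return (EAAFException) cause;
        }
        return new EAAFException("pvp2.24", new Object[]{cause.getMessage()}, cause);
    }

    /**
     * Handles SAML message types other than {@code AuthnRequest}.
     *
     * @return {@code true} if the child implementation handled the message; {@code false} if the type is
     *     unsupported, which makes {@link #preProcess} reject the request
     */
    protected abstract boolean childPreProcess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, PVPSProfilePendingRequest pVPSProfilePendingRequest) throws Throwable;

    /**
     * Verifies the decoded inbound message and dispatches it: {@code AuthnRequest}s are validated here, other
     * message types are delegated to {@link #childPreProcess}. Afterwards the pending request is handed to the
     * authentication service.
     *
     * @throws InvalidProtocolRequestException ({@code pvp2.20}) when no request or no issuer entity id is present
     * @throws InvalidPVPRequestException ({@code pvp2.09}) when the message type is not supported
     * @throws Throwable verification, validation or authentication failures
     */
    protected void preProcess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, PVPSProfilePendingRequest pVPSProfilePendingRequest) throws Throwable {
        PVPSProfileRequest request = pVPSProfilePendingRequest.getRequest();
        if (request == null || StringUtils.isEmpty(request.getEntityID())) {
            throw new InvalidProtocolRequestException("pvp2.20", new Object[0]);
        }
        // Verify once, with the trust engine built from the SP metadata; later passes reuse the flag.
        if (!request.isVerified()) {
            this.samlVerificationEngine.verify(request, TrustEngineFactory.getSignatureKnownKeysTrustEngine(this.metadataProvider));
            request.setVerified(true);
        }
        this.revisionsLogger.logEvent(pVPSProfilePendingRequest, 3000, getAuthProtocolIdentifier());

        if (request.getSamlRequest() instanceof AuthnRequest) {
            preProcessAuthRequest(httpServletRequest, httpServletResponse, pVPSProfilePendingRequest);
        } else if (childPreProcess(httpServletRequest, httpServletResponse, pVPSProfilePendingRequest)) {
            log.debug("Find protocol handler in child implementation");
        } else {
            String messageType = request.getSamlRequest() == null ? "null" : request.getSamlRequest().getClass().getName();
            log.error("Receive unsupported PVP21 message of type: {}", messageType);
            throw new InvalidPVPRequestException("pvp2.09", new Object[]{messageType});
        }
        this.protAuthService.performAuthentication(httpServletRequest, httpServletResponse, pVPSProfilePendingRequest);
    }

    /**
     * Validates an {@code AuthnRequest} against the SP metadata and fills the pending request with the
     * values the later steps need (SP entity id, binding, consumer URL, passive/force flags, action).
     *
     * @throws InvalidPVPRequestException when the message is not an {@code AuthnRequest}
     * @throws NoMetadataInformationException when no metadata or no SAML 2.0 SP descriptor exists for the issuer
     * @throws AuthnRequestValidatorException when the IssueInstant is missing or too far in the future
     * @throws InvalidAssertionConsumerServiceException when the requested consumer service is not in the metadata
     * @throws Throwable failures of the registered post-processors
     */
    private void preProcessAuthRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, PVPSProfilePendingRequest pVPSProfilePendingRequest) throws Throwable {
        PVPSProfileRequest request = pVPSProfilePendingRequest.getRequest();
        AuthnRequest authnRequest = request.getSamlRequest();
        if (!(authnRequest instanceof AuthnRequest)) {
            throw new InvalidPVPRequestException("Unsupported request", new Object[0]);
        }

        EntityDescriptor entityMetadata = request.getEntityMetadata(this.metadataProvider);
        if (entityMetadata == null) {
            throw new NoMetadataInformationException();
        }
        SPSSODescriptor spDescriptor = entityMetadata.getSPSSODescriptor(SAML2_PROTOCOL);
        if (spDescriptor == null) {
            // Without an SP role for SAML 2.0 there is no consumer service list to validate against.
            log.warn("Metadata of {} contains no SPSSODescriptor for {}", entityMetadata.getEntityID(), SAML2_PROTOCOL);
            throw new NoMetadataInformationException();
        }

        validateIssueInstant(authnRequest, pVPSProfilePendingRequest);
        AssertionConsumerService consumerService = resolveAssertionConsumerService(authnRequest, spDescriptor);

        String entityID = entityMetadata.getEntityID();
        log.info("Dispatch PVP2 AuthnRequest: OAURL={} Binding={}", entityID, consumerService.getBinding());
        pVPSProfilePendingRequest.setSPEntityId(StringEscapeUtils.escapeHtml(entityID));
        pVPSProfilePendingRequest.setOnlineApplicationConfiguration(this.authConfig.getServiceProviderConfiguration(pVPSProfilePendingRequest.getSPEntityId()));
        pVPSProfilePendingRequest.setBinding(consumerService.getBinding());
        pVPSProfilePendingRequest.setRequest(request);
        pVPSProfilePendingRequest.setConsumerURL(consumerService.getLocation());
        pVPSProfilePendingRequest.setPassiv(Boolean.TRUE.equals(authnRequest.isPassive()));
        pVPSProfilePendingRequest.setForce(Boolean.TRUE.equals(authnRequest.isForceAuthn()));
        pVPSProfilePendingRequest.setNeedAuthentication(true);
        pVPSProfilePendingRequest.setAction(AuthenticationAction.class.getName());

        log.trace("Starting extended AuthnRequest validation and processing ... ");
        if (this.authRequestPostProcessors != null) {
            for (IAuthnRequestPostProcessor postProcessor : this.authRequestPostProcessors) {
                log.trace("Post-process AuthnRequest with module: {}", postProcessor.getClass().getSimpleName());
                postProcessor.process(httpServletRequest, pVPSProfilePendingRequest, authnRequest, spDescriptor);
            }
        }
        log.debug("Extended AuthnRequest validation and processing finished");
        this.revisionsLogger.logEvent(pVPSProfilePendingRequest, 3101, authnRequest.getID());
    }

    /**
     * Rejects requests without an IssueInstant or with one more than {@link #ISSUE_INSTANT_JITTER_MINUTES}
     * in the future.
     *
     * <p>NOTE(review): {@code issueInstant.minusMinutes(n).isAfterNow()} only rejects future-dated requests;
     * an arbitrarily old IssueInstant passes this check despite the "not valid anymore" wording of the
     * error, so replay/staleness protection has to come from elsewhere — confirm.
     */
    private static void validateIssueInstant(AuthnRequest authnRequest, PVPSProfilePendingRequest pendingReq) throws AuthnRequestValidatorException {
        DateTime issueInstant = authnRequest.getIssueInstant();
        if (issueInstant == null) {
            log.warn("Unsupported request: No IssueInstant Attribute found.");
            throw new AuthnRequestValidatorException("pvp2.22", new Object[]{"Unsupported request: No IssueInstant Attribute found"}, pendingReq);
        }
        if (issueInstant.minusMinutes(ISSUE_INSTANT_JITTER_MINUTES).isAfterNow()) {
            log.warn("Unsupported request: No IssueInstant DateTime is not valid anymore.");
            throw new AuthnRequestValidatorException("pvp2.22", new Object[]{"Unsupported request: No IssueInstant DateTime is not valid anymore."}, pendingReq);
        }
    }

    /**
     * Determines the endpoint the response must be sent to.
     *
     * <p>If the request carries both an AssertionConsumerServiceURL and a ProtocolBinding, the pair must match
     * an entry of the SP metadata exactly; otherwise the AssertionConsumerServiceIndex (or the metadata
     * default) selects an entry. Either way, responses only go to endpoints published in the metadata.
     *
     * <p>NOTE(review): the index is used as a position in the metadata list, not matched against the
     * {@code index} attribute of the AssertionConsumerService elements — confirm the provider orders them
     * accordingly.
     *
     * @throws InvalidAssertionConsumerServiceException when the URL/binding pair is not in the metadata or the
     *     (request-supplied) index is out of range
     */
    private static AssertionConsumerService resolveAssertionConsumerService(AuthnRequest authnRequest, SPSSODescriptor spDescriptor) throws InvalidAssertionConsumerServiceException {
        String requestedUrl = authnRequest.getAssertionConsumerServiceURL();
        String requestedBinding = authnRequest.getProtocolBinding();
        List<AssertionConsumerService> services = spDescriptor.getAssertionConsumerServices();

        if (StringUtils.isNotEmpty(requestedUrl) && StringUtils.isNotEmpty(requestedBinding)) {
            for (AssertionConsumerService candidate : services) {
                if (requestedBinding.equals(candidate.getBinding()) && requestedUrl.equals(candidate.getLocation())) {
                    log.debug("Requested AssertionConsumerServiceURL is valid.");
                    AssertionConsumerService consumerService = (AssertionConsumerService) SAML2Utils.createSAMLObject(AssertionConsumerService.class);
                    consumerService.setBinding(requestedBinding);
                    consumerService.setLocation(requestedUrl);
                    return consumerService;
                }
            }
            throw new InvalidAssertionConsumerServiceException(requestedUrl);
        }

        Integer requestedIndex = authnRequest.getAssertionConsumerServiceIndex();
        int index = requestedIndex != null ? requestedIndex.intValue() : SAML2Utils.getDefaultAssertionConsumerServiceIndex(spDescriptor);
        // The index comes from the request: bounds-check it instead of letting List.get throw.
        if (index < 0 || index >= services.size() || services.get(index) == null) {
            throw new InvalidAssertionConsumerServiceException(index);
        }
        return services.get(index);
    }

    /**
     * Fails fast at bean initialisation when no credential provider was injected, since the credential it
     * supplies is used to sign the responses encoded here.
     *
     * @throws IllegalStateException when {@link #setPvpIDPCredentials} was never called
     */
    @PostConstruct
    private void verifyInitialization() {
        if (this.pvpIDPCredentials == null) {
            log.error("No SAML2 credentialProvider injected!");
            throw new IllegalStateException("No SAML2 credentialProvider injected!");
        }
    }
}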
