package at.gv.egiz.eaaf.modules.pvp2.idp.impl;

import at.gv.egiz.eaaf.core.api.IRequest;
import at.gv.egiz.eaaf.core.api.idp.IModulInfo;
import at.gv.egiz.eaaf.core.exceptions.AuthnRequestValidatorException;
import at.gv.egiz.eaaf.core.exceptions.EaafException;
import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException;
import at.gv.egiz.eaaf.core.exceptions.NoPassivAuthenticationException;
import at.gv.egiz.eaaf.core.exceptions.SloException;
import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController;
import at.gv.egiz.eaaf.modules.pvp2.api.IPvp2BasicConfiguration;
import at.gv.egiz.eaaf.modules.pvp2.api.binding.IEncoder;
import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
import at.gv.egiz.eaaf.modules.pvp2.api.utils.IPvp2CredentialProvider;
import at.gv.egiz.eaaf.modules.pvp2.api.validation.IAuthnRequestPostProcessor;
import at.gv.egiz.eaaf.modules.pvp2.exception.InvalidPvpRequestException;
import at.gv.egiz.eaaf.modules.pvp2.exception.NameIdFormatNotSupportedException;
import at.gv.egiz.eaaf.modules.pvp2.exception.NoMetadataInformationException;
import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception;
import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException;
import at.gv.egiz.eaaf.modules.pvp2.idp.exception.InvalidAssertionConsumerServiceException;
import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding;
import at.gv.egiz.eaaf.modules.pvp2.impl.binding.RedirectBinding;
import at.gv.egiz.eaaf.modules.pvp2.impl.binding.SoapBinding;
import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage;
import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest;
import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
import at.gv.egiz.eaaf.modules.pvp2.impl.validation.EaafUriCompare;
import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory;
import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine;
import java.util.List;
import javax.annotation.PostConstruct;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringEscapeUtils;
import org.apache.commons.lang3.StringUtils;
import org.joda.time.DateTime;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.Status;
import org.opensaml.saml.saml2.core.StatusCode;
import org.opensaml.saml.saml2.core.StatusMessage;
import org.opensaml.saml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;

/* loaded from: input_file:at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.class */
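public abstract class AbstractPvp2XProtocol extends AbstractController implements IModulInfo {
    private static final Logger log = LoggerFactory.getLogger(AbstractPvp2XProtocol.class);
    private static final String HTTP_PARAM_SAMLREQ = "SAMLRequest";
    private static final String ERROR_INVALID_REQUEST = "Receive INVALID protocol request: {}";

    // SAML 2.0 binding identifiers; the value stored in the pending request selects the response encoder.
    private static final String BINDING_HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";
    private static final String BINDING_HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
    private static final String BINDING_SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP";

    // SAML 2.0 status codes, NameID format and protocol namespace used by this class.
    private static final String STATUS_NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive";
    private static final String STATUS_INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy";
    private static final String STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder";
    private static final String NAMEID_FORMAT_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity";
    private static final String SAML2_PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol";

    /** Allowed clock skew for a request's IssueInstant lying in the future. */
    private static final int ISSUE_INSTANT_SKEW_MINUTES = 5;

    @Autowired(required = true)
    protected IPvp2BasicConfiguration pvpBasicConfiguration;

    @Autowired(required = true)
    protected IPvp2MetadataProvider metadataProvider;

    @Autowired(required = true)
    protected SamlVerificationEngine samlVerificationEngine;

    /** Optional extension points run after the basic AuthnRequest validation; may be {@code null}. */
    @Autowired(required = false)
    protected List<IAuthnRequestPostProcessor> authRequestPostProcessors;

    /** Provides the key that signs outbound SAML responses; must be set before {@link #verifyInitialization()}. */
    private IPvp2CredentialProvider pvpIdpCredentials;

    /**
     * Injects the credential provider used to sign outbound SAML messages.
     *
     * @param iPvp2CredentialProvider provider of the IdP signing credential
     */
    public void setPvpIdpCredentials(IPvp2CredentialProvider iPvp2CredentialProvider) {
        this.pvpIdpCredentials = iPvp2CredentialProvider;
    }

    /**
     * Answers a failed request with a SAML {@code Response} that carries an error status, sent back over
     * the binding the request arrived on.
     *
     * @param th the error to report
     * @param httpServletRequest current HTTP request
     * @param httpServletResponse HTTP response the encoded SAML response is written to
     * @param iRequest the pending request; only a {@link PvpSProfilePendingRequest} can be answered here
     * @return {@code true} if an error response was sent; {@code false} if the error has to be handled by
     *         another component (currently only for {@link SloException})
     * @throws Throwable {@code th} itself when {@code iRequest} is not a PVP pending request, otherwise any
     *         error raised while building or encoding the response
     */
    public boolean generateErrorMessage(Throwable th, HttpServletRequest httpServletRequest,
            HttpServletResponse httpServletResponse, IRequest iRequest) throws Throwable {
        if (!(iRequest instanceof PvpSProfilePendingRequest)) {
            // covers null as well: without a PVP context there is no SP endpoint to answer to
            throw th;
        }
        final PvpSProfilePendingRequest pendingReq = (PvpSProfilePendingRequest) iRequest;

        final StatusCode statusCode = (StatusCode) Saml2Utils.createSamlObject(StatusCode.class);
        final StatusMessage statusMessage = (StatusMessage) Saml2Utils.createSamlObject(StatusMessage.class);
        String externalErrorCode = null;
        if (th instanceof NoPassivAuthenticationException) {
            statusCode.setValue(STATUS_NO_PASSIVE);
            statusMessage.setMessage(StringEscapeUtils.escapeXml(th.getLocalizedMessage()));
        } else if (th instanceof NameIdFormatNotSupportedException) {
            statusCode.setValue(STATUS_INVALID_NAMEID_POLICY);
            statusMessage.setMessage(StringEscapeUtils.escapeXml(th.getLocalizedMessage()));
        } else if (th instanceof SloException) {
            // single-logout errors are reported by the SLO handling, not as an AuthnResponse
            return false;
        } else if (th instanceof Pvp2Exception) {
            final Pvp2Exception pvp2Exception = (Pvp2Exception) th;
            statusCode.setValue(pvp2Exception.getStatusCodeValue());
            final String statusMessageValue = pvp2Exception.getStatusMessageValue();
            if (statusMessageValue != null) {
                statusMessage.setMessage(StringEscapeUtils.escapeXml(statusMessageValue));
            }
            externalErrorCode = this.statusMessager.mapInternalErrorToExternalError(pvp2Exception.getErrorId());
        } else {
            // NOTE(review): the raw message of an arbitrary internal Throwable is sent to the SP here;
            // consider whether the mapped error code alone would be sufficient.
            statusCode.setValue(STATUS_RESPONDER);
            statusMessage.setMessage(StringEscapeUtils.escapeXml(th.getLocalizedMessage()));
            externalErrorCode = this.statusMessager.getResponseErrorCode(th);
        }

        if (StringUtils.isNotEmpty(externalErrorCode)) {
            // the mapped external error code travels as nested second-level StatusCode
            final StatusCode detailCode = (StatusCode) Saml2Utils.createSamlObject(StatusCode.class);
            detailCode.setValue(externalErrorCode);
            statusCode.setStatusCode(detailCode);
        }
        final Status status = (Status) Saml2Utils.createSamlObject(Status.class);
        status.setStatusCode(statusCode);
        if (statusMessage.getMessage() != null) {
            status.setStatusMessage(statusMessage);
        }

        final Response response = (Response) Saml2Utils.createSamlObject(Response.class);
        response.setStatus(status);
        response.setID(Saml2Utils.getSecureIdentifier());
        response.setIssueInstant(new DateTime());

        final Issuer issuer = (Issuer) Saml2Utils.createSamlObject(Issuer.class);
        issuer.setValue(this.pvpBasicConfiguration.getIdpEntityId(pendingReq.getAuthUrl()));
        issuer.setFormat(NAMEID_FORMAT_ENTITY);
        response.setIssuer(issuer);

        // RelayState is echoed back only if the inbound message was decoded far enough to carry one
        final String relayState = pendingReq.getRequest() != null ? pendingReq.getRequest().getRelayState() : null;
        final IEncoder encoder = selectResponseEncoder(pendingReq.getBinding());
        encoder.encodeResponse(httpServletRequest, httpServletResponse, response, pendingReq.getConsumerUrl(),
                relayState, this.pvpIdpCredentials.getMessageSigningCredential(), iRequest);
        return true;
    }

    /**
     * Picks the response encoder for a SAML binding identifier.
     *
     * @param binding binding URN stored in the pending request; may be {@code null}
     * @return the matching Spring-managed binding bean, or a plain {@link RedirectBinding} for an unknown
     *         or missing binding (the fallback of the original implementation; note that this instance is
     *         not wired by Spring)
     */
    private IEncoder selectResponseEncoder(String binding) {
        if (BINDING_HTTP_REDIRECT.equals(binding)) {
            return (IEncoder) this.applicationContext.getBean("PVPRedirectBinding", RedirectBinding.class);
        }
        if (BINDING_HTTP_POST.equals(binding)) {
            return (IEncoder) this.applicationContext.getBean("PVPPOSTBinding", PostBinding.class);
        }
        if (BINDING_SOAP.equals(binding)) {
            return (IEncoder) this.applicationContext.getBean("PVPSOAPBinding", SoapBinding.class);
        }
        return new RedirectBinding();
    }

    /**
     * Default request validation hook; this base implementation accepts every request.
     *
     * @param httpServletRequest current HTTP request
     * @param httpServletResponse current HTTP response
     * @param iRequest the pending request
     * @return always {@code true}
     */
    public boolean validate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
            IRequest iRequest) {
        return true;
    }

    /**
     * Serves the IdP's SAML metadata.
     *
     * @param httpServletRequest current HTTP request
     * @param httpServletResponse response the metadata is written to
     * @throws EaafException if the pending request cannot be initialised or the metadata action fails
     */
    protected void pvpMetadataRequest(HttpServletRequest httpServletRequest,
            HttpServletResponse httpServletResponse) throws EaafException {
        final PvpSProfilePendingRequest pendingReq = newPendingRequest(httpServletRequest);
        // revision event 1102 records the remote address of the caller
        this.revisionsLogger.logEvent(pendingReq.getUniqueSessionIdentifier(),
                pendingReq.getUniqueTransactionIdentifier(), 1102, httpServletRequest.getRemoteAddr());
        this.applicationContext.getBean(MetadataAction.class)
                .processRequest(pendingReq, httpServletRequest, httpServletResponse, null);
    }

    /**
     * Handles an inbound SAML message received via the HTTP-POST binding.
     *
     * @param httpServletRequest current HTTP request carrying the {@code SAMLRequest} form parameter
     * @param httpServletResponse current HTTP response
     * @throws InvalidProtocolRequestException for signature failures ({@code pvp2.21}) and other PVP
     *         validation errors ({@code pvp2.22})
     * @throws EaafException for any other failure ({@code pvp2.24} wraps unexpected throwables)
     */
    protected void pvpIdpPostRequest(HttpServletRequest httpServletRequest,
            HttpServletResponse httpServletResponse) throws EaafException {
        PvpSProfilePendingRequest pendingReq = null;
        try {
            pendingReq = startInboundRequest(httpServletRequest);
            // the decoder checks the message against the SP's metadata and the configured POST endpoint
            final InboundMessage message = (InboundMessage) new PostBinding().decode(httpServletRequest,
                    httpServletResponse, this.metadataProvider, SPSSODescriptor.DEFAULT_ELEMENT_NAME,
                    new EaafUriCompare(this.pvpBasicConfiguration.getIdpSsoPostService(pendingReq.getAuthUrl())));
            pendingReq.setRequest(message);
            preProcess(httpServletRequest, httpServletResponse, pendingReq);
        } catch (SamlSigningException e) {
            logInvalidRequest(pendingReq, httpServletRequest, e);
            throw new InvalidProtocolRequestException("pvp2.21", new Object[0]);
        } catch (Pvp2Exception e) {
            logInvalidRequest(pendingReq, httpServletRequest, e);
            throw new InvalidProtocolRequestException("pvp2.22", new Object[]{e.getMessage()});
        } catch (EaafException e) {
            log.info(ERROR_INVALID_REQUEST, httpServletRequest.getParameter(HTTP_PARAM_SAMLREQ), e);
            logInvalidRequestEvent(pendingReq);
            throw e;
        } catch (Throwable th) {
            logInvalidRequest(pendingReq, httpServletRequest, th);
            throw new EaafException("pvp2.24", new Object[]{th.getMessage()}, th);
        }
    }

    /**
     * Handles an inbound SAML message received via the HTTP-Redirect binding.
     *
     * @param httpServletRequest current HTTP request carrying the {@code SAMLRequest} query parameter
     * @param httpServletResponse current HTTP response
     * @throws InvalidProtocolRequestException for signature failures ({@code pvp2.21}) and other PVP
     *         validation errors ({@code pvp2.22})
     * @throws EaafException for any other failure ({@code pvp2.24} wraps unexpected throwables)
     */
    protected void pvpIdpRedirecttRequest(HttpServletRequest httpServletRequest,
            HttpServletResponse httpServletResponse) throws EaafException {
        PvpSProfilePendingRequest pendingReq = null;
        try {
            pendingReq = startInboundRequest(httpServletRequest);
            // the decoder checks the message against the SP's metadata and the configured Redirect endpoint
            final InboundMessage message = (InboundMessage) new RedirectBinding().decode(httpServletRequest,
                    httpServletResponse, this.metadataProvider, SPSSODescriptor.DEFAULT_ELEMENT_NAME,
                    new EaafUriCompare(this.pvpBasicConfiguration.getIdpSsoRedirectService(pendingReq.getAuthUrl())));
            pendingReq.setRequest(message);
            preProcess(httpServletRequest, httpServletResponse, pendingReq);
        } catch (SamlSigningException e) {
            logInvalidRequest(pendingReq, httpServletRequest, e);
            throw new InvalidProtocolRequestException("pvp2.21", new Object[0]);
        } catch (Pvp2Exception e) {
            logInvalidRequest(pendingReq, httpServletRequest, e);
            throw new InvalidProtocolRequestException("pvp2.22", new Object[]{e.getMessage()});
        } catch (EaafException e) {
            log.info(ERROR_INVALID_REQUEST, httpServletRequest.getParameter(HTTP_PARAM_SAMLREQ), e);
            logInvalidRequestEvent(pendingReq);
            throw e;
        } catch (Throwable th) {
            logInvalidRequest(pendingReq, httpServletRequest, th);
            throw new EaafException("pvp2.24", new Object[]{th.getMessage()}, th);
        }
    }

    /**
     * Creates a fresh pending request bean for the current HTTP request and tags it with this module.
     *
     * @param httpServletRequest current HTTP request
     * @return the initialised pending request
     * @throws EaafException if the pending request cannot be initialised
     */
    private PvpSProfilePendingRequest newPendingRequest(HttpServletRequest httpServletRequest) throws EaafException {
        final PvpSProfilePendingRequest pendingReq = this.applicationContext.getBean(PvpSProfilePendingRequest.class);
        pendingReq.initialize(httpServletRequest, this.authConfig);
        pendingReq.setModule(getName());
        return pendingReq;
    }

    /**
     * Creates the pending request for an inbound SAML message and writes the revision-log start events
     * shared by the POST and Redirect handlers.
     *
     * @param httpServletRequest current HTTP request
     * @return the initialised pending request
     * @throws EaafException if the pending request cannot be initialised
     */
    private PvpSProfilePendingRequest startInboundRequest(HttpServletRequest httpServletRequest) throws EaafException {
        final PvpSProfilePendingRequest pendingReq = newPendingRequest(httpServletRequest);
        // revision events 1000/1100/1102: new session, new transaction, remote address of the caller
        this.revisionsLogger.logEvent(1000, pendingReq.getUniqueSessionIdentifier());
        this.revisionsLogger.logEvent(1100, pendingReq.getUniqueTransactionIdentifier());
        this.revisionsLogger.logEvent(pendingReq.getUniqueSessionIdentifier(),
                pendingReq.getUniqueTransactionIdentifier(), 1102, httpServletRequest.getRemoteAddr());
        return pendingReq;
    }

    /**
     * Logs a rejected inbound message at WARN level and records revision event 1103.
     *
     * @param pendingReq the pending request, or {@code null} if it was not created yet
     * @param httpServletRequest current HTTP request
     * @param error the cause of the rejection
     * @throws EaafException if writing the revision log fails
     */
    private void logInvalidRequest(PvpSProfilePendingRequest pendingReq, HttpServletRequest httpServletRequest,
            Throwable error) throws EaafException {
        // the logged SAMLRequest parameter is client-supplied input, written for diagnostics only
        log.warn(ERROR_INVALID_REQUEST, httpServletRequest.getParameter(HTTP_PARAM_SAMLREQ), error);
        logInvalidRequestEvent(pendingReq);
    }

    /**
     * Records revision event 1103 (invalid request) if a pending request already exists.
     *
     * @param pendingReq the pending request, or {@code null}
     * @throws EaafException if writing the revision log fails
     */
    private void logInvalidRequestEvent(PvpSProfilePendingRequest pendingReq) throws EaafException {
        if (pendingReq != null) {
            this.revisionsLogger.logEvent(pendingReq, 1103, pendingReq.getUniqueTransactionIdentifier());
        }
    }

    /**
     * Hook for subclasses to handle SAML message types other than {@code AuthnRequest}.
     *
     * @param httpServletRequest current HTTP request
     * @param httpServletResponse current HTTP response
     * @param pvpSProfilePendingRequest the pending request whose inbound message is already signature-verified
     * @return {@code true} if the subclass handled the message, {@code false} if the type is unsupported
     * @throws Throwable on any processing error
     */
    protected abstract boolean childPreProcess(HttpServletRequest httpServletRequest,
            HttpServletResponse httpServletResponse, PvpSProfilePendingRequest pvpSProfilePendingRequest)
            throws Throwable;

    /**
     * Common processing of a decoded inbound message: issuer check, signature verification against the
     * SP's metadata keys, dispatch by message type and start of the authentication process.
     *
     * @param httpServletRequest current HTTP request
     * @param httpServletResponse current HTTP response
     * @param pvpSProfilePendingRequest the pending request holding the decoded message
     * @throws InvalidProtocolRequestException if the message has no issuer ({@code pvp2.20})
     * @throws InvalidPvpRequestException if neither this class nor the subclass handles the message type
     *         ({@code pvp2.09})
     * @throws Throwable on signature-verification or authentication errors
     */
    protected void preProcess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
            PvpSProfilePendingRequest pvpSProfilePendingRequest) throws Throwable {
        final PvpSProfileRequest request = pvpSProfilePendingRequest.getRequest();
        if (request == null || StringUtils.isEmpty(request.getEntityID())) {
            throw new InvalidProtocolRequestException("pvp2.20", new Object[0]);
        }
        if (!request.isVerified()) {
            // the signature must chain to a key published in the SP's metadata; the flag avoids re-verification
            this.samlVerificationEngine.verify(request,
                    TrustEngineFactory.getSignatureKnownKeysTrustEngine(this.metadataProvider));
            request.setVerified(true);
        }
        this.revisionsLogger.logEvent(pvpSProfilePendingRequest, 3000, getAuthProtocolIdentifier());

        if (request.getSamlRequest() instanceof AuthnRequest) {
            preProcessAuthRequest(httpServletRequest, pvpSProfilePendingRequest);
        } else if (childPreProcess(httpServletRequest, httpServletResponse, pvpSProfilePendingRequest)) {
            log.debug("Find protocol handler in child implementation");
        } else {
            // null-safe: a missing message previously ended in a NullPointerException here
            final Object samlMessage = request.getSamlRequest();
            final String messageType = samlMessage == null ? "null" : samlMessage.getClass().getName();
            log.error("Receive unsupported PVP21 message of type: {}", messageType);
            throw new InvalidPvpRequestException("pvp2.09", new Object[]{messageType});
        }
        this.protAuthService.performAuthentication(httpServletRequest, httpServletResponse, pvpSProfilePendingRequest);
    }

    /**
     * Validates an {@code AuthnRequest} against the SP's metadata and fills the pending request with the
     * data needed to answer it (entity-id, binding, AssertionConsumerService URL, passive/force flags).
     *
     * @param httpServletRequest current HTTP request
     * @param pvpSProfilePendingRequest the pending request whose message is an {@code AuthnRequest}
     * @throws InvalidPvpRequestException if the message is not an {@code AuthnRequest}
     * @throws NoMetadataInformationException if no metadata or no SP role descriptor is available
     * @throws AuthnRequestValidatorException if the IssueInstant is missing or not acceptable
     * @throws InvalidAssertionConsumerServiceException if the requested response endpoint is not published
     *         in the SP's metadata
     * @throws Throwable on errors raised by the post-processors
     */
    protected void preProcessAuthRequest(HttpServletRequest httpServletRequest,
            PvpSProfilePendingRequest pvpSProfilePendingRequest) throws Throwable {
        final PvpSProfileRequest request = pvpSProfilePendingRequest.getRequest();
        if (!(request.getSamlRequest() instanceof AuthnRequest)) {
            throw new InvalidPvpRequestException("Unsupported request", new Object[0]);
        }
        final AuthnRequest authnRequest = (AuthnRequest) request.getSamlRequest();

        final EntityDescriptor entityMetadata = request.getEntityMetadata(this.metadataProvider);
        if (entityMetadata == null) {
            throw new NoMetadataInformationException();
        }
        final SPSSODescriptor spSsoDescriptor = entityMetadata.getSPSSODescriptor(SAML2_PROTOCOL_NS);
        if (spSsoDescriptor == null) {
            // metadata without an SP role cannot be validated against; previously a NullPointerException
            log.warn("Metadata of {} contains no SPSSODescriptor", entityMetadata.getEntityID());
            throw new NoMetadataInformationException();
        }

        validateIssueInstant(authnRequest, pvpSProfilePendingRequest);
        final AssertionConsumerService consumerService = resolveAssertionConsumerService(authnRequest, spSsoDescriptor);

        // the descriptor resolved above is reused instead of a second metadata lookup
        final String entityId = entityMetadata.getEntityID();
        log.info("Dispatch PVP2 AuthnRequest: OAURL={} Binding={}", entityId, consumerService.getBinding());
        // NOTE(review): the HTML-escaped entity-id is also the key for the configuration lookup below, so an
        // entity-id containing '&', '<', '>' or quotes would not match its own configuration — confirm intended
        pvpSProfilePendingRequest.setSpEntityId(StringEscapeUtils.escapeHtml(entityId));
        pvpSProfilePendingRequest.setOnlineApplicationConfiguration(
                this.authConfig.getServiceProviderConfiguration(pvpSProfilePendingRequest.getSpEntityId()));
        pvpSProfilePendingRequest.setBinding(consumerService.getBinding());
        pvpSProfilePendingRequest.setRequest(request);
        pvpSProfilePendingRequest.setConsumerUrl(consumerService.getLocation());
        pvpSProfilePendingRequest.setPassiv(authnRequest.isPassive().booleanValue());
        pvpSProfilePendingRequest.setForce(authnRequest.isForceAuthn().booleanValue());
        pvpSProfilePendingRequest.setNeedAuthentication(true);
        pvpSProfilePendingRequest.setAction(AuthenticationAction.class.getName());

        log.trace("Starting extended AuthnRequest validation and processing ... ");
        if (this.authRequestPostProcessors != null) {
            for (IAuthnRequestPostProcessor postProcessor : this.authRequestPostProcessors) {
                log.trace("Post-process AuthnRequest with module: {}", postProcessor.getClass().getSimpleName());
                postProcessor.process(httpServletRequest, pvpSProfilePendingRequest, authnRequest, spSsoDescriptor);
            }
        }
        log.debug("Extended AuthnRequest validation and processing finished");
        this.revisionsLogger.logEvent(pvpSProfilePendingRequest, 3101, authnRequest.getID());
    }

    /**
     * Checks that the request carries an IssueInstant that does not lie more than
     * {@link #ISSUE_INSTANT_SKEW_MINUTES} in the future.
     *
     * @param authnRequest the request under validation
     * @param pendingReq the pending request, attached to the exception for error reporting
     * @throws AuthnRequestValidatorException if the IssueInstant is missing or too far in the future
     */
    private static void validateIssueInstant(AuthnRequest authnRequest, PvpSProfilePendingRequest pendingReq)
            throws AuthnRequestValidatorException {
        if (authnRequest.getIssueInstant() == null) {
            log.warn("Unsupported request: No IssueInstant Attribute found.");
            throw new AuthnRequestValidatorException("pvp2.22",
                    new Object[]{"Unsupported request: No IssueInstant Attribute found"}, pendingReq);
        }
        // NOTE(review): only a future IssueInstant beyond the skew is rejected; an arbitrarily old request
        // passes this check. If replay protection of stale AuthnRequests is expected here rather than in a
        // post-processor, an upper age bound is missing — confirm against the protocol requirements.
        if (authnRequest.getIssueInstant().minusMinutes(ISSUE_INSTANT_SKEW_MINUTES).isAfterNow()) {
            log.warn("Unsupported request: No IssueInstant DateTime is not valid anymore.");
            throw new AuthnRequestValidatorException("pvp2.22",
                    new Object[]{"Unsupported request: No IssueInstant DateTime is not valid anymore."}, pendingReq);
        }
    }

    /**
     * Determines the endpoint the response must be sent to, accepting only endpoints published in the SP's
     * metadata so that a forged request cannot redirect the response elsewhere.
     *
     * @param authnRequest the request naming the endpoint explicitly (URL and binding) or by index
     * @param spSsoDescriptor the SP role descriptor from the SP's metadata
     * @return the selected AssertionConsumerService
     * @throws InvalidAssertionConsumerServiceException if the explicit endpoint is not published, or the
     *         index lies outside the published list
     */
    private static AssertionConsumerService resolveAssertionConsumerService(AuthnRequest authnRequest,
            SPSSODescriptor spSsoDescriptor) throws InvalidAssertionConsumerServiceException {
        final String requestedUrl = authnRequest.getAssertionConsumerServiceURL();
        final String requestedBinding = authnRequest.getProtocolBinding();
        final List<AssertionConsumerService> declaredServices = spSsoDescriptor.getAssertionConsumerServices();

        if (StringUtils.isNotEmpty(requestedUrl) && StringUtils.isNotEmpty(requestedBinding)) {
            // explicit endpoint: accept only an exact (binding, location) pair from the metadata
            for (AssertionConsumerService declared : declaredServices) {
                if (requestedBinding.equals(declared.getBinding()) && requestedUrl.equals(declared.getLocation())) {
                    log.debug("Requested AssertionConsumerServiceURL is valid.");
                    final AssertionConsumerService selected =
                            (AssertionConsumerService) Saml2Utils.createSamlObject(AssertionConsumerService.class);
                    selected.setBinding(requestedBinding);
                    selected.setLocation(requestedUrl);
                    return selected;
                }
            }
            throw new InvalidAssertionConsumerServiceException(requestedUrl);
        }

        // endpoint by index; as in the original, the index is a position in the metadata list and is not
        // matched against the "index" attribute of the AssertionConsumerService elements
        final Integer requestedIndex = authnRequest.getAssertionConsumerServiceIndex();
        final int index = requestedIndex != null
                ? requestedIndex.intValue()
                : Saml2Utils.getDefaultAssertionConsumerServiceIndex(spSsoDescriptor);
        if (index < 0 || index >= declaredServices.size()) {
            // a client-supplied index outside the list previously surfaced as an IndexOutOfBoundsException
            throw new InvalidAssertionConsumerServiceException(index);
        }
        final AssertionConsumerService selected = declaredServices.get(index);
        if (selected == null) {
            throw new InvalidAssertionConsumerServiceException(index);
        }
        return selected;
    }

    /**
     * Fails fast at start-up when no signing credential provider was injected, since every outbound
     * response would otherwise fail at signing time.
     *
     * @throws IllegalStateException if {@link #setPvpIdpCredentials} was never called
     */
    @PostConstruct
    private void verifyInitialization() {
        if (this.pvpIdpCredentials == null) {
            log.error("No SAML2 credentialProvider injected!");
            throw new IllegalStateException("No SAML2 credentialProvider injected!");
        }
    }
}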
