package at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder;

import at.gv.egiz.eaaf.core.api.data.ILoALevelMapper;
import at.gv.egiz.eaaf.core.api.idp.IAuthData;
import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration;
import at.gv.egiz.eaaf.core.api.idp.slo.SloInformationInterface;
import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException;
import at.gv.egiz.eaaf.core.impl.data.Pair;
import at.gv.egiz.eaaf.core.impl.utils.Random;
import at.gv.egiz.eaaf.modules.pvp2.PvpConstants;
import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception;
import at.gv.egiz.eaaf.modules.pvp2.exception.QaaNotSupportedException;
import at.gv.egiz.eaaf.modules.pvp2.idp.api.builder.ISubjectNameIdGenerator;
import at.gv.egiz.eaaf.modules.pvp2.idp.exception.ResponderErrorException;
import at.gv.egiz.eaaf.modules.pvp2.idp.exception.UnprovideableAttributeException;
import at.gv.egiz.eaaf.modules.pvp2.idp.impl.PvpSProfilePendingRequest;
import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpAttributeBuilder;
import at.gv.egiz.eaaf.modules.pvp2.impl.utils.QaaLevelVerifier;
import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.apache.commons.lang3.StringUtils;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeQuery;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml.saml2.core.Audience;
import org.opensaml.saml.saml2.core.AudienceRestriction;
import org.opensaml.saml.saml2.core.AuthnContext;
import org.opensaml.saml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.opensaml.saml.saml2.core.Conditions;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.RequestedAuthnContext;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.saml2.core.SubjectConfirmationData;
import org.opensaml.saml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml.saml2.metadata.AttributeConsumingService;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.NameIDFormat;
import org.opensaml.saml.saml2.metadata.RequestedAttribute;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

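/**
 * Builds SAML 2.0 {@link Assertion}s issued by the PVP2 S-Profile IdP.
 *
 * <p>Two entry points exist: {@link #buildAssertion(String, AttributeQuery, List, Instant, Instant, String, String)}
 * for responses to an {@link AttributeQuery} and
 * {@link #buildAssertion(String, PvpSProfilePendingRequest, AuthnRequest, IAuthData, EntityDescriptor, Instant,
 * AssertionConsumerService, SloInformationInterface)} for responses to an {@link AuthnRequest}. Both delegate the
 * actual assembly of the assertion to {@link #buildGenericAssertion}.
 *
 * <p>The class holds no mutable state of its own beyond the two injected collaborators.
 */
@Service("PVP2AssertionBuilder")
public class Pvp2AssertionBuilder implements PvpConstants {
    private static final Logger log = LoggerFactory.getLogger(Pvp2AssertionBuilder.class);

    private static final String SAML2_PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol";
    private static final String NAMEID_FORMAT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient";
    private static final String NAMEID_FORMAT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";
    private static final String NAMEID_FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";
    private static final String NAMEID_FORMAT_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity";
    private static final String SUBJECT_CONFIRMATION_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer";
    private static final String EIDAS_LOA_PREFIX = "http://eidas.europa.eu/LoA/";
    private static final String DEFAULT_LOA_MATCHING_MODE = "minimum";
    // Key under which the pending request stores the requester's IP address (raw-data map key, must stay as-is).
    private static final String PENDING_REQ_REQUESTER_IP = "reqestImpl_requesterIPAddr";
    private static final String TRANSIENT_ID_DIGEST = "SHA-1";

    @Autowired
    private ILoALevelMapper loaLevelMapper;

    @Autowired
    private ISubjectNameIdGenerator subjectNameIdGenerator;

    /**
     * Builds an assertion that answers an {@link AttributeQuery}.
     *
     * <p>The subject {@link NameID} (format and value) is copied from the query's subject; the audience is the
     * query's issuer. No {@link SubjectConfirmationData} is attached.
     *
     * @param issuerEntityId entityID of this IdP (a single trailing '/' is stripped)
     * @param attributeQuery the query being answered; must carry a Subject with a NameID
     * @param attributes attributes to place into the AttributeStatement (may be empty)
     * @param authnInstant AuthnInstant of the AuthnStatement and NotBefore of the Conditions
     * @param validTo NotOnOrAfter of the Conditions
     * @param loaUri URI written into the AuthnContextClassRef
     * @param sessionIndex SessionIndex of the AuthnStatement
     * @return the assembled, unsigned assertion
     * @throws Pvp2Exception if the generic assertion could not be built
     * @throws IllegalArgumentException if the query carries no Subject or no NameID
     */
    public Assertion buildAssertion(String issuerEntityId, AttributeQuery attributeQuery, List<Attribute> attributes,
            Instant authnInstant, Instant validTo, String loaUri, String sessionIndex) throws Pvp2Exception {
        if (attributeQuery.getSubject() == null || attributeQuery.getSubject().getNameID() == null) {
            throw new IllegalArgumentException("AttributeQuery carries no Subject/NameID");
        }
        NameID queriedNameId = attributeQuery.getSubject().getNameID();

        AuthnContextClassRef authnContextClassRef =
                (AuthnContextClassRef) Saml2Utils.createSamlObject(AuthnContextClassRef.class);
        authnContextClassRef.setURI(loaUri);

        NameID nameId = (NameID) Saml2Utils.createSamlObject(NameID.class);
        nameId.setFormat(queriedNameId.getFormat());
        nameId.setValue(queriedNameId.getValue());

        return buildGenericAssertion(issuerEntityId, attributeQuery.getIssuer().getValue(), authnInstant,
                authnContextClassRef, attributes, nameId, null, sessionIndex, validTo);
    }

    /**
     * Builds an assertion that answers an {@link AuthnRequest}.
     *
     * <p>Steps: verify the user's eIDAS LoA against what the SP requested/configured, collect the attributes the
     * SP's metadata asks for, derive the subject NameID in the negotiated format, build the bearer
     * SubjectConfirmationData and record NameID/session index in {@code sloInformation}.
     *
     * @param issuerEntityId entityID of this IdP (a single trailing '/' is stripped)
     * @param pendingReq the pending request; supplies the SP configuration and the requester's IP address
     * @param authnRequest the request being answered
     * @param authData authentication data of the user
     * @param spMetadata SAML metadata of the SP; must contain an SPSSODescriptor for the SAML 2.0 protocol
     * @param authnInstant AuthnInstant of the AuthnStatement and NotBefore of the Conditions
     * @param acs the AssertionConsumerService the response is sent to (used as Recipient)
     * @param sloInformation receives the NameID value/format and the session index for single logout
     * @return the assembled, unsigned assertion
     * @throws QaaNotSupportedException if the request names no LoA this IdP can interpret
     * @throws UnprovideableAttributeException if a required attribute cannot be provided
     * @throws ResponderErrorException if the transient NameID cannot be derived
     * @throws Pvp2Exception if the LoA verification fails or the assertion cannot be built
     * @throws IllegalStateException if the SP metadata has no SAML 2.0 SPSSODescriptor
     */
    public Assertion buildAssertion(String issuerEntityId, PvpSProfilePendingRequest pendingReq,
            AuthnRequest authnRequest, IAuthData authData, EntityDescriptor spMetadata, Instant authnInstant,
            AssertionConsumerService acs, SloInformationInterface sloInformation) throws Pvp2Exception {
        ISpConfiguration spConfig = pendingReq.getServiceProviderConfiguration();

        AuthnContextClassRef authnContextClassRef = buildAuthnContextClassRef(authnRequest, authData, spConfig);

        SPSSODescriptor spSsoDescriptor = spMetadata.getSPSSODescriptor(SAML2_PROTOCOL_NS);
        if (spSsoDescriptor == null) {
            throw new IllegalStateException("SP metadata of '" + spMetadata.getEntityID()
                    + "' contains no SPSSODescriptor for " + SAML2_PROTOCOL_NS);
        }

        AttributeConsumingService attrService =
                selectAttributeConsumingService(spSsoDescriptor, authnRequest.getAttributeConsumingServiceIndex());
        List<Attribute> attributes = buildRequestedAttributes(attrService, spConfig, authData);

        // Subject NameID: negotiated format decides whether the generated identifier is used directly or
        // replaced by a one-time (transient) value.
        String nameIdFormat = selectNameIdFormat(authnRequest, spSsoDescriptor);
        Pair<String, String> subjectNameId = this.subjectNameIdGenerator.generateSubjectNameId(authData, spConfig);
        NameID nameId = (NameID) Saml2Utils.createSamlObject(NameID.class);
        if (NAMEID_FORMAT_TRANSIENT.equals(nameIdFormat) || NAMEID_FORMAT_UNSPECIFIED.equals(nameIdFormat)) {
            // Transient/unspecified: one-time value without qualifier, so sessions are not linkable via the NameID.
            nameId.setValue(buildTransientNameIdValue(subjectNameId.getFirst()));
            nameId.setNameQualifier(null);
            nameId.setFormat(NAMEID_FORMAT_TRANSIENT);
        } else {
            nameId.setValue(subjectNameId.getFirst());
            nameId.setNameQualifier(subjectNameId.getSecond());
            nameId.setFormat(nameIdFormat);
        }

        // Existing SSO session: re-use its NameID value and session index, but only when the format the SP
        // negotiated now is the one the stored NameID was issued in.
        String sessionIndex = null;
        if (StringUtils.isNotEmpty(authData.getNameID()) && StringUtils.isNotEmpty(authData.getNameIdFormat())
                && nameIdFormat.equals(authData.getNameIdFormat())) {
            nameId.setValue(authData.getNameID());
            sessionIndex = authData.getSessionIndex();
        }
        if (StringUtils.isEmpty(sessionIndex)) {
            sessionIndex = Saml2Utils.getSecureIdentifier();
        }

        SubjectConfirmationData confirmationData =
                (SubjectConfirmationData) Saml2Utils.createSamlObject(SubjectConfirmationData.class);
        confirmationData.setInResponseTo(authnRequest.getID());
        // NOTE(review): assumes getSsoSessionValidTo() is never null; a null here would also leave the
        // Conditions without NotOnOrAfter (see the last argument below) — confirm against IAuthData.
        confirmationData.setNotOnOrAfter(authData.getSsoSessionValidTo());
        confirmationData.setRecipient(acs.getLocation());
        String requesterIp = (String) pendingReq.getRawData(PENDING_REQ_REQUESTER_IP, String.class);
        if (StringUtils.isNotEmpty(requesterIp)) {
            confirmationData.setAddress(requesterIp);
        }

        sloInformation.setUserNameIdentifier(nameId.getValue());
        sloInformation.setNameIdFormat(nameId.getFormat());
        sloInformation.setSessionIndex(sessionIndex);

        return buildGenericAssertion(issuerEntityId, spMetadata.getEntityID(), authnInstant, authnContextClassRef,
                attributes, nameId, confirmationData, sessionIndex, confirmationData.getNotOnOrAfter());
    }

    /**
     * Verifies the user's eIDAS LoA against the LoA the SP requested and/or has configured and returns an
     * AuthnContextClassRef carrying the user's LoA.
     *
     * <p>A missing RequestedAuthnContext is treated exactly like one without AuthnContextClassRefs: in both cases
     * the SP did not ask for a specific LoA, so the SP's configured required LoA is enforced. Requested refs that
     * are not eIDAS LoA URIs are translated via {@link ILoALevelMapper} when one is available.
     *
     * @throws QaaNotSupportedException if refs were requested but none could be interpreted
     * @throws Pvp2Exception if {@link QaaLevelVerifier} rejects the user's LoA
     */
    private AuthnContextClassRef buildAuthnContextClassRef(AuthnRequest authnRequest, IAuthData authData,
            ISpConfiguration spConfig) throws Pvp2Exception {
        String userLoa = authData.getEidasQaaLevel();
        String matchingMode = spConfig.getLoAMatchingMode();
        if (StringUtils.isEmpty(matchingMode)) {
            matchingMode = DEFAULT_LOA_MATCHING_MODE;
        }

        RequestedAuthnContext requestedCtx = authnRequest.getRequestedAuthnContext();
        List<AuthnContextClassRef> requestedRefs =
                requestedCtx == null ? null : requestedCtx.getAuthnContextClassRefs();

        if (requestedRefs == null || requestedRefs.isEmpty()) {
            QaaLevelVerifier.verifyQaaLevel(userLoa, spConfig.getRequiredLoA(), matchingMode);
        } else {
            // Accepted set = SP's configured LoA plus every interpretable LoA from the request.
            Set<String> acceptedLoa = new HashSet<>();
            acceptedLoa.addAll(spConfig.getRequiredLoA());
            for (AuthnContextClassRef requestedRef : requestedRefs) {
                String uri = requestedRef.getURI();
                if (StringUtils.isBlank(uri)) {
                    continue;
                }
                String trimmed = uri.trim();
                if (trimmed.startsWith(EIDAS_LOA_PREFIX)) {
                    acceptedLoa.add(trimmed);
                } else if (this.loaLevelMapper != null) {
                    log.debug("Find no eIDAS LoA in AuthnReq. Start mapping process ... ");
                    String mapped = this.loaLevelMapper.mapToEidasLoa(trimmed);
                    // A mapper that yields nothing must not put null into the accepted set.
                    if (StringUtils.isNotEmpty(mapped)) {
                        acceptedLoa.add(mapped);
                    } else {
                        log.debug("LoA '" + trimmed + "' can not be mapped to an eIDAS LoA, ignore it");
                    }
                } else {
                    log.debug("AuthnRequest contains no eIDAS LoA. NO LoA mapper FOUND, ignore '" + trimmed + "'");
                }
            }
            if (acceptedLoa.isEmpty()) {
                log.info("Authn. request contains no supported LoA level. Stop authentication process ... ");
                throw new QaaNotSupportedException("No supported LoA in Authn. request");
            }
            QaaLevelVerifier.verifyQaaLevel(userLoa, acceptedLoa, matchingMode);
        }

        AuthnContextClassRef authnContextClassRef =
                (AuthnContextClassRef) Saml2Utils.createSamlObject(AuthnContextClassRef.class);
        authnContextClassRef.setURI(userLoa);
        return authnContextClassRef;
    }

    /**
     * Picks the AttributeConsumingService of the SP that applies to this request.
     *
     * <p>Order: the service whose {@code index} attribute equals the request's AttributeConsumingServiceIndex,
     * then (compatibility with the former positional lookup) the service at that list position if it exists,
     * then the first service flagged {@code isDefault}, then the first service in the list.
     * The index comes from the AuthnRequest, so it is bounds-checked and never used blindly as a list position.
     *
     * @return the selected service, or {@code null} if the SP publishes none
     */
    private static AttributeConsumingService selectAttributeConsumingService(SPSSODescriptor spSsoDescriptor,
            Integer requestedIndex) {
        List<AttributeConsumingService> services = spSsoDescriptor.getAttributeConsumingServices();
        if (services == null || services.isEmpty()) {
            return null;
        }

        if (requestedIndex != null) {
            for (AttributeConsumingService candidate : services) {
                if (requestedIndex.equals(candidate.getIndex())) {
                    return candidate;
                }
            }
            if (requestedIndex >= 0 && requestedIndex < services.size()) {
                return services.get(requestedIndex);
            }
            log.warn("AuthnRequest references AttributeConsumingServiceIndex {} that does not exist in SP metadata,"
                    + " falling back to default service", requestedIndex);
        }

        for (AttributeConsumingService candidate : services) {
            if (Boolean.TRUE.equals(candidate.isDefault())) {
                return candidate;
            }
        }
        return services.get(0);
    }

    /**
     * Builds every attribute the given AttributeConsumingService requests.
     *
     * <p>Attributes that cannot be built are skipped unless the SP marks them {@code isRequired}, in which case
     * an {@link UnprovideableAttributeException} is raised for the first such attribute.
     *
     * @return the attributes that could be built; empty if {@code service} is {@code null}
     */
    private static List<Attribute> buildRequestedAttributes(AttributeConsumingService service,
            ISpConfiguration spConfig, IAuthData authData) throws UnprovideableAttributeException {
        List<Attribute> attributes = new ArrayList<>();
        if (service == null) {
            return attributes;
        }

        for (RequestedAttribute requested : service.getRequestedAttributes()) {
            Attribute built;
            try {
                built = PvpAttributeBuilder.buildAttribute(requested.getName(), spConfig, authData);
            } catch (UnavailableAttributeException e) {
                log.info("Attribute generation for " + requested.getFriendlyName() + " not possible.");
                rejectIfRequired(requested);
                continue;
            } catch (Pvp2Exception e) {
                log.info("Attribute generation failed! for " + requested.getFriendlyName());
                rejectIfRequired(requested);
                continue;
            } catch (Exception e) {
                log.warn("General Attribute generation failed! for " + requested.getFriendlyName(), e);
                rejectIfRequired(requested);
                continue;
            }

            if (built == null) {
                rejectIfRequired(requested);
            } else {
                attributes.add(built);
            }
        }
        return attributes;
    }

    /** Throws {@link UnprovideableAttributeException} when the SP marks the attribute as required. */
    private static void rejectIfRequired(RequestedAttribute requested) throws UnprovideableAttributeException {
        if (Boolean.TRUE.equals(requested.isRequired())) {
            throw new UnprovideableAttributeException(requested.getName());
        }
    }

    /**
     * Determines the NameID format to use.
     *
     * <p>An explicit format in the request's NameIDPolicy wins. Otherwise the SP's metadata is scanned in order:
     * a {@code persistent} entry selects persistent, a {@code transient} or {@code unspecified} entry stops the
     * scan and keeps the default. The default is {@code transient}.
     */
    private static String selectNameIdFormat(AuthnRequest authnRequest, SPSSODescriptor spSsoDescriptor) {
        if (authnRequest.getNameIDPolicy() != null
                && StringUtils.isNotEmpty(authnRequest.getNameIDPolicy().getFormat())) {
            return authnRequest.getNameIDPolicy().getFormat();
        }

        List<NameIDFormat> formats = spSsoDescriptor.getNameIDFormats();
        if (formats != null) {
            for (NameIDFormat format : formats) {
                String uri = format.getURI();
                if (NAMEID_FORMAT_PERSISTENT.equals(uri)) {
                    return NAMEID_FORMAT_PERSISTENT;
                }
                if (NAMEID_FORMAT_TRANSIENT.equals(uri) || NAMEID_FORMAT_UNSPECIFIED.equals(uri)) {
                    break;
                }
            }
        }
        return NAMEID_FORMAT_TRANSIENT;
    }

    /**
     * Derives a one-time NameID value: Base64(SHA-1(subjectId || random)).
     *
     * <p>Unlinkability rests on the fresh random suffix from {@link Random#nextHexRandom32()}, not on the digest;
     * the digest only fixes the output shape. The input is encoded as ISO-8859-1 to keep the value stable with
     * earlier releases.
     *
     * @throws ResponderErrorException if the value cannot be computed
     */
    private static String buildTransientNameIdValue(String subjectId) throws ResponderErrorException {
        try {
            byte[] input = (subjectId + Random.nextHexRandom32()).getBytes(StandardCharsets.ISO_8859_1);
            byte[] digest = MessageDigest.getInstance(TRANSIENT_ID_DIGEST).digest(input);
            return Base64.getEncoder().encodeToString(digest);
        } catch (Exception e) {
            // Kept broad: the failure contract of Random.nextHexRandom32() is not visible here.
            log.warn("PVP2 subjectNameID error", e);
            throw new ResponderErrorException("internal.03", null, e);
        }
    }

    /**
     * Assembles an assertion from already prepared parts.
     *
     * <p>Produces: an AuthnStatement (AuthnInstant, SessionIndex, AuthnContext), an AttributeStatement only when
     * at least one attribute is given, a Subject with one bearer SubjectConfirmation, Conditions with
     * NotBefore/NotOnOrAfter and a single AudienceRestriction, an entity-format Issuer, a secure random ID and
     * the IssueInstant.
     *
     * @param issuerEntityId entityID of this IdP; a single trailing '/' is stripped
     * @param audience entityID of the SP placed into the AudienceRestriction
     * @param authnInstant AuthnInstant, NotBefore and IssueInstant
     * @param authnContextClassRef LoA of the authentication
     * @param attributes attributes for the AttributeStatement; {@code null} is treated as empty
     * @param nameId subject NameID
     * @param subjectConfirmationData bearer confirmation data; may be {@code null} (AttributeQuery responses)
     * @param sessionIndex SessionIndex of the AuthnStatement
     * @param validTo NotOnOrAfter of the Conditions
     * @return the assembled, unsigned assertion
     * @throws ResponderErrorException declared for API compatibility; not raised by this implementation
     */
    public Assertion buildGenericAssertion(String issuerEntityId, String audience, Instant authnInstant,
            AuthnContextClassRef authnContextClassRef, List<Attribute> attributes, NameID nameId,
            SubjectConfirmationData subjectConfirmationData, String sessionIndex, Instant validTo)
            throws ResponderErrorException {
        Assertion assertion = (Assertion) Saml2Utils.createSamlObject(Assertion.class);

        AuthnContext authnContext = (AuthnContext) Saml2Utils.createSamlObject(AuthnContext.class);
        authnContext.setAuthnContextClassRef(authnContextClassRef);
        AuthnStatement authnStatement = (AuthnStatement) Saml2Utils.createSamlObject(AuthnStatement.class);
        authnStatement.setAuthnInstant(authnInstant);
        authnStatement.setSessionIndex(sessionIndex);
        authnStatement.setAuthnContext(authnContext);
        assertion.getAuthnStatements().add(authnStatement);

        // An empty AttributeStatement is not emitted at all.
        if (attributes != null && !attributes.isEmpty()) {
            AttributeStatement attributeStatement =
                    (AttributeStatement) Saml2Utils.createSamlObject(AttributeStatement.class);
            attributeStatement.getAttributes().addAll(attributes);
            assertion.getAttributeStatements().add(attributeStatement);
        }

        Subject subject = (Subject) Saml2Utils.createSamlObject(Subject.class);
        subject.setNameID(nameId);
        SubjectConfirmation subjectConfirmation =
                (SubjectConfirmation) Saml2Utils.createSamlObject(SubjectConfirmation.class);
        subjectConfirmation.setMethod(SUBJECT_CONFIRMATION_BEARER);
        subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData);
        subject.getSubjectConfirmations().add(subjectConfirmation);

        Audience audienceElement = (Audience) Saml2Utils.createSamlObject(Audience.class);
        audienceElement.setURI(audience);
        AudienceRestriction audienceRestriction =
                (AudienceRestriction) Saml2Utils.createSamlObject(AudienceRestriction.class);
        audienceRestriction.getAudiences().add(audienceElement);
        Conditions conditions = (Conditions) Saml2Utils.createSamlObject(Conditions.class);
        conditions.setNotBefore(authnInstant);
        conditions.setNotOnOrAfter(validTo);
        conditions.getAudienceRestrictions().add(audienceRestriction);
        assertion.setConditions(conditions);

        // Issuer must match the IdP's metadata entityID, which is published without a trailing slash.
        String issuerValue = issuerEntityId.endsWith("/")
                ? issuerEntityId.substring(0, issuerEntityId.length() - 1)
                : issuerEntityId;
        Issuer issuer = (Issuer) Saml2Utils.createSamlObject(Issuer.class);
        issuer.setValue(issuerValue);
        issuer.setFormat(NAMEID_FORMAT_ENTITY);

        assertion.setIssuer(issuer);
        assertion.setSubject(subject);
        assertion.setID(Saml2Utils.getSecureIdentifier());
        assertion.setIssueInstant(authnInstant);
        return assertion;
    }
}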
