package pl.edu.icm.unity.saml.idp.processor;

import eu.emi.security.authn.x509.X509Credential;
import eu.unicore.samly2.SAMLConstants;
import eu.unicore.samly2.assertion.Assertion;
import eu.unicore.samly2.binding.SAMLMessageType;
import eu.unicore.samly2.elements.Subject;
import eu.unicore.samly2.exceptions.SAMLRequesterException;
import eu.unicore.samly2.proto.AssertionResponse;
import io.imunity.idp.AccessProtocol;
import io.imunity.idp.ApplicationId;
import io.imunity.idp.LastIdPClinetAccessAttributeManagement;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collection;
import java.util.List;
import java.util.TimeZone;
import org.apache.logging.log4j.Logger;
import pl.edu.icm.unity.base.attribute.Attribute;
import pl.edu.icm.unity.base.entity.EntityParam;
import pl.edu.icm.unity.base.exceptions.EngineException;
import pl.edu.icm.unity.base.identity.IdentityParam;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.attributes.AttributeTypeSupport;
import pl.edu.icm.unity.saml.SAMLProcessingException;
import pl.edu.icm.unity.saml.idp.SAMLIdPConfiguration;
import pl.edu.icm.unity.saml.idp.ctx.SAMLAuthnContext;
import pl.edu.icm.unity.saml.slo.SamlRoutableSignableMessage;
import xmlbeans.org.oasis.saml2.assertion.AuthnContextType;
import xmlbeans.org.oasis.saml2.assertion.SubjectConfirmationDataType;
import xmlbeans.org.oasis.saml2.assertion.SubjectConfirmationType;
import xmlbeans.org.oasis.saml2.assertion.SubjectLocalityType;
import xmlbeans.org.oasis.saml2.assertion.SubjectType;
import xmlbeans.org.oasis.saml2.protocol.AuthnRequestDocument;
import xmlbeans.org.oasis.saml2.protocol.AuthnRequestType;
import xmlbeans.org.oasis.saml2.protocol.NameIDPolicyType;
import xmlbeans.org.oasis.saml2.protocol.ResponseDocument;

/* loaded from: input_file:pl/edu/icm/unity/saml/idp/processor/AuthnResponseProcessor.class */
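/**
 * Builds the SAML 2.0 Response to an AuthnRequest for an already authenticated principal.
 *
 * <p>The response carries an authentication assertion (with a bearer subject confirmation bound to
 * the request ID, the requester's return address and a validity deadline) and, unless the
 * configuration asks for a single assertion, a separate attribute assertion. Assertion and
 * response signing follow the configured policy; the response is only signed when a Destination is
 * known.
 *
 * <p>Not thread-safe: {@code sessionId} and {@code authenticatedSubject} are written while a
 * request is processed and read back through the getters.
 */
public class AuthnResponseProcessor extends BaseResponseProcessor<AuthnRequestDocument, AuthnRequestType> {
    private static final Logger log = Log.getLogger("unity.server.saml", AuthnResponseProcessor.class);

    private static final String BEARER_CONFIRMATION_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer";
    private static final String ENTITY_NAME_ID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity";
    private static final String UNSPECIFIED_AUTHN_CONTEXT_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified";
    private static final String UNSPECIFIED_NAME_ID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";
    private static final String PERSISTENT_NAME_ID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";
    private static final String UTC_TIMEZONE_ID = "UTC";

    /** ID of the authentication assertion issued last; null until an assertion is created. */
    private String sessionId;
    /** Subject placed in the authentication assertion issued last; null until then. */
    private SubjectType authenticatedSubject;
    private final LastIdPClinetAccessAttributeManagement lastAccessAttributeManagement;

    /**
     * Creates a processor whose timestamps are taken from a fresh UTC {@link Calendar}.
     *
     * @param attributeTypeSupport attribute type support passed to the base processor
     * @param lastIdPClinetAccessAttributeManagement records the principal's last IdP access
     * @param sAMLAuthnContext context holding the AuthnRequest being answered
     */
    public AuthnResponseProcessor(AttributeTypeSupport attributeTypeSupport, LastIdPClinetAccessAttributeManagement lastIdPClinetAccessAttributeManagement, SAMLAuthnContext sAMLAuthnContext) {
        this(attributeTypeSupport, lastIdPClinetAccessAttributeManagement, sAMLAuthnContext, Calendar.getInstance(TimeZone.getTimeZone(UTC_TIMEZONE_ID)));
    }

    /**
     * Creates a processor with an explicit clock, useful for deterministic tests.
     *
     * @param attributeTypeSupport attribute type support passed to the base processor
     * @param lastIdPClinetAccessAttributeManagement records the principal's last IdP access
     * @param sAMLAuthnContext context holding the AuthnRequest being answered
     * @param calendar time source handed to the base processor
     */
    public AuthnResponseProcessor(AttributeTypeSupport attributeTypeSupport, LastIdPClinetAccessAttributeManagement lastIdPClinetAccessAttributeManagement, SAMLAuthnContext sAMLAuthnContext, Calendar calendar) {
        super(attributeTypeSupport, sAMLAuthnContext, calendar);
        this.lastAccessAttributeManagement = lastIdPClinetAccessAttributeManagement;
    }

    /**
     * Filters the principal's identities down to those whose type matches the NameID format the
     * requester asked for (after mapping the SAML format to a local identity type).
     *
     * @param collection all identities of the authenticated principal
     * @return the matching identities, never empty
     * @throws SAMLRequesterException with {@code UNKNOWN_PRINCIPAL} sub-status when no identity
     *         of the requested format exists
     */
    public List<IdentityParam> getCompatibleIdentities(Collection<? extends IdentityParam> collection) throws SAMLRequesterException {
        String requestedFormat = getRequestedFormat();
        String mappedIdentityType = this.samlConfiguration.idTypeMapper.mapIdentity(requestedFormat);
        List<IdentityParam> compatible = new ArrayList<>();
        for (IdentityParam identity : collection) {
            if (identity.getTypeId().equals(mappedIdentityType)) {
                compatible.add(identity);
            }
        }
        log.debug("Requested identity {}, mapped to {}, returning identities: {}", requestedFormat, mappedIdentityType, compatible);
        if (compatible.isEmpty()) {
            throw new SAMLRequesterException(SAMLConstants.SubStatus.STATUS2_UNKNOWN_PRINCIPAL, "There is no identity of the requested '" + requestedFormat + "' SAML identity format for the authenticated principial.");
        }
        return compatible;
    }

    /**
     * Reports whether the requester permits creating a new identifier for the principal.
     *
     * @return {@code true} when the request carries no NameIDPolicy, otherwise the policy's
     *         AllowCreate flag
     */
    public boolean isIdentityCreationAllowed() {
        NameIDPolicyType nameIDPolicy = this.context.getRequest().getNameIDPolicy();
        return nameIDPolicy == null || nameIDPolicy.getAllowCreate();
    }

    /**
     * Produces the response for the request in the context, honouring the configured
     * single-assertion setting.
     *
     * @param identityParam identity to present as the subject
     * @param collection attributes to release, may be null
     * @param relayState value forwarded unchanged to the routable message
     * @param destination Destination of the response, may be null
     * @return the routable, optionally signed response
     * @throws SAMLRequesterException propagated from assertion creation
     * @throws SAMLProcessingException when the response must be signed but no destination is known
     */
    public SamlRoutableSignableMessage<ResponseDocument> processAuthnRequestReturningResponse(IdentityParam identityParam, Collection<Attribute> collection, String relayState, String destination) throws SAMLRequesterException, SAMLProcessingException {
        return processAuthnRequest(identityParam, collection, this.samlConfiguration.returnSingleAssertion, relayState, destination);
    }

    /**
     * Assembles the OK response: the authentication assertion, an attribute assertion when
     * attributes are released separately, and the signing credential when the response itself is
     * to be signed. Also records the principal's last access over SAML on a best-effort basis.
     *
     * @param identityParam identity to present as the subject
     * @param collection attributes to release, may be null
     * @param returnSingleAssertion when true the attributes go into the authentication assertion
     * @param relayState value forwarded unchanged to the routable message
     *        (presumably the RelayState echoed back to the requester; confirm against
     *        SamlRoutableSignableMessage)
     * @param destination Destination set on the response when non-null
     * @return the routable, optionally signed response
     * @throws SAMLRequesterException propagated from assertion creation
     * @throws SAMLProcessingException when the response must be signed but {@code destination} is null
     */
    protected SamlRoutableSignableMessage<ResponseDocument> processAuthnRequest(IdentityParam identityParam, Collection<Attribute> collection, boolean returnSingleAssertion, String relayState, String destination) throws SAMLRequesterException, SAMLProcessingException {
        SubjectType subject = establishSubject(identityParam);
        AssertionResponse response = getOKResponseDocument();
        if (destination != null) {
            response.getXMLBean().setDestination(destination);
        }
        if (returnSingleAssertion) {
            addAssertionEncrypting(response, createAuthenticationAssertion(subject, collection));
        } else {
            addAssertionEncrypting(response, createAuthenticationAssertion(subject, null));
            if (collection != null) {
                // The attribute assertion gets its own subject copy with sender-vouches
                // confirmation, so the bearer confirmation stays on the authn assertion only.
                SubjectType attributeSubject = cloneSubject(subject);
                setSenderVouchesSubjectConfirmation(attributeSubject);
                Assertion attributeAssertion = createAttributeAssertion(attributeSubject, collection);
                if (attributeAssertion != null) {
                    addAssertionEncrypting(response, attributeAssertion);
                }
            }
        }
        X509Credential signingCredential = null;
        if (doSignResponse()) {
            // A signed response without a Destination is rejected here rather than emitted.
            if (destination == null) {
                throw new SAMLProcessingException("Unable to determine Destination value which is mandatory when signing response is requested");
            }
            signingCredential = this.samlConfiguration.getSamlIssuerCredential();
        }
        recordLastAccess(identityParam);
        return new SamlRoutableSignableMessage<>(response, signingCredential, SAMLMessageType.SAMLResponse, relayState, destination);
    }

    /**
     * Stores the last SAML access timestamp for the principal; failures are logged and do not
     * affect the response.
     */
    private void recordLastAccess(IdentityParam identityParam) {
        try {
            this.lastAccessAttributeManagement.setAttribute(new EntityParam(identityParam), AccessProtocol.SAML, new ApplicationId(this.context.getRequest().getIssuer().getStringValue()), Instant.now());
        } catch (EngineException e) {
            log.error("Can not set last access attribute", e);
        }
    }

    /**
     * Converts the identity into a SAML subject in the requested NameID format and attaches a
     * bearer subject confirmation.
     *
     * @param identityParam identity to convert
     * @return the subject XML bean
     */
    protected SubjectType establishSubject(IdentityParam identityParam) {
        SubjectType subject = convertIdentity(identityParam, getRequestedFormat()).getXBean();
        setBearerSubjectConfirmation(subject);
        return subject;
    }

    /**
     * Replaces the subject's confirmations with a single bearer confirmation whose data is bound
     * to this exchange: InResponseTo = request ID, Recipient = requester's return address,
     * NotOnOrAfter = authentication time plus the configured request validity period.
     *
     * @param subjectType subject to update in place
     */
    protected void setBearerSubjectConfirmation(SubjectType subjectType) {
        SubjectConfirmationType confirmation = SubjectConfirmationType.Factory.newInstance();
        confirmation.setMethod(BEARER_CONFIRMATION_METHOD);
        SubjectConfirmationDataType confirmationData = confirmation.addNewSubjectConfirmationData();
        confirmationData.setInResponseTo(this.context.getRequest().getID());
        Calendar notOnOrAfter = Calendar.getInstance(TimeZone.getTimeZone(UTC_TIMEZONE_ID));
        notOnOrAfter.setTimeInMillis(getAuthnTime().getTimeInMillis() + this.samlConfiguration.requestValidityPeriod.toMillis());
        confirmationData.setNotOnOrAfter(notOnOrAfter);
        confirmationData.setRecipient(this.samlConfiguration.getReturnAddressForRequester((AuthnRequestType) this.context.getRequest()));
        subjectType.setSubjectConfirmationArray(new SubjectConfirmationType[]{confirmation});
    }

    /**
     * Creates the authentication assertion: issuer, subject, default NotOnOrAfter, an authn
     * statement whose session index is the assertion ID, and an audience restriction to the
     * requester. Attributes are embedded when given. The assertion is signed when the policy is
     * {@code always} or when the enclosing response will not be signed.
     *
     * @param subjectType subject of the assertion; also remembered as the authenticated subject
     * @param collection attributes to embed, may be null
     * @return the new assertion
     * @throws SAMLProcessingException propagated from signing or attribute handling
     */
    protected Assertion createAuthenticationAssertion(SubjectType subjectType, Collection<Attribute> collection) throws SAMLProcessingException {
        this.authenticatedSubject = subjectType;
        AuthnContextType authnContext = setupAuthnContext();
        Assertion assertion = new Assertion();
        assertion.setIssuer(this.samlConfiguration.issuerURI, ENTITY_NAME_ID_FORMAT);
        assertion.setSubject(subjectType);
        AssertionTimeConditionSetter.setDefaultNotOnOrAfterInAssertion(assertion);
        // The assertion ID doubles as the session index reported in the authn statement.
        this.sessionId = assertion.getXMLBean().getID();
        assertion.addAuthStatement(getAuthnTime(), authnContext, this.sessionId, (Calendar) null, (SubjectLocalityType) null);
        assertion.setAudienceRestriction(new String[]{this.context.getRequest().getIssuer().getStringValue()});
        if (collection != null) {
            addAttributesToAssertion(assertion, collection);
        }
        if (this.samlConfiguration.setNotBeforeConstraint) {
            AssertionTimeConditionSetter.setDefaultNotBeforeCondition(assertion);
        }
        // Ensure at least one of assertion/response carries a signature.
        boolean signAlways = this.samlConfiguration.signAssertion == SAMLIdPConfiguration.AssertionSigningPolicy.always;
        if (signAlways || !doSignResponse()) {
            signAssertion(assertion);
        }
        return assertion;
    }

    /**
     * Builds the authentication context reported in the authn statement.
     *
     * @return context with the {@code unspecified} class reference
     */
    protected AuthnContextType setupAuthnContext() {
        AuthnContextType authnContext = AuthnContextType.Factory.newInstance();
        authnContext.setAuthnContextClassRef(UNSPECIFIED_AUTHN_CONTEXT_CLASS);
        return authnContext;
    }

    /**
     * Wraps the identity value as a SAML subject in the given NameID format; the SAML 1.1
     * {@code unspecified} format is reported as {@code persistent}.
     *
     * @param identityParam identity whose value becomes the NameID
     * @param str requested NameID format
     * @return the subject
     */
    protected Subject convertIdentity(IdentityParam identityParam, String str) {
        String format = UNSPECIFIED_NAME_ID_FORMAT.equals(str) ? PERSISTENT_NAME_ID_FORMAT : str;
        return new Subject(identityParam.getValue(), format);
    }

    /**
     * Reads the NameID format from the request's NameIDPolicy.
     *
     * @return the requested format, or the SAML 1.1 {@code unspecified} format when the policy
     *         or its format is absent
     */
    protected String getRequestedFormat() {
        NameIDPolicyType nameIDPolicy = getContext().getRequest().getNameIDPolicy();
        String format = nameIDPolicy == null ? null : nameIDPolicy.getFormat();
        return format == null ? UNSPECIFIED_NAME_ID_FORMAT : format;
    }

    /** @return ID of the last issued authentication assertion, or null before one is created */
    public String getSessionId() {
        return this.sessionId;
    }

    /** @return subject of the last issued authentication assertion, or null before one is created */
    public SubjectType getAuthenticatedSubject() {
        return this.authenticatedSubject;
    }
}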
