package pl.edu.icm.unity.saml.idp.web.filter;

import eu.unicore.samly2.exceptions.SAMLRequesterException;
import eu.unicore.security.dsig.DSigException;
import io.imunity.idp.LastIdPClinetAccessAttributeManagement;
import io.imunity.vaadin.endpoint.common.EopException;
import io.imunity.vaadin.endpoint.common.QueryBuilder;
import io.imunity.vaadin.endpoint.common.consent_utils.LoginInProgressService;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.TimeZone;
import java.util.stream.Collectors;
import org.apache.logging.log4j.Logger;
import org.eclipse.jetty.ee10.servlet.ServletApiRequest;
import org.eclipse.jetty.security.AuthenticationState;
import org.springframework.beans.factory.ObjectFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Primary;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.base.endpoint.Endpoint;
import pl.edu.icm.unity.base.entity.EntityParam;
import pl.edu.icm.unity.base.exceptions.EngineException;
import pl.edu.icm.unity.base.identity.IdentityParam;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.EnquiryManagement;
import pl.edu.icm.unity.engine.api.PreferencesManagement;
import pl.edu.icm.unity.engine.api.attributes.AttributeTypeSupport;
import pl.edu.icm.unity.engine.api.authn.AuthenticationException;
import pl.edu.icm.unity.engine.api.authn.InvocationContext;
import pl.edu.icm.unity.engine.api.enquiry.EnquirySelector;
import pl.edu.icm.unity.engine.api.idp.ActiveValueClientHelper;
import pl.edu.icm.unity.engine.api.idp.IdPEngine;
import pl.edu.icm.unity.engine.api.policyAgreement.PolicyAgreementManagement;
import pl.edu.icm.unity.engine.api.session.SessionManagement;
import pl.edu.icm.unity.engine.api.session.SessionParticipant;
import pl.edu.icm.unity.engine.api.translation.out.TranslationResult;
import pl.edu.icm.unity.engine.api.utils.FreemarkerAppHandler;
import pl.edu.icm.unity.engine.api.utils.PrototypeComponent;
import pl.edu.icm.unity.saml.SAMLSessionParticipant;
import pl.edu.icm.unity.saml.SamlProperties;
import pl.edu.icm.unity.saml.idp.SAMLIdPConfiguration;
import pl.edu.icm.unity.saml.idp.SamlIdpStatisticReporter;
import pl.edu.icm.unity.saml.idp.TrustedServiceProvider;
import pl.edu.icm.unity.saml.idp.ctx.SAMLAuthnContext;
import pl.edu.icm.unity.saml.idp.preferences.SamlPreferences;
import pl.edu.icm.unity.saml.idp.processor.AuthnResponseProcessor;
import pl.edu.icm.unity.saml.idp.web.SamlSessionService;
import pl.edu.icm.unity.saml.slo.SamlRoutableSignableMessage;
import xmlbeans.org.oasis.saml2.assertion.NameIDType;
import xmlbeans.org.oasis.saml2.protocol.AuthnRequestType;
import xmlbeans.org.oasis.saml2.protocol.ResponseDocument;

@PrototypeComponent
@Primary
/* loaded from: input_file:pl/edu/icm/unity/saml/idp/web/filter/IdpConsentDeciderServlet.class */
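public class IdpConsentDeciderServlet extends HttpServlet {
    private static final Logger log = Log.getLogger("unity.server.saml", IdpConsentDeciderServlet.class);
    /** Binding URI handed to the IdP engine when user information is obtained for the HTTP-POST response. */
    private static final String HTTP_POST_BINDING_URI = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
    protected PreferencesManagement preferencesMan;
    protected IdPEngine idpEngine;
    /** Set in {@link #init(String, Endpoint)}; null until then, so the servlet must not serve before init. */
    protected SSOResponseHandler ssoResponseHandler;
    protected SessionManagement sessionMan;
    /** Path of the interactive SAML consent UI; set in {@link #init(String, Endpoint)}. */
    protected String samlUiServletPath;
    protected AttributeTypeSupport aTypeSupport;
    private final EnquiryManagement enquiryManagement;
    private final PolicyAgreementManagement policyAgreementsMan;
    private final FreemarkerAppHandler freemarker;
    private final SamlIdpStatisticReporter.SamlIdpStatisticReporterFactory idpStatisticReporterFactory;
    protected final LastIdPClinetAccessAttributeManagement lastAccessAttributeManagement;

    /**
     * Spring factory producing an initialised servlet per endpoint: a fresh prototype instance is
     * obtained from the container and bound to the given UI path and endpoint via {@code init}.
     */
    @Component
    @Primary
    /* loaded from: input_file:pl/edu/icm/unity/saml/idp/web/filter/IdpConsentDeciderServlet$Factory.class */
    public static class Factory implements IdpConsentDeciderServletFactory {

        @Autowired
        private ObjectFactory<IdpConsentDeciderServlet> factory;

        /**
         * @param str      path of the interactive SAML UI servlet the decider redirects to
         * @param endpoint endpoint the servlet is deployed on (passed to the response handler)
         * @return a new, initialised servlet instance
         */
        @Override // pl.edu.icm.unity.saml.idp.web.filter.IdpConsentDeciderServletFactory
        public IdpConsentDeciderServlet getInstance(String str, Endpoint endpoint) {
            IdpConsentDeciderServlet servlet = this.factory.getObject();
            servlet.init(str, endpoint);
            return servlet;
        }
    }

    /**
     * Decides whether a pending SAML authentication request can be answered without user interaction.
     * <p>
     * The request is answered immediately ("auto replay") only when no interactive step is needed:
     * consent is not required for the SP, no active-value selection is configured for the client,
     * no enquiry is waiting for the user and no policy agreement has to be accepted. Otherwise the
     * browser is redirected to the interactive SAML UI at {@code samlUiServletPath}, with the
     * original request parameters preserved in the query string.
     */
    @Autowired
    public IdpConsentDeciderServlet(AttributeTypeSupport attributeTypeSupport, PreferencesManagement preferencesManagement, IdPEngine idPEngine, FreemarkerAppHandler freemarkerAppHandler, SessionManagement sessionManagement, @Qualifier("insecure") EnquiryManagement enquiryManagement, PolicyAgreementManagement policyAgreementManagement, SamlIdpStatisticReporter.SamlIdpStatisticReporterFactory samlIdpStatisticReporterFactory, LastIdPClinetAccessAttributeManagement lastIdPClinetAccessAttributeManagement) {
        this.aTypeSupport = attributeTypeSupport;
        this.preferencesMan = preferencesManagement;
        this.idpEngine = idPEngine;
        this.enquiryManagement = enquiryManagement;
        this.sessionMan = sessionManagement;
        this.policyAgreementsMan = policyAgreementManagement;
        this.idpStatisticReporterFactory = samlIdpStatisticReporterFactory;
        this.freemarker = freemarkerAppHandler;
        this.lastAccessAttributeManagement = lastIdPClinetAccessAttributeManagement;
    }

    /**
     * Endpoint-specific initialisation (an overload, not an override of {@code HttpServlet.init}).
     *
     * @param str      path of the interactive SAML UI servlet used for redirects
     * @param endpoint endpoint this servlet serves; used to build the {@link SSOResponseHandler}
     */
    protected void init(String str, Endpoint endpoint) {
        this.samlUiServletPath = str;
        this.ssoResponseHandler = new SSOResponseHandler(this.freemarker, this.idpStatisticReporterFactory, endpoint);
    }

    /**
     * Requests without a container-level {@link AuthenticationState} are sent to the interactive UI
     * instead of being dispatched to {@code doGet}/{@code doPost}; everything else follows the
     * standard servlet dispatch.
     */
    @Override
    protected void service(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        // The cast assumes a Jetty ee10 container, as the original code did.
        ServletApiRequest jettyRequest = (ServletApiRequest) httpServletRequest;
        if (AuthenticationState.getAuthenticationState(jettyRequest.getRequest()) == null) {
            sendRedirect(httpServletRequest, httpServletResponse);
            return;
        }
        super.service(httpServletRequest, httpServletResponse);
    }

    @Override
    protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        serviceUntilEndOfProcessing(httpServletRequest, httpServletResponse);
    }

    @Override
    protected void doPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        serviceUntilEndOfProcessing(httpServletRequest, httpServletResponse);
    }

    /**
     * Shared GET/POST body: runs the decision logic and absorbs {@link EopException}, which is the
     * "end of processing" marker thrown once a response (redirect or SAML message) has been produced.
     */
    private void serviceUntilEndOfProcessing(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        try {
            serviceInterruptible(httpServletRequest, httpServletResponse);
        } catch (EopException ignored) {
            // Intentional: the callee already committed the response; there is nothing left to do.
        }
    }

    /**
     * Loads the user's per-SP preferences and either redirects to the interactive UI or answers the
     * request immediately. A failure to load preferences is reported to the SP as a SAML error.
     *
     * @throws EopException when a response was already produced and processing must stop
     */
    protected void serviceInterruptible(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, EopException {
        SAMLAuthnContext samlContext = getSamlContext(httpServletRequest);
        try {
            SamlPreferences.SPSettings spSettings = loadPreferences(samlContext);
            if (isInteractiveUIRequired(spSettings, samlContext)) {
                log.trace("Interactive step is required for SAML request, redirect to UI");
                sendRedirect(httpServletRequest, httpServletResponse);
            } else {
                log.trace("Consent is not required for SAML request, processing immediatelly");
                autoReplay(spSettings, samlContext, httpServletRequest, httpServletResponse);
            }
        } catch (EngineException e) {
            // The trailing flag is true here and false on every autoReplay path; its meaning is
            // defined by SSOResponseHandler.handleException, which is not visible in this file.
            this.ssoResponseHandler.handleException(newResponseProcessor(samlContext), e, SamlProperties.Binding.HTTP_POST, getServiceUrl(samlContext), samlContext, httpServletRequest, httpServletResponse, true);
        }
    }

    /** Redirects to the interactive SAML UI, carrying over all parameters of the current request. */
    private void sendRedirect(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        httpServletResponse.sendRedirect(this.samlUiServletPath + getQueryToAppend(httpServletRequest));
    }

    /**
     * Builds the query string for the UI redirect from every parameter of the incoming request.
     * URL-encoding of the (untrusted) parameter values is delegated to {@link QueryBuilder}.
     */
    private String getQueryToAppend(HttpServletRequest httpServletRequest) {
        // Raw cast kept from the original: QueryBuilder.buildQuery's exact parameter type is not visible here.
        return QueryBuilder.buildQuery((Map) httpServletRequest.getParameterMap().entrySet().stream()
                .collect(Collectors.toMap(Map.Entry::getKey, entry -> Arrays.asList(entry.getValue()))));
    }

    /**
     * @return the stored preferences of the current user for the SP that issued the request
     * @throws EngineException when preferences cannot be read
     */
    protected SamlPreferences.SPSettings loadPreferences(SAMLAuthnContext sAMLAuthnContext) throws EngineException {
        return SamlPreferences.getPreferences(this.preferencesMan).getSPSettings(getRequestIssuer(sAMLAuthnContext));
    }

    /** True when any of the four interactive conditions holds; evaluation short-circuits left to right. */
    private boolean isInteractiveUIRequired(SamlPreferences.SPSettings sPSettings, SAMLAuthnContext sAMLAuthnContext) {
        return isConsentRequired(sPSettings, sAMLAuthnContext)
                || isActiveValueSelectionRequired(sAMLAuthnContext)
                || isEnquiryWaiting()
                || isPolicyAgreementWaiting(sAMLAuthnContext);
    }

    private boolean isActiveValueSelectionRequired(SAMLAuthnContext sAMLAuthnContext) {
        String requestIssuer = newResponseProcessor(sAMLAuthnContext).getRequestIssuer();
        return ActiveValueClientHelper.isActiveValueSelectionConfiguredForClient(sAMLAuthnContext.getSamlConfiguration().activeValueClient, requestIssuer);
    }

    /** Consent is skipped only when the user opted out for this SP or the IdP is configured to skip it. */
    private boolean isConsentRequired(SamlPreferences.SPSettings sPSettings, SAMLAuthnContext sAMLAuthnContext) {
        return !sPSettings.isDoNotAsk() && !sAMLAuthnContext.getSamlConfiguration().skipConsent;
    }

    /**
     * Whether the current user has a regular, non-invitation-only enquiry available.
     * On lookup failure this returns false, i.e. the request is auto-processed without the
     * interactive step; this preserves the original behaviour and fails open.
     */
    private boolean isEnquiryWaiting() {
        EnquirySelector selector = EnquirySelector.builder()
                .withAccessMode(EnquirySelector.AccessMode.NOT_BY_INVITATION_ONLY)
                .withType(EnquirySelector.Type.REGULAR)
                .build();
        try {
            return !this.enquiryManagement.getAvailableEnquires(currentEntity(), selector).isEmpty();
        } catch (EngineException e) {
            log.warn("Can't retrieve pending enquiries for user", e);
            return false;
        }
    }

    /**
     * Whether any configured policy agreement still has to be presented to the current user.
     * On lookup failure this returns false (fails open, as in the original); the cause is now
     * logged so the failure is diagnosable.
     */
    private boolean isPolicyAgreementWaiting(SAMLAuthnContext sAMLAuthnContext) {
        try {
            return !this.policyAgreementsMan.filterAgreementToPresent(currentEntity(), sAMLAuthnContext.getSamlConfiguration().policyAgreements.agreements).isEmpty();
        } catch (EngineException e) {
            log.error("Unable to determine policy agreements to accept", e);
            return false;
        }
    }

    /**
     * Answers the request without user interaction: a SAML error when the stored preference is not
     * "accept by default", otherwise a signed authentication response for the current user.
     * <p>
     * The decline branch returns explicitly so that assertion issuance can never be reached after a
     * decline, whether or not {@code handleException} ends processing by throwing.
     * {@link EopException} raised inside the main flow (e.g. by the post-processing redirect) is
     * rethrown untouched rather than being turned into a second, error response on an already
     * committed reply; every other failure, including {@link DSigException} from signing, is reported
     * to the SP once.
     */
    protected void autoReplay(SamlPreferences.SPSettings sPSettings, SAMLAuthnContext sAMLAuthnContext, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws EopException, IOException {
        AuthnResponseProcessor processor = newResponseProcessor(sAMLAuthnContext);
        String serviceUrl = getServiceUrl(sAMLAuthnContext);
        if (!sPSettings.isDefaultAccept()) {
            this.ssoResponseHandler.handleException(processor, new AuthenticationException("Authentication was declined"), SamlProperties.Binding.HTTP_POST, serviceUrl, sAMLAuthnContext, httpServletRequest, httpServletResponse, false);
            return;
        }
        try {
            TranslationResult userInfo = getUserInfo(sAMLAuthnContext.getSamlConfiguration(), processor, HTTP_POST_BINDING_URI);
            handleRedirectIfNeeded(userInfo, httpServletRequest, httpServletResponse);
            IdentityParam identity = getIdentity(userInfo, processor, sPSettings);
            log.info("Authentication of " + identity);
            SamlRoutableSignableMessage<ResponseDocument> samlResponse = processor.processAuthnRequestReturningResponse(identity, processor.getAttributes(userInfo, sPSettings), sAMLAuthnContext.getRelayState(), sAMLAuthnContext.getResponseDestination());
            addSessionParticipant(sAMLAuthnContext, processor.getAuthenticatedSubject().getNameID(), processor.getSessionId(), this.sessionMan);
            this.ssoResponseHandler.sendResponse(sAMLAuthnContext, samlResponse, SamlProperties.Binding.HTTP_POST, httpServletRequest, httpServletResponse);
        } catch (EopException e) {
            // Not an error: a response has already been produced, so processing simply ends.
            throw e;
        } catch (Exception e) {
            this.ssoResponseHandler.handleException(processor, e, SamlProperties.Binding.HTTP_POST, serviceUrl, sAMLAuthnContext, httpServletRequest, httpServletResponse, false);
        }
    }

    /**
     * If the translation profile requested a redirect, sends it, drops the login-in-progress context
     * and ends processing with {@link EopException}. The redirect target comes from the translation
     * result; where it originates is not visible in this file.
     */
    private void handleRedirectIfNeeded(TranslationResult translationResult, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, EopException {
        String redirectURL = translationResult.getRedirectURL();
        if (redirectURL == null) {
            return;
        }
        httpServletResponse.sendRedirect(redirectURL);
        SamlSessionService.cleanContext(new LoginInProgressService.HttpContextSession(httpServletRequest));
        throw new EopException();
    }

    /**
     * Obtains the current user's information from the IdP engine (running the output translation
     * profile and any configured user import).
     *
     * @param str the SAML binding URI passed through to the engine
     */
    protected TranslationResult getUserInfo(SAMLIdPConfiguration sAMLIdPConfiguration, AuthnResponseProcessor authnResponseProcessor, String str) throws EngineException {
        return this.idpEngine.obtainUserInformationWithEnrichingImport(currentEntity(), authnResponseProcessor.getChosenGroup(), sAMLIdPConfiguration.getOutputTranslationProfile(), authnResponseProcessor.getIdentityTarget(), Optional.empty(), "SAML2", str, authnResponseProcessor.isIdentityCreationAllowed(), sAMLIdPConfiguration.userImportConfigs);
    }

    /**
     * Picks the identity to assert: the SP-compatible identities from the translation result,
     * narrowed by the identity the user selected in preferences.
     */
    protected IdentityParam getIdentity(TranslationResult translationResult, AuthnResponseProcessor authnResponseProcessor, SamlPreferences.SPSettings sPSettings) throws EngineException, SAMLRequesterException {
        return this.idpEngine.getIdentity(authnResponseProcessor.getCompatibleIdentities(translationResult.getIdentities()), sPSettings.getSelectedIdentity());
    }

    /**
     * Registers the SP as a participant of the current login session (needed for single logout).
     * An SP without a trusted-SP configuration entry is registered with no logout endpoints and no
     * certificate names.
     *
     * @param nameIDType the subject NameID issued to the SP
     * @param str        the SAML session id returned by the response processor
     */
    public static void addSessionParticipant(SAMLAuthnContext sAMLAuthnContext, NameIDType nameIDType, String str, SessionManagement sessionManagement) {
        NameIDType issuer = getRequestIssuer(sAMLAuthnContext);
        SAMLIdPConfiguration samlConfiguration = sAMLAuthnContext.getSamlConfiguration();
        TrustedServiceProvider spConfig = samlConfiguration.getSPConfig(issuer);
        SAMLSessionParticipant participant = new SAMLSessionParticipant(
                issuer.getStringValue(),
                nameIDType,
                str,
                spConfig == null ? new ArrayList<>(0) : spConfig.getLogoutEndpoints(),
                samlConfiguration.issuerURI,
                samlConfiguration.credentialName,
                Optional.ofNullable(spConfig).map(TrustedServiceProvider::getCertificateNames).orElseGet(Set::of));
        sessionManagement.addSessionParticipant(new SessionParticipant[]{participant});
    }

    /** @return the address the response for this requester is to be sent to, per IdP configuration */
    protected String getServiceUrl(SAMLAuthnContext sAMLAuthnContext) {
        return sAMLAuthnContext.getSamlConfiguration().getReturnAddressForRequester(sAMLAuthnContext.getRequest());
    }

    /** @throws RuntimeException (as supplied by {@code noSignInContextException}) when no SAML context is bound to the request */
    private SAMLAuthnContext getSamlContext(HttpServletRequest httpServletRequest) {
        return SamlSessionService.getContext(httpServletRequest).orElseThrow(LoginInProgressService.noSignInContextException());
    }

    /** Issuer of the AuthnRequest held in the context; shared by preference lookup and session registration. */
    private static NameIDType getRequestIssuer(SAMLAuthnContext sAMLAuthnContext) {
        return ((AuthnRequestType) sAMLAuthnContext.getRequest()).getIssuer();
    }

    /** Entity of the currently logged-in user, taken from the invocation context's login session. */
    private static EntityParam currentEntity() {
        return new EntityParam(Long.valueOf(InvocationContext.getCurrent().getLoginSession().getEntityId()));
    }

    /**
     * Creates the response processor for a request. The UTC calendar is the clock handed to the
     * processor; presumably it timestamps the issued response — confirm in AuthnResponseProcessor.
     */
    private AuthnResponseProcessor newResponseProcessor(SAMLAuthnContext sAMLAuthnContext) {
        return new AuthnResponseProcessor(this.aTypeSupport, this.lastAccessAttributeManagement, sAMLAuthnContext, Calendar.getInstance(TimeZone.getTimeZone("UTC")));
    }
}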
