package pl.edu.icm.unity.saml.idp.web.filter;

import eu.unicore.samly2.exceptions.SAMLRequesterException;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Optional;
import java.util.TimeZone;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.ObjectFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Primary;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.MessageSource;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.EnquiryManagement;
import pl.edu.icm.unity.engine.api.PreferencesManagement;
import pl.edu.icm.unity.engine.api.attributes.AttributeTypeSupport;
import pl.edu.icm.unity.engine.api.authn.AuthenticationException;
import pl.edu.icm.unity.engine.api.authn.InvocationContext;
import pl.edu.icm.unity.engine.api.idp.CommonIdPProperties;
import pl.edu.icm.unity.engine.api.idp.IdPEngine;
import pl.edu.icm.unity.engine.api.policyAgreement.PolicyAgreementManagement;
import pl.edu.icm.unity.engine.api.session.SessionManagement;
import pl.edu.icm.unity.engine.api.session.SessionParticipant;
import pl.edu.icm.unity.engine.api.translation.out.TranslationResult;
import pl.edu.icm.unity.engine.api.utils.FreemarkerAppHandler;
import pl.edu.icm.unity.engine.api.utils.PrototypeComponent;
import pl.edu.icm.unity.engine.api.utils.RoutingServlet;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.saml.SAMLSessionParticipant;
import pl.edu.icm.unity.saml.SamlProperties;
import pl.edu.icm.unity.saml.idp.SamlIdpProperties;
import pl.edu.icm.unity.saml.idp.ctx.SAMLAuthnContext;
import pl.edu.icm.unity.saml.idp.preferences.SamlPreferences;
import pl.edu.icm.unity.saml.idp.processor.AuthnResponseProcessor;
import pl.edu.icm.unity.types.basic.EntityParam;
import pl.edu.icm.unity.types.basic.IdentityParam;
import pl.edu.icm.unity.webui.VaadinRequestMatcher;
import pl.edu.icm.unity.webui.idpcommon.EopException;
import xmlbeans.org.oasis.saml2.assertion.NameIDType;
import xmlbeans.org.oasis.saml2.protocol.AuthnRequestType;
import xmlbeans.org.oasis.saml2.protocol.ResponseDocument;

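/**
 * Last step of the SAML IdP SSO flow for an already authenticated user.
 * <p>
 * The {@link SAMLAuthnContext} produced earlier in the flow is read from the HTTP session (attribute
 * {@code SamlParseServlet.SESSION_SAML_CONTEXT}). This servlet then decides whether an interactive step is
 * needed - consent screen, active value selection, a pending enquiry or an outstanding policy agreement - and
 * either forwards to the SAML UI servlet, or answers the request immediately ("auto replay") using the
 * user's stored per-SP preferences.
 * <p>
 * Trust assumptions to keep in mind when changing this class:
 * <ul>
 * <li>the subject is taken from {@code InvocationContext.getCurrent().getLoginSession()}, i.e. the user must
 * already be authenticated when this servlet runs;</li>
 * <li>the AuthnRequest and its Issuer (which key the per-SP preferences, the SP configuration and the logout
 * session participant) come from the session context and are assumed to have been validated when the context
 * was stored upstream - nothing here re-validates them;</li>
 * <li>every outcome - success, user-declined, or an {@link EngineException} - is answered with a SAML response
 * to the address resolved by {@link #getServiceUrl(SAMLAuthnContext)} from the SAML configuration.</li>
 * </ul>
 */
@PrototypeComponent
@Primary
public class IdpConsentDeciderServlet extends HttpServlet {
    private static final Logger log = Log.getLogger("unity.server.saml", IdpConsentDeciderServlet.class);

    /** HTTP-POST binding URI passed to the IdP engine as the protocol binding of this flow. */
    private static final String HTTP_POST_BINDING_URI = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";

    protected PreferencesManagement preferencesMan;
    protected IdPEngine idpEngine;
    protected SSOResponseHandler ssoResponseHandler;
    protected SessionManagement sessionMan;
    /** Path of the SAML consent UI servlet, forwarded to when an interactive step is required. */
    protected String samlUiServletPath;
    /** Path of the authentication UI servlet, forwarded to for Vaadin framework-internal requests. */
    private String authenticationUIServletPath;
    protected AttributeTypeSupport aTypeSupport;
    private EnquiryManagement enquiryManagement;
    private final PolicyAgreementManagement policyAgreementsMan;
    private final MessageSource msg;

    /**
     * Spring factory producing prototype-scoped instances of this servlet, initialised with the two
     * servlet paths it forwards to.
     */
    @Component
    @Primary
    public static class Factory implements IdpConsentDeciderServletFactory {

        @Autowired
        private ObjectFactory<IdpConsentDeciderServlet> factory;

        /**
         * @param samlUiServletPath path of the SAML consent UI servlet
         * @param authenticationUIServletPath path of the authentication UI servlet
         * @return a fresh, initialised servlet instance
         */
        @Override
        public IdpConsentDeciderServlet getInstance(String samlUiServletPath, String authenticationUIServletPath) {
            IdpConsentDeciderServlet servlet = factory.getObject();
            servlet.init(samlUiServletPath, authenticationUIServletPath);
            return servlet;
        }
    }

    /**
     * Constructor for Spring injection.
     *
     * @param enquiryManagement the {@code "insecure"} qualified variant is injected - presumably the one
     *        that bypasses caller authorization, since this servlet only reads the current user's own
     *        pending enquiries; confirm before widening its use in this class
     */
    @Autowired
    public IdpConsentDeciderServlet(AttributeTypeSupport attributeTypeSupport,
            PreferencesManagement preferencesManagement, IdPEngine idPEngine,
            FreemarkerAppHandler freemarkerAppHandler, SessionManagement sessionManagement,
            @Qualifier("insecure") EnquiryManagement enquiryManagement,
            PolicyAgreementManagement policyAgreementManagement, MessageSource messageSource) {
        this.aTypeSupport = attributeTypeSupport;
        this.preferencesMan = preferencesManagement;
        this.idpEngine = idPEngine;
        this.enquiryManagement = enquiryManagement;
        this.ssoResponseHandler = new SSOResponseHandler(freemarkerAppHandler);
        this.sessionMan = sessionManagement;
        this.policyAgreementsMan = policyAgreementManagement;
        this.msg = messageSource;
    }

    /**
     * Sets the forwarding targets; called by {@link Factory} right after construction.
     *
     * @param samlUiServletPath path of the SAML consent UI servlet
     * @param authenticationUIServletPath path of the authentication UI servlet
     */
    protected void init(String samlUiServletPath, String authenticationUIServletPath) {
        this.samlUiServletPath = samlUiServletPath;
        this.authenticationUIServletPath = authenticationUIServletPath;
    }

    /**
     * Routes Vaadin framework-internal requests to the authentication UI servlet and everything else to the
     * regular {@code doGet}/{@code doPost} handling.
     * <p>
     * The forward is a server-side {@link javax.servlet.RequestDispatcher} dispatch, so the client-supplied
     * path info only selects a location inside this web application and cannot redirect the browser elsewhere.
     */
    @Override
    protected void service(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if (!VaadinRequestMatcher.isVaadinRequest(request)) {
            super.service(request, response);
            return;
        }
        String target = authenticationUIServletPath;
        String pathInfo = request.getPathInfo();
        if (pathInfo != null) {
            target += pathInfo;
        }
        log.debug("Request to Vaadin internal address will be forwarded to authN {}", request.getRequestURI());
        request.getRequestDispatcher(target).forward(request, response);
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            serviceInterruptible(request, response);
        } catch (EopException ignored) {
            // End-of-processing marker: a response (redirect or SAML message) has already been written.
        }
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            serviceInterruptible(request, response);
        } catch (EopException ignored) {
            // End-of-processing marker: a response (redirect or SAML message) has already been written.
        }
    }

    /**
     * Main decision: forward to the consent UI if any interactive step is required, otherwise answer the
     * SAML request right away. Any {@link EngineException} raised while deciding is turned into a SAML error
     * response to the SP.
     *
     * @throws IllegalStateException when no SAML context is present in the HTTP session
     * @throws EopException when a response has been written and processing must stop
     */
    protected void serviceInterruptible(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException, EopException {
        SAMLAuthnContext samlCtx = getSamlContext(request);
        try {
            SamlPreferences.SPSettings spPreferences = loadPreferences(samlCtx);
            if (isInteractiveUIRequired(spPreferences, samlCtx)) {
                log.trace("Interactive step is required for SAML request, forwarding to UI");
                RoutingServlet.forwardTo(samlUiServletPath, request, response);
            } else {
                log.trace("Consent is not required for SAML request, processing immediatelly");
                autoReplay(spPreferences, samlCtx, request, response);
            }
        } catch (EngineException e) {
            ssoResponseHandler.handleException(newResponseProcessor(samlCtx), e, SamlProperties.Binding.HTTP_POST,
                    getServiceUrl(samlCtx), samlCtx.getRelayState(), request, response, true);
        }
    }

    /**
     * Loads the current user's stored settings for the SP identified by the AuthnRequest's Issuer.
     * The Issuer is taken from the session-held request and is trusted here; it is expected to have been
     * validated when the context was created.
     */
    protected SamlPreferences.SPSettings loadPreferences(SAMLAuthnContext samlCtx) throws EngineException {
        NameIDType issuer = ((AuthnRequestType) samlCtx.getRequest()).getIssuer();
        return SamlPreferences.getPreferences(preferencesMan).getSPSettings(issuer);
    }

    /** True when any of the four interactive conditions holds; evaluation short-circuits left to right. */
    private boolean isInteractiveUIRequired(SamlPreferences.SPSettings spPreferences, SAMLAuthnContext samlCtx) {
        return isConsentRequired(spPreferences, samlCtx)
                || isActiveValueSelectionRequired(samlCtx)
                || isEnquiryWaiting()
                || isPolicyAgreementWaiting(samlCtx);
    }

    private boolean isActiveValueSelectionRequired(SAMLAuthnContext samlCtx) {
        String requestIssuer = newResponseProcessor(samlCtx).getRequestIssuer();
        return CommonIdPProperties.isActiveValueSelectionConfiguredForClient(samlCtx.getSamlConfiguration(),
                requestIssuer);
    }

    /**
     * Consent is skipped only when the user asked not to be asked again for this SP, or when the endpoint
     * configuration globally disables the consent screen ("skipConsent").
     */
    private boolean isConsentRequired(SamlPreferences.SPSettings spPreferences, SAMLAuthnContext samlCtx) {
        boolean skipByPreference = spPreferences.isDoNotAsk();
        boolean skipByConfig = samlCtx.getSamlConfiguration().getBooleanValue("skipConsent").booleanValue();
        return !(skipByPreference || skipByConfig);
    }

    /**
     * Whether the logged-in entity has pending enquiries. A lookup failure is logged and treated as
     * "nothing pending" - a deliberate best-effort choice so an enquiry backend problem does not block SSO.
     */
    private boolean isEnquiryWaiting() {
        try {
            EntityParam loggedEntity = currentEntity();
            return !enquiryManagement.getPendingEnquires(loggedEntity).isEmpty();
        } catch (EngineException e) {
            log.warn("Can't retrieve pending enquiries for user", e);
            return false;
        }
    }

    /**
     * Whether the endpoint's configured policy agreements include any the logged-in entity still has to
     * accept. Same fail-open, best-effort behaviour as {@link #isEnquiryWaiting()}; the exception is now
     * logged with its stack trace so the cause is not lost.
     */
    private boolean isPolicyAgreementWaiting(SAMLAuthnContext samlCtx) {
        try {
            EntityParam loggedEntity = currentEntity();
            return !policyAgreementsMan.filterAgreementToPresent(loggedEntity,
                    CommonIdPProperties.getPolicyAgreementsConfig(msg, samlCtx.getSamlConfiguration()).agreements)
                    .isEmpty();
        } catch (EngineException e) {
            log.error("Unable to determine policy agreements to accept", e);
            return false;
        }
    }

    /**
     * Answers the SAML request without user interaction, based on stored preferences.
     * <p>
     * If the user's preference for this SP is not "accept by default", a SAML error response
     * ("Authentication was declined") is sent and processing stops. Otherwise the user's attributes and
     * identity are resolved through the output translation profile, the AuthnRequest is processed into a
     * Response, the SP is registered as a logout session participant and the Response is POSTed to the SP.
     * Any failure on that path is converted into a SAML error response.
     */
    protected void autoReplay(SamlPreferences.SPSettings spPreferences, SAMLAuthnContext samlCtx,
            HttpServletRequest request, HttpServletResponse response) throws EopException, IOException {
        AuthnResponseProcessor samlProcessor = newResponseProcessor(samlCtx);
        String serviceUrl = getServiceUrl(samlCtx);
        if (!spPreferences.isDefaultAccept()) {
            ssoResponseHandler.handleException(samlProcessor,
                    new AuthenticationException("Authentication was declined"), SamlProperties.Binding.HTTP_POST,
                    serviceUrl, samlCtx.getRelayState(), request, response, false);
            // handleException is expected to end processing itself (EopException). The explicit return is a
            // fail-closed guard: a declined request must never fall through into assertion issuance below,
            // even if the handler's contract changes.
            return;
        }
        try {
            TranslationResult userInfo = getUserInfo(samlCtx.getSamlConfiguration(), samlProcessor,
                    HTTP_POST_BINDING_URI);
            // Must run before identity resolution: a profile-requested redirect aborts the SSO flow.
            handleRedirectIfNeeded(userInfo, request.getSession(), response);
            IdentityParam identity = getIdentity(userInfo, samlProcessor, spPreferences);
            log.debug("Authentication of " + identity);
            ResponseDocument responseDoc = samlProcessor.processAuthnRequest(identity,
                    samlProcessor.getAttributes(userInfo, spPreferences), samlCtx.getResponseDestination());
            addSessionParticipant(samlCtx, samlProcessor.getAuthenticatedSubject().getNameID(),
                    samlProcessor.getSessionId(), sessionMan);
            ssoResponseHandler.sendResponse(SamlProperties.Binding.HTTP_POST, responseDoc, serviceUrl,
                    samlCtx.getRelayState(), request, response);
        } catch (Exception e) {
            // Boundary catch: every failure is reported to the SP as a SAML error rather than a 500.
            ssoResponseHandler.handleException(samlProcessor, e, SamlProperties.Binding.HTTP_POST, serviceUrl,
                    samlCtx.getRelayState(), request, response, false);
        }
    }

    /**
     * If the output translation profile requested a redirect, sends it, drops the SAML context from the
     * session (the SSO transaction is abandoned) and stops processing. The URL originates from the
     * translation result, presumably administrator-configured, not from the HTTP request.
     */
    private void handleRedirectIfNeeded(TranslationResult translationResult, HttpSession session,
            HttpServletResponse response) throws IOException, EopException {
        String redirectUrl = translationResult.getRedirectURL();
        if (redirectUrl == null) {
            return;
        }
        response.sendRedirect(redirectUrl);
        session.removeAttribute(SamlParseServlet.SESSION_SAML_CONTEXT);
        throw new EopException();
    }

    /**
     * Resolves the logged-in entity's information for this SP through the configured output translation
     * profile, allowing identity creation only if the processor permits it for this request.
     *
     * @param binding protocol binding URI reported to the IdP engine
     */
    protected TranslationResult getUserInfo(SamlIdpProperties samlConfig, AuthnResponseProcessor samlProcessor,
            String binding) throws EngineException {
        return idpEngine.obtainUserInformationWithEnrichingImport(currentEntity(), samlProcessor.getChosenGroup(),
                samlConfig.getOutputTranslationProfile(), samlProcessor.getIdentityTarget(), Optional.empty(),
                "SAML2", binding, samlProcessor.isIdentityCreationAllowed(), samlConfig);
    }

    /**
     * Picks the identity to assert: among those compatible with the request's NameID policy, the one the
     * user previously selected for this SP (per stored preferences).
     */
    protected IdentityParam getIdentity(TranslationResult translationResult, AuthnResponseProcessor samlProcessor,
            SamlPreferences.SPSettings spPreferences) throws EngineException, SAMLRequesterException {
        return idpEngine.getIdentity(samlProcessor.getCompatibleIdentities(translationResult.getIdentities()),
                spPreferences.getSelectedIdentity());
    }

    /**
     * Registers the SP as a participant of the login session so it can be included in single logout.
     * Logout endpoints and allowed SP certificates are looked up from the SP's configuration entry; when the
     * SP has no configuration entry ({@code spConfigKey == null}) an empty endpoint list is recorded.
     */
    public static void addSessionParticipant(SAMLAuthnContext samlCtx, NameIDType subjectNameId,
            String sessionId, SessionManagement sessionManagement) {
        AuthnRequestType authnRequest = (AuthnRequestType) samlCtx.getRequest();
        NameIDType issuer = authnRequest.getIssuer();
        SamlIdpProperties samlConfig = samlCtx.getSamlConfiguration();
        String credential = samlConfig.getValue(SamlIdpProperties.CREDENTIAL);
        String spConfigKey = samlConfig.getSPConfigKey(issuer);
        java.util.List<String> logoutEndpoints = spConfigKey == null
                ? new ArrayList<>(0)
                : samlConfig.getLogoutEndpointsFromStructuredList(spConfigKey);
        SAMLSessionParticipant participant = new SAMLSessionParticipant(issuer.getStringValue(), subjectNameId,
                sessionId, logoutEndpoints, samlConfig.getValue(SamlIdpProperties.ISSUER_URI), credential,
                samlConfig.getAllowedSpCerts(spConfigKey));
        sessionManagement.addSessionParticipant(new SessionParticipant[] { participant });
    }

    /** Address the SAML Response is sent to, as resolved by the SAML configuration for this request. */
    protected String getServiceUrl(SAMLAuthnContext samlCtx) {
        return samlCtx.getSamlConfiguration().getReturnAddressForRequester(samlCtx.getRequest());
    }

    /**
     * @return the SAML context stored in the HTTP session by the request-parsing servlet
     * @throws IllegalStateException if this servlet is reached without a preceding SAML request
     */
    private SAMLAuthnContext getSamlContext(HttpServletRequest request) {
        SAMLAuthnContext samlCtx = (SAMLAuthnContext) request.getSession()
                .getAttribute(SamlParseServlet.SESSION_SAML_CONTEXT);
        if (samlCtx == null) {
            throw new IllegalStateException("No SAML context in UI");
        }
        return samlCtx;
    }

    /** Response processor for the given context, timestamped in UTC as required for SAML. */
    private AuthnResponseProcessor newResponseProcessor(SAMLAuthnContext samlCtx) {
        return new AuthnResponseProcessor(aTypeSupport, samlCtx, Calendar.getInstance(TimeZone.getTimeZone("UTC")));
    }

    /** The authenticated entity of the current invocation; all lookups in this servlet are scoped to it. */
    private static EntityParam currentEntity() {
        long entityId = InvocationContext.getCurrent().getLoginSession().getEntityId();
        return new EntityParam(Long.valueOf(entityId));
    }
}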
