package de.governikus.keycloak.eid.provider.endpoints;

import de.bund.bsi.eid240.GeneralDateType;
import de.bund.bsi.eid240.PersonalDataType;
import de.bund.bsi.eid240.PlaceType;
import de.governikus.keycloak.eid.SamlRequestDetailsCache;
import de.governikus.keycloak.eid.constants.Constants;
import de.governikus.keycloak.eid.provider.identity.EidIdentityProvider;
import de.governikus.keycloak.eid.provider.identity.EidIdentityProviderFactory;
import de.governikus.keycloak.eid.provider.mapper.EidAttributeMapper;
import de.governikus.panstar.sdk.saml.exception.SamlAuthenticationException;
import de.governikus.panstar.sdk.saml.exception.UnsuccessfulSamlAuthenticationProcessException;
import de.governikus.panstar.sdk.saml.response.ProcessedSamlResult;
import de.governikus.panstar.sdk.saml.response.SamlResponseHandler;
import de.governikus.panstar.sdk.utils.exception.InvalidInputException;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.UriInfo;
import java.net.URI;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.time.format.DateTimeFormatter;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.UUID;
import java.util.stream.Collectors;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.client.utils.URLEncodedUtils;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityProvider;
import org.keycloak.broker.provider.util.IdentityBrokerState;
import org.keycloak.cookie.CookieProvider;
import org.keycloak.cookie.CookieType;
import org.keycloak.events.EventBuilder;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.sessions.RootAuthenticationSessionModel;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/governikus/keycloak/eid/provider/endpoints/EidSamlResponseHandler.class */
public class EidSamlResponseHandler {
    private static final Logger log = LoggerFactory.getLogger(EidSamlResponseHandler.class);
    private final KeycloakSession session;
    private final IdentityProvider.AuthenticationCallback callback;
    private final EventBuilder event;
    private final EidIdentityProvider eidIdentityProvider;
    private final RealmModel realm;

    public EidSamlResponseHandler(RealmModel realmModel, KeycloakSession keycloakSession, IdentityProvider.AuthenticationCallback authenticationCallback, EventBuilder eventBuilder, EidIdentityProvider eidIdentityProvider) {
        this.realm = realmModel;
        this.session = keycloakSession;
        this.callback = authenticationCallback;
        this.event = eventBuilder;
        this.eidIdentityProvider = eidIdentityProvider;
    }

    @GET
    public Response receiveSamlResponseEidClient(@Context UriInfo uriInfo) {
        String headerString = this.session.getContext().getHttpRequest().getHttpHeaders().getHeaderString("User-Agent");
        if (!uriInfo.getQueryParameters().containsKey("RelayState")) {
            log.info("Got incoming SAMLResponse-redirect from userAgent: {}", headerString);
            return receiveSamlResponseUser(uriInfo);
        }
        log.info("Got incoming SAMLResponse from userAgent: {}", headerString);
        String uuid = UUID.randomUUID().toString();
        new SamlRequestDetailsCache(this.session).setSamlResponseUrl(uuid, uriInfo.getRequestUri().toString());
        return Response.seeOther(new URI(String.format("%s%s?%s=%s", StringUtils.removeEnd(uriInfo.getBaseUri().toString(), "/"), StringUtils.prependIfMissing(uriInfo.getRequestUri().getPath(), "/", new CharSequence[0]), Constants.SAML_TEMP_ID, uuid))).build();
    }

    public Response receiveSamlResponseUser(@Context UriInfo uriInfo) {
        URL url = new URL(new SamlRequestDetailsCache(this.session).getSamlResponseUrl((String) uriInfo.getQueryParameters().getFirst(Constants.SAML_TEMP_ID)));
        AuthenticationSessionModel authSession = getAuthSession((String) ((Map) URLEncodedUtils.parse(url.toURI(), StandardCharsets.UTF_8).stream().collect(Collectors.toMap((v0) -> {
            return v0.getName();
        }, (v0) -> {
            return v0.getValue();
        }))).get("RelayState"));
        try {
            ProcessedSamlResult parseSamlResponse = new SamlResponseHandler(this.eidIdentityProvider.getSamlConfiguration()).parseSamlResponse(url.toURI().getRawQuery());
            log.info("Successfully parsed SAML response. Try to set up an identity.");
            BrokeredIdentityContext brokeredIdentityContext = new BrokeredIdentityContext(getRestrictedIdString(parseSamlResponse.getPersonalData()), this.eidIdentityProvider.getConfig());
            brokeredIdentityContext.setAuthenticationSession(authSession);
            setUpIdentity(brokeredIdentityContext, this.eidIdentityProvider, authSession, parseSamlResponse);
            return this.callback.authenticated(brokeredIdentityContext);
        } catch (SamlAuthenticationException | InvalidInputException e) {
            return handleSamlError(authSession, e, URLEncoder.encode(e.getMessage(), StandardCharsets.UTF_8));
        } catch (UnsuccessfulSamlAuthenticationProcessException e2) {
            return handleSamlError(authSession, e2, URLEncoder.encode(e2.getResult().getResultMessage().getValue(), StandardCharsets.UTF_8));
        }
    }

    private Response handleSamlError(AuthenticationSessionModel authenticationSessionModel, Exception exc, String str) {
        log.info(exc.getMessage(), exc);
        String format = String.format("%s?%s=%s&%s=%s&%s=%s", authenticationSessionModel.getClientNote("redirect_uri"), "state", authenticationSessionModel.getClientNote("state"), "error", "authentication_failed", "error_description", str);
        authenticationSessionModel.getParentSession().removeAuthenticationSessionByTabId(authenticationSessionModel.getTabId());
        log.info("Authentication failed: redirecting to uri: {}", format);
        return Response.temporaryRedirect(new URI(format)).build();
    }

    private AuthenticationSessionModel getAuthSession(String str) {
        String str2 = this.session.getProvider(CookieProvider.class).get(CookieType.AUTH_SESSION_ID);
        if (str2 == null) {
            throw new IllegalStateException("Could not find required authSessionId");
        }
        RootAuthenticationSessionModel rootAuthenticationSession = this.session.authenticationSessions().getRootAuthenticationSession(this.realm, str2.split("\\.")[0]);
        IdentityBrokerState encoded = IdentityBrokerState.encoded(str, this.realm);
        return rootAuthenticationSession.getAuthenticationSession(this.realm.getClientByClientId(encoded.getClientId()), encoded.getTabId());
    }

    private String getRestrictedIdString(PersonalDataType personalDataType) {
        if (personalDataType == null || personalDataType.getRestrictedID() == null || ArrayUtils.isEmpty(personalDataType.getRestrictedID().getID())) {
            return null;
        }
        return Hex.encodeHexString(personalDataType.getRestrictedID().getID());
    }

    private void setUpIdentity(BrokeredIdentityContext brokeredIdentityContext, EidIdentityProvider eidIdentityProvider, AuthenticationSessionModel authenticationSessionModel, ProcessedSamlResult processedSamlResult) {
        brokeredIdentityContext.setIdp(eidIdentityProvider);
        brokeredIdentityContext.setAuthenticationSession(authenticationSessionModel);
        List list = this.realm.getIdentityProviderMappersByAliasStream(EidIdentityProviderFactory.PROVIDER_ID).filter(identityProviderMapperModel -> {
            return EidAttributeMapper.PROVIDER_ID.equals(identityProviderMapperModel.getIdentityProviderMapper());
        }).toList();
        if (list.isEmpty()) {
            throw new IllegalStateException("Missing eID attribute mapper configuration. Please create this configuration!");
        }
        if (list.size() != 1) {
            throw new IllegalStateException("Expected exactly one identity provider mapper for eID attributes. Other mappers are not supported but found: " + String.valueOf(list.stream().map((v0) -> {
                return v0.getName();
            }).toList()));
        }
        Map config = ((IdentityProviderMapperModel) list.get(0)).getConfig();
        PersonalDataType personalData = processedSamlResult.getPersonalData();
        if (personalData != null) {
            brokeredIdentityContext.setUsername(Hex.encodeHexString(personalData.getRestrictedID().getID()));
            brokeredIdentityContext.setFirstName(personalData.getGivenNames());
            brokeredIdentityContext.setLastName(personalData.getFamilyNames());
            brokeredIdentityContext.setUserAttribute((String) config.get(EidAttributeMapper.ConfigAttributeNames.GIVEN_NAME), personalData.getGivenNames());
            brokeredIdentityContext.setUserAttribute((String) config.get(EidAttributeMapper.ConfigAttributeNames.FAMILY_NAME), personalData.getFamilyNames());
            brokeredIdentityContext.setUserAttribute((String) config.get(EidAttributeMapper.ConfigAttributeNames.BIRTH_DATE), (String) Optional.ofNullable(personalData.getDateOfBirth()).map(this::formatGeneralDateType).orElse(null));
            brokeredIdentityContext.setUserAttribute((String) config.get(EidAttributeMapper.ConfigAttributeNames.BIRTH_NAME), personalData.getBirthName());
            if (personalData.getPlaceOfBirth() != null) {
                if (personalData.getPlaceOfBirth().getStructuredPlace() != null) {
                    PlaceType structuredPlace = personalData.getPlaceOfBirth().getStructuredPlace();
                    brokeredIdentityContext.setUserAttribute((String) config.get(EidAttributeMapper.ConfigAttributeNames.PLACE_OF_BIRTH_LOCALITY), structuredPlace.getCity());
                    brokeredIdentityContext.setUserAttribute((String) config.get(EidAttributeMapper.ConfigAttributeNames.PLACE_OF_BIRTH_COUNTRY), structuredPlace.getCountry());
                    brokeredIdentityContext.setUserAttribute((String) config.get(EidAttributeMapper.ConfigAttributeNames.PLACE_OF_BIRTH_STREET_ADDRESS), structuredPlace.getStreet());
                    brokeredIdentityContext.setUserAttribute((String) config.get(EidAttributeMapper.ConfigAttributeNames.PLACE_OF_BIRTH_REGION), structuredPlace.getState());
                    brokeredIdentityContext.setUserAttribute((String) config.get(EidAttributeMapper.ConfigAttributeNames.PLACE_OF_BIRTH_ZIP_CODE), structuredPlace.getZipCode());
                    brokeredIdentityContext.setUserAttribute((String) config.get(EidAttributeMapper.ConfigAttributeNames.PLACE_OF_BIRTH_TYPE), "STRUCTURED");
                } else if (personalData.getPlaceOfBirth().getFreetextPlace() != null) {
                    brokeredIdentityContext.setUserAttribute((String) config.get(EidAttributeMapper.ConfigAttributeNames.PLACE_OF_BIRTH_FORMATTED), personalData.getPlaceOfBirth().getFreetextPlace());
                    brokeredIdentityContext.setUserAttribute((String) config.get(EidAttributeMapper.ConfigAttributeNames.PLACE_OF_BIRTH_TYPE), "FREE_TEXT");
                } else {
                    brokeredIdentityContext.setUserAttribute((String) config.get(EidAttributeMapper.ConfigAttributeNames.PLACE_OF_BIRTH_FORMATTED), personalData.getPlaceOfBirth().getNoPlaceInfo());
                    brokeredIdentityContext.setUserAttribute((String) config.get(EidAttributeMapper.ConfigAttributeNames.PLACE_OF_BIRTH_TYPE), "NO_PLACE_INFO");
                }
            }
            brokeredIdentityContext.setUserAttribute((String) config.get(EidAttributeMapper.ConfigAttributeNames.ACADEMIC_TITLE), personalData.getAcademicTitle());
            brokeredIdentityContext.setUserAttribute((String) config.get(EidAttributeMapper.ConfigAttributeNames.ISSUING_STATE), personalData.getIssuingState());
            brokeredIdentityContext.setUserAttribute((String) config.get(EidAttributeMapper.ConfigAttributeNames.ARTISTIC_NAME), personalData.getArtisticName());
            brokeredIdentityContext.setUserAttribute((String) config.get(EidAttributeMapper.ConfigAttributeNames.NATIONALITY), personalData.getNationality());
            brokeredIdentityContext.setUserAttribute((String) config.get(EidAttributeMapper.ConfigAttributeNames.RESIDENCE_PERMIT_I), personalData.getResidencePermitI());
            String str = (String) config.get(EidAttributeMapper.ConfigAttributeNames.DATE_OF_EXPIRY);
            Optional map = Optional.ofNullable(personalData.getDateOfExpiry()).map((v0) -> {
                return v0.toGregorianCalendar();
            }).map((v0) -> {
                return v0.toInstant();
            });
            DateTimeFormatter dateTimeFormatter = Constants.DATE_FORMATTER;
            Objects.requireNonNull(dateTimeFormatter);
            brokeredIdentityContext.setUserAttribute(str, (String) map.map((v1) -> {
                return r3.format(v1);
            }).orElse(null));
            brokeredIdentityContext.setUserAttribute((String) config.get(EidAttributeMapper.ConfigAttributeNames.DOCUMENT_TYPE), personalData.getDocumentType());
            if (personalData.getPlaceOfResidence() != null) {
                if (personalData.getPlaceOfResidence().getStructuredPlace() != null) {
                    PlaceType structuredPlace2 = personalData.getPlaceOfResidence().getStructuredPlace();
                    brokeredIdentityContext.setUserAttribute((String) config.get(EidAttributeMapper.ConfigAttributeNames.PLACE_OF_RESIDENCE_LOCALITY), structuredPlace2.getCity());
                    brokeredIdentityContext.setUserAttribute((String) config.get(EidAttributeMapper.ConfigAttributeNames.PLACE_OF_RESIDENCE_COUNTRY), structuredPlace2.getCountry());
                    brokeredIdentityContext.setUserAttribute((String) config.get(EidAttributeMapper.ConfigAttributeNames.PLACE_OF_RESIDENCE_STREET_ADDRESS), structuredPlace2.getStreet());
                    brokeredIdentityContext.setUserAttribute((String) config.get(EidAttributeMapper.ConfigAttributeNames.PLACE_OF_RESIDENCE_REGION), structuredPlace2.getState());
                    brokeredIdentityContext.setUserAttribute((String) config.get(EidAttributeMapper.ConfigAttributeNames.PLACE_OF_RESIDENCE_ZIP_CODE), structuredPlace2.getZipCode());
                    brokeredIdentityContext.setUserAttribute((String) config.get(EidAttributeMapper.ConfigAttributeNames.PLACE_OF_RESIDENCE_TYPE), "STRUCTURED");
                    return;
                }
                if (personalData.getPlaceOfResidence().getFreetextPlace() != null) {
                    brokeredIdentityContext.setUserAttribute((String) config.get(EidAttributeMapper.ConfigAttributeNames.PLACE_OF_RESIDENCE_FORMATTED), personalData.getPlaceOfResidence().getFreetextPlace());
                    brokeredIdentityContext.setUserAttribute((String) config.get(EidAttributeMapper.ConfigAttributeNames.PLACE_OF_RESIDENCE_TYPE), "FREE_TEXT");
                } else if (personalData.getPlaceOfResidence().getNoPlaceInfo() != null) {
                    brokeredIdentityContext.setUserAttribute((String) config.get(EidAttributeMapper.ConfigAttributeNames.PLACE_OF_RESIDENCE_FORMATTED), personalData.getPlaceOfResidence().getNoPlaceInfo());
                    brokeredIdentityContext.setUserAttribute((String) config.get(EidAttributeMapper.ConfigAttributeNames.PLACE_OF_RESIDENCE_TYPE), "NO_PLACE_INFO");
                }
            }
        }
    }

    private String formatGeneralDateType(GeneralDateType generalDateType) {
        if (generalDateType == null) {
            return null;
        }
        String dateString = generalDateType.getDateString();
        if (dateString.length() == 8) {
            return new StringBuilder(dateString).insert(4, '-').insert(7, '-').toString();
        }
        log.info("Date of birth is not a valid date: {}", dateString);
        return dateString;
    }
}
