package de.governikus.autent.sdk.saml.utils;

import de.bos_bremen.gov.autent.common.AttributeNameNPA;
import de.bos_bremen.gov.autent.common.HttpRedirectUtils;
import de.bos_bremen.gov.autent.common.XmlHelper;
import de.bund.bsi.eid212.LevelOfAssuranceType;
import de.governikus.autent.saml.client.utils.ParsedResponse;
import de.governikus.autent.saml.client.utils.ResponseParser;
import de.governikus.autent.saml.client.utils.ReturnedAttributesNPA;
import de.governikus.autent.sdk.saml.RequestGeneratorNPA;
import de.governikus.autent.sdk.saml.SamlConfiguration;
import de.governikus.autent.sdk.saml.exceptions.SamlException;
import de.governikus.autent.sdk.saml.exceptions.SamlRequestBuildingException;
import de.governikus.autent.sdk.saml.exceptions.SignatureValidationFailedException;
import java.io.StringReader;
import java.io.StringWriter;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Objects;
import javax.xml.transform.Transformer;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import lombok.NonNull;
import net.shibboleth.utilities.java.support.collection.Pair;
import org.apache.commons.lang3.StringUtils;
import org.opensaml.saml.saml2.core.StatusCode;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

/* loaded from: input_file:BOOT-INF/lib/saml-sdk-3.33.0.jar:de/governikus/autent/sdk/saml/utils/SamlSdkHelper.class */
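/**
 * Static helpers around the Governikus Autent SAML flow used by this SDK:
 * building the eID-client activation link, building the HTTP-Redirect-binding
 * AuthnRequest, and parsing / validating the SAML response that comes back.
 *
 * <p>Security notes for callers, derived from what this class does and does not do:
 * <ul>
 *   <li>{@link #resolveSamlResponseRedirectBinding} registers no signature trust
 *       anchor with the parser. For the Redirect binding the signature lives on the
 *       query string; check it with {@link #validateSamlResponseSignatureRedirectBinding}
 *       <em>before</em> trusting the inflated response.</li>
 *   <li>{@link #validateSamlResponse(ParsedResponse, String, String)} checks
 *       Destination, AudienceRestriction and NotOnOrAfter only. Nothing in this class
 *       correlates a response with the request it answers (InResponseTo) or detects a
 *       replayed assertion; the caller has to do that.</li>
 *   <li>The {@code createSamlRedirectBindingUrl} overloads without algorithm
 *       parameters request {@code xmlenc#aes128-cbc} / {@code xmlenc#rsa-1_5} for the
 *       response encryption. Both are legacy choices (unauthenticated CBC, PKCS#1 v1.5
 *       key transport, both with known padding-oracle attacks against XML Encryption).
 *       Prefer the overloads taking explicit algorithm URIs and pass an AEAD / OAEP pair
 *       once the Autent server accepts them; the defaults are kept here because
 *       changing them silently would change the wire format for every existing caller.</li>
 * </ul>
 *
 * <p>Parameter names in this listing were reconstructed from usage (the decompiled
 * names were lost); where a parameter is only passed through to another component its
 * meaning is marked as not visible here.
 */
public class SamlSdkHelper {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) SamlSdkHelper.class);

    /** Local activation endpoint of the AusweisApp2 / eID client. */
    private static final String AUSWEISAPP2_EID_CLIENT_URL = "http://127.0.0.1:24727/eID-Client";

    /** Default XML-Encryption algorithms requested when the caller passes none (see class note). */
    private static final String DEFAULT_DATA_ENCRYPTION_ALGORITHM = "http://www.w3.org/2001/04/xmlenc#aes128-cbc";
    private static final String DEFAULT_KEY_TRANSPORT_ALGORITHM = "http://www.w3.org/2001/04/xmlenc#rsa-1_5";

    /** SAML status code for a failed authentication. */
    private static final String SAML_AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed";
    /** Autent-specific minor status codes. */
    private static final String SAML_ECARD_ERROR = "urn:bos-bremen.de:SAML:minorCode:ECARD_ERROR";
    private static final String SAML_CLIENT_ERROR = "urn:bos-bremen.de:SAML:minorCode:CLIENT_ERROR";
    private static final String SAML_AUTHORIZATION_UNFINISHED = "urn:bos-bremen.de:SAML:minorCode:AUTHORIZATION_UNFINISHED";
    private static final String SAML_AUTHORIZATION_FAILED = "urn:bos-bremen.de:SAML:minorCode:AUTHORIZATION_FAILED";

    /**
     * Builds the eID-client activation link for a TC-token URL.
     *
     * @param eidClientBaseUrl activation endpoint of the eID client; used verbatim, not validated
     * @param tcTokenUrl       URL of the TC token; URL-encoded (UTF-8) into the {@code tcTokenURL} query parameter
     * @return {@code eidClientBaseUrl + "?tcTokenURL=" + encode(tcTokenUrl)}
     * @throws NullPointerException if {@code tcTokenUrl} is null
     * @throws RuntimeException if the JVM lacks UTF-8 (cannot happen on a compliant JVM)
     */
    public static String getEidClientUrl(String eidClientBaseUrl, String tcTokenUrl) {
        try {
            String encodedTcTokenUrl = URLEncoder.encode(tcTokenUrl, StandardCharsets.UTF_8.name());
            return eidClientBaseUrl + "?tcTokenURL=" + encodedTcTokenUrl;
        } catch (UnsupportedEncodingException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Builds the activation link for the locally running AusweisApp2 ({@value #AUSWEISAPP2_EID_CLIENT_URL}).
     *
     * @param tcTokenUrl URL of the TC token
     * @return the activation link, see {@link #getEidClientUrl}
     */
    public static String getAusweisApp2Url(String tcTokenUrl) {
        return getEidClientUrl(AUSWEISAPP2_EID_CLIENT_URL, tcTokenUrl);
    }

    /**
     * Lombok-style argument guard shared by every {@code createSamlRedirectBindingUrl} overload.
     * Messages are kept verbatim so callers matching on them keep working.
     */
    private static void requireConfigAndConsumerUrl(SamlConfiguration config, String samlConsumerUrl) {
        if (config == null) {
            throw new NullPointerException("config is marked @NonNull but is null");
        }
        if (samlConsumerUrl == null) {
            throw new NullPointerException("samlConsumerUrl is marked @NonNull but is null");
        }
    }

    /** See {@link #createSamlRedirectBindingUrl(SamlConfiguration, String, String[], String[], String, Integer, String, boolean, String, String, String, char[])}; no age/place verification, default algorithms, no credentials. */
    public static String createSamlRedirectBindingUrl(@NonNull SamlConfiguration config, String relayState, String[] requiredAttributes, String[] optionalAttributes, @NonNull String samlConsumerUrl) {
        requireConfigAndConsumerUrl(config, samlConsumerUrl);
        return createSamlRedirectBindingUrl(config, relayState, requiredAttributes, optionalAttributes, samlConsumerUrl, null, null, false);
    }

    /** See the 12-argument overload; no age/place verification, default algorithms, no credentials. */
    public static String createSamlRedirectBindingUrl(@NonNull SamlConfiguration config, String relayState, String[] requiredAttributes, String[] optionalAttributes, @NonNull String samlConsumerUrl, boolean queryStringFlag) {
        requireConfigAndConsumerUrl(config, samlConsumerUrl);
        return createSamlRedirectBindingUrl(config, relayState, requiredAttributes, optionalAttributes, samlConsumerUrl, null, null, queryStringFlag);
    }

    /** See the 12-argument overload; place verification only, default algorithms, no credentials. */
    public static String createSamlRedirectBindingUrl(@NonNull SamlConfiguration config, String relayState, String[] requiredAttributes, String[] optionalAttributes, @NonNull String samlConsumerUrl, String communityId) {
        requireConfigAndConsumerUrl(config, samlConsumerUrl);
        return createSamlRedirectBindingUrl(config, relayState, requiredAttributes, optionalAttributes, samlConsumerUrl, null, communityId, false);
    }

    /** See the 12-argument overload; place verification only, default algorithms, no credentials. */
    public static String createSamlRedirectBindingUrl(@NonNull SamlConfiguration config, String relayState, String[] requiredAttributes, String[] optionalAttributes, @NonNull String samlConsumerUrl, String communityId, boolean queryStringFlag) {
        requireConfigAndConsumerUrl(config, samlConsumerUrl);
        return createSamlRedirectBindingUrl(config, relayState, requiredAttributes, optionalAttributes, samlConsumerUrl, null, communityId, queryStringFlag);
    }

    /** See the 12-argument overload; age verification only, default algorithms, no credentials. */
    public static String createSamlRedirectBindingUrl(@NonNull SamlConfiguration config, String relayState, String[] requiredAttributes, String[] optionalAttributes, @NonNull String samlConsumerUrl, Integer minAge) {
        requireConfigAndConsumerUrl(config, samlConsumerUrl);
        return createSamlRedirectBindingUrl(config, relayState, requiredAttributes, optionalAttributes, samlConsumerUrl, minAge, null, false);
    }

    /** See the 12-argument overload; age verification only, default algorithms, no credentials. */
    public static String createSamlRedirectBindingUrl(@NonNull SamlConfiguration config, String relayState, String[] requiredAttributes, String[] optionalAttributes, @NonNull String samlConsumerUrl, Integer minAge, boolean queryStringFlag) {
        requireConfigAndConsumerUrl(config, samlConsumerUrl);
        return createSamlRedirectBindingUrl(config, relayState, requiredAttributes, optionalAttributes, samlConsumerUrl, minAge, null, queryStringFlag);
    }

    /** See the 12-argument overload; age and place verification, default algorithms, no credentials. */
    public static String createSamlRedirectBindingUrl(@NonNull SamlConfiguration config, String relayState, String[] requiredAttributes, String[] optionalAttributes, @NonNull String samlConsumerUrl, Integer minAge, String communityId) {
        requireConfigAndConsumerUrl(config, samlConsumerUrl);
        return createSamlRedirectBindingUrl(config, relayState, requiredAttributes, optionalAttributes, samlConsumerUrl, minAge, communityId, false);
    }

    /** See the 12-argument overload; default algorithms, with service-account credentials. */
    public static String createSamlRedirectBindingUrl(@NonNull SamlConfiguration config, String relayState, String[] requiredAttributes, String[] optionalAttributes, @NonNull String samlConsumerUrl, Integer minAge, String communityId, String username, char[] password) {
        requireConfigAndConsumerUrl(config, samlConsumerUrl);
        return createSamlRedirectBindingUrl(config, relayState, requiredAttributes, optionalAttributes, samlConsumerUrl, minAge, communityId, false, username, password);
    }

    /** See the 12-argument overload; default (legacy) algorithms, no credentials. */
    public static String createSamlRedirectBindingUrl(@NonNull SamlConfiguration config, String relayState, String[] requiredAttributes, String[] optionalAttributes, @NonNull String samlConsumerUrl, Integer minAge, String communityId, boolean queryStringFlag) {
        requireConfigAndConsumerUrl(config, samlConsumerUrl);
        return createSamlRedirectBindingUrl(config, relayState, requiredAttributes, optionalAttributes, samlConsumerUrl, minAge, communityId, queryStringFlag, DEFAULT_DATA_ENCRYPTION_ALGORITHM, DEFAULT_KEY_TRANSPORT_ALGORITHM);
    }

    /** See the 12-argument overload; default (legacy) algorithms, with service-account credentials. */
    public static String createSamlRedirectBindingUrl(@NonNull SamlConfiguration config, String relayState, String[] requiredAttributes, String[] optionalAttributes, @NonNull String samlConsumerUrl, Integer minAge, String communityId, boolean queryStringFlag, String username, char[] password) {
        requireConfigAndConsumerUrl(config, samlConsumerUrl);
        return createSamlRedirectBindingUrl(config, relayState, requiredAttributes, optionalAttributes, samlConsumerUrl, minAge, communityId, queryStringFlag, DEFAULT_DATA_ENCRYPTION_ALGORITHM, DEFAULT_KEY_TRANSPORT_ALGORITHM, username, password);
    }

    /** See the 12-argument overload; explicit algorithms, no credentials. */
    public static String createSamlRedirectBindingUrl(@NonNull SamlConfiguration config, String relayState, String[] requiredAttributes, String[] optionalAttributes, @NonNull String samlConsumerUrl, Integer minAge, String communityId, boolean queryStringFlag, String dataEncryptionAlgorithm, String keyTransportAlgorithm) {
        requireConfigAndConsumerUrl(config, samlConsumerUrl);
        return createSamlRedirectBindingUrl(config, relayState, requiredAttributes, optionalAttributes, samlConsumerUrl, minAge, communityId, queryStringFlag, dataEncryptionAlgorithm, keyTransportAlgorithm, null, null);
    }

    /**
     * Builds the complete HTTP-Redirect-binding URL (AuthnRequest deflated, base64-encoded and
     * signed on the query string with the configured signature key, SHA-256) pointing at the
     * Autent SAML service.
     *
     * <p>The AuthnRequest XML itself is <em>not</em> signed here (the last argument to
     * {@link #createSamlRequest} is {@code false}); authentication of the request relies on the
     * detached query-string signature produced by {@code HttpRedirectUtils.createQueryString}.
     *
     * @param config                  SDK configuration (service-provider name, Autent URL, key material)
     * @param relayState              opaque RelayState echoed back by the IdP; may be null
     * @param requiredAttributes      attribute names requested with flag {@code true}
     * @param optionalAttributes      attribute names requested with flag {@code false}
     * @param samlConsumerUrl         AssertionConsumerService URL of this service provider
     * @param minAge                  minimum age for {@code AgeVerification}; ignored when null
     * @param communityId             community id for {@code PlaceVerification}; ignored when blank
     * @param queryStringFlag         passed through as the last argument of
     *                                {@code HttpRedirectUtils.createQueryString}; its meaning is not visible here
     * @param dataEncryptionAlgorithm XML-Encryption data algorithm URI requested for the response
     * @param keyTransportAlgorithm   XML-Encryption key-transport algorithm URI requested for the response
     * @param username                service-account user name embedded in the request; may be null
     * @param password                service-account password; may be null
     * @return the redirect URL
     * @throws NullPointerException        if {@code config} or {@code samlConsumerUrl} is null
     * @throws SamlRequestBuildingException if the request cannot be built, encoded or signed
     */
    public static String createSamlRedirectBindingUrl(@NonNull SamlConfiguration config, String relayState, String[] requiredAttributes, String[] optionalAttributes, @NonNull String samlConsumerUrl, Integer minAge, String communityId, boolean queryStringFlag, String dataEncryptionAlgorithm, String keyTransportAlgorithm, String username, char[] password) {
        requireConfigAndConsumerUrl(config, samlConsumerUrl);
        byte[] samlRequest = createSamlRequest(config, requiredAttributes, optionalAttributes, samlConsumerUrl, minAge, communityId, dataEncryptionAlgorithm, keyTransportAlgorithm, username, password, null, null, false);
        try {
            String autentServiceUrl = config.getAutentSamlServiceUrl();
            log.trace("building saml request for autent on '{}' with relaystate '{}'", autentServiceUrl, relayState);
            PrivateKey querySigningKey = config.getSignatureKeyPair().getSecond();
            return HttpRedirectUtils.createQueryString(autentServiceUrl, samlRequest, true, relayState, querySigningKey, "SHA256", null, true, queryStringFlag);
        } catch (UnsupportedEncodingException | MalformedURLException | GeneralSecurityException e) {
            throw new SamlRequestBuildingException(e.getMessage(), e);
        }
    }

    /**
     * Builds the raw AuthnRequest XML for Autent.
     *
     * <p>Encryption of the response is requested only when the configuration carries an Autent
     * encryption certificate. The XML is signed only when {@code signXmlRequest} is true
     * <em>and</em> keystore, alias and key password are all configured; otherwise the request
     * goes out unsigned without any warning, so callers relying on an XML signature should
     * verify their configuration.
     *
     * @param config                  SDK configuration
     * @param requiredAttributes      attribute names added with flag {@code true}; may be null
     * @param optionalAttributes      attribute names added with flag {@code false}; may be null
     * @param samlConsumerUrl         AssertionConsumerService URL
     * @param minAge                  minimum age for {@code AgeVerification}; the attribute is skipped when null
     * @param communityId             community id for {@code PlaceVerification}; skipped when blank
     * @param dataEncryptionAlgorithm XML-Encryption data algorithm URI
     * @param keyTransportAlgorithm   XML-Encryption key-transport algorithm URI
     * @param username                service-account user name; may be null
     * @param password                service-account password; may be null
     * @param levelOfAssurance        eIDAS level of assurance, used when {@code UseEidas} is requested
     * @param eidasArgument           second argument to {@code RequestGeneratorNPA.setEidas}; meaning not visible here
     * @param signXmlRequest          whether to XML-sign the request (subject to the key material being configured)
     * @return the serialized AuthnRequest
     * @throws NullPointerException        if {@code config} is null
     * @throws SamlRequestBuildingException if the encrypter cannot be set up or the request cannot be created
     */
    public static byte[] createSamlRequest(SamlConfiguration config, String[] requiredAttributes, String[] optionalAttributes, String samlConsumerUrl, Integer minAge, String communityId, String dataEncryptionAlgorithm, String keyTransportAlgorithm, String username, char[] password, LevelOfAssuranceType levelOfAssurance, String eidasArgument, boolean signXmlRequest) {
        Objects.requireNonNull(config, "config");
        log.trace("building saml request");
        RequestGeneratorNPA generator = new RequestGeneratorNPA(config.getServiceProviderName(), config.getAutentSamlServiceUrl());
        generator.setAssertionConsumerURL(samlConsumerUrl);

        X509Certificate encryptionCertificate = config.getAutentSamlEncryptionCertificate();
        if (encryptionCertificate != null) {
            try {
                generator.setEncrypter(false, encryptionCertificate, dataEncryptionAlgorithm, keyTransportAlgorithm);
            } catch (Exception e) {
                throw new SamlRequestBuildingException("should never happen look in setEncrypter-method...", e);
            }
        }

        boolean signingMaterialConfigured = config.getServiceProviderSignatureKeystore() != null
            && config.getSignatureAlias() != null
            && config.getSignatureKeyPassword() != null;
        if (signXmlRequest && signingMaterialConfigured) {
            Pair<X509Certificate, PrivateKey> signatureKeyPair = config.getSignatureKeyPair();
            generator.setSigner(false, signatureKeyPair.getSecond(), signatureKeyPair.getFirst(), "SHA-256");
        } else if (signXmlRequest) {
            log.debug("xml signature requested but signature keystore/alias/password not fully configured; request stays unsigned");
        }

        if (requiredAttributes != null) {
            for (String attribute : requiredAttributes) {
                applyRequestedAttribute(generator, attribute, true, minAge, communityId, levelOfAssurance, eidasArgument);
            }
        }
        if (optionalAttributes != null) {
            for (String attribute : optionalAttributes) {
                applyRequestedAttribute(generator, attribute, false, minAge, communityId, levelOfAssurance, eidasArgument);
            }
        }

        generator.setUserNameAndPassword(username, password);
        try {
            byte[] samlRequest = generator.createSAMLRequest();
            if (log.isTraceEnabled()) {
                // NOTE(review): should the generator embed the credentials set above in the
                // request, they would land in this TRACE line -- keep TRACE off in production.
                log.trace("created SAMLRequest: {}", prettyPrintXml(new String(samlRequest, StandardCharsets.UTF_8), 2));
            }
            return samlRequest;
        } catch (Exception e) {
            throw new SamlRequestBuildingException(e.getMessage(), e);
        }
    }

    /**
     * Registers one requested attribute with the generator. The three "verification" pseudo
     * attributes are mapped to their dedicated setters; everything else is a plain requested
     * attribute. {@code AgeVerification} without a minimum age and {@code PlaceVerification}
     * without a community id are dropped silently (logged at DEBUG).
     */
    private static void applyRequestedAttribute(RequestGeneratorNPA generator, String attribute, boolean flag, Integer minAge, String communityId, LevelOfAssuranceType levelOfAssurance, String eidasArgument) {
        if (AttributeNameNPA.AgeVerification.name().equals(attribute)) {
            if (minAge != null) {
                generator.setMinAgeVerification(minAge.intValue(), flag);
            } else {
                log.debug("AgeVerification requested without a minimum age; skipping");
            }
        } else if (AttributeNameNPA.PlaceVerification.name().equals(attribute)) {
            if (StringUtils.isNotBlank(communityId)) {
                generator.setCommunityIDVerification(communityId, flag);
            } else {
                log.debug("PlaceVerification requested without a community id; skipping");
            }
        } else if (AttributeNameNPA.UseEidas.name().equals(attribute)) {
            generator.setEidas(levelOfAssurance, eidasArgument);
        } else {
            generator.addRequestedAttribute(attribute, flag);
        }
    }

    /**
     * Inflates a Redirect-binding {@code SAMLResponse} parameter and resolves it.
     *
     * <p><b>No signature trust anchor is registered here</b> (the parser is called with
     * {@code false}). The Redirect-binding signature is on the query string: call
     * {@link #validateSamlResponseSignatureRedirectBinding} on the raw query string first,
     * otherwise the attributes returned here come from an unauthenticated response.
     *
     * @param encodedSamlResponse the deflated/base64 {@code SAMLResponse} parameter value
     * @param expectedDestination the URL this response must carry as Destination; see {@link #validateSamlResponse}
     * @param config              SDK configuration supplying the decryption key pair
     * @return the attributes of the validated response
     * @throws SamlException if inflating, parsing, decrypting or validating fails
     */
    public static ReturnedAttributesNPA resolveSamlResponseRedirectBinding(String encodedSamlResponse, String expectedDestination, SamlConfiguration config) {
        try {
            byte[] inflated = HttpRedirectUtils.inflate(encodedSamlResponse);
            return resolveSamlResponse(inflated, expectedDestination, config, false);
        } catch (Exception e) {
            throw new SamlException(e.getMessage(), e);
        }
    }

    /**
     * Parses, decrypts and validates a SAML response.
     *
     * @param samlResponse            the response XML
     * @param expectedDestination     expected Destination; when null the Destination check is skipped
     * @param config                  SDK configuration (decryption key pair, Autent signature certificate, SP name)
     * @param pinSignatureTrustAnchor when true the configured Autent signature certificate is registered as
     *                                trust anchor with the parser; what the parser does without one is not
     *                                visible here, so treat {@code false} as "XML signature not anchored"
     * @return the attributes of the validated response
     * @throws SamlException if parsing or validation fails (the cause is preserved)
     */
    public static ReturnedAttributesNPA resolveSamlResponse(byte[] samlResponse, String expectedDestination, SamlConfiguration config, boolean pinSignatureTrustAnchor) {
        ResponseParser parser = new ResponseParser();
        Pair<X509Certificate, PrivateKey> decryptionKeyPair = config.getDecryptionKeyPair();
        parser.addDecryptionKey(decryptionKeyPair.getSecond(), decryptionKeyPair.getFirst());
        if (pinSignatureTrustAnchor) {
            parser.addTrustedAnchorCert(config.getAutentSamlSignatureCertificate());
        }
        try {
            log.trace("parsing saml response");
            ParsedResponse parsed = parser.parse(samlResponse);
            // The audience is pinned to our own SP name so an assertion issued for another SP is rejected.
            validateSamlResponse(parsed, expectedDestination, config.getServiceProviderName());
            return new ReturnedAttributesNPA(parsed);
        } catch (Exception e) {
            throw new SamlException(e.getMessage(), e);
        }
    }

    /**
     * Verifies the detached signature of a Redirect-binding query string against the given
     * certificate.
     *
     * @param queryString          the full query string (SAMLResponse, RelayState, SigAlg, Signature)
     * @param signatureCertificate certificate expected to have produced the signature
     * @throws SignatureValidationFailedException if the signature does not verify; note that the
     *                                            exception message carries the whole query string and the
     *                                            certificate, so do not echo it to end users
     */
    public static void validateSamlResponseSignatureRedirectBinding(String queryString, X509Certificate signatureCertificate) {
        log.trace("checking signature saml response");
        boolean valid = HttpRedirectUtils.checkQueryString(queryString, signatureCertificate);
        if (!valid) {
            throw new SignatureValidationFailedException("signature from autent could not be verified...\n\tqueryString: " + queryString + "\n\tsignatureValidationCertificate: " + signatureCertificate);
        }
    }

    /**
     * Validates a parsed response <em>without</em> Destination and audience checks.
     * Only the assertion lifetime and the status are checked; prefer
     * {@link #validateSamlResponse(ParsedResponse, String, String)} whenever the expected
     * values are known.
     *
     * @param parsedResponse the parsed response
     * @throws SamlException if an assertion has expired or the status is not success
     */
    public static void validateSamlResponse(ParsedResponse parsedResponse) {
        validateSamlResponse(parsedResponse, null, null);
    }

    /**
     * Validates a parsed response: Destination (if expected), AudienceRestriction (if expected),
     * NotOnOrAfter of every assertion, then the status. Not checked here: InResponseTo /
     * request correlation, NotBefore, replay.
     *
     * @param parsedResponse      the parsed response
     * @param expectedDestination expected Destination; skipped when null
     * @param expectedAudience    expected single audience (normally the SP name); skipped when null
     * @throws SamlException on any mismatch, an expired or lifetime-less assertion, or a non-success status;
     *                       for error statuses the exception carries the SAML status codes and a message that
     *                       classifies the known Autent / eCard failure reasons
     */
    public static void validateSamlResponse(ParsedResponse parsedResponse, String expectedDestination, String expectedAudience) {
        log.trace("validating parsed saml response");
        String actualDestination = parsedResponse.getParsedObject().getDestination();
        if (expectedDestination != null && !StringUtils.equals(expectedDestination, actualDestination)) {
            throw new SamlException("expected destination does not match the real destination: \n\texpected destination: " + expectedDestination + "\n\treal destination: " + actualDestination);
        }

        // Single clock reading for all assertions so they are judged against the same instant.
        Date now = new Date();
        for (var assertion : parsedResponse.getAssertions()) {
            if (expectedAudience != null) {
                int audienceCount = assertion.getAudienceRestrictions().size();
                if (audienceCount != 1) {
                    throw new SamlException("audience restriction must contain exactle a single element but it contains '" + audienceCount + "' elements.");
                }
                Object audience = assertion.getAudienceRestrictions().get(0);
                if (!audience.equals(expectedAudience)) {
                    throw new SamlException("audience restriction was expected to be for audience '" + expectedAudience + "' but it is for '" + audience + "'");
                }
            }
            Date notOnOrAfter = assertion.getNotOnOrAfter();
            if (notOnOrAfter == null) {
                // Previously an NPE; an assertion without a lifetime cannot be judged, so reject it.
                throw new SamlException("SAML assertion carries no notOnOrAfter condition");
            }
            // SAML: the instant NotOnOrAfter itself is already outside the validity period,
            // hence "not after" rather than "before".
            if (!notOnOrAfter.after(now)) {
                throw new SamlException("SAML response has expired: (notOnOrAfter = " + notOnOrAfter + ")");
            }
        }

        if (parsedResponse.isStatusSuccess()) {
            log.trace("saml response was parsed successfully");
            return;
        }
        throw classifyErrorStatus(parsedResponse);
    }

    /**
     * Maps a non-success status to a {@link SamlException} with a human-readable reason.
     * All status-message comparisons are null-safe; a missing message falls through to the
     * generic branches instead of failing with an NPE.
     */
    private static SamlException classifyErrorStatus(ParsedResponse parsedResponse) {
        String statusCode = parsedResponse.getStatusCode();
        String minorStatusCode = parsedResponse.getMinorStatusCode();
        String statusMessage = parsedResponse.getStatusMessage();
        log.error("saml response contained error: \n\tstatusCode: {}\n\tminorStatusCode: {}\n\tstatusInfo: {}", statusCode, minorStatusCode, statusMessage);

        boolean authnFailed = SAML_AUTHN_FAILED.equals(statusCode);
        boolean ecardError = authnFailed && SAML_ECARD_ERROR.equals(minorStatusCode);
        boolean authorizationFailed = authnFailed && SAML_AUTHORIZATION_FAILED.equals(minorStatusCode);

        boolean cancelled = StringUtils.contains(statusMessage, "cancelationByUser") || StringUtils.contains(statusMessage, "cancellationByUser");
        if (authnFailed && (SAML_ECARD_ERROR.equals(minorStatusCode) || SAML_CLIENT_ERROR.equals(minorStatusCode)) && cancelled) {
            return statusError(statusCode, minorStatusCode, statusMessage, "client aborted authentication process");
        }
        if (StatusCode.REQUESTER.equals(statusCode) && SAML_AUTHORIZATION_UNFINISHED.equals(minorStatusCode)) {
            return statusError(statusCode, minorStatusCode, statusMessage, "authorization remains unfinished");
        }
        if (ecardError && StringUtils.contains(statusMessage, "http://www.bsi.bund.de/ecard/api/1.1/resultminor/sal/mEAC#DocumentValidityVerificationFailed|DocumentValidity is false")) {
            return statusError(statusCode, minorStatusCode, statusMessage, "the identity card is not valid");
        }
        if (ecardError && StringUtils.contains(statusMessage, "http://www.bsi.bund.de/ecard/api/1.1/resultminor/sal#referenceDataBlocked|Retry counter expired: PUK required")) {
            // Was an empty message before; name the reason so callers can show it.
            return statusError(statusCode, minorStatusCode, statusMessage, "the eID PIN is blocked: retry counter expired, PUK required");
        }
        if (ecardError && StringUtils.contains(statusMessage, "http://www.bsi.bund.de/ecard/api/1.1/resultminor/sal#authenticationNotActivated|6283 - eID PIN deactivated")) {
            return statusError(statusCode, minorStatusCode, statusMessage, "the eID-function is not activated");
        }
        if (ecardError && StringUtils.contains(statusMessage, "http://www.bsi.bund.de/ecard/api/1.1/resultminor/sal#notInitialized|9000 - PIN not initialized")) {
            return statusError(statusCode, minorStatusCode, statusMessage, "the initial pin must be changed!");
        }
        if (ecardError && StringUtils.contains(statusMessage, "http://www.bsi.bund.de/ecard/api/1.1/resultminor/sal/mEAC#DocumentValidityVerificationFailed|Card is on the blacklist")) {
            return statusError(statusCode, minorStatusCode, statusMessage, "identity card was blacklisted");
        }
        if (authorizationFailed && StringUtils.contains(statusMessage, "ID not found in database")) {
            return statusError(statusCode, minorStatusCode, statusMessage, "this piece of identification was not registered for the service account");
        }
        if (authorizationFailed) {
            return statusError(statusCode, minorStatusCode, statusMessage, "login failed: please check your credentials");
        }
        return statusError(statusCode, minorStatusCode, statusMessage, "unidentified SAML error: majorCode:" + statusCode + "\nminorCode: " + minorStatusCode);
    }

    /** Builds a {@link SamlException} carrying the SAML status triple plus a reason. */
    private static SamlException statusError(String statusCode, String minorStatusCode, String statusMessage, String reason) {
        SamlException.SamlStatusCode status = SamlException.SamlStatusCode.builder()
            .statusCode(statusCode)
            .minorStatusCode(minorStatusCode)
            .additionalStatusInfo(statusMessage)
            .build();
        return new SamlException(status, reason);
    }

    /**
     * Re-serializes an XML string with indentation, for logging. On any failure the error is
     * logged and the input is returned unchanged.
     *
     * <p>Whether the parser obtained from {@code XmlHelper.getDocumentBuilder()} is hardened
     * against external entities (XXE) is not visible here; only feed this method XML this SDK
     * produced itself (as {@link #createSamlRequest} does), not untrusted input.
     *
     * @param xml          the XML document
     * @param indentAmount number of spaces per indentation level
     * @return the indented document, or {@code xml} itself if parsing or transforming failed
     */
    public static String prettyPrintXml(String xml, int indentAmount) {
        try {
            Document document = XmlHelper.getDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            Transformer transformer = XmlHelper.getTransfomer();
            transformer.setOutputProperty("indent", "yes");
            transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", String.valueOf(indentAmount));
            StringWriter out = new StringWriter();
            transformer.transform(new DOMSource(document), new StreamResult(out));
            return out.toString();
        } catch (Exception e) {
            log.error(e.getMessage(), (Throwable) e);
            return xml;
        }
    }

    /** Utility class; not instantiable. */
    private SamlSdkHelper() {
    }
}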
