package pl.edu.icm.unity.saml.sp;

import eu.unicore.samly2.SAMLBindings;
import eu.unicore.samly2.validators.ReplayAttackChecker;
import eu.unicore.util.configuration.ConfigurationException;
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.net.URL;
import java.util.Map;
import java.util.Properties;
import org.apache.xmlbeans.XmlException;
import pl.edu.icm.unity.exceptions.InternalException;
import pl.edu.icm.unity.saml.SAMLHelper;
import pl.edu.icm.unity.saml.SAMLResponseValidatorUtil;
import pl.edu.icm.unity.saml.SamlProperties;
import pl.edu.icm.unity.saml.metadata.MetadataProviderFactory;
import pl.edu.icm.unity.saml.metadata.MultiMetadataServlet;
import pl.edu.icm.unity.saml.metadata.cfg.RemoteMetaManager;
import pl.edu.icm.unity.server.api.PKIManagement;
import pl.edu.icm.unity.server.api.TranslationProfileManagement;
import pl.edu.icm.unity.server.authn.AuthenticationException;
import pl.edu.icm.unity.server.authn.AuthenticationResult;
import pl.edu.icm.unity.server.authn.remote.AbstractRemoteVerificator;
import pl.edu.icm.unity.server.authn.remote.InputTranslationEngine;
import pl.edu.icm.unity.server.utils.ExecutorsService;
import pl.edu.icm.unity.server.utils.UnityServerConfiguration;
import xmlbeans.org.oasis.saml2.metadata.IndexedEndpointType;
import xmlbeans.org.oasis.saml2.protocol.AuthnRequestDocument;
import xmlbeans.org.oasis.saml2.protocol.ResponseDocument;

/* loaded from: input_file:pl/edu/icm/unity/saml/sp/SAMLVerificator.class */
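/**
 * SAML 2.0 Service Provider side of a remote authenticator.
 * <p>
 * It (1) builds an {@code AuthnRequest} for a configured IdP ({@link #createSAMLRequest}),
 * (2) verifies the {@code Response} posted back to the response consumer servlet
 * ({@link #verifySAMLResponse}) and (3) optionally publishes this SP's metadata
 * ({@link #exposeMetadata()}). Per-IdP settings used at request/verification time are not
 * read from {@link #samlProperties} directly but from whatever the {@link RemoteMetaManager}
 * registered for this instance returns from {@code getVirtualConfiguration()}.
 * <p>
 * Decompiled listing: constructor parameter names {@code str}/{@code str2} are kept as-is
 * because their meaning (forwarded to the superclass) is not visible here.
 */
public class SAMLVerificator extends AbstractRemoteVerificator implements SAMLExchange {
    private final UnityServerConfiguration mainConfig;
    private final PKIManagement pkiMan;
    private final MultiMetadataServlet metadataServlet;
    private final ExecutorsService executorsService;
    /** Absolute URL of the response consumer; published as the ACS location and used as the expected destination when validating responses. */
    private final String responseConsumerAddress;
    /** Shared registry of metadata managers, keyed by verificator instance name. */
    private final Map<String, RemoteMetaManager> remoteMetadataManagers;
    private final ReplayAttackChecker replayAttackChecker;
    /** Set by {@link #setSerializedConfiguration(String)}; null until then. */
    private SAMLSPProperties samlProperties;
    /** Set by {@link #setSerializedConfiguration(String)}; null until then. */
    private RemoteMetaManager myMetadataManager;

    /**
     * @param str first argument forwarded to the superclass constructor (role not visible here)
     * @param str2 second argument forwarded to the superclass constructor (role not visible here)
     * @param baseAddress base URL of this server; prefix of the response consumer address
     * @param pathPrefix path segment inserted between {@code baseAddress} and
     *        {@link SAMLResponseConsumerServlet#PATH}
     * @param map shared, mutable registry of metadata managers across verificator instances
     */
    public SAMLVerificator(String str, String str2, TranslationProfileManagement translationProfileManagement, InputTranslationEngine inputTranslationEngine, PKIManagement pKIManagement, ReplayAttackChecker replayAttackChecker, ExecutorsService executorsService, MultiMetadataServlet multiMetadataServlet, URL baseAddress, String pathPrefix, Map<String, RemoteMetaManager> map, UnityServerConfiguration unityServerConfiguration) {
        super(str, str2, SAMLExchange.ID, translationProfileManagement, inputTranslationEngine);
        this.remoteMetadataManagers = map;
        this.pkiMan = pKIManagement;
        this.mainConfig = unityServerConfiguration;
        this.metadataServlet = multiMetadataServlet;
        this.executorsService = executorsService;
        // The same string is both advertised in SP metadata and handed to the response validator
        // as the expected destination, so the two can never drift apart.
        this.responseConsumerAddress = baseAddress + pathPrefix + SAMLResponseConsumerServlet.PATH;
        this.replayAttackChecker = replayAttackChecker;
    }

    /**
     * Serializes the current configuration in {@link Properties} format.
     *
     * @return the properties as text
     * @throws InternalException if writing the properties fails
     * @throws IllegalStateException if no configuration has been set yet (previously a bare NPE)
     */
    public String getSerializedConfiguration() throws InternalException {
        if (this.samlProperties == null) {
            throw new IllegalStateException("SAML verificator configuration has not been set");
        }
        StringWriter out = new StringWriter();
        try {
            this.samlProperties.getProperties().store(out, "");
        } catch (IOException e) {
            throw new InternalException("Can't serialize SAML verificator configuration", e);
        }
        return out.toString();
    }

    /**
     * Loads the configuration from {@link Properties}-formatted text, optionally publishes SP
     * metadata, and binds this instance to its {@link RemoteMetaManager} (reusing an existing one
     * from the shared registry, otherwise creating and starting a new one).
     *
     * @throws InternalException if the text cannot be read or the properties are invalid
     */
    public void setSerializedConfiguration(String str) throws InternalException {
        try {
            Properties loaded = new Properties();
            loaded.load(new StringReader(str));
            this.samlProperties = new SAMLSPProperties(loaded, this.pkiMan);
            if (this.samlProperties.getBooleanValue(SamlProperties.PUBLISH_METADATA).booleanValue()) {
                exposeMetadata();
            }
            RemoteMetaManager existing = this.remoteMetadataManagers.get(this.instanceName);
            if (this.remoteMetadataManagers.containsKey(this.instanceName)) {
                // Reconfiguration of a running instance: keep the manager, swap its base config.
                this.myMetadataManager = existing;
                this.myMetadataManager.setBaseConfiguration(this.samlProperties);
            } else {
                this.myMetadataManager = new RemoteMetaManager(this.samlProperties, this.mainConfig, this.executorsService, this.pkiMan);
                this.remoteMetadataManagers.put(this.instanceName, this.myMetadataManager);
                this.myMetadataManager.start();
            }
        } catch (IOException e) {
            throw new InternalException("Invalid configuration of the SAML verificator(?)", e);
        } catch (ConfigurationException e2) {
            throw new InternalException("Invalid configuration of the SAML verificator", e2);
        }
    }

    /**
     * Registers an SP metadata provider under {@code "/" + METADATA_PATH}, advertising the
     * response consumer address for both the HTTP-POST (default) and HTTP-Redirect bindings.
     */
    private void exposeMetadata() {
        String metadataPath = this.samlProperties.getValue(SAMLSPProperties.METADATA_PATH);
        IndexedEndpointType postEndpoint = newConsumerEndpoint(1, "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", true);
        IndexedEndpointType redirectEndpoint = newConsumerEndpoint(2, "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", false);
        IndexedEndpointType[] endpoints = new IndexedEndpointType[]{postEndpoint, redirectEndpoint};
        this.metadataServlet.addProvider("/" + metadataPath, MetadataProviderFactory.newSPInstance(this.samlProperties, this.executorsService, endpoints));
    }

    /** Builds one AssertionConsumerService endpoint pointing at {@link #responseConsumerAddress}. */
    private IndexedEndpointType newConsumerEndpoint(int index, String binding, boolean isDefault) {
        IndexedEndpointType endpoint = IndexedEndpointType.Factory.newInstance();
        endpoint.setIndex(index);
        endpoint.setBinding(binding);
        endpoint.setLocation(this.responseConsumerAddress);
        endpoint.setIsDefault(isDefault);
        return endpoint;
    }

    /**
     * Builds an {@code AuthnRequest} for the IdP identified by {@code idpKey} and stores its XML and
     * ID in a new {@link RemoteAuthnContext}. The request is signed with the requester credential
     * only when the IdP configuration asks for it.
     *
     * @param idpKey configuration key prefix of the target IdP
     * @param str2 forwarded as the third argument of {@code RemoteAuthnContext.setRequest};
     *        its role is not visible from this class
     */
    @Override // pl.edu.icm.unity.saml.sp.SAMLExchange
    public RemoteAuthnContext createSAMLRequest(String idpKey, String str2) throws InternalException {
        RemoteAuthnContext context = new RemoteAuthnContext(getSamlValidatorSettings(), idpKey);
        SAMLSPProperties contextConfig = context.getContextConfig();
        boolean signRequest = contextConfig.isSignRequest(idpKey);
        AuthnRequestDocument request = SAMLHelper.createSAMLRequest(
                this.responseConsumerAddress,
                signRequest,
                contextConfig.getValue(SAMLSPProperties.REQUESTER_ID),
                contextConfig.getValue(idpKey + SAMLSPProperties.IDP_ADDRESS),
                contextConfig.getRequestedNameFormat(idpKey),
                true,
                signRequest ? contextConfig.getRequesterCredential() : null);
        context.setRequest(request.xmlText(), request.getAuthnRequest().getID(), str2);
        return context;
    }

    /**
     * Parses and validates the SAML {@code Response} stored in the context and maps it to an
     * {@link AuthenticationResult} through the IdP's translation profile.
     * <p>
     * Validation is delegated to {@link SAMLResponseValidatorUtil}, which receives the replay
     * checker and the expected consumer address; the original request ID and the binding the
     * response arrived on are passed along for correlation.
     *
     * @throws AuthenticationException if the response is not well-formed XML, or as raised by
     *         the validator
     */
    @Override // pl.edu.icm.unity.saml.sp.SAMLExchange
    public AuthenticationResult verifySAMLResponse(RemoteAuthnContext remoteAuthnContext) throws AuthenticationException {
        SAMLResponseValidatorUtil validator = new SAMLResponseValidatorUtil(
                getSamlValidatorSettings(), this.replayAttackChecker, this.responseConsumerAddress);
        ResponseDocument responseDoc;
        try {
            // NOTE(review): the response body is attacker-controlled XML. Whether this XMLBeans
            // parse rejects DTDs / external entities (XXE) is not visible from this class; confirm
            // the parser options used by ResponseDocument.Factory.parse.
            responseDoc = ResponseDocument.Factory.parse(remoteAuthnContext.getResponse());
        } catch (XmlException e) {
            throw new AuthenticationException("The SAML response can not be parsed - XML data is corrupted", e);
        }
        SAMLBindings binding = SAMLBindings.valueOf(remoteAuthnContext.getResponseBinding().toString());
        SAMLSPProperties contextConfig = remoteAuthnContext.getContextConfig();
        return getResult(
                validator.verifySAMLResponse(responseDoc, remoteAuthnContext.getRequestId(), binding, remoteAuthnContext.getGroupAttribute()),
                contextConfig.getValue(remoteAuthnContext.getContextIdpKey() + "translationProfile"));
    }

    /** Current effective SP settings, as exposed by this instance's metadata manager. */
    @Override // pl.edu.icm.unity.saml.sp.SAMLExchange
    public SAMLSPProperties getSamlValidatorSettings() {
        return this.myMetadataManager.getVirtualConfiguration();
    }
}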
