package pl.edu.icm.unity.saml.idp.processor;

import eu.unicore.samly2.SAMLConstants;
import eu.unicore.samly2.assertion.Assertion;
import eu.unicore.samly2.elements.Subject;
import eu.unicore.samly2.exceptions.SAMLRequesterException;
import eu.unicore.samly2.proto.AssertionResponse;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collection;
import java.util.List;
import java.util.TimeZone;
import pl.edu.icm.unity.saml.SAMLProcessingException;
import pl.edu.icm.unity.saml.idp.SamlIdpProperties;
import pl.edu.icm.unity.saml.idp.ctx.SAMLAuthnContext;
import pl.edu.icm.unity.types.basic.Attribute;
import pl.edu.icm.unity.types.basic.Identity;
import pl.edu.icm.unity.types.basic.IdentityParam;
import xmlbeans.org.oasis.saml2.assertion.AuthnContextType;
import xmlbeans.org.oasis.saml2.assertion.SubjectConfirmationDataType;
import xmlbeans.org.oasis.saml2.assertion.SubjectConfirmationType;
import xmlbeans.org.oasis.saml2.assertion.SubjectLocalityType;
import xmlbeans.org.oasis.saml2.assertion.SubjectType;
import xmlbeans.org.oasis.saml2.protocol.AuthnRequestDocument;
import xmlbeans.org.oasis.saml2.protocol.AuthnRequestType;
import xmlbeans.org.oasis.saml2.protocol.NameIDPolicyType;
import xmlbeans.org.oasis.saml2.protocol.ResponseDocument;

/* loaded from: input_file:pl/edu/icm/unity/saml/idp/processor/AuthnResponseProcessor.class */
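/**
 * Builds the SAML 2.0 {@code Response} answering a validated {@code AuthnRequest}.
 * <p>
 * The processor picks the identity whose type matches the NameID format the requester asked
 * for, wraps it in a bearer-confirmed {@code Subject} (bound to the request ID, the requester's
 * endpoint and a validity window), issues a signed authentication assertion and, unless the
 * configuration asks for a single assertion, a separate sender-vouches attribute assertion.
 * The ID of the authentication assertion is reused as its {@code SessionIndex} and exposed via
 * {@link #getSessionId()}.
 * <p>
 * Instances accumulate per-request state ({@code sessionId}, {@code authenticatedSubject})
 * while the assertion is created, so an instance is presumably used for one request only —
 * confirm against callers before sharing one.
 */
public class AuthnResponseProcessor extends BaseResponseProcessor<AuthnRequestDocument, AuthnRequestType> {
    /** Subject confirmation method: the holder of the assertion is the subject. */
    private static final String BEARER_CONFIRMATION_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer";
    /** NameID format used for the {@code Issuer} element of the assertion. */
    private static final String ENTITY_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity";
    /** AuthnContext class advertised when the processor does not know the real method. */
    private static final String UNSPECIFIED_AUTHN_CONTEXT_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified";
    /** Format assumed when the request carries no {@code NameIDPolicy} or no {@code Format}. */
    private static final String SAML11_UNSPECIFIED_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";
    /** Format actually issued when the requester left the choice to the IdP. */
    private static final String PERSISTENT_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";

    /** ID of the authentication assertion, reported as {@code SessionIndex}; set by {@link #createAuthenticationAssertion}. */
    private String sessionId;
    /** Subject placed in the authentication assertion; set by {@link #createAuthenticationAssertion}. */
    private SubjectType authenticatedSubject;

    /**
     * Creates a processor whose authentication time is "now" in UTC.
     *
     * @param context the validated authentication request context
     */
    public AuthnResponseProcessor(SAMLAuthnContext context) {
        this(context, utcCalendar());
    }

    /**
     * Creates a processor with an explicit authentication time (useful for tests and replays).
     *
     * @param context the validated authentication request context
     * @param authnTime the instant to report as authentication time
     */
    public AuthnResponseProcessor(SAMLAuthnContext context, Calendar authnTime) {
        super(context, authnTime);
    }

    /**
     * Filters the principal's identities down to those whose type corresponds to the NameID
     * format requested in the {@code NameIDPolicy} (via the configured identity type mapper).
     *
     * @param identities identities of the authenticated principal; {@code null} is treated as empty
     * @return the matching identities, never empty
     * @throws SAMLRequesterException with sub-status {@code UnknownPrincipal} when no identity
     *         of the requested format exists
     */
    public List<IdentityParam> getCompatibleIdentities(Collection<? extends IdentityParam> identities) throws SAMLRequesterException {
        String requestedFormat = getRequestedFormat();
        String requiredTypeId = this.samlConfiguration.getIdTypeMapper().mapIdentity(requestedFormat);
        List<IdentityParam> matching = new ArrayList<>();
        if (identities != null) {
            for (IdentityParam identity : identities) {
                if (identity.getTypeId().equals(requiredTypeId)) {
                    matching.add(identity);
                }
            }
        }
        if (matching.isEmpty()) {
            throw new SAMLRequesterException(SAMLConstants.SubStatus.STATUS2_UNKNOWN_PRINCIPIAL, "There is no identity of the requested '" + requestedFormat + "' SAML identity format for the authenticated principial.");
        }
        return matching;
    }

    /**
     * Tells whether the requester permits the IdP to create a new identifier for the principal.
     *
     * @return {@code true} when the request has no {@code NameIDPolicy}; otherwise the value of
     *         its {@code AllowCreate} attribute (presumably {@code false} when the attribute is
     *         absent — confirm against the XMLBeans binding)
     */
    public boolean isIdentityCreationAllowed() {
        NameIDPolicyType policy = this.context.getRequest().getNameIDPolicy();
        return policy == null || policy.getAllowCreate();
    }

    /**
     * Convenience overload issuing an authentication assertion without attributes.
     *
     * @param identity the identity to assert
     * @return the complete response document
     * @throws SAMLRequesterException when the request cannot be satisfied
     * @throws SAMLProcessingException when building or signing the response fails
     */
    public ResponseDocument processAuthnRequest(Identity identity) throws SAMLRequesterException, SAMLProcessingException {
        return processAuthnRequest(identity, null);
    }

    /**
     * Issues the response for the given identity and attributes, choosing between one combined
     * assertion and separate authentication/attribute assertions from the
     * {@code RETURN_SINGLE_ASSERTION} configuration property.
     *
     * @param identity the identity to assert
     * @param attributes attributes to release, or {@code null} for none
     * @return the complete response document
     * @throws SAMLRequesterException when the request cannot be satisfied
     * @throws SAMLProcessingException when building or signing the response fails
     */
    public ResponseDocument processAuthnRequest(IdentityParam identity, Collection<Attribute<?>> attributes) throws SAMLRequesterException, SAMLProcessingException {
        boolean singleAssertion = this.samlConfiguration.getBooleanValue(SamlIdpProperties.RETURN_SINGLE_ASSERTION).booleanValue();
        return processAuthnRequest(identity, attributes, singleAssertion);
    }

    /**
     * Issues the response for the given identity and attributes.
     *
     * @param identity the identity to assert
     * @param attributes attributes to release, or {@code null} for none
     * @param singleAssertion when {@code true} the attributes travel inside the authentication
     *        assertion; otherwise they go into a second, sender-vouches confirmed assertion
     *        built on a clone of the subject
     * @return the complete response document
     * @throws SAMLRequesterException when the request cannot be satisfied
     * @throws SAMLProcessingException when building or signing the response fails
     */
    protected ResponseDocument processAuthnRequest(IdentityParam identity, Collection<Attribute<?>> attributes, boolean singleAssertion) throws SAMLRequesterException, SAMLProcessingException {
        SubjectType subject = establishSubject(identity);
        AssertionResponse response = getOKResponseDocument();
        if (singleAssertion) {
            addAssertionEncrypting(response, createAuthenticationAssertion(subject, attributes));
        } else {
            addAssertionEncrypting(response, createAuthenticationAssertion(subject, null));
            if (attributes != null) {
                // The attribute assertion carries its own confirmation, so work on a copy of the subject.
                SubjectType attributeSubject = cloneSubject(subject);
                setSenderVouchesSubjectConfirmation(attributeSubject);
                Assertion attributeAssertion = createAttributeAssertion(attributeSubject, attributes);
                if (attributeAssertion != null) {
                    addAssertionEncrypting(response, attributeAssertion);
                }
            }
        }
        return response.getXMLBeanDoc();
    }

    /**
     * Converts the identity to a SAML subject in the requested format and attaches the bearer
     * confirmation.
     *
     * @param identity the identity to assert
     * @return the confirmed subject
     */
    protected SubjectType establishSubject(IdentityParam identity) {
        SubjectType subject = convertIdentity(identity, getRequestedFormat()).getXBean();
        setBearerSubjectConfirmation(subject);
        return subject;
    }

    /**
     * Replaces the subject's confirmations with a single bearer confirmation whose data binds
     * the assertion to this request ({@code InResponseTo}), to the requester's endpoint
     * ({@code Recipient}) and to a validity window ({@code NotOnOrAfter}).
     *
     * @param subject the subject to confirm; any existing confirmations are discarded
     */
    protected void setBearerSubjectConfirmation(SubjectType subject) {
        AuthnRequestType request = this.context.getRequest();
        SubjectConfirmationType confirmation = SubjectConfirmationType.Factory.newInstance();
        confirmation.setMethod(BEARER_CONFIRMATION_METHOD);
        SubjectConfirmationDataType data = confirmation.addNewSubjectConfirmationData();
        // Tie the assertion to the request it answers so it is not accepted for another one.
        data.setInResponseTo(request.getID());
        // Usable only for the configured validity period counted from the authentication time.
        Calendar notOnOrAfter = utcCalendar();
        notOnOrAfter.setTimeInMillis(getAuthnTime().getTimeInMillis() + this.samlConfiguration.getRequestValidity());
        data.setNotOnOrAfter(notOnOrAfter);
        // Recipient is the endpoint named in the request, else the address configured for the issuer.
        // NOTE(review): the requester-supplied ACS URL is used as given here; checking it against
        // the requester's registered endpoints is expected to happen during request validation — confirm.
        String recipient = request.getAssertionConsumerServiceURL();
        if (recipient == null) {
            recipient = this.samlConfiguration.getReturnAddressForRequester(request.getIssuer());
        }
        data.setRecipient(recipient);
        subject.setSubjectConfirmationArray(new SubjectConfirmationType[]{confirmation});
    }

    /**
     * Creates and signs the authentication assertion for the subject.
     * <p>
     * Side effects: records the subject in {@link #getAuthenticatedSubject()} and the assertion
     * ID in {@link #getSessionId()}; that ID is also used as the {@code SessionIndex} of the
     * authentication statement. The audience is restricted to the request's issuer.
     *
     * @param subject the confirmed subject
     * @param attributes attributes to embed, or {@code null} for none
     * @return the signed assertion
     * @throws SAMLProcessingException when adding attributes or signing fails
     */
    protected Assertion createAuthenticationAssertion(SubjectType subject, Collection<Attribute<?>> attributes) throws SAMLProcessingException {
        this.authenticatedSubject = subject;
        AuthnContextType authnContext = setupAuthnContext();
        Assertion assertion = new Assertion();
        assertion.setIssuer(this.samlConfiguration.getValue(SamlIdpProperties.ISSUER_URI), ENTITY_NAMEID_FORMAT);
        assertion.setSubject(subject);
        this.sessionId = assertion.getXMLBean().getID();
        assertion.addAuthStatement(getAuthnTime(), authnContext, this.sessionId, (Calendar) null, (SubjectLocalityType) null);
        // Only the requester may consume this assertion.
        assertion.setAudienceRestriction(new String[]{this.context.getRequest().getIssuer().getStringValue()});
        if (attributes != null) {
            addAttributesToAssertion(assertion, attributes);
        }
        signAssertion(assertion);
        return assertion;
    }

    /**
     * Builds the {@code AuthnContext} reported in the authentication statement. This base
     * implementation advertises the "unspecified" class; override to report the real method.
     *
     * @return a fresh authentication context
     */
    protected AuthnContextType setupAuthnContext() {
        AuthnContextType authnContext = AuthnContextType.Factory.newInstance();
        authnContext.setAuthnContextClassRef(UNSPECIFIED_AUTHN_CONTEXT_CLASS);
        return authnContext;
    }

    /**
     * Wraps the identity value in a SAML subject of the given NameID format. A SAML 1.1
     * "unspecified" request leaves the choice to the IdP, which issues a persistent identifier.
     *
     * @param identity the identity whose value becomes the NameID
     * @param requestedFormat the NameID format asked for by the requester
     * @return the subject (without confirmation)
     */
    protected Subject convertIdentity(IdentityParam identity, String requestedFormat) {
        String format = SAML11_UNSPECIFIED_NAMEID_FORMAT.equals(requestedFormat)
                ? PERSISTENT_NAMEID_FORMAT
                : requestedFormat;
        return new Subject(identity.getValue(), format);
    }

    /**
     * Reads the NameID format from the request's {@code NameIDPolicy}.
     *
     * @return the requested format, or the SAML 1.1 "unspecified" format when the request has
     *         no policy or the policy has no format
     */
    protected String getRequestedFormat() {
        NameIDPolicyType policy = getContext().getRequest().getNameIDPolicy();
        String format = policy == null ? null : policy.getFormat();
        return format == null ? SAML11_UNSPECIFIED_NAMEID_FORMAT : format;
    }

    /**
     * @return the ID of the issued authentication assertion (also its {@code SessionIndex}), or
     *         {@code null} before {@link #createAuthenticationAssertion} has run
     */
    public String getSessionId() {
        return this.sessionId;
    }

    /**
     * @return the subject placed in the authentication assertion, or {@code null} before
     *         {@link #createAuthenticationAssertion} has run
     */
    public SubjectType getAuthenticatedSubject() {
        return this.authenticatedSubject;
    }

    /** @return a calendar set to the current time in UTC */
    private static Calendar utcCalendar() {
        return Calendar.getInstance(TimeZone.getTimeZone("UTC"));
    }
}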
