package ee.bitweb.springframework.security.estonianid.authentication;

import ee.bitweb.springframework.security.estonianid.authentication.SmartIdAuthenticationSession;
import ee.sk.smartid.AuthenticationHash;
import ee.sk.smartid.AuthenticationIdentity;
import ee.sk.smartid.AuthenticationResponseValidator;
import ee.sk.smartid.HashType;
import ee.sk.smartid.SmartIdAuthenticationResponse;
import ee.sk.smartid.SmartIdAuthenticationResult;
import ee.sk.smartid.SmartIdClient;
import ee.sk.smartid.exception.ClientNotSupportedException;
import ee.sk.smartid.exception.DocumentUnusableException;
import ee.sk.smartid.exception.InvalidParametersException;
import ee.sk.smartid.exception.RequestForbiddenException;
import ee.sk.smartid.exception.ServerMaintenanceException;
import ee.sk.smartid.exception.SessionTimeoutException;
import ee.sk.smartid.exception.SmartIdException;
import ee.sk.smartid.exception.TechnicalErrorException;
import ee.sk.smartid.exception.UserAccountNotFoundException;
import ee.sk.smartid.exception.UserRefusedException;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.core.io.Resource;
import org.springframework.util.Assert;
import org.springframework.util.ObjectUtils;

/* loaded from: input_file:ee/bitweb/springframework/security/estonianid/authentication/SmartIdAuthenticationService.class */
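/**
 * Smart-ID authentication flow in two steps: {@link #beginAuthentication} creates a session
 * holding a fresh random authentication hash, and {@link #validate} sends that hash to the
 * Smart-ID service and checks the signed response with the configured
 * {@link AuthenticationResponseValidator}.
 *
 * <p>The setters are plain, unsynchronized field writes; configure the bean before it is
 * shared between threads. Spring invokes {@link #afterPropertiesSet()} once all properties
 * have been injected.
 */
public class SmartIdAuthenticationService extends EstonianIdAuthenticationService implements InitializingBean {
    // Stable error codes published on the session. Clients see these instead of the
    // Smart-ID client exception class names (see errorCodeMapping).
    public static final String ERR_INVALID_PARAMETERS = "INVALID_PARAMETERS";
    public static final String ERR_USER_ACCOUNT_NOT_FOUND = "USER_ACCOUNT_NOT_FOUND";
    public static final String ERR_REQUEST_FORBIDDEN = "REQUEST_FORBIDDEN";
    public static final String ERR_USER_REFUSED = "USER_REFUSED";
    public static final String ERR_SESSION_TIMEOUT = "SESSION_TIMEOUT";
    public static final String ERR_DOCUMENT_UNUSABLE = "DOCUMENT_UNUSABLE";
    public static final String ERR_TECHNICAL_ERROR = "TECHNICAL_ERROR";
    public static final String ERR_CLIENT_NOT_SUPPORTED = "CLIENT_NOT_SUPPORTED";
    public static final String ERR_SERVER_MAINTENANCE = "SERVER_MAINTENANCE";

    /** Smart-ID exception type to error code; filled in the static block and never modified afterwards. */
    private static final Map<Class<? extends SmartIdException>, String> errorCodeMapping =
            new HashMap<Class<? extends SmartIdException>, String>();

    // Test CA certificates of the Smart-ID TEST environment. They are only loaded when
    // trustTestCertificates is true; see the constructor for the consequences.
    @Value("classpath:TEST_of_EID-SK_2016.pem.crt")
    private Resource testEidCert;

    @Value("classpath:TEST_of_NQ-SK_2016.pem.crt")
    private Resource testNqCert;

    private SmartIdClient smartIdClient;
    private boolean trustTestCertificates;
    private AuthenticationResponseValidator responseValidator = new AuthenticationResponseValidator();
    // Text the Smart-ID app shows to the user during the authentication request.
    private String displayText = "Spring Security Smart-ID login";

    /**
     * Creates the service.
     *
     * @param z whether the TEST_of_* CA certificates are added to the response validator's trust
     *          list during {@link #afterPropertiesSet()}. With this enabled, end-user certificates
     *          chaining to the Smart-ID test CAs pass response validation, so it must stay
     *          {@code false} outside test environments.
     */
    public SmartIdAuthenticationService(boolean z) {
        this.trustTestCertificates = z;
    }

    /**
     * Verifies that a {@link SmartIdClient} was configured and, if requested, registers the test
     * CA certificates. A failure to load the test certificates is logged and otherwise ignored:
     * the service keeps working with the validator's default trust list.
     *
     * @throws IllegalArgumentException if no {@code smartIdClient} was set
     */
    @Override
    public void afterPropertiesSet() {
        Assert.notNull(this.smartIdClient, "smartIdClient must be specified");
        if (!this.trustTestCertificates) {
            return;
        }
        // Make the weakened trust configuration visible in the logs so it is not carried
        // into a production deployment unnoticed.
        this.logger.warn("Smart-ID test CA certificates are being added to the trusted certificates list");
        try {
            trustTestCertificates();
        } catch (Exception e) {
            // Deliberate best effort: a missing or unreadable test certificate must not
            // prevent the bean from starting.
            this.logger.error("Could not add test certificates to trusted certificates list", e);
        }
    }

    /**
     * Starts an authentication session for the given user. Nothing is sent to Smart-ID yet;
     * the actual request happens in {@link #validate}.
     *
     * @param str         national identity number of the user
     * @param countryCode country the identity number belongs to
     * @return a session in {@code PENDING} state with a fresh SHA-512 authentication hash, the
     *         verification code to display to the user, and the start time; or a session in
     *         {@code ERROR} state with {@link #ERR_INVALID_PARAMETERS} when either argument is
     *         missing or {@link SmartIdCredentialsValidator} rejects the pair
     */
    public SmartIdAuthenticationSession beginAuthentication(String str, SmartIdAuthenticationSession.CountryCode countryCode) {
        SmartIdAuthenticationSession session = new SmartIdAuthenticationSession();
        boolean missing = ObjectUtils.isEmpty(str) || ObjectUtils.isEmpty(countryCode);
        if (missing || !SmartIdCredentialsValidator.validate(countryCode, str)) {
            session.setStatus(SmartIdAuthenticationSession.AuthenticationStatus.ERROR);
            session.setErrorCode(ERR_INVALID_PARAMETERS);
            return session;
        }
        // A new random hash per session: the signed response can later only be validated
        // against the session that issued it.
        AuthenticationHash hash = AuthenticationHash.generateRandomHash(HashType.SHA512);
        session.setUserIdCode(str);
        session.setCountryCode(countryCode);
        session.setAuthenticationHash(hash);
        // Verification code intended to be shown to the user for comparison with the code
        // displayed in the Smart-ID app.
        session.setVerificationCode(hash.calculateVerificationCode());
        session.setStartTime(new Date());
        session.setStatus(SmartIdAuthenticationSession.AuthenticationStatus.PENDING);
        return session;
    }

    /**
     * Performs the Smart-ID authentication request for a session created by
     * {@link #beginAuthentication} and records the outcome on that same session.
     *
     * <p>On a valid response the session becomes {@code USER_AUTHENTICATED} with the user's
     * name and certificate filled in. On an invalid response or any {@link SmartIdException}
     * the session becomes {@code ERROR} with a mapped error code and is returned normally.
     * A session missing its hash, country or identity number is rejected as
     * {@link #ERR_INVALID_PARAMETERS} without contacting Smart-ID.
     *
     * @param smartIdAuthenticationSession session to authenticate; it is mutated and returned
     * @return the same session with status, names/certificate or error code updated
     * @throws Exception any exception other than {@link SmartIdException} raised by the client
     *                   or the validator, after the session has been marked as failed
     */
    public SmartIdAuthenticationSession validate(SmartIdAuthenticationSession smartIdAuthenticationSession) throws Exception {
        // NOTE(review): a session that already completed (USER_AUTHENTICATED or ERROR) is not
        // rejected here; callers should not submit the same session twice. Confirm whether a
        // PENDING-state check belongs here.
        if (!hasRequestParameters(smartIdAuthenticationSession)) {
            smartIdAuthenticationSession.setStatus(SmartIdAuthenticationSession.AuthenticationStatus.ERROR);
            smartIdAuthenticationSession.setErrorCode(ERR_INVALID_PARAMETERS);
            return smartIdAuthenticationSession;
        }
        try {
            SmartIdAuthenticationResponse response = this.smartIdClient.createAuthentication()
                    .withAuthenticationHash(smartIdAuthenticationSession.getAuthenticationHash())
                    .withCountryCode(smartIdAuthenticationSession.getCountryCode().name())
                    .withNationalIdentityNumber(smartIdAuthenticationSession.getUserIdCode())
                    .withDisplayText(this.displayText)
                    .authenticate();
            SmartIdAuthenticationResult result = this.responseValidator.validate(response);
            if (result.isValid()) {
                authenticationSuccess(smartIdAuthenticationSession, response, result);
            } else {
                authenticationFailure(smartIdAuthenticationSession, result, null);
            }
            return smartIdAuthenticationSession;
        } catch (Exception e) {
            authenticationFailure(smartIdAuthenticationSession, null, e);
            if (e instanceof SmartIdException) {
                // Expected protocol-level outcomes (user refused, timeout, ...) are reported
                // through the session's error code only.
                return smartIdAuthenticationSession;
            }
            // The identity number is written to the log here; keep that in mind when
            // deciding log retention for this logger.
            this.logger.error(String.format("Unexpected exception on validating session for country '%s' and identity number '%s'", smartIdAuthenticationSession.getCountryCode(), smartIdAuthenticationSession.getUserIdCode()), e);
            throw e;
        }
    }

    /** True when the session carries everything the Smart-ID request needs. */
    private static boolean hasRequestParameters(SmartIdAuthenticationSession session) {
        return session.getAuthenticationHash() != null
                && session.getCountryCode() != null
                && !ObjectUtils.isEmpty(session.getUserIdCode());
    }

    /**
     * Adds both Smart-ID TEST environment CA certificates to the response validator.
     *
     * @throws CertificateException if a resource does not contain a parseable X.509 certificate
     * @throws IOException          if a resource cannot be read
     */
    private void trustTestCertificates() throws CertificateException, IOException {
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        addTrustedCaCertificate(factory, this.testEidCert);
        addTrustedCaCertificate(factory, this.testNqCert);
    }

    /** Parses one PEM resource as an X.509 certificate and registers it as a trusted CA. */
    private void addTrustedCaCertificate(CertificateFactory factory, Resource certificateResource)
            throws CertificateException, IOException {
        // try-with-resources: the resource stream was previously never closed.
        try (InputStream in = certificateResource.getInputStream()) {
            this.responseValidator.addTrustedCACertificate((X509Certificate) factory.generateCertificate(in));
        }
    }

    /**
     * Copies the identity reported by the validator and the certificate from the response onto
     * the session and marks it {@code USER_AUTHENTICATED}.
     */
    private void authenticationSuccess(SmartIdAuthenticationSession session, SmartIdAuthenticationResponse response, SmartIdAuthenticationResult result) {
        AuthenticationIdentity identity = result.getAuthenticationIdentity();
        session.setGivenName(identity.getGivenName());
        session.setSurName(identity.getSurName());
        session.setCertificate(response.getCertificate());
        session.setStatus(SmartIdAuthenticationSession.AuthenticationStatus.USER_AUTHENTICATED);
    }

    /**
     * Marks the session as failed with an error code derived from {@code exc} (or
     * {@link #ERR_TECHNICAL_ERROR} when the validator rejected the response) and logs the
     * validator's error list when there is one.
     *
     * @param session session to update
     * @param result  validator result, or {@code null} when the failure was an exception
     * @param exc     exception that ended the request, or {@code null} when the validator
     *                rejected the response
     */
    private void authenticationFailure(SmartIdAuthenticationSession session, SmartIdAuthenticationResult result, Exception exc) {
        session.setStatus(SmartIdAuthenticationSession.AuthenticationStatus.ERROR);
        session.setErrorCode(errorCodeFor(exc));
        if (result == null || ObjectUtils.isEmpty(result.getErrors())) {
            return;
        }
        this.logger.info(String.format("Smart-ID authentication failure for country '%s' and identity number '%s', errors: %s", session.getCountryCode(), session.getUserIdCode(), StringUtils.join(result.getErrors(), ", ")));
    }

    /**
     * Resolves the error code for an exception. A {@link SmartIdException} is looked up by exact
     * class first, then by assignability so that subclasses of mapped exceptions still resolve;
     * anything unmapped (or a {@code null} exception) yields {@link #ERR_TECHNICAL_ERROR}
     * instead of leaving the error code {@code null}.
     */
    private static String errorCodeFor(Exception exc) {
        if (!(exc instanceof SmartIdException)) {
            return ERR_TECHNICAL_ERROR;
        }
        String exact = errorCodeMapping.get(exc.getClass());
        if (exact != null) {
            return exact;
        }
        for (Map.Entry<Class<? extends SmartIdException>, String> entry : errorCodeMapping.entrySet()) {
            if (entry.getKey().isInstance(exc)) {
                return entry.getValue();
            }
        }
        return ERR_TECHNICAL_ERROR;
    }

    public void setTestEidCert(Resource resource) {
        this.testEidCert = resource;
    }

    public void setTestNqCert(Resource resource) {
        this.testNqCert = resource;
    }

    public void setSmartIdClient(SmartIdClient smartIdClient) {
        this.smartIdClient = smartIdClient;
    }

    public AuthenticationResponseValidator getResponseValidator() {
        return this.responseValidator;
    }

    /**
     * Replaces the response validator. Test CA certificates registered by
     * {@link #afterPropertiesSet()} live on the previous validator instance and are not
     * carried over.
     */
    public void setResponseValidator(AuthenticationResponseValidator authenticationResponseValidator) {
        this.responseValidator = authenticationResponseValidator;
    }

    public String getDisplayText() {
        return this.displayText;
    }

    /** Sets the text shown to the user in the Smart-ID app during authentication. */
    public void setDisplayText(String str) {
        this.displayText = str;
    }

    static {
        errorCodeMapping.put(InvalidParametersException.class, ERR_INVALID_PARAMETERS);
        errorCodeMapping.put(UserAccountNotFoundException.class, ERR_USER_ACCOUNT_NOT_FOUND);
        errorCodeMapping.put(RequestForbiddenException.class, ERR_REQUEST_FORBIDDEN);
        errorCodeMapping.put(UserRefusedException.class, ERR_USER_REFUSED);
        errorCodeMapping.put(SessionTimeoutException.class, ERR_SESSION_TIMEOUT);
        errorCodeMapping.put(DocumentUnusableException.class, ERR_DOCUMENT_UNUSABLE);
        errorCodeMapping.put(TechnicalErrorException.class, ERR_TECHNICAL_ERROR);
        errorCodeMapping.put(ClientNotSupportedException.class, ERR_CLIENT_NOT_SUPPORTED);
        errorCodeMapping.put(ServerMaintenanceException.class, ERR_SERVER_MAINTENANCE);
    }
}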
