package pl.edu.icm.unity.unicore.samlidp.saml;

import eu.emi.security.authn.x509.X509Credential;
import eu.emi.security.authn.x509.impl.X500NameUtils;
import eu.unicore.samly2.assertion.Assertion;
import eu.unicore.samly2.binding.SAMLMessageType;
import eu.unicore.samly2.exceptions.SAMLRequesterException;
import eu.unicore.samly2.proto.AssertionResponse;
import eu.unicore.security.dsig.DSigException;
import eu.unicore.security.etd.DelegationRestrictions;
import eu.unicore.security.etd.ETDImpl;
import eu.unicore.security.etd.TrustDelegation;
import io.imunity.idp.LastIdPClinetAccessAttributeManagement;
import java.util.Calendar;
import java.util.Collection;
import org.apache.logging.log4j.Logger;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.attributes.AttributeTypeSupport;
import pl.edu.icm.unity.saml.SAMLProcessingException;
import pl.edu.icm.unity.saml.idp.ctx.SAMLAuthnContext;
import pl.edu.icm.unity.saml.idp.processor.AuthnResponseProcessor;
import pl.edu.icm.unity.saml.slo.SamlRoutableSignableMessage;
import pl.edu.icm.unity.types.basic.Attribute;
import pl.edu.icm.unity.types.basic.IdentityParam;
import xmlbeans.org.oasis.saml2.assertion.NameIDType;
import xmlbeans.org.oasis.saml2.assertion.SubjectType;
import xmlbeans.org.oasis.saml2.protocol.ResponseDocument;

/* loaded from: input_file:pl/edu/icm/unity/unicore/samlidp/saml/AuthnWithETDResponseProcessor.class */
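/**
 * SAML authentication response processor for the UNICORE IdP flavour.
 *
 * <p>On top of the standard {@link AuthnResponseProcessor} behaviour it can add a bootstrap
 * trust-delegation (ETD) assertion to the response, which lets the requesting service act on
 * behalf of the authenticated user within the supplied {@link DelegationRestrictions}. ETD is
 * only issued when the request Issuer presents a well-formed X.509 subject DN AND the requested
 * NameID format is X509SubjectName; in every other case the plain superclass flow is used.
 *
 * <p>NOTE(review): the delegation receiver is taken verbatim from the request's Issuer element.
 * This class only checks that the DN parses, not that the requester really owns it; the
 * authenticity of the request (e.g. request signature / trusted-SP check) is presumably enforced
 * before this processor runs — confirm against the caller.
 */
public class AuthnWithETDResponseProcessor extends AuthnResponseProcessor {
    private static final Logger log = Log.getLogger("unity.server.saml", AuthnWithETDResponseProcessor.class);

    /** NameID format both the request Issuer and the requested subject identifier must use for ETD to be issued. */
    private static final String X509_SUBJECT_NAME_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName";

    /** NameID format of the trust-delegation issuer: the IdP's own entity identifier. */
    private static final String ENTITY_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity";

    public AuthnWithETDResponseProcessor(AttributeTypeSupport attributeTypeSupport, LastIdPClinetAccessAttributeManagement lastIdPClinetAccessAttributeManagement, SAMLAuthnContext sAMLAuthnContext) {
        super(attributeTypeSupport, lastIdPClinetAccessAttributeManagement, sAMLAuthnContext);
    }

    /**
     * Variant with an explicit clock, presumably used by tests to pin assertion timestamps
     * (the {@code Calendar} is only forwarded to the superclass here).
     */
    public AuthnWithETDResponseProcessor(AttributeTypeSupport attributeTypeSupport, LastIdPClinetAccessAttributeManagement lastIdPClinetAccessAttributeManagement, SAMLAuthnContext sAMLAuthnContext, Calendar calendar) {
        super(attributeTypeSupport, lastIdPClinetAccessAttributeManagement, sAMLAuthnContext, calendar);
    }

    /**
     * Builds the SAML response for an authenticated user, optionally including an ETD assertion.
     *
     * @param identityParam          the authenticated identity the subject is established from
     * @param collection             attributes to release; {@code null} means no attribute assertion
     * @param str                    routing string forwarded as the last constructor argument of
     *                               {@link SamlRoutableSignableMessage} (destination or relay state —
     *                               the decompiled name does not say; confirm against the superclass)
     * @param delegationRestrictions limits of the delegation; {@code null} means no ETD assertion
     * @param str2                   routing string forwarded as the second-to-last constructor argument
     * @return routable response; in the ETD branch the envelope carries no signing credential
     * @throws SAMLRequesterException  propagated from the superclass flow
     * @throws SAMLProcessingException on internal errors, including ETD signing failures
     */
    public SamlRoutableSignableMessage<ResponseDocument> processAuthnRequest(IdentityParam identityParam, Collection<Attribute> collection, String str, DelegationRestrictions delegationRestrictions, String str2) throws SAMLRequesterException, SAMLProcessingException {
        if (this.samlConfiguration.returnSingleAssertion) {
            log.info("The returnSingleAssertion = true setting is ignored for UNICORE IdP. Set it to false to disable this message");
        }
        NameIDType requestIssuer = getContext().getRequest().getIssuer();
        // getRequestedFormat() is only consulted once the Issuer has been validated as an X.500 DN.
        boolean etdApplicable = checkX500Issuer(requestIssuer) && X509_SUBJECT_NAME_FORMAT.equals(getRequestedFormat());
        if (!etdApplicable) {
            // Plain SAML flow. The two routing strings are swapped relative to this method's own
            // parameter order because the superclass signature lists them the other way round.
            return super.processAuthnRequest(identityParam, collection, false, str2, str);
        }

        SubjectType subject = establishSubject(identityParam);
        AssertionResponse response = getOKResponseDocument();
        response.addAssertion(createAuthenticationAssertion(subject, null));

        if (collection != null) {
            // The attribute assertion gets its own subject copy with sender-vouches confirmation,
            // so the authentication assertion's subject confirmation is left untouched.
            SubjectType attributeSubject = cloneSubject(subject);
            setSenderVouchesSubjectConfirmation(attributeSubject);
            Assertion attributeAssertion = createAttributeAssertion(attributeSubject, collection);
            if (attributeAssertion != null) {
                response.addAssertion(attributeAssertion);
            }
        }

        if (delegationRestrictions != null) {
            // Delegation custodian = the user's X.509 subject DN as placed in the assertion subject.
            response.addAssertion(generateTD(subject.getNameID().getStringValue(), delegationRestrictions));
        }

        // No credential is attached here, i.e. the response envelope itself is not signed by this
        // processor. NOTE(review): this relies on the individual assertions being signed
        // (the ETD assertion is; see generateTD) — confirm the authn/attribute assertions are too.
        return new SamlRoutableSignableMessage<>(response, (X509Credential) null, SAMLMessageType.SAMLResponse, str2, str);
    }

    /**
     * Creates a bootstrap trust delegation from the user (custodian, given as DN) to the requesting
     * service (receiver, taken from the request Issuer), signed with the IdP's SAML issuer credential.
     *
     * @param str                    custodian DN (the user's X.509 subject name)
     * @param delegationRestrictions restrictions embedded in the delegation
     * @return the signed trust-delegation assertion
     * @throws SAMLProcessingException if no issuer credential is configured or signing fails
     */
    protected TrustDelegation generateTD(String str, DelegationRestrictions delegationRestrictions) throws SAMLProcessingException {
        X509Credential issuerCredential = this.samlConfiguration.getSamlIssuerCredential();
        if (issuerCredential == null) {
            // Fail with a clear message instead of an NPE on getCertificateChain()/getKey() below.
            throw new SAMLProcessingException("Trust delegation requires a configured SAML issuer credential");
        }
        String issuerUri = this.samlConfiguration.issuerURI;
        // Both DNs are normalised to the portable RFC 2253 form so that comparisons on the
        // consuming side do not depend on the original attribute ordering/encoding.
        String custodianDn = X500NameUtils.getPortableRFC2253Form(str);
        String receiverDn = X500NameUtils.getPortableRFC2253Form(this.context.getRequest().getIssuer().getStringValue());
        try {
            return new ETDImpl().generateBootstrapTD(custodianDn, issuerCredential.getCertificateChain(), issuerUri, ENTITY_FORMAT, issuerCredential.getKey(), receiverDn, delegationRestrictions);
        } catch (DSigException e) {
            throw new SAMLProcessingException("Internal error while signing the trust delegation", e);
        }
    }

    /**
     * Tells whether the request Issuer is usable as an ETD receiver: present, declared with the
     * X509SubjectName format, and parseable as an X.500 principal.
     *
     * @param nameIDType the request's Issuer element, may be {@code null}
     * @return {@code true} only if all three conditions hold
     */
    protected boolean checkX500Issuer(NameIDType nameIDType) {
        if (nameIDType == null || nameIDType.getStringValue() == null) {
            return false;
        }
        // equals() on the constant also rejects a null Format attribute.
        if (!X509_SUBJECT_NAME_FORMAT.equals(nameIDType.getFormat())) {
            return false;
        }
        try {
            X500NameUtils.getX500Principal(nameIDType.getStringValue());
            return true;
        } catch (Exception ignored) {
            // An unparseable DN is a validation failure, not an error: fall back to the plain flow.
            return false;
        }
    }
}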
