package pl.edu.icm.unity.saml.idp.web;

import com.vaadin.annotations.Theme;
import com.vaadin.server.Page;
import com.vaadin.server.VaadinRequest;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.TimeZone;
import java.util.stream.Collectors;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.ObjectFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Scope;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.MessageSource;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.AttributeTypeManagement;
import pl.edu.icm.unity.engine.api.PreferencesManagement;
import pl.edu.icm.unity.engine.api.attributes.AttributeTypeSupport;
import pl.edu.icm.unity.engine.api.authn.AuthenticationException;
import pl.edu.icm.unity.engine.api.authn.InvocationContext;
import pl.edu.icm.unity.engine.api.identity.IdentityTypeSupport;
import pl.edu.icm.unity.engine.api.idp.CommonIdPProperties;
import pl.edu.icm.unity.engine.api.idp.IdPEngine;
import pl.edu.icm.unity.engine.api.policyAgreement.PolicyAgreementManagement;
import pl.edu.icm.unity.engine.api.session.SessionManagement;
import pl.edu.icm.unity.engine.api.translation.out.TranslationResult;
import pl.edu.icm.unity.engine.api.utils.FreemarkerAppHandler;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.saml.idp.SamlIdpProperties;
import pl.edu.icm.unity.saml.idp.ctx.SAMLAuthnContext;
import pl.edu.icm.unity.saml.idp.processor.AuthnResponseProcessor;
import pl.edu.icm.unity.saml.idp.web.filter.IdpConsentDeciderServlet;
import pl.edu.icm.unity.types.basic.Attribute;
import pl.edu.icm.unity.types.basic.AttributeType;
import pl.edu.icm.unity.types.basic.DynamicAttribute;
import pl.edu.icm.unity.types.basic.EntityParam;
import pl.edu.icm.unity.types.basic.IdentityParam;
import pl.edu.icm.unity.types.policyAgreement.PolicyAgreementConfiguration;
import pl.edu.icm.unity.webui.UnityEndpointUIBase;
import pl.edu.icm.unity.webui.UnityWebUI;
import pl.edu.icm.unity.webui.authn.StandardWebAuthenticationProcessor;
import pl.edu.icm.unity.webui.common.attributes.AttributeHandlerRegistry;
import pl.edu.icm.unity.webui.common.file.ImageAccessService;
import pl.edu.icm.unity.webui.common.policyAgreement.PolicyAgreementScreen;
import pl.edu.icm.unity.webui.forms.enquiry.EnquiresDialogLauncher;
import pl.edu.icm.unity.webui.idpcommon.EopException;
import pl.edu.icm.unity.webui.idpcommon.activesel.ActiveValueSelectionScreen;
import xmlbeans.org.oasis.saml2.assertion.NameIDType;
import xmlbeans.org.oasis.saml2.protocol.ResponseDocument;

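/**
 * Vaadin UI of the SAML IdP endpoint. Drives the interactive part of a SAML authentication
 * request after the user has logged in: optional policy agreements screen, optional active
 * value selection screen, consent screen, and finally production of the signed SAML response
 * (or of an error response when the user declines or processing fails).
 * <p>
 * The entity being served is always taken from the current {@link InvocationContext} login
 * session, never from request parameters. The SAML request context comes from
 * {@link SAMLContextSupport#getContext()}.
 */
@Theme("unityThemeValo")
@Scope("prototype")
@Component("SamlIdPWebUI")
public class SamlIdPWebUI extends UnityEndpointUIBase implements UnityWebUI {
    private static final Logger log = Log.getLogger("unity.server.saml", SamlIdPWebUI.class);

    /** Protocol name passed to the IdP engine when obtaining user information. */
    private static final String PROTOCOL_NAME = "SAML2";
    /** Protocol sub-type (binding) passed to the IdP engine when obtaining user information. */
    private static final String PROTOCOL_SUBTYPE = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";

    protected MessageSource msg;
    protected IdPEngine idpEngine;
    protected FreemarkerAppHandler freemarkerHandler;
    protected AttributeHandlerRegistry handlersRegistry;
    protected IdentityTypeSupport identityTypeSupport;
    protected PreferencesManagement preferencesMan;
    protected StandardWebAuthenticationProcessor authnProcessor;
    protected SessionManagement sessionMan;
    protected ImageAccessService imageAccessService;
    protected PolicyAgreementManagement policyAgreementsMan;
    private ObjectFactory<PolicyAgreementScreen> policyAgreementScreenObjectFactory;
    // Per-request state, initialised in activeValueSelectionAndConsentStage() and read by the
    // later stages (consent callbacks). Null until that stage has run.
    protected AuthnResponseProcessor samlProcessor;
    protected SamlResponseHandler samlResponseHandler;
    protected AttributeTypeManagement attrTypeMan;
    protected AttributeTypeSupport aTypeSupport;
    protected List<IdentityParam> validIdentities;
    protected Map<String, AttributeType> attributeTypes;

    @Autowired
    public SamlIdPWebUI(MessageSource messageSource, ImageAccessService imageAccessService,
            FreemarkerAppHandler freemarkerAppHandler, AttributeHandlerRegistry attributeHandlerRegistry,
            PreferencesManagement preferencesManagement,
            StandardWebAuthenticationProcessor standardWebAuthenticationProcessor, IdPEngine idPEngine,
            IdentityTypeSupport identityTypeSupport, SessionManagement sessionManagement,
            AttributeTypeManagement attributeTypeManagement, EnquiresDialogLauncher enquiresDialogLauncher,
            AttributeTypeSupport attributeTypeSupport, PolicyAgreementManagement policyAgreementManagement,
            ObjectFactory<PolicyAgreementScreen> objectFactory) {
        super(messageSource, enquiresDialogLauncher);
        this.msg = messageSource;
        this.imageAccessService = imageAccessService;
        this.freemarkerHandler = freemarkerAppHandler;
        this.handlersRegistry = attributeHandlerRegistry;
        this.preferencesMan = preferencesManagement;
        this.authnProcessor = standardWebAuthenticationProcessor;
        this.idpEngine = idPEngine;
        this.identityTypeSupport = identityTypeSupport;
        this.sessionMan = sessionManagement;
        this.attrTypeMan = attributeTypeManagement;
        this.aTypeSupport = attributeTypeSupport;
        this.policyAgreementsMan = policyAgreementManagement;
        this.policyAgreementScreenObjectFactory = objectFactory;
    }

    /**
     * Resolves the entity of the currently logged-in user from the invocation context.
     *
     * @return entity parameter for the authenticated user's login session
     */
    private static EntityParam currentEntity() {
        return new EntityParam(Long.valueOf(InvocationContext.getCurrent().getLoginSession().getEntityId()));
    }

    /**
     * Obtains the user's identities and attributes from the IdP engine, running the output
     * translation profile configured for this SAML endpoint.
     *
     * @param samlCtx context of the SAML request being served
     * @param processor response processor providing the chosen group and identity-creation policy
     * @return translation result with identities, attributes and an optional redirect URL
     * @throws EngineException when the engine cannot produce the user information
     */
    protected TranslationResult getUserInfo(SAMLAuthnContext samlCtx, AuthnResponseProcessor processor)
            throws EngineException {
        SamlIdpProperties samlConfig = samlCtx.getSamlConfiguration();
        return this.idpEngine.obtainUserInformationWithEnrichingImport(
                currentEntity(),
                processor.getChosenGroup(),
                samlConfig.getOutputTranslationProfile(),
                this.samlProcessor.getIdentityTarget(),
                Optional.empty(),
                PROTOCOL_NAME,
                PROTOCOL_SUBTYPE,
                processor.isIdentityCreationAllowed(),
                samlConfig);
    }

    /**
     * Entry point of the UI: shows policy agreements first when any remain to be accepted,
     * otherwise proceeds directly to attribute selection / consent.
     */
    protected void enter(VaadinRequest vaadinRequest) {
        SAMLAuthnContext context = SAMLContextSupport.getContext();
        SamlIdpProperties samlConfig = context.getSamlConfiguration();
        List<PolicyAgreementConfiguration> agreementsToPresent = filterAgreementsToPresents(samlConfig);
        if (agreementsToPresent.isEmpty()) {
            activeValueSelectionAndConsentStage(context, samlConfig);
        } else {
            policyAgreementsStage(context, samlConfig, agreementsToPresent);
        }
    }

    /**
     * Returns the configured policy agreements the current user still has to accept.
     * <p>
     * NOTE: on an engine error this returns an empty list, i.e. the agreements stage is skipped
     * (fail-open). The error is logged with its cause so the condition is visible in the logs.
     *
     * @param samlConfig endpoint configuration holding the policy agreements setup
     * @return agreements to present, empty when none are pending or they could not be determined
     */
    private List<PolicyAgreementConfiguration> filterAgreementsToPresents(SamlIdpProperties samlConfig) {
        List<PolicyAgreementConfiguration> toPresent = new ArrayList<>();
        try {
            toPresent.addAll(this.policyAgreementsMan.filterAgreementToPresent(currentEntity(),
                    CommonIdPProperties.getPolicyAgreementsConfig(this.msg, samlConfig).agreements));
        } catch (EngineException e) {
            log.error("Unable to determine policy agreements to accept", e);
        }
        return toPresent;
    }

    /**
     * Shows the policy agreements screen; on submit continues with attribute selection / consent.
     */
    private void policyAgreementsStage(SAMLAuthnContext samlCtx, SamlIdpProperties samlConfig,
            List<PolicyAgreementConfiguration> agreements) {
        PolicyAgreementScreen screen = this.policyAgreementScreenObjectFactory.getObject()
                .withTitle(samlConfig.getLocalizedStringWithoutFallbackToDefault(this.msg, "policyAgreementsTitle"))
                .withInfo(samlConfig.getLocalizedStringWithoutFallbackToDefault(this.msg, "policyAgreementsInfo"))
                .withWidht((float) samlConfig.getLongValue("policyAgreementsWidth").longValue(),
                        samlConfig.getValue("policyAgreementsWidthUnit"))
                .withAgreements(agreements)
                .withSubmitHandler(() -> activeValueSelectionAndConsentStage(samlCtx, samlConfig));
        setContent(screen);
    }

    /**
     * Initialises the per-request SAML processor and response handler, obtains the user
     * information and then either shows the active value selection screen or goes straight to
     * the consent stage. Any processing failure is turned into a SAML error response.
     */
    private void activeValueSelectionAndConsentStage(SAMLAuthnContext samlCtx, SamlIdpProperties samlConfig) {
        this.samlProcessor = new AuthnResponseProcessor(this.aTypeSupport, samlCtx,
                Calendar.getInstance(TimeZone.getTimeZone("UTC")));
        this.samlResponseHandler = new SamlResponseHandler(this.freemarkerHandler, this.samlProcessor);
        try {
            this.attributeTypes = this.attrTypeMan.getAttributeTypesAsMap();
            TranslationResult userInfo = getUserInfo(samlCtx, this.samlProcessor);
            handleRedirectIfNeeded(userInfo);
            this.validIdentities = this.samlProcessor.getCompatibleIdentities(userInfo.getIdentities());
            Collection<DynamicAttribute> attributes = userInfo.getAttributes();
            Optional<CommonIdPProperties.ActiveValueSelectionConfig> activeValueSelection =
                    CommonIdPProperties.getActiveValueSelectionConfig(samlConfig,
                            this.samlProcessor.getRequestIssuer(), attributes);
            if (activeValueSelection.isPresent()) {
                showActiveValueSelectionScreen(activeValueSelection.get());
            } else {
                gotoConsentStage(attributes);
            }
        } catch (EopException ignored) {
            // End of processing: a redirect was already issued by handleRedirectIfNeeded().
            // Listed before the generic catch so it is never swallowed by it (and so the
            // class compiles whether or not EopException extends Exception).
        } catch (Exception e) {
            log.error("Engine problem when handling client request", e);
            this.samlResponseHandler.handleExceptionNotThrowing(e, true);
        }
    }

    /**
     * Either shows the consent screen or, when the endpoint is configured with
     * {@code skipConsent}, releases all attributes for the first compatible identity without
     * asking the user.
     *
     * @param attributes attributes that would be released to the requester
     */
    protected void gotoConsentStage(Collection<DynamicAttribute> attributes) {
        boolean skipConsent = SAMLContextSupport.getContext().getSamlConfiguration()
                .getBooleanValue("skipConsent").booleanValue();
        if (skipConsent) {
            // Assumes validIdentities is non-empty here; an empty list surfaces as a runtime
            // exception handled by the caller's error path (not verified from this file).
            List<Attribute> released = attributes.stream()
                    .map(DynamicAttribute::getAttribute)
                    .collect(Collectors.toList());
            onAccepted(this.validIdentities.get(0), released);
        } else {
            setContent(new SamlConsentScreen(this.msg, this.imageAccessService, this.handlersRegistry,
                    this.preferencesMan, this.authnProcessor, this.identityTypeSupport, this.aTypeSupport,
                    this.validIdentities, attributes, this.attributeTypes, this::onDecline, this::onAccepted));
        }
    }

    /** Shows the screen letting the user pick which values of multi-valued attributes to release. */
    private void showActiveValueSelectionScreen(CommonIdPProperties.ActiveValueSelectionConfig config) {
        setContent(new ActiveValueSelectionScreen(this.msg, this.handlersRegistry, this.authnProcessor,
                config.singleSelectableAttributes, config.multiSelectableAttributes,
                config.remainingAttributes, this::onDecline, this::gotoConsentStage));
    }

    /**
     * Redirects the browser when the translation profile produced a redirect URL and stops
     * further processing by throwing {@link EopException}.
     *
     * @param userInfo translation result possibly carrying a redirect URL
     * @throws EopException when a redirect was issued and processing must end
     */
    private void handleRedirectIfNeeded(TranslationResult userInfo) throws IOException, EopException {
        String redirectUrl = userInfo.getRedirectURL();
        if (redirectUrl == null) {
            return;
        }
        Page.getCurrent().open(redirectUrl, (String) null);
        throw new EopException();
    }

    /** Consent was refused: answer the requester with an authentication failure. */
    protected void onDecline() {
        this.samlResponseHandler.handleExceptionNotThrowing(
                new AuthenticationException("Authentication was declined"), false);
    }

    /**
     * Consent was given: builds and signs the SAML response, records the requester as a session
     * participant (for single logout) and returns the response to the browser.
     *
     * @param identity identity to assert
     * @param attributes attributes to release
     */
    protected void onAccepted(IdentityParam identity, Collection<Attribute> attributes) {
        SAMLAuthnContext context = SAMLContextSupport.getContext();
        try {
            ResponseDocument signedResponse = this.samlProcessor
                    .processAuthnRequestReturningResponse(identity, attributes,
                            context.getRelayState(), context.getResponseDestination())
                    .getSignedMessage();
            addSessionParticipant(context, this.samlProcessor.getAuthenticatedSubject().getNameID(),
                    this.samlProcessor.getSessionId());
            this.samlResponseHandler.returnSamlResponse(signedResponse);
        } catch (Exception e) {
            this.samlResponseHandler.handleExceptionNotThrowing(e, false);
        }
    }

    /** Registers the SAML requester in the login session so it can take part in logout. */
    protected void addSessionParticipant(SAMLAuthnContext samlCtx, NameIDType subjectNameId, String sessionId) {
        IdpConsentDeciderServlet.addSessionParticipant(samlCtx, subjectNameId, sessionId, this.sessionMan);
    }
}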
